Firewall and Gateway Design Traits
Due to the shortage of IP addresses under the current allocation scheme,
companies are frequently allocated only a small number of Internet-routable
addresses for use on an Internet gateway. Commonly this is an 8- or 16-host
subnet, which leaves a limited number of addresses available for externally
facing servers and services. Furthermore, common security practice dictates
that externally facing machines should be shielded from the full wrath of the
Internet by a multi-homed bastion host, such as a Firewall.
Network Address Translation (NAT)
Many Internet installations make use of Network Address Translation (NAT) to
obscure the real IPs of servers placed behind the Firewall and made available
to the Internet. This may be because the real IPs are RFC1918 private
addresses, which are not routable on the Internet, or simply to hide the
internal address ranges in use. The way NAT is used varies with the deployment
of the gateway and the type of firewall, although for ease of configuration
many Firewall administrators will simply NAT any internal or DMZ hosts to the
same IP as the Firewall itself.
IP Visibility
Typically, Application Proxy Firewalls are multi-homed, with an external IP
for connectivity to the upstream/ISP routers. If a number of external hosts,
including a gateway (e.g. www.example.com, mail.example.com and
gateway.example.com), all have the same IP address, then that IP is often that
of some kind of application proxy.
If the external services are spread across a number of IPs, then the gateway
host is most likely either a more carefully configured application proxy or a
Stateful Inspection gateway such as Firewall-1. In this case the Firewall's
external IP is used only for connectivity between the Firewall and Internet
hosts, rather than being publicized as the address on which Internet services
are running. Use of phantom proxy IPs handled by the Firewall further obscures
the true IP of both the server and the Firewall, making host targeting harder
for an attacker.
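A defender can apply the same inference to their own public zone to see what the address layout gives away. The following Python is an added example, not part of the original post: the DNS records are constructed, and the classification labels are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC1918 ranges: these should never appear as answers in a public zone.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not real DNS data), modelled on the
# hostnames named in the text above.
SAMPLE_RECORDS = [
    ("www.example.com", "203.0.113.10"),
    ("mail.example.com", "203.0.113.10"),
    ("gateway.example.com", "203.0.113.10"),
    ("www.example.net", "198.51.100.20"),
    ("mail.example.net", "198.51.100.21"),
    ("gateway.example.net", "198.51.100.1"),
    ("intranet.example.net", "10.0.0.5"),
]

def group_by_address(records):
    """Map each address to the set of hostnames that resolve to it."""
    groups = defaultdict(set)
    for host, addr in records:
        groups[str(ipaddress.ip_address(addr))].add(host)
    return dict(groups)

def assess(records, gateway_hint="gateway"):
    """Return {address: label} describing what an outside observer can infer.
    Labels are assumed names. Heuristics follow the text: services sharing an
    address with the gateway name suggest hosts NATed to the firewall's own IP
    (commonly an application proxy); a gateway address carrying no other
    service suggests an external IP used for connectivity only."""
    findings = {}
    for addr, hosts in group_by_address(records).items():
        ip = ipaddress.ip_address(addr)
        has_gateway = any(gateway_hint in h for h in hosts)
        if any(ip in net for net in RFC1918):
            findings[addr] = "private-address-leak"
        elif has_gateway and len(hosts) > 1:
            findings[addr] = "shared-gateway-ip"
        elif has_gateway:
            findings[addr] = "gateway-only-ip"
        elif len(hosts) > 1:
            findings[addr] = "shared-service-ip"
        else:
            findings[addr] = "dedicated-service-ip"
    return findings
```

Feed it the A records of your own zone (exported, not looked up live) and review any "shared-gateway-ip" or "private-address-leak" result against the design intent.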
Risk Level
This mapping technique uses information that has already been gained through
passive methods. It is unlikely to alert system administrators to a hacker's
presence, so it carries a low risk of discovery.