Proxy Server, Network Address Translator, Firewall (PDF document)


1 Proxy Server

Introduction
• What is a proxy server?
  - Acts on behalf of other clients, and presents requests from other clients to a server.
  - Acts as a server while talking with a client, and as a client while talking with a server.
• Commonly used HTTP proxy server:
  - Squid: available on all platforms.

What is it really?
• It is a server that sits between a client application (e.g., a Web browser) and a real server.
  - It intercepts all requests to the real server to see if it can fulfill the requests itself.
  - If not, it forwards the request to the real server.

• Mainly serves two purposes:
  - Improve performance
    - Can dramatically improve performance for a group of users.
    - It saves all the results of requests in a cache.
    - Can greatly conserve bandwidth.
  - Filter requests
    - Prevent users from accessing a specific set of web sites.
    - Prevent users from accessing pages containing some specified strings.
    - Prevent users from accessing video files (say).

Anonymous Proxy Servers
• Hide the user's IP address, thereby preventing unauthorized access to the user's computer through the Internet.
• All requests to the outside world originate with the IP address of the proxy server.
• Very convenient for group subscription:
  - On-line journals.
  - Digital library.

Where is it located?
[Figure: several user agents -> proxy server (holding access rules and a cache) -> origin server]

Functions of an HTTP Proxy
• Request forwarding
  - Primary function.
  - Acts as a rudimentary firewall.
• Access control
  - Allow or deny accesses, based on
    - Contents
    - Location
• Cache management
  - Efficient utilization of bandwidth.
  - Faster access.
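As an added example (not code from the slides or from Squid), the decision path of an HTTP proxy as described above: apply the access rules (by location, by file type, by content string), then try the cache, and only then forward to the origin server. The `Proxy` and `FakeOrigin` classes and the blocked-site policy are constructed for this illustration.

```python
"""Added example: proxy request handling = access control + cache + forwarding."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Constructed policy for the example: a blocked site, a blocked string, blocked file types.
BLOCKED_HOSTS = {"blocked.example"}
BLOCKED_STRINGS = ("forbidden-term",)
BLOCKED_SUFFIXES = (".mp4", ".avi")


class FakeOrigin:
    """Stand-in for the real (origin) server; counts how often the proxy forwards to it."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, url: str) -> str:
        self.calls += 1
        if "secret" in url:                     # constructed page that trips the string filter
            return "page with forbidden-term inside"
        return f"contents of {url}"


@dataclass
class Proxy:
    origin: Callable[[str], str]               # where requests are forwarded when not cached
    cache: Dict[str, str] = field(default_factory=dict)
    log: List[Tuple[str, str]] = field(default_factory=list)

    def allowed(self, url: str) -> bool:
        """Access control by location (host) and by requested file type."""
        parsed = urlparse(url)
        if parsed.hostname in BLOCKED_HOSTS:
            return False
        return not parsed.path.lower().endswith(BLOCKED_SUFFIXES)

    def fetch(self, url: str) -> Tuple[int, str]:
        """Return (status, body): 403 = denied, 200 = served from cache or origin."""
        if not self.allowed(url):
            self.log.append(("DENY", url))
            return 403, ""
        if url in self.cache:                   # cache hit: no bandwidth spent on the origin
            self.log.append(("HIT", url))
            return 200, self.cache[url]
        body = self.origin(url)                 # cache miss: forward to the real server
        if any(s in body for s in BLOCKED_STRINGS):   # content-based filtering, not cached
            self.log.append(("DENY", url))
            return 403, ""
        self.cache[url] = body
        self.log.append(("MISS", url))
        return 200, body
```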

Network Address Translator (NAT)

What is NAT?
• Allows a single device (a router or a dedicated box) to act as an agent between the Internet (public network) and a local (private) network.
  - Tries to address the IP address distribution problem.
  - RFC 1631.
  - Only one unique IP address is required to represent an entire group of computers.
  - Several variations are possible.

Private Addresses

Basic operation of NAT
[Figure: host H1 (private address 10.0.1.2) in the private network, NAT device (public address 128.143.71.21), host H5 (public address 213.168.112.3) on the Internet]
  - Outgoing, H1 -> NAT: Source = 10.0.1.2, Destination = 213.168.112.3
  - Outgoing, NAT -> H5: Source = 128.143.71.21, Destination = 213.168.112.3
  - Returning, H5 -> NAT: Source = 213.168.112.3, Destination = 128.143.71.21
  - Returning, NAT -> H1: Source = 213.168.112.3, Destination = 10.0.1.2
• The NAT device has an address translation table:

    Private Address   Public Address
    10.0.1.2          128.143.71.21

Various Forms of NAT
• Static NAT
  - Used to map an unregistered IP address to a registered IP address.
  - One-to-one mapping.
  - N registered addresses for N machines.
• Dynamic NAT
  - Used to map an unregistered IP address to a registered IP address.
  - From a given pool of registered IP addresses.
  - Addresses are assigned dynamically.
  - Any number of internal computers.
  - A limit N on the number communicating at a time.

Various Forms of NAT (contd.)
• Overloading
  - A special form of dynamic NAT.
  - Used to map multiple unregistered IP addresses to a single registered IP address by using different ports.
  - Also called port address translation (PAT).
  - Each computer on the private network gets translated to the same IP address, but with a different port number assignment.
  - Widely used.

NAT Overloading
• Utilizes the multiplexing feature of the TCP/IP stack.
  - A computer maintains several concurrent connections with a remote computer, using different port numbers.
• The header of a TCP/IP packet contains:
  - Source IP address (32 bit)
  - Source port number (16 bit)
  - Destination IP address (32 bit)
  - Destination port number (16 bit)
  - The combination of the above four elements defines a TCP/IP connection.

• Notations:
  - Stub domain: the internal or private network.
  - Address translation table (ATT): maintained by the router/NAT for address and port mapping.
• Dynamic NAT is easy to implement.
  - The address translation table need only contain IP address mappings.
  - Private to public, and vice versa.
  - No port numbers needed.

How does NAT overloading work?
• The scenario:
  - The internal network has non-routable IP addresses.
  - The NAT-enabled router has a registered IP address assigned by IANA.
  - An internal host X tries to connect to, say, an outside Web server.
  - The router receives the packet from X.
• The router will now:
  - Save the IP address and port number from X's packet to the ATT.
  - In the packet, replace the IP address with the router's IP address.
  - Replace the port number with a port number from the ATT (look for a match). For a new connection, generate a unique port number.

• When a packet comes back:
  - Its destination port is used to search the ATT.
  - The original source IP address and port number can be obtained from the matching entry.
  - The addresses are changed accordingly.
• The Address Translation Table (ATT) looks like:

    Source Computer   Source IP address   Source port number   NAT IP address   NAT port number
    A                 10.5.17.112         500                  203.11.16.5      1
    B                 10.5.17.85          75                   203.11.16.5      2
    C                 10.23.10.5          2480                 203.11.16.5      3
    D                 10.22.5.118         1120                 203.11.16.5      4

Capability Limit of a NAT
• Maximum number of concurrent translations:
  - Mainly determined by the size of the memory available to store the ATT.
  - A typical entry in the ATT takes about 160 bits.
  - A memory size of 8 Mbyte will support about 8 x 1024 x 1024 x 8 / 160 = 419,000 concurrent translations.

Which addresses to use inside?
• Private address classes.
  - Set aside by IANA and non-routable.
  - These addresses are considered unregistered.
  - Routers discard packets that carry one of these addresses as destination.
  - A packet from a host with a private unregistered address can reach a registered destination host, but not the reverse.

The Private Address Classes
• Class A (one)
  - 10.0.0.0 to 10.255.255.255
• Class B (sixteen)
  - 172.16.0.0 to 172.31.255.255
• Class C (256)
  - 192.168.0.0 to 192.168.255.255

Main uses of NAT
• Pooling of IP addresses
• Supporting migration between network service providers
• IP masquerading
• Load balancing of servers

Pooling of IP addresses
• Scenario: The corporate network has many hosts but only a small number of public IP addresses.
• NAT solution:
  - The corporate network is managed with a private address space.
  - The NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses.
  - When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool and binds this address to the private address of the host.

Pooling of IP addresses (figure)

Migration Between Service Providers
• Scenario:
  - In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.
• NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device has static address translation entries which bind the private address of a host to the public address.

  - Migration to a new network service provider merely requires an update of the NAT device.
  - This migration is not noticeable to the hosts on the network.
• Note:
  - The difference from the use of NAT with IP address pooling is that in the present case the mapping of public and private IP addresses is static.

Supporting Migration
[Figure: host H1 (private address 10.0.1.2) in the private network behind a NAT device; ISP 1 allocates the address block 128.143.71.0/24 to the private network, giving the NAT device public address 128.143.71.21; ISP 2 allocates the address block 128.195.4.0/24, giving public address 128.195.4.120]
  - H1 -> NAT: Source = 10.0.1.2, Destination = 213.168.112.3
  - NAT -> Internet via ISP 1: Source = 128.143.71.21, Destination = 213.168.112.3
  - NAT -> Internet via ISP 2: Source = 128.195.4.120, Destination = 213.168.112.3
• Static entry in the NAT device (only the public side changes on migration):

    Private Address   Public Address
    10.0.1.2          128.143.71.21 (ISP 1) / 128.195.4.120 (ISP 2)

IP Masquerading
• Also called:
  - Network address and port translation (NAPT), port address translation (PAT).
• Scenario:
  - A single public IP address is mapped to multiple hosts in a private network.
• NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device modifies the port numbers for outgoing traffic.

IP Masquerading (figure)
[Figure: hosts H1 (private address 10.0.1.2) and H2 (private address 10.0.1.3) in the private network, NAT device with public address 128.143.71.21, Internet]
  - H1 -> NAT: Source = 10.0.1.2, Source port = 2001; NAT -> Internet: Source = 128.143.71.21, Source port = 2100
  - H2 -> NAT: Source = 10.0.1.3, Source port = 3020; NAT -> Internet: Source = 128.143.71.21, Source port = 4444
• Address translation table:

    Private Address   Public Address
    10.0.1.2/2001     128.143.71.21/2100
    10.0.1.3/3020     128.143.71.21/4444
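As an added example (not code from the slides), a simulation of NAT overloading / IP masquerading covering both the router procedure and ATT of the "How does NAT overloading work?" slides and the masquerading figure above: outbound packets from the stub domain get the router's public address and a unique NAT port recorded in the ATT, and returning packets are mapped back by their destination port, with unsolicited inbound traffic and non-stub sources dropped. `Packet`, `PatRouter` and the sequential port allocator are assumptions of this example; the addresses are the ones from the slide's ATT.

```python
"""Added example: port address translation (PAT) with an address translation table."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The four header fields that, together, identify a TCP/IP connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    def __init__(self, public_ip: str, stub_domain: str, first_port: int = 1) -> None:
        self.public_ip = public_ip                        # the router's single registered address
        self.stub = ipaddress.ip_network(stub_domain)     # the private (stub) network
        self.next_port = first_port                       # next unique NAT port to hand out
        # ATT: (private ip, private port) -> NAT port, plus the reverse index for returning packets.
        self.att: Dict[Tuple[str, int], int] = {}
        self.by_nat_port: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private -> public: save (src ip, src port) in the ATT and rewrite the source."""
        if ipaddress.ip_address(pkt.src_ip) not in self.stub:
            return None                                   # not from the stub domain: not translated
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.att:                           # new connection: allocate a unique port
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.att[key] = nat_port
            self.by_nat_port[nat_port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.att[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: the destination port selects the ATT entry; no entry, no delivery."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.by_nat_port.get(pkt.dst_port)
        if entry is None:
            return None                                   # unsolicited: private hosts are unreachable
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)

    def rows(self) -> List[Tuple[str, int, str, int]]:
        """The ATT as rows of (source IP, source port, NAT IP, NAT port), like the slide's table."""
        return [(ip, port, self.public_ip, nat) for (ip, port), nat in self.att.items()]
```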
