Cisco Certified Network Professional Security (Senior Network Security Engineer) AddressTranslation.ppt

Uploaded by: 文库蛋蛋多  Document ID: 2222378  Uploaded: 2023-02-02  Format: PPT  Pages: 30  Size: 2.30MB

Address Translation

Slide titles in this deck (figure-only slides carry no body text):
Protocol and Application Issues (1): Applications with Multiple Connections
Protocol and Application Issues (2): Applications and Embedded Addressing Information
Protocol and Application Issues (3): Applications and Security Issues
TCP Connection Example

TCP Connection Example, Parts 1 and 2

The appliance compares the packet information against the existing connections in the state table to determine whether the packet is new or part of an existing connection. Since it is a new connection, it won't be found. The appliance then looks for an ACL applied inbound on the interface. If one exists, the packet must match a permit statement in the list of statements to be allowed. If the packet is allowed, the appliance then compares the packet header information with the existing translation entries in the translation table to see if an existing translation can be used, or if a new one needs to be created. I'll assume, however, that this is the first time the source has sent a packet through the appliance, so no existing translation entries in the xlate table will match.

TCP Connection Example, Parts 1 and 2 (continued)

Next the appliance compares the information in the packet header with the configured translation policies, static and dynamic, for a match. If a match is not found, then the packet is dropped. If a match is found, a translation entry is built and added to the xlate table, the TCP sequence number is randomized, and the TCP connection is added to the conn table. The appliance then increments the embryonic connection counter. An embryonic connection is a half-open connection: it hasn't gone through the three-way handshake. The appliance keeps track of this kind of information to limit the effectiveness of TCP SYN flood attacks. If the limit is exceeded, the appliance will implement its TCP Intercept feature, discussed later in the chapter. The two idle timers are then started for the connection in the conn and xlate tables respectively.

TCP Connection Example, Parts 3 and 4

Once the destination receives the packet, it responds with a TCP SYN/ACK. Upon receiving the packet, the appliance compares the header information with the conn table to find a match; in this case, since the source initiated the connection in part 1, the connection is in the table. The appliance then validates the idle timer to ensure that the entry in the state table hasn't expired: if the entry has expired, it is removed from the conn table and the packet is dropped. If there wasn't a match in the conn table or the entry had timed out, then the ACL on the interface would be used to validate whether the packet was allowed inbound to the inside interface. In this case the entry exists, so the appliance then undoes the randomization of the acknowledgment number. This is the sequence number randomization (SNR) feature at work, which is used to defeat session hijacking attacks.

TCP Connection Example, Parts 5 and 6

In part 5, the source completes the three-way handshake by sending a TCP ACK, shown in Figure 5-5. The appliance first compares the packet information to the existing connections in the state table to determine whether the packet is new or part of an existing connection. Since it is an existing connection, it should be in the state table. If you examine the Outside Network column above part 2, it shows the packet header as it leaves the appliance. Notice that the source address was changed because of a match on the configured translation policy, and the TCP sequence number was randomized. The corresponding idle timers in the conn and state tables are reset, and the packet is forwarded to the destination, shown in part 6. Again, the appliance keeps track of the packets for the connection and updates the conn table appropriately. If no packets are seen for the duration of the idle timer, or the connection is torn down by the source or destination, the entry is removed from the conn table.

ADDRESS TRANSLATION OVERVIEW

Private Addresses (figure slide)

Needs for Address Translation:
- You are merging two networks that have an overlapping address space. You need to make it appear that the overlapping network numbers are unique to the two different sides.
- Your ISP has assigned you a very small number of public addresses, and you need to provide many of your devices access to the Internet.
- You were assigned a public address space by your ISP, and when you change ISPs, your new ISP will not support your currently assigned address space.
- You have critical services on a single device, and you need to duplicate these resources across many devices. However, you need to make it appear that all of the devices that contain these resources are a single entity.

Disadvantages of Address Translation:
First, when address translation is performed by your address translation device (like the Cisco security appliances), it will have to change the IP addresses in the IP packet header and possibly even the port numbers in TCP or UDP segment headers. Because of this, the address translation device will have to perform additional processing not only to handle the translation process, but also to compute new checksums for the packets. Another problem that address translation introduces deals with troubleshooting network problems. Because address translation changes the source and/or destination IP addresses in the packet headers, it becomes more difficult to troubleshoot network problems. When you examine the addresses in the packet header, you don't know whether you are dealing with the addresses that these machines have assigned on them, or with the addresses that they have been translated to by an address translation device.

Advantages of Address Translation (figure slide)

NAT Example

Interfaces of the example appliance (inside address 192.168.1.1/24 on network 192.168.1.0/24; outside address 200.1.1.1):

  Physical   Logical   Security Level
  E0/0       Outside   0
  E0/1       Inside    100

Figure 5-8. The user sends a packet to a destination with a private address in it.
[Figure: inside hosts 192.168.1.5 and 192.168.1.6 on the Inside Network, a Translation Device, and the Internet destination 201.201.201.2.]

PAT Example (three figure slides)

Address Translation Configuration: Simple NAT Example

  ciscoasa(config)# nat-control
  ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0
  ciscoasa(config)# global (outside) 1 200.200.200.1-200.200.200.125 netmask 255.255.255.128
  ciscoasa(config)# nat (inside) 2 192.168.4.0 255.255.255.0
  ciscoasa(config)# global (outside) 2 200.200.200.126 netmask 255.255.255.255

Policy 1 (a pool of global addresses) is dynamic NAT; policy 2 (a single global address) is PAT.

Address Translation Configuration: PAT and Identity NAT Example

  ciscoasa(config)# nat-control
  ciscoasa(config)# nat (inside) 0 200.200.200.128 255.255.255.128
  ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0 50 25
  ciscoasa(config)# global (outside) 1 200.200.200.1 netmask 255.255.255.255

(In the nat (inside) 1 command, 50 is the maximum number of connections and 25 the embryonic connection limit for hosts matched by the policy.)

Address Translation Configuration: Three-Interface NAT Example

  ciscoasa(config)# nat-control
  ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
  ciscoasa(config)# nat (dmz) 1 192.168.5.0 255.255.255.0
  ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
  ciscoasa(config)# global (dmz) 1 192.168.5.10-192.168.5.254 netmask 255.255.255.0

Here's a breakdown of the address translation policies:
- inside-to-dmz
- inside-to-outside
- dmz-to-outside
(no dmz-to-dmz)

Address Translation Configuration: Policy NAT Example

  ciscoasa(config)# access-list Site_A permit tcp 10.0.1.0 255.255.255.0 host 172.16.10.1
  ciscoasa(config)# nat (inside) 100 access-list Site_A
  ciscoasa(config)# global (outside) 100 172.16.1.100 netmask 255.255.255.255
  ciscoasa(config)# access-list Site_B permit tcp 10.0.1.0 255.255.255.0 host 172.17.10.2
  ciscoasa(config)# nat (inside) 101 access-list Site_B
  ciscoasa(config)# global (outside) 101 172.17.1.88 netmask 255.255.255.255

Address Translation Configuration: Policy Identity NAT Example

  SOHO(config)# access-list VPN-EXEMPT-NAT permit ip 10.100.10.0 255.255.255.0 10.10.0.0 255.255.0.0
  SOHO(config)# nat-control
  SOHO(config)# nat (inside) 0 access-list VPN-EXEMPT-NAT
  SOHO(config)# nat (inside) 1 10.100.0.0 255.255.0.0
  SOHO(config)# global (outside) 1 interface

In the preceding example, the following translation policies are configured:
- When traffic goes across the site-to-site VPN tunnel to the Corporate office, it should not be translated: the access-list and nat (inside) 0 commands implement this policy.
- When traffic goes from the SOHO to Internet locations, it will be translated using PAT: the nat (inside) 1 and global (outside) 1 commands implement this policy.

Address Translation Configuration: Static NAT Example

  ciscoasa(config)# nat-control
  ciscoasa(config)# static (dmz,outside) 200.200.200.1 192.168.5.2 netmask 255.255.255.255
  ciscoasa(config)# static (dmz,outside) 200.200.200.2 192.168.5.3 netmask 255.255.255.255
  ciscoasa(config)# static (inside,outside) 200.200.200.3 192.168.4.1 netmask 255.255.255.255
  ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
  ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
  ciscoasa(config)# global (dmz) 1 192.168.5.10-192.168.5.254 netmask 255.255.255.0

To create a static NAT translation, use the following command:

  ciscoasa(config)# static (local_if_name,global_if_name) global_IP_addr local_IP_addr [netmask subnet_mask] [tcp max_conns [embryonic_conn_limit]] [udp max_conns] [dns] [norandomseq]

Address Translation Configuration: Static PAT Example

  ciscoasa(config)# static (inside,outside) tcp interface 80 192.168.1.20 80 netmask 255.255.255.255

In this example, web traffic sent to port 80 of the IP address on the outside interface of the appliance will be redirected to 192.168.1.20 on port 80 of the inside interface.

Finding a Matching Translation Policy

When looking for a matching translation policy, the appliance goes through the following steps:
1. The appliance looks for an existing translation in the translation table; sometimes Cisco will refer to this as trying to find a "matching xlate slot" in the translation table.
2. If no entry exists in the translation table, the appliance looks for address translation exceptions in the nat 0 commands on a best-match basis.
3. If there are no matches on the Identity NAT commands, the appliance will try to find a match against the configured static NAT commands on a best-match basis.
4. If there are no matches on the static NAT commands, the appliance will try to find a match against the configured static PAT (PAR) policies on a best-match basis.
5. If no match is found within the PAR translation policies, the appliance then looks for a match in its policy nat and global commands with a corresponding ACL.
6. If there is not a match on a policy translation configuration, the appliance then looks for a match in its normal nat and global commands.
7. If a translation or translation policy doesn't exist for the packet, the appliance will drop the packet if NAT control is enabled; if NAT control is not enabled, then the packet is not translated, but can flow through the appliance, assuming other appliance policies allow it.

The Original TCP Intercept / TCP Intercept with SYN Cookies

To prevent an attacker from filling the conn table with half-open TCP connections, Cisco enhanced the TCP Intercept feature with TCP SYN cookies in version 6.2. Instead of proxying the half-open TCP connections and maintaining them in the conn table, the appliance generates a cookie by hashing certain parts of the TCP header; this is then included in the SYN/ACK sent back to the source. Nothing about the original TCP SYN connection is maintained in the state table by the appliance. If a connection attempt is legitimate, the source will respond with the TCP ACK, which should contain the cookie information in the TCP header. At this point, the appliance itself will proxy the connection to the destination and add the new connection to the state table. With the SYN cookie feature, the appliance doesn't have to maintain any connection information for the initial SYN connection attempt, greatly reducing the overhead involved when dealing with a TCP SYN flood attack.

Translation and Configuration Verification

  ciscoasa# show xlate [detail] [global | local IP_address1[-IP_address2] [netmask subnet_mask]] [gport | lport port[-port]] [interface interface_name_1[,interface_name_X]] [state state_information]
  ciscoasa# show conn [detail] [count] [foreign | local IP_address_1[-IP_address_2] [netmask subnet_mask]] [protocol tcp | udp | protocol] [fport | lport port_1[-port_2]] [state state_information]
  ciscoasa# show local-host [IP_address] [detail]
  ciscoasa# clear local-host [IP_address] [all]
  ciscoasa# clear xlate
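The TCP Connection Example above describes how the xlate and conn tables, the embryonic counter and sequence number randomization (SNR) interact across the three-way handshake. The following toy model is an added example written for this page, not Cisco's code: `nat_policy` stands in for a matching nat/global pair, `IDLE_TIMEOUT` and the embryonic limit are constructed values, and the addresses in the usage come from the NAT Example figure.

```python
import random

IDLE_TIMEOUT = 3600  # constructed idle limit (seconds); real conn/xlate timers are configurable

class Appliance:
    """Toy model of the conn/xlate handling in the TCP Connection Example (not ASA code)."""

    def __init__(self, nat_policy, embryonic_limit=2):
        self.nat_policy = nat_policy   # {inside_ip: global_ip}, standing in for a nat/global pair
        self.xlate = {}                # local_ip -> [global_ip, last_seen]
        self.conn = {}                 # (global_ip, sport, dst, dport) -> connection state
        self.embryonic = 0             # half-open (embryonic) connection counter
        self.embryonic_limit = embryonic_limit
        self.intercept_engaged = False

    def outbound_syn(self, src, sport, dst, dport, seq, now):
        """Parts 1 and 2: a new inside->outside SYN. Returns the translated header or None."""
        if src not in self.xlate:
            if src not in self.nat_policy:
                return None            # no translation policy with nat-control on: dropped
            self.xlate[src] = [self.nat_policy[src], now]
        gip = self.xlate[src][0]
        self.xlate[src][1] = now       # xlate idle timer (re)started
        offset = random.getrandbits(32)  # SNR: random offset applied to the initial sequence number
        self.conn[(gip, sport, dst, dport)] = {"offset": offset, "embryonic": True, "last_seen": now}
        self.embryonic += 1
        if self.embryonic > self.embryonic_limit:
            self.intercept_engaged = True   # limit exceeded: TCP Intercept would take over
        return (gip, sport, dst, dport, (seq + offset) & 0xFFFFFFFF)

    def inbound_synack(self, src, sport, dst, dport, ack, now):
        """Parts 3 and 4: the SYN/ACK from outside. Undo SNR on the acknowledgment number."""
        key = (dst, dport, src, sport)
        entry = self.conn.get(key)
        if entry is None or now - entry["last_seen"] > IDLE_TIMEOUT:
            self.conn.pop(key, None)   # unknown or expired: would fall back to the inbound ACL
            return None
        entry["last_seen"] = now
        local = next(l for l, (g, _) in self.xlate.items() if g == dst)
        return (src, sport, local, dport, (ack - entry["offset"]) & 0xFFFFFFFF)

    def outbound_ack(self, src, sport, dst, dport, now):
        """Parts 5 and 6: the handshake completes, so the entry is no longer embryonic."""
        entry = self.conn[(self.xlate[src][0], sport, dst, dport)]
        if entry["embryonic"]:
            entry["embryonic"] = False
            self.embryonic -= 1
        entry["last_seen"] = now
        self.xlate[src][1] = now       # both idle timers reset
        return entry
```

With one inside host and an embryonic limit of 1, a second half-open connection from that host trips `intercept_engaged`, mirroring the counter check the text describes.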
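The seven-step lookup order under "Finding a Matching Translation Policy" is an algorithm, so here it is as an added example (my own code, not an ASA implementation). The configuration dictionary is constructed by blending the static NAT, policy NAT, identity NAT and simple NAT examples from the slides into one appliance; best match is modelled as longest prefix, and only the fields the lookup needs are represented.

```python
from ipaddress import ip_address, ip_network

def best_match(entries, ip):
    """Best match = the most specific (longest-prefix) entry whose network contains ip."""
    hits = [e for e in entries if ip in e["net"]]
    return max(hits, key=lambda e: e["net"].prefixlen) if hits else None

def acl_match(acl, src, dst, proto):
    """Policy NAT / nat 0 ACL: permit when source, destination and protocol all match."""
    return any(src in a["src"] and dst in a["dst"] and a["proto"] in (proto, "ip") for a in acl)

def find_translation(cfg, xlate, src, dst, proto, nat_control=True):
    """Steps 1-7 of the lookup order; returns (policy_kind, global_address_or_None)."""
    src, dst = ip_address(src), ip_address(dst)
    if str(src) in xlate:                                   # 1. existing xlate slot
        return ("xlate", xlate[str(src)])
    if best_match(cfg["nat0"], src) or acl_match(cfg["nat0_acl"], src, dst, proto):
        return ("identity", str(src))                       # 2. nat 0 exemptions (identity NAT)
    hit = best_match(cfg["static_nat"], src)                # 3. static NAT
    if hit:
        return ("static_nat", hit["global"])
    hit = best_match(cfg["static_pat"], src)                # 4. static PAT (PAR)
    if hit:
        return ("static_pat", hit["global"])
    for p in cfg["policy_nat"]:                             # 5. policy nat/global with ACL
        if acl_match(p["acl"], src, dst, proto):
            return ("policy_nat", p["global"])
    hit = best_match(cfg["nat"], src)                       # 6. normal nat/global
    if hit:
        return ("dynamic", hit["global"])
    return ("drop", None) if nat_control else ("untranslated", str(src))   # 7. no policy

# Constructed configuration blending the slide examples (addresses as on the slides).
CFG = {
    "nat0": [{"net": ip_network("200.200.200.128/25")}],
    "nat0_acl": [{"proto": "ip", "src": ip_network("10.100.10.0/24"), "dst": ip_network("10.10.0.0/16")}],
    "static_nat": [{"net": ip_network("192.168.5.2/32"), "global": "200.200.200.1"},
                   {"net": ip_network("192.168.4.1/32"), "global": "200.200.200.3"}],
    "static_pat": [{"net": ip_network("192.168.1.20/32"), "global": "outside-interface:80"}],
    "policy_nat": [{"acl": [{"proto": "tcp", "src": ip_network("10.0.1.0/24"),
                             "dst": ip_network("172.16.10.1/32")}], "global": "172.16.1.100"}],
    "nat": [{"net": ip_network("0.0.0.0/0"), "global": "200.200.200.10-200.200.200.254"},
            {"net": ip_network("192.168.3.0/24"), "global": "200.200.200.126"}],
}
```

Note that a UDP packet from 10.0.1.0/24 to 172.16.10.1 skips the TCP-only policy NAT ACL and falls through to the catch-all nat (inside) 1 entry, which is the kind of surprise the best-match and ACL ordering produces in practice.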
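To make the TCP Intercept with SYN cookies passage concrete, this added example (my own, not Cisco's implementation, whose exact hash inputs and layout are not stated on the slide) mints a stateless cookie from a keyed hash of the 4-tuple and a time slot, verifies it on the final ACK, and only then creates a conn entry. `SECRET` and `SLOT_SECONDS` are constructed values, and the source addresses in the usage are from the TEST-NET ranges.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: a per-appliance secret the real feature would hold
SLOT_SECONDS = 64                     # constructed: time-slot width bounding how long a cookie stays valid

def _cookie(src, sport, dst, dport, slot):
    """Top 8 bits carry the time slot; the low 24 bits are a keyed hash of the 4-tuple and slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (slot << 24) | int.from_bytes(digest[:3], "big")

def syn_cookie(src, sport, dst, dport, now):
    """ISN to place in the SYN/ACK; nothing is stored for the half-open attempt."""
    return _cookie(src, sport, dst, dport, (now // SLOT_SECONDS) & 0xFF)

def cookie_is_valid(src, sport, dst, dport, ack, now):
    """The final ACK must acknowledge a cookie minted in the current or previous slot."""
    cookie = (ack - 1) & 0xFFFFFFFF
    cur = (now // SLOT_SECONDS) & 0xFF
    slot = cookie >> 24
    if slot not in (cur, (cur - 1) & 0xFF):
        return False                          # stale: outside the validity window
    expected = _cookie(src, sport, dst, dport, slot)
    return hmac.compare_digest(cookie.to_bytes(4, "big"), expected.to_bytes(4, "big"))

class Intercept:
    """The conn table only gains an entry after a valid ACK, so a SYN flood leaves it empty."""

    def __init__(self):
        self.conn = {}

    def on_syn(self, src, sport, dst, dport, now):
        # Reply on the destination's behalf; no state is kept for the SYN itself.
        return ("SYN/ACK", syn_cookie(src, sport, dst, dport, now))

    def on_ack(self, src, sport, dst, dport, ack, now):
        if not cookie_is_valid(src, sport, dst, dport, ack, now):
            return False                      # forged or stale ACK: dropped, no state touched
        # Legitimate client: the appliance now proxies the connection to the real destination.
        self.conn[(src, sport, dst, dport)] = {"proxied_at": now}
        return True
```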
