Inline...
It wasn't my understanding that a NAT box would do stateful packet
inspection unless one obtained the ones that specifically do SPI. I see
that there are now inexpensive routers that have SPI added.
NAT is stateful by definition.
Here's how an incoming packet is handled:
Destination port explicitly forwarded (static routing)? -> forward packet.
Destination port exists as entry in dynamic NAT table (stateful
routing )? ->forward packet
Else silently drop packet.
The addition of a stateful firewall doesn't add much *if* NAT is already in
place, but it might let you add some static firewall rues ( blocking
specific source / destination etc ), and of course you could add outbound
firewall rules too. You can use this for example to prevent a virus on
your LAN from bulk-emailling the entire internet, by permitting outbound
connections on SMTP port to only your ISP's mailserver.
Where the SPI firewall becomes criticaly important is when the router is
being used in a no-NAT configuration, as a pure IP forwarding router. This
is the case if you have a routed subnet from your ISP. In this case,
there's no NAT to block un-solicited inbound connections to machines on the
LAN. A static port filter firewall would not be much use, because you need
to allow the firewall to dynamically permit replies to outbound connections,
so the firewall needs to maintain state, ie a record of connections
initiated from the inside, and use this state table to determine whether an
inbound packet is unsolicited, or solicited ( in reply to an outbound
request. )
Hmmmmm... here are some diabolical (?) thoughts:
- In a simple network with one gateway / proxy server, the proxy server
knows that it is a proxy server. So, why does it need to be specifically
addressed? Any external address is surely directed to it. But OK, that's
how it's implemented I guess.
*IT* knows it's a proxy server.
But internal machines onthe LAN don't know about it unless you tell them.
The internal machines on your LAN need to be explicitly told to use it.
Yes, external machines like web servers will see all traffic from your LAN
as coming from the proxy, and these machines do not need to know it's
actually a proxy, not the actual originating machine. They just reply to the
machine they see as the originator, and if that happens to be a proxy, well
and good.
- In a NAT implementation it is clear that any external address needs to be
dealt with by changing the source IP address and adding a port.
Changing a port, not adding a port.
NAT example, browsing to
www.google.com:
Internal machine 192.168.0.2
NAT router 192.168.0.1 on Internal side, 81.187.191.65 Public side.
Destination Web site 64.233.167.104
Client machine sends packet to server from random port >1024:
Source IP : Port = 192.168.0.2 : 1025
Destination IP : Port = 64.233.167.104 : 80
This packet is sent to the router's MAC address, because the router
is the defauly gateway, and the destination IP address is outwith the local
subnet.
The NAT function in the router changes the packet as follows:
Source IP : Port = 81.187.191.65 : 5000
Destination IP : Port = 64.233.167.104 : 80
The modified packet is sent on to the web server, and the NAT router
maintains the mapping:
External : 5000 <-> Intenal 192.168.0.2 : 1025
in the NAT table.
The webserver gets the packer, and replies:
Source IP : Port = 64.233.167.104 : 80
Destination IP : Port = 81.187.191.65 : 5000
The router looks at the response, and sees that the destination port
matches a dynamic entry in the NAT table. So the router modifies the
incoming packet with the data fromthe NAT table, and passes the
modifies packet back into the LAN:
Source IP : Port = 64.233.167.104 : 80
Destination IP : Port = 192.168.0.2 : 1025
The original client gets the reply, un-aware of the shenannigans
that went on in between.
It's not clear to me how these are different in what is presented to the
outside world - either outgoing messages or listening "ports"
None, really.
In both cases, all traffic will appear to come from one machine.
Either the NAT box or the proxy box.
Like I say, they are 2 different technologies for doing the same thing.
They operate at different levels in the network layer-cake.
I'm dealing with a system that is designed with a cascaded translation
arrrangement as follows:
NAT router is the outer layer between the internet and the mid-layer
connection. It is connected to a WinProxy server which is the inner layer.
All clients are behind the inner layer - connected to the inside of the
WinProxy server.
It's this way because it was perceived to be somehow "better" to have a
"hardware firewall" in combination with the proxy server.
I do understand why cascaded NAT are used - to isolate individual sections
of a network (e.g. 2 connected LANs with *some* isolation between them). I
have not yet figured out how 2 layers of NAT (or proxy server) provide any
advantage otherwise at the inner layer.
So, as I rearchitect this system I have a number of choices:
1) leave it with two layers because that's deemed "acceptable" and live with
the complexity of the proxy server. Or, leave it with two layers because it
is clearly superior in some (as yet undefined) way.
2) get rid of the proxy server altogether because it provides little
improvement and adds a lot of complexity. This would have the perceived
disadvantage that there is no proxy server and, thus, is not as good a
firewall. But, if the NAT router has SPI then I wonder......
3) get rid of the NAT router because somehow the proxy server is "better".
This would have the perceived disadvantage that it's a Windows-based
"software firewall" only.
So far I have not heard why a proxy server is somehow superior.
It's not, IMHO.
If one were to start with a proxy server and add a NAT router "hardware
firewall" to augment the proxy server then I could sort of understand the
evolution.
However, doing this then begs the question: "why keep the proxy
server?"
It does indeed.
I hope the orgin of my questions is clearer now. I do appreciate the help!
Fred
Personally, I like to reduce complexity.
I would most likely want to loose the proxy.
I don't think the proxy adds much to the security in the situation you have.
But it adds a level of complexity, and it will reduce functionality you may
want in the future.
But then again I don't see the whole picture.
There may be other reasons it's there.
You'd need to get the whole case history.
Is it possibly being used as an Internet Access control system, to permit
certain
users and deny others Internet Access?
Of course there are political as well as technical considerations, and if it
is the case that the management are heavily wedded to this setup, you may
have a hard time persuading them to change it.
Even security aside, there may be reluctance to mess with a
currently-working setup it in case it breaks.
Perhaps if the proxy machine were to suffer an unexpected and catastrophic
failure.... ;-)