proxy server network address translator firewall
play

Proxy Server, Network Address Translator, Firewall 1 Proxy Server - PDF document

Sep 20, 2023 •45 likes •365 views

Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as a server while talking with

  1. Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1

  2. Introduction • What is a proxy server? � Acts on behalf of other clients, and presents requests from other clients to a server. � Acts as a server while talking with a client, and as a client while talking with a server. • Commonly used HTTP proxy server: � Squid � available on all platforms. 3 What is it really? • It is a server that sits between a client application (Web browser), and a real server. � It intercepts all requests to the real server to see if it can fulfill the requests itself. � If not, it forwards the request to the real server. 4 2

  3. • Mainly serves two purposes: � Improve performance � Can dramatically improve performance for a group of users. � It saves all the results of requests in a cache. � Can greatly conserve bandwidth. � Filter requests � Prevent users from accessing a specific set of web sites. � Prevent users for accessing pages containing some specified strings. � Prevent users from accessing video files (say). 5 Anonymous Proxy Servers • Hide the user’s IP address, thereby preventing unauthorized access to user’s computer through the Internet. • All requests to the outside world originate with the IP address of the proxy server. • Very convenient for group subscription: � On-line journals. � Digital library. 6 3

  4. Where it is located? User agent User Origin PROXY agent server SERVER User Access agent Rules Cache 7 Functions of a HTTP Proxy • Request forwarding � Primary function. � Acts as a rudimentary firewall. • Access control � Allow or deny accesses, based on � Contents � Location • Cache management � Efficient utilization of bandwidth. � Faster access. 8 4

  5. Network Address Translator (NAT) 9 What is NAT? • Allows a single device (router or a dedicated box) to act as an agent between the Internet (public network) and a local (private) network. � Tries to address the IP address distribution problem. � RFC 1631. � Only one unique IP address is required to represent an entire group of computers. � Several variations possible. 10 5

  6. Private Addresses 11 Basic operation of NAT Private Internet network Source = 10.0.1.2 Source = 128.143.71.21 Destination = 213.168.112.3 Destination = 213.168.112.3 NAT private address: 10.0.1.2 public address: 213.168.112.3 device public address: 128.143.71.21 H1 H5 Source = 213.168.112.3 Source = 213.168.112.3 Destination = 10.0.1.2 Destination = 128.143.71.21 Private Public Address Address 10.0.1.2 128.143.71.21 • NAT device has address translation table 12 6

  7. Various Forms of NAT • Static NAT � Used to map an unregistered IP address to a registered IP address. � One-to-one mapping. � N registered addresses for N machines. • Dynamic NAT � Used to map an unregistered IP address to a registered IP address. � From a given pool of registered IP addresses. � Addresses are assigned dynamically. � Any number of internal computers. � A limit N to the number communicating at a time. 13 Various Forms of NAT (contd.) • Overloading � A special form of dynamic NAT. � Used to map multiple unregistered IP addresses to a single registered IP address by using different ports. � Also called port address translation (PAT). � Each computer on the private network gets translated to the same IP address, but with a different port number assignment. � Widely used. 14 7

  8. NAT Overloading …. • Utilizes the multiplexing feature of TCP/IP stack. � A computer maintains several concurrent connections with a remote computer, using different port numbers. • The header of a TCP/IP packet contains: � Source IP address (32 bit) � Source port number (16 bit) � Destination IP address (32 bit) � Destination port number (16 bit) � The combination of above four elements define a TCP/IP connection. 15 • Notations: � Stub domain: the internal or the private network. � Address translation table (ATT): maintained by router/NAT for address and port mapping. • Easy to implement dynamic NAT. � Address translation table need only contain IP address mappings. � Private to public, and vice versa. � No port numbers needed. 16 8

  9. How NAT overloading works? • The scenario: � Internal network has non-routable IP addresses. � NAT-enabled router contains a registered IP address assigned by IANA. � An internal host X tries to connect to, say, an outside Web server. � The router receives the packet from X. 17 � The router will now: � Save IP address and port number from X’s packet to an ATT. � In the packet, replace the IP address with the router’s IP address. � Replace the port number with a port number from the ATT (look for match). For new connection, generate a unique port number. 18 9

  10. � When a packet comes back. � Its destination port is used to search ATT. � Source IP address and port numbers can be obtained. � Addresses changed accordingly. 19 � The Address Translation Table (ATT) looks like: Source Source IP Source NAT IP NAT port address port address number Computer number A 10.5.17.112 500 203.11.16.5 1 B 10.5.17.85 75 203.11.16.5 2 C 10.23.10.5 2480 203.11.16.5 3 D 10.22.5.118 1120 203.11.16.5 4 20 10

  11. Capability Limit of a NAT • Maximum number of concurrent translations: � Mainly determined by the size of the memory to store the ATT. � Typical entry in the ATT takes about 160 bits. � Memory size of 8 Mbyte will support about 8 x 1024 x 1024 x 8 / 160 = 4,19,000 concurrent translations. 21 Which addresses to use inside? • Private address classes. � Set aside by IANA an non-routable. � These addresses are considered unregistered. � Routers discard these addresses, if used as destination. � A packet from a host with a private unregistered address can reach a registered destination host, but not the reverse. 22 11

  12. The Private Address Classes • Class A (one) � 10.0.0.0 to 10.255.255.255 • Class B (sixteen) � 172.16.0.0 to 172.31.255.255 • Class C (256) � 192.168.0.0 to 192.168.255.255 23 Main uses of NAT • Pooling of IP addresses • Supporting migration between network service providers • IP masquerading • Load balancing of servers 24 12

  13. Pooling of IP addresses • Scenario: Corporate network has many hosts but only a small number of public IP addresses • NAT solution: � Corporate network is managed with a private address space. � NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses. 25 � When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host. 26 13

  14. Pooling of IP addresses 27 Migration Between Service Providers • Scenario: � In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network. • NAT solution: � Assign private addresses to the hosts of the corporate network. � NAT device has static address translation entries which bind the private address of a host to the public address. 28 14

  15. � Migration to a new network service provider merely requires an update of the NAT device. � This migration is not noticeable to the hosts on the network. � Note: � The difference to the use of NAT with IP address pooling is that in the present case mapping of public and private IP addresses is static. 29 Supporting Migration Source = 128.143.71.21 ISP 1 Destination = 213.168.112.3 allocates address block 128.143.71.0/24 to private Source = 10.0.1.2 Destination = 213.168.112.3 network: 128.143.71.21 private address: 10.0.1.2 NAT public address: 128.143.71.21 device 128.195.4.120 128.195.4.120 H1 ISP 2 Private allocates address block network 128.195.4.0/24 to private Source = 128.195.4.120 network: Destination = 213.168.112.3 Private Public Address Address 128.143.71.21 10.0.1.2 128.195.4.120 30 15

  16. IP Masquerading • Also called: � Network address and port translation (NAPT), port address translation (PAT). • Scenario: � Single public IP address is mapped to multiple hosts in a private network. • NAT solution: � Assign private addresses to the hosts of the corporate network. � NAT device modifies the port numbers for outgoing traffic. 31 IP Masquerading Source = 10.0.1.2 Source = 128.143.71.21 Source port = 2001 Source port = 2100 private address: 10.0.1.2 NAT 128.143.71.21 Internet H1 Private network device private address: 10.0.1.3 H2 Source = 10.0.1.3 Source = 128.143.71.21 Source port = 3020 Destination = 4444 Private Public Address Address 10.0.1.2/2001 128.143.71.21/2100 10.0.1.3/3020 128.143.71.21/4444 32 16

Recommend

Content Server Caching Network Client Web Server Browser Avoid Network Latency Avoid Queuing

Content Server Caching Network Client Web Server Browser Avoid Network Latency Avoid Queuing

Content Server Caching Network Client Web Server Browser Avoid Network Latency Avoid Queuing Delays at Server Cache Content Locally at client Updates? Cache Content at proxies Proxy Server Client Proxy Server Content Server Proxy

781 views • 14 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Connecting to Citrix MetaFrame Presentation Server through Proxy Servers Web Interface and Proxy

Connecting to Citrix MetaFrame Presentation Server through Proxy Servers Web Interface and Proxy

Connecting to Citrix MetaFrame Presentation Server through Proxy Servers Web Interface and Proxy Servers When a user logs into Web Interface and clicks an application icon, Web Interface dynamically renders an ICA file containing the instructions

490 views • 3 slides
SIP issues Jan Rika CESNET email,sip:janru@cesnet.cz Architecture User Agent

SIP issues Jan Rika CESNET email,sip:janru@cesnet.cz Architecture User Agent

SIP issues Jan Rika CESNET email,sip:janru@cesnet.cz Architecture User Agent B2BUA Server Gateway (UA) registrar MCU (UA) redirect Outbound proxy proxy SIP enabled firewall stateless with NAT

580 views • 13 slides
Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Binding: Connecting From Procedure to Client and Server Remote Procedure Server exports its

Binding: Connecting From Procedure to Client and Server Remote Procedure Server exports its

Binding: Connecting From Procedure to Client and Server Remote Procedure Server exports its interface Three main concerns Identifies itself to network name server Parameter passing Tells local runtime its dispatcher address Failure cases Import

115 views • 7 slides
How a Translator Works CS 222: Programming Languages Translators The job of a tr translator is to

How a Translator Works CS 222: Programming Languages Translators The job of a tr translator is to

How a Translator Works CS 222: Programming Languages Translators The job of a tr translator is to convert data in a source language to an equivalent form in a target language. translator Assemblers Assembly language Machine code Decrement

296 views • 11 slides
Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1 Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques Formal

221 views • 9 slides
Web Proxy Caching Model Web Servers Aggregate Proxy Workload server Web Clients Factors and

Web Proxy Caching Model Web Servers Aggregate Proxy Workload server Web Clients Factors and

Web Proxy Caching Model Web Servers Aggregate Proxy Workload server Web Clients Factors and Levels Cache size Cache Replacement Policy Recency-based LRU Frequency-based LFU-Aging Size-based GD-Size Workload

303 views • 3 slides
Web kuohh Computer Center, CS, NCTU Outline Web hosting Basics Client-Server

Web kuohh Computer Center, CS, NCTU Outline Web hosting Basics Client-Server

Web kuohh Computer Center, CS, NCTU Outline Web hosting Basics Client-Server architecture HTTP protocol Static vs. dynamic pages Virtual hosts Proxy Forward proxy Reverse proxy 2 Computer Center, CS, NCTU

781 views • 34 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Broker Matthias Vallentin UC Berkeley International Computer Science Institute (ICSI) BroCon

Broker Matthias Vallentin UC Berkeley International Computer Science Institute (ICSI) BroCon

Broker Matthias Vallentin UC Berkeley International Computer Science Institute (ICSI) BroCon '16 Communication in Bro Tap Internal Internet Firewall Tap Network Frontend Nodes Manager + Proxy + ... ... Proxy Backend Nodes

755 views • 40 slides
Address Resolution ARP, RARP, Proxy ARP (C) Herbert Haas 2005/03/11 Agenda IP Forwarding

Address Resolution ARP, RARP, Proxy ARP (C) Herbert Haas 2005/03/11 Agenda IP Forwarding

Address Resolution ARP, RARP, Proxy ARP (C) Herbert Haas 2005/03/11 Agenda IP Forwarding Principle Address Resolution Protocol (ARP) IP Routing Basics IP Forwarding and ARP RARP Proxy ARP ICMP IP Forwarding and

1.03k views • 74 slides
1 WeShare comes from the name in the address of the server. 2 SHAREPOINT is the name of

1 WeShare comes from the name in the address of the server. 2 SHAREPOINT is the name of

1 WeShare comes from the name in the address of the server. 2 SHAREPOINT is the name of the Application that runs on the server. It is a Microsoft application that is designed to enable people to Collaborate on documents. 3 One feature

434 views • 18 slides
Maria Bulatova, Daria Kolistratova Background Network Function (NF) a component of a network

Maria Bulatova, Daria Kolistratova Background Network Function (NF) a component of a network

Maria Bulatova, Daria Kolistratova Background Network Function (NF) a component of a network infrastructure with well defined interfaces and behavior ( routing, network address translation (NAT), firewall, etc.). Traditional NFs:

224 views • 19 slides
Firewalls What is a firewall? A machine to protect a network from malicious external

Firewalls What is a firewall? A machine to protect a network from malicious external

Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits between a LAN/WAN and the Internet Running special software to regulate network traffic Lecture 9 Page 1

602 views • 29 slides
XCache deployment experience What is XCache? Basically an xrootd proxy server that also stores

XCache deployment experience What is XCache? Basically an xrootd proxy server that also stores

XCache deployment experience What is XCache? Basically an xrootd proxy server that also stores data passing through it. On next access it delivers data from disk. It needs: a) Dedicated node b) Local storage c) IP d) Secrets (to

390 views • 9 slides
THE THINGS NETWORK STACK V3 Johan Stokking ANNOUNCING THE THINGS NETWORK STACK V3 Supports

THE THINGS NETWORK STACK V3 Johan Stokking ANNOUNCING THE THINGS NETWORK STACK V3 Supports

THE THINGS NETWORK STACK V3 Johan Stokking ANNOUNCING THE THINGS NETWORK STACK V3 Supports LoRaWAN versions: 1.1, 1.0.2 and 1.0 Features Gateway Agent, Gateway Server, Network Server, ApplicaEon Server, Join Server, IdenEty Server

465 views • 23 slides
Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Chanwoo Chung , Jinhyung Koo, Junsu Im, Arvind , and Sungjin Lee DGIST and MIT NVRAMOS 19 2019.10.24 DATA -INTENSIVE COMPUTING SYSTEMS LAB ORATORY Computation Application Application Application Application Application

597 views • 48 slides
I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing Anton Belka, antonbelka@gmail.com GUADEC 2013 The TM Conference GUADEC Proxy editing What is proxy editing? Proxy editing is the ability to

1.75k views • 143 slides
FIREWALL DEPLOYMENT FOR SCADA/PCN How closed need your network needs to be? How open can

FIREWALL DEPLOYMENT FOR SCADA/PCN How closed need your network needs to be? How open can

FIREWALL DEPLOYMENT FOR SCADA/PCN How closed need your network needs to be? How open can you afford your network to be? Where from the vulnerability is coming? How to mitigate the vulnerability? How to detect that anyone

634 views • 48 slides
RESTful WebServices Florian Motlik Webservices now RPC Style SOAP is complicated HTTP not

RESTful WebServices Florian Motlik Webservices now RPC Style SOAP is complicated HTTP not

RESTful WebServices Florian Motlik Webservices now RPC Style SOAP is complicated HTTP not fully used (only post) HTTP Tools not usable (proxy, cache, Firewall) Another layer needed for inspection of SOAP Great for Starting Action on Server

210 views • 9 slides
System Structuring with Threads Example: A Transcoding Web Proxy Appliance Proxy clients

System Structuring with Threads Example: A Transcoding Web Proxy Appliance Proxy clients

System Structuring with Threads Example: A Transcoding Web Proxy Appliance Proxy clients Interposed between Web (HTTP) clients and servers. Masquerade as (represent) the server to the client. Masquerade as (represent) the client to the

617 views • 14 slides

More recommend