Working Principle of Network Address Port Translation (NAPT)
Network Address Port Translation (NAPT) is the form of NAT in which the private IP addresses and port numbers of many internal hosts are mapped onto a single public address, with the translated source port distinguishing the individual connections.
In a home broadband router it lets the router act as an intermediary between the local (private) network and the Internet (public network). Hosts on the private network are not reachable from outside by default; to expose an internal service such as a web, e-mail or FTP server, a static mapping (called a "virtual server" or port forward in most router interfaces) is configured. The mapping only makes the service reachable; it does nothing to secure it.
A dynamic NAPT implementation has a firewall-like side effect (Monir et al. 2019): an inbound packet is only translated and forwarded if an internal host has already created a mapping by initiating an outbound connection, so unsolicited inbound connections are dropped. An outsider therefore cannot address a private host's IP and port directly. This is a property of the translation table rather than an enforced security policy, and it does not replace a firewall.
NAPT is useful for reaching external networks while concealing the private address space, and a NAT gateway reduces the number of public IP addresses an organisation needs.
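The translation table described above, as an added example (not code from the page): outbound packets from internal hosts allocate public ports on one public address, a reply is translated back only if a mapping exists, an unsolicited probe is dropped, and a static mapping exposes one internal service. The addresses, ports and the endpoint-independent mapping policy are constructed for the example.

```python
"""Toy NAPT gateway (added example, not from the page).

Models the translation table a dynamic NAPT gateway keeps: an outbound
packet from a private host creates a mapping (private ip, private port)
-> (public ip, public port); an inbound packet is forwarded only if a
mapping for its destination port exists. A static mapping ("virtual
server" / port forward) exposes one internal service. Mappings here are
keyed on the internal endpoint only and never expire, a simplification
of real gateways, which also track the remote endpoint and time entries out.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


class NaptGateway:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self.inbound: Dict[int, Endpoint] = {}    # public port -> private endpoint
        self.outbound: Dict[Endpoint, int] = {}   # private endpoint -> public port

    def add_static_mapping(self, public_port: int, private: Endpoint) -> None:
        """Port forward ('virtual server'): expose one internal service."""
        self.inbound[public_port] = private
        self.outbound[private] = public_port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Private -> public. Allocates a mapping on first use."""
        port = self.outbound.get(pkt.src)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.outbound[pkt.src] = port
            self.inbound[port] = pkt.src
        return Packet((self.public_ip, port), pkt.dst, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private. Returns None (drop) when no mapping exists:
        this is the 'unsolicited inbound is dropped' side effect of NAPT."""
        private = self.inbound.get(pkt.dst[1])
        if private is None or pkt.dst[0] != self.public_ip:
            return None
        return Packet(pkt.src, private, pkt.proto)


def demo():
    """Constructed traffic: two internal hosts, one reply, one probe, one forwarded service."""
    gw = NaptGateway("203.0.113.5")
    gw.add_static_mapping(80, ("192.168.1.10", 80))  # internal web server exposed on :80
    # Two hosts share one public address; the public port tells them apart.
    out1 = gw.translate_outbound(Packet(("192.168.1.2", 51000), ("198.51.100.7", 443)))
    out2 = gw.translate_outbound(Packet(("192.168.1.3", 51000), ("198.51.100.7", 443)))
    # The reply to host 1 arrives on the public port allocated for it.
    reply = gw.translate_inbound(Packet(("198.51.100.7", 443), ("203.0.113.5", out1.src[1])))
    # An unsolicited probe to a port with no mapping has nowhere to go and is dropped.
    probe = gw.translate_inbound(Packet(("198.51.100.9", 4444), ("203.0.113.5", 22)))
    # The port-forwarded service is reachable by anyone.
    web = gw.translate_inbound(Packet(("198.51.100.9", 4444), ("203.0.113.5", 80)))
    return out1, out2, reply, probe, web


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The dropped probe is the whole of NAPT's "firewall" effect: there is no policy decision, only a missing table entry, and the forwarded web server shows how quickly that protection disappears once a mapping exists.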
Figure 1: NAPT Working Principle
A firewall prevents unwanted communication with the external network by enforcing policy: an allowlist permits only specified addresses or services to reach the local network, and a blocklist denies traffic to or from specified addresses (Yusuf et al. 2017). The firewall therefore acts as a security check on all traffic entering and leaving the network.
NAT, by contrast, rewrites IP addresses (and, for NAPT, port numbers) on traffic flowing to or from the external network; it changes the source or the destination address depending on the direction of the flow.
NAT and firewalls thus serve different purposes and are not equivalent. Controlling traffic into and out of the local network requires both: NAT for address translation and a firewall for policy enforcement.
Packet Filtering Ruleset and Its Importance
A host at any IP address with source port 1023 may send TCP packets to the 192.168.1.0 subnetwork on any destination port; the rule allows the packet with no further restriction on the destination port. Because the rule is keyed only on the source port, which an external sender chooses freely, it admits any TCP packet to any internal port; a stateful rule that admits only replies to established connections should be used instead.
Only hosts with a source address in 192.168.1.0, from any source port, may reach any destination host on any destination port.
Packets from any source are allowed to the SMTP port of the server at IP address 192.168.1.2.
Any connection attempted by a host with source address 192.168.1.1 to any destination address and any destination port is refused.
Any source address on any source port attempting to connect to destination address 192.168.1.1 on any destination port is forbidden (Ruleset 3).
Importance: the packet filtering ruleset gives clear direction on which traffic is permitted and which is denied. A medium-sized organisation does not want every subnetwork to have access to every server or every other subnetwork, and the ruleset is how such restrictions are implemented.
VLAN (Virtual Local Area Network)
If smallorg.co.uk split its Ethernet network by physically installing separate Layer 2 switches, it would need a large number of switches. A VLAN lets a single Layer 2 switch segment an Ethernet network instead. The diagram below shows an example. Layer 2 Switch 1 is configured with VLAN10 and VLAN20: VLAN10 is assigned to the ports where PC1 and PC2 are connected, and VLAN20 to the ports where PC3 and PC4 are connected. The switch thereby divides the network into two parts, an Ethernet network for VLAN 10 and one for VLAN 20. IP addresses are assigned so that PC1 and PC2 are on 192.168.1.0/24 and PC3 and PC4 are on 192.168.2.0/24.
When an Ethernet network is separated into VLANs, broadcasts, multicasts and other Layer 2 traffic are confined to the VLAN they originate in; the switch forwards them only to ports in the same VLAN.
Inter-VLAN routing can be performed on a multilayer switch using its internal VLAN interfaces (switched virtual interfaces, one per VLAN); external physical interfaces can carry traffic but are not required for the routing itself. While traffic is routed between VLANs, broadcast traffic received on a VLAN still stays on that VLAN's member ports. On a multilayer switch the routing is done on those VLAN interfaces rather than on subinterfaces; subinterfaces belong to the router-on-a-stick approach used when routing is done on a separate router.
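The segmentation described for Layer 2 Switch 1, as an added example (not code from the page): an 802.1Q tag is built and parsed, and a small switch model with access ports in VLAN 10 and VLAN 20 plus one trunk port floods a broadcast only to ports of the same VLAN and forwards a learned unicast to one port. The port assignments, MAC addresses and the absence of a native VLAN on the trunk are constructed for the example.

```python
"""802.1Q tagging and per-VLAN broadcast domains (added example, not from the page).

Builds a tagged Ethernet frame, parses the tag back out, and models a
Layer 2 switch whose ports belong to VLANs: a broadcast is flooded only
within the ingress VLAN, a learned unicast goes to one port, and frames
leaving on the trunk carry the VLAN tag. Ports and MACs are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_8021Q = 0x8100          # TPID that marks a VLAN-tagged frame
BROADCAST = b"\xff" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: bytes, src: bytes, vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Ethernet frame with an 802.1Q tag: dst, src, TPID, TCI (PCP|DEI|VID), ethertype, payload."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vid or None, ethertype, payload); untagged frames yield vid None."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class VlanSwitch:
    """Access ports carry untagged frames for one VLAN; trunk ports carry tagged frames for all."""

    def __init__(self, access: Dict[int, int], trunks: Tuple[int, ...] = ()) -> None:
        self.access = access                       # port -> VLAN id
        self.trunks = set(trunks)                  # no native VLAN: untagged on trunk is dropped
        self.mac_table: Dict[Tuple[int, bytes], int] = {}   # (vlan, mac) -> port

    def _egress(self, port: int, vlan: int, dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
        if port in self.trunks:
            return build_frame(dst, src, vlan, ethertype, payload)
        return dst + src + struct.pack("!H", ethertype) + payload   # access port: tag stripped

    def receive(self, in_port: int, frame: bytes) -> Dict[int, bytes]:
        """Switch one frame; return {egress port: frame as sent on that port}."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if in_port in self.trunks:
            if vid is None:
                return {}                          # untagged on a trunk: drop
            vlan = vid
        else:
            if vid is not None:
                return {}                          # tagged on an access port: drop
            vlan = self.access[in_port]
        self.mac_table[(vlan, src)] = in_port      # learn source per VLAN
        members = [p for p, v in self.access.items() if v == vlan and p != in_port]
        members += [p for p in self.trunks if p != in_port]
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            out = self.mac_table[(vlan, dst)]
            members = [out] if out != in_port else []
        return {p: self._egress(p, vlan, dst, src, ethertype, payload) for p in members}


def demo():
    """Ports 1-2 in VLAN 10, 3-4 in VLAN 20, port 5 a trunk; constructed ARP-like frames."""
    sw = VlanSwitch(access={1: 10, 2: 10, 3: 20, 4: 20}, trunks=(5,))
    pc1, pc2, pc3 = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02"), mac("02:00:00:00:00:03")
    arp = struct.pack("!H", 0x0806)
    flood1 = sw.receive(1, BROADCAST + pc1 + arp + b"who-has 192.168.1.2")   # VLAN 10 broadcast
    flood3 = sw.receive(3, BROADCAST + pc3 + arp + b"who-has 192.168.2.1")   # VLAN 20 broadcast
    reply = sw.receive(2, pc1 + pc2 + arp + b"is-at")                         # unicast to learned PC1
    return flood1, flood3, reply


if __name__ == "__main__":
    for result in demo():
        print({port: parse_frame(f)[2] for port, f in result.items()})
```

PC1's broadcast never reaches ports 3 and 4, which is the whole point of the segmentation, but it does reach the trunk with VID 10 in the tag. Real switches additionally have a native (untagged) VLAN on trunks; it should be set to an unused VLAN so that an untagged frame from a host cannot be mistaken for trunk traffic.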
Figure 2: Subnetting IP addresses
Egress Filtering
Egress filtering is the practice of controlling, monitoring and restricting traffic leaving a network, so that only legitimate traffic goes out and unauthorised traffic is blocked. It is implemented with predefined rules on the firewall (Soliman et al. 2018). Egress filtering is used to stop ordinary users reaching forbidden services, such as online gambling sites, and to stop malicious activity, such as an infected device attempting to leak data to a remote host. In this local network it applies to packets travelling from 192.168.1.1 to the outside ISP.
Ingress filtering is the practice of controlling, monitoring and restricting traffic entering the network, dropping it if it is not legitimate. It too is implemented on the firewall with predefined rules. Ingress filtering covers traffic from the outside ISP to the subnet hosts that provide services in the DMZ. It is a simple and effective way of limiting the impact of a Denial of Service (DoS) attack: packets arriving from outside with a forged source address inside 192.168.1.0/24 are denied, which ensures that traffic is traceable to its legitimate network.
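A stateless first-match packet filter, as an added example (not code from the page), serving both the ruleset described under "Packet Filtering Ruleset" and the egress and ingress filtering above. The page's ruleset table is not reproduced there, so the rules below are constructed from its descriptions, with one added ingress anti-spoofing rule; the external addresses, rule order and default-deny are assumptions.

```python
"""Stateless packet filter with ingress/egress rules (added example, not from the page).

Rules are evaluated first-match and the implicit last rule denies everything.
The ruleset is built from the rule descriptions in the text plus an
ingress anti-spoofing rule; traffic and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ANY = None                     # wildcard for any rule field
INTERNAL = "192.168.1.0/24"


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" (from the ISP) or "out" (to the ISP)
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "deny"
    direction: Optional[str] = ANY
    proto: Optional[str] = ANY
    src: Optional[str] = ANY                     # address or CIDR
    src_port: Optional[Tuple[int, int]] = ANY    # inclusive range
    dst: Optional[str] = ANY
    dst_port: Optional[Tuple[int, int]] = ANY
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        def ip_ok(spec: Optional[str], ip: str) -> bool:
            return spec is ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

        def port_ok(spec: Optional[Tuple[int, int]], port: int) -> bool:
            return spec is ANY or spec[0] <= port <= spec[1]

        return ((self.direction is ANY or self.direction == p.direction)
                and (self.proto is ANY or self.proto == p.proto)
                and ip_ok(self.src, p.src_ip) and port_ok(self.src_port, p.src_port)
                and ip_ok(self.dst, p.dst_ip) and port_ok(self.dst_port, p.dst_port))


def filter_packet(rules: Iterable[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; deny if none matches."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "default deny"


RULESET: List[Rule] = [
    Rule("deny", src="192.168.1.1", comment="host .1 may not initiate anything"),
    Rule("deny", dst="192.168.1.1", comment="nothing may reach host .1"),
    Rule("deny", direction="in", src=INTERNAL,
         comment="ingress filtering: an internal source on the outside interface is spoofed"),
    Rule("allow", direction="in", proto="tcp", dst="192.168.1.2", dst_port=(25, 25),
         comment="anyone may reach the SMTP server"),
    Rule("allow", direction="out", src=INTERNAL, comment="egress: internal hosts may reach anything"),
    Rule("allow", direction="in", proto="tcp", src_port=(1024, 65535), dst=INTERNAL,
         comment="the page's high-source-port rule, as described"),
]


def demo() -> Dict[str, str]:
    """Constructed packets; 198.51.100.0/24 plays the role of the outside world."""
    cases = {
        "smtp_in": Packet("in", "tcp", "198.51.100.7", 51515, "192.168.1.2", 25),
        "spoofed_in": Packet("in", "tcp", "192.168.1.9", 51515, "192.168.1.2", 25),
        "host1_out": Packet("out", "tcp", "192.168.1.1", 51515, "198.51.100.7", 443),
        "to_host1_in": Packet("in", "tcp", "198.51.100.7", 4444, "192.168.1.1", 22),
        "web_out": Packet("out", "tcp", "192.168.1.5", 51515, "198.51.100.7", 443),
        "high_port_scan_in": Packet("in", "tcp", "198.51.100.9", 4444, "192.168.1.5", 22),
        "low_port_in": Packet("in", "tcp", "198.51.100.9", 80, "192.168.1.5", 8080),
        "udp_in": Packet("in", "udp", "198.51.100.9", 5000, "192.168.1.5", 53),
    }
    return {name: filter_packet(RULESET, p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The "high_port_scan_in" case is the practical lesson: the last rule admits an outside host's connection to SSH on an internal machine simply because the attacker chose source port 4444. Stateless filters cannot tell a reply from a new connection, so return traffic should be admitted by connection tracking on the firewall rather than by a source-port rule.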
A passive attacker can monitor the avian carrier system by keeping a close watch on the sending base. When a pigeon leaves the base station, the passive attacker can follow it with UAVs.
By tracking departure times and flight paths over a period, the passive attacker learns the route and its weak points, information that could later be used to prevent pigeons from reaching the destination base.
An active attacker disturbs the system by catching a pigeon and copying its flash drive. After copying it, the attacker can either let the pigeon complete its journey, so that nobody suspects the breach, or prevent the information from reaching the destination base. The active attacker will use the information gathered by the passive attacker, which may be enough to pick the carrier pigeons out of a flock.
An on-path attacker takes the flash drive from the pigeon and can replace its contents with a fake datagram. The on-path attacker will try to use the original datagram contents to gain access to the base stations, and may also load the flash drive with malicious software that will affect the destination base.
An off-path attacker trains a pigeon to impersonate the genuine ones and sends it to the destination base with a customised flash drive. The destination base could mistake the fake pigeon for a real one and use the flash drive, which contains malicious software.
The system can be monitored with cameras and a tracking chip. Both base stations must be under camera surveillance at all times, and the coverage must extend to neighbouring buildings and high points in order to identify any suspicious persons.
In addition to the cameras, each pigeon must carry an implanted tracking chip that is monitored in real time. Both stations must be equipped with tracking equipment capable of detecting anomalies or suspicious behaviour in a pigeon's travel time.
The pigeons can also carry a subminiature camera; its footage confirms that the pigeon did not stray from its intended path or encounter anything suspicious.
The flash drive can also be designed differently from a conventional one: it can be programmed so that its contents are destroyed if it is accessed by an unauthorised machine.
The truck that carries the pigeons must likewise be tracked and covered by CCTV at all times, from the sender to the destination and back.
Data integrity between the two bases must be assured to enable secure transfer. Both base stations must use the same authentication scheme, computing and verifying a keyed hash (a message authentication code) over the data. The key must be shared between the two bases in advance over a secure channel and must be rotated after a fixed period. With such a scheme both bases can verify the integrity of the data: any tampering or modification is detected easily and reliably, which prevents both on-path and off-path attackers from affecting the transmission.
A malicious pcap file delivered to a base station by a bird can be identified by marking each pigeon with a unique authentication chip, used as a rogue-unit detection tool. The authentication chip also needs to be updated regularly to keep the process protected. The flock of pigeons must periodically go through security clearance in order to remain in use as a transmission tool. Additionally, another tool must be designed to identify modified data and block access to the flash drive.
Confidentiality must be practised in several places. First, the resting location of the flock must not be disclosed to the public. Beyond the resting place, the process of selecting particular pigeons and their training must be kept secret. The departure time of every pigeon is also confidential.
The most direct way to guarantee data confidentiality is to encrypt all sensitive data for processing, storage and transmission. While encryption gives a satisfactory degree of protection, several subtle and difficult issues must be handled. For avian data transmission the usual protocols such as IPsec and TLS do not apply, since there is no interactive network session over which to negotiate them; the data on the flash drive itself must therefore be encrypted with a strong algorithm, and the key sharing and rotation described above must be in place.
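The shared-key integrity scheme described above, as an added example (not code from the page): both stations hold pre-shared keys indexed by a key id so that keys can be rotated and retired, the sender writes a header, the payload and an HMAC-SHA256 tag to the drive, and the receiver rejects modified contents (on-path tampering), a re-delivered copy of an old drive (a replay by an off-path attacker) and anything signed with a retired key. Keys, payloads and the single-peer sequence counter are constructed; encryption of the payload with an AEAD such as AES-GCM would sit alongside this and is not shown, as the standard library has no AEAD.

```python
"""Integrity and freshness for a flash-drive payload carried between two base
stations (added example, not from the page).

Drive layout: key id (16 bit) | sequence number (64 bit) | payload | HMAC-SHA256 tag.
The tag covers the header and the payload, so neither can be altered, and the
sequence number lets the receiver reject a copied drive delivered twice.
Keys and payloads below are constructed for the example.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

TAG_LEN = 32
HEADER = struct.Struct("!HQ")          # key id, sequence number


class BaseStation:
    def __init__(self, keys: Dict[int, bytes], current_key_id: int) -> None:
        self.keys = dict(keys)          # key id -> pre-shared key (shared out of band)
        self.current_key_id = current_key_id
        self.next_send_seq = 1
        self.highest_seen = 0           # highest sequence number accepted from the peer

    def rotate(self, new_key_id: int, key: bytes) -> None:
        """Both stations must perform the same rotation; old keys are deleted to retire them."""
        self.keys[new_key_id] = key
        self.current_key_id = new_key_id

    @staticmethod
    def _tag(header: bytes, payload: bytes, key: bytes) -> bytes:
        return hmac.new(key, header + payload, hashlib.sha256).digest()

    def write_drive(self, payload: bytes) -> bytes:
        """Sender side: produce the bytes written to the flash drive."""
        header = HEADER.pack(self.current_key_id, self.next_send_seq)
        self.next_send_seq += 1
        return header + payload + self._tag(header, payload, self.keys[self.current_key_id])

    def read_drive(self, blob: bytes) -> Tuple[bool, str, Optional[bytes]]:
        """Receiver side: (accepted, reason, payload). Verify the tag before trusting any field."""
        if len(blob) < HEADER.size + TAG_LEN:
            return False, "truncated", None
        header, body, tag = blob[:HEADER.size], blob[HEADER.size:-TAG_LEN], blob[-TAG_LEN:]
        key_id, seq = HEADER.unpack(header)
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown or retired key id", None
        if not hmac.compare_digest(tag, self._tag(header, body, key)):
            return False, "tag mismatch: contents modified or wrong key", None
        if seq <= self.highest_seen:
            return False, "replay: sequence number not fresh", None
        self.highest_seen = seq
        return True, "ok", body


def demo():
    """Genuine delivery, a replayed copy, a tampered drive, a key rotation and a forgery."""
    k1 = b"\x11" * 32
    sender = BaseStation({1: k1}, 1)
    receiver = BaseStation({1: k1}, 1)
    drive = sender.write_drive(b"orders: move at dawn")
    ok1 = receiver.read_drive(drive)                 # genuine delivery
    replay = receiver.read_drive(drive)              # cloned drive delivered again by an off-path pigeon
    tampered = bytearray(drive)
    tampered[HEADER.size] ^= 0x01                    # on-path attacker flips one payload bit
    tam = receiver.read_drive(bytes(tampered))
    k2 = b"\x22" * 32
    sender.rotate(2, k2)
    receiver.rotate(2, k2)
    del receiver.keys[1]                             # retire the old key
    ok2 = receiver.read_drive(sender.write_drive(b"orders: hold position"))
    forged = BaseStation({1: k1}, 1).write_drive(b"orders: retreat")   # attacker holding only the retired key
    forg = receiver.read_drive(forged)
    return ok1, replay, tam, ok2, forg


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of checks matters: the tag is verified before the sequence number is consulted, so a forged header cannot move the replay window, and `hmac.compare_digest` is used so that the comparison time does not leak how many tag bytes matched.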
The university currently works with other large organisations and serves a large number of clients. It uses the JISC network as its network provider, Wi-Fi and Ethernet as the media for data communication across the campus, a virtual private network, and a data centre or private cloud. Internally the university uses NAT and firewalls, with a Palo Alto firewall as its main network gateway. SDN (software-defined networking) is a networking approach that uses software-based controllers or APIs to communicate with the underlying hardware infrastructure and direct traffic on the network.
This report sets out the effects of deploying a software-defined network at the university, how it would be used to improve security, and the changes to the IT infrastructure. The key areas discussed are what the new network architecture could look like, which network protections and controls could be deployed, the benefits of SDN to the university, and how the implementation of SDN will change the attack surface of the university's IT infrastructure.
Before deploying SDN, the current architecture needs to be analysed; this provides the insight needed to design effective SDN control.
The university's network consists of:
Users: students, faculty, guests, management team, etc.
Devices: desktops, laptops, smartphones, routers, switches, servers.
Applications: student learning centre, exam centre, Blackboard, monitoring applications, etc.
Connectivity options: wired, wireless, remote VPN, etc.
- Because each department and course requires different types of application, it is hard to deliver those services to faculty and students with the existing architecture.
- It is not possible to apply different policies and services based on user need.
- The existing architecture cannot host new advanced services to meet real-time demands.
- It cannot apply and enforce application-specific performance requirements.
Figure 2: proposed architecture (enable SDN control)
The new architecture can address these issues. It provides service control, which the university can use to deliver the student portal as a service and to run examinations in a controlled manner; it will also be able to manage students' actions on the system.
Granular security: one of the main advantages of SDN is increased network visibility. In traditional networking any security control that affects traffic is coarse-grained and applied network-wide. With SDN the control is granular, meaning engineers can block malicious traffic at the level of individual flows (Alsaeedi, Mohamad and Al-Roubaiey 2019), and can therefore deal with a misbehaving segment precisely. What used to require hours of manual review can be done in seconds thanks to the visibility provided by a single centralised point.
Updates: when important security updates are issued, installing them manually on each device takes a long time and leads to misconfigurations or devices being missed. Through the SDN controller each node can be updated without touching the devices individually, so changes are propagated throughout the network quickly and accurately.
Hardware restrictions: because the SDN controller centralises control of the whole network, no individual device makes forwarding decisions on its own. This gives organisations more control over their network without depending on proprietary hardware controllers. SDN also has further advantages, such as using SD-WAN to abstract network control across a company's WAN (Alsaeedi, Mohamad and Al-Roubaiey 2019); these are benefits of technologies built on SDN rather than of SDN itself. As with any business solution, the advantages must be weighed against the potential drawbacks.
- SDN will maximise the virtualisation of applications and services and improve power consumption and resource utilisation.
- It will also improve service availability.
- Network virtualisation allows rapid service deployment and tear-down without affecting other logical networks.
As the de facto standard SDN protocol, OpenFlow introduces a reactive packet-processing mechanism based on the match-action paradigm: an OpenFlow switch processes packets according to its flow tables, and when no flow entry in the local table matches a packet (a table-miss), the switch encapsulates the packet in a packet-in message and sends it to the controller for further processing.
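The table-miss and packet-in cycle above, as an added example (not code from the page or from any OpenFlow implementation): a switch keeps a priority-ordered flow table whose lowest-priority entry sends unmatched packets to the controller; the controller, acting as a learning switch, floods unknown destinations and installs an exact-match flow entry once it knows the output port, so the third packet is handled in the data plane without a packet-in. Messages are plain Python objects rather than OpenFlow wire format, and the datapath id, ports and MAC addresses are constructed.

```python
"""Reactive OpenFlow-style flow processing (added example, not from the page).

A switch matches packets against a priority-ordered flow table. A table-miss
produces a packet-in to the controller, which here is a learning switch: it
learns the source MAC's port, floods if the destination is unknown, and
otherwise installs a flow entry (flow-mod) and sends the packet out
(packet-out). Later packets for that destination never leave the data plane.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FLOOD = "FLOOD"
CONTROLLER = "CONTROLLER"


@dataclass(frozen=True)
class Packet:
    in_port: int
    eth_src: str
    eth_dst: str


@dataclass
class FlowEntry:
    priority: int
    match: Dict[str, object]      # subset of {"in_port", "eth_src", "eth_dst"}; empty = wildcard
    actions: List[object]         # output port numbers, FLOOD or CONTROLLER
    packets: int = 0              # per-entry counter, as OpenFlow keeps

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())


class OFSwitch:
    def __init__(self, dpid: int, ports: List[int], controller: "Controller") -> None:
        self.dpid, self.ports, self.controller = dpid, ports, controller
        # Table-miss entry: lowest priority, matches everything, sends to the controller.
        self.table: List[FlowEntry] = [FlowEntry(0, {}, [CONTROLLER])]

    def flow_mod(self, entry: FlowEntry) -> None:
        """Install an entry; highest priority is consulted first."""
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)

    def apply_actions(self, actions: List[object], pkt: Packet) -> List[int]:
        out: List[int] = []
        for a in actions:
            if a == CONTROLLER:
                out += self.controller.packet_in(self, pkt)       # packet-in; controller answers with packet-out
            elif a == FLOOD:
                out += [p for p in self.ports if p != pkt.in_port]
            else:
                out.append(a)
        return out

    def receive(self, pkt: Packet) -> List[int]:
        """Process one packet; return the physical ports it is sent out of."""
        for entry in self.table:
            if entry.matches(pkt):
                entry.packets += 1
                return self.apply_actions(entry.actions, pkt)
        return []


class Controller:
    """Learning-switch application: learns MAC -> port per datapath, installs exact-match flows."""

    def __init__(self) -> None:
        self.mac_to_port: Dict[Tuple[int, str], int] = {}
        self.packet_ins = 0

    def packet_in(self, sw: OFSwitch, pkt: Packet) -> List[int]:
        self.packet_ins += 1
        self.mac_to_port[(sw.dpid, pkt.eth_src)] = pkt.in_port
        out_port = self.mac_to_port.get((sw.dpid, pkt.eth_dst))
        if out_port is None:
            return sw.apply_actions([FLOOD], pkt)                   # packet-out: flood, nothing installed
        sw.flow_mod(FlowEntry(10, {"in_port": pkt.in_port, "eth_dst": pkt.eth_dst}, [out_port]))
        return sw.apply_actions([out_port], pkt)                    # packet-out for this packet


def demo():
    """Constructed hosts A (port 1) and B (port 2) on a three-port switch."""
    ctl = Controller()
    sw = OFSwitch(1, [1, 2, 3], ctl)
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    first = sw.receive(Packet(1, a, b))    # table-miss, B unknown: flooded
    second = sw.receive(Packet(2, b, a))   # table-miss, A known: flow installed, sent to port 1
    third = sw.receive(Packet(2, b, a))    # matches the installed flow, no packet-in
    return first, second, third, ctl.packet_ins, len(sw.table)


if __name__ == "__main__":
    print(demo())
```

Every table-miss costs a round trip to the controller, so a host that keeps changing its source MAC or destination forces one packet-in per packet; a deployment needs packet-in rate limiting on the switch and a protected control channel, otherwise the controller, not the link, becomes the easiest thing to saturate.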
With the advent of SDN, a new approach to protecting control-plane traffic is required. In classical IP networks control-plane security came from the routing protocols' own authentication features: MD5 authentication for IS-IS, OSPFv2 and EIGRP, IPsec AH for OSPFv3, and GTSM, ACLs and passwords for MP-BGP (Abdou, Van Oorschot and Wan 2018). Even in classical IP networks some implementers do not follow these basic measures. Approaching an SDN deployment with the same disregard for security exposes the organisation to attack, and the stakes are higher because the channel between the switches and the controller now carries every forwarding decision; OpenFlow allows that channel to run over TLS with mutual certificate authentication, which should be the baseline.
Conclusion
Campus networks have multiple demanding and diverse requirements, such as security policy enforcement, provisioning and integration, which must be met to achieve an efficient workflow. SDN is well suited to providing such solutions, accommodating virtualised compute nodes, complex regulatory environments, layered switch fabrics, and wired and wireless connectivity.
As SDN evolves, the university will also benefit from its intelligent, highly programmable and abstracted architecture.
References
Alsaeedi, M., Mohamad, M.M. and Al-Roubaiey, A.A., 2019. Toward adaptive and scalable OpenFlow-SDN flow control: A survey. IEEE Access, 7, pp.107346-107379.
Monir, M.F., Uddin, R. and Pan, D., 2019, December. Behavior of NAPT Middleware in an SDN Environment. In 2019 4th International Conference on Electrical Information and Communication Technology (EICT) (pp. 1-5). IEEE.
Soliman, A.K., Salama, C. and Mohamed, H.K., 2018, December. Detecting DNS reflection amplification DDoS attack originating from the cloud. In 2018 13th International Conference on Computer Engineering and Systems (ICCES) (pp. 145-150). IEEE.
Yusuf, S.E., Ge, M., Hong, J.B., Alzaid, H. and Kim, D.S., 2017, August. Evaluating the effectiveness of security metrics for dynamic networks. In 2017 IEEE Trustcom/BigDataSE/ICESS (pp. 277-284). IEEE.
My Assignment Help (2022). Understanding NAT And Firewall: Exam-like Essay Question. Retrieved from https://myassignmenthelp.com/free-samples/iy5511j-network-security/ethernet-network-management-file-A1E2427.html