Network Security Fundamentals [Electronic resources]

Gert De Laet, Gert Schauwers


Enhancements for Firewalls

Of the many enhancements to firewalls, this section concentrates on four of the most important feature enhancements present in today's firewalls, namely:

  • NAT

  • Proxy services

  • Content filtering

  • Antivirus software

NAT

NAT is a router or firewall function whose main objective is to translate the addresses of hosts behind a firewall or router. NAT can also be used to overcome the IP address shortage that users currently experience with IPv4.

NAT is typically used for internal IP networks that have unregistered (not globally unique) IP addresses. NAT translates these unregistered addresses into the legal addresses of the outside (public) network. This allows unregistered IP address space connectivity to the web and also provides added security.

NOTE

NAT is defined by RFC 1631, which can be found at http://www.ietf.org/rfc/rfc1631.txt. Cisco devices started supporting NAT in Cisco IOS versions 11.2 and higher. NAT basically provides the capability to retain your network's original IP addressing scheme while translating that scheme into valid Internet IP addresses, and it ensures that your private addresses are never viewed by intruders.

Cisco IOS 12.0 and higher support full NAT functionality in all images. Cisco IOS 11.2 and higher need the "PLUS" image set for NAT feature support. (Cisco extended NAT with port address capabilities to increase the utility of each outside address. This is called Port Address Translation [PAT] in the Cisco terminology.)

PAT provides additional address expansion but is less flexible than NAT. With PAT, one IP address can be used for up to 64,000 hosts by mapping several IP port numbers to one IP address. PAT is secure because the source IP address of the inside hosts is hidden from the outside world. The perimeter router typically provides the function of NAT or PAT.

Figure 9-10 displays a typical scenario in which a private address space is deployed that requires Internet access. The private subnetted Class A 10.10.10.0/24 is not routable in the Internet.

Figure 9-10. Typical PAT Scenario


The users in Figure 9-10 are configured with an inside local address ranging from 10.10.10.2/24 to 10.10.10.254/24. To allow Internet access, NAT is configured on Router IAR to permit the inside local addresses access to the Internet. (In this case, only PAT is configured because only one IP address was allocated by InterNIC, namely 171.71.1.1.) The advantages of using NAT include

  • Hiding the Class A address space 10.10.10.0/24

  • Internet access provided to all protected users without IP address changes

To view the NAT translation table on a Cisco router, apply the exec command show ip nat translations on the CLI. Example 9-1 illustrates the output of the show ip nat translation command on the Internet Accessible Router (IAR).

Example 9-1. show ip nat Translation Command

IAR#show ip nat translation
Pro  Inside global      Inside local       Outside local        Outside global
tcp  171.71.1.1:3598    10.10.10.2:3598    198.133.219.25:80    198.133.219.25:80
tcp  171.71.1.1:3612    10.10.10.3:3612    198.133.219.25:80    198.133.219.25:80
tcp  171.71.1.1:3616    10.10.10.4:3616    198.133.219.25:80    198.133.219.25:80
tcp  171.71.1.1:3620    10.10.10.5:3620    198.133.219.25:80    198.133.219.25:80
IAR#

Before examining a demonstration of the configuration on the router and PIX Firewall, you need to become familiar with the NAT environment terminology set out in Table 9-1.

Table 9-1. NAT Terminology

Inside local address
  An IP address that is assigned to a host on the internal network; this is the logical address that is not advertised to the Internet. It is generally assigned by a local administrator and is not a legitimate Internet address.

Inside global address
  A legitimate registered IP address as assigned by the InterNIC.

Outside local address
  The IP address of an outside host as it appears to the inside network (that is, after translation).

Outside global address
  The IP address assigned to a host on the outside network by the host's owner, before any translation.
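The PAT behaviour behind Example 9-1 and the Table 9-1 terms, as an added illustration that is not code from the book or from Cisco IOS: a small translation table for the Figure 9-10 addresses (inside local 10.10.10.0/24, inside global 171.71.1.1) that translates outbound flows, maps replies back, keeps the host's source port when it is free, and drops unsolicited inbound packets for which no entry exists. The port-allocation rule and the untranslated pass-through of non-inside sources are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed to mirror Figure 9-10: inside local 10.10.10.0/24 shares the
# single inside global address 171.71.1.1 (PAT), so only the port varies.
INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")
INSIDE_GLOBAL = "171.71.1.1"

@dataclass(frozen=True)
class Entry:
    proto: str
    inside_global: tuple   # (ip, port) the Internet sees
    inside_local: tuple    # (ip, port) of the real host behind IAR
    outside_global: tuple  # (ip, port) of the Internet peer

class PatTable:
    """Port Address Translation: many inside local sockets, one global IP."""
    def __init__(self):
        self._by_local = {}    # (proto, inside_local, outside) -> Entry
        self._by_global = {}   # (proto, inside_global, outside) -> Entry
        self._used_ports = set()

    def _pick_port(self, wanted):
        # Assumption: keep the host's own source port when free (as in
        # Example 9-1); otherwise step to the next unused port so that two
        # inside hosts never collide on the shared global address.
        port = wanted
        while port in self._used_ports:
            port = port + 1 if port < 65535 else 1024
        self._used_ports.add(port)
        return port

    def outbound(self, proto, src, dst):
        """Inside -> outside: return the translated source (ip, port).
        Sources outside INSIDE_NET are forwarded untranslated."""
        if ipaddress.ip_address(src[0]) not in INSIDE_NET:
            return src
        entry = self._by_local.get((proto, src, dst))
        if entry is None:  # first packet of the flow creates the entry
            glob = (INSIDE_GLOBAL, self._pick_port(src[1]))
            entry = Entry(proto, glob, src, dst)
            self._by_local[(proto, src, dst)] = entry
            self._by_global[(proto, glob, dst)] = entry
        return entry.inside_global

    def inbound(self, proto, src, dst):
        """Outside -> inside; None means no state exists, so drop the packet."""
        entry = self._by_global.get((proto, dst, src))
        return entry.inside_local if entry else None
```

Because no outside translation is configured in the scenario, the outside local and outside global columns of Example 9-1 are identical, which is why the table above stores only one outside tuple.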

The disadvantages of NAT/PAT include the following:

  • They are CPU processing power intensive.

  • The Layer 3 header and source address changes.

  • Voice over IP is not yet supported.

Some multimedia-intensive applications do not support NAT, especially when the data stream inbound is different from the outbound path, for example, in multicast environments.

Proxy Services

The use of proxy services in the network has multiple goals. Proxy services can be used to hide the real IP address of users. This means that when crackers or intruders try to spoof IP addresses, for example, they have no idea about the hidden addresses and in fact attack a proxy server designed to drop the packets and alert network administrators of the event.

There are even websites dedicated to home users and corporate users that offer proxy-like services. For more information, please visit http://theproxyconnection.com/.

NOTE

Users need to be very careful when choosing and using a public proxy. All traffic is routed through the proxy. All accounts, passwords, and so on are visible to the proxy. (It might even do SSL man-in-the-middle encoding and decoding.) It is therefore essential that the proxy be run by a highly trusted entity.

Today's firewalls can act as proxy servers on behalf of clients such as UNIX hosts, Windows users, or HTTP servers.

Proxy servers can also cache information that is frequently used by end users and thus can act as an intermediate device between a web client and a web server. This allows other web clients to access web content much faster by downloading web content from a local device rather than from the web (proxies protect clients and reverse proxies protect servers).

Content Filters

With content filtering (also known as URL filtering), an organization designs a policy defining which websites are permitted to be accessed by local resources and which are not. Content filters can monitor, manage, and provide restricted access to the Internet. This means that employees do not tie up valuable and expensive WAN connections to the Internet for nonbusiness matters. You might, for example, allow access to www.cisco.com but deny employees access to music websites that permit large downloads of sheet music or MP3 files.

Cisco provides a number of content-filtering engines that can perform the following functions:

  • Deny access to URLs specified in a list

  • Permit access only to URLs specified in a list

  • Use an authentication server in conjunction with a URL filtering scheme

The scenario illustrated in Figure 9-11 briefly touches on this concept. User1 with the IP address 10.10.10.1 is granted full access to all Internet resources, whereas User2, who is a temporary employee with the IP address 10.10.10.2, has access only to the Cisco website and the Cisco Press website.

Figure 9-11. Typical Content Filtering Scenario

Example 9-2 presents configuration files relevant to the filtering scenario and shows the commands of the router.

Example 9-2. show ip wccp Commands

IAR#sh ip wccp web-cache details
WCCP Cache-Engine information:
    Web Cache ID:          10.10.10.3
    Protocol Version:      2.0
    State:                 Usable
    Initial Hash Info:     FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                           FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC
    Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                           FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    Hash Allotment:        256 (100.00%)
    Packets Redirected:    17729
    Connect Time:          4d19h
IAR#sh ip wccp web-cache view
WCCP Routers Informed of:
    10.10.10.254
WCCP Cache Engines Visible:
    10.10.10.3
WCCP Cache Engines NOT Visible:
    -none-
IAR#sh ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:               10.10.10.254
        Protocol Version:                2.0
    Service Identifier: web-cache
        Number of Cache Engines:         1
        Number of routers:               1
        Total Packets Redirected:        17729
        Redirect access-list:            1
        Total Packets Denied Redirect:   16614
        Total Packets Unassigned:        0
        Group access-list:               -none-
        Total Messages Denied to Group:  0
        Total Authentication failures:   0
IAR#show running-config
Building configuration...
Current configuration : 6812 bytes
!
! No configuration change since last restart
!
version 12.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname IAR
!
clock timezone BRU 1
ip subnet-zero
ip wccp web-cache redirect-list 1
!
<snip>
!
interface FastEthernet0/0
 ip address 10.10.10.254 255.255.255.0
!
interface FastEthernet0/1
 ip address 171.71.1.1 255.255.255.0
 ip wccp web-cache redirect out
!
IAR#show access-list 1
Standard IP access list 1
    deny   10.10.10.1 (3091 matches)
    permit any (18717 matches)
IAR#

Example 9-3 presents the configuration files relevant to the filtering scenario and shows the commands of the content filtering engine. The goodurl.txt file contains all permitted HTTP addresses.

Example 9-3. Content Engine Commands

CE#show config
hostname CE
!
!
http cache-cookies
http cache-on-abort enable
http proxy incoming 80
!
<snip>
!
interface FastEthernet 0/0
 ip address 10.10.10.3 255.255.255.0
 exit
!
ip default-gateway 10.10.10.254
!
primary-interface FastEthernet 0/0
!
!
wccp router-list 1 10.10.10.254
wccp web-cache router-list-num 1
wccp version 2
!
rule enable
rule action cache ttl days 30 pattern-list 1 protocol http
!
!
!
url-filter http good-sites-allow file /local1/etc/goodurl.txt
url-filter http custom-message /local1/msgs
no url-filter http websense allowmode enable
no url-filter http N2H2 allowmode enable
url-filter http good-sites-allow enable
!
CE#
CE#type goodurl.txt
http://www.cisco.com/
http://www.ciscopress.com/
CE#

The purpose of this example is to show the functionality of content filtering. Although shown here on different standalone computers, this feature can also be integrated in recent versions of the firewalls.
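The filtering decision of Examples 9-2 and 9-3 taken together, as an added illustration that is not code from the book, from IOS or from the Cisco Content Engine: access-list 1 decides whether a client's HTTP traffic is redirected to the content engine at all (User1 at 10.10.10.1 is exempt), and the engine's good-sites-allow list then permits only URLs found in goodurl.txt. The prefix-matching rule (scheme, host and port must match exactly, the path must start with the listed path) is an assumption made for this example, not a documented Content Engine behaviour.

```python
from urllib.parse import urlsplit

# Constructed from Examples 9-2 and 9-3: access-list 1 exempts User1 from
# WCCP redirection; everyone else is proxied through the content engine,
# whose allow-list is the contents of goodurl.txt.
REDIRECT_ACL = [("deny", "10.10.10.1"), ("permit", "any")]
GOODURL_TXT = """\
http://www.cisco.com/
http://www.ciscopress.com/
"""

def acl_redirects(src_ip, acl=REDIRECT_ACL):
    """Standard IP ACL: first matching entry wins, implicit deny at the end.
    'permit' here means the packet IS redirected to the cache engine."""
    for action, match in acl:
        if match == "any" or match == src_ip:
            return action == "permit"
    return False

def _norm(url):
    """Split a URL into comparable parts: scheme, host (case-folded),
    port (default per scheme) and path."""
    p = urlsplit(url.strip())
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return p.scheme.lower(), (p.hostname or "").lower(), port, p.path or "/"

def load_allow_list(text):
    """Parse goodurl.txt-style content, ignoring blank and '#' lines."""
    return [_norm(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def url_allowed(url, allow_list):
    """good-sites-allow semantics (assumed here to be prefix matching):
    permit only a URL whose scheme, host and port equal a listed entry
    and whose path starts with the listed path; everything else is denied."""
    scheme, host, port, path = _norm(url)
    return any((scheme, host, port) == (s, h, pt) and path.startswith(prefix)
               for s, h, pt, prefix in allow_list)

def decide(src_ip, url, allow_list=None):
    """'bypass' (not redirected), 'allow' or 'deny' for one request."""
    if not acl_redirects(src_ip):
        return "bypass"
    if allow_list is None:
        allow_list = load_allow_list(GOODURL_TXT)
    return "allow" if url_allowed(url, allow_list) else "deny"
```

Note that the exemption granted by access-list 1 is keyed on the source IP address alone, so the policy is only as strong as the network's protection against address spoofing on the inside segment.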

Antivirus Software

As described in Chapter 3, "Understanding Defenses," a computer virus can best be described as a small program or piece of code that penetrates into the operating system, causing an unexpected and usually negative event. Antivirus software applications scan the memory and hard disks of hosts for known viruses. If the application finds a virus (using a reference database with virus definitions), it informs the user. The user can decide what needs to happen next. These types of applications are becoming integrated features of newer software firewalls.