Firewalls

Firewalls can be implemented in software, in hardware, or as a combination of the two. Once deployed, they augment the existing security of an environment and block unwanted network traffic from passing through to the internal network. Because of the many benefits firewalls offer, they have become a standard component for most businesses that connect their internal network to the Internet. Two of the more common types in use are packet filtering firewalls and network address translation (NAT) firewalls.

Filtering Criteria

A firewall is a router system placed between two subnets. In addition to routing, it filters all communication between them. Only packets that match at least one filter rule are allowed to pass the firewall; all other packets are discarded (the default policy is deny).


A filter rule usually consists of the protocol type, a direction, a source port and a destination port. A port range can be given instead of a single port.
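The following is an added example, not code from the original page or from the product it describes: a minimal allow-list packet filter with the rule fields the text names (protocol, direction, source port, destination port, with a single port or an inclusive range), applied to constructed sample packets. The rule set and the sample traffic are assumptions made up for the illustration, not a recommended policy.

```python
# Added example (not from the original page): a minimal allow-list packet
# filter. Each rule names a protocol, a direction, a source port spec and a
# destination port spec; a spec is a single port or an inclusive range.
# A packet passes only if it matches at least one rule; everything else is
# dropped (default deny).
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

PortSpec = Tuple[int, int]  # inclusive (low, high); a single port is (p, p)
ANY_PORT: PortSpec = (0, 65535)


def port(p: int) -> PortSpec:
    """Spec for exactly one port."""
    if not 0 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")
    return (p, p)


def port_range(low: int, high: int) -> PortSpec:
    """Spec for an inclusive port range; rejects inverted or out-of-range bounds."""
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {low}-{high}")
    return (low, high)


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "any"
    direction: str  # "in" (toward the internal network) or "out"
    src: PortSpec
    dst: PortSpec


@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str
    src_port: int
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule covers the packet."""
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.direction != pkt.direction:
        return False
    return (rule.src[0] <= pkt.src_port <= rule.src[1]
            and rule.dst[0] <= pkt.dst_port <= rule.dst[1])


def filter_packet(rules: Iterable[Rule], pkt: Packet) -> bool:
    """Allow-list semantics from the text: pass if at least one rule matches."""
    return any(rule_matches(r, pkt) for r in rules)


# Constructed rule set (an assumption for the example, not a recommended policy):
# inbound HTTP and HTTPS from any source port, outbound DNS queries from an
# unprivileged source port only.
RULES = [
    Rule("tcp", "in", ANY_PORT, port(80)),
    Rule("tcp", "in", ANY_PORT, port(443)),
    Rule("udp", "out", port_range(1024, 65535), port(53)),
]

# Constructed sample traffic.
SAMPLES: Dict[str, Packet] = {
    "web_request": Packet("tcp", "in", 51515, 80),
    "telnet_probe": Packet("tcp", "in", 51515, 23),
    "udp_to_80": Packet("udp", "in", 51515, 80),
    "dns_query": Packet("udp", "out", 40000, 53),
    "dns_from_low_port": Packet("udp", "out", 53, 53),
}


def verdicts() -> Dict[str, bool]:
    """Evaluate every sample packet against RULES; True means it passes."""
    return {name: filter_packet(RULES, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in verdicts().items():
        print(f"{name:18s} {'PASS' if allowed else 'DROP'}")
```

Because a packet passes on any matching rule, rule order does not matter here; a filter that also supports explicit deny rules would instead have to define which rule wins when several match, which is where most real-world misconfigurations come from.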

Following are firewall filtering criteria:


NAT (Network Address Translation) firewalls

Network address translation is often used on firewall systems in combination with port, protocol, and IP address restrictions. The IP addresses in packets that pass through the firewall are rewritten to other IP addresses. There are several reasons to translate addresses. One common reason is that the IP addresses on the internal side of the firewall (for example, addresses in the private 10.0.0.0/8 range) are not valid IP addresses on the external side and therefore cannot be used on the Internet. NAT firewalls can be configured to translate the addresses of systems on either side of the firewall. The figure below shows a NAT firewall configuration in which the IP address of the internal system has been translated. System ISP1 connects to the internal system CUST1 using the IP address 154.66.4.250. The firewall looks up 154.66.4.250 in its NAT table, translates that global address to the 10.0.0.1 local address, and routes the traffic to the correct system. An internal system with no entry in the NAT table has no externally reachable address, so the table also determines which internal systems outside hosts can reach at all.

NAT firewall support between OVPM and OVPA


NAT Translation of Duplicate IP Ranges

In a service provider environment, duplicate IP ranges are common. The figure below shows two customer networks that use duplicate IP addresses on their internal networks. To allow the service provider to communicate with the customer systems, each customer must configure its NAT firewall to map its systems to unique IP addresses that are reachable from the service provider. For example, suppose both customers have a system with the Internal Local IP address 10.0.0.1.

Customer 1 can translate the Internal Local IP address 10.0.0.1 to the Internal Global IP address 154.66.4.200.

Customer 2 can translate the Internal Local IP address 10.0.0.1 to the Internal Global IP address 154.66.4.250. The service provider will then have unique IP addresses for each of the customer systems.
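The following is an added example, not code from the original page or from the product it describes: a static NAT table that performs the global-to-local and local-to-global translation described in the NAT section, and the duplicate-range scenario above, where two customers both use 10.0.0.1 internally but map it to 154.66.4.200 and 154.66.4.250 respectively. The customer names and the provider address 198.51.100.10 are constructed for the example.

```python
# Added example (not from the original page): a static one-to-one NAT table
# (inside local <-> inside global) and the duplicate-range scenario where two
# customers both use 10.0.0.1 internally. Customer names and the provider
# address 198.51.100.10 are constructed for the example.
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str


class StaticNatTable:
    """One-to-one mapping: inside local address <-> inside global address."""

    def __init__(self, mappings: Dict[str, str]):
        self.local_to_global: Dict[str, str] = {}
        self.global_to_local: Dict[str, str] = {}
        for local, glob in mappings.items():
            l_addr = ipaddress.ip_address(local)
            g_addr = ipaddress.ip_address(glob)
            # Sanity checks: the local side should be a private (RFC 1918)
            # address and the global side must be routable beyond the firewall.
            if not l_addr.is_private:
                raise ValueError(f"{local} is not a private address")
            if g_addr.is_private:
                raise ValueError(f"{glob} is not usable as a global address")
            if glob in self.global_to_local:
                raise ValueError(f"global address {glob} mapped twice")
            self.local_to_global[local] = glob
            self.global_to_local[glob] = local

    def inbound(self, pkt: IPPacket) -> Optional[IPPacket]:
        """External -> internal: rewrite the destination global address to the
        local one. No table entry means the packet is dropped (None)."""
        local = self.global_to_local.get(pkt.dst)
        return None if local is None else replace(pkt, dst=local)

    def outbound(self, pkt: IPPacket) -> Optional[IPPacket]:
        """Internal -> external: rewrite the source local address to its global one."""
        glob = self.local_to_global.get(pkt.src)
        return None if glob is None else replace(pkt, src=glob)


PROVIDER_IP = "198.51.100.10"  # constructed address for the service provider host

# Each customer runs its own NAT firewall; both use 10.0.0.1 internally but
# map it to a different inside global address, as the text describes.
CUSTOMER_NAT: Dict[str, StaticNatTable] = {
    "customer1": StaticNatTable({"10.0.0.1": "154.66.4.200"}),
    "customer2": StaticNatTable({"10.0.0.1": "154.66.4.250"}),
}


def globals_are_unique(tables: Dict[str, StaticNatTable]) -> bool:
    """Provider-side check: no inside global address may appear in two customers'
    tables, or traffic to it could not be routed to one customer unambiguously."""
    seen = set()
    for table in tables.values():
        for glob in table.global_to_local:
            if glob in seen:
                return False
            seen.add(glob)
    return True


def provider_to_customer(customer: str, inside_global: str) -> Optional[IPPacket]:
    """The provider sends to a customer's inside global address; return the packet
    as delivered on that customer's internal network, or None if unmapped."""
    pkt = IPPacket(src=PROVIDER_IP, dst=inside_global)
    return CUSTOMER_NAT[customer].inbound(pkt)


if __name__ == "__main__":
    print("globals unique:", globals_are_unique(CUSTOMER_NAT))
    print(provider_to_customer("customer1", "154.66.4.200"))
    print(provider_to_customer("customer2", "154.66.4.250"))
    print(provider_to_customer("customer1", "154.66.4.250"))  # None: not in customer1's table
```

The uniqueness check is the point of the duplicate-range section: the translation inside each customer's firewall is independent, so the only coordination needed is that the inside global addresses handed to the provider do not collide.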
