A DMZ Network with NAT/PAT and ACLs


DMZ

<What>

A Demilitarized Zone (DMZ) is a network that separates the internal network from the external network. I like to think of a DMZ network as the security vestibule or mantrap of a building. The building resembles a corporate network, the public resembles the Internet, and the building’s offices and rooms resemble the internal network. Once an individual or guest has entered the building, they are stopped and held in the security vestibule for proof of identification and the reason for their visit. The concierge then decides whether the guest is allowed in; a DMZ network works the same way. The DMZ usually hosts servers that are accessed from the Internet, such as web servers, mail servers, and even proxy servers. A single firewall or a dual-homed firewall inspects packets flowing between the DMZ and the internal network and allows or drops them based on configured rules.

<Why>

A DMZ minimizes the risk of an attack of any form; it won't protect you 100%, but it helps. Implementing other security solutions, tactics, and techniques is all great, but adding a DMZ to this defense-in-depth layered approach further bolsters your network security. With the evolving nature of cybersecurity, there is also a more modern approach, Zero-Trust Architecture, which I will touch on later.

For now, understand that a DMZ isolates internal and external networks to prevent unauthorized access of services, and also acts as a buffer zone by having control of inbound/outbound network traffic.

NAT/PAT

<What>

Network Address Translation (NAT) is a process used to alter the source and/or destination IP address. It is commonly used in networks today, especially in Small Office/Home Office (SOHO) networks. Let’s say your phone’s IP address on your home network is 10.0.0.76; when you request something over the Internet, whether that is a file or a video, your IP is translated to something else so that you can communicate with other devices/services out on the wild world wide web. In simpler terms, your statically or dynamically assigned private IP is translated to a public IP.

Port Address Translation (PAT), AKA NAT Overload, translates both the port number and the IP address. This allows many hosts on a private network to share a single public address through one PAT configuration….. pretty cool huh?

<Why>

I am sure most of you know about IPv4 coming to an end and IPv6 becoming the new thing. Not that IPv6 is that new, but in a sense IPv4 will soon be exhausted of all addresses and we will have no choice but to use IPv6. NAT was the solution for conserving IPv4 addresses, where translating a private address to a public one seemed ideal. Not only did it fix this issue temporarily for a good amount of time, but it also provided some security, in that your internal IP is hidden from the public.

ACLs

<What>

Access Control Lists (ACLs) are rules that permit or deny traffic based on source/destination IPs and ports; the rules can also be more specific. I like to think of ACLs as a packet filter or a firewall-like device, though firewalls do more than ACLs. There are different groups of ACLs (standard-named, standard-numbered, and extended). Take note that ACLs are processed from top to bottom; order is crucial.

Standard ACLs, both named and numbered, filter traffic based on the source IP address only. Numbered standard ACLs use the ranges 1-99 and 1300-1999, while named ACLs use a descriptive name instead, for example ALLOW_VLAN12 or BLOCK_SRV2. Lastly, extended ACLs are much more granular: packets are filtered by both source/destination IP addresses and port numbers.
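To make "order is crucial" concrete, here is an added example (my own Python, not code from the original post or from Cisco) that evaluates a list of ACL entries the way an IOS router does: top to bottom, the first matching entry decides, and anything that matches nothing hits the implicit deny at the end. The public address 203.0.113.10, the 10.0.0.0/8 internal LAN and the sample packets are constructed values for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any protocol, as in IOS
    src: str = "any"             # "any" or a CIDR such as "10.0.0.0/8"
    dst: str = "any"             # ignored when the ACL is standard
    dport: Optional[int] = None  # destination port ("eq N"); None = any

def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _matches(rule: Rule, pkt: dict, extended: bool) -> bool:
    if not _in_net(pkt["src"], rule.src):
        return False
    if not extended:            # standard ACL: source address is the only criterion
        return True
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not _in_net(pkt["dst"], rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.get("dport")

def evaluate(acl: list, pkt: dict, extended: bool = True):
    """Walk the ACL top to bottom; the first matching entry decides. Nothing matched -> implicit deny."""
    for index, rule in enumerate(acl):
        if _matches(rule, pkt, extended):
            return rule.action, index
    return "deny", None         # index None marks the implicit deny at the end of every ACL

# Constructed inbound ACL for the outside interface. 203.0.113.10 is the assumed public
# (NAT) address of the DMZ web server; 10.0.0.0/8 is the assumed internal LAN.
OUTSIDE_IN = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),
    Rule("permit", "tcp", "any", "203.0.113.10/32", 80),
    Rule("deny", "ip", "any", "10.0.0.0/8"),    # the inside is never reachable from outside
]
MISORDERED = [Rule("permit", "ip")] + OUTSIDE_IN   # broad permit first: every later line is dead

WEB = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443}
SSH = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22}
LAN = {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.76", "dport": 445}

if __name__ == "__main__":
    for name, pkt in (("web", WEB), ("ssh", SSH), ("lan", LAN)):
        print(name, evaluate(OUTSIDE_IN, pkt), evaluate(MISORDERED, pkt))
```

Running it shows the web request permitted by line 0, SSH to the DMZ host and the attempt to reach the LAN both denied, and the same three packets all permitted by the misordered list.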

<Why>

You need to control what goes in and out of your network because, without that control, attackers have a larger attack surface to work with. Let’s compare this to your car, if you own one or plan to get one. Assuming you are security conscious, you have installed a dashcam/alarm, locked the doors, closed the windows, kept personal items out of sight, locked the steering wheel, and fitted lug nut locks. All of these are controls you put in place to protect three things: the car, your personal belongings, and the tires. ACLs do the same: they protect data and ensure system/service integrity.

Demonstration Video

In this video, I’ll demonstrate how to filter network traffic using extended ACLs while concealing a LAN's internal subnet IP range and ports with NAT/PAT.