Contents

Overview

• Network address translation (NAT)

• Port mapping

• Packet filtering

• Anti-spoofing

The network address translation is a technique which modifies packets sent from the entire local area network (or from its defined part) so that they look as if sent from the computer which runs WinRoute (the computer replaces the address in the packet with its own one). The incoming packets (which are the answer), are sent back to the computers in the local area network.

Port mapping provides access to selected services protected by NAT.

Packet filtering is a basic security module of each firewall. Using data in packets (like source and target IP address, the type of network protocol, source and target port, etc.) it either allows packets to pass trough or blocks them. If a filtering rule applies (depending on the meaning of the rule), information about the packet is recorded.

Anti-spoofing is an add-on to packet filtering, which protects the local area network against an attack during which an intruder falsifies source IP addresses.

In order to achieve a high level of security, WinRoute contains the so-called inspection module. It is a special driver which works between the line and network layers of the OSI model. The driver uses an original technology which ensures that WinRoute receives packets directly from the network card driver, that is before the packets are received by any other component of the operating system.

The location of the WinRoute's inspection module (which checks the contents of packets) in the network architecture of Windows operating systems is shown in the figure bellow.

Terminology

TCP/IP protocols
WinRoute is a product which works with TCP/IP networks. The TCP/IP protocols are designed to work in layers. When speaking about TCP/IP protocols, especially the following protocols are meant: IP, TCP, UDP, ICMP, and others based on IP.

Network interface
A network interface is a device which connects the computer with other computers by means of a communication medium. A network interface may be an ethernet card, modem, ISDN card, etc. The computer sends and receives packets by means of the network interface.

IP address
An IP address is a unique 32-bit number, which identifies the computer in IP networks. The unique IP address is assigned to each computer in the Internet. Each packet passing across the Internet contains an information about from which address it was sent (the source IP address) and to which address it should be delivered (the target IP address).

Network mask
Network mask is used to group IP addresses together. There is a group of addresses assigned to each network segment. For example, the mask 255.255.255.0 groups together 254 IP addresses. If we have, for example, a sub-network 194.196.16.0 with mask 255.255.255.0, the addresses we may assign to computers on the sub-network are 194.196.16.1 through 194.196.16.254

Port
A port is a 16-bit number (the allowed range being 1 through 65535) used by the protocols of the transport layer - the TCP and UDP protocols. Ports are used to address applications (services) which run on a computer. If there was only a single network application running on the computer, there would be no need for port numbers and the IP address only would suffice for addressing services. However, several applications may run at once on a particular computer and we need to differentiate among them. This is what port numbers are used for. Thus, a port number may be seed as an address of an application within the computer.

Packet
A packet is a basic communication data unit used when transmitting data from one computer to another. Each packet contains a certain amount of data. The maximum length of a packet depends on the communication medium. As an example, in ethernet networks the maximum length is 1500 bytes. In each layer, we may divide the contents of the packet into two parts: the header part and the data part. The header contains control information of the particular layer, the data part contains data that belong to the upper layer. More detailed information on the structure of the packet may be found bellow in the section on packet filtering.

Network Address Translation

• automatic local area network protection
• a transparent connection of the network (or its part) to the Internet using a single registered IP address

The connection of an entire network using a single registered IP address is made possible since the NAT module rewrites the source address in the packets sent from computers in the local area network with the address of the computer WinRoute is running on.

The connection to the Internet is transparent, which means that the computers in the local network use WinRoute as their gateway (router). From the point of view of the local computers it looks as if they were connected to the Internet using registered addresses. Thus, most applications work with the NAT without the need to setup anything on the application's or server's side. This is the main feature which makes NAT to differ significantly from various proxy servers and application-level gateways that will in principle never be able to support some protocols.

How NAT Works

The NAT module maintains a table, which records information about each connection. The main pieces of information are: source IP address and port, target IP address and port, IP address and port used to modify packets.

We may demonstrate the way NAT works using the following example:

Let us consider a computer in a protected network. The IP address of the computer is 192.168.1.22. The computer decides to communicate from port 7658 with a WWW server in the Internet, the IP address of which is 194.196.16.43 and its port number is 80. The communication passes through WinRoute, which uses the address 195.75.16.75 on its outer interface.

First, the computer 192.168.1.22 sends a packet from port 7358 to computer 194.196.16.43, port 80. The packet passes through WinRoute, which checks its table to see if it contains an appropriate entry. If so, the existing entry is used, otherwise WinRoute creates a new one. Then it modifies the packet so that it replaces the source address to its own address. It also changes the source port. Thus the source address will be 195.75.16.65, and the port number will for example be 61001. After the changes the packet is sent on. When an answer arrives, it contains 195.75.16.65 as the target address and 61001 as the target port. WinRoute searches its table by the port number 61001 and finds the entry for the connection. According to the entry, it changes the target address and port, back to 192.168.1.22 and 7658, respectively.

Please note:
Port numbers in the packets passing through WinRoute must be modified, since if two or more stations in the protected network start to communicate from the same port number, we need to identify to which of the stations a packet belongs. The NAT module assigns port numbers from the range of 61000 through 61600. A unique port is allocated for each connection.

NAT Critical Points

Basic Configuration

NAT may be configured using the menu:

Settings => Interface Table => NAT "Perform NAT with the IP address of this interface on all communication passing through" This switches NAT on for the interface. When NAT is on, it is applied to all packets passing through the interface. "Exclude this computer from NAT" This option controls whether NAT is also applied to the communication from the computer on which WinRoute runs. If you switch this option on, NAT will not be applied and the computer will not be protected. Generally, we do not recommend to set this option on. Use it only if you have a server application that has to be accessible from the Internet and that is unable to work inside the protected network (using port mapping).

Advanced Settings

NAT advanced settings may be used in case you need to apply NAT to some parts (segments) of your network and not to the rest of it. You may need this if registered addresses are used in a part of your network and this part is accessible from the Internet, while the rest of the network uses unregistered addresses. The advanced NAT is also suitable for creating demilitarized zones (DMZs) in which the servers accessible from the Internet run. Another possibility is to choose the IP address which is used to modify the passing packets (the IP address of the interface is used implicitly).

To be able to work with NAT advanced settings, the NAT has to be set on already for an interface. So we first set the NAT on for some interface and then, in the advanced settings, we decide when NAT should not be applied.

The NAT advanced settings are defined with a table of rules. The table is always searched from its top to bottom. The search ends after a first applicable rule is found. The rule is applicable if source and target addresses comply with the data set in the rule.

The NAT advanced settings are configured in the menu:

Settings => Advanced => NAT pad => Add/Edit button "Packet Description" This defines, to which packets the rule should be applied. The packet is specified by source and/or target address. There may be a single address or a group of addresses specified by a network mask, an interval of addresses, or a named group of addresses. The condition "Only when outgoing interface is" says that the rule is applicable only if the packet is sent out through the specified interface. "NAT" This defines what to do with a packet when the rule is applicable to it. There are the following possibilities: "Do not do NAT" "Do NAT with specified IP address" "Log Packet" If the rule is applicable to a packet, packet information is recorded. Logging is suitable especially for testing the configuration or finding problems in it.

An Example Configuration of Advanced NAT

1. 192.168.1.0 with mask 255.255.255.0
2. 192.168.2.0 with mask 255.255.255.0
3. 194.196.16.0 with mask 255.255.255.0

Port Mapping

How Port Mapping Works

Settings => Advanced => Port Mapping => Add/Edit button "Protocol" The protocol to be used for the communication through the mapped port. "Listen IP" If an IP address is entered in this field (this is an optional field), the target address of the incoming packets is compared with it. The packet is only allowed to pass through if the two addresses are equal. "Listen Port" It gives the port number or an interval of port numbers for which the entry is valid. "Destination IP" The IP address of the computer to which the packets that comply with the previous conditions should be routed. "Destination Port" The port number on the computer to which the packets are routed. In most occasions, this number is equal to the Listen Port.

Several useful configurations of port mapping are shown in Appendix.

Packet Filtering

In each layer, the contents of a packet might be divided into two parts: the header and data. The header contains control information of the given layer. The data part contains data that belong to the upper layer. Each layer adds its own header, so in the result the packet looks as shown bellow:

The following information is used when setting up the filtering rules for headers of particular protocols (layers):

Internet Protocol (Internet layer)

Internet Protocol is a basic protocol used for (unreliable) delivery of upper layers' data.

The following information may be used for filtering:

• source IP address
• destination IP address
• the type of upper layer protocol, eg. TCP, UDP, ICMP
• IP options field

ICMP protocol (Internet layer)

Internet Control Message Protocol is used for sending error and control messages among computers.

The following information may be used for filtering:

• ICMP message type

TCP protocol (transport layer)

The Transmission Control Protocol is used for reliable transmission of data between two computers. The computers communicate using a "connection". The creation of the connection, data transmission and closing the connection is controlled by special flags in TCP header of the packet. The flag which controls the creation of a connection is of importance for packet filtering, since data can only be transmitted after a connection is created.

The following information may be used for filtering:

• source port
• destination port
• flags

UDP protocol (transport layer)

The User Datagram Protocol offers the application layer an unreliable datagram-based transmission of data. In contrast to TCP, the UDP does not create a connection between the two computers and packets may be sent to any IP address and any port number.

The following information may be used for filtering:

• source port
• destination port

Generally, there exist two kinds of applications in the Internet environment: the client applications and server applications. A WWW browser is an example of a client application, while a WWW server is - naturally enough - a server application. In order to communicate, the client applications create a connection with the server ones. The server applications wait for connections on given fixed port numbers. Usually, these port numbers are less than 1024. On the other hand, the client application usually does not need any specific port number, so the port number is assigned dynamically to it (the application asks the operating system for an unused port number). The port numbers used for dynamic assignment are grated than 1024.

The example communication of a browser and a WWW server is shown in the figure:

More restrictive rules may cause some Internet services to be inaccessible for your users. This is the case with applications which need an additional connection to be created from the Internet, or UDP-based applications. On the other hand, when the rules are more benevolent, more applications will be functional but the network will get less secure.

The basic principle for setting up the filtering rules is that you block the access from the Internet to your network, while you keep the other direction open (the direction from your network to Internet). Then, according to the services you want to access outside and the services you want to offer to the outside world, you tune the the rules.

The most important is the protection of vital services in your network. These services (eg. file servers, intranet WWW servers, SQL servers) usually listen for connections on ports with numbers less than 1024. Services with port numbers less than 1024 might not run on servers only, even user workstation may run such services. This is the case with file sharing. On the other hand, the port numbers used by client applications are greater than 1024. Thus the number 1024 is very significant for security policies setup.

Each reasonable policy blocks access from the Internet to ports less than 1024 for both the TCP and UDP. After that, you may allow services that you want to make accessible from the Internet. For example, for WWW you allow TCP on port 80.

The more restrictive policy also forbids all incoming UDP packets and also TCP packets that try to establish a connection from Internet to port numbers greater than 1024. So, this policy entirely forbids a connection to be established with the protected network from the Internet, but it allows any communication to be initiated from the protected network. When this policy is applied, some application may cease to function (entirely or in part, this depends upon the application). The applications that will have problems are those which expect that their party will connect from the Internet to port number greater than 1024. Also applications which use UDP will not work.

Example policies:

When setting up the filtering rules it is important to remember that the rules are searched in the order they appear in the table and once an applicable rule is found, the search is stopped.

The following examples show both the more and less restrictive policies you may use when setting up the rules:

The less restrictive policy:

• individually allow packets with port number smaller than 1024 for the services that you want to offer to the outside world
• allow UDP packets from DNS servers, that is packets having both the source and target ports equal to 53.
• forbid TCP packets with target port number smaller than 1024
• forbid UDP packets with target port number smaller than 1024

The more restrictive policy:

• individually allow packets with port number smaller than 1024 for the services that you want to offer to the outside world
• allow UDP packets from DNS servers, that is packets having the source port equal to 53 and the target source greater than 1024.
• allow UDP packets from DNS servers, that is packets having both the source and target ports equal to 53
• forbid TCP packets with target port number less than 1024
• forbid TCP packets establishing a connection for all port numbers
• forbid UDP packets for all ports

The figure shows the configuration of the policy in the packet filter:

Restricting User Access to Certain Internet Services

For example, to restrict access to FTP (File Transfer Protocol), do the following:

For outgoing packets on the interface connected to Internet:

• forbid TCP packets with target port number 21

If you run a proxy server which does filtering according to URL and you want to make your users use the proxy instead of a direct connection, use the following:

For outgoing packets on the interface connected to Internet:

• Allow packets from the address of the proxy server with target port equal to 80
• Forbid TCP packets with target port equal to 80.

The security rules are processed using the following method:
The rules are searched in the order in which they are displayed in the configuration dialog. Upon arrival or departure of a packet, first the rules for the interface from which the packet arrived are searched. Then rules valid for any interface are searched. After an applicable rule is found, no other rules are searched and an appropriate action is taken: the packet is either allowed to pass through, discarded or denied. Optionally, an information about the packet is written to a file or to WinRoute window.

The packet filtering may be configured in the menu: Settings => Advanced => Packet Filter => Add/Edit "Protocol" The network protocol. The possibilities are: IP, TCP, UDP, ICMP, PPTP. "Source", "Destination" The definition of source and target addresses. It is possible to enter either a single address or a group of addresses specified by a network mask or an address interval. A named group of addresses may also be used. It is also possible to specify target and source ports for the TCP and UDP protocols. "ICMP type" (with ICMP only) Used to specify a particular type of ICMP message. "TCP flags" (with TCP only) It is possible to specify the following: "Only established TCP connections" : the rule applies if a packet does not create a new TCP connection, ie. its SYN flag is not set on. "Only establishing TCP connections" : the rule applies if a packet attempts to create a new TCP connection, ie. its SYN flag is on. "Action" If the rule is applicable to a packet, an action is performed: Permit - the packet is allowed to enter the protected network Drop - the packet is discarded Deny - packet is denied If the packet is denied, a deny message is sent to the sender of the packet (ie. TCP reset, or ICMP port unreachable messages). "Log Packet" If the rule applies to a packet, the information about it is recorded. The recording is done either to the WinRoute window or to a file "Valid at" Defines the time interval in which the rule is valid. You may set the rule to be always valid.

Anti-spoofing

The anti-spoofing test is performed upon the arrival of a packet. It it possible to define what IP addresses may appear in packets received by each interface. Packets with source addresses other than the allowed ones are discarded and optionally information about the packet is logged.

The method of anti-spoofing setup in WinRoute is as follows:

We define for each interface that the source address of the incoming packets must belong to the interval of addresses of the directly connected sub-network. If there are other network segments behind a router, it is necessary to create a named group of addresses for these segments. Then we may define that only packets from the directly connected network or from the named address group are allowed.

It is evident that it is impossible to name all addresses that may appear in packets incoming to the interface connected to the Internet. A packet is allowed to pass through if its source address does not fall among the addresses allowed for the interfaces which lead to the protected network. So any address other than the addresses accepted by the local area network interfaces is allowed. This ensures that no packets with a falsified source address (packets which look as if sent from a computer inside the protected network) are allowed to pass through.

Anti-spoofing Configuration Example

1. 192.168.1.0 with mask 255.255.255.0
2. 192.168.2.0 with mask 255.255.255.0
3. 194.196.16.0 with mask 255.255.255.0

The anti-spoofing is configured according to the following figure:

The configuration rules are:

• The interface NE20002 accepts packets with source addresses from the networks 1 and 2.
• Interface EL90X1 accepts packets with source addresses from the network 3.
• Interface line0 accepts packets with any source address with the exception of addresses from networks 1, 2, and 3.

The configuration dialogs are as follows:

Named Address Groups And Time Intervals

The advantages of named address groups are:

• One name may represent several networks so it is not necessary to specify each network separately when source/target addresses are entered.
• When the configuration of the network is changed (new network segment added, IP addresses changed, etc.), it suffices to change the named group only.
• With complex networks, named groups simplify the setup.

The named address groups are configured in the menu: Settings => Advanced => Address Groups Each named group may contain any number of entries. An entry is either a single address, a group a addresses specified by a network mask, or a group of addresses specified by interval of addresses.

Time Intervals

Time interval are configured in the menu: Settings => Advanced => Time Intervals Any number of entries may be created under one name which allows for a very flexible time setup.