Time
31 hours 29 minutes
Difficulty
Beginner
CEU/CPE
30

Video Description

NAT, PAT and DMZ (Demilitarized Zone). This lesson covers Network Address Translation and Port Address Translation. Network address translation (NAT) converts an internal IP address to an external IP address, and inbound traffic to the public address is forwarded to the private IP of the web server. Port address translation (PAT) tracks IP/port pairs: a private IP and port is mapped to a public IP and port. The demilitarized zone (DMZ) creates an area for public-facing services behind a public-facing firewall that is less restrictive than the private-facing one. It is the place for VPN concentrators and web servers.
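The following is an added Python example (not part of the course or the video) that models the NAT and PAT behaviour the lesson walks through: a single public address 15.165.173.24, a static forward of public port 80 to the web server 192.168.17.3, and a dynamic PAT table that maps an internal client's address and port to the public address plus a fresh port (the lesson picks 870), then translates the reply back. The remote hosts (203.0.113.10, 198.51.100.7) are constructed documentation addresses. The example also shows the defensive side effect the lesson hints at: an inbound packet that matches neither an existing mapping nor a static forward has nowhere to go and is dropped.

```python
"""Toy NAT/PAT translation table (added example, not from the lesson)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Addresses taken from the lesson's diagram.
PUBLIC_IP = "15.165.173.24"
WEB_SERVER: Endpoint = ("192.168.17.3", 80)


@dataclass
class PatTable:
    public_ip: str
    # Static NAT: inbound public port -> fixed private endpoint (the web server).
    static_forwards: Dict[int, Endpoint] = field(default_factory=dict)
    # Dynamic PAT: (private endpoint, remote endpoint) -> public port we allocated.
    outbound: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # Reverse lookup for replies: (public port, remote endpoint) -> private endpoint.
    inbound: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)
    next_port: int = 870  # the lesson uses 870 as the first translated port

    def add_static_forward(self, public_port: int, private: Endpoint) -> None:
        """Publish a private service on a public port (NAT, one-to-one)."""
        self.static_forwards[public_port] = private

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite an outgoing packet's source to (public ip, public port).

        Reusing the same public port for the same private/remote pair keeps
        a connection's packets consistent; a new pair gets a new port.
        """
        key = (src, dst)
        if key not in self.outbound:
            port = self._allocate_port()
            self.outbound[key] = port
            self.inbound[(port, dst)] = src
        return (self.public_ip, self.outbound[key])

    def translate_inbound(self, dst_port: int, remote: Endpoint) -> Optional[Endpoint]:
        """Decide where an inbound packet to (public ip, dst_port) goes.

        Replies to a connection we opened win; otherwise a static forward;
        otherwise None, meaning the router has no mapping and drops it.
        """
        hit = self.inbound.get((dst_port, remote))
        if hit is not None:
            return hit
        return self.static_forwards.get(dst_port)

    def _allocate_port(self) -> int:
        """Pick the next public port that is not already in use."""
        in_use = set(self.static_forwards) | set(self.outbound.values())
        while self.next_port in in_use:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port


def lesson_walkthrough() -> dict:
    """Replay the lesson's scenario and return each translation result."""
    pat = PatTable(PUBLIC_IP)
    pat.add_static_forward(80, WEB_SERVER)

    remote_web = ("203.0.113.10", 80)      # constructed: a web server on the Internet
    stranger = ("198.51.100.7", 4444)      # constructed: an unrelated Internet host

    # Internal client 192.168.17.5 talks to a site on the Internet. The lesson
    # describes the client side as port 80; in practice it would be ephemeral.
    client = ("192.168.17.5", 80)
    public_src = pat.translate_outbound(client, remote_web)      # -> (PUBLIC_IP, 870)

    # A second internal host to the same site must get a different public port.
    other = ("192.168.17.4", 80)
    public_src2 = pat.translate_outbound(other, remote_web)      # -> (PUBLIC_IP, 871)

    return {
        "outbound": public_src,
        "outbound_other": public_src2,
        # The reply from the site to public port 870 maps back to the client.
        "reply_to": pat.translate_inbound(870, remote_web),
        # An unsolicited packet from a stranger to port 80 hits the static forward.
        "web_request": pat.translate_inbound(80, stranger),
        # An unsolicited packet to port 870 from a stranger matches nothing.
        "unsolicited": pat.translate_inbound(870, stranger),
    }


if __name__ == "__main__":
    for name, value in lesson_walkthrough().items():
        print(f"{name}: {value}")
```

The reply lookup is keyed on both the public port and the remote endpoint, so a packet to port 870 from any host other than the one the client contacted is dropped rather than delivered to the client; a real router keeps the same kind of state, which is why NAT incidentally blocks unsolicited inbound connections even though it is not a substitute for firewall rules.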

Video Transcription

00:04
Our next function of our firewall is going to be network address translation and port address translation, NAT and PAT. Now we've talked about network address translation in a previous module, but let's cover it real quick again as pertaining to our firewalls. Network address translation is essentially converting an internal IP address to an external IP address
00:23
and vice versa.
00:25
This allows us to host our web services and allow other services to connect to our internal devices without actually having to assign a public IP address to those devices. For example, if we have a
00:39
web server in our environment and then we have a firewall, well, our web server is assigned a private IP address of 192.168.
00:50
17.3.
00:53
That's our private IP address for this web server. Our firewall router here
00:58
is going to have an
01:00
internal address of 192.168.17.1. That's its internal interface,
01:08
and it's going to have an external interface IP address of 15.165.173.24. That's its public IP address.
01:23
This public IP address does not just service our web server, but services a couple of other backend servers.
01:30
Maybe we have a couple of clients. Maybe we have a few other servers that need to connect to the Internet.
01:38
But when we have someone out on the Internet
01:40
who wants to connect to our Web server
01:44
and they send our firewall a request to port 80
01:47
for an HTTP GET request, to port 80. How does our firewall know who to allow that traffic to? How does our firewall know who to forward that traffic to?
01:57
Well, network address translation is going to translate that traffic,
02:00
and we're gonna set up network address translation to say, OK, any traffic that is sent to 15.165.173.24 at port 80, I want you to forward to me because I am the web server. So I want you to forward it to the web server
02:16
and then any traffic that I send out,
02:21
I want you to forward to this public IP address.
02:24
So the person on the Internet, the client, never sees our private IP address, which is good because then they would have more knowledge about our internal network, which is what we do not want them to have.
02:36
What they do know is just our public IP address, which is okay in this situation because they need that information to connect to us. So that's our network address translation. That's how we're translating this private IP address to a public IP address and then vice versa when we're having an incoming connection.
02:52
Now what's a little bit different is something called port address translation.
02:57
Now port address translation, also known as overloading,
03:02
is going to actually take... We'll actually leave that there.
03:07
is going to assume that we have
03:10
more internal IP addresses that we need to translate to external IP addresses than we have public IP addresses.
03:20
So this device here only has one public IP address.
03:23
But let's say we have three separate servers that need to be accessed over the Internet.
03:30
So we have 192.168.17.3, 192.168.17.4 and 192
03:39
.168
03:43
.17.5.
03:45
And all three of these need to be accessed over the Internet, and they need to be able to be directly responded to over the Internet.
03:53
So these other... but we only have one public IP address, essentially. So we can't say any traffic to 15.165.173.24 at port 80 goes to this one or this one or this one.
04:08
Because
04:10
that means that
04:11
that traffic isn't gonna get where it needs to go
04:14
if we say, OK, well, I'm gonna say that 192.168.17.3 is assigned this public IP address. Well, then, what about these other two computers? Well, if we assign them the same public IP address, then all three of these servers are gonna get packets for everybody.
04:30
The firewall router is not going to know who to send these packets to,
04:34
because we only have one public IP address assigned to one private IP address.
04:41
Fortunately for us, private IP addresses, when we're sending our public and private IP addresses, IP addresses in general, when we're sending packets to them, have a port number associated with them, a source and destination port.
04:55
So what port address translation does is it not only assigns an IP address
05:00
to a private... a public IP address to a private IP address. Port address translation assigns a public IP address to a private IP address and port number, so public address plus port number to a private IP address plus port number.
05:14
So
05:15
we're going to say that because this is our web server, whenever anyone tries to connect to 15.165.173.24 over port 80, which is our HTTP port, it's going to be forwarded to our web server.
05:31
So any traffic inbound directed toward port 80 goes toward our web server.
05:38
But now we have a client here. We have 192.168.17.5 that needs to request a web server from somewhere out on the Internet,
05:46
but it's not going to send its data... It's going to send its data initially to port 80.
05:51
But when it gets to this device, when it gets through our port address translation firewall, or firewall slash router,
05:59
are
06:00
we have a decision to make here. We can't send along this data over port 80 on a public address because port 80 is already being associated with our web server.
06:10
If we send that data outbound at port 80, we're going to get an inbound connection also at port 80 that we would have to send to our web server.
06:17
So what we're going to do is
06:20
we're going to translate this private IP address and port number. We're going to say, OK, I'm going to send this packet along on 15.165.173.24 port 87... we'd actually use a higher port number. We'll say
06:41
870, 870.
06:44
So it's going to send the traffic out over port... It's going to send the traffic using the same public IP address, but it's going to send it over port 870.
06:55
But it's still an HTTP packet. It doesn't matter. It's fine that we're sending it over a non-standard port. It's okay. We can send protocols over non-standard ports for that protocol.
07:03
So we send the packet out. That packet goes out to the Internet to some other source.
07:09
The other source responds, and it responds back to us. It's going to respond... It'll send its response packet to our public IP address at port 870.
07:20
So then the packet comes back,
07:23
It goes to our device, and then our port address translation says, OK, I have a packet directed toward my public IP address at port 870.
07:31
I remember that I assigned port 870,
07:34
and I translated... I translated this private address at port 80 to my public address at port 870.
07:43
So I'm now going to convert this packet back to the destination of 192.168.17.5 on port 80. So in port address translation, we're not just translating the IP address, but we're also translating the port number that we're sending data on.
07:59
So we now get this packet and we forward it back to its correct recipient.
08:03
So again we can see how, with our network address translation and our port address translation, they work very similarly,
08:11
but our network address translation is going to be one internal to one external, whereas our port address translation is going to be an internal IP and port number to a different external IP and port number,
08:26
and then lastly, we have our DMZ.
08:28
Now
08:28
our DMZ stands for demilitarized zone. And this comes from a military term, which is a demilitarized strip of land, where we don't have... sort of a buffer zone between one country and another, or one
08:43
battle zone and another. It's gonna be our strip of land where we don't have any fighting going on. We don't have any issues going on,
08:52
or our demilitarized zone for a network is going to be an area on our network between our public facing and our private facing firewalls.
09:01
So again, we're going to use firewall routers; we're going to use firewalls that also function as routers in this scenario just for simplicity,
09:09
and we're going to have our firewall number one followed by firewall number two. And then we're going to have our connection out to the Internet, and we're gonna have our internal network and our web server and then our internal network.
09:26
So the area right here
09:28
is our DMZ,
09:31
with our two firewalls and the devices that are in between our two firewalls.
09:35
Now what does this do for us?
09:37
Our DMZ creates a location that is a little bit filtered, but not so strictly filtered as our private network.
09:46
This is typically where we're going to place our public facing appliances. This is going to be where we place things such as our VPN concentrators; we're going to place our web server. And in this case, we have our web server, our web server slash our sales, our point of sale server for people making purchasing transactions.
10:07
So we want people on the Internet to be able to access
10:11
through this firewall and get to our Web server.
10:16
But we don't want them to be able to just send anything to that web server. We don't want them to be able to send any packets or any protocols to our web server. So our public facing firewall router has a certain list which filters a couple of things out, throws them out of the mix. We don't filter everything because we still want people to be able to access this web server.
10:37
But we also have our internal network that's also connected here.
10:43
We don't want all of the same protocols that can access our web server to be able to access our internal network.
10:48
So our second firewall that faces our private network is going to be more locked down and more secure. It's gonna have a stronger security policy. So if anything malicious does leak into our public side, it won't leak into our private side. Maybe this is where we store all of the
11:05
processing for the credit cards. Maybe this is where we store all of our information, where we can change the prices on items, and where we store
11:15
our secret company information. We don't want that on our public side, where we're allowing people to connect in, so we keep that past our private firewall. That's our DMZ.
11:28
Our DMZ is going to be located on the perimeter of our network and is commonly referred to as our perimeter network because it's on the edge. If you think of it again, our network as a battleground, it's what's on the edge of our battleground. Our DMZ... we don't have a DMZ
11:45
in the center of our battle zone because then you'd have to cross through the battle zone to get to the DMZ.
11:48
We have a DMZ on the perimeter of our network, so this would be right on the edge of our network, not deep, deep down inside of our network.
11:58
And again, just remember the key things with our perimeter, with our DMZ, is that (a) it's between two firewalls and (b) our public facing firewall is more strict than our private inside firewall. So that's our two key things to take away from our DMZ, our demilitarized zone.
12:16
So thank you for joining us here today on Cybrary. Today we went over a lot of the different features and a lot of the different facets of setting up a basic firewall. We talked about what firewalls are and how they work with filtering protocols and ports, and how they can be and act as things more than just firewalls.
12:33
We talked about the difference between our software firewalls and our hardware firewalls,
12:37
as well as the difference between packet filtering and our stateful inspection, our stateful filtering,
12:41
and then we moved on to a lot of the other options that our firewalls have, such as how we block and allow certain objects, as well as inbound versus outbound, how we use these and how we use access control lists to keep our networks more secure and to keep things out that we don't want to be in our network. So
12:58
hopefully you enjoyed this session and hopefully it gave you more insight as to how firewalls work and how we're going to
13:05
set them up and configure them on our network. And hopefully we'll see you here next time on Cybrary.

Up Next

CompTIA Network+

This CompTIA Network+ certification training provides you with the knowledge to begin a career in network administration. This online course teaches the skills needed to create, configure, manage, and troubleshoot wireless and wired networks.

Instructed By

Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor