Network Perimeter Security

For network perimeter security, or protecting the external interfaces between

your network and external networks, we consider the use of address translation

mechanisms and fi rewalls.

Network address translation, or NAT, is the mapping of IP addresses from one

realm to another. Typically this is between public and private IP address space.

Private IP address space is the set of IETF-defi ned private address spaces (RFC 1918):

■ Class A 10.x.x.x 10/8 prefi x

■ Class B 172.16.x.x 172.16/12 prefi x

■ Class C 192.168.x.x 192.168/16 prefi x

NAT is used to create bindings between addresses, such as one-to-one address

binding (static NAT); one-to-many address binding (dynamic NAT); and address

and port bindings (network address port translation, or NAPT).

While NAT was developed to address the issues of address space exhaustion,

it was quickly adopted as a mechanism to enhance security at external interfaces.

Routes to private IP address spaces are not propagated within the Internet; therefore,

the use of private IP addresses hides the internal addressing structure of a

network from the outside.

The security architecture should consider a combination of static and dynamic

NAT and NAPT, based on the devices that are being protected. For example, static

NAT is often used for bindings to multiple-user devices such as servers or high-end

computing devices, while dynamic NAT is used with generic computing devices.

Firewalls are combinations of one or more security mechanisms, implemented

in network devices (routers) placed at strategic locations within a network.

Firewalls can be fi ltering gateways, application proxies with fi ltering gateways, or

devices running specialized “ fi rewall ” software.

Related Posts Plugin for WordPress, Blogger...