Module 7: Designing Internet Connectivity

Transcript Module 7: Designing Internet Connectivity

Module 6: NAT As a Solution for Internet Connectivity

When an organization decides to connect to the Internet, a primary consideration is how to provide Internet access for users on the private network while protecting private network resources. In Microsoft® Windows® 2000, the Network Address Translation (NAT) protocol that is provided by Routing and Remote Access provides a solution for Internet connectivity, and protects the resources of private networks.

NAT is an appropriate solution for Internet connectivity requirements for organizations that have limited security requirements and a relatively small number of users within each location.

At the end of this module, you will be able to:

- Evaluate NAT as a solution for Internet connectivity.
- Evaluate and create a functional design for baseline Internet connectivity.
- Select appropriate strategies to secure a NAT Internet connectivity solution.
- Select appropriate strategies to enhance Internet connection availability and improve Internet connectivity performance.

Note: Throughout the remainder of the module, NAT is used to describe the NAT protocol in Windows 2000.
Overview

- Introducing NAT
- Designing a Functional NAT Solution
- Securing a NAT Solution
- Enhancing a NAT Design for Availability and Performance
Introducing NAT

- Design Decisions for a NAT Solution
- Features of NAT

NAT connects private networks to the Internet while also protecting the private network resources. To design a strategy for providing Internet connectivity by using NAT, you must:

- Establish the design requirements for a NAT solution.
- Identify how the features provided by NAT support the Internet connectivity design requirements.
Design Decisions for a NAT Solution

- Same Security Requirements for All Users
- Nonrouted Private Network
- Required Private Addressing

You must base your decision to use NAT as an Internet connectivity solution on the size of the private network and the security requirements of the organization. NAT is an appropriate solution for Internet connectivity when:

- Internet access and access to the private network are not restricted on a user-by-user basis.
- The private network consists of any number of users in a private address (RFC 1918) environment.
- The organization requires private addressing for the computers on the private network.
Features of NAT

- Translate Public and Private Addresses
- Supply IP Configuration to Clients
- Forward Name Resolution Requests
- Protect Private Network Resources
- Integrate into Existing Networks

To ensure an effective Internet connectivity solution, you need to understand how the features of NAT support the organization's connectivity requirements. NAT is one of the protocols supported by Routing and Remote Access in Windows 2000; therefore, to use NAT, you must include Routing and Remote Access in your solution.
Translate Public and Private Addresses

The network address translation feature of NAT secures the private network by hiding the private network addresses from Internet-based users. Network address translation allows one or more public addresses to be translated to the private Internet Protocol (IP) addressing scheme within the private network. Network address translation is inherent in NAT and necessitates the use of private addressing.

Note: For situations where a public address exists for each computer on the private network, you can use IP routing as provided in Routing and Remote Access.
Supply IP Configuration to Clients

The automatic IP address assignment feature of NAT supplies the IP configuration to client computers on the private network. This feature of NAT eliminates the requirement for a separate DHCP server. You can use automatic IP address assignment to configure any DHCP-compatible client.

Forward Name Resolution Requests

The name resolution feature of NAT uses DNS proxies to forward requests for name resolution. The NAT server sends client requests to the appropriate DNS servers on the private network, or across the Internet.

Protect Private Network Resources

NAT protects private network resources from Internet-based users by allowing Internet-originated communication only with a specific port on a specific private network IP address. To provide this protection, NAT uses address pools and special ports. The NAT server forwards requests from Internet-based users to the computers on the private network that manage the resource.
Integrate into Existing Networks

When you integrate NAT into existing networks, consider that NAT:

- Supports automatic IP configuration of client computers that use DHCP for configuration.
- Provides IP configuration. You must ensure that DHCP servers do not provide IP configuration for the private network.
- Supports only the IP protocol, not any other routable protocols such as Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX).
- Cannot perform address translation on certain protocols.

The following is a list of protocols that are not supported by NAT:

- Simple Network Management Protocol (SNMP)
- Lightweight Directory Access Protocol (LDAP)
- Component Object Model (COM) or Distributed Component Object Model (DCOM). Many applications may use DCOM to communicate between clients and servers in a multi-tier solution.
- Kerberos Version 5. The Active Directory™ directory service uses the Kerberos V5 protocol, so domain controllers cannot replicate through NAT.
- Microsoft Remote Procedure Call (RPC). Many of the Microsoft Management Console (MMC) snap-ins use RPC to communicate between the client and the server.
- Internet Protocol Security (IPSec) packets that use IP header encryption

Note: For any applications that require the protocols not supported by NAT, use Microsoft Proxy Server 2.0 as the Internet connectivity solution.
Designing a Functional NAT Solution

- Integrating NAT into the Existing Network
- Selecting NAT Server Options
- Discussion: Designing NAT Solutions

Your design decisions establish the essential aspects of your NAT solution and provide the foundation for your Internet connectivity design. You make these decisions by:

- Determining the placement of the NAT server and the IP address, type of persistence, and data rate of the NAT server interface.
- Selecting the appropriate automatic IP address assignment and DNS name resolution feature options.
Integrating NAT into the Existing Network

[Diagram labels: LAN Interface, Internet, NAT, Demand-Dial Interface]

- NAT Server Placement on the Private Network
- Interface Address and Subnet Mask Selection
- Interface Data Rate and Persistence Selection

The NAT server in your network design must have at least two interfaces: one interface that connects to the Internet and one interface that connects to the private network. For each NAT server interface, you must describe the interface characteristics so that you can integrate the NAT server into the existing network.
NAT Server Placement on the Private Network

You need to place the NAT server between the network segments to localize network traffic and maintain security. The NAT server provided by Windows 2000 is appropriate for connecting the private network to public networks.

You must place the NAT server within the private network to:

- Isolate the network traffic to the source, destination, and intermediary network segments.
- Create a screened subnet within the private network, thereby protecting confidential data.
- Exchange network packets between dissimilar network segments, such as between an Ethernet network segment and Integrated Services Digital Network (ISDN).
Select the Interface Address and Subnet Mask

When selecting the NAT server interface address and subnet mask, remember that:

- Each NAT server interface requires an IP address and subnet mask.
- The IP address assigned to the NAT interface must be within the range of addresses that is assigned to the network segment that is directly connected to the interface.
- The subnet mask assigned to the NAT server interface must match the subnet mask that is assigned to the network segment that is directly connected to the interface.
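An added design check, not part of the module, that applies the rules above (two interfaces, address inside the directly connected segment, mask equal to the segment's mask) to a constructed two-interface NAT server; the segment names, addresses and the `role` field are assumptions made for this example.

```python
import ipaddress

# Constructed sample design: the two NAT server interfaces and the network
# segments each one is directly connected to. Addresses use the RFC 1918 and
# documentation ranges and are not taken from the module.
SEGMENTS = {
    "private LAN": "192.168.0.0/24",
    "ISP link": "198.51.100.0/30",
}

NAT_INTERFACES = [
    {"name": "LAN Interface", "role": "private", "segment": "private LAN",
     "address": "192.168.0.1", "mask": "255.255.255.0"},
    {"name": "Internet Interface", "role": "internet", "segment": "ISP link",
     "address": "198.51.100.2", "mask": "255.255.255.252"},
]


def check_interface(iface, segments):
    """Return the design rules one NAT interface violates (empty list = OK)."""
    problems = []
    segment = ipaddress.ip_network(segments[iface["segment"]])
    address = ipaddress.ip_address(iface["address"])
    mask = ipaddress.ip_address(iface["mask"])
    # The address must fall within the directly connected segment's range.
    if address not in segment:
        problems.append(f"{iface['name']}: address {address} is not within {segment}")
    # The mask must equal the mask of the directly connected segment.
    if mask != segment.netmask:
        problems.append(f"{iface['name']}: mask {mask} does not match {segment.netmask}")
    return problems


def check_nat_server(interfaces, segments):
    """Check a whole NAT server design: at least one Internet-side and one
    private-side interface, each with a valid address and mask for its segment."""
    problems = []
    roles = {iface["role"] for iface in interfaces}
    for needed in ("internet", "private"):
        if needed not in roles:
            problems.append(f"no interface connects to the {needed} side")
    for iface in interfaces:
        problems.extend(check_interface(iface, segments))
    return problems


if __name__ == "__main__":
    for line in check_nat_server(NAT_INTERFACES, SEGMENTS) or ["design OK"]:
        print(line)
```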
Select the Interface Data Rate and Persistence

Each NAT server interface connects to a private or public network segment. These network segments can be persistent or non-persistent. In addition, the data rates for these network segments can vary considerably. You need to specify the data rate and persistence for each NAT server interface so that the NAT server can connect to private and public network segments.

Interfaces that connect to private network segments

Private network segments are based on local area network (LAN) technologies that are persistent interface connections. The data rate of the private network segment is determined by the LAN technology, such as a 100 megabits per second (Mbps) data transfer rate for 100 Mbps Ethernet.

Interfaces that connect to public network segments

Public network segments are based on LAN and demand-dial technologies that can be persistent or non-persistent. Public network segments that appear to the NAT server as LAN interfaces are persistent, and the data rate is determined by the LAN technology. Public network segments that appear as demand-dial interfaces are non-persistent, and the data rate is determined by the underlying technology. An example of this would be a 56 Kbps dial-up modem connection that supports a maximum data rate of 56 Kbps.

When the public network segments are based on LAN technologies, you can include demand-dial interfaces, such as a VPN connection over a digital subscriber line (DSL) connection. Include a demand-dial interface in your solution when:

- An exchange of credentials, such as VPN tunnel authentication, is required to perform authentication.
- Charges, such as ISDN connection charges, are accumulated.
Selecting NAT Server Options

[Diagram labels: Name Resolution, Private Network, Internet, Automatic Addressing, DNS Server, NAT]

- Automatic IP Address Assignment
- DNS Name Resolution

In addition to providing network address translation, NAT provides automatic addressing and name resolution for private network clients. These NAT server options eliminate the need for additional Windows 2000-based servers to provide the same function.
Automatic IP Address Assignment

The automatic IP address assignment feature in NAT supplies IP configuration to any DHCP-compatible client on the private network. Include this feature in your solution when the:

- Client computers on the private network use DHCP for IP configuration.
- Private network consists of a single, nonrouted subnet.

You must configure the NAT client computers on the private network such that they automatically obtain their Transmission Control Protocol/Internet Protocol (TCP/IP) configuration. When the computers on the private network are started, the NAT server configures the TCP/IP options of the computers.

The following table lists the TCP/IP options and associated TCP/IP settings that are configured on the DHCP client computers.

This option | Is set to
IP address | An IP address from the range 192.168.0.0/24.
Subnet mask | 255.255.255.0.
DNS server | The IP address of the NAT private network interface, which is typically 192.168.0.1.

You can also use Automatic Private IP Addressing (APIPA) in Windows 2000 and Microsoft Windows 98 to automatically configure computers on the private network. When you use APIPA, you must manually select the IP address of the private network interface for the NAT server from the range of APIPA addresses.

Note: If you enable the automatic IP addressing feature, ensure that DHCP servers do not provide IP configuration for the private network because the DHCP servers and the NAT server would both attempt to configure the computers.
DNS Name Resolution

The name resolution feature of NAT forwards DNS name resolution requests from clients on the private network to DNS servers across the Internet. Include this feature in your solution when:

- Other private network servers do not provide DNS name resolution.
- The private network consists of a single, nonrouted subnet.
Discussion: Designing NAT Solutions

[Map showing Edinburgh, Glasgow, Belfast, Dublin, Birmingham, Bristol, and London]

As you create NAT designs, you need to translate information relating to the solution into design requirements.

The following scenario describes the current network configuration of a firm that represents electronic component manufacturers.

Scenario

A firm represents a number of electronic component manufacturers. The central sales office is located in London with regional representatives located throughout the United Kingdom. The regional representatives conduct business from their homes.

Each regional representative currently has one computer running Microsoft Windows 95 that uses a direct dial-up connection to a remote access server in the London central sales office to place orders. In addition, the representatives also connect to the Internet, through local Internet service providers (ISPs), so they can view product information from the electronic manufacturers they represent.
Securing a NAT Solution

- Restricting Internet Traffic by Using IP Filters
- Allowing Access with Address Pools and Special Ports
- Enhancing NAT Security with VPN

The default security provided by NAT is adequate to protect private network resources that are not available to Internet users. For Internet connectivity solutions that require restricted access to Internet sites or to private network resources, you need to incorporate the security features provided by NAT. To enhance the security of a NAT solution, consider:

- Specifying Routing and Remote Access filters.
- Allowing access to private network resources by using address pools and special ports.
- Enhancing NAT security with VPN connections.
Restricting Internet Traffic by Using IP Filters

[Diagram labels: Central Office, NAT, Internet, Web Server, Private Network, Outgoing, Incoming, Partner Network]

- Restrict by Using Routing and Remote Access IP Filters
- Apply Filters to Internet or Private Network Interface
- Filter All Traffic Based on IP Address and Protocol

To restrict access to the Internet or to the private network, you can specify unique Routing and Remote Access IP filters for each NAT interface. These filters are based on an incoming or outgoing IP address range and protocol. You can add multiple filters for each NAT interface to create a combination of filters that address any security requirements. Routing and Remote Access IP filters provide similar security to firewall filters.

You can specify Routing and Remote Access IP filters that restrict:

- Internet-based user access to private network resources.
- Private network user access to Internet-based resources, such as partner networks or central offices.
Restrict by Using Routing and Remote Access IP Filters

Routing and Remote Access filters restrict traffic at International Organization for Standardization (ISO) layer two and affect all IP traffic received by a NAT interface. These filters specify which IP packets are forwarded or rejected by the NAT interface.
Apply Filters to the Internet or Private Network Interface

You can apply Routing and Remote Access filters to the Internet or private NAT interface. The following table lists the interface types and describes the reasons for assigning a filter to each interface.

Create a filter on the | To restrict
Internet interface | Private network user access to Internet-based resources.
Private network interface | Internet-based user access to private network resources.
Packet Traffic Filters

You can create Routing and Remote Access filters by specifying the source or destination IP address range, protocol type, or port number of the packets to be filtered. You can base your filter design upon any combination of the following:

- Source IP address range.
- Destination IP address range.
- IP protocol number.

You can design the filters to either accept or reject packets that match any of the filters assigned to the NAT interface.
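The accept-or-reject semantics described above, as an added example that is not code from the module or from Routing and Remote Access: a small evaluator for filter entries built from a source range, a destination range and an IP protocol number, applied to constructed packets leaving the Internet interface. The address ranges, the packet values and the `interface_forwards` function are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers used in the filters


@dataclass(frozen=True)
class Packet:
    source: str
    destination: str
    protocol: int


@dataclass(frozen=True)
class IPFilter:
    """One filter entry. A criterion left as None is not part of the filter,
    so any packet satisfies it (an address-only filter ignores the protocol)."""
    source_range: Optional[str] = None       # CIDR range, e.g. "192.168.0.0/24"
    destination_range: Optional[str] = None
    protocol: Optional[int] = None

    def matches(self, packet: Packet) -> bool:
        src = ipaddress.ip_address(packet.source)
        dst = ipaddress.ip_address(packet.destination)
        if self.source_range is not None and src not in ipaddress.ip_network(self.source_range):
            return False
        if self.destination_range is not None and dst not in ipaddress.ip_network(self.destination_range):
            return False
        if self.protocol is not None and packet.protocol != self.protocol:
            return False
        return True


def interface_forwards(packet: Packet, filters: List[IPFilter], matching_action: str) -> bool:
    """Decide whether a NAT interface forwards the packet.

    matching_action is what the interface does with a packet that matches ANY
    filter in its list: "accept" forwards only matching packets and drops the
    rest; "reject" drops matching packets and forwards the rest. An interface
    with no filters forwards everything.
    """
    if not filters:
        return True
    matched = any(f.matches(packet) for f in filters)
    return matched if matching_action == "accept" else not matched


# Constructed sample (documentation-range addresses): outgoing filters on the
# Internet interface that let private network users reach only a partner
# network (any protocol) and the central office (TCP only). With the "accept"
# action every other outgoing packet is dropped.
PRIVATE_NETWORK = "192.168.0.0/24"
OUTGOING_FILTERS = [
    IPFilter(source_range=PRIVATE_NETWORK, destination_range="203.0.113.0/24"),
    IPFilter(source_range=PRIVATE_NETWORK, destination_range="198.51.100.0/24", protocol=TCP),
]
OUTGOING_ACTION = "accept"


def private_user_may_reach(destination: str, protocol: int) -> bool:
    """Apply the sample outgoing filter set to one packet from a private client."""
    packet = Packet("192.168.0.10", destination, protocol)
    return interface_forwards(packet, OUTGOING_FILTERS, OUTGOING_ACTION)


if __name__ == "__main__":
    for dest, proto in [("203.0.113.5", UDP), ("198.51.100.7", TCP),
                        ("198.51.100.7", ICMP), ("192.0.2.80", TCP)]:
        verdict = "forwarded" if private_user_may_reach(dest, proto) else "dropped"
        print(f"{dest} protocol {proto}: {verdict}")
```

Switching `OUTGOING_ACTION` to "reject" inverts the result for every packet, which is why the same filter list must be read together with its action before it is judged restrictive enough.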
Allowing Access with Address Pools and Special Ports

[Diagram labels: Private Network, Internet, Special Port Mapping, Web Server, NAT, Remote User]

- Use the Default—All Computers Are Inaccessible
- Reserve Addresses from the Address Pool
- Define Special Port Mappings

You can allow access to specific computers and applications within the private network by reserving IP addresses from the NAT interface address pool, or by creating special port mappings.
Use the Default—All Computers Are Inaccessible

By default, NAT discards any Internet-based requests to access computers located within the private network. As such, all computers on the private network are inaccessible from the Internet in a NAT solution. Choose the default configuration when users on the:

- Private network require access to Internet sites.
- Internet must not have access to any of the private network resource computers.

In situations where the default security provided by NAT is not appropriate, select the method for exposing private network resources to the Internet. You can select the method based on the number of public addresses available to the organization.

The following table describes the strategies for enabling access to private network resources.

When the design includes | Enable access to private network resources by
Multiple public IP addresses | Reserving addresses from the address pool.
Single public IP address | Defining special port mappings.
Reserve Addresses from the Address Pool

When the NAT solution includes multiple public IP addresses, you can place the addresses in an address pool to enable private network resource access. Address pools enable NAT to examine Internet-based requests and forward the requests to resources on a server within the private network.

You must obtain and reserve a public IP address in the NAT address pool for each resource server on the private network.

Note: Using address pools allows all IP ports on the resource server to be accessed. If the security specification of the design requires restricted IP port access, you can use Routing and Remote Access filters to restrict port access.
Define Special Port Mappings

When the NAT solution includes only one public IP address, you must define special port mappings within Routing and Remote Access to enable private network resource access. Special port mappings enable NAT to examine the IP address and port number of Internet-based requests. NAT then forwards the requests to a specific IP address and port number of a resource server within the private network. For each resource that you share with the Internet, you must define separate special port mappings in Routing and Remote Access.
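Both exposure strategies above (address pool reservations when several public addresses exist, special port mappings when there is only one) together with the default of discarding everything else, as an added example that is not code from the module: `build_inbound_config` chooses the strategy from the number of public addresses and `resolve_inbound` shows where an Internet-originated request ends up, including the all-ports exposure that the address pool note warns about. The function names, data layout and all addresses are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers


@dataclass
class InboundAccessConfig:
    # Address pool reservations: public address -> private resource server.
    # A reservation forwards every port on that server.
    reserved: Dict[str, str] = field(default_factory=dict)
    # Special port mappings: (public address, protocol, public port)
    #   -> (private address, private port).
    special_ports: Dict[Tuple[str, int, int], Tuple[str, int]] = field(default_factory=dict)


def resolve_inbound(config: InboundAccessConfig, public_ip: str,
                    protocol: int, port: int) -> Optional[Tuple[str, int]]:
    """Return the (private address, port) an unsolicited Internet request is
    forwarded to, or None when NAT discards it, the default for anything that
    is not explicitly exposed."""
    if public_ip in config.reserved:
        return (config.reserved[public_ip], port)                  # all ports exposed
    return config.special_ports.get((public_ip, protocol, port))  # exact match only


def build_inbound_config(public_addresses: List[str],
                         resources: List[Tuple[str, int, int]]) -> InboundAccessConfig:
    """Pick the exposure strategy from the number of public addresses.

    resources lists (private address, protocol, port) to expose. With multiple
    public addresses, one address is reserved per resource server; with a
    single address, one special port mapping is defined per resource, so each
    public port can be mapped only once.
    """
    config = InboundAccessConfig()
    if len(public_addresses) > 1:
        servers = list(dict.fromkeys(private_ip for private_ip, _, _ in resources))
        if len(servers) > len(public_addresses):
            raise ValueError("one public address is needed per resource server")
        config.reserved.update(zip(public_addresses, servers))
    else:
        public_ip = public_addresses[0]
        for private_ip, protocol, port in resources:
            key = (public_ip, protocol, port)
            if key in config.special_ports:
                raise ValueError(f"port {port}/{protocol} on {public_ip} is already mapped")
            config.special_ports[key] = (private_ip, port)
    return config


# Constructed sample resources (documentation-range addresses): a Web server
# and a mail server on the private network.
RESOURCES = [("192.168.0.20", TCP, 80), ("192.168.0.21", TCP, 25)]

if __name__ == "__main__":
    pooled = build_inbound_config(["198.51.100.10", "198.51.100.11"], RESOURCES)
    single = build_inbound_config(["198.51.100.10"], RESOURCES)
    for name, cfg in (("address pool", pooled), ("special ports", single)):
        print(name, resolve_inbound(cfg, "198.51.100.10", TCP, 80),
              resolve_inbound(cfg, "198.51.100.10", TCP, 3389))
```

With the address pool, the request to port 3389 is forwarded as well, which is the case where a Routing and Remote Access filter on the reserved address would be needed to narrow the exposure.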
Enhancing NAT Security with VPN

[Diagram labels: Remote User, VPN Servers, Central Office, Internet, VPN Server, NAT, Private Network, Partner Network]

- Supports PPTP Tunnels
- Provides User Level Authentication
- Supports Inbound and Outbound Connections

NAT does not provide security on a user-by-user basis. However, you can restrict access to resources by using VPN connections. VPNs authenticate users and encrypt data transferred across public networks.

For example, you can use VPN connections in a NAT solution to secure connections between:

- Remote users that need to access private network resources.
- Users on the private network and resources within partner organizations.
- Users on the private network and resources at other locations within the organization.

The following table lists solutions provided by VPN connections and describes how the solutions enhance the security of a NAT design.

VPN connections | To
Support Point-to-Point Tunneling Protocol (PPTP) tunnels | Provide authentication and encryption for sensitive data.
Provide user level authentication | Secure access to remote resources over the Internet on a user-by-user basis.
Support inbound and outbound connections | Allow access to private network resources from users outside the local private network. Allow access to resources outside the local private network.

Note: VPN tunnels that use Layer Two Tunneling Protocol (L2TP) are not supported because IPSec can encrypt the IP header and NAT cannot perform address translation.
Enhancing a NAT Design for Availability and Performance

[Diagram labels: LAN Interface, Internet, NAT, Demand-Dial Interface]

- Dedicate a Computer to NAT
- Select Persistent Internet Connections
- Provide Multiple Internet Connections

You can enhance the availability and performance of NAT by dedicating a computer to NAT, selecting persistent Internet connections, or providing multiple Internet connections. Any of these strategies enhance availability and improve performance.

The following table describes how these strategies enhance availability and performance.

Use this strategy | To enhance availability by | To optimize performance by
Dedicating a computer to NAT | Preventing other applications that run on the same computer from becoming unstable, and ultimately requiring a restart of the computer. | Preventing other applications that run on the same computer from consuming system resources and impacting NAT performance.
Selecting persistent Internet connections | Preventing a lack of availability for dial-up connections, such as by busy signals. | Eliminating the time required to establish a nonpersistent connection.
Providing multiple Internet connections | Providing redundant connections to the Internet in the event one of the connections fails. | Distributing the traffic across the multiple connections to the Internet.
Discussion: Enhancing a NAT Solution

[Map showing Edinburgh, Glasgow, Belfast, Dublin, Birmingham, Bristol, and London]

After you have provided a basic NAT solution, you need to examine the security, availability, and performance requirements for the solution.

The following scenario describes the requirements for enhancing the NAT solution of the firm that represents the electronic component manufacturers.

Scenario

During the deployment of the NAT solution for the firm that represents electronic component manufacturers, the firm decides to enhance the order entry and order tracking system. The enhancements allow customers to place orders and then track their orders by using a Web-based application over the Internet.

Each regional sales representative will run a copy of the Web-based application on the computer running Windows 2000. As customers place orders, the SQL Server 7.0 database located in the regional representative's home office and the SQL Server 7.0 database in the London central sales office are updated.
Lab A: Designing a NAT Solution

Objectives

After completing this lab, you will be able to:

- Evaluate a scenario to determine the requirements that affect a NAT solution.
- Design a NAT solution to fulfill the requirements of the scenario.

Prerequisites

Before working on this lab, you must have:

- Knowledge of the design decisions required in creating a NAT solution.
- Knowledge of the design decisions that enhance the security, availability, and performance of a NAT solution.
Exercise 1: Designing a NAT Solution

In this exercise, you are presented with the task of creating a NAT solution for a public utility. This public utility plans to relocate the offices of its customer service agents. You will design a NAT solution that supports the public utility's requirements.

Review the scenario, diagrams, and design limitations and requirements, and then answer the exercise questions.

Scenario

A public utility is relocating its customer service staff from offices within the public utility main office to home offices. The customer service agents answer billing and customer questions regarding the utility service.

The utility will provide Windows 2000-based computers to the customer service agents for use in their home offices. As the network architect for the public utility, you will create the design that allows the customer service agents to work from their home offices.

The current network configuration provides:

- Support for a mission-critical, Web-based application that allows the customer service agents to manage customers and their billing information.
- Support for a mission-critical, Web-based application that allows customers to make account payments and submit service requests over the Internet.
- Support for all mission-critical applications to be available 24 hours a day, 7 days a week.
- Internet connections installed in the home office, but not connected to the home office network.

Design Limitations and Requirements

Your assessment of the existing network configuration, and your investigation of the future configuration requirements, reveal the following design requirements that you must meet in your NAT solution:

- Internet access from the central and home offices.
- Isolation of the central and home offices from the Internet.
- Connection for the home offices to the central office by using dedicated connections over the Internet.
Review

- Introducing NAT
- Designing a Functional NAT Solution
- Securing a NAT Solution
- Enhancing a NAT Design for Availability and Performance