i**p
发帖数: 902 | 1 【 以下文字转载自 CS 讨论区 】
发信人: isup (No), 信区: CS
标 题: NAT, router, firewall
发信站: BBS 未名空间站 (Mon Sep 19 15:44:07 2005)
I found most vendors talking NAT in the firewall category. I thougt NAT is
main for IPv4 shortage, which will reuse private IPs in Internet. The effect
is to hide internal IP. In this sense, it is rather routing than security. Any
guru like to comment/discuss it? | l***y
发帖数: 791 | 2 using routing to provide security, IMHO, is like having a wisely
structured castle built, before putting in well-armed and well-trained
soldiers. simple firewalling often builds around a DMZ, which is a
network segment. using private IP for that segment saves the money to
buy more public ip addresses. there're more ways than one to do NAT,
but the gist for it is that network engineering should be the first step
in development. having entry and exit points in a large, well segmented
network, vs a
【在 i**p 的大作中提到】
: 【 以下文字转载自 CS 讨论区 】
: 发信人: isup (No), 信区: CS
: 标 题: NAT, router, firewall
: 发信站: BBS 未名空间站 (Mon Sep 19 15:44:07 2005)
: I found most vendors talking NAT in the firewall category. I thougt NAT is
: main for IPv4 shortage, which will reuse private IPs in Internet. The effect
: is to hide internal IP. In this sense, it is rather routing than security. Any
: guru like to comment/discuss it?
| i**p
发帖数: 902 | 3 Thanks!
"NAT" is bacame another name of RFC 1631, right?
Is there any other standard/method used in SOHO router for the same purpose?
【在 l***y 的大作中提到】
: using routing to provide security, IMHO, is like having a wisely
: structured castle built, before putting in well-armed and well-trained
: soldiers. simple firewalling often builds around a DMZ, which is a
: network segment. using private IP for that segment saves the money to
: buy more public ip addresses. there're more ways than one to do NAT,
: but the gist for it is that network engineering should be the first step
: in development. having entry and exit points in a large, well segmented
: network, vs a
| l***y
发帖数: 791 | 4 a more expensive solution, which is also very old, i think, is VPN.
software VPN will setup a tunnel from your side to server side. this
will work whether or not you have a home/small office private network.
for a scattered number of small office routers that needs to talk to
each other, networking VPN will give each SOHO a private routing table(vrf),
only including the networks they need access. also, from the public network
nothing can get to the networks behind these SOHO routers. This will p
【在 i**p 的大作中提到】
: Thanks!
: "NAT" is bacame another name of RFC 1631, right?
: Is there any other standard/method used in SOHO router for the same purpose?
| i**p
发帖数: 902 | 5 NAT does work well now, and makes inexpensive private network available
without public IPs. It compromises with PORT number. The router has to check
the port number in TCP/UDP layer for routing. Is it a drawback and will affect
other application later?
private
【在 l***y 的大作中提到】
: a more expensive solution, which is also very old, i think, is VPN.
: software VPN will setup a tunnel from your side to server side. this
: will work whether or not you have a home/small office private network.
: for a scattered number of small office routers that needs to talk to
: each other, networking VPN will give each SOHO a private routing table(vrf),
: only including the networks they need access. also, from the public network
: nothing can get to the networks behind these SOHO routers. This will p
| l***y
发帖数: 791 | 6 em, definately there can be some more inteligent 'application routers'
to handle the problems NAT generates. apps using protocols such as SIP, FTP,
etc,
refer to the private ip of the endpoints behind NAT, this'll break the
applications unless some measure is taken to handle NAT. either the router
can re-write the signalling packets to replace private ips with public ip,
or the endpoints have to be aware and handle NAT, or ...
NAT can be single ip to single ip, btw, doesn't have to be multiple i
【在 i**p 的大作中提到】
: NAT does work well now, and makes inexpensive private network available
: without public IPs. It compromises with PORT number. The router has to check
: the port number in TCP/UDP layer for routing. Is it a drawback and will affect
: other application later?
:
: private
|
|
