Module 6: NAT as a Solution for Internet Connectivity

Contents
Overview 1
Enhancing a NAT Design for Availability and Performance
Discussion: Enhancing a NAT Solution 20
Review 30
to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.
Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt (NIIT (USA) Inc.)
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective owners.
Overview
Introducing NAT
Designing a Functional NAT Solution
Securing a NAT Solution
Enhancing a NAT Design for Availability and Performance
When an organization decides to connect to the Internet, a primary consideration is how to provide Internet access for users on the private network while protecting private network resources. In Microsoft® Windows® 2000, the Network Address Translation (NAT) protocol provided by Routing and Remote Access offers a solution for Internet connectivity and protects the resources of the private network.
NAT is an appropriate Internet connectivity solution for organizations that have limited security requirements and a relatively small number of users at each location.
At the end of this module, you will be able to:
Evaluate NAT as a solution for Internet connectivity
Evaluate and create a functional design for baseline Internet connectivity
Select appropriate strategies to secure a NAT Internet connectivity solution
Select appropriate strategies to enhance Internet connection availability and improve Internet connectivity performance
Note: Throughout the remainder of this module, NAT refers to the NAT protocol in Windows 2000.
Introducing NAT
Establish the design requirements for a NAT solution
Identify how the features provided by NAT support the Internet connectivity design requirements
Design Decisions for a NAT Solution
Same Security Requirements for All Users
Nonrouted Private Network
Required Private Addressing
You must base your decision to use NAT as an Internet connectivity solution on the size of the private network and the security requirements of the organization. NAT is an appropriate solution for Internet connectivity when:
Internet access and access to the private network are not restricted on a user-by-user basis
The private network consists of any number of users in a nonrouted environment
The organization requires private addressing for the computers on the private network
Trang 6Features of NAT
Translate Public and Private Addresses
Supply IP Configuration to Clients
Forward Name Resolution Requests
Protect Private Network Resources
Integrate into Existing Networks
To ensure an effective Internet connectivity solution, you need to understand how the features of NAT support the organization's connectivity requirements. NAT is one of the protocols supported by Routing and Remote Access in Windows 2000; therefore, to use NAT, you must include Routing and Remote Access in your solution.
Translate Public and Private Addresses
The network address translation feature of NAT conceals the private network addresses from Internet-based users. Network address translation allows one or more public addresses to be translated to the private Internet Protocol (IP) addressing scheme used within the private network. Network address translation is inherent in NAT and requires the use of private addressing on the internal network.
For situations where a public address exists for each computer on the private network, you can use the IP routing provided in Routing and Remote Access instead of NAT.
Supply IP Configuration to Clients
The automatic IP address assignment feature of NAT supplies the IP configuration to client computers on the private network. This feature eliminates the requirement for a separate DHCP server. You can use automatic IP address assignment to configure any DHCP-compatible client.
Forward Name Resolution Requests
The name resolution feature of NAT acts as a DNS proxy that forwards name resolution requests. The NAT server sends client requests to the appropriate DNS servers on the private network or across the Internet.
Protect Private Network Resources
NAT protects private network resources from Internet-based users because, by default, the NAT server forwards an inbound packet from the Internet only when it matches a translation entry that an outbound request from the private network created; an unsolicited inbound packet has no matching entry and is discarded. To make a specific resource reachable from the Internet, you configure address pools and special ports, which are static mappings from a public address and port to a specific port on a specific private network IP address. The NAT server then forwards requests from Internet-based users only to the private network computer that hosts that resource.
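As an added example (not code from this course or from the Windows 2000 NAT implementation), the following Python model shows the behaviour described above and also illustrates the "address pools and special ports" mechanism referred to later in this module: an outbound packet creates a translation entry, an inbound packet is forwarded only when it matches an entry from the same remote peer, and a special port statically publishes one private host and port. The NatServer and Packet names, the addresses and the ports are all constructed for the example.

```python
import itertools
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal IP/transport header: enough fields for address and port translation."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatServer:
    """Hypothetical NAT server with one public address (constructed for this example)."""
    public_ip: str
    # Special ports: static mappings (public_port, proto) -> (private_ip, private_port)
    special_ports: dict = field(default_factory=dict)
    # Dynamic translation table created by outbound traffic:
    # (public_port, proto) -> (private_ip, private_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    # Reverse index so one private flow always reuses the same public port
    reverse: dict = field(default_factory=dict)
    next_port: itertools.count = field(default_factory=lambda: itertools.count(1025), repr=False)

    def outbound(self, pkt):
        """Translate a packet leaving the private network, creating an entry if needed."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self.reverse:
            pub_port = next(self.next_port)
            # Never hand out a port that is published as a special port or already mapped
            while (pub_port, pkt.proto) in self.special_ports or (pub_port, pkt.proto) in self.table:
                pub_port = next(self.next_port)
            self.table[(pub_port, pkt.proto)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.reverse[key] = pub_port
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; return None when it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.dst_port, pkt.proto)
        if key in self.special_ports:            # explicitly published resource: anyone may reach it
            priv_ip, priv_port = self.special_ports[key]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)
        entry = self.table.get(key)
        if entry is None:                        # nobody inside asked for this: drop
            return None
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                          # mapped port, but not the peer that was contacted: drop
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


def demo():
    """Walk through the cases the text describes; all addresses are constructed."""
    nat = NatServer(public_ip="203.0.113.10",
                    special_ports={(80, "tcp"): ("192.168.0.5", 80)})   # publish the internal Web server
    client_out = nat.outbound(Packet("192.168.0.20", 3000, "198.51.100.7", 80))   # user browses out
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.10", client_out.src_port))  # reply comes back
    probe = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", client_out.src_port))  # other host probes
    to_web = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", 80))     # special port: allowed
    to_rdp = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", 3389))   # unpublished port: dropped
    return {"client_out": client_out, "reply": reply, "probe": probe, "to_web": to_web, "to_rdp": to_rdp}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {'dropped' if result is None else result}")
```

The private address 192.168.0.20 never appears on the Internet side, the probe to the dynamically mapped port is dropped because it comes from a different peer, and only the special port exposes an internal host to arbitrary Internet sources.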
Integrate into Existing Networks
When you integrate NAT into existing networks, consider that NAT:
Supports automatic IP configuration of client computers that use DHCP for configuration
Provides IP configuration itself, so you must ensure that DHCP servers do not also provide IP configuration for the private network
Supports only the IP protocol, not other routable protocols such as Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
Cannot perform address translation for certain protocols
The following protocols are not supported by NAT:
• Simple Network Management Protocol (SNMP)
• Lightweight Directory Access Protocol (LDAP)
• Component Object Model (COM) or Distributed Component Object Model (DCOM). Many applications use DCOM to communicate between clients and servers in a multi-tier solution.
• Kerberos version 5. The Active Directory™ directory service uses the Kerberos V5 protocol, so domain controllers cannot replicate through NAT.
• Microsoft Remote Procedure Call (RPC). Many Microsoft Management Console (MMC) snap-ins use RPC to communicate between the client and the server.
• Internet Protocol Security (IPSec) packets that protect the IP header. The Authentication Header (AH) computes its integrity check over the source and destination IP addresses, so any address rewrite invalidates it, and with Encapsulating Security Payload (ESP) the transport-layer ports that the NAT server rewrites are encrypted.
Note: For any applications that require the protocols not supported by NAT, use Microsoft Proxy Server 2.0 as the Internet connectivity solution.
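To show why the NAT server cannot translate the IPSec case in the list above, here is an added Python example (not from this course, and a simplified model of the AH integrity check rather than the real AH wire format): an integrity check value keyed with a secret that the NAT server does not hold covers the source and destination addresses, so rewriting the private source address invalidates it, whereas a keyless ones'-complement checksum of the kind TCP and UDP use can simply be recomputed by the NAT server, which is why ordinary TCP and UDP traffic survives translation. The key, addresses and payload are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct


def _addr_bytes(src, dst):
    # In this simplified model the protected header fields are only the two addresses.
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed


def ah_icv(key, src, dst, payload):
    """Keyed integrity check value: only holders of the IPSec key can compute it."""
    return hmac.new(key, _addr_bytes(src, dst) + payload, hashlib.sha256).digest()


def checksum16(data):
    """Ones'-complement sum as used by TCP/UDP checksums: no key, anyone can recompute it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ah_packet(key, src, dst, payload):
    return {"src": src, "dst": dst, "payload": payload, "icv": ah_icv(key, src, dst, payload)}


def build_plain_packet(src, dst, payload):
    return {"src": src, "dst": dst, "payload": payload,
            "csum": checksum16(_addr_bytes(src, dst) + payload)}


def nat_translate(pkt, public_ip):
    """Rewrite the private source address the way a NAT server does.

    The NAT server has no IPSec key, so an ICV is left as it was; a plain
    checksum it can recompute from the packet alone.
    """
    out = dict(pkt, src=public_ip)
    if "csum" in out:
        out["csum"] = checksum16(_addr_bytes(out["src"], out["dst"]) + out["payload"])
    return out


def verify_ah(key, pkt):
    return hmac.compare_digest(pkt["icv"], ah_icv(key, pkt["src"], pkt["dst"], pkt["payload"]))


def verify_plain(pkt):
    return pkt["csum"] == checksum16(_addr_bytes(pkt["src"], pkt["dst"]) + pkt["payload"])


def demo():
    key = b"constructed shared key, not a real security association"   # constructed
    priv, peer, public = "192.168.0.20", "198.51.100.7", "203.0.113.10"  # constructed
    ah = build_ah_packet(key, priv, peer, b"order update")
    plain = build_plain_packet(priv, peer, b"order update")
    return {
        "ah_direct": verify_ah(key, ah),                              # peer on the same network: valid
        "ah_after_nat": verify_ah(key, nat_translate(ah, public)),   # through NAT: addresses changed, ICV fails
        "plain_after_nat": verify_plain(nat_translate(plain, public)),  # through NAT: checksum recomputed, valid
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>16}: {'valid' if ok else 'REJECTED'}")
```

The same reasoning applies to the other entries in the list for a different reason: LDAP, RPC and DCOM carry addresses and dynamically negotiated ports inside their payloads, which the Windows 2000 NAT server does not rewrite.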
Designing a Functional NAT Solution
Integrating NAT into the Existing Network
Selecting NAT Server Options
Discussion: Designing NAT Solutions
Your design decisions establish the essential aspects of your NAT solution and provide the foundation for your Internet connectivity design. You make these decisions by:
Determining the placement of the NAT server and the IP address, type of persistence, and data rate of each NAT server interface
Selecting the appropriate automatic IP address assignment and DNS name resolution feature options
Integrating NAT into the Existing Network
NAT Server Placement on the Private Network
Interface Address and Subnet Mask Selection
Interface Data Rate and Persistence Selection
NAT Server Placement on the Private Network
You need to place the NAT server between the network segments to localize network traffic and maintain security. The NAT server provided by Windows 2000 is appropriate for connecting the private network to public networks.
You must place the NAT server within the private network to:
Isolate the network traffic to the source, destination, and intermediary network segments
Create a screened subnet within the private network, thereby protecting confidential data
Exchange network packets between dissimilar network segments, such as between an Ethernet network segment and an Integrated Services Digital Network (ISDN) connection
Select the Interface Address and Subnet Mask
When selecting the NAT server interface address and subnet mask, remember that:
Each NAT server interface requires an IP address and subnet mask
The IP address assigned to a NAT interface must be within the range of addresses assigned to the network segment that is directly connected to the interface
The subnet mask assigned to a NAT server interface must match the subnet mask assigned to the network segment that is directly connected to the interface
Select the Interface Data Rate and Persistence
Each NAT server interface connects to a private or public network segment. These network segments can be persistent or non-persistent, and their data rates can vary considerably. You need to specify the data rate and persistence for each NAT server interface so that the NAT server can connect to the private and public network segments.
Interfaces that connect to private network segments
Private network segments are based on local area network (LAN) technologies, which are persistent interface connections. The data rate of the private network segment is determined by the LAN technology, for example 100 megabits per second (Mbps) for 100 Mbps Ethernet.
Interfaces that connect to public network segments
Public network segments are based on LAN and demand-dial technologies that can be persistent or non-persistent. Public network segments that appear to the NAT server as LAN interfaces are persistent, and the data rate is determined by the LAN technology.
Public network segments that appear as demand-dial interfaces are non-persistent, and the data rate is determined by the underlying technology; for example, a 56 Kbps dial-up modem connection supports a maximum data rate of 56 Kbps.
When the public network segments are based on LAN technologies, you can still include demand-dial interfaces, such as a VPN connection over a digital subscriber line (DSL) connection. Include a demand-dial interface in your solution when:
An exchange of credentials is required to perform authentication, such as VPN tunnel authentication
Charges, such as ISDN connection charges, accumulate while the connection is up
Selecting NAT Server Options
Automatic IP Address Assignment
DNS Name Resolution
[Slide diagram: the NAT server between the Internet and the private network, supplying automatic addressing to private network clients and forwarding name resolution requests to a DNS server]
In addition to providing network address translation, NAT provides automatic addressing and name resolution for private network clients. These NAT server options eliminate the need for additional Windows 2000–based servers to provide the same functions.
Automatic IP Address Assignment
The automatic IP address assignment feature in NAT supplies the IP configuration to any DHCP-compatible client on the private network. Include this feature in your solution when:
Client computers on the private network use DHCP for IP configuration
The private network consists of a single, nonrouted subnet
You must configure the NAT client computers on the private network to obtain their Transmission Control Protocol/Internet Protocol (TCP/IP) configuration automatically. When the computers on the private network start, the NAT server configures their TCP/IP options.
The following table lists the TCP/IP options and the associated settings that the NAT server configures on DHCP client computers.
This option | Is set to
[Table rows did not survive extraction; only the column headers and the fragment "addresses" remain]
If you enable the automatic IP addressing feature, ensure that DHCP servers do not also provide IP configuration for the private network; otherwise the DHCP servers and the NAT server would both attempt to configure the client computers.
DNS Name Resolution
The name resolution feature of NAT forwards DNS name resolution requests from clients on the private network to DNS servers across the Internet. Include this feature in your solution when:
Other private network servers do not provide DNS name resolution
The private network consists of a single, nonrouted subnet
Discussion: Designing NAT Solutions
[Map: the firm's offices in London (central sales office), Edinburgh, Glasgow, Dublin, Belfast, Birmingham, and Bristol]
As you create NAT designs, you need to translate information relating to the solution into design requirements. This discussion involves the design of basic NAT solutions. During the discussion, note any ideas presented by other students in the class that are relevant to the NAT solution.
The following scenario describes the current network configuration of a firm that represents electronic component manufacturers. Read the scenario and answer the questions. Be prepared to discuss your answers with the class.
Questions
1. The London central sales office is upgrading the order entry and order tracking system to a Web-based solution that uses distributed Microsoft SQL Server™ version 7.0 databases. The new order system requires the regional representatives to add an additional computer running Windows 2000 Advanced Server and SQL Server 7.0. The order entry system updates order information over the Internet in real time, so a permanent Internet connection is required. What solutions that use the NAT services in Windows 2000 could you recommend to the company?
2. The director of sales for the firm is evaluating contact management software for use by the regional representatives. The software would allow the regional representatives to manage customer contact information, and allow sales managers in the London central sales office to review activity on key customer accounts. The repository for the contact information is a SQL Server database in the London office. What impact would the selection of the contact management software have on your design?
Securing a NAT Solution
Restricting Internet Traffic by Using IP Filters
Allowing Access with Address Pools and Special Ports
Enhancing NAT Security with VPN
The default protection provided by NAT is adequate for private network resources that are not made available to Internet users. For Internet connectivity solutions that require restricted access to Internet sites, or controlled access from the Internet to private network resources, you need to incorporate the security features provided by NAT. To enhance the security of a NAT solution, consider:
Specifying Routing and Remote Access IP filters
Allowing access to private network resources by using address pools and special ports
Enhancing NAT security with VPN connections
Restricting Internet Traffic by Using IP Filters
Restrict by Using Routing and Remote Access IP Filters
Apply Filters to Internet or Private Network Interface
Filter All Traffic Based on IP Address and Protocol
[Slide diagram: outgoing traffic from the private network passing through the NAT server toward a central office and a Web server]
To restrict access to the Internet or to the private network, you can specify unique Routing and Remote Access IP filters for each NAT interface. These filters are based on an incoming or outgoing IP address range and protocol. You can add multiple filters to each NAT interface to create a combination of filters that addresses your security requirements. Routing and Remote Access IP filters provide stateless packet filtering similar to the packet filters of a basic firewall; because they do not track connection state, they are not a substitute for a stateful firewall where one is required.
You can specify Routing and Remote Access IP filters that restrict:
Internet-based user access to private network resources
Private network user access to Internet-based resources, such as partner networks or central offices
Restrict by Using Routing and Remote Access IP Filters
Routing and Remote Access filters restrict traffic at the network layer (layer three of the ISO OSI model) and affect all IP traffic received by a NAT interface. These filters specify which IP packets the NAT interface forwards or rejects.
Apply Filters to the Internet or Private Network Interface
You can apply Routing and Remote Access filters to the Internet or the private NAT interface. The following table lists the interface types and the reason for assigning a filter to each interface.
Create a filter on the | To restrict
Internet interface | Internet-based user access to private network resources
Private network interface | Private network user access to Internet-based resources
Filter All Traffic Based on IP Address and Protocol
You create Routing and Remote Access filters by specifying the source or destination IP address range and the protocol type of the packets to be filtered. You can base your filter design on any combination of the following:
Source IP address range
Destination IP address range
IP protocol number
For each NAT interface, you choose whether the interface accepts all packets except those that match one of its filters, or rejects all packets except those that match one of its filters; a packet that matches any filter in the list is handled according to that choice.
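The following added Python example (not Microsoft's code) evaluates filters of this kind: each interface and direction carries a list of rules matching on source range, destination range and IP protocol number, together with the accept-all-except or reject-all-except choice for that list. It models the two table rows above with a constructed NAT public address 203.0.113.10, a constructed partner network 198.51.100.0/24 and a constructed blocked range 192.0.2.0/24; the InterfaceFilter, Rule and evaluate names are hypothetical. Like the real filters, the decision is stateless: each packet is judged on its own header.

```python
import ipaddress
from dataclasses import dataclass

TCP, ICMP = 6, 1   # IP protocol numbers


@dataclass(frozen=True)
class Rule:
    """One filter entry: source range, destination range, IP protocol number (0 = any)."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: int = 0

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (0, pkt["proto"]))


@dataclass(frozen=True)
class InterfaceFilter:
    """Filter list for one interface and direction plus the per-list choice:
    'drop_except' rejects everything that matches no rule,
    'receive_except' accepts everything that matches no rule."""
    mode: str
    rules: tuple

    def permits(self, pkt):
        hit = any(rule.matches(pkt) for rule in self.rules)
        return hit if self.mode == "drop_except" else not hit


def evaluate(filters, interface, direction, pkt):
    """Stateless decision for one packet: True = forward, False = reject.
    An interface/direction with no filter list forwards everything."""
    flt = filters.get(interface, {}).get(direction)
    return True if flt is None else flt.permits(pkt)


def demo():
    """Constructed configuration and packets illustrating both table rows and both modes."""
    public_ip, partner_net, blocked_net = "203.0.113.10", "198.51.100.0/24", "192.0.2.0/24"
    filters = {
        "internet": {
            # Inbound on the Internet interface: reject all except TCP addressed to the NAT public address
            "in": InterfaceFilter("drop_except", (Rule(dst=public_ip + "/32", proto=TCP),)),
            # Outbound on the Internet interface: accept all except traffic to a blocked range
            "out": InterfaceFilter("receive_except", (Rule(dst=blocked_net),)),
        },
        "private": {
            # Inbound on the private interface (users heading out): reject all except the partner network
            "in": InterfaceFilter("drop_except", (Rule(dst=partner_net),)),
        },
    }
    cases = {
        "tcp_to_public_ip":     ("internet", "in",  {"src": "198.51.100.7", "dst": public_ip, "proto": TCP}),
        "icmp_to_public_ip":    ("internet", "in",  {"src": "198.51.100.7", "dst": public_ip, "proto": ICMP}),
        "user_to_partner":      ("private",  "in",  {"src": "192.168.0.20", "dst": "198.51.100.7", "proto": TCP}),
        "user_to_other_site":   ("private",  "in",  {"src": "192.168.0.20", "dst": "192.0.2.44", "proto": TCP}),
        "out_to_blocked_range": ("internet", "out", {"src": public_ip, "dst": "192.0.2.44", "proto": TCP}),
        "out_to_other":         ("internet", "out", {"src": public_ip, "dst": "198.51.100.7", "proto": TCP}),
    }
    return {name: evaluate(filters, iface, direction, pkt)
            for name, (iface, direction, pkt) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:>22}: {'forward' if allowed else 'reject'}")
```

Note that inbound filters on the Internet interface see the packet before translation, so they match on the NAT server's public address rather than on private addresses; which private host then receives a permitted packet is decided by the translation table and special ports, not by the filter.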