Sunday, December 21, 2014

How Proxy & NAT works ?

NAT is an acronym for "Network Address Translation." Traditionally NAT is done by routers and firewalls. On the vast majority of networks the IP addresses given to computers are not publicly routable. This means that computers which share a network can talk to each other directly; however to talk to the Internet their local IP addresses must be "translated," to a publicly routable address. Traditionally this is done by a router or firewall. The router/firewall has one or more publicly routable addresses, which the whole Internet can direct communications to. It also has a local address on the inside network, a network which it shares with its PCs and other devices. When a PC makes a request out to the Internet, it's directed to the router/firewall. The router/firewall changes the source IP address of the packets to its public IP address, notes the connection request in its memory, and sends them on their way on the Internet. When a response is received, the router looks up the connection in its memory, and this time changes the destination address from the public IP to the local IP of the machine which initiated communications. It then sends the packet on its way on the inside network. On Linux this is referred to as "source" NAT. Cisco calls it "dynamic" NAT.

When you have a server behind a firewall, "destination" or "static" NAT is performed. Connection requests come into public IP(s) on the firewall or router. The router/firewall looks in its memory and determines if the port is supposed to be NATed to an inside server. If it is, the router/firewall changes the destination address from the public IP it arrived with to the corresponding private IP of the corresponding server in its memory. It then sends the request onto the inside network. There is also 1:1 NAT, which Cisco refers to as a type of static NAT. In 1:1 static NAT, an IP on one interface is directly mapped to a corresponding IP on another. A good and properly configured firewall will still inspect and filter the traffic being translated. There are more complicated scenarios involving NAT, but these are the three most common and basic.

Note that NAT requires the traffic to be running through the router/firewall. It affects traffic as it moves from one routed interface to another. Applications are generally not aware that NAT is taking place, and there is no client side configuration.

There are several different kinds of proxy, each adapted for specific use cases.

Forward proxies are run by servers. To use one client applications must be configured to use the proxy. They are mostly used in two cases. The first is in the corporate world, where they can be used to cache and filter. When a properly configured client application wants to initiate communications, it makes the request to the proxy. The proxy can then determine whether the connection is allowed. This is part of why corporations use them, to enforce Internet access and data security policies. If the connection is allowed, the proxy server makes a connection to the requested resource and sends it to the client who requested it.

Forward proxies can also cache. So, and this was more true in the dial up days, if I have 100 workers who all browse to the same web page to perform their jobs, the proxy can download it once, and send the same copy to subsequent requesters. This would cut down on bandwidth. Another use of traditional forward proxies is to have your traffic appear to come from somewhere else. Remember, the proxy makes its own connection, from its own IP, to the destination resource, and marshals the communications back and forth. The proxy clients requests appear to come from the proxy itself, and not client. Forward proxies can be used across the Internet, even if the traffic wouldn't normally take that route. This also helps to differentiate them from NAT.

Transparent proxies are similar to forward proxies, but the client applications aren't aware of them. They are newer to the block than traditional forward proxies; as processors and RAM have gotten cheaper, the use of transparent and caching proxies on routers and firewalls instead of forward proxy servers is on the rise. The router/firewall sends all or some requests (generally HTTP requests,) passing through it to a software proxy application it's running, such as squid, before they are sent out on the Internet. This gives squid a chance to either deny the connection or serve it from its own cache. The upside to these is that you don't have to configure proxy server settings on individual PCs or through Group Policy.

A reverse proxy is used to load balance and protect inside web servers from outside hosts. So, if I'm running a website on an insecure platform, I can setup an Apache reverse proxy and use that to allow access from the Internet to my web servers. I can then setup Apache in a secure manner and protect my IIS servers. Cisco makes the ACE which allows high end switches and routers to run reverse proxies.

No comments:

Post a Comment