7.4. SAT
NetDefendOS can translate a single IP address, or entire ranges of IP addresses and/or port numbers. A range translation is a transposition: each address or port in the original range is mapped to the corresponding address or port in a new range, rather than every address or port being mapped to the same one. This functionality is known as Static Address Translation (SAT).
Note: Port forwarding
Some network equipment vendors use the term "port forwarding" when referring to
SAT. Both terms are referring to the same functionality.
SAT Requires Multiple IP Rules
Unlike NAT, SAT requires more than just a single IP rule to be defined. A SAT rule must first be
added to specify the address translation but NetDefendOS does not terminate the rule set lookup
after finding a matching SAT rule. Instead, the IP rule search continues for a matching Allow, NAT
or FwdFast rule. Only when it has found such a matching rule does NetDefendOS execute the
original SAT rule.
The SAT rule only defines the translation that is to take place. The second, associated IP rule must
exist to actually allow the traffic to traverse the firewall.
The Second Rule Must Trigger on the Untranslated Destination IP
An important principle to keep in mind when creating the IP rules for SAT is that the second rule,
for example an Allow rule, must trigger on the untranslated destination IP address. A common
mistake is to create a rule which triggers on the translated address given by the SAT rule.
For example, if a SAT rule translates the destination from 1.1.1.1 to 2.2.2.2 then the second
associated rule should allow traffic to pass to the destination 1.1.1.1 and not 2.2.2.2.
Only after the second rule triggers to allow the traffic, is the route lookup then done by
NetDefendOS on the translated address to work out which interface the packets should be sent from.
7.4.1. Translation of a Single IP Address (1:1)
The simplest form of SAT usage is translation of a single IP address. A very common scenario for
this is to enable external users to access a protected server in a DMZ that has a private address. This
is also sometimes referred to as implementing a Virtual IP or as a Virtual Server and is often used in
conjunction with a DMZ.
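The rule-set lookup described under "SAT Requires Multiple IP Rules" and "The Second Rule Must Trigger on the Untranslated Destination IP", modelled as a small Python program for the 1:1 scenario above (an external client reaching a DMZ web server through a public address). This is an added, constructed illustration and not NetDefendOS code; the public address 203.0.113.10, the DMZ server address 10.0.0.5, the client address, the interface names and the rule names are all assumptions. It shows the correct SAT/Allow pair next to the common mistake of an Allow rule written against the translated address.

```python
"""Model of the two-stage SAT rule lookup: a matching SAT rule only records a
translation; the packet is forwarded only if a later Allow/NAT/FwdFast rule
matches the UNTRANSLATED packet, after which the SAT translation is applied
and the route lookup is done on the translated destination.
Constructed example, not NetDefendOS code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_iface: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "SAT", "Allow", "NAT", "FwdFast" or "Drop"
    src_iface: str                # "any" matches every interface
    src_net: str                  # CIDR
    dst_net: str                  # CIDR
    dport: Optional[int] = None   # None matches any port
    sat_to: Optional[str] = None  # new destination IP (SAT rules only)

    def matches(self, p: Packet) -> bool:
        # Every rule, including the second one, is matched on the untranslated packet.
        return ((self.src_iface == "any" or self.src_iface == p.src_iface)
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))


def route(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over (cidr, interface) pairs; returns the egress interface."""
    best = None
    for cidr, iface in routes:
        net = ip_network(cidr)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def lookup(rules: List[Rule], pkt: Packet, routes: List[Tuple[str, str]]):
    """Return (verdict, packet as forwarded, egress interface)."""
    pending_sat = None
    for r in rules:
        if not r.matches(pkt):
            continue
        if r.action == "SAT":
            if pending_sat is None:      # first matching SAT rule wins...
                pending_sat = r          # ...but the search continues
            continue
        if r.action == "Drop":
            return ("Drop", pkt, None)
        # Allow/NAT/FwdFast matched: now execute the SAT rule, then route the result.
        out = pkt if pending_sat is None else replace(pkt, dst=pending_sat.sat_to)
        return (r.action, out, route(routes, out.dst))
    return ("Drop", pkt, None)           # no terminal rule matched: default drop


# Assumed topology (constructed): public address on wan, web server in the DMZ.
WAN_IP = "203.0.113.10"
DMZ_SERVER = "10.0.0.5"
ROUTES = [("10.0.0.0/24", "dmz"), ("192.168.1.0/24", "lan"), ("0.0.0.0/0", "wan")]
CLIENT = Packet(src_iface="wan", src="198.51.100.7", dst=WAN_IP, dport=80)

SAT_RULE = Rule("SAT_HTTP_to_DMZ", "SAT", "wan", "0.0.0.0/0", WAN_IP + "/32", 80,
                sat_to=DMZ_SERVER)


def demo_correct():
    """Second rule triggers on the untranslated destination (the public wan address)."""
    rules = [SAT_RULE,
             Rule("Allow_HTTP_to_DMZ", "Allow", "wan", "0.0.0.0/0", WAN_IP + "/32", 80)]
    verdict, out, iface = lookup(rules, CLIENT, ROUTES)
    return (verdict, out.dst, iface)


def demo_mistaken():
    """Second rule written against the translated address: it never matches, traffic is dropped."""
    rules = [SAT_RULE,
             Rule("Allow_HTTP_to_DMZ", "Allow", "wan", "0.0.0.0/0", DMZ_SERVER + "/32", 80)]
    verdict, out, iface = lookup(rules, CLIENT, ROUTES)
    return (verdict, out.dst, iface)


if __name__ == "__main__":
    print("correct :", demo_correct())   # ('Allow', '10.0.0.5', 'dmz')
    print("mistaken:", demo_mistaken())  # ('Drop', '203.0.113.10', None)
```

In the correct case the Allow rule matches the packet as it arrived, the SAT translation is then applied, and the route lookup on 10.0.0.5 selects the dmz interface. In the mistaken case the Allow rule's destination network is never seen by the lookup, so the SAT rule is never executed and the packet falls through to the default drop.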
The Role of a DMZ
At this point, it is relevant to discuss the role of the network known as the Demilitarized Zone
(DMZ) since SAT rules are often used in allowing DMZ access.
The DMZ's purpose is to have a network where the administrator can place those resources which
will be accessed by external, untrusted clients and where this access typically takes place across the
public Internet. These servers will have the maximum exposure to external threats and are therefore
at most risk of being compromised.
By isolating these servers in the DMZ, we are creating a distinct separation from the more sensitive
local, internal networks. This allows NetDefendOS to better control what traffic flows between the
DMZ and internal networks and to better isolate any security breaches that might occur in DMZ
servers.
Chapter 7. Address Translation