Chapter 1 – Introduction and Description
Multi-Tech RouteFinder RF650VPN User Guide
With these protection mechanisms in place, Internet connectivity remains available, but it is no longer
possible to identify individual machines from the outside.
By using Destination NAT (DNAT), it is still possible to place servers within the protected network/DMZ
and make them available for a certain service.
In the sample graphic above, a user with the IP 5.4.3.2, port 1111 sends a request to the web server in
the DMZ. Of course the user only knows the external IP (1.1.1.1, port 80). By using DNAT, the
RouteFinder now changes the external IP address to 10.10.10.99, port 80 and sends the request to the
web server. The web server then sends off the answer with its IP address (10.10.10.99, port 80) and the
IP of the user. The RouteFinder recognizes the packet by the user address and changes the internal IP
(10.10.10.99, port 80) into the external IP address (1.1.1.1, port 80).
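
The address rewriting described above, as an added example that is not from the user guide or the RouteFinder firmware: a simplified Python model of DNAT with a connection table, using the paragraph's addresses. The `DnatGateway` class, its method names, and the two extra packets (a reply with no prior request, a request to port 22) are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class DnatGateway:
    """Simplified model of destination NAT with a connection table (hypothetical)."""

    def __init__(self, rules):
        # DNAT rules: external (ip, port) -> internal (ip, port)
        self.rules = dict(rules)
        # Connection table: (client, internal server) -> external address the client used
        self.conntrack = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet: rewrite the destination if a rule matches."""
        internal = self.rules.get(pkt.dst)
        if internal is None:
            return None  # no DNAT rule for this address/port, so nothing is forwarded
        self.conntrack[(pkt.src, internal)] = pkt.dst
        return Packet(src=pkt.src, dst=internal)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the DMZ: matched by the user address, source rewritten back."""
        external = self.conntrack.get((pkt.dst, pkt.src))
        if external is None:
            return None  # not a reply to a tracked request, so no translation applies
        return Packet(src=external, dst=pkt.dst)

# Addresses taken from the paragraph above
USER = ("5.4.3.2", 1111)
EXTERNAL = ("1.1.1.1", 80)
WEB = ("10.10.10.99", 80)

def demo():
    gw = DnatGateway({EXTERNAL: WEB})
    request = gw.inbound(Packet(USER, EXTERNAL))         # user -> external IP
    reply = gw.outbound(Packet(WEB, USER))               # web server -> user
    stray = gw.outbound(Packet(WEB, ("9.9.9.9", 2222)))  # constructed: no prior request
    closed = gw.inbound(Packet(USER, ("1.1.1.1", 22)))   # constructed: port without a rule
    return request, reply, stray, closed

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The user only ever sees 1.1.1.1:80 as the peer address, and only ports with an explicit rule reach the DMZ in this model.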
To satisfy the needs of today’s business world, the IT infrastructure must offer real-time communication and
cooperate closely with business partners, consultants and branches. Increasingly, the demand for real-time
capability is leading to the creation of so-called extranets, which operate either:
· via dedicated lines, or
· unencrypted via the Internet
Each of these methods has advantages and disadvantages, as there is a conflict between the resulting
costs and the security requirements.
Virtual Private Networking (VPN) establishes secure (i.e., encrypted) connections via the Internet, an
important function especially if your organization operates at several locations that have Internet
connections. These secure connections use the IPSec standard, derived from the IP protocol IPv6.
ISO Layers and TCP/IP
Once set up, this encrypted connection is used automatically (i.e., without extra configurations or
passwords at the client systems) regardless of the type of data that is to be transferred, so as to protect
the content during the transport. At the other end of the connection, the transferred data is transparently
decoded and is available for the recipient in its original form.
The RF650VPN uses a hybrid of the above listed basic forms of firewalls and combines the advantages of
both variations: the stateful inspection packet filter functionality offers platform-independent flexibility, and
the ability to define, enable or disable all necessary services.
Existing proxies make the RouteFinder an application gateway that secures vital client system services,
such as HTTP, Mail and DNS by using proxying. It also enables generic circuit-level proxying via SOCKS.
VPN, Source NAT, Destination NAT, masquerading and the ability to define static routes make the
dedicated firewall an efficient distribution and checkpoint in your network.