Hello and welcome to Security Management 201. I'm Professor Wool, and today we're going to be talking about NAT considerations when managing your security policy.

Let's look at a typical simple example. Suppose in your organization you have three firewalls: firewall one, firewall two and firewall three. A particular business owner made a change request because they're powering up a new application and they need to allow traffic from 1.1.1.1 to 3.3.3.3 using the HTTP service. Now you have to configure the security policies on the firewalls to allow that traffic through. Well, you look at your network diagram and you figure out that 1.1.1.1 is over here in the green network and 3.3.3.3 is over there in the blue network, so you need to touch firewall one and you need to touch firewall three, and basically you need to write the rule as requested by the application owner to allow the requested traffic. And that's all fine
if there is no address translation going on. But if there is NAT going on in your environment, then things get a little more complex.

So let's imagine one of the simplest scenarios: firewall one is configured to do source NATing. It's hiding the whole subnet of 1.1.1.0 behind one particular IP address, let's say 10.1.1.1. So any traffic that comes from the green subnet, as it exits firewall one, has its source IP address translated to 10.1.1.1. If that's the case, then you cannot write the rule on the downstream firewall, in this case firewall three, as requested, because when the traffic reaches firewall three it's going to have the translated IP address in the source. So you have to write the translated address in the source of the rule in firewall three, like this: 10.1.1.1 to 3.3.3.3, allow HTTP. Then the traffic will go through firewall one, will be allowed by the security policy, and the green firewall will translate the source to the intermediate address of 10.1.1.1, and firewall three, seeing the translated traffic, will allow that through as well in its access policy. OK, so far so good.
What happens, though, if instead of this simple source NATing you have a destination NAT going on? So maybe, instead of this type of address translation, you have a rule on firewall one that says: if the destination belongs to 3.3.3.0/24, then do a static NAT and translate that to 2.2.2.0/24. So this firewall is actually translating the whole subnet of 3.3.3.0, mapping it one-to-one, to the subnet 2.2.2.0/24. If that's the case, two things happen. First of all, the path that you considered in the first example, going through firewall one and then through firewall three, is no longer correct, because as the traffic goes through firewall one the destination changes to 2.2.2.3, and then the flow of the traffic is really this way, and it's going to hit the server in the red network over there. So understanding the NAT policy on firewall one really determines the path that the traffic will take through the network, and it really determines which firewalls you need to modify: you no longer have to modify firewall three, you have to modify firewall two. In addition to that, the security policy that you have to put in the red firewall, firewall two, is going to show the source being 1.1.1.1 and the destination being this red server over here, 2.2.2.2,
whereas the security policy on firewall one is still going to show the destination as requested by the business owner. Now, the business owner doesn't necessarily know that all of this is happening, so they might even complicate matters further and make their original request using the address 2.2.2.2 to begin with. They might not know that there is NATing going on, and they might request the traffic according to the public IP address of the red server. If this happens, the networking team really has to do a reverse translation: take the destination as provided in the request, realize that this is a post-NAT address, and somehow identify what the pre-NAT address for it should have been, so recognizing 3.3.3.3, to allow them to write the policy on the first firewall using the pre-NAT address and then the security policy on the second firewall using the post-NAT address.

So, to summarize, what you really need to take away from this lesson is that you need to understand the NAT policy in your organization, first of all, to identify the paths through the network and which firewalls you need to modify to allow a particular change request, and also you need to understand the NAT policy in your organization to be able to actually write the security policy rules on the relevant firewalls correctly. And if you're going to use an automated system to help you manage this complexity, you need to make sure that your solution understands the NATing as well, so that it gives you accurate recommendations. Thank you for your attention.
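The three situations in the lesson (hide NAT on firewall one, static destination NAT on firewall one, and a request that quotes the post-NAT address) worked through as an added Python model; this is example code written for this page, not anything from the lecture or from a product. The topology, the route table keyed on the post-NAT destination, and the 1:1 mapping that sends 3.3.3.3 to 2.2.2.3 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology following the lesson: the green network is behind
# firewall one (fw1), the blue network behind fw3 and the red network
# behind fw2.  The route table is keyed on the *post-NAT* destination,
# because fw1 rewrites the packet before it is forwarded (assumption).
ROUTES = {ip_network("3.3.3.0/24"): "fw3", ip_network("2.2.2.0/24"): "fw2"}


def apply_nat(nat, src, dst):
    """Rewrite (src, dst) through one firewall's NAT policy.
    nat["hide_src"]: source subnet -> single hide address (source NAT).
    nat["static_dst"]: destination subnet -> subnet, mapped 1:1 so the
    host part is kept (3.3.3.3 becomes 2.2.2.3)."""
    for net, hide in nat.get("hide_src", {}).items():
        if src in ip_network(net):
            src = ip_address(hide)
    for net, target in nat.get("static_dst", {}).items():
        pre, post = ip_network(net), ip_network(target)
        if dst in pre:
            dst = post[int(dst) - int(pre.network_address)]
    return src, dst


def reverse_dst(nat, post_dst):
    """Undo static destination NAT: given the post-NAT (real server)
    address a requester quoted, recover the pre-NAT address that must
    appear in the rule on the NATing firewall."""
    post_dst = ip_address(post_dst)
    for net, target in nat.get("static_dst", {}).items():
        pre, post = ip_network(net), ip_network(target)
        if post_dst in post:
            return pre[int(post_dst) - int(post.network_address)]
    return post_dst


def required_rules(fw1_nat, src, dst, service="http"):
    """Return (firewall, src, dst, service) rules, hop by hop, for one
    change request: fw1 gets pre-NAT addresses, and the next firewall is
    chosen by where the *translated* packet routes and sees only that."""
    src = ip_address(src)
    pre_dst = reverse_dst(fw1_nat, dst)          # tolerate post-NAT requests
    rules = [("fw1", str(src), str(pre_dst), service)]
    src2, dst2 = apply_nat(fw1_nat, src, pre_dst)
    next_fw = next((fw for net, fw in ROUTES.items() if dst2 in net), None)
    if next_fw is None:
        raise ValueError(f"no route for translated destination {dst2}")
    rules.append((next_fw, str(src2), str(dst2), service))
    return rules
```

Calling `required_rules` with only a hide NAT on fw1 yields the firewall-three rule with the 10.1.1.1 source, while the static destination NAT redirects the second rule to fw2 with the 2.2.2.x destination whether the request named 3.3.3.3 or 2.2.2.3.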