Real World Port Filtering

Web servers communicate with clients using the Hypertext Transfer Protocol (HTTP), and HTTP uses port number 80. If you create a port filter on your network stopping all traffic addressed to port 80, your computers can't send HTTP requests to Web servers and therefore can't access Web sites. Port filtering does not prevent the user from actually running the Web browser, but it does prevent the browser from communicating with servers on the Internet.

To create packet filters, you use a firewall or a router with packet filtering capabilities. If you use a computer running Windows Server 2003 as the router connecting your network to your ISP, you can create packet filters in the RRAS module.

Limiting Users

In most organizations with Internet connections, there are different types of users who require varying degrees of Internet access to perform their jobs. In your own Internet access plan, you might want to provide all the network’s users with e-mail capabilities but restrict Web browsing to a certain group of users and FTP capabilities to still another group.

There are two methods you can use to provide different levels of Internet access for individual users. The first is to use packet filtering. In addition to filtering packets based on port numbers, you can filter them based on IP addresses. By combining these two filter types, you can specify the ports that each computer on the network is permitted to use.
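The following is an added example, not code from the book or from the RRAS packet-filtering module: a small first-match packet filter that combines port-number and IP-address criteria, so that one group of addresses may browse the Web, one host may use FTP, and everyone may use mail. All addresses, rule names and the policy itself are constructed for illustration.

```python
"""Added example: a first-match packet filter that combines port-number and
IP-address criteria. Rules and addresses are constructed for illustration and
do not come from any real network or from RRAS."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address of the outbound packet
    dst: str        # destination IP address on the Internet
    dst_port: int   # destination port, e.g. 80 for HTTP
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: Optional[str] = None       # single address or CIDR block; None matches any source
    dst_port: Optional[int] = None  # None matches any destination port
    proto: Optional[str] = None     # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default when none matches.
    With deny-by-default, a service is reachable only if some rule explicitly allows it."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy: everyone may send mail (SMTP, port 25) and fetch it (POP3, port 110),
# only the 192.168.1.0/28 group may browse the Web (80, 443), and only one host may use FTP (21).
POLICY = [
    Rule("allow", dst_port=25, proto="tcp"),
    Rule("allow", dst_port=110, proto="tcp"),
    Rule("allow", src="192.168.1.0/28", dst_port=80, proto="tcp"),
    Rule("allow", src="192.168.1.0/28", dst_port=443, proto="tcp"),
    Rule("allow", src="192.168.1.50", dst_port=21, proto="tcp"),
]


def evaluate_samples() -> dict:
    """Run a few constructed packets through POLICY and return {label: action}."""
    samples = {
        "web_group_http": Packet("192.168.1.5", "203.0.113.10", 80),
        "other_host_http": Packet("192.168.1.100", "203.0.113.10", 80),
        "other_host_smtp": Packet("192.168.1.100", "203.0.113.20", 25),
        "ftp_host_ftp": Packet("192.168.1.50", "203.0.113.30", 21),
        "web_group_ftp": Packet("192.168.1.5", "203.0.113.30", 21),
    }
    return {label: filter_packet(POLICY, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, action in evaluate_samples().items():
        print(f"{label:18} -> {action}")
```

Because the filter is deny-by-default, adding a user to the Web-browsing group means editing an address range in the policy rather than adding a rule per user, which is the administrative burden the Tip below refers to: every exception still has to be expressed as an address/port pair.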

Tip Regulating Internet access using packet filtering can be time consuming for network administrators.

The second method is to use a software product that recognizes users and enables you to grant them access to specific Internet services. Proxy server products, such as Microsoft Internet Security and Acceleration (ISA) Server 2000, include features like these as well as other capabilities.

Regulating Internet Access

As mentioned earlier, network security hazards can originate from internal sources as well as external ones. Your own network users might not cause as much damage as Internet intruders can by introducing viruses or wantonly deleting files, but they can still hamper network operations by monopolizing Internet bandwidth or lower productivity by spending too much time on personal Internet activities.

For these reasons, many network administrators impose restrictions on Internet use, such as specifying sites that users can access, limiting the hours during which users can access the Internet, and limiting the amount of bandwidth they can use. These features are also included in proxy server products.

Using NAT

NAT is a primary method enabling computers with unregistered IP addresses to access the Internet. As described in Chapter 2, "Planning a TCP/IP Network Infrastructure," NAT functions as an intermediary between a client computer on an unregistered network and the Internet. For each packet generated by a client, the NAT implementation substitutes a registered address for the client's unregistered address.

Following are three basic types of NAT:

Static NAT Static NAT translates a number of unregistered IP addresses to an equal number of registered addresses (see Figure 3-4) so that each client always uses the same registered address. This type of NAT does not conserve the IP address space because you need the same number of registered addresses as unregistered addresses. Static NAT is also not as secure as the other NAT types because each computer is permanently associated with a particular registered address, which makes it easier for Internet intruders to direct traffic to a particular computer on your network using that registered address.

[Figure: a NAT router with unregistered IP addresses on the private network side and registered IP addresses on the Internet side]

Figure 3-4 Static NAT

Dynamic NAT Dynamic NAT is intended for circumstances in which you have fewer registered IP addresses than unregistered computers (see Figure 3-5). Dynamic NAT translates each unregistered computer to one of the registered addresses. Intruders on the Internet are less able to associate a registered address with a particular computer (as in static NAT) because the registered address assigned to each client changes frequently. The main drawback of dynamic NAT is that it can support only the same number of simultaneous users as you have registered IP addresses available. If all the registered addresses are in use, a client attempting to access the Internet receives an error message.

[Figure: a NAT router with unregistered IP addresses on the private network side and a pool of registered IP addresses on the Internet side]

Figure 3-5 Dynamic NAT

Masquerading Masquerading translates all the unregistered IP addresses on your network using a single registered IP address (see Figure 3-6). To enable multiple clients to access the Internet simultaneously, the NAT router uses port numbers to differentiate between packets generated by and destined to different computers. Masquerading provides the best security of the NAT types because the association between the unregistered client and the registered IP address/ port number combination in the NAT router lasts only for the duration of a single connection.

[Figure: a NAT router with unregistered IP addresses on the private network side and a single registered IP address plus port number on the Internet side]

Figure 3-6 Masquerading NAT

NAT Security

Most NAT implementations today rely on the masquerading technique because it minimizes the number of registered IP addresses needed and it maximizes the security provided by NAT. Note, however, that NAT by itself, even using masquerading, is not a true firewall and does not provide ironclad security for high-risk situations. NAT effectively blocks unsolicited requests and other probes from the Internet, meaning that it thwarts intruders searching for unprotected file shares and private Web or FTP servers. However, NAT does not prevent users on the Internet from launching directed denial of service attacks against specific computers on the private network or from using other, more complex tactics to compromise your network.
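To make the three NAT types and the NAT Security point above concrete, here is an added simulation (not code from the book or from Windows Server 2003) of the translation tables each type keeps. It shows the fixed mapping of static NAT, the pool exhaustion error of dynamic NAT, and how masquerading tells clients apart by port number and drops an inbound packet for which no mapping exists. All addresses are constructed sample values from the RFC 5737 documentation ranges; the class and method names are my own.

```python
"""Added example: simulated translation tables for static, dynamic and
masquerading NAT. Addresses are constructed sample values, not a real network."""
from itertools import count
from typing import Dict, List, Optional, Tuple


class NoAddressAvailable(Exception):
    """Raised when a dynamic NAT pool has no free registered address left."""


class StaticNAT:
    """One-to-one: each unregistered address is permanently tied to one registered address."""

    def __init__(self, pairs: Dict[str, str]):
        self.out_map = dict(pairs)
        self.in_map = {reg: priv for priv, reg in pairs.items()}

    def outbound(self, private_ip: str) -> str:
        return self.out_map[private_ip]

    def inbound(self, registered_ip: str) -> Optional[str]:
        # The same internal host answers at the same registered address every time,
        # which is why the text rates static NAT as the least secure of the three.
        return self.in_map.get(registered_ip)


class DynamicNAT:
    """Pool-based: a registered address is leased to a client only while it is active."""

    def __init__(self, pool: List[str]):
        self.free = list(pool)
        self.leases: Dict[str, str] = {}

    def outbound(self, private_ip: str) -> str:
        if private_ip in self.leases:
            return self.leases[private_ip]
        if not self.free:
            # This is the "error message" the text describes when the pool is exhausted.
            raise NoAddressAvailable(f"no registered address left for {private_ip}")
        reg = self.free.pop(0)
        self.leases[private_ip] = reg
        return reg

    def release(self, private_ip: str) -> None:
        self.free.append(self.leases.pop(private_ip))


class MasqueradingNAT:
    """Many-to-one: a single registered address, with port numbers telling clients apart."""

    def __init__(self, registered_ip: str, first_port: int = 40000):
        self.registered_ip = registered_ip
        self.ports = count(first_port)
        self.table: Dict[int, Tuple[str, int]] = {}     # ext port -> (private ip, private port)
        self.reverse: Dict[Tuple[str, int], int] = {}   # (private ip, private port) -> ext port

    def outbound(self, private_ip: str, private_port: int) -> Tuple[str, int]:
        key = (private_ip, private_port)
        if key not in self.reverse:
            ext_port = next(self.ports)
            self.reverse[key] = ext_port
            self.table[ext_port] = key
        return self.registered_ip, self.reverse[key]

    def inbound(self, ext_port: int) -> Optional[Tuple[str, int]]:
        # Only replies to an existing mapping are forwarded. An unsolicited probe to a
        # port with no mapping has no internal destination and is dropped (None).
        return self.table.get(ext_port)

    def close(self, private_ip: str, private_port: int) -> None:
        # The mapping lasts only for the connection; removing it ends inbound reachability.
        del self.table[self.reverse.pop((private_ip, private_port))]


if __name__ == "__main__":
    nat = MasqueradingNAT("203.0.113.1")
    print(nat.outbound("10.0.0.5", 51000))   # ('203.0.113.1', 40000)
    print(nat.outbound("10.0.0.6", 51000))   # ('203.0.113.1', 40001)
    print(nat.inbound(40000))                # ('10.0.0.5', 51000)
    print(nat.inbound(40002))                # None: unsolicited, dropped
```

Note what the masquerading table does and does not protect: an inbound packet is dropped only because no mapping exists for it. A flood aimed at the registered address still consumes the router's bandwidth and connection-tracking state, which is the sense in which NAT is not a firewall.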

Off the Record Under normal conditions, client computers are not often subject to threats like these, so a NAT server and a good anti-virus program (kept current with frequent virus signature updates) are usually sufficient. However, Internet servers and other high-traffic computers are more likely to be targeted by intruders and generally require more comprehensive firewall protection.