The NAT gateway firewall function you must know

Abstract: The state-based SNAT function of a NAT gateway can provide security protection for internal servers. Used correctly, a NAT gateway helps build a more secure cloud network.

Firewall Literacy

    Before I learned networking, I thought a firewall was literally a wall that stops fire. More than ten years ago, many people asked how much a firewall cost per square meter.


    But now everyone knows that a firewall is used to keep hackers out: it is the boundary between the internal network and the external network, it protects the internal servers and network, and it is an information security protection system.


Image credit: https://www.tunnelsup.com/what-is-a-firewall/

    A firewall has several of the most important characteristics:

    1. It is deployed between the internal network and the external network. This is much like the firewall of a building, which is why it is called a firewall.

    2. It provides state-based security protection. This description is very professional and best captures the nature of the firewall. The first firewalls were packet-filtering firewalls implemented with the router's access control list (ACL); they gradually developed and evolved into state-based firewalls. "State" simply means that the firewall maintains a connection state keyed by the 5-tuple of source IP, destination IP, source port, destination port, and protocol, and only packets that match a connection session already established on the firewall are released; anything else is discarded. This is a very strong defensive capability.

    A firewall is generally a security-hardening product, and a network can run without one. Just as a residential community without access control and security guards can still function normally, it also means the bad guys can come and go at will, and the security risk is very high. Therefore, users above a certain scale will generally consider deploying firewalls.

Firewall function of NAT gateway

    In the VPC network, there is an enterprise-level product called the NAT gateway. The NAT gateway has two important functions, SNAT and DNAT. SNAT is in fact a state-based security protection function that can serve as a simple firewall.


    After the NAT gateway is deployed, if external device 3 tries to actively access internal server 1, the NAT gateway rejects external device 3's request and discards the packet, because external device 3's public IP 3.3.3.3 does not exist in the NAT gateway's SNAT state table.

    But internal server 1 can actively access external device 2. When the first packet of internal server 1's outbound access reaches the NAT gateway, the NAT gateway records the session state. Suppose internal server 1 accesses port 80 of external server 2 from port 80; the NAT gateway records the 5-tuple and keeps that state information. Afterwards, if external server 2 accesses port 80 of internal server 1 from port 80, the NAT gateway accepts the request and forwards the packet to the internal server. But if external server 2 accesses port 80 of internal server 1 from port 8080, that request is also dropped, because the SNAT state table has no connection state for that 5-tuple.

    The above describes a typical state-based security protection function: external users or devices are not allowed to actively access internal servers. Only after an internal server has actively accessed an external server and a connection state has been established can the external server communicate with the internal server.

    So in practice a NAT gateway can be used as a simple firewall: the backend servers can be hidden behind the NAT gateway, where they cannot be scanned by hackers and are not easily attacked.

Best Practice

    Here is an example of a best practice. Many online payment systems deployed in the cloud call Alipay's payment API. The security requirements of an online payment system are generally very high: it must not be easily scanned or attacked by hackers. In this scenario, users choose to deploy a NAT gateway in the VPC network. When the online payment system needs to call the Alipay payment API, it reaches the public network through the NAT gateway, and the NAT gateway records the state information of the call request. The NAT gateway then checks every IP packet it receives: only when the packet's 5-tuple (source IP, source port, destination IP, destination port, protocol type) matches a connection entry in the SNAT state table does the NAT gateway forward the packet to the internal payment system; otherwise the received packet is discarded.
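The SNAT state table behaviour described in the two sections above, written out as an added Python model (this is example code, not the NAT gateway's implementation). All addresses are constructed: 1.1.1.1 is assumed to be the gateway's public IP, 10.0.0.1 the internal server, 2.2.2.2 and 3.3.3.3 the external servers 2 and 3.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


class SnatGateway:
    """Minimal model of the stateful SNAT table the article describes."""

    def __init__(self, public_ip, first_dynamic_port=40000):
        self.public_ip = public_ip
        self._next_port = first_dynamic_port
        # key: public-side 5-tuple (pub_ip, pub_port, remote_ip, remote_port, proto)
        # value: the internal (ip, port) that opened the session
        self.state = {}

    def _allocate_port(self, wanted, remote_ip, remote_port, proto):
        # Keep the internal source port when it is still free on the public side.
        if (self.public_ip, wanted, remote_ip, remote_port, proto) not in self.state:
            return wanted
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, pkt):
        """Internal -> external: record the session and rewrite the source."""
        pub_port = self._allocate_port(pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        self.state[(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """External -> internal: forward only replies that match a recorded 5-tuple; None means dropped."""
        entry = self.state.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if entry is None:
            return None  # no session in the SNAT table: the gateway discards the packet
        int_ip, int_port = entry
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)


def demo():
    gw = SnatGateway("1.1.1.1")
    out = gw.outbound(Packet("10.0.0.1", 80, "2.2.2.2", 80, "tcp"))  # server 1 -> server 2:80
    reply = gw.inbound(Packet("2.2.2.2", 80, out.src_ip, out.src_port, "tcp"))       # forwarded
    wrong_port = gw.inbound(Packet("2.2.2.2", 8080, out.src_ip, out.src_port, "tcp"))  # dropped
    unsolicited = gw.inbound(Packet("3.3.3.3", 443, "1.1.1.1", 80, "tcp"))            # dropped
    return {"reply": reply, "wrong_port": wrong_port, "unsolicited": unsolicited}
```

A real gateway also ages out idle entries and tracks TCP state, and the 5-tuple match never inspects payloads, so any service you expose through DNAT still needs its own protection.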

Original link: https://yq.aliyun.com/articles/204556?spm=5176.100244.teamhomeleft.37.udfZ2M
