Let's use a metaphor to help you visualize this. Imagine that you are a freight forwarder in the US working with Chinese clients. They have a lot of customers in the US to ship items to, but for customs and administrative purposes it's simpler to send everything to one location. So a package arrives from one of your clients in China (the private network, in this example) with a genuine destination somewhere in the US (the internet). You relabel the box with the US (public) destination address and your own public address as the return address (since it can't be sent back to China without upsetting the customer), and hand it to the postal service.
If the customer returns the merchandise, it comes to you. So that the client can send a replacement back through you, you look up in your records which company in China it originated from, change the destination to that company and the return address to your private address, and send it on.
This works very well, but there is a small issue. What happens if a customer needs to send something to the business, say a money order as payment for something? Or, in network terms, suppose a computer on the internet sends a SYN request to the router intended for a web server located inside the private network.
The only address on the letter or packet is the router's public one, so the router genuinely has no idea where to send it! Any machine on the private network might be the intended recipient, or none of them. It is like a household's home phone: when someone in the house calls you there is no issue, but when you call them there is no way for whoever picks up to know who the call is for, so the wrong person may answer.
While humans can sort this out fairly easily, computers have a much harder time since not every computer on your network is aware of every other machine.
Finally, we arrive at port forwarding.
The solution to this issue is port forwarding, which allows you to instruct your router as to which computer inside the network inbound connections should be forwarded to. There are three ways we can accomplish this:
Faux-DMZ: Many routers offer a DMZ feature. The term stands for demilitarized zone, a type of network security arrangement. The DMZ on home routers is often called a faux-DMZ because it lacks the characteristics of a true DMZ: it only does the most basic kind of incoming connection management, which is to send all incoming connection requests to one specific network node. You simply enter an IP address in your router's setup, and all incoming connections are routed to that address. However, you may have several computers that must accept incoming connections, so this isn't always sufficient. For that, there is the next option.
Port forwarding: Whenever a network connection request is made, a "port" is included. The port is merely a number that a computer uses to identify packets. IANA has assigned port 80 to HTTP, which means that every incoming packet specifying port 80 is a request for a web server. Your router's port forwarding feature lets you enter an IP address and a port number (or, depending on the router, a range or combination of numbers). All incoming connections with the matching port number will be sent to the internal computer with that address.
UPnP port forwarding: UPnP forwarding functions exactly the same as port forwarding, except rather than requiring user configuration, software on a networked computer automatically instructs the router to forward traffic on a certain port to that computer.
An example
Let's look at a usage example. With many multiplayer video games (Counter-Strike, for instance), you can run a game server on your computer that other players connect to so they can play with you. Your computer can't connect to the people who want to play on it, since it doesn't know who they are; instead, they must send new connection requests to your computer over the internet.
Without any configuration, the router would receive these connection requests and simply disregard them (or, more precisely, it would send back a packet indicating that it can't connect) because it wouldn't know which computer in the network was the game server. Fortunately, you know the port that the game server's connection requests will use. Therefore, you configure a port forward on the router using the IP address of the machine hosting the game server (for example, 192.168.1.105) and the port number that the game server expects (for example, 27015).
Computers outside the network will be able to connect because the router will know to send incoming connection requests to 192.168.1.105 inside the network.
Another illustration would be a local network of two computers with an Apache website being hosted by the computer with IP address 192.168.1.10. Incoming port 80 requests should be forwarded to this machine by the router as a result. Both machines can operate simultaneously on the same network by using port forwarding.
The most frequent usage of port forwarding for regular users may be in video games, but most current games employ UPnP, making it totally automatic rather than requiring manual action. But every time you want to be able to connect directly to something on your network, you'll need to do this (rather than through some intermediary on the internet). This could involve managing your own web server or logging into one of your machines using the Remote Desktop Protocol.
A note on security
One of NAT's nice features is the ease with which it provides some built-in security. Many people scan the internet for vulnerable computers, and they do this by attempting to open connections to various ports. Since these are incoming connections, the router will drop them, as mentioned before. This means that in a NAT arrangement only the router itself is exposed to attacks involving inbound connections. That is advantageous, because the router is far less complex than a computer running a full operating system and many applications, and therefore less likely to be vulnerable.
So be aware that DMZing a computer inside your network (designating it as the DMZ destination) removes that layer of protection from that computer. It is now completely open to incoming connections from the internet, so you must secure it as though it were directly connected. Likewise, if a port is forwarded, the computer on the receiving end becomes exposed on that particular port. So make sure the software on it is up to date and properly configured.
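To make the mechanics concrete, here is an added toy model of the router described above (my own illustration, not code from the original post): the outbound relabelling from the freight-forwarder metaphor, the records lookup for replies, and the three possible outcomes for an unsolicited inbound connection (port forward, faux-DMZ, drop). It uses the page's inside addresses 192.168.1.105:27015 and 192.168.1.10:80; the router's public address and the outside hosts are constructed from documentation ranges, and the RDP probe on port 3389 shows what the security note means by a forwarded port versus a DMZ host.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """Toy model of a home router: outbound NAT table, static port forwards, optional faux-DMZ."""
    public_ip: str = "203.0.113.7"                                        # constructed documentation address
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)    # public port -> inside (ip, port)
    dmz_host: Optional[str] = None                                        # faux-DMZ target, if configured
    sessions: Dict[int, Tuple[str, int]] = field(default_factory=dict)    # public port -> inside client
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Freight-forwarder step: relabel with our public address and record who sent it."""
        pub_port, self.next_port = self.next_port, self.next_port + 1     # one entry per flow (no reuse)
        self.sessions[pub_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the internet, or return None when the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.sessions:            # reply to a connection we opened: look it up
            ip, port = self.sessions[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        if pkt.dst_port in self.forwards:            # unsolicited, but a port forward says where it goes
            ip, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        if self.dmz_host is not None:                # faux-DMZ: every other port lands on one host
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None                                  # no idea which inside machine wants it: drop


def demo() -> dict:
    """Walk through the page's examples; returns where each inbound packet ended up (None = dropped)."""
    r = NatRouter(forwards={27015: ("192.168.1.105", 27015), 80: ("192.168.1.10", 80)})
    server, scanner = "198.51.100.20", "198.51.100.9"                    # constructed outside addresses
    out = r.outbound(Packet("192.168.1.20", 51000, server, 443))          # inside client browses out
    reply = r.inbound(Packet(server, 443, r.public_ip, out.src_port))     # server's reply finds its way back
    game = r.inbound(Packet(scanner, 5555, r.public_ip, 27015))           # forwarded game port
    web = r.inbound(Packet(scanner, 5556, r.public_ip, 80))               # forwarded web port
    probe = r.inbound(Packet(scanner, 5557, r.public_ip, 3389))           # RDP probe: not forwarded, dropped
    r.dmz_host = "192.168.1.10"
    dmz = r.inbound(Packet(scanner, 5557, r.public_ip, 3389))             # same probe once a DMZ host is set
    return {"reply": reply, "game": game, "web": web, "probe": probe, "dmz": dmz}
```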