穿越防火墙技术 转载
穿越防火墙技术报告者:刘智汉
指导老师:连耀南 教授
References
NAT Traversal for VOIP, Ai-Chun Pang
solving the Firewall and NAT Traversal Issues for Multimedia over IP Service, http://www.newport-networks.com/
SearchTekTarget.com
In this talk we will talk about
什麼是防火墙/NAT
为什麼要使用防火墙/NAT
防火墙/NAT的种类
现有穿越防火墙/NAT技术介绍
结论
防火墙简介及其功能
企业网路对外的控管设备
主要功能:
存取控管 (Access Control)
身份识别 (Authentication)
安全稽核
为甚麼要使用防火墙
现有的 IPV4 已经不敷使用
新IP的取得不容易
节省成本
安全考量
便於控管
企业多使用NAT的方式让私有网域能够上网
常见NAT种类
Full Cone
Restricted Cone
Port Restricted Cone
Symmetric NAT
Full Cone
Restricted Cone(1/2)
Restricted Cone(2/2)
Port Restricted Cone
Symmetric NAT(1/2)
NAT 中最为严谨
只允许先由私有网域内的使用者发送封包到网际网路中的使用者可以回传封包
随著网路安全的要求越来越高,使用此种NAT有越来越多的趋势
Symmetric NAT(2/2)
防火墙造成的问题
NAT 造成的问题
防火墙穿越技术介绍
IPV6(Internet Protocol Version 6)
UPnP(Universal Plug and Play)
TRUN(Traversal Using Relay NAT)
ALG(Application Layer Gatewqy)
ICE(Interactive Connectivity Establish)
STUN(Simple Traversal of UDP Through Netwoek Address Translators)-RFC 3489
UPnP
Universal Plug and Play
Its being pushed by Microsoft
A UPnP-aware client can ask the UPnP-enabled NAT how it would map a particular IP:port through UPnP
UPnP Operation
STUN(1/2)
Simple Traversal of UDP Through Network Address Translators
需要在NAT外部架设 STUN Server
Client 端需有特殊的 STUN Client 功能
无法穿透 symmetric NAT
未来会被ICE所整合
STUN(2/2)
TURN(1/2)
Traversal Using Relay NAT
主要是为了解决 symmetric NATs
必须要架设 TURN Server
未来也会被包含进 ICE
TURN(2/2)
ALG(1/2)
Application Layer gateway
It Understands the signalling messages and their relationship with the resulting media flows.
It can modify the signalling to reflect the public IP address and ports being used by singalling and media traffic.
ALG(2/2)
ICE
Interactive Connectivity Establishment
非 protocol 而是 framework
主要技术是:STUN, TRUN, SIP
目前仍在草案讨论阶段
结论
All IP Network 是未来的趋势
如何解决防火墙及NAT将是重要议题
页:
[1]