Routing and WAN connections (page 378)
11.4 IP masquerading
BAT54-Rail/F.. Release 7.54 06/08
- The masquerading module must support and ’understand’ the particular server service of the ’exposed host’. For instance, several VoIP servers use proprietary, non-standard ports for extended signalling; such servers can therefore only be operated on unmasked connections.
- From a security point of view, it must be considered that the ’exposed host’ resides within the LAN. If the host comes under an attacker’s control, it could be misused as a starting point for further attacks against machines in the local network.
Note: To prevent attacks from a compromised server on the local network, some BAT models provide a dedicated DMZ interface or can separate their LAN ports at the Ethernet level in hardware.
Two local networks - operating servers in a DMZ
This feature requires Internet access with multiple static IP addresses. Please contact your ISP for an appropriate offer.
Example: Your provider assigns you the IP network address 123.45.67.0 with the netmask 255.255.255.248. You can then assign the IP addresses as shown in the table at the end of this section.
All computers and devices in the Intranet have no public IP address and therefore appear on the Internet with the IP address of the BAT (123.45.67.1).
Separation of Intranet and DMZ
Note: Although Intranet and DMZ may already be separated at the Ethernet level by distinct interfaces, appropriate firewall rules must be set up in any case so that the DMZ is also separated from the LAN at the IP level.
The server service shall thus be available from the Internet and from the Intranet, but any IP traffic from the DMZ towards the Intranet must be prohibited. For the above example, this reads as follows:
- With an ’Allow All’ strategy (default): Deny access from 123.45.67.2 to “All stations in local network”
DMZ IP address   Meaning/use
123.45.67.0      network address
123.45.67.1      BAT as a gateway for the Intranet
123.45.67.2      Device in the LAN which is to receive unmasked access to the Internet, e.g. web server connected at the DMZ port
123.45.67.3      broadcast address
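The address plan of this example and the ’Allow All’ strategy with its single deny rule, modelled as an added Python example that is not part of the BAT manual: address_plan() derives the role of every address from the assigned network and netmask, and decide() evaluates the firewall rules first-match. The intranet range 192.168.0.0/24 and the Internet client 198.51.100.7 are constructed values, since the manual does not state them.

```python
import ipaddress

# Constructed values: the public network from the manual's example plus an
# assumed private intranet range (the manual does not state the intranet's addressing).
PUBLIC_NET = ipaddress.ip_network("123.45.67.0/255.255.255.248")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
DMZ_HOST = "123.45.67.2"  # exposed web server connected at the DMZ port


def address_plan(net):
    """Derive the role of every address in the assigned public network (string or network)."""
    net = ipaddress.ip_network(net)
    hosts = list(net.hosts())
    plan = {
        str(net.network_address): "network address",
        str(hosts[0]): "BAT as a gateway for the Intranet",
        str(hosts[1]): "device with unmasked Internet access (e.g. web server at the DMZ port)",
        str(net.broadcast_address): "broadcast address",
    }
    for host in hosts[2:]:  # only present when the netmask leaves more than two host addresses
        plan[str(host)] = "free for further DMZ devices"
    return plan


# Firewall rules as (source network, destination network, action); first match wins.
# The first entry is the manual's "Deny access from 123.45.67.2 to all stations in
# local network"; the catch-all last entry implements the default 'Allow All' strategy.
RULES = [
    (ipaddress.ip_network(f"{DMZ_HOST}/32"), LAN_NET, "deny"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0"), "allow"),
]


def decide(src, dst, rules=RULES):
    """Return the action the rule set applies to a packet from src to dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "deny"  # not reached with the catch-all rule; safe fallback otherwise


if __name__ == "__main__":
    for ip, role in address_plan(PUBLIC_NET).items():
        print(f"{ip:<12} {role}")
    # DMZ -> Intranet is blocked, while Internet and Intranet still reach the server
    print(decide(DMZ_HOST, "192.168.0.10"))   # deny
    print(decide("198.51.100.7", DMZ_HOST))   # allow
    print(decide("192.168.0.10", DMZ_HOST))   # allow
```

For the netmask 255.255.255.248 the computed broadcast address is 123.45.67.7, with .3 to .6 left for further DMZ devices; a broadcast address of 123.45.67.3 is what the netmask 255.255.255.252 yields, which address_plan() also handles.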