
I designed a network architecture in the cloud. I placed first an IPS and then a firewall (with NAT). I want to know if some attacks went to the internal networks which are not blocked by the IPS. But I think these internal IP addresses were replaced by the firewall's NAT IP address. How do I track the attacks targeting my internal network as I don't have the correct IP addresses?

JOW
user95437
I am having trouble understanding your question. Perhaps you can get help with the wording and grammar from someone you know. – Neil Smithline Dec 28 '15 at 04:50

4 Answers

2

In my answer, I will assume that, when you write "I placed first IPS and then firewall (with Nat)", you actually mean that you have a NAT device (which might be a firewall) in between your IPS and Internet. If that is not the case, please update your question and leave a comment.

In such a case, NAT should not create any specific issue because, typically, you're going to use DNAT for connections (and datagrams) coming from the outside. This type of NAT will replace the destination IP only, leaving the source IP untouched. It means that you'll get the IP of the real, internal server that will be affected and the original (source) IP of the attacker (or, at least, the source address contained in the IP header: it will not give you the real attacker if the packet has been spoofed).

For instance, if you have a packet coming with source IP 1.2.3.4:4556 (attacker) for server 5.6.7.8:80 (public server IP address), here is what will happen:

Original packet: S: 1.2.3.4:4556 D: 5.6.7.8:80
DNATed packet:   S: 1.2.3.4:4556 D: 10.0.0.8:80

(Note that a more complex NAT rule could change this. It is possible to fully replace source AND destination addresses and ports, but that is only used in very specific cases and, since you're the one creating the NATing rules, you should know about it.)

Stephane
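Added example, not part of Stephane's answer: a small Python script that applies the DNAT reasoning above to alerts logged by an IPS sitting in front of the firewall, mapping the public destination back to the internal host the firewall forwards to while keeping the (possibly spoofed) source for tracking. The DNAT table, the addresses and the alert lines are constructed for illustration and are not real infrastructure.

```python
import re

# Constructed DNAT table: (public IP, port) the firewall exposes, mapped to
# the internal host it forwards to. Hypothetical addresses, as in the answer.
DNAT_RULES = {
    ("5.6.7.8", 80):  ("10.0.0.8", 80),
    ("5.6.7.8", 443): ("10.0.0.8", 443),
    ("5.6.7.9", 22):  ("10.0.0.22", 22),
}

# Alert format used here follows the "S: a.b.c.d:port D: e.f.g.h:port" lines above.
ALERT_RE = re.compile(
    r"S:\s*(?P<sip>[\d.]+):(?P<sport>\d+)\s+D:\s*(?P<dip>[\d.]+):(?P<dport>\d+)"
)

def resolve_alert(line, rules=DNAT_RULES):
    """Map one IPS alert (seen before the NAT) to the internal host the
    firewall will forward it to. DNAT rewrites only the destination, so the
    source address from the IP header stays usable for tracking the attacker."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    pub = (m["dip"], int(m["dport"]))
    internal = rules.get(pub)
    return {
        "attacker": f"{m['sip']}:{m['sport']}",
        "public_target": f"{pub[0]}:{pub[1]}",
        "internal_target": f"{internal[0]}:{internal[1]}" if internal else None,
    }

def attacks_per_internal_host(lines, rules=DNAT_RULES):
    """Count alerts per internal host. An alert whose public target has no
    DNAT rule never reaches the private network, so it is grouped under
    'firewall-only' instead of being attributed to an internal host."""
    counts = {}
    for line in lines:
        key = resolve_alert(line, rules)["internal_target"] or "firewall-only"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed IPS alert lines for the demonstration.
SAMPLE_ALERTS = [
    "S: 1.2.3.4:4556 D: 5.6.7.8:80",
    "S: 1.2.3.4:4557 D: 5.6.7.8:443",
    "S: 9.9.9.9:40000 D: 5.6.7.9:22",
    "S: 9.9.9.9:40001 D: 5.6.7.8:8080",  # no DNAT rule: hits the firewall only
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(resolve_alert(alert))
    print(attacks_per_internal_host(SAMPLE_ALERTS))
```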
1

If you are really suspicious about the attacker from the internal network, you can set up a STUN server, which simply does that: it tells the client IP behind the NAT. The main purpose of the STUN protocol is to enable a device running behind a NAT device to discover its public IP and what type of NAT is running on the gateway it is connected to. It also enables the device connected behind a gateway to discover the port translation done by the gateway itself (in your case, the NAT).

ashish
0

The firewall or gateway is just a router and, as a router, it connects networks. In your case, it connects the internet (network A) with your network in the cloud (network B).

When you place the IPS outside the firewall, the IPS now resides with the internet and NOT inside your network.

If you want the IPS to detect threats inside your network, you should first connect the firewall to the internet and then connect the IPS to the firewall. This will also solve your problem with NAT, as the IP addresses visible to the IPS are not NATed.

JOW
0

As far as I have got your question, you are sketching something like this: Internet=>IPS=>Firewall(NATing here)=>your private network.

Firstly, this is not the best practice to place a firewall after an IPS, because it exposes the IPS to the internet and hence makes it the first target for malicious people from the internet. Secondly, theoretically, yes! Because in this case, the attack will be targeted at the public IP address and there will not be a specific way to identify the private IP of a specific host connected after your firewall in your private network. As for the tracking part, you should follow the solution given above in the first answer. Hope you get your answer!