Secure Networking and Perimeter Security in IT
Networking and Security Terms
What is software-defined perimeter?
Software-defined perimeter (SDP) is a network security approach that does not rely on a fixed physical boundary (a firewall at the edge of the corporate LAN) but enforces the perimeter in software, around each application. It grants granular, application-level access only after the user and device have been authenticated and authorized, and it repeats that validation continuously for internal and external users alike, so data stays protected after the initial connection rather than only at login. Depending on the deployment, it can also have a significant positive impact on an organization's network throughput.
What is network throughput?
Network throughput is one measure of network performance: the rate at which messages are successfully delivered over a communication channel, usually expressed in bits per second. It is distinct from bandwidth (the channel's nominal capacity) and from latency (how long an individual message takes to arrive); a link can have high bandwidth and still deliver low throughput because of loss, congestion or retransmission.
What is normal (full-cone) NAT?
A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
What is restricted cone NAT?
A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
What is port restricted cone NAT?
A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
What is symmetric NAT?
A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
What is NAT hole-punching?
NAT hole-punching is the technique of using a previously established NAT association (the mapping the NAT creates when an internal host sends outbound traffic) to let an external address/port other than the original target send data to the internal address/port. It works with normal (full-cone), restricted-cone and port-restricted-cone NATs, because all three map a given internal address/port to the same external address/port regardless of destination; the internal host only has to send a packet toward the intended peer (to its IP address for a restricted cone, to its exact IP address and port for a port-restricted cone) to open the hole. It generally fails when both peers are behind symmetric NATs, since every new destination produces a new, unpredictable mapping that the other peer cannot learn in advance.
Hole-punching can be used for both TCP and UDP traffic. The association is created by sending an outbound packet (for TCP, initiating an outbound connection) from the internal system, and the same local port is then reused to receive inbound traffic; for TCP this means binding the listening socket and the connecting socket to the same local port, which requires the SO_REUSEADDR (and on some systems SO_REUSEPORT) socket option. Whether external systems other than the target of the original connection can then reach the internal system depends on the NAT's filtering behaviour: a full-cone NAT accepts any external source, while restricted and port-restricted cone NATs accept only sources the internal host has already sent to.
Hole-punching can be used when both parties of the desired communication path are behind NATs, as long as at least one side is able to determine the dynamic association assigned to the other party by its NAT and send data through it. In practice both peers first contact a public rendezvous server (for example a STUN server), which observes and reports each peer's mapped external address/port, and the peers then send packets to each other's reported address at roughly the same time, retrying until one gets through.
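The following simulation is an added example, not code from the original page or from any NAT vendor. It models the mapping and inbound-filtering rules of the four NAT types defined above and then runs the UDP hole-punching exchange (rendezvous server, simultaneous sends, reply to the observed source) between every pair of NAT types, so the reader can see which combinations open a hole and which do not. The IP addresses, port numbers and the `Nat` and `hole_punch` names are constructed for the example; the model ignores mapping timeouts and treats the two simultaneous sends as both having left their NAT before either arrives, which is what the retries in a real implementation achieve.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]  # (ip, port)
KINDS = ("full", "restricted", "port_restricted", "symmetric")


@dataclass
class Nat:
    """Minimal model of one NAT: a mapping policy plus an inbound filtering policy."""
    kind: str
    public_ip: str
    next_port: int = 40000
    mappings: Dict[tuple, int] = field(default_factory=dict)    # mapping key -> external port
    reverse: Dict[int, Addr] = field(default_factory=dict)       # external port -> internal addr
    sent_to: Dict[int, Set[Addr]] = field(default_factory=dict)  # external port -> destinations used

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        """Internal host src sends to dst; return the external address the packet carries."""
        # Cone NATs key the mapping on the internal address only; a symmetric NAT
        # keys it on (internal address, destination), so each new peer gets a new port.
        key = (src, dst) if self.kind == "symmetric" else (src,)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.reverse[self.next_port] = src
            self.sent_to[self.next_port] = set()
            self.next_port += 1
        port = self.mappings[key]
        self.sent_to[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, src: Addr, dst: Addr) -> Optional[Addr]:
        """Packet from external src arrives for dst; return the internal addr it reaches, or None."""
        if dst[0] != self.public_ip or dst[1] not in self.reverse:
            return None  # no association exists for that external port
        seen = self.sent_to[dst[1]]
        if self.kind == "full":
            allowed = True                                   # any external host may send
        elif self.kind == "restricted":
            allowed = any(ip == src[0] for ip, _ in seen)    # prior send to that IP suffices
        else:
            allowed = src in seen                            # port-restricted and symmetric: exact IP+port
        return self.reverse[dst[1]] if allowed else None


def hole_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """Run the hole-punching exchange between peer A behind nat_a and peer B behind nat_b."""
    a_priv, b_priv = ("10.0.0.2", 5000), ("192.168.1.2", 6000)   # constructed private addrs
    rendezvous = ("203.0.113.1", 3478)                           # constructed public server
    # 1. Both peers send to the rendezvous server, which observes their mapped addresses.
    a_pub = nat_a.outbound(a_priv, rendezvous)
    b_pub = nat_b.outbound(b_priv, rendezvous)
    # 2. The server tells each peer the other's mapped address (assumed here, out of band).
    # 3. Each peer sends toward the other's reported address from the same local port.
    a_src = nat_a.outbound(a_priv, b_pub)   # on a symmetric NAT this creates a new mapping
    b_src = nat_b.outbound(b_priv, a_pub)
    b_got = nat_b.inbound(a_src, b_pub) == b_priv
    a_got = nat_a.inbound(b_src, a_pub) == a_priv
    # 4. A peer that did receive a packet now knows the sender's real mapped address
    #    and answers it directly, which is what rescues the symmetric/full-cone case.
    if b_got and not a_got:
        b_src = nat_b.outbound(b_priv, a_src)
        a_got = nat_a.inbound(b_src, a_src) == a_priv
    elif a_got and not b_got:
        a_src = nat_a.outbound(a_priv, b_src)
        b_got = nat_b.inbound(a_src, b_src) == b_priv
    return a_got and b_got


def punch_matrix() -> Dict[Tuple[str, str], bool]:
    """Try every pairing of NAT types with fresh NAT instances."""
    return {
        (ka, kb): hole_punch(Nat(ka, "198.51.100.1"), Nat(kb, "198.51.100.2"))
        for ka in KINDS for kb in KINDS
    }


if __name__ == "__main__":
    for (ka, kb), ok in punch_matrix().items():
        print(f"{ka:16s} <-> {kb:16s} {'punched' if ok else 'BLOCKED'}")
```

Running it prints a 4x4 table: every pairing of cone NATs succeeds, a symmetric NAT paired with a full-cone or address-restricted NAT succeeds only because the cone side replies to the source address it actually observed, and symmetric paired with port-restricted or symmetric is blocked, which is the case that forces a fallback to a relay.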