12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


Preventing attacks

Address transforms

Server non-transparency

It is usually a good idea to hide the IP address of servers that sit on a service network. Clients external to the service network direct their connection requests to the security gateway to gain access to the desired service. For anyone external to the service network, it appears that the security gateway itself is providing all services. The security gateway replaces its address in the header's destination IP address field with the server's real IP address (dst != dst') and forwards the packet on to the server. Responses from the server travel back through the security gateway, even if the server knows the client's real IP address, and the security gateway replaces the header's source IP address with its own IP address. The client believes that it is only dealing with the security gateway. Figure 9-3 shows this address hiding.

Figure 9-3 Server non-transparency

Server transparency

You can configure the security gateway to accept connections for a service hosted by an external server. When the security gateway accepts these connections, it still acts as a proxy, with the same level of security. Assuming that you created the appropriate rule, the connection is allowed through, and the header left unchanged (dst = dst'). Because the client uses the real server address, you can describe the security gateway as transparent in the connection from the client to the server. This is shown in Figure 9-4.

Figure 9-4 Server transparency
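The two destination-address behaviours above can be modelled in a few lines. This is an added example, not code from the guide or the product: the Gateway class, its method names and the addresses are hypothetical, and it assumes the client's source address is passed to the server unchanged and that a connection with no matching rule is not forwarded.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (documentation ranges), not from the guide.
GATEWAY, CLIENT = "203.0.113.1", "198.51.100.7"
HIDDEN_WEB, VISIBLE_MAIL = "192.0.2.10", "192.0.2.25"

@dataclass(frozen=True)
class Header:
    src: str
    dst: str

class Gateway:
    """Toy model of the gateway's destination-address handling (hypothetical)."""

    def __init__(self, address, redirects, transparent_rules):
        self.address = address
        self.redirects = redirects                  # port -> hidden real server
        self.transparent_rules = transparent_rules  # {(server, port)} passed as-is
        self.sessions = {}  # (client, server, port) -> address the client dialled

    def to_server(self, hdr: Header, port: int) -> Optional[Header]:
        if hdr.dst == self.address and port in self.redirects:
            server = self.redirects[port]           # non-transparent: dst != dst'
        elif (hdr.dst, port) in self.transparent_rules:
            server = hdr.dst                        # transparent: dst = dst'
        else:
            return None                             # assumed: no rule, no forwarding
        self.sessions[(hdr.src, server, port)] = hdr.dst
        return Header(hdr.src, server)

    def to_client(self, hdr: Header, port: int) -> Optional[Header]:
        # The reply's source becomes the address the client dialled, so a
        # hidden server's real address never appears on the client side.
        dialled = self.sessions.get((hdr.dst, hdr.src, port))
        return None if dialled is None else Header(dialled, hdr.dst)

def round_trip(gw: Gateway, dialled: str, port: int):
    """Return (header the server receives, header the client receives)."""
    request = gw.to_server(Header(CLIENT, dialled), port)
    if request is None:
        return None, None
    return request, gw.to_client(Header(request.dst, CLIENT), port)

if __name__ == "__main__":
    gw = Gateway(GATEWAY, {80: HIDDEN_WEB}, {(VISIBLE_MAIL, 25)})
    for dialled, port in [(GATEWAY, 80), (VISIBLE_MAIL, 25), (HIDDEN_WEB, 80)]:
        print(dialled, port, round_trip(gw, dialled, port))
```

The third case shows why the hidden server stays hidden: dialling its real address directly matches no rule, so the only address that works from outside is the gateway's.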
