SilentKnight System IP traffic patterns and network integration highlights User Manual
Scenario 1: IPDACT and VisorALARM behind a NAPT router
In a typical scenario, the IPDACT and VisorALARM default gateways are connected to the Internet. UDP frames transmitted to the Internet through these gateways are therefore rewritten according to NAPT (Network Address Port Translation). The following diagram shows the network topology for this scenario together with the UDP frame header parameters in each network segment (the subscriber network, the Internet and the ARC network):
Figure 1. NAPT scenario and UDP frame header conversions
As can be seen in Figure 1, both routers need to perform NAPT so that the transmitted UDP frame travels across the Internet with the two systems' public IP addresses (213.4.21.187 and 80.26.96.183 in the figure). For correct system operation, the subscriber's network firewall should allow:
• UDP traffic sent from the IPDACT (IP address 192.168.1.2 in the example) to the ARC public IP address (80.26.96.183 in the example). On transmission, the subscriber's default gateway creates a NAPT conversion entry in its cache, so that the UDP traffic received from the Internet for this flow can be forwarded back to the IPDACT.
• UDP traffic received from the ARC (80.26.96.183). The subscriber's default gateway forwards this traffic to the IPDACT (192.168.1.2) according to its cached NAPT entry.
Similarly, the ARC network firewall should allow:
• UDP traffic received from the Internet on its serving port (port 80 in the example). Traffic to this port should be forwarded to the VisorALARM (IP address 172.24.4.1, serving port 80).
• UDP traffic sent from the VisorALARM to the Internet.
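The header rewrites of Figure 1 and the two firewall behaviours above, modelled as an added example (not code from the manual or from SilentKnight): the subscriber gateway caches one NAPT entry per outbound flow and drops inbound UDP with no matching entry, while the ARC gateway statically forwards its serving port to the VisorALARM. The IPDACT source port (5000) and the public port pool starting at 40000 are assumed values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Udp:  # the four UDP/IP header fields that NAPT rewrites
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class SubscriberNapt:
    """Subscriber gateway: one cached entry per outbound flow; inbound only on a match."""
    def __init__(self, public_ip, first_port=40000):  # port pool is an assumption
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}
    def outbound(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = next((p for p, f in self.table.items() if f == flow), None)
        if pub_port is None:  # first packet of this flow: create the cache entry
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)
    def inbound(self, pkt):
        flow = self.table.get(pkt.dst_port)
        if flow is None or flow[2:] != (pkt.src_ip, pkt.src_port):
            return None  # no matching entry: dropped at the subscriber edge
        return replace(pkt, dst_ip=flow[0], dst_port=flow[1])

class ArcGateway:
    """ARC gateway: static forward of the serving port to the VisorALARM."""
    def __init__(self, public_ip, serving_port, inner_ip, inner_port):
        self.public_ip, self.serving_port = public_ip, serving_port
        self.inner_ip, self.inner_port = inner_ip, inner_port
    def inbound(self, pkt):
        if pkt.dst_port != self.serving_port:
            return None  # only the serving port is opened towards the Internet
        return replace(pkt, dst_ip=self.inner_ip, dst_port=self.inner_port)
    def outbound(self, pkt):
        return replace(pkt, src_ip=self.public_ip, src_port=self.serving_port)

def trace_exchange():
    """Headers seen on each segment for one IPDACT request and the ARC reply."""
    sub = SubscriberNapt("213.4.21.187")
    arc = ArcGateway("80.26.96.183", 80, "172.24.4.1", 80)
    req = Udp("192.168.1.2", 5000, "80.26.96.183", 80)  # IPDACT source port: constructed
    req_inet = sub.outbound(req)     # subscriber network -> Internet
    req_arc = arc.inbound(req_inet)  # Internet -> ARC network
    rep = Udp(req_arc.dst_ip, req_arc.dst_port, req_arc.src_ip, req_arc.src_port)
    rep_inet = arc.outbound(rep)     # ARC network -> Internet
    rep_sub = sub.inbound(rep_inet)  # Internet -> subscriber network
    stray = sub.inbound(Udp("80.26.96.183", 80, "213.4.21.187", 40001))  # no entry
    return req_inet, req_arc, rep_inet, rep_sub, stray
```

The last value shows why the subscriber-side rule is scoped to cached entries: a UDP frame from the ARC address that no IPDACT flow solicited is not forwarded inside.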