Fortinet black logo

Cookbook

Using Hairpinning in a Network

Copy Link
Copy Doc ID 598118ae-ea1f-11e9-8977-00505692583a:105831
Download PDF

Using Hairpinning in a Network

What do hair pins have to do with networking?

Hair-pinning, in a networking context, is the method where a packet travels to an interface, goes out towards the Internet but instead of continuing on, makes a “hair pin turn”, and comes back in on the same interface. Initially, it may seem unnecessary or pointless even but it does serve a purpose.

These days, due to the shortage of IPv4 addresses, most networks behind a firewall, use private IP addresses. Private IPv4 addresses are not routable so a virtual IP needs to be configured to allow users from the Internet to access any private IP addresses on the internal side of the FortiGate. For more information on private IPv4 addresses, you can check out RFC 1918.

For instance, on the Internet you could use the address of the external IP, where the traffic would then be forwarded to the internal address of the server. You could then use the internal IP address to access the server if you are on the internal LAN. There is also the option to allow everyone to use a consistent address by setting up a Fully Qualified Domain Name (FQDN). This simplifies access seeing as words are easier to remember than IP addresses.

In recent years, system administrators focused on finding ways to strengthen their systems to prevent outside threats from intruding their networks. Unfortunately, they did not always take the time to protect their networks from internal threats, a situation where an internal resource became compromised. Hackers, crackers and other malicious actors took advantage of this weakness and invented “spoofing”. The bad guys used the spoofing method to alter packets to appear as if they were coming from the internal network, kind of like buzzing at the door of an apartment building and when someone answers, saying “let me back in, please”.

It took some time for the devices and programmers of network protocols to catch up. Networking and protocols were originally designed to work where everybody was on the same side. The security aspect was added later on as some people began exploiting the system.

It was not long before the good guys developed techniques to harden their systems to prevent packets coming in from what appear as internal IP addresses, when in reality, the packets are coming in from the Internet.

In order to use a common FQDN in combination with the VIP, the traffic has to come in to through the external interface to access the server. This is where the VIP accepts traffic.

System administrators put a lot of effort into preventing packets with internal IP addresses from coming in through the external interface. Humans have the ability of understanding the context of what is going on and use their judgment accordingly, but computers have no judgment and do only what you tell them to; nothing more. A computer has no basis for setting apart malicious attacks and safe traffic based only on the source address of the traffic. However, it is safe to assume that something coming in from the outside with an internal address raises some red flags. This is the reason why it is important to specify the source IPs of which traffic can be forwarded to the internal IP through the VIP.

A properly configured FortiGate is aware of the criteria to determine which source IP addresses will allow a packet to be forwarded to the internal IP address. If the incoming packets are from an allowed IP address, along with the other allowed parameters, they are forwarded to the appropriate internal address. If they are not explicitly approved, they are explicitly denied.

In the growing battle and evolution of those building a mousetrap and those trying to build an even better mousetrap, adapting to those changes becomes necessary. System administrators need to acclimate to the evolution on both sides all the while ensuring the user’s needs are met and the security on the network is maintained. Right now, one of the adaptations we make is to use a hair-pinning technique. This means working around the protections put in place to prevent malicious attacks and at the same time, accommodating users on a network. This technique provides users with the convenience of a continuous method of access and the security of preventing a commonly used attack technique.

Related Videos

sidebar video

FortiGate Hair-pinning

  • 20,347 views
  • 6 years ago

Using Hairpinning in a Network

What do hair pins have to do with networking?

Hair-pinning, in a networking context, is the method where a packet travels to an interface, goes out towards the Internet but instead of continuing on, makes a “hair pin turn”, and comes back in on the same interface. Initially, it may seem unnecessary or pointless even but it does serve a purpose.

These days, due to the shortage of IPv4 addresses, most networks behind a firewall, use private IP addresses. Private IPv4 addresses are not routable so a virtual IP needs to be configured to allow users from the Internet to access any private IP addresses on the internal side of the FortiGate. For more information on private IPv4 addresses, you can check out RFC 1918.

For instance, on the Internet you could use the address of the external IP, where the traffic would then be forwarded to the internal address of the server. You could then use the internal IP address to access the server if you are on the internal LAN. There is also the option to allow everyone to use a consistent address by setting up a Fully Qualified Domain Name (FQDN). This simplifies access seeing as words are easier to remember than IP addresses.

In recent years, system administrators focused on finding ways to strengthen their systems to prevent outside threats from intruding their networks. Unfortunately, they did not always take the time to protect their networks from internal threats, a situation where an internal resource became compromised. Hackers, crackers and other malicious actors took advantage of this weakness and invented “spoofing”. The bad guys used the spoofing method to alter packets to appear as if they were coming from the internal network, kind of like buzzing at the door of an apartment building and when someone answers, saying “let me back in, please”.

It took some time for the devices and programmers of network protocols to catch up. Networking and protocols were originally designed to work where everybody was on the same side. The security aspect was added later on as some people began exploiting the system.

It was not long before the good guys developed techniques to harden their systems to prevent packets coming in from what appear as internal IP addresses, when in reality, the packets are coming in from the Internet.

In order to use a common FQDN in combination with the VIP, the traffic has to come in to through the external interface to access the server. This is where the VIP accepts traffic.

System administrators put a lot of effort into preventing packets with internal IP addresses from coming in through the external interface. Humans have the ability of understanding the context of what is going on and use their judgment accordingly, but computers have no judgment and do only what you tell them to; nothing more. A computer has no basis for setting apart malicious attacks and safe traffic based only on the source address of the traffic. However, it is safe to assume that something coming in from the outside with an internal address raises some red flags. This is the reason why it is important to specify the source IPs of which traffic can be forwarded to the internal IP through the VIP.

A properly configured FortiGate is aware of the criteria to determine which source IP addresses will allow a packet to be forwarded to the internal IP address. If the incoming packets are from an allowed IP address, along with the other allowed parameters, they are forwarded to the appropriate internal address. If they are not explicitly approved, they are explicitly denied.

In the growing battle and evolution of those building a mousetrap and those trying to build an even better mousetrap, adapting to those changes becomes necessary. System administrators need to acclimate to the evolution on both sides all the while ensuring the user’s needs are met and the security on the network is maintained. Right now, one of the adaptations we make is to use a hair-pinning technique. This means working around the protections put in place to prevent malicious attacks and at the same time, accommodating users on a network. This technique provides users with the convenience of a continuous method of access and the security of preventing a commonly used attack technique.