In the era of advancing information technology, network infrastructure plays a very important role in connecting devices and services globally.
However, the rapid growth in the number of devices that require access through public/static IP addresses has pushed public IP address version 4 (IPv4)
toward its capacity limit, coupled with the prediction that there will be up to 50 billion devices connected to the Internet by 2025.
IPv4 uses a 32-bit address, and the immediate problem is that fewer and fewer addresses remain, so the protocol will not be able
to last much longer. The rapid growth of the Internet has exhausted the IPv4 address allocation from the Internet Assigned Numbers
Authority (IANA). The statistical report issued by the Regional Internet Registries (RIRs) on May 7, 2024, "Internet Number Resource
Report Q1 March 2024", shows that the remaining IPv4 address space available in each RIR is very limited. The document
"Number Resource Status Report (NRO) Q1-2024" reveals the following details:
AFRINIC: 0.068 /8 blocks (approximately 1,140,851 IPv4 addresses)
APNIC: 0.14 /8 blocks (approximately 2,348,810 IPv4 addresses)
ARIN: 0 /8 blocks
LACNIC: 0 /8 blocks
RIPE NCC: 0 /8 blocks
A /8 block represents 16,777,216 IPv4 addresses. The total remaining IPv4 address space available globally is therefore approximately
3,489,661 addresses out of the 4,294,967,296 IPv4 addresses that exist. Thus about 99.92% of IPv4 addresses have been used, leaving
only about 0.08% still available. This indicates that almost all allocable IPv4 blocks have been consumed, with only a few remaining,
mainly in APNIC and AFRINIC.
Organizations, companies, and individuals who want to run services, devices, or servers in their network infrastructure now face
difficulty in obtaining an adequate IP address allocation. This limitation is a significant obstacle to efficient management of network
infrastructure: even as IPv4 approaches its end, many infrastructures still depend on it and cannot easily move to IPv6, because many
components cannot be migrated easily. Hosting servers are one example: a network address (IP) that has already been registered in
DNS (the domain name system) cannot simply be changed, so a change requires disruptive maintenance such as shutting down the
server or device.
The limited remaining IPv4 quota can be worked around with Network Address Translation (NAT), which places private/local IP
addresses behind a public/static IP address so that local devices can reach the Internet and Internet services through the public IP
address provided by a MikroTik router. This solution is known as Enhanced Explicit Port Forwarding (EEPF); the challenge is that a
mechanism is needed to bridge IP NAT and exposure to external access. MikroTik, a Linux-based operating system created specifically
for networking needs, has become one of the important elements in the management of modern network infrastructure. Nginx (engine-X)
answers the challenges related to EEPF because Nginx is commonly used to form server clusters and their internal platforms through
its reverse proxy function.
The EEPF topology requires the private/local IP address and the original port of each service to be forwarded to and from the MikroTik
router. The result is a single public/static IP address with many open ports, which is undesirable: every forwarded port is exposed, so
the burden of securing it grows, and network security mechanisms such as firewalls and Intrusion Detection Systems (IDS) must be
given higher priority and more attention. The most common cyber attacks target web servers or hosting, particularly through NMAP
(Network Mapper) port scans, which pose security risks. Returning to the problem mentioned earlier, the EEPF mechanism requires a
port for each redirected service (port forward), so a port scan reveals every port in use, whether it belongs to a public application or
to an internal/private application or device.
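To make the exposure difference concrete, the following Python script is an added illustration for this section, not code from the paper or from MikroTik or Nginx. It generates, from one constructed service list, the RouterOS dst-nat rules the EEPF design needs (one public port per service) and the Nginx server blocks of the reverse proxy design (one listener, routed by the Host header), and reports which public ports each design leaves visible to a scan. All hostnames, addresses, ports and certificate paths are constructed placeholders; the generated text is printed, not applied.

```python
"""Exposure comparison: per-service port forwarding (the EEPF pattern) versus
a single Nginx reverse proxy listener. Added illustration for this section;
all hostnames, addresses and ports are constructed examples, not values from
the paper, and the generated configuration text is only printed, not applied."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str           # DNS name clients use (constructed)
    internal_ip: str    # private address behind the MikroTik router (constructed)
    internal_port: int  # port the service listens on internally
    public_port: int    # distinct public port the EEPF design would forward


PUBLIC_IP = "198.51.100.10"  # constructed documentation address (RFC 5737)
PROXY_IP = "192.168.10.2"    # constructed: internal host running Nginx

SERVICES = [
    Service("app1.example.com", "192.168.10.11", 80, 8081),
    Service("app2.example.com", "192.168.10.12", 8080, 8082),
    Service("cctv.example.com", "192.168.10.13", 80, 8083),
]


def eepf_rules(services):
    """EEPF: one RouterOS dst-nat rule per service, each on its own public port."""
    return [
        f"/ip firewall nat add chain=dstnat dst-address={PUBLIC_IP} protocol=tcp "
        f"dst-port={s.public_port} action=dst-nat "
        f"to-addresses={s.internal_ip} to-ports={s.internal_port} comment={s.name}"
        for s in services
    ]


def eepf_exposed_ports(services):
    """Ports a scan of PUBLIC_IP would find open under the EEPF design."""
    return sorted({s.public_port for s in services})


def reverse_proxy_rules(listen_port=443):
    """Reverse proxy design: the router forwards only the proxy listener."""
    return [
        f"/ip firewall nat add chain=dstnat dst-address={PUBLIC_IP} protocol=tcp "
        f"dst-port={listen_port} action=dst-nat "
        f"to-addresses={PROXY_IP} to-ports={listen_port} comment=nginx-proxy"
    ]


def reverse_proxy_config(services, listen_port=443):
    """Nginx server blocks: one listener, routed by Host header to each backend."""
    blocks = []
    for s in services:
        blocks.append(
            "server {\n"
            f"    listen {listen_port} ssl;\n"
            f"    server_name {s.name};\n"
            "    ssl_certificate     /etc/nginx/certs/PLACEHOLDER.crt;  # placeholder path\n"
            "    ssl_certificate_key /etc/nginx/certs/PLACEHOLDER.key;  # placeholder path\n"
            "    location / {\n"
            f"        proxy_pass http://{s.internal_ip}:{s.internal_port};\n"
            "        proxy_set_header Host $host;\n"
            "        proxy_set_header X-Forwarded-For $remote_addr;\n"
            "    }\n"
            "}"
        )
    return "\n".join(blocks)


def reverse_proxy_exposed_ports(listen_port=443):
    """Ports a scan of PUBLIC_IP would find open under the reverse proxy design."""
    return [listen_port]


if __name__ == "__main__":
    print("# EEPF: router rules")
    print("\n".join(eepf_rules(SERVICES)))
    print("# EEPF exposed ports:", eepf_exposed_ports(SERVICES))
    print("# Reverse proxy: router rule")
    print("\n".join(reverse_proxy_rules()))
    print(reverse_proxy_config(SERVICES))
    print("# Reverse proxy exposed ports:", reverse_proxy_exposed_ports())
```

Under the EEPF design a scan of the public address finds three open ports and can fingerprint each backend directly; under the reverse proxy design it finds one, and every backend is reached only through Nginx, which can also apply TLS and access rules in one place. The caveat is that Host-based routing only applies to HTTP(S) services; a TCP service that does not speak HTTP still needs its own forward (or Nginx's stream module), so it remains visible to a scan.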
According to the OWASP report, the most significant risk categories are presented in Figure 1.
In Figure 1, OWASP (the Open Worldwide Application Security Project) explains that the problems that can affect a web server include
broken access control. As many as 94% of applications tested showed some form of broken access control, with 34 related Common
Weakness Enumerations (CWEs), a higher frequency than any other category. Injection, for which 94% of applications were tested for
some form of injection, has 33 related CWEs and the second highest frequency. Security Misconfiguration is found in 90% of applications
tested, indicating some form of incorrect security configuration. These data confirm that web application security risks contribute
significantly to attacks on web servers or hosting. Handling these aspects is therefore very important for maintaining infrastructure
security, especially at the initial entry point (port scanning).
NMAP (Network Mapper) is the most powerful tool for network sniffing and security scanning; it is used to find open ports and the
services running on them in a computer network, and it can efficiently scan multiple target IP addresses. A port scan is the first step
of a cyber attack: with NMAP, an attacker can obtain a detailed picture of the services running on a target server, including service
versions and the host's operating system. Port scans are a persistent problem in contemporary communication networks; they are usually
used as a reconnaissance tool, and they can also degrade application performance and throughput. Such a scan yields strategic
information about the open or used service ports on a server, especially a web server. NMAP begins by resolving a hostname to an IPv4
address via DNS and then probes each service, in other words it enumerates the ports on the target computer. As a commonly used
scanning tool, NMAP can therefore provide crucial information that can be analyzed to support further attacks.
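Because the paper treats the port scan as the reconnaissance step to defend against, the following Python script is an added example of the detection side: it reads firewall log lines in the style a MikroTik filter rule with log=yes writes, and flags any source that touches many distinct destination ports within a short sliding window. This is not code from the paper or from MikroTik; the log lines are constructed (RFC 5737 documentation addresses), the line format only approximates RouterOS output, and the window and threshold are assumed tuning values.

```python
"""Port-scan detection over MikroTik-style firewall log lines.
Added example for this section; the log lines are constructed, not captured,
and the format (timestamp, topics, log-prefix, proto, src:port->dst:port) only
approximates what RouterOS writes for a filter rule with log=yes."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source sweeping ten ports in a few seconds, one
# client retrying 443, and one source touching two ports six minutes apart.
SAMPLE_LOG = """\
2024-05-07 10:00:01 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40001->198.51.100.10:21, len 60
2024-05-07 10:00:01 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40002->198.51.100.10:22, len 60
2024-05-07 10:00:02 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40003->198.51.100.10:23, len 60
2024-05-07 10:00:02 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40004->198.51.100.10:25, len 60
2024-05-07 10:00:03 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40005->198.51.100.10:80, len 60
2024-05-07 10:00:03 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40006->198.51.100.10:443, len 60
2024-05-07 10:00:04 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40007->198.51.100.10:8081, len 60
2024-05-07 10:00:05 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40008->198.51.100.10:8082, len 60
2024-05-07 10:00:06 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40009->198.51.100.10:8083, len 60
2024-05-07 10:00:07 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:40010->198.51.100.10:3389, len 60
2024-05-07 10:00:09 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 192.0.2.7:51000->198.51.100.10:443, len 60
2024-05-07 10:00:12 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 192.0.2.7:51001->198.51.100.10:443, len 60
2024-05-07 10:03:00 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 192.0.2.9:52000->198.51.100.10:22, len 60
2024-05-07 10:09:00 firewall,info drop-input: in:ether1 out:(none), proto TCP (SYN), 192.0.2.9:52001->198.51.100.10:80, len 60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return the fields the detector needs, or None for lines it cannot parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "proto": m.group("proto"),
        "flags": m.group("flags") or "",
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def detect_port_scans(lines, window_s=60, min_ports=8):
    """Flag a source that touches at least min_ports distinct destination ports
    within any sliding window of window_s seconds (lines assumed in time order).
    Returns {src: {"first_seen": ISO timestamp, "ports": sorted list}}."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dport) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:  # drop expired events
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= min_ports:
            entry = alerts.setdefault(
                ev["src"], {"first_seen": ev["ts"].isoformat(), "ports": set()})
            entry["ports"] |= distinct  # keep accumulating ports after the first alert
    return {src: {"first_seen": a["first_seen"], "ports": sorted(a["ports"])}
            for src, a in alerts.items()}


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: {len(info['ports'])} ports "
              f"since {info['first_seen']}: {info['ports']}")
```

On the sample the sweeping source is reported once it reaches the eighth distinct port, while the client retrying a single port and the source whose two probes fall outside the window are not. The window and threshold trade false positives against slow scans: a scanner that spreads probes over minutes evades a 60-second window, so in practice the counter is kept per source over a longer horizon as well, and the same logic can be expressed as a RouterOS address-list rule chain rather than an offline script.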
This research places emphasis on proposed solutions to two major issues: the efficiency of IPv4 address usage with the EEPF method,
and protection against NMAP port scan attacks using the reverse proxy method. This approach not only optimizes IPv4 address usage
but also strengthens the defense against NMAP port scans, thereby maintaining infrastructure security holistically. The proposed solution
integrates port redirection using MikroTik with Nginx as a reverse proxy (proxy server) to achieve optimal efficiency and security in
managing network infrastructure.