08_Network_Firewalls

The Network
Dave Devereaux-Weber
University of Wisconsin-Madison
Internet2 Commons Site Coordinator Training
September 27, 2004
Austin, Texas
Wiring and Station Cables
[Diagram: the station wiring path from the Ethernet switch through the horizontal wiring to the datajack, the station cable and the device (an iMac on the 3rd floor)]
▪ Common practice is unshielded twisted-pair (UTP) according to the specs:
• CAT 3 [old] supports 10 Mbps Ethernet (10base-T)
• CAT 5 [modern] supports 10base-T, 100 Mbps (100base-TX) and 1000 Mbps (1000base-T) Ethernet
• CAT 6 [new] supports CAT 5 applications +
Wiring and Station Cables
▪ Actual wire used and quality of installation may vary widely – know your wiring!
▪ Important to consider the station cables:
• Don’t use sub-CAT 5 station cables for 100 Mbps connections.
• Silver Satin telephone line cords are not CAT 5.
Ethernet LAN
▪ 10 / 100 / 1000 Mbps
▪ Full- and Half-Duplex
• Half-duplex: send or receive, one at a time (listens for collision).
• Full-duplex: send and receive simultaneously (does not listen for collision).
• 10 Mbps Ethernet supports half-duplex; full-duplex is not consistently implemented.
• 100 Mbps supports half- and full-duplex.
• Modern devices can auto-sense speed and duplex.
LAN: Switches vs. Repeaters
▪ Repeaters (hubs) are old technology.
▪ A repeater sends (repeats) packets that are incoming on one port out all other ports (I know you’re out there somewhere!).
▪ Can only operate in half-duplex mode.
▪ Bandwidth and jitter provided to any single device are highly dependent on the LAN traffic.
LAN: Switches vs. Repeaters
▪ A switch learns the MAC addresses of the devices connected to it, and sends packets directly and only to the target end-point.
▪ Provides much more consistent bandwidth and latency (low jitter).
▪ A well-designed switched LAN is important for videoconferencing. Repeater-based LANs should be upgraded to switched for videoconferencing!
LAN: Ethernet Duplex Mismatch
▪ “One of the most common causes of performance issues on 10/100Mb Ethernet links is when one port on the link is operating at half-duplex while the other port is operating at full-duplex.”
• http://www.cisco.com/warp/public/473/3.html
LAN: Ethernet Duplex Mismatch
▪ “There is a silent performance-killer out there, one so inconspicuous that it is hardly ever looked for or even suspected. You could suffer from it and never know it, as it robs a site of performance but not connectivity. This performance-killer has a name: Ethernet duplex mismatch.”
• http://www.hostingtech.com/nm/01_01_mismatch.html
LAN: Ethernet Duplex Mismatch
▪ If one end of a connection (device or Ethernet switch) is set for auto-negotiation and fails to see auto-negotiation at the other end, the former sets itself to the default, half-duplex.
▪ Auto-negotiation can sometimes fail, even when both sides are set to auto (although this isn’t as prevalent as in the past).
LAN: Duplex Mismatch – Detection
▪ Microsoft Windows doesn’t display the auto-negotiated duplex setting.
▪ Some routers re-negotiate auto-speed or auto-duplex, which can introduce jitter.
LAN: Ethernet Duplex Mismatch
Each port is set to one of auto, half or full. SETTINGS shows the configured values, RESULTS the duplex each end actually ends up running.

SETTINGS             RESULTS
switch    device     switch    device
auto      full       half      full      BAD!
full      auto       full      half      BAD!
auto      half       half      half
half      auto       half      half
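The fallback rule from the previous slide (an auto port that sees no negotiation partner drops to half-duplex), as an added Python model that is not from the slides. It covers all nine setting combinations rather than only the four rows shown; the auto/auto outcome assumes both ends support full-duplex.

```python
# Added example (not from the slides): model the duplex-mismatch rule
# described above, where a port set to "auto" that sees no
# auto-negotiation from its partner falls back to half-duplex.
from typing import Tuple

SETTINGS = ("auto", "half", "full")

def resolve_duplex(switch: str, device: str) -> Tuple[str, str, bool]:
    """Return (switch_result, device_result, mismatch) for two port settings.

    Rules modelled:
    - auto vs auto: negotiation succeeds; both ends end up full-duplex
      (assumption: both ends support full-duplex, e.g. 100 Mbps ports).
    - auto vs fixed: the fixed end sends no negotiation signal, so the
      auto end defaults to half-duplex; the fixed end keeps its setting.
    - fixed vs fixed: each end keeps its setting.
    """
    for side in (switch, device):
        if side not in SETTINGS:
            raise ValueError(f"unknown duplex setting: {side!r}")
    if switch == "auto" and device == "auto":
        sw_res, dev_res = "full", "full"
    else:
        sw_res = "half" if switch == "auto" else switch
        dev_res = "half" if device == "auto" else device
    return sw_res, dev_res, sw_res != dev_res

def mismatch_table():
    """All nine setting combinations, flagging the ones that end mismatched."""
    rows = []
    for sw in SETTINGS:
        for dev in SETTINGS:
            sw_res, dev_res, bad = resolve_duplex(sw, dev)
            rows.append((sw, dev, sw_res, dev_res, "BAD!" if bad else ""))
    return rows

if __name__ == "__main__":
    print(f"{'switch':8}{'device':8}-> {'switch':8}{'device':8}")
    for sw, dev, sw_res, dev_res, flag in mismatch_table():
        print(f"{sw:8}{dev:8}-> {sw_res:8}{dev_res:8}{flag}")
```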
LAN: Duplex Mismatch – Prevention
▪ Our recommendations:
• Don’t use hubs for videoconferencing.
• If building wiring is sub-CAT 5, then set switch ports to 10/half.
• If building wiring is CAT 5 or better, then set switch ports and devices to 100/full if supported on switch.
Router
▪ Provides interface to the WAN.
• Intranet, commercial Internet, and Internet2 connections.
• Typically, every networked device at an Internet2-connected institution has connectivity to Internet2.
WAN Segments
Service            Speed      Sample Uses
T1                 1.5 Mbps   remote building; extension center
DS3                45 Mbps    inter-campus; Internet (I1) connection
OC3                155 Mbps   inter-campus; I1 & Internet2 connection
OC12               622 Mbps   I1 backbones; Internet2 connection
OC48               2.4 Gbps   I1 and Internet2 backbones
Gigabit Ethernet   1 Gbps     advanced inter-campus connections when there is access to dark fiber

[Figure: Indiana University Abilene NOC Weathermap]

Traffic on the Network
▪ Typical university today:
• IP
– TCP
– UDP
• IPX [diminishing]
• Appletalk [diminishing]
Traffic on the LAN
▪ Unicast: one-to-one
▪ Multicast: one-to-many
▪ Broadcast: one-to-every
Unicast
▪ Most common traffic
▪ Common applications: mail, Web browsing, file transfer, etc.
IP Multicast
▪ A one-to-many mode of transmission
▪ Network numbers 224.0.0.0 through 239.255.255.255 are reserved for multicast.
▪ Examples of multicast applications:
• Vic/rat videoconferencing
• Centralized PC software administration tools such as Symantec Ghost
IP Multicast – Leak Problems
▪ Beware: high rates of unpruned multicast can adversely affect videoconference performance.
▪ Use a network traffic and protocol analyzer to identify this problem.
Broadcast
▪ A one-to-every mode of transmission
▪ Used by network protocols including ARP and IPX, NetBIOS system discovery, and name resolution.
▪ All devices on the network must process every broadcast packet; high broadcast rates can divert processing capacity.
▪ If the broadcast domain is too large or unusually active, the activity required at the end-point to deal with the broadcasts could diminish performance.
Broadcast
▪ A healthy network should have less than 100 broadcast packets per second.
▪ Check using a network traffic and protocol analyzer tool.
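The check the multicast-leak and broadcast slides call for, as an added Python example that is not from the slides: classify captured packets as unicast, multicast (224.0.0.0 through 239.255.255.255) or broadcast, then measure the broadcast rate against the 100 packets-per-second rule of thumb. The packet records below are constructed; in practice they would come from the analyzer’s export.

```python
# Added example (not from the slides): classify captured packets as
# unicast / multicast / broadcast and check the broadcast-rate rule of
# thumb (< 100 broadcast packets per second). Input records are constructed.
import ipaddress
from collections import Counter, defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BROADCAST_PPS_LIMIT = 100  # healthy-network rule of thumb from the slides

def classify(dst_mac: str, dst_ip: str) -> str:
    """Return 'broadcast', 'multicast' or 'unicast' for one packet."""
    if dst_mac.lower() == BROADCAST_MAC or dst_ip == "255.255.255.255":
        return "broadcast"
    # 224.0.0.0 - 239.255.255.255 is the IPv4 multicast range.
    if ipaddress.IPv4Address(dst_ip).is_multicast:
        return "multicast"
    return "unicast"

def rates_per_second(packets):
    """packets: iterable of (timestamp_seconds, dst_mac, dst_ip).
    Returns ({second: Counter(kind -> packets)}, peak broadcast pps)."""
    per_second = defaultdict(Counter)
    for ts, mac, ip in packets:
        per_second[int(ts)][classify(mac, ip)] += 1
    peak_bcast = max((c["broadcast"] for c in per_second.values()), default=0)
    return dict(per_second), peak_bcast

def broadcast_rate_ok(packets) -> bool:
    _, peak = rates_per_second(packets)
    return peak < BROADCAST_PPS_LIMIT

# Constructed sample: second 0 is quiet; second 1 carries a broadcast storm
# (ARP/NetBIOS-style) plus a multicast stream; second 2 is normal again.
SAMPLE = (
    [(0.1 + i * 0.01, "00:11:22:33:44:55", "10.0.0.7") for i in range(20)]
    + [(0.5, BROADCAST_MAC, "255.255.255.255")]
    + [(1.0 + i * 0.005, BROADCAST_MAC, "10.0.0.255") for i in range(150)]
    + [(1.0 + i * 0.02, "01:00:5e:01:01:01", "239.1.1.1") for i in range(40)]
    + [(2.2, "00:11:22:33:44:66", "10.0.0.9"), (2.3, BROADCAST_MAC, "255.255.255.255")]
)

if __name__ == "__main__":
    table, peak = rates_per_second(SAMPLE)
    for sec in sorted(table):
        print(f"t={sec}s {dict(table[sec])}")
    print(f"peak broadcast rate: {peak} pps -> "
          f"{'OK' if peak < BROADCAST_PPS_LIMIT else 'too high'}")
```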
Firewalls
▪ A firewall is a network node that acts to enforce an access control policy between two networks, e.g., between a university intranet and the commercial Internet.
▪ Used to secure IT resources against external attacks and break-ins.
▪ Network-layer firewalls typically make their decisions based upon port numbers and source/destination addresses.
▪ Application-layer firewalls act as proxies.
Firewalls
▪ H.323 uses the IP ports:
• Statically-assigned TCP ports 1718 – 1720 and 1731 for call setup and control.
• Dynamically-assigned UDP ports in the range of 1024 – 65535 for video and audio data streams.
▪ Firewalls don’t allow unrestricted ports. Typical modern firewalls and H.323 don’t get along so well.
Firewalls – Solutions for H.323
▪ [bad; non-scaleable] Allow unrestricted ports for specific, known, external IP addresses.
▪ [better, but still not so good] Use feature of some videoconferencing clients to confine dynamic ports to a specific, narrow range.
▪ [OK, but extra admin work] Use Ridgeway Systems H.323 application proxy.
▪ [best] Use a firewall that snoops on the H.323 call set-up channels (static ports) and opens ports for the audio/video (dynamic ports) as needed.
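The [best] option above as an added toy model in Python, not code from the slides or from any firewall product: the firewall watches the static TCP 1720 call-setup port, opens a UDP pinhole only for the media ports a call announces, and closes it on release or after an idle timeout. The message dictionary, the prefix-based inside/outside test and the 30-second idle timeout are assumptions for the model, not H.323 encodings.

```python
# Added example (not from the slides): a toy model of the "best" option above,
# a firewall that watches the static H.323 call-setup port and opens dynamic
# UDP pinholes only for the media ports a call announces. The message format
# is a constructed stand-in, not a real H.225/H.245 encoding.
from dataclasses import dataclass, field
from typing import Dict, Tuple

H323_SETUP_PORT = 1720                 # static call-setup port (slides)
MEDIA_PORTS = range(1024, 65536)       # dynamic UDP media range (slides)
PINHOLE_IDLE_SECONDS = 30              # assumption: idle pinholes are closed

Flow = Tuple[str, int, str, int]       # (src_ip, src_port, dst_ip, dst_port)

@dataclass
class H323Firewall:
    inside_prefix: str                          # toy "inside network" test
    pinholes: Dict[Flow, float] = field(default_factory=dict)

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def on_setup_message(self, tcp_port: int, msg: dict, now: float) -> None:
        """Inspect a call-control message; msg = {"type": "open_media" | "release",
        "inside": (ip, udp_port), "outside": (ip, udp_port)} (constructed format)."""
        if tcp_port != H323_SETUP_PORT:
            return                               # only the static channel is snooped
        (in_ip, in_port), (out_ip, out_port) = msg["inside"], msg["outside"]
        if not (self._inside(in_ip) and not self._inside(out_ip)):
            return                               # pinholes only span the two networks
        flow = (out_ip, out_port, in_ip, in_port)
        if msg["type"] == "open_media" and in_port in MEDIA_PORTS and out_port in MEDIA_PORTS:
            self.pinholes[flow] = now
        elif msg["type"] == "release":
            self.pinholes.pop(flow, None)

    def allow_inbound_udp(self, src_ip, src_port, dst_ip, dst_port, now: float) -> bool:
        """Permit an inbound UDP packet only through a live pinhole; hits refresh it."""
        self.expire(now)
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.pinholes:
            self.pinholes[flow] = now
            return True
        return False

    def expire(self, now: float) -> None:
        """Close pinholes idle longer than PINHOLE_IDLE_SECONDS."""
        for flow in [f for f, t in self.pinholes.items() if now - t > PINHOLE_IDLE_SECONDS]:
            del self.pinholes[flow]
```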
NATs
▪ Allows multiple computers behind the NAT to share one external network address.
▪ Uses:
• Alleviate shortage of IP addresses
• Security – obscures view of the network from outside
• Flexible network administration
▪ Not commonly used at universities on the campus level. Used somewhat in corporations. Common in small offices and at home – behind DSL, cable modem, or ISDN network service.
NATs
▪ Difficult to use H.323 behind NATs.
▪ Some videoconferencing terminals provide features to work with NAT – refer to videoconferencing terminal documentation.
Latency
▪ Latency is the time required for a packet to traverse a network from source to destination.
▪ Components of latency include:
• Propagation delay: the time it takes to traverse the distance of the transmission line; controlled by the speed of light in the media; rule-of-thumb: 20 ms San Francisco to New York.
Latency
• Transmission delay: the time it takes for the source to put a packet on the network. Rule-of-thumb: < 1 ms.
• Store-and-forward delay: the cumulative length of time it takes the internetworking devices along the path to receive, process, and resend the packets. Rule-of-thumb: variable, and depends upon network load.
Latency
▪ Rule of thumb:
• A one-way delay of:
– 0 – 150 ms provides excellent interactivity
– 150 – 300 ms is OK
– 300 – 400 ms is bad
– 400+ ms is unacceptable
Jitter
▪ Jitter is variation in latency over time.
▪ If the endpoints are on switched LANs, then the primary source of jitter is variation in the store-and-forward time, resulting from network load.
▪ H.323, particularly audio, is adversely affected by high levels of jitter.
▪ What is high? Rule of thumb?
Packet Loss
▪ Packet loss is typically due to congested links and routers.
• 1% is noticeable
• 5% becomes intolerable
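The latency, jitter and packet-loss rules of thumb from the last three slides applied to a captured media stream, as an added Python example that is not from the slides. The RFC 3550 interarrival jitter estimator and the synchronised sender/receiver clocks are assumptions of the example; the slides only define jitter as variation in latency.

```python
# Added example (not from the slides): grade received media packets against the
# rule-of-thumb thresholds above for one-way delay, packet loss and jitter. The
# RFC 3550 interarrival estimator is used for jitter (an assumption here).
from dataclasses import dataclass
from typing import List

@dataclass
class Packet:
    seq: int         # RTP-style sequence number
    sent_ms: float   # sender timestamp (assumes synchronised clocks)
    recv_ms: float   # receiver arrival time

def _grade(value: float, bands, top: str) -> str:
    # Label of the first band whose upper limit exceeds value, else `top`.
    for limit, label in bands:
        if value < limit:
            return label
    return top

def grade_delay(one_way_ms: float) -> str:   # 0-150 / 150-300 / 300-400 / 400+
    return _grade(one_way_ms, ((150, "excellent"), (300, "OK"), (400, "bad")), "unacceptable")

def grade_loss(loss_pct: float) -> str:      # 1% noticeable, 5% intolerable
    return _grade(loss_pct, ((1, "fine"), (5, "noticeable")), "intolerable")

def loss_percent(pkts: List[Packet]) -> float:
    """Loss from sequence-number gaps: expected = highest - lowest + 1."""
    seqs = {p.seq for p in pkts}
    expected = max(seqs) - min(seqs) + 1
    return 100.0 * (expected - len(seqs)) / expected

def rfc3550_jitter(pkts: List[Packet]) -> float:
    """J(i) = J(i-1) + (|D(i-1,i)| - J(i-1)) / 16, D = change in transit time."""
    ordered = sorted(pkts, key=lambda p: p.seq)
    j = 0.0
    for prev, cur in zip(ordered, ordered[1:]):
        d = (cur.recv_ms - cur.sent_ms) - (prev.recv_ms - prev.sent_ms)
        j += (abs(d) - j) / 16
    return j

def report(pkts: List[Packet]) -> dict:
    mean_delay = sum(p.recv_ms - p.sent_ms for p in pkts) / len(pkts)
    loss = loss_percent(pkts)
    return {"delay_ms": mean_delay, "delay": grade_delay(mean_delay), "loss_pct": loss,
            "loss": grade_loss(loss), "jitter_ms": rfc3550_jitter(pkts)}

# Constructed sample: 20 ms sender spacing, 180 ms transit, seq 3 and 7 lost,
# plus a 60 ms queueing spike on seq 5.
SAMPLE = [Packet(s, s * 20.0, s * 20.0 + 180.0 + (60.0 if s == 5 else 0.0))
          for s in range(40) if s not in (3, 7)]
```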
QoS
▪ Not currently feasible on commercial Internet and Internet2 networks for production, regular use. Internet2 is working on QoS plans, but the current over-provisioned Internet2 network doesn’t dictate need.
▪ Is useful on over-utilized intranet WAN links.
QoS
▪ How:
• Some videoconferencing terminals can set the IP precedence bits. Use that for marking and priority queuing on the WAN.
▪ Or:
• Use an H.323 Proxy for consolidation of traffic to a single address, router access list for marking, and priority queuing on the WAN.
QoS
▪ Caution!
• The wrong implementation could result in unwanted tradeoffs, e.g., packet loss improves but jitter gets worse.
The End-to-End Performance Problem
▪ Scenario
• Users on two different campuses of a university are experiencing poor video and audio in a conference.
• Each user is supported by a different group of videoconferencing engineers.
• Each campus is supported by a different group of network engineers.
• The wide-area network is supported by a third group of network engineers.
The End-to-End Performance Problem
▪ Problem
• How do the users get timely, useful assistance?
• How is network problem resolution coordinated?
The End-to-End Performance Problem
▪ Obstacles
• Different groups, schedules, and priorities.
• No one engineer has a complete understanding of the entire network path.
• No one engineer can gain access to all the network nodes (routers, switches) along the path to inspect for trouble.
• Communications are inconsistent from engineer to engineer.
The End-to-End Performance Problem
▪ Solutions
• Articulate the E-2-E problem to network management and engineers on all campuses.
• Establish reliable communication tools, and insist that engineers utilize the tools.
• Hold regular meetings; bring all engineers together in one place and time to share information.
• Have good network documentation for all networks.
H.323 is Network Sensitive!
▪ The big problems are:
• Half/Full-duplex mismatches
• Packet loss
• Jitter
• Substandard horizontal wiring or station cables
• Multicast leaks
• High broadcast rates
Recommendations
▪ Develop a close relationship with the network engineers and NOC. Make sure they understand what’s being done with videoconferencing and the network sensitivity of IP-based video.
▪ Articulate the End-to-End Performance Problem to network engineering and operations management. Champion ways to reduce the problem.
▪ Be sure to open trouble tickets with your NOC so that a problem history is maintained.
Recommendations
▪ Use switched Ethernet.
▪ Watch out for duplex mismatches.
▪ Keep an eye on utilization of WAN links, packet loss, and jitter.
▪ Make sure you don’t have broadcast or multicast leaking problems.
▪ Make sure wiring is up to the task.
Recommendations
▪ Have engineers in the videoconferencing support group trained to understand networking issues and tools.
The Network
Information on these slides courtesy of Doug Pearson, Indiana University, and David Devereaux-Weber, University of Wisconsin-Madison.