2/6 Matt - Dr. John Durrett

Download Report

Transcript 2/6 Matt - Dr. John Durrett 

Corporate Firewalls
and DMZs
By Matt Bertram
ISQS 6342 (Spring 2003)
Professor John Durrett
IP Routing Basics
Every system has an “IP address” (e.g. 129.118.1.3) and
a “subnet mask” (e.g., 255.255.0.0)

subnet mask = mask = network mask = netmask
A mask is NOT an IP address



The first “n” bits of the mask are 1’s and denote the “network
portion” of the IP address
The remaining “24-n” bits are 0’s and denote the “host portion” of
the address
address = 129.118.1.3 = 10000001.01110110.00000001.00000011
mask
= 255.255.0.0 = 11111111.11111111.00000000.00000000
“Prefix” notation: address/n (e.g., 129.118.1.3/16)

Easier to work with, becoming more common
Network Addresses
You can choose any n-bit subnet mask you want
provided you do not mix 1’s and 0’s

255.224.0.0 = 11111111.11100000.00000000.00000000 = OK
255.225.0.0 = 11111111.11100001.00000000.00000000 = NOT OK
For hosts with a given subnet mask, you can use any IP
address you want except:





all host bits of “0” -- this is reserved as the “network address”,
which addresses the subnet itself
all host bits of “1” -- this is reserved as the “broadcast address”,
which addresses all hosts on the subnet
For the host 129.118.1.3/16:
address
= 10000001.01110110.00000001.00000011
mask
= 11111111.11111111.00000000.00000000
network
= 10000001.01110110.00000000.00000000
broadcast = 10000001.01110110.11111111.11111111
Routing Tables
Every host maintains a routing table

Use the “route” command in Linux and Windows
Each row (or “entry”) in the routing table has the
following columns:




(1) destination address and (2) mask
(3) gateway [i.e., the IP address of the host’s gateway/router]
(4) interface [i.e., the IP address of a host interface]
(5) metric [indicates the “cost” of the route, smaller is better]
When the host wants to send a packet to a destination, it
looks in the routing table to find out how

Each OS handles routing somewhat differently
Routing Tables
Suppose host A/a wants to sends a packet to host B
Each entry in the routing table on host A is examined:


If a specific route to B exists, use this route (i.e., send the packet using
the interface specified in the table)
If a specific route to B’s network exists, use this route
In the special case where A and B are in the same subnet (if the first a bits of
A and B match), send the packet directly to B

If a default route exists (i.e., A has is configured to use a “gateway” or
“router”), send this packet to the router
A default route is listed in the routing table as “0.0.0.0/0”
The router has a routing table and follows this same process

The packet is not sent
If multiple entries for some destination exist, they are tried from
smallest to largest metric
Routing
A host with two (or more) interfaces and addresses on
two (or more) networks is referred to as “multihomed”


Can be “hardware,” e.g., Cisco router X
Can be “software,” e.g., a PC running Linux
A multihomed host that has “IP forwarding” enabled can
be configured to pass traffic between networks (i.e., to
function as a “router”)


In Linux, add “forward_ip4=yes” to “/etc/sysconfig/network”
In Windows XP, create or edit the following registry key:
Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value Name: IPEnableRouter
Data Type: REG_DWORD
Value Data: "0" (disabled) or "1" (enabled)

In Windows 2000 Server, install and configure “Routing and
Remote Access”
Firewalls
A router can also be configured as a “firewall”
A firewall examines packets at layers 2/3/4 and
makes decisions about what to do with them
Current operating systems include firewall
functionality



In Linux (2.4 and later), use the “iptables” command
In Linux (prior to 2.4), use the “ipchains” command
In Windows XP, enable “Internet Connection Firewall”
Some Microsoft applications open ports during installation

In Windows 2000 Server, purchase “Microsoft Internet
Security and Acceleration Server”
Unswitched Devices
“Dumb” Devices
(forward all packets)
Layer 1 = Hub, Repeater

Technically, a hub passes
signals without
regenerating them
“Intelligent” Devices
(decide whether to
forward packets)
Layer 3 = Router

Layer 2 = Bridge

Connects different types of
LANs (e.g., Ethernet and
ATM, but not Token Ring if
you’re lucky)

Use routing table to make
decisions
Improved
performance
and security
Layer 2/3 =
Bridge/Router
Switches
Layer 2 = data link layer (MAC address) = + over hubs/repeaters


Systems only see traffic they are supposed to see
Unswitched versus switched (full duplex) 10 and 100 mb Ethernet =
40% of bandwidth versus 95%+ (no collisions)
Layer 3 = network layer (IP address) = + over routers


Routers moved to periphery
Virtual LANs (VLANs) become viable
Layer 4 = transport layer (TCP/UDP/ICMP headers) = + over L3


Firewall functionality (i.e., packet filtering)
Significantly more expensive
Layer 5 = session layer and above (URLs) = + over L4 for clusters



Application proxy functionality (but MUCH faster than proxies)
Special function, cutting-edge = significant specific performance gains
1999/2000: researchers (from IBM & Lucent) designed a layer 5 switch
as front-end to a load-balanced 3-node cluster running AIX and Apache:
220% performance increase due to content partitioning
600% performance increase due to SSL session reuse