Corporate Firewalls and DMZs
By Matt Bertram, ISQS 6342 (Spring 2003), Professor John Durrett
IP Routing Basics
• Every system has an "IP address" (e.g., 129.118.1.3) and a "subnet mask" (e.g., 255.255.0.0)
• subnet mask = mask = network mask = netmask
• A mask is NOT an IP address
• The first "n" bits of the mask are 1's and denote the "network portion" of the IP address
• The remaining "32-n" bits are 0's and denote the "host portion" of the address
• address = 129.118.1.3 = 10000001.01110110.00000001.00000011
• mask = 255.255.0.0 = 11111111.11111111.00000000.00000000 (n = 16)
• "Prefix" notation: address/n (e.g., 129.118.1.3/16)
• Easier to work with, and now the usual way to write an address and mask together
Network Addresses
• You can choose any n-bit subnet mask you want provided the 1's and 0's are not mixed (all 1's on the left, all 0's on the right):
• 255.224.0.0 = 11111111.11100000.00000000.00000000 = OK (n = 11)
• 255.225.0.0 = 11111111.11100001.00000000.00000000 = NOT OK
• For hosts with a given subnet mask, you can use any value in the host portion except:
• all host bits "0" -- reserved as the "network address", which addresses the subnet itself
• all host bits "1" -- reserved as the "broadcast address", which addresses all hosts on the subnet
• For the host 129.118.1.3/16:
• address = 10000001.01110110.00000001.00000011
• mask = 11111111.11111111.00000000.00000000
• network = 10000001.01110110.00000000.00000000 = 129.118.0.0
• broadcast = 10000001.01110110.11111111.11111111 = 129.118.255.255
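The subnet arithmetic of the two slides above, as an added example that is not part of the original slides: plain integer bit operations, so each step (mask validity, network address, broadcast address, "same subnet" test) is visible. The host 129.118.1.3/16 and the masks 255.224.0.0 / 255.225.0.0 are the slides' own examples; the other inputs are constructed for the demonstration.

```python
# Added example (not from the original slides): subnet arithmetic with
# integer bit operations. Inputs other than the slides' 129.118.1.3/16 and
# the two masks are constructed.


def ip_to_int(dotted: str) -> int:
    """'129.118.1.3' -> 0x81760103."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(n: int) -> int:
    """n ones followed by 32-n zeros, as a 32-bit integer."""
    if not 0 <= n <= 32:
        raise ValueError(f"prefix length out of range: {n}")
    return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Return n for a valid mask; reject one that mixes 1's and 0's (e.g. 255.225.0.0)."""
    m = ip_to_int(mask)
    n = bin(m).count("1")
    if prefix_to_mask(n) != m:          # all the ones must sit on the left
        raise ValueError(f"non-contiguous mask: {mask}")
    return n


def subnet_info(cidr: str) -> dict:
    """Network and broadcast addresses plus the number of usable host addresses."""
    addr_s, n_s = cidr.split("/")
    addr, n = ip_to_int(addr_s), int(n_s)
    mask = prefix_to_mask(n)
    network = addr & mask                        # host bits all 0
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all 1
    host_bits = 32 - n
    # Caveat: a /31 (RFC 3021 point-to-point link) or /32 reserves nothing;
    # every address in it is a host address.
    usable = 2 ** host_bits if host_bits <= 1 else 2 ** host_bits - 2
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "mask": int_to_ip(mask),
        "usable_hosts": usable,
    }


def same_subnet(a: str, b: str, n: int) -> bool:
    """True when the first n bits of a and b match (the routing 'same subnet' case)."""
    mask = prefix_to_mask(n)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)


if __name__ == "__main__":
    print(subnet_info("129.118.1.3/16"))
    print("255.224.0.0 -> /%d" % mask_to_prefix("255.224.0.0"))
    try:
        mask_to_prefix("255.225.0.0")
    except ValueError as err:
        print("rejected:", err)
    print(same_subnet("129.118.1.3", "129.118.200.7", 16))
```

The contiguity check is the one worth keeping in mind: a mask that passes `bin(m).count("1")` but fails `prefix_to_mask(n) == m` is exactly the "mixed 1's and 0's" case the slide rejects.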
Routing Tables
• Every host maintains a routing table
• Use the "route" command in Linux and Windows ("ip route" on current Linux, "route print" on Windows)
• Each row (or "entry") in the routing table has the following columns:
• (1) destination address and (2) mask
• (3) gateway [i.e., the IP address of the next-hop router for this entry]
• (4) interface [i.e., the IP address of a host interface]
• (5) metric [indicates the "cost" of the route; smaller is better]
• When the host wants to send a packet to a destination, it looks in the routing table to find out how
• Each OS handles routing somewhat differently
Routing Tables
• Suppose host A (address A/a) wants to send a packet to host B
• The entries in A's routing table are examined, most specific first (the longest matching prefix wins):
• If a specific route to B (a host route) exists, use this route (i.e., send the packet out the interface specified in the table, to the gateway listed there)
• Otherwise, if a route to B's network exists, use this route
• In the special case where A and B are in the same subnet (the first a bits of A and B match), send the packet directly to B
• Otherwise, if a default route exists (i.e., A is configured to use a "gateway" or "router"), send the packet to the router
• A default route is listed in the routing table as "0.0.0.0/0"
• The router has a routing table of its own and follows this same process
• Otherwise the packet is not sent (the OS reports "no route to host")
• If multiple entries match a destination equally well (same prefix length), the one with the smallest metric is used
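The lookup procedure of the two slides above, as an added example that is not part of the original slides: longest prefix first, the default route 0.0.0.0/0 as the catch-all, the smallest metric among equally specific entries, and "no route" when nothing matches. The table is constructed for the demonstration (host A = 129.118.1.3/16 with an assumed second interface 10.0.5.1/24) and does not describe any real host; it uses Python's standard `ipaddress` module for the prefix containment test.

```python
# Added example (not from the original slides): routing-table lookup with
# longest-prefix match and metric tie-break. The table below is constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network   # columns (1) destination and (2) mask
    gateway: Optional[str]               # (3) next hop; None = directly connected
    interface: str                       # (4) address of the host's own interface
    metric: int                          # (5) cost, smaller is better


def route(cidr: str, gateway: Optional[str], interface: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(cidr, strict=False), gateway, interface, metric)


# Constructed table for host A = 129.118.1.3/16, which also has a second
# interface 10.0.5.1/24 with two routers (.253 and .254) on that segment.
TABLE = [
    route("129.118.0.0/16", None, "129.118.1.3", 1),       # A's own subnet
    route("10.0.5.0/24", None, "10.0.5.1", 1),             # second interface's subnet
    route("10.7.7.7/32", "10.0.5.254", "10.0.5.1", 1),     # host route to one machine
    route("10.0.0.0/8", "10.0.5.254", "10.0.5.1", 10),     # network route, worse metric
    route("10.0.0.0/8", "10.0.5.253", "10.0.5.1", 5),      # same network, better metric
    route("0.0.0.0/0", "129.118.1.1", "129.118.1.3", 1),   # default route
]
TABLE_NO_DEFAULT = TABLE[:-1]   # same host without a default route


def lookup(table, dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by the smallest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.destination]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.destination.prefixlen, r.metric))


def next_hop(table, dst: str):
    """(address the packet is handed to, interface used), or None if there is no route."""
    r = lookup(table, dst)
    if r is None:
        return None                      # the packet is not sent
    # Directly connected subnet: deliver to B itself rather than to a gateway.
    return (r.gateway if r.gateway is not None else dst, r.interface)


if __name__ == "__main__":
    for dst in ("129.118.200.7", "10.7.7.7", "10.9.9.9", "10.0.5.77", "8.8.8.8"):
        print(dst, "->", next_hop(TABLE, dst))
    print("8.8.8.8 without default ->", next_hop(TABLE_NO_DEFAULT, "8.8.8.8"))
```

Note that 10.7.7.7 is reached via the /32 host route even though the /8 entry with metric 5 also matches: prefix length is compared first, and the metric only decides between the two /8 entries for an address such as 10.9.9.9.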
Routing
• A host with two (or more) interfaces and addresses on two (or more) networks is referred to as "multihomed"
• Can be "hardware," e.g., a Cisco router
• Can be "software," e.g., a PC running Linux
• A multihomed host that has "IP forwarding" enabled passes traffic between its networks (i.e., it functions as a "router"); a multihomed host that is meant to separate two networks must therefore keep forwarding off
• In older Red Hat Linux, set "FORWARD_IPV4=yes" in "/etc/sysconfig/network"; on current Linux, set the sysctl "net.ipv4.ip_forward=1" (persist it in /etc/sysctl.conf or /etc/sysctl.d/)
• In Windows XP, create or edit the following registry value:
• Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• Value Name: IPEnableRouter
• Data Type: REG_DWORD
• Value Data: "0" (disabled) or "1" (enabled)
• In Windows 2000 Server, install and configure "Routing and Remote Access"
Firewalls
• A router can also be configured as a "firewall"
• A firewall examines packets at layers 2/3/4 (MAC addresses, IP addresses, TCP/UDP ports) and makes decisions about what to do with them
• Current operating systems include firewall functionality
• In Linux (2.4 and later), use the "iptables" command (its successor, "nftables", is the default on current distributions)
• In Linux (prior to 2.4), use the "ipchains" command
• In Windows XP, enable "Internet Connection Firewall" (renamed "Windows Firewall" in SP2)
• Some Microsoft applications open ports during installation, so check the resulting rule set rather than assuming the default
• In Windows 2000 Server, purchase "Microsoft Internet Security and Acceleration Server"
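The layer 3/4 decision a packet filter makes, as an added example that is not part of the original slides: a small stateless filter with iptables-style chain semantics (rules checked in order, first match decides, the chain's default policy applies when nothing matches). The rule notation is this example's own, not iptables syntax; the server address 192.0.2.10, the admin network 10.1.0.0/24 and the packets are constructed for the demonstration. It also shows the ordering mistake that first-match semantics make easy: a broad ACCEPT placed before a narrower DROP silently disables the DROP.

```python
# Added example (not from the original slides): a stateless first-match
# packet filter. Addresses, rules and packets are constructed; the rule
# notation is the example's own, not iptables syntax.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The layer 3/4 fields a packet filter looks at."""
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    proto: Optional[str] = None      # None = any protocol
    src: str = "0.0.0.0/0"           # source network, CIDR
    dst: str = "0.0.0.0/0"           # destination network, CIDR
    dport: Optional[int] = None      # None = any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(chain, p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain's policy (default deny here)."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return policy


WEB = "192.0.2.10/32"     # a public web server (constructed address)
ADMIN = "10.1.0.0/24"     # internal admin network allowed to use SSH (constructed)

# Intended policy: anyone may reach HTTP/HTTPS, only ADMIN may reach SSH,
# everything else falls through to the DROP policy.
GOOD_CHAIN = [
    Rule("ACCEPT", proto="tcp", dst=WEB, dport=80),
    Rule("ACCEPT", proto="tcp", dst=WEB, dport=443),
    Rule("ACCEPT", proto="tcp", src=ADMIN, dst=WEB, dport=22),
    Rule("DROP", proto="tcp", dst=WEB, dport=22),
]

# Ordering mistake: a broad "accept tcp to the web server" placed first
# matches SSH from anywhere before the DROP is ever considered.
BAD_CHAIN = [
    Rule("ACCEPT", proto="tcp", dst=WEB),
    Rule("DROP", proto="tcp", dst=WEB, dport=22),
    Rule("ACCEPT", proto="tcp", src=ADMIN, dst=WEB, dport=22),
]


def check_chain(chain) -> dict:
    """Run a few constructed packets through a chain and report the verdicts."""
    internet = "198.51.100.5"            # an outside host (constructed address)
    probes = {
        "http_from_internet": Packet("tcp", internet, "192.0.2.10", 80),
        "ssh_from_internet": Packet("tcp", internet, "192.0.2.10", 22),
        "ssh_from_admin": Packet("tcp", "10.1.0.7", "192.0.2.10", 22),
        "dns_from_internet": Packet("udp", internet, "192.0.2.10", 53),
        "ping_from_internet": Packet("icmp", internet, "192.0.2.10"),
    }
    return {name: filter_packet(chain, p) for name, p in probes.items()}


if __name__ == "__main__":
    print("good:", check_chain(GOOD_CHAIN))
    print("bad: ", check_chain(BAD_CHAIN))
```

This filter is stateless: it judges every packet on its own, so a reply to an outbound connection would need its own rule. Real iptables/nftables rule sets use connection tracking (the ESTABLISHED,RELATED match) for that, which is why a default-deny policy is workable in practice.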
Unswitched Devices
• "Dumb" devices (forward all packets):
• Layer 1 = hub, repeater (technically, a hub passes signals without regenerating them; a repeater regenerates them)
• Layer 2 = bridge: connects different types of LANs (e.g., Ethernet and ATM, but not Token Ring if you're lucky); a learning bridge does filter unicast frames by MAC address, but still passes every broadcast
• "Intelligent" devices (decide whether to forward packets):
• Layer 3 = router: uses a routing table to make the decision
• Layer 2/3 = bridge/router (one device doing both)
• Moving up this list (layer 1 to layer 3) brings improved performance and security
Switches
• Layer 2 = data link layer (MAC address) = + over hubs/repeaters
• Systems only see traffic they are supposed to see
• Unswitched versus switched (full duplex) 10 and 100 Mb/s Ethernet: about 40% of the bandwidth usable versus 95%+ (no collisions)
• Layer 3 = network layer (IP address) = + over routers
• Routers moved to the periphery
• Virtual LANs (VLANs) become viable
• Layer 4 = transport layer (TCP/UDP headers, ICMP) = + over L3
• Firewall functionality (i.e., packet filtering)
• Significantly more expensive
• Layer 5 = session layer and above (URLs) = + over L4 for clusters
• Application proxy functionality (but MUCH faster than proxies)
• Special-function, cutting-edge devices = significant gains for specific workloads
• 1999/2000: researchers (from IBM & Lucent) designed a layer 5 switch as front-end to a load-balanced 3-node cluster running AIX and Apache:
• 220% performance increase due to content partitioning
• 600% performance increase due to SSL session reuse