Corporate Firewalls and DMZs, by Matt Bertram, ISQS 6342 (Spring 2003), Professor John Durrett


Page 1: Corporate Firewalls and DMZs

By Matt Bertram

ISQS 6342 (Spring 2003), Professor John Durrett

Page 2: IP Routing Basics

- Every system has an “IP address” (e.g., 129.118.1.3) and a “subnet mask” (e.g., 255.255.0.0)
  - subnet mask = mask = network mask = netmask
  - A mask is NOT an IP address
- The first “n” bits of the mask are 1’s and denote the “network portion” of the IP address
- The remaining “24-n” bits are 0’s and denote the “host portion” of the address
  address = 129.118.1.3 = 10000001.01110110.00000001.00000011
  mask = 255.255.0.0 = 11111111.11111111.00000000.00000000
- “Prefix” notation: address/n (e.g., 129.118.1.3/16)
  - Easier to work with, becoming more common

Page 3: Network Addresses

- You can choose any n-bit subnet mask you want provided you do not mix 1’s and 0’s
  255.224.0.0 = 11111111.11100000.00000000.00000000 = OK
  255.225.0.0 = 11111111.11100001.00000000.00000000 = NOT OK
- For hosts with a given subnet mask, you can use any IP address you want except:
  - all host bits of “0” -- this is reserved as the “network address”, which addresses the subnet itself
  - all host bits of “1” -- this is reserved as the “broadcast address”, which addresses all hosts on the subnet
- For the host 129.118.1.3/16:
  address = 10000001.01110110.00000001.00000011
  mask = 11111111.11111111.00000000.00000000
  network = 10000001.01110110.00000000.00000000
  broadcast = 10000001.01110110.11111111.11111111
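The following is an added Python example, not part of the original slides, that carries out the bit arithmetic of the two slides above on the full 32-bit address: it rejects a mask that mixes 1’s and 0’s (the 255.224.0.0 versus 255.225.0.0 case), and derives the network and broadcast addresses for 129.118.1.3/16. The function names are my own; the sample values are the slides’ own.

```python
# Added example (not from the slides): subnet arithmetic done bit by bit on the
# 32-bit address, using the slides' own case of 129.118.1.3 with mask 255.255.0.0.

def to_int(dotted):
    """Parse a dotted quad such as '129.118.1.3' into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad dotted quad: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """Inverse of to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(value):
    """Render as the slides do: four 8-bit groups separated by dots."""
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))

def prefix_length(mask):
    """Return n for a valid mask (n leading 1s followed only by 0s).
    Returns None when 1s and 0s are mixed, e.g. 255.225.0.0."""
    m = to_int(mask)
    n = bin(m).count("1")
    contiguous = m == ((0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF)
    return n if contiguous else None

def subnet_info(address, n):
    """Mask, network and broadcast for address/n: the network has all host bits 0,
    the broadcast has all host bits 1 (the two reserved addresses on slide 3)."""
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be 0..32")
    a = to_int(address)
    m = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    network = a & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return {"mask": to_dotted(m), "network": to_dotted(network),
            "broadcast": to_dotted(broadcast)}

def is_usable_host(address, n):
    """False for the network and broadcast addresses, which cannot be assigned to a host."""
    info = subnet_info(address, n)
    return to_dotted(to_int(address)) not in (info["network"], info["broadcast"])

if __name__ == "__main__":
    print(prefix_length("255.224.0.0"), prefix_length("255.225.0.0"))  # 11 None
    print(to_binary(to_int("129.118.1.3")))
    for key, value in subnet_info("129.118.1.3", 16).items():
        print(key, value, to_binary(to_int(value)))
```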

Page 4: Routing Tables

- Every host maintains a routing table
  - Use the “route” command in Linux and Windows
- Each row (or “entry”) in the routing table has the following columns:
  (1) destination address and (2) mask
  (3) gateway [i.e., the IP address of the host’s gateway/router]
  (4) interface [i.e., the IP address of a host interface]
  (5) metric [indicates the “cost” of the route, smaller is better]
- When the host wants to send a packet to a destination, it looks in the routing table to find out how
- Each OS handles routing somewhat differently

Page 5: Routing Tables

- Suppose host A/a wants to send a packet to host B
- Each entry in the routing table on host A is examined:
  - If a specific route to B exists, use this route (i.e., send the packet using the interface specified in the table)
  - If a specific route to B’s network exists, use this route
    - In the special case where A and B are in the same subnet (if the first a bits of A and B match), send the packet directly to B
  - If a default route exists (i.e., A is configured to use a “gateway” or “router”), send this packet to the router
    - A default route is listed in the routing table as “0.0.0.0/0”
    - The router has a routing table and follows this same process
  - Otherwise, the packet is not sent
- If multiple entries for some destination exist, they are tried from smallest to largest metric
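Added example, not from the original slides: the lookup order described above, run over a constructed routing table for host A (129.118.1.3/16) with the five columns listed on slide 4. The gateway and interface addresses in the table are invented for the example, and a gateway of None is my convention for a directly connected network.

```python
# Added example (not from the slides): the route-selection order of slide 5 over a
# constructed routing table for host A = 129.118.1.3/16. Columns follow slide 4:
# destination, mask, gateway, interface, metric. Gateway and interface addresses
# are made up for this example; a gateway of None marks a directly connected network.
import ipaddress

ROUTES = [
    # destination    mask               gateway           interface      metric
    ("129.118.5.7",  "255.255.255.255", None,             "129.118.1.3", 1),   # specific route to host B
    ("129.118.0.0",  "255.255.0.0",     None,             "129.118.1.3", 1),   # A's own subnet (deliver directly)
    ("10.1.0.0",     "255.255.0.0",     "129.118.1.254",  "129.118.1.3", 20),  # route to another network
    ("10.1.0.0",     "255.255.0.0",     "129.118.1.253",  "129.118.1.3", 10),  # same network, smaller metric
    ("0.0.0.0",      "0.0.0.0",         "129.118.1.1",    "129.118.1.3", 1),   # default route, 0.0.0.0/0
]

def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))

def route_matches(route, target):
    """An entry matches when the target's network bits equal the entry's destination bits."""
    dest, mask = route[0], route[1]
    return (_as_int(target) & _as_int(mask)) == (_as_int(dest) & _as_int(mask))

def select_route(routes, target):
    """Most specific matching entry wins (host route, then network route, then default);
    among equally specific entries the smallest metric is tried first. None = not sent."""
    candidates = [r for r in routes if route_matches(r, target)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-bin(_as_int(r[1])).count("1"), r[4]))

def next_hop(routes, target):
    """Return (address the packet is handed to, outgoing interface), or None."""
    route = select_route(routes, target)
    if route is None:
        return None
    dest, mask, gateway, iface, metric = route
    # no gateway: the destination is on A's own subnet, so deliver directly to it
    return (gateway if gateway is not None else target, iface)

if __name__ == "__main__":
    for target in ("129.118.5.7", "129.118.9.9", "10.1.2.3", "192.0.2.10"):
        print(target, "->", next_hop(ROUTES, target))
    no_default = [r for r in ROUTES if r[0] != "0.0.0.0"]
    print("192.0.2.10 without a default route ->", next_hop(no_default, "192.0.2.10"))
```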

Page 6: Routing

- A host with two (or more) interfaces and addresses on two (or more) networks is referred to as “multihomed”
  - Can be “hardware,” e.g., Cisco router X
  - Can be “software,” e.g., a PC running Linux
- A multihomed host that has “IP forwarding” enabled can be configured to pass traffic between networks (i.e., to function as a “router”)
  - In Linux, add “forward_ip4=yes” to “/etc/sysconfig/network”
  - In Windows XP, create or edit the following registry key:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Value Name: IPEnableRouter
    Data Type: REG_DWORD
    Value Data: "0" (disabled) or "1" (enabled)
  - In Windows 2000 Server, install and configure “Routing and Remote Access”

Page 7: Firewalls

- A router can also be configured as a “firewall”
- A firewall examines packets at layers 2/3/4 and makes decisions about what to do with them
- Current operating systems include firewall functionality
  - In Linux (2.4 and later), use the “iptables” command
  - In Linux (prior to 2.4), use the “ipchains” command
  - In Windows XP, enable “Internet Connection Firewall”
    - Some Microsoft applications open ports during installation
  - In Windows 2000 Server, purchase “Microsoft Internet Security and Acceleration Server”

Page 8: Unswitched Devices

“Dumb” Devices (forward all packets)
- Layer 1 = Hub, Repeater
  - Technically, a hub passes signals without regenerating them
- Layer 2 = Bridge
  - Connects different types of LANs (e.g., Ethernet and ATM, but not Token Ring if you’re lucky)

“Intelligent” Devices (decide whether to forward packets)
- Layer 3 = Router
  - Use routing table to make decisions
  - Improved performance and security
- Layer 2/3 = Bridge/Router

Page 9: Switches

- Layer 2 = data link layer (MAC address) = + over hubs/repeaters
  - Systems only see traffic they are supposed to see
  - Unswitched versus switched (full duplex) 10 and 100 mb Ethernet = 40% of bandwidth versus 95%+ (no collisions)
- Layer 3 = network layer (IP address) = + over routers
  - Routers moved to periphery
  - Virtual LANs (VLANs) become viable
- Layer 4 = transport layer (TCP/UDP/ICMP headers) = + over L3
  - Firewall functionality (i.e., packet filtering)
  - Significantly more expensive
- Layer 5 = session layer and above (URLs) = + over L4 for clusters
  - Application proxy functionality (but MUCH faster than proxies)
  - Special function, cutting-edge = significant specific performance gains
  - 1999/2000: researchers (from IBM & Lucent) designed a layer 5 switch as front-end to a load-balanced 3-node cluster running AIX and Apache: 220% performance increase due to content partitioning, 600% performance increase due to SSL session reuse