Router
Layer 3 devices that route traffic from one LAN to another.
Static and Default Routes
Static routes are fixed routing entries such as “10.0.0.0/8 via router 192.168.2.7”. Routers have a static “default route” that sends all traffic not matched by a more specific route (i.e. external traffic) to one router.
Routing Protocols
Complex networks with many routers and redundant paths use routing protocols to automatically learn changes in topology. A network that has had no recent outages or topology changes is normally “converged” (all routers agree on the topology).
Routing protocols come in two basic varieties: Interior Gateway Protocols (IGPs) like RIP and OSPF, and Exterior Gateway Protocols (EGPs) like BGP.
Distance Vector Routing Protocols
Use hop count as the metric and choose the path with the fewest hops; prone to routing loops. RIP is an example of a distance vector routing protocol.
RIP
- Sends updates every 30s – convergence is slow
- Max hop count is 15; 16 is infinite (unreachable)
- Uses split horizon to avoid routing loops
- Poison reverse is an addition to split horizon: the route is advertised back with a cost of 16 so the receiving router ignores the path
- Uses a hold-down timer (180s) to avoid route flapping.
Link State Routing Protocols
Factor in additional metrics when choosing the best route, including bandwidth.
OSPF
- Open Shortest Path First (OSPF) is an open link state routing protocol
- OSPF routers learn the entire network topology for their area.
- Routers send event-driven updates
- Faster convergence
BGP
Border Gateway Protocol (BGP) is used on the internet and routes between autonomous systems. It has some distance vector properties but is classified as a path vector routing protocol.
Firewalls
Perform (typically stateful) packet filtering on layers 3 and 4. Some proxy firewalls can make decisions based on layers 5-7.
Packet Filter
Performs filtering decisions on the basis of a single packet and has no concept of “state”. E.g. ICMP echo replies and UDP return packets require stateful packet inspection to be allowed back through the firewall. Packet filters are faster but less secure.
Stateful Firewalls
Use state tables to compare current packets with previous ones. The firewall inspects return packets such as ICMP echo replies and UDP DNS replies and allows them back through only if there is a matching previous packet. Slower but more secure.
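As an added illustration of the packet filter versus stateful firewall distinction above (example code, not part of the original notes), a small Python simulation that records outbound flows in a state table and admits only the matching DNS and ICMP echo return packets; the addresses, ports and echo identifier are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp", "tcp" or "icmp"
    src: str
    sport: int      # for ICMP this field carries the echo identifier
    dst: str
    dport: int      # for ICMP: 8 = echo request, 0 = echo reply
    direction: str  # "out" = leaving the trusted LAN, "in" = from the internet

def stateless_filter(pkt: Packet) -> bool:
    # Packet filter: judges each packet alone with no memory of earlier ones, so
    # it cannot distinguish a DNS reply from unsolicited UDP and drops all inbound.
    return pkt.direction == "out"

class StatefulFirewall:
    """Records outbound flows in a state table and admits an inbound packet
    only when it is the return half of a flow already in the table."""
    def __init__(self) -> None:
        self.table: Set[Tuple] = set()

    def _key(self, pkt: Packet, reverse: bool = False) -> Tuple:
        # Build the flow key; for an inbound packet swap the endpoints so the
        # reply maps onto the key recorded for the original outbound packet.
        a, ap, b, bp = (pkt.dst, pkt.dport, pkt.src, pkt.sport) if reverse \
            else (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "icmp":        # no ports: match on the echo identifier
            return ("icmp", a, b, pkt.sport)
        return (pkt.proto, a, ap, b, bp)

    def filter(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.table.add(self._key(pkt))
            return True
        return self._key(pkt, reverse=True) in self.table

# Constructed sample traffic (not captured data).
TRAFFIC: List[Packet] = [
    Packet("udp", "192.168.1.10", 40000, "8.8.8.8", 53, "out"),     # DNS query
    Packet("udp", "8.8.8.8", 53, "192.168.1.10", 40000, "in"),      # DNS reply
    Packet("udp", "203.0.113.5", 53, "192.168.1.10", 40000, "in"),  # unsolicited
    Packet("icmp", "192.168.1.10", 7, "1.1.1.1", 8, "out"),         # echo request
    Packet("icmp", "1.1.1.1", 7, "192.168.1.10", 0, "in"),          # echo reply
]

def run(filter_fn) -> List[bool]:
    # Apply one filter to TRAFFIC in order; True means the packet is allowed.
    return [filter_fn(p) for p in TRAFFIC]
```

The packet filter drops both legitimate replies, while the stateful firewall admits them and still rejects the unsolicited datagram from 203.0.113.5.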
Proxy Firewalls
Act as intermediary servers, often another hop along the route after the firewall or packet filter. A proxy often terminates connections, intercepting and handling the TCP 3-way handshake on behalf of the client and server. It hides the origin of the connection.
Application-Layer Proxy Firewalls
Operate on layer 7 and make decisions based on application data such as HTTP traffic. A dedicated proxy is often required for each protocol, which allows tighter control of filtering decisions.
Circuit-Level Proxies Including SOCKS
Operate at layer 5 (session layer); SOCKS is the common example. Applications need to be reconfigured or recompiled to support SOCKS. SOCKS5 is the current version and listens on port 1080.
Fundamental Firewall Design
Bastion hosts
Any host placed on the internet that is not protected by another device (firewall). Bastion hosts must protect themselves and be hardened to withstand attack.
Dual-Homed Host
Has two network interfaces; one connected to the internet and one connected to the trusted network. It does not route between them (IP forwarding is disabled). To access the internet a user must log into the dual-homed host first.
Screened Host Architecture
An older flat network design using one router to filter external traffic to and from a bastion host via an access control list. The bastion host can reach other internal resources, but the router ACL forbids direct external/internal connectivity. Weakness (no defence in depth) – compromise of the bastion host allows access to other systems in the internal network.
DMZ Networks and Screened Subnet Architecture
A demilitarized zone network uses two firewalls (the term DMZ alone implies two firewalls); servers that receive internet traffic are placed between the two firewalls. These hosts need defence-in-depth measures such as patching and hardening to mitigate risk. A compromise in the DMZ is designed to be contained and not extend into the internal trusted network. A single firewall can implement a three-legged DMZ, which requires it to filter traffic on all interfaces. Dual firewalls are considered more secure than a single firewall.
Modem
A modem is a modulator/demodulator – it converts binary data into analog sound and vice versa.
DTE/DCE and CSU/DSU
- DTE – Data Terminal Equipment – a user's network-connected machine, i.e. desktop, server, or actual terminal
- DCE – Data Circuit-terminating Equipment – e.g. a router. DCE marks the end of the ISP's network, connecting to the DTE
- Customer demarc (demarcation point) – point where DCE meets DTE
- CSU/DSU (Channel Service Unit/Data Service Unit) – a modem, a DCE device. Both sides of the DCE/DTE link must synchronize to a clock signal provided by the DCE