1
Corporate Firewalls and DMZs
By Matt Bertram
ISQS 6342 (Spring 2003)
Professor John Durrett
2
IP Routing Basics
Every system has an "IP address" (e.g., 129.118.1.3) and a "subnet mask" (e.g., 255.255.0.0)
- subnet mask = mask = network mask = netmask
- A mask is NOT an IP address
- The first "n" bits of the mask are 1's and denote the "network portion" of the IP address
- The remaining "24-n" bits are 0's and denote the "host portion" of the address
  address = 129.118.1.3   = 10000001.01110110.00000001.00000011
  mask    = 255.255.0.0   = 11111111.11111111.00000000.00000000
"Prefix" notation: address/n (e.g., 129.118.1.3/16)
- Easier to work with, becoming more common
3
Network Addresses
You can choose any n-bit subnet mask you want provided you do not mix 1's and 0's:
  255.224.0.0 = 11111111.11100000.00000000.00000000 = OK
  255.225.0.0 = 11111111.11100001.00000000.00000000 = NOT OK
For hosts with a given subnet mask, you can use any IP address you want except:
- all host bits of "0" -- this is reserved as the "network address", which addresses the subnet itself
- all host bits of "1" -- this is reserved as the "broadcast address", which addresses all hosts on the subnet
For the host 129.118.1.3/16:
  address   = 10000001.01110110.00000001.00000011
  mask      = 11111111.11111111.00000000.00000000
  network   = 10000001.01110110.00000000.00000000
  broadcast = 10000001.01110110.11111111.11111111
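The mask check and the network/broadcast derivation from slides 2 and 3, written out as an added Python example (not part of the original slides); the helper names are my own.

```python
# Added example: validate a dotted-quad subnet mask (first n bits 1, rest 0)
# and derive the network and broadcast addresses for a host, as slides 2-3 describe.

def ip_to_int(dotted: str) -> int:
    """Parse a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(value: int) -> str:
    """Render a 32-bit value in the dotted binary form used on the slides."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def mask_prefix_len(mask: str) -> int:
    """Return n for a valid mask; raise if the mask mixes 1s and 0s (e.g. 255.225.0.0)."""
    m = ip_to_int(mask)
    n = bin(m).count("1")
    # A proper mask of n ones is the all-ones word shifted left by (32 - n) bits.
    if m != ((0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF):
        raise ValueError(f"mask {mask} mixes 1s and 0s")
    return n

def is_valid_mask(mask: str) -> bool:
    try:
        mask_prefix_len(mask)
        return True
    except ValueError:
        return False

def subnet_info(address: str, mask: str) -> dict:
    """Network, broadcast and prefix for an address/mask pair, plus whether the
    address itself is usable for a host (host bits neither all 0 nor all 1)."""
    n = mask_prefix_len(mask)
    a, m = ip_to_int(address), ip_to_int(mask)
    network = a & m                      # host bits cleared
    broadcast = network | (~m & 0xFFFFFFFF)  # host bits set
    return {
        "prefix": f"{int_to_ip(network)}/{n}",
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "usable_hosts": max((1 << (32 - n)) - 2, 0),
        "address_is_host": a not in (network, broadcast),
        "address_bits": to_binary(a),
        "mask_bits": to_binary(m),
    }
```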
4
Routing Tables
Every host maintains a routing table
- Use the "route" command in Linux and Windows
Each row (or "entry") in the routing table has the following columns:
- (1) destination address and (2) mask
- (3) gateway [i.e., the IP address of the host's gateway/router]
- (4) interface [i.e., the IP address of a host interface]
- (5) metric [indicates the "cost" of the route, smaller is better]
When the host wants to send a packet to a destination, it looks in the routing table to find out how
- Each OS handles routing somewhat differently
5
Routing Tables
Suppose host A/a wants to send a packet to host B. Each entry in the routing table on host A is examined:
- If a specific route to B exists, use this route (i.e., send the packet using the interface specified in the table)
- If a specific route to B's network exists, use this route
  - In the special case where A and B are in the same subnet (if the first a bits of A and B match), send the packet directly to B
- If a default route exists (i.e., A is configured to use a "gateway" or "router"), send the packet to the router
  - A default route is listed in the routing table as "0.0.0.0/0"
  - The router has a routing table and follows this same process
- Otherwise, the packet is not sent
If multiple entries for some destination exist, they are tried from smallest to largest metric
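The selection order on slides 4 and 5 (host route, then network route, then default route, else drop; ties broken by metric) amounts to a longest-prefix match. Here it is as an added Python example over a constructed table for host A = 129.118.1.3/16; the table entries, the gateway 129.118.1.1, and the convention that gateway 0.0.0.0 means "directly connected" are my assumptions, not from the slides.

```python
# Added example: route lookup following the slide 5 procedure.
# Columns follow slide 4: destination, mask, gateway, interface, metric.
import ipaddress

# Constructed routing table for host A (129.118.1.3/16). A gateway of "0.0.0.0"
# marks a directly connected subnet: deliver on-link, no router involved.
ROUTING_TABLE = [
    ("0.0.0.0",     "0.0.0.0",         "129.118.1.1",   "129.118.1.3", 20),  # default route
    ("129.118.0.0", "255.255.0.0",     "0.0.0.0",       "129.118.1.3", 1),   # A's own subnet
    ("10.1.2.0",    "255.255.255.0",   "129.118.1.1",   "129.118.1.3", 10),  # network route
    ("10.1.2.0",    "255.255.255.0",   "129.118.1.254", "129.118.1.3", 5),   # same net, lower metric
    ("10.9.9.9",    "255.255.255.255", "129.118.1.254", "129.118.1.3", 1),   # host route (/32)
]

def lookup_route(destination: str, table=ROUTING_TABLE):
    """Return (next_hop, interface, matched_prefix), or None when no entry matches
    (the slide's 'packet is not sent' case)."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for dest, mask, gateway, iface, metric in table:
        # strict=False tolerates host bits in the destination column
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net:
            candidates.append((net.prefixlen, metric, gateway, iface, net))
    if not candidates:
        return None
    # Most specific prefix wins: /32 host route, then a network route, then the
    # /0 default route. Among equally specific entries the smallest metric wins.
    prefixlen, metric, gateway, iface, net = max(
        candidates, key=lambda c: (c[0], -c[1]))
    next_hop = destination if gateway == "0.0.0.0" else gateway
    return next_hop, iface, str(net)

if __name__ == "__main__":
    for target in ("129.118.7.7", "10.1.2.50", "10.9.9.9", "8.8.8.8"):
        print(target, "->", lookup_route(target))
```

Real stacks add their own wrinkles (per-OS metric handling, on-link detection via ARP), which is the "each OS handles routing somewhat differently" point on slide 4.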
6
Routing
A host with two (or more) interfaces and addresses on two (or more) networks is referred to as "multihomed"
- Can be "hardware," e.g., Cisco router X
- Can be "software," e.g., a PC running Linux
A multihomed host that has "IP forwarding" enabled can be configured to pass traffic between networks (i.e., to function as a "router")
- In Linux, add "forward_ip4=yes" to "/etc/sysconfig/network"
- In Windows XP, create or edit the following registry key:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Value Name: IPEnableRouter
    Data Type: REG_DWORD
    Value Data: "0" (disabled) or "1" (enabled)
- In Windows 2000 Server, install and configure "Routing and Remote Access"
7
Firewalls
A router can also be configured as a "firewall"
A firewall examines packets at layers 2/3/4 and makes decisions about what to do with them
Current operating systems include firewall functionality:
- In Linux (2.4 and later), use the "iptables" command
- In Linux (prior to 2.4), use the "ipchains" command
- In Windows XP, enable "Internet Connection Firewall"
  - Some Microsoft applications open ports during installation
- In Windows 2000 Server, purchase "Microsoft Internet Security and Acceleration Server"
8
Unswitched Devices
"Dumb" Devices (forward all packets)
- Layer 1 = Hub, Repeater
  - Technically, a hub passes signals without regenerating them
- Layer 2 = Bridge
  - Connects different types of LANs (e.g., Ethernet and ATM, but not Token Ring if you're lucky)
"Intelligent" Devices (decide whether to forward packets)
- Layer 3 = Router
  - Use routing table to make decisions
  - Improved performance and security
- Layer 2/3 = Bridge/Router
9
Switches
Layer 2 = data link layer (MAC address) = + over hubs/repeaters
- Systems only see traffic they are supposed to see
- Unswitched versus switched (full duplex) 10 and 100 mb Ethernet = 40% of bandwidth versus 95%+ (no collisions)
Layer 3 = network layer (IP address) = + over routers
- Routers moved to periphery
- Virtual LANs (VLANs) become viable
Layer 4 = transport layer (TCP/UDP/ICMP headers) = + over L3
- Firewall functionality (i.e., packet filtering)
- Significantly more expensive
Layer 5 = session layer and above (URLs) = + over L4 for clusters
- Application proxy functionality (but MUCH faster than proxies)
- Special function, cutting-edge = significant specific performance gains
- 1999/2000: researchers (from IBM & Lucent) designed a layer 5 switch as front-end to a load-balanced 3-node cluster running AIX and Apache:
  - 220% performance increase due to content partitioning
  - 600% performance increase due to SSL session reuse