Bridges, gateways, routers, and firewalls Basics


It is important to note that an IP address does not necessarily refer to a single node, but
rather to a network interface that is present on such a system. In this way it is possible to
have multiple IP addresses that exist on a single computer system in its entirety, but
each individual IP address relates to individual interfaces as parts of that system.

Therefore, it is possible to allocate a different IP address to each of two network cards
that are part of the same PC, or to have a third IP address allocated to a dial-up modem
or ISDN interface that is also connected to the same system. In such a configuration,
each network interface could have an address that is part of a different network, and as
such, the PC would be connected to three networks.
A system that has multiple different addresses and sits between multiple different networks can be described in a number of ways, depending on precisely what function it performs. If the sole purpose is to connect two different networks together, and to allow systems on one network to communicate with those on the other network, the dual-interfaced system is acting as what is known as a bridge, as it spans the gap between two different networks or network segments. In effect, a bridge is just a dumb router with a single rule (allow traffic from network A to reach network B, and vice versa); it simply routes traffic from one area of the network to another without analysing any of the traffic that passes through it.
A more complicated set of rules will turn this same system from being a simple bridge between two networks into a router or gateway system instead. A router contains information about where to redirect network traffic: by analysing the structure of the individual data packets, noting their destination, and forwarding them to the relevant location according to the configuration of the currently installed ruleset. There is little real difference between a gateway and a router beyond the fact that a gateway is normally used to provide the sole point of egress (or route) from one network to another, while a router can potentially control more than one route between different networks.
Similarly, by investigating the data packets passing from the network through a gateway or router, it is possible to restrict and control certain types of network traffic, or to re-route certain types of traffic to an alternative location on the network. Studying the network data and applying a set of rules that determine the fate of each packet is the realm of a firewall.
The most concise definition of a firewall (in a networking sense) is a system that is used to control network traffic. A firewall will monitor each network packet that passes through it and, depending on the ruleset that has been configured, will apply a series of rules to that packet. Being able to block, redirect, or otherwise restrict certain types of network traffic from reaching a network is the first stage in securing and protecting that network. It is possible to picture a firewall as a security guard that inspects each visitor to a building to determine whether or not they have authority to be let in.
Normally a network firewall is used as a filter: by reading information from the packets of data it is possible to determine where the data comes from, where it is being sent, and what service is being requested. Any or all of this information can be used to control the types of network traffic that you wish to allow into your private network. The firewall can be configured to accept each individual packet, return it to the originating address, or simply eradicate it completely, and it can operate as a filter on both sides of the system, blocking incoming as well as outbound traffic.
There are two schools of thought on firewall implementation: the first is to “accept everything, and then block that which is undesired”, and the second to “deny everything, and then accept that which is desired”. While the first can afford your network some protection, there is always the chance that something you were not previously aware of can inadvertently get into your network. Taking the second stance means that unless you expressly allow that type of traffic, the only traffic coming into the network will be of a type that you are already aware of, which greatly reduces the risk of a security incident.

The vast majority of firewalls, SmoothWall included, are of the second school of design. These two types of firewall design are like the security guard that either allows you access to the guarded building unless you are on a list of undesirables, or prevents you from entering unless you are already on a list of acceptable people. It is easy to see that the second school of design is inherently more secure.

Example IP networks
To illustrate and clarify the points discussed above it is perhaps useful to discuss a small
number of example networks. To begin with we shall look at a very simple network, and
then move towards slightly more complex situations.
The first example shows a simple closed network of four PCs using one of the private ranges of IP address – the 192.168.1.X network. Each PC has a unique name and IP address, and since all addresses are within the same network address range, each PC is visible to every other PC on the network.
In this environment, with no gateway machine, the network address would be
192.168.1.0, and the broadcast address 192.168.1.255. The basic netmask would be
255.255.255.0.

The hosts table for each PC on this network would look something like this:

Fred      192.168.1.10
Barney    192.168.1.20
Wilma     192.168.1.30
Betty     192.168.1.40

Extending the complexity of this network environment a little, by adding a bridge with two IP addresses, it becomes possible to join this network to a second private network that uses a different range of IP addresses – in this case, the 192.168.2.X network range.

Hence the details of the two networks are as follows:

                    Network A (192.168.1.X)   Network B (192.168.2.X)
Network Address     192.168.1.0               192.168.2.0
Broadcast Address   192.168.1.255             192.168.2.255
Gateway Address     192.168.1.1               192.168.2.1
Netmask             255.255.255.0             255.255.255.0

The hosts file on each system would look something like this:

Bedrock   192.168.1.1
Fred      192.168.1.10
Barney    192.168.1.20
Wilma     192.168.1.30
Betty     192.168.1.40
Looney    192.168.2.1
Bugs      192.168.2.10
Daffy     192.168.2.20
Elmer     192.168.2.30
Porky     192.168.2.40
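
The network and broadcast addresses quoted for these two networks follow from the netmask, and the same comparison is what tells a host whether a destination is on its own segment or must go through Bedrock. The following Python is an added example, not part of the SmoothWall document; the host names and addresses are the page's own, and the functions work for any netmask, not only 255.255.255.0.

```python
# Constructed example, not from the SmoothWall document: derive the network and
# broadcast addresses of the example networks from an address and netmask, and
# make the delivery decision a host on Network A faces. Host names and addresses
# are the page's; the functions work for any netmask, not only 255.255.255.0.

def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer; each part is an eight-bit number."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def network_address(ip: str, mask: str) -> str:
    """Network address: the host bits (where the mask is 0) cleared."""
    return to_dotted(to_int(ip) & to_int(mask))

def broadcast_address(ip: str, mask: str) -> str:
    """Broadcast address: the host bits set to 1."""
    return to_dotted(to_int(ip) | (~to_int(mask) & 0xFFFFFFFF))

def next_hop(src: str, dst: str, mask: str, gateway: str) -> str:
    """Deliver directly when source and destination share a network address,
    otherwise hand the packet to the gateway (Bedrock in the example)."""
    if network_address(src, mask) == network_address(dst, mask):
        return dst
    return gateway

MASK = "255.255.255.0"
GATEWAY_A = "192.168.1.1"   # Bedrock's interface on Network A
HOSTS = {"Fred": "192.168.1.10", "Barney": "192.168.1.20", "Bugs": "192.168.2.10"}

if __name__ == "__main__":
    print("network", network_address(HOSTS["Fred"], MASK),
          "broadcast", broadcast_address(HOSTS["Fred"], MASK))
    print("Fred -> Barney delivered to", next_hop(HOSTS["Fred"], HOSTS["Barney"], MASK, GATEWAY_A))
    print("Fred -> Bugs delivered to", next_hop(HOSTS["Fred"], HOSTS["Bugs"], MASK, GATEWAY_A))
```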

 


The third example network involves the connection of a private network to the Internet through a gateway system, using an IP address on the Internet-facing side of the
gateway that has been supplied by an ISP. 

In this case the network details will be as follows – a network address of 192.168.1.0, a
broadcast address of 192.168.1.255, a netmask of 255.255.255.0, and a gateway
address of 192.168.1.1. The gateway will be configured to pass data packets from the
192.168.1.0 network to the network relating to the address allocated by the ISP.
In this example, the gateway system could be a router, a simple gateway, or a firewall,
but the most likely case is a system that is part of each – a firewalled gateway system
that protects the private network behind it from the Internet outside.
The hosts table for this network would be similar to that of the first example, with the
addition of the following two entries:

Bedrock-int 192.168.1.1
Bedrock-ext ISP assigned address

Translation of real names to IP addresses – hosts and DNS
For a computer system the natural language to communicate in is numerical, and this is why the series of addresses available for IP-based networks are based on the dotted quad format: each part of the quad is a number that can be expressed as an eight-digit binary number. However, the human brain is far better at recalling names than numbers, and so a human-friendly means of referring to networked systems exists. As an analogy, it is possible that you could give out your address as a map grid reference rather than as a house number and street name, but it would then be more difficult to find your house. Since the postal service does not usually operate on grid references, your grid reference would need to be translated back to a house number and street name before any mail could be delivered.
A translation of human-friendly (and hopefully more memorable) names to the appropriate numerical IP addresses can be achieved by means of a file that simply contains nothing more than a list of names and their IP addresses. This file is known as the hosts file, as each networked system can be referred to as a host, since it hosts a variety of network services that you may wish to use.
The structure of this hosts file is very simple: the IP address of the system, followed by a space (or series of spaces), and then the name of the system. More space(s) and any other name (or alias) which refers to the system may also follow this, but this is not necessary. The hosts file is stored in a specific location on each PC so that the system can refer to it when it becomes necessary to translate a name to its numeric address.
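
The following Python parser is an added example, not part of the SmoothWall document: it reads the layout just described (address, whitespace, name, optional aliases) plus the '#' comment lines that real hosts files contain. The sample file content reuses the page's example networks, and the way malformed lines are handled is an assumption.

```python
import re

# Constructed example, not part of the SmoothWall document: a parser for the
# hosts file layout described above (IP address, one or more spaces, a name,
# then optional aliases), plus '#' comments as found in real hosts files.
# The sample content reuses the page's example networks; the handling of
# malformed lines is an assumption.

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

def valid_ip(text: str) -> bool:
    m = DOTTED_QUAD.match(text)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())

def parse_hosts(content: str) -> dict:
    """Build {name: ip} for every name and alias. Names are matched
    case-insensitively, as resolvers do; bad lines are skipped, not fatal."""
    table = {}
    for lineno, raw in enumerate(content.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                  # any run of whitespace separates
        ip, names = fields[0], fields[1:]
        if not valid_ip(ip) or not names:
            print(f"hosts line {lineno}: skipping malformed entry {raw!r}")
            continue
        for name in names:
            table.setdefault(name.lower(), ip)  # first entry for a name wins
    return table

def resolve(table: dict, name: str):
    """Translate a name or alias to its address; None when it is unknown."""
    return table.get(name.lower())

# Constructed sample: both example networks, one alias and one broken line.
SAMPLE_HOSTS = """\
# Network A (192.168.1.X)
192.168.1.1    Bedrock  gateway
192.168.1.10   Fred
192.168.1.20   Barney
# Network B (192.168.2.X)
192.168.2.1    Looney
192.168.2.10   Bugs
192.168.300.1  Broken          # octet out of range, so ignored
"""

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for n in ("Fred", "GATEWAY", "bugs", "Dino"):
        print(f"{n:8} -> {resolve(hosts, n)}")
```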
On a PC running Microsoft Windows 95/98 the file is simply called hosts and can be found in the Windows directory, normally found at C:\Windows. On Windows NT or 2000, the hosts file can instead be found in the C:\WinNT\System32\drivers\etc directory (or the equivalent, if you have Windows installed in a different location). On a Unix-based system the file can be found at /etc/hosts, and on a Macintosh system the hosts file can normally be found in System Folder/Preferences.
So that any new systems on the network can be found by each of the existing nodes, the hosts file on each computer has to remain identical and in sync with the others. As the size and complexity of the network grows, maintaining a hosts file for each and every system on the network becomes a time-consuming and increasingly error-prone task. Fortunately, though, there is a way around this. By maintaining a single central file that all other systems can refer to, any new additions to the network can be accounted for in a single place and you can be assured that any changes or updates to this file will then be available across the network, so that each node becomes aware of the most current and up-to-date network configuration. In order to centralise all the information about your network you will need to operate a DNS (domain name service) server, which serves the purpose of an address book for the network. Again, the scope of this document is not intended to cover the setup and maintenance of a DNS system, but interested readers should look at the section on Further Reading at the end of this document.
A DNS server is considered to be the definitive (and authoritative) source of knowledge for the network that it contains information about. When a host system on the network wishes to find another node’s IP address so that it can send data to it, it will issue a DNS query to the local DNS server. The DNS server then looks up the information and returns the IP address in question to the original host, which can then use this information to connect to the relevant service on the network. When asked by a host system for information about systems on other networks that the DNS server has no definitive source for, the DNS server itself will request this information from a more knowledgeable source that resides upstream from it. This occurs in a similar fashion to routers that forward network packets for remote systems to other upstream routers that are external to the local network to handle. As such, a hierarchical tree-like structure is built up, with individual servers not always having the necessary information immediately to hand, but knowing where to ask to find out.



Dynamic and static addressing
There is another means of allocating addresses to networked systems, which ties in well with DNS. This method is called DHCP, and is a protocol that allows a machine that currently has no IP address assigned to request to borrow (or lease) an IP address from a central system (the DHCP server). The DHCP server maintains a set of IP addresses for this purpose (a short-term loan), analogous to a lending library loaning out books. As with the library, it is necessary to record what has been borrowed, and by which PC, but also to reclaim unused loans. There is nothing to stop a machine from receiving a different address each time it requests one; depending on the size of the pool of available addresses, the chances of getting the same address can vary greatly.
So that a machine can be used and referred to by a human-friendly name, a DHCP server has strong ties to the DNS service. Each system on a network has a unique name, allocated to it upon setting up the network, and the DHCP server records both the unique name and the address that has been leased, in a similar manner to the way in which a DNS server allocates addresses. Note that the addresses recorded by a DNS system do not change without manual intervention and are commonly referred to as static IP addresses, but those allocated by a DHCP server can easily be different from one hour to the next, depending on the length of time that the lease is valid for, and hence are referred to as dynamic IP addresses.
Network address translation
As has been noted above, a system can have more than one IP network address, with each address being associated (or bound) to a specific network interface. Internal private networks are normally given addresses in the ranges specially reserved for these purposes. However, these addresses are not reachable from systems outside the private network with “real” IP addresses, since all intervening routers and gateways are pre-programmed to know that addresses in the private network ranges do not really exist and hence are not valid for use as external addresses.
In order that systems on a private network that use addresses in the reserved ranges
can access systems beyond the network gateway some means of passing data back to
the internal address must be implemented. The means by which this is achieved is a
process called network address translation, or NAT. NAT allows packets originally from a system on the inside of the network that pass through the gateway to the outside world to be re-written by the gateway such that they appear to originate from the gateway system’s externally-facing (and “real”) address instead. When the requested data returns to the gateway machine the packets are re-written once again with the correct information so that the originating internal machine receives the data as if it had passed between the two systems directly.
This seamless translation also adds an additional layer of protection to your private
network, as there is no way from the outside to reach any systems behind the NAT
gateway. Anybody who attempts to determine the addresses of systems in your network
will only come up with the address of the gateway system as the originating IP address,
and if that system has a series of firewalling rules in place there is little that can be
actually attacked.

Ports
Data is passed from the originating system to the destination system by the most appropriate route, depending on the IP address that is contained within the structure of the packet itself. However, once the packet has arrived at the correct destination, how is the data contained within that packet transmitted to the correct application running on the destination system? The answer to this lies in the use of something known as ports.
Each network application or service has its own port that it uses for communication. If
the IP address can be thought of as the postal address of a block of flats, the port is the
correct front door to use for deliveries for a specific flat within that block.
When a network service starts up on a server it attaches (or binds) itself to a specific port and then “listens” out on the network for any incoming requests for that particular
service. Ports number from 0 to 65535, with the first 1024 (0-1023) being reserved (or
restricted) for use by particular services. Ports with a number above 1023 are termed
unrestricted (or unprivileged) ports.
In the same way that IP network packets contain information about the source and
destination IP address, they also contain information about the source and destination
port. The source (or local) port is frequently just an unused unprivileged port on the
system that the packet originated from - an unprivileged port is used to ensure that there
are no conflicts with any services that may be running on this system. The destination
port is the port that the data is aiming for when it connects to the relevant service on the
destination system.
When the remote system receives the data packet it confirms receipt by simply swapping the source and destination IP address and port numbers, so that the destination port of this new packet is the same as the local port on the initial originating system.
In the event that several simultaneous connections to the same service are initiated by the same local system, the differences in the local source port numbers enable the correct data to be passed back from the destination service. The reversal of port numbers ensures that the combination of both source and destination ports remains uniquely identifiable.
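
The two rewrites described under network address translation rely on exactly this swapping of source and destination address/port. The following Python model is an added example, not SmoothWall's code: the gateway allocates an unprivileged external source port per internal connection, the remote service replies by swapping the addresses and ports, and the gateway uses the reply's destination port to restore the internal host. The internal addresses and the Bedrock naming come from the page; the external address is a placeholder.

```python
from dataclasses import dataclass, replace

# Constructed example, not SmoothWall's code: a minimal model of the two
# rewrites described above. Outbound packets leave with the gateway's external
# address as their source and an allocated source port; that port is the key
# used to rewrite the reply back to the internal host. Internal addresses and
# Bedrock naming come from the page; the external address is a placeholder.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatGateway:
    def __init__(self, internal_ip: str, external_ip: str, first_port: int = 1024):
        self.internal_ip, self.external_ip = internal_ip, external_ip
        self.next_port = first_port   # allocate from the unprivileged range
        self.out_map = {}             # (internal src, internal sport) -> external port
        self.in_map = {}              # external port -> (internal src, internal sport)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an internal host's packet so it appears to come from the gateway."""
        key = (p.src, p.sport)
        if key not in self.out_map:   # new connection: allocate a fresh external port
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key], self.in_map[port] = port, key
        return replace(p, src=self.external_ip, sport=self.out_map[key])

    def inbound(self, p: Packet):
        """Rewrite a reply back to the internal host that started the exchange.
        Returns None when no mapping exists: an unsolicited packet from outside
        has no internal destination and is discarded at the gateway."""
        key = self.in_map.get(p.dport)
        if p.dst != self.external_ip or key is None:
            return None
        return replace(p, dst=key[0], dport=key[1])

def reply_to(p: Packet) -> Packet:
    """The remote service answers by swapping source and destination address/port."""
    return Packet(src=p.dst, sport=p.dport, dst=p.src, dport=p.sport)

if __name__ == "__main__":
    gw = NatGateway("192.168.1.1", "198.51.100.7")   # Bedrock-int / Bedrock-ext (placeholder)
    fred = Packet("192.168.1.10", 40001, "203.0.113.80", 80)
    on_wire = gw.outbound(fred)           # src becomes 198.51.100.7:1024
    back = gw.inbound(reply_to(on_wire))  # dst restored to 192.168.1.10:40001
    print(on_wire)
    print(back)
    print(gw.inbound(Packet("203.0.113.99", 5555, "198.51.100.7", 22)))  # None
```

Because Fred and Barney may both choose the same local source port, the gateway keys the connection on the internal address and port together and hands each its own external port, which is what keeps the replies distinguishable.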
Since a specific service runs on a known port it therefore becomes possible to connect a “dummy” port forwarding service to a given port, and then redirect the traffic that is sent to that address and port combination to an alternative address/port combination. It is also possible to run an alternative service and then redirect network traffic as appropriate; such a system is known either as a proxy or a port forwarder, depending on exactly what happens to the traffic. By seamlessly redirecting traffic from one address/port to another it is possible not only to centralise services, but also to provide additional security.