
Computer Networks

Chapter 18

Internet Architecture

11/1/2003

Learning Objectives

This lesson explains the Internet architecture. At the end of the lesson, the students should be able to:

Identify the services to be offered.

Develop communications architecture.

Design a demilitarized zone.

Explain Network Address Translation.

Explain partner networks.

Estimated Time for Module: 3 hours

This lesson explains the various services offered by organizations. It explains how to develop a communications architecture and design a demilitarized zone. It also explains Network Address Translation and partner networks.

Preparing for Class

Before taking this lesson, ensure that the students are familiar with the concepts covered in the previous lessons. This lesson should preferably be conducted in a computer lab with access to the Internet.

Prerequisites for Class

Ensure that the students:

Have read Lesson 17.

Have a basic knowledge of the Internet.

Class Preparation Notes

This lesson does not require any extra material. However, a viewing projector will be required for the PowerPoint slides for this lesson.

General Teaching Tips

Certain concepts, like architectures, are best explained using diagrams. Every topic in this lesson is important. Enough time should be budgeted to explain all the concepts.

Key terms

Demilitarized zone (DMZ)

Domain Name Service (DNS)

dual-firewall architecture

dynamic NAT

Internet Control Message Protocol (ICMP)

list server

Network Address Translation (NAT)

Network Time Protocol (NTP)

partner networks

point of presence (POP)

private class addresses

redundant circuit

static NAT

Lecture Outline

I. Identifying Services Offered by an Organization

A. Mail

1. Mail services, if available, are offered to internal employees.

2. This service requires at least one mail server to be established to receive inbound mail.

3. If higher availability is required, at least two mail servers are required.

4. An organization may also choose to establish public relays for e-mails and discussions.

5. Such systems are called list servers.

6. List servers can exist on the same machine as the organization's primary mail systems.

B. Encrypted E-mail

1. Generally, e-mails do not carry sensitive information.

2. It is better to encrypt the content of the e-mail to protect information.

Discussion Point

Discuss the types of available services to encrypt e-mails.

C. Web

1. A Web server must be established by an organization to publish information to customers or partners over the Web.

2. The Web server can be hosted at another location or internally.

3. Content on the Web server can be static or dynamic.

4. Access to the Web server can be public or restricted through an authentication mechanism.

5. If some content on the site is restricted, HTTPS is to be used.

a) HTTPS is the encrypted version of HTTP.

b) It is used for Web pages that contain sensitive information or require authentication.

6. The organization may use a File Transfer Protocol (FTP) server as part of the Web server.

D. Internal access to the Internet

1. The level of Internet usage will impact the amount of traffic.

Discussion Point

Discuss the set of services that employees are allowed to use.

E. External access to internal systems

1. Includes employee or non-employee access.

2. An employee may access internal systems remotely using virtual private networks (VPNs), dial-up lines, or a leased line.

3. Non-employee access can be accomplished using VPNs, dial-up lines, or a leased line, or by direct, encrypted access.

F. Control Services

1. Domain Name Service (DNS)

a) Resolves system names into IP addresses.

b) If the organization hosts its own external DNS, that system should be separate from the internal DNS.

c) A split DNS is one where internal systems are not included in the external DNS.

2. Internet Control Message Protocol (ICMP)

a) A control service that helps the network to function.

b) Provides services such as ping and messages such as network unreachable, host unreachable, and packet time to live expired.

3. Network Time Protocol (NTP)

a) Synchronizes time between systems.

b) If this service is chosen, one system should be the primary local time source.

G. Services not to be offered

Teaching Tip

To explain what services are not offered by the organization, refer to the table on page 6.

II. Communications Architecture

Discussion Point

Discuss the primary issues when developing a communications architecture.

A. Single-line access

1. The ISP supplies a single communications line of appropriate bandwidth to the organization.

2. The local loop is the actual wire or fiber that connects the organization's facility with the phone company's central office (CO).

3. The link to the ISP will actually terminate at the nearest point of presence (POP).

4. The local loop connection requires the line to go through the closest CO.

5. From the POP, the link goes through the ISP network to the Internet.

Discussion Point

Discuss the various points where an equipment failure will cause an outage.

B. Multiple-line access to a single ISP

1. Is also known as a shadow link or redundant circuit.

2. Single-POP access

a) An ISP can provide fail-over access by setting up a redundant circuit to the same POP.

b) The redundant circuit may include a redundant router and a Channel Service Unit (CSU), or a single router may be used.

c) A benefit of this architecture is the low cost of the redundant circuit.

3. Multiple-POP access

a) The second connection can be a redundant connection or it can run continuously.

b) The ISP should run the Border Gateway Protocol (BGP).

c) BGP is the routing protocol for this architecture.

d) This type of architecture has two points of failure, at the local loop and the CO.

e) These failures can be overcome by using two local loop connections.

C. Multiple-line access to multiple ISPs

Teaching Tip

Multiple-line access to multiple ISPs can reduce the risk of loss of service. Explain this with the help of Figure 18-5 on page 12.

1. Choice of ISPs

a) It is complex to establish an architecture that uses two different ISPs.

b) Knowledge of BGP and knowledge and experience of the ISPs that are used is essential.

c) The physical routing of the connections will impact the choice of ISPs.

2. Addressing

a) When working with multiple ISPs, the issue of addressing must be resolved.

b) Normally, when working with a single ISP, the ISP assigns an address space to the organization.

c) When multiple ISPs are used, the addresses to be used should be determined.

d) Routing takes place from one ISP, and the other ISP must agree to advertise a route to address space that belongs to the first ISP.

e) Another option for the organization is to buy its own set of addresses.

f) The final option is to use addresses from both ISPs.

III. Demilitarized Zone (DMZ)

A. A portion of the network that is not trusted.

B. The zone is normally delineated with network access controls such as firewalls or heavily filtered routers.

C. Any system that can be directly contacted by an external user should be placed in the DMZ.

D. DMZ systems must be restricted from accessing external systems.

E. Systems to be placed in the DMZ are:

1. Mail

2. Web

3. Externally accessible systems

4. Control systems

Discussion Point

Discuss the various systems to be placed in the DMZ with the help of Figure 18-8.

F. Appropriate DMZ architecture

1. Router and firewall

a) The router is connected to the link from the ISP and to the internal network.

b) The firewall controls access to the internal network.

c) These systems can be easily attacked as they are placed on the external network.

Teaching Tip

Refer to Figure 18-9 to explain the router and firewall architecture.

2. Single firewall

a) All traffic is forced through the firewall.

b) The firewall provides a log that shows the traffic that is allowed and denied.

c) The firewall is a single point of failure and a potential bottleneck for traffic.

3. Dual firewalls

a) Separates the DMZ from the external and internal networks.

b) Firewall 1 is configured to allow DMZ and internal traffic.

c) Firewall 2 is configured to allow outbound traffic to the Internet.
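The DMZ rules above (externally reachable systems live in the DMZ, the DMZ never initiates connections inward, and only selected outbound services leave it) can be expressed as a first-match, default-deny policy and checked against sample connection attempts. This is an added illustration, not code from the chapter; the zone address ranges, port lists and `policy_violations` check are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for the dual-firewall design. The DMZ and
# internal ranges are private (RFC 1918) space; anything else is external.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(addr: str) -> str:
    """Classify an address into dmz, internal, or external."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

@dataclass(frozen=True)
class Rule:
    src: str           # source zone
    dst: str           # destination zone
    ports: frozenset   # allowed destination ports; empty set means any port
    action: str        # "allow" or "deny"

# First-match policy (assumed for the example); unmatched traffic is denied.
POLICY = [
    Rule("external", "dmz", frozenset({25, 53, 80, 443}), "allow"),  # mail, DNS, web
    Rule("dmz", "internal", frozenset(), "deny"),           # DMZ never initiates inward
    Rule("dmz", "external", frozenset({25, 53}), "allow"),  # outbound mail and DNS only
    Rule("internal", "dmz", frozenset(), "allow"),          # employees reach DMZ services
    Rule("internal", "external", frozenset({80, 443}), "allow"),  # Web browsing
    Rule("external", "internal", frozenset(), "deny"),      # nothing from outside reaches inside
]

def evaluate(src_ip: str, dst_ip: str, dport: int, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for a new connection from src_ip to dst_ip:dport."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.src == src and rule.dst == dst and (not rule.ports or dport in rule.ports):
            return rule.action
    return "deny"  # default deny: the firewall allows only what is listed

def policy_violations(policy) -> list:
    """Flag allow rules that let a non-internal zone initiate into the internal network."""
    return [r for r in policy if r.action == "allow" and r.dst == "internal" and r.src != "internal"]
```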

IV. Network Address Translation (NAT)

A. Translates one or more addresses into other addresses.

B. In most networks, firewalls and routers perform the NAT function.

C. Private Class Addresses

1. A Request for Comments (RFC) specifies addresses for internal networks, known as private class addresses.

Discussion Point

Discuss the addresses that are specified as private class addresses by the RFC.

2. None of the private class addresses are routable on the Internet.

D. Static NAT

1. Allows systems to be accessed from the Internet.

2. Maps a single real address from the organization's external network to a system on the DMZ.

E. Dynamic NAT

1. Maps many internal addresses to a single real address.

2. Typically, the real address used is the address of the firewall.

3. Dynamic NAT is useful for desktop clients who use the Dynamic Host Configuration Protocol (DHCP).

Teaching Tip

Refer to Figure 18-13 to explain dynamic NAT.

V. Partner Networks

A. Use of partner networks

1. Partner networks are generally established to exchange data or files between organizations.

B. Setup

1. The services necessary for the connection are identified.

2. The systems providing these services are placed in a DMZ.

C. Addressing issues

1. Addressing is an issue when dealing with partner networks.

2. Most organizations use private class addresses for internal networks.

3. This may lead to a partner using the same addresses as the organization.

4. It is good practice to use NAT when connecting to partner networks.

Teaching Tip

Refer to Table 18-1 to list some rules for an Internet firewall with partner network access.

Project

List the steps involved in designing a partner network.

Project Solution

Step 1. Identify the use of a partner network.

Step 2. Identify the risks involved if the organizations are connected.

Step 3. Identify the necessary services for the connection.

Step 4. Resolve addressing issues.

Step 5. Define a translation policy.
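The NAT material in section IV and the partner addressing problem in section V.C can be worked through with a small model: a private-address check (the RFC the outline refers to is RFC 1918), a static one-to-one entry that makes a DMZ host reachable from the Internet, a dynamic many-to-one table keyed by source port, and an overlap test for two organizations that both use private space. This is an added example, not the chapter's own material; the addresses, the ephemeral port range and the class layout are assumptions.

```python
import ipaddress
from itertools import count

# RFC 1918 private ranges; none of these is routable on the Internet.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_class(addr: str) -> bool:
    """True if addr is a private class address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)

class NAT:
    """Minimal NAT table with static (one-to-one) and dynamic (many-to-one) entries."""

    def __init__(self, firewall_addr: str, static=None):
        self.firewall_addr = firewall_addr   # real address shared by dynamic NAT
        self.static = dict(static or {})     # internal address -> real address
        self.dynamic = {}                    # (internal address, port) -> translated port
        self._ports = count(40000)           # constructed translated-port range

    def outbound(self, src: str, sport: int):
        """Translate an internal source as it leaves; returns (real_addr, real_port)."""
        if src in self.static:
            return self.static[src], sport   # static NAT keeps the port unchanged
        if not is_private_class(src):
            return src, sport                # already a real address, nothing to translate
        key = (src, sport)
        if key not in self.dynamic:          # new flow: allocate a translated port
            self.dynamic[key] = next(self._ports)
        return self.firewall_addr, self.dynamic[key]

    def inbound(self, real_addr: str, real_port: int):
        """Reverse lookup; returns (internal_addr, port) or None if nothing matches."""
        for internal, real in self.static.items():
            if real == real_addr:            # static entries are reachable from outside
                return internal, real_port
        if real_addr == self.firewall_addr:  # dynamic entries only match existing flows
            for (internal, sport), port in self.dynamic.items():
                if port == real_port:
                    return internal, sport
        return None                          # unsolicited inbound traffic is dropped

def partner_overlap(local_net: str, partner_net: str) -> bool:
    """True when the two organizations' private ranges overlap, so NAT is needed."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(partner_net))
```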

Chapter Review

While designing Internet architecture, decide what services are to be offered.

Encryption is used to protect sensitive information in transit.

The DNS, ICMP, and NTP services make network operations easier to manage.

Throughput and availability are the primary concerns for establishing an Internet connection.

Single-line access has several points of failure such as router failure, CSU failure, a cut local loop, damage to the telephone company's CO, and POP failure at the ISP.

One way to overcome single-access problems is to have multiple-line access or two lines to the ISP.

Many ISPs can provide a second POP for fail-over capability.

DMZ is a semi-secure, not fully trusted zone outside of the trusted network.

Web servers that are publicly accessible must be placed in the DMZ.

External DNS servers should be placed in the DMZ, and the organization's ISP can provide alternate DNS services.

The most common DMZ architectures are router and firewall, single firewall, and dual firewalls.

The single-firewall architecture is a single point of failure unless there is a fail-over configuration.

The dual-firewall architecture increases costs due to the additional hardware and support for configuration and maintenance.

Network addressing issues will arise when an organization plans to install a firewall.

Static NAT and dynamic NAT are the two types of NAT which allow you to map internal addresses.

Partner networks are generally established to exchange data between organizations.

Rules must be added to firewalls to allow systems at the partner organization to communicate with internal systems.

Assessment Quiz

The following quiz will help you gauge the level of understanding of your students.

Questions

1.What is the use of a virtual private network?

2.What is generally used to synchronize time between various systems?

3.How many DNS servers are recommended for use? Why?

4.What are the two types of NAT?

5.What is the BGP used for?

6.Fill in the blank: The ____________________ provides messages such as packet time to live expired.

7.Fill in the blank: Information in transit can be protected by ____________________ technologies.

8.Fill in the blank: The most common Internet architecture is ____________________.

9.Fill in the blank: ____________________ is also known as a shadow link or redundant circuit.

10.Fill in the blank: It is good practice to use ____________________ when connecting to partner networks.

11.True or false? The DMZ is a semi-secure portion of the network.

12.True or false? Clients who use the Dynamic Host Configuration Protocol (DHCP) cannot use static NAT.

13.True or false? The SNMP service must be provided to employees.

14.True or false? The dual-firewall architecture reduces cost.

15.True or false? Partner networks help exchange data between organizations.

Answers

1.A virtual private network allows external access to internal systems from remote locations.

2.Network Time Protocol is generally used to synchronize time between various systems.

3.Two DNS servers are recommended. One internally provides services to the employees and one in the DMZ provides services to users on the Internet.

4.The two types of NAT are static and dynamic.

5.BGP is a routing protocol that is used to specify routes between entities with dual connections.

6.The ICMP provides messages such as packet time to live expired.

7.Information in transit can be protected by encryption technologies.

8.The most common Internet architecture is single-line access.

9.Multiple-line access to a single ISP is also known as a shadow link or redundant circuit.

10.It is good practice to use NAT when connecting to partner networks.

11.True. The DMZ is a semi-secure portion of the network.

12.True. Clients who use the Dynamic Host Configuration Protocol (DHCP) cannot use static NAT.

13.False. The SNMP service must not be provided to employees.

14.False. The dual-firewall architecture increases cost because of additional hardware and support for configuration and maintenance.

15.True. Partner networks help exchange data between organizations.