“Fundamentals of IP Networking 2017 Webinar Series”

Part 4 – Building a Segmented IP Network Focused On Performance & Security

Wayne M. Pecena, CPBE, CBNE

Texas A&M University – Educational Broadcast Services – KAMU Public Broadcasting




Advertised Presentation Scope

Part 1 - Introduction to IP Networking Standards & the Physical Layer

Part 2 - Ethernet Switching Fundamentals and Implementation

Part 3 - IP Routing and Internetworking Fundamentals

Part 4 - Building a Segmented IP Network Focused On Performance & Security - July 25

Part 5 - Cybersecurity Fundamentals & Securing the Network - August 29


Part 4 will bring the conceptual aspects of the previous webinars together to understand how to design and implement a segmented network infrastructure built for performance and security. Best practice approaches will be presented to ensure network performance and security. Specific topics will include developing an IP addressing plan, segmentation techniques, and Access Control List (ACL) implementation.


Today’s Outline:

• Takeaway Review From Webinar 3

• Brief Overview of Layer 4 and above

• Network Design Considerations

• Segmented Network Design

• IP Addressing Plan

• Access Control Lists (ACL)

• Takeaways, References, Questions, and Maybe Some Answers


Takeaway Points – Layer 3

• The Network Layer – Focus Upon Packet Delivery to a Network

– IP Routing Protocol

– IP Address Contains Network Address

• IP Routing Protocols

– Internal

– External

– Best Protocol = Best Fit for Your Network Environment

• IP Addressing Rules Must Be Obeyed:

– Each Network MUST Have a Unique Network ID

– Each Host MUST Have a Unique Host ID

– Every IP Address MUST Have a Subnet Mask

– An IP Address Must Be Unique Globally If Host on the Public Internet

– The First & Last IP Address of a Network is Not Useable!

• VLSM Widely Used Today – Subnet Mask Explicitly Stated (CIDR notation)

• “Public” IPv4 Address Space is Limited

• IPv6 Provides Expanded Address Space + IP Re-Engineering

• IPv6 is NOT Backward Compatible With IPv4 (but Migration Friendly)

• Future - IPv6: A Must to Add Hosts to the Internet – Restores the Host-to-Host Communications That IP is Based Upon


BRIEF OVERVIEW OF LAYER 4 AND ABOVE


TCP Basics – Transmission Control Protocol

RFC 675 and later v4 in RFC 793

• “Connection-Oriented” Protocol

– Connection Establishment

– Segmentation & Sequencing

– Acknowledgement

– Flow Control or Windowing

• Guaranteed Or Reliable Data Delivery

– Acknowledgment of Packet Receipt

– Retransmission Occurs if Packet Not Received

• High Overhead

• Requires Establishment of a “Session”

• TCP Windowing Feature

– Dynamic Window Sizing

– “Slow-Start”


TCP 3-Way Handshake

[Figure: TCP 3-Way Handshake between Host 1 and Host 2 – SYN, SYN + ACK, ACK]

Host 1 Initiates Connection to Host 2:

• Host 1 Sends Synchronize Message (SYN) to Host 2

• Host 2 Responds With Acknowledgement Plus Sends Its Own Synchronization Message (SYN + ACK) to Host 1

• Host 1 Completes the 3-Way Handshake By Sending Acknowledgement (ACK) to Host 2


The TCP Session Summary

[Figure: The TCP session over time – connection open, data transfer, connection close]

• Open: SYN (SYN Sent) → SYN + ACK (Listen, then SYN Received) → ACK (Connection Established on both hosts)

• Data Transfer: Data Segment 1, Data Segment 2, Data Segment 3, each answered with an ACK

• Close: FIN → ACK → FIN → ACK (FIN Wait 1 and FIN Wait 2 on the closing host; CLOSE Wait and Last ACK on the other; Connection Closed on both)


UDP Basics – User Datagram Protocol

RFC 768

• “Connectionless” Protocol

• Simple or Lightweight, but Inherently Unreliable

• “Best Effort” Data Delivery

• Low Overhead, Thus Low Latency

• Why Use?

– Required for Real-Time Applications:

• VOIP or “Video Over IP” or “Voice Over IP”

• AOIP or “Audio Over IP”

– Latency More Detrimental Than Data Loss


UDP Session

[Figure: UDP session over time – TCP (SYN, SYN + ACK, ACK) Used to Establish the UDP Session, then a stream of UDP Data datagrams with no acknowledgements]

Page 11: “Fundamentals of IP Networking 2017 Webinar Series” · “Fundamentals of IP Networking 2017 Webinar Series” Part 4 Building a Segmented IP Network Focused On Performance &

TCP vs UDP

TCP

• Connection Oriented

• Guaranteed Delivery

• Acknowledgments Sent

• Reliable, But Higher Latency

• Segments & Sequences Data

• Resends Dropped Segments

• Provides Flow Control

• Performs CRC

• Uses Port Numbers for Multiplexing

UDP

• Connectionless

• Not Guaranteed

• No Acknowledgements

• Unreliable, But Low Latency

• No Sequencing

• No Retransmission

• No Flow Control

• Performs CRC

• Uses Port Numbers for Multiplexing


TCP and UDP Headers


RTP – Real Time Protocol – RFC 3550

• UDP Based Real-time Streaming Media Delivery

• RTP Provides:

– Packet Sequencing

– Timestamping

– Payload Type

• RTP Stream Overview (encapsulated in UDP segments):

– RTP Data Transfer (time stamped)

– RTCP QoS Feedback (receiver to sender)

[Figure: RTP encapsulation – Ethernet Header (Frame – Layer 2) | IP Header (Packet – Layer 3) | UDP Header (Segment – Layer 4) | RTP Header + RTP Payload (Layer 5)]


A Few Words About Port Numbers – RFC 6335

• Applications Are Indexed by a “Port Number”

• Allows Differentiation of Multiple Applications

• Port Numbers Can Be Between 0 – 65,535

– 0 – 1,023 Are Considered “Reserved or System Ports”

– 1,024 – 49,151 “User Ports” Can Be Registered

– 49,152 – 65,535 Are Considered Dynamic or Private

• 65,535 TCP and 65,535 UDP Port Numbers

Reserved & Registered Port Numbers: http://www.iana.org/assignments/port-numbers

Examples:

“Well Known” System Port Numbers

Port 20 / 21 – FTP “File Transfer Protocol”

Port 23 – TELNET

Port 53 – DNS “Domain Name Service”

Port 80 – HTTP

Port 110 – POP3 “Post Office Protocol”

Port 123 – NTP “Network Time Protocol”

Port 161 – SNMP “Simple Network Management Protocol” (UDP)

Port 443 - HTTPS


Sockets

• A “Socket” Is a Combination of an IP Address & A Port Number

• Allows Multiple Network Services to Exist on the Same Host (IP Address)

• IP Address + Port Number = Socket

IP Address: 192.168.100.10

Port Number: 8080

Yields Socket: 192.168.100.10:8080

[Figure: a User PC (192.168.100.002) running a Mail Client, Web Browser and Stream Media Player, talking over TCP/UDP to a Server (192.168.100.100) running an SMTP Server, HTTP Server and Stream Media Server]

Sockets in use:

192.168.100.100 TCP 25 - 192.168.100.002 TCP 1245

192.168.100.100 TCP 80 - 192.168.100.002 TCP 1328

192.168.100.100 UDP 1755 - 192.168.100.002 UDP 1873


NETWORK DESIGN CONSIDERATIONS


The Building Blocks: Hubs, Switches, & Routers

• Hub

– Layer 1 Device

– Acts as a Repeater - All Incoming Frames FWD Out Every Other Port

– Half-Duplex Based – CSMA/CD Algorithm Controlled

– No Intelligence – Collision & Broadcast Domain Across All Ports

• Switch

– Layer 2 Device – Originally Called “Forwarding” - Then “Bridging” - Now Called “Switching”

– Full Duplex Based

– Intelligence Based – Selectively Forwards Frame to a Port

– Each Port is a Collision Domain (assuming one device per port)

– Each Switch is Within a Broadcast Domain

• Router

– Layer 3 Device

– Forwards Packets Between Different Networks

– Creates Broadcast Domains

– Each Interface is a Broadcast Domain


The Flat Network – “Legacy Network Architecture”

[Figure: one network, 192.168.1.0, with hosts .1 through .12 on a single switch]

A Single Broadcast Domain

Common Addressed Subnet

Challenges: Manageability, Security, Scalability, Reliability


The Hierarchical Network

[Figure: 192.168.1.0 divided into three subnets – 192.168.1.0 /26, 192.168.1.64 /26, 192.168.1.128 /26]

Organize By: Geographic, Policy / Regulation, Security, Performance


Network Design Considerations

• Understand “Your” Environment – Each Network is Different!

• IP Addressing Considerations

• VLAN Configuration

• Routing Protocol Selection

• Network Service(s) Selection (DNS, DHCP, etc)

• Security Aspects

• Access, Management, Documentation, & Monitoring

• Physical Layer Scheme

• Hardware (Switch & Router) Selection


Network Architecture Considerations

[Figure: “Classic” Layered Approach – Core or Backbone, Distribution, Access; Layer 3 at the top of the hierarchy, Layer 2 at the access layer]


Ethernet Switch Considerations

• Network Role & Location

– Self-Contained

– “Stackable”

– Modular (chassis + cards)

• Interface Requirements – Capabilities - Range

• Interface Density

• Layer 3 Capability?

• Processor/Memory/MAC Addresses Supported/Multicast IGMP

• Backplane Fabric Throughput / Forwarding Rate (Gbps)

• Redundancy (power, processor, interfaces)

• PoE Requirements / Switch Capacity: (48 VDC nominal)

– 802.3af (15w) “Class 3”

– 802.3at (25w) “PoE+”


Router Considerations

• Network Role & Location

– Self-Contained

– Modular (chassis + cards)

• Interface Requirements – Capabilities (LAN/WAN)

• Processor/Memory/Route Capacity

• Fabric/Backplane Throughput (packets per second “PPS”)

• Redundancy (power, processor, interfaces)

• Required Feature Set:

– Security / IDS

– QoS

– MPLS

– VOIP

– NetFlow


SEGMENTED NETWORK DESIGN


Logical Networks

[Figure: three physical areas – Engineering Rack Room, Production Island, Administrative Suites – mapped to three logical networks: Engineering VLAN, Production VLAN, Administration VLAN]


[Figure: physical topology – Cisco 1841 Router (CAT5 TP to the ISP), Cisco 3750G Switch, two Cisco 2960G Switches and an HP ProCurve 2530 Switch, interconnected over MM Fiber and CAT5 TP]


The “Ennes” Network Architecture for KSBE

[Figure: Internet – Ennes Router (Cisco 1841) – EngRack Switch (Cisco C3750G), which in turn connects the Prod Switch (Cisco C2960G) and the Admin Switch (Cisco C2960G)]

VLAN Configuration:

100 - Administration

200 - Production

300 - Engineering

400 - NetMgmt

DHCP

Enabled VLANs on each switch (from the figure):

EngRack Switch: 100 – Administration (2 hosts), 200 – Production (8 hosts), 300 – Engineering (12 hosts), 400 – NetMgmt (1 host)

Prod Switch: 200 – Production (4 hosts), 300 – Engineering (2 hosts), 400 - NetMgmt

Admin Switch: 100 – Administration (6 hosts), 400 - NetMgmt


“EngRack” Switch to “Ennes” Router Interface

[Figure: 802.1Q Trunk Link between the EngRack switch “Trunk” interface Gi1/0/1 and the Ennes router interface Fa0/1; the router carries each VLAN on a “Sub-Interface”: Fa0/1.1 – VLAN 100, Fa0/1.2 – VLAN 200, Fa0/1.3 – VLAN 300, Fa0/1.4 – VLAN 400]


What is Wrong With This Design?

[Figure: Cisco 1841 Router (CAT5 TP to the ISP), Cisco 3750G Switch and two Cisco 2960G Switches; the switch-to-switch links are MM Fiber (GigE), the router-to-switch link is CAT5 TP (100 Mbps)]

Why a 100 Mbps Link Here?


Let’s Fix It!

[Figure: the same topology with the CAT5 TP router-to-switch link replaced by MM Fiber; the CAT5 TP link to the ISP remains]

Then Re-Configure Ports: Switch & Router


Another Approach!

[Figure: the Cisco 1841 Router is removed; the Cisco 3750G Switch takes the CAT5 TP ISP link directly and connects the two Cisco 2960G Switches over MM Fiber]

“Use a Layer 3 Switch”


IP ADDRESSING PLAN


IP Addressing Considerations

• IP Address Planning (range)

– Current Needs

– Scalability

– Organize Subnets (Hierarchical)

• IP Address Host Allocation

– Public vs Private (RFC 1918)

– Static vs Dynamic Policy

– Assignment Documentation (IPAM sys)

• What About IPv6?

– Implementation Factors

– Migration Plan


Network Address Translation – NAT – RFC 3022

• Types of NAT:

– Static – One-to-One Translation

– Dynamic – Pool of Public Addresses Made Available to Outbound Client Traffic

– NAT Overloading or Port Address Translation (PAT) – Translates to a Single Public IP by Use of a Unique Port Number

• NAT Addressing Terminology:

– Inside Local or Inside Private

– Inside Global or Inside Public

– Outside Global or Outside Public

– Outside Local or Outside Private

[Figure: Inside Network (private) – Gateway Router w/ NAT Services – Outside Network; address roles Inside Local, Inside Global, Outside Local, Outside Global]

In General: Inside Addresses Are Local, Global Addresses Are Public


Static NAT

[Figure: Static NAT – Private Network Space 10.0.0.0/24 (hosts 10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) – Gateway Router w/ NAT Services – Public Network Space 128.194.247.0 /24]

One-to-one mappings:

10.0.0.2 mapped to 128.194.247.2

10.0.0.3 mapped to 128.194.247.3

10.0.0.4 mapped to 128.194.247.4

(and in the reverse direction: 128.194.247.2 mapped to 10.0.0.2, 128.194.247.3 mapped to 10.0.0.3, 128.194.247.4 mapped to 10.0.0.4)

Simple Layer 3 Packet (Source IP | Destination IP | Payload), outbound to the outside host 128.194.300.2 /24:

10.0.0.2 | 128.194.300.2 | Payload → 128.194.247.2 | 128.194.300.2 | Payload (Source IP Address Changed by NAT)

Reply, inbound:

128.194.300.2 | 128.194.247.2 | Payload → 128.194.300.2 | 10.0.0.2 | Payload (Destination IP Address Changed by NAT)


Dynamic NAT

[Figure: Dynamic NAT – Private Network Space (10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) – Gateway Router w/ NAT Services – Public Network Space, with a Pool Of AVAILABLE Public IP Addresses]

NAT Table: 10.0.0.2 → 128.194.247.10

IP Address Chosen from Pool of Public IP Addresses: 128.194.247.2 – 128.194.247.14

Dynamic Entry Remains if Traffic Flows (timeout)

Common to Have More Private Hosts Than Public IP Address Space


NAT Overloading or PAT – Port Address Translation

Single Address NAT / Port-Level Multiplexed NAT

[Figure: PAT – Private Network Space (10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) – Gateway Router w/ NAT Services – Public Network Space, single public address 128.194.247.10]

NAT Table (Inside Local → Inside Global; the packet’s Source Address & Port is translated, the Destination Address & Port is left unchanged):

10.0.0.2:1024 → 128.194.247.10:1024

10.0.0.3:1026 → 128.194.247.10:1026

10.0.0.4:1028 → 128.194.247.10:1028


NAT Drawbacks!

• Accountability Limited Globally

– Multiple Internal Hosts Share Global IP Address

• Breaks IP Concept of End-End Connectivity

• Complicates Process of Allowing a Global IP Host to Establish Session With an Internal Host
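The PAT table above and the drawback on this slide, as an added Python example (not code from the webinar): a small model of the gateway router’s NAT table. The inside sockets and the outside host 198.51.100.7 are constructed sample values.

```python
"""NAT overloading (PAT) table, modelled in Python (added example, not webinar code).

Simulates the gateway router's NAT table from the PAT slide (inside local
10.0.0.x:port -> inside global 128.194.247.10:port) and the drawback noted
above: an outside host cannot open a session to an inside host because no
table entry exists for it. All packets are constructed sample data; the
outside address uses the 198.51.100.0/24 documentation range.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    """Single-public-address NAT: all inside hosts share `public_ip` and are
    told apart only by the translated (inside global) source port."""

    def __init__(self, public_ip, inside_net="10.0.0.0/24"):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.out_table = {}   # (proto, inside ip, inside port) -> global port
        self.in_table = {}    # (proto, global port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Inside -> outside: rewrite source address/port, creating a table
        entry the first time this inside socket is seen."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return None  # not from the inside network: nothing to translate
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            # Keep the inside port when it is free (as in the slide's table);
            # on a collision take the next free global port.
            gport = pkt.src_port
            while (pkt.proto, gport) in self.in_table:
                gport += 1
                if gport > 65535:
                    raise RuntimeError("PAT port space exhausted")
            self.out_table[key] = gport
            self.in_table[(pkt.proto, gport)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.out_table[key],
                      pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside: translate the destination back only when an
        inside host opened the session; otherwise drop (return None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.in_table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited: no inside host is reachable this way
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)


if __name__ == "__main__":
    gw = PatGateway("128.194.247.10")
    for host, port in (("10.0.0.2", 1024), ("10.0.0.3", 1026), ("10.0.0.4", 1028)):
        out = gw.outbound(Packet("tcp", host, port, "198.51.100.7", 80))
        print(f"{host}:{port} -> {out.src_ip}:{out.src_port}")
    print("unsolicited inbound:",
          gw.inbound(Packet("tcp", "198.51.100.7", 80, "128.194.247.10", 4444)))
```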


The “Ennes” Network Architecture for KSBE

[Figure: same topology, VLAN configuration and per-switch VLAN host counts as the “Ennes” architecture figure above]

Network          # Hosts   Hosts (Consider Growth – 20%)

Administration    8        10

Production       12        15

Engineering      14        17

NetMgmt           4         5

Columns left blank on this slide: Subnet Size, Mask, Subnet Address, Broadcast, 1st IP Address, Last IP Address


IP Address Block Size – Based Upon 2^n

2^n: 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 (LSB)


IP Addressing Plan

Base Network: 192.168.100.0 /25

Use a “VLSM” Subnet Calculator:

http://subnettingpractice.com/vlsm.html

Subnet Size: Administration 16, Production 32, Engineering 32, NetMgmt 8


The “Ennes” Network Architecture for KSBE

[Figure: same topology as the “Ennes” architecture figure above, now with IP addressing]

VLAN IP Address Configuration:

VLAN:                  Network:         Mask:             Default Gateway:

100 – Administration   192.168.100.64   255.255.255.240   192.168.100.65

200 – Production       192.168.100.32   255.255.255.224   192.168.100.33

300 – Engineering      192.168.100.0    255.255.255.224   192.168.100.1

400 - NetMgmt          192.168.100.80   255.255.255.248   192.168.100.81

DHCP

Enabled VLANs on each switch: as in the figure above (EngRack Switch: 100, 200, 300, 400; Prod Switch: 200, 300, 400; Admin Switch: 100, 400)

Management addresses (one per device – Cisco 1841, Cisco C3750G, two Cisco C2960G): 192.168.100.82, 192.168.100.83, 192.168.100.84, 192.168.100.85

Trunk links: Ennes Router Fa0/1 ↔ EngRack Switch Gi1/0/1 – Trunk - VLAN(s): 100,200,300,400; EngRack Switch Gi1/0/27 and Gi1/0/28 ↔ Gi0/7 on the Prod Switch (Trunk - VLAN(s): 200,300,400) and on the Admin Switch (Trunk - VLAN(s): 100,400); Ennes Router Fa0/0 toward the Internet
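The addressing plan for the “Ennes” network, worked as an added Python example (not from the webinar): it takes the slide’s host counts, applies the 20% growth allowance, rounds each VLAN up to a 2^n block and allocates the blocks from 192.168.100.0 /25 largest-first, reproducing the VLAN table above. The gateway-is-first-usable-address convention and the largest-first ordering are assumptions taken from the slides.

```python
"""VLSM planner for the Ennes/KSBE addressing plan (added example, not webinar code).

Reproduces the four-VLAN plan carved from base network 192.168.100.0 /25 with
Python's standard ipaddress module. Host counts and the 20% growth allowance are
the slide's figures (constructed input below); every address is computed.
"""
import ipaddress
import math

# Constructed input from the slide: VLAN -> hosts today.
VLAN_HOSTS = {
    "100 - Administration": 8,
    "200 - Production": 12,
    "300 - Engineering": 14,
    "400 - NetMgmt": 4,
}
GROWTH = 0.20  # the slide plans for 20% growth


def usable_hosts(prefix):
    """2^n addresses in the block minus the network and broadcast addresses."""
    return 2 ** (32 - prefix) - 2


def block_size(hosts, growth=GROWTH):
    """Smallest power-of-two block holding hosts (+growth) plus the two unusable
    addresses, i.e. the slide's 10/15/17/5 -> 16/32/32/8 calculation."""
    needed = math.ceil(hosts * (1 + growth)) + 2
    size = 1
    while size < needed:
        size <<= 1
    return size


def plan_subnets(base, vlan_hosts, growth=GROWTH):
    """Allocate one subnet per VLAN from `base`, largest block first (so each
    block starts on a boundary aligned to its own size), ties broken by host
    count. Returns the plan in allocation order."""
    base_net = ipaddress.ip_network(base)
    order = sorted(vlan_hosts,
                   key=lambda v: (block_size(vlan_hosts[v], growth), vlan_hosts[v]),
                   reverse=True)
    cursor = int(base_net.network_address)
    limit = int(base_net.broadcast_address) + 1
    plan = []
    for vlan in order:
        size = block_size(vlan_hosts[vlan], growth)
        if cursor + size > limit:
            raise ValueError(f"{base} has no room left for {vlan} ({size} addresses)")
        prefix = 32 - (size.bit_length() - 1)
        net = ipaddress.ip_network((cursor, prefix))
        hosts = list(net.hosts())   # excludes network and broadcast addresses
        plan.append({
            "vlan": vlan,
            "network": str(net.network_address),
            "prefix": prefix,
            "mask": str(net.netmask),
            "gateway": str(hosts[0]),       # slide convention: first usable address
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
            "size": size,
            "usable": usable_hosts(prefix),
        })
        cursor += size
    return plan


if __name__ == "__main__":
    for row in plan_subnets("192.168.100.0/25", VLAN_HOSTS):
        print(f'{row["vlan"]:22} {row["network"]}/{row["prefix"]} mask {row["mask"]} '
              f'gw {row["gateway"]} hosts {row["first_host"]}-{row["last_host"]} '
              f'bcast {row["broadcast"]} ({row["usable"]} usable)')
```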


IP Configuration Plan


IP Configuration Plan - 2


The First & Last IP Address of a Network is Not Useable!

• The First Address = Network Address or “Wire” Address

• The Last Address = Broadcast Address

[Figure: /25 = 128 IP Addresses, 126 “Useable” Hosts; /26 = 64 IP Addresses, 62 “Useable” Hosts; /27 = 32 IP Addresses, 30 “Useable” Hosts – each block marked with its Network Address, Gateway Address and Broadcast Address]


ACCESS CONTROL LISTS (ACL)


Access Control List – “ACL”

• Provides “Basic” Network Access Security Buffer

• Packet Filter Based

• Filter IP Network Packets

– Forwarded @ Egress Interface

– Blocked @ Ingress Interface

• Implemented:

– Border

– Internally

[Figure: Internet – Network; Apply @ Border (where the network meets the Internet) and Apply Internally (between internal segments)]


The “ACL” Rules

• Standard Access List

– Can Only Permit or Deny The Source Host IP Address

– Placed Closest to Destination Host

• Extended Access List

– Can Permit or Deny Based Upon:

• Source IP Address

• Destination IP Address

• TCP Port #

• UDP Port #

• TCP/IP Protocol

– Placed Closest to Source Network


Implementing an Access Control List

[Figure: a router with Interface 0/0 and Interface 0/1; on each interface an Ingress ACL Filters Inbound Packets and an Egress ACL Filters Outbound Packets]

Permit or Deny:

Source IP Address

Destination IP Address

ICMP

TCP/UDP Source Port

TCP/UDP Destination Port

One ACL per: Interface, Direction, Protocol

Create Access Control List → Apply Access Control List


ACL Implementation Example – Block External Users From “Pinging” Inside Network Hosts

[Figure: Router 1, with interfaces E0 and E1, between The “Internet” and the inside hosts 192.168.10.1 /24, 192.168.10.2 /24 and 192.168.10.6 /24]

Create Access List on Router 1 (an extended access list, numbered 100–199, is needed to match a protocol such as ICMP; a standard list numbered 1–99 can only match the source address):

access-list 110 deny icmp any any

access-list 110 permit ip any any

Apply Access List to Interface:

interface ethernet1

ip access-group 110 in

Configuration Disclaimer:

Exact configuration commands may vary based upon specific equipment models and software version.

Generic “Cisco” commands utilized for illustration purposes.
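The ACL rules and the “block pings” example above, worked as an added Python example (not from the webinar or from any Cisco software): a small evaluator for numbered access lists that applies top-down first-match with the implicit deny, binds one list per interface and direction, and checks the slide’s list against constructed packets. The list is numbered 110 here because matching a protocol requires the extended syntax.

```python
"""Cisco-style numbered ACL evaluation in Python (added example, not webinar code).

Standard lists (1-99) match only the source address; extended lists (100-199)
match protocol, source, destination and an optional destination port. Entries
are checked top-down, the first match wins, and no match means the implicit
deny. Wildcard masks follow the IOS convention (0 bit = must match, 1 bit =
don't care). All packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry. src/dst are 'any' or 'A.B.C.D wildcard'."""
    action: str
    proto: str            # "ip" matches every protocol
    src: str
    dst: str
    dst_port: int = None

@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp", "udp"
    src_ip: str
    dst_ip: str
    dst_port: int = None

def _addr_matches(spec, ip):
    if spec == "any":
        return True
    addr, wildcard = spec.split()
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & mask) == (int(ipaddress.ip_address(addr)) & mask)

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return _addr_matches(ace.src, pkt.src_ip) and _addr_matches(ace.dst, pkt.dst_ip)

def evaluate(acl, pkt):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def _take_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from a token list."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return f"{tok[1]} 0.0.0.0", tok[2:]
    return f"{tok[0]} {tok[1]}", tok[2:]

def parse_acl(lines):
    """Parse 'access-list <n> permit|deny ...' lines into a list of Ace."""
    acl = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action = int(tok[1]), tok[2]
        if number <= 99 or 1300 <= number <= 1999:      # standard: source only
            src, _ = _take_addr(tok[3:])
            acl.append(Ace(action, "ip", src, "any"))
        else:                                           # extended
            src, rest = _take_addr(tok[4:])
            dst, rest = _take_addr(rest)
            port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            acl.append(Ace(action, tok[3], src, dst, port))
    return acl

def filter_packet(bindings, interface, direction, pkt):
    """Apply the one ACL bound to (interface, direction), as 'ip access-group'
    does. An interface/direction with no ACL bound forwards everything."""
    acl = bindings.get((interface, direction))
    return "permit" if acl is None else evaluate(acl, pkt)

# The slide's ACL and its binding (ip access-group 110 in, on ethernet1).
ACL_110 = parse_acl([
    "access-list 110 deny icmp any any",
    "access-list 110 permit ip any any",
])
BINDINGS = {("ethernet1", "in"): ACL_110}
```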


TAKEAWAYS, REFERENCES, QUESTIONS, AND MAYBE SOME ANSWERS


Takeaway Points – Part 4

• Use Segmented Network Design Techniques:

– Performance

– Security

– Policy

• VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated Networks, Broadcast Domains, or Subnets

• Each Network, Subnet, or VLAN is a Broadcast Domain With a Unique IP Address Scheme

• L2 Ethernet Switches Eliminate Collision Domains

• L3 Routers Control Broadcast Domains

• NAT Can Be Used to Minimize IPV4 Address Space

• IP Addressing Rules Must Be Obeyed:

– Each Network MUST Have a Unique Network ID

– Each Host MUST Have a Unique Host ID

– Every IP Address MUST Have a Subnet Mask

– An IP Address Must Be Unique Globally If Host on the Public Internet

– The First & Last IP Address of a Network is Not Useable!


My Favorite Reference Texts:


My Favorite Subnet Calculator

The “Mask” iOS Subnet Calculator:

http://www.cylineapro.com/cylsoft-portfolio/the-mask-ipv4-ipv6-calculator


Web Reference Sources: www.packetlife.net


Thank You for Attending!

Wayne M. Pecena, [email protected]

979.845.5662


Don’t Miss: Webinar #5 - Cybersecurity Fundamentals & Securing the Network

August 29