“Fundamentals of IP Networking 2017 Webinar Series”
Part 4 - Building a Segmented IP Network Focused On Performance & Security
Wayne M. Pecena, CPBE, CBNE
Texas A&M University
Educational Broadcast Services – KAMU Public Broadcasting
Advertised Presentation Scope
Part 1 - Introduction to IP Networking Standards & the Physical Layer
Part 2 - Ethernet Switching Fundamentals and Implementation
Part 3 - IP Routing and Internetworking Fundamentals
Part 4 - Building a Segmented IP Network Focused On Performance & Security - July 25
Part 5 - Cybersecurity Fundamentals & Securing the Network - August 29
Part 4 brings the conceptual material from the previous webinars together to show how to design and implement a segmented network infrastructure built for performance and security. Best-practice approaches are presented to ensure network performance and security. Specific topics include developing an IP addressing plan, segmentation techniques, and Access Control List (ACL) implementation.
Today’s Outline:
• Takeaway Review From Webinar 3
• Brief Overview of Layer 4 and above
• Network Design Considerations
• Segmented Network Design
• IP Addressing Plan
• Access Control Lists (ACL)
• Takeaways, References, Questions, and Maybe Some Answers
Takeaway Points – Layer 3
• The Network Layer – Focus Upon Packet Delivery to a Network
– IP Routing Protocol
– IP Address Contains Network Address
• IP Routing Protocols
– Internal
– External
– Best Protocol = Best Fit for Your Network Environment
• IP Addressing Rules Must Be Obeyed:
– Each Network MUST Have a Unique Network ID
– Each Host MUST Have a Unique Host ID
– Every IP Address MUST Have a Subnet Mask
– An IP Address Must Be Unique Globally If Host on the Public Internet
– The First & Last IP Address of a Network is Not Useable!
• VLSM Widely Used Today – Subnet Mask Explicitly Stated (CIDR notation)
• “Public” IPv4 Address Space is Limited
• IPv6 Provides Expanded Address Space + IP Re-Engineering
• IPv6 is NOT Backward Compatible With IPv4 (but Migration Friendly)
• Future - IPv6: A Must to Add Hosts to the Internet – Restores Host-Host Communications That IP is Based Upon
BRIEF OVERVIEW OF LAYER 4 AND ABOVE
TCP Basics – Transmission Control Protocol
RFC 675 and later v4 in RFC 793
• “Connection-Oriented” Protocol
– Connection Establishment
– Segmentation & Sequencing
– Acknowledgement
– Flow Control or Windowing
• Guaranteed Or Reliable Data Delivery
– Acknowledgment of Packet Receipt
– Retransmission Occurs if Packet Not Received
• High Overhead
• Requires Establishment of a “Session”
• TCP Windowing Feature
– Dynamic Window Sizing
– “Slow-Start”
TCP 3-Way Handshake
Host 1 initiates the connection to Host 2:
• Host 1 sends a Synchronize (SYN) message to Host 2.
• Host 2 responds with an Acknowledgement plus its own Synchronization message (SYN + ACK) to Host 1.
• Host 1 completes the 3-way handshake by sending an Acknowledgement (ACK) to Host 2.
The TCP Session Summary
The session diagram shows, over time, the segments exchanged across the network and the state of each end:
• Connection establishment: the initiator moves from Connection Closed to SYN Sent, the listener from Listen to SYN Received; after SYN, SYN + ACK and ACK both sides reach Connection Established.
• Data transfer: Data Segment 1, Data Segment 2 and Data Segment 3 are sent, each answered with an ACK.
• Connection teardown: the side that closes sends FIN and passes through FIN Wait 1 and FIN Wait 2; the other side acknowledges, enters CLOSE Wait, sends its own FIN and waits in Last ACK for the final ACK; both ends then reach Connection Closed.
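To make the state transitions on the session diagram concrete, here is an added Python example (not from the presentation) that encodes the TCP state machine as a transition table and walks two endpoints, Host 1 and Host 2, through the three-way handshake and an orderly close. State and segment names are taken from the diagram; the TIME_WAIT state and the "timeout" event are RFC 793 behaviour that the slide collapses into Connection Closed, and the Endpoint, deliver and run_session names are this example's own.

```python
# Added example: a table-driven model of the TCP session shown on the slide.
# States follow the diagram (LISTEN, SYN_SENT, ... LAST_ACK); TIME_WAIT is added
# because RFC 793 requires the side that closed first to wait before CLOSED.
from typing import Dict, List, Optional, Tuple

# (current state, event) -> (next state, segment to send back, if any)
# Events are local calls (passive_open, active_open, close, timeout)
# or the type of segment just received (SYN, SYN+ACK, ACK, FIN).
TRANSITIONS: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {
    ("CLOSED", "passive_open"): ("LISTEN", None),
    ("CLOSED", "active_open"): ("SYN_SENT", "SYN"),
    ("LISTEN", "SYN"): ("SYN_RECEIVED", "SYN+ACK"),
    ("SYN_SENT", "SYN+ACK"): ("ESTABLISHED", "ACK"),
    ("SYN_RECEIVED", "ACK"): ("ESTABLISHED", None),
    ("ESTABLISHED", "close"): ("FIN_WAIT_1", "FIN"),
    ("ESTABLISHED", "FIN"): ("CLOSE_WAIT", "ACK"),
    ("FIN_WAIT_1", "ACK"): ("FIN_WAIT_2", None),
    ("FIN_WAIT_2", "FIN"): ("TIME_WAIT", "ACK"),
    ("CLOSE_WAIT", "close"): ("LAST_ACK", "FIN"),
    ("LAST_ACK", "ACK"): ("CLOSED", None),
    ("TIME_WAIT", "timeout"): ("CLOSED", None),
}


class Endpoint:
    """One end of the connection; records every state it passes through."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.state = "CLOSED"
        self.history: List[str] = ["CLOSED"]

    def handle(self, event: str) -> Optional[str]:
        """Apply an event; return the segment to send in reply, or None."""
        key = (self.state, event)
        if key not in TRANSITIONS:
            # A segment the state machine does not expect (for example a bare
            # ACK arriving at a LISTENing socket) is rejected, not acted on.
            raise ValueError(f"{self.name}: no transition from {self.state} on {event}")
        self.state, reply = TRANSITIONS[key]
        self.history.append(self.state)
        return reply


def deliver(sender: Endpoint, receiver: Endpoint, segment: Optional[str], trace: List[str]) -> None:
    """Carry a segment across the network, then each reply back, until one side stays silent."""
    while segment is not None:
        trace.append(f"{sender.name} -> {receiver.name}: {segment}")
        segment = receiver.handle(segment)
        sender, receiver = receiver, sender


def run_session() -> Tuple[List[str], List[str], List[str]]:
    """Handshake, (data segments would flow here), then Host 1 closes first."""
    host1, host2 = Endpoint("Host 1"), Endpoint("Host 2")
    trace: List[str] = []
    host2.handle("passive_open")                               # Host 2: Listen
    deliver(host1, host2, host1.handle("active_open"), trace)  # SYN, SYN+ACK, ACK
    if not (host1.state == host2.state == "ESTABLISHED"):
        raise RuntimeError("handshake did not complete")
    deliver(host1, host2, host1.handle("close"), trace)  # FIN from Host 1, ACK back
    deliver(host2, host1, host2.handle("close"), trace)  # FIN from Host 2, final ACK
    host1.handle("timeout")                               # TIME_WAIT expires
    return host1.history, host2.history, trace


if __name__ == "__main__":
    h1, h2, t = run_session()
    print("\n".join(t))
    print("Host 1:", " -> ".join(h1))
    print("Host 2:", " -> ".join(h2))
```

The transition table is the whole protocol model: an endpoint only leaves SYN_RECEIVED when the final ACK arrives, which is why a handshake that is never completed leaves the listener holding state until it times out.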
UDP Basics – User Datagram Protocol
RFC 768
• “Connectionless” Protocol
• Simple or Lightweight, but Inherently Unreliable
• “Best Effort” Data Delivery
• Low Overhead, Thus Low Latency
• Why Use?
– Required for Real-Time Applications:
• VOIP – “Video Over IP” or “Voice Over IP”
• AOIP – “Audio Over IP”
– Latency More Detrimental Than Data Loss
UDP Session
The session diagram shows a TCP exchange (SYN, SYN + ACK, ACK) used to establish the UDP session, after which Data segments flow across the network over time with no acknowledgements.
TCP vs UDP
TCP
• Connection Oriented
• Guaranteed Delivery
• Acknowledgments Sent
• Reliable, But Higher Latency
• Segments & Sequences Data
• Resends Dropped Segments
• Provides Flow Control
• Performs CRC
• Uses Port Numbers for Multiplexing
UDP
• Connectionless
• Not Guaranteed
• No Acknowledgements
• Unreliable, But Low Latency
• No Sequencing
• No Retransmission
• No Flow Control
• Performs CRC
• Uses Port Numbers for Multiplexing
TCP and UDP Headers
RTP – Real Time Protocol
RFC 3550
• UDP Based Real-time Streaming Media Delivery
• RTP Provides:
– Packet Sequencing
– Timestamping
– Payload Type
• RTP Stream Overview (encapsulated in UDP segments):
– RTP Data Transfer (time stamped)
– RTCP QoS Feedback (receiver to sender)
Encapsulation of an RTP stream, as shown in the figure: Ethernet Header (Frame – Layer 2) | IP Header (Packet – Layer 3) | UDP Header (Segment – Layer 4) | RTP Header + RTP Payload (Layer 5)
A Few Words About Port Numbers
RFC 6335
• Applications Are Indexed by a “Port Number”
• Allows Differentiation of Multiple Applications
• Port Numbers Can Be Between 0 – 65,535
– 0 – 1,023 Are Considered “Reserved or System Ports”
– 1,024 – 49,151 “User Ports” Can Be Registered
– 49,152 – 65,535 Are Considered Dynamic or Private
• 65,535 TCP and 65,535 UDP Port Numbers
Reserved & Registered Port Numbers: http://www.iana.org/assignments/port-numbers
Examples – “Well Known” System Port Numbers:
Port 20 / 21 – FTP “File Transfer Protocol”
Port 23 – TELNET
Port 53 – DNS “Domain Name Service”
Port 80 – HTTP
Port 110 – POP3 “Post Office Protocol”
Port 123 – NTP “Network Time Protocol”
Port 161 – SNMP “Simple Network Management Protocol” (UDP)
Port 443 – HTTPS
Sockets
• A “Socket” Is a Combination of an IP Address & A Port Number
• Allows Multiple Network Services to Exist on the Same Host (IP Address)
• IP Address + Port Number = Socket
Example: IP Address 192.168.100.10 + Port Number 8080 yields Socket 192.168.100.10:8080
The figure shows a User PC (192.168.100.002, as written on the slide) running an Email Ap, a Browser Ap and a Media Player Ap, talking to a Server (192.168.100.100) running an SMTP Server, an HTTP Server and a Stream Media Server. Each conversation is a pair of sockets, over TCP or UDP:
192.168.100.100 TCP 25 – 192.168.100.002 TCP 1245 (SMTP Server – Email Ap)
192.168.100.100 TCP 80 – 192.168.100.002 TCP 1328 (HTTP Server – Web Browser Client)
192.168.100.100 UDP 1755 – 192.168.100.002 UDP 1873 (Stream Media Server – Stream Media Player)
NETWORK DESIGN CONSIDERATIONS
The Building Blocks: Hubs, Switches, & Routers
• Hub
– Layer 1 Device
– Acts as a Repeater - All Incoming Frames FWD Out Every Other Port
– Half-Duplex Based – CSMA/CD Algorithm Controlled
– No Intelligence – Collision & Broadcast Domain Across All Ports
• Switch
– Layer 2 Device – Originally Called “Forwarding” - Then “Bridging” - Now Called “Switching”
– Full Duplex Based
– Intelligence Based – Selectively Forwards Frame to a Port
– Each Port is a Collision Domain (assuming one device per port)
– Each Switch is Within a Broadcast Domain
• Router
– Layer 3 Device
– Forwards Packets Between Different Networks
– Creates Broadcast Domains
– Each Interface is a Broadcast Domain
The Flat Network – “Legacy Network Architecture”
The figure shows a single network, 192.168.1.0, with hosts .1 through .12 on one segment:
• A Single Broadcast Domain
• Common Addressed Subnet
Challenges: Manageability, Security, Scalability, Reliability
The Hierarchical Network
The figure divides 192.168.1.0 into three subnets: 192.168.1.0 /26, 192.168.1.64 /26 and 192.168.1.128 /26.
Organize By: Geographic, Policy / Regulation, Security, Performance
Network Design Considerations
• Understand “Your” Environment – Each Network is Different!
• IP Addressing Considerations
• VLAN Configuration
• Routing Protocol Selection
• Network Service(s) Selection (DNS, DHCP, etc.)
• Security Aspects
• Access, Management, Documentation, & Monitoring
• Physical Layer Scheme
• Hardware (Switch & Router) Selection
Network Architecture Considerations
The “Classic” Layered Approach: Core or Backbone, Distribution, and Access tiers; the figure labels the upper tiers Layer 3 and the access tier Layer 2.
Ethernet Switch Considerations
• Network Role & Location
– Self-Contained
– “Stackable”
– Modular (chassis + cards)
• Interface Requirements – Capabilities - Range
• Interface Density
• Layer 3 Capability?
• Processor/Memory/MAC Addresses Supported/Multicast IGMP
• Backplane Fabric Throughput / Forwarding Rate (Gbps)
• Redundancy (power, processor, interfaces)
• PoE Requirements / Switch Capacity: (48vdc nominal)
– 802.3af (15w) “Class 3”
– 802.3at (25w) “PoE+”
Router Considerations
• Network Role & Location
– Self-Contained
– Modular (chassis + cards)
• Interface Requirements – Capabilities (LAN/WAN)
• Processor/Memory/Route Capacity
• Fabric/Backplane Throughput (packets per second “PPS”)
• Redundancy (power, processor, interfaces)
• Required Feature Set:
– Security / IDS
– QoS
– MPLS
– VOIP
– NetFlow
SEGMENTED NETWORK DESIGN
Logical Networks
The “Ennes” Network Architecture for KSBE
The figure shows three locations, each on its own VLAN: the Engineering Rack Room (Engineering VLAN), the Production Island (Production VLAN) and the Administrative Suites (Administration VLAN). Equipment shown: a Cisco 1841 Router (the “Ennes” Router, connected to the ISP/Internet over CAT5 TP), a Cisco 3750G Switch (the “EngRack” Switch), Cisco 2960G Switches (the “Prod” and “Admin” Switches) and, on the first diagram, an HP ProCurve 2530 Switch; the switches are linked by MM Fiber and CAT5 TP.
VLAN Configuration:
100 - Administration
200 - Production
300 - Engineering
400 - NetMgmt
DHCP-Enabled VLANs, per switch (the three groups shown on the figure):
• 200 – Production (4 hosts); 300 – Engineering (2 hosts); 400 - NetMgmt
• 100 – Administration (2 hosts); 200 – Production (8 hosts); 300 – Engineering (12 hosts); 400 – NetMgmt (1 host)
• 100 – Administration (6 hosts); 400 - NetMgmt
Devices: Cisco 1841, Cisco C2960G, Cisco C2960G, Cisco C3750G
“EngRack” Switch to “Ennes” Router Interface
Switch port Gi1/0/1 connects to router interface Fa0/1 as an 802.1Q Trunk Link. On the router, the trunk interface carries the sub-interfaces Fa0/1.1, Fa0/1.2, Fa0/1.3 and Fa0/1.4 for VLAN 100, VLAN 200, VLAN 300 and VLAN 400 respectively.
What is Wrong With This Design?
The diagram repeats the Cisco 1841 Router, the Cisco 3750G Switch and the two Cisco 2960G Switches, linked by MM Fiber (GigE) and CAT5 TP, with CAT5 TP to the ISP. Why a 100 Mbps link here? The router-to-switch CAT5 TP link runs at 100Mbps while the switch-to-switch links are GigE.
Let’s Fix It!
Replace the CAT5 TP router-to-switch link with MM Fiber, then re-configure the ports on the switch & router.
Another Approach!
“Use a Layer 3 Switch”: the diagram keeps the Cisco 3750G Switch and the two Cisco 2960G Switches (MM Fiber between them, CAT5 TP to the ISP) and drops the Cisco 1841 Router, so the 3750G routes between the VLANs.
IP ADDRESSING PLAN
IP Addressing Considerations
• IP Address Planning (range)
– Current Needs
– Scalability
– Organize Subnets (Hierarchical)
• IP Address Host Allocation
– Public vs Private (RFC 1918)
– Static vs Dynamic Policy
– Assignment Documentation (IPAM sys)
• What About IPv6?
– Implementation Factors
– Migration Plan
Network Address Translation – NAT
RFC 3022
• Types of NAT:
– Static – One-to-One Translation
– Dynamic – Pool of Public Addresses Made Available to Outbound Client Traffic
– NAT Overloading or Port Address Translation (PAT) – Translates to a Single Public IP by Use of a Unique Port Number
• NAT Addressing Terminology:
– Inside Local or Inside Private
– Inside Global or Inside Public
– Outside Global or Outside Public
– Outside Local or Outside Private
The figure shows an Inside Network (private) and an Outside Network joined by a Gateway Router w/ NAT Services; Inside Local and Inside Global are the two views of an inside host's address, Outside Local and Outside Global the two views of an outside host's address. In General: Inside Addresses Are Local, Global Addresses Are Public.
Static NAT
The figure shows three private hosts, 10.0.0.2 /24, 10.0.0.3 /24 and 10.0.0.4 /24 (Private Network Space 10.0.0.0/24), behind a Gateway Router w/ NAT Services whose public side is 128.194.247.0 /24 (Public Network Space), and an outside host written on the slide as 128.194.300.2 /24. Static one-to-one mappings:
10.0.0.2 mapped to 128.194.247.2 / 128.194.247.2 mapped to 10.0.0.2
10.0.0.3 mapped to 128.194.247.3 / 128.194.247.3 mapped to 10.0.0.3
10.0.0.4 mapped to 128.194.247.4 / 128.194.247.4 mapped to 10.0.0.4
Simple Layer 3 Packet (Source IP, Destination IP, Payload):
• Outbound: 10.0.0.2 → 128.194.300.2 leaves the router as 128.194.247.2 → 128.194.300.2 (Source IP Address Changed by NAT)
• Inbound: 128.194.300.2 → 128.194.247.2 reaches the host as 128.194.300.2 → 10.0.0.2 (Destination IP Address Changed by NAT)
Dynamic NAT
The same three private hosts (10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) sit behind the Gateway Router w/ NAT Services, which holds a Pool Of AVAILABLE Public IP Addresses. When a host sends outbound traffic an IP Address is Chosen from the Pool of Public IP Addresses, 128.194.247.2 – 128.194.247.14, and a NAT Table entry is created (the slide shows 10.0.0.2 mapped to 128.194.247.10).
• Dynamic Entry Remains if Traffic Flows (timeout)
• Common to Have More Private Hosts Than Public IP Address Space
NAT Overloading or PAT – Port Address Translation
Single Address NAT / Port-Level Multiplexed NAT
The three private hosts share the single public address 128.194.247.10; the NAT Table keys on Source Address & Port and Destination Address & Port:
Inside Local – Inside Global
10.0.0.2:1024 – 128.194.247.10:1024
10.0.0.3:1026 – 128.194.247.10:1026
10.0.0.4:1028 – 128.194.247.10:1028
NAT Drawbacks!
• Accountability Limited Globally
– Multiple Internal Hosts Share Global IP Address
• Breaks IP Concept of End-End Connectivity
• Complicates Process of Allowing a Global IP Host to Establish Session With an Internal Host
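The PAT table on the slide, and the drawback just listed, can be reproduced with a small model. This is an added Python example, not the presenter's code and not a real NAT implementation; it keeps a translation table keyed on inside address and port, rewrites outbound sources to the single public address 128.194.247.10, rewrites inbound destinations back, and refuses an inbound packet for which no entry exists. The outside host 198.51.100.7 is a constructed address, and the rule that a host's own source port is kept when it is free on the public address (otherwise the next unused port is handed out) is an assumption of this example; the PortAddressTranslator name is its own.

```python
# Added example: a model of NAT overloading (PAT) as drawn on the slide.
# Private hosts share one public (inside global) address; the translation
# table is keyed on source address & port, like the slide's NAT Table.
import ipaddress
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]  # (IP address, port)


class PortAddressTranslator:
    def __init__(self, inside_network: str, inside_global: str, first_port: int = 1024) -> None:
        self.inside = ipaddress.ip_network(inside_network)  # inside local address space
        self.inside_global = inside_global                   # the single public address
        self.next_port = first_port
        self.out_table: Dict[Socket, Socket] = {}  # inside local -> inside global
        self.in_table: Dict[Socket, Socket] = {}   # inside global -> inside local

    def _pick_port(self, wanted: int) -> int:
        """Keep the host's own source port when it is free on the public address,
        otherwise hand out the next unused port (assumed behaviour for this example)."""
        if (self.inside_global, wanted) not in self.in_table:
            return wanted
        while (self.inside_global, self.next_port) in self.in_table:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, src: Socket, dst: Socket) -> Tuple[Socket, Socket]:
        """Rewrite the source of a packet leaving the private network; first use creates the entry."""
        if ipaddress.ip_address(src[0]) not in self.inside:
            raise ValueError(f"{src[0]} is not an inside local address")
        if src not in self.out_table:
            mapped = (self.inside_global, self._pick_port(src[1]))
            self.out_table[src] = mapped
            self.in_table[mapped] = src
        return self.out_table[src], dst

    def translate_inbound(self, src: Socket, dst: Socket) -> Optional[Tuple[Socket, Socket]]:
        """Rewrite the destination of a packet arriving from outside.
        None means no entry exists: the slide's drawback, an outside host cannot
        open a session to an inside host the table has never seen."""
        local = self.in_table.get(dst)
        if local is None:
            return None
        return src, local


def demo() -> PortAddressTranslator:
    """Replay the slide's three hosts plus a fourth flow that collides on port 1024."""
    nat = PortAddressTranslator("10.0.0.0/24", "128.194.247.10")
    outside = ("198.51.100.7", 80)  # constructed outside web server (documentation range)
    for inside in [("10.0.0.2", 1024), ("10.0.0.3", 1026), ("10.0.0.4", 1028), ("10.0.0.3", 1024)]:
        nat.translate_outbound(inside, outside)
    return nat


if __name__ == "__main__":
    table = demo()
    for local, public in table.out_table.items():
        print(f"{local[0]}:{local[1]:<6} -> {public[0]}:{public[1]}")
```

The fourth flow shows why accountability is limited: two different inside hosts appear to the outside as the same address, distinguished only by port, and only the router's table can say which inside host a given public port belonged to at the time.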
The “Ennes” Network Architecture for KSBE – VLAN configuration slide repeated (see the Logical Networks slide above).
IP Addressing Plan – Host Counts
Network          # Hosts   Consider Growth – 20%   Block Size (2^n)
Administration   8         10                      16
Production       12        15                      32
Engineering      14        17                      32
NetMgmt          4         5                       8
The slide's worksheet also carries columns for Subnet Address, 1st IP Address, Last IP Address, Broadcast, Mask and Subnet Size, to be filled in from the plan.
IP Address Block Size Based Upon 2^n: 128, 64, 32, 16, 8, 4, 2, 1 (LSB)
IP Addressing Plan – Base Network: 192.168.100.0 /25
Use a “VLSM” Subnet Calculator: http://subnettingpractice.com/vlsm.html
IP Configuration Plan
The “Ennes” Network Architecture for KSBE
VLAN IP Address Configuration:
VLAN:                 Network:         Mask:            Default Gateway:
100 – Administration  192.168.100.64   255.255.255.240  192.168.100.65
200 – Production      192.168.100.32   255.255.255.224  192.168.100.33
300 – Engineering     192.168.100.0    255.255.255.224  192.168.100.1
400 - NetMgmt         192.168.100.80   255.255.255.248  192.168.100.81
DHCP-Enabled VLANs per switch are as on the Logical Networks slide (Production 4 hosts / Engineering 2 hosts / NetMgmt; Administration 2 / Production 8 / Engineering 12 / NetMgmt 1; Administration 6 / NetMgmt).
Management addresses (VLAN 400) for the Cisco 1841, the two Cisco C2960G and the Cisco C3750G: 192.168.100.82, 192.168.100.83, 192.168.100.84 and 192.168.100.85.
IP Configuration Plan - 2
Interfaces and trunks shown: the router has Fa0/0 and Fa0/1; Fa0/1 to the C3750G port Gi1/0/1 is a Trunk carrying VLAN(s) 100,200,300,400; C3750G ports Gi1/0/27 and Gi1/0/28 connect to port Gi0/7 on each C2960G, one Trunk carrying VLAN(s) 100,400 and the other VLAN(s) 200,300,400.
The First & Last IP Address of a Network is Not Useable!
• The First Address = Network Address or “Wire” Address
• The Last Address = Broadcast Address
The figure compares three block sizes, each with a Network Address first, a Gateway Address next, and a Broadcast Address last:
/25 – 128 IP Addresses – 126 “Useable” Hosts
/26 – 64 IP Addresses – 62 “Useable” Hosts
/27 – 32 IP Addresses – 30 “Useable” Hosts
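The addressing plan worked through above (host counts, the 20% growth allowance, power-of-two block sizes, the VLAN table and the usable-host rule) can be reproduced mechanically, which is also the quickest way to catch an overlapping or misaligned subnet before it is configured. This is an added Python example, not the presenter's calculator or code; it uses the standard ipaddress module to carve 192.168.100.0 /25 into the four VLAN subnets largest-block-first. It assumes the default gateway takes the first usable address of each block, as the slide's table shows, and the function names are this example's own.

```python
# Added example: a VLSM planner for the four KSBE VLANs on the slide.
import ipaddress
import math
from typing import Dict, List, Tuple

BASE_NETWORK = ipaddress.ip_network("192.168.100.0/25")
GROWTH = 0.20
# (VLAN id, name, hosts today); host counts taken from the slide's worksheet
REQUIREMENTS: List[Tuple[int, str, int]] = [
    (100, "Administration", 8),
    (200, "Production", 12),
    (300, "Engineering", 14),
    (400, "NetMgmt", 4),
]


def planned_hosts(current: int, growth: float = GROWTH) -> int:
    """Host count after the growth allowance, rounded up (8 -> 10 at 20%)."""
    return math.ceil(current * (1 + growth))


def prefix_for(hosts: int) -> int:
    """Smallest CIDR prefix whose block holds the hosts plus the network,
    broadcast and default-gateway addresses (10 hosts -> /28, a block of 16)."""
    needed = hosts + 3
    host_bits = max(2, math.ceil(math.log2(needed)))
    return 32 - host_bits


def usable_hosts(prefix: int) -> int:
    """Usable addresses in a block: size minus network and broadcast (/25 -> 126)."""
    return 2 ** (32 - prefix) - 2


def allocate(base=BASE_NETWORK, requirements=REQUIREMENTS, growth=GROWTH) -> List[Dict[str, object]]:
    """Carve the base network largest-block-first so every subnet starts on an aligned boundary."""
    sized = sorted(
        ((planned_hosts(current, growth), vlan, name) for vlan, name, current in requirements),
        key=lambda t: -t[0],
    )
    plan: List[Dict[str, object]] = []
    cursor = int(base.network_address)
    for planned, vlan, name in sized:
        # ip_network() rejects a block whose start is not aligned to its size,
        # which largest-first allocation from an aligned base guarantees.
        block = ipaddress.ip_network((cursor, prefix_for(planned)))
        if not block.subnet_of(base):
            raise ValueError(f"{name} does not fit: {base} is exhausted")
        hosts = list(block.hosts())
        plan.append({
            "vlan": vlan, "name": name, "planned_hosts": planned,
            "network": str(block.network_address), "mask": str(block.netmask),
            "prefix": block.prefixlen, "gateway": str(hosts[0]),
            "first_host": str(hosts[1]), "last_host": str(hosts[-1]),
            "broadcast": str(block.broadcast_address),
            "usable_for_hosts": len(hosts) - 1,  # the gateway consumes one usable address
        })
        cursor += block.num_addresses
    return plan


if __name__ == "__main__":
    for row in allocate():
        print(f"{row['vlan']} - {row['name']:<14} {row['network']:<16} {row['mask']:<16} gw {row['gateway']}")
```

Sorting by planned host count descending is what places Engineering at 192.168.100.0 /27 and Production at .32 /27 before the smaller Administration and NetMgmt blocks, matching the VLAN IP Address Configuration table; 88 of the 128 addresses are consumed, leaving room for a further subnet.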
ACCESS CONTROL LISTS (ACL)
Access Control List – “ACL”
• Provides “Basic” Network Access Security Buffer
• Packet Filter Based
• Filter IP Network Packets
– Forwarded @ Egress Interface
– Blocked @ Ingress Interface
• Implemented:
– Border (Apply @ Border, between the Internet and the Network)
– Internally (Apply Internally, between network segments)
The “ACL” Rules
• Standard Access List
– Can Only Permit or Deny The Source Host IP Address
– Placed Closest to Destination Host
• Extended Access List
– Can Permit or Deny Based Upon:
• Source IP Address
• Destination IP Address
• TCP Port #
• UDP Port #
• TCP/IP Protocol
– Placed Closest to Source Network
Implementing an Access Control List
The figure shows a router with Interface 0/0 and Interface 0/1; on each interface an Ingress ACL Filters Inbound Packets and an Egress ACL Filters Outbound Packets.
Permit or Deny:
• Source IP Address
• Destination IP Address
• ICMP
• TCP/UDP Source Port
• TCP/UDP Destination Port
One ACL per: Interface, Direction, Protocol
Steps: Create Access Control List, then Apply Access Control List
ACL Implementation Example – Block External Users From “Pinging” Inside Network Hosts
Router 1 connects the inside network (addresses 192.168.10.1 /24, 192.168.10.2 /24 and 192.168.10.6 /24 are shown) on one Ethernet interface, E0, and the “Internet” on the other, E1, where the list is applied inbound.
Create Access List on Router 1 (an extended list is required because the rule matches on protocol; on Cisco IOS, numbered lists 1–99 are standard and match only on source address, so 110 is used here in place of the slide's 10):
access-list 110 deny icmp any any
access-list 110 permit ip any any
Apply Access List to Interface:
interface ethernet1
ip access-group 110 in
Configuration Disclaimer:
Exact configuration commands may vary based upon specific equipment models and software version.
Generic “Cisco” commands utilized for illustration purposes.
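The packet-filter semantics behind the slide's list (the first matching line wins, a packet matching no line hits the implicit deny at the end of every list, and an extended list can match on protocol, addresses and ports) can be checked without a router. The following is an added Python example, not Cisco code and not from the presentation; it parses the Cisco-style extended-ACL syntax used above (`any`, `host A.B.C.D`, or address plus wildcard mask, with an optional `eq <port>`) and evaluates constructed inbound packets against two lists: the slide's ping block and a tighter allow-list for the 192.168.10.0 /24 hosts that is this example's own. The Packet, Rule, parse_acl and evaluate names are likewise its own.

```python
# Added example: a small evaluator for extended ACLs written in Cisco-like syntax.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None = any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return the network and the next token index."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))
    return ipaddress.ip_network(f"{tokens[i]}/{ipaddress.IPv4Address(mask)}", strict=False), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Turn 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]' lines into rules, in order."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue  # blank lines and anything that is not an ACL entry
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First match wins; a packet matching no line hits the implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


# The slide's list: stop pings from outside, let everything else through.
PING_BLOCK = parse_acl("""
access-list 110 deny icmp any any
access-list 110 permit ip any any
""")

# A tighter inbound list for the same border (constructed): only web traffic reaches the inside.
ALLOW_LIST = parse_acl("""
access-list 120 permit tcp any host 192.168.10.2 eq 80
access-list 120 permit tcp any 192.168.10.0 0.0.0.255 eq 443
""")

SAMPLE_PACKETS = [  # constructed packets arriving inbound on the Internet-facing interface
    Packet("icmp", "203.0.113.9", "192.168.10.2"),
    Packet("tcp", "203.0.113.9", "192.168.10.2", 80),
    Packet("tcp", "203.0.113.9", "192.168.10.6", 443),
    Packet("tcp", "203.0.113.9", "192.168.10.6", 23),
]


def verdicts(rules: List[Rule]) -> List[str]:
    """Verdict for each sample packet, in order."""
    return [evaluate(rules, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for name, rules in (("ping block", PING_BLOCK), ("allow list", ALLOW_LIST)):
        print(name, verdicts(rules))
```

The two lists give the same answer for the ping but differ on the TELNET packet: the slide's list permits it through its catch-all second line, while the allow-list has no matching line and the implicit deny takes over. Which behaviour is wanted is a policy decision, but the evaluator makes the consequence of each line visible before it is applied to an interface.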
TAKEAWAYS, REFERENCES, QUESTIONS, AND MAYBE SOME ANSWERS
Takeaway Points – Part 4
• Use Segmented Network Design Techniques:
– Performance
– Security
– Policy
• VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated Networks, Broadcast Domains, or Subnets
• Each Network, Subnet, or VLAN is a Broadcast Domain With a Unique IP Address Scheme
• L2 Ethernet Switches Eliminate Collision Domains
• L3 Routers Control Broadcast Domains
• NAT Can Be Used to Minimize IPv4 Address Space
• IP Addressing Rules Must Be Obeyed:
– Each Network MUST Have a Unique Network ID
– Each Host MUST Have a Unique Host ID
– Every IP Address MUST Have a Subnet Mask
– An IP Address Must Be Unique Globally If Host on the Public Internet
– The First & Last IP Address of a Network is Not Useable!
My Favorite Reference Texts:
My Favorite Subnet Calculator – The “Mask” iOS Subnet Calculator:
http://www.cylineapro.com/cylsoft-portfolio/the-mask-ipv4-ipv6-calculator
Thank You for Attending!
Wayne M. [email protected]
979.845.5662
Don’t Miss: Webinar #5 - Cybersecurity Fundamentals & Securing the Network
August 29