Networking Essentials For Firewall-1 Administrators

dargspur, Networking and Communications

Oct 27, 2013

Networking Essentials For Firewall-1 Administrators

“What You Need To Know

Before The Packets Flow”


Brief Networking Review


1. Networking Protocols


2. IP Protocols


3. The OSI Seven-Layer Networking Model


4. TCP And UDP


5. IP Addresses, Subnet Masks and Routing


6. Address Resolution Protocol (ARP)


7. Putting It All Together


1. Networking Protocols


IP (Internet Protocol)


It’s special for two reasons:


The Official Protocol for the Internet


The Only Protocol Supported By VPN-1/Firewall-1!


IPX (Internetwork Packet eXchange)


AppleTalk


DECnet


NetBEUI


Many, Many Others


2. IP Protocols


Some of the Values of the IP Protocol Field:


1: Internet Control Message Protocol (ICMP)


6: Transmission Control Protocol (TCP)


17: User Datagram Protocol (UDP)


50: IP Security Encapsulating Security Payload (ESP)


51: IP Security Authentication Header (AH)


3. The OSI Seven-Layer Networking Model

7. Application

6. Presentation

5. Session

4. Transport (example: port 80)

3. Network (example: IP address 205.219.84.5)

2. Data Link (example: MAC address 00-06-A3-43-E1-F4)

1. Physical


Why Use The 7 Layer Model?


Outbound Packets:


An outbound packet travels down the stack
and leaves the IP host from below


At each layer it passes through, it gets
wrapped in that layer's header (the IP and
TCP/UDP checksums live in those headers;
only the Data Link layer adds a trailer,
the Ethernet frame check sequence)


Why Use The 7 Layer Model?


Inbound Packets:


An inbound packet enters from below and
travels up the stack


At each layer, it gets unwrapped: that
layer's header (and, at the Data Link
layer, the frame check sequence trailer)
is verified and stripped off


Why Use The 7 Layer Model?


Each layer is effectively using the
packet to communicate with only the
corresponding layer on the partner IP
host
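The three slides above describe encapsulation in words. The following Python is an added example (not part of the original deck, and not Check Point code) that builds an Ethernet/IPv4/TCP frame by walking down the stack, then decodes it by walking back up, stripping one header per layer and checking the IPv4 header checksum on the way. The addresses, ports and payload are constructed for illustration; the TCP checksum and the Ethernet FCS are left out, as noted in the comments.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}  # IP protocol field values


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a correct header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Outbound: walk DOWN the stack, adding one header per layer."""
    # Layer 4: minimal 20-byte TCP header (SYN, window 8192); TCP checksum left at 0 for brevity
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    # Layer 3: IPv4 header with protocol 6 (TCP); checksum field filled in after packing
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Layer 2: Ethernet header; the FCS trailer is added by the NIC and is not modelled here
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def decode_frame(frame: bytes) -> dict:
    """Inbound: walk UP the stack, stripping one header per layer and validating as we go."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    layers = {"l2": {"dst": bytes_to_mac(frame[:6]), "src": bytes_to_mac(frame[6:12])}}
    ip = frame[14:]                           # Ethernet header stripped
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20:
        raise ValueError("bad IP version/IHL")
    if ip_checksum(ip[:ihl]) != 0:            # a tampered or corrupted header fails here
        raise ValueError("IP header checksum mismatch")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    layers["l3"] = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
                    "proto": proto, "proto_name": IP_PROTOCOLS.get(proto, "unknown")}
    l4 = ip[ihl:total_len]                    # IP header stripped
    if proto in (6, 17):                      # only TCP and UDP carry port numbers
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8
        layers["l4"] = {"sport": sport, "dport": dport}
        layers["payload"] = l4[hdr_len:]      # transport header stripped
    else:                                     # ICMP, ESP, AH: nothing port-like to report
        layers["l4"] = {}
        layers["payload"] = l4
    return layers


if __name__ == "__main__":
    frame = build_frame("00-06-A3-43-E1-F4", "00-03-22-5E-3C-21", "10.10.1.5", "205.219.84.5",
                        40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    print(decode_frame(frame))
```

Each layer's header is only meaningful to the corresponding layer on the other host: the Ethernet addresses are consumed and discarded at Layer 2, the IP addresses at Layer 3, and only the transport layer ever looks at the port numbers.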


Where Does Firewall-1 Fit In?



Below Layer 3


Above Layer 2


Both Inbound and Outbound


Firewall-1 Does These Things
To A Packet


Anti-Spoof Checking:


Uses Source IP Address, compared with the networks
expected behind the interface the packet arrived on


Filtering:


Uses both Source and Destination IP Address


Uses both Source and Destination Ports


NAT:


Can change Source or Destination IP Address


Can change Source or Destination Port Number


Routing:


Uses Destination IP Address
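To make the slide concrete, here is an added Python example (not from the original deck, and not Check Point's implementation) of the first three operations applied in the order shown: an anti-spoof check of the source address against the interface it arrived on, top-down first-match filtering on the original addresses and ports with an implicit drop when nothing matches, and hide NAT that rewrites the source address and port of internal hosts. The topology, rule base and addresses are constructed for illustration; routing is left to the routing slides later in the deck.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int = 0   # 0 for ICMP: port numbers exist only on TCP and UDP
    dport: int = 0


ANY = ip_network("0.0.0.0/0")

# Constructed topology: the address space legitimately found BEHIND each interface.
TOPOLOGY = {
    "eth1": [ip_network("10.10.0.0/16")],      # internal LAN
    "eth2": [ip_network("205.219.84.0/24")],   # DMZ (the address from the slides lives here)
    "eth0": [ANY],                             # Internet: everything not claimed above
}

# Constructed rule base, evaluated top-down; first match wins, no match means drop.
RULES = [
    # src_net,                   dst_net,                       proto, dport, action
    (ip_network("10.10.0.0/16"), ANY,                           "tcp", 80,   "accept"),
    (ANY,                        ip_network("205.219.84.5/32"), "tcp", 80,   "accept"),
    (ANY,                        ip_network("205.219.84.5/32"), "tcp", 25,   "accept"),
]

# Constructed hide NAT: internal hosts leave as one public address with translated ports.
HIDE_NAT_NET, HIDE_NAT_ADDR = ip_network("10.10.0.0/16"), "203.0.113.1"
_next_public_port = count(10000)   # next free translated source port
XLATE_TABLE = {}                   # public port -> (original src, original sport)


def anti_spoof(pkt: Packet) -> bool:
    """A source address is only believable on the interface it is expected behind."""
    src = ip_address(pkt.src)
    for iface, nets in TOPOLOGY.items():
        if iface != pkt.iface and nets != [ANY] and any(src in n for n in nets):
            return False   # address belongs behind a different interface: spoofed
    return any(src in n for n in TOPOLOGY[pkt.iface])


def match_rule(pkt: Packet):
    """Filtering uses source and destination address plus source/destination port."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for number, (s, d, proto, dport, action) in enumerate(RULES, 1):
        if src in s and dst in d and pkt.proto == proto and pkt.dport == dport:
            return number, action
    return None, "drop"        # implicit cleanup rule


def apply_nat(pkt: Packet) -> Packet:
    """Hide NAT changes the source address and source port of internal traffic."""
    # Only TCP/UDP have a port to translate; ICMP would need its query identifier instead.
    if ip_address(pkt.src) in HIDE_NAT_NET and pkt.proto in ("tcp", "udp"):
        public_port = next(_next_public_port)
        XLATE_TABLE[public_port] = (pkt.src, pkt.sport)   # so replies can be mapped back
        return replace(pkt, src=HIDE_NAT_ADDR, sport=public_port)
    return pkt


def process(pkt: Packet) -> dict:
    """Anti-spoof, then filter on the original addresses, then NAT (the slide's order)."""
    if not anti_spoof(pkt):
        return {"action": "drop", "reason": f"anti-spoof on {pkt.iface}"}
    rule, action = match_rule(pkt)
    if action != "accept":
        return {"action": "drop", "reason": "no rule matched (implicit cleanup)"}
    return {"action": "accept", "rule": rule, "packet": apply_nat(pkt)}


if __name__ == "__main__":
    print(process(Packet("eth1", "10.10.1.5", "198.51.100.9", "tcp", 40000, 80)))
    print(process(Packet("eth0", "10.10.1.5", "205.219.84.5", "tcp", 40001, 80)))  # spoofed
```

The second call shows why anti-spoofing needs the arriving interface and not just the source address: 10.10.1.5 is a perfectly valid internal address, but arriving on the external interface it can only be forged.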


4. TCP And UDP


TCP:


Connection-oriented


Missed a packet? Please re-send.


Sort of like a phone call


UDP:


Connectionless


Missed a packet? Tough.


Sort of like a radio station


Port Numbers


Only on TCP and UDP!


Q: How Does Port Address Translation
Disambiguate ICMP Traffic?


A: (Discussion)


Common Port Numbers


HTTP: TCP Port 80


Telnet: TCP Port 23


FTP: TCP Port 21 (control channel; data transfers use a separate connection)


DNS:


Lookups: UDP Port 53 (TCP Port 53 when a reply is too large for a UDP datagram)


Zone Transfers: TCP Port 53


SMTP: TCP Port 25


POP3: TCP Port 110


5. IP Addresses, Subnet
Masks And Routing


Dotted Quad Notation:


This is only a way to represent 32 bits in a
human-friendly format


Example:


11001101|11011011|01010100|00000101 ==

205|219|84|5 ==

205.219.84.5


Dotted Quad Notation


Dotted Quad Notation:


Another Example:


11111111|11111111|11111111|00000000 ==

255|255|255|0 ==

255.255.255.0


The Subnet Mask


An IP Address really consists of two
contiguous parts:


A Network Number (the first N bits), followed by


A Host ID (the remaining 32-N bits)


Where N is the number of 1 bits in the subnet mask


The bit count always sums to 32 (Assuming
IPv4 here)


The Two Most Important
Subnet Mask Facts


A subnet mask is always a contiguous
series of 1's followed by a contiguous
series of 0's, with a total count of 32
binary digits


The traditional dotted quad notation for
a subnet mask is simply the decimal
representation of this 32-bit mask


There Are Only 33 Possible
Subnet Masks (Page 1 of 5)

00000000|00000000|00000000|00000000   0.0.0.0     /0
10000000|00000000|00000000|00000000   128.0.0.0   /1
11000000|00000000|00000000|00000000   192.0.0.0   /2
11100000|00000000|00000000|00000000   224.0.0.0   /3
11110000|00000000|00000000|00000000   240.0.0.0   /4
11111000|00000000|00000000|00000000   248.0.0.0   /5
11111100|00000000|00000000|00000000   252.0.0.0   /6
11111110|00000000|00000000|00000000   254.0.0.0   /7


There Are Only 33 Possible
Subnet Masks (Page 2 of 5)

11111111|00000000|00000000|00000000   255.0.0.0     /8
11111111|10000000|00000000|00000000   255.128.0.0   /9
11111111|11000000|00000000|00000000   255.192.0.0   /10
11111111|11100000|00000000|00000000   255.224.0.0   /11
11111111|11110000|00000000|00000000   255.240.0.0   /12
11111111|11111000|00000000|00000000   255.248.0.0   /13
11111111|11111100|00000000|00000000   255.252.0.0   /14
11111111|11111110|00000000|00000000   255.254.0.0   /15


There Are Only 33 Possible
Subnet Masks (Page 3 of 5)

11111111|11111111|00000000|00000000   255.255.0.0     /16
11111111|11111111|10000000|00000000   255.255.128.0   /17
11111111|11111111|11000000|00000000   255.255.192.0   /18
11111111|11111111|11100000|00000000   255.255.224.0   /19
11111111|11111111|11110000|00000000   255.255.240.0   /20
11111111|11111111|11111000|00000000   255.255.248.0   /21
11111111|11111111|11111100|00000000   255.255.252.0   /22
11111111|11111111|11111110|00000000   255.255.254.0   /23


There Are Only 33 Possible
Subnet Masks (Page 4 of 5)

11111111|11111111|11111111|00000000   255.255.255.0     /24
11111111|11111111|11111111|10000000   255.255.255.128   /25
11111111|11111111|11111111|11000000   255.255.255.192   /26
11111111|11111111|11111111|11100000   255.255.255.224   /27
11111111|11111111|11111111|11110000   255.255.255.240   /28
11111111|11111111|11111111|11111000   255.255.255.248   /29
11111111|11111111|11111111|11111100   255.255.255.252   /30
11111111|11111111|11111111|11111110   255.255.255.254   /31


There Are Only 33 Possible
Subnet Masks (Page 5 of 5)

11111111|11111111|11111111|11111111   255.255.255.255   /32


Why Do We Have Subnet
Masks?


So it’s easy to tell whether an IP
address is a member of an IP subnet
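The mask facts from the preceding slides, carried through in an added Python example (not from the original deck): converting between /N prefix lengths and dotted-quad masks, rejecting a mask whose 1 bits are not contiguous, generating all 33 legal masks, splitting an address into its network number and host ID, and the masked comparison that answers "is this address in this subnet?". The example addresses are the ones used on the slides.

```python
import socket
import struct

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted quad -> the 32-bit integer it represents (inet_aton validates the syntax)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def _to_dotted(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value & ALL_ONES))


def prefix_to_mask(prefix: int) -> str:
    """/N -> dotted quad: N ones followed by 32-N zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return _to_dotted((ALL_ONES << (32 - prefix)) & ALL_ONES)


def mask_to_prefix(mask: str) -> int:
    """Dotted quad -> /N, rejecting anything that is not contiguous ones then zeros."""
    bits = _to_int(mask)
    ones = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"{mask} is not a valid subnet mask: its 1 bits are not contiguous")
    return ones


def to_binary(dotted: str) -> str:
    """The slide's 'human-friendly' view reversed: four 8-bit groups separated by |."""
    return "|".join(f"{int(octet):08b}" for octet in dotted.split("."))


def all_masks() -> list:
    """Every legal IPv4 subnet mask; there are exactly 33 (/0 through /32)."""
    return [prefix_to_mask(n) for n in range(33)]


def split_address(addr: str, prefix: int) -> tuple:
    """Return (network number as dotted quad, host ID as an integer)."""
    mask = _to_int(prefix_to_mask(prefix))
    bits = _to_int(addr)
    return _to_dotted(bits & mask), bits & ~mask & ALL_ONES


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """Mask both addresses; equal results mean they share a subnet."""
    m = _to_int(mask)
    mask_to_prefix(mask)   # refuse to reason with a malformed mask
    return (_to_int(addr_a) & m) == (_to_int(addr_b) & m)


if __name__ == "__main__":
    print(to_binary("205.219.84.5"), "==", "205.219.84.5")
    print(split_address("205.219.84.5", 24))
    print(same_subnet("205.219.84.5", "205.219.84.200", "255.255.255.0"))
```

A mask such as 255.0.255.0 has sixteen 1 bits but is rejected by mask_to_prefix, because the network and host parts of an address must be contiguous; a firewall topology or anti-spoofing definition built from such a mask would not mean what its author thinks.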


How Does A Router Route?


Step 1. For each IP interface, use the
subnet mask to mask both the IP
address on the interface and the
destination IP address for the packet in
hand. If they match, we're done
with routing and can use Layer 2
(usually Ethernet) to deliver the packet
directly.


How Does A Router Route?


Step 2. If this comparison of masked
IP addresses fails for every IP interface,
then search your routing table for the
most specific (longest prefix) entry that
covers the destination; it tells you the
next hop and which interface to use to
get there. Then send the packet to this
next hop by Ethernet, using ARP if
necessary to get the MAC address of the
next hop's NIC.


How Does A Router Route?


This business of determining whether to
deliver a packet by Layer 2 or route it
to its next hop is known as asking
yourself: "Do I Route Or Do I Shout?"


"Route" == "Not in local network, send
to next hop"


"Shout" == "Resolve by ARP and send
by Layer 2"
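The two-step decision from the last three slides, as an added Python example (not from the original deck). The router's interface addresses and static routing table are constructed for illustration; Step 1 does the masked comparison exactly as the slide describes, and Step 2 picks the longest matching prefix so that a more specific route beats the default.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed router: the addresses on its own interfaces and a static routing table.
INTERFACES = {
    "eth0": ip_interface("198.51.100.1/30"),   # link towards the upstream provider
    "eth1": ip_interface("205.219.84.1/24"),   # the segment the slides' host sits on
    "eth2": ip_interface("10.10.0.1/16"),      # internal LAN
}
ROUTES = [  # (destination network, next hop, outgoing interface)
    (ip_network("10.20.0.0/16"), "10.10.0.2", "eth2"),
    (ip_network("10.20.5.0/24"), "10.10.0.3", "eth2"),     # more specific than the /16 above
    (ip_network("0.0.0.0/0"), "198.51.100.2", "eth0"),     # default route, matches anything
]


def route_or_shout(dst: str, interfaces=INTERFACES, routes=ROUTES) -> dict:
    """Decide whether the destination is delivered directly ('shout') or forwarded ('route')."""
    dst_addr = ip_address(dst)
    dst_bits = int(dst_addr)

    # Step 1: AND both the interface address and the destination with that interface's
    # subnet mask; equal results mean the destination is on a directly connected segment.
    for name, ifc in interfaces.items():
        mask = int(ifc.network.netmask)
        if (int(ifc.ip) & mask) == (dst_bits & mask):
            return {"decision": "shout", "iface": name, "arp_for": dst}

    # Step 2: no interface matched, so walk the routing table keeping the longest prefix
    # that covers the destination; the packet then goes to that entry's next hop.
    best = None
    for net, next_hop, iface in routes:
        if dst_addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return {"decision": "drop", "reason": "no route to host"}
    net, next_hop, iface = best
    return {"decision": "route", "iface": iface, "next_hop": next_hop,
            "arp_for": next_hop, "matched": str(net)}


if __name__ == "__main__":
    for destination in ("205.219.84.5", "10.20.5.7", "10.20.9.9", "8.8.8.8"):
        print(destination, route_or_shout(destination))
```

Note that in the "route" case the address handed to ARP is the next hop, never the final destination: the destination host is by definition not on any local segment, so an ARP request for it would go unanswered.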



6. Address Resolution
Protocol (ARP)


Resolves the Forwarding IP Address of a
Node to its Corresponding Media Access
Control (MAC) Address, typically its Ethernet
address


ARP Request Message:


“Any Ethernet host on this segment with the IP
address of 205.219.84.5?”


ARP Reply Message:


"That's me, at 00-03-22-5E-3C-21!"


Address Resolution Protocol
(ARP)


The ARP Cache Is A RAM-Based Table
Of IP-to-MAC Address Mappings


Cisco IOS:


Default Timeout is 4 Hours (14400 seconds)


Windows:


Timeout is 2 Minutes


(Renewable Through Use to 10 Minutes)


(Windows 2000/XP; Vista and later age entries
with Neighbor Unreachability Detection on a
much shorter timer)
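The ARP exchange and cache of the last two slides, as an added Python example (not from the original deck). It encodes the broadcast request and the unicast reply shown on the slide, parses them back, and keeps a cache whose entries expire after a configurable timeout. One hardening that is this example's own addition, not something the slides attribute to Firewall-1: a reply is only learned if it answers a request we actually sent, which blocks the simplest form of ARP cache poisoning. MAC and IP addresses are the constructed values from the slides; time is passed in explicitly so the expiry logic can be exercised deterministically.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "FF-FF-FF-FF-FF-FF"
ZERO_MAC = "00-00-00-00-00-00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet + ARP for IPv4 over Ethernet (htype 1, ptype 0x0800, hlen 6, plen 4).
    Requests are broadcast ('Any host on this segment with ...?'); replies are unicast."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    return {"op": op,
            "sender_mac": bytes_to_mac(frame[22:28]), "sender_ip": bytes_to_ip(frame[28:32]),
            "target_mac": bytes_to_mac(frame[32:38]), "target_ip": bytes_to_ip(frame[38:42])}


class ArpCache:
    """RAM table of IP -> (MAC, expiry time). Entries are learned only from replies we asked for."""

    def __init__(self, my_mac: str, my_ip: str, timeout: float):
        self.my_mac, self.my_ip, self.timeout = my_mac, my_ip, timeout
        self.table = {}        # ip -> (mac, expires_at)
        self.pending = set()   # ips we have an outstanding request for

    def resolve(self, ip: str, now: float):
        """Return (mac, None) on a fresh hit, or (None, request_frame) when we must 'shout'."""
        entry = self.table.get(ip)
        if entry and entry[1] > now:
            return entry[0], None
        self.table.pop(ip, None)      # expired (or absent): forget it and ask the segment
        self.pending.add(ip)
        return None, build_arp(ARP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, ip)

    def handle_reply(self, frame: bytes, now: float) -> bool:
        """Learn a mapping from a reply; unsolicited replies are ignored (added hardening)."""
        reply = parse_arp(frame)
        if (reply["op"] != ARP_REPLY or reply["target_ip"] != self.my_ip
                or reply["sender_ip"] not in self.pending):
            return False
        self.pending.discard(reply["sender_ip"])
        self.table[reply["sender_ip"]] = (reply["sender_mac"], now + self.timeout)
        return True


if __name__ == "__main__":
    cache = ArpCache("00-06-A3-43-E1-F4", "205.219.84.1", timeout=120)
    mac, request = cache.resolve("205.219.84.5", now=0)
    print("request:", parse_arp(request))
    reply = build_arp(ARP_REPLY, "00-03-22-5E-3C-21", "205.219.84.5", "00-06-A3-43-E1-F4", "205.219.84.1")
    print("learned:", cache.handle_reply(reply, now=1), cache.resolve("205.219.84.5", now=60)[0])
```

The timeout value is the one tunable that matters operationally: a long timeout (the Cisco default) means fewer broadcasts but a stale entry survives longer after a host changes NIC, while a short one (the classic Windows value) rediscovers changes quickly at the cost of more ARP traffic.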


7. Putting It All Together


Example and Demonstration