Fundamentals of IP Networking 2017 Webinar Series Part 4 Building a Segmented IP Network Focused On Performance & Security

Transcription

1 Fundamentals of IP Networking 2017 Webinar Series Part 4 Building a Segmented IP Network Focused On Performance & Security Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services KAMU Public Broadcasting

2 Fundamentals of IP Networking 2017 Webinar Series Advertised Presentation Scope Part 1- Introduction to IP Networking Standards & the Physical Layer Part 2 - Ethernet Switching Fundamentals and Implementation Part 3 - IP Routing and Internetworking Fundamentals Part 4 - Building a Segmented IP Network Focused On Performance & Security - July 25 Part 4 will bring the conceptual aspects of previous webinars together to understand how to design and implement a segmented network infrastructure designed for performance and security. Best practice approaches will be presented to insure network performance and security. Specific topics will include developing an IP addressing plan, segmentation techniques, and Access Control List (ACL) implementation. Part 5 - Cybersecurity Fundamentals & Securing the Network - August 29 2

3 Today s Outline: Takeaway Review From Webinar 3 Brief Overview of Layer 4 and above Network Design Considerations Segmented Network Design IP Addressing Plan Access Control Lists (ACL) Takeaways, References, Questions, and Maybe Some Answers 3

4 Takeaway Points Layer 3 The Network Layer Focus Upon Packet Delivery to a Network IP Routing Protocol IP Address Contains Network Address IP Routing Protocols Internal External Best Protocol = Best Fit for Your Network Environment IP Addressing Rules Must Be Obeyed: Each Network MUST Have a Unique Network ID Each Host MUST Have a Unique Host ID Every IP Address MUST Have a Subnet Mask An IP Address Must Be Unique Globally If Host on the Public Internet The First & Last IP Address of a Network is Not Useable! VLSM Widely Used Today Subnet Mask Explicated Stated (CIDR notation) Public IPv4 Address Space is Limited IPv6 Provides Expanded Address Space + IP Re-Engineering IPv6 is NOT Backward Compatible With IPv4 (but Migration Friendly) Future - IPv6: A Must to Add Hosts to the Internet Restores Host-Host Communications That IP is Based Upon 4

5 BRIEF OVERVIEW OF LAYER 4 AND ABOVE 5

6 TCP Basics Transmission Control Protocol RFC 675 and later v4 in RFC 793 Connection Oriented Protocol Connection Establishment Segmentation & Sequencing Acknowledgement Flow Control or Windowing Guaranteed Or Reliable Data Delivery Acknowledgment of Packet Receipt Retransmission Occurs if Packet Not Received High Overhead Requires Establishment of a Session TCP Windowing Feature Dynamic Window Sizing Slow-Start 6

7 TCP 3-Way Handshake Host 1 Host 2 Host 1 Initiates Connection to Host 2 Host 2 Responds With Acknowledgement Plus Sends It s Own Synchronization Message to Host 1 SYN SYN + ACK ACK Host 1 Sends Synchronize Message to Host 2 Host 1 Completes the 3-Way Handshake By Sending Acknowledgement to Host 2 7

8 The TCP Session Summary Network Connection Closed SYN Sent SYN + ACK ACK SYN Listen SYN Received Data Segment 1 ACK Connection Established Data Segment 2 ACK Connection Established Data Segment 3 ACK FIN FIN Wait 1 FIN Wait 2 ACK FIN ACK CLOSE Wait Last ACK 8 Time Connection Closed

9 UDP Basics User Datagram Protocol RFC 768 Connectionless Protocol Simple or Lightweight, but Inherently Unreliable Best Effort Data Delivery Low Overhead, Thus Low Latency Why Use? Required for Real-Time Applications: VOIP or Video Over IP or Voice Over IP AOIP or Audio Over IP Latency More Detrimental Than Data Loss 9

10 UDP Session Network SYN ACK SYN + ACK TCP Used to Establish UDP Session Data Data Data Data Data Time 10

11 TCP Connection Oriented Guaranteed Delivery Acknowledgments Sent Reliable, But Higher Latency Segments & Sequences Data Resends Dropped Segments Provides Flow Control Performs CRC Uses Port Numbers for Multiplexing TCP vs UDP UDP Connectionless Not Guaranteed No Acknowledgements Unreliable, But Low Latency No Sequencing No Retransmission No Flow Control Performs CRC Uses Port Numbers for Multiplexing 11

12 12 TCP and UDP Headers

13 RTP Real Time Protocol RFC 3550 UDP Based Real-time Streaming Media Delivery RTP Provides: Packet Sequencing Timestamping Payload Type RTP Stream Overview (encapsulated in UDP segments): RTP Data Transfer (time stamped) RTCP QoS Feedback (receiver to sender) Frame Layer 2 Packet Layer 3 Segment Layer 4 Layer 5 Ethernet Header IP Header UDP Header RTP Header RTP Payload 13

14 A Few Words About Port Numbers RFC 6335 Applications Are Indexed by a Port Number Allows Differentiation of Multiple Applications Port Numbers Can Be Between 0 65, ,023 Are Considered Reserved or System Ports 1,024 49,151 User Ports Can Be Registered 49,152 65,535 Are Considered Dynamic or Private 65,535 TCP and 65,535 UDP Port Numbers Reserved & Registered Ports Numbers: 14

15 Examples: Well Known System Port Numbers Port 20 / 21 FTP File Transfer Protocol Port 23 TELNET Port 53 DNS Domain Name Service Port 80 HTTP Port 110 POP3 Post Office Protocol Port 123 NTP Network Time Protocol Port 161 SNMP Simple Network Management Protocol (UDP) Port HTTPS

16 Sockets A Socket Is a Combination of an IP Address & A Port Number Allows Multiple Network Services to Exist on the Same Host (IP Address) IP Address + Port Number = Socket IP Address: Port Number: 8080 Yields Socket: :8080 Server Web Server Stream Media Server User PC Ap Browser AP Media Player Ap SMTP Server HTTP Server Stream Media Server Mail Client Web Browser Stream Media Player TCP UDP TCP UDP TCP TCP TCP TCP UDP UDP 1873

17 NETWORK DESIGN CONSIDERATIONS 17

18 The Building Blocks: Hubs, Switches, & Routers Hub Layer 1 Device Acts as a Repeater - All Incoming Frame FWD Out Every Other Port X Half-Duplex Based CSMA/CD Algorithm Controlled No Intelligence Collision & Broadcast Domain Across All Ports Switch Layer 2 Device Originally Called Forwarding - Then Bridging - Now Called Switching Full Duplex Based Intelligence Based Selectively Forwards Frame to a Port Each Port is a Collision Domain (assuming one device per port) Each Switch is Within a Broadcast Domain Router Layer 3 Device Forwards Packets Between Different Networks Creates Broadcast Domains Each Interface is a Broadcast Domain 18

19 The Flat Network Legacy Network Architecture A Single Broadcast Domain Common Addressed Subnet Challenges: Manageability, Security, Scalability, Reliability 19

20 The Hierarchical Network Organize By: Geographic Policy / Regulation Security Performance / / /26 20

21 Network Design Considerations Understand Your Environment Each Network is Different! IP Addressing Considerations VLAN Configuration Routing Protocol Selection Network Service(s) Selection (DNS, DHCP, etc) Security Aspects Access, Management, Documentation, & Monitoring Physical Layer Scheme Hardware (Switch & Router) Selection

22 Network Architecture Considerations Layer 3 Core or Backbone Layer 2 Classic Layered Approach Distribution Access

23 Ethernet Switch Considerations Network Role & Location Self-Contained Stackable Modular (chassis + cards) Interface Requirements Capabilities - Range Interface Density Layer 3 Capability? Processor/Memory/MAC Addresses Supported/Multicast IGMP Backplane Fabric Throughput /Forwarding Rate (Gbps) Redundancy (power, processor, interfaces) PoE Requirements / Switch Capacity: (48vdc nominal) 802.af (15w) Class at (25w) PoE+

24 Router Considerations Network Role & Location Self-Contained Modular (chassis + cards) Interface Requirements Capabilities (LAN/WAN) Processor/Memory/Route Capacity Fabric/Backplane Throughput (packets per second PPS ) Redundancy (power, processor, interfaces) Required Feature Set: Security / IDS QoS MPLS VOIP NetFlow

25 SEGMENTED NETWORK DESIGN 25

26 Logical Networks Production VLAN Administration VLAN Engineering VLAN Engineering Rack Room Production Island Administrative Suites 26

27 ISP CAT5 TP Cisco 1841 Router CAT5 TP Cisco 3750G Switch MM Fiber Cisco 2960G Switch MM Fiber Cisco 2960G Switch HP ProCurve 2530 Switch

28 The Ennes Network Architecture for KSBE Ennes Router VLAN Configuration: Internet DHCP Cisco Administration Production Engineering NetMgmt Cisco C2960G Prod Switch EngRack Switch Admin Switch Cisco C2960G Enabled VLANS: 200 Production (4 hosts) 300 Engineering (2 hosts) NetMgmt Cisco C3750G Enabled VLANS: 100 Administration (2 hosts) 200 Production (8 hosts) 300 Engineering (12 hosts) 400 NetMgmt (1 host) Enabled VLANS: 100 Administration (6 hosts) NetMgmt

29 EngRack Switch to Ennes Router Interface Gi1/0/1 Fa0/1 VLAN 100 Fa0/1.1 Trunk Interface VLAN 200 VLAN 300 Fa0/1.2 Fa0/1.3 Sub-Interface VLAN 400 Fa0/ Q Trunk Link

30 What is Wrong With This Design? ISP Cisco 3750G Switch CAT5 TP CAT5 TP Cisco 1841 Router 100Mbps Why a 100 Mbps Link Here? GigE MM Fiber Cisco 2960G Switch MM Fiber Cisco 2960G Switch

31 ISP CAT5 TP Let s Fix It! Cisco 1841 Router Cisco 3750G Switch MM Fiber Then Re-Configure Ports: Switch & Router MM Fiber Cisco 2960G Switch MM Fiber Cisco 2960G Switch

32 Another Approach! ISP CAT5 TP Cisco 3750G Switch Use a Layer 3 Switch MM Fiber Cisco 2960G Switch MM Fiber Cisco 2960G Switch

33 IP ADDRESSING PLAN 33

34 IP Addressing Considerations IP Address Planning (range) Current Needs Scalability Organize Subnets (Hierarchical) IP Address Host Allocation Public vs Private (RFC 1918) Static vs Dynamic Policy Assignment Documentation (IPAM sys) What About IPv6? Implementation Factors Migration Plan

35 Network Address Translation NAT RFC 3022 Types of NAT: Static One-to-One Translation Dynamic Pool of Public Addresses Made Available to Outbound Traffic Client Traffic NAT Overloading or Port Address Translation (PAT) Translates to a Single Public IP by Use of a Unique Port Number NAT Addressing Terminology: Inside Local or Inside Private Inside Global or Inside Global Outside Global or Outside Public Outside Local or Outside Private Inside Local In General: Inside Addresses Are Local Global Addresses Are Public Outside Local Inside Global Inside Network (private) Gateway Router w/ NAT Services Outside Network Outside Global 35

36 Static NAT Source IP Address Changed by NAT Simple Layer 3 Packet Payload Payload Source IP Destination IP / mapped to mapped to mapped to Public Network Space /24 Private Network Space /24 Gateway Router w/ NAT Services / /24 Simple Layer 3 Packet mapped to mapped to mapped to Source IP /24 Destination IP Payload Payload Destination IP Address Changed by NAT 36

37 Dynamic NAT /24 Pool Of AVAILABLE Public IP Addresses Public Network Space /24 Private Network Space Gateway Router w/ NAT Services /24 NAT Table IP Address Chosen from Pool of Public IP Addresses: Dynamic Entry Remains if Traffic Flows (timeout) Common to Have More Private Hosts Than Public IP Address Space 37

38 NAT Overloading or PAT Port Address Translation Single Address NAT / Port-Level Multiplexed NAT / /24 Private Network Space /24 Gateway Router w/ NAT Services Public Network Space Source Address & Port NAT Table Inside Local Inside Global : : : : : :1028 Destination Address & Port 38

39 NAT Drawbacks! Accountability Limited Globally Multiple Internal Hosts Share Global IP Address Breaks IP Concept of End-End Connectivity Complicates Process of Allowing a Global IP Host to Establish Session With an Internal Host 39

40 The Ennes Network Architecture for KSBE Ennes Router VLAN Configuration: Internet DHCP Cisco Administration Production Engineering NetMgmt Cisco C2960G Prod Switch EngRack Switch Admin Switch Cisco C2960G Enabled VLANS: 200 Production (4 hosts) 300 Engineering (2 hosts) NetMgmt Cisco C3750G Enabled VLANS: 100 Administration (2 hosts) 200 Production (8 hosts) 300 Engineering (12 hosts) 400 NetMgmt (1 host) Enabled VLANS: 100 Administration (6 hosts) NetMgmt Subnet # Hosts Subnet Address Mask 1 st IP Address Last IP Address Size Broadast Network # Hosts HOSTS Subnet Administration 8 10 Production Engineering Consider Growth 20% NetMgmt 4 5

41 IP Address Block Size Based Upon 2 n LSB 2 n

42 16 32 IP Addressing Plan Base Network: / Use a VLSM Subnet Calculator:

43 The Ennes Network Architecture for KSBE Internet DHCP Fa0/0 Ennes Router Management: Cisco 1841 Cisco C2960G Management: Prod Switch Trunk - VLAN(s): 200,300,400 Gi0/7 Management: Fa0/1 Gi1/0/1 EngRack Switch Gi1/0/27 Gi1/0/28 Cisco C3750G Trunk - VLAN(s): 100,200,300,400 Gi0/7 Admin Switch Cisco C2960G Management: Trunk - VLAN(s): 100,400 Enabled VLANS: 200 Production (4 hosts) 300 Engineering (2 hosts) NetMgmt Enabled VLANS: 100 Administration (2 hosts) 200 Production (8 hosts) 300 Engineering (12 hosts) 400 NetMgmt (1 host) Enabled VLANS: 100 Administration (6 hosts) NetMgmt VLAN IP Address Configuration: VLAN: Network: Mask: Default Gateway: 100 Administration Production Engineering NetMgmt

44 IP Configuration Plan

45 IP Configuration Plan - 2

46 The First & Last IP Address of a Network is Not Useable! The First Address = Network Address or Wire Address The Last Address = Broadcast Address /25 /26 /27 Network Address Gateway Address 64 IP Addresses Network Address 62 Useable Hosts 32 IP Addresses Network Address 30 Useable Hosts Gateway Address Broadcast Address 128 IP Addresses 126 Useable Hosts Gateway Address Broadcast Address Broadcast Address 46

47 ACCESS CONTROL LISTS (ACL) 47

48 Access Control List ACL Provides Basic Network Access Security Buffer Packet Filter Based Filter IP Network Packets Egress Interface Ingress Interface Implemented: Border Internally Internet Network Border 48 Apply Internally

49 Standard Access List The ACL Rules Can Only Permit or Deny The Source Host IP Address Placed Closest to Destination Host Extended Access List Can Permit or Deny Based Upon: Source IP Address Destination IP Address TCP Port # UDP Port # TCP/IP Protocol Placed Closest to Source Network 49

50 Implementing an Access Control List One ACL per: Interface Direction Protocol Ingress ACL Filters Inbound Packets Egress ACL Filters Outbound Packets Egress ACL Filters Outbound Packets Ingress ACL Filters Inbound Packets Interface 0/0 Interface 0/1 Create Access Control List Permit or Deny: Source IP Address Destination IP Address ICMP TCP/UDP Source Port TCP/UDP Destination Port Apply Access Control List 50

51 ACL Implementation Example Block External Users From Pinging Inside Network Hosts / /24 E0 E1 The Internet Router /24 Create Access List on Router 1: access list 10 deny icmp any any access-list 10 permit ip any any Apply Access List to Interface: interface ethernet1 ip access-group 10 in 51 Configuration Disclaimer: Exact configuration commands may vary based upon specific equipment models and software version. Generic Cisco commands utilized for illustration purposes.

52 TAKEAWAYS, REFERENCES, QUESTIONS, AND MAYBE SOME ANSWERS 52

53 Takeaway Points Part 4 Use Segmented Networks Design Techniques: Performance Security Policy VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated Networks, Broadcast Domains, or Subnets Each Network, Subnet, or VLAN is a Broadcast Domain With a Unique IP Address Scheme L2 Ethernet Switches Eliminate Collision Domains L3 Routers Control Broadcast Domains NAT Can Be Used to Minimize IPV4 Address Space IP Addressing Rules Must Be Obeyed: Each Network MUST Have a Unique Network ID Each Host MUST Have a Unique Host ID Every IP Address MUST Have a Subnet Mask An IP Address Must Be Unique Globally If Host on the Public Internet The First & Last IP Address of a Network is Not Useable! 53

54 My Favorite Reference Texts: 54

55 55 My Favorite Subnet Calculator The Mask ios Subnet Calculator:

56 Web Reference Sources: 56

57 57

58 Thank You for Attending! Wayne M. Pecena Don t Miss: Webinar #5 - Cybersecurity Fundamentals & Securing the Network August 29 58