Fundamentals of IP Networking 2017 Webinar Series
Part 4: Building a Segmented IP Network Focused On Performance & Security
Wayne M. Pecena, CPBE, CBNE
Texas A&M University, Educational Broadcast Services, KAMU Public Broadcasting
Fundamentals of IP Networking 2017 Webinar Series: Advertised Presentation Scope
  Part 1 - Introduction to IP Networking Standards & the Physical Layer
  Part 2 - Ethernet Switching Fundamentals and Implementation
  Part 3 - IP Routing and Internetworking Fundamentals
  Part 4 - Building a Segmented IP Network Focused On Performance & Security - July 25
    Part 4 brings the conceptual aspects of the previous webinars together to show how to design and implement a segmented network infrastructure built for performance and security. Best-practice approaches are presented to ensure network performance and security. Specific topics include developing an IP addressing plan, segmentation techniques, and Access Control List (ACL) implementation.
  Part 5 - Cybersecurity Fundamentals & Securing the Network - August 29
Today's Outline
  Takeaway Review From Webinar 3
  Brief Overview of Layer 4 and Above
  Network Design Considerations
  Segmented Network Design
  IP Addressing Plan
  Access Control Lists (ACL)
  Takeaways, References, Questions, and Maybe Some Answers
Takeaway Points: Layer 3, The Network Layer
  Focus upon packet delivery to a network
    IP routing protocol
    The IP address contains the network address
  IP routing protocols: internal and external
    Best protocol = best fit for your network environment
  IP addressing rules must be obeyed:
    Each network MUST have a unique network ID
    Each host MUST have a unique host ID
    Every IP address MUST have a subnet mask
    An IP address must be globally unique if the host is on the public Internet
    The first and last IP address of a network is not useable!
  VLSM is widely used today: the subnet mask is explicitly stated (CIDR notation)
  Public IPv4 address space is limited
  IPv6 provides expanded address space plus IP re-engineering
    IPv6 is NOT backward compatible with IPv4 (but migration friendly)
    Future - IPv6: a must to add hosts to the Internet
    Restores the host-to-host communications that IP is based upon
BRIEF OVERVIEW OF LAYER 4 AND ABOVE
TCP Basics: Transmission Control Protocol (RFC 675 and later v4 in RFC 793)
  Connection-oriented protocol
    Connection establishment
    Segmentation & sequencing
    Acknowledgement
    Flow control or windowing
  Guaranteed or reliable data delivery
    Acknowledgment of packet receipt
    Retransmission occurs if a packet is not received
  High overhead: requires establishment of a session
  TCP windowing feature: dynamic window sizing, slow-start
TCP 3-Way Handshake
  1. Host 1 initiates the connection by sending a synchronize (SYN) message to Host 2.
  2. Host 2 responds with an acknowledgement plus its own synchronization message (SYN + ACK) to Host 1.
  3. Host 1 completes the 3-way handshake by sending an acknowledgement (ACK) to Host 2.
The TCP Session Summary (state diagram; initiating host on the left, listening host on the right, time running downward)
  Closed -> SYN Sent              ---SYN--->         Listen -> SYN Received
  Connection Established          <--SYN + ACK---
                                  ---ACK--->         Connection Established
  Data Segment 1 --->             <--- ACK
  Data Segment 2 --->             <--- ACK
  Data Segment 3 --->             <--- ACK
  FIN Wait 1                      ---FIN--->         CLOSE Wait
  FIN Wait 2                      <--ACK---
                                  <--FIN---          Last ACK
  Connection Closed               ---ACK--->         Connection Closed
UDP Basics: User Datagram Protocol (RFC 768)
  Connectionless protocol
  Simple or lightweight, but inherently unreliable
  Best-effort data delivery
  Low overhead, thus low latency
  Why use it? Required for real-time applications:
    VoIP (Voice over IP) or video over IP
    AoIP (Audio over IP)
    Latency is more detrimental than data loss
UDP Session (diagram): TCP (SYN, SYN + ACK, ACK) is used to establish the UDP session; data datagrams then flow one after another over time with no acknowledgements.
TCP vs UDP
  TCP                                     UDP
  Connection oriented                     Connectionless
  Guaranteed delivery                     Not guaranteed
  Acknowledgments sent                    No acknowledgements
  Reliable, but higher latency            Unreliable, but low latency
  Segments & sequences data               No sequencing
  Resends dropped segments                No retransmission
  Provides flow control                   No flow control
  Performs CRC                            Performs CRC
  Uses port numbers for multiplexing      Uses port numbers for multiplexing
TCP and UDP Headers (header layout figure)
RTP: Real-time Transport Protocol (RFC 3550)
  UDP based
  Real-time streaming media delivery
  RTP provides: packet sequencing, timestamping, payload type
  RTP stream overview (encapsulated in UDP segments):
    RTP data transfer (time stamped)
    RTCP QoS feedback (receiver to sender)
  Encapsulation of an RTP packet:
    Layer 2 (frame):   Ethernet header
    Layer 3 (packet):  IP header
    Layer 4 (segment): UDP header
    Layer 5:           RTP header + RTP payload
A Few Words About Port Numbers (RFC 6335)
  Applications are indexed by a port number, which allows differentiation of multiple applications
  Port numbers can be between 0 and 65,535:
    0 to 1,023 are considered reserved or system ports
    1,024 to 49,151 are user ports and can be registered
    49,152 to 65,535 are considered dynamic or private
  65,535 TCP and 65,535 UDP port numbers
  Reserved & registered port numbers: http://www.iana.org/assignments/port-numbers
Examples: Well Known System Port Numbers
  Port 20 / 21  FTP - File Transfer Protocol
  Port 23       TELNET
  Port 53       DNS - Domain Name Service
  Port 80       HTTP
  Port 110      POP3 - Post Office Protocol
  Port 123      NTP - Network Time Protocol
  Port 161      SNMP - Simple Network Management Protocol (UDP)
  Port 443      HTTPS
Sockets
  A socket is a combination of an IP address & a port number
  Allows multiple network services to exist on the same host (IP address)
  IP address + port number = socket
    IP address 192.168.100.10, port number 8080 yields socket 192.168.100.10:8080
  Example (diagram): a server at 192.168.100.100 runs an SMTP server, an HTTP server and a streaming media server; a user PC at 192.168.100.2 runs a mail client, a web browser and a streaming media player. Each conversation is a pair of sockets:
    Email:        192.168.100.100 TCP 25   <-> 192.168.100.2 TCP 1245
    Web:          192.168.100.100 TCP 80   <-> 192.168.100.2 TCP 1328
    Stream media: 192.168.100.100 UDP 1755 <-> 192.168.100.2 UDP 1873
NETWORK DESIGN CONSIDERATIONS
The Building Blocks: Hubs, Switches, & Routers
  Hub - Layer 1 device
    Acts as a repeater: all incoming frames are forwarded out every other port
    Half-duplex based, controlled by the CSMA/CD algorithm
    No intelligence
    One collision & broadcast domain across all ports
  Switch - Layer 2 device
    Originally called forwarding, then bridging, now called switching
    Full-duplex based
    Intelligence based: selectively forwards a frame to a port
    Each port is a collision domain (assuming one device per port)
    Each switch is within a broadcast domain
  Router - Layer 3 device
    Forwards packets between different networks
    Creates broadcast domains: each interface is a broadcast domain
The Flat Network: Legacy Network Architecture
  (Diagram: hosts 192.168.1.1 through 192.168.1.12, all on the single subnet 192.168.1.0)
  A single broadcast domain
  Common addressed subnet
  Challenges: manageability, security, scalability, reliability
The Hierarchical Network
  Organize by: geographic, policy / regulation, security, performance
  (Diagram: 192.168.1.0 divided into 192.168.1.0 /26, 192.168.1.64 /26 and 192.168.1.128 /26)
Network Design Considerations
  Understand your environment: each network is different!
  IP addressing considerations
  VLAN configuration
  Routing protocol selection
  Network service(s) selection (DNS, DHCP, etc.)
  Security aspects
  Access, management, documentation, & monitoring
  Physical layer scheme
  Hardware (switch & router) selection
Network Architecture Considerations: Classic Layered Approach
  Core or Backbone (Layer 3)
  Distribution
  Access (Layer 2)
Ethernet Switch Considerations
  Network role & location
  Self-contained, stackable, or modular (chassis + cards)
  Interface requirements: capabilities, range, interface density
  Layer 3 capability?
  Processor / memory / MAC addresses supported / multicast IGMP
  Backplane fabric throughput / forwarding rate (Gbps)
  Redundancy (power, processor, interfaces)
  PoE requirements / switch capacity (48 VDC nominal):
    802.3af (15 W) Class 3
    802.3at (25 W) PoE+
Router Considerations
  Network role & location
  Self-contained or modular (chassis + cards)
  Interface requirements: capabilities (LAN/WAN)
  Processor / memory / route capacity
  Fabric / backplane throughput (packets per second, PPS)
  Redundancy (power, processor, interfaces)
  Required feature set: security / IDS, QoS, MPLS, VoIP, NetFlow
SEGMENTED NETWORK DESIGN
Logical Networks (diagram)
  Production VLAN - Production Island
  Administration VLAN - Administrative Suites
  Engineering VLAN - Engineering Rack Room
Physical topology (diagram): ISP -> (CAT5 TP) -> Cisco 1841 Router -> (CAT5 TP) -> Cisco 3750G Switch -> (MM fiber) -> Cisco 2960G Switch, and (MM fiber) -> Cisco 2960G Switch; an HP ProCurve 2530 Switch is also shown.
The Ennes Network Architecture for KSBE
  Ennes Router (Cisco 1841): Internet uplink, DHCP. VLAN configuration:
    100 - Administration
    200 - Production
    300 - Engineering
    400 - NetMgmt
  Prod Switch (Cisco C2960G), enabled VLANs:
    200 Production (4 hosts)
    300 Engineering (2 hosts)
    400 - NetMgmt
  EngRack Switch (Cisco C3750G), enabled VLANs:
    100 Administration (2 hosts)
    200 Production (8 hosts)
    300 Engineering (12 hosts)
    400 NetMgmt (1 host)
  Admin Switch (Cisco C2960G), enabled VLANs:
    100 Administration (6 hosts)
    400 - NetMgmt
EngRack Switch to Ennes Router Interface: an 802.1Q trunk link from switch interface Gi1/0/1 to router trunk interface Fa0/1
  Router sub-interfaces, one per VLAN:
    Fa0/1.1 - VLAN 100
    Fa0/1.2 - VLAN 200
    Fa0/1.3 - VLAN 300
    Fa0/1.4 - VLAN 400
What is Wrong With This Design? (diagram)
  ISP -> (CAT5 TP) -> Cisco 1841 Router -> (CAT5 TP, 100 Mbps) -> Cisco 3750G Switch -> (MM fiber, GigE) -> Cisco 2960G Switch, and (MM fiber, GigE) -> Cisco 2960G Switch
  Why a 100 Mbps link between the router and the 3750G switch when the rest of the network runs at GigE?
Let's Fix It! (diagram)
  ISP -> (CAT5 TP) -> Cisco 1841 Router -> (MM fiber) -> Cisco 3750G Switch -> (MM fiber) -> Cisco 2960G Switch, and (MM fiber) -> Cisco 2960G Switch
  Then re-configure the ports on the switch & router
Another Approach! Use a Layer 3 switch (diagram)
  ISP -> (CAT5 TP) -> Cisco 3750G Switch -> (MM fiber) -> Cisco 2960G Switch, and (MM fiber) -> Cisco 2960G Switch
IP ADDRESSING PLAN
IP Addressing Considerations
  IP address planning (range): current needs, scalability
  Organize subnets (hierarchical)
  IP address host allocation:
    Public vs private (RFC 1918)
    Static vs dynamic
    Policy assignment
  Documentation (IPAM system)
  What about IPv6? Implementation factors, migration plan
Network Address Translation: NAT (RFC 3022)
  Types of NAT:
    Static: one-to-one translation
    Dynamic: a pool of public addresses is made available to outbound (client) traffic
    NAT overloading or Port Address Translation (PAT): translates to a single public IP by use of a unique port number
  NAT addressing terminology:
    Inside Local   or Inside Private
    Inside Global  or Inside Public
    Outside Global or Outside Public
    Outside Local  or Outside Private
  In general: inside addresses are local, global addresses are public
  (Diagram: the Inside Network (private), holding the Inside Local and Outside Local addresses, connects through a gateway router with NAT services to the Outside Network, holding the Inside Global and Outside Global addresses)
Static NAT (diagram)
  Private network space 10.0.0.0/24 (hosts 10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) sits behind a gateway router with NAT services; public network space 128.194.247.0 /24.
  Static mappings:
    10.0.0.2 mapped to 128.194.247.2
    10.0.0.3 mapped to 128.194.247.3
    10.0.0.4 mapped to 128.194.247.4
    (and in reverse: 128.194.247.2 mapped to 10.0.0.2, 128.194.247.3 to 10.0.0.3, 128.194.247.4 to 10.0.0.4)
  Outbound simple Layer 3 packet: source IP 10.0.0.2, destination IP 128.194.300.2, payload. The source IP address is changed by NAT, so the packet leaves as source 128.194.247.2, destination 128.194.300.2, payload.
  Inbound simple Layer 3 packet from the outside host 128.194.300.2 /24: source IP 128.194.300.2, destination IP 128.194.247.2, payload. The destination IP address is changed by NAT to 10.0.0.2 before delivery.
  (Note: 128.194.300.2, as drawn on the slide for the outside host, is not a valid IPv4 address because an octet cannot exceed 255; read it as a placeholder for some outside host.)
Dynamic NAT (diagram)
  Private network space (10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) behind a gateway router with NAT services; public network space.
  A pool of AVAILABLE public IP addresses: 128.194.247.2 through 128.194.247.14
  NAT table: 10.0.0.2 -> 128.194.247.10 (an IP address chosen from the pool of public IP addresses)
  A dynamic entry remains while traffic flows (timeout)
  It is common to have more private hosts than public IP address space
NAT Overloading or PAT: Port Address Translation (single address NAT / port-level multiplexed NAT)
  Private network space (10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) behind a gateway router with NAT services; public network space, with the single public address 128.194.247.10.
  NAT table (source address & port are translated; destination address & port are carried through):
    Inside Local      Inside Global
    10.0.0.2:1024     128.194.247.10:1024
    10.0.0.3:1026     128.194.247.10:1026
    10.0.0.4:1028     128.194.247.10:1028
NAT Drawbacks!
  Accountability is limited globally: multiple internal hosts share a global IP address
  Breaks the IP concept of end-to-end connectivity
  Complicates the process of allowing a global IP host to establish a session with an internal host
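Added example (not from the webinar): a small PAT table in Python that reproduces the NAT overloading slide, translating inside-local sockets to the single inside-global address 128.194.247.10, allocating a new port when two inside hosts reuse the same source port, and returning nothing for an unsolicited inbound packet, which is the end-to-end drawback listed above. The class name and the 10.0.0.0/24 inside network are assumptions for the example.

```python
import ipaddress

class PortAddressTranslator:
    """NAT overload (PAT) table: every inside-local socket is mapped to the one
    inside-global address plus a port that is unique on that address."""

    def __init__(self, inside_net, inside_global, port_range=(1024, 65535)):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.inside_global = inside_global
        self.port_range = port_range
        self.out_table = {}   # (inside local ip, port) -> inside global port
        self.in_table = {}    # inside global port -> (inside local ip, port)

    def _allocate_port(self, wanted):
        # Keep the original source port when it is still free on the global
        # address (as in the slide's table), otherwise take the next free port.
        lo, hi = self.port_range
        for port in [wanted] + list(range(lo, hi + 1)):
            if port not in self.in_table:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, src_ip, src_port):
        """Translate the source socket of a packet leaving the inside network."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return (src_ip, src_port)           # not an inside host: untouched
        key = (src_ip, src_port)
        if key not in self.out_table:           # first packet of a session
            gport = self._allocate_port(src_port)
            self.out_table[key] = gport
            self.in_table[gport] = key
        return (self.inside_global, self.out_table[key])

    def inbound(self, dst_port):
        """Map the destination port of a packet arriving at the global address
        back to the inside socket, or None if no inside host opened a session
        on that port: the reason an outside host cannot reach an inside host
        unless a static mapping is added."""
        return self.in_table.get(dst_port)
```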
The Ennes Network Architecture for KSBE: Host Counts per Subnet (same topology and VLAN assignments as above; the planning table columns are Subnet, # Hosts, Subnet Address, Mask, 1st IP Address, Last IP Address, Size, Broadcast, Network)
  Subnet          # Hosts   # Hosts with 20% growth
  Administration   8        10
  Production      12        15
  Engineering     14        17
  NetMgmt          4         5
  Consider growth: 20%
IP Address Block Size Based Upon 2^n (bit weights of the host octet, MSB to LSB): 128 64 32 16 8 4 2 1
IP Addressing Plan: Base Network 192.168.100.0 /25, carved into blocks of 32, 32, 16 and 8 addresses
  Use a VLSM subnet calculator: http://subnettingpractice.com/vlsm.html
The Ennes Network Architecture for KSBE: Final Configuration
  Ennes Router (Cisco 1841): Internet uplink and DHCP on Fa0/0; management address 192.168.100.82; Fa0/1 trunks VLANs 100,200,300,400 to the EngRack Switch
  EngRack Switch (Cisco C3750G): management 192.168.100.84; Gi1/0/1 to the router; Gi1/0/27 and Gi1/0/28 connect the Prod Switch and Admin Switch
    Enabled VLANs: 100 Administration (2 hosts), 200 Production (8 hosts), 300 Engineering (12 hosts), 400 NetMgmt (1 host)
  Prod Switch (Cisco C2960G): management 192.168.100.83; Gi0/7 trunk, VLANs 200,300,400
    Enabled VLANs: 200 Production (4 hosts), 300 Engineering (2 hosts), 400 NetMgmt
  Admin Switch (Cisco C2960G): management 192.168.100.85; Gi0/7 trunk, VLANs 100,400
    Enabled VLANs: 100 Administration (6 hosts), 400 NetMgmt
  VLAN IP address configuration:
    VLAN                 Network          Mask             Default Gateway
    100 Administration   192.168.100.64   255.255.255.240  192.168.100.65
    200 Production       192.168.100.32   255.255.255.224  192.168.100.33
    300 Engineering      192.168.100.0    255.255.255.224  192.168.100.1
    400 NetMgmt          192.168.100.80   255.255.255.248  192.168.100.81
IP Configuration Plan
IP Configuration Plan - 2
The First & Last IP Address of a Network is Not Useable!
  The first address = network address or wire address
  The last address = broadcast address
  Prefix   IP Addresses   Useable Hosts   Layout
  /25      128            126             network address, gateway address, ..., broadcast address
  /26      64             62              network address, gateway address, ..., broadcast address
  /27      32             30              network address, gateway address, ..., broadcast address
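Added example (not from the webinar): a VLSM allocator in Python, using only the standard ipaddress module, that rebuilds the KSBE plan from the host counts and 20% growth figure above. It sizes each block by the 2^n rule, places the largest requirement first so blocks stay aligned, and reports the network, mask, first usable (gateway) address, last usable address and broadcast address, reproducing the VLAN table for 192.168.100.0 /25. The dictionary key names and the gateway-is-first-usable convention are taken from the slides; function names are assumptions.

```python
import ipaddress

# Host counts from the KSBE plan on the slides; 20% growth is applied before sizing.
KSBE_REQUIREMENTS = {
    "100 Administration": 8,
    "200 Production": 12,
    "300 Engineering": 14,
    "400 NetMgmt": 4,
}

def prefix_for_hosts(hosts):
    """Smallest prefix length whose block holds `hosts` usable addresses.
    Two addresses per block are lost to the network and broadcast addresses."""
    needed = hosts + 2
    bits = max(2, (needed - 1).bit_length())   # 2**bits >= needed, block of at least 4
    return 32 - bits

def vlsm_plan(base, requirements, growth_pct=20):
    """Allocate VLSM subnets from `base`, largest requirement first so every
    block stays aligned on its own size (the 2^n rule from the slides)."""
    free = [ipaddress.ip_network(base)]
    plan = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        target = (hosts * (100 + growth_pct) + 99) // 100   # ceil of hosts * 1.2
        prefix = prefix_for_hosts(target)
        free.sort(key=lambda n: int(n.network_address))     # lowest free block first
        for block in free:
            if block.prefixlen <= prefix:
                free.remove(block)
                chosen = next(block.subnets(new_prefix=prefix))
                free.extend(block.address_exclude(chosen))  # hand back the remainder
                break
        else:
            raise ValueError(f"no free block for {name} ({target} hosts)")
        usable = list(chosen.hosts())
        plan.append({
            "vlan": name,
            "network": str(chosen),
            "mask": str(chosen.netmask),
            "gateway": str(usable[0]),          # first usable address, as on the slides
            "last_host": str(usable[-1]),
            "broadcast": str(chosen.broadcast_address),
            "usable": len(usable),
        })
    return plan
```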
ACCESS CONTROL LISTS (ACL)
Access Control List: ACL
  Provides a basic network access security buffer
  Packet-filter based: filters IP network packets
    Forwarded @ egress interface
    Blocked @ ingress interface
  Implemented at the border or internally (diagram: Internet -> apply @ border -> network -> apply internally)
Standard Access List
  The ACL rules can only permit or deny the source host IP address
  Placed closest to the destination host
Extended Access List
  Can permit or deny based upon: source IP address, destination IP address, TCP port #, UDP port #, TCP/IP protocol
  Placed closest to the source network
Implementing an Access Control List
  One ACL per: interface, direction, protocol
  (Diagram: on each of Interface 0/0 and Interface 0/1, an ingress ACL filters inbound packets and an egress ACL filters outbound packets)
  Create the access control list: permit or deny by source IP address, destination IP address, ICMP, TCP/UDP source port, TCP/UDP destination port
  Apply the access control list
ACL Implementation Example: Block External Users From Pinging Inside Network Hosts
  (Diagram: Router 1, with interfaces E0 and E1, sits between the Internet and the inside network 192.168.10.0 /24; the router's inside address is 192.168.10.1 /24 and the inside hosts are 192.168.10.2 /24 and 192.168.10.6 /24)
  Create the access list on Router 1:
    access-list 10 deny icmp any any
    access-list 10 permit ip any any
  Apply the access list to the interface:
    interface ethernet1
    ip access-group 10 in
  Note: because the first entry matches on a protocol (ICMP), on Cisco IOS this list has to be an extended ACL (numbered 100-199 or 2000-2699, or a named extended list); a standard ACL numbered 1-99 can match only source addresses, as the previous slide states. Entries are evaluated top down, the first match wins, and every ACL ends with an implicit deny of anything not matched, which is why the permit ip any any entry is needed.
  Configuration disclaimer: exact configuration commands may vary based upon specific equipment models and software version. Generic Cisco commands are used for illustration purposes.
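Added example (not from the webinar): a Python evaluator for the kind of extended ACL shown above. It parses access-list lines with the Cisco address forms any, host A.B.C.D and address plus wildcard mask, walks the entries top down with first-match-wins semantics, and falls through to the implicit deny. The slide's two entries are included, renumbered into the extended range as a constructed sample; port matching (eq N) is omitted for brevity, and all function names are assumptions.

```python
import ipaddress

def wildcard_match(addr, spec):
    """Match `addr` against a Cisco-style address spec: 'any', 'host A.B.C.D',
    or 'A.B.C.D W.W.W.W' where 1 bits in the wildcard mask W are don't-care bits."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    a = int(ipaddress.ip_address(addr))
    base = int(ipaddress.ip_address(parts[0]))
    wildcard = int(ipaddress.ip_address(parts[1]))
    return ((a ^ base) & (0xFFFFFFFF ^ wildcard)) == 0

def _take_addr(tok, i):
    # Consume one address spec starting at tok[i]; returns (spec, next index).
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' lines, keeping order."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue   # skip blank lines and anything that is not an ACL entry
        action, proto = tok[2], tok[3]
        src, i = _take_addr(tok, 4)
        dst, _ = _take_addr(tok, i)
        rules.append((action, proto, src, dst))
    return rules

def acl_decision(rules, proto, src, dst):
    """Evaluate a packet top down: the first matching entry decides, and a
    packet matching nothing hits the implicit deny at the end of every ACL."""
    for action, rproto, rsrc, rdst in rules:
        if rproto not in ("ip", proto):
            continue   # 'ip' covers every IP protocol; otherwise it must match
        if wildcard_match(src, rsrc) and wildcard_match(dst, rdst):
            return action
    return "deny"

# The slide's two entries, renumbered into the extended range (constructed sample).
SLIDE_ACL = [
    "access-list 110 deny icmp any any",
    "access-list 110 permit ip any any",
]
```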
TAKEAWAYS, REFERENCES, QUESTIONS, AND MAYBE SOME ANSWERS
Takeaway Points: Part 4
  Use segmented network design techniques: performance, security, policy
  VLANs allow a common physical infrastructure to support multiple isolated networks, broadcast domains, or subnets
  Each network, subnet, or VLAN is a broadcast domain with a unique IP address scheme
  L2 Ethernet switches eliminate collision domains
  L3 routers control broadcast domains
  NAT can be used to minimize IPv4 address space
  IP addressing rules must be obeyed:
    Each network MUST have a unique network ID
    Each host MUST have a unique host ID
    Every IP address MUST have a subnet mask
    An IP address must be globally unique if the host is on the public Internet
    The first and last IP address of a network is not useable!
My Favorite Reference Texts: 54
My Favorite Subnet Calculator: The Mask iOS Subnet Calculator, http://www.cylineapro.com/cylsoft-portfolio/the-mask-ipv4-ipv6-calculator
Web Reference Sources: www.packetlife.net
Thank You for Attending!
Wayne M. Pecena, wpecena@sbe.org, 979.845.5662
Don't Miss: Webinar #5 - Cybersecurity Fundamentals & Securing the Network, August 29