RA 6805 b 25 CSE 356 design problem 2


  • 8/7/2019 RA 6805 b 25 CSE 356 design problem 2

    1/37

    DESIGN PROBLEM # 4

    OF CSE- 356

    (DATA COMMUNICATION &NETWORKING)

    DOS: 21-11-2010

    SUBMITTED TO:- MR. RAVI SHANKAR

    SUBMITTED BY:-

    NAME:- SUDIPTA GHOSH

    ROLL NO.- RA6805 B 25

    REG. No. -10806924

    SECTION:-A6805

    B.TECH(HONS)-M.TECH (ECE)

    Design problem networks


    Design of firewall

    You have two networks: Network A, with IPs ranging over 192.168.1.0-255, and Network B, with IPs ranging over 192.168.2.0-255. The proxy server is situated on 192.168.3.24. Develop IPTABLES rules to masquerade the requests from both networks so that they can reach an external DNS (the host is basically acting as a proxy server that provides Internet connectivity to the client machines behind it), with the proxy service on the server IP at port 3128.

    Many firewalls block ports up to 1024 from external access but leave higher ports open, since those ports are dynamically assigned to client-side programs. It is possible to run a server on a port that is different from its designated port; web servers sometimes run on 8080 instead of 80. With NAT you can redirect connections arriving on open ports to locked ones. Note that this technique can be used for malicious purposes (a "man in the middle" attack), but it can also be used in valid ways; it is simply a means of finer control over your host and router.

    Write IPTABLES rules to block all TCP connections in state NEW to your host on ports < 1024 from 192.168.2.38/24 (using -m state). The host machine is different from the server; it can be any client in your networks. Assume the subnet mask 255.255.255.0 wherever it is not mentioned. Also include a rule that stops ping requests to your proxy server.

    1. Allow all traffic from a selection of IP subnets (for example, allow 192.168.1.0 through 192.168.10.0). They should have full access to all ports.

    2. Allow access to port 22 (ssh) and 8001 (weblogic) over TCP from a specific IP address (for example 192.168.168.168).

    3. Deny everything else.
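The following is a complete ruleset answering the problem above, added here as a worked example rather than the assignment's own solution. It assumes the proxy host 192.168.3.24 is the default gateway for both networks and reaches the Internet through eth0, that the "locked" port is 80 and the "open" one is 8080, and that the stricter requirement (drop NEW connections to ports below 1024 from 192.168.2.38/24) is meant to win over the blanket allow of 192.168.1.0/24 through 192.168.10.0/24. iptables evaluates rules in order and stops at the first match, so that DROP is placed before the ACCEPTs; the other way round it would never fire. The problem says the blocked host may be any client rather than the proxy itself; the INPUT rule below is the same on whichever host it is installed. Two caveats worth knowing: 192.168.2.38/24 is a network match, which iptables silently normalizes to 192.168.2.0/24 (all of Network B), and -m state still works on current kernels but is an alias for -m conntrack --ctstate. Setting IPT=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example for the design problem above; not the assignment's own answer.
# Assumptions (not stated in the problem): eth0 faces the Internet, the
# "locked" port is 80 and the "open" port is 8080.
# Dry run:  IPT=echo sh firewall.sh apply
# Install:  sh firewall.sh apply   (as root)
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
PROXY_IP="192.168.3.24"
PROXY_PORT="3128"
NET_A="192.168.1.0/24"
NET_B="192.168.2.0/24"

firewall_rules() {
    # Clean slate, then default-deny inbound and forwarded traffic.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback, and packets belonging to connections already in the state table.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # No ping to the proxy server: drop ICMP echo-request.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP

    # Block NEW TCP connections to ports < 1024 from 192.168.2.38/24.
    # iptables treats 192.168.2.38/24 as 192.168.2.0/24 (all of Network B).
    # This must come before the broad ACCEPT below: first match wins.
    "$IPT" -A INPUT -p tcp -s 192.168.2.38/24 --dport 0:1023 \
        -m state --state NEW -j DROP

    # Full access for 192.168.1.0/24 through 192.168.10.0/24.
    for n in 1 2 3 4 5 6 7 8 9 10; do
        "$IPT" -A INPUT -s "192.168.$n.0/24" -j ACCEPT
    done

    # SSH (22) and WebLogic (8001) from one management address only.
    "$IPT" -A INPUT -p tcp -s 192.168.168.168 -m multiport --dports 22,8001 \
        -m state --state NEW -j ACCEPT

    # Masquerade both client networks behind the WAN address and forward
    # their traffic; replies come back through the state table.
    for net in "$NET_A" "$NET_B"; do
        "$IPT" -t nat -A POSTROUTING -s "$net" -o "$WAN" -j MASQUERADE
        "$IPT" -A FORWARD -s "$net" -o "$WAN" -j ACCEPT
    done
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Transparent proxy: client web requests go to the proxy on port 3128.
    for net in "$NET_A" "$NET_B"; do
        "$IPT" -t nat -A PREROUTING -s "$net" -p tcp --dport 80 \
            -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
    done

    # NAT trick from the problem text: an "open" high port mapped onto a
    # "locked" low port on this host.
    "$IPT" -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
    # Anything not matched above falls to the DROP policies.
}

if [ "${1:-}" = "apply" ]; then
    firewall_rules
    sysctl -w net.ipv4.ip_forward=1
fi
```

Run as root with "sh firewall.sh apply"; "IPT=echo sh firewall.sh apply" shows the exact commands that would be issued, which is also the easiest way to check the rule ordering before touching a live gateway. Note that after the REDIRECT a client from Network B connecting to 8080 arrives at INPUT with destination port 80 and is dropped by the ports-below-1024 rule, which is consistent with what the problem asks for.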

    What is Firewall:-


    A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices that is configured to permit or deny network transmissions based upon a set of rules and other criteria.

    Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which inspects each message and blocks those that do not meet the specified security criteria.

    There are several types of firewall techniques:

    1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.

    2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

    3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

    4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.


    HISTORY:-

    The term firewall (or fireblock) originally meant a wall to confine a fire or potential fire within a building; cf. firewall (construction). Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment. The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large-scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.

    TYPES:-


    There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.

    Network layer and packet filters

    Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules; or default rules may apply. The term "packet filter" originated in the context of BSD operating systems.

    Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion of the connection). If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.

    Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached.

    Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of the originator, domain name of the source, and many other attributes.

    Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), and iptables/ipchains (Linux).

    Application-layer

    Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

    By inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. The additional inspection criteria can add extra latency to the forwarding of packets to their destination.

    Proxies

    A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

    Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

    Network address translation

    Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals, as well as to reduce both the amount and therefore the cost of obtaining enough public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.

    How Firewalls Work :-

    If you have been using the Internet for any length of time, and especially if you work at a larger company and browse the Web while you are at work, you have probably heard the term firewall used. For example, you often hear people in companies say things like, "I can't use that site because they won't let it through the firewall." If you have a fast Internet connection into your home (either a DSL connection or a cable modem), you may have found yourself hearing about firewalls for your home network as well. It turns out that a small home network has many of the same security issues that a large corporate network does. You can use a firewall to protect your home network and family from offensive Web sites and potential hackers. Basically, a firewall is a barrier to keep destructive forces away from your property. In fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading from one area to the next. As you read through this article, you will learn more about firewalls, how they work and what kinds of threats they can protect you from.

    Firewall Configuration

    Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these are:

    IP addresses - Each machine on the Internet is assigned a unique address called an IP address. IPv4 addresses are 32-bit numbers, normally expressed as four "octets" in a "dotted decimal number." A typical IP address looks like this: 216.27.61.137. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address.

    Domain names - Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company might block all access to certain domain names, or allow access only to specific domain names.

    Protocols - The protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a Web browser. Protocols are often text, and simply describe how the client and server will have their conversation. The "http" at the start of a Web address names the Web's protocol. Some common protocols that you can set firewall filters for include:

    IP (Internet Protocol) - the main delivery system for information over the Internet

    TCP (Transmission Control Protocol) - used to break apart and rebuild information that travels over the Internet

    HTTP (Hyper Text Transfer Protocol) - used for Web pages

    FTP (File Transfer Protocol) - used to download and upload files

    UDP (User Datagram Protocol) - used for information that requires no response, such as streaming audio and video

    ICMP (Internet Control Message Protocol) - used by hosts and routers to exchange control and error messages (ping, "destination unreachable", redirects)

    SMTP (Simple Mail Transfer Protocol) - used to send text-based information (e-mail)

    SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer

    Telnet - used to perform commands on a remote computer

    A company might set up only one or two machines to handle a specific protocol and ban that protocol on all other machines.

    Ports - Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server (see How Web Servers Work for details). For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company.

    Specific words and phrases - This can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The key here is that it has to be an exact match. The "X-rated" filter would not catch "X rated" (no hyphen). But you can include as many words, phrases and variations of them as you need.

    Some operating systems come with a firewall built in. Otherwise, a software firewall can be installed on the computer in your home that has an Internet connection. This computer is considered a gateway because it provides the only point of access between your home network and the Internet.

    With a hardware firewall, the firewall unit itself is normally the gateway. A good example is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in your home network connect to the router, which in turn is connected to either a cable or DSL modem. You configure the router via a Web-based interface that you reach through the browser on your computer. You can then set any filters or additional information.

    Hardware firewalls are effective for a home network and not very expensive. Home versions that include a router, firewall and Ethernet hub for broadband connections can be found for well under $100.

    Installation of firewall

    Firewalls for Small Offices and Home Offices

    Firewalls used to be only for large corporate networks, but then again, Internet connections used to be only for large networks, too. Now that high-speed, always-on Internet connectivity is becoming more and more common, so too are attacks against connected computers. Firewalls help protect you against such attacks by screening out many types of malicious traffic. In addition, firewalls can help keep your computer from participating in attacks on others without your knowledge. The good news is that consumer-level firewalls provide good security without requiring that you be a computer security expert.

    The router is generally a separate device from the cable or DSL modem; it's important to understand that most cable and DSL modems offer your small office network no protection whatsoever. If you didn't choose to pay extra for security features, you probably don't have any. If you're unsure about your modem, ask your ISP what level of protection your modem provides.

    If you decide to use a hardware firewall, select one that has enough network ports to allow you to connect all computers and other network devices directly to it. As shown in Figure 8, wiring a firewall into your network is as simple as adding an answering machine to your phone line. Simply unplug the Ethernet connection between your cable/DSL modem and your PC, and plug it into the firewall. Then connect your computer and other network devices into your firewall.

    The following are some of the popular hardware firewall products available: Linksys routers, NETGEAR routers, and SMC routers.

    Home and small office computers that are directly connected to the Internet require the added security of a firewall. The least expensive way to do this is to enable both ICF (Internet Connection Firewall) and ICS (Internet Connection Sharing) on one Windows system, and allow all networked computers to connect through that system. You can enable ICS on only one Internet connection on your network, and you should protect this connection by enabling ICF. ICF can check only the communications that cross the Internet connection on which it's enabled. The following types of network topology are safe and the most recommended:

    [Figure: recommended network topology; image not reproduced here]

    You should avoid topologies with multiple Internet connections. If you must have multiple direct Internet connections on your network, you should ensure that ICF is enabled on each direct Internet connection in order to protect your network. However, because ICF works on a per-connection basis, this topology is still not a recommended topology because there's no central point of administration through which you can ensure the continuous protection of all Internet connections.

    Likewise, providing Internet connectivity to your network by connecting your network hub directly to the Internet causes similar vulnerabilities and isn't a recommended topology.

    Enabling ICF on this type of network topology disrupts some network communications and provides protection only for the computer on which it's enabled. The other computers have direct connections to the Internet through the hub and aren't protected.


    Firewalls for Enterprises

    Organizations of all sizes want secure network connectivity to their business data and applications. The need to connect and collaborate with partners, customers, and remote/mobile employees anytime and anywhere has expanded network connectivity requirements beyond traditional wired local area networks (LANs) to include dial-up remote access, VPNs, and wireless networks. To enable greater access to the network and higher productivity, customers must address issues around security, management complexity, and cost. With Windows Server 2003, Windows 2000, Windows XP, and a carefully designed firewall architecture, administrators can provide secure and integrated network connectivity to business-critical applications and data.

    When addressing secure network connectivity, administrators need to consider the following:

    Security: Employees not only work from corporate offices, but also from branch offices, home offices, or the road. Providing remote connectivity requires solutions that are secure, standards-based, and manageable.

    Management complexity: Many vendors offer dedicated product solutions with little integration with other products and infrastructure. Setting up wireless clients with centralized authentication and policies can be a challenge unless there are integrated solutions.

    Lowering cost: Secure networking can be expensive if there are multiple products and technologies with separate licensing, support contracts, and training. For example, a secure VPN implementation might require a separate certificate authority for PKI, a separate authentication model, client-side software, and additional server gateways and firewalls.

    By addressing these key secure connectivity challenges, organizations can achieve greater employee productivity, decrease costs, and improve business integration.

    Using a Demilitarized Zone

    A DMZ consists of front-end servers, back-end servers, and firewalls. The firewalls protect the front-end servers from the public network and filter traffic between the corporate network and back-end servers. A DMZ provides a multilayer protection system between the Internet and the internal network of an organization.

    To provide protection, the DMZ comprises:

    A firewall that protects the front-end servers from Internet traffic.

    A set of security-hardened servers that support the services the application provides. You set up these servers so that dangerous Internet services, such as file sharing and Telnet, are disabled.

    A firewall that separates the back-end servers from the corporate networks and enables communication between the back-end servers and a few servers within the corporate network.

    A DMZ is an important element for securing a site. You need to take additional security measures to protect data the back-end servers store. You can also store extremely sensitive data, or data that's needed elsewhere in your enterprise, outside the DMZ, although doing so has negative performance implications and runs the risk, however small, of opening your corporate network to hacking.

    At the very least, a DMZ requires a router. A more sophisticated design would include two routers and a firewall. How complex your configuration needs to be depends on factors such as:

    How much security you need

    What sort of connectivity your system maintains to other networks (internal: corporate network; external: Internet)

    How many servers you need to protect


    After choosing the DMZ topology, the most important step in securing the environment is controlling its traffic. You need to determine who's allowed to connect and who isn't, and then enforce those rules, usually with routers and firewalls. Routers can provide packet filtering, which controls traffic flow between two nodes, but this tends to decrease router performance, so you have to be careful not to overuse it. Check your router utilization before and after.

    You must give particular attention to each server in the DMZ to ensure they're capable of withstanding malicious attacks. You can harden the exposed servers by using the Security Tools and Checklists for your servers' operating systems. You can also implement low-level filtering policies and close selective ports. For example, you should configure a host-based firewall on systems in a DMZ.
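The "decide who may connect, then enforce it" step above, written out as a forwarding policy for the DMZ just described. This is an added example for this page, not from the TechNet material it summarizes. It assumes a single Linux firewall with four interfaces: eth0 to the Internet, eth1 to the front-end segment (web server 192.168.100.10), eth2 to the back-end segment (database 192.168.101.20) and eth3 to the corporate network (admin workstation 10.0.0.5); the database port 1433 and management port 3389 are assumptions as well. The two tiers sit on separate interfaces on purpose: if front end and back end shared one segment the firewall would never see the traffic between them and rule 2 could not be enforced. The policy has only three allow rules, and DMZ hosts get no rule at all for opening connections inward or outward, so a hijacked front end cannot be used as a jump host into the corporate network. The allows_new helper is there so the policy can be audited without installing it.

```shell
#!/bin/sh
# Added example: traffic control for a two-tier DMZ on one Linux firewall
# with four interfaces.  Every address, interface and port is an assumption
# for the illustration.  "IPT=echo sh dmz.sh apply" prints the rules.
IPT="${IPT:-iptables}"
INET="eth0"                  # Internet
FRONT="eth1"                 # front-end DMZ segment
BACK="eth2"                  # back-end DMZ segment
LAN="eth3"                   # corporate network
WEB="192.168.100.10"         # front-end web server
DB="192.168.101.20"          # back-end database server
ADMIN="10.0.0.5"             # corporate admin workstation
DB_PORT="1433"               # database listener
ADMIN_PORT="3389"            # remote management

dmz_rules() {
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP

    # Packets of connections already admitted pass without re-evaluation;
    # packets the state engine cannot place are dropped before any allow rule.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state INVALID -j DROP

    # 1. Internet -> front end: web ports only, to the one public server.
    "$IPT" -A FORWARD -i "$INET" -o "$FRONT" -d "$WEB" -p tcp \
        -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # 2. Front end -> back end: the database port, from the web server only.
    "$IPT" -A FORWARD -i "$FRONT" -o "$BACK" -s "$WEB" -d "$DB" -p tcp \
        --dport "$DB_PORT" -m state --state NEW -j ACCEPT

    # 3. Corporate -> DMZ: one admin host, one management port, both tiers.
    for tier in "$FRONT" "$BACK"; do
        "$IPT" -A FORWARD -i "$LAN" -o "$tier" -s "$ADMIN" -p tcp \
            --dport "$ADMIN_PORT" -m state --state NEW -j ACCEPT
    done

    # Nothing else: DMZ hosts never open connections to the corporate
    # network or the Internet, so a hijacked front end is not a jump host.
    # Log (rate-limited) what the DROP policy is about to discard.
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "DMZ-DROP: "
}

# allows_new IN OUT: succeed if the policy contains an ACCEPT for NEW
# connections entering on interface IN and leaving on OUT.  Audit helper.
allows_new() {
    ( IPT=echo; dmz_rules ) | grep -F -- "-i $1 -o $2" \
        | grep -qF -- '--state NEW -j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then dmz_rules; fi
```

The INVALID drop in front of the allow rules matters on a DMZ: it discards packets with flags or sequence numbers that do not belong to any tracked connection, which is what most scanners and stray RST/ACK probes look like, before they are ever compared against the accept rules.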

    Standard DMZ Web Site Architectures

    If you're going to implement an e-commerce or enterprise application, you have to be concerned with the security of your systems and data, to ensure that people who shouldn't be accessing data can't get at it and to ensure that your system will be available despite attempts at a DoS attack. For enterprise applications, the main worry is unscrupulous employees, so security is typically enforced by using Windows and AD authentication and authorization.

    But malicious attackers can also attack e-commerce applications from outside your company via the Internet. And since it's not practical to give every anonymous customer their own Windows logon ID, you'll need to use a different sort of authentication. Because the network is the Internet, instead of an intranet that you control, you'll also have to prepare your servers to make other sorts of attacks impossible or ineffective. Finally, you'll have to be especially careful protecting customer data, such as credit card numbers.

    If you plan to host the site at your corporate facilities, you'll need to use a DMZ. The Internet-facing firewall must provide access to services such as HTTP, HTTPS, FTP, and SMTP mail. If you're collocating your servers at a hosting provider's network, a single Internet-facing firewall might be sufficient. However, you'll also need to use a VPN to securely manage the site from your corporate network.


    FTP download and upload area

    In cases like this, you may want to create a DMZ (Demilitarized Zone). Although this sounds pretty serious, it really is just an area that is outside the firewall. Think of a DMZ as the front yard of your house. It belongs to you and you may put some things there, but you would put anything valuable inside the house where it can be properly secured.

    Setting up a DMZ is very easy. If you have multiple computers, you can choose to simply place one of the computers between the Internet connection and the firewall. Most home routers and software firewalls also offer a "DMZ host" setting that forwards all unsolicited inbound traffic to one designated computer; that computer is then fully exposed to the Internet, so it should hold nothing you cannot afford to lose.

    Once you have a firewall in place, you should test it. A great way to do this is to go to grc.com and try their free Shields Up! security test. You will get immediate feedback on just how secure your system is.

    What Firewall Software Does

    A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.

    Let's say that you work at a company with 500 employees. The company will therefore have hundreds of computers that all have network cards connecting them together. In addition, the company will have one or more connections to the Internet through something like T1 or T3 lines. Without a firewall in place, all of those hundreds of computers are directly accessible to anyone on the Internet. A person who knows what he or she is doing can probe those computers, try to make FTP connections to them, try to make telnet connections to them and so on. If one employee makes a mistake and leaves a security hole, hackers can get to the machine and exploit the hole.

    With a firewall in place, the landscape is much different. A company will place a firewall at every connection to the Internet (for example, at every T1 line coming into the company). The firewall can implement security rules. For example, one of the security rules inside the company might be:

    Out of the 500 computers inside this company, only one of them is permitted to receive public FTP traffic. Allow FTP connections only to that one computer and prevent them on all others.


    A company can set up rules like this for FTP servers, Web servers, Telnet servers and so on. In addition, the company can control how employees connect to Web sites, whether files are allowed to leave the company over the network and so on. A firewall gives a company tremendous control over how people use the network.

    Firewalls use one or more of three methods to control traffic flowing in and out of the network:

    Packet filtering - Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.

    Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.

    Stateful inspection - A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a table of connections it has already seen. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics (addresses, ports, sequence numbers), then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.

    Why Firewall Security?

    There are many creative ways that unscrupulous people use to access or abuse unprotected computers:

    Remote login - When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.

    Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program.

    SMTP session hijacking - SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by relaying the e-mail through the SMTP server of an unsuspecting host (an open relay), making the actual sender of the spam difficult to trace.

    Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.

    Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is hard to counter completely. In the classic form (a SYN flood), the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.

    E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

    Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.

    Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.

    Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these, because they may lead to a phishing page or to a download that installs a backdoor on your computer.

    Redirect bombs - Hackers can use ICMP redirect messages to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.

    Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.

    Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail.
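The last two items in the list (ICMP redirects and source routing), together with the IP spoofing mentioned under proxies, are handled on a Linux firewall by kernel switches rather than by filter rules. The audit script below is an added example written for this page; the keys are the standard Linux sysctl names and the "safe" values are the usual hardening recommendations, not anything the text specifies. It reads the live values from /proc/sys, reports each one and exits non-zero if any is off policy; run with "apply" (as root) to set them. One caveat: rp_filter=1 is strict reverse-path filtering and will drop legitimate traffic on hosts with asymmetric routing; such hosts should use 2 (loose mode) instead.

```shell
#!/bin/sh
# Added example: audit (and optionally set) the Linux kernel switches that
# reject source-routed packets, ignore ICMP redirects and drop packets whose
# source address could not have arrived on that interface (spoofing).
# Keys and values are conventional hardening settings, not from the page.
# Usage:  sh harden.sh audit      (read-only, exit 1 if anything is off policy)
#         sh harden.sh apply      (as root)

HARDENING='
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
'

# safe_value KEY: print the required value, exit 1 if KEY is not in the policy.
safe_value() {
    printf '%s\n' "$HARDENING" | awk -F= -v k="$1" '$1 == k { print $2; found = 1 } END { exit !found }'
}

# check_value KEY CURRENT: print ok / FAIL / unknown; exit 0 only for ok.
check_value() {
    want=$(safe_value "$1") || { echo "unknown"; return 2; }
    if [ "$2" = "$want" ]; then
        echo "ok"
    else
        echo "FAIL"
        return 1
    fi
}

# proc_path KEY: the /proc/sys file that holds KEY (dots become slashes).
proc_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# audit: compare every live value with the policy; exit 1 if any differs.
audit() {
    rc=0
    while IFS='=' read -r key want; do
        [ -z "$key" ] && continue
        cur=$(cat "$(proc_path "$key")" 2>/dev/null || echo "absent")
        status=$(check_value "$key" "$cur") || rc=1
        printf '%-44s want=%s have=%-6s %s\n' "$key" "$want" "$cur" "$status"
    done <<EOF
$HARDENING
EOF
    return $rc
}

# apply: write the policy with sysctl (root).  Kernel settings are not
# persistent; copy HARDENING into /etc/sysctl.d/ to keep them across reboots.
apply() {
    printf '%s\n' "$HARDENING" | grep -v '^$' | while read -r kv; do
        sysctl -w "$kv"
    done
}

case "${1:-}" in
    audit) audit ;;
    apply) apply ;;
esac
```

The audit is deliberately separate from apply: on a firewall that is already in production the first run should only report, so that a setting someone changed on purpose (loose rp_filter on a multihomed box, for instance) is noticed before it is overwritten.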


The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses that have an experienced network administrator that understands what the needs are and knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change it.

One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.

    Multilayer Firewall Web Site Architectures

Many organizations have security requirements that necessitate placing a firewall between the front-end Web servers and the back-end database servers. Figure 16 shows an example architecture that meets those requirements, and provides redundancy, while minimizing cost by using multihomed redundant firewalls. In this architecture, requests the Web servers send to the database servers must pass through the redundant firewalls. The firewalls can verify the source and destination of the address, and validate that it's a legitimate request. This example architecture is placed at an Internet data center where administrators perform management of the systems remotely. Therefore, the firewalls have VPN capability, allowing administrators to securely access the Web and database servers from the corporate network.


    Proxy Services

If you have or are planning to have a home or small office network, you'll have to create a gateway from your firewall to the rest of the network. If you're implementing a software firewall on a specific computer, this means that you'll need at least two network cards in that machine. You attach one network card to the public interface (such as a DSL or cable modem), and you attach the other network card to your internal network. You then have to configure the computer to allow traffic on one side of the network to communicate with the other. ICS allows you to do this in both Windows 2000 and Windows XP.

However, at this stage in the game, many small office users decide to buy a dedicated residential gateway. These units plug directly into the DSL router or cable modem and provide the functionality of a firewall and network hub. You need to configure a residential gateway to act in the stead of the computer running ICS when contacting the ISP. For example, if you had a static IP address, you would have to assign that IP address to the gateway instead of your computer. You could either assign a new IP address to your computer, or, more likely, instruct the computer to ask the gateway for an IP address.


If a small business is using the 192.168.0.0 network ID for its intranet and its ISP has granted it the public address of w1.x1.y1.z1, then Network Address Translation (NAT) maps all private addresses on 192.168.0.0 to the IP address of w1.x1.y1.z1. If NAT maps multiple private addresses to a single public address, it uses dynamically chosen TCP and UDP ports to distinguish one intranet location from another.

Note: The use of w1.x1.y1.z1 and w2.x2.y2.z2 is intended to represent valid public IP addresses assigned by an ISP.

If a private user at 192.168.0.10 uses a Web browser to connect to the Web server at w2.x2.y2.z2, the user's computer creates an IP packet with the following information:

    Destination IP address: w2.x2.y2.z2

    Source IP address: 192.168.0.10

    Destination port: TCP port 80

    Source port: TCP port 5000

The private user's computer then forwards this packet to the NAT server, which translates the addresses of the outgoing packet to the following:

Destination IP address: w2.x2.y2.z2

    Source IP address: w1.x1.y1.z1

    Destination port: TCP port 80

    Source port: TCP port 1025

The NAT server keeps the mapping of {192.168.0.10, TCP 1025} to {w1.x1.y1.z1, TCP 5000} in a table.


The NAT server then sends the translated packet over the Internet to the Web server. The Web server sends the response back to the NAT server. When the NAT server receives the packet, the packet contains the following public address information:

    Destination IP address: w1.x1.y1.z1

    Source IP address: w2.x2.y2.z2

    Destination port: TCP port 1025

    Source port: TCP port 80

The NAT server checks its translation table and maps the public addresses to private addresses and forwards the packet to the computer at 192.168.0.10. The forwarded packet contains the following address information:

    Destination IP address: 192.168.0.10

    Source IP address: w2.x2.y2.z2

    Destination port: TCP port 5000

    Source port: TCP port 80

For outgoing packets from the NAT server, the NAT server maps the source IP address (a private address) to the ISP allocated address (a public address), and maps the TCP/UDP port numbers to a different TCP/UDP port number.

For incoming packets to the NAT server, the NAT server maps the destination IP address (a public address) to the original intranet address (a private address), and maps the TCP/UDP port numbers back to their original TCP/UDP port numbers.
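The outgoing and incoming translations described above, worked through in code. This is an added example, not code from the original document or from the Microsoft documentation it draws on. It keeps the translation table the way the packet traces above show it, private {192.168.0.10, TCP 5000} paired with public {w1.x1.y1.z1, TCP 1025}, and it uses the page's placeholder public addresses; the NatServer and Packet names, the port counter starting at 1025 and the second private host 192.168.0.11 are constructed for the illustration.

```python
"""Port-address NAT walkthrough (added example, not the page's own code).

A NAT server rewrites the source of outgoing packets to its single public
address plus a dynamically chosen port, remembers that pairing in a table,
and uses the table to rewrite the destination of matching replies back to
the private host. Packets with no table entry are dropped, which is why a
NAT box on its own already blocks unsolicited inbound connections.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class NatServer:
    """Keeps the {private ip, port} <-> {public ip, port} translation table."""

    def __init__(self, public_ip, first_port=1025):
        self.public_ip = public_ip
        self.next_port = first_port        # next public port to hand out (assumed policy)
        self.out_table = {}                # (priv_ip, priv_port, proto) -> public port
        self.in_table = {}                 # (public port, proto) -> (priv_ip, priv_port)

    def translate_outgoing(self, pkt):
        """Private host -> Internet: rewrite the source address and port."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.out_table:
            # First packet of this private socket: allocate a fresh public port
            # so two hosts using the same private port stay distinguishable.
            pub_port = self.next_port
            self.next_port += 1
            self.out_table[key] = pub_port
            self.in_table[(pub_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_table[key])

    def translate_incoming(self, pkt):
        """Internet -> private host: rewrite destination, or None if no mapping exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.in_table.get((pkt.dst_port, pkt.proto))
        if entry is None:
            return None                    # unsolicited: nothing to map it to, dropped
        priv_ip, priv_port = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def walkthrough():
    """Reproduce the page's trace; returns the three packets seen on the wire."""
    nat = NatServer("w1.x1.y1.z1")
    # Constructed request from the private user in the text
    request = Packet("192.168.0.10", 5000, "w2.x2.y2.z2", 80)
    on_internet = nat.translate_outgoing(request)
    reply = Packet("w2.x2.y2.z2", 80, "w1.x1.y1.z1", on_internet.src_port)
    delivered = nat.translate_incoming(reply)
    return on_internet, reply, delivered


if __name__ == "__main__":
    for p in walkthrough():
        print(p)
```

The unsolicited-packet branch is the detail worth keeping in mind when reading the rest of the section: a reply is only forwarded inward because an outbound packet created the table entry first.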

    Reverse Proxy Services

Most proxy servers offer services beyond the standard functionality discussed above. Reverse proxy enables the firewall to provide secure access to an internal Web server (not exposing it to the outside) by redirecting external HTTP (application proxy) requests to a single designated machine. This isn't suitable for multiserver Web hosting (reverse hosting, described next, takes care of this), but it can be quite valuable when working with a single site.

Reverse hosting allows the firewall to redirect HTTP (application proxy) requests to multiple internal Web servers. One way is to provide access to multiple servers as subwebs of one large aggregate Web site or as multiple independent Web servers. More flexible than reverse proxy but equally secure, this method enables you to abstract the physical architecture of your Web sites by mapping multiple servers to a single logical one. Both options allow the firewall to offer caching functionality, which can improve responsiveness.

Reverse proxy can be very useful. For instance, suppose you need to allow a Web server to query an internal database. There are several ways to do this. You could replicate the database to the outside (if it's not too large), but this puts the contents' integrity at risk. It might make more sense to move the Web and database servers behind the firewall and use reverse proxy or reverse hosting to get at the site. This option is very secure, although the overhead of running multiple Web servers behind the proxy might tax the proxy's ability to service Web requests from internal clients.

A third alternative is better yet: Place the Web server in the demilitarized zone (DMZ) and use the server proxy functionality of the firewall to query the database. This option provides good security and performance. Before you select any of these options, you should analyze your requirements so that you can balance necessary security against performance/usability.

    Man in the middle attack:

The man-in-the-middle attack (often abbreviated MITM), or bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).

A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.


    Routing tables


Now, first of all, we will discuss IPTABLES rules. Consider the given design problem: we have two networks, A (192.168.1.0-255) and B (192.168.2.0-255), behind a proxy server located at 192.168.3.24, which masquerades the requests from both networks so that they can connect to an external DNS. This can be understood from the following diagram.

Routers are responsible for forwarding traffic on an IP internetwork. Each router accepts datagrams from a variety of sources, examines the IP address of the destination and decides what the next hop is that the datagram needs to take to get it that much closer to its final destination.

Each router maintains a set of information that provides a mapping between different network IDs and the other routers to which it is connected. This information is contained in a data structure normally called a routing table. Each entry in the table, unsurprisingly called a routing entry, provides information about one network (or subnetwork, or host). It basically says "if the destination of this datagram is in the following network, the next hop you should take is to the following device". Each time a datagram is received the router checks its destination IP address against the routing entries in its table to decide where to send the datagram, and then sends it on its next hop.

Obviously, the fewer the entries in this table, the faster the router can decide what to do with a datagram. (This was a big part of the motivation for classless addressing, which aggregates routes into supernets to reduce router table size, as we will see in the next topic.) Some routers only have connections to two other devices, so they don't have much of a decision to make. Typically, the router will simply take datagrams coming from one of its interfaces and, if necessary, send them out on the other one. For example, consider a small company's router acting as the interface between a network of three hosts and the Internet. Any datagram sent to the router from a host on this network will need to go over the router's connection to the router at the ISP.

[Diagram: NETWORK A (192.168.1.0-255) and NETWORK B (192.168.2.0-255) connect to the PROXY SERVER (192.168.3.24), which connects to the ISP (INTERNET).]

When a router has connections to more than two devices, things become considerably more complex. Some distant networks may be more easily reachable if datagrams are sent using one of the routers than the other. The routing table contains information not only about the networks directly connected to the router, but also information that the router has learned about more distant networks.

    IP Datagram Direct Delivery and Indirect Delivery (Routing)

The overall job of the Internet Protocol is to transmit messages from higher layer protocols over an internetwork of devices. These messages must be packaged and addressed, and if necessary fragmented, and then they must be delivered. The process of delivery can be either simple or complex, depending on the proximity of the source and destination devices.

    Datagram Delivery Types

    Conceptually, we can divide all IP datagram deliveries into two general types,shown graphically


Direct Datagram Deliveries: When datagrams are sent between two devices on the same physical network, it is possible for datagrams to be delivered directly from the source to the destination. Imagine that you want to deliver a letter to a neighbor on your street. You probably wouldn't bother mailing it through the post office; you'd just put the neighbor's name on the envelope and stick it right into his or her mailbox.

Indirect Datagram Deliveries: When two devices are not on the same physical network, the delivery of datagrams from one to the other is indirect. Since the source device can't see the destination on its local network, it must send the datagram through one or more intermediate devices to deliver it. Indirect delivery is analogous to mailing a letter to a friend in a different city. You don't deliver it yourself; you put it into the postal system. The letter journeys through the postal system, possibly taking several intermediate steps, and ends up in your friend's neighborhood, where a postal carrier puts it into his or her mailbox.

Direct and Indirect (Routed) Delivery of IP Datagrams

This diagram shows three examples of IP datagram delivery. The first transmission (highlighted in green) shows a direct delivery between two devices on the local network. The second (purple) shows indirect delivery within the local network, between a client and server separated by a router. The third shows a more distant indirect delivery, between a client on the local network and a server across the Internet.

    IP Routing Concepts and the Process of Next-Hop Routing

When a datagram is sent between source and destination devices that are not on the same physical network, the datagram must be delivered indirectly between the devices, a process called routing. It is this ability to route information between devices that may be far away that allows IP to create the equivalent of a virtual internetwork that spans potentially thousands of physical networks, and lets devices even on opposite ends of the globe communicate. The process of routing in general terms is too complex to get into in complete detail here, but I do want to take a brief look at key IP routing concepts.

    Overview of IP Routing and Hops

To continue with our postal system analogy, I can send a letter from my home in the United States to someone in, say, India, and the postal systems of both countries will work to deliver the letter to its destination. However, when I drop a letter in the mailbox, it's not like someone shows up, grabs the letter, and hand-delivers it to the right address in India. The letter travels from the mailbox to my local post office. From there, it probably goes to a regional distribution center, and then from there, to a hub for international traffic. It goes to India, perhaps (likely) via an intermediate country. When it gets to India, the Indian postal system uses its own network of offices and facilities to route the letter to its destination. The envelope "hops" from one location to the next until it reaches its destination.


    IP Datagram Next-Hop Routing

This is the same diagram as that shown in the above figure except this time I have explicitly shown the hops taken by each of the three sample transmissions. The direct delivery of the first (green) transmission has only one hop (remember that the switch doesn't count because it is invisible at layer three). The local indirect delivery passes through one router, so it has two hops. The Internet delivery in this case has six hops; actual Internet routes can be much longer.

    Routing Tables in an Example Internetwork

Let's consider an example below with routers R1, R2 and R3 connected in a triangle, so that each router can send directly to the others, as well as to its own local network. Suppose R1's local network is 11.0.0.0/8, R2's is 12.0.0.0/8 and R3's is 13.0.0.0/8. (I'm just trying to keep this simple.) R1 knows that any datagram it sees with 11 as the first octet is on its local network. It will also have a routing entry that says that any IP address starting with 12 should go to R2, and any starting with 13 should go to R3.


    IP Routing and Routing Tables

This diagram shows a small, simple internetwork consisting of four LANs, each served by a router. The routing table for each lists the router to which datagrams for each destination network should be sent, and is color coded to match the colors of the networks. Notice that due to the triangle, each of R1, R2 and R3 can send to each other. However, R2 and R3 must send through R1 to deliver to R4, and R4 must use R1 to reach either of the others.

Let's suppose that R1 also connects to another router, R4, which has 14.0.0.0/8 as its local network. R1 will have an entry for this local network. However, R2 and R3 also need to know how to reach 14.0.0.0/8, even though they don't connect to its router directly. Most likely, they will have an entry that says that any datagram intended for 14.0.0.0/8 should be sent to R1. R1 will then forward them to R4. Similarly, R4 will send any traffic intended for 12.0.0.0/8 or 13.0.0.0/8 through R1.
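The four routing tables just described, written out and looked up in code. This is an added example, not code from the page or from the TCP/IP Guide it quotes. The table contents for R1 to R4 are taken from the text; the lookup uses longest-prefix match, which is the general rule a router applies and which the text's /8-only tables reduce to a first-octet check. The trace function, the misconfigured second table set and the 12.5.0.0/16 entry used to show a more-specific route winning are constructed for the illustration.

```python
"""Next-hop lookup over the R1..R4 routing tables from the text (added example).

Each table maps a destination network to either "direct" (deliver on the
local network) or the name of the neighbor router to forward to. A lookup
picks the matching entry with the longest prefix; a trace follows those
decisions router by router until delivery, a missing route, or a loop.
"""
import ipaddress

DIRECT = "direct"

# Constructed from the text: R1, R2, R3 form a triangle and R4 hangs off R1.
ROUTING_TABLES = {
    "R1": {"11.0.0.0/8": DIRECT, "12.0.0.0/8": "R2", "13.0.0.0/8": "R3", "14.0.0.0/8": "R4"},
    "R2": {"12.0.0.0/8": DIRECT, "11.0.0.0/8": "R1", "13.0.0.0/8": "R3", "14.0.0.0/8": "R1"},
    "R3": {"13.0.0.0/8": DIRECT, "11.0.0.0/8": "R1", "12.0.0.0/8": "R2", "14.0.0.0/8": "R1"},
    "R4": {"14.0.0.0/8": DIRECT, "11.0.0.0/8": "R1", "12.0.0.0/8": "R1", "13.0.0.0/8": "R1"},
}


def next_hop(router, dst_ip, tables=ROUTING_TABLES):
    """Return DIRECT, a neighbor router name, or None when no entry matches dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    best = None                      # (network, target) of the longest matching prefix
    for prefix, target in tables[router].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def trace(start, dst_ip, tables=ROUTING_TABLES, max_hops=16):
    """Follow next-hop decisions from `start`; returns the routers visited plus an outcome."""
    path = [start]
    current = start
    for _ in range(max_hops):           # bounded like a TTL so a loop cannot run forever
        hop = next_hop(current, dst_ip, tables)
        if hop is None:
            return path + ["<no route: dropped>"]
        if hop == DIRECT:
            return path + ["<delivered on local network>"]
        path.append(hop)
        current = hop
    return path + ["<loop: hop limit exceeded>"]


if __name__ == "__main__":
    print(trace("R2", "14.3.2.1"))      # R2 -> R1 -> R4 -> delivered
    print(trace("R4", "10.1.1.1"))      # no entry anywhere: dropped
```

The hop bound in trace matters: with two tables that point at each other for the same destination (a common misconfiguration), the walk terminates with a loop verdict instead of spinning, which mirrors what TTL does for a real datagram.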

    Route Determination

Now, imagine that this process is expanded to handle thousands of networks and routers. Not only do routers need to know which of their local connections to use for each network, they want to know, if possible, what is the best connection to use for each network. Since routers are interconnected in a mesh, there are usually multiple routes between any two devices, but we want to take the best route whenever we can. This may be the shortest route, the least congested, or the route considered optimal based on other criteria.

Determining what routes we should use for different networks turns out to be an important but very complex job. Routers must plan routes and exchange information about routes and networks, which can be done in a variety of ways. This is accomplished in IP using special IP routing protocols. It is through these protocols that R2 and R3 would find out that 14.0.0.0/8 exists and that it is connected to them via R1.

    Modern Protocol Types: Interior and Exterior Routing Protocols

The different nature of routing within an AS and between ASes can be seen in the fact that distinct sets of TCP/IP routing protocols are used for each type:

o Interior Routing Protocols: These protocols are used to exchange routing information between routers within an autonomous system. Interior routing protocols are not used between ASes.

o Exterior Routing Protocols: These protocols are used to exchange routing information between autonomous systems. They may in some cases be used between routers within an AS, but primarily deal with exchanging information between autonomous systems.

Since autonomous systems are just sets of routers, this means that ASes are connected by linking a router in one AS to a router in another AS. Architecturally, an AS consists of a set of routers with two different types of connectivity:

o Internal Routers: Some routers in an AS connect only to other routers in the same AS. These run interior routing protocols.

o Border Routers: Some routers in an AS connect both to routers within the AS and to routers in one or more other ASes. These devices are responsible for passing traffic between the AS and the rest of the internetwork. They run both interior and exterior routing protocols.

Due to its advantages, the autonomous system architecture, an example of which can be seen in the figure below, has become the standard for TCP/IP networks, most notably the Internet. The division of routing protocols into the interior and exterior classifications has thus also become standard, and all modern TCP/IP routing protocols are first subdivided by type in this manner. You can see this reflected in the subsection titles in the rest of this section on routing protocols.

    TCP/IP Autonomous System (AS) Routing Architecture

This diagram shows a simplified internet organized into three autonomous systems (ASes), each of which is managed independently of the others. Communication within each AS is done using an interior routing protocol chosen by that AS's administrators (blue links); communication between ASes must be done using a common exterior routing protocol (red links). Internal routers are shown in blue and border routers in red.


    Routing Protocol Algorithms and Metrics

Another key differentiation of routing protocols is on the basis of the algorithms and metrics they use. An algorithm refers to a method that the protocol uses for determining the best route between any pair of networks, and for sharing routing information between routers. A metric is a measure of "cost" that is used to assess the efficiency of a particular route. Since internetworks can be quite complex, the algorithms and metrics of a protocol are very important, and can be the determining factor in deciding that one protocol is superior to another.

There are two routing protocol algorithms that are most commonly encountered: distance-vector and link-state. There are also protocols that use a combination of these methods, or others.

    Distance-Vector (Bellman-Ford) Routing Protocol Algorithm

A distance vector routing algorithm, also called a Bellman-Ford algorithm after two of its inventors, is one where routes are selected based on the distance between networks. The distance metric is something simple, usually the number of hops, or routers, between them.

Routers using this type of protocol maintain information about the distance to all known networks in a table. They regularly send that table to each router they immediately connect with (their neighbors or peers). These routers then update their tables and send them to their neighbors. This causes distance information to propagate across the internetwork, so that eventually each router obtains distance information about all networks on the internet.

Distance-vector routing protocols are somewhat limited in their ability to choose the best route. They also are subject to certain problems in their operation that must be worked around through the addition of special heuristics and features. Their chief advantages are simplicity and history (they have been used for a long time).
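The table exchange the two paragraphs above describe, simulated over the R1 to R4 internetwork from the earlier routing-table example. This is an added example, not code from the page or from the TCP/IP Guide. The local networks are the text's; the link set (R1-R2, R1-R3, R2-R3, R1-R4), the hop-count metric and the synchronous "round" in which every router advertises to all its neighbors are assumptions made for the illustration. Withdrawing routes after a link failure, where the count-to-infinity problem appears, is not modelled here.

```python
"""Distance-vector (Bellman-Ford) route propagation (added example, not the page's code).

Every router starts knowing only its own network at distance 0. In each round
it receives each neighbor's whole table and adopts any destination that is
closer via that neighbor (neighbor's distance + 1 hop). The process stops
when a full round changes nothing: the tables have converged.
"""

LOCAL_NETS = {"R1": "11.0.0.0/8", "R2": "12.0.0.0/8", "R3": "13.0.0.0/8", "R4": "14.0.0.0/8"}
LINKS = {("R1", "R2"), ("R1", "R3"), ("R2", "R3"), ("R1", "R4")}   # constructed topology


def neighbors(router, links=LINKS):
    """Routers directly connected to `router`, in a stable order."""
    return sorted({b if a == router else a for a, b in links if router in (a, b)})


def run_distance_vector(local_nets=LOCAL_NETS, links=LINKS, max_rounds=50):
    """Return (tables, rounds_used); tables[router][network] = (hops, next_hop)."""
    tables = {r: {net: (0, "direct")} for r, net in local_nets.items()}
    for rounds in range(1, max_rounds + 1):
        changed = False
        # Snapshot first: advertisements carry what a neighbor knew at the start
        # of the round, not what it learns during it.
        advertisements = {r: dict(t) for r, t in tables.items()}
        for r in tables:
            for n in neighbors(r, links):
                for net, (dist, _) in advertisements[n].items():
                    candidate = dist + 1            # one more hop to go through n
                    if net not in tables[r] or candidate < tables[r][net][0]:
                        tables[r][net] = (candidate, n)
                        changed = True
        if not changed:
            return tables, rounds
    return tables, max_rounds


if __name__ == "__main__":
    tables, rounds = run_distance_vector()
    print(f"converged after {rounds} rounds")
    for r, t in tables.items():
        print(r, t)
```

Running it shows the point made about R2 and R3 in the text: neither is attached to 14.0.0.0/8, but after the second round both hold an entry for it at two hops with R1 as the next hop, learned only from R1's advertisement.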

    Link-State (Shortest Path First) Routing Protocol Algorithm:

A link-state algorithm selects routes based on a dynamic assessment of the shortest path between any two networks, and is for that reason also called a shortest-path first method. Each router maintains a map describing the current topology of the internetwork. This map is updated regularly by testing reachability of different parts of the internet, and by exchanging link-state information with other routers. The determination of the best route (shortest path) can be made based on a variety of metrics that indicate the true cost of sending a datagram over a particular route.

Link-state algorithms are much more powerful than distance-vector algorithms. They adapt dynamically to changing internetwork conditions, and also allow routes to be selected based on more realistic metrics of cost than simply the number of hops between networks. However, they are more complicated to set up and use more computer processing resources than distance-vector algorithms, and aren't as well-established.
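The shortest-path-first computation described above, run on the same four-router example. This is an added example, not code from the page or from the TCP/IP Guide. The routers and their local networks are the text's; the link costs (R1-R2 1, R1-R3 5, R2-R3 1, R1-R4 1) are constructed so that the cost metric and a plain hop count disagree on R1's route to 13.0.0.0/8, which is the contrast the paragraph draws. The shortest-path algorithm used is Dijkstra's, the standard choice for link-state protocols.

```python
"""Link-state (shortest path first) route computation (added example, not the page's code).

Each router holds the whole topology map (link-state database) and runs
Dijkstra's algorithm from itself. The routing table entry for a remote
network is the total path cost plus the first router on that path.
"""
import heapq

LOCAL_NETS = {"R1": "11.0.0.0/8", "R2": "12.0.0.0/8", "R3": "13.0.0.0/8", "R4": "14.0.0.0/8"}
# Constructed link costs: the direct R1-R3 link is expensive, the R1-R2-R3 path is cheap.
LINK_COSTS = {("R1", "R2"): 1, ("R1", "R3"): 5, ("R2", "R3"): 1, ("R1", "R4"): 1}


def build_map(link_costs):
    """Turn the link list into an adjacency map: graph[router][neighbor] = cost."""
    graph = {}
    for (a, b), cost in link_costs.items():
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_paths(source, graph):
    """Dijkstra: return (distance to every reachable router, predecessor on its best path)."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                          # stale heap entry, a shorter path was found
        for v, w in graph.get(u, {}).items():
            nd = d + w
            if v not in dist or nd < dist[v]:
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def routing_table(source, graph, local_nets=LOCAL_NETS):
    """table[network] = (path cost, next hop) as computed by `source` from its map."""
    dist, prev = shortest_paths(source, graph)
    table = {}
    for router, net in local_nets.items():
        if router == source:
            table[net] = (0, "direct")
        elif router in dist:                  # unreachable routers simply get no entry
            hop = router
            while prev[hop] != source:        # walk back to the first hop after source
                hop = prev[hop]
            table[net] = (dist[router], hop)
    return table


def hop_count_table(source, link_costs=LINK_COSTS, local_nets=LOCAL_NETS):
    """Same computation with every link costing 1: what a pure hop-count metric picks."""
    return routing_table(source, build_map({link: 1 for link in link_costs}), local_nets)


if __name__ == "__main__":
    graph = build_map(LINK_COSTS)
    for r in LOCAL_NETS:
        print(r, "cost:", routing_table(r, graph), "hops:", hop_count_table(r))
```

For R1's route to 13.0.0.0/8 the cost-based table goes via R2 (total cost 2) while the hop-count table takes the direct link (1 hop, cost 5); that difference is exactly the "more realistic metrics of cost" advantage the text attributes to link-state protocols.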

    Hybrid Routing Protocol Algorithms

There are also hybrid protocols that combine features from both types of algorithms, and other protocols that use completely different algorithms. For example, the Border Gateway Protocol (BGP) is a path-vector algorithm, which is somewhat similar to the distance-vector algorithm, but communicates much more detailed route information. It includes some of the attributes of distance-vector and link-state protocols, but is more than just a combination of the two.

    Static and Dynamic Routing Protocols

You may also occasionally see routing protocols categorized by type as static and dynamic, so this is the last concept I want to discuss in this overview. This terminology is somewhat misleading. The term "static routing" simply refers to a situation where the routing tables are manually set up, so they remain static. In contrast, "dynamic routing" is the subject of this entire section: the use of routing protocols to dynamically update routing tables. Thus, all routing protocols are dynamic. There is no such thing as a static routing protocol, unless you consider a network administrator editing a routing table a protocol.

Routing Protocol Concepts: Architectures, Protocol Types, Algorithms and Metrics

Routing protocols play an important part in the overall process of routing in an internetwork. It is therefore easiest to understand them in the scope of an overall discussion of routing. It's difficult to describe the individual TCP/IP routing protocols without some background information on how routing protocols work. For this reason, I feel it is worth taking a brief look at key routing protocol concepts here, so that you will have more luck making sense of the rest of the routing protocol topics in this section.

http://www.tcpipguide.com/free/t_TCPIPBorderGatewayProtocolBGPBGP4.htm

    Routing Protocol Architectures

Let's start with a look at routing protocol architectures. In this context, the word architecture refers to the way that an internetwork is structured. Once we have a number of networks and routers we wish to connect together, there is any number of ways that we can do this. The architecture we choose is based on the way that routers are linked up, and this has an impact on the way that routing is done, and how routing protocols operate.

    Core Architecture

TCP/IP and the Internet were developed simultaneously, so TCP/IP routing protocols evolved as the Internet itself did. The early architecture of the Internet consisted of a small number of core routers that contained comprehensive information about the internetwork. When the Internet was very small, it was expanded by adding more routers to this core. However, each time the core was expanded, the amount of routing information that needed to be maintained grew.

Eventually, the core became too large, so a two-level hierarchy was formed to allow further expansion. Non-core routers were located on the periphery of the core and contained only partial routing information; they relied on the core routers for transmissions that went across the internetwork. A special routing protocol called the Gateway-to-Gateway Protocol (GGP) was used within the core of the internetwork, while another protocol called the Exterior Gateway Protocol (EGP) was used between non-core and core routers. The non-core routers were sometimes single, stand-alone routers that connected a single network to the core, or they could be sets of routers belonging to an organization.

This architecture served for a while, but it did not itself scale very well as the Internet grew. The problem was mainly that the core was flat, with only a single level inside it: every router in the core had to communicate with every other. Even with peripheral routers being kept outside the core, the amount of traffic in the core kept growing.

    Autonomous System (AS) Architecture

To resolve the limitations of the early core system, a new architecture was created that moved away from the centralized concept of a core towards an architecture that was better suited to a larger and growing internetwork. This decentralized architecture treats the Internet as a set of independent groups, with each group called an autonomous system (AS). An AS consists of a set of routers and networks controlled by a particular organization or administrative entity, which uses a single consistent policy for internal routing.

http://www.tcpipguide.com/free/t_OverviewOfKeyRoutingProtocolConceptsArchitecturesP.htm

The power of this system is that routing on the internetwork as a whole occurs between ASes and not between individual routers. Routing information is exchanged only by one or a few border routers in each AS, not by every router in each AS. The details of routing within an AS are also hidden from the rest of the internetwork.

This provides both flexibility for each AS to do routing as it sees fit (thus the name autonomous) and efficiency for the overall internetwork. Each AS has its own number (its autonomous system number, or ASN), and the numbers are globally managed to make sure they are unique across an internetwork (such as the Internet).
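As an added example, not code from the original page or from the tcpipguide text it quotes, the following Python script simulates the path-vector behaviour that the hybrid-protocol paragraph attributes to BGP and that the AS architecture discussion describes at the level of whole autonomous systems: each AS advertises its best path for a prefix to its neighbours, a receiving AS rejects any path that already contains its own AS number (loop detection), and among the remaining candidates it keeps the shortest AS path. The five-AS topology, the choice of originating AS and the AS numbers (taken from the 16-bit private range 64512-65534) are constructed for illustration.

```python
"""Path-vector route propagation between autonomous systems (added example).

Illustrative code written for this page, not the tcpipguide text's own
material. The topology is constructed: five ASes using numbers from the
16-bit private range (64512-65534), linked as shown below. One prefix is
originated by a single AS and propagated until no AS changes its best path.
"""

# Constructed topology: AS number -> neighbouring AS numbers (links are bidirectional).
TOPOLOGY = {
    64512: {64513, 64514},
    64513: {64512, 64515},
    64514: {64512, 64515},
    64515: {64513, 64514, 64516},
    64516: {64515},
}


def accept_advertisement(receiver_as, advertised_path):
    """Path-vector loop detection.

    A receiving AS rejects any advertised path that already contains its own AS
    number, because accepting it would create a routing loop. This is the check
    a pure distance-vector protocol cannot make, since it carries only a cost,
    not the list of systems the route has passed through.
    """
    return receiver_as not in advertised_path


def prefer(candidate, current):
    """Best-path selection: the shorter AS path wins; ties break on the lower
    path tuple so the result is deterministic regardless of processing order."""
    if current is None:
        return True
    return (len(candidate), candidate) < (len(current), current)


def path_vector_converge(topology, origin_as):
    """Propagate one prefix originated by origin_as through the AS graph.

    Every round, each AS that has a path advertises it to all its neighbours.
    A neighbour that accepts the advertisement prepends its own AS number (the
    path reads from the receiver towards the origin) and keeps it if it is
    better than what it already holds. Returns ({as_number: as_path}, rounds).
    """
    routes = {origin_as: (origin_as,)}
    rounds = 0
    changed = True
    while changed:
        changed = False
        rounds += 1
        # Snapshot of who advertises what at the start of this round.
        announcements = [
            (advertiser, neighbor, routes[advertiser])
            for advertiser in sorted(routes)
            for neighbor in sorted(topology[advertiser])
        ]
        for _advertiser, receiver, path in announcements:
            if not accept_advertisement(receiver, path):
                continue
            candidate = (receiver,) + path
            if prefer(candidate, routes.get(receiver)):
                routes[receiver] = candidate
                changed = True
    return routes, rounds


def loop_free(routes):
    """Sanity check on the converged table: no AS appears twice in any path,
    and every path ends at the AS that originated the prefix."""
    origin = next(path[-1] for path in routes.values() if len(path) == 1)
    return all(len(set(path)) == len(path) and path[-1] == origin
               for path in routes.values())


if __name__ == "__main__":
    routes, rounds = path_vector_converge(TOPOLOGY, origin_as=64516)
    print(f"converged after {rounds} rounds, loop-free: {loop_free(routes)}")
    for as_number, path in sorted(routes.items()):
        print(f"AS{as_number}: " + " -> ".join(f"AS{hop}" for hop in path))
```

Running the script shows AS64512 reaching the origin through AS64513 rather than AS64514 (both paths are equally long; the tie-break picks the lower neighbour). Note that the selection step judges a route only by the path its neighbour advertises; the algorithm itself cannot verify that the path is genuine, which is why the border routers of an AS apply policy filters to what they accept and announce rather than trusting a neighbour's advertisement outright.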