NET 102 - Networking Essentials II

Chapter 7, Routing; Chapter 8, Firewalls

Objectives:

This lesson discusses routing issues and firewalls, which are often contained in routers. Objectives important to this lesson:

1. Router tasks
2. Routing tables
3. Convergence
4. Routing protocols:RIP, OSPF, EIGRP, IS-IS, BGP
5. Network Address Translation (NAT)
6. Administrative distance (cost), route summarization, redundant gateways
7. Router troubleshooting
8. Types of firewalls
9. Commonly used ports
10. Network design with firewalls
11. Access Control Lists (ACLs)
    

Concepts:

Chapter 7, Routing

Testout begins chapter 7 with a discussion of routers that reminds us that a router connects networks together, and that its purpose is to pass traffic from one network to another. A router is also a host device on each network it is directly connected to. This becomes important in the discussion. Network addresses are used to pass data from one network to another, but hardware addresses are usually used to pass data to hosts on the same network.

For a router to function, it must have information about several things:

• Remote Networks - networks that the router is not directly connected to
• Neighbor Routers - routers on the same networks this router is connected to
• Possible routes to remote networks - either stored in memory by network administrators (static) or advertised by routers connected to those networks (dynamic)
• The best route to all remote networks - This is an exaggeration. It really means the best route of the known routes, based on defined metrics.
• Updated routing information - This can mean that network administrators update the information, or that the router sends and receives updates dynamically.

Routers pass signals from one network to another. Routers use software addresses instead of hardware addresses. This makes them independent of protocols used at lower layers. Almost. Example: a transmission is sent from a host on network 10.25.0.0 to a host on network 10.28.0.0. It could travel along several different routes. What happens is like this:

• The Network Layer header of the outgoing message has a place to write information about the sender and the intended receiver. We are talking about IP addresses. The sender's IP address is saved in the Network Layer header, along with the IP address for the recipient. This data stays in the Network Layer header until the intended recipient breaks down the header.
  

  Layer	Source info	Destination info
  Network layer	Sender's IP	Receiver's IP
  Data Link layer

  
  
• The Data Link Layer header also has a place to write down the address of the sender and the receiver, the difference being that this layer uses MAC addresses. Since the intended recipient is not on the sender's network, the sending station sets the Data Link Layer address of the recipient to the MAC address of the router (default gateway) on its network, and sends the message as a frame to that router. If necessary, an ARP signal is sent to determine the MAC address of the default gateway router.
  

  Layer	Source info	Destination info
  Network layer	Sender's IP	Receiver's IP
  Data Link layer	Sender's MAC	Default Gateway MAC

  
  
• The router on the sender's network gets the frame, erases the sender and recipient addresses in the Data Link Layer (the green layer), and decides on a route to the recipient's network (which is written on the header of the Network layer, remember?). The next router in a logical chain is selected. If necessary, ARP is used to find the MAC address of the next router. The next router's MAC address is written in the Data Link Layer header as the "recipient", and the current router's MAC address is written to the Data Link Layer header as the "sender". The frame is forwarded to the next router.

  Layer	Source info	Destination info
  Network layer	Sender's IP	Receiver's IP
  Data Link layer	Default Gateway MAC	Next router's MAC

  
  
• The process in the step above is repeated until a router on the intended recipient's network gets the frame. Then, the final router's MAC information and the receiver's MAC information are written to the Data Link Layer header, and the frame is delivered, where it is unpacked and handed to the IP protocol on the Network layer, and up the stack of layers.
  

  Layer	Source info	Destination info
  Network layer	Sender's IP	Receiver's IP
  Data Link layer	Final router's MAC	Receiver's MAC

Back to subnet masks for a bit. They are useful to know, but they are a bit bulky. There is another way to pass along subnet mask information. What if I was told that a message was meant for the address 10.28.33.44/16? What's the /16 part for? That's CIDR notation. Classless InterDomain Routing information tells you the subnet mask that an address uses. /16 means that the network the address refers to uses 16 network bits, which is the same thing as saying it has a subnet mask of 255.255.0.0, which is the same as 11111111.11111111.00000000.00000000, but not nearly as boring, or nearly as prone to error.

In a sequence like this, the text asks you to determine the destination address of a frame, and an IP packet leaving a host. Remember that the destination address of an IP packet is the final destination address. The destination address of a frame is always the MAC address of the next device that takes us closer to the final device. A text may try to confuse you by throwing switches into the mix. Switches are not relevant to this kind of problem.

Obviously, this system would fail if routers did not have the ability to learn what routers can reach what networks. Passing a packet from one router to another is called a hop. Routers keep tables of router names, networks those routers can connect to, and how many hops away a network is through a given router. Some routers also track a cost value, which can be based on line speed. Route tables are usually constructed by using a route discovery protocol.

Static Routing

You need to know that static routing is not practical unless you are doing it for a small network. Every router that is added to the network must be added to the routing table of every other router. The command to set up static routing starts in configuration mode.

Router(config)#ip route remote_network_address remote_network_mask next_hop

The command is ip route. It is followed by the address of another network. That address is followed by the subnet mask used on that other network. The phrase next_hop stands for the address of the next router to send to, or the port on the current router that leads to the next router. You are only allowed to use a port name if the connection is point-to-point, such as a WAN link or a direct connection to another router. Example: assume we are configuring a route on a router whose address is 192.168.1.2. It is on network 192.168.1.0. We want a route to network 192.168.3.0.

ip route 192.168.3.0 255.255.255.0 192.168.1.4 100

This means that we are telling our current router that there is a route to network 192.168.3.0, which uses subnet mask 255.255.255.0. The route from here leads to a router addressed as 192.168.1.4. (That is its address on the .1 network. It has another address on the .3 network as well.) The final number is an Administrative Distance. The text explains it as a trustworthiness rating for the route. You can also think of it as a "cost" to use this route. Routers use the assigned cost of different routes to help choose the best one available.

Default Routing

Default routing is used when you only have one route out of your network, which means that all traffic leaving your network must pass through your router, and your router must have only one other router to hand off to. To use this in the example above, lets assume that:

• The 192.168.1.4 router is our only gateway.
• Instead of being on the same network, lets say the second router is on a VLSM network that links our router to it. They are the only two devices on that point-to-point connection.

ip route 0.0.0.0 0.0.0.0 192.168.1.2

This means the route to any network not listed in our routing table, with any subnet mask, is to pass the data to the router at address 192.168.1.2. Default routing may not work unless you configure the router with the command ip classless. This allows the router to hand off to subnets. In version 12.x of the Cisco IOS, this command is on by default.

The text tells us that setting a default route is also called setting a gateway of last resort. This setting can be accomplished with the command as shown above, or by using a port name instead of an IP address for the next hop router. It can also be set by using another command. In this example it would look like this:

ip route default-network 192.168.1.0

Note that this version of the command specifies the network the router is on, not the address of the router. The default-network command is only valid if there is only one route out of the network. Such a network is called a stub network. If this command is used, the route specified is automatically given an Administrative Distance of 0.

Dynamic Routing

Dynamic routing is less labor intensive for administrator, according the text, but more processor intensive for routers. Of course, this is what routers are for, so the warning in the text is hard to take seriously.

• Routing protocols - Routers communicate (advertise) information about the routes they know about to other routers using routing protocols. You have heard of some of them already, other will be discussed soon: RIP, RIPv2, IGRP, EIGRP, OSPF
• Routed protocols - Routed protocols are used to discover and choose routes, and to send traffic across those routes. Routed protocols are also "bound" to NICs. IP and IPX are routed protocols.

Some basic information about IP networks may help:

• IP networks can be divided into autonomous systems. Each autonomous system can be administered independently. This is like the concept of container administration in Active Directory or eDirectory. The text tells us that one way of defining an autonomous system (AS) is that all the routers in it share the same information.
• Routers in this kind of system are also called gateways. Routing protocols used inside an autonomous system are called interior gateway protocols (IGPs). Two IGPs are RIP and OSPF.
• Autonomous systems are connected with exterior gateway protocols (EGPs). Two of these are the Border Gateway Protocol and the Exterior Gateway Protocol. (This is confusing because the same phrase is used as a generic term, when in lower case, and as a proper noun, when in upper case.) Therefore, two EGPs are EGP and BGP.

The text returns to the concept of Administrative Distance. The value of AD can be any integer from 0 to 255. 0 is most trusted, 255 is not trusted. Cisco assigns AD values based on how a route is assigned, reached, or advertised.

• A direct connection to a network is given an AD of 0.
• A static route is given an AD of 1 by default. As noted above, a static route can be given a different AD, if desired.
• A route advertised by EIGRP is given an AD of 90.
• A route advertised by IGRP is given an AD of 100.
• A route advertised by OSPF is given an AD of 110.
• A route advertised by RIP is given an AD of 120.
• A route advertised by External EIGRP is given an AD of 170.
• A route advertised by an unknown protocol is given an AD of 255. It will not be used.

Most routing protocols fall into two classes. Cisco describes a third, which is a mixture of the other two.

• Distance Vector - The first method discussed is the Distance Vector method, known as the bad method. (Think Distance Vector... DV... Darth Vader: bad.) This is a verbose method in which routers communicate with each other, sending their entire tables to each other with each message. Its advantage is that it is easy to set up and administer. Its disadvantage becomes obvious once you know that routers talk to each other all the time, sending table data to each other, attempting to reach convergence, the state of all routers knowing the information in each others' tables. Convergence takes a lot of traffic and a lot of time using the Distance Vector method. Tables are constantly in flux, and updates are sent at intervals ranging from 10 seconds to two minutes; default is every 30 seconds. RIP has protocol versions used in IP and IPX networks. This protocol is susceptible to the count-to-infinity problem. RIP and IGRP are Distance Vector protocols.
• Link State - The second method is the Link-State method, known as the good method. (Think Link State... LS... Luke Skywalker: good.) This method is less verbose, since the routers only send messages with their whole tables when they first come on line. After that, they send messages about changes in routes to each other, making the messages less frequent and less verbose. Only first hand information is sent. This avoids the count-to-infinity problem. The routers send Link State Packets (LSPs) which contain only information about networks the routers connect to directly. IP networks use the OSPF protocol and IPX networks use the NLSP protocol. OSI has a protocol for Link State called IS-IS.
• Hybrid protocols use features of both Distance Vector and Link State protocols. EIGRP is a hybrid protocol.

The count-to-infinity problem exists only in Distance Vector routing. As I have come to expect, our author calls this by a different name: a routing loop. It works like this:

• All routers track the hops to other networks.
• If a router is not connected to a given network, it must connect to it through another router.
• Routers read the table information sent to them from other routers, and correct their own tables. They assume that the number of hops to a given network is the number of hops to another router, plus however many hops that router says it is to the other network.
• When a router goes down, the other routers continue to update. If the router that is down is the only connection to a network, that network is unavailable.
• The other routers will continue to send information to each other about how many hops away from the "down net" they are (not knowing it is down). Assume Router A was one hop away from the down router, and it will not get updates from the down router. It will now learn from its upstream neighbor, Router B, that Router B is two hops from the missing net. Router A will now assume it is three hops from the missing net, and tell other routers, who will update their tables.
• Since there is no real connection to the missing net, the tables will continue to increment the assumed number of hops to it, approaching infinity. The maximum value allowed for hops is generally 15, so for the purposes of RIP 16 equals infinity.

To combat the count-to-infinity problem, two methods are used:

• Split horizon (also known as best information) - a router is not allowed to advertise information about a path on the path that it is received from
• Split horizon with poison reverse (also known as poison reverse) - the routers do advertise paths to themselves, but they show them as infinity (16)

Some protocols do not allow VLSM. The text refers to these as classful protocols. RIPv1 and IGRP are classful protocols. These protocols do not allow the use of summary routes, which you would expect if you are not subnetting subnets. Protocols that do allow VLSM are called classless protocols.

More terminology: a route that goes up and down is said to be flapping. This causes an update each time its state changes, which is not necessarily helpful. A holddown timer is like an automatic timeout that starts when a router announces that a working route is no longer working. The reason it waits is to give the down route time to come back up, which would eliminate the need to remove it from the routing tables. The holddown is released if the route comes back up, or if a better route becomes available.

RIP

The chapter continues with a discussion of configuring RIP on routers. RIP has several timers to be aware of:

• update timer - RIP sends a router's routing table to other routers according to this timer. By default it is 30 seconds.
• invalid timer - this is the amount of time a route must be down before the router providing it marks it as bad. Default is 180 seconds. If this much time goes by, the router marks the route as bad in its own routing table, and sends an update. It is not erased from the table yet: see below.
• holddown timer - as discussed above, when an update is received about a route being down, routers start this timer. They do not update their tables about this route unless a better route is advertised while the timer is still ticking, or the timer expires. Default value is 180 seconds.
• flush timer - This one is puzzling. The invalid timer (see above) is the amount of time that a route has to be down before a router connected to it considers it down. The flush timer is the amount of time that route has to be down before it is removed from the associated router's table. That means that the router will advertise the route as down, then wait a while longer before giving up all hope. This timer must be longer than the invalid timer. By default, it is 240 seconds.

If you have set up static IP routes, you can remove them with the same commands that created them, preceded by the word no. If the command was:
ip route 192.168.3.0 255.255.255.0 192.168.1.4
the command to remove it would be:
no ip route 192.168.3.0 255.255.255.0 192.168.1.4

To activate RIP on your router, you use a sequence of commands:
router rip
network address_of_directly_connected_network
ctrl-Z

You repeat the middle command for each network directly connected to the router. This is one of the reasons people use RIP: it is easy to set up. You tell each router about the routes connected to it. It advertises them to other routers, and those routers add to their own routing tables. Then the routers keep telling each other everything they know. Over and over and over again, even if there are no changes.

Once you have enabled RIP on your router, you can check the routing table on it with this command:
show ip route
The result should be several lines long. It may start with several lines of a legend, indicating the meaning of each code at the start of each line. (See page 233 of the text for an example.)

• Static route lines start with an S.
• The line for each route that was entered as a direct connection will start with a C.
• Routes that were added to the table by RIP advertisements will start with an R. The text refers to these as "RIP-injected" routes.

Each R line will have new information after the IP address, in the format [DDD/hh]. The part I have indicate with DDD will be the Administrative Distance of the route. The part I have indicated by hh will be the number of hops. Remember that RIPv1 will only allow 15 hops in a working route. This information will allow the router to decide whether this route to a network is better, worse, or the same as a route it may already know about. In general, the table will only hold one route line for each network, as long as one is better than the others. If a route to that network is advertised that has a lower AD than the existing route in its table, the router will replace the existing line with the new route. If they have the same AD, a lower hop count makes a route better, so the route with the lower hop count is written to the table. RIP allows a router to have up to 6 equal cost routes to a network in the routing table. The default number of equal cost routes is 4.

The text notes that if our router holds a route to a network that takes 15 hops, it will still advertise that route to other routers, even though there is no point to it. Why? Because if our router is 15 hops away from a network, that means that another router would have to hop to our router to use that route, which makes it 16 hops long, which is unusable.

It is not a good idea to advertise routes outside our own networks. On the router that connects to the Internet, the port that does so should be configured with the command passive-interface port_designation.

RIPv2

RIPv2 works a lot like RIP. Both are Distance Vector protocols, both allow only 15 hops in a route. RIPv2, however, allows you to send subnet mask information with a route advertisement, so it is considered classless and it supports VLSM. To use RIPv2 use the same commands shown above, but insert one new line before pressing ctrl-Z:
version 2

RIPv2 should be used if you are connecting LANs that would otherwise use RIP but cannot due to differing subnet masks.

IGRP

The next improved routing protocol in the text is IGRP. It is still a Distance Vector protocol, but it has several improvements over RIP:

• Maximum hop count for IGRP is 255. Default is 100.
• Uses bandwidth and line delay as metrics for routes
• Update timer: 90 seconds
• Invalid timer: 270 seconds (default: 3 times the update timer)
• Holddown timer: 280 seconds (default: 3 times the update timer plus 10 seconds)
• Flush timer: 630 seconds (default: 7 times the update timer)
• AD value is 100. RIP's AD is 120, so IGRP routes are preferred over RIP routes.

When you configure IGRP on a router, you declare it to have an Autonomous System number. Only routers with the same number will share routes with each other over this protocol. To activate IGRP, enter configuration mode and enter these commands:
router igrp autonomous_system_number
network address_of_directly_connected_network
ctrl-Z

The text notes that you must enter the classful address of each network you add in the configuration. If you are subnetting, ignore that fact for the configuration of this protocol.

As with RIP, you can check the routing table on it with this command:
show ip route
The result should be several lines long. Each route added by IGRP will be tagged with an I, each route configured as directly connected will start with a C. Each IGRP line will have new information after the IP address, in the format [DDD/cccccc]. The part I have indicate with DDD will be the Administrative Distance of the route. The part I have indicated by cccccc will be a composite metric based on bandwidth and data rate. The lower the number, the better.

IGRP allows up to six routes in the table for a given network. Unlike RIP, those six routes do not need to have equal ratings. They are used for load balancing, which gives better performance than using only one route to a destination. In addition to using multiple routes, IGRP is better for larger networks than RIP.

Even though the CCNA test covers both RIP and IGRP protocols, the author advises us that it would be better to use neither of these protocols, but one of the Link State protocols from the next chapter.

The text reminds us again that we can check configuration settings with show ip route. Several command options are discussed.

• show ip route: displays the routing table
• show ip protocols -shows protocols and their timer settings
• debug ip rip - lets you watch routing updates on a terminal emulator
• debug ip igrp events - shows a summary of the IGRP routing information that is running on the network.
• debug ip igrp transactions - shows the separate IGRP transmissions on the network

Within any organization, IP addresses in private address ranges may be used without registering the addresses with IANA. Each address you use within your network must still be unique in your network. The problem is that there is no guarantee whatsoever that any address I use in my organization is not already in use in your organization, which makes direct networking between our networks unreliable, if not impossible.

The magic part: To access the Internet, traffic from a private address network passes through a router that acts as a proxy server, providing a shared connection with a registered address. That router has both a private address on your network, and a registered public address that lets it communicate with other networks. The proxy server shares its public address with the devices on your network, allowing them to send signals to other networks through it. The service that does this sharing of the address is called Network Address Translation (NAT). This may be done on a server or on a router that provides this service.

The text abruptly jumps to the topic of firewalls, which we are told may be classified three different ways:

• by their processing type
• by their evolutional generation
• by the way they are implemented (structure).
  

Firewalls by Processing type:

1. Packet-filtering firewalls

Traffic on a network is broken into packets, smaller message units. Each packet must hold at least two addresses: that of the sender and that of the recipient. A packet-filtering firewall will hold a database of rules that tell it what to do with packets. Often the rules are based on the addresses mentioned above and the protocol (network rules) the packet is being sent under. The rules may include all three ideas, such as the three rules shown in a previous text:

• The first rule says if the packet is from any address on the 172.16.0.0 network (172.16.x.x) and being sent to any address on the 10.10.0.0 network, using any protocol (Any), drop the packet (Deny). The x characters are used as wildcards on some firewalls, as the text mentions later. Other firewalls might use zeros instead, so you need to know the syntax for the firewall you are configuring.
  
• The second rule says if the packet is from any address on the 192.168.0.0 network (192.168.x.x) and being sent to the specific address 10.10.10.25 (10.10.10.25), using the HTTP protocol (HTTP is hypertext transfer protocol), let that packet through (Allow). This tells me that 10.10.10.25 is the address of a web server on that network, because HTTP is for web pages.
• The third rule says if the source address is specifically 192.168.0.1 (192.168.0.1) and the destination address is specifically 10.10.10.10, and the protocol is FTP (FTP is file transfer protocol), then let the packet through (Allow).
  

Packet filtering firewalls come in three types.

• static - a system administrator sets the rules for the firewall
  
• dynamic - the firewall sets some rules for itself, such as dropping packets from an address that is sending many bad packets
  
• stateful - packets sent by an attacker often are sent to a port that the attacker has guessed is open; a stateful firewall denies packets sent to any port unless a connection to that port has already been negotiated; this kind of checking puts more processing overhead on the firewall
  

2. Application gateway firewalls

To understand this one and the next two, I have to explain the ISO-OSI Network Model. In fact, it will help you to understand all of these processing types. The ISO-Open Systems Interconnect networking model has seven layers that describe what happens to a packet as it is prepared to be sent out on a network, and what happens when that packet is received by the machine that is meant to act on it.

Packets leaving a device start at the top layer of the model (Application, layer 7) and are processed down to stack to the bottom layer (Physical, layer 1). Packets being received by a device arrive at the Physical layer, and are handed off to each successive layer until they are received by an application at layer 7.

The chart below shows the seven layers of the ISO-OSI model, the firewall types associated with several layers, and a summary of the many things that happen on each layer. Do you need to know all the material in the third column? Not for this lesson, but eventually you will.

So, what's an application gateway? The text tells us that a proxy server, discussed in the last lesson, is an example of an application gateway. It acts as an intermediary between a requester and a more protected device. The text tells us that it is probably dedicated to one application, then confuses the issue by listing five protocols. The protocols listed correspond to particular services on a network, whose functions live on layer 7: FTP is for file service, Telnet is for remote sessions, HTTP is for web pages, SMTP is for mail service, and SNMP is for managing a network. The proxy server can make the connection, and can examine the data for allowable content. For example, a business may set up a proxy server that runs an application to prevent staff from accessing particular kinds of web sites, such as gambling, gaming, or sports sites.

3. Circuit gateways

This kind of firewall lives on the transport layer, which is associated with guaranteed delivery of packets, Other than that, the explanation in our last text was very unclear. The explanation at the PCStats web site is clearer. It explains that the function of the circuit gateway is less analytical than the proxy server, but that it does serve as an intermediary as well, making sure that only requested data is returned to the requester. It will not examine the data for content.

4. MAC layer firewalls

The MAC sublayer of the ISO-OSI Data Link layer is concerned with MAC addresses, the hard coded addresses that are generally burned into network cards when they are manufactured. This kind of firewall will check the MAC address of a requester to determine whether the device being used to make the connection is authorized to access the data in question. This would be useful in situations where devices are placed in lobbies for customers who are allowed to browse a catalog, but not allowed to place orders that would affect inventory.

5. Hybrids - the fifth processing firewall type combines features of the other four.

Firewalls by Generation type

• First generation - static packet filtering
  
• Second generation - application level
  
• Third generation - stateful inspection
  
• Fourth generation - dynamic packet filtering
  
• Fifth generation - examines packets at several layers
  

Firewalls by Structure

• Commercial appliances - runs on a custom operating system, on a dedicated device
  
• Commercial systems - a software solution that runs on a computer that may or may not be dedicated
  
• Small Office - Home Office appliances - device may actually be a cable modem, or DSL modem, may also include router and WAP services, may include intrusion protection
  
• Residential (consumer) software - typically a combination of anti-virus, firewall, intrusion detection software; should be run on all devices that connect to a home network
  

Note that none of the firewall solutions discussed will protect a network from user error. You can still trigger an incident by following a link to a malware site that is not forbidden, by running a Trojan or a worm, or by any other action that a user is allowed to take.

Let's move ahead to where the text discusses some advice for configuring firewalls.

• All traffic from the trusted network (our network) is allowed out. (This assumes our network and its hosts are not infected.)
• Firewalls are not configurable from the public facing part of the network. This makes sense: we should manage our best protection devices from inside the network, to remove the possibility that a hacker could modify the firewall's rules.
• Mail traffic sent by SMTP is sent to a mail gateway. Some may be allowed, some denied, but all should be examined by a dedicated device.
• All ICMP (ping) packets from outside our network should be denied. This is not always done in practice. You should try to ping a few public web serves to see if it works in our classroom.
• Telnet requests from the outside should blocked. This technology is not often used any more, but it is a potential hack that could be used to control our servers.
• Public facing web servers should be in a DMZ, should use the secure form of HTTP (HTTPS), and should block requests made on them to contact our trusted network assets.
• Deny traffic that has not been authenticated.
  

There are some rules that could be set on most firewalls. A typical approach to firewall rules is to decide what is allowed, write rules allowing those things, and then deny everything else. An alternative is to write rules for everything you want to deny, then allow everything else. It is not uncommon for a rule database to contain a mixture of rules that allow and deny packets. This is probably the most common approach. The section on firewall rules is pretty extensive, and a bit beyond what we want for this course, so we will continue to the next item.