
DESIGN PROBLEM # 4

OF
CSE- 356
(DATA COMMUNICATION &
NETWORKING)
DOS: 21-11-2010
SUBMITTED TO:- MR. RAVI SHANKAR

SUBMITTED BY:-

NAME:- SUDIPTA GHOSH


ROLL NO.- RA6805 B 25
REG. No. -10806924
SECTION:-A6805
B.TECH(HONS)-M.TECH (ECE)

Design problem networks


Design of firewall

You have two networks with IP ranges

Network A 192.168.1.0-255 and
Network B 192.168.2.0-255.

The proxy server is situated at 192.168.3.24. Develop IPTABLES rules to
masquerade the requests from both networks so that they can connect to an external
DNS (the machine is basically acting as a proxy server that provides an Internet
connection to the client machines behind it), with the server IP listening on port 3128.
Many firewalls block ports up to 1024 from external access but leave higher ports open,
since these ports are dynamically assigned to client-side programs. It is possible to run
a server on a port that is different from the designated port; web servers sometimes run
on 8080 instead of 80. With NAT you can redirect connections to open ports to locked
ones. Please note that this technique can be used for vicious purposes ("man in the
middle attack"), but it can also be used in valid ways; it is just a means to have finer
control over your host and router. Write IPTABLES rules to block all TCP state NEW
connections to your host on ports < 1024 from 192.168.2.38/24 (using -m state). The
host machine is different from the server host and can be any client in your networks;
assume the subnet mask 255.255.255.0 wherever it is not mentioned.
Also mention a rule which stops ping requests to your proxy server in your set of
IPTABLES rules.

1. Allow all traffic from a selection of IP subnets (for example,
allow 192.168.1.0 through to 192.168.10.0). They should have full access
to all ports.
2. Allow access to port 22 (ssh) and 8001 (weblogic) using tcp/http
traffic from a specific IP address (for example 192.168.168.168).
3. Deny everything else.
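A worked rule set for both parts of this design problem, added here as an example and not part of the original submission. It assumes the proxy host 192.168.3.24 is itself the Linux gateway, that its Internet-facing interface is eth0, and that "masquerade to port 3128" means Squid-style transparent redirection of client HTTP to the proxy service; DRY_RUN=1 (the default) prints the commands instead of applying them, so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example for the design problem above (not the original submission).
# Assumptions: the proxy host is the Linux gateway, eth0 is its external
# interface, and HTTP from clients is transparently redirected to port 3128.
# DRY_RUN=1 (default) prints the iptables commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"          # assumed external interface of the proxy
NET_A="192.168.1.0/24"            # Network A from the problem statement
NET_B="192.168.2.0/24"            # Network B from the problem statement
PROXY_IP="192.168.3.24"
PROXY_PORT="3128"

# Wrapper: echo the command in dry-run mode, otherwise run iptables for real.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Part 1: masquerade both client networks behind the proxy host, send their
# HTTP through the proxy service on 3128, block NEW TCP to ports < 1024 from
# 192.168.2.38/24, and stop ping to the proxy.
proxy_rules() {
    for net in "$NET_A" "$NET_B"; do
        # Source NAT: clients in A and B appear as the proxy's own address.
        ipt -t nat -A POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
        # Transparent proxy: client HTTP is redirected to the proxy service.
        ipt -t nat -A PREROUTING -s "$net" -p tcp --dport 80 \
            -j REDIRECT --to-ports "$PROXY_PORT"
        # Let the forwarded, masqueraded traffic (DNS included) leave.
        ipt -A FORWARD -s "$net" -o "$WAN_IF" -j ACCEPT
    done
    # Replies to forwarded connections are matched by connection tracking.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Clients must be able to reach the proxy service itself.
    ipt -A INPUT -p tcp -d "$PROXY_IP" --dport "$PROXY_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # Block all NEW TCP connections to ports below 1024 from 192.168.2.38/24.
    # Caveat: with a /24 mask iptables treats 192.168.2.38/24 as the whole
    # 192.168.2.0/24 subnet, i.e. all of Network B, not a single host.
    ipt -A INPUT -p tcp -s 192.168.2.38/24 --dport 0:1023 \
        -m state --state NEW -j DROP

    # Stop ping (ICMP echo-request) aimed at the proxy server.
    ipt -A INPUT -p icmp --icmp-type echo-request -d "$PROXY_IP" -j DROP
}

# Part 2: the three numbered requirements (full access for 192.168.1.0
# through 192.168.10.0, SSH and WebLogic from 192.168.168.168, deny the rest).
whitelist_rules() {
    # Default deny, so only the traffic listed below passes.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    # Keep replies to the host's own outbound connections working.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 1. Full access for the subnets 192.168.1.0/24 ... 192.168.10.0/24.
    i=1
    while [ "$i" -le 10 ]; do
        ipt -A INPUT -s "192.168.$i.0/24" -j ACCEPT
        i=$((i + 1))
    done
    # 2. Only SSH (22) and WebLogic (8001) over TCP from one specific host.
    for port in 22 8001; do
        ipt -A INPUT -p tcp -s 192.168.168.168 --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # 3. Everything else falls through to the DROP policy set above.
}

proxy_rules
whitelist_rules
```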

What is a Firewall:-
A firewall is a part of a computer system or network that is designed to block
unauthorized access while permitting authorized communications. It is a device
or set of devices that is configured to permit or deny network transmissions
based upon a set of rules and other criteria.

Firewalls can be implemented in either hardware or software, or a combination
of both. Firewalls are frequently used to prevent unauthorized Internet users
from accessing private networks connected to the Internet, especially intranets.
All messages entering or leaving the intranet pass through the firewall, which
inspects each message and blocks those that do not meet the specified security
criteria.

There are several types of firewall techniques:

1. Packet filter: Packet filtering inspects each packet passing through the
network and accepts or rejects it based on user-defined rules. Although
difficult to configure, it is fairly effective and mostly transparent to its
users. It is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific
applications, such as FTP and Telnet servers. This is very effective, but
can impose a performance degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP
connection is established. Once the connection has been made, packets
can flow between the hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network.
The proxy server effectively hides the true network addresses.
HISTORY:-

The term firewall/fireblock originally meant a wall to confine a fire or potential
fire within a building; cf. firewall (construction). Later uses refer to similar
structures, such as the metal sheet separating the engine compartment of a
vehicle or aircraft from the passenger compartment. The Morris Worm spread
itself through multiple vulnerabilities in the machines of the time. Although it
was not malicious in intent, the Morris Worm was the first large scale attack on
Internet security; the online community was neither expecting an attack nor
prepared to deal with one.

TYPES:-
There are several classifications of firewalls depending on where the
communication is taking place, where the communication is intercepted and the
state that is being traced.

Network layer and packet filters

Network layer firewalls, also called packet filters, operate at a relatively low
level of the TCP/IP protocol stack, not allowing packets to pass through the
firewall unless they match the established rule set. The firewall administrator
may define the rules; or default rules may apply. The term "packet filter"
originated in the context of BSD operating systems.

Network layer firewalls generally fall into two sub-categories, stateful and
stateless. Stateful firewalls maintain context about active sessions, and use that
"state information" to speed packet processing. Any existing network
connection can be described by several properties, including source and
destination IP address, UDP or TCP ports, and the current stage of the
connection's lifetime (including session initiation, handshaking, data transfer, or
completion connection). If a packet does not match an existing connection, it
will be evaluated according to the ruleset for new connections. If a packet
matches an existing connection based on comparison with the firewall's state
table, it will be allowed to pass without further processing.

Stateless firewalls require less memory, and can be faster for simple filters that
require less time to filter than to look up a session. They may also be necessary
for filtering stateless network protocols that have no concept of a session.
However, they cannot make more complex decisions based on what stage
communications between hosts have reached.

Modern firewalls can filter traffic based on many packet attributes like source
IP address, source port, destination IP address or port, and destination service like
WWW or FTP. They can filter based on protocols, TTL values, the netblock of
the originator, and many other attributes.

Commonly used packet filters on various versions of Unix are ipf (various),
ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs),
iptables/ipchains (Linux).

Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack
(i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets
traveling to or from an application. They block other packets (usually dropping
them without acknowledgment to the sender). In principle, application firewalls
can prevent all unwanted outside traffic from reaching protected machines.

On inspecting all packets for improper content, firewalls can restrict or prevent
outright the spread of networked computer worms and trojans. The additional
inspection criteria can add extra latency to the forwarding of packets to their
destination.

Proxies

A proxy device (running either on dedicated hardware or as software on a
general-purpose machine) may act as a firewall by responding to input packets
(connection requests, for example) in the manner of an application, whilst
blocking other packets.

Proxies make tampering with an internal system from the external network
more difficult and misuse of one internal system would not necessarily cause a
security breach exploitable from outside the firewall (as long as the application
proxy remains intact and properly configured). Conversely, intruders may
hijack a publicly-reachable system and use it as a proxy for their own purposes;
the proxy then masquerades as that system to other internal machines. While
use of internal address spaces enhances security, crackers may still employ
methods such as IP spoofing to attempt to pass packets to a target network.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the
hosts protected behind a firewall commonly have addresses in the "private
address range", as defined in RFC 1918. Firewalls often have such functionality
to hide the true address of protected hosts. Originally, the NAT function was
developed to address the limited number of IPv4 routable addresses that could
be used or assigned to companies or individuals as well as reduce both the
amount and therefore cost of obtaining enough public addresses for every
computer in an organization. Hiding the addresses of protected devices has
become an increasingly important defense against network reconnaissance.

How Firewalls Work :-

If you have been using the Internet for any length of time, and especially if you
work at a larger company and browse the Web while you are at work, you have
probably heard the term firewall used. For example, you often hear people in
companies say things like, "I can't use that site because they won't let it through
the firewall." If you have a fast Internet connection into your home (either a
DSL connection or a cable modem), you may have found yourself hearing about
firewalls for your home network as well. It turns out that a small home network
has many of the same security issues that a large corporate network does. You
can use a firewall to protect your home network and family from offensive Web
sites and potential hackers. Basically, a firewall is a barrier to keep destructive
forces away from your property. In fact, that's why it's called a firewall. Its job is
similar to a physical firewall that keeps a fire from spreading from one area to
the next. As you read through this article, you will learn more about firewalls,
how they work and what kinds of threats they can protect you from.

Firewall Configuration
Firewalls are customizable. This means that you can add or
remove filters based on several conditions. Some of these are:

• IP addresses - Each machine on the Internet is assigned a
unique address called an IP address. IP addresses are 32-
bit numbers, normally expressed as four "octets" in a
"dotted decimal number." A typical IP address looks like
this: 216.27.61.137. For example, if a certain IP address
outside the company is reading too many files from a
server, the firewall can block all traffic to or from that IP
address.
• Domain names - Because it is hard to remember the string
of numbers that make up an IP address, and because IP
addresses sometimes need to change, all servers on the
Internet also have human-readable names, called domain
names. For example, it is easier for most of us to
remember www.howstuffworks.com than it is to remember
216.27.61.137. A company might block all access to
certain domain names, or allow access only to specific
domain names.
• Protocols - The protocol is the pre-defined way that
someone who wants to use a service talks with that
service. The "someone" could be a person, but more often
it is a computer program like a Web browser. Protocols are
often text, and simply describe how the client and server
will have their conversation. The http at the start of a Web
address is the Web's protocol. Some common protocols that you can set firewall
filters for include:
  - IP (Internet Protocol) - the main delivery system for
  information over the Internet
  - TCP (Transmission Control Protocol) - used to break
  apart and rebuild information that travels over the
  Internet
  - HTTP (Hyper Text Transfer Protocol) - used for Web
  pages
  - FTP (File Transfer Protocol) - used to download and
  upload files
  - UDP (User Datagram Protocol) - used for information
  that requires no response, such as streaming audio
  and video
  - ICMP (Internet Control Message Protocol) - used by a
  router to exchange information with other routers
  - SMTP (Simple Mail Transport Protocol) - used to send
  text-based information (e-mail)
  - SNMP (Simple Network Management Protocol) - used
  to collect system information from a remote
  computer
  - Telnet - used to perform commands on a remote
  computer

A company might set up only one or two machines to handle a specific
protocol and ban that protocol on all other machines.

• Ports - Any server machine makes its services available to
the Internet using numbered ports, one for each service
that is available on the server (see How Web Servers Work
for details). For example, if a server machine is running a
Web (HTTP) server and an FTP server, the Web server
would typically be available on port 80, and the FTP server
would be available on port 21. A company might block
port 21 access on all machines but one inside the
company.
• Specific words and phrases - This can be anything. The
firewall will sniff (search through) each packet of
information for an exact match of the text listed in the
filter. For example, you could instruct the firewall to block
any packet with the word "X-rated" in it. The key here is
that it has to be an exact match. The "X-rated" filter would
not catch "X rated" (no hyphen). But you can include as
many words, phrases and variations of them as you need.

Some operating systems come with a firewall built in. Otherwise, a software
firewall can be installed on the computer in your home that has an Internet
connection. This computer is considered a gateway because it provides the only
point of access between your home network and the Internet.

With a hardware firewall, the firewall unit itself is normally the gateway. A
good example is the Linksys Cable/DSL router. It has a built-in Ethernet card
and hub. Computers in your home network connect to the router, which in turn
is connected to either a cable or DSL modem. You configure the router via a
Web-based interface that you reach through the browser on your computer. You
can then set any filters or additional information.

Hardware firewalls are incredibly secure and not very expensive. Home
versions that include a router, firewall and Ethernet hub for broadband
connections can be found for well under $100.

Installation of firewall

Firewalls for Small Offices and Home Offices

Firewalls used to be only for large corporate networks—but then again, Internet
connections used to be only for large networks, too. Now that high-speed,
always-on Internet connectivity is becoming more and more common, so too are
attacks against connected computers. Firewalls help protect you against such
attacks by screening out many types of malicious traffic. In addition, firewalls
can help keep your computer from participating in attacks on others without
your knowledge. The good news is that consumer-level firewalls provide good
security without requiring that you be a computer security expert.
The router is generally a separate device from the cable or DSL modem—it’s
important to understand that most cable and DSL modems offer your small
office network no protection whatsoever. If you didn’t choose to pay extra for
security features, you probably don’t have any. If you’re unsure about your
modem, ask your ISP what level of protection your modem provides.
If you decide to use a hardware firewall, select one that has enough network
ports to allow you to connect all computers and other network devices directly
to it. As shown in Figure 8, wiring a firewall into your network is as simple as
adding an answering machine to your phone line. Simply unplug the Ethernet
connection between your cable/DSL modem and your PC, and plug it into the
firewall. Then connect your computer and other network devices into your
firewall.

The following are some of the popular hardware firewall products available:
Linksys Routers, NETGEAR Routers, and SMC Routers.
Home and small office computers that are directly connected to the Internet
require the added security of a firewall. The least expensive way to do this is to
enable both ICF (Internet Connection Firewall) and ICS (Internet Connection
Sharing) on a system, and allow all networked computers to
connect through that system. You can enable ICS on only one Internet
connection on your network, and you should protect this connection by enabling
ICF. ICF can check only the communications that cross the Internet connection
on which it’s enabled. The following types of network topologies are safe and
the most recommended:
You should avoid topologies with multiple Internet connections. If you must
have multiple direct Internet connections on your network, you should ensure
that ICF is enabled on each direct Internet connection in order to protect your
network. However, because ICF works on a per-connection basis, this topology
is still not a recommended topology because there’s no central point of
administration through which you can ensure the continuous protection of all
Internet connections.

Likewise, providing Internet connectivity to your network by connecting your
network hub directly to the Internet causes similar vulnerabilities and isn’t a
recommended topology.

Enabling ICF on this type of network topology disrupts some network
communications and provides protection only for the computer on which it’s
enabled. The other computers have direct connections to the Internet through
the hub and aren’t protected.

Firewalls for Enterprises

Organizations of all sizes want secure network connectivity to their business
data and applications. The need to connect and collaborate with partners,
customers, and remote/mobile employees anytime and anywhere has expanded
network connectivity requirements beyond traditional wired local area networks
(LANs) to include dial-up remote access, VPNs, and wireless networks. To
enable greater access to the network and higher productivity, customers must
address issues around security, management complexity, and cost. With
Windows Server 2003, Windows 2000, Windows XP, and a carefully designed
firewall architecture, administrators can provide secure and integrated network
connectivity to business-critical applications and data.
When addressing secure network connectivity, administrators need to consider
the following:
• Security: Employees not only work from corporate offices, but also from
branch offices, home offices, or the road. Providing remote connectivity
requires solutions that are secure, standards-based, and manageable.
• Management complexity: Many vendors offer dedicated product
solutions with little integration with other products and infrastructure.
Setting up wireless clients with centralized authentication and policies
can be a challenge unless there are integrated solutions.
• Lowering cost: Secure networking can be expensive if there are multiple
products and technologies with separate licensing, support contracts, and
training. For example, a secure VPN implementation might require a
separate certificate authority for PKI, a separate authentication model,
client-side software, and additional server gateways and firewalls.

By addressing these key secure connectivity challenges, organizations can
achieve greater employee productivity, decrease costs, and improve business
integration.

Using a Demilitarized Zone

A DMZ consists of front-end servers, back-end servers, and firewalls. The
firewalls protect the front-end servers from the public network and filter traffic
between the corporate network and back-end servers. A DMZ provides a
multilayer protection system between the Internet and the internal network of an
organization.
To provide protection, the DMZ comprises:
• A firewall that protects the front-end servers from Internet traffic.
• A set of “security-hardened” servers that support the services the
application provides. You set up these servers so that dangerous Internet
services, such as file sharing and Telnet, are disabled.
• A firewall that separates the back-end servers from the corporate
networks and enables communication between the back-end servers and a
few servers within the corporate network.

A DMZ is an important element for securing a site. You need to take additional
security measures to protect data the back-end servers store. You can also store
extremely sensitive data or data that’s needed elsewhere in your enterprise
outside the DMZ, although doing so has negative performance implications and
runs the risk, however small, of opening your corporate network to hacking.
At the very least, a DMZ requires a router. A more sophisticated design would
include two routers and a firewall. How complex your configuration needs to be
depends on factors such as:
• How much security you need
• What sort of connectivity your system maintains to other networks
(internal—corporate network; external—Internet)
• How many servers you need to protect
After choosing the DMZ topology, the most important step in securing the environment is
controlling its traffic. You need to determine who’s allowed to connect and who
isn’t, and then enforce those rules, usually with routers and firewalls. Routers
can provide packet filtering, which controls traffic flow between two nodes, but
this tends to decrease router performance, so you have to be careful not to
overuse it. Check your router utilization before and after enabling it.
You must give particular attention to each server in the DMZ to ensure they’re
capable of withstanding malicious attacks. You can harden the exposed servers
by using the Security Tools and Checklists for your servers’ operating systems.
You can also implement low-level filtering policies and close selective ports.
For example, you should configure a host-based firewall on systems in a DMZ.

Standard DMZ Web Site Architectures

If you’re going to implement an e-commerce or enterprise application, you have
to be concerned with the security of your systems and data to ensure that people
who shouldn’t be accessing data can’t get at it and to ensure that your system
will be available despite attempts at a DoS attack. For enterprise applications,
the main worry is unscrupulous employees—so security is typically enforced by
using Windows and AD authentication and authorization.
But malicious attackers can also attack e-commerce applications from outside
your company via the Internet. And since it’s not practical to give every
anonymous customer their own Windows logon ID, you’ll need to use a
different sort of authentication. Because the network is the Internet, instead of
an intranet that you control, you’ll also have to prepare your servers to make
other sorts of attacks impossible or ineffective. Finally, you’ll have to be
especially careful protecting customer data, such as credit card numbers.
If you plan to host the site at your corporate facilities, you’ll need to use a
DMZ. The Internet-facing firewall must provide access to services such as
HTTP, HTTPS, FTP, and SMTP mail. If you’re colocating your servers at a
hosting provider’s network, a single Internet-facing firewall might be sufficient.
However, you’ll also need to use a VPN to securely manage the site from your
corporate network.
In general, here’s what happens: Clients access the application over the Internet.
Requests pass through a firewall, which filters out packets sent to the wrong
address or wrong ports. The external firewall filters these requests, ensuring
they originate from a valid address and are destined for a valid address and port
number. If the firewall is an application-layer firewall, it will verify that the
name of the page requested is valid and the request is well-formed. A Web
server running IIS handles the requests, typically by using an ASP.NET page,
and requests information from the database servers as needed. The Web servers
may make requests to resources located within the corporate network. The
DMZ’s internal firewall—a final layer of protection for the internal network—
filters these requests. This additional protection is critical since the risk of an
attacker compromising externally facing Web servers is much higher than other
internal servers, and an attacker might leverage them as a launching point for
further attacks against the internal network.
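A FORWARD-chain policy for the two-firewall DMZ described above, added as an example and not taken from this document or any vendor. The addresses, interface names and the database port 1433 (SQL Server behind the IIS/ASP.NET web tier) are placeholders assumed for the example; DRY_RUN=1 (the default) prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original document: iptables FORWARD policy for
# the external and internal firewalls of a two-firewall DMZ.
# Assumed (placeholder) addressing: DMZ web servers in 10.0.1.0/24, database
# server 10.0.2.10 on the corporate side listening on 1433, interfaces eth0
# (Internet), eth1 (DMZ) and eth2 (corporate network).

DRY_RUN="${DRY_RUN:-1}"
INET_IF="eth0"; DMZ_IF="eth1"; CORP_IF="eth2"
DMZ_NET="10.0.1.0/24"
DB_HOST="10.0.2.10"
DB_PORT="1433"

# Wrapper: echo the command in dry-run mode, otherwise run iptables for real.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# External (Internet-facing) firewall: only the published services may reach
# the hardened front-end servers; everything else is dropped.
external_firewall() {
    ipt -P FORWARD DROP
    # Anti-spoofing: packets arriving from the Internet must not claim a
    # source address inside our own DMZ range (inserted at the top).
    ipt -I FORWARD 1 -i "$INET_IF" -s "$DMZ_NET" -j DROP
    # Replies and related flows for connections already accepted.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from the Internet to the DMZ, one rule per published
    # service: HTTP, HTTPS, FTP control channel, SMTP (the set the text names).
    # FTP data channels additionally need the ftp conntrack helper loaded so
    # that they are classified as RELATED by the rule above.
    for port in 80 443 21 25; do
        ipt -A FORWARD -i "$INET_IF" -o "$DMZ_IF" -d "$DMZ_NET" -p tcp \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Internal firewall: the only connection the web tier may open towards the
# corporate side is to the database server on its port. Anything else a
# compromised web server tries is dropped and logged for review.
internal_firewall() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$CORP_IF" -s "$DMZ_NET" -d "$DB_HOST" \
        -p tcp --dport "$DB_PORT" -m state --state NEW -j ACCEPT
    # Unexpected entries with this prefix in the log are an indicator that a
    # front-end server is being used as a launching point against the inside.
    ipt -A FORWARD -i "$DMZ_IF" -o "$CORP_IF" -m state --state NEW \
        -j LOG --log-prefix "DMZ-to-corp denied: "
}

external_firewall
internal_firewall
```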

Proxy Servers and DMZ

A function that is often combined with a firewall is a proxy server. The proxy
server is used to access Web pages by the other computers. When another
computer requests a Web page, it is retrieved by the proxy server and then sent
to the requesting computer. The net effect of this action is that the remote
computer hosting the Web page never comes into direct contact with anything
on your home network, other than the proxy server.

Proxy servers can also make your Internet access work more efficiently. If you
access a page on a Web site, it is cached (stored) on the proxy server. This
means that the next time you go back to that page, it normally doesn't have to
load again from the Web site. Instead it loads instantaneously from the proxy
server.

There are times that you may want remote users to have access to items on your
network. Some examples are:

• Web site
• Online business
• FTP download and upload area

In cases like this, you may want to create a DMZ (Demilitarized Zone).
Although this sounds pretty serious, it really is just an area that is outside the
firewall. Think of DMZ as the front yard of your house. It belongs to you and
you may put some things there, but you would put anything valuable inside the
house where it can be properly secured.

Setting up a DMZ is very easy. If you have multiple computers, you can choose
to simply place one of the computers between the Internet connection and the
firewall. Most of the software firewalls available will allow you to designate a
directory on the gateway computer as a DMZ.

Once you have a firewall in place, you should test it. A great way to do this is to
go to and try their free Shields Up! security test. You will get immediate
feedback on just how secure your system is.

What Firewall Software Does

A firewall is simply a program or hardware device that filters the information
coming through the Internet connection into your private network or computer
system. If an incoming packet of information is flagged by the filters, it is not
allowed through.

Let's say that you work at a company with 500 employees. The company will
therefore have hundreds of computers that all have network cards connecting
them together. In addition, the company will have one or more connections to
the Internet through something like T1 or T3 lines. Without a firewall in place,
all of those hundreds of computers are directly accessible to anyone on the
Internet. A person who knows what he or she is doing can probe those
computers, try to make FTP connections to them, try to make telnet connections
to them and so on. If one employee makes a mistake and leaves a security hole,
hackers can get to the machine and exploit the hole.

With a firewall in place, the landscape is much different. A company will place
a firewall at every connection to the Internet (for example, at every T1 line
coming into the company). The firewall can implement security rules. For
example, one of the security rules inside the company might be:

Out of the 500 computers inside this company, only one of them is
permitted to receive public FTP traffic. Allow FTP connections only to
that one computer and prevent them on all others.
A company can set up rules like this for FTP servers, Web servers, Telnet
servers and so on. In addition, the company can control how employees connect
to Web sites, whether files are allowed to leave the company over the network
and so on. A firewall gives a company tremendous control over how people use
the network.

Firewalls use one or more of three methods to control traffic flowing in and out
of the network:

• Packet filtering - Packets (small chunks of data) are analyzed against a
set of filters. Packets that make it through the filters are sent to the
requesting system and all others are discarded.
• Proxy service - Information from the Internet is retrieved by the firewall
and then sent to the requesting system and vice versa.
• Stateful inspection - A newer method that doesn't examine the contents
of each packet but instead compares certain key parts of the packet to a
database of trusted information. Information traveling from inside the
firewall to the outside is monitored for specific defining characteristics,
then incoming information is compared to these characteristics. If the
comparison yields a reasonable match, the information is allowed
through. Otherwise it is discarded.

Why Firewall Security?

There are many creative ways that unscrupulous people use to access or abuse
unprotected computers:

• Remote login - When someone is able to connect to your computer and
control it in some form. This can range from being able to view or access
your files to actually running programs on your computer.
• Application backdoors - Some programs have special features that allow
for remote access. Others contain bugs that provide a backdoor, or
hidden access, that provides some level of control of the program.
• SMTP session hijacking - SMTP is the most common method of
sending e-mail over the Internet. By gaining access to a list of e-mail
addresses, a person can send unsolicited junk e-mail (spam) to thousands
of users. This is done quite often by redirecting the e-mail through the
SMTP server of an unsuspecting host, making the actual sender of the
spam difficult to trace.
• Operating system bugs - Like applications, some operating systems
have backdoors. Others provide remote access with insufficient security
controls or have bugs that an experienced hacker can take advantage of.
• Denial of service - You have probably heard this phrase used in news
reports on the attacks on major Web sites. This type of attack is nearly
impossible to counter. What happens is that the hacker sends a request to
the server to connect to it. When the server responds with an
acknowledgement and tries to establish a session, it cannot find the
system that made the request. By inundating a server with these
unanswerable session requests, a hacker causes the server to slow to a
crawl or eventually crash.
• E-mail bombs - An e-mail bomb is usually a personal attack. Someone
sends you the same e-mail hundreds or thousands of times until your e-
mail system cannot accept any more messages.
• Macros - To simplify complicated procedures, many applications allow
you to create a script of commands that the application can run. This
script is known as a macro. Hackers have taken advantage of this to
create their own macros that, depending on the application, can destroy
your data or crash your computer.
• Viruses - Probably the most well-known threat is computer viruses. A
virus is a small program that can copy itself to other computers. This way
it can spread quickly from one system to the next. Viruses range from
harmless messages to erasing all of your data.
• Spam - Typically harmless but always annoying, spam is the electronic
equivalent of junk mail. Spam can be dangerous though. Quite often it
contains links to Web sites. Be careful of clicking on these because you
may accidentally accept a cookie that provides a backdoor to your
computer.
• Redirect bombs - Hackers can use ICMP to change (redirect) the path
information takes by sending it to a different router. This is one of the
ways that a denial of service attack is set up.
• Source routing - In most cases, the path a packet travels over the Internet
(or any other network) is determined by the routers along that path. But
the source providing the packet can arbitrarily specify the route that the
packet should travel. Hackers sometimes take advantage of this to make
information appear to come from a trusted source or even from inside the
network! Most firewall products disable source routing by default.

Some of the items in the list above are hard, if not impossible, to filter using a
firewall. While some firewalls offer virus protection, it is worth the investment
to install anti-virus software on each computer. And, even though it is annoying,
some spam is going to get through your firewall as long as you accept e-mail.
The level of security you establish will determine how many of these threats can
be stopped by your firewall. The highest level of security would be to simply
block everything. Obviously that defeats the purpose of having an Internet
connection. But a common rule of thumb is to block everything, then begin to
select what types of traffic you will allow. You can also restrict traffic that
travels through the firewall so that only certain types of information, such as e-
mail, can get through. This is a good rule for businesses that have an
experienced network administrator that understands what the needs are and
knows exactly what traffic to allow through. For most of us, it is probably better
to work with the defaults provided by the firewall developer unless there is a
specific reason to change it.

One of the best things about a firewall from a security standpoint is that it stops
anyone on the outside from logging onto a computer in your private network.
While this is a big deal for businesses, most home networks will probably not
be threatened in this manner. Still, putting a firewall in place provides some
peace of mind.

Multilayer Firewall Web Site Architectures

Many organizations have security requirements that necessitate placing a
firewall between the front-end Web servers and the back-end database servers.
Figure 16 shows an example architecture that meets those requirements, and
provides redundancy, while minimizing cost by using multihomed redundant
firewalls. In this architecture, requests the Web servers send to the database
servers must pass through the redundant firewalls. The firewalls can verify the
source and destination of the address, and validate that it’s a legitimate request.
This example architecture is placed at an Internet data center where
administrators perform management of the systems remotely. Therefore, the
firewalls have VPN capability, allowing administrators to securely access the
Web and database servers from the corporate network.

Proxy Services

If you have or are planning to have a home or small office network, you’ll have
to create a gateway from your firewall to the rest of the network. If you’re
implementing a software firewall on a specific computer, this means that you’ll
need at least two network cards in that machine. You attach one network card to
the public interface (such as a DSL or cable modem), and you attach the other
network card to your internal network. You then have to configure the computer
to allow traffic on one side of the network to communicate with the other.
Internet Connection Sharing (ICS) allows you to do this in both Windows 2000
and Windows XP.
However, at this stage in the game, many small office users decide to buy a
dedicated residential gateway. These units plug directly into the DSL router or
cable modem and provide the functionality of a firewall and network hub. You
need to configure a residential gateway to act in the stead of the computer
running ICS when contacting the ISP. For example, if you had a static IP
address, you would have to assign that IP address to the gateway instead of your
computer. You could either assign a new IP address to your computer, or, more
likely, instruct the computer to ask the gateway for an IP address.
If a small business is using the 192.168.0.0 network ID for its intranet and its
ISP has granted it the public address of w1.x1.y1.z1, then Network Address
Translation (NAT) maps all private addresses on 192.168.0.0 to the IP address
of w1.x1.y1.z1. If NAT maps multiple private addresses to a single public
address, it uses dynamically chosen TCP and UDP ports to distinguish one
intranet location from another.
Note: The use of w1.x1.y1.z1 and w2.x2.y2.z2 is intended to represent valid
public IP addresses assigned by an ISP.

If a private user at 192.168.0.10 uses a Web browser to connect to the Web
server at w2.x2.y2.z2, the user’s computer creates an IP packet with the
following information:
• Destination IP address: w2.x2.y2.z2
• Source IP address: 192.168.0.10
• Destination port: TCP port 80
• Source port: TCP port 5000

The private user’s computer then forwards this packet to the NAT server, which
translates the addresses of the outgoing packet to the following:
• Destination IP address: w2.x2.y2.z2
• Source IP address: w1.x1.y1.z1
• Destination port: TCP port 80
• Source port: TCP port 1025

The NAT server keeps the mapping of {192.168.0.10, TCP 5000} to
{w1.x1.y1.z1, TCP 1025} in a table.
The NAT server then sends the translated packet over the Internet to the Web
server. The Web server sends the response back to the NAT server. When the
NAT server receives the packet, the packet contains the following public
address information:
• Destination IP address: w1.x1.y1.z1
• Source IP address: w2.x2.y2.z2
• Destination port: TCP port 1025
• Source port: TCP port 80

The NAT server checks its translation table and maps the public addresses to
private addresses and forwards the packet to the computer at 192.168.0.10. The
forwarded packet contains the following address information:
• Destination IP address: 192.168.0.10
• Source IP address: w2.x2.y2.z2
• Destination port: TCP port 5000
• Source port: TCP port 80

For outgoing packets from the NAT server, the NAT server maps the source IP
address (a private address) to the ISP allocated address (a public address), and
maps the TCP/UDP port numbers to a different TCP/UDP port number.
For incoming packets to the NAT server, the NAT server maps the destination
IP address (a public address) to the original intranet address (a private address),
and maps the TCP/UDP port numbers back to their original TCP/UDP port
numbers.
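
The translation table described above can be modelled in a few lines. The following Python is an added example, not code from the page or from any NAT product: it keeps the {private address, port} to {public address, port} mapping, rewrites outgoing and incoming packets exactly as the four packet listings above show, and returns None for an inbound packet that matches no table entry, which is why a NAT box drops unsolicited connections from the Internet (the behaviour an iptables MASQUERADE rule gives the proxy server in the design problem). The addresses 198.51.100.1 and 203.0.113.80 are constructed stand-ins for w1.x1.y1.z1 and w2.x2.y2.z2, taken from the documentation address ranges.

```python
"""NAT with port translation, simulated in Python (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the text's placeholder addresses, taken from the
# documentation (TEST-NET) ranges so they never collide with real hosts.
PUBLIC_IP = "198.51.100.1"    # plays the role of w1.x1.y1.z1 (ISP-assigned)
WEB_SERVER = "203.0.113.80"   # plays the role of w2.x2.y2.z2 (external site)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatServer:
    """Hides every private address behind one public address, telling
    connections apart by the public-side port it allocates (the behaviour
    iptables calls MASQUERADE)."""

    def __init__(self, public_ip: str, first_port: int = 1025) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, private ip, private port) -> allocated public port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (private ip, private port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_outgoing(self, pkt: Packet) -> Packet:
        """Rewrite source address/port of a packet leaving the intranet."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_incoming(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite destination of a packet arriving from the Internet.
        Returns None when no table entry exists, i.e. the packet is not a
        reply to something an inside host sent, so the NAT drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


def walk_through():
    """The packets from the text, plus a second inside host and an
    unsolicited inbound packet. Returns the translated packets."""
    nat = NatServer(PUBLIC_IP)
    # 192.168.0.10:5000 -> web server :80 (packet as built by the client)
    outgoing = Packet("192.168.0.10", 5000, WEB_SERVER, 80)
    on_wire = nat.translate_outgoing(outgoing)          # src becomes PUBLIC_IP:1025
    # A second host that happens to pick the same source port 5000 gets its
    # own public port (1026), which is how NAT keeps the two sessions apart.
    other = nat.translate_outgoing(Packet("192.168.0.11", 5000, WEB_SERVER, 80))
    # The web server answers to PUBLIC_IP:1025; the NAT maps it back.
    reply = Packet(WEB_SERVER, 80, PUBLIC_IP, on_wire.src_port)
    delivered = nat.translate_incoming(reply)           # dst becomes 192.168.0.10:5000
    # A packet nobody asked for, aimed at a port with no mapping, is dropped.
    unsolicited = nat.translate_incoming(Packet("203.0.113.9", 4444, PUBLIC_IP, 2000))
    return on_wire, other, delivered, unsolicited


if __name__ == "__main__":
    for p in walk_through():
        print(p)
```

Running the file prints the packet as it appears on the public side (source 198.51.100.1:1025), the second host's packet on port 1026, the reply mapped back to 192.168.0.10:5000, and None for the unsolicited packet.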

Reverse Proxy Services

Most proxy servers offer services beyond the standard functionality discussed
above. Reverse proxy enables the firewall to provide secure access to an
internal Web server (not exposing it to the outside) by redirecting external
HTTP (application proxy) requests to a single designated machine. This isn’t
suitable for multiserver Web hosting (reverse hosting—described next—takes
care of this), but it can be quite valuable when working with a single site.
Reverse hosting allows the firewall to redirect HTTP (application proxy)
requests to multiple internal Web servers. One method is to provide access
to multiple servers as subwebs of one large aggregate Web site or as multiple
independent Web servers. More flexible than reverse proxy but equally secure,
this method enables you to abstract the physical architecture of your Web sites
by mapping multiple servers to a single logical one. Both options allow the
firewall to offer caching functionality, which can improve responsiveness.
Reverse proxy can be very useful. For instance, suppose you need to allow a
Web server to query an internal database. There are several ways to do this. You
could replicate the database to the outside (if it’s not too large), but this puts the
contents’ integrity at risk. It might make more sense to move the Web and
database servers behind the firewall and use reverse proxy or reverse hosting to
get at the site. This option is very secure, although the overhead of running
multiple Web servers behind the proxy might tax the proxy’s ability to service
Web requests from internal clients.
A third alternative is better yet: Place the Web server in the demilitarized zone
(DMZ) and use the server proxy functionality of the firewall to query the
database. This option provides good security and performance. Before you
select any of these options, you should analyze your requirements so that you
can balance necessary security against performance/usability.

Man in the middle attack:

The man-in-the-middle attack (often abbreviated MITM), or bucket-brigade
attack, or sometimes Janus attack, is a form of active eavesdropping in which
the attacker makes independent connections with the victims and relays
messages between them, making them believe that they are talking directly to
each other over a private connection, when in fact the entire conversation is
controlled by the attacker. The attacker must be able to intercept all messages
going between the two victims and inject new ones, which is straightforward in
many circumstances (for example, an attacker within reception range of an
unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).

A man-in-the-middle attack can succeed only when the attacker can
impersonate each endpoint to the satisfaction of the other. Most cryptographic
protocols include some form of endpoint authentication specifically to prevent
MITM attacks. For example, SSL authenticates the server using a mutually
trusted certification authority.

Routing tables

First of all we will discuss the IPTABLES rules for the given design problem. We
have two networks, A (192.168.1.0-255) and B (192.168.2.0-255), behind a proxy
server located at 192.168.3.24, which masquerades the requests from both networks
so that they can connect to an external DNS. This can be understood from the
following diagram.

NETWORK A  192.168.1.(0-255) ----+
                                 +----> PROXY SERVER (192.168.3.24) ----> ISP (INTERNET)
NETWORK B  192.168.2.(0-255) ----+

Routers are responsible for forwarding traffic on an IP internetwork. Each
router accepts datagrams from a variety of sources, examines the IP address of
the destination and decides what the next hop is that the datagram needs to take
to get it that much closer to its final destination.

Each router maintains a set of information that provides a mapping between
different network IDs and the other routers to which it is connected. This
information is contained in a data structure normally called a routing table.
Each entry in the table, unsurprisingly called a routing entry, provides
information about one network (or sub network, or host). It basically says “if
the destination of this datagram is in the following network, the next hop you
should take is to the following device”. Each time a datagram is received the
router checks its destination IP address against the routing entries in its table to
decide where to send the datagram, and then sends it on its next hop.

Obviously, the fewer the entries in this table, the faster the router can decide
what to do with a datagram. (This was a big part of the motivation for classless
addressing, which aggregates routes into “supernets” to reduce router table size,
as we will see in the next topic.) Some routers only have connections to two
other devices, so they don't have much of a decision to make. Typically, the
router will simply take datagrams coming from one of its interfaces and, if
necessary, send them out on the other one. For example, consider a small
company's router acting as the interface between a network of three hosts and
the Internet. Any datagram sent to the router from a host on this network will
need to go over the router's connection to the router at the ISP.
When a router has connections to more than two devices, things become
considerably more complex. Some distant networks may be more easily
reachable if datagrams are sent using one of the routers than the other. The
routing table contains information not only about the networks directly
connected to the router, but also information that the router has “learned” about
more distant networks.

IP Datagram Direct Delivery and Indirect Delivery (Routing)

The overall job of the Internet Protocol is to transmit messages from higher layer
protocols over an internetwork of devices. These messages must be packaged
and addressed, and if necessary fragmented, and then they must be delivered.
The process of delivery can be either simple or complex, depending on the
proximity of the source and destination devices.

Datagram Delivery Types

Conceptually, we can divide all IP datagram deliveries into two general types,
shown graphically in the figure below.

Figure: Direct and Indirect (Routed) Delivery of IP Datagrams

This diagram shows three examples of IP datagram delivery. The first
transmission (highlighted in green) shows a direct delivery between two devices
on the local network. The second (purple) shows indirect delivery within the
local network, between a client and server separated by a router. The third shows
a more distant indirect delivery, between a client on the local network and a
server across the Internet.

Direct Datagram Deliveries: When datagrams are sent between two devices on
the same physical network, it is possible for the datagrams to be delivered directly
from the source to the destination. Imagine that you want to deliver a letter to a
neighbor on your street. You probably wouldn't bother mailing it through the
post office; you'd just put the neighbor’s name on the envelope and stick it right
into his or her mailbox.

Indirect Datagram Deliveries: When two devices are not on the same physical
network, the delivery of datagrams from one to the other is indirect. Since the
source device can't see the destination on its local network, it must send the
datagram through one or more intermediate devices to deliver it. Indirect
delivery is analogous to mailing a letter to a friend in a different city. You don't
deliver it yourself—you put it into the postal system. The letter journeys
through the postal system, possibly taking several intermediate steps, and ends up
in your friend's neighborhood, where a postal carrier puts it into his or her
mailbox.

IP Routing Concepts and the Process of Next-Hop Routing

When a datagram is sent between source and destination devices that are not on
the same physical network, the datagram must be delivered indirectly between
the devices, a process called routing. It is this ability to route information
between devices that may be far away that allows IP to create the equivalent of
a virtual internetwork that spans potentially thousands of physical networks, and
lets devices even on opposite ends of the globe communicate. The process of
routing in general terms is too complex to get into in complete detail here, but I
do want to take a brief look at key IP routing concepts.

Overview of IP Routing and Hops

To continue with our postal system analogy, I can send a letter from my home
in the United States to someone in, say, India, and the postal systems of both
countries will work to deliver the letter to its destination. However, when I drop
a letter in the mailbox, it's not like someone shows up, grabs the letter, and
hand-delivers it to the right address in India. The letter travels from the mailbox
to my local post office. From there, it probably goes to a regional distribution
center, and then from there, to a hub for international traffic. It goes to India,
perhaps (likely) via an intermediate country. When it gets to India, the Indian
postal system uses its own network of offices and facilities to route the letter to
its destination. The envelope “hops” from one location to the next until it
reaches its destination.
Figure: IP Datagram Next-Hop Routing

This is the same diagram as the one shown in the figure above, except this time I
have explicitly shown the hops taken by each of the three sample transmissions.
The direct delivery of the first (green) transmission has only one hop (remember
that the switch doesn’t count because it is invisible at layer three). The local
indirect delivery passes through one router, so it has two hops. The Internet
delivery in this case has six hops; actual Internet routes can be much longer.

Routing Tables in an Example Internetwork

Let’s consider an example below with routers R1, R2 and R3 connected in a
“triangle”, so that each router can send directly to the others, as well as to its
own local network. Suppose R1's local network is 11.0.0.0/8, R2's is 12.0.0.0/8
and R3's is 13.0.0.0/8. (I'm just trying to keep this simple.) R1 knows that any
datagram it sees with 11 as the first octet is on its local network. It will also
have a routing entry that says that any IP address starting with “12” should go to
R2, and any starting with “13” should go to R3.
Figure: IP Routing and Routing Tables

This diagram shows a small, simple internetwork consisting of four LANs each
served by a router. The routing table for each lists the router to which datagrams
for each destination network should be sent, and is color coded to match the
colors of the networks. Notice that due to the “triangle”, each of R1, R2 and R3
can send to each other. However, R2 and R3 must send through R1 to deliver to
R4, and R4 must use R1 to reach either of the others.

Let's suppose that R1 also connects to another router, R4, which has 14.0.0.0/8
as its local network. R1 will have an entry for this local network. However, R2
and R3 also need to know how to reach 14.0.0.0/8, even though they don't
connect to its router directly. Most likely, they will have an entry that says
that any datagram intended for 14.0.0.0/8 should be sent to R1. R1 will then
forward them to R4. Similarly, R4 will send any traffic intended for 12.0.0.0/8
or 13.0.0.0/8 through R1.
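
The routing tables of R1 to R4 just described, and the direct/indirect delivery decision they drive, can be exercised in code. The following Python is an added example (not from the page's source material): each router's table is a list of (prefix, next hop) entries where a next hop of None means the network is directly connected, lookup uses longest-prefix match (the general rule of which the /8-only example above is one instance), and trace follows next hops until a router delivers directly. Two assumptions go beyond the text: each router also carries a default route 0.0.0.0/0, and "ISP" is a constructed name for the router beyond R1 that the default route points to; 198.51.100.53 is a constructed address for an external DNS server.

```python
"""Routing-table lookup and next-hop forwarding (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Each entry: (destination prefix, next hop). A next hop of None means the
# network is directly connected, so the router delivers the datagram itself.
# "ISP" is a constructed name for the router at the ISP, beyond R1; the
# 0.0.0.0/0 default routes are an assumption, not part of the text's tables.
Route = Tuple[str, Optional[str]]
ROUTING_TABLES: Dict[str, List[Route]] = {
    "R1": [("11.0.0.0/8", None), ("12.0.0.0/8", "R2"), ("13.0.0.0/8", "R3"),
           ("14.0.0.0/8", "R4"), ("0.0.0.0/0", "ISP")],
    "R2": [("12.0.0.0/8", None), ("11.0.0.0/8", "R1"), ("13.0.0.0/8", "R3"),
           ("14.0.0.0/8", "R1"), ("0.0.0.0/0", "R1")],
    "R3": [("13.0.0.0/8", None), ("11.0.0.0/8", "R1"), ("12.0.0.0/8", "R2"),
           ("14.0.0.0/8", "R1"), ("0.0.0.0/0", "R1")],
    "R4": [("14.0.0.0/8", None), ("0.0.0.0/0", "R1")],
}


def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match: among all entries that contain dst, return the
    most specific one as (prefix, next_hop); None means no route (drop)."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    return str(best[0]), best[1]


def trace(start: str, dst: str) -> Optional[List[str]]:
    """Follow next hops from router `start` until the datagram reaches a router
    that delivers it directly, or leaves the internetwork via a router we do not
    model (ISP). Returns the routers visited in order, or None if dropped."""
    path = [start]
    current = start
    for _ in range(len(ROUTING_TABLES) + 1):   # bound guards against loops
        if current not in ROUTING_TABLES:
            return path                         # handed off beyond our map
        entry = lookup(ROUTING_TABLES[current], dst)
        if entry is None:
            return None                         # no route: datagram is dropped
        if entry[1] is None:
            return path                         # direct delivery from here
        current = entry[1]
        path.append(current)
    raise RuntimeError("routing loop detected")


if __name__ == "__main__":
    for src, dst in [("R1", "11.0.0.9"), ("R2", "14.0.0.7"), ("R3", "198.51.100.53")]:
        print(src, "->", dst, trace(src, dst))
```

R1 delivers 11.0.0.9 directly (path R1 only); a datagram for 14.0.0.7 entering at R2 goes R2, R1, R4 as the text says; and an Internet address such as the external DNS falls through every /8 entry to the default route and is handed to R1 and then to the ISP.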

Route Determination

Now, imagine that this process is expanded to handle thousands of networks
and routers. Not only do routers need to know which of their local connections
to use for each network, they want to know, if possible, what is the best
connection to use for each network. Since routers are interconnected in a mesh
there are usually multiple routes between any two devices, but we want to take
the best route whenever we can. This may be the shortest route, the least
congested, or the route considered optimal based on other criteria.

Determining what routes we should use for different networks turns out to be an
important but very complex job. Routers must plan routes and exchange
information about routes and networks, which can be done in a variety of ways.
This is accomplished in IP using special IP routing protocols. It is through these
protocols that R2 and R3 would find out that 14.0.0.0/8 exists and that it is
connected to them via R1.

Modern Protocol Types: Interior and Exterior Routing Protocols

The different nature of routing within an AS and between ASes can be seen in
the fact that distinct sets of TCP/IP routing protocols are used for each type:

o Interior Routing Protocols: These protocols are used to exchange routing
information between routers within an autonomous system. Interior
routing protocols are not used between ASes.

o Exterior Routing Protocols: These protocols are used to exchange routing
information between autonomous systems. They may in some cases be
used between routers within an AS, but primarily deal with exchanging
information between autonomous systems.

Since autonomous systems are just sets of routers, this means that ASes are
connected by linking a router in one AS to a router in another AS.
Architecturally, an AS consists of a set of routers with two different types of
connectivity:

o Internal Routers: Some routers in an AS connect only to other routers in
the same AS. These run interior routing protocols.

o Border Routers: Some routers in an AS connect both to routers within the
AS and to routers in one or more other ASes. These devices are
responsible for passing traffic between the AS and the rest of the
internetwork. They run both interior and exterior routing protocols.

Due to its advantages, the autonomous system architecture, an example of
which can be seen in the figure below, has become the standard for TCP/IP
networks, most notably the Internet. The division of routing protocols into the
interior and exterior classifications has thus also become standard, and all
modern TCP/IP routing protocols are first subdivided by type in this manner.
You can see this reflected in the subsection titles in the rest of this section on
routing protocols.

Figure: TCP/IP Autonomous System (AS) Routing Architecture

This diagram shows a simplified internet organized into three autonomous
systems (ASes), each of which is managed independently of the others.
Communication within each AS is done using an interior routing protocol
chosen by that AS’s administrators (blue links); communication between ASes
must be done using a common exterior routing protocol (red links). Internal
routers are shown in blue and border routers in red.

Routing Protocol Algorithms and Metrics

Another key differentiation of routing protocols is on the basis of the algorithms
and metrics they use. An algorithm refers to a method that the protocol uses for
determining the best route between any pair of networks, and for sharing
routing information between routers. A metric is a measure of “cost” that is
used to assess the efficiency of a particular route. Since internetworks can be
quite complex, the algorithms and metrics of a protocol are very important, and
can be the determining factor in deciding that one protocol is superior to
another.

There are two routing protocol algorithms that are most commonly encountered:
distance-vector and link-state. There are also protocols that use a combination
of these methods, or others.

Distance-Vector (Bellman-Ford) Routing Protocol Algorithm

A distance vector routing algorithm, also called a Bellman-Ford algorithm after
two of its inventors, is one where routes are selected based on the distance
between networks. The distance metric is something simple—usually the
number of “hops”, or routers between them.

Routers using this type of protocol maintain information about the distance to
all known networks in a table. They regularly send that table to each router they
immediately connect with (their neighbors or peers). These routers then update
their tables and send to their neighbors. This causes distance information to
propagate across the internetwork, so that eventually each router obtains
distance information about all networks on the internet.

Distance-vector routing protocols are somewhat limited in their ability to
choose the best route. They also are subject to certain problems in their
operation that must be worked around through the addition of special heuristics
and features. Their chief advantages are simplicity and history (they have been
used for a long time).

Link-State (Shortest Path First) Routing Protocol Algorithm:

A link-state algorithm selects routes based on a dynamic assessment of the
shortest path between any two networks, and is for that reason also called a
shortest-path first method. Each router maintains a map describing the current
topology of the internetwork. This map is updated regularly by testing
reachability of different parts of the internet, and by exchanging link-state
information with other routers. The determination of the best route (“shortest
path”) can be made based on a variety of metrics that indicate the true cost of
sending a datagram over a particular route.

Link-state algorithms are much more powerful than distance-vector algorithms.
They adapt dynamically to changing internetwork conditions, and also allow
routes to be selected based on more realistic metrics of cost than simply the
number of hops between networks. However, they are more complicated to set
up and use more computer processing resources than distance-vector
algorithms, and aren't as well-established.
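
The two algorithm families can be compared on the R1 to R4 internetwork from the earlier section. The following Python is an added example, not code from the page's sources or from any routing daemon: distance_vector runs the neighbour-to-neighbour table exchange until nothing changes, counting hops as the text describes, while link_state gives one router the whole map and runs Dijkstra over the real link costs. The link costs are an assumption constructed for the demonstration (the R2-R3 link exists but costs 5, every other link costs 1), chosen so that the cheapest route and the fewest-hops route to 13.0.0.0/8 from R2 differ, which is the point the paragraph above makes about "more realistic metrics of cost".

```python
"""Distance-vector vs. link-state route computation (added example)."""
import heapq
from typing import Dict, Optional, Tuple

# Constructed topology: the R1-R2-R3 triangle plus R4 behind R1, as in the
# text, with link costs chosen so that hop count and true cost disagree:
# the R2-R3 link exists but is expensive (cost 5), the others cost 1.
LINKS: Dict[Tuple[str, str], int] = {
    ("R1", "R2"): 1, ("R1", "R3"): 1, ("R2", "R3"): 5, ("R1", "R4"): 1,
}
LOCAL_NET = {"R1": "11.0.0.0/8", "R2": "12.0.0.0/8",
             "R3": "13.0.0.0/8", "R4": "14.0.0.0/8"}

Entry = Tuple[int, Optional[str]]  # (metric, next hop; None = directly connected)


def neighbors(router: str) -> Dict[str, int]:
    """Adjacent routers and the cost of the link to each."""
    out: Dict[str, int] = {}
    for (a, b), cost in LINKS.items():
        if a == router:
            out[b] = cost
        elif b == router:
            out[a] = cost
    return out


def distance_vector(max_rounds: int = 16) -> Dict[str, Dict[str, Entry]]:
    """Bellman-Ford style exchange: each router repeatedly sends its whole
    table to its neighbours, which keep any route that is shorter (in hops)
    than what they already know. Stops when a full round changes nothing."""
    tables = {r: {LOCAL_NET[r]: (0, None)} for r in LOCAL_NET}
    for _ in range(max_rounds):
        changed = False
        for sender in LOCAL_NET:
            advert = dict(tables[sender])          # snapshot sent on the wire
            for receiver in neighbors(sender):
                for net, (hops, _) in advert.items():
                    known = tables[receiver].get(net)
                    if known is None or hops + 1 < known[0]:
                        tables[receiver][net] = (hops + 1, sender)
                        changed = True
        if not changed:
            break
    return tables


def link_state(source: str) -> Dict[str, Entry]:
    """Shortest-path-first: `source` knows the whole map (LINKS) and runs
    Dijkstra over the real link costs, then derives the next hop for every
    network as the first router on the cheapest path."""
    dist = {source: 0}
    prev: Dict[str, str] = {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                                # stale heap entry
        for v, cost in neighbors(u).items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                prev[v] = u
                heapq.heappush(heap, (d + cost, v))
    table: Dict[str, Entry] = {}
    for router, net in LOCAL_NET.items():
        if router == source:
            table[net] = (0, None)
            continue
        hop = router                                # walk back to the first hop
        while prev[hop] != source:
            hop = prev[hop]
        table[net] = (dist[router], hop)
    return table


if __name__ == "__main__":
    print("distance-vector R2:", distance_vector()["R2"])
    print("link-state      R2:", link_state("R2"))
```

With hop count as the metric, R2 sends traffic for 13.0.0.0/8 straight to R3 (one hop, but over the slow link); with real costs, link-state routes it via R1 at total cost 2 instead of 5. Both agree on the routes that have only one candidate path, such as R4 reaching 12.0.0.0/8 through R1.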

Hybrid Routing Protocol Algorithms

There are also hybrid protocols that combine features from both types of
algorithms, and other protocols that use completely different algorithms. For
example, the Border Gateway Protocol (BGP) is a path-vector algorithm, which
is somewhat similar to the distance-vector algorithm, but communicates much
more detailed route information. It includes some of the attributes of distance-
vector and link-state protocols, but is more than just a combination of the two.

Static and Dynamic Routing Protocols

You may also occasionally see routing protocols categorized by type as static
and dynamic, so this is the last concept I want to discuss in this overview. This
terminology is somewhat misleading. The term “static routing” simply refers to
a situation where the routing tables are manually set up, so they remain static. In
contrast, “dynamic routing” is the subject of this entire section: the use of
routing protocols to dynamically update routing tables. Thus, all routing
protocols are “dynamic”. There is no such thing as a “static routing protocol”
unless you consider a network administrator editing a routing table a “protocol”.

Routing Protocol Concepts: Architectures, Protocol Types, Algorithms and Metrics

Routing protocols play an important part in the overall process of routing in an
internetwork. It is therefore easiest to understand them in the scope of an overall
discussion of routing. It's difficult to describe the individual TCP/IP routing
protocols without some background information on how routing protocols work.
For this reason, I feel it is worth taking a brief look at key routing protocol
concepts here, so that you will have more luck making sense of the rest of the
routing protocol topics in this section.

Routing Protocol Architectures

Let's start with a look at routing protocol architectures. In this context, the word
architecture refers to the way that an internetwork is structured. Once we have a
number of networks and routers we wish to connect together, there is any
number of ways that we can do this. The architecture we choose is based on the
way that routers are linked up, and this has an impact on the way that routing is
done, and how routing protocols operate.

Core Architecture

TCP/IP and the Internet were developed simultaneously, so TCP/IP routing
protocols evolved as the Internet itself did. Early architecture of the Internet
consisted of a small number of core routers that contained comprehensive
information about the internetwork. When the Internet was very small, it was
expanded by adding more routers to this core. However, each time the core was
expanded, the amount of routing information that needed to be maintained
grew.

Eventually, the core became too large, so a two-level hierarchy was formed to
allow further expansion. Non-core routers were located on the periphery of the
core and contained only partial routing information; they relied on the core
routers for transmissions that went across the internetwork. A special routing
protocol called the Gateway-to-Gateway Protocol (GGP) was used within the
core of the internetwork, while another protocol called the Exterior Gateway
Protocol (EGP) was used between non-core and core routers. The non-core
routers were sometimes single, stand-alone routers that connected a single
network to the core, or they could be sets of routers for an organization.

This architecture served for a while, but itself did not scale very well as the
Internet grew. The problem was mainly due to the fact that there was only a
single level to the architecture: every router in the core had to communicate
with every other. Even with peripheral routers being kept outside the core, the
amount of traffic in the core kept growing.

Autonomous System (AS) Architecture

To resolve the limitations of the early core system, a new architecture was
created that moved away from the centralized concept of a core towards an
architecture that was better suited to a larger and growing internetwork. This
decentralized architecture treats the Internet as a set of independent groups,
with each group called an autonomous system (AS). An AS consists of a set of
routers and networks controlled by a particular organization or administrative
entity, which uses a single consistent policy for internal routing.
The power of this system is that routing on the internetwork as a whole occurs
between ASes and not individual routers. Information is only shared between
one or maybe a couple of routers in each AS, not every router in each AS. The
details of routing within an AS are also hidden from the rest of the internetwork.
This provides both flexibility for each AS to do routing as it sees fit (thus the
name autonomous) and efficiency for the overall internetwork. Each AS has its
own number, and the numbers are globally managed to make sure they are
unique across an internetwork (such as the Internet).
