
Internetworking and Network Management 139 

In document computer fundamentals (Page 139-153)

What Is an Internetwork?

An internetwork is a collection of individual networks, connected by intermediate networking devices, that functions as a single large network. Internetworking refers to the industry, products, and procedures that meet the challenge of creating and administering internetworks. Figure 7.1 illustrates different kinds of network technologies that can be interconnected by routers and other networking devices to create an internetwork.

Fig 7.1: Different Network Technologies can be connected to create an Internetwork

We use the term “internetwork,” or sometimes just “internet,” to refer to an arbitrary collection of networks interconnected to provide some sort of host-to-host packet delivery service. Fig. 7.1 shows an example of an internetwork. An internetwork is often referred to as a “network of networks” because it is made up of lots of smaller networks. In this figure, we see Ethernets, an FDDI ring, and a point-to-point link. Each of these is a single-technology network. The nodes that interconnect the networks are called routers.

Internetworking devices are divided into four categories: repeaters, bridges, routers, and gateways.

Each of these four device types interacts with protocols at different layers of the OSI model. Repeaters act only upon the electrical components of a signal and are therefore active only at the physical layer. Bridges utilize addressing protocols and can affect the flow control of a single LAN; they are most active at the data link layer. Routers provide links between two separate but same-type LANs and are most active in the network layer. Finally, gateways provide translation services

Repeaters:

A repeater (or regenerator) is an electronic device that operates on only the physical layer of the OSI model.

Fig. 7.2: A repeater in the OSI model

Signals that carry information within a network can travel a fixed distance before attenuation endangers the integrity of the data. A repeater installed on a link receives the signal before it becomes too weak or corrupted, regenerates the original bit pattern, and puts the refreshed copy back onto the link.

A repeater allows us to extend only the physical length of a network. The repeater does not change the functionality of the network in any way. The two sections are connected by the repeater in Fig. 7.3. If station A sends a frame to station B, all stations (including C and D) will receive the frame, just as they would without the repeater. The repeater does not have the intelligence to keep the frame from passing to the right side when it is meant for a station on the left. The difference is that, with the repeater, stations C and D receive a truer copy of the frame than would otherwise have been possible.

Fig. 7.3: A repeater

Not an amplifier

It is tempting to compare a repeater to an amplifier, but the comparison is inaccurate. An amplifier cannot discriminate between the intended signal and noise; it amplifies equally everything fed into it. A repeater does not amplify the signal; it regenerates it. When it receives a weakened or corrupted signal, it creates a copy bit for bit, at the original strength. A repeater is a regenerator, not an amplifier.

Bridges

Fig. 7.4: A Bridge in the OSI model

Bridges operate in both the physical and the data link layers of the OSI model (see Figure 7.4). Bridges can divide a large network into smaller segments (Fig. 7.5).

Fig 7.5: A Bridge

They can also relay frames between two originally separate LANs. Unlike repeaters, however, bridges contain logic that allows them to keep the traffic for each segment separate. In this way, they filter traffic, a fact that makes them useful for controlling congestion and isolating problem links. Bridges can also provide security through this partitioning of traffic.

A bridge operates at the data link layer, giving it access to the physical addresses of all stations connected to it. When a frame enters a bridge, the bridge not only regenerates the signal but checks the address of the destination and forwards the new copy only to the segment to which the address belongs. As a bridge encounters a packet, it reads the address contained in the frame and compares that address with a table of all the stations on both segments. When it finds a match, it discovers to which segment the station belongs and relays the packet only to that segment.

Fig. 7.6: Function of a bridge

In Fig. 7.6(a), a packet from station A addressed to station D arrives at the bridge. Station A is on the same segment as station D; therefore, the packet is blocked from crossing into the lower segment. Instead, the packet is relayed to the entire upper segment and received by station D.

In Fig. 7.6(b), a packet generated by station A is intended for station G. The bridge allows the packet to cross and relays it to the entire lower segment, where it is received by station G.

Types of Bridges

To select between segments, a bridge must have a look-up table that contains the physical addresses of every station connected to it. The table indicates to which segment each station belongs.

Simple Bridge

Simple bridges are the most primitive and least expensive type of bridge. A simple bridge links two segments and contains a table that lists the addresses of all the stations included in each of them. What makes it primitive is that these addresses must be entered manually. Before a simple bridge can be used, an operator must sit down and enter the addresses of every station.

Whenever a new station is added, the table must be modified. If a station is removed, the newly invalid address must be deleted. The logic included in a simple bridge, therefore, is of the pass/no pass variety, a configuration that makes a simple bridge straightforward and inexpensive to manufacture. Installation and maintenance of simple bridges are time-consuming and potentially more trouble than the cost savings are worth.

Multiport Bridge

A multiport bridge can be used to connect more than two LANs. In Fig. 7.7, the bridge has three tables, each one holding the physical addresses of stations reachable through the corresponding port.

Fig 7.7: Multiport bridge

Transparent Bridge

A transparent, or learning, bridge builds its table of station addresses on its own as it performs its bridge functions. When the transparent bridge is first installed, its table is empty. As it encounters each packet, it looks at both the destination and the source addresses. It checks the destination to decide where to send the packet. If it does not yet recognize the destination address, it relays the packet to all of the stations on both segments. It uses the source address to build its table. As it reads the source address, it notes which side the packet came from and associates that address with the segment to which it belongs. For example, if the bridge in Fig. 7.6 is a transparent bridge, then when station A sends its packet to station G, the bridge learns that packets coming from A are coming from the upper segment, and that station A must be located in the upper segment. Now, whenever the bridge encounters packets addressed to A, it knows to relay them only to the upper segment.

With the first packet transmitted by each station, the bridge learns the segment associated with that station. Eventually it has a complete table of station addresses and their respective segment stored in its memory.

By continuing this process even after the table is complete, a transparent bridge is also self-updating. Suppose the person at station A trades offices with the person at station G, and they both take their computers (including their NICs) with them. All of a sudden, the stored segment locations for both stations are wrong. But because the bridge is constantly checking the source address of received packets, it notices that packets from station A are now coming from the lower segment and that packets from station G are coming from the upper segment, and updates its table accordingly.
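The learning, flooding, filtering and self-updating behaviour described above, simulated in Python as an added example (this is not code from the textbook). Station and segment names follow Fig. 7.6; the same class handles the multiport bridge of Fig. 7.7 by giving it more than two ports.

```python
class TransparentBridge:
    """Learning bridge with any number of ports (two for Fig. 7.6,
    three or more for the multiport bridge of Fig. 7.7)."""

    def __init__(self, ports):
        self.ports = list(ports)   # segment names, one per port
        self.table = {}            # station address -> port it was last seen on

    def handle_frame(self, in_port, src, dst):
        """Return the list of ports the frame is relayed to."""
        # Learning step: the source address tells the bridge which segment
        # the sending station is on. Re-recording it on every frame is what
        # makes the table self-updating when a station moves.
        self.table[src] = in_port
        out_port = self.table.get(dst)
        if out_port is None:
            # Destination not yet learned: relay to every other segment.
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Source and destination share a segment: filter the frame.
            return []
        return [out_port]


def fig_7_6_walkthrough():
    """Replay the scenarios of Fig. 7.6 and the office swap described above."""
    bridge = TransparentBridge(["upper", "lower"])
    steps = [
        ("upper", "A", "G"),   # G unknown: flooded to the lower segment
        ("lower", "G", "A"),   # A learned on upper: forwarded to upper only
        ("upper", "A", "D"),   # D unknown: flooded to the lower segment
        ("upper", "D", "A"),   # A and D both on upper: blocked
        ("lower", "A", "D"),   # A has moved to lower: re-learned, sent to upper
        ("upper", "G", "A"),   # G has moved to upper: sent to lower
    ]
    results = [bridge.handle_frame(*step) for step in steps]
    return results, dict(bridge.table)


if __name__ == "__main__":
    for decision in fig_7_6_walkthrough():
        print(decision)
```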

Routers

Repeaters and bridges are simple hardware devices capable of executing specific tasks. Routers are more sophisticated. They have access to network layer addresses and contain software that enables them to determine which of several possible paths between those addresses is the best for a particular transmission. Routers operate in the physical, data link, and network layers of the OSI model.

Fig. 7.8: A router in the OSI model

Routers relay packets among multiple interconnected networks. They route packets from one network to any of a number of potential destination networks on an internet. Fig. 7.9 shows a possible internetwork of five networks. A packet sent from a station on one network to a station on a neighboring network goes first to the jointly held router, which switches it over to the destination network. If there is no one router connected to both the sending and receiving networks, the sending router transfers the packet across one of its connected networks to the next router in the direction of the ultimate destination. That router forwards the packet to the next router on the path, and so on, until the destination is reached.

Routers act like stations on a network. But unlike most stations, which are members of only one network, routers have addresses on, and links to, two or more networks at the same time. In their simplest function, they receive packets from one connected network and pass them to a second connected network. However, if a received packet is addressed to a node on a network of which the router is not a member, the router is capable of determining which of its connected networks is the best next relay point for the packet. Once a router has identified the best route for a packet to travel, it passes the packet along the appropriate network to another router. That router checks the destination address, finds what it considers the best route for the packet, and passes it to the destination network (if that network is a neighbor) or across a neighboring network to the next router on the chosen path.

In internetworking, routing is the process of moving a packet of data from source to destination. Routing is usually performed by a dedicated device called a router. Routing is a key feature of the Internet because it enables messages to pass from one computer to another and eventually reach the target machine. Each intermediary computer performs routing by passing along the message to the next computer. Part of this process involves analyzing a routing table to determine the best path.

Routing: In computer networking the term routing refers to selecting paths in a computer network along which to send data.

Routing is often confused with bridging, which performs a similar function. The principal difference between the two is that bridging occurs at a lower level and is therefore more of a hardware function whereas routing occurs at a higher level where the software component is more important. And because routing occurs at a higher level, it can perform more complex analysis to determine the optimal path for the packet.
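The hop-by-hop forwarding described in this section, simulated in Python as an added example (not the textbook's code). The five-network internetwork is constructed loosely in the spirit of Fig. 7.9, so the 10.x.0.0/24 addresses, router names and static routing tables are assumptions; the hop limit shows why a router must discard a packet that keeps circulating between routers with inconsistent tables.

```python
import ipaddress


class Router:
    """A router with interfaces on several networks and a static routing
    table mapping remote destination networks to the next router."""

    def __init__(self, name, connected, routes):
        self.name = name
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.routes = {ipaddress.ip_network(n): nxt for n, nxt in routes.items()}

    def decide(self, dst):
        """Return ('deliver', network), ('forward', router) or ('drop', None)."""
        dst = ipaddress.ip_address(dst)
        for net in self.connected:
            if dst in net:                 # destination is a neighbouring network
                return "deliver", str(net)
        matches = [net for net in self.routes if dst in net]
        if not matches:
            return "drop", None            # no route at all: packet is discarded
        best = max(matches, key=lambda net: net.prefixlen)  # longest prefix wins
        return "forward", self.routes[best]


def trace(routers, entry, dst, max_hops=16):
    """Follow a packet router by router; the hop limit stops routing loops."""
    path, current = [], entry
    for _ in range(max_hops):
        router = routers[current]
        path.append(router.name)
        action, target = router.decide(dst)
        if action == "deliver":
            return path, "delivered"
        if action == "drop":
            return path, "no route"
        current = target
    return path, "hop limit exceeded"


# Constructed topology (an assumption, not the textbook's Fig. 7.9): networks
# N1..N5 are 10.1.0.0/24 .. 10.5.0.0/24, joined in a chain by four routers.
# Each router has a specific route where needed and a coarse 10.0.0.0/8
# route pointing along the chain.
INTERNETWORK = {
    "R1": Router("R1", ["10.1.0.0/24", "10.2.0.0/24"], {"10.0.0.0/8": "R2"}),
    "R2": Router("R2", ["10.2.0.0/24", "10.3.0.0/24"],
                 {"10.1.0.0/24": "R1", "10.0.0.0/8": "R3"}),
    "R3": Router("R3", ["10.3.0.0/24", "10.4.0.0/24"],
                 {"10.5.0.0/24": "R4", "10.0.0.0/8": "R2"}),
    "R4": Router("R4", ["10.4.0.0/24", "10.5.0.0/24"], {"10.0.0.0/8": "R3"}),
}

if __name__ == "__main__":
    print(trace(INTERNETWORK, "R1", "10.4.0.9"))   # multi-hop delivery
    print(trace(INTERNETWORK, "R1", "10.9.0.1"))   # bounces between R2 and R3
```

A destination inside 10.0.0.0/8 that belongs to no real network (such as 10.9.0.1) bounces between R2 and R3 until the hop limit fires, which is the kind of loop a practitioner looks for when two routers' coarse routes point at each other.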

Gateways

Gateways potentially operate in all seven layers of the OSI model. See Figure 7.10.

Fig 7.10: A gateway in the OSI model

A gateway is a protocol converter. A router by itself transfers, accepts, and relays packets only across networks using similar protocols. A gateway, on the other hand, can accept a packet formatted for one protocol and convert it to a packet formatted for another protocol (e.g., TCP/IP) before forwarding it.

A gateway is generally software installed within a router. The gateway understands the protocols used by each network linked into the router and is therefore able to translate from one to another. In some cases, the only modifications necessary are the header and trailer of the packet. In other cases, the gateway must adjust the data rate, size and format as well. Fig 7.11 shows a gateway connecting an SNA network (IBM) to a NetWare network (Novell).

What is a network firewall?

A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea what kind of access you want to permit or deny, or you simply permit someone or some product to configure a firewall based on what they or it think it should do, then they are making policy for your organization as a whole.

Why would I want a firewall?

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spray paint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done. Many traditional-style corporations and data centers have computing security policies and practices that must be adhered to. In a case where a company's policies dictate how data must be protected, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large company, is not justifying the expense or effort, but convincing management that it's safe to do so. A firewall provides not only real security; it often plays an important role as a security blanket for management. Lastly, a firewall can act as your corporate "ambassador" to the Internet. Many corporations use their firewall systems as a place to store public information about corporate products and services, files to download, bug-fixes, and so forth. Several of these systems have become important parts of the Internet service structure (e.g.: UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and have reflected well on their organizational sponsors.

What can a firewall protect against?

Some firewalls permit only Email traffic through them, thereby protecting the network against any attacks other than attacks against the Email service. Other firewalls provide less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it.

Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.
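The "pair of mechanisms" from the definition above, and the mail-only and login-blocking policies plus the audit summary described in this section, written out as a small packet-filter simulation. This is an added example and not code from the text; the rule format, the `reply` flag marking a response to an inside-initiated session, and the sample packets are constructed for illustration.

```python
from collections import Counter

# Each rule: (direction, protocol, destination port, reply_only, action).
# None means "any". Rules are checked top to bottom and the first match wins;
# traffic that matches nothing falls through to the default-deny at the end.
POLICY = [
    ("in",  "tcp", 25,   False, "permit"),   # only mail may come in from outside
    ("in",  "tcp", 23,   False, "deny"),     # unauthenticated interactive logins
    ("in",  "tcp", 513,  False, "deny"),     # (telnet, rlogin) explicitly refused
    ("in",  None,  None, True,  "permit"),   # replies to inside-initiated sessions
    ("out", None,  None, False, "permit"),   # inside users may talk freely outward
    ("in",  None,  None, False, "deny"),     # default: block everything else
]


def evaluate(packet, policy=POLICY):
    """Return 'permit' or 'deny' for one packet under the policy."""
    for direction, proto, port, reply_only, action in policy:
        if direction != packet["dir"]:
            continue
        if proto is not None and proto != packet["proto"]:
            continue
        if port is not None and port != packet["dport"]:
            continue
        if reply_only and not packet.get("reply", False):
            continue
        return action
    return "deny"   # nothing matched: the blocking mechanism wins


def run_firewall(packets, policy=POLICY):
    """Filter a packet stream and build the audit summary the text mentions."""
    audit = Counter()
    decisions = []
    for p in packets:
        action = evaluate(p, policy)
        decisions.append(action)
        audit[(p["dir"], action)] += 1
        if p["dir"] == "in" and action == "deny":
            # Count refused inbound attempts per service for the administrator.
            audit[("blocked_inbound", p["proto"], p["dport"])] += 1
    return decisions, audit


# Constructed sample traffic (not captured from any real network). The "reply"
# flag stands in for the session state a real firewall would track itself.
SAMPLE_TRAFFIC = [
    {"dir": "in",  "proto": "tcp", "dport": 25},                 # mail: permit
    {"dir": "in",  "proto": "tcp", "dport": 23},                 # telnet: deny
    {"dir": "out", "proto": "tcp", "dport": 80},                 # web from inside
    {"dir": "in",  "proto": "tcp", "dport": 80, "reply": True},  # its reply: permit
    {"dir": "in",  "proto": "tcp", "dport": 80},                 # unsolicited: deny
    {"dir": "in",  "proto": "udp", "dport": 53},                 # probe: deny
]

if __name__ == "__main__":
    for item in run_firewall(SAMPLE_TRAFFIC):
        print(item)
```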

What can't a firewall protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic, and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.

Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall! Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a "helpful" employee inside who can be fooled into giving access to a modem pool.

What about viruses?

Firewalls can't protect very well against things like viruses. There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them all. In other words, a firewall cannot replace security-consciousness on the part of your users. In general, a firewall cannot protect against a data-driven attack, that is, an attack in which something is mailed or copied to an internal host where it is then executed. This form of attack has occurred in the past against various versions of Sendmail and GhostScript, a freely-available PostScript viewer.

Organizations that are deeply concerned about viruses should implement organization-wide virus control measures. Rather than trying to screen viruses out at the firewall, make sure that every vulnerable desktop has virus scanning software that is run when the machine is rebooted. Blanketing your network with virus scanning software will protect against viruses that come in via floppy disks, modems, and Internet. Trying to block viruses at the firewall will only protect against viruses from the Internet - and the vast majority of viruses are caught via floppy disks.

Firewall technology

First, a definition: "A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks." The firewall can be hardware in the form of a router or a computer, software running on a gateway system, or some combination. Each type of implementation has inherent pros and cons, and each specific implementation likewise has good and bad points, strengths and weaknesses. With that in mind, let's consider the two main types of firewalls.

VPN

Virtual Private Network (VPN) is defined as customer connectivity deployed on a shared infrastructure with the same policies as a private network. The shared infrastructure can leverage a
