
Subnet Boundaries

In document Designing Network Security (Page 128-133)

A characterization is sometimes made that traffic on different subnets is secure because the traffic is constrained to a single subnet domain. The thinking is that there is a logical separation between the groups of addresses that make up the different network access domains. You can provide filters that permit or deny traffic based on subnet addresses. However, as was pointed out in the preceding section, IP addresses are easy to spoof; other security measures should always be used in conjunction with filtering mechanisms. (Readers not familiar with IP addressing and subnetting can refer to the following sidebar.)

IP Addressing

An IP address is a 32-bit address represented by a dotted decimal notation of the form X.Y.Z.K (for example, 6.0.0.6). The following chart lists how the IP address space is divided by function.

Address Range                 Functionality
1.0.0.0-223.255.255.255       IP unicast address
224.0.0.0-239.255.255.255     IP multicast address
240.0.0.0-255.255.255.254     Reserved for future use
0.0.0.0                       An unknown IP address
255.255.255.255               Local segment broadcast

The IP unicast addresses are divided into three classes:

Class   Address Range                Number of Networks   Approximate Number of Hosts Per Single Network
A       1.0.0.0-126.255.255.255      126                  16 million
B       128.0.0.0-191.255.255.255    16,384               65,000
C       192.0.0.0-223.255.255.255    2,097,152            254

The 32-bit IP address contains a network portion and a host portion, as shown in Figure 6-7.

Figure 6-7: A Bitmap of Class A, Class B, and Class C Addresses

A network mask is used to separate the network information from the host information. The mask is represented in binary notation as a series of contiguous 1s followed by a series of contiguous 0s. The network mask of the class A, class B, and class C networks in their binary and dotted decimal format is shown in Figure 6-8.

A subnet is a subset of the class A, class B, or class C network. Subnets are created by further extending the network portion of the address into the host portion. The use of subnets increases the number of subnetworks and reduces the number of hosts on each subnetwork. The following chart shows an example of a class C network 192.150.42.0 and the possible ways you can create subnetworks with contiguous subnet masks:

Bits in Subnet Mask   Dotted Decimal Format   Number of Networks   Number of Hosts in Each Network
0                     255.255.255.0           1                    254
1                     255.255.255.128         2                    126
2                     255.255.255.192         4                    62
3                     255.255.255.224         8                    30
4                     255.255.255.240         16                   14
5                     255.255.255.248         32                   6
6                     255.255.255.252         64                   2

Let's take the specific example of a 3-bit subnet mask used on the 192.150.42.0 network. This network yields eight separate subnetworks with 30 hosts on each network, as listed here:

Subnet   Network Address   Broadcast Address   Host Address Range
0        192.150.42.0      192.150.42.31       192.150.42.1-192.150.42.30
1        192.150.42.32     192.150.42.63       192.150.42.33-192.150.42.62
2        192.150.42.64     192.150.42.95       192.150.42.65-192.150.42.94
3        192.150.42.96     192.150.42.127      192.150.42.97-192.150.42.126
4        192.150.42.128    192.150.42.159      192.150.42.129-192.150.42.158
5        192.150.42.160    192.150.42.191      192.150.42.161-192.150.42.190
6        192.150.42.192    192.150.42.223      192.150.42.193-192.150.42.222
7        192.150.42.224    192.150.42.255      192.150.42.225-192.150.42.254
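The following is an added example, not code from the book: it rebuilds the two charts above for the sidebar's 192.150.42.0 network with nothing but the Python standard library, and then shows the point made at the start of this section, that a filter keyed on subnet addresses accepts a forged source that happens to fall inside a permitted subnet. The function names, the interface-to-subnet map and the arrival-interface check are this example's own assumptions, not something the page prescribes.

```python
# Added example (not from the book): subnet arithmetic for the sidebar's
# 192.150.42.0 network, followed by a subnet-based filter and the kind of
# additional check the text says must accompany it.  All names and the
# IFACE_SUBNETS topology are assumptions made for this example.
from ipaddress import IPv4Address, IPv4Network

BASE = IPv4Network("192.150.42.0/24")   # the class C network from the sidebar

# Constructed topology for the filter demonstration (not from the page).
BRANCH = IPv4Network("192.150.42.32/29")
IFACE_SUBNETS = {
    "dialin": [IPv4Network("192.150.42.0/24")],
    "campus": [IPv4Network("144.254.0.0/16")],
}


def mask_chart(base: IPv4Network, max_bits: int = 6) -> list[tuple[int, str, int, int]]:
    """Rebuild the 'Bits in Subnet Mask' chart as (bits, mask, networks, hosts per network).

    Borrowing n host bits yields 2**n subnets; each keeps 2**(32 - prefix) addresses,
    two of which (network and broadcast) cannot be assigned to hosts.
    """
    rows = []
    for bits in range(max_bits + 1):
        prefix = base.prefixlen + bits
        mask = IPv4Network(f"0.0.0.0/{prefix}").netmask
        rows.append((bits, str(mask), 2 ** bits, 2 ** (32 - prefix) - 2))
    return rows


def subnet_table(base: IPv4Network, subnet_bits: int) -> list[dict]:
    """Enumerate the subnets produced by a subnet_bits-bit mask on base.

    One row per subnet with network, broadcast and usable host range, in the
    layout of the sidebar's 3-bit table.
    """
    rows = []
    for index, net in enumerate(base.subnets(prefixlen_diff=subnet_bits)):
        hosts = list(net.hosts())
        rows.append({
            "subnet": index,
            "network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "host_count": len(hosts),
        })
    return rows


def subnet_filter(src: str, permitted: list[IPv4Network]) -> bool:
    """Permit or deny by source address alone, as a subnet-based access list does.

    The filter sees only the address field, so a forged source that lies inside a
    permitted subnet is accepted; nothing here can tell that it was spoofed.
    """
    addr = IPv4Address(src)
    return any(addr in net for net in permitted)


def ingress_check(src: str, arrival_iface: str,
                  iface_subnets: dict[str, list[IPv4Network]]) -> bool:
    """One possible 'other measure' to pair with address filtering (an assumption of
    this example, not a technique the page spells out): a packet whose source lies in
    subnet X is accepted only if it arrived on the interface that faces X.

    Assumes every subnet is reachable through exactly one interface of this router.
    Sources belonging to no known subnet are dropped.
    """
    addr = IPv4Address(src)
    for iface, nets in iface_subnets.items():
        if any(addr in net for net in nets):
            return iface == arrival_iface
    return False


if __name__ == "__main__":
    for bits, mask, networks, hosts in mask_chart(BASE):
        print(f"{bits} {mask:16} {networks:3} networks x {hosts:3} hosts")
    for row in subnet_table(BASE, 3):
        print(f"{row['subnet']} {row['network']:15} {row['broadcast']:15} "
              f"{row['first_host']}-{row['last_host']}")
```

Running the module prints both charts. The two filter functions make the section's warning concrete: subnet_filter accepts 192.150.42.35 whether it came from the dial-in side or from the Internet, while ingress_check rejects it when it shows up on an interface that does not face 192.150.42.0.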

Subnetting gives the network administrator several benefits: it provides extra flexibility, makes more efficient use of the address space, and contains broadcast traffic, because a broadcast does not cross a router.

Because subnets are under local administration, the outside world sees an organization as a single network and has no detailed knowledge of the organization's internal structure. However, internally, each subnet constitutes a separate LAN, possibly on a separate physical cable segment (see Figure 6-9).

Figure 6-9: An Example of Subnet Boundaries

The logical infrastructure of any network depends largely on how networks are logically separated into groups using subnets and how traffic is controlled between these subnets. Routing (also known as Layer-3 switching) is how traffic is controlled between subnets. Where routing information is distributed and accepted plays a large role in how you gain access to data on various networks. VLANs can also modify traditional subnet physical boundaries.

Routing Boundaries

Routing involves two basic activities:

● Determining optimal routing paths
● Transporting packets through an internetwork

The latter activity is typically referred to as Layer-3 switching. Switching is relatively straightforward: It involves looking up the destination address in a table that specifies where to send the packet. The table is created as a result of determining the optimal path to a given destination. If the table entry for a given destination is not there, the optimal path must be computed. The computation of the optimal path depends on the routing protocol used and can be a very complex process.

Note Routing fundamentals are beyond the scope of this book. Read Internet Routing Architectures,

A security policy can incorporate detailed routing policies, where routes for separate networks and subnets are announced and accepted on an as-needed basis. Most routers, regardless of the routing protocol used, have features that suppress the announcement of specified routes and can ignore certain received routes and not incorporate them into their tables. Usually, there are many ways to accomplish the same goal. It is best to first design the logical boundaries, decide how open or closed an environment you want, and then implement the policy accordingly.

Filtering routes is one way of exerting some control over who can source traffic and to what destination. Filtering does not protect you from spoofing attacks, but it can make spoofing attacks harder to carry out. Figure 6-10 shows a common scenario of creating logical routing boundaries.

Figure 6-10: An Example of Logical Routing Boundaries

In this scenario, the corporate network is divided into three distinct components:

● Corporate campus network
● Internet access
● Dial-in access

The campus network has a class B address of 144.254.0.0, which is subnetted into 256 distinct networks using an 8-bit subnet mask of 255.255.255.0. The Internet access is provided by an unnumbered interface. The dial-in access is provided by a subnetted class C address of 192.150.42.0 with a 5-bit subnet mask of 255.255.255.248, which yields 32 subnets of 6 hosts each. This corporation allows free access to all corporate campus servers but allows only the branch office network 192.150.42.32 (addresses 192.150.42.32 through 192.150.42.39 under that mask) to access the Internet through the campus network. The policy can be implemented as follows:

● Allow all 144.254.0.0 routes to be announced everywhere
● Announce all 192.150.42.0 networks to the main campus
● Announce the 192.150.42.32 network to the Internet
● Suppress all other 192.150.42.0 network announcements
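The four rules above, as an added example that is not part of the book: a small model of the announce side and the accept side of a route filter for the Figure 6-10 topology. The peer names (campus, internet, dialin), the sample route list, and the accept rules (only a default route from the Internet, only 144.254.0.0 subnets from the campus, only 192.150.42.0 subnets from dial-in) are this example's assumptions; the page only says that routers can suppress announcements and ignore received routes.

```python
# Added example (not from the book): the Figure 6-10 announcement policy as a
# per-neighbor route filter, plus an accept-side filter for received routes.
# Peer names, the sample routes and ACCEPT_POLICY are assumptions of this example.
from ipaddress import IPv4Network

CAMPUS = IPv4Network("144.254.0.0/16")     # class B campus block, subnetted into /24s
DIALIN = IPv4Network("192.150.42.0/24")    # class C dial-in block, subnetted into /29s
BRANCH = IPv4Network("192.150.42.32/29")   # the one branch office allowed out to the Internet
DEFAULT = IPv4Network("0.0.0.0/0")

# Announcement policy, evaluated top to bottom, first match wins.  A peer of
# None means "everywhere".  A route matching no rule is suppressed (default deny).
ANNOUNCE_POLICY = [
    (None,       CAMPUS, "announce"),   # allow all 144.254.0.0 routes everywhere
    ("campus",   DIALIN, "announce"),   # announce all 192.150.42.0 networks to the campus
    ("internet", BRANCH, "announce"),   # announce the 192.150.42.32 network to the Internet
    (None,       DIALIN, "suppress"),   # suppress all other 192.150.42.0 announcements
]

# Accept policy (assumed): which received routes may be installed from each peer.
# (covering, exact): the route must equal `covering` when exact, else lie inside it.
ACCEPT_POLICY = {
    "internet": [(DEFAULT, True)],     # a default route and nothing else
    "campus":   [(CAMPUS, False)],
    "dialin":   [(DIALIN, False)],
}

# Constructed routing table for the demonstration (not from the page).
ROUTES = [
    IPv4Network("144.254.1.0/24"),
    IPv4Network("144.254.2.0/24"),
    BRANCH,
    IPv4Network("192.150.42.40/29"),
    IPv4Network("192.150.42.48/29"),
]
# Constructed update received from the Internet peer: a default route plus an
# attempt to inject one of our own campus prefixes from outside.
RECEIVED_FROM_INTERNET = [DEFAULT, IPv4Network("144.254.1.0/24")]


def announce(routes: list[IPv4Network], peer: str) -> list[IPv4Network]:
    """Return the routes the policy lets us advertise to `peer`, in table order."""
    out = []
    for route in routes:
        for rule_peer, covering, action in ANNOUNCE_POLICY:
            if rule_peer is not None and rule_peer != peer:
                continue
            if route.subnet_of(covering):
                if action == "announce":
                    out.append(route)
                break          # first matching rule decides; "suppress" just drops it
    return out


def accept(received: list[IPv4Network], peer: str) -> list[IPv4Network]:
    """Return the received routes that may be installed from `peer`; the rest are ignored."""
    kept = []
    for route in received:
        for covering, exact in ACCEPT_POLICY[peer]:
            matched = route == covering if exact else route.subnet_of(covering)
            if matched:
                kept.append(route)
                break
    return kept


if __name__ == "__main__":
    for peer in ("campus", "internet", "dialin"):
        print(peer, [str(r) for r in announce(ROUTES, peer)])
    print("accepted from internet", [str(r) for r in accept(RECEIVED_FROM_INTERNET, "internet")])
```

Toward the Internet only the two campus subnets and 192.150.42.32/29 survive; the other dial-in subnets hit the final suppress rule. The accept side matters as much as the announce side: an outside peer advertising 144.254.1.0/24 is ignored, so it cannot pull campus traffic toward itself. On a production router the same policy is expressed with the platform's route-filtering features rather than in Python.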

Static routes offer the ultimate control over what is routed where. However, managing static routes in an environment with more than about 10 entries can become an administrative nightmare. A dynamic routing protocol is much more flexible and can offer similar control for larger environments.

Note Routing can be a very complex subject; it is strongly recommended that you fully understand the routing protocols used in a given corporate environment and draw out the logical infrastructure before implementing any filtering commands. Where possible, use a modeling tool as a sanity check to verify the assumed logical path of network traffic.

VLAN Boundaries

A VLAN is a group of hosts or network devices---such as routers (running transparent bridging) and bridges---that form a single bridging domain. Layer-2 VLAN tagging protocols, such as IEEE 802.10 and Cisco's Inter-Switch Link (ISL), allow a VLAN to exist across a variety of equipment, such as LAN switches. VLANs are formed to group related users regardless of the physical connections of their hosts to the network. The users can be spread across a campus network or even across geographically dispersed locations. A variety of strategies can be used to group users; for example, users can be grouped according to their department or functional team. In general, the goal is to group users into VLANs so that most of the user traffic stays within the VLAN. If you do not include a router in a VLAN, no users outside that VLAN can communicate with the users in the VLAN, and vice versa.

Typically, although not necessarily, a VLAN corresponds to a particular subnet. Because a VLAN allows you to group end stations even if they are not located physically on the same LAN segment, you must ensure that the VLAN boundaries are properly understood and configured.
