All these notes will be split out into weeks

NET 330

Resources:

Basic Subnet Chart: https://www.ad-net.com.tw/subnet-chart-cidr-values/
VLSM Calculator: http://vlsmcalc.com/

OSPF:
https://networklessons.com/ospf/basic-ospf-configuration
https://study-ccna.com/ospf-configuration/

BGP:
https://as2914.net/#/galaxy/internet?cx=-2408&cy=-1426&cz=234&lx=-0.0189&ly=0.2015&lz=-0.0262&lw=0.9790&ml=150&s=1.75&l=1&v=2020-01-28

Class: Refresher

Week 1: 8/29/22

  • Dartmouth had hundreds of subnets just in the datacenter
  • 2^32 IPv4 addresses | 32 bits

Letter Packet
  1. Look up recipient address
    1. Phone Book? Other Directory?
    2. Get zip code and street address
  2. Put in addressed envelope
    1. Write recipient and return address on envelope
  3. Put letter in mailbox
  4. Mail carrier picks letter up
    1. Take letter to local post office
  5. Post Office sorts and sends to next PO facility
    1. Uses zip code
  6. How does PO know where to send next?
    1. Postal Service has “routing lists”
  7. Ends up at local PO recipient
  8. Mail Carrier delivers to recipient
    1. Uses street address

IP Packet (the same steps, for a packet)
  1. Look up recipient address
    1. Domain Name System (DNS)
    2. Convert Hostname to IP address
  2. Add “Headers” to data (encapsulate)
  3. Send packet to network interface controller (NIC)
  4. Transmits onto network
    1. Sent to local router (AKA default gateway)
  5. Router sends packet to next router
    1. Uses network part of the IP Address
  6. How does the router know where to send next?
    1. “Routing table” of IP networks
  7. Ends up at local router of recipient
  8. Router and switches send to recipient
    1. Uses the host part of the IP address and the MAC address

TODO:

  • Download Packet Tracer 8.1.1

Class: Subnetting, VLANS, & Cisco Commands

Week 2: 9/5/22

  • Find the patterns

Subnetting

  • Know the very common subnets: /24 (256 IPs, 254 usable), /23 (512 IPs, 510 usable), /22 (1024 IPs, 1022 usable), /30 (4 IPs, 2 usable), /29 (8 IPs, 6 usable)
  • Organizations are “assigned” a network address to use on the internet
    • 216.93.144.0/20
      • All champlain IPs start with the same 20 bits
      • Last 12 bits are used for host ID
      • 2^12 IPs can be used
        • All zeros and all 1’s in the host ID can’t be used
  • But a /20 network can support 4094 hosts - do we want them all on the same network?
    • Lots of broadcast packets congest the network
    • Machines are slowed by trying to process them
    • Anyone can contact anyone else on the network!
  • Our network ID can’t change but what if we took some host ID bits to create a subnet ID
    • These bits are then “added” to the network ID
    • For example if we used 4 bits for the subnet ID
  • Wireless networks are normally larger networks because most devices are looking for information outside the network. Larger network means less communication inside the network.
  • Smaller networks are found in places where devices communicate within the network. For example a data center. (Network to Network firewall rules instead of Host to Host rules)
  • Always start with the largest subnet first: larger subnet boundaries are always valid for smaller ones, but smaller boundaries are not always valid for larger ones
  • All 0’s in the Host ID refers to the Network itself - cannot be assigned to a host
  • All 1’s in the Host ID is the broadcast - cannot be assigned to a host
  • So if we have n bits in our Host ID, we can assign 2^n - 2 IP addresses
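
A worked version of the borrowing and largest-first rules above, added here as an example (my code, not from the class notes); it uses Python’s standard ipaddress module and the 216.93.144.0/20 block the notes mention, and the host counts in the main block are made up.

```python
import ipaddress


def usable_hosts(prefixlen: int) -> int:
    """Usable IPv4 addresses in a /prefixlen: 2^n - 2 for n host bits, because the
    all-zeros host ID is the network address and the all-ones host ID is broadcast."""
    host_bits = 32 - prefixlen
    return 2 ** host_bits - 2 if host_bits >= 2 else 0


def carve(network: str, subnet_bits: int) -> list:
    """Borrow subnet_bits from the host ID to make equal-size subnets.
    216.93.144.0/20 with 4 borrowed bits -> 16 subnets of /24 (254 usable each)."""
    return list(ipaddress.ip_network(network).subnets(prefixlen_diff=subnet_bits))


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable count still covers hosts."""
    prefix = 30  # /30 is the smallest subnet with usable hosts (2)
    while prefix > 0 and usable_hosts(prefix) < hosts:
        prefix -= 1
    return prefix


def on_boundary(address: str, prefixlen: int) -> bool:
    """True when address is a valid network address for the prefix (no host bits set).
    This is the Kahoot rule: a /23 needs an even third octet, a /22 a multiple of 4."""
    try:
        ipaddress.ip_network(f"{address}/{prefixlen}")  # strict: rejects set host bits
        return True
    except ValueError:
        return False


def vlsm(network: str, host_counts: list) -> list:
    """Variable-length subnetting, largest request first.  Unallocated space is kept
    as a list of free blocks; each request takes the lowest piece of the first block
    big enough for it, so every subnet lands on a valid boundary for its own size."""
    free = [ipaddress.ip_network(network)]
    plan = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = smallest_prefix_for(hosts)
        block = next((b for b in sorted(free) if b.prefixlen <= prefix), None)
        if block is None:
            raise ValueError(f"no free block large enough for {hosts} hosts")
        free.remove(block)
        chosen = next(block.subnets(new_prefix=prefix))  # lowest sub-block of that size
        free.extend(block.address_exclude(chosen))       # hand the remainder back
        plan.append((hosts, str(chosen), usable_hosts(prefix)))
    return plan


if __name__ == "__main__":
    # Constructed requests: a wireless segment, a lab, and a point-to-point link
    for hosts, subnet, usable in vlsm("216.93.144.0/20", [500, 100, 2]):
        print(f"{hosts:>4} hosts -> {subnet:<20} ({usable} usable)")
```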

VLANS

  • Multilayer switching
  • A virtual LAN is a group of devices on one or more physical LANs that are configured to communicate as if they were on the same LAN.
  • VLANs define broadcast domains in a Layer 2 network
  • Need a router to pass packets between 2 different VLANs
  • Access Ports: Can only be assigned to/carry traffic from a single VLAN
    • Used to connect end device to a switch
  • Trunk Ports: Carry traffic from multiple VLANs - used to connect switches
    • Will “tag” packets with the proper VLAN ID

CISCO IOS Config File

  • Startup-config: the last version that was saved. If the router/switch is restarted, this is the config that loads
  • Running-config: what’s running in memory. It has all of the config changes made at the command line since the config was last saved.
  • User EXEC Mode: basic monitoring and status commands
    • Prompt: router>
    • Type enable to get to Privileged EXEC mode
  • Privileged EXEC Mode: administrative access
    • Prompt: router#
    • Type config t to get to config mode
  • Config Mode (global configuration)
    • Prompt: router(config)#
  • The question mark ?:
    • Type ? and it will show everything you can do at that point
  • Tab completion works in IOS

Homework: Reading 10.10 DHCP

Week 3: 9/12/22

The DHCP Server and Routers

  • Allows hosts to dynamically obtain their IP address
  • The class diagram (not reproduced here) shows a DHCP server on a network with 3 subnets
  • The router must be set up so that it knows the IP address of the DHCP server
  • DHCP must work across routers, or through the intervention of BOOTP relay agents
  • DHCP DORA (Discover, Offer, Request, Acknowledge)
  • DHCP ports: client 68 and server 67

  • DHCP options field:
    • Subnet mask
    • Default Gateway
    • Lease Time
    • DNS Server
  • Most DHCP servers are configured to let a client reuse a previously allocated IP
    • This can reduce the amount of broadcast traffic
    • A client will broadcast a DHCPREQUEST message on its local subnet.
      • This message will contain a “Requested IP”

Class: DHCP

Week 3: 9/12/22

Dynamic Host Configuration Protocol
What is DHCP?

  • Statically: Manually entered by the administrator (Boo static is for nerds in data centers)
  • Dynamically: Automatically assigned by the network
  • Key information that we need:
    • IP address
    • Subnet mask
    • Default gateway
    • DNS (Domain Name Server)

How does DHCP Work?

  1. Send out Broadcast (Discover)
    1. “I need an IP” - New device
    2. Dest IP: 255.255.255.255:67 (server port)
    3. Src IP: 0.0.0.0:68 (client port)
    4. Broadcast will go out any ports on the VLAN
  2. DHCP Server sends out Offer (Offer)

DHCP over different VLANs:

  • Relay Agent (DHCP Relay, DHCP helper); Cisco calls it the IP helper
  • Router needs to know the IP address of the DHCP Server
    • This is so it can unicast the request and send over the information
    • DHCP server: 192.168.10.100 | Relay Agent helper address: 192.168.10.100
      • Router forwards the broadcast as unicast to 192.168.10.100
      • Src of the unicast: the default gateway address for the VLAN
        • This is how the DHCP Server knows where to send the Offer
  • DHCP is like a person lost in New York
  • DHCP uses UDP
  • Server Port: 67
  • Client Port: 68
  • DHCP has two primary Operation Phases:
    • Initialization: Client request
    • Renewal: Client asks to renew its lease
  • Key Fields
    • Operation Code:
    • Hardware Type:
    • Hardware Length:
  • DORA:
    • Discover: Client attempts to discover a DHCP server
      • If you spoof Discover you can take all the IP addresses
    • Offer: IP lease offer from the server to client
    • Request: Client requests to use the IP lease sent by the server
    • Acknowledgement: Server sends ack to client that the lease was accepted
    • Without this process you can have DHCP exhaustion attacks
  • DHCP snooping
    • Looks at the access port and if one port is asking for more than 1 IP it will shut it down
  • BOOTP: RFC 951
    • Only Discover and Offer
  • DHCP Renewal
    • T1 Renewing: process for the client to request continued use of its lease
      • This is at 50% through the lease time
      • Just sends to the server’s IP address directly
        • Using unicast because it knows the IP address of the DHCP server
      • The client sends DHCP Request packets directly to the server
      • If the server responds with a DHCP Ack, the IP lease is renewed and its time clock restarts.
    • If the server doesn’t respond at T1 then it goes to T2
    • T2 Rebinding: if the server doesn’t respond to the client’s renewal requests we eventually reach the rebinding phase
      • This is at 87.5% through the lease time
      • Gets angry and sends a broadcast to look for another DHCP server
        • So it’s allowed to continue using the same IP
    • DHCP Expiration: if nothing responds by the time the lease is over
      • IP goes to 169.125.4.0
        • Self-assigned address
    • DHCP Relay:
      • Broadcasts are Layer 2 only
        • Need a DHCP relay or helper
          • Picks up the broadcast, turns it into unicast and gets it to the DHCP Server
      • Cisco:
        • Cisco IOS uses the “ip helper-address” command on the VLAN interface
        • If the DHCP server is 10.16.1.50:
          router(config)# interface vlan 100
          router(config-if)# ip helper-address 10.16.1.50
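
An added example (my code, not from the notes) that turns two of the points above into something runnable: the T1/T2 lease timers, and a DHCP-snooping style check that flags an access port where more than one client sends Discover. The log lines and their port=/mac=/msg= layout are constructed for the example, not real switch output.

```python
from collections import defaultdict

# Constructed sample events, one per DHCP message seen on an access port.
# The port=/mac=/msg= layout is invented for this example, not a real switch log format.
SAMPLE_EVENTS = """\
port=Gi1/0/5 mac=00:11:22:33:44:01 msg=DISCOVER
port=Gi1/0/5 mac=00:11:22:33:44:01 msg=REQUEST
port=Gi1/0/7 mac=00:11:22:33:44:02 msg=DISCOVER
port=Gi1/0/9 mac=de:ad:be:ef:00:01 msg=DISCOVER
port=Gi1/0/9 mac=de:ad:be:ef:00:02 msg=DISCOVER
port=Gi1/0/9 mac=de:ad:be:ef:00:03 msg=DISCOVER
"""


def parse_event(line: str) -> dict:
    """'port=X mac=Y msg=Z' -> {'port': X, 'mac': Y, 'msg': Z}."""
    return dict(field.split("=", 1) for field in line.split())


def ports_over_limit(events_text: str, max_clients: int = 1) -> dict:
    """Count distinct client MACs sending DISCOVER per access port and return the
    ports that exceed max_clients.  One host per access port is the normal case;
    many MACs asking on one port is the pattern DHCP snooping reacts to."""
    clients = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event["msg"] == "DISCOVER":
            clients[event["port"]].add(event["mac"])
    return {port: len(macs) for port, macs in clients.items() if len(macs) > max_clients}


def lease_timers(lease_seconds: int) -> tuple:
    """T1 (renew, unicast to the known server) at 50% of the lease,
    T2 (rebind, broadcast for any server) at 87.5%."""
    return int(lease_seconds * 0.5), int(lease_seconds * 0.875)


def lease_phase(lease_seconds: int, elapsed: int) -> str:
    """Which phase a client is in, elapsed seconds after the lease was acknowledged."""
    t1, t2 = lease_timers(lease_seconds)
    if elapsed >= lease_seconds:
        return "EXPIRED"     # lease is gone; client falls back to a self-assigned address
    if elapsed >= t2:
        return "REBINDING"   # no answer from the server: broadcast for any DHCP server
    if elapsed >= t1:
        return "RENEWING"    # unicast DHCPREQUEST to the server that gave the lease
    return "BOUND"


if __name__ == "__main__":
    print("ports over limit:", ports_over_limit(SAMPLE_EVENTS))
    print("24h lease T1/T2:", lease_timers(86400))
```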

Class: Campus and Enterprise Network Design Layers

Week 4: 9/19/22

Campus and Enterprise Routing

Internal
Edge Layer/Access Layer (Layer 2)

  • Building Switches - a switch that controls only its building
  • End points (Drops)
  • Access Point (doesn’t know about VLANs; it just presents an SSID)

Distribution Layer (Layer 3)

  • Internal Router (OSPF is the most used internal routing protocol)
  • Distribution Router - a router that is a multilayer switch (MLS) that takes in the other switches
  • QoS policies are managed here / route filtering

Core Layer (Layer 2)

  • High speed Layer 2 (Fast!!!!)
  • Core Switches - connect to each other and link the Distribution areas
  • Just to connect switches on 1 core VLAN
  • The most powerful in terms of raw forwarding power
  • 10, 40, 100 Gbps
  • Network Backbone

Border (Layer 3)

  • External routing (BGP used for external)
  • Border Router - Connects to core switch and ISP

External

Internet2

Homework: Reading 2.1 DNS

Week 5: 9/26/22

  • DNS RFC 1034
  • DNS is a distributed database
  • DNS runs on layer 7
  • Consists of multiple name servers - a name server is a server that contains IP addresses or services linked to different URLs or host names
  • Types:
    • A - name is a hostname, value is an IP address
    • NS - authoritative name server
    • CNAME - canonical name
    • MX - mail server
  • TCP and UDP 53

Class: NAT

Week 6: 10/3/22

NAT (Network Address Translation)

  • Is a method of remapping one IP address space into another
  • Rewriting the layer 3 and often layer 4 headers

NAT Router

  • Keep track of those translations in a table so it knows how to send inbound packets back to the right client
  • This may also require rewriting the Layer 4 header
  • Source port TCP/UDP often used to track translations

NAT Security

  • Wasn’t intended for security
    • But it has a security side-effect: an external IP can’t directly connect to an internal client

IP Masquerading

  • The private source IP address is changed into a public address as the ‘new’ source address
  • In Foster and Skiff, we use IP Masquerading for our NAT setup
  • The translation tables are flushed after a defined period unless new traffic refreshes their state.
  • Masquerading routers keep stateful translation tables of each conversation to “remember” the original source address

Types of NAT

  • One-to-One IP mapping
    • Static NAT
  • Many-to-Many IP mapping
    • Dynamic NAT
  • Many-to-One IP mapping (Very Common)
    • Port Address Translation
    • IP Masquerading
      • Many to one

Static NAT

  • Doesn’t scale well
  • Allows the Network Admin to configure translation table entries for permanent use

Dynamic NAT

  • Set aside a pool of public addresses
  • Dynamic NAT is used when PAT is not supported
  • This isn’t really used anymore

Port Address Translation (PAT)

  • One IP address for lots of internal IP addresses
  • Source TCP port number (Ephemeral Port)
  • Could have 65k connections to one IP
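
An added illustration (my code, not from the notes) of the translation table a masquerading router keeps for PAT: outbound flows get the one public IP plus a fresh ephemeral port, inbound packets are mapped back through the same table, and idle entries are flushed. The addresses are constructed.

```python
class PatTable:
    """Many-to-one NAT (PAT / IP masquerading).  Every inside (ip, port) pair is
    rewritten to the single public IP plus a unique port; the table is the only
    thing that lets a reply find its way back to the right inside host."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port)
        self.last_seen = {}  # public_port -> time of last packet, for idle flushing

    def translate_outbound(self, inside_ip: str, inside_port: int, now: float) -> tuple:
        """Return the (public_ip, public_port) to write into the outgoing packet,
        creating a table entry the first time this inside socket is seen."""
        key = (inside_ip, inside_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        public_port = self.outbound[key]
        self.last_seen[public_port] = now
        return self.public_ip, public_port

    def translate_inbound(self, public_port: int, now: float):
        """Reverse lookup for a packet arriving at the public IP.  Returns the inside
        (ip, port), or None when no inside host ever opened that flow: this is the
        side effect that makes NAT look like a firewall to outside hosts."""
        key = self.inbound.get(public_port)
        if key is not None:
            self.last_seen[public_port] = now
        return key

    def expire(self, now: float, idle: float) -> int:
        """Flush entries idle longer than `idle` seconds; returns how many were removed."""
        stale = [p for p, seen in self.last_seen.items() if now - seen > idle]
        for public_port in stale:
            key = self.inbound.pop(public_port)
            del self.outbound[key]
            del self.last_seen[public_port]
        return len(stale)


if __name__ == "__main__":
    nat = PatTable("203.0.113.5")  # constructed public address
    print(nat.translate_outbound("10.1.1.10", 51000, now=0))
    print(nat.translate_inbound(1024, now=1))
    print(nat.translate_inbound(2000, now=1))  # unsolicited: None
```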

Configuring NAT in Cisco

  1. Define the “inside” and “outside” interfaces
    1. (config)# interface serial 0/0/0
    2. (config-if)# ip nat outside
    3. (config)# interface gigabitethernet 0/0   (the LAN-facing interface; the name is just an example)
    4. (config-if)# ip nat inside
  2. Set NAT rules
    1. Static mappings
    2. PAT/Dynamic pool assignments

Wildcard Subnet Masks

  • Just subtract the subnet mask from 255.255.255.255
  • 255.255.255.0 becomes 0.0.0.255
  • 255.255.255.252 becomes 0.0.0.3
  • 255.255.240.0 becomes 0.0.15.255

Kahoot

  • Where does most internal routing occur?
    • Distribution
  • /23 has to have an even number in the third octet
  • /22 multiple of 4 in the third octet

External
----------
Border
Core
Distribution
Edge
----------
Internal

Homework: OSPF

Week 9: 10/23/22

OSPF (Open Shortest Path First)

  • Took RIP’s position
  • Uses the more capable link-state routing algorithm, with each router maintaining a database containing information about the state and topology of the internetwork
  • Many of RIP’s problems are due to it being a distance-vector protocol
  • OSPF version 2: July 1991
  • Developed to be a more capable interior routing protocol

LSDB (Link-State Database)

  • Router RA connects Network N1 to Network N2
  • Routers RB and RC connect Network N2 to Network N3
  • Router RD connects Network N3 to Network N4

  • Each of the routers running OSPF is considered a peer of the others. They maintain a link-state database that contains information about the topology of the entire AS.

OSPF Hierarchical Topology

  • To allow for better control and management over larger internetworks, OSPF allows a large AS to be structured into a hierarchical form.

Router Roles in OSPF Hierarchical Topology

  • Internal Routers
    • These are routers that are connected only to other routers or networks within a single area
  • Area Border Routers
    • These are routers that connect to routers or networks in more than one area
  • Backbone Routers
    • These are routers that are part of the OSPF backbone. By definition these include all area border routers, since those routers pass routing information between areas.
  • Area 1 contains Network N1, Router RA, Network N2, Router RB, and Router RC
  • Area 2 contains Router RB, Router RC, Network N3, Router RD, and Network N4

OSPF Route Determination Using SPF Trees

The SPF Tree

  • Router generates a shortest-path first tree (SPF Tree) from its LSDB.
  • This step uses more calculations to put cost into the mix

OSPF Route Determination

OSPF General Operations

  • Main job is to facilitate the exchange of routing information between routers

OSPF Message Types

  • Hello | Form of greeting to allow a router to discover other adjacent routers
  • Database Description | Contains descriptions of the topology. Communicating a large LSDB may require several messages
  • Link State Request | Used by one router to request updated information about a portion of the LSDB from another router
  • Link State Update | Contains updated information about the state of certain links in the LSDB.
  • Link State Acknowledgment | Provides reliability to the link-state exchange process by explicitly acknowledging receipt of a link state update.

OSPF Common Header Format

Classwork: Interior Routing

Week 9: 10/23/22

Resources:

https://networklessons.com/ospf/basic-ospf-configuration

https://study-ccna.com/ospf-configuration/

What does a router do?

  • How does the router over in skiff know about networks in Foster?
  • Tell packets where to go
  • Switches look at the MAC address
  • Routers read the IP address
  • Day in the life of a router
    • Finds Path
    • Forward Packet, Forward Packet
    • Find alternate path
    • Forward Packet
    • Repeat until powered off

Routing versus Forwarding

  • Routing = building maps and giving directions
  • Forwarding = moving packets between interfaces according to the “Directions”

Routing Tables

  • Feed the Forwarding tables

IP Routing - finding the path

  • Path derived from information received from a routing protocol
  • Several alternative paths may exist
    • Best path stored in forwarding table
  • Decisions are updated periodically or as topology changes

RIBs and FIBs

  • FIB is the Forwarding Table
    • It contains destinations and the interfaces to get to those destinations
    • Used by the router to figure out where to send the packets
    • Careful! Some people still call this the route table!
  • RIB is the Routing Table
    • It contains a list of all the destinations and the various next hops used to get to those destinations - and lots of other information too!
    • One destination can have lots of possible next-hops - only the best next hop goes into the FIB

Routing Protocols

  • Routers use “Routing protocols” to exchange routing information with each other
    • IGP (Interior Gateway Protocol) refers to the process running on routers inside an organization’s network
    • EGP (Exterior Gateway Protocol) refers to the process running between routers bordering directly connected networks
  • The reason we have 2 different protocols is because of administrative boundaries
    • Don’t want to share your information with the world

What is an IGP?

  • Interior Gateway Protocol
  • Within an Organization
  • Carries information about internal infrastructure prefixes
  • Two widely used IGPs, plus the older RIP:
    • OSPF (Open Shortest Path First)
    • ISIS
    • RIP

What is an EGP?

  • Exterior Gateway Protocol
  • Used to convey routing information between Organization
  • Decoupled from the IGP
  • Current widely-used EGP is BGP (Border Gateway Protocol)
    • BGP is the routing protocol of the internet
    • Chinese government uses BGP for the great firewall

Why Do We Need an EGP?

  • Scaling to large networks
    • Hierarchy
    • Limit scope of failure
  • Define Administrative Boundary
  • Policy
    • Control reachability of prefixes
    • Merge separate organizations
    • Connect multiple IGPs

Interior versus Exterior Routing Protocols

  • Interior
    • Automatic neighbor discovery
    • Generally trust your IGP routers
    • Prefixes go to all IGP routers
    • Binds routers in one Autonomous System (AS) Together
  • Exterior
    • Specifically configured peers
    • Connecting with outside networks
    • Set administrative boundaries
    • Binds AS’s together

Dynamic IGP Types

  • Distance Vector
    • Routers send out broadcasts/multicasts with their routing table
    • Other routers listen, and update their tables accordingly
    • Typically send tables every 30-60 seconds
    • Routing preference is based solely on hops (how many routers between networks)
    • Noisy (lots of broadcasts), slow to converge, does not scale to large complex networks
    • RIP v2 is a common example
  • Link State IGP
    • More popular method for IGP
    • Routers figure out who their neighbors are
    • After initial convergence - only sends Hellos (keep-alives) and Link State updates with changes
    • Uses more advanced route-selection metrics (notably bandwidth)
    • Open Shortest Path First (OSPF) is the most popular IGP

OSPF

  • Does NOT use a transport protocol (UDP or TCP)
    • It is its own layer 4 - IP Protocol 89
  • Uses “Area” to determine which routers listen/talk to each other
  • Can just be one, or many if you have a large network
  • When writing firewall rules, watch out for rules that block all non-UDP/TCP packets - they will block OSPF too

Configuring OSPF

  1. Create an OSPF instance: the Process ID is specific to that router
    1. (config)# router ospf <instance_number>   (usually just 1)
    2. Don’t confuse “instance” and “area”
      1. Instance: a router can have multiple OSPF processes running. Imagine a router connecting two totally different organizations and configuring OSPF for both
      2. Area: must be the same among all routers that need to share information within a particular instance. If you have a single-area network, use Area 0
  2. Add all of the directly connected networks on that router
    1. Network address with wildcard mask and area #
    2. (config-router)# network 192.168.0.0 0.0.0.255 area 0
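
The wildcard-mask rule from the NAT week (255.255.255.255 minus the mask) and the OSPF network statements it feeds, as an added Python example that is not part of the notes; it generates the `network ... area` lines for a router from its own interface addresses, which are constructed for the example.

```python
import ipaddress


def wildcard(mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask, octet by octet.
    255.255.240.0 -> 0.0.15.255"""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def prefix_to_wildcard(prefixlen: int) -> str:
    """Same rule, starting from a /prefix instead of a dotted mask."""
    return wildcard(str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask))


def ospf_network_statements(interface_addrs: list, area: int = 0) -> list:
    """One 'network <net> <wildcard> area <n>' line per directly connected network,
    derived from the router's own interface addresses given in host/prefix form."""
    lines = []
    for addr in interface_addrs:
        net = ipaddress.ip_network(addr, strict=False)  # strip host bits -> network address
        lines.append(f" network {net.network_address} {wildcard(str(net.netmask))} area {area}")
    return lines


def ospf_config(process_id: int, interface_addrs: list, area: int = 0) -> str:
    """Full 'router ospf' stanza as it would be typed in config mode."""
    return "\n".join([f"router ospf {process_id}"] + ospf_network_statements(interface_addrs, area))


if __name__ == "__main__":
    # Constructed interface addresses: a LAN and a point-to-point link
    print(ospf_config(1, ["192.168.0.1/24", "10.0.12.2/30"]))
```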

Classwork: BGP

Week 10: 10/31/22

BGP - Routing Protocol of the Internet

  • IGP is interior and BGP is exterior
  • Border Gateway Protocol (BGP): the EGP used on the Internet
  • Exchanges routing and reachability information among autonomous systems (AS) on the Internet
  • The protocol is classified as a path vector protocol

AS

  • Autonomous Systems
    • A Collection of connected Internet Protocol (IP) routing prefixes
    • Under the control of a single administrative entity (e.g company, university, ISP)

AS Numbers

  • A unique ASN is allocated to each AS for use in BGP routing
  • AS numbers are important because the ASN uniquely identifies each (aggregated) network on the Internet
  • Until 2007, AS numbers were defined as 16-bit integers, which allowed for a maximum of 65536 assignments
  • Now, registries can hand out 32 bit AS numbers (over 4 Billion)

BGP Operations

  • BGP neighbors, called peers, are established by manual configuration between routers
  • Creates a TCP session on port 179. Is its own protocol (be mindful of this when setting firewall rules)
  • A BGP speaker sends 19-byte keep-alive messages every 60 seconds to maintain the connection
  • Among routing protocols, BGP is unique in using TCP as its transport protocol
    • Others (like OSPF) are their own protocols directly on top of IP

BGP Peering

  • So, organizations must “peer” with their ISP(s) and other networks with which they share an external link.
  • This allows for multi-homed networks (aka multiple connections to the Internet).
  • Your AS will be advertised through your multiple peers - this allows multiple paths to your IP networks from the Internet
  • Other routers pick the best “path” to your network

Multi-homed Peering

BGP - Path Vector Protocol

  • Distance Vector Protocols
    • Like RIP - use “distance” as a route selection metric
    • Routing table includes how many hops/routers to a remote network
    • Only knows the IP of the next router - not the full path to the destination
  • Path Vector Protocols - like BGP
    • Routing table includes the “path” of AS numbers to get to remote networks

Path Vector

BGP - Best Path Algorithm

  • Best Path Selection Algorithm is used to choose and install the best routes into the router’s routing table
  • The full Internet BGP routing table includes over 400,000 routes
  • BGP router can receive numerous copies of these routes from various providers
  • So, it has to compare the multiple routing tables and choose the optimal route on the router.
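
An added sketch (my code, not from the notes) of the path-vector ideas above: a speaker drops any route whose AS path already contains its own ASN, prepends its ASN when re-advertising, and, all else being equal, prefers the shortest AS path. Only the loop check and the path-length step of the real best-path algorithm are modelled; ASNs 1010 and 2352 come from the notes, the rest are from the documentation range 64496-64511, and the received updates are constructed.

```python
import ipaddress


def accept_update(local_asn: int, as_path: list) -> bool:
    """Path-vector loop prevention: a route whose AS_PATH already lists our ASN
    has been through us before, so it is discarded."""
    return local_asn not in as_path


def advertise(local_asn: int, as_path: list) -> list:
    """Prepend our ASN when passing the route on to an external peer."""
    return [local_asn] + list(as_path)


def best_paths(local_asn: int, received: list) -> dict:
    """received: (prefix, as_path, neighbor_ip) tuples, possibly several per prefix
    from different providers.  Returns {prefix: (as_path, neighbor_ip)} choosing the
    shortest AS_PATH and, on a tie, the lowest neighbor address.  Real BGP consults
    other attributes (weight, local preference, origin, MED...) around these steps."""
    best = {}
    for prefix, as_path, neighbor in received:
        if not accept_update(local_asn, as_path):
            continue
        rank = (len(as_path), ipaddress.ip_address(neighbor))
        if prefix not in best or rank < best[prefix][0]:
            best[prefix] = (rank, list(as_path), neighbor)
    return {prefix: (path, nbr) for prefix, (_, path, nbr) in best.items()}


# Constructed UPDATEs as seen by AS 1010 from three peers.
RECEIVED = [
    ("10.10.52.0/24", [2352, 64500], "192.168.1.2"),
    ("10.10.52.0/24", [64496, 64497, 64500], "192.168.2.2"),
    ("10.10.52.0/24", [64498, 1010, 64500], "192.168.3.2"),  # our own ASN inside: a loop
    ("203.0.113.0/24", [2352, 64499], "192.168.1.2"),
    ("203.0.113.0/24", [64496, 64499], "192.168.2.2"),       # same length, higher neighbor
]


if __name__ == "__main__":
    for prefix, (path, nbr) in best_paths(1010, RECEIVED).items():
        print(f"{prefix:<16} via {nbr:<12} AS_PATH {path} -> readvertised as {advertise(1010, path)}")
```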

BGP Attributes for Selecting Path

Configuring BGP

  1. Create BGP instance (instance number is the AS number)
  2. Identify peer neighbors by IP address
  3. Identify any networks that the router is responsible to advertise

Code:
Define the router instance (the instance number is the router’s own AS number):
  router bgp {AS_Number_for_Router}
  router bgp 1010

Identify peers:
  neighbor {ip_of_peer} remote-as {as_number_of_peer}
  neighbor 192.168.1.2 remote-as 2352

Advertise networks:
  network {network} mask {subnet_mask}
  network 10.10.52.0 mask 255.255.255.0

Playbook:
  enable
  config t
  router bgp {AS_Number_for_Router}
  neighbor {ip_of_peer} remote-as {as_number_of_peer}
  network {network} mask {subnet_mask}

Classwork: IPSEC

Week 11: 10/7/2022

Site to Site:

VPN

  • Encapsulate the packet in another header addressed to the destination router
  • Traversing the Internet exposes it (need the encryption from the VPN)
  • Encrypting Layer 3+ for the VPN

TCP/IP Security:

TLS/SSL

  • Transport Layer Security (TLS)/Secure Sockets Layer (SSL)
  • Layer 5+ Protection
  • Widely used to protect the data portion of TCP/IP communication
  • Protects against eavesdropping (confidentiality) and data payload tampering (integrity).
  • Offers certificate-based protection against spoofing (Authentication)

IPSEC

  • IS NOT A PROTOCOL - SUITE OF PROTOCOLS
  • Internet Protocol Security
  • Layer 3 (network layer) protection
  • Widely used to secure communications on Virtual Private Networks (VPN)
  • Can protect against eavesdropping, tampering, and spoofing

IPSEC Concepts:
Two main wire-level protocols

  • AH (Authentication Header): Authentication, Integrity, and Non-repudiation
  • ESP (Encapsulating Security Payload): Confidentiality plus Authentication, Integrity and Non-repudiation
  • Typically one or the other (although possible to use together)

Two Modes: Both supported by AH and ESP

  • Transport: only the payload of the IP packet is encrypted and/or authenticated. IP header not modified
  • Tunnel: the entire IP packet is encrypted and/or authenticated, and encapsulated into a new IP packet with a new header

Security Association (SA)

  • All of the parameters needed for an IPsec session (modes, algorithms, keys etc.)
  • Both sides must agree on the SA for secure communication to work

AH and ESP:
Authentication Header

  • Header added to IP packet
  • Includes:
    • Security Parameters Index (SPI): 32-bit identifier to tell the recipient which IPsec “conversation” this packet belongs to
    • Integrity Check Value (ICV): the output (aka message digest) from a hash function (MD5, SHA-256…) performed on the IP packet

Encapsulating Security Payload (ESP)

  • Uses agreed upon encryption algorithm and keys to encrypt payload
  • Transport Mode encrypts layers 4-7 of original packet
  • Tunnel Mode encrypts layers 3-7 of original packet
  • Authentication is optional
    • Uses ICV just like AH

Tunnel and Transport Modes
Shaded (in the class diagram) shows authenticated and/or encrypted components
Transport Mode

  • Only the payload is authenticated and/or encrypted

Tunnel Mode

  • Entire packet is authenticated and/or encrypted

AH and ESP -Transport and Tunnel
AH IPSEC

ESP IPSEC

The IPSEC Matrix

Security Associations:
Security Association (SA)

  • The set of algorithms and keys used to encrypt and/or authenticate one direction of a flow.
  • Therefore, normal bi-directional traffic requires a pair of SAs to secure the flow.
  • Devices keep track of SA’s in the Security Association Database (SADB)
  • Security Parameter Index (SPI) is an SA’s 32-bit index id in the SADB
  • The SPI plus the destination IP uniquely identifies the SA for a packet
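
An added, simplified model (my code, not the notes’, and not byte-exact IPsec) of what the SA bullets describe: a SADB keyed by (SPI, destination IP), one SA per direction, and an ESP-style ICV computed with HMAC-SHA-256 truncated to 128 bits, so that a packet that was tampered with or arrives for the wrong destination is dropped. Peers, SPIs and keys are constructed; in practice the keys come from IKE.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16               # HMAC-SHA-256-128: the 256-bit MAC truncated to 128 bits
HDR = struct.Struct("!II")  # SPI, sequence number (big-endian, as on the wire)


class SecurityAssociation:
    """Parameters for ONE direction of a flow: who it is addressed to, the SPI the
    receiver assigned, and the authentication key both sides agreed on."""

    def __init__(self, spi: int, dst_ip: str, auth_key: bytes):
        self.spi, self.dst_ip, self.auth_key = spi, dst_ip, auth_key
        self.seq = 0


class SADB:
    """Security Association Database: an SA is found by (SPI, destination IP)."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.dst_ip)] = sa

    def lookup(self, spi: int, dst_ip: str):
        return self._sas.get((spi, dst_ip))


def icv(key: bytes, data: bytes) -> bytes:
    """Integrity Check Value over header + payload (a keyed digest, not a bare hash)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def protect(sa: SecurityAssociation, payload: bytes) -> bytes:
    """Simplified ESP-with-authentication packet: SPI | seq | payload | ICV.
    Real ESP also carries IV, padding and next-header fields; omitted here."""
    sa.seq += 1
    body = HDR.pack(sa.spi, sa.seq) + payload
    return body + icv(sa.auth_key, body)


def verify(sadb: SADB, dst_ip: str, packet: bytes):
    """Receiver side: find the SA by (SPI, dst IP), recompute the ICV in constant time,
    and return the payload only if it matches; None means drop the packet."""
    if len(packet) < HDR.size + ICV_LEN:
        return None
    spi, _seq = HDR.unpack_from(packet)
    sa = sadb.lookup(spi, dst_ip)
    if sa is None:
        return None  # unknown conversation for this destination
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(sa.auth_key, body)):
        return None  # tampered, or wrong key
    return body[HDR.size:]


def make_pair(a_ip: str, b_ip: str, key_ab: bytes, key_ba: bytes) -> tuple:
    """Bi-directional traffic needs two SAs; both peers hold both in their SADB."""
    sa_ab = SecurityAssociation(spi=0x1001, dst_ip=b_ip, auth_key=key_ab)
    sa_ba = SecurityAssociation(spi=0x2001, dst_ip=a_ip, auth_key=key_ba)
    sadb = SADB()
    sadb.add(sa_ab)
    sadb.add(sa_ba)
    return sa_ab, sa_ba, sadb


if __name__ == "__main__":
    # Constructed peers and keys (real keys come from IKE, never a literal in code)
    sa_ab, sa_ba, sadb = make_pair("10.0.0.1", "10.0.0.2", b"key-a-to-b", b"key-b-to-a")
    pkt = protect(sa_ab, b"hello")
    print(verify(sadb, "10.0.0.2", pkt))
```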

Security Associations and ISAKMP

  • **Internet Key Exchange (IKE) **is the set of protocols used to set up a Security Association (SA)
  • Internet Security Association and Key Management Protocol (ISAKMP) is the negotiation protocol that lets two hosts agree on how to build an IPsec security association (SA).
  • IKE uses ISAKMP to set up the SA for IPsec to use
  • IKE creates the cryptography keys used to authenticate peers

SAs and ISAKMP
ISAKMP separates negotiation into two phases

  • Phase 1: “Main Mode”
    • Creates a secure channel for IKE to exchange SA key material
  • Phase 2: “Quick Mode”
    • Uses the first channel to exchange key material
    • Creates the tunnel that protects the actual data

IPSEC Configuration - Cisco Example
Phase 1 - IKE Policy
enable
config t
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

Phase 2 - Transform Set
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

IPSEC Today

  • AH rarely used
  • Popular with Site-to-Site VPNs

TLS and IPSEC
TLS

  • As it works with Layers 5+, it is much easier from a networking perspective
  • As it works with Layers 5+, applications must be coded to support it
  • Great for securing services with many dynamic clients
  • Works better with Network Address Translation (NAT)

IPSEC

  • Secures all IP flows between the two endpoints
  • As it works at Layer 3, no application coding required
  • As it works at Layer 3, network must be configured to support it
  • Great for securing VPN’s

Tips and Tricks

  • A line starting with “!” is a comment in Cisco IOS (good for leaving notes in configs)

Cisco IPsec:
Router A:
Create an ISAKMP policy for Phase 1 negotiations for the L2L tunnels.
enable
config t
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14

Specify the pre-shared key and the remote peer address to match for the L2L tunnel.
crypto isakmp key vpnuser address 10.0.0.2

Create the Phase 2 policy for IPsec negotiation.
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
Create an ACL for the traffic to be encrypted. In this example, the traffic from 10.1.1.0/24 to 172.16.2.0/24 is encrypted. The traffic which does not match the access list is unencrypted for the Internet.
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255

Create the actual crypto map. Specify an access control list (ACL), which defines the proxy identities (local and remote host/networks).
crypto map mymap 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set myset
match address 100
interface GigabitEthernet0/1
ip address 10.1.1.2 255.255.255.0

Apply the crypto map on the outside interface.

interface GigabitEthernet0/0
ip address 172.16.1.1 255.255.255.0
crypto map mymap

Route to the default gateway
ip route 0.0.0.0 0.0.0.0 172.16.1.2

Router B:
Create an ISAKMP policy for Phase 1 negotiations for the L2L tunnels.
enable
config t
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14

Specify the pre-shared key and the remote peer address to match for the L2L tunnel.
crypto isakmp key vpnuser address 172.16.1.1

Create the Phase 2 policy for IPsec negotiation.
crypto ipsec transform-set myset esp-aes esp-sha256-hmac

Create an ACL for the traffic to be encrypted. In this example, the traffic from 172.16.2.0/24 to 10.1.1.0/24 is encrypted. The traffic which does not match the access list is unencrypted for the Internet.
access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Create the actual crypto map. Specify an access control list (ACL), which defines the proxy identities (local and remote host/networks).
crypto map mymap 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 100
interface GigabitEthernet0/1
ip address 172.16.2.1 255.255.255.0

Apply the crypto map on the outside interface.
interface GigabitEthernet0/0
ip address 10.0.0.2 255.255.255.0
crypto map mymap

Route to the default gateway.
ip route 0.0.0.0 0.0.0.0 10.0.0.1

Router A:
Verify it’s working
enable
show crypto ipsec sa

Classwork: Zoning and ACL

Week 12: 11/14/2022

Reasons to Segment a Network:

  • Reduce size of Broadcast domains
  • Restrict unnecessary traffic crossing long distance and/or slow links
  • Conserve Public IP addresses with an organized NAT implementation
  • Security!

Security and Network Segmentation:

  • What is one of the primary rules of information security?
  • Least Privilege
  • Providing network access to servers/services introduces risk - therefore limit access to only those remote systems that need it

Least Privilege for Network Access:

Risk Matrix (diagram from class, not reproduced):

(Want to be as far up this as possible WHILE having functionality)

Network-based Defenses: Access Control

  • How is the system connected to the network?
    • Not connected to any network (stand-alone)?
      • The best network defense
    • On a private network (not the Internet)?
      • Highly secure environments (military, utility grid…) may run separate networks
    • On the Internet?
  • Use network connections and routing devices to control access to a system

Network Defense Techniques:

  • Technical Solutions
    • Network Address Translation (NAT)
    • Access Control Lists (ACLs)
    • Firewalls
  • Planning/Layout Solutions
    • Network Zoning

Network-based Defenses: Access Control

  • Network Address Translation:
    • Using private IP addresses internally and translating to “public” IP’s when communicating on Internet
  • Private IP Address
    • 10.0.0.0
    • 192.168.0.0
    • 172.16.0.0
  • Organizations use private addresses on the local network
  • Router translates private to public IP’s and keeps track of translation in a table

Access Control-NAT:

Network-based Defenses: Access Control

  • Routers: devices that “route” traffic between different networks (think Post Office)
    • Can create routing rule to control which networks can communicate
    • Can create Access Control Lists (ACLs) to drop certain types of traffic
      • Spoofed addresses
      • Certain protocols

Network-based Defenses: Firewalls

  • Device that controls traffic in and out of a network based on ruleset

Layer 4 Firewalls:
Rules based on Layer 3:

  • IP Addresses of both internal and external computers
    • e.g. allow all external systems to 170.129 (Public).20.101
    • Allow 153.104.15.6 to 170.129 (Public).118.112
    • Allow 153.104.15.0/24 to 170.129 (Public).18.0/24
    • Deny Any to 170.129 (Public).15.0/24

And Layer 4 “Port Numbers”

  • Such as Port 80 (HTTP), 443 (HTTPS), 3389 (RDP)
    • e.g. allow all external systems to 170.129 (Public).20.101 on port 80
    • Allow 153.104.15.6:3389 to 170.129 (Public).118.112:3389
    • Allow 153.104.15.0/24 to 170.129 (Public).18.0/24 on port 443
    • Deny Any to 170.129 (Public).15.0/24 on port 3389

Layer 7 - Application Firewalls:

  • Newer Firewalls
  • Can inspect entire packet – including the data
  • Can set rules on layers 3 and 4 plus:
    • Info in the data such as URLs
    • Particular applications, regardless of ports
  • Examples:
    • Allow port 80 (HTTP) but block Facebook
    • Allow port 80 (HTTP) to 170.129 (Public).20.101 but block if URL contains “/admin.php”
  • Layer 7 firewalls can block known bad certificates and certificate authorities

Network Zoning
Designing networks to improve security by:

  • Placing systems with similar security requirements in “zones” protected by firewalls
  • These requirements can include:
    • Services they run
    • Who accesses them
    • Who manages them
    • Operational criticality
    • Data they store/process
    • Regulatory requirements

Case-Study Network:

  • 20,000+ node network managed by central team
  • Two primary data centers with 1,000+ servers
  • Historical use of firewalls
    • Perimeter firewalls with minimal ruleset put in place a few years ago
    • A few firewall protected VLANs in Data Center for certain administrative and research systems
    • Other data center VLANs a “hodge-podge” of administrative, academic, and research systems

Network Zoning Project - Overview:

  • Move all servers into security “zones” behind network firewalls
    • Recognized best-practice (ISO, NIST, SANS, CSC)
    • Hardware firewalls required by policy and regulations (PCI, FISMA)
  • Asset-based as opposed to perimeter approach to network traffic flow policy

Network Zoning Goals:

  • Place all data center servers behind hardware firewall
  • Simplify rulesets as much as possible:
    • Administrative access
    • Services
    • User access
  • Quicker troubleshooting and incident response
  • Improve intrusion prevention and monitoring
  • Defense-in-depth

Firewall Contexts:
Context: Firewall contexts can be viewed as “virtual” firewalls on the same hardware

  • Reasons for configuring separate contexts include:
    • Simplify rule sets while maintaining security requirements
    • Isolate systems according to security requirements
    • Comply with policy and regulatory controls for isolations, monitoring, and logging

Planned Contexts:

  • PCI: Systems processing credit cards
  • HIPAA: Systems processing/storing Protected Health Info (PHI)
  • ITS: Systems administered exclusively by central IT team
  • General: Systems administered by central IT, other IT, and/or vendors
  • Management: Systems used to manage network devices, building control, or other embedded devices
  • Other possible:
    • Research projects
    • Professional Schools (Tuck Business, Thayer Engineering)

VLAN Groups:
Grouping of VLANs within a context. These can include:

  • DMZ: VLANS with systems directly accessible by Internal and/or External users.
  • Production: Production systems only directly accessible by administrators and load balancers.
  • Dev/Non-prod: Development and/or non-production systems

VLAN Groups (2):
Grouping of VLANs within a context. These can include:

  • DMZ and Production will have both Public and Private (10.x) VLANs
  • Dev/Non-prod:
    • Firewall rules update testing
    • Allows different inbound, outbound and back-end rules
    • Policy requirement and best practice
    • Minimal impact for admins (different IP and checkbox on request)

Example Context and VLAN Table:

F5-only means the system only talks to the load balancer. F5 is the maker of BIG-IP, which is a data center load balancer.

Data Center Network Zoning Example:

Access-Lists on Cisco:

  • Access-lists provide basic firewall capabilities on Cisco Routers.
  • Two types:
    • Standard:
      • Apply to source IP address or Network Only.
      • Layer 3
    • Extended:
      • Apply to source and destination IP address and/or network
      • Can also create rule for TCP Ports
      • Layer 3 and 4

Creating Access Lists:
Two-Step Process

  • In global config mode – use ip access-list command to create list
  • Apply list to interface with ip access-group command
    • Interface config mode
    • Specify in or out.
    • Does list apply to packets entering interface (in) or leaving interface (out)

Step 1 – Extended and Standard:

  • Standard is: ip access-list standard name_of_list
    • Then rules: {permit/deny} {ip_address} {wildcard_mask}
  • Extended: ip access-list extended name_of_list
    • Rules: {permit/deny} {tcp/udp/ip} {source_ip} {wc_mask} {dst_ip} {wc_mask} eq {port}

Standard ACL Example:
1. Create ACL:

  • device(config)# ip access-list standard Net1
  • device(config-std-nacl-Net1)# deny host 10.157.22.26
  • device(config-std-nacl-Net1)# deny 10.16.4.0 0.0.0.255
  • device(config-std-nacl-Net1)# permit any

2. Apply to interface

  • device(config)# int eth 1/1
  • device(config-if-e10000-1/1)# ip access-group Net1 in

Extended ACL Example:

1. Create Access List (first address is the source, second is the destination)

  • (config)# ip access-list extended MYACL
  • (config-nacl-myacl)# deny tcp host 10.0.0.2 host 10.0.1.2 eq 80
  • (config-nacl-myacl)# deny tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 23
  • (config-nacl-myacl)# permit ip any any

2. Apply to Interface

  • (config)# interface fastEthernet 0/0
  • (config-if)# ip access-group MYACL in

Access-list Gotchas

  1. Rules applied in order – top to bottom
  2. Hidden “Deny all” by default:
    • When access lists are applied to an interface, a default “deny all all” is applied at the bottom
    • So, you must add a “permit any” at the end of your list if appropriate
  3. Regular ACLs cannot be reordered: must delete and recreate if order is messed up
  4. Watch your INs/OUTs: think of the packet flow. IN is entering the interface, OUT is leaving the interface
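Worked example (added here, not from the course notes or from Cisco): a small evaluator that processes entries written in the syntax the notes use and shows gotchas 1 and 2 on the MYACL list above. Packet fields (src, dst, proto, dport) and the sample packets are constructed.

```python
import ipaddress

# Added example: mimics how a Cisco extended access-list is evaluated.
# Entries use the notes' syntax, e.g. "deny tcp host 10.0.0.2 host 10.0.1.2 eq 80".

def wildcard_match(net: str, wildcard: str, addr: str) -> bool:
    """Cisco wildcard-mask semantics: 0 bits must match, 1 bits are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def parse_entry(line: str) -> tuple:
    """Return (action, proto, src, src_wc, dst, dst_wc, port) for one list entry."""
    tok = line.split()
    action, proto, pos, addrs = tok[0], tok[1], 2, []
    for _ in range(2):                       # source address, then destination
        if tok[pos] == "any":
            addrs += ["0.0.0.0", "255.255.255.255"]; pos += 1
        elif tok[pos] == "host":
            addrs += [tok[pos + 1], "0.0.0.0"]; pos += 2
        else:                                # explicit address + wildcard mask
            addrs += [tok[pos], tok[pos + 1]]; pos += 2
    port = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return (action, proto, *addrs, port)

# Gotcha 2: every list ends with a hidden "deny ip any any".
IMPLICIT_DENY = ("deny", "ip", "0.0.0.0", "255.255.255.255",
                 "0.0.0.0", "255.255.255.255", None)

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins (gotcha 1); pkt has src, dst, proto, dport."""
    for action, proto, src, swc, dst, dwc, port in [*map(parse_entry, acl), IMPLICIT_DENY]:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(src, swc, pkt["src"]) and wildcard_match(dst, dwc, pkt["dst"])):
            continue
        if port is not None and port != pkt["dport"]:
            continue
        return action
    return "deny"   # not reached: IMPLICIT_DENY matches everything

# The extended ACL from the notes (applied "in" on fastEthernet 0/0).
MYACL = [
    "deny tcp host 10.0.0.2 host 10.0.1.2 eq 80",
    "deny tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 23",
    "permit ip any any",
]

if __name__ == "__main__":
    web = {"src": "10.0.0.2", "dst": "10.0.1.2", "proto": "tcp", "dport": 80}
    print(evaluate(MYACL, web))                            # deny (entry 1)
    print(evaluate(MYACL[:2], dict(web, src="10.0.0.3")))  # deny (hidden deny all)
```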

Homework:

  1. Configure the network to deny all access from the ISP to the file server
    • ISP to router, In Rule
  2. Configure only web access to the web server
    • Router 1, Out rule, Allow port 80 to web server and block everything else, permit any any

Quick Review:

  • OSPF is Link State routing protocol
    • Sends updates when something changes, more than just hops (cost metrics)
  • IP Masquerading is related to?
    • NAT
  • Firewalls that can process rules operate at the OSI layer?
    • If URL then Layer 7
  • 2 Primary functions of a Router
    • Routing and Forwarding
  • Requirement considerations for Network Zoning include all of the following except?
    • Virtual or physical hardware
    • Included is
      • Who manages them
      • Regulatory requirements
      • Types of data
  • BGP Peers are?
    • Manually identified neighboring router
  • In what year did Champlain become co-educational?
    • 1884
  • In the Hierarchical Internetworking model - where does most internal routing occur?
    • Distribution
  • An Organization needs a separate AS Number for every public IP range it is assigned?
    • False
  • PAT what is it?
    • Many-to-one IP mapping

Classwork: IPv6

Week 13: 11/21/2022

Classwork: Server Load Balancing

Week 14: 11/28/2022

Load Balancing

  • Distribution of workload across multiple computing resources
  • Can load-balance many resources including
    • Network links
    • Computers/servers
    • CPUs
    • Disk drives

Why Load-Balancing

  • Geographic
  • Allows you to better allocate resources for economic purposes
  • Redundancy
  • Security
    • Resource isolation and protections
    • Supports “Zoning” efforts
  • Elasticity
    • Grow services based on demand
  • Performance
    • Maximize throughput
    • Improve performance
  • Availability
    • Minimize overload of single resource
    • Increase availability through redundancy
  • Efficiency
    • Optimize resource use

Network vs Server
Network

  • Balance traffic across network links

Server

  • Providing a single service using multiple servers on the backend

Layer 3 - SLB

  • Layer 3 SLB only uses the IP addresses of different servers
  • DNS Round Robin is an example of Layer 3 SLB
    • Multiple A Records for same hostname
    • Queries yield different answers so different servers are contacted

Layer 4 - SLB

  • TCP and UDP ports
  • Layer 4 SLB usually uses dedicated load-balancer systems
  • Load balancers host “Virtual IPs” (aka Front-ends) with the IP and port that end users use to access a server
  • The Load-balancer then brokers the connection with a server in the “backend” or “pool”

Layer 7 LB

  • Layer 7 LBs do Full-Packet Inspection
  • Why?
    • Make decisions based on URLs and/or
    • Headers
    • Content and other tags/metadata

Layer 7 SLB

  • Sacrificial Lambs (Grey listing)
    • Where you send the bad traffic
    • If something looks funky just send it to sacrificial lambs
  • Integrating with IDS and firewalls
  • TLS termination
    • Goes from a public https request to an http request internally

SLB and Security

  • End users don’t connect directly to server - but have to pass through the load balancer
  • Cloudflare
    • Has so much bandwidth they can’t get taken down by a botnet
      • The attacker can’t “fill up the pipe”
  • SSL/TLS Offload
    • SSL/TLS can be processor intensive
    • Allows servers to focus on primary functions

SLB Service Monitoring

  • Ping
  • SNMP
  • Nagios
  • Grafana
  • Particular protocol response
  • Presence of a certain resource

Issues
Access Logging

  • Does a backend server know the IP address of the client/source?
    • No…

Session Persistence

  • Directing a client’s requests to the same backend server for the duration of a “session”
  • Types
    • SSL
    • Cookie
    • Simple persistence based on IP addresses

SLB Software and Devices

  • F5 and NetScaler
    • Make hardware appliances used in many Data Centers
    • Also have “virtual appliances” which perform the same function as the hardware appliance but run on an organization’s hypervisor.
  • NGINX and HAProxy are open-source software LB’s
    • Also very popular and used by many of the most active Internet Sites
    • Software-based - they run on high performance server-hardware

Notes:

  • A major issue is that when looking at requests on the backend servers, the source will be written as the load balancer’s address, losing the real client source
  • Virtual Servers = Virtual IP that is just a listening port/socket that is just a reverse proxy
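Worked example (added here; not from the notes and not code from F5, NetScaler, NGINX or HAProxy): a model of a Layer 4 server load balancer that ties together the pieces above, a virtual IP in front of a pool, service monitoring that pulls failed members out of rotation, session persistence by client IP, and an X-Forwarded-For header so the backend access log keeps the real client address instead of the balancer’s. The VIP, pool addresses and client addresses are constructed.

```python
import itertools
from dataclasses import dataclass

# Added example: a toy Layer 4 SLB. Assumed pieces: one VIP (front-end), a pool,
# a health monitor, source-IP persistence and an X-Forwarded-For header.

@dataclass
class Backend:
    addr: str
    healthy: bool = True
    served: int = 0

class LoadBalancer:
    def __init__(self, vip: str, pool: list):
        self.vip = vip                              # what end users connect to
        self.pool = [Backend(a) for a in pool]
        self.persist = {}                           # client IP -> backend addr
        self._rr = itertools.cycle(range(len(self.pool)))

    def monitor(self, probe) -> list:
        """Service monitoring: probe(addr) -> bool (ping, HTTP check, ...).
        Returns the members marked down and removed from rotation."""
        for b in self.pool:
            b.healthy = probe(b.addr)
        return [b.addr for b in self.pool if not b.healthy]

    def pick(self, client_ip: str) -> Backend:
        up = [b for b in self.pool if b.healthy]
        if not up:
            raise RuntimeError(f"no healthy members behind {self.vip}")
        prev = self.persist.get(client_ip)          # session persistence by IP
        for b in up:
            if b.addr == prev:
                return b
        while True:                                 # round-robin over healthy members
            b = self.pool[next(self._rr)]
            if b.healthy:
                self.persist[client_ip] = b.addr
                return b

    def proxy(self, client_ip: str, request: dict) -> tuple:
        """Broker the connection: (backend addr, request as the backend sees it).
        Without X-Forwarded-For the backend would log only the balancer's address."""
        b = self.pick(client_ip)
        fwd = dict(request, headers=dict(request.get("headers", {})))
        fwd["headers"]["X-Forwarded-For"] = client_ip
        b.served += 1
        return b.addr, fwd
```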

Classwork: Quiz Review

Week 15: 12/5/2022

  • An Authentication Header (AH) provides all of the following except (phased out because it doesn’t provide encryption)
    • Confidentiality *
    • Authentication
    • Integrity
    • Non-repudiation
  • IPSEC Transport mode encrypts only the payload of a packet (Tunnel mode will encrypt everything)
    • True
  • The negotiation protocol that lets two hosts agree on how to build an SA (Security Association)
    • ISAKMP
  • How many bits in an IP address
    • 128
  • How many bits for the network prefix
    • 48
      • Prefix + Subnet is 64 and that is the Network ID
      • 64 for the host ID
  • IPv6 header has more fields than the IPv4 header
    • False
  • SLAAC is when you take the MAC address and use it as the host address and add FFFE to the middle
  • All of these are reasons to segment a network except
    • Increase hop count between networks
  • Make sure to know ACL rules and tricks
  • Know what can be used as Access Control Methods
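Worked example (added here, not from the notes) of the SLAAC item above: building the EUI-64 host part from a MAC address and joining it to a /64 prefix. It goes one step beyond the note by also inverting the universal/local bit (bit 7 of the first octet), which the standard derivation does; the MAC and prefix values are constructed.

```python
import ipaddress

# Added example: SLAAC EUI-64 interface identifier from a 48-bit MAC address.
# Steps: split the MAC in half, insert FFFE in the middle, invert the U/L bit.

def eui64_interface_id(mac: str) -> str:
    """Return the 64-bit interface ID (host part) as four hex groups."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])   # FFFE in the middle
    iid[0] ^= 0x02                                            # flip universal/local bit
    return ":".join(f"{iid[i] << 8 | iid[i + 1]:x}" for i in range(0, 8, 2))

def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 network ID (prefix + subnet) with the EUI-64 host ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 network ID")
    host = int(ipaddress.IPv6Address("::" + eui64_interface_id(mac)))
    return str(ipaddress.IPv6Address(int(net.network_address) | host))

if __name__ == "__main__":
    print(slaac_address("2001:db8:1:2::/64", "00:1b:44:11:3a:b7"))
```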