Routers, Switches & Firewalls (includes port blocking)
From MODwiki
Overview
The content that moves across the Internet, through enterprise and institutional networks, around small offices, and into individual desktop or laptop computers is, at bottom, data being shuttled from a source to a destination.
There are numerous levels of traffic cops throughout these systems that determine the pathways along which the data is delivered. Some of these traffic cops are designed to handle the heavy lifting required and managed at the Internet level, evaluating IP addresses and expediting data delivery to designated IP addresses (routers). Hierarchically below them are other devices that direct content by establishing connections between specific segments managed at a local area network level, evaluating specific hardware Media Access Control addresses (MAC), and expediting data delivery to those devices (switches).
The actual configuration of computers on a network is variable; sometimes portions of the network may shuttle data to a shared-bandwidth junction (hub) whose purpose is to pass along data to and from individual devices and computers on the network (nodes), with no regard for filtering or routing, since that function was handled at a higher level.
What is truly amazing about the transport of data through all of these channels, is that content is never sent as a single stream or monstrous, network-clogging package of data. A file is parsed up into smaller chunks or individual packets, along with organizing information about how the puzzle of packets fit together on final delivery. In order to maximize efficiency and delivery speed at all levels of the Internet and networks, the traffic cops of the system (routers and switches) determine and dispatch individual packets on individual pathways, opportunistically chosen to deliver data quickly to its destination. Millions of information packages are routed every second.
If this flood of data were funneled through unmanaged channels, and everyone in the community behaved ethically, all would be well. But nefarious forces attempt to disrupt the free flow of information by impeding its efficient delivery, by attaching viruses and data-killing programs to unassuming content, or by hacking their way into stores of private data at corporate, institutional, and personal levels, either corrupting that data or stealing it for purposes outside the law. Specifically, the abuse of unprotected computers includes remote login, application backdoors, spam (SMTP session hijacking), bugs in operating systems, denials of service, e-mail bombs, intrusive macros, viruses, and forced source routing of data packets (data wolves in sheep's clothing).
Barriers are thus introduced into the data flow to keep these destructive forces at bay, acting as a border protection device. These are commonly known as firewalls, and are a form of security designed to control traffic between networks that have differing zones of trust. The Internet could be considered a free-for-all zone with no or limited trust (unless security measures and encrypted data are implemented). An internal network within a corporation, enterprise, or institution is likely an area where data is shared with a high degree of trust. The goal of firewalls is to deploy interfaces between zones of differing trust levels, checking for and controlling dark forces according to policies and procedures set in place within an organization or even at the personal/home level. Firewalls can be either hardware-based or software-based.
Various methods are in use by firewalls to control or stop the flow of data.
- Packet Filtering: Filters are installed to test and detect for certain conditions, even words, that are present in the data packets. Data is either blocked or passed depending on the results of the filtration.
- Proxy Service: Like a nanny protecting what her charges are exposed to, a proxy server stands outside the trusted network, retrieving Internet data, evaluating it, and forwarding safe content to a requesting system.
- Stateful Inspection: Rather than asking the firewall to examine the actual contents of data packets, a comparison can be made between key parts of data and a database of characteristics that are considered trustworthy. For example, if a request for content is made from within the firewall, and the content being supplied back to the original requester matches key criteria, then the data is passed along.
Firewalls are configurable, according to the security policies or preferences in place. Customization is based on detecting for certain information, conditions, or repeating offenses. The following can be scrutinized...
- IP Address Blocking: If an IP address falls outside a specified pre-approved range, or if an IP address is detected making repeated requests for files from within the firewall, that address can be blocked.
- Protocol Blocking: The different services that a server offers use different protocols for data sharing. The protocols define the way information is organized, packaged, and interpreted between systems and services. Examples of common protocols are...
- IP (Internet Protocol) - the Internet's delivery method
- TCP (Transmission Control Protocol) - parsing and recombining data packets
- HTTP (Hyper Text Transfer Protocol) - web page display and presentation rules
- FTP (File Transfer Protocol) - uploading and downloading files
- UDP (User Datagram Protocol) - requires no response and is often used for streaming audio and video
- ICMP (Internet Control Message Protocol) - router to router communications
- SMTP (Simple Mail Transfer Protocol) - e-mail text
- SNMP (Simple Network Management Protocol) - remote collection of system data
- Telnet - remote command control of computers
- Port Blocking: The services provided by a server send and receive their data through specific, numbered ports. Clients connect to a particular service by locating an individual IP address with a functioning service port. Ports can be disabled or protected. Common port assignments are...
- 7 = echo
- 13 = daytime
- 17 = qotd (Quote of the Day)
- 21 = ftp
- 23 = telnet
- 25 = smtp (Simple Mail Transfer, meaning e-mail)
- 37 = time
- 43 = nicname (Who Is)
- 53 = nameserver
- 70 = gopher
- 79 = finger
- 80 = web/HTTP
How does the channeling of data through routers and switches impact the delivery of Media On Demand? It becomes clear that if a certain type of media uses a specific protocol or accesses specific server ports, and those protocols are monitored or disabled by a firewall configuration, the requested media is undeliverable. One of the most blocked media forms at all levels of network configuration is streaming audio and video, which typically uses UDP (User Datagram Protocol).
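The three filtering methods above (packet filtering, stateful inspection) and the three blocking criteria (IP address, protocol, port) can be seen working together in a small simulation. The following is an added example written for this page, not code from the wiki or from any real firewall product: a toy packet filter that denies everything by default, allows a short list of outbound and inbound ports, tracks the sessions that inside hosts open so that their replies are passed (stateful inspection), drops a blocked protocol, and turns an address that makes repeated unsolicited requests into a blocked address. All IP addresses, port numbers and the `Packet`/`Firewall` names are constructed for the demonstration; the last scenario shows why a UDP media stream is dropped under a default-deny policy and what has to change for it to be delivered.

```python
"""Toy firewall simulation (constructed example): default-deny packet filter
with IP, protocol and port blocking, a stateful session table, and
repeat-offender blocking. Not a real firewall; for illustration only."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int       # 0 for protocols without ports (icmp)
    src_port: int = 0
    inbound: bool = True  # True: arrives from the untrusted (Internet) side


class Firewall:
    def __init__(self, allowed_outbound_ports, allowed_inbound_ports=(),
                 blocked_protocols=(), blocked_ips=(), repeat_limit=5):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.blocked_protocols = set(blocked_protocols)
        self.blocked_ips = set(blocked_ips)
        self.repeat_limit = repeat_limit
        # Stateful table: (inside ip, inside port, outside ip, outside port, proto)
        self.sessions = set()
        # Unsolicited inbound requests seen per outside address
        self.inbound_requests = Counter()
        self.log = []

    def _decide(self, pkt, verdict, reason):
        self.log.append(f"{verdict.upper():5} {pkt.proto}/{pkt.src_ip}:{pkt.src_port}"
                        f"->{pkt.dst_ip}:{pkt.dst_port} ({reason})")
        return verdict == "pass"

    def filter(self, pkt):
        """Return True if the packet is passed, False if dropped."""
        outside = pkt.src_ip if pkt.inbound else pkt.dst_ip
        # 1. IP address blocking
        if outside in self.blocked_ips:
            return self._decide(pkt, "drop", "blocked ip")
        # 2. Protocol blocking
        if pkt.proto in self.blocked_protocols:
            return self._decide(pkt, "drop", "blocked protocol")
        # 3. Port blocking on requests leaving the trusted network
        if not pkt.inbound:
            if pkt.dst_port in self.allowed_outbound_ports:
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
                return self._decide(pkt, "pass", "allowed outbound port")
            return self._decide(pkt, "drop", "outbound port not allowed")
        # 4. Stateful inspection: a reply to a session an inside host opened
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto) in self.sessions:
            return self._decide(pkt, "pass", "reply to established session")
        # 5. Unsolicited inbound request: count repeats, then check the port
        self.inbound_requests[pkt.src_ip] += 1
        if self.inbound_requests[pkt.src_ip] > self.repeat_limit:
            self.blocked_ips.add(pkt.src_ip)
            return self._decide(pkt, "drop", "repeated requests, address now blocked")
        if pkt.dst_port in self.allowed_inbound_ports:
            return self._decide(pkt, "pass", "allowed inbound port")
        return self._decide(pkt, "drop", "default deny")


def run_demo():
    """Run constructed scenarios and return each verdict by name."""
    fw = Firewall(allowed_outbound_ports={80, 25}, allowed_inbound_ports={25},
                  blocked_protocols={"icmp"}, blocked_ips={"203.0.113.9"}, repeat_limit=3)
    r = {}
    # Inside host browses a web server; the reply is passed because of the session table
    r["web_out"] = fw.filter(Packet("10.0.0.5", "198.51.100.10", "tcp", 80, 40001, inbound=False))
    r["web_reply"] = fw.filter(Packet("198.51.100.10", "10.0.0.5", "tcp", 40001, 80))
    # Unsolicited inbound telnet (port 23) hits default deny; inbound e-mail (25) is allowed
    r["telnet_in"] = fw.filter(Packet("198.51.100.20", "10.0.0.5", "tcp", 23, 5555))
    r["smtp_in"] = fw.filter(Packet("198.51.100.20", "10.0.0.2", "tcp", 25, 5556))
    # Blocked protocol and blocked address
    r["icmp"] = fw.filter(Packet("198.51.100.30", "10.0.0.5", "icmp", 0))
    r["bad_ip"] = fw.filter(Packet("203.0.113.9", "10.0.0.2", "tcp", 25, 1111))
    # Repeated unsolicited requests: the fourth exceeds repeat_limit=3 and blocks the address
    for i in range(4):
        r[f"repeat_{i}"] = fw.filter(Packet("203.0.113.50", "10.0.0.2", "tcp", 25, 2000 + i))
    r["repeat_blocked"] = "203.0.113.50" in fw.blocked_ips
    # A UDP media stream requested from inside on (constructed) port 5004 is dropped
    # under this policy, because the port is not on the allowed outbound list
    r["udp_stream"] = fw.filter(Packet("10.0.0.5", "198.51.100.30", "udp", 5004, 6000, inbound=False))
    # The same stream is delivered once the port is allowed: the request opens a
    # session and the server's UDP reply matches it
    fw2 = Firewall(allowed_outbound_ports={80, 5004})
    r["udp_out_allowed"] = fw2.filter(Packet("10.0.0.5", "198.51.100.30", "udp", 5004, 6000, inbound=False))
    r["udp_reply_allowed"] = fw2.filter(Packet("198.51.100.30", "10.0.0.5", "udp", 6000, 5004))
    return r


if __name__ == "__main__":
    for name, passed in run_demo().items():
        print(f"{name:18} {'pass' if passed else 'drop'}")
```

The decision order matters: address and protocol blocks are checked before any port rule, the session table is consulted before the default-deny branch, and the repeat counter only counts unsolicited inbound requests, so replies to sessions opened from inside never push an address toward the block list. The final scenario is the point made in the paragraph above: under "block everything, then allow what you need", a media stream on a port or protocol nobody has allowed is simply undeliverable until the policy names it.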
Guidelines
To what extent does an organization engage firewalls and configure filters on routers and switches? A perspective is offered in a series of articles by Jeff Tyson on "How Firewalls Work" ...
- The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses that have an experienced network administrator that understands what the needs are and knows exactly what traffic to allow through.
Obviously, from a policies and procedures point of view, the University of Utah will need to evaluate the types of media it anticipates sharing and delivering, what their protocols and ports are, and how a consistent set of guidelines and configuration specifications can be established across departments, colleges, administrative offices, servers, switches, and routers throughout the campus infrastructure. These will be considered by the Office of Information Technology, likely adhering to its own strategy of building central coordination of initiatives with distributed local control of day-to-day operations.
Resources
- How Web Servers Work
- http://www.howstuffworks.com/web-server.htm
- How Routers Work
- http://www.howstuffworks.com/router.htm
- Wikipedia article on "Routers"
- http://en.wikipedia.org/wiki/Router
- How LAN Switches Work
- http://computer.howstuffworks.com/lan-switch7.htm
- Wikipedia article on "Network switch"
- http://en.wikipedia.org/wiki/Lan_switch
- Wikipedia article on "Firewall (networking)"
- http://en.wikipedia.org/wiki/Firewall_(networking)
- How Firewalls Work
- http://computer.howstuffworks.com/firewall.htm
- Firewalls FAQ by Matt Curtin and Marcus J. Ranum
- http://www.faqs.org/faqs/firewalls-faq/
- Wikipedia article on "Internet Protocol"
- http://en.wikipedia.org/wiki/Internet_Protocol
- Wikipedia article on "TCP and UDP port"
- http://en.wikipedia.org/wiki/TCP_and_UDP_port
- Wikipedia article on "List of TCP and UDP port numbers"
- http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
- Wikipedia article on "Data Packets"
- http://en.wikipedia.org/wiki/Data_packets