Network Architecture Fundamentals
Niranjana S. Karandikar
Posted on 19-Jul-2016, 37 pages

Description: Network Architecture basics

TRANSCRIPT

Page 1: Network Architecture

Network Architecture Fundamentals

Niranjana.S.Karandikar

Page 2: Network Architecture

Networking Devices

• Hub
• Switch
• Router
• Gateway
• Modem
• Firewall
• IPS
• IDS
• DHCP
• DNS
• UTM
• Server

Page 3: Network Architecture
Page 4: Network Architecture

HUB

• Depending upon the topology, the placement of the hub varies
• Asks every node its identity and forwards the frame

Page 5: Network Architecture

Switch

Smarter than the hub

Page 6: Network Architecture

Smarter: WHY???

• Contains an ARP table
• The ARP table contains:
  • Ports (switch ports, not system ports)
  • IP
  • MAC
• Load balancing capability
• In case of DoS, acts like a HUB

Page 7: Network Architecture

Router

Page 8: Network Architecture

Router

• Forwards data packets BETWEEN networks
• Contains routing configuration tables:
  • Information on which connections lead to particular groups of addresses
  • Priorities for connections to be used
  • Rules for handling both routine and special cases of traffic

Page 9: Network Architecture

Jobs

• Ensures that information doesn't go where it's not needed

• Ensures that information does make it to the intended destination
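The two router slides above describe a routing table (which connections lead to which groups of addresses, with priorities) and the router's two jobs (deliver to the intended destination, keep traffic out of where it is not needed). The following is an added example, not code from the slides: a small Python model of a routing table using a constructed set of prefixes, next hops and metrics. It applies longest-prefix match, breaks ties on metric, treats a "blackhole" entry as a discard rule, and shows that traffic between two hosts on the same connected network never crosses the router at all.

```python
import ipaddress

# Constructed routing table for illustration (not from the slides):
# (destination prefix, next hop or action, metric). Lower metric is preferred.
ROUTES = [
    ("0.0.0.0/0",      "eth0 via 203.0.113.1", 100),  # default route to the Internet
    ("10.0.0.0/8",     "eth1 via 10.0.0.1",    10),
    ("10.20.0.0/16",   "eth2 via 10.20.0.1",   10),
    ("10.20.30.0/24",  "eth3 via 10.20.30.1",  10),
    ("10.20.30.0/24",  "eth4 via 10.20.30.2",  20),   # backup path, worse metric
    ("10.20.40.0/24",  "blackhole",            0),    # traffic that must not be forwarded
    ("192.168.1.0/24", "eth5 connected",       0),    # directly connected LAN
]


def build_table(routes):
    """Parse the textual prefixes once so that lookups are cheap."""
    return [(ipaddress.ip_network(prefix), next_hop, metric)
            for prefix, next_hop, metric in routes]


def lookup(table, destination):
    """Return the next hop for a destination address.

    Selection order mirrors what a real router does:
    1. only routes whose prefix contains the destination are candidates,
    2. the longest (most specific) prefix wins,
    3. among equal-length prefixes, the lowest metric wins.
    """
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None  # no route at all: the packet is dropped
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def forward(table, src, dst):
    """Decide what happens to a packet from src to dst.

    A router forwards BETWEEN networks: if source and destination sit in the
    same directly connected network, the packet never reaches the router.
    """
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net, next_hop, _ in table:
        if next_hop.endswith("connected") and src_a in net and dst_a in net:
            return "local delivery, not routed"
    hop = lookup(table, dst)
    if hop is None:
        return "dropped: no route"
    if hop == "blackhole":
        return "dropped: blackhole route"
    return "forwarded to " + hop


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ["10.20.30.7", "10.20.99.1", "10.9.9.9", "10.20.40.3", "8.8.8.8", "192.168.1.20"]:
        print(dst, "->", forward(table, "192.168.1.10", dst))
```

The 10.20.30.0/24 destination shows the priority rule (two equal-length prefixes, the lower metric wins) and the 10.20.40.0/24 blackhole entry shows the "doesn't go where it's not needed" job: the most specific route is a discard, so the less specific 10.0.0.0/8 route is never consulted for it.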

Page 10: Network Architecture

Switch,Hub,Router???

Intelligence is the key difference!!!

Page 11: Network Architecture
Page 12: Network Architecture

Segments, Packets, Frames

• Each layer has its own header, as you can see:
  • Segment: Transport layer (TCP/UDP) = transport header + data (from the upper layer)
  • Packet: Internet layer (IP) = network header + transport header and data (both the transport header and the data from the upper layers)
  • Frame: Network layer (Ethernet) = frame header + network header, transport header and data (from the three upper layers)
• So, answering your question, the difference between segment, packet and frame is basically what the respective layer considers as "data". On a segment, data comes from the application layer; on a packet, data comes from the transport layer (transport header + data); and on a frame, the data comes from the internet layer (transport and internet headers + data from the application layer).

Page 13: Network Architecture

To be precise…

• Segment = original data + Transport Layer header.
• Packet = Segment + Network Layer header.
• Frame = Packet + Data Link Layer header.
• So basically that means that if we put the headers aside, Segments = Packets = Frames.
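The two slides above define segment, packet and frame as the same data wrapped in successive headers. As an added example (not code from the slides), the following Python builds that nesting byte for byte with the standard library only: a 20-byte TCP header in front of a constructed application payload gives the segment, a 20-byte IPv4 header (with a real header checksum) in front of the segment gives the packet, and a 14-byte Ethernet II header in front of the packet gives the frame. `decapsulate` then peels the headers off again and shows that each layer's "data" is exactly the layer above it, and that the original bytes come back unchanged. The addresses, ports and payload are all constructed; the TCP checksum is left at zero to keep the example short.

```python
import ipaddress
import struct

# Constructed application-layer data for the example (not from the slides).
APP_DATA = b"GET / HTTP/1.0\r\n\r\n"

SRC_MAC = bytes.fromhex("020000000001")   # locally administered, made-up addresses
DST_MAC = bytes.fromhex("020000000002")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as required by the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(data: bytes, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Transport layer: a 20-byte TCP header (no options) in front of the data."""
    seq, ack = 1, 0
    offset_flags = (5 << 12) | 0x18           # data offset 5 words, PSH|ACK set
    window, checksum, urgent = 65535, 0, 0    # TCP checksum left at 0 for brevity
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, window, checksum, urgent)
    return header + data


def build_packet(segment: bytes, src_ip: str = "10.0.0.2", dst_ip: str = "10.0.0.1") -> bytes:
    """Internet layer: a 20-byte IPv4 header in front of the whole segment."""
    total_length = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length,           # version 4, IHL 5, DSCP 0
                         0x1234, 0x4000,                  # identification, DF flag
                         64, 6, 0,                        # TTL, protocol 6 = TCP, checksum placeholder
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + segment


def build_frame(packet: bytes, src_mac: bytes = SRC_MAC, dst_mac: bytes = DST_MAC) -> bytes:
    """Data link layer: a 14-byte Ethernet II header in front of the whole packet."""
    header = struct.pack("!6s6sH", dst_mac, src_mac, 0x0800)   # EtherType 0x0800 = IPv4
    return header + packet


def decapsulate(frame: bytes) -> dict:
    """Peel the headers off again, one layer at a time, and report what each layer saw."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]                                   # the frame's "data" is the packet
    ihl = (packet[0] & 0x0F) * 4
    protocol = packet[9]
    header_ok = ipv4_checksum(packet[:ihl]) == 0          # a valid IPv4 header sums to zero
    segment = packet[ihl:]                                # the packet's "data" is the segment
    data_offset = (segment[12] >> 4) * 4
    data = segment[data_offset:]                          # the segment's "data" is the app data
    return {
        "ethertype": ethertype, "ip_protocol": protocol, "ip_header_ok": header_ok,
        "frame_len": len(frame), "packet_len": len(packet),
        "segment_len": len(segment), "data": data,
    }


def roundtrip(data: bytes = APP_DATA) -> dict:
    """Encapsulate, then decapsulate; the original data comes back unchanged."""
    return decapsulate(build_frame(build_packet(build_segment(data))))


if __name__ == "__main__":
    for key, value in roundtrip().items():
        print(key, "=", value)
```

With the 18-byte constructed payload the segment is 38 bytes, the packet 58 and the frame 72: each step adds only its header, which is the slide's "headers aside, Segments = Packets = Frames".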

Page 14: Network Architecture

Gateway

• A gateway is the same as a router, except that it also translates between one network system or protocol and another.

• NAT, for example, uses a NAT gateway to connect a private network to the Internet.

Page 15: Network Architecture

Modem

• Modulator
• Demodulator

Page 16: Network Architecture

Firewall

Page 17: Network Architecture

Types

• Packet filtering
• Application level (proxy servers)
• Circuit level gateways
• Stateful multilayer inspection (dynamic)

Page 18: Network Architecture

Working Principle

• ACL: Access Control Lists
• Black listing: Allow ALL, Deny LISTED
• White listing: Deny ALL, Allow LISTED
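The slide states the two ACL principles in one line each. As an added example (not code from the slides), the Python below evaluates a packet against a first-match-wins rule list and a default policy, then runs the same constructed traffic through a black-listing ACL (default allow, listed sources denied) and a white-listing ACL (default deny, listed destinations allowed). The rule format, addresses and ports are constructed for the example; the addresses come from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A packet is reduced to what the ACL needs: (source IP, destination port, protocol).
Packet = Tuple[str, int, str]


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source prefix in CIDR form
    dst_port: Optional[int]     # None matches any port
    proto: str = "tcp"          # "tcp", "udp" or "any"


def matches(rule: Rule, pkt: Packet) -> bool:
    src, port, proto = pkt
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != port:
        return False
    return rule.proto in ("any", proto)


def evaluate(acl: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; if nothing matches, the default policy decides."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return default


# Black listing: Allow ALL, Deny LISTED.
BLACKLIST_ACL = [Rule("deny", "198.51.100.0/24", None, "any")]
BLACKLIST_DEFAULT = "allow"

# White listing: Deny ALL, Allow LISTED.
WHITELIST_ACL = [
    Rule("allow", "10.0.0.0/8", 443),
    Rule("allow", "10.0.0.0/8", 22),
]
WHITELIST_DEFAULT = "deny"


def blacklist(pkt: Packet) -> str:
    return evaluate(BLACKLIST_ACL, BLACKLIST_DEFAULT, pkt)


def whitelist(pkt: Packet) -> str:
    return evaluate(WHITELIST_ACL, WHITELIST_DEFAULT, pkt)


# Constructed traffic samples.
SAMPLE_TRAFFIC = [
    ("198.51.100.7", 80, "tcp"),     # listed source
    ("203.0.113.9", 3389, "tcp"),    # unlisted source to an unlisted port
    ("10.1.2.3", 443, "tcp"),        # internal host to a listed port
    ("10.1.2.3", 3389, "tcp"),       # internal host to an unlisted port
]

if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        print(pkt, "blacklist:", blacklist(pkt), "whitelist:", whitelist(pkt))
```

The unlisted RDP case (port 3389) is where the two principles part ways: the black list lets it through because nothing forbids it, the white list blocks it because nothing permits it. That is why white listing is the safer default for anything that is not explicitly needed.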

Page 19: Network Architecture

IDS

• Intrusion “Detection” System
• PASSIVE
• Monitors
• Identifies malicious or suspicious activity
• Generates logs (useful for auditing and implementation)
• ALERTS

Page 20: Network Architecture

IDS-Architecture

Page 21: Network Architecture

Types

• NIDS
• HIDS
• Signature based
• Heuristic or Anomaly based

Page 22: Network Architecture

Signature based

• Pattern matching: Black listing
• Allows all except the listed ones in the DB
• New or modified attacks!!!

Page 23: Network Architecture

Heuristic based

• Looks for behavior that is distinct from the formed baseline of the process

• Acceptable events are predefined
• Activity classified as:
  i. Good/benign
  ii. Suspicious
  iii. Unknown
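The heuristic slide lists three ingredients: a baseline formed from observed behaviour, a predefined set of acceptable events, and a three-way verdict (benign, suspicious, unknown). As an added example (not code from the slides), the Python below forms a per-process baseline from a few days of constructed host log lines and then classifies one day's activity against it. The log format, the process names and the `ratio` threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed log format: "<timestamp> <host> proc=<name> event=<what>".
LOG_RE = re.compile(r"proc=(\S+)\s+event=(\S+)")

# Events predefined as acceptable, whatever their frequency.
ACCEPTABLE_EVENTS = {"proc_start", "proc_exit", "log_rotate"}


def parse(line):
    m = LOG_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def form_baseline(log_lines, days):
    """Average daily count of each (process, event) pair over the learning period."""
    counts = defaultdict(Counter)
    for line in log_lines:
        rec = parse(line)
        if rec:
            counts[rec[0]][rec[1]] += 1
    return {proc: {ev: n / days for ev, n in evs.items()} for proc, evs in counts.items()}


def classify_window(baseline, log_lines, ratio=5.0):
    """Classify one day's activity against the baseline.

    benign     - predefined acceptable event, or a known event at a normal rate
    suspicious - known process doing something new, or a known event far above its usual rate
    unknown    - a process that never appeared while the baseline was formed
    """
    seen = Counter(rec for rec in map(parse, log_lines) if rec)
    verdicts = {}
    for (proc, event), n in seen.items():
        if event in ACCEPTABLE_EVENTS:
            verdicts[(proc, event)] = "benign"
        elif proc not in baseline:
            verdicts[(proc, event)] = "unknown"
        elif event not in baseline[proc]:
            verdicts[(proc, event)] = "suspicious"
        elif n > ratio * baseline[proc][event]:
            verdicts[(proc, event)] = "suspicious"
        else:
            verdicts[(proc, event)] = "benign"
    return verdicts


def make_lines(proc, event, n, day="2016-07-18"):
    """Build n constructed log lines for one process/event pair."""
    return [f"{day}T10:00:{i % 60:02d} host1 proc={proc} event={event}" for i in range(n)]


# Two days of ordinary activity (constructed).
BASELINE_LOG = (make_lines("sshd", "login", 8)
                + make_lines("backup", "connect:10.0.0.5:22", 2)
                + make_lines("cron", "proc_start", 20))
BASELINE_DAYS = 2

# One day to inspect (constructed).
TODAY = (make_lines("sshd", "login", 3, "2016-07-19")
         + make_lines("backup", "connect:203.0.113.9:22", 1, "2016-07-19")
         + make_lines("updater", "connect:198.51.100.7:8080", 1, "2016-07-19")
         + make_lines("cron", "proc_start", 50, "2016-07-19"))


def run(today=TODAY):
    baseline = form_baseline(BASELINE_LOG, BASELINE_DAYS)
    return classify_window(baseline, today)


if __name__ == "__main__":
    for key, verdict in run().items():
        print(key, "->", verdict)
```

Note what each verdict rests on: the backup process is known but has never connected to that address (suspicious), the updater process was never seen during baseline formation (unknown, to be triaged rather than auto-blocked), and the fifty cron starts are benign only because `proc_start` is on the predefined acceptable list; without that list the rate check would have flagged them.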

Page 24: Network Architecture

IPS

• Intrusion “Prevention” System
• ACTIVE
• Takes actions such as:
  • Sending an alarm to the administrator (as would be seen in an IDS)
  • Dropping the malicious packets
  • Blocking traffic from the source address
  • Resetting the connection

Page 25: Network Architecture

Methods of Detection

• Signature based
• Anomaly based

Page 26: Network Architecture

Signature Based

• As an exploit is discovered, its signature is recorded and stored in a continuously growing dictionary of signatures.

• Signature detection for IPS breaks down into two types:
  • Exploit-facing
  • Vulnerability-facing

Page 27: Network Architecture

Exploit Facing

• Exploit-facing signatures identify individual exploits by triggering on the unique patterns of a particular exploit attempt.

• The IPS can identify specific exploits by finding a match with an exploit-facing signature in the traffic stream.

Page 28: Network Architecture

Vulnerability Facing

• Vulnerability-facing signatures are broader signatures that target the underlying vulnerability in the system that is being targeted.

• These signatures allow networks to be protected from variants of an exploit that may not have been directly observed in the wild, but also raise the risk of false-positives.
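The exploit-facing and vulnerability-facing slides make a trade-off claim: the first kind matches one known sample and misses variants, the second kind catches variants of an exploit never observed but raises the false-positive risk. As an added example (not code from the slides), the Python below writes one rule of each kind for a hypothetical, constructed service whose made-up flaw is a `NAME` request value longer than 64 bytes, and runs four constructed request lines through both. No real product, protocol or CVE is involved; the "exploit sample" is simply a long run of one character.

```python
import re

# Hypothetical service and hypothetical flaw, constructed for this example:
# a request line "NAME <value>" where the (made-up) server cannot handle a
# value longer than 64 bytes. Nothing here corresponds to a real product.
FIELD_LIMIT = 64

# Exploit-facing: matches the byte pattern of one particular sample,
# here a NAME value padded with a long run of "A" characters (constructed).
EXPLOIT_FACING = [
    ("hypothetical-sample-1", re.compile(rb"^NAME A{64,}")),
]


# Vulnerability-facing: matches the condition that triggers the flaw,
# regardless of how a particular sample happens to fill the field.
def name_field_too_long(request: bytes) -> bool:
    if not request.startswith(b"NAME "):
        return False
    return len(request[5:].rstrip(b"\r\n")) > FIELD_LIMIT


VULNERABILITY_FACING = [
    ("hypothetical-flaw-1: NAME value over %d bytes" % FIELD_LIMIT, name_field_too_long),
]


def detect(request: bytes) -> dict:
    """Return, per signature family, the names of the rules that fired."""
    hits = {"exploit-facing": [], "vulnerability-facing": []}
    for name, pattern in EXPLOIT_FACING:
        if pattern.search(request):
            hits["exploit-facing"].append(name)
    for name, check in VULNERABILITY_FACING:
        if check(request):
            hits["vulnerability-facing"].append(name)
    return hits


def fired(request: bytes) -> set:
    """The set of signature families that matched the request."""
    return {family for family, names in detect(request).items() if names}


# Constructed traffic samples.
KNOWN_SAMPLE = b"NAME " + b"A" * 80 + b"\r\n"       # the sample the exploit-facing rule was written from
VARIANT = b"NAME " + b"B" * 80 + b"\r\n"            # same flaw, different filler: a "modified attack"
LEGIT_LONG_NAME = b"NAME " + b"x" * 70 + b"\r\n"    # a clumsy but benign client sending a long name
NORMAL = b"NAME alice\r\n"

if __name__ == "__main__":
    for label, req in [("known sample", KNOWN_SAMPLE), ("variant", VARIANT),
                       ("legitimate long name", LEGIT_LONG_NAME), ("normal", NORMAL)]:
        print(label, "->", sorted(fired(req)) or "no match")
```

The variant is what the signature slide called a "new or modified attack": the exploit-facing rule is blind to it, the vulnerability-facing rule is not. The legitimate long name shows the cost, since the vulnerability-facing rule fires on it as well; in an IPS, where a match means a dropped connection rather than a log line, that false positive is an outage for a real client.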

Page 29: Network Architecture

DHCP

• Dynamic Host Configuration “Protocol” that assigns unique IP addresses to devices, then releases and renews these addresses as devices leave and re-join the network.
• Used in both IPv4 as well as IPv6

Page 30: Network Architecture

DNS

• Domain Name Server
• Table containing IP addresses and domain names
• Total 13 DNS servers globally
• Many sub DNS
• Local DNS

Page 31: Network Architecture
Page 32: Network Architecture

UTM

• Unified Threat Management
• Combo of devices
• Integrated devices
• E.g.: Router + Firewall + IDS + IPS

Page 33: Network Architecture

Server

• Central Repository

Page 34: Network Architecture

VPN

• Virtual Private Network
• Private network in a public network
• Data transmitted through encrypted channels

Page 35: Network Architecture

DMZ

• Demilitarized Zone or Perimeter Network
• Public facing
• Web servers
• Mail servers
• FTP servers
• VoIP servers

Page 36: Network Architecture
Page 37: Network Architecture