Computer network notes-3

Firewall

Two commonly used kinds of firewall are the proxy firewall and the packet-filtering firewall. The
main difference between them is the layer of the protocol stack at which they operate, which in turn determines how they use IP addresses and port numbers.

Proxy firewall

A proxy firewall is a host running one or more application-layer gateways (ALGs). It relays traffic between two separate connections at the application layer: the client's TCP (or UDP) session is terminated on the proxy, which opens its own connection to the destination, so no packet ever travels end to end.

A globally routable IP address is assigned to its external network interface, and a private IP address to its internal network interface.

Two common forms of proxy firewall are the HTTP proxy firewall and the SOCKS proxy firewall.

  • HTTP firewall
    An HTTP proxy firewall looks like a web server to its clients. It provides a web caching function and also acts as a content filter that can stop users from reaching certain web sites based on a blacklist.
  • SOCKS firewall
    A SOCKS proxy firewall is widely used. It is independent of the application protocol: it relays arbitrary TCP connections and UDP datagrams, supports IPv6 addressing, and can require client authentication (SOCKS5).

Packet filtering firewall

  • A packet-filtering firewall is an Internet router configured to forward or discard packets according to criteria applied to the packet headers (source and destination IP address, protocol, port numbers, TCP flags); these criteria are the filters.
  • The access control list (ACL) states the basic policy: which kinds of packets are to be discarded and which forwarded. Rules are checked in order and the first matching rule decides; a packet that matches no rule should be dropped (default deny).
  • A typical filter blocks traffic initiated from the external network toward the internal network while not restricting connections initiated from the internal network outward. A stateless filter must then also admit the return packets of those outbound connections (for example by matching TCP segments with the ACK flag set), whereas a stateful filter records each allowed connection and admits its replies automatically.

DMZ

The DMZ (demilitarized zone) is a special, isolated segment of the network placed between the external network and the internal network. It is a buffer zone that solves the problem of how to offer services to the outside once a firewall has been installed that stops the external network from reaching the internal network.
In general, there are two ways to make a host reachable from the external network:

  • 1. The host is placed on the internal LAN and a port mapping is configured on the router or firewall, opening the external port and forwarding it to the host's port. Once a port has been opened through the firewall this way, an attacker who compromises that host is already inside the internal network, so the firewall no longer protects the LAN.
  • 2. The server is placed in a DMZ: a separate DMZ network is built, and the DMZ rules are configured directly on the router or firewall.

Access rules

  1. The internal network can access the external network.
    Intranet users obviously need to reach the external network freely. Under this policy the firewall has to perform source address translation (SNAT) for the outgoing traffic.
  2. The internal network can access the DMZ.
    This policy lets intranet users use and manage the servers in the DMZ.
  3. The external network cannot access the internal network.
    Obviously, the internal network holds the company's internal data, and users on the external network must not be able to reach it.
  4. The external network can access the DMZ.
    The servers in the DMZ exist to provide services to the outside world, so the external network must be able to reach the DMZ. For this the firewall must translate the public (external) address into the real address of the server (DNAT), and it should open only the ports of the services actually published.
  5. The DMZ cannot access the internal network.
    Obviously, if this policy is violated, an intruder who compromises the DMZ can go on to attack the important data on the intranet.
  6. The DMZ cannot access the external network.
    This policy has exceptions. For example, a mail server placed in the DMZ must reach the external network (outbound SMTP, DNS lookups) or it cannot work; the exception should be limited to that host and those ports.

In networking terms, the demilitarized zone (DMZ) is an isolated network segment that provides services to untrusted systems. Its purpose is to separate the sensitive internal network from the networks that provide access services, preventing direct communication between the internal and external networks and so protecting the intranet.

The difference between DMZ and port mapping

A "DMZ host" on a NAT router and port mapping are essentially different. NAT by itself acts as a crude firewall: an inbound packet that matches no entry in the translation table has no internal destination, so the router cannot forward it and discards it.

  • With the DMZ host function turned off, every external packet that matches no NAT table entry arrives at the router as an unsolicited packet and is discarded.
  • With the DMZ host function turned on, all such unsolicited packets are forwarded to the configured DMZ host instead. That host is then completely exposed on the Internet and must be treated as if it were directly connected to it, which is far more dangerous (the consumer-router "DMZ host" is not the isolated DMZ segment described above, just a catch-all forward). If the configured DMZ host IP does not exist, the function is equivalent to leaving it off, except that the router does extra work forwarding packets to a dead address.

Port mapping maps a single external port to a single port on one internal host: in effect it creates a static entry in the NAT translation table, and any external packet that matches that entry is forwarded to that internal host.
Port mapping therefore exposes only the designated ports; the DMZ host function is equivalent to mapping all ports and exposes the whole host behind the gateway. It is more convenient than port mapping but insecure.

NAT

NAT separates the address space of the internal network from the address space of the Internet, so that all internal systems can reach the Internet while using locally assigned private IP addresses.
NAT works by rewriting the addressing information of packets passing through the router: the source IP address of an outgoing packet is replaced with the address of the Internet-facing interface, and the IP header checksum is recomputed. Because the TCP and UDP checksums also cover the IP addresses (through the pseudo-header), those must be recomputed as well.

NAT is divided into basic NAT and NAPT

  • Basic NAT rewrites only the IP address, taking one public address per internal host from an address pool. Two internal hosts that happen to use the same source port therefore need two different public addresses.
  • NAPT (Network Address Port Translation) also rewrites the port number, so many internal hosts can share one public address and their traffic is told apart by port.

How a host behind NAT initiates a TCP connection

  1. An internal host (10.0.0.126) opens a TCP connection to a web server (IPv4 address 212.110.167.157). The packet carries source IP:port 10.0.0.126:9200 and destination IP:port 212.110.167.157:80.
  2. The NAT router, being the host's default router, receives this packet. The SYN flag is set in the TCP header, so this is a new connection. The router rewrites the source IP to the address of its external interface (source IP:port 63.204.134.177:9200, destination IP:port 212.110.167.157:80) and forwards the packet. In this example the source port 9200 is kept because it is not yet in use on the external side; if another internal host were already mapped to port 9200, NAPT would pick a different external port.
  3. The NAT router also creates internal state for the new connection, the NAT session. This state includes at least the client's internal IP address and source port together with the external port they were mapped to, and is called the NAT mapping.
  4. The server replies to the NAT's external address and the mapped port, which the router keeps reserved for this session. When the reply arrives, the router looks up the mapping, determines the internal host, rewrites the destination back to 10.0.0.126:9200 and forwards the packet inward.
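The four-step NAPT exchange above, together with the static port mapping and DMZ host behaviour described in the previous section, as an added Python example (not code from the original notes). The addresses 10.0.0.126, 212.110.167.157 and 63.204.134.177 are the ones in the walkthrough; the second client 10.0.0.77, the static mapping of external port 8080 to 10.0.0.50:80 and the DMZ host 10.0.0.200 are assumptions made for the example. It also shows what the walkthrough leaves implicit: what happens when two internal hosts pick the same source port, and what an inbound packet that matches no session does with and without a DMZ host configured.

```python
"""NAPT session table plus static port mapping and a "DMZ host".

Added example, not code from the original notes. The client, server and
external address follow the walkthrough; the second client, the static
mapping and the DMZ host address are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

EXTERNAL_IP = "63.204.134.177"
Endpoint = Tuple[str, int]      # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN: first packet of a new connection


class Napt:
    def __init__(self, external_ip: str,
                 port_map: Optional[Dict[int, Endpoint]] = None,
                 dmz_host: Optional[str] = None):
        self.external_ip = external_ip
        self.sessions: Dict[int, Endpoint] = {}   # external port -> internal endpoint
        self.by_inner: Dict[Endpoint, int] = {}   # internal endpoint -> external port
        self.port_map = dict(port_map or {})      # static entries (port mapping)
        self.dmz_host = dmz_host                  # catch-all target, or None

    def _free_port(self, wanted: int) -> int:
        """Keep the client's own port if unused (as in the walkthrough), else allocate."""
        if wanted not in self.sessions and wanted not in self.port_map:
            return wanted
        port = 49152                              # first ephemeral port (assumed range)
        while port in self.sessions or port in self.port_map:
            port += 1
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet leaving the internal network; None means dropped."""
        inner = (pkt.src_ip, pkt.src_port)
        if inner not in self.by_inner:
            if not pkt.syn:
                return None                       # mid-stream packet with no session
            ext_port = self._free_port(pkt.src_port)
            self.sessions[ext_port] = inner       # the NAT mapping
            self.by_inner[inner] = ext_port
        # A real router also recomputes the IP and TCP/UDP checksums here.
        return replace(pkt, src_ip=self.external_ip, src_port=self.by_inner[inner])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving on the external interface; None means dropped."""
        if pkt.dst_ip != self.external_ip:
            return None
        target = self.sessions.get(pkt.dst_port) or self.port_map.get(pkt.dst_port)
        if target is None:
            if self.dmz_host is None:
                return None                       # unsolicited and unmapped: discarded
            target = (self.dmz_host, pkt.dst_port)  # DMZ host gets everything else
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


if __name__ == "__main__":
    nat = Napt(EXTERNAL_IP, port_map={8080: ("10.0.0.50", 80)}, dmz_host="10.0.0.200")
    print(nat.outbound(Packet("10.0.0.126", 9200, "212.110.167.157", 80, syn=True)))
    print(nat.outbound(Packet("10.0.0.77", 9200, "212.110.167.157", 80, syn=True)))
    print(nat.inbound(Packet("212.110.167.157", 80, EXTERNAL_IP, 9200)))
    print(nat.inbound(Packet("198.51.100.5", 5555, EXTERNAL_IP, 8080)))
    print(nat.inbound(Packet("198.51.100.5", 5555, EXTERNAL_IP, 22)))
    print(Napt(EXTERNAL_IP).inbound(Packet("198.51.100.5", 5555, EXTERNAL_IP, 22)))
```

The last two lines of the demo are the whole difference between a DMZ host and port mapping: with a DMZ host configured an unsolicited packet to port 22 lands on 10.0.0.200, and without one it is simply dropped.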

Gateway and routing

Gateway

  • The essence of the gateway

A gateway is, in essence, the IP address through which one network reaches other networks. Only once a host has its gateway address configured can TCP/IP deliver its traffic to hosts on different networks.

  • Gateway's IP

The IP address of the gateway is the IP address of a device with routing capability: a router, a server running a routing protocol, or a proxy server.

  • The function of the gateway

In its broader sense a gateway connects subnets that run different protocols above the network layer and lets heterogeneous devices communicate. Its main functions are protocol conversion, data-format conversion and rate conversion, so that the two sides can interoperate.

  • Default gateway

The default gateway is a network-layer concept. An ordinary host does not run routing protocols and keeps only a minimal routing table, so it sends every IP packet destined outside its own subnet to one default forwarding address, the default gateway.

Routing

  • Understanding of routing

Routing is the process of moving data from one place to another; a router is a device that performs this process.
Routers connect network devices on multiple networks or network segments. Their main job is to find the best forwarding path for each packet passing through them and deliver it efficiently to the destination.
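The forwarding decision behind the default gateway and the router's path selection, as an added Python example (not code from the original notes): a routing table with longest-prefix match, where a host's table is just its connected LAN plus a default route pointing at the gateway, and a router's table adds more specific prefixes that override less specific ones. All prefixes, interface names and next-hop addresses are constructed for the example; 10.0.0.126's subnet and the 63.204.134.x address reuse the addresses from the NAT walkthrough.

```python
"""Forwarding decision with longest-prefix match and a default gateway.

Added example, not code from the original notes. Prefixes, interfaces and
next-hop addresses are constructed for the example.
"""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop or None if directly connected, outgoing interface)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: Optional[str], iface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop, iface))
        # Most specific prefix first, so the first match is the longest match.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        for route in self.routes:
            if addr in route[0]:
                return route
        return None                 # no route, not even a default: unreachable

    def next_hop(self, dst: str) -> Optional[Tuple[str, str]]:
        """Where the frame for dst is handed: (IP to deliver to, interface), or None."""
        route = self.lookup(dst)
        if route is None:
            return None
        _, gateway, iface = route
        # Directly connected: deliver to the destination itself.
        # Otherwise hand the packet to the gateway, which routes it onward.
        return (gateway if gateway is not None else dst, iface)


def host_table() -> RoutingTable:
    """A typical PC: one connected LAN plus a default gateway for everything else."""
    t = RoutingTable()
    t.add("10.0.0.0/24", None, "eth0")
    t.add("0.0.0.0/0", "10.0.0.1", "eth0")       # default gateway
    return t


def router_table() -> RoutingTable:
    """The site router: LAN, two internal prefixes via other routers, ISP default."""
    t = RoutingTable()
    t.add("10.0.0.0/24", None, "lan0")
    t.add("10.1.0.0/16", "10.0.0.254", "lan0")   # second site
    t.add("10.1.5.0/24", "10.0.0.253", "lan0")   # more specific: wins over the /16
    t.add("0.0.0.0/0", "63.204.134.1", "wan0")   # ISP
    return t


if __name__ == "__main__":
    for dst in ("10.0.0.77", "212.110.167.157"):
        print("host  ", dst, "->", host_table().next_hop(dst))
    for dst in ("10.1.5.9", "10.1.9.9", "8.8.8.8"):
        print("router", dst, "->", router_table().next_hop(dst))
```

The host never needs to know where 212.110.167.157 is; its only decision is "not on my LAN, so send it to 10.0.0.1", which is exactly what the default gateway setting expresses.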

  • The function of routing

Main functions:
1. Network interconnection. A router supports various LAN and WAN interfaces; it is mainly used to interconnect LANs and WANs and to let different networks communicate.
2. Data processing, including packet filtering, packet forwarding, prioritization, multiplexing, encryption, compression and firewall functions.
3. Network management. A router provides configuration management, performance management, fault-tolerance management and flow control.

The difference

The difference between a gateway and a router lies in whether different networks are being connected.
Different networks in the logical sense means, for example, public and private networks.
Different networks in the physical sense means different network media, such as Ethernet, SDH and ATM.
A gateway is a logical concept; a router is a physical device. A router can serve as a gateway, that is, a router can implement the gateway function.

ICMP

ICMP: Internet Control Message Protocol

  • Used to carry control messages between IP hosts and routers, including packet error reports, network status information and host status information.
  • Works alongside IP packet delivery to improve reliability. ICMP messages are encapsulated in IP datagrams (IP protocol number 1) for transmission.

ICMP messages are divided into error report messages and query messages

  • Error-report messages: destination unreachable, redirect, time exceeded, etc.
  • Query messages usually come in pairs; the echo request/echo reply pair is the most widely used and is what the ping tool sends.

Because the ICMP message is encapsulated in an IP datagram, the host that sent the echo request receiving an echo reply shows that the two hosts can communicate over IP, and also that the receiving, processing and forwarding functions of the source host, the destination host and every router on the path are working.
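The echo request/echo reply exchange that ping relies on, as an added Python example (not code from the original notes): it builds both messages, computes and verifies the RFC 1071 Internet checksum that ICMP shares with IP, TCP and UDP, and pairs a reply with its request by identifier and sequence number the way a ping implementation does. The identifier 0x1234, the sequence numbers and the payload are constructed values; the surrounding IP header is left to the operating system.

```python
"""ICMP echo request/reply messages with Internet-checksum verification.

Added example, not code from the original notes. Identifier, sequence
numbers and payload are constructed; only the ICMP message is built, the IP
datagram that carries it (protocol number 1) is not.
"""
import struct
from typing import Optional, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
HEADER = "!BBHHH"   # type, code, checksum, identifier, sequence (network byte order)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (8) or reply (0); the checksum field is 0 while summing."""
    header = struct.pack(HEADER, msg_type, 0, 0, ident, seq)
    checksum = internet_checksum(header + payload)
    return struct.pack(HEADER, msg_type, 0, checksum, ident, seq) + payload


def parse_echo(msg: bytes) -> Optional[Tuple[int, int, int, bytes]]:
    """Return (type, identifier, sequence, payload), or None if corrupt or not echo.

    Summing the whole message, checksum field included, must give zero.
    """
    if len(msg) < 8 or internet_checksum(msg) != 0:
        return None
    msg_type, code, _, ident, seq = struct.unpack(HEADER, msg[:8])
    if code != 0 or msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return msg_type, ident, seq, msg[8:]


def reply_to(request: bytes) -> Optional[bytes]:
    """What the destination host sends back: type 0 with the same id, seq and payload."""
    parsed = parse_echo(request)
    if parsed is None or parsed[0] != ICMP_ECHO_REQUEST:
        return None
    _, ident, seq, payload = parsed
    return build_echo(ICMP_ECHO_REPLY, ident, seq, payload)


def reply_matches(reply: bytes, ident: int, seq: int) -> bool:
    """How ping pairs a reply with its request: type 0 and the same id and seq."""
    parsed = parse_echo(reply)
    return (parsed is not None and parsed[0] == ICMP_ECHO_REPLY
            and parsed[1] == ident and parsed[2] == seq)


if __name__ == "__main__":
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping-example")
    print("request", request.hex())
    reply = reply_to(request)
    print("reply  ", reply.hex(), "matches:", reply_matches(reply, 0x1234, 1))
    damaged = request[:8] + b"PING-example"            # payload altered in transit
    print("damaged message parses as:", parse_echo(damaged))
```

The checksum is deliberately a separate, reusable function: the same ones'-complement sum is what a NAT router has to recompute after rewriting addresses, and the verification trick (sum of the whole message including its checksum folds to zero) is the same check an IP stack applies before it trusts any ICMP message.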


Origin blog.csdn.net/MinutkiBegut/article/details/113848335