distribution of sessions across ports. A random set of MAC addresses on a network can lead to several dozen sessions passing through one port and only two or three through another. With this algorithm, a balanced port load can be achieved only when there are many computers and many communication sessions between them.

There are other ways to distribute sessions across ports. For example, in accordance with the IP addresses of packets that are encapsulated in link-level frames, the types of application protocols (mail on one port, web traffic on another, etc.). It is useful to assign sessions to a port with MAC addresses that have been learned to go through that port - then the session traffic will go through the same port in both directions.

The standard method for creating aggregated links, described in the 802.3ad specification, allows a logical port to be formed by combining several physical ports that belong to different switches. So that switches can automatically exchange information about whether a physical port belongs to a particular logical port, the specification defines a service protocol, the Link Aggregation Control Protocol (LACP). As a result, aggregated-link configurations become possible that increase the fault tolerance of the network not only on the segment between two switches but also in more complex topologies (Fig. 14.8).

Fig. 14.8. Distributed link aggregation (figure label: aggregated link)

If any link of the trunk fails, all packets of the sessions assigned to that port are forwarded through one of the remaining ports. Typically, restoring connectivity after such a failure takes from a few milliseconds to tens of milliseconds. This is because in many trunk implementations, after a physical link fails, all MAC addresses that were associated with it are forcibly marked as unlearned. The switch then repeats the learning procedure for these addresses, after which the procedure of assigning sessions to ports is performed again; naturally, only working ports are taken into account. Since timeouts in LAN protocol sessions are usually short, the connection recovery time is also short.
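As an added illustration (not code from the textbook or from any switch vendor), the following Python model pins each session, identified by its pair of MAC addresses, to a member port of an aggregated link with a stable hash, orders the pair so that both directions of a session use the same physical port, and re-assigns sessions when a port fails. The class and function names (AggregatedLink, simulate) and the MAC addresses in the documentation range 00:00:5e:00:53:xx are constructed for this example.

```python
import hashlib
from typing import Dict, List, Tuple


class AggregatedLink:
    """Logical port made of several physical ports (constructed model, not a vendor's API)."""

    def __init__(self, ports: List[str]):
        self.ports = list(ports)                      # member ports in a fixed order
        self.up = set(ports)                          # ports that are currently working
        self.sessions: Dict[Tuple[str, str], str] = {}  # session key -> physical port

    @staticmethod
    def session_key(mac_a: str, mac_b: str) -> Tuple[str, str]:
        # Order the pair so that A->B and B->A map to the same port: both
        # directions of a session then use one physical link, as the text suggests.
        a, b = mac_a.lower(), mac_b.lower()
        return (a, b) if a <= b else (b, a)

    def _choose(self, key: Tuple[str, str]) -> str:
        # Stable hash over the working ports only; the same session always lands
        # on the same port as long as the set of working ports does not change.
        live = [p for p in self.ports if p in self.up]
        if not live:
            raise RuntimeError("no working port in the aggregated link")
        digest = hashlib.sha256(f"{key[0]}|{key[1]}".encode()).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)]

    def port_for(self, src: str, dst: str) -> str:
        """Return the member port carrying this session, assigning one on first use."""
        key = self.session_key(src, dst)
        if key not in self.sessions:
            self.sessions[key] = self._choose(key)
        return self.sessions[key]

    def port_down(self, port: str) -> int:
        """Port failure: forget ('unlearn') every session pinned to it. They are
        re-assigned among the remaining working ports on their next frame."""
        self.up.discard(port)
        stale = [k for k, p in self.sessions.items() if p == port]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def load(self) -> Dict[str, int]:
        """Number of sessions currently pinned to each member port."""
        counts = {p: 0 for p in self.ports}
        for p in self.sessions.values():
            counts[p] += 1
        return counts


def synthetic_macs(n: int) -> List[str]:
    # Constructed addresses in the documentation range 00:00:5e:00:53:xx (n <= 256)
    return [f"00:00:5e:00:53:{i:02x}" for i in range(n)]


def simulate(n_sessions: int, ports=("p1", "p2", "p3", "p4")) -> Dict[str, int]:
    """Pin n_sessions distinct MAC pairs (each client to one server) and return the per-port load."""
    lag = AggregatedLink(list(ports))
    macs = synthetic_macs(n_sessions + 1)
    server = macs[n_sessions]
    for i in range(n_sessions):
        lag.port_for(macs[i], server)
    return lag.load()
```

With only a handful of sessions, simulate(6) on four ports typically shows the uneven spread the text describes, while simulate(200) comes out roughly balanced; the re-assignment performed by port_down is the hash-based counterpart of unlearning the MAC addresses bound to the failed port.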

Traffic filtering

A local network allows every node to interact with every other node. This is a very useful property, since no special actions are required to give node A access to node B: it is enough that both nodes are connected to the same local network. At the same time, situations arise in a network when such total availability of nodes is undesirable. An example is a financial department server, access to which should preferably be allowed only from the computers of a few specific employees of that department. Of course, access can be limited at the level of the operating system or the database management system of the server itself, but for reliability it is advisable to have several layers of protection and to limit access at the level of network traffic as well.

Many switch models allow administrators to specify additional frame filtering conditions in addition to the standard frame filtering conditions based on address table information. Such filters are called custom filters.

A custom filter, often also called an access list, creates additional barriers to frames, which makes it possible to limit the access of certain groups of users to particular network resources. A custom filter is a set of conditions that restrict the normal transmission of frames by a switch.

The simplest custom filters are based on station MAC addresses. Since MAC addresses are the information the switch already works with, such filters can be created in a way that is convenient for the administrator, for example by placing the condition in an additional field of the address table, such as an instruction to discard frames with a specific address (see Figure 13.6 in Chapter 13). In this way a user working on a computer with the given MAC address is completely denied access to the resources of another network segment.

Let's consider using a custom filter using the example of the network shown in Fig. 14.9.

Fig. 14.9. Controlling access to the server with a custom filter

Suppose we want to allow access to server S1 only from computers C1 and C3; frames from all other computers must not reach this server. An access list that accomplishes this might look like this:

    10 permit MAC-C1 MAC-S1
    20 permit MAC-C3 MAC-S1
    30 deny any any

The numbers 10, 20 and 30 are the line numbers of the entries in this list. The lines are numbered in steps of 10 so that other entries can be added to the list later while preserving the original order of the lines. The first condition allows (permit) the transmission of a frame if its source address is MAC-C1 and its destination address is MAC-S1; the second condition does the same for a frame with source address MAC-C3; the third condition prohibits (deny) the transmission of frames with any (any) addresses.

For an access list to work, it must be applied to traffic in a certain direction, incoming or outgoing, on some switch port. In our example, the access list must be applied to the outgoing traffic of port 1 of switch SW3, to which server S1 is connected. Before transmitting a frame to port 1, switch SW3 looks through the conditions of the access list in order. If a condition from the list is met, the switch performs the action of that condition on the frame being processed, and the evaluation of the access list for this frame ends.

Therefore, when a frame addressed to server S1 arrives from computer C1, the first condition of the list is met, which allows the transmission of the frame, so the switch performs its standard forwarding action and the frame reaches server S1. The frame from computer C3 matches the second condition, and it is also transmitted. However, when frames arrive from other computers, for example computer C2, neither the first nor the second condition is met, but the third condition is, so the frame is not transmitted but discarded.

Switch access lists do not work with Ethernet broadcast addresses; such frames are always sent to all switch ports. Switch access lists are quite primitive, since they can only operate with data link layer information, that is, MAC addresses. Router access lists are much more flexible and powerful, so they are used much more often in practice.

Sometimes the administrator needs to set finer filtering conditions, for example to prohibit a certain user from printing documents on a Windows print server located in another segment, while leaving the remaining resources of that segment available. To implement such a filter, the switch must be prohibited from transmitting frames that satisfy all of the following conditions: first, they carry a specific MAC address; second, they contain SMB packets in the data field; third, the corresponding field of these packets indicates the print service type. Switches do not analyze higher-level protocols such as SMB, so to set such filtering conditions the administrator must manually define the field whose value is to be checked. As the filtering criterion the administrator specifies an "offset, size" pair relative to the beginning of the data field of the link-layer frame, and then the hexadecimal value that this field must contain.

Complex filtering conditions are usually written as Boolean expressions generated using logical operators AND and OR.
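The following Python model is an added example, not code from the textbook or from any switch vendor, that applies an ordered access list to a frame with first-match semantics. It covers the server access list discussed above, the broadcast exception, and the (offset, size, value) conditions on the data field from the print-server case, with the conditions of one entry combined by AND and alternatives expressed as separate entries (OR). The MAC addresses are constructed placeholders in the documentation range 00:00:5e:00:53:xx standing in for MAC-C1, MAC-C2, MAC-C3 and MAC-S1, and the position of the "print service" marker in the data field is an assumption made for the example, not taken from the SMB specification.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed MAC addresses (documentation range), standing in for the text's names.
MAC_C1 = "00:00:5e:00:53:01"
MAC_C2 = "00:00:5e:00:53:02"
MAC_C3 = "00:00:5e:00:53:03"
MAC_S1 = "00:00:5e:00:53:10"


@dataclass
class Frame:
    src: str
    dst: str
    data: bytes = b""          # link-layer data field


@dataclass
class Entry:
    seq: int                   # line number: 10, 20, 30, ... leaves room for later inserts
    action: str                # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    # Optional (offset, size, value) condition on the data field, the way the text
    # describes filtering on a field the switch does not itself parse.
    data_field: Optional[Tuple[int, int, bytes]] = None

    def matches(self, f: Frame) -> bool:
        # All conditions of one entry are ANDed; alternatives are separate entries.
        if self.src != "any" and self.src.lower() != f.src.lower():
            return False
        if self.dst != "any" and self.dst.lower() != f.dst.lower():
            return False
        if self.data_field is not None:
            offset, size, value = self.data_field
            if f.data[offset:offset + size] != value:
                return False
        return True


class AccessList:
    """Ordered list of conditions applied to one direction of one switch port."""

    def __init__(self, entries: List[Entry], default: str = "permit"):
        self.entries = sorted(entries, key=lambda e: e.seq)
        # Action when no entry matches; assumed here to be normal forwarding,
        # which is why the text's list ends with an explicit "deny any any".
        self.default = default

    def decide(self, f: Frame) -> str:
        if f.dst.lower() == BROADCAST:
            return "permit"    # switch access lists never apply to broadcast frames
        for e in self.entries: # the first matching entry ends the evaluation
            if e.matches(f):
                return e.action
        return self.default


def server_acl() -> AccessList:
    """The list from the text, to be applied to outgoing traffic on the server's port."""
    return AccessList([
        Entry(10, "permit", MAC_C1, MAC_S1),
        Entry(20, "permit", MAC_C3, MAC_S1),
        Entry(30, "deny"),
    ])


def print_block_acl(user_mac: str) -> AccessList:
    """Block one user's print requests only: source MAC AND a marker in the data field.
    The (offset=4, size=1, value=0x01) triple is a constructed placeholder; a real
    administrator reads the field position off the protocol specification."""
    return AccessList([Entry(10, "deny", src=user_mac, data_field=(4, 1, b"\x01"))])
```

Frames from C2 to S1 are dropped by entry 30, while a broadcast from C2 still passes; for the print filter, only frames that satisfy both the source address and the marker condition are denied, and everything else from that user flows normally.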

Virtual LANs

An important property of a local network switch is the ability to control the transfer of frames between network segments. For various reasons (access rights, security policy, etc.), some frames should not be sent to the destination address.

As we found out in the previous section, restrictions of this type can be implemented using custom filters. However, a custom filter can only prevent the switch from transmitting frames to specific addresses; broadcast traffic the switch must still transmit to all network segments, as the switching algorithm requires. For this reason, as already noted, networks built on switches are sometimes called flat, because there are no barriers to broadcast traffic. Virtual local network technology makes it possible to overcome this limitation.

A virtual local network (VLAN) is a group of network nodes whose traffic, including broadcast traffic, is isolated at the link layer from the other nodes of the network. Within a VLAN, frames are delivered according to the usual switching technology, that is, only to the port that is associated with the destination address of the frame.

VLANs can overlap if one or more computers are part of more than one VLAN. In Fig. 14.10 the e-mail server is part of virtual networks 3 and 4. This means that its frames are transmitted by the switches to all computers included in these networks. If a computer is part of only virtual network 3, its frames will not reach network 4, but it can interact with computers on network 4 through the shared mail server. This scheme does not completely protect the virtual networks from each other; for example, a broadcast storm that originates on the e-mail server will flood both network 3 and network 4.

A virtual network is said to form a broadcast domain, by analogy with the collision domain formed by Ethernet repeaters.

Purpose of virtual networks

As we saw in the example from the previous section, custom filters can be used to interfere with the normal operation of switches and limit the interaction of local network nodes in accordance with the required access rules. However, the custom filter mechanism of switches has several disadvantages:

□ Separate conditions have to be set for each network node, using bulky MAC addresses. It would be much easier to group nodes and describe the interaction conditions for whole groups at once.

□ Broadcast traffic cannot be blocked. Broadcast traffic may make the network unavailable if some node, intentionally or unintentionally, generates broadcast frames at a high rate.

The technique of virtual local networks solves the problem of limiting the interaction of network nodes in a different way.

The main purpose of VLAN technology is to facilitate the creation of isolated networks, which are then usually connected to each other using routers. This network design creates powerful barriers to unwanted traffic from one network to another. Today it is considered obvious that any large network must include routers, otherwise streams of erroneous frames, such as broadcasts, will periodically "flood" the entire network through the switches, which are transparent to them, rendering it inoperable.

The main advantage of virtual networks is that they allow isolated network segments to be created through the logical configuration of switches, without resorting to changes in the physical structure of the network.

Before the advent of VLAN technology, a separate network was created either from physically isolated segments of coaxial cable or from unconnected segments built on repeaters and bridges. These networks were then connected by routers into a single composite network (Fig. 14.11).

With this approach, changing the composition of segments (moving a user to another network, splitting a large segment) means physically reconnecting connectors on the front panels of repeaters or on patch panels, which is not very convenient in large networks: there is a lot of physical work, and the probability of error is high.

Fig. 14.11. Composite network consisting of networks built on repeaters (figure label: segments on repeaters)

To connect virtual networks into a common network, the network layer is required. It can be implemented in a separate router or as part of the switch software; the switch then becomes a combined device, a so-called Layer 3 switch (see Chapter 18).

For a long time virtual network technology was not standardized, although it was implemented in a very wide range of switch models from different manufacturers. The situation changed with the adoption of the IEEE 802.1Q standard in 1998, which defines the basic rules for building virtual local networks independently of the link-layer protocol supported by the switch.

Creating virtual networks based on one switch

When creating virtual networks on a single switch, the port grouping mechanism of the switch is usually used (Fig. 14.12). In this case, each port is assigned to one virtual network or another. A frame arriving from a port that belongs to, for example, virtual network 1 will never be transmitted to a port that does not belong to this virtual network. A port can be assigned to several virtual networks, although in practice this is rarely done, since the effect of complete isolation of the networks is lost.

Creating virtual networks by grouping ports does not require much manual work from the administrator: it is enough to assign each port to one of several pre-named virtual networks. Typically this operation is performed using a special program supplied with the switch.

The second method of creating virtual networks is based on grouping MAC addresses. Each MAC address learned by the switch is assigned to a particular virtual network. When there are many nodes in the network, this method requires a large amount of manual work from the administrator. However, when building virtual networks on multiple switches, it turns out to be more flexible than port grouping.

Fig. 14.12. Virtual networks built on a single switch

Creating virtual networks based on several switches

Figure 14.13 illustrates the problem that arises when creating virtual networks on several switches that support the port grouping technique.

Fig. 14.13. Building virtual networks on several switches with port grouping

If the nodes of a virtual network are connected to different switches, a separate pair of ports must be allocated on the switches to connect each such network. Otherwise, if the switches are connected by only one pair of ports, the information about which virtual network a frame belongs to is lost when it is transmitted from switch to switch. Thus, switches with port grouping require as many ports for their interconnection as the number of virtual networks they support, and ports and cables are used very wastefully. In addition, when virtual networks are connected through a router, each virtual network needs a separate cable and a separate router port, which also leads to high overhead.

Grouping MAC addresses into a virtual network on each switch eliminates the need to associate them across multiple ports, since the MAC address then becomes the virtual network label. However, this method requires a lot of manual work to mark MAC addresses on each switch in the network.

The two approaches described rely only on adding extra information to the switch's address tables; they cannot embed the frame's virtual network membership into the transmitted frame itself. Other approaches use existing or additional fields of the frame to carry information about the frame's membership in a particular virtual local network as it moves between the network's switches. In this case there is no need for every switch to remember which virtual networks all the MAC addresses of the composite network belong to.

The additional field carrying the virtual network number is used only when a frame is transferred from switch to switch; when the frame is delivered to an end node, the field is usually removed. Only the switch-to-switch interaction protocol is modified, while the software and hardware of the end nodes remain unchanged. Before the adoption of the IEEE 802.1Q standard there were many proprietary protocols of this type, but they all had one drawback: equipment from different manufacturers turned out to be incompatible when forming VLANs.

This standard introduces into the Ethernet frame an additional header called the VLAN tag.

Fig. 14.14. Structure of a tagged Ethernet frame (field widths shown in the figure: 6 bytes, 2 bytes, 2 bytes, 2 bytes, 42-1496 bytes; the tag's TCI (Tag Control Information) field includes the priority)

The VLAN tag is optional for Ethernet frames. A frame that carries such a header is called a tagged frame. Switches can work simultaneously with both tagged and untagged frames. Because of the 4 bytes added by the VLAN tag, the maximum length of the data field is reduced by 4 bytes.

So that LAN equipment can recognize and interpret tagged frames, a special EtherType value, 0x8100, is introduced for them. This value indicates that it is followed by a TCI field rather than a standard data field. Note that in a tagged frame the VLAN tag fields are followed by another EtherType field, which indicates the protocol whose data is carried in the frame's data field.

The TCI field contains a 12-bit VLAN number (identifier) field called the VID. The width of the VID field allows switches to create up to 4096 virtual networks. The TCI field also holds a 3-bit frame priority field. The one-bit CFI field was introduced to support the special Token Ring frame format; in Ethernet networks it must contain the value 0.
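As an added example (not from the textbook), this Python code assembles and parses an 802.1Q tagged frame: it distinguishes tagged from untagged frames by the 0x8100 EtherType, packs and unpacks the PCP, CFI and VID bits of the TCI field, and rejects out-of-range values. The helper names (build_frame, parse_frame, ParsedFrame) are constructed for the example, the frame check sequence is omitted, and the sample addresses are from the documentation range.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # EtherType value announcing that a VLAN tag follows


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    ethertype: int              # protocol carried in the data field
    payload: bytes
    pcp: Optional[int] = None   # 3-bit priority
    cfi: Optional[int] = None   # 1-bit CFI, must be 0 on Ethernet
    vid: Optional[int] = None   # 12-bit VLAN identifier

    @property
    def tagged(self) -> bool:
        return self.vid is not None


def valid_tci(vid: int, pcp: int, cfi: int) -> bool:
    """Range check for the three TCI subfields (12 + 3 + 1 bits)."""
    return 0 <= vid < 4096 and 0 <= pcp < 8 and cfi in (0, 1)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, cfi: int = 0) -> bytes:
    """Assemble a frame without FCS; giving a VID inserts the 4-byte tag after the source address."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    tag = b""
    if vid is not None:
        if not valid_tci(vid, pcp, cfi):
            raise ValueError("TCI field out of range")
        tci = (pcp << 13) | (cfi << 12) | vid
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> ParsedFrame:
    """Classify a frame as tagged or untagged and split the TCI into its subfields."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return ParsedFrame(dst, src, etype, raw[14:])   # untagged: EtherType, then data
    if len(raw) < 18:
        raise ValueError("truncated VLAN tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])  # TCI, then the real EtherType
    return ParsedFrame(dst, src, inner_type, raw[18:],
                       pcp=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)


# Constructed sample addresses (documentation range 00:00:5e:00:53:xx)
SAMPLE_DST = bytes.fromhex("00005e005310")
SAMPLE_SRC = bytes.fromhex("00005e005301")
```

A parser that stops at the 0x8100 EtherType would treat the TCI as the start of the payload; the second unpack is what recovers the protocol actually carried in the frame.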

Using the VID value in tagged frames, network switches perform group filtering of traffic, dividing the network into virtual segments, that is, into VLANs. To support this mode, each switch port is assigned to one or more virtual local networks, that is, port grouping is performed.

To simplify network configuration, the 802.1Q standard introduces the concepts of access line and trunk. An access line connects a switch port (called in this case an access port) to a computer belonging to some virtual local network. A trunk is a physical link that connects two switch ports and carries the traffic of multiple virtual networks.

Switches that support VLAN technology work like standard switches by default without any special configuration, providing connections from everyone to everyone. In a network formed by such switches, all end nodes by default belong to the conditional network VLAN1 with a VID equal to 1. All ports of this network to which end nodes are connected are, by definition, access ports. VLAN1 can be classified as a virtual local network only conditionally, since untagged frames are transmitted over it.

In order to create a virtual local network in the source network, you must first select a VID value other than 1 for it, and then, using switch configuration commands, assign to this network those ports to which the computers included in it are connected. An access port can only be assigned to one VLAN.

Access ports receive untagged frames from end hosts and tag them with a VLAN tag containing the VID value assigned to that port. When transmitting tagged frames to the end node, the access port removes the VLAN tag.

For a clearer description, let us return to the network example discussed earlier. Figure 14.15 shows how the problem of selective access to servers is solved with the VLAN technique.

Fig. 14.15. Splitting the network into two virtual local networks (VLAN2 and VLAN3)

To solve this problem, two virtual local networks, VLAN2 and VLAN3, can be organized in the network (recall that VLAN1 already exists by default; it is our original network), assigning one set of computers and servers to VLAN2 and the other to VLAN3.

To assign end nodes to a specific VLAN, the corresponding ports are declared as the access ports of that network by assigning them the appropriate VID. For example, port 1 of SW1 should be declared as an access port of VLAN2 by assigning it VID2, the same should be done with port 5 of SW1, port 1 of SW2 and port 1 of SW3. VLAN3 access ports must be assigned VID3.

In our network we also need to organize trunks - those communication lines that connect ports and switches to each other. Ports connected to trunks do not add or remove tags, they simply transmit frames unchanged. In our example, these ports should be ports 6 of switches SW1 and SW2, as well as ports 3 and 4 of switch SW3. The ports in our example must support VLAN2 and VLAN3 (and VLAN1, if the network contains hosts that are not explicitly assigned to any VLAN).

Switches that support VLAN technology provide additional traffic filtering. If the switch's forwarding table says that the incoming frame should be transmitted to a certain port, before transmission, the switch checks whether the VID value in the VLAN tag of the frame corresponds to the virtual local network that is assigned to this port. If there is a match, the frame is transmitted; if there is a mismatch, it is discarded. Untagged frames are processed in the same way, but using the conditional VLAN1. MAC addresses are learned by network switches separately for each VLAN.
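To tie the access port, trunk and VID check together, here is an added Python model (not the textbook's code and not any vendor's implementation) of switch SW1 from the example: access ports assign incoming untagged frames to their VID and strip the tag on the way out, the trunk port carries frames tagged, MAC addresses are learned per VLAN, and a frame is forwarded to a port only if that port is a member of the frame's VLAN. Port numbers follow the example (1 and 5 in VLAN2, 6 as the trunk; port 2 is assumed here to be a VLAN3 access port). Host MAC addresses are constructed placeholders, and carrying VLAN1 untagged on the trunk is an assumption that follows the text's remark that untagged frames belong to VLAN1.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None      # None means untagged


@dataclass
class Port:
    name: str
    mode: str                      # "access" or "trunk"
    vlans: Set[int]                # access: exactly one VID; trunk: the allowed VIDs


class VlanSwitch:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        # Forwarding table keyed by (VID, MAC): addresses are learned per VLAN.
        self.fdb: Dict[Tuple[int, str], str] = {}

    def _classify(self, port: Port, f: Frame) -> Optional[int]:
        """Assign an incoming frame to a VLAN, or return None if it must be dropped."""
        if port.mode == "access":
            vid = next(iter(port.vlans))
            if f.vid is not None and f.vid != vid:
                return None        # tagged frame for another VLAN on an access port
            return vid             # untagged frames get the port's VID
        vid = 1 if f.vid is None else f.vid   # untagged on a trunk: the conditional VLAN1
        return vid if vid in port.vlans else None

    def receive(self, in_port: str, f: Frame) -> List[Tuple[str, Frame]]:
        """Process one frame; return the (port, frame) pairs actually sent out."""
        port = self.ports[in_port]
        vid = self._classify(port, f)
        if vid is None:
            return []
        self.fdb[(vid, f.src.lower())] = in_port       # learn within this VLAN only
        dst = f.dst.lower()
        known = self.fdb.get((vid, dst))
        if dst != BROADCAST and known is not None:
            candidates = [known]
        else:
            candidates = [n for n in self.ports if n != in_port]   # flood the VLAN
        out = []
        for name in candidates:
            p = self.ports[name]
            if name == in_port or vid not in p.vlans:
                continue           # egress check: port not in the frame's VLAN -> discard
            # Access ports hand untagged frames to hosts; the trunk keeps the tag
            # (VLAN1, the default network, is assumed to travel untagged).
            out_vid = None if p.mode == "access" or vid == 1 else vid
            out.append((name, Frame(f.src, f.dst, out_vid)))
        return out


# Constructed host addresses (documentation range 00:00:5e:00:53:xx)
HOST_A = "00:00:5e:00:53:0a"   # on SW1 port 1, VLAN2
HOST_B = "00:00:5e:00:53:0b"   # reachable through the trunk (port 6)
HOST_C = "00:00:5e:00:53:0c"   # on SW1 port 2, VLAN3


def build_sw1() -> VlanSwitch:
    """SW1 of the example: ports 1 and 5 are VLAN2 access ports, port 2 a VLAN3
    access port (assumed), and port 6 the trunk carrying VLAN1, VLAN2 and VLAN3."""
    return VlanSwitch([
        Port("1", "access", {2}),
        Port("2", "access", {3}),
        Port("5", "access", {2}),
        Port("6", "trunk", {1, 2, 3}),
    ])
```

Feeding the model a frame from HOST_A on port 1 floods it only to ports in VLAN2 (port 5 and, tagged with VID 2, the trunk), never to port 2; a later frame to HOST_A in VLAN3 is still flooded, because the address was learned in VLAN2 only.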

As we can see from the example, the VLAN technique turns out to be very effective for limiting access to servers. Configuring a virtual local network does not require knowledge of the MAC addresses of the hosts; in addition, any change in the network, for example, connecting a computer to another switch, requires configuring only the port of this switch, and all other switches on the network continue to operate without making changes to their configuration.

Alternative routes in virtual local networks

By default, STP/RSTP creates one spanning tree for all VLANs in a network. To allow a network to use different spanning trees for different VLANs, there is a special version of the protocol, the Multiple Spanning Tree Protocol (MSTP).

The MSTP protocol allows several spanning trees to be created and different VLANs to be assigned to them. Typically a small number of trees, such as two or three, is created to balance the load on the switches; otherwise, as we saw in the examples of Fig. 14.2 and 14.3, a single spanning tree can leave some network switches completely idle, that is, it underutilizes the available network resources.

If we return to our example (see Fig. 14.2), then when creating two spanning trees, we can configure switch priorities so that for one tree the root switch becomes switch 111, and for the second, switch 222 (Fig. 14.16).

In this variant, we assume that ports 4 of switches 555 to 888 are configured as access ports of one VLAN, for example VLAN100, and ports 3 of the same switches are used as access ports of another virtual local network, for example VLAN200. VLAN100 is assigned to the spanning tree with root switch 111, and VLAN200 to the spanning tree with root switch 222.

In this variant, all network switches are used to forward traffic, which improves network performance.

The MSTP protocol is based on the RSTP protocol, so it provides a fast network response to failures.

Quality of service in virtual networks

LAN switches support almost all the QoS mechanisms that we discussed in Chapter 7. This statement applies to LAN switches as a class of communication devices, but each specific switch model may be equipped with only a certain set of mechanisms for maintaining QoS parameters or may not have them at all. Typically, workgroup switches do not support QoS, while core switches require this support.

Traffic classification

LAN switches are layer-2 devices that analyze only link-layer protocol headers. Therefore switches usually classify traffic only by the source and destination MAC addresses and by the number of the port through which the frame arrived. It is also possible to classify by the value of an arbitrary subfield within the data field, specified by its offset in bytes. These methods are not very convenient for an administrator who needs, for example, to separate voice traffic from file transfer traffic. Therefore some switches, without fully supporting upper-layer protocols (for example, without using IP to forward packets), classify traffic by attributes contained in the packet headers of those protocols: IP addresses and TCP/UDP ports.

Traffic tagging

Traffic tagging is usually performed at the edge of the network, and its result is then used by all intermediate devices on the network. The 802.3 Ethernet frame has no field in which the result of traffic tagging could be placed. This shortcoming is corrected by the 802.1p specification, which uses three bits of the 802.1Q/p header to store the frame priority.

In fact, these three bits store an indication of one of eight traffic classes. This is exactly how the field is interpreted by the 802.1D-2004 standard, which absorbed the 802.1p specification. Annex G of 802.1D-2004 gives recommendations for dividing all LAN traffic into seven classes:

□ NC (network control). Network control traffic is given the highest priority, since every characteristic of the network depends on control information being delivered to network devices and acted upon in time.

□ VI (video). Video traffic requires a latency of less than 100 ms.

□ CL (controlled load). Business-critical applications that require some form of admission control and bandwidth reserved for the flow.

□ EE (excellent effort). An improved best-effort service: such traffic is served better than BE where possible, but receives no throughput guarantees.

□ BE (best effort). The standard service in local networks.

□ BK (background). The traffic least sensitive to latency, such as backup traffic, whose source can transfer large volumes of data; it is advisable to separate it into its own class so that it does not slow down the processing of other traffic types.

Queue management

A switch that supports QoS parameters allows you to use multiple queues to differentiate classes of traffic. Queues can be serviced according to a priority processing algorithm, a weighted service algorithm, or a combination of these algorithms.

The switch typically supports a certain maximum number of queues, which may be less than the required number of traffic classes. In this situation, several classes will be served by one queue, that is, they will actually merge into one class. The 802.1D-2004 standard provides guidance on what classes of traffic should be implemented in a network when there are a limited number of queues in switches (Table 16.1).

When there is only one queue on the network, all classes of traffic are served by that queue. In reality, all classes are served with normal quality (if possible), since quality cannot be improved through queue management, although features such as loopback and bandwidth reservation for general traffic remain.

Two queues make it possible to serve groups of traffic classes differentially: the less demanding classes BK, BE and EE in one queue, and the more demanding classes VO, CL, VI and NC in the other.

A further increase in the number of queues allows for more differentiated servicing of traffic, up to the recommended seven classes. The proposed scheme is only a recommendation; the network administrator can divide traffic into classes at his discretion.


Table 16.1. Traffic classes and number of queues

    Number of queues    Traffic classes
    1                   (BE, EE, BK, VO, CL, VI, NC)
    2                   (BE, EE, BK), (VO, CL, VI, NC)
    3                   (BE, EE, BK), …

In addition, individual traffic flows can be serviced, but each switch must pick the flow out of the aggregate traffic on its own, since the Ethernet frame has no field for carrying a flow label through the network. The virtual network number can be used as a traffic class attribute. This attribute can also be combined with the values of the frame priority field to produce a large number of distinct classes.
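As an added example, not from the textbook, the following Python code maps the traffic classes of Table 16.1 onto one or two queues and then drains the queues with either a strict priority discipline or a weighted round-robin discipline, so that the effect of the two algorithms the text mentions can be compared on the same constructed sample of frames. The class-to-queue table covers only the queue counts whose rows the text gives in full; other counts raise an error rather than guess, and the function names and the sample frames are constructed for this example.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

# Class-to-queue mapping from the text's Table 16.1 for one and two queues.
# Queue 0 holds the least demanding classes; higher index = more demanding.
QUEUE_MAP: Dict[int, Dict[str, int]] = {
    1: {"BE": 0, "EE": 0, "BK": 0, "VO": 0, "CL": 0, "VI": 0, "NC": 0},
    2: {"BE": 0, "EE": 0, "BK": 0, "VO": 1, "CL": 1, "VI": 1, "NC": 1},
}


def queue_for(traffic_class: str, n_queues: int) -> int:
    """Queue index for a class, given how many queues the switch has."""
    try:
        return QUEUE_MAP[n_queues][traffic_class]
    except KeyError:
        raise ValueError(f"no mapping for class {traffic_class!r} with {n_queues} queue(s)")


def enqueue_all(frames: List[Tuple[str, str]], n_queues: int) -> List[Deque[str]]:
    """Place (frame_id, class) pairs into their queues in arrival order."""
    queues: List[Deque[str]] = [deque() for _ in range(n_queues)]
    for frame_id, cls in frames:
        queues[queue_for(cls, n_queues)].append(frame_id)
    return queues


def serve_priority(queues: List[Deque[str]]) -> List[str]:
    """Strict priority: always send from the most demanding non-empty queue."""
    order = []
    while any(queues):
        q = max(i for i, dq in enumerate(queues) if dq)
        order.append(queues[q].popleft())
    return order


def serve_weighted(queues: List[Deque[str]], weights: Dict[int, int]) -> List[str]:
    """Weighted round robin: each round, send up to weights[q] frames from every
    non-empty queue, visiting queues from most to least demanding."""
    order = []
    while any(queues):
        for q in range(len(queues) - 1, -1, -1):
            for _ in range(max(1, weights.get(q, 1))):   # at least one per round
                if queues[q]:
                    order.append(queues[q].popleft())
    return order


def schedule(frames: List[Tuple[str, str]], n_queues: int,
             algorithm: str = "priority",
             weights: Optional[Dict[int, int]] = None) -> List[str]:
    """Return the transmission order of the frames under the chosen discipline."""
    queues = enqueue_all(frames, n_queues)
    if algorithm == "priority":
        return serve_priority(queues)
    if algorithm == "weighted":
        return serve_weighted(queues, weights or {})
    raise ValueError(f"unknown algorithm {algorithm!r}")


# Constructed sample: arrival order f1..f5 with their 802.1D classes.
SAMPLE_FRAMES = [("f1", "BE"), ("f2", "VO"), ("f3", "BK"), ("f4", "NC"), ("f5", "EE")]
```

With two queues, strict priority sends f2 and f4 before any best-effort frame, while equal weights alternate between the queues; with a single queue both disciplines collapse to plain FIFO, which is the "normal quality for everyone" case the text describes.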

Reservation and profiling

LAN switches support methods for reserving interface bandwidth for classes of traffic or individual flows. Typically, a switch allows a class or flow to be assigned a minimum data rate, which is guaranteed during periods of congestion, as well as a maximum data rate, which is controlled by a profiling mechanism.

There is no standard resource reservation protocol for LAN switches. Therefore, to set up reservations, the network administrator must configure each switch in the network separately.

Traffic filtering tools

The task of traffic filtering tools is to control network traffic (the contents of network packets) and to block (filter) traffic that does not satisfy the specified security rules. Traffic filters monitor and analyze the contents of network packets up to the application level, but, unlike firewalls and proxy servers, they do not act as an intermediary between two nodes that prevents their direct interaction. Unlike IDS/IPS tools, traffic filters do not detect or prevent network intrusions and attacks.

Traffic filtering tools include:

  • network protocol filters;
  • content filters, including URL filters;
  • spam filters;
  • web traffic filters to protect web applications (Web Security).

These traffic filtering tools are either built into individual security products, such as firewalls, network antivirus, proxy servers, IDS/IPS, UTM, WAF, e-mail security and HIPS, to solve their particular tasks, or are implemented as standalone software or hardware/software tools. Traffic filtering tools are also used in billing, traffic accounting and tariffing systems; in the control, statistics and real-time monitoring of users' network activity and Internet use; and so on.


Network protocol filters pass traffic of certain network protocols and block traffic of other protocols. These tools are installed at the edge of the network so that only the necessary traffic of permitted protocols enters the network and/or leaves for the external network; that is, they enforce network policy.


Content filters

Content filters (Content Monitoring and Filtering, CMF) block access to unwanted Internet content. They are web traffic filters (HTTP/HTTPS protocols).

Web traffic is filtered by the URLs of blacklisted sites (URL filters), by keyword, signature or file type, and by site content using morphological analysis. Content filters are installed on network gateways (firewalls, proxy servers, etc.) or on workstations as part of antivirus products (parental control, protection against phishing sites), personal firewalls, etc. They can also be used as standalone software tools.



Web traffic filters (WebSecurity)

Web traffic filters (Web Security) are used to protect web applications from various types of threats arriving via web traffic, including the penetration of malicious code. They are web traffic filters (HTTP/HTTPS protocols). Web traffic filtering functions are used in security tools such as WAF. To protect against threats emanating from web traffic, it is recommended to use specialized solutions of the Web Security class.

Main functions of Web Security tools:

  • protecting web traffic from viruses and malware;
  • blocking access to malicious sites;
  • protection against phishing attacks;
  • control of user access to various web resources;
  • URL filtering and website categorization.

Hi all! You can talk a lot and abstractly about the advantages of the development of the World Wide Web. But for some reason, most users do not think about security issues.

Yes, the development of operating systems requires developers to install more advanced security methods. But, as a rule, they are not actually used, given the fact that most users prefer to “work out of the box” - that is, on a freshly installed system without any additional settings.

And as recent user surveys have shown, very few people are concerned about security issues.

It is quite difficult to identify and consider all methods of protection within one article. But it is worth and necessary to dwell in more detail on the topic of at least minimal traffic filtering, as well as.

What is the system network traffic filtering and why is it necessary?

Traffic filtering means organizing protection against various types of web threats, ranging from simple "probing" of the system to attacks organized with the aim of stealing information.

It would seem - what can be stolen from a home station? Bank payment card data, for one: an increasing number of users make purchases online without thinking that the data entered during the transaction remains in the system. And for an experienced hacker who has penetrated the system, it is not difficult to extract that data and use it at their discretion. There is also confidential correspondence, photographs, etc.

The presence of a traffic filtering system will ensure:

  • protection against DDoS attacks, spoofing, zero-day, hidden installation of spyware, etc.
  • detection and protection against tracking user activity
  • protection from visiting infected sites
  • blocking visits to unwanted sites or links to them
  • protection against penetration from outside

If we compare website pages developed, say, even 3-5 years ago and now, we will see that the amount of code has increased and, moreover, quite significantly. Yes, expanding and making pages heavier is necessary, especially in light of the fact that pages have become dynamic, focused on working with various devices, including mobile devices, and also provide a large number of online services.

It is the presence of massive code that allows an attacker to quietly place just a few lines (in simple cases) for an attack, and the operation of this code can remain undetected.

So, as can be seen from the above, traffic filtering is necessary. By allowing harmless content to pass through, the filter cuts out all (or almost all) external threats.

Organization of traffic filtering

There are several ways to organize Internet traffic filtering at your home station.

The first and easiest is to use the software provided by the operating system itself.

Windows users

During the installation of this operating system the user is asked to enable protection, which most people ignore when installing. It is the built-in Windows Firewall that allows you to provide almost complete protection of traffic from external threats.

To enable and configure IP traffic filtering, you need to open the Windows Firewall applet in the Control Panel and select “Turn Windows Firewall on or off.”

How to create rules from the command line is a topic for a separate discussion. Here we will consider the minimum settings necessary to ensure a minimal but effective level of security.

The user is immediately prompted to activate the recommended settings, and can also make finer adjustments, such as allowing certain network activity for a list of applications. To do this, go to the program management tab and check the programs that are allowed to exchange traffic on the network.

If you go to the advanced settings tab, you can further configure connection rules, create your own rules and enable authentication.

In most cases, this setting is sufficient.

For *nix and BSD users

What is said below will be useful not only for users of open operating systems, but also for those who want to understand in more detail how network traffic filtering is actually organized.

All open operating systems include netfilter; the rules for filtering network traffic are entered either on the command line or by editing configuration files.

What can you implement with this tool?

  • , as well as data transfer protocols
  • block or unblock specific hosts, MAC and IP addresses
  • configure NAT (sharing an Internet connection on a local network)
  • protect against DDoS attacks, brute force and spoofing
  • limit network activity for applications, users, etc.

As you can see, the user of *nix systems has more options, and this is due precisely to the openness of netfilter itself, as well as to full control over the configuration file.

The main utility used to manage the filter is iptables, and we will use it as the example for setting up filtering.

By default there are no filtering rules at first launch. Examples of the simplest settings (roughly corresponding to the Windows security policy) are available in additional files whose extension is, as a rule, .example, simple, etc.

The simplest example of traffic filtering:

sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

This allows incoming traffic that belongs to an already established connection, but spurious packets that belong to no tracked connection can still pass alongside it. To cut them off you need to add:

sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Thus the first and second traffic filtering rules have been created. A full description can be found in the documentation for iptables or similar software.
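The following Python model is an added illustration of what these two rules do; it is not code from the original text and it is not netfilter itself. It mimics how connection tracking classifies a packet (NEW, ESTABLISHED, INVALID) and how the INPUT chain evaluates rules in order before falling back to the default policy. With only the first rule in place, a stray ACK for a connection nobody opened does not match ESTABLISHED and falls through to the ACCEPT policy; the second rule is what drops it. The addresses and packets are constructed, and RELATED (ICMP errors for a tracked flow, for example) appears in the rule but is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet as the INPUT chain sees it (constructed)."""
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}


class ConnTracker:
    """A much-simplified model of netfilter's connection tracking table.

    Entries are keyed by the 5-tuple in the direction the flow was opened;
    replies are recognised by looking up the reversed tuple.
    """

    def __init__(self):
        self.table = set()

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        """Classify like the -m conntrack --ctstate match would."""
        if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:
            return "INVALID"                       # impossible flag combination
        if self._key(p) in self.table or self._reverse(p) in self.table:
            return "ESTABLISHED"
        if p.proto == "tcp":
            # Only a bare SYN may open a flow; an ACK/RST/FIN for a flow the
            # tracker never saw is exactly the spurious traffic rule 2 drops.
            return "NEW" if p.flags == {"SYN"} else "INVALID"
        return "NEW"                               # first datagram of a UDP flow

    def open(self, p):
        """Record a flow, as conntrack does when a NEW packet is accepted
        (including connections the host itself initiates)."""
        self.table.add(self._key(p))


class InputChain:
    """Ordered rule list with a default policy, evaluated first-match."""

    def __init__(self, tracker, policy="ACCEPT"):
        self.tracker = tracker
        self.policy = policy
        self.rules = []

    def append(self, ctstates, verdict):
        # Mirrors: iptables -A INPUT -m conntrack --ctstate <ctstates> -j <verdict>
        self.rules.append((set(ctstates.split(",")), verdict))

    def filter(self, p):
        state = self.tracker.state(p)
        verdict = self.policy
        for states, rule_verdict in self.rules:
            if state in states:
                verdict = rule_verdict
                break
        if verdict == "ACCEPT" and state == "NEW":
            self.tracker.open(p)
        return verdict


def scenario():
    """Walk through the two rules from the text; returns the verdicts seen."""
    tracker = ConnTracker()
    chain = InputChain(tracker, policy="ACCEPT")   # fresh iptables: no rules, policy ACCEPT
    chain.append("RELATED,ESTABLISHED", "ACCEPT")   # rule 1 from the text

    # The host opened an HTTPS connection; conntrack already holds the flow.
    tracker.open(Packet("tcp", "192.168.1.5", 40000, "203.0.113.10", 443, frozenset({"SYN"})))
    reply = Packet("tcp", "203.0.113.10", 443, "192.168.1.5", 40000, frozenset({"SYN", "ACK"}))
    # A lone ACK to port 22 for a connection nobody opened: constructed stray packet.
    stray = Packet("tcp", "198.51.100.9", 1234, "192.168.1.5", 22, frozenset({"ACK"}))

    results = {"reply_rule1": chain.filter(reply), "stray_rule1": chain.filter(stray)}
    chain.append("INVALID", "DROP")                 # rule 2 from the text
    results["stray_rule2"] = chain.filter(stray)
    return results


if __name__ == "__main__":
    print(scenario())
```

Note that the stray packet never creates a table entry: INVALID packets do not become connections, which is why the same packet is still INVALID, and now dropped, once the second rule is appended.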

Setting up filtering in the router

Almost all routers have firewall settings similar to those discussed above. The advantage is that rules are written not in configuration files but through the web interface.

To enable protection on the router, find the “Firewall” tab and enable it. Then you can fine-tune it further, for example by opening or closing certain ports.

So, for web surfing you need to leave port 80 open, and port 443 for SSL connections.

Below is a list of the most popular ports in daily work:

  • 20-22 - ftp, pop3
  • 80-83, 443 - browsers
  • 25, 110, 143 - mail
  • 587, 554 - socks

It is worth noting that many programs use non-standard ports, so their opening must be controlled manually.

And finally, a list of ports that can be closed:

  • 135-139 - NetBIOS
  • 113, 5000, 5554, 9996, 18350 - the most frequently attacked.

In the absence of flexible Internet access filtering, unnecessary and dangerous sites visited by employees every day account for almost half of the total traffic.

The leaders in the list of unwanted resources are social networks, portals that post obscene content, online game servers, as well as sites that generate so-called “heavy” traffic and invite visitors to download and view videos and flash banners.

Potential threats that arise as a result of employees visiting various sites not related to their work, in addition to misuse of working time, include:

  • excessive load on the network caused by uncontrolled downloading of large files from the Internet by employees. In the case when we are talking about a permanent or dedicated connection with a fixed channel speed from a provider, viewing or downloading video files by users will negatively affect the distribution of network resources and the loading of the Internet channel as a whole, as well as the cost of non-targeted traffic;
  • irrational use of network resources and working time as a result of the activities of fans of online games with video or voice chats;
  • uncontrolled remote connections of employees to working servers of corporate networks through VPN connections or utilities, associated with the risk of infecting the local network with viruses potentially located on the remote computer;
  • reducing the security level of the corporate network.

To ensure the security and integrity of the business, block channels of possible information leakage and increase employee productivity, it is necessary to control the flow of Internet traffic entering the local network by filtering Internet requests. By prohibiting access to certain resources by setting filters, you can solve the problems of reducing costs for non-targeted Internet resources, as well as significantly reduce the risk of infection of internal resources of the corporate network.

The use of filtering in NetDefend D-Link firewalls is discussed in the section "IDP, WCF, AV Functions" ("Web Content Filtering (WCF)").

VLANs

VLAN (Virtual Local Area Network). A virtual local network is a logical group of devices that have the ability to communicate with each other directly at the data link level, although they may be physically connected to different network switches. Conversely, traffic from devices located in different VLANs is completely isolated from other network nodes at the data link level, even if they are connected to the same switch. This means that frames cannot be transmitted between different virtual networks based on the MAC address, regardless of the type of address - unique, multicast or broadcast.

VLANs have the following advantages:

  • flexibility of implementation - VLANs are an effective way to group network users into virtual workgroups, despite their physical location on the network;
  • the use of VLAN provides the ability to control broadcast messages, which increases the bandwidth available to the user;
  • the use of VLANs allows you to increase network security by defining, using filters configured on a switch or router, the policy for interaction between users from different virtual networks.

In NetDefendOS, a VLAN can support one or more VLAN interfaces that are associated with a specific physical interface. NetDefend firewalls treat VLAN interfaces as logical interfaces that interact with other NetDefendOS interfaces through rule sets and routing tables. VLANs configured in DFL-xxx series firewalls operate at the L3 level.

VLANs are used in several cases. A common application is exposing one Ethernet interface as multiple interfaces. This means that the number of external network connections on NetDefend firewalls is not limited by the number of physical Ethernet ports.

VLANs are also used to group individual users so that their traffic is completely separate from other VLANs. Under NetDefendOS, traffic can pass between different VLANs and be filtered using security policies provided by the rules of the NetDefendOS system.

The VLAN configuration of a NetDefendOS system includes a combination of VLAN trunks from NetDefend firewalls to switches whose interfaces are configured as port based VLANs. Any physical firewall interface can allow both VLAN traffic for one or more VLANs and non-VLAN traffic to pass simultaneously.

NetDefendOS fully supports the IEEE 802.1Q standard for VLANs, which operate by adding a VLAN ID to the Ethernet frame header. The VLAN ID is a number from 0 to 4095 used to identify the VLAN to which each frame belongs. Using this mechanism, Ethernet frames can belong to different virtual local networks and still share one physical interface. In NetDefendOS, one physical interface can be assigned a unique VLAN ID and the same VLAN ID can be assigned to other physical interfaces, i.e. the same virtual network allows you to unite user computers connected to different physical interfaces (in Fig. 6.1 - VLAN1 and VLAN2).


Fig. 6.1.

One or more VLANs are configured on the physical interface of the NetDefend firewall, which connects directly to the switch. This connection works as a VLAN trunk. The switch must support port-based VLANs. The switch port that connects to the firewall must be configured to accept the VLAN IDs that will be transmitted through the VLAN trunk.
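Added example, not code from the original text or from NetDefendOS: the following Python builds and parses IEEE 802.1Q-tagged Ethernet frames and models how a firewall turns one physical trunk port into logical per-VLAN interfaces of the kind described above. Tagged frames whose VLAN ID the port is not configured for are dropped rather than forwarded, which is the layer-2 isolation the VLAN section describes; untagged frames go to the base interface. The interface names, MAC addresses and VLAN IDs are constructed.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Ethernet frame, optionally with an 802.1Q tag inserted after the MACs.

    The tag is TPID (0x8100) + TCI, where TCI = 3-bit priority (PCP),
    1-bit drop-eligible (DEI) and the 12-bit VLAN ID.
    """
    hdr = mac(dst) + mac(src)
    if vid is not None:
        if not 0 <= vid <= 4094:
            raise ValueError("VID must be 0..4094; 4095 is reserved by 802.1Q")
        tci = (pcp << 13) | (dei << 12) | vid
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional tag fields, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid, pcp, dei = 14, None, None, None
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "dei": dei,
            "ethertype": ethertype, "payload": frame[offset:]}


class TrunkPort:
    """One physical firewall interface exposed as several logical interfaces.

    Tagged frames for a configured VID go to '<name>.<vid>'; untagged frames
    (and priority-tagged frames, VID 0) go to the base interface if allowed;
    anything else is dropped, which is what keeps VLANs isolated at layer 2.
    """

    def __init__(self, name, allowed_vids, accept_untagged=True):
        self.name = name
        self.allowed_vids = set(allowed_vids)
        self.accept_untagged = accept_untagged

    def classify(self, frame: bytes):
        f = parse_frame(frame)
        vid = f["vid"]
        if vid is None or vid == 0:
            return self.name if self.accept_untagged else None
        if vid == 4095 or vid not in self.allowed_vids:
            return None
        return f"{self.name}.{vid}"


if __name__ == "__main__":
    port = TrunkPort("lan1", allowed_vids={10, 20})
    a, b = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed locally administered MACs
    for vid in (10, 20, 30, None):
        frame = build_frame(a, b, ETHERTYPE_IPV4, b"\x45" + bytes(19), vid=vid)
        print(vid, "->", port.classify(frame))
```

VID 0 and 4095 are the two values 802.1Q reserves: a tag with VID 0 only carries priority and the frame belongs to the port's untagged VLAN, while 4095 is never a valid VLAN, so the port never produces a logical interface for either.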

Just as in a wired local network it is possible to use VLANs, so in a wireless network there are mechanisms for distinguishing wireless clients.

Virtual private networks (VPN)

The Internet is increasingly being used as a means of communication between computers because it offers efficient and inexpensive communication. However, the Internet is a public network and in order to ensure secure communication through it, some mechanism is needed that satisfies at least the following tasks:

  • confidentiality of information;
  • data integrity;
  • availability of information.

These requirements are met by a mechanism called a VPN (Virtual Private Network), a generic name for technologies that make it possible to provide one or more network connections (a logical network) over another network (for example, the Internet) using cryptographic tools (encryption, authentication, public key infrastructure, and protection against replay and modification of messages transmitted over the logical network).

Creating a VPN does not require additional investment and allows you to stop using dedicated lines. Depending on the protocols used and purpose, VPN can provide three types of connections: host-to-host, host-to-network and network-to-network.

For clarity, let’s imagine the following example: an enterprise has several geographically distant branches and “mobile” employees working at home or on the road. It is necessary to unite all employees of the enterprise into a single network. The easiest way is to install modems in each branch and organize communications as needed. This solution, however, is not always convenient and profitable - sometimes constant communication and large bandwidth are needed. To do this, you will either have to lay a dedicated line between branches or rent them. Both are quite expensive. And here, as an alternative, when building a single secure network, you can use VPN connections of all branches of the company via the Internet and configure VPN tools on the network hosts.


Fig. 6.5.

In this case, many problems are solved - branches can be located anywhere around the world.

The danger here is that, firstly, an open network is open to attack by attackers all over the world. Secondly, all data is transmitted over the Internet in clear text, and attackers, having hacked the network, will have all the information transmitted over the network. And thirdly, data can not only be intercepted, but also replaced during transmission through the network. An attacker could, for example, violate the integrity of databases by acting on behalf of clients of one of the trusted branches.

To prevent this from happening, VPN solutions use features such as data encryption to ensure integrity and confidentiality, authentication and authorization to verify user rights and allow access to the virtual private network.

A VPN connection always consists of a point-to-point link, also known as a tunnel. The tunnel is created over an unprotected network, which most often is the Internet.

Tunneling, or encapsulation, is a way of transmitting useful information through an intermediate network. This information may be frames (or packets) of another protocol. With encapsulation, the frame is not transmitted as it was generated by the sending host, but is given an additional header containing routing information that allows the encapsulated packets to pass through the intermediate network (the Internet). At the end of the tunnel, the frames are de-encapsulated and transmitted to the recipient. Typically, a tunnel is created by two edge devices placed at the entry points into a public network. One of the clear advantages of tunneling is that this technology allows you to encrypt the entire source packet, including the header, which may contain information that attackers use to attack the network (for example, IP addresses, number of subnets, etc.).

Although a VPN tunnel is established between two points, each node can establish additional tunnels with other nodes. For example, when three remote stations need to contact the same office, three separate VPN tunnels will be created to that office. For all tunnels, the node on the office side can be the same. This is possible because a node can encrypt and decrypt data on behalf of the entire network, as shown in the figure:

The user establishes a connection to the VPN gateway, after which the user has access to the internal network.

Inside a private network, encryption itself does not occur. The reason is that this part of the network is considered secure and under direct control, as opposed to the Internet. This is also true when connecting offices using VPN gateways. This ensures that only information transmitted over an insecure channel between offices is encrypted.

There are many different solutions for building virtual private networks. The most famous and widely used protocols are:

  • PPTP (Point-to-Point Tunneling Protocol) - this protocol has become quite popular due to its inclusion in Microsoft operating systems.
  • L2TP (Layer-2 Tunneling Protocol) – combines the L2F (Layer 2 Forwarding) protocol and the PPTP protocol. Typically used in conjunction with IPSec.
  • IPSec (Internet Protocol Security) is an official Internet standard developed by the IETF (Internet Engineering Task Force) community.

The listed protocols are supported by D-Link devices.

The PPTP protocol is primarily intended for virtual private networks based on dial-up connections. The protocol allows for remote access, allowing users to establish dial-up connections with Internet providers and create a secure tunnel to their corporate networks. Unlike IPSec, PPTP was not originally intended to create tunnels between local networks. PPTP extends the capabilities of PPP, a data link protocol that was originally designed to encapsulate data and deliver it over point-to-point connections.

The PPTP protocol allows you to create secure channels for exchanging data over various protocols - IP, IPX, NetBEUI, etc. Data from these protocols is packaged in PPP frames and encapsulated using the PPTP protocol in IP packets. They are then transferred over IP in encrypted form across any TCP/IP network. The receiving node extracts the PPP frames from the IP packets and then processes them in the standard way, i.e. extracts an IP, IPX or NetBEUI packet from the PPP frame and sends it over the local network. Thus, the PPTP protocol creates a point-to-point connection in the network and transmits data over the secure channel it creates. The main advantage of encapsulating protocols such as PPTP is their multi-protocol nature. That is, data protection at the data link layer is transparent to network and application layer protocols. Therefore, within the network, both the IP protocol (as in the case of a VPN based on IPSec) and any other protocol can be used as a transport.

Currently, due to the ease of implementation, the PPTP protocol is widely used both for obtaining reliable secure access to the corporate network and for accessing the networks of Internet providers, when the client needs to establish a PPTP connection with the Internet provider to gain access to the Internet.

The encryption method used in PPTP is specified at the PPP level. Typically, the PPP client is a desktop computer running a Microsoft operating system, and the encryption protocol is Microsoft Point-to-Point Encryption (MPPE). This protocol is based on the RSA RC4 standard and supports 40- or 128-bit encryption. For many applications of this level of encryption, the use of this algorithm is quite sufficient, although it is considered less secure than some of the other encryption algorithms offered by IPSec, in particular, the 168-bit Triple-Data Encryption Standard (3DES).

How is a PPTP connection established?

PPTP encapsulates IP packets for transmission over an IP network. PPTP clients create a tunnel control connection that keeps the channel running. This process is performed at the transport layer of the OSI model. After the tunnel is created, the client computer and the server begin exchanging service packets.

In addition to the PPTP control connection, a connection is created to forward data through the tunnel. Encapsulating data before sending it into the tunnel involves two steps. First, the information part of the PPP frame is created. Data flows from top to bottom, from the OSI application layer to the data link layer. The received data is then sent up the OSI model and encapsulated by upper layer protocols.

Data from the link layer reaches the transport layer. However, the information cannot be sent to its destination, since the OSI data link layer is responsible for this. Therefore, PPTP encrypts the payload field of the packet and takes on the layer-two functions usually belonging to PPP, i.e. adding a PPP header and trailer to the PPTP packet. This completes the creation of the link layer frame. Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network layer protocols such as IP and IPX to enable their transmission over IP networks. However, using only the GRE protocol will not ensure session establishment and data security. This is where PPTP's ability to create a tunnel control connection is used. Using GRE as the encapsulation method limits the scope of PPTP to IP networks only.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the source and destination addresses of the packet. Finally, PPTP adds a PPP header and trailer.

Fig. 6.7 shows the data structure for forwarding over a PPTP tunnel:

Establishing a VPN based on PPTP does not require large expenses or complex settings: it is enough to install a PPTP server in the central office (PPTP solutions exist for both Windows and Linux platforms), and perform the necessary settings on client computers. If you need to combine several branches, then instead of setting up PPTP on all client stations, it is better to use an Internet router or a firewall with PPTP support: settings are made only on the edge router (firewall) connected to the Internet, everything is absolutely transparent for users. Examples of such devices are multifunctional Internet routers of the DIR/DSR series and firewalls of the DFL series.

GRE tunnels

Generic Routing Encapsulation (GRE) is a network packet encapsulation protocol that provides tunneling of traffic through networks without encryption. Examples of using GRE:

  • transmission of traffic (including broadcasting) through equipment that does not support a specific protocol;
  • tunneling IPv6 traffic over an IPv4 network;
  • data transfer through public networks to implement a secure VPN connection.


Fig. 6.8.

Between two routers A and B (Fig. 6.8) there are several routers; the GRE tunnel allows you to provide a connection between local networks 192.168.1.0/24 and 192.168.3.0/24 as if routers A and B were connected directly.
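As an added example, not code from the original text or from D-Link, the following Python builds and parses the two GRE forms discussed on this page: the plain GRE header of a tunnel like the one in Fig. 6.8 (here carrying IPv6 over IPv4, one of the uses listed above) and the enhanced GRE of PPTP, in which the Key field carries the payload length and Call ID and optional sequence and acknowledgment numbers follow, with a PPP frame inside. The outer IP header (protocol number 47) is not constructed here; the inner IPv4 and IPv6 packets are constructed byte strings standing in for real headers, and the call ID and sequence numbers are made up.

```python
import struct

GRE_IP_PROTO = 47          # protocol number of GRE inside IP (what a firewall must pass)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_PPP = 0x880B     # GRE protocol type used by PPTP for PPP frames (RFC 2637)
PPP_PROTO_IP = 0x0021      # PPP protocol field for IPv4

# Bits in the first 16-bit word of a GRE header.
GRE_C = 0x8000             # checksum present
GRE_K = 0x2000             # key present (PPTP: payload length + call ID)
GRE_S = 0x1000             # sequence number present
GRE_A = 0x0080             # acknowledgment number present (version 1 only)
GRE_VERSION = 0x0007


def gre_encapsulate(protocol_type, payload):
    """Plain GRE (RFC 2784, version 0) with no optional fields: 4-byte header."""
    return struct.pack("!HH", 0, protocol_type) + payload


def ppp_frame(protocol, data):
    """PPP frame as PPTP carries it: address 0xFF, control 0x03, protocol, data.
    (Peers that negotiated ACFC omit the first two bytes.)"""
    return b"\xff\x03" + struct.pack("!H", protocol) + data


def pptp_gre_encapsulate(call_id, ppp, seq=None, ack=None):
    """Enhanced GRE of PPTP (RFC 2637, version 1). The Key field is reused for
    the payload length and the Call ID that ties the data to a control session."""
    flags = GRE_K | 1                           # K bit set, version 1
    tail = b""
    if seq is not None:
        flags |= GRE_S
        tail += struct.pack("!I", seq)
    if ack is not None:
        flags |= GRE_A
        tail += struct.pack("!I", ack)
    return struct.pack("!HHHH", flags, ETHERTYPE_PPP, len(ppp), call_id) + tail + ppp


def parse_gre(packet):
    """Walk a GRE header of either version and return its fields and payload."""
    flags, proto = struct.unpack("!HH", packet[:4])
    version = flags & GRE_VERSION
    info = {"version": version, "protocol_type": proto}
    off = 4
    if flags & GRE_C:
        (info["checksum"],) = struct.unpack("!H", packet[off:off + 2])
        off += 4                                # checksum + reserved1
    if flags & GRE_K:
        if version == 1:
            info["payload_length"], info["call_id"] = struct.unpack("!HH", packet[off:off + 4])
        else:
            (info["key"],) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if flags & GRE_S:
        (info["seq"],) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if version == 1 and flags & GRE_A:
        (info["ack"],) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    info["payload"] = packet[off:]
    if proto == ETHERTYPE_PPP and info["payload"][:2] == b"\xff\x03":
        (info["ppp_protocol"],) = struct.unpack("!H", info["payload"][2:4])
        info["inner"] = info["payload"][4:]
    return info


if __name__ == "__main__":
    inner_ipv4 = b"\x45\x00" + bytes(18)        # constructed stand-in for an inner IPv4 header
    pptp = pptp_gre_encapsulate(7, ppp_frame(PPP_PROTO_IP, inner_ipv4), seq=42, ack=41)
    print("PPTP:", {k: v for k, v in parse_gre(pptp).items() if k not in ("payload", "inner")})
    inner_ipv6 = b"\x60" + bytes(39)            # constructed stand-in for an inner IPv6 header
    print("GRE :", hex(parse_gre(gre_encapsulate(ETHERTYPE_IPV6, inner_ipv6))["protocol_type"]))
```

Nothing in either header is encrypted: GRE by itself only adds routing information, so a GRE tunnel gives connectivity, not confidentiality, and a firewall between the endpoints sees the protocol type and, for PPTP, the call ID of every packet.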

The L2TP protocol appeared as a result of combining the PPTP and L2F protocols. The main advantage of the L2TP protocol is that it allows you to create a tunnel not only in IP networks, but also in ATM, X.25 and Frame Relay networks. L2TP uses UDP as transport and uses the same message format for both tunnel control and data forwarding.

As with PPTP, L2TP begins assembling a packet for transmission into the tunnel by first adding the PPP header to the PPP information field, then the L2TP header. The resulting packet is encapsulated in UDP. Depending on the type of IPSec security policy selected, L2TP can encrypt the UDP messages and add an Encapsulating Security Payload (ESP) header and trailer, as well as an IPSec authentication trailer (see the "L2TP over IPSec" section). The result is then encapsulated in IP: an IP header is added containing the sender and recipient addresses. Finally, L2TP performs a second PPP encapsulation to prepare the data for transmission. Fig. 6.9 shows the data structure for forwarding over an L2TP tunnel.

The receiving computer receives the data, processes the PPP header and trailer, and removes the IP header. IPSec authentication verifies the IP information field, and the IPSec ESP header is used to decrypt the packet.

The computer then processes the UDP header and uses the L2TP header to identify the tunnel. The PPP packet now contains only payload data that is processed or forwarded to the specified recipient.

IPsec (short for IP Security) is a set of protocols for protecting data transmitted over the Internet Protocol (IP), providing authentication and/or encryption of IP packets. IPsec also includes protocols for secure key exchange over the Internet.

IPSec security is achieved through additional protocols that add their own headers to the IP packet (encapsulation). Since IPSec is an Internet standard, there are RFCs for it:

  • RFC 2401 (Security Architecture for the Internet Protocol) – security architecture for the IP protocol.
  • RFC 2402 (IP Authentication header) – IP authentication header.
  • RFC 2403 (The Use of HMAC-MD5-96 within ESP and AH) - use of the MD5 hashing algorithm to create the authentication header.
  • RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH) – use of the SHA-1 hashing algorithm to create the authentication header.
  • RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) - use of the DES encryption algorithm.
  • RFC 2406 (IP Encapsulating Security Payload (ESP)) – data encryption.
  • RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) is the scope of the key management protocol.
  • RFC 2408 (Internet Security Association and Key Management Protocol (ISAKMP)) – management of keys and authenticators for secure connections.
  • RFC 2409 (The Internet Key Exchange (IKE)) – key exchange.
  • RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec) – null encryption algorithm and its use.
  • RFC 2411 (IP Security Document Roadmap) is a further development of the standard.
  • RFC 2412 (The OAKLEY Key Determination Protocol) – checking the authenticity of a key.

IPsec is an integral part of the Internet Protocol IPv6 and an optional extension to the Internet Protocol version IPv4.

The IPSec mechanism solves the following problems:

  • authentication of users or computers when initializing a secure channel;
  • encryption and authentication of data transmitted between secure channel endpoints;
  • automatic provision of channel endpoints with secret keys necessary for the operation of authentication and data encryption protocols.

IPSec Components

The AH (Authentication Header) protocol ensures integrity by verifying that no bits in the protected portion of the packet were changed during transmission. But using AH can cause problems, for example when a packet passes through a NAT device. NAT changes the packet's IP address to allow Internet access from a private local address. Since the packet is altered in this case, the AH checksum becomes incorrect (to eliminate this problem, the NAT-Traversal (NAT-T) mechanism was developed, which carries ESP over UDP and uses UDP port 4500 in its operation). It is also worth noting that AH was designed for integrity only. It does not provide confidentiality by encrypting the contents of the packet.

The ESP (Encapsulating Security Payload) protocol provides not only the integrity and authentication of transmitted data, but also data encryption, as well as protection against packet replay.

The ESP protocol is an encapsulating security protocol that provides both integrity and confidentiality. In transport mode, the ESP header is located between the original IP header and the TCP or UDP header. In tunnel mode, the ESP header is placed between the new IP header and the fully encrypted original IP packet.

Since both protocols, AH and ESP, add their own headers after the IP header, each of them has its own protocol number (ID), which is used to determine what follows the IP header. Each protocol, according to IANA (the Internet Assigned Numbers Authority, the organization responsible for the Internet address space), has its own number (ID). For example, for TCP this number is 6, and for UDP it is 17. Therefore, when working through a firewall, it is very important to configure filters in such a way as to allow packets with the AH and/or ESP protocol ID to pass through.

To indicate that AH is present in the IP header, the protocol ID is set to 51, and for ESP the number is 50.

ATTENTION: Protocol ID is not the same as port number.

The IKE (Internet Key Exchange) protocol is a standard IPsec protocol used to ensure secure interactions in virtual private networks. The purpose of IKE is to securely negotiate and deliver keying material for a security association (SA).

SA is the IPSec term for a connection. An established SA (a secure channel, called a Security Association) includes a shared secret key and a set of cryptographic algorithms.

The IKE protocol performs three main tasks:

  • provides a means of authentication between two VPN endpoints;
  • establishes new IPSec connections (creates an SA pair);
  • manages existing connections.

IKE uses UDP port number 500. When using the NAT Traversal feature, as mentioned earlier, the IKE protocol uses UDP port number 4500.

Data exchange in IKE occurs in 2 phases. In the first phase, the IKE SA is established. In this case, the channel endpoints are authenticated and data protection parameters are selected, such as an encryption algorithm, session key, etc.

In the second phase, the IKE SA is used to negotiate a protocol (usually IPSec).

When a VPN tunnel is configured, one SA pair is created for each protocol used. SAs are created in pairs because each SA is a unidirectional connection, and data must be transferred in two directions. The resulting SA pairs are stored on each node.

Since each node is capable of establishing multiple tunnels with other nodes, each SA has a unique number to identify which connection it belongs to. This number is called the SPI (Security Parameter Index).

SAs are stored in a database, the SAD (Security Association Database).

Each IPSec node also has a second database, the SPD (Security Policy Database). It contains the configured policy of the site. Most VPN solutions allow the creation of multiple policies with combinations of suitable algorithms for each host to which a connection must be established.

The flexibility of IPSec lies in the fact that for each task there are several ways to solve it, and the methods chosen for one task are usually independent of the methods for implementing other tasks. At the same time, the IETF working group has defined a basic set of supported functions and algorithms, which should be uniformly implemented in all products that support IPSec. The AH and ESP mechanisms can be used with a variety of authentication and encryption schemes, some of which are mandatory. For example, IPSec specifies that packets are authenticated using either the one-way MD5 function or the one-way SHA-1 function, and encryption is performed using the DES algorithm. Manufacturers of products that run IPSec may add other authentication and encryption algorithms. For example, some products support encryption algorithms such as 3DES, Blowfish, CAST, RC5, etc.

To encrypt data in IPSec, any symmetric encryption algorithm that uses secret keys can be used.

The protocols that protect the transmitted stream (AH and ESP) can operate in two modes: transport mode and tunnel mode. In transport mode, IPsec works only with transport layer information, i.e. only the data field of the packet containing the TCP/UDP protocols is encrypted (the IP packet header is left unchanged and unencrypted). Transport mode is typically used to establish connections between hosts.

In tunnel mode, the entire IP packet is encrypted, including the network layer header. In order for it to be transmitted over the network, it is placed in another IP packet. Essentially, it is a secure IP tunnel. Tunnel mode can be used to connect remote computers to a virtual private network (host-to-network connection scheme) or to organize secure data transfer through open communication channels (for example, the Internet) between gateways, to connect different parts of the virtual private network (network-to-network connection scheme).

IPsec modes are not mutually exclusive. On the same node, some SAs may use transport mode while others use tunnel mode.

During the authentication phase, the ICV (Integrity Check Value) of the packet is calculated. This assumes that both nodes know the secret key, which allows the recipient to calculate the ICV and compare it with the result sent by the sender. If the ICV comparison is successful, the sender of the packet is considered to be authenticated.

In AH transport mode, the ICV checksum calculation includes the following components:

  • the entire IP header, except for some fields in the IP header that may be modified during transmission. These fields, which are set to 0 for the ICV calculation, are Type of Service (TOS), flags, fragment offset, time to live (TTL) and the header checksum;
  • all fields in AH;
  • the IP packet payload.

AH in transport mode protects the IP header (excluding fields for which changes are allowed) and payload in the original IP packet (Figure 3.39).

In tunnel mode, the original packet is placed in a new IP packet, and data transmission is performed based on the header of the new IP packet.

In AH tunnel mode the ICV is calculated over the following components:

  • all fields of the outer IP header, except for those that may be modified in transit. These fields, which are set to 0 for the ICV calculation, are Type of Service (TOS), flags, fragment offset, time to live (TTL) and the header checksum;
  • all fields of the AH header;
  • the original IP packet.
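To make the ICV rule above concrete, here is an added example (not code from this page or from any IPSec implementation) that builds an AH-protected IPv4 packet in transport mode, zeroes the mutable header fields named above, computes HMAC-SHA1-96 as the ICV and verifies it. The key, addresses and payload are constructed. The `demo` function also shows that a TTL decrement by a router leaves the ICV valid while a rewritten destination address does not, and `ah_tunnel_protect` shows that tunnel mode is the same computation over a new outer header with the original packet as the payload.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51      # IP protocol number of AH
ICV_LEN = 12       # HMAC-SHA1-96 (RFC 2404): SHA-1 HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN

# Mutable IPv4 header fields as (offset, length) in a 20-byte header without
# options: TOS, flags + fragment offset, TTL, header checksum. Zeroed for the ICV.
MUTABLE_IPV4_FIELDS = ((1, 1), (6, 2), (8, 1), (10, 2))


def build_ipv4_header(src, dst, proto, total_len, ttl=64, tos=0):
    """Minimal IPv4 header; the checksum is left at 0 because AH zeroes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_header):
    """Copy of the header with every mutable field set to zero."""
    h = bytearray(ip_header)
    for off, ln in MUTABLE_IPV4_FIELDS:
        h[off:off + ln] = b"\x00" * ln
    return bytes(h)


def hmac_sha1_96(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport_protect(key, src, dst, inner_proto, payload, spi, seq, ttl=64):
    """Build IP | AH | payload. The ICV is the HMAC over (IP header with mutable
    fields zeroed) + (AH with its ICV field zeroed) + payload, i.e. the list above."""
    ip_hdr = build_ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload), ttl)
    # AH fixed part: Next Header, Payload Len (AH_LEN/4 - 2 = 4), Reserved, SPI, Seq
    ah_fixed = struct.pack("!BBHII", inner_proto, AH_LEN // 4 - 2, 0, spi, seq)
    icv = hmac_sha1_96(key, zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + icv + payload


def ah_transport_verify(key, packet):
    """Recompute the ICV on the receiver and compare it in constant time."""
    ip_hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    received = ah[12:]
    expected = hmac_sha1_96(key, zero_mutable(ip_hdr) + ah[:12] + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(received, expected)


def ah_tunnel_protect(key, gw_src, gw_dst, original_ip_packet, spi, seq):
    """Tunnel mode: the whole original packet becomes the payload behind a new
    outer header and Next Header = 4 (IP-in-IP). The ICV rule is unchanged."""
    return ah_transport_protect(key, gw_src, gw_dst, 4, original_ip_packet, spi, seq)


def demo():
    """Constructed input. Returns (valid, after_router_hop, after_tampering)."""
    key = b"constructed-ah-key"
    pkt = ah_transport_protect(key, "10.0.0.1", "10.0.0.2", 17, b"udp payload", spi=0x100, seq=1)
    hopped = bytearray(pkt)
    hopped[8] -= 1                                   # a router decremented the TTL
    tampered = bytearray(pkt)
    tampered[16:20] = socket.inet_aton("10.0.0.9")   # destination address rewritten
    return (ah_transport_verify(key, pkt),
            ah_transport_verify(key, bytes(hopped)),
            ah_transport_verify(key, bytes(tampered)))
```

The TTL and checksum are the fields a normal router changes on every hop, which is exactly why they must be excluded from the ICV; anything else in the header, such as the destination address, is covered and any change to it is detected.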

As you can see in the following illustration, AH tunneling mode protects the entire original IP packet by using an additional outer header, which AH transport mode does not use:

In transport mode, ESP does not authenticate the entire packet but protects only the IP payload. In ESP transport mode the ESP header is inserted into the IP packet immediately after the IP header, and the ESP trailer (ESP Trailer) is appended after the data.

ESP transport mode encrypts the following parts of the packet:

  • IP payload;
  • ESP Trailer.

An encryption algorithm that operates in Cipher Block Chaining (CBC) mode needs an unencrypted field between the ESP header and the payload. This field is the IV (Initialization Vector) for the CBC computation performed by the receiver. Because it is used to start the decryption process, it cannot itself be encrypted. Even though an attacker can see the IV, there is no way to decrypt the encrypted portion of the packet without the encryption key. To prevent an attacker from changing the initialization vector, it is protected by the ICV. In this case the ICV is calculated over:

  • all fields in the ESP header;
  • payload including plaintext IV;
  • all fields in ESP Trailer except the authentication data field.

ESP tunnel mode encapsulates the entire original IP packet between a new IP header plus ESP header and an ESP Trailer. To indicate that ESP is present, the protocol identifier in the new IP header is set to 50; the original IP header and payload are left unchanged. As with AH tunnel mode, the outer IP header is built from the IPSec tunnel configuration. In ESP tunnel mode the authenticated area of the IP packet shows where the signature certifying its integrity and authenticity was placed, and the encrypted area shows which information is kept confidential. The original IP header is placed after the ESP header. After the encrypted portion has been encapsulated in the new, unencrypted tunnel header, the IP packet is transmitted. When sent over a public network, the packet is routed to the IP address of the receiving network's gateway; the gateway decrypts the packet, discards the ESP header and uses the original IP header to route the packet to a computer on the internal network. ESP tunnel mode encrypts the following parts of the packet:

  • the original IP packet;
  • the ESP Trailer.

For ESP tunnel mode the ICV is calculated over:

  • all fields in the ESP header;
  • the original IP packet, including the plaintext IV;
  • all fields in the ESP Trailer except the authentication data field.
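An added example (not from this page or from any IPSec product) of the ESP layout discussed in the preceding paragraphs: ESP header, plaintext IV, encrypted payload plus trailer, and an ICV computed over everything except itself. Real products use DES, 3DES or AES in CBC mode; because this example must run with the Python standard library only, the cipher is a clearly labelled XOR stand-in that still needs the IV to decrypt. Keys, SPI and payload are constructed. The `demo` function flips one IV byte to show that the IV is readable on the wire but cannot be modified without failing the ICV check.

```python
import hashlib
import hmac
import os
import struct

ESP_PROTO = 50   # IP protocol number of ESP
IV_LEN = 8       # block size of DES/3DES, the ciphers named in the text
ICV_LEN = 12     # HMAC-SHA1-96 (RFC 2404)


def hmac_sha1_96(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def _keystream(key, iv, n):
    # Stand-in for the real cipher: an HMAC-derived keystream keyed by IV and a
    # counter. It models only "the IV is needed to start decryption", not CBC.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def stand_in_crypt(key, iv, data):
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


def esp_protect(enc_key, auth_key, spi, seq, next_header, payload, iv=None):
    """Build ESP header | IV | ciphertext(payload + trailer) | ICV.
    Transport mode: payload is the TCP/UDP segment and next_header its protocol.
    Tunnel mode: payload is the whole original IP packet and next_header = 4."""
    if iv is None:
        iv = os.urandom(IV_LEN)
    # ESP Trailer: padding so the encrypted part is a whole number of blocks,
    # followed by Pad Length and Next Header. The trailer is encrypted as well.
    pad_len = (-(len(payload) + 2)) % IV_LEN
    plaintext = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = stand_in_crypt(enc_key, iv, plaintext)
    esp_header = struct.pack("!II", spi, seq)
    # The ICV covers the ESP header, the plaintext IV and the ciphertext (which
    # contains the trailer), but not the ICV field itself.
    icv = hmac_sha1_96(auth_key, esp_header + iv + ciphertext)
    return esp_header + iv + ciphertext + icv


def esp_unprotect(enc_key, auth_key, packet):
    """Verify the ICV before decrypting. Returns (next_header, payload) or None."""
    if len(packet) < 8 + IV_LEN + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac_sha1_96(auth_key, body)):
        return None  # header, IV or ciphertext was altered in transit
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plaintext = stand_in_crypt(enc_key, iv, ciphertext)
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def demo():
    """Constructed input: a UDP segment in transport mode, then the IV tampered."""
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    iv = bytes(range(IV_LEN))  # fixed so the result is reproducible
    pkt = esp_protect(enc_key, auth_key, 0x1000, 7, 17, b"udp-datagram-bytes", iv=iv)
    good = esp_unprotect(enc_key, auth_key, pkt)
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01  # first IV byte: readable in cleartext, but covered by the ICV
    bad = esp_unprotect(enc_key, auth_key, bytes(tampered))
    return good, bad
```

Checking the ICV before decrypting, as `esp_unprotect` does, is the order real implementations use: a packet whose header, IV or ciphertext was altered is dropped without ever being fed to the cipher.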

Summary of typical IPSec settings (alternatives in parentheses):

  • Protocol – ESP (AH).
  • Mode – tunnel (transport).
  • Key exchange method – IKE (manual).
  • IKE mode – main (aggressive).
  • DH key – group 5 (group 2, group 1): the Diffie-Hellman group used to derive the dynamically created session keys; the group number determines the key length.
  • Authentication – SHA1 (SHA, MD5).
  • Encryption – DES (3DES, Blowfish, AES).

When creating a policy, it is usually possible to define an ordered list of algorithms and Diffie-Hellman groups. Diffie-Hellman (DH) is the key-agreement protocol used to establish shared secret keys for IKE, IPSec and PFS (Perfect Forward Secrecy). The first entry that matches on both nodes will be used. It is very important that every part of the security policy allows such a match: if everything matches except one part of the policy, the nodes will still not be able to establish a VPN connection. When setting up a VPN tunnel between different systems, find out which algorithms each side supports so that you can choose the most secure policy possible.

Basic settings that the security policy includes:

  1. Symmetric algorithms for data encryption/decryption.
  2. Cryptographic checksums to verify data integrity.
  3. Node identification method. The most common methods are pre-shared secrets or CA certificates.
  4. Whether to use tunnel mode or transport mode.
  5. Which Diffie-Hellman group to use (DH group 1 (768-bit); DH group 2 (1024-bit); DH group 5 (1536-bit)).
  6. Whether to use AH, ESP, or both.
  7. Whether to use PFS.
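An added example, not the page's own code, of the first-match rule described above: each node holds an ordered list of proposals made up of the seven settings just listed, and the first initiator entry that the responder also lists is used. `closest_mismatch` is a troubleshooting helper (an assumption of this example, not a product feature) that reports which field blocked an otherwise matching policy, which is the "everything matches except one part" case the text warns about.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Proposal:
    """One entry of an ordered policy list; fields follow the settings above."""
    protocol: str      # "ESP", "AH" or "AH+ESP"
    mode: str          # "tunnel" or "transport"
    encryption: str    # symmetric cipher, e.g. "3DES", "AES"
    integrity: str     # cryptographic checksum, e.g. "SHA1", "MD5"
    auth_method: str   # "psk" (pre-shared secret) or "cert" (CA certificate)
    dh_group: int      # 1 (768-bit), 2 (1024-bit) or 5 (1536-bit)
    pfs: bool


def negotiate(initiator, responder):
    """Walk the initiator's ordered list and return the first proposal the
    responder also accepts (first match on both nodes), or None."""
    acceptable = set(responder)
    for proposal in initiator:
        if proposal in acceptable:
            return proposal
    return None


def closest_mismatch(initiator, responder):
    """For a failed negotiation: take the initiator proposal nearest to any
    responder entry and return the names of the fields that differ.
    An empty list means a full match exists."""
    best = None
    for mine in initiator:
        for theirs in responder:
            diff = [f.name for f in fields(Proposal)
                    if getattr(mine, f.name) != getattr(theirs, f.name)]
            if best is None or len(diff) < len(best):
                best = diff
    return best or []


def demo():
    """Constructed policies for two sites."""
    site_a = [
        Proposal("ESP", "tunnel", "AES", "SHA1", "psk", 5, True),
        Proposal("ESP", "tunnel", "3DES", "SHA1", "psk", 2, True),
    ]
    site_b_ok = [Proposal("ESP", "tunnel", "3DES", "SHA1", "psk", 2, True)]
    # Identical to site_b_ok except PFS is off: that one field blocks the tunnel.
    site_b_bad = [Proposal("ESP", "tunnel", "3DES", "SHA1", "psk", 2, False)]
    return (negotiate(site_a, site_b_ok),
            negotiate(site_a, site_b_bad),
            closest_mismatch(site_a, site_b_bad))
```

Because the initiator's list is walked in order, its strongest proposal should come first; the responder's list then decides only whether that proposal is acceptable, not which one it would prefer.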

A limitation of IPSec is that it only supports IP protocol layer communications.

There are two main schemes for using IPSec, differing in the role of the nodes that form the secure channel.

In the first scheme, a secure channel is formed between the end hosts of the network. In this scheme, the IPSec protocol protects the node on which it is running:

Fig. 6.13.

In the second scheme, a secure channel is established between two security gateways. These gateways receive data from end hosts connected to networks located behind the gateways. The end hosts in this case do not support the IPSec protocol; traffic sent to the public network passes through the security gateway, which performs protection on its behalf.

For hosts that support IPSec, both transport and tunnel modes can be used. Gateways are only allowed to use tunnel mode.

VPN installation and support

As mentioned above, establishing and maintaining a VPN tunnel is a two-phase process. In the first phase, the two nodes agree on an identification method, an encryption algorithm, a hash algorithm and a Diffie-Hellman group, and identify each other. This can happen through an exchange of three unencrypted messages (Aggressive mode) or of six messages, in which the identification information is exchanged encrypted (Main mode).

In Main Mode, it is possible to coordinate all configuration parameters of the sender and recipient devices, while in Aggressive Mode there is no such possibility, and some parameters (Diffie-Hellman group, encryption and authentication algorithms, PFS) must be configured identically in advance on each device. However, in this mode, both the number of exchanges and the number of packets sent are lower, resulting in less time required to establish an IPSec session.

Assuming the operation completes successfully, the first-phase SA is created (Phase 1 SA, also called the IKE SA) and the process moves to the second phase.

In the second phase, keying material is generated and the nodes agree on the policy to use. This phase, also called Quick mode, differs from the first in that it can only take place after the first phase has completed, because all second-phase packets are encrypted. Successful completion of the second phase produces the Phase 2 SA (IPSec SA), at which point the tunnel is considered established.

First, a packet with a destination address in another network arrives at the node, and the node initiates the first phase with the node responsible for the other network. Let's say a tunnel between nodes has been successfully established and is waiting for packets. However, nodes need to re-identify each other and compare policies after a certain period of time. This period is called Phase One lifetime or IKE SA lifetime.

Nodes must also change the key to encrypt data after a period of time called Phase Two lifetime or IPSec SA lifetime.

The Phase Two lifetime is shorter than that of the first phase because the key needs to be changed more often. The same lifetime parameters must be set on both nodes; otherwise the tunnel may be established successfully at first, but the connection will be interrupted after the first inconsistent lifetime expires. Problems can also arise when the lifetime of the first phase is shorter than that of the second phase. If a previously working tunnel stops working, the first thing to check is the lifetimes on both nodes.

It should also be noted that if the policy is changed on one of the nodes, the changes will take effect only the next time the first phase occurs. For the changes to take effect immediately, the SA for this tunnel must be removed from the SAD database. This will cause the agreement between nodes to be renegotiated with new security policy settings.

Sometimes, when setting up an IPSec tunnel between equipment from different manufacturers, difficulties arise in agreeing the parameters of the first phase. Pay attention to the Local ID parameter: this is the unique identifier of a tunnel endpoint (sender and recipient). It is especially important when creating multiple tunnels and when using the NAT Traversal protocol.
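An added pre-flight check (not part of the page or of any vendor's software) for the points raised in the last three paragraphs: both ends must use the same Phase 1 and Phase 2 lifetimes, the Phase 1 lifetime should not be shorter than the Phase 2 lifetime, and tunnels towards the same NATed remote address need distinct Local IDs. The `TunnelConfig` field names and the sample values are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class TunnelConfig:
    """Per-tunnel settings on one firewall (hypothetical field names)."""
    name: str
    ike_lifetime: int     # Phase 1 / IKE SA lifetime, seconds
    ipsec_lifetime: int   # Phase 2 / IPSec SA lifetime, seconds
    local_id: str
    remote_endpoint: str  # peer address as seen on the wire (after NAT)


def check_peer_pair(a, b):
    """Compare both ends of one tunnel; returns a list of problems (empty = OK)."""
    problems = []
    for attr, label in (("ike_lifetime", "Phase 1 (IKE SA) lifetime"),
                        ("ipsec_lifetime", "Phase 2 (IPSec SA) lifetime")):
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            # The side with the shorter value expires its SA first, and the
            # connection is interrupted at that moment.
            problems.append(f"{label} differs: {a.name}={va}s, {b.name}={vb}s; "
                            f"the tunnel will drop after {min(va, vb)}s")
    for ep in (a, b):
        if ep.ike_lifetime < ep.ipsec_lifetime:
            problems.append(f"{ep.name}: Phase 1 lifetime ({ep.ike_lifetime}s) is "
                            f"shorter than Phase 2 lifetime ({ep.ipsec_lifetime}s)")
    return problems


def check_local_ids(tunnels):
    """Tunnels to the same (NATed) remote address must use distinct Local IDs."""
    seen = {}
    problems = []
    for t in tunnels:
        key = (t.remote_endpoint, t.local_id)
        if key in seen:
            problems.append(f"{t.name} and {seen[key]} share Local ID {t.local_id!r} "
                            f"towards {t.remote_endpoint}")
        seen.setdefault(key, t.name)
    return problems


def demo():
    """Constructed configurations: one consistent pair, one inconsistent pair,
    and two tunnels to the same remote address with the same Local ID."""
    hq = TunnelConfig("hq", 28800, 3600, "hq.example", "203.0.113.10")
    branch_ok = TunnelConfig("branch", 28800, 3600, "branch.example", "198.51.100.1")
    branch_bad = TunnelConfig("branch", 28800, 86400, "branch.example", "198.51.100.1")
    two_tunnels = [hq, TunnelConfig("hq2", 28800, 3600, "hq.example", "203.0.113.10")]
    return (check_peer_pair(hq, branch_ok),
            check_peer_pair(hq, branch_bad),
            check_local_ids(two_tunnels))
```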

Dead Peer Detection

During VPN operation, when there is no traffic between the tunnel endpoints, or when the initial data of the remote node changes (for example, a dynamically assigned IP address changes), the tunnel may in effect cease to be a tunnel and become a kind of ghost tunnel. To keep the created IPSec tunnel constantly ready for data exchange, the IKE mechanism described in RFC 3706 monitors the presence of traffic from the remote end of the tunnel; if it is absent for a set time, a hello message is sent (in D-Link firewalls the message is "DPD-R-U-THERE"). If there is no response to this message within a certain time, specified in D-Link firewalls by the "DPD Expire Time" setting, the tunnel is torn down. D-Link firewalls then, according to the "DPD Keep Time" setting (Fig. 6.18), automatically try to restore the tunnel.
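The following simulation is an added example of the DPD behaviour described above; it is not code from the page, from RFC 3706 or from D-Link. The "DPD Expire Time" and "DPD Keep Time" names follow the text; the idle threshold before the first probe, the message names R-U-THERE / R-U-THERE-ACK (as used in RFC 3706) and the time values are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DpdMonitor:
    """Liveness check for one IPSec tunnel, following the description above."""
    idle_timeout: float       # seconds without peer traffic before R-U-THERE is sent
    expire_time: float        # "DPD Expire Time": how long to wait for the ACK
    keep_time: float          # "DPD Keep Time": retry interval once the tunnel is down
    last_traffic: float = 0.0
    probe_sent_at: Optional[float] = None
    tunnel_up: bool = True
    down_at: Optional[float] = None

    def on_traffic(self, now):
        """Any packet from the peer proves it is alive; cancel a pending probe."""
        self.last_traffic = now
        self.probe_sent_at = None

    def on_ack(self, now):
        self.on_traffic(now)  # an R-U-THERE-ACK counts as traffic from the peer

    def on_tunnel_restored(self, now):
        self.tunnel_up, self.down_at = True, None
        self.on_traffic(now)

    def tick(self, now) -> Optional[str]:
        """Called periodically; returns the action to take at this instant, if any."""
        if not self.tunnel_up:
            if now - self.down_at >= self.keep_time:
                self.down_at = now            # schedule the next restore attempt
                return "RENEGOTIATE"
            return None
        if self.probe_sent_at is None:
            if now - self.last_traffic >= self.idle_timeout:
                self.probe_sent_at = now
                return "SEND R-U-THERE"
        elif now - self.probe_sent_at >= self.expire_time:
            self.tunnel_up, self.down_at = False, now
            return "TEAR DOWN"
        return None


def simulate(ack_delay: Optional[float], horizon: int = 40) -> List[Tuple[int, str]]:
    """Constructed scenario: one packet from the peer at t=0, then silence.
    If ack_delay is None the peer never answers the probe; otherwise it answers
    that many seconds later. Returns the timeline of events."""
    mon = DpdMonitor(idle_timeout=10, expire_time=5, keep_time=20)
    mon.on_traffic(0)
    events, ack_due = [], None
    for t in range(1, horizon):
        if ack_due is not None and t >= ack_due:
            mon.on_ack(t)
            events.append((t, "R-U-THERE-ACK"))
            ack_due = None
        action = mon.tick(t)
        if action:
            events.append((t, action))
            if action == "SEND R-U-THERE" and ack_delay is not None:
                ack_due = t + ack_delay
    return events
```

With a silent peer the timeline is probe at t=10, teardown at t=15 (expire time elapsed) and a restore attempt at t=35 (keep time elapsed); with a responsive peer the probe is acknowledged and the tunnel never goes down.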

NAT Traversal Protocol

IPsec traffic can be routed according to the same rules as other IP protocols, but since the router cannot always extract information specific to transport layer protocols, IPsec cannot pass through NAT gateways. As mentioned earlier, to solve this problem, the IETF defined a way to encapsulate ESP in UDP, called NAT-T (NAT Traversal).

The NAT Traversal protocol encapsulates IPSec traffic and simultaneously creates UDP packets that NAT forwards correctly. To do this, NAT-T places an additional UDP header before the IPSec packet so that it is treated as a regular UDP packet throughout the network and the recipient host does not perform any integrity checks. Once the packet arrives at its destination, the UDP header is removed and the data packet continues on its path as an encapsulated IPSec packet. Thus, using the NAT-T mechanism, it is possible to establish communication between IPSec clients on secure networks and public IPSec hosts through firewalls.
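An added example, not from this page or from any NAT-T implementation, of the UDP encapsulation described above, following the RFC 3948 conventions: ESP travels as the UDP payload on port 4500, and IKE on the same port is prefixed with a four-byte zero marker so the receiver can tell the two apart. `nat_rewrite` models only the source-port rewrite a NAT performs; the ESP packet and IKE message are constructed bytes. Because the ESP ICV does not cover the UDP header, the rewrite does not invalidate the packet.

```python
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on port 4500 is preceded by 4 zero bytes


def udp_header(src_port, dst_port, payload_len):
    # Checksum left at zero (optional for UDP over IPv4); a NAT recomputes it anyway.
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)


def encapsulate_esp(esp_packet, src_port=NAT_T_PORT):
    """UDP-encapsulated ESP: the ESP packet is the UDP payload, unchanged."""
    return udp_header(src_port, NAT_T_PORT, len(esp_packet)) + esp_packet


def encapsulate_ike(ike_message, src_port=NAT_T_PORT):
    """IKE moved to port 4500 carries the non-ESP marker first."""
    return udp_header(src_port, NAT_T_PORT, 4 + len(ike_message)) + NON_ESP_MARKER + ike_message


def nat_rewrite(udp_datagram, new_src_port):
    """What a NAT device does on the way out: rewrite the source port (and the
    outer IP address, not modelled here). It never looks inside the payload."""
    _, dst, length, cksum = struct.unpack("!HHHH", udp_datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst, length, cksum) + udp_datagram[8:]


def decapsulate(udp_datagram):
    """Strip the UDP header and demultiplex. An ESP packet starts with its SPI,
    which is never zero, so four zero bytes can only be the IKE marker."""
    _, dst, length, _ = struct.unpack("!HHHH", udp_datagram[:8])
    if dst != NAT_T_PORT or length != len(udp_datagram):
        raise ValueError("not a well-formed NAT-T datagram")
    payload = udp_datagram[8:]
    if len(payload) < 4:
        raise ValueError("payload too short")
    if payload[:4] == NON_ESP_MARKER:
        return "IKE", payload[4:]
    return "ESP", payload


def demo():
    """Constructed ESP packet (SPI 0x0a0b0c0d, seq 1, opaque ciphertext) and a
    constructed IKE message, both sent through a NAT that rewrites the source port."""
    esp = struct.pack("!II", 0x0A0B0C0D, 1) + b"\xde\xad\xbe\xef" * 4
    ike = b"constructed-ike-message"
    esp_seen_by_peer = nat_rewrite(encapsulate_esp(esp), 61000)
    ike_seen_by_peer = nat_rewrite(encapsulate_ike(ike), 61000)
    return decapsulate(esp_seen_by_peer), decapsulate(ike_seen_by_peer), esp_seen_by_peer[:2]
```

The receiving gateway learns the peer's translated address and port from the outer UDP header of the first datagram and sends its replies there, which is why the NAT mapping must be kept alive (see Keep-alive below) even when no user traffic flows.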

When configuring D-Link firewalls on the recipient device, two points need to be noted:

  • In the Remote Network and Remote Endpoint fields, specify the network and IP address of the remote sending device. It is necessary to allow translation of the initiator (sender) IP address using NAT technology (Figure 3.48).
  • When using pre-shared keys with multiple tunnels terminating at the same remote firewall behind the same NATed address, make sure the Local ID is unique for each tunnel.

Local ID may be one of:

  • Auto – the IP address of the outgoing traffic interface is used as the local identifier.
  • IP – the IP address of the WAN port of the remote firewall.
  • DNS – a DNS name.
  • Email – an e-mail address.

IPSec in D-Link firewalls

NetDefend firewalls allow you to create IPSec tunnels based on IKE keys and certificates.

Using Keys (Pre-Shared Key)

With minimal settings for the VPN server to work, you need:

  • Create objects (in the Objects folder):
    • the IP address of the remote endpoint (for example, IPSec_remote_endpoint) and the remote network (for example, IPSec_remote_net);
    • a Pre-shared Key (Authentication Objects), an IKE Algorithms object and an IPSec Algorithms object (VPN Objects). By default, the DFL's IKE Algorithms and IPSec Algorithms objects already specify encryption and hashing algorithms, but you can change or add the algorithms allowed for key exchange (IKE Algorithms) and for the traffic encryption itself (IPSec Algorithms).
  • Create an IPSec Tunnel (in the Interfaces folder).
  • Create allowing rules (in the IP Rules folder) for traffic from the tunnel to the internal network and back.

Using Certificates

X.509 certificates are based on a public key encryption method. Each certificate, along with other information (validity period, owner's name, etc.) contains a public key. The owner saves the secret key in a separate file.

Certificates are signed by a Certificate Authority (CA) to verify the authenticity of the certificate, the information contained in the certificate, and ultimately the remote host. The authenticity of a CA is verified according to its certificate, which is publicly available.

Certificates are digital proof of identity and can be used to authenticate individual users or other end users. To set up a VPN tunnel with certificate authentication, the firewall must have its own certificate and a certificate from the remote firewall. These certificates can be either self-signed or signed by a certificate authority (CA).

When setting up a VPN tunnel, the firewall needs to know whom it should trust. With pre-shared keys this is simple: the firewall trusts everyone who has the same key. With certificates, the firewall trusts anyone whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are performed to verify its authenticity:

  • a trusted certification path is created to the root CA;
  • the signatures of all certificates in the certification path are verified.

Typically a VPN tunnel is established if the certificate of the remote host, signed by a CA, is present in the Root certificates list on the Authentication tab in the menu of the created VPN tunnel. However, in some cases it becomes necessary to restrict which hosts can establish a VPN tunnel even among hosts whose certificates are signed by the same CA. A list of identities can be selected in the Identification List field.

  • IKE Mode – Main (Aggressive). The difference between these two modes is that Aggressive mode transmits more information in fewer packets (reducing the time needed to create an IPSec tunnel), but it does not provide identity protection, since the identities are exchanged unencrypted.

  • IKE DH Key Group. DH – Diffie-Hellman is a cryptographic protocol that allows two parties communicating over an insecure network (such as the Internet) to generate a shared secret key, which will subsequently be used to encrypt data between these parties.

    The cryptographic strength of the algorithm is determined by the key size: group 1 (768 bits), group 2 (1024 bits) or group 5 (1536 bits). The higher the group, the stronger the algorithm and the more CPU resources it consumes.

  • PFS (Perfect Forward Secrecy) – additional protection of the key exchange in the second phase.

    If PFS is enabled, a new Diffie-Hellman exchange will be performed for each phase two negotiation, providing new key data. As a result, the system is more resistant to cryptographic attacks. If one key is compromised, another key cannot be obtained using the same information. This increases processor load and reduces overall system performance.

  • NAT Traversal used if both devices establishing an IPSec tunnel operate under NAT. Options available:

    Disabled – the firewall will not send the "vendor ID".

    On if supported and NATed – if one of the IPSec tunnel devices operates under NAT and DFL informs the second device about this by sending the “vendor ID” identifier.

    On if supported – always use NAT when establishing a tunnel.

  • Keep-alive sends "ping" messages if one device, when sending data through the tunnel, does not receive a response from the second device. Options available:

    Disable – Keep-alive mechanism is disabled

    Auto – The firewall will send ICMP ping messages to IP addresses automatically found in the VPN tunnel settings.

To ensure that users can go online safely, special programs have been developed to filter traffic and web content.

How content filtering works

The main goal of a content filter is to limit access to prohibited or malicious resources. This is achieved using lists of allowed and denied resources.

Every user needs protection, but children and teenagers need it most of all, since many pages contain scenes of violence, erotica, and advertising of harmful substances and alcohol. A content filtering system is needed to protect children from such information.

Internet traffic filtering

Our company has developed a special Internet traffic filtering mechanism which not only helps keep network access in working order but also ensures the continuity and integrity of business processes. The web filter lets you manage the flows entering the local network, automatically reducing its load. At the same time, the problems of inappropriate access to unrelated resources and of irrational use of the network and of working time are eliminated.

An Internet traffic filtering system is needed at different levels: for home use and for a corporate network. It exists in different forms:

  • utilities;
  • applications;
  • browser add-ons;
  • a separate server.

A-Real Consulting is actively developing various ways to ensure network security, providing clients with a comprehensive solution. We have extensive experience in implementing Internet content filtering systems in schools and organizations.

Our content filter works on the web traffic data reported by the proxy server module. Each request is then checked against the list of prohibited resources. This database includes several million sites divided into categories, which allows web content filtering parameters to be configured individually.

Users of the Internet Control Server filtering system simply need to ban a category, and all sites on that topic automatically become inaccessible.

Content filtering also includes anti-virus modules that automatically check all incoming traffic for malware. Our solution guarantees reliability and security, providing all the tools needed to manage network access.

Content filtering in schools and educational institutions

According to statistics, more than 100,000 educational institutions have Internet access, where students are exposed to a stream of aggressive and potentially dangerous content. For this reason the Federal System for excluding access to Internet resources incompatible with the tasks of upbringing and education of students in the Russian Federation (SID) was approved.

In accordance with Federal Law No. 436 “On the Protection of Children from Information Harmful to Their Health and Development” and Federal Law No. 139 “On Amendments to the Federal Law “On the Protection of Children from Information Harmful to Their Health and Development””, the installation of content filtering in an educational institution is a mandatory requirement.

Possible options

Internet filters can be configured in two ways:

  1. ask your Internet provider for help;
  2. install and configure specialized software.

In the second case, you will have to download and configure a content filter for the school or other organization yourself. Our company offers the IKS Internet gateway. It is regularly updated and contains the addresses of resources with information whose distribution is prohibited in the Russian Federation, i.e. it complies with Federal Law No. 139 “On Black Lists”.

ICS functions for content filtering

  • providing access only to trusted resources;
  • protection from malicious objects that try to enter the local network, provided by a built-in firewall;
  • control of user access to the network;
  • keeping records of consumed traffic.

Advantages of the Internet gateway ICS

  • preliminary assessment and testing using a demo version for 35 days;
  • unlimited duration of the licensed version;
  • accessible training in the form of videos;
  • a free full-featured Lite version for up to 8 users.

ICS setup

Another advantage of ICS is the ease of installation and configuration. Only 5 actions are required:

This is how you can easily set up Internet filtering, providing complete protection against external threats.

