How does the router determine what path to send the message to get to the destination network?

Destination-Based Static Routes

Destination-based static routes use the destination network to determine what path to take to get the traffic to the destination. They have the following properties:

Virtual Router This is the VR the static route will be applied in.

IP Address/Netmask The IP address and subnet mask you want to create a route for. This is known as the destination network.

Next Hop You have two options for specifying the next hop for a static route. The first is Virtual Router. Use this option to specify what VR the traffic should be forwarded to for routing. The second option is Gateway. Once a selection is made, the firewall then forwards the traffic to the destination of this next hop which then continues to pass it along to the destination.

Interface This is the interface to forward the traffic out of.

Gateway IP Address This is the next hop's IP address to forward the traffic to.

Permanent This allows you to keep a route in the routing table even if it is not active.

Tag This allows you to set the route tag.

Metric This is the metric for this route.

Preference This is the routing preference for this route. This is used to determine whether the route should be preferred over the same route announced by another routing protocol.

Equal-Cost Multipaths

There are usually multiple ways to reach the same destination network that the routing protocol will compute as having the same cost. When equal-cost paths exist, OSPF routers can find and use equal-cost paths. This means that there can be multiple next hops installed in a forwarding table with OSPF. OSPF does not specify how to use these multipaths: Routers can use simple round-robin per packet, round-robin per flow, hashing, or other mechanisms. Equal cost multipath (ECMP) is also of great value in other routing protocols such as BGP.

4.4.1 Routers and routing

Data routing follows the same general method as IP routing, matching destination networks and replicating traffic to the next hop. Where more than one path would be possible, traffic will be sent over all available (acyclic) paths. Although the routing uses IP addresses, it is implemented on a Layer 2 network topology. This will ignore potential data leaks via ARP broadcasts, but is generally a sound model for how the packet will travel.

For example, assume VM1 and VM2 in Figure 1 to have IP addresses 192.167.1.1 and 192.167.1.2, respectively. Both nodes are part of network 192.167.1.0/24, and are connected by switch SW1 with a default gateway on VFW. The resulting basic model is part of Figure 2 and the textual representation of the involved processes and policies is shown in Listing 22.1.

Each node is annotated with its kind and its domain, and has a policy and processes. The policies specify which other nodes are allowed to communicate with this node, and which form of messages are allowed to be sent; policies basically realize the network infrastructure and the kind of protocol supported. For example, SW1 accepts packages from VM1, VM2, or VFW in the form of IP packages. Policies thus specify the trigger points introduced above, through which communication can happen.

The processes specify how the node reacts to triggers, basically by describing how to react to different kinds of messages received. This is similar to pattern matching. For example, the node SW1 defines three processes that are all triggered by receiving an IP message. For the sake of simplicity we assume that all packets have the form of 7 tuples consisting of the tag “IP,” the source address and source port, the destination address and destination port, the request, and a user name. Depending on the scenario in question this can be adjusted. Each routing process consists of inputting a tuple based on a pattern, and routing the tuple to the correct next hop. Processes use the exclamation mark for binding variables to values and the ∼ operator for matching addresses. Processes are ordered by mask size, so the first match is the route taken. Empty tuple elements are wildcards, so ("TAG", 192.167.1.1, "Content1", "Content2") would match ("TAG", !addr∼192.167.0.0/16,,) while binding the variable addr to the address 192.167.1.1.

For the specification in Listing 22.1 the switch SW1 sends packets for VM1 and VM2 directly to them, and packets for any other address to VFW.

ICMP Network Scan

Juniper firewalls can even detect an ICMP scan across multiple systems (PING sweep). Attackers will sweep the destination network address space to discover the hosts there. This will usually be followed up with host scans to discover the open ports on each host.

IP Address Sweep Protection This controls how many ICMP packets per second per single IP source are permitted before the firewall begins dropping ICMP packets from that source. Packets are dropped for the remainder of the second. The configuration actually detects a quick series of 10 packet probes in a user-definable period of microseconds. To increase the detection rate, lower the period. To decrease the detection rate, increase the period. The lowest possible detection rate is 10 packets in a period of 1,000,000 microseconds (one second). No sessions are set up for dropped packets.

A good starting number for IP address sweep protection is 100,000 microseconds. (Ten packets in 100,000 microseconds is 100 packets per second.) Network management packages, which perform network discovery and health checks, can be located in a separate security zone with higher thresholds.

Bandwidth issues

When you are scanning a single target over a business broadband connection, you likely will not be affecting the destination network even if you thread up a few scans simultaneously. If you do the same thing for 20+ targets, the network may start to slow down. Unless you are performing a DoS test, this is a bad idea because you may be causing negative conditions for your target and excessive bandwidth usage is one of the first things a competent system administrator will notice. Even a system administrator who is not exceptionally security conscious will notice when the helpdesk phone board is lit up with “I can’t reach my e-mail!” messages. Also, sometimes you will need to scan targets that are located over connections such as satellite or microwave. In those situations, you definitely need to be aware of bandwidth issues with every action you take. Nothing is worse than shutting down the sole communications link for a remote facility due to a missed flag or option.

ICMP

The most common tool associated with ICMP is called ping. ping utilizes ICMP packets to verify that a given destination network device is reachable from the source device. It does this by sending a message from the source to the destination using the ICMP protocol that includes specific flags to designate the type of ICMP message being sent. If the destination device responds, then it is considered available and the ping utility will typically show how long it took for the destination device to respond and other useful information. A simple example of how this is used is shown in Figure 2.9.

ping is often used when troubleshooting to confirm connectivity to the destination device at the Internet layer, however, there are some valid cases where a ping test will fail but connectivity between the devices is still functional. Based on the original Request for Comments (RFC) that defined ICMP, it was intended that ICMP support be required on all network devices and that the device should respond to all ICMP requests. Due to security concerns however, ICMP is frequently disabled or blocked which prevents ping from being used to check for connectivity to a network device. If ICMP is enabled and nothing is blocking the transmission of ICMP packets, the test should be successful.

DUAL

One of the most powerful components of EIGRP is the DUAL. DUAL is used for selecting and maintaining the best possible path to each destination network and handling these tasks in a completely loop-free manner. This makes it possible for all routers affected by a network change to synchronize updates at the same time and routers that are not affected by the change to remain out of the recomputation process. This also contributes to EIGRP's capability for rapid convergence. In fact, convergence time using DUAL rivals that of any other existing routing protocol.

The DUAL finite state machine keeps track of all routes advertised by all neighbors to make effective decisions on which routes to place in the routing table. DUAL uses the metric information to select the successor for the routing table and the feasible successors to include in the topology table. If no feasible successors exist in the topology table when the successor is no longer available, DUAL determines if other routers are still advertising the destination. If so, a recomputation occurs to select a new successor.

An entry is copied from the topology table to the routing table when there is a feasible successor. All paths to the destination network that have the minimum costs are considered to be a set. Any neighbors from the set with an advertised metric less than the current metric in the routing table are considered to be feasible successors. If a neighbor's advertised metric changes or a change occurs to the network, it may be necessary to reevaluate the set of feasible successors. This is not considered a route recomputation.

Anytime DUAL can obtain a feasible successor that already exists in the topology table, rapid convergence can occur. If it's necessary to perform a route recomputation, the convergence will be delayed. Route entries in the topology table are either in a Passive state or in an Active state. A route is in an Active state if there are no feasible successors and is a route computation occurring.

A route recomputation begins with a router sending a query packet to all neighboring routers. The neighbors then either reply that they have feasible successors or return their own query to say that they are in the process of a route recomputation. The router cannot change the next-hop information for a route if the route is in an Active state. The route will return to Passive state once all the replies have been returned for the query, then DUAL can select the new successor.

Controlling Routing Behavior with Network Rules

Even though you've created a new Network, you can't use it for anything until you define the route relationship between that Network and other Networks it communicates with. You control this route relationship using Network Rules.

There are three route relationships available when you create a Network Rule.

▪

Route The ISA firewall documentation defines a route relationship as a “reciprocal” relationship. In practice, you use a route relationship when the Source and Destination Network defined by the Network Rule support routing between them. For example, if the source Network and the Destination Network both use public addresses, then you can define a Route relationship. If both the source and destination Network use private addresses, then you can use a route relationship. If the source network uses private addresses and the destination uses public addresses, then you can't use a route relationship (in most cases, there are exceptions when the ISA firewall is configured with a routing table entry that allows routing from private to public networks). Another key feature of the route relationship is that the source IP address is always preserved (with the exception of Publishing Rules, where you can control whether or not the source IP address is preserved, and the Server IP address is always replaced by the listener address). Use a Route relationship when the source and destination Networks support a route relationship, and you need to support protocols that are not NAT friendly.

NAT The ISA firewall documentation defines a NAT relationship as directional. The directional nature of the NAT relationship means that you have to be mindful of the Source and Destination Network when configuring the Network Rule. When you use a NAT relationship, the source IP address is replaced with the address on the interface that connection is exiting. For example, suppose you create a NAT relationship between the default Internal Network and the DMZ Network. The source Network is the Internal Network and the destination Network is the DMZ Network. When communications leave the Internal Network to the DMZ Network, the source IP address is changed to the address on the network interface the communication is exiting, which in this case is the DMZ interface. If you created a Network Rule where the DMZ Network is the Source Network and the Internal Network is the Destination Network, then communications leaving the DMZ Network would have the source IP address replaced with the interface that the communication is exiting, which in this case is the Internal Network interface. Also note that when you define a NAT relationship, communications are one-way for both Web Publishing and Access Rules.

You must create a Network Rule for any communication between a specific Source and Destination Network. We've seen a number of situations where everything was set up right on the ISA firewall, but a particular Access Policy did not work because either there was no Network Rule controlling the route relationship between the Source and Destination, or the wrong route relationship was configured. We'll talk more about these route relationships later in this chapter in the discussions on the various ISA firewall Network Templates.

In the following exercise, you'll create a Network Rule that controls the route relationship between the Internal Network and the DMZ Network. Because both Networks are using private addresses we'll configure a Route relationship between the Networks. We prefer to use a Route relationship in this scenario because it allows us greater flexibility in the protocols we can pass between the Internal Network and the DMZ. However, if you want to hide the IP addresses of the hosts on the Internal Network when they're connecting to hosts on the DMZ Network, then you should use a NAT relationship, while keeping in mind that you'll not have support for protocols that do not work with NAT.

Perform the following steps to create the Network Rule:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then expand the Configuration node. Click on the Networks node.

On the Networks node, click the Network Rules tab in the Details pane of the console.

On the Task pane, click the Tasks tab. Click the Create a New Network Rule link.

On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we'll name the rule Internal

On the Network Traffic Sources page, click Add.

In the Add Network Entities dialog box, click the Networks folder. Double-click the Internal network. Click Close.

Click Next on the Network Traffic Sources page.

On the Network Traffic Destinations page, click Add.

In the Add Network Entities dialog box, click the Networks folder. Double-click the DMZ network. Click Close.

Click Next on the Network Traffic Destinations page.

On the Network Relationship page, select the Route option (see Figure 4.35). Click Next.

lick Finish on the Completing the New Network Rule Wizard page.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

You will see the new Network Rule on the Network Rules tab in the Details pane of the Microsoft Internet Security and Acceleration Server 2004 management console.

3.1.3 Handover execution

Right after releasing the previous connections, a new connection’s establishment is preceded. The handover execution phase cannot be started unless the UE receives a confirmation that the destination network resources are ready and apt to adopt the ongoing communication by providing a performing communication quality. As a matter of fact, in order to obtain a seamless and lossless handover with high-quality communications, two essential metrics are used to evaluate the handoff performance, which are the handover latency and the QoS. The latter criteria should not exceed few hundred milliseconds. The further is derived from both the source and the target schemes should be approximately identical. Thus, and in order to boost the cited metrics, handover process must be upgraded by integrating mechanisms for uninterrupted and seamless services and higher-speed applications. Eventually, the venerable resources are discharged and a new connection is built and established at this final phase. After receiving the response message of the Handover Request, the eNodeB source triggers the handover by sending a RRC message to the UE, which indicates in particular:

the target cell [frequency, if different, and its physical cell identifier (PCI)];

its Cell Radio Network Temporary Identity (C-RNTI) in that cell;

security settings (eg. algorithms) enabling it to derive the new encryption keys and RRC integrity.

On receiving this message, the UE must immediately attempt to switch to the target cell, even if it could not acknowledge the RRC message reception [Automatic Repeat reQuest (ARQ) or Hybrid Automatic Repeat reQuest (HARQ) acknowledgments/RLC]. It resets the MAC layer and proceeds to reestablish its RLC and PDCP layers. The RRC layer configures the PHY Layer, MAC, RLC layers, and PDCP according to the parameters provided by the target eNodeB and transmitted by the eNodeB source in the RRC Connection Reconfiguration message. The UE then derives the new KeNB, either from the current Key Access Security Management Entity (KASME) key (means the one used for the calculation of the current eNodeB key) or from the new KASME key if the NAS security proceeding was performed. The eNodeB indicates to the UE which of the two mechanisms to use for this derivation. The UE then conducts random access on the random-access channel (RACH) of the target cell and, if successful, sends the RRC Connection Reconfiguration Complete message to the eNodeB, which finishes the signaling procedure. The access to the RACH can be achieved with a dedicated preamble, if the target cell was provided to the source cell in the preparation phase. This method has the advantage of removing the risk of collision with other UE preambles, thus increasing the chances of success of the procedure and tending to reduce the overall time. Finally, the UE lifts periodic measurements enabled on the source cell and removes the configuration of the measurement intervals used for interfrequencies or intersystem measurements. Registration process is always done right after IP assignment. In this final phase, the new base station allocates the new resources. This operation is known as channel assignment, which can be seen as an important element of resource management and CAC.

Subnet Mask and Subnetting

Each class of a network address has an associated subnet mask as represented in Table 27.5. The IP protocol uses the subnet mask associated with the class of network address to extract the destination network address from the IP address of the destination node from the IP datagram, and thus make a routing decision. IP is a routable protocol; hence IP datagrams can be routed. In classful routing, each interface on the network must be assigned a subnet mask corresponding to its class of network address. This scheme enables the interface in making the routing decision for the IP datagram.

Table 27.5. Subnet Mask.

Subnetting is a mechanism by which a given network address is divided into several logical groups of networks. The subnetting allows managing, supervising, and securing a large number of hosts, such that each of the subnets can be assigned a security policy independent of other subnets. Routing of IP datagram from one subnet to another subnet requires the subnets to be interconnected using a set of routers. These routers run a set of routing protocols.