network map

Christos Ricudis ricudis at komodino.itc.auth.gr
Wed Sep 19 12:43:19 EEST 2007 

Palias Panagiotis wrote:

> 
> De diafwnw, allwste einai leitourgika ths idias etairias. Ekei pou diafwnoume
> einai oti esu 8ewreis ta PIX/ASA software firewalls giati einai koina pc pou
> trexoun kapoio leitourgiko pou kanei th diaxeirish, swsta?

Ma ayto akribws einai.

> Auto pou lew einai oti to PIXOS (akoma ki an exei omoiothtes me to IOS se
> kommatia opws interface configuration, vlans, routing, vpn) den pairnei extra
> panw tou kapoio iptable-oeides firewall, to exei enswmatomeno. 

Ti paei na pei "extra", kai ti shmainei "enswmatwmeno" ?

To firewall sto PIX OS kai sto IOS einai *akribws* oso enswmatwmeno einai 
kai to iptables sto Linux. To filtering sto linux ginetai se kernel space, 
sto userspace brisketai aplws to user interface. Sto PIX/IOS, pou den exeis 
etsi ki alliws th dynatothta na ekteleseis arbitrary code, den exei kai toso 
nohma o diaxwrismos  userspace / kernelspace, kai den eimai kan sigouros oti 
yparxei.

Sthn periptwsh tou PIX eidika, pou den paizei kan specialized hardware, 
exeis mono ena pi8ano data path : hardware => driver -> (IP -> TCP stack) -> 
firewall. Einai akribws to idio data path pou exeis sto Linux me iptables h 
sto pf me to BSD.

An epaize special hardware assistance sto PIX, 8a isxye EN MEREI ayto poy 
les, kai einai gnwstos tropos na kaneis optimization se kapoia special 
cases. Opws blepw thn arxitektonikh tou PIX, den mporei na ylopoihsei kanena 
apo ayta ta optimizations, poy anaferw parakatw :

Aplopoihmeno paradeigma. Estw oti lew sto firewall :

"Block all IP traffic coming from IP 1.2.3.4".

Aytos o kanonas ylopoieitai eykola se epipedo hardware - sth sygkekrimenh 
periptwsh, olh h plhroforia pou xreiazesai gia na deis an to paketo 
dikaioutai na prow8h8ei pros ta panw (dhladh to "Einai IP traffic?" kai to 
"Einai to source IP tou 1.2.3.4?"), brisketai se fixed positions mesa sto 
ethernet frame, ara enas aplos comparator arkei gia na parei thn apofash, 
kai ayto mporei na ylopoih8ei kallista se hardware sto idio to ethernet 
interface.

An o kanonas einai pio periplokos (p.x. perilambanei o,tidhpote afora to TCP 
layer, h gia opoiodhpote logo prepei na "doun" to paketo ypshlotera layers), 
tote anagkastika 8a prepei na akolou8h8ei mia pio "makria" diadromh, kai h 
apofash 8a lhf8ei telika apo to software.

Paromoia optimizations mporoun na ylopoih8oun gia apofaseis routing, 
switching, ktl. Oso pio aplos einai enas matching kanonas, toso pio eykola 
ylopoieitai se xamhlotera epipeda tou systhmatos, xwris na xreiazetai 
aparaithta to ypoloipo systhma na "dei" to paketo.

Oloi aytoi oi mhxanismoi ylopoiountai sto IOS se kapoious syndiasmous 
hardware - 8a prosekseis oti sto IOS yparxoun toulaxiston tria pi8ana
paths :

Cisco Express Forwarding,
Fast Switching, kai
Process Switching.

Analogws twra tou poia features xrhsimopoieis, ti hardware exeis, poia 
version tou IOS, ti mera tou mhna einai, th fash ths selhnhs, an katourhse o 
skylos sou to prwi me thn oura pros to noto, ktl, to paketo mporei na 
perasei apo ena apo ayta ta tria paths. To ka8e path ylopoieitai se ligo 
diaforetiko layer, me diaforetiko performance impact sthn ka8e periptwsh.

Des kai ayto edw pera : http://www.cisco.com/warp/public/105/cef_whichpath.html

-- 
Christos Ricudis

More information about the Linux-greek-users mailing list