network map

Christos Ricudis ricudis at komodino.itc.auth.gr
Wed Sep 19 14:48:20 EEST 2007


Palias Panagiotis wrote:
> On Wed, 19 Sep 2007 12:43 , Christos Ricudis <ricudis at komodino.itc.auth.gr> sent:
> 
>> Palias Panagiotis wrote:
>>
>>> I don't disagree; after all, they are operating systems from the same company. Where we disagree
>>> is that you consider the PIX/ASA to be software firewalls because they are ordinary PCs that
>>> run some operating system which does the management, right?

>> Well, that is exactly it.

> With the difference that PIX OS is an operating system for firewalling only, whereas Linux or
> BSD is a multi-purpose operating system to which we add firewall capability by putting in
> iptables or ipfilter.

And? Does that make a PIX less of a "software firewall" and more of a 
"hardware firewall" than Linux+iptables? I remind you that both of them 
run on practically the exact same hardware.

>>> What I am saying is that PIX OS (even if it has similarities with IOS in parts such as
>>> interface configuration, VLANs, routing, VPN) does not take some extra iptables-like
>>> firewall on top of it; it has it built in.

>> What does "extra" mean, and what does "built in" mean?

> What I said above: on PIX OS you upgrade a single thing and you get a new operating system
> together with the firewall. Whereas if you have a little Linux box with iptables, you have
> to do the upgrades separately.

Which upgrades, of the userland tools? Your argument is IRRELEVANT.

If PIX OS were open source, someone could rip out its packet filter and 
put IPF in its place, let's say. Would that make it "extra" and "not 
built in"?

Either you have got it completely mixed up, or you are simply trying to 
force a square argument into a round hole.

>> The firewall in PIX OS and in IOS is *exactly* as built in as iptables is 
>> in Linux. Filtering on Linux happens in kernel space; only the user 
>> interface lives in userspace. On PIX/IOS, where you don't have the ability 
>> to execute arbitrary code anyway, the userspace / kernelspace separation 
>> doesn't make much sense, and I'm not even sure that it exists.

> They don't need to be separated. Apart from the fact that you can't run any program, in
> older IOS versions you could freeze the machine if you threw some crap at it or if it
> crashed from some weird packet.
> To deal with that, they now have the control plane, so that you still have the console
> or telnet available, for example, even if the rest of the machine hangs.

You are referring to control plane policing, which simply lets you 
differentiate the Quality of Service of the traffic destined for the 
control plane. It may save you from denial of service attacks, but it 
still does not save you from overflows ("crashes from some weird 
packet").

>> All these mechanisms are implemented in IOS in various combinations with 
>> hardware - you will notice that in IOS there are at least three possible
>> paths:
>>
>> Cisco Express Forwarding,
>> Fast Switching, and
>> Process Switching.
>>
>> Depending on which features you use, what hardware you have, which 
>> IOS version, what day of the month it is, the phase of the moon, whether 
>> your dog peed this morning with its tail pointing south, etc., the packet 
>> may go through one of these three paths. Each path is implemented at a 
>> slightly different layer, with a different performance impact in each case.
>>
>> See also this: http://www.cisco.com/warp/public/105/cef_whichpath.html

> You are right about what you say. What I know is that for CEF, say, they were trying to
> get closer to layer 2 for routing. Supposedly in the firewall area they didn't do anything
> like that, because they consider it a risk for a packet to be dropped or to pass through
> without being checked thoroughly.

Wrong again. Are you CCNA/CCNP by any chance? I usually hear that many 
errors in a row only from CCNA/CCNP certified people :P

What does "thorough check" mean? You have A) a packet, B) some state, 
C) some filtering rules. These three are what determine the decision of 
whether to drop or process the packet. There is no such thing as a more 
thorough or a less thorough check. Some combinations of these three 
factors permit an efficient implementation in hardware, and others do 
not. It is *purely and only* a matter of performance, and *not* a matter 
of "the risk of dropping or passing a wrong packet".

-- 
Christos Ricudis
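The point made at the end of the message (the verdict is a function of packet, state and rules, and a fast path changes only performance, not thoroughness) can be made concrete with a small model. The following is an added example written for this archive page; it is not code from the thread, from Cisco, or from iptables. It implements a toy stateful filter with an optional per-flow verdict cache standing in for a fast path, and replays constructed sample packets through it with and without the cache. The rule set, addresses and packets are invented sample data; the only thing worth checking is that both paths return identical verdicts while the cached path walks the rules fewer times, and that a cached verdict must be discarded when the rules it was derived from change.

```python
"""Toy stateful packet filter with an optional per-flow fast path.

Added illustration, not code from the mailing-list thread or from any
vendor. Verdicts depend only on (packet, state, rules); the cache is a
performance optimisation that must never change a verdict.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


FlowKey = Tuple[str, str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    # Key of the opposite direction, used to recognise replies to an
    # already-accepted flow.
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class Filter:
    def __init__(self, rules: Iterable[Rule], use_cache: bool = True):
        self.rules: List[Rule] = list(rules)
        self.use_cache = use_cache
        self.established: Set[FlowKey] = set()   # connection-tracking state
        self.cache: Dict[FlowKey, str] = {}      # fast path: flow -> verdict
        self.slow_path_hits = 0                  # how often rules were walked

    def _slow_path(self, p: Packet) -> str:
        """Full decision: state first, then the rule list, then default drop."""
        self.slow_path_hits += 1
        if flow_key(p) in self.established or reverse_key(p) in self.established:
            return "accept"
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "drop"

    def process(self, p: Packet) -> str:
        key = flow_key(p)
        if self.use_cache and key in self.cache:
            verdict = self.cache[key]
        else:
            verdict = self._slow_path(p)
            if self.use_cache:
                self.cache[key] = verdict
        if verdict == "accept":
            self.established.add(key)
        return verdict

    def reload_rules(self, rules: Iterable[Rule]) -> None:
        # Cached verdicts were derived from the old rules, so they are stale.
        self.rules = list(rules)
        self.cache.clear()


def replay(rules: Iterable[Rule], packets: Iterable[Packet],
           use_cache: bool) -> Tuple[List[str], int]:
    f = Filter(rules, use_cache)
    return [f.process(p) for p in packets], f.slow_path_hits


# Constructed sample data (not from the thread): allow inbound SSH to one host.
RULES = [Rule("accept", proto="tcp", dst="10.0.0.5", dport=22)]
SAMPLE_PACKETS = [
    Packet("192.0.2.1", "10.0.0.5", "tcp", 40000, 22),   # new SSH connection
    Packet("192.0.2.1", "10.0.0.5", "tcp", 40000, 22),   # same flow again
    Packet("10.0.0.5", "192.0.2.1", "tcp", 22, 40000),   # reply, accepted by state
    Packet("192.0.2.1", "10.0.0.5", "udp", 40000, 53),   # no rule, default drop
    Packet("192.0.2.1", "10.0.0.5", "udp", 40000, 53),   # same flow again
]

if __name__ == "__main__":
    for cached in (True, False):
        verdicts, hits = replay(RULES, SAMPLE_PACKETS, use_cache=cached)
        print(f"cache={cached}: verdicts={verdicts} rule_walks={hits}")
```

Run with and without the cache and the verdict lists are identical; only the number of rule walks differs. The `reload_rules` method is the one piece a real fast path cannot skip: a cached verdict is only as valid as the rules and state it was computed from.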




More information about the Linux-greek-users mailing list