network map

Christos Ricudis ricudis at komodino.itc.auth.gr
Thu Sep 20 11:28:25 EEST 2007


Palias Panagiotis wrote:
> On Wed, 19 Sep 2007 14:48 , Christos Ricudis <ricudis at komodino.itc.auth.gr> sent:
>> And? Does that make a PIX less of a "software firewall" and more of a
>> "hardware firewall" than a Linux+iptables box? Let me remind you that both
>> run on practically exactly the same hardware.
>
> I understand the reasoning by which you lump them into the same bag. But what
> distinction could you draw between a PIX and a linux+iptables box? The one cannot
> be used for anything else, while the other can, through the software it has.
> The setup is a bit reminiscent of Apple.

I don't disagree about the modularity of the PIX operating system (it is 
modular, it's just that its modularity depends not on the end user but on 
Cisco). I'm simply saying that it is a custom OS running on generic hardware 
(essentially a PC).

The argument simply started from here 
(http://lists.hellug.gr/pipermail/linux-greek-users/2007-September/070091.html): 


"FYI the only real hardware firewalls are Cisco's PIX and ASA. The rest run
some OS and on top of it an application that does the firewalling."

...which is wrong on both points:

1) that the PIX/ASA is a "real hardware firewall", and
2) that "the rest run some OS and on top of it an application that does the 
firewalling".

The firewall on Linux/BSD is NOT /sbin/iptables or /sbin/pfctl; that is just 
the userland interface. The filtering happens in the kernel in all cases.

>> Which upgrades, of the userland tools? Your argument is IRRELEVANT.
>>
>> If PIXos were open source, somebody could rip out its packet filter and put 
>> an IPF in its place, so to speak. Would that make it "extra" and 
>> "not integrated"?
> 
> It resembles how they used to have the call manager running on Windows, whereas
> now they ship the box ready with the Unix-like software on it. That's roughly how
> I would understand it better. You could do something with PIXos if they gave out
> the code, but unfortunately they don't :)

OK, let's take that example then, since it suits you better. So:

"your own PC + Windows that you set up yourself + callmanager that you set up 
yourself"

is a "non-hardware call manager", whereas

"whatever OEM PC + preinstalled Solaris/x86 + preinstalled callmanager"

is a "hardware call manager"?

>> You're referring to control plane policing, which merely lets you 
>> differentiate the Quality of Service of traffic destined for the control 
>> plane. It may save you from denial of service attacks, but it still doesn't 
>> save you from overflows ("crashes from some odd packet").
> 
> Not the QoS control plane. It is a new feature of new units (on the 3800 if I
> remember correctly) that gives you the ability to have access to the machine
> in every case, except for hardware failure.

Did you understand what I said?

No.

Well, let me say it again.

Cisco calls "Control Plane" the process group that makes up the frontend 
interface of IOS: the CLI, SNMP, the HTTP server, and some other things. 
They simply give you the ability to prioritize the traffic addressed to that 
process group, so that you have some way of managing the device under 
denial-of-service attack conditions, and perhaps also to reserve some 
CPU/memory resources for that process group. Those two are essentially QoS 
features.

Nowhere have I seen it mentioned that memory protection at the OS level is 
applied to protect the control plane from other kinds of attacks (e.g. buffer 
overflows), or that the control plane runs on a separate hardware module 
(which it could). Logically, if you crash IOS, you have lost the control 
plane TOO.

>> Wrong again. Are you perhaps a CCNA/CCNP? So many consecutive errors I 
>> usually only hear from CCNA/CCNP certified people :P
> +ccip :P
>> What does "thorough checking" mean? You have A) a packet, B) some state, 
>> C) some filtering rules. These three are what determine the decision whether 
>> to drop or process the packet. There is no more thorough or less thorough 
>> checking. Some combinations of these three factors allow an efficient 
>> hardware implementation, and some others don't. It is *purely and only* a 
>> matter of performance, and *not* a matter of "the risk of a wrong packet 
>> being dropped or let through".

> I'm not Cisco's lawyer, to apologize for the way they implement things one way
> or the other. Besides, the people over there are pretty messed up, judging from
> what I've seen from time to time, so I consider it pointless to judge them or
> try to understand why they did it this way and not otherwise :D

It isn't a question of what drugs they take in California, even though the 
subject has been discussed at length in an old thread. It's a matter of 
simple logic and theory :)

-- 
Christos Ricudis
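The post's claim that the drop/accept decision depends on exactly three inputs (the packet, the connection state, and the filtering rules), and that the kernel-side filter is the firewall while iptables/pfctl is only its interface, can be made concrete with a toy stateful filter. This is an added example, not code from the thread or from any Linux/BSD/Cisco filter; the rule format, the host address and the traffic are constructed for illustration.

```python
# Added example (not from the thread): a minimal stateful packet filter that
# makes the post's point concrete: the drop/accept decision is a function of
# exactly (packet, state, rules); nothing else makes a check "more thorough".
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True for a TCP SYN that opens a new connection

class StatefulFilter:
    """Rules are (proto, dport, action) tuples, first match wins, default DROP.
    Accepted flows are remembered so replies pass on state, not on rules."""
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (src, dst, proto, sport, dport) of accepted flows

    def decide(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        # 1) state: a known flow, or the reply direction of one, needs no rule scan
        if flow in self.state or reverse in self.state:
            return "ACCEPT"
        # 2) packet: TCP without a SYN and without state is not a new connection
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP"
        # 3) rules: first match on (proto, dport) decides; new flows are recorded
        for proto, dport, action in self.rules:
            if proto == pkt.proto and dport == pkt.dport:
                if action == "ACCEPT":
                    self.state.add(flow)
                return action
        return "DROP"

def run_scenario():
    """Constructed traffic against a host 10.0.0.5: allow SSH and DNS only."""
    fw = StatefulFilter([("tcp", 22, "ACCEPT"), ("udp", 53, "ACCEPT")])
    pkts = [
        Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 22, syn=True),  # new SSH
        Packet("10.0.0.5", "198.51.100.7", "tcp", 22, 40000),            # SSH reply
        Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 80, syn=True),  # no rule
        Packet("198.51.100.7", "10.0.0.5", "tcp", 40002, 22),            # no SYN, no state
        Packet("198.51.100.7", "10.0.0.5", "udp", 5353, 53),             # DNS query
    ]
    return [fw.decide(p) for p in pkts]

if __name__ == "__main__":
    print(run_scenario())
```

The same five packets would get the same five verdicts from a hardware or a kernel implementation of this table; only how fast the lookup happens differs, which is the performance point the post makes.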
