Linux Based Advanced Routing with Firewall and Traffic Control
Presented by: Sandeep Sreenivasan, B.E. Computer Science and Engineering
Abstract
• Routing and bandwidth management have become essential for every organization: bandwidth is a limited resource and must be used efficiently
• This can be done with either hardware or software; both let you allocate a share of the bandwidth to Internet traffic and classify that traffic further into web, mail, FTP and so on
• A dedicated hardware router is costly to buy and to keep running
• With bandwidth management, each service or network is guaranteed its share at all times, and the administrator can change these shares for fixed time slots during the day, which a pre-tuned hardware device cannot do
• Bandwidth management prioritizes traffic so that a surge in one class does not clog another, possibly more critical, class
OUTLINE
Motivation
Existing System
Major Problems
Proposed System
Project Modules Study
Working Model Samples
Performance Analysis
Future Enhancements
Motivation
• Routing is fundamental to the design of the Internet Protocol
• Most fully-featured IP-aware networked devices run on UNIX or Linux
• Dedicated routing hardware is very costly compared with software routing on commodity PCs
• Finally, firewalls are easier to implement and more effective on Linux-based systems
Existing System
• Only basic static routing is implemented on the UNIX-based systems
• No firewall or traffic control mechanisms are provided
• Static routing copes poorly with heavy traffic flows
• Routing tables are updated manually, and only after the system discovers a damaged route
[Figure: existing system. Workstation 1, Workstation 2 ... Workstation N connected through a static software router]
Major Problems
• Static routing leads to low bandwidth utilization
• Without a firewall, information leaks from the servers
• Without traffic control, packets are delivered unevenly
• Routing table updates are triggered by route failures rather than on a time schedule
Proposed System
• This project builds a system with advanced routing, a firewall and traffic control mechanisms on the Linux platform, to save cost and to manage traffic effectively
• The system performs all the functions of a router, with the additional capabilities of filtering packets through a firewall and of full traffic control
• Traffic control classifies, prioritizes, shares and limits both inbound and outbound traffic
Hardware and Software Requirements
• Hardware requirements:
  - Intel machines with 512 MB RAM / 80 GB HDD: 10 nos.
  - Two machines with two network interface cards each; the rest with one network interface card
  - Internet connection
• Software requirements:
  - Red Hat Enterprise Linux 4.0
  - Fedora 10
  - iproute2 package source
  - Zebra package
  - Bash shell scripting
Project Modules Study
• The various modules of the Project are:
» Module 1: Dynamic Routing using OSPF Protocol
» Module 2: Secured Tunneling using GRE
» Module 3: Firewall and bandwidth management
» Module 4: Setup Web Server and DNS Server
» Module 5: Thin Client Setup
Module 1: Dynamic Routing using OSPF Protocol
• Dynamic routing involves setting up OSPF areas, exchanging link-state data with neighbouring routers and checking for live paths at fixed intervals
• In our setup the router checks for live paths every two seconds and, when it detects a broken link, updates the routing table with an alternate path
• Once the areas are configured, the router converges on working paths without manual intervention
ZEBRA Daemon
• The Zebra routing suite is used to run OSPF on Linux
• zebra itself is the daemon that talks to the kernel; the protocol daemons (bgpd, ripd, ospfd and others) connect to it, and it installs the routes they learn into the kernel routing table

  +------+   +------+   +-------+   +-------+
  | bgpd |   | ripd |   | ospfd |   | zebra |
  +------+   +------+   +-------+   +---|---+
                                        |
  +-------------------------------------v-----+
  |         UNIX kernel routing table         |
  +-------------------------------------------+

Zebra architecture
Sample Config File
• Below is a sample configuration file for the zebra daemon

  !
  ! Zebra configuration file
  !
  hostname Router
  password zebra
  enable password zebra
  log stdout
  !

• The passwords shown are the defaults from the Zebra documentation; change them before deployment, and start the daemons with -A 127.0.0.1 so that the vty (telnet on port 2601 for zebra, 2604 for ospfd) is reachable only from the router itself
OSPF Protocol
• OSPF (Open Shortest Path First) is an open, standardized link-state routing protocol (RFC 2328); Cisco implements it in its routers, as does the Zebra ospfd daemon used here
• In this project it runs on a PC-based router in place of dedicated routing hardware
Sample Config File
• Below is a sample configuration file for the OSPF daemon; the network statements must sit inside a router ospf block, and with interfaces in areas 0, 1 and 2 this router acts as the area border router

  !
  ! OSPF configuration file
  !
  hostname Router
  password zebra
  !
  router ospf
   network 192.168.0.0/24 area 0
   network 200.0.0.0/24 area 1
   network 10.0.0.0/8 area 2
  !
  log stdout
  !
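As an added example (it is not one of the project's files), the script below generates both configuration files shown above, with the two-second liveness check from Module 1 expressed as the OSPF hello interval, and validates the timers before writing. Its assumptions are labelled in the comments: eth0, eth1 and eth2 carry the three networks, the dead interval is four times the hello interval, the passwords come from the VTY_PASS and ENABLE_PASS environment variables instead of the default "zebra", and /etc/quagga is the configuration directory.

```shell
#!/bin/sh
# Added example, not part of the project: generate zebra.conf and ospfd.conf
# and validate the OSPF timers first.
# Assumptions: the 2-second "live path" check is the OSPF hello interval;
# dead interval = 4 x hello (it must exceed hello and be identical on every
# router of a segment, or adjacencies never come up); eth0/eth1/eth2 carry
# the three networks from the slide; passwords come from the environment.
set -u

CONF_DIR=${CONF_DIR:-/etc/quagga}
VTY_PASS=${VTY_PASS:-}
ENABLE_PASS=${ENABLE_PASS:-}

# timers_ok <hello> <dead>: both positive integers, dead strictly greater.
timers_ok() {
    case "$1$2" in *[!0-9]*|"") return 1 ;; esac
    [ "$1" -gt 0 ] && [ "$2" -gt "$1" ]
}

# write_zebra_conf <dir>: refuses an empty password or the default "zebra".
write_zebra_conf() {
    if [ -z "$VTY_PASS" ] || [ -z "$ENABLE_PASS" ] || [ "$VTY_PASS" = zebra ]; then
        echo "set VTY_PASS and ENABLE_PASS to something other than the default" >&2
        return 1
    fi
    cat > "$1/zebra.conf" <<EOF
!
! Zebra configuration file (generated)
!
hostname Router
password $VTY_PASS
enable password $ENABLE_PASS
log stdout
!
EOF
}

# write_ospfd_conf <dir> <hello_seconds>: per-interface timers plus the
# router ospf block with the three areas from the slide.
write_ospfd_conf() {
    case "$2" in *[!0-9]*|"") echo "hello interval must be a positive integer" >&2; return 1 ;; esac
    hello=$2
    dead=$((hello * 4))
    timers_ok "$hello" "$dead" || { echo "bad timers hello=$hello dead=$dead" >&2; return 1; }
    [ -n "$VTY_PASS" ] || { echo "set VTY_PASS" >&2; return 1; }
    {
        printf '!\n! OSPF configuration file (generated)\n!\nhostname Router\npassword %s\n!\n' "$VTY_PASS"
        for ifc in eth0 eth1 eth2; do
            printf 'interface %s\n ip ospf hello-interval %s\n ip ospf dead-interval %s\n' "$ifc" "$hello" "$dead"
        done
        printf '!\nrouter ospf\n network 192.168.0.0/24 area 0\n network 200.0.0.0/24 area 1\n network 10.0.0.0/8 area 2\n!\nlog stdout\n!\n'
    } > "$1/ospfd.conf"
}

# Start the daemons with the vty bound to localhost so the telnet interface
# (ports 2601/2604) is not reachable from the network:
#   zebra -d -A 127.0.0.1 -f "$CONF_DIR/zebra.conf"
#   ospfd -d -A 127.0.0.1 -f "$CONF_DIR/ospfd.conf"
if [ "${1:-}" = "write" ]; then
    write_zebra_conf "$CONF_DIR" && write_ospfd_conf "$CONF_DIR" 2
fi
```

Run it as `VTY_PASS=... ENABLE_PASS=... sh ospf-conf.sh write`; every router on a shared segment must be given the same hello and dead intervals.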
Module 2: Secured Tunnelling using GRE
• GRE Tunnelling
• Generic Routing Encapsulation (GRE) creates a logical tunnel between two endpoints so that traffic for one network can be carried across another
• GRE by itself provides neither confidentiality nor authentication: the inner packet travels in clear text, and any host that can reach an endpoint can inject packets into the tunnel. For secured transmission the GRE tunnel must be combined with IPsec, and at the very least the endpoints should accept GRE only from each other
• A GRE-encapsulated packet has the following structure:

  Original packet:      | Original Header | Original Data |
  Encapsulated packet:  | Outer Header | GRE Header | Original Header | Original Data |
                          \___ new header ___/ \_________ new data (payload) _________/
Sample Config File (Cisco IOS syntax; on Linux the equivalent is built with ip tunnel from iproute2)
• Router A:

  interface Ethernet0/1
   ip address 10.2.2.1 255.255.255.0
  interface Serial0/0
   ip address 192.168.4.1 255.255.255.0
  interface Tunnel0
   ip address 1.1.1.2 255.0.0.0
   tunnel source Serial0/0
   tunnel destination 192.168.4.2

• Router B:

  interface FastEthernet0/1
   ip address 10.1.1.1 255.255.255.0
  interface Serial0/0
   ip address 192.168.4.2 255.255.255.0
  interface Tunnel0
   ip address 1.1.1.1 255.0.0.0
   tunnel source Serial0/0
   tunnel destination 192.168.4.1
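The same tunnel on a Linux router, as an added example that is not part of the presentation: it uses the addressing from the IOS samples above (the endpoints 192.168.4.1 and 192.168.4.2, tunnel addresses 1.1.1.1/8 and 1.1.1.2/8, and the two LANs) but builds the interface with ip tunnel from iproute2, restricts GRE to the expected peer with iptables, and checks that the two sides mirror each other. The interface name gre1, the GRE key value and the DO_APPLY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the presentation: the GRE tunnel of the Cisco IOS
# samples above, built on a Linux router with iproute2.
# Assumptions (taken from the slide, not a recommendation): the routers reach
# each other on 192.168.4.1 <-> 192.168.4.2, the tunnel is numbered 1.1.1.1/8
# and 1.1.1.2/8, LAN 10.2.2.0/24 sits behind A and 10.1.1.0/24 behind B.
# GRE only encapsulates: nothing inside is encrypted or authenticated, and the
# 'key' below is a 32-bit tunnel identifier, not a secret. Run IPsec over the
# tunnel when confidentiality or integrity is required.
set -u

# Print each command instead of running it unless DO_APPLY=1, so the setup can
# be reviewed and tested without root and without touching the routing table.
run() { if [ "${DO_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# gre_side <local_public> <remote_public> <tunnel_addr/prefix> <remote_lan>
gre_side() {
    run ip tunnel add gre1 mode gre local "$1" remote "$2" ttl 255 key 42
    run ip link set gre1 up
    run ip addr add "$3" dev gre1
    run ip route add "$4" dev gre1
    # Accept GRE (IP protocol 47) only from the expected peer; drop the rest.
    run iptables -A INPUT -p gre -s "$2" -j ACCEPT
    run iptables -A INPUT -p gre -j DROP
}

router_a() { gre_side 192.168.4.1 192.168.4.2 1.1.1.2/8 10.1.1.0/24; }
router_b() { gre_side 192.168.4.2 192.168.4.1 1.1.1.1/8 10.2.2.0/24; }

# endpoints_match: succeed only if A's remote is B's local and vice versa,
# the mistake that most often leaves a GRE tunnel silently dead.
endpoints_match() {
    a=$( (DO_APPLY=0; router_a) | sed -n 's/.*local \([0-9.]*\) remote \([0-9.]*\).*/\1 \2/p')
    b=$( (DO_APPLY=0; router_b) | sed -n 's/.*local \([0-9.]*\) remote \([0-9.]*\).*/\2 \1/p')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

case "${1:-}" in
    a) router_a ;;
    b) router_b ;;
    check) endpoints_match && echo "tunnel endpoints are consistent" ;;
    *) echo "usage: $0 {a|b|check}  (DO_APPLY=1 to execute the commands)" ;;
esac
```

Run `sh gre.sh a` on router A and `sh gre.sh b` on router B to review the commands, then again with DO_APPLY=1 to apply them; `sh gre.sh check` runs the endpoint consistency test.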
Module 3: Firewall and Bandwidth Management
• Firewalls
• Internet firewalls are intended to keep the flames of Internet hell out of the private LAN, or to keep the members of the LAN pure and chaste by denying them access to all the evil Internet temptations
• The Linux firewall is netfilter, configured with iptables (its predecessor on 2.2 kernels was ipchains); explicit rules define the filtering policy
• Two types of firewalls:
  » Packet filtering firewalls, which block selected network packets
  » Proxy servers, which make network connections on behalf of clients
• Packet Filtering Firewalls
• A filtering firewall works at the network and transport level. Packets enter or leave the system only if the rules allow it; each packet is checked by protocol, source address, destination address and port
• Filtering firewalls are transparent to users: applications need no proxy settings to reach the Internet, which is not true of most proxy servers
• A filtering firewall can be thought of as a type of router, so working with one requires a good understanding of IP packet structure
• Proxy Servers
• Proxies are mostly used to control or monitor outbound traffic. Some application proxies cache the requested data
• Caching lowers bandwidth requirements and speeds up access to the same data for the next user. The proxy log also gives a reliable record of what was transferred
• We have used the Squid proxy server to limit inbound and outbound web traffic by logging the pages visited
• It also blocks access to sites that are not permitted, and because clients no longer connect to outside hosts directly, it reduces their direct exposure to attacks from the Internet. A web proxy covers only HTTP traffic; everything else is still governed by the packet filter
• Bandwidth Management
• The most essential task for an efficient routing architecture is bandwidth management
• It makes efficient use of the available bandwidth by splitting access between the different service types and balancing the load
• We have built a bandwidth-managed server that gives 30% of the bandwidth to FTP and 70% to HTTP
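One way to implement the firewall and the 30% FTP / 70% HTTP split described in this module, as an added example (these are not the project's own scripts): a default-deny forwarding firewall with iptables that marks packets per service, and an HTB queueing discipline (tc from iproute2) that shares the managed link by mark. The interface names eth0 (LAN) and eth1 (managed link), the LAN prefix 192.168.0.0/24 and the 50 kbit/s link rate from the bandwidth test later in the presentation are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own scripts) for the firewall and the
# 30% FTP / 70% HTTP bandwidth split: a default-deny forwarding firewall with
# iptables, packets marked per service, and an HTB qdisc (tc) that shares the
# managed link by mark.
# Assumptions: eth0 faces the LAN, eth1 the managed link, the LAN is
# 192.168.0.0/24 and the link is 50 kbit/s. HTB with 'ceil' lets an idle
# class's share be borrowed, so 30/70 is a guarantee under contention, not a cap.
set -u

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
LINK_KBIT=${LINK_KBIT:-50}

# Print commands unless DO_APPLY=1, so the rule set can be reviewed and
# tested without root.
run() { if [ "${DO_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# share_kbit <link_kbit> <percent>: integer kbit/s for one class.
share_kbit() { echo $(( $1 * $2 / 100 )); }

firewall() {
    run iptables -F; run iptables -t nat -F; run iptables -t mangle -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Forward only LAN-initiated HTTP and FTP; replies and FTP data connections
    # are admitted by connection tracking (nf_conntrack_ftp follows PORT/PASV).
    run modprobe nf_conntrack_ftp
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 21 -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Mark forwarded packets in both directions so tc can classify them:
    # 1 = FTP (control, active and passive data), 2 = HTTP.
    run iptables -t mangle -A FORWARD -p tcp -m multiport --ports 20,21 -j MARK --set-mark 1
    run iptables -t mangle -A FORWARD -m helper --helper ftp -j MARK --set-mark 1
    run iptables -t mangle -A FORWARD -p tcp -m multiport --ports 80 -j MARK --set-mark 2
}

# shaper <dev>: HTB on the egress of <dev>. tc shapes egress only, so run it on
# the WAN side for requests/uploads and on the LAN side for downloads.
shaper() {
    dev=$1
    ftp=$(share_kbit "$LINK_KBIT" 30)
    http=$(share_kbit "$LINK_KBIT" 70)
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${ftp}kbit" ceil "${LINK_KBIT}kbit" prio 2
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "${http}kbit" ceil "${LINK_KBIT}kbit" prio 1
    run tc filter add dev "$dev" parent 1: protocol ip handle 1 fw flowid 1:10
    run tc filter add dev "$dev" parent 1: protocol ip handle 2 fw flowid 1:20
}

firewall
shaper "$WAN_IF"
shaper "$LAN_IF"
```

Unmarked traffic falls into the HTTP class (`default 20`); check the split under load with `tc -s class show dev eth1`, which reports bytes and drops per class.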
Module 4
iproute2
• iproute2 is the user-space tool suite (ip, tc and related commands) that configures Linux kernel networking: addresses, routes, policy rules, tunnels and the traffic control queueing disciplines. It is not a daemon; the kernel performs the routing and shaping that these tools set up
• It supports multipath routes: the kernel spreads traffic over the configured next hops according to their weights, for example:

  ip route add default scope global \
      nexthop via $P1 dev $IF1 weight 1 \
      nexthop via $P2 dev $IF2 weight 1

• The command above balances load between two gateways $P1 and $P2 reached through interfaces $IF1 and $IF2
• The weight parameter gives each next hop's relative share of traffic (equal here); it is not a limit on packets per device. The kernel chooses a next hop per destination (older kernels, through the route cache) or per flow (newer kernels), so a single connection always follows one path
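The multipath default route above is rarely enough on its own: a reply to a connection that arrived on the second uplink may be sent out through the first, carrying the second uplink's source address, which the first provider drops. The script below, an added example rather than anything from the project, adds the policy-routing rules that pin each uplink's own address to its own gateway, and includes a small parser for `ip route show default` output that turns the weights into the expected per-gateway share. All interface names and addresses in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): the two-uplink default route from the
# text plus the policy-routing rules it needs in practice.
# All interface names and addresses are assumptions for illustration.
set -u

IF1=${IF1:-eth1}; IP1=${IP1:-192.168.1.10}; P1=${P1:-192.168.1.1}; NET1=${NET1:-192.168.1.0/24}
IF2=${IF2:-eth2}; IP2=${IP2:-192.168.2.10}; P2=${P2:-192.168.2.1}; NET2=${NET2:-192.168.2.0/24}

# Print commands unless DO_APPLY=1 (review/test without root).
run() { if [ "${DO_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

uplinks() {
    # One table per uplink: traffic sourced from an uplink's own address must
    # leave through that uplink's gateway, whatever the main table says.
    run ip route add "$NET1" dev "$IF1" src "$IP1" table 1
    run ip route add default via "$P1" dev "$IF1" table 1
    run ip route add "$NET2" dev "$IF2" src "$IP2" table 2
    run ip route add default via "$P2" dev "$IF2" table 2
    run ip rule add from "$IP1" table 1
    run ip rule add from "$IP2" table 2
    # Main table: spread new outbound flows over both gateways. 'weight' is a
    # relative share (1:1 here), not a packet limit.
    run ip route replace default scope global \
        nexthop via "$P1" dev "$IF1" weight 1 \
        nexthop via "$P2" dev "$IF2" weight 1
}

# nexthop_shares: read 'ip route show default' output on stdin and print the
# percentage of new flows each gateway should receive, derived from its weight.
nexthop_shares() {
    awk 'BEGIN { n = 0; total = 0 }
         /nexthop via/ { gw[n] = $3; w[n] = $NF; total += $NF; n++ }
         END { for (i = 0; i < n; i++) printf "%s %d\n", gw[i], 100 * w[i] / total }'
}

uplinks
```

After applying, `ip route show default | sh multipath.sh` is not needed; pipe `ip route show default` into `nexthop_shares` to confirm the kernel holds the weights you intended, and test from each uplink's address with `ping -I 192.168.2.10 ...` to see that replies return on the right interface.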
Module 5: Thin Clients
• A thin client is a PC with less of everything
• In designing a computer system there are decisions to be made about processing, storage, software and user interface
• A gigabit network moves data at a rate comparable to a PCI bus and faster than many hard drives, so each function can live in a different location
• In a thin client/server system, the only software installed on the thin client is the user interface, a few frequently used applications and a network-capable operating system
• This software can be loaded from a local drive, from the server at boot, or on demand
• With so little running locally, the thin client can be a very small, low-powered device, lowering the purchase and operating cost per seat
• The server, or a cluster of servers, carries the full weight of all applications, services and data
• This gives easier system management and lower costs, plus the usual advantages of networked computing: central storage and backup, and easier security
• A single PC can usually serve five or more thin clients; a more powerful PC or server can support up to a hundred at a time, and a high-end server over 700
[Figure: thin client architecture, thin clients connected to a thin client server]
Cost Comparison Chart

  Component          | General PC client | Thin client
  Hard disk          | 80 GB             | none
  RAM                | 1 GB              | 256 MB
  Motherboard        | any               | any
  Processor          | Intel Dual Core   | Pentium 3/4
  Average total cost | Rs. 14,000        | Rs. 7,000

• The average cost of a PC-based client is almost twice that of a thin client, and the same set of software runs on the thin client setup at minimal cost
Advantages of Thin Clients
• Thin clients have several advantages over commercial PC-based clients
• Some of the noteworthy ones are:
  » Lower IT administration costs
  » Easier to secure
  » Lower hardware costs
  » Less energy consumption
  » Easier hardware failure management
  » Worth less to most thieves
  » Operable in hostile environments
  » Less network bandwidth
Working Model Samples
1. Server Widgets (Main, Staff, Student)
2. General Mode Port Configuration Details
3. Routing Table Entry – Before Zebra Starts
4. Routing Table Entry – After Zebra Starts
5. GRE Tunnels
6. DNS Widget
7. Web Server Widget
8. General Mode Client Widget
9. Exam Mode Client Widget
10. Main Web Page
11. Year Selection Page
12. Exam Selection Page
13. Question Display Page
14. Required Software Opens
Performance Analysis
• Performance of the Linux router: test setup
The test setup in our computer lab uses 100Base-T Ethernet; the NICs and switching hubs are 100Base-T.
All platforms run Linux 2.2 kernels, and the Linux router is the default gateway for all of them.
Apache JMeter (written in Java) was used to generate as many simulated node requests as required.
Node Discovery Time (response time in milliseconds)

  Number of nodes | Static routing | Dynamic routing
  100             | 0.234          | 0.259
  200             | 0.467          | 0.49
  300             | 0.662          | 0.671
  400             | 0.733          | 0.755
  500             | 0.9            | 0.985

[Chart: node discovery time against number of nodes, static versus dynamic routing]
Broken Link Discovery Time (packet delivery time in milliseconds)

  Broken link(s)   | Dynamic routing | Static routing (without alternate path) | Static routing (with alternate path)
  Link 1           | 0.633           | 0                                       | 0.855
  Links 1 and 2    | 0.945           | 0                                       | 1.33
  Links 1, 2 and 3 | 1.233           | 0                                       | 2.56

A value of 0 for static routing without an alternate path means the packet was not delivered at all.

[Chart: broken link discovery time for the three routing configurations]
Bandwidth Management Test
Test setup: a 10 Mbps LAN link feeding a 50 kbps managed link.

[Chart: bandwidth management test result]
Future Enhancements
• An improved hardware configuration can be used to deploy the thin clients in production
• Additional firewall rules can be added for finer packet filtering
• Tunnelling can be extended to all nodes; for genuinely secured transmission the GRE tunnels should carry IPsec, since GRE itself neither encrypts nor authenticates
• Bandwidth can be managed more finely using the traffic control (tc) facilities of the iproute2 package