
IT Architecture and Security



Presentation transcript: "IT Architecture and Security"

1 IT Architecture and Security
Lesson 1, Version 1.02

2 Contents: Instructor. The course. Students.
Walkthrough of the format for lectures, exercises and homework. Walkthrough of the content of the individual lectures. Books and compendium. Start on the material.

3 Instructors: Michael Strand, affiliated with ITU as an external lecturer.
Employed at Deloitte Business Consulting A/S. Has been in the IT industry since 1989: DTU from 1989 to 1992 (research staff); NESA from 1992 to 1995 (developer); HP Denmark from 1995 to 2002 (solution architect); PFA Pension from 2003 to 2004 (department manager, chief architect); HP Denmark from 2004 to 2005 (senior solution architect); Netcompany from January 2006 to April 2008 (manager); Deloitte Business Consulting from May 2008. Today the focus is on advisory work within IT architecture, systems development and integration, and security management. Has worked in recent years on larger SOA system modernisation programmes. Almost always works in mixed environments with different platforms, technologies etc.

4 Who am I? Personally I am very solution-oriented. That means I am flexible about technology (not religious about it) as long as the problem gets solved the right way. I have realised that I do not know everything about everything, so I gladly ally myself with those who know what I do not. That is also what I focus on when you solve assignments: the result, and the methods you use to reach the result, are more important than spelling mistakes, layout, correct source references etc.

5 The course: This is the 7th time the course runs, and the first time (as far as I know) that IT Architecture and Security have been combined in the same course. The course is a JOINT project. You are VERY much part of shaping the course. Your input, all the way through, is crucial to making the best possible course. Roughly speaking, though, the course is about two things: IT Architecture and IT Security.

6 IT Architecture: a VERY broad discipline.
We look broadly at everything from network architecture to application architecture to service-oriented architecture to enterprise architecture. The purpose is that you, as IT managers, get an overview of most of what your employees talk about, whether they are network people, application developers or consultants who come in, use a lot of jargon and write long reports. The course is not deeply technical.

7 IT Security: a VERY narrow discipline.
The purpose here is that you understand what you are up against. What is the threat landscape? How does hacking work? How do you protect yourself? What does the law say? What is a security policy, etc.? After the course you will be able to evaluate relevant security technologies and take part in discussions about security at an overall level.

8 Students: Briefly, who are you? Where do you come from?
What do you basically hope to get out of this course? 15-30 seconds in total per person.

9 Lectures: Walkthrough of selected topics from the syllabus.
Does not assume that you have read in advance. Every Monday from 17:00 to about 19:00 (anything between 1½ and 3 hours). No requirement to attend, though it may be a good idea with the exam in mind. Ask questions as soon as you have any; if I feel there are too many, or that we are going off on a tangent, I will say so. Breaks as needed. The presentation (PowerPoint and PDF) is put on the course website 1 day before the lecture, i.e. on Sunday. The presentation is an outline for me, so you should not necessarily expect to understand the slides without having attended the lecture.

10 Group assignments: Somewhat harder group assignments that relate to the lecture content. You form groups yourselves, preferably 2 or more per group. Every Monday after the lecture, from about 19:00 to 21:00. We are present to help you. No answers are provided for the group assignments.

11 Homework and reading
Voluntary again; a service we offer. Still a good idea to do, in order to understand the most important parts of the syllabus. Some will find the syllabus trivial, others quite the opposite. The syllabus is the syllabus, though, and you are expected to have read it by the exam. There is a relatively large amount of syllabus. I do not expect you to know it by heart, but an overall understanding is very important. You may bring books to the exam.

12 Homework and reading
Since the course is fully booked (60 students), homework must be handed in by Thursday evening after a lecture in order to be corrected for the next lecture. If you send it later than Thursday, it will be collected and corrected for the lecture after that (i.e. 2 weeks later). I will correct whatever comes in!

13 Exam: Written, all aids allowed.
The questions will be about understanding concepts and the big picture rather than many detailed questions on the syllabus. Show us what you can do and what you understand, not what you can learn by heart.

14 Books: There are two books and a compendium. They can all be bought in the bookshop (Bogladen).
I have two books that I use a lot in the course and which are good to keep afterwards as reference books. The compendium is put together specifically for the course. As the course progresses, links to further articles will also appear on the course website; they supplement the formal material. Unfortunately I know nothing about the prices.

15 Lecture plan
L1 Basic networking (lecturer: Michael)
L2 IT infrastructure (lecturer: Michael)
L3 Service-oriented architecture (lecturer: Jack, Netcompany)
L4 Enterprise architecture (lecturer: Michael)
L5 IT architecture work in practice I (lecturer: Michael)
L6 IT architecture work in practice II (lecturer: Michael)
L7 EA in practice: EA talk + mock exam (lecturer: Jess, ATP)
L8 Cryptography and enterprise security models (lecturer: Michael)
L9 Hacking (lecturer: Jørgen, Ezenta)
L10 Network, Internet and application security (lecturer: Michael)
L11 Security awareness, laws, policies and BCP/DRP (lecturer: David, Norske Veritas)
L12 Mobile security and wireless technologies (lecturer: Christian, Microsoft)
L13 Risk assessment and evaluation of IT security solutions (lecturer: Michael)
For details - see

16 And now we really get started…

17 Today we will cover… Networks. The Internet, TCP/IP and OSI: an introduction.
Internet Protocol (IP). IP addresses. Routing protocols (RIP, OSPF, BGP). Transport protocols (TCP, UDP). Domain Name System (DNS).

18 Networks: A network is, by definition, a hierarchical system of boxes and wires organised in immediate geographical proximity to each other. A LAN (Local Area Network) is limited to a building or a small area (example: Ethernet). A WAN (Wide Area Network) can be almost arbitrarily large and spread over large areas of a country or several countries (example: telecommunications networks). The Advanced Research Projects Agency (ARPA) designed the first network, ARPANET, in the 1960s.

19 Internetworks: An internetwork means that we connect several networks via routing technology. Internetworks today are based on modern Internet protocols, and there are at least the following three variations: intranet, extranet and Internet.
Intranet: An intranet is a set of networks, using the Internet Protocol and IP-based tools such as web browsers and file transfer applications, that is under the control of a single administrative entity. That administrative entity closes the intranet to all but specific, authorized users. Most commonly, an intranet is the internal network of an organization. A large intranet will typically have at least one web server to provide users with organizational information.
Extranet: An extranet is a network or internetwork that is limited in scope to a single organization or entity but which also has limited connections to the networks of one or more other usually, but not necessarily, trusted organizations or entities (e.g. a company's customers may be given access to some part of its intranet, creating in this way an extranet, while at the same time the customers may not be considered 'trusted' from a security standpoint). Technically, an extranet may also be categorized as a CAN, MAN, WAN, or other type of network, although, by definition, an extranet cannot consist of a single LAN; it must have at least one connection with an external network.
Internet: The Internet is a specific internetwork. It consists of a worldwide interconnection of governmental, academic, public, and private networks based upon the networking technologies of the Internet Protocol Suite. It is the successor of the Advanced Research Projects Agency Network (ARPANET) developed by DARPA of the U.S. Department of Defense. The Internet is also the communications backbone underlying the World Wide Web (WWW). The 'Internet' is most commonly spelled with a capital 'I' as a proper noun, for historical reasons and to distinguish it from other generic internetworks.

20 Structure of the Internet
Close to hierarchical. At the centre: "Tier-1" ISPs (e.g. UUNet, BBN/Genuity, Colt, AT&T). Tier-1 ISPs interconnect with each other directly, and are also connected at so-called Network Access Points (NAPs).
A Tier 1 Network is an IP network (typically but not necessarily an Internet Service Provider) which connects to the entire Internet solely via Settlement Free Interconnection, commonly known as peering. There are many reasons why networking professionals use the "Tier Hierarchy" to describe networks, but the most important one is better understanding of a particular network's political and economic motivations in relationship to how and with whom it peers.
* AT&T (AS7018)
* Global Crossing (GX) (AS3549)
* Level 3 (AS3356)
* Verizon Business (formerly UUNET) (AS701)
* NTT Communications (formerly Verio) (AS2914)
* Qwest (AS209)
* SAVVIS (AS3561)
* Sprint Nextel
The four Network Access Points (NAPs) were defined under the U.S. National Information Infrastructure (NII) document as transitional data communications facilities at which Network Service Providers (NSPs) would exchange traffic, in replacement of the publicly-financed NSFNet Internet backbone. The National Science Foundation let contracts supporting the four NAPs, one to MFS Datanet for the preexisting MAE in Washington, D.C., and three others to Sprint, Ameritech, and Pacific Bell, for new facilities of various designs and technologies, in Pennsauken, Chicago, and California, respectively. As a transitional strategy, they were effective, giving commercial network operators a bridge from the Internet's beginnings as a government-funded academic experiment, to the modern Internet of many private-sector competitors collaborating to form a network-of-networks, anchored around the Internet Exchange Points we know today.
This was particularly timely, coming hard on the heels of the ANS CO+RE scandal, which had shocked the nascent industry and caused commercial operators to realize that they needed to be able to communicate with each other independent of any third parties. Today, the phrase "Network Access Point" is of historical interest only, since the four transitional NAPs disappeared long ago, replaced by modern IXPs, though in Spanish-speaking Latin America the phrase lives on to a small degree, among those who conflate the NAPs with IXPs.

21 Tier-1 ISP example

22 Structure of the Internet
"Tier-2" ISPs: smaller (typically regional or national) ISPs. They typically connect to one or more Tier-1 ISPs, and sometimes to other Tier-2 ISPs. Examples: TDC, Telia. Tier-2 ISPs also often connect with each other (UNI-C and TDC). A Tier-2 ISP typically pays Tier-1 ISPs for connectivity to the Internet.
A Tier 2 Network is an Internet service provider who engages in the practice of peering with other networks, but who still purchases IP transit to reach some portion of the Internet. Tier 2 providers are the most common providers on the Internet, as it is much easier to purchase transit from a Tier 1 network than it is to peer with them and then attempt to push into becoming a Tier 1 carrier. IP transit is a form by which wholesale Internet bandwidth is sold to Internet service providers (ISPs) and content providers. Pricing is typically offered on a per megabit per second per month basis (Mbit/s/month) and requires the purchaser to commit to a minimum volume of bandwidth. Pricing for the bandwidth can be reduced significantly by purchasing larger volumes or extending the contract term. Modern IP transit agreements typically provide service level guarantees to almost all of the major Internet Exchange Points within a continental geography such as North America. These service level agreements still provide only best-effort delivery, since they do not guarantee service from the Internet Exchange Point to the final destination.

23 Structure of the Internet
"Tier-3" ISPs and local ISPs: typically act as the last hub for access to the Internet. Examples are Cybercity, Tele2 etc. Local and Tier-3 ISPs are typically customers of ISPs higher up.
The term Tier 3 is sometimes also used to describe networks who solely purchase IP transit from other networks (typically Tier 1 or Tier 2 networks) to reach the Internet.

24 Structure of the Internet
[Figure: the complete hierarchy, with local ISPs connected to a Tier-3 ISP, Tier-2 ISPs connected to Tier-1 ISPs, and the Tier-1 ISPs interconnected via a NAP]

25 Protocols: How do different nodes and networks talk to each other?
Protocols exist to create order out of chaos.

26 Example: a flight from Copenhagen to New York
Copenhagen (departure): ticket (purchase), baggage (check-in), gate (boarding), runway (takeoff), aircraft routing info (out). New York (arrival): ticket (complaints), baggage (carousel), gate (disembarking), runway (landing), aircraft routing info (in). In between: the aircraft and international routing. A series of well-defined steps. Each layer offers a service, and offers its own service to the layer above via well-defined interfaces.

27 Why split everything into layers?
Smart when dealing with complex systems: it makes it easy to identify and understand the individual parts of a complex system instead of everything at once. When things are broken down into modules, it is easy to make small changes in a module without affecting the big picture. E.g. we do not care what is inside the boxes as long as the service to the layers above and below is consistent. E.g. changing the gate from A7 to B5 does not significantly change the whole flight, and especially not the flow described on the previous slide, as long as the passenger can still board.

28 Internet protocol stack
Application: supports network applications (FTP, SMTP, HTTP)
Transport: host-to-host data transport (TCP, UDP)
Internet: routing of data from source to destination (IP, routing protocols, ICMP, IGMP, ARP)
Link: data transport (PPP, Ethernet)
Physical: bits "on the wire"
Application layer: DHCP • DNS • FTP • HTTP • IMAP4 • IRC • MIME • POP3 • SIP • SMTP • SNMP • SSH • TELNET • BGP • RPC • RTP • RTCP • TLS/SSL • SDP • SOAP • L2TP • PPTP
Transport layer: TCP • UDP
Internet: IP (IPv4 • IPv6) • ARP • RARP • ICMP • IGMP • RSVP • IPSec
Link: ATM • DTM • Ethernet • FDDI • Frame Relay • GPRS • PPP
Address Resolution Protocol (ARP) is the method for finding a host's hardware address when only its network layer address is known. Due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to Ethernet MAC addresses. The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages, indicating, for instance, that a requested service is not available or that a host or router could not be reached. ICMP differs in purpose from TCP and UDP in that it is usually not used directly by user network applications. One exception is the ping tool, which sends ICMP Echo Request messages (and receives Echo Response messages) to determine whether a host is reachable and how long packets take to get to and from that host. The Internet Group Management Protocol (IGMP) is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships.

29 Protocol layers and data flows
Each layer receives data from the layer above, adds its header information to form a new packet, and passes the data on to the layer below.
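To make the "each layer adds a header" rule concrete, here is an added example (not part of the original presentation): a three-layer stack with simplified, constructed header layouts standing in for TCP/UDP, IP and Ethernet. The mechanism is the real one: the sender prepends headers from the top down, the receiver strips them from the bottom up, and it checks the length before every unpack so a truncated frame is rejected instead of being misread.

```python
"""Header encapsulation down the stack and decapsulation up the stack (slide 29).

Added example, not from the original presentation. The three header layouts are
simplified stand-ins (constructed for this example) for real TCP/UDP, IP and
Ethernet headers; the mechanism is the real one.
"""
import struct
from typing import Dict, Tuple

# (layer name, struct format, field names), listed from the top of the stack down.
LAYERS = [
    ("transport", "!HH",    ("src_port", "dst_port")),     # TCP/UDP-like: 4 bytes
    ("internet",  "!4s4sB", ("src_ip", "dst_ip", "ttl")),  # IP-like: 9 bytes
    ("link",      "!6s6s",  ("src_mac", "dst_mac")),       # Ethernet-like: 12 bytes
]


def encapsulate(payload: bytes, fields: Dict[str, Dict[str, object]]) -> bytes:
    """Walk down the stack: each layer prepends its header to the packet from above."""
    packet = payload
    for name, fmt, names in LAYERS:
        header = struct.pack(fmt, *(fields[name][n] for n in names))
        packet = header + packet
    return packet


def decapsulate(packet: bytes) -> Tuple[Dict[str, Dict[str, object]], bytes]:
    """Walk up the stack: strip headers in reverse order; return parsed fields and payload."""
    parsed: Dict[str, Dict[str, object]] = {}
    for name, fmt, names in reversed(LAYERS):
        size = struct.calcsize(fmt)
        if len(packet) < size:
            # Never unpack past the end of the buffer: a short frame is an error, not data.
            raise ValueError("truncated %s header" % name)
        parsed[name] = dict(zip(names, struct.unpack(fmt, packet[:size])))
        packet = packet[size:]
    return parsed, packet


def sample_round_trip() -> Tuple[bytes, Dict[str, Dict[str, object]], bytes]:
    """A constructed HTTP request pushed down the stack and read back up."""
    fields = {
        "transport": {"src_port": 40000, "dst_port": 80},
        "internet":  {"src_ip": bytes([10, 0, 0, 1]), "dst_ip": bytes([192, 0, 2, 1]), "ttl": 64},
        "link":      {"src_mac": bytes.fromhex("02aabbccdd01"), "dst_mac": bytes.fromhex("02aabbccdd02")},
    }
    payload = b"GET / HTTP/1.0\r\n"
    packet = encapsulate(payload, fields)
    parsed, recovered = decapsulate(packet)
    return packet, parsed, recovered


if __name__ == "__main__":
    pkt, parsed, recovered = sample_round_trip()
    print(len(pkt), "bytes on the wire:", pkt.hex())
    for layer, values in parsed.items():
        print(layer, values)
    print("payload:", recovered)
```

The 16-byte request grows to 41 bytes on the wire (4 + 9 + 12 bytes of headers); each layer only ever looks at its own header and treats everything behind it as opaque payload.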

30 The OSI model: The Open Systems Interconnection (OSI) reference model was developed by the International Organization for Standardization (ISO). 7 layers vs. the 4 layers in TCP/IP. Everyone refers to OSI and you must know it, but in practice, when you write programs or work with networks day to day, it is the TCP/IP model that applies. The problem: TCP/IP was already widespread and mature. The OSI model is unnecessarily complex and has a couple of layers too many.
In the 1980s, the European-dominated International Organization for Standardization (ISO) began to develop its Open Systems Interconnection (OSI) networking suite. OSI has two major components: an abstract model of networking (the Basic Reference Model, or seven-layer model), and a set of concrete protocols. The seven-layer model is sometimes humorously extended to refer to non-technical issues or problems. A common joke is the 10-layer model, with layers 8, 9, and 10 being the "user", "financial", and "political" layers, or the "money", "politics", and "religion" layers. The OSI model has also been jokingly called the "Taco Bell model", since the restaurant chain has been known for its seven-layer burrito.

31 OSI protocol stack: Application provides access for users and information services such as X.500 (directory), X.400 ( ), etc. Presentation provides encryption and data conversion such as ASCII to EBCDIC, etc. Session provides session control, such as start, stop etc. Transport ensures that the whole file or message is delivered. Network, link and physical are the same as in the Internet model.
The Application layer provides a means for the user to access information on the network through an application. This layer is the main interface for the user(s) to interact with the application and therefore the network. Some examples of application layer protocols include Telnet, applications which use File Transfer Protocol (FTP), applications which use Simple Mail Transfer Protocol (SMTP) and applications which use Hypertext Transfer Protocol (HTTP). Applications built to utilize a protocol, such as FTP, should not be confused with the protocols themselves, which often reside at the session layer. The Presentation layer transforms data to provide a standard interface for the Application layer. MIME encoding, data compression, data encryption and similar manipulation of the presentation is done at this layer to present the data as a service or protocol developer sees fit. Examples: converting an EBCDIC-coded text file to an ASCII-coded file, or serializing objects and other data structures into and out of, e.g., XML. The Session layer controls the dialogues (sessions) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for either full-duplex or half-duplex operation and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for "graceful close" of sessions, which is a property of TCP, and also for session checkpointing and recovery, which is not usually used in the Internet protocol suite.

32 TCP/IP and OSI

33 Internet Protocol (IP)
Layer 3 (OSI) protocol that forwards datagrams on the Internet. Uses routing tables prepared by routing protocols such as Open Shortest Path First (OSPF) and Routing Information Protocol (RIP). Connectionless vs. connection-oriented (circuit).
IP is a connectionless protocol, which means that IP does not exchange control information (called a handshake) to establish an end-to-end connection before transmitting data. In contrast, a connection-oriented protocol exchanges control information with the remote computer to verify that it is ready to receive data before sending it. When the handshaking is successful, the computers are said to have established a connection. IP relies on protocols in other layers to establish the connection if connection-oriented services are required. IP also relies on protocols in another layer to provide error detection and error recovery. Because it contains no error detection or recovery code, IP is sometimes called an unreliable protocol. The functions performed at this layer are as follows:
Define the datagram, which is the basic unit of transmission in the Internet.
Define the Internet addressing scheme.
Move data between the Network Access Layer and the Host-to-Host Transport Layer.
Route datagrams to remote hosts.
Fragment and reassemble datagrams.
Each type of network has a maximum transmission unit (MTU), which is the largest packet it can transfer. If the datagram received from one network is longer than the other network's MTU, it is necessary to divide the datagram into smaller fragments for transmission. This division process is called fragmentation. The Internet de facto standard MTU is 576 octets (eight-bit bytes), but ISPs often suggest using 1500 octets (eight-bit bytes).

34 IP datagram: Protocol: TCP, UDP etc. Version: IPv4 or IPv6.
Time To Live (TTL): An 8-bit time to live (TTL) field helps prevent datagrams from persisting (e.g. going in circles) on an internetwork. Historically the TTL field limited a datagram's lifetime in seconds, but it has come to be a hop count field. Each packet switch (or router) that a datagram crosses decrements the TTL field by one. When the TTL field hits zero, the packet is no longer forwarded by a packet switch and is discarded. The biggest problem in IPv4 is the lack of a big enough address field (32 bits), and its capacity was not used very efficiently. IPv6, by contrast, can support at least 10^12 nodes and 10^9 networks. The routing algorithm has no knowledge of how the network has been built, can support all of IPv4's routing algorithms, and also supports a much larger number of hops than IPv4 (limit of 256). IPv6 can handle networks of different speeds, from Extra Low Frequency networks to very high speeds of 500 Gbit/s. IPv6 provides a security layer that places "options" in separate extension headers, while IPv4 does not. The extension headers can be of arbitrary length and there is no limit to the number of options that can be carried. IPv6 has an anycast address that allows nodes to control the path their traffic flows along; IPv4 does not. IPv6 headers are extensible; the option mechanism in IPv4 is not efficient to decode. IPv6 connects to the global Internet using a combination of its global prefixes (see details in IPv6 Addressing), while IPv4 must be manually renumbered to connect to the Internet. IPv6 renumbers automatically. IPv6 in 2025??
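The two slides above describe the IPv4 header fields (version, protocol, TTL), the per-hop TTL decrement, and fragmentation when a datagram exceeds the next network's MTU. The following is an added example, not code from the presentation: a minimal IPv4 header builder and parser using the real RFC 791 layout and Internet checksum, a forward() that does what a router does to the TTL on every hop, and fragment()/reassemble() for the MTU case. Addresses and payloads are constructed test values; ICMP error reporting is mentioned in a comment but not implemented.

```python
"""IPv4 header, TTL decrement and MTU fragmentation (slides 33 and 34).

Added example, not from the original presentation. Header layout and checksum
follow RFC 791 / RFC 1071; addresses and payloads below are constructed values.
"""
import struct
from typing import List, Optional

IPV4_HDR_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total_len, id, flags+frag, ttl, proto, csum, src, dst
IPV4_HDR_LEN = struct.calcsize(IPV4_HDR_FMT)  # 20 bytes (no options)
MORE_FRAGMENTS = 0x2000                        # the "MF" bit in the flags/fragment-offset word


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src: bytes, dst: bytes, payload: bytes, *, ttl: int = 64, proto: int = 6,
                 ident: int = 0, more: bool = False, offset: int = 0) -> bytes:
    """Header + payload. `offset` is in bytes and must be a multiple of 8 (the field counts 8-byte units)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (MORE_FRAGMENTS if more else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR_FMT, 0x45, 0, IPV4_HDR_LEN + len(payload), ident,
                      flags_frag, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill in the checksum field
    return hdr + payload


def parse_header(packet: bytes) -> dict:
    """Decode the fixed header; reject a truncated header, wrong version or bad checksum."""
    if len(packet) < IPV4_HDR_LEN:
        raise ValueError("truncated header")
    hdr = packet[:IPV4_HDR_LEN]
    if checksum(hdr) != 0:      # a valid header sums to zero once its checksum field is included
        raise ValueError("bad header checksum")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR_FMT, hdr)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"version": 4, "total_length": total_len, "id": ident, "ttl": ttl, "protocol": proto,
            "more_fragments": bool(flags_frag & MORE_FRAGMENTS),
            "offset": (flags_frag & 0x1FFF) * 8, "src": src, "dst": dst}


def forward(packet: bytes) -> Optional[bytes]:
    """What every router does per hop: decrement TTL, or discard the datagram when it would reach zero."""
    h = parse_header(packet)
    if h["ttl"] <= 1:
        return None    # discarded; a real router would also send ICMP Time Exceeded to the source
    return build_packet(h["src"], h["dst"], packet[IPV4_HDR_LEN:], ttl=h["ttl"] - 1, proto=h["protocol"],
                        ident=h["id"], more=h["more_fragments"], offset=h["offset"])


def fragment(src: bytes, dst: bytes, payload: bytes, mtu: int, ident: int = 1) -> List[bytes]:
    """Split a datagram so each fragment fits the MTU; data per fragment must be a multiple of 8."""
    per_frag = (mtu - IPV4_HDR_LEN) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any data")
    frags = []
    for off in range(0, len(payload), per_frag):
        chunk = payload[off:off + per_frag]
        last = off + per_frag >= len(payload)
        frags.append(build_packet(src, dst, chunk, ident=ident, more=not last, offset=off))
    return frags


def reassemble(fragments: List[bytes]) -> bytes:
    """Reassemble by offset, refusing gaps and a missing final (MF=0) fragment."""
    pieces = sorted((parse_header(f)["offset"], f[IPV4_HDR_LEN:], parse_header(f)["more_fragments"])
                    for f in fragments)
    data, expected = b"", 0
    for off, chunk, _more in pieces:
        if off != expected:
            raise ValueError("missing fragment at offset %d" % expected)
        data += chunk
        expected += len(chunk)
    if pieces[-1][2]:
        raise ValueError("last fragment missing")
    return data
```

With a 3000-byte payload and the 1500-octet MTU the slide mentions, fragment() yields three datagrams carrying 1480, 1480 and 40 bytes at offsets 0, 1480 and 2960; with the 576-octet MTU it takes six. The reassembly check that every offset is contiguous is the kind of validation a receiving stack must do before trusting the rebuilt datagram.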

35 IP addresses: An IP address consists of 32 bits, normally written as 4 octets, either in decimal or in hexadecimal. The address consists of a network part and a host part, which are computed from the subnet mask. By performing a bitwise logical AND (and NOT) operation on the IP address and the mask, the network and the host are found respectively.
An identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, could be an IP address. Within an isolated network, you can assign IP addresses at random as long as each one is unique. However, connecting a private network to the Internet requires using registered IP addresses (called Internet addresses) to avoid duplicates.
# Class A - supports 16 million hosts on each of 126 networks
# Class B - supports 65,000 hosts on each of 16,000 networks
# Class C - supports 254 hosts on each of 2 million networks
The number of unassigned Internet addresses is running out, so a new classless scheme called CIDR is gradually replacing the system based on classes A, B, and C and is tied to adoption of IPv6. CIDR is principally a bitwise, prefix-based standard for the interpretation of IP addresses. It facilitates routing by allowing blocks of addresses to be grouped together into single routing table entries. These groups, commonly called CIDR blocks, share an initial sequence of bits in the binary representation of their IP addresses. IPv4 CIDR blocks are identified using a syntax similar to that of IPv4 addresses: a four-part dotted-decimal address, followed by a slash, then a number from 0 to 32: A.B.C.D/N

36 IP addresses: IP addresses are divided into classes: A, B and C. The class is determined by the first 3 bits (from the left).
# Class A - supports 16 million hosts on each of 126 networks
# Class B - supports 65,000 hosts on each of 16,000 networks
# Class C - supports 254 hosts on each of 2 million networks

37 IP addresses: Until 1998 IP addresses were handed out by ONE organisation in the world, InterNIC (http://www.internic.net). Today ICANN is responsible, and IP addresses are allocated through IANA. IANA is controlled by ICANN.
InterNIC, or Internet Network Information Center, was the Internet governing body primarily responsible for domain name and IP address allocations until September 18, 1998, when this role was assumed by the ICANN body. ICANN (pronounced "I can") is the Internet Corporation for Assigned Names and Numbers. The tasks of ICANN include managing the assignment of domain names and IP addresses. To date, much of its work has concerned the introduction of new generic top-level domains. The technical work of ICANN is referred to as the IANA function; the rest of ICANN is mostly concerned with defining policy. The Internet Assigned Numbers Authority (IANA) is the entity that oversees global IP address allocation, DNS root zone management, and other Internet protocol assignments. It is operated by ICANN. Both IPv4 and IPv6 addresses are assigned in a delegated manner. Users are assigned IP addresses by Internet service providers (ISPs). ISPs obtain allocations of IP addresses from a local Internet registry (LIR) or national Internet registry (NIR), or from their appropriate Regional Internet Registry (RIR):
AfriNIC (African Network Information Centre) - Africa region
APNIC (Asia Pacific Network Information Centre) - Asia/Pacific region
ARIN (American Registry for Internet Numbers) - North America region
LACNIC (Regional Latin-American and Caribbean IP Address Registry) - Latin America and some Caribbean islands
RIPE NCC (Réseaux IP Européens) - Europe, the Middle East, and Central Asia

38 Private IP addresses: Any organisation may use private IP addresses. Private IP addresses can NOT be used on the Internet.
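Slides 35, 36 and 38 describe the address arithmetic in words; the following added example (not from the presentation) carries it out bit by bit: AND with the mask gives the network part, AND with NOT mask gives the host part, a CIDR block is just an address plus a prefix length, the class follows from the leading bits, and the three RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, which the slide does not list) are the addresses that must not appear as sources or destinations on the public Internet. Every address in the tests is a constructed example. The code deliberately avoids Python's ipaddress module so the bit operations are visible.

```python
"""IPv4 address arithmetic: mask, CIDR, class and private ranges (slides 35, 36, 38).

Added example, not from the original presentation. Addresses are parsed into a
32-bit integer so that the AND / NOT operations the slide names can be applied
directly; classful boundaries and the RFC 1918 private blocks are the standard ones.
"""
from typing import Tuple

PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")   # RFC 1918


def to_int(dotted: str) -> int:
    """'A.B.C.D' -> 32-bit integer; rejects anything that is not exactly four octets 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % dotted)
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> str:
    """/N -> mask with N leading one bits, e.g. /20 -> 255.255.240.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def prefix_from_mask(mask: str) -> int:
    """Mask -> /N; refuses non-contiguous masks such as 255.0.255.0."""
    m = to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return prefix


def split(ip: str, mask: str) -> Tuple[str, str]:
    """(network part, host part): ip AND mask, and ip AND NOT mask."""
    a, m = to_int(ip), to_int(mask)
    return to_dotted(a & m), to_dotted(a & ~m & 0xFFFFFFFF)


def parse_cidr(block: str) -> Tuple[str, int]:
    """'A.B.C.D/N' -> (network address with host bits cleared, N)."""
    addr, _, plen = block.partition("/")
    prefix = int(plen)
    network, _host = split(addr, mask_from_prefix(prefix))
    return network, prefix


def in_block(ip: str, block: str) -> bool:
    network, prefix = parse_cidr(block)
    return split(ip, mask_from_prefix(prefix))[0] == network


def address_class(ip: str) -> str:
    """Classful lookup from the leading bits: 0xxx=A, 10xx=B, 110x=C, 1110=D, 1111=E."""
    top = to_int(ip) >> 28
    if top < 0b1000:
        return "A"
    if top < 0b1100:
        return "B"
    if top < 0b1110:
        return "C"
    if top < 0b1111:
        return "D"
    return "E"


def is_private(ip: str) -> bool:
    """True for RFC 1918 addresses, which must not be routed on the public Internet."""
    return any(in_block(ip, b) for b in PRIVATE_BLOCKS)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts can reach each other without a router when their network parts agree."""
    return split(a, mask)[0] == split(b, mask)[0]
```

A border router or firewall can use is_private() as a simple ingress/egress sanity check: a packet arriving from the Internet with a private source or destination address has no legitimate reason to be there.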

39 Forwarding IP datagrams: C:\TRACERT SUN.COM
Routers deliver IP datagrams to the destination network. Routers maintain routing tables of "hops". The "hops" are NOT found in the datagrams.
In the simplest model, hop-by-hop routing, each routing table lists, for all reachable destinations, the address of the next device along the path to that destination: the next hop. Assuming that the routing tables are consistent, the simple algorithm of relaying packets to their destination's next hop thus suffices to deliver data anywhere in a network. In practice, hop-by-hop routing is being increasingly abandoned in favor of layered architectures such as MPLS, where a single routing table entry can effectively select the next several hops, resulting in reduced table lookups and improved performance. The need to record routes to large numbers of devices using limited storage space represents a major challenge in routing table construction. Perhaps the fundamental assumption of routing is that similar addresses are located near each other in the network, allowing groups of destination addresses to be matched by single routing table entries. The exact nature of how this grouping is done has changed over time and still represents an active area of networking research. In the Internet, the currently dominant address grouping technology is a bitwise prefix matching scheme called Classless Inter-Domain Routing.
A subnet mask is used to determine what subnet an IP address belongs to. An IP address has two components, the network address and the host address. For example, consider the IP address Assuming this is part of a Class B network, the first two numbers ( ) represent the Class B network address, and the second two numbers ( ) identify a particular host on this network. Subnetting enables the network administrator to further divide the host part of the address into two or more subnets. In this case, a part of the host address is reserved to identify the particular subnet.
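The slide says that the next hop lives in the router's table, not in the datagram, and that tables are kept small by matching prefixes. This added example (not from the presentation) models exactly that: each router holds CIDR prefixes with a next hop, lookup() picks the longest matching prefix, and trace() relays a destination address from router to router the way tracert observes it, stopping when the destination network is directly connected, when no route exists, or when the TTL runs out because two routers point at each other. Router names and prefixes are a constructed topology.

```python
"""Hop-by-hop forwarding with longest-prefix match (slide 39).

Added example, not from the original presentation. Uses Python's ipaddress
module for prefix containment; routers, prefixes and next hops are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next-hop router name); next hop None means "directly connected, deliver".
Route = Tuple[ipaddress.IPv4Network, Optional[str]]
Table = List[Route]


def make_table(entries: List[Tuple[str, Optional[str]]]) -> Table:
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in entries]


def lookup(table: Table, dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching entry wins, e.g. /16 beats /8 beats /0."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(tables: Dict[str, Table], start: str, dst: str, ttl: int = 64) -> Tuple[List[str], str]:
    """Relay `dst` from router to router, returning the path taken and why it stopped."""
    path, router = [start], start
    while ttl > 0:
        route = lookup(tables[router], dst)
        if route is None:
            return path, "no route"          # a real router answers ICMP Destination Unreachable
        if route[1] is None:
            return path, "delivered"         # destination network is attached to this router
        router = route[1]
        path.append(router)
        ttl -= 1                             # the TTL is the only thing stopping a forwarding loop
    return path, "ttl exceeded"


def sample_tables() -> Dict[str, Table]:
    """Constructed topology. R4 and R5 are deliberately misconfigured to point at each other."""
    return {
        "R1":  make_table([("10.0.0.0/8", "R2"), ("10.1.0.0/16", "R3"),
                           ("192.0.2.0/24", "R4"), ("0.0.0.0/0", "R2")]),
        "R2":  make_table([("10.0.0.0/8", None), ("0.0.0.0/0", "ISP")]),
        "R3":  make_table([("10.1.0.0/16", None)]),
        "R4":  make_table([("192.0.2.0/24", "R5")]),
        "R5":  make_table([("192.0.2.0/24", "R4")]),
        "ISP": make_table([("0.0.0.0/0", None)]),
    }


if __name__ == "__main__":
    tables = sample_tables()
    for dst in ("10.1.2.3", "10.9.0.1", "198.51.100.1", "192.0.2.7"):
        print(dst, "->", trace(tables, "R1", dst, ttl=8))
```

Note that the loop between R4 and R5 is invisible to the datagram itself: only the decrementing TTL ends it, which is why a traceroute into a looping path shows the same pair of routers repeating until the probe expires.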

40 Routing protocols: An autonomous system is an internetwork connected by routers under the administrative control of one entity. Interior Router Protocols (IRP) (within an autonomous system): Routing Information Protocol (RIP), Open Shortest Path First (OSPF). Exterior Router Protocols (ERP, EGP) (between autonomous systems): Border Gateway Protocol (BGP), Exterior Gateway Protocol (EGP), Inter-Domain Routing Protocol (IDRP).
In the Internet, an autonomous system (AS) is a collection of IP networks and routers under the control of one entity (or sometimes more) that presents a common routing policy to the Internet. See RFC 1930 for additional detail on this updated definition. Networks within an autonomous system communicate routing information to each other using an Interior Gateway Protocol (IGP). An autonomous system shares routing information with other autonomous systems using the Border Gateway Protocol (BGP). Previously, the Exterior Gateway Protocol (EGP) was used. In the future, BGP is expected to be replaced with the OSI Inter-Domain Routing Protocol (IDRP). IRP/IGP: the set of routing protocols that are used within an autonomous system are referred to as interior gateway protocols (IGP). In contrast, an exterior gateway protocol is for determining network reachability between autonomous systems (AS) and makes use of IGPs to resolve routes within an AS. BGP (Border Gateway Protocol) is a protocol for exchanging routing information between gateway hosts (each with its own router) in a network of autonomous systems. BGP is often the protocol used between gateway hosts on the Internet. The routing table contains a list of known routers, the addresses they can reach, and a cost metric associated with the path to each router so that the best available route is chosen. Exterior Gateway Protocol (EGP) is a protocol for exchanging routing information between two neighbor gateway hosts (each with its own router) in a network of autonomous systems.
EGP is commonly used between hosts on the Internet to exchange routing table information.

41 RIP: With RIP the router determines how many "hops" there are to every destination. This is used to determine the best route. RIP sends the "hop" information from its routing table to its neighbours every 30 seconds. RIP compares its own routing table with the received information and updates it if necessary.
RIP is a distance-vector routing protocol, which employs the hop count as a routing metric. The maximum number of hops allowed with RIP is 15, and the hold-down time is 180 seconds. Each RIP router transmits full updates every 30 seconds by default, generating large amounts of network traffic in lower-bandwidth networks. It runs at the network layer of the Internet protocol suite. A mechanism called split horizon with limited poison reverse is used to avoid routing loops. Routers of some brands also use a hold-down mechanism known as heuristics, whose usefulness is arguable and is not a part of the standard protocol. RIPv1: RIPv1, defined in RFC 1058, uses classful routing. The routing updates do not carry subnet information, lacking support for variable length subnet masks (VLSM). This limitation makes it impossible to have different-sized subnets inside the same network class. In other words, all subnets in a network class must be the same size. There is also no support for router authentication, making RIPv1 slightly vulnerable to various attacks. RIPv2: Due to the above deficiencies of RIPv1, RIPv2 was developed in 1994 and included the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). However, to maintain backwards compatibility, the 15 hop count limit remained. Rudimentary plain text authentication was added to secure routing updates; later, MD5 authentication was defined in RFC 2082. RIPv2 is specified in RFC 2453 (STD 56).

42 OSPF
Fixes the problems that exist with RIP and similar protocols.
Instead of merely counting "hops", additional network information is used to find the best route. Enables load balancing. Enables security. Larger networks are broken down into a backbone network and areas. Each area has one or more subnets, and for each subnet there is a designated router.

OSPF (Open Shortest Path First) is a router protocol used within larger autonomous system networks in preference to the Routing Information Protocol (RIP), an older routing protocol that is installed in many of today's corporate networks. Like RIP, OSPF is designated by the Internet Engineering Task Force (IETF) as one of several Interior Gateway Protocols (IGPs). Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately multicasts the information to all other hosts in the network so that all will have the same routing table information. Unlike RIP, in which the entire routing table is sent, the host using OSPF sends only the part that has changed. With RIP, the routing table is sent to a neighbour host every 30 seconds. OSPF multicasts the updated information only when a change has taken place.

Rather than simply counting the number of hops, OSPF bases its path descriptions on "link states" that take into account additional network information. OSPF also lets the user assign cost metrics to a given host router so that some paths are given preference. OSPF supports a variable network subnet mask so that a network can be subdivided. RIP is supported within OSPF for router-to-end-station communication. Since many networks using RIP are already in use, router manufacturers tend to include RIP support within a router designed primarily for OSPF.

43 TCP
Point-to-point communication: there are two endpoints.
Connection oriented. Full-duplex communication. Reliable transport: data is delivered in order, and lost data packets are sent again.

Applications send streams of octets (8-bit bytes) to TCP for delivery through the network, and TCP divides the byte stream into appropriately sized segments (usually delineated by the maximum transmission unit (MTU) size of the data link layer of the network to which the computer is attached). TCP then passes the resulting packets to the Internet Protocol, for delivery through a network to the TCP module of the entity at the other end. TCP checks to make sure that no packets are lost by giving each packet a sequence number, which is also used to make sure that the data are delivered to the entity at the other end in the correct order. The TCP module at the far end sends back an acknowledgement for packets which have been successfully received; a timer at the sending TCP will cause a timeout if an acknowledgement is not received within a reasonable round-trip time (RTT), and the (presumably lost) data will then be re-transmitted. TCP checks that no bytes are damaged by using a checksum; one is computed at the sender for each block of data before it is sent, and checked at the receiver.

To establish a connection, TCP uses a 3-way handshake. Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:
1. The active open is performed by sending a SYN to the server.
2. In response, the server replies with a SYN-ACK.
3. Finally the client sends an ACK (usually called SYN-ACK-ACK) back to the server.

Connection termination: The connection termination phase uses, at most, a four-way handshake, with each side of the connection terminating independently. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the other end acknowledges with an ACK. Therefore, a typical teardown requires a pair of FIN and ACK segments from each TCP endpoint.

44 TCP header
The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgement and window update from the receiving host. When a receiver advertises a window size of 0, the sender stops sending data and starts the persist timer. The persist timer is used to protect TCP from the deadlock situation. For more efficient use of high-bandwidth networks, a larger TCP window size may be used. The TCP window size field controls the flow of data and is limited to between 2 and 65,535 bytes.
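To make the sequence-number, in-order-delivery and receive-window behaviour of slides 43 and 44 concrete, here is an added example (not from the slides) of a simplified TCP receive side in Python: it buffers out-of-order segments, returns the cumulative ACK number and the advertised window, and advertises a window of 0 once the application has stopped reading. Byte counts and segment boundaries are constructed; checksums, options and the handshake are left out.

```python
# Added example, not from the slides: a simplified TCP receive side.
# Segment sizes and sequence numbers used with it are constructed.

class TcpReceiver:
    def __init__(self, initial_seq, window):
        self.next_expected = initial_seq   # cumulative ACK: next byte wanted
        self.window = window               # total receive buffer in bytes
        self.out_of_order = {}             # seq -> payload waiting for a gap
        self.delivered = bytearray()       # in-order bytes not yet read by app

    def ack(self):
        """(ack number, advertised window). The window shrinks by every
        byte still sitting in the buffer; at 0 the sender must stop and
        start its persist timer until the application reads data."""
        buffered = len(self.delivered) + sum(len(p) for p in self.out_of_order.values())
        return self.next_expected, max(self.window - buffered, 0)

    def receive(self, seq, payload):
        """Handle one segment and return the ACK the receiver would send."""
        _, available = self.ack()
        end = seq + len(payload)
        # Old retransmission (nothing new) or beyond the advertised window:
        # discard it and just repeat the current ACK.
        if end <= self.next_expected or end > self.next_expected + available:
            return self.ack()
        if seq > self.next_expected:
            self.out_of_order[seq] = payload          # gap before it: hold
        else:
            # Keep only the bytes we have not seen (partial overlap is fine).
            self.delivered += payload[self.next_expected - seq:]
            self.next_expected = end
            # A filled gap may release buffered segments, in sequence order.
            while self.next_expected in self.out_of_order:
                chunk = self.out_of_order.pop(self.next_expected)
                self.delivered += chunk
                self.next_expected += len(chunk)
        return self.ack()

    def read(self, n):
        """Application reads up to n in-order bytes, freeing window space."""
        data = bytes(self.delivered[:n])
        del self.delivered[:n]
        return data
```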

45 UDP and the UDP header
Connection-less end-to-end service.
Unreliable transport: no flow control, no error handling, no retransmission of lost packets. Typically used for audio/video. Error reporting is optional.

The User Datagram Protocol (UDP) is one of the core protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short messages, sometimes known as datagrams (using datagram sockets), to one another. UDP does not provide the reliability and ordering guarantees that TCP does. Datagrams may arrive out of order or go missing without notice. Without the overhead of checking whether every packet actually arrived, UDP is faster and more efficient for many lightweight or time-sensitive purposes. Also, its stateless nature is useful for servers that answer small queries from huge numbers of clients. Compared to TCP, UDP is required for broadcast (send to all on the local network) and multicast (send to all subscribers). Common network applications that use UDP include the Domain Name System (DNS), streaming media applications such as IPTV, Voice over IP (VoIP), Trivial File Transfer Protocol (TFTP) and online games.

46 Domain Name Server (DNS)
DNS is the system that translates a name we can relate to into an IP address. For example, a name such as is translated by DNS into the IP address: [ ]. If the address is registered in a "reverse lookup zone", the IP address can be translated back into the DNS name; this is called a "reverse DNS lookup" or simply r-DNS. DNS is thus a classic telephone directory. DNS consists of two parts, a server and a resolver. The server holds the information about which DNS names correspond to which IP addresses. The resolver is the software on the client that asks the server for the information.

47 The DNS process
(Diagram: the root, the dk domain and the itu domain underneath it.)

A DNS client sends a recursive query to the local DNS server. Before forwarding the request to a root server, the DNS server checks its local cache to determine whether the name has recently been resolved. If there is an entry in the local cache, the IP address is returned to the client. If no entry exists in the cache for the hostname, an iterative query is sent by the DNS server to a root name server. The root name server refers the DNS server to a name server responsible for the first-level domain within the hostname. For example, the root name server would refer the request to the bayside.net DNS server. The original DNS server is referred to second-level DNS servers, and then third-level DNS servers, until one of them can resolve the hostname to an IP address and return the results back to the client.

Important categories of data stored in the DNS include the following:
An A record or address record maps a hostname to a 32-bit IPv4 address.
An AAAA record or IPv6 address record maps a hostname to a 128-bit IPv6 address.
A CNAME record or canonical name record is an alias of one name to another. The A record that the alias is pointing to can be either local or remote, on a foreign name server. Useful when running multiple services from a single IP address, where each service has its own entry in DNS.
An MX record or mail exchange record maps a domain name to a list of mail exchange servers for that domain.
A PTR record or pointer record maps an IPv4 address to the canonical name for that host. Setting up a PTR record for a hostname in the in-addr.arpa domain that corresponds to an IP address implements reverse DNS lookup for that address. For example (at the time of writing), has the IP address , but a PTR record maps in-addr.arpa to its canonical name, referrals.icann.org.
An NS record or name server record maps a domain name to a list of DNS servers authoritative for that domain. Delegations depend on NS records.
An SOA record or start of authority record specifies the DNS server providing authoritative information about an Internet domain, the e-mail address of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
An SRV record is a generalized service location record.

48 DNS names
(Diagram: a name tree with the root "." at the top, "com" below it, "contoso" below that and "sales" below contoso. The hosts corp05 (under contoso) and corp01 (under sales) give the FQDNs corp05.contoso.com. and corp01.sales.contoso.com.; the leftmost label is the host name and the remainder is the DNS suffix.)

DNS zone transfer, also sometimes known by its (commonest) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavours, full (opcode AXFR) and incremental (IXFR). Nearly universal at one time, it is now falling by the wayside somewhat, in favour of the use of other database replication mechanisms that modern DNS server packages provide.

Master/slave: In the traditional master/slave DNS relationship, (one or more) DNS slave servers load zone data from the master server on startup and at intervals specified in the start of authority (SOA) record for each zone. This method of redundancy has one huge advantage: when a zone file is changed, the changes are automatically propagated to the slave servers. This process normally happens as soon as the changes are made if the NOTIFY DNS feature is supported.

Multiple master: If you're more concerned with having DNS available at all times rather than having the convenience provided by a master/slave configuration, you can use a multiple master configuration. This concept is simple: all DNS servers are master servers for each zone. The most difficult part of having multiple master DNS servers comes when a change is made to a zone file or the DNS configuration.

49 Top Level Domains (TLD)
.com Commercial organisations, e.g. microsoft.com
.edu Educational organisations, e.g. Stanford.edu
.gov Departments of the US government, e.g. fsa.gov
.int International organisations, e.g. nato.int
.mil The US military, e.g. af.mil for the US Air Force
.net Network-related organisations, e.g. internic.net
.org A top-level domain for organisations that do not fit in elsewhere

In addition there is a long list of other two-letter TLDs named according to ISO's rules for country names. England is an exception, however, because of the use of .uk instead of ISO's GB. On 16 November 2000 ICANN adopted the introduction of 7 new TLDs: .aero, .biz, .coop, .info, .museum, .name and .pro.

50 DNS architecture
DNS servers solve two tasks: translating between domain names and IP addresses for a limited number of domains, or contacting other servers to get an arbitrary domain name translated. A DNS server responsible for translation is called an authoritative server. To guard against failures, each DNS server (the primary server) has a secondary server that can take over. The secondary server is not updated directly; instead it contacts the primary server regularly to find out whether there have been changes. To limit DNS traffic, DNS servers use a DNS cache, where the answers the server has received from other DNS servers are stored. If the example above were repeated, the server would therefore not start over by asking all the servers again, but would simply look at the previous answer.
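The resolution walk of slide 47 and the cache of slide 50, as an added example (not from the slides): a toy local resolver in Python that takes a recursive query, serves it from cache when it can, and otherwise sends iterative queries from the root down the referral chain, counting the upstream queries so the cache effect is visible. Server names, zone contents and addresses (RFC 5737 documentation range) are constructed.

```python
# Added example, not from the slides: a toy caching resolver walking
# root -> TLD -> authoritative server. All zone data is constructed;
# addresses are from the RFC 5737 documentation range.

# Each "server" knows either a referral (the next server to ask) or an
# answer (an A record) for the names it is responsible for. Real referrals
# carry NS records plus glue addresses; here a referral is just a server key.
SERVERS = {
    "root":      {"dk.": ("referral", "dk-tld")},
    "dk-tld":    {"itu.dk.": ("referral", "ns.itu.dk")},
    "ns.itu.dk": {"www.itu.dk.": ("A", "192.0.2.10"),
                  "mail.itu.dk.": ("A", "192.0.2.25")},
}

def iterative_query(server, qname):
    """One iterative query: the server replies with what it knows about
    the closest enclosing name (www.itu.dk., then itu.dk., then dk.)."""
    zone = SERVERS[server]
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return zone[candidate]
    return None            # knows nothing about this name

class LocalResolver:
    """The local DNS server the client sends its recursive query to."""
    def __init__(self):
        self.cache = {}
        self.upstream_queries = 0   # iterative queries sent; shows cache effect

    def resolve(self, qname):
        if qname in self.cache:        # slide 50: answer from the cache
            return self.cache[qname]
        server = "root"
        for _ in range(8):             # bound the referral chain
            self.upstream_queries += 1
            reply = iterative_query(server, qname)
            if reply is None:
                return None            # nobody authoritative for the name
            kind, value = reply
            if kind == "A":
                self.cache[qname] = value   # real resolvers also cache referrals
                return value
            server = value             # follow the referral one level down
        return None

if __name__ == "__main__":
    r = LocalResolver()
    print(r.resolve("www.itu.dk."), r.upstream_queries)   # 192.0.2.10 3
    print(r.resolve("www.itu.dk."), r.upstream_queries)   # 192.0.2.10 3 (cache hit)
```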

51 Exercises

