Concepts

With the growth of the Internet and of the number of users and businesses attached to it, keeping sensitive information private has become increasingly important, and the threat of malicious attacks on the IT environment grows almost daily. Firewalls were introduced to let users reach information over the Internet while at the same time denying improper use of sensitive information and blocking attacks. In general, a firewall is a method for filtering the flow of data communication between one network and another. The filtering is done according to criteria such as the addresses, protocols and ports described in the following sections.


Networking Basics

This section provides a brief introduction to some of the IP networking basics. Each topic is explained to the level needed to understand the firewall concepts.

Nodes, Addresses and Ports

Each system, printer, router or other device (node) connected to a local network or to the global Internet is identified by its IP address. This address must be unique within the network the node is connected to: nodes participating in the global Internet must have globally unique addresses, whereas two nodes communicating on a private, isolated network only need addresses that are unique within that network.

IPv4 addresses are numerical four-byte quantities, usually written in so-called dotted decimal notation, for example 192.0.2.10.

Most network nodes, especially general-purpose computer systems, run a wide variety of programs, some of them reachable over the network. To distinguish between these programs, each of them listens for network requests on a different port. Port numbers are 16-bit values, so there are 65536 of them (0 through 65535) for each of TCP and UDP at every node. The first 1024 ports (0 through 1023) are special and reserved for well-known services, which is why a firewall rule that names a service normally names its well-known destination port.

IP, TCP, UDP

IP (Internet Protocol), TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) belong to different layers of the network protocol stack, and each has its own tasks to perform. In the original four-layer TCP/IP Internet model, IP is the Internet layer and TCP and UDP sit above it in the Transport layer, between the applications and the link hardware:

    Application layer    application protocols (telnet, DCE RPC, ...)
    Transport layer      TCP, UDP
    Internet layer       IP
    Link layer           access to the physical network

Identifying Source and Destination

Both TCP and UDP use the following quadruple to identify the sending and receiving application:

<source IP address, source port, destination IP address, destination port>

TCP also uses this quadruple to identify the two applications that established a virtual connection. The destination IP address and destination port are chosen by the sending application: they name the target node and the port on which the target application listens. The source IP address is filled in automatically with the address of the sending node. The only part of the quadruple not fixed in advance is the source port: the TCP/IP stack normally picks an ephemeral port for each new connection from its unprivileged range, traditionally 1024 through 65535 (modern stacks use a narrower, operating-system-dependent sub-range, such as the IANA-recommended 49152 through 65535). A firewall therefore cannot predict a client's source port and has to filter on the destination port and on connection state instead.
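The following is an added example, not part of the original page: a small Python model of a firewall that filters on the quadruple. It contrasts a stateless rule set, which has to trust the source port to let telnet replies back in, with a stateful filter that records the quadruple of each permitted outbound packet and admits an inbound packet only when its reversed quadruple is in that table. The network, hosts, port numbers and packets are constructed for the example (RFC 5737 documentation addresses); nothing here is OVPA or OVPM code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: a firewall between an internal network and the
# Internet. Policy: internal hosts may open connections to port 23 (telnet)
# on any outside host; from outside, only the reply half of a connection an
# internal host initiated is let in.
INTERNAL_NET = ip_network("192.0.2.0/24")
ALLOWED_OUTBOUND_PORTS = {23}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def quad(p):
    """The quadruple TCP and UDP use to identify the two applications."""
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def reverse_quad(p):
    """The quadruple a reply to p carries: source and destination swapped."""
    return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)


def is_outbound(p):
    return ip_address(p.src_ip) in INTERNAL_NET


def stateless_decide(p):
    """Naive rule set that looks at the current packet only. To let replies
    back in it has to trust the source port, so any outside host gets a
    packet through simply by sending it from port 23."""
    if is_outbound(p):
        return "ACCEPT" if p.dst_port in ALLOWED_OUTBOUND_PORTS else "DROP"
    return "ACCEPT" if p.src_port in ALLOWED_OUTBOUND_PORTS else "DROP"


class StatefulFilter:
    """Remembers the quadruple of every permitted outbound packet and admits
    an inbound packet only if its reversed quadruple is in that table."""

    def __init__(self):
        self.state = set()

    def decide(self, p):
        if is_outbound(p):
            if p.dst_port in ALLOWED_OUTBOUND_PORTS:
                self.state.add(quad(p))
                return "ACCEPT"
            return "DROP"
        return "ACCEPT" if reverse_quad(p) in self.state else "DROP"


# Constructed traffic, in order:
#  1. internal host opens telnet to an outside host (ephemeral source port)
#  2. the outside host's reply to that connection
#  3. the same outside host sends from port 23 to a port nobody asked from
#  4. an outsider tries to telnet into the internal host
#  5. internal host tries an outbound connection the policy does not allow
PACKETS = [
    Packet("192.0.2.10", 40321, "198.51.100.5", 23),
    Packet("198.51.100.5", 23, "192.0.2.10", 40321),
    Packet("198.51.100.5", 23, "192.0.2.10", 40322),
    Packet("203.0.113.9", 51000, "192.0.2.10", 23),
    Packet("192.0.2.10", 40500, "198.51.100.5", 80),
]


def run_stateless(packets=PACKETS):
    return [stateless_decide(p) for p in packets]


def run_stateful(packets=PACKETS):
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for p, a, b in zip(PACKETS, run_stateless(), run_stateful()):
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}  "
              f"stateless={a:6} stateful={b}")
```

Packet 3 is the one that matters: it carries the well-known source port 23 but answers no connection the internal host opened. The stateless rules accept it, the stateful filter drops it, because the decision is taken on the whole recorded quadruple rather than on a port number the remote side chooses.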

Telnet session example

Interprocess Communication Using DCE

Remote procedure calls (RPCs) are at the heart of client-server applications built with DCE. The interaction between client and server is defined in terms of procedure calls. In order for the client to call a remote procedure offered by a server, the client needs a binding handle. The binding handle associates a client with a server so that the RPC mechanism knows where and how to make the remote procedure calls. It contains the network address of the server, the protocol (TCP, UDP, etc.) and the endpoint (for UDP and TCP, this is a port number).

DCE provides a service called endpoint mapping which allows the client to determine the endpoint for a given server. To use endpoint mapping, the server must register with the local endpoint map; the registration includes the interface, the protocol and the endpoint. On UNIX, either the rpcd or dced process manages the endpoint map. On Windows NT/2000, the rpcss process manages the endpoint map. The endpoint map itself listens on a fixed, well-known port (135 for both TCP and UDP), so a client first contacts the map and is then directed to the server's dynamically assigned endpoint; a firewall between client and server must therefore pass both the map's port and the endpoint the server actually registered.

OV Performance Agent (OVPA) and OV Performance Manager (OVPM) utilize both TCP sockets and DCE RPCs for interprocess communication.

OVPA Interprocess Communication

OVPM Interprocess Communication

Protocols

Protocols specify how data is transmitted between computers and how the computers should respond to various conditions that might arise. DCE defines a set of protocol sequences that specify the type of RPC protocol and the underlying networking protocols to use. The most common DCE protocol sequences are ncadg_ip_udp and ncacn_ip_tcp.

The RPC datagram protocol (abbreviated dg) is used over network datagram protocols such as UDP, which is connectionless. Its advantages are independent packets and low overhead; its disadvantages are unreliable delivery and limited packet length.

The RPC connection-oriented protocol (abbreviated cn) is used over connection-oriented network protocols such as TCP. Its advantages are a dedicated connection between sender and receiver and reliable delivery; the disadvantage is the overhead of setting up and maintaining the connection. For a firewall the distinction matters: a TCP connection has an explicit setup that a stateful filter can track, whereas UDP datagrams have to be matched on the quadruple alone.
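The following is an added example, not code from the page or from OVPA/OVPM: a toy Python model of the endpoint map described above, using the two protocol sequences named in this section. It shows the lookup a client performs and derives the (transport, port) pairs a firewall in front of the server has to pass, then simulates the server restarting on a different dynamic port so that a rule written for the old endpoint goes stale. The host name, interface name and port numbers are constructed; the endpoint map's own port, 135, is standard DCE/MS-RPC behaviour that this page does not state.

```python
# Protocol sequences named on this page. The prefix gives the RPC protocol
# (ncacn = connection-oriented, ncadg = datagram), the rest the network
# protocols, so the transport can be read off the name.
PROTSEQ_TRANSPORT = {"ncacn_ip_tcp": "tcp", "ncadg_ip_udp": "udp"}

# The endpoint map itself listens on a fixed, well-known port (135 for both
# TCP and UDP). Standard DCE/MS-RPC behaviour, not stated on this page.
ENDPOINT_MAP_PORT = 135


class EndpointMap:
    """Toy model of the table rpcd/dced (UNIX) or rpcss (Windows) maintains:
    servers register (interface, protocol sequence, endpoint); clients look
    up an interface and protocol sequence to learn the endpoint to bind to."""

    def __init__(self, host):
        self.host = host
        self.entries = {}          # (interface, protseq) -> endpoint

    def register(self, interface, protseq, endpoint):
        if protseq not in PROTSEQ_TRANSPORT:
            raise ValueError("unsupported protocol sequence: " + protseq)
        if not 1 <= endpoint <= 65535:
            raise ValueError("endpoint is not a valid port number")
        self.entries[(interface, protseq)] = endpoint

    def lookup(self, interface, protseq):
        """The binding (host, protseq, endpoint) a client needs, or None if
        nothing is registered for that interface and protocol sequence."""
        endpoint = self.entries.get((interface, protseq))
        if endpoint is None:
            return None
        return (self.host, protseq, endpoint)

    def firewall_rules(self):
        """(transport, port) pairs a firewall must pass for clients to reach
        the registered servers: the map's own port, so the lookup itself
        succeeds, plus every currently registered endpoint."""
        rules = {("tcp", ENDPOINT_MAP_PORT), ("udp", ENDPOINT_MAP_PORT)}
        for (_, protseq), endpoint in self.entries.items():
            rules.add((PROTSEQ_TRANSPORT[protseq], endpoint))
        return rules


def demo():
    """Registers one hypothetical interface over both protocol sequences,
    then simulates the server restarting on a new dynamic port. Host name,
    interface name and port numbers are constructed for this example."""
    emap = EndpointMap("ovserver.example")
    emap.register("example-iface", "ncacn_ip_tcp", 49201)
    emap.register("example-iface", "ncadg_ip_udp", 49202)
    binding = emap.lookup("example-iface", "ncacn_ip_tcp")
    rules_before = emap.firewall_rules()
    # Server restarts; the stack hands it another port and the map is updated.
    emap.register("example-iface", "ncacn_ip_tcp", 49377)
    rules_after = emap.firewall_rules()
    return binding, rules_before, rules_after


if __name__ == "__main__":
    binding, before, after = demo()
    print("client binds to:", binding)
    print("firewall rules before restart:", sorted(before))
    print("firewall rules after restart: ", sorted(after))
    print("rule(s) that went stale:", sorted(before - after))
```

The stale rule is the practical problem with dynamic endpoints behind a firewall: a rule that names the port the server happened to get last time stops matching after a restart, so a deployment either fixes the endpoints the servers register or opens the whole range the stack assigns from, in addition to the endpoint map's port.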

