This sprang up on our Linux list...
---------- Forwarded Message ----------
Subject: Re: [LeapList]Re: next version of ipcop -- bridging L2 Ethernet v. routing/filtering L3 IP
Date: 26 May 2002 02:54:29 -0400
From: "Bryan J. Smith" <b.j.smith@...>
On Sun, 2002-05-26 at 02:13, Bryan J. Smith wrote:
> Actually it's quite simple. When you create a new zone, you use a
> new subnet. Just remember that and everything will be easy.
> Anything that is physically separated should be on a new subnet --
> don't bridge to the same subnet.
> Bridging Ethernet (layer 2) is NOT Routing IP (layer 3). To route
> between IP networks, they need to be on different IP subnets -- not
> bridged so they are the same IP subnet. I know this is a bit
> confusing, but if you spend a little time learning the OSI model and
> the technology used (especially at layers 2-4), it makes a heck of a
> lot more sense.
Here's the short version ...
- Internet Protocol (IP) and Filtering at OSI layers 3 and higher ...
IPCop is an IP packet filter (as are most firewalls) between different
IP [sub]net[works]. Typical IP subnets on a firewall include the LAN,
the Internet and one or more de-militarized zones (DMZ). IPCop
inspects IP packets as they are received from one IP subnet, like the
Internet, that are destined for another, like the LAN. If the IP
packet matches some rules, it either drops it (if the matching rule
says to do so) or it accepts it (if the matching rule says to do so)
and then "routes" it to its destination.
IP is an OSI layer 3 protocol. Typical IP packets are organized into
layer 4 ICMP, UDP or TCP packets, which contain data organized in layer
5+ streams (web, ftp, etc...). Don't worry about knowing all this,
just know that IP involves OSI layers 3+. Any packet organized at a
higher layer than 3 eventually has to be sent over layer 3. If the
packet is arriving from a remote IP subnet, it has to be "routed" at
some stage. This would then include passing through your layer 3 IP
packet filter which is IPCop.
- IEEE 802 Local Area Networking (LAN), OSI layers 2 and lower ...
Ethernet (IEEE 802.3 aka CSMA/CD -- long story) and Wireless LAN (WLAN,
IEEE 802.11 aka CSMA/CA -- long story) are OSI layer 2 mediums. Unlike
layer 3 IP, they are not designed to be for global communication, but
only local. Although different Ethernet and/or WLAN trunks can be
"bridged" between each other, again, this is only for short distances.
What confuses most people is that most WLAN access points (APs) are
just WLAN-to-Ethernet bridges. So you are directly and transparently
turning 802.11 WLAN frames into 802.3 Ethernet frames and vice-versa.
Because Ethernet and/or WLAN work at layer 2, even when "bridged," if
they are on the same layer 3 subnet, they do NOT need to be "routed".
Layers only talk directly to each other via lower layers, not higher
ones. Therefore they will NOT pass through your layer 3 IP router,
which is usually your layer 3 IP packet filter in IPCop**. So you must
put your Ethernet and WLAN nodes on _different_ layer 3 IP subnets,
which means different ports on the IPCop firewall** so they are
inspected as they pass to/from each other.
[ **NOTE: This is somewhat of a simplification. Although you _can_
filter packets between nodes on the same subnet/port, it's far more
complex of a setup and not ideal in the great majority of cases. And
it's a security nightmare as people can "sniff" the wire, even if they
cannot directly access the IP addresses, long story. As such, the
great majority of firewalls out there don't offer this. ]
- IEEE 802 WLAN Security
Which leads us back to Wired Equivalent Privacy (WEP), MAC address
restriction and other developments. These are basically "filters" at
layer 2 to prevent different layer 2 nodes from talking to each other.
WEP is an encryption mechanism used by an AP to both prevent access to the
AP and all the other WLAN nodes on it (which includes any bridges to an
Ethernet trunk) as well as encrypt the packets sent over the air to the
AP and its nodes. The cipher is a poor choice (RC4, like SSL), and the
negotiation is even worse (very simplistic, far worse than SSL).
You can also limit access to APs based on the [usually] hardcoded MAC
address in a WLAN NIC. Of course, this is something that can be
circumvented with OEM NIC tools.
Lastly are newer developments trying to address WEP weaknesses. One
such development is an adaptation of 802.1x**. Several "high-end" APs
and routers/firewalls with integrated WLAN ports are adopting 802.1x
approaches (e.g., usually in conjunction with a Radius server for
authentication). I don't want to go deep into this because it's not
very applicable to most end-users, and I myself haven't dived into it
too much yet.
[ **NOTE: IEEE 802 consists of several committees. 802.3+ are the
specific, "media access control" (MAC) layers for different mediums.
E.g., 802.3 for Ethernet, 802.5 for Token Ring, 802.11 for WLAN,
802.15 for Bluetooth, etc... Then there is the link logical layer
(LLC), 802.2, which forms the "basis" for data organization for _all_
of the MACs. I.e., in general, OSes/system software only need to
organize data for 802.2/LLC, instead of having specific ones for 802.3
Ethernet, 802.11 WLAN, etc... 802.1 is pretty much a "hodgepodge" of
_optional_ 802 add-ons, technologies and other details. E.g., 802.1q
is virtual LANs (VLAN) which is important when you get into Gigabit
Ethernet (at least important if you know what you are doing ;-),
although it's applicable to any other medium/speed as well. ]
The US government could be 100x more effective, and 1/100th the
Constitutional worry, if it dictated its policy to Microsoft as
THE MAJOR CUSTOMER it is, and not THE REGULATOR it fails to be.
Bryan J. Smith, SmithConcepts, Inc. mailto:b.j.smith@...
Engineers and IT Professionals http://www.SmithConcepts.com
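An added illustration of the point in the forwarded message, not code from the original post or from IPCop: a small Python model in which hosts in the same IP subnet (e.g. a WLAN bridged onto the LAN) reach each other at layer 2 and never hit the layer 3 packet filter, while hosts on different subnets are routed and checked against a first-match rule list. The zone names, subnets and rules are constructed for the example.

```python
"""Model of the layer-2-vs-layer-3 argument from the post.

Hosts in the same IP subnet exchange frames directly (switched/bridged
at layer 2) and never traverse the layer 3 router/filter; hosts on
different subnets must be routed, so their packets are inspected.
Constructed example; zones, addresses and rules are assumptions."""
from ipaddress import ip_address, ip_network

# Constructed firewall zones: one interface per IP subnet.
ZONES = {
    "green": ip_network("192.168.1.0/24"),   # wired LAN
    "blue": ip_network("192.168.2.0/24"),    # WLAN on its own subnet/port
}

# First-match rule list (src_zone, dst_zone, dst_port, action);
# None is a wildcard for the port.
RULES = [
    ("blue", "green", 80, "ACCEPT"),
    ("blue", "green", None, "DROP"),
]


def zone_of(addr):
    """Return the zone whose subnet contains addr, or None."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return None


def filter_decision(src, dst, dst_port):
    """Decide what happens to a packet from src to dst:dst_port."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "unknown-zone"
    if src_zone == dst_zone:
        # Same subnet: delivered at layer 2, no rule is ever consulted.
        return "BYPASSED-L2"
    for r_src, r_dst, r_port, action in RULES:
        if (r_src, r_dst) == (src_zone, dst_zone) and r_port in (None, dst_port):
            return action
    return "DROP"  # default deny when no rule matches


if __name__ == "__main__":
    # WLAN client bridged onto the LAN subnet: the filter never sees it.
    print(filter_decision("192.168.1.50", "192.168.1.10", 22))  # BYPASSED-L2
    # Same client moved to its own subnet behind a separate port.
    print(filter_decision("192.168.2.50", "192.168.1.10", 22))  # DROP
    print(filter_decision("192.168.2.50", "192.168.1.10", 80))  # ACCEPT
```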