
Linux Based Advanced Routing with Firewall and Traffic Control


This is a presentation of the project work carried out by me during my undergraduate degree.



  1. Linux Based Advanced Routing with Firewall and Traffic Control
     Presented by: Sandeep Sreenivasan, B.E. Computer Science and Engineering
  2. Abstract
     • Routing and bandwidth management have become essential for every organization because bandwidth is a limited resource and must therefore be utilized efficiently.
     • It can be done either with hardware or with software. Both methods let you allocate specific bandwidth to Internet traffic, which can be further classified into web, mail, FTP, etc.
     • A hardware device such as a router is costly to maintain and keep functioning.
  3. Abstract (contd.)
     • With bandwidth management, the traffic of each service or network is kept at an assured level at all times, and the administrator can change these levels at fixed time slots during the day, which is not possible with a pre-tuned hardware device such as a router.
     • Bandwidth management helps prioritize traffic and so makes sure that a rise in one type of traffic does not clog another, perhaps more critical, type.
  4. Outline
     • Motivation
     • Existing System
     • Major Problems
     • Proposed System
     • Project Modules Study
     • Working Model Samples
     • Performance Analysis
     • Future Enhancements
  5. Motivation
     • Routing is fundamental to the design of the Internet Protocol.
     • Most fully featured IP-aware networked devices run on UNIX or Linux.
     • The hardware devices used for routing are very costly compared with software routing.
     • Finally, firewalls are easier to implement and more effective on Linux-based systems.
  6. Existing System
     • Basic static routing algorithms implemented on UNIX-based systems.
     • No firewall or traffic control mechanisms are provided in the system.
     • Static routing algorithms have low efficiency in heavy-traffic environments.
     • Routing tables are updated manually, and only when the system finds a damaged route.
  7. Existing System (diagram: Workstation 1, Workstation 2 ... Workstation N connected to a static software router)
  8. Major Problems
     • Use of static algorithms causes low bandwidth utilization.
     • Absence of firewalls causes leakage of information from servers.
     • Absence of traffic control mechanisms causes improper delivery of packets.
     • Routing table updates are route based rather than time based.
  9. Proposed System
     • This project is mainly intended to build a system with advanced routing and a firewall with traffic control mechanisms on the Linux platform, to save cost and to manage traffic effectively.
     • A system that can perform all the necessary functions of a router, with the additional capability to filter packets using a firewall and with complete traffic control options.
     • To classify, prioritize, share and limit both inbound and outbound traffic.
  10. Proposed System
  11. Hardware and Software Requirements
     • Hardware requirements:
       - Intel machines with 512 MB RAM / 80 GB HDD: 10 nos.
       - Two machines with two network interface cards; the rest with one network interface card
       - Internet connection
     • Software requirements:
       - Red Hat Enterprise Linux 4.0
       - Fedora 10
       - Iproute2 package source
       - Zebra package
       - Bash shell scripting
  12. Project Modules Study
     • The various modules of the project are:
       - Module 1: Dynamic Routing using OSPF Protocol
       - Module 2: Secured Tunneling using GRE
       - Module 3: Firewall and Bandwidth Management
       - Module 4: Setup Web Server and DNS Server
       - Module 5: Thin Client Setup
  13. Module 1: Dynamic Routing using OSPF Protocol
     • Dynamic routing involves setting up OSPF areas to gather data from neighbouring routers and to check for live paths at fixed time intervals.
     • In our setup, the router checks for live paths every two seconds and updates the table with an alternate path upon detection of a broken link.
     • Once the areas are configured, the router functions with utmost efficiency.
  14. ZEBRA Daemon
     • The ZEBRA daemon is used to configure the OSPF protocol in Linux.
     • It links with various protocols such as BGP, RIP, etc.

     ZEBRA architecture:

       +------+   +------+   +-------+   +-------+
       | bgpd |   | ripd |   | ospfd |   | zebra |
       +------+   +------+   +-------+   +---|---+
                                             |
                                             V
       +-------------------------------------------+
       |        UNIX kernel routing table          |
       +-------------------------------------------+
  15. Sample Config File
     • Below is a sample configuration file for the zebra daemon (the passwords shown are the defaults from the package's sample configuration and must be changed on a real router):

       !
       ! Zebra configuration file
       !
       hostname Router
       password zebra
       enable password zebra
       !
       ! log stdout
       !
  16. OSPF Protocol
     • OSPF is an open protocol; Cisco implements it in its routers.
     • We have used this protocol for the very first time in a PC-based routing technique.
  17. Sample Config File
     • Below is a sample configuration file for the OSPF protocol:

       !
       ! OSPF configuration file
       !
       hostname Router
       password zebra
       network area 0
       network area 1
       network area 2
       !
       ! log stdout
       !
  18. Module 2: GRE Tunneling
     • Generic Routing Encapsulation is used to create a logical tunnel between two end points for secured data transmission. (GRE itself provides encapsulation only, not encryption.)
     • GRE tunnels have the following structure:

       Original packet:   | Original Header | Original Data |

       Encapsulated:      | Outer Header | GRE Header | Original Header | Original Data |
                          |<----- New Header -------->|<--------- New Data ----------->|
  19. Sample Config File
     • Router A:

       interface Ethernet0/1
        ip address
       interface Serial0/0
        ip address
       interface Tunnel0
        ip address
        tunnel source Serial0/0
        tunnel destination

     • Router B:

       interface FastEthernet0/1
        ip address
       interface Serial0/0
        ip address
       interface Tunnel0
        ip address
        tunnel source Serial0/0
        tunnel destination
  20. Module 3: Firewalls
     • Internet firewalls are intended to keep the flames of Internet hell out of the private LAN, or to keep the members of the LAN pure and chaste by denying them access to all the evil Internet temptations.
     • The firewall in Linux is based on IPTABLES and its predecessor IPCHAINS, where explicit rules are written to control the operating policies of the firewall.
     • Two types of firewalls:
       - Packet filtering firewalls, which block selected network packets
       - Proxy servers, which make network connections on behalf of clients
  21. Packet Filtering Firewalls
     • A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and the port information contained in each packet.
     • Filtering firewalls are more transparent to the user. The user does not have to set up rules in their applications to use the Internet. With most proxy servers this is not true.
     • Filtering firewalls can be thought of as a type of router. Because of this, one needs a deep understanding of IP packet structure to work with one.
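The explicit packet-filtering rules described above, as an added shell example that is not part of the original presentation. It assumes constructed interface names (eth0 towards the LAN, eth1 towards the Internet, gre1 for the Module 2 tunnel), the constructed LAN range 192.168.1.0/24 and a GRE peer address passed as an argument; IPT defaults to echo, so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not the project's code: a default-deny packet filter for the
# Linux router. Interface names and the LAN range are constructed placeholders.
# IPT defaults to "echo" so the rules are printed; run with IPT=iptables to apply.
IPT=${IPT:-echo}
LAN_IF=eth0          # towards the workstations
WAN_IF=eth1          # towards the Internet
TUN_IF=gre1          # GRE tunnel interface of Module 2
LAN_NET=192.168.1.0/24

# Default policies: nothing enters or is forwarded unless an explicit rule allows it.
fw_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Traffic addressed to the router itself. $1 is the GRE peer's address.
fw_router() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Anti-spoofing: a LAN source address must never arrive on the Internet side.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # OSPF (Module 1) is IP protocol 89; hellos arrive from adjacent routers.
    $IPT -A INPUT -i "$LAN_IF" -p 89 -j ACCEPT
    $IPT -A INPUT -i "$TUN_IF" -p 89 -j ACCEPT
    # GRE (Module 2) is IP protocol 47; accept it only from the known peer.
    $IPT -A INPUT -i "$WAN_IF" -p 47 -s "$1" -j ACCEPT
}

# Traffic forwarded for the LAN: HTTP, HTTPS and the FTP control channel.
# FTP data connections are admitted as RELATED once the ip_conntrack_ftp
# (nf_conntrack_ftp on newer kernels) helper is loaded.
fw_forward() {
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports 21,80,443 -j ACCEPT
    # Everything else hits the DROP policy; log it (rate-limited) so the
    # administrator can see what is being blocked.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# fw_all PEER: install the complete rule set in order.
fw_all() {
    fw_policy
    fw_router "$1"
    fw_forward
}
```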
  22. Proxy Servers
     • Proxies are mostly used to control or monitor outbound traffic. Some application proxies cache the requested data.
     • This lowers bandwidth requirements and decreases the access time for the same data for the next user. It also gives unquestionable evidence of what was transferred.
     • We have used a proxy server called SQUID to limit inbound and outbound traffic by constantly monitoring the visited web pages.
     • It also prevents access to irrelevant sites and prevents DoS attacks at the client side.
  23. Module 4: Bandwidth Management
     • The most essential task for an efficient routing architecture is bandwidth management.
     • It helps utilize the available bandwidth efficiently by splitting the access between various server types and balancing the load.
     • We have built a bandwidth-managed server that allows 30% of the bandwidth to FTP and 70% to HTTP.
  24. IPROUTE2
     • IPROUTE2 is the package in Linux that handles the bandwidth management process.
     • It supports various protocols and the management of each protocol, and balances the load automatically between the managed paths.

       ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
                                         nexthop via $P2 dev $IF2 weight 1

     • The above command is an example of balancing the load between two paths via the gateways $P1 and $P2, reached through the devices $IF1 and $IF2.
     • The weight parameter sets the relative share of traffic sent over each next hop.
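The 70%/30% HTTP/FTP split of Module 4 and the weighted multipath route above, as an added shell example that is not part of the original presentation. It assumes an HTB queueing discipline on a constructed interface name, a link rate passed in kbit/s (50 kbit/s matches the managed link in the test setup), and gateway addresses passed as arguments; TC and IP default to echo, so the commands are printed rather than applied.

```shell
#!/bin/sh
# Added example, not the project's code. Builds an HTB class tree that
# guarantees HTTP 70% and FTP 30% of a managed link, then the weighted
# multipath default route from the slide. Device names, rates and gateway
# addresses are constructed placeholders passed as arguments.
# TC and IP default to "echo" (print the commands); set TC=tc IP=ip to apply.
TC=${TC:-echo}
IP=${IP:-echo}

# share_kbit LINK_KBIT PERCENT: integer kbit/s guaranteed to a class.
share_kbit() {
    echo $(( $1 * $2 / 100 ))
}

# htb_setup DEV LINK_KBIT: root HTB qdisc, one class per traffic type,
# u32 filters that classify outbound packets by TCP destination port.
htb_setup() {
    dev=$1
    link=$2
    http=$(share_kbit "$link" 70)
    ftp=$(share_kbit "$link" 30)
    # Unclassified traffic falls into the FTP class (minor id 30).
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${link}kbit" ceil "${link}kbit"
    # Each class keeps its guaranteed rate but may borrow up to the full
    # link (ceil) while the other class is idle.
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "${http}kbit" ceil "${link}kbit"
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate "${ftp}kbit" ceil "${link}kbit"
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip dport 80 0xffff flowid 1:10
    # FTP control (21) and active-mode data (20); passive-mode data uses
    # negotiated ports and would need conntrack marking to be classified.
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip dport 21 0xffff flowid 1:30
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip dport 20 0xffff flowid 1:30
}

# multipath_default GW1 IF1 GW2 IF2 W1 W2: the slide's balanced default
# route; flows are spread over the next hops in proportion to the weights.
# "replace" supersedes an existing default route instead of failing on it.
multipath_default() {
    $IP route replace default scope global \
        nexthop via "$1" dev "$2" weight "$5" \
        nexthop via "$3" dev "$4" weight "$6"
}
```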
  25. Module 5: Thin Clients
     • A thin client is a PC with less of everything.
     • In designing a computer system, there are decisions to be made about processing, storage, software and user interface.
     • A gigabit/s network is faster than a PCI bus and many hard drives, so each function can be in a different location.
     • In a thin client/server system, the only software installed on the thin client is the user interface, certain frequently used applications, and a networked operating system.
  26. Thin Clients (contd.)
     • This software can be loaded from a local drive, from the server at boot, or as needed.
     • By simplifying the load on the thin client, it can be a very small, low-powered device, lowering the cost to purchase and to operate per seat.
     • The server, or a cluster of servers, carries the full weight of all the applications, services and data.
     • Easier system management and lower costs, as well as all the advantages of networked computing: central storage/backup and easier security.
     • A single PC can usually power five or more thin clients. A more powerful PC or server can support up to a hundred thin clients at a time. A high-end server can power over 700 clients.
  27. Thin Client Architecture (diagram: thin clients connected to a server)
  28. Cost Comparison Chart
     • The average cost of a PC-based client is almost two times that of a thin-client-based setup. The same set of software can be run on a thin-client-based system at minimal cost.

       Component            General PC Client Requirements   Thin Client Requirements
       Hard Disk            80 GB                            0
       RAM                  1 GB                             256 MB
       Motherboard          Any                              Any
       Processor            Intel Dual Core                  Pentium 3/4
       Average Total Cost   Rs. 14,000                       Rs. 7,000
  29. Advantages of Thin Client
     • Thin clients have various advantages over commercial PC-based clients. Some of the noteworthy advantages are:
       - Lower IT administration costs
       - Easier to secure
       - Lower hardware costs
       - Less energy consumption
       - Easier hardware failure management
       - Worth less to most thieves
       - Operable in hostile environments
       - Less network bandwidth
  30. Working Model Samples: 1. Server Widgets (Main, Staff, Student)
  31. 2. General Mode Port Configuration Details
  32. 3. Routing Table Entry – Before Zebra Starts
  33. 4. Routing Table Entry – After Zebra Starts
  34. 5. GRE Tunnels
  35. 6. DNS Widget
  36. 7. Web Server Widget
  37. 8. General Mode Client Widget
  38. 9. Exam Mode Client Widget
  39. 10. Main Web Page
  40. 11. Year Selection Page
  41. 12. Exam Selection Page
  42. 13. Question Display Page
  43. 14. Required Software Opens
  44. Performance Analysis
     • Performance of the Linux router: test setup
     • The test setup in our computer lab uses 100Base-T Ethernet. The NICs and switching hubs are 100Base-T.
     • All platforms are running Linux 2.2 kernels, and the Linux router is the default gateway for all of them.
     • JMETER software, coded in Java, was used to provide the necessary node input to simulate as many new node requests as required.
  45. Node Discovery Time: Input Values List

       Number of Nodes   Response Time (ms)
                         Static Routing Technique   Dynamic Routing Technique
       100               0.234                      0.259
       200               0.467                      0.49
       300               0.662                      0.671
       400               0.733                      0.755
       500               0.9                        0.985

  46. Node Discovery Time: Result Chart
  47. Broken Link Discovery Time: Test Setup
  48. Broken Link Discovery Time: Input Values List

       Broken Link Name   Packet Delivery Time (ms)
                          Dynamic Routing   Static Routing (without alternate path)   Static Routing (with alternate path)
       Link 1             0.633             0                                         0.855
       Link 1 and 2       0.945             0                                         1.33
       Link 1, 2 and 3    1.233             0                                         2.56

  49. Broken Link Discovery Time: Result Chart
  50. Bandwidth Management Test: Test Setup (diagram: 10 Mbps LAN link, 50 Kbps managed link)
  51. Bandwidth Management Test: Result Chart
  52. Future Enhancements
     • An improved hardware configuration can be used to implement the thin clients in real time.
     • Additional firewall rules can be incorporated for efficient packet filtering.
     • Tunneling can be expanded to all the nodes for a more secure transmission strategy.
     • Bandwidth can be managed more efficiently by utilizing the IPROUTE2 package's bandwidth management technology.
  54. Thank You. Any Queries?