Notes - MIECT
Segurança Em Redes De Comunicações

Traffic Tunnel Concept


Last updated 2 years ago

Main purposes:

  • Guarantee that a packet that reaches a network node will reach a specific secondary network node independently of the intermediary nodes' routing processes.

  • Guarantee the delivery of a packet to a remote node when the intermediary nodes do not support the original packet network protocol.

  • Define a virtual channel that adds additional data transport features in order to provide differentiated QoS, security requirements, and/or optimized routing.

This is achieved by adding, at the tunnel entry point, one or more protocol headers to the original packets to handle their delivery to the tunnel exit point.

Tunnel End-Points

Virtual Tunnel Interface (VTI)

A logical construction that creates a virtual network interface which can be handled like any other network interface within network equipment.

A tunnel does not need any network address other than the ones already bound to the end-point router.

However, most implementations impose that a network address must be bound to a tunnel interface in order to enable IP processing on the interface.

  • The tunnel interface may have an explicitly bound network address or reuse an address of another interface already configured on the router.

Requirements

A numeric identifier.

A bound IP address, which enables IP processing.

  • Add the tunnel interface to the routing table and allow routing via the interface.

A defined mode or type of tunnel.

  • The availability of tunnel modes depends on the router model, operating software, and licenses.

Tunnel source.

  • Defined as the name of the local interface or IPv4/IPv6 address depending on the type of the tunnel.

Tunnel destination.

  • Defined as a domain name or IPv4/IPv6 address depending on the type of the tunnel.

  • This definition is not mandatory for all types of tunnels because in some cases the tunnel end-point is determined dynamically.

A tunnel may optionally have additional configurations for routing, security, and QoS purposes.

Loopback Interfaces as End-Points

A loopback interface is another logical construction that creates a virtual network interface completely independent from the remaining physical and logical router network interfaces.

The main purpose of a loopback interface is to provide a network address that serves as a router identifier in remote network configurations and distributed algorithms.

The main advantage of using loopback interfaces as tunnel end-points is the creation of a tunnel not bound to any individual network card/link that may fail.

IP Tunnel Types

  • IPv4-IPv4

    • Original IPv4 packets are delivered using IPv4 as a network protocol.

  • GRE IPv4

    • The original packet's protocol (any network protocol) is identified by the GRE header, and the packet is delivered using IPv4 as a network protocol.

  • IPv6-IPv6

    • Original IPv6 packets are delivered using IPv6 as a network protocol.

  • GRE IPv6

    • The original packet's protocol (any network protocol) is identified by the GRE header, and the packet is delivered using IPv6 as a network protocol.

  • IPv6-IPv4

    • Original IPv6 packets are delivered using IPv4 as a network protocol.

  • IPv4-IPv6

    • Original IPv4 packets are delivered using IPv6 as a network protocol.

Overlay Network

An overlay network can be defined as a virtual network defined over another network.

  • For a specific purpose like private transport/routing policies, QoS, or security.

The underlying network can be physical or also virtual.

  • This may result in multiple layers of overlay networks.

When any level of privacy protocol is present on an overlay network, it is designated a Virtual Private Network (VPN).

Full/Partial Overlay Mesh

Routing Through/Between Tunnels

Static Routes

Policy Based Routing (route-maps)

Dynamic Routing

Multiple (distinct) routing processes.

  • One per overlay network, and

  • One for the underlying network.

Multipoint Tunnels

In a scenario with many nodes to interconnect, the simplest and most efficient approach is to have a single tunnel that interconnects multiple nodes: a multipoint tunnel.

The nodes connect directly using a single virtual overlay IP network, defined within a multipoint tunnel.

In a multipoint tunnel scenario, the delivery header address is determined based on the address of the next hop within the overlay network.

Address mapping between overlay and underlying network addresses may be statically defined or dynamically obtained.
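As an added example (not part of the original notes), the following Python sketch ties together the header-adding encapsulation described at the top of the page, the IPv4-IPv4, IPv6-IPv4 and GRE IPv4 tunnel types, and the multipoint-tunnel rule that the delivery header's destination is derived from the overlay next hop through an overlay-to-underlying address mapping. All addresses, the overlay routing table and the static mapping are constructed assumptions.

```python
import struct
import socket
import ipaddress

IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_GRE = 4, 41, 47   # IANA delivery protocol numbers
ETH_P_IP, ETH_P_IPV6 = 0x0800, 0x86DD                 # GRE Protocol Type (EtherType)

# Constructed example tables (hypothetical addresses): overlay routes inside the multipoint
# tunnel, and a static overlay-next-hop -> underlying-address mapping (NHRP's job when dynamic).
OVERLAY_ROUTES = {"192.168.30.0/24": "10.0.0.3", "192.168.0.0/16": "10.0.0.2"}
OVERLAY_TO_UNDERLAY = {"10.0.0.2": "203.0.113.2", "10.0.0.3": "203.0.113.3"}

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum >> 16) + (csum & 0xFFFF)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def overlay_next_hop(inner_dst):
    """Longest-prefix match of the inner destination against the overlay routing table."""
    dst = ipaddress.ip_address(inner_dst)
    nets = [ipaddress.ip_network(n) for n in OVERLAY_ROUTES if dst in ipaddress.ip_network(n)]
    if not nets:
        raise LookupError(f"no overlay route for {inner_dst}")
    return OVERLAY_ROUTES[str(max(nets, key=lambda n: n.prefixlen))]

def encapsulate(inner, local_underlay, mode="gre"):
    """Tunnel entry point: the outer destination is the underlying address mapped from
    the overlay next hop of the inner packet (inner IPv4 or IPv6, delivered over IPv4)."""
    version = inner[0] >> 4
    inner_dst = (socket.inet_ntoa(inner[16:20]) if version == 4
                 else socket.inet_ntop(socket.AF_INET6, inner[24:40]))
    underlay_dst = OVERLAY_TO_UNDERLAY[overlay_next_hop(inner_dst)]  # KeyError: no mapping
    if mode == "gre":  # GRE IPv4: Protocol Type carries the inner protocol; no C/K/S flags
        gre = struct.pack("!HH", 0, ETH_P_IP if version == 4 else ETH_P_IPV6)
        return ipv4_header(local_underlay, underlay_dst, IPPROTO_GRE, 4 + len(inner)) + gre + inner
    proto = IPPROTO_IPIP if version == 4 else IPPROTO_IPV6   # IPv4-IPv4 / IPv6-IPv4 modes
    return ipv4_header(local_underlay, underlay_dst, proto, len(inner)) + inner

def decapsulate(outer):
    """Tunnel exit point: strip the delivery (and GRE) header; return (inner, label)."""
    body, proto = outer[(outer[0] & 0x0F) * 4:], outer[9]
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        off = 8 if flags & 0x8000 else 4   # C bit set => checksum + reserved1 present
        return body[off:], {ETH_P_IP: "ipv4", ETH_P_IPV6: "ipv6"}.get(ptype, hex(ptype))
    return body, {IPPROTO_IPIP: "ipv4", IPPROTO_IPV6: "ipv6"}[proto]
```

A destination with no overlay route raises LookupError and one whose next hop has no underlying mapping raises KeyError, which is exactly the situation NHRP resolution exists to fill in dynamically.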