Module 10: How Middleboxes Impact Performance


1 Module 10: How Middleboxes Impact Performance

2 WHAT IS A MIDDLEBOX?
“Any intermediate device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and a destination host.”
Network Working Group, RFC 3234, Middleboxes: Taxonomy and Issues.
[Figure: Network, with Source, Middlebox and Destination]

3 WHAT DO MIDDLEBOXES DO?
Middleboxes may:
- Drop, insert or modify packets.
- Terminate one IP packet flow and originate another.
- Transform or divert an IP packet flow in some way.
Middleboxes are never the ultimate end-system of an application session.

4 EXAMPLES OF MIDDLEBOXES
- Firewalls
- Network Address Translators
- Traffic Shapers
- Load Balancers

5 MIDDLEBOXES AND ‘CLASSIC’ TCP / IP
Traditionally:
- Networks have ceded control to the end-points of a connection.
- The only function carried out ‘in the middle’ was IP routing.
Middleboxes change this:
- They spread functionality throughout the network.

6 WHAT ISSUES DO MIDDLEBOXES INTRODUCE?
Challenges represented by middleboxes:
- Networking protocols were not designed with middleboxes in mind.
- We have to deal with connections that are compromised by crashed middleboxes.
- Middleboxes are often hidden points of failure.
- Middleboxes may require configuration and management.
- You must take middleboxes into account when diagnosing network failures or poor performance.
- Some key services may not operate ‘through’ middleboxes (e.g. video conferencing).

7 FIREWALLS
A firewall is an agent that screens network traffic, blocking traffic that it believes to be inappropriate or dangerous.
Examples:
- Block telnet connections from the internet
- Block FTP connections to the internet from internal systems not authorised to send files
- Act as an intermediate server handling SMTP and HTTP connections
Can be divided into two categories:
- IP Firewalls
- Application Firewalls

8 FIREWALLS IN THE PATH: EXAMPLE
[Figure: a video conference connection between the Campus X and Campus Y networks across NREN A, NREN B and the backbone network]
Firewalls are potential obstacles to (UDP) media streams.

9 IP FIREWALLS
Features of an IP firewall:
- Simplest form of firewall, usually contained in a router
- Inspects each individual packet’s IP and Transport headers.
- Decides whether to forward or discard based on configured policies. Examples:
  - Disallows incoming traffic to certain port numbers
  - Disallows traffic to certain subnets
- Does not alter the packets it allows through
- Not visible as protocol end-point
- By rejecting some packets, may cause connectivity problems that are difficult to identify and resolve.

10 APPLICATION FIREWALLS
Features of an application firewall:
- Acts as protocol end-point and relay
  - E.g. SMTP client / server or web proxy agent
- May:
  - Implement ‘safe’ subset of the protocol
  - Perform extensive protocol validity checks
  - Use an implementation methodology to minimise likelihood of bugs
  - Run in an insulated ‘safe’ environment

11 PROBLEMS ASSOCIATED WITH FIREWALLS
ICMP (Internet Control Message Protocol) messages are often blocked, as they may be perceived as a security risk.
- Applications dependent upon them, such as PING, will return misleading results
- Path discovery black holes can be created
- Legitimate traffic can be delayed or completely blocked
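The per-packet header filtering of slide 9 and the ICMP side effect of slide 11, as an added example that is not part of the original presentation. It reads the slide's path discovery black hole as the Path MTU Discovery case, where the firewall discards ICMP type 3 code 4; the rule format, policy names and sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                       # only the header fields an IP firewall inspects
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp: Optional[tuple] = None    # (type, code)

@dataclass(frozen=True)
class Rule:                         # a field left as None matches any value
    action: str                     # "forward" or "discard"
    proto: Optional[str] = None
    dst_net: Optional[str] = None
    dport: Optional[int] = None
    icmp: Optional[tuple] = None

    def matches(self, p):
        in_net = self.dst_net is None or \
            ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
        return (in_net and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.icmp in (None, p.icmp))

def decide(rules, pkt, default="forward"):
    """First matching rule wins; each packet is judged alone (no state)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

FRAG_NEEDED = (3, 4)   # Destination Unreachable: fragmentation needed, DF set
BASE = [Rule("discard", proto="tcp", dport=23),         # no inbound telnet
        Rule("discard", dst_net="192.0.2.0/24")]        # protected subnet
BLOCK_ALL_ICMP = BASE + [Rule("discard", proto="icmp")]  # the policy slide 11 warns about
PERMIT_PMTUD = BASE + [Rule("forward", proto="icmp", icmp=FRAG_NEEDED),
                       Rule("discard", proto="icmp")]    # other ICMP still dropped

SAMPLES = {   # constructed sample packets, documentation address ranges
    "telnet": Packet("198.51.100.10", "tcp", dport=23),
    "http": Packet("198.51.100.10", "tcp", dport=80),
    "to_protected_subnet": Packet("192.0.2.7", "udp", dport=5004),
    "icmp_echo": Packet("198.51.100.10", "icmp", icmp=(8, 0)),
    "icmp_frag_needed": Packet("198.51.100.10", "icmp", icmp=FRAG_NEEDED),
}
def audit(rules):
    return {name: decide(rules, pkt) for name, pkt in SAMPLES.items()}
```

Comparing `audit(BLOCK_ALL_ICMP)` with `audit(PERMIT_PMTUD)` shows the only difference is the fragmentation-needed message, which is the one a sender needs in order to lower its packet size instead of silently stalling.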

12 NETWORK ADDRESS TRANSLATORS
What does a Network Address Translator do?
- Dynamically assigns unique address to a host
- Translates appropriate address field in inbound and outbound packets
Network Address Translation is often built into routers.

13 LOAD BALANCERS
- Motivation is typically to balance load across a pool of servers.
- Divert packets from intended IP destination or make the destination ambiguous.
- Session state?
- Debugging?
- Sometimes it works, sometimes it doesn’t

