Not every network needs a router. If you operate a small-office LAN, a simple switch-based LAN can provide all the file and print sharing your business needs within the LAN. However, if you have remote locations, or if you connect to the Internet (and who doesn't), then you need a router because of the security features it can provide. One such feature is called Network Address Translation (NAT). NAT allows you to use one or more IP addresses that are valid on the Internet, while using a reserved (private) address space for the computers on the LAN. Although this might not seem important at first glance, keep in mind that it helps prevent computers outside your LAN from learning the addresses of computers inside your LAN. NAT is not the only technology used in a firewall, but it is a good start. For a small office, home office (SOHO) network, a router that performs NAT is a necessity when using a cable modem or DSL to connect to the Internet. As an added bonus, most SOHO routers that perform NAT also act as a DHCP server, so you do not have to configure another system on your network to run the DHCP service. NAT also expands your usable address space, so that you do not have to pay for additional IP addresses that are valid on the Internet; the reserved address space used inside the network is all yours to use. There are several other situations in which a router might be needed:
Growing LAN Sizes
As a business in today's market grows, so do the computing requirements. A company starting out with only a few computers, or even a few hundred, can easily get by using a LAN constructed with switches. However, there comes a point when you reach the limits of either the traffic capacity of your LAN or the topological restrictions imposed by the type of LAN you create. When this happens, you can segment the network using a router, thus preventing congestion or topology problems. The IP address space provides a hierarchical addressing structure. Basically, there are different classes of IP addresses; for each class a certain number of bits is set aside to record a network address, and the remaining bits are used to specify the host on that network. By using the hierarchical nature of IP addressing, you can configure your IP subnets using routers in a manner that reflects your business organization.
Using TCP/IP, each local network generally makes up both a physical and a logical subnet. The physical subnet consists of all the devices attached to the same broadcast domain, which includes all devices attached to the same hub and all hubs connected to that hub, if you are still using this older technology. Unless you've configured Virtual LANs (VLANs), the same goes for most switches, although the broadcast domain concept is limited when using a switch. For all nodes that exist on a particular physical subnet, it is a good idea to assign IP addresses that fall into the same network address or subnetwork address. Again, Chapter 24 explains how the network portion and subnet portion of the IP address work. The thing to remember here is that each separate physical subnet generally uses a separate IP network or subnetwork ID to identify all computers on that LAN segment. A separate host ID is used for each computer on each subnet. VLANs allow you to configure the subnet that a port belongs to on a port-by-port basis. This is covered in the preceding chapter, "Virtual LANs." In this situation, each computer on each segment is a peer to all other computers on the same segment. Communications take place on the local segments at the Ethernet frame level using hardware (MAC) addresses. In Figure 10.1, for example, workstation A and workstation B can send data frames back and forth, and the traffic they generate between them never passes through the router. The local hardware addresses are resolved using ARP (see Chapter 24 for more about ARP), and both nodes can talk directly to each other using Ethernet frames.
Figure 10.1. Routers are used to link different network segments to create a larger internetwork.
If workstation A needs to exchange data with workstation D or E, network traffic travels between the different subnets through routers 1 and 2. To carry the concept a step further, workstation A would have to send a data packet through three routers to exchange data with workstations G through L. As you can see, a router works much like a bridge in that it segregates traffic and passes it on to other segments only when the destination address of the packet isn't on the local segment. However, bridges work at layer 2 of the OSI model and use hardware MAC addresses. Routers switch traffic based on layer 3 addresses, such as IP. A router is needed only when a packet needs to travel to a different logical IP subnet or network. Routers come in all sizes and combinations. Some have serial-line ports, Ethernet ports, twisted pair, and fiber-optic ports. If you have reached the limit on your LAN and don't want to add more workstations, consider installing a new LAN segment and connecting both your old and new LANs using a router.
Tip
Besides making it easy to organize your network layout by matching IP network and subnet addresses to your business organizational chart, you also can organize your Domain Name System (DNS) names to reflect the business organization. Remember that the host and domain names you assign to a particular network device or computer can, but do not have to, relate directly to the underlying IP address. Instead, these are assigned by the network administrator (or by using DHCP with certain scopes of addresses reserved for selected subnets). Thus, it is possible to use both IP addressing and DNS names to add some organization to the madness that typically makes up a large network. For more about using DNS and how fully qualified domain names are translated to IP and other network addresses, see Chapter 29, "Network Name Resolution." Using this method, each subnet has its own unique subnet portion of the IP address space.
The router is like all other devices on a traditional Ethernet network: it can see all traffic on the segments attached to it. In modern networks in which switches are used, each computer is configured to use a router (the default gateway) when it needs to send a packet to a network that is not on the same subnet. The router, however, has connections to more than one network segment and can transfer packets of information from one segment to another, based on their network address. Figure 10.1 showed only a simplistic view of how routers can connect different network segments. In practice, you'll most likely have switches or hubs separating your client computers and servers from the router. Figure 10.2 shows this view. The router is used to connect several LAN segments, each of which may have a switch (with attached workstations) or a powerful server. Additionally, a WAN port on the router is used to connect to the wide area network, such as the Internet.
Figure 10.2. In a typical large network, switches or hubs separate individual workstations from the wide-area router connection.
As mentioned before, when you configure a client computer to use TCP/IP, you generally specify a default gateway (or this value can be supplied by DHCP when the client boots). The default gateway is the address of the router that attaches the local subnet to the larger network structure. Thus, when a client computer wants to send a packet, or series of packets, to a computer that is on a different logical IP subnet, it sends the packets instead to the default gateway, the router. The client computer can tell from its own address and subnet mask what subnet it is connected to. The client software knows to direct a packet to the default gateway when the network or subnet address of the packet differs from the sender's own network address. A router makes decisions on where next to send the packet based on routing tables.
Routing tables can be configured manually (static routing) by the network administrator, or they can be configured dynamically using various routing protocols. Simple routing protocols are useful for small internetworks, and complicated routing protocols are used by Internet core and border routers. However, the principle of routing is basically the same for all these protocols. Routers make decisions based on the Network Access layer of the OSI model using logical IP addresses. Your local area network uses the ARP protocol to determine the actual hardware address (a flat address space) for communications within the local LAN segment. When a client computer sends a packet to the default gateway router, it uses the address of the router as the destination address in the frame header, even though the router is not the eventual destination of the packet. The router is just the next hop for the frame. When the router notices a frame on a port that is addressed to it, it unpacks the frame to expose the IP header portion. Using the IP address, the router then decides on the next hop for the packet and reconstructs a frame to transmit the packet to the next hop. This might be another router or a host on another segment attached to the router. As you can see, routers actually change the packet (or frame) as it travels through an internetwork. For example, the Ethernet frame destination address is changed to indicate the next hop for the frame. Inside the IP header, the router decrements the TTL (Time to Live) value. When this value reaches zero, the packet has traveled the maximum hops allowed and a router discards it. Because a router must change fields in the IP header, as well as the Ethernet frame header information, it also must recalculate any error-checking fields for these headers. At each hop, a router also can be configured with a set of rules that filters out the packet.
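The two decisions just described, the client's "local or default gateway?" test and the router's next-hop lookup with TTL handling, as an added example in Python. It is not code from the book; the subnets, next-hop addresses and interface names model Figure 10.1 and are assumptions.

```python
import ipaddress

# Constructed sample routing table for "router 1": destination prefix,
# next hop (None = directly connected segment), outgoing interface.
# Addresses and interface names are assumptions for this example.
ROUTING_TABLE = [
    ("192.168.1.0/24", None, "eth0"),             # local segment A/B
    ("192.168.2.0/24", None, "eth1"),             # segment shared with router 2
    ("192.168.0.0/16", "192.168.2.254", "eth1"),  # other company subnets via router 2
    ("0.0.0.0/0", "203.0.113.1", "wan0"),         # default route toward the ISP
]

def host_next_hop(src_ip, netmask, dst_ip, default_gateway):
    """The client's decision: if the destination is on my own subnet, ARP
    for it and send directly; otherwise hand the frame to the default gateway."""
    local_net = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(dst_ip) in local_net:
        return dst_ip
    return default_gateway

def lookup(dst_ip, table=ROUTING_TABLE):
    """Longest-prefix match: the most specific route wins, so the default
    route is used only when nothing else matches. Returns (next_hop, iface)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    # directly connected: the router ARPs for the destination host itself
    return (best[1] or dst_ip, best[2])

def forward(packet, table=ROUTING_TABLE):
    """One router hop: discard when TTL is exhausted, otherwise return the
    decremented TTL plus the address and port for the rebuilt frame."""
    if packet["ttl"] <= 1:
        return {"action": "discard", "reason": "ttl exceeded"}
    route = lookup(packet["dst"], table)
    if route is None:
        return {"action": "discard", "reason": "no route"}
    next_hop, iface = route
    return {"action": "forward", "ttl": packet["ttl"] - 1,
            "next_hop": next_hop, "iface": iface}
```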
This capability provides some security for your network, because you can prevent certain IP addresses or services from passing between your network and the Internet. One very important concept to grasp is that a router's only job is to get a packet to the router port that connects to the network containing the packet's destination. After the router determines that the packet should be output through a certain port, the MAC addresses of the networked computers and other devices come into play. That is, the IP address gets the data to the destination network. After the data has arrived, it is the MAC address that is used for the final leg of the journey. On the local subnet the router sends out an ARP frame that contains the IP address of the packet. When a computer recognizes its IP address, it sends a frame back to the router telling the router what its MAC address is. From then on, the router can use the computer's MAC address to send additional packets. Routers keep a cache in memory of MAC addresses for a short period so that a continuous stream of data can be delivered after the router knows the MAC address of a computer on the local network.
Delegating Responsibility for Local Area Networks
Because routers can be used to separate one group of users from another, they make delegation of administration at the local level much easier. Responsibility implies security. Routers can be programmed using a technique called Access Control Lists (ACLs), which are nothing more than rules that specify the following:
This packet filtering capability lets a local administrator, who understands the router's controls, restrict access to the local LAN. For security reasons, this can be very important. Most people think of a firewall as a device that sits at the edge of a network and makes the connection to the Internet. That is only one use of a firewall. A second use is to isolate departments within a particular network. For example, it's probably a good idea to isolate the accounting department from other sections of your company. You don't want employees probing around trying to break into your payroll records! With a router, you can configure rules that allow only selected users on other LANs (such as the one that services the executive suite) to pass through your router, while keeping others out. By using controls within your network as well as at the edge, you also can help prevent the spread of any attack or infiltration that does occur. Another important feature that many routers provide is logging. You usually can log both successes and failures to keep track of how your network is being used. If you find a particular workstation trying to Telnet or FTP to a prohibited LAN, you can use this evidence to discipline the employee. Many routers allow you to designate another system as the location for logging files. Typically, this is done using the Unix syslog daemon. This type of feature improves security: if the router itself is compromised, you will still have a record of the events leading up to it. If you regularly review your log files, you can take preventive measures when you suspect that suspicious activity is occurring.
Connecting Branch Offices
Many companies have offices in multiple locations. In the early days of computing, when 300 baud modems were the norm, sending data between two sites usually consisted of dial-up access. Today, you can lease lines between central headquarters and multiple branch offices.
Additionally, other long-haul services, such as those provided by Frame Relay and Asynchronous Transfer Mode (ATM), can be used to enable you to connect securely to remote branch offices.
Routers come in all sizes and offer various features. You can use a router to connect branch offices easily. All you need to do is to provide a separate network ID (or, more likely, subnet ID) for each location and choose an appropriately sized router for each location. Some routers even allow you to use a dial-up line for a remote connection that is used only infrequently. This situation is ideal when all you need to do is poll remote computers after-hours to get sales totals and other information of that sort. Still other routers, usually at the low end of the line, allow you to connect to a cable modem or a digital subscriber line (DSL) modem and share that single IP address connection with several other computers. This kind of router/switch combination is ideal for a home office or a branch office that has only a few computers that need to be networked.
Using a Router to Protect Your Network
NAT and Packet Filtering
Chapter 45 demonstrates how routers fit into a well-designed firewall solution. However, this topic is important enough to deserve a brief mention here. When the Internet was first being commercialized, there were lots of IP addresses to go around. It was easy back then to get an ISP to assign you a group of IP addresses that were valid on the Internet. As the Internet has expanded year by year at a phenomenal rate, the IP address space has begun to run out. Most routers provide a function called Network Address Translation (NAT). Briefly, NAT allows your network to use one, or a few, valid IP addresses on the Internet connection side of the router, and a private address space on your local network side of the router. When communications take place between a client on your network and a server on the Internet, the traffic passes through the router, which uses its own valid IP address to make contact with the outside server. Responses received from the server are repackaged and returned to the original client.
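The address substitution just described, as an added Python example that is not code from the book. It also shows the port-based variant (the router hands each inside connection its own outside port so that several clients can share one public address) and the consequence that matters for security: an inbound packet that matches no existing mapping has nowhere to go and is dropped. The private and public addresses are constructed for the example.

```python
import itertools

# Constructed values: RFC 1918 addresses on the LAN side, a documentation
# address on the Internet side. Nothing here comes from the original text.
PUBLIC_IP = "203.0.113.10"

class NatRouter:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # next outside port to allocate
        # (inside_ip, inside_port, dst_ip, dst_port) -> outside port
        self.out_map = {}
        # (outside port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_map = {}

    def outbound(self, pkt):
        """Client -> Internet: replace the private source address with the
        router's public address and a unique port, remembering the mapping
        so the server's reply can be matched to the right client."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out_map:
            port = next(self._ports)
            self.out_map[key] = port
            self.in_map[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        """Internet -> LAN: rewrite the reply back to the inside client only if
        it matches a mapping created by outbound traffic. Anything unsolicited
        is dropped (None), which is why outsiders learn nothing about the
        private addresses behind the router."""
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["dst"] != self.public_ip or key not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[key]
        return dict(pkt, dst=inside_ip, dport=inside_port)

def demo():
    """Two LAN clients using the same local port reach the same web server
    through one public address; only the matching reply is delivered."""
    nat = NatRouter()
    a = nat.outbound({"src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.5", "dport": 80})
    b = nat.outbound({"src": "192.168.1.11", "sport": 51000, "dst": "198.51.100.5", "dport": 80})
    reply = nat.inbound({"src": "198.51.100.5", "sport": 80, "dst": PUBLIC_IP, "dport": b["sport"]})
    probe = nat.inbound({"src": "198.51.100.9", "sport": 12345, "dst": PUBLIC_IP, "dport": 22})
    return a, b, reply, probe
```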
Besides using IP address substitution, another version of NAT employs a technique of manipulating port addresses to keep track of multiple connections. NAT helps keep your network secure because it helps prevent anyone outside your network from finding out any addressing information about servers or workstations inside your network. One of the most important goals you can accomplish in network security is preventing outsiders from gaining any knowledge about your network, be it network addresses, hardware platforms, or operating systems and applications. The capability for a router to also block certain ports, as well as addresses, makes your local network even more secure. For example, although you might want to allow your users to browse the Web and possibly establish an FTP session with a remote server to download a new driver or software update, you might not want the reverse to be possible. By appropriately configuring your gateway router, you can pretty much block all but the most persistent hacker from getting into your network.
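An access list that puts both ideas from this chapter into rules, as an added Python example (not the book's code): the departmental isolation and logging from the "Delegating Responsibility" section (only the executive suite may reach accounting, denied attempts are logged in a syslog-style line), and the edge policy just described (Web and FTP out, replies back in, nothing else in). The subnets, ports and rule order are assumptions chosen for the illustration.

```python
import ipaddress

# Assumed subnets: 10.1.0.0/16 is the company, 10.1.1.0/24 the executive
# suite, 10.1.9.0/24 accounting. Rules are evaluated top to bottom,
# first match wins, as on most routers.

def rule(action, src, dst, proto="any", dport=None, established=False, log=False):
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "proto": proto, "dport": dport,
            "established": established, "log": log}

ACL = [
    # executive suite may reach the accounting LAN; every other source is kept out
    rule("permit", "10.1.1.0/24", "10.1.9.0/24"),
    rule("deny",   "0.0.0.0/0",   "10.1.9.0/24", log=True),
    # the rest of the company may browse the Web and FTP outward...
    rule("permit", "10.1.0.0/16", "0.0.0.0/0", "tcp", dport=80),
    rule("permit", "10.1.0.0/16", "0.0.0.0/0", "tcp", dport=21),
    # ...replies to those sessions (ACK set) may come back in...
    rule("permit", "0.0.0.0/0",   "10.1.0.0/16", "tcp", established=True),
    # ...but nothing else from outside may open a connection inward
    rule("deny",   "0.0.0.0/0",   "0.0.0.0/0", log=True),
]

def matches(r, pkt, src, dst):
    return (src in r["src"] and dst in r["dst"]
            and r["proto"] in ("any", pkt["proto"])
            and r["dport"] in (None, pkt.get("dport"))
            and (not r["established"] or pkt.get("established", False)))

def evaluate(pkt, acl=ACL):
    """Return (action, log_line). log_line is a syslog-style record for
    rules marked log=True, otherwise None. A packet matching no rule is
    denied, mirroring the implicit deny at the end of a router ACL."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for n, r in enumerate(acl, 1):
        if matches(r, pkt, src, dst):
            line = None
            if r["log"]:
                line = (f"router1 acl: rule {n} {r['action']} {pkt['proto']} "
                        f"{pkt['src']} -> {pkt['dst']}:{pkt.get('dport')}")
            return r["action"], line
    return "deny", None
```

The "established" rule is what lets a stateless filter admit the server's half of a session the LAN opened while still refusing new connections from outside; without it, rule 6 would also discard the replies to the users' own Web and FTP traffic.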