Hello and welcome to Firewall Management 101. I'm Professor Wool. Today we're going to be talking about the challenges of accurate simulation of network routing.

So, to familiarize ourselves with the issue, suppose you have a network that's organized more or less like this: you have several firewalls, and then you have a DMZ network with some other firewalls behind it, and then the core backbone, and behind that some more firewalled-off silos. You want to be able to simulate the paths that a packet would take when it's starting from one of these sides until it gets to its destination. Which path would it take? How would you go about simulating this path?

So basically you need to look at each of these routing elements and simulate the routing decision on that element, discover what the next-hop gateway is, go to it, simulate the routing decision on that, and so on and so forth until you get to the final destination. To be able to do that, you need to extract the routing tables from all the relevant routing elements so that you can simulate their decisions. So how would you do that?
How would you extract the routing information from all of these devices in your network? Well, the first thing that comes to mind is to use the Simple Network Management Protocol, SNMP. Probably all the routing elements in your environment respond to SNMP, so as long as you know the password that the devices require, their community string, you can use SNMP to query the devices and extract the routing tables. Or so you would think. There are some challenges, though, where this approach is limited. It's good, but it's limited.

One of the challenges is that in current networking there is a big trend toward virtualization. So if you consider one of these routers, for instance, you might discover that even though it's one big router physically, inside it's actually organized as several different routing elements, virtual routing elements, or VRFs for short, and each of these separate VRFs has its own routing table and makes its own routing decisions. So if you connect to the physical router using SNMP and extract the routing table, what will you get? Well, what usually happens is that you're going to get a mixture of the routing tables of all these VRFs; you wouldn't get each of them separately. And if you get a mixture of all the routes, you really are not accurately representing the routing decision, because in fact for any given packet only one of the VRFs will make a routing decision, and you need to identify which one it is and get that routing table separate from the rest. Basically, what this means is that if you have a multi-VRF router, using SNMP is probably not going to give you the results that you want; you'll get wrong routing information out of the device. So you have to resort to a different mechanism of extracting the routes, for instance using SSH to the command line of the device. If you connect that way, you can extract each routing table separately by issuing the appropriate commands and specifying the name of the VRF that you're interested in.

But if you're using SSH, you have a different challenge that you have to worry about, and that is that not all routes are equal. There are two broad classes of routes that a router manages: there are the static routes, and then there are the dynamic routes. Remember, these routers are probably constantly exchanging routing information between them using some routing protocol such as BGP, OSPF, RIP or some other routing protocol, and all of these dynamic routes are critical to the accuracy of the routing decision. So you need to be able to extract both the static routes and the dynamic routes, and the distinction is that typically there are different commands that extract these types of routes. So you have to remember to issue both types of commands to extract both the static and the dynamic routes; otherwise you only have a partial picture of the routing that that router is implementing.

A third challenge that I'd like to bring up is the case of router redundancy. So what is that all about? Well, if you look at one of your big core routers in your backbone, you might discover that for high availability reasons that router is not just a single device; it's actually a pair of devices. It really looks like this, where you have two physical devices next to each other and backing each other up. So they are synchronized; they are running some sort of high availability router redundancy protocol, usually either HSRP or VRRP, that synchronizes the routing state and the state tables between those two devices, so that if one of them goes down the other one takes over and all the routes continue seamlessly. Well, how does that work? One aspect of these protocols is that the interfaces on these two shadowing routers are paired. So for every interface coming out of the primary router there's also a second interface out of the secondary router, and they're both connected to the same subnets, and they have very similar IP addresses, but different: one is like a .1 and the other is a .2, and each of these pairs of interfaces back each other up. So how does that work in terms of the upstream router that tries to route to R2? How does the upstream router, let's say R3, refer to a route to R2? It cannot refer to the .1 or to the .2 IP address, because if R2 fails over, all of a sudden the IP address will be different. So the way this is resolved is that there's a third IP address that's usually called the virtual IP, or VIP, and that third IP floats between the two interfaces and is associated with one interface or the other depending on which physical router is currently the primary and which is the secondary. So in order to understand the routing on the upstream devices, you have to realize that your router is actually a pair of routers, and you have to identify all these IP addresses, the physical IP addresses and also the virtual IP address that is floating between them; otherwise you are going to misunderstand the routes on the upstream routers as they refer to this high availability pair.

So these are just some of the challenges that you have to face when you're trying to simulate the routing decision on a complex network. Thank you for your attention, and I hope to see you next in one of the future classes.
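The hop-by-hop simulation described in this lesson, carried over per-VRF routing tables with an HSRP/VRRP virtual IP as the upstream next hop, as an added example that is not code from the lesson or from any product: the device names (r1, r2a, r2b, r3), VRF names, addresses and routes are constructed, and the "mixed" table a plain SNMP pull of a multi-VRF router yields is modelled by simply merging a device's VRF tables.

```python
import ipaddress

# Constructed example data: device and VRF names, addresses and routes are made up.
# Per-device, per-VRF tables of (prefix, next_hop, source); next_hop None means the
# prefix is directly connected. The source records which extraction produced the route.
ROUTES = {
    ("r3", "global"): [("10.1.1.0/24", None, "connected"),
                       ("10.20.0.0/16", "10.1.1.254", "ospf")],      # next hop is a VIP
    ("r2a", "global"): [("10.1.1.0/24", None, "connected"), ("10.2.2.0/24", None, "connected"),
                        ("10.20.0.0/16", "10.2.2.9", "bgp")],
    ("r2b", "global"): [("10.1.1.0/24", None, "connected"), ("10.2.2.0/24", None, "connected"),
                        ("10.20.0.0/16", "10.2.2.9", "bgp")],
    ("r1", "blue"): [("10.2.2.0/24", None, "connected"), ("10.20.0.0/16", None, "connected")],
    ("r1", "red"): [("10.20.0.0/16", "192.168.5.1", "static")],      # same prefix, other VRF
}
# Physical interface address -> (device, VRF) that handles packets sent to it.
INTERFACES = {"10.1.1.1": ("r2a", "global"), "10.1.1.2": ("r2b", "global"),
              "10.2.2.9": ("r1", "blue")}
# HSRP/VRRP virtual IP -> physical address of the pair member currently holding it.
VIPS = {"10.1.1.254": "10.1.1.1"}

def lookup(device, vrf, dst, vrf_aware=True):
    """Longest-prefix match. vrf_aware=False merges all VRF tables of the device (what
    a plain SNMP pull of a multi-VRF router yields); equal prefixes with different
    next hops then make the decision ambiguous and None is returned."""
    tables = [t for (d, v), t in ROUTES.items() if d == device and (not vrf_aware or v == vrf)]
    best = None
    for prefix, nh, _src in (r for t in tables for r in t):
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
        elif best and net == best[0] and nh != best[1]:
            return None                 # merged tables disagree on this prefix
    return best

def simulate(device, vrf, dst, vrf_aware=True, max_hops=16):
    """Walk the path hop by hop; returns [(device, vrf, next_hop_or_status), ...]."""
    path = []
    for _ in range(max_hops):
        match = lookup(device, vrf, dst, vrf_aware)
        if match is None:
            return path + [(device, vrf, "no unambiguous route")]
        nh = match[1]
        if nh is None:
            return path + [(device, vrf, "connected")]
        path.append((device, vrf, nh))
        phys = VIPS.get(nh, nh)         # a VIP floats: resolve it to the active member
        if phys not in INTERFACES:
            return path + [(device, vrf, "unknown next hop " + phys)]
        device, vrf = INTERFACES[phys]
    return path + [(device, vrf, "hop limit exceeded")]
```

Calling `simulate("r3", "global", "10.20.5.5")` follows the VIP to r2a and ends in r1's blue VRF, while the same call with `vrf_aware=False` stops at r1 because the merged table carries two different next hops for 10.20.0.0/16; changing `VIPS["10.1.1.254"]` to "10.1.1.2" models a failover and reroutes the path through r2b.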