IT Baseline Protection Manual S 5.13 Appropriate use of equipment for network coupling

S 5.13 Appropriate use of equipment for network coupling

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section, Administrator

Devices used for network coupling such as routers, bridges or gateways not only connect networks, but can also be used for the physical or logical segmentation of networks. Availability can be enhanced by segmenting large networks into sub-networks, as a failure then affects only a limited part of the network and can be located more quickly. With an increasing number of network stations, response times can become unacceptable, and the need may arise to establish sub-networks for load balancing. Protection of sensitive information may be another reason for segmenting a network, so as to ensure that such information is not available throughout the network. For protection against external attackers, it may be advisable to allow connections to be opened only from the secure network into the non-secure network; conversely, for protection of confidential data it may be advisable to bar the transfer of packets from the secure to the non-secure network altogether.

A segmentation or coupling of networks can be performed on various layers in accordance with the OSI model. In this model, network coupling elements comprise, for example, repeaters on the physical layer (layer 1), bridges on the data link layer (layer 2), routers on the network layer (layer 3) and, in general, gateways on the application layer (layer 7). The illustration below is intended to provide a clearer understanding of the OSI model.

The OSI/ISO reference model

Connection with another network on a higher layer (from layer 3 onwards) of the OSI model allows, for example, the data flow to be regulated in accordance with security requirements, and thus achieves a controlled linkage between insecure networks and networks requiring protection.

On the other hand, it might become necessary to separate two networks if one needs to be protected against access from the other and vice versa, if the network availability in the event of a failure needs to be increased, or if the load on the individual network segments needs to be decreased.

To prevent manipulation, all network coupling devices must be installed so that only authorised persons have physical access to them.

Repeaters

Repeaters operate on layer 1 of the OSI model and do no more than regenerate and amplify the electrical signal. As a result, they allow the maximum cable length of an existing network segment to be increased, or several network segments to be linked together. In an Ethernet network based on coaxial cable, for example, repeaters can be used to extend the maximum cable length beyond 185 m (thin Ethernet, 10BASE2) and 500 m (thick Ethernet, 10BASE5) respectively. The configuration rules for repeaters must be observed here; they impose constraints on the number and arrangement of repeaters (for 10 Mbit/s Ethernet, no more than four repeaters and five segments may lie between any two stations).

In the case of twisted-pair cabling, repeaters are often used as central or decentralised network nodes for linking individual network subscribers. Because several repeaters have to be combined in one device for this purpose, such a device is termed a multi-port repeater. Multi-port repeaters are often also referred to as hubs or mini-hubs.

The separation thus achieved on layer 1 of the network restricts electrical errors to just one segment. However, this does not apply to errors occurring on higher layers (e.g. excessively frequent collisions or broadcast storms). Some manufacturers now also offer multi-port repeaters which evaluate information from layer 2 (but do not act as bridges), thus allowing the implementation of access restrictions. With such devices, for example, it is possible to grant network access only to certain network users.

Bridges

Connection of networks on layer 2 of the ISO/OSI reference model is performed using bridges. A bridge connects two networks which use the same logical link control (LLC) protocol but may use different medium access control (MAC) protocols. For instance, a bridge can connect an Ethernet with a Token-Ring network; such a bridge is termed a translation bridge or T-bridge.

This results in three essential advantages:

Switches (Ethernet, Token-Ring, ATM)

A switch is a variant of a bridge which links several logical LAN segments (multi-port bridge), and operates on layer 2 of the OSI model. Some new products also implement a switching functionality on layer 3 of the OSI model, thus allowing segmentation on this layer.

An Ethernet switch consists of several bridges connected together internally in an appropriate manner (e.g. via a switching matrix).

An Ethernet switch provides the advantages of a bridge for several ports (8 to 32 ports per switch are standard at present), i.e. every subscriber and every segment at a switch port forms a separate collision domain, and connections between ports are established on demand. This allows every connected segment to communicate with any other segment irrespective of the traffic on the remaining ports, provided that the target port is not already busy. Switches are particularly suitable for load separation and as central coupling elements for several sub-segments. Cascading switches, i.e. connecting secondary switches to a central switch, allows the formation of extremely high-performance networks, given that an appropriate logical network structure has been selected.

Ethernet switches which operate in accordance with the IEEE standard for bridges (IEEE 802.1D) use the store-and-forward technique. With this technique, the entire Ethernet frame is first read in from the source port and checked for correctness (minimum length and frame check sequence). Only frames which have been received correctly and completely are forwarded to the target segment. Such switches introduce comparatively long delays, but guarantee that no faulty frames are propagated to other segments. The use of store-and-forward switches is advisable wherever availability and integrity matter more than minimum latency.

In contrast, alternative techniques have been developed to increase the throughput of an Ethernet switch, i.e. to shorten the delay involved in processing frames. One such technique, termed on-the-fly or cut-through switching, does not read in and check the entire frame; it evaluates only the destination address (the first six bytes of the frame) and immediately begins forwarding the frame to the corresponding port while the remainder is still being received. On-the-fly switches are thus up to 20 times faster than store-and-forward switches. However, since the frame check sequence at the end of the frame cannot have been examined before forwarding starts, they also propagate faulty frames and collision fragments to other segments, impairing the bandwidth and, under certain circumstances, the availability of the segments in question. For this reason, on-the-fly switches should only be used in networks in which faulty frames are rare and maximum throughput is required. Most manufacturers now offer switches which incorporate both techniques and can be configured as required.
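To make the difference between the two forwarding techniques concrete, the following Python model of a small multi-port bridge is an added example and is not part of the BSI manual. It learns source addresses per port, floods frames for unknown destinations, and in store-and-forward mode discards runt frames and frames with a bad frame check sequence, whereas in cut-through mode it forwards as soon as the destination address has been read, so the same corrupt frame is propagated. The frames are constructed here; zlib.crc32 stands in for the IEEE 802.3 FCS (same polynomial, wire bit ordering ignored because only consistency between sender and switch matters).

```python
"""Store-and-forward vs cut-through forwarding in an Ethernet switch.

Added illustration, not code from the BSI manual. Frames are constructed
inline; zlib.crc32 is used as a stand-in for the 802.3 frame check sequence.
"""
import zlib
from typing import Dict, List, Tuple

MIN_FRAME = 64            # 802.3 minimum frame size including FCS (bytes)
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble dst | src | type | payload (padded to 60 bytes) | FCS."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")       # pad to minimum size
    fcs = zlib.crc32(body).to_bytes(4, "little")
    return body + fcs


def fcs_ok(frame: bytes) -> bool:
    """Recompute the FCS over everything but the last four bytes."""
    body, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == fcs


class Switch:
    """Multi-port bridge with address learning; mode selects the technique."""

    def __init__(self, ports: int, mode: str = "store-and-forward") -> None:
        if mode not in ("store-and-forward", "cut-through"):
            raise ValueError(mode)
        self.ports = ports
        self.mode = mode
        self.mac_table: Dict[bytes, int] = {}   # learned source MAC -> port
        self.dropped = 0                         # frames discarded by the FCS/length check

    def _egress(self, in_port: int, dst: bytes) -> List[int]:
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:
            # unknown or broadcast destination: flood to all other ports
            return [p for p in range(self.ports) if p != in_port]
        return [] if out == in_port else [out]

    def receive(self, in_port: int, frame: bytes) -> List[Tuple[int, bytes]]:
        """Return the (out_port, frame) pairs that are actually forwarded."""
        dst, src = frame[0:6], frame[6:12]
        if self.mode == "store-and-forward":
            # The whole frame is read in first; runts and FCS errors never
            # leave the source port.
            if len(frame) < MIN_FRAME or not fcs_ok(frame):
                self.dropped += 1
                return []
        # Cut-through: forwarding starts once the 6-byte destination is in.
        # The FCS at the tail has not been seen yet, so a corrupt frame goes out.
        self.mac_table[src] = in_port
        return [(p, frame) for p in self._egress(in_port, dst)]


if __name__ == "__main__":
    a, b = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b"
    good = build_frame(b, a, 0x0800, b"hello")
    bad = bytearray(good)
    bad[20] ^= 0xFF                       # corrupt one payload byte, FCS now wrong
    for mode in ("store-and-forward", "cut-through"):
        sw = Switch(4, mode)
        print(mode, "good ->", [p for p, _ in sw.receive(0, good)],
              "bad ->", [p for p, _ in sw.receive(0, bytes(bad))])
```

Running the demo shows the good frame flooded to ports 1 to 3 in both modes (destination not yet learned) and the corrupt frame reaching those ports only from the cut-through switch.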

Some products now also support switching on layer 3 of the OSI model. In this case, network subscribers are no longer distinguished by their MAC address (layer 2 switching), but by the addresses on layer 3 (for the TCP/IP protocol stack, this is the IP address). Layer-3 switching can further enhance performance; for this though, the switch must be able to process the protocols used on layer 3, similar to a router.

In terms of their function, switches for ATM and Token-Ring are very similar to Ethernet switches, i.e. a switch for these protocols also allows two network subscribers or segments to communicate with each other, independently of the remaining subscribers / segments. In fact, the underlying design of an ATM network makes the use of switches mandatory in such a network.

During the selection of switches intended to realise a collapsed backbone, the available port density must be taken into account. A collapsed backbone should not involve the use of several switches, if these switches do not have a common (high-speed) backplane (refer to S 5.2 Selection of an appropriate network topography).

Routers

Routers separate or link networks on layer 3 of the OSI model. Unlike repeaters and bridges, routers therefore do not operate independently of the network protocol: they must process the protocols in use on the network layer (e.g. IP). As a result, routers slow the flow of data between two connected subnetworks noticeably more than bridges do, since every packet has to be evaluated on layer 3.

Due to their ability to process protocols, routers are used mainly for LAN-LAN and LAN-WAN coupling. For example, a router can link two LANs via an ISDN line. In this case, the LAN protocol is encapsulated in its original form in the WAN protocol and then transferred. Another protocol which can be used here is the X.25 protocol. In large networks consisting of many subnetworks which are linked together via routers, one important task performed by these routers is routing between the subnetworks, i.e. forwarding of data packets between these subnetworks. A fundamental distinction can be made between two techniques here:

Packet filters on routers can also be used for access control, i.e. to specify which systems are allowed to communicate with each other via the router, in which direction, and using which protocols (and, for TCP/IP, which ports).
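As an added example (not taken from the manual), the following Python packet filter models the two opposite policies mentioned at the start of this safeguard on a router between an assumed protected network 10.1.0.0/16 and an assumed external network 192.0.2.0/24: one rule set permits connections to be opened only from the protected side outwards, the other bars the protected side from opening connections outwards while still admitting inbound mail to an assumed mail host. Networks, rules and packets are constructed for illustration; rules are evaluated first match wins, with deny as the default.

```python
"""Directional packet filter on a router (added example, not from the manual).
Networks, rules and sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SECURE = ipaddress.ip_network("10.1.0.0/16")     # assumed protected LAN
INSECURE = ipaddress.ip_network("192.0.2.0/24")  # assumed external network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp
    syn: bool = False            # tcp only: True on a connection-opening segment


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    from_net: ipaddress.IPv4Network
    to_net: ipaddress.IPv4Network
    proto: Optional[str] = None          # None matches any protocol
    dport: Optional[int] = None          # None matches any port
    syn: Optional[bool] = None           # True: SYN only, False: non-SYN only, None: either

    def matches(self, p: Packet) -> bool:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if src not in self.from_net or dst not in self.to_net:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.syn is not None and (p.proto != "tcp" or p.syn != self.syn):
            return False
        return True


def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything not explicitly permitted is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Policy 1: protect the secure network against outside attackers. Connections
# may only be opened from inside; reply segments (TCP without SYN) are let back in.
OUTBOUND_ONLY = [
    Rule("deny", INSECURE, SECURE, "tcp", syn=True),     # no inbound connection attempts
    Rule("permit", SECURE, INSECURE),                    # everything may go out
    Rule("permit", INSECURE, SECURE, "tcp", syn=False),  # replies to inside-initiated sessions
]

# Policy 2: keep confidential data inside. Nothing may be opened outwards; only
# the reply segments of inbound mail sessions (assumed SMTP host) may leave.
NO_EXPORT = [
    Rule("permit", INSECURE, SECURE, "tcp", dport=25),   # inbound SMTP
    Rule("permit", SECURE, INSECURE, "tcp", syn=False),  # replies belonging to those sessions
    Rule("deny", SECURE, INSECURE),                      # no connection opened outwards
]

SAMPLE = [  # constructed packets for the demo
    Packet("10.1.2.3", "192.0.2.10", "tcp", 443, syn=True),   # inside opens HTTPS
    Packet("192.0.2.10", "10.1.2.3", "tcp", 22, syn=True),    # outside opens SSH
    Packet("192.0.2.10", "10.1.2.3", "tcp", 40000),           # reply to inside session
    Packet("192.0.2.10", "10.1.2.3", "udp", 53),              # inbound DNS query
    Packet("192.0.2.10", "10.1.0.25", "tcp", 25, syn=True),   # inbound mail
    Packet("10.1.2.3", "192.0.2.10", "icmp"),                 # inside pings out
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>12} -> {p.dst:<12} {p.proto:<4} {str(p.dport):>5} "
              f"syn={p.syn!s:<5} outbound-only={decide(OUTBOUND_ONLY, p):<6} "
              f"no-export={decide(NO_EXPORT, p)}")
```

Because each packet is judged on its own, both rule sets have to admit the non-SYN segments that belong to permitted connections. In the second policy this means any inside host can still push data outwards in TCP segments without the SYN flag, so a stateless filter only approximates the confidentiality policy; enforcing it requires a stateful filter or an application gateway.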

Concentrators and hubs

A hub is an element which incorporates one or more active network coupling components and allows these components to communicate with each other via an internal backplane (also refer to S 5.2 Selection of an appropriate network topography). Hubs which can incorporate several network coupling components, if required, are termed modular hubs; accordingly, hubs which can only incorporate one coupling component are termed non-modular hubs. If the backplanes of several hubs can be connected together, these hubs are termed stackable hubs. The use of a hub or concentrator results, at least in part, in star-shaped wiring of the terminal devices; for this reason, hubs and concentrators are also termed star couplers.

As already mentioned in the case of repeaters, the smallest form of a concentrator or a hub is a multi-port repeater. In contrast, modular hubs allow the integration of various coupling elements (e.g. repeaters, bridges, routers) which, in turn, can operate on several layers. This concentration of network coupling components at a single point gives rise to advantages which facilitate the administration of the network, although a failure of such a central hub would affect the entire network. Appropriate precautionary measures, e.g. redundant arrangement of the network components, should be taken for such a contingency (refer to S 6.53 Redundant arrangement of network components).

Gateway

A gateway links two networks on the application layer (layer 7) of the OSI model. For this reason, a gateway not only converts network protocols, but also transports data on the application layer and, if necessary, modifies this data and evaluates it from a security perspective. One typical application of a gateway is communication between systems in a TCP/IP network and an SNA host. In this case, the gateway consists of a combination of hardware and software. However, there are also gateways based purely on software. These include, for example, mail gateways which can recognise and convert different mail formats.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999