Wednesday, April 17, 2013

What is the difference between iptables and TCP wrappers?

There are several ways to control access to a service on a Linux server: 


1) Firewall (netfilter): you use the iptables command to administer the rules. The firewall works at the internet layer, allowing or denying access from/to a specific host, which in this case means matching on TCP/IP addresses and TCP/UDP port numbers, e.g. allowing access to port 80 on a web server. With iptables you can restrict access to any port, protocol or service.


2) TCP wrappers is another method of allowing or denying access to a specific service; it works at the application layer. Furthermore, TCP wrappers is implemented in user space and can be used only with xinetd-based services, whereas iptables is implemented in kernel space and works at the internet layer, which of course can be extended to other layers by using various modules.


TCP wrappers depends on the libwrap.so library, and there are two configuration files involved in this setup:


/etc/hosts.allow
/etc/hosts.deny

Not all programs/services can make use of TCP wrappers, only a few.
Use this command to check whether a program/service is linked against libwrap.so:

[root@localhost Desktop]# ldd $(which sshd) | grep libwrap 
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fc19ee83000) 
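As an added example (not from the original post), here is a small Python model of the hosts_access(5) decision that libwrap makes for a wrapped service such as sshd: hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is admitted, which is why the catch-all `ALL: ALL` line in hosts.deny matters. It goes slightly beyond the post by handling the common client patterns (ALL, LOCAL, CIDR or netmask, address prefix, domain suffix, EXCEPT); the file contents, addresses and daemon names are constructed.

```python
"""Model of the hosts_access(5) decision libwrap makes for a wrapped service:
hosts.allow is checked first (match => allow), then hosts.deny (match => deny);
a client that matches neither file is ALLOWED by default. IPv4 only."""
import ipaddress

def _match_client(pattern, ip, host):
    """One client pattern: ALL, LOCAL, net/mask or CIDR, 'a.b.' prefix, '.dom' suffix, exact."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # hostname without a dot
        return host != "" and "." not in host
    if "/" in pattern:                           # 192.0.2.0/24 or 192.0.2.0/255.255.255.0
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):                    # address prefix, e.g. "192.0.2."
        return ip.startswith(pattern)
    if pattern.startswith("."):                  # domain suffix, e.g. ".example.com"
        return host.endswith(pattern)
    return pattern in (ip, host)

def _match_list(items, match):
    """'a b EXCEPT c d': matches the left part unless the right part also matches."""
    left, _, right = items.replace(",", " ").partition(" EXCEPT ")
    return any(match(p) for p in left.split()) and not any(match(p) for p in right.split())

def _file_matches(text, daemon, ip, host):
    """True if any 'daemon_list : client_list' line of the file matches the request."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]             # drop comments
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]   # a third field (shell command) is ignored
        if _match_list(daemons, lambda p: p in ("ALL", daemon)) and \
           _match_list(clients, lambda p: _match_client(p, ip, host)):
            return True
    return False

def hosts_access(hosts_allow, hosts_deny, daemon, ip, host=""):
    """Return True if the client is admitted to `daemon`, following libwrap's order."""
    if _file_matches(hosts_allow, daemon, ip, host):
        return True
    if _file_matches(hosts_deny, daemon, ip, host):
        return False
    return True                                  # no match anywhere: access granted

# Constructed sample policy: sshd from the management net (minus one host), local single-label hosts for ALL, rest denied.
HOSTS_ALLOW = "sshd: 192.0.2.0/24 EXCEPT 192.0.2.99\nALL: LOCAL\n"
HOSTS_DENY = "ALL: ALL   # without this catch-all, unmatched clients would get in\n"
```

Try `hosts_access(HOSTS_ALLOW, "", "vsftpd", "198.51.100.7")` to see the default-allow behaviour when hosts.deny is empty.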

These are just the fundamentals of TCP wrappers and iptables; look into their manuals for more detail.

Tuesday, April 16, 2013

NetFlow vs SNMP interface stats

I won't write a lot of words to explain what NetFlow and SNMP are; if you want to know, you could google them, and normally the first link would fit your need.

Today, I encountered a problem: my Cacti weathermap and my NFSEN NetFlow traffic map showed different results.


[Screenshot: Cacti output]

[Screenshot: NFSEN output]



In my Cacti, the traffic was around 1.4m, but in my NFSEN there was only around 270k!

I was stuck there for a while, then I googled 'netflow' and figured out what was going on.

In fact, NetFlow only records traffic in a single direction, either into or out of a specific interface on a NetFlow exporter (normally the exporter is a router). As the name says, NetFlow records traffic per flow, much like a TCP session; it does not read the router's interface counters. Instead, the exporter sends all the flow records to a collector, which processes them and displays the results to you. This is why, when configuring a router, you will find a parameter called 'timeout'; on a Cisco router it looks like:

        ip flow-cache timeout active 5

This value tells the exporter to export flow records to the analyzer every 5 minutes, even if the flow has not been properly closed. Because of that, the NetFlow chart from NFSEN cannot be used for real-time traffic analysis. Even for a short period of network analysis it won't make sense; due to its flow nature we can only use it to analyze historical data. That is still very useful, because NetFlow records packet headers, so we can see which protocols and IPs are consuming our bandwidth and, if necessary, block or limit access for that IP or protocol. This is very useful for a network or security admin.

But we have to be aware that NetFlow works only in a single direction, so you can analyze either inbound or outbound data. For a non-load-balanced environment this is OK, but in a load-balanced or MPLS environment it becomes a little more complicated. In a non-load-balanced environment we can simply enable NetFlow on both sides and get all the traffic on the path. In an MPLS or load-balanced environment you can do the same thing, but you need to be aware that the inbound and outbound traffic do not take the same path; that is to say, you have to analyze all traffic on all the paths used to balance it. That was what I encountered this afternoon.

From the screenshots you can see that the NFSEN output is similar to the Cacti output, but there are still differences.

Based on the lesson I learned, I figured out why we still need an SNMP analysis engine like Cacti even when we already have NetFlow: Cacti shows the pure traffic stats, which helps the network admin understand bandwidth usage, and NetFlow helps the network admin figure out who the bad guy poisoning your network is.