What is a Network?

A network consists of two or more computers that are linked in order to share resources (such as printers and CDs), exchange files, or allow electronic communications. The computers on a network may be linked through cables, telephone lines, radio waves, satellites, or infrared light beams. [source]

With the definition of a network out of the way, we can take a look at the OSI networking stack and describe the network layers.

OSI Network Stack

OSI stands for Open Systems Interconnection. This model describes seven layers that computer systems use to communicate over a network.

  • Layer 1 - Physical: Optical, frequency and cable are the transfer media
    It defines how to transmit and receive wavelengths, ones/zeroes, voltages and radio frequencies.
  • Layer 2 - Data Link: MAC address, frame, named connection
    The transfer medium is shared, so this layer decides who can talk and when, avoiding cross-talk. It allows for backoff and retransmission. Think of a traffic cop or traffic lights.
  • Layer 3 - Network: Public IP address, packets, single stream for a node
    Packets are encapsulated and de-encapsulated at each step.
  • Layer 4 - Transport: TCP/UDP, segments
    TCP is reliable; UDP is fast but unreliable. TCP uses segments to ensure data is received in the correct order. Error checking, and ports that allow different streams on the same host.
  • Layer 5 - Session: Session concept, security groups, stateful firewalls
    Initiating traffic and response traffic are part of the same connection.
  • Layer 6 - Presentation: Data conversion, encryption and compression
    Standards that L7 can use. HTTPS: TLS encryption happens here.
  • Layer 7 - Application: Application data, body and HTTP headers
    Your application or protocol data is held here.

IP Addressing and CIDR

An IP address consists of a network portion and a host portion. The subnet mask or prefix tells you where the split occurs.
This [page] describes the subnet mask and the details of CIDR.

CIDR stands for Classless Inter-Domain Routing. It allows more efficient allocation and subnetworking.
10.0.0.0/24: the first 24 bits are the network, and the last 8 bits are the address of the node within the network. The number after the slash is the prefix length, so 3x8 = the first 24 bits are the network address, and 32-24 = 8 bits are usable by nodes.
The 0 and 255 addresses are reserved for the network, broadcast and gateway. That means you have 253 usable IP addresses.

Subnetting

The process of breaking a network down into smaller subnetworks.
A VPC is split into individual subnets. Each subnet is present inside one availability zone.
By implementing subnets you can spread your infrastructure across different availability zones, which allows you to build high availability into your infrastructure.

  • 10.0.0.0/16
    32-16 = 16 host bits -> 2^16 -> Available IP addresses: 65536 - 2 reserved IPs
    First IP: 10.0.0.0, Last IP: 10.0.255.255
  • 10.0.0.0/17
    32-17 = 15 host bits -> 2^15 -> Available IP addresses: 32768 - 2 reserved IPs
    First IP: 10.0.0.0, Last IP: 10.0.127.255
  • 10.0.128.0/17
    32-17 = 15 host bits -> 2^15 -> Available IP addresses: 32768 - 2 reserved IPs
    First IP: 10.0.128.0, Last IP: 10.0.255.255
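The CIDR arithmetic above (network bits, host bits, first and last address, and splitting a /16 into two /17s) in working code. This is an added example, not code from the original post; the addresses are constructed, and the number of reserved addresses is a parameter because plain IPv4 reserves 2 per subnet (network and broadcast) while an AWS VPC subnet reserves 5 (the first four and the last).

```python
import ipaddress

# Added example (not from the original post). The blocks below are constructed inputs.

def describe(cidr: str, reserved: int = 2) -> dict:
    """Split a CIDR block into its network/host parts and count usable hosts."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # strict: host bits must be zero
    host_bits = 32 - net.prefixlen
    return {
        "netmask": str(net.netmask),
        "network_bits": net.prefixlen,
        "host_bits": host_bits,
        "total": 2 ** host_bits,
        "usable": 2 ** host_bits - reserved,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
    }

def split(cidr: str, new_prefix: int) -> list:
    """Cut a block into equal smaller subnets, e.g. one /16 into two /17s."""
    net = ipaddress.IPv4Network(cidr)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]

def network_and_host(ip: str, prefixlen: int) -> tuple:
    """Do the split by hand with a bit mask, to show where the slash actually cuts."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    network = addr & mask                # the first prefixlen bits
    host = addr & (~mask & 0xFFFFFFFF)   # the remaining 32 - prefixlen bits
    return str(ipaddress.IPv4Address(network)), host

if __name__ == "__main__":
    for block in ("10.0.0.0/24", "10.0.0.0/16", "10.0.0.0/17", "10.0.128.0/17"):
        print(block, describe(block))
    print(split("10.0.0.0/16", 17))
    print(network_and_host("10.0.1.37", 24))
```

`strict=True` is a useful check in configuration code: a block like 10.0.1.0/16 raises an error because it has host bits set, which usually means someone typed the wrong prefix length.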

Routing

Getting packets from your location to a destination in another location and network. IP routing happens at three scales: LAN, MAN and WAN.

LAN

  • Local, same network/subnet
  • An ARP request is used to get the MAC address, because you don't need the IP address of other devices to communicate within the same subnet. But generally applications, and we ourselves, prefer to use an IP address or DNS name.
    ARP: make a broadcast, "who has this IP? I would like to learn its MAC."
  • Send frames with the MAC address to the target.
  • Layer 2; no router is needed.
  • Peer-to-peer communication

MAN

  • Known locations, communication between 2 subnets
  • Is the target local? That question is answered using the subnet mask and our own IP address. If the target is not local, then follow the steps below :)
  • We should forward that packet; the one option is the default gateway.
  • Find the MAC of the gateway. The gateway is a router device, generally the first IP of the network.
  • Send the packet to the router/gateway.
  • The router tries to find the target node.
  • Find the MAC of the next hop.
  • Deliver the packet.

WAN

  • Unknown locations, the Internet
  • There are extra steps compared to MAN.
  • In MAN we knew the target, because it was in the other subnet (remember we had 2 subnets). In a WAN there are a lot of networks.
  • We use the BGP protocol to find the location of the target: the backbone IP.
  • The backbone router looks at how it can send the packet to the target and calculates the best way to deliver packets.
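The LAN/MAN/WAN decision described in the three lists above, as one host's forwarding logic: the same-subnet check done with the subnet mask, a longest-prefix-match route lookup, and ARP for either the target itself or the gateway. This is an added example, not code from the original post; the host address, routes, gateway addresses and ARP cache entries are constructed, and a real host would read them from its interface configuration and ARP table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not from the original post). Host, routes and MACs are constructed.

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None = directly connected: we ARP for the target itself
    iface: str

MY_IP = ipaddress.IPv4Address("10.0.1.10")
MY_PREFIXLEN = 24

ROUTES = [
    Route(ipaddress.IPv4Network("10.0.1.0/24"), None, "eth0"),          # LAN: own subnet
    Route(ipaddress.IPv4Network("10.0.0.0/16"), "10.0.1.254", "eth0"),  # MAN: sibling subnets via internal router
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "10.0.1.1", "eth0"),      # WAN: default gateway for everything else
]

# Constructed ARP cache, IP -> MAC. A real host fills it with broadcast "who has <ip>?" requests.
ARP_CACHE = {
    "10.0.1.1": "02:00:00:00:00:01",
    "10.0.1.254": "02:00:00:00:00:fe",
    "10.0.1.20": "02:00:00:00:00:14",
}

def is_local(target: str, my_ip: ipaddress.IPv4Address = MY_IP, prefixlen: int = MY_PREFIXLEN) -> bool:
    """The 'is the target local?' question: compare the network bits of both addresses."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(target)) & mask) == (int(my_ip) & mask)

def lookup(target: str, routes=ROUTES) -> Route:
    """Longest-prefix match: the most specific route wins; 0.0.0.0/0 only matches as a last resort."""
    t = ipaddress.IPv4Address(target)
    candidates = [r for r in routes if t in r.prefix]
    if not candidates:
        raise LookupError("no route to " + target)
    return max(candidates, key=lambda r: r.prefix.prefixlen)

def arp(ip: str, cache=ARP_CACHE) -> str:
    """Resolve IP -> MAC. Only ever asked for addresses on our own link."""
    if ip not in cache:
        raise LookupError("ARP: no reply for " + ip)
    return cache[ip]

def next_hop(target: str) -> Tuple[str, str]:
    """Return (IP the frame is addressed to, its MAC): the target when local, otherwise the gateway."""
    route = lookup(target)
    hop_ip = target if route.next_hop is None else route.next_hop
    return hop_ip, arp(hop_ip)

if __name__ == "__main__":
    for dst in ("10.0.1.20", "10.0.2.5", "93.184.216.34"):
        print(dst, "local" if is_local(dst) else "remote", next_hop(dst))
```

Note that the destination IP in the packet never changes along the way; only the MAC address of the frame changes at each hop, which is why the LAN step (ARP for the target) and the MAN/WAN step (ARP for the gateway) differ only in which address is resolved.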

Firewalls

They are the barrier of a network: security devices that analyze incoming and outgoing traffic. They work rule based: the firewall matches rules against the traffic and decides the status of that traffic, allow or deny?

Firewalls are classified according to their ability to work at different network layers: layer 3, 4, 5 and 7 firewalls.
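The rule matching described above, together with the layer 5 "response traffic is part of the same connection" idea from the OSI list, in working code: a stateless first-match rule evaluator, and a stateful wrapper that allows a reply because it belongs to a session it already allowed. This is an added example, not code from the original post; the rules, addresses and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not from the original post). Rules and packets are constructed.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR
    dst: str                 # CIDR
    dports: Tuple[int, int]  # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and ipaddress.IPv4Address(p.src) in ipaddress.IPv4Network(self.src)
            and ipaddress.IPv4Address(p.dst) in ipaddress.IPv4Network(self.dst)
            and self.dports[0] <= p.dport <= self.dports[1]
        )

def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Stateless evaluation: the first matching rule decides, otherwise the default applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

def reverse(p: Packet) -> Packet:
    """The 5-tuple of the reply direction."""
    return Packet(p.dst, p.src, p.proto, p.dport, p.sport)

class StatefulFirewall:
    """Layer 5 style: a reply is allowed because the session it belongs to was already allowed."""
    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self.sessions = set()   # 5-tuples of connections we have allowed

    def process(self, p: Packet, direction: str) -> str:
        if reverse(p) in self.sessions:
            return "allow"                           # response traffic of a known session
        verdict = evaluate(self.inbound if direction == "in" else self.outbound, p)
        if verdict == "allow":
            self.sessions.add(p)                     # remember the initiating side
        return verdict

# Constructed policy for a web server at 10.0.1.10: HTTPS from anywhere, nothing else.
SERVER = "10.0.1.10"
INBOUND = [Rule("allow", "tcp", "0.0.0.0/0", SERVER + "/32", (443, 443))]
OUTBOUND: List[Rule] = []   # default deny: the server may not start connections itself

def demo() -> dict:
    fw = StatefulFirewall(INBOUND, OUTBOUND)
    request = Packet("203.0.113.7", SERVER, "tcp", 51000, 443)
    reply = reverse(request)
    ssh = Packet("203.0.113.7", SERVER, "tcp", 51001, 22)
    server_initiated = Packet(SERVER, "198.51.100.9", "tcp", 40000, 80)
    return {
        "request_in": fw.process(request, "in"),
        "reply_out": fw.process(reply, "out"),          # allowed by the session, not by a rule
        "ssh_in": fw.process(ssh, "in"),
        "server_initiated_out": fw.process(server_initiated, "out"),
        "reply_stateless": evaluate(OUTBOUND, reply),   # a stateless ACL drops the same reply
    }

if __name__ == "__main__":
    print(demo())
```

The last entry is the practical difference between the two AWS filters mentioned later in the post: a security group is stateful and behaves like `StatefulFirewall`, while a NACL is stateless and behaves like a bare `evaluate`, so a NACL needs an explicit rule for return traffic on the ephemeral port range or replies are dropped.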

Proxy Server

It's another type of gateway. It sits between the public and the private network.
A client makes a connection to the public internet; this request goes to the proxy server. The proxy server makes a request to the destination and delivers the response to the client in the private network.

  • A proxy server needs application support, configured in the OS, browser or app.
  • Caching: clients connect to the same destination, so the proxy server caches common large files and images; instead of re-requesting these files from the remote, the proxy delivers them from its cache. Bandwidth is used effectively.
  • Filtering: clients access the remote indirectly, so the proxy server can filter out content that raises child-safety concerns.
  • A proxy server can perform authentication or validation: it can check that the client has a valid corporate ID.

Inside AWS we have a lot of filtering products such as NACLs and Security Groups. These filter based on network-level factors; nothing above layer 5 in AWS.
If you want to filter based on profile, age or department using a corporate ID, you should install a proxy server on EC2.
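The proxy behaviour described in this section (validate the client's corporate ID, apply content filtering, serve repeats from cache, otherwise fetch on the client's behalf) as one request pipeline. This is an added example, not code from the original post; the origin server is a constructed in-memory stand-in that counts fetches so the cache effect is visible, and the blocklist, URLs and employee IDs are constructed.

```python
from urllib.parse import urlsplit

# Added example (not from the original post). Origin content, blocklist and IDs are constructed.

class Origin:
    """Stand-in for the remote servers; counts fetches so the cache effect is measurable."""
    def __init__(self, pages: dict):
        self.pages = pages
        self.fetches = 0

    def get(self, url: str) -> str:
        self.fetches += 1
        return self.pages[url]

class Proxy:
    def __init__(self, origin: Origin, blocked_hosts, valid_ids):
        self.origin = origin
        self.blocked_hosts = set(blocked_hosts)
        self.valid_ids = set(valid_ids)
        self.cache = {}
        self.hits = 0

    def request(self, client_id: str, url: str):
        # 1. validation: the client must present a valid corporate ID
        if client_id not in self.valid_ids:
            return 407, "proxy authentication required"
        # 2. filtering: the proxy sees every destination, so policy is applied before any fetch
        host = urlsplit(url).hostname
        if host in self.blocked_hosts:
            return 403, "blocked by policy"
        # 3. caching: repeated requests for the same object are served from the local copy
        if url in self.cache:
            self.hits += 1
            return 200, self.cache[url]
        # 4. otherwise fetch on the client's behalf and keep a copy for the next client
        body = self.origin.get(url)
        self.cache[url] = body
        return 200, body

def demo():
    origin = Origin({
        "https://files.example.com/big.iso": "<iso bytes>",
        "https://news.example.com/": "<news html>",
    })
    proxy = Proxy(origin, blocked_hosts={"news.example.com"}, valid_ids={"emp-1001", "emp-1002"})
    results = [
        proxy.request("emp-1001", "https://files.example.com/big.iso"),
        proxy.request("emp-1002", "https://files.example.com/big.iso"),  # served from cache
        proxy.request("emp-1001", "https://news.example.com/"),          # filtered by policy
        proxy.request("guest", "https://files.example.com/big.iso"),     # no corporate ID
    ]
    return results, origin.fetches, proxy.hits

if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: identity is established first so that filtering and cache decisions can be tied to a known client, and the cache is consulted only after the policy check so a blocked URL is never served from a copy another client fetched earlier.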

Posted by Abdullah Caliskan
