12.07.2015

Symantec™ Security Gateways Reference Guide - Sawmill
Security gateway fundamentals

Routes

Routing TCP/IP packets

Conceptually, IP routing is straightforward. Packets follow a logical and ordered approach to move from one host to another. Listed below are the steps that all protocol stacks follow when routing packets using the TCP/IP protocol suite.

1. The application layer creates a packet, beginning with the application header (information about the packet) and ending with the application data. The new packet is then sent down the stack to the host-to-host transport layer.

2. The host-to-host transport layer does the same thing the previous layer did: it creates a new TCP packet with its own header first, followed by the application packet. The host-to-host transport layer then pushes the packet down to the Internet layer.

3. The Internet layer determines what to do next with the packet by:
■ Searching the internal routing table for an entry that matches the complete destination IP address (a host route). If found, the packet is sent to the indicated next-hop router, or to the directly connected network interface.
■ Next, searching the internal routing table for an entry that matches just the destination network ID. If found, the packet is sent to the indicated next-hop router, or to the directly connected interface.
■ Lastly, searching the routing table for an entry marked "default". If found, the packet is sent to that next-hop router. If no entry matches and no default route exists, the packet cannot be delivered and is dropped.

4. Once the Internet layer determines where the packet goes next, an IP header is added and the packet is pushed down the stack to the network access layer.

5. At the network access layer, a frame header and footer are added, and the entire frame is pushed along the physical layer (network connection) until the frame reaches the destination machine. Each machine on the network checks the frame header to determine whether the frame is addressed to it. If not, the frame is quietly ignored. If the frame is intended for a machine, however, that machine pulls the frame off the network connection, strips off the header and footer, and pushes the packet up its own protocol stack to the Internet layer.

6. The Internet layer follows the same three steps it did in step 3 on the prior host to determine what needs to happen to the packet. If this is the last machine (the intended destination), the IP header is stripped off and the packet is sent up to the host-to-host transport layer. If this is not the intended machine, step 4 is performed again and the packet continues on its way.

7. The host-to-host transport layer checks the packet for accuracy and a proper checksum, and if the packet's information is correct, strips off the TCP header and sends the packet to the application layer.

8. The application layer then directs the packet to an application or process operating on the machine.

This process occurs for each packet, until all the necessary information is transferred in both directions. It also depends on every machine in the delivery path being correctly configured, with its routing table properly set up; a single host with a wrong or missing route silently breaks delivery for every packet that crosses it.

Static routes

If your network consists of a series of smaller networks, it is considered a routed network, as opposed to a flat network, which consists of only one subnet. Because the security gateway follows the process for routing TCP/IP packets outlined earlier, if one of your internal subnets is not connected directly to the security gateway, any packets for that subnet that reach the security gateway go out through the default gateway. In most cases, the default gateway is the router or connection you have to your ISP.

A problem arises, then, when a packet comes in to the security gateway destined for a machine on one of your internal subnets that is not directly visible to the security gateway. The packet is sent toward the default gateway or rejected, and never reaches its intended destination. To correct this problem, you must define static routes to tell the security gateway about other hosts or networks that are not directly visible to it, but to which it should route traffic.
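The following Python script is an added example, not code from the Symantec guide or from the security gateway itself. It implements the three-step routing lookup from "Routing TCP/IP packets" (host match, network match, default) and then reproduces the static-route problem described above: a gateway with a directly connected internal subnet, a default route to the ISP, and a second internal subnet behind an internal router that the gateway cannot see until a static route is added. All addresses, interface names and function names are assumptions made for the example. The network-match step is generalized to longest-prefix match, which is what real stacks do when several network entries contain the destination.

```python
import ipaddress


class RoutingTable:
    """Routing table implementing the three-step lookup the guide describes:
    (1) an entry matching the complete destination address (host route),
    (2) an entry matching the destination network ID (longest prefix wins),
    (3) the entry marked 'default'."""

    def __init__(self):
        self.host_routes = {}   # IPv4Address -> next-hop router or interface name
        self.net_routes = []    # [(IPv4Network, next hop)], longest prefix first
        self.default = None     # next hop for the 'default' entry

    def add_host(self, host, via):
        self.host_routes[ipaddress.ip_address(host)] = via

    def add_network(self, network, via):
        self.net_routes.append((ipaddress.ip_network(network, strict=False), via))
        # keep the most specific network first so step 2 is a longest-prefix match
        self.net_routes.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

    def set_default(self, via):
        self.default = via

    def lookup(self, dst):
        """Return (match kind, next hop), or None when the packet cannot be routed."""
        addr = ipaddress.ip_address(dst)
        if addr in self.host_routes:                      # step 1: complete address
            return ("host", self.host_routes[addr])
        for network, via in self.net_routes:              # step 2: network ID
            if addr in network:
                return ("network", via)
        if self.default is not None:                      # step 3: default route
            return ("default", self.default)
        return None                                       # no route: packet is dropped


def build_gateway_table():
    """Constructed example gateway: two directly connected interfaces and a
    default route to the ISP router. Addresses and interface names are
    assumptions for this example, not values from the guide."""
    rt = RoutingTable()
    rt.add_network("203.0.113.0/24", "eth0")    # external side, directly connected
    rt.add_network("192.168.1.0/24", "eth1")    # internal side, directly connected
    rt.set_default("203.0.113.1")               # ISP router
    return rt


def needs_static_route(rt, dst):
    """Sanity check before going live: a private destination that either has
    no route at all or would leave via the default (ISP) route is a subnet the
    gateway cannot see, which means a static route is missing."""
    result = rt.lookup(dst)
    if result is None:
        return True
    kind, _ = result
    return kind == "default" and ipaddress.ip_address(dst).is_private


def route_with_and_without_static(dst="192.168.2.10"):
    """Show the problem and the fix: 192.168.2.0/24 sits behind the internal
    router 192.168.1.254 (assumed) and is not directly visible to the gateway."""
    rt = build_gateway_table()
    before = rt.lookup(dst)                              # resolves to the ISP router
    rt.add_network("192.168.2.0/24", "192.168.1.254")    # the static route
    after = rt.lookup(dst)                               # now resolves to the internal router
    return before, after


if __name__ == "__main__":
    before, after = route_with_and_without_static()
    print("without static route:", before)
    print("with static route:   ", after)
    rt = build_gateway_table()
    print("192.168.2.10 needs a static route:", needs_static_route(rt, "192.168.2.10"))
```

Running the script shows the packet for 192.168.2.10 resolving to the default gateway 203.0.113.1 before the static route exists and to the internal router 192.168.1.254 afterwards; `needs_static_route` is the check to run against every internal subnet's addresses after configuring the gateway, since a private destination heading for the ISP is exactly the misrouting the section warns about.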
