From 1064b0e543955b2d25f24d530fc7ca0f8abd77c1 Mon Sep 17 00:00:00 2001 From: Jet Hughes Date: Thu, 20 Oct 2022 14:35:09 +1300 Subject: [PATCH] vault backup: 2022-10-20 14:35:09 --- content/notes/25-network-security-2.md | 74 ++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/content/notes/25-network-security-2.md b/content/notes/25-network-security-2.md index 8062766a1..4d6e56e2f 100644 --- a/content/notes/25-network-security-2.md +++ b/content/notes/25-network-security-2.md 
@@ -43,9 +43,83 @@ cryptographic keys - uses master secret - ![](https://i.imgur.com/ZBiTZsk.png) +record protocol +- encrypt and athenticate data +- ![diagram](https://i.imgur.com/xbM5vm7.png) +- divide in to small segements, encrypt each one, MAC (message authentication code) + +changeCipherSpec and alert + + +https and ssh +- https = http over tls +- ssh + - replacement for telnet + - similar to tls + - data encryption + - authentication # IPSec +- IP layer security +- datagram level encryption, authentication, integrity + - both user traffic and control traffic +- two modes + - transport mode + - only payload not header encrypted, and authenticated + - tunnel mode + - entire datagram is encrypted + - encrypted datagram encapsulated in new datagram with new IP header, tunneled to destination (new IP different from first e.g., next router) + +Authentication header (AH) protocol +- provides source authenticatio and data inegrity not confidentiality + +encapsulation security protocol (ESP) +- provides source authentication, data integrity, and confidentiality +- used more than AH +- ![example packet](https://i.imgur.com/yCRWmZH.png) +- ESP trailer: padding for block ciphers +- ESP header: SPI so recieving entity knows what to do +- sequence number, to thwart replay attacks +- MAC in ESP auth field created with shared secret key +- path + - at R1: appends ESP trailer, encrypts result using algorithm and key + - appends header to front + - created authentication MAC + - appends MAC forming payload + - creates new IP header, new IP header fields, addresses to tunnel endpoint # firewall +- isolates orgs internal network from larger internet, allowiing some packets to pass, blocking others + +three types +- stateless packet fiiltering + - filters packet by packet, decision to forward/drop based on + - source, dest IP + - TCP/UDP source, dest port + - ICMP type + - TCP SYN, ACK bits + - e.g., block incoming and outgoing datagrams with IP protocol field = 17 and with 
either source or dest port = 23 + - ACL access control list: + - ![example](https://i.imgur.com/40mYTDp.png) +- stafeful + - track status of every TCP connection + - using SYN, FIN segments => determine if packets "make sense" + - timeout inactinve connections at firewall: no longer admit packets + - ![](https://i.imgur.com/iytmCh7.png) + - more powerful, more computation +- application gateways + - filters on application data as well as header fields + - e.g., allow seletc internal users to telnet outside + - require all telnet users to go through gateway + - for auth'd users, gateway sets up telnet connection to dest host + - gateway relays data between + - router filter blocks all telnet connections not from gateway + +limitaitons +- IP spoofing +- if multiple apps need special treatment, each has own app. gateway +- client software must know how to ocnt + + # IDS \ No newline at end of file
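Review bot: the last bullet under "limitaitons" is cut off mid-word ("client software must know how to ocnt") and the new `# IDS` heading is added with no body and no trailing newline, so the section should be completed (or the stub dropped) before this lands. The tunnel-mode bullet "entire datagram is encrypted" also reads as if tunnel mode always encrypts, which conflicts with the AH bullet a few lines later stating AH gives source authentication and integrity but not confidentiality; suggest "entire datagram is protected (encrypted only when ESP is used)". Finally, the new lines carry a number of spelling errors worth fixing in one pass: "athenticate", "segements", "authenticatio", "inegrity", "recieving", "allowiing", "fiiltering", "stafeful", "inactinve", "seletc", "limitaitons".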