mirror of
https://github.com/jackyzha0/quartz.git
synced 2025-12-27 23:04:05 -06:00
vault backup: 2022-10-20 14:35:09
parent d63c563ad2
commit 1064b0e543
@ -43,9 +43,83 @@ cryptographic keys
- uses master secret
- 

record protocol
- encrypt and athenticate data
- 
- divide in to small segements, encrypt each one, MAC (message authentication code)

changeCipherSpec and alert


https and ssh
- https = http over tls
- ssh
- replacement for telnet
- similar to tls
- data encryption
- authentication

# IPSec
- IP layer security
- datagram level encryption, authentication, integrity
- both user traffic and control traffic
- two modes
- transport mode
- only payload not header encrypted, and authenticated
- tunnel mode
- entire datagram is encrypted
- encrypted datagram encapsulated in new datagram with new IP header, tunneled to destination (new IP different from first e.g., next router)

Authentication header (AH) protocol
- provides source authenticatio and data inegrity not confidentiality

encapsulation security protocol (ESP)
- provides source authentication, data integrity, and confidentiality
- used more than AH
- 
- ESP trailer: padding for block ciphers
- ESP header: SPI so recieving entity knows what to do
- sequence number, to thwart replay attacks
- MAC in ESP auth field created with shared secret key
- path
- at R1: appends ESP trailer, encrypts result using algorithm and key
- appends header to front
- created authentication MAC
- appends MAC forming payload
- creates new IP header, new IP header fields, addresses to tunnel endpoint

# firewall
- isolates orgs internal network from larger internet, allowiing some packets to pass, blocking others

three types
- stateless packet fiiltering
- filters packet by packet, decision to forward/drop based on
- source, dest IP
- TCP/UDP source, dest port
- ICMP type
- TCP SYN, ACK bits
- e.g., block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23
- ACL access control list:
- 
- stafeful
- track status of every TCP connection
- using SYN, FIN segments => determine if packets "make sense"
- timeout inactinve connections at firewall: no longer admit packets
- 
- more powerful, more computation
- application gateways
- filters on application data as well as header fields
- e.g., allow seletc internal users to telnet outside
- require all telnet users to go through gateway
- for auth'd users, gateway sets up telnet connection to dest host
- gateway relays data between
- router filter blocks all telnet connections not from gateway

limitaitons
- IP spoofing
- if multiple apps need special treatment, each has own app. gateway
- client software must know how to ocnt



# IDS
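Review bot: the stateless-filter example `- e.g., block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23` reads as a single conjunctive rule, but protocol 17 is UDP while Telnet runs over TCP (protocol 6), so a rule that requires both conditions matches only UDP traffic on port 23 and blocks neither Telnet nor UDP in general; if the intent is to block all UDP flows and all Telnet connections, split it into two rules (one on protocol field = 17, one on TCP port 23). The last limitation bullet `- client software must know how to ocnt` is cut off mid-word, and three bullets are empty (`- ` under record protocol, after `- ACL access control list:`, and under `- stafeful`), possibly embeds that did not survive the backup, so the ACL example the text points at is missing. Spelling slips in the added lines: athenticate, segements, authenticatio, inegrity, recieving, allowiing, fiiltering, stafeful, inactinve, seletc, limitaitons.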