GitHub/quartz
1
0
Fork 2
mirror of https://github.com/jackyzha0/quartz.git synced 2025-12-28 15:24:06 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity
570c2cf13f
quartz/content/notes/25-network-security-2.md
Jet Hughes 8eba9b015a vault backup: 2022-10-20 14:52:58
2022-10-20 14:52:58 +13:00

135 lines
4.2 KiB
Markdown
Raw Blame History

---
title: "25-network-security-2"
aliases:
tags:
- cosc203
- lecture
---
# TLS
- security protocol above transport layer.
- supported by most browsers
- prvides, confidentaility, integrity, authentication
- replaced SSL
- provides API that any application can use
- ![http view of TLS](https://i.imgur.com/c68ksNH.png)
- QUIC and http3: moves transpor tlayer functions to app layer, on top of UDP
how
- handshake: use certificates, private keys to authenticate each other, exchange or create shared secret
- key derivation: use shared secret to derive set of keys
- data transfer: as a series of records, not just one time transactions
- connection closure: special message to close message
protocols
- handshake protocol
- changechipherspec protocol
- choose encryption algerithms
- alert Protocol
- terminate
- error reporting
- record protocol
- divide data to segments
- encrypt and authenticate and send
handshake
- ![](https://i.imgur.com/ROiKXo9.png)
cryptographic keys
- bad to use the same key for more than one crytographic algorithm (encryption and authentication)
- uses master secret
- ![](https://i.imgur.com/ZBiTZsk.png)
record protocol
- encrypt and athenticate data
- ![diagram](https://i.imgur.com/xbM5vm7.png)
- divide in to small segements, encrypt each one, MAC (message authentication code)
changeCipherSpec and alert
https and ssh
- https = http over tls
- ssh
- replacement for telnet
- similar to tls
- data encryption
- authentication
# IPSec
- IP layer security
- datagram level encryption, authentication, integrity
- both user traffic and control traffic
- two modes
- transport mode
- only payload not header encrypted, and authenticated
- tunnel mode
- entire datagram is encrypted
- encrypted datagram encapsulated in new datagram with new IP header, tunneled to destination (new IP different from first e.g., next router)
Authentication header (AH) protocol
- provides source authenticatio and data inegrity not confidentiality
encapsulation security protocol (ESP)
- provides source authentication, data integrity, and confidentiality
- used more than AH
- ![example packet](https://i.imgur.com/yCRWmZH.png)
- ESP trailer: padding for block ciphers
- ESP header: SPI so recieving entity knows what to do
- sequence number, to thwart replay attacks
- MAC in ESP auth field created with shared secret key
- path
- at R1: appends ESP trailer, encrypts result using algorithm and key
- appends header to front
- created authentication MAC
- appends MAC forming payload
- creates new IP header, new IP header fields, addresses to tunnel endpoint
# firewall
- isolates orgs internal network from larger internet, allowiing some packets to pass, blocking others
three types
- stateless packet fiiltering
- filters packet by packet, decision to forward/drop based on
- source, dest IP
- TCP/UDP source, dest port
- ICMP type
- TCP SYN, ACK bits
- e.g., block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23
- ACL access control list:
- ![example](https://i.imgur.com/40mYTDp.png)
- stafeful
- track status of every TCP connection
- using SYN, FIN segments => determine if packets "make sense"
- timeout inactinve connections at firewall: no longer admit packets
- ![](https://i.imgur.com/iytmCh7.png)
- more powerful, more computation
- application gateways
- filters on application data as well as header fields
- e.g., allow seletc internal users to telnet outside
- require all telnet users to go through gateway
- for auth'd users, gateway sets up telnet connection to dest host
- gateway relays data between
- router filter blocks all telnet connections not from gateway
limitaitons
- IP spoofing
- if multiple apps need special treatment, each has own app. gateway
- client software must know how to contact gateway
- e.g., must set IP of proxy in browser
- filters oftenuser all or nothing policy for UDP
- tradeoff: access with security
# IDS
- instrusion detection system
- deep packet inspection
- look at contents (e.g., check strings in packet against DB of known virus, attack strings)
- examine correlation among packets
- port scanning
- network mapping
- DoS attack
multiple IDSs: different types of checking at different locations
Reference in New Issue View Git Blame Copy Permalink