GitHub/quartz
1
0
Fork 2
mirror of https://github.com/jackyzha0/quartz.git synced 2025-12-27 14:54:05 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity
75354f91df
quartz/content/notes/25-network-security-2.md
Jet Hughes 1c8d8bd131 vault backup: 2022-11-14 10:03:32
2022-11-14 10:03:32 +13:00

4.3 KiB
Raw Blame History

title aliases tags sr-due sr-interval sr-ease
25-network-security-2
cosc203
lecture
2022-12-06 22 270

TLS

  • security protocol above transport layer.

    • supported by most browsers
    • prvides, confidentaility, integrity, authentication

  • replaced SSL

  • provides API that any application can use

  • http view of TLS

  • QUIC and http3: moves transpor tlayer functions to app layer, on top of UDP

how

  • handshake: use certificates, private keys to authenticate each other, exchange or create shared secret
  • key derivation: use shared secret to derive set of keys
  • data transfer: as a series of records, not just one time transactions
  • connection closure: special message to close message

protocols

  • handshake protocol
  • changechipherspec protocol
    • choose encryption algerithms
  • alert Protocol
    • terminate
    • error reporting
  • record protocol
    • divide data to segments
    • encrypt and authenticate and send

handshake

cryptographic keys

  • bad to use the same key for more than one crytographic algorithm (encryption and authentication)
  • uses master secret

record protocol

  • encrypt and athenticate data
  • diagram
  • divide in to small segements, encrypt each one, MAC (message authentication code)

changeCipherSpec and alert

https and ssh

  • https = http over tls
  • ssh
    • replacement for telnet
    • similar to tls
      • data encryption
      • authentication

IPSec

  • IP layer security
  • datagram level encryption, authentication, integrity
    • both user traffic and control traffic
  • two modes
    • transport mode
      • only payload not header encrypted, and authenticated
    • tunnel mode
      • entire datagram is encrypted
      • encrypted datagram encapsulated in new datagram with new IP header, tunneled to destination (new IP different from first e.g., next router)

Authentication header (AH) protocol

  • provides source authenticatio and data inegrity not confidentiality

encapsulation security protocol (ESP)

  • provides source authentication, data integrity, and confidentiality
  • used more than AH
  • example packet
  • ESP trailer: padding for block ciphers
  • ESP header: SPI so recieving entity knows what to do
  • sequence number, to thwart replay attacks
  • MAC in ESP auth field created with shared secret key
  • path
    • at R1: appends ESP trailer, encrypts result using algorithm and key
    • appends header to front
    • created authentication MAC
    • appends MAC forming payload
    • creates new IP header, new IP header fields, addresses to tunnel endpoint

firewall

  • isolates orgs internal network from larger internet, allowiing some packets to pass, blocking others

three types

  • stateless packet fiiltering
    • filters packet by packet, decision to forward/drop based on
      • source, dest IP
      • TCP/UDP source, dest port
      • ICMP type
      • TCP SYN, ACK bits
    • e.g., block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23
    • ACL access control list:
    • example
  • stafeful
    • track status of every TCP connection
      • using SYN, FIN segments => determine if packets "make sense"
    • timeout inactinve connections at firewall: no longer admit packets
    • more powerful, more computation
  • application gateways
    • filters on application data as well as header fields
    • e.g., allow seletc internal users to telnet outside
      • require all telnet users to go through gateway
      • for auth'd users, gateway sets up telnet connection to dest host
        • gateway relays data between
      • router filter blocks all telnet connections not from gateway

limitaitons

  • IP spoofing
  • if multiple apps need special treatment, each has own app. gateway
  • client software must know how to contact gateway
    • e.g., must set IP of proxy in browser
  • filters oftenuser all or nothing policy for UDP
  • tradeoff: access with security

IDS

  • instrusion detection system
  • deep packet inspection
    • look at contents (e.g., check strings in packet against DB of known virus, attack strings)
  • examine correlation among packets
    • port scanning
    • network mapping
    • DoS attack

multiple IDSs: different types of checking at different locations