Misc - Networking .. Security ...


Legend
E / D : Encrypt / Decrypt
p / c : plain / cipher
PK / SK : public key / secret key
m / s : message / signature

Reminder:


Public-key crypto: data encrypted with one key of a pair can be decrypted only with the other key of that pair (encrypt with the public key, decrypt with the private key; signatures use the keys the other way round).
A certificate contains a public key; it is used to verify that an entity is the owner of that public key.
You can obtain a certificate from a Certificate Authority (CA). Alternatively, you can create a self-signed certificate, in which the owner and the issuer are the same.
Signature (sign/verify):
- Sender: hash the message and encrypt the hash with the secret key (= sign)
- Recipient: decrypt the signature with the public key, recompute the hash of the received message and verify that the two match

Kerberos
- Symmetric encryption/decryption of all exchanges
- Client / Server, each with its own symmetric key
- KDC (Key Distribution Center): single source of all symmetric keys

SSL/TLS
- SSL/TLS journey:
  • Website owner generates a public/secret key pair
  • Website owner provides the public key and requests a certificate from a CA
  • CA issues a certificate to the website owner
  • Website presents the certificate in each SSL/TLS connection handshake
  • The SSL/TLS client gets the certificate and verifies it through the CA
  • Basically, HTTP messages (request & response) are encrypted, then handed to TCP
- Asymmetric keys carry both sign/verify and encrypt/decrypt semantics
- PK / SK policy
- Force full HTTPS as early as possible (e.g. at DNS bootstrap)
- OpenSSL vs Java keytool

 =========================================================

IP: connects / localizes computers + routes / breaks packets (datagrams)
TCP: controls communication (windowing) + error detection
[NAT / PAT + subnet masking] as a mediation / boundary between public and private IPs
DNS: resolves domain names to IPs (nslookup). DNS caching property. DNS record types (NS, MX, wildcard, ...)
Traffic/routing diagnosis: traceroute, pathping
DHCP: assigns IPs
IPv4 format: 4 bytes (possible values: 2^(8 * 4) => 2^32)
IPv6 format: 16 bytes (possible values: 2^(8 * 16) => 2^128)
Binary golden rule: sum of 2^i for i from 0 to n-1 = (2^n) - 1
Why are program namespaces usually inverted (e.g. com.github.forks)? Maybe inspired by DNS resolution order (com => github => forks => IP).
- Port connectivity: telnet, nmap (not built-in)
Telnet: communicate remotely with a device (e.g. send requests to a service port)
SSH: manage/administer a device remotely (e.g. run shell commands)

- Basic scenario of internet connectivity:
Client host (routing table, ARP) --> router (NAT ...) --> modem --> ISP (internet service provider) router --> ISP backbone --> modem --> server firewall / router (PAT) --> server host


Network packet sniffing:
A packet sniffer copies data as it travels across a network and makes it available for viewing.
Why?

  • Identify a congested node or link
  • Identify the applications that generate most of the traffic
  • Identify peaks and troughs in network demand
  • Collect / log data for more advanced analysis
Tools:

  • tcpdump
  • wireshark
  • Fiddler (HTTP capture)
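Added example (not from the original notes) of what a sniffer such as tcpdump or wireshark does with the bytes it copies: it parses the IPv4 and TCP headers, then aggregates bytes per flow to answer the "which application generates most of the traffic" question above. The packets are constructed in memory with zeroed checksums, and the addresses, ports and payload sizes are assumptions made for the illustration.

```python
"""Decode constructed IPv4/TCP packets and rank flows by bytes, sniffer-style (added illustration)."""
import struct
from collections import Counter


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 + TCP packet (checksums left at 0) for the demo."""
    # TCP header: ports, seq, ack, data offset (5 words) + reserved, flags PSH|ACK, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, flags+frag, TTL, proto 6 = TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, _ip_bytes(src), _ip_bytes(dst))
    return ip + tcp


def decode_packet(raw: bytes) -> dict:
    """Parse the IPv4 header and, for TCP, the TCP header; return the fields a sniffer would display."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes; options, if any, are skipped
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": proto, "len": total_len}
    if proto == 6:  # TCP
        sport, dport, _seq, _ack, off_res, flags, _win = struct.unpack("!HHIIBBH", raw[ihl:ihl + 16])
        data_off = (off_res >> 4) * 4  # TCP header length in bytes
        info.update(sport=sport, dport=dport, flags=flags, payload=raw[ihl + data_off:total_len])
    return info


def sample_capture() -> list:
    """Constructed traffic: a large HTTPS upload, a small HTTP fetch and a short SSH session from one client."""
    return ([build_tcp_packet("192.168.1.10", "203.0.113.5", 51000, 443, b"A" * 1200)] * 5
            + [build_tcp_packet("192.168.1.10", "203.0.113.5", 51001, 80, b"GET / HTTP/1.1\r\n\r\n")]
            + [build_tcp_packet("192.168.1.10", "192.168.1.20", 51002, 22, b"B" * 100)] * 3)


def top_talkers(packets: list) -> list:
    """Rank (src, dst, dport) flows by bytes on the wire, most traffic first."""
    by_flow = Counter()
    for raw in packets:
        pkt = decode_packet(raw)
        by_flow[(pkt["src"], pkt["dst"], pkt.get("dport"))] += pkt["len"]
    return by_flow.most_common()


if __name__ == "__main__":
    for flow, nbytes in top_talkers(sample_capture()):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {nbytes} bytes")
```

Real tools read the same header layouts from a live interface or a capture file; the decode step is identical, which is also why a sniffer sees plaintext application data unless the payload is encrypted (as with the HTTPS flow above, where only the sizes and endpoints are visible).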

HTTP Caching



Notes

  • Private Network: a set of physical nodes connected to each other without being exposed to the Internet (Intranet, LAN, MAN, WAN, ...). Traffic originating and terminating within a private network traverses only nodes that belong to the private network.
  • Public Network: any network exchanging traffic through the public Internet.
  • VPN: communication environment constructed by controlled segmentation of a shared communications infrastructure to emulate the characteristics of a private network.
  • Why VPN:
    • Traditional private networks are not cheap to plan and deploy. The costs of dedicated links are high when they involve international locations.
    • Companies need to provide a reliable IT infrastructure so employees can access it from remote locations, without being physically present in their offices.
  • Types of VPN:
    • Site-to-site VPN: interconnects LANs located in multiple geographic areas over the shared network infrastructure.
    • Remote access VPN: permits secure, encrypted connections between a company's private network and remote users through a third-party service provider. The third party is usually an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers.
  • VPN technologies:
    • Desktop software client for each remote user
    • Dedicated hardware such as a VPN concentrator or a secure PIX firewall
    • Dedicated VPN server for dial-up services
    • NAS (network access server) used by the service provider for remote-user VPN access
    • VPN network and policy-management center
  • VPNs use IPsec, a standard protocol. Two IPsec connectivity modes:
    • Tunnel mode:
      • The original packet is encapsulated entirely (header + payload) in another IP packet.
      • IPsec wraps the original packet, encrypts it, adds a new IP header and sends it.
      • It is widely implemented in site-to-site VPN scenarios.
      • NAT traversal is supported with tunnel mode.
    • Transport mode:
      • Transport mode encrypts only the payload and the ESP trailer, so the IP header of the original packet is not encrypted.
      • IPsec transport mode is implemented for client-to-site VPN scenarios.
      • NAT traversal is not supported with transport mode.


Subnetting

CIDR is a more generic and flexible way (compared to classful techniques) for IP assignment and subnetting.
CIDR RFC: https://tools.ietf.org/html/rfc4632
CIDR for private networks: https://tools.ietf.org/html/rfc1918
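Added example (not from the original notes) of the CIDR arithmetic behind these two RFCs, using the Python standard library's ipaddress module: network address, mask and broadcast for a prefix, the address count (2^(host bits), the binary rule from the IP notes above), splitting a block into equal subnets, the classful default prefix that CIDR replaces, and a check against the three RFC 1918 private ranges. The sample prefixes are constructed for the illustration.

```python
"""CIDR subnetting helpers on top of the stdlib ipaddress module (added illustration)."""
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe(cidr: str) -> dict:
    """Network, mask, broadcast and size for an address/prefix (the host part is masked off)."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    v4 = net.version == 4
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address) if v4 else None,
        "prefix": net.prefixlen,
        "addresses": 2 ** host_bits,  # same value as net.num_addresses
        # IPv4 reserves network and broadcast addresses (/31 point-to-point links excepted, not handled here)
        "usable_hosts": max(2 ** host_bits - 2, 0) if v4 else 2 ** host_bits,
        "rfc1918": any(net.subnet_of(r) for r in RFC1918 if r.version == net.version),
    }


def split(cidr: str, new_prefix: int) -> list:
    """Carve a block into equal subnets of the given prefix length."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def classful_prefix(ip: str):
    """Default prefix of the classful scheme CIDR replaced: A /8, B /16, C /24 (None for D/E)."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None


def contains(cidr: str, ip: str) -> bool:
    """True when the address falls inside the prefix."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    print(describe("192.168.1.77/26"))
    print(split("10.0.0.0/24", 26))
    print(classful_prefix("192.168.1.77"), "vs CIDR /26")
```

The classful_prefix result shows what CIDR buys: under classful rules 192.168.1.77 could only live in a /24, while CIDR lets the same address sit in a /26 (64 addresses) or in any other prefix the operator assigns.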

1 comment:

Anonymous said...

Great explanation!