The Internet (4.9.3)
How the Internet Works
Connecting Us
ISP - Internet Service Provider, connected thru
ADSL (via telephone line) or F-O (Fibre-Optics)
If no phys. cabling, 3G/4G/satellite tech used;
ISP provides combined device w/ features (ethernet switch etc.)
Router manages outgoing connection, Modem converts signal to suitable outgoing media, phone moves between
Net's seamlessly; router is part of larger network of varying
size; WAN - routers connecting LANs together
WANs
LANs connected across company sites
Traditional - Connections between company sites by BT,
'leased lines' - companies lease connection from provider
Now - VPNs used for secure connection, users transmit data
across public telecomm's as if part of private network, reduced cost; WANs are mix of 3G/4G, wireless, satellite,
undersea, powerline, ADSL, Ethernet connections
Routers
Forwards data packets between comp. Net's
Edge Routers - link one network to another
Subscriber Router - routers provided to homes etc. small-scale, lo-cost, 2 interfaces (one per Net),
used internally to link Net segments
Enterprise Router - connect large businesses, ISP Net's
capable of handling hi-vol data
Core Router - routers part of internet backbone,
multiple interfaces working at hi-est speed simult.
Internet Procedures
Packet Switching
Packets - traffic on internet, contains payload & header
Packet Switching - diff. packets of same convo go diff. routes
'End-to-End' Principle - end points (source/destination) check
everything received (connectionless comm's, not dedicated)
Internet is a connectionless network
Router - examines destination address on incoming packet,
chooses interface to send to until at destination
'Home hub' has two interfaces (LAN/WAN), WAN interface used for packets
not destined for the LAN; Core backbone routers have multiple interfaces,
Meshed topology = multiple paths allowed
Routing Table - what to do w/ incoming packet, determine routing decision for each one; Hop - router-to-router link
If comm's fail, different path used instead
Core Routers comm w/ each other to update routing tables w/ optimal routes
Packet Troubles
Buffer - faster incoming rate than output rate >> packets buffered in memory = 'high latency'; Severe buffering
= packets discarded; low latency important in calls/gaming
ToS (Type of Service) field - contained in IP Packets, mark
priority level where to place in queue, router may ignore
Lost - packets sent to unreachable destination, routers
pass on to default device causing loop
TTL (Time to Live) - no. of hops (transmissions) before packet discarded (in header)
Circuit Switching
Before Internet - telephone network worked similarly, interconnected
devices carry analogue voice signals; To make call - request
sent across connection line, telephone switches then reserve capacity/bandwidth on line, pass request on
= path of guaranteed capacity between callers
Link lacks capacity = connection refused, call dropped
Firewalls
Monitors moving network traffic, prevents unauth access
Hardware Firewall - 2 NICs, one facing each network, firewall between networks; 'trusted' one side, 'untrusted' other side
Prevent malicious traffic, filter data packets travelling
between 2 networks; Stateful Inspection - intelligent filter
Proxy Server - additional feature
Static Filtering
Check packet headers against filters by net admin
aka ACL (Access Control List), header inc. IP address,
destination IP address, port number, protocol
SSH Protocol - used to remotely manage comp, uses port 22; common attack target so usually blocked by ACL, packet dropped, connect fails
Stateless - simple firewalls, only monitor headers, not
the state of connection once packets flow
Stateful Inspection
Phishing - if hacker establishes proper TCP connect,
Static filtering can't tell if connect is exploited maliciously,
sees all traffic as legit, regardless of data theft, malware
Stateful Inspection - aka dynamic filtering, continuously
monitors traffic, looks in payload, beyond header, for suspicious activity;
Firewall keeps connect table (state table), keeps track of all convo w/ untrusted network, all traffic is then
expected w/ record of relevant protocol, port etc.
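Added example (not from the notes): a toy packet filter showing the difference between the static ACL check and a stateful firewall with a state table. Addresses, ports and the blocked-port list are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str   # "tcp" or "udp"
    direction: str  # "out" = trusted LAN -> untrusted WAN, "in" = WAN -> LAN

# Static filter (ACL): header fields only. Inbound SSH (port 22) blocked, as in the notes.
BLOCKED_INBOUND_PORTS = {22}

def stateless_allow(pkt):
    """Stateless check: header fields only, no memory of earlier packets."""
    if pkt.direction == "in" and pkt.dst_port in BLOCKED_INBOUND_PORTS:
        return False
    return True

class StatefulFirewall:
    """Records conversations the LAN opened; inbound packets are allowed
    only when they are replies to one of those conversations."""
    def __init__(self):
        self.state_table = set()  # (lan_ip, wan_ip, wan_port, protocol)

    def allow(self, pkt):
        if not stateless_allow(pkt):          # ACL still applies first
            return False
        if pkt.direction == "out":
            self.state_table.add((pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.protocol))
            return True
        # Inbound reply flows WAN -> LAN, so swap the addresses for the lookup.
        return (pkt.dst_ip, pkt.src_ip, pkt.src_port, pkt.protocol) in self.state_table

# Constructed sample traffic (documentation/private address ranges, not real hosts).
SAMPLE = [
    Packet("192.168.1.10", 51000, "203.0.113.5", 443, "tcp", "out"),  # LAN opens HTTPS
    Packet("203.0.113.5", 443, "192.168.1.10", 51000, "tcp", "in"),   # reply to that convo
    Packet("198.51.100.7", 40000, "192.168.1.10", 443, "tcp", "in"),  # unsolicited inbound
    Packet("198.51.100.7", 40001, "192.168.1.10", 22, "tcp", "in"),   # inbound SSH
]

def compare(packets):
    """Return (stateless_decision, stateful_decision) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]
```

The third packet is the case the notes describe: it passes the header-only ACL but has no entry in the state table, so only the stateful firewall drops it.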
Proxy Server
Sits between client device & firewall, gives anonymity
Hides true IP address; faster user access, reduce net traffic
Proxy server may log user activity, (web history etc.)
- Client requests page from proxy server
- Proxy server checks cache
- If not in cache, passes request to firewall
- If firewall allows, request forwarded to
web server, result is cached by proxy server
Schools use them to prevent adult material (blocklist/safelist)
Hide IP address, geographical location for international access; AND THAT'S WHY TODAY'S SPONSOR IS NORDVPN
Encryption & Authentication
Symmetric Encryption
Same key used to encrypt/decrypt message,
(e.g. Caesar Cipher, Enigma Machine)
Modern e.g. - RC6, AES (industry standard);
TLS (Transport Layer Security) - underpins HTTPS,
WPA2, uses AES for symmetric encryption
Summary
Firewall sits between trusted/untrusted network
Stateless inspection aka static filtering just checks
header; Stateful Inspection aka dynamic filtering is
more effective, checks payload also, keeps track
of open convo; firewall may also contain proxy server, adding
web filtering features, anonymity, faster
performance by caching web sites
Key Exchange
Try prevent attacker interception
1976 - Whitfield Diffie, Martin Hellman publish method
for secure key exchange - Diffie-Hellman Key exchange
1997 - GCHQ declassifies proof that UK discovered it first
- Public: A & B agree modulus 23, base 5 (compute 5^x % 23)
- Private: A chooses 4 (5^4 % 23 = 4) = A's private key
- Public: A sends result (4) to B = A's public key
- Private: B chooses 3 (5^3 % 23 = 10) = B's private key
- Public: B sends result (10) to A = B's public key
- Private: A does 10^4 % 23 = 18; B does 4^3 % 23 = 18
- A & B share secret number 18; attacker sees only public values, can't
derive 18 w/o knowing a private key
More Key Exchange
Immune to brute-force, if prime number chosen has
>600 digits, takes billions of yrs to solve; security relies
on difficult math problem; D-H key exchange used to
agree sym. encryption key over TLS at convo start;
(TLS used in many TCP/IP protocols inc. HTTPS)
HTTPS - D-H used to gen key for TLS, pre-shared
key no longer needed, agree on key w/o key transmit
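Added example (not from the notes) covering the exchange on the previous slide and the brute-force point on this one: the Diffie-Hellman steps with the notes' numbers (p = 23, base 5, private keys 4 and 3), a hash-based derivation of a symmetric key from the shared number (a simplification; real TLS uses a proper key-derivation function), and the exhaustive search an eavesdropper would face, which is only feasible because p is tiny.

```python
import hashlib

def dh_public(g, p, private):
    """Public value = g^private mod p; safe to send over the untrusted network."""
    return pow(g, private, p)

def dh_shared(peer_public, private, p):
    """Shared secret = peer_public^private mod p; both sides reach the same number."""
    return pow(peer_public, private, p)

def run_exchange(p, g, a_private, b_private):
    """Carry out the exchange from the notes; returns (A_public, B_public, shared)."""
    a_public = dh_public(g, p, a_private)   # A -> B
    b_public = dh_public(g, p, b_private)   # B -> A
    shared_a = dh_shared(b_public, a_private, p)
    shared_b = dh_shared(a_public, b_private, p)
    assert shared_a == shared_b, "both sides must agree on the secret"
    return a_public, b_public, shared_a

def derive_symmetric_key(shared, p):
    """Turn the shared number into a fixed-size key for a cipher such as AES by
    hashing it (simplified stand-in for the KDF step in TLS)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).hexdigest()

def recover_private_by_search(p, g, public):
    """What an eavesdropper holding only p, g and a public value must solve:
    find x with g^x mod p == public. Instant for p = 23; the work grows with p,
    which is why real parameters use primes hundreds of digits long."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None

if __name__ == "__main__":
    a_pub, b_pub, secret = run_exchange(23, 5, 4, 3)
    print(a_pub, b_pub, secret)                # 4 10 18, matching the notes
    print(derive_symmetric_key(secret, 23))
```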
Asymmetric Encryption
For low-volume use where key exchange is impractical/
more security is needed; different keys for encrypt/decrypt
Public key can be shared, private key must be kept secure
Encrypt w/ public, decrypt w/ private; cannot authenticate
who the sender is however; sender knows only receiver
can read message
Authentication
Both A & B publish public key
A encrypts message w/ A's private then B's Public
Sends the result to B
B decrypts message w/ B's private then A's Public
Reveals original message
If message didn't come from A, B can't decrypt
w/ A's public key; more robust now w/ added auth.
Symmetric encrypt is faster but no auth. & requires Key Exchange
Summary
Encryption used to protect data, ensures unreadable if intercepted, changes plaintext into ciphertext; Types -
symmetric/asymmetric; Sym uses same key, Asym uses
pair of keys (public/private); Authentication - msg encrypted
w/ own private, resulting ciphertext encrypted with B's public
Digital Signatures & Certificates
Digital Signatures
Prevent altering of message during transit
A runs hash function on plaintext, prod. hash total/digest
Encrypts digest w/ private key = digital signature
Attaches signature to message; Encrypts w/ B's public key
B decrypts msg w/ private for plaintext
B also uses A's public key to decrypt digest
Runs hash function again on plaintext to check match
Verified digital signature = msg wasn't changed in transit
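Added example (not from the notes): the sign-then-encrypt steps above run end to end with a toy textbook RSA. The small primes, per-byte encryption and hash-reduced-mod-n digest are assumptions made so the arithmetic is visible; they are not secure and real systems use large moduli, padding and a standard signature scheme.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Toy RSA: returns ((e, n) public, (d, n) private). pow(e, -1, phi) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa(x, key):
    k, n = key
    return pow(x, k, n)

def digest(plaintext, n):
    """Hash the plaintext, then reduce mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n

def sign_and_encrypt(plaintext, a_private, b_public):
    """A's side: hash -> encrypt digest w/ A's private key = signature;
    message encrypted block by block (one byte per block) w/ B's public key."""
    signature = rsa(digest(plaintext, a_private[1]), a_private)
    ciphertext = [rsa(byte, b_public) for byte in plaintext]
    return ciphertext, signature

def decrypt_and_verify(ciphertext, signature, b_private, a_public):
    """B's side: decrypt w/ B's private key, recover digest w/ A's public key,
    re-hash the plaintext and compare. Returns (plaintext, verified)."""
    plaintext = bytes(rsa(c, b_private) for c in ciphertext)
    recovered_digest = rsa(signature, a_public)
    return plaintext, recovered_digest == digest(plaintext, a_public[1])

# Constructed keys: small primes chosen for illustration only.
A_PUBLIC, A_PRIVATE = make_keypair(1009, 1013)
B_PUBLIC, B_PRIVATE = make_keypair(1031, 1033)

def demo(message=b"transfer 100 to account 42", tamper=False):
    ciphertext, signature = sign_and_encrypt(message, A_PRIVATE, B_PUBLIC)
    if tamper:
        # Alteration in transit: first block swapped for the encryption of another byte.
        ciphertext[0] = rsa(ord("x"), B_PUBLIC)
    return decrypt_and_verify(ciphertext, signature, B_PRIVATE, A_PUBLIC)
```

With `tamper=True` the message still decrypts, but the re-computed digest no longer matches the one recovered from the signature, which is exactly the check that tells B the message changed in transit.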
Digital Certificate
Anyone can create Digital Signature and claim trustworthy
Cert. verifies sender's identity; Issued by official CA
(certificate authority, e.g. Let's Encrypt, Verisign); inc. serial number, expiry date, holder's name, holder's public key;
signed by Digital Certificate of issuing CA, so you can verify it is genuine; modern browsers check all websites for cert.
CN (Common Name) - domain listed under cert.
Subject Alternative Names (SANs) - avoids a cert. per subdomain, lists other domains cert. is valid for
Used in TLS, superseding SSL (Secure Sockets Layer) as
standard encrypt protocol for internet; TLS used w/in HTTPS to surf net securely