The Internet
(4.9.3)

How the Internet Works

Connecting Us
ISP - Internet Service Provider, connected through
ADSL (via telephone line) or fibre optics
If no physical cabling, 3G/4G/satellite tech used;
ISP provides combined device w/ features (ethernet switch etc.)
Router manages outgoing connection, modem converts signal to suitable outgoing media, phone moves between
networks seamlessly; router is part of larger network of varying
size; WAN - routers connecting LANs together

WANs
LANs connected across company sites
Traditional - connections between company sites provided by BT,
'leased lines' - companies lease connection from provider
Now - VPNs used for secure connection, users transmit data
across public telecomms as if part of private network, at reduced cost; WANs are a mix of 3G/4G, wireless, satellite,
undersea, powerline, ADSL, Ethernet connections

Routers
Forward data packets between computer networks
Edge Routers - link one network to another
Subscriber Router - routers provided to homes etc.; small-scale, low-cost, 2 interfaces (one for each network),
used internally to link network segments
Enterprise Router - connect large businesses, ISP networks;
capable of handling high-volume data
Core Router - routers forming part of internet backbone,
multiple interfaces working at highest speed simultaneously

Internet Procedures

Packet Switching
Packets - traffic on internet, each contains payload & header
Packet Switching - different packets of same conversation may take different routes
'End-to-End' Principle - end points (source/destination) check
everything received (connectionless comms, no dedicated path); Internet is a connectionless network
Router - examines destination address on incoming packet,
chooses interface to send it out of; repeated at each router until packet reaches destination
'Home hub' has two interfaces (LAN/WAN), WAN used for packets
not destined for LAN; core backbone routers have multiple interfaces;
meshed topology = multiple paths allowed
Routing Table - what to do w/ incoming packet, determines routing decision for each one; Hop - router-to-router link
If comms fail, different path used instead
Core routers communicate to update routing tables w/ optimal paths

Packet Troubles
Buffer - incoming rate faster than output rate >> packets buffered in memory = 'high latency'; severe buffering
= packets discarded; high latency matters in calls/gaming
ToS (Type of Service) field - contained in IP packets, marks
priority level / where to place packet in queue, router may ignore it
Lost - packets sent to unreachable destination; routers
pass them on to default device, causing loop
TTL (Time to Live) - no. of transmissions (hops) before packet discarded
(in header)

Circuit Switching
Before Internet - telephone network worked similarly: interconnected
devices carry analogue voice signals; to make call - request
sent across connection line, telephone switches reserve capacity/bandwidth on line, pass request on
= path of guaranteed capacity between callers
Link lacks capacity = connection refused, call dropped

Firewalls

Firewalls
Monitors network traffic passing through, prevents unauthorised access
Hardware Firewall - 2 NICs, one facing each network, firewall between networks; 'trusted' one side, 'untrusted' other side
Prevents malicious traffic, filters data packets travelling
between 2 networks; Stateful Inspection - intelligent filter
Proxy Server - additional feature

Static Filtering
Checks packet headers against filters set by net admin,
aka ACL (Access Control List); header inc. source IP address,
destination IP address, port number, protocol
SSH Protocol - e.g. SSH attack: SSH used to remotely manage computer, uses port 22; port 22 usually blocked, so packet dropped, connection fails
Stateless - simple firewalls, only monitor headers, not
the state of the connection the packets belong to


Stateful Inspection
Phishing - if hacker establishes proper TCP connection,
static filtering can't tell if connection is exploited maliciously,
sees all traffic as legit, regardless of data theft, malware
Stateful Inspection - aka dynamic filtering, continuously
monitors traffic, looks in payload beyond header for suspicious activity;
firewall keeps connection table (state table), keeps track of all conversations w/ untrusted network; all traffic is then
expected w/ record of relevant protocol, port etc.
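The stateless/stateful distinction above, as an added example (not from these notes): a packet filter that applies a constructed ACL to header fields only, beside one that keeps the state table the notes describe. The packets, addresses and ACL entries are all constructed.

```python
"""Stateless ACL filter beside a minimal stateful filter, run over constructed
packets. Added example, not from the notes. A packet is a dict carrying the
header fields the notes list (src/dst IP, ports, protocol) plus a direction."""

# ACL as a net admin might write it: (protocol, destination port) -> action.
# Port 22 (SSH) is dropped, as in the notes; anything unlisted is dropped too.
ACL = {("tcp", 22): "drop", ("tcp", 80): "allow", ("tcp", 443): "allow"}


def static_filter(pkt):
    """Stateless: decision from the header alone, identical for every packet."""
    return ACL.get((pkt["proto"], pkt["dport"]), "drop")


class StatefulFilter:
    """Keeps a state table of conversations opened from the trusted side and
    admits inbound packets only when they belong to a recorded conversation."""

    def __init__(self):
        self.table = set()  # entries: (proto, remote ip, local ip, local port)

    def filter(self, pkt):
        if pkt["dir"] == "out":
            if static_filter(pkt) != "allow":
                return "drop"
            # record the conversation so the reply (remote -> local port) is expected
            self.table.add((pkt["proto"], pkt["dst"], pkt["src"], pkt["sport"]))
            return "allow"
        key = (pkt["proto"], pkt["src"], pkt["dst"], pkt["dport"])
        return "allow" if key in self.table else "drop"


def demo():
    """Four constructed packets; returns (stateful verdicts, stateless verdicts)."""
    home, web, outsider = "192.168.1.10", "203.0.113.5", "203.0.113.9"
    pkts = [
        {"dir": "out", "proto": "tcp", "src": home, "sport": 51000, "dst": web, "dport": 443},
        {"dir": "in", "proto": "tcp", "src": web, "sport": 443, "dst": home, "dport": 51000},
        {"dir": "in", "proto": "tcp", "src": outsider, "sport": 40000, "dst": home, "dport": 22},
        {"dir": "in", "proto": "tcp", "src": outsider, "sport": 40000, "dst": home, "dport": 443},
    ]
    fw = StatefulFilter()
    return [fw.filter(p) for p in pkts], [static_filter(p) for p in pkts]


if __name__ == "__main__":
    # stateful: reply admitted, unsolicited inbound 443 dropped;
    # stateless: reply dropped (51000 not in ACL) yet unsolicited 443 allowed
    print(demo())
```

The stateless column shows the trade-off the notes hint at: with header-only rules an admin must either open the high reply ports or lose the replies, while the state table admits exactly the expected reply and nothing else.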

Proxy Server
Sits between client device & firewall, gives anonymity
Hides true IP address; faster user access, reduces net traffic
Proxy server may log user activity (web history etc.)

  1. Client requests page from proxy server
  2. Proxy server checks cache
  3. If not in cache, passes request to firewall
  4. If firewall allows, request forwarded to
    web server, result is cached by proxy server

Schools use them to prevent access to adult material (blocklist/safelist)
Hides IP address, geographical location for international access; AND THAT'S WHY TODAY'S SPONSOR IS NORDVPN

Encryption & Authentication

Symmetric Encryption
Same key used to encrypt/decrypt message,
(e.g. Caesar Cipher, Enigma Machine)
Modern e.g. - RC6, AES (industry standard);
TLS (Transport Layer Security) - underpins HTTPS,
WPA2, uses AES for symmetric encryption

Summary
Firewall sits between trusted/untrusted network
Stateless inspection aka static filtering just checks
header; Stateful Inspection aka dynamic filtering is
more effective, checks payload also, keeps track
of open conversations; firewall also contains proxy server,
adds web filtering features, anonymity, faster
performance by caching web sites

Key Exchange
Tries to prevent attacker interception
1976 - Whitfield Diffie, Martin Hellman publish method
for secure key exchange - Diffie-Hellman Key exchange
1997 - GCHQ declassifies proof that UK discovered it first

  1. Public: A & B choose mod 23, base 5 (5^a % 23)
  2. Private: A chooses 4 (5^4 % 23 = 4) = A's private key
  3. Public: A sends result (4) to B = A's public key
  4. Private: B chooses 3 (5^3 % 23 = 10) = B's private key
  5. Public: B sends result (10) to A = B's public key
  6. Private: A does 10^4 % 23 = 18; B does 4^3 % 23 = 18
  7. A & B share secret number 18, attacker can't
    decrypt w/o knowing private keys chosen

More Key Exchange
Immune to brute force if the prime chosen has
>600 digits; takes billions of yrs to solve; security relies
on difficult math problem; D-H key exchange used to
exchange symmetric encryption key over TLS at conversation start
(TLS used in many TCP/IP protocols inc. HTTPS)
HTTPS - D-H used to generate key for TLS, pre-shared
key no longer needed, parties agree on key w/o transmitting it
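The seven numbered steps and the 'difficult math problem' point, worked in code as an added example (not from the notes): the notes' values p=23, g=5, a=4, b=3 are used, and the trial-exponent search is my addition to show why such a tiny prime offers no protection.

```python
"""Diffie-Hellman with the notes' toy parameters (p=23, g=5, a=4, b=3).
Added example, not from the notes; shows what is public, what is private,
and why the notes insist on a prime of hundreds of digits."""


def dh_public(g: int, p: int, private: int) -> int:
    """Public value = g^private mod p (the number each party sends in the clear)."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int) -> int:
    """Shared secret = (peer's public value)^own private mod p."""
    return pow(peer_public, private, p)


def discrete_log_by_trial(g: int, p: int, public: int):
    """Recover a private exponent from a public value by trying every exponent.
    Feasible only because p is tiny; for a 600-digit p this is the
    'difficult math problem' the notes rely on."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


def run_toy_exchange() -> dict:
    """Steps 1-7 from the notes; both sides must arrive at the same secret."""
    p, g = 23, 5               # step 1: agreed in public
    a, b = 4, 3                # steps 2 and 4: private choices, never sent
    a_pub = dh_public(g, p, a)  # step 3: A sends 4
    b_pub = dh_public(g, p, b)  # step 5: B sends 10
    s_a = dh_shared(b_pub, a, p)  # step 6: 10^4 mod 23
    s_b = dh_shared(a_pub, b, p)  # step 6: 4^3 mod 23
    assert s_a == s_b, "both sides must derive the same secret"
    return {"A_public": a_pub, "B_public": b_pub, "shared": s_a}


if __name__ == "__main__":
    print(run_toy_exchange())
    # an eavesdropper sees only p, g, 4 and 10; with p = 23 the exponent is
    # found in at most 22 trials, which is why real p is enormous
    print(discrete_log_by_trial(5, 23, 4))
```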

Asymmetric Encryption
For low-volume use where key exchange is impractical or
more security is needed; different keys for encrypt/decrypt
Public key can be shared, private key must be kept secure
Encrypt w/ public, decrypt w/ private; cannot authenticate
who the sender is, however; sender knows only receiver
can read message

Authentication
Both A & B publish public key
A encrypts message w/ A's private then B's Public
Sends the result to B
B decrypts message w/ B's private then A's Public
Reveals original message
If message didn't come from A, B can't decrypt it
w/ A's public key; more robust now w/ added auth.
Symmetric encryption is faster but has no auth. & requires
key exchange

Summary
Encryption used to protect data, ensures it is unreadable if intercepted; changes plaintext into ciphertext; Types -
symmetric/asymmetric; sym uses same key, asym uses
pair of keys (public/private); Authentication - msg encrypted
w/ own private key, resulting ciphertext encrypted with B's public

Digital Signatures & Certificates

Digital Signatures
Prevents altering of message during transit
A runs hash function on plaintext, producing hash total/digest
Encrypts digest w/ private key = digital signature
Attaches signature to message; encrypts w/ B's public key
B decrypts msg w/ private key for plaintext
B also uses A's public key to decrypt digest
Runs hash function again on plaintext to check for match
Verified digital signature = msg wasn't changed in transit
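The hash, sign, verify steps above as an added example (not from the notes): textbook RSA on assumed small primes stands in for A's key pair and SHA-256 for the hash function; the notes' extra step of encrypting the whole message w/ B's public key is left out so the block shows only the signature check and what happens when the message is altered.

```python
"""Digital signature flow from the notes (hash plaintext, sign the digest with
the private key, verify with the public key) using textbook RSA and SHA-256.
Added example, not from the notes; the key size is a toy, not a secure one."""
import hashlib

# Toy RSA key pair (assumed values; real keys use primes of hundreds of digits).
P, Q = 1000003, 999983
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Hash the plaintext; reduced mod N only so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """A: 'encrypt' the digest with the private key = the digital signature."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """B: recover the digest with A's public key, re-hash, and compare."""
    return pow(signature, e, n) == digest(message)


def demo() -> tuple:
    """Sign a constructed message; check it, then check an altered copy."""
    msg = b"Pay 100 GBP to account 12345"       # constructed message
    sig = sign(msg)                             # travels alongside msg
    altered = b"Pay 900 GBP to account 12345"   # changed in transit
    return verify(msg, sig), verify(altered, sig)


if __name__ == "__main__":
    print(demo())  # (True, False)
```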

Digital Certificate
Anyone can create a digital signature and claim to be trustworthy
Cert. verifies sender's identity; issued by official certificate
authority (CA) (e.g. Let's Encrypt, Verisign); inc. serial number, expiry date, holder's name, holder's public key;
signed by digital certificate of issuing CA, so you can verify it is genuine; modern browsers check all websites for cert.
CN (Common Name) - domain listed under cert.
Subject Alternative Names (SANs) - avoids cert. per subdomain; other domains cert. is valid for
Used in TLS, superseding SSL (Secure Sockets Layer) as
standard encryption protocol for internet; TLS used w/in HTTPS to surf net securely