SystemsSec 2018W Lecture 5

From Soma-notes

Audio

Lecture 5 Audio

Notes

- Basic structure of the internet

  • client => net => server
  • basic client server model
  • processes on client and server talk to each other
  • network firewall sits between the net and the server; it protects the whole network from malicious incoming traffic
  • host firewall also sits between the net and the server, but runs on the server host itself, directly in front of the server's processes
  • each network-facing process is identified by a unique port number
  • an IP address identifies a host

- IP addresses are very easy to spoof
- Initially, servers would talk to any client, which was very risky
- Finger daemon listens for finger requests

  • process that can find out anyone's personal info (eg. name, phone number, etc.)
  • eg: finger soma@homeostasis.scs.carleton.ca
  • outputs a "plan" file with user's personal info

- chargen = character generator
- localhost:631 = URL for CUPS

  • web-based printer management console for Unix systems
  • config file has basic access control (i.e. IP address restriction)
  • not openly accessible by default; adequate for securing a single host, not so good for many hosts (i.e. a network)

- security issues?

  • different config files for different OSes, tedious to set up
  • ideally, we want a uniform way of combining policy

- TCP wrappers "libwrap"

  • predated widespread host-based firewall support
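
A worked example added here (not part of the lecture notes, and not libwrap's own code): a simplified evaluator of the hosts.allow / hosts.deny policy that TCP wrappers consult, which is the uniform per-daemon, per-client policy the notes ask for. The sample policy text, the daemon names sshd/cupsd/fingerd and the campus prefix 134.117. are constructed for illustration; real libwrap also supports forms such as EXCEPT and netmask patterns that this toy omits.

```python
import ipaddress

# Constructed sample policy in hosts.allow / hosts.deny syntax
# ("daemon_list : client_list"). Illustration only, not libwrap itself.
HOSTS_ALLOW = """
# Only the (constructed) campus prefix may reach sshd; CUPS stays local.
sshd : 134.117.
cupsd : 127.0.0.1
"""
HOSTS_DENY = """
# Default-deny everything else, including fingerd and chargen.
ALL : ALL
"""

def parse_rules(text):
    """Return a list of (daemons, clients) tuples from hosts.*-style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, ip):
    """Match one client pattern: ALL, a trailing-dot prefix, CIDR, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # e.g. "134.117." matches 134.117.x.y
        return ip.startswith(pattern)
    if "/" in pattern:                        # CIDR form, e.g. 192.168.1.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern

def access_allowed(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match in either means allow."""
    for rules, verdict in ((parse_rules(allow), True), (parse_rules(deny), False)):
        for daemons, clients in rules:
            if ("ALL" in daemons or daemon in daemons) and any(client_matches(c, ip) for c in clients):
                return verdict
    return True
```

Note that with empty policy files every connection is allowed, which is exactly the "servers would talk to any client" default the notes describe.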

- what is a firewall?

  • 2 types: host and network; they differ by who enforces the rules (the host itself vs. a device on the network)

- what is a vpn?

  • virtual private network
  • can be problematic: misused if someone downloads media onto their machine while it is connected to the company network over the VPN
  • viruses can enter the company network this way

- to increase network security, turn off unnecessary services that don't need to talk over the network, like the finger daemon
- outgoing traffic is safe but incoming traffic may not be
- ntpd = network time protocol daemon
- modern architecture uses VMs and containers like Docker

  • Processes in Docker separated into groups
  • 1 firewall per group