SystemsSec 2018W Lecture 5: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
==Audio== | |||
[http://homeostasis.scs.carleton.ca/~soma/systemssec-2018w/lectures/comp4108-2018w-lec05-22Jan2018.m4a Lecture 5 Audio] | |||
==Notes== | ==Notes== | ||
- Basic structure of the internet | |||
* client => net => server | |||
* basic client server model | |||
* processes on client and server talk to each other | |||
* network firewall sits between net and server, protects the network from malicious incoming traffic | |||
* host firewall sits between net and server, sits in front of server | |||
* each process has a unique port number | |||
* IP address identifies hosts | |||
- IP addresses are very easy to spoof | |||
- Initially, servers would talk to any client, very risky | |||
- Finger daemon lists for finger requests | |||
* process that can find out anyone's personal info (eg. name, phone number, etc.) | |||
* eg: finger soma@homeostasis.scs.carleton.ca | |||
* outputs a "plan" file with user's personal info | |||
- chargen = character generator | |||
- localhost:631 = url for CUPS | |||
* web-based printer management console for unix systems | |||
* config file has basic access control (ie. IP address restriction) | |||
* not openly available, secure for single host, not so good for multiple hosts (ie. network) | |||
- security issues? | |||
* different config files for different OS, tedious to setup | |||
* ideally, we want a uniform way of combining policy | |||
- TCP wrappers "libwrap" | |||
* came before host based, widespread firewall support | |||
- what is a firewall? | |||
* 2 types: host and network, differs by who enforces the rules | |||
- what is a vpn? | |||
* virtual private network | |||
* can be problematic, misused if used to download media onto your machine while connected to a company network | |||
* viruses can enter the network this way | |||
- to increase network security, turn off unnecessary services that don't need to talk over the network like the finger daemon | |||
- outgoing traffic is safe but incoming traffic may not be | |||
- ntpd = network time protocol daemon | |||
- modern architecture uses VMs and containers like Docker | |||
* Processes in Docker separated into groups | |||
* 1 firewall per group |
Latest revision as of 06:55, 30 January 2018
Audio
Notes
- Basic structure of the internet
- client => net => server
- basic client server model
- processes on client and server talk to each other
- network firewall sits between net and server, protects the network from malicious incoming traffic
- host firewall sits between net and server, sits in front of server
- each process has a unique port number
- IP address identifies hosts
- IP addresses are very easy to spoof - Initially, servers would talk to any client, very risky - Finger daemon lists for finger requests
- process that can find out anyone's personal info (eg. name, phone number, etc.)
- eg: finger soma@homeostasis.scs.carleton.ca
- outputs a "plan" file with user's personal info
- chargen = character generator - localhost:631 = url for CUPS
- web-based printer management console for unix systems
- config file has basic access control (ie. IP address restriction)
- not openly available, secure for single host, not so good for multiple hosts (ie. network)
- security issues?
- different config files for different OS, tedious to setup
- ideally, we want a uniform way of combining policy
- TCP wrappers "libwrap"
- came before host based, widespread firewall support
- what is a firewall?
- 2 types: host and network, differs by who enforces the rules
- what is a vpn?
- virtual private network
- can be problematic, misused if used to download media onto your machine while connected to a company network
- viruses can enter the network this way
- to increase network security, turn off unnecessary services that don't need to talk over the network like the finger daemon - outgoing traffic is safe but incoming traffic may not be - ntpd = network time protocol daemon - modern architecture uses VMs and containers like Docker
- Processes in Docker separated into groups
- 1 firewall per group