Network and Security Network and Security ConceptsConcepts

OverviewOverviewBasic Concepts

◦TCP/IP◦Routing◦DNS◦NAT◦Firewall/Router◦Tunneling◦DMZ

Web & Security Concepts◦Proxy◦Reverse Proxy◦HTTP/HTTPS◦Certificates

@2010 PTC

Basic ConceptsBasic Concepts TCP/IP TCP Uses a Fixed ConnectionTCP is for communication between applications.If one application wants to communicate with another via TCP, it sends a communication request. This request must be sent to an exact address. After a "handshake" between the two applications, TCP will set up a "full-duplex" communication between the two applications.The "full-duplex" communication will occupy the communication line between the two computers until it is closed by one of the two applications.UDP is very similar to TCP, but simpler and less reliable.IP is Connection-LessIP is for communication between computers.IP is a "connection-less" communication protocol.IP does not occupy the communication line between two computers. IP reduces the need for network lines. Each line can be used for communication between many different computers at the same time.With IP, messages (or other data) are broken up into small independent "packets" and sent between computers via the Internet.IP is responsible for "routing" each packet to the correct destination.

@2010 PTC

Basic ConceptsBasic Concepts Routing Routing is the method in which data finds its destination from one computer to the next. In the Internet there are 3 major aspects of routing. 1. Physical Address Finding 2. Determination of inter-network gateways 3. Numeric and symbolic Addresses

If a computer wishes to transmit IP datagram it needs to encapsulate the physical address of the destination network device in the frame. This address can be achieved by using the table that will map the IP address with the physical address. Such table can be configured into a file that can be read into the memory at the boot up time. Computer normally uses the Address Resolution Protocol (ARP), which operates dynamically to maintain the translation table.

@2010 PTC

Basic ConceptsBasic Concepts DNS

The domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember "handle" for an Internet address.Because maintaining a central list of domain name/IP address correspondences would be impractical, the lists of domain names and IP addresses are distributed throughout the Internet in a hierarchy of authority. There is probably a DNS server within close geographic proximity to your access provider that maps the domain names in your Internet requests or forwards them to other servers in the Internet.

@2010 PTC

Basic ConceptsBasic ConceptsNAT (Network Address Translation or Network Address Translator) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world. NAT is included as part of a router and is often part of a corporate firewall. Network administrators create a NAT table that does the global-to-local and local-to-global IP address mapping. NAT can also be used in conjunction with policy routing. NAT can be statically defined or it can be set up to dynamically translate from and to a pool of IP addresses. Cisco's version of NAT lets an administrator create tables that map:A local IP address to one global IP address staticallyA local IP address to any of a rotating pool of global IP addresses that a company may haveA local IP address plus a particular TCP port to a global IP address or one in a pool of themA global IP address to any of a pool of local IP addresses on a round-robin basis

@2010 PTC

Basic ConceptsBasic Concepts FirewallA system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.There are several types of firewall techniques:Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses. In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.

@2010 PTC

Basic ConceptsBasic Concepts

Tunneling

Tunneling, also known as "port forwarding," is the transmission of data intended for use only within a private, usually corporate network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network. Tunneling is generally done by encapsulating the private network data and protocol information within the public network transmission units so that the private network protocol information appears to the public network as data. Tunneling allows the use of the Internet, which is a public network, to convey data on behalf of a private network.

The PPTP makes it possible for authorized users to gain access to

a private network - called a virtual private network (VPN) -through an Internet service provider (ISP) or online service. Another commonly used tunneling protocol is generic routing encapsulation (GRE), developed by Cisco Systems. There are numerous, less common tunneling protocols.

Application uses Remote Method Invocation (RMI) tunneling incase of Split Configuration.

@2010 PTC

Basic ConceptsBasic Concepts

@2010 PTC

In computer networking, DMZ is a firewall configuration for securing local area networks (LANs). In a DMZ configuration, most computers on the LAN run behind a firewall connected to a public network like the Internet. One or more computers also run outside the firewall, in the DMZ. Those computers on the outside intercept traffic and broker requests for the rest of the LAN, adding an extra layer of protection for computers behind the firewall. Traditional DMZs allow computers behind the firewall to initiate requests outbound to the DMZ. Computers in the DMZ in turn respond, forward or re-issue requests out to the Internet or other public network, as proxy servers do. (Many DMZ implementations, in fact, simply utilize a proxy server or servers as the computers within the DMZ.) The LAN firewall, though, prevents computers in the DMZ from initiating inbound requests. DMZ is a commonly-touted feature of home broadband routers. However, in most instances these features are not true DMZs. Broadband routers often implement a DMZ simply through additional firewall rules, meaning that incoming requests reach the firewall directly. In a true DMZ, incoming requests must first pass through a DMZ computer before reaching the firewall.

Web &Security ConceptsWeb &Security Concepts Proxy In an enterprise that uses the Internet, a proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.A proxy server receives a request for an Internet service (such as a Web page request) from a user. If it passes filtering requirements, the proxy server, assuming it is also a cache server , looks in its local cache of previously downloaded Web pages. If it finds the page, it returns it to the user without needing to forward the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet. When the page is returned, the proxy server relates it to the original request and forwards it on to the user.To the user, the proxy server is invisible; all Internet requests and returned responses appear to be directly with the addressed Internet server. (The proxy is not quite invisible; its IP address has to be specified as a configuration option to the browser or other protocol program.)An advantage of a proxy server is that its cache can serve all users. If one or more Internet sites are frequently requested, these are likely to be in the proxy's cache, which will improve user response time. In fact, there are special servers called cache servers. A proxy can also do logging.

@2010 PTC

Web &Security ConceptsWeb &Security ConceptsReverse Proxy

@2010 PTC

When web server is configured with reverse proxy functionality, it acts as a proxy for one or more backend servers and serves as a single point of access or gateway in a server farm. In a reverse proxy setup, the web server forwards the HTTP request it received from the browser client to the appropriate backend server. The HTML response from the backend server is sent back to the browser through the web server. Thus, the web server with reverse proxy hides the existence of backend servers.

Web &Security ConceptsWeb &Security Concepts HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks. HTTPS was developed by Netscape.HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. Unless a different port is specified, HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.

@2010 PTC

CertificatesCertificates

@2010 PTC

The certificates gives 2 important information.

The owner of the certificate, and the authority who signed the certificate.

When Application is used by real company they are using signed certificates by authorities.

If you have to install a test server, you can signed yourself your certificate, but when you will connect to Application you will get a popup stating that the certificate cannot be trusted.