3. Basic Concepts
TCP/IP
TCP Uses a Fixed Connection
TCP is for communication between applications.
If one application wants to communicate with another via TCP, it sends a communication request. This request must
be sent to an exact address. After a "handshake" between the two applications, TCP will set up a "full-duplex"
communication between the two applications.
The "full-duplex" communication will occupy the communication line between the two computers until it is closed
by one of the two applications.
UDP is very similar to TCP, but simpler and less reliable.
IP is Connection-Less
IP is for communication between computers.
IP is a "connection-less" communication protocol.
IP does not occupy the communication line between two computers. IP reduces the need for network lines. Each
line can be used for communication between many different computers at the same time.
With IP, messages (or other data) are broken up into small independent "packets" and sent between computers via
the Internet.
IP is responsible for "routing" each packet to the correct destination.
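The two transports described above, on the loopback interface, as an added example that is not part of the PTC slides. A TCP server accepts one connection (the handshake happens inside connect/accept) and the same socket is then used in both directions, while the UDP exchange is one datagram each way with no connection set up at any point. Ports are chosen by the OS and the message text is constructed.

```python
"""Added example (not from the PTC slides): TCP (connection, full-duplex) versus UDP
(connectionless datagram) on 127.0.0.1.  Message text is constructed."""
import socket
import threading


def run_tcp_echo_once():
    """Start a one-shot TCP echo server on 127.0.0.1 and talk to it; returns the reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))              # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()              # completes the three-way handshake
        with conn:
            data = conn.recv(1024)          # full-duplex: the same socket reads ...
            conn.sendall(b"echo:" + data)   # ... and writes
        srv.close()

    t = threading.Thread(target=serve)
    t.start()
    # connect() sends the request to an exact address and performs the handshake
    with socket.create_connection(("127.0.0.1", port), timeout=5) as cli:
        cli.sendall(b"hello over tcp")
        reply = cli.recv(1024)
    t.join()
    return reply


def run_udp_once():
    """Send one datagram to a UDP responder; no connection exists at any point."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    srv.settimeout(5)

    def respond():
        data, addr = srv.recvfrom(1024)     # each datagram carries its own sender address
        srv.sendto(b"echo:" + data, addr)
        srv.close()

    t = threading.Thread(target=respond)
    t.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(5)
    cli.sendto(b"hello over udp", ("127.0.0.1", port))   # no connect() needed
    reply, _ = cli.recvfrom(1024)
    cli.close()
    t.join()
    return reply


if __name__ == "__main__":
    print(run_tcp_echo_once(), run_udp_once())
```

The difference to notice is where the address goes: the TCP client names the peer once in `connect()` and the kernel keeps that association for the life of the connection, while every UDP datagram carries the destination (and the responder learns the sender's address only from the datagram itself).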
@2010 PTC
4. Basic Concepts
Routing
Routing is the method by which data finds its destination from one computer to the next. In the Internet there are 3 major aspects of routing.
1. Physical Address Finding
2. Determination of inter-network gateways
3. Numeric and symbolic Addresses
If a computer wishes to transmit an IP datagram, it needs to encapsulate the physical address of the destination network device in the frame. This address can be obtained from a table that maps the IP address to the physical address. Such a table can be configured in a file that is read into memory at boot time. Computers normally use the Address Resolution Protocol (ARP), which operates dynamically to maintain the translation table.
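The translation table just described, as an added example that is not part of the PTC slides: static entries are read from a boot-time file, dynamic entries are learned from ARP replies and age out, and a reply that would change an existing mapping is recorded rather than silently accepted, which is the check a defender wants on this table. The addresses and the configuration text are constructed sample values.

```python
"""Added example (not from the PTC slides): an ARP-style IP-to-MAC translation table
with static (boot-time file) and dynamic (learned, expiring) entries.  All addresses
below are constructed."""
import time
from dataclasses import dataclass, field

# Constructed sample of a boot-time static mapping file: "<ip> <mac>" per line.
STATIC_ARP_FILE = """\
# static mappings read at boot (constructed sample)
192.168.1.1   00:11:22:33:44:01
192.168.1.10  00:11:22:33:44:0a
"""


@dataclass
class ArpEntry:
    mac: str
    static: bool
    learned_at: float = field(default_factory=time.time)


class ArpTable:
    """Maps IP addresses to physical (MAC) addresses.

    Static entries never expire and are never overwritten by learned replies.
    Dynamic entries expire after `ttl` seconds, as a real ARP cache's would.
    """

    def __init__(self, ttl=60.0):
        self.ttl = ttl
        self.entries = {}    # ip -> ArpEntry
        self.conflicts = []  # (ip, old_mac, new_mac): replies that tried to change a mapping

    def load_static(self, text):
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            ip, mac = line.split()
            self.entries[ip] = ArpEntry(mac.lower(), static=True)

    def learn(self, ip, mac, now=None):
        """Process an ARP reply claiming that `ip` is at `mac`."""
        now = time.time() if now is None else now
        mac = mac.lower()
        current = self.entries.get(ip)
        if current is not None and current.mac != mac:
            # A changed mapping is worth logging: a static entry is kept as-is,
            # a dynamic entry is replaced but the change is recorded.
            self.conflicts.append((ip, current.mac, mac))
            if current.static:
                return False
        self.entries[ip] = ArpEntry(mac, static=False, learned_at=now)
        return True

    def resolve(self, ip, now=None):
        """Return the MAC for `ip`, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if not entry.static and now - entry.learned_at > self.ttl:
            del self.entries[ip]   # expired: the next frame would trigger a new ARP request
            return None
        return entry.mac


def demo():
    table = ArpTable(ttl=60.0)
    table.load_static(STATIC_ARP_FILE)
    t0 = 1000.0
    table.learn("192.168.1.20", "00:11:22:33:44:14", now=t0)   # learned dynamically
    table.learn("192.168.1.1", "de:ad:be:ef:00:01", now=t0)    # tries to change the gateway's static entry
    return {
        "gateway": table.resolve("192.168.1.1", now=t0),
        "host20_fresh": table.resolve("192.168.1.20", now=t0 + 10),
        "host20_expired": table.resolve("192.168.1.20", now=t0 + 61),
        "conflicts": list(table.conflicts),
    }


if __name__ == "__main__":
    print(demo())
```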
5. Basic Concepts
DNS
The domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember "handle" for an Internet address.
Because maintaining a central list of domain name/IP address correspondences would be impractical, the lists of domain names and IP addresses are distributed throughout the Internet in a hierarchy of authority. There is probably a DNS server within close geographic proximity to your access provider that maps the domain names in your Internet requests or forwards them to other servers in the Internet.
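The hierarchy of authority in action, as an added example that is not part of the PTC slides: a toy resolver walks from a root server down to the server authoritative for the name, one referral per level, and caches the answer so the next request for the same name is answered locally. The zone data, server names and TTL are invented sample values.

```python
"""Added example (not from the PTC slides): a toy recursive resolver over a
constructed hierarchy of authority.  Every name and address below is invented."""

# Constructed zone data: server -> {"NS": {child zone: server}, "A": {name: ip}}.
# Each server knows only its own zone and who is authoritative below it.
ZONES = {
    "root":           {"NS": {"com": "com-tld"}, "A": {}},
    "com-tld":        {"NS": {"example.com": "ns.example.com"}, "A": {}},
    "ns.example.com": {"NS": {}, "A": {"www.example.com": "203.0.113.10",
                                       "mail.example.com": "203.0.113.25"}},
}
ANSWER_TTL = 300  # seconds an answer stays in the local cache (constructed value)


class Resolver:
    def __init__(self, zones=ZONES):
        self.zones = zones
        self.cache = {}    # name -> (ip, expires_at)
        self.queries = []  # (server, name) pairs, so the walk can be inspected

    def _ask(self, server, name):
        """Ask one server; returns ("A", ip), ("NS", next_server) or None."""
        self.queries.append((server, name))
        zone = self.zones[server]
        if name in zone["A"]:
            return ("A", zone["A"][name])
        # Referral: the longest child zone that is a suffix of the name.
        for child in sorted(zone["NS"], key=len, reverse=True):
            if name == child or name.endswith("." + child):
                return ("NS", zone["NS"][child])
        return None

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0]
        server = "root"
        for _ in range(8):   # bound the walk so bad data cannot loop forever
            reply = self._ask(server, name)
            if reply is None:
                return None
            kind, value = reply
            if kind == "A":
                self.cache[name] = (value, now + ANSWER_TTL)
                return value
            server = value
        return None


def demo():
    r = Resolver()
    first = r.resolve("www.example.com", now=0)
    walk = list(r.queries)
    second = r.resolve("www.example.com", now=100)    # served from cache, no queries
    queries_after_second = len(r.queries)
    stale = r.resolve("www.example.com", now=1000)    # cache expired, walks again
    missing = r.resolve("www.example.org", now=0)     # no .org delegation in our data
    return {"first": first, "walk": walk, "second": second,
            "queries_after_second": queries_after_second,
            "stale": stale, "missing": missing}


if __name__ == "__main__":
    print(demo())
```

The cache is what makes the "server near your access provider" cheap: the first lookup costs one query per level of the hierarchy, every later lookup within the TTL costs none.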
6. Basic Concepts
NAT (Network Address Translation or Network Address Translator) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside.
Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world.
NAT is included as part of a router and is often part of a corporate firewall. Network administrators create a NAT table that does the global-to-local and local-to-global IP address mapping. NAT can also be used in conjunction with policy routing. NAT can be statically defined or it can be set up to dynamically translate from and to a pool of IP addresses. Cisco's version of NAT lets an administrator create tables that map:
A local IP address to one global IP address statically
A local IP address to any of a rotating pool of global IP addresses that a company may have
A local IP address plus a particular TCP port to a global IP address or one in a pool of them
A global IP address to any of a pool of local IP addresses on a round-robin basis
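A NAT table implementing the first three mapping types in the list above (static one-to-one, a dynamic pool of global addresses, and local address plus TCP port onto one shared global address), as an added example that is not part of the PTC slides or of any Cisco code. Outbound packets create a translation entry; an inbound packet is translated back only if it matches a previous outbound request, which is the "match it to a previous request" property described in the text. The round-robin inbound mapping is not implemented here. All addresses and ports are constructed sample values.

```python
"""Added example (not from the PTC slides): a NAT table with static, pooled and
port-translated mappings.  Addresses are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class NatTable:
    def __init__(self, static=None, pool=(), pat_ip=None):
        self.static = dict(static or {})   # local ip -> global ip, configured statically
        self.pool = list(pool)             # free global ips for dynamic one-to-one mapping
        self.dynamic = {}                  # local ip -> global ip handed out from the pool
        self.pat_ip = pat_ip               # one global ip shared via port translation
        self.next_port = 40000
        self.pat = {}                      # (local ip, local port) -> global port
        self.sessions = {}                 # (global ip, global port, remote ip, remote port) -> (local ip, local port)

    def _global_for(self, pkt):
        """Pick the global address/port for an outbound packet, per the configured modes."""
        if pkt.src_ip in self.static:
            return self.static[pkt.src_ip], pkt.src_port
        if pkt.src_ip in self.dynamic:
            return self.dynamic[pkt.src_ip], pkt.src_port
        if self.pool:
            self.dynamic[pkt.src_ip] = self.pool.pop(0)
            return self.dynamic[pkt.src_ip], pkt.src_port
        if self.pat_ip:
            key = (pkt.src_ip, pkt.src_port)
            if key not in self.pat:
                self.pat[key] = self.next_port
                self.next_port += 1
            return self.pat_ip, self.pat[key]
        return None

    def outbound(self, pkt):
        """Translate a packet leaving the inside network; None means no global address is available."""
        mapping = self._global_for(pkt)
        if mapping is None:
            return None
        gip, gport = mapping
        self.sessions[(gip, gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(gip, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from outside; None means it matched no prior request and is dropped."""
        local = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if local is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, local[0], local[1])


def demo():
    nat = NatTable(static={"10.0.0.5": "198.51.100.5"},
                   pool=["198.51.100.20"],
                   pat_ip="198.51.100.1")
    out_static = nat.outbound(Packet("10.0.0.5", 5000, "203.0.113.80", 80))
    out_pool = nat.outbound(Packet("10.0.0.6", 5001, "203.0.113.80", 80))    # takes the only pooled address
    out_pat_a = nat.outbound(Packet("10.0.0.7", 5002, "203.0.113.80", 80))   # pool empty: port translation
    out_pat_b = nat.outbound(Packet("10.0.0.8", 5002, "203.0.113.80", 80))   # same local port, distinct global port
    reply = nat.inbound(Packet("203.0.113.80", 80, "198.51.100.1", 40001))    # answer to out_pat_b
    unsolicited = nat.inbound(Packet("203.0.113.99", 4444, "198.51.100.1", 40500))
    return {"static": out_static, "pool": out_pool, "pat_a": out_pat_a, "pat_b": out_pat_b,
            "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    print(demo())
```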
7. Basic Concepts
Firewall
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
8. Basic Concepts
Tunneling
Tunneling, also known as "port forwarding," is the transmission of data intended for use only within a private, usually corporate, network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network. Tunneling is generally done by encapsulating the private network data and protocol information within the public network transmission units so that the private network protocol information appears to the public network as data. Tunneling allows the use of the Internet, which is a public network, to convey data on behalf of a private network.
PPTP (the Point-to-Point Tunneling Protocol) makes it possible for authorized users to gain access to a private network - called a virtual private network (VPN) - through an Internet service provider (ISP) or online service. Another commonly used tunneling protocol is generic routing encapsulation (GRE), developed by Cisco Systems. There are numerous, less common tunneling protocols.
The Application uses Remote Method Invocation (RMI) tunneling in case of Split Configuration.
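The encapsulation step described above, as an added example that is not part of the PTC slides or of any vendor's GRE implementation: a packet carrying private addresses is wrapped, together with a 4-byte GRE-style header (flags/version, then protocol type 0x0800 for IPv4), as the data of a packet addressed between the two public tunnel endpoints. The packet layout, addresses and payload are constructed; a real GRE tunnel would carry full IP headers, which are simplified here to source, destination and length.

```python
"""Added example (not from the PTC slides): GRE-style encapsulation of a private
packet inside a public one.  Packet layout and addresses are constructed."""
import ipaddress
import struct

GRE_PROTO_IPV4 = 0x0800   # protocol type GRE uses for an IPv4 payload


def build_packet(src, dst, payload):
    """Constructed minimal packet: 4-byte src, 4-byte dst, 2-byte length, payload."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!H", len(payload)) + payload)


def parse_packet(raw):
    src = str(ipaddress.ip_address(raw[0:4]))
    dst = str(ipaddress.ip_address(raw[4:8]))
    (length,) = struct.unpack("!H", raw[8:10])
    return src, dst, raw[10:10 + length]


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Wrap a whole private packet as the data of a public packet between the tunnel endpoints."""
    gre_header = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)   # no checksum/key/sequence bits set
    return build_packet(tunnel_src, tunnel_dst, gre_header + inner)


def gre_decapsulate(outer):
    """Undo gre_encapsulate; raises ValueError if the GRE header is not what we expect."""
    _, _, data = parse_packet(outer)
    flags_version, proto = struct.unpack("!HH", data[:4])
    if flags_version & 0x0007 != 0:   # the low three bits are the GRE version, which must be 0
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected inner protocol 0x%04x" % proto)
    return data[4:]


def public_router_view(outer):
    """What a router in the public network sees: only the outer addresses."""
    src, dst, _ = parse_packet(outer)
    return src, dst


def demo():
    inner = build_packet("10.1.0.5", "10.2.0.9", b"private payload")
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    return {
        "router_sees": public_router_view(outer),
        "inner_is_private": ipaddress.ip_address(parse_packet(inner)[0]).is_private,
        "roundtrip": gre_decapsulate(outer) == inner,
        "inner": parse_packet(gre_decapsulate(outer)),
    }


if __name__ == "__main__":
    print(demo())
```

Note that nothing in this wrapping hides the private packet's contents from anyone on the public path; GRE on its own is encapsulation, not encryption, which is why the firewall slide's closing remark about encrypting data applies to tunnelled traffic too.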
9. Basic Concepts
In computer networking, DMZ is a firewall configuration for securing local area networks (LANs). In a DMZ configuration,
most computers on the LAN run behind a firewall connected to a public network like the Internet. One or more computers
also run outside the firewall, in the DMZ. Those computers on the outside intercept traffic and broker requests for the rest
of the LAN, adding an extra layer of protection for computers behind the firewall.
Traditional DMZs allow computers behind the firewall to initiate requests outbound to the DMZ. Computers in the DMZ in
turn respond, forward or re-issue requests out to the Internet or other public network, as proxy servers do. (Many DMZ
implementations, in fact, simply utilize a proxy server or servers as the computers within the DMZ.) The LAN firewall,
though, prevents computers in the DMZ from initiating inbound requests.
DMZ is a commonly touted feature of home broadband routers. However, in most instances these features are not true DMZs. Broadband routers often implement a DMZ simply through additional firewall rules, meaning that incoming requests reach the firewall directly. In a true DMZ, incoming requests must first pass through a DMZ computer before reaching the firewall.
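A zone-aware packet filter with connection tracking, as an added example that is not part of the PTC slides. It serves both the firewall slide (user-defined packet-filter rules, the circuit-level idea that an established connection's packets flow without further rule checks, and an ingress check against the IP spoofing that plain packet filtering is vulnerable to) and the DMZ slide (the LAN may initiate into the DMZ, the DMZ may initiate out to the Internet, incoming requests reach a DMZ host first, and the DMZ may not initiate into the LAN). Zones, addresses and rules are constructed sample values.

```python
"""Added example (not from the PTC slides): zone-based stateful packet filter
implementing the firewall and DMZ rules described above.  All values constructed."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port syn")
Rule = namedtuple("Rule", "action src_zone dst_zone dst_port")   # dst_port None = any port

# Constructed zone layout; anything not listed is "outside" (the Internet).
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz":    ipaddress.ip_network("192.0.2.0/24"),
}

# User-defined rules, first match wins; anything unmatched is dropped.
RULES = [
    Rule("accept", "inside",  "dmz",     None),   # LAN may initiate requests to the DMZ
    Rule("accept", "dmz",     "outside", None),   # DMZ brokers requests out to the Internet
    Rule("accept", "outside", "dmz",     80),     # incoming requests reach a DMZ web host first
    Rule("drop",   "dmz",     "inside",  None),   # DMZ must not initiate into the LAN
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


class Firewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.established = set()   # frozenset of the two (ip, port) endpoints per connection
        self.log = []

    def _decide(self, pkt, ingress_zone):
        src_zone, dst_zone = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
        # Anti-spoofing: the source address must belong to the zone the packet arrived from.
        if src_zone != ingress_zone:
            return "drop-spoofed"
        flow = frozenset([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
        # Circuit-level check: once a connection is made, its packets flow without rule checks.
        if flow in self.established:
            return "accept-established"
        if not pkt.syn:
            return "drop-unestablished"   # not a connection attempt and no tracked connection
        for rule in self.rules:
            if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                    and rule.dst_port in (None, pkt.dst_port)):
                if rule.action == "accept":
                    self.established.add(flow)
                return rule.action
        return "drop-default"

    def filter(self, pkt, ingress_zone):
        verdict = self._decide(pkt, ingress_zone)
        self.log.append((pkt.src_ip, pkt.dst_ip, pkt.dst_port, verdict))
        return verdict


def demo():
    fw = Firewall()
    return [
        fw.filter(Packet("10.1.1.5", 40000, "192.0.2.10", 80, True), "inside"),       # LAN -> DMZ
        fw.filter(Packet("192.0.2.10", 80, "10.1.1.5", 40000, False), "dmz"),          # reply on that connection
        fw.filter(Packet("192.0.2.10", 40001, "10.1.1.5", 22, True), "dmz"),           # DMZ initiating into LAN
        fw.filter(Packet("198.51.100.7", 50000, "192.0.2.10", 80, True), "outside"),   # Internet -> DMZ web
        fw.filter(Packet("198.51.100.7", 50001, "10.1.1.5", 80, True), "outside"),     # Internet -> LAN directly
        fw.filter(Packet("10.1.1.9", 50002, "192.0.2.10", 80, True), "outside"),       # inside address arriving from outside
        fw.filter(Packet("203.0.113.4", 443, "192.0.2.10", 50003, False), "outside"),  # stray non-SYN, no session
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ingress-zone check is the standard answer to the spoofing weakness the slide mentions: a rule that matches on source address alone can be satisfied by a forged header, but a packet claiming an inside address cannot legitimately arrive on the outside interface.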
10. Web &Security Concepts
Proxy
In an enterprise that uses the Internet, a proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
A proxy server receives a request for an Internet service (such as a Web page request) from a user. If it passes filtering requirements, the proxy server, assuming it is also a cache server, looks in its local cache of previously downloaded Web pages. If it finds the page, it returns it to the user without needing to forward the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet. When the page is returned, the proxy server relates it to the original request and forwards it on to the user.
To the user, the proxy server is invisible; all Internet requests and returned responses appear to be directly with the addressed Internet server. (The proxy is not quite invisible; its IP address has to be specified as a configuration option to the browser or other protocol program.)
An advantage of a proxy server is that its cache can serve all users. If one or more Internet sites are frequently requested, these are likely to be in the proxy's cache, which will improve user response time. In fact, there are special servers called cache servers. A proxy can also do logging.
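The request path described above (filter, check the cache, fetch on the user's behalf, log), as an added example that is not part of the PTC slides. The origin fetch is a constructed in-memory stand-in for the request the proxy would make to the Internet server, so the logic runs offline; hostnames, the block list and the cache TTL are sample values.

```python
"""Added example (not from the PTC slides): the request path of a caching,
filtering, logging forward proxy.  Pages, hosts and TTL are constructed."""
from urllib.parse import urlsplit

# Constructed "Internet": url -> page body.
ORIGIN_PAGES = {
    "http://www.example.com/": "<html>example home</html>",
    "http://news.example.net/today": "<html>headlines</html>",
}
BLOCKED_HOSTS = {"ads.example.org"}   # constructed filtering requirement
CACHE_TTL = 600                       # seconds a cached page stays fresh (constructed)


class CachingProxy:
    def __init__(self, origin_fetch, blocked=BLOCKED_HOSTS, ttl=CACHE_TTL):
        self.origin_fetch = origin_fetch   # callable(url) -> body or None
        self.blocked = blocked
        self.ttl = ttl
        self.cache = {}   # url -> (body, expires_at)
        self.log = []     # (user, url, outcome): the proxy's log, one line per request

    def request(self, user, url, now):
        host = urlsplit(url).hostname
        # 1. filtering requirements
        if host in self.blocked:
            self.log.append((user, url, "blocked"))
            return 403, None
        # 2. local cache of previously downloaded pages, shared by all users
        cached = self.cache.get(url)
        if cached and cached[1] > now:
            self.log.append((user, url, "cache-hit"))
            return 200, cached[0]
        # 3. act as a client on behalf of the user and relate the answer to the request
        body = self.origin_fetch(url)
        if body is None:
            self.log.append((user, url, "origin-miss"))
            return 502, None
        self.cache[url] = (body, now + self.ttl)
        self.log.append((user, url, "fetched"))
        return 200, body


def demo():
    fetches = []

    def origin_fetch(url):
        fetches.append(url)
        return ORIGIN_PAGES.get(url)

    proxy = CachingProxy(origin_fetch)
    r1 = proxy.request("alice", "http://www.example.com/", now=0)
    r2 = proxy.request("bob", "http://www.example.com/", now=60)      # another user, served from cache
    r3 = proxy.request("alice", "http://ads.example.org/banner", now=61)
    r4 = proxy.request("bob", "http://www.example.com/", now=700)     # cache expired, fetched again
    r5 = proxy.request("carol", "http://nowhere.example.com/", now=701)
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "r5": r5,
            "origin_fetches": len(fetches), "outcomes": [o for _, _, o in proxy.log]}


if __name__ == "__main__":
    print(demo())
```

The log is worth keeping even when caching is the main goal: because every request passes through one point, it is the natural place to see which user asked for what, which is the "administrative control" the slide refers to.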
11. Web &Security Concepts
Reverse Proxy
When a web server is configured with reverse proxy functionality, it acts as a proxy for one or more backend servers and serves as a single point of access or gateway in a server farm. In a reverse proxy setup, the web server forwards the HTTP request it received from the browser client to the appropriate backend server. The HTML response from the backend server is sent back to the browser through the web server. Thus, the web server with reverse proxy hides the existence of backend servers.
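The routing half of a reverse proxy, as an added example that is not part of the PTC slides: requests are dispatched by Host header to a pool of backends in round-robin order, and response headers that would reveal which backend answered are stripped before the reply goes back to the browser. The backend call is a constructed in-memory stand-in for the real forwarded HTTP request; host names, backend addresses and headers are sample values.

```python
"""Added example (not from the PTC slides): reverse-proxy dispatch over a small
server farm, hiding the backends from the client.  All values constructed."""
import itertools

# Constructed server farm: Host header -> list of backend addresses.
BACKENDS = {
    "www.example.com": ["10.0.1.11:8080", "10.0.1.12:8080"],
    "api.example.com": ["10.0.2.21:9000"],
}
# Response headers that would reveal the backend; the proxy removes them.
BACKEND_REVEALING_HEADERS = {"server", "x-backend", "x-powered-by"}


def send_to_backend(backend, path):
    """Stand-in for forwarding the request; a real proxy would open a connection here."""
    headers = {"Server": "internal-httpd", "X-Backend": backend, "Content-Type": "text/html"}
    return 200, headers, "<html>%s</html>" % path


class ReverseProxy:
    def __init__(self, backends=BACKENDS, forward=send_to_backend):
        self.forward = forward
        # one round-robin cycle per host, so successive requests spread across the farm
        self.pools = {host: itertools.cycle(addrs) for host, addrs in backends.items()}
        self.chosen = []   # which backend served each request (internal bookkeeping only)

    def handle(self, host, path):
        pool = self.pools.get(host)
        if pool is None:
            return 404, {"Server": "proxy"}, "unknown site"
        backend = next(pool)
        self.chosen.append(backend)
        status, headers, body = self.forward(backend, path)
        # hide the existence of the backend from the browser
        clean = {k: v for k, v in headers.items() if k.lower() not in BACKEND_REVEALING_HEADERS}
        clean["Server"] = "proxy"
        return status, clean, body


def demo():
    rp = ReverseProxy()
    a = rp.handle("www.example.com", "/index.html")
    b = rp.handle("www.example.com", "/index.html")   # same site, next backend in the pool
    c = rp.handle("other.example.com", "/")
    return {"a": a, "b": b, "c": c, "chosen": list(rp.chosen)}


if __name__ == "__main__":
    print(demo())
```

Stripping the identifying headers is the part that is easy to forget: the backends are already unreachable from outside, but a `Server` or `X-Powered-By` header passed through unchanged still tells a visitor what software sits behind the gateway.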
12. Web &Security Concepts
HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks. HTTPS was developed by Netscape.
HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. Unless a different port is specified, HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.
13. Certificates
A certificate gives two important pieces of information: the owner of the certificate, and the authority who signed the certificate.
When the Application is used by a real company, it uses certificates signed by authorities.
If you have to install a test server, you can sign your certificate yourself, but when you connect to the Application you will get a popup stating that the certificate cannot be trusted.
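The client side of the HTTPS and certificate slides, as an added example that is not part of the PTC slides or of the Application: the port HTTPS falls back to, a verifying TLS client context built with Python's standard `ssl` module, the setting that suppresses the "cannot be trusted" warning (and why it is the wrong fix), and a look at the two facts a certificate carries (owner and signing authority) in the dictionary form that `SSLSocket.getpeercert()` returns. The two certificate dictionaries are constructed samples in that format, not real certificates; `client_context` is this example's own helper, not an API of the Application.

```python
"""Added example (not from the PTC slides): HTTPS client setup and certificate
owner/issuer inspection with the standard ssl module.  Sample certificates are
constructed dictionaries in getpeercert() format."""
import ssl
from urllib.parse import urlsplit


def effective_port(url):
    """Port HTTPS/HTTP will use when the URL does not name one explicitly."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def client_context(test_cert_file=None):
    """A verifying TLS client context.

    With no argument it trusts the platform's CA store, as a browser does.  For a
    test server with a self-signed certificate, pass that certificate's PEM file:
    it becomes the only trust anchor, and hostname checking stays on, so the
    warning goes away without accepting every other certificate too.
    """
    if test_cert_file is None:
        return ssl.create_default_context()            # CERT_REQUIRED, check_hostname on
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)      # also CERT_REQUIRED, check_hostname on
    ctx.load_verify_locations(cafile=test_cert_file)
    return ctx


def insecure_context():
    """The setting to avoid: accepts any certificate, so the "cannot be trusted"
    popup never appears, and neither would a man-in-the-middle."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_settings(ctx):
    """The two settings that decide whether the server is actually authenticated."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def _common_name(rdns):
    """Pull commonName out of getpeercert()'s nested tuple-of-tuples name format."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def certificate_summary(cert):
    """The two pieces of information the slide names: owner and signing authority."""
    subject, issuer = cert["subject"], cert["issuer"]
    return {
        "owner": _common_name(subject),
        "signed_by": _common_name(issuer),
        "self_signed": subject == issuer,   # a self-signed certificate names itself as issuer
    }


# Constructed samples in getpeercert() format.
CA_SIGNED = {
    "subject": ((("commonName", "app.example.com"),),),
    "issuer":  ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
}
SELF_SIGNED = {
    "subject": ((("commonName", "test-server.local"),),),
    "issuer":  ((("commonName", "test-server.local"),),),
}

if __name__ == "__main__":
    print(effective_port("https://app.example.com/login"))
    print(context_settings(client_context()), context_settings(insecure_context()))
    print(certificate_summary(CA_SIGNED), certificate_summary(SELF_SIGNED))
```

The popup the slide describes is the browser's version of `CERT_REQUIRED` failing: the issuer of a self-signed certificate is the certificate itself, so no authority in the trust store vouches for it. Adding that one certificate as a trust anchor for the test server keeps verification on; turning verification off removes the warning for every server, which is the opposite of what the slide is asking for.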