Networking, Security, and Phishing Detection: Application Layer & Protocols
78 Terms
1
Phishing Detection Tools
Tools that can detect phishing attacks by analyzing packet bits, such as Gigamon, Splunk, Syslog.
2
Application Layer Actions
Actions that include Web & HTTP, E-mail (SMTP, IMAP), DNS, P2P applications, Video streaming, Socket programming with UDP and TCP.
3
IMAP (Internet Message Access Protocol)
Allows email applications like Outlook to download emails onto a local machine instead of leaving them on the server.
4
DNS (Domain Name System)
Resolves a domain name into an IP address.
5
P2P Applications
Examples include payment apps and BitTorrent.
6
Socket Programming
Involves using UDP and TCP to send and receive messages through sockets.
7
Network Applications in Application Layer
Includes Social Networking, Web, Text Messaging, E-Mail, Multiplayer Games, Streaming, P2P File Sharing, VOIP, Real-Time Video Conferencing, Internet Search, Remote Login.
8
Socket in Networking
A 'door' through which a process sends and receives messages.
9
Sending Process Using a Socket
Shoves the message out the socket 'door,' relying on transport infrastructure to deliver it to the receiving socket.
10
Application-Layer Protocol Definition
Defines types of messages exchanged, message syntax, message semantics, rules for sending/responding to messages, and open or proprietary status.
11
Open Protocol Examples
HTTP, SMTP, among others, defined in RFCs.
12
Proprietary Protocol Example
Skype.
13
Transport Services Needed by Apps
Include data integrity, throughput, timing, and security.
14
Packet Throughput Requirement
If a packet doesn't meet throughput requirements, it must be resent.
15
Handling Delayed Packets
Time-sensitive apps discard delayed packets and use the latest ones to stay up to date.
16
Limitation of TCP and UDP
No encryption; cleartext passwords traverse the Internet unencrypted.
17
Encrypted TCP Connections
Provide data integrity and end-point authentication.
18
TLS Implementation Location
Implemented at the application layer; apps use TLS libraries that rely on TCP.
19
TLS Socket API Functionality
Cleartext sent into the socket is encrypted before traversing the Internet.
20
TLS Certificates Application
Applied to the NIC of servers to verify communication; certificate must be renewed if the NIC is replaced.
21
Port for Encrypted File Transfer
Port 22 (SSH).
22
Non-Persistent HTTP Definition
Opens a TCP connection, sends at most one object, then closes the connection; multiple connections are needed for multiple objects.
23
Persistent HTTP Definition
Opens a TCP connection, sends multiple objects over a single connection, then closes it.
24
TCP Connections Needed for a Webpage
11 connections needed for a webpage with text and 10 JPEGs in non-persistent HTTP.
25
POST Request Purpose
Sends user input to the server in the entity body of the request.
26
GET Request Data Sending
Includes user data in the URL field (following a '?').
27
HEAD Request Function
Requests only the headers that would be returned by a GET request for the specified URL.
28
PUT Request Function
Uploads a new file to the server, replacing the existing file at the specified URL.
29
Cookie Definition
A file on the client machine storing info about a web session, allowing state maintenance despite HTTP's stateless nature.
30
Components of Cookies
Include cookie header in HTTP response, cookie header in next HTTP request, cookie file on user's host, back-end database at the website.
31
Web Cache Definition
Satisfies client requests without involving the origin server; acts as both client and server.
32
Who Installs a Web Cache
Typically installed by ISPs, universities, companies, or residential ISPs.
33
Benefits of Web Caches
Reduce response time, reduce traffic on access links, and enable effective content delivery for poor providers.
34
Internet Caches Density Reason
Caches reduce traffic and improve delivery efficiency.
35
OSI Model Definition
Provides a theoretical framework for understanding how network communication works.
36
Layers in the OSI Model
Seven layers: Physical, Data Link, Network, Transport, Session, Presentation, Application.
37
Ethernet Layer
Belongs to the Data Link Layer (Layer 2).
38
Layer for IP Addressing and Routing
Network Layer (Layer 3).
39
Transport Layer Protocols
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
40
Function of the Transport Layer
Provides end-to-end communication and ensures data delivery reliability.
41
TCP Reliability
Ensures reliability by using sequence numbers and acknowledgments to track and reassemble packets.
42
Difference between TCP and UDP
TCP is reliable but slower; UDP is faster but less reliable.
43
Data Formatting Layer
Presentation Layer (Layer 6) is responsible for encrypting and formatting data.
44
Common Application Layer Protocols
Include HTTP, HTTPS, DNS, FTP, SMTP.
45
Encapsulation in Networking
The process of adding headers at each OSI layer before data transmission.
46
L4 Load Balancer
Operates at the Transport Layer (TCP/UDP).
47
L7 Load Balancer
Operates at the Application Layer (HTTP/HTTPS).
48
Domain Name System Function
Translates human-readable domain names (e.g., google.com) into machine-readable IP addresses.
49
Transport Layer Protocol for DNS
UDP (User Datagram Protocol), port 53.
50
Reason DNS Uses UDP
UDP is faster and more efficient for quick lookups.
51
Well-Known Port Definition
A pre-assigned port number used by common services, like UDP 53 for DNS and TCP 80 for HTTP.
52
Source Port Definition
A randomly selected port above 1024 that a client assigns to track its own outgoing requests.
53
Destination Port Definition
Indicates which service should handle the request on the receiving end (e.g., HTTP uses port 80).
54
Tracking Multiple Outgoing Requests
By assigning different source ports for each request.
55
MAC Address Definition
A unique hardware identifier assigned to network devices.
56
TCP/IP Stack Encapsulation
Adds headers at each layer of the TCP/IP stack before data is transmitted.
57
TCP/IP Stack Layers
Application, Transport, Network, Data Link, and Physical Layer.
58
Application Layer Function
Adds service-specific data (e.g., HTTP request).
59
Transport Layer Function
Adds TCP/UDP headers with source/destination ports.
60
Network Layer Function
Adds IP addresses to route the packet.
61
Data Link Layer Function
Adds MAC addresses for local delivery.
62
Physical Layer Function
Transmits bits over the network.
63
TCP vs UDP for Web Browsing
TCP ensures reliable delivery, while UDP is faster but can drop packets.
64
Ethernet Address at Layer 2
Identifies devices within a local network before packets are forwarded.
65
HTTPS Definition
A secure version of HTTP that encrypts communication using TLS.
66
TLS Definition
Transport Layer Security - the protocol that encrypts HTTPS traffic.
67
TLS Handshake Purpose
Establishes a secure connection between a client and server before encrypted data is exchanged.
68
Steps in the TLS Handshake
Client Hello, Server Hello, Key Exchange, secure communication begins.
69
Asymmetric and Symmetric Encryption in HTTPS
Asymmetric encryption (RSA) is used to exchange the symmetric session key, which encrypts bulk data.
70
Difference Between TLS 1.2 and TLS 1.3
TLS 1.3 reduces handshake time from two round trips to one round trip, improving speed.
71
Common Encryption Algorithms in TLS
RSA (older), Diffie-Hellman (modern), AES for bulk encryption.
72
Content Delivery Network (CDN) Definition
A network of distributed servers that caches content closer to users for improved speed.
73
Points of Presence (PoPs) in a CDN
Strategically placed servers that store cached content.
74
Routing Methods Used by CDNs
DNS-based routing and Anycast routing.
75
CDN Website Performance Improvement
Caches static content, reduces latency, and offloads traffic from origin servers.
76
Edge Computing in a CDN
Processes requests closer to users at the edge of the network, reducing response time.
77
CDN and Security
Mitigates DDoS attacks, provides TLS termination at the edge, and applies traffic filtering.
78
Reverse Proxy Role in a CDN
Handles requests for origin servers, caches content, and improves performance.