Application layer
DESCRIPTION
Details of the application layer
TRANSCRIPT
Application Layer
Chapter 9, Unit 7
Shanti Verma
Fundamentals of Networking
8/13/2014
Outline
Introduction
Domain Name System (DNS)
DNS
Registration Process
The Name servers
Resource Records
Dynamic DNS
The WWW and HTTP
HTTP Query and Response
The structure of the Query and Response
Persistent connection with HTTP 1.1
Cookies
Session Variables
Proxies as gateway
The Dynamic Web
Bluetooth
Introduction
Architecture
Protocol Stack
Pairing Process
Security
Introduction: Application Layer
The application layer acts as the interface between the system and its users.
There is an important difference between an application and the application layer: browsers and FTP clients are examples of applications; the application layer is the set of protocols they speak.
Applications interact with the transport layer to establish a connection with the other end of the application and transfer data as the user requires.
Applications are programmed to communicate with TCP or UDP to get their job done; the Firefox browser, for example, communicates over TCP.
The application layer is where both clients and servers run.
The application layer's job is to standardize the communication (i.e. come out with a protocol) so that any arbitrary client can talk to any arbitrary server: Firefox talks to Apache in one case and to IIS in another.
At the application layer the protocols are plentiful and still growing, whereas the transport layer has TCP and UDP and the network layer has IP.
Domain Name System (DNS)
DNS is an application that a normal user does not encounter directly unless he uses a tool such as nslookup, a command-line utility that queries DNS to obtain the IP address of a host.
What is the need for DNS?
◦ Numeric addresses are hard for people to remember.
◦ If e-mail were addressed to Tana by her mail server's numeric address, then whenever Tana's ISP or organization moved the mail server to a different machine with a different IP address, her e-mail address would have to change.
◦ Hence ASCII names were introduced.
◦ Nevertheless, the network itself understands only numerical addresses.
To map a name onto an IP address:
◦ an application program calls a library procedure called the resolver, passing it the name as a parameter.
** Resolvers are the routines that take queries from browser-like applications and start querying the name servers.
◦ The resolver sends a UDP packet to a local DNS server,
◦ which then looks up the name and returns the IP address to the resolver, which in turn returns it to the caller.
The Domain Namespace
The domain namespace is the representation of domain names as part of a hierarchy starting from the root.
www.google.com is an example of a name in the domain namespace.
This name represents a hierarchy: .com is the highest level, google comes under it and www is at the lowest level.
A domain name represents either a group of computers or a single computer.
The top-level domains come in two flavors:
◦ Generic: com (commercial), edu (educational institutions), gov (the U.S. Federal Government), int (certain international organizations), mil (the U.S. armed forces), net (network providers), and org (nonprofit organizations).
◦ Countries: the country domains include one entry for every country, as defined in ISO 3166.
Domain Namespace Requirements
Domain names are case insensitive.
Component names (labels) can be up to 63 characters long; full path names must not exceed 255 characters.
To create a new domain, permission is required from the domain in which it will be included.
Efficient, i.e. converting a domain name to an IP address must not take an inordinate amount of time.
Continues working despite breakdowns.
Must not introduce additional overhead to any part of the internet by increasing the number of queries or replies in a region.
Information is available from nearby servers.
Should carry some additional information, such as the official mail server for a specified organization, or the name and mail address of the person looking after a site.
A single server can manage multiple networks.
Should be secure enough (not provided by the original design: DNS answers are unauthenticated, which is why DNSSEC, discussed later, was added).
DNS poisoning
When a server's cache is poisoned with incorrect information, users who faithfully type the specified company's URL are switched to some other place. This is known as DNS (cache) poisoning.
A resolver only has the query's 16-bit transaction ID and its UDP source port to match an answer to its question, so an attacker who can guess or race those can inject a forged reply before the real one arrives; the cryptographic fix is DNSSEC.
Labels and Domains
Domains are quite generic in nature.
A domain may contain multiple sub domains and have no machine attached to it directly. For example, most sub domains of a top level domain like com or org do not have any computer attached to them directly; they are divided into multiple sub domains.
A domain name can be of two types:
Fully qualified: a fully qualified name for google is google.com. (with a trailing dot). The last dot is not accidental; it represents the empty label of the root coming after com.
Partially qualified: abcict.org (without the last dot), or simply abcict, can also be used if the context is clear.
Domain Hierarchy
Lower level domains are part of higher level domains. Three different domains are shown in the figure: the in domain, the ac.in domain and the ABC.ac.in domain. The entire domain name space consists of many such domains.
Advantages of Hierarchy
A flat namespace held on one server would run into space constraints, processing time constraints and congestion near that server. A hierarchy instead gives:
Organized form of information
Efficient resolution of domain names
A comparatively static database is better organized this way
Clear-cut controlling infrastructure
Delegation of authority is clearly defined
Autonomous control
The Distributed Database
The information about the domains is not stored at a central location but is distributed across various servers: root servers, the TLD (Top Level Domain) servers, the local servers deployed at specific organizations and ISPs, and other servers in between.
The distributed organization is better because most queries are resolved locally. For example, in the hierarchy figure above the ABC server contains information about the machines in the ABC domain only, while the servers above it hold only pointers to their respective sub domains.
Advantages of Distributed database in DNS
Load on big servers like the TLD and root servers is reduced to a large extent.
◦ Most DNS queries are resolved within the local server's scope.
The distributed database reduces network traffic.
◦ Queries are resolved by a nearby server and responses do not have to travel far.
No single point of failure.
◦ If a few servers go down at the same point in time, most internet users remain unaffected.
Easy maintenance.
◦ Maintaining a single huge database is much more difficult than maintaining several comparatively small databases.
Can be easily managed.
For the above domain hierarchy figure the database tables are as follows.

Database for 'in'
  ac    Address of ac
  mil   Address of mil
  edu   Address of edu
  …     …

Database for 'ac'
  ABC   Address of ABC
  …     …

Database for 'ABC'
  ict   Address of ict
  ibm   Address of ibm
  …     Address of …
Search Mechanism and Name Resolution
Searching an IP address for a given domain name is the most important and most frequent operation on DNS. It is also referred to as name resolution.
The resolution process begins when the client's resolver asks its local server for the information.
There are two ways of resolution possible in DNS:
Recursive name resolution method
First, the client asks a name server for a resolution, and the name server obtains the answer by asking up the hierarchy if it does not contain the required value. Thus the client gets the answer without having to ask anybody else.
Iterative name resolution method
Second, when the name server does not contain the address, it returns the address of the next server to ask, and the client contacts that server directly. Here the client must be able to send the query again to a higher level server in case the queried DNS server is unable to answer.
DNS uses both types of name resolution. A client asks for recursion by setting the RD (recursion desired) flag in its query, and a server indicates whether it offers it with the RA (recursion available) flag in its response.
Recursive name resolution method
The local machine (client) can ask for a recursive answer from a name server. This means the resolver expects the server to supply the final answer.
The local machine sends the query about abcict.org.
If the server is the authority for the domain name, it checks its database and responds. If not, it sends the request to another server (usually the parent) and waits for the response.
The local DNS server does not have the address of abcict.org, so it sends the request to a root server and waits for the response.
If the parent is the authority, it responds; otherwise, it sends the query to yet another server.
The root server does not have the address of abcict, so it sends the request to an org server.
When the query is finally resolved, the response travels back until it finally reaches the requesting client.
Iterative name resolution method
If the client does not ask for a recursive answer, the mapping can be done iteratively.
If the server (local DNS server) is an authority for the name, it sends the answer. If it is not, it returns to the client (local machine) the IP address of the server (root server) that it thinks can resolve the query. The local DNS server does not have the address of abcict.org, so it sends the IP address of a root server.
The client (local machine) is responsible for repeating the query to this second server (root server).
The root server does not have the address of abcict, so it sends the IP address of an org server. Now the client (local machine) must repeat the query to this third server (org server).
Now an org server has the IP address of abcict, so it returns the IP address of abcict.
The client repeats the same query to multiple servers; that is why this process is called iterative resolution.
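The two resolution methods above, as an added worked example that is not part of the original slides: a constructed three-level hierarchy (root, org TLD, abcict authoritative server) is modelled in memory, with server ids standing in for server addresses, and an iterative resolver follows referrals the way the client does in the iterative method, while a recursive local server does the walk on the client's behalf and caches the answer. The resolver also applies the bailiwick check a real resolver needs: a referral is only accepted if it points into a zone below the referring server's own zone, which is what stops a server from redirecting lookups for names it has no authority over. The rogue-tld entry is a constructed attacker to exercise that check.

```python
"""Toy model of DNS name resolution: iterative and recursive lookups over a
constructed three-level hierarchy (root -> org TLD -> abcict authoritative).
Nothing here touches the network."""
from dataclasses import dataclass, field


@dataclass
class NameServer:
    zone: str                                        # zone this server is authoritative for
    records: dict = field(default_factory=dict)      # name -> IPv4 address (A records)
    delegations: dict = field(default_factory=dict)  # child zone -> id of the server serving it


# Constructed hierarchy; the server ids stand in for the servers' own addresses.
SERVERS = {
    "root":        NameServer(".", delegations={"org.": "org-tld"}),
    "org-tld":     NameServer("org.", delegations={"abcict.org.": "abcict-auth"}),
    "abcict-auth": NameServer("abcict.org.", records={
        "abcict.org.": "207.118.130.194",
        "www.abcict.org.": "208.118.130.194",
    }),
    # A constructed rogue net TLD server that hands out a delegation for abcict.org.
    "rogue-tld":   NameServer("net.", delegations={"abcict.org.": "rogue-auth"}),
    "rogue-auth":  NameServer("abcict.org.", records={"abcict.org.": "192.0.2.66"}),
}


def is_subdomain(name, zone):
    """True if name lies at or below zone (label-boundary aware; names end in '.')."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server_id, qname):
    """One query to one server. Returns ('answer', ip), ('referral', server_id)
    or ('nxdomain', None); a server only answers from its own zone data."""
    srv = SERVERS[server_id]
    if qname in srv.records:
        return "answer", srv.records[qname]
    for child_zone, child_server in srv.delegations.items():
        if is_subdomain(qname, child_zone):
            return "referral", child_server
    return "nxdomain", None


def resolve_iterative(qname, start="root", max_hops=8):
    """The client (or a local server acting for it) follows referrals itself.
    Each referral is checked to be in bailiwick: the server we are sent to must
    serve a zone inside the referring server's zone, otherwise any server could
    redirect us for names it has no authority over (the basis of poisoning a
    cache with bogus glue). Returns (ip_or_None, list of servers asked)."""
    trail, server = [], start
    for _ in range(max_hops):
        kind, data = query(server, qname)
        trail.append(server)
        if kind == "answer":
            return data, trail
        if kind == "nxdomain":
            return None, trail
        if not is_subdomain(SERVERS[data].zone, SERVERS[server].zone):
            raise ValueError(f"out-of-bailiwick referral: {server} ({SERVERS[server].zone}) "
                             f"-> {data} ({SERVERS[data].zone})")
        server = data
    raise RuntimeError("referral loop or hierarchy too deep")


class RecursiveServer:
    """A local server offering recursion: it does the iterative walk on the
    client's behalf and caches the result so later clients are answered locally."""

    def __init__(self):
        self.cache = {}

    def resolve(self, qname):
        """Returns (ip_or_None, source): source is 'cache' or the trail of servers asked."""
        if qname in self.cache:
            return self.cache[qname], "cache"
        ip, trail = resolve_iterative(qname)
        self.cache[qname] = ip          # a real server would also honour the record's TTL
        return ip, trail


if __name__ == "__main__":
    print(resolve_iterative("www.abcict.org."))
    local = RecursiveServer()
    print(local.resolve("abcict.org."), local.resolve("abcict.org."))
```

Resolving www.abcict.org. walks root, org-tld, abcict-auth in that order; the second call to the recursive server for the same name is served from its cache, and a lookup started at the rogue server is rejected because its referral points outside the net. zone.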
The Zone
What a server is responsible for, or has authority over, is called a zone.
If a server accepts responsibility for a domain and does not divide the domain into smaller domains, the domain and the zone refer to the same thing.
The server makes a database called a zone file and keeps all the information for every node under that domain.
If the server divides its domain into sub domains and delegates parts of its authority to other servers, domain and zone refer to different things.
The information about the nodes in the sub domains is stored in the servers at the lower levels, with the original server keeping some sort of reference to these lower level servers.
A server can also divide its domain and delegate responsibility but still keep part of the domain for itself.
In this case, its zone is made of detailed information for the part of the domain that is not delegated and references to those parts that are delegated.
The Zone
The figure shows one server which manages the ABC.ac.in domain; ict.ABC.ac.in, ibm.ABC.ac.in and ica.ABC.ac.in are therefore under the same zone.
Similarly presidentofindia.nic.in and vicepresidentofindia.nic.in are managed by NIC and come under the same zone.
NIC also manages some other government websites like dae.gov.in (Department of Atomic Energy) and cic.gov.in (Central Information Commission), which form a zone managed by a different server.
The Registration Process
The registration process is required for a company or institute to obtain a suitable domain name.
ICANN (Internet Corporation for Assigned Names and Numbers) makes sure that anybody who needs a domain name gets a unique one.
An organization that wants to act as a registrar must get accreditation from ICANN.
Registrars usually charge a fee for registering a name.
For government and educational institutes, special registrars are appointed. In India, NIC (National Informatics Centre) is the registrar for government organizations, and ERNET (Education and Research Network) acts as the registrar for educational institutes (either ac.in or edu.in).
For registering a domain name, the following steps are taken:
Choose a unique domain name under your choice of top level domain.
Pay a small fee for registering the chosen name to the registrar of your choice.
Register your domain name first, and then register (point records at) your web server and your mail server.
Registration involves running primary and backup name servers. For small organizations, ISPs rent out their own servers for this.
The web and mail servers also need to be installed and running.
Additionally, ISPs usually provide the extra service of registering your domain with search engines.
The Name Servers
The servers that host some part of the domain name hierarchy are known as name servers.
There are three different types of name servers:
Root servers
Top Level Domain (TLD) servers
Authoritative servers
Root name servers: contacted by a local name server that cannot resolve a name.
◦ A root server holds no host mappings itself; it returns a referral to the TLD servers for the name's top-level domain.
◦ The local name server then follows the referral down to the authoritative server and obtains the mapping.
Top-level domain (TLD) servers: responsible for com, org, net, edu, etc., and all top-level country domains such as uk, fr, ca, jp.
◦ Verisign (formerly Network Solutions) maintains the servers for the com TLD.
◦ Educause for the edu TLD.
Authoritative DNS servers: the organization's own DNS servers, providing authoritative hostname to IP mappings for the organization's servers (e.g., web, mail).
◦ Can be maintained by the organization or by a service provider.
Fig: Name servers. The ABC server can process queries for ABC.org as well as ABC.ac.in and also the domains below them. On the contrary, large domains like 'edu' and 'in' need more than one server to handle queries.
Resource Records
The DNS database is stored as resource records.
A resource record contains five fields describing each entry:
Domain name ◦ tells the domain (owner name) to which this record applies
Time to live ◦ gives an indication of how stable the record is: the number of seconds a cache may keep it
◦ commonly 60 to 86400 (one day)
Class ◦ which type of information; for the internet it is always IN
Type ◦ what kind of record this is
Value ◦ the value, whose format depends on the Type
Contd…
Resource records may be of many types. Some of the important ones are listed in the table below.

Type    Meaning                   Value
A       IPv4 address              32-bit value
AAAA    IPv6 address              128-bit value
CNAME   Canonical Name            the canonical (real) name of which the owner is an alias
PTR     Pointer                   a domain name; the owner is a reverse-address name under in-addr.arpa (IPv4) or ip6.arpa (IPv6)
NS      Name Server               name of a server for the zone
SOA     Start of Authority        primary server, administrator mailbox, serial number and timers for the zone
MX      Mail Exchanger            preference and mail server name
HINFO   Host Info                 optional CPU and OS description
SPF     Sender Policy Framework   identifies permitted mail senders (record type now deprecated in favour of TXT)
TXT     Text                      free-form text
DNSKEY  DNS Key                   public key of the zone
RRSIG   RR Signature              DNSSEC signature over a set of records
Contd…
The file described in the table below contains a few example resource records. A row with a blank Domain column has the same owner as the row above it.

Domain                          Time-to-live  Class  Type   Value
194.130.118.207.in-addr.arpa.   172800        IN     PTR    abcict.org.
ftp.abcict.org.                 172800        IN     CNAME  Vishwanath.abcict.org.
abcict.org.                     172800        IN     NS     ns2.webmastersindia.com.
abcict.org.                     172800        IN     NS     ns1.webmastersindia.com.
abcict.org.                     172800        IN     A      207.118.130.194
abcict.org.                     172800        IN     MX     10 mail.abcict.org.
                                172800        IN     MX     20 Vishwanath.abcict.org.
                                172800        IN     MX     30 Ponting.abcict.org.
mail.abcict.org.                172800        IN     A      207.118.130.194
www.abcict.org.                 172800        IN     CNAME  Ponting.abcict.org.
www.abcict.org.                 172800        IN     CNAME  abcict.org.
Ponting.abcict.org.             172800        IN     A      208.118.130.194
Ponting.abcict.org.             172800        IN     HINFO  "HP laptop" "RHEL 9"
Vishwanath.abcict.org.          172800        IN     A      209.118.130.194
                                172800        IN     HINFO  "HP I3"
laser.abcict.org.               172800        IN     A      210.118.130.194
                                172800        IN     HINFO  "The laser printer"
Table: The zone file of 'abcict'. The PTR record, written in the original with the address as 207.118.130.194/24, actually lives in the reverse zone under in-addr.arpa with the octets reversed. Note also that www.abcict.org. carries two CNAME records: a name that is an alias must have exactly one CNAME and no other data, so a real server would refuse to load this zone.
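Parsing the zone above and answering queries from it, as an added example that is not part of the original slides: the zone text is a constructed transcription of the table in master-file syntax (the PTR owner written in its in-addr.arpa form, HINFO strings quoted), the parser handles the blank-owner continuation rows, lookups follow CNAME aliases the way an authoritative server does, and a lint pass reports the two mistakes a loader rejects: a CNAME sharing its name with other data, and an NS or MX record pointing at an alias.

```python
"""Parse the abcict zone from the table into resource records, answer queries
from it (following CNAME aliases) and lint it for the mistakes that make real
servers refuse to load a zone. The input is a constructed transcription of
the table in master-file syntax."""
import shlex
from collections import defaultdict, namedtuple

RR = namedtuple("RR", "owner ttl rclass rtype rdata")

ZONE_TEXT = """\
; abcict zone, transcribed from the table (constructed input)
194.130.118.207.in-addr.arpa.  172800 IN PTR   abcict.org.
ftp.abcict.org.                172800 IN CNAME Vishwanath.abcict.org.
abcict.org.                    172800 IN NS    ns2.webmastersindia.com.
abcict.org.                    172800 IN NS    ns1.webmastersindia.com.
abcict.org.                    172800 IN A     207.118.130.194
abcict.org.                    172800 IN MX    10 mail.abcict.org.
                               172800 IN MX    20 Vishwanath.abcict.org.
                               172800 IN MX    30 Ponting.abcict.org.
mail.abcict.org.               172800 IN A     207.118.130.194
www.abcict.org.                172800 IN CNAME Ponting.abcict.org.
www.abcict.org.                172800 IN CNAME abcict.org.
Ponting.abcict.org.            172800 IN A     208.118.130.194
Ponting.abcict.org.            172800 IN HINFO "HP laptop" "RHEL 9"
Vishwanath.abcict.org.         172800 IN A     209.118.130.194
laser.abcict.org.              172800 IN A     210.118.130.194
"""


def parse_zone(text):
    """Master-file subset: 'owner ttl class type rdata...' per line, ';' comments,
    and a line that starts with whitespace inherits the previous owner (as the
    second and third MX rows do). Names are lower-cased: DNS is case-insensitive."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()     # a quoted ';' is not handled: not needed here
        if not line.strip():
            continue
        fields = shlex.split(line)               # keeps "HP laptop" as one rdata item
        if not raw[0].isspace():
            owner = fields.pop(0).lower()
        if owner is None:
            raise ValueError("first record has no owner name")
        ttl, rclass, rtype, *rdata = fields
        records.append(RR(owner, int(ttl), rclass.upper(), rtype.upper(), rdata))
    return records


def lookup(records, name, rtype, depth=0):
    """Answer a query the way an authoritative server does: return the rdata of
    matching records, or follow a CNAME at that name and retry (bounded depth)."""
    name = name.lower()
    hits = [rr.rdata for rr in records if rr.owner == name and rr.rtype == rtype]
    if hits or rtype == "CNAME":
        return hits
    alias = [rr for rr in records if rr.owner == name and rr.rtype == "CNAME"]
    if alias and depth < 8:                      # bound the chain: a CNAME loop must not hang the server
        return lookup(records, alias[0].rdata[0], rtype, depth + 1)
    return []


def lint_zone(records):
    """Checks a loader applies: a CNAME owner may carry no other data (RFC 1034),
    and NS/MX targets must not be aliases (RFC 2181). Returns a list of findings."""
    findings, by_owner = [], defaultdict(list)
    for rr in records:
        by_owner[rr.owner].append(rr)
    for owner, rrs in by_owner.items():
        types = sorted(rr.rtype for rr in rrs)
        if "CNAME" in types and len(rrs) > 1:
            findings.append(f"{owner}: CNAME must be the only record at this name (found {', '.join(types)})")
    aliases = {rr.owner for rr in records if rr.rtype == "CNAME"}
    for rr in records:
        if rr.rtype in ("MX", "NS") and rr.rdata[-1].lower() in aliases:
            findings.append(f"{rr.owner}: {rr.rtype} target {rr.rdata[-1]} is a CNAME")
    return findings


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(lookup(zone, "ftp.abcict.org.", "A"))   # follows the alias to Vishwanath's address
    print(lint_zone(zone))
```

A query for the A record of ftp.abcict.org. is answered with Vishwanath's address after following the alias, the MX query returns the three exchangers with their preferences, and the only lint finding is the doubled CNAME at www.abcict.org.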
Dynamic DNS
DDNS is a system which allows a domain name's records to be updated in real time instead of within a few days.
The most common use for this is allowing a domain name to be assigned to a computer with a varying IP address.
This makes it possible for other sites on the Internet to establish connections to the machine without needing to track the IP address themselves.
Why Use DDNS?
Make your server accessible on the Internet even though it has a dynamic IP address.
Make your domain name point to your PC even though its IP address changes.
Run your own servers at home: web, e-mail, FTP.
How Does DDNS Work?
Sign up for a DDNS account.
Enter your DDNS registration information in your router, or use DDNS client software.
Set up your router and web service to use the DDNS configuration.
The update path itself must be authenticated (the DDNS account credentials, or TSIG keys for RFC 2136 dynamic updates); an update service that accepts unauthenticated updates lets anyone repoint your name.
DNSSEC Mechanisms
New Resource Records
Setting Up a Secure Zone
Delegating Signing Authority
Data flow through the DNS
Fig: Registrars and registrants supply zone data to the registry; the registry's data is loaded on the primary DNS server and copied to the secondary DNS servers.
Where are the vulnerable points? Server vulnerability (the machines holding the zone), man in the middle on the path between the primary and the secondaries, and spoofing and man in the middle of the answers the servers give out.
What does DNSSEC provide
Provides message authentication and integrity verification through cryptographic signatures.
◦ You know who provided the signature.
◦ No modifications between signing and validation.
It does not provide authorization.
It does not provide confidentiality: queries and answers are still sent in the clear.
It does not provide protection against DDoS; the larger signed responses can even amplify one.
It only helps where the zone is signed and the resolver validates; a non-validating resolver gains nothing from a signed zone.
WWW Background
1989-1990: Tim Berners-Lee invents the World Wide Web at CERN.
◦ A means for transferring text and graphics simultaneously.
◦ Client/server data transfer protocol: communication via an application level protocol; the system ran on top of the standard networking infrastructure.
◦ Text markup language: markup itself (SGML) was not invented by Berners-Lee; it is simple and easy to use, and requires a client application to render text and graphics.
WWW Components
Structural Components
◦ Clients/browsers: two dominant implementations
◦ Servers: run on sophisticated hardware
◦ Caches: many interesting implementations
◦ Internet: the global infrastructure which facilitates data transfer
Semantic Components
◦ Hyper Text Transfer Protocol (HTTP)
◦ Hyper Text Markup Language (HTML), eXtensible Markup Language (XML)
◦ Uniform Resource Identifiers (URIs)
WWW Structure
Clients use a browser application to send URIs via HTTP to servers, requesting a Web page.
Web pages are constructed using HTML (or another markup language) and consist of text, graphics, sounds plus embedded files.
Servers (or caches) respond with the requested Web page
◦ or with an error message.
The client's browser renders the Web page returned by the server
◦ the page is written using Hyper Text Markup Language (HTML)
◦ displaying text, graphics and sound in the browser
◦ and possibly writing data on the client as well (cookies).
The entire system runs over standard networking protocols (TCP/IP, DNS, …).
HTTP Request and its Response
Fig: A web browser asks a search engine: "I want to search for Bill Gates on Google". The request goes to Google, where a servlet handles it, and the search engine replies: "Your results…".
Client Request Data
When a user submits a browser request to a web server, it sends two categories of data:
◦ Form Data: data that the user explicitly typed into an HTML form. For example: registration information.
◦ HTTP Request Header Data: data that is automatically appended to the HTTP request by the client. For example: cookies, browser type, etc.
Both categories are client-controlled input and must be validated by the server; header data is no more trustworthy than form data, since any client can send arbitrary headers.
Uniform Resource Identifiers
Web resources need names/identifiers: Uniform Resource Identifiers (URIs).
◦ A resource can reside anywhere on the Internet.
URIs are a somewhat abstract notion.
◦ A pointer to a resource to which request methods can be applied to generate potentially different responses; a request method is e.g. fetching or changing the object.
Instance: http://www.foo.com/index.html
◦ scheme (protocol), server, resource (path)
The most popular form of a URI is the Uniform Resource Locator (URL).
◦ The differences between URI and URL are beyond scope.
◦ RFC 2396 (since replaced by RFC 3986).
HTTP Basics
Protocol for client/server communication
◦ The heart of the Web
◦ Very simple request/response protocol: the client sends a request message, the server replies with a response message
◦ Stateless
◦ Relies on the URI naming mechanism
Three versions have been used:
◦ 0.9/1.0: very close to Berners-Lee's original; RFC 1945 (informational)
◦ 1.1: developed to enhance performance, caching and compression; RFC 2068, later revised by RFC 2616 and the RFC 7230 series
◦ 1.1 is now dominant; 1.0 is still seen from simple clients and scripts
HTTP Request Messages
GET: retrieve the document specified by the URL
PUT: store the specified document under the given URL
HEAD: retrieve information (headers only) about the document specified by the URL
OPTIONS: retrieve information about the available options
POST: submit data (e.g. form contents or an annotation) to the server
DELETE: remove the document specified by the URL
TRACE: loopback request message (the server echoes the request back)
CONNECT: ask a proxy to open a tunnel to the named host and port (used for HTTPS through proxies)
A server that enables PUT or DELETE without authentication lets any client write to or remove its content, and TRACE is routinely disabled because it echoes the request headers, cookies included, back to the caller.
HTTP Request Format
First type of HTTP message: requests
◦ Client browsers construct and send the message
Typical HTTP request:
◦ GET http://www.cs.wisc.edu/index.html HTTP/1.0
(the absolute URI form shown is what a client sends to a proxy; to the origin server it sends GET /index.html HTTP/1.0 with the host name in a Host header)
request-line (request-method request-URI HTTP-version)
headers (0 or more)
<blank line>
body (optional; present for POST and PUT requests)
HTTP Response Format
Second type of HTTP message: response
◦ Web servers construct and send response messages
Typical HTTP response:
◦ HTTP/1.0 301 Moved Permanently
Location: http://www.wisc.edu/cs/index.html
shanti verma 47
status-line (HTTP-version response-code
response-phrase)
headers (0 or more)
<blank line>
body
8/13/2014
HTTP Response Codes
1xx – Informational – request received, processing continues
2xx – Success – action received, understood, accepted
3xx – Redirection – further action necessary to complete the request
4xx – Client Error – bad syntax or request cannot be fulfilled
5xx – Server Error – server failed to fulfil a valid request
HTTP Headers
Both requests and responses can contain a variable number of header fields
◦ Each consists of a field name, a colon, a space and the field value
◦ HTTP/1.0 defined about 17 headers, divided into general, request, response and entity (body) categories; HTTP/1.1 added many more
Example: Date: Fri, 27 Apr 2001 13:30:01 GMT
Example: Content-Length: 3001
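The request and response formats, status-code classes and header syntax described above, as an added example that is not part of the original slides: a small parser that splits a raw message into start line, headers and body, lower-cases header names (they are case-insensitive), enforces Content-Length and refuses messages with conflicting Content-Length values, since disagreement about where a body ends is exactly what request-smuggling attacks exploit. The two messages are constructed from the page's own examples; the Content-Length header, the body and the User-Agent value were added to exercise body handling.

```python
"""Parse HTTP/1.0-style request and response messages of the shape shown on the
slides (start line, headers, blank line, body) and classify status codes."""

# Constructed from the page's example request; the Host and User-Agent lines are added.
RAW_REQUEST = (
    b"GET http://www.cs.wisc.edu/index.html HTTP/1.0\r\n"
    b"Host: www.cs.wisc.edu\r\n"
    b"User-Agent: example-client/0.1\r\n"
    b"\r\n"
)

# Constructed from the page's example response; Content-Length and the body are added.
RAW_RESPONSE = (
    b"HTTP/1.0 301 Moved Permanently\r\n"
    b"Location: http://www.wisc.edu/cs/index.html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"moved"
)

STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


def parse_message(raw):
    """Split a message into (start_line, headers, body). Header names are lower-cased.
    Malformed header lines and conflicting Content-Length values are rejected rather
    than guessed at: two parsers guessing differently is what smuggling relies on."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no blank line after the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip() or " " in name:
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.lower(), value.strip()
        if key == "content-length":
            if not value.isdigit() or (key in headers and headers[key] != value):
                raise ValueError("non-numeric or conflicting Content-Length")
        headers[key] = value
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError(f"body is {len(body)} bytes, Content-Length says {n}")
        body = body[:n]                          # bytes beyond n are not part of this message
    return lines[0], headers, body


def parse_request(raw):
    start, headers, body = parse_message(raw)
    method, uri, version = start.split(" ")      # exactly three tokens in a request-line
    if not version.startswith("HTTP/"):
        raise ValueError(f"bad request-line: {start!r}")
    return {"method": method, "uri": uri, "version": version, "headers": headers, "body": body}


def parse_response(raw):
    start, headers, body = parse_message(raw)
    version, code, phrase = start.split(" ", 2)  # the phrase may itself contain spaces
    if not (version.startswith("HTTP/") and len(code) == 3 and code.isdigit()):
        raise ValueError(f"bad status-line: {start!r}")
    return {"version": version, "code": int(code), "phrase": phrase, "headers": headers, "body": body}


def status_class(code):
    """Map a three-digit status code to its class (1xx Informational ... 5xx Server Error)."""
    return STATUS_CLASSES.get(code // 100, "Unknown")


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["method"], req["uri"], req["headers"]["host"])
    resp = parse_response(RAW_RESPONSE)
    print(resp["code"], status_class(resp["code"]), resp["headers"]["location"], resp["body"])
```

The request parses to method GET with the absolute URI and a host header; the response parses to code 301 (class Redirection) with its Location header and a five-byte body, and a request carrying two different Content-Length headers is rejected.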
HTTP/1.0 Network Interaction
Clients make requests to port 80 on servers
◦ DNS is used to resolve the server name
Clients make a separate TCP connection for each URL
◦ Some browsers open multiple TCP connections in parallel (Netscape default = 4)
Server returns the HTML page
◦ Many types of servers with a variety of implementations
◦ Apache is the most widely used, freely available in source form
Client parses the page
◦ and requests the embedded objects
HTTP/1.1 Performance Enhancements
HTTP/1.0 is a "stop and wait" protocol
◦ Separate TCP connection for each file: connection setup and tear-down is incurred for each file
◦ Inefficient use of packets
◦ Server must maintain many connections in TIME_WAIT
This resulted in the HTTP/1.1 specification focused on performance enhancements:
◦ Persistent connections
◦ Pipelining
◦ Enhanced caching options
◦ Support for compression
Persistent Connections and Pipelining
Persistent connections
◦ Use the same TCP connection(s) for the transfer of multiple files
◦ Reduces packet traffic significantly
◦ May or may not increase performance from the client's perspective; load on the server increases because connections stay open
Pipelining
◦ Send several requests on a persistent connection without waiting for each response; the server answers them in order
◦ Requires length field(s) within the headers (Content-Length, or chunked encoding) so that one response can be told apart from the next
◦ May or may not reduce packet traffic or increase performance; page structure is critical
Fig: Persistent connection.
HTML Basics
Hyper-Text Markup Language
◦ An application of Standardized General Markup Language (SGML)
◦ Facilitates a hyper-media environment: embedded links to other documents and applications
Documents use elements to "mark up" or identify sections of text for different purposes or display characteristics
Markup elements are not seen by the user when the page is displayed
Documents are rendered by browsers
NOTE: Not all documents on the Web are HTML!
Most people use WYSIWYG editors (e.g. MS Word) to generate HTML
HTML Example
<HTML>
<HEAD>
<TITLE>PB's HomePage</TITLE>
</HEAD>
<BODY>
<CENTER><IMG SRC="bad_picture.gif" ALT=""><BR></CENTER>
<P><CENTER><H1>UW Computer Science Department</H1></CENTER>
Welcome to my goofy HomePage!
…
<A HREF="http://www.cs.wisc.edu/~pb/mydogs_page.html">Spot's Page</A>
</BODY>
</HTML>
Fig: The structure of request and response.
Fig: Components of request and response.
Fig: Complete request structure.
Fig: Complete response structure.
Cookies & Sessions
Cookies
◦ Cookies are a mechanism for storing data in the remote browser and thus tracking or identifying returning users.
Sessions
◦ Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.
What is a Cookie?
A cookie is a small piece of data that the server asks the user's browser to store. Each time the same browser requests a page from that site, it sends the cookie along with the request. With PHP, you can both create and retrieve cookie values.
Because the cookie is stored and sent back by the client, the server must treat its value as untrusted input; anything the server needs to rely on should be a random session identifier looked up server-side, not the data itself.
Fig: The role of cookies.
How to Create a Cookie
The setcookie() function is used to create cookies. Note: setcookie() sends an HTTP header, so it must be called before any output is sent, i.e. before the <html> tag.
setcookie(name, [value], [expire], [path], [domain], [secure], [httponly]);
This sets a cookie named "uname" that expires after ten hours. The secure flag restricts the cookie to HTTPS and httponly keeps it out of reach of JavaScript:
<?php
// expire = now + 36000 s (ten hours); path "/"; secure = true; httponly = true
setcookie("uname", $name, time()+36000, "/", "", true, true);
?>
<html> <body> …
How to Retrieve a Cookie Value
To access a cookie, read it from the $_COOKIE array (the old register_globals behaviour that exposed it as a plain variable is disabled and has been removed from modern PHP).
Tip: Use the isset() function to find out if a cookie has been set.
<html> <body>
<?php
if (isset($_COOKIE["uname"]))
    // escape before echoing: the cookie value is client-supplied
    echo "Welcome " . htmlspecialchars($_COOKIE["uname"]) . "!<br />";
else
    echo "You are not logged in!<br />";
?>
</body> </html>
How to Delete a Cookie
Either it expires, or:
Cookies must be deleted with the same parameters as they were set with. If the value argument is an empty string (""), and all other arguments match a previous call to setcookie, then the cookie with the specified name will be deleted from the remote client. Setting an expiry time in the past, e.g. time()-3600, has the same effect.
What is a Session?
Session support allows you to register an arbitrary number of variables to be preserved across requests.
A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or propagated in the URL. Propagating it in the URL is risky, since the id then leaks through Referer headers, logs and bookmarks; the cookie is the usual choice.
How to Create a Session
The session_start() function starts a new session or resumes an existing one; it sends the session cookie if the client does not have one yet.
<?php
session_start();
?>
How to Retrieve a Session Value
Session variables are read and written through the $_SESSION array after session_start(). (The old session_register('var1','var2',...) call is deprecated and was removed in PHP 5.4; assigning to $_SESSION registers the variable.)
Use it:
<?php
session_start();
if (!isset($_SESSION['count']))
    $_SESSION['count'] = 0;   // first visit in this session
else
    $_SESSION['count']++;     // the counter survives across requests
?>
How to Delete a Session Value
unset($_SESSION['varname']);   // session_unregister() was removed along with session_register()
How to destroy a session:
session_destroy();
After a successful login, call session_regenerate_id(true) so that an id an attacker planted before authentication (session fixation) is not carried over into the authenticated session.
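The cookie and session mechanics above, as an added example that is not part of the original slides and written in Python rather than the page's PHP: a Set-Cookie builder that sets the attributes a practitioner expects (Secure, HttpOnly, SameSite), deletion done the way the notes describe (same name, path and domain, empty value, expiry in the past), and a server-side session table keyed by a random 256-bit id, driven by a request handler that reproduces the page-view counter. The cookie name PHPSESSID, the handler and the clock injection are this example's own choices; the requests are constructed.

```python
"""Server side of cookies and sessions: Set-Cookie headers with safe attributes,
cookie deletion, and session data kept server-side under an unguessable id."""
import secrets
import time
from http.cookies import SimpleCookie


def set_cookie_header(name, value, max_age=None, path="/", domain=None,
                      secure=True, httponly=True, samesite="Lax"):
    """Return the value of a Set-Cookie header. Secure keeps the cookie off plain
    HTTP, HttpOnly keeps it away from scripts, SameSite limits cross-site sending."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if domain:
        jar[name]["domain"] = domain
    if max_age is not None:
        jar[name]["max-age"] = max_age
    if secure:
        jar[name]["secure"] = True
    if httponly:
        jar[name]["httponly"] = True
    if samesite:
        jar[name]["samesite"] = samesite
    return jar[name].OutputString()


def delete_cookie_header(name, path="/", domain=None):
    """Deleting = re-sending the cookie with the same name/path/domain, an empty
    value and an expiry in the past (Max-Age=0), as the PHP notes describe."""
    return set_cookie_header(name, "", max_age=0, path=path, domain=domain)


class SessionStore:
    """In-memory session table: id -> variables. The id is 256 random bits, so a
    client cannot forge or guess another user's session; sessions expire after ttl."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}
        self.ttl = ttl_seconds
        self.clock = clock                      # injectable so expiry can be tested

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"created": self.clock(), "vars": {}}
        return sid

    def get(self, sid):
        """Return the session's variables, or None if the id is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None or self.clock() - entry["created"] > self.ttl:
            self._sessions.pop(sid, None)
            return None
        return entry["vars"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def handle_request(store, cookie_header):
    """The page-view counter from the PHP example, server side. Reads PHPSESSID
    from the request's Cookie header; a missing, forged or expired id gets a
    fresh session. Returns (count, session_id, set_cookie_header_or_None)."""
    jar = SimpleCookie(cookie_header or "")
    sid = jar["PHPSESSID"].value if "PHPSESSID" in jar else None
    session = store.get(sid) if sid else None
    set_cookie = None
    if session is None:
        sid = store.create()
        session = store.get(sid)
        set_cookie = set_cookie_header("PHPSESSID", sid)
    session["count"] = session.get("count", 0) + 1
    return session["count"], sid, set_cookie


if __name__ == "__main__":
    store = SessionStore()
    count, sid, hdr = handle_request(store, None)          # first visit: cookie issued
    print(count, hdr)
    print(handle_request(store, f"PHPSESSID={sid}"))       # second visit: counter is 2
    print(delete_cookie_header("uname"))
```

The first request gets a Set-Cookie header and a count of 1, a second request presenting that id gets 2 with no new cookie, a request presenting a forged id is silently given a fresh session, and a session whose ttl has passed is dropped on the next lookup.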
Proxy Servers
Part of an overall firewall strategy
Sits between the local network and the external network
◦ Originally used primarily as a caching strategy to minimize outgoing URL requests and increase perceived browser performance
◦ Primary mission is now to ensure anonymity of internal users
Still used for caching of frequently requested files
Also used for content filtering
Acts as a go-between, submitting your requests to the external network
◦ Requests are translated from your IP address to the proxy's IP address
◦ Identifying headers such as the From: header, which carries the e-mail address of the internal user, are removed from requests; a proxy configured to add X-Forwarded-For would leak the internal address again
◦ Causes an actual break in the flow of communications
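The rewriting a forwarding proxy does before passing a request on, as an added example that is not part of the original slides: the absolute URI the client sent to the proxy becomes an origin-form request line with a Host header, hop-by-hop headers (and any extra ones the client's Connection header names) are dropped, the identifying From: header is stripped, the proxy announces itself with Via, and the internal client address is not forwarded unless explicitly asked for. Header names are assumed to be already lower-cased by the proxy's parser; the client request, the proxy name and the addresses are constructed.

```python
"""What a forwarding proxy does to a client's request before sending it upstream:
origin-form request line, hop-by-hop and identifying headers removed, Via added."""
from urllib.parse import urlsplit

# Hop-by-hop headers (RFC 7230 section 6.1) belong to the client-proxy leg only.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade", "proxy-connection"}
# Headers that identify the internal user; From: carries an e-mail address.
IDENTIFYING = {"from"}


def rewrite_for_upstream(method, absolute_uri, version, headers,
                         proxy_name="proxy.example", client_ip=None, forward_client_ip=False):
    """Return (request_line, headers) to send to the origin server."""
    parts = urlsplit(absolute_uri)
    if parts.scheme != "http" or not parts.netloc:
        raise ValueError("a proxy request must carry an absolute http:// URI")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # Connection: may name further headers that are hop-by-hop for this connection.
    drop = HOP_BY_HOP | IDENTIFYING
    drop |= {h.strip().lower() for h in headers.get("connection", "").split(",") if h.strip()}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    out["host"] = parts.netloc                  # the origin server needs the host we were asked for
    via = f"{version.split('/', 1)[1]} {proxy_name}"
    out["via"] = f"{out['via']}, {via}" if "via" in out else via
    if forward_client_ip and client_ip:         # off by default: it undoes the anonymity
        out["x-forwarded-for"] = client_ip
    return f"{method} {path} {version}", out


# Constructed client request, as the proxy's parser would have produced it.
CLIENT_HEADERS = {
    "host": "www.cs.wisc.edu",
    "user-agent": "example-client/0.1",
    "from": "tana@internal.example",
    "connection": "keep-alive, x-internal-tag",
    "x-internal-tag": "workstation-17",
    "proxy-authorization": "Basic dXNlcjpwYXNz",
    "accept": "text/html",
}

if __name__ == "__main__":
    line, hdrs = rewrite_for_upstream("GET", "http://www.cs.wisc.edu/index.html?q=1", "HTTP/1.0",
                                      CLIENT_HEADERS, client_ip="10.0.0.17")
    print(line)
    for k, v in hdrs.items():
        print(f"{k}: {v}")
```

For the constructed request the upstream sees GET /index.html?q=1 HTTP/1.0 with only Host, User-Agent, Accept and Via; the From, Connection, Proxy-Authorization and the connection-scoped X-Internal-Tag headers are gone, and nothing reveals 10.0.0.17 unless forward_client_ip is set.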
TCP Connection Termination
Both the outgoing and incoming TCP connections are terminated at the proxy
This prevents a hacker from hijacking a stale connection on a service that is being proxied
Example: an HTTP page request
Fig: User ↔ Proxy Server ↔ Server. The user sends a request packet to the proxy; the proxy sends its own request packet' to the server; the server's response packet' comes back to the proxy, which sends a response packet to the user.
On the user side the connection is left open until the proxy closes it after receiving the response packet and sending it back to the user. On the server side the connection is only left open until the server closes it after sending the response packet.
Performance Aspects
Caching
◦ By keeping local copies of frequently accessed files the proxy can serve those files back to a requesting browser without going to the external site each time; this dramatically improves the performance seen by the end user
◦ Only makes sense to implement this at the ISP rather than at the small business level, because of the number of pages available
◦ Because of dynamic content, many pages are invalidated in the cache right away
Load balancing
◦ A proxy can be used in the reverse direction to balance the load amongst a set of identical servers (servers inside the firewall and users outside)
◦ Used especially with dynamic web content (.asp, .php, .cfm, .jsp)
Proxy Liabilities
Single point of failure
◦ if the proxy dies, no one can get to the external network
Client software must usually be designed to use a proxy
Proxies must exist for each service
Doesn't protect the OS
◦ proxies run at the application level
Usually optimized for performance rather than security
◦ WINGATE was installed to be easy to configure; it opened a winsock proxy on the external interface, which let hackers essentially hijack the machine (an open proxy: bind the proxy to the internal interface only and require authentication)
Creates a service bottleneck
◦ solved via parallelism (more proxies, and load balancing)
Architecture - Overview
This proxy is designed according to the client/server programming model. It consists of six modules:
• Manager - a configuration module.
• Syntaxer - responsible for HTTP support: generation, parsing and modification of HTTP messages.
• Server - a module that interacts with proxy clients.
• Mediator - an interface layer between Server and Client.
• Client - accepts requests from Mediator and executes them.
• Cache - a part of Mediator that keeps copies of received data.
Architecture – Data flow diagram
Fig: PROXY. The user's request enters the Server module, passes to the Mediator module (which consults the Cache module), then to the Client module, which sends the request to the remote host; the response travels back along the same path.
Fig: How the proxy works.
Dynamic Web
What is Bluetooth?
A cable-replacement technology that can be used to connect almost any device to any other device
A radio interface enabling electronic devices to communicate wirelessly via short range (about 10 meters) ad-hoc radio connections
A standard for a small, cheap radio chip to be plugged into computers, printers, mobile phones, etc.
Uses the 2.4 GHz ISM radio band (around 2.45 GHz)
Theoretical maximum bandwidth is 1 Mb/s (basic rate)
Several Bluetooth devices can form an ad hoc network called a "piconet"
◦ In a piconet one device acts as the master (sets the frequency hopping behaviour) and the others as slaves
◦ Example: a conference room with many laptops wishing to communicate with each other
History
Harald Bluetooth: 10th century Danish King, managed to unite Denmark and Norway
Bluetooth SIG (Special Interest Group):
◦ Founded in 1998 by Ericsson, Intel, IBM, Toshiba and Nokia
◦ Currently more than 2500 adopter companies
◦ Created in order to promote, shape and define the specification and position Bluetooth in the market place
Specification referred to in these notes: Bluetooth 2.1
Bluetooth Architecture
Piconet
◦ Each piconet has one master and up to 7 simultaneously active slaves
Master: device that initiates a data exchange
Slave: device that responds to the master
Scatternet
◦ Linking of multiple piconets through the master or slave devices
◦ Bluetooth devices have point-to-multipoint capability to engage in scatternet communication
Piconet
All devices in a piconet hop together
◦ Master gives slaves its clock and device ID
Non-piconet devices are in standby
(Diagram: one piconet with its master, active slaves and parked devices, surrounded by standby devices. Legend: M=Master, S=Slave, P=Parked, SB=Standby)
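Why the master hands each slave its clock and device ID, as an added example (not code from the deck): every member derives the current channel from exactly those two values, so a device that holds both stays on the master's hop sequence, and a device whose clock drifts falls off it. The channel function below is a hash stand-in written for this page, not the Bluetooth hop selection kernel; the addresses are constructed and the seven-active-slave limit comes from the slides.

```python
# Added example: toy model of how a piconet keeps its members on the same
# channel. Not code from the deck; hop_channel() is a hash stand-in, not the
# Bluetooth hop selection kernel, and the addresses below are constructed.
import hashlib
from typing import List, Optional

NUM_CHANNELS = 79        # 79 one-MHz channels in the 2.4 GHz band
MAX_ACTIVE_SLAVES = 7    # one master and up to 7 simultaneous slaves


def hop_channel(master_addr: int, master_clock: int) -> int:
    """Channel for one clock tick, a function of the master's device ID and
    clock only, so anyone holding both values lands on the same channel."""
    digest = hashlib.sha256(f"{master_addr:012x}:{master_clock}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % NUM_CHANNELS


class Slave:
    def __init__(self, addr: int) -> None:
        self.addr = addr
        self.master_addr: Optional[int] = None   # learned at join
        self.clock_at_join: int = 0              # master's clock handed over at join
        self.ticks_since_join: int = 0           # local counter since then

    def estimated_master_clock(self) -> int:
        return self.clock_at_join + self.ticks_since_join

    def channel(self) -> int:
        return hop_channel(self.master_addr, self.estimated_master_clock())


class Piconet:
    def __init__(self, master_addr: int, clock: int = 0) -> None:
        self.master_addr = master_addr
        self.clock = clock
        self.members: List[Slave] = []   # every joined device, active or parked
        self.active: List[int] = []
        self.parked: List[int] = []

    def join(self, slave: Slave) -> str:
        """Master hands the slave its clock and device ID. Beyond seven active
        slaves a device is parked: it keeps following the hop but has no active slot."""
        slave.master_addr = self.master_addr
        slave.clock_at_join = self.clock
        slave.ticks_since_join = 0
        self.members.append(slave)
        if len(self.active) < MAX_ACTIVE_SLAVES:
            self.active.append(slave.addr)
            return "active"
        self.parked.append(slave.addr)
        return "parked"

    def tick(self, n: int = 1) -> None:
        """Advance the master clock; every member counts the same ticks locally."""
        self.clock += n
        for s in self.members:
            s.ticks_since_join += n

    def master_channel(self) -> int:
        return hop_channel(self.master_addr, self.clock)

    def in_sync(self, slave: Slave) -> bool:
        return slave.estimated_master_clock() == self.clock


def synced_members_agree(net: Piconet) -> bool:
    """True when every member whose clock estimate is right is on the master's channel."""
    return all(s.channel() == net.master_channel() for s in net.members if net.in_sync(s))


def demo():
    net = Piconet(master_addr=0x001122334455, clock=1000)   # constructed address
    slaves = [Slave(0x0000000000A0 + i) for i in range(9)]
    roles = [net.join(s) for s in slaves]                   # 7 active, 2 parked
    net.tick(37)
    slaves[3].ticks_since_join += 2     # clock drift: this slave has lost the master's clock
    return roles, [net.in_sync(s) for s in slaves], synced_members_agree(net)
```

Nine devices join: the first seven become active slaves and the last two are parked, all of them follow the master's channel after 37 ticks, and the one slave whose counter drifted is the only member no longer in sync.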
Scatternet
Devices can be slave in one piconet and master of another
(Diagram: two piconets linked through a shared device. Legend: M=Master, S=Slave, P=Parked, SB=Standby)
Physical links
Between master and slave(s), different types of links can be established. Two link types have been defined:
◦ Synchronous Connection-Oriented (SCO) link
◦ Asynchronous Connection-Less (ACL) link
Physical links
Synchronous Connection Oriented (SCO)
◦ Supports symmetrical, circuit-switched, point-to-point connections
◦ Typically used for voice traffic.
◦ Data rate is 64 kbit/s.
Asynchronous Connection-Less (ACL)
◦ Supports symmetrical and asymmetrical, packet-switched, point-to-multipoint connections.
◦ Typically used for data transmission.
◦ Up to 433.9 kbit/s in symmetric or 723.2/57.6 kbit/s in asymmetric
Bluetooth Protocol Stack
(Stack diagram, bottom to top: Bluetooth Radio, Baseband, LMP, L2CAP (with Audio alongside), then RFCOMM, PPP, IP, UDP/TCP, WAP, WAE, OBEX, vCard/vCal, AT-Commands, TCS BIN and SDP; the Host Controller Interface (HCI) is shown as its own layer. Legend: Bluetooth Core Protocol, Cable Replacement Protocol, Telephony Protocol, Adopted Protocol.)
Bluetooth Protocol Stack
Bluetooth Radio: specifies details of the air interface, including frequency, frequency hopping, modulation scheme, and transmission power.
Baseband: concerned with connection establishment within a piconet, addressing, packet format, timing and power control.
Link manager protocol (LMP): establishes the link setup between Bluetooth devices and manages ongoing links, including security aspects (e.g. authentication and encryption), and control and negotiation of baseband packet size.
Bluetooth Protocol Stack
Logical link control and adaptation protocol (L2CAP): adapts upper layer protocols to the baseband layer. Provides both connectionless and connection-oriented services.
Service discovery protocol (SDP): handles device information, services, and queries for service characteristics between two or more Bluetooth devices.
Host Controller Interface (HCI): provides an interface method for accessing the Bluetooth hardware capabilities. It contains a command interface, which acts between the Baseband controller and link manager.
Bluetooth Protocol Stack
TCS BIN (Telephony Control Service): bit-oriented protocol that defines the call control signaling for the establishment of voice and data calls between Bluetooth devices.
OBEX (OBject EXchange): Session-layer protocol for the exchange of objects, providing a model for object and operation representation.
RFCOMM: a reliable transport protocol, which provides emulation of RS232 serial ports over the L2CAP protocol.
WAE/WAP: Bluetooth incorporates the wireless application environment and the wireless application protocol into its architecture.
Connection Establishment States
Standby
◦ State in which the Bluetooth device is inactive and the radio is not switched on, enabling low-power operation.
Page
◦ Master enters the page state and starts transmitting paging messages to the Slave using earlier gained access code and timing information.
Page Scan
◦ Device periodically enters the page scan state to allow paging devices to establish connections.
Connection Establishment States
Inquiry
◦ State in which device tries to discover all Bluetooth enabled devices in the close vicinity.
Inquiry scan
◦ Most devices periodically enter the inquiry scan state to make themselves available to inquiring devices.
Inquiry and Page
(Diagram: master and slave state sequences with the packets exchanged.
Master: Standby → Inquiry → Page → Master response → Connection.
Slave: Standby → Inquiry scan → Inquiry response → Page scan → Slave response → Connection.
Packets shown: (1) ID packet (Broadcast), (2) FHS packet, (4) ID packet, (6) ID packet, (7) ID packet.)
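The inquiry and page exchange above, run as two small state machines, as an added example that is not part of the original deck. It follows the states named on the slide (inquiry, inquiry scan, page, page scan, slave response, master response, connection); the packet contents, the steps the slide does not number and the device addresses are assumptions made for this example, not taken from the specification text on the page.

```python
# Added example: simulation of the inquiry and page procedure shown on the
# slide, as two small state machines exchanging ID and FHS packets. Not code
# from the deck; packet contents and the steps the slide does not number are
# assumed, and the addresses are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    kind: str                  # "ID" (access code only) or "FHS" (address + clock)
    src: int
    dst: Optional[int]         # None = broadcast
    clock: Optional[int] = None


class Slave:
    def __init__(self, addr: int, clock: int) -> None:
        self.addr, self.clock = addr, clock
        self.state = "standby"
        self.master_addr: Optional[int] = None

    def inquiry_scan(self) -> None:
        self.state = "inquiry scan"        # make ourselves discoverable

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if self.state == "inquiry scan" and pkt.kind == "ID" and pkt.dst is None:
            # inquiry response: FHS carries our address and clock; then wait to be paged
            self.state = "page scan"
            return Packet("FHS", self.addr, pkt.src, self.clock)
        if self.state == "page scan" and pkt.kind == "ID" and pkt.dst == self.addr:
            self.state = "slave response"
            return Packet("ID", self.addr, pkt.src)
        if self.state == "slave response" and pkt.kind == "FHS" and pkt.dst == self.addr:
            self.master_addr, self.clock = pkt.src, pkt.clock   # adopt the master's clock
            self.state = "connection"
            return Packet("ID", self.addr, pkt.src)
        return None   # anything else is ignored in the current state


class Master:
    def __init__(self, addr: int, clock: int) -> None:
        self.addr, self.clock = addr, clock
        self.state = "standby"
        self.found: Dict[int, int] = {}    # slave address -> clock learned from its FHS
        self.target: Optional[int] = None

    def inquiry(self) -> Packet:
        self.state = "inquiry"
        return Packet("ID", self.addr, None)        # (1) ID packet, broadcast

    def page(self, target: int) -> Packet:
        self.state, self.target = "page", target
        return Packet("ID", self.addr, target)      # page using the learned access code

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if self.state == "inquiry" and pkt.kind == "FHS":
            self.found[pkt.src] = pkt.clock         # (2) FHS packet from a scanning device
            return None
        if self.state == "page" and pkt.kind == "ID" and pkt.src == self.target:
            self.state = "master response"
            return Packet("FHS", self.addr, self.target, self.clock)   # hand over our clock
        if self.state == "master response" and pkt.kind == "ID" and pkt.src == self.target:
            self.state = "connection"
            return None
        return None


def establish(master: Master, slaves: List[Slave]) -> List[Tuple[str, int, Optional[int]]]:
    """Deliver packets until nothing is left to send; returns the packet trace."""
    trace: List[Tuple[str, int, Optional[int]]] = []
    pending = [master.inquiry()]
    while pending:
        pkt = pending.pop(0)
        trace.append((pkt.kind, pkt.src, pkt.dst))
        if pkt.src == master.addr:
            for s in slaves:
                if pkt.dst is None or pkt.dst == s.addr:
                    reply = s.receive(pkt)
                    if reply is not None:
                        pending.append(reply)
        else:
            reply = master.receive(pkt)
            if reply is not None:
                pending.append(reply)
        if not pending and master.state == "inquiry" and master.found:
            pending.append(master.page(next(iter(master.found))))   # page the first device found
    return trace


def demo():
    master = Master(addr=0xAA, clock=5000)                 # constructed addresses
    s1, s2, s3 = Slave(0x01, 10), Slave(0x02, 20), Slave(0x03, 30)
    s1.inquiry_scan()
    s2.inquiry_scan()                                      # s3 stays in standby, never answers
    trace = establish(master, [s1, s2, s3])
    return trace, [master.state, s1.state, s2.state, s3.state], s1.clock
```

Only devices that entered inquiry scan answer the broadcast ID packet; the master pages the first one it found, the two sides reach the connection state, and the paged slave ends up with the master's clock, which is what it needs to follow the piconet's hop sequence.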
Bluetooth Security
There are three modes of security for Bluetooth access between two devices.
◦ non-secure
◦ service level enforced security
◦ link level enforced security
Device security level
◦ Trusted
◦ untrusted
Service security level
◦ Authorization and Authentication
◦ Authentication only
◦ Open to all devices
Bluetooth Security
The following are the three basic security services specified in the Bluetooth standard:
◦ Authentication
verifying the identity of communicating devices. User authentication is not provided natively by Bluetooth.
◦ Confidentiality
preventing information compromise caused by eavesdropping by ensuring that only authorized devices can access and view data.
◦ Authorization
allowing the control of resources by ensuring that a device is authorized to use a service before permitting it to do so.
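How the three modes, the device security levels and the service security levels from the two slides above fit together, as an added example written for this page (not code from the deck or from any Bluetooth stack). Link level enforced security authenticates before any channel is opened, service level enforced security decides per service, and the non-secure mode skips both; the link-key table, service names and the deny-all authorization policy are constructed.

```python
# Added example: toy enforcement of the three security modes and the device
# and service security levels listed on the slides. Not code from the deck;
# the link-key table, service names and authorization policy are constructed.
from dataclasses import dataclass
from typing import Callable, Dict

NON_SECURE, SERVICE_LEVEL, LINK_LEVEL = 1, 2, 3   # the three security modes

OPEN = "open"                                     # open to all devices
AUTHN = "authentication"                          # authentication only
AUTHZ_AUTHN = "authorization+authentication"      # authorization and authentication


@dataclass
class Device:
    addr: str
    trusted: bool                 # device security level: trusted / untrusted
    authenticated: bool = False   # has the link to this device been authenticated?


@dataclass
class Service:
    name: str
    level: str                    # OPEN, AUTHN or AUTHZ_AUTHN


# Constructed link-key store: authentication succeeds only for paired devices.
LINK_KEYS: Dict[str, bytes] = {"00:11:22:33:44:55": b"\x01" * 16}


def authenticate(dev: Device) -> bool:
    return dev.addr in LINK_KEYS


def link_setup(mode: int, dev: Device) -> bool:
    """Link level enforced security (mode 3) authenticates before any channel is
    opened; modes 1 and 2 let the link come up and decide later."""
    if mode == LINK_LEVEL:
        dev.authenticated = authenticate(dev)
        return dev.authenticated
    return True


def service_access(mode: int, dev: Device, svc: Service,
                   authorize: Callable[[Device, Service], bool]) -> bool:
    """Service level decision: True if the device may use the service."""
    if mode == NON_SECURE:
        return True                        # no security procedures at all
    if mode == LINK_LEVEL and not dev.authenticated:
        return False                       # the link should never exist unauthenticated
    if svc.level == OPEN:
        return True
    if not dev.authenticated:              # mode 2: authenticate on first access
        dev.authenticated = authenticate(dev)
        if not dev.authenticated:
            return False
    if svc.level == AUTHN:
        return True
    # AUTHZ_AUTHN: trusted devices are authorized implicitly; untrusted ones
    # need an explicit authorization decision (for example a user prompt)
    return dev.trusted or authorize(dev, svc)


def deny_all(dev: Device, svc: Service) -> bool:
    return False   # constructed policy: nobody present to grant authorization


def demo() -> Dict[str, bool]:
    paired_trusted = Device("00:11:22:33:44:55", trusted=True)
    paired_untrusted = Device("00:11:22:33:44:55", trusted=False)
    stranger = Device("66:77:88:99:AA:BB", trusted=False)
    transfer = Service("file transfer", AUTHZ_AUTHN)
    headset = Service("headset", AUTHN)
    info = Service("device info", OPEN)
    return {
        "mode1 stranger transfer": service_access(NON_SECURE, stranger, transfer, deny_all),
        "mode2 stranger info": service_access(SERVICE_LEVEL, stranger, info, deny_all),
        "mode2 stranger headset": service_access(SERVICE_LEVEL, stranger, headset, deny_all),
        "mode2 untrusted transfer": service_access(SERVICE_LEVEL, paired_untrusted, transfer, deny_all),
        "mode2 trusted transfer": service_access(SERVICE_LEVEL, paired_trusted, transfer, deny_all),
        "mode3 stranger link": link_setup(LINK_LEVEL, stranger),
        "mode3 stranger info": service_access(LINK_LEVEL, stranger, info, deny_all),
    }
```

The difference between the modes shows in the open "device info" service: in mode 2 an unpaired device can still reach it, while in mode 3 the same device is refused because its link never authenticated, and a paired but untrusted device is stopped at the authorization step for a service that requires both authentication and authorization.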
THANK YOU