## 1. Networking Recap

* A **computer network** is a group of connected devices that exchange information.
* Devices use different methods to send data: WiFi (radio waves), cables (electricity), fiber optics (light).
* Each device has an address called a **MAC address**.
* Data travels through many **hops** (e.g., your PC → home router → university router → server).
* Different protocols exist for different levels:

  * Application to Application: HTTP
  * Network to Network: IP
  * Device to Device: Ethernet
* **Main problem:**
  Network protocols are **insecure by default**:

  * Data can be modified (spoofing).
  * Data can be read (lack of confidentiality).
  * Fake data can be sent (lack of authenticity).
* More secure protocols (e.g., IPsec) exist but are harder to set up.

---

## 2. Firewalls

### What is a Firewall?

* A **firewall** controls what data can enter or leave a network or device.
* Usually placed at the network boundary (like a router).
* Can also protect individual devices.
* Implemented as software or hardware with special network access.

---

### Packet-filtering Firewalls

* The most common type.
* Works by applying **rules** to packets (small data pieces).
* Rules check things like source IP, destination IP, port, and protocol.
* Actions can be ACCEPT, REJECT (discard and notify the sender), or DROP (discard silently).

**Example Rules:**

| Rule | Src IP       | Dest IP     | Protocol | Src Port | Dest Port | Action |
| ---- | ------------ | ----------- | -------- | -------- | --------- | ------ |
| 1    | Your home IP | Your PC     | TCP      | \*       | 22        | ACCEPT |
| 2    | \*           | Your PC     | TCP      | \*       | 80        | ACCEPT |
| 3    | Not your IP  | Not your IP | \*       | \*       | \*        | DROP   |

---

### Stateless vs Stateful Firewalls

* **Stateless:** Checks each packet individually, with no memory of past packets.
* **Stateful:** Keeps track of connections (e.g. a reply packet is allowed only if it belongs to a connection already seen), more secure.
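The rule table above and the stateless/stateful distinction, as an added example (not from the original notes): a small packet filter in Python. The addresses, the `Packet` fields and the `syn` flag are constructed assumptions; "first match wins, otherwise drop" is the policy assumed here.

```python
from dataclasses import dataclass

# Constructed placeholders for "Your home IP" and "Your PC" in the rule table.
HOME_IP = "203.0.113.10"
PC_IP = "192.0.2.5"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    syn: bool = False  # TCP SYN flag: True when a new connection is being opened

# The three example rules. None means "*" (match anything); a leading "!" means "not this value".
RULES = [
    (HOME_IP, PC_IP, "TCP", None, 22, "ACCEPT"),
    (None, PC_IP, "TCP", None, 80, "ACCEPT"),
    ("!" + PC_IP, "!" + PC_IP, None, None, None, "DROP"),
]

def _field_matches(pattern, value) -> bool:
    if pattern is None:
        return True
    if isinstance(pattern, str) and pattern.startswith("!"):
        return value != pattern[1:]
    return value == pattern

def stateless_filter(pkt: Packet, default: str = "DROP") -> str:
    """First matching rule wins; a packet matching no rule gets the default action."""
    for src, dst, proto, sport, dport, action in RULES:
        fields = ((src, pkt.src_ip), (dst, pkt.dst_ip), (proto, pkt.proto),
                  (sport, pkt.src_port), (dport, pkt.dst_port))
        if all(_field_matches(p, v) for p, v in fields):
            return action
    return default

class StatefulFilter:
    """Remembers connections the PC opened, so their replies pass without an explicit rule."""
    def __init__(self):
        self.connections = set()  # (our ip, our port, peer ip, peer port)

    def decide(self, pkt: Packet) -> str:
        if pkt.src_ip == PC_IP and pkt.syn:  # outbound connection start
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ACCEPT"
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return "ACCEPT"  # reply to a connection we opened
        return stateless_filter(pkt)  # otherwise fall back to the rule table
```

Note that the stateless filter drops the server's reply to a web connection the PC opened (no rule covers destination port 50000), while the stateful filter accepts it because it remembers the outbound SYN.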

---

### Advantages of Packet-filtering Firewalls

* Protects the whole network by blocking bad packets early.
* Simple and fast.
* Widely available with good support.

### Disadvantages

* Cannot block all attacks.
* Can be tricked by hiding traffic in allowed ports.
* Complex rule sets can be hard to manage.
* Only works if traffic actually passes through the firewall (e.g. a device on mobile data bypasses it).

---

### Proxy Firewalls

* Work at the **Application layer** (Layer 7).
* Acts as an intermediary:

  1. Client sends request to proxy.
  2. Proxy sends request to target server.
  3. Proxy receives response and sends it back to client.
* Can be **explicit** (client knows about proxy) or **transparent** (client doesn’t know).
* Can require authentication.

**Advantages:**

* Logs all activity (good for accountability).
* Can cache content to reduce bandwidth.
* Filters traffic more intelligently.

**Disadvantages:**

* Complex to set up and maintain.
* Can slow down performance.
* Must trust proxy with sensitive data (proxy sees all traffic).

---

### Tiered Architecture

* Combining different firewalls (packet-filtering + proxy) for better protection.
* Layers of security between internet and internal network.

---

## 3. Intrusion Detection Systems (IDS)

* IDS **monitor network or system events** to detect unauthorized activity.
* **Intrusion Prevention Systems (IPS)** can also take action to stop attacks (e.g., block traffic).

### Types of IDS

* **NIDS (Network-based IDS):** Listens to network traffic at key points like routers or switches.
  Example tools: Snort, Suricata.

* **HIDS (Host-based IDS):** Monitors activities on a specific device (logs, files, system calls).
  Example tool: OSSEC.

---

### Event Analysis Methods

#### Signature-based Detection

* Uses known patterns (signatures) of attacks.
* Fast and accurate if signatures are updated.
* Can miss new or unknown attacks.
* Example: Detects ping scans (nmap) by looking for empty ICMP packets.
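The ping-scan example above, as an added detection example (not from the original notes or from Snort/Suricata): a signature that matches empty ICMP echo requests, plus a counter that alerts when one source hits many hosts in a short window. The record format, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class IcmpRecord:
    ts: float        # seconds since capture start
    src: str
    dst: str
    icmp_type: int   # 8 = echo request
    payload: bytes

def matches_empty_echo_signature(rec: IcmpRecord) -> bool:
    """Signature: an ICMP echo request with no payload (ordinary ping tools send padding)."""
    return rec.icmp_type == 8 and len(rec.payload) == 0

def detect_ping_sweeps(records, window=10.0, min_targets=5):
    """One alert per source that sends signature hits to >= min_targets distinct hosts within `window` seconds."""
    hits = defaultdict(list)  # src -> [(ts, dst), ...]
    for rec in sorted(records, key=lambda r: r.ts):
        if matches_empty_echo_signature(rec):
            hits[rec.src].append((rec.ts, rec.dst))
    alerts = []
    for src, events in hits.items():
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append((src, len(targets)))
                break  # report each source once
    return alerts

# Constructed sample traffic: one host probing eight addresses with empty echo requests,
# and one host sending a normal ping with a padded payload.
SAMPLE = [IcmpRecord(1.0 + i * 0.1, "10.0.0.99", f"10.0.0.{i}", 8, b"") for i in range(1, 9)] + \
         [IcmpRecord(2.0, "10.0.0.5", "10.0.0.1", 8, b"abcdefghijklmnop")]
```

The limitation the notes mention is visible here: a scanner that adds padding no longer matches the signature, which is why signature-based detection misses variants it has no pattern for.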

#### Anomaly-based Detection

* Learns normal behavior and alerts on deviations.
* Can detect new attacks.
* Hard to configure and can cause false alarms.
* Requires good training data.

---

### Base Rate Fallacy in IDS

* If attacks are rare, even a good IDS produces many false alarms, because the small false-positive rate applies to the huge benign majority of events.
* Increasing sensitivity reduces missed attacks but increases false positives.
* Decision on sensitivity depends on **threat model** and **risk tolerance**.
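The base rate fallacy worked through in code, as an added example (not from the original notes): given how rare attacks are, compute what fraction of alerts are real and how many attacks are missed for a chosen sensitivity. The numbers in the constructed scenario are illustrative assumptions.

```python
def alert_precision(base_rate: float, detection_rate: float, false_positive_rate: float) -> float:
    """P(attack | alert) by Bayes' rule.
    base_rate:           fraction of events that are attacks
    detection_rate:      P(alert | attack), the IDS sensitivity
    false_positive_rate: P(alert | benign)"""
    true_alerts = base_rate * detection_rate
    false_alerts = (1 - base_rate) * false_positive_rate
    return true_alerts / (true_alerts + false_alerts)

def daily_outcome(events_per_day: int, base_rate: float, detection_rate: float,
                  false_positive_rate: float) -> dict:
    """Expected counts per day for one sensitivity setting."""
    attacks = events_per_day * base_rate
    return {
        "true_alerts": attacks * detection_rate,
        "false_alerts": (events_per_day - attacks) * false_positive_rate,
        "missed_attacks": attacks * (1 - detection_rate),
        "precision": alert_precision(base_rate, detection_rate, false_positive_rate),
    }

def sensitivity_tradeoff(events_per_day: int, base_rate: float, settings):
    """settings: list of (detection_rate, false_positive_rate) pairs, e.g. from tuning a threshold.
    Raising sensitivity lowers missed attacks but raises false alerts; this returns both for each setting."""
    return [(dr, fpr, daily_outcome(events_per_day, base_rate, dr, fpr)) for dr, fpr in settings]

# Constructed scenario: 1,000,000 events/day, 1 in 10,000 is an attack.
SCENARIO = dict(events_per_day=1_000_000, base_rate=1e-4)
SETTINGS = [(0.90, 0.001), (0.99, 0.01)]  # (sensitivity, false-positive rate), assumed values
```

With these assumed figures the more sensitive setting catches 99 of the 100 daily attacks but produces about 10,000 false alerts, so fewer than 1% of its alerts are real.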

---

## 4. Tunneling

### Why Tunneling?

* Even if data is encrypted (like HTTPS), **metadata** (packet headers) is visible.
* Metadata reveals who you talk to and when, which can reveal sensitive info.

### Tunneling Concept

* Encapsulate your packets inside an encrypted tunnel to a trusted middleman, which forwards them onward.
* Examples:

  * **Proxy:** Tunnels for specific applications.
  * **VPN:** Tunnels all network traffic.
* This hides your real origin and encrypts more data.
* Used to securely access private networks remotely.

---

### TOR (Onion Routing)

* Multi-layer tunneling (tunnels inside tunnels).
* Each relay removes one encryption layer; no single node knows the full path.
* Provides strong anonymity but is slower.
* Not fully secure if you reveal your identity (logging in with real name).
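The layer-peeling idea above, as an added simulation (not from the original notes and not Tor's actual protocol): a message is wrapped in one layer per relay, and each relay can decrypt only its own layer, learning just the next hop. The relay names, keys, the 16-byte address field and the SHA-256-based XOR cipher are constructed assumptions; the toy cipher only illustrates layering and is not suitable for real use.

```python
import hashlib, os

def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream. Toy cipher for illustration only."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(message: bytes, path, keys, destination="DESTINATION") -> bytes:
    """Wrap the message innermost-first: each layer = nonce || E_key(next_hop || inner)."""
    blob, next_hop = message, destination
    for relay in reversed(path):
        nonce = os.urandom(8)
        plaintext = next_hop.encode().ljust(16, b"\0") + blob
        blob = nonce + toy_stream_cipher(keys[relay], nonce, plaintext)
        next_hop = relay
    return blob  # handed to path[0]

def peel_layer(relay: str, blob: bytes, keys):
    """What one relay does: strip its own layer and learn only where to forward the rest."""
    nonce, ciphertext = blob[:8], blob[8:]
    plaintext = toy_stream_cipher(keys[relay], nonce, ciphertext)
    return plaintext[:16].rstrip(b"\0").decode(), plaintext[16:]

def route(onion: bytes, path, keys):
    """Forward through the path; returns (what each relay learned, message delivered)."""
    views, blob, hop = [], onion, path[0]
    while True:
        next_hop, blob = peel_layer(hop, blob, keys)
        views.append((hop, next_hop))
        if next_hop not in keys:  # reached the destination
            return views, blob
        hop = next_hop

# Constructed relays and per-relay keys (in Tor these are negotiated per circuit).
KEYS = {"relayA": b"k" * 32, "relayB": b"m" * 32, "relayC": b"z" * 32}
PATH = ["relayA", "relayB", "relayC"]
```

The entry relay sees the sender and "relayB", the exit relay sees "DESTINATION" and the plaintext, and only the sender ever knows the whole path, which is why revealing your identity inside the message defeats the anonymity.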

---

# Summary

| Topic             | Key Points                                                                                  |
| ----------------- | ------------------------------------------------------------------------------------------- |
| Firewalls         | Control network traffic using rules or proxies. Protect networks or devices.                |
| Packet-filtering  | Simple, efficient, but limited in filtering ability.                                        |
| Proxy firewalls   | More detailed filtering, logs, caching, but complex and needs trust.                        |
| IDS               | Detect unauthorized activity using signatures or anomaly detection.                         |
| Base rate fallacy | Balancing sensitivity of IDS to avoid too many false alarms or missed attacks.              |
| Tunneling         | Protects metadata by wrapping packets in secure tunnels. VPN and Proxy are common examples. |
| TOR               | Multi-layer encrypted routing for anonymity.                                                |
