# DIOTP - C6

## Data transmission - in internet

---

# Motivation

Collect event-based data securely.

---

# Topics

1. Network
2. Protocols & Services
3. Securing data transfer
4. Collecting strategies

---

# Protocols & Services

---

## Protocols for Data Transmission

- IP (v4 & v6) (Internet Protocol)
- TCP/IP (Transmission Control Protocol)
- UDP (User Datagram Protocol)
- HTTP/HTTPS (Hypertext Transfer Protocol)
- FTP/SFTP (File Transfer Protocol / Secure FTP)
- SMB (Server Message Block)
- CIFS (Common Internet File System)
- SSH (Secure Shell)

---

## Services for Data Transmission

**Server-side:**

- HTTP(S) -> Nginx, Apache, HAProxy...
- SSH/SFTP -> OpenSSH Server

**Client-side:**

- HTTP: Browser (Chrome/Firefox...)
- HTTP: cURL
- HTTP: SDKs (developers)
- SSH: WinSCP
- SSH: rsync & scp

---

# Network

![intel-x520-da2](https://hackmd.io/_uploads/H1zDzg-Jyg.png)

---

## Network Interface Configurations in Linux

- Network interface configuration (using ip, ifconfig, nmcli)
- Setting a static IP vs DHCP
- Configuring DNS (using /etc/resolv.conf)
- Firewall setup (using iptables, ufw)

---

## Network Configurations in Azure

- Public IP -> WAN_IP
- WAN_IP:port -> LAN_IP:port (NAT)
- Firewall configurations (allow protocols)

---

# Securing data transfer

---

## SSL & TLS

- SSL (Secure Sockets Layer)
- TLS (Transport Layer Security (v1, v2, v3))

SSL and TLS are cryptographic protocols that provide authentication and data encryption between two endpoints (e.g., a client and a server). TLS is the newer protocol and is replacing the older SSL.

---

## HTTPS

HTTPS ("HTTP Secure") uses SSL/TLS to encrypt data transmission between client and server.

Security is based on SSL/TLS certificates issued to the server by a CA (Certificate Authority).

Clients trust the Certificate Authorities (or their certificates), and that trust is the key to establishing a secure connection.

---

## Securing HTTP Server - theory

Securing is based on three essential steps:

1. Choosing a Certificate Authority
2. Certificate signing process for the server
3. Redirecting all HTTP traffic to HTTPS

---

## Securing HTTP Server - Practice

One way to establish security in an HTTP server is to use [Certbot](https://certbot.eff.org/).

Steps:

1. Prepare the server for the ACME challenge
2. Install Certbot
3. Run Certbot - uses the [Let's Encrypt](https://letsencrypt.org/) CA
4. Test the HTTPS connection

See more specific instructions in [https://certbot.eff.org/instructions](https://certbot.eff.org/instructions)

---

# Data collection strategies

---

## Ways to send data

- Asynchronous (internet)
- Unicast - single <-> single (e.g., HTTP)
- Multicast - single <-> multiple (e.g., streaming)
- [Connectionless (UDP), Connection-oriented (TCP)](https://www.geeksforgeeks.org/difference-between-connection-oriented-and-connection-less-services/)

---

## Store and forward

- Email systems (SMTP)
- Messaging queues (MQTT broker)
- Data agent (e.g., [Telegraf](https://github.com/influxdata/telegraf))

---

# Summary

- Network configurations
- HTTP -> well-established, requires an active client
- Security -> TLS
- Services between client and database

---

# Collect data

How do we get started with data collection?

![itko_pipeline_plain](https://hackmd.io/_uploads/BJEEvWWyke.png)

---

## Login to the virtual machine

Login requirements to the VPS:

- SSH_CLIENT
- VM_PUBLIC_IP
- USERNAME or IDENTITYFILE

---

or use SSH_CONFIG.

See the config:

```bash
cat ~/.ssh/config
```

To edit SSH_CONFIG, use Nano:

```bash
nano ~/.ssh/config
```

---

Connect to the VPS:

```bash
ssh -i ~/path/to/key username@ip.or.fqdn.here
# or
ssh host  # host entry from ~/.ssh/config
```

---

## Configure HTTPS 1/2

```bash
# Step 1 - View current nginx site config
cat /etc/nginx/sites-enabled/default
# Step 2 - Read instructions:
# https://certbot.eff.org/instructions?ws=nginx&os=pip
# Step 3 - Fetch update information
sudo apt update
# Step 4 - Install packages
sudo apt install -y python3 python3-venv libaugeas0
# Step 5 - Prepare a Python environment for certbot
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
```

---

## Configure HTTPS 2/2

```bash
# Step 6 - Install certbot into the environment
sudo /opt/certbot/bin/pip install certbot certbot-nginx
# Step 7 - Symbolic link
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
# Before step 8 - make sure the FQDN points to this server
# Step 8 - Run certbot
sudo certbot --nginx
# 1. Add email or run previous command with `--register-unsafely-without-email`
# 2. Read the Terms of Service
#    https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
# 3. Agree to the Terms of Service => Y
# 4. Enter domain name(s) (comma separated)
```

---

# Point FQDN in Azure

Navigate to the VPS
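After the certbot steps above ("Test the HTTPS connection", step 4 of the Certbot procedure, plus the HTTP-to-HTTPS redirect from the theory slide) and the ufw firewall setup from the Linux networking slide, a defender wants a repeatable way to confirm the result. The script below is an added example, not part of the original slides or of Certbot; it assumes `curl`, `openssl` and `ufw` are installed for the live check, and the sample outputs it ships with are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the slides): post-configuration checks.
# The three check_* functions parse captured tool output, so they can be
# exercised offline; check_live_host wires them to real curl/openssl/ufw.

# Input: raw HTTP response headers (as from `curl -sI http://host/`).
# Succeeds only for a 301/302/307/308 whose Location is an https:// URL.
check_http_redirect() {
    headers="$1"
    status=$(printf '%s\n' "$headers" | head -n 1 | tr -d '\r' | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | tr -d '\r' | awk 'tolower($1) == "location:" {print $2}')
    case "$status" in
        301|302|307|308) ;;
        *) echo "FAIL: no redirect, status '$status'"; return 1 ;;
    esac
    case "$location" in
        https://*) echo "OK: redirects to $location"; return 0 ;;
        *) echo "FAIL: redirect target is not https: '$location'"; return 1 ;;
    esac
}

# Input: `openssl s_client` output. Succeeds only if the negotiated
# protocol is TLS 1.2 or 1.3; SSL and TLS 1.0/1.1 are reported as legacy.
check_tls_version() {
    proto=$(printf '%s\n' "$1" | tr -d '\r' | awk -F': *' '/^ *Protocol *:/ {print $2; exit}' | tr -d ' ')
    case "$proto" in
        TLSv1.2|TLSv1.3) echo "OK: negotiated $proto"; return 0 ;;
        "") echo "FAIL: no Protocol line in s_client output"; return 1 ;;
        *) echo "FAIL: legacy protocol $proto"; return 1 ;;
    esac
}

# Input: `ufw status` output followed by the rules that may be open,
# e.g. check_firewall_allowlist "$status" 22/tcp 80/tcp 443/tcp
# Fails if ufw is inactive or any rule outside the allowlist is ALLOWed.
check_firewall_allowlist() {
    status="$1"; shift
    printf '%s\n' "$status" | grep -q '^Status: active' || { echo "FAIL: ufw is not active"; return 1; }
    extra=""
    # "22/tcp ALLOW Anywhere" puts ALLOW in $2, "22/tcp (v6) ALLOW ..." in $3
    for rule in $(printf '%s\n' "$status" | awk '$2 == "ALLOW" || $3 == "ALLOW" {print $1}' | sort -u); do
        ok=0
        for allowed in "$@"; do
            [ "$rule" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || extra="$extra $rule"
    done
    if [ -n "$extra" ]; then
        echo "FAIL: unexpected ALLOW rules:$extra"; return 1
    fi
    echo "OK: only$(printf ' %s' "$@") are allowed"
}

# Live check of a real host (assumes curl/openssl locally and ufw on the server
# where this runs). Usage: check_live_host your.fqdn.example
check_live_host() {
    host="$1"
    check_http_redirect "$(curl -sI "http://$host/")" || return 1
    check_tls_version "$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null)" || return 1
    check_firewall_allowlist "$(sudo ufw status)" 22/tcp 80/tcp 443/tcp
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.com/'
SAMPLE_PLAIN='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'
SAMPLE_TLS13='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_TLS10='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'
SAMPLE_UFW_OPEN="$SAMPLE_UFW
3306/tcp                   ALLOW       Anywhere"

# Offline demo on the constructed samples; the last one is expected to FAIL.
check_http_redirect "$SAMPLE_REDIRECT"
check_tls_version "$SAMPLE_TLS13"
check_firewall_allowlist "$SAMPLE_UFW" 22/tcp 80/tcp 443/tcp
check_firewall_allowlist "$SAMPLE_UFW_OPEN" 22/tcp 80/tcp 443/tcp || true
```

Run `check_live_host your.fqdn.example` on the VPS once the FQDN points at it: the first check confirms certbot's nginx plugin installed the HTTP-to-HTTPS redirect, the second that the server negotiates a modern TLS version rather than legacy SSL/TLS 1.0, and the third that the firewall exposes nothing beyond SSH, HTTP and HTTPS.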