network security

¡Supera tus tareas y exámenes ahora con Quizwiz!

A Virtual Private Network (VPN) is a private network that enables remote users (for example, employees, suppliers, partners, and customers) to leverage the inherently insecure public Internet to connect to an enterprise's private network resources in a secure manner. To do this, companies create a secure tunnel from the client to the server and use encryption to keep unauthorized parties from viewing or intercepting the data in transit. A VPN is typically built using keys and certificates that must also be kept secure, but that method is not infallible. It is widely felt, for instance, that massive security breaches perpetrated by Edward Snowden against the allegedly most secure organization in the world, the National Security Administration (NSA), involved, at least in part, compromising keys and certificates and creating and using false credentials. Another way in which VPN security can be compromised is through hairpinning. Hairpinning involves an unauthorized access of a computer connected to a VPN, usually by malicious software, but sometimes by active hacking. For example, malicious software can be surreptitiously loaded on a computer connected to a VPN, which allows the malware to enter the VPN tunnel as valid traffic. In this way, the malware enters the tunnel, without having to break the encryption or deal with any of the protective mechanisms. In other words, it gains access to the network at the other side of the VPN tunnel completely unchallenged. Unfortunately, VPNs are often established and administered by network operations or system administrators with little or no security training. To make matters worse, advances in attack sophistication have rendered the protection tools of the 1990s ineffective, yet not all organizations regularly update their VPN configurations and associated policies. Other organizations are quick to adopt the "latest and greatest" approaches and leave themselves vulnerable to attacks that are as yet unknown within the community of defenders but that are exploited routinely within the attacker community. In light of advances in both attacks and defenses, the configuration of an organization's VPN should be reviewed periodically—some might argue as often as once per month, but in no case less often than annually. In addition, the VPN infrastructure should routinely be subjected to a penetration test to ascertain the likelihood and impact of a potential breach. Any changes to the configuration should be applied uniformly to all VPN connections within the organization. In this lab, you will configure the server side of the pfSense VPN. Only someone with security knowledge and an understanding of the organization's operating environment can properly protect the network's resources. Once the server side of the VPN is configured, the systems operational personnel can apply the configuration to the client devices, reboot both machines, and test the VPN connection. You will configure the other side of the VPN in the Configuring a VPN Client for Secure File Transfers lab later in this lab manual. Upon completing this lab, you will be able to: Configure the server side of a VPN. Describe the advantages and disadvantages of different VPN configuration options. Discuss how to prevent attacks against data in transit using a properly configured VPN. In the first part of the lab, you will use the pfSense firewall to configure a VPN server. In the second part of the lab, you will configure a firewall rule to direct VPN traffic. Note: You will be using pfSense firewall to configure a VPN server using IPsec, the most popular form of VPN in use today. IPsec, short for Internet Protocol Security, authenticates and encrypts packets. IPsec is an end-to-end security technology that operates in the Internet layer of the TCP/IP Model. The IPsec protocol suite supports data-origin authentication, data integrity, network-level peer authentication, and data confidentiality (encryption). Before IPsec can be used as a VPN service, you will need to create two certificates: (1) a certificate authority (CA), which will be used by client system(s) to verify the server and (2) a server certificate. Both certificates include common data. The current standard key length is 2048 bits. Anything larger than this will add additional processing time and could overload the system if processing multiple requests. 23. In the Descriptive name box, type IKEv2VPN, the common name you will give to anyone with permission to access the VPN. Note: Internet Key Exchange v2 (IKEv2) is an IPsec-based VPN protocol that uses NAT transversal (NAT-T). NAT-T allows IPsec traffic to pass through a NAT server. IKEv2 provides significant improvements over IKE and has been adopted by several companies, such as Microsoft, Cisco, and Openswan. IKEv2 requires public key infrastructure PKI support to obtain and use a certificate. 25. In the Common Name box, type 172.30.0.1, the WAN IP address. In an actual configuration, the Common Name would be a Fully Qualified Domain Name (FQDN), but the virtual lab does not use a DNS server, so the IP address is substituted here. 41. From the Authentication Method drop-down list in the Proposal section of the page, select EAP-MSChapv2 to specify Extensible Authentication Protocol-Microsoft Challenge Handshake version 2. EAP-MSCHAPv2 creates a secure tunnel using two-way authentication on both sides of the VPN connection.

43. From the Peer identifier drop-down list, select Any to allow connections from any matching client. 45. In the Phase 1 Proposal (Algorithms) section, verify AES (Advanced Encryption Standard) and 256 bits are selected as the Encryption Algorithm. 46. From the Hash Algorithm drop-down list, select SHA256 to match the certificate option. The default setting for this option is Lan Subnet, which would allow the clients to use a split tunnel. In a split tunnel configuration, clients keep local traffic on their own network while routing any IPsec traffic through the VPN tunnel. This configuration is optimal for performance, but less secure than specifying a network address. 59. In the Hash Algorithms section, verify SHA1 is selected. Though SHA256 is more secure than SHA1, selecting it at this point allows for backward compatibility for legacy devices. Note: In the next steps, you will configure a pre-shared key for this VPN. A pre-shared key is a password that is known to both the server and the client. Because it is used only once during this configuration process, it is good practice to make the password as obscure as possible. In this lab, you will use a simple password (password1). Note: In the next steps, you will configure a pre-shared key for this VPN. A pre-shared key is a password that is known to both the server and the client. Because it is used only once during this configuration process, it is good practice to make the password as obscure as possible. In this lab, you will use a simple password (password1). Note: In this section, you will be using the pfSense firewall to configure an OpenVPN server. OpenVPN is an open source routed VPN. Note: The Key length box is auto-generated by pfSense. The larger the key, the more security it offers, but larger keys take considerably more time to generate, and also take longer to validate. As of 2016, 2048 is the minimum and most common selection and 4096 is the maximum in common use. For this lab, you will use 2048 bits. Field Name Default values Generate TLS Key This option will automatically generate the shared TLS authentication key. TLS Shared Key This field remains blank because the key is auto-generated in the previous field. If you chose to manually create a key, that key would be entered in this box and the Generate TLS Key would be left un-checked. DH Parameters Length The Diffie Hellman key exchange is used for establishing a secure communication channel. Originally conceptualize by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. The default value is 2048 bit. Encryption Algorithm The algorithm used to encrypt traffic between endpoints. This setting must match on the client and server side. The default value is AES-246-CBC (256-bit). Auth Digest Algorithm This method is used to authenticate traffic between endpoints. This setting must match on the client and server side. The default value is SHA1 (160-bit). Hardware Crypto The hardware cryptographic accelerator is used for the VPN connections. The default value is No Hardware Crypto Acceleration. 26. In the DNS Server 1 box under the Client Settings section, type 10.20.1.1, the WAN IP address for the OpenVPN server. 27. In the Advanced box, type push "route 172.30.0.0 255.255.255.0";mute 10;comp-lzo; to predefine a route to direct all connections to the LAN network. Note: In this section, you will continue using the OpenVPN Wizard to configure a firewall rule to allow users the ability to connect with the VPN. Traffic from clients to server Firewall Rule Add a rule to permit connections to this OpenVPN server process from clients anywhere on the Internet. Traffic from clients through VPN OpenVPN rule Add a rule to allow all traffic from connected clients to pass inside the VPN tunnel

What is Patch Management? Patch management is the process of installing (and managing) the latest patches - code changes which improve the system or fix security vulnerabilities — on various systems within a network. Tasks like deciding what patches are appropriate for particular systems, ensuring these patches are installed properly, testing systems after installation, all fall under patch management. The objective of patch management is to keep various systems in a network up-to-date and secure against various kinds of hacking and malware. Patch Management — Manual or Automated? Usually, automated patch management is preferred over manual patch management as the latter involves tasks which are quite tedious for IT admins. Whereas automated enterprise patch management streamlines the entire process by automating the delivery of operating systems and application related updates via a centralized patch management server. How Does Automated Patch Management Work? Most automated enterprise patch management tools carry out the patching process by deploying or installing agents on target computers. These agents provide a connection between the centralized patch server and the computers to be patched. They also carry out patching related tasks like sending alerts to the server, storing patches locally on the target computer prior to installation and automatically retrying failed patch installations etc. Patch Management — Benefits: Some of the benefits of patch management are: Security: Security is the most obvious benefit offered by patch management, as software vendors most often release patches to fix security vulnerabilities which are being exploited by malicious software or people intending to damage the IT systems or network. Applying these security patches at the right time will greatly reduce security breaches of various kinds. Productivity: Another major benefit of patch management is increased productivity. Often patches come with performance improvements for the products they apply to or fix crashes. Helping employees (their systems to be more precise) get rid of these issues will lead to a productivity boost. Which, in turn, means reduced downtime. In Possession of the Latest: The world of technology is moving at a fast pace. And having an automated patch management software in place will help your organization keep up with the latest advancements in the technology without you having to do much about it. Because software patches usually contain new features or functionality and extend support to additional platforms. Patch Management — Essentials: A good patch management solution will contain the following capabilities: Comprehensive Scanning: The patch management tool you use should have comprehensive scanning capabilities. That is, it should be able to scan your network thoroughly and identify missing patches. And the results it produces should be definitive with minimal false positives. It should also take into consideration when patches are updated or superseded. Otherwise, you'll be inundated with outdated and useless information. Efficient Patch Deployment: Your patch management tool should efficiently install patches and updates across your network, taking into consideration bandwidth and other concerns such as spanning multiple domains or IP ranges. Efficient patch deployment is probably why you go for patch management tools. And if they cannot offer it, it's better not to go for such a product.

Detailed Reporting: Reporting is an important feature in virtually every enterprise network management product. IT administrators need a broader view of the overall patch status, current deployment progress, and issues which need addressing. So consider the types of reports you may need and select a patch management tool with reporting capabilities that match your requirements.

Top Tips for Effective Presentations See also: Dealing with Presentation Nerves How can you make a good presentation even more effective? This page draws on published advice from expert presenters around the world, which will help to take your presentations from merely 'good' to 'great'. By bringing together advice from a wide range of people, the aim is to cover a whole range of areas. Whether you are an experienced presenter, or just starting out, there should be ideas here to help you to improve. 1. Show your Passion and Connect with your Audience It's hard to be relaxed and be yourself when you're nervous. But time and again, the great presenters say that the most important thing is to connect with your audience, and the best way to do that is to let your passion for the subject shine through. Be honest with the audience about what is important to you and why it matters. Be enthusiastic and honest, and the audience will respond. 2. Focus on your Audience's Needs Your presentation needs to be built around what your audience is going to get out of the presentation. As you prepare the presentation, you always need to bear in mind what the audience needs and wants to know, not what you can tell them. While you're giving the presentation, you also need to remain focused on your audience's response, and react to that. You need to make it easy for your audience to understand and respond. 3. Keep it Simple: Concentrate on your Core Message When planning your presentation, you should always keep in mind the question: What is the key message (or three key points) for my audience to take away? You should be able to communicate that key message very briefly. Some experts recommend a 30-second 'elevator summary', others that you can write it on the back of a business card, or say it in no more than 15 words. Whichever rule you choose, the important thing is to keep your core message focused and brief. And if what you are planning to say doesn't contribute to that core message, don't say it. 4. Smile and Make Eye Contact with your Audience This sounds very easy, but a surprisingly large number of presenters fail to do it. If you smile and make eye contact, you are building rapport, which helps the audience to connect with you and your subject. It also helps you to feel less nervous, because you are talking to individuals, not to a great mass of unknown people. To help you with this, make sure that you don't turn down all the lights so that only the slide screen is visible. Your audience needs to see you as well as your slides. 5. Start Strongly The beginning of your presentation is crucial. You need to grab your audience's attention and hold it. They will give you a few minutes' grace in which to entertain them, before they start to switch off if you're dull. So don't waste that on explaining who you are. Start by entertaining them. Try a story (see tip 7 below), or an attention-grabbing (but useful) image on a slide. 6. Remember the 10-20-30 Rule for Slideshows This is a tip from Guy Kawasaki of Apple. He suggests that slideshows should: Contain no more than 10 slides; Last no more than 20 minutes; and Use a font size of no less than 30 point. This last is particularly important as it stops you trying to put too much information on any one slide. This whole approach avoids the dreaded 'Death by PowerPoint'. As a general rule, slides should be the sideshow to you, the presenter. A good set of slides should be no use without the presenter, and they should definitely contain less, rather than more, information, expressed simply. If you need to provide more information, create a bespoke handout and give it out after your presentation. 7. Tell Stories Human beings are programmed to respond to stories. Stories help us to pay attention, and also to remember things. If you can use stories in your presentation, your audience is more likely to engage and to remember your points afterwards. It is a good idea to start with a story, but there is a wider point too: you need your presentation to act like a story. Think about what story you are trying to tell your audience, and create your presentation to tell it. Finding The Story Behind Your Presentation To effectively tell a story, focus on using at least one of the two most basic storytelling mechanics in your presentation: Focusing On Characters - People have stories; things, data, and objects do not. So ask yourself "who" is directly involved in your topic that you can use as the focal point of your story. For example, instead of talking about cars (your company's products), you could focus on specific characters like: The drivers the car is intended for - people looking for speed and adventure The engineers who went out of their way to design the most cost-effective car imaginable A Changing Dynamic - A story needs something to change along the way. So ask yourself "What is not as it should be?" and answer with what you are going to do about it (or what you did about it). For example... Did hazardous road conditions inspire you to build a rugged, all-terrain jeep that any family could afford? Did a complicated and confusing food labelling system lead you to establish a colour-coded nutritional index so that anybody could easily understand it? To see 15 more actionable storytelling tips, see Nuts & Bolts Speed Training's post onStorytelling Tips. 8. Use your Voice Effectively The spoken word is actually a pretty inefficient means of communication, because it uses only one of your audience's five senses. That's why presenters tend to use visual aids, too. But you can help to make the spoken word better by using your voice effectively. Varying the speed at which you talk, and emphasising changes in pitch and tone all help to make your voice more interesting and hold your audience's attention. For more about this, see our page on Effective Speaking. 9. Use your Body Too It has been estimated that more than three quarters of communication is non-verbal. That means that as well as your tone of voice, your body language is crucial to getting your message across. Make sure that you are giving the right messages: body language to avoid includes crossed arms, hands held behind your back or in your pockets, and pacing the stage. Make your gestures open and confident, and move naturally around the stage, and among the audience too, if possible. 10. Relax, Breathe and Enjoy If you find presenting difficult, it can be hard to be calm and relaxed about doing it. One option is to start by concentrating on your breathing. Slow it down, and make sure that you're breathing fully. Make sure that you continue to pause for breath occasionally during your presentation too. For more ideas, see our page on Coping with Presentation Nerves. Improve your Presentation Skills

If you can bring yourself to relax, you will almost certainly present better. If you can actually start to enjoy yourself, your audience will respond to that, and engage better. Your presentations will improve exponentially, and so will your confidence. It's well worth a try.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data sent over an Internet Protocol network. It is used in virtual private networks (VPNs). IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).[1] Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. The initial IPv4 suite was developed with few security provisions. As a part of the IPv4 enhancement, IPsec is a layer 3 OSI model or internet layer end-to-end security scheme, while some other Internet security systems in widespread use operate above layer 3, such as Transport Layer Security (TLS) and Secure Shell (SSH), both of which operate at the Application layer. IPsec can automatically secure applications at the IP layer. Contents 1 History 2 Security architecture 2.1 Authentication Header 2.2 Encapsulating Security Payload 2.3 Security association 3 Modes of operation 3.1 Transport mode 3.2 Tunnel mode 4 Cryptographic algorithms 5 Implementations 6 Standards status 7 Alleged NSA interference 8 IETF documentation 8.1 Standards track 8.2 Experimental RFCs 8.3 Informational RFCs 8.4 Best current practice RFCs 8.5 Obsolete/historic RFCs 9 See also 10 References 11 External links History Starting in the early 1970s, the Advanced Research Projects Agency sponsored a series of experimental ARPANET encryption devices, at first for native ARPANET packet encryption and subsequently for TCP/IP packet encryption; some of these were certified and fielded. From 1986 to 1991, the NSA sponsored the development of security protocols for the Internet under its Secure Data Network Systems (SDNS) program.[2] This brought together various vendors including Motorola who produced a network encryption device in 1988. The work was openly published from about 1988 by NIST and, of these, Security Protocol at Layer 3 (SP3) would eventually morph into the ISO standard Network Layer Security Protocol (NLSP).[3] From 1992 to 1995, various research groups improved upon SDNS's SP3. In 1992, the US Naval Research Laboratory (NRL) began the SIPP project to research and implement IP encryption. In December 1993, the experimental Software IP Encryption Protocol (swIPe) was developed on SunOS at Columbia University and AT&T Bell Labs by John Ioannidis and others. Funded by the White House in 1993, Wei Xu at Trusted Information Systems (TIS) followed the swIPe research,[4] enhanced the IP security protocols and developed the device driver of Data Encryption Standard. By December 1994, his team released the TIS Gauntlet Firewall product with the integrated 3DES hardware encryption and provided commercial IP Security at over T1 speeds, securing networks between the US East and West coasts. During this period the Internet Engineering Task Force (IETF) IP Security Working Group formed[5] to standardize these efforts as an open, freely available set of security extensions, called IPsec.[6] In 1995, the working group published RFC-1825 through RFC-1827 with the NRL having the first working implementation.[7] Security architecture The IPsec is an open standard as a part of the IPv4 suite. IPsec uses the following protocols to perform various functions:[8][9] Authentication Headers (AH) provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against replay attacks.[10][11] Encapsulating Security Payloads (ESP) provides confidentiality, connectionless integrity, data-origin authentication, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.[1] Security Associations (SA) provides the bundle of algorithms and data that provide the parameters necessary for AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange,[12] with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.[13][14][15][16] Authentication Header The Security Authentication Header (AH) is derived partially from previous IETF standards work for authentication of the Simple Network Management Protocol (SNMP) version 2. Authentication Header (AH) is a member of the IPsec protocol suite. AH ensures connectionless integrity by using a hash function and a secret shared key in the AH algorithm. AH also guarantees the data origin by authenticating IP packets. Optionally a sequence number can protect the IPsec packet's contents against replay attacks,[17] using the sliding window technique and discarding old packets. In IPv4, AH prevents option-insertion attacks. In IPv6, AH protects both against header insertion attacks and option insertion attacks. In IPv4, the AH protects the IP payload and all header fields of an IP datagram except for mutable fields (i.e. those that might be altered in transit), and also IP options such as the IP Security Option (RFC 1108). Mutable (and therefore unauthenticated) IPv4 header fields are DSCP/ToS, ECN, Flags, Fragment Offset, TTL and Header Checksum.[11] In IPv6, the AH protects most of the IPv6 base header, AH itself, non-mutable extension headers after the AH, and the IP payload. Protection for the IPv6 header excludes the mutable fields: DSCP, ECN, Flow Label, and Hop Limit.[11] AH operates directly on top of IP, using IP protocol number 51.[18] The following AH packet diagram shows how an AH packet is constructed and interpreted:[10][11] Authentication Header format Offsets Octet16 0 1 2 3 Octet16 Bit10 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 0 0 Next Header Payload Len Reserved 4 32 Security Parameters Index (SPI) 8 64 Sequence Number C 96 Integrity Check Value (ICV) ... ... ... Next Header (8 bits) Type of the next header, indicating what upper-layer protocol was protected. The value is taken from the list of IP protocol numbers. Payload Len (8 bits) The length of this Authentication Header in 4-octet units, minus 2. For example, an AH value of 4 equals 3×(32-bit fixed-length AH fields) + 3×(32-bit ICV fields) − 2 and thus an AH value of 4 means 24 octets. Although the size is measured in 4-octet units, the length of this header needs to be a multiple of 8 octets if carried in an IPv6 packet. This restriction does not apply to an Authentication Header carried in an IPv4 packet. Reserved (16 bits) Reserved for future use (all zeroes until then). Security Parameters Index (32 bits) Arbitrary value which is used (together with the destination IP address) to identify the security association of the receiving party. Sequence Number (32 bits) A monotonic strictly increasing sequence number (incremented by 1 for every packet sent) to prevent replay attacks. When replay detection is enabled, sequence numbers are never reused, because a new security association must be renegotiated before an attempt to increment the sequence number beyond its maximum value.[11] Integrity Check Value (multiple of 32 bits) Variable length check value. It may contain padding to align the field to an 8-octet boundary for IPv6, or a 4-octet boundary for IPv4. Encapsulating Security Payload The IP Encapsulating Security Payload (ESP)[19] was researched at the Naval Research Laboratory starting in 1992 as part of a DARPA-sponsored research project, and was openly published by IETF SIPP[20] Working Group drafted in December 1993 as a security extension for SIPP. This ESP was originally derived from the US Department of Defense SP3D protocol, rather than being derived from the ISO Network-Layer Security Protocol (NLSP). The SP3D protocol specification was published by NIST in the late 1980s, but designed by the Secure Data Network System project of the US Department of Defense. Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. It provides origin authenticity through source authentication, data integrity through hash functions and confidentiality through encryption protection for IP packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.[21][22][23] Unlike Authentication Header (AH), ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. ESP operates directly on top of IP, using IP protocol number 50.[18] The following ESP packet diagram shows how an ESP packet is constructed and interpreted:[1][24] Encapsulating Security Payload format Offsets Octet16 0 1 2 3 Octet16 Bit10 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 0 0 Security Parameters Index (SPI) 4 32 Sequence Number 8 64 Payload data ... ... ... ... ... ... Padding (0-255 octets) ... ... Pad Length Next Header ... ... Integrity Check Value (ICV) ... ... ... Security Parameters Index (32 bits) Arbitrary value used (together with the destination IP address) to identify the security association of the receiving party. Sequence Number (32 bits) A monotonically increasing sequence number (incremented by 1 for every packet sent) to protect against replay attacks. There is a separate counter kept for every security association. Payload data (variable) The protected contents of the original IP packet, including any data used to protect the contents (e.g. an Initialisation Vector for the cryptographic algorithm). The type of content that was protected is indicated by the Next Header field. Padding (0-255 octets) Padding for encryption, to extend the payload data to a size that fits the encryption's cipher block size, and to align the next field. Pad Length (8 bits) Size of the padding (in octets). Next Header (8 bits) Type of the next header. The value is taken from the list of IP protocol numbers. Integrity Check Value (multiple of 32 bits) Variable length check value. It may contain padding to align the field to an 8-octet boundary for IPv6, or a 4-octet boundary for IPv4. Security association Main article: Security association The IPsec protocols use a security association, where the communicating parties establish shared security attributes such as algorithms and keys. As such IPsec provides a range of options once it has been determined whether AH or ESP is used. Before exchanging data the two hosts agree on which algorithm is used to encrypt the IP packet, for example DES or IDEA, and which hash function is used to ensure the integrity of the data, such as MD5 or SHA. These parameters are agreed for the particular session, for which a lifetime must be agreed and a session key.[25] The algorithm for authentication is also agreed before the data transfer takes place and IPsec supports a range of methods. Authentication is possible through pre-shared key, where a symmetric key is already in the possession of both hosts, and the hosts send each other hashes of the shared key to prove that they are in possession of the same key. IPsec also supports public key encryption, where each host has a public and a private key, they exchange their public keys and each host sends the other a nonce encrypted with the other host's public key. Alternatively if both hosts hold a public key certificate from a certificate authority, this can be used for IPsec authentication.[26] The security associations of IPsec are established using the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is implemented by manual configuration with pre-shared secrets, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), and the use of IPSECKEY DNS records.[16][27][28] RFC 5386 defines Better-Than-Nothing Security (BTNS) as an unauthenticated mode of IPsec using an extended IKE protocol. In order to decide what protection is to be provided for an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identifies a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database. For IP multicast a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice. Modes of operation The IPsec protocols AH and ESP can be implemented in a host-to-host transport mode, as well as in a network tunneling mode. IPsec Modes Transport mode In transport mode, only the payload of the IP packet is usually encrypted or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be modified by network address translation, as this always invalidates the hash value. The transport and application layers are always secured by a hash, so they cannot be modified in any way, for example by translating the port numbers. A means to encapsulate IPsec messages for NAT traversal has been defined by RFC documents describing the NAT-T mechanism. Tunnel mode Main article: Tunneling protocol In tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat).[29] Tunnel mode supports NAT traversal. Cryptographic algorithms Cryptographic algorithms defined for use with IPsec include: HMAC-SHA1/SHA2 for integrity protection and authenticity. TripleDES-CBC for confidentiality AES-CBC for confidentiality. AES-GCM providing confidentiality and authentication together efficiently. ChaCha20 + Poly1305 providing confidentiality and authentication together efficiently. Refer to [RFC 8221] for details. Implementations The IPsec can be implemented in the IP stack of an operating system, which requires modification of the source code. This method of implementation is done for hosts and security gateways. Various IPsec capable IP stacks are available from companies, such as HP or IBM.[30] An alternative is so called bump-in-the-stack (BITS) implementation, where the operating system source code does not have to be modified. Here IPsec is installed between the IP stack and the network drivers. This way operating systems can be retrofitted with IPsec. This method of implementation is also used for both hosts and gateways. However, when retrofitting IPsec the encapsulation of IP packets may cause problems for the automatic path MTU discovery, where the maximum transmission unit (MTU) size on the network path between two IP hosts is established. If a host or gateway has a separate cryptoprocessor, which is common in the military and can also be found in commercial systems, a so-called bump-in-the-wire (BITW) implementation of IPsec is possible.[31] When IPsec is implemented in the kernel the key management and ISAKMP/IKE negotiation is carried out from user space. The openly specified "PF_KEY Key Management API, Version 2" is often used to enable the application-space key management application to update the IPsec Security Associations stored within the kernel-space IPsec implementation.[32] Existing IPsec implementations usually include ESP, AH, and IKE version 2. Existing IPsec implementations on UNIX-like operating systems, for example, Solaris or Linux, usually include PF_KEY version 2. Embedded IPsec can be used to ensure the secure communication among applications running over constrained resource systems with a small overhead.[33] Standards status IPsec was developed in conjunction with IPv6 and was originally required to be supported by all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.[34] IPsec is also optional for IPv4 implementations. IPsec is most commonly used to secure IPv4 traffic.[citation needed] IPsec protocols were originally defined in RFC 1825 through RFC 1829, which were published in 1995. In 1998, these documents were superseded by RFC 2401 and RFC 2412 with a few incompatible engineering details, although they were conceptually identical. In addition, a mutual authentication and key exchange protocol Internet Key Exchange (IKE) was defined to create and manage security associations. In December 2005, new standards were defined in RFC 4301 and RFC 4309 which are largely a superset of the previous editions with a second version of the Internet Key Exchange standard IKEv2. These third-generation documents standardized the abbreviation of IPsec to uppercase "IP" and lowercase "sec". "ESP" generally refers to RFC 4303, which is the most recent version of the specification. Since mid-2008, an IPsec Maintenance and Extensions (ipsecme) working group is active at the IETF.[35][36] Alleged NSA interference In 2013, as part of Snowden leaks, it was revealed that the US National Security Agency had been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the Bullrun program.[37] There are allegations that IPsec was a targeted encryption system.[38] The OpenBSD IPsec stack was the first implementation that was available under a permissive open-source license, and was therefore copied widely. In a letter which OpenBSD lead developer Theo de Raadt received on 11 Dec 2010 from Gregory Perry, it is alleged that Jason Wright and others, working for the FBI, inserted "a number of backdoors and side channel key leaking mechanisms" into the OpenBSD crypto code. In the forwarded email from 2010, Theo de Raadt did not at first express an official position on the validity of the claims, apart from the implicit endorsement from forwarding the email.[39] Jason Wright's response to the allegations: "Every urban legend is made more real by the inclusion of real names, dates, and times. Gregory Perry's email falls into this category. ... I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF)."[40] Some days later, de Raadt commented that "I believe that NETSEC was probably contracted to write backdoors as alleged. ... If those were written, I don't believe they made it into our tree."[41] This was published before the Snowden leaks. An alternative explanation put forward by the authors of the Logjam attack suggests that the NSA compromised IPsec VPNs by undermining the Diffie-Hellman algorithm used in the key exchange. In their paper[42] they allege the NSA specially built a computing cluster to precompute multiplicative subgroups for specific primes and generators, such as for the second Oakley group defined in RFC 2409. As of May 2015, 90% of addressable IPsec VPNs supported the second Oakley group as part of IKE. If an organization were to precompute this group, they could derive the keys being exchanged and decrypt traffic without inserting any software backdoors. A second alternative explanation that was put forward was that the Equation Group used zero-day exploits against several manufacturers' VPN equipment which were validated by Kaspersky Lab as being tied to the Equation Group[43] and validated by those manufacturers as being real exploits, some of which were zero-day exploits at the time of their exposure.[44][45][46] The Cisco PIX and ASA firewalls had vulnerabilities that were used for wiretapping by the NSA. Furthermore, IPsec VPNs using "Aggressive Mode" settings send a hash of the PSK in the clear. This can be and apparently is targeted by the NSA using offline dictionary attacks.[47][48][49]

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data sent over an Internet Protocol network. It is used in virtual private networks (VPNs). IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).[1] Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. The initial IPv4 suite was developed with few security provisions. As a part of the IPv4 enhancement, IPsec is a layer 3 OSI model or internet layer end-to-end security scheme, while some other Internet security systems in widespread use operate above layer 3, such as Transport Layer Security (TLS) and Secure Shell (SSH), both of which operate at the Application layer. IPsec can automatically secure applications at the IP layer. Contents 1 History 2 Security architecture 2.1 Authentication Header 2.2 Encapsulating Security Payload 2.3 Security association 3 Modes of operation 3.1 Transport mode 3.2 Tunnel mode 4 Cryptographic algorithms 5 Implementations 6 Standards status 7 Alleged NSA interference 8 IETF documentation 8.1 Standards track 8.2 Experimental RFCs 8.3 Informational RFCs 8.4 Best current practice RFCs 8.5 Obsolete/historic RFCs 9 See also 10 References 11 External links History Starting in the early 1970s, the Advanced Research Projects Agency sponsored a series of experimental ARPANET encryption devices, at first for native ARPANET packet encryption and subsequently for TCP/IP packet encryption; some of these were certified and fielded. From 1986 to 1991, the NSA sponsored the development of security protocols for the Internet under its Secure Data Network Systems (SDNS) program.[2] This brought together various vendors including Motorola who produced a network encryption device in 1988. The work was openly published from about 1988 by NIST and, of these, Security Protocol at Layer 3 (SP3) would eventually morph into the ISO standard Network Layer Security Protocol (NLSP).[3] From 1992 to 1995, various research groups improved upon SDNS's SP3. In 1992, the US Naval Research Laboratory (NRL) began the SIPP project to research and implement IP encryption. In December 1993, the experimental Software IP Encryption Protocol (swIPe) was developed on SunOS at Columbia University and AT&T Bell Labs by John Ioannidis and others. Funded by the White House in 1993, Wei Xu at Trusted Information Systems (TIS) followed the swIPe research,[4] enhanced the IP security protocols and developed the device driver of Data Encryption Standard. By December 1994, his team released the TIS Gauntlet Firewall product with the integrated 3DES hardware encryption and provided commercial IP Security at over T1 speeds, securing networks between the US East and West coasts. During this period the Internet Engineering Task Force (IETF) IP Security Working Group formed[5] to standardize these efforts as an open, freely available set of security extensions, called IPsec.[6] In 1995, the working group published RFC-1825 through RFC-1827 with the NRL having the first working implementation.[7] Security architecture The IPsec is an open standard as a part of the IPv4 suite. IPsec uses the following protocols to perform various functions:[8][9] Authentication Headers (AH) provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against replay attacks.[10][11] Encapsulating Security Payloads (ESP) provides confidentiality, connectionless integrity, data-origin authentication, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.[1] Security Associations (SA) provides the bundle of algorithms and data that provide the parameters necessary for AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange,[12] with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.[13][14][15][16] Authentication Header The Security Authentication Header (AH) is derived partially from previous IETF standards work for authentication of the Simple Network Management Protocol (SNMP) version 2. Authentication Header (AH) is a member of the IPsec protocol suite. AH ensures connectionless integrity by using a hash function and a secret shared key in the AH algorithm. AH also guarantees the data origin by authenticating IP packets. Optionally a sequence number can protect the IPsec packet's contents against replay attacks,[17] using the sliding window technique and discarding old packets. In IPv4, AH prevents option-insertion attacks. In IPv6, AH protects both against header insertion attacks and option insertion attacks. In IPv4, the AH protects the IP payload and all header fields of an IP datagram except for mutable fields (i.e. those that might be altered in transit), and also IP options such as the IP Security Option (RFC 1108). Mutable (and therefore unauthenticated) IPv4 header fields are DSCP/ToS, ECN, Flags, Fragment Offset, TTL and Header Checksum.[11] In IPv6, the AH protects most of the IPv6 base header, AH itself, non-mutable extension headers after the AH, and the IP payload. Protection for the IPv6 header excludes the mutable fields: DSCP, ECN, Flow Label, and Hop Limit.[11] AH operates directly on top of IP, using IP protocol number 51.[18] The following AH packet diagram shows how an AH packet is constructed and interpreted:[10][11] Authentication Header format Offsets Octet16 0 1 2 3 Octet16 Bit10 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 0 0 Next Header Payload Len Reserved 4 32 Security Parameters Index (SPI) 8 64 Sequence Number C 96 Integrity Check Value (ICV) ... ... ... Next Header (8 bits) Type of the next header, indicating what upper-layer protocol was protected. The value is taken from the list of IP protocol numbers. Payload Len (8 bits) The length of this Authentication Header in 4-octet units, minus 2. For example, an AH value of 4 equals 3×(32-bit fixed-length AH fields) + 3×(32-bit ICV fields) − 2 and thus an AH value of 4 means 24 octets. Although the size is measured in 4-octet units, the length of this header needs to be a multiple of 8 octets if carried in an IPv6 packet. This restriction does not apply to an Authentication Header carried in an IPv4 packet. Reserved (16 bits) Reserved for future use (all zeroes until then). Security Parameters Index (32 bits) Arbitrary value which is used (together with the destination IP address) to identify the security association of the receiving party. Sequence Number (32 bits) A monotonic strictly increasing sequence number (incremented by 1 for every packet sent) to prevent replay attacks. When replay detection is enabled, sequence numbers are never reused, because a new security association must be renegotiated before an attempt to increment the sequence number beyond its maximum value.[11] Integrity Check Value (multiple of 32 bits) Variable length check value. It may contain padding to align the field to an 8-octet boundary for IPv6, or a 4-octet boundary for IPv4. Encapsulating Security Payload The IP Encapsulating Security Payload (ESP)[19] was researched at the Naval Research Laboratory starting in 1992 as part of a DARPA-sponsored research project, and was openly published by IETF SIPP[20] Working Group drafted in December 1993 as a security extension for SIPP. This ESP was originally derived from the US Department of Defense SP3D protocol, rather than being derived from the ISO Network-Layer Security Protocol (NLSP). The SP3D protocol specification was published by NIST in the late 1980s, but designed by the Secure Data Network System project of the US Department of Defense. Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. It provides origin authenticity through source authentication, data integrity through hash functions and confidentiality through encryption protection for IP packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.[21][22][23] Unlike Authentication Header (AH), ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. ESP operates directly on top of IP, using IP protocol number 50.[18] The following ESP packet diagram shows how an ESP packet is constructed and interpreted:[1][24] Encapsulating Security Payload format Offsets Octet16 0 1 2 3 Octet16 Bit10 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 0 0 Security Parameters Index (SPI) 4 32 Sequence Number 8 64 Payload data ... ... ... ... ... ... Padding (0-255 octets) ... ... Pad Length Next Header ... ... Integrity Check Value (ICV) ... ... ... Security Parameters Index (32 bits) Arbitrary value used (together with the destination IP address) to identify the security association of the receiving party. Sequence Number (32 bits) A monotonically increasing sequence number (incremented by 1 for every packet sent) to protect against replay attacks. There is a separate counter kept for every security association. Payload data (variable) The protected contents of the original IP packet, including any data used to protect the contents (e.g. an Initialisation Vector for the cryptographic algorithm). The type of content that was protected is indicated by the Next Header field. Padding (0-255 octets) Padding for encryption, to extend the payload data to a size that fits the encryption's cipher block size, and to align the next field. Pad Length (8 bits) Size of the padding (in octets). Next Header (8 bits) Type of the next header. The value is taken from the list of IP protocol numbers. Integrity Check Value (multiple of 32 bits) Variable length check value. It may contain padding to align the field to an 8-octet boundary for IPv6, or a 4-octet boundary for IPv4. Security association Main article: Security association The IPsec protocols use a security association, where the communicating parties establish shared security attributes such as algorithms and keys. As such IPsec provides a range of options once it has been determined whether AH or ESP is used. Before exchanging data the two hosts agree on which algorithm is used to encrypt the IP packet, for example DES or IDEA, and which hash function is used to ensure the integrity of the data, such as MD5 or SHA. These parameters are agreed for the particular session, for which a lifetime must be agreed and a session key.[25] The algorithm for authentication is also agreed before the data transfer takes place and IPsec supports a range of methods. Authentication is possible through pre-shared key, where a symmetric key is already in the possession of both hosts, and the hosts send each other hashes of the shared key to prove that they are in possession of the same key. IPsec also supports public key encryption, where each host has a public and a private key, they exchange their public keys and each host sends the other a nonce encrypted with the other host's public key. Alternatively if both hosts hold a public key certificate from a certificate authority, this can be used for IPsec authentication.[26] The security associations of IPsec are established using the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is implemented by manual configuration with pre-shared secrets, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), and the use of IPSECKEY DNS records.[16][27][28] RFC 5386 defines Better-Than-Nothing Security (BTNS) as an unauthenticated mode of IPsec using an extended IKE protocol. In order to decide what protection is to be provided for an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identifies a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database. For IP multicast a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice. Modes of operation The IPsec protocols AH and ESP can be implemented in a host-to-host transport mode, as well as in a network tunneling mode. IPsec Modes Transport mode In transport mode, only the payload of the IP packet is usually encrypted or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be modified by network address translation, as this always invalidates the hash value. The transport and application layers are always secured by a hash, so they cannot be modified in any way, for example by translating the port numbers. A means to encapsulate IPsec messages for NAT traversal has been defined by RFC documents describing the NAT-T mechanism. Tunnel mode Main article: Tunneling protocol In tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat).[29] Tunnel mode supports NAT traversal. Cryptographic algorithms Cryptographic algorithms defined for use with IPsec include: HMAC-SHA1/SHA2 for integrity protection and authenticity. TripleDES-CBC for confidentiality AES-CBC for confidentiality. AES-GCM providing confidentiality and authentication together efficiently. ChaCha20 + Poly1305 providing confidentiality and authentication together efficiently. Refer to [RFC 8221] for details. Implementations The IPsec can be implemented in the IP stack of an operating system, which requires modification of the source code. This method of implementation is done for hosts and security gateways. Various IPsec capable IP stacks are available from companies, such as HP or IBM.[30] An alternative is so called bump-in-the-stack (BITS) implementation, where the operating system source code does not have to be modified. Here IPsec is installed between the IP stack and the network drivers. This way operating systems can be retrofitted with IPsec. This method of implementation is also used for both hosts and gateways. However, when retrofitting IPsec the encapsulation of IP packets may cause problems for the automatic path MTU discovery, where the maximum transmission unit (MTU) size on the network path between two IP hosts is established. If a host or gateway has a separate cryptoprocessor, which is common in the military and can also be found in commercial systems, a so-called bump-in-the-wire (BITW) implementation of IPsec is possible.[31] When IPsec is implemented in the kernel the key management and ISAKMP/IKE negotiation is carried out from user space. The openly specified "PF_KEY Key Management API, Version 2" is often used to enable the application-space key management application to update the IPsec Security Associations stored within the kernel-space IPsec implementation.[32] Existing IPsec implementations usually include ESP, AH, and IKE version 2. Existing IPsec implementations on UNIX-like operating systems, for example, Solaris or Linux, usually include PF_KEY version 2. Embedded IPsec can be used to ensure the secure communication among applications running over constrained resource systems with a small overhead.[33] Standards status IPsec was developed in conjunction with IPv6 and was originally required to be supported by all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.[34] IPsec is also optional for IPv4 implementations. IPsec is most commonly used to secure IPv4 traffic.[citation needed] IPsec protocols were originally defined in RFC 1825 through RFC 1829, which were published in 1995. In 1998, these documents were superseded by RFC 2401 and RFC 2412 with a few incompatible engineering details, although they were conceptually identical. In addition, a mutual authentication and key exchange protocol Internet Key Exchange (IKE) was defined to create and manage security associations. In December 2005, new standards were defined in RFC 4301 and RFC 4309 which are largely a superset of the previous editions with a second version of the Internet Key Exchange standard IKEv2. These third-generation documents standardized the abbreviation of IPsec to uppercase "IP" and lowercase "sec". "ESP" generally refers to RFC 4303, which is the most recent version of the specification. Since mid-2008, an IPsec Maintenance and Extensions (ipsecme) working group is active at the IETF.[35][36] Alleged NSA interference In 2013, as part of Snowden leaks, it was revealed that the US National Security Agency had been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the Bullrun program.[37] There are allegations that IPsec was a targeted encryption system.[38] The OpenBSD IPsec stack was the first implementation that was available under a permissive open-source license, and was therefore copied widely. In a letter which OpenBSD lead developer Theo de Raadt received on 11 Dec 2010 from Gregory Perry, it is alleged that Jason Wright and others, working for the FBI, inserted "a number of backdoors and side channel key leaking mechanisms" into the OpenBSD crypto code. In the forwarded email from 2010, Theo de Raadt did not at first express an official position on the validity of the claims, apart from the implicit endorsement from forwarding the email.[39] Jason Wright's response to the allegations: "Every urban legend is made more real by the inclusion of real names, dates, and times. Gregory Perry's email falls into this category. ... I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF)."[40] Some days later, de Raadt commented that "I believe that NETSEC was probably contracted to write backdoors as alleged. ... If those were written, I don't believe they made it into our tree."[41] This was published before the Snowden leaks. An alternative explanation put forward by the authors of the Logjam attack suggests that the NSA compromised IPsec VPNs by undermining the Diffie-Hellman algorithm used in the key exchange. In their paper[42] they allege the NSA specially built a computing cluster to precompute multiplicative subgroups for specific primes and generators, such as for the second Oakley group defined in RFC 2409. As of May 2015, 90% of addressable IPsec VPNs supported the second Oakley group as part of IKE. If an organization were to precompute this group, they could derive the keys being exchanged and decrypt traffic without inserting any software backdoors. A second alternative explanation that was put forward was that the Equation Group used zero-day exploits against several manufacturers' VPN equipment which were validated by Kaspersky Lab as being tied to the Equation Group[43] and validated by those manufacturers as being real exploits, some of which were zero-day exploits at the time of their exposure.[44][45][46] The Cisco PIX and ASA firewalls had vulnerabilities that were used for wiretapping by the NSA. Furthermore, IPsec VPNs using "Aggressive Mode" settings send a hash of the PSK in the clear. This can be and apparently is targeted by the NSA using offline dictionary attacks.[47][48][49]

CHAPTER 3 VPN Fundamentals VIRTUAL PRIVATE NETWORKS (VPNS) allow organizations to transmit private and sensitive data securely over public intermediary networks. The Internet can serve as a cheap long-distance carrier for WAN connections established using VPNs. VPNs use native operating system features or third-party software, as well as hardware devices, including edge routers, firewalls, and VPN appliances. Remote access for mobile users, linked multi-office intranets, and secured access into an extranet are common VPN architecture solutions. The use of VPNs on networks ranging from small home networks to corporate global networks has dramatically expanded the ways people connect and do their work. Through the use of VPNs, telecommuting employees, business partners, traveling workers, suppliers, distributors, and others can benefit from secured connectivity even while geographically distant. With a basic understanding of VPNs, you can begin designing and planning your own VPN solution. Chapter 3 Topics This chapter covers the following topics and concepts: Image What a VPN is and what is it used for Image What the benefits of a VPN are and why you would deploy one Image What the limitations of a VPN are Image What the relationship between encryption and VPNs is Image What VPN authentication is and how is it implemented Image What VPN authorization is and why is it necessary Chapter 3 Goals When you complete this chapter, you will be able to: Image Define VPNs Image Explain the business and personal uses of VPNs Image Describe the pros and cons of VPNs Image Illustrate deployment models or architectures of VPNs, including an edge router, a corporate firewall, a VPN appliance, a remote access server, a site-to-site VPN and supporting devices, and a host-to-host VPN and supporting devices Image Differentiate between a transport-mode VPN and a tunnel-mode VPN Image Describe the importance of encryption, authentication, and authorization to VPNs What Is a Virtual Private Network? A short and direct definition is that a virtual private network (VPN) is a mechanism to establish a secure remote access connection across an intermediary network, often the Internet. VPNs allow remote access, remote control, and highly secured communications within a private network. VPNs employ encryption and authentication to provide confidentiality, integrity, and privacy protection for network communications. A more involved exploration of the phrase "virtual private networks," however, can reveal other import aspects that such a succinct definition overlooks. The term VPN has its origins in the telecommunications world. A telephone VPN created a PBX-like system for businesses without the need for deployment of true private branch exchange (PBX) hardware. Instead, the system used a public telephone service and the PBX services at the telco's central offices. This service/product sold under the name Centrex (a combination of the terms central and exchange) in the 1960s through the 1980s. After the proliferation of computer networks and Internet connectivity, the term VPN evolved to refer to tunneling connections across network links. Early computer VPNs focused on the tunneling or encapsulation processes and rarely included encryption services. Today, VPNs are almost always secured using encryption. However, you should never assume anything is totally secure, especially connections over public networks. You should always confirm that a product performs encryption properly before depending on it for sensitive operations. A VPN creates or simulates a network connection over an intermediary network. But what makes a VPN private? At least three possible mechanisms can work: Image When the primary organization owns all of the network infrastructure components, including switches, routers, and cables. A true private VPN occurs when a single organization owns all of the hardware supporting its VPN. However, few organizations actually own all of the connections between their locations, so this is usually impractical or prohibitively expensive. This wholly owned and operated system constitutes a trusted VPN. Image When a dedicated set of channels is used across leased telco connections. This method provides physical isolation even on third-party equipment; hence privacy is maintained. This type of system is more practical, but is still expensive. This can also be called a trusted VPN, since you must be able to trust the owner of the hosting infrastructure to protect network communications against eavesdropping. Image When encryption ensures privacy even over public networks, such as the Internet. This method is the most reliable, as the other two options are still at risk to eavesdropping. Additionally, encryption to provide privacy is not only practical, it is the least expensive option as well. This system can be called a secured VPN. A fourth type private VPN is possible, known as a hybrid VPN. This form of VPN establishes a secure VPN over trusted VPN connections. A trusted VPN allows an organization to know and control the pathway of its transmissions. However, a trusted VPN does not protect against eavesdropping or alteration. A secure VPN protects the confidentiality and integrity of data, but does not control or ensure the transmission path. When you combine these two VPN techniques, you create a potentially more secure and practical solution. Two possible layouts of hybrid VPNs are shown in Figures 3-1 and 3-2. Image FIGURE 3-1 A hybrid VPN consisting of a secure VPN across an intermediary trusted VPN. Image FIGURE 3-2 A hybrid VPN consisting of a secure VPN segment within a trusted VPN. VPNs are often associated with remote access or remote control. However, these associations need clarification to have value. Remote control is the ability to use a local computer system to remotely take over control of another computer over a network connection. In a way, this process is the application of the thin client concept on a fully capable modern workstation to simulate working against a mainframe or to virtualize your physical presence. This application is generally the same as a VPN, which creates a remote network connection rather than a remote control session. With a remote control connection in place, the local monitor, keyboard, and mouse control a remote system. This process looks and feels like you are physically present at the keyboard of the remote system, which could be located in another city or even on the other side of the world. Every action you perform locally acts as if you were physically present at that remote computer virtually via the remote control connection. The only limitations are the speed of the intermediary network link and the inability to physically insert or remove media and peripherals. You might think of remote control as a form of software-based thin client or terminal client. In fact, many thin client and terminal client products sell as remote control solutions. Many modern operating systems include remote control features, such as Remote Desktop found in most versions of Windows. Once enabled, a Remote Desktop connection remotely controls another Windows system from across the network. Remote access is different from remote control. A remote access link enables access to network resources using a WAN link to connect to the geographically distant network. In effect, remote access creates a local network link for a system not physically near the network. Over a remote access connection, a client system can technically perform all the same tasks as a locally connected client. Network administrators can impose restrictions on what resources and services a remote access VPN client can use. Remote access and VPNs were originally supported over dial-up telephone links using modems. Today, remote access encompasses a variety of connection types including ISDN, DSL, cable modem, satellite, mobile broadband, and more. Due to the wide availability of high-speed Internet connections, VPNs and other remote access solutions have become very popular for both personal and business purposes. In many cases, a remote access connection is created from a remote client back to a primary network. If the remote client needs to connect directly to the LAN, such as over a dial-up connection, a RAS server will host a modem to accept the connection. If the remote client can use the Internet to access the LAN, then a local Internet connection is necessary. Once a normal LAN connection or Internet connection runs from the client, the VPN link is possible. Once the connection is established, the remote client can interact with the network as if it were locally connected. In Figure 3-3, a LAN and a remote client have a connection to the Internet. These two connections are independent of each other. The LAN's connection is usually a permanent or dedicated connection supporting both inbound and outbound activities with the Internet. The remote client can have a dedicated or non-dedicated connection to the Internet. In the latter case, the connection is established before a VPN can be created. Once both endpoints have a connection to the intermediary network, in this case the Internet, the VPN can be created. In Figure 3-4, a new network connection is established from the remote client to the LAN across the intermediary network. This new network connection is the VPN. VPNs can operate over standard Internet connections or dedicated business communication circuits, such as ATM and Frame Relay. However, the additional expense of a dedicated, isolated, and even secured business circuit isn't necessary with a VPN. A VPN can operate securely over the Internet and still provide high levels of security through solid encryption. This allows inexpensive insecure links to replace expensive business-leased lines without sacrificing security. Image FIGURE 3-3 A corporate LAN and a remote client with Internet connections. Image FIGURE 3-4 A VPN established between a remote client and a LAN over the Internet. VPNs are one of the most efficient and cost-effective means to provide secure remote connectivity. VPNs take advantage of cheap long distance connections when established over the Internet, since both endpoints need only a local Internet link. The Internet itself serves as a "free" long distance carrier. Because the speed of the VPN depends on the speed of the local Internet link, you still might want an optical carrier (OC) line (such as an OC-1 at 51.84 Mbps) for high-speed connectivity. Connections from a LAN to an intermediary network can support VPN traffic only or allow a combination of both VPN and normal non-VPN traffic. The latter configuration is less secure, but offers you flexibility as to whether all communications must be VPN-secured or not. An Internet connection reserved solely for VPN use, therefore, is not necessary. An OC-1 line is more than capable of supporting one or more VPN links in addition to numerous non-VPN Internet sessions with no difficulty or latency. Setting up VPNs can require extensive knowledge and expertise on the part of the IT or security administrator. For example, some important concerns of secure VPNs include: Image All VPN traffic must be authenticated and encrypted. A VPN without authentication is not private, and a VPN without encryption is insecure. Image All VPN endpoints must abide by the same security parameters and algorithms. Each VPN tunnel must have corresponding encryption key sets to securely exchange encrypted content. Additionally, the same security policy should govern all endpoints. Image Proper encryption protocols must ensure that no external third party can affect the security of the VPN. Weak encryption makes a "secure" VPN worthless. When you use a trusted VPN, you need to consider its own unique concerns: Image Only the trusted VPN provider should be able to modify the channels or pathway of the VPN. A trusted VPN is based on the provider's ability to limit and control access to the VPN's content. Image Only the trusted VPN provider can add, remove, or change data in the trusted channel. Violating this violates the trust the client places in the provider. Image The addressing and routing performed within the trusted VPN must be defined before the VPN goes online. These services are usually pre-defined in the SLA (service level agreement), but may be dynamically modified for each VPN connection. Even hybrid VPNs have an important focus for concern, namely that the segments of the VPN that are trusted versus secured need clear definition. Mistaking security for trust—or vice versa—can have devastating results. VPNs use tunneling or encapsulation protocols. Tunneling protocols encase the original network protocol so that it can traverse the intermediary network. In many cases, the tunneling protocol employs encryption so that the original data traverses the intermediary network securely. The protocols that create VPNs include IPSec, PPTP, L2TP, SSL, and TLS. The dominant forms of secure VPNs use IPSec or SSL/TLS as the tunneling/encapsulation protocol. Most VPNs use software that operates on top of the operating system of a host. However, some VPN appliances can support VPN connectivity without adding any software to the host. In much the same way that a host firewall works only on the host where it is installed, an appliance firewall provides security services for the entire network. A host VPN software product allows a single host access to VPN services, while a VPN appliance allows an entire network to access VPN services. VPNs simplify many business networking problems by providing an easy and efficient means to securely connect headquarters, remote offices, traveling workers, and telecommuters. What Are the Benefits of Deploying a VPN? The reasons to deploy and use VPNs vary greatly among organizations. Many of the obvious reasons are based on the benefits of a VPN. Nevertheless, other reasons are based on business or personal factors needing the solutions VPNs readily provide. Cost is always a significant factor in any business decision. Budgets are never unlimited, so organizations must shepherd their limited funds to accomplish their missions and goals. One common goal is high productivity. Granting workers the ability to access and use resources in a timely and efficient manner assists in the completion of work. When those resources are computer files or network services, employees no longer need to be in the same building as those resources. Remote access to resources, therefore, is becoming more common than ever. Secure remote access is essential. As the proliferation of access and connectivity spreads from work to home to portable/mobile devices, access to the Internet and private LANs is becoming ubiquitous. Companies must use security controls on resource access or suffer the consequences of insecure access methods. With the removal of physical limitations for access comes the loss of control over where and how workers connect back into the private LAN. Workers connect into the company LAN from mobile phones, through Internet cafés, over hotel networks, and at random Wi-Fi hotspots. Many use personally owned laptop computers and hand-held mobile devices rather than officially issued company systems. All of these are outside the control of the company's IT and security department. The only option is to limit LAN connections to those that can be secured. Thus, VPNs have become a necessity in the brave new mobile and interconnected world. VPNs support remote access from a wide variety of complex devices, reduce risk caused by insecure access locations, and enable interaction with all LAN resources. Furthermore, flexibility, scalability, ease of administration, reliability, and more make VPNs an obvious choice in the face of modern connectivity risks and challenges. Image FIGURE 3-5 A corporate network using dedicated leased lines versus using VPNs over the Internet. Does every worker and every organization need VPNs and remote access? No. For many work situations, VPNs are not the correct solution. These include any form of work that requires special tools, physical access to equipment, or close supervision by managers. Remote access, mobile connectivity, and secured communications are solid reasons to deploy and use a VPN. But are these the only positive aspects of a VPN? The most often touted benefit of VPNs is cost savings. They are a great way to save on long distance charges for telecommuters and traveling workers. They also create huge savings for businesses that would need only local Internet links for a VPN rather than a dedicated leased line between each location (Figure 3-5). The farther away each business location is and the more locations a company has, the more of a cost savings a VPN can generate. Additionally, to truly compare the connectivity that a VPN offers to dedicated leased lines, you need a full mesh of leased lines. A full mesh requires a line between each business location. This allows for direct communication between one site and another. Since a VPN across the Internet would provide the equivalent site-to-site communication capabilities, only a mesh network of dedicated leased lines can truly compare. This solution is obviously very expensive compared to a VPN's significant cost savings. As corporations seek to reduce IT infrastructure costs, a common technique is to allow employees to telecommute. Telecommuting allows workers to access corporate resources whether the employee works from home, while traveling, or while on site with a customer. In the past, telecommuting clearly implied the use of dial-up connections to connect with the company LAN. With the proliferation of high-speed broadband connections and Wi-Fi, telecommuting has become more plausible and realistic. Through the use of VPNs, telecommuting enables a true remote office rather than just a file exchange and communication system. VPNs make telecommuting not only possible, but also practical and secure. VPNs make expanding the workforce no longer a geographically limited proposition. Extranets are often deployed as businesses establish new partnerships or seek more interaction with suppliers, distributors, and other external entities. Extranets are border networks, similar to a DMZ, where resources are hosted for access by external entities. However, unlike a DMZ, an extranet is not open for public use. Only a limited and specific set of users is allowed to connect into an extranet. Often, this limitation means that a specific VPN configuration is necessary to access the extranet's resources. With VPNs, extranets are both possible and practical. VPNs allow system administrators to remotely manage and control a network. VPNs allow employees to work from anywhere. VPNs allow friends to create WAN links to support multiplayer games. VPNs allow technical support to remotely repair client systems. A VPN is the solution anytime a network connection is needed between two systems or two networks, but installing a direct cable connection is unfeasible. Often, the real benefits of a VPN are not from the VPN itself, but from all the new possibilities for work, research, learning, and play feasible because of a VPN. These benefits include: Image Reduced equipment costs Image Unlimited geographic connectivity Image Increased flexibility and versatility of worker location Image Improved privacy and confidentiality due to strong encryption Image Verified transmission integrity Image Fully scalable global infrastructure and architecture Image Rapid deployment options Image Flexible integration with existing networks and technologies Image Faster return on investment (ROI) than traditional WAN infrastructures Image Reduced dependence on long-distance carrier solutions Image Reduced support burden as ISP Individuals and organizations that use VPNs and integrate them in new and unique ways are sure to reap additional benefits. History shows us that as new means of communication are created, they often change and are used in ways that were unpredictable at the beginning of their adoption. However, VPNs are not perfect, and some very real and challenging issues limit the use of VPNs. What Are the Limitations of a VPN? While the use of VPNs has many benefits, you need to evaluate the very real and distinct limitations before you put a VPN in place. Although a VPN connection offers flexible secure communication options, it does not ensure quality of service. A VPN link is dependent upon the stability, throughput, and availability of the ISP connection as well as the intervening network connections between endpoints. VPNs over the Internet can easily suffer from latency, fragmentation, traffic congestion, and dropped packets. This also results in a lack of dedicated bandwidth between business sites because of the volatility of the Internet. technical TIP Encrypted traffic does not compress. Compression reduces the size of a data set, removing redundancies or repeated sections within the data set. Properly encrypted data produces ciphertext that does not contain redundancies or recognizable patterns. If ciphertext did have these characteristics, it would not be as secure. Thus, without these redundancies, it's not possible to compress encrypted data. While VPNs are excellent solutions over nearly every broadband connection option, a VPN can be difficult to maintain over dial-up. VPN traffic is encrypted, and encrypted traffic does not compress. Most dial-up modem connections rely on compression—mainly hardware compression—to improve connection speed. When compression is not possible, a significant and noticeable speed reduction occurs. Additionally, VPN tunnel management can impose a significant increase in management overhead because of changes in protocol headers, potential authentication latency, and a prolonged connection establishment negotiation. Another area of concern is the minor risk or potential of data exposure while in transit over the Internet. This is only a real concern if the VPN does not use encryption, uses poor encryption, or configures the encryption improperly. Proper security management will eliminate this as a serious concern. Vulnerabilities exist at VPN endpoints. With a VPN, side attacks against the encrypted link are nearly eliminated. However, data entering or leaving the VPN is at risk. An end-user computer could be infected by malicious code that can traverse the VPN link into the company LAN. Also, private and confidential data from the company LAN can be copied across the VPN link to the end-user computer. On this computer, that data is less secure and subject to a wider range of threats. You should also consider the increased difficulty in providing technical support remotely. This is especially true when the remote connection itself is not functioning. In addition, it's more difficult to keep remote systems in compliance with security settings, conduct training, allow supervisory oversight, enable HR management, and monitor user activities. Not every person is a good candidate for a remote user. Those who are easily distracted, who are not motivated, or whose home environment is not conducive to work are prime examples of those who should stay in the office rather than work from home. technical TIP The latest generation of traditional telephone modems is often rated with a speed of 56 Kbps. Most of that speed is the result of hardware compression. Without compression, most modem speeds are significantly slower—24 Kbps or less. An even larger concern is granting open or blanket unrestricted network-resource access to those connecting via VPN. You must enforce stronger authentication and authorization limitations on VPN users, especially on VPN telecommuters. Remote users should have access only to those resources necessary for their current tasks. Unlimited access to network resources can quickly result in exploitation and confidential data leakage if the remote user or the remote computer is compromised. If you understand these limitations and address them properly, you can help to avoid catastrophic mistakes when correctly installing and productively using VPNs. One of the primary tools to accomplish this is the VPN policy. What Are Effective VPN Policies? Effective VPN policies are those that clearly define security restrictions imposed on VPNs that align with the overall IT mission and goals of your organization. VPNs can offer numerous exciting possibilities of mobility and interconnection. However, VPNs can also be a risk to the confidentiality and stability of your organization's infrastructure. Like all security policies, your VPN policy should derive from a thorough risk assessment and analysis. Without fully understanding the assets, processes, threats, and risks of VPNs, you can't effectively use or manage them. Developing your VPN security policy is not a simple or straightforward task. You need to plan for time and effort to address a wide variety of issues and concerns. Some of the aspects of design and planning of a VPN policy include (but are not limited to): Image Considering the benefits and drawbacks of software and hardware VPN solutions Image Imposing stringent multifactor authentication on all VPN connections Image Implementing strong access control (authorization) restrictions on all VPN connections Image Defining how the VPN will be managed, through what interfaces, and by whom Image Exploring the complexities of patch management over VPN Image Defining the mechanisms of providing remote technical support for VPN telecommuters Image Enabling detailed auditing on all activities occurring across or through a VPN Image Defining distinct qualifications on granting user access to telecommuting VPNs Image Prescribing the user training requirements for all VPN activities VPN Deployment Models and Architecture One of the first decisions you face when deploying a VPN is, which device will serve as the termination point of the secured tunnel? You have several options, but often the decision rests on where in the network infrastructure you want to position the tunnel endpoint. Additionally, the features the VPN device provides may be a factor in the decision. Such factors include deciding which devices have sufficient processing power to maintain wirespeed even with heavy traffic and complex encryption. Another concern is whether NAT is present, as this can impose problems for tunnel mode encryption. The three primary VPN device models are edge router, corporate firewall, and VPN appliance. In addition to the selection of the VPN device, you have several architectural decisions to make. These focus on the intended purpose, function, or use of the VPN, such as remote access, host-to-host, site-to-site, and extranet access. Edge Router With edge routers as the VPN termination point, the VPN link exists only over the public intermediary networks, not within the private LAN(s). This does require that the edge router support VPN connectivity. Edge router VPN termination ensures that a firewall can filter the traffic exiting the VPN on its way into the LAN. This method ensures that all traffic, regardless of transportation means, complies with the firewall's filtering rules. If the VPN terminates inside the firewall, then traffic from the VPN could potentially violate security because it was not firewall-inspected. VPN termination on edge routers is best suited for controlled access into the DMZ. Such a configuration grants business partners easy access to the DMZ without exposing their traffic to the Internet or granting them unnecessary access to the private LAN. Corporate Firewall Terminating the VPN at the corporate firewall is possible if the firewall supports VPN services. Not all firewalls provide this service, so this depends on your choice of make and model of the firewall product. With a firewall-to-firewall VPN across the public network, users from one network LAN can access resources in another network LAN without additional complexities. Primarily, this configuration treats the VPN link between the firewall endpoints as just another route in the LAN (actually WAN). The benefit here is that users don't need to re-authenticate or abide by additional firewall restrictions when the VPN terminates at the corporate firewall. Corporate firewall termination of the VPN means that the traffic entering or leaving the VPN does not pass through the filtering restrictions of the firewall. Instead, the firewall simply serves as a tethering point for the VPN tunnel endpoint. Any traffic not associated with the VPN, however, is subject to firewall investigation. This configuration has a potential limitation. As the number of VPN links or the traffic load of the VPNs increases, the resulting increase in cryptographic computations could interfere with the firewall's wirespeed filtering performance. In this case, perform a trend analysis to monitor for this condition and improve firewall performance before a bottleneck occurs. VPN Appliance A third device option is a dedicated VPN appliance. Unlike an edge router or firewall termination point, a dedicated VPN appliance specifically handles the load of a VPN instead of VPN support being an add-on service. You can position a VPN appliance outside the corporate firewall, in a similar location to an edge router, so that all VPN traffic passes through firewall filters. A VPN appliance can also reside inside the corporate firewalls to prevent firewall filtration. This deployment is similar to the corporate firewall concept, at least in terms of not filtering VPN traffic. This second deployment method also ensures that no external entity can interfere with the endpoints of the VPN tunnel. Image FIGURE 3-6 A VPN used to connect a single LAN with remote mobile users. These techniques are useful when corporate firewalls already exist that do not support the VPN technology or architecture you want. So rather than replacing the firewalls, you install an additional dedicated VPN appliance. Remote Access The first VPN architecture is basic remote access (Figure 3-6). Remote access VPN is also known as host-to-site VPN since it supports single-host VPN connections into a LAN site. This design grants individual telecommuters or traveling workers easy access into the private LAN. A single LAN can support several remote users with any of the VPN endpoint concepts: edge router, corporate firewall, or VPN appliance. Site-to-Site A second VPN architecture is site-to-site (Figure 3-7). Site-to-site VPNs are also known as LAN-to-LAN VPNs or WAN VPN connections between LANs. Regardless of the name, a site-to-site VPN supports secure connections between LANs over intermediary public networks. When you install it properly, a site-to-site VPN can be an inexpensive mechanism to create a single distributed LAN (also known as a WAN) for a multi-location organization. A site-to-site VPN uses any of the VPN endpoint concepts: edge router, corporate firewall, or VPN appliance. Image FIGURE 3-7 A VPN used to connect multiple LANs. A slight variation on the site-to-site VPN is the site-to-site VPN with remote mobile users. This is a combination of the site-to-site VPN concept with remote access VPNs (Figure 3-8). The benefit of this architecture is the ability to add new employees with secure connections to the LAN without needing additional corporate facilities to provide on-site workspaces. Image FIGURE 3-8 A VPN used to connect a multiple LANs with remote mobile users. Host-to-Host A third VPN architecture is host-to-host. Host-to-host VPNs are also known as client-to-server, remote-to-office, or remote-to-home VPNs. A host-to-host VPN is a direct VPN connection between one host and another. This mechanism operates over a public network or within a private network. Over a public network, a host-to-host VPN provides a connection that is secure from the public. Over a private network, it provides an additional level of security for mission-critical or highly sensitive transactions. Host-to-host VPNs labeled as client-to-server VPNs create secure client interaction with the services of a resource host. This is similar to, but not exactly the same as, a secure Web link between a Web browser and a Web server. SSL can be used for application protocol security, as it is with secure Web sessions, or as a VPN protocol. As a VPN protocol, SSL operates at the Network Layer; as a Web session security tool, it operates at the top of the Transport Layer. A remote-to-office VPN is a direct link between a portable or home system and an office workstation. This VPN link allows a user to work from home or while traveling without sacrificing access to resources, services, or applications that might only be installed (or licensed) for use on the office workstation computer. This VPN can establish a remote control session as commonly as a remote access session. A remote-to-home VPN connects a work computer or a portable computer back to a home system, effectively the opposite configuration of the remote-to-office. The remote-to-home VPN grants you access to a home computer while you are away from the house. The host-to-host VPN variations usually depend on software VPN solutions native to the operating system or third-party applications installed on the host. However, some VPN appliances are adaptable to these simpler host-to-host connectivity architectures. Extranet Access A fourth VPN architecture is extranet access. With a VPN tunnel endpoint positioned at or inside the perimeter of an extranet, this option serves as a pathway for business partners, distributors, suppliers, and so forth to gain access to corporate resources without exposing their traffic to the Internet or granting them unnecessary access to the private LAN. Additionally, a VPN linked into the extranet, as opposed to the DMZ, provides greater security to the remote entities. A VPN link to the DMZ exposes the remote entities to any threats found in the DMZ. Since the DMZ is publicly accessible, it's risky. An extranet VPN grants the remote entity secure communications without significant risks at the VPN termination point.

VPNs commonly serve as a choke point to control which external entities have access to the extranet. Only those granted specific access, assigned user accounts, and provided configuration details are able to configure and establish a VPN link with an extranet. Tunnel Versus Transport Mode VPNs can use two main types of encapsulation encryption. These are known as tunnel mode and transport mode encryption. Tunnel mode encryption protects the entire original IP packet's header and payload. This encrypted packet becomes the payload of a new IP packet with a new IP header. This form of encryption ensures that the identities of the original endpoints of the communication are kept confidential while the traffic traverses the secured link. Tunnel mode encryption is commonly used by VPNs linking network sites together or providing secure remote access. Transport mode encryption protects only the original IP packet's payload. The encrypted payload retains its original IP header. This form of encryption protects only the payload, not the identities of the endpoints. Transport mode encryption helps VPNs link individual computers together. The Relationship Between Encryption and VPNs Encryption and a secure VPN are virtually inseparable. A secure VPN exists only because its traffic is encrypted. But some trusted VPNs may or may not use encryption. To fully understand and appreciate the operations of VPNs, you need a reasonable understanding of encryption. Encryption is just one aspect of the larger topic of cryptography. Cryptography is the art and science of hiding information from unauthorized third parties. Cryptography occurs through a complementary and reversible process: encryption and decryption. Encryption is the process of converting original usable form data, called plaintext, into an unusable chaotic form, called ciphertext. Decryption is the process of converting ciphertext back into plaintext. A real-world communication product must provide both encryption and decryption. Modern cryptography is based on algorithms. An algorithm is a set of rules and procedures, usually mathematical in nature, that define how the encryption and decryption processes operate. Algorithms are often very complex. Many algorithms are publicly known and anyone can investigate and analyze the strengths and weaknesses of an algorithm. technical TIP Less than 10 years ago, 64 bits was considered strong encryption. Today, 128 bits is the smallest symmetric key length that can be considered strong. Is a key of twice the size of the previous key length stronger? Actually, while a 128-bit key is twice as long as a 64-bit key in that it has twice as many digits, the former creates a keyspace much more than twice the size of the latter. Every time an additional bit is added to a key length binary number, it doubles the size of the possible keyspace. A 128-bit key creates a keyspace that is doubled 64 times that of a 64-bit key. That is 2^64 or 1.8 × 10^19 times as large as that of a 64-bit keyspace. Encryption algorithms use a key. The key is a unique and secret number that controls the encryption and decryption processes performed by the algorithm. A key is a very large binary number measured or defined in terms of its bit length. The bit length of the key is the number of binary digits that compose the key. For example, a key of 128 bits is 128 binary digits long. The bit length of an algorithm's key defines that algorithm's keyspace. The keyspace is the range of keys that are valid for use for that specific algorithm. Any key created using the specific number of binary digits of the key length is part of that algorithm's keyspace. This keyspace includes every number between a key of all zeros to a key of all ones (remember this is binary code with only ones and zeros as digits). This means that 2^128 number of keys are available to an algorithm with a key length of 128 bits. 2^128 in decimal is over 3.4 × 10^38. Three main types of algorithms operate within the realm of cryptography: symmetric, asymmetric, and hashing. Symmetric Cryptography Symmetric cryptography is based on algorithms that use a single, shared secret key. A common way to remember the type of key used by symmetric is to remember a synonym for symmetric: same. The same key must encrypt and decrypt data and the same key must be shared with all communication partners of the same session. Symmetric cryptography is very fast in comparison to asymmetric cryptography, typically 10,000 times as fast with similar key length and message size. Generally, the longer the length of a symmetric key, the stronger the encryption produced. Most algorithms have one or only a few key length options, so picking an algorithm with a longer key often ensures stronger encryption. Keys shorter than 128 bits are considered weak, keys of 128 to 256 bits are considered strong, and keys longer than 256 bits are considered very strong. That's why when you select a symmetric cryptography product, you should only use solutions employing 128-bit or longer keys. Selecting a strong algorithm is more involved than just key length; you also need to consider other issues, such as use of random numbers, use of the avalanche effect, and resistance to reverse engineering attacks. Most weak algorithms do not survive long once released to the public, so most consumers do not need to focus as much on the details of the algorithm as to look for algorithms that support longer keys. The general rule (which does gloss over some of the details) is that longer keys are better. For more information on cryptography, selection of algorithms, and the internal workings of algorithms, please consult Schneier's Cryptography Classics Library or Introduction to Modern Cryptography. Image NOTE Hypothetical communication partners Bob and Alice are commonly used to describe and discuss the functions of cryptography. Image FIGURE 3-9 The symmetric cryptography process. Symmetric cryptography works as follows (Figure 3-9): 1. Bob and Alice exchange a symmetric key (K1). (This process is normally performed by an asymmetric process or out of band communication.) 2. Bob encrypts a message with the shared symmetric key. 3. Bob transmits the message to Alice. 4. Alice decrypts the message using the shared symmetric key. The security service provided by symmetric cryptography is confidentiality. Symmetric encryption, with a reasonably long key, prevents unauthorized third parties from accessing or viewing the contents of communications or stored data files. Symmetric cryptography protects files on storage devices, as well as data in transit. In fact, due to its strength and efficiency, symmetric cryptography is the preferred method to secure data in storage or in transit of any size. Some examples of symmetric cryptography algorithms or systems include DES, 3DES, AES, CAST, RC4, RC5, RC6, RC7, IDEA, Twofish, and Blowfish. VPN solutions employ symmetric cryptography to protect communications in transit. This protection prevents unauthorized eavesdropping or midstream modifications. Asymmetric Cryptography Asymmetric cryptography is based on algorithms that use either key pairs or some other special mathematical mechanism. Asymmetric cryptography that uses key pairs is commonly known as public key cryptography. All public key cryptography is asymmetric, but some asymmetric algorithms are not public key algorithms. A common way to remember the types of keys or non-keys that are used by asymmetric cryptography is to remember a synonym for asymmetric: different. Different keys are used for different purposes, different keys are used by different members of the communication session, and some systems use something different from keys altogether. technical TIP Keep in mind that an average 2,048-bit asymmetric key is not just 8 times as long as a very strong 256 symmetric key; in fact, it has a keyspace that is doubled 1,792 times that of the keyspace of a 256-bit key, an astronomically large number: 2^1,792 or 2.79 × 10^539 times that of a 256-bit keyspace. Numbers of this size are very hard to manage, much less run through complex mathematical computations. Asymmetric cryptography is very slow in comparison to symmetric cryptography. This is due to the complexity of the math used by these algorithms, as well as the length of asymmetric keys (when there are keys). Public key cryptography uses keys that are 1,024 to 8,192 bits long (and sometimes longer). Asymmetric cryptography also uses math based on a concept known as one-way functions. A one-way function is a mathematical operation performed in one direction relatively easily, but impossible or nearly so to reverse. This type of math was formalized into cryptographic algorithms only in the late 1970s. Asymmetric cryptography, therefore, is slow in comparison to symmetric due to its extremely long keys and its extraordinarily complex mathematical functions. Thus, asymmetric is generally not suitable for encrypting bulk data for storage or transmission; instead, this type of encrypting is best suited for identity proofing and key exchange. The protections provided by asymmetric cryptography are authenticity and nonrepudiation. Authenticity is a term used to convey the combination of authentication and access control. Based on usage, especially with public key cryptography, asymmetric solutions can prove the identity of the source of a message (authentication) or control the destination or receiver of a message (access control). Additionally, when used properly, asymmetric cryptography may provide proof that a sender sent a message and prevent that sender from being able to credibly deny sending it. This is known as nonrepudiation. Public key cryptography, a subset of asymmetric cryptography, is based on key pairs. Each participant in a communication or community has a discrete key pair set. The key pair set consists of a private key and a public key. The private key is kept secure and private at all times. The public key is put out for open public access and use. The key pairs work together as opposites. The encryption or encoding that one of the keys performs can only be undone by the opposite key of the pair. One mechanism afforded by asymmetric cryptography is a digital envelope. It works as follows (Figure 3-10): Image FIGURE 3-10 The asymmetric cryptography process of digital envelope. 1. Bob obtains Alice's public key. 2. Bob encodes a message with Alice's public key. 3. Bob sends the message to Alice. 4. Alice decodes the message using her private key. The encoded message is readable only by Alice, who has the corresponding private key. A digital envelope ensures that the message is accessible only by the intended recipient, namely the owner of the corresponding private key. The mechanism of digital envelope exchanges symmetric keys between communication partners. In this mechanism, one side of the conversation performs key generation, and then exchanges that key securely. This is the mechanism VPNs use to exchange keys securely. Another mechanism afforded by asymmetric cryptography is a digital signature. A digital signature proves the identity of the sender. It works as follows (Figure 3-11): 1. Alice uses her private key to encode a message. 2. Alice sends the encoded message to Bob. 3. Bob accesses Alice's public key. 4. Bob uses Alice's public key to unlock the encoding. This process proves to Bob that the message came from Alice. This is authenticity. A digital signature does not prevent others from viewing the message or confirming the source of the message. A digital signature is not encryption; it does not provide confidentiality protection. VPNs use digital signatures, but they usually employ the version that uses hashing as part of the process (see the next example). Image FIGURE 3-11 The asymmetric cryptography process of digital signature. This mechanism of digital signatures improves through the addition of hashing. (Hashing is described in more detail in the next section.) A digital signature using hashing is a bit more complex, and uses the following procedure (Figure 3-12): 1. Alice computes the hash value of a message. 2. Alice encodes the hash value with her private key. This encoded hash is the digital signature. 3. Alice adds the encoded hash to the message. 4. Alice transmits the message. 5. Bob strips off Alice's digital signature. 6. Bob hashes the original message to compute its hash. 7. Bob obtains Alice's public key. 8. Bob decodes Alice's digital signature to reveal Alice's original hash. 9. Bob compares Alice's original hash to the hash Bob calculated. If the hashes are the same, Bob accepts the message as retaining its integrity. This has also proved that the message was from Alice (authenticity). Furthermore, this process ensures that Alice cannot deny having sent it (nonrepudiation). VPNs commonly employ this form of digital signature to prove the identity of the endpoints and confirm the integrity of transmissions. Image FIGURE 3-12 The asymmetric encryption process of digital signature with hashing. Some examples of asymmetric cryptography algorithms or systems that are not public key cryptography are Diffie-Hellmann, El Gamal, and elliptical curve cryptography (ECC). The most common example of an asymmetric cryptography algorithm or system that is public key cryptography is Rivest-Shamir-Adleman (RSA). VPN solutions employ asymmetric cryptography to secure symmetric key exchange (via digital envelopes), authenticate VPN link endpoints or users (via digital signatures), and, when used in conjunction with hashing, verify source and integrity of transmitted messages (also digital signatures). Hashing Hashing is the cryptographic function that takes the input of a file or message and creates a fixed length output. The input can be of any size, but the output is a fixed length based on the hashing algorithm used. Hashing does not modify or alter the original data in any way; it simply uses the original data to generate a hash value as a new data item. Common hash value output lengths include 128 bits (such as those produced by MD5), 160 bits (such as those produced by SHA-1), and even 512 bits or more (such as those produced by various members of the SHA-2 family). The output of a hash algorithm can be called a hash, a hash value, a message digest, a message authenticating code, a fingerprint, a digital value, or a checksum. Hashing checks integrity. Hashing computes a hash value upon storage or transmission of a file or message, then computes another hash value at the end of the storage period or upon receipt of the transmission. If the before and after hash values are the same, then the message has retained its integrity. If the before and after hash values are different, then the message has lost its integrity and is no longer trustworthy or usable. Hashing verifies integrity based on the complex mathematical functions used in the hashing algorithm itself. A central component or feature of these functions is the avalanche effect. This effect ensures that small changes in the input data produce large changes in the outputted hash value. A single binary digit change in a file should produce a clearly recognizable difference in the resultant hash value. Hashes are a one-way function. A hash value cannot be reversed directly back into the original data file from which it was calculated. Thus, if an attack obtains a hash value, the data is not at significant risk of being extracted from the hash. Some examples of hashing algorithms or systems include MD5, HAVAL, SHA-1, and the SHA-2 variants (SHA-256, SHA-384, SHA-512, etc.). VPNs employ hashing, often as part of digital signatures, as a method to confirm that transmitted data has retained its integrity. Any mismatching of hash values discards the received data and requests a retransmission. This ensures that either end of a VPN connection accepts only fully valid and true data. Establishing VPN Connections with Cryptography Now that you know about symmetric cryptography, asymmetric cryptography, and hashing, let's take a look at the overall process VPNs use to provide secure communications. A basic VPN setup process occurs as follows: 1. Bob computes the hash from a message (Figure 3-13). 2. Bob encodes the hash using his private key to create a digital signature. 3. Bob generates a random symmetric key (K1). 4. Bob uses K1 to encrypt the message. 5. Bob obtains Alice's public key. 6. Bob encodes K1 with Alice's public key to create a digital envelope. 7. Bob sends the digital signature, the encrypted message, and the digital envelope to Alice. 8. Alice uses her private key to decode the digital envelope to reveal K1 (Figure 3-14). 9. Alice uses K1 to decrypt the message. 10. Alice computes the hash of the message. 11. Alice obtains Bob's public key. 12. Alice decodes the digital signature with Bob's public key to obtain Bob's hash value. Alice compares the pre- and post-hash values. If the hash values are the same, then the message has retained its integrity. Thus, the correct public key decoded the digital signature. Bob's identity is verified (authenticity and nonrepudiation). This exchange enables the symmetric key to secure subsequent messages from Bob to Alice or from Alice to Bob (Figure 3-15). Once a VPN has been established between Bob and Alice, an exchanged session key (K1) exists at both endpoints. Using this shared session key, Bob can encrypt messages (envelope #1) to send to Alice and Alice can encrypt messages (envelope #2) to send to Bob (Figure 3-15). Image FIGURE 3-13 The overall cryptographic process of establishing a VPN connection (1/3). Image FIGURE 3-14 The overall cryptographic process of establishing a VPN connection (2/3). Variations on this basic VPN session establishment are possible. One variation would be to encrypt both the message and the digital signature with K1. Another variation would have Bob digitally sign K1 with his private key before using Alice's public key to encode it into a digital envelope. This initial symmetric key exchange establishes the encryption that will protect all subsequent messages for the current communication session. When this session ends and a new VPN session begins, a new symmetric key will initiate the process. However, as long as the current session lasts, the same symmetric key applies. Image FIGURE 3-15 The overall cryptographic process of establishing a VPN connection (3/3). Reusing a symmetric key poses a slight risk, even for multiple messages in the same session or conversation. To minimize or reduce this risk, some VPNs use rekeying processes. Rekeying discards the current in use key and generates and exchanges a new symmetric key. Rekeying comes in several types: Image Time rekeying—Rekeying triggers at a specific time. Image Idle rekeying (lag or delay)—Rekeying triggers when a specific amount of idle, lag, or delay in the conversation occurs. Image Volume rekeying—Rekeying triggers when a specific amount of traffic is transmitted. Image Random rekeying—Rekeying triggers at random time intervals. Image Election rekeying—Either member of a VPN session can elect to rekey at any time If a VPN solution performs mid-session rekeying, you may or may not have an administrative configuration option to manage the rekeying processes. Rekeying may be embedded in the encryption algorithms. One-time pad encryption systems are also possible. A one-time pad system uses a unique and random symmetric key for each segment of a communication. This is a more complex system, but offers greater security. Attempting to crack a multi-random-key encryption scheme is one of the most difficult attacks against encryption known. Image NOTE Technically, computers provide pseudo one-time pads, as they are currently unable to produce true random numbers. Instead, a pseudo random number generator (PRNG) is used. A PRNG uses a complex algorithm and the timing chip to produce seemingly random numbers. The result is very good, but not truly random. Digital Certificates You can increase the reliability of authenticity and nonrepudiation by using digital certificates instead of plain public and private keys. A digital certificate is a public key and private key pair digitally signed by a trusted third party. This third party is a certificate authority (CA). The CA first verifies the identity of the person or company, then crafts and issues the digital certificates. In addition to improved reliability, certificates also resolve a scalability issue with public key cryptography systems. Without certificates, each system has to manage an ever-expanding library of public keys. With a third-party certificate-based system, each system no longer needs to retain public keys. Instead, they are exchanged at the beginning of each session with the assistance of the CA. Each host stores only the trusted public keys of the CA. The CA's public keys are stored in the trusted roots list (TRL). Any certificate issued by a trusted CA is accepted as valid, providing the certificate has not expired and has not been revoked. The process is similar to the overall cryptographic process to establish a VPN connection. The primary difference is that instead of a sender's generic private key, the sender's digital certificate encodes the message. Then, the recipient uses the CA's public key to start the unpacking process. The CA's public key decodes the CA's private key encoding around the sender's public key. (This is the sender's digital certificate.) This confirms the identity of the sender through the CA's issued digital certificates. Then, the recipient uses the sender's public key to decode the sender's private key encoding on the message. The use of digital certificates adds a few additional steps to the overall process, but this improves the identity verification of the participants in the secured communication. Once a communication session ends, the recipient can discard the sender's public key. Each time a new session starts, the sender's public key will be re-exchanged via the digital certificate process. This reduces the burden of public key management and makes any secure communication service, including VPNs, much more scalable. What Is VPN Authentication? Authentication is the process of confirming or proving the identity of a user and is of significant importance for VPNs. Since VPNs allow external entities to connect to and interact with a private network (or system), verifying the identity before granting access is paramount. VPN authentication takes place on two levels: connectivity and user. When a VPN link starts, the hardware and software components at each endpoint must authenticate to establish the connection. Once the communication link begins, the user performs a separate and distinct authentication process. If either of these identity proofs fail, the VPN is severed. The actual mechanism of authentication used in either case can vary. Options include username and password, smart cards, token devices, digital certificates, and even biometrics. As a rule of thumb, you should avoid username- and password-only solutions and lean toward multifactor authentication options. Password-only authentication is notoriously exploitable and is not reliably secure enough for a VPN. The VPN services, whether software or hardware, may support authentication directly or indirectly when offloaded to dedicated authentication servers. Offloading can point to any number of widely used authentication, authorization, and accounting (AAA) services or technologies, including RADIUS, TACACS, 802.1x, LDAP, and Active Directory. When selecting an authentication solution for a VPN, consider the strengths and weaknesses of the authentication factors independently of their VPN integration. If an authentication factor has weaknesses on its own, these are not relieved when used with a VPN. VPN authentication should be scalable and support interoperability among potential connecting hosts. Don't use authentication that cannot support more than a few dozen users or hosts. Likewise, using a form of authentication that is available on only one platform or operating system will impose limitations difficult and expensive to resolve later. VPN Authorization Authorization is controlling what users are allowed and not allowed to do. Authorization is also known as access control. You must establish clearly defined policies as to what activities will and will not be supported for VPN connections. An initial concern is defining who is and who is not allowed to establish a VPN connection. By considering VPN a resource rather than just a method of connectivity, clearly not all users should have access to all resources. If VPN connectivity is neither essential to nor conducive of a worker's assigned tasks and responsibilities, he or she should not be allowed to open or use VPN connections. Authentication can help enforce this access control issue. Whenever a user account that is not authorized to use VPN attempts to authenticate across a VPN, that attempt should fail. In fact, automatically locking such an account is a reasonable security response. Users should have a clear understanding of whether or not they have been granted the privilege of VPN use. Any access of a non-VPN approved user across a VPN, therefore, is either a sign of a policy-violating employee or an outside intrusion attempt. In addition to locking down use of the VPN itself, you should restrict access to resources across a VPN, even for authorized users. A VPN does establish a network connection indistinguishable except for speed from a local direct-wired connection, but that does not mean that the same level of authorization is necessary, required, or even recommended. A stronger application of the principle of least privilege is needed with VPN connectivity. Not all of the tasks and resources employees use when on site are necessarily required for activities they perform remotely. A user should have one level or sphere of access when on site and a different, smaller sphere of access when connecting through a VPN. This, of course, will depend upon the assignments of the worker and the sensitivity of the resources needed to carry out those assignments, but thoroughly consider this issue before granting default or wholesale access. Mission-critical resources, processes, and information may be at risk if they're exposed to users connecting over a VPN. Since a remote user's computer is potentially less secure than workstations on site, the additional risk may be significant. Does a telecommuter or traveling worker actually need access to a specific resource? If not, block access. Should a remote VPN user be able to transfer sensitive, private, or valuable data to the remote host? This is the risk of information leakage. Once data leaves the LAN, the corporate security infrastructure loses its ability to fully control and protect the information. On a remote host, once the VPN disconnects, the LAN's security protections disappear. The only remaining security left is on the host and practiced by the user. Remote access is inappropriate or just impractical for some resources. For example, consider preventing printer access by remote VPN users. Do traveling workers need to print documents they are unable to physically handle? Yes, in some situations, remote printing makes sense. But should you allow every local activity over a VPN just because it's possible? Another authorization concern is whether or not to allow Internet communication for VPN users. If local LAN users are able to access the Internet, then technically so can VPN users. But should they? Is this an additional risk or just an additional bandwidth consumption burden? If VPN users are unable to access the Internet from the LAN through the VPN, can they access the Internet simultaneously over the same ISP link as their VPN link to the LAN? This configuration is known as a split tunnel. Many organizations see this as a significant risk. This scenario makes it possible for an Internet attack to breach the remote host, and then use the VPN to access the private LAN. This would be a nearly unrestricted pathway between the Internet and the LAN. Most organizations employ VPN connection solutions that prevent simultaneous local VPN and Internet connectivity on remote hosts. Even with these VPN authentication issues, the overall process of enforcing access control is essentially the same for both local and remote hosts. In most cases, access control is defined on the resource itself, regardless of where the users are. Keep this in mind as you craft policies defining the parameters of VPN management and use. Image CHAPTER SUMMARY VPNs are mechanisms to remotely connect LANs and mobile hosts. VPNs save money and offer worker flexibility. VPNs secure communications over public intermediary networks. VPNs should be used whenever infrastructure costs are high or you need mobile access and flexibility. VPNs can't guarantee quality of service over the Internet or protect against endpoint device/host vulnerabilities. You should deploy VPNs based on thoroughly researched VPN policies. VPNs offer many advantages, including a wide range of implementation choices. Various devices and software products support VPN connections. VPNs' endpoints can be inside, on, or outside a firewall. VPNs can support remote access for mobile hosts, create links between individual systems, and support channels between networks. VPNs can employ either tunnel-mode or transport-mode encryption. They can use the same authentication and authorization techniques that you deploy elsewhere for general network security. Image KEY CONCEPTS AND TERMS Algorithm Asymmetric cryptography Authentication, authorization, and accounting (AAA) services Authenticity Avalanche effect Certificate authority (CA) Channel Ciphertext Client-to-server VPN Compression Corporate firewall Cryptography Decryption Dedicated connection Dedicated leased line Digital certificate Digital envelope Digital signature Distributed LAN Eavesdropping Edge router Extranet VPN Fragmentation Hardware VPN Hash Hash algorithm Hash value Hashing Host-to-host VPN Host-to-site VPN Host VPN Hybrid VPN Identity proofing Intermediary network Key or encryption key Key exchange Key pair Keyspace LAN-to-LAN VPN Leased line Multifactor authentication Non-dedicated connection Nonrepudiation One-time pad One-way function Optical carrier (OC) Out of band Private branch exchange (PBX) Private key Pseudo random number generator (PRNG) Public key Public key cryptography Public network Rekeying Remote access VPN Remote-to-home VPN Remote-to-office VPN Scalability Secured VPN Site-to-site VPN Software VPN Split tunnel Symmetric cryptography Telecommuting Traffic congestion Trusted third party Trusted VPN Virtual private network (VPN) VPN appliance WAN VPN Image CHAPTER 3 ASSESSMENT 1. Which of the following is not a valid example of a VPN? A. A host links to another host over an intermediary network. B. A host connects to a network over an intermediary network. C. A network communicates with another network over an intermediary network. D. A host takes control of another remote host over an intermediary network. E. A mobile device interacts with a network over an intermediary network. 2. Which of the following is not ensured or provided by a secured VPN? A. Confidentiality B. Quality of service C. Integrity D. Privacy E. Authentication 3. Which of the following techniques make(s) a VPN private? A. A single organization owning all the supporting infrastructure components B. Leasing dedicated WAN channels from a telco C. Encrypting and encapsulating traffic D. Both A and B E. Items A, B, and C 4. What is the primary difference between a VPN connection and a local network connection? A. Speed B. Resource access C. Security D. Access control models E. Authentication factors 5. Which of the following is not a true statement? A. VPN traffic should be authenticated and encrypted. B. VPNs require dedicated leased lines. C. Endpoints of a VPN should abide by the same security policy. D. VPNs perform tunneling and encapsulation. E. VPNs can be implemented with software or hardware solutions. 6. What is a hybrid VPN? A. A VPN with a software endpoint and a hardware endpoint B. A VPN supporting remote connectivity and remote control C. A VPN consisting of trusted and secured segments D. A VPN supporting both symmetric and asymmetric cryptography E. A VPN using both tunneling and encapsulation 7. What is the most commonly mentioned benefit of a VPN? A. Cost savings B. Remote access C. Secure transmissions D. Split tunnels E. Eavesdropping 8. Which of the following is a limitation or drawback of a VPN? A. Intermediary networks are insecure. B. VPNs are not supported by Linux OSs. C. VPNs are expensive. D. VPNs reduce infrastructure costs. E. Vulnerabilities exist at endpoints. 9. On what is an effective VPN policy based? A. A thorough risk assessment B. Proper patch management C. Business finances D. Flexibility of worker location E. Training 10. What form of VPN deployment prevents VPN traffic from being filtered? A. Edge router B. Extranet VPN C. Corporate firewall D. Appliance VPN E. Host-to-site VPN 11. What form of VPN deployment requires additional authentication for accessing resources across the VPN? A. Site-to-site VPN B. Corporate firewall C. Host-to-site VPN D. Edge router E. Remote access VPN 12. Which of the following is not a name for a VPN between individual systems? A. Client-to-server B. Host-to-host C. Remote-to-home D. Host-to-site E. Remote-to-office 13. Which of the following is the primary distinction between tunnel mode and transport mode VPNs? A. Whether or not it can support network to network links B. Whether or not the payload is encrypted C. Whether or not it can support host-to-host links D. Whether or not the header is encrypted E. Whether or not it supports integrity checking 14. What VPN implementation grants outside entities access to secured resources? A. Edge router VPN B. Corporate firewall VPN C. Site-to-site VPN D. Extranet VPN E. Remote control VPN 15. What form of cryptography encrypts the bulk of data transmitted between VPN endpoints? A. Symmetric B. Hashing C. Public key D. Transport mode E. Asymmetric 16. What components create a digital signature that verifies authenticity and integrity? A. Public key and session key B. Private key and hashing C. Hashing and shared key D. Session key and public key E. Shared key and hashing 17. By what mechanism do VPNs securely exchange session keys between endpoints? A. Digital envelope B. Digital forensics C. Digital encapsulation D. Digital certificate E. Digital signature 18. What are the two most important characteristics of VPN authentication? A. Single factor and replayable B. Scalable and interoperable C. Transparent and efficient D. Interoperability and single factor E. Replayable and scalable 19. What VPN access control issue can be enforced through VPN authentication? A. Blocking unauthorized VPN users B. Restricting access to the Internet C. Limiting access to files D. Filtering access to network services E. Controlling access to printers 20. When designing the authorization for VPNs and VPN users, what should be the primary security guideline? A. Scalability B. Multifactor C. Distributed trust D. Principle of least privilege E. Grant by default, deny by exception 21. All of the following statements about a host-to-host VPN are true except: A. A host-to-host VPN is commonly supported by the host OS. B. A host-to-host VPN must be implemented with VPN appliances. C. A host-to-host VPN can be interoperable between different OS products. D. A host-to-host VPN usually employs transport mode encryption. E. A host-to-host VPN can be established within a private network. Image FIGURE 3-16 The seven domains of a typical IT infrastructure. 22. All of the following are commonly used in supporting a site-to-site VPN except: A. VPN appliance B. Commercial firewall C. Client VPN software D. Edge router E. VPN gateway proxy 23. A VPN used to connect geographically distant users with the private network is located within which domain from the seven domains of a typical IT infrastructure (Figure 3-16)? A. LAN Domain B. User Domain C. System/Application Domain D. Remote Access Domain E. LAN-to-WAN Domain 24. What feature or function in tunnel mode encryption is not supported in transport mode encryption? A. The header is encrypted. B. The payload is encrypted. C. The source address is encrypted, but not the destination address. D. A footer is added to contain the hash value. E. It provides encryption protection from the source of a conversation to the destination. 25. All of the following statements are true except: A. Encryption ensures VPN traffic remains confidential. B. It is possible to have a private VPN without encryption. C. VPN authentication ensures only valid entities can access the secured connection. D. Authorization over a VPN consists exclusively of granting or denying access to file resources. E. VPN authentication can include multifactor options.

circumtance

condition

contingency

A possible future event that must be prepared for or guarded against; possibility

Symmetric Cryptography Symmetric cryptography is based on algorithms that use a single, shared secret key. A common way to remember the type of key used by symmetric is to remember a synonym for symmetric: same. The same key must encrypt and decrypt data and the same key must be shared with all communication partners of the same session. Symmetric cryptography is very fast in comparison to asymmetric cryptography, typically 10,000 times as fast with similar key length and message size. Generally, the longer the length of a symmetric key, the stronger the encryption produced. Most algorithms have one or only a few key length options, so picking an algorithm with a longer key often ensures stronger encryption. Keys shorter than 128 bits are considered weak, keys of 128 to 256 bits are considered strong, and keys longer than 256 bits are considered very strong. That's why when you select a symmetric cryptography product, you should only use solutions employing 128-bit or longer keys. Selecting a strong algorithm is more involved than just key length; you also need to consider other issues, such as use of random numbers, use of the avalanche effect, and resistance to reverse engineering attacks. Most weak algorithms do not survive long once released to the public, so most consumers do not need to focus as much on the details of the algorithm as to look for algorithms that support longer keys. The general rule (which does gloss over some of the details) is that longer keys are better. For more information on cryptography, selection of algorithms, and the internal workings of algorithms, please consult Schneier's Cryptography Classics Library or Introduction to Modern Cryptography. Image NOTE

What Are the Limitations of a VPN? While the use of VPNs has many benefits, you need to evaluate the very real and distinct limitations before you put a VPN in place. Although a VPN connection offers flexible secure communication options, it does not ensure quality of service. A VPN link is dependent upon the stability, throughput, and availability of the ISP connection as well as the intervening network connections between endpoints. VPNs over the Internet can easily suffer from latency, fragmentation, traffic congestion, and dropped packets. This also results in a lack of dedicated bandwidth between business sites because of the volatility of the Internet. technical TIP Encrypted traffic does not compress. Compression reduces the size of a data set, removing redundancies or repeated sections within the data set. Properly encrypted data produces ciphertext that does not contain redundancies or recognizable patterns. If ciphertext did have these characteristics, it would not be as secure. Thus, without these redundancies, it's not possible to compress encrypted data. While VPNs are excellent solutions over nearly every broadband connection option, a VPN can be difficult to maintain over dial-up. VPN traffic is encrypted, and encrypted traffic does not compress. Most dial-up modem connections rely on compression—mainly hardware compression—to improve connection speed. When compression is not possible, a significant and noticeable speed reduction occurs. Additionally, VPN tunnel management can impose a significant increase in management overhead because of changes in protocol headers, potential authentication latency, and a prolonged connection establishment negotiation. Another area of concern is the minor risk or potential of data exposure while in transit over the Internet. This is only a real concern if the VPN does not use encryption, uses poor encryption, or configures the encryption improperly. Proper security management will eliminate this as a serious concern. Vulnerabilities exist at VPN endpoints. With a VPN, side attacks against the encrypted link are nearly eliminated. However, data entering or leaving the VPN is at risk. An end-user computer could be infected by malicious code that can traverse the VPN link into the company LAN. Also, private and confidential data from the company LAN can be copied across the VPN link to the end-user computer. On this computer, that data is less secure and subject to a wider range of threats. You should also consider the increased difficulty in providing technical support remotely. This is especially true when the remote connection itself is not functioning. In addition, it's more difficult to keep remote systems in compliance with security settings, conduct training, allow supervisory oversight, enable HR management, and monitor user activities. Not every person is a good candidate for a remote user. Those who are easily distracted, who are not motivated, or whose home environment is not conducive to work are prime examples of those who should stay in the office rather than work from home.

DES key length and brute-force attacks. The Data Encryption Standard is a block cipher, meaning a cryptographic key and algorithm are applied to a block of data simultaneously

rather than one bit at a time. To encrypt a plaintext message, DES groups it into 64-bit blocks.Nov 12, 2014

resilience

the ability to adapt effectively in the face of threats. the personal strength that helps most people cope with stress and recover from adversity and even trauma

The 10 Best Project Management Software With Time Tracking There's no substitute for great project management software. However, more managers are realizing that time tracking has the potential to improve the process of planning work, estimating more accurately, and billing clients with great precision. Thus, the need for project management with integrated time tracking software continues to grow. These time and project management tools make it incredibly easy for team leaders and managers to keep track of absolutely everything, without burdening team members with additional work. A whole range of software has been created to help make project management easier and more efficient. Each solution offers a range of features that can help transform the daily life of a project manager. Because of the sheer number of project management software solutions out there, you might find it hard to decide which one is perfect for your team—that's why we've taken the lead and collected the 10 of the best options for project and time management available. Looking for software that combines project management and time tracking? Here are the 10 best toolsCLICK TO TWEET1. Hubstaff Tasks + Hubstaff Hubstaff is a leading time tracking software that was created to help remote and growing teams work better. Hubstaff integrates with 30 project management tools, apps, and software platforms so that your team doesn't have to adapt or change processes to track time more efficiently. Whether you're using Asana or Basecamp, Github or Redbooth, this software pulls in data from all of them and helps you to understand how much time your team is spending on each task. The software also has a wealth of features perfect for every project manager. Using Hubstaff allows you to assign tasks to team members that they can track time toward (regardless of whether they're sitting at the same desk space, or on the other side of the world). Hubstaff allows you to check in on the productivity of each team member with activity levels, app, and URL tracking. What's more, you can turn on or off random screenshots for each team member to help you gain a better understanding of how work gets done. The in-depth reporting features can also help you make informed staffing and planning decisions that are crucial for business success. For the whole team, all it takes is one click to get going. Each person can see the total number of hours they have worked anytime. And with Hubstaff's time off management feature, scheduling holidays and time away from work has never been easier. Beyond this, Hubstaff makes it incredibly easy to pay your employees and freelancers by automatically calculating payments based on the number of tracked hours and their hourly pay rate. From there, you have the option to approve or deny timesheets built into the process. The essential employee data tracked by Hubstaff are gathered into a single report, making payments as simple as a few clicks. This, along with the ability to set hours and budget limits, means that you can spend more time working on projects, and less time tied up in payroll and admin tasks. Invoicing with Hubstaff is organized and seamless. With project budgeting, Hubstaff removes the need to constantly check the budget, an extremely time-consuming task. Hubstaff will automatically notify you if the limit is almost reached, allowing you to make the right decisions in a more timely manner. Hubstaff pricing starts at just $5/user per month, with a premium plan that includes all of these time-saving features for only $10/user per month. As of now, Hubstaff also integrates with our brand new Hubstaff Tasks, a visual drag and drop Agile project management software designed to increase team productivity and help you collaborate better as a team. Hubstaff Tasks lets managers automate processes, create workflows, and gain visibility into team and project work. The ease of which it integrates with Hubstaff Time Tracking enables managers to see the most profitable clients or projects, as well as send clients detailed invoices with task breakdowns, all within a few clicks. Even better, it's completely free for teams of up to five. See pricing here. Track project work with Hubstaff time tracker Make sure your team is working efficiently Grab Your Free Trial! 2. Mavenlink Built specifically for agency teams, Mavenlink helps project managers get the best out of their team. It is a dedicated project management system with time tracking features. Mavenlink allows project managers to gain an in-depth insight into the workings of their teams and the progress of their projects. How? Via complex, but informative, reports and data outputs. The time tracking features mean that it's possible to track team productivity and activity so that you can increase efficiency and minimize time waste. These features, coupled with the in-depth reporting, mean that you can quickly identify which tasks and employees are slowing projects down and preventing things from moving forward. In-app Gantt charts, resource allocation features, and team collaboration features (like chat and file sharing), mean that it's easy to organize your team members and make sure that projects are running smoothly. Mavenlink also includes accounting features that mean that you can track employee expenses, set budgets, and receive payments with minimal time and effort. Because of its ability to track changes in real-time, Mavenlink empowers you to control your budget and manage client expectations at a glance. Pricing for Mavenlink's professional plan (which includes the widest range of features) starts at $39/user per month. 3. Replicon An enterprise-grade project management and time tracking solution that's made up of multiple products, Replicon is perfect for project managers who oversee large teams. Built around a cloud-based system with a focus on security, Replicon's apps work across a whole range of devices so that your team members can track their time and their work anywhere. Replicon TimeAttend allows you to capture every billable hour, so that projects are fully paid for, and that there is no time or resource waste. This feature, supported by comprehensive reports, makes it easy for you to accurately improve project costing by giving you better insights into how your team runs and how long projects take. Replicon also allows enterprise customers to track time and attendance. So you are fully compliant with labor regulations. RepliconPPM is a project management system that allows you to create multi-level hierarchies, establish project milestones, set budgets, and time limits, and get a real-time overview of project progress. PPM also allows you to allocate resources in seconds and makes it possible for you to forecast resource requirements for future projects. Replicon is ideal for enterprise project managers looking for comprehensive solutions that are suited to large organizations. However, the need for multiple software packages can be off-putting to those looking for a streamlined solution. Replicon TimeAttend starts from $30/month for 5 users. 4. Wrike Wrike is a great platform that combines project management features with extensive collaboration support and time tracking capabilities. It is used by leading companies around the world, from Amazon to Capgemini. Wrike features tools that will make every product manager's life a dream. Wrike has: custom dashboards workload systems interactive project timelines a real-time newsfeed (so you can see what tasks are being completed right now) and document sharing Wrike stands out from other project management in its ability to mention team members, assign them to tasks, and collaborate with them on an on-going basis. The time tracking features allow you to keep a close eye on how your team members are tackling projects and individual tasks. You can dial resources up or down accordingly and are always informed of every development. Wrike has native iOS and Android apps and supports a range of desktop operating systems. Your team can, therefore, keep the devices they love, and still benefit from every feature. The tool is free for up to 5 users (with limited features) and then starts at $10/user per month. 5. AceProject This web-based project management app is perfect for teams looking for a less feature-rich solution. Unlike other tools, AceProject has minimal features, but each one is executed well. The web app allows you to create projects from templates (or make them yourself). You can create Gantt charts to manage projects visually, and generate timesheets and reports. AceProject also lets you manage your team members' tasks by offering you the ability to allocate responsibilities. If tasks depend on each other, AceProject allows you to dynamically set dependencies. This helps ensure your tasks are completed in the right order. Time tracking is supported, and integrates with the timesheet and reporting features. But it lacks powerful features like application and URL monitoring that are offered by other solutions. AceProject offers a free tier that extends to 2 projects and a maximum of 5 users; paid plans range from $24/month (for 10 projects and 10 users) to $199/month (for unlimited projects and unlimited users). 6. Trigger Trigger was built specifically for consulting teams. It offers a portal for all the work your team does for every client. This is perfect for project managers who look after multiple teams for different clients. Trigger makes it easy to group every bit of information into a centralized location. Each portal supports an individual activity stream, projects, tasks, timesheets, auto-invoices, and online reporting. This means that you no longer have to create multiple accounts for multiple clients. Nor do you have to balance different projects and workloads across different apps. What's more, Trigger offers automatic time tracking features. This means that your employees never have to click more than one button to get going. Timesheets are also generated automatically, so you never have to pull your team away from their work. Unlike other tools, Trigger doesn't track which applications or websites your team members are using or visiting. This can be a disadvantage if you are managing remote teams. Trigger's pricing is incredibly simple. It offers all features for $11 per employee, per month—a 30-day free trial is also available. 7. 5pm Loved by companies like McDonald's and Autodesk, 5pm has a range of powerful tools that help you to work better. Its team collaboration features let you share projects, tasks, notes and files, and interactive timelines that let you get a clear overview of projects and your workload. 5pm also has fully customizable dashboards and reports that allow you to tailor your experience directly to your needs. Alongside this, 5pm is available in 26 languages. It has a social toolbar so that you can see which members of your team are online at any time, and even chat with them in the app. While other project management solutions have built-in time tracking functionality, 5pm relies on a third-party application to help you keep track of everything your employees are working on. It doesn't have the powerful features that Hubstaff has, but it offers basic time tracking and timesheet maintenance. Pricing ranges from $24/month for 5 users and 10 active projects, to $199/month for unlimited projects and unlimited users. 8. Avaza Avaza provides powerful and easy-to-use tools to assist in running a business. Project managers can take advantage of the drag-and-drop task management (that offers support for estimates and real-time progress), planning tools, and automatic task reminders. Avaza integrates with email so that your teams are able to collaborate on projects in real-time. Supporting this is a content management system that lets you store documents online for your whole team to access. Time tracking features allow you to optimize your business and track every hour your employees work so that you can bill for full amounts. The features also offer integrated project management so you can see how long tasks are taking and plan accordingly. Tracked time can be exported to in-depth reports that can be used for internal performance reviews, or sent to clients for their consideration. Beyond this, Avaza offers bank-grade security, support for expense tracking and invoicing, and integrations for several leading apps like Zapier and Stripe. Avaza has a free tier which supports 10 customers and 5 active projects. Paid plans range in price from $9.95 per month (for unlimited customers and 20 active projects) to $39.95 per month (for unlimited customers and unlimited projects). 9. Harvest Harvest is an application for those focused on tracking the time their employees spend per project. It also helps those who want the ability to manage tasks and projects simultaneously. With advanced time tracking features that let your team track the hours they spend working on all of their devices (Harvest supports Android, iPhone, Apple Watch and a range desktop operating systems), the app also analyzes your team's data so that you don't have to. It generates reports that can give you information on billable and non-billable time for all of your team members. Harvest also supports expense logging, auto-invoice generation, and timesheet approval systems. This allows you to remove friction in your business and focus on providing high-quality service tor your clients. Another great feature is that it also integrates with 80 popular apps. So you can manage projects (using Asana, Trello, or Basecamp), track employee time spent working in Zendesk, and accept payments using Stripe. Pricing for Harvest is $12/user per month with an unlimited number of projects. 10. Dovico Dovico is a leading project management system with time tracking. Their clients range from Allianz to Burt's Bees. Dovico Timesheet is offered as a base product with a range of free app add-ons. Its powerful features can help you to track all of your employees, and manage large teams. With support for time and expense tracking, with added functionality that lets you measure billable and non-billable time, and automated e-mail notifications that help you to remember to do important tasks, Dovico offers a useful and easy-to-learn software solution. D

ovico also supports task assignments and has a project dashboard so you can monitor your tasks and projects at a glance. Dovico is trusted by many large companies. But, its time tracking and project management features are less extensive than other alternatives. Dovico's time tracking doesn't have an automated feature. It also and doesn't monitor activity or applications and URL visits. In other words, you are unable to get a deep insight into how your employees work. Pricing for Dovico is a flat $15/user per month, although there are discounts available for large purchases. Have you found the right project management and time tracking solution? Project time tracker comes with many different features for many different teams. There's something out there for every need and budget. If you know of any other great project management and time tracking solutions, let us know in the comments!

To be, or not to be, that is the question:Whether 'tis Nobler in the mind to sufferThe Slings and Arrows of outrageous Fortune,Or to take Arms against a Sea of troubles... "To be or not to be" is the opening phrase of a soliloquy in William Shakespeare's play "Hamlet". It is perhaps the most famous of all literary quotations, but there is deep disagreement on the meaning of both the phrase and the speech. Whilst we won't be solving that disparity in this article, we will discuss the disagreements amongst the global engineering community as to whether the 5 Whys process is sufficient enough to effectively identify the root causes and ultimately, the solutions, for a particular problem. Why - Why - Why - Why - Why? The 5 Whys is a question-asking technique used to explore the cause-and-effectrelationships underlying a particular problem. The primary goal of the technique is to determine the root cause of a defect or problem. The technique was originally developed by Sakichi Toyoda and was used within the ToyotaMotor Corporation during the evolution of its manufacturing methodologies. It is a critical component of problem-solving training, delivered as part of the induction into the Toyota Production System. The architect of the Toyota Production System, Taiichi Ohno, described the 5 Whys method as "the basis of Toyota's scientific approach . . . by repeating why five times, the nature of the problem as well as its solution becomes clear." However, whilst the tool may have had success in the automotive industry it has received criticism from within other industries for being too basic and not complex enough to analyze root causes to the depth that is needed to ensure that solutions are identified and the problem is fixed. There are several reasons for this criticism of the 5 Whys method: Tendency for investigators to stop at symptoms rather than going on to lower-level root causes Inability to go beyond the investigator's current knowledge - cannot find causes that they do not already know Lack of support to help the investigator ask the right "why" questions Results are not repeatable - different people using 5 Whys come up with different causes for the same problem Tendency to isolate a single root cause, whereas each question could elicit many different root causes Considered a linear method of communication for what is often a non-linear event Many companies we work with for training and engineering services successfully utilize the 5 Why technique for very basic incidents or failures. By utilizing the correct placement of triggers, organizations can use the 5 Why for its basic problem solving and then move to a form of Cause and Effect analysis like the Apollo RCA method for more complex problems. A disciplined problem solving approach should push teams to think outside the box, identifying root causes and solutions that will prevent reoccurrence of the problem, instead of just treating the symptoms. Any effective problem solving technique should meet the following six criteria: Clearly defines the problem Clearly delineates the known causal relationships that combined to cause the problem Clearly establishes causal relationships between the root cause(s) and the defined problem Clearly presents the evidence used to support the existence of identified causes Clearly explains how the solutions will prevent recurrence of the identified problem Clearly documents criteria 1 through 5 in a final RCA report so others can easily follow the logic of the analysis RealityCharting has come up with a simple, free tool that can be used to help with a 5 Why investigation. RC Simplified, the free to download version can be utilized on smaller issues as it allows the user to build a cause and effect chart that is no greater than 4 causes high and 5 causes deep. This means the user of a 5 Whys approach can create a Realitychart using the same thought process adopted in the Apollo Root Cause AnalysisTM methodology. It also demonstrates a non-linear output to what was originally considered a linear type problem.

So when looking for problem solving tools or root cause methodologies, be willing to "think outside the box" and utilize a number of resources depending on the complexity of the problem and the significance of the incident. We believe that the 5 Why's approach definitely has a time and place to be utilized. However, if the problem is more complex, don't limit yourself to a 5 Why approach as you will likely not be satisfied with the solutions generated.

pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.[2][3] Contents 1 History 2 See also 3 References 4 Further reading 5 External links History

The pfSense project started in 2004 as a fork of the m0n0wall project by Chris Buechler and Scott Ullrich and the first release was in 2006.[4] The name was derived from the fact that the software uses the packet-filtering tool, PF.[5] On Sept 24, 2018 version 2.4.4 was released.[6] In November 2017, a World Intellectual Property Organization panel found that Netgate, the copyright holder of pfSense, had been using the domain opnsense.com in bad faith to discredit OPNsense, a competing open source firewall forked from pfSense. It compelled Netgate to transfer the domain to Deciso, the developer of OPNsense.[7]

The recent U.S. elections served up plenty of drama and even more suspense as the campaign entered its final stretch. Pollsters and forecasters crunched data continuously to accurately predict the paths to victory or defeat for both parties. One of the most publicised concepts was the supposed "blue firewall", a group of states that had consistently voted for the Democratic party in past elections. If the Democrats could hold onto their lead in these states, they'd all but guarantee victory, or so the polling experts predicted... We all know now how that ended. The blue firewall created a false sense of security after all. Media pundits asked the prognosticators to answer the burning question: How did this seemingly secure firewall get breached? In many ways, the answer to this question reveals the cause of not only the blue firewall breach, but also of a firewall in your organisation: Merely having one in place is not enough to prevent a breach. Firewall, NGFW, and UTM appliances require you to dedicate resources just to maintain the status quo for your environment. When your security needs surpass your appliance's capacity, your IT is often faced with the unenviable decision of switching off network security features to make up for it. And it's such compromises that could come back and expose your network's security. The firewall appliance: Capacity constraints lead to limited security As a physical appliance residing in your local branch office, a firewall requires ongoing management, time and budget just to stay effective. It is designed to inspect incoming and outgoing traffic and enforce policies for your corporate network, but it ultimately requires you to devote the time and resources to support and secure your organisation. As your business grows, your IT must apply upgrades to add more functional capabilities and support greater bandwidth and throughput. As for security, you need to configure policies and authentication rules and keep tabs on vulnerabilities discovered by your firewall security vendor. Knowing a vulnerability exists is only half of the patch management battle. You then need to create a patch and deploy it to your firewall appliances in each physical location. This is where resources are often outpaced by the volume of vulnerabilities, leading to delays in distributing patches throughout the network. This leaves critical gaps in security that can be exploited and result in the theft of critical proprietary data. One recent example of this is the breach of Cisco's firewalls, routers, switches. A hacker group, called Shadow Brokers, discovered a previously unknown vulnerability that has been a key tool for the NSA's hacking team. Not long after exposing this vulnerability (CVE-2016-6415) on the web, it was used to breach Cisco's firewalls and compromise client data. While Cisco will soon have a patch available for this specific vulnerability, applying it to firewall appliances across distributed enterprises is a resource-intensive process. Meanwhile, the exploit window remains open. This is merely one example of many where the capacity constraints associated with managing firewall and UTM appliances become an anchor that weighs on your resources and forces your IT to compromise on security. A 2015 report on data breaches by Verizon found that 99.9 per cent of exploited vulnerabilities were compromised more than a year after the CVE was published. Patching is indeed a gaping hole in many IT organisations. The lesson to be learned here is: A firewall that isn't patched is like having no firewall at all. Let's digress for a minute and revisit the blue firewall. Data began mounting to show that the Democrats needed to spend more campaign resources to solidify their lead in these "firewall states". The Republicans targeted the blue firewall by devoting ad money and holding rallies in states like Michigan and Wisconsin to galvanise supporters and increase voter turnout. With their resources focused elsewhere, the Democrats left the firewall states largely undefended for months, failing to nurture their lead, thereby leaving exploit windows open. In the final days, statisticians revealed that the firewall may have been breached and that the race had tightened. But by then it was too late to patch up the vulnerabilities, and the blue firewall was breached. The way forward: Take patch management off IT's plate The question that remains, of course, is "How can the IT organisation improve its security posture to better mitigate against firewall vulnerabilities?" The first step is to become less reliant on multiple point solutions and distributed appliances, which by design fragment patch management processes and tax people and financial resources. The ability to centralise the delivery of network security capabilities today can be simplified tremendously by moving these functions to a managed SaaS model. Firewall-as-a-Service (FWaaS) effectively eliminates the need to apply patches altogether; the provider's security research team ensures a cloud-based NGFW is continuously up-to-date. This not only takes the burden away from IT, but a scalable cloud platform also removes the limits that capacity constraints can impose on enabling security capabilities, making the entire network less vulnerable. Furthermore, physical appliances and publicly available firmware can be obtained and reverse-engineered by hackers. By using a FWaaS model, these resources are simply not accessible which greatly mitigates these risks. External, unauthorised attempts to access cloud infrastructure also raise a red flag that can be detected and addressed by the security team. In short, the IT organisation no longer needs to be shackled by the lifecycle management constraints of physical appliances and the domino effect this holds for budget and IT resources. One, centralised network security model ensures defences are up-to-date and optimal. And, going forward a cloud-based network security service is not subject to physical limits of appliances, or the human capital needed to keep them up and running.

In a recent global research initiative, more than 700 networking, security and IT executives were asked to identify their top network and security challenges. Not surprisingly, more than 50 percent of CIO-level respondents said they plan to eliminate hardware appliances from their infrastructure in 2017; it wassurprising, however, that 41 per cent of respondents overall identified FWaaS as the most promising infrastructure protection technology. Just as Gartner predicts SD-WAN is primed to replace edge routers, so, too is security as a service becoming understood in new ways to protect the network's edge.

The term firewall is actually adopted from the aircraft and auto engineering industries. The firewall in an aircraft or car, just as it does in network security, blocks bad stuff from the area that contains people. In an aircraft or car, the firewall is the actual physical fireproof wall between the cockpit and the passenger compartment, or between the engine compartment and the driver and passengers. In networking, a firewall is either software or dedicated hardware that exists between the network and the resource being protected. The firewall used in this virtual environment is pfSense firewall. The pfSense firewall, like other firewalls on the market, relies on Network Address Translation (NAT) to expose an IP address from the private network and bind it to an address on the public network. NAT enables internal resources to be used over the public networks and helps to preserve the limited remaining IPv4 addresses available on the Internet today. In this lab, you will configure the pfSense firewall to protect an Internet-facing server. You will configure NAT on a pfSense firewall, creating a CARP (Common Address Redundancy Protocol) VIP (Virtual IP) 10.20.1.3 public address to an internal server (172.30.0.10). Finally, you will add firewall rules granting limited access to the services running on the internal server. Upon completing this lab, you will be able to: Configure the physical connectivity of a firewall that protects a server. Understand how Network Address Translation (NAT) allows access from the public to the private network. Configure NAT using a pfSense firewall. Configure WAN-side firewall rules to expose an internal (private) server. Each section of this lab is assigned at your instructor's discretion. Please consult your instructor to confirm which sections you are required to complete for your lab assignment. SECTION 1 of this lab has two parts which should be completed in the order specified. In the first part of the lab, you will use NAT to bind a public Internet address to an internal server. In the second part of the lab, you will configure the firewall to allow limited access to services (for example, HTTP, DNS, and SMTP) hosted on the internal server. SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will also access the TargetWindows02 server from the external network using a Virtual IP address. Finally, if assigned by your instructor, you will explore the virtual environment on your own in SECTION 3 of this lab to answer a set of questions and challenges that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation. Note: This lab contains two networks separated by a pfSense firewall. The 172.30.0.0/24 network represents the private (inside) network and 10.20.1.0/24 represents the public (outside) network. It's important to understand that firewalls separate more secure environments from less secure environments, and it is common to have more than a single firewall between a client system and the actual Internet, though this lab relies on only a single firewall. For the 172.30.0.10 Windows server to be accessible from the outside, you must take an address on the outside and bind it (translate it) to the inside address (Network Address Translation, or NAT). Typically, when an organization purchases Internet access from an Internet Service Provider (ISP), the ISP will grant it several public IP addresses that it can use for NAT. In the next steps, you will assign a Common Address Redundancy Protocol (CARP) virtual address (10.20.1.3) to a private Windows server (172.30.0.10) and then bind the public 10.20.1.3 IP address to the virtual IP address (VIP). Network topology On the vWorkstation desktop, drag the PFSENSE-FW-PLANNER file into the File Transfer folder to download the file to your local computer. Use this spreadsheet on your local computer to document the configuration changes you make during Part 2 of this lab. At the end of the lab, you will submit your updated spreadsheet as part of the deliverables. On the vWorkstation desktop, double-click the Connections folder. In the Connections folder, double-click the pfSense shortcut to launch the pfSsense application in a browser window. At the login page, type the following credentials and press Enter to log in to the pfSense application. Username: admin Password: pfsense If necessary, maximize the browser window. pfSense firewall overview From the pfSense menu bar, click Firewall and select Virtual IPs to open the Firewall / Virtual IPs page. The first step in binding an IP address is to create the Common Address Redundancy Protocol (CARP) virtual address to attach a public address to the WAN interface. On the Firewall / Virtual IPs page, click the green Add button to add a new virtual IP address to the firewall. Adding the Virtual IP address Use the following information to complete the Edit Virtual IP form, then click the Save button to return to the Firewall / Virtual IPs page. Unless specified in the following list, accept the default value in the form. Type: CARP Interface: WAN Address(es) 10.20.1.3 Virtual IP Password: password Description: WAN VIP for 172.30.0.10 Virtual IP Addresses form On the Firewall / Virtual IPs page, click the Apply Changes button to activate the new virtual IP address. Virtual IP address table Make a screen capture showing the Virtual IP Address table and paste it into your Lab Report file. From the pfSense menu bar, click Firewall and select NAT to open the Firewall / NAT / Port Forward page, then click the 1:1 link to configure the NAT mapping. On the Firewall / NAT / 1:1 page, click either green Add button to add a new 1:1 NAT rule that will bind the new WAN IP address to the internal network. Adding the new 1:1 NAT rule Use the following information to complete the Edit NAT 1:1 Entry form, then click the Save button to return to the Firewall / NAT / 1:1 page. Unless specified in the following list, accept the default value in the form. External subnet IP: 10.20.1.3 Internal IP Type: Single host Internal IP Address: 172.30.0.10 Description: NAT 10.20.1.3 to 172.30.0.10 NAT Mappings form On the Firewall / NAT / 1:1 page, click the Apply Changes button to activate the new 1:1 NAT rule. Make a screen capture showing the NAT Mappings table and paste it into your Lab Report file. Note: This lab contains two networks separated by a pfSense firewall. The 172.30.0.10/24 network represents the private (inside) network and 10.20.1.2/32 represents the public (outside) network. It's important to understand that firewalls separate more secure environments from less secure environments, and it is common to have more than a single firewall between a client system and the actual Internet, though this lab relies on only a single firewall. For the 172.30.0.10 Windows server to be accessible from the outside, you must take an address on the outside and bind it (translate it) to the inside address (Network Address Translation, or NAT). Typically, when an organization purchases Internet access from an Internet Service Provider (ISP), the ISP will grant it several public IP addresses that it can use for NAT. In the next steps, you will assign a Common Address Redundancy Protocol (CARP) virtual address (10.20.1.3) to a private Windows server (172.30.0.10) and then bind the public 10.20.1.3 IP address to the virtual IP address (VIP). Network topology On the vWorkstation desktop, drag the PFSENSE-FW-PLANNER file to the File Transfer folder to download the file to your local computer. Use this spreadsheet on your local computer to document the configuration changes you make during this lab. At the end of the lab, you will submit your updated spreadsheet as part of the deliverables. From the vWorkstation desktop, open the Connections folder and use the pfSense shortcut to launch the pfSense application in a new browser window. Enter the following credentials to log in to the pfSense application. Username: admin Password: pfsense From the pfSense menu bar, select Firewall > Virtual IPs. The first step in binding an IP address is to create the Common Address Redundancy Protocol (CARP) virtual address to attach a public address to the WAN interface. On the Firewall / Virtual IPs page, add a new virtual IP address to the firewall. Use the following information to complete the Edit Virtual IP form, then Save and Apply Changes. Unless specified in the following list, accept the default value in the form. Type: CARP Interface: WAN Address(es) 10.20.1.3 Virtual IP Password: password Description: WAN VIP for the 172.30.0.10 Network Make a screen capture showing the Virtual IP Address table and paste it into your Lab Report file. From the pfSense menu bar, select Firewall > NAT, then click the 1:1 tab to configure the NAT mapping. On the NAT Mappings page, select Add to bind the new WAN IP address to the internal network. Use the following information to complete the Edit NAT 1:1 Entry form, then Save and Apply Changes. Unless specified in the following list, accept the default value in the form. External subnet: 10.20.1.3 Internal IP Type: Single host Internal IP Address: 172.30.0.10 Description: NAT 10.20.1.3 to 172.30.0.10 Make a screen capture showing the NAT Mappings table and paste it into your Lab Report file.

Part 2: Allow Access from a Public Address Note: At this point, you have attached the 10.20.1.3 public address to the WAN interface and bound it to the 172.30.0.10 private address. This lays the groundwork for exposing the 172.30.0.10 Windows server to the public network. However, the default WAN rule set on the pfSense firewall is to simply deny all traffic from the public network. To make the 172.30.0.10 server accessible, you will need to create WAN rules that allow traffic to pass from the public network to the private network. From the pfSense menu bar, select Firewall > Rules to open the WAN Rules table. Notice there are no rules on the WAN tab. The note on the WAN tab reminds you that "All incoming connections on this interface will be blocked until pass rules are added." That's exactly what you'll do in the next steps. Add new WAN rules to allow incoming connections to 172.30.0.10 for the following services, then apply the changes. HTTP (Web Browsing) HTTPS (Secure Web) DNS (Domain Name Service) SMTP (Mail) Note: The first rule can be interpreted as "Permit TCP traffic from any source, on any port, destined for 172.30.0.10 on port 80 (HTTP)". However, clients on the public side will not try to access 172.30.0.10; they will use 10.20.1.3. The combination of NAT and the firewall rule you just configured enables external clients to reach the internal resource using an external IP. The NAT process is how organizations expose internal servers to the Internet. Make a screen capture showing the completed WAN Rules table and paste it into your Lab Report file. Close the pfSense firewall window. On the Lab View toolbar, select TargetWindows01 from the Virtual Machine dropdown menu. Virtual Machine dropdown menu On the TargetWindows01 machine, launch a Command Prompt window. At the command prompt, execute route add 172.30.0.0 mask 255.255.255.0 10.20.1.1 to route the incoming traffic. From the TargetWindows01 taskbar, launch Internet Explorer and navigate to http://10.20.1.3. Make a screen capture showing the http://10.20.1.3 IIS default page and paste it into the Lab Report file. On your local computer, save the updated spreadsheet as yourname_PFSENSE-FW-PLANNER-NAT-S2.xls, replacing yourname with your own name. Note: This completes Section 2 of this lab. Submit the yourname_PFSENSE-FW-PLANNER-NAT-S2.xls file you just completed as part of your deliverables.

Hi my name is Mo...today I will talk bout Intrusion Assessment Even with security measures such as firewalls, properly configured Virtual Private Networks (VPN), and secure network procedures, security incidents can arise from a number of sources. Sometimes, an incident is caused by human error or mistakes. Other times, a security incident can occur as a result of deliberate actions intended to cause loss or harm to the organization. To reduce the impact of security incidents and minimize the costs to the organization, actions must be taken to prevent, detect, respond, control, and document security incidents. System administrators and incident response teams use a variety of automated tools to investigate and respond to security incidents. These tools range from basic system utilities that report on the performance and configuration of a single workstation or server to enterprise-wide tools capable of finding, identifying, scanning, and reconfiguring information systems. System information tools such as Windows Computer Management and Windows Task Manager, provide information about the current operating state of a computer system. Windows Task Manager provides information about currently running tasks, use of system resources, and system performance. Windows Computer Management provides more detailed information about the system including: lists of services (applications and operating system components) and their current state, computer hardware configuration, security and system events, and scheduled tasks. Slide2 System configuration tools are used to scan an operating system and key software applications for security issues. Microsoft Baseline Security Analyzer (MBSA) is a system-scanning tool that scans workstations and servers running Microsoft Windows operating systems. MBSA will check for system administration and misconfiguration problems, application software issues including missing patches and updates, and missing or partially installed system security updates. Use system administration tools to gather information. Scan a computer system for vulnerabilities using automated tools. In this part of the lab, we looked at the running processes to see if remote desktop services are available. In an enterprise environment, the support technician might walk a user through this verification and, if necessary, provide instruction on how to enable remote desktop services so that the technician can log into the workstation to gather additional information and run tests. Remote desktop services can save an organization significant amounts of time and money by eliminating the need for many desk-side support visits by IT Help Desk technicians, We Scanned a Windows 2012 Server for Vulnerabilities Note: In the next steps, you will use Microsoft Baseline Security Analyzer to scan the Windows 2012 server for vulnerabilities. MBSA can be configured to check for missing updates and recommended security settings for Internet Explorer, Internet Information Server (IIS), Microsoft Office, and SQL Server. MBSA is more powerful than Windows Update because it checks system and software settings in the registry in addition to checking for required software updates. After the scan completes, MBSA will generate a report that identifies security issues and provides recommendations for system configuration changes required to mitigate or remove the vulnerabilities associated with those issues. 1. The scan will take several minutes. The report details will rank the severity of the results. 7. In the Additional System Information section of the report, review the issue related to Shares. Shares refers to shared folders on the scanned system. In a shared network environment, resources should be restricted to the users that are required to use those resources to perform their jobs. The more people who have access to a resource, the higher the potential for misuse of that resource. This process will reach out to Microsoft and query their update agent to analyze the server and determine which updates are not installed. This will take about 5-10 minutes. You will notice that there are more than 100 important updates, which would take at least an hour to download and require almost 1 Gigabyte of space, but you will only be installing one of the critical updates you identified in step 4, so your time will be considerably faster. 9. Slide 3 A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers. An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit this vulnerability, an attacker must be able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network. The update addresses the vulnerability by issuing a warning to users who attempt to install untrusted printer drivers. This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network. This security update is rated Critical for all supported releases of Microsoft Windows The update addresses the vulnerabilities by: · Correcting how the Windows Print Spooler service writes to the file system · Issuing a warning to users who attempt to install untrusted printer drivers Slide 4 What is Patch Management? Patch management is the process of installing (and managing) the latest patches - code changes which improve the system or fix security vulnerabilities — on various systems within a network. Tasks like deciding what patches are appropriate for particular systems, ensuring these patches are installed properly, testing systems after installation, all fall under patch management. The objective of patch management is to keep various systems in a network up-to-date and secure against various kinds of hacking and malware. Patch Management — Manual or Automated? Usually, automated patch management is preferred over manual patch management as the latter involves tasks which are quite tedious for IT admins. Whereas automated enterprise patch management streamlines the entire process by automating the delivery of operating systems and application related updates via a centralized patch management server. How Does Automated Patch Management Work? Most automated enterprise patch management tools carry out the patching process by deploying or installing agents on target computers. These agents provide a connection between the centralized patch server and the computers to be patched. They also carry out patching related tasks like sending alerts to the server, storing patches locally on the target computer prior to installation and automatically retrying failed patch installations etc. Patch Management — Benefits: Some of the benefits of patch management are: 1. Security: Security is the most obvious benefit offered by patch management, as software vendors most often release patches to fix security vulnerabilities which are being exploited by malicious software or people intending to damage the IT systems or network. Applying these security patches at the right time will greatly reduce security breaches of various kinds. 2. Productivity: Another major benefit of patch management is increased productivity. Often patches come with performance improvements for the products they apply to or fix crashes. Helping employees (their systems to be more precise) get rid of these issues will lead to a productivity boost. Which, in turn, means reduced downtime. 3. In Possession of the Latest: The world of technology is moving at a fast pace. And having an automated patch management software in place will help your organization keep up with the latest advancements in the technology without you having to do much about it. Because software patches usually contain new features or functionality and extend support to additional platforms. Patch Management — Essentials: A good patch management solution will contain the following capabilities: 1. Comprehensive Scanning: The patch management tool you use should have comprehensive scanning capabilities. That is, it should be able to scan your network thoroughly and identify missing patches. And the results it produces should be definitive with minimal false positives. It should also take into consideration when patches are updated or superseded. Otherwise, you'll be inundated with outdated and useless information. 2. Efficient Patch Deployment: Your patch management tool should efficiently install patches and updates across your network, taking into consideration bandwidth and other concerns such as spanning multiple domains or IP ranges. Efficient patch deployment is probably why you go for patch management tools. And if they cannot offer it, it's better not to go for such a product. 3. Detailed Reporting: Reporting is an important feature in virtually every enterprise network management product. IT administrators need a broader view of the overall patch status, current deployment progress, and issues which need addressing. So consider the types of reports you may need and select a patch management tool with reporting capabilities that match your requirements. I have a bit of a funny situation that occurred several years ago when I was just starting off as a network administrator. I wasn't very well-versed at configuring firewalls at the time and I was trying to teach myself how to configure things on routers in my spare time at home. At the time, I had a router with DD-WRT (a Linux-based firmware for overwriting default router firmware to give more advanced functionality) installed on it and I had tinkered around with it before but I only really played around with some of the more advanced WiFi settings and basic port forwarding for remotely accessing the device. I thought I was ready for doing more advanced tasks so I decided that I wanted to try printing from my laptop remotely through the router to my home printer. DD-WRT uses iptables commands for the firewall and at the time I was at the stage of learning where I just mostly copied and pasted configuration settings from online forums, not really knowing what I was doing. I had pretty much no experience at the time with VPN's so after days of trying to figure out how to VPN into my router to print, I just about gave up. It then occurred to me that my network printer utilized a certain port for printing and I had the not so bright idea of just opening up all ports to that particular IP address so I could just dial into the IP address of my house directly and directly map the printer using the exposed port. And it worked! I thought I was so smart that I figured out an alternative method of mapping the printer over the Internet other than using a VPN...until I got home. I got home and my printer was going off like crazy and it printed every single page I had in the tray with random messages like "You have been hacked by the hacked god" and other random things like that. Apparently I was not the only one who could connect to that printer as all ports were exposed. I immediately took that printer offline and closed the ports and decided to learn how to properly do what I wanted through a VPN. Although nothing serious was compromised, this could have turned out a lot worse for me as my printer only had very basic authentication (default user admin with a short password over an unencrypted connection) and I put my home network at risk by opening up all ports for that device. If compromised, the attacker could have then pivoted on my network to compromise my other devices. The blue firewall - a group of states that had consistently voted for the Democratic party in past elections - created a false sense of security. One of the most publicised concepts was the supposed "blue firewall", a group of states that had consistently voted for the Democratic party in past elections. If the Democrats could hold onto their lead in these states, they'd all but guarantee victory, or so the polling experts predicted... We all know now how that ended. The blue firewall created a false sense of security after all. Media pundits asked the prognosticators to answer the burning question: How did this seemingly secure firewall get breached? In many ways, the answer to this question reveals the cause of not only the blue firewall breach, but also of a firewall in your organisation: Merely having one in place is not enough to prevent a breach. Firewall, NGFW, and UTM appliances require you to dedicate resources just to maintain the status quo for your environment. The firewall appliance: Capacity constraints lead to limited security One recent example of this is the breach of Cisco's firewalls, routers, switches. A hacker group, called Shadow Brokers, discovered a previously unknown vulnerability that has been a key tool for the NSA's hacking team. Not long after exposing this vulnerability (CVE-2016-6415) on the web, it was used to breach Cisco's firewalls and compromise client data. While Cisco will soon have a patch available for this specific vulnerability, applying it to firewall appliances across distributed enterprises is a resource-intensive process. Meanwhile, the exploit window remains open. This is merely one example of many where the capacity constraints associated with managing firewall and UTM appliances become an anchor that weighs on your resources and forces your IT to compromise on security. A 2015 report on data breaches by Verizon found that 99.9 per cent of exploited vulnerabilities were compromised more than a year after the CVE was published. Patching is indeed a gaping hole in many IT organisations. The lesson to be learned here is: A firewall that isn't patched is like having no firewall at all. Let's digress for a minute and revisit the blue firewall. Data began mounting to show that the Democrats needed to spend more campaign resources to solidify their lead in these "firewall states". The Republicans targeted the blue firewall by devoting ad money and holding rallies in states like Michigan and Wisconsin to galvanise supporters and increase voter turnout. With their resources focused elsewhere, the Democrats left the firewall states largely undefended for months, failing to nurture their lead, thereby leaving exploit windows open. In the final days, statisticians revealed that the firewall may have been breached and that the race had tightened. But by then it was too late to patch up the vulnerabilities, and the blue firewall was breached. Physical appliances and publicly available firmware can be obtained and reverse-engineered by hackers. By using a FWaaS model, these resources are simply not accessible which greatly mitigates these risks. External, unauthorised attempts to access cloud infrastructure also raise a red flag that can be detected and addressed by the security team.

In a recent global research initiative, more than 700 networking, security and IT executives were asked to identify their top network and security challenges. Not surprisingly, more than 50 percent of CIO-level respondents said they plan to eliminate hardware appliances from their infrastructure in 2017; it wassurprising, however, that 41 per cent of respondents overall identified FWaaS as the most promising infrastructure protection technology. Just as Gartner predicts SD-WAN is primed to replace edge routers, so, too is security as a service becoming understood in new ways to protect the network's edge. https://www.itproportal.com/features/the-breached-blue-firewall-you-dont-want-it-in-your-data-centre/

Pop-up ads or pop-ups are forms of online advertising on the World Wide Web.[1] A pop-up is a graphical user interface (GUI) display area, usually a small window, that suddenly appears ("pops up") in the foreground of the visual interface. The pop-up window containing an advertisement is usually generated by JavaScript that uses cross-site scripting (XSS), sometimes with a secondary payload that uses Adobe Flash.[2] They can also be generated by other vulnerabilities/security holes in browser security. A variation on the pop-up window, the pop-under advertisement, opens a new browser window under the active window. Pop-unders do not interrupt the user immediately, but appear when the user closes the covering window, making it more difficult to determine which website created them.

Pop-up ads originated on the Tripod.com webpage hosting site in the late 1990s. JavaScript provided the capability for a web page to open another window. Ethan Zuckerman claims he used that capability to launch advertisements in separate windows as a response to complaints from advertisers about their ads appearing on pages with sexual content.[3] Zuckerman later apologized for the unforeseen nuisance pop-up ads had evolved into.[4] Pop-up ads originated on the Tripod.com webpage hosting site in the late 1990s. JavaScript provided the capability for a web page to open another window. Ethan Zuckerman claims he used that capability to launch advertisements in separate windows as a response to complaints from advertisers about their ads appearing on pages with sexual content.[3] Zuckerman later apologized for the unforeseen nuisance pop-up ads had evolved into.[4] Pop-up blocking Web development and design technologies allow an author to associate any item on a pop-up with any action, including with a cancel or innocent looking button. Because of bad experiences and apprehensive of possible damage that they may cause, some users do not click on or interact with any item inside a pop-up window whatsoever,[5] and may leave the site that generated them or block all pop-ups. Opera was the first major browser to incorporate tools to block pop-up ads; the Mozilla browser later improved on this by blocking only pop-ups generated as the page loads.[citation needed] In the early 2000s, all major web browsers except Internet Explorer let users block unwanted pop-ups almost completely. In 2004, Microsoft released Windows XP SP2, which added pop-up blocking to Internet Explorer.[6] Most modern browsers provide pop-up blocking tools; third-party tools add other features, such as ad filtering. Fake close buttons Users of websites and web applications continuously experience unwanted pop up ads through the course of their normal interaction with a web browser.[7] Ordinarily, users respond by dismissing the pop-up through the "close" or "cancel" feature of the window hosting the pop-up. Because this is a typical response, some authors of pop-up advertising depend on this, and create on-screen buttons or controls that look similar to a "close" or "cancel" option. When the user chooses one of these "simulated cancel" options, however, the button performs an unexpected or unauthorized action (such as opening a new pop-up, or downloading an unwanted file on the user's system).[5] Circumventing pop-up blockers Main article: Hover ad A hover ad or in-page pop-up uses DHTML to combine a banner ad and a pop-up window that appears in front of the browser screen. JavaScript imposes an advertisement over a webpage in a transparent layer. This advertisement can appear in a variety of forms. For example, an advertisement can contain an Adobe Flash animation that links to the advertiser's site. An advertisement can also look like a regular window. Pop-up blockers cannot block the ad because it is a part of the webpage, but it can be blocked with third-party ad blockers such as AdBlock and Adblock Plus, or by using custom style sheets. URL redirection URLs are sometimes redirected to advertisement pages by URL redirection. URLs are sometimes opened in a new tab and then the content of the old background tab will be replaced with an advertisement page by URL redirection, other times it switches the tab the user is on to the advertisement tab. Adblock Plus,[8] uBlock[citation needed] and NoScript[citation needed] cannot block these redirects. Techniques "Pop-ups" Certain types of downloaded content, such as images, free music, and others, can cause pop-ups, and therefore should not be trusted, especially pornographic sites' pop-ups (known as a "pornado" or "porn-storm", as coined by John C. Dvorak.)[9] Also, the pop-ups sometimes look like ordinary web pages, and the name of the site shows up in a search bar. Many websites use pop-ups to display information without disrupting the page currently open. For example, they may provide needed extra guidance when filling in a form on a web page, without causing loss of any information already entered into the form. Most pop-up blockers allow this kind of pop-up. Some, however, reload the page, losing any information the user entered. Some web based installers, such as that used by McAfee, use a pop-up to install software. On many internet browsers, holding down the ctrl key while clicking a link makes it bypass the popup filter.[10] Clicking (even accidentally) on one pop-up may open other pop-up ads. Pop-under ads Pop-under ads are similar to pop-up ads, but the ad window appears hidden behind the main browser window rather than superimposed in front of it. As pop-up ads became more widespread and more intrusive, often taking up whole computer screen, many users would immediately close the pop-up ads that appeared over a site without looking at them. Pop-under ads do not immediately impede the view of content, but remain unnoticed until the user closes or minimizes the main browser window. Pop-under ad technology A pop-under ad involves two JavaScript functions introduced in 1997 with the Netscape 2.0B3 browser. Modern web publishers and advertisers use it to create a window in front of the users screen, load an advertisement, and then send it behind the screen. // create a new window in front of the current site window.open( URL, windowName[, windowFeatures] ); // push the loaded advertisement back behind the browser window.focus(); Most modern browsers allow window.open to execute only if it was called by a user interaction (e.g., a mouse click) event handler. Any non-interactive calls (timer callback, load events, etc.) to window.open result in the new window being blocked. To bypass this restriction, most pop-under ads trigger on a mouse click event listener attached directly to the document or the document's body. This enables catching all mouse click events that were not consumed by other click event handlers, and calling window.open without being blocked. For example, when the user selects a text, the mouse click triggers the mouse click handler attached to the document and a pop-under opens using the above code. Notice that there are more techniques to bypass the window.open call restriction by "hijacking" mouse clicks. Patent controversy ExitExchange.com filed for a patent in 2000 on a subset of pop-under advertising called an exit pop. After years of controversy and numerous articles on the pop-under patent, the patent was awarded by the United States Patent and Trademark Office (USPTO) in April and June 2008.[11] The respective patent numbers are U.S. Patent 7,386,555 and U.S. Patent 7,353,229. Patent 7,386,555 is related to the method of opening an exit pop from a toolbar or software application on a computing device, whereas Patent 7,353,229 covers the method used to open an exit pop from an embedded script found within a media file (e.g., JavaScript code on a web page).

The USG is a small, portable hardware USB firewall that isolates a potentially harmful device from your computer. It's designed to prevent malicious USB sticks and devices laden with malware from infecting your computer. SECURITY 101 How to protect your privacy from hackers, spies, and the government Simple steps can make the difference between losing your online accounts or maintaining what is now a precious commodity: Your privacy. Read More You might be thinking, "What's the point?" The problem is that most computers automatically trust every USB device that's plugged in, which means malicious code can run without warning. It's not just computers: Cars, cash registers, and some ATMs also come with USB ports, all of which can be vulnerable to cyberattacks from a single USB stick. Enter the USG, a nifty tool for the privacy-minded and super paranoid that aims to solve that problem. Every USB device has its own micro-computer that runs its own firmware. It only takes one malicious USB stick to send a malicious message to your computer to cause damage. Top Google Chrome extensions for security,...SEE FULL GALLERY 1 - 5 of 64 NEXT That's where the USG firewall comes in. You plug in one end to your computer, and you plug in a suspect USB device into the other. A simple hardware serial link that only accepts a very few select number of safe commands, which prevents the device from executing system commands or intercepting network traffic. That means the data can flow from the USB device but effectively blocks other USB exploits. Avast Business Patch Management Keeps your Operating System and other third-party software applications up-to-date and protected against vulnerabilities and attacks with Avast Business Patch Management. Downloads provided by Avast Business These kinds of attacks might be rare, compared to spam, ransomware, and other kinds of malware, but they can still do considerable damage. Take Stuxnet, for example, the virus that damaged Iran's nuclear capabilities after a virus on a USB stick was smuggled in on a flash drive in 2010. The virus is thought to have been developed by the American and Israeli intelligence communities. Other previous research shows how easy it is to turn a normal USB stick into a BadUSB device, a benign-looking flash or thumb drive that's covertly running malicious firmware. And it's not just flash drives -- any kind of USB device, from webcams to keyboards and mice, can lead to a malware infection. While the USG will protect against low-level USB attacks, it won't protect against malware stored on the flash drive itself. Fisk explained on his Github page, where the code is available, that the project is "particularly useful for individuals and organizations that face advanced threats including corporate espionage or state sponsored attacks." Should you trust the USG? There's no reason not to. Robert Fisk, creator of the USG, the only developer of the USG firewall, says his "reputation hinges on the integrity of this project." He open-sourced the firmware so anyone can inspect the code, as well as compile it themselves on the device itself, and he has published the specifications of the USG hardware, so anyone can build one. Anyone can order one for $60.

ZDNET INVESTIGATIONS Researchers say a breathalyzer has flaws, casting doubt on countless convictions Lawsuits threaten infosec research — just when we need it most NSA's Ragtime program targets Americans, leaked files show Leaked TSA documents reveal New York airport's wave of security lapses US government pushed tech firms to hand over source code Millions of Verizon customer records exposed in security lapse Meet the shadowy tech brokers that deliver your data to the NSA Inside the global terror watchlist that secretly shadows millions 198 million Americans hit by 'largest ever' voter records leak Britain has passed the 'most extreme surveillance law ever passed in a democracy' Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it Leaked document reveals UK plans for wider internet surveillance

Even with security measures such as firewalls, properly configured Virtual Private Networks (VPN), and secure network procedures, security incidents can arise from a number of sources. Sometimes, an incident is caused by human error or mistakes. Other times, a security incident can occur as a result of deliberate actions intended to cause loss or harm to the organization. To reduce the impact of security incidents and minimize the costs to the organization, actions must be taken to prevent, detect, respond, control, and document security incidents. This five-step formula serves as the basis for incident response processes and procedures. System administrators and incident response teams use a variety of automated tools to investigate and respond to security incidents. These tools range from basic system utilities that report on the performance and configuration of a single workstation or server to enterprise-wide tools capable of finding, identifying, scanning, and reconfiguring information systems. System information tools such as Windows Computer Management and Windows Task Manager, provide information about the current operating state of a computer system. Windows Task Manager provides information about currently running tasks, use of system resources, and system performance. Windows Computer Management provides more detailed information about the system including: lists of services (applications and operating system components) and their current state, computer hardware configuration, security and system events, and scheduled tasks. System configuration tools are used to scan an operating system and key software applications for security issues. Microsoft Baseline Security Analyzer (MBSA) is a system-scanning tool that scans workstations and servers running Microsoft Windows operating systems. MBSA will check for system administration and misconfiguration problems, application software issues including missing patches and updates, and missing or partially installed system security updates. Upon completing this lab, you will be able to: Use system administration tools to gather information. Scan a computer system for vulnerabilities using automated tools. Explain the use of automated tools to gather information as part of an incident response process. Note: System performance information supplements information gathered by automated tools. Some IT Help Desks will ask an end user to perform these tasks while on the phone with a Level 1 support technician. In this part of the lab, you will also look at the running processes to see if remote desktop services are available. In an enterprise environment, the support technician might walk a user through this verification and, if necessary, provide instruction on how to enable remote desktop services so that the technician can log into the workstation to gather additional information and run tests. Remote desktop services are a double-edged sword. Remote desktop services can save an organization significant amounts of time and money by eliminating the need for many desk-side support visits by IT Help Desk technicians, but those same remote login services can become a vulnerability to be exploited by both internal and external threat agents. 1. On the vWorkstation desktop, double-click the Connections folder. 2. In the Connections folder, double-click the TargetWindows05 RDP shortcut to open a remote connection to the TargetWindows05 machine. If prompted, type the following credentials and click OK to open the remote connection. Username: Administrator Password: P@ssw0rd! The remote desktop opens with the IP address of TargetWindows05 (172.30.0.31) in the title bar at the top of the window. 3. On the TargetWindows05 desktop, right-click the taskbar and select Task Manager from the context menu to launch the Windows Task Manager. If necessary, click the More details link in the lower left corner of the Task Manager window to match the following figure. Figure 1 Windows Task Manager 4. In the Task Manager window, click the Services tab to view the complete list of system services. 5. On the Services tab, click the Name column to sort the list of services alphabetically. 6. Scroll through the list of services until you find a process associated with Remote Desktop Services. Figure 2 Windows Task Manager dialog box: Services tab 7. Repeat steps 5-6 for the Description column. As you can see, the words Remote Desktop Services might appear in either the Name or Description columns. 8. Make a screen capture showing all the processes associated with Remote Desktop Services and paste it into your Lab Report file. 9. In the Task Manager window, click the Performance tab and wait 45-60 seconds for the history graphs to display data on 50% or more of the graph. Figure 3 Windows Task Manager dialog box: Performance tab 10. Make a screen capture showing the current system performance and paste it into your Lab Report file. 11. Close the Windows Task Manager. 12. From the TargetWindows05 taskbar, right-click the Windows Start button and select Control Panel to open the Control Panel window. 13. In the Search Control Panel box, type Administrative Tools and press Enter to search for the Administrative Tools. Figure 4 Control Panel search 14. From the search results, click the Administrative Tools link to open the Administrative Tools window. 15. In the right pane of the Administrative Tools window, double-click the Computer Management shortcut to launch the Computer Management tool. If necessary, maximize the window. Figure 5 Computer Management application window 16. In the left pane of the Computer Management window, navigate to the Application Log (System Tools > Event Viewer > Windows Logs > Application). The Windows Application Log records information about events. It will record successful operations, system warnings, error messages about failed operations, as well as information about both successful and unsuccessful logon attempts. The log is dynamic; your results will not match the following figures. Figure 6 Windows Application Log 17. Make a screen capture showing the Windows Application Log and paste it into your Lab Report file. 18. In the Actions pane on the right-hand side of the window, click Filter Current Log to open the Filter Current Log form. 19. In Filter Current Log form, under the Event level section, click each of the following checkboxes to select these event levels, then verify that the Verbose and Information checkboxes are unchecked. Critical Warning Error Figure 7 Filter Current Log form 20. Click OK to filter the log entries. 21. In the filtered log list, click the first Error line item, then review the Log Entry in the bottom pane. If necessary, drag the top border of the bottom pane up to view the entire event. Figure 8 Filtered Application Log 22. Make a screen capture showing the entire event entry for the error and paste it into your Lab Report file. Note: Many log files contain thousands of entries, making them difficult to scan by eye when looking for evidence. Using a filter can help an analyst to quickly find events of interest, especially when other information is available about the type of attack or when the attack occurred. The drawback to using filtering to reduce the number of entries is that the filter might exclude events that would be of interest if the analyst had seen them. 23. In the left pane of the Computer Management window, click the Security link to open the Security Log, then compare the information gathered in this log with that displayed in the Application Log. 24. In the left pane of the Computer Management window, click the System link to open the System Log, then compare the information gathered in this log with that displayed in the other logs. 25. In the left pane of the Computer Management window, navigate to the Services link (Services and Applications > Services). 26. At the bottom of the Computer Management window, click the Standard tab to change the view. 27. In the Services list, use the scrollbar to locate the group of services that manage the Remote Desktop Services. Figure 9 List of Windows services that manage the Remote Desktop Services 28. Make a screen capture showing the Status and Startup Type columns for the Windows services that manage Remote Desktop Services and paste it into your Lab Report file. 29. Close any open windows. Part 2: Scan a Windows 2012 Server for Vulnerabilities Note: In the next steps, you will use Microsoft Baseline Security Analyzer to scan the Windows 2012 server for vulnerabilities. MBSA can be configured to check for missing updates and recommended security settings for Internet Explorer, Internet Information Server (IIS), Microsoft Office, and SQL Server. MBSA is more powerful than Windows Update because it checks system and software settings in the registry in addition to checking for required software updates. After the scan completes, MBSA will generate a report that identifies security issues and provides recommendations for system configuration changes required to mitigate or remove the vulnerabilities associated with those issues. 1. On the TargetWindows05 desktop, double-click the Microsoft Baseline Security Analyzer 2.3 icon to launch the Microsoft Baseline Security Analyzer application. If necessary, resize the window so it fills the screen. Figure 10 Microsoft Baseline Security Analyzer 2. On the MBSA landing page, click the Scan a computer link to configure the security scan. 3. In the Options section of the page, verify that the Check for security updates checkbox is selected. 4. In the Options section of the page, click the Advanced Update Service Options checkbox, then click the Scan using Microsoft Update only option to confine the update scan to Microsoft updates. Figure 11 Setting scan options 5. Click the Start Scan button to begin the scan. The scan will take several minutes. The report details will rank the severity of the results. Use the scrollbar to review the results. Figure 12 Report details 6. Make a screen capture showing the first page of the report, including the header, and paste it into your Lab Report file. 7. In the Additional System Information section of the report, review the issue related to Shares. Shares refers to shared folders on the scanned system. In a shared network environment, resources should be restricted to the users that are required to use those resources to perform their jobs. The more people who have access to a resource, the higher the potential for misuse of that resource. Figure 13 Additional System Information report 8. For the Shares issue, click the What was scanned link to display the results in a new window. Figure 14 What was scanned 9. Close the What was scanned window. 10. For the Shares issue, click the Results Details link to display the results in a new window. 11. Make a screen capture showing the result details for the Shares issue and paste it into your Lab Report file. 12. Close any open windows. 13. Close the remote TargetWindows05 connection. Note: This completes Section 1 of this lab. There are no deliverable files for this section. Note: System performance information supplements information gathered by automated tools. Some IT Help Desks will ask an end user to perform these tasks while on the phone with a Level 1 support technician. In this part of the lab, you will also look at the running processes to see if remote desktop services are available. In an enterprise environment, the support technician might walk a user through this verification and, if necessary, provide instruction on how to enable remote desktop services so that the technician can log into the workstation to gather additional information and run tests. Remote desktop services are a double-edged sword. Remote desktop services can save an organization significant amounts of time and money by eliminating the need for many desk-side support visits by IT Help Desk technicians; but, those same remote login services can become a vulnerability that is exploited by both internal and external threat agents. 1. Open a remote connection to the TargetWindows05 machine. If prompted, enter the following credentials to log on to the server. Username: Administrator Password: P@ssword! 2. Launch the Task Manager. If necessary, click the More details link in the lower left corner of the Task Manager window to match the following figure. Figure 15 Windows Task Manager 3. In the Task Manager, click the Services tab and locate the processes associated with Remote Desktop Services. The words Remote Desktop Services might appear in either the Name or Description columns. 4. Make a screen capture showing all the processes associated with Remote Desktop Services and paste it into the Lab Report file. 5. In the Task Manger, click the Performance tab and wait 45-60 seconds for the history graphs to display data on 50% or more of the graph. Figure 16 Windows Task Manager dialog box: Performance tab 6. Make a screen capture showing the current system performance and paste it into the Lab Report file. 7. From the Performance tab, launch the Resource Monitor and review the data gathered on each tab. 8. On the Memory tab of the Resource Monitor, locate all of the processes associated with AVG. 9. Make a screen capture showing the AVG processes on the Memory tab and paste it into the Lab Report file. 10. On the Network tab of the Resource Monitor, expand the Network Activity section. 11. Launch the AVG application. Position the windows to view the Network processes behind the AVG window. In the next step, you will update the AVG definition files and make a screen capture showing the URL AVG accesses during the update process. If you miss the screen capture, you can click the update icon in the lower-right corner of the AVG window to repeat the scan and attempt the screen capture process again. Figure 17 Position open windows 12. In the AVG window, click the Fix Now button, then make a screen capture showing the AVG update URL in the Resource Monitor and paste it into the Lab Report file. 13. Close any open windows. 14. Launch a Command Prompt window and execute compmgmt to launch the Computer Management tool. Figure 18 Computer Management application window 15. In the Computer Management tool, navigate to the Windows Application Log (Computer Management (Local) > System Tools > Event Viewer > Windows Logs > Application). The Windows Application Log records information about events. It will record successful operations, system warnings, error messages about failed operations, as well as information about both successful and unsuccessful logon attempts. This will take about 2 minutes to populate with information. 16. From the Actions pane, filter the log to show only the following event levels. Critical Warning Error 17. Make a screen capture showing the entire entry for the first Application error and paste it into the Lab Report file. Note: Many log files contain thousands of entries making them difficult to scan by eye when looking for evidence. Using a filter can help an analyst to quickly find events of interest especially when other information is available about the type of attack or when the attack occurred. The drawback to using filtering to reduce the number of entries is that the filter might exclude events that would be of interest if the analyst had seen them. 18. Repeat steps 15-17 for the System Log. 19. In the Computer Management tool, navigate to the Windows Security Log (Computer Management (Local) > System Tools > Event Viewer > Windows Logs > Security). 20. Make a screen capture showing the entire entry for the first Security issue and paste it into the Lab Report file. 21. In the Computer Management tool, navigate to the Services list (Services and Applications > Services), then click the Standard tab at the bottom of the window to change the view. 22. In the Services list, locate the group of services associated with Remote Desktop Services. 23. Make a screen capture showing the Status and Startup Type columns for the Windows services that manage Remote Desktop Services and paste it into the Lab Report file. 24. In the Services list, double-click the Remote Desktop Services service to open the Remote Desktop Services Properties dialog box, then click the Dependencies tab. 25. Make a screen capture showing the Dependencies tab and paste it into the Lab Report file. 26. Close any open windows. Part 2: Scan a Windows 2012 Server for Vulnerabilities Note: In the next steps, you will use Microsoft Baseline Security Analyzer to scan the Windows 2012 server for vulnerabilities. MBSA can be configured to check for missing updates and recommended security settings for Internet Explorer, Internet Information Server (IIS), Microsoft Office, and SQL Server. MBSA is more powerful than Windows Update because it checks system and software settings in the registry in addition to checking for required software updates. After the scan completes, MBSA will generate a report that identifies security issues and provides recommendations for system configuration changes required to mitigate or remove the vulnerabilities associated with those issues. 1. From the TargetWindows05 desktop, launch the Microsoft Baseline Security Analyzer 2.3 application. If necessary, maximize the window. 2. Click the Scan a computer link and configure and run a scan that will check for security updates using the Advanced Update Services and only search Microsoft Update. 3. Make a screen capture showing the report header and the Security Update Scan Results and paste it into the Lab Report file. 4. Review the Result Details for the Windows Security Updates Issue. 5. Make a screen capture showing the ID numbers and KB (Knowledge Base) numbers for the first page of critical updates and paste it into the Lab Report file. This page should include 3 critical updates with an MS ID number. 6. Close any open windows. 7. On the TargetWindows05 desktop, right-click the This PC icon and select Properties from the context menu to open the System window. 8. From the left pane, click the Windows Update link, then click the Check for updates button. This process will reach out to Microsoft and query their update agent to analyze the server and determine which updates are not installed. This will take about 5-10 minutes. You will notice that there are more than 100 important updates, which would take at least an hour to download and require almost 1 Gigabyte of space, but you will only be installing one of the critical updates you identified in step 4, so your time will be considerably faster. 9. When the query is complete, click the important updates are available link to select specific updates. Figure 19 Specify updates 10. De-select the entire list of updates and select one of the three critical updates with an MS ID number identified in step 5. The updates in MBSA are identified by an ID number. The updates in the Windows Update tool are identified by a KB (Knowledge Base) number. You will need to scan the entire list to find one of the security updates identified in step 5. 11. At the bottom of the Windows Update window, click the Install button to begin the installation process. This process may take up to 20 minutes to complete. During the installation process, do not touch any keys or interact with the lab, as the update process is very CPU-intensive and may result in the virtual machine freezing. 12. When prompted, click the Restart now button to restart

TargetWindows05. While the TargetWindows05 machine will shut down quickly, the backend process for resetting the lab will take about 10 minutes to complete. When the Connections folder on the vWorkstation is displayed, wait another 10 minutes before proceeding. 13. From the Connections folder, open a remote connection to TargetWindows05. 14. Launch MBSA and repeat the scan you configured in step 2. 15. Make a screen capture showing the scan results that do not include the update you just installed and paste it into the Lab Report file. 16. In the Lab Report file, identify the KB number of the update that you installed. 17. Close any open windows. Note: This completes Section 2 of this lab. There are no deliverable files for this section.

Firewall Best Practices - Egress Traffic Filtering In Spanish Too many network administrators think only to protect their private network resources from external attacks when assessing security threats. Today's landscape is littered with threats that emanate from malware-infected endpoints. Attackers can use these to collect and forward sensitive information from your network or to attack or spam other networks. Companies large and small are better served when network administrators are equally concerned with threats that are associated with outbound connections. In this column, I discuss ways organizations can improve their risk profile and be better 'netizens by implementing egress traffic filtering. Filter Egress Traffic to Protect Yourself If you don't restrict the services that hosts in your internal networks can access, malware will inevitably find its way onto some of your hosts and may exfiltrate data to a location that an attacker controls. Data exfiltration could be also unintentional, i.e., an insider might incorrectly attach sensitive information an email message to upload it to a document sharing service. Sadly, data exfiltration often results from configuration error: misconfigured NetBIOS, DNS, or other service traffic can leak from your trusted networks and be captured or exploited by external parties. Irrespective of the cause, data exfiltration is a threat you can't mitigate without egress traffic enforcement, and one you can't readily detect if you don't log and monitor traffic behavior associated with permitted and prohibited services. Filter Egress Traffic to Do No Harm to Others In the most lax of configurations - and sadly, in many default configurations - a firewall or router may treat and forward traffic it receives from any source address as valid. Fred Avolio calls this "The Nefarious Any". Such configurations are green fields for attacks that make use of forged source IP addresses (IP spoofing). Compromised or unauthorized hosts that gain access to your local networks often use IP spoofing to attack (DDoS) other networks, to store child abuse or other illegal material, or to conduct spam or phishingcampaigns. This is problem enough in NAT environments: in poorly implemented router configurations, especially where you have multiple access points to the Internet, your organization can inadvertently behave as a transit network for forged, malicious traffic emanating from other organizations. Compromised or unauthorized systems can play roles in criminal activities without the use of spoofed addresses, too. A compromised server or user device on any of your internal networks (trusted, DMZ, guest) can be used to generate spam, host malware or phishing sites. A compromised DNS name server can host zone data for a malicious domain. Improperly configured, your DNS resolver - or possibly any UDP-based service you use (chargen, NTP) - can support a criminal conspiracy! Just as egress traffic filtering can help mitigate data exfiltration from your networked assets, so can it help you protect the world from your network. Step #1: Egress Traffic Enforcement Policy Motivated? Good. Begin by consulting your company's Security Policy and/or Acceptable Use Policy (AUP). If you don't have such policies, gather stakeholders and define them. Include as stakeholders individuals who are not only responsible for implementing your company's network security but also those individuals who are party to risk management and mitigation. Without clearly-defined notions of network security and a strict application and traffic policy you intend to enforce, your firewall configuration will end up being little more than an ad hoc and troublesome listing of outbound rules to meet users' perceived needs, instead of a well conceived policy designed to protect the company's resources. Compose a list of the approved Internet-accessible services. For an organization that outsources email and DNS, this list might include DNS, POP/IMAP, SMTP, NTP, and HTTP/HTTPS. Think, too, about malicious destinations - botnet C&Cs, hijacked address space, notorious (bad) hosting providers - and how you might block these. If your organization supports services like email and DNS from its own internal servers, compose a list of these services and service hosts (domain names and IP addresses). List any Internet servers these must communicate with. If, for example, you run a split-DNS then include any public servers your DNS server contacts for zone transfers, uses as resolvers, etc. If you run SMTP, include any mail servers with which you exchange mail directly (typically, your ISP's mail hosts). If you intend to implement content exit controlat a proxy or firewall, enumerate the types of content you will permit or deny. You many also find it necessary to identify permission sets for user groups if your content exit control is not a "one glove fits all" policy. Accept the fact that your firewall configuration will deviate from the ideal enforcement policy you develop following this exercise. Such deviations or exceptions may be necessary to accommodate senior management, business relationships, or sometimes for lack of a better or more secure path to completing a critical project. Assess the risk of each deviation, call attention to the security risks inherent in any alteration you are required to make to the firewall's egress policy, and consider how you might compensate by implementing a complementary security measure. Step #2: Kill the Nefarious ANY The best way to configure egress traffic filtering policies is to begin with a DENY ALL outbound policy, packet filter, or firewall rule. This creates a "nothing leaves my network without explicit permission" security baseline. Next, add rules to allow authorized access to the external services identified in your egress traffic enforcement policy. Add granular, restrictive rules to allow administrators access to network and security systems outside your firewall. Lastly, add rules to allow servers you operate from your trusted network to communicate with Internet-hosted servers. Let's examine each of these general policies in some detail. Restrict Internet Access to Authorized Sources In many firewalls, the default egress traffic policy for trusted networks is to allow any source address in outbound packets: literally, if the source address is syntactically correct, your firewall will forward it. This is overly permissive for any network, large or small. Prune it. List the IP subnet numbers or individual IP addresses of hosts that are authorized (trusted) to make use of externally hosted services. Limit the addresses allowed to send traffic to Internet destinations by configuring policies such as these: Block IP spoofing. Only allow source addresses from the IP network numbers you assign to internal networks to pass through your firewall (trusted, DMZ, guest). This includes primary and secondary network numbers, and subnets that are routed to the Internet through your firewall (including addresses reserved for VPN clients). Only allow traffic from address space you actually use. Apply appropriate subnet masks to internal networks, i.e., masks that are sufficiently long to identify only that fragment of the IP network number that you are using. For example, if you are using an RFC 6761 Private Address from 172.16.0.0 and only assigning numbers from 172.16.1.x, use 255.255.255.0 (or /24) and not 255.255.0.0 (or /16) as your subnet mask. (Same rule applies for RFC 4913 Private addresses for IPv6. Block traffic from any RFC 6761 or RFC 4913 private addresses from being forwarded over your Internet access circuit. Many ISPs block incoming traffic containing private addresses but you're forcing your ISP to process traffic you ought to block. Block outbound traffic from VLAN workgroups or entire network segments that has no business establishing client connections to Internet servers. Block broadcast traffic. Most Internet-facing firewalls operate in routed mode where broadcasts will not pass across LAN segments. Understand the implications(limitations?) of using transparent (layer 2) firewalls in Internet firewall deployments. Block all outbound traffic from internal servers that have no business establishing client connections to destinations outside your trusted networks. An example might be an intranet server that relies entirely on internally provided services (DNS, mail, time, etc.) and by design uses no applications that require Internet access. Block outbound traffic with destinations that are listed on DROP (Don't router or peer) or BGP filter lists. Spamhaus, for example, maintains lists of networks that have been hijacked by spammers, phishers, botnet C&C's and other malicious traffickers. Data centers, universities, and large end user networks especially benefit from this kind of filtering when their ISPs do not implement them. Restrict Internet-Accessible Services (Destinations) The Nefarious ANY appears again in the default egress traffic policy of firewalls that allow hosts on internal networks to access any service (port) on Internet hosts if forwarding to the destination is permitted. Limit the destination ports on Internet-directed traffic in the following ways: Only allow outbound connections to those services your egress traffic enforcement policy allows. Only allow client hosts to access authorized services from authorized external servers. If your employees use your ISP for email services, for example, limit outbound SMTP and POP connections to your ISP's POP and SMTP servers. Only allow client hosts to send DNS queries to resolvers you manage or responsibly managed open resolvers. Open resolvers are routinely exploited in DDoS attacks: harden your resolvers and don't use others that operate "open" badly. For inter-server communications involving external servers, only allow access to service ports your internal servers must use to operate correctly. If you operate your own mail servers, make certain that only these servers establish outbound SMTP connections. If you operate an HTTP proxy, or a proxy system that performs some form of web URL or content filtering, only allow outbound connections through your firewall from the proxy(ies). If you provide DNS internally, or use a split DNS, use internal resolvers as forwarders for your internal networks. If you make use of a private namespace that is not delegated from the public DNS, consider measures to prevent private name space queries from leaking into the public DNS (hard) or use a FQDN (fully qualified domain) for your private name space. Block routing protocols at your firewall. This is important for large enterprises with multiple firewalls and Internet access routers as well as small businesses with broadband connections that use a firewall to exchange and negotiate PPP over Ethernet (PPPoE). If your firewall is participating in external routing, make certain your advertisements correctly enumerate your IP networks. If you authorize services that make use of unique ports for remote desktop, subscription, licensing channels (e.g., GoToMyPC, BackWeb, Microsoft), only allow access to these services from hosts that are authorized to use them. Testing and Monitoring Egress Traffic Policies Firewall configuration testing remains an acquired skill, effectively performed by firewall experts, auditors or security professionals with this special expertise. Because many egress traffic-handling policies will be source address dependent, you can achieve some confidence that your configuration satisfies your policies by logging intensely, running address and port scanning tools, and confirming that your allow/deny results are what you expect. Rigorous logging of denied outbound connections could help identify scofflaws that are either ignorant or defiant of your AUP, as well as provide early warning of infections. Where possible, cause potentially dangerous denied outbound packets to trigger notification for further investigation. Consider, too, tools like ftester (now deprecated but still available), NMAP, Nessus, or some of the commercial software listed at Security Wizardry if you are looking for automated alternatives. nd here.

Conclusion When I first wrote this article with Nathan Buff in 2003 we concluded that configuring egress traffic policies is admittedly more time consuming than not, and that your organization should rightly assess whether the time invested and the improved risk profile you achieve when you take this initiative is justified. This was perhaps too soft a sell. Events throughout the past 18 months (2013-2014) bear evidence that motives to exfiltrate data will only increase. I now believe that governments and private organizations are near the tipping point and no longer willing to passively accept the current threat condition but now actively investigating ways to mitigate harm resulting from the lax security practices of others. It may only be a small matter of time before regulatory compliance or fear of being held contributory to a criminal act or liable for financial loss will drive many organizations to choose to implement stringent egress traffic policies. Use the time wisely. The original (2003) version of this article can be fou

Have a question? Ask or enter a search term. SEARCH Symmetric vs. Asymmetric Encryption - What are differences? SSL Information Information security has grown to be a colossal factor, especially with modern communication networks, leaving loopholes that could be leveraged to devastating effects. This article presents a discussion on two popular encryption schemes that can be used to tighten communication security in Symmetric and Asymmetric Encryption. In principle, the best way to commence this discussion is to start from the basics first. Thus, we look at the definitions of algorithms and key cryptographic concepts and then dive into the core part of the discussion where we present a comparison of the two techniques. Algorithms An algorithm is basically a procedure or a formula for solving a data snooping problem. An encryption algorithm is a set of mathematical procedure for performing encryption on data. Through the use of such an algorithm, information is made in the cipher text and requires the use of a key to transforming the data into its original form. This brings us to the concept of cryptography that has long been used in information security in communication systems. Cryptography Cryptography is a method of using advanced mathematical principles in storing and transmitting data in a particular form so that only those whom it is intended can read and process it. Encryption is a key concept in cryptography - It is a process whereby a message is encoded in a format that cannot be read or understood by an eavesdropper. The technique is old and was first used by Caesar to encrypt his messages using Caesar cipher. A plain text from a user can be encrypted to a ciphertext, then send through a communication channel and no eavesdropper can interfere with the plain text. When it reaches the receiver end, the ciphertext is decrypted to the original plain text.

Cryptography Terms Encryption: It is the process of locking up information using cryptography. Information that has been locked this way is encrypted. Decryption: The process of unlocking the encrypted information using cryptographic techniques. Key: A secret like a password used to encrypt and decrypt information. There are a few different types of keys used in cryptography. Steganography: It is actually the science of hiding information from people who would snoop on you. The difference between steganography and encryption is that the would-be snoopers may not be able to tell there's any hidden information in the first place. Symmetrical Encryption Symmetric Encryption This is the simplest kind of encryption that involves only one secret key to cipher and decipher information. Symmetrical encryption is an old and best-known technique. It uses a secret key that can either be a number, a word or a string of random letters. It is a blended with the plain text of a message to change the content in a particular way. The sender and the recipient should know the secret key that is used to encrypt and decrypt all the messages. Blowfish, AES, RC4, DES, RC5, and RC6 are examples of symmetric encryption. The most widely used symmetric algorithm is AES-128, AES-192, and AES-256. The main disadvantage of the symmetric key encryption is that all parties involved have to exchange the key used to encrypt the data before they can decrypt it. Asymmetrical Encryption Asymmetric Encryption Asymmetrical encryption is also known as public key cryptography, which is a relatively new method, compared to symmetric encryption. Asymmetric encryption uses two keys to encrypt a plain text. Secret keys are exchanged over the Internet or a large network. It ensures that malicious persons do not misuse the keys. It is important to note that anyone with a secret key can decrypt the message and this is why asymmetrical encryption uses two related keys to boosting security. A public key is made freely available to anyone who might want to send you a message. The second private key is kept a secret so that you can only know. A message that is encrypted using a public key can only be decrypted using a private key, while also, a message encrypted using a private key can be decrypted using a public key. Security of the public key is not required because it is publicly available and can be passed over the internet. Asymmetric key has a far better power in ensuring the security of information transmitted during communication. Asymmetric encryption is mostly used in day-to-day communication channels, especially over the Internet. Popular asymmetric key encryption algorithm includes EIGamal, RSA, DSA, Elliptic curve techniques, PKCS. Asymmetric Encryption in Digital Certificates To use asymmetric encryption, there must be a way of discovering public keys. One typical technique is using digital certificates in a client-server model of communication. A certificate is a package of information that identifies a user and a server. It contains information such as an organization's name, the organization that issued the certificate, the users' email address and country, and users public key. When a server and a client require a secure encrypted communication, they send a query over the network to the other party, which sends back a copy of the certificate. The other party's public key can be extracted from the certificate. A certificate can also be used to uniquely identify the holder. SSL/TLS uses both asymmetric and symmetric encryption, quickly look at digitally signed SSL certificates issued by trusted certificate authorities (CAs). Comodo COMODO CERTIFICATES Symantec SYMANTEC CERTIFICATES GlobalSign GLOBALSIGN CERTIFICATES GeoTrust GEOTRUST CERTIFICATES Thawte THAWTE CERTIFICATES RapidSSL RAPIDSSL CERTIFICATES AlphaSSL ALPHASSL CERTIFICATES Difference Between Symmetric and Asymmetric Encryption Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetrical encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating. Symmetric encryption is an old technique while asymmetric encryption is relatively new. Asymmetric encryption was introduced to complement the inherent problem of the need to share the key in symmetrical encryption model, eliminating the need to share the key by using a pair of public-private keys. Asymmetric encryption takes relatively more time than the symmetric encryption. Conclusion When it comes to encryption, the latest schemes may necessarily the best fit. You should always use the encryption algorithm that is right for the task at hand. In fact, as cryptography takes a new shift, new algorithms are being developed in a bid to catch up with the eavesdroppers and secure information to enhance confidentiality. Hackers are bound to make it tough for experts in the coming years, thus expect more from the cryptographic community!

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms.[1]

IDS types range in scope from single computers to large networks.[2] The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of an HIDS, while a system that analyzes incoming network traffic is an example of an NIDS. It is also possible to classify IDS by detection approach: the most well-known variants are signature-based detection (recognizing bad patterns, such as malware); and anomaly-based detection (detecting deviations from a model of "good" traffic, which often relies on machine learning), another is reputation-based detection (recognizing the potential threat according to the reputation scores). Some IDS products have the ability to respond to detected intrusions. Systems with response capabilities are typically referred to as an intrusion prevention system.[3] Intrusion detection systems can also serve specific purposes by augmenting them with custom tools, such as using a honeypot to attract and characterize malicious traffic.[4]

Fundamentals of Firewall Deployment INTRODUCTION Unit 4 continues the technical overview of network security, firewalls, and virtual private networks (VPNs), with a particular focus on firewall technologies. A firewall is typically an important feature of an enterprise network infrastructure, and may range from quite simple to extremely complex in design. You learn about how firewalls interact with intrusion detection and other monitoring systems. A focus on firewall design principles, including least privilege, simplicity, defense in depth, and universal participation informs your understanding of firewall deployment considerations. In the hands-on lab you configure a firewall server. LEARNING ACTIVITIES Collapse All Toggle Drawer[u04s1] Unit 4 Study 1 Studies Reading Read the following in Network Security, Firewalls, and VPNs: Chapter 7, "Firewall Basics," pages 213-243. Chapter 8, "Firewall Deployment Considerations," pages 248-269. Read the following in the Capella Library: Kumar, M., Kaur, N., Kaur, S., & Singh, R. (2016). Different security threats and its prevention in computer network. International Journal of Advanced Research in Computer Science, 7(6), 85-88.This resource identifies network security threats and details preventative measure to protect a computer network. Dhore, M. L., & Aldhaheri, R. (2017). Case study on firewall rules analysis for CWN. International Journal of Computer Networks and Communications Security, 5(2), 20-27.This resource explains an approach for analyzing rules implemented on a firewall to find hidden anomalies. Skillsoft Resources In CompTIA Network+ N10-006: Network Security [Tutorial], view: Network Access Control Models. Learning Components This activity will help you achieve the following learning components: Understand the security issues related to spoofing, and broadcast and outbound traffic. Review examples of firewall rules. Understand the principles behind spoofing, and broadcast and outbound traffic. Toggle Drawer[u04d1] Unit 4 Discussion 1 Firewall Breaches Research a specific case, or speak from your own personal or professional experience, of a significant firewall breach of an enterprise network environment, and discuss the attack vectors and techniques used to carry out the attack, the probable motivation of the attacker, how the incident was detected, and the steps taken to mitigate the effects of the attack. Response Guidelines Read the posts of your peers and respond to two (minimum) and expand on the concepts covered in their initial post. The quantity and quality of your posts will determine the value of the group's learning experience. Provide a substantive and appropriate response. Resources Discussion Participation Scoring Guide. Toggle Drawer[u04v1] Unit 4 Virtual Resource 1 Configuring a pfSense Firewall on the Server Read the requirements for all related course activities before completing this lab. Take notes as needed as you complete the lab to help you complete those activities. Select the linked title heading above to access a lab arranged through the textbook publisher. Follow the lab instructions carefully. Note: You are only responsible for completing sections 1 and 2 of the lab. Download the Assignment Template found in the Resources and use it for both your lab screenshots and your assignment responses. Take the following screenshots during the lab:Section 1:Part 1 - Steps 10 and 15.Part 2 - Step 7.Section 2:Part 1 - Steps 7 and 11.Part 2 - Steps 3 and 9. Jones & Bartlett Technical Support If you have technical issues pertaining to accessing JBL virtual labs, contact JBL Technical Support: E-mail: [email protected] Phone: 1-800-832-0034, option 5. Resources Assignment Template. Toggle Drawer[u04a1] Unit 4 Assignment 1 Firewall Rules By now you should have finished Sections 1 and 2 of the unit lab and saved your screenshots to a Word document. Scenario

Imagine that you are a security consultant working to test a firewall security solution in a small enterprise network. You discover that the enterprise's firewall has permit and deny rules applied only to ingress traffic. The enterprise's security policy explicitly requires that the firewall block egress IP spoofing, block broadcast traffic, and block all outbound traffic from internal servers. Directions Consider your lab work and other studies to address each of the following in the Word document that contains your lab screenshots. Clearly label each section. Describe briefly what you learned or observed in the lab and include it in the section with your screenshots. Be specific. Explain the reasons for having the firewall rules stated in the scenario above. Construct a firewall rule to block each of the following from internal servers on the 209.222.18.0 network (Note: use this structure: [Protocol] [Source Address] [Source Port] [Target Address] [Target Port] [Action]:Egress IP spoofing.Broadcast traffic.Outbound traffic. Submission Instructions Submit your assignment in a Word document with well-labeled responses. Resources

The Target incident opened a lot of eyes to the potential impacts of a security breach. While a lot is still unknown, there is significant information available about what happened and it's worth taking a closer look at steps that enterprise security teams can employ to prevent their organizations from becoming victims of similar attacks. Based on the reported details, clearly malware, even well-known attack variants familiar to security vendors and researchers, remains highly difficult to detect and deter altogether. The attack that compromised Target's point-of-sale devices was no cutting-edge advanced persistent threat, but rather a variation on a well-known piece of code available for only $2,000. These details highlight the fact that despite continued evolution of malware analysis engines and solutions, some percentage of attacks will always evade initial detection and subsequent prevention. That said - what approach could security and IT risk management officials at Target and other enterprises invoke to prevent a repeat of such devastating results? For starters, there's absolutely no reason that once a malware threat compromised one of Target's point of sale systems, or even a small subset linked together for business purposes, this should have resulted in successful compromise of many other POS devices, or even the organization's underlying core systems. Whether the campaign was in fact launched via a POS system itself or from deeper within Target's network, clearly existing security controls that could prevent propagation across the larger environment were not functioning effectively. Without question organizations of this scale have many different types of such network defenses in place (including firewalls, IDS, SIM, DLP etc.), but in this case the attack escalation was not be mitigated. Every security and IT risk management official reviewing the Target attacks should be asking if their organization is vulnerable to similar campaigns. And, they should examine the enforcement capabilities of their existing network security controls to serve in just such a manner. Security teams should be conducting a tactical attack vector analysis on every available pathway of access existing across their networks that could potentially expose critical systems, including, where applicable, POS devices, among others. And while it may still be impossible to prevent every malware infection, effective network segmentation and security device policy enforcement can be leveraged very effectively to limit the impact of attacks if they circumvent initial anti-virus controls. No one would still be talking about Target if one store's POS systems were compromised, versus the reality that the involved attack was able to propagate across its larger network. Traditional security technologies including firewalls and next generation firewalls will continue to play a critical role in limiting risk of malware infection, as well as the spread and success of modern threats. However, if you don't have the detailed information to identify gaps in network security - preventing, mitigating and remediating security breaches will remain a significant challenge. Today's enterprises already have the security capabilities in place to stop attacks such as the one that affected Target from escalating throughout their environment. They need greater visibility into how those defenses are aligned, arguably in real-time, and more conclusive security intelligence regarding their overall level of IT risk exposure, in general.

The FireMon Security Manager platform was designed for the specific purpose of providing enterprise practitioners with continuous visibility into the current alignment of their network security device infrastructure, as well as the related exposure of underlying vulnerabilities. By gaining control of network access and isolating every pathway available across infrastructure that could be leveraged to introduce or escalate attacks, organizations can significantly limit their risk of falling prey to attacks such as the one experienced by Target. Request an in-depth demonstration of FireMon Security Manager today and learn how more effective management of existing network security defenses can prevent and contain attacks, before your organization is forced to react and spend resources looking at past events, instead of stopping those of tomorrow.


Conjuntos de estudio relacionados

motivación emoción examen final

View Set

Regulations - Securities Exchange Act of 1934

View Set

Compact English-Russian Phrase-Book

View Set

Fiscal Policy, Income and expenditures equilibrium

View Set

Computer Session Java Programming

View Set