UNCLASSIFIED//COMSEC//CRYPTO
nsa
How to Encrypt Everything That Moves and Keep It Usable
Denis Gundarev, Application Solutions Architect, VMware
dgundarev@vmware.com @fdwl
Delivered From: @FDWL
Dated: 20150722
fdwl@E0D23:~# gpg -d message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi %username%, my name is Denis Gundarev, I’m a Senior MTS/Architect at VMware
I hope you understand that the opinions expressed here represent my own and not
those of my employer.
All data and information provided in this presentation is for informational purposes
only.
-----BEGIN PGP SIGNATURE-----
iD8DBkjNWQIQFFxqRFCkjNWQIMEeCgg7y6IUikeCgg7yjNWQIW6eCgg7y3QE=
=aAhr
-----END PGP SIGNATURE-----
FIPS 140-2 Compliant & Common Criteria Certified
Certified Security
Worldwide recognition as the industry standard for App and Desktop security
XenApp & XenDesktop are Common Criteria Certified
XenApp & XenDesktop are FIPS compliant, simplifying highly regulated compliance
FIPS Compliance Documents: http://www.citrix.com/about/legal/security-compliance/security-standards.html
Common Criteria Certificates: http://www.cesg.gov.uk/finda/Pages/CCITSECResults.aspx?post=1&company=Citrix+Systems+Inc&status=Certified&sort=name
Workspace Portal
Horizon Clients
Virtual Desktops
RDS Hosted Desktops
RDS Hosted Applications
Horizon 6 Enterprise
App Volumes
Desktop Pools
App Pools
Agenda
- Introduction to PKI
- TLS for you
- IPsec is your friend
- Security regulations in a real world
Introduction to Public Key Infrastructure (PKI)
Certificates
Root Certification Authority
Subordinate Certification Authority
Certificate Certificate Certificate Certificate
Public Key Infrastructure
Privet! I will send you encrypted message, use secret word “secret” to decrypt it!
Hello x secret = ЙЦГШЩЗЪФ
ЮБЬИЧЯЖД / secret = Nice to meet you
ЙЦГШЩЗЪФ!
ЙЦГШЩЗЪФ / secret = Hello
ЮБЬИЧЯЖД!
Nice to meet you x secret = ЮБЬИЧЯЖД
Got It!
Symmetric Encryption
I want to send you a private message but don’t want anyone else to read it…
Hello x a12f2d8ac = ЙЦГШЩЗЪФ
ЙЦГШЩЗЪФ!
ЙЦГШЩЗЪФ / privatesecret = Hello
Got It!
Not a problem, here’s my public key – a12f2d8ac
Asymmetric Encryption
Howdy-doo!
hablemos español! (Let's speak Spanish!)
Here’s my ID, public key and my 6bcfae6a
Privet! I want to speak privately with Yosemite Sam. I can speak Russian, Chinese, Spanish and English, here’s my random e77dfb41
Hmm, California, USA, ok I trust your ID
Encrypt (convertir en Español (E77dfb41 + 6bcfae6a)) (convertir en Español = convert to Spanish)
Here’s pre-master, en español, encrypted with your private
Decrypt (pre-master)
Lo tengo! (Got it!)
$MAC = \frac{b^2 - 4ac}{2a}$
$MAC = \frac{b^2 - 4ac}{2a}$
es tan genial para hablar en privado (It's so great to talk in private)
sí, es difícil hablar libre en estos días (Yes, it's hard to speak freely these days)
SSL/TLS Handshake
Hmm, California, USA, ok I trust your ID
Just need to see your I.D. please.
Sorry, but we don’t sell beer to Russians
I heard that self-signed certificates are not secure!!!
Keep Private Keys Private
- NTFS ACL
- Windows private key ACL
- Use Hardware Security modules
- Windows support out of the box
- Apache support
- Avoid using shared wildcard certificates
Subordinate Certification Authority
ESX Hosts Network equipment Users
Public Key Infrastructure
Root Certification Authority
Mobile devices
TLS recommendations
- Use TLS or DTLS for everything that moves over the wire
  - RDP https://technet.microsoft.com/en-us/magazine/ff458357.aspx
  - XenDesktop http://blogs.citrix.com/2014/10/16/xenapp-and-xendesktop-7-6-security-fips-140-2-and-ssl-to-vda/
  - Horizon View https://pubs.vmware.com/horizon-view-60/topic/com.vmware.ICbase/PDF/horizon-view-60-scenarios-ssl-certificates.pdf
  - SQL Server http://blogs.msdn.com/b/sqlserverfaq/archive/2012/04/04/can-tls-certificate-be-used-for-sql-server-encryption-on-the-wire.aspx
  - LDAP http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
- Use other encryption methods for other protocols
  - SMB Encryption http://blogs.technet.com/b/filecab/archive/2012/05/03/smb-3-security-enhancements-in-windows-server-2012.aspx
  - Horizon View https://pubs.vmware.com/horizon-view-60/topic/com.vmware.ICbase/PDF/horizon-view-60-security.pdf
TLS recommendations
- Disable weak ciphers and SSL 3.0
  - Windows https://support.microsoft.com/en-us/kb/245030
  - Apache https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
  - Nginx https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  - NetScaler http://www.antonvanpelt.com/make-netscaler-ssl-vips-secure/
  - F5 https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
- Use TLS internally
- Use an appropriate Certification Authority
- Switch to SHA256 - http://blogs.technet.com/b/pki/archive/2013/09/19/upgrade-certification-authority-to-sha256.aspx
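
Added example (not from the original deck): a small audit that applies the deck's checklist to an endpoint inventory, covering SSL 3.0 and weak ciphers, SHA-1 signatures, shared wildcard certificates, and the date/name, intended-usage and self-signed checks listed under "Know the difference". The hostnames, record layout, finding codes and weak-cipher token list are assumptions made for illustration, and the inventory is constructed sample data.

```python
from datetime import datetime, timezone

# Substrings of OpenSSL-style suite names treated as weak (heuristic chosen for this example).
WEAK_TOKENS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_SIG_HASHES = {"md5", "sha1"}


def name_matches(hostname, san):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    hostname, san = hostname.lower(), san.lower()
    if san.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == san[2:]
    return hostname == san


def audit(ep, now):
    """Return a sorted list of finding codes (hypothetical names) for one endpoint record."""
    findings = set()
    cert = ep["cert"]
    if LEGACY_PROTOCOLS & set(ep["protocols"]):            # "Disable ... SSL 3.0"
        findings.add("LEGACY_PROTOCOL")
    if any(tok in suite for suite in ep["ciphers"] for tok in WEAK_TOKENS):
        findings.add("WEAK_CIPHER")                        # "Disable weak ciphers"
    if cert["sig_hash"].lower() in WEAK_SIG_HASHES:        # "Switch to SHA256"
        findings.add("WEAK_SIGNATURE_HASH")
    if not cert["not_before"] <= now <= cert["not_after"]:  # "Check the date"
        findings.add("OUTSIDE_VALIDITY")
    if not any(name_matches(ep["host"], san) for san in cert["san"]):  # "Check the name"
        findings.add("NAME_MISMATCH")
    if "serverAuth" not in cert["eku"]:                    # "Intended usage" / templates
        findings.add("WRONG_USAGE")
    if any(san.startswith("*.") for san in cert["san"]):   # "Avoid shared wildcard certs"
        findings.add("WILDCARD_CERT")
    # Not automatically a fault: confirm it is a deliberately trusted certificate
    # rather than one that shipped preinstalled with the product.
    if cert["issuer"] == cert["subject"]:
        findings.add("SELF_SIGNED")
    return sorted(findings)


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


REPORT_TIME = _utc(2015, 7, 22)  # fixed so the result is reproducible

# Constructed sample inventory; every value below is made up for the example.
INVENTORY = [
    {"host": "rdp01.corp.example.test",
     "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
     "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
     "cert": {"subject": "CN=rdp01", "issuer": "CN=rdp01", "sig_hash": "sha1",
              "not_before": _utc(2014, 1, 1), "not_after": _utc(2015, 1, 1),
              "san": ["rdp01"], "eku": ["serverAuth"]}},
    {"host": "view.corp.example.test",
     "protocols": ["TLSv1.2"],
     "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"],
     "cert": {"subject": "CN=view.corp.example.test", "issuer": "CN=Example Issuing CA",
              "sig_hash": "sha256",
              "not_before": _utc(2015, 1, 1), "not_after": _utc(2017, 1, 1),
              "san": ["view.corp.example.test"], "eku": ["serverAuth"]}},
    {"host": "sql01.corp.example.test",
     "protocols": ["TLSv1.2"],
     "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"],
     "cert": {"subject": "CN=*.corp.example.test", "issuer": "CN=Example Issuing CA",
              "sig_hash": "sha256",
              "not_before": _utc(2015, 1, 1), "not_after": _utc(2017, 1, 1),
              "san": ["*.corp.example.test"], "eku": ["clientAuth"]}},
]


def run_audit():
    """Audit every inventory record at REPORT_TIME, keyed by host."""
    return {ep["host"]: audit(ep, REPORT_TIME) for ep in INVENTORY}


if __name__ == "__main__":
    for host, findings in run_audit().items():
        print(host, findings or "OK")
```
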
Know the difference
- Self-signed vs. preinstalled certificate
  - Check the date/name
- Intended usage
  - Make sure that you use correct templates
- Encryption vs. Obfuscation
  - Unsecured private key = obfuscation
IPSec is so 90s!!!
Demo time
FIPS/Common Criteria
- Remember who you trust
- Certified software/hardware doesn’t secure you automatically.
- Security policy “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.” does not affect third-party and breaks .NET
- Certification may take years, release cycle usually shorter
Compliance
- A foolproof plan for security
- Nothing is foolproof to a sufficiently talented fool
- Standardized environments are easier to hack
- Additional budget for IT
- Enforcing documentation
- Just a checklist to impress auditor
It’s now safe to ask your questions.

More Related Content

What's hot

Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...CODE BLUE
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Hack any website
Hack any websiteHack any website
Hack any websitesunil kumar
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Louis Göhl
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox -  AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox -  AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun YenCODE BLUE
 
McAfee Foundstone Update
McAfee Foundstone UpdateMcAfee Foundstone Update
McAfee Foundstone Updatewebhostingguy
 

What's hot (20)

Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Hack any website
Hack any websiteHack any website
Hack any website
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Virtually Pwned
Virtually PwnedVirtually Pwned
Virtually Pwned
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox -  AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox -  AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
 
TekCERT Manual
TekCERT ManualTekCERT Manual
TekCERT Manual
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
 
How to configure esx to pass an audit
How to configure esx to pass an auditHow to configure esx to pass an audit
How to configure esx to pass an audit
 
McAfee Foundstone Update
McAfee Foundstone UpdateMcAfee Foundstone Update
McAfee Foundstone Update
 

Viewers also liked

Application Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternativeApplication Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternativeDenis Gundarev
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly CASCouncil
 
Drupal 8 and NGINX
Drupal 8 and NGINX Drupal 8 and NGINX
Drupal 8 and NGINX NGINX, Inc.
 
Encryption Boot Camp on the JVM
Encryption Boot Camp on the JVMEncryption Boot Camp on the JVM
Encryption Boot Camp on the JVMMatthew McCullough
 
New in russia electronic (digital) signatures, electronic vat invoices, elect...
New in russia electronic (digital) signatures, electronic vat invoices, elect...New in russia electronic (digital) signatures, electronic vat invoices, elect...
New in russia electronic (digital) signatures, electronic vat invoices, elect...Awara Direct Search
 
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...Michelle Holley
 
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...Advanced monitoring
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
 
ID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzMike Schwartz
 
RSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityRSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityMike Schwartz
 
DaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDenis Gundarev
 
DaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDenis Gundarev
 
Mule security - saml
Mule  security - samlMule  security - saml
Mule security - samlcharan teja R
 
Cloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationCloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationMike Schwartz
 
Briforum 2011 Chicago
Briforum 2011 ChicagoBriforum 2011 Chicago
Briforum 2011 ChicagoDan Brinkmann
 
DaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDenis Gundarev
 
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5Denis Gundarev
 
Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014Mike Schwartz
 

Viewers also liked (20)

Application Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternativeApplication Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternative
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly
 
Drupal 8 and NGINX
Drupal 8 and NGINX Drupal 8 and NGINX
Drupal 8 and NGINX
 
Encryption Boot Camp on the JVM
Encryption Boot Camp on the JVMEncryption Boot Camp on the JVM
Encryption Boot Camp on the JVM
 
New in russia electronic (digital) signatures, electronic vat invoices, elect...
New in russia electronic (digital) signatures, electronic vat invoices, elect...New in russia electronic (digital) signatures, electronic vat invoices, elect...
New in russia electronic (digital) signatures, electronic vat invoices, elect...
 
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
Unleashing End-to_end TLS Security Leveraging NGINX with Intel(r) QuickAssist...
 
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
ID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike Schwartz
 
RSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityRSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud Identity
 
DaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat Messaoud
 
DaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo Murris
 
Mule security - saml
Mule  security - samlMule  security - saml
Mule security - saml
 
Cloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationCloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher Education
 
Briforum 2011 Chicago
Briforum 2011 ChicagoBriforum 2011 Chicago
Briforum 2011 Chicago
 
The Tools I Use
The Tools I UseThe Tools I Use
The Tools I Use
 
DaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris Rogers
 
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
 
Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014Who Are You? From Meat to Electrons - SXSW 2014
Who Are You? From Meat to Electrons - SXSW 2014
 

Similar to How to encrypt everything that moves and keep it usable

DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)xsist10
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutionsNick Owen
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...Felipe Prado
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...Jisc
 
Don't Get Hacked on Hostile WiFi
Don't Get Hacked on Hostile WiFiDon't Get Hacked on Hostile WiFi
Don't Get Hacked on Hostile WiFiMackenzie Morgan
 
Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Stanfy
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conferencexsist10
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Rt2870 Software Release Note For Windows Ce
Rt2870 Software Release Note For Windows CeRt2870 Software Release Note For Windows Ce
Rt2870 Software Release Note For Windows Ceguesta5887e6b
 
Présentation Ikoula au Meet-up Docker à l'école 42
Présentation Ikoula au Meet-up Docker à l'école 42Présentation Ikoula au Meet-up Docker à l'école 42
Présentation Ikoula au Meet-up Docker à l'école 42Ikoula
 
Mise en place d'un client VPN l2tp IPsec sous docker
Mise en place d'un client VPN l2tp IPsec sous dockerMise en place d'un client VPN l2tp IPsec sous docker
Mise en place d'un client VPN l2tp IPsec sous dockerNicolas Trauwaen
 
How to Install SSL Certificate in Red Hat Linux Apache Web Server
How to Install SSL Certificate in Red Hat Linux Apache Web ServerHow to Install SSL Certificate in Red Hat Linux Apache Web Server
How to Install SSL Certificate in Red Hat Linux Apache Web ServerAboutSSL
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT securityJulien Vermillard
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 

Similar to How to encrypt everything that moves and keep it usable (20)

DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
 
Don't Get Hacked on Hostile WiFi
Don't Get Hacked on Hostile WiFiDon't Get Hacked on Hostile WiFi
Don't Get Hacked on Hostile WiFi
 
Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
 
Rhel5
Rhel5Rhel5
Rhel5
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
Rt2870 Software Release Note For Windows Ce
Rt2870 Software Release Note For Windows CeRt2870 Software Release Note For Windows Ce
Rt2870 Software Release Note For Windows Ce
 
Présentation Ikoula au Meet-up Docker à l'école 42
Présentation Ikoula au Meet-up Docker à l'école 42Présentation Ikoula au Meet-up Docker à l'école 42
Présentation Ikoula au Meet-up Docker à l'école 42
 
Mise en place d'un client VPN l2tp IPsec sous docker
Mise en place d'un client VPN l2tp IPsec sous dockerMise en place d'un client VPN l2tp IPsec sous docker
Mise en place d'un client VPN l2tp IPsec sous docker
 
How to Install SSL Certificate in Red Hat Linux Apache Web Server
How to Install SSL Certificate in Red Hat Linux Apache Web ServerHow to Install SSL Certificate in Red Hat Linux Apache Web Server
How to Install SSL Certificate in Red Hat Linux Apache Web Server
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 

 

How to encrypt everything that moves and keep it usable

  • 1. UNCLASSIFIED//COMSEC//CRYPTO UNCLASSIFIED//COMSEC//CRYPTO nsa How to Encrypt Everything That Moves and Keep It Usable Denis Gundarev, Application Solutions Architect, VMware dgundarev@vmware.com @fdwl Delivered From: @FDWL Dated: 20150722 Page 0
  • 2. UNCLASSIFIED//COMSEC//CRYPTO UNCLASSIFIED//COMSEC//CRYPTO nsafdwl@E0D23:~# gpg –d message -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi %username%, my name is Denis Gundarev, I’m a Senior MTS/Architect at VMware I hope you understand that the opinions expressed here represent my own and not those of my employer. All data and information provided in this presentation is for informational purposes only. -----BEGIN PGP SIGNATURE----- iD8DBkjNWQIQFFxqRFCkjNWQIMEeCgg7y6IUikeCgg7yjNWQIW6eCgg7y3QE= =aAhr -----END PGP SIGNATURE-----
  • 4. FIPS 140-2 Compliant & Common Criteria Certified Certified Security Worldwide recognition as the industry standard for App and Desktop security XenApp & XenDesktop are Common Criteria Certified XenApp & XenDesktop are FIPS compliant, simplifying highly regulated compliance FIPS Compliance Documents http://www.citrix.com/about/legal/security-compliance/security-standards.html Common Criteria Certificates http://www.cesg.gov.uk/finda/Pages/CCITSECResults.aspx?post=1&company=Citrix+Systems+Inc&status=Certified&sort=name
  • 6. Workspace PortalHorizon Clients Virtual Desktops RDS Hosted DesktopsRDS Hosted Applications Horizon 6 Enterprise App Volumes Desktop PoolsApp Pools
  • 7. Agenda
      • Introduction to PKI
      • TLS for you
      • IPsec is your friend
      • Security regulations in a real world
  • 8. Introduction to Public Key Infrastructure (PKI)
  • 10. Root Certification Authority Subordinate Certification Authority Certificate Certificate Certificate Certificate Public Key Infrastructure
  • 14. Privet! I will send you encrypted message, use secret word “secret” to decrypt it! Hello x secret= ЙЦГШЩЗЪФ ЮБЬИЧЯЖД / secret = Nice to meet you ЙЦГШЩЗЪФ! ЙЦГШЩЗЪФ / secret= HelloЮБЬИЧЯЖД! Nice to meet you x secret= ЮБЬИЧЯЖД Got It! Symmetric Encryption
  • 15. I want to send you a private message but don’t want anyone else to read it… Hello x a12f2d8ac = ЙЦГШЩЗЪФ ЙЦГШЩЗЪФ! ЙЦГШЩЗЪФ / privatesecret= Hello Got It! Not a problem, here’s my public key – a12f2d8ac Asymmetric Encryption
  • 16. Howdy-doo! hablemos español! Here’s my ID, public key and my 6bcfae6a Privet! I want to speak privately with Yosemite Sam. I can speak Russian, Chinese, Spanish and English here’s my random e77dfb41 Hmm, California, USA, ok I trust your ID Encrypt (convertir en Español (E77dfb41 + 6bcfae6a)) Here’s pre- master, en español, encrypted with your private Decrypt (pre- master) Lo tengo! (Got it!) 𝑀𝐴𝐶 = 𝑏2 − 4𝑎𝑐 2𝑎 𝑀𝐴𝐶 = 𝑏2 − 4𝑎𝑐 2𝑎 es tan genial para hablar en privado sí, es difícil hablar libre en estos días SSL/TLS Handshake Hmm, California, USA, ok I trust your ID
  • 18. Just need to see your I.D. please. Sorry, but we don’t sell beer to Russians
  • 23. I heard that self- signed certificates are not secure!!!
  • 25. Keep Private Keys Private
      • NTFS ACL
      • Windows private key ACL
      • Use Hardware Security modules
      • Windows support out of the box
      • Apache support
      • Avoid using shared wildcard certificates
  • 26. Subordinate Certification Authority ESX Hosts Network equipment Users Public Key Infrastructure Root Certification Authority Mobile devices
  • 27. TLS recommendations
      • Use TLS or DTLS for everything that moves over the wire
          • RDP https://technet.microsoft.com/en-us/magazine/ff458357.aspx
          • XenDesktop http://blogs.citrix.com/2014/10/16/xenapp-and-xendesktop-7-6-security-fips-140-2-and-ssl-to-vda/
          • Horizon View https://pubs.vmware.com/horizon-view-60/topic/com.vmware.ICbase/PDF/horizon-view-60-scenarios-ssl-certificates.pdf
          • SQL Server http://blogs.msdn.com/b/sqlserverfaq/archive/2012/04/04/can-tls-certificate-be-used-for-sql-server-encryption-on-the-wire.aspx
          • LDAP http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
      • Use other encryption methods for other protocols
          • SMB Encryption http://blogs.technet.com/b/filecab/archive/2012/05/03/smb-3-security-enhancements-in-windows-server-2012.aspx
          • Horizon View https://pubs.vmware.com/horizon-view-60/topic/com.vmware.ICbase/PDF/horizon-view-60-security.pdf
  • 28. TLS recommendations
      • Disable weak ciphers and SSL 3.0
          • Windows https://support.microsoft.com/en-us/kb/245030
          • Apache https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
          • Nginx https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
          • NetScaler http://www.antonvanpelt.com/make-netscaler-ssl-vips-secure/
          • F5 https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
      • Use TLS internally
      • Use an appropriate Certification Authority
      • Switch to SHA256 - http://blogs.technet.com/b/pki/archive/2013/09/19/upgrade-certification-authority-to-sha256.aspx
  • 29. Know the difference
      • Self-signed vs. preinstalled certificate
      • Check the date/name
      • Intended usage
      • Make sure that you use correct templates
      • Encryption vs. Obfuscation
      • Unsecured private key = obfuscation
  • 34. FIPS/Common Criteria
      • Remember whom you trust
      • Certified software/hardware doesn’t secure you automatically.
      • Security policy “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.” does not affect third-party and breaks .NET
      • Certification may take years; release cycles are usually shorter
  • 35. Compliance
      • A foolproof plan for security
      • Nothing is foolproof to a sufficiently talented fool
      • Standardized environments are easier to hack
      • Additional budget for IT
      • Enforcing documentation
      • Just a checklist to impress auditor
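Slide 28's "Disable weak ciphers and SSL 3.0", applied to a Python TLS client and then checked, as an added example that is not from the deck. The TLS 1.2 floor, the cipher string, the weak-name markers and the sample cipher list are assumptions chosen for this example.

```python
import ssl

# Assumption: substrings of OpenSSL cipher names treated as weak here
# (RC4, single/triple DES, MD5 MACs, NULL, export-grade, anonymous DH).
WEAK_MARKERS = ("RC4", "DES-CBC", "MD5", "NULL", "EXP", "ADH", "AECDH")

# Assumption: forward-secret AEAD suites only. TLS 1.3 suites are not
# governed by this string and stay enabled.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def weak_cipher_names(names):
    """Return the cipher names that contain a weak marker, in input order."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def hardened_client_context():
    """Client context with legacy protocols and weak ciphers switched off."""
    ctx = ssl.create_default_context()            # chain and host name checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSL 3.0, TLS 1.0/1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def audit_context(ctx):
    """Report what a context would actually negotiate, not what was intended."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "legacy_protocols_allowed": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "weak_ciphers": weak_cipher_names(names),
        "cipher_count": len(names),
    }


# Constructed sample: a cipher list as a legacy endpoint might report it.
LEGACY_SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "EXP-RC4-MD5",
    "AES256-SHA",
]

if __name__ == "__main__":
    print(audit_context(hardened_client_context()))
    print(weak_cipher_names(LEGACY_SAMPLE))
```

Running the audit against the context object itself catches the case where a cipher string was set but the protocol floor was left at the library default.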
