The document discusses network security and VPN tunnelling. It introduces VPN tunnelling as a way to secure communications over an unsecured network by encrypting the traffic. It describes how tunnelling works by encrypting the traffic and creating a secure tunnel for data transmission. It also discusses SSL/TLS and how it can be used to implement VPN tunnelling by encrypting the traffic and authenticating devices and packets.
1. Advanced Crypto, 6. Tunnelling: Introduction
Author: Prof Bill Buchanan
http://asecuritysite.com/crypto
Characters used in the diagrams: Alice, Bob, Eve, Trent.
2. VPN (Network Security): Issues involved
Diagram: Bob and Alice reach each other through their gateways across an untrusted network, with Eve placed on the public path between the gateways.
Eve could eavesdrop on the public communications.
Eve could change the data packets.
Eve could set up an alternative gateway.
What is required is:
· Encryption.
· Authentication of devices (to overcome spoofing).
· Authentication of packets (for integrity).
3. VPN (Network Security): Tunnelling mode or transport mode
Tunnelling mode (over untrusted connections): traffic is encrypted over the untrusted network. In the diagram the path from Bob to Alice is labelled unencrypted traffic, encrypted traffic, unencrypted traffic: only the gateway-to-gateway section is protected.
Transport mode: end-to-end (host-to-host) tunnelling, with the traffic encrypted the whole way between Bob and Alice.
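As an added example that is not part of Prof Buchanan's slides, the following Python models the tunnelling mode of slide 3 together with the two packet-level requirements of slide 2 (encryption and authentication of packets). Bob's gateway wraps the whole inner host-to-host packet in an outer gateway-to-gateway packet, and Alice's gateway verifies a per-packet HMAC before anything else, then rejects sequence numbers it has already accepted. The addresses, keys, packet layout and the HMAC-in-counter-mode keystream are all assumptions constructed for this example; a real VPN would use an AEAD cipher such as AES-GCM and a proper anti-replay window.

```python
import hashlib
import hmac
import socket
import struct

# Constructed values for the example (not from the slides).
GW_BOB = "198.51.100.1"      # Bob's gateway: outer source address
GW_ALICE = "203.0.113.1"     # Alice's gateway: outer destination address
HOST_BOB = "10.0.0.5"        # inner source, inside Bob's trusted network
HOST_ALICE = "10.0.1.7"      # inner destination, inside Alice's trusted network
K_ENC = b"example-encryption-key-do-not-reuse"
K_AUTH = b"example-authentication-key-do-not-reuse"
TAG_LEN = 32
OUTER_HDR = struct.Struct(">4s4sQI")   # outer src, outer dst, sequence no, ciphertext length


def _keystream(seq: int, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (demo only, not a real cipher).
    The sequence number is part of the input, so no two packets share a keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(K_ENC, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encapsulate(seq: int, inner_src: str, inner_dst: str, payload: bytes) -> bytes:
    """Bob's gateway: encrypt the complete inner packet (inner header + payload)
    and wrap it in an outer gateway-to-gateway packet with an integrity tag.
    The tag covers the outer header and the ciphertext, so a change to either is detected."""
    inner = socket.inet_aton(inner_src) + socket.inet_aton(inner_dst) + payload
    ciphertext = _xor(inner, _keystream(seq, len(inner)))
    header = OUTER_HDR.pack(socket.inet_aton(GW_BOB), socket.inet_aton(GW_ALICE), seq, len(ciphertext))
    tag = hmac.new(K_AUTH, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class TunnelEndpoint:
    """Alice's gateway. Order matters: authenticate first, so that forged or
    modified packets never touch the replay state or the decryption step."""

    def __init__(self):
        self.highest_seq = -1   # minimal anti-replay: sequence numbers must increase

    def decapsulate(self, outer: bytes):
        if len(outer) < OUTER_HDR.size + TAG_LEN:
            return "truncated", None
        src_gw, dst_gw, seq, clen = OUTER_HDR.unpack(outer[:OUTER_HDR.size])
        body = outer[OUTER_HDR.size:OUTER_HDR.size + clen]
        tag = outer[OUTER_HDR.size + clen:OUTER_HDR.size + clen + TAG_LEN]
        if len(body) != clen or len(tag) != TAG_LEN:
            return "truncated", None
        expected = hmac.new(K_AUTH, outer[:OUTER_HDR.size + clen], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "auth-failed", None      # packet changed in transit, or not from Bob's gateway
        if seq <= self.highest_seq:
            return "replay", None           # a captured packet sent again
        self.highest_seq = seq
        inner = _xor(body, _keystream(seq, clen))
        return "ok", {
            "outer": (socket.inet_ntoa(src_gw), socket.inet_ntoa(dst_gw)),
            "inner": (socket.inet_ntoa(inner[:4]), socket.inet_ntoa(inner[4:8])),
            "payload": inner[8:],
        }


def demo():
    """Three constructed deliveries: the genuine packet, a tampered copy, and a replay."""
    alice_gw = TunnelEndpoint()
    pkt = encapsulate(1, HOST_BOB, HOST_ALICE, b"hello Alice")
    genuine = alice_gw.decapsulate(pkt)
    tampered = bytearray(pkt)
    tampered[OUTER_HDR.size] ^= 0x01        # flip one bit of the ciphertext
    modified = alice_gw.decapsulate(bytes(tampered))
    replayed = alice_gw.decapsulate(pkt)    # same genuine packet delivered twice
    return genuine, modified, replayed


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The inner addresses (10.0.0.5 to 10.0.1.7) are only visible after decapsulation at Alice's gateway; on the untrusted network Eve sees only the gateway addresses, the sequence number and ciphertext, which is exactly the tunnelling-mode picture on the slide.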
4. Introduction (Network Security): Example Infrastructure
Author: Prof Bill Buchanan
Diagram components (the same diagram is repeated on slides 4 to 8): Internet; Firewall (packet filter); Router (NAT); Switch; Intrusion Detection Systems; Proxy server; a DMZ holding the Email server, Web server and FTP server; Firewall (stateful); and the hosts Bob and Alice.
5. Introduction (Network Security): Example Infrastructure
Protocol layers shown alongside the diagram: Application (FTP, Telnet, etc); L4. Transport (TCP); L3. Internet (IP); L2. Network (Ethernet).
Physical security requires restricted areas and padlocked equipment. The internal network is divided into VLAN 1 and VLAN 2.
6. Introduction (Network Security): Example Infrastructure
Different VLANs cannot communicate directly, and need to go through a router to communicate.
7. Introduction (Network Security): Example Infrastructure
The diagram adds a further VLAN 1 segment, carried over an 802.1q trunk.
8. Introduction (Network Security): Example Infrastructure
Screening firewalls filter for IP and TCP packet details, such as addresses and TCP ports, for incoming/outgoing traffic.
9. Stateful firewall (Network Security)
TCP three-way handshake as tracked by a stateful firewall (originator on the left, recipient on the right):
1. CLOSED                                                  LISTEN
2. SYN-SENT      <SEQ=999><CTL=SYN>                        SYN-RECEIVED
3. ESTABLISHED   <SEQ=100><ACK=1000><CTL=SYN,ACK>          SYN-RECEIVED
4. ESTABLISHED   <SEQ=1000><ACK=101><CTL=ACK>              ESTABLISHED
5. ESTABLISHED   <SEQ=1000><ACK=101><CTL=ACK><DATA>        ESTABLISHED
Slide 9 diagram: Bob's SYN leaves through the stateful firewall, the NAT router and the packet-filter firewall towards the Internet.
10. Stateful firewall (Network Security)
Slide 10 diagram (same handshake table): the SYN,ACK reply travels back along the same path to Bob.
11. Stateful firewall (Network Security)
Slide 11 diagram (same handshake table): Bob's ACK completes the handshake and the connection is established.
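As an added example, not taken from the slides, here is a small Python model of the stateful firewall in slides 9 to 11 combined with the screening rule of slide 8. Outbound connections are admitted by a simple address-and-port policy, the firewall records each one as it moves through SYN-SENT, SYN-RECEIVED and ESTABLISHED, and inbound packets are accepted only when they match a recorded connection in a state that expects them. The inside address range, the allowed ports and the trace of packets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_PREFIX = "192.168.1."         # constructed: hosts behind the firewall
ALLOWED_OUTBOUND_PORTS = {80, 443}    # constructed screening policy (slide 8)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset               # subset of {"SYN", "ACK", "FIN", "RST"}


def pkt(src, sport, dst, dport, *flags) -> Packet:
    return Packet(src, sport, dst, dport, frozenset(flags))


# Connection key is always written from the inside host's point of view.
Key = Tuple[str, int, str, int]


class StatefulFirewall:
    """Tracks the handshake states from the slide table and admits inbound
    traffic only for connections an inside host has opened."""

    def __init__(self):
        self.table: Dict[Key, str] = {}

    @staticmethod
    def _inside(addr: str) -> bool:
        return addr.startswith(INSIDE_PREFIX)

    def filter(self, p: Packet) -> str:
        f = p.flags
        if self._inside(p.src) and not self._inside(p.dst):      # outbound
            key = (p.src, p.sport, p.dst, p.dport)
            state = self.table.get(key)
            if f == {"SYN"}:                                     # step 2: SYN out
                if p.dport not in ALLOWED_OUTBOUND_PORTS:
                    return "DROP"                                # screening rule
                self.table[key] = "SYN-SENT"
                return "ALLOW"
            if state == "SYN-RECEIVED" and "ACK" in f:           # step 4: final ACK
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            if state == "ESTABLISHED":
                if "FIN" in f or "RST" in f:                     # simplification: tear down on first FIN/RST
                    del self.table[key]
                return "ALLOW"
            return "DROP"
        if self._inside(p.dst) and not self._inside(p.src):      # inbound
            key = (p.dst, p.dport, p.src, p.sport)               # reverse the tuple
            state = self.table.get(key)
            if state == "SYN-SENT" and f == {"SYN", "ACK"}:      # step 3: SYN,ACK back
                self.table[key] = "SYN-RECEIVED"
                return "ALLOW"
            if state == "ESTABLISHED":                           # step 5: data
                if "FIN" in f or "RST" in f:
                    del self.table[key]
                return "ALLOW"
            return "DROP"   # unsolicited SYN, or an ACK that matches no recorded connection
        return "DROP"       # inside-to-inside or outside-to-outside traffic is not this firewall's job


def run_trace() -> List[Tuple[str, str]]:
    """Constructed packet trace: one legitimate web connection, then three packets
    that a stateless filter keyed only on flags or ports might let through."""
    fw = StatefulFirewall()
    host, server, other = "192.168.1.10", "93.184.216.34", "203.0.113.9"
    trace = [
        ("outbound SYN to web server",             pkt(host, 51000, server, 443, "SYN")),
        ("inbound SYN,ACK reply",                  pkt(server, 443, host, 51000, "SYN", "ACK")),
        ("outbound ACK completing handshake",      pkt(host, 51000, server, 443, "ACK")),
        ("inbound data on the open connection",    pkt(server, 443, host, 51000, "ACK")),
        ("unsolicited inbound SYN to port 22",     pkt(other, 4444, host, 22, "SYN")),
        ("inbound ACK matching no connection",     pkt(other, 40000, host, 51001, "ACK")),
        ("outbound SYN to port 23, not in policy", pkt(host, 51002, server, 23, "SYN")),
    ]
    return [(desc, fw.filter(p)) for desc, p in trace]


if __name__ == "__main__":
    for desc, verdict in run_trace():
        print(f"{verdict:5s}  {desc}")
```

The sixth packet is the one that separates the two firewall types on the slides: a packet filter that treats any segment carrying the ACK flag as "part of an existing connection" passes it, whereas the stateful firewall drops it because no inside host ever sent the SYN that would have created the table entry.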
14. Advanced Crypto, 6. Tunnelling: SSL/TLS
Author: Prof Bill Buchanan
http://asecuritysite.com/crypto
15. Tunnelling: Stack
Author: Prof Bill Buchanan
Network protocols by layer:
Application : HTTP, FTP, Telnet, POP-3, IMAP, SMTP
Transport   : TCP, UDP, SPX
Network     : IP, IPX, ARP, ICMP
Data Link   : Ethernet, PPP, HDLC
Physical    : Cables, Signals
16. Tunnelling: Stack
Author: Prof Bill Buchanan
The same layered stack as slide 15, with SSL inserted between the Transport and Application layers:
Application : HTTP, FTP, Telnet, POP-3, IMAP, SMTP
SSL
Transport   : TCP, UDP, SPX
Network     : IP, IPX, ARP, ICMP
Data Link   : Ethernet, PPP, HDLC
Physical    : Cables, Signals
Application protocols over SSL: HTTPS (HTTP + SSL), FTPS (FTP + SSL), SSH (Telnet + SSL).
Ports:
HTTP 80      HTTPS 443
TELNET 23    SSH 22
SMTP 25      SMTPS 465
POP-3 110    POP-3S 995
Versions:
SSL 1.0
SSL 2.0
SSL 3.0 [0x0300]
SSL 3.1 (TLS 1.0) [0x0301]
TLS 1.1 and 1.2 [0x0302]
SSL: Secure Socket Layer. TLS: Transport Layer Security.
17. Stack (Tunnelling)
Author: Prof Bill Buchanan

TLS sits above TCP: the TCP three-way handshake to port 443 completes first, and only then does the TLS handshake start with the Client Hello:

TCP [SYN] to port 443
TCP [SYN,ACK] from port 443
TCP [ACK] to port 443
Client Hello (start of the TLS handshake)
20. SSL Tunnelling: inspecting a TLS session with openssl s_client
Author: Prof Bill Buchanan

billbuchanan@Bills-MacBook-Pro:~$ openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIISVyALWN+akUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
---
SOx4I5L0D0jZYqKfJuImGcFwdIETq0EpCmkhJfGNHjVdzC/h/T61TmaY
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3719 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9D92CEC32FA9F86C6D902081EE186C4FC68234FFF7B903D6621A86C98092BD51
    Session-ID-ctx:
    Master-Key: B8A14DB1D3021E80B53F30EA94D2EEA155A995B926879B08E3D971EB16873D16F62929899E2FA368D374716DB14A412B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - fa 8d cb 50 53 3d 99 c8-b4 11 20 0c ca 53 e9 bd   ...PS=.... ..S..
    0010 - f8 8e 15 14 ec 82 c1 56-ab d9 9b 36 c2 56 b0 db   .......V...6.V..
    0020 - 2b d4 07 56 a5 02 ac 1f-34 fa 72 21 fd 7c ba 97   +..V....4.r!.|..
    0030 - 2a ae e9 20 04 ef 8a e5-a0 57 28 3a c7 67 04 ac   *.. .....W(:.g..
    0040 - 7d 14 bf b0 6d 96 9f cb-eb 0c 0a 40 07 5f a6 84   }...m......@._..
    0050 - e2 3b 98 0b e7 f4 b1 e1-04 be 15 6b 36 a5 57 b3   .;.........k6.W.
    0060 - 11 98 f2 f4 20 fe b5 7f-6b 10 4e 7a f9 b5 6d 02   .... ...k.Nz..m.
    0070 - 30 ec 07 e6 f0 c0 49 81-31 6b 30 f9 b0 d3 c4 25   0.....I.1k0....%
    0080 - 62 f3 92 33 e8 25 cc 22-32 84 54 e6 0e 76 b1 45   b..3.%."2.T..v.E
    0090 - 3a 60 83 cf 1b b0 97 7d-05 03 47 20 29 12 d9 8d   :`.....}..G )...
    00a0 - 6f 5a b4 f2                                       oZ..

    Start Time: 1413136351
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

The session above negotiated TLS 1.2 with ECDHE-RSA-AES128-GCM-SHA256. The verify error (code 20) means s_client could not find the issuer of the top certificate in its local CA store, so the chain was not validated; s_client still completes the handshake, which is why certificate checking must be enforced separately in real clients.

Reading a cipher-suite name (RFC 5246: TLS_<key exchange>_WITH_<encryption>_<hash>):

TLS_RSA_WITH_AES_256_CBC_SHA256
  Key exchange: RSA     Encryption: AES_256_CBC     Hash: SHA256
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  Key exchange: DH_DSS  Encryption: 3DES_EDE_CBC    Hash: SHA (SHA-1)

Negotiation (RFC 5246):
Client Hello, versions and cipher suites offered:
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
Server Hello, version and cipher suite chosen:
  TLS_RSA_WITH_RC4_128_SHA
  Key exchange: public key (RSA); encryption: RC4 (128-bit); hash: SHA (SHA-1)
21. SSL Tunnelling
Author: Prof Bill Buchanan

Client Hello, versions and cipher suites offered (RFC 5246):
  TLS_RSA_WITH_RC4_128_SHA
Server Hello, version and cipher suite chosen:
  TLS_RSA_WITH_RC4_128_SHA
  Key exchange: public key (RSA); encryption: RC4 (128-bit); hash: SHA (SHA-1)

[Figure: the client's session key is sent encrypted with the server's public key; the server recovers it with its private key.]
Tunnel created (RC4, hash: SHA-1).
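As an added example (not code from the slides) covering both the cipher-suite breakdown on slide 20 and the Client Hello / Server Hello selection on slides 20 and 21: a parser for RFC 5246 suite names, a defender-side check of the components, and the server's choice from the client's offer. The sets of "weak" components and the two server preference lists are this example's own assumptions, not anything the slides define.

```python
"""Parse RFC 5246 cipher-suite names and simulate the Hello negotiation.

Added example; not code from the slides.  Names follow the pattern
TLS_<key exchange>_WITH_<encryption>_<hash>.  The "weak" sets below are this
example's own policy (an assumption), not something the slides define.
"""
import re

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<enc>[A-Z0-9_]+)_(?P<mac>SHA256|SHA384|SHA|MD5)$"
)

# Components a current policy should not accept: RC4, DES/3DES, MD5, SHA-1,
# and key exchanges without forward secrecy (static RSA / static DH).
WEAK_ENCRYPTION = {"RC4_128", "RC4_40", "DES_CBC", "DES40_CBC", "3DES_EDE_CBC", "NULL"}
WEAK_HASH = {"MD5", "SHA"}                  # "SHA" in a suite name means SHA-1
NO_FORWARD_SECRECY = {"RSA", "DH_RSA", "DH_DSS"}


def parse_cipher_suite(name):
    """Split a suite name into key exchange, encryption and hash, e.g.
    TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA -> DH_DSS / 3DES_EDE_CBC / SHA."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS_<kx>_WITH_<enc>_<hash> name: {name}")
    return {"key_exchange": m["kx"], "encryption": m["enc"], "hash": m["mac"]}


def weaknesses(name):
    """Reasons a defender would reject this suite; an empty list means acceptable."""
    parts = parse_cipher_suite(name)
    reasons = []
    if parts["encryption"] in WEAK_ENCRYPTION:
        reasons.append(f"weak cipher {parts['encryption']}")
    if parts["hash"] in WEAK_HASH:
        reasons.append(f"weak hash {parts['hash']}")
    if parts["key_exchange"] in NO_FORWARD_SECRECY:
        reasons.append(f"no forward secrecy ({parts['key_exchange']} key exchange)")
    return reasons


def negotiate(client_offer, server_preference):
    """Server Hello: the first suite in the server's preference order that the
    Client Hello also offered; None means the handshake fails."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


def slide_negotiation():
    """The slide's exchange: the client offers two RC4 suites and a server that
    still enables RC4 picks the SHA-1 one; a server with RC4 disabled picks none."""
    client = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA"]
    legacy_server = ["TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_RC4_128_SHA",
                     "TLS_RSA_WITH_RC4_128_MD5"]                     # assumed preference
    hardened_server = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                       "TLS_RSA_WITH_AES_256_CBC_SHA256"]           # assumed preference
    return negotiate(client, legacy_server), negotiate(client, hardened_server)


if __name__ == "__main__":
    for suite in ("TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"):
        print(suite, parse_cipher_suite(suite), weaknesses(suite))
    print(slide_negotiation())
```

The second negotiation result is the point for defenders: because the server, not the client, makes the final choice, removing RC4 and MD5 from the server's list is enough to stop the exchange on the slide from producing an RC4 tunnel, at the cost of refusing clients that offer nothing better.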
23. Advanced Crypto, 6. Tunnelling: Heartbleed
Author: Prof Bill Buchanan, http://asecuritysite.com/crypto
24. Network Security: VPNs
Author: Prof Bill Buchanan

[Figure: Bob reaches Alice either through a proxy or through a VPN, with Eve on the path between them.]
25. VPN (Network Security)
Tunnelling methods

[Figure: Bob and Alice each sit behind a gateway; the two gateways tunnel across an untrusted network on which Eve can observe the traffic.]

What is required is:
· Encryption.
· Authentication of devices (to overcome spoofing).
· Authentication of packets (for integrity).

PPTP (Point-to-Point Tunneling Protocol). Created by Microsoft and is routable. It uses MPPE (Microsoft Point-to-Point Encryption) and user authentication.

L2TP (Layer 2 Tunneling Protocol). Works at Layer 2 to forward IP, IPX and AppleTalk (RFC 2661). Cisco, Microsoft, Ascend and 3Com developed it. It provides user and machine authentication but no encryption (it can, however, be combined with IPSec as L2TP over IPSec).

IPSec. An open standard that includes both encryption and authentication.
27. VPN (Network Security)
Tunnelling mode or transport mode

[Figure: Bob's site (switch, proxy server, email server, web server, FTP server, two intrusion detection systems, two firewalls and a router) connected to Alice's site across the Internet. The figure contrasts where the encryption ends:]
· Traffic only encrypted over the public channel (between the gateways): inside each site it is in the clear, so the firewalls and IDS can still inspect it.
· Traffic encrypted end to end: it cannot be checked by firewalls, IDS, and so on.
29. VPN (Network Security)
IPSec

[Figure: packet layouts]
ESP transport mode method (weakness: replay attack):
  | IP header | ESP header | IP packet contents (encrypted) | ESP trailer | ESP Auth. |
AH transport method (provides complete authentication for the packet):
  | New IP header | AH header | IP header | IP packet contents |
  Authentication scope: the whole packet.

The IPSec protocol has:
· ESP (Encapsulating Security Payload). ESP takes the original data packet and breaks off the IP header. The rest of the packet is encrypted, with the original header added at the start, along with a new ESP field at the start and one at the end. It is important that the IP header is not encrypted, as the data packet must still be read by routers as it travels over the Internet. Only the host at the other end of the IPSec tunnel can decrypt the contents of the IPSec data packet.
· AH (Authentication Header). This encrypts the complete contents of the IP data packet, and adds a new packet header. ESP has the weakness that an intruder can replay previously sent data, whereas AH provides a mechanism of sequence numbers to reduce this problem.
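The sequence-number mechanism the slide credits to AH is a receiver-side sliding window; the following is an added example (not code from the slides) implementing the window algorithm from RFC 2402 Appendix C on a constructed list of sequence numbers. The window size of 64 and the sample sequence are this example's assumptions. The check must run only after the packet's authentication value has verified, otherwise forged sequence numbers could advance the window and cause genuine packets to be dropped; since no real AH packets are parsed here, that verification result is passed in as a flag.

```python
"""Sliding-window anti-replay check driven by the AH sequence number.

Added example for the replay discussion above; not code from the slides.
Follows RFC 2402 Appendix C: the receiver remembers the highest sequence
number accepted and a bitmap of the last WINDOW numbers, so a replayed or
very old packet is dropped.  Window size and sample input are assumptions.
"""


class AntiReplayWindow:
    def __init__(self, window=64):
        self.window = window
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was received

    def accept(self, seq, icv_ok=True):
        """Return True if the packet is authenticated and fresh, else False."""
        if not icv_ok:
            return False                 # never touch the window on a failed ICV
        if seq == 0:
            return False                 # RFC 2402: the first packet on an SA uses 1
        if seq > self.top:
            shift = seq - self.top       # slide the window forward to the new top
            if shift >= self.window:
                self.bitmap = 1          # everything previously seen is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.window:
            return False                 # older than the window: drop
        if (self.bitmap >> back) & 1:
            return False                 # already seen inside the window: replay
        self.bitmap |= 1 << back         # late but legitimate (reordered) packet
        return True


def replay_demo():
    """Feeds a constructed sequence (two replays, one reordering, one jump) through
    a 64-packet window and returns the accept/drop decisions in order."""
    w = AntiReplayWindow(window=64)
    received = [1, 2, 3, 5, 4, 3, 2, 100, 40, 37, 36]
    return [w.accept(s) for s in received]


if __name__ == "__main__":
    print(replay_demo())
```

In the demo, 4 arriving after 5 is accepted (reordering inside the window), the second 3 and 2 are dropped as replays, and after the jump to 100 the number 36 is dropped because it falls outside the 64-packet window even though it was never seen.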
30. VPN (Network Security)
IPSec

IP header fields (IP | TCP | higher-level protocol/data):
  Version | Header length | Type of service | Total length
  Identification | Flags (0, D = don't fragment, M = more fragments) | Fragment offset
  Time-to-live | Protocol | Header checksum
  Source IP address
  Destination IP address

The Protocol field identifies the encapsulated protocol; IPSec and the tunnelling protocols have their own numbers:
  1    ICMP      Internet Control Message [RFC792]
  6    TCP       Transmission Control [RFC793]
  8    EGP       Exterior Gateway Protocol [RFC888]
  9    IGP       any private interior gateway [IANA]
  47   GRE       General Routing Encapsulation (PPTP)
  50   ESP       Encap Security Payload [RFC2406]
  51   AH        Authentication Header [RFC2402]
  55   MOBILE    IP Mobility
  88   EIGRP     EIGRP [CISCO]
  89   OSPFIGP   OSPFIGP [RFC1583]
  115  L2TP      Layer Two Tunneling Protocol
31. VPN (Network Security)
IPSec

[Figure: remote-access VPN from Bob@home to the Bob Co. VPN gateway.]

Phase 1 (IKE – Internet Key Exchange). UDP port 500 is used for IKE. Defines the policies between the peers.
IKE policies:
· Hashing algorithm (SHA/MD5)
· Encryption (DES/3DES)
· Diffie-Hellman agreements
· Authentication (pre-share, RSA nonces, RSA sig).

Phase 2. Defines the policies for transform sets, peer IP addresses/hostnames and lifetime settings. Crypto maps are exchanged:
· AH, ESP (or both)
· Encryption (DES, 3DES)
· ESP (tunnel or transport)
· Authentication (SHA/MD5)
· SA lifetimes defined
· Define the traffic of interest

Example configuration:
isakmp enable outside
isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authen pre-share
isakmp policy 5 encrypt des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
sysopt connection permit-ipsec
crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
crypto map MYIPSEC 10 ipsec-isakmp
access-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0 255.255.255.0
crypto map MYIPSEC 10 match address 111
crypto map MYIPSEC 10 set peer 176.16.0.2
crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
crypto map MYIPSEC interface outside
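The Phase 1 and Phase 2 choices in a configuration like the one above are the first thing a reviewer checks, so here is an added example (not code from the slides or from any vendor tool) that parses the ISAKMP policy and transform-set lines and reports weak settings. The configuration is the one printed above, embedded as a string; the thresholds (flagging DES, 3DES, MD5, SHA-1, DH groups 1 and 2, and pre-shared keys) are this example's own policy and an assumption, not something the slides define.

```python
"""Audit an ISAKMP/IPsec configuration for weak algorithm choices.

Added example for the Phase 1 / Phase 2 policy above; not code from the
slides or from any vendor tool.  SAMPLE_CONFIG is the configuration printed
above, embedded as a string.  The thresholds are this example's own policy
(an assumption), not something the slides define.
"""

SAMPLE_CONFIG = """\
isakmp enable outside
isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authen pre-share
isakmp policy 5 encrypt des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
sysopt connection permit-ipsec
crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
crypto map MYIPSEC 10 ipsec-isakmp
access-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0 255.255.255.0
crypto map MYIPSEC 10 match address 111
crypto map MYIPSEC 10 set peer 176.16.0.2
crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
crypto map MYIPSEC interface outside
"""

WEAK_ENCRYPTION = {"des": "56-bit DES", "3des": "3DES"}
WEAK_HASH = {"md5": "MD5", "sha": "SHA-1"}
WEAK_DH_GROUP = {"1": "768-bit MODP", "2": "1024-bit MODP"}
# Phase 2 transform names as they appear in the configuration above.
WEAK_TRANSFORMS = {
    "esp-des": "ESP encryption with 56-bit DES",
    "esp-3des": "ESP encryption with 3DES",
    "esp-md5-hmac": "ESP integrity with HMAC-MD5",
    "esp-sha-hmac": "ESP integrity with HMAC-SHA-1",
    "ah-md5-hmac": "AH integrity with HMAC-MD5",
    "ah-sha-hmac": "AH integrity with HMAC-SHA-1",
}


def audit_ipsec_config(text):
    """Return a list of (line number, finding) for every weak setting found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if tok[:2] == ["isakmp", "key"]:
            findings.append((lineno, "pre-shared key stored in clear text in the "
                             "configuration; protect config backups and prefer rsa-sig"))
        elif tok[:2] == ["isakmp", "policy"] and len(tok) >= 5:
            attr, value = tok[3], tok[4]
            if attr == "authen" and value == "pre-share":
                findings.append((lineno, "Phase 1 uses pre-shared key authentication; "
                                 "a shared secret does not identify individual peers"))
            elif attr == "encrypt" and value in WEAK_ENCRYPTION:
                findings.append((lineno, f"Phase 1 encryption {WEAK_ENCRYPTION[value]} "
                                 "is weak; use AES"))
            elif attr == "hash" and value in WEAK_HASH:
                findings.append((lineno, f"Phase 1 hash {WEAK_HASH[value]} is weak; "
                                 "use SHA-256 or stronger"))
            elif attr == "group" and value in WEAK_DH_GROUP:
                findings.append((lineno, f"Diffie-Hellman group {value} "
                                 f"({WEAK_DH_GROUP[value]}) is too small; use group 14 or larger"))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) >= 5:
            transforms = tok[4:]
            for t in transforms:
                if t in WEAK_TRANSFORMS:
                    findings.append((lineno, f"Phase 2 transform {t}: {WEAK_TRANSFORMS[t]} is weak"))
            if not any(t.endswith("-hmac") for t in transforms):
                findings.append((lineno, "transform set has no integrity (HMAC) transform; "
                                 "unauthenticated ESP is malleable"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_ipsec_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

Run against the slide's configuration the audit reports seven findings: the clear-text key, pre-shared authentication, DES, SHA-1 and DH group 1 in Phase 1, and DES plus HMAC-SHA-1 in the transform set. The same parser returns nothing for a policy built on AES, SHA-256 and DH group 14.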
35. VPN (Network Security)
After connecting to the VPN

[Figure: Bob@home, with 192.168.0.3 on the home LAN and 146.176.212.218 on the VPN adapter, connected through the remote-access VPN to the Bob Co. gateway at 146.176.0.1.]

C:>route print
===========================================================================
Interface List
 21 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter
 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet
  7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connectio
  1 ........................... Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3     25
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
      146.176.0.0      255.255.0.0         On-link  146.176.212.218    281
      146.176.1.0    255.255.255.0      146.176.0.1  146.176.212.218    100
      146.176.2.0    255.255.255.0      146.176.0.1  146.176.212.218    100
...
===========================================================================
Persist

The 146.176.0.0 entries send Bob Co. traffic through the VPN connection (interface 146.176.212.218, gateway 146.176.0.1). All other traffic, i.e. anything not on the 146.176.0.0 network, matches the default route and goes through the non-VPN connection (interface 192.168.0.3, gateway 192.168.0.1).
36. VPN (Network Security)
Traceroute for VPN

[Figure: Bob@home connected through the remote-access VPN (VPN adapter 146.176.212.218, gateway 146.176.0.1) to Bob Co.]

Before VPN connection: the path to www.napier.ac.uk leaves through the home router and the ISP and crosses the ja.net backbone:

C:>tracert www.napier.ac.uk
Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:
  1     2 ms     2 ms     6 ms  192.168.0.1
  2    36 ms    38 ms    38 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    31 ms    31 ms    30 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    43 ms    43 ms    43 ms  be2.er10.thlon.ov.easynet.net [195.66.224.43]
  5    48 ms    45 ms    45 ms  linx-gw1.ja.net [195.66.224.15]
  6    45 ms    44 ms    45 ms  so-0-1-0.lond-sbr4.ja.net [146.97.35.129]
  7    49 ms    79 ms    49 ms  so-2-1-0.leed-sbr1.ja.net [146.97.33.29]
  8    58 ms    56 ms    56 ms  EastMAN-E1.site.ja.net [146.97.42.46]
  9    59 ms    57 ms    57 ms  vlan16.s-pop2.eastman.net.uk [194.81.56.66]
 10    57 ms    59 ms    58 ms  gi0-1.napier-pop.eastman.net.uk [194.81.56.46]
 11

After VPN connection: the first hop is already on the 146.176.0.0 network, because the packets are carried through the tunnel to Bob Co. before they are routed:

C:>tracert www.napier.ac.uk
Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:
  1    57 ms    58 ms    57 ms  146.176.210.2
  2    58 ms    56 ms    57 ms  www.napier.ac.uk [146.176.222.174]
  3    58 ms    59 ms    56 ms  www.napier.ac.uk [146.176.222.174]

37. VPN (Network Security)
Traceroute for VPN

[Figure: the same remote-access VPN from Bob@home (146.176.212.218, gateway 146.176.0.1) to Bob Co.]

Before VPN connection:

C:>tracert www.intel.com
Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:
  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]

After VPN connection (unchanged: 90.223.246.33 is not on the 146.176.0.0 network, so it still takes the non-VPN default route):

C:>tracert www.intel.com
Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:
  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]
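The route table on slide 35 and the two traceroutes on slides 36 and 37 are two views of the same decision, so here is one added example (not code from the slides) that makes it explicit: a longest-prefix-match lookup over the routes transcribed from the "route print" output, applied to the two traceroute targets. The route list omits the entries the slide truncates, the interface descriptions are assumptions taken from the interface list, and the IP addresses are those printed on the slides.

```python
"""Which interface carries a packet once the VPN is up: longest-prefix match
over the "route print" table.

Added example for the route table and the traceroutes above; not code from
the slides.  ROUTES is transcribed from the route print output (truncated
entries omitted); the interface descriptions are assumptions.
"""
import ipaddress

# (network, netmask, gateway, interface address, metric), as Windows prints them.
# "On-link" means the destination is directly reachable on that interface.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "192.168.0.3", 25),
    ("127.0.0.0", "255.0.0.0", "On-link", "127.0.0.1", 306),
    ("127.0.0.1", "255.255.255.255", "On-link", "127.0.0.1", 306),
    ("127.255.255.255", "255.255.255.255", "On-link", "127.0.0.1", 306),
    ("146.176.0.0", "255.255.0.0", "On-link", "146.176.212.218", 281),
    ("146.176.1.0", "255.255.255.0", "146.176.0.1", "146.176.212.218", 100),
    ("146.176.2.0", "255.255.255.0", "146.176.0.1", "146.176.212.218", 100),
]

INTERFACES = {
    "192.168.0.3": "Broadcom NetLink Fast Ethernet (home LAN, outside the tunnel)",
    "146.176.212.218": "Cisco Systems VPN Adapter (inside the tunnel)",
    "127.0.0.1": "Software Loopback Interface 1",
}
VPN_INTERFACE = "146.176.212.218"


def lookup(dest_ip, routes=ROUTES):
    """Pick the route with the longest matching prefix; lower metric breaks ties."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for network, netmask, gateway, iface, metric in routes:
        net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
        if dest not in net:
            continue
        rank = (net.prefixlen, -metric)        # longer prefix first, then lower metric
        if best is None or rank > best[0]:
            best = (rank, net, gateway, iface)
    if best is None:
        return None
    _, net, gateway, iface = best
    return {
        "route": str(net),
        "gateway": gateway,
        "interface": INTERFACES.get(iface, iface),
        "via_vpn": iface == VPN_INTERFACE,
    }


def split_tunnel_demo():
    """The two traceroute targets: www.napier.ac.uk and www.intel.com's Akamai address."""
    return {
        "www.napier.ac.uk": lookup("146.176.222.174"),
        "www.intel.com": lookup("90.223.246.33"),
    }


if __name__ == "__main__":
    for host, decision in split_tunnel_demo().items():
        print(host, decision)
```

The Napier address matches the /16 on the VPN adapter and the first traceroute hop is therefore inside 146.176.0.0, while the Akamai address matches only the default route and keeps the home-router path, exactly as the two traceroute pairs show. This is split tunnelling: the host is simultaneously on the home LAN and on the company network, which is the reason many organisations force all traffic through the tunnel instead.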
38. Advanced Crypto, 6. Tunnelling: Introduction
Author: Prof Bill Buchanan, http://asecuritysite.com/crypto