This document provides an overview of IP Security (IPSec). It begins with defining what IPSec is and its objectives of protecting IP packet contents and enforcing trusted communication. It then describes how IPSec works, including the Internet Key Exchange (IKE) protocol used to establish security associations (SAs), and how IPSec protects against various attacks. The document outlines best practices for configuring and using IPSec, and discusses some common issues like performance overhead and network address translation traversal support.
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
Slide 2: Agenda
What is IPSec?
How does IPSec Work?
Configuring/Using IPSec
Issues
Best Practices
Resources
Slide 3: What is IPSec?
Framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks
IPSec provides authenticated and encrypted traffic between hosts at the IP protocol level
Provides aggressive protection against private network and Internet attacks through end-to-end security
Protects communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roving clients
IPSec is the long-term direction for secure networking
Slide 4: IPSec Objectives
To protect the contents of IP packets
To provide a defense against network attacks through packet filtering
To enforce trusted communication based on either local or central policy
These objectives are met through the use of cryptography-based protection services, security protocols, dynamic key management and Windows Group Policy.
Slide 5: Why IPSec?
IPv4 not designed with security in mind
Attacks possible with IPv4
• Eavesdropping
• Data modification
• Identity spoofing (IP address spoofing)
• Denial-of-service attack
• Man-in-the-middle attack
These can be avoided by use of IPSec
Slide 6: IPSec Protection
Eavesdropping
• The Encapsulating Security Payload (ESP) protocol in IPSec provides data confidentiality by encrypting the payload of IP packets
Data modification
• Cryptography-based keys, shared only by the sending and receiving computers, are used to create a cryptographic checksum for each IP packet.
• Modification of the data alters the checksum, which indicates to the receiving computer that the packet was modified in transit
Identity spoofing
• IPSec allows verification of identities without exposing that information to an attacker.
• Mutual authentication establishes trust between the hosts.
Man-in-the-middle attacks
• IPSec combines mutual authentication with shared, cryptography-based keys.
Denial-of-service attacks
• IPSec uses IP packet filtering to allow, secure, or block traffic based on IP address ranges, IP protocols, or even specific TCP/UDP ports.
Slide 7: Agenda
What is IPSec?
How does IPSec Work?
Configuring/using IPSec
Issues
Best Practices
Resources
Slide 8: How Components Interact?
Internet Key Exchange (IKE) - Identity Protect Mode – defined in RFC 2409
Phase 1 “Main Mode” establishes IKE SA – trusted channel between systems; negotiation establishes encrypted channel, mutual trust, and dynamically generates shared secret key (“master” key)
Phase 2 “Quick Mode” establishes IPSec SAs – for data protection, one SA for each direction identified by packet label (SPI); algorithms and packet formats agreed; generates shared “session” secret keys derived from “master” key
[Diagram: a client (“IKE Initiator”) and a server or gateway (“IKE Responder”), each with Application/Service, TCP/IP, NIC, IPSec Driver (holding the filters), IPSec Policy Agent and IKE (ISAKMP). IKE negotiation runs over UDP port 500 and yields 1 IKE SA and 2 IPSec SAs; protected data is carried as IP protocol 50/51.]
Slide 9: IPSec Policy
One Active IPSec Policy
• Multiple IPSec Policies can be defined
Policy Consists of
• ISAKMP Policy
• IPSec rules
– An IPSec policy can have many rules
IPSec Rules
• Filter – identifies the traffic to secure/drop/etc
• Filter action – drop, deny, authenticate, encrypt
• Authentication, encryption, etc
Slide 10: IPSec Policy Components
Polling interval used to detect changes in policy
IKE parameters, such as encryption key lifetimes
IPSec behavior for the policy
The types of traffic to which an action is applied
Permit, block, or secure
Kerberos, certificate, or preshared key
LAN, Dialup, or both
Slide 11: IPSec packet filtering
Filters allow and block traffic
Filters can overlap
• Most specific match determines action
NO stateful inspection
Example: to open only port 80 on the IIS server:
From IP | To IP          | Protocol | Src Port | Dest Port | Action
Any     | My Internet IP | Any      | n/a      | n/a       | Block
Any     | My Internet IP | TCP      | Any      | 80        | Permit
The two filters overlap; the TCP/80 filter pins down more fields, so it is the more specific match and its Permit wins for web traffic, while everything else falls through to the Block filter.
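The following is an added example, not code from the slides, modelling how the IPSec driver evaluates overlapping filters: every filter that matches a packet is collected, and the most specific one decides. It assumes "most specific" means the filter with the most non-wildcard fields (the slide states the rule but not how ties are ranked), uses the slide's two filters plus the HTTPS filter from the Editor's Notes, and uses a constructed address for "My Internet IP".

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard field, like "Any" in the filter table

# A packet as the driver sees it: (src_ip, dst_ip, protocol, src_port, dst_port)
Packet = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Filter:
    src_ip: Optional[str]
    dst_ip: Optional[str]
    protocol: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    action: str  # "Permit" or "Block" (a real policy also has "negotiate")

    def _fields(self):
        return (self.src_ip, self.dst_ip, self.protocol, self.src_port, self.dst_port)

    def matches(self, pkt: Packet) -> bool:
        # Header fields only: there is no connection state to consult.
        return all(f is ANY or f == p for f, p in zip(self._fields(), pkt))

    def specificity(self) -> int:
        # Assumption: the more fields a filter pins down, the more specific it is.
        return sum(f is not ANY for f in self._fields())


MY_INTERNET_IP = "203.0.113.10"  # constructed stand-in for "My Internet IP"

# The slide's example policy, plus the port-443 filter from the Editor's Notes.
ALLOW_WEB_TRAFFIC = [
    Filter(ANY, MY_INTERNET_IP, ANY, ANY, ANY, "Block"),
    Filter(ANY, MY_INTERNET_IP, "TCP", ANY, 80, "Permit"),
    Filter(ANY, MY_INTERNET_IP, "TCP", ANY, 443, "Permit"),
]


def decide(policy, pkt: Packet) -> Optional[str]:
    """Action for one packet, or None when no filter applies (packet is left alone)."""
    hits = [f for f in policy if f.matches(pkt)]
    if not hits:
        return None
    return max(hits, key=Filter.specificity).action


if __name__ == "__main__":
    client = "198.51.100.5"  # constructed remote address
    samples = [
        (client, MY_INTERNET_IP, "TCP", 51000, 80),   # web request: Permit
        (client, MY_INTERNET_IP, "TCP", 51000, 443),  # HTTPS request: Permit
        (client, MY_INTERNET_IP, "TCP", 51000, 22),   # anything else: Block
        (client, MY_INTERNET_IP, "UDP", 51000, 80),   # wrong protocol: Block
        # Reply to a connection the server itself opened: without state tracking
        # the driver only sees dst_port 51000, so the Block filter wins.
        (client, MY_INTERNET_IP, "TCP", 80, 51000),
    ]
    for pkt in samples:
        print(pkt, "->", decide(ALLOW_WEB_TRAFFIC, pkt))
```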
Slide 12: Negotiation of Protection
Requires two messages
• Initiator to Responder: (contains proposals)
• Responder to Initiator: (contains a selected proposal)
• Details later!
Protection suites:
Attribute             | Attribute Value
Encryption algorithm  | DES, 3DES, Null
Integrity algorithm   | MD5, SHA-1, Null
Authentication method | Kerberos, preshared key, certificate
Diffie-Hellman group  | Group 1 (768-bit), Group 2 (1024-bit)
Slide 13: IPSec Modes
Transport mode
• Used for IPSec peers doing end-to-end security
• Provides protection for upper-layer protocol data units (PDUs)
Tunnel mode
• Used by network routers to protect IP datagrams passing across an insecure network
• Provides protection for entire IP datagrams
Slide 14: Security Associations
Combination of mutually agreed security services, protection
mechanisms, and cryptographic keys
ISAKMP SA
IPSec SAs
• One for inbound traffic
• One for outbound traffic
Security Parameters Index (SPI)
• Helps identify an SA
Creating SAs
• Main Mode for ISAKMP SA
• Quick Mode for IPSec SAs
Slide 15: Agenda
What is IPSec?
How does IPSec Work? (at the packet level!)
Configuring/using IPSec
Issues
Best Practices
Resources
Slide 16: Internet Key Exchange
How IPSec peers establish SAs
Combines ISAKMP and the Oakley Key Determination Protocol
• ISAKMP is used to identify and authenticate peers, manage SAs, and exchange key material
• Oakley Key Determination Protocol is used to generate secret key material for secure communications (Diffie-Hellman key exchange algorithm)
Slide 17: ISAKMP Message Structure
[Diagram: an IP datagram carries a UDP message, and the UDP message carries the ISAKMP header followed by the ISAKMP payloads: IP header | UDP header | ISAKMP header | ISAKMP payloads]
ISAKMP uses UDP source/destination port 500
Slide 20: IPSec Headers
IPSec headers live inside IP datagrams and define IPSec contents
Authentication Header (AH)
• Provides data origin authentication, data integrity, and replay protection for the entire IP datagram
Encapsulating Security Payload (ESP)
• Provides data origin authentication, data integrity, replay protection, and data confidentiality for the ESP-encapsulated portion of the packet
Slide 24: ESP Transport Mode
[Diagram: original datagram = IP | Upper layer PDU. In transport mode = IP | ESP header | Upper layer PDU (Data) | ESP trailer | ESP Auth. Encrypted: the upper layer PDU and the ESP trailer. Authenticated: from the ESP header through the ESP trailer.]
Slide 25: ESP with AH Transport Mode
[Diagram: original datagram = IP | Upper layer PDU. With both headers = IP | AH | ESP header | Upper layer PDU | ESP trailer | ESP Auth. Encrypted: the upper layer PDU and the ESP trailer. Authenticated with ESP: from the ESP header through the ESP trailer. Authenticated with AH: the whole datagram, from the IP header onward.]
Slide 26: ESP Tunnel Mode
[Diagram: original datagram = IP | Upper layer PDU. In tunnel mode = IP (new) | ESP header | IP (original) | Upper layer PDU | ESP trailer | ESP Auth. Encrypted: the original IP header, the upper layer PDU and the ESP trailer. Authenticated: from the ESP header through the ESP trailer.]
Slide 27: ESP Header and Trailer
ESP header: Security Parameters Index; Sequence Number
Payload (variable length)
ESP trailer: Padding (variable length); Padding Length; Next Header
Authentication Data (variable length)
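The following is an added example, not code from the slides, that builds and receives the ESP layout shown above (SPI, sequence number, payload, padding, pad length, next header, authentication data) and applies the replay protection the deck credits ESP with. It assumes HMAC-SHA1-96 (RFC 2404) for the authentication data and the ESP NULL cipher (RFC 2410) so that the layout stays visible and only the standard library is needed; the key, SPI and payloads are constructed.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte SHA-1 MAC truncated to 96 bits


def build_esp(spi: int, seq: int, next_header: int, pdu: bytes, auth_key: bytes) -> bytes:
    """ESP header | payload | padding | pad length | next header | ICV.
    With the NULL cipher the payload is the upper-layer PDU itself."""
    pad_len = (-(len(pdu) + 2)) % 4            # keep the trailer 4-byte aligned (RFC 2410)
    padding = bytes(range(1, pad_len + 1))     # default monotonic padding bytes 1, 2, ...
    body = struct.pack("!II", spi, seq) + pdu + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]  # covers header..trailer
    return body + icv


class ReplayWindow:
    """Receiver-side anti-replay window: a bitmap of the last `size` sequence numbers."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                               # 0 is never a valid sequence number
            return False
        if seq > self.top:                         # right of the window: slide it forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                           # too old, or already received
        self.bitmap |= 1 << diff
        return True


def receive_esp(packet: bytes, auth_key: bytes, window: ReplayWindow):
    """Returns ("ok", spi, seq, next_header, pdu) or ("drop", reason)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return ("drop", "truncated")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):     # verify before the window is updated
        return ("drop", "bad ICV")
    spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):
        return ("drop", "replayed or outside window")
    pad_len, next_header = body[-2], body[-1]
    pdu = body[8:len(body) - 2 - pad_len]          # strip header, padding and trailer
    return ("ok", spi, seq, next_header, pdu)


if __name__ == "__main__":
    key = b"constructed-auth-key"                  # constructed; real keys come from IKE
    window = ReplayWindow()
    pkt = build_esp(0x1000, 1, 6, b"GET / HTTP/1.0\r\n", key)  # next header 6 = TCP
    print(receive_esp(pkt, key, window))           # accepted
    print(receive_esp(pkt, key, window))           # same sequence number: dropped
```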
Slide 28: Internet Key Exchange
Standard that defines a mechanism to establish SAs
Combines ISAKMP and the Oakley Key Determination Protocol
• ISAKMP is used to identify and authenticate peers, manage SAs, and exchange key material
• Oakley Key Determination Protocol is used to generate secret key material for secure communications (Diffie-Hellman key exchange algorithm)
Slide 29: Main Mode Negotiation
Phases of main mode negotiation:
1. Negotiation of protection suites
2. A Diffie-Hellman exchange
3. Authentication
Six ISAKMP messages
• 1, 2 – all authentication types
• 3, 4, 5, and 6 - vary by Authentication type
Slide 30: Authentication in MM Negotiation
Kerberos Authentication
• Kerberos Tokens exchanged and validated
Certificate Authentication
• Certificates and signatures exchanged and validated
Preshared Key Authentication
• Hash payloads exchanged and validated
Slide 31: Main Mode Negotiation Messages
Message 1
• Sent by initiator
• Contains proposed security association details, vendor ID
Message 2
• Sent by responder
• Contains acceptable SA proposal, vendor ID
These messages negotiate:
• Encryption (DES, 3DES)
• Integrity algorithm (MD5, SHA-1)
• Authentication Method (Kerberos, Pre-shared key, Certificate)
• Diffie-Hellman group (768-bit, 1024-bit, 2048-bit)
Slide 32: Main Mode – Kerberos Authentication
Message 3 - Sent from initiator
• Contains key exchange, Nonce, initiator’s Kerberos Token, NAT Discovery information
Message 4 - Sent from responder
• Contains key exchange, Nonce, responder’s Kerberos Token, NAT Discovery information
Message 5 - Sent from initiator (encrypted)
• Contains identification (of initiator), plus hash
Message 6 - Sent from responder (encrypted)
• Contains identification (of responder), plus hash
Slide 33: Main Mode – Certificate Authentication
Message 3 - Sent from initiator
• Contains key exchange, Nonce, NAT Discovery information
Message 4 - Sent from responder
• Contains key exchange, Nonce, NAT Discovery information
• Also contains certificate request (list of trusted root CAs)
Message 5 - Sent from initiator (encrypted)
• Contains Initiator’s Certificate, signature
Message 6 - Sent from responder (encrypted)
• Contains Responder’s certificate, signature
Slide 34: Main Mode – Pre-Shared Key Authentication
Message 3 - Sent from initiator
• Contains Key Exchange, Nonce, NAT Discovery
Message 4 - Sent from responder
• Contains Key Exchange, Nonce, NAT Discovery
Message 5 - Sent from initiator (encrypted)
• Contains Identification (of initiator), hash
Message 6 - Sent from responder (encrypted)
• Contains Identification (of responder), hash
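The following is an added example, not code from the slides, showing what the pre-shared key variant of the six-message Main Mode exchange on slides 29 through 34 actually computes: messages 3 and 4 carry the Diffie-Hellman values and nonces, and the hashes in messages 5 and 6 (HASH_I and HASH_R) are what each side verifies to authenticate the other. It follows the SKEYID and HASH_I/HASH_R formulas of RFC 2409 section 5.4 with HMAC-SHA1 as the prf and Oakley group 2 (the slide's 1024-bit group); the pre-shared key, identities, cookies and SA body are constructed stand-ins, and both peers are simulated in one process.

```python
import hmac
import hashlib
import secrets

# Oakley group 2: 1024-bit MODP prime with generator 2 (RFC 2409 section 6.2).
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf: HMAC-SHA1 when SHA-1 is the integrity algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(GROUP2_P - 2) + 1                 # private exponent
    return x, pow(GROUP2_G, x, GROUP2_P).to_bytes(128, "big")  # KE payload value


def dh_shared(x: int, peer_pub: bytes) -> bytes:
    return pow(int.from_bytes(peer_pub, "big"), x, GROUP2_P).to_bytes(128, "big")


def skeyid_material(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 5.4: SKEYID for pre-shared keys, then SKEYID_d (seeds the
    Quick Mode session keys), SKEYID_a (IKE integrity) and SKEYID_e (IKE encryption)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def auth_hash(skeyid, g_first, g_second, cky_i, cky_r, sa_i, ident):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b);
    HASH_R swaps the two public values and uses the responder's identity."""
    return prf(skeyid, g_first + g_second + cky_i + cky_r + sa_i + ident)


def main_mode_psk(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Simulate messages 1-6 and report whether each side authenticated its peer
    and whether both derived the same key material."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    sa_i = b"SA:3DES/SHA-1/PSK/DH-group-2"          # constructed stand-in for SAi_b
    id_i, id_r = b"initiator.example", b"responder.example"  # constructed IDs
    xi, g_xi = dh_keypair()                          # message 3: KE + nonce
    xr, g_xr = dh_keypair()                          # message 4: KE + nonce
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)
    # Each side derives SKEYID from its OWN copy of the pre-shared key.
    keys_i = skeyid_material(psk_initiator, ni, nr, dh_shared(xi, g_xr), cky_i, cky_r)
    keys_r = skeyid_material(psk_responder, ni, nr, dh_shared(xr, g_xi), cky_i, cky_r)
    # Message 5: initiator sends ID_i and HASH_I; the responder recomputes HASH_I.
    hash_i_sent = auth_hash(keys_i[0], g_xi, g_xr, cky_i, cky_r, sa_i, id_i)
    hash_i_check = auth_hash(keys_r[0], g_xi, g_xr, cky_i, cky_r, sa_i, id_i)
    # Message 6: responder sends ID_r and HASH_R; the initiator recomputes HASH_R.
    # (A real responder would stop after a failed message 5; both are shown here.)
    hash_r_sent = auth_hash(keys_r[0], g_xr, g_xi, cky_i, cky_r, sa_i, id_r)
    hash_r_check = auth_hash(keys_i[0], g_xr, g_xi, cky_i, cky_r, sa_i, id_r)
    return {
        "responder_accepts_initiator": hmac.compare_digest(hash_i_sent, hash_i_check),
        "initiator_accepts_responder": hmac.compare_digest(hash_r_sent, hash_r_check),
        "same_key_material": keys_i == keys_r,
    }


if __name__ == "__main__":
    print(main_mode_psk(b"constructed-shared-secret", b"constructed-shared-secret"))
    print(main_mode_psk(b"constructed-shared-secret", b"mistyped-secret"))
```

A mismatched pre-shared key does not break the Diffie-Hellman step; it surfaces only as a HASH_I mismatch in message 5, which is why a wrong key on one side looks like an authentication failure rather than a key-exchange error.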
Slide 35: Quick Mode Negotiation
Four ISAKMP messages to determine traffic to be secured and how it is secured
Initiator and responder exchange:
• SA payloads (how to secure traffic)
• Identification payloads (the traffic to secure)
Slide 36: IPSec On the Wire, or Fun With NetMon! (Demo)
Slide 37: Agenda
What is IPSec?
How does IPSec Work?
Configuring/Using IPSec
Issues
Best Practices
Resources
Slide 38: Issues with IPSec
Need for machine certificates
Interoperability
Performance/Overhead
NAT traversal
Slide 39: Need for Machine Certificates/Keys
IPSec is based on machine to machine communication
• User credentials not used
• You therefore need machine certificates
For Kerberos
• Machine is the security principal
• Only works for Windows 2000/2003/XP
For Certificate based authentication
• How to manage/deliver certificates
Slide 40: Performance/Overhead
IPSec incurs three sets of overhead:
• Startup
• Wire protocol overheads
• Speed of encryption
Startup overhead
• Main Mode – 6 packets
• Quick Mode – 10 packets
Slide 42: IPSec Hardware Acceleration
IPSec per-packet hardware acceleration for 10/100 Ethernet
Client/Svr cards retail circa $100
3Com
• 3CR990B-97 - 10/100 UTP
• 3CR990B-FX-97 – 10/100 Fiber
• Wire Speed IPSec
• Max 75 SAs supported
• http://www.3com.com/other/pdfs/products/en/400833.pdf or http://tinyurl.com/3er3f
Intel
• Intel® PRO/100 S Desktop/Server
• http://www.intel.com/network/connectivity/resources/doc_library/documents/pdf/intel_ipsec_final.pdf or http://tinyurl.com/37hcn
Slide 43: XP IPSec Performance Improvements
Doubled number of new SAs per minute
Reliable delete handling in IKE
Doubled packet filtering speed (throughput)
Client LDAP retrieval of AD policy 5 times faster than Windows 2000
Both Intel and 3Com 32bit x86 10/100 Ethernet offload support shipping in the box
Slide 44: IPSec NAT-T
Network Address Translators (NATs) invalidate IPSec packet protections
IPSec NAT Traversal (NAT-T):
• Encapsulates ESP-protected payloads with a UDP header
• Defines additional Main Mode payloads to detect IPSec NAT-T-capable peers and whether either is behind a NAT
• Defines an additional Quick Mode payload to indicate untranslated addresses
• Allows ESP-protected traffic to traverse a NAT
Slide 45: Agenda
What is IPSec?
How does IPSec Work?
Configuring/Using IPSec
Issues
Best Practices
Resources
Slide 46: Scripting
NETSH –C IPSEC – with Windows Server 2003
Netsh IPsec
No dump command
• It is included
• It does nothing!
Help text has few examples
Error messages generally totally unhelpful
Lots of trial and error seems to be needed!
Slide 47: Best Practices
Establish an IP Security deployment plan
Avoid Pre-shared keys
Configuration of certificate requests
Script, script, script
Editor's Notes
IPSec driver compares each outbound IP packet against filters contained in IPSec policy
If packet matches a filter, stall packet in queue and call IKE to negotiate IPSec security associations
Right click on IPSec policies and click Manage IP filter lists and filter actions
Click Add on IP filter list
In the IP Filter List dialog, click the Add button. The IP filter wizard starts.
Name the filter Inbound Web Traffic and uncheck Use Add Wizard
The source address is Any IP address.
The destination address is A specific IP address. Enter the IP address of the interface that’s connected to the Internet or use My IP address instead.
Choose the appropriate IP protocol. In this example, it’s TCP.
Under ports change the destination port by clicking To this port and enter 80.
Finally, finish the wizard.
Add another filter for SSL but change the port to 443
Under Manage Filter Actions, create a Block action: click Add, name the action Block, and select Block from the options
Now create an IPSec policy called Allow Web Traffic
Uncheck Activate the default response rule.
Click the Add button to begin the wizard for adding a rule to the policy. The steps are:
For the tunnel endpoint, choose The rule does not specify a tunnel.
The network type is All network connections.
The authentication method is Windows 2000 default (Kerberos V5 protocol). It’s important to understand the following: since your rule actually won’t be negotiating security, it doesn’t matter which authentication method you choose. No authentication happens when rules simply block or allow traffic. Leaving the setting at its default (Kerberos) simplifies the rule creation process, however.
Choose the filter list you created earlier. Following the example, you’d pick Inbound web protocols.
Choose the Permit filter action and click Finish the wizard.
Repeat the process once more, this time associating the All IP Traffic filter list with the Block filter action.
Finish and assign the new policy