The document outlines an agenda for a presentation on virtual private networks (VPNs). It discusses what a VPN is, the different types including site-to-site and remote access, commonly used VPNs like IPSec and MPLS, and key aspects of IPSec VPNs such as the two phases to establish encrypted tunnels and use of encryption, integrity checks, and authentication keys. The presentation also covers VPN concepts like encryption algorithms and hashing for integrity.
MQTT - A practical protocol for the Internet of Things (Bryan Boyd)
In today’s mobile world, the volume of connected devices and data is growing at a rapid pace. As more and more “things” become part of the Internet (refrigerators, pacemakers, cows?), the importance of scalable, reliable and efficient messaging becomes paramount. In this talk we will dive into MQTT: a lightweight, open standard publish/subscribe protocol for rapid messaging between “things”.
MQTT is simple to understand, yet robust enough to support interactions between millions of devices and users. MQTT is being used in connected car applications, mobile banking, Facebook Messenger, and many things in between. In this talk you will learn all about the protocol (in 10 minutes!) and see some of its applications: live-tracking, gaming, and more. We’ll walk through designing an MQTT-based API for a ride-share mobile application, and discuss how MQTT and REST APIs can complement each other.
WebRTC is an exciting new technology that lets you easily add realtime communication capabilities to your web and native apps. Learn more about WebRTC in this presentation from the real-life practitioners at Gruveo (www.gruveo.com).
Jenkins is a Continuous Integration tool to manage your environment that fires off jobs like cron or when a button is pushed. This talk will walk you through setting up a Jenkins site, complete with slave nodes on the servers doing the real work, and some simple jobs to get a feel for what it can do for you.
Real-life examples are included, based on an actual migration between data centers that required Jenkins to be installed fresh.
This talk has been presented at:
2016-08-20 in Philadelphia
- https://fosscon.us/
2016-08-26 in Cluj-Napoca, Romania
- http://act.yapc.eu/ye2016/talk/6751
- https://youtu.be/Nj84bBCssps
Presentation from Asterisk conference on designing a High Availability Asterisk cluster. Covers the current state of HA, available open source products vs closed source, VoIP service continuity, synchronization of configuration, etc.
How to manage internet clients of an ISP with PPPoE and MikroTik. For centralized AAA (Authentication, Authorization and Accounting), freeRadius is used.
Intrusion Detection Systems and Intrusion Prevention Systems (Cleverence Kombe)
Intrusion detection system (IDS) is software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted and malicious activities. Intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
Free CCNP switching workbook by networkershome pdf (Networkershome)
CCNP workbook and lab manual by NETWORKERS HOME. NETWORKERS HOME understands the importance of a CCNP switching workbook when it comes to Cisco certification, which is why we offer a free CCNP switching workbook.
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
Presentation of the IKE and IPsec protocols used to set up Site-to-Site and Remote Access VPN tunnels.
How the IKEv1 protocol works, and differences from IKEv2
How the IPsec protocol works and how a VPN tunnel is set up
Extensions of the IKEv1 protocol (KeepAlive, DPD, NAT-T, Mode Config, XAUTH)
(NET202) Connectivity Using Software-Defined Networking & Advanced API (Amazon Web Services)
"Do you need high performance, global connectivity for your growing business? Learn how you can leverage your existing investments with new software-defined networking technology to securely connect from anywhere in the world to your AWS cloud applications.
Do you need to support multiple lines of business that connect to AWS? Discover how new software technology enables your lines of business to easily and quickly create virtual connections to AWS, resulting in increased agility and reduced costs.
Is your business transforming to the hybrid cloud? Use Multiprotocol Label Switching (MPLS) networking to securely connect from your customer-owned data centers to your applications that run in the AWS cloud, avoiding the risks associated with the Internet.
Session sponsored by AT&T."
Being A Socially Responsible Social Developer: Mobile App Security (Doug Sillars)
Mobile applications collect a wealth of data about our customers. How are we protecting this data from infiltration? Let's look at some common vulnerabilities and how to identify them.
CORD aims to bring the data center economy and cloud agility to the service provider networks and is an end-to-end solution for the next generation central offices. CORD leverages three related technologies: SDN, NFV, and Cloud and builds on merchant silicon, white boxes and open-source platforms such as ONOS, OpenStack, and XOS. ON.Lab, AT&T and partners demonstrated CORD POC at ONS2015 and are now building a CORD POD for a market trial.
The CORD thought leaders and developers introduce CORD, explain the motivation from a service provider perspective, discuss CORD architecture, related services and key use cases including vOLT, vSG and vRouter.
Topics of Discussion
>>> CORD Introduction
>>> Motivation from a Service Provider Perspective
>>> CORD Architecture
>>> Usecases: vOLT, vSG and vRouter
>>> CORD Future Plans
What Makes Mobile Websites Tick - Oredev (Doug Sillars)
A look at the top mobile websites using WebPageTest.org and the HTTPArchive. What are fast websites doing correctly, and what are some symptoms of slower sites?
Is your business taking advantage of Salesforce cloud services? Do you have concerns about secure connectivity to Salesforce? AT&T NetBond is a cloud networking solution that enables secure connectivity to your applications in Salesforce without compromising performance or control.
Companies seeking to migrate to Salesforce cloud platforms consider security, performance and control as barriers to greater adoption. With AT&T NetBond, a cloud networking solution, you can bond your existing AT&T Virtual Private Network (VPN) to Salesforce. The result is a fully integrated solution that leverages our best in class network and market leading cloud service.
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a... (Amazon Web Services)
Learn how the AT&T MPLS VPN with the network of tomorrow’s virtualized network functions and Software Defined Networking (SDN) will help you create and deliver agile workloads for your Enterprise. You’ll also learn how AT&T combines trending viability of open standards-based software for broader network applications. Additionally, you’ll see how the AT&T NetBond API integration with AWS Direct Connect removes the complexity and enables on-demand, private connection within minutes via a self-service portal. AT&T NetBond connects your people, your data, and your business directly to your AWS services. This fast, highly secure, scalable, private network connection increases performance, while improving control and delivering a better ROI for your enterprise applications. Join us for an informative session on how you can enhance your cloud connectivity with AT&T and AWS. Session sponsored by AT&T.
Not If, But When: A CEO's Guide to Cyberbreach Response (AT&T)
When you've invested heavily in preventing cyberbreaches, it's easy to think it can never happen to you. If you're not worried about getting hacked, you should be. Last year, 62% of organizations suffered a data breach. But only 34% say they're ready to respond to a cyberattack. For more, listen to our AT&T security experts discuss: http://soc.att.com/29OfzoP
You’ll never believe the crazy tricks top mobile app developers have learned in order to make their mobile apps run faster and leaner. Embarrassing performance mistakes are much more common than you might believe…but are insanely easy to fix. In our talk, we’ll walk through five simple steps that will help ensure your mobile application is the fastest, most efficient application on mobile devices today. You’ll walk out of our session with the tools to quickly identify the issues and the knowledge to solve them. It’ll be the most useful talk you’ll hear all day!
Securing the Internet of Things: What the CEO Needs to Know (AT&T)
The Internet of Things (IoT) is making businesses more efficient and more productive. The benefits are clear, but many companies fail to recognize that each new connection can introduce another security vulnerability for networks, data, and devices. Learn about the new security challenges presented by IoT and see how you can lead the charge towards secure, hyper-connected enterprise IT.
Webinar: How AT&T is Using Tin Can to Enhance Compliance Training 8/27/14 (Rustici Software)
Companies are using the Tin Can API and Watershed LRS to do things that were never possible with older e-learning standards. We'd like to share the story of AT&T with you, as an example of a company that's doing some very innovative things with Tin Can.
Hear the details of AT&T’s pilot project, and how they’re using the Tin Can API and the Watershed LRS to try new approaches to their learning program.
If you can’t make the webinar but would like to view it later, go ahead and register. We’ll send you the recording shortly after the webinar.
Presenters:
Mike Rustici, President - Rustici Software
Larla Bogle, Lead Training Manager - AT&T
James Merrill - Operations Learning Architect - AT&T
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Slides by me and Rik Marselis at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Welcome to ViralQR, your best QR code generator. (ViralQR)
Welcome to ViralQR, your best QR code generator available on the market!
At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies.
Our Vision
We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide.
Our Achievements
Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes.
Our Services
At ViralQR, we offer a comprehensive suite of services that caters to your needs:
Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses.
Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding.
Pricing and Packages
Additionally, ViralQR offers a 14-day free trial, an excellent opportunity for new users to get a feel for the platform. From there, one can easily subscribe and experience the full range of dynamic QR code features. The subscription plans are not only meant for large businesses; they are priced very flexibly so that practically every business can afford to benefit from our service.
Why choose us?
ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations.
Comprehensive Analytics
Subscribers of ViralQR receive detailed analytics and tracking tools that give a clear view of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country.
So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Estimated duration 00:55
Hello Everyone, how are you?
I hope you are doing fine!
Welcome to this new TDP session, I’m glad to see you again.
In this opportunity, I will bring you the VPN basics. I hope that you find it useful.
Before going forward I would like to thank Daniel, Sabrina and all the TDP team for the excellent work they are doing. I totally recommend that you visit the TDP site and check the previous sessions. They are all very interesting and the knowledge level of the speakers is very high. Definitely the bar is set higher every year, and that is thanks to the speakers and your feedback.
Estimated duration 00:40
Let me introduce myself. That is me on the left. My name is Martin Bratina. I’m 32 Years old and as Daniel said, I have more than 10 years in the Telecommunications industry.
I’ve been in AT&T for a little more than 3 years.
I like listening to music, playing soccer and drums, and now I’m adding golf to my hobbies. I’m pretty bad at all of those things except for listening to music.
Estimated duration 00:55
The agenda for today is the following:
I will start by explaining what a VPN is, then tell you what types of VPN there are and which are the most commonly used.
After that introduction I will go in depth into IPSec VPNs.
We will have a strong base of technical theory before moving to the LAB.
Once we finish the LAB, we will have a troubleshooting space. And finally we will move to the Q&A section.
If you are thinking about having a coffee and grabbing something to eat, now is the time.
Estimated duration 00:40
What is a VPN?
A VPN is a communication path between private sites via an untrusted network.
An untrusted network could be the Internet, an ISP network, a customer network or an internal network without security.
In a VPN, the original data is encapsulated and encrypted, and a new VPN header is added and used for routing.
Throughout this session I will use internet for referring to this untrusted network.
Estimated duration 00:10
There are 2 types of VPNs: Site to site VPNs and Remote Access VPNs.
Estimated duration 01:15
As the name states, a Site to site VPN connects two sites.
The VPN tunnel can be up permanently or can be generated on demand when traffic needs to flow to the remote site.
In the picture you can see the original data from network A to network B in site B, in black.
The original data is encapsulated and encrypted on the VPN gateway with a new VPN header. That VPN header is the green one in the picture, and you can see that the original data is inside that new packet as payload data.
This new VPN IP header has the VPN peers as source/destination IP addresses, not the original IPs (green packet in the drawing). That header is used to transport the information over the untrusted network until it reaches the remote VPN peer.
The remote VPN peer decapsulates and decrypts the packet and forwards the original data to the destination.
Estimated duration 00:45
Remote Access VPN is used to provide remote users or systems with access to sites/systems. This scenario is similar to the old remote dial-up scenarios.
Users can be mobile users, desktop users, servers, etc.
This scenario is most commonly used for mobile users.
The user has a VPN client application installed on their PC, and it is used to connect to the main site for access to resources.
The traffic towards the main site is encrypted in the same way as in a site to site VPN.
This is how we connect to the AT&T network from our PC when working from home.
Estimated duration 01:00
There are a lot of VPN types used in real life. The difference between them is how they encapsulate and/or encrypt data and what kind of data they can manage, but the main operating idea is the same for all of them: provide a connection over untrusted networks.
Here I mention some of the most commonly used VPNs. I will not go through each of them in detail; I just mention them to give you an idea of which layer they operate on.
L2 VPNs
- L2TP
- MPLS VPN (VPLS)
L3 VPNs
- IPSec
- MPLS VPN (Routed)
- GRE
L5/L6 VPNs
- SSL/TLS
Well, fasten your seat belts and take a deep breath because we will start with IPSec.
Estimated total time so far: 7 minutes
Estimated duration 02:45
IP Security (IPSec) is a protocol for providing IP data security and integrity services for IPv4 and IPv6.
It is defined in RFC 2401, but as it uses many protocols for VPN establishment, there are many more RFCs for those (like 2402, 2406, 2408, and so on).
Works at IP layer
Supports only unicast traffic. Because these services are provided at the IP layer, they can be used by any higher layer protocol, e.g., TCP, UDP, ICMP, BGP, etc.
It supports 2 modes of operation: tunnel mode and transport mode.
Tunnel mode:
It protects the entire IP packet. It is most commonly used between gateways, or from an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.
Transport mode:
It provides protection primarily for upper layer protocols. When transport mode is used, IPSec encrypts only the IP payload, not the entire IP packet. It is used between end-stations or between an end-station and a gateway, if the gateway is being treated as a host.
IPSec uses two protocols to provide traffic security:
Encapsulating Security Payload (ESP)
Authentication Header (AH)
ESP
ESP encapsulates the entire IP packet and adds a new VPN IP header. It is defined in RFC 2406.
IP Protocol number 50
Provides
Data confidentiality
Data integrity
Data origin authentication
Anti-replay services
Can be used in tunnel and transport mode
AH
AH encapsulates the payload of the IP packet and adds a new VPN IP header, but uses the original IP header for routing. It is defined in RFC 2402.
Protocol number 51
Provides
Data integrity
Data origin authentication
Anti-replay services
Can be used in tunnel and transport mode
Establishing an IPSec session is a 2-phase process:
Phase 1: Establishes a secure connection channel for the Phase 2 negotiations.
Phase 2: Establishes a secure connection channel for the IPSec secure communication.
Estimated duration 01:15
A VPN is secure because private data is encapsulated, encrypted and sent to the remote peer for decryption/decapsulation.
We will see later what encapsulation and encryption are.
There are four major concerns when sending private data over a public medium that IPSec addresses.
One is Anti-replay. It ensures the uniqueness of each IP packet. Anti-replay is also called replay prevention. Anti-replay ensures that data captured by an attacker cannot be reused or replayed to establish a session or gain information illegally.
Confidentiality
Keep data secure and hidden (using Encryption). Ensures that data is only disclosed to intended recipients.
Integrity
Ensure data hasn’t been changed. Protects data from unauthorized modification in transit, ensuring that the data received is exactly the same as the data sent.
Authentication
Verifies whether the traffic really came from the advertised source.
Verifies that a message could only have been sent from a computer that has knowledge of the authentication key.
---------------------------------------------------------------------------------------------------------------------
The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality.
Estimated duration 01:45
In this diagram you can see how the IP packet is modified on each IPSec mode usage.
AH in transport mode only adds a new authentication header after the IP header.
In tunnel mode, AH signs the entire IP packet.
----- But not all of the IP header fields: fields that need to change in transit, such as TTL and ToS, are excluded.
Both AH modes are mostly used for integrity checks, to verify that the IP packet was not modified.
ESP in transport mode only encapsulates the IP payload in an ESP header/trailer.
ESP in tunnel mode encapsulates and encrypts the IP payload and also signs the entire ESP header plus the IP payload.
Encapsulation is the process of taking data and placing it into a new data format.
Let's take the example of ESP tunnel mode. ESP takes the original IP payload and places it inside a new ESP header and trailer. The IP addresses of the original IP header (which belong to the end hosts) are now carried inside the ESP encapsulation. The outer IP header carries the new IP addresses of the VPN peers.
When a device receives the entire IP packet, it first processes it at the IP layer, removes the IP header, and then processes the ESP header in order to examine the original IP payload.
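The encapsulation just described and the anti-replay service mentioned earlier can be seen together in code. The following is an added example, not part of the original notes: it parses the outer IPv4 header and the ESP header (SPI and sequence number) of a constructed packet, and runs the sequence numbers through a sliding anti-replay window in the style of RFC 2401 Appendix C. The packets, addresses and SPI are constructed sample values, and the parser neither decrypts the payload nor checks the ICV.

```python
import struct

def parse_esp(packet: bytes):
    """Parse an IPv4 packet carrying ESP (IP protocol 50) and return
    (outer src, outer dst, SPI, sequence number). No decryption, no ICV check."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if packet[9] != 50:
        raise ValueError("not ESP: IP protocol %d" % packet[9])
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])   # ESP header: SPI, seq
    return src, dst, spi, seq

class ReplayWindow:
    """Sliding-window anti-replay check (RFC 2401 Appendix C style). 'top' is the
    highest sequence number accepted; bit i of 'bitmap' marks top - i as seen."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                              # sequence number 0 is never valid
            return False
        if seq > self.top:                        # newest so far: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) & mask) | 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                     # older than the window: reject
            return False
        if self.bitmap & (1 << diff):             # already seen: this is a replay
            return False
        self.bitmap |= 1 << diff                  # late but new: accept and mark
        return True

def build_esp_packet(src: str, dst: str, spi: int, seq: int, payload: bytes = b"\0" * 16):
    """Constructed sample: outer IPv4 header (checksum left 0) + ESP header + opaque payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 50, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + struct.pack("!II", spi, seq) + payload

def filter_replays(packets):
    """Run one ReplayWindow over a received packet stream; return [(seq, accepted), ...]."""
    window = ReplayWindow()
    results = []
    for pkt in packets:
        seq = parse_esp(pkt)[3]
        results.append((seq, window.check_and_update(seq)))
    return results
```

Feeding the stream 1, 2, 3, 2, 5, 4, 100, 100, 1 shows a duplicate inside the window, an out-of-order but new packet, and a packet that has fallen behind the window all being handled differently.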
Estimated duration 05:00
As mentioned before, to establish an IPSec VPN tunnel we need to configure 2 phases.
Phase 1: Establishes a secure connection channel for Phase 2 negotiations
Phase 1 builds on the ISAKMP and Oakley protocols.
ISAKMP, the Internet Security Association and Key Management Protocol, defines the procedures and packet formats to establish, negotiate, modify and delete Security Associations (SAs).
This is needed because in a VPN there is a lot of background work related to key generation and management that is complex to configure manually.
ISAKMP formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.
ISAKMP cleanly separates the details of security association management (and key management) from the details of key exchange.
There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.
A Security Association (SA) is a relationship between two or more entities that describes how the entities will utilize security services to communicate securely.
A security association (SA) is a set of policy and key(s) used to protect information. The ISAKMP SA is the shared policy and key(s) used by the negotiating peers in this protocol to protect their communication.
Phase 1 uses the Internet Key Exchange (IKE) protocol to negotiate, and provide authenticated keying material for, security associations in a protected manner. IKE uses UDP port 500.
Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (SA).
Establishes Security Associations for Phase 2 negotiated services
The ISAKMP SA is bi-directional. That is, once established, either party may initiate Phase 2 negotiations.
Main mode: in main mode the initiator and the responder exchange 6 messages before the SA is established.
Aggressive mode: in aggressive mode the initiator and the responder exchange 3 messages before the SA is established.
Main mode is more secure than aggressive mode.
Main mode – used when both tunnel peers have static IP addresses configured
Aggressive mode – used when one tunnel peer has a dynamically-assigned IP address
To sum up, Phase 1 is IKE, where you start things out...
You will configure the encryption algorithm, the integrity hash, the Diffie-Hellman group, the timeout and the authentication mode.
We will see all the options for those parameters later.
You can define many Phase 1 policies on the sender and all of them will be sent to the receiver, but it will only choose one.
-------------------------------------------------------------------------------------------------------------------------------------------
Additional notes for me
--------------------------------------------------------------------------------------------------------------------------
Negotiates proposals containing encryption and authentication algorithms
Creates encryption and authentication keys automatically, which provides the ability to re-key frequently
Provides gateway identity function
After the basic set of security attributes has been agreed upon, initial identity authenticated, and required keys generated, the established SA can be used for subsequent communications by the entity that invoked ISAKMP.
Key Establishment (Key Generation / Key Transport): The two common methods of using public key cryptography for key establishment are key transport and key generation
An example of key transport is the use of the RSA algorithm to encrypt a randomly generated session key (for encrypting subsequent communications) with the recipient's public key. The encrypted random key is then sent to the recipient, who decrypts it using his private key
The Diffie-Hellman (D-H) algorithm illustrates key generation using public key cryptography. The D-H algorithm is begun by two users exchanging public information. Each user then mathematically combines the other's public information along with their own secret information to compute a shared secret value. This secret value can be used as a session key or as a key encryption key for encrypting a randomly generated session key. This method generates a session key based on public and secret information held by both users. The benefit of the D-H algorithm is that the key used for encrypting messages is based on information held by both users and the independence of keys from one key exchange to another provides perfect forward secrecy.
Estimated duration 02:00
Phase 2 is where Security Associations are negotiated on behalf of upper-layer services.
Phase 2 is IPSec proper: here the specifics you set up in your policies determine how the keys are set. These are the traffic keys themselves, and the traffic is encrypted here. If everything goes well, an IPSec SA is present.
Security Associations are negotiated using the Phase 1 secure channel.
Phase 2 is called Quick Mode.
Phase 2 uses ESP or AH protocols to protect traffic.
Phase 2 SAs are unidirectional, therefore 2 SAs need to be established: one for outgoing traffic and one for incoming traffic.
To establish a Phase 2 SA you need to define:
The encryption algorithm
The integrity hash
The Proxy: interesting traffic for encryption identified using an ACL
SA lifetime
Remote peer ID
And optionally PFS, perfect forward secrecy. PFS is Diffie-Hellman applied in Phase 2 for key generation.
---------------------------------------------------------------------------------------------------------------------------------------------------------
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
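The earlier statement that the initiator may send many Phase 1 policies but the responder picks only one can be modelled in a few lines. This is an added example, not code from the notes or from any vendor: the policy sets are constructed from the two protection suites listed above (with a constructed responder side), and the matching rule (same encryption, hash, authentication and DH group; shorter lifetime wins; responder walks its own policies in priority order) is a simplified assumption about how a responder chooses.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Optional

@dataclass(frozen=True)
class IkePolicy:
    priority: int        # lower number = higher preference
    encryption: str
    hash: str
    authentication: str
    dh_group: int
    lifetime: int        # seconds

# Constructed from the protection suites shown above: priority 1 and the default suite.
INITIATOR_POLICIES = [
    IkePolicy(1, "3des", "sha", "pre-share", 1, 86400),
    IkePolicy(65535, "des", "sha", "rsa-sig", 1, 86400),
]
# Constructed responder side: prefers a stronger suite, falls back to 3DES/group 1.
RESPONDER_POLICIES = [
    IkePolicy(10, "aes-256", "sha", "pre-share", 2, 28800),
    IkePolicy(20, "3des", "sha", "pre-share", 1, 3600),
]

def _suite(p: IkePolicy):
    """The four attributes that must be identical for a Phase 1 match."""
    return (p.encryption, p.hash, p.authentication, p.dh_group)

def negotiate_phase1(proposals: Iterable[IkePolicy],
                     responder: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Responder checks its policies in priority order against every received
    proposal; the first match is chosen with the shorter of the two lifetimes.
    Returns None when no proposal is acceptable (the tunnel stays in MM_WAIT)."""
    proposals = list(proposals)
    for policy in sorted(responder, key=lambda p: p.priority):
        for proposal in proposals:
            if _suite(policy) == _suite(proposal):
                return replace(policy, lifetime=min(policy.lifetime, proposal.lifetime))
    return None
```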
Estimated duration 01:00
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
The original data is encrypted using an encryption algorithm and a key. The receiver can only read the data if it has the key to decrypt it.
This way, if the data is captured it can only be read by someone who has the encryption key.
Using a long complex key is recommended in conjunction with a strong encryption algorithm.
Some common encryption algorithms are:
DES
3DES
AES 128, 256
RSA
As you can see in the presentation, after applying the encryption algorithm the data is changed, and there is no way to tell that the encrypted data corresponds to www.att.com.
Estimated duration 02:00
Hash message authentication codes (HMACs) sign packets to verify that the information received is exactly the same as the information sent. This is called integrity. HMACs provide integrity through a keyed hash: the result of a mathematical calculation on a message using a hash function (a hash function is an algorithm) combined with a shared, secret key.
The sender takes the data and applies the hash algorithm. The resulting hash is appended to the data and then the entire message is sent to the receiver.
The receiver receives the data + hash and separates them. Then it takes the separated data and applies the hash algorithm, obtaining a hash value for the same data. Finally it compares both hashes, the one it generated itself and the one received from the sender. If they are equal, the data was not modified.
Examples
MD5, SHA
MD5 provides 128 bit output
SHA provides 160 bit output
For integrity, you can choose between two hash functions when setting policy:
MD5: Message Digest 5 (MD5) is based on RFC 1321. MD5 completes four passes over the data blocks, using a different numeric constant for each word in the message on each pass. The number of 32-bit constants used during the MD5 computation ultimately produces a 128-bit hash that is used for the integrity check.
SHA1: Secure Hash Algorithm 1 (SHA1) was developed by the National Institute of Standards and Technology as described in Federal Information Processing Standard (FIPS) PUB 180-1. The SHA process is closely modeled after MD5. The SHA1 computation results in a 160-bit hash that is used for the integrity check. Because longer hash lengths provide greater security, SHA is stronger than MD5.
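The sender/receiver procedure described above, as an added example that is not part of the original notes. It uses the two hash functions the notes name, MD5 and SHA1, keyed as HMAC, and truncates the result to 96 bits the way IPSec's HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404) do; the key and data are constructed sample values.

```python
import hashlib
import hmac

ICV_LEN = 12   # IPSec truncates HMAC-MD5 and HMAC-SHA-1 output to 96 bits (RFC 2403 / 2404)

def _keyed_hash(data: bytes, key: bytes, algo: str) -> bytes:
    """Keyed hash of the data with the shared secret, truncated to the ICV length."""
    return hmac.new(key, data, getattr(hashlib, algo)).digest()[:ICV_LEN]

def protect(data: bytes, key: bytes, algo: str = "sha1") -> bytes:
    """Sender side: compute the hash over the data and append it (data + hash)."""
    return data + _keyed_hash(data, key, algo)

def verify(message: bytes, key: bytes, algo: str = "sha1"):
    """Receiver side: separate data and received hash, recompute the hash over the
    data, and compare. Returns (data, True) if intact, (None, False) otherwise."""
    if len(message) < ICV_LEN:
        return None, False
    data, received = message[:-ICV_LEN], message[-ICV_LEN:]
    # constant-time comparison so timing does not reveal how many bytes matched
    if not hmac.compare_digest(_keyed_hash(data, key, algo), received):
        return None, False
    return data, True

def flip_bit_in_transit(message: bytes, offset: int) -> bytes:
    """Constructed in-transit corruption of one bit, to show the check detecting it."""
    damaged = bytearray(message)
    damaged[offset] ^= 0x01
    return bytes(damaged)
```

A one-bit change anywhere in the data, a wrong shared key, or a mismatched hash algorithm between the peers all make the receiver's recomputed hash differ from the received one.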
Estimated duration 01:00
You can use pre-shared keys for the encryption process. Pre-shared means that the parties agree on a shared, secret key that is used for encryption/decryption of data.
A pre-shared key is a symmetric key.
IPSec can use pre-shared keys for authentication of the peers.
Estimated duration 02:00
Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.
The receiver generates 2 keys, one private and one public. Traffic encrypted using the public key can only be decrypted with the private key, and vice versa.
The receiver sends its public key to the sender. The sender will use that public key to encrypt traffic. The receiver will decrypt that traffic using its private key.
Asymmetric (public) key: certificates
IPSec VPNs use asymmetric keys
Provides data confidentiality
Data is encrypted and decrypted by using keys
Symmetric (secret) key
Asymmetric (public) key
Symmetric (secret) key: pre-shared keys
In this lab we will establish a VPN tunnel between 2 private networks over a public network.
On the left side we have Site A with private network 10.10.1.0/24. The VPN gateway is a Cisco ASA firewall and it is connected to the Internet.
On the right side we have Site B with private network 192.168.1.0/24. The VPN gateway is a Cisco 7600 router.
The Internet is simulated with a WAN router that connects the 2 public networks.
MM_ACTIVE
QM_IDLE
debug
IKE_DECODE SENDING
IKE_DECODE RECEIVED
MM_WAIT_MSG2, MM_WAIT_MSG4, MM_WAIT_MSG6