This document discusses various network security concepts including firewalls, proxies, NAT, and VPNs. It provides examples of network infrastructures using different types of firewalls such as packet filtering, stateful, and proxy firewalls. It also discusses standard and extended access control lists (ACLs) used with firewalls to filter traffic. Finally, it covers network address translation (NAT) and port address translation (PAT) which help hide private network addresses from the public internet.
Spanning Tree Protocol (STP) is used to prevent loops from forming on redundant networks. STP uses different port states and timers to logically prevent loops by electing a root bridge and designating root ports on each switch. Rapid PVST+ is an enhancement of STP that provides faster convergence time of less than 6 seconds compared to 50 seconds for STP, while also supporting VLANs to prevent loops between redundant switches in a VLAN.
Securing network switches at the layer 2 level is important to prevent various attacks. The document outlines steps to secure administrative access to switches, protect the management port, turn off unused services and interfaces, and use features like DHCP snooping, dynamic ARP inspection (DAI), port security, and VLANs to mitigate attacks like VLAN hopping, STP manipulation, DHCP spoofing, ARP spoofing, CAM table overflows, and MAC address spoofing. Following configuration best practices and securing switches at layer 2 helps strengthen network security.
This document discusses various cybersecurity threats and fundamentals. It begins with an introduction to fundamentals of security including authentication, confidentiality, integrity, and assurance. It then describes different types of threats such as visual spying, eavesdropping, spoofing, trojan horses, logic bombs, denial of service attacks, and more. It also discusses security challenges across different budget levels and contexts like internal vs. external threats.
This document discusses security information and event management (SIEM) systems. It describes how a SIEM system collects and analyzes log and event data from various sources like firewalls, intrusion detection systems, applications, and networks. It then uses rule-based and statistical correlation to parse, normalize, and process large amounts of semi-structured data to identify security incidents and threats. The SIEM system helps aggregate millions of events into meaningful security alerts and assists in incident response investigations.
This document discusses security information and event management (SIEM) systems. It describes how a SIEM system collects and analyzes log and event data from various sources like firewalls, intrusion detection systems, applications, and networks. It then uses rule-based and statistical correlation to parse, normalize, and process large amounts of semi-structured data to identify security incidents and threats. The SIEM system helps aggregate millions of events into meaningful security alerts and assists in incident response investigations.
Snort is an open source intrusion detection and prevention system that uses rules written in its own language to inspect network traffic in real-time, detect anomalous activity, and generate alerts. It works by matching packets against signatures in its rules database to identify attacks and exploits, and can detect protocol anomalies, custom signatures, and payload analysis. Snort rules allow it to detect specific patterns in network traffic including payload signatures, TCP flags, and port numbers to identify malicious activity.
The document discusses various topics related to incident response, including risk analysis, common threats, and investigation techniques. It provides an overview of risk analysis frameworks, outlines some typical threats like rogue wireless access points and password reuse, and describes approaches for gathering evidence from network logs, user devices, and other sources during an investigation.
The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
Spanning Tree Protocol (STP) is used to prevent loops from forming on redundant networks. STP uses different port states and timers to logically prevent loops by electing a root bridge and designating root ports on each switch. Rapid PVST+ is an enhancement of STP that provides faster convergence time of less than 6 seconds compared to 50 seconds for STP, while also supporting VLANs to prevent loops between redundant switches in a VLAN.
Securing network switches at the layer 2 level is important to prevent various attacks. The document outlines steps to secure administrative access to switches, protect the management port, turn off unused services and interfaces, and use features like DHCP snooping, dynamic ARP inspection (DAI), port security, and VLANs to mitigate attacks like VLAN hopping, STP manipulation, DHCP spoofing, ARP spoofing, CAM table overflows, and MAC address spoofing. Following configuration best practices and securing switches at layer 2 helps strengthen network security.
This document discusses various cybersecurity threats and fundamentals. It begins with an introduction to fundamentals of security including authentication, confidentiality, integrity, and assurance. It then describes different types of threats such as visual spying, eavesdropping, spoofing, trojan horses, logic bombs, denial of service attacks, and more. It also discusses security challenges across different budget levels and contexts like internal vs. external threats.
This document discusses security information and event management (SIEM) systems. It describes how a SIEM system collects and analyzes log and event data from various sources like firewalls, intrusion detection systems, applications, and networks. It then uses rule-based and statistical correlation to parse, normalize, and process large amounts of semi-structured data to identify security incidents and threats. The SIEM system helps aggregate millions of events into meaningful security alerts and assists in incident response investigations.
This document discusses security information and event management (SIEM) systems. It describes how a SIEM system collects and analyzes log and event data from various sources like firewalls, intrusion detection systems, applications, and networks. It then uses rule-based and statistical correlation to parse, normalize, and process large amounts of semi-structured data to identify security incidents and threats. The SIEM system helps aggregate millions of events into meaningful security alerts and assists in incident response investigations.
Snort is an open source intrusion detection and prevention system that uses rules written in its own language to inspect network traffic in real-time, detect anomalous activity, and generate alerts. It works by matching packets against signatures in its rules database to identify attacks and exploits, and can detect protocol anomalies, custom signatures, and payload analysis. Snort rules allow it to detect specific patterns in network traffic including payload signatures, TCP flags, and port numbers to identify malicious activity.
The document discusses various topics related to incident response, including risk analysis, common threats, and investigation techniques. It provides an overview of risk analysis frameworks, outlines some typical threats like rogue wireless access points and password reuse, and describes approaches for gathering evidence from network logs, user devices, and other sources during an investigation.
The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
The document discusses database forensics and analysis techniques. It introduces current challenges, available tools, and new approaches using external tables to preserve metadata when collecting evidence. Typical patterns seen in database objects like SYS.USER$ are shown, like multiple accounts with login attempts or similar lock times indicating password guessing. Timeline creation is demonstrated to combine data from different sources.
This document provides an overview of database security platforms and the evolution of this market. Some key points:
- Database security platforms have evolved beyond just monitoring database activity and now incorporate features like vulnerability assessment, user rights management, data discovery/filtering, and blocking capabilities.
- The increased scope of monitoring coverage and additional security features mean "Database Activity Monitoring" is no longer an accurate term - these solutions are now more appropriately called "Database Security Platforms."
- These platforms consolidate multiple database security tools into a single solution and can monitor both relational and non-relational databases as well as multiple database types.
- Vendors are beginning to differentiate their database security platforms based on primary use cases
The document discusses how Windows Credentials Editor (WCE) can be used to obtain credentials stored in memory on Windows systems, allowing an attacker to steal usernames and hashes to perform pass-the-hash attacks without cracking passwords. WCE enables bypassing common pre-exploitation techniques by directly using harvested credentials. Leaving logon sessions disconnected rather than logged off can leave credentials exposed in memory as "zombie sessions".
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.
This document discusses a vulnerability in Oracle databases that allows privilege escalation from CREATE USER privileges to SYSDBA privileges. It provides code examples demonstrating how a user with CREATE USER privileges can create a function with the same name as a built-in SYS function to override the namespace and elevate their privileges when SYS executes the function. The document outlines best practices for prevention, including not logging in as SYS, closely monitoring CREATE USER privileges, and using a tool like Sentrigo Hedgehog for advanced monitoring and alerts. It also provides recommendations for forensic response if privilege escalation occurs.
1. The document discusses SSH tricks and configuration tips for securing SSH connections and servers. It provides examples of SSH client-side one-liners and ways to quickly set up an SSH server.
2. SSH is a secure network protocol for exchanging data between networked devices. The document outlines ways to lock down SSH servers and clients through configuration files and access controls.
3. The document shows examples of SSH port forwarding, tunnels, and other one-liners that can enable remote access or administration through SSH connections.
The document discusses a Layer 7 DDOS attack called an HTTP POST attack. It works by sending legitimate HTTP POST requests to a server but slowly sending the content over an extended period, tying up server resources. This attack is more effective than the HTTP GET Slowloris attack as it fully sends the HTTP headers immediately, bypassing defenses against Slowloris. The attack code example shows how it generates random content lengths and sends payload bytes slowly over time to perform the DDOS attack.
This document summarizes optimizations to TLS/SSL including False Start, Snap Start, and defenses against the BEAST attack. False Start allows the client to send application data before receiving the server's Finished message to reduce latency. Snap Start uses cached handshake parameters to further reduce latency. However, both introduce security risks. The BEAST attack exploits TLS CBC encryption and IV reuse, but can be prevented by changing the encryption mode or adding padding.
The document provides an overview of practical cryptography and the GPG/PGP encryption tools. It discusses symmetric and public key cryptography theory. It then demonstrates how to use GPG/PGP to generate keys, encrypt and decrypt files, digitally sign documents, verify signatures, and distribute public keys through a key server. It also discusses how the web of trust model works to validate identities through in-person key signing after carefully verifying a user's identity.
Kyle Young presents on SSH tricks and configuration tips. He discusses the history and uses of SSH, how to securely connect to SSH servers by verifying fingerprints, and ways to lock down SSH servers and clients through configuration files like sshd_config and ssh_config. He also shares some useful SSH client-side one-liners.
This document describes padding oracle attacks on cryptographic hardware devices that allow encrypted keys to be imported. It presents two types of attacks: 1) An improved Bleichenbacher attack that exploits RSA PKCS#1v1.5 padding to reveal an imported private key in an average of 49,000 oracle queries. 2) An adaptation of the Vaudenay CBC attack to reveal keys encrypted with CBC and PKCS#5 padding. It demonstrates these attacks on commercial security tokens, smartcards, and electronic ID cards to reveal stored cryptographic keys.
The document discusses proper password hashing methods for securely storing passwords. It begins by stating that most websites currently do not properly store passwords, either in plaintext or with a single hash without salt. This is irresponsible. The document then discusses proper hashing methods that should be used, including adding salt, using key derivation functions like PBKDF2, ARC4PBKDF2, and bcrypt. PBKDF2 works by repeatedly hashing the password with a salt, while ARC4PBKDF2 additionally encrypts the password and hashes with an evolving ARC4 stream for added complexity. Bcrypt is also an adaptive function that works similarly to PBKDF2 but in a more complicated way. The document
This document proposes a new method for improving the cryptanalytic time-memory trade-off technique. The original technique, introduced by Hellman in 1980, precomputes ciphertexts to reduce cryptanalysis time at the cost of memory usage. The new method reduces the number of calculations needed during cryptanalysis by a factor of two compared to the existing approach using distinguished points. As an example, the new method can crack 99.9% of Windows password hashes in 13.6 seconds using 1.4GB of precomputed data, much faster than the 101 seconds taken by the existing approach.
This document provides an introduction and overview of threading and concurrency in Perl. It begins with definitions of threads and concurrency basics. It then discusses Perl's implementation of threads since version 5.6, noting that global variables are non-shared by default and sharing must be explicit. The document outlines various threading primitives and synchronization mechanisms in Perl like locks, condition variables, and shows examples of building thread-safe data structures like queues. It concludes with best practices and implementing other common synchronization primitives.
The document is a series of lines repeatedly stating "Author: Bill Buchanan". It does not contain any other substantive information in the content. The author of the document is Bill Buchanan, as his name is listed on every line.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
The document discusses database forensics and analysis techniques. It introduces current challenges, available tools, and new approaches using external tables to preserve metadata when collecting evidence. Typical patterns seen in database objects like SYS.USER$ are shown, like multiple accounts with login attempts or similar lock times indicating password guessing. Timeline creation is demonstrated to combine data from different sources.
This document provides an overview of database security platforms and the evolution of this market. Some key points:
- Database security platforms have evolved beyond just monitoring database activity and now incorporate features like vulnerability assessment, user rights management, data discovery/filtering, and blocking capabilities.
- The increased scope of monitoring coverage and additional security features mean "Database Activity Monitoring" is no longer an accurate term - these solutions are now more appropriately called "Database Security Platforms."
- These platforms consolidate multiple database security tools into a single solution and can monitor both relational and non-relational databases as well as multiple database types.
- Vendors are beginning to differentiate their database security platforms based on primary use cases
The document discusses how Windows Credentials Editor (WCE) can be used to obtain credentials stored in memory on Windows systems, allowing an attacker to steal usernames and hashes to perform pass-the-hash attacks without cracking passwords. WCE enables bypassing common pre-exploitation techniques by directly using harvested credentials. Leaving logon sessions disconnected rather than logged off can leave credentials exposed in memory as "zombie sessions".
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.
This document discusses a vulnerability in Oracle databases that allows privilege escalation from CREATE USER privileges to SYSDBA privileges. It provides code examples demonstrating how a user with CREATE USER privileges can create a function with the same name as a built-in SYS function to override the namespace and elevate their privileges when SYS executes the function. The document outlines best practices for prevention, including not logging in as SYS, closely monitoring CREATE USER privileges, and using a tool like Sentrigo Hedgehog for advanced monitoring and alerts. It also provides recommendations for forensic response if privilege escalation occurs.
1. The document discusses SSH tricks and configuration tips for securing SSH connections and servers. It provides examples of SSH client-side one-liners and ways to quickly set up an SSH server.
2. SSH is a secure network protocol for exchanging data between networked devices. The document outlines ways to lock down SSH servers and clients through configuration files and access controls.
3. The document shows examples of SSH port forwarding, tunnels, and other one-liners that can enable remote access or administration through SSH connections.
The document discusses a Layer 7 DDOS attack called an HTTP POST attack. It works by sending legitimate HTTP POST requests to a server but slowly sending the content over an extended period, tying up server resources. This attack is more effective than the HTTP GET Slowloris attack as it fully sends the HTTP headers immediately, bypassing defenses against Slowloris. The attack code example shows how it generates random content lengths and sends payload bytes slowly over time to perform the DDOS attack.
This document summarizes optimizations to TLS/SSL including False Start, Snap Start, and defenses against the BEAST attack. False Start allows the client to send application data before receiving the server's Finished message to reduce latency. Snap Start uses cached handshake parameters to further reduce latency. However, both introduce security risks. The BEAST attack exploits TLS CBC encryption and IV reuse, but can be prevented by changing the encryption mode or adding padding.
The document provides an overview of practical cryptography and the GPG/PGP encryption tools. It discusses symmetric and public key cryptography theory. It then demonstrates how to use GPG/PGP to generate keys, encrypt and decrypt files, digitally sign documents, verify signatures, and distribute public keys through a key server. It also discusses how the web of trust model works to validate identities through in-person key signing after carefully verifying a user's identity.
Kyle Young presents on SSH tricks and configuration tips. He discusses the history and uses of SSH, how to securely connect to SSH servers by verifying fingerprints, and ways to lock down SSH servers and clients through configuration files like sshd_config and ssh_config. He also shares some useful SSH client-side one-liners.
This document describes padding oracle attacks on cryptographic hardware devices that allow encrypted keys to be imported. It presents two types of attacks: 1) An improved Bleichenbacher attack that exploits RSA PKCS#1v1.5 padding to reveal an imported private key in an average of 49,000 oracle queries. 2) An adaptation of the Vaudenay CBC attack to reveal keys encrypted with CBC and PKCS#5 padding. It demonstrates these attacks on commercial security tokens, smartcards, and electronic ID cards to reveal stored cryptographic keys.
The document discusses proper password hashing methods for securely storing passwords. It begins by stating that most websites currently do not properly store passwords, either in plaintext or with a single hash without salt. This is irresponsible. The document then discusses proper hashing methods that should be used, including adding salt, using key derivation functions like PBKDF2, ARC4PBKDF2, and bcrypt. PBKDF2 works by repeatedly hashing the password with a salt, while ARC4PBKDF2 additionally encrypts the password and hashes with an evolving ARC4 stream for added complexity. Bcrypt is also an adaptive function that works similarly to PBKDF2 but in a more complicated way. The document
This document proposes a new method for improving the cryptanalytic time-memory trade-off technique. The original technique, introduced by Hellman in 1980, precomputes ciphertexts to reduce cryptanalysis time at the cost of memory usage. The new method reduces the number of calculations needed during cryptanalysis by a factor of two compared to the existing approach using distinguished points. As an example, the new method can crack 99.9% of Windows password hashes in 13.6 seconds using 1.4GB of precomputed data, much faster than the 101 seconds taken by the existing approach.
This document provides an introduction and overview of threading and concurrency in Perl. It begins with definitions of threads and concurrency basics. It then discusses Perl's implementation of threads since version 5.6, noting that global variables are non-shared by default and sharing must be explicit. The document outlines various threading primitives and synchronization mechanisms in Perl like locks, condition variables, and shows examples of building thread-safe data structures like queues. It concludes with best practices and implementing other common synchronization primitives.
The document is a series of lines repeatedly stating "Author: Bill Buchanan". It does not contain any other substantive information in the content. The author of the document is Bill Buchanan, as his name is listed on every line.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
2. Proxy
VPN
Eve
Bob
Alice
Author: Bill Buchanan
Introduction
Author: Prof Bill Buchanan
3. Bob Alice
CIA AAA
Applications Services
(Integrated Security) (Integrated Security)
Application Communications
(TCP, IP, and so on)
Network Infrastructure
(Firewalls, Proxies, and so on)
Eve Eve
Author: Bill Buchanan
Integration between the levels
often causes the most problems
Author: Prof Bill Buchanan
CIA and AAA
4. Firewall
Switch
Internet
Intrusion
Detection
System
Bob Alice
Router
Firewall Switch
Intrusion
Detection
System
Web
server
Email
server
Author: Bill Buchanan
FTP
server
Proxy
server
Author: Prof Bill Buchanan
Example Infrastructure
5. Firewall (Packet
filter)
Switch
Internet
Intrusion
Detection Alice
System
Bob
Router (NAT)
Firewall
(Statefull)
Intrusion
Web
server
DMZ Detection
System
Email
server
FTP
server
Author: Bill Buchanan
Proxy
server
Author: Prof Bill Buchanan
Example Infrastructure
6. Cisco
Cisco Firewall
Switch
Internet
Intrusion
Detection Alice
Bob System
Router
(NAT)
Cisco
PIX
Cisco
ASA 5500
Intrusion
Web
server
DMZ Detection
System
Email
server
FTP
server
Author: Bill Buchanan
Proxy
server
Author: Prof Bill Buchanan
Example Infrastructure
7. Bob
Firewall Application
(Packet filter) (FTP, Telnet, etc)
Switch
L4. Transport
Internet (TCP)
L3. Internet (IP)
L2. Network
Intrusion (Ethernet)
Detection
System
Different VLANs cannot communication
Router (NAT)
directly, and need to go through a router
to communicate
Firewall
(Stateful)
DMZ
Web
server
Email
server
FTP
server
Author: Bill Buchanan
Proxy
server
VLAN 1 VLAN 2
Author: Prof Bill Buchanan
Example Infrastructure
8. Bob
Firewall Application
(Packet filter) (FTP, Telnet, etc)
Switch
L4. Transport
Internet (TCP)
L3. Internet (IP)
L2. Network
Intrusion (Ethernet)
Detection
System
Screening Firewalls
filter for IP and TCP packet details, such Router (NAT)
as addresses and TCP ports, for
incoming/outgoing traffic Firewall
(Stateful)
DMZ Alice
Web
server
Intrusion
Email
Detection
server
System
FTP
server
Author: Bill Buchanan
Proxy
server
Author: Prof Bill Buchanan
Example Infrastructure
9. Bob
Firewall Application
(Packet filter) (FTP, Telnet, etc)
Switch
L4. Transport
Internet (TCP)
L3. Internet (IP)
L2. Network
Intrusion (Ethernet)
Detection
System
Stateful Firewalls
filter for Application, IP and TCP packet Router (NAT)
details. They remember previous data
packets, and keep track of connections Firewall
(Stateful)
DMZ
Web
server Alice
Intrusion
Email
Detection
server
System
FTP
server
Author: Bill Buchanan
Proxy
server
Author: Prof Bill Buchanan
Example Infrastructure
10. Bob Firewall Application
(Packet filter) (FTP, Telnet, etc)
Switch
L4. Transport
Internet (TCP)
L3. Internet (IP)
L2. Network
Intrusion (Ethernet)
Detection
System
All Application-layer traffic goes
through the Proxy (eg FTP, Router (NAT)
Telnet, and so on) – aka
Application Gateways
Firewall
(Stateful)
DMZ
Web
server Alice
Intrusion
Email
Detection
server
System
FTP
server
Proxy
server
Author: Bill Buchanan
Author: Prof Bill Buchanan
Example Infrastructure
11. Proxy
VPN
Eve
Bob
Alice
Author: Bill Buchanan
Screening Firewalls
Author: Prof Bill Buchanan
12. Software firewall
Hardware firewall
Host-based:
Zone alarm
Cisco router
With firewall
(non-stateful)
CheckPoint
firewall
(software)
Runs within:
Windows Server,
VMWare
LINUX
Cisco PIX/ASA
(stateful)
LINUX
iptables Software firewall:
Easy to reconfigure
CheckPoint firewall
Slower
(dedicated)
Less expensive
Nokia
Author: Bill Buchanan
Can be used with a range of computers/OSs
Hardware firewall:
Optimized engine/architecture
Copes better with large traffic conditions
Improved failover
Firewalls
13. Bob 01/16-22:27:35.286762 0:60:B3:68:B1:10 -> 0:3:6D:FF:2A:51 type:0x800 len:0x169
Firewall 192.168.0.22:445 -> 192.168.0.20:3554 TCP TTL:128 TOS:0x0 ID:774 IpLen:20 DgmLen:347 DF
(Packet filter) ***AP*** Seq: 0xF842A9D3 Ack: 0x3524EE7B Win: 0x4321 TcpLen: 20
Switch
Internet
Intrusion
Detection Alice
System
Source IP address. The address that the data
packet was sent from.
Destination IP address. The address that the Router (NAT)
data packet is destined for.
Source TCP port. The port that the data Firewall
segment originated from. Typical ports which (Statefull)
could be blocked are: FTP (port 21); TELNET
(port 23); and Web (port 80).
Destination TCP port. The port that the data Intrusion
segment is destined for.
Web
DMZ Detection
server
Protocol type. This filters for UDP or TCP System
traffic. Email
IP header TCP header
server
Version Header len. Type of service TCP Source Port
FTP Total length TCP Destination Port
server Identification
Proxy Sequence Number
0 D M Fragment Offset
server Time-to-live (TTL) Protocol
Acknowledgement Number
Header Checksum
Author: Bill Buchanan
Data Offset Flags/Reserved
Source IP Address
Window
Checksum
Destination IP Address
Urgent Pointer
Ethernet frame
Author: Prof Bill Buchanan
Src MAC Dest. MAC IP TCP
Type Length Data
address address header header
CIA and AAA
14. Alice
156.1.1.0 Bob
160.1.1.1
160.1.1.2
0 .0.0.255
‘0' defines a match ‘255' (all 1s defines that it
should be ignored) 156.1.1.2
10.0.0.1
156.1.1.1
E2
These hosts will be
E0 barred from
communicating
10.0.0.2 E1 through the firewall
Eve
192.168.0.1
(config)# access-list 1 deny 156.1.1.0 0.0.0.255
(config)# access-list 1 permit any
192.168.0.2
(config)# interface E0
Author: Bill Buchanan
(config-if)# ip address 156.1.1.130 255.255.255.0
(config-if)# ip access-group 1 in
Author: Prof Bill Buchanan
Standard Access-Control List (ACL)
15. Alice
Standard ACLs are applied as
near to the destination as possible, Bob
so that they do not affect 160.1.1.1
any other traffic 160.1.1.2
156.1.1.3
10.0.0.1
156.1.1.2
E2
These hosts will be
E0 barred from
communicating
10.0.0.2 E1 through the firewall
Eve
192.168.0.1
(config)# access-list 1 deny 156.1.1.0 0.0.0.255
(config)# access-list 1 permit any
192.168.0.2
(config)# interface E0
Author: Bill Buchanan
(config-if)# ip address 156.1.1.130 255.255.255.0
(config-if)# ip access-group 1 in
Author: Prof Bill Buchanan
Standard Access-Control List (ACL)
16. Alice
Standard ACLs are applied as
near to the destination as possible, Bob
so that they do not affect 160.1.1.1
any other traffic 160.1.1.2
156.1.1.2
10.0.0.1
156.1.1.1
E2
These hosts will be
E0 barred from
communicating
10.0.0.2 E1 through the firewall
Access blocked Eve
192.168.0.1
(config)# access-list 1 deny 156.1.1.0 0.0.0.255
(config)# access-list 1 permit any
192.168.0.2
(config)# interface E0
Author: Bill Buchanan
(config-if)# ip address 156.1.1.130 255.255.255.0
(config-if)# ip access-group 1 in
Author: Prof Bill Buchanan
Standard Access-Control List (ACL)
17. 156.1.1.2 156.1.1.3
E1 E0
156.1.1.1
161.10.11.12 161.10.11.13
Router(config)#access-list 100 deny ip host 156.1.1.2 70.1.2.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Denies traffic from 156.1.1.2 to
the 70.1.2.0 network
Router(config)#access-list 100 deny ip 156.1.1.0 0.0.0.255 70.1.2.0 0.0.0.255
Author: Bill Buchanan
Router(config)#access-list 100 permit ip any any
Denies traffic from any host on
156.1.1.0 to the 70.1.2.0
network
Author: Prof Bill Buchanan
Extended ACL – can select a source and destination
18. Alice
Extended ACLs are applied as
near to the source as possible, Bob
so that they stop traffic at an early 160.1.1.1
stage. 160.1.1.2
156.1.1.3
10.0.0.1
156.1.1.2
E2
These hosts will be
E0 barred from
communicating
10.0.0.2 E1 through the firewall
Access blocked Eve
192.168.0.1
Router(config)#access-list 100 deny ip host 156.1.1.2 70.1.2.0 0.0.0.255
192.168.0.2 Router(config)#access-list 100 permit ip any any
Author: Bill Buchanan
Router(config)#access-list 100 deny ip 156.1.1.0 0.0.0.255 70.1.2.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Author: Prof Bill Buchanan
Extended ACL – can select a source and destination
19. Optional field
An extended ACLs can also filter for TCP/UDP traffic, such as:
in brackets
Router(config)#access-list access-list-value { permit | deny } {tcp | udp
| igrp} source source-mask destination destination-mask {eq | neq | lt |
gt} port
access-list 101 deny tcp 156.1.1.0 0.0.0.255 eq any host 156.70.1.1 eq telnet
access-list 101 permit ip any any
No Telnet
Access to 156.70.1.1
156.1.1.2
E1 E0
156.1.1.130
156.70.1.1
Author: Bill Buchanan
161.10.11.12 161.10.11.13
Author: Prof Bill Buchanan
Extended ACL – filtering for the port
20. Bob
Alice
Open firewall
Router(config)# access-list 100 deny ... 160.1.1.1
Router(config)# access-list 100 permit ip any any 160.1.1.2
156.1.1.2
Eve
156.1.1.1
E0
These hosts will
be barred from
communicating
through the
firewall
Closed firewall
Author: Bill Buchanan
Router(config)# access-list 100 permit ...
Router(config)# access-list 100 deny ip any any
Author: Prof Bill Buchanan
CIA and AAA
21. Proxy
VPN
Eve
Bob
Alice
Author: Bill Buchanan
NAT
Author: Prof Bill Buchanan
22. OUTGOING
Public (Internet space)
OUTGOING
Src: 168.10.34.21:5555
Dest: 11.22.33.44:80
Host (192.168.10.12) Web server
(11.22.33.44)
INCOMING
Src: 11.22.33.44:80
INCOMING NAT
Hides the network
Author: Bill Buchanan
addresses of the network.
Bars direct contact with a
host.
Increased range of
Private space Author: Prof Bill Buchanan
address.
Allow easy creation of
subnetworks.
PAT (Port address translation) – Maps many addresses to one global address.
23. OUTGOING
Public (Internet space)
OUTGOING
Src: 168.10.34.21:5555
Dest: 11.22.33.44:80
Host (192.168.10.12) Web server
(11.22.33.44)
INCOMING
Src: 11.22.33.44:80
INCOMING
Author: Bill Buchanan
192.168.10.12:4444 168.10.34.21:5555 11.122.33.44:80
Private space
PAT (Port address translation) – Maps many addresses to one global address.
24. OUTGOING
Public (Internet space)
OUTGOING
Src: 168.10.34.21:5555
Dest: 11.22.33.44:80
Host (192.168.10.12) Web server
(11.22.33.44)
NAT
INCOMING
Src: 11.22.33.44:80
Network Security
INCOMING
Author: Bill Buchanan
192.168.10.12:4444 168.10.34.21:5555 11.122.33.44:80
192.168.10.12:4445 168.10.34.21:5556 11.122.33.44:80
Private space 192.168.10.12:4446 168.10.34.21:5557 11.122.33.44:80
192.168.10.20:1234 168.10.34.21:5558 11.122.33.44:80
Author: Prof Bill Buchanan
New connections added...
PAT (Port address translation) – Maps many addresses to one global address.
25. OUTGOING
Public (Internet space)
OUTGOING
Src: 168.10.34.21:5555
Dest: 11.22.33.44:80
Host (192.168.10.12)
Web server
(11.22.33.44)
INCOMING
Src: 11.22.33.44:80
INCOMING
Author: Bill Buchanan
192.168.10.12:4444 168.10.34.21:5555 11.122.33.44:80
Private space
Author: Prof Bill Buchanan
PAT (Port address translation) – Maps many addresses to one global address.
26. OUTGOING
Public (Internet space)
OUTGOING
Src: 168.10.34.21:5555
Dest: 11.22.33.44:80
Host (192.168.10.12)
Web server
(11.22.33.44)
INCOMING
Src: 11.22.33.44:80
INCOMING
Author: Bill Buchanan
192.168.10.12:4444 168.10.34.21:5555 11.122.33.44:80
192.168.10.12:4445 168.10.34.21:5556 11.122.33.44:80
192.168.10.12:4446 168.10.34.21:5557 11.122.33.44:80
Private space 192.168.10.20:1234 168.10.34.21:5558 11.122.33.44:80
Author: Prof Bill Buchanan
New connections added...
PAT (Port address translation) – Maps many addresses to one global address.
27. Static translation.
Each public IP address translates to
a private one through a static table.
Good for security/logging/traceability.
Bad, as it does not hide the internal
network.
IP Masquerading (Dynamic
Translation).
A single public IP address is used for the
whole network. The table is thus dynamic.
Author: Bill Buchanan
NAT
28. Load Balancing Translation.
With this, a request is made to a resource,
such as to a WWW server, the NAT
device then looks at the current loading of
the systems, and forwards the request to
the one which is most lightly used
Mapping selected on
the least loading
Author: Bill Buchanan
a1.b1.c1.d1 a2.b2.c2.d2 a3.b3.c3.d3 a4.b4.c4.d4
Server farm
NAT (Load balancing)
29. Blocked!
NAT is good as we are isolated
from the external public network, where
our hosts make the initiate connections
but what happens if we use applications
which create connections in the reverse direction,
such as with FTP and IRC?
FTP creates a local .. we thus need some form of backtracking of
Author: Bill Buchanan
server port connections in the NAT device. Where the NAT
device remembers the initial connection, and then
allows direct connections to the initiator.
Backtracking
30. Eve
Static NAT is poor for security, as it does
not hide the network. This is because
there is a one-to-one
mapping.
Dynamic NAT is good for security,
as it hides the network. Unfortunately it Eve could
has two major weaknesses: compromise the
Backtracking allows external parties to NAT device
trace back a connection. and send
If the NAT device become compromised connection data to
the external party can redirect traffic. Eve’s host
Eve
Bob
Backtracking
Author: Bill Buchanan
Eve gets Bob to
connect to a server,
and then backtracks
into his host
Backtracking
31. Proxy
VPN
Eve
Bob
Alice
Author: Bill Buchanan
Stateful Firewalls
Author: Prof Bill Buchanan
32. Originator Recipient
1. CLOSED LISTEN
2. SYN-SENT <SEQ=999><CTL=SYN> SYN-RECEIVED SYN
3. ESTABLISHED <SEQ=100><ACK=1000><CTL=SYN,ACK> SYN-RECEIVED
4. ESTABLISHED <SEQ=1000><ACK=101><CTL=ACK> ESTABLISHED
5. ESTABLISHED <SEQ=1000><ACK=101><CTL=ACK><DATA> ESTABLISHED
Firewall
(Packet filter)
Switch
SYN
Intrusion
Detection Internet
System
Router (NAT)
SYN
Firewall
(Stateful)
Intrusion
Web
server
DMZ Detection
Author: Bill Buchanan
System
Email
server
FTP
server
Proxy
server
Stateful firewall
33. Originator Recipient
1. CLOSED LISTEN
SYN
2. SYN-SENT <SEQ=999><CTL=SYN> SYN-RECEIVED
3. ESTABLISHED <SEQ=100><ACK=1000><CTL=SYN,ACK> SYN-RECEIVED SYN,ACK
4. ESTABLISHED <SEQ=1000><ACK=101><CTL=ACK> ESTABLISHED
5. ESTABLISHED <SEQ=1000><ACK=101><CTL=ACK><DATA> ESTABLISHED
Firewall
(Packet filter)
Switch
SYN,ACK
Intrusion
Detection Internet
System
Router (NAT)
SYN
Firewall
(Stateful)
SYN,ACK
Intrusion
Web
server
DMZ Detection
Author: Bill Buchanan
System
Email
server
FTP
server
Proxy
server
Stateful firewall
34. Originator Recipient
1. CLOSED LISTEN
2. SYN-SENT <SEQ=999><CTL=SYN> SYN-RECEIVED SYN
3. ESTABLISHED <SEQ=100><ACK=1000><CTL=SYN,ACK> SYN-RECEIVED SYN,ACK
4. ESTABLISHED <SEQ=1000><ACK=101><CTL=ACK> ESTABLISHED ACK
5. ESTABLISHED <SEQ=1000><ACK=101><CTL=ACK><DATA> ESTABLISHED
Firewall
(Packet filter)
Switch
Intrusion
ACK
Detection Internet
System
Router (NAT)
SYN
Firewall
(Stateful)
SYN,ACK
Intrusion
Web
DMZ ACK Detection
server
Author: Bill Buchanan
System
Email
server
FTP
server
Proxy
server
Stateful firewall
35. SYN
www.napier.ac.uk?
DNS server
146.176.1.188 SYN
Src Port=4213, Dest Port=80
Author: Bill Buchanan
TCP port=4213 TCP port=80
192.168.1.101 146.176.1.188
Client-server (SYN)
36. SYN,ACK
Author: Bill Buchanan
ACK
Stateful firewall
37. Proxy
VPN
Eve
Bob
Alice
Author: Bill Buchanan
PIX/ASA Firewalls
Author: Prof Bill Buchanan
38. Firewall rules. These are contained within ACLs
(using the access-list and access-group
commands), and block or permit traffic. A key feature
of this is the usage of URL filtering which defines
the Web pages which are allowed and which are not.
Port blocking. These use the fixup command to
change, enable or disable network services.
Intrusion detection.
Cut-through proxy. This allows the definition of the These use the ip audit
users who are allowed services such as HTTP, Telnet command to detect
and FTP. This authentication is a single initial intrusions.
authentication, which differs from the normal proxy Shunning. This, along
operation which checks every single packet. with intrusion detection,
Bob
allows a defined
response to an
intrusion.
Encryption. This allows the PIX firewall to
support enhanced encryption, such as
Failover. This allows other
being a server for VPN connections,
Author: Bill Buchanan
devices to detect that a PIX
typically with IPSec and tunnelling
device has crashed, and that
techniques such as PPTP.
another device needs to take its
place.
Stateful firewall
40. Enterprise – PIX 525. This has
a 600MHz processor with
256MB RAM, and handles a
throughput of 360Mbps for a
maximum of 280,000
connections. It supports
failover, and has the support for
up to eight connections.
ASA 5520
Intel Pentium 4, 2GHz
512MB RAM
Enterprise – PIX 535. This has PIX 7.x, ASA 8.x IOS
a 1GHz processor with 1GB 8 interfaces
RAM, and handles a throughput Integrated VPN
of 1Gbps for a maximum of SSL VPN
500,000 connections. It
Throughput: 450Mbps
Author: Bill Buchanan
supports failover, and has the
support for up to ten network 3DES: 225Mbps
interfaces. Max conn: 280,000
VPN peers: 750
Stateful firewall
41. Proxy
VPN
Eve
Bob
Alice
Author: Bill Buchanan
Proxies
Author: Prof Bill Buchanan
42. Eve
Application
Firewall (FTP, Telnet,
Switch
(Packet filter) etc)
L4. Transport
Internet (TCP)
Bob
L3. Internet (IP)
L2. Network
Intrusion (Ethernet)
Detection
System
All Application-layer traffic goes
through the Proxy (eg FTP, Router (NAT)
Telnet, and so on) – aka
Application Gateways
Firewall
(Stateful)
DMZ
Web Alice
server
Intrusion
Email
Detection
server
System
FTP Proxy
server
Author: Bill Buchanan
Proxy
Bob server Alice
Proxy
server
Application gateways/proxy servers
43. Eve
Communications
on certain
Bob application
protocols (such as
HTTP for Web) go
through the proxy.
Proxy
Alice
Trusted Untrusted
Proxy (Application Gateway):
Advantages:
- User-oriented authentication.
- User-oriented logging.
- User-oriented accounting.
Disadvantages:
- Build specifically for each application (although
the SOCKS protocol has been designed, which
Author: Bill Buchanan
is an all-one proxy).
- Slower than without proxy.
- Central point-of-failure
Application gateways/proxy servers
44. Bob cannot communicate without
outside unless it is through the
proxy
Bob
192.168.10.1 169.10.11.1
192.168.10.3
E0 E1
Proxy
Alice
192.168.10.2
Only communication allowed
Is through the proxy
192.168.10.65
interface Ethernet0
ip address 192.168.10.1 255.255.255.0
ip access-group 100 in
!
interface Ethernet1
Only the proxy is ip address 169.10.11.1 255.255.0.0
allowed out of the ip access-group 101 in
firewall !
access-list 100 permit ip 192.168.10.65 any
Author: Bill Buchanan
Only the contact access-list 100 deny any any
With the proxy is !
allowed in access-list 101 permit ip any host 192.168.10.65
access-list 101 deny any any
Application gateways/proxy servers
45. Bob
192.168.10.3
Only allows Only allows Alice
communication communication
192.168.10.2 from the proxy from the proxy
Proxy
Author: Bill Buchanan
Dual homed proxy
46. Bob
192.168.10.3
E0 E1
Proxy
Web traffic Web traffic
goes on port goes out on
192.168.10.2 6588 port 80
192.168.10.65
Agent proxy
Web traffic goes enabled
To port 6588 on
the proxy
Author: Bill Buchanan
Application gateways/proxy servers
47. Bob
192.168.10.3
E0 E1
Proxy
Web traffic Web traffic
goes on port goes out on
192.168.10.2 6588 port 80
192.168.10.65
HTTP (web browsers) (port 6588)
HTTPS (secure web browsers) (port 6588)
SOCKS4 (TCP proxying) (port 1080)
SOCKS4a (TCP proxying w/ DNS lookups) (port 1080)
SOCKS5 (only partial support, no UDP) (port 1080)
NNTP (usenet newsgroups) (port 119)
POP3 (receiving email) (port 110)
Author: Bill Buchanan
SMTP (sending email) (port 25)
FTP (file transfers) (port 21)
Agent proxy
enabled
Typical proxy ports
48. Bob
192.168.10.1 169.10.11.1
192.168.10.3
E0 E1
Proxy Only Telnet,
FTP, HTTP Alice
and POP-3
192.168.10.2
are allowed
in
192.168.10.65
interface Ethernet1
ip address 169.10.11.1 255.255.0.0
Only traffic
ip access-group 101 in
on certain
!
ports are
access-list 101 permit tcp any any eq telnet host 192.168.10.65
allowed, and
access-list 101 permit tcp any any eq ftp host 192.168.10.65
only if they
access-list 101 permit tcp any any eq http host 192.168.10.65
are destined
Author: Bill Buchanan
access-list 101 permit tcp any any eq pop3 host 192.168.10.65
for the proxy
access-list 101 deny any any
Application gateways/proxy servers
49. Bob
192.168.10.3
E0 E1
Proxy
Web traffic Web traffic
goes on port goes out on
192.168.10.2 6588 port 80
192.168.10.65
03/06/2003 21:26:19.957: 3750332 - HTTP Client connection
accepted from 192.168.0.20
03/06/2003 21:26:21.620: 3773004 - HTTP Client connection
accepted from 192.168.0.20
03/06/2003 21:26:23.232: 3773004 - HTTP Closing socket (2)
03/06/2003 21:26:23.863: 3773004 - HTTP Client connection
accepted from 192.168.0.20
03/06/2003 21:26:26.527: 3773004 - HTTP Closing socket (2)
03/06/2003 21:26:26.737: 3773004 - HTTP Client connection
accepted from 192.168.0.20
03/06/2003 21:26:29.091: 3773004 - HTTP Closing socket (2)
03/06/2003 21:26:29.371: 3773004 - HTTP Client connection
accepted from 192.168.0.20
03/06/2003 21:26:29.431: 3750332 - HTTP Closing socket (2)
03/06/2003 21:26:30.453: 3773004 - HTTP Closing socket (1)
Author: Bill Buchanan
03/06/2003 21:26:31.644: 3750332 - HTTP Client connection
accepted from 192.168.0.20
03/06/2003 21:26:32.786: 3750332 - HTTP Closing socket (1)
03/06/2003 21:26:33.126: 3750332 - HTTP Client connection
Agent proxy accepted from 192.168.0.20
enabled
Logging from a proxy
50. Bob
192.168.10.3
E0 E1
Proxy
192.168.10.2
192.168.10.65
Proxy allows:
The hosts to be hidden from the outside.
Private addresses can be used for the internal
network.
Logging of data packets.
User-level authentication, where users may require
a username and a password.
Author: Bill Buchanan
Isolation of nodes inside the network, as they cannot
be directly contacted.
Strengths of a proxy
51. Proxy
VPN
Eve
Bob
Alice
Author: Bill Buchanan
VPNs
Author: Prof Bill Buchanan
52. Eve
Eve could
eavesdrop on the
public
communications
Untrusted network
Bob Alice
Gateway Gateway
What is required is: Eve
Eve could
Encryption. change the
Authentication of data packets Eve
devices (to
overcome Gateway
spoofing) Eve could
Authentication of
Author: Bill Buchanan
setup an
packets (for alternative
integrity) gateway
Issues involved
53. Eve
Bob Alice
Gateway Gateway
Untrusted network
What is required is: PPTP (Point-to-point Tunneling Protocol). Created by
Microsoft and is routable. It uses MPPE (Microsoft
Encryption. Point-to-point Encryption) and user authentication.
Authentication of
L2TP (Layer 2 Tunneling Protocol). Works at Layer 2 to
devices (to
Forward IP, IPX and AppleTalk (RFC2661). Cisco,
overcome
Microsoft, Ascent and 3Com developed it. User and
spoofing) machine authentication, but no encryption (but can be used
Authentication of
Author: Bill Buchanan
with L2TP over IPSec).
packets (for
integrity) IPSec. An open standard. Includes both encryption and
Authentication.
Tunnelling methods
54. Traffic is encrypted
over the untrusted
network.
Bob Alice
Encrypted traffic
Unencrypted traffic Unencrypted traffic
Tunelling mode (over
untrusted connections)
Bob Alice
Transport mode.
Author: Bill Buchanan
End-to-end (host-to-
host) tunnelling
Tunnelling mode or transport mode
55. Bob Co.
VPN VPN
Alice Co.
Extranet
VPN
Bob Co. VPN VPN
Bob Co.
Intranet
VPN
VPN
Bob Co.
Author: Bill Buchanan
Bob@
home
Remote
Access VPN
VPN types
56. Firewall
Switch Traffic
Internet only
encrypted
over the
public
Intrusion channel
Detection
System
Bob Alice
Traffic is encrypted
and cannot be Router
checked by firewalls, Firewall Switch
IDS, and so on
Intrusion
Detection
System
Web
server
Email
server
Author: Bill Buchanan
FTP
server
Proxy
server
Tunnelling mode or transport mode
57. Firewall
Switch Traffic
Internet only
encrypted
over the
public
Intrusion channel
Detection
System
Bob Alice
Firewall blocks all Router
encrypted content Firewall Switch
and any negation of
a tunnel
Intrusion
Detection
For IPSec (one of the most popular tunnelling System
Web
methods): server
Email
UDP Port 500 is the key exchange
server port. If it is
Author: Bill Buchanan
blocked there can be no tunnel. FTP
server
TCP Port 50 for IPSec ESP (Encapsulated Security
Proxy
Protocol). server
TCP Port 51 for IPSec AH (Authentication Header)
Blocking end-to-end encryption
58. Authentication scope
ESP ESP IP packet ESP
IP header
Auth. trailer (encrypted) header
ESP transport mode method
(Weakness: Replay attack)
The IPSec protocol has:
ESP (Encapsulated Security Protocol). IP packet contents IP header
ESP takes the original data packet, and
breaks off the IP header. The rest of the
packet is encrypted, with the original header
added at the start, along with a new ESP Authentication scope
field at the start, and one at the end. It is
important that the IP header is not encrypted IP packet contents
AH New
as the data packet must still be read by header IP header
routers as it travels over the Internet. Only
the host at the other end of the IPSec tunnel AH transport method
can decrypt the contents of the IPSec data (Provides complete
packet. authentication for the packet)
AH (Authentication Header). This encrypts
the complete contents of the IP data packet, IP packet contents IP header
Author: Bill Buchanan
and adds a new packet header. ESP has the
weakness that an intruder can replay
previously sent data, whereas AH provides a
mechanism of sequence numbers to reduce
this problem.
IPSec
59. IP
IP TCP
TCP Higher-level protocol/data
Higher-level protocol/data
Version
Version Header length
Header length Type of service
Type of service
Total length
Total length
Identification
Identification
0 D M
0 D M Fragment Offset
Fragment Offset
Time-to-Live
Time-to-Live Protocol
Protocol
Header Checksum
Header Checksum
1 ICMP Internet Control Message [RFC792]
6 TCP Transmission Control [RFC793]
Source IP Address
Source IP Address
8 EGP Exterior Gateway Protocol [RFC888]
Destination IP Address
Destination IP Address 9 IGP any private interior gateway [IANA]
47 GRE General Routing Encapsulation
(PPTP)
50 ESP Encap Security Payload [RFC2406]
51 AH Authentication Header [RFC2402]
55 MOBILE IP Mobility
88 EIGRP EIGRP [CISCO]
89 OSPFIGP OSPFIGP [RFC1583]
115 L2TP Layer Two Tunneling Protocol
Author: Bill Buchanan
IPSec
60. VPN
Bob Co.
Bob@
home
Remote
Access VPN
Phase 1 (IKE – Internet Key Exchange)
UDP port 500 is used for IKE isakmp enable outside
Define the policies between the peers isakmp key ABC&FDD address 176.16.0.2 netmask
255.255.255.255
IKE Policies isakmp identity address
isakmp policy 5 authen pre-share
Hashing algorithm (SHA/MD5) isakmp policy 5 encrypt des
Encryption (DES/3DES) isakmp policy 5 hash sha
isakmp policy 5 group 1
Diffie-Hellman agreements isakmp policy 5 lifetime 86400
sysopt connection permit-ipsec
Authentication (pre-share, RSA nonces, RSA sig).
Phase 2
Defines the policies for transform sets, peer IP
addresses/hostnames and lifetime settings. crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
Crypto maps are exchanged crypto map MYIPSEC 10 ipsec-isakmp
access-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0
AH, ESP (or both) 255.255.255.0
Encryption (DES, 3DES) crypto map MYIPSEC 10 match address 111
crypto map MYIPSEC 10 set peer 176.16.0.2
ESP (tunnel or transport) crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
Author: Bill Buchanan
crypto map MYIPSEC interface outside
Authentication (SHA/MD5)
SA lifetimes defined
Define the traffic of interest
IPSec
61. Public
Key (Kpb1) Public
Key (Kpb2)
Shared key passed (Diffie-
Hellman) – used to encrypt all
the data
Kpv1 Public key is used
to authenticate the
device
Hashed
Hashed value
Result
value
Challenge?
Author: Bill Buchanan
Blocking end-to-end encryption
62. 172.16.0.1 172.16.0.2 192.168.0.1
10.0.0.1
Author: Bill Buchanan
IPSec (PIX)
63. 172.16.0.1 172.16.0.2 192.168.0.1
10.0.0.1
Author: Bill Buchanan
IPSec (PIX and Router)
64. No. Time Source Destination Protocol Info
81 5.237402 192.168.0.3 146.176.210.2 ISAKMP Aggressive
Frame 81 (918 bytes on wire, 918 bytes captured)
Ethernet II, Src: IntelCor_34:02:f0 (00:15:20:34:62:f0), Dst: Netgear_b0:d6:8c
(00:18:4d:b0:d6:8c)
Internet Protocol, Src: 192.168.0.3 (192.168.0.3), Dst: 146.176.210.2 (146.176.210.2)
172.16.0.1 172.16.0.2 192.168.0.1
10.0.0.1
Internet Security Association and Key Management Protocol
Initiator cookie: 5ABABE2D49A2D42A
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Aggressive (4)
Flags: 0x00
Message ID: 0x00000000
Length: 860
Security Association payload
Next payload: Key Exchange (4)
Payload length: 556
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Payload length: 544
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 14
Transform payload # 1
Next payload: Transform (3)
Payload length: 40
Transform number: 1
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): AES-CBC (7)
Author: Bill Buchanan
Hash-Algorithm (2): SHA (2)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): XAUTHInitPreShared (65001)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (2147483)
Key-Length (14): Key-Length (256)
IPSec (PIX and Router)
67. VPN
Bob Co.
Bob@
home
Remote
Access VPN
146.176.212.218 146.176.0.1
VPN connection
192.168.0.3 All other traffic goes
not on 146.176.0.0
network goes through
non-VPN connection
C:>route print
===========================================================================
Interface List
21 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter
10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet
7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connectio
1 ........................... Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
Author: Bill Buchanan
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
146.176.0.0 255.255.0.0 On-link 146.176.212.218 281
146.176.1.0 255.255.255.0 146.176.0.1 146.176.212.218 100
146.176.2.0 255.255.255.0 146.176.0.1 146.176.212.218 100
...
===========================================================================
Persist After connecting to the VPN
68. VPN
Bob Co.
Bob@
home
Remote
Access VPN
146.176.212.218 146.176.0.1
VPN connection
C:>tracert www.napier.ac.uk
Tracing route to www.napier.ac.uk [146.176.222.174] Before VPN connection
over a maximum of 30 hops:
1 2 ms 2 ms 6 ms 192.168.0.1
2 36 ms 38 ms 38 ms cr0.escra.uk.easynet.net [87.87.249.224]
3 31 ms 31 ms 30 ms ip-87-87-146-129.easynet.co.uk [87.87.146.129]
4 43 ms 43 ms 43 ms be2.er10.thlon.ov.easynet.net [195.66.224.43]
5 48 ms 45 ms 45 ms linx-gw1.ja.net [195.66.224.15]
6 45 ms 44 ms 45 ms so-0-1-0.lond-sbr4.ja.net [146.97.35.129]
7 49 ms 79 ms 49 ms so-2-1-0.leed-sbr1.ja.net [146.97.33.29]
8 58 ms 56 ms 56 ms EastMAN-E1.site.ja.net [146.97.42.46]
9 59 ms 57 ms 57 ms vlan16.s-pop2.eastman.net.uk [194.81.56.66]
10 57 ms 59 ms 58 ms gi0-1.napier-pop.eastman.net.uk [194.81.56.46]
11
C:>tracert www.napier.ac.uk
Tracing route to www.napier.ac.uk [146.176.222.174] After VPN connection
over a maximum of 30 hops:
Author: Bill Buchanan
1 57 ms 58 ms 57 ms 146.176.210.2
2 58 ms 56 ms 57 ms www.napier.ac.uk [146.176.222.174]
3 58 ms 59 ms 56 ms www.napier.ac.uk [146.176.222.174]
Traceroute for VPN
69. VPN
Bob Co.
Bob@
home
Remote
Access VPN
146.176.212.218 146.176.0.1
VPN connection
C:>tracert www.intel.com
Before VPN connection
Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:
1 3 ms 1 ms 1 ms 192.168.0.1
2 35 ms 43 ms 36 ms cr0.escra.uk.easynet.net [87.87.249.224]
3 32 ms 31 ms 32 ms ip-87-87-146-129.easynet.co.uk [87.87.146.129]
4 46 ms 45 ms 45 ms te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
5 46 ms 47 ms 47 ms 5adff621.bb.sky.com [90.223.246.33]
C:>tracert www.intel.com
After VPN connection
Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:
1 3 ms 1 ms 1 ms 192.168.0.1
2 35 ms 43 ms 36 ms cr0.escra.uk.easynet.net [87.87.249.224]
Author: Bill Buchanan
3 32 ms 31 ms 32 ms ip-87-87-146-129.easynet.co.uk [87.87.146.129]
4 46 ms 45 ms 45 ms te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
5 46 ms 47 ms 47 ms 5adff621.bb.sky.com [90.223.246.33]
Traceroute for VPN
70. Proxy
VPN
Eve
Bob
Alice
Author: Bill Buchanan
Tunnelling
Author: Prof Bill Buchanan
71. Application Application
Protocol
Secure protocols:
Port: 443. https (HTTP + SSL).
SSL Port: 465. ssmtp (SMTP + SSL).
Secure Socket
Port: 563. snntp (NNTP + SSL).
Port: 995. spop (POP-3 + SSL).
Port: 993. simap (IMAP + SSL).
Transport Transport
Network Network
Data Link Data Link
Physical Physical
Device
Server Server
Author: Bill Buchanan
One-way server authentication. Server provides
User authentication to the client, such as SSL (HTTPS,
FTPS, etc). Digital certificate required on the server. ID
Secure Sockets (SSL)
72. Application
Protocol
Secure Socket
Enter Remote Host:
Transport Enter Username: zzAA
Enter Password:
Connecting...Details:
Network MAC-hmac-md5
Port: 22
Cipher: 3des-cbc
Last login: Tue Jan 23 21:15:43 2007 from user-
Data Link 514da235.l2.c1.dsl.pol.co.uk
Directory: /home/cs72
Tue Jan 23 21:19:30 GMT 2007
Physical
Author: Bill Buchanan
SFTP example
73. ISP SMTP
server relays
email to Firewall
email servers blocks
SMTP relay
(port 25)
ISP
Author: Bill Buchanan
Email relaying