Securing LAN Connected Devices in Industrial Sites with TLS and Multicast DNS
Tero Keski-Valkama
May 28, 2015
Version 1.0
Outotec Oyj and Cybercom Finland Oy

Abstract

This whitepaper outlines a more flexible and more secure user interface architecture for browsers in industrial site networks, based on proven web and LAN technologies: TLS and multicast DNS.

1. Introduction

In this whitepaper we separate two roles: the Provider, who develops connected devices, and the Customer, who buys and arranges the installation of the devices provided by the Provider. The devices are installed in LANs owned by the Customer.

Currently, a typical industrial site network consists of statically configured LANs, with weak or no encryption for the connections. These networks are minimally secured by restricting their connectivity to other site networks and to the internet. When the Customer's industrial site consists of devices from multiple device suppliers, these suppliers usually set up their own local networks, separate from the networks of the other device suppliers, because there is little standardization in site network topologies between sites. This increases integration costs and the complexity of site networks. In industrial networks we generally cannot make assumptions about the set of services available, such as support for Dynamic DNS or Active Directory.

The organic approach leads to a layered network architecture where the networks closer to the core networks are kept increasingly isolated from the outside world, and are nominally "more secure". However, as industrial devices become more connected, this architecture is increasingly punctured by ad-hoc methods to support the required connectivity and integration. Typically the connectivity is implemented by custom static routing, VPNs, sneakernet and multi-homed VNC servers, for example. This makes industrial plant networks increasingly complex and their security increasingly difficult to guarantee, especially as attacks against such networks become more frequent.

As the trend of the industrial web progresses, and specifically as rich, mobile and interoperable user interfaces are increasingly developed with web technologies like HTML5, there is a distinct need to secure the connectivity between the user's browser and the LAN-connected industrial device serving the management, administration or diagnostic user interfaces. This whitepaper outlines a more flexible and more secure user interface architecture for browsers in industrial site networks, based on proven web and LAN technologies, TLS [1] and multicast DNS [2]. Since electronic attacks against the industrial segment are increasing in frequency and sophistication, modern and proven web-scale security technologies must be taken into use in the industrial segment as well. Existing security solutions concentrate on the industrial bus layer and do not solve the local user interface layer in a flexible and secure way. Using the solution outlined in this whitepaper, modern HTML5 user interfaces can be used securely and flexibly in a local industrial network environment, in a dynamic auto-discovery architecture.

2. Overview

We propose a solution where a device deployed to the industrial site network administered by the Customer can be connected securely to the common, shared site LAN in line with zero-configuration principles. Users can access the devices using mDNS domain names with common browsers over HTTPS, secured by proper TLS certificates. The devices can connect to each other using LAN connectivity and an M2M bus while authenticating each other with the same TLS certificates.

TLS and X.509 certificates [3] are a good solution for securing the connectivity between clients and servers. For example, the de-facto industrial plant networking standard OPC UA [4] uses TLS and X.509 certificates for securing the connectivity between devices and servers. TLS connectivity in statically configured LANs is challenging to implement properly, because the certificates are bound to host addresses which might be unknown at the time the certificates are signed, before actual deployment. The IP addresses might also change during the lifetime of the device because of site reconfigurations. Typically the hosts are configured to use insecure self-signed certificates for this reason. Self-signed certificates lack a chain of trust, which exposes distinct vulnerabilities in these kinds of networks.

Multicast DNS (Avahi) is a technology for discovering host names in the local area network. The common mDNS domain consists of mDNS addresses of the form <HOSTNAME>.local, where <HOSTNAME> is a single DNS label. Many browsers and operating systems support mDNS name discovery, and it is commonly used for example in printers and similar devices with dynamic LAN connectivity.

While the focus of this whitepaper is on securing user interfaces used with a browser, the established X.509 certificates can be reused for M2M authentication and encryption as well. The first part of this whitepaper describes the TLS certification scheme for an industrial site environment. The second part describes mDNS HTTPS interface discovery and its binding to the TLS scheme.

3. The Difference between Web TLS and Industrial LAN Security

Standard web root DNS TLS certificate authorities do not support LAN mDNS schemes and the related trust. *.local certificates are being phased out by standard web root TLS certification authorities, and the existing certificates will be revoked. This is because such globally valid certificates for *.local addresses would cause a leaky trust scheme, where devices certified for any network in the world would automatically be trusted in other LANs, possibly at other sites. In general, WWW TLS certificate authorities should only certify unique names that are accessible from the global web. The trust models for the World Wide Web and for industrial LANs are fundamentally different in their requirements and in the related solutions.

In the solution described in this whitepaper, we mitigate this risk by using separate trusted certificate authorities for each site and for each device, so that any Customer administering a network can select the proper trust domains and the respective certification authorities to trust, such that they are capable of signing only addresses related to a specific Provider, specific sites and specific devices. Obviously, networked services that can be published on the World Wide Web securely over HTTPS, as opposed to local services, can be published using normal DNS and web root TLS certification methods.

4. Trust between Organizations

The solution described in this whitepaper assumes that the Customer site can trust the relevant certification authorities of the device Provider. Establishing this trust is straightforward, because it means that the browsers in the Customer LANs gain the added benefit of being able to validate devices provided by a trusted Provider. If this trust is not established, the scheme falls back gracefully to operation similar to the commonly used self-signed certificate model, where each user needs to accept the server certificate of each device at the first connection. If the trust chain is established, the browsers can validate the proper TLS certificate trust chain in the same fashion as with normal World Wide Web HTTPS sites.

5. Authentication in Machine-to-Machine Interfaces

The devices deployed in the Customer network and provided by the same Provider implicitly trust the Provider certificate authorities. This means that they can authenticate and encrypt HTTPS REST (or SOAP) connections securely using the certificates the devices were deployed with. The devices can optionally expose only a subset of their machine-to-machine APIs to other devices of certain types from the same Provider. The established X.509 certificates for the devices can also be reused for securing other kinds of M2M service buses such as OPC UA. Devices from different Providers can expose APIs to each other in a similar fashion, but in these cases a certificate trust must of course be established, for example manually on a device-by-device basis by the Customer through the device administration user interfaces.

6. Distributing Public Certificates and Certificate Revocation Lists

The public TLS CA certificates of the Provider can be distributed over the normal World Wide Web from a public TLS-secured HTTPS site of the Provider. This guarantees the authenticity of the public CA certificates and links the trust chain to the standard WWW TLS certification authorities. If a certificate is leaked or lost, it must be revoked by the certificate authority. Distributing the certificate revocation lists can be done in conjunction with distributing the public certificates. Certificate and revocation list provisioning can be attached to the software update processes and co-managed in the same management processes.

7. Certificate Chain and Mapping to mDNS Names

The typical hierarchical organization of a family of products and the sites they are licensed to follows a scheme where the Provider's root certificate is configured with the ability to sign *.local mDNS addresses. Below this root level, the trust domains must be provisioned into segments, so that software development teams developing software for certain devices only have access to a certification authority certificate capable of signing addresses related to these devices and to the sites the devices are licensed to. Conversely, the Customer administering a certain site with devices from the Provider must have the option to trust only certificates intrinsically capable of signing mDNS addresses related to this Provider and to the devices licensed to a certain site. This means that the certificate chain roughly follows the hierarchy depicted in Figure 1.

[Figure 1: The certificate hierarchy]

The development team developing software for a certain device licensed to certain customers and sites therefore only holds the certificate authority capable of signing certificates for a certain Provider, for a set of certain Customers, for a set of certain sites, and for a certain device type. Conversely, the Customer site can trust a CA that is capable of signing certificates only for a certain Provider, a certain Customer and this certain Site. Optionally, the Customer can additionally enumerate all the device types that are trusted in the Customer's LAN.

For clarity, we leave out details of certificate expiration settings and their relation to the certificate chain. This certificate chain is for guidance only and does not necessarily reflect implementation-specific details. Certificate expirations can be bound to the expiration of software licenses and co-managed in the same management processes.

While TLS supports multiple certification authority levels separated by domain name wildcards and the hierarchy of labels, common mDNS usage requires that the DNS names are of the form <HOSTNAME>.local, where <HOSTNAME> is a single label. Specifically, normal browsers only follow the .local mDNS domain and do not see other domains without explicit configuration. This introduces a complication, because we cannot use the common WWW TLS method of separating different levels of certificate authorities by a hierarchy of DNS labels and wildcards. In this whitepaper, we suggest structuring the mDNS host name so that it includes the relevant labels and hierarchy. This is done by using the hyphen as the delimiter between labels instead of the period. The TLS certificate trust domains are mapped onto the mDNS naming structure. The mDNS names are structured as parts separated by hyphens as follows: <DEVICE_TYPE>-<SITE>-<CUSTOMER>-<PROVIDER>.local. The parts are described in Table 1. The resulting mDNS names are long, but they can be redirected to automatically and securely from shorter DNS addresses, or by using portals and link lists if necessary. The labels forming the parts of the names should be kept relatively short for obvious reasons.

Table 1: Definitions of the parts of the mDNS name

Placeholder      Description
<DEVICE_TYPE>    The name of one type of device. Generally the first device of a certain type deployed to the network should reserve this mDNS address. E.g. "device".
<SITE>           The name of the Customer's site. The naming is customer-specific and generally uniquely identifies a certain LAN.
<CUSTOMER>       The name of the Customer. This must not collide with the assigned names of other customers; these names are managed and registered by the Provider.
<PROVIDER>       The name of the Provider. Generally this can be the same as the label registered with the standard WWW HTTPS certification authorities, without the TLD part, for the sake of brevity.

8. mDNS Collisions

Avahi detects an mDNS collision when multiple devices in the same LAN attempt to announce the same mDNS name. This collision detection can be used to advantage in cases where multiple devices of the same type are installed in the same network. The first device that is able to reserve the mDNS name can subsequently serve the common interface for all similar devices in the network, and function as a kind of portal representing all the devices of that type in the same network. It is possible to use only one mDNS name from browsers and aggregate the other devices inside the same portal user interface using a separate M2M bus with auto-discovery. This M2M bus can be secured using the same X.509 certificates and trust chains.

9. Mobile Support and Adapting Multicast DNS to Unicast DNS

At least Android OS has very limited support for mDNS at the time of writing. In practice, all browsers use the Android OS DNS resolver, which has no support for mDNS, so at the moment no browser can resolve *.local addresses properly. However, there are several utilities available in the Android market, such as Bonjour Browser [5], which allow discovering the published services in the local network. Current applications do not support opening a browser to the discovered IP address, but implementing such a client application is trivial. Of course, using IP addresses in the browser negates some of the security benefits described in this whitepaper, and the connection security would be analogous to self-signed certificates. Apple iOS devices support mDNS natively.

Some mobile browsers and operating systems with no support for mDNS can also be accommodated by adapting the mDNS names in the local network to be published in the local DNS infrastructure. This can be done by using DNS UPDATE [6] queries to a local DNS server, as typically done in DDNS, or by using a hybrid mDNS-uDNS scheme like the one in the IETF draft Hybrid Unicast/Multicast DNS-Based Service Discovery [7]. Since the Provider does not know the configuration of such an infrastructure at the Customer's site, it remains the Customer's responsibility to implement such an adapter if considered necessary.

10. Security Domain Separation using Certificate Sets

Because the root certificate has the trusted capability to sign all *.local domain names, it is necessary to keep this certificate secured to maintain this trust. However, it is still necessary to sign new certificates for new devices and for new sites. In this whitepaper we propose a TLS-based domain separation scheme to mitigate the risks. The security domains are limited in the mDNS names their respective certificates are capable of signing. They form a normal certificate chain, or more accurately a tree, rooted at the root CA.

In this whitepaper we suggest a scheme where all the possible mDNS names for each successive certification authority level are enumerated, to work around the lack of suitable wildcard support in TLS for intra-label structuring. In principle TLS certificates can contain an enumerated list of all the names they are able to sign, but in practice certain technical limitations limit the length of these lists. For the implementation of the scheme described in this whitepaper, we suggest maintaining Certificate Sets for each level of certificate authority, so that each certificate can only sign certificates with one certain name. The Certificate Sets then include certificates capable of signing the cartesian product of all the possible enumerations of allowed label values for the respective certification authority. This means that the certificate authority just under the Provider root *.local certificate authority contains the largest number of distinct certificates, limited by the cartesian product shown in Equation (1).

$\text{Customers} \times \text{CustomerSites} \times \text{DeviceTypes}$ (1)

For a reasonably sized Provider this could result in, for example: 1, = 5,000,000 certificates. When one certificate takes around 4 kb of space, this results in 20 GB, which is reasonable in light of current consumer-grade disk sizes. One Customer Site would generally either trust the singular Provider root CA, or optionally trust a Certificate Set for one customer site, limited by the number of device types. For the previous example this would result in 100 distinct certificates to trust per site. A standard Firefox desktop browser comes with a built-in list of over 170 trusted CA certificates, so this number is reasonable even for mobile browsers.

The root certificate must be kept secure, and its exposure must be limited to a simple API with a limited set of allowed operations, so that all operations are securely logged. For example, signing a set of certificate signing requests is only allowed if the names in the certificate signing requests match the enumerations of allowed labels.

11. Adding New Customers, Sites and Device Types

In a continuous business, new customers, sites and devices must be added to the scheme while the existing trust relations must not be invalidated. Obviously, if trust has been established for a certain Customer site limited to certain device types only, the new certificates related to new device types need to be generated by the Provider only for the new device types. The existing certificates are maintained, thus maintaining the existing trust relations.
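The name layout of Section 7, the Certificate Set enumeration and signing-policy gate of Section 10, and the incremental growth of Section 11, as an added Python example that is not part of the whitepaper or its proof-of-concept. The label values (prov, acme, bolt, oulu, pori, pump, valve, motor) and every class and function name here are constructed for the example; the per-part character rule is this example's own choice, not a rule the whitepaper states.

```python
"""Model of <DEVICE_TYPE>-<SITE>-<CUSTOMER>-<PROVIDER>.local names and of
per-level Certificate Sets. Added example; names and label values are
constructed, not taken from any real deployment."""
import itertools
import re
from dataclasses import dataclass

MDNS_DOMAIN = ".local"
PART_NAMES = ("device_type", "site", "customer", "provider")
# The hyphen is the delimiter between parts, so a part itself may only
# contain letters and digits (example's own rule; lowercase for simplicity).
PART_RE = re.compile(r"^[a-z0-9]{1,16}$")


def parse_mdns_name(name: str) -> dict:
    """Split a structured .local host name into its four parts.

    Raises ValueError for anything outside the layout, so a signing API can
    reject malformed CSR names before it even consults the label policy."""
    if not name.endswith(MDNS_DOMAIN):
        raise ValueError(f"not a .local mDNS name: {name!r}")
    host = name[: -len(MDNS_DOMAIN)]
    if len(host) > 63:  # <HOSTNAME> is one DNS label, limited to 63 octets
        raise ValueError("host name exceeds the 63-octet DNS label limit")
    parts = host.split("-")
    if len(parts) != len(PART_NAMES):
        raise ValueError(f"expected {len(PART_NAMES)} hyphen-separated parts in {host!r}")
    for part in parts:
        if not PART_RE.fullmatch(part):
            raise ValueError(f"invalid part {part!r}")
    return dict(zip(PART_NAMES, parts))


def build_mdns_name(device_type: str, site: str, customer: str, provider: str) -> str:
    name = f"{device_type}-{site}-{customer}-{provider}{MDNS_DOMAIN}"
    parse_mdns_name(name)  # refuse parts that would break the layout
    return name


@dataclass(frozen=True)
class CaScope:
    """The names one CA level may sign. The Provider root holds all customers,
    sites and device types; a development-team CA or the CA a Customer site
    chooses to trust is a narrower scope derived from it."""
    provider: str
    customers: frozenset
    sites: frozenset
    device_types: frozenset

    def permits(self, name: str) -> bool:
        """Policy check from Section 10: every part of the CSR name must be in
        the enumeration of allowed labels for this level."""
        try:
            p = parse_mdns_name(name)
        except ValueError:
            return False
        return (p["provider"] == self.provider
                and p["customer"] in self.customers
                and p["site"] in self.sites
                and p["device_type"] in self.device_types)

    def certificate_set(self) -> list:
        """All names of the Certificate Set: the cartesian product of Eq. (1)."""
        return sorted(
            build_mdns_name(t, s, c, self.provider)
            for c, s, t in itertools.product(self.customers, self.sites, self.device_types))

    def certificate_set_size(self) -> int:
        return len(self.customers) * len(self.sites) * len(self.device_types)

    def derive(self, customers=None, sites=None, device_types=None) -> "CaScope":
        """Derive a scope with some label sets replaced (narrowing for a team
        or a site, or widening when the business grows)."""
        return CaScope(
            self.provider,
            frozenset(customers) if customers is not None else self.customers,
            frozenset(sites) if sites is not None else self.sites,
            frozenset(device_types) if device_types is not None else self.device_types)


def gate_signing_requests(scope: CaScope, csr_names) -> tuple:
    """The limited signing API in front of a CA: split requested names into
    those the scope permits and those it must refuse (and log)."""
    accepted, rejected = [], []
    for n in csr_names:
        (accepted if scope.permits(n) else rejected).append(n)
    return accepted, rejected


def names_to_add(old: CaScope, new: CaScope) -> list:
    """Section 11: when a scope grows, only the new names need certificates;
    every existing certificate, and the trust placed in it, stays as it is."""
    return sorted(set(new.certificate_set()) - set(old.certificate_set()))


if __name__ == "__main__":
    root = CaScope("prov", frozenset({"acme", "bolt"}),
                   frozenset({"oulu", "pori"}), frozenset({"pump", "valve"}))
    site = root.derive(customers={"acme"}, sites={"oulu"})
    print(root.certificate_set_size(), "names under the root level")
    print(gate_signing_requests(site, ["pump-oulu-acme-prov.local",
                                       "valve-pori-acme-prov.local"]))
    print(names_to_add(site, site.derive(device_types={"pump", "valve", "motor"})))
```

The scope a Customer site trusts is just a `CaScope` narrowed to one customer and one site, optionally with an explicit device-type list; `permits` is the same check whether it runs in front of the Provider's root CA or in the Customer's trust decision.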
12. Summary

This whitepaper describes a practical method for establishing secure and flexible networking for LAN-connected devices and their HTML user interfaces, especially in industrial networks, using standard web technologies, specifically multicast DNS and TLS. The scheme described in this whitepaper has been implemented as a proof-of-concept, and its practical usability has been validated with common desktop browsers and operating systems.

References

[1] RFC 5246, The Transport Layer Security (TLS) Protocol.
[2] RFC 6762, Multicast DNS.
[3] ITU-T Recommendation X.509 (10/12).
[4] OPC Unified Architecture (UA).
[5] Bonjour Browser for Android.
[6] RFC 2136, Dynamic Updates in the Domain Name System (DNS UPDATE).
[7] Hybrid Unicast/Multicast DNS-Based Service Discovery.
More informationTroubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123. Instructor Manual
Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123 Instructor Manual Published: 2013-07-02 SWD-20130702091645092 Contents Advance preparation...7 Required materials...7 Topics
More informationMaaS360 Mobile Enterprise Gateway
MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2014 Fiberlink, an IBM Company. All rights reserved. Information in this document is subject to change without notice. The software described
More informationWorking With Virtual Hosts on Pramati Server
Working With Virtual Hosts on Pramati Server 13 Overview Virtual hosting allows a single machine to be addressed by different names. There are two ways for configuring Virtual Hosts. They are: Domain Name
More informationComputer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System
Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce 18/02/15 Networks: DNS attacks 1 Domain Name System The domain name system (DNS) is an applica>on- layer protocol
More informationWhat in the heck am I getting myself into! Capitalware's MQ Technical Conference v2.0.1.5
SSL Certificate Management or What in the heck am I getting myself into! Table of Contents What is SSL and TLS? What do SSL and TLS do (and not do)? Keystore and Certificate Lifecycle Certificates Certificate
More informationA Standards-based Mobile Application IdM Architecture
A Standards-based Mobile Application IdM Architecture Abstract Mobile clients are an increasingly important channel for consumers accessing Web 2.0 and enterprise employees accessing on-premise and cloud-hosted
More informationDigital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University
Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate
More informationIBM Cloud Manager with OpenStack
IBM Cloud Manager with OpenStack Download Trial Guide Cloud Solutions Team: Cloud Solutions Beta cloudbta@us.ibm.com Page 1 Table of Contents Chapter 1: Introduction...3 Development cycle release scope...3
More informationActive Directory Compatibility with ExtremeZ-IP
Active Directory Compatibility with ExtremeZ-IP A Technical Best Practices White Paper Group Logic White Paper October 2010 About This Document The purpose of this technical paper is to discuss how ExtremeZ-IP
More informationConfiguration Guide BES12. Version 12.2
Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining
More informationTLS and SRTP for Skype Connect. Technical Datasheet
TLS and SRTP for Skype Connect Technical Datasheet Copyright Skype Limited 2011 Introducing TLS and SRTP Protocols help protect enterprise communications Skype Connect now provides Transport Layer Security
More informationNew DNS Technologies in the LAN
New DNS Technologies in the LAN Everything you always wanted to know about mdns, DNS-SD, LLMNR and similar technologies but were too afraid to ask. Carsten Strotmann, Men & Mice Services What's in it?
More informationUsing LifeSize Systems with Microsoft Office Communications Server 2007
Using LifeSize Systems with Microsoft Office Communications Server 2007 This technical note describes the steps to integrate a LifeSize video communications device with Microsoft Office Communication Server
More information1 2 3 4 5 6 7 8 9 Multichannel Retailer selling bedding, towels, clothing, kid stuff (the huge bear is called Ralph) and home stuff for making your outside area look like that 10 5 years of doing Mac support
More informationSecuring VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER
Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER Table of Contents About VMware View.... 3 Changes in VMware View 5.1.... 3 SSL Authentication Mechanism.... 4 X.509
More informationWebsense Content Gateway HTTPS Configuration
Websense Content Gateway HTTPS Configuration web security data security email security Support Webinars 2010 Websense, Inc. All rights reserved. Webinar Presenter Title: Sr. Tech Support Specialist Cisco
More informationTable of Contents. This whitepaper outlines how to configure the operating environment for MailEnable s implementation of Exchange ActiveSync.
This whitepaper outlines how to configure the operating environment for MailEnable s implementation of Exchange ActiveSync. Table of Contents Overview... 2 Evaluating Exchange ActiveSync for MailEnable...
More informationMOC 6435A Designing a Windows Server 2008 Network Infrastructure
MOC 6435A Designing a Windows Server 2008 Network Infrastructure Course Number: 6435A Course Length: 5 Days Certification Exam This course will help you prepare for the following Microsoft exam: Exam 70647:
More informationConclusion and Future Directions
Chapter 9 Conclusion and Future Directions The success of e-commerce and e-business applications depends upon the trusted users. Masqueraders use their intelligence to challenge the security during transaction
More informationCertificate Management
www.novell.com/documentation Certificate Management ZENworks Mobile Management 3.1.x August 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of
More informationEA-ISP-012-Network Management Policy
Technology & Information Services EA-ISP-012-Network Management Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 01/04/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref:
More informationDNS and E-mail Interface User Guide
DNS and E-mail Interface User Guide Document Revision 04 // 2012 www.twcbc.com back back to TOC to TOC Header Text and Info Table of Contents 1. Introduction 3 2. Accessing the Application 4 3. Working
More informationDetecting Search Lists in Authoritative DNS
Detecting Search Lists in Authoritative DNS Andrew Simpson March 10 th, 2014 Summary Early research into name collisions has postulated that search list interaction drives some portion of the DNS requests
More informationHow To Understand The History Of The Network And Network (Networking) In A Network (Network) (Netnet) (Network And Network) (Dns) (Wired) (Lannet) And (Network Network)
COMPUTER NETWORKS LECTURES DR.PETER G. GYARMATI Research professor Lectures of P. G. Gyarmati 1. page 1999.-2006. 1999.-2006. This page is intentionally left blank Lectures of P. G. Gyarmati 2. page 1999.-2006.
More informationAdministering the Web Server (IIS) Role of Windows Server
Course 10972B: Administering the Web Server (IIS) Role of Windows Server Page 1 of 7 Administering the Web Server (IIS) Role of Windows Server Course 10972B: 4 days; Instructor-Led Introduction This course
More informationReparing HTTP authentication for Web security
Reparing HTTP authentication for Web security Yutaka OIWA 1 Overview This position paper proposes improvement efforts for HTTP authentication/authorization mechanisms, to solve various current problems
More informationCase Study for Layer 3 Authentication and Encryption
CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client
More informationCourse Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion
Key Data Product #: 3380 Course #: 6420A Number of Days: 5 Format: Certification Exams: Instructor-Led None This course syllabus should be used to determine whether the course is appropriate for the students,
More informationMCSA Objectives. Exam 70-236: TS:Exchange Server 2007, Configuring
MCSA Objectives Exam 70-236: TS:Exchange Server 2007, Configuring Installing and Configuring Microsoft Exchange Servers Prepare the infrastructure for Exchange installation. Prepare the servers for Exchange
More informationAccelerating Service Discovery in Ad-hoc Zero Configuration Networking
Accelerating Service Discovery in Ad-hoc Zero Configuration Networking Se Gi Hong, Suman Srinivasan and Henning Schulzrinne Columbia University, New York, NY {segihong, sumans, hgs}@cs.columbia.edu Abstract
More informationData Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment
White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based
More informationAdministering the Web Server (IIS) Role of Windows Server 10972B; 5 Days
Lincoln Land Community College Capital City Training Center 130 West Mason Springfield, IL 62702 217-782-7436 www.llcc.edu/cctc Administering the Web Server (IIS) Role of Windows Server 10972B; 5 Days
More informationDeployment and Configuration Guide
vcenter Operations Manager 5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions
More informationConsiderations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.
Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet
More informationArchitecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference
Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise
More informationPresto User s Manual. Collobos Software Version 1.1. 2013 Collobos Software, Inc! http://www.collobos.com
Presto User s Manual Collobos Software Version 1.1 2013 Collobos Software, Inc! http://www.collobos.com Welcome To Presto! 3 AirPrint! 3 Google Cloud Print! 3 System Requirements! 3 How It Works! 5 PrintKit
More informationUsing Bonjour Across Subnets
Using Bonjour Across Subnets Version: 1.0 Date: 9/19/06 Author: Geordie Korper Overview This paper discusses methods you can use to provide Bonjour discovery services across subnets. It is intended for
More informationInstallation & Configuration Guide
Installation & Configuration Guide Bluebeam Studio Enterprise ( Software ) 2014 Bluebeam Software, Inc. All Rights Reserved. Patents Pending in the U.S. and/or other countries. Bluebeam and Revu are trademarks
More informationINUVIKA OPEN VIRTUAL DESKTOP FOUNDATION SERVER
INUVIKA OPEN VIRTUAL DESKTOP FOUNDATION SERVER ARCHITECTURE OVERVIEW AND SYSTEM REQUIREMENTS Mathieu SCHIRES Version: 1.0.0 Published March 5, 2015 http://www.inuvika.com Contents 1 Introduction 3 2 Architecture
More informationMobile Admin Security
Mobile Admin Security Introduction Mobile Admin is an enterprise-ready IT Management solution that generates significant cost savings by dramatically increasing the responsiveness of IT organizations facing
More informationSecurity IIS Service Lesson 6
Security IIS Service Lesson 6 Skills Matrix Technology Skill Objective Domain Objective # Configuring Certificates Configure SSL security 3.6 Assigning Standard and Special NTFS Permissions Enabling and
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationA Plan for the Continued Development of the DNS Statistics Collector
A Plan for the Continued Development of the DNS Statistics Collector Background The DNS Statistics Collector ( DSC ) software was initially developed under the National Science Foundation grant "Improving
More informationNext Steps In Accelerating DNSSEC Deployment
Next Steps In Accelerating DNSSEC Deployment Dan York, CISSP Senior Content Strategist, Internet Society DNSSEC Deployment Workshop, ICANN 45 Toronto, Canada October 17, 2012 Internet Society Deploy360
More informationDNS security: poisoning, attacks and mitigation
DNS security: poisoning, attacks and mitigation The Domain Name Service underpins our use of the Internet, but it has been proven to be flawed and open to attack. Richard Agar and Kenneth Paterson explain
More informationCUSTOMIZED ASSESSMENT BLUEPRINT COMPUTER SYSTEMS NETWORKING PA. Test Code: 8148 Version: 01
CUSTOMIZED ASSESSMENT BLUEPRINT COMPUTER SYSTEMS NETWORKING PA Test Code: 8148 Version: 01 Specific competencies and skills tested in this assessment: Personal and Environmental Safety Wear personal protective
More informationVMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationLast Updated: July 2011. STATISTICA Enterprise Server Security
Last Updated: July 2011 STATISTICA Enterprise Server Security STATISTICA Enterprise Server Security Page 2 of 10 Table of Contents Executive Summary... 3 Introduction to STATISTICA Enterprise Server...
More informationSonicOS Enhanced 5.7.0.2 Release Notes
SonicOS Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 3 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... 11 Platform Compatibility
More information