WHITEPAPER: SECURITY CONCEPT FOR SICK REMOTE SERVICE

Editor: Lifetime Services, SICK AG, Waldkirch / Germany

TABLE OF CONTENTS

Introduction
Protocols Used
  HTTPS
  SSH
User Authentication
Connection Topology
  Machine PCs
  Meeting Point Router mpr
  Service Technicians
Potential Attack Scenarios
  Attacks on the Connection Technology
  Attacks on the Application
Risk Assessment
Conclusion
Introduction

The SICK Meeting Point architecture was designed with the goal of ensuring maximum security while keeping operating complexity to a minimum. The architecture is aligned with the recommendations and the catalog of measures provided by the BSI (German Federal Office for Information Security) for securing remote maintenance (M5.33). These include:

- remote maintenance access is always initiated only from the local IT system,
- the performance of the remote maintenance is adequately logged,
- the dual-control principle is adhered to (no remote maintenance without customer approval).

The following sections describe how these specifications have been incorporated technically into the Meeting Point architecture and provide detailed information for ensuring secure remote maintenance.

Protocols Used

Two communications channels are used in the Meeting Point architecture (MPA):

- HTTPS (port 443)
- SSH (port 22)

HTTPS

HTTPS is generally used for encrypted communication between browsers and Web servers in applications such as online banking, purchasing portals, and many portals that store personal data. In such applications, the Web server uses an X.509 certificate that gives the user the assurance of being connected to the desired server. The name under which the server can be reached on the Internet is stored in the certificate, and this information is signed by a certification authority (CA). A browser ships with a list of trusted CAs, which are expected to sign only if the server name information is correct. However, past experience has shown that this cannot always be ensured: gaps in the Web portals that CAs use for managing certificates may allow arbitrary server names to be stored in a certificate, and normally functioning CAs listed in the browsers may write almost any desired server name into a certificate without conducting thorough checks.
An mpa server therefore uses its own CA, which means that the server is able to issue its own certificates. This makes it possible to provide the Web server with a certificate and also to issue an X.509 certificate to each individual user, allowing users to identify themselves to the Web server in a secure manner. These user certificates are installed in the customer's browser, which presents them every time the mpa server is visited. By securing the certificate store in the browser with a password in turn, two-factor authentication is achieved, since both the certificate and the password are required to log on to the server. User certificates provide a convenient and secure way to authenticate users, especially on computers that are used for machine control and on which several employees frequently work in alternation.

When a browser opens an HTTPS Web server that presents a certificate not signed by one of the stored trusted CAs, warning messages are generally issued. Once the CA certificate of the mpa system has been added to the list of trusted CAs, the browser henceforth accepts the server certificate like all other certificates of preinstalled CAs. In principle, accepting certificates is a matter of trust. Because many certificates are preinstalled in the browser, so that the chain of trust from the CA operator via the browser vendor and the software distribution is not transparent, and because of the potential for manipulation after installation, it is recommended to delete the supplied list of trusted CA certificates. By adding certification authorities to the CA list individually, only those that are actually required for the pages the user visits are trusted.
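As an added illustration (not SICK's tooling and not code from this whitepaper), the following shell script builds the kind of private CA this section describes with the openssl command-line tool: a self-signed CA, a server certificate carrying the server's DNS name, a password-protected PKCS#12 client certificate for one user, and the Apache mod_ssl directives that require such a certificate. The directory, the names and the password are constructed assumptions.

```shell
#!/bin/sh
# Added example, not SICK's tooling: a private CA like the one the mpa server
# runs, a server certificate, and a browser-installable client certificate.
# Needs the openssl command-line tool; all names are constructed.
set -eu

# make_mpa_pki DIR SERVER_DNS_NAME USER_CN P12_PASSWORD
# Creates ca.crt/ca.key, server.crt/server.key and USER_CN.crt/.key/.p12 in DIR.
make_mpa_pki() {
    dir=$1 server=$2 user=$3 p12pass=$4
    mkdir -p "$dir"

    # 1. Private CA, self-signed. Only ca.crt is imported into the browsers'
    #    trusted-CA list, so only certificates signed with ca.key are trusted.
    openssl req -newkey rsa:2048 -nodes -subj "/O=mpa-demo/CN=mpa demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server certificate. The name users type into the browser is bound in
    #    subjectAltName; browsers match the URL host against the SAN.
    openssl req -newkey rsa:2048 -nodes -subj "/O=mpa-demo/CN=$server" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$server" > "$dir/server.ext"
    openssl x509 -req -days 825 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null

    # 3. Client certificate for one user, restricted to clientAuth so it can
    #    never pose as a server. Bundled as PKCS#12 for the browser import; the
    #    password protecting the private key is the second factor.
    openssl req -newkey rsa:2048 -nodes -subj "/O=mpa-demo/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/$user.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/$user.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/$user.crt" -inkey "$dir/$user.key" \
        -certfile "$dir/ca.crt" -name "$user" -passout "pass:$p12pass" \
        -out "$dir/$user.p12" 2>/dev/null
}

# verify_chain DIR CERT: succeeds only if CERT chains to DIR/ca.crt, i.e. what
# a browser with only the mpa CA in its trust list would accept.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# apache_client_cert_fragment DIR: mod_ssl directives (assumed, not taken from
# the whitepaper) that make the Web server demand a certificate issued by the
# private CA from every browser and refuse the connection otherwise.
apache_client_cert_fragment() {
    cat <<EOF
SSLEngine on
SSLCertificateFile    $1/server.crt
SSLCertificateKeyFile $1/server.key
# Trust only client certificates issued by the mpa CA
SSLCACertificateFile  $1/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLProtocol -all +TLSv1.2 +TLSv1.3
EOF
}
```

The .p12 file is what gets imported into the user's browser; the CA certificate alone is what gets added to the trusted-CA list.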
Experience gleaned from cases such as DigiTrust has shown that it is possible to compromise officially listed certification authorities and thus to issue any desired certificates, which makes it much easier to launch man-in-the-middle attacks. Adding CAs individually to the list of trusted CAs substantially reduces the risk of successful attacks of this kind. With current browsers, HTTPS uses the AES encryption algorithm with a 256-bit key length. The mpa server uses the popular Apache Web server as a communication endpoint; the OpenSSL libraries are used for encryption.

SSH

Secure Shell (SSH) is a popular protocol for providing access to Unix servers via the network. The OpenSSH implementation used on the server side originates from the development environment of OpenBSD, a Unix derivative devised with security in mind that is used in many hardware firewalls. In addition to OpenSSH, Plink from the PuTTY package is also used in the Meeting Point architecture on Windows systems. Besides authentication with user names and passwords, the SSH protocol also allows the use of public keys, which are exchanged in advance and presented to the server when establishing a connection, as well as other methods such as Kerberos. The mpa server uses only public key authentication. User name/password authentication is deactivated to prevent automated programs on the Internet from testing passwords automatically and possibly encountering a weak one. Before the SSH connection is established, the public keys are dynamically generated by the system and exchanged via HTTPS. The validity of a key pair generated in this way is limited to a maximum of 10 minutes. After authentication, a session key is generated within the SSH protocol, which is used for further data exchange and is periodically changed. Encryption is implemented via AES with a key length of 128 bits.
User Authentication

User authentication can be performed via client-side X.509 certificates, which can be stored in the browser. After authentication, a random session cookie is passed to the user and subsequently used to identify the user. This cookie is exchanged at regular intervals so that there is only a limited time window in which to exploit the obtained information in the event of a man-in-the-middle attack. In order to defend against brute-force attacks on user name/password combinations, accounts are automatically blocked after five unsuccessful attempts and must be reactivated by an administrator. Unsuccessful attempts are logged in the system independently of the application and can be analyzed by the system administrator.

Connection Topology

mpa uses a star connection topology, meaning that all connections are established via the central MPA server. Only this server provides the above-mentioned HTTPS and SSH services on the Internet. All other components utilize them and thus use only outgoing connections. In particular, there are no direct connections between service technicians and machines. Events involving changes in authorizations, such as the loss of laptops, changes in employees, or detected security gaps, can be handled centrally. With this architecture, it is no longer necessary to perform administrative actions on client devices.
[Figure: Meeting-Point architecture. Customer side: production control station / SPS and a controller with SPS and CAN bus control behind a gateway PC or Meeting Point Router (MPR), with minimal requirements for router and firewall; reverse connection to the Meeting Point server via SSH tunnel over port 22 (SSH) and port 443 (HTTPS). Meeting Point server: database-based administration of forwarded ports, adaptable via web application; SSH authentication by dynamic one-pass keys; HTTPS authentication via X.509 certificates. Service technician: connection via SSH tunnel over port 22 (SSH) and port 443 (HTTPS) through the Internet.]

Machine PCs

The machine account type is provided for control PCs that are used on machines as operator terminals for mpa. This account type provides access to exactly one machine file and allows the establishment of a remote connection. The SSH connection configuration generated in the mpa server allows only SSH reverse tunnels for machine accounts. Thus, resources on the machine computer can be made accessible, but not in the opposite direction.

Meeting Point Router mpr

The mpr is based on a simple industrial PC that is equipped with two network interfaces and is used for separating the machine network from the customer network. An integrated packet firewall specifically enables only the required communications channels between the customer network and the machine network, as well as from the machine network to the Internet. Here as well, only outgoing connections via HTTPS and SSH are used for remote access via the mpa server. During the rollout of the mpr, a unique identifier is stored on the system for authentication, which is transmitted during MPR activation. This identifier replaces the use of user names and passwords for the MPR and must therefore be kept secret. However, if an MPR identifier is stolen from the MPR, it can be used to gain access to the MPR-specific pages of the mpa server. These pages allow establishing a remote connection which, however, can comprise only reverse ports (ensured by server-side limitation), so that a potential attacker would only be able to make their own resources accessible, but in particular cannot gain access to resources of other MPR devices that are currently connected.
[Figure: Meeting Point Router: security through separation of machine network and customer network.]

In addition to the normal ports that are forwarded via SSH, the mpr also provides the option of establishing a full VPN connection between the service technician and the machine network as required. To do this, a Layer 2 network link is additionally established using OpenVPN through an SSH tunnel of a remote connection, so that the service technician can, for example, use broadcast-based or UDP-based services. The OpenVPN option can be used only via an existing SSH remote connection, so that the authentication and encryption of the VPN connection do not constitute a new point of attack.
Service Technicians

Service technicians have access to all machine files and can connect to all machines currently connected via a remote connection. A connection made by a service technician is always logged in the machine file as information. The server-side generation of the SSH configuration allows only forward tunnels in this case. Thus, a service technician can reach services on the customer side, but not in the other direction. The limitation of port forwarding to the ports provided for the machine takes place in two stages. First, these ports are written into the SSH client configuration. In parallel, a list of allowed ports for the relevant SSH key is stored on the mpa server, which is checked by the SSH server when establishing a connection.

Potential Attack Scenarios

The limitation to exactly two connection mechanisms also limits the possibility of attacking them from the outside. Since only the mpa server accepts connections on these ports, the need for regular security updates is largely confined to this server.

Attacks on the Connection Technology

SSH is operated in a maximum-security configuration (access possible only for the required users, exclusively via public key authentication, no root access, only the SSH2 protocol), which is used in this way throughout the world in many forms to provide remote administrative access. Successful attacks on servers configured in this way are unknown. In addition, we use key pairs that are dynamically generated and time-limited, so that even brute-force attacks on the keys are not likely to succeed. The HTTPS server provides end-to-end encryption between the browser and Web server, which cannot be compromised by conventional means. Nonetheless, as with any HTTPS communication, the potential exists for compromising the communication between the browser and server using a man-in-the-middle attack.
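As an added illustration (not SICK's configuration), the following POSIX shell functions show how the two-stage port limitation and the SSH settings just described can be expressed for OpenSSH: the tunnel argument written into the client configuration, the per-key authorized_keys entry that bounds the allowed ports and expires the key after the 10-minute window, and an sshd_config fragment that fixes the tunnel direction per role. Group names, ports and the key text are assumptions, and it assumes an sshd that supports the restrict, permitopen, permitlisten and expiry-time key options and the PermitListen directive (permitlisten and PermitListen appeared in OpenSSH 7.8; expiry-time is newer).

```shell
#!/bin/sh
# Added example, not SICK's configuration: the two-stage port limitation and
# the sshd settings from the whitepaper, expressed for OpenSSH. Port numbers,
# group names and the key text are constructed placeholders.
set -eu

# valid_port N: succeeds if N is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Stage 1, client side: the tunnel the mpa server writes into the generated
# client configuration. MPA_PORT is the port administered in the database at
# which the machine's service is reachable on the mpa server's loopback.
#   mpa_tunnel_arg machine    MPA_PORT MACHINE_PORT -> reverse tunnel (-R)
#   mpa_tunnel_arg technician MPA_PORT LOCAL_PORT   -> forward tunnel (-L)
mpa_tunnel_arg() {
    role=$1 mpa_port=$2 other=$3
    valid_port "$mpa_port" && valid_port "$other" || return 1
    case $role in
        machine)    printf '%s\n' "-N -R $mpa_port:localhost:$other" ;;
        technician) printf '%s\n' "-N -L $other:127.0.0.1:$mpa_port" ;;
        *) return 1 ;;
    esac
}

# Stage 2, server side: the authorized_keys entry for the dynamically
# generated key. EXPIRY is YYYYMMDDHHMMSS in sshd's time zone, i.e. the
# generation time plus 10 minutes.
#   mpa_authorized_key ROLE EXPIRY 'KEYTYPE BASE64 COMMENT' PORT...
mpa_authorized_key() {
    role=$1 expiry=$2 pubkey=$3; shift 3
    [ $# -ge 1 ] || return 1
    # restrict switches off pty, X11, agent forwarding, ~/.ssh/rc and port
    # forwarding; port-forwarding switches forwarding alone back on, and the
    # permit* options below bound it to the administered ports.
    opts="restrict,port-forwarding,expiry-time=\"$expiry\""
    for port in "$@"; do
        valid_port "$port" || return 1
        case $role in
            # machine keys may only make sshd listen on their own ports (-R)
            machine)    opts="$opts,permitlisten=\"$port\"" ;;
            # technician keys may only connect to those loopback ports (-L)
            technician) opts="$opts,permitopen=\"127.0.0.1:$port\"" ;;
            *) return 1 ;;
        esac
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# sshd_config fragment (assumed group names): public keys only, no root
# login, and the tunnel direction fixed per role so that a machine key can
# never open a forward tunnel and a technician key never a reverse one.
# Current OpenSSH speaks protocol 2 only, so no Protocol line is needed.
mpa_sshd_config() {
    cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowGroups mpa-machines mpa-technicians
X11Forwarding no
AllowAgentForwarding no
Match Group mpa-machines
    PermitOpen none
Match Group mpa-technicians
    PermitListen none
EOF
}
```

On GNU systems the expiry string for a freshly generated key can be produced with `date -d '+10 minutes' +%Y%m%d%H%M%S`.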
However, the manipulations required to do this always necessitate tampering with the basic IT infrastructure such as the DNS server or the proxy infrastructure. In addition, when carrying out such an attack, either the list of trusted certification authorities in the browser or a trusted certification authority itself must be directly manipulated. In any event, in the interest of IT security within the company, this should be prevented administratively. However, some companies exploit this opportunity, supposedly in the interest of their own IT security (which is relatively easy, since all above-mentioned components can be influenced by their own IT), in order to inspect HTTPS-encrypted data exchange for malware. Although this is well-intended, it effectively breaches the concept of end-to-end encryption and thus undercuts the trust of users, who assume that HTTPS provides secure communication.

Attacks on the Application

In addition to attacks on the connection technology, there is also the potential for attacks on the Web application itself. The software components and the implementation of the Web application on the mpa server should be well maintained and regularly checked for known security gaps. By concluding a service level agreement, you can ensure that you will receive a rapid and professional response to such an event. The internal security architecture of the Web application strictly separates the individual areas from each other. Areas that grant user-dependent access to user data (machine files, documents, and connections, among others) are protected by gatekeepers that first check that the passed parameters are valid within the context of the user when a corresponding path is called.
Risk Assessment

The centralized structure of the Meeting Point architecture concentrates the potential for attacks on one server and the connections to it. Compared to widely deployed remote VPN or dial-in architectures, it is possible to react quickly from a central location to events such as lost laptops and to block user access. In particular, by avoiding direct communication between service technicians and customers, as well as the associated distribution of access data to the service technicians, potential attack scenarios can be substantially reduced. The above-mentioned potential for attacks on the HTTPS connections would make it possible to display manipulated pages to the user or to gain access to entered information. However, it is not possible to deceive the server about one's own identity and thereby gain access to information that is not intended for the user. The procedure for blocking user accounts after five failed attempts creates the potential for a denial-of-service attack that attempts to block as many accounts as possible. In this case, the administrator must reactivate these accounts and should take additional measures (such as setting up firewall barriers against the source of the attack) if such attacks occur frequently.

Conclusion

The remaining risks are manageable. The potential attack scenarios are concentrated on a few points that can be monitored well due to the centralized structure. Comprehensive system logging can be used to ensure that attacks are logged and do not go unnoticed during the regular system reviews that take place under the service level agreement.
REFERENCES

BSI (German Federal Office for Information Security): Package of measures for secure remote services (M5.33)

SICK AG, Waldkirch, Germany
Citrix Corporate Security FAQs Common security questions about Citrix Corporate www.gotomypc.com Q: What are the Corporate software components that I need to install on the host and client computers? A:
More informationWhat IT Auditors Need to Know About Secure Shell. SSH Communications Security
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
More informationDashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
More informationDriving Company Security is Challenging. Centralized Management Makes it Simple.
Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary
More informationInformation. Questions will be answered at the end. Please submit questions to Erick Mendoza using the chat function.
Information Questions will be answered at the end. Please submit questions to Erick Mendoza using the chat function. Securing Niagara, Part 2 Java 1.7.0.25 Update Announcement Review basic hardening steps
More informationChapter 4 Virtual Private Networking
Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between
More informationGoToMyPC Corporate Advanced Firewall Support Features
F A C T S H E E T GoToMyPC Corporate Advanced Firewall Support Features Citrix GoToMyPC Corporate features Citrix Online s advanced connectivity technology. We support all of the common firewall and proxy
More informationNetwork Security. Mobin Javed. October 5, 2011
Network Security Mobin Javed October 5, 2011 In this class, we mainly had discussion on threat models w.r.t the class reading, BGP security and defenses against TCP connection hijacking attacks. 1 Takeaways
More informationTechnical White Paper
Instant APN Technical White Paper Introduction AccessMyLan Instant APN is a hosted service that provides access to a company network via an Access Point Name (APN) on the AT&T mobile network. Any device
More informationEnterprise Remote Support Network
Enterprise Remote Support Network Table of Contents I. Introduction - Executive Summary...1 Managing Remote Support in a Secure Environment...1 The Challenge...2 The Solution...2 II. SecureLink Enterprise
More informationHughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R
HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by
More informationHow Reflection Software Facilitates PCI DSS Compliance
Reflection How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance In 2004, the major credit
More informationReverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006
Reverse Shells Enable Attackers To Operate From Your Network Richard Hammer August 2006 Reverse Shells? Why should you care about reverse shells? How do reverse shells work? How do reverse shells get installed
More informationReadyNAS Replicate. Software Reference Manual. 350 East Plumeria Drive San Jose, CA 95134 USA. November 2010 202-10727-01 v1.0
ReadyNAS Replicate Software Reference Manual 350 East Plumeria Drive San Jose, CA 95134 USA November 2010 202-10727-01 v1.0 2010 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced,
More informationCommon Criteria Web Application Security Scoring CCWAPSS
Criteria Web Application Security Scoring CCWAPSS Author Frédéric Charpentier, security pentester. France. Fcharpentier@xmcopartners.com Releases Version 1.0 : First public release September 2007 Version
More informationHow to install and run an OpenVPN client on your Windows-based PC
How to install and run an OpenVPN client on your Windows-based PC The DIL/NetPC ADNP/9200 is also available with a preinstalled OpenVPN server. This allows secure VPN connections between a PC as an OpenVPN
More informationConfiguring a Check Point FireWall-1 to SOHO IPSec Tunnel
Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel This document describes the procedures required to configure an IPSec VPN tunnel between a WatchGuard SOHO or SOHO tc and a Check Point FireWall-1.
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505
INTEGRATION GUIDE DIGIPASS Authentication for Cisco ASA 5505 Disclaimer DIGIPASS Authentication for Cisco ASA5505 Disclaimer of Warranties and Limitation of Liabilities All information contained in this
More informationSecurity Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationUsing etoken for SSL Web Authentication. SSL V3.0 Overview
Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents
More informationSecuring Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper
Securing Patient Data in Today s Mobilized Healthcare Industry Securing Patient Data in Today s Mobilized Healthcare Industry 866-7-BE-GOOD good.com 2 Contents Executive Summary The Role of Smartphones
More informationTOP SECRETS OF CLOUD SECURITY
TOP SECRETS OF CLOUD SECURITY Protect Your Organization s Valuable Content Table of Contents Does the Cloud Pose Special Security Challenges?...2 Client Authentication...3 User Security Management...3
More informationSecurity Considerations for DirectAccess Deployments. Whitepaper
Security Considerations for DirectAccess Deployments Whitepaper February 2015 This white paper discusses security planning for DirectAccess deployment. Introduction DirectAccess represents a paradigm shift
More informationCompany Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.
Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim
More informationAstaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client
Astaro Security Gateway V8 Remote Access via SSL Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If you are not
More informationThe New Key Management:
SESSION ID: SEC-F01 The New Key Management: Unlocking the Safeguards of Keeping Keys Private Jono Bergquist Solutions Engineering Lead - APJ CloudFlare Outline Why application-level TLS is important Key
More informationWhite Paper Secure Reverse Proxy Server and Web Application Firewall
White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security
More informationBrainloop Cloud Security
Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating
More informationSecurity in the smart grid
Security in the smart grid Security in the smart grid It s hard to avoid news reports about the smart grid, and one of the media s favorite topics is security, cyber security in particular. It s understandable
More informationTel: 905.940.9000 Toll-Free: 800.668.5769 Fax: 905.940.9009 Oct 2005 Email: info@cail.com Website: www.cail.com. CAIL Security Facility
Tel: 905.940.9000 Toll-Free: 800.668.5769 Fax: 905.940.9009 Oct 2005 Email: info@cail.com Website: www.cail.com CAIL Security Facility Table of Contents A. Overview B. CAIL Security Solutions C. Summary
More informationRepeater. BrowserStack Local. browserstack.com 1. BrowserStack Local makes a REST call using the user s access key to browserstack.
Connection Setup Process makes a REST call using the user s access key to chooses a repeater for establishing a secure connection for Local Testing. The repeater exists within the BrowserStack cloud infrastructure.
More informationIf you prefer to use your own SSH client, configure NG Admin with the path to the executable:
How to Configure SSH Each Barracuda NG Firewall system is routinely equipped with an SSH daemon listening on TCP port 22 on all administrative IP addresses (the primary box IP address and all other IP
More informationEnterprise Security Interests Require SSL with telnet server from outside the LAN
Create and Use an SSL on Goals Provide secure and encrypted 5250 data stream conversations with the server (including authentication) use a digital certificate we create with Digital Manager Show a client
More informationAlfresco Enterprise on Azure: Reference Architecture. September 2014
Alfresco Enterprise on Azure: Reference Architecture Page 1 of 14 Abstract Microsoft Azure provides a set of services for deploying critical enterprise workloads on its highly reliable cloud platform.
More information