WHITEPAPER: SECURITY CONCEPT FOR SICK REMOTE SERVICE
Lifetime Services, SICK AG in Waldkirch / Germany


EDITOR: Lifetime Services, SICK AG in Waldkirch / Germany

TABLE OF CONTENTS

Introduction
Protocols Used
    HTTPS
    SSH
User Authentication
Connection Topology
    Machine PCs
    Meeting Point Router mpr
    Service Technicians
Potential Attack Scenarios
    Attacks on the Connection Technology
    Attacks on the Application
Risk Assessment
Conclusion

Introduction

The SICK Meeting Point architecture was designed with the goal of ensuring maximum security while keeping operating complexity to a minimum. The architecture is aligned with the recommendations and the catalog of measures provided by the BSI (German Federal Office for Information Security) for securing remote maintenance (M5.33). These include:

- Always initiating remote maintenance access only from the local IT system
- Adequately logging the performance of the remote maintenance
- Adhering to the dual-control principle (no remote maintenance without customer approval)

The following sections describe how these specifications have been incorporated technically into the Meeting Point architecture and provide detailed information for ensuring secure remote maintenance.

Protocols Used

Two communications channels are used in the Meeting Point architecture (MPA):

- HTTPS (port 443)
- SSH (port 22)

HTTPS

HTTPS is generally used for encrypted communication between browsers and Web servers in applications such as online banking, various purchasing portals, and many portals that store personal data. In such applications, the Web server uses an X.509 certificate that assures the user of being connected to the intended server. The name under which the server can be reached on the Internet is stored in the certificate, and this information is signed by a certification authority (CA). A browser ships with a list of trusted CAs, which are expected to sign only if the server name information is correct. Past experience has shown, however, that this cannot always be ensured: gaps in the Web portals used by CAs for managing certificates may allow arbitrary server names to be stored in a certificate, and normally functioning CAs listed in the browsers may write almost any server name into a certificate without conducting thorough checks.

An mpa server therefore uses its own CA, which means that the server is able to issue its own certificates. This makes it possible to provide the Web server with a certificate and also to issue individual users an X.509 certificate, allowing them to identify themselves to the Web server securely. These user certificates are installed in the customer's browser, which presents them every time the mpa server is visited. By additionally securing the certificate store in the browser with a password, two-factor authentication is achieved, since both the certificate and the password are required to log on to the server. User certificates provide a convenient and secure way to authenticate users, especially on computers that are used for machine control and on which several employees frequently work in alternation.

When an HTTPS Web server is opened in a browser and presents a certificate that is not signed by one of the stored trusted CAs, warning messages are generally issued. Once the CA certificate of the mpa system has been added to the list of trusted CAs, the browser accepts the server certificate like any certificate of a preinstalled CA.

In principle, accepting certificates is a matter of trust. Because many certificates are preinstalled in the browser, so that the chain of trust from the CA operator via the browser vendor and the software distribution is not transparent, and because of the potential for manipulation after installation, it is recommended to delete the supplied list of trusted CA certificates. By adding certification authorities to the CA list individually, only those that are actually required for the pages visited by the user are trusted.

Experience gleaned from cases such as DigiTrust has shown that it is possible to compromise officially listed certification authorities and thus to issue any desired certificates, which makes it much easier to launch man-in-the-middle attacks. Adding CAs individually to the list of trusted CAs substantially reduces the risk of successful attacks of this kind.

With current browsers, HTTPS uses the AES encryption algorithm with a 256-bit key length. The mpa server uses the popular Apache Web server as the communication endpoint; the OpenSSL libraries are used for encryption.

SSH

Secure Shell (SSH) is a popular protocol for accessing Unix servers over the network. The OpenSSH implementation used on the server side comes from the development environment of OpenBSD, a Unix derivative devised with security in mind that is used in many hardware firewalls. In addition to OpenSSH, Plink from the PuTTY package is used in the Meeting Point architecture on Windows systems.

Besides authentication with user names and passwords, the SSH protocol also supports public keys, which are exchanged in advance and presented to the server when a connection is established, as well as other methods such as Kerberos. The mpa server uses only public key authentication. User name/password authentication is deactivated so that automated programs on the Internet cannot test passwords and possibly hit a weak one. Before the SSH connection is established, the key pairs are dynamically generated by the system and the public keys are exchanged via HTTPS. The validity of a key pair generated in this way is limited to a maximum of 10 minutes. After authentication, the SSH protocol negotiates a session key, which is used for the further data exchange and is changed periodically. Encryption is implemented via AES with a key length of 128 bits.
User Authentication

User authentication can be performed via client-side X.509 certificates stored in the browser. On successful authentication, a random session cookie is issued to the user, which is subsequently used to identify the user. This cookie is renewed at regular intervals so that, in the event of a man-in-the-middle attack, there is only a limited time window in which to exploit a captured cookie. To defend against brute-force attacks on user name/password combinations, accounts are automatically blocked after five unsuccessful attempts and must be reactivated by an administrator. Unsuccessful attempts are logged by the system independently of the application and can be analyzed by the system administrator.

Connection Topology

mpa uses a star connection topology: all connections are established via the central MPA server. Only this server exposes the above-mentioned HTTPS and SSH services on the Internet; all other components are clients of these services and therefore use only outgoing connections. In particular, there are no direct connections between service technicians and machines. Events involving changes in authorizations, such as the loss of laptops or changes in staff, or detected security gaps, can be handled centrally. With this architecture, it is no longer necessary to perform administrative actions on client devices.
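The private CA and browser-installed user certificates described in the HTTPS and User Authentication sections can be reproduced with OpenSSL and Apache mod_ssl. The following shell script is an added example written for this page, not SICK's code; the CA name, the host name (mpa.example), the user name (tech01), the use of P-256 keys and the work-directory layout are assumptions of the example. It builds the CA, issues one server and one client certificate with their key usage pinned, verifies the client certificate against the private CA alone, and prints the Apache directives that make a client certificate mandatory.

```shell
#!/bin/sh
# Added example, not SICK's code: a private CA as the mpa server uses one,
# issuing a server certificate and a per-user client certificate with
# OpenSSL, plus the Apache mod_ssl directives that make the client
# certificate mandatory. The CA name, host name (mpa.example), user name
# (tech01), P-256 keys and the work-directory layout are this example's
# assumptions. Needs OpenSSL 1.1.1 or newer and an Apache with mod_ssl.
set -e

# Create the CA key and self-signed CA certificate in $1. The extensions are
# written explicitly so the result does not depend on the host's openssl.cnf:
# CA:TRUE and keyCertSign are what lets a verifier (and the browser, once the
# CA is in its trusted list) accept certificates chained to this CA.
mpa_make_ca() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=mpa example CA" -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a certificate signed by the CA in $1: $2 = file base name, $3 = CN,
# $4 = "server" or "client". extendedKeyUsage pins what the certificate is
# good for, so a user certificate cannot be replayed as a server certificate.
mpa_issue_cert() {
    dir=$1; name=$2; cn=$3; kind=$4
    case $kind in
        server) printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$cn" > "$dir/$name.ext" ;;
        client) printf 'extendedKeyUsage=clientAuth\n' > "$dir/$name.ext" ;;
        *) echo "kind must be server or client" >&2; return 1 ;;
    esac
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# Verify certificate $2 against the private CA only, not the system CA list;
# prints "<path>: OK" on success.
mpa_verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
}

# Report the extended key usage of certificate $2, e.g.
# "TLS Web Client Authentication".
mpa_cert_usage() {
    openssl x509 -in "$1/$2.crt" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -o 'TLS Web [A-Za-z]* Authentication'
}

# Apache mod_ssl fragment: serve with the CA-issued certificate and refuse
# the handshake to any browser that does not present a client certificate
# issued directly by the same CA.
mpa_apache_tls_conf() {
    cat <<EOF
SSLEngine on
SSLCertificateFile $1/server.crt
SSLCertificateKeyFile $1/server.key
SSLCACertificateFile $1/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
EOF
}

# Stand-alone demonstration in a temporary directory.
work=$(mktemp -d)
mpa_make_ca "$work"
mpa_issue_cert "$work" server mpa.example server
mpa_issue_cert "$work" user tech01 client
mpa_verify_cert "$work" user
mpa_cert_usage "$work" user
mpa_apache_tls_conf "$work"
```

With SSLVerifyClient require, the TLS handshake itself fails for any browser that has no certificate from this CA, which is the first factor; the password on the browser's certificate store is the second. The CA key is the root of this trust and must never leave the server.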

[Figure: Meeting Point architecture. Customer side: production control station / SPS (controller with SPS and CAN bus control) behind a Gateway-PC or Meeting Point Router (MPR) with forwarded ports, reverse connection via SSH tunnel to the Internet. Meeting Point Server: database-based administration of forwarded ports, adaptable via the web application. Service technician: connection via SSH tunnel. Every link uses only port 22 (SSH) and port 443 (HTTPS). Advantages listed: SSH authentication by dynamic one-pass keys, HTTPS authentication via X.509 certificates, DB-based administration, minimal requirements for router and firewall.]

Machine PCs

The account type "machine account" is provided for control PCs that are used on machines as operator terminals for mpa. This account type provides access to exactly one machine file and allows a remote connection to be established. The SSH connection configuration generated by the mpa server allows only SSH reverse tunnels for machine accounts. Thus, resources on the machine computer can be made reachable, but not in the opposite direction.

Meeting Point Router mpr

The mpr is based on a simple industrial PC equipped with two network interfaces and is used to separate the machine network from the customer network. An integrated packet firewall opens only the required communications channels between the customer network and the machine network, as well as from the machine network to the Internet. Here too, only outgoing connections via HTTPS and SSH are used for remote access via the mpa server. During the rollout of the mpr, a unique identifier is stored on the system for authentication and is transmitted when the MPR is activated. This identifier replaces user names and passwords for the MPR and must therefore be kept secret. If an MPR identifier is stolen from the MPR, it can be used to gain access to the MPR-specific pages of the mpa server. These pages allow a remote connection to be established which, however, can comprise only reverse ports (enforced by a server-side limitation), so that a potential attacker would only be able to expose their own resources, and in particular cannot gain access to resources of other MPR devices that are currently connected.

[Figure: Meeting Point Router: security through separation of the machine network and the customer network.]

In addition to the normal ports forwarded via SSH, the mpr also offers the option of establishing a full VPN connection between the service technician and the machine network when required. For this, a Layer 2 network link is established with OpenVPN through the SSH tunnel of a remote connection, so that the service technician can, for example, use broadcast-based or UDP-based services. The OpenVPN option can be used only over an existing SSH remote connection, so that the authentication and encryption of the VPN connection do not constitute a new point of attack.

Service Technicians

Service technicians have access to all machine files and can connect to all machines currently connected via a remote connection. A connection made by a service technician is always logged in the machine file. The server-side generation of the SSH configuration allows only forward tunnels in this case. Thus, a service technician can reach services on the customer side, but not in the opposite direction. Port forwarding is limited to the ports provided for the machine in two stages. First, these ports are written into the SSH client configuration. In parallel, a list of allowed ports is stored on the mpa server for the relevant SSH key, which the SSH server checks when the connection is established.

Potential Attack Scenarios

The limitation to exactly two connection mechanisms also limits the possibility of attacking them from the outside. Since only the mpa server accepts connections on these ports, the need for regular security updates is largely confined to this server.

Attacks on the Connection Technology

SSH is operated in a maximum-security configuration (access only for the required users, exclusively via public key authentication, no root access, only the SSH2 protocol), which is used in this way worldwide in many variants to provide remote administrative access. Successful attacks on servers configured in this way are unknown. In addition, the key pairs are dynamically generated and time-limited, so that even brute-force attacks on the keys are unlikely to succeed.

The HTTPS server provides end-to-end encryption between browser and Web server, which cannot be compromised by conventional means. Nonetheless, as with any HTTPS communication, the potential exists for compromising the communication between browser and server with a man-in-the-middle attack. However, the manipulations required for this always involve tampering with the basic IT infrastructure, such as the DNS server or the proxy infrastructure. In addition, such an attack requires direct manipulation of either the list of trusted certification authorities in the browser or a trusted certification authority itself. In the interest of IT security within the company, this should in any event be prevented administratively. Some companies, however, exploit this opportunity supposedly in the interest of their own IT security (which is relatively easy, since all the above-mentioned components are under the control of their own IT) in order to inspect HTTPS-encrypted data exchange for malware. Although well-intended, this effectively breaks the concept of end-to-end encryption and thus undermines the trust of users, who assume that HTTPS provides secure communication.

Attacks on the Application

In addition to attacks on the connection technology, there is also the potential for attacks on the Web application itself. The software components and the implementation of the Web application on the mpa server should be well maintained and regularly checked for known security gaps. A service level agreement ensures a rapid and professional response to such an event. The internal security architecture of the Web application strictly separates the individual areas from each other. Areas that grant user-dependent access to user data, such as machine files, documents, and connections, are protected by gatekeepers that first check that the passed parameters are valid in the context of the user when the corresponding path is called.
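The per-key port list checked by the SSH server (the second stage described under Service Technicians) and the tunnel direction per account type (reverse only for machine accounts, forward only for technicians) can be expressed with OpenSSH's authorized_keys options and sshd_config Match blocks. The shell script below is an added example for this page, not SICK's code: the group names (mpa-machine, mpa-technician), the loopback hand-over port, the sample keys and the exact option set are assumptions of the example, and the restrict, permitlisten and expiry-time options need OpenSSH 7.8 or newer. A machine's reverse tunnel (ssh -R) ends on the server's loopback, and a technician's forward tunnel (ssh -L) connects to that same loopback port, which is how the star topology avoids any direct machine-to-technician connection.

```shell
#!/bin/sh
# Added example, not SICK's code: the per-key port list ("stage two" above)
# and the tunnel direction per account type, expressed as OpenSSH
# authorized_keys options and sshd_config Match blocks. Group names
# (mpa-machine, mpa-technician), the loopback hand-over port and the sample
# keys are this example's assumptions; "restrict", "permitlisten" and
# "expiry-time" need OpenSSH 7.8 or newer.

# Accept only a TCP port number 1..65535. The list comes from the web
# application's database; because authorized_keys options are comma
# separated, an unchecked value could smuggle extra options into the entry.
mpa_valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one authorized_keys entry for a dynamically generated key.
#   $1 role:   "machine" may only open reverse tunnels (ssh -R) on the listed
#              ports; "technician" may only forward (ssh -L) to those ports on
#              the server's loopback, where the machine's reverse tunnel ends.
#   $2 ports:  space separated list of allowed ports
#   $3 expiry: YYYYMMDDHHMM in the server's time zone (at most 10 minutes ahead)
#   $4 pubkey: "ssh-ed25519 AAAA... comment"
mpa_authorized_key_line() {
    role=$1; ports=$2; expiry=$3; pubkey=$4
    case $role in
        machine|technician) ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    # "restrict" disables pty, agent/X11 forwarding, user rc and all port
    # forwarding; "port-forwarding" re-enables only that, and the forced
    # command keeps a shell out of reach even if a session is requested.
    opts='restrict,port-forwarding,command="/bin/false",expiry-time="'"$expiry"'"'
    for p in $ports; do
        mpa_valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
        if [ "$role" = machine ]; then
            opts="$opts,permitlisten=\"$p\""
        else
            opts="$opts,permitopen=\"localhost:$p\""
        fi
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# sshd_config fragment: the global hardening the whitepaper lists, plus
# server-side enforcement of the tunnel direction per account group, so the
# direction does not depend on the generated client configuration.
mpa_sshd_config_fragment() {
    cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
X11Forwarding no
AllowGroups mpa-machine mpa-technician

Match Group mpa-machine
    AllowTcpForwarding remote
    PermitOpen none
Match Group mpa-technician
    AllowTcpForwarding local
    PermitListen none
EOF
}

# Stand-alone demonstration with constructed placeholder keys.
expiry=$(date -d '+10 minutes' +%Y%m%d%H%M 2>/dev/null || date +%Y%m%d%H%M)
mpa_authorized_key_line machine 5900 "$expiry" "ssh-ed25519 AAAAplaceholderMachineKey machine-42"
mpa_authorized_key_line technician 5900 "$expiry" "ssh-ed25519 AAAAplaceholderTechKey tech01"
mpa_sshd_config_fragment
```

The authorized_keys line is what the server checks on every forwarding request, independently of the client configuration handed out in stage one; the Match blocks add a second, group-wide guard so that a machine key can never be turned into a forward tunnel even if the generated entry were wrong. Port validation matters because the entry format is comma-separated: a port value taken unchecked from the database is the one place where an extra option could be injected into the key's permissions.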

Risk Assessment

The centralized structure of the Meeting Point architecture concentrates the potential for attacks on one server and the connections to it. Compared to widely deployed remote VPN or dial-in architectures, it is possible to react quickly from a central location to events such as lost laptops and to block user access. In particular, by avoiding direct communication between service technicians and customers, as well as the associated distribution of access data to the service technicians, potential attack scenarios are substantially reduced.

The above-mentioned potential for attacks on the HTTPS connections would make it possible to display manipulated pages to the user or to gain access to entered information. However, it is not possible to deceive the server about one's own identity and thereby gain access to information that is not intended for the user.

The procedure of blocking user accounts after five failed attempts creates the potential for a denial-of-service attack that attempts to block as many accounts as possible. In this case, the administrator must reactivate these accounts and should take additional measures (such as setting up firewall barriers against the source of the attack) if such attempts occur frequently.

Conclusion

The remaining risks are manageable. The potential attack scenarios are concentrated on a few points that can be monitored well thanks to the centralized structure. Comprehensive system logging ensures that attacks are logged and do not go unnoticed during the regular system reviews that take place under the service level agreement.
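The lockout rule from User Authentication and the denial-of-service risk it creates, noted in the Risk Assessment, are both visible in the application-independent failure log that the administrator is expected to review. The shell script below is an added example for this page, not SICK's code, and the log line format, the account names and the addresses are constructed for it. It lists the accounts the five-attempts rule will have locked, and separately the sources that locked several accounts on their own, which is the pattern that calls for a firewall barrier against the source rather than just reactivating accounts.

```shell
#!/bin/sh
# Added example, not SICK's code: triage of the application-independent
# failed-login log that the whitepaper says the administrator can analyze.
# It lists the accounts the five-attempts rule will have locked, and the
# sources that locked several accounts at once, the denial-of-service
# pattern the risk assessment names as the cue for a firewall barrier.
# The log format, account names and addresses are constructed for this
# example; a real deployment would substitute its own log fields.

# Constructed sample log: one source hammers three accounts five times each,
# and a genuine user mistypes twice before logging in.
mpa_sample_log() {
    for user in tech01 tech02 tech03; do
        i=1
        while [ "$i" -le 5 ]; do
            echo "2024-05-03T08:0$i:00Z mpa-auth: login failed user=$user src=203.0.113.7"
            i=$((i + 1))
        done
    done
    echo '2024-05-03T08:10:00Z mpa-auth: login failed user=tech04 src=198.51.100.9'
    echo '2024-05-03T08:10:20Z mpa-auth: login failed user=tech04 src=198.51.100.9'
    echo '2024-05-03T08:10:40Z mpa-auth: login ok user=tech04 src=198.51.100.9'
}

# Accounts with at least $1 failed attempts (default 5): locked, and in need
# of reactivation by the administrator. Reads the log on stdin.
mpa_locked_accounts() {
    awk -v thr="${1:-5}" '
        /mpa-auth: login failed/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^user=/) user = substr($i, 6)
            fails[user]++
        }
        END { for (u in fails) if (fails[u] >= thr) print u }' | sort
}

# Sources that on their own drove at least $2 distinct accounts (default 2)
# past the $1 threshold (default 5): the lockout-as-denial-of-service
# pattern. A source that spreads its attempts over many addresses is not
# caught by this view and needs correlation on the account side instead.
mpa_lockout_sources() {
    awk -v thr="${1:-5}" -v min="${2:-2}" '
        /mpa-auth: login failed/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^user=/) user = substr($i, 6)
                if ($i ~ /^src=/)  src = substr($i, 5)
            }
            fails[src "|" user]++
        }
        END {
            for (k in fails) if (fails[k] >= thr) {
                split(k, part, "|"); locked[part[1]]++
            }
            for (s in locked) if (locked[s] >= min) print s, locked[s]
        }' | sort
}

# Stand-alone demonstration.
echo "locked accounts:"; mpa_sample_log | mpa_locked_accounts
echo "lockout sources:"; mpa_sample_log | mpa_lockout_sources
```

On the constructed log the first report names tech01, tech02 and tech03, while tech04's two mistakes stay below the threshold; the second report names 203.0.113.7 as having locked three accounts, the case in which the whitepaper's advice is a firewall barrier against the source in addition to reactivating the accounts.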

REFERENCES

Package of measures for secure Remote Services of the BSI (German Federal Office for Information Security) (M5.33)

SICK AG, Waldkirch, Germany


More information

SSL... 2 2.1. 3 2.2. 2.2.1. 2.2.2. SSL VPN

SSL... 2 2.1. 3 2.2. 2.2.1. 2.2.2. SSL VPN 1. Introduction... 2 2. Remote Access via SSL... 2 2.1. Configuration of the Astaro Security Gateway... 3 2.2. Configuration of the Remote Client...10 2.2.1. Astaro User Portal: Getting Software and Certificates...10

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

Hang Seng HSBCnet Security. May 2016

Hang Seng HSBCnet Security. May 2016 Hang Seng HSBCnet Security May 2016 1 Security The Bank aims to provide you with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of

More information

Fig. 4.2.1: Packet Filtering

Fig. 4.2.1: Packet Filtering 4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the

More information

The Shift to Wireless Data Communication

The Shift to Wireless Data Communication The Shift to Wireless Data Communication Choosing a Cellular Solution for Connecting Devices to a WWAN Dana Lee, Senior Product Manager dana.lee@moxa.com Recent developments in the wireless and industrial

More information

Securing Windows Remote Desktop with CopSSH

Securing Windows Remote Desktop with CopSSH Securing Windows Remote Desktop with CopSSH Presented by DrNathan@teamhackaday.com If you enjoyed this article, please consider joining our Folding@Home team I like having the ability to remotely access

More information

Using a VPN with CentraLine AX Systems

Using a VPN with CentraLine AX Systems Using a VPN with CentraLine AX Systems User Guide TABLE OF CONTENTS Introduction 2 What Is a VPN? 2 Why Use a VPN? 2 How Can I Set Up a VPN? 2 Important 2 Network Diagrams 2 Network Set-Up with a VPN 2

More information

Firewalls. Steven M. Bellovin https://www.cs.columbia.edu/~smb. Matsuzaki maz Yoshinobu

Firewalls. Steven M. Bellovin https://www.cs.columbia.edu/~smb. Matsuzaki maz Yoshinobu <maz@iij.ad.jp> Firewalls Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki maz Yoshinobu 1 What s a Firewall? A barrier between us and the Internet All traffic, inbound or outbound, must pass

More information

StreamServe Persuasion SP5 Control Center

StreamServe Persuasion SP5 Control Center StreamServe Persuasion SP5 Control Center User Guide Rev C StreamServe Persuasion SP5 Control Center User Guide Rev C OPEN TEXT CORPORATION ALL RIGHTS RESERVED United States and other international patents

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

visionapp Remote Desktop 2010 (vrd 2010)

visionapp Remote Desktop 2010 (vrd 2010) visionapp Remote Desktop 2010 (vrd 2010) Convenient System Management P roduct Information www.vrd2010.com Inhalt 1 Introduction... 1 2 Overview of Administration Tools... 1 2.1 RDP Administration Tools...

More information

Security in the smart grid

Security in the smart grid Security in the smart grid Security in the smart grid It s hard to avoid news reports about the smart grid, and one of the media s favorite topics is security, cyber security in particular. It s understandable

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Example - Barracuda Network Access Client Configuration

Example - Barracuda Network Access Client Configuration Example - Barracuda Network Access Client Configuration Introducing an active Barracuda Network Access Client environment involves several components, such as global objects, trustzone settings, Access

More information

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku Univerzita Komenského v Bratislave Fakulta matematiky, fyziky a informatiky Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku ITMS: 26140230008 dopytovo orientovaný projekt Moderné

More information

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT. April 2009 EXAMINERS' REPORT. Network Information Systems

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT. April 2009 EXAMINERS' REPORT. Network Information Systems THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT April 2009 EXAMINERS' REPORT Network Information Systems General Comments Last year examiners report a good pass rate with

More information

This section will focus on basic operation of the interface including pan/tilt, video, audio, etc.

This section will focus on basic operation of the interface including pan/tilt, video, audio, etc. Catalogue Basic Operation... 2 For Internet Explorer... 2 For Other Non-IE Web Browsers... 5 Camera Settings... 6 System... 6 About... 6 PT Setting... 7 Backup and Restore Setup... 8 NTP Setting... 8 System

More information

Software Defined Perimeter: Securing the Cloud to the Internet of Things

Software Defined Perimeter: Securing the Cloud to the Internet of Things Software Defined Perimeter: Securing the Cloud to the Internet of Things SESSION ID: CDS-T08 Jim Reavis Chief Executive Officer Cloud Security Alliance @cloudsa About Cloud Security Alliance Global, not-for-profit

More information

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Apache HTTP Server

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Apache HTTP Server SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

White Paper: Security Considerations When Deploying Remote Access Solutions

White Paper: Security Considerations When Deploying Remote Access Solutions White Paper: Security Considerations When Deploying Remote Access Solutions August 12, 2008 Table of Contents Introduction 2 Part I - Network Security Challenges for Remote Access 3 Host-Based Authentication

More information

Chapter 4 Virtual Private Networking

Chapter 4 Virtual Private Networking Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between

More information

How-To Guide SAP NetWeaver Document Version: 1.0-2013-12-22. How To Guide - Configure SSL in ABAP System

How-To Guide SAP NetWeaver Document Version: 1.0-2013-12-22. How To Guide - Configure SSL in ABAP System How-To Guide SAP NetWeaver Document Version: 1.0-2013-12-22 Document History Document Version Description 1.0 First official release of this guide Document History 2013 SAP AG or an SAP affiliate company.

More information

Alfresco Enterprise on Azure: Reference Architecture. September 2014

Alfresco Enterprise on Azure: Reference Architecture. September 2014 Alfresco Enterprise on Azure: Reference Architecture Page 1 of 14 Abstract Microsoft Azure provides a set of services for deploying critical enterprise workloads on its highly reliable cloud platform.

More information

WHITE PAPER. GoToMyPC. Citrix GoToMyPC Corporate Security FAQs. Common security questions about Citrix GoToMyPC Corporate. www.gotomypc.

WHITE PAPER. GoToMyPC. Citrix GoToMyPC Corporate Security FAQs. Common security questions about Citrix GoToMyPC Corporate. www.gotomypc. Citrix Corporate Security FAQs Common security questions about Citrix Corporate www.gotomypc.com Q: What are the Corporate software components that I need to install on the host and client computers? A:

More information

DCB Ethernet Tunnel Family Configuration Guide

DCB Ethernet Tunnel Family Configuration Guide DCB Ethernet Tunnel Family Configuration Guide Introduction Thank you for your purchase of the DCB Ethernet Tunnel. This guide will step you through a typical installation as shown in the following diagram.

More information

Securing Remote Vendor Access with Privileged Account Security

Securing Remote Vendor Access with Privileged Account Security Securing Remote Vendor Access with Privileged Account Security Table of Contents Introduction to privileged remote third-party access 3 Do you know who your remote vendors are? 3 The risk: unmanaged credentials

More information

REMOTE ASSISTANCE SOLUTIONS Private Server

REMOTE ASSISTANCE SOLUTIONS Private Server REMOTE ASSISTANCE SOLUTIONS Private Server UBIQUITY components Control Center: client on the remote assistance PC Ubiquity Runtime: software installed on the remote device Ubiquity Server Infrastructure:

More information

SSL VPN Portal Options

SSL VPN Portal Options 1. ProSecure UTM Quick Start Guide This quick start guide describes how to use the SSL VPN Wizard to configure SSL VPN portals on the ProSecure Unified Threat Management (UTM) Appliance. The Secure Sockets

More information

VPN Lesson 2: VPN Implementation. Summary

VPN Lesson 2: VPN Implementation. Summary VPN Lesson 2: VPN Implementation Summary 1 Notations VPN client (ok) Firewall Router VPN firewall VPN router VPN server VPN concentrator 2 Basic Questions 1. VPN implementation options for remote users

More information

F455. Basic gateway. Installation Manual. www.homesystems-legrandgroup.com

F455. Basic gateway. Installation Manual. www.homesystems-legrandgroup.com F455 www.homesystems-legrandgroup.com Contents Description 4 Warnings and recommendations 4 Main functions 4 Legend 4 Connection 5 Wiring diagrams 5 Configuration 6 Procedure with Windows Vista / 7 /

More information

OMU350 Operations Manager 9.x on UNIX/Linux Advanced Administration

OMU350 Operations Manager 9.x on UNIX/Linux Advanced Administration OMU350 Operations Manager 9.x on UNIX/Linux Advanced Administration Instructor-Led Training For versions 9.0, 9.01, & 9.10 OVERVIEW This 5-day instructor-led course focuses on advanced administration topics

More information

How Reflection Software Facilitates PCI DSS Compliance

How Reflection Software Facilitates PCI DSS Compliance Reflection How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance In 2004, the major credit

More information

ReadyNAS Replicate. Software Reference Manual. 350 East Plumeria Drive San Jose, CA 95134 USA. November 2010 202-10727-01 v1.0

ReadyNAS Replicate. Software Reference Manual. 350 East Plumeria Drive San Jose, CA 95134 USA. November 2010 202-10727-01 v1.0 ReadyNAS Replicate Software Reference Manual 350 East Plumeria Drive San Jose, CA 95134 USA November 2010 202-10727-01 v1.0 2010 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced,

More information

Personal Telepresence. Place the VidyoPortal/VidyoRouter on a public Static IP address

Personal Telepresence. Place the VidyoPortal/VidyoRouter on a public Static IP address NAT Introduction: Vidyo Conferencing in Firewall and NAT Deployments Vidyo Technical Note Section 1 The VidyoConferencing platform utilizes reflexive addressing to assist in setup of Vidyo calls. Reflexive

More information

Common Remote Service Platform (crsp) Security Concept

Common Remote Service Platform (crsp) Security Concept Siemens Remote Support Services Common Remote Service Platform (crsp) Security Concept White Paper April 2013 1 Contents Siemens AG, Sector Industry, Industry Automation, Automation Systems This entry

More information

White Paper Secure Reverse Proxy Server and Web Application Firewall

White Paper Secure Reverse Proxy Server and Web Application Firewall White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security

More information

Understanding Secure Shell Host Keys

Understanding Secure Shell Host Keys Understanding Secure Shell Host Keys White Paper 4848 tramway ridge dr. ne suite 101 albuquerque, nm 87111 505-332 -5700 www.vandyke.com Understanding Host Keys Think about the last time you faxed personal

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

Issue 09/2012. Big-LinX The Remote Service Cloud Remote maintenance and remote diagnostics for machines and plants

Issue 09/2012. Big-LinX The Remote Service Cloud Remote maintenance and remote diagnostics for machines and plants Issue 09/2012 Big-Lin The Remote Service Cloud Remote maintenance and remote diagnostics for machines and plants Big-Lin Securely networked worldwide Big-Lin VPN rendezvous server Service technicians VPN

More information

athenahealth Interface Connectivity SSH Implementation Guide

athenahealth Interface Connectivity SSH Implementation Guide athenahealth Interface Connectivity SSH Implementation Guide 1. OVERVIEW... 2 2. INTERFACE LOGICAL SCHEMATIC... 3 3. INTERFACE PHYSICAL SCHEMATIC... 4 4. SECURE SHELL... 5 5. NETWORK CONFIGURATION... 6

More information

TUNNA. A tool designed to bypass firewall restrictions on remote webservers. By: Rodrigo Marcos Nikos Vassakis

TUNNA. A tool designed to bypass firewall restrictions on remote webservers. By: Rodrigo Marcos Nikos Vassakis TUNNA A tool designed to bypass firewall restrictions on remote webservers By: Rodrigo Marcos Nikos Vassakis Web Applications What a User sees Web Applications What a Penetration Tester sees 80/443 Firewall

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client Astaro Security Gateway V8 Remote Access via SSL Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If you are not

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Avaya IP Office Remote Access Guidelines for Implementation and Maintenance Support

Avaya IP Office Remote Access Guidelines for Implementation and Maintenance Support Avaya IP Office Remote Access Guidelines for Implementation and Maintenance Support Introduction The Avaya IP Office family is the latest advancement in converged voice and data technology from Avaya.

More information

Bit Chat: A Peer-to-Peer Instant Messenger

Bit Chat: A Peer-to-Peer Instant Messenger Bit Chat: A Peer-to-Peer Instant Messenger Shreyas Zare shreyas@technitium.com https://technitium.com December 20, 2015 Abstract. Bit Chat is a peer-to-peer instant messaging concept, allowing one-to-one

More information