DOCSLIB.ORG

Vulnerability Assessment and Secure Coding Practices 1 Secure Coding Practices for Grid and Cloud Middleware and Services Who We

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Vulnerability Assessment and Secure Coding Practices Secure Coding Practices for Who we are Grid and Cloud Middleware and Services Barton P. Miller Elisa Heymann Bart Miller Elisa Heymann Jim Kupsch Eduardo Cesar James A. Kupsch Computer Architecture and Computer Sciences Department Operating Systems Department Vamshi Basupalli Manuel Brugnoli University of Wisconsin Universitat Autònoma de Barcelona Salini Kowsalya Max Frydman [email protected] [email protected] XSEDE13 San Diego July 2013 http://www.cs.wisc.edu/mist/ This research funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL). 2 Past funding has been provided by NATO grant CLG 983049, National Science Foundation grant OCI-0844219, the National Science Foundation under contract with San Diego Supercomputing Center, and National Science Foundation grants1 CNS-0627501 and CNS-0716460. What do we do Our experience Condor, University of Wisconsin Batch queuing workload management system • Assess Middleware: Make cloud/grid 15 vulnerabilities 600 KLOC of C and C++ SRB, SDSC software more secure Storage Resource Broker - data grid 5 vulnerabilities 280 KLOC of C •Train:We teach tutorials for users, MyProxy, NCSA Credential Management System developers, sys admins, and managers 5 vulnerabilities 25 KLOC of C glExec, Nikhef • Research: Make in-depth assessments Identity mapping service more automated and improve quality of 5 vulnerabilities 48 KLOC of C Gratia Condor Probe, FNAL and Open Science Grid automated code analysis Feeds Condor Usage into Gratia Accounting System 3 vulnerabilities 1.7 KLOC of Perl and Bash Condor Quill, University of Wisconsin http://www.cs.wisc.edu/mist/papers/VAshort.pdf DBMS Storage of Condor Operational and Historical Data 6 vulnerabilities 7.9 KLOC of C and C++ 3 4 Our experience Our experience VOMS Core INFN Wireshark, wireshark.org Virtual Organization Management System Network Protocol Analyzer 1 vulnerability 161 KLOC of Bourne Shell, C++ and C 2 vulnerabilities 2400 KLOC of C iRODS, DICE Condor Privilege Separation, Univ. of Wisconsin Data-management System Restricted Identity Switching Module 9 vulnerabilities (and counting) 285 KLOC of C and C++ 2 vulnerabilities 21 KLOC of C and C++ Google Chrome, Google VOMS Admin, INFN Web browser Web management interface to VOMS data 1 vulnerability 2396 KLOC of C and C++ 4 vulnerabilities 35 KLOC of Java and PHP CrossBroker, Universitat Autònoma de Barcelona WMS, INFN Resource Mgr for Parallel & Interactive Applications Workload Management System 4 vulnerabilities 97 KLOC of C++ in progress 728 KLOC of Bourne Shell, C++, C, Python, Java, and Perl ARGUS 1.2, HIP, INFN, NIKHEF, SWITCH gLite Authorization Service CREAM, INFN 0 vulnerabilities 42 KLOC of Java and C Computing Resource Execution And Management 5 vulnerabilities (and counting) 216 KLOC of Bourne Shell, Java, and C++ 5 6 1 Vulnerability Assessment and Secure Coding Practices Who funds us Roadmap • United States – Introduction –DHS – Handling errors –NSF – Pointers and Strings – Numeric Errors • European Commission – Race Conditions – EGI – Exceptions –EMI – Privilege, Sandboxing and Environment • Spanish Government – Injection Attacks – Web Attacks •NATO –Bad things 7 8 Discussion of the Practices Roadmap – Introduction • Description of vulnerability – Handling errors • Signs of presence in the code – Pointers and Strings • Mitigations – Numeric Errors – Race Conditions • Safer alternatives – Exceptions – Privilege, Sandboxing and Environment – Injection Attacks – Web Attacks –Bad things 26 27 Buffer Overflows http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html#Listing 1. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 2. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 3. Buffer Copy without Checking Size of Input ('Classic Buffer Pointers and Strings Overflow') 4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 5. Missing Authentication for Critical Function 6. Missing Authorization 7. Use of Hard-coded Credentials 8. Missing Encryption of Sensitive Data 9. Unrestricted Upload of File with Dangerous Type 10. Reliance on Untrusted Inputs in a Security Decision 29 30 2 Vulnerability Assessment and Secure Coding Practices Why Buffer Overflows Buffer Overflows are Dangerous • Description • An overflow overwrites memory adjacent – Accessing locations of a buffer outside the boundaries to a buffer of the buffer • Common causes • This memory could be –C-style strings – Unused – Array access and pointer arithmetic in languages –Code without bounds checking – Program data that can affect operations – Off by one errors – Internal data used by the runtime system – Fixed large buffer sizes (make it big and hope) – Decoupled buffer pointer and its size • Common result is a crash • If size unknown overflows are impossible to detect • Specially crafted values can be used for an • Require synchronization between the two attack • Ok if size is implicitly known and every use knows it (hard) 31 32 Buffer Overflow of User Data Buffer Overflow Danger Signs: Affecting Flow of Control Missing Buffer Size char id[8]; int validId = 0; /* not valid */ • gets, getpass, getwd, and scanf family %s %[ ] id validId (with or … specifiers without width) \0 \0 \0 \0 – Impossible to use correctly: size comes solely from user input gets(id); /* reads "evillogin"*/ – Source of the first (1987) stack smash attack. id validId – Alternatives: evillogi110 \0 \0 \0 ‘n’ Unsafe Safer /* validId is now 110 decimal */ gets(s) fgets(s, sLen, stdin) if (IsValid(id)) validId = 1; /* not true */ if (validId) /* is true */ getcwd(s) getwd(s, sLen) {DoPrivilegedOp();} /* gets executed */ scanf("%s", s) scanf("%100s", s) 33 34 strcat, strcpy, sprintf, Buffer Overflow Danger Signs: vsprintf Difficult to Use and Truncation – Impossible for function to detect overflow • strncat(dst, src, n) • Destination buffer size not passed – n is the maximum number of chars of src to append – Difficult to use safely w/o pre-checks (trailing null also appended) – can overflow if n >=(dstSize-strlen(dst)) • Checks require destination buffer size • Length of data formatted by printf • strncpy(dst, src, n) • Difficult & error prone –Writes n chars into dst, if strlen(src)<n, it fills the other n-strlen(src) chars with 0’s • Best incorporated in a safe replacement function –If strlen(src)>=n, dst is not null terminated Proper usage: concat s1, s2 into dst If (dstSize < strlen(s1) + strlen(s2) + 1) • Truncation detection not provided {ERROR("buffer overflow");} • Deceptively insecure strcpy(dst, s1); – Feels safer but requires same careful use as strcat strcat(dst, s2); 35 36 3 Vulnerability Assessment and Secure Coding Practices Safer String Handling: C11 and ISO/IEC TR 24731 C-library functions • snprintf(buf, bufSize, fmt, …) and Extensions for the C library: vsnprintf Part 1, Bounds Checking Interface – Returns number of bytes, not including \0 that • Functions to make the C library safer would’ve been written. • Meant to easily replace existing library – Truncation detection possible calls with little or no other changes (result >= bufSize implies truncation) – Use as safer version of strcpy and strcat • Aborts on error or optionally reports error Proper usage: concat s1, s2 into dst • Very few unspecified behaviors r = snprintf(dst, dstSize, "%s%s",s1, s2); • All updated buffers require a size param If (r >= dstSize) {ERROR("truncation");} • http://www.open-std.org/jtc1/sc22/wg14 37 38 ISO/IEC 24731: string and memory functions Attacks on Code Pointers • strcpy_s strncpy_s memcpy_s • Stack Smashing is an example strcat_s strncat_s memmove_s • There are many more pointers to functions or • Like standard counterpart, except all addresses in code include an additional parameter for the – Dispatch tables for libraries length of the destination buffer – Return addresses • Run-time constraint failure if destination – Function pointers in code • If error – C++ vtables – jmp_buf – Null-terminates destination buffer, null fills – atexit buffer for mem functions – Exception handling run-time – Internal heap run-time data structures 39 42 Buffer Overflow of a User Pointer { char id[8]; int (*logFunc)(char*) = MyLogger; id logFunc Ptr to MyLogger Numeric Errors gets(id); /* reads "evilguyxPtr to system “ */ id logFunc evi l guyx Ptr to system /* equivalent to system(userMsg) */ logFunc(userMsg); 43 44 4 Vulnerability Assessment and Secure Coding Practices Integer Vulnerabilities • Description – Many programming languages allow silent loss of integer data without warning due to •Overflow • Truncation • Signed vs. unsigned representations – Code may be secure on one platform, but silently vulnerable on another, due to different underlying integer types. • General causes – Not checking for overflow – Mixing integer types of different ranges – Mixing unsigned and signed integers 45 46 Integer Danger Signs Numeric Parsing Unreported Errors • Mixing signed and unsigned integers • atoi, atol, atof, scanf family (with %u, • Converting to a smaller integer %i, %d, %x and %o specifiers) • Using a built-in type instead of the API’s – Out of range values results in unspecified typedef type behavior • However built-ins can be problematic too: – Non-numeric input returns 0 size_t is unsigned, ptrdiff_t is signed –Use strtol, strtoul, strtoll, strtoull, strtof, strtod, strtold which allow error • Assigning values to a variable of the detection correct type
Recommended publications
  • Configuring DNS

    Configuring DNS

    Configuring DNS The Domain Name System (DNS) is a distributed database in which you can map hostnames to IP addresses through the DNS protocol from a DNS server. Each unique IP address can have an associated hostname. The Cisco IOS software maintains a cache of hostname-to-address mappings for use by the connect, telnet, and ping EXEC commands, and related Telnet support operations. This cache speeds the process of converting names to addresses. Note You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource record type AAAA is used to map a domain name to an IPv6 address. The IP6.ARPA domain is defined to look up a record given an IPv6 address. • Finding Feature Information, page 1 • Prerequisites for Configuring DNS, page 2 • Information About DNS, page 2 • How to Configure DNS, page 4 • Configuration Examples for DNS, page 13 • Additional References, page 14 • Feature Information for DNS, page 15 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • V6.5 Data Sheet

    V6.5 Data Sheet

    Data Sheet Blue Prism Network Connectivity To ensure compatibility with evolving network infrastructures, Blue Prism can be deployed in environments that utilize IPv4 or IPv6 network protocols for all connections as well as those that use a hybrid approach, utilizing a combination of both protocols. This allows all Blue Prism components - Runtimes, Clients, Application Servers - to connect using the preferred or most suitable method. Resource connectivity When establishing connections to Runtime Resources, Blue Prism uses the name specified in the DNS. This is based on the machine name and can either the short name or the Fully Qualified Domain Name (FQDN). If a Resource has both IPv4 and IPv6 addresses in the DNS, the network adapter settings of the connecting device (Application Server, Interactive Client, or Resource) are used to determine which IP address should be used to establish the connection: 1. The connecting device defaults to an IPv6 connection. 2. If an IPv6 connection is not established within 1.5 seconds and if the connecting device has multiple IPv6 addresses listed in the DNS, a connection attempt is made using the next available IPv6 address. 3. If an IPv6 connection is not established, the connecting device automatically attempts to connect using IPv4. 4. If all available IPv4 addresses have been tried without success, the Resource is considered unreachable. Commercial in Confidence Page 1 of 3 ®Blue Prism is a registerd trademark of Blue Prism Limited 6.5 Data Sheet | Blue Prism Network Connectivity Resource connectivity The following diagram illustrates the logic used for connections to Runtime Resources. Commercial in Confidence Page 2 of 3 ®Blue Prism is a registerd trademark of Blue Prism Limited 6.5 Data Sheet | Blue Prism Network Connectivity Application Server connectivity Application Server connectivity Clients and Resources can connect to Application Servers using the host name, IPv4 address, or IPv6 address specified in the connection settings on the Server Configuration Details screen.
  • Changing IP Address and Hostname for Cisco Unified Communications Manager and IM and Presence Service, Release 11.5(1) First Published

    Changing IP Address and Hostname for Cisco Unified Communications Manager and IM and Presence Service, Release 11.5(1) First Published

    Changing IP Address and Hostname for Cisco Unified Communications Manager and IM and Presence Service, Release 11.5(1) First Published: Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  • Dig, a DNS Query Tool for Windows and Replacement for Nslookup 2008-04-15 15:29

    Dig, a DNS Query Tool for Windows and Replacement for Nslookup 2008-04-15 15:29

    dig, a DNS query tool for Windows and replacement for nslookup 2008-04-15 15:29 Disclaimer dig (dig for Windows ) (dig is a powerful tool to investigate [digging into] the DNS system) Source of the binary is from ftp.isc.org Manual Page of dig, in the cryptic Unix style, for reference only. (1) Download: Windows 2000 or Windows XP or Windows Vista ( dig version 9.3.2) Create a folder c:\dig Download this dig-files.zip and save it to c:\dig Use winzip or equivalent to extract the files in dig-files.zip to c:\dig Note: If msvcr70.dll already exists in %systemroot%\system32\ , then you can delete c:\dig\msvcr70.dll Note: Included in dig-files.zip is a command line whois, version 4.7.11: The canonical site of the whois source code is http://ftp.debian.org/debian/pool/main/w/whois/ The whois.exe file inside dig-files.zip is compiled using cygwin c++ compiler. (2) Do a file integrity check (why ? Because some virus checkers destroy dll files) Click Start.. Run ... type CMD (a black screen pops up) cd c:\dig sha1 * You should see some SHA1 hashes (in here, SHA1 hash is used as an integrity check, similar to checksums). Compare your hashes with the following table. SHA1 v1.0 [GPLed] by Stephan T. Lavavej, http://stl.caltech.edu 6CA70A2B 11026203 EABD7D65 4ADEFE3D 6C933EDA cygwin1.dll 57487BAE AA0EB284 8557B7CA 54ED9183 EAFC73FA dig.exe 97DBD755 D67A5829 C138A470 8BE7A4F2 6ED0894C host.exe D22E4B89 56E1831F F0F9D076 20EC19BF 171F0C29 libbind9.dll 81588F0B E7D3C6B3 20EDC314 532D9F2D 0A105594 libdns.dll E0BD7187 BBC01003 ABFE7472 E64B68CD 1BDB6BAB libeay32.dll F445362E 728A9027 96EC6871 A79C6307 054974E4 libisc.dll B3255C0E 4808A703 F95C217A 91FFCD69 40E680C9 libisccfg.dll DFBDE4F9 E25FD49A 0846E97F D813D687 6DC94067 liblwres.dll 61B8F573 DB448AE6 351AE347 5C2E7C48 2D81533C msvcr70.dll BDA14B28 7987E168 F359F0C9 DD96866D 04AB189B resolv.conf 1112343A 319C3EEE E44BF261 AE196C96 289C70E2 sha1.exe 21D20035 2A5B64E2 69FEA407 4D78053F 3C7A2738 whois.exe If your hashes are the same as the above table, then your files pass the integrity check.
  • Configuring Smart Licensing

    Configuring Smart Licensing

    Configuring Smart Licensing • Prerequisites for Configuring Smart Licensing, on page 1 • Introduction to Smart Licensing, on page 1 • Connecting to CSSM, on page 2 • Linking Existing Licenses to CSSM, on page 4 • Configuring a Connection to CSSM and Setting Up the License Level, on page 4 • Registering a Device on CSSM, on page 14 • Monitoring Smart Licensing Configuration, on page 19 • Configuration Examples for Smart Licensing, on page 20 • Additional References, on page 26 • Feature History for Smart Licensing, on page 27 Prerequisites for Configuring Smart Licensing • Release requirements: Smart Licensing is supported from Cisco IOS XE Fuji 16.9.2 to Cisco IOS XE Amsterdam 17.3.1. (Starting with Cisco IOS XE Amsterdam 17.3.2a, Smart Licensing Using Policy is supported.) • CSSM requirements: • Cisco Smart Account • One or more Virtual Account • User role with proper access rights • You should have accepted the Smart Software Licensing Agreement on CSSM to register devices. • Network reachability to https://tools.cisco.com. Introduction to Smart Licensing Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure – you control what users can access. With Smart Licensing you get: Configuring Smart Licensing 1 Configuring Smart Licensing Overview of CSSM • Easy Activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more PAKs (Product Activation Keys). • Unified Management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.
  • 1. Run Nslookup to Obtain the IP Address of a Web Server in Europe

    1. Run Nslookup to Obtain the IP Address of a Web Server in Europe

    1. Run nslookup to obtain the IP address of a Web server in Europe. frigate:Desktop drb$ nslookup home.web.cern.ch Server: 130.215.32.18 Address: 130.215.32.18#53 Non-authoritative answer: home.web.cern.ch canonical name = drupalprod.cern.ch. Name: drupalprod.cern.ch Address: 137.138.76.28 Note that the #53 denotes the DNS service is running on port 53. 2. Run nslookup to determine the authoritative DNS servers for a university in Asia. frigate:Desktop drb$ nslookup -type=NS tsinghua.edu.cn Server: 130.215.32.18 Address: 130.215.32.18#53 Non-authoritative answer: tsinghua.edu.cn nameserver = dns2.tsinghua.edu.cn. tsinghua.edu.cn nameserver = dns.tsinghua.edu.cn. tsinghua.edu.cn nameserver = dns2.edu.cn. tsinghua.edu.cn nameserver = ns2.cuhk.edu.hk. Authoritative answers can be found from: dns2.tsinghua.edu.cn internet address = 166.111.8.31 ns2.cuhk.edu.hk internet address = 137.189.6.21 ns2.cuhk.edu.hk has AAAA address 2405:3000:3:6::15 dns2.edu.cn internet address = 202.112.0.13 dns.tsinghua.edu.cn internet address = 166.111.8.30 Note that there can be multiple authoritative servers. The response we got back was from a cached record. To confirm the authoritative DNS servers, we perform the same DNS query of one of the servers that can provide authoritative answers. frigate:Desktop drb$ nslookup -type=NS tsinghua.edu.cn dns.tsinghua.edu.cn Server: dns.tsinghua.edu.cn Address: 166.111.8.30#53 tsinghua.edu.cn nameserver = dns2.edu.cn.
  • World-Wide Web Proxies

    World-Wide Web Proxies

    World-Wide Web Proxies Ari Luotonen, CERN Kevin Altis, Intel April 1994 Abstract 1.0 Introduction A WWW proxy server, proxy for short, provides access to The primary use of proxies is to allow access to the Web the Web for people on closed subnets who can only access from within a firewall (Fig. 1). A proxy is a special HTTP the Internet through a firewall machine. The hypertext [HTTP] server that typically runs on a firewall machine. server developed at CERN, cern_httpd, is capable of run- The proxy waits for a request from inside the firewall, for- ning as a proxy, providing seamless external access to wards the request to the remote server outside the firewall, HTTP, Gopher, WAIS and FTP. reads the response and then sends it back to the client. cern_httpd has had gateway features for a long time, but In the usual case, the same proxy is used by all the clients only this spring they were extended to support all the within a given subnet. This makes it possible for the proxy methods in the HTTP protocol used by WWW clients. Cli- to do efficient caching of documents that are requested by ents don’t lose any functionality by going through a proxy, a number of clients. except special processing they may have done for non- native Web protocols such as Gopher and FTP. The ability to cache documents also makes proxies attrac- tive to those not inside a firewall. Setting up a proxy server A brand new feature is caching performed by the proxy, is easy, and the most popular Web client programs already resulting in shorter response times after the first document have proxy support built in.
  • Mozilla's Attachment to Open Public Consultation Survey

    Mozilla's Attachment to Open Public Consultation Survey

    European Commission’s Open Public Consultation on eIDAS Attachment to Mozilla’s Survey Response 1 October, 2020 About Mozilla 1 Feedback on QWACs in the eIDAS Regulation 2 Historical Background of QWACs and TLS Certification 4 TLS server certificates are not the correct place to store QWAC identity information. 5 Proposed Technical Alternatives to TLS binding in eIDAS 6 ntQWACs 7 Non-TLS QWAC Delivery Mechanisms 8 Additional Transparency and Security Concerns with the EU TSP List 9 Lack of Transparency 9 Irregular Audits 9 Insufficient Risk Management 9 Recommendations 10 Appendix A: Relevant Language from the eIDAS Regulation 11 Appendix B - Bringing Openness to Identity White Paper 13 About Mozilla Mozilla is the Corporation behind the Firefox web browser and the Pocket “read-it-later” application; products that are used by hundreds of millions of individuals around the world. Mozilla’s parent is a not-for-profit foundation that focuses on fuelling a healthy internet. Finally, Mozilla is a global community of thousands of contributors and developers who work together to keep the internet open and accessible for all. 1 Since its founding in 1998, Mozilla has championed human-rights-compliant innovation as well as choice, control, and privacy for people on the internet. According to Mozilla, the internet is a global public resource that should remain open and accessible to all. As stated in our Manifesto, we believe individuals' security and privacy on the internet are fundamental and must not be treated as optional. We have worked hard to actualise this belief for the billions of users on the web by actively leading and participating in the creation of web standards that drive the internet.
  • Command Reference Guide for Cisco Prime Infrastructure 3.9

    Command Reference Guide for Cisco Prime Infrastructure 3.9

    Command Reference Guide for Cisco Prime Infrastructure 3.9 First Published: 2020-12-17 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  • Tanium™ Appliance Deployment Guide

    Tanium™ Appliance Deployment Guide

    Tanium™ Appliance Deployment Guide Version 1.5.6 June 06, 2020 The information in this document is subject to change without notice. Further, the information provided in this document is provided “as is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages. Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Please visit https://docs.tanium.com for the most current Tanium product documentation. This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium.
  • Introduction to Computer Networking

    Introduction to Computer Networking

    www.PDHcenter.com PDH Course E175 www.PDHonline.org Introduction to Computer Networking Dale Callahan, Ph.D., P.E. MODULE 7: Fun Experiments 7.1 Introduction This chapter will introduce you to some networking experiments that will help you improve your understanding and concepts of networks. (The experiments assume you are using Windows, but Apple, Unix, and Linux systems will have similar commands.) These experiments can be performed on any computer that has Internet connectivity. The commands can be used from the command line using the command prompt window. The commands that can be used are ping, tracert, netstat, nslookup, ipconfig, route, ARP etc. 7.2 PING PING is a network tool that is used on TCP/IP based networks. It stands for Packet INternet Groper. The idea is to verify if a network host is reachable from the site where the PING command issued. The ping command uses the ICMP to verify if the network connections are intact. When a PING command is issued, a packet of 64 bytes is sent to the destination computer. The packet is composed of 8 bytes of ICMP header and 56 bytes of data. The computer then waits for a reply from the destination computer. The source computer receives a reply if the connection between the two computers is good. Apart from testing the connection, it also gives the round trip time for a packet to return to the source computer and the amount of packet loss [19]. In order to run the PING command, go to Start ! Run and in the box type “cmd”.
  • Ebook: from a Record & DNS to Zones

    Ebook: from a Record & DNS to Zones

    Ebook: THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY From A Record & DNS to Zones dyn.com 603 668 4998 150 Dowdyn.com Street, Mancheste603r, NH 668 031 499801 US A 150@dyn Dow Street, Manchester, NH 03101 USA @dyn Your Master List of Key DNS Terms As more users and more online services (sites, microservices, connected “things,” etc.) join the global internet, the scale, complexity and volatility of that internet are also on the rise. Modern DNS is reemerging as a powerful tool for commercial internet infrastructure that puts control back in the hands of IT leaders. The foundation of the Domain Name System or DNS, a distributed internet database that maps human-readable names to IP addresses, allows people to reach the correct online service (website, application, etc.) when entering URL. For example, the domain name dyn.com translates to the IP address of 199.180.184.220. Table of Contents Because DNS is the first step in the process of reaching online assets, it also provides an ideal “location” in the network to make decisions about 3 A Record — Auth code where to send certain traffic. This is particularly useful as more organizations adopt cloud or use CDNs to optimize content delivery, spawning hybrid environments. DNS, particularly when coupled with intelligence about those 3 Authoritative Nameserver — DDoS destination endpoints and the network path between them, can help get the right user to the right asset, improving performance, reachability of 4 DDNS — Endpoint those assets, and security posture. 5 GSLB — Primary DNS Dyn has been in the managed DNS business for over 10 years (and pioneered Dynamic DNS before that), so the DNS terms in this guide are commonly heard around the proverbial water coolers at Dyn, but we realize 6 PTR Records — Traceroute they can be a bit arcane despite the importance of DNS.