Sophos Connect help


Contents

About Sophos Connect
  How to install Sophos Connect
  How to uninstall Sophos Connect
  Connections
  Events
  Troubleshoot event errors
  General troubleshooting
About Sophos Connect Admin
  Editing configuration files
Legal Notices

(2021/03/05)

1 About Sophos Connect

Sophos Connect is a VPN client that you can install on Windows and macOS. It allows you to connect from a remote location to networks behind XG Firewall, such as your organization's network. Your firewall administrator configures the connection details on XG Firewall and gives you the installation package and the connection configuration files. This guide explains how to use Sophos Connect.

1.1 How to install Sophos Connect

Follow these instructions to install Sophos Connect on Windows or macOS.

Install Sophos Connect on Windows

To install Sophos Connect on Windows, do as follows:
1. Open the installer.
2. Accept the license agreement and click Install.
3. Once the installation is complete, click Finish.
You can now run Sophos Connect.

Install Sophos Connect on macOS

To install Sophos Connect on macOS, do as follows:
1. Open the installer.
2. Choose the installation destination. Make sure you have enough free space in the destination you've chosen, such as the system drive.
3. Click Install.
4. Once the installation is complete, click Finish.
You can now run Sophos Connect.

Copyright © Sophos Limited

1.2 How to uninstall Sophos Connect

This topic shows you how to uninstall Sophos Connect on Windows or macOS.

Uninstall Sophos Connect from Windows

To uninstall Sophos Connect from Windows, do as follows:
1. Go to Control Panel and, under Programs, click Uninstall a program.
2. Right-click Sophos Connect and select Uninstall.

Uninstall Sophos Connect from macOS

To uninstall Sophos Connect from macOS, do as follows:
1. Open the terminal.
2. Elevate to root and run the uninstall script from the location Sophos Connect is installed in. The installation path contains a space, so quote it. Example:

sudo "/Library/Sophos Connect/uninstall.sh"

You'll get the following message if the uninstallation was successful:

Sophos Connect has been uninstalled

1.3 Connections

You can import connections, establish connections, and view and edit connections. Sophos Connect supports SSL VPN and IPsec VPN.

1.3.1 Import connections

The Sophos Connect client can connect to XG Firewall using SSL or IPsec VPN connections. You can import connections into the Sophos Connect client.

In version 2.0 of the Sophos Connect client, you can import both SSL and IPsec VPN connections. If you're using an earlier version of the Sophos Connect client, you can only import IPsec connections.

You can do as follows:
• Import an IPsec connection using a file given to you by your firewall administrator.
• Import an SSL connection using a file given to you by your firewall administrator.
• Import an SSL connection by downloading a file from the user portal.

Import an IPsec connection

To import an IPsec connection, you must have a connection file with the extension .tgb. To get the file, contact your firewall administrator.

To import a connection, do as follows:
1. Click Import connection on the Connections page. If there are existing connections, click the menu button and choose Import connection from the drop-down menu. The image below shows the Connections page:
2. Browse for the .tgb file and double-click it. The imported connection shows under Connections. The image below shows an imported connection:

You can now establish the connection. You can import multiple connections.

Import an SSL connection

To import an SSL connection, you must have a connection file with the extension .pro. To get the file, contact your firewall administrator.

To import a connection, browse for the .pro file and double-click it. The connection is imported automatically, and Sophos Connect opens. The imported connection shows under Connections.

You can now establish the connection. You can import multiple connections.

Import an SSL connection from the user portal

To import a connection, do as follows:
1. Sign in to the user portal.
2. Go to SSL VPN and click Download configuration for other OSs.
3. Open the Sophos Connect client.
4. Click Import connection on the Connections page. If there are existing connections, click the menu button and choose Import connection from the drop-down menu.
5. Browse for the .ovpn file and open it. The imported connection shows under Connections.

You can now establish the connection. You can import multiple connections.

1.3.2 Connect

Follow these instructions to establish a connection. Make sure there's at least one imported connection available and that your firewall administrator has given you the required credentials.

To establish a connection, do as follows:
1. Select a connection on the Connections page.
2. Double-click the connection. You can also click Connect. The sign-in screen appears. The following image shows the sign-in screen:
3. Enter your username and password and click Sign in. Your firewall administrator may have configured one of the following types of multi-factor authentication:
   • If your firewall administrator has configured One Time Password (OTP), in addition to entering your username and password, you must enter your six-digit OTP passcode. You'll see a third input box (under username and password) where you enter the OTP passcode.
   • If your firewall administrator has configured DUO authentication, you may get one or two DUO prompts during the connection process.
   • If your firewall administrator has configured mixed mode two-factor authentication (2FA), you'll see a third input box (under username and password). You must enter one of the following words: push, phone, sms, or enter a DUO token.
   If you aren't sure which options you can choose, contact your IT administrator or firewall administrator.

Note: If you imported the connection using a provisioning file, you'll get a warning that the server certificate can't be verified. You can click OK to continue. If you don't want to see the message, contact your firewall administrator.

Sophos Connect attempts to establish the connection and authenticate you.

If you're facing connection issues, do as follows:
• To investigate the cause, click the Events tab or click the menu icon and select Open VPN log.
• For help with troubleshooting, see Troubleshoot event errors and General troubleshooting.
• You can also contact your IT administrator or firewall administrator for further assistance.
The image below shows you where to find the Events tab and Open VPN log.

The connection to the remote server is established. The image below shows a successful connection:

If the connection is successful, you'll see this icon on the taskbar:

If the connection is unsuccessful, you'll see this icon on the taskbar:

Note: If you've renamed the connection, the original name, as provided by your firewall administrator, still shows in the connection details. For instructions on how to rename it, see Connection options.

1.3.3 Connection options

You can change the connections in Sophos Connect. To change a connection, click the settings icon on the right of the connection.

1. Auto-connect: Attempts a connection when Sophos Connect starts up. Restriction: You can only use this option if your firewall administrator turned it on.
2. Delete: Deletes the connection. If you want to re-enable that connection, you'll need to import it again.
3. Rename: Gives you the option to rename your connection.
4. Clear credentials: Clears credentials that you've previously stored.
5. Update policy: Allows you to pull the latest policy from XG Firewall on demand. Restriction: You can only use this option if your firewall administrator created the connection using a provisioning file. Tip: If the connection fails after multiple retries, start a policy update and try to connect again.

1.4 Events

On the Events page, you can see any actions in Sophos Connect and the results of those actions. For example, a user imports a connection file, and the connection