DOCSLIB.ORG

Demystifying Tokens for Securing Enterprise Apis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Demystifying Tokens for Securing Enterprise Apis DEVELOPING AND CONNECTING ISSA Demystifying Tokens for CYBERSECURITY LEADERS GLOBALLY Securing Enterprise APIs Demystifying Tokens for Securing Enterprise APIs By Sandeep Jayashankar – ISSA member Delaware Chapter and Subin Thayyile Kandy – ISSA member Delaware Chapter This article is mainly designed for a software architect to help understand the problems tokens tend to solve, with illustrations of different types of tokens in use. The authors also explain the token implementation methods for an enterprise API mechanism and provide security best practices to be taken care of when implementing the same. Abstract able products, both as a software and a service, to handle the authentication security controls. The security community has Tokens have been the de-facto means that support scalable striven to set many authentication policy definitions, such as and performance-focused security solutions in the current password policies, user lockout policies, captcha frameworks, technological environments. There are currently many op- and provided many scan engines to check the implemented tions and operation modes for anybody thinking of imple- authentication policies. Enterprise organizations have priori- menting a token-based security measure with support of tized their strategic plans concerning security by utilizing the cryptographic mechanisms. With the web-attack landscapes best products to support the applications’ authentication and changing to APIs, and with APIs managed as a decoupled password handling requirements. data handling entity, APIs need to have stringent authori- zation decision engines that ensure an authorized entity re- Implementing single sign-on with compulsory multi-factor quests each data retrieval. This article is mainly designed for authentication sequences has become a de facto for appli- a software architect to help understand the problems tokens cations and web components in an enterprise environment. tend to solve, with illustrations of different types of tokens Also, organizations have taken the acceptable password pol- in use. The article also explains the token implementation icies seriously, and have taken steps to ensure their users are methods for an enterprise API mechanism and provides se- using only adequately complex passwords for their accounts. curity best practices to be taken care of when implementing The password rotation policies in enterprise organizations the same. are now aptly defined, and employees lose their access if the passwords are not changed before they expire. Furthermore, uthentication (AuthN) and authorization (AuthZ) organizations have taken additional precautions to store sen- have always been the essential security controls in a sitive information such as passwords, tokens, and private programmable system or entity. The program needs keys in centralized key storage locations, and procure them Ato identify who is using it and what features of the program are only during runtime. From an authentication perspective, unrestricted to the user. There are many commercially avail- there have been significant advancements in recent years, 14 – ISSA Journal | July 2020 Demystifying Tokens for Securing Enterprise APIs | Sandeep Jayashankar and Subin Thayyile Kandy and enterprise organizations are taking additional measures and an administrator, the API entity cannot limit what to close security gaps. So, does the buck stops here? data should be available in the response, and thus blindly sends all information back to the application. Eventually, Traditional authorization sequences the application decides whether to show this data to the One of the common security gaps prevalent in current enter- end user or not (depending on the user’s role authenticated prise environments is not to effectively build authorization to the application front-end). definitions in API endpoints. Many API endpoints still use • Not effectively utilizing the existing single sign-on: Single server-based authentication and authorization using basic sign-on (SSO) deployments at enterprise organizations authentication or master tokens for accessing APIs and other support many approaches for APIs to authorize the user external resources. In this architecture scheme, the applica- and retrieve the data. Using service account credentials or tion or an API client uses a single username/password pair master tokens means the APIs would lose the authenticat- or a long-lived token to access the APIs. This design results in ed users’ session context, eventually missing the point of users having full control of the API endpoints, once authenti- utilizing SSO mechanisms for internal applications. Since cated, eventually making it impossible to define and establish most of the enterprise application’s authenticated users authorization rules. Figure 1 considers how API endpoints are under the SSO context, the authenticated users’ ses- authenticate using server-based authorization via master to- sion context should be forward to the underlying APIs for kens or basic authentication [4]. them to authorize the user, and return appropriate data. • Growing dependency on passwords or master tokens: The dependency on passwords or keys would limit developers from not being able to provide features that require some level of automation. This limitation eventually results in an administrative overhead of securing and recycling passwords. To overcome this limitation, developers store the passwords or master tokens and erroneously publish in GitHub. Furthermore, if attackers steal these passwords Figure 1 – Authentication to API servers using Basic Auth or master tokens or master tokens, they would be able to retrieve all the data Following are some of the security loopholes that may result provided by the API. from applications/API endpoints utilizing server-based au- Growing dependency on front-end applications: If APIs do thentication: • not handle authorization mechanisms on their own, they • Inadequate checks in the API or data layer: Data entities eventually depend on the front-end web or mobile appli- such as the API may never be able to deduce who is re- cations to dictate the authorization sequences. To fix the questing the data and which part of the application is uti- created design and security gaps, architects would eventu- lizing it. If the application has more than one role, like user ally make the APIs entirely dependent upon external ap- Members Join ISSA to: l Earn CPEs through Conferences and Education l Network with Industry Leaders l Advance their Careers www.issa.org l Attend Chapter Events to Meet Local Colleagues l Become part of Special Interest Groups (SIGs) that focus on particular topics Join Today: www.issa.org/join Regular Membership $95* CISO Executive Membership $995 (+Chapter Dues: $0-$35*) (Includes Quarterly Forums) *US Dollars/Year July 2020 | ISSA Journal – 15 Demystifying Tokens for Securing Enterprise APIs | Sandeep Jayashankar and Subin Thayyile Kandy plications for all security-related activities, thus changing dependent applications. Also, the conventional methods of the established trust boundaries. If any strategic changes session management, utilizing cookies, have been replaced to the APIs are outlined, for example, to support or service with tokenization systems that ensure granular access con- a mobile application, the APIs should be positioned to be trols and independent implementations. Internet facing. Eventually, the trust boundaries break, and they now have a very minimalistic authentication and Tokens and security controls no authorization mechanism. While designing the security controls in our applications, we need the right tokenization system for the right token con- • Scalability limitations: Due to the dependency of sessions, the application’s scalability factor will always be at stake. tent. Below is a list of common tokenization mechanisms With seasonal or incremental traffic influx, applications that relate to what security controls or the security problem should have a way to increase the number of machines it it solves: uses or its computational power. If an application is de- • Session cookie: Technically a type of a token, session cook- pendent on user sessions, the mechanisms to add new de- ies are used to ensure that an application maintains the vices to support traffic cannot be implemented or will be user session after the user authenticates. Since HTTP is a cumbersome. stateless protocol, the application requires the contents of the cookies to validate every request from the user. Ses- • Lacking defenses against phishing attacks: If an application uses external authentication/authorization sequences, sion identifiers are stored as cookies, and the application’s and if generated master tokens are used, the applications session management sequence verifies whether the user would never consent from their users to use the feature session is valid or not every time the browser submits a or perform actions on users’ behalf. This design gap can request. The cookies are used extensively in server-based be utilized by attackers to formulate a successful phishing authentication and are generally extended further for oth- campaign, and eventually implement complicated cross- er API endpoints. site request forgery attacks. • Authentication tokens: Authentication tokens usually are So, the solution is to ensure that we are utilizing short-lived used instead of the username/password combinations. The dynamic tokens on all our APIs. Dynamic tokens (user to- first time
Load more

Recommended publications
  • Login with Amazon Developer Guide for Websites
    Login with Amazon Developer Guide for Websites Login with Amazon: Developer Guide for Websites Copyright © 2017 Amazon Services, LLC or its affiliates. All rights reserved. Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates. All other trademarks not owned by Amazon are the property of their respective owners Contents Welcome .................................................................................................................................................. 2 How Do I...? .............................................................................................................................................. 2 Understanding Login with Amazon ........................................................................................................... 3 Login with Amazon Conceptual Overview ................................................................................................. 4 Single Sign-On (SSO) for Web ................................................................................................................. 6 Single Sign-On (SSO) for Mobile ............................................................................................................. 7 Access Token ............................................................................................................................................ 7 Authorization Code ................................................................................................................................... 7 Refresh Token ..........................................................................................................................................
    [Show full text]
  • Release 0.0.2 Hypothes.Is Project and Contributors
    The h Documentation Release 0.0.2 Hypothes.is Project and contributors Sep 27, 2021 Contents 1 Contents 3 Index 25 i ii The h Documentation, Release 0.0.2 h is the web app that serves most of the https://hypothes.is/ website, including the web annotations API at https: //hypothes.is/api/. The Hypothesis client is a browser-based annotator that is a client for h’s API, see the client’s own documentation site for docs about the client. This documentation is for: • Developers working with data stored in h • Contributors to h Contents 1 The h Documentation, Release 0.0.2 2 Contents CHAPTER 1 Contents 1.1 The Hypothesis community Please be courteous and respectful in your communication on Slack (request an invite or log in once you’ve created an account), IRC (#hypothes.is on freenode.net), the mailing list (subscribe, archive), and GitHub. Humor is appreciated, but remember that some nuance may be lost in the medium and plan accordingly. If you plan to be an active contributor please join our mailing list to coordinate development effort. This coordination helps us avoid duplicating efforts and raises the level of collaboration. For small fixes, feel free to open a pull request without any prior discussion. 1.2 Advice for publishers If you publish content on the web and want to allow people to annotate your content, the following documents will help you get started. 1.2.1 Generating authorization grant tokens Warning: This document describes an integration mechanism that is undergoing early-stage testing.
    [Show full text]
  • Vmware Workspace ONE Access 20.01 Managing User Authentication Methods in Vmware Workspace ONE Access
    Managing User Authentication Methods in VMware Workspace ONE Access JAN 2020 VMware Workspace ONE Access 20.01 Managing User Authentication Methods in VMware Workspace ONE Access You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents 1 Configuring Authentication in VMware Workspace ONE Access 5 2 User Auth Service Authentication Methods in Workspace ONE Access 8 Configuring Password (Cloud) Authentication in Workspace ONE Access 9 Configure Password (Cloud) Authentication with Your Enterprise Directory 10 Configuring RSA SecurID (Cloud) For Workspace ONE Access 13 Prepare the RSA SecurID Server 13 Configure RSA SecurID Authentication in Workspace ONE Access 14 Configuring RADIUS for Workspace ONE Access 16 Prepare the RADIUS Server 16 Configure RADIUS Authentication in Workspace ONE Access 16 Enable User Auth Service Debug Logs In Workspace ONE Access Connector 19 3 Configuring Kerberos Authentication In Workspace ONE Access 21 Configure and Enable Kerberos Authentication in Workspace ONE Access 21 Configuring your Browser for Kerberos 23 Configure Internet Explorer to Access the Web Interface 23 Configure Firefox to Access the Web Interface 24 Configure the Chrome Browser to Access the Web Interface 25 Kerberos Initialization Error in Workspace ONE Access 26 4 Associate Workspace ONE Access Authentication Methods
    [Show full text]
  • Hacking JSON Web Token (JWT) - 101-Writeups
    Hacking JSON Web Token (JWT) - 101-writeups ... https://medium.com/101-writeups/hacking-json... Hacking JSON Web Token (JWT) Rudra Pratap Follow May 3, 2018 · 5 min read Hey, Well this is my first writeup and there might be ton of mistakes as i go along writing it out so please give me feedback so that i can work over it. So lets start! JWT ... 0x01 JWT work�low Starting with JWT, it is a very lightweight specification 1 of 13 8/21/19, 10:35 AM Hacking JSON Web Token (JWT) - 101-writeups ... https://medium.com/101-writeups/hacking-json... This specification allows us to use JWT to pass secure and reliable information between users and servers. JWT is often used for front-end and back-end separation and can be used with the Restful API and is often used to build identity authentication mechanisms. Take an example of vimeo.com , which is one of the biggest video hosting companies as per my knowledge. ... Figure 1 2 of 13 8/21/19, 10:35 AM Hacking JSON Web Token (JWT) - 101-writeups ... https://medium.com/101-writeups/hacking-json... Figure 2 When a user enters his/her credentials, a post request is sent (check Figure 1) after which the credentials are validated. If they are a correct combo then the user is presented with response having a JWT token as seen in Figure 2. ... Example JWT : eyJraWQiOiJrZXlzLzNjM2MyZWExYzNmMTEzZjY0OWRjOTM4OW RkNzFiODUxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOi JkdWJoZTEyMyJ9.XicP4pq_WIF2bAVtPmAlWIvAUad_eeBhDOQe2 MXwHrE8a7930LlfQq1lFqBs0wLMhht6Z9BQXBRos9jvQ7eumEUF WFYKRZfu9POTOEE79wxNwTxGdHc5VidvrwiytkRMtGKIyhbv68du FPI68Qnzh0z0M7t5LkEDvNivfOrxdxwb7IQsAuenKzF67Z6UArbZE8 odNZAA9IYaWHeh1b4OUG0OPM3saXYSG- Q1R5X_5nlWogHHYwy2kD9v4nk1BaQ5kHJIl8B3Nc77gVIIVvzI9N_ klPcX5xsuw9SsUfr9d99kaKyMUSXxeiZVM-7os_dw3ttz2f- TJSNI0DYprHHLFw Now whenever a user accesses something, the request which are made are slightly different having a new header authorization: jwt 3 of 13 8/21/19, 10:35 AM Hacking JSON Web Token (JWT) - 101-writeups ..
    [Show full text]
  • Adminstudio Inventory and Rationalization 2015 SP1 Installation Guide Legal Information
    AdminStudio Inventory and Rationalization 2015 SP1 Installation Guide Legal Information Book Name: AdminStudio Inventory and Rationalization 2015 SP1 Installation Guide Part Number: ASRM-2015SP1-IG00 Product Release Date: 26 January 2016 Copyright Notice Copyright © 2016 Flexera Software LLC. All Rights Reserved. This publication contains proprietary and confidential information and creative works owned by Flexera Software LLC and its licensors, if any. Any use, copying, publication, distribution, display, modification, or transmission of such publication in whole or in part in any form or by any means without the prior express written permission of Flexera Software LLC is strictly prohibited. Except where expressly provided by Flexera Software LLC in writing, possession of this publication shall not be construed to confer any license or rights under any Flexera Software LLC intellectual property rights, whether by estoppel, implication, or otherwise. All copies of the technology and related information, if allowed by Flexera Software LLC, must display this notice of copyright and ownership in full. Intellectual Property For a list of trademarks and patents that are owned by Flexera Software, see http://www.flexerasoftware.com/intellectual-property. All other brand and product names mentioned in Flexera Software products, product documentation, and marketing materials are the trademarks and registered trademarks of their respective owners. Restricted Rights Legend The Software is commercial computer software. If the user or licensee of the Software is an agency, department, or other entity of the United States Government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Software, or any related documentation of any kind, including technical data and manuals, is restricted by a license agreement or by the terms of this Agreement in accordance with Federal Acquisition Regulation 12.212 for civilian purposes and Defense Federal Acquisition Regulation Supplement 227.7202 for military purposes.
    [Show full text]
  • Openair XML API Reference Guide
    XML API Reference Guide April 10, 2021 Copyright © 2013, 2021, Oracle and/or its affiliates. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error- free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract.
    [Show full text]
  • The Windows Operating System, Such As the Logon Process and the Session Manager
    TTHEHE WWINDOWSINDOWS OOPERATINGPERATING SSYSTEMYSTEM William Stallings This document is an extract from Operating Systems: Internals and Design Principles, Fifth Edition Prentice Hall, 2005, ISBN 0-13-147954-7 Copyright 2005 William Stallings TTABLEABLE OFOF CCONTENTSONTENTS 2.5 MICROSOFT WINDOWS OVERVIEW...........................................................................3 History............................................................................................................................3 Single-User Multitasking...............................................................................................5 Architecture....................................................................................................................7 Operating System Organization.........................................................................7 User-Mode Processes.......................................................................................10 Client/Server Model.....................................................................................................11 Threads and SMP.........................................................................................................13 Windows Objects.........................................................................................................13 4.4 WINDOWS THREAD AND SMP MANAGEMENT.....................................................17 Process and Thread Objects.........................................................................................18
    [Show full text]
  • Measuring and Mitigating Oauth Access Token Abuse by Collusion Networks
    Measuring and Mitigating OAuth Access Token Abuse by Collusion Networks Shehroze Farooqi Fareed Zafar The University of Iowa Lahore University of Management Sciences Nektarios Leontiadis Zubair Shafq Facebook The University of Iowa ABSTRACT 1 INTRODUCTION We uncover a thriving ecosystem of large-scale reputation manipu- Online social networks have become the primary way people con- lation services on Facebook that leverage the principle of collusion. nect and communicate with each other, consume information, and Collusion networks collect OAuth access tokens from colluding mem- form opinions. Reputation is a fundamental tenet of online social bers and abuse them to provide fake likes or comments to their networks. People trust the information that is posted by a reputable members. We carry out a comprehensive measurement study to social media account or is endorsed (e.g., liked) by a large number understand how these collusion networks exploit popular third- of accounts. Unfortunately, reputation fraud is prevalent in online party Facebook applications with weak security settings to retrieve social networks. A number of black-hat reputation manipulation OAuth access tokens. We infltrate popular collusion networks services target popular online social networks such as Facebook using honeypots and identify more than one million colluding Face- and Twitter [29, 53, 63]. These services rely on a large number of on- book accounts by “milking” these collusion networks. We disclose line social network accounts to conduct reputation manipulation at our fndings to Facebook and collaborate with them to implement a scale. To accomplish this goal, fraudsters purchase fake accounts in series of countermeasures that mitigate OAuth access token abuse bulk from underground marketplaces [55, 57], use infected accounts without sacrifcing application platform usability for third-party compromised by malware [51], or recruit users to join collusion developers.
    [Show full text]
  • Precompiler Session 01 - Tuesday 8:00 Machine Learning: Taking Your ML Models to Android and Ios Wes Eklund
    PreCompiler Session 01 - Tuesday 8:00 Machine Learning: Taking your ML Models to Android and iOS Wes Eklund Once you've developed a kickass Machine Learning model, you need a way to get that model to your computing devices (phones) to start doing your predictions! Most Machine Learning projects in production will 'train' the model on cloud servers, then 'deploy' the model to an API server or mobile device. This session will introduce the attendee on using TensorFlow Serving and Apple CoreML to deploy Machine Learning models to a mobile app. Prerequisites: Download Here Build a Natural Language Slack Bot for your Dev Team Michael Perry Many project teams use Slack as a means of communication with one another. Why not also use it to communicate with your infrastructure? Invite a helper into your conversation that can perform routine tasks tirelessly, conversationally, and interactively. In this 4 hour workshop, you will build a Slack bot that understands natural language and integrates with your DevOps pipeline. You will use the Slack Events API to receive messages, and the Slack Web API to send them. You will use LUIS to interpret language and extract intent. You will execute actions against the Visual Studio Team Services Web API in response to user requests, and subscribe to Webhooks to notify your team of important events. In the end, you will have a new member of your team who can help you with your build and release pipeline. Workshop outline: Slack API Authorization - OAuth and API key verification Events API - respond to posts Web
    [Show full text]
  • On the Security of Single Sign-On
    On the Security of Single Sign-On Vladislav Mladenov (Place of birth: Pleven/Bulgaria) [email protected] 30th June 2017 Ruhr-University Bochum Horst G¨ortz Institute for IT-Security Chair for Network and Data Security Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨atf¨urElektrotechnik und Informationstechnik an der Ruhr-Universit¨atBochum First Supervisor: Prof. Dr. rer. nat. J¨org Schwenk Second Supervisor: Prof. Dr.-Ing. Felix Freiling www.nds.rub.de Abstract Single Sign-On (SSO) is a concept of delegated authentication, where an End- User authenticates only once at a central entity called Identity Provider (IdP) and afterwards logs in at multiple Service Providers (SPs) without reauthenti- cation. For this purpose, the IdP issues an authentication token, which is sent to the SP and must be verified. There exist different SSO protocols, which are implemented as open source libraries or integrated in commercial products. Google, Facebook, Microsoft and PayPal belong to the most popular SSO IdPs. This thesis provides a comprehensive security evaluation of the most popular and widely deployed SSO protocols: OpenID Connect, OpenID, and SAML. A starting point for this research is the development of a new concept called malicious IdP, where a maliciously acting IdP is used to attack SSO. Generic attack classes are developed and categorized according to the requirements, goals, and impact. These attack classes are adapted to different SSO proto- cols, which lead to the discovery of security critical vulnerabilities in Software- as-a-Service Cloud Providers, eCommerce products, web-based news portals, Content-Management systems, and open source implementations.
    [Show full text]
  • Roadmap for Section 4.3
    Unit OS4: Scheduling and Dispatch 4.3. Windows Process and Thread Internals Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 4.3. Windows Process and Thread Internals Thread Block, Process Block Flow of Process Creation Thread Creation and Deletion Process Crashes Windows Error Reporting 2 1 Windows Process and Thread Internals Data Structures for each process/thread: Process environment Executive process block block (EPROCESS) Thread Executive thread block environment block (ETHREAD) Process address space Win32 process block System address space Process block Process environment block (EPROCESS) Win32 process block Thread environment block Handle table Thread block (ETHREAD) ... 3 Process Container for an address space and threads Associated User-mode Process Environment Block (PEB) Primary Access Token Quota, Debug port, Handle Table etc Unique process ID Queued to the Job, global process list and Session list MM structures like the WorkingSet, VAD tree, AWE etc 4 2 Thread Fundamental schedulable entity in the system Represented by ETHREAD that includes a KTHREAD Queued to the process (both E and K thread) IRP list Impersonation Access Token Unique thread ID Associated User-mode Thread Environment Block (TEB) User-mode stack Kernel-mode stack Processor Control Block (in KTHREAD) for CPU state when not running 5 Processes & Threads Internal Data Structures Access Token VAD VAD VAD Process Object Virtual Address Space Descriptors See kernel debugger Handle Table commands: object dt (see next slide) !process object !thread !token !handle !object Thread Thread Thread . Access Token 6 3 Process Block Layout Kernel Process Block (or PCB) Process ID Parent Process ID Dispatcher Header Exit Status Process Page Directory Create and Exit Time Kernel Time EPROCESS User Time Next Process Block Inwwap/Outswap List Entry Quota Block KTHREAD .
    [Show full text]
  • Cisco Firepower Threat Defense REST API Guide Americas Headquarters Cisco Systems, Inc
    Cisco Firepower Threat Defense REST API Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]