Self-Adaptable Security Monitoring for Iaas Cloud Environments Anna Giannakou
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Release Notes for Debian 10 (Buster), 32-Bit PC
Release Notes for Debian 10 (buster), 32-bit PC The Debian Documentation Project (https://www.debian.org/doc/) September 28, 2021 Release Notes for Debian 10 (buster), 32-bit PC This document is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, version 2, as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. The license text can also be found at https://www.gnu.org/licenses/gpl-2.0.html and /usr/ share/common-licenses/GPL-2 on Debian systems. ii Contents 1 Introduction 1 1.1 Reporting bugs on this document . 1 1.2 Contributing upgrade reports . 1 1.3 Sources for this document . 2 2 What’s new in Debian 10 3 2.1 Supported architectures . 3 2.2 What’s new in the distribution? . 3 2.2.1 UEFI Secure Boot . 4 2.2.2 AppArmor enabled per default . 4 2.2.3 Optional hardening of APT . 5 2.2.4 Unattended-upgrades for stable point releases . 5 2.2.5 Substantially improved man pages for German speaking users . 5 2.2.6 Network filtering based on nftables framework by default . -
Red Hat Virtualization 4.4 Package Manifest
Red Hat Virtualization 4.4 Package Manifest Package listing for Red Hat Virtualization 4.4 Last Updated: 2021-09-09 Red Hat Virtualization 4.4 Package Manifest Package listing for Red Hat Virtualization 4.4 Red Hat Virtualization Documentation Team Red Hat Customer Content Services [email protected] Legal Notice Copyright © 2021 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js ® is an official trademark of Joyent. -
Migrazione Da Iptables a Nftables
UNIVERSITÀ DEGLI STUDI DI GENOVA MASTER IN CYBER SECURITY AND DATA PROTECTION Migrazione da iptables a nftables Autore: Tutor accademico: dott. Marco DE BENEDETTO prof. Mario MARCHESE Tutor aziendale: dott. Carlo BERUTTI BERGOTTO Project Work finale del Master di secondo livello in Cyber Security and Data Protection III edizione (a.a. 2016/17) 10 marzo 2019 iii Indice 1 Introduzione 1 2 Packet Filtering in Linux 3 2.1 Storia ...................................... 3 2.2 Netfilter .................................... 4 2.3 Nftables successore di iptables? ....................... 6 3 Firewall Linux nella rete Galliera 7 3.1 Cenni storici .................................. 7 3.2 Architettura attuale .............................. 7 3.3 Problemi dell’infrastruttura ......................... 9 3.4 Opportunità di migrazione a nftables ................... 9 4 Nftables 11 4.1 Caratteristiche di nftables .......................... 11 4.2 Packet flow in nftables ............................ 12 4.3 Strumenti di debug e tracing ......................... 15 5 Migrazione del Captive Portal 17 5.1 Captive Portal con iptables .......................... 17 5.2 Captive Portal nella versione nftables ................... 19 5.3 Autorizzazioni temporizzate ........................ 20 5.4 Aggiornamento del timeout ......................... 21 5.5 Limitazione della banda ........................... 22 6 Strumenti di sviluppo e test 25 6.1 Virtualizzazione ................................ 25 6.2 Debug ..................................... 26 7 Considerazioni finali -
Nftables Och Iptables En Jämförelse Av Latens Nftables and Iptables a Comparison in Latency
NFtables and IPtables Jonas Svensson Eidsheim NFtables och IPtables En jämförelse av latens NFtables and IPtables A Comparison in Latency Bachelors Degree Project in Computer Science Network and Systems Administration, G2E, 22.5 hp IT604G Jonas Svensson Eidsheim [email protected] Examiner Jonas Gamalielsson Supervisor Johan Zaxmy Abstract Firewalls are one of the essential tools to secure any network. IPtables has been the de facto firewall in all Linux systems, and the developers behind IPtables are also responsible for its intended replacement, NFtables. Both IPtables and NFtables are firewalls developed to filter packets. Some services are heavily dependent on low latency transport of packets, such as VoIP, cloud gaming, storage area networks and stock trading. This work is aiming to compare the latency between the selected firewalls while under generated network load. The network traffic is generated by iPerf and the latency is measured by using ping. The measurement of the latency is done on ping packets between two dedicated hosts, one on either side of the firewall. The measurement was done on two configurations one with regular forwarding and another with PAT (Port Address Translation). Both configurations are measured while under network load and while not under network load. Each test is repeated ten times to increase the statistical power behind the conclusion. The results gathered in the experiment resulted in NFtables being the firewall with overall lower latency both while under network load and not under network load. Abstrakt Brandväggen är ett av de viktigaste verktygen för att säkra upp nätverk. IPtables har varit den främst använda brandväggen i alla Linux-system och utvecklarna bakom IPtables är också ansvariga för den avsedda ersättaren, NFtables. -
Homework #6 Solution Network Administration
Network Administration/System Administration (NTU CSIE, Spring 2017) Homework #6 Solution Homework #6 Solution Contact TAs: [email protected] Network Administration Wi-Fi Authentication (15%) 1. WPA-Personal, also referred to as WPA-PSK (pre-shared key) mode, is designed for home and small office networks and doesn’t require an authentication server. Each wireless network device encrypts the network traffic by deriving its 128-bit encryption key from a 256 bit shared key. The password for connecting to the Wi-Fi network is shared among all users. WPA-Enterprise, also referred to as WPA-802.1X mode, is designed for enterprise networks and requires a RADIUS authentication server. The RADIUS server is responsible for authenticating the users. Various kinds of the Extensible Authentication Protocol (EAP) are used for authentication. 2. WPA2-Enterprise (It’s fine if your answer is WPA-Enterprise) Wi-Fi Encryption (15%) 1. • WEP: RC4 steam cipher • WPA: RC4 steam cipher • WPA2: AES 2. WPA2 WPA3 (10%) 1. Opportunistic Wireless Encryption (OWE): Many locations, e.g. restaurants, coffee shops, ho- tels, provide open (unencrypted) wireless networks. This makes the traffic vulnerable to sniffing 1 Network Administration/System Administration (NTU CSIE, Spring 2017) Homework #6 Solution attacks. Even if the network is protected by a Pre-Shared Key (PSK), an attacker can still observe the 4-way handshake and compute the traffic encryption key. OWE, on the other hand, provides individualized data encryption. The client and the AP first perform a Diffie-Hellman key exchange and use the resulting pairwise secret, that can’t be derived by sniffing the traffic, with the 4-way handshake. -
Linux® Firewalls: Enhancing Security with Nftables and Beyond
Linux® Firewalls Fourth Edition This page intentionally left blank Linux® Firewalls Enhancing Security with nftables and Beyond Fourth Edition Steve Suehring Upper Saddle River, NJ • Boston • Indianapolis • San Francisco New York • Toronto • Montreal • London • Munich • Paris • Madrid Capetown • Sydney • Tokyo • Singapore • Mexico City Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at [email protected] or (800) 382-3419. For government sales inquiries, please contact [email protected]. For questions about sales outside the U.S., please contact [email protected]. Visit us on the Web: informit.com/aw Library of Congress Cataloging-in-Publication Data Suehring, Steve. Linux firewalls : enhancing security with nftables and beyond.—Fourth edition / Steve Suehring. pages cm Earlier ed. authored by Robert L. Ziegler. Includes bibliographical references and index. ISBN 978-0-13-400002-2 (pbk. -
The Nftables Tutorial
The nftables tutorial Patrick McHardy Pablo Neira Ayuso <[email protected]> <[email protected]> Netdev 0.1 February 2015 Ottawa, Canada Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada What is nftables? ● New packet classification framework to replace {ip,ip6,arp,eb}tables based on lessons learnt. ● nftables was presented in Netfilter Workshop 2008 (Paris, France) and released in March 2009 by Patrick McHardy. ● Merged mainstream in October 2013, available since January 2014 in Linux kernel 3.13. ● It reuses the existing Netfilter building blocks: hooks, conntrack, NAT, logging and userspace queueing. ● We also reuse existing xtables extensions through nft compat. Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada Why nftables? ● Address iptables architectural design problems: – From kernelspace: ● Avoid code duplication – Four families (arp, ip, ip6, bridge) derivated from the original iptables codebase. – Very similar extensions to match protocol fields and metadata. ● Netlink API (including event notifications) ● Better dynamic/incremental updates support ● Linear ruleset evaluation: Generic set infrastructure allowing dictionaries. – From userspace: ● New command line tool (with improved new syntax): nft ● Proper userspace libraries for third party software Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada nftables source & documentation ● Grab the code ● Kernel: – http://www.kernel.org – http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git ● Library: git://git.netfilter.org/libnftnl -
Cilium Documentation Release 1.0.0-Rc9
Cilium Documentation Release 1.0.0-rc9 Cilium Authors Apr 18, 2018 Getting Started 1 Introduction to Cilium 2 1.1 What is Cilium?.............................................2 1.2 Why Cilium?...............................................2 1.3 Functionality Overview.........................................3 2 Getting Started Guides 5 2.1 Getting Started Using Minikube.....................................5 2.2 Getting Started Using Istio........................................ 18 2.3 Getting Started Securing Kafka..................................... 33 2.4 Getting Started Securing gRPC..................................... 42 2.5 Getting Started Using Mesos/Marathon................................. 49 2.6 Getting Started Using Docker Compose................................. 56 3 Concepts 64 3.1 Component Overview.......................................... 64 3.2 Terminology............................................... 67 3.3 Address Management.......................................... 70 3.4 Multi Host Networking.......................................... 71 3.5 Security.................................................. 73 3.6 Datapath................................................. 76 4 Getting Help 77 5 Kubernetes 78 5.1 Quick Start................................................ 78 5.2 Introduction............................................... 79 5.3 Installation Guide............................................ 80 5.4 Network Policy.............................................. 87 5.5 Troubleshooting............................................ -
2013 Kernel Recipes Nftables
nftables, far more than %s/ip/nf/g Éric Leblond Nefilter Coreteam September 24, 2013 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 1 / 48 1 Introduction 2 Netfilter in 2013 3 Iptables limitations 4 Nftables, an Iptables replacement 5 Advantages of the approach 6 An updated user experience 7 Conclusion Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 2 / 48 Éric Leblond Hacker and contractor Independant Open Source and Security consultant Started and developped NuFW, the authenticating firewall Core developer of Suricata IDS/IPS Netfilter Coreteam member Work on kernel-userspace interaction Kernel hacking ulogd2 maintainer Port of Openoffice firewall to Libreoffice Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 4 / 48 History ipchains (1997) Linux 2.2 firewalling stateless Developped by Paul ’Rusty’ Russel iptables (2000) Linux 2.4 firewalling Stateful tracking and full NAT support in-extremis IPv6 support Netfilter project ’Rusty’ Russel developed iptables and funded Netfilter project Netfilter coreteam was created to consolidate the community Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 6 / 48 Features Filtering and logging Filtering on protocol fields on internal state Packet mangling Change TOS Change TTL Set mark Connection tracking Stateful filtering Helper to support protocol like FTP Network Address Translation Destination Network Address Translation Source Network Address Translation Éric -
Red Hat Enterprise Linux 8 Securing Networks
Red Hat Enterprise Linux 8 Securing networks Configuring secured networks and network communication Last Updated: 2021-09-16 Red Hat Enterprise Linux 8 Securing networks Configuring secured networks and network communication Legal Notice Copyright © 2021 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. -
Lab-Firewalls-Color.Pdf
Firewalls October 16, 2020 Administrative – submittal instructions answer the lab assignment’s questions in written report form, as a text, pdf, or Word document file (no obscure formats please) deadline is start of your lab session the following week reports not accepted (zero for lab) if late submit via D2L 1 Administrative – script files reminder re-download the script files' zip to obtain the new vmconfigure scripts for this "sniffing" exercise Firewall types Packet filter – linux, netfilter-based – BSD, PF subsystem – Windows’s built-in (since XP) – router device built-ins – single TCP conversation Proxy server – specialized server program on internal machine – client talks to it instead of desired external server – it conducts conversation with external server for client and plays relay middleman between them subject to policy – 2 separate TCP conversations 2 Linux “Netfilter ” project Netfilter produced iptables, now nftables centerpiece commands: iptables, nft – nft replaces/extends legacy iptables – both coexist in recent linux distributions packet filter, not proxy starting point: packet structure details IP packet structure Protocol Source Address Destination Address Number IP’s Data Payload 3 Payload types - subprotocols Src Dest 17 Src Dest 1 UDP (17) datagram ICMP (1) message Src Dest 6 TCP (6) packet … and others UDP datagram structure Source Port Destination Port UDP’s Data Payload 4 TCP packet structure Source Port Destination Port Sequence # Acknowledgment TCP’s Data Payload ICMP message structure ICMP-type -
A Practical Approach to Protect Iot Devices Against Attacks and Compile Security Incident Datasets
Hindawi Scientific Programming Volume 2019, Article ID 9067512, 11 pages https://doi.org/10.1155/2019/9067512 Research Article A Practical Approach to Protect IoT Devices against Attacks and Compile Security Incident Datasets Bruno Cruz ,1 Silvana Go´mez-Meire ,1 David Ruano-Orda´s ,1,2,3,4 Helge Janicke,3,4 Iryna Yevseyeva ,3,4 and Jose R. Me´ndez 1,2 1Department of Computer Science, University of Vigo, ESEI—Escuela Superior de Ingenier´ıa Informa´tica, Edificio Polite´cnico, Campus Universitario As Lagoas s/n, 32004 Ourense, Spain 2SING Research Group, Galicia Sur Health Research Institute (IIS Galicia Sur), SERGAS-UVIGO, Vigo, Spain 3Cyber Technology Institute, School of Computer Science and Informatics, De Montfort University, Gateway House 5.33, 7e Gateway, LE1 9BH Leicester, UK 4Faculty of Computing, Engineering & Media (CEM), De Montfort University, Leicester, UK Correspondence should be addressed to Jose R. Me´ndez; [email protected] Received 27 April 2019; Revised 26 June 2019; Accepted 7 July 2019; Published 29 July 2019 Guest Editor: Daniele D’Agostino Copyright © 2019 Bruno Cruz et al. +is is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. +e Internet of +ings (IoT) introduced the opportunity of remotely manipulating home appliances (such as heating systems, ovens, blinds, etc.) using computers and mobile devices. +is idea fascinated people and originated a boom of IoTdevices together with an increasing demand that was difficult to support. Many manufacturers quickly created hundreds of devices implementing functionalities but neglected some critical issues pertaining to device security.