DOCSLIB.ORG

ADC Administration Guide, Staros Release 21.14

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ADC Administration Guide, StarOS Release 21.14 First Published: 2019-06-27 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version. Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com go trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R) © 2019 Cisco Systems, Inc. All rights reserved. CONTENTS PREFACE About this Guide vii Conventions Used vii Supported Documents and Resources viii Related Common Documentation viii Related Product Documentation viii Obtaining Documentation ix Contacting Customer Support ix CHAPTER 1 Application Detection and Control Overview 1 ADC Overview 1 Qualified Platforms 2 License Requirements 2 Dynamic Software Upgrade 2 Overview 2 ADC Protocol Group Detection 3 Behavioral Traffic 4 SNI Detection 4 SSL Renegotiation Tracking 4 Analyzer Interworking 5 Traffic Sub-classification 5 ADC Support for TRM/FP 5 ADC Support for FAPA 5 ADC Support over Gx 7 Limitations 9 Dynamic Advertisement Server Correlation 9 Bulk Statistics Support 10 ADC Administration Guide, StarOS Release 21.14 iii Contents How ADC Works 11 Limitations 11 CHAPTER 2 Application Detection and Control Configuration 13 Configuring Dynamic Software Upgrade 13 How to perform Dynamic Software Upgrade 13 Configuring System for ADC 15 Initial Configuration 16 Enabling Enhanced Charging 16 Modifying the Local Context 16 ADC Configuration 17 Creating the Active Charging Service 17 Configuring ADC Rules 18 Configuring P2P Protocol Groups 19 Configuring Behavioral Detection 20 Configuring P2P Advertisement server 21 Configuring SSL Renegotiation 21 Configuring Analyzers 22 Configuring the Charging Action 22 Configuring the Rulebase 23 Setting EDR Formats 24 Configuring IP Protocol and Server port mapping 24 Configuring EDR for P2P Events 25 Gathering ADC Statistics 26 Supported Bulk Statistics 27 P2P Reports 27 CHAPTER 3 App-based Tethering Detection 29 Feature Information 29 Feature Description 30 How It Works 30 Licensing 30 Configuring App-based Tethering Detection 30 Enabling App-based Tethering Detection at Rulebase Level 30 ADC Administration Guide, StarOS Release 21.14 iv Contents Enabling App-based Tethering Detection at Ruledef Level 31 Enabling App-based Tethering Detection at Rule-variable 31 Monitoring and Troubleshooting the App-based Tethering Detection 32 Show Commands and Outputs 32 CHAPTER 4 Peer-to-Peer Protocol and Application Detection Support 35 Supported Protocols and Applications 35 New in this Release 35 All Supported Protocols and Applications 36 Port-based Protocols 104 IP Protocols 132 CHAPTER 5 Reporting SSL Parameters in EDR 139 Feature Summary and Revision History 139 Feature Description 140 How It Works 140 EDR 140 Configuring SSL Parameters in EDR 142 Enabling SSL Parameters 142 Monitoring and Troubleshooting 142 Show Commands and/or Outputs 142 CHAPTER 6 Support for SNI Detection 145 Feature Description 145 QUIC SNI Detection 145 Relationships to Other Features 146 Configuring SNI Detection 147 Configuring SNI in Ruledef 147 Configuring SNI rule variable 148 Enabling HTTPS Analyzer Interworking 149 Verifying the SNI Configuration 149 Monitoring and Troubleshooting the SNI Detection 149 SNI Detection Show Command(s) and/or Outputs 149 show active-charging analyzer statistics name cdp 149 ADC Administration Guide, StarOS Release 21.14 v Contents show active-charging flows type cdp 150 Bulk Statistics 150 ADC Administration Guide, StarOS Release 21.14 vi About this Guide This preface describes the ADC Administration Guide, how it is organized and its document conventions. Application Detection and Control (ADC) is a StarOS™ in-line service application that runs on Cisco® ASR 5500 platform. The ADC in-line service makes use of innovative and highly accurate protocol behavioral detection techniques to reliably detect protocols and applications in the network. ADC is mainly used to detect Peer-to-Peer protocols by analyzing traffic, and can also detect network traffic created by audio and video clients. • Conventions Used, on page vii • Supported Documents and Resources, on page viii • Contacting Customer Support , on page ix Conventions Used The following tables describe the conventions used throughout this documentation. Notice Type Description Information Note Provides information about important features or instructions. Caution Alerts you of potential damage to a program, device, or system. Warning Alerts you of potential personal injury or fatality. May also alert you of potential electrical hazards. Typeface Conventions Description Text represented as a screen display This typeface represents displays that appear on your terminal screen, for example: Login: ADC Administration Guide, StarOS Release 21.14 vii About this Guide Supported Documents and Resources Typeface Conventions Description Text represented as commands This typeface represents commands that you enter, for example: show ip access-list This document always gives the full form of a command in lowercase letters. Commands are not case sensitive. Text represented as a command variable This typeface represents a variable that is part of a command, for example: show card slot_number slot_number is a variable representing the desired chassis slot number. Text represented as menu or sub-menu names This typeface represents menus and sub-menus that you access within a software application, for example: Click the File menu, then click New Supported Documents and Resources Related Common Documentation The following common documents are available: • AAA Interface Administration and Reference • Command Line Interface Reference • GTPP Interface Administration and Reference • Installation Guide (platform dependant) • Release Change Reference • SNMP MIB Reference • Statistics and Counters Reference • System Administration Guide (platform dependant) • Thresholding Configuration Guide Related Product Documentation The most up-to-date information for this product is available in the product Release Notes provided with each product release. The following product documents are also available and work in conjunction with ADC: • ECS Administration Guide • GGSN Administration Guide • PDSN Administration Guide • P-GW Administration Guide ADC Administration Guide, StarOS Release 21.14 viii About this Guide Obtaining Documentation Obtaining Documentation The most current Cisco documentation is available on the following website: http://www.cisco.com/cisco/web/psa/default.html Use the following path selections to access the ADC documentation: Products > Wireless > Mobile Internet > In-Line Services > Cisco Peer-to-Peer Contacting Customer Support Use the information in this section to contact customer support. Refer to the support area of http://www.cisco.com for up-to-date product documentation or to submit a service request. A valid username and password are required to access this site. Please
Recommended publications
  • SSL/TLS Implementation CIO-IT Security-14-69

    SSL/TLS Implementation CIO-IT Security-14-69

    DocuSign Envelope ID: BE043513-5C38-4412-A2D5-93679CF7A69A IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 Revision 6 April 6, 2021 Office of the Chief Information Security Officer DocuSign Envelope ID: BE043513-5C38-4412-A2D5-93679CF7A69A CIO-IT Security-14-69, Revision 6 SSL/TLS Implementation VERSION HISTORY/CHANGE RECORD Person Page Change Posting Change Reason for Change Number of Number Change Change Initial Version – December 24, 2014 N/A ISE New guide created Revision 1 – March 15, 2016 1 Salamon Administrative updates to Clarify relationship between this 2-4 align/reference to the current guide and CIO-IT Security-09-43 version of the GSA IT Security Policy and to CIO-IT Security-09-43, IT Security Procedural Guide: Key Management 2 Berlas / Updated recommendation for Clarification of requirements 7 Salamon obtaining and using certificates 3 Salamon Integrated with OMB M-15-13 and New OMB Policy 9 related TLS implementation guidance 4 Berlas / Updates to clarify TLS protocol Clarification of guidance 11-12 Salamon recommendations 5 Berlas / Updated based on stakeholder Stakeholder review / input Throughout Salamon review / input 6 Klemens/ Formatting, editing, review revisions Update to current format and Throughout Cozart- style Ramos Revision 2 – October 11, 2016 1 Berlas / Allow use of TLS 1.0 for certain Clarification of guidance Throughout Salamon server through June 2018 Revision 3 – April 30, 2018 1 Berlas / Remove RSA ciphers from approved ROBOT vulnerability affected 4-6 Salamon cipher stack
  • The Edonkey File-Sharing Network

    The Edonkey File-Sharing Network

    The eDonkey File-Sharing Network Oliver Heckmann, Axel Bock, Andreas Mauthe, Ralf Steinmetz Multimedia Kommunikation (KOM) Technische Universitat¨ Darmstadt Merckstr. 25, 64293 Darmstadt (heckmann, bock, mauthe, steinmetz)@kom.tu-darmstadt.de Abstract: The eDonkey 2000 file-sharing network is one of the most successful peer- to-peer file-sharing applications, especially in Germany. The network itself is a hybrid peer-to-peer network with client applications running on the end-system that are con- nected to a distributed network of dedicated servers. In this paper we describe the eDonkey protocol and measurement results on network/transport layer and application layer that were made with the client software and with an open-source eDonkey server we extended for these measurements. 1 Motivation and Introduction Most of the traffic in the network of access and backbone Internet service providers (ISPs) is generated by peer-to-peer (P2P) file-sharing applications [San03]. These applications are typically bandwidth greedy and generate more long-lived TCP flows than the WWW traffic that was dominating the Internet traffic before the P2P applications. To understand the influence of these applications and the characteristics of the traffic they produce and their impact on network design, capacity expansion, traffic engineering and shaping, it is important to empirically analyse the dominant file-sharing applications. The eDonkey file-sharing protocol is one of these file-sharing protocols. It is imple- mented by the original eDonkey2000 client [eDonkey] and additionally by some open- source clients like mldonkey [mlDonkey] and eMule [eMule]. According to [San03] it is with 52% of the generated file-sharing traffic the most successful P2P file-sharing net- work in Germany, even more successful than the FastTrack protocol used by the P2P client KaZaa [KaZaa] that comes to 44% of the traffic.
  • Conducting and Optimizing Eclipse Attacks in the Kad Peer-To-Peer Network

    Conducting and Optimizing Eclipse Attacks in the Kad Peer-To-Peer Network

    Conducting and Optimizing Eclipse Attacks in the Kad Peer-to-Peer Network Michael Kohnen, Mike Leske, and Erwin P. Rathgeb University of Duisburg-Essen, Institute for Experimental Mathematics, Ellernstr. 29, 45326 Essen [email protected], [email protected], [email protected] Abstract. The Kad network is a structured P2P network used for file sharing. Research has proved that Sybil and Eclipse attacks have been possible in it until recently. However, the past attacks are prohibited by newly implemented secu- rity measures in the client applications. We present a new attack concept which overcomes the countermeasures and prove its practicability. Furthermore, we analyze the efficiency of our concept and identify the minimally required re- sources. Keywords: P2P security, Sybil attack, Eclipse attack, Kad. 1 Introduction and Related Work P2P networks form an overlay on top of the internet infrastructure. Nodes in a P2P network interact directly with each other, i.e., no central entity is required (at least in case of structured P2P networks). P2P networks have become increasingly popular mainly because file sharing networks use P2P technology. Several studies have shown that P2P traffic is responsible for a large share of the total internet traffic [1, 2]. While file sharing probably accounts for the largest part of the P2P traffic share, also other P2P applications exist which are widely used, e.g., Skype [3] for VoIP or Joost [4] for IPTV. The P2P paradigm is becoming more and more accepted also for professional and commercial applications (e.g., Microsoft Groove [5]), and therefore, P2P technology is one of the key components of the next generation internet.
  • Configuring SSL for Services and Servers

    Configuring SSL for Services and Servers

    Barracuda Web Application Firewall Configuring SSL for Services and Servers https://campus.barracuda.com/doc/4259877/ Configuring SSL for SSL Enabled Services You can configure SSL encryption for data transmitted between the client and the service. In the BASIC > Services page, click Edit next to a listed service and configure the following fields: Status – Set to On to enable SSL on your service. Status defaults to On for a newly created SSL enabled service. Certificate – Select a certificate presented to the browser when accessing the service. Note that only RSA certificates are listed here. If you have not created the certificate, select Generate Certificate from the drop-down list to generate a self-signed certificate. For more information on how to create self- signed certificates, see Creating a Client Certificate. If you want to upload a self-signed certificate, select Upload Certificate from the drop- down list. Provide the details about the certificate in the Upload Certificate dialog box. For information on how to upload a certificate, see Adding an SSL Certificate. Select ECDSA Certificate – Select an ECDSA certificate presented to the browser when accessing the service. SSL/TLS Quick Settings - Select an option to automatically configure the SSL/TLS protocols and ciphers. Use Configured Values - This option allows you to use the previously saved values. If the values are not saved, the Factory Preset option can be used. Factory Preset - This option allows you to enable TLS 1.1, TLS 1.2 and TLS 1.3 protocols without configuring override ciphers. Mozilla Intermediate Compatibility (Default, Recommended) - This configuration is a recommended configuration when you want to enable TLS 1.2 and TLS 1.3 and configure override ciphers for the same.
  • Emule for Dummies V 0.1 - by Ciquta

    Emule for Dummies V 0.1 - by Ciquta

    eMule for dummies v 0.1 - by ciquta (Guida funzionale ed incompleta rivolta ai neofiti della rete ed2k) Filosofia ed2k I p2p ed2k (edonkey, emule, emule plus, etc…) sono la generazione “intelligente” dei p2p: si basano sul principio dei “crediti”, ovvero chi più shara risorse, chi più invia, chi in definitiva si impegna di più a mettere a disposizione la propria banda di upload viene maggiormente premiato con slot di download. La quantità totale di upload in qualsiasi p2p è uguale identica a quella totale di download, pertanto più vengono messi a disposizione bit di upload, più vi saranno utenti connessi alla rete e maggiori saranno le possibilità di reperimento di un file e quindi di download. Il che sta a significare che gli utenti collegati avendo un ristorno in termini di download di quello che sharano e soprattutto inviano sono ben disposti a alimentare questo circolo di scambio dati, e i risultati si palpano in termini di reperibilità di file particolarmente rari e di numero delle fonti e di slot disponibili. Il software lato client è open source, pertanto vi capiterà di perdervi tra le mille versioni e relativi modding. Tuttavia la sostanza è sempre simile e notevoli cambiamenti tra l’una e l’altra sono percettibili solo tra versioni notevolmente distanti tra di loro in termini di date di sviluppo, quindi non è certo il caso di cambiare ad ogni uscita di una nuova versione, credo sia sufficiente farlo una volta ogni 3 o 4 mesi a scanso di epocali svolte nello sviluppo. Principali caratteristiche innovative Tante sono le interessanti differenze con gli altri p2p: • Gestione autonoma delle code: eMule non da modo agli utenti di “segare” gli upload, evitando quindi i classici casi di troncamento dei download tipici degli altri p2p, nei quali c’è da guerrigliare con baratti e suppliche per farsi finire un download.
  • Hosting Multiple Certs on One IP

    Hosting Multiple Certs on One IP

    Hosting multiple SSL Certicates on a single IP S Solving the IPv4 shortage dilemma FULL COMPATIBILITY When it comes to SSL security, hosting companies are increasingly facing In public environments, using SNI alone would mean cutting access to a issues related to IP addresses scarcity. Today every digital certificate used large number of potential site visitors as around 15% of systems (as of to provide an SSL connection on a webserver needs a dedicated IP January 2013) are incompatible with SNI. address, making it difficult for hosting companies to respond to increas- ing demand for security. The true solution GlobalSign has developed a solution to address hosting companies’ operational limitations and to let them run multiple certificates on a By coupling the Server Name Indication technology with SSL Certificates single IP address, at no detriment to browser and operating system and a CloudSSL Certificate from GlobalSign, multiple certificates can compatibility. now be hosted on a single IP without losing potential visitors that might lack SNI support. Host Headers GlobalSign SSL Certificates can be installed on several name-based virtual hosts as per any SNI-based https website. Each website has its To address the current concern of shortage of IPv4 addresses, most own certificate, allowing for even the highest levels of security (such as websites have been configured as name-based virtual hosts for years. Extended Validation Certificates). When several websites share the same IP number, the server will select the website to display based on the name provided in the Host Header. GlobalSign will then provide a free fall-back CloudSSL certificate for legacy configurations, enabling the 15% of visitors that do not have SNI Unfortunately this doesn’t allow for SSL security as the SSL handshake compatibility to access the secure websites on that IP address.
  • Perception Financial Services Cyber Threat Briefing Report

    Perception Financial Services Cyber Threat Briefing Report

    PERCEPTION FINANCIAL SERVICES CYBER THREAT BRIEFING REPORT Q1 2019 1 Notable Cyber Activity within Financial Services Contents January 2019 October 2018 A security researcher discovered that The State Bank of India Between the 4th and 14th October 2018 HSBC reported a number Table of Contents . 1 (SBI), India’s largest bank, had failed to secure a server which of US online bank accounts were accessed by unauthorized users, Welcome . 1 was part of their text-messaging platform. The researcher was with potential access to personal information about the account able to read all messages sent and received by the bank’s ‘SBI holder. HSBC told the BBC this affected fewer than 1% of its 1 Notable Cyber Activity within Financial Services . 2 quick’ enquiry service which contained information on balances, American clients and has not released further information on 2 Threat Actor Profile: The Carbanak Organized Crime Gang . 4 phone numbers and recent transactions. This information could how the unauthorized access occurred. have been used to profile high net worth individuals, or aid social 3 Benefits and challenges of deploying TLS 1.3 . 5 engineering attacks which are one of the most common types of It is likely that this was an example of a credential-stuffing attack, 4 Ethereum Classic (ETC) 51% Attack . 9 financial fraud in India.1 where attackers attempt to authenticate with vast quantities 5 Authoritative DNS Security . 10 of username and password combinations obtained from other December 2018 compromised sites, hoping to find users who have re-used their Kaspersky published a detailed examination of intrusions into credentials elsewhere.
  • Investigating the User Behavior of Peer-To-Peer File Sharing Software

    Investigating the User Behavior of Peer-To-Peer File Sharing Software

    www.ccsenet.org/ijbm International Journal of Business and Management Vol. 6, No. 9; September 2011 Investigating the User Behavior of Peer-to-Peer File Sharing Software Shun-Po Chiu (Corresponding author) PhD candidate, Department of Information Management National Central University, Jhongli, Taoyuan, Taiwan & Lecture, Department of Information Management Vanung University, Jhongli, Taoyuan, Taiwan E-mail: [email protected] Huey-Wen Chou Professor, Department of Information Management National Central University, Jhongli, Taoyuan, Taiwan E-mail: [email protected] Received: March 26, 2011 Accepted: May 10, 2011 doi:10.5539/ijbm.v6n9p68 Abstract In recent years, peer-to-peer file sharing has been a hotly debated topic in the fields of computer science, the music industry, and the movie industry. The purpose of this research was to examine the user behavior of peer-to-peer file-sharing software. A methodology of naturalistic inquiry that involved qualitative interviews was used to collect data from 21 university students in Taiwan. The results of the study revealed that a substantial amount of P2P file-sharing software is available to users. The main reasons for using P2P file-sharing software are to save money, save time, and to access files that are no longer available in stores. A majority of respondents use P2P file-sharing software to download music, movies, and software, and the respondents generally perceive the use of such software as neither illegal nor unethical. Furthermore, most users are free-riders, which means that they do not contribute files to the sharing process. Keywords: Peer to peer, File sharing, Naturalistic inquiry 1. Introduction In recent years, Peer-to-Peer (P2P) network transmission technology has matured.
  • The Trip to TLS Land Using the WSA Tobias Mayer, Consulting Systems Engineer BRKSEC-3006 Me…

    The Trip to TLS Land Using the WSA Tobias Mayer, Consulting Systems Engineer BRKSEC-3006 Me…

    The Trip to TLS Land using the WSA Tobias Mayer, Consulting Systems Engineer BRKSEC-3006 Me… CCIE Security #14390, CISSP & Motorboat driving license… Working in Content Security & IPv6 Security tmayer{at}cisco.com Writing stuff at “blogs.cisco.com” Agenda • Introduction • Understanding TLS • Configuring Decryption on the WSA • Troubleshooting TLS • Thoughts about the Future • Conclusion For Your Reference • There are (many...) slides in your print-outs that will not be presented. • They are there “For your Reference” For Your Reference Microsoft and Google pushing encryption • Microsoft pushing TLS with PFS • Google, FB, Twitter encrypting all traffic • HTTPS usage influencing page ranking on google • Deprecate SHA1, only SHA2+ • Browser Vendors aggressively pushing https • Problems with older TLS versions leading to upgrade of servers to newer protocols and ciphers • Poodle, Freak, Beast, …. Google Search Engine • Google ranking influenced by using HTTPS • http://blog.searchmetrics.com/us/2015 /03/03/https-vs-http-website-ssl-tls- encryption-ranking-seo-secure- connection/ Understanding TLS TLS Versions • SSLv3, 1996 • TLS 1.0, 1999, RFC2246 • TLS 1.1, 2006, RFC4346 • Improved security • TLS 1.2, 2008, RFC5246 • Removed IDEA and DES ciphers • Stronger hashes • Supports authenticated encryption ciphers (AES-GCM) • TLS 1.3, currently Internet Draft Attacks… • POODLE • SSLv3 Problems with Padding, turn of SSLv3 • BEAST • Know issues in CBC mode, use TLS 1.1/1.2 with non-CBC mode ciphers (GCM) • CRIME/BREACH • Compression Data Leak, disable
  • How Organisations Can Properly Configure SSL Services to Ensure the Integrity and Confidentiality of Data in Transit”

    How Organisations Can Properly Configure SSL Services to Ensure the Integrity and Confidentiality of Data in Transit”

    An NCC Group Publication “SS-Hell: the Devil is in the details” Or “How organisations can properly configure SSL services to ensure the integrity and confidentiality of data in transit” Prepared by: Will Alexander Jerome Smith © Copyright 2014 NCC Group Contents 1 Introduction .................................................................................................................................................... 3 2 Protocols ........................................................................................................................................................ 3 3 Cipher Suites ................................................................................................................................................. 4 4 Certificates ..................................................................................................................................................... 5 4.1 Self-Signed or Untrusted Certificates ................................................................................................... 5 4.2 Mismatched Hostnames ....................................................................................................................... 6 4.3 Wildcard Certificates ............................................................................................................................. 6 4.4 Extended Validation Certificates .......................................................................................................... 7 4.5 Certificate Validity Period ....................................................................................................................
  • Avocent® ACS 6000 Advanced Console Server Release Notes Version 3.1.0.8 UPDATE! July 24, 2015

    Avocent® ACS 6000 Advanced Console Server Release Notes Version 3.1.0.8 UPDATE! July 24, 2015

    Avocent® ACS 6000 Advanced Console Server Release Notes Version 3.1.0.8 UPDATE! July 24, 2015 This document outlines: 1. Update Instructions 2. Appliance Firmware Version Information 3. Features/Enhancements 4. Bug Fixes =================================================================================== 1. Update Instructions =================================================================================== NOTE: Please refer to the ACS 6000 Installation/Administration/User Guide for detailed instructions on updating the ACS 6000 console server to version 3.1.0. IMPORTANT NOTE: This version should be upgraded from version 2.5.0-11 or newer. Appliances with earlier versions should be upgraded to version 2.5.0-11 or newer before the upgrade to version 3.1.0.8. In order to have all features listed in this release available through DSView™ management software, DSView™ software version 4.5.0.123 or later and ACS 6000 console server plug-in version 3.1.0.4 are required. After the ACS 6000 console server firmware has been upgraded to version 3.1.0, it is mandatory that the web browser cache of any system which intends to be connected to the ACS 6000 console server web interface is cleared. To do this, press Ctrl-F5 from the browser. ACS 6000 console server firmware version 3.1.0 provides an internal mechanism which preserves the existing configuration when upgrading from firmware version 3.0.0. However, it is strongly recommended that you back up the system configuration before the firmware version upgrade. =================================================================================== 2. Appliance Firmware Version Information =================================================================================== Appliance/Product Firmware Type Version Filename Avocent® ACS 6000 Opcode V_3.1.0.8 avoImage_avctacs-3.1.0-8.bin Console Server avoImage_avctacs-3.1.0-8.bin.md5 =================================================================================== 3.
  • Configurer Les Ports Emule Ou Mldonkey Pour Un Routeur Linux

    Configurer Les Ports Emule Ou Mldonkey Pour Un Routeur Linux

    Configurer les ports eMule ou mlDonkey pour un routeur Linux Stephane´ Bortzmeyer <[email protected]> Premiere` redaction´ de cet article le 2 aoutˆ 2007. Derniere` mise a` jour le 8 aoutˆ 2007 https://www.bortzmeyer.org/emule-ports-linux.html —————————- Le logiciel de partage de fichiers eMule, s’il n’est pas contactable par d’autres utilisateurs depuis l’exterieur,´ rend un service degrad´ e.´ Comment le rendre contactable si le routeur est une machine Linux? On sait que le NAT est une source d’ennuis sans fin, notamment pour les applications pair a` pair. Sa presence´ necessite´ beaucoup de bricolages comme ici, ou` nous allons faire du ”port fowarding”, c’est-a-` dire relayer les paquets IP depuis un pair vers notre client eMule ou mlDonkey, via un routeur Linux. Le cas d’un routeur Linux n’est pas actuellement documente´ en <http://www.emule-project. net/home/perl/help.cgi?l=1&rm=show_entries&cat_id=251> mais, par contre, il y a un exemple dans l’excellente documentation de mlDonkey <http://mldonkey.sourceforge.net/WhatFirewallPortsToOpen>. Mais c’est de toute fac¸on assez simple. Il faut commencer par connaˆıtre les ports utilises.´ eMule en change desormais,´ pour passer les filtrages. Allez dans Pref´ erences´ puis Connexion et regardez ”Port client”. Notez la valeur pour le port TCP et le port UDP. Pour mlDonkey, on peut utiliser la commande portinfo de la console : > portinfo --Portinfo-- Network | Port|Type ----------+------+------------------- BitTorrent| 6882|client_port TCP BitTorrent| 6881|tracker_port TCP Core | 4080|http_port Core | 4000|telnet_port Core | 4001|gui_port Donkey | 4550|client_port TCP Donkey | 4554|client_port UDP Donkey | 18703|overnet_port TCP+UDP Donkey | 10349|kademlia_port UDP G2 | 6347|client_port TCP+UDP Gnutella | 6346|client_port TCP+UDP 1 2 ou bien un tres` bon script bash <http://mldonkey.sourceforge.net/BashScriptToFindPortsUsed>.