Sunday, October 25, 2009

Jncia Juniper Networks Certified Internet Associate Study Guide


The JNCIA: Juniper Networks Certified Internet Associate Study Guide is what you need to prepare for the JNCIA exam, JN0-201, from Juniper Networks. Written by a team of Juniper Networks trainers and engineers, this Study Guide provides:
  • Assessment testing to focus and direct your studies
  • In-depth coverage of official test objectives
  • Hundreds of challenging practice questions, in the book and on the CD

Authoritative coverage of all test objectives, including:

  • Working with the JUNOS software
  • Implementing Juniper Networks boot devices
  • Troubleshooting Routing Information Protocol
  • Implementing a routing policy
  • Configuring and monitoring an OSPF Network
  • Implementing Border Gateway Protocol
  • Monitoring and troubleshooting an IS-IS network
  • Understanding the Reverse Path Forwarding process
  • Operating firewall filters
  • Using Multiprotocol Label Switching

Jncia Juniper Networks Certified Internet Associate Study Guide
Download link here:
http://www.ziddu.com/download/7051709/-networks-certified-internet-associate-study-guide.rar.html

Tuesday, October 20, 2009

CBT Nuggets CCIE Combo Pack


The CCIE certification is one of the highest paid and most respected IT certifications available but also one of the most difficult to obtain. Many people have questions and concerns when it comes to obtaining the CCIE and that's what this training is all about.
Jeremy Cioara has done a tremendous job breaking down all the information you need to not only study and prepare for the hands-on lab exam, but he presents it so that you learn how to model and configure advanced LAN/WAN topologies and scenarios. He shows you how to put together a practice lab to duplicate nearly any network set-up and provides an array of cost and time saving tips and tricks that will literally repay your investment in this training many times over.

Even if you do not plan on obtaining certification, you'll learn about the Catalyst 3550 router, Frame-Relay, ISDN, OSPF, ISIS, NAT, VoIP, QOS and BGP.

While a CCNP certification is not a pre-requisite to earn your CCIE certification, you do need to know routing and switching thoroughly. In addition to having a CCNA, we recommend that you have the knowledge and skills of a CCNP prior to viewing the CCIE videos.

The training contains 36 videos providing more than 24 hours of instruction.

--------------------------------------------------------------------------------

NOTE: The CCIE Exam has been updated to cover new information on MPLS, as well as some additional information on Security and IPv6.

This training has not yet been updated to cover these concepts. This training still maps to all other exam objectives and will help you greatly as you prepare for the CCIE Lab exam.

For information on updates and future product releases, please see our Videos in Development page.

--------------------------------------------------------------------------------

Contents: Cisco CCIE Certification Package

- CCIE Series Intro: So you want to be a CCIE
- Advanced LAN Configuration (Part 1): Cat 3550, VLANs, VTP, and EtherChannel
- Advanced LAN Configuration (Part 2): Cat 3550, Spanning Tree Protocol
- Advanced LAN Configuration (Part 3): Cat 3550, Advanced Features
- Advanced WAN Configuration (Part 1): HDLC & PPP
- Advanced WAN Configuration (Part 2): Frame Relay
- Advanced WAN Configuration (Part 3): Frame Relay Traffic Shaping and ATM
- Advanced WAN Configuration (Part 4): ISDN
- Internal Routing Protocols (Part 1): Distance Vector Challenges and RIPv2
- Internal Routing Protocols (Part 2): Advanced EIGRP Configuration
- Internal Routing Protocols (Part 3): OSPF, Key Concepts
- Internal Routing Protocols (Part 4): Foundation OSPF Configuration
- Internal Routing Protocols (Part 5): Advanced OSPF Configuration: NBMA Networks
- Internal Routing Protocols (Part 6): Advanced OSPF Configuration: Practical Example
- Internal Routing Protocols (Part 7): Understanding and Configuring the IS-IS Protocol
- Advanced Router Technology (Part 1): Routing the Unroutable: Router Bridging Technology
- Advanced Router Technology (Part 2): Data Link Switching Plus (DLSW+)
- Advanced Router Technology (Part 3): Voice over IP (VoIP)
- Advanced Router Technology (Part 4): Network Address Translation (NAT)
- Advanced Router Technology (Part 5): HSRP and NTP
- Advanced Router Technology (Part 6): Understanding IP Access-Lists
- Advanced Router Technology (Part 7): Multicast Routing Concepts
- Advanced Router Technology (Part 8): Configuring Multicast Routing
- Quality of Service (Part 1): QoS Fundamentals and the MQC
- Quality of Service (Part 2): Congestion Management and Avoidance
- Quality of Service (Part 3): Policing, Shaping, and Link Efficiency
- BGP (Part 1): BGP Theory
- BGP (Part 2): Understanding BGP Attributes
- BGP (Part 3): Foundation BGP Configuration
- BGP (Part 4): BGP Route Reflectors, Confederations, and Peer-Groups
- BGP (Part 5): BGP Route Aggregation and Filtering
- BGP (Part 6): Configuring BGP Attributes to Influence Routing, Part 1
- BGP (Part 7): Configuring BGP Attributes to Influence Routing, Part 2
- BGP (Part 8): BGP Multihoming, Route Dampening, and Optimization
- Practice Lab
- IPv6

CBT Nuggets CCIE Combo Pack
Download links:

http://uploading.com/files/U2WFL6TZ/CBTCCCP.part11.rar.html
http://uploading.com/files/75XV3Z4X/CBTCCCP.part06.rar.html
http://uploading.com/files/CZTDFCPG/CBTCCCP.part09.rar.html
http://uploading.com/files/QXUIMUKH/CBTCCCP.part08.rar.html
http://uploading.com/files/KO7OASBQ/CBTCCCP.part04.rar.html
http://uploading.com/files/TQFA12PL/CBTCCCP.part07.rar.html
http://uploading.com/files/4KPKXYXF/CBTCCCP.part05.rar.html
http://uploading.com/files/69TLCHEJ/CBTCCCP.part10.rar.html
http://uploading.com/files/BSWRJMSH/CBTCCCP.part03.rar.html
http://uploading.com/files/APK01W8X/CBTCCCP.part01.rar.html
http://uploading.com/files/YQWJDO0W/CBTCCCP.part02.rar.html

Cryptographic components

IPsec combines a number of cryptographic techniques, all of them well-known and well-analyzed. The overall design approach was conservative; no new or poorly-understood components were included.

This section gives a brief overview of each technique. It is intended only as an introduction. There is more information, and links to related topics, in our glossary. See also our bibliography and cryptography web links.

Block ciphers

The encryption in the ESP encapsulation protocol is done with a block cipher.

We do not implement single DES. It is insecure. Our default, and currently only, block cipher is triple DES.

The Rijndael block cipher has won the AES competition to choose a replacement for DES. It will almost certainly be added to FreeS/WAN and to other IPsec implementations. Patches are already available.

Hash functions

The HMAC construct

IPsec packet authentication is done with the HMAC construct. This is not just a hash of the packet data, but a more complex operation which uses both a hashing algorithm and a key. It therefore does more than a simple hash would. A simple hash would only tell you that the packet data was not changed in transit, or that whoever changed it also regenerated the hash. An HMAC also tells you that the sender knew the HMAC key.

For IPsec HMAC, the output of the hash algorithm is truncated to 96 bits. This saves some space in the packets. More important, it prevents an attacker from seeing all the hash output bits and perhaps creating some sort of attack based on that knowledge.
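The following is an added example, not FreeS/WAN code, showing the HMAC-SHA1-96 construction the two paragraphs above describe: the HMAC output is truncated to 96 bits, a receiver with the key detects a modified packet, and a plain (keyless) hash accepts a packet whose modifier simply regenerated the hash, while the HMAC rejects it. The key and the payload are constructed for the demo; the function names are this example's own.

```python
import hashlib
import hmac

# Constructed 20-byte authentication key for the demo (a real IPsec key comes
# from IKE or manual configuration and must be random).
AUTH_KEY = bytes(range(20))
ICV_LEN = 12  # 96 bits: the truncated HMAC length IPsec carries in the packet


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 over the data, truncated to the leftmost 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def plain_sha1_96(data: bytes) -> bytes:
    """A keyless hash truncated the same way; shown only to contrast with HMAC."""
    return hashlib.sha1(data).digest()[:ICV_LEN]


def protect(key: bytes, payload: bytes) -> bytes:
    """Sender side: append the integrity check value (ICV) to the payload."""
    return payload + hmac_sha1_96(key, payload)


def verify_hmac(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the HMAC and compare it in constant time."""
    if len(packet) <= ICV_LEN:
        return False
    payload, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(hmac_sha1_96(key, payload), icv)


def verify_plain(packet: bytes) -> bool:
    """What a keyless hash check does: anyone can regenerate the value."""
    if len(packet) <= ICV_LEN:
        return False
    payload, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(plain_sha1_96(payload), icv)


def demo() -> dict:
    """Run the cases the text describes and report which checks accept."""
    payload = b"constructed sample payload: transfer 100 units to account A"
    packet = protect(AUTH_KEY, payload)

    # 1. A bit flipped in transit: the HMAC no longer matches.
    damaged = bytearray(packet)
    damaged[0] ^= 0x01

    # 2. Someone rewrites the payload and recomputes a plain hash over it
    #    (the "whoever changed it also regenerated the hash" case).
    forged_payload = payload.replace(b"100", b"900")
    forged = forged_payload + plain_sha1_96(forged_payload)

    return {
        "genuine_hmac": verify_hmac(AUTH_KEY, packet),
        "damaged_hmac": verify_hmac(AUTH_KEY, bytes(damaged)),
        "forged_plain_hash_accepts": verify_plain(forged),
        "forged_hmac_accepts": verify_hmac(AUTH_KEY, forged),
        "wrong_key_hmac": verify_hmac(bytes(20), packet),
    }
```

The receiver only ever sees and compares the first 12 bytes of the HMAC output, which is the truncation the text refers to; the comparison uses `hmac.compare_digest` so that the time taken does not depend on where the first differing byte is.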

Choice of hash algorithm

The IPsec RFCs require two hash algorithms -- MD5 and SHA-1 -- both of which FreeS/WAN implements.

Various other algorithms -- such as RIPEMD and Tiger -- are listed in the RFCs as optional. None of these are in the FreeS/WAN distribution, or are likely to be added, although user patches exist for several of them.

Additional hash algorithms -- SHA-256, SHA-384 and SHA-512 -- may be required to give hash strength matching the strength of AES. These are likely to be added to FreeS/WAN along with AES.

Diffie-Hellman key agreement

The Diffie-Hellman key agreement protocol allows two parties (A and B or Alice and Bob) to agree on a key in such a way that an eavesdropper who intercepts the entire conversation cannot learn the key.

The protocol is based on the discrete logarithm problem and is therefore thought to be secure. Mathematicians have been working on that problem for years and seem no closer to a solution, though there is no proof that an efficient solution is impossible.
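An added example, not part of FreeS/WAN, that carries out the exchange just described: each side keeps a private exponent, publishes g^x mod p, and both arrive at the same secret while an observer of the conversation sees only p, g and the two public values. The group parameters are generated here as a small safe prime for the demo (real IPsec uses the fixed MODP groups from the IKE RFCs, with 1024-bit and larger primes); the helper names and the peer-value check are this example's own.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (good enough for demo parameters)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """Find p = 2q + 1 with q prime; then g = 4 generates the subgroup of order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def valid_public_value(p: int, x: int) -> bool:
    """Reject degenerate peer values (0, 1, p-1, out of range) before using them."""
    return 1 < x < p - 1


def public_value(p: int, g: int, private: int) -> int:
    """g^private mod p: the value each party sends in the clear."""
    return pow(g, private, p)


def shared_secret(p: int, private: int, peer_public: int) -> int:
    """(g^b)^a mod p == (g^a)^b mod p; needs one of the private exponents."""
    if not valid_public_value(p, peer_public):
        raise ValueError("bad peer public value")
    return pow(peer_public, private, p)


def derive_key(secret: int) -> bytes:
    """Hash the shared secret into key material (stand-in for IKE's PRF steps)."""
    return hashlib.sha1(secret.to_bytes((secret.bit_length() + 7) // 8 or 1, "big")).digest()


def exchange(p: int, g: int, a=None, b=None) -> dict:
    """Run one Alice/Bob exchange over (p, g); pass a and b to make it repeatable."""
    q = (p - 1) // 2
    a = a if a is not None else secrets.randbelow(q - 2) + 2  # Alice's private value
    b = b if b is not None else secrets.randbelow(q - 2) + 2  # Bob's private value
    big_a = public_value(p, g, a)  # Alice -> Bob, in the clear
    big_b = public_value(p, g, b)  # Bob -> Alice, in the clear
    k_alice = shared_secret(p, a, big_b)
    k_bob = shared_secret(p, b, big_a)
    return {
        "observed": {"p": p, "g": g, "A": big_a, "B": big_b},  # all an eavesdropper gets
        "alice_key": derive_key(k_alice),
        "bob_key": derive_key(k_bob),
    }


if __name__ == "__main__":
    p = safe_prime(64)
    result = exchange(p, 4)
    print(result["observed"])
    print("keys agree:", result["alice_key"] == result["bob_key"])
```

The check in `shared_secret` is the practitioner's caveat: a peer that sends 1 or p-1 forces the shared secret into a tiny set regardless of your private value, so an implementation must refuse such values rather than use them.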

RSA authentication

The RSA algorithm (named for its inventors -- Rivest, Shamir and Adleman) is a very widely used public key cryptographic technique. It is used in IPsec as one method of authenticating gateways for Diffie-Hellman key negotiation.

Structure of IPsec

There are three protocols used in an IPsec implementation:

ESP, Encapsulating Security Payload
Encrypts and/or authenticates data
AH, Authentication Header
Provides a packet authentication service
IKE, Internet Key Exchange
Negotiates connection parameters, including keys, for the other two

The term "IPsec" is slightly ambiguous. In some contexts, it includes all three of the above but in other contexts it refers only to AH and ESP.

Monday, October 19, 2009

IPsec Resisting traffic analysis

Traffic analysis is the attempt to derive useful intelligence from encrypted traffic without breaking the encryption.

Is your CEO exchanging email with a venture capital firm? With bankruptcy trustees? With an executive recruiting agency? With the holder of some important patents? If an eavesdropper learns about any of those, then he has interesting intelligence on your company, whether or not he can read the messages themselves.

Even just knowing that there is network traffic between two sites may tell an analyst something useful, especially when combined with whatever other information he or she may have. For example, if you know Company A is having cashflow problems and Company B is looking for acquisitions, then knowing that packets are passing between the two is interesting. It is more interesting if you can tell it is email, and perhaps yet more if you know the sender and recipient.

Except in the simplest cases, traffic analysis is hard to do well. It requires both considerable resources and considerable analytic skill. However, intelligence agencies of various nations have been doing it for centuries and many of them are likely quite good at it by now. Various commercial organisations, especially those working on "targeted marketing" may also be quite good at analysing certain types of traffic.

In general, defending against traffic analysis is also difficult. Inventing a really good defense could get you a PhD and some interesting job offers.

IPsec is not designed to stop traffic analysis and we know of no plausible method of extending it to do so. That said, there are ways to make traffic analysis harder. This section describes them.

Using "unnecessary" encryption

One might choose to use encryption even where it appears unnecessary in order to make analysis more difficult. Consider two offices which pass a small volume of business data between them using IPsec and also transfer large volumes of Usenet news. At first glance, it would seem silly to encrypt the newsfeed, except possibly for any newsgroups that are internal to the company. Why encrypt data that is all publicly available from many sites?

However, if we encrypt a lot of news and send it down the same connection as our business data, we make traffic analysis much harder. A snoop cannot now make inferences based on patterns in the volume, direction, sizes, sender, destination, or timing of our business messages. Those messages are hidden in a mass of news messages encapsulated in the same way.

If we're going to do this we need to ensure that keys change often enough to remain secure even with high volumes and with the adversary able to get plaintext of much of the data. We also need to look at other attacks this might open up. For example, can the adversary use a chosen plaintext attack, deliberately posting news articles which, when we receive and encrypt them, will help break our encryption? Or can he block our business data transmission by flooding us with silly news articles? Or ...

Also, note that this does not provide complete protection against traffic analysis. A clever adversary might still deduce useful intelligence from statistical analysis (perhaps comparing the input newsfeed to encrypted output, or comparing the streams we send to different branch offices), or by looking for small packets which might indicate establishment of TCP connections, or ...

As a general rule, though, to improve resistance to traffic analysis, you should encrypt as much traffic as possible, not just as much as seems necessary.

Using multiple encryption

This also applies to using multiple layers of encryption. If you have an IPsec tunnel between two branch offices, it might appear silly to send PGP-encrypted email through that tunnel. However, if you suspect someone is snooping your traffic, then it does make sense:

  • it protects the mail headers; they cannot even see who is mailing who
  • it protects against user bungles or software malfunctions that accidentally send messages in the clear
  • it makes any attack on the mail encryption much harder; they have to break IPsec or break into your network before they can start on the mail encryption

Similar arguments apply for SSL-encrypted web traffic or SSH-encrypted remote login sessions, even for end-to-end IPsec tunnels between systems in the two offices.

Using fewer tunnels

It may also help to use fewer tunnels. For example, if all you actually need encrypted is connections between:

  • mail servers at branch and head offices
  • a few branch office users and the head office database server

You might build one tunnel per mail server and one per remote database user, restricting traffic to those applications. This gives the traffic analyst some information, however. He or she can distinguish the tunnels by looking at information in the ESP header and, given that distinction and the patterns of tunnel usage, might be able to figure out something useful. Perhaps not, but why take the risk?
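To make the "information in the ESP header" concrete, here is an added example (not FreeS/WAN code) that parses the fields of an ESP packet that are never encrypted, the 32-bit SPI and the 32-bit sequence number, and tabulates a constructed traffic mix by SPI. With one security association per application the observer gets a per-application volume profile; with one gateway-to-gateway tunnel the same traffic collapses into a single row. The traffic mix, the SPI values and the helper names are constructed for this demo.

```python
import struct
from collections import defaultdict

ESP_HEADER = struct.Struct("!II")  # SPI (32 bits) then sequence number (32 bits)


def parse_esp_header(packet: bytes) -> dict:
    """Return the ESP fields that travel in the clear.

    Everything after the 8-byte header (payload, padding, next-header byte,
    ICV) is encrypted or opaque; the SPI, sequence number and length are not.
    """
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HEADER.unpack_from(packet)
    return {"spi": spi, "seq": seq, "length": len(packet)}


def make_esp(spi: int, seq: int, body_len: int) -> bytes:
    """Constructed packet: a real header, then an opaque zero body standing in
    for ciphertext plus ICV."""
    return ESP_HEADER.pack(spi, seq) + bytes(body_len)


def per_spi_profile(packets) -> dict:
    """What a passive observer can tabulate without any key."""
    profile = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        hdr = parse_esp_header(pkt)
        profile[hdr["spi"]]["packets"] += 1
        profile[hdr["spi"]]["bytes"] += hdr["length"]
    return dict(profile)


# Constructed traffic mix: (flow name, body size in bytes, packet count).
FLOWS = [("mail", 1400, 20), ("db_user_1", 120, 50), ("db_user_2", 120, 8)]


def per_application_tunnels() -> dict:
    """One SA (hence one SPI) per mail server or database user."""
    packets, spi = [], 0x1000
    for _name, size, count in FLOWS:
        spi += 1
        packets += [make_esp(spi, seq, size) for seq in range(1, count + 1)]
    return per_spi_profile(packets)


def single_office_tunnel() -> dict:
    """One gateway-to-gateway SA carrying everything, as the text recommends."""
    packets, seq = [], 0
    for _name, size, count in FLOWS:
        for _ in range(count):
            seq += 1
            packets.append(make_esp(0x2001, seq, size))
    return per_spi_profile(packets)


if __name__ == "__main__":
    print("per-application tunnels:", per_application_tunnels())
    print("single office tunnel:   ", single_office_tunnel())
```

Total bytes are identical in both designs; only the ability to attribute them to a flow changes. Packet sizes and timing still leak through the single tunnel, which is why the preceding section suggests mixing in bulk traffic such as a newsfeed.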

We suggest instead that you build one tunnel per branch office, encrypting everything passing from head office to branches. This has a number of advantages:

  • it is easier to build and administer
  • it resists traffic analysis somewhat better
  • it provides security for whatever you forgot. For example, if some user at a remote office browses proprietary company data on some head office web page (that the security people may not even know about!), then that data is encrypted before it reaches the Internet.

Of course you might also want to add additional tunnels. For example, if some of the database data is confidential and should not be exposed even within the company, then you need protection from the user's desktop to the database server. We suggest you do that in whatever way seems appropriate -- IPsec, SSH or SSL might fit -- but, whatever you choose, pass it between locations via a gateway-to-gateway IPsec tunnel to provide some resistance to traffic analysis.

Multiple layers of IPsec processing are possible

The above describes combinations possible on a single IPsec connection. In a complex network you may have several layers of IPsec in play, with any of the above combinations at each layer.

For example, a connection from a desktop machine to a database server might require AH authentication. Working with other host, network and database security measures, AH might be just the thing for access control. You might decide not to use ESP encryption on such packets, since it uses resources and might complicate network debugging. Within the site where the server is, then, only AH would be used on those packets.

Users at another office, however, might have their whole connection (AH headers and all) passing over an IPsec tunnel connecting their office to the one with the database server. Such a tunnel should use ESP encryption and authentication. You need authentication in this layer because without authentication the encryption is vulnerable and the gateway cannot verify the AH authentication. The AH is between client and database server; the gateways aren't party to it.

In this situation, some packets would get multiple layers of IPsec applied to them, AH on an end-to-end client-to-server basis and ESP from one office's security gateway to the other.

IPsec: Encryption without authentication is dangerous

Originally, the IPsec encryption protocol ESP didn't do integrity checking. It only did encryption. Steve Bellovin found many ways to attack ESP used without authentication. See his paper Problem areas for the IP Security Protocols. To make a secure connection, you had to add an AH Authentication Header as well as ESP. Rather than incur the overhead of several layers (and rather than provide an ESP layer that didn't actually protect the traffic), the IPsec working group built integrity and replay checking directly into ESP.

Today, typical usage is one of:

  • ESP for encryption and authentication
  • AH for authentication alone

Other variants are allowed by the standard, but not much used:

ESP encryption without authentication
Bellovin has demonstrated fatal flaws in this. Do not use.
ESP encryption with AH authentication
This has higher overheads than using the authentication in ESP, and no obvious benefit in most cases. The exception might be a network where AH authentication was widely or universally used. If you're going to do AH to conform with network policy, why authenticate again in the ESP layer?
Authenticate twice, with AH and with ESP
Why? Of course, some folk consider "belt and suspenders" the sensible approach to security. If you're among them, you might use both protocols here. You might also use both to satisfy different parts of a security policy. For example, an organisation might require AH authentication everywhere but two users within the organisation might use ESP as well.
ESP authentication without encryption
The standard allows this, calling it "null encryption". FreeS/WAN does not support it. We recommend that you use AH instead if authentication is all you require. AH authenticates parts of the IP header, which ESP-null does not do.

Some of these variants cannot be used with FreeS/WAN because we do not support ESP-null and do not support automatic keying of AH-only connections.

There are fairly frequent suggestions that AH be dropped entirely from the IPsec specifications since ESP and null encryption can handle that situation. It is not clear whether this will occur. My guess is that it is unlikely.

Using authentication without encryption

Where appropriate, IPsec can provide authentication without encryption. One might do this, for example:

  • where the data is public but one wants to be sure of getting the right data, for example on some web sites
  • where encryption is judged unnecessary, for example on some company or department LANs
  • where strong encryption is provided at link level, below IP
  • where strong encryption is provided in other protocols, above IP
    Note that IPsec authentication may make some attacks on those protocols harder.

Authentication has lower overheads than encryption.

The protocols provide four ways to build such connections, using either an AH-only connection or ESP using null encryption, and in either manually or automatically keyed mode. FreeS/WAN supports only one of these, manually keyed AH-only connections, and we do not recommend using that. Our reasons are discussed under Resisting traffic analysis a few sections further along.

Using tracert and TTL to troubleshoot network connectivity problems

This introduction to time-to-live (TTL) values and the trace route (tracert) command shows how to detect packet loss while troubleshooting Windows network connectivity problems; packet loss slows performance and shows up as network latency or dropped connections.

This tip originally appeared on WindowsNetworking.com.

So far in this article series, I have shown you all kinds of tricks that involve using the ping command to diagnose network connectivity problems. In this article, I want to continue the discussion by showing you some variations of these techniques.

Packet loss
So far when we have used the ping command, the command has either been successful or it has failed. There really has not been any in-between. As you may recall, by default the ping command sends four echo requests and reports a response for each. Occasionally, one or more of these responses may fail while the others succeed. When this happens, it means that packet loss is occurring.

In such a situation, both the local host and the remote host are functioning properly, but conditions exist that cause some packets to be lost along the way. TCP/IP is designed to retransmit when packet loss occurs, but packet loss kills performance. A slow connection with no packet loss will often outperform a high-speed connection on which packet loss is occurring.

The tricky thing about packet loss is that it can sometimes be hard to spot. Sure, you know that packet loss is occurring if some of the ping responses fail, but the ICMP packets used by ping are so small that they will often be returned successfully even when a network condition exists that would cause packet loss for real-world traffic.

If you suspect that packet loss may be occurring but ping is not returning any errors then you can try increasing the size of the ICMP packets. Larger packets are more prone to failure if network problems exist.
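As an added example (not from the original article), the parser below reads Windows ping output line by line, counts replies against timeouts rather than trusting the summary line, and compares runs made with different packet sizes so that the size at which loss first appears is visible. The two captures are constructed for the demo, using the documentation address 192.0.2.1; the function names are this example's own.

```python
import re

# One "Reply from" line per answered probe. Windows prints "time=12ms" or,
# for sub-millisecond replies, "time<1ms", so both separators are accepted.
REPLY = re.compile(
    r"^Reply from (?P<host>[\d.]+): bytes=(?P<size>\d+) time[=<](?P<ms>\d+)ms TTL=(?P<ttl>\d+)$"
)
# Lines that mean a probe went out but no echo reply came back.
NO_REPLY = re.compile(r"(Request timed out|Destination \w+ unreachable)\.$")


def parse_ping(output: str) -> dict:
    """Count requests and replies from the per-probe lines of a ping run."""
    sent = received = 0
    times, ttl = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = REPLY.match(line)
        if m:
            sent += 1
            received += 1
            times.append(int(m.group("ms")))
            ttl = int(m.group("ttl"))
        elif NO_REPLY.search(line):
            sent += 1
    loss = 0.0 if sent == 0 else round(100.0 * (sent - received) / sent, 1)
    return {
        "sent": sent,
        "received": received,
        "loss_pct": loss,
        "avg_ms": round(sum(times) / len(times), 1) if times else None,
        "ttl": ttl,
    }


def loss_by_size(captures: dict) -> dict:
    """Map each probe size to its loss percentage, smallest size first."""
    return {size: parse_ping(out)["loss_pct"] for size, out in sorted(captures.items())}


def first_lossy_size(captures: dict):
    """Smallest probe size that showed any loss, or None if every size was clean."""
    for size, loss in loss_by_size(captures).items():
        if loss > 0:
            return size
    return None


# Constructed captures: default 32-byte probes look clean, 1400-byte probes drop.
SMALL_PROBE = """\
Pinging 192.0.2.1 with 32 bytes of data:
Reply from 192.0.2.1: bytes=32 time=12ms TTL=57
Reply from 192.0.2.1: bytes=32 time=11ms TTL=57
Reply from 192.0.2.1: bytes=32 time=14ms TTL=57
Reply from 192.0.2.1: bytes=32 time=11ms TTL=57

Ping statistics for 192.0.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

LARGE_PROBE = """\
Pinging 192.0.2.1 with 1400 bytes of data:
Reply from 192.0.2.1: bytes=1400 time=31ms TTL=57
Request timed out.
Reply from 192.0.2.1: bytes=1400 time=29ms TTL=57
Request timed out.

Ping statistics for 192.0.2.1:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
"""

CAPTURES = {32: SMALL_PROBE, 1400: LARGE_PROBE}

if __name__ == "__main__":
    for size, loss in loss_by_size(CAPTURES).items():
        print(f"{size:5d}-byte probes: {loss}% loss")
    print("loss first seen at:", first_lossy_size(CAPTURES))
```

On Windows the runs that produce this output are `ping -n 4 192.0.2.1` and `ping -n 4 -l 1400 192.0.2.1`; `-l` sets the payload size and `-n` the count. Use more than four probes in practice, since four samples cannot distinguish 25% loss from a single stray timeout, and remember that some routers rate-limit ICMP, so loss seen only by ping is a prompt to look further, not proof on its own.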


Saturday, October 17, 2009

Complete CBT catalog of IT training videos – Including All Titles Released in 2008

Nugget Archive Server – with 2008 Video Library

Our complete catalog of IT training videos – Including All Titles Released in 2008

$18,999.00 Includes 3019 Videos

You save $22,875.00 on this package

In-House IT Training Library Keeps All Your Employees Well-Trained

The Nugget Archive Server is the perfect in-house training solution for corporations, universities and other organizations with multiple IT staff members to train. It contains every CBT Nuggets IT video in our inventory†, and comes with 10 concurrent user licenses for up to 10 people to train at once. (Plus additional user licenses can be added at any time.)

Here is the product page, so you can check the package for yourself:

http://www.cbtnuggets.com/webapp/product?id=428

Running Time: 1489 Hours

CONTENTS

Windows

Windows NT

Windows 2000: Exam-Pack 70-210: Professional

Windows 2000: Exam-Pack 70-214: Security

Windows 2000: Exam-Pack 70-215: Server

Windows 2000: Exam-Pack 70-216: Network Infrastructure

Windows 2000: Exam-Pack 70-217: Directory Services

Windows 2000: Exam-Pack 70-218: Managing a Network Environment

Windows 2000: Exam-Pack 70-219: Designing a Directory Services Infrastructure

Windows 2000: Exam-Pack 70-220: Designing Network Security

Windows 2000: Exam-Pack 70-221: Designing a Networking Services Infrastructure

Windows XP: Exam-Pack 70-270: Professional

Windows XP: Exam-Pack 70-271: Supporting XP

Windows XP: Exam-Pack 70-272: Supporting Apps in XP

Windows 2003: Exam-Pack 70-292: MCSA 2003 Upgrade

Windows 2003: Exam-Pack 70-296: MCSE 2003 Upgrade

Windows 2003: Exam-Pack 70-290: Maintaining Windows Server 2003

Windows 2003: Exam-Pack 70-291: Windows 2003 Network Infrastructure

Windows 2003: Exam-Pack 70-293: Planning and Maintaining a 2003 Network

Windows 2003: Exam Pack 70-294: Planning/Maintaining Windows 2003 Active Directory

Windows 2003: Exam-Pack 70-297: Designing 2003 Active Directory and Network

Windows 2003: Exam-Pack 70-298: Designing Security

Windows 2003: Exam-Pack 70-299: Administering Security in Windows 2003

Security

Security+ Series

CISSP Certification Package

Certified Ethical Hacker

On The Job Training Series: End-User Security

SSCP Series

Windows 2000: Exam-Pack 70-214: Security

Windows 2000: Exam-Pack 70-220: Designing Network Security

Windows 2003: Exam-Pack 70-298: Designing Security

Windows 2003: Exam-Pack 70-299: Administering Security in Windows 2003

Microsoft ISA Server

Microsoft ISA Server 2004

Cisco CCSP-SECUR – Exam-Pack 642-501

Cisco CCSP-CSI – Exam-Pack: 642-541

Cisco CCSP-CSIDS – Exam-Pack: 642-531

Cisco CCSP-SNPA – Exam-Pack: 642-522

Cisco CCSP-CSVPN – Exam-Pack: 642-511

Exchange

Exchange 5.5

Exchange 2000 Administration

Exchange 2003 Administration

Exchange 2003 Design

MOS Series: Outlook 2003

Cisco

Cisco CCNA Certification Package

Cisco CCNP-BSCI Certification Package

Cisco CCNP-BCMSN Certification Package

Cisco CCNP-CIT Certification Package

Cisco CCNP-BCRAN Series (Remote Access)

Cisco CSSP – Exam-Pack: 642-551 SND

Cisco CCDA Series

Cisco CCSP – Exam-Pack: 642-532 IPS

Cisco CCDP – Exam-Pack: 642-871 ARCH

Cisco CCIE Certification Package

Cisco CCIE Video Practice Lab

Cisco CCSP-SECUR – Exam-Pack 642-501

Cisco CCSP-CSI – Exam-Pack: 642-541

Cisco CCSP-CSIDS – Exam-Pack: 642-531

Cisco CCSP-SNPA – Exam-Pack: 642-522

Cisco CCSP-SNRS – Exam-Pack 642-502

Cisco CCSP-CSVPN – Exam-Pack: 642-511

Cisco CCVP-CVOICE – Exam Pack: 642-432

Cisco CCVP-QoS – Exam-Pack: 642-642

CompTIA

2005 A+ Series

2005 Network+ Series

Server+ Certification Package

Security+ Series

Linux+ Series

Web Development

CIW Perl Fundamentals

CIW JavaScript Fundamentals

CIW Associate Series – CIW Foundations

iNet+ Series

Project Mgt

PMP Certification Package

Project+ Series

Microsoft Project

Citrix

Citrix MetaFrame XP CCA Certification Package

MCDBA

Oracle 9i/10g OCA Series

SQL Fundamentals

SQL 2000 Administration

SQL 2000 Implementation and Design

Windows 2000: Exam-Pack 70-215: Server

Windows 2000: Exam-Pack 70-216: Network Infrastructure

Programming

On The Job Training Series: C#

On The Job Training Series: Java

Java – SCJP Certification Package

Intro to Programming with VB.NET

Intro to XML and Programming using the Microsoft.NET Platform

Developing Web Apps with VB.NET: Exam-Pack 70-305

Developing Windows Apps with VB.NET

Developing XML Web Services and Server Components with VB.NET

Analyzing Requirements and Defining Microsoft .NET Solution Architectures

VB 6.0 Fundamentals Package

VB 6.0 Desktop Applications

VB 6.0 Distributed Applications

MS Office

MOS Series: Excel 2000

MOS Series: Word 2000

MOS Series: PowerPoint 2000

MOS Series: Outlook 2003

MOS Series: Excel 2003

MOS Series: Word 2003

MOS Series: PowerPoint 2003

Wireless

Wireless# Certification Package

CWNA Certification Package

CWNA Certification Package Update

Linux

Linux+ Series

Intermediate to Advanced Linux Series

Linux LPIC-1 Series

Linux LPIC-2 Series

Here are the links

(Size : 20 GB)


http://www.cbtnuggets.com/images/products/NAS-2008.jpg


Download:

Download Easy-Share

http://www.easy-share.com/f/1326001672/Complete CBT 2009

Mirror Hotfile.com

http://hotfile.com/dl/2651223/2a81b3f/videotraining__Sadikhov-CBT_Nuggets_Server.part001.rar.html

http://hotfile.com/dl/2651262/da3a8c5/videotraining__Sadikhov-BT_Nuggets_Server.part002.rar.html

http://hotfile.com/dl/2651310/a0be039/videotraining__Sadikhov-BT_Nuggets_Server.part003.rar.html

http://hotfile.com/dl/2651341/228623b/videotraining__Sadikhov-BT_Nuggets_Server.part004.rar.html

http://hotfile.com/dl/2651388/3774b81/videotraining__Sadikhov-BT_Nuggets_Server.part005.rar.html

http://hotfile.com/dl/2651427/c5a9032/videotraining__Sadikhov-BT_Nuggets_Server.part006.rar.html

http://hotfile.com/dl/2651478/6cb322d/videotraining__Sadikhov-BT_Nuggets_Server.part007.rar.html

http://hotfile.com/dl/2651548/6409bc3/videotraining__Sadikhov-BT_Nuggets_Server.part008.rar.html

http://hotfile.com/dl/2651641/44041a4/videotraining__Sadikhov-BT_Nuggets_Server.part009.rar.html

http://hotfile.com/dl/2651709/8eb6e11/videotraining__Sadikhov-BT_Nuggets_Server.part010.rar.html

http://hotfile.com/dl/2651735/deab386/videotraining__Sadikhov-BT_Nuggets_Server.part011.rar.html

http://hotfile.com/dl/2651757/6deb563/videotraining__Sadikhov-BT_Nuggets_Server.part012.rar.html

http://hotfile.com/dl/2651782/bedf20a/videotraining__Sadikhov-CBT_Nuggets_Server.part013.rar.html

http://hotfile.com/dl/2651811/1f658c1/videotraining__Sadikhov-CBT_Nuggets_Server.part014.rar.html

http://hotfile.com/dl/2651833/85a414c/videotraining__Sadikhov-BT_Nuggets_Server.part015.rar.html

http://hotfile.com/dl/2651992/1b13bdc/videotraining__Sadikhov-BT_Nuggets_Server.part016.rar.html

http://hotfile.com/dl/2652274/af3f02a/videotraining__Sadikhov-CBT_Nuggets_Server.part017.rar.html

http://hotfile.com/dl/2652414/d390185/videotraining__Sadikhov-BT_Nuggets_Server.part018.rar.html

http://hotfile.com/dl/2652440/0cac7f9/videotraining__Sadikhov-CBT_Nuggets_Server.part019.rar.html

http://hotfile.com/dl/2652469/9a1dabf/videotraining__Sadikhov-CBT_Nuggets_Server.part020.rar.html

http://hotfile.com/dl/2652486/33f2449/videotraining__Sadikhov-CBT_Nuggets_Server.part021.rar.html

http://hotfile.com/dl/2652499/5a12497/videotraining__Sadikhov-BT_Nuggets_Server.part022.rar.html

http://hotfile.com/dl/2652519/5fb5410/videotraining__Sadikhov-CBT_Nuggets_Server.part023.rar.html

http://hotfile.com/dl/2652534/c0c80ef/videotraining__Sadikhov-CBT_Nuggets_Server.part024.rar.html


Friday, October 16, 2009

GETVPN for MPLS WAN Encryption

For many years there has been a compromise of security vs. convenience on private WAN networks. For the most part, WAN connections have been considered private even though there are potential points throughout the path at which data could be compromised. In theory, a provider could tap into the data stream at any point within the data path. In addition, with solutions such as MPLS, the security of the VPN is totally reliant upon the service provider and their configuration.

This compromise has been accepted given the complexity and overhead associated with trying to encrypt all WAN connections for a large organization. Creating individual IPSec tunnels to every endpoint in the WAN cloud is both cumbersome and a management nightmare. Quality of service is also difficult to maintain, as IPSec only keeps the TOS bit and encapsulates everything else. As a solution, Cisco has come up with Group Encrypted Transport VPN, or GETVPN for short. It is a catchy acronym that makes one wonder whether some marketing person came up with the name before the technology was developed. The basics are simple: rather than creating individual point-to-point IPSec connections, GETVPN establishes an agreed-upon key shared by all the WAN points. Additionally, some packet-level detail is maintained to allow for quality of service and natural routing.

Cisco is making an aggressive play here that many other router providers will need to answer soon. As security auditors and assessors recognize that there is an easy and cost-effective solution to the minimal risk of data compromise over the WAN, they may begin insisting that such a solution be implemented. Right now, GETVPN is a Cisco proprietary solution, so you need a completely Cisco WAN infrastructure to support it.

As with any security solution, there are some things to understand regarding this technology before implementing it. Jan Bervar has a good write-up on some of the potential security pitfalls of this solution. Even with these potential drawbacks, GETVPN is a good solution for fully meshed encryption across the WAN and should be a consideration for companies moving forward.


IPsec is a general mechanism for securing IP

While IPsec does not provide all functions of a mail encryption package, it can encrypt your mail. In particular, it can ensure that all mail passing between a pair or a group of sites is encrypted. An attacker looking only at external traffic, without access to anything on or behind the IPsec gateway, cannot read your mail. He or she is stymied by IPsec just as he or she would be by PGP.

The advantage is that IPsec can provide the same protection for anything transmitted over IP. In a corporate network example, PGP lets the branch offices exchange secure mail with head office. SSL and SSH allow them to securely view web pages, connect as terminals to machines, and so on. IPsec can support all those applications, plus database queries, file sharing (NFS or Windows), other protocols encapsulated in IP (Netware, Appletalk, ...), phone-over-IP, video-over-IP, ... anything-over-IP. The only limitation is that IP Multicast is not yet supported, though there are Internet Draft documents for that.

IPsec creates secure tunnels through untrusted networks. Sites connected by these tunnels form VPNs, Virtual Private Networks.

IPsec gateways can be installed wherever they are required.

  • One organisation might choose to install IPsec only on firewalls between their LANs and the Internet. This would allow them to create a VPN linking several offices. It would provide protection against anyone outside their sites.
  • Another might install IPsec on departmental servers so everything on the corporate backbone net was encrypted. This would protect messages on that net from everyone except the sending and receiving department.
  • Another might be less concerned with information secrecy and more with controlling access to certain resources. They might use IPsec packet authentication as part of an access control mechanism, with or without also using the IPsec encryption service.
  • It is even possible (assuming adequate processing power and an IPsec implementation in each node) to make every machine its own IPsec gateway so that everything on a LAN is encrypted. This protects information from everyone outside the sending and receiving machine.
  • These techniques can be combined in various ways. One might, for example, require authentication everywhere on a network while using encryption only for a few links.

Which of these, or of the many other possible variants, to use is up to you. IPsec provides mechanisms; you provide the policy.

No end user action is required for IPsec security to be used; they don't even have to know about it. The site administrators, of course, do have to know about it and to put some effort into making it work. Poor administration can compromise IPsec as badly as the post-it notes mentioned above. It seems reasonable, though, for organisations to hope their system administrators are generally both more security-conscious than end users and more able to follow computer security procedures. If not, at least there are fewer of them to educate or replace.

IPsec can be, and often should be, used along with security protocols at other levels. If two sites communicate with each other via the Internet, then IPsec is the obvious way to protect that communication. If two others have a direct link between them, either link encryption or IPsec would make sense. Choose one or use both. Whatever you use at and below the IP level, use other things as required above that level. Whatever you use above the IP level, consider what can be done with IPsec to make attacks on the higher levels harder. For example, man-in-the-middle attacks on various protocols become difficult if authentication at packet level is in use on the potential victims' communication channel.

Limitations of IPsec

IPsec is designed to secure IP links between machines. It does that well, but it is important to remember that there are many things it does not do. Some of the important limitations are:

IPsec cannot be secure if your system isn't
System security on IPsec gateway machines is an essential requirement if IPsec is to function as designed. No system can be trusted if the underlying machine has been subverted. See books on Unix security such as Garfinkel and Spafford or our web references for Linux security or more general computer security.

Of course, there is another side to this. IPsec can be a powerful tool for improving system and network security. For example, requiring packet authentication makes various spoofing attacks harder and IPsec tunnels can be extremely useful for secure remote administration of various things.

IPsec is not end-to-end
IPsec cannot provide the same end-to-end security as systems working at higher levels. IPsec encrypts an IP connection between two machines, which is quite a different thing than encrypting messages between users or between applications.

For example, if you need mail encrypted from the sender's desktop to the recipient's desktop and decryptable only by the recipient, use PGP or another such system. IPsec can encrypt any or all of the links involved -- between the two mail servers, or between either server and its clients. It could even be used to secure a direct IP link from the sender's desktop machine to the recipient's, cutting out any sort of network snoop. What it cannot ensure is end-to-end user-to-user security. If only IPsec is used to secure mail, then anyone with appropriate privileges on any machine where that mail is stored (at either end or on any store-and-forward servers in the path) can read it.

In another common setup, IPsec encrypts packets at a security gateway machine as they leave the sender's site and decrypts them on arrival at the gateway to the recipient's site. This does provide a useful security service -- only encrypted data is passed over the Internet -- but it does not even come close to providing an end-to-end service. In particular, anyone with appropriate privileges on either site's LAN can intercept the message in unencrypted form.

IPsec cannot do everything
IPsec also cannot provide all the functions of systems working at higher levels of the protocol stack. If you need a document electronically signed by a particular person, then you need his or her digital signature and a public key cryptosystem to verify it with.

Note, however, that IPsec authentication of the underlying communication can make various attacks on higher-level protocols more difficult. In particular, authentication prevents man-in-the-middle attacks.

IPsec authenticates machines, not users
IPsec uses strong authentication mechanisms to control which messages go to which machines, but it does not have the concept of user ID, which is vital to many other security mechanisms and policies. This means some care must be taken in fitting the various security mechanisms on a network together. For example, if you need to control which users access your database server, you need some non-IPsec mechanism for that. IPsec can control which machines connect to the server, and can ensure that data transfer to those machines is done securely, but that is all. Either the machines themselves must control user access or there must be some form of user authentication to the database, independent of IPsec.

IPsec does not stop denial of service attacks
Denial of service attacks aim at causing a system to crash, overload, or become confused so that legitimate users cannot get whatever services the system is supposed to provide. These are quite different from attacks in which the attacker seeks either to use the service himself or to subvert the service into delivering incorrect results.

IPsec shifts the ground for DoS attacks; the attacks possible against systems using IPsec are different than those that might be used against other systems. It does not, however, eliminate the possibility of such attacks.

IPsec does not stop traffic analysis
Traffic analysis is the attempt to derive intelligence from messages without regard for their contents. In the case of IPsec, it would mean analysis based on things visible in the unencrypted headers of encrypted packets -- source and destination gateway addresses, packet size, et cetera. Given the resources to acquire such data and some skill in analysing it (both of which any national intelligence agency should have), this can be a very powerful technique.

IPsec is not designed to defend against this. Partial defenses are certainly possible, and some are described below, but it is not clear that any complete defense can be provided.
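The two points made above, that tunnel-mode IPsec hides everything but the outer gateway addresses and the copied TOS/DSCP value, while traffic analysis still reads whatever the outer header exposes, and that GETVPN instead preserves the original IP header so the MPLS cloud can route and apply QoS to the packet, can be seen by building both packet shapes and parsing only what a passive observer can read. This is an added example, not code from the original post or from Cisco or FreeS/WAN; all addresses, the SA key and the stand-in SHA-256 counter-mode cipher are constructed for the demonstration (a real ESP SA would use AES-CBC or AES-GCM), and only the packet layout matters here.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50   # IP protocol number for ESP (RFC 4303)
ICV_LEN = 16     # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits (RFC 4868)
SA_KEY = b"constructed-sa-key-not-real-keying-material"  # constructed, demo only


def ipv4_header(src, dst, dscp, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    tos = (dscp & 0x3F) << 2          # DSCP occupies the top 6 bits of the TOS byte
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum >> 16) + (csum & 0xFFFF)
    csum = (~(csum + (csum >> 16))) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def keystream(key, spi, seq, length):
    """Stand-in for the ESP cipher: SHA-256 in counter mode keyed per SA/SPI/sequence.
    Constructed so the example runs with the standard library only; it is not a
    real ESP transform and must not be used as one."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:length]


def esp_encapsulate(inner, outer_src, outer_dst, spi, seq, key):
    """Tunnel-mode ESP: the whole inner IP packet (header included) is encrypted and
    integrity protected. Only the outer IP header and the ESP SPI/sequence stay readable."""
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(inner) + 2)) % 4                 # payload + trailer aligned to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # Next Header 4 = IPv4
    plain = inner + trailer
    ct = bytes(a ^ b for a, b in zip(plain, keystream(key, spi, seq, len(plain))))
    icv = hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    inner_dscp = inner[1] >> 2                        # DSCP copied outward so QoS still works
    outer = ipv4_header(outer_src, outer_dst, inner_dscp, ESP_PROTO,
                        len(esp_hdr) + len(ct) + ICV_LEN)
    return outer + esp_hdr + ct + icv


def tunnel_mode(inner, gw_src, gw_dst, spi, seq, key):
    """Conventional site-to-site IPsec: the outer header carries the two gateway addresses."""
    return esp_encapsulate(inner, gw_src, gw_dst, spi, seq, key)


def getvpn_header_preserved(inner, spi, seq, key):
    """GETVPN-style IP header preservation: the outer header copies the original
    source and destination, so the MPLS WAN routes the packet exactly as before."""
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    return esp_encapsulate(inner, src, dst, spi, seq, key)


def observer_view(pkt):
    """Everything a passive observer on the WAN can read without the SA key."""
    _, tos, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    view = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "dscp": tos >> 2, "proto": proto, "length": total_len}
    if proto == ESP_PROTO:
        view["spi"], view["seq"] = struct.unpack("!II", pkt[20:28])
    return view


def esp_decapsulate(pkt, key):
    """Receiving gateway: check the ICV first (a modified packet is rejected), then decrypt."""
    ihl = (pkt[0] & 0x0F) * 4
    esp_hdr, body, icv = pkt[ihl:ihl + 8], pkt[ihl + 8:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed: packet dropped")
    spi, seq = struct.unpack("!II", esp_hdr)
    plain = bytes(a ^ b for a, b in zip(body, keystream(key, spi, seq, len(body))))
    pad_len = plain[-2]
    return plain[:-(pad_len + 2)]


def sample_inner_packet():
    """Constructed inner packet: 8 bytes of UDP-shaped payload between two site hosts, DSCP EF (46)."""
    return ipv4_header("10.0.0.25", "10.0.2.57", 46, 17, 8) + b"\x04\xd2\x16\x2e\x00\x10\x00\x00"


def demo():
    inner = sample_inner_packet()
    tun = tunnel_mode(inner, "203.0.113.1", "198.51.100.1", 0x1000, 1, SA_KEY)
    get = getvpn_header_preserved(inner, 0x1001, 1, SA_KEY)
    return observer_view(tun), observer_view(get), esp_decapsulate(tun, SA_KEY) == inner


if __name__ == "__main__":
    for label, view in zip(("tunnel mode", "GETVPN header preservation"), demo()[:2]):
        print(f"{label:28s} observer sees {view}")
```

In the tunnel-mode output the observer learns only the gateway pair, the DSCP value, the SPI and the packet size; with header preservation the original host addresses are exposed as well, which is the trade-off GETVPN makes for natural routing and QoS.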

Applying and Advantages of IPsec

Applying IPsec

Authentication and encryption functions for network data can, of course, be provided at other levels. Many security protocols work at levels above IP.

  • PGP encrypts and authenticates mail messages
  • SSH authenticates remote logins and then encrypts the session
  • SSL or TLS provides security at the sockets layer, e.g. for secure web browsing

and so on. Other techniques work at levels below IP. For example, data on a communications circuit or an entire network can be encrypted by specialised hardware. This is common practice in high-security applications.

Advantages of IPsec

There are, however, advantages to doing it at the IP level instead of, or as well as, at other levels.

IPsec is the most general way to provide these services for the Internet.

  • Higher-level services protect a single protocol; for example PGP protects mail.
  • Lower level services protect a single medium; for example a pair of encryption boxes on the ends of a line make wiretaps on that line useless unless the attacker is capable of breaking the encryption.

IPsec, however, can protect any protocol running above IP and any medium which IP runs over. More to the point, it can protect a mixture of application protocols running over a complex combination of media. This is the normal situation for Internet communication; IPsec is the only general solution.

IPsec can also provide some security services "in the background", with no visible impact on users. To use PGP encryption and signatures on mail, for example, the user must at least:

  • remember his or her passphrase,
  • keep it secure
  • follow procedures to validate correspondents' keys

These systems can be designed so that the burden on users is not onerous, but any system will place some requirements on users. No such system can hope to be secure if users are sloppy about meeting those requirements. The author has seen username and password stuck on terminals with post-it notes in an allegedly secure environment, for example.

The IPsec protocols

This section provides information on the IPsec protocols which FreeS/WAN implements. For more detail, see the RFCs.

The basic idea of IPsec is to provide security functions, authentication and encryption, at the IP (Internet Protocol) level. This requires a higher-level protocol (IKE) to set things up for the IP-level services (ESP and AH).

Protocols and phases

Three protocols are used in an IPsec implementation:

ESP, Encapsulating Security Payload
Encrypts and/or authenticates data
AH, Authentication Header
Provides a packet authentication service
IKE, Internet Key Exchange
Negotiates connection parameters, including keys, for the other two

The term "IPsec" (also written as IPSEC) is slightly ambiguous. In some contexts, it includes all three of the above but in other contexts it refers only to AH and ESP.

There is more detail below, but a quick summary of how the whole thing works is:

Phase one IKE (main mode exchange)
sets up a keying channel (ISAKMP SA) between the two gateways
Phase two IKE (quick mode exchange)
sets up data channels (IPsec SAs)
IPsec proper
exchanges data using AH or ESP

Both phases of IKE are repeated periodically to automate re-keying.

Thursday, October 15, 2009

Cisco ASA, PIX, and FWSM Firewall Handbook (2nd Edition)

Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition, is a guide for the most commonly implemented features of the popular Cisco® firewall security solutions. Fully updated to cover the latest firewall releases, this book helps you to quickly and easily configure, integrate, and manage the entire suite of Cisco firewall products, including ASA, PIX®, and the Catalyst® Firewall Services Module (FWSM).

Organized by families of features, this book helps you get up to speed quickly and efficiently on topics such as file management, building connectivity, controlling access, firewall management, increasing availability with failover, load balancing, logging, and verifying operation.

By Dave Hucaby


Download Link:
http://w15.easy-share.com/1702348408.html
http://www.4shared.com/file/70257061/629d0abe/CiscoASA_PIXFWSMHandbook2ndEdiAug2007.html

Sunday, October 11, 2009

Cisco Networkers 2009- Advanced IPSec with GET VPN

The Advanced IPSec with GET VPN session covers the design principles associated with the deployment of Group Encrypted Transport (GET) VPNs. A brief overview covers the protocols (GDOI and COOP) and state machines associated with group members and key servers. Best practices are emphasized for redundancy, scalability, manageability, and network performance. Discussion also covers various deployment scenarios. Knowledge of GET VPN architecture is highly recommended as a prerequisite.



Advanced IPSec with GET VPN
Download Links:
http://rapidshare.com/files/289674332/LiP-Advanced_IPSec_with_GET_VPN.part01.rar.html
http://rapidshare.com/files/289674298/LiP-Advanced_IPSec_with_GET_VPN.part02.rar.html
http://rapidshare.com/files/289674306/LiP-Advanced_IPSec_with_GET_VPN.part03.rar.html
http://rapidshare.com/files/289674266/LiP-Advanced_IPSec_with_GET_VPN.part04.rar.html
http://rapidshare.com/files/289674317/LiP-Advanced_IPSec_with_GET_VPN.part05.rar.html
http://rapidshare.com/files/289674297/LiP-Advanced_IPSec_with_GET_VPN.part06.rar.html
http://rapidshare.com/files/289674067/LiP-Advanced_IPSec_with_GET_VPN.part07.rar.html

Sample of Cisco PIX 515E Configuration

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname CHICAGOTECH
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.254.0.4 OWA
name 10.0.0.3 MAIL
name 10.0.0.19 DATA
name 10.0.0.29 DC
name 10.0.0.28 001109
name 10.0.0.25 Bob
name 10.0.0.7 Runit
name 10.0.2.57 001288
object-group service TCP-DCs tcp
  port-object eq ldaps
  port-object eq 3268
  port-object eq ldap
  port-object eq domain
  port-object eq 88
  port-object eq 135
  port-object range 137 netbios-ssn
  port-object range 1024 65535
  port-object eq 445
object-group service TCP-Mail tcp
  port-object eq 691
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq 135
  port-object eq 445
  port-object eq ftp
object-group service UDP-DCs udp
  port-object eq 389
  port-object eq domain
  port-object eq 88
  port-object eq 135
  port-object range netbios-ns 139
  port-object range 1024 65535
object-group network DCs_ref
  network-object DATA 255.255.255.255
  network-object DC 255.255.255.255
object-group network DCs
  network-object DATA 255.255.255.255
  network-object DC 255.255.255.255
object-group network DCs_ref_1
  network-object DATA 255.255.255.255
  network-object DC 255.255.255.255
object-group service OWA_Ports tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq pop3
object-group service TCP_OWA_DCs tcp
  port-object range 1024 65535
  port-object eq domain
  port-object eq ldap
  port-object eq 135
  port-object eq 88
  port-object eq 3268
object-group service UDP_OWA_DCs udp
  port-object eq domain
  port-object eq 88
  port-object eq 389
object-group service TCP_OWA_MAIL tcp
  port-object eq www
  port-object eq 691
  port-object eq ftp
  port-object eq https
  port-object eq smtp
object-group service TCP_OWA_INSIDE tcp
  port-object eq www
  port-object eq ftp
  port-object eq pop3
  port-object eq https
  port-object eq 123
  port-object eq smtp
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host x.x.x.195 object-group OWA_Ports
access-list outside_access_in permit tcp any host x.x.x.202 eq pcanywhere-data
access-list outside_access_in deny udp any host x.x.x.197 eq isakmp log
access-list outside_access_in deny ah any host x.x.x.197
access-list outside_access_in deny esp any host x.x.x.197
access-list outside_access_in deny udp any host x.x.x.197 eq 4500
access-list outside_access_in deny udp any host x.x.x.202 eq isakmp
access-list outside_access_in deny ah any host x.x.x.204
access-list outside_access_in deny esp any host x.x.x.202
access-list outside_access_in deny tcp any host x.x.x.204 eq 3389
access-list outside_access_in permit tcp any host x.x.x.205 eq pcanywhere-data
access-list DMZ_access_in permit tcp host OWA object-group DCs_ref_1 object-group TCP_OWA_DCs
access-list DMZ_access_in permit udp host OWA object-group DCs_ref_1 object-group UDP_OWA_DCs
access-list DMZ_access_in permit icmp host OWA object-group DCs_ref_1
access-list DMZ_access_in permit tcp host OWA host MAIL object-group TCP_OWA_MAIL
access-list DMZ_access_in permit tcp host OWA any object-group TCP_OWA_INSIDE
access-list DMZ_access_in permit icmp host OWA any echo-reply
access-list DMZ_access_in permit icmp host OWA any unreachable
access-list DMZ_access_in permit icmp host OWA any time-exceeded
access-list VPN_splitTunnelAcl permit ip 10.0.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.192
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 10.0.1.29
logging host inside 10.0.0.11
logging host inside MAIL
logging host outside 192.168.254.3
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.x.194 255.255.255.224
ip address inside 10.0.0.2 255.255.0.0
ip address DMZ 172.254.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool POOL 192.168.254.1-192.168.254.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
pdm location 172.16.100.0 255.255.255.0 inside
pdm location OWA 255.255.255.255 DMZ
pdm location 001109 255.255.255.255 inside
pdm location 10.0.1.29 255.255.255.255 inside
pdm location MAIL 255.255.255.255 inside
pdm location DATA 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location Bob 255.255.255.255 inside
pdm location 10.0.0.11 255.255.255.255 inside
pdm location apps 255.255.255.255 inside
pdm location 192.168.254.3 255.255.255.255 outside
pdm location x.x.x.111 255.255.255.255 outside
pdm location 70.131.123.103 255.255.255.255 outside
pdm location 001288 255.255.255.255 inside
pdm group DCs inside
pdm group DCs_ref_1 DMZ reference DCs
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.222
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 OWA 255.255.255.255 0 0
static (inside,DMZ) 001109 001109 netmask 255.255.255.255 0 0
static (inside,DMZ) 172.16.100.0 172.16.100.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
static (DMZ,outside) x.x.x.195 OWA netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.197 Bob netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.204 001109 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.202 001288 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.205 apps netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.199 10.0.0.11 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route inside 172.16.100.0 255.255.255.0 10.0.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup VPN address-pool POOL

vpngroup VPN dns-server DC DATA

vpngroup VPN wins-server DC DATA

vpngroup VPN default-domain chicgaobotanic.org

vpngroup VPN split-tunnel VPN_splitTunnelAcl

vpngroup VPN idle-time 1800

telnet x.x.x.103 255.255.255.255 outside

telnet 10.0.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0
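A small configuration audit, added here as an example and not part of the original post, that scans PIX-style config lines for the weak settings visible in the configuration above: a default SNMP community, DES and MD5 in the IKE policy and IPsec transform set, telnet management reachable from the outside interface, a console that never times out, a remote-control service exposed to any source, and a DMZ host allowed to open TCP to any destination. The check table and finding ids are constructed for this example; the sample lines are copied from the posted configuration (addresses masked by the author).

```python
import re

# Constructed check table for this example: (finding id, pattern, why it matters).
CHECKS = [
    ("snmp-default-community", r"^snmp-server community (public|private)$",
     "well-known SNMP community string"),
    ("ike-weak-cipher", r"^isakmp policy \d+ encryption (des|3des)$",
     "IKE phase 1 cipher is DES/3DES; use AES"),
    ("ike-weak-hash", r"^isakmp policy \d+ hash md5$",
     "IKE phase 1 integrity is MD5; use SHA"),
    ("ipsec-weak-transform", r"^crypto ipsec transform-set \S+ .*\besp-(des|md5-hmac)\b",
     "IPsec transform set uses DES and/or MD5"),
    ("telnet-from-outside", r"^telnet \S+ \S+ outside$",
     "cleartext telnet management allowed from the outside interface"),
    ("console-no-timeout", r"^console timeout 0$",
     "console sessions never time out"),
    ("remote-control-from-any", r"^access-list \S+ permit tcp any host \S+ eq (pcanywhere-data|3389)$",
     "remote-control service exposed to any source address"),
    ("dmz-to-any", r"^access-list DMZ_access_in permit tcp host \S+ any\b",
     "DMZ host may initiate TCP to any address, including inside"),
]
COMPILED = [(fid, re.compile(p), why) for fid, p, why in CHECKS]

def audit(config_text):
    """Return [(line_no, finding_id, why)] for every config line matching a check."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for fid, pat, why in COMPILED:
            if pat.search(line):
                findings.append((n, fid, why))
    return findings

# Excerpt of the posted configuration (addresses were already masked by the author).
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host x.x.x.205 eq pcanywhere-data
access-list DMZ_access_in permit tcp host OWA any object-group TCP_OWA_INSIDE
snmp-server community public
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp policy 20 encryption des
isakmp policy 20 hash md5
telnet x.x.x.103 255.255.255.255 outside
telnet 10.0.0.0 255.255.0.0 inside
console timeout 0
"""

if __name__ == "__main__":
    for n, fid, why in audit(SAMPLE_CONFIG):
        print(f"line {n}: {fid}: {why}")
```

The telnet-from-inside line is left in the sample as a control that should produce no finding.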



Microsoft Server + Certification Training Kit

The Server+ credential is the newest certification developed by CompTIA, the Computing Technology Industry Association, and this self-paced training kit provides in-depth exam preparation for IT professionals moving up from entry-level or A+ status. The SERVER+ CERTIFICATION TRAINING KIT delivers a thorough, vendor-neutral study of hardware-related issues in the networked environment, including RAID, SCSI, multiple CPUs, and hot swapping. Service managers, system engineers/administrators, help desk staff, and other mid-level and upper-level technicians can use the kit to build real-world expertise as they prepare for the corresponding skill areas of the Server+ exam. Topics include installation, configuration, upgrading, proactive maintenance, environment, troubleshooting, and disaster recovery. The kit is modular and self-paced, with hands-on, skill-building exercises. The entire book, as well as the Microsoft Encyclopedia of Networking, is included on CD-ROM for easy searching and reference.
Download Link:
http://rapidshare.com/files/237312490/Microsoft_Server__Certification_Training_Kit.rar