• Wikipedia about SSL/TLS

• OpenSSL → http://www.openssl.org/
• http://dev.openssl.org/
• The Most Common OpenSSL Commands
• A few frequently used SSL commands
• OpenSSL Command-Line HOWTO
• OpenSSL vulnerability in Debian → http://www.debian.org/security/2008/dsa-1571
• OpenSSL for Windows (link from Colubris)
  → http://www.slproweb.com/products/Win32OpenSSL.html

Test SMTP-over-SSL:

openssl s_client -connect host.domain.net:3525

• X509 is an ITU-T standard for a public key infrastructure (PKI), specifies public key certificates.
• Public Key Cryptography Standards → PKCS
• A .PEM file may contain certificate(s) or private key(s), enclosed between the appropriate BEGIN/END-lines (Base64 encoded).
• DER (Distinguished Encoding Rules) is a different format (non-Base64)
• Common Certificate filename extensions for X.509 certificates are:
  • .pem - (Privacy Enhanced Mail) Base64 encoded DER certificate
  • .cer, .crt, .der - usually in binary form (DER), but Base64-encoded (PEM) certificates are common too.
  • .p7b, .p7c - PKCS7 SignedData structure without data, just certificate(s) or CRL(s)
  • .p12 - PKCS12, may contain certificate(s) (public) and private keys (password protected)
  • .pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
• PKCS#7 is a standard for signing or encrypting (officially called “enveloping”) data.
• PKCS#10 is Certification Request Standard (CSR)
• PKCS#12 evolved from the PFX (Personal inFormation eXchange) standard and is used to exchange public and private objects in a single file.
• http://www.cacert.org/
• http://www.rapidssl.com/
• http://www.sslcertificaten.nl/
• http://www.instantssl.com/
• Free SSL Certificate (Comodo)
• Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
• SSL HOWTO: using openssl to get keys into PKCS#12 format
• Multi-site certification voor MS Exchange, zie
  → http://www.sslcertificaten.nl/multidomein.php
• multi-site = Unified Communications Certificaten (UCC)
• SAN: The Subject Alternative Name field explained
  → http://www.digicert.com/subject-alternative-name.htm
• Comparison of SSL certificates for web servers
• EVC = Extended Validation Certificate
• Extended Validation → https://www.sslcertificaten.nl/GroeneAdresbalk
• Generate UCC cert on Exchange-2007 → https://www.digicert.com/easy-csr/exchange2007.htm
• OCSP = Online Certificate Status Protocol (alternative to CRL)

• Xolphin → http://www.sslcertificaten.nl/
• SSL.NU → https://www.ssl.nu/nl/

• MD5/SHA1 database → http://md5.rednoize.com/
• MD5 GUI for Windows → http://www.toast442.org/md5/

• http://www.openssh.com/
• Putty
• Putty User Manual
• ssh
• http://sial.org/howto/openssh/publickey-auth/
• http://www.ece.uci.edu/~chou/ssh-key.html
• http://www.csua.berkeley.edu/~ranga/notes/ssh_nopass.html
• Slashdot → Debian Bug Leaves Private SSL/SSH Keys Guessable

• FTP is insecure: both the control-channel (login, dir list, get/put cmds) and the data-channel (file upload/download) is clear-text
• There are 3 “Secure FTP” versions (overview):
  • FTPS = FTP over SSL
    • Explicit FTPS = FTPES (negotiates AUTH)
      The CCC (Clear Command Channel) command revert the control-channel back to cleartext to allow NAT-routers to snoop the data-channels ports.
    • Implicit FTPS (deprecated)
  • SFTP = SSH-FTP (is a SSH native file-transfer protocol, like SCP)
  • FTP-over-SSH

• SFTP
• How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh
• rssh → http://www.pizzashack.org/rssh/
• scponly → http://www.sublimation.org/scponly/wiki/index.php/Main_Page

• Rootkit
• http://www.chkrootkit.org/
• http://rkhunter.sourceforge.net/
• http://www.ossec.net/

• Alladin Safeword Tokens
  → http://www.aladdin.com/safeword/authenticators.aspx
• http://www.aladdin.com/support/safeword/application-notes.aspx

• NotepadCrypt

• IPsec
• http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html
• IPSec Overview Part Four: Internet Key Exchange (IKE)
  → http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
• http://www.tcpipguide.com/free/t_IPSecKeyExchangeIKE-2.htm
• Cisco: IPsec Troubleshooting: Understanding and Using debug Commands

• What is IKE ID mode?
  → There are 2 IDs in an IKE exchange:

ID in phase 1 = authentication of the remote VPN gateway:
  ID_IPV4_ADDR/ID_FQDN/ID_USER_FQDN/ID_DER_ASN1_DN
ID used in phase 2 = proxy id = retrieved from the pre-configured policy =
  ID_IPV4-ADDR/ID_IPV4_SUBNET/ID_IPV4_RANGE

IPsec overview:
- IKE phase 1: establish ISAKMP-SA (used to encrypt IKE phase-2)
- IKE phase 2: establish IPsec-SA (used to encrypt IPsec ESP)
- IPsec ESP tunneling

IKE phase 1:
- ISAKMP 
- match local/remote IKE ID (IP/FQDN/U-FQDN)
- negotiate proposals with elements:
  * d

Links to local pages:

• OpenVPN config examples
• OpenVPN notes

Links:

• James Yonan's OpenVPN → http://openvpn.net/
• OpenVPN 2.0 Manual page
• OpenVPN 2.1 Manual page
• OpenVPN 2.2 Manual page
• Running OpenVPN as a Windows Service
• OpenVPN GUI → http://openvpn.se/
• Endian (an OpenVPN based VPN/Firewall) → http://www.endian.com/
• Endian forked from IpCop → http://www.ipcop.org/
• OpenVPN Web GUI (old) → http://openvpn-web-gui.sourceforge.net/
• http://en.wikipedia.org/wiki/OpenVPN_infrastructure
• Article by SANS: OpenVPN and the SSL VPN Revolution
  → http://www.sans.org/reading_room/whitepapers/vpns/1459.php
• built your own OpenVPN install-script
• Active Directory Authentication for OpenVPN
• OpenVPN Auth-LDAP Plugin
• Access Server → http://openvpn.net/index.php/access-server/download-openvpn-as.html
• SurfBouncer uses OpenVPN → http://www.surfbouncer.com/
• Tips OpenVPN on Windows7
• http://easyopackager.sourceforge.net/
• OSPF over OpenVPN → http://openmaniak.com/openvpn_routing.php

• Safenet SoftRemote (before NS Remote Client)
  → http://biz.safenet-inc.com/prod/software/index.asp
• AnthaVPN → http://www.anthasoft.com/anthavpn-virtual-private-network.php
• The GreenBow → http://thegreenbow.com/vpn.html
• Juniper/Netscreen IPsec client discusion
• (replacement Netscreen Secure Client): Universal IPsec VPN Client
  → van NCP-E: http://www.ncp-e.com/

• http://www.shrew.net/download/vpn
• http://www.shrew.net/support/wiki/HowtoJuniperSsg
• http://sourceforge.net/projects/ivpn/

• IPsec
• IKE = Internet Key Exchange
• Xauth = IKE Extended Authentication
• Cisco on Xauth
• XAuth info → draft-beaulieu-ike-xauth-02.txt

• picture from SNORT that shows traffic flow through Linux-kernel and netfilter (iptables):

• NZV 'Aladdin SafeWord 2008' → http://www.aladdin.com/SafeWord/default.aspx
• SafeWord and Juniper → http://www.aladdin.com/partners/findresults.aspx?id=231
• http://www.aladdin.com/etoken/solutions/secure-vpn-access.aspx

• Port knocking

• Juniper KB: Configuring PPTP, IPSec pass-through or L2TP over IPSec solutions on a Juniper Firewall device
  → http://kb.juniper.net/InfoCenter/index?page=content&id=KB8536

• http://www.juniper.net/us/en/products-services/security/ssg-series/ssg140/

• http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html

• http://www.websense.com/content/Juniper.aspx
• http://kb.juniper.net/KB4197

• SecureWorks: A Firewall Log Analysis Primer
• Stonylake Firewall Reporter → http://www.stonylakesolutions.com/sls/about%20sfr.jsp
• ManageEngine Firewall Analyzer → http://www.manageengine.com/products/firewall/
• SnortAlog → http://jeremy.chartier.free.fr/snortalog/
• http://www.sawmill.net/products.html

hint

• SNMP Traffic Grapher STG → http://www.wtcs.org/informant/stg.htm