This shows you the differences between two versions of the page.
links:security [2016/02/19 10:46] jdg [Secure Timestamp] |
links:security [2019/03/06 07:33] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Security Links ====== | ||
- | |||
- | |||
- | |||
- | ==== SSL / TLS ==== | ||
- | |||
- | * Wikipedia about [[wp>Secure_Sockets_Layer|SSL/TLS]] | ||
- | |||
- | === OpenSSL === | ||
- | |||
- | * OpenSSL -> http://www.openssl.org/ | ||
- | * http://dev.openssl.org/ | ||
- | * [[http://www.sslshopper.com/article-most-common-openssl-commands.html|The Most Common OpenSSL Commands]] | ||
- | * [[http://shib.kuleuven.be/docs/ssl_commands.shtml|A few frequently used SSL commands]] | ||
- | * [[http://www.madboa.com/geek/openssl/|OpenSSL Command-Line HOWTO]] | ||
- | * OpenSSL vulnerability in Debian -> http://www.debian.org/security/2008/dsa-1571 | ||
- | * OpenSSL for Windows (link from Colubris) \\ -> http://www.slproweb.com/products/Win32OpenSSL.html | ||
- | |||
- | Test SMTP-over-SSL: | ||
- | <code> | ||
- | openssl s_client -verify 3 -showcerts -connect host.domain.net:3525 | ||
- | </code> | ||
- | |||
- | ==== X509 Certificates ==== | ||
- | |||
- | * [[wp>X509]] is an ITU-T standard for a public key infrastructure (PKI), specifies public key certificates. | ||
- | * Public Key Cryptography Standards -> [[wp>PKCS]] | ||
- | * A [[wp>Privacy-enhanced_Electronic_Mail|.PEM]] file may contain certificate(s) or private key(s), enclosed between the appropriate BEGIN/END-lines ([[wp>Base64]] encoded). | ||
- | * [[wp>DER]] (Distinguished Encoding Rules) is a different format (non-Base64) | ||
- | * Common [[wp>X.509#Certificate_filename_extensions|Certificate filename extensions]] for X.509 certificates are: | ||
- | * .pem - (Privacy Enhanced Mail) Base64 encoded DER certificate | ||
- | * .cer, .crt, .der - usually in binary form (DER), but Base64-encoded (PEM) certificates are common too. | ||
- | * .p7b, .p7c - PKCS7 SignedData structure without data, just certificate(s) or CRL(s) | ||
- | * .p12 - PKCS12, may contain certificate(s) (public) and private keys (password protected) | ||
- | * .pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS) | ||
- | * PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. | ||
- | * PKCS#10 is Certification Request Standard (CSR) | ||
- | * PKCS#12 evolved from the PFX (Personal inFormation eXchange) standard and is used to exchange public and private objects in a single file. | ||
- | * http://www.cacert.org/ | ||
- | * http://www.rapidssl.com/ | ||
- | * http://www.sslcertificaten.nl/ | ||
- | * http://www.instantssl.com/ | ||
- | * [[ | ||
- | http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html?entryURL=http%3A//www.instantssl.com/| | ||
- | Free SSL Certificate (Comodo) | ||
- | ]] | ||
- | * [[http://msexchangeteam.com/archive/2007/02/19/435472.aspx| | ||
- | Exchange 2007 lessons learned - generating a certificate with a 3rd party CA]] | ||
- | * [[http://blog.palantirtech.com/2008/06/23/pkcs12/| | ||
- | SSL HOWTO: using openssl to get keys into PKCS#12 format]] | ||
- | * Multi-site certification voor MS Exchange, zie \\ -> http://www.sslcertificaten.nl/multidomein.php | ||
- | * multi-site = Unified Communications Certificaten (UCC) | ||
- | * SAN: The Subject Alternative Name field explained \\ -> http://www.digicert.com/subject-alternative-name.htm | ||
- | * [[wp>Comparison_of_SSL_certificates_for_web_servers|Comparison of SSL certificates for web servers]] | ||
- | * EVC = [[wp>Extended_Validation_Certificate|Extended Validation Certificate]] | ||
- | * Extended Validation -> https://www.sslcertificaten.nl/GroeneAdresbalk | ||
- | * Generate UCC cert on Exchange-2007 -> https://www.digicert.com/easy-csr/exchange2007.htm | ||
- | * OCSP = [[ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol | ||
- | |Online Certificate Status Protocol]] (alternative to CRL) | ||
- | |||
- | |||
- | ==== Publicly Signed SSL certificates ==== | ||
- | |||
- | * Xolphin -> http://www.sslcertificaten.nl/ | ||
- | * SSL.NU -> https://www.ssl.nu/nl/ | ||
- | |||
- | |||
- | |||
- | ==== Security ==== | ||
- | |||
- | * MD5/SHA1 database -> http://md5.rednoize.com/ | ||
- | * MD5 GUI for Windows -> http://www.toast442.org/md5/ | ||
- | |||
- | |||
- | |||
- | ==== SSH ==== | ||
- | |||
- | * http://www.openssh.com/ | ||
- | * [[ http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html | ||
- | |Putty]] | ||
- | * [[ | ||
- | http://the.earth.li/~sgtatham/putty/0.53b/htmldoc/Contents.html | ||
- | |Putty User Manual]] | ||
- | * [[wp>ssh]] | ||
- | * http://sial.org/howto/openssh/publickey-auth/ | ||
- | * http://www.ece.uci.edu/~chou/ssh-key.html | ||
- | * http://www.csua.berkeley.edu/~ranga/notes/ssh_nopass.html | ||
- | * Slashdot -> [[ | ||
- | http://it.slashdot.org/article.pl?sid=08/05/13/1533212 | ||
- | |Debian Bug Leaves Private SSL/SSH Keys Guessable]] | ||
- | |||
- | ===== Secure FTP Overview ===== | ||
- | |||
- | * [[wp>File_Transfer_Protocol|FTP]] is insecure: both the control-channel (login, dir list, get/put cmds) and the data-channel (file upload/download) is clear-text | ||
- | * There are 3 "Secure FTP" versions ([[wp>FTP_over_SSH#Secure_FTP|overview]]): | ||
- | * [[wp>FTPS]] = FTP over SSL | ||
- | * Explicit FTPS = FTPES (negotiates AUTH) \\ The CCC (Clear Command Channel) command revert the control-channel back to cleartext to allow NAT-routers to snoop the data-channels ports. | ||
- | * Implicit FTPS (deprecated) | ||
- | * [[wp>SSH_File_Transfer_Protocol|SFTP]] = SSH-FTP (is a SSH native file-transfer protocol, like SCP) | ||
- | * [[wp>FTP_over_SSH#FTP_over_SSH_.28not_SFTP.29|FTP-over-SSH]] | ||
- | |||
- | |||
- | ==== SFTP/SCP ==== | ||
- | |||
- | * [[wp>SSH_file_transfer_protocol|SFTP]] | ||
- | * [[ | ||
- | http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html | ||
- | |How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh]] | ||
- | * rssh -> http://www.pizzashack.org/rssh/ | ||
- | * scponly -> http://www.sublimation.org/scponly/wiki/index.php/Main_Page | ||
- | |||
- | ==== Rootkit ==== | ||
- | * [[wp>Rootkit]] | ||
- | * http://www.chkrootkit.org/ | ||
- | * http://rkhunter.sourceforge.net/ | ||
- | * http://www.ossec.net/ | ||
- | |||
- | ==== Token ==== | ||
- | |||
- | * Alladin Safeword Tokens \\ -> http://www.aladdin.com/safeword/authenticators.aspx | ||
- | * http://www.aladdin.com/support/safeword/application-notes.aspx | ||
- | |||
- | |||
- | |||
- | ===== Encryption Apps ===== | ||
- | |||
- | ==== Secure Editor ==== | ||
- | |||
- | * [[ | ||
- | http://www.andromeda.com/people/ddyer/notepad/NotepadCrypt.html | ||
- | |NotepadCrypt]] | ||
- | |||
- | ===== VPN tunneling ===== | ||
- | |||
- | ==== IPsec ==== | ||
- | |||
- | * [[wp>IPsec]] | ||
- | * http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html | ||
- | * IPSec Overview Part Four: Internet Key Exchange (IKE) \\ -> http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7 | ||
- | * http://www.tcpipguide.com/free/t_IPSecKeyExchangeIKE-2.htm | ||
- | * Cisco: [[ | ||
- | http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#check | ||
- | |IPsec Troubleshooting: Understanding and Using debug Commands]] | ||
- | |||
- | * [[ | ||
- | http://kb.juniper.net/InfoCenter/index?page=content&id=KB5633&cat=IPSEC&actp=LIST | ||
- | |What is IKE ID mode?]] \\ -> There are 2 IDs in an IKE exchange: | ||
- | |||
- | <code> | ||
- | ID in phase 1 = authentication of the remote VPN gateway: | ||
- | ID_IPV4_ADDR/ID_FQDN/ID_USER_FQDN/ID_DER_ASN1_DN | ||
- | ID used in phase 2 = proxy id = retrieved from the pre-configured policy = | ||
- | ID_IPV4-ADDR/ID_IPV4_SUBNET/ID_IPV4_RANGE | ||
- | </code> | ||
- | |||
- | |||
- | <code> | ||
- | IPsec overview: | ||
- | - IKE phase 1: establish ISAKMP-SA (used to encrypt IKE phase-2) | ||
- | - IKE phase 2: establish IPsec-SA (used to encrypt IPsec ESP) | ||
- | - IPsec ESP tunneling | ||
- | |||
- | IKE phase 1: | ||
- | - ISAKMP | ||
- | - match local/remote IKE ID (IP/FQDN/U-FQDN) | ||
- | - negotiate proposals with elements: | ||
- | * d | ||
- | |||
- | </code> | ||
- | |||
- | |||
- | ==== OpenVPN ==== | ||
- | |||
- | Links to local pages: | ||
- | * [[:links:openvpn|OpenVPN config examples]] | ||
- | * [[:links:openvpn_notes|OpenVPN notes]] | ||
- | |||
- | Links: | ||
- | * James Yonan's OpenVPN -> http://openvpn.net/ | ||
- | * [[ | ||
- | http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html | ||
- | |OpenVPN 2.0 Manual page]] | ||
- | * [[ | ||
- | http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html | ||
- | |OpenVPN 2.1 Manual page]] | ||
- | * [[ | ||
- | http://openvpn.net/index.php/manuals/427-openvpn-22.html | ||
- | |OpenVPN 2.2 Manual page]] | ||
- | * [[ | ||
- | http://openvpn.net/index.php/documentation/install.html?start=1#running_as_windows_service | ||
- | |Running OpenVPN as a Windows Service]] | ||
- | * OpenVPN GUI -> http://openvpn.se/ | ||
- | * Endian (an OpenVPN based VPN/Firewall) -> http://www.endian.com/ | ||
- | * Endian forked from IpCop -> http://www.ipcop.org/ | ||
- | * OpenVPN Web GUI (old) -> http://openvpn-web-gui.sourceforge.net/ | ||
- | * http://en.wikipedia.org/wiki/OpenVPN_infrastructure | ||
- | * Article by SANS: OpenVPN and the SSL VPN Revolution \\ -> http://www.sans.org/reading_room/whitepapers/vpns/1459.php | ||
- | * [[ | ||
- | http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html| | ||
- | built your own OpenVPN install-script | ||
- | ]] | ||
- | * [[ | ||
- | http://amigo4life.googlepages.com/openvpn| | ||
- | Active Directory Authentication for OpenVPN | ||
- | ]] | ||
- | * [[ | ||
- | http://code.google.com/p/openvpn-auth-ldap/| | ||
- | OpenVPN Auth-LDAP Plugin | ||
- | ]] | ||
- | * Access Server -> http://openvpn.net/index.php/access-server/download-openvpn-as.html | ||
- | * SurfBouncer uses OpenVPN -> http://www.surfbouncer.com/ | ||
- | * Tips OpenVPN on [[ | ||
- | http://www.fiberworks.com/DNN/Support/OpenVPN/tabid/171/language/en-US/Default.aspx | ||
- | |Windows7]] | ||
- | * http://easyopackager.sourceforge.net/ | ||
- | * OSPF over OpenVPN -> http://openmaniak.com/openvpn_routing.php | ||
- | |||
- | |||
- | ==== IPsec clients ==== | ||
- | |||
- | * Safenet SoftRemote (before NS Remote Client) \\ -> http://biz.safenet-inc.com/prod/software/index.asp | ||
- | * AnthaVPN -> http://www.anthasoft.com/anthavpn-virtual-private-network.php | ||
- | * The GreenBow -> http://thegreenbow.com/vpn.html | ||
- | * [[ | ||
- | http://forums.juniper.net/t5/Firewalls/Recommend-an-IPSec-Client-for-SSG-s/m-p/9555/message-uid/9555 | ||
- | |Juniper/Netscreen IPsec client discusion]] | ||
- | * (replacement Netscreen Secure Client): Universal IPsec VPN Client \\ -> van NCP-E: http://www.ncp-e.com/ | ||
- | |||
- | === Open-Source IPsec clients === | ||
- | |||
- | * http://www.shrew.net/download/vpn | ||
- | * http://www.shrew.net/support/wiki/HowtoJuniperSsg | ||
- | * http://sourceforge.net/projects/ivpn/ | ||
- | |||
- | ==== IPsec info ==== | ||
- | |||
- | * [[wp>IPsec]] | ||
- | * IKE = [[wp>Internet_Key_Exchange|Internet Key Exchange]] | ||
- | * Xauth = IKE Extended Authentication | ||
- | * Cisco on [[ | ||
- | http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/xauth.html | ||
- | |Xauth]] | ||
- | * XAuth info -> [[ | ||
- | http://www.unix-ag.uni-kl.de/~massar/vpnc/docs/draft-beaulieu-ike-xauth-02.txt | ||
- | |draft-beaulieu-ike-xauth-02.txt]] | ||
- | |||
- | ===== Linux Security ===== | ||
- | |||
- | * picture from SNORT that shows traffic flow through Linux-kernel and netfilter (iptables): | ||
- | |||
- | ---- | ||
- | |||
- | {{:links:inline_netfilter.gif}} | ||
- | |||
- | ---- | ||
- | |||
- | ===== Secure Timestamp ===== | ||
- | |||
- | * https://en.wikipedia.org/wiki/Trusted_timestamping \\ According to the RFC 3161 standard, a trusted timestamp is a timestamp \\ issued by a trusted third party (TTP) acting as a Time Stamping Authority (TSA). | ||
- | * [[https://tools.ietf.org/html/rfc3161|RFC3163]] Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) | ||
- | * https://www.digitalehandtekeningen.nl/support/Code_Signing_Certificaten/Time_Stamping | ||
- | * use this TSA: http://timestamp.comodoca.com/authenticode * https://www.digitalehandtekeningen.nl/support/Timestamping | ||
- | ===== Fortigate ===== | ||
- | |||
- | * Fortigate FW from Fortinet | ||
- | * Docs en SW -> http://docs.fortinet.com/fgt.html | ||
- | |||
- | ===== Tokens ===== | ||
- | |||
- | ==== Aladdin SafeWord ==== | ||
- | |||
- | * NZV 'Aladdin SafeWord 2008' -> http://www.aladdin.com/SafeWord/default.aspx | ||
- | * SafeWord and Juniper -> http://www.aladdin.com/partners/findresults.aspx?id=231 | ||
- | * http://www.aladdin.com/etoken/solutions/secure-vpn-access.aspx | ||
- | |||
- | ===== Firewall ===== | ||
- | |||
- | * [[wp>Port_knocking|Port knocking]] | ||
- | |||
- | ==== Juniper Netscreen ScreenOS ==== | ||
- | |||
- | * Juniper KB: Configuring PPTP, IPSec pass-through or L2TP over IPSec solutions on a Juniper Firewall device \\ -> http://kb.juniper.net/InfoCenter/index?page=content&id=KB8536 | ||
- | |||
- | === SSG-140 === | ||
- | |||
- | * http://www.juniper.net/us/en/products-services/security/ssg-series/ssg140/ | ||
- | |||
- | === SSG documentation === | ||
- | |||
- | * http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html | ||
- | |||
- | === WebSense on Juniper === | ||
- | |||
- | * http://www.websense.com/content/Juniper.aspx | ||
- | * http://kb.juniper.net/KB4197 | ||
- | |||
- | ==== Log Analyzer ==== | ||
- | |||
- | * SecureWorks: [[ | ||
- | http://www.secureworks.com/research/articles/firewall-primer | ||
- | |A Firewall Log Analysis Primer]] | ||
- | * Stonylake Firewall Reporter -> http://www.stonylakesolutions.com/sls/about%20sfr.jsp | ||
- | * ManageEngine Firewall Analyzer -> http://www.manageengine.com/products/firewall/ | ||
- | * SnortAlog -> http://jeremy.chartier.free.fr/snortalog/ | ||
- | * http://www.sawmill.net/products.html | ||
- | |||
- | hint | ||
- | * SNMP Traffic Grapher STG -> http://www.wtcs.org/informant/stg.htm | ||
- | |||
- | ===== Anti-Virus ===== | ||
- | |||
- | * tips -> http://www.schoonepc.nl/optim/antivirussoftware.html | ||
- | * tips -> http://www.pepermunt.net/beveiliging/gratis-antivirus.html | ||
- | * [[ | ||
- | http://www.av.eu/nl/producten/avast-free-antivirus?pageId=1&languageId=11&avast_antivirus_producten/avast_Free_Antivirus#.Uf0G121v_cs | ||
- | |avast!] |
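Review bot: the header shows no author or edit summary for the 2019/03/06 07:33 revision, and from "Line 1" onward every line is removed, so the reason for emptying the page is not recorded. The removed text is not only external links: the "Test SMTP-over-SSL" openssl s_client line, the note on the two IDs in an IKE exchange (phase 1 ID versus phase 2 proxy ID) and the "IPsec overview" block are hand-written notes, and the links to the local pages :links:openvpn and :links:openvpn_notes and the image :links:inline_netfilter.gif lose their index entry. Suggest moving those notes to a kept page before deleting and stating the reason in the edit summary. If the content is carried over, two defects in the removed lines should be fixed on the way: the "Secure Timestamp" entry labels the rfc3161 URL as "RFC3163", and the "negotiate proposals with elements" list in the IPsec overview stops at an unfinished "* d".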