Peter Kloep

A+ R A-

FAQs

Hier finden Sie eine Liste mit "Häufig gestellten Fragen", die mir so im täglichen Umgang mit der EDV gestellt wurden

NAT-Traversal

  • Hauptkategorie: FAQs
  • Kategorie: Security
  • Zuletzt aktualisiert: Donnerstag, 06. September 2012 17:38
  • Veröffentlicht: Freitag, 15. September 2006 07:26
  • Geschrieben von Peter Kloep
  • Zugriffe: 18830
Das IETF hat vorgeschlagen, daß der IPSec-Traffic vom VPN Server in ein UDP-Paket gepackt wird, dessen Header nicht durch das EPS verändert wird. Das AH kann an dieser Stelle vernachlässigt werden.
Diese Art des UDP-Tunnelns erlaubt es, daß Quellport und -adresse durch das NAT-Gerät geändert werden und keine Änderungen am ESP-Paket durchgeführt werden müssen. Wenn ein solches Paket nun am VPN Server ankommt, wird der UDP-Header entfernt und das IPSec-Paket kann ganz normal bearbeitet werden.

Der VPN Server führt eine Prüfung durch ob es sich bei ankommenden Packeten um IPSec oder IPSec NAT Traversal (Überquerung) Paket handelt. Die benötigten Parameter für IPSec NAT Traversal werden zwischen Client und Server durch das NAT Traversal Protokoll ausgehandelt. Dieser Vorgang lässt sich wie folgt beschrieben:
  1. VPN Server und Client tauschen eine herstellerspezifische ID (einen MD5 Hash) aus - damit bestätigen beide Seiten, daß sie NAT Traversal unterstützen

  2. NAT-Discovery wird durchgeführt - dabei wird festgestellt welcher Teilnehmer sich hinter einem NAT-gerät befindet. Das ist insofern wichtig, da der Partner, der sich hinter einem NAT-Gerät befindet, aller 9 Sekunden eine keep-alive Nachricht senden muß. NAT Discovery untersucht die Quell- und Zieladresse um festzustellen, welcher Partner hinter einem NAT-Device ist.

  3. IPSec NAT Traversal wird nun zwischen VPN Server und Client genutzt, wenn ein NAT-Gerät festgestellt wurde. Server und Client nutzen UDP-gekapselte ESP Pakete im Tunnel- oder Transportmodus.

  4. So gekapselte Pakete werden an den Zielport 500 gesendet. Dies ist der gleiche Port wie für das Internet Key Exchange Protocol (IKE). Der Port kann sowohl von NAT Traversal als auch nicht NAT Traversal Packeten genutzt werden. Dies funktioniert, da der Client die 8 Byte des IKE Feldes im UDP Header mit Null überschreibt und so eine Identifizierung möglich ist.

  5. Während der VPN-Session sendet der Client alle 9 Sekunden eine keep-alive Nachricht an den Server. Dies ist wichtig, damit die Verbindung nicht abbricht. Wenn dies passiert und eine neue Verbindung aufgebaut wird, wird ein neuer Port vergeben und die Sicherheit der Verbindung ist nicht mehr gewährleistet.
IPSec NAT Traversal löst viele Probleme in Verbindung mit NAT-Geräten und VPN - jedoch nicht alle. Das Hauptproblem bei Protokollen wie FTP, H.323, LDAP und vielen weiteren liegt darin, daß die Quell-IP-Adresse im Applikations-Layer vermerkt ist. Ein NAT-Gerät kann diese Informationen durch einfache NAT-Editoren überschreiben. Dies geht aber bei der Verwendung von IPSec NAT Traversal nicht, da der Applikations-Layer durch ESP verschlüsselt ist, wenn er das NAT-Device passiert.

Verschlüsselungsverfahren

  • Hauptkategorie: FAQs
  • Kategorie: Security
  • Zuletzt aktualisiert: Sonntag, 09. September 2012 10:36
  • Veröffentlicht: Donnerstag, 14. September 2006 01:00
  • Geschrieben von Peter Kloep
  • Zugriffe: 10198

Hier ist eine Übersicht über die gängigsten Verschlüsselungsverfahren:

Hashing-Verfahren:

Algorithmus Name Schlüssellänge Bemerkung 
SHA-1 Secure Hash Algorithm 160 bit 
SHA-256 Secure Hash Algorithm 256 bit 
SHA-512 Secure Hash Algorithm 512 bit  
MD4 Message-Digest algorithm 4 128 bit  
MD5Message-Digest algorithm 5 128 bit  
 

Asymmetrische Verfahren

Algorithmus Name  ModusSchlüssellänge Bemerkung 
RSARivest, Shamir, AdlemanPrimzahlmultiplikation 1024 - 2048 bit 
D-HDiffie Hellmann variabel 
MQV-DHMenezes-Qu-Vanstone variabel 
El-GamalEl-Gamaldiskrete Logarithmen variabel 
Elliptic CurveElliptische-Kurven-Kryptosystem diskrete Logarithmen  

Symmetrische Verfahren 

Algorithmus Name  ModusSchlüssellänge Bemerkung 
DESData Encryption StandardBlockchiffre 64 bit (56+8) 
3DESData Encryption StandardBlockchiffre 168 bit 
IDEAInternational Data Encryption AlgorithmBlockchiffre 128 
RC4Rivest CipherStromchiffrevariabel 
RC5Rivest Cipher Blockchiffre variabel  
Blowfish Blowfish Blockchiffre variabel  
Skipjack FIPS 185 Blockchiffre 80  
Rijndael Rijndael Blockchiffre 128, 192, 256 bit  
AES Advanced Encryption Standard Blockchiffre 128, 192, 256 bit  

 

Known attacks (English)

  • Hauptkategorie: FAQs
  • Kategorie: Security
  • Zuletzt aktualisiert: Sonntag, 09. September 2012 10:35
  • Veröffentlicht: Montag, 11. September 2006 17:26
  • Geschrieben von Peter Kloep
  • Zugriffe: 12426

Known attacks:

Name 
Type of attack
Tools 
-
Aliasing 
Cryptographic Attack 
-
-
Aliasing is a type of backdoor attack where an existing user who already has privileges often
creates the back door account, which is set up to look like a normal user's account and given a
high-level privilege that allows an attacker to come in under an alias
Backdoor
Malicious Software 
NetBus, Back Orifice, Rootkit 
-
Also called a Trapdoor. It is a hidden mechanism to bypass security measures. It is an entry point into the application. Sometimes created to enable debugging functions whiles testing the application. Can also be created intentionally to bypass security measures. If an attacker knows about the Backdoor, exploits can be used to compromise the application. Sometimes the applications (NetBus) are used for "Remote Administration" 
Birthday Attack
Cryptographic Attack 
-  
 
A Birthday attack is an attack against a one-way hashing algorithm. It is based on "The birthday Paradox". (within a group of 23 people the chance that 2 in the group share the same birthday is at 50%). A birthday attack aims at  a digest (hash value) of a message. In order to prove that a messge has not been tampered, a hash value is generated. In a birthday attack the attacker tries to created a 2nd message that created the same hash value as the original message. 
Brute Force Attack 
Cryptographic Attack 
-
-  
A brute force attack tries to guess a password until the correct password is encountered. A brute force attack might take really long (depends on the password length and the character set that was used) 
Buffer Overflow 
Denial Of Service / Attack 
- 
Buffer overflows occur when an application receives more data than it is programmed to accept.
This situation can cause an application to terminate. The termination may leave the system
sending the data with temporary access to privileged levels in the attacked system. 
Chosen Ciphertext Attack
Cryptographic Attack 
- 
This is an attack to figure out the encryption key. The attacker chooses the ciphertext and has access to the original plaintext 
Chosen Plaintext Attack 
Cryptographic Attack 
- 
This is an attack to figure out the encryption key. The attacker has the plaintext and the ciphertext. The attacker encrypts the plaintext with differents keys to "create" the ciphertext. If the ciphertexts match he might have the correct encryption key 
Ciphertext only Attack 
Cryptographic attack 
- 
In this attack the attacker has ciphertext of several messages that have been encrypted using the same algorithm. Goal of the attacker is to discover the encryption key. If the key is discovered the attacker can also decrypt messages that have been encrypted with the same key and algorithm 
Covert Channel 
- 
A covert channel is also known as a confinement problem. It is a communication between processes to transfer information in a way that violates security policies. There are two know types of covert channels: storage and timing.  
Data diddling 
- 
Data diddling means changing data prior or during input into a system. The information is changed by a person typing in the data, a virus that changes data, the programmer of the database or application, or anyone else involved in the process of having information stored in a computer file. Example: A cashier type $80 into the cashing machine but charges $100 from the customer. The Data diddler keeps difference of the extra $20 
Denial of Service 
Denial of Service 
- 
A Denial of Service attack (DoS) is an attempt to make resources unavailable. For example: Sending so many requests to a server that the server no longer responds in a timely manner. 
Dictionary Attack 
Cryptographic Attack 
- 
A dictionary attack is the attempt to crack a password using "easy to remember" words or terms. Usually most users select "easy" password that are listed in a dictionary, because they are easy to remember 
Distributed DoS 
- 
A Distributed Denial-of-Service attack (DDoS) is a special version of a DoS attack. Several (sometimes millions of) computers are used to attack the victim. Most of the time the "application" that performs the attack is deployed by a Worm. 
DNS DoS 
- 
A new form of denial of service attack based on the difference in size between a Domain Name System (DNS) query and a DNS response and the willingness of DNS servers to answer queries from any source. 
Easter Egg 
Malicious Software
- 
Easter Eggs are hidden messages or features in a computer program. You might also find them in books, DVDs, movies or video games. In computing, Easter eggs are messages, graphics, sound effects, or an unusual change in program behavior, that occur in a program in response to some undocumented set of commands, mouse clicks, keystrokes or other stimuli intended as a joke or to display program credits. An early use of the term Easter egg was to describe a message hidden in the object code of a program as a joke, intended to be found by persons disassembling or browsing the code 
Fingerprinting 
- 
Fingerprinting is the act of inspecting returned information from a server (ie. One method is ICMP
Message quoting where the ICMP quotes back part of the original message with every ICMP
error message. Each operating system will quote definite amount of message to the ICMP error
messages. The peculiarity in the error messages received from various types of operating
systems helps us in identifying the remote host's OS. 
Fraggle Attack 
Denial of Service 
- 
In computer security a fraggle attack is a type of denial-of-service attack where an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake source address. This is a simple rewrite of the smurf attack code.
This traffic is aimed at ports 7 (echo) and 19 (chargen). 
Hoax
- 
A hoax is (similar to a newspaper hoax) a report to trick the recipient to believe that something false is true. For Example: "There is a virus spreading around. To protect yourself, please delete the file xxx.xxx and send this email to all you colleagues". A hoax can cause as much traffic as a "real" virus or worm. Another "target" of hoaxes is to conguest the network by causing traffic when users forwarded the message  
Host Hijacking 
- 
This is an attack using the hosts file of your operating system (%systemdrive%\system32\drivers\etc\). Normally all Name-resolution request are adressed to a DNS-Server. The name resolution process of the Operating system queries this text file before it sends a request to a DNS server. If an attacker is able to "modify" this hosts file (by a virus) he can redirect the victim to different locations (or prevent the user from accessing anti-virus webpages) 
Known-Plaintext Attack 
- 
The attacker gets a sample of ciphertext and the corresponding plaintext. This attack aims on the encryption key 
Land Attack 
- 
A land attack is a DoS attack using a special poisoned spoofed packet to the target system. The spoofed IP adress of the sender is actually the IP adress of the target system. In this case, the target will reply to itself continuously. 
Logic Bomb 
- 
A logic bomb is a special kind of virus or Trojan horse that is set to go off following a preset
time interval, or following a pre-set combination of keyboard strokes. Some unethical advertisers
use logic bombs to deliver the right pop-up advertisement following a keystroke, and some
disgruntled employees set up logic bombs to go off to sabotage their company's computers if they
feel termination is imminent 
Man-in-the-Middle Attack 
- 
This attack is relevant for cryptographic communication and key exchange protocols. The attacker attempts to intercept a key exchange (Diffie-Hellmann) between to communicating parties. The attacker performs (himself) a key exchange with both of the parties. The parties this that they communicate with each other directly, but in reality there is a "man in the middle" 
Meet-in-the-Middle Attack 
- 
The Meet-in-the-middle attack is a cryptographic attack which attempts to find a value in each possible part of the function. A Meet-in-the-middle attack was used to reduce the time needed to hack 2DES to almost half of the original time 
Phishing 
- 
In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication 
Ping flood
- 
This is a simple Denial of service attack where the attacke sends ICMP Echo request to the victim. 
Ping of Death 
A Ping of Death is a malformed ping-packet that is sent to the target. A ping is normally 64 bytes in size; many computer systems cannot handle a ping larger than the maximum IP packet size which is 65,535 bytes. Sending a ping of this size often crashes the target computer. 
Replay Attack
- 
A replay attack is an attack in which a transmission is repeated. For instance: A user authenticates to a server by sending a password. The attacker eavedropes the line and after the communication between the user and the server is closed, the attacker authenticates against the server sending the captured information again. 
Reverse Engineering 
- 
Reverse engineering is the process of retrieving or rebuilding the source code of an application. One aim is to discover vulnerabilities within the application based on the source code 
Salami Attack 
- 
A Salami attack is a series of several minor attack that result in total in a larger attack. For instance an employee at a bank steals a small amount of money from each bank account. In total this might be a huge amount of money. This is considered a salami attack 
Side-Channel Attack 
- 
In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system. Many side-channel attacks require considerable technical knowledge of the internal operation of the system on which the cryptography is implemented 
Smurf Attack 
Denial of Service
- 

A smurf program builds a network packet that appears to originate from another address (this is known as spoofing an IP address). The packet contains an ICMP ping message that is addressed to an IP broadcast address, meaning all IP addresses in a given network. The echo responses to the ping message are sent back to the "victim" address. Enough pings and resultant echoes can flood the network making it unusable for real traffic.  

Social Engineering 
- 

Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weak link” in security and this principle is what makes social engineering possible. 

Spamming 
- 
Spamming is the abuse of electronic messaging systems to send unsolicited, undesired bulk messages. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, and mobile phone messaging spam. 
Spoofing at Logon 
- 
Login spoofing is a technique used to obtain a user's password. The user is presented with an ordinary looking login prompt for username and password, which is actually a malicious program under the control of the attacker. When the username and password are entered, this information is logged or in some way passed along to the attacker, breaching security. 
Spoofing Attack 
- 
In computer networking, the term Internet Protocol address spoofing is the creation of IP packets with a forged (spoofed) source IP address. Since "IP address" is sometimes just referred to as an IP, IP spoofing is another name for this term. 
SQL Injection 
- 
SQL injection is a security vulnerability that occurs in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. 
SYN flood / SYS attack
- 

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.
When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:
1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client, which,
3. Responds with an ACK, and the connection is established.
This is called the TCP three-way handshake, and is the foundation for every connection established using TCP/IP protocols.
A malicious client can skip sending this last ACK message. The server will wait for this bit for some time, as simple network congestion could also be the cause of the missing ACK.
If this so called half-open connection binds resources on the server or the server software is licensed per-connection, as is the case in many operating systems, it may be possible to take up all these resources or run out of Client Access Licenses by flooding the server with SYN messages. Once all resources CALs set aside for half-open connections are reserved, no new connections (legitimate or not) can be made, resulting in denial of service. Some systems may malfunction badly or even crash if other operating system functions are starved of resources this way. 

TCP Hijacking 
- 
Also called TCP Sequence Prediction Attack. A TCP sequence prediction attack is an attempt to hijack an existing TCP session by injecting packets which pretend to come from one computer involved in the TCP session. 
Teardrop Attack 
- 
"Teardrop" is a remote denial-of-service attack (DoS) that affected the Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to 2.0.32 and 2.1.63. The Teardrop attack involved sending IP fragments with overlapping payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code caused the fragments to be improperly handled, crashing the operating system as a result 
Time of Check/Time of Use 
- 
A time-of-check-to-time-of-use bug (TOCTTOU − pronounced "TOCK too") is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition. For Example: You disable an user account on one of your Domain Controller. The time that is needed until the setting is "effective" on all DCs is "TOCK too". 
Trojan Horse 
- 
In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.
Often the term is shortened to simply trojan, even though this turns the adjective into a noun, reversing the myth (Greeks, not Trojans, were gaining malicious access). 
Virus 
- 
In computer security, computer virus is a self-replicating computer program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an "infection", and the infected file, or executable code that is not part of a file, is called a "host". Viruses are one of the several types of malicious software or malware. In common parlance, the term virus is often extended to refer to worms, trojan horses and other sorts of malware; viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware. 
Worm 
- 
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other systems and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. In general, worms always harm the network and consume bandwidth, whereas viruses always infect or corrupt files on a targeted computer. 

Automatische Installation von mehreren Domänenumgebungen

  • Hauptkategorie: FAQs
  • Kategorie: Virtualisierung
  • Zuletzt aktualisiert: Dienstag, 16. April 2013 08:54
  • Veröffentlicht: Dienstag, 16. April 2013 08:54
  • Geschrieben von Peter Kloep
  • Zugriffe: 6731

Hier eine "kurze" Beschreibung zur Installation von mehreren Domänen (2 DC + Windows 7 Client) unter Hyper-V. Da die Maschinen per RDP von außen erreichbar sein sollen, können die virtuellen Maschinen nicht einfach kopiert werden.

Schritt 1: Vorbereiten der Images:

Schritt 2: Erstellen der Antwortdatei

Schritt 3: Sysprep

Schritt 4: Erstellen der VMs / Konfiguration der VMs

Schritt 5: Festlegen der IP-Adressen

Schritt 6: DCpromo

Schulungsunterlagen

  • Hauptkategorie: FAQs
  • Kategorie: Virtualisierung
  • Zuletzt aktualisiert: Donnerstag, 06. September 2012 17:38
  • Veröffentlicht: Donnerstag, 10. September 2009 11:00
  • Geschrieben von Peter Kloep
  • Zugriffe: 9838

Die Schulungsunterlagen zum Hyper-V Buch sind jetzt online:

Hyper-VPPTs.zip

Unterkategorien

Hier einige Antworten auf Fragen rund um die Zertifizierung