This is one topic born out of necessity. I had to do it and had a discussion on the vim-use group about it. Since I am lazy, I just cut-paste the conversation instead of summarizing it.

Trident Media Guard pourrait répondre favorablement à l’appel d’offre du ministère de la culture en charge de faire fonctionner la machine Hadopi.

La société TMG a dans ses rangs Thierry Lhermite, administrateur, cette société vise à défendre les données copyrightées en injectant de faux contenus sur les réseaux.

Ce que l’on peut retenir, c’est que TMG va leurrer les téléchargeurs pour mieux les attraper avec de faux fichiers.

Bref, une machine à fric.

Effectivement, un véritable business financier est derrière tout cela puisque Thierry Lhermitte aurait injecté 50 000 euros en numéraire sur un compte de la société commerciale contre 5 000 actions.

Une autre société serait elle aussi favorable pour l’Hadopi du nom de AdVestigo.

Bref, nous serons bientôt qui sera l’heureux élu de l’”Hadopisation”, ou plutôt, à qui empochera le pognon.

Pendant ce temps, de nombreux internautes multiplient et emploient d’autres services comme le téléchargement directe, des services de serveurs Proxy, VPN et autres cryptages de données comme Perseus.

Le petite guéguerre que mène le ministère de la culture risque fort d’augmenter l’utilisation et les méthodes de contournement qu’utiliserons les internautes de tout poils, tout cela, au risque de ne plus rien contrôler.

Comme on dit chez nous, le mal engendre le mal, et cela ne fait que commencer.

Default behavior of redistribution on VRF aware OSPF will lead to the MPLS VPN cloud trying to emulate OSPF. This is done using a “Super Backbone” which is hierarchically above area zero. RFC4577 explains in great detail how this should ideally work.

The whole point of this behavior is to mask the VPNv4 BGP from the customer networks. Traditionally if you redistribute any protocol into OSPF it will be created as an LSA type 5 (external). In Cisco’s implementation all LSAs of type 1-3 will be advertised out the egress PE(s) as type 3.

Given the topology below assume that the link from CE1-CE2 is not active (for the moment). All Ethernet links have been set to a network type of point-to-point for simplification.

Looking at the link state database we can see the summary prefixes (type 3) all have the router ID of the nearby PE. This means that the “Super Backbone” is working, converting area zero LSA type 1 into type 3 at the egress PE. It is important to make sure that the process IDs match between PEs. The process ID configured on the PE is attached in the form of an extended community, under the ospf process you can manually set the value to be attached to the ext-community;

OSPF DOMAIN ID:0×0005:0×0000007B0200

router ospf 123 vrf cust
domain-id type 0005 value 000000000123

OSPF DOMAIN ID:0×0005:0×000000000123

An issue which can occur when implementing OSPF as the PE-CE protocol, which I have seen first hand in a production network is that the “Super Backbone” cannot be treated as a transit network as it would in a layer two VPN. I can imagine that enterprises and even the people who design/architect for enterprises (not trying to have a dig a CCIE RS holders) do not take into consideration how OSPF MPLS VPNs actually work. You cannot just make the MPLS VPN cloud a single area, even if all the PE-CE links are in area zero all LSAs will be type three after they have crossed the cloud.

CE1#show ip ospf 123 database router adv 172.0.0.2

OSPF Router with ID (172.0.0.1) (Process ID 123)
Router Link States (Area 0)

Adv Router is not-reachable
LS age: 481
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID: 172.0.0.2
Advertising Router: 172.0.0.2
LS Seq Number: 80000004
Checksum: 0xD09A
Length: 60
Number of Links: 3

The LSAs (from CE2) are inside the database (on CE1) but they will not ever be able to be used for forwarding because the topology has broken the “Area 0 must be contiguous” rule. CE2 is in fact sending LSA type 1 for both Area0 and Area1 but all LSAs from Area0 are marked “Adv Router is not reachable” above.

Another thing worth noting is that in regular OSPF the “advertising router” for an LSA stays the same within an area and is changed at the border (by an ASBR/ABR). This is consistant with the “ever router must know every other router in the area” concept. This is also applied to the Superbackbone. The “advertising router” for an LSA will be changed as it is advertised out the egress PE. This combined with some of the above shows how the Superbackbone truely does act as an area hierachically above area zero.

GNS3 .net file (rename to *.rar)

Numerous experiences with clients and students implementing Virtual Private Networks (VPNs) with IPSec have shown me that some common misconceptions exist as to their operation and troubleshooting.  We will examine three of these using the scenario below between an ASA running version 8.0 code and a Cisco Router running IOS version 12.2 or higher code.

Misconception #1: A Site-to-Site VPN created with the ASDM Wizard is Bidirectional

The commands below are a portion of what would be displayed if the “Preview Commands…” option were selected in the ASDM preferences after finishing the Site-to-Site wizard.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 192.168.11.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

Note the set pfs group2 statement above; this default deployment option with the wizard will result in the IKE Phase II proposal of Perfect Forward Secrecy using Diffie-Hellman Group #2.  While the IOS Router will support this and agree to it (even though it wasn’t explicitly configured), the tunnel CANNOT be successfully initiated by the site owning that router!  For this to happen, the router MUST be configured with the same statement for its Phase II policy in its crypto map.

Misconception #2: The IKE keepalive keeps the Site-to-Site tunnel up

Actually, the IKE keepalive merely insures that the remote peer is reachable. A little-known fact is that the Idle Timeout usually found in the Network (Client) Access for the IPSec client also impacts Site-to-Site tunnels being kept up.  A screenshot is provided below showing where this is configured for the default group policy, DfltGrpPolicy.

Studies have shown that if this time interval is increased to be greater than 80% of the Phase II IPSec Security Association lifetime, the tunnel will stay up.

Misconception #3: Allowing IPSec ACL bypass is insecure – Default Wizard option

This appears as a checkbox in the wizard, or could be configured using the CLI command sysopt connection permit-vpn. Two very effective techniques can be used here, the mechanics of which will be discussed in future postings.  The first of these would be to configure a VPN Group Filter (done under the Group Policy settings), a feature which applies for both Site-to-Site or Remote Access VPNs. A second effective technique, applicable for both IPSec and SSL VPN Client access, would be to use downloadable access-control lists with RADIUS.

Author: Doug McKillip

References
Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions Document ID #81824

I keep forgetting the config required for setting up an ASA VPN server, so here it is for reference:

This is an ASA config with Radius authentication.

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host <HOST>
key <KEY>

access-list VPN_splitTunnelAcl standard permit <NETWORK> <SUBNET>
ip local pool VPN-IP-POOL <FROM_IP>-<TO_IP> mask 255.255.255.0

access-list nonat extended permit ip any <NETWORK> <SUBNET>
nat (inside) 0 access-list nonat

group-policy <GROUP> internal
group-policy <GROUP> attributes
dns-server value <DNS_IP>
vpn-tunnel-protocol IPSec webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value <DNS_SUFFIX>
webvpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp nat-traversal  20

tunnel-group <TUNNEL> type ipsec-ra
tunnel-group <TUNNEL> ipsec-attributes
pre-shared-key <PRESHAREKEY>
isakmp keepalive threshold 10 retry 2
tunnel-group <TUNNEL> general-attributes
address-pool VPN-IP-POOL
authentication-server-group RADIUS
default-group-policy <GROUP>

Caro internauta, per caso ti sei imbattuto nel sito hulu.com per guardare in streaming un film, un telefilm o magari un anime e ti è uscito il fatidico messaggio “The requested video cannot be displayed in your region” ovvero “Il video richiesto non può essere visionato nel tuo paese” infatti Hulu a differenza degli altri siti in streaming, trasmette film, telefilm e anime regolarmente tramite accordi con le case produttrici però può essere guardato solo da chi è residente negli Stati Uniti.

Allora come possiamo aggirare questa restrizione di hulu? La prima idea è quella di usare un proxy americano, ma generalmente i proxy sono di una lentezza paradossale e inoltre di solito vengono riconosciuti immediatamente dai sistemi anti-proxy.

Esiste però un’altra soluzione, che fino ad ora ha sempre funzionato anche con Hulu; usare una connessione VPN (Virtual Private Network) con ip americano.

Direttamente da wikipedia:“Una Virtual Private Network o VPN è una rete privata instaurata tra soggetti che utilizzano un sistema di trasmissione pubblico e condiviso come per esempio Internet. Lo scopo delle reti VPN è di dare alle aziende le stesse possibilità delle linee private in affitto ad un costo inferiore sfruttando le reti condivise pubbliche.”

In genere le connessioni VPN sono a pagamento, ma oggi esistono dei network gratuiti e uno di questi è Hotspot shield, un programmino free che una volta installato e aperto ci installa una connessione VPN e ci genera un indirizzo ip statunitense. Una volta installato e connesso il programma, cancelliamo dal browser cronologia, cache e cookie (in particolare questi ultimi visto che hulu li installa e quindi se non li cancelli verrai riconosciuto dal sito che non sei residente degli Stati Uniti).

Puoi scaricare Hotspot cliccando qui e poi clicca in alto a destra su “Download The Latest Version”.

Sei hai fatto tutto bene vai sul film che ti interessa e potrai guardarlo in santa pace!

Ovviamente la connessione VPN non andrà veloce come la nostra ADSL, ma neanche tanto lento, anzi và anni luce meglio dei proxy, ti do però un consiglio, quando parte il video metti pausa per almeno 10-20 secondi in modo che il video non vada scattoso.

A volte può capitare che Hulu riconosca il VPN, in quel caso cancellate di nuovo tutti i cookie e chiudete e riaprite il programma di modo che vi generi un nuovo indirizzo ip.

Spero di esserti stato utile e ti saluto! Se lasci un commento mi farebbe piacere.

NB: questo articolo è solo a scopo informativo, non mi riterrò responsabile per l’uso che ne farai.

Pas un jour sans parler du sujet dans les médias ! Des écoles qui ferment, des campagnes de vaccinations qui se mettent en place et aussi des avis très partagés sur le bien fondé de la vaccination !…

Toujours est-il que le constat est là, les PME sont aujourd’hui très peu organisées pour affronter une pandémie :

Les entreprises ont déployées des solutions pour répondre à des coupures de courant, des pannes informatiques (perte d’un serveur, d’une application) mais rares sont celles qui savent répondre aux perturbations liées à l’absence des employés.

Risc Group vient de publier un étude :

La réalité du télétravail à l’épreuve de l’épidémie

Plus des deux tiers des responsables de PME (70%) estiment pouvoir développer le télétravail pour faire face aux risques épidémiques. Cependant, moins d’un sur trois (30%) est réellement en mesure de le faire pour la plupart (26%) ou pour tous leurs salariés (4%). 30% seraient totalement incapables de permettre le télétravail.

Les plus petites entreprises souffrent d’avantage de ce problème. Si 56% des patrons de PME de plus de 50 salariés prétendent pouvoir faire travailler à distance quelques uns de leurs collaborateurs, 41% des responsables de TPE (6 à 9 salariés) reconnaissent leur incapacité totale au télétravail.

Parmi les « champions » du télétravail potentiel, 94% des entreprises de services aux entreprises pensent pouvoir mettre en place le télétravail sécurisé. A l’inverse, seulement un tiers (36%) des

PME du secteur de la santé l’envisagent.

Solutions Cisco : Plusieurs type de solutions existe en fonction du besoin et du niveau de service : 

1^er niveau : Webex

Webex est une suite applicative complète qui permet de mettre en œuvre une conférence audio avec partage de document, support vidéo et chat.

Il suffit pour le salarié d’avoir un PC (personnel ou professionnel) connecté à internet. Webex est une application web qui peut se déployer très facilement et qui convient quelque soit le nombre d’utilisateurs …facturation par abonnement ou à l’utilisation.

A partir de 46 € par mois.

Plus d’info sur www.webex.fr

2eme niveau : Acces VPN

Cette solution consiste à utiliser internet pour permettre à un utilisateur distant de se connecter sur le réseau de l’entreprise via un « tunnel » sécurisé. Il existe deux techniques :

-          VPN SSL : l’utilisateur peut se connecter à partir de n’importe quel PC (professionnel,personnel, ou même PC libre service). Il se connecte en utilisant un identifiant + mot de passe à un portail défini par l’entreprise qui lui donne accès aux applications prédéfinies.

-          VPN IPSEC : l’utilisateur doit posséder un portable professionnel car ce poste doit etre configurer avec un logiciel client qui permet de se connecter au réseau de l’entreprise comme si il était en local.

Mise en œuvre de ces accès : L’accès VPN implique la mise en place d’un équipement sur le réseau de l’entreprise et l’achat de licences SSL (pour le VPN SSL)

Les routeurs Cisco, les boitiers de sécurité Cisco ASA ou les nouveaux boitiers dédiés PME SA4500 permettent de mettre en place facilement ces liaisons VPN.

3eme niveau : extension Wifi / IP phone

Cette solution implique un réseau wifi Cisco déjà installé dans l’entrprise et le déploiement de bornes wifi dans les bureaux distants ou à la maison.

Permet d’avoir un accès wifi comme dans l’entreprise.

4eme niveau : Cisco Virtual Office.

Permet de fournir le meme niveau de service au domicile que celui de l’entreprise (accès téléphonique et informatique).

Implique le déploiement d’un routeur au domicile + téléphone IP.

Implique une solution de communication unifiée Cisco dans l’entreprise.

I spent time yesterday on a friend’s computer in a different city.  I, of course, was home sitting in my favorite chair.  TeamViewer ( http://www.teamviewer.com/index.aspx ) is a package that allows me at home to see my friend’s ‘puter screen in a browser window and to move the mouse and type in commands.  Neat stuff.

This is an example of VPN ( Virtual Private Network ) software, that I have used before in unix environments.  I have a couple VPNs loaded up now on this Windows machine.  There was one that seemed to confuse, or cross-operate, a university and a city library.  That all seems sorted now.

I want to see how TeamViewer works as a remote desktop on a Mac as the other ‘puter.

All still neat stuff.

Esta frase de Oscar Wilde da inicio al libro Redes Privadas Virtuales de mi buen amigo Javier Andrés Alonso que hoy por fin recibí en casa vía editorial Ra-Ma. En el primer vistazo al libro lo que más me ha llamado la atención ha sido su finalidad  puramente práctica junto con el grosor, casi 900 páginas, … todo un tratado de seguridad, redes y encriptación única en su género y en castellano.

Ha sido muy emotivo este primer encuentro con su libro y que me ha traido recuerdos del antiguo equipo de mucha calidad del GateDefender (Javi, Dani, Patri y yo),  compañeros del equipo de desarrollo y de managers. Son muchas horas codo con codo, analizando tráfico de red, buscando la forma de que “explotaran” las nuevas releases o buscando el entrecotte para la dieta multiproteica de Iván ,  aunque destacaría esas clases magistrales que tanto me ayudaron para hacerme con el producto y adentrarme en el mundo de la seguridad informática. Se hace irónico encontrar mi nombre en los agradecimientos del libro, … , aprendí mucho de su poesía en directo y sigo aprendiendo de su prosa escrita MAESTRO!!!

Foreword: I’ve decided to put this tutorial back up, which was originally created by author Chyea for Call of Duty World at War. Please note that the preferred method is Tunngle. You need to update your game to the latest version. Please see my exclusive Tunngle video below.

Of course, this article is no way in shape or form created to promote piracy. There are legitimate players with legitimate users who want to play this game via LAN with their friends.  This is an educational piece, and shall be treated as one.  ~ Versatile

Revisions:
11-17-09: Re-release of an old article per indiscreet demand. MW2 is a better game. Does anyone care about this one?

Note: It is highly recommended you go to www.filefront.com and download ALL the game patches to update yourself t the latest version. If you need new patch files, then go to www.gamecopyworld.com.

All files have been scanned with NOD32 antivirus.

1. Download Hamachi 1.0.1.5: (the older versions are better, the newer one didn’t work for me)

http://rapidshare.com/files/166420002/HamachiSetup-1.0.1.5-en.exe

2. Run Hamachi and create a virtual LAN.

3. Download this patch for the singleplayer version of the game:

Call of Duty: World at War v1.0 PRIVATE SERVER PATCH #1
http://rapidshare.com/files/166420570/CoDWaW_LANFixed.exe

This fixes the “CD key in use” issue.

4. Paste the patch into your cod5 directory, don’t need to rename or anything.

5. Both CLIENT and the HOST of the game server will use this patch to start up your game.

6. If you encounter an error involving a conflict of CD keys, download this keygen by razor http://rapidshare.com/files/162328894/rzr-c5kg.exe

and change your cd key.

Edit: In the case that you have no friends, you can join a hamachi network with more activity. There are tons of them out there, if you know any, we’d appreciate it if you posted it in the comments.

Much thanks to RedDot, we acquired a lot more servers:

• Name: coop zombie -> Password: 123

• Name: coop zombie2 -> Password: 123

• Name: cod5waw.vcr.pl-> Password: 123

• Name: cod5waw.vcr.pl1-> Password: 123

• Name: cod5waw.vcr.pl2-> Password: 123
• Name: cod5waw.vcr.pl3-> Password: 123
• Name: cod5waw.vcr.pl4-> Password: 123
• Name: cod5waw.vcr.pl5-> Password: 123
• Name: cod5waw.vcr.pl6-> Password: 123
• Name: cod5waw.vcr.pl7-> Password: 123
• Name: cod5waw.vcr.pl8-> Password: 123
• Name: cod5waw.vcr.pl9-> Password: 123
• Name: cod5waw.vcr.pl10-> Password: 123

Warning: if you do join a big hamachi network, be sure to go to your control panel and make sure your hamachi network is set to “public”, so that other peeps won’t be able to see your personal folders.

Don’t go anywhere, we will write a tutorial on how to play multiplayer soon.

Here’s a screenshot of it on my computer:

And here is a video of how I got mine to work, you can download it here and see it more clearly, or you can scroll down and look at the crappy youtube quality vid.

http://rapidshare.com/files/168327132/cod5.wmv

Previously I used Cisco VPN client for connecting to my company VPN. But since, I moved to kernel 2.6.30+ things are broken. Cisco VPN client does not work anymore. Whenever I tried to connect to VPN whole system freeze and I had to do a hard power off. So, I switched to VPNC, which worked quite but after lot of tweaks. Moreover, you have to extract the configuration for VPNC from Cisco VPN profile files (*.pcf) . You can use pcf2vpnc to extract configuration for you from *.pcf profile files.

Extracted configuration file would look like as below.
## generated by pcf2vpnc
IPSec ID your-group-id
IPSec secret your-group-secret
IPSec gateway your-vpn-gateway
Xauth username flukebox
Enable Single DES
IKE Authmode hybrid
CA-File path-to-certificate file
Application version “Cisco Systems VPN Client 4.8.01 (0640):Linux”
Script /etc/vpnc/vpnc-script

You can connect to your vpn server vpnc-connect in root or sudo mode.

There could be few glitches when using vpnc on Ubuntu. Due some licensing issues, vpnc is not built with ssl support on Ubuntu and you may see error like this.

vpnc was built without openssl: Can’t do hybrid or cert mode.
To avoid that you have to built the vpnc from source manually which is quite easy though.

Get necessary package to built vpnc with ssl support.
$apt-get install libgcrypt11-dev openssl libssl-dev

Create a temp vpnc directory to hold the source.
$mkdir /tmp/vpnc
$cd /tmp/vpnc

Get the source of vpnc and cd to source directory
$apt-get source vpnc
$cd vpnc-version

Now, modify Makefile to enable SSL support. Basically search for OPENSSL in Makefile and uncomment OPENSSL options, than save the file.

48 # Comment this in to obtain a binary with certificate support which is
49 # GPL incompliant though.
50 #OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
51 #OPENSSLLIBS = -lcrypto

$vi Makefile

48 # Comment this in to obtain a binary with certificate support which is
49 # GPL incompliant though.
50 OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
51 OPENSSLLIBS = -lcrypto

Now, build the package by running the following command in vpnc source directory.
$dpkg-buildpackage

If everything goes fine, you will see a vpnc_version_i386.deb package in /tmp/vpnc made by dpkg. Which you can install with dpkg -i.
$dpkg -i vpnc_version_i386.deb

Now, enjoy connecting with vpn network and happy coding

A few thoughts on VPN’s:

VPN (virtual private network)

One can buy VPN service subscriptions for as little as 6 euro/month. That’s cheap for “perfect” (or whatever) anonymity, whether you want to fileshare (and your ISP forbids legal file sharing), whether you live in China, Australia, Burma, or Iran (and the web is censored or much of it blocked) or if you want to use streaming video sites that are prohibited in your region. Or if you just don’t want your ISP to know every site that you visit: because now they have to retain that sort of information. It’s better than a proxy in some respects because you can run any protocol, from mail to skype to utorrent through it. It’s terrible to have to pay for anonymity, and maybe this sends the wrong message (i.e. we should be battling for our rights online, not subverting their authority with cool technologies) — but really we need to open the world up, not censor and close it up.

On 11/05/09 the notice of Renegotiation vulnerabilities within SSL/TLS protocols became public.  The vulnerability allows for injection of arbitrary plain-text allowing for HTTP requests, or impersonate the victim, as well as other consequences.

~Opinion~

While the known possible outcomes of this vulnerability seem similar to many of the run-of-the-mill exploits we’ve seen, the ramifications behind this vulnerability are monumental.

Just the number of vendors, and their products effected by this alone show that there will soon be a revolution.  The affect on everyday lives of so many will undoubtedly negative.

Either a major overhaul of the protocols is necessary, or we are in for a new breed of security focus.  An overhaul is most likely to occur; however, if it doesn’t we will have to be prepared to move into a security stance which covers security in both a pre- and post- environment.

Our previously hardened infrastructure would have to be analyzed, and protected during use.  Protecting our protection if you will.

While all this seems goofy, given the fact that we will most likely just patch and move on, it seems to beckon the time for more intuitive security measures is nearing, or hear.  Security measures that… think.

Packets with guns.  Headers with secret handshakes. Connections that conspire against their own existence.

~/Opinion~

As usual, if you want to hear more information, visit the link below… And I am very interested in hearing comments on this one… Maybe I am just blowing it out of proportion, but it seems big.

Vulnerability Note VU#120541 (New Window)

I spent several hours during yesterday’s NewTeeVee Live conference at San Francisco’s Mission Bay Conference Center sitting at the press table with tech writers from various publications who were connecting to the open Wi-Fi network. Before I connected to the center’s hotspot, I loaded a VPN (virtual private network) application, which provides a secure, encrypted tunnel within which I use public Wi-Fi. The one I use happens to be custom and proprietary, and takes about 15 seconds to establish a connection that will keep me completely secure on an open network.

I noticed, though, that while some of the writers at the conference were probably using firewalls, hardly any of them used VPNs to keep their Wi-Fi sessions completely secure. And these were tech writers. That’s a shame, because there are a lot of good, completely free VPN applications available.

One of the best choices out there is OpenVPN, an open-source, cross-platform VPN solution. The freeware world, too, includes many VPN applications that users swear by, such as iPig from iOpus and the free version of LogMeIn’s Hamachi. Cisco’s (S csco) cross-platform VPN client is also widely used, although note that it’s incompatible with some firewalls. Hotspot Shield is also well-liked by many Windows and Mac users.

Windows 7 (S msft) actually comes with a built-in Agile VPN client, but it’s not said to be as easy as many of the free, time-tested clients. Snow Leopard (S aapl) Server also offers VPN functionality, and previous versions of the Mac OS have included it. For many users, though, especially ones who don’t have access to help from an IT department, simple, free downloadable VPN solutions–which usually have intuitive interfaces–are great choices.

VPN applications couldn’t be easier to use. Once installed, you simply sign in to them, and your online communications are routed through encrypted tunnels. Problems with particular VPN clients are typically the result of firewall-related conflicts, but you can easily find an app that works for you.

As is always true with security software solutions, user apathy is the biggest problem of all. So the next time you use public Wi-Fi, make sure you hop into a secure VPN tunnel first.

Do you use a VPN application that you like?

By Gary Kinghorn

Virtualization has certainly become a driving factor in networking, application deployment and data center design over the last few years. One of our marketing folks recently ran across an interesting deployment scenario where as part of a large network virtualization project, they were also making use of virtual firewalls to virtualize the security layer of their network, further reducing costs. While the first step of virtualization usually happens in the application server, customers should also be thinking about ways to reduce hardware costs and management complexity by taking advantage of the same concepts inherent in all of our H3C security appliances and blades.

The typical deployment scenario goes something like this: A large distributed enterprise has multiple campuses, or a large distributed campus, with divisions or groups spread throughout. You can think of these as potentially subsidiaries of a conglomerate, departments in a university, or logically separated clean-room projects. The problem is that the physical location of the groups is not aligned with the physical layout of the campuses or buildings. This is a challenge for network designs that frequently are aligned with campus layouts and not the virtual organizations. Virtual Local Area Networks (VLANs) work well locally, when closely mirroring the network topology, but don’t work well across the enterprise WAN, since Layer 2 network virtualization doesn’t scale when extended through the Layer 3 routers.

Providing the functionality of a VLAN for a widely separated logical group (over a Layer 3 WAN or router core) requires a technology called Virtual Routing and Forwarding (VRF). This provides what could be thought of as a virtual VLAN (but that sounds both redundant and confusing). These new private WANs are more accurately called VRFs, or what can logically be viewed as a wide area broadcast domain.

VRFs effectively provide the appropriate policy enforcement and network capacity appropriate for each division or group, no matter what their size, while sharing the same Layer 2 and 3 network infrastructure with many other VRFs. This can help optimize network resources and provide better service to individual users. These VRFs are reasonably straightforward to set up and manage since the H3C networking infrastructure and management platform supports this capability for highly scalable deployments.

But things get even better when enterprises take advantage of virtual firewalls. Whereas logically distinct organizations sharing a network would need their own firewall to protect their LAN segment and to define their unique security policies, firewalls no longer need a one-to-one correspondence with the LAN segment they are protecting any more than an enterprise application still needs its own server to provide adequate service. In essence, a single physical firewall can be divided into hundreds of virtual firewalls, each with its own distinct set of rules, aligned with a particular LAN segment, VLAN, or VRF and can be individually managed by a local group administrator (as needed).

The enterprise class SecPath F5000-A5 and the SecBlade VPN Firewall module, for example, both support up to 256 virtual firewalls. The SecBlade module could be deployed right into one of the core router chassis, and all the traffic that flows through the firewall can be partitioned to the right VLAN, applying the relevant policies. A widely distributed VLAN doesn’t need a firewall at each physical site. A few physical firewalls can support hundreds of distributed VLANs in a highly scalable fashion, no matter how widely distributed, as part of a larger virtual network. This can greatly reduce the proliferation of security devices by consolidating and centralizing deployments, while greatly reducing ongoing management costs and overhead. Networks will be able to grow more efficiently and cost-effectively, and maximize use of shared resources.

Interested in hearing more? Give us a call and we’ll show you how.

La sécurité « tout-en-un » pour les PME a connu dans les années 2000 un essor fulgurant lié à plusieurs  facteurs : un raccordement massif des PME à Internet, l’explosion des menaces (virus, spyware, spam, phishing), et l’attrait financier que représente pour les pirates ces dizaines de milliers de PME  si faciles à spammer, infiltrer, rançonner, siphonner… Les PME ont plébiscité ces boitiers « tout-en-un » à base de logiciel open-source et de hardware générique. En effet, regrouper Pare-feu, Antivirus, VPN et même AntiSpam et filtrage d’URL dans une seule boite : c’est moins cher à l’achat, et c’est plus facile à gérer.

Cisco, construisant des réseaux destinés à accueillir la voix sur IP et la vidéo, n’était pas prêt à transiger sur la performance du firewall. Le célèbre Cisco PIX n’a jamais fait d’antivirus, tandis que les  « tout-en-un » en faisaient leur fonds de commerce. Fallait-il céder aux sirènes et se résoudre à fournir un firewall qui ne capture qu’un virus sur deux au prix d’un fonctionnement aléatoire ?

Le remplacement du PIX par l’ASA a permis l’intégration du filtrage de contenu dans le firewall, mais sans fournir de vrai « tout-en-un » pour les plus petites PME… La carte d’extension Trend Micro sur l’ASA est une solution d’Entreprise : il faut accepter de payer la qualité d’une solution logicielle reconnue embarquée sur un hardware dédié qui ne pénalise pas les performances du firewall. Caramba, encore raté…

La solution est venue du filtrage en mode hébergé « dans le nuage », qu’on peut aussi qualifier de SAAS (software as a service). On connaissait les offres des opérateurs (l’option Antispam de votre FAI personnel…) : pas franchement impressionnant d’efficacité et de souplesse de réglage. Ou encore les offres de messagerie d’entreprise du type Messagelabs : trop haut-de-gamme. Mais cette fois ça y est, les investissements sont faits, les datacenters sont opérationnels.

Les PME ont dorénavant leur solution « Tout-en-Un » Cisco : le Cisco SA500 propose un service de filtrage de contenu entièrement « dans le nuage » pour les entreprises de moins de 100 utilisateurs. Le SA500 offre firewall et VPN à très hautes performances avec une administration graphique simplissime en trois clics. L’AntiSpam, l’Antivirus et le filtrage d’URL se font grâce aux Datacenters de Trend Micro. Le client conserve la possibilité de configurer sa propre politique de filtrage, et dispose de rapports d’activité détaillés. Les avantages sans les inconvénients : pas d’impact sur les performances du boîtier, pas de travail de déploiement ou de mise-à-jour, et une protection qui reste efficace en toutes circonstances grâce à une connaissance mutualisée des menaces en temps réel. Non seulement c’est plus simple et moins couteux en efforts et en matériel, mais c’est également plus efficace face aux nouvelles menaces comme les Botnets que les antivirus embarqués sont incapables d’identifier.  Les boitiers « tout-en-un » qui embarquent l’ « antivirus de papa » viennent de prendre un coup de vieux.

Windows only: Free application Comodo EasyVPN creates a virtual private network between your computers for a hassle-free, secure private network. That means you can access, for example, anything on your home computer from work as though you’re on the same local network.

Comodo EasyVPN, like previously mentioned VPN app Hamachi, is simple to set up. Just install the application, register for an account, and then log in. Once you’ve got the app running on a couple of computers, you can easily (and securely) access one computer from the other as though you’re on the same local network.

As we mentioned in our guide to Hamachi, a VPN comes in handy when:

• You’re on the road with your laptop and want secure access to your PC’s files.
• Your office or dorm room computer is behind a restrictive firewall that doesn’t let you reach it from the internet.
• You want to add encryption to insecure network protocols like VNC.
• You want to set up a shared folder of files for friends and family to access.

We showed you how to set up secure VNC with Hamachi, and the same basic steps would apply with Comodo EasyVPN. So is EasyVPN better than Hamachi? Not necessarily, but since LogMeIn bought Hamachi, it’s only free for non-commercial use. If you want or need to use a VPN for work purposes and don’t have the extra budget, Comodo EasyVPN will do the job nicely. Update: Apparently EasyVPN is also only available for non-commercial use. This information was not on the main page, but I missed it on their download page. Apologies for the confusion. Apart from the basics, EasyVPN also comes with a built-in, secure chat tool.

Comodo EasyVPN is a free download, works with Windows XP and above with support for 32- and 64-bit systems.

Comodo EasyVPN [Comodo via Download Squad]

IP Security, atau IP Sec untuk jangka pendek, adalah kerangka kerja standar yang memberikan kunci berikut fitur keamanan pada jaringan peer lapisan antara dua perangkat:

- Kerahasiaan data

- Integritas data

- Data otentikasi

- Deteksi anti-replay

- Peer otentikasi

Internet Engineering Task Force (IETF) mendefinisikan standar untuk IP Security di berbagai RFC. Karena memberikan perlindungan lapisan jaringan antar perangkat atau jaringan, dan karena itu adalah standar terbuka, itu biasa digunakan dalam jaringan saat ini yang menggunakan IPv4 dan IPv6.

vendor (seperti Cisco), memiliki kecenderungan untuk meningkatkan standar untuk mengatasi masalah yang dapat IP Security pengalaman di jaringan data. Cisco, misalnya, telah menambahkan banyak fitur untuk meningkatkan baik LAN ke LAN (L2L) dan sesi akses remote.

Virtual private network (VPN) berkembang pada saat perusahaan besar memperluas jaringan bisnisnya, namun mereka tetap dapat menghubungkan jaringan lokal (private) antar kantor cabang dengan perusahaan mitra kerjanya yang berada di tempat yang jauh. Perusahaan juga ingin memberikan fasilitas kepada pegawainya (yang memiliki hak akses) yang ingin terhubung ke jaringan lokal milik perusahaan di manapun mereka berada. Perusahaan tersebut perlu suatu jaringan lokal yang jangkauannya luas, tidak bisa diakses oleh sembarang orang, tetapi hanya orang yang memiliki hak akses saja yang dapat terhubung ke jaringan lokal tersebut.

Implementasi jaringan tersebut dapat dilakukan dengan menggunakan leased line. Namun biaya yang dibutuhkan untuk membangun infrastuktur jaringan yang luas menggunakan leased line sangat besar. Di sisi lain perusahaan ingin mengoptimalkan biaya untuk membangun jaringan mereka yang luas. Oleh karena itu VPN dapat digunakan sebagai teknologi alternatif untuk menghubungkan jaringan lokal yang luas dengan biaya yang relatif kecil, karena transmisi data teknologi VPN menggunakan media jaringan publik yang sudah ada (mis. internet).

If you’re using an OpenVPN Server to surf in Ubuntu, maybe you experienced this strange problem : you can connect but you cannot surf !    This how to fix it...

Before we start check your current IP online and save it.

The first thing you have to know is that you shouldn’t use NetworkManager Applet to configure your OpenVPN Connexion, it seems that there’s a problem with vpn connections when using this applet (atleast with Intrepid), you can connect but traffic isn’t redirected correctly, so let’s first make sure you’re correctly  connected ! The best thing to do is to download the configuration files from the OpenVPN Server’s website (just look in the forum if you don’t find it, it’s generally an archive file with a *.conf file and a *.crt file, this last one is the certificate) and use’em directly in a shell console.

Copy the archive content files to

/etc/openvpn/

Type :

cd /etc/openvpn && sudo openvpn yourserver.conf

Enter your login and password and wait till you see :

Initialization Sequence Completed

It means that you’re in.

Now to make sure that you’re not facing a routing problem, just type :

route -n

If you see tunX connections with new IPs, it’s OK you’re connected, if one of your web connected peripheral connections (ethX, athX…) is showing the IP of your OpenVPN Server as a destination you’re correctly routed.

Now try to ping the tunX IP with a gateway, if you’ve got this message :

ping: sendmsg: Operation not permitted

You got the fix ! It’s a SIMPLE FIREWALL PROBLEM !

To solve it, you have to edit :

/etc/firestarter/user-pre

First thing to do is to make it writable (it’s a read-only file) then paste these lines and save the file :

# Allow OpenVPN traffic
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

Restart Firestarter :

sudo /etc/init.d/firestarter restart

It should work now ! Just re-check your Online IP to see if it changed !