Overview

General, Research, RFC, Technology
This paper attempts to provide a common-sense definition of the ECI TruSecc system and an overview of our solution set. The ECI TruSecc PCC is a hybrid developed from the technologies of VNC, PN (private networking) and VPN. Virtual Network Computing (VNC) is a process by which a system's desktop can be not only viewed but also driven in an interactive session. Such a tool gives the system administrator the ability to administer and troubleshoot a system remotely; a target system on the next floor, in the next building or even at an employee's home is within reach. Other methods of establishing this type of remote viewing exist; the obvious example is Symantec's PCAnywhere (http://www.symantec.com/pcanywhere/Consumer/). A VPN - Virtual Private Network…

Security Overview

General, Technology
OpenVPN cryptographic layer. This is a technical overview of OpenVPN's cryptographic layer, and assumes a prior understanding of modern cryptographic concepts. For additional discussion on OpenVPN security. OpenVPN has two authentication modes: static key, which uses a pre-shared static key, and TLS, which uses SSL/TLS plus certificates for authentication and key exchange. In static key mode, a pre-shared key is generated and shared between both OpenVPN peers before the tunnel is started. This static key contains four independent keys: HMAC send, HMAC receive, encrypt, and decrypt. By default in static key mode, both hosts use the same HMAC key and the same encrypt/decrypt key in both directions. However, using the direction parameter to --secret, it is possible to use all four keys independently, so that each direction of the tunnel is protected by its own cipher key and its own HMAC key. In SSL/TLS mode, an SSL session is established with bidirectional…

Circuit Network Components

E3, General, Research, Technology
In the context of RFC 2547bis, our PCC is a collection of policies, and these policies control connectivity among a set of sites. A customer site becomes a node attached to our backbone through its private communication circuit ports, and we provide each port with its own VPN routing and forwarding table (a VRF, in RFC 2547bis terms). The VPN is then dynamically defined by the policies that govern forwarding between those tables, and the PCC along with it.

Hardened Security

General, Technology
One of the often-repeated maxims of network communication security is that one should never place so much trust in a single security component that its failure causes a catastrophic security breach. We use several mechanisms to add security layers that hedge against such an outcome. The tls-auth directive adds an additional HMAC (a keyed message authentication tag, not a public-key signature) to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC can be dropped without further processing, before any SSL/TLS code touches its contents; an attacker who does not hold the tls-auth key therefore never reaches the TLS parser at all. This HMAC check provides a level of security above and beyond that provided by SSL/TLS itself. It can protect against: DoS attacks or port flooding on the OpenVPN UDP port; port scanning to determine which server UDP ports are in a listening state; buffer overflow vulnerabilities in the SSL/TLS implementation; SSL/TLS handshake…
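The following is an added example, written for this page and not code from ECI TruSecc or the OpenVPN project. It ties together the two OpenVPN excerpts above: it parses a static key file into the four key slots described under Security Overview, applies the direction parameter of --secret / --tls-auth to pick each peer's send and receive keys, and then uses the resulting HMAC keys as the tls-auth style gate described here, rejecting a packet before anything else parses it. Assumptions are labeled in the code: the slot layout (two 128-byte halves, each 64 bytes of cipher key followed by 64 bytes of HMAC key) follows OpenVPN's key2/key structures, HMAC-SHA256 with the HMAC key truncated to the digest size is assumed (OpenVPN's --auth default is SHA1), the packet framing is a simplified tag-plus-payload stand-in rather than the real control-channel format, and the key material is constructed for the example rather than generated by openvpn --genkey.

```python
import hashlib
import hmac

# Layout assumed from OpenVPN's key2/key structs: the 256-byte static key is
# two 128-byte halves, each holding a 64-byte cipher key slot followed by a
# 64-byte HMAC key slot.
SLOT = 64
HALF = 2 * SLOT
DIGEST = "sha256"                          # assumed; OpenVPN's --auth default is SHA1
TAG_LEN = hashlib.new(DIGEST).digest_size  # HMAC key is truncated to the digest size


def make_demo_key_file() -> str:
    """Build a file in the OpenVPN static key format from CONSTRUCTED bytes.

    A real key comes from `openvpn --genkey secret static.key` and must stay
    secret; this one is derived from fixed strings so the example is repeatable.
    """
    raw = b"".join(hashlib.sha512(b"demo slot %d" % i).digest() for i in range(4))
    hexs = raw.hex()
    body = "\n".join(hexs[i:i + 32] for i in range(0, len(hexs), 32))
    return ("#\n# 2048 bit OpenVPN static key (constructed for this example)\n#\n"
            "-----BEGIN OpenVPN Static key V1-----\n" + body +
            "\n-----END OpenVPN Static key V1-----\n")


def parse_static_key(text: str) -> bytes:
    """Return the 256 raw key bytes found between the BEGIN/END markers."""
    inside, hexlines = False, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN OpenVPN Static key"):
            inside = True
        elif line.startswith("-----END OpenVPN Static key"):
            break
        elif inside and line and not line.startswith("#"):
            hexlines.append(line)
    raw = bytes.fromhex("".join(hexlines))
    if len(raw) != 2 * HALF:
        raise ValueError(f"expected {2 * HALF} key bytes, got {len(raw)}")
    return raw


def select_keys(raw: bytes, direction):
    """Apply the --secret / --tls-auth direction parameter.

    Returns (encrypt_key, hmac_send_key, decrypt_key, hmac_recv_key).
      None -> bidirectional (the default): half 0 is used for both directions
      0    -> send with half 0, receive with half 1
      1    -> send with half 1, receive with half 0
    """
    halves = (raw[:HALF], raw[HALF:])
    out_idx, in_idx = {None: (0, 0), 0: (0, 1), 1: (1, 0)}[direction]
    out_half, in_half = halves[out_idx], halves[in_idx]
    return (out_half[:SLOT], out_half[SLOT:], in_half[:SLOT], in_half[SLOT:])


def seal(hmac_send_key: bytes, payload: bytes) -> bytes:
    """Prepend an HMAC tag, the way tls-auth wraps a control-channel packet.

    Simplified framing (tag || payload); real OpenVPN control packets also
    carry an opcode, session id, packet id and timestamp under the HMAC.
    """
    tag = hmac.new(hmac_send_key[:TAG_LEN], payload, DIGEST).digest()
    return tag + payload


def gate(hmac_recv_key: bytes, packet: bytes):
    """The tls-auth check: verify the tag BEFORE any TLS code sees the bytes.

    Returns the payload on success and None when the packet is to be dropped;
    failure costs one HMAC and a constant-time compare, with no parsing.
    """
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(hmac_recv_key[:TAG_LEN], payload, DIGEST).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def exchange(direction_a, direction_b) -> dict:
    """Peer A sends one sealed packet to peer B under the given directions."""
    raw = parse_static_key(make_demo_key_file())
    a_enc, a_hs, a_dec, a_hr = select_keys(raw, direction_a)
    b_enc, b_hs, b_dec, b_hr = select_keys(raw, direction_b)
    packet = seal(a_hs, b"P_CONTROL_HARD_RESET_CLIENT_V2 (stand-in payload)")
    return {
        "a_send_keys_distinct": a_hs != a_hr and a_enc != a_dec,
        "accepted": gate(b_hr, packet) is not None,
        "forged_accepted": gate(b_hr, bytes(TAG_LEN) + b"junk") is not None,
        "short_accepted": gate(b_hr, b"\x01") is not None,
    }


if __name__ == "__main__":
    for a, b in ((None, None), (0, 1), (0, 0)):
        print(f"A direction={a} B direction={b}: {exchange(a, b)}")
```

Compare the A=0/B=1 run (accepted, with distinct keys per direction) against A=0/B=0 (dropped): giving both peers the same direction value is the common misconfiguration, and it fails closed at the HMAC gate rather than somewhere inside the TLS handshake. The forged and truncated packets are dropped the same way, which is the property the excerpt relies on for its DoS, port-scan and TLS-implementation-bug arguments.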