2005 MTSC UC-7400
Thomas Cheng
Aug-2005
0913 Topic
14:00-15:20 Universal Communicator – Part I
15:20-15:40 Coffee Break
15:40-17:00 Universal Communicator – Part II
17:00-18:00 UC Exam
18:00 Dinner
UC-7400 Series Introduction
1. Comparisons
2. New functions and Features
iptables Introduction Hands-On
OpenVPN Introduction Hands-On
Live Demo
UC Family Comparisons
Hardware and Software
Hardware Comparison
(UC-7410/7420 Hardware V1.2)
Model: UC-7420 | UC-7410 | UC-7408 | UC-7110
CPU: Intel XScale IXP-422 266 MHz | ARM9 32-bit 166 MHz
RAM: 128 MB | 16 MB
Flash: 32 MB | 8 MB
LAN: 10/100 Mbps x 2
RS-232/422/485: 8 | 2
Serial Protection: 15 KV ESD for all signals
Flow Control: RTS/CTS, XON/XOFF
Speed: 50 bps to 921.6 Kbps
DI/DO: NA | NA | DI x 8, DO x 8 | NA
USB 2.0 Host: 2 | NA | NA | NA
USB 1.0 Client: 1 | 1 | 1 | NA
PCMCIA: Cardbus x 1 | NA | Cardbus x 1 | NA
Compact Flash: 1 | NA | 1 | NA
LCM: 128 x 64 dots | 128 x 64 dots | NA | NA
Keypad: 5 | 5 | NA | NA
Real Time Clock: Yes
Buzzer: Yes
Reset Button: HW Reset x 1 | Reset to default x 1 | Reset to default x 1
Software Comparison: UC-7400 Series | UC-7110
Boot Loader: Redboot V1.92 | Moxa Proprietary Boot Loader
Kernel: MontaVista Linux 2.4.18 | uClinux Kernel 2.4.22
Protocol Stack: ARP, CHAP, PAP, IPv4, ICMP, TCP, UDP, DHCP, FTP, Telnet, SNMP v1/v3, HTTP, NTP, NFS, SMTP, PPP, SSH v1.0/2.0, SSL, OpenVPN | ARP, CHAP, PAP, IPv4, ICMP, TCP, UDP, DHCP, FTP, Telnet, SNMP v1, HTTP, NTP, NFS, SMTP, PPP
Flash File System: JFFS2 | JFFS2
OS Shell Command: bash V2.05 | mash V0.60.4
Linux normal command utility: Busybox V0.60.4 | Busybox V0.60.4
Web: Apache 2.0.42 | Boa 0.93.16
Secure shell: sshd V1.2.0 | NA
Network file system: NFS Server V2.2 | NA
Virtual private network: OpenVPN V2.0 | NA
OpenSSL: OpenSSL V0.9.6 | NA
Tool Chain: Linux, Windows | Linux
UC-7400 V1.5 Firmware
New Functions and Features Introduction
Firmware Version: V1.1 | V1.4.3 | V1.5
Serial port: 230.4 Kbps | 230.4 Kbps | 921.6 Kbps (with HW V1.2)
WLAN: 802.11b (Prism 2/2.5) | 802.11b (Prism 2/2.5) | 802.11b (Prism 2/2.5), 802.11g
USB Host: NA | Mass Storage, PNP | Mass Storage, PNP
USB Client: NA | NA | NA
Reset to Factory Default button: NA | NA | Yes (with HW V1.2)
Share Memory: NA | NA | Yes
Protocol stacks and utilities:
Arp (utility): NA | Yes | Yes
iptables: NA | NA | Yes
OpenVPN: NA | NA | Yes
WatchDog API: NA | NA | Yes
Crontab: NA | NA | Yes
upfirm: NA | Yes | Yes
backupuf: NA | Yes | Yes
backupfs, bf: Yes | Yes | NA
minicom: Yes | Yes | Replaced by tip
Directory Change:
/var: User File System | User File System | Changed to ramdisk
Apache root document: /usr/html | /usr/html | /usr/www
New Feature Introduction
• WatchDog support
• Support Cron function on system
• UART and special baud rate support
• System Image Backup utility "upfirm"
• 802.11g wireless card support
• Support tool chain on Windows platform, including GCC, Glibc and Insight (GDB debug tool)
• iptables support
• OpenVPN support
Watch Dog Timer (WDT)
1. Introduction
The WDT works like a watchdog: you can enable it or disable it. When the user enables the WDT but the application does not acknowledge it, the system reboots. The ack time can be set from a minimum of 50 msec to a maximum of 60 seconds.
2. How the WDT works
The software watchdog (sWatchDog) is enabled when the system boots up, and the kernel auto-acks it. A user application can also take over the acknowledging; if the user application then fails to ack in time, the system reboots.
3. The user API
The user application must include <moxadevice.h> and link moxalib.a.
Crontab
1. Introduction: Daemon to Execute Scheduled Commands
2. Description
• Start Cron from the file /etc/rc.d/rc.local
• Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
Mm (Minute) | H (Hour) | Dom (Date) | Mon (Month) | Dow (Week) | User | command
0-59 | 0-23 | 1-31 | 1-12 | 0-6 (0 is Sunday) | |
3. Example
• How to add ntpdate (synchronize time) in Cron
• Every day at 5:10 the system will synchronize the time from the NTP Server (192.168.0.1)
# vi /etc/cron.d/crontab
# m h dom mon dow user command
10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
UART and special baud rate support
1. Introduction
• The normal tty device nodes are located at /dev/ttyM0 ... /dev/ttyM7, and the modem tty device nodes at /dev/cum0 ... /dev/cum7
• UC-7400 supports Linux standard termios control
• The Moxa UART Device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2. The Function
You must include <moxadevice.h>, which defines the operation modes:
#define RS232_MODE 0
#define RS485_2WIRE_MODE 1
#define RS422_MODE 2
#define RS485_4WIRE_MODE 3
Functions:
• MOXA_SET_OP_MODE
• MOXA_GET_OP_MODE
3. Special baud rate support
• There are two Moxa private ioctl commands for setting up special baud rates:
• MOXA_SET_SPECIAL_BAUD_RATE
• MOXA_GET_SPECIAL_BAUD_RATE
• If you use this ioctl to set a special baud rate, the termios c_cflag will be B4000000, in which case the B4000000 define will be different
• If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm
1. Introduction
UC-7400's bios, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM
Upgrading the Firmware
2. Description
• In V1.4.3 or later firmware, UC-7400 adds a new utility, "upfirm"
• The utility upfirm is designed for upgrading the firmware (including boot-loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.4.3, you can get the utility from the Moxa website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
# upramdisk
# cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
# upfirm uc7400-xxx.frm
(See the next slide for the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it (Y/N) Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 -- 100 % complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot after upgrading the firmware takes a long time.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus Wireless LAN card first
Step 2: Configure the default IP setting profile
# vi /etc/network/interfaces
Configure 802.11g Wireless LAN
# vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
This file is a binary file and is read when the rt2500.o module is loaded
Use "vi -b RT2500STA.dat" to modify the settings according to your needs:
1) Set NetworkType to Adhoc for Adhoc mode, otherwise use Infrastructure
2) Set Channel to 0 for auto-select in Infrastructure mode
3) Set SSID for connecting to your Access Point
4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
5) EncrypType can be NONE, WEP, TKIP, AES
For more information refer to the Readme file
Step 3: Configure the WLAN parameters
# vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion – sets the channels for your particular country region
WirelessMode – sets the wireless mode
SSID – sets the softAP SSID
NetworkType – sets the wireless operation mode
Channel – sets the channel
AuthMode – sets the authentication mode
EncrypType – sets the encryption type
DefaultKeyID – sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str – set the strings Key1 to Key4
WpaPsk – WPA pre-shared key
TxBurst – enables or disables TxBurst
TurboRate – enables or disables TurboRate
BGProtection – sets 11b/11g protection (this function is for engineering testing only)
ShortSlot – enables or disables the short slot time
TxRate – sets the TxRate
RTSThreshold – sets the RTS threshold
FragThreshold – sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
• Introduction
• Installation Procedure
• Using the BASH Shell
• GDB debug tool: Insight
Windows Tool Chain
1. Operating System: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files, you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the Development Environment on the PC
Step 2: Coding, Compiling and Debugging on the Windows Tool Chain
Step 3: Deploying the Program to the UC
(Figure: x86 PC host, IXP-422 target)
Step 1: Setting up the Development Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP). Installation tips:
• Default Install Path: C:\UC
• Default Text File Type: Unix (Recommended)
Utilities:
• Moxa Bash Shell
• GDB debug tool: Insight (http://sources.redhat.com/insight)
• This process could take from 5 to 30 minutes, depending on the speed of your system
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain)
Compile/link the source code with the tool chain:
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compiling Hello.c
Step 3: Deployment
Upload the program to the UC:
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 side):
# chmod +x hello-release
# ./hello-release
Hello
Debugging with GDB
(Figure: PC Moxa Bash Shell: 1. compile with -ggdb, 3. Insight tool (GDB client), 4. target remote; UC, reached over Ethernet: 2. GDB debug server)
# chmod +x hello-debug
# gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1: PC Moxa Bash Shell: compile the program with the -ggdb option, then upload it to the UC
Step 2: UC: start hello-debug under gdbserver with the command
# gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC Insight: run the GDB client
• Open the hello-debug file
• Connect to target: GDB Server/TCP, host 192.168.3.200, port 2000
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
A user-space command to set up and maintain the "Netfilter" sub-system of the kernel
"Netfilter" manages only the packet headers, not the content
iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1. Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches; this is called a "target", which may be a jump to a user-defined chain in the same table.
1. Quick View of iptables
3rd generation firewall on Linux:
– "ipfwadm" on Linux Kernel V2.0.X
– "ipchains" on Linux Kernel V2.2.X
– "ipchains", "iptables" on Linux Kernel V2.4.X
– "iptables" on Linux Kernel V2.6.X
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
(Figure: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches (Yes) triggers its Action 1, 2, ... 10 and processing stops; if no rule matches (No), the Default Policy applies)
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets
Compare the following order:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
With this order 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first.
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field
1) PREROUTING chain – to translate the dst IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
(Figure: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process)
2-3-2 Source Local Host
(Figure: Outgoing Packets from the local process → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets)
2-3-3 Forwarded Packets
(Figure: Incoming Packets → NAT Table PREROUTING → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts; packets addressed to a Local Resource branch off to the 2-3-1 path instead)
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R [direction] [match] -j [target]
Three major things need to be considered: direction, match and target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to maintain the Netfilter rules in a script file of your own instead of relying on the exported rule file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 – Accept all TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 – Drop all incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 – Log all incoming/outgoing TCP packets to/from port = 25 (log SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC-7110 does not support the target "LOG"
Example 8 – Drop all [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit ICMP "ping" bursts
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine – Rules of nat table
Example 1 – Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the incoming packets from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE is valid only in the POSTROUTING chain)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
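As an added example (not Moxa's script and not from the original slides), the filter rules of section 4-1 and the nat rules of section 4-2 can be kept in one re-runnable rule script, as section 3-4 recommends; the interface names, addresses and ports are placeholders taken from the slides, and DRY_RUN=1 prints the rules instead of loading them:

```shell
#!/bin/sh
# Added example (not Moxa's script): one re-runnable rule script that loads the
# filter rules of section 4-1 and the nat rules of section 4-2 in the order the
# slides require. Interface names, addresses and ports are placeholders taken
# from the slides; adjust them for your own network.
IPT="${IPT:-iptables}"      # iptables binary
DRY_RUN="${DRY_RUN:-0}"     # 1 = print the commands instead of executing them

# rule: execute one iptables command, or print it in dry-run mode so the whole
# rule set can be reviewed before it is loaded on the UC.
rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# flush_rules: empty and delete every chain of the filter and nat tables, so
# re-running the script never duplicates rules.
flush_rules() {
    for t in filter nat; do
        rule -t "$t" -F
        rule -t "$t" -X
    done
}

# filter_rules: section 4-1. First match wins (section 2-1), so the attacker
# address is dropped BEFORE the general "accept WWW from everyone" rule.
filter_rules() {
    attacker="${WEB_ATTACKER:-192.168.1.100}"   # placeholder from slide 2-1
    rule -t filter -P INPUT DROP                # default policy: drop (Example 11)
    rule -t filter -A INPUT -i lo -j ACCEPT     # Example 1: loopback
    rule -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT   # Example 12
    rule -t filter -A INPUT -p tcp -m state --state INVALID -j DROP                # Example 12
    rule -t filter -A INPUT -i eth0 -p tcp -s "$attacker" -j DROP     # slide 2-1, rule 1
    rule -t filter -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT       # slide 2-1, rule 2
    rule -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP         # Example 5: no FTP
    rule -t filter -A INPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP: "   # Example 7
    rule -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT   # Example 11
}

# nat_rules: section 4-2, for a UC-7400 that routes a private LAN out of ppp0.
nat_rules() {
    lan="${LAN:-192.168.127.0/24}"              # placeholders from the 4-2 slides
    web="${WEB_SERVER:-192.168.127.10}"
    pub="${PUBLIC_IP:-60.248.66.75}"
    rule -t nat -A PREROUTING -p tcp -i eth0 -d "$pub" --dport 80 -j DNAT --to "$web:80"   # Example 3
    rule -t nat -A POSTROUTING -s "$lan" -o ppp0 -j MASQUERADE                                # Example 2
}

apply_all() {
    flush_rules
    filter_rules
    nat_rules
}

# count_rules: how many iptables commands a full load issues (always a dry run,
# in a subshell so DRY_RUN is not changed for the caller).
count_rules() {
    ( DRY_RUN=1; apply_all ) | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) apply_all ;;             # sh firewall.sh apply  (as root, on the UC)
    show)  DRY_RUN=1; apply_all ;;  # sh firewall.sh show   (review the commands)
esac
```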
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: (n-1)n/2 keys
DES, 3DES, AES, Blowfish
(Figure: Tom encrypts the Plaintext with the Secret Key into Ciphertext; Bob decrypts it with the same Secret Key back to Plaintext)
1-3 Hash (Digest) Function
Ensures Data Integrity
MD5, SHA-1
(Figure: Tom runs the Hash Function over the Data to get Message Digest 1 and sends Data + Message Digest 1; Bob runs the same Hash Function over the received Data to get Message Digest 2 and compares it with Message Digest 1)
1-4 Message Authentication Code
Ensures the Data Integrity
Uses a key to protect the MAC
HMAC, CBC-MAC
(Figure: Tom hashes the Data to Message Digest 1 and encrypts it with the Secret Key to produce the MAC, then sends MAC + Data; Bob hashes the received Data to Message Digest 2, decrypts the MAC with the Secret Key to recover Message Digest 1, and compares the two)
1-5 Asymmetric Encryption
Things to remember:
• Key Pair – Public/Private keys
• In a session, one is used for encryption and the other one for decryption
• The "Public Key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear-text and cipher-text
• The two keys are interchangeable. All algorithms make no difference between public and private key. When a key pair is generated, either of the two can be public or private
• Less efficient than a Static Key
• RSA, Diffie-Hellman
(Figure: Clear text → Encryption → cipher text)
1-5 Asymmetric Data Encryption
(Figure: Tom encrypts the Plaintext with Bob's Public Key; Bob decrypts the ciphertext with Bob's Private Key. Recipient's Key Pair: Confidentiality Check)
1-5 Asymmetric Data Encryption
(Figure: Tom encrypts the Plaintext with Tom's Private Key; Bob decrypts the ciphertext with Tom's Public Key. Sender's key pair: Authenticity Check)
1-6 Digital Signature
Real World – Hybrid: 1. Data Integrity 2. Authenticity 3. Non-repudiation 4. Algorithm – uses the public key and a Hash
1-6 Digital Signature - Creating
(Figure: a Message or File ("This is the document created by Gianni") is hashed with a one-way message digest function (SHA, MD5) into a short Message Digest (typically 128 bits), even for a long input; the Message Digest is encrypted with the Signatory's private key using Asymmetric Encryption (RSA) to produce the Digital Signature; the document and the Digital Signature together form the Signed Document)
1-6 Digital Signature - Verifying
(Figure: the Signed Document is split into the document and the Digital Signature; the document is hashed again to generate a Message Digest; the Digital Signature is decrypted with Gianni's public key (from certificate) using Asymmetric Decryption to recover the signed Message Digest; the two digests are compared)
1-6 Digital Signature
(Figure: Tom hashes the Data to Message Digest 1 and encrypts it with Tom's Private Key to produce the Digital Signature, which is sent with the Data; Bob hashes the received Data to Message Digest 2, decrypts the Digital Signature with Tom's Public Key to recover Message Digest 1, and compares the two)
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
(Figure: Certificate = public key + "This public key belongs to Stephen" + Digital Signature. The entity can be a person, a computer, a device, a file, some code, anything ...)
1-7-1 CA Certificate
(Figure: the CA (Certification Server) generates a key pair (Priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS); the Private Key and the Certificate are sent to the user)
1-7-1 CA Certificate Example
(Figure: the CA holds the CA Private Key. Left holds its Priv Key, its Cert signed by the CA, and the CA Pub Key (itself signed by the CA); Right holds its Priv Key, its Cert signed by the CA, and the CA Pub Key. Each side Trusts the other's Cert signed by the CA)
1-7-2 SSL/TLS
(Figure: each side holds its own key pair (Priv, pub) and the peer's pub; Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → Transmission over the public network → Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text)
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security Engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which openssl wraps too
1-8-2 Performance
(Figure: throughput charts (RATE versus packet size) for 3DES-CBC and AES128-CBC, comparing the software cipher with the HW Cipher, over packet sizes of 128 to 1280 bytes and of 16 to 144 bytes)
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
• Default: Hardware Approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach:
• DES: packets under 128 bytes
• 3DES/AES: packets under 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device File
• mknod /dev/mxcrypto c 11 131
Test Program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048 bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two Authentication Modes
• Static Key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + Certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain text initial vector, randomized per packet
(Figure: packet layout HMAC | IV | SeqN | IP payload; the SeqN and payload are encrypted, the IV is sent in plain text)
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• portability across operating systems
• firewall and NAT-friendly
• dynamic address support
IPSec
• Kernel-space IP stack
• each operating system requires its own independent implementation of IPSec
• IETF Standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
- Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
- Uses the kernel routing table to forward the packets
[Figure: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) with OpenVPN at the application layer and the TUN device attached at layer 3]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1) Point-to-point
2) Easier to configure
3) Efficiency and scalability
4) Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1) Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2) Routes must be set up linking each subnet
3) Software that depends on broadcasts will not see the machines on the other side of the VPN
4) Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
- Bridge tools (brctl) are required to create the virtual adapters
- Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0         # create an Ethernet bridge
brctl addif br0 eth1    # connect interface eth1 as a port
brctl addif br0 tap0    # connect virtual interface tap0 as a port
[Figure: two OSI stacks (Physical to Application) joined by "Bridging"; OpenVPN sits at the application layer, TUN attaches at layer 3 and TAP at layer 2; on each side eth0 carries the tunnel while eth1 and tap0 are bridged]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1) Point-to-point and point-to-multipoint
2) Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3) No route statements to configure
4) Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5) Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1) Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (hosts IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201. LAN B (hosts IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN Client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The client connects to the server to build the VPN tunnel; a CA/TLS server is also present on the public side.]
3-1 Getting Started
- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
- Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf (vi /etc/sysctl.conf) and set "net.ipv4.ip_forward = 1"
- Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
- Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
- [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
- The local/remote VPN IP addresses must be specified
- It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
- Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
- [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (at the server); openvpn --config /etc/openvpn/tunclient.conf & (at the client)
- The 2nd argument of "ifconfig" (the remote VPN endpoint) is now "10.0.2.254"
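The configuration files themselves were screenshots on the slides; what follows is an added example, not Moxa's files, that generates a static-key tunserver.conf / tunclient.conf pair for the 3-1 topology. The public addresses (192.168.12.201/202) and the two LANs come from the slides; the tunnel endpoint addresses 10.8.0.1/10.8.0.2, UDP port 1194, the key file name and the cipher/auth choice are my assumptions, and the route directive stands in for the tunserver.sh/tunclient.sh route scripts.

```shell
#!/bin/sh
# Added example (not Moxa's files): static-key TUN server/client configuration generator.
# From the slides: server ixp0 192.168.12.201, LAN A 10.0.1.0/24 behind the server,
# LAN B 10.0.2.0/24 behind the client.
# Assumptions: tunnel endpoints 10.8.0.1 (server) / 10.8.0.2 (client), UDP 1194,
# key created with "openvpn --genkey --secret /etc/openvpn/static.key", AES-128-CBC + SHA1.
# Usage: sh gen-tun.sh /etc/openvpn   (writes tunserver.conf and tunclient.conf there)

SERVER_PUB=192.168.12.201
TUN_SRV=10.8.0.1
TUN_CLI=10.8.0.2
LAN_A_NET=10.0.1.0; LAN_A_MASK=255.255.255.0
LAN_B_NET=10.0.2.0; LAN_B_MASK=255.255.255.0

# tun_conf server|client : print the OpenVPN configuration for that side
tun_conf() {
    if [ "$1" = server ]; then
        local_ip=$TUN_SRV; remote_ip=$TUN_CLI
        far_net=$LAN_B_NET; far_mask=$LAN_B_MASK      # LAN reachable through the tunnel
    else
        local_ip=$TUN_CLI; remote_ip=$TUN_SRV
        far_net=$LAN_A_NET; far_mask=$LAN_A_MASK
        echo "remote $SERVER_PUB"                     # the client must name the server (3-2)
    fi
    # "ifconfig <local> <remote>": the 2nd argument is the far end of the point-to-point link
    cat <<EOF
dev tun
proto udp
port 1194
ifconfig $local_ip $remote_ip
secret /etc/openvpn/static.key
cipher AES-128-CBC
auth SHA1
route $far_net $far_mask
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# write_tun_files DIR : write both files; the key and configs stay readable by root only
write_tun_files() {
    mkdir -p "$1"
    tun_conf server > "$1/tunserver.conf"
    tun_conf client > "$1/tunclient.conf"
    chmod 600 "$1/tunserver.conf" "$1/tunclient.conf"
}

if [ $# -gt 0 ]; then write_tun_files "$1"; fi
```

The same static.key file must be copied to both sides; the route line makes OpenVPN add the route to the far LAN when the tunnel comes up, so the static-route scripts are not needed in this variant.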
- Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
- [At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
- Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
- Edit the static routes: vi /etc/openvpn/tapserver.sh
- [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
- Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (at the server); openvpn --config /etc/openvpn/tapclient.conf & (at the client)
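The slides refer to Moxa's openvpn-bridge script (2-3-2 and 3-3) without showing it. Below is an added start/stop script in the same spirit, not Moxa's own: it creates tap0, binds eth1 and tap0 into br0 with the brctl commands from 2-3-2, and moves the LAN gateway address 10.0.1.254 (from the slides) onto br0. The interface names and the DRY_RUN switch (print instead of execute) are my assumptions.

```shell
#!/bin/sh
# Added example (not Moxa's script): build/tear down the br0 bridge for TAP mode.
# Set DRY_RUN=1 to print the commands instead of executing them.

BR=br0
ETH=eth1                      # LAN-side port from the slides
TAP=tap0                      # OpenVPN's virtual Ethernet adapter
BR_IP=10.0.1.254              # LAN A gateway from the slides; br0 takes it over from eth1
BR_MASK=255.255.255.0
BR_BCAST=10.0.1.255

run() {                       # execute, or echo when DRY_RUN is set
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

bridge_start() {
    run openvpn --mktun --dev "$TAP"                 # persistent TAP device (needs CAP_NET_ADMIN)
    run brctl addbr "$BR"                            # create the Ethernet bridge
    run brctl addif "$BR" "$ETH"                     # physical LAN port becomes a bridge port
    run brctl addif "$BR" "$TAP"                     # the VPN adapter becomes a bridge port
    run ifconfig "$ETH" 0.0.0.0 promisc up           # bridge ports carry no address of their own
    run ifconfig "$TAP" 0.0.0.0 promisc up
    run ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST" up
}

bridge_stop() {
    run ifconfig "$BR" down
    run brctl delif "$BR" "$TAP"
    run brctl delif "$BR" "$ETH"
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    run ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" up   # hand the address back to eth1
}

case "$1" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    *)       ;;                                      # no argument: only define the functions
esac
```

With the bridge up, tapserver.conf/tapclient.conf use "dev tap0" (the persistent device created here) and no ifconfig line, because br0 already carries the address.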
3-4-1 SSL/TLS – Dynamic Keys
- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
- Certificate signing: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client
- Have the second client certified in the same way
3-4-2 OpenVPN – "easy-rsa" tools
- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars
- Activate the vars: . /etc/openvpn/easy-rsa/vars
- Create the CA root key: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
- Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
- Copy the CA certificate, client key and client certificate to the VPN client
- The "easy-rsa" tools also work on the UC-7400 series
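As an added example (not Moxa's easy-rsa and not from the slides), the script below produces the same three artifacts as the steps above (CA, server and client certificates) directly with the openssl command line, and then runs the checks worth doing before the files are copied to the UCs: that each certificate chains to ca.crt and that each private key belongs to its certificate. The subject names, validity periods and the working directory argument are my assumptions; ca.key is deliberately not in the list of files to copy.

```shell
#!/bin/sh
# Added example (not Moxa's): minimal PKI for the OpenVPN lab plus pre-copy checks.
# Usage: sh pki.sh /etc/openvpn/keys   (default when run without argument: define functions only)

# pki_build DIR : create ca.crt/ca.key, server.crt/key and client.crt/key under DIR
pki_build() {
    dir=$1; mkdir -p "$dir"
    # 1) CA root key pair and self-signed certificate (easy-rsa: build-ca)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Moxa Training CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
    # 2) one key + certificate per peer (easy-rsa: build-key server / build-key client)
    for name in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$name.crt" 2>/dev/null
        chmod 600 "$dir/$name.key"
    done
    # 3) Diffie-Hellman parameters for the server (easy-rsa: build-dh 1024 on the slides).
    #    Slow to generate, so left as a comment here:
    #    openssl dhparam -out "$dir/dh1024.pem" 1024
}

# pki_check DIR NAME : 0 when NAME.crt was issued by ca.crt and NAME.key matches it
pki_check() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/$name.crt" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# files_for server|client : what goes to that UC (3-4-2); ca.key stays on the signing machine
files_for() {
    echo "ca.crt $1.crt $1.key"
}

if [ $# -gt 0 ]; then
    pki_build "$1"
    for n in server client; do
        if pki_check "$1" "$n"; then
            echo "$n: OK, copy: $(files_for "$n")"
        else
            echo "$n: check FAILED, do not deploy"
        fi
    done
fi
```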
3-4-3 Configuration File Modification
txx/server.conf
txx/client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
- Two of its serial ports are connected to a power meter and a thermocouple
- Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
- The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
- Temperature range: 0 to 500 °C
- Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM and keypad (F1-F5)
- F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
- F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
- F3 Alarm Setting: Temperature → Voltage → burn-in throughput
- F4 Configuration Key
- F5 Main Menu
Apache Web with CGI and HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
- UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
- The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others which use the Ralink chipset
Thank You
UC-7400 V1.5 Firmware
New Functions and Features Introduction

Firmware Version                  V1.1                    V1.4.3                   V1.5
Serial port                       230.4 Kbps              230.4 Kbps               921.6 Kbps (with HW V1.2)
WLAN                              802.11b (Prism 2/2.5)   802.11b (Prism 2/2.5)    802.11b (Prism 2/2.5), 802.11g
USB Host                          N/A                     Mass Storage, PNP        Mass Storage, PNP
USB Client                        N/A                     N/A                      N/A
Reset to Factory Default button   N/A                     N/A                      Yes (with HW V1.2)
Share Memory                      N/A                     N/A                      Yes
Protocol stacks and utilities
Arp (utility)                     N/A                     Yes                      Yes
iptables                          N/A                     N/A                      Yes
OpenVPN                           N/A                     N/A                      Yes
WatchDog API                      N/A                     N/A                      Yes
Crontab                           N/A                     N/A                      Yes
upfirm                            N/A                     Yes                      Yes
backupuf                          N/A                     Yes                      Yes
backupfs, bf                      Yes                     Yes                      N/A
minicom                           Yes                     Yes                      Replaced by tip
Directory change
/var                              User File System        User File System         Changed to ramdisk
Apache document root              /usr/html               /usr/html                /usr/www
UC-7400 V1.5 Firmware
New feature introduction
- WatchDog support
- Cron function support on the system
- UART and special baud rate support
- System image backup utility "upfirm"
- 802.11g wireless card support
- Tool chain support on the Windows platform, including GCC, Glibc and Insight (GDB debug tool)
- iptables support
- OpenVPN support
Watch Dog Timer (WDT)
1) Introduction
The WDT works like a watchdog function. You can enable it or disable it. When the user enables the WDT but the application does not acknowledge it, the system will reboot. You can set the ack time from a minimum of 50 msec to a maximum of 60 seconds.
2) How the WDT works
The WatchDog is enabled when the system boots up, and the kernel will auto-ack it. The user application can also take over the acking; if the user application then does not ack, the system will reboot.
3) The user API
The user application must include <moxadevice.h> and link moxalib.a.
Crontab
1) Introduction: a daemon to execute scheduled commands
2) Description
- Start cron from the script /etc/rc.d/rc.local
- Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
m (Minute)   h (Hour)   dom (Date)   mon (Month)   dow (Week)          user   command
0-59         0-23       1-31         1-12          0-6 (0 is Sunday)
3) Example
- How to add ntpdate (synchronize time) in cron
- Every day at 5:10 the system will synchronize the time from the NTP server (192.168.0.1)
vi /etc/cron.d/crontab
# m h dom mon dow user command
10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
UART and special baud rate support
1) Introduction
- The normal tty device nodes are located at /dev/ttyM0 … ttyM7, and the modem tty device nodes at /dev/cum0 … cum7
- UC-7400 supports Linux standard termios control
- The Moxa UART device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2) The function
You must include <moxadevice.h>, which defines the operating modes:
#define RS232_MODE 0
#define RS485_2WIRE_MODE 1
#define RS422_MODE 2
#define RS485_4WIRE_MODE 3
Functions (ioctl commands)
- MOXA_SET_OP_MODE
- MOXA_GET_OP_MODE
UART and special baud rate support
3) Special baud rate support
- There are two Moxa private ioctl commands for setting up special baud rates:
- MOXA_SET_SPECIAL_BAUD_RATE
- MOXA_GET_SPECIAL_BAUD_RATE
- If you use this ioctl to set a special baud rate, the termios cflag will be B4000000, in which case the B4000000 define will be different
- If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm
Upgrading the Firmware
1) Introduction
UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
- The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
- Upgrading the firmware will erase all data on the Flash ROM
Upgrading the Firmware
2) Description
- In V1.4.3 or later firmware, UC-7400 adds a new utility, "upfirm"
- The utility upfirm is designed for upgrading the firmware (including boot-loader, kernel, mini file system, user file system and configuration)
- If your firmware version is earlier than V1.4.3, you can get the utility from the Moxa website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
upfirm uc7400-xxx.frm
(Refer to the next slide for the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it (Y/N)? Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 -- 100 % complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot after upgrading the firmware takes a long time.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus wireless LAN card first
Step 2: Configure the default IP setting profile
vi /etc/network/interfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
This file is a binary file and will be read on loading the rt2500.o module
Use "vi -b RT2500STA.dat" to modify the settings according to your needs
1) set NetworkType to Adhoc for using Adhoc mode, otherwise use Infrastructure mode
2) set Channel to 0 for auto-select in Infrastructure mode
3) set SSID for connecting to your access point
4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
5) EncrypType can be NONE, WEP, TKIP, AES
For more information refer to the Readme file
Step 3: Configure the WLAN parameters
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
- The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: sets the channels for your particular country region
WirelessMode: sets the wireless mode
SSID: sets the softAP SSID
NetworkType: sets the wireless operation mode
Channel: sets the channel
AuthMode: sets the authentication mode
EncrypType: sets the encryption type
DefaultKeyID: sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: set the strings for Key1 to Key4
WpaPsk: the WPA pre-shared key
TxBurst: enables or disables TxBurst
TurboRate: enables or disables TurboRate
BGProtection: sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: enables or disables the short slot time
TxRate: sets the TxRate
RTSThreshold: sets the RTS threshold
FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
- Introduction
- Installation procedure
- Using the BASH shell
- GDB debug tool: Insight
Windows Tool Chain
1) Operating system: Windows 2000 or Windows XP
2) Minimum of 500 MB hard disk space
3) CD-ROM or equivalent
4) Ethernet to connect with the UC-7400
5) Be able to log in as administrator
6) Use a Windows username without spaces
7) You will be using a BASH shell window to enter commands
8) In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Development Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging with the Windows Tool Chain
Step 3: Deploying the program to the UC
[Figure: x86 PC (development host) and IXP-422 (target)]
Step 1: Setting up the Development Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP)
Installation tips
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities
- Moxa Bash Shell
- GDB debug tool: Insight (http://sources.redhat.com/insight)
- This process could take from 5 to 30 minutes depending on the speed of your system
Step 2: Coding, Compiling and Debugging
- Code the C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain)
- Compile/link the source code with the tool chain
- Compiler path setting: PATH=/usr/local/mxscaleb/bin
- Compiling Hello.c
Step 3: Deployment
Upload the program to the UC
- ftp 192.168.3.127
- ftp> binary
- ftp> put hello-release
Running the program (at the UC-7400)
- chmod +x hello-release
- ./hello-release
[Figure: terminal session showing "chmod +x hello-release", "./hello-release" and the output "Hello"]
Debugging with GDB
[Figure: PC (Moxa Bash Shell) and UC connected over Ethernet: 1) compile with -ggdb on the PC, 2) GDB debug server on the UC, 3) Insight tool (GDB client) on the PC, 4) "target remote" to the UC]
Debugging with GDB
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1: PC (Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC
Step 2: UC: run hello-debug under the debug server with the command gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC (Insight): run the GDB client
- Open the hello-debug file
- Connect to target: GDB Server/TCP, host 192.168.3.200, port 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1 Quick View of iptables
- A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
- "Netfilter" manages only the packet headers, not the content
- iptables is currently one of many firewall/NAT solutions; it is the administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1 Quick View of iptables
- Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
- Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
1 Quick View of iptables
- 3rd generation firewall on Linux:
  - "ipfwadm" on Linux kernel V2.0.X
  - "ipchains" on Linux kernel V2.2.X
  - "ipchains" / "iptables" on Linux kernel V2.4.X
  - "iptables" on Linux kernel V2.6.X
- Supports basic packet filtering as well as connection state tracking
- UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
[Figure: flow chart. Packets are tested against Rule 1, Rule 2, … Rule 10 in order; "Yes" on a rule applies its action (Action 1, Action 2, … Action 10) and evaluation stops; "No" on every rule leads to the default policy]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all the non-WWW packets
With the order of the first two rules swapped:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
192.168.1.100 is now able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first.
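To make the first-match rule concrete, here is an added example (not from the slides) of a tiny rule evaluator in shell that walks a rule list in order and stops at the first match, with the default policy DROP from the flow chart. The two rule orderings are the ones above; the rule syntax ("src=... dport=... ACTION") is my own.

```shell
#!/bin/sh
# Added example (not from the slides): first-match evaluation of an ordered rule list.
# Rule: "src=<ip|any> dport=<port|any> <ACCEPT|DROP>"   Packet: "<src ip> <dst port>"
# Default policy when nothing matches: DROP (as on the 2-1 flow chart).

# match_rule PKT_SRC PKT_DPORT RULE_SRC RULE_DPORT : 0 when both rule fields match
match_rule() {
    { [ "$3" = any ] || [ "$3" = "$1" ]; } && { [ "$4" = any ] || [ "$4" = "$2" ]; }
}

# evaluate "PKT" "RULES" : prints the verdict for the packet
evaluate() {
    pkt_src=${1%% *}; pkt_port=${1##* }
    verdict=$(printf '%s\n' "$2" | while read -r rsrc rport action; do
        [ -n "$action" ] || continue                     # skip blank lines
        rsrc=${rsrc#src=}; rport=${rport#dport=}
        if match_rule "$pkt_src" "$pkt_port" "$rsrc" "$rport"; then
            echo "$action"; break                        # first match wins, stop here
        fi
    done)
    echo "${verdict:-DROP}"                              # no rule matched: default policy
}

# Ordering A from the slide (drop the attacker before allowing WWW).
# Rule 3 "drop all non-WWW packets" is the catch-all.
ORDER_A="src=192.168.1.100 dport=any DROP
src=any dport=80 ACCEPT
src=any dport=any DROP"

# Ordering B: the accept rule comes first, so the drop rule is never reached for port 80.
ORDER_B="src=any dport=80 ACCEPT
src=192.168.1.100 dport=any DROP
src=any dport=any DROP"

# demo : prints the verdict for the attacker's WWW request under both orderings.
# With iptables the same difference arises from -I (insert at the top) versus -A (append).
demo() {
    echo "order A, 192.168.1.100 -> port 80: $(evaluate '192.168.1.100 80' "$ORDER_A")"
    echo "order B, 192.168.1.100 -> port 80: $(evaluate '192.168.1.100 80' "$ORDER_B")"
}
```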
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
- Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1) INPUT chain – packets entering the local host
2) OUTPUT chain – packets output from the local host
3) FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
- Used for NAT on different packets, to translate the packet's source field or destination field
1) PREROUTING chain – to translate the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally generated packets
2-2-3 Mangle Table
- This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1) PREROUTING chain
2) POSTROUTING chain
3) INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
[Figure: incoming packets → NAT table PREROUTING → filter table INPUT → local process]
2-3-2 Source Local Host
[Figure: local process → NAT table OUTPUT → outgoing packets → filter table OUTPUT → NAT table POSTROUTING → send out packets]
2-3-3 Forwarded Packets
[Figure: incoming packets → NAT table PREROUTING → (packets for a local resource leave here) → filter table FORWARD → NAT table POSTROUTING → other hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] -L [-n]
Default policy
3-1 Install iptables
Clear current policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target.
3-3-2 Direction – Chains
a) filter table: INPUT, OUTPUT, FORWARD
b) nat table: PREROUTING, POSTROUTING, OUTPUT
c) mangle table: …
3-3-3 Matches – Conditions
1) -p [proto]: tcp | udp | icmp | all
2) -s [IP], -d [IP]
3) --sport [port], --dport [port]
4) -m state --state [state]: NEW | ESTABLISHED | INVALID | RELATED
5) -m multiport --ports [p1,p2,…,p15]
6) -i [iface], -o [oface]
7) … etc.
3-3-4 Targets – Actions
a) filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b) nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c) mangle table: …
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from the network 192.168.0.0/24 to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 7 – Log all the incoming/outgoing TCP packets to/from port 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC-7110 does not support the target "LOG"
4-1 Packet Filter – Rules of filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine – Rules of nat table
Example 1 – Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets coming from 192.168.1.0/24 to be the local ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
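Section 3-4 recommends keeping the rules in a script rather than in the exported file. The added example below (mine, not from the slides) collects the hands-on rules into one such script for a UC acting as the NAT machine of 4-2: deny-by-default policies, the loopback, state, ping-limit and LOG rules of 4-1, and the DNAT/SNAT rules of examples 3 and 4. The internal interface name eth1, the SSH rule, the log rate limit and the DRY_RUN switch are my assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): one script that (re)builds the whole rule set.
# eth0 = public side (60.248.66.75 from NAT example 3), eth1 = internal LAN 192.168.127.0/24,
# web server 192.168.127.10. DRY_RUN=1 prints the commands instead of executing them so the
# rule order can be reviewed on a PC before the script is copied to the UC.
# Note: the LOG target is not available on the UC-7110 (see the note at example 7).

OUT_IF=eth0
OUT_IP=${OUT_IP:-60.248.66.75}
LAN_IF=eth1                          # assumed name of the internal interface
LAN=192.168.127.0/24
WEB_SERVER=192.168.127.10

ipt() { if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi; }

fw_flush() {                         # start from empty tables
    for t in filter nat mangle; do ipt -t "$t" -F; ipt -t "$t" -X; done
}

fw_policy() {                        # 3-2: deny by default on INPUT and FORWARD
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT ACCEPT
}

fw_input() {                         # traffic addressed to the UC itself
    ipt -t filter -A INPUT -i lo -j ACCEPT                                         # ex. 1
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT          # ex. 12
    ipt -t filter -A INPUT -m state --state INVALID -j DROP
    ipt -t filter -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT                # SSH from the LAN only
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT   # ex. 11
    ipt -t filter -A INPUT -i "$OUT_IF" -p tcp --syn -m limit --limit 3/min -j LOG --log-prefix "FW-NEW: "   # ex. 7 style
    # everything else falls through to the default DROP policy
}

fw_forward() {                       # traffic routed between the LAN and the Internet
    ipt -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A FORWARD -i "$LAN_IF" -s "$LAN" -o "$OUT_IF" -j ACCEPT         # LAN may go out
    ipt -t filter -A FORWARD -i "$OUT_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT   # DNAT'd web traffic
}

fw_nat() {                           # 4-2 examples 3 and 4
    ipt -t nat -A PREROUTING -i "$OUT_IF" -p tcp -d "$OUT_IP" --dport 80 -j DNAT --to "$WEB_SERVER:80"
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$OUT_IF" -j SNAT --to "$OUT_IP"
}

fw_apply() {
    fw_flush; fw_policy; fw_input; fw_forward; fw_nat
}

case "$1" in
    start)  echo 1 > /proc/sys/net/ipv4/ip_forward; fw_apply ;;
    stop)   fw_flush; ipt -t filter -P INPUT ACCEPT; ipt -t filter -P FORWARD ACCEPT ;;
    *)      ;;                       # no argument: only define the functions
esac
```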
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
Integrity
- Ensure that the message has not been modified during transmission
Authenticity
- You can verify that you are talking to the entity you think you are talking to
- You can verify who is the specific individual behind that entity
Non-repudiation
- The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
- Fast, high efficiency for data transmission
- Is it "secure" while transferring the key?
- Maintenance of the keys: n(n-1)/2 keys for n parties
- DES / 3DES / AES / Blowfish
[Figure: Tom encrypts the plaintext with the shared secret key into ciphertext; Bob decrypts it with the same secret key back to plaintext]
1-3 Hash (Digest) Function
- Ensures data integrity
- MD5 / SHA-1
[Figure: Tom computes Message Digest 1 from the data with a hash function and sends data + digest; Bob recomputes Message Digest 2 from the received data with the same hash function and compares it with Message Digest 1]
1-4 Message Authentication Code
- Ensures data integrity
- Uses a key to protect the MAC
- HMAC / CBC-MAC
[Figure: Tom hashes the data to Message Digest 1 and encrypts it with the secret key into the MAC, then sends data + MAC; Bob recomputes Message Digest 2 from the data, decrypts the MAC with the secret key to recover Message Digest 1, and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair - public/private keys
• In a session one key is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable. The algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA, Diffie-Hellman
[Figure: clear text is encrypted into unreadable cipher text with one key of the pair]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair)]
Confidentiality check
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair)]
Authenticity check
1-6 Digital Signature
Real world - hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - uses the public key and a hash
1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") is hashed with a one-way message digest function (SHA, MD5) into a short message digest (typically 128 bits), e.g. Py75c%bn; the digest is encrypted with the signatory's private key using asymmetric encryption (RSA) to produce the digital signature, e.g. 3kJfgf*£$&; the signed document is the message plus the digital signature]
Calculate a short message digest from even a long input using a one-way message digest function (hash)
1-6 Digital Signature - Verifying
[Figure: from the signed document, the message is hashed again to generate a message digest (Py75c%bn); the digital signature (3kJfgf*£$&) is decrypted with Gianni's public key (from his certificate) using asymmetric decryption to recover the original digest (Py75c%bn); the two digests are compared]
1-6 Digital Signature
[Figure: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key to form the digital signature, which is sent together with the data; Bob hashes the received data into Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two digests]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Figure: the CA generates a key pair on the certification server; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user. Left and Right each end up with a certificate signed by the CA; the CA public key is itself signed by the CA]
1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key; Left and Right each hold their own private key, their certificate signed by the CA, and the CA public key; Left and Right trust each other through the CA public key]
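The hash-then-sign flow of 1-6 and the CA-signed certificate of 1-7, carried through end to end, as an added example that is not part of the original slides. It uses textbook RSA with tiny constructed primes (p=61, q=53 and p=101, q=113) and reduces the SHA-256 digest modulo n, which is an assumption made purely so the arithmetic fits; real signatures use key sizes of thousands of bits and a padding scheme, never a bare modular exponentiation. Names such as issue_certificate and verify_signed_document are this example's own.

```python
import hashlib
import json

# --- Toy textbook RSA (constructed for illustration: tiny keys, no padding).

def make_toy_keypair(p: int, q: int, e: int):
    """Return (public, private) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}

def digest(data: bytes, n: int) -> int:
    """One-way hash of the input, reduced mod n so the toy RSA can sign it.
    Real schemes pad the full digest instead of reducing it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, priv: dict) -> int:
    """Hash-then-sign: the digest is 'encrypted' with the signatory's private key."""
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])

def verify(data: bytes, signature: int, pub: dict) -> bool:
    """Recompute the digest and compare it with the signature 'decrypted' by the public key."""
    return pow(signature, pub["e"], pub["n"]) == digest(data, pub["n"])

# --- Certificates: a public key plus the owner's identity, signed by a CA.

def cert_bytes(cert: dict) -> bytes:
    """Canonical encoding of the signed part of a certificate (subject + public key)."""
    return json.dumps({k: cert[k] for k in ("subject", "n", "e")}, sort_keys=True).encode()

def issue_certificate(subject: str, subject_pub: dict, ca_priv: dict) -> dict:
    cert = {"subject": subject, "n": subject_pub["n"], "e": subject_pub["e"]}
    cert["signature"] = sign(cert_bytes(cert), ca_priv)
    return cert

def verify_certificate(cert: dict, ca_pub: dict) -> bool:
    return verify(cert_bytes(cert), cert["signature"], ca_pub)

def verify_signed_document(document: bytes, signature: int, cert: dict, ca_pub: dict) -> bool:
    """Trust path: CA public key -> certificate -> signer's public key -> document."""
    if not verify_certificate(cert, ca_pub):
        return False
    return verify(document, signature, {"n": cert["n"], "e": cert["e"]})

# Constructed scenario: the CA certifies Gianni, then Gianni signs a document.
CA_PUB, CA_PRIV = make_toy_keypair(61, 53, 17)
GIANNI_PUB, GIANNI_PRIV = make_toy_keypair(101, 113, 11)
GIANNI_CERT = issue_certificate("Gianni", GIANNI_PUB, CA_PRIV)
DOCUMENT = b"This is the document created by Gianni"
SIGNATURE = sign(DOCUMENT, GIANNI_PRIV)

def demo() -> dict:
    tampered = DOCUMENT.replace(b"Gianni", b"Mallory")
    fake_cert = dict(GIANNI_CERT, subject="Mallory")   # identity swapped: CA signature no longer fits
    return {
        "genuine": verify_signed_document(DOCUMENT, SIGNATURE, GIANNI_CERT, CA_PUB),
        "tampered_document": verify_signed_document(tampered, SIGNATURE, GIANNI_CERT, CA_PUB),
        "forged_certificate": verify_signed_document(DOCUMENT, SIGNATURE, fake_cert, CA_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier only ever needs the CA public key: the certificate carries the signer's public key and identity, and the CA's signature over both is what makes the Left/Right trust relationship of the 1-7-1 slide work.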
1-7-2 SSL/TLS
[Figure: each side holds its private key and the peer's public key; clear text is encrypted (Cipher 1), encrypted again (Cipher 2), transmitted over the public network, and decrypted twice on the other side to recover the clear text]
• Ensures confidentiality
• And integrity if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, identity, non-repudiation
1-8 Moxa UC-7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four throughput charts comparing the software and hardware cipher rates: 3DES-CBC and AES-128-CBC for packet sizes from 128 to 1280 bytes, and 3DES-CBC and AES-128-CBC for packet sizes from 16 to 144 bytes; the dashed series is the HW cipher]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operation between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | payload; SeqN and payload are encrypted, and the HMAC authenticates the packet]
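The static-key packet format above, and the keyed-MAC idea of slide 1-4, as an added example that is not OpenVPN's code and not part of the original slides. It builds and opens packets in the layout HMAC | IV | encrypt(SeqN | payload), with the HMAC computed over IV and ciphertext (encrypt-then-MAC, which is what OpenVPN does; the slide does not spell this out). The keys are constructed, HMAC-SHA1 is assumed as the digest because it is OpenVPN's default, and the block cipher is replaced by a constructed HMAC-SHA256 keystream so that the example runs with the standard library only; ReplayWindow, build_packet and open_packet are this example's own names.

```python
import hashlib
import hmac
import os
import struct

# Constructed static keys; in OpenVPN static-key mode both come from the key file
# generated with "openvpn --genkey --secret".
HMAC_KEY = b"constructed-hmac-key-do-not-use"
CIPHER_KEY = b"constructed-cipher-key-do-not-use"

HMAC_LEN = hashlib.sha1().digest_size    # 20 bytes: OpenVPN's default --auth SHA1
IV_LEN = 16
SEQ_LEN = 8                              # the 64-bit SeqN from the slide

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the real block cipher (assumption made for this example):
    HMAC-SHA256 in counter mode, seeded by the per-packet IV."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

class ReplayWindow:
    """Sliding window over sequence numbers: each SeqN is accepted at most once
    and anything older than the window is rejected."""
    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                       # sequence numbers start at 1
            return False
        if seq > self.highest:             # newest packet so far: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                   # too old, or already seen (replay)
        self.bitmap |= 1 << diff
        return True

def build_packet(seq: int, payload: bytes, iv: bytes = None) -> bytes:
    """HMAC | IV | encrypt(SeqN | payload); the HMAC covers IV and ciphertext."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    plaintext = struct.pack(">Q", seq) + payload
    ciphertext = xor(plaintext, keystream(CIPHER_KEY, iv, len(plaintext)))
    tag = hmac.new(HMAC_KEY, iv + ciphertext, hashlib.sha1).digest()
    return tag + iv + ciphertext

def open_packet(packet: bytes, window: ReplayWindow):
    """Verify the HMAC first (constant-time compare), then decrypt, then replay-check.
    Returns (status, payload) with status one of ok/malformed/bad_hmac/replay."""
    if len(packet) < HMAC_LEN + IV_LEN + SEQ_LEN:
        return "malformed", None
    tag = packet[:HMAC_LEN]
    iv = packet[HMAC_LEN:HMAC_LEN + IV_LEN]
    ciphertext = packet[HMAC_LEN + IV_LEN:]
    expected = hmac.new(HMAC_KEY, iv + ciphertext, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad_hmac", None            # forged or corrupted: dropped before decryption
    plaintext = xor(ciphertext, keystream(CIPHER_KEY, iv, len(ciphertext)))
    seq = struct.unpack(">Q", plaintext[:SEQ_LEN])[0]
    if not window.accept(seq):
        return "replay", None
    return "ok", plaintext[SEQ_LEN:]

def demo() -> list:
    window = ReplayWindow()
    p1 = build_packet(1, b"ping from LAN A")
    p2 = build_packet(2, b"second packet")
    results = [open_packet(p1, window)[0], open_packet(p2, window)[0],
               open_packet(p1, window)[0]]            # p1 delivered again: replay
    tampered = bytearray(p2)
    tampered[-1] ^= 0x01                              # flip one ciphertext bit
    results.append(open_packet(bytes(tampered), window)[0])
    return results   # ['ok', 'ok', 'replay', 'bad_hmac']
```

The order inside open_packet is the point: a packet whose HMAC does not verify is discarded before any decryption or parsing happens, so an unauthenticated sender never gets the decryptor or the sequence-number logic to act on its input.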
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: the OSI stacks of both ends (physical to application); OpenVPN runs at the application layer and the TUN device sits at the network layer (3rd)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Figure: the OSI stacks of both ends; OpenVPN runs at the application layer; the TAP device sits at the data-link layer (2nd), compared with TUN at the network layer (3rd); eth0 carries the tunnel, and eth1 plus tap0 are bridged on each side]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Figure: LAN A (host IP 10.0.1.1/24, gateway 10.0.1.254) is attached to ixp1 of the VPN server, whose ixp0 is 192.168.12.201; LAN B (host IP 10.0.2.1/24, gateway 10.0.2.254) is attached to ixp1 of the VPN client, whose ixp0 is 192.168.12.202; the VPN client connects to the VPN server through the VPN tunnel; the VPN server also acts as the CA/TLS server]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• Local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routing: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
  [At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf &
  [At VPN client] openvpn --config /etc/tunclient.conf &
• 2nd argument of "ifconfig", which is now "10.0.2.254"
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
• Mark (comment out) this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
• Edit the static routing: vi /etc/openvpn/tunserver.sh
  [At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
  [At VPN client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: source /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
• txxserver.conf
• txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System status: LAN IP → Wi-Fi IP → CPU loading → Available memory
• F3 Alarm setting: Temperature → Voltage → Burn-in throughput
• F4 Configuration key
• F5 Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
UC-7400 V1.5 Firmware
New Functions and Features Introduction

Firmware Version                | V1.1                    | V1.4.3                  | V1.5
Serial port                     | 230.4 Kbps              | 230.4 Kbps              | 921.6 Kbps (with HW V1.2)
WLAN                            | 802.11b (Prism 2.0/2.5) | 802.11b (Prism 2.0/2.5) | 802.11b (Prism 2.0/2.5), 802.11g
USB Host                        | N/A                     | Mass Storage, PNP       | Mass Storage, PNP
USB Client                      | N/A                     | N/A                     | N/A
Reset to Factory Default button | N/A                     | N/A                     | Yes (with HW V1.2)
Shared Memory                   | N/A                     | N/A                     | Yes
Protocol stacks and utilities   |                         |                         |
Arp (utility)                   | N/A                     | Yes                     | Yes
iptables                        | N/A                     | N/A                     | Yes
OpenVPN                         | N/A                     | N/A                     | Yes
WatchDog API                    | N/A                     | N/A                     | Yes
Crontab                         | N/A                     | N/A                     | Yes
upfirm                          | N/A                     | Yes                     | Yes
backupuf                        | N/A                     | Yes                     | Yes
backupfs, bf                    | Yes                     | Yes                     | N/A
minicom                         | Yes                     | Yes                     | Replaced by tip
Directory change                |                         |                         |
/var                            | User File System        | User File System        | Changed to ramdisk
Apache root document            | /usr/html               | /usr/html               | /usr/www

UC-7400 V1.5 Firmware
New Feature Introduction
• WatchDog support
• Cron function support on the system
• UART and special baud rate support
• System image backup utility "upfirm"
• 802.11g wireless card support
• Tool chain support on the Windows platform, including GCC, glibc and Insight (GDB debug tool)
• iptables support
• OpenVPN support
Watch Dog Timer (WDT)
1. Introduction
The WDT works like a watchdog function. You can enable it or disable it. When the user enables the WDT but the application does not acknowledge it, the system will reboot. You can set the ack time from a minimum of 50 msec to a maximum of 60 seconds.
2. How the WDT works
The watchdog is enabled when the system boots up, and the kernel will auto-ack it. The user application can also take over the ack; when the user application then fails to ack, the system will reboot.
3. The user API
The user application must include <moxadevice.h> and link moxalib.a.
Crontab
1. Introduction: daemon to execute scheduled commands
2. Description
• Start cron from the directory /etc/rc.d/rc.local
• Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
3. Example
• How to add ntpdate (synchronize time) in cron
• Every day at 5:10 the system will synchronize the time from the NTP server (192.168.0.1)

M (Minute) | H (Hour) | Dom (Day of month) | Mon (Month) | Dow (Day of week)  | User | Command
0-59       | 0-23     | 1-31               | 1-12        | 0-6 (0 is Sunday)  |      |

vi /etc/cron.d/crontab
# m h dom mon dow user command
10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
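A parser for the system-crontab format just described, applied to the slide's own ntpdate line, as an added example that is not part of the original slides. It expands the five time fields (including the `*`, range, list and `*/step` forms, which go beyond the single example on the slide) and reports whether an entry fires at a given time; the user field is kept so that an audit can see which entries run as root. The names parse_crontab_line and matches are this example's own.

```python
from datetime import datetime

FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]   # m h dom mon dow

def parse_field(spec: str, lo: int, hi: int) -> set:
    """Expand one crontab field ('*', '5', '1-5', '*/10', '1,15') into a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {spec!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_crontab_line(line: str) -> dict:
    """System crontab line: m h dom mon dow user command (the /etc/cron.d format)."""
    fields = line.split(None, 6)
    if len(fields) < 7:
        raise ValueError("expected 'm h dom mon dow user command'")
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields[:5], FIELD_RANGES)]
    return {"minute": sets[0], "hour": sets[1], "dom": sets[2], "mon": sets[3],
            "dow": sets[4], "user": fields[5], "command": fields[6]}

def matches(entry: dict, when: datetime) -> bool:
    """True if the entry fires at the given minute (all five fields must match)."""
    dow = (when.weekday() + 1) % 7          # Python: Monday=0; cron: Sunday=0
    return (when.minute in entry["minute"] and when.hour in entry["hour"]
            and when.day in entry["dom"] and when.month in entry["mon"]
            and dow in entry["dow"])

# The example line from the slide: sync the clock from the NTP server every day at 05:10.
NTP_LINE = "10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w"

def root_entries(crontab_text: str) -> list:
    """Commands that run as root: the entries worth reviewing first."""
    entries = [parse_crontab_line(l) for l in crontab_text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    return [e["command"] for e in entries if e["user"] == "root"]
```

One simplification to know about: real cron applies OR between dom and dow when both are restricted; this matcher ANDs all five fields, which is exact for lines where at least one of the two is `*`, as in the slide.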
UART and special baud rate support
1. Introduction
• The normal tty device nodes are located at /dev/ttyM0 ... ttyM7, and the modem tty device nodes are located at /dev/cum0 ... cum7
• UC-7400 supports Linux standard termios control
• The Moxa UART Device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2. The Function
You must include <moxadevice.h>
#define RS232_MODE 0
#define RS485_2WIRE_MODE 1
#define RS422_MODE 2
#define RS485_4WIRE_MODE 3
Function
• MOXA_SET_OP_MODE
• MOXA_GET_OP_MODE
UART and special baud rate support
3. Special baud rate support
• There are two Moxa private ioctl commands for setting up special baud rates
Function
• MOXA_SET_SPECIAL_BAUD_RATE
• MOXA_GET_SPECIAL_BAUD_RATE
• If you use this ioctl to set a special baud rate, the termios cflag will be B4000000, in which case the B4000000 define will be different
• If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm
Upgrading the Firmware
1. Introduction
UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM
Upgrading the Firmware
2. Description
• In V1.4.3 or later firmware, UC-7400 adds a new utility, "upfirm"
• The utility upfirm is designed for upgrading the firmware (including boot loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
upfirm uc7400-xxx.frm
(Refer to the next slide to see the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it (Y/N) ? Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 - 100% complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot the system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot-up after upgrading the firmware takes much longer than usual.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte CardBus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus wireless LAN card first
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
# Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
# This file is a binary file and will be read on loading the rt2500.o module
# Use "vi -b RT2500STA.dat" to modify the settings according to your needs
# 1) set NetworkType to Adhoc for ad-hoc mode, otherwise use Infrastructure
# 2) set Channel to 0 for auto-select in Infrastructure mode
# 3) set SSID for connecting to your access point
# 4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
# 5) EncrypType can be NONE, WEP, TKIP, AES
# for more information refer to the Readme file
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion - sets the channels for your particular country region
WirelessMode - sets the wireless mode
SSID - sets the softAP SSID
NetworkType - sets the wireless operation mode
Channel - sets the channel
AuthMode - sets the authentication mode
EncrypType - sets the encryption type
DefaultKeyID - sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str - set the key strings Key1 to Key4
WpaPsk - WPA pre-shared key
TxBurst - enables or disables TxBurst
TurboRate - enables or disables TurboRate
BGProtection - sets 11b/11g protection (this function is for engineering testing only)
ShortSlot - enables or disables the short slot time
TxRate - sets the TxRate
RTSThreshold - sets the RTS threshold
FragThreshold - sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows tool chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC
The following topics are covered in this appendix
• Introduction
• Installation procedure
• Using the BASH shell
• GDB debug tool - Insight
Windows Tool Chain
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows tool chain
Step 3: Deploying the program to the UC
[Figure: x86 PC on one side, IXP-422 target on the other]
Step 1: Setting up the Developing Environment
Install the Windows tool chain on the PC (Windows 2K/XP)
Installation tips
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities
• Moxa Bash Shell
• GDB debug tool - Insight
  • http://sources.redhat.com/insight
• This process could take from 5 to 30 minutes depending on the speed of your system
Step 2: Coding, Compiling and Debugging
• Code the C/C++ program in the Moxa Bash Shell (PC Windows tool chain)
• Comp
ile/link the source code with the tool chain
  • Compiler path setting: PATH=/usr/local/mxscaleb/bin
  • Compiling Hello.c
Step 3: Deployment
Upload the program to the UC
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 site)
• chmod +x hello-release
• ./hello-release
Hello
[Figure: the PC (Moxa Bash Shell) and the UC are connected over Ethernet: 1 compile with -ggdb on the PC, 2 GDB debug server on the UC, 3 Insight tool (GDB client) on the PC, 4 target remote]
Debugging with GDB
gdbserver 192.168.3.127:2000 hello-debug
Debugging with GDB
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): Compile the program with the -ggdb option, then upload it to the UC
Step 2 (UC): Start hello-debug under the debug server with the command: gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): Run the GDB client
• Open the hello-debug file
• Connect to target
  • GDB Server/TCP
  • 192.168.3.200
  • 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
• A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
• "Netfilter" manages only the packet headers, not the content
• iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1. Quick View of iptables
• Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains
• Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table
1. Quick View of iptables
• 3rd generation firewall on Linux
  - "ipfwadm" on Linux kernel V2.0.x
  - "ipchains" on Linux kernel V2.2.x
  - "ipchains" / "iptables" on Linux kernel V2.4.x
  - "iptables" on Linux kernel V2.6.x
• Supports basic packet filtering as well as connection state tracking
• UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Figure: packets are tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches (Yes) executes its action (Action 1, Action 2, ... Action 10); if no rule matches (No all the way down), the default policy applies]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets

Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
With this second order, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches its WWW packets first
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table
2-2-1 Filter Table
Mainly used for filtering packets: the place where we actually take action against packets, look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content
1. INPUT chain - packets entering the local host
2. OUTPUT chain - packets output from the local host
3. FORWARD chain - packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field
1) PREROUTING chain - translates the destination IP address (DNAT)
2) POSTROUTING chain - works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain - works on locally produced packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Figure: incoming packets → NAT table PREROUTING → filter table INPUT → local process]
2-3-2 Source: Local Host
[Figure: outgoing packets from the local process → NAT table OUTPUT → filter table OUTPUT → NAT table POSTROUTING → sent out]
2-3-3 Forwarded Packets
[Figure: incoming packets → NAT table PREROUTING → filter table FORWARD → NAT table POSTROUTING → other hosts; the local resource is not involved]
2-4 State Machine
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
Check the current tables: iptables [-t table] [-L] [-n]
(Screen capture: the listing shows the default policy of each chain)
3-1 Install iptables
(Screen capture: clear the current policy)
3-2 Define Default Policy
iptables -t {filter | nat | mangle} -P {INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING} {ACCEPT | DROP}
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter | nat | mangle} {-A | -I | -D | -R} <chain> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target.
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ...etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported rules file (it is not a standard script file). Please refer to the Hands-On practice.
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 - Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG".
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - ICMP "ping" burst (accept ICMP only at a limited rate under a DROP policy)
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 - Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of the nat table
Example 1 - Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets coming in from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE is only valid in POSTROUTING, see 3-3-4)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
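An added example, not Moxa's training material or a UC-7400 script: the kind of firewall script section 3-4 recommends, combining the filter-table rules of 4-1 and the NAT rules of 4-2 for the gateway those examples describe (eth0 public side 60.248.66.75, internal web server 192.168.127.10). Assumed, because the slides do not give them: eth1 is the LAN interface, the LAN is 192.168.127.0/24, 192.168.1.100 (the host from the rule-ordering example in section 2) is the host to block, and management is sshd on port 22.

```shell
#!/bin/sh
# Added example (not Moxa's own script): maintain the UC-7400 gateway ruleset
# in a script, as section 3-4 recommends, instead of re-loading exported rules.
# Topology from the 4-2 NAT examples: eth0 faces the public network with
# address 60.248.66.75, the internal web server is 192.168.127.10. Assumptions
# not on the slides: eth1 is the LAN side, the LAN is 192.168.127.0/24, and
# 192.168.1.100 (the host from the rule-ordering example in section 2) is the
# host to block. Without arguments the script only prints the rules (dry run);
# "apply" executes them with iptables.

OUT_IF=eth0
OUT_IP=60.248.66.75
LAN_IF=eth1
LAN_NET=192.168.127.0/24
WEB_SERVER=192.168.127.10
BLOCKED_HOST=192.168.1.100

MODE=print

# Every rule passes through ipt(): echoed in dry-run mode, executed in apply mode.
ipt() {
    if [ "$MODE" = apply ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

filter_rules() {
    ipt -t filter -F
    # Default policies (3-2): drop anything that is not explicitly accepted.
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT ACCEPT
    # Rule order matters (section 2): the blocked host must be dropped BEFORE
    # any ACCEPT rule, otherwise the WWW rule below would still let it through.
    ipt -t filter -A INPUT -i "$OUT_IF" -s "$BLOCKED_HOST" -j DROP
    ipt -t filter -A FORWARD -i "$OUT_IF" -s "$BLOCKED_HOST" -j DROP
    # Examples 1 and 12: loopback, replies to existing connections, invalid packets.
    ipt -t filter -A INPUT -i lo -j ACCEPT
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -m state --state INVALID -j DROP
    # New WWW connections from anywhere (only the SYN needs a rule; the rest
    # of the connection is ESTABLISHED).
    ipt -t filter -A INPUT -i "$OUT_IF" -p tcp --dport 80 --syn -j ACCEPT
    # Management only from the LAN side (assumed: sshd on port 22).
    ipt -t filter -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    # Example 11: answer pings, but rate-limited.
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Example 7: log (rate-limited) what is about to hit the DROP policy.
    ipt -t filter -A INPUT -m limit --limit 6/min -j LOG --log-prefix "FW-INPUT-DROP: "
    # Forwarding for the NAT machine: LAN out, replies back, DNAT'ed web traffic in.
    ipt -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A FORWARD -i "$LAN_IF" -o "$OUT_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t filter -A FORWARD -i "$OUT_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
}

nat_rules() {
    ipt -t nat -F
    # 4-2 Example 3: publish the internal web server on the public address.
    ipt -t nat -A PREROUTING -i "$OUT_IF" -p tcp -d "$OUT_IP" --dport 80 -j DNAT --to "$WEB_SERVER:80"
    # 4-2 Example 4: SNAT is POSTROUTING-only (3-3-4); the LAN leaves as OUT_IP.
    ipt -t nat -A POSTROUTING -o "$OUT_IF" -s "$LAN_NET" -j SNAT --to "$OUT_IP"
}

# Dry run: print the complete ruleset in the order it would be installed.
build_ruleset() {
    MODE=print
    filter_rules
    nat_rules
}

# Real run: needs root and the netfilter modules; IP forwarding and the FTP
# connection-tracking helper (Example 14) are enabled first.
apply_ruleset() {
    MODE=apply
    echo 1 > /proc/sys/net/ipv4/ip_forward
    modprobe ip_conntrack_ftp
    filter_rules
    nat_rules
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;
esac
```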
Thank You
OpenVPN 2.0
Stephen Lin
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
Integrity
• Ensure that the message has not been modified during the transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify who is the specific individual behind that entity.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys
• DES, 3DES, AES, Blowfish
[Figure: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts the ciphertext back to plaintext with the same secret key]
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5, SHA-1
[Figure: Tom computes Message Digest 1 = Hash(Data) and sends Data together with Message Digest 1; Bob computes Message Digest 2 with the same hash function over the received Data and compares it with Message Digest 1]
1-4 Message Authentication Code
• Ensure the data integrity
• Use a key to protect the MAC
• HMAC, CBC-MAC
[Figure: Tom computes Message Digest 1 = Hash(Data), encrypts it with the secret key to form the MAC and sends Data together with the MAC; Bob decrypts the MAC with the secret key to recover Message Digest 1, computes Message Digest 2 over the received Data and compares the two]
1-5 Asymmetric Encryption
Things to remember:
• Key pair - public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA, Diffie-Hellman
[Figure: clear text encrypted into an unreadable cipher text]
1-5 Asymmetric Data Encryption - Confidentiality Check
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair)]
1-5 Asymmetric Data Encryption - Authenticity Check
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair)]
1-6 Digital Signature
Real world - hybrid: 1. Data integrity 2. Authenticity 3. Non-repudiation 4. Algorithm - use the public key and a hash
1-6 Digital Signature - Creating
[Figure: a message or file ("This is the document created by Gianni") is hashed (SHA, MD5) into a short message digest (typically 128 bits) using a one-way message digest function; the digest is encrypted with the signatory's private key (asymmetric encryption, RSA) to produce the digital signature, which is attached to the document to form the signed document]
1-6 Digital Signature - Verifying
[Figure: the verifier recomputes the message digest of the received document with the same hash, decrypts the digital signature with Gianni's public key (from the certificate, asymmetric decryption) to recover the original digest, and compares the two digests]
1-6 Digital Signature
[Figure: Tom hashes Data into Message Digest 1 and encrypts it with Tom's private key to form the digital signature, sent together with Data; Bob decrypts the signature with Tom's public key to recover Message Digest 1, hashes the received Data into Message Digest 2 and compares the two]
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key (can be a person, a computer, a device, a file, some code, anything ...)
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + digital signature]
1-7-1 CA Certificate
[Figure: the CA (certification server) generates its own key pair; the user requests a certificate from the CA; the CA generates the certificate (user public key + digital signature); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Figure: Left and Right each hold their own private key, a certificate signed by the CA and the CA public key; the CA holds the CA private key; each side trusts the other's certificate because it was signed by the CA]
1-7-2 SSL/TLS
[Figure: clear text is encrypted (Cipher 1), encrypted again (Cipher 2) and transmitted over the public network; the receiver decrypts Cipher 2 and then Cipher 1 to recover the clear text, each side using its own private key and the peer's public key]
• Ensures confidentiality
• And integrity if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel Xscale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: throughput charts for 3DES-CBC and AES-128-CBC, software versus hardware cipher ("= HW Cipher"), plotted against packet size over 128 to 1280 bytes and over 16 to 144 bytes]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
• Default: hardware approach
• Any mis-configuration or busyness of the engine causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
Peers - each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
  HMAC | IV | SeqN | IP payload
  - SeqN and the IP payload are encrypted
  - the HMAC is computed over the IV and the encrypted part
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer and the TUN device attaches at layer 3 (Network)]
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Figure: two OSI stacks; OpenVPN at the application layer, TAP attached at layer 2 (Data-Link) versus TUN at layer 3; on each side eth1 and tap0 are bridged, while eth0 carries the tunnel]
Bridging advantages:
1. Point to point, point to multi-point
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology]
LAN A (IP 10.0.1.1/24, gw 10.0.1.254) -- ixp1 10.0.1.254 [VPN Server] ixp0 192.168.12.201
    <== VPN Tunnel (Connect) ==>
ixp0 192.168.12.202 [VPN Client] ixp1 10.0.2.254 -- LAN B (IP 10.0.2.1/24, gw 10.0.2.254)
[CA/TLS Server]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: if it is not there, ls /dev/net and look for a character device "tun"; if missing, mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf; [at the VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• Local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
• Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
• [At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf & and openvpn --config /etc/tunclient.conf &
• (Callout on the configuration screen capture: the 2nd argument of "ifconfig", which is now "10.0.2.254")
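The TUN configuration files themselves were only shown as screen captures; as an added example that is not Moxa's own material, this script generates a static-key server/client pair for the 3-1 lab (server reached at 192.168.12.201, LAN A 10.0.1.0/24 behind the server, LAN B 10.0.2.0/24 behind the client, tunnel endpoints 10.0.1.254 and 10.0.2.254 as in the slides). Assumed, not on the slides: the key file name static.key, UDP port 1194, AES-128-CBC with SHA1.

```shell
#!/bin/sh
# Added example, not Moxa's configuration files: generates the static-key TUN
# configuration pair for the 3-1 lab. Addresses come from the lab diagram; the
# tunnel endpoints reuse the LAN gateway addresses, as the slides do
# (ifconfig 10.0.1.254 10.0.2.254 on the server). Assumed: key file name
# static.key, UDP port 1194, cipher AES-128-CBC, HMAC digest SHA1.

SERVER_PUBLIC_IP=192.168.12.201
SERVER_TUN_IP=10.0.1.254
CLIENT_TUN_IP=10.0.2.254
LAN_A=10.0.1.0
LAN_B=10.0.2.0
MASK=255.255.255.0
KEY_FILE=static.key

# Directives that must be identical on both peers: a mismatch in dev, proto,
# port, cipher, auth or key means the peers silently fail to decrypt each other.
# $1 is the directory holding the key, so 'secret' is an absolute path.
common_directives() {
    cat <<EOF
dev tun
proto udp
port 1194
secret $1/$KEY_FILE
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
comp-lzo
verb 3
EOF
}

# Server side: ifconfig <local tunnel IP> <remote tunnel IP>; LAN B is routed
# through the tunnel. No 'remote' line: the server waits for the client.
write_server_conf() {
    dir=$1
    {
        echo "# tunserver.conf (generated)"
        echo "ifconfig $SERVER_TUN_IP $CLIENT_TUN_IP"
        echo "route $LAN_B $MASK"
        common_directives "$dir"
    } > "$dir/tunserver.conf"
}

# Client side: the 'remote' line is mandatory (3-2), the ifconfig arguments are
# the mirror image of the server's, and LAN A is routed through the tunnel.
write_client_conf() {
    dir=$1
    {
        echo "# tunclient.conf (generated)"
        echo "remote $SERVER_PUBLIC_IP"
        echo "ifconfig $CLIENT_TUN_IP $SERVER_TUN_IP"
        echo "route $LAN_A $MASK"
        common_directives "$dir"
    } > "$dir/tunclient.conf"
}

# Write both files into a directory (default /etc/openvpn). The shared key is
# created with the slides' own command, openvpn --genkey --secret static.key,
# and copied to the peer over a trusted channel, never in the clear.
generate_all() {
    dir=${1:-/etc/openvpn}
    mkdir -p "$dir"
    write_server_conf "$dir"
    write_client_conf "$dir"
}

if [ "${1:-}" = generate ]; then
    generate_all "${2:-/etc/openvpn}"
fi
```

Copy tunclient.conf and the key to the client and start each side with openvpn --config <file> &, after IP forwarding has been enabled as in 3-1.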
3-3 TAP Configuration - VPN Server
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf; [at the VPN client] vi /etc/openvpn/tapclient.conf
• (Callout on the configuration screen capture: mark this line if both VPN networks are in the same subnet)
• Edit the static routings: vi /etc/openvpn/tunserver.sh
• [At the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• (Callout: pointed to the kernel routing, br0 = 10.0.1.254)
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration files: openvpn --config /etc/openvpn/tapserver.conf & and openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
• Create the VPN client private key and certificate: /etc/openvpn/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
• txxserver.conf
• txxclient.conf
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1: Monitoring - Temperature -> Voltage -> Throughput for P3 to P8
F2: System Status - LAN's IP -> Wi-Fi's IP -> CPU loading -> Available memory
F3: Alarm Setting - Temperature -> Voltage -> Burning throughput
F4: Configuration key
F5: Main menu
Apache Web with CGI & HTML
• Seat Locating System
• Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier  | Model name
ASUS      | WL-107g
CNET      | CWC-854 (181D version)
Edimax    | EW-7108PCg
Amigo     | AWP-914WG
Gigabyte  | GN-WMKG
Others which use the R-Link chipset
Thank You
UC-7400 V1.5 Firmware
New Functions and Features Introduction

Firmware Version                | V1.1                    | V1.4.3                  | V1.5
Serial port                     | 230.4 Kbps              | 230.4 Kbps              | 921.6 Kbps (with HW V1.2)
WLAN                            | 802.11b (Prism 2.0/2.5) | 802.11b (Prism 2.0/2.5) | 802.11b (Prism 2.0/2.5), 802.11g
USB Host                        | N/A                     | Mass Storage, PNP       | Mass Storage, PNP
USB Client                      | N/A                     | N/A                     | N/A
Reset to Factory Default button | N/A                     | N/A                     | Yes (with HW V1.2)
Share Memory                    | N/A                     | N/A                     | Yes
Protocol stacks and utilities   |                         |                         |
Arp (utility)                   | N/A                     | Yes                     | Yes
iptables                        | N/A                     | N/A                     | Yes
OpenVPN                         | N/A                     | N/A                     | Yes
WatchDog API                    | N/A                     | N/A                     | Yes
Crontab                         | N/A                     | N/A                     | Yes
upfirm                          | N/A                     | Yes                     | Yes
backupuf                        | N/A                     | Yes                     | Yes
backupfs, bf                    | Yes                     | Yes                     | N/A
minicom                         | Yes                     | Yes                     | Replaced by tip
Directory change                |                         |                         |
/var                            | User file system        | User file system        | Changed to ramdisk
Apache root document            | /usr/html               | /usr/html               | /usr/www

UC-7400 V1.5 Firmware
New Feature Introduction:
• WatchDog support
• Cron function support on the system
• UART and special baud rate support
• System image backup utility "upfirm"
• 802.11g wireless card support
• Tool chain support on the Windows platform, including GCC, Glibc and Insight (GDB debug tool)
• iptables support
• OpenVPN support
Watch Dog Timer (WDT)
1. Introduction
The WDT works like a watchdog function. You can enable it or disable it. When the user enables the WDT but the application does not acknowledge it, the system will reboot. You can set the ack time from a minimum of 50 msec to a maximum of 60 seconds.
2. How the WDT works
The WatchDog is enabled when the system boots up. The kernel will auto-ack it. The user application can also enable ack; when the user does not ack, the system will reboot.
3. The user API
The user application must include <moxadevice.h> and link moxalib.a.
Crontab
1. Introduction: daemon to execute scheduled commands
2. Description
• Start cron from the directory /etc/rc.d/rc.local
• Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
m (Minute) | h (Hour) | dom (Date) | mon (Month) | dow (Week)        | user | command
0-59       | 0-23     | 1-31       | 1-12        | 0-6 (0 is Sunday) |      |
3. Example
• How to add ntpdate (synchronize time) in cron
• Every day at 5:10 the system will synchronize the time from the NTP server (192.168.0.1)
vi /etc/cron.d/crontab
# m h dom mon dow user command
10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
UART and special baud rate support
1. Introduction
• The normal tty device nodes are located at /dev/ttyM0 ... ttyM7 and the modem tty device nodes are located at /dev/cum0 ... cum7
• UC-7400 supports Linux standard termios control
• The Moxa UART Device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2. The Function
You must include <moxadevice.h>:
#define RS232_MODE       0
#define RS485_2WIRE_MODE 1
#define RS422_MODE       2
#define RS485_4WIRE_MODE 3
Functions:
• MOXA_SET_OP_MODE
• MOXA_GET_OP_MODE
3. Special baud rate support
• There are two Moxa private ioctl commands for setting up special baud rates
Functions:
• MOXA_SET_SPECIAL_BAUD_RATE
• MOXA_GET_SPECIAL_BAUD_RATE
• If you use this ioctl to set a special baud rate, the termios cflag will be B4000000, in which case the B4000000 define will be different
• If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm
1. Introduction
UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com).
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM
2. Description
• In V1.4.3 or later firmware versions, UC-7400 adds a new utility, "upfirm"
• The utility upfirm is designed for upgrading the firmware (including boot loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website
How to upgrade the firmware
Step 1: Type the following commands to enable the RAM disk
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
upfirm uc7400-xxx.frm
(The upfirm procedure looks as follows)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it (Y/N) Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 - 100% complete
Wait to write file Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
(Press any key to reboot the system)
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot-up after upgrading the firmware takes a long time.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
Step 1: Unplug the CardBus Wireless LAN card first
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat. This file is a binary file and will be read on loading the rt2500.o module. Use vi -b RT2500STA.dat to modify the settings according to your needs:
1) Set NetworkType to Adhoc for using Adhoc mode, otherwise use Infrastructure
2) Set Channel to 0 for auto-select in Infrastructure mode
3) Set SSID for connecting to your access point
4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
5) EncrypType can be NONE, WEP, TKIP, AES
For more information refer to the Readme file.
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: sets the channels for your particular country region
WirelessMode: sets the wireless mode
SSID: sets the softAP SSID
NetworkType: sets the wireless operation mode
Channel: sets the channel
AuthMode: sets the authentication mode
EncrypType: sets the encryption type
DefaultKeyID: sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: sets the strings Key1 to Key4
WpaPsk: WPA pre-shared key
TxBurst: enables or disables TxBurst
TurboRate: enables or disables TurboRate
BGProtection: sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: enables or disables the short slot time
TxRate: sets the TxRate
RTSThreshold: sets the RTS threshold
FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
- Introduction
- Installation Procedure
- Using the BASH Shell
- GDB debug tool - Insight
Windows Tool Chain
1. Operating System: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files, you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
(PC: x86 -> UC: IXP-422)
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP)
Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities:
- Moxa Bash Shell
- GDB debug tool - Insight
- http://sources.redhat.com/insight/
- This process could take from 5 to 30 minutes, depending on the speed of your system
Step 2: Coding, Compiling and Debugging
Code with a C/C++ program on the Moxa Bash Shell (PC Windows Tool Chain)
Compile/link the source code with the tool-chain:
- Compiler path setting: PATH=/usr/local/mxscaleb/bin:$PATH
- Compiling Hello.c
Step 3: Deployment
Upload the program to the UC:
- ftp 192.168.3.127
- ftp> binary
- ftp> put hello-release
Running the program (at the UC-7400 side):
- chmod +x hello-release
- ./hello-release
# chmod +x hello-release
# ./hello-release
Hello
Debugging with GDB
(Diagram: PC and UC connected by Ethernet. PC, Moxa Bash Shell: 1. compile with -ggdb; 3. Insight tool (GDB client); 4. target remote. UC: 2. GDB debug server.)
# chmod +x hello-debug
# gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): Compile the program with the -ggdb option, then upload it to the UC
Step 2 (UC): Start hello-debug under the debug server with the command
  gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): Run the GDB client
- Open the hello-debug file
- Connect to target:
  - GDB Server/TCP
  - 192.168.3.200
  - 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1 Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel.
"Netfilter" works on the packet headers only, not on the content.
iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
1 Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
1 Quick View of iptables
3rd generation firewall on Linux:
- "ipfwadm" on Linux kernel V2.0.X
- "ipchains" on Linux kernel V2.2.X
- "ipchains" / "iptables" on Linux kernel V2.4.X
- "iptables" on Linux kernel V2.6.X
Supports basic packet filtering as well as connection state tracking.
UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
(Flow diagram: a packet is tested against Rule 1, then Rule 2, ... up to Rule 10. The first rule that matches decides the action (Action 1, Action 2, ... Action 10); if no rule matches, the default policy applies.)
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
With the order changed:
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
192.168.1.100 is able to use the WWW service, or to attack the WWW service port, because Rule 1 already accepted its packets before Rule 2 was reached.
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain - packets entering the local host
2. OUTPUT chain - packets output from the local host
3. FORWARD chain - packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field.
1) PREROUTING chain - to translate the destination IP address (DNAT)
2) POSTROUTING chain - works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain - works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
Incoming packets -> NAT table PREROUTING -> (routing decision) -> Filter table INPUT -> Local process
2-3-2 Source Local Host
Local process -> NAT table OUTPUT -> Filter table OUTPUT -> NAT table POSTROUTING -> Outgoing packets are sent out
2-3-3 Forwarded Packets
Incoming packets -> NAT table PREROUTING -> (routing decision) -> Filter table FORWARD -> NAT table POSTROUTING -> Other hosts
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t [filter|nat|mangle] -P [INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING] [ACCEPT|DROP]
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter|nat|mangle] [-A|-I|-D|-R] <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match (conditions) and the target (action).
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter - Rules of filter table
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from IP 192.168.0.0/24 to the local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 7 - Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter - Rules of filter table
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of filter table
Example 13 - Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 - Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets coming from 192.168.1.0/24 to be the local ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
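As an added example (not part of the Moxa slides), the script below collects the filter rules of 4-1 and the NAT rules of 4-2 into one maintainable script, which is what 3-4 recommends instead of relying on the exported rule file. The LAN 192.168.127.0/24, the web server 192.168.127.10 and the WAN address 60.248.66.75 follow the slide examples; the interface names, the blocked host 192.168.1.100 from 2-1 and the management port are constructed assumptions.

```shell
#!/bin/sh
# Added example: a Netfilter rule script for a UC-7400 acting as a NAT
# gateway. Assumptions (constructed): eth0 is the WAN side holding the
# address from Example 3, eth1 is the LAN side, and the internal web
# server is 192.168.127.10. Run "sh firewall.sh show" for a dry run that
# prints the rules, "sh firewall.sh start" (from the console or the LAN
# side, since INPUT defaults to DROP) to apply them.

IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

WAN_IF=eth0
WAN_IP=60.248.66.75
LAN_IF=eth1
LAN_NET=192.168.127.0/24
WEB_SERVER=192.168.127.10
BLOCKED_HOST=192.168.1.100   # the attacking host of slide 2-1 (constructed)

flush_all() {
    # Clean slate in every table, then default-deny for the filter table
    # (the nat chains keep their ACCEPT policy).
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
    "$IPT" -t filter -P INPUT DROP
    "$IPT" -t filter -P FORWARD DROP
    "$IPT" -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    # First match wins (slide 2-1): the DROP for the blocked host is
    # appended before any ACCEPT that could otherwise cover its packets.
    "$IPT" -t filter -A INPUT -i lo -j ACCEPT
    "$IPT" -t filter -A INPUT -s "$BLOCKED_HOST" -j DROP
    # Stateful rules (Example 12): keep existing flows, drop invalid ones.
    "$IPT" -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A INPUT -m state --state INVALID -j DROP
    # Management (ssh) only from the LAN side.
    "$IPT" -t filter -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    # Rate-limited ping (Example 11): reachable, but not floodable.
    "$IPT" -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Record new connection attempts from the WAN before the policy drops them.
    "$IPT" -t filter -A INPUT -i "$WAN_IF" -p tcp --syn -j LOG --log-prefix "WAN-SYN-DROP: "
    # Forwarding: LAN may go out; WAN gets replies plus the published web port.
    "$IPT" -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

nat_rules() {
    # DNAT (Example 3): publish the internal web server on the WAN address.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 80 -j DNAT --to "$WEB_SERVER:80"
    # SNAT (Example 4): rewrite LAN sources to the fixed WAN address. On a
    # dynamic link such as ppp0, MASQUERADE (Example 2) replaces this rule.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to "$WAN_IP"
}

apply_rules() {
    "$MODPROBE" ip_conntrack_ftp   # Example 14: FTP data connections count as RELATED
    flush_all
    filter_rules
    nat_rules
}

# Dry run: print the rule set instead of applying it.
show_rules() {
    ( IPT=echo; MODPROBE=echo; apply_rules )
}

case "${1:-}" in
    start) apply_rules ;;
    show)  show_rules ;;
esac
```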
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
- Ensure that the message has not been modified during the transmission
Authenticity
- You can verify that you are talking to the entity you think you are talking to
- You can verify who is the specific individual behind that entity
Non-repudiation
- The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
- Fast, high efficiency for data transmission
- Is it "secure" while transferring the key?
- Maintenance of the keys: n(n-1)/2 keys for n parties
- DES, 3DES, AES, Blowfish
(Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back to the plaintext.)
1-3 Hash (Digest) Function
- Ensures data integrity
- MD5, SHA-1
(Diagram: Tom runs the data through the hash function to get message digest 1 and sends data + digest 1; Bob runs the same hash function over the received data to get message digest 2 and compares it with digest 1.)
1-4 Message Authentication Code
- Ensures data integrity
- Uses a key to protect the MAC
- HMAC, CBC-MAC
(Diagram: Tom hashes the data to message digest 1, encrypts the digest with the secret key to form the MAC and sends data + MAC; Bob decrypts the MAC with the secret key to recover digest 1, hashes the received data to digest 2, and compares the two.)
1-5 Asymmetric Encryption
Things to remember:
- Key pair - public/private keys
- In a session, one is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear-text and cipher-text
- The two keys are interchangeable: the algorithms make no difference between public and private key. When a key pair is generated, either of the two can be public or private
- Less efficient than a static (symmetric) key
- RSA, Diffie-Hellman
(Diagram: clear text is turned into unreadable cipher text by the encryption step.)
1-5 Asymmetric Data Encryption - Confidentiality Check
(Diagram) Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair).
1-5 Asymmetric Data Encryption - Authenticity Check
(Diagram) Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair).
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - uses the public key and a hash
1-6 Digital Signature - Creating
(Diagram) Calculate a short message digest from even a long input ("This is the document created by Gianni") using a one-way message digest function (hash: SHA, MD5; typically 128 bits). Encrypt the message digest with the signatory's private key (asymmetric encryption, RSA): the result is the digital signature. The message or file together with the digital signature forms the signed document.
1-6 Digital Signature - Verifying
(Diagram) Split the signed document into the data and the digital signature. Generate the message digest of the data with the same hash. Decrypt the digital signature with Gianni's public key (from the certificate) by asymmetric decryption, which yields the original digest. Compare the two digests: if they are equal, the data is intact and was signed by the holder of the private key.
1-6 Digital Signature
(Diagram) Tom hashes the data to message digest 1 and encrypts it with Tom's private key: this is the digital signature, sent together with the data. Bob hashes the received data to message digest 2, decrypts the digital signature with Tom's public key to recover message digest 1, and compares the two.
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key
... and the whole is:
- Digitally signed by someone trusted (like your friend, or a CA)
(Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...)
1-7-1 CA Certificate
(Diagram) The CA generates a key pair (priv, pub) on the certification server. The user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert), and the private key and the certificate are sent to the user.
1-7-1 CA Certificate Example
(Diagram) The CA holds the CA private key; the CA public key is itself signed by the CA. Left holds its private key, its certificate signed by the CA and the CA public key; Right likewise holds its private key, its certificate signed by the CA and the CA public key. Because both trust the CA public key, each can verify the other's certificate.
1-7-2 SSL/TLS
(Diagram) Each side has a key pair (priv, pub). The clear text is encrypted into Cipher 1, encrypted again into Cipher 2, transmitted over the public network, and decrypted in reverse order (Cipher 2, then Cipher 1) back to the clear text using the exchanged public keys.
- Ensures confidentiality, and integrity if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel Xscale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
(Charts: throughput rate of 3DES-CBC and AES128-CBC versus packet size, software versus hardware cipher, for packet sizes from 128 to 1280 bytes and from 16 to 144 bytes; the hardware cipher curves are marked "= HW Cipher".)
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
- Default: hardware approach
- Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach:
- DES: 128 bytes
- 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
- mxhw_cipher.o
Device file:
- mknod /dev/mxcrypto c 11 131
Test program:
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
- VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
- A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.)
- A VPN allows the usage of protocols which are insecure by themselves
- VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most of the platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000-SP4 / Windows XP-SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
- Makes use of the kernel routing
- Multiple clients
A user-space program
- A full-featured SSL-VPN solution
- On top of the existing SSL/TLS mechanism
- Options between a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
- Static key: uses a pre-shared key
- SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number
- IV: plain-text initial vector, randomized per packet
HMAC | IV | encrypt( SeqN | IP payload )
The HMAC is computed over the IV and the encrypted part (SeqN + payload).
2-2 OpenVPN vs IPSec
OpenVPN
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
- Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
- Uses the kernel routing to forward the packets
(Diagram: the OSI stacks of both peers, Physical up to Application; OpenVPN runs at the application layer and presents the TUN device at the network layer, the 3rd layer.)
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
- Bridge tools (brctl) are required to create the virtual adapters
- Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0         # create an Ethernet bridge
brctl addif br0 eth1    # connect interface eth1 as a port
brctl addif br0 tap0    # connect virtual interface tap0 as a port
(Diagram: the OSI stacks of both peers; OpenVPN at the application layer, the TAP device at the data-link layer, the 2nd layer; on each side eth1 and tap0 are bridged while eth0 carries the tunnel.)
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX (Netware) and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing, and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
(Lab topology)
LAN A: hosts 10.0.1.1/24, gateway 10.0.1.254 on ixp1 of the [VPN Server], which is also the [CA/TLS Server]
[VPN Server] ixp0: 192.168.12.201
VPN Tunnel (the client connects to the server)
[VPN-Client] ixp0: 192.168.12.202
LAN B: hosts 10.0.2.1/24, gateway 10.0.2.254 on ixp1 of the [VPN-Client]
3-1 Getting Started
- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
- Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
- Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
- Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tun/server.conf
- [At VPN Client] vi /etc/openvpn/tun/client.conf
3-2 TUN Server Configuration
- The local/remote VPN IP addresses must be specified
- It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
- Edit the static routings: vi /etc/openvpn/tun/server.sh; chmod +x /etc/tun/server.sh
- [At VPN Client] vi /etc/openvpn/tun/client.sh; chmod +x /etc/tun/client.sh
- Start OpenVPN with the configuration file: openvpn --config /etc/tun/server.conf &  (at the client: openvpn --config /etc/tun/client.conf &)
- Note the 2nd argument of "ifconfig", which is now "10.0.2.254"
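The TUN configuration files appear in the slides only as screenshots. As an added example (not Moxa's files), the script below writes a matching static-key server/client pair for the 3-1 topology so the pair can be generated and checked; the server address 192.168.12.201 comes from the slides, while the tunnel endpoints 10.8.0.1/10.8.0.2, the key file name static.key and the use of route directives in place of the separate .sh scripts are assumptions.

```shell
#!/bin/sh
# Added example (not from the training material): OpenVPN 2.0 static-key
# (pre-shared key) TUN configurations for LAN A (10.0.1.0/24) behind the
# VPN server at 192.168.12.201 and LAN B (10.0.2.0/24) behind the client.
# Assumptions (constructed): tunnel endpoints 10.8.0.1/10.8.0.2 and a key
# made with "openvpn --genkey --secret /etc/openvpn/static.key".
# Usage: write_tun_configs [target-dir]   (default /etc/openvpn/tun)

write_tun_configs() {
    dir="${1:-/etc/openvpn/tun}"
    mkdir -p "$dir"

    cat > "$dir/server.conf" <<'EOF'
# VPN server side (gateway of LAN A)
dev tun
proto udp
port 1194
# local tunnel address, remote tunnel address
ifconfig 10.8.0.1 10.8.0.2
# both peers hold the identical key file; copy it over a trusted
# channel (e.g. scp), never over the tunnel it is meant to protect
secret /etc/openvpn/static.key
# reach LAN B through the tunnel
route 10.0.2.0 255.255.255.0
# name the cipher and HMAC digest explicitly instead of relying on defaults
cipher AES-128-CBC
auth SHA1
# ping every 10 s, restart the link if the peer is silent for 60 s
keepalive 10 60
persist-key
persist-tun
verb 3
EOF

    cat > "$dir/client.conf" <<'EOF'
# VPN client side (gateway of LAN B)
dev tun
proto udp
# the server address MUST be given on the client (slide 3-2)
remote 192.168.12.201 1194
# mirror image of the server's ifconfig line
ifconfig 10.8.0.2 10.8.0.1
secret /etc/openvpn/static.key
# reach LAN A through the tunnel
route 10.0.1.0 255.255.255.0
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Consistency check: the two ifconfig lines must be mirror images of each
# other, otherwise the tunnel comes up but no traffic is routed through it.
check_ifconfig_pair() {
    dir="$1"
    srv=$(awk '$1=="ifconfig"{print $2" "$3}' "$dir/server.conf")
    cli=$(awk '$1=="ifconfig"{print $3" "$2}' "$dir/client.conf")
    [ -n "$srv" ] && [ "$srv" = "$cli" ]
}
```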
- Create the TAP configuration files: vi /etc/openvpn/tap/server.conf
- [At VPN Client] vi /etc/openvpn/tap/client.conf
3-3 TAP Configuration - VPN Server
- Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
- Edit the static routings: vi /etc/openvpn/tun/server.sh
- [At VPN Client] vi /etc/openvpn/tap/client.sh; chmod +x /etc/tap/client.sh
- Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap/server.conf &  (at the client: openvpn --config /etc/openvpn/tap/client.conf &)
3-4-1 SSL/TLS - Dynamic Keys
- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf, and pre-set the default_days, default_bits ... etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
- Certificate signing: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client
- Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars
- Activate the vars: . /etc/openvpn/easy-rsa/vars
- Create the CA root key: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
- Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
- Copy the CA certificate, the client key and the client certificate to the VPN client
- The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
- txx/server.conf
- txx/client.conf
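The modified configuration files of 3-4-3 are not reproduced in the text. As an added example (not Moxa's files), the script below writes a server/client pair for the SSL/TLS mode of 3-4 that uses the files the easy-rsa steps produce (ca.crt, server.crt, server.key, client.crt, client.key, and dh1024.pem from build-dh). The server address 192.168.12.201 is from the 3-1 topology; the tunnel pool 10.8.0.0/24, the key directory, the tls-auth key ta.key and the unprivileged user/group names are assumptions.

```shell
#!/bin/sh
# Added example (not from the training material): OpenVPN 2.0 TLS-mode
# configurations. Assumptions (constructed): keys live in
# /etc/openvpn/keys, "openvpn --genkey --secret ta.key" produced the
# tls-auth key, and the unprivileged account is nobody/nobody.
# Usage: write_tls_configs [target-dir]   (default /etc/openvpn)

write_tls_configs() {
    dir="${1:-/etc/openvpn}"
    mkdir -p "$dir"

    cat > "$dir/tls-server.conf" <<'EOF'
dev tun
proto udp
port 1194
# TLS server mode: each client gets an address from this pool
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh1024.pem
# extra HMAC on the control channel: packets without a valid HMAC are
# dropped before any TLS processing takes place (direction 0 = server)
tls-auth /etc/openvpn/keys/ta.key 0
# tell the clients how to reach LAN A
push "route 10.0.1.0 255.255.255.0"
cipher AES-128-CBC
auth SHA1
keepalive 10 120
# drop root privileges once the tun device and the keys are set up
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF

    cat > "$dir/tls-client.conf" <<'EOF'
client
dev tun
proto udp
remote 192.168.12.201 1194
resolv-retry infinite
nobind
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key  /etc/openvpn/keys/client.key
# same key as the server, opposite direction (1 = client)
tls-auth /etc/openvpn/keys/ta.key 1
# accept only a server certificate carrying nsCertType=server, so that a
# leaked client certificate cannot be used to impersonate the server;
# this requires the server certificate to be built with easy-rsa's
# build-key-server rather than build-key
ns-cert-type server
cipher AES-128-CBC
auth SHA1
persist-key
persist-tun
verb 3
EOF
}

# Consistency check: tls-auth must use direction 0 on the server and 1 on
# the client, otherwise every control-channel packet fails the HMAC check.
check_tls_auth_dirs() {
    dir="$1"
    s=$(awk '$1=="tls-auth"{print $3}' "$dir/tls-server.conf")
    c=$(awk '$1=="tls-auth"{print $3}' "$dir/tls-client.conf")
    [ "$s" = "0" ] && [ "$c" = "1" ]
}
```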
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a Power Meter and a Thermocouple
Two LAN ports plus an optional Wi-Fi function, making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature Range: 0 to 500°C
Left side for high range: 0 to 300 VDC; right side for low range: 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier: Model name
ASUS: WL-107g
CNET: CWC-854 (181D version)
Edimax: EW-7108PCg
Amigo: AWP-914WG
Gigabyte: GN-WMKG
Others which use the Ralink chipset
Thank You
UC-7400 V1.5 Firmware
New Functions and Features Introduction
Firmware Version: V1.1 | V1.4.3 | V1.5
Serial port: 230.4 Kbps | 230.4 Kbps | 921.6 Kbps (with HW V1.2)
WLAN: 802.11b (Prism 2/2.5) | 802.11b (Prism 2/2.5) | 802.11b (Prism 2/2.5), 802.11g
USB Host: N/A | Mass Storage PNP | Mass Storage PNP
USB Client: N/A | N/A | N/A
Reset to Factory Default button: N/A | N/A | Yes (with HW V1.2)
Share Memory: N/A | N/A | Yes
Protocol stacks and utilities
Arp (utility): N/A | Yes | Yes
iptables: N/A | N/A | Yes
OpenVPN: N/A | N/A | Yes
WatchDog API: N/A | N/A | Yes
Crontab: N/A | N/A | Yes
upfirm: N/A | Yes | Yes
backupuf: N/A | Yes | Yes
backupfs, bf: Yes | Yes | N/A
minicom: Yes | Yes | Replaced by tip
Directory Change
/var: User File System | User File System | Changed to ramdisk
Apache root document: /usr/html | /usr/html | /usr/www
UC-7400 V1.5 Firmware
New Feature Introduction
• WatchDog support
• Support Cron function on system
• UART and special baud rate support
• System image backup utility "upfirm"
• 802.11g wireless card support
• Support tool chain on Windows platform, including GCC, Glibc and Insight (GDB debug tool)
• iptables support
• OpenVPN support
Watch Dog Timer (WDT)
1. Introduction
The WDT works like a watch dog function. You can enable it or disable it. When the user enables the WDT but the application does not acknowledge it, the system will reboot. You can set the ack time from a minimum of 50 msec to a maximum of 60 seconds.
2. How the WDT works
The sWatchDog is enabled when the system boots up. The kernel will auto-ack it. The user application can also enable ack. When the user does not ack, the system will reboot.
3. The user API
The user application must include <moxadevice.h> and link moxalib.a
Crontab
1. Introduction: Daemon to execute scheduled commands
2. Description
• Start Cron from the directory /etc/rc.d/rc.local
• Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
Mm (Minute) | H (Hour) | Dom (Date) | Mon (Month) | Dow (Week) | User | command
0-59 | 0-23 | 1-31 | 1-12 | 0-6 (0 is Sunday)
3. Example
• How to add ntpdate (synchronize time) in Cron
• Every day at 5:10 the system will synchronize the time from the NTP Server (192.168.0.1)
vi /etc/cron.d/crontab
# m h dom mon dow user command
10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
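A checker for the five time fields of the crontab format above, as an added example written for this page (it is not a Moxa utility): it evaluates a specification against a given minute/hour/day/month/weekday, so a schedule such as "10 5 * * *" can be confirmed to mean 05:10 every day before it goes into /etc/cron.d/crontab, and it installs an entry only once. It goes beyond the slide's single entry by handling ranges, lists and step values. The file path used in the demonstration is a temporary one.

```shell
#!/bin/sh
# Added example, not a Moxa utility: checks a crontab time specification
# against a minute/hour/day/month/weekday using the field format shown on
# the slide, and installs an entry only once. The file path is temporary.

# cron_field_match FIELD VALUE MIN MAX -> 0 if VALUE is covered by FIELD.
# FIELD is "*", "N", "A-B", "*/S", "A-B/S" or a comma-separated list of these.
cron_field_match() {
    value=$2; lo_default=$3; hi_default=$4
    set -f                      # no globbing while "*" is split
    oldifs=$IFS; IFS=','
    set -- $1
    IFS=$oldifs; set +f
    for item in "$@"; do
        step=1
        case $item in
            */*) step=${item#*/}; item=${item%/*} ;;
        esac
        case $item in
            '*') lo=$lo_default; hi=$hi_default ;;
            *-*) lo=${item%-*};  hi=${item#*-} ;;
            *)   lo=$item;       hi=$item ;;
        esac
        if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
           && [ $(( (value - lo) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_line_matches "m h dom mon dow" MIN HOUR DOM MON DOW -> 0 if all five
# fields match. Day-of-month and day-of-week are ANDed here; Vixie cron ORs
# them when both are restricted, a detail this checker leaves out.
cron_line_matches() {
    spec=$1; shift
    set -f
    set -- $spec "$@"           # five fields, then the five values
    set +f
    [ $# -eq 10 ] || return 2
    cron_field_match "$1" "$6" 0 59 && cron_field_match "$2" "$7" 0 23 \
        && cron_field_match "$3" "$8" 1 31 && cron_field_match "$4" "$9" 1 12 \
        && cron_field_match "$5" "${10}" 0 6
}

# install_cron_entry FILE ENTRY -> appends ENTRY unless it is already present,
# so re-running a setup script does not schedule the job twice.
install_cron_entry() {
    if [ -f "$1" ] && grep -Fxq -- "$2" "$1"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# The slide's entry: 05:10 every day, sync from the NTP server, save to the RTC.
NTP_ENTRY='10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w'

# Demonstration: confirm the schedule, then install it into a temporary file.
cron_line_matches "${NTP_ENTRY%% root*}" 10 5 17 8 3 && echo "fires at 05:10"
DEMO_FILE=$(mktemp)
install_cron_entry "$DEMO_FILE" "$NTP_ENTRY"
install_cron_entry "$DEMO_FILE" "$NTP_ENTRY"
echo "entries installed: $(grep -c . "$DEMO_FILE")"
```

Use `cron_line_matches` with the planned specification and a few sample times before editing the real file; the step and range forms are checked against the lower bound of each field, so "*/2" in the day-of-month field means the odd days, as cron itself counts from 1.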
UART and special baud rate support
1. Introduction
• The normal tty device nodes are located at /dev/ttyM0 … ttyM7, and the modem tty device nodes are located at /dev/cum0 … cum7
• UC-7400 supports Linux standard termios control
• The Moxa UART Device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2. The Function
You must include <moxadevice.h>
#define RS232_MODE 0
#define RS485_2WIRE_MODE 1
#define RS422_MODE 2
#define RS485_4WIRE_MODE 3
Function:
• MOXA_SET_OP_MODE
• MOXA_GET_OP_MODE
UART and special baud rate support
3. Special baud rate support
• There are two Moxa private ioctl commands for setting up special baud rates
Function:
• MOXA_SET_SPECIAL_BAUD_RATE
• MOXA_GET_SPECIAL_BAUD_RATE
• If you use this ioctl to set a special baud rate, the termios cflag will be B4000000, in which case the B4000000 define will be different
• If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm
Upgrading the Firmware
1. Introduction
UC-7400's bios, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM
Upgrading the Firmware
2. Description
• In V1.4.3 or later firmware, UC-7400 adds a new utility "upfirm"
• The utility upfirm is designed for upgrading the firmware (including boot-loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
upfirm uc7400-xxx.frm
(Refer to the next slide to see the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware.
Do you want to continue it (Y/N)? Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 – 100% complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot after upgrading the firmware takes a long time.
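A wrapper around the three upgrade steps above, as an added example written for this page (it is not a Moxa utility): since the erase has no rollback, it refuses to stage and flash an image unless the file name has the documented uc7400-xxx.frm form and the file's SHA-256 matches the value recorded when it was downloaded. The checksum argument is a placeholder you fill in from your own download record; the `upramdisk` and `upfirm` commands are the slide's, and `RUN=echo` turns the destructive steps into a dry run.

```shell
#!/bin/sh
# Added example, not a Moxa utility: wraps the three upgrade steps so that
# nothing is flashed unless the file name has the documented uc7400-xxx.frm
# form and its SHA-256 matches the value recorded at download time. The
# expected checksum is a placeholder you supply; RUN=echo prints the
# destructive steps instead of executing them.
RUN=${RUN:-}

# firmware_name_ok FILE -> 0 if FILE is named like uc74xx-<version>.frm
firmware_name_ok() {
    case $(basename "$1") in
        [Uu][Cc]74[0-9][0-9]-*.frm) return 0 ;;
        *) return 1 ;;
    esac
}

# firmware_checksum_ok FILE EXPECTED_SHA256 -> 0 if the digest matches
firmware_checksum_ok() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# upgrade_firmware FILE EXPECTED_SHA256
#   returns 2/3/4 without touching the Flash when a precondition fails
upgrade_firmware() {
    fw=$1; want=$2
    [ -r "$fw" ] || { echo "cannot read $fw" >&2; return 2; }
    firmware_name_ok "$fw" || { echo "unexpected file name: $fw" >&2; return 3; }
    firmware_checksum_ok "$fw" "$want" \
        || { echo "checksum mismatch, refusing to flash" >&2; return 4; }
    # Step 1: bring up the RAM disk and stage the image there
    $RUN upramdisk
    $RUN cp "$fw" /mnt/ramdisk/
    # Step 3: run upfirm from the RAM disk; it asks its own Y/N question
    ( $RUN cd /mnt/ramdisk && $RUN upfirm "$(basename "$fw")" )
}

# Usage on the UC (checksum is a placeholder, not a value from Moxa):
#   upgrade_firmware /mnt/ramdisk/uc7400-1.5.frm <sha256 recorded at download>
```

Record the digest when you download the image, on a machine you trust, and carry the digest to the UC separately from the image; the check then catches a truncated transfer as well as a substituted file.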
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus Wireless LAN card first
Step 2: Configure the default IP setting profile
vi /etc/network/interfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
# Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
# This file is a binary file and will be read on loading the rt2500.o module
# Use vi -b RT2500STA.dat to modify settings according to your needs
# 1) set NetworkType to Adhoc for using Adhoc mode, otherwise use Infrastructure
# 2) set Channel to 0 for auto-select in Infrastructure mode
# 3) set SSID for connecting to your Access Point
# 4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
# 5) EncrypType can be NONE, WEP, TKIP, AES
# for more information, refer to the Readme file
Step 3: Configure the WLAN parameters
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat
CountryRegion: Sets the channels for your particular country region
WirelessMode: Sets the wireless mode
SSID: Sets the softAP SSID
NetworkType: Sets the wireless operation mode
Channel: Sets the channel
AuthMode: Sets the authentication mode
EncrypType: Sets the encryption type
DefaultKeyID: Sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: Sets strings Key1 to Key4
WpaPsk: WPA pre-shared key
TxBurst: Enables or disables TxBurst
TurboRate: Enables or disables TurboRate
BGProtection: Sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: Enables or disables the short slot time
TxRate: Sets the TxRate
RTSThreshold: Sets the RTS threshold
FragThreshold: Sets the fragment threshold
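A check of the AuthMode/EncrypType/WpaPsk settings listed above, as an added example written for this page (not part of the Moxa or Ralink software), to run on a profile before it is copied to /etc/Wireless/RT2500STA/RT2500STA.dat. It assumes the file holds Key=Value lines, tolerating the CR characters the `vi -b` note implies; the two sample profiles at the bottom are constructed for the demonstration and are not real RT2500STA.dat files.

```shell
#!/bin/sh
# Added example, not from the slides: a check of the AuthMode/EncrypType
# settings before a profile is copied to /etc/Wireless/RT2500STA/RT2500STA.dat.
# The file is treated as Key=Value lines (CR characters tolerated); the two
# profiles at the bottom are constructed for the demonstration.

# wlan_setting FILE KEY -> prints the value of KEY (case-insensitive), or nothing
wlan_setting() {
    tr -d '\r' < "$1" | awk -F= -v k="$2" '
        toupper($1) == toupper(k) { print substr($0, index($0, "=") + 1); exit }'
}

# check_wlan_profile FILE -> 0 for WPA-PSK with AES (TKIP accepted with a
# note), 1 for anything a listener near the site can read or join.
check_wlan_profile() {
    auth=$(wlan_setting "$1" AuthMode)
    enc=$(wlan_setting "$1" EncrypType)
    psk=$(wlan_setting "$1" WPAPSK)
    rc=0
    case $auth in
        WPAPSK) ;;
        *) echo "AuthMode=${auth:-unset}: not WPA-PSK, the station is not authenticated"; rc=1 ;;
    esac
    case $enc in
        AES)  ;;
        TKIP) echo "EncrypType=TKIP: accepted, prefer AES where the AP supports it" ;;
        *)    echo "EncrypType=${enc:-unset}: NONE/WEP give no real confidentiality"; rc=1 ;;
    esac
    if [ "$auth" = WPAPSK ] && [ "${#psk}" -lt 8 ]; then
        echo "WPAPSK shorter than 8 characters"; rc=1
    fi
    return $rc
}

# Constructed sample profiles (not real RT2500STA.dat files).
WEAK=$(mktemp); STRONG=$(mktemp)
printf 'SSID=PlantAP\r\nNetworkType=Infra\r\nAuthMode=OPEN\r\nEncrypType=WEP\r\n' > "$WEAK"
printf 'SSID=PlantAP\r\nNetworkType=Infra\r\nAuthMode=WPAPSK\r\nEncrypType=AES\r\nWPAPSK=plant-floor-psk-2005\r\n' > "$STRONG"

check_wlan_profile "$WEAK" || echo "weak profile rejected"
check_wlan_profile "$STRONG" && echo "strong profile accepted"
```

Run `check_wlan_profile` on the edited file before step 3; an OPEN/NONE profile that slips onto a unit in the field exposes every serial reading the box forwards, and the check costs nothing.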
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
• Introduction
• Installation Procedure
• Using the BASH Shell
• GDB debug tool: Insight
Windows Tool Chain
1. Operating System: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files, you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the Development Environment on the PC
Step 2: Coding, Compiling and Debugging on the Windows Tool Chain
Step 3: Deploying the Program to the UC
(diagram: PC (x86) → UC (IXP-422))
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP)
Installation Tips:
• Default Install Path: C:\UC
• Default Text File Type: Unix (Recommended)
Utilities:
• Moxa Bash Shell
• GDB debug tool: Insight
• http://sources.redhat.com/insight
• This process could take from 5 to 30 minutes, depending on the speed of your system
(diagram: x86 PC)
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain)
Compile/link the source code with the tool chain
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compiling Hello.c
Step 3: Deployment
Upload the program to the UC
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 site)
• chmod +x hello-release
• ./hello-release
#chmod +x hello-release
#./hello-release
Hello
Debugging with GDB
(diagram: PC Moxa Bash Shell: 1. Compile with -ggdb; 3. Insight Tool (GDB client); 4. Target remote; connected over Ethernet to UC: 2. GDB Debug Server)
#gdbserver 192.168.3.127:2000 hello-debug
Debugging with GDB
#chmod +x hello-debug
#gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1: PC Moxa Bash Shell: Compile the program with the -ggdb option, then upload it to the UC
Step 2: UC: Call hello-debug with the command
gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC Insight: Run the GDB client
• Open the hello-debug file
• Connect to target
• GDB Server/TCP
• 192.168.3.200
• 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
"Netfilter" manages only the packet headers, not the content
iptables is currently one of many Firewall/NAT solutions; it is the administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1. Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
1. Quick View of iptables
3rd generation firewall on Linux
– "ipfwadm" on Linux Kernel V2.0.X
– "ipchains" on Linux Kernel V2.2.X
– "ipchains", "iptables" on Linux Kernel V2.4.X
– "iptables" on Linux Kernel V2.6.X
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
(flow diagram: Packets → Rule 1? Yes → Action 1; No → Rule 2? Yes → Action 2; No → … → Rule 10? Yes → Action 10; No → Default Policy)
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
→ 192.168.1.100 is able to use the WWW service, or to attack the WWW service port
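The two rule orders of the 2-1 slide replayed by a small first-match evaluator, as an added example written for this page (not iptables itself): rules are "src,dport,action" with "*" as a wildcard, checked top to bottom, the first match decides, and the default policy applies when none does. It goes one step beyond the slide by reporting rules that an earlier rule completely covers, which is how a misordered DROP is found before it is deployed. The addresses and ports are the slide's (WWW = TCP 80); the packets checked are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: a first-match evaluator that replays
# the two rule orders of the 2-1 slide and reports rules that can never
# fire. Rules are "src,dport,action"; "*" is a wildcard.

# first_match POLICY SRC DPORT RULE... -> prints the action taken
first_match() {
    policy=$1; src=$2; dport=$3; shift 3
    for rule in "$@"; do
        r_src=${rule%%,*}; rest=${rule#*,}
        r_port=${rest%%,*}; r_action=${rest#*,}
        if { [ "$r_src" = '*' ] || [ "$r_src" = "$src" ]; } \
           && { [ "$r_port" = '*' ] || [ "$r_port" = "$dport" ]; }; then
            printf '%s\n' "$r_action"
            return 0
        fi
    done
    printf '%s\n' "$policy"          # nothing matched: default policy
}

# covers A B -> 0 if every packet that matches rule B also matches rule A
covers() {
    a_src=${1%%,*}; a_rest=${1#*,}; a_port=${a_rest%%,*}
    b_src=${2%%,*}; b_rest=${2#*,}; b_port=${b_rest%%,*}
    { [ "$a_src" = '*' ] || [ "$a_src" = "$b_src" ]; } \
        && { [ "$a_port" = '*' ] || [ "$a_port" = "$b_port" ]; }
}

# shadowed_rules RULE... -> prints the 1-based index of every rule that an
# earlier rule completely covers (it is dead, whatever its action says)
shadowed_rules() {
    i=0
    for rule in "$@"; do
        i=$((i + 1)); j=0
        for earlier in "$@"; do
            j=$((j + 1))
            [ "$j" -lt "$i" ] || break
            if covers "$earlier" "$rule"; then printf '%s\n' "$i"; break; fi
        done
    done
}

# The slide's two orderings; rule 3 is the catch-all DROP that remains once
# WWW traffic has been accepted.
GOOD_ORDER='192.168.1.100,*,DROP *,80,ACCEPT *,*,DROP'
BAD_ORDER='*,80,ACCEPT 192.168.1.100,*,DROP *,*,DROP'

# attacker_result ORDER -> what the server does with a WWW request from 192.168.1.100
attacker_result() {
    set -f; set -- $1; set +f        # split the rule list; keep "*" literal
    first_match DROP 192.168.1.100 80 "$@"
}

echo "good order: $(attacker_result "$GOOD_ORDER")"   # DROP
echo "bad order:  $(attacker_result "$BAD_ORDER")"    # ACCEPT
```

Note that the bad order is not flagged as shadowed: rule 2 there still fires for non-WWW packets from the attacker, so it is only partly dead, which is exactly why a quick read of a rule set misses it and a packet-by-packet check like `first_match` does not.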
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets, look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field
1) PREROUTING chain – to translate the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works for locally produced packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
(diagram: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process)
2-3-2 Source: Local Host
(diagram: Local Process → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Outgoing Packets sent out)
2-3-3 Forwarded Packets
(diagram: Incoming Packets → NAT Table PREROUTING → routing decision (Local Resource or forward) → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts)
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R direction match -j target
3 major things need to be considered: direction, match, target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with dst Port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 7 – Log all the incoming/outgoing TCP packets with to/from Port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter – Rules of filter table
Example 8 – Drop all the [syn] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests of Port 80 to Port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 to be local ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP Port 80 to the internal Web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP Port 80 to 192.168.1.10 and TCP Port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
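The 4-1 and 4-2 rules arranged into the script file that slide 3-4 recommends keeping instead of an exported rule dump, as an added example written for this page and not a script from the course: reset, default policy, filter rules in first-match order, then the NAT rules in the chains where their targets are valid. Interface names, addresses and ports are the slides' values; which services are opened is this example's own choice. Setting `IPT="echo iptables"` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not a script from the slides: the 4-1 and 4-2 rules as the
# maintained script file that slide 3-4 recommends. Interface names,
# addresses and ports are the slides' values; the choice of open services
# is this example's own. IPT="echo iptables" gives a dry run.
set -u
IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-modprobe}
WAN=eth0
LAN_NET=192.168.1.0/24
ADMIN_HOST=192.168.0.1
BLOCKED_HOST=192.168.1.25

fw_reset() {   # 3-1: start from empty tables, user chains removed
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

fw_policy() {  # 3-2: default DROP for what enters or crosses the box
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

fw_input() {   # 4-1: order matters (2-1 first match), so specific DROPs go first
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    $IPT -t filter -A INPUT -i "$WAN" -p tcp -s "$BLOCKED_HOST" -j DROP
    $IPT -t filter -A INPUT -i "$WAN" -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT
    $IPT -t filter -A INPUT -i "$WAN" -p tcp -s "$LAN_NET" --dport 80 -j ACCEPT
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Log what is about to hit the DROP policy, rate-limited so a flood cannot
    # fill the flash (the LOG target is not available on the UC-7110).
    $IPT -t filter -A INPUT -m limit --limit 6/min -j LOG --log-prefix "fw-drop: "
}

fw_nat() {     # 4-2: REDIRECT lives in PREROUTING, MASQUERADE in POSTROUTING
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j REDIRECT --to-ports 8080
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o ppp0 -j MASQUERADE
    $IPT -t filter -A FORWARD -s "$LAN_NET" -o ppp0 -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $MODPROBE ip_conntrack_ftp                       # 4-1 example 14: passive FTP
}

fw_apply() { fw_reset && fw_policy && fw_input && fw_nat; }

case ${1:-} in
    apply) fw_apply ;;
    show)  ( IPT="echo iptables"; MODPROBE="echo modprobe"; fw_apply ) ;;
    *)     echo "usage: $0 apply|show" ;;
esac
```

Run it as `sh firewall.sh show` first to read the commands in order, then `apply` as root; because the script starts with a flush and the policies, re-running it after an edit gives the same result every time, which an exported rule file does not.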
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: (n-1)n/2 keys
DES, 3DES, AES, Blowfish
(diagram: Tom: Plaintext → Encryption with the Secret Key → Ciphertext; Bob: Ciphertext → Decryption with the same Secret Key → Plaintext)
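The 1-2 picture on the openssl command line, as an added example written for this page: Tom and Bob share one secret, the same key encrypts and decrypts, and moving that key safely is the open question the slide raises. The key, IV, message and work directory are constructed for the example; AES-256-CBC with a raw hex key and IV is used because that is the form the AES-CBC routines of slide 1-8-1 take.

```shell
#!/bin/sh
# Added example, not from the slides: symmetric encryption with one shared
# key, using openssl enc. Key, IV and message are constructed for the
# example; a real key comes from a KDF or a key exchange.
set -u
WORK=$(mktemp -d)

# 256-bit key and 128-bit IV in hex. The IV must be fresh for every message.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
WRONG_KEY=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

write_plain() { printf 'Thermocouple reading: 25.0 C' > "$WORK/plain"; }

encrypt_with() {   # KEYHEX IVHEX INFILE OUTFILE
    openssl enc -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"
}
decrypt_with() {   # KEYHEX IVHEX INFILE OUTFILE (fails on bad padding)
    openssl enc -d -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4" 2>/dev/null
}

# round_trip KEYHEX -> 0 only if Bob, using KEYHEX, gets Tom's plaintext back
round_trip() {
    write_plain
    iv=$(openssl rand -hex 16)
    encrypt_with "$KEY" "$iv" "$WORK/plain" "$WORK/cipher"
    decrypt_with "$1" "$iv" "$WORK/cipher" "$WORK/recovered" || return 1
    cmp -s "$WORK/plain" "$WORK/recovered"
}

# iv_matters -> 0 if the same key and plaintext give different ciphertexts
# under two IVs; a fixed IV would let a listener spot repeated readings.
iv_matters() {
    write_plain
    encrypt_with "$KEY" "$(openssl rand -hex 16)" "$WORK/plain" "$WORK/c1"
    encrypt_with "$KEY" "$(openssl rand -hex 16)" "$WORK/plain" "$WORK/c2"
    ! cmp -s "$WORK/c1" "$WORK/c2"
}

round_trip "$KEY" && echo "Bob with the shared key: plaintext recovered"
round_trip "$WRONG_KEY" || echo "Bob with another key: nothing usable"
iv_matters && echo "same reading, two IVs, two different ciphertexts"
```

Nothing in this exchange tells Bob that the ciphertext came from Tom or that it is intact; that is what the next two slides add with a hash and a keyed MAC.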
1-3 Hash (Digest) Function
Ensure Data Integrity
MD5, SHA-1
(diagram: Tom computes Message Digest 1 = Hash(Data) and sends Data together with Message Digest 1; Bob computes Message Digest 2 over the received Data with the same hash function and compares it with Message Digest 1)
1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMAC, CBC-MAC
(diagram: Tom computes Message Digest 1 = Hash(Data), encrypts it with the Secret Key to form the MAC and sends Data together with the MAC; Bob decrypts the MAC with the Secret Key to recover Message Digest 1, computes Message Digest 2 over the Data with the same hash function, and compares)
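HMAC-SHA256 assembled from the plain hash function, as an added example written for this page to show what the 1-4 picture adds over 1-3: the tag depends on a key, so whoever alters the data cannot recompute it, while a bare digest can be recomputed by anyone. It uses only sha256sum, od and printf so it runs on a minimal root file system; the key and message used in the demonstration are the widely published "quick brown fox" HMAC-SHA256 test vector, and the constant-time comparison a real implementation would use is noted but not attempted in shell.

```shell
#!/bin/sh
# Added example, not from the slides: HMAC-SHA256 built from the plain hash
# (RFC 2104 construction) with sha256sum, od and printf only.

sha256_hex() { sha256sum | cut -d' ' -f1; }        # stdin -> hex digest

hex_to_bin() {   # HEX -> raw bytes on stdout
    hex=$1
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}                      # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# hmac_sha256 KEY MESSAGE -> hex tag:
#   H((K xor opad) || H((K xor ipad) || message)), block size 64 bytes
hmac_sha256() {
    key=$1; msg=$2
    keyhex=$(printf '%s' "$key" | od -An -v -tx1 | tr -d ' \n')
    if [ ${#keyhex} -gt 128 ]; then                  # long keys are hashed first
        keyhex=$(printf '%s' "$key" | sha256_hex)
    fi
    while [ ${#keyhex} -lt 128 ]; do keyhex="${keyhex}00"; done   # zero-pad to one block
    ipad=''; opad=''; rest=$keyhex
    while [ -n "$rest" ]; do
        byte=${rest%"${rest#??}"}; rest=${rest#??}
        b=$((0x$byte))
        ipad=$ipad$(printf '%02x' $((b ^ 0x36)))
        opad=$opad$(printf '%02x' $((b ^ 0x5c)))
    done
    inner=$({ hex_to_bin "$ipad"; printf '%s' "$msg"; } | sha256_hex)
    { hex_to_bin "$opad"; hex_to_bin "$inner"; } | sha256_hex
}

# mac_verify KEY MESSAGE TAG -> 0 if TAG is the HMAC of MESSAGE under KEY
# (Bob's "Compare" step; a real implementation compares in constant time).
mac_verify() {
    [ "$(hmac_sha256 "$1" "$2")" = "$3" ]
}

MSG="The quick brown fox jumps over the lazy dog"
TAG=$(hmac_sha256 key "$MSG")
echo "tag: $TAG"
mac_verify key "$MSG" "$TAG" && echo "intact message: accepted"
mac_verify key "${MSG%dog}cat" "$TAG" || echo "altered message: rejected"
# The unkeyed digest of the altered message is just as valid-looking as the
# original's, which is why a bare hash (1-3) proves nothing about who sent it.
printf '%s' "${MSG%dog}cat" | sha256_hex
```

The same construction, with the key taken from the TLS handshake, is what OpenVPN uses to authenticate every packet (slide 2-2, "HMAC"), so a packet that was modified in flight is discarded before it is decrypted.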
1-5 Asymmetric Encryption
Things to remember:
• Key Pair – Public/Private keys
• In a session, one is used for encryption and the other one for decryption
• The "Public Key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear-text and cipher-text
• The two keys are interchangeable. All algorithms make no difference between public and private key. When a key pair is generated, any of the two can be public or private
• Less efficient than Static Key
• RSA, Diffie-Hellman
(diagram: Clear text → Encryption → cipher text "g$5knvMd'rkvegMs")
1-5 Asymmetric Data Encryption
(diagram, Recipient's Key Pair: Tom encrypts the Plaintext with Bob's Public Key → ciphertext → Bob decrypts with Bob's Private Key → Plaintext; Confidentiality Check)
1-5 Asymmetric Data Encryption
(diagram, Sender's key pair: Tom encrypts the Plaintext with Tom's Private Key → ciphertext → Bob decrypts with Tom's Public Key → Plaintext; Authenticity Check)
1-6 Digital Signature
Real World – Hybrid
1. Data Integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – Use the public key and Hash
1-6 Digital Signature – Creating
(diagram: Message or File "This is the document created by Gianni" → Generate Hash (SHA, MD5) → Message Digest "Py75cbn" (typically 128 bits) → Asymmetric Encryption (RSA) with the Signatory's private key → Digital Signature "3kJfgf£$&"; Signed Document = Message + Digital Signature)
Calculate a short message digest from even a long input using a one-way message digest function (hash)
1-6 Digital Signature – Verifying
(diagram: Signed Document → Data → Generate Hash → Message Digest "Py75cbn"; Digital Signature "3kJfgf£$&" → Asymmetric Decryption with Gianni's public key (from certificate) → "Py75cbn"; Compare)
1-6 Digital Signature
(diagram: Tom: Data → Hash Function → Message Digest 1 → Encryption with Tom's Private Key → Digital Signature, sent together with the Data; Bob: Data → Hash Function → Message Digest 2; Digital Signature → Decryption with Tom's Public Key → Message Digest 1; Compare)
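The two uses of a key pair from 1-5 (the recipient's pair for confidentiality, the sender's pair for authenticity) and the sign/verify steps of 1-6, done with the openssl command line that ships on the UC-7400, as an added example written for this page. Tom, Bob, the meter reading and the work directory are this example's own; OAEP padding for encryption and SHA-256 for the digest are this example's choices, since the slides name only the algorithm families.

```shell
#!/bin/sh
# Added example, not from the slides: encrypt/decrypt with the recipient's
# key pair (1-5) and sign/verify with the sender's key pair (1-6), using
# openssl. Tom, Bob and the work directory are this example's own.
set -u
WORK=$(mktemp -d)

make_keypair() {   # NAME -> NAME.key (private, stays with its owner) and NAME.pub
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Confidentiality check: encrypt under the RECIPIENT's public key; only the
# matching private key recovers the text.
encrypt_for() {    # RECIPIENT INFILE OUTFILE
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}
decrypt_as() {     # RECIPIENT INFILE OUTFILE
    openssl pkeyutl -decrypt -inkey "$WORK/$1.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# Authenticity check / digital signature: hash the document, sign the digest
# with the SENDER's private key; anyone with the public key verifies it.
sign_as() {        # SIGNER INFILE SIGFILE
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}
verify_from() {    # SIGNER INFILE SIGFILE -> 0 only for an untouched document
    openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# run_demo -> 0 when all checks behave as the two slides say
run_demo() {
    make_keypair tom; make_keypair bob
    printf 'Power meter: 230 V, 12.4 A' > "$WORK/reading"
    encrypt_for bob "$WORK/reading" "$WORK/reading.enc"
    decrypt_as bob "$WORK/reading.enc" "$WORK/reading.dec"
    cmp -s "$WORK/reading" "$WORK/reading.dec" || return 1            # Bob reads it
    if decrypt_as tom "$WORK/reading.enc" "$WORK/x" 2>/dev/null; then return 1; fi   # Tom cannot
    sign_as tom "$WORK/reading" "$WORK/reading.sig"
    verify_from tom "$WORK/reading" "$WORK/reading.sig" || return 1   # genuine
    printf 'Power meter: 230 V, 12.5 A' > "$WORK/altered"
    if verify_from tom "$WORK/altered" "$WORK/reading.sig"; then return 1; fi   # tampered
    if verify_from bob "$WORK/reading" "$WORK/reading.sig"; then return 1; fi   # wrong signer
}

run_demo && echo "confidentiality and signature checks passed"
```

Bob verifies with Tom's public key only; what the next slide adds is a way for Bob to know that the public key he holds really is Tom's, which is the job of the certificate.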
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
(diagram: Certificate = public key "2wsR46frdEWWrswe(^$G^DvtrsdFDfd367" + "This public key belongs to Stephen" (can be a person, a computer, a device, a file, some code, anything …) + Digital Signature "3kJfgf£$&4dser4358g6gd7dT")
1-7-1 CA Certificate
(diagram, Certification Server: the CA generates a key pair (Priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert); the private key and the certificate are sent to the user)
1-7-1 CA Certificate Example
(diagram: the CA holds the CA Private Key and the CA Pub Key signed by the CA; Left holds the Left Priv Key, the CA Pub Key and the Left Cert signed by the CA; Right holds the Right Priv Key, the CA Pub Key and the Right Cert signed by the CA; Left and Right trust each other)
1-7-2 SSL/TLS
(diagram: each side holds its own key pair (Priv, pub) and the peer's pub; Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → transmission over the public network → Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text)
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel Xscale supports:
• Security Engines: DES, AES
• Algorithm methods: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which openssl wraps too
1-8-2 Performance
(charts: 3DES-CBC and AES128-CBC throughput and rate against packet size, 128 to 1280 bytes and 16 to 144 bytes; ■ = HW Cipher)
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy hardware causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device File
• mknod /dev/mxcrypto c 11 131
Test Program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – Supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000-SP4 / Windows XP-SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• In use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two Authentication Modes
• Static Key: Use a pre-shared key
• SSL/TLS: Use SSL/TLS + Certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
(diagram: HMAC | IV | SeqN | IP payload, where SeqN and the IP payload are encrypted and the HMAC covers the packet)
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• portability across operating systems
• firewall- and NAT-friendly
• dynamic address support
IPSec
• Kernel-space IP stack
• each operating system requires its own independent implementation of IPSec
• IETF Standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing tables to forward the packets
[Figure: OSI stacks (Physical to Application) of the two peers; OpenVPN runs at the application layer and the TUN device is inserted at the network layer (3rd)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• You need a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Figure: OSI stacks of the two peers with OpenVPN at the application layer; in TAP mode the bridge joins eth1 and tap0 at the data-link layer (2nd), whereas TUN attaches at the network layer (3rd); eth0 on each side carries the tunnel traffic]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point or point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server (ixp1 on the LAN side, ixp0 192.168.12.201 towards the tunnel); LAN B (IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN Client (ixp1 on the LAN side, ixp0 192.168.12.202); the client connects to the server to form the VPN tunnel; a CA/TLS server is also present]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN device: ls /dev/net and look for the character device "tun"; if it is not there, create it with mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the ciphers/authentication digests supported: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf &  (at the client: openvpn --config /etc/tunclient.conf &)
• Note the 2nd argument of "ifconfig", which is now "10.0.2.254"
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
• Comment out (mark) this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routes: vi /etc/openvpn/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &  (at the client: openvpn --config /etc/openvpn/tapclient.conf &)
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified in the same way
3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars (source the file): . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
• F3 Alarm Setting: Temperature → Voltage → burn-in throughput
• F4 Configuration Key
• F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the R-Link chip set
Thank You
UC-7400 V1.5 Firmware
New Functions and Features Introduction
Firmware Version                | V1.1                  | V1.4.3                | V1.5
Serial port                     | 230.4 Kbps            | 230.4 Kbps            | 921.6 Kbps (with HW V1.2)
WLAN                            | 802.11b (Prism 2/2.5) | 802.11b (Prism 2/2.5) | 802.11b (Prism 2/2.5), 802.11g
USB Host                        | NA                    | Mass Storage PNP      | Mass Storage PNP
USB Client                      | NA                    | NA                    | NA
Reset to Factory Default button | NA                    | NA                    | Yes (with HW V1.2)
Share Memory                    | NA                    | NA                    | Yes
Protocol stacks and utilities
Arp (utility)                   | NA                    | Yes                   | Yes
iptables                        | NA                    | NA                    | Yes
OpenVPN                         | NA                    | NA                    | Yes
WatchDog API                    | NA                    | NA                    | Yes
Crontab                         | NA                    | NA                    | Yes
upfirm                          | NA                    | Yes                   | Yes
backupuf                        | NA                    | Yes                   | Yes
backupfs, bf                    | Yes                   | Yes                   | NA
minicom                         | Yes                   | Yes                   | Replaced by tip
Directory Change
/var                            | User File System      | User File System      | Changed to ramdisk
Apache root document            | /usr/html             | /usr/html             | /usr/www
UC-7400 V1.5 Firmware
New Feature Introduction
• WatchDog support
• Cron function support on the system
• UART and special baud rate support
• System image backup utility "upfirm"
• 802.11g wireless card support
• Tool chain support on the Windows platform, including GCC, Glibc and Insight (GDB debug tool)
• iptables support
• OpenVPN support
Watch Dog Timer (WDT)
1. Introduction
The WDT works like a watchdog function. You can enable it or disable it. When the user enables the WDT but the application does not acknowledge it, the system will reboot. You can set the ack time from a minimum of 50 msec to a maximum of 60 seconds.
2. How the WDT works
The WatchDog is enabled when the system boots up. The kernel will auto-ack it. The user application can also enable ack; when the user does not ack, the system will reboot.
3. The user API
The user application must include <moxadevice.h> and link moxalib.a.
Crontab
1. Introduction: daemon to execute scheduled commands
2. Description
• Start cron from the directory /etc/rc.d/rc.local
• Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
mm (Minute) | H (Hour) | Dom (Date) | Mon (Month) | Dow (Week)        | User | Command
0-59        | 0-23     | 1-31       | 1-12        | 0-6 (0 is Sunday) |      |
3. Example
• How to add ntpdate (synchronize time) in cron
• Every day at 5:10 the system will synchronize the time from the NTP server (192.168.0.1)
vi /etc/cron.d/crontab
# m h dom mon dow user command
10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
UART and special baud rate support
1. Introduction
• The normal tty device nodes are located at /dev/ttyM0 … ttyM7, and the modem tty device nodes are located at /dev/cum0 … cum7
• UC-7400 supports Linux standard termios control
• The Moxa UART Device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2. The Function
You must include <moxadevice.h>
#define RS232_MODE 0
#define RS485_2WIRE_MODE 1
#define RS422_MODE 2
#define RS485_4WIRE_MODE 3
Function
• MOXA_SET_OP_MODE
• MOXA_GET_OP_MODE
UART and special baud rate support
3. Special baud rate support
• There are two Moxa private ioctl commands for setting up special baud rates
Function
• MOXA_SET_SPECIAL_BAUD_RATE
• MOXA_GET_SPECIAL_BAUD_RATE
• If you use this ioctl to set a special baud rate, the termios cflag will be B4000000, in which case the B4000000 define will be different
• If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm
Upgrading the Firmware
1. Introduction
• UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file which can be downloaded from Moxa's website (www.moxa.com)
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM
Upgrading the Firmware
2. Description
• In V1.4.3 or later firmware, UC-7400 adds a new utility, "upfirm"
• The utility upfirm is designed for upgrading the firmware (including boot loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
upfirm uc7400-xxx.frm
(See the next slide for the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it (Y/N) Y
MTD device [/dev/mtd6] erase 128 Kibyte 20000 – 100% complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot after upgrading the firmware takes a long time.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus Wireless LAN card first
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
This file is a binary file and will be read on loading the rt2500.o module
Use "vi -b RT2500STA.dat" to modify the settings according to your needs
1) set NetworkType to Adhoc for using Adhoc mode, otherwise use Infrastructure
2) set Channel to 0 for auto-select in Infrastructure mode
3) set SSID for connecting to your access point
4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
5) EncrypType can be NONE, WEP, TKIP, AES
For more information refer to the Readme file
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat
  • CountryRegion: sets the channels for your particular country region
  • WirelessMode: sets the wireless mode
  • SSID: sets the softAP SSID
  • NetworkType: sets the wireless operation mode
  • Channel: sets the channel
  • AuthMode: sets the authentication mode
  • EncrypType: sets the encryption type
  • DefaultKeyID: sets the default key ID
  • Key1Str, Key2Str, Key3Str, Key4Str: set the strings Key1 to Key4
  • WpaPsk: WPA pre-shared key
  • TxBurst: enables or disables TxBurst
  • TurboRate: enables or disables TurboRate
  • BGProtection: sets 11b/11g protection (this function is for engineering testing only)
  • ShortSlot: enables or disables the short slot time
  • TxRate: sets the TxRate
  • RTSThreshold: sets the RTS threshold
  • FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
• Introduction
• Installation Procedure
• Using the BASH Shell
• GDB debug tool: Insight
Windows Tool Chain
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the development environment on the PC (x86)
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC (IXP-422)
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP)
Installation tips
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities
• Moxa Bash Shell
• GDB debug tool: Insight (http://sources.redhat.com/insight)
• This process could take from 5 to 30 minutes depending on the speed of your system
Step 2: Coding, Compiling and Debugging
• Code a C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain)
• Compile/link the source code with the tool chain
  • Compiler path setting: PATH=/usr/local/mxscaleb/bin
  • Compiling Hello.c
Step 3: Deployment
Upload the program to the UC
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 side)
• chmod +x hello-release
• ./hello-release
Hello
Debugging with GDB
[Figure: PC (Moxa Bash Shell): 1. compile with -ggdb; 3. Insight tool (GDB client); 4. target remote. UC: 2. GDB debug server. PC and UC are linked by Ethernet]
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1: PC, Moxa Bash Shell: compile the program with the -ggdb option, then upload it to the UC
Step 2: UC: run hello-debug under gdbserver with the command gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC, Insight: run the GDB client
• Open the hello-debug file
• Connect to target
  • GDB Server/TCP
  • 192.168.3.200
  • 2000
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
• A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
• "Netfilter" inspects only the packet headers, not the content
• iptables is currently one of many firewall/NAT solutions; it is the administration tool for setting up, maintaining and inspecting the tables of IP packet filter rules in the Linux kernel
1. Quick View of iptables
• Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
• Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
1. Quick View of iptables
• 3rd-generation firewall on Linux
  – "ipfwadm" on Linux kernel V2.0.x
  – "ipchains" on Linux kernel V2.2.x
  – "ipchains" / "iptables" on Linux kernel V2.4.x
  – "iptables" on Linux kernel V2.6.x
• Supports basic packet filtering as well as connection state tracking
• UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
[Figure: flow chart. A packet is tested against Rule 1; if it matches, Action 1 is taken, otherwise Rule 2 is tested, and so on through Rule 10 (Action 10); if no rule matches, the default policy applies]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
With the order changed:
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
Now 192.168.1.100 is able to use the WWW service, or to attack the WWW service port.
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packets' source field or destination field.
1) PREROUTING chain – to translate the dst IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally produced packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
[Figure: Incoming packets → NAT table PREROUTING → Filter table INPUT → Local process]
2-3-2 Source Local Host
[Figure: Local process → Outgoing packets → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Send out packets]
2-3-3 Forwarded Packets
[Figure: Incoming packets → NAT table PREROUTING → routing decision (local resource or other hosts) → Filter table FORWARD → NAT table POSTROUTING → Other hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t [filter | nat | mangle] -P [INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING] [ACCEPT | DROP]
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter | nat | mangle] [-A | -I | -D | -R] <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target.
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches – Conditions
1. -p [proto]: tcp | udp | icmp | all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --dports [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 7 – Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter – Rules of filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Rate-limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 going out through ppp0 as local ppp0's IP (MASQUERADE is valid only in POSTROUTING)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10, port 80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
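A small model of the first-match evaluation from slide 2-1 and of the forwarded-packet traversal from slide 2-3-3 (nat PREROUTING, filter FORWARD, nat POSTROUTING), written as an added example rather than anything from the Moxa material. It replays the two rule orders of the WWW-server example and the DNAT/SNAT rules of NAT examples 3 and 4; the Internet client address 203.0.113.9, the LAN host 192.168.127.20 and the choice of 60.248.66.75 as $OUT_IP are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    iface: str = "eth0"


@dataclass
class Rule:
    target: str                          # ACCEPT, DROP, DNAT or SNAT
    match: Dict[str, object] = field(default_factory=dict)
    to: Optional[str] = None             # translated address for DNAT/SNAT


def matches(rule: Rule, pkt: Packet) -> bool:
    """All listed conditions must hold (like -s/-d/-p/--dport/-i on one iptables line)."""
    for key, want in rule.match.items():
        have = getattr(pkt, key)
        if key in ("src", "dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(str(want), strict=False):
                return False
        elif have != want:
            return False
    return True


def run_chain(rules: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First match wins: the first rule whose conditions hold decides and later rules are
    never consulted; if none matches, the chain's default policy (-P) applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target, rule
    return policy, None


def forward_path(nat_pre, filter_fwd, nat_post, pkt, fwd_policy="DROP"):
    """Traversal for forwarded packets as in slide 2-3-3. Returns the final verdict and the
    packet as it leaves the box; FORWARD sees the destination already rewritten by DNAT."""
    verdict, rule = run_chain(nat_pre, "ACCEPT", pkt)
    if verdict == "DNAT":
        pkt = replace(pkt, dst=rule.to)
    verdict, _ = run_chain(filter_fwd, fwd_policy, pkt)
    if verdict != "ACCEPT":
        return verdict, pkt
    verdict, rule = run_chain(nat_post, "ACCEPT", pkt)
    if verdict == "SNAT":
        pkt = replace(pkt, src=rule.to)
    return "ACCEPT", pkt


def first_match_demo() -> Dict[str, str]:
    """The two rule orders from slide 2-1, applied to a WWW request from 192.168.1.100.
    Rule 3 ('drop all non-WWW packets') is expressed as the INPUT chain policy DROP."""
    attacker_www = Packet(src="192.168.1.100", dst="10.0.1.1", dport=80)
    drop_attacker = Rule("DROP", {"src": "192.168.1.100"})
    accept_www = Rule("ACCEPT", {"proto": "tcp", "dport": 80})
    intended = [drop_attacker, accept_www]
    swapped = [accept_www, drop_attacker]
    other = "192.168.1.5"                 # constructed ordinary client
    return {
        "intended order": run_chain(intended, "DROP", attacker_www)[0],   # DROP
        "swapped order": run_chain(swapped, "DROP", attacker_www)[0],     # ACCEPT
        "other host www": run_chain(intended, "DROP", Packet(other, "10.0.1.1", dport=80))[0],
        "other host ssh": run_chain(intended, "DROP", Packet(other, "10.0.1.1", dport=22))[0],
    }


def nat_demo() -> Dict[str, object]:
    """NAT examples 3 and 4: DNAT on PREROUTING, SNAT on POSTROUTING, with a FORWARD rule
    written correctly (internal address) and incorrectly (public address, already rewritten)."""
    out_ip = "60.248.66.75"               # assumed value of $OUT_IP
    nat_pre = [Rule("DNAT", {"proto": "tcp", "iface": "eth0", "dst": out_ip, "dport": 80},
                    to="192.168.127.10")]
    nat_post = [Rule("SNAT", {"src": "192.168.127.0/24"}, to=out_ip)]
    fwd_ok = [Rule("ACCEPT", {"proto": "tcp", "dst": "192.168.127.10", "dport": 80})]
    fwd_wrong = [Rule("ACCEPT", {"proto": "tcp", "dst": out_ip, "dport": 80})]
    inbound = Packet(src="203.0.113.9", dst=out_ip, dport=80, iface="eth0")
    ok_verdict, ok_pkt = forward_path(nat_pre, fwd_ok, nat_post, inbound)
    bad_verdict, _ = forward_path(nat_pre, fwd_wrong, nat_post, inbound)
    lan_out = Packet(src="192.168.127.20", dst="203.0.113.9", dport=443, iface="ixp1")
    lan_fwd = [Rule("ACCEPT", {"src": "192.168.127.0/24"})]
    _, lan_pkt = forward_path(nat_pre, lan_fwd, nat_post, lan_out)
    return {"inbound": ok_verdict, "inbound dst": ok_pkt.dst,
            "inbound wrong fwd": bad_verdict, "lan src after snat": lan_pkt.src}
```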
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: (n-1)n/2 keys
• DES, 3DES, AES, Blowfish
[Figure: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts the ciphertext back into plaintext with the same secret key]
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5, SHA-1
[Figure: Tom runs the data through the hash function to obtain Message Digest 1 and sends data + digest; Bob runs the same hash function over the received data to obtain Message Digest 2 and compares it with Message Digest 1]
1-4 Message Authentication Code
• Ensures data integrity
• Uses a key to protect the MAC
• HMAC, CBC-MAC
[Figure: Tom hashes the data to Message Digest 1, encrypts it with the secret key to form the MAC and sends data + MAC; Bob hashes the received data to Message Digest 2, decrypts the MAC with the secret key to recover Message Digest 1 and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair – public/private keys
• In a session one key is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key. When a key pair is generated, either of the two can be public or private
• Less efficient than a static key
• RSA, Diffie-Hellman
[Figure: clear text being encrypted into cipher text]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair): confidentiality check]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair): authenticity check]
1-6 Digital Signature
Real world: a hybrid of hash function and public key
1 Data integrity
2 Authenticity
3 Non-repudiation
4 Algorithm: hash the message, then apply the private key to the digest

1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) with a one-way message digest function into a short message digest, typically 128 bits for MD5 or 160 bits for SHA-1, however long the input; the digest is then encrypted asymmetrically (RSA) with the signatory's private key, giving the digital signature; the signed document is the message plus the signature]

1-6 Digital Signature - Verifying
[Figure: the verifier splits the signed document into message and signature, hashes the message to a fresh message digest, decrypts the signature with Gianni's public key (taken from his certificate) to recover the digest that was signed, and compares the two digests]

1-6 Digital Signature
[Figure: Tom hashes Data to Message Digest 1 and encrypts it with Tom's private key, giving the digital signature that travels with Data; Bob hashes the received Data to Message Digest 2, decrypts the signature with Tom's public key to recover Digest 1, and compares]
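The three checks of 1-3, 1-4 and 1-6 side by side, as an added example that is not part of the Moxa slides: the same forged message is run through a plain digest, an HMAC and an RSA signature with the openssl command line on a Linux PC. A modern openssl with genpkey is assumed (the UC-7400's OpenSSL 0.9.6 would use openssl genrsa); the keys and messages are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Moxa slides: what an unkeyed digest (1-3), an
# HMAC (1-4) and an RSA signature (1-6) each protect against, using the
# openssl command line on a Linux PC.  A modern openssl with "genpkey" is
# assumed (the UC-7400's OpenSSL 0.9.6 would use "openssl genrsa" instead).
# Every key and message below is constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

hash_file() {    # 1-3: unkeyed digest of file $1 -> hex
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}
mac_file() {     # 1-4: HMAC-SHA256 of file $2 under shared key $1 -> hex
    openssl dgst -sha256 -hmac "$1" "$2" | awk '{print $NF}'
}
sign_file() {    # 1-6: hash file $2, RSA-sign the digest with private key $1, write signature $3
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_file() {  # 1-6: recompute the hash of $2, check it against signature $3 with public key $1
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}
digest_check() { # Bob's compare for 1-3: digest shipped in file $2 matches file $1
    [ "$(hash_file "$1")" = "$(cat "$2")" ]
}
mac_check() {    # Bob's compare for 1-4: MAC shipped in file $3 verifies for file $2 under key $1
    [ "$(mac_file "$1" "$2")" = "$(cat "$3")" ]
}

# Tom's side: one message, three kinds of check value.
printf 'transfer 100 to Bob\n' > "$WORK/msg"
SHARED_KEY='key-shared-by-Tom-and-Bob'                        # constructed, known to Tom and Bob only
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/tom.key" 2>/dev/null                      # Tom's key pair (private half)
openssl pkey -in "$WORK/tom.key" -pubout -out "$WORK/tom.pub" # the half Bob may hold
hash_file "$WORK/msg"              > "$WORK/msg.sha256"
mac_file "$SHARED_KEY" "$WORK/msg" > "$WORK/msg.hmac"
sign_file "$WORK/tom.key" "$WORK/msg" "$WORK/msg.sig"

# On the wire: an attacker rewrites the message and recomputes what needs no secret.
printf 'transfer 100 to Mallory\n' > "$WORK/forged"
hash_file "$WORK/forged" > "$WORK/forged.sha256"

# Bob's side: which check still passes on the forged message?
if digest_check "$WORK/forged" "$WORK/forged.sha256"; then
    echo "digest:    PASS   integrity against accidents only; the attacker recomputed it"
fi
if ! mac_check "$SHARED_KEY" "$WORK/forged" "$WORK/msg.hmac"; then
    echo "HMAC:      FAIL   the attacker has no shared key to recompute the MAC"
fi
if ! verify_file "$WORK/tom.pub" "$WORK/forged" "$WORK/msg.sig"; then
    echo "signature: FAIL   only Tom's private key produces a signature his public key accepts"
fi
if verify_file "$WORK/tom.pub" "$WORK/msg" "$WORK/msg.sig"; then
    echo "signature on the unmodified message: Verified OK"
fi
```

The digest "passes" on the forged message because the attacker simply recomputed it; the HMAC and the signature fail because producing them needs a secret he does not hold. The difference between the last two is who can verify: the HMAC verifier must hold the same secret (and could therefore have forged the MAC itself), while the signature is checked with a public key, which is what gives non-repudiation.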
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key (a person, a computer, a device, a file, some code, anything ...)
... and the whole is:
- Digitally signed by someone trusted (like your friend, or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + the issuer's digital signature over both]
1-7-1 CA Certificate
[Figure: certification server. The CA generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user. Left cert signed by CA; right cert signed by CA; the CA's own public key is signed by the CA itself (self-signed root)]
In this flow the CA generates the user's key pair and ships the private key, which is also what the easy-rsa scripts in 3-4 do. The safer practice is for the user to generate the key pair locally and send only a certificate request, so the private key never leaves its owner.

1-7-1 CA Certificate Example
[Figure: the CA private key signs the Left certificate and the Right certificate. Left holds the CA public key and its own certificate signed by the CA; Right holds the same CA public key and its own certificate signed by the CA. Each side trusts the other's certificate because it verifies against the CA public key it already holds; private keys are never signed or exchanged]
1-7-2 SSL/TLS
[Figure: each side holds its own key pair. Clear text is encrypted twice (cipher 1 under one key, cipher 2 under the other), transmitted over the public network, and decrypted in reverse order with the matching keys]
- Ensures confidentiality
- And integrity, if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
- No need to change the source code

1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Chart: throughput ("RATE") of 3DES-CBC and AES-128-CBC against packet size, for 128 to 1280 bytes and for 16 to 144 bytes, software against hardware cipher; legend: = HW Cipher]
1-8-3 Things to be noticed
The Moxa UC-7400 switches between the software and the hardware approach
- Default: hardware approach
- Any misconfiguration, or a busy hardware engine, causes a switch to the software approach
Small packets are switched to the software approach
- DES: packets below 128 bytes
- 3DES/AES: packets below 64 bytes

1-8-4 Software Package
Driver
- mxhw_cipher.o
Device file
- mknod /dev/mxcrypto c 11 131
Test program
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g., the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH, etc. do)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature: a firewall between the tunnel endpoints sees only the tunnel, so filtering of the inner traffic has to happen on the tunnel interface (tun0/tap0) at either end
2-2 Why OpenVPN
Usability
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4, Windows XP SP1 or later

2-2 Why OpenVPN
Peers: each node with a client/server role
- Uses kernel routing
- Multiple clients
A user-space program
- A full-featured SSL VPN solution
- On top of the existing SSL/TLS mechanism
- Choice among a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000 / 1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
- Static key: use a pre-shared key
- SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
- SeqN: 64-bit sequence number (packet id plus timestamp in static-key mode), used to reject replayed packets
- IV: plaintext initialization vector, randomized per packet
- HMAC: computed over the IV and the encrypted part, and checked before anything is decrypted
[Figure: HMAC | IV | SeqN | payload; SeqN and payload are encrypted, the HMAC covers the IV and the encrypted part]
2-2 OpenVPN vs IPsec
OpenVPN
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPsec
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPsec
- IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable connections
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic, firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device: a virtual point-to-point IP link; OpenVPN reads IP packets from the inner interface (tun0) and sends them through the tunnel
Uses the kernel routing table to forward the packets
[Figure: OSI stacks of both ends; OpenVPN runs at the application layer and the TUN device is inserted at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba's nmbd) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see the machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to join the adapters into a bridge
A script is needed to bind eth1 and tap0 together into a bridged device called br0

2-3-2 Bridged Ethernet Mode (TAP Mode)
  brctl addbr br0         create an Ethernet bridge
  brctl addif br0 eth1    connect interface eth1 as a port
  brctl addif br0 tap0    connect the virtual interface tap0 as a port
After bridging, br0 (not eth1) carries the LAN IP address; eth1 and tap0 are only ports of the bridge
[Figure: OSI stacks of both ends; OpenVPN at the application layer, TAP at layer 2 (Data-Link), bridged with eth1 into br0 at each end; eth0 carries the tunnel over the public network, eth1 faces the LAN, tap0 is the virtual adapter]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point-to-point and point-to-multipoint
2 Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing and does not scale well (every broadcast on either LAN crosses the tunnel)
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Figure: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN server, which is also the CA/TLS server: ixp1 = 10.0.1.254, ixp0 = 192.168.12.201. LAN B (IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN client: ixp1 = 10.0.2.254, ixp0 = 192.168.12.202. The client connects to the server over ixp0 and the VPN tunnel links the two LANs]
3-1 Getting Started
Create a working directory (recommended)
  mkdir /etc/openvpn
Check for the TUN device node; if it is missing, create it
  ls /dev/net            (look for a character device "tun")
  mknod /dev/net/tun c 10 200
Load the necessary modules
  modprobe tun
  modprobe bridge        (TAP mode only)
Generate a (pre-shared) key
  openvpn --genkey --secret [KeyName]
  The key file has to reach the other end over a secure channel (scp) and should be readable by root only (chmod 600): anyone who obtains it can join or decrypt the tunnel
Self-diagnostic
  openvpn --test-crypto --secret [KeyName]

3-1 Getting Started
Enable IP forwarding
  echo "1" > /proc/sys/net/ipv4/ip_forward
  or: vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script (TAP mode)
  openvpn-bridge [start | stop | restart]
Check the ciphers/authentication supported
  openvpn --show-ciphers
  openvpn --show-digests
Create the TUN configuration files
  vi /etc/openvpn/tun/server.conf
  [At VPN client] vi /etc/openvpn/tun/client.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified (the two arguments of "ifconfig" in the configuration file)
It is NECESSARY to specify the server address ("remote") at the VPN client

3-2 TUN Server Configuration
Edit the static routes
  vi /etc/openvpn/tun/server.sh
  chmod +x /etc/openvpn/tun/server.sh
  [At VPN client] vi /etc/openvpn/tun/client.sh
                  chmod +x /etc/openvpn/tun/client.sh
Start OpenVPN with the configuration file
  openvpn --config /etc/openvpn/tun/server.conf &
  [At VPN client] openvpn --config /etc/openvpn/tun/client.conf &
The route points at the 2nd argument of "ifconfig", which is now 10.0.2.254
3-3 TAP Configuration
Create the TAP configuration files
  vi /etc/openvpn/tap/server.conf
  [At VPN client] vi /etc/openvpn/tap/client.conf

3-3 TAP Configuration - VPN Server
Comment out (mark) this line if both VPN networks are in the same subnet

3-3 TAP Configuration - VPN Server
Edit the static routes
  vi /etc/openvpn/tap/server.sh
  [At VPN client] vi /etc/openvpn/tap/client.sh
                  chmod +x /etc/openvpn/tap/client.sh
The route points at the kernel routing entry of the bridge: br0 = 10.0.1.254

3-3 TAP Configuration - VPN Server
Start the bridge device
  vi /etc/openvpn/openvpn-bridge
  chmod +x /etc/openvpn/openvpn-bridge
  /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file
  openvpn --config /etc/openvpn/tap/server.conf &
  [At VPN client] openvpn --config /etc/openvpn/tap/client.conf &
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC
  vi /usr/share/ssl/openssl.cnf
  Pre-fill default_days, default_bits, ... etc.
Create a new CA root key pair
  /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request
  /usr/share/ssl/misc/CA -newreq
Sign the certificate
  /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory
  cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file
  vi /etc/openvpn/easy-rsa/vars
Activate the vars (source the file into the current shell)
  . /etc/openvpn/easy-rsa/vars
Create the CA root key
  /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate
  /etc/openvpn/easy-rsa/build-key server

3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate
  /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters (the size comes from KEY_SIZE in vars, 1024 here)
  /etc/openvpn/easy-rsa/build-dh
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client
The private keys travel in these copies: use scp rather than ftp, and keep the CA's own key (ca.key) off the VPN nodes
The "easy-rsa" tools also work on the UC-7400 series

3-4-3 Configuration File Modification
  t??/server.conf (tun or tap)
  t??/client.conf
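The slides show the configuration files only as screenshots, so here is an added example (not from the Moxa material) that writes them: a script producing server.conf and client.conf for the 3-1 topology, either in static-key mode (3-1/3-2) or in TLS mode with the easy-rsa output of 3-4. The tunnel endpoint addresses 10.8.0.1/10.8.0.2, the key file names and the easy-rsa/keys directory on the client side are assumptions; the LAN addresses, the server address and the OpenVPN 2.0 directives follow the slides.

```shell
#!/bin/sh
# Added example, not part of the Moxa slides: generate the OpenVPN 2.0
# configuration files for the 3-1 topology (LAN A 10.0.1.0/24 behind the
# server at 192.168.12.201, LAN B 10.0.2.0/24 behind the client at
# 192.168.12.202) in static-key mode (3-1/3-2) or in TLS mode with the
# easy-rsa certificates (3-4).  The tunnel endpoint addresses 10.8.0.1 and
# 10.8.0.2, the key file names and the easy-rsa/keys directory on the client
# are assumptions; everything else follows the slides.

SERVER_IP=192.168.12.201
TUN_SERVER=10.8.0.1
TUN_CLIENT=10.8.0.2
LAN_A="10.0.1.0 255.255.255.0"
LAN_B="10.0.2.0 255.255.255.0"
DIR=${OPENVPN_DIR:-/etc/openvpn}
KEYS=$DIR/easy-rsa/keys            # where build-ca / build-key / build-dh leave their output

openvpn_conf() {                   # $1 = static | tls, $2 = server | client; prints one config file
    mode=$1 role=$2
    echo "dev tun"                 # routed layer-3 tunnel (2-3-1): no bridge script needed
    echo "proto udp"
    echo "port 1194"
    if [ "$role" = server ]; then
        echo "ifconfig $TUN_SERVER $TUN_CLIENT"
        echo "route $LAN_B"        # added when the tunnel comes up; replaces the tun/server.sh route script
    else
        echo "remote $SERVER_IP 1194"   # the client MUST know the server address (3-2)
        echo "ifconfig $TUN_CLIENT $TUN_SERVER"
        echo "route $LAN_A"
    fi
    if [ "$mode" = static ]; then
        echo "secret $DIR/static.key"   # same 2048-bit key on both ends; copy it with scp, never ftp
    else
        echo "tls-$role"                # tls-server on the server, tls-client on the client
        if [ "$role" = server ]; then
            echo "dh $KEYS/dh1024.pem"  # from build-dh, server side only
            echo "tls-auth $DIR/ta.key 0"
        else
            echo "tls-auth $DIR/ta.key 1"
        fi
        echo "ca $KEYS/ca.crt"          # ca.crt only: ca.key stays on the CA machine
        echo "cert $KEYS/$role.crt"
        echo "key $KEYS/$role.key"
    fi
    echo "cipher AES-128-CBC"      # hardware-accelerated on the UC-7400 (1-8-1)
    echo "auth SHA1"               # HMAC on every packet (2-2 OpenVPN Security)
    echo "keepalive 10 60"
    echo "persist-key"
    echo "persist-tun"
    echo "comp-lzo"
    echo "verb 3"
}

install_conf() {                   # $1 = static | tls; run on the VPN server as root
    mkdir -p "$DIR"
    if [ "$1" = static ]; then
        [ -f "$DIR/static.key" ] || openvpn --genkey --secret "$DIR/static.key"   # 3-1
        chmod 600 "$DIR/static.key"
        openvpn --test-crypto --secret "$DIR/static.key" --cipher AES-128-CBC >/dev/null   # self-diagnostic
    else
        [ -f "$DIR/ta.key" ] || openvpn --genkey --secret "$DIR/ta.key"   # extra HMAC over the TLS handshake
        chmod 600 "$DIR/ta.key" "$KEYS"/*.key
    fi
    openvpn_conf "$1" server > "$DIR/server.conf"
    openvpn_conf "$1" client > "$DIR/client.conf"   # goes to the client with its key material, over scp
    echo 1 > /proc/sys/net/ipv4/ip_forward            # both ends route between tun0 and their LAN
}

# Usage on the UC-7400:  sh openvpn-setup.sh static   (or: tls)
#                        openvpn --config /etc/openvpn/server.conf &
case "${1:-}" in
    static|tls) install_conf "$1" ;;
esac
```

The route directive does what the tun/server.sh and tun/client.sh scripts of 3-2 do by hand, and tls-auth adds the static-key HMAC on top of the TLS handshake so that unauthenticated UDP packets are dropped before they reach the TLS code. OpenVPN's `ns-cert-type server` check is deliberately left out: it only works if the server certificate was built with build-key-server, not with the plain build-key shown in 3-4-2.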
Live Demo
UC-7420 Demo Box
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM and keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm setting: Temperature → Voltage → Burn-in throughput
F4 Configuration key
F5 Main menu
Apache web with CGI and HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
- The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
- The compatible 802.11g wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset
Thank You
UC-7400 V1.5 Firmware
New Functions and Features Introduction
Firmware version                  V1.1              V1.4.3            V1.5
Serial port                       230.4 Kbps        230.4 Kbps        921.6 Kbps (with HW V1.2)
WLAN                              802.11b           802.11b           802.11b (Prism 2.0/2.5), 802.11g
                                  (Prism 2.0/2.5)   (Prism 2.0/2.5)
USB host                          NA                Mass storage PnP  Mass storage PnP
USB client                        NA                NA                NA
Reset to factory default button   NA                NA                Yes (with HW V1.2)
Shared memory                     NA                NA                Yes
Protocol stacks and utilities
arp (utility)                     NA                Yes               Yes
iptables                          NA                NA                Yes
OpenVPN                           NA                NA                Yes
WatchDog API                      NA                NA                Yes
Crontab                           NA                NA                Yes
upfirm                            NA                Yes               Yes
backupuf                          NA                Yes               Yes
backupfs / bf                     Yes               Yes               NA
minicom                           Yes               Yes               Replaced by tip
Directory changes
/var                              User file system  User file system  Changed to ramdisk
Apache document root              /usr/html         /usr/html         /usr/www

UC-7400 V1.5 Firmware
New feature introduction
- WatchDog support
- Cron function on the system
- UART and special baud rate support
- System image backup utility "upfirm"
- 802.11g wireless card support
- Tool chain on the Windows platform, including GCC, glibc and Insight (GDB debug tool)
- iptables support
- OpenVPN support
Watch Dog Timer (WDT)
1 Introduction
The WDT works like a watchdog function. You can enable or disable it. When the user enables the WDT but the application does not acknowledge it, the system reboots. The ack time can be set from a minimum of 50 ms to a maximum of 60 seconds.
2 How the WDT works
The WatchDog is enabled when the system boots up and the kernel acks it automatically. A user application can take over the ack; once it has done so, failing to ack within the set time reboots the system.
3 The user API
The user application must include <moxadevice.h> and link moxalib.a
Crontab
1 Introduction: daemon to execute scheduled commands
2 Description
- Start cron from /etc/rc.d/rc.local
- Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
  m (minute)  h (hour)  dom (day of month)  mon (month)  dow (day of week)    user  command
  0-59        0-23      1-31                1-12         0-6 (0 is Sunday)
3 Example
- How to add ntpdate (time synchronization) to cron
- Every day at 05:10 the system synchronizes its time from the NTP server (192.168.0.1) and writes it to the hardware clock
  vi /etc/cron.d/crontab
  # m h dom mon dow user command
  10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
UART and special baud rate support
1 Introduction
- The normal tty device nodes are /dev/ttyM0 ... /dev/ttyM7 and the modem (callout) tty device nodes are /dev/cum0 ... /dev/cum7
- The UC-7400 supports standard Linux termios control
- The Moxa UART device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2 The function
You must include <moxadevice.h>, which defines the operation modes:
  #define RS232_MODE        0
  #define RS485_2WIRE_MODE  1
  #define RS422_MODE        2
  #define RS485_4WIRE_MODE  3
Functions (ioctl commands)
- MOXA_SET_OP_MODE
- MOXA_GET_OP_MODE

UART and special baud rate support
3 Special baud rate support
- There are two Moxa private ioctl commands for setting up special baud rates:
- MOXA_SET_SPECIAL_BAUD_RATE
- MOXA_GET_SPECIAL_BAUD_RATE
- If you use this ioctl to set a special baud rate, the termios c_cflag will read B4000000 (note that this B4000000 define differs from the standard one)
- If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm

Upgrading the Firmware
1 Introduction
The UC-7400's BIOS (boot loader), kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
- The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
- Upgrading the firmware will erase all data on the Flash ROM
- upfirm checks the image before erasing, but do not start it on a partially downloaded file: the erase step cannot be undone

Upgrading the Firmware
2 Description
- In V1.4.3 or later firmware the UC-7400 adds a new utility, "upfirm"
- The utility upfirm is designed for upgrading the firmware (boot loader, kernel, mini file system, user file system and configuration)
- If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website

How to upgrade the firmware
Step 1: Type the following commands to enable the RAM disk
  upramdisk
  cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
  upfirm uc7400-xxx.frm
(See the next slide for the upfirm procedure)

  root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
  Upgrade firmware utility version 1.0
  To check source firmware file context
  The source firmware file context is OK
  This step will destroy all your firmware
  Do you want to continue it (Y/N)? Y
  MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 -- 100% complete
  Wait to write file ... Completed 100%
  Now upgrade the new configuration file
  Upgrade the firmware is OK
  Please press any key to reboot system
Press any key to reboot the system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot after upgrading the firmware takes a long time.
Setting up the Network Interfaces
IEEE 802.11g

Configure 802.11g Wireless LAN
Step 1: Unplug the CardBus wireless LAN card first
Step 2: Configure the default IP setting profile
  root@Moxa:~# vi /etc/network/interfaces
  # 802.11g Gigabyte Cardbus wireless card
  iface eth0 inet static
      address 192.168.5.127
      network 192.168.5.0
      netmask 255.255.255.0
      broadcast 192.168.5.255

Configure 802.11g Wireless LAN
Step 3: Configure the WLAN parameters
  vi /etc/Wireless/RT2500STA/RT2500STA.dat
  Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
  This file is a binary file and is read when the rt2500.o module loads
  Use "vi -b RT2500STA.dat" to modify the settings according to your needs:
  1) set NetworkType to Adhoc for ad-hoc mode, otherwise Infrastructure
  2) set Channel to 0 for auto-select in Infrastructure mode
  3) set SSID for connecting to your access point
  4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
  5) EncrypType can be NONE, WEP, TKIP, AES
  For more information refer to the Readme file
  Prefer AuthMode=WPAPSK with EncrypType=AES (or TKIP): OPEN or SHARED with WEP gives no real protection, and SHARED-key authentication is weaker than OPEN because its challenge exposes WEP keystream

Configuring 802.11g Wireless LAN
- The settings in /etc/Wireless/RT2500STA/RT2500STA.dat
  CountryRegion: sets the channels for your particular country region
  WirelessMode: sets the wireless mode
  SSID: sets the SSID of the network to join
  NetworkType: sets the wireless operation mode
  Channel: sets the channel
  AuthMode: sets the authentication mode
  EncrypType: sets the encryption type
  DefaultKeyID: sets the default key ID
  Key1Str, Key2Str, Key3Str, Key4Str: set strings Key1 to Key4
  WpaPsk: WPA pre-shared key
  TxBurst: enables or disables TxBurst
  TurboRate: enables or disables TurboRate
  BGProtection: sets 11b/11g protection (this function is for engineering testing only)
  ShortSlot: enables or disables the short slot time
  TxRate: sets the TxRate
  RTSThreshold: sets the RTS threshold
  FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB

Windows Tool Chain Introduction
The UC-7400's Windows tool chain is a cross development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC
The following topics are covered in this appendix:
- Introduction
- Installation procedure
- Using the BASH shell
- GDB debug tool: Insight

Windows Tool Chain
1 Operating system: Windows 2000 or Windows XP
2 Minimum of 500 MB hard disk space
3 CD-ROM or equivalent
4 Ethernet to connect with the UC-7400
5 Be able to log in as administrator
6 Use a Windows username without spaces
7 You will be using a BASH shell window to enter commands
8 In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems (CR/LF line endings) when the files are transferred to a bona fide Linux environment
Development Process
Step 1: Set up the development environment on the PC (x86)
Step 2: Code, compile and debug on the Windows tool chain
Step 3: Deploy the program to the UC (IXP-422)

Step 1: Setting up the Development Environment
Install the Windows tool chain on the PC (Windows 2000/XP)
Installation tips
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities
- Moxa Bash shell
- GDB debug tool: Insight
  http://sources.redhat.com/insight
- This process could take from 5 to 30 minutes depending on the speed of your system

Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash shell (PC, Windows tool chain)
Compile/link the source code with the tool chain
- Compiler path setting: PATH=/usr/local/mxscaleb/bin
- Compiling hello.c

Step 3: Deployment
Upload the program to the UC
- ftp 192.168.3.127
- ftp> binary
- ftp> put hello-release
Running the program (at the UC-7400)
- chmod +x hello-release
- ./hello-release
  Hello
FTP sends the login password and the binary in clear text over the Ethernet link; on anything but an isolated development network use scp/sftp over the sshd the UC-7400 already ships

Debugging with GDB
[Figure: PC, Moxa Bash shell: 1 compile with -ggdb; 3 Insight tool (GDB client); 4 target remote. UC: 2 GDB debug server. The two are connected over Ethernet]
Step 1: PC, Moxa Bash shell: compile the program with the -ggdb option, then upload it to the UC
Step 2: UC: start hello-debug under gdbserver
  chmod +x hello-debug
  gdbserver 192.168.3.127:2000 hello-debug
  Process hello-debug created; pid = 206
Step 3: PC, Insight: run the GDB client
- Open the hello-debug file
- Connect to target
- GDB Server/TCP, 192.168.3.200, 2000
gdbserver authenticates nobody: whoever reaches TCP port 2000 controls the debugged process. Run it only on an isolated development network and stop it when the session ends
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1 Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
"Netfilter" examines only the packet headers, not the content
iptables is currently one of many firewall/NAT solutions; it is the administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel

1 Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table

1 Quick View of iptables
3rd generation firewall on Linux
- "ipfwadm" on Linux kernel 2.0.x
- "ipchains" on Linux kernel 2.2.x
- "ipchains", "iptables" on Linux kernel 2.4.x
- "iptables" on Linux kernel 2.6.x
Supports basic packet filtering as well as connection state tracking
The UC-7110/7400 support only "iptables"
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine

2-1 First Match - The Highest Priority
[Figure: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches (Yes) applies its action (Action 1, 2, ... 10) and evaluation stops; if no rule matches (No all the way down), the chain's default policy applies]

2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100
  Rule 1: Drop the packets from 192.168.1.100
  Rule 2: Accept WWW request packets from all hosts
  Rule 3: Drop all non-WWW packets
Wrong order:
  Rule 1: Accept WWW request packets from all hosts
  Rule 2: Drop the packets from 192.168.1.100
  Rule 3: Drop all non-WWW packets
In the second order 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port: its packets already matched Rule 1, so Rule 2 is never reached
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table

2-2-1 Filter Table
Mainly used for filtering packets: the place where we actually take action against packets, look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content
1 INPUT chain: packets entering the local host
2 OUTPUT chain: packets output from the local host
3 FORWARD chain: packets forwarded to other hosts

2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source or destination field
1) PREROUTING chain: translates the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device, translating the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: works on locally generated packets
Only the first packet of a connection traverses the NAT table; the connection tracker then applies the same translation to the rest of the connection

2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine

2-3-1 Destination Local Host
Incoming packets → NAT table PREROUTING → routing decision → filter table INPUT → local process

2-3-2 Source Local Host
Local process → NAT table OUTPUT → filter table OUTPUT → NAT table POSTROUTING → packets sent out

2-3-3 Forwarded Packets
Incoming packets → NAT table PREROUTING → routing decision (destination is not a local resource) → filter table FORWARD → NAT table POSTROUTING → other hosts

2-4 State Machine
Connection tracking classifies every packet as NEW, ESTABLISHED, RELATED or INVALID (see the state match in 3-3-3 and Example 12)
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules

3-1 Load iptables Modules
Note: ipchains and iptables are not compatible (the ipchains module must not be loaded at the same time)

3-1 Load iptables Modules
Check the current tables
  iptables [-t table] -L [-n]
  (-n keeps iptables from resolving addresses to names, which is slow and sends DNS queries)
The default policy of each chain is shown in the chain header of the listing

3-1 Install iptables
Clear the current policy (iptables -F flushes the rules of a table, iptables -X deletes user-defined chains)

3-2 Define Default Policy
  iptables -t {filter | nat | mangle} -P {INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING} {ACCEPT | DROP}

3-2 Define Default Policy
Set the default policy of INPUT and FORWARD to DROP so that whatever no rule accepts is discarded; on a box administered over the network, add the rule that accepts your own session before switching the policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace
  iptables -t {filter | nat | mangle} {-A | -I | -D | -R} <chain> <matches> -j <target>
Three major things need to be considered: the direction (chain), the match (conditions) and the target (action, given with -j)

3-3-2 Direction - Chains
a filter table: INPUT, OUTPUT, FORWARD
b nat table: PREROUTING, POSTROUTING, OUTPUT
c mangle table: ...

3-3-3 Matches - Conditions
1 -p [proto]: tcp, udp, icmp, all
2 -s [IP], -d [IP]
3 --sport [port], --dport [port]
4 -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5 -m multiport --dports [p1,p2,...,p15] (or --sports, --ports)
6 -i [iface], -o [oface]
7 ... etc.

3-3-4 Targets - Actions
a filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (PREROUTING/OUTPUT)
c mangle table: ...
LOG is non-terminating: the packet continues down the chain after being logged, so a LOG rule goes just before the DROP or ACCEPT that decides its fate
3-4 Save/Restore Rules
  iptables-save > rules.txt
  iptables-restore < rules.txt
It is highly recommended to use a script file to maintain the Netfilter rules instead of this exported file (it is not a standard script file). Please refer to the hands-on practice

4) Hands-On Practice
1) Packet Filter
2) NAT Machine
4-1 Packet Filter - Rules of filter table

Example 1 - Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT

Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT

4-1 Packet Filter - Rules of filter table

Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT

Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Note: appended after the Example 3 rule, this rule never matches, because 192.168.1.25 is already accepted by the 192.168.1.0/24 rule (first match wins). Insert it ahead of that rule with -I instead of -A.
4-1 Packet Filter - Rules of filter table

Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP

Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to the local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of filter table

Example 7 - Log the incoming TCP packets to port 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
(The rule shown covers the incoming direction only; a matching OUTPUT rule with --sport 25 logs the replies. LOG is a non-terminating target: the packet continues down the chain after being logged.)
Note: UC-7110 does not support the target "LOG".
4-1 Packet Filter - Rules of filter table

Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP

Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
(The mac match only works in chains that see the incoming frame: PREROUTING, INPUT and FORWARD. A MAC address is trivially forged, so treat this as a convenience, not as authentication.)
Example 10 - Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
(type 8 = echo-request)

Example 11 - Limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
(Up to 10 ICMP packets are accepted at once; after that only 6 per minute pass and the rest fall through to the DROP policy.)
4-1 Packet Filter - Rules of filter table

Example 12 - Accept the ESTABLISHED / RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of filter table

Example 13 - Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
(unclean is an experimental 2.4 match that drops malformed or suspicious packets.)

Example 14 - Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
(ip_conntrack_ftp reads the PORT / PASV exchange on the control connection, so the data connection is classified as RELATED and passes this rule without opening the whole port range.)
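The examples above are given one rule at a time. The script below is an added example (it is not part of the Moxa hands-on material) that combines them into the kind of maintainable rule script section 3-4 recommends, in the order first-match evaluation requires. Assumed values, all changeable at the top: LAN 192.168.1.0/24 on eth0, ssh (22) accepted from the LAN only, HTTP (80) from anywhere, 192.168.1.25 the host to block, and the ICMP limit of Example 11. The rule list is produced by a function so it can be inspected, and checked for the Example 3/4 ordering trap, before it is loaded.

```shell
#!/bin/sh
# Added example, not part of the Moxa deck: one script for the filter table.
# Assumed values (change to suit): LAN_IF, LAN_NET, BLOCKED_HOST, services.
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
BLOCKED_HOST=${BLOCKED_HOST:-192.168.1.25}
IPT=${IPT:-iptables}

# Print the rule set, one iptables command per line, in the order it must be
# loaded. First match wins, so the order *is* the policy: the host-specific
# DROP must come before the subnet-wide ACCEPT (the trap in Examples 3/4),
# and the LOG rule is last so it only sees what nothing else accepted.
filter_rules() {
    cat <<EOF
$IPT -t filter -F INPUT
$IPT -t filter -P INPUT DROP
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -i $LAN_IF -s $BLOCKED_HOST -j DROP
$IPT -t filter -A INPUT -i $LAN_IF -p tcp -s $LAN_NET --dport 22 --syn -j ACCEPT
$IPT -t filter -A INPUT -i $LAN_IF -p tcp --dport 80 --syn -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 10 -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPT -t filter -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
EOF
}

# 1-based position of the first rule whose text contains $1, 0 if absent.
rule_index() {
    n=$(filter_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

rule_count() { filter_rules | wc -l | tr -d ' '; }

# Refuse a rule set in which the blocked host would be accepted by the
# broader LAN rule before its own DROP is reached.
check_order() {
    drop=$(rule_index "$BLOCKED_HOST")
    lan=$(rule_index "$LAN_NET")
    [ "$drop" -gt 0 ] && [ "$drop" -lt "$lan" ]
}

apply_rules() {
    check_order || { echo "rule order is wrong, not loading" >&2; return 1; }
    filter_rules | sh -e
}

# "sh filter.sh apply" loads the rules; "sh filter.sh show" only prints them.
case "${1:-}" in
    apply) apply_rules ;;
    show)  filter_rules ;;
esac
```

The policy is set to DROP before the rules are appended, so run this from the serial console or accept that an ssh session on eth0 sees a short gap until the ESTABLISHED rule is in place. The script leaves OUTPUT and FORWARD untouched; a NAT machine needs FORWARD rules as well.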
4-2 NAT Machine - Rules of nat table
Example 1 - Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Example 2 - Masquerade the packets coming from 192.168.1.0/24 and leaving through ppp0 with ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
(MASQUERADE is only valid in the POSTROUTING chain, and -o can only be used in POSTROUTING or OUTPUT; a PREROUTING form of this rule is rejected by iptables.)
4-2 NAT Machine
Example 3 - DNAT the incoming packets on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80

Example 4 - Redirect the incoming packets for TCP port 80 to 192.168.1.10, TCP port 80 (a DNAT rule of the same form as Example 3)

Reverse direction - SNAT the packets leaving from the internal network 192.168.127.0/24 to the public address $OUT_IP
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
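The nat-table rules above only rewrite addresses: after DNAT the packet is routed and still has to pass the filter table's FORWARD chain, which the examples do not show. The script below is an added example (not part of the Moxa deck) of the UC as a complete NAT machine. Assumed values: public side eth0 with the fixed address 60.248.66.75 (pass an empty address to get the MASQUERADE form of Example 2 for a ppp0 link), LAN 192.168.127.0/24 on eth1, internal web server 192.168.127.10.

```shell
#!/bin/sh
# Added example, not part of the Moxa deck: the UC as a NAT machine.
# Assumed values: public side WAN_IF with fixed address WAN_IP (empty WAN_IP
# = dynamic address, use MASQUERADE), LAN_NET behind LAN_IF, web server.
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-60.248.66.75}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.127.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.127.10}
IPT=${IPT:-iptables}

# nat-table rules. $1 = public address; pass "" to use MASQUERADE, which
# picks up the interface's current address (the ppp0 case of Example 2).
nat_rules() {
    wan_ip=${1-$WAN_IP}
    if [ -n "$wan_ip" ]; then
        dst="-d $wan_ip"
        snat="-j SNAT --to-source $wan_ip"
    else
        dst=""
        snat="-j MASQUERADE"
    fi
    cat <<EOF
$IPT -t nat -F
$IPT -t nat -A PREROUTING -i $WAN_IF -p tcp $dst --dport 80 -j DNAT --to-destination $WEB_SERVER:80
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET $snat
EOF
}

# The translated packet must also pass FORWARD. With a DROP policy there,
# the DNAT above silently fails unless the (already rewritten) destination
# is accepted here; the LAN itself is only allowed outward.
forward_rules() {
    cat <<EOF
$IPT -t filter -F FORWARD
$IPT -t filter -P FORWARD DROP
$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
$IPT -t filter -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SERVER --dport 80 -m state --state NEW -j ACCEPT
EOF
}

apply_nat() {
    echo 1 > /proc/sys/net/ipv4/ip_forward   # routing between the two sides
    { nat_rules; forward_rules; } | sh -e
}

# "sh nat.sh apply" loads everything; "sh nat.sh show" only prints it.
case "${1:-}" in
    apply) apply_nat ;;
    show)  nat_rules; forward_rules ;;
esac
```

Note the two "-i eth0" conditions: without them a host on the LAN that addresses the public IP is also translated, and with MASQUERADE on a dynamic link the DNAT rule has no "-d" at all, so the interface match is the only thing that scopes it.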
Thank You

OpenVPN 2.0
Stephen Lin

OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
- Ensure that the message has not been modified during the transmission
Authenticity
- You can verify that you are talking to the entity you think you are talking to
- You can verify who is the specific individual behind that entity
Non-repudiation
- The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
- Fast, high efficiency for data transmission
- Is it "secure" while transferring the key?
- Maintenance of the keys: n(n-1)/2 keys for n parties
- DES, 3DES, AES, Blowfish
[Figure: Tom encrypts the plaintext with the shared secret key; Bob decrypts the ciphertext back to plaintext with the same key]
1-3 Hash (Digest) Function
- Ensure data integrity
- MD5, SHA-1
[Figure: Tom hashes the data to message digest 1 and sends data + digest 1; Bob hashes the received data with the same hash function to message digest 2 and compares it with digest 1]
1-4 Message Authentication Code
- Ensure the data integrity
- Use a key to protect the MAC (a bare digest can be recomputed by anyone who changes the data; the keyed MAC cannot)
- HMAC, CBC-MAC
[Figure: Tom hashes the data to message digest 1, encrypts the digest with the secret key to form the MAC and sends data + MAC; Bob hashes the received data to message digest 2, decrypts the MAC with the secret key to recover digest 1 and compares the two]
1-5 Asymmetric Encryption
Things to remember:
- Key pair: public / private keys
- In a session, one is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
- For RSA the two keys are mathematically interchangeable: when a key pair is generated, either of the two can be made public and the other kept private (this does not hold for every asymmetric algorithm)
- Less efficient than symmetric keys
- RSA, Diffie-Hellman
[Figure: clear text encrypted into cipher text]
1-5 Asymmetric Data Encryption
[Figure: Confidentiality check - Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair)]

1-5 Asymmetric Data Encryption
[Figure: Authenticity check - Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair)]
1-6 Digital Signature
Real world - hybrid:
1 Data integrity
2 Authenticity
3 Non-repudiation
4 Algorithm - use the public key algorithm together with a hash
1-6 Digital Signature - Creating
[Figure: message or file ("This is the document created by Gianni") -> generate hash (SHA, MD5) -> message digest (typically 128 bits) -> asymmetric encryption (RSA) with the signatory's private key -> digital signature; signed document = message + digital signature]
Calculate a short message digest from even a long input using a one-way message digest function (hash)
1-6 Digital Signature - Verifying
[Figure: signed document = message + digital signature; generate the hash of the message -> message digest; asymmetric decryption (RSA) of the digital signature with Gianni's public key (from his certificate) -> message digest; compare the two]
1-6 Digital Signature
[Figure: Tom hashes the data to message digest 1, encrypts the digest with Tom's private key to form the digital signature and sends data + signature; Bob hashes the received data to message digest 2, decrypts the signature with Tom's public key to recover digest 1 and compares the two]
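The three diagrams above (1-3 hash, 1-4 MAC, 1-6 signature) are easy to confuse because they all end in "compare". The script below is an added example, not part of the Moxa deck, that runs all three over the same message with the openssl command line and shows what each one does and does not catch. The message, the forged message, the HMAC key and Tom's RSA key are all constructed here for illustration; the work happens in a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the Moxa deck: digest, HMAC and RSA signature
# over the same message with the openssl command line. Everything here
# (message, forged message, keys) is constructed for illustration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'transfer 100 to Bob\n' > msg.txt
printf 'transfer 900 to Eve\n' > forged.txt   # what an attacker substitutes

# 1-3: plain digest. Detects accidental corruption only: an attacker who can
# replace the message can just as easily replace the digest sent with it.
digest() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# 1-4: keyed digest (HMAC). Without the key the attacker cannot produce a
# valid tag for forged.txt, so Bob notices the substitution. Bob holds the
# same key, so he could forge a tag himself: no non-repudiation.
hmac() { openssl dgst -sha256 -hmac "$2" "$1" | awk '{print $NF}'; }

# 1-6: signature. Tom signs with his private key; anyone with tom.pub can
# verify, and only the holder of tom.key could have produced the signature.
make_keys() {
    openssl genrsa -out tom.key 2048 2>/dev/null
    openssl rsa -in tom.key -pubout -out tom.pub 2>/dev/null
}
sign() { openssl dgst -sha256 -sign tom.key -out "$1.sig" "$1"; }
verify() {   # prints ok / fail; $1 = file to check, $2 = signature file
    if openssl dgst -sha256 -verify tom.pub -signature "$2" "$1" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

demo() {
    echo "digest(msg)    = $(digest msg.txt)"
    echo "digest(forged) = $(digest forged.txt)   (attacker recomputes this freely)"
    echo "hmac(msg,key)  = $(hmac msg.txt s3cret)"
    echo "hmac(msg,bad)  = $(hmac msg.txt wrong)   (wrong key, wrong tag)"
    make_keys
    sign msg.txt
    echo "verify(msg)    = $(verify msg.txt msg.txt.sig)"
    echo "verify(forged) = $(verify forged.txt msg.txt.sig)"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh crypto.sh demo". The signature check fails on forged.txt even though the attacker can compute its digest, because the digest that was signed is the one of msg.txt and only tom.key could sign a new one.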
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key
... and the whole is:
- Digitally signed by someone trusted (like your friend, or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Figure: the CA (certification server) generates a key pair (priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS) and the private key and certificate are sent to the user]
(If the CA generates the user's key pair, the private key has to be delivered over a protected channel. The alternative is that the user generates the key pair locally and sends only a certificate request, as in 3-4-1 below.)

1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key; Left and Right each hold their own private key, their certificate signed by the CA, and the CA public key (the CA certificate, signed by the CA itself); each side trusts the other's certificate because it verifies under the CA public key]
1-7-2 SSL/TLS
[Figure: each side holds a key pair (priv, pub); clear text is encrypted to cipher 1 and cipher 2, transmitted over the public network, and decrypted back to clear text on the other side]
- Ensures confidentiality, and integrity if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
- No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four charts of cipher throughput against data size, software versus hardware cipher: 3DES-CBC and AES-128-CBC for 128 to 1280 byte blocks, and 3DES-CBC and AES-128-CBC for 16 to 144 byte blocks, each with a RATE curve; legend: = HW Cipher]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
- Default: hardware approach
- Any misconfiguration, or a busy hardware engine, causes the switch
Small packets are switched to the software approach:
- DES: 128 bytes
- 3DES / AES: 64 bytes
1-8-4 Software Package
Driver: mxhw_cipher.o
Device file: mknod /dev/mxcrypto c 11 131
Test program:
- io             correctness test
- io 0 5000      stability test
- io 1           golden pattern
- io 2 20000     performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
- VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
- A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.)
- A VPN allows the usage of protocols which are insecure by themselves
- VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT / DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most of the platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later

2-2 Why OpenVPN
Peers - each node with a client / server role
- Uses the kernel routing
- Multiple clients
A user-space program
- A full-featured SSL-VPN solution
- On top of the existing SSL/TLS mechanism
- Options between a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (port 5000 in 1.x, 1194 in 2.0) or TCP port
2-2 OpenVPN Security
Two authentication modes
- Static key: use a pre-shared key
- SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
  HMAC | IV | encrypt( SeqN | IP payload )
- SeqN: 64-bit sequence number (replay protection)
- IV: plain text initial vector, randomized per packet
- HMAC: computed over the IV and the encrypted part (encrypt-then-MAC), so a packet with a bad HMAC is discarded before any decryption is attempted
2-2 OpenVPN vs IPsec
OpenVPN
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPsec
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPsec
- IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
- Uses a TUN device: a virtual point-to-point IP link that combines the inner interface together with TUN
- Uses the kernel routing to forward the packets
[Figure: OSI stacks of the two hosts (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer and the TUN device attaches at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see the machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
- The bridge tools (brctl) are required to create the bridge
- Need to create a script to bind eth1 and tap0 together into a bridged device called br0

2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          create an Ethernet bridge
brctl addif br0 eth1     connect interface eth1 as a port
brctl addif br0 tap0     connect the virtual interface tap0 as a port
[Figure: OSI stacks of the two hosts; OpenVPN at the application layer, TUN attaches at layer 3 and TAP at layer 2; on each side eth1 and tap0 are bridged, and eth0 carries the tunnel traffic]

2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point-to-point, point-to-multipoint
2 Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works where the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing, and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Figure: LAN A, IP 10.0.1.1/24, gw 10.0.1.254 = VPN server (also CA / TLS server), ixp1 on the LAN side, ixp0 192.168.12.201 on the public side; VPN tunnel across the public network; LAN B, IP 10.0.2.1/24, gw 10.0.2.254 = VPN client, ixp1 on the LAN side, ixp0 192.168.12.202 on the public side; the client connects to the server]
3-1 Getting Started
- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
  (the key file must reach the peer over a protected channel, e.g. scp, and should be readable by root only)
- Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
- Create / start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
- Check the cipher / authentication support: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At VPN client] vi /etc/openvpn/tunclient.conf
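The tunserver.conf / tunclient.conf files themselves are not reproduced on this page. The script below is an added example, not the deck's own files, that generates a static-key, routed (TUN) pair for the LAN A / LAN B diagram of 3-1. Assumptions: the server is reachable at 192.168.12.201; the tunnel endpoints are 10.8.0.1 (server) and 10.8.0.2 (client), chosen here instead of the LAN gateway addresses the deck reuses; LAN A is 10.0.1.0/24 and LAN B 10.0.2.0/24; the key is /etc/openvpn/static.key from "openvpn --genkey --secret", copied to the client over ssh; "group nobody" assumes such a group exists on the target.

```shell
#!/bin/sh
# Added example, not the deck's tunserver.conf / tunclient.conf: generate a
# static-key, routed (TUN) configuration pair. Assumed addresses: server at
# 192.168.12.201, tunnel 10.8.0.1 <-> 10.8.0.2, LAN A 10.0.1.0/24, LAN B
# 10.0.2.0/24, key /etc/openvpn/static.key, a "nobody" group on the target.
SERVER_ADDR=${SERVER_ADDR:-192.168.12.201}
LAN_A="10.0.1.0 255.255.255.0"
LAN_B="10.0.2.0 255.255.255.0"
KEY=/etc/openvpn/static.key

# Options both ends must agree on. cipher and auth (the HMAC digest) have to
# match exactly in static-key mode: nothing is negotiated.
common_opts() {
    cat <<EOF
dev tun
proto udp
port 1194
secret $KEY
cipher AES-128-CBC
auth SHA1
ping 10
ping-restart 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

tun_server_conf() {
    cat <<EOF
# VPN server, LAN A side. ifconfig: this end's tunnel address, then the peer's
ifconfig 10.8.0.1 10.8.0.2
# reach LAN B through the tunnel (route is added when the tunnel comes up)
route $LAN_B
EOF
    common_opts
}

tun_client_conf() {
    cat <<EOF
# VPN client, LAN B side. The client must name the server's public address
remote $SERVER_ADDR
ifconfig 10.8.0.2 10.8.0.1
route $LAN_A
EOF
    common_opts
}

# Number of times directive $1 appears in the config read from stdin.
count_directive() { grep -c "^$1 " || true; }

write_confs() {   # $1 = target directory, normally /etc/openvpn
    tun_server_conf > "$1/tunserver.conf"
    tun_client_conf > "$1/tunclient.conf"
}

case "${1:-}" in
    server) tun_server_conf ;;
    client) tun_client_conf ;;
    write)  write_confs "${2:-/etc/openvpn}" ;;
esac
```

The route lines replace the tunserver.sh / tunclient.sh static-route scripts of the next slides for the simple two-LAN case; hosts on each LAN still need their default gateway to be the VPN box. Static-key mode has no forward secrecy: whoever obtains static.key can decrypt recorded traffic, which is the argument for the TLS mode of 3-4.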
3-2 TUN Server Configuration
- The local / remote VPN IP addresses must be specified (ifconfig [local] [remote])
- It is NECESSARY to specify the server address at the VPN client (remote [server])
3-2 TUN Server Configuration
- Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
  [At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
  [At VPN client] openvpn --config /etc/openvpn/tunclient.conf &
- (Callout) The 2nd argument of "ifconfig" is the remote end of the tunnel, which is now "10.0.2.254"
- Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At VPN client] vi /etc/openvpn/tapclient.conf

3-3 TAP Configuration - VPN Server
(Callout) Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
- Edit the static routes: vi /etc/openvpn/tapserver.sh
  [At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
- (Callout) Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
  [At VPN client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits ... etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
- Sign the certificate request: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client (the CA private key stays on the CA host)
- Repeat the request and signing for the second client
3-4-2 OpenVPN - "easy-rsa" tools
- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars
- Activate the vars: . /etc/openvpn/easy-rsa/vars
- Create the CA root key: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
  (easy-rsa also ships build-key-server, which marks the certificate as a server certificate so that clients can check it with "ns-cert-type server")

3-4-2 OpenVPN - "easy-rsa" tools
- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
- Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
- Copy the CA certificate, client key and client certificate to the VPN client
- Never copy ca.key anywhere: whoever holds it can issue certificates the VPN trusts
- The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
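The modified txxserver.conf / txxclient.conf are not reproduced on this page. The script below is an added example, not the deck's files, of a TLS-mode server/client pair that uses what easy-rsa produced above (ca.crt, server.crt/server.key, client.crt/client.key, dh1024.pem from build-dh with KEY_SIZE=1024 in vars). Assumptions: the server at 192.168.12.201 hands clients addresses from 10.8.0.0/24 and pushes a route to LAN A 10.0.1.0/24; an extra HMAC key /etc/openvpn/ta.key was made with "openvpn --genkey --secret /etc/openvpn/ta.key" and copied to both sides; the server certificate was built with build-key-server so that it carries the server marker the client's ns-cert-type check needs.

```shell
#!/bin/sh
# Added example, not the deck's txxserver.conf / txxclient.conf: TLS-mode
# server and client configurations for the easy-rsa output above.
# Assumed: server at 192.168.12.201, client pool 10.8.0.0/24, LAN A
# 10.0.1.0/24, ta.key on both sides, server cert from build-key-server.
SERVER_ADDR=${SERVER_ADDR:-192.168.12.201}
DIR=/etc/openvpn

tls_server_conf() {
    cat <<EOF
dev tun
proto udp
port 1194
# multi-client TLS server; the first pool address is the server's own
server 10.8.0.0 255.255.255.0
ca $DIR/ca.crt
cert $DIR/server.crt
key $DIR/server.key
dh $DIR/dh1024.pem
# HMAC-sign the TLS handshake as well: packets without a valid tag are
# dropped before any TLS code runs. Direction 0 here, 1 on the client.
tls-auth $DIR/ta.key 0
push "route 10.0.1.0 255.255.255.0"
keepalive 10 60
cipher AES-128-CBC
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

tls_client_conf() {
    cat <<EOF
client
dev tun
proto udp
remote $SERVER_ADDR 1194
nobind
ca $DIR/ca.crt
cert $DIR/client.crt
key $DIR/client.key
tls-auth $DIR/ta.key 1
# refuse a peer that presents a *client* certificate from the same CA:
# without this check any other client could impersonate the server
ns-cert-type server
cipher AES-128-CBC
persist-key
persist-tun
verb 3
EOF
}

# Value of directive $1 in the config read from stdin; empty if absent.
directive_value() { sed -n "s/^$1 //p"; }

# The two tls-auth directions must differ, or the handshake never verifies.
tls_auth_directions_ok() {
    s=$(tls_server_conf | directive_value tls-auth | awk '{print $2}')
    c=$(tls_client_conf | directive_value tls-auth | awk '{print $2}')
    [ -n "$s" ] && [ -n "$c" ] && [ "$s" != "$c" ]
}

case "${1:-}" in
    server) tls_server_conf ;;
    client) tls_client_conf ;;
esac
```

Compared with the static-key setup, each session gets fresh keys from the TLS handshake, and a lost client key is handled by revoking its certificate (crl-verify on the server) instead of re-keying every peer.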
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

Live Demo
UC-7420 Demo Box
- Two of its serial ports are connected to a power meter and a thermocouple
- Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
- The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
- Temperature range: 0 to 500 °C
- Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM and keypad (F1-F5)
F1 Monitoring: Temperature -> Voltage -> Throughput for P3 to P8
F2 System status: LAN's IP -> Wi-Fi's IP -> CPU loading -> Available memory
F3 Alarm setting: Temperature -> Voltage -> Burn-in throughput
F4 Configuration key
F5 Main menu
Apache web with CGI and HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
- UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
- The compatible 802.11g wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset
Thank You
UC-7400 V1.5 Firmware

Firmware Version                  V1.1                     V1.4.3                   V1.5
Serial port                       230.4 Kbps               230.4 Kbps               921.6 Kbps (with HW V1.2)
WLAN                              802.11b (Prism 2.0/2.5)  802.11b (Prism 2.0/2.5)  802.11b (Prism 2.0/2.5), 802.11g
USB Host                          NA                       Mass Storage PNP         Mass Storage PNP
USB Client                        NA                       NA                       NA
Reset to Factory Default button   NA                       NA                       Yes (with HW V1.2)
Share Memory                      NA                       NA                       Yes
Protocol stacks and utilities
Arp (utility)                     NA                       Yes                      Yes
iptables                          NA                       NA                       Yes
OpenVPN                           NA                       NA                       Yes
WatchDog API                      NA                       NA                       Yes
Crontab                           NA                       NA                       Yes
upfirm                            NA                       Yes                      Yes
backupuf                          NA                       Yes                      Yes
backupfs / bf                     Yes                      Yes                      NA
minicom                           Yes                      Yes                      Replaced by tip
Directory change: /var            User File System         User File System         Changed to ramdisk
Apache root document              /usr/html                /usr/html                /usr/www

UC-7400 V1.5 Firmware
New feature introduction
- WatchDog support
- Cron function on the system
- UART and special baud rate support
- System image backup utility "upfirm"
- 802.11g wireless card support
- Tool chain on the Windows platform, including GCC, glibc and Insight (GDB debug tool)
- iptables support
- OpenVPN support
Watch Dog Timer (WDT)
1 Introduction
The WDT works like a watchdog: you can enable it or disable it. When the user enables the WDT but the application does not acknowledge it in time, the system reboots. The ack time can be set from a minimum of 50 msec to a maximum of 60 seconds.
2 How the WDT works
The WatchDog is enabled when the system boots up and the kernel acks it automatically. A user application can also take over the acking; if the user application then fails to ack, the system reboots.
3 The user API
The user application must include <moxadevice.h> and link moxalib.a
Crontab
1 Introduction: daemon to execute scheduled commands
2 Description
- Start cron from /etc/rc.d/rc.local
- Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
  m (Minute)   h (Hour)   dom (Date)   mon (Month)   dow (Week)           user   command
  0-59         0-23       1-31         1-12          0-6 (0 is Sunday)
3 Example
- How to add ntpdate (synchronize time) in cron
- Every day at 5:10 the system will synchronize the time from the NTP server (192.168.0.1) and write it to the hardware clock
vi /etc/cron.d/crontab
# m  h  dom  mon  dow  user  command
10   5  *    *    *    root  /usr/sbin/ntpdate 192.168.0.1 ; /sbin/hwclock -w
UART and special baud rate support
1 Introduction
- The normal tty device nodes are /dev/ttyM0 ... ttyM7, and the modem tty device nodes are /dev/cum0 ... cum7
- UC-7400 supports the Linux standard termios control
- The Moxa UART device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2 The function
You must include <moxadevice.h>
#define RS232_MODE        0
#define RS485_2WIRE_MODE  1
#define RS422_MODE        2
#define RS485_4WIRE_MODE  3
Functions (ioctl commands):
- MOXA_SET_OP_MODE
- MOXA_GET_OP_MODE

UART and special baud rate support
3 Special baud rate support
- There are two Moxa private ioctl commands for setting up special baud rates:
  - MOXA_SET_SPECIAL_BAUD_RATE
  - MOXA_GET_SPECIAL_BAUD_RATE
- If you use this ioctl to set a special baud rate, the termios c_cflag will read B4000000; this B4000000 define is reserved for that purpose and does not correspond to a standard baud constant
- If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm

Upgrading the Firmware
1 Introduction
- UC-7400's bios, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
- The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
- Upgrading the firmware will erase all data on the Flash ROM

Upgrading the Firmware
2 Description
- In V1.4.3 or later firmware, UC-7400 adds a new utility "upfirm"
- The utility upfirm is designed for upgrading the firmware (including the boot loader, kernel, mini file system, user file system and configuration)
- If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website

How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
  upramdisk
  cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website (check the file size and, where published, the checksum against the download page before flashing: the utility's own check only confirms the file's internal structure)
Step 3: Use the upfirm command to upgrade the kernel and root file system
  upfirm uc7400-xxx.frm
(See the next slide for the upfirm procedure)

root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file context is OK
This step will destroy all your firmware
Do you want to continue it ? (Y/N) Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 -- 100 % complete
Wait to write file ... Completed 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system

Press any key to reboot the system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot after upgrading the firmware takes a long time.
Setting up the Network Interfaces
IEEE 802.11g

Configure 802.11g Wireless LAN
Step 1: Unplug the CardBus wireless LAN card first
Step 2: Configure the default IP setting profile
root@Moxa# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255

Configure 802.11g Wireless LAN
Step 3: Configure the WLAN parameters
vi /etc/Wireless/RT2500STA/RT2500STA.dat
(from the driver's Readme)
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
This file is a binary file and will be read on loading the rt2500.o module
Use "vi -b RT2500STA.dat" to modify the settings according to your needs
1) set NetworkType to Adhoc for using Adhoc mode, otherwise use Infrastructure
2) set Channel to 0 for auto-select in Infrastructure mode
3) set SSID for connecting to your access point
4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
5) EncrypType can be NONE, WEP, TKIP, AES
For more information refer to the Readme file

Configuring 802.11g Wireless LAN
The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
- CountryRegion: sets the channels for your particular country region
- WirelessMode: sets the wireless mode
- SSID: sets the SSID
- NetworkType: sets the wireless operation mode
- Channel: sets the channel
- AuthMode: sets the authentication mode
- EncrypType: sets the encryption type
- DefaultKeyID: sets the default key ID
- Key1Str, Key2Str, Key3Str, Key4Str: set the strings of Key1 to Key4
- WpaPsk: the WPA pre-shared key
- TxBurst: enables or disables TxBurst
- TurboRate: enables or disables TurboRate
- BGProtection: sets 11b/11g protection (this function is for engineering testing only)
- ShortSlot: enables or disables the short slot time
- TxRate: sets the TxRate
- RTSThreshold: sets the RTS threshold
- FragThreshold: sets the fragment threshold
(Of the AuthMode / EncrypType combinations, OPEN or SHARED with WEP gives no real protection; use WPAPSK with TKIP or AES and a long WpaPsk. The file holds the key in clear, so keep it readable by root only.)
Developing Your Application
Windows Tool Chain

Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB

Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
- Introduction
- Installation procedure
- Using the BASH shell
- GDB debug tool: Insight

Windows Tool Chain
1 Operating system: Windows 2000 or Windows XP
2 Minimum of 500 MB hard disk space
3 CD-ROM or equivalent
4 Ethernet to connect with the UC-7400
5 Be able to log in as administrator
6 Use a Windows username without spaces
7 You will be using a BASH shell window to enter commands
8 In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.

Developing Process
Step 1: Setting up the development environment on the PC (x86)
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC (IXP-422)

Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on a PC with Windows 2K/XP
Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities:
- Moxa Bash Shell
- GDB debug tool: Insight (http://sources.redhat.com/insight)
- This process could take from 5 to 30 minutes depending on the speed of your system

Step 2: Coding, Compiling and Debugging
- Code the C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain, x86)
- Compile / link the source code with the tool chain
  - Compiler path setting: PATH=/usr/local/mxscaleb/bin
  - Compiling Hello.c

Step 3: Deployment
Upload the program to the UC:
  ftp 192.168.3.127
  ftp> binary
  ftp> put hello-release
(FTP sends the login in clear text; on a network you do not control, use scp instead.)
Running the program (at the UC-7400 site):
  chmod +x hello-release
  ./hello-release
  Hello
Debugging with GDB
[Figure: PC (Moxa Bash Shell) <- Ethernet -> UC; 1 compile with -ggdb on the PC, 2 GDB debug server on the UC, 3 Insight tool (GDB client) on the PC, 4 target remote]

Debugging with GDB
(At the UC)
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206

Step 1: PC (Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC
Step 2: UC: start hello-debug under the debug server with gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC (Insight): run the GDB client
- Open the hello-debug file
- Connect to target: GDB Server/TCP, 192.168.3.200, port 2000
(gdbserver accepts a connection from any host and has no authentication, and the connected debugger controls the process; only run it on a lab network.)
iptables Introduction

Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1 Quick View of iptables
- A user-space command to set up / maintain the "Netfilter" subsystem of the kernel
- "Netfilter" manages only the packet headers, not the content
- iptables is currently one of many firewall / NAT solutions; it is the administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel

1 Quick View of iptables
- Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
- Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.

1 Quick View of iptables
- 3rd-generation firewall on Linux:
  - "ipfwadm" on Linux kernel V2.0.x
  - "ipchains" on Linux kernel V2.2.x
  - "ipchains" / "iptables" on Linux kernel V2.4.x
  - "iptables" on Linux kernel V2.6.x
- Supports basic packet filtering as well as connection state tracking
- UC-7110 / 7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Flowchart: a packet is compared against Rule 1, Rule 2, ... Rule 10 in order. The first rule that matches decides (Action 1, Action 2, ... Action 10); if no rule matches, the Default Policy applies.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
The same rules in a different order:
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
With this order, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first.
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain - packets entering the local host
2. OUTPUT chain - packets output from the local host
3. FORWARD chain - packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets: to translate the packet's source field or destination field
1) PREROUTING chain - to translate the dst IP address (DNAT)
2) POSTROUTING chain - works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain - works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Diagram: Incoming Packets -> NAT Table PREROUTING -> Filter Table INPUT -> Local Process]
2-3-2 Source: Local Host
[Diagram: Outgoing Packets -> NAT Table OUTPUT -> Filter Table OUTPUT -> NAT Table POSTROUTING -> Send Out Packets]
2-3-3 Forwarded Packets
[Diagram: Incoming Packets -> NAT Table PREROUTING -> Filter Table FORWARD -> NAT Table POSTROUTING -> Other Hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
Check the Current Tables: iptables [-t tables] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R [direction] [match] -j [target]
3 major things need to be considered: direction, match, target
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --ports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using this exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all the packets incoming from the lo interface
  iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 - Drop all the incoming TCP packets with dst Port = 21 (forbid FTP connections from eth0)
  iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 - Log all the incoming/outgoing TCP packets to/from Port = 25 (log the SMTP service)
  iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
  Note: UC7110 does not support the target "LOG"
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
  iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
  iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
  iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Limit an ICMP "ping" burst
  iptables -t filter -P INPUT DROP
  iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
  iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 - Check the packet integrity
  iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "Passive Mode" FTP service to a host
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
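The first-match rule of slide 2-1 and the stateful rules of Example 12 can be checked offline with a small chain evaluator. This is an added example, not Moxa's or netfilter's code: it models only the matches the slides use (-s, -p, --dport, -m state) and assumes a "WWW request" is TCP to port 80.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass
class Packet:
    """The header fields the slides' matches look at (constructed, not a real packet)."""
    src: str                      # source IP address
    proto: str = "tcp"            # tcp / udp / icmp
    dport: Optional[int] = None   # destination port
    state: str = "NEW"            # conntrack state: NEW / ESTABLISHED / RELATED / INVALID


@dataclass
class Rule:
    """One filter-table rule: match conditions plus a -j target."""
    target: str                              # ACCEPT / DROP / REJECT / LOG
    src: Optional[str] = None                # -s host or network, e.g. "192.168.1.0/24"
    proto: Optional[str] = None              # -p tcp|udp|icmp|all
    dport: Optional[int] = None              # --dport
    states: Optional[FrozenSet[str]] = None  # -m state --state a,b

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto not in (None, "all") and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str) -> str:
    """First match wins: walk the chain top to bottom and return the first
    terminating target that matches; fall through to the chain policy (-P).
    LOG is non-terminating, so a matching LOG rule fires and the walk continues."""
    for rule in chain:
        if rule.matches(pkt):
            if rule.target == "LOG":
                continue
            return rule.target
    return policy


# Slide 2-1: the same three rules in the two orders shown there.
SAFE_ORDER = [
    Rule("DROP", src="192.168.1.100"),       # Rule 1: drop the attacker first
    Rule("ACCEPT", proto="tcp", dport=80),   # Rule 2: accept WWW from everyone
    Rule("DROP"),                            # Rule 3: drop all non-WWW packets
]
WRONG_ORDER = [
    Rule("ACCEPT", proto="tcp", dport=80),   # Rule 1: accept WWW from everyone
    Rule("DROP", src="192.168.1.100"),       # Rule 2: never reached for port 80
    Rule("DROP"),
]

# Slide 4-1, Example 12: stateful rules for the INPUT chain.
STATEFUL = [
    Rule("ACCEPT", proto="tcp", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("DROP", proto="tcp", states=frozenset({"INVALID", "NEW"})),
]


def verdicts(chain: List[Rule], policy: str = "DROP"):
    """Verdicts for three constructed packets: the attacker's WWW request,
    another host's WWW request, and another host's non-WWW (port 22) packet."""
    samples = [
        Packet("192.168.1.100", "tcp", 80),
        Packet("192.168.1.7", "tcp", 80),
        Packet("192.168.1.7", "tcp", 22),
    ]
    return tuple(evaluate(chain, p, policy) for p in samples)


def stateful_verdicts(policy: str = "ACCEPT"):
    """Example 12 applied to a reply packet, a fresh TCP connection attempt, and
    a UDP packet that neither TCP rule matches (it falls to the chain policy)."""
    samples = [
        Packet("10.0.0.5", "tcp", 443, state="ESTABLISHED"),
        Packet("10.0.0.5", "tcp", 22, state="NEW"),
        Packet("10.0.0.5", "udp", 53, state="NEW"),
    ]
    return tuple(evaluate(STATEFUL, p, policy) for p in samples)


if __name__ == "__main__":
    print("safe order :", verdicts(SAFE_ORDER))    # ('DROP', 'ACCEPT', 'DROP')
    print("wrong order:", verdicts(WRONG_ORDER))   # ('ACCEPT', 'ACCEPT', 'DROP')
    print("stateful   :", stateful_verdicts())     # ('ACCEPT', 'DROP', 'ACCEPT')
```

Swapping Rule 1 and Rule 2 changes only the attacker's verdict, which is the point of the 2-1 slide: the DROP for a specific host must come before the broad ACCEPT.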
4-2 NAT Machine - Rules of nat table
Example 1 - Redirect the connection requests of Port 80 to Port 8080
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets incoming from 192.168.1.0/24 to be the local ppp0's IP
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP Port 80 to the internal Web server 192.168.127.10:80
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packet of TCP Port 80 to 192.168.1.10 and TCP Port 80
  iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: (n-1)n/2 keys
DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext with the secret key; the ciphertext travels to Bob, who decrypts it with the same secret key.]
1-3 Hash (Digest) Function
Ensure Data Integrity
MD5/SHA-1
[Diagram: Tom runs the hash function over the data and sends data + message digest 1; Bob runs the same hash function over the received data to get message digest 2 and compares it with message digest 1.]
1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMAC/CBC-MAC
[Diagram: Tom hashes the data to message digest 1 and encrypts it with the secret key to form the MAC, sending data + MAC; Bob decrypts the MAC with the secret key to recover message digest 1, hashes the received data to message digest 2 and compares the two.]
1-5 Asymmetric Encryption
Things to remember
• Key Pair - Public/Private keys
• In a session, one is used for encryption and the other one for decryption
• The "Public Key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear-text and cipher-text
• The two keys are interchangeable. All algorithms make no difference between public and private key. When a key pair is generated, any of the two can be public or private
• Less efficient than Static Key
• RSA/Diffie-Hellman
[Diagram: clear text -> encryption -> cipher text]
1-5 Asymmetric Data Encryption
[Diagram, Confidentiality Check: Tom encrypts the plaintext with Bob's Public Key; Bob decrypts the ciphertext with Bob's Private Key (the recipient's key pair).]
1-5 Asymmetric Data Encryption
[Diagram, Authenticity Check: Tom encrypts the plaintext with Tom's Private Key; Bob decrypts the ciphertext with Tom's Public Key (the sender's key pair).]
1-6 Digital Signature
Real World - Hybrid
1. Data Integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - use the public key and Hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") goes through a one-way message digest function (hash: SHA, MD5), which calculates a short message digest (typically 128 bits) even from a long input; the digest is encrypted asymmetrically (RSA) with the signatory's private key to give the digital signature; the signed document is the message plus the digital signature.]
1-6 Digital Signature - Verifying
[Diagram: from the signed document, the message is hashed to produce a message digest; the digital signature is decrypted asymmetrically with Gianni's public key (from the certificate) to recover the signed digest; the two digests are compared.]
1-6 Digital Signature
[Diagram: Tom hashes the data to message digest 1 and encrypts it with Tom's Private Key to form the digital signature; Bob decrypts the signature with Tom's Public Key to recover message digest 1, hashes the received data to message digest 2 and compares the two.]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is
• Digitally signed by someone trusted (like your friend, or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the CA (Certification Server) generates a key pair (Priv/Pub); the user requests a certificate from the CA; the CA generates the certificate (user Pub + DS); the Private Key and the Certificate are sent to the user. Right Cert signed by CA; Left Cert signed by CA; CA Pub Key signed by CA.]
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA Private Key; Left and Right each hold their own Priv Key, their Cert signed by the CA, and the CA Pub Key; Left and Right trust each other through the CA Pub Key.]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair (Priv/Pub) and the other side's Pub key; clear text is encrypted (Cipher 1, then Cipher 2), transmitted over the public network, and decrypted in reverse (Cipher 2, Cipher 1) back to clear text.]
Ensures confidentiality
• And integrity, if digitally signed
Depending on how public keys are exchanged
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput and rate versus packet size (128 to 1280 bytes, and 16 to 144 bytes) for 3DES-CBC and AES128-CBC; the marked series is the HW Cipher.]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: Hardware approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device File
• mknod /dev/mxcrypto c 11 131
Test Program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the internet) to connect nodes
VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - Supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
• In use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two Authentication Modes
• Static Key: use a pre-shared key
• SSL/TLS: use SSL/TLS + Certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP payload; the HMAC covers IV, SeqN and the payload; SeqN and the payload are encrypted.]
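The keyed integrity check of slide 1-4 and the per-packet sequence number of the format above can be exercised together with Python's hmac module. This is an added example, not OpenVPN's or Moxa's code: the framing (HMAC-SHA256 tag | IV | SeqN | payload), the key and the packets are constructed for this example, and the encryption step over SeqN + payload is left out so that the integrity and anti-replay logic stays in view.

```python
import hashlib
import hmac
import os
import struct

# Assumed framing for this example: HMAC-SHA256 tag | IV | SeqN | payload.
# The tag covers IV, SeqN and payload; encryption is omitted here.
TAG_LEN, IV_LEN, SEQ_LEN = 32, 16, 8


def pack(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: fresh random IV per packet, 64-bit big-endian sequence number,
    then a keyed MAC over everything that follows the tag."""
    iv = os.urandom(IV_LEN)
    body = iv + struct.pack(">Q", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


class Receiver:
    """Receiver side: verify the MAC before looking at anything else, then
    require a strictly increasing sequence number to reject replayed packets."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def unpack(self, packet: bytes) -> bytes:
        if len(packet) < TAG_LEN + IV_LEN + SEQ_LEN:
            raise ValueError("short packet")
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError("bad HMAC")
        (seq,) = struct.unpack(">Q", body[IV_LEN:IV_LEN + SEQ_LEN])
        if seq <= self.last_seq:
            raise ValueError("replay")
        self.last_seq = seq
        return body[IV_LEN + SEQ_LEN:]


def plain_digest_check(data: bytes, digest: bytes) -> bool:
    """Slide 1-3: an unkeyed digest sent alongside the data."""
    return hashlib.sha256(data).digest() == digest


def flip_last_byte(packet: bytes) -> bytes:
    """Constructed transmission error / modification: flip one payload bit."""
    buf = bytearray(packet)
    buf[-1] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    """Run the checks over constructed packets and report what happened."""
    key = b"constructed-shared-key-for-this-example"
    rx = Receiver(key)
    out = {}
    p1, p2 = pack(key, 1, b"hello"), pack(key, 2, b"world")
    out["p1"] = rx.unpack(p1)
    out["p2"] = rx.unpack(p2)
    for name, pkt in (("replay", p1), ("tamper", flip_last_byte(pack(key, 3, b"abc")))):
        try:
            rx.unpack(pkt)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    # Slide 1-3 vs 1-4: whoever alters the data can recompute an unkeyed digest,
    # so that check still passes; the keyed MAC above cannot be recomputed
    # without the key, which is why 1-4 adds one.
    altered = b"hello!"
    out["plain_digest_passes_after_alteration"] = plain_digest_check(
        altered, hashlib.sha256(altered).digest())
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```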
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• portability across operating systems
• firewall- and NAT-friendly
• dynamic address support
IPSec
• Kernel-space IP stack
• each operating system requires its own independent implementation of IPSec
• IETF Standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic Firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Diagram: the OSI stacks of both peers (Physical ... Application); OpenVPN sits at the application layer and the TUN device at the network layer (3rd).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP Disadvantages
1. Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0        # create an ethernet bridge
brctl addif br0 eth1   # connect interface eth1 as a port
brctl addif br0 tap0   # connect virtual interface tap0 as a port
[Diagram: the OSI stacks of both peers; OpenVPN at the application layer, TAP at the data-link layer (2nd); on each side eth1 and tap0 are bridged, while eth0 carries the tunnel.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point to Point, point to multi-point
2. Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than Routing, and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X509 Dynamic Keys
3-1 Getting Started
[Network diagram: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201; LAN B (IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN Client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202; the client connects to the server through the VPN tunnel; a CA/TLS Server is also shown.]
3-1 Getting Started
Create a Working Directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self Diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP Forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
Create/Start the Bridge Interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the Ciphers/Authentication Support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN Configuration Files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
Local/Remote VPN IP addresses must be specified
It is NECESSARY to specify the Server Address at the VPN Client
3-2 TUN Server Configuration
Edit the Static Routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
2nd argument of "ifconfig", which is now "10.0.2.254"
Create the TAP Configuration Files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
Edit the Static Routings: vi /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to the Kernel Routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the Bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
Create a New CA root Key Pair: /usr/share/ssl/misc/CA -newca
Create a New Client Private Key and a new Certificate Request: /usr/share/ssl/misc/CA -newreq
Certificate Signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN - "easy-rsa" tools
Copy the "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN Server Private Key and Certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN Client Private Key and Certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman Parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), Server key (server.key) and Server certificate (server.crt) to the VPN Server
Copy the CA certificate, Client key and certificate to the VPN Client
"easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a Power Meter and a Thermocouple
Two LAN ports plus an optional Wi-Fi function, making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature Range: 0 to 500°C
Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1: Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2: System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3: Alarm Setting: Temperature → Voltage → burning throughput
F4: Configuration Key
F5: Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
UC-7400 V1.5 Firmware
New Feature Introduction
• WatchDog support
• Support Cron function on system
• UART and special baud rate support
• System Image Backup utility "upfirm"
• 802.11g wireless card support
• Support tool chain on Windows platform, including GCC, Glibc and Insight (GDB debug tool)
• iptables support
• OpenVPN support
Watch Dog Timer (WDT)
1. Introduction
The WDT works like a watch dog function. You can enable it or disable it. When the user enables the WDT but the application does not acknowledge it, the system will reboot. You can set the ack time from a minimum of 50 msec to a maximum of 60 seconds.
2. How the WDT works
The WatchDog is enabled when the system boots up. The kernel will auto-ack it. The user application can also enable ack. When the user does not ack, it will let the system reboot.
3. The user API
The user application must include <moxadevice.h> and link moxalib.a
Crontab
1. Introduction: Daemon to Execute Scheduled Commands
2. Description
• Start Cron from the directory /etc/rc.d/rc.local
• Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
m (Minute)  h (Hour)  dom (Date)  mon (Month)  dow (Week)         user  command
0-59        0-23      1-31        1-12         0-6 (0 is Sunday)
3. Example
• How to add ntpdate (synchronize time) in Cron
• Every day at 5:10 the system will synchronize the time from the NTP Server (192.168.0.1)
vi /etc/cron.d/crontab
# m h dom mon dow user command
10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
UART and special baud rate support
1. Introduction
• The normal tty device node is located at /dev/ttyM0 ... ttyM7, and the modem tty device node is located at /dev/cum0 ... cum7
• UC-7400 supports Linux standard termios control
• Moxa UART Device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2. The Function
You must include <moxadevice.h>
#define RS232_MODE 0
#define RS485_2WIRE_MODE 1
#define RS422_MODE 2
#define RS485_4WIRE_MODE 3
Function
• MOXA_SET_OP_MODE
• MOXA_GET_OP_MODE
UART and special baud rate support
3. Special baud rate support
• There are two Moxa private ioctl commands for setting up special baud rates
Function
• MOXA_SET_SPECIAL_BAUD_RATE
• MOXA_GET_SPECIAL_BAUD_RATE
• If you use this ioctl to set a special baud rate, the termios cflag will be B4000000, in which case the B4000000 define will be different
• If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: Upfirm
Upgrading the Firmware
1. Introduction
UC-7400's bios, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM
Upgrading the Firmware
2. Description
• In V1.43 or later firmware, UC-7400 adds a new utility "upfirm"
• The utility upfirm is designed for upgrading the firmware (including the boot-loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.43, you can find the utility on the Moxa Website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
  upramdisk
  cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
  upfirm uc7400-xxx.frm
(Reference the next slide to see the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-15.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it (Y/N) Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 - 100% complete
Wait to write file Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot system
Note: DO NOT power off the UC until the Ready LED is ON again. It will take much time for the first boot-up after upgrading the firmware.
Setting up the Network Interfaces
IEEE 802.11g

Configure 802.11g Wireless LAN
Step 1: Unplug the CardBus Wireless LAN card first.
Step 2: Configure the default IP setting profile:
  vi /etc/network/interfaces

root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255

Step 3: Configure the WLAN parameters:
  vi /etc/Wireless/RT2500STA/RT2500STA.dat

# Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
# This file is a binary file and will be read on loading the rt2500.o module
# Use "vi -b RT2500STA.dat" to modify settings according to your need
# 1) set NetworkType to Adhoc for using Adhoc mode, otherwise use Infrastructure
# 2) set Channel to 0 for auto-select in Infrastructure mode
# 3) set SSID for connecting to your Access Point
# 4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
# 5) EncrypType can be NONE, WEP, TKIP, AES
# for more information, refer to the Readme file

Configuring 802.11g Wireless LAN
The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
  CountryRegion   Sets the channels for your particular country region
  WirelessMode    Sets the wireless mode
  SSID            Sets the softAP SSID
  NetworkType     Sets the wireless operation mode
  Channel         Sets the channel
  AuthMode        Sets the authentication mode
  EncrypType      Sets the encryption type
  DefaultKeyID    Sets the default key ID
  Key1Str, Key2Str, Key3Str, Key4Str   Sets the strings Key1 to Key4
  WpaPsk          WPA pre-shared key
  TxBurst         Enables or disables TxBurst
  TurboRate       Enables or disables TurboRate
  BGProtection    Sets 11b/11g protection (this function is for engineering testing only)
  ShortSlot       Enables or disables the short slot time
  TxRate          Sets the TxRate
  RTSThreshold    Sets the RTS threshold
  FragThreshold   Sets the fragment threshold
Developing Your Application
Windows Tool Chain

Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB

Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
- Introduction
- Installation Procedure
- Using the BASH Shell
- GDB debug tool: Insight

Windows Tool Chain
1. Operating System: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
(PC: x86 → UC: IXP-422)

Step 1: Setting up the Developing Environment
- Install the Windows Tool Chain on the PC (Windows 2K/XP).
- Installation tips:
  - Default install path: C:\UC
  - Default text file type: Unix (recommended)
- Utilities:
  - Moxa Bash Shell
  - GDB debug tool: Insight (http://sources.redhat.com/insight/)
- This process could take from 5 to 30 minutes, depending on the speed of your system.

Step 2: Coding, Compiling and Debugging
- Code the C/C++ program on the Moxa Bash Shell (PC, Windows Tool Chain).
- Compile/link the source code with the tool chain:
  - Compiler path setting: PATH=/usr/local/mxscaleb/bin
  - Compiling Hello.c

Step 3: Deployment
- Upload the program to the UC:
  ftp 192.168.3.127
  ftp> binary
  ftp> put hello-release
- Running the program (at the UC-7400 site):
  chmod +x hello-release
  ./hello-release
  Hello
Debugging with GDB
(Diagram: PC Moxa Bash Shell: 1. compile with -ggdb, 3. Insight tool (GDB client), 4. target remote; UC: 2. GDB debug server; PC and UC connected over Ethernet.)

chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206

Step 1: PC (Moxa Bash Shell): Compile the program with the -ggdb option, then upload it to the UC.
Step 2: UC: Call hello-debug with the command
  gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC (Insight): Run the GDB client
- Open the hello-debug file
- Connect to target:
  - GDB Server/TCP
  - 192.168.3.200
  - 2000
iptables Introduction

Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1. Quick View of iptables
- A user-space command to set up/maintain the "Netfilter" subsystem of the kernel.
- "Netfilter" manages only the packet headers, not the content.
- iptables is currently one of many firewall/NAT solutions; it is an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
- Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
- Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
- 3rd generation firewall on Linux:
  - "ipfwadm" on Linux kernel V2.0.X
  - "ipchains" on Linux kernel V2.2.X
  - "ipchains" / "iptables" on Linux kernel V2.4.X
  - "iptables" on Linux kernel V2.6.X
- Supports basic packet filtering as well as connection state tracking.
- UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine

2-1 First Match: The Highest Priority
(Diagram: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches decides the action (Action 1, Action 2, ... Action 10); if no rule matches, the default policy applies.)

2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
  Rule 1: Drop the packets from 192.168.1.100
  Rule 2: Accept WWW request packets from all the hosts
  Rule 3: Drop all the non-WWW packets
With the order
  Rule 1: Accept WWW request packets from all the hosts
  Rule 2: Drop the packets from 192.168.1.100
  Rule 3: Drop all the non-WWW packets
192.168.1.100 is able to use the WWW service, or to attack the WWW service port.
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table

2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets, look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain: packets entering the local host
2. OUTPUT chain: packets output from the local host
3. FORWARD chain: packets forwarded to other hosts

2-2-2 NAT Table
Used for NAT on different packets, to translate the packets' source field or destination field.
1) PREROUTING chain: to translate the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: works on locally generated packets

2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine

2-3-1 Destination: Local Host
(Diagram: Incoming Packets → NAT table PREROUTING → Filter table INPUT → Local Process)

2-3-2 Source: Local Host
(Diagram: Outgoing Packets → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Send Out Packets)

2-3-3 Forwarded Packets
(Diagram: Incoming Packets → NAT table PREROUTING → Filter table FORWARD → NAT table POSTROUTING → Other Hosts; the Local Resource is not involved)

2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules

3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.

3-1 Load iptables Module
Check the current tables:
  iptables [-t table] [-L] [-n]
(Screenshot callout: Default Policy)

3-1 Install iptables
(Screenshot callout: Clear Current Policy)

3-2 Define Default Policy
  iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace
  iptables -t filter|nat|mangle -A|-I|-D|-R <direction> <match> -j <target>
3 major things need to be considered: direction, match and target.

3-3-2 Direction: Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...

3-3-3 Matches: Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.

3-3-4 Targets: Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...

3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using this exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine

4-1 Packet Filter: Rules of the filter table
Example 1: Accept all the packets incoming from the lo interface
  iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2: Accept all the TCP packets incoming from IP = 192.168.0.1
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3: Accept all the TCP packets incoming from the network 192.168.1.0/24
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4: Drop all the TCP packets incoming from IP = 192.168.1.25
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5: Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
  iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7: Log all the incoming/outgoing TCP packets to/from port = 25 (log SMTP service)
  iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
  Note: UC-7110 does not support the target "LOG".
Example 8: Drop all the [syn] packets from IP = 192.168.100.200
  iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9: Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
  iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10: Do not respond to "ping"
  iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: ICMP "ping" burst
  iptables -t filter -P INPUT DROP
  iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12: Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections
  iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13: Check the packet integrity
  iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14: Enable the "Passive Mode" FTP service to a host
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT

4-2 NAT Machine
Example 1: Redirect the connection requests of port 80 to port 8080
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: Masquerade the incoming packets from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE is a POSTROUTING target)
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3: DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4: Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
  iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
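Section 3-4 recommends keeping the Netfilter rules in a script rather than in the exported file, and 2-1 shows why rule order matters. The script below is an added example (not Moxa's code) that combines the 4-1 filter rules and the 4-2 NAT rules for a UC-7400 acting as a LAN gateway; the interface names, the LAN 192.168.127.0/24, OUT_IP, WEB_SRV and BAD_HOST are assumed values, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not Moxa's script): a maintainable firewall script for a
# UC-7400 acting as gateway, built from the 4-1 filter and 4-2 NAT rules.
# Assumed values: eth0 is the public side, eth1 the LAN 192.168.127.0/24,
# OUT_IP the public address, WEB_SRV the published web server and
# BAD_HOST the host that must be rejected before any generic ACCEPT.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.127.0/24}
OUT_IP=${OUT_IP:-60.248.66.75}
WEB_SRV=${WEB_SRV:-192.168.127.10}
BAD_HOST=${BAD_HOST:-192.168.1.100}

# ipt: run iptables, or only print the command when DRY_RUN=1 so the
# rule order can be reviewed before it is applied.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_modules() {
    # state match and the passive-mode FTP helper (4-1 example 14)
    for m in ip_conntrack ip_conntrack_ftp iptable_nat; do
        if [ "${DRY_RUN:-0}" = "1" ]; then echo "modprobe $m"; else modprobe "$m"; fi
    done
}

filter_rules() {
    # Start from a flushed table with a closed default policy (3-2).
    ipt -t filter -F
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT ACCEPT
    # First match wins (2-1): the host-specific DROP must precede the
    # generic web ACCEPT, otherwise BAD_HOST would be accepted by it.
    ipt -t filter -A INPUT -i "$WAN_IF" -s "$BAD_HOST" -j DROP
    ipt -t filter -A INPUT -i lo -j ACCEPT
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -m state --state INVALID -j DROP
    ipt -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    ipt -t filter -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # rate-limited ping replies instead of a plain DROP (example 11)
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # log (rate-limited) what is about to hit the default DROP
    ipt -t filter -A INPUT -i "$WAN_IF" -p tcp --syn -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
    # Forwarding: LAN-initiated traffic, its replies, the RELATED data
    # channel of passive FTP (example 14), and the published web server.
    ipt -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SRV" --dport 80 -j ACCEPT
}

nat_rules() {
    ipt -t nat -F
    # publish the internal web server (4-2 example 3)
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 -j DNAT --to "$WEB_SRV:80"
    # hide the LAN behind the public address (4-2 example 4); use
    # MASQUERADE instead when the public address is dynamic (ppp0)
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to "$OUT_IP"
}

apply_firewall() {
    load_modules
    filter_rules
    nat_rules
}

# dry_run: print every command the script would issue, in order
dry_run() { ( DRY_RUN=1; apply_firewall ); }
# rule_count: number of iptables commands issued (18 for these defaults)
rule_count() { dry_run | grep -c '^iptables '; }
# bad_host_before_web: succeeds if the DROP for BAD_HOST precedes the web ACCEPT
bad_host_before_web() {
    drop=$(dry_run | grep -n -- "-s $BAD_HOST -j DROP" | cut -d: -f1 | head -n 1)
    web=$(dry_run | grep -n -- "--dport 80 -j ACCEPT" | cut -d: -f1 | head -n 1)
    [ -n "$drop" ] && [ -n "$web" ] && [ "$drop" -lt "$web" ]
}

case "${1:-}" in
    apply) apply_firewall ;;
    dry)   dry_run ;;
esac
```

Run it as `sh firewall.sh dry` to review the ordered rule list and `sh firewall.sh apply` to load it on the UC.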
Thank You

OpenVPN 2.0
Stephen Lin

OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
Integrity
- Ensure that the message has not been modified during the transmission.
Authenticity
- You can verify that you are talking to the entity you think you are talking to.
- You can verify who is the specific individual behind that entity.
Non-repudiation
- The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
- Fast; high efficiency for data transmission
- Is it "secure" while transferring the key?
- Maintenance of the keys: n(n-1)/2 keys for n parties
- DES, 3DES, AES, Blowfish
(Diagram: Tom encrypts the plaintext with the secret key to produce the ciphertext; Bob decrypts the ciphertext with the same secret key to recover the plaintext.)
1-3 Hash (Digest) Function
- Ensures data integrity
- MD5, SHA-1
(Diagram: Tom computes Message Digest 1 from the data with the hash function and sends data + digest; Bob applies the same hash function to the received data to get Message Digest 2 and compares it with Message Digest 1.)

1-4 Message Authentication Code
- Ensures data integrity
- Uses a key to protect the MAC
- HMAC, CBC-MAC
(Diagram: Tom hashes the data to Message Digest 1 and encrypts it with the secret key to form the MAC, sending MAC + data; Bob decrypts the MAC with the secret key to recover Message Digest 1, hashes the received data to Message Digest 2 and compares the two.)
1-5 Asymmetric Encryption
Things to remember:
- Key pair: public/private keys
- In a session, one is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
- The two keys are interchangeable. All algorithms make no difference between public and private key. When a key pair is generated, any of the two can be public or private
- Less efficient than a static key
- RSA, Diffie-Hellman
(Diagram: clear text → encryption → cipher text.)

1-5 Asymmetric Data Encryption
(Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair: confidentiality check.)

1-5 Asymmetric Data Encryption
(Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair: authenticity check.)
1-6 Digital Signature
Real world: hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: uses the public key and a hash

1-6 Digital Signature: Creating
(Diagram: from the message or file "This is the document created by Gianni", generate a hash (SHA, MD5) to calculate a short message digest from even a long input using a one-way message digest function (typically 128 bits); encrypt the digest asymmetrically (RSA) with the signatory's private key to obtain the digital signature; the signed document is the message plus the digital signature.)

1-6 Digital Signature: Verifying
(Diagram: from the signed document, generate the hash of the message to obtain the message digest; decrypt the digital signature asymmetrically with Gianni's public key (from the certificate) to recover the original digest; compare the two.)

1-6 Digital Signature
(Diagram: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to form the digital signature, sending data + signature; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1 and compares the two.)
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key ("This public key belongs to Stephen"; the entity can be a person, a computer, a device, a file, some code, anything ...)
... and the whole is
- Digitally signed by someone trusted (like your friend or a CA)
(Diagram: certificate = public key + owner information + digital signature.)

1-7-1 CA Certificate
(Diagram: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user.)

1-7-1 CA Certificate Example
(Diagram: the CA holds the CA private key; Left and Right each hold their own private key, the CA public key and their certificate signed by the CA; each side trusts the other side's certificate because it is signed by the CA, whose own public key is signed by the CA.)
1-7-2 SSL/TLS
(Diagram: each side holds a private/public key pair; the clear text is encrypted (Cipher 1, Cipher 2), transmitted over the public network and decrypted back to clear text with the exchanged public keys.)
- Ensures confidentiality
- And integrity, if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400: Hardware Cipher
- Intel XScale supports:
  - Security engines: DES, AES
  - Algorithm modes: ECB, CBC, CTR
- Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
  - No need to change the source code

1-8-1 Moxa Accelerated Algorithms: OpenSSL 0.9.7
- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too.
1-8-2 Performance
(Charts: 3DES-CBC and AES128-CBC throughput rate versus packet size, for 128 to 1280 bytes and for 16 to 144 bytes, software cipher compared with the HW cipher.)
1-8-3 Things to be noticed
- Moxa UC-7400 switches the operations between the software and the hardware approaches:
  - Default: hardware approach
  - Any mis-configuration or busy condition causes the switch
- Small packets are switched to the software approach:
  - DES: 128 bytes
  - 3DES/AES: 64 bytes

1-8-4 Software Package
- Driver: mxhw_cipher.o
- Device file: mknod /dev/mxcrypto c 11 131
- Test program:
  - io: correctness test
  - io 0 5000: stability test
  - io 1: golden pattern
  - io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes

2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
- VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
- A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.).
- A VPN allows the usage of protocols which are insecure by themselves.
- VPNs cannot be controlled and logged easily because of their encrypted nature.

2-2 Why OpenVPN
Usability
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most of the platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later

2-2 Why OpenVPN
- Peers: each node with a client/server role
  - In use of kernel routing
  - Multiple clients
- A user-space program
  - A full-featured SSL-VPN solution
  - On top of the existing SSL/TLS mechanism
  - Options between a set of security algorithms
  - Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
- Static key: uses a pre-shared key
- SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number
- IV: plain-text initial vector, randomized per packet
- Layout: HMAC | IV | SeqN | IP payload; the SeqN and the IP payload are encrypted, and the HMAC is computed over the IV and the encrypted part

2-2 OpenVPN vs IPSec
OpenVPN
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard: multi-vendor support
2-3 OpenVPN Modes
- Bridging and routing are the two methods of linking systems via a VPN:
  - Routed IP tunnels (layer 3)
  - Bridged Ethernet tunnels (layer 2)
- Suitable for connections:
  - Site-to-site
  - Dynamic site-to-site
  - (Dynamic) client-to-site
- Dynamic firewall/NAT/DHCP friendly

2-3-1 Routed IP Tunnels (TUN Mode)
- Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
- Uses the kernel routing to forward the packets
(Diagram: the OSI stacks of both ends, Physical to Application; OpenVPN runs at the application layer and feeds the TUN device at the network layer (3rd).)

2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
- Bridge tools (brctl) are required to create the virtual adapters
- Need to create a script to bind eth1 and tap0 together into a bridged device called br0

2-3-2 Bridged Ethernet Mode (TAP Mode)
  brctl addbr br0          # create an Ethernet bridge
  brctl addif br0 eth1     # connect interface eth1 as a port
  brctl addif br0 tap0     # connect virtual interface tap0 as a port
(Diagram: the OSI stacks of both ends; OpenVPN at the application layer feeds the TAP device at the data-link layer (2nd), which is bridged with eth1 into br0, while eth0 carries the tunnel traffic.)

2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X509 Dynamic Keys

3-1 Getting Started
(Topology: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201; LAN B (IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202; the client connects to the server through the VPN tunnel; a CA/TLS server is placed beside the VPN server.)
3-1 Getting Started
- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
- Self diagnostic: openvpn --test-crypto --secret [KeyName]

3-1 Getting Started
- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
- Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
- Check the ciphers/authentication support: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tun/server.conf; [At VPN Client] vi /etc/openvpn/tun/client.conf
3-2 TUN Server Configuration
- The local/remote VPN IP addresses must be specified.
- It is NECESSARY to specify the server address at the VPN client.

3-2 TUN Server Configuration
- Edit the static routings: vi /etc/openvpn/tun/server.sh; chmod +x /etc/openvpn/tun/server.sh
- [At VPN Client] vi /etc/openvpn/tun/client.sh; chmod +x /etc/openvpn/tun/client.sh
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun/server.conf &; openvpn --config /etc/openvpn/tun/client.conf &
- (Callout on the configuration file: the 2nd argument of "ifconfig", which is now "10.0.2.254".)
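The TUN server and client configuration files themselves are not reproduced above. As an added example (not Moxa's files), the script below writes a static-key pair of them, plus the static-routing "up" scripts of this slide, for the 3-1 topology; the gateway and LAN addresses are the ones on the slide, while the tunnel endpoints 10.8.0.1/10.8.0.2 and the key file name are assumptions. The point of the callout is visible in the two ifconfig lines: the client lists the same pair of addresses with the 2nd argument being its peer.

```shell
#!/bin/sh
# Added example (not Moxa's files): generate the static-key TUN
# configuration pair for the 3-1 topology. Addresses of the two gateways
# and LANs are the ones on the slide; the tunnel endpoints 10.8.0.1/10.8.0.2
# and the key file created with "openvpn --genkey --secret" are assumptions.
SERVER_PUB=192.168.12.201          # VPN server, ixp0
LAN_A=10.0.1.0                     # behind the server (gw 10.0.1.254)
LAN_B=10.0.2.0                     # behind the client (gw 10.0.2.254)
TUN_SRV=10.8.0.1                   # assumed tunnel endpoint, server side
TUN_CLI=10.8.0.2                   # assumed tunnel endpoint, client side
KEY=/etc/openvpn/static.key
PORT=1194

# directives common to both ends
common_conf() {
    cat <<EOF
dev tun
proto udp
port $PORT
secret $KEY
cipher AES-128-CBC
auth SHA1
ping 10
ping-restart 60
persist-key
persist-tun
verb 3
EOF
}

server_conf() {
    common_conf
    echo "ifconfig $TUN_SRV $TUN_CLI"    # 1st argument: local, 2nd: remote
    echo "up /etc/openvpn/tun/server.sh"
}

client_conf() {
    common_conf
    echo "remote $SERVER_PUB"             # the client must name the server
    echo "ifconfig $TUN_CLI $TUN_SRV"    # same pair, swapped: 2nd is the peer
    echo "up /etc/openvpn/tun/client.sh"
}

# "up" script (the static-routing script of 3-2): OpenVPN passes the tun
# device name as $1; route the other site's LAN through it.
up_script() {
    cat <<EOF
#!/bin/sh
route add -net $1 netmask 255.255.255.0 dev \$1
EOF
}

write_configs() {
    dir=${1:-/etc/openvpn/tun}
    mkdir -p "$dir"
    server_conf > "$dir/server.conf"
    client_conf > "$dir/client.conf"
    up_script "$LAN_B" > "$dir/server.sh"
    up_script "$LAN_A" > "$dir/client.sh"
    chmod +x "$dir/server.sh" "$dir/client.sh"
}

# consistency check: each side's remote endpoint must be the other's local one
peer_of() { grep '^ifconfig ' | awk '{print $3}'; }
check_pair() {
    [ "$(server_conf | peer_of)" = "$TUN_CLI" ] &&
    [ "$(client_conf | peer_of)" = "$TUN_SRV" ]
}

case "${1:-}" in
    write) write_configs "${2:-/etc/openvpn/tun}" ;;
esac
```

Run `sh gen-tun.sh write` on each UC (the same static.key must already be on both), then start OpenVPN with the generated file as the slide shows.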
3-3 TAP Configuration
- Create the TAP configuration files: vi /etc/openvpn/tap/server.conf; [At VPN Client] vi /etc/openvpn/tap/client.conf

3-3 TAP Configuration: VPN Server
- (Callout: mark this line if both VPN networks are in the same subnet.)

3-3 TAP Configuration: VPN Server
- Edit the static routings: vi /etc/openvpn/tap/server.sh
- [At VPN Client] vi /etc/openvpn/tap/client.sh; chmod +x /etc/openvpn/tap/client.sh
- (Callout: pointed to the kernel routing: br0 = 10.0.1.254.)

3-3 TAP Configuration: VPN Server
- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap/server.conf &; openvpn --config /etc/openvpn/tap/client.conf &
3-4-1 SSL/TLS: Dynamic Keys
- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits, ... etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
- Certificate signing: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client.
- Have the second client certificated in the same way.

3-4-2 OpenVPN "easy-rsa" tools
- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars
- Activate the vars (source the file): . /etc/openvpn/easy-rsa/vars
- Create the CA root key: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
- Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server.
- Copy the CA certificate, the client key and the client certificate to the VPN client.
- The "easy-rsa" tools also work on the UC7400 series.

3-4-3 Configuration File Modification
- txx/server.conf
- txx/client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo

UC-7420 DEMO BOX
- Two of its serial ports are connected to a power meter and a thermocouple.
- Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
- The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability.

Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC

UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN IP → Wi-Fi IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration key
F5 Main menu

Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix

What is the wireless PCMCIA card support status in 802.11g?
- UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card.
- The compatible wireless cards are:

Supplier | Model name
ASUS | WL-107g
CNET | CWC-854 (181D version)
Edimax | EW-7108PCg
Amigo | AWP-914WG
Gigabyte | GN-WMKG
Others | cards that use the Ralink chipset

Thank You
Watch Dog Timer (WDT)
1. Introduction
The WDT works like a watchdog function. You can enable it or disable it. When the user enables the WDT but the application does not acknowledge it, the system will reboot. You can set the ack time from a minimum of 50 msec to a maximum of 60 seconds.
2. How the WDT works
The sWatchDog is enabled when the system boots up. The kernel will auto-ack it. The user application can also enable ack; when the user then does not ack, the system will reboot.
3. The user API
The user application must include <moxadevice.h> and link moxalib.a.
Crontab
1. Introduction: a daemon to execute scheduled commands
2. Description
- Start cron from the directory /etc/rc.d/rc.local
- Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:

Field | m (Minute) | h (Hour) | dom (Date) | mon (Month) | dow (Week) | user | command
Range | 0-59 | 0-23 | 1-31 | 1-12 | 0-6 (0 is Sunday) | |

3. Example
- How to add ntpdate (synchronize time) in cron
- Every day at 5:10 the system will synchronize the time from the NTP server (192.168.0.1)

vi /etc/cron.d/crontab
# m h dom mon dow user command
10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
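An added example (not from the slides) that installs the ntpdate job above into a cron.d-style file without duplicating it and validates the five time fields first; the file path is a parameter so the function can be tried on a temporary file before /etc/cron.d/crontab is touched.

```shell
#!/bin/sh
# Added example, not from the slides: install the ntpdate job from the
# Crontab slide into a cron.d-style file exactly once, after checking the
# five time fields. The target file is a parameter so the function can be
# exercised on a temporary file.
set -eu

# cron_field_ok <value> <min> <max>: accepts "*" or an integer within range.
cron_field_ok() {
    v=$1; lo=$2; hi=$3
    if [ "$v" = '*' ]; then return 0; fi
    case "$v" in
        ''|*[!0-9]*) return 1 ;;        # not a plain number
    esac
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# cron_entry_ok "<m> <h> <dom> <mon> <dow> <user> <command...>"
cron_entry_ok() {
    set -f                  # no pathname expansion while "*" fields are split
    set -- $1
    set +f
    [ $# -ge 7 ] || return 1
    cron_field_ok "$1" 0 59 && cron_field_ok "$2" 0 23 &&
    cron_field_ok "$3" 1 31 && cron_field_ok "$4" 1 12 &&
    cron_field_ok "$5" 0 6
}

# add_cron_entry <crontab-file> "<entry>": append the entry once;
# returns 1 (and writes nothing) when the entry does not validate.
add_cron_entry() {
    file=$1; entry=$2
    cron_entry_ok "$entry" || return 1
    touch "$file"
    if ! grep -Fxq -- "$entry" "$file"; then
        printf '%s\n' "$entry" >> "$file"
    fi
}

# The slide's job: every day at 05:10 sync from the NTP server 192.168.0.1
# and write the result to the hardware clock.
NTP_JOB='10 5 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w'

# "sh cronjob.sh install" on the UC; with no argument only the functions are defined.
case "${1:-}" in
    install) add_cron_entry /etc/cron.d/crontab "$NTP_JOB" ;;
esac
```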
UART and special baud rate support
1. Introduction
- The normal tty device nodes are located at /dev/ttyM0 ... ttyM7, and the modem tty device nodes are located at /dev/cum0 ... cum7.
- UC-7400 supports Linux standard termios control.
- The Moxa UART Device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 or 4-wire RS-485.
2. The Function
You must include <moxadevice.h>:
#define RS232_MODE 0
#define RS485_2WIRE_MODE 1
#define RS422_MODE 2
#define RS485_4WIRE_MODE 3
Functions: MOXA_SET_OP_MODE, MOXA_GET_OP_MODE

UART and special baud rate support
3. Special baud rate support
- There are two Moxa private ioctl commands for setting up special baud rates.
Functions: MOXA_SET_SPECIAL_BAUD_RATE, MOXA_GET_SPECIAL_BAUD_RATE
- If you use this ioctl to set a special baud rate, the termios cflag will be B4000000, in which case the B4000000 define will be different.
- If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate.
Upgrading the Firmware
New utility: upfirm

1. Introduction
- UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com).
- The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version.
ATTENTION: Upgrading the firmware will erase all data on the Flash ROM.

2. Description
- In V1.4.3 or later firmware, UC-7400 adds a new utility, "upfirm".
- The utility upfirm is designed for upgrading the firmware (including boot loader, kernel, mini file system, user file system and configuration).
- If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website.

How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk:
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website.
Step 3: Use the upfirm command to upgrade the kernel and root file system:
upfirm uc7400-xxx.frm
(Refer to the next slide for the upfirm procedure.)

root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context ...
The source firmware file conext is OK
This step will destroy all your firmware.
Do you want to continue it? (Y/N): Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 -- 100% complete.
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system

Press any key to reboot the system.
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot-up after upgrading the firmware takes much longer than a normal boot.
Setting up the Network Interfaces
IEEE 802.11g

Configure 802.11g Wireless LAN
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus Wireless LAN card first.
Step 2: Configure the default IP setting profile:
vi /etc/network/interfaces

Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat. This file is a binary file and will be read when the rt2500.o module is loaded. Use "vi -b RT2500STA.dat" to modify the settings according to your needs:
1) Set NetworkType to Adhoc for using Adhoc mode, otherwise use Infrastructure.
2) Set Channel to 0 for auto-select in Infrastructure mode.
3) Set SSID for connecting to your access point.
4) AuthMode can be OPEN, SHARED, WPAPSK or WPANONE.
5) EncrypType can be NONE, WEP, TKIP or AES.
For more information refer to the Readme file.
Step 3: Configure the WLAN parameters:
vi /etc/Wireless/RT2500STA/RT2500STA.dat

Configuring 802.11g Wireless LAN
- The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: sets the channels for your particular country region
WirelessMode: sets the wireless mode
SSID: sets the softAP SSID
NetworkType: sets the wireless operation mode
Channel: sets the channel
AuthMode: sets the authentication mode
EncrypType: sets the encryption type
DefaultKeyID: sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: set strings Key1 to Key4
WpaPsk: the WPA pre-shared key
TxBurst: enables or disables TxBurst
TurboRate: enables or disables TurboRate
BGProtection: sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: enables or disables the short slot time
TxRate: sets the TxRate
RTSThreshold: sets the RTS threshold
FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain

Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB

Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
- Introduction
- Installation procedure
- Using the BASH shell
- GDB debug tool: Insight

Windows Tool Chain
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.

Developing Process
Step 1: Setting up the development environment on the PC (x86)
Step 2: Coding, compiling and debugging on the Windows Tool Chain (x86)
Step 3: Deploying the program to the UC (IXP-422)

Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP).
Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (Recommended)
Utilities:
- Moxa Bash Shell
- GDB debug tool: Insight (http://sources.redhat.com/insight/)
- This process could take from 5 to 30 minutes, depending on the speed of your system.

Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC, Windows Tool Chain).
Compile/link the source code with the tool chain:
- Compiler path setting: PATH=/usr/local/mxscaleb/bin
- Compiling Hello.c

Step 3: Deployment
Upload the program to the UC:
- ftp 192.168.3.127
- ftp> binary
- ftp> put hello-release
Running the program (at the UC-7400 side):
- chmod +x hello-release
- ./hello-release
Hello

Debugging with GDB
[Diagram: PC (Moxa Bash Shell) and UC connected over Ethernet. 1. Compile with -ggdb on the PC; 2. GDB debug server on the UC; 3. Insight tool (GDB client) on the PC; 4. target remote.]
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1: PC, Moxa Bash Shell: compile the program with the -ggdb option, then upload it to the UC.
Step 2: UC: call hello-debug with the command
gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC, Insight: run the GDB client
- Open the hello-debug file
- Connect to target: GDB Server/TCP, 192.168.3.200, port 2000
iptables Introduction

Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1. Quick View of iptables
- A user-space command to set up and maintain the "Netfilter" subsystem of the kernel.
- "Netfilter" manages only the packet headers, not the content.
- iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
- Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
- Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
- 3rd generation firewall on Linux:
  - "ipfwadm" on Linux kernel V2.0.X
  - "ipchains" on Linux kernel V2.2.X
  - "ipchains" / "iptables" on Linux kernel V2.4.X
  - "iptables" on Linux kernel V2.6.X
- Supports basic packet filtering as well as connection state tracking.
- UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine

2-1 First Match - The Highest Priority
[Diagram: incoming packets are tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches ("Yes") applies its action (Action 1, Action 2, ... Action 10) and processing stops; a packet that matches no rule ("No" all the way down) gets the chain's default policy.]

2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100.
Ordering A:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets
Ordering B:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
With ordering B, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because rule 1 already matches its WWW packets before rule 2 is consulted.
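To make the first-match rule visible without a kernel, here is an added shell simulator (not from the slides) that walks a rule list top to bottom and stops at the first match, with the two orderings above encoded as constructed rule lists. The rule syntax (source, destination port, action) is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the Moxa slides): a tiny first-match simulator.
# Rules are walked top to bottom, as netfilter does; the first rule whose
# source and destination port both match decides, otherwise the chain's
# default policy applies. Rule syntax (an assumption for the example):
#   "<src-ip|any> <dst-port|any> <ACTION>", one rule per line.
set -eu

# Ordering A from the slide: the attacker is dropped before WWW is allowed.
RULES_A='192.168.1.100 any DROP
any 80 ACCEPT
any any DROP'

# Ordering B: WWW is allowed first, so rule 2 never sees port-80 traffic.
RULES_B='any 80 ACCEPT
192.168.1.100 any DROP
any any DROP'

# first_match <src-ip> <dst-port> <rules> [default-policy]
# Prints the action taken for one packet.
first_match() {
    pkt_src=$1; pkt_port=$2; rules=$3; policy=${4:-ACCEPT}
    hit=$(printf '%s\n' "$rules" | while read -r r_src r_port r_action; do
        if [ -z "$r_action" ]; then continue; fi
        if { [ "$r_src" = any ] || [ "$r_src" = "$pkt_src" ]; } &&
           { [ "$r_port" = any ] || [ "$r_port" = "$pkt_port" ]; }; then
            echo "$r_action"   # first match wins ...
            break              # ... and no later rule is consulted
        fi
    done)
    echo "${hit:-$policy}"
}

# Same packets, different outcome, only because of rule order.
for name in A B; do
    eval "ruleset=\$RULES_$name"
    printf 'ordering %s: attacker->80 %s, attacker->22 %s, other->80 %s\n' "$name" \
        "$(first_match 192.168.1.100 80 "$ruleset")" \
        "$(first_match 192.168.1.100 22 "$ruleset")" \
        "$(first_match 192.168.1.7 80 "$ruleset")"
done
```

The output shows the attacker's port-80 traffic dropped under ordering A and accepted under ordering B, while every other packet is treated identically; the same check can be applied to a real chain by reading it with `iptables -L -n --line-numbers` and following the rules in that order.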
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table

2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain: packets entering the local host
2. OUTPUT chain: packets output from the local host
3. FORWARD chain: packets forwarded to other hosts

2-2-2 NAT Table
Used for NAT on different packets, i.e. to translate the packet's source field or destination field.
1) PREROUTING chain: to translate the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: works on locally produced packets

2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains

2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine

2-3-1 Destination: Local Host
Incoming packets → NAT table PREROUTING → filter table INPUT → local process

2-3-2 Source: Local Host
Local process → NAT table OUTPUT → filter table OUTPUT → NAT table POSTROUTING → outgoing packets

2-3-3 Forwarded Packets
Incoming packets → NAT table PREROUTING → filter table FORWARD → NAT table POSTROUTING → other hosts

2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules

3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
Clear current policy

3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP

3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target.

3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...

3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.

3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...

3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine

4-1 Packet Filter - Rules of the filter table
Example 1: Accept all packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2: Accept all TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3: Accept all TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4: Drop all TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5: Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7: Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC-7110 does not support the target "LOG".
Example 8: Drop all [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9: Drop all packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10: Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: ICMP "ping" burst (drop by default, accept at most 6 per minute with a burst of 10)
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12: Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets that are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13: Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14: Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT

4-2 NAT Machine - Rules of the nat table
Example 1: Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: Masquerade the packets from 192.168.1.0/24 as the local ppp0's IP (MASQUERADE is only valid in POSTROUTING, where the outgoing interface is known)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3: DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4: Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80; the rule shown SNATs the packets from 192.168.127.0/24 to the outside address $OUT_IP
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
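As an added example (not the slides' code), the rules from 3-2 to 4-2 collected into the kind of script file that 3-4 recommends: a gateway with a default-deny INPUT/FORWARD policy, state tracking, rate-limited ping, logging before the drop, masquerading in POSTROUTING and a DNAT for an internal web server. Interfaces, networks and the admin and web-server hosts are constructed values; every rule goes through $IPT so the script can be dry-run with IPT=echo before it is run as root on the UC.

```shell
#!/bin/sh
# Added example (not the slides' own code): a maintainable firewall script
# for a UC-7400 acting as a small gateway, built from the rules in 3-2 to 4-2.
# Interfaces, addresses and the admin/web hosts are constructed for the
# example. Every rule goes through $IPT so "IPT=echo" gives a dry run.
set -eu

IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-ppp0}                   # assumed uplink (slide example 2 uses ppp0)
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
ADMIN_HOST=${ADMIN_HOST:-192.168.1.25}   # constructed: the only host allowed to ssh in
WEB_SERVER=${WEB_SERVER:-192.168.1.10}   # constructed: internal web server for DNAT

flush_rules() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

set_default_policy() {
    # 3-2: deny by default on the filter table, then open only what is needed.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    # Example 1: loopback.
    $IPT -A INPUT -i lo -j ACCEPT
    # Example 12: keep existing connections, drop what the state machine calls invalid.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Example 8 generalised: a new TCP connection must start with a SYN.
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # Admin access (ssh) from one LAN host only; examples 2-6 open services per host the same way.
    $IPT -A INPUT -i "$LAN_IF" -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT
    # Examples 10/11: answer ping, but rate-limit it.
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Example 7: log (rate-limited) what the default policy is about to drop.
    # The LOG target is not available on the UC-7110.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "UC-INPUT-DROP: "
    # Forwarding: the LAN may go out; replies come back via state tracking (examples 12/14).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
}

nat_rules() {
    # 4-2 example 2: masquerade the LAN behind the uplink (POSTROUTING, not PREROUTING).
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # 4-2 example 3: publish the internal web server on the uplink's port 80.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to "$WEB_SERVER:80"
    # DNAT only rewrites the address; the FORWARD chain must still allow the flow.
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

apply_rules() {
    flush_rules
    set_default_policy
    filter_rules
    nat_rules
}

# "./firewall.sh start" on the UC; with no argument only the functions are defined.
case "${1:-}" in
    start) apply_rules && echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    stop)  flush_rules; $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT ;;
esac
```

Because the script flushes and rebuilds every table, it is the single source of truth for the rule set: edit the script, run `IPT=echo sh firewall.sh start` to read what would be loaded, then run it for real from /etc/rc.d/rc.local. Rule order matters (2-1): the ESTABLISHED,RELATED accept sits above every per-service rule so that return traffic is never evaluated against them.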
Thank You

OpenVPN 2.0
Stephen Lin

OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400

1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
Integrity
- Ensure that the message has not been modified during the transmission.
Authenticity
- You can verify that you are talking to the entity you think you are talking to.
- You can verify who the specific individual behind that entity is.
Non-repudiation
- The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
- Fast, high efficiency for data transmission
- Is it "secure" while transferring the key?
- Maintenance of the keys: (n-1)n/2 keys for n parties
- DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts the ciphertext back to plaintext with the same secret key.]

1-3 Hash (Digest) Function
- Ensures data integrity
- MD5/SHA-1
[Diagram: Tom computes Message Digest 1 from the data with the hash function and sends data + digest; Bob computes Message Digest 2 from the received data with the same hash function and compares it with Message Digest 1.]

1-4 Message Authentication Code
- Ensures data integrity
- Uses a key to protect the MAC
- HMAC/CBC-MAC
[Diagram: Tom computes Message Digest 1 with the hash function and turns it into the MAC with the secret key, then sends data + MAC; Bob computes Message Digest 2 from the received data, recovers Message Digest 1 from the MAC with the secret key, and compares the two.]

1-5 Asymmetric Encryption
Things to remember:
- Key pair: public/private keys
- In a session, one is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other even if you have access to clear text and cipher text
- The two keys are interchangeable. All algorithms make no difference between the public and the private key: when a key pair is generated, any of the two can be public or private
- Less efficient than a static key
- RSA/Diffie-Hellman
[Diagram: clear text → encryption → cipher text "g$5knvMd'rkvegMs".]

1-5 Asymmetric Data Encryption: Confidentiality Check
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair.]

1-5 Asymmetric Data Encryption: Authenticity Check
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair.]

1-6 Digital Signature
Real world: hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: use the public key and a hash

1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") is run through a one-way message digest function (hash: SHA, MD5), which calculates a short message digest ("Py75c%bn", typically 128 bits) from even a long input; the digest is then encrypted with the signatory's private key (asymmetric encryption: RSA) to produce the digital signature ("3kJfgf£$&"); message plus signature form the signed document.]

1-6 Digital Signature - Verifying
[Diagram: from the signed document, the message is hashed again to generate a message digest ("Py75c%bn"); the digital signature ("3kJfgf£$&") is decrypted with Gianni's public key (from the certificate) to recover the signed digest; the two digests are compared.]

1-6 Digital Signature
[Diagram: Tom computes Message Digest 1 from the data with the hash function and encrypts it with Tom's private key into the digital signature, then sends data + signature; Bob computes Message Digest 2 from the received data, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two.]
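An added example (not from the slides) that puts 1-3, 1-4 and 1-6 side by side with the openssl command line: a plain digest, an HMAC under a shared key, and an RSA signature, each applied to a message and to a tampered copy. The message, the shared key and the key pair are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the slides: the three integrity mechanisms of
# sections 1-3, 1-4 and 1-6 side by side, using the openssl command line.
# The message and the shared key are constructed for the example; the RSA
# key pair is generated on the fly in a throwaway directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY='constructed-shared-secret'            # known to Tom and Bob only

printf 'meter 1 reads 21.5 C at 05:10\n' > "$WORK/msg"
openssl genrsa -out "$WORK/tom.key" 2048 >/dev/null 2>&1
openssl rsa -in "$WORK/tom.key" -pubout -out "$WORK/tom.pub" >/dev/null 2>&1

# 1-3 Hash: anyone can recompute it, so it catches accidents, not attackers.
digest() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# 1-4 MAC: the digest is keyed; without KEY a modified message cannot be re-MACed.
mac() { openssl dgst -sha256 -hmac "$KEY" "$1" | awk '{print $NF}'; }

# 1-6 Signature: hash, then encrypt the hash with the signer's private key.
# sign <privkey> <file> <sigfile>
sign()   { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }
# verify <pubkey> <file> <sigfile>: exit 0 only if the signature matches the file.
verify() { openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; }

# Tampering scenario: the reading is changed in transit. The attacker can
# recompute the digest, but neither the MAC (no KEY) nor the signature (no private key).
sed 's/21.5/99.9/' "$WORK/msg" > "$WORK/tampered"
sign "$WORK/tom.key" "$WORK/msg" "$WORK/msg.sig"

hash_differs()    { [ "$(digest "$WORK/msg")" != "$(digest "$WORK/tampered")" ]; }
mac_differs()     { [ "$(mac "$WORK/msg")" != "$(mac "$WORK/tampered")" ]; }
sig_original_ok() { verify "$WORK/tom.pub" "$WORK/msg" "$WORK/msg.sig"; }
sig_tampered_ok() { verify "$WORK/tom.pub" "$WORK/tampered" "$WORK/msg.sig"; }

printf 'digest(msg)      = %s\n' "$(digest "$WORK/msg")"
printf 'digest(tampered) = %s\n' "$(digest "$WORK/tampered")"
printf 'mac(msg)         = %s\n' "$(mac "$WORK/msg")"
if sig_original_ok; then echo "signature over original: OK"; fi
if sig_tampered_ok; then echo "signature over tampered: OK"; else echo "signature over tampered: FAIL (expected)"; fi
```

The digest alone distinguishes the two files but proves nothing about who produced them; the MAC needs the shared key on both sides, so Bob knows the data came from someone holding KEY; the signature needs only Tom's public key to check, which is what makes non-repudiation possible.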
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key ("This public key belongs to Stephen"; the entity can be a person, a computer, a device, a file, some code, anything ...)
... and the whole is:
- Digitally signed by someone trusted (like your friend or a CA)
[Diagram: public key "2wsR46frdEWWrswe(^$G^DvtrsdFDfd367" + owner information + digital signature "3kJfgf£$&4dser4358g6gd7dT" = certificate.]

1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair (priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert); the private key and the certificate are sent to the user.]

1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key. Left and Right each hold the CA public key and trust it; Left's certificate and Right's certificate are signed by the CA, and the CA public key itself is signed by the CA.]

1-7-2 SSL/TLS
[Diagram: each side holds a key pair (priv, pub). Clear text is encrypted into Cipher 1 and Cipher 2, transmitted over the public network, and decrypted back to clear text on the other side.]
- Ensures confidentiality, and integrity if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source code

1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- We wrap ECB mode at a higher level (libssl.so), which openssl wraps too.

1-8-2 Performance
[Charts: throughput and rate for 3DES-CBC and AES-128-CBC plotted against data sizes from 128 to 1280 and, in a second pair of charts, from 16 to 144; the HW cipher series is marked separately.]

1-8-3 Things to be noticed
Moxa UC-7400 switches the operation between the software and the hardware approaches:
- Default: hardware approach
- Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach:
- DES: 128 bytes
- 3DES/AES: 64 bytes

1-8-4 Software Package
Driver:
- mxhw_cipher.o
Device file:
- mknod /dev/mxcrypto c 11 131
Test program:
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes

2-1 Virtual Private Network: Advantages/Disadvantages
- VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
- A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
- A VPN allows the usage of protocols which are insecure by themselves
- VPNs cannot be controlled and logged easily because of their encrypted nature

2-2 Why OpenVPN
Usability:
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later
Peers: each node with a client/server role
- Uses kernel routing
- Multiple clients
A user-space program:
- A full-featured SSL-VPN solution
- On top of the existing SSL/TLS mechanism
- Options between a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port

2-2 OpenVPN Security
Two authentication modes:
- Static key: uses a pre-shared key
- SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number
- IV: plain text initial vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP payload; the SeqN and the payload are encrypted, and the HMAC is computed over the IV and the encrypted part.]

2-2 OpenVPN vs IPSec
OpenVPN:
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec:
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard: multi-vendor support

2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses TAP mode: a TAP device is a virtual Ethernet adapter
The bridge tools (brctl, from bridge-utils) are required to create the bridge
A script is needed to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0        # create an Ethernet bridge
brctl addif br0 eth1   # connect interface eth1 as a port
brctl addif br0 tap0   # connect virtual interface tap0 as a port (the bridge name is required here too)
[Figure: OSI stacks of the two endpoints with bridging; OpenVPN at the application layer, the TAP device at the data-link layer (layer 2); on each host eth1 and tap0 are bridged while eth0 carries the tunnel]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point or point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX/NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well (every broadcast crosses the tunnel)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
Lab topology:
- LAN A: 10.0.1.0/24, gateway 10.0.1.254 (ixp1 of the VPN server)
- LAN B: 10.0.2.0/24, gateway 10.0.2.254 (ixp1 of the VPN client)
- VPN server: ixp0 192.168.12.201
- VPN client: ixp0 192.168.12.202, connects to the server
- The VPN tunnel runs between the two ixp0 addresses
- A CA/TLS server issues the certificates used in 3-4
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
(The static key is the whole secret of the tunnel: keep it mode 0600 and copy it to the peer only over a secure channel such as scp.)
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified (the "ifconfig" line: first argument local end, second argument remote end)
It is NECESSARY to specify the server address ("remote") at the VPN client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh
chmod +x /etc/openvpn/tunserver.sh
[At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN client] openvpn --config /etc/openvpn/tunclient.conf &
The client's "ifconfig" line is the mirror image of the server's: on the server the 2nd argument (the remote end) is 10.0.2.254, on the client it is 10.0.1.254
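The TUN procedure above, as an added example that is not part of the Moxa slides: a small shell script that generates the matching static-key tunserver.conf/tunclient.conf pair for the 3-1 lab topology and checks that the two "ifconfig" lines mirror each other before anything is written. The addresses come from the lab diagram; the key file name static.key, the cipher/auth/keepalive directives and the "route" lines (which replace the separate tunserver.sh/tunclient.sh route scripts) are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the Moxa slides): generate the matching static-key
# TUN server/client configuration pair for the 3-1 lab topology and check that
# the two sides mirror each other.  Addresses follow the slides; static.key,
# the cipher/auth/keepalive choices and the route lines are assumptions.

SERVER_PUB=192.168.12.201      # server's ixp0, the address the client dials
SERVER_TUN=10.0.1.254          # tunnel endpoint on the server side
CLIENT_TUN=10.0.2.254          # tunnel endpoint on the client side
KEYFILE=/etc/openvpn/static.key

# tun_conf server|client : print the OpenVPN configuration for that side
tun_conf() {
    side=$1
    case "$side" in
        server) local_ip=$SERVER_TUN; remote_ip=$CLIENT_TUN; peer_lan=10.0.2.0 ;;
        client) local_ip=$CLIENT_TUN; remote_ip=$SERVER_TUN; peer_lan=10.0.1.0 ;;
        *) echo "usage: tun_conf server|client" >&2; return 1 ;;
    esac
    echo "dev tun"
    # only the client needs to know where the server is; the server just listens
    [ "$side" = client ] && echo "remote $SERVER_PUB"
    echo "port 1194"
    echo "proto udp"
    # 1st argument: this end, 2nd argument: the peer.  Mirrored on the other side.
    echo "ifconfig $local_ip $remote_ip"
    echo "secret $KEYFILE"
    echo "cipher AES-128-CBC"
    echo "auth SHA1"
    echo "keepalive 10 60"
    echo "persist-key"
    echo "persist-tun"
    # route the peer's LAN into the tunnel instead of a separate tunxxx.sh script
    echo "route $peer_lan 255.255.255.0"
}

# check_pair : succeed only if the server and client ifconfig lines mirror each other
check_pair() {
    s=$(tun_conf server | sed -n 's/^ifconfig //p')   # "10.0.1.254 10.0.2.254"
    c=$(tun_conf client | sed -n 's/^ifconfig //p')   # "10.0.2.254 10.0.1.254"
    [ "${s% *}" = "${c#* }" ] && [ "${s#* }" = "${c% *}" ]
}

# write_pair DIR : write DIR/tunserver.conf and DIR/tunclient.conf after the check
write_pair() {
    check_pair || { echo "ifconfig lines do not mirror" >&2; return 1; }
    tun_conf server > "$1/tunserver.conf"
    tun_conf client > "$1/tunclient.conf"
}
```

Run write_pair /etc/openvpn on the CA/admin host and copy each file to its side together with static.key (mode 0600); a mismatched pair is the most common reason a static-key tunnel comes up on both ends but passes no traffic.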
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
Mark (comment out) the "ifconfig" line if both VPN networks are in the same subnet; the bridge already carries the address
3-3 TAP Configuration - VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh
[At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
The kernel route now points at the bridge: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN client] openvpn --config /etc/openvpn/tapclient.conf &
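The openvpn-bridge start/stop script the TAP steps call, as an added example: this is not the Moxa script itself but a minimal equivalent for the topology above (eth1 on the LAN A side, tap0 on the VPN side of br0). The bridge address follows the 3-1 lab diagram; creating tap0 as a persistent interface with "openvpn --mktun" is this example's own choice. Setting RUN=echo turns it into a dry run that only prints the commands.

```sh
#!/bin/sh
# Added example (not the Moxa openvpn-bridge script): minimal start/stop/restart
# script bridging eth1 and tap0 into br0.  Address from the 3-1 lab diagram;
# persistent tap0 via "openvpn --mktun" is an assumption.  RUN=echo = dry run.

BR=br0
ETH=eth1
TAP=tap0
BR_IP=10.0.1.254
BR_MASK=255.255.255.0
RUN=${RUN:-}

bridge_start() {
    # create a persistent tap0 first, so OpenVPN can be restarted without
    # tearing the bridge down
    $RUN openvpn --mktun --dev $TAP
    # order matters: the bridge must exist before ports are added to it,
    # and a port must not carry its own IP address once it is bridged
    $RUN brctl addbr $BR
    $RUN brctl addif $BR $ETH
    $RUN brctl addif $BR $TAP
    $RUN ifconfig $ETH 0.0.0.0 promisc up
    $RUN ifconfig $TAP 0.0.0.0 promisc up
    # the LAN address moves onto the bridge; kernel routing now points at br0
    $RUN ifconfig $BR $BR_IP netmask $BR_MASK up
}

bridge_stop() {
    $RUN ifconfig $BR down
    $RUN brctl delif $BR $TAP
    $RUN brctl delif $BR $ETH
    $RUN brctl delbr $BR
    $RUN openvpn --rmtun --dev $TAP
    # give eth1 its LAN address back
    $RUN ifconfig $ETH $BR_IP netmask $BR_MASK up
}

bridge_main() {
    case "$1" in
        start)   bridge_start ;;
        stop)    bridge_stop ;;
        restart) bridge_stop; bridge_start ;;
        *) echo "usage: $0 {start|stop|restart}" >&2; return 2 ;;
    esac
}

# dispatch only when executed as /etc/openvpn/openvpn-bridge, not when sourced
case "${0##*/}" in
    openvpn-bridge) bridge_main "$@" ;;
esac
```

Install it as /etc/openvpn/openvpn-bridge and run it before OpenVPN on both ends. While eth1 is bridged it must not keep its own address, and the bridge forwards every LAN frame to whoever holds the other end of tap0, so the tunnel's authentication (static key or TLS) is the only thing standing between LAN A and the remote side.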
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate request: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client's certificate issued the same way
3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (the size is taken from KEY_SIZE in vars, 1024 here)
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client
The "easy-rsa" tools also work on the UC-7400 series
Notes: easy-rsa also ships build-key-server, which marks the certificate as a server certificate (nsCertType=server); a client that uses "ns-cert-type server" needs this to refuse another client's certificate posing as the server. 1024-bit DH and RSA were the 2005 defaults; 2048 bits is the minimum a practitioner would choose today. Only ca.crt needs to travel: keep the CA private key off the VPN hosts.
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
(switching a static-key configuration to SSL/TLS replaces the "secret" line with the standard OpenVPN directives ca, cert and key on both sides, plus dh and tls-server on the server and tls-client on the client)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1: Monitoring: Temperature -> Voltage -> Throughput for P3 to P8
F2: System status: LAN's IP -> Wi-Fi's IP -> CPU loading -> Available memory
F3: Alarm setting: Temperature -> Voltage -> burn-in throughput
F4: Configuration key
F5: Main menu
Apache web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
- The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
- The compatible wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset
Thank You
Crontab
1. Introduction: daemon to execute scheduled commands
2. Description
- Start cron from /etc/rc.d/rc.local
- Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
  m (minute)  h (hour)  dom (day of month)  mon (month)  dow (day of week)   user  command
  0-59        0-23      1-31                1-12         0-6 (0 is Sunday)
3. Example
- How to add ntpdate (synchronize time) in cron
- Every day at 5:10 the system will synchronize the time from the NTP server (192.168.0.1) and write it to the hardware clock
  vi /etc/cron.d/crontab
  # m  h  dom  mon  dow  user  command
  10   5  *    *    *    root  /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w
UART and special baud rate support
1. Introduction
- The normal tty device nodes are /dev/ttyM0 ... /dev/ttyM7, and the modem (callout) tty device nodes are /dev/cum0 ... /dev/cum7
- The UC-7400 supports standard Linux termios control
- The Moxa UART device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 and 4-wire RS-485
2. The function: you must include <moxadevice.h>
  #define RS232_MODE        0
  #define RS485_2WIRE_MODE  1
  #define RS422_MODE        2
  #define RS485_4WIRE_MODE  3
  ioctl commands:
  - MOXA_SET_OP_MODE
  - MOXA_GET_OP_MODE
UART and special baud rate support
3. Special baud rate support
- There are two Moxa private ioctl commands for setting up special baud rates:
  - MOXA_SET_SPECIAL_BAUD_RATE
  - MOXA_GET_SPECIAL_BAUD_RATE
- If you use this ioctl to set a special baud rate, the termios c_cflag will read B4000000, a value whose meaning differs from the standard B4000000 define
- If the baud rate you get from termios (from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm
Upgrading the Firmware
1. Introduction: the UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
- The name of the firmware file has the form uc7400-x.x.x.frm, with x.x.x indicating the firmware version
ATTENTION
- Upgrading the firmware will erase all data on the flash ROM
Upgrading the Firmware
2. Description
- Firmware V1.4.3 and later add a utility "upfirm" to the UC-7400
- The utility upfirm is designed for upgrading the firmware (including boot loader, kernel, mini file system, user file system and configuration)
- If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk:
  upramdisk
  cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system:
  upfirm uc7400-x.x.x.frm
(See the next slide for the upfirm procedure)
  root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
  Upgrade firmware utility version 1.0
  To check source firmware file context ... The source firmware file context is OK
  This step will destroy all your firmware. Do you want to continue it? (Y/N) Y
  MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 -- 100% complete
  Wait to write file ... Completed 100%
  Now upgrade the new configuration file
  Upgrade the firmware is OK
  Please press any key to reboot system
Press any key to reboot the system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot after upgrading the firmware takes a long time.
Because the image replaces the boot loader and the root file system, make sure the file you flash is the genuine Moxa release for your model and arrived intact (compare version and size with what Moxa publishes) before running upfirm; a wrong or corrupt image leaves the unit unbootable.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
Step 1: Unplug the CardBus wireless LAN card first
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
  root@Moxa:~# vi /etc/network/interfaces
  # 802.11g Gigabyte CardBus wireless card
  iface eth0 inet static
      address 192.168.5.127
      network 192.168.5.0
      netmask 255.255.255.0
      broadcast 192.168.5.255
Configure 802.11g Wireless LAN
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
- Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
- This file is a binary file and will be read when the rt2500.o module is loaded
- Use "vi -b RT2500STA.dat" to modify the settings according to your needs:
  1) set NetworkType to Adhoc for ad-hoc mode, otherwise use Infrastructure
  2) set Channel to 0 for auto-select in infrastructure mode
  3) set SSID for connecting to your access point
  4) AuthMode can be OPEN, SHARED, WPAPSK or WPANONE
  5) EncrypType can be NONE, WEP, TKIP or AES
  For more information refer to the Readme file
Configuring 802.11g Wireless LAN
- The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
  CountryRegion: sets the channels for your particular country region
  WirelessMode: sets the wireless mode
  SSID: sets the SSID of the network to join
  NetworkType: sets the wireless operation mode (Adhoc/Infrastructure)
  Channel: sets the channel
  AuthMode: sets the authentication mode
  EncrypType: sets the encryption type
  DefaultKeyID: sets the default WEP key ID
  Key1Str, Key2Str, Key3Str, Key4Str: set the WEP key strings Key1 to Key4
  WpaPsk: WPA pre-shared key
  TxBurst: enables or disables TxBurst
  TurboRate: enables or disables TurboRate
  BGProtection: sets 11b/11g protection (this function is for engineering testing only)
  ShortSlot: enables or disables the short slot time
  TxRate: sets the TxRate
  RTSThreshold: sets the RTS threshold
  FragThreshold: sets the fragment threshold
Of these combinations only AuthMode=WPAPSK with EncrypType=AES (or TKIP where the hardware lacks AES) gives a link that an attacker in radio range cannot read; OPEN or SHARED with WEP keys (Key1Str..Key4Str) is breakable in minutes and should be treated as an unencrypted link. The .dat file holds the pre-shared key in clear, so restrict its permissions.
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
The UC-7400's Windows tool chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC
The following topics are covered in this appendix:
- Introduction
- Installation procedure
- Using the BASH shell
- GDB debug tool: Insight
Windows Tool Chain
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment
Development Process
Step 1: Setting up the development environment on the PC (x86)
Step 2: Coding, compiling and debugging on the Windows tool chain
Step 3: Deploying the program to the UC (IXP-422)
Step 1: Setting up the Development Environment
Install the Windows tool chain on a Windows 2K/XP PC. Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities:
- Moxa Bash Shell
- GDB debug tool: Insight (http://sources.redhat.com/insight)
- This process could take from 5 to 30 minutes depending on the speed of your system
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC Windows tool chain)
Compile/link the source code with the tool chain:
- Compiler path setting: PATH=/usr/local/mxscaleb/bin
- Compiling Hello.c
Step 3: Deployment
Upload the program to the UC:
- ftp 192.168.3.127
- ftp> binary
- ftp> put hello-release
Running the program (at the UC-7400 side):
- chmod +x hello-release
- ./hello-release
  Hello
Debugging with GDB
Over Ethernet: PC, Moxa Bash Shell: 1. compile with -ggdb; 3. Insight tool (GDB client); 4. target remote. UC: 2. GDB debug server
Debugging with GDB
Step 1: PC, Moxa Bash Shell: compile the program with the -ggdb option, then upload it to the UC
Step 2: UC: start hello-debug under gdbserver:
  chmod +x hello-debug
  gdbserver 192.168.3.127:2000 hello-debug
  Process hello-debug created; pid = 206
Step 3: PC, Insight: run the GDB client
- Open the hello-debug file
- Connect to target
  - GDB Server/TCP
  - 192.168.3.200
  - 2000
(gdbserver accepts an unauthenticated connection from anyone who can reach the port, and the debugged process runs with the rights of whoever started gdbserver; use it on a lab network only and stop it when the session ends.)
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
"Netfilter" looks at the packet headers only, not at the content
iptables is currently one of many firewall/NAT solutions; it is the administration tool for setting up, maintaining and inspecting the tables of IP packet filter rules in the Linux kernel
1. Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
1. Quick View of iptables
3rd-generation firewall on Linux:
- "ipfwadm" on Linux kernel 2.0.x
- "ipchains" on Linux kernel 2.2.x
- "ipchains" / "iptables" on Linux kernel 2.4.x
- "iptables" on Linux kernel 2.6.x
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Flowchart: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches ("Yes") applies its action (Action 1, Action 2, ... Action 10) and the walk stops; if no rule matches, the default policy applies]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
  Rule 1: Drop the packets from 192.168.1.100
  Rule 2: Accept WWW request packets from all hosts
  Rule 3: Drop all non-WWW packets
With the order changed:
  Rule 1: Accept WWW request packets from all hosts
  Rule 2: Drop the packets from 192.168.1.100
  Rule 3: Drop all non-WWW packets
192.168.1.100 is still able to use the WWW service, or to attack the WWW service port: the ACCEPT in rule 1 matches first and rule 2 is never consulted. Since -A appends at the end of the chain, a "block this host" rule added after broad ACCEPT rules has no effect; insert it at the top with -I instead.
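The two orderings above, as an added example that is not from the slides: a toy first-match evaluator in shell that walks a rule list the way a chain is walked and returns the verdict for one packet. It does not call iptables; the rule format (source, protocol, destination port, action, with "any" as wildcard) and the rule sets are constructed here to reproduce the slide's two cases.

```sh
#!/bin/sh
# Added example (not from the slides): toy first-match chain walk.
# Rule line format, constructed for this example:
#   <src-ip|any> <proto|any> <dport|any> <ACCEPT|DROP>

# first_match POLICY SRC PROTO DPORT   (rule list on stdin) -> prints the verdict
first_match() {
    policy=$1; src=$2; proto=$3; dport=$4
    verdict=$policy
    while read r_src r_proto r_dport r_action; do
        case "$r_src" in '#'*|'') continue ;; esac        # skip comments / blank lines
        [ "$r_src"   = any ] || [ "$r_src"   = "$src"   ] || continue
        [ "$r_proto" = any ] || [ "$r_proto" = "$proto" ] || continue
        [ "$r_dport" = any ] || [ "$r_dport" = "$dport" ] || continue
        verdict=$r_action          # first hit wins; later rules are never consulted
        break
    done
    echo "$verdict"
}

# Ordering A from the slide: block the attacker first, then allow WWW
RULES_DROP_FIRST='
192.168.1.100 any any DROP
any tcp 80 ACCEPT
any any any DROP
'
# Ordering B: WWW is allowed first, so the DROP for the attacker is shadowed
RULES_ACCEPT_FIRST='
any tcp 80 ACCEPT
192.168.1.100 any any DROP
any any any DROP
'

# verdict_a SRC / verdict_b SRC : verdict for a TCP/80 request from SRC under each ordering
verdict_a() { printf '%s\n' "$RULES_DROP_FIRST"   | first_match ACCEPT "$1" tcp 80; }
verdict_b() { printf '%s\n' "$RULES_ACCEPT_FIRST" | first_match ACCEPT "$1" tcp 80; }
```

verdict_a 192.168.1.100 prints DROP while verdict_b 192.168.1.100 prints ACCEPT, which is exactly the difference the slide describes; a real chain behaves the same way, and iptables -L --line-numbers is the quickest way to see which rule is shadowing another.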
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain: packets entering the local host
2. OUTPUT chain: packets output from the local host
3. FORWARD chain: packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field:
1) PREROUTING chain: to translate the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: for locally generated packets
Only the first packet of a connection traverses the NAT table; the connection tracker then applies the same translation to the rest of that connection.
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches, etc., to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination Local Host
Incoming packets -> NAT table PREROUTING -> (routing decision) -> filter table INPUT -> local process
2-3-2 Source Local Host
Local process -> outgoing packets -> NAT table OUTPUT -> filter table OUTPUT -> NAT table POSTROUTING -> send out packets
2-3-3 Forwarded Packets
Incoming packets -> NAT table PREROUTING -> (routing decision: not a local resource) -> filter table FORWARD -> NAT table POSTROUTING -> other hosts
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible (the ipchains module must not be loaded at the same time)
3-1 Load iptables Module
Check the current tables: iptables [-t table] -L [-n]   (-n skips DNS lookups)
Default policy
3-1 Install iptables
Clear the current rules: iptables -F
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R <direction> <match> -j <target>
Three major things need to be considered: direction (chain), match, target (-j)
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --sports|--dports|--ports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING/OUTPUT)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (the iptables-save output is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all packets incoming from the lo interface:
  iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all TCP packets incoming from IP = 192.168.0.1:
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 3 - Accept all TCP packets incoming from the network 192.168.1.0/24:
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all TCP packets incoming from IP = 192.168.1.25:
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
  (appended after example 3 this rule never fires, because example 3 has already accepted the packet; see 2-1 First Match)
4-1 Packet Filter - Rules of the filter table
Example 5 - Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0):
  iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139:
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 7 - Log the incoming/outgoing TCP packets to/from port 25 (log the SMTP service); the rule shown covers the incoming direction:
  iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
  Note: UC-7110 does not support the "LOG" target. LOG is non-terminating, so the packet continues down the chain; without -m limit in front of it a flood of SMTP packets fills the log.
4-1 Packet Filter - Rules of the filter table
Example 8 - Drop all [SYN] packets from IP = 192.168.100.200:
  iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all packets from MAC = aa:bb:cc:dd:ee:ff:
  iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
  (the mac match only works in the PREROUTING, INPUT and FORWARD chains and only sees the directly attached segment; a source MAC is trivially spoofed, so this is a convenience, not a security boundary)
Example 10 - Do not respond to "ping":
  iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Limit an ICMP "ping" burst:
  iptables -t filter -P INPUT DROP
  iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections:
  iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of the filter table
Example 13 - Check the packet integrity:
  iptables -t filter -A INPUT -p all -m unclean -j DROP
  (the "unclean" match was experimental in 2.4 and was dropped from later kernels)
Example 14 - Enable "passive mode" FTP service to a host:
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 - Redirect the connection requests for port 80 to port 8080:
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 as the local ppp0's IP (MASQUERADE, like SNAT, is only valid in POSTROUTING, which is also the only NAT chain where -o may be used):
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the packets incoming from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10:80:
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - SNAT the outgoing packets from 192.168.127.0/24 to the public address $OUT_IP:
  iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
  (with a DROP policy on FORWARD, examples 3 and 4 also need FORWARD rules accepting the translated traffic; NAT only rewrites addresses, it does not authorize the packet)
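The hands-on rules of 4-1 and 4-2 assembled into the kind of rule script that 3-4 recommends keeping instead of an iptables-save dump, as an added example that is not from the slides. Interface names and addresses follow the lab (eth0 outside with 60.248.66.75, 192.168.127.0/24 inside on eth1, web server 192.168.127.10); the HAS_LOG switch for the UC-7110 and the ordering of the rules are this example's own. IPT=echo prints the rules instead of loading them, so it can be reviewed without root.

```sh
#!/bin/sh
# Added example (not from the slides): the 4-1/4-2 rules as one maintainable
# script.  Lab addresses from the slides; rule order and HAS_LOG are assumptions.
# IPT=echo prints the rules instead of loading them.

IPT=${IPT:-iptables}
OUT_IF=eth0
IN_IF=eth1
OUT_IP=60.248.66.75
LAN_NET=192.168.127.0/24
WEB_SRV=192.168.127.10

fw_flush() {
    # start from a known state: wipe both tables, then close INPUT and FORWARD
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

fw_input() {
    # first match: loopback and existing connections first, so the per-service
    # rules below only ever see NEW packets
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # the attacker from the first-match slide, before any ACCEPT it could hide behind
    $IPT -A INPUT -i $OUT_IF -s 192.168.1.100 -j DROP
    # rate-limited ping instead of dropping ICMP outright
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # services offered to the LAN only
    $IPT -A INPUT -i $IN_IF -p tcp -s $LAN_NET --dport 137:139 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # log (rate-limited) and then drop whatever is left; UC-7110 has no LOG target
    if [ "${HAS_LOG:-1}" = 1 ]; then
        $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP "
    fi
    $IPT -A INPUT -j DROP
}

fw_nat() {
    # publish the internal web server: DNAT rewrites the address, the FORWARD
    # rule authorizes the rewritten packet (a DROP policy would eat it otherwise)
    $IPT -t nat -A PREROUTING -i $OUT_IF -p tcp -d $OUT_IP --dport 80 -j DNAT --to-destination $WEB_SRV:80
    $IPT -A FORWARD -i $OUT_IF -p tcp -d $WEB_SRV --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts leave as the fixed public address: SNAT lives in POSTROUTING,
    # never PREROUTING (MASQUERADE for a dynamic ppp0 address would go here too)
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $OUT_IF -j SNAT --to-source $OUT_IP
    $IPT -A FORWARD -i $IN_IF -s $LAN_NET -o $OUT_IF -m state --state NEW -j ACCEPT
}

fw_apply() {
    fw_flush
    fw_input
    fw_nat
}
```

Review the output of IPT=echo sh -c '. ./fw.sh; fw_apply' before loading it for real, then call fw_apply from /etc/rc.d/rc.local so the rules survive a reboot. The page's own examples use the short form --to for the NAT targets; --to-destination and --to-source are the full option names.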
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does cryptography solve?
Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if they listen to the whole conversation
Integrity
- Ensure that the message has not been modified during transmission
Authenticity
- You can verify that you are talking to the entity you think you are talking to
- You can verify who the specific individual behind that entity is
Non-repudiation
- The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
- Fast, high efficiency for data transmission
- Is it "secure" while transferring the key? (key distribution is the hard part)
- Maintenance of the keys: n(n-1)/2 keys for n parties that each need a pairwise key
- DES, 3DES, AES, Blowfish (DES's 56-bit key is brute-forceable with modest hardware; prefer AES)
[Figure: Tom encrypts the plaintext with the shared secret key into ciphertext; Bob decrypts it with the same secret key]
1-3 Hash (Digest) Function
- Ensures data integrity
- MD5, SHA-1 (both are now known to be collision-prone, MD5 since 2004 and SHA-1 with a practical collision in 2017; use the SHA-2 family in new designs)
[Figure: Tom hashes the data into Message Digest 1 and sends data + digest; Bob runs the same hash function over the received data to obtain Message Digest 2 and compares the two]
A bare digest only detects accidental corruption: an attacker who changes the data can recompute the digest as well, which is why the next slide adds a key.
1-4 Message Authentication Code
- Ensures data integrity and origin
- Uses a key to protect the MAC, so an attacker without the key cannot recompute it after altering the data
- HMAC, CBC-MAC
[Figure: Tom hashes the data to Message Digest 1, turns it into a MAC under the secret key and sends data + MAC; Bob recomputes Message Digest 2 from the received data, recovers Message Digest 1 from the MAC with the same secret key and compares]
1-5 Asymmetric Encryption
Things to remember:
- Key pair: public/private keys
- In a session one is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
- For RSA the two operations are interchangeable, either key of the pair can encrypt and the other decrypts (this is what makes RSA signatures possible); it is not a property of every public-key algorithm, and which key is "public" is decided when the pair is generated and then fixed
- Less efficient than symmetric (secret-key) encryption
- RSA, Diffie-Hellman
[Figure: clear text is encrypted into a string such as "g$5knvMd'rkvegMs"]
1-5 Asymmetric Data Encryption
Confidentiality check, using the recipient's key pair: Tom encrypts the plaintext with Bob's public key; only Bob can decrypt the ciphertext, with Bob's private key
1-5 Asymmetric Data Encryption
Authenticity check, using the sender's key pair: Tom encrypts the plaintext with Tom's private key; anyone can decrypt it with Tom's public key, which shows it came from the holder of Tom's private key
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: use the public key and a hash
1-6 Digital Signature - Creating
1. Calculate a short message digest from even a long input using a one-way message digest function (hash: SHA, MD5); typically 128 bits for MD5
2. Asymmetric encryption (RSA) of the digest with the signatory's private key gives the digital signature
3. The signed document is the message ("This is the document created by Gianni") plus the digital signature ("3kJfgf£$&")
1-6 Digital Signature - Verifying
1. Split the signed document into the message and the digital signature
2. Hash the message to obtain a message digest ("Py75cbn")
3. Asymmetric decryption of the digital signature with Gianni's public key (from his certificate) recovers the digest he signed
4. Compare the two digests: equal means the data is intact and was signed by the holder of the private key
1-6 Digital Signature
[Figure: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key, giving the digital signature; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares]
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key (this can be a person, a computer, a device, a file, some code, anything)
... and the whole is:
- Digitally signed by someone trusted (like your friend or a CA)
[Figure: certificate = "This public key belongs to Stephen" + public key + digital signature]
1-7-1 CA Certificate
[Figure: the CA (certification server) holds its own key pair; the user requests a certificate from the CA; the CA generates the certificate; in this model the CA also generates the user's key pair and sends the private key and the certificate to the user]
1-7-1 CA Certificate Example
The CA signs with its private key. Left and Right each hold their own private key, their own certificate signed by the CA, and the CA public key (the CA's self-signed certificate). Left trusts Right's certificate and Right trusts Left's because both trust the CA that signed them; neither private key has to leave its owner. Having the CA generate the user key pairs, as in the figure, means the CA has seen every private key, which weakens non-repudiation; generating the key on the user's own machine and sending only a certificate request to be signed (OpenSSL's CA -newreq followed by CA -sign, or easy-rsa's build-req and sign-req) avoids that.
1-7-2 SSL/TLS
[Figure: each side holds a key pair; clear text is encrypted into Cipher 1 and Cipher 2, transmitted over the public network and decrypted back to clear text on the other side]
- Ensures confidentiality, and integrity if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation (a public key that merely arrives over the wire proves nothing; it is the certificate chain back to a trusted CA that binds it to an identity)
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput (RATE) of 3DES-CBC and AES-128-CBC versus packet size, one pair of charts for 128 to 1280 bytes and one pair for 16 to 144 bytes, software cipher compared with the HW cipher.]
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approaches:
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4, Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node has a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | IP payload, with the SeqN and IP payload shown as the encrypted part.]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
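As an added illustration of the packet layout and the SeqN field described above (not code from the slides or from OpenVPN itself; the HMAC key and packets are constructed, and the encryption of SeqN + payload is left out as an assumption), this Python sketch authenticates a received HMAC | IV | SeqN | payload packet before parsing it and rejects replayed sequence numbers with a sliding window:

```python
import hashlib
import hmac
import os
import struct

HMAC_KEY = b"constructed-demo-hmac-key"  # constructed; a real key comes from --secret or TLS
DIGEST = hashlib.sha1                     # SHA1 is OpenVPN's default --auth digest
TAG_LEN = DIGEST().digest_size
IV_LEN = 8                                # IV size is an assumption for this demo


def build_packet(seq, payload, iv=None):
    """Assemble HMAC | IV | SeqN | payload as drawn on the slide.
    Assumption: SeqN + payload are sent in the clear here; a real tunnel
    encrypts them first, but the check below does not depend on that."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    body = iv + struct.pack(">Q", seq) + payload
    tag = hmac.new(HMAC_KEY, body, DIGEST).digest()
    return tag + body


class ReplayWindow:
    """Sliding-window replay check on the 64-bit SeqN: remember the highest
    SeqN accepted plus a bitmap of the `size` most recent numbers seen."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest SeqN accepted so far
        self.seen = 0      # bit i set => SeqN (highest - i) already accepted

    def accept(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; far jumps simply reset the bitmap.
            self.seen = 1 if shift >= self.size else ((self.seen << shift) | 1)
            self.seen &= (1 << self.size) - 1
            self.highest = seq
            return True
        back = self.highest - seq
        if back >= self.size:
            return False   # older than the window: treat as a replay
        if self.seen & (1 << back):
            return False   # exact duplicate of an accepted packet
        self.seen |= 1 << back   # late but new: accept once
        return True


def receive(packet, window):
    """Return the payload if the HMAC verifies and SeqN is fresh, else None.
    The HMAC is checked first so forged or corrupted data is never parsed."""
    if len(packet) < TAG_LEN + IV_LEN + 8:
        return None
    tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(HMAC_KEY, body, DIGEST).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    seq = struct.unpack(">Q", body[IV_LEN:IV_LEN + 8])[0]
    if not window.accept(seq):
        return None
    return body[IV_LEN + 8:]
```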
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic Firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Figure: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN attaches to the TUN device at the Network layer (3rd).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see the machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 only where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Figure: two OSI stacks; OpenVPN attaches to the TAP device at the Data-Link layer (2nd) instead of TUN at the Network layer (3rd); eth0 carries the tunnel on each side, while eth1 and tap0 are bridged.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point to point, point to multi-point
2 Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works where the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) behind the VPN Server, which has ixp1 at 10.0.1.254 on the LAN side and ixp0 at 192.168.12.201 on the tunnel side; LAN B (IP 10.0.2.1/24, gw 10.0.2.254) behind the VPN Client, which has ixp1 at 10.0.2.254 and ixp0 at 192.168.12.202; the client connects to the server through the VPN tunnel; a CA/TLS Server is also present.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf & (server); openvpn --config /etc/tunclient.conf & (client)
(Callout: the 2nd argument of "ifconfig", which is now "10.0.2.254")
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routings: vi /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (server); openvpn --config /etc/openvpn/tapclient & (client)
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client
The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function, making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range: 0 to 300 VDC; right side for the low range: 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier  Model name
ASUS      WL-107g
CNET      CWC-854 (181D version)
Edimax    EW-7108PCg
Amigo     AWP-914WG
Gigabyte  GN-WMKG
Others which use the Ralink chipset
Thank You
UART and special baud rate support
1 Introduction
• The normal tty device nodes are located at /dev/ttyM0 ... ttyM7, and the modem tty device nodes at /dev/cum0 ... cum7
• UC-7400 supports standard Linux termios control
• The Moxa UART device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485 or 4-wire RS-485
2 The Function
You must include <moxadevice.h>, which defines:
#define RS232_MODE 0
#define RS485_2WIRE_MODE 1
#define RS422_MODE 2
#define RS485_4WIRE_MODE 3
Function
• MOXA_SET_OP_MODE
• MOXA_GET_OP_MODE
UART and special baud rate support
3 Special baud rate support
• There are two Moxa private ioctl commands for setting up special baud rates
Function
• MOXA_SET_SPECIAL_BAUD_RATE
• MOXA_GET_SPECIAL_BAUD_RATE
• If you use this ioctl to set a special baud rate, the termios cflag will be B4000000, in which case the B4000000 define will be different
• If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm
Upgrading the Firmware
1 Introduction
UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM
Upgrading the Firmware
2 Description
• In V1.43 or later firmware, UC-7400 adds a new utility, "upfirm"
• The utility upfirm is designed for upgrading the firmware (including the boot-loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.43, you can find the utility on the Moxa website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file from the Moxa website into the ramdisk
Step 3: Use the upfirm command to upgrade the kernel and root file system
upfirm uc7400-xxx.frm
(Reference the next slide to see the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it (Y/N)? Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 – 100% complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot the system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot-up after upgrading the firmware takes a long time
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus Wireless LAN card first
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
This file is a binary file and will be read when loading the rt2500.o module
Use vi -b RT2500STA.dat to modify the settings according to your needs
1) set NetworkType to Adhoc for Adhoc mode, otherwise use Infrastructure
2) set Channel to 0 for auto-select in Infrastructure mode
3) set SSID for connecting to your access point
4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
5) EncrypType can be NONE, WEP, TKIP, AES
For more information refer to the Readme file
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: Sets the channels for your particular country region
WirelessMode: Sets the wireless mode
SSID: Sets the softAP SSID
NetworkType: Sets the wireless operation mode
Channel: Sets the channel
AuthMode: Sets the authentication mode
EncrypType: Sets the encryption type
DefaultKeyID: Sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: Set the strings for Key1 to Key4
WpaPsk: WPA pre-shared key
TxBurst: Enables or disables TxBurst
TurboRate: Enables or disables TurboRate
BGProtection: Sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: Enables or disables the short slot time
TxRate: Sets the TxRate
RTSThreshold: Sets the RTS threshold
FragThreshold: Sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC
The following topics are covered in this appendix:
• Introduction
• Installation procedure
• Using the BASH shell
• GDB debug tool: Insight
Windows Tool Chain
1 Operating system: Windows 2000 or Windows XP
2 Minimum of 500 MB hard disk space
3 CD-ROM or equivalent
4 Ethernet to connect with the UC-7400
5 Be able to log in as administrator
6 Use a Windows username without spaces
7 You will be using a BASH shell window to enter commands
8 In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment
Developing Process
Step 1: Setting up the development environment on the PC (x86)
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC (IXP-422)
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP)
Installation tips
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities
• Moxa Bash Shell
• GDB debug tool: Insight (http://sources.redhat.com/insight)
• This process could take from 5 to 30 minutes, depending on the speed of your system
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC, Windows Tool Chain, x86)
Compile/link the source code with the tool-chain
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compiling Hello.c
Step 3: Deployment
Upload the program to the UC
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 side)
• chmod +x hello-release
• ./hello-release
Hello
[Figure: PC (Moxa Bash Shell) and UC connected over Ethernet: 1 compile with -ggdb on the PC; 2 GDB debug server on the UC; 3 Insight tool (GDB client) on the PC; 4 target remote]
Debugging with GDB
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1: PC, Moxa Bash Shell: compile the program with the -ggdb option, then upload it to the UC
Step 2: UC: start hello-debug with the command gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC, Insight: run the GDB client
• Open the hello-debug file
• Connect to target
  • GDB Server/TCP
  • 192.168.3.200
  • 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1 Quick View of iptables
A user-space command to set up and maintain the "Netfilter" sub-system of the kernel
"Netfilter" manages only the packet headers, not the content
iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1 Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table
1 Quick View of iptables
3rd-generation firewall on Linux
– "ipfwadm" on Linux kernel V2.0.X
– "ipchains" on Linux kernel V2.2.X
– "ipchains", "iptables" on Linux kernel V2.4.X
– "iptables" on Linux kernel V2.6.X
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
[Figure: packets are tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches (Yes) applies its action (Action 1, Action 2, ... Action 10) and processing stops; a packet that matches no rule (No) falls through to the default policy.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
With the first two rules swapped:
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
192.168.1.100 is now able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first and Rule 2 is never reached
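An added Python model of the first-match rule (not code from the slides; the rules and packets are constructed to mirror the two orderings above) that evaluates both chains for the same packet and shows that inserting the DROP rule at position 1, as iptables -I would, restores the intended behaviour while appending it would not:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str                      # source IP, what -s is compared against
    proto: str                    # "tcp", "udp" or "icmp", what -p is compared against
    dport: Optional[int] = None   # destination port, what --dport is compared against


@dataclass
class Rule:
    target: str                   # ACCEPT or DROP (-j)
    src: Optional[str] = None     # host or CIDR (-s); None means any source
    proto: Optional[str] = None   # -p; None means any protocol
    dport: Optional[int] = None   # --dport; None means any port

    def matches(self, pkt: Packet) -> bool:
        """Every given condition must hold, exactly like the matches of one rule."""
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First match wins: walk the chain in order and stop at the first hit;
    a packet that matches nothing gets the chain's default policy (-P)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def insert_rule(chain: List[Rule], rule: Rule, position: int = 1) -> List[Rule]:
    """Like `iptables -I CHAIN position ...` (1-based); -A would append instead."""
    new_chain = list(chain)
    new_chain.insert(position - 1, rule)
    return new_chain


# The two orderings from the slide (constructed rule objects).
ATTACKER = "192.168.1.100"
DROP_ATTACKER = Rule("DROP", src=ATTACKER)          # "Drop the packets from 192.168.1.100"
WWW_FROM_ALL = Rule("ACCEPT", proto="tcp", dport=80)  # "Accept WWW request packets from all hosts"
DROP_REST = Rule("DROP")                             # "Drop all the non-WWW packets"

CORRECT_ORDER = [DROP_ATTACKER, WWW_FROM_ALL, DROP_REST]
WRONG_ORDER = [WWW_FROM_ALL, DROP_ATTACKER, DROP_REST]


def verdicts(src: str, proto: str = "tcp", dport: int = 80):
    """Verdict of the correct chain and of the swapped chain for one packet."""
    pkt = Packet(src, proto, dport)
    return evaluate(CORRECT_ORDER, pkt), evaluate(WRONG_ORDER, pkt)


def repaired_verdicts(src: str, proto: str = "tcp", dport: int = 80):
    """Fixing the swapped chain: appending (-A) leaves the ACCEPT in front, so
    the attacker is still accepted; inserting at position 1 (-I) blocks it."""
    pkt = Packet(src, proto, dport)
    appended = WRONG_ORDER + [DROP_ATTACKER]
    inserted = insert_rule(WRONG_ORDER, DROP_ATTACKER, 1)
    return evaluate(appended, pkt), evaluate(inserted, pkt)
```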
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content
1 INPUT chain – packets entering the local host
2 OUTPUT chain – packets output from the local host
3 FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field
1) PREROUTING chain – to translate the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that can change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Figure: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process]
2-3-2 Source: Local Host
[Figure: Outgoing Packets from the local process → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets]
2-3-3 Forwarded Packets
[Figure: Incoming Packets → NAT Table PREROUTING → routing decision (packets for a local resource go to the local host) → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t filter | nat | mangle -P INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING ACCEPT | DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter | nat | mangle -A | -I | -D | -R direction match -j target
Three major things need to be considered: the direction (chain), the match and the target
3-3-2 Direction – Chains
a filter table: INPUT, OUTPUT, FORWARD
b nat table: PREROUTING, POSTROUTING, OUTPUT
c mangle table: ...
3-3-3 Matches - Conditions
1 -p [proto]: tcp | udp | icmp | all
2 -s [IP], -d [IP]
3 --sport [port], --dport [port]
4 -m state --state [state]: NEW | ESTABLISHED | INVALID | RELATED
5 -m multiport [p1,p2,...,p15]
6 -i [iface], -o [oface]
7 ... etc.
3-3-4 Targets - Actions
a filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 7 – Log all the incoming/outgoing TCP packets with to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter – Rules of filter table
Example 8 – Drop all the [syn] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine – Rules of nat table
Example 1 – Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 leaving on ppp0 to be the local ppp0's IP (MASQUERADE is only valid in POSTROUTING)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast: high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties
DES/3DES/AES/Blowfish
[Figure: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back into the plaintext.]
1-3 Hash (Digest) Function
Ensures data integrity
MD5/SHA-1
[Figure: Tom runs Data through the hash function to get Message Digest 1 and sends Data + Message Digest 1; Bob runs the received Data through the same hash function to get Message Digest 2 and compares it with Message Digest 1.]
1-4 Message Authentication Code
Ensures the data integrity
Uses a key to protect the MAC
HMAC/CBC-MAC
[Figure: Tom hashes Data to Message Digest 1, encrypts the digest with the secret key to form the MAC, and sends Data + MAC; Bob hashes the received Data to Message Digest 2, decrypts the MAC with the secret key to recover Message Digest 1, and compares the two.]
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static key
• RSA, Diffie-Hellman
[Figure: clear text is turned into unreadable cipher text by the encryption step]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair.]
Confidentiality check
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair.]
Authenticity check
1-6 Digital Signature
Real world: hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: uses the public key and a hash
1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") goes through a hash (SHA, MD5) to calculate a short message digest, typically 128 bits, from even a long input using a one-way message digest function; the digest is encrypted with the signatory's private key by asymmetric encryption (RSA) to produce the digital signature; message plus digital signature form the signed document]
1-6 Digital Signature - Verifying
[Figure: from the signed document, the message is hashed again to generate a message digest; the digital signature is decrypted with Gianni's public key (from the certificate) by asymmetric decryption to recover the original digest; the two digests are compared]
1-6 Digital Signature
[Figure: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key to produce the digital signature, sent with the data; Bob decrypts the signature with Tom's public key to recover Message Digest 1, hashes the received data into Message Digest 2, and compares the two]
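Added example (not from the slides): the three checks of 1-3, 1-4 and 1-6 in Python, with a plain digest, an HMAC, and a textbook RSA signature over a SHA-1 digest, which is exactly the slide's "encrypt the digest with the private key, decrypt it with the public key" picture. The key pairs, the shared key, the Tom/Mallory roles and the messages are constructed for the demo; the primes are fixed Mersenne primes, not a key generator.

```python
import hashlib
import hmac


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA key pair from two given primes (constructed demo only, no padding)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: inverse of e mod phi(n)
    return (e, n), (d, n)               # (public key, private key)


# Fixed Mersenne primes keep the demo deterministic; n is ~196 bits (Tom) and
# ~188 bits (Mallory), which comfortably holds a 160-bit SHA-1 digest as an integer.
TOM_PUB, TOM_PRIV = toy_rsa_keypair((1 << 89) - 1, (1 << 107) - 1)
MALLORY_PUB, MALLORY_PRIV = toy_rsa_keypair((1 << 61) - 1, (1 << 127) - 1)


def message_digest(data: bytes) -> bytes:
    """1-3 Hash: a one-way digest that anyone, including an attacker, can recompute."""
    return hashlib.sha1(data).digest()


def mac(key: bytes, data: bytes) -> bytes:
    """1-4 MAC: HMAC-SHA1, computable only with the shared secret key."""
    return hmac.new(key, data, hashlib.sha1).digest()


def mac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, data), tag)  # constant-time compare


def sign(priv, data: bytes) -> int:
    """1-6 Creating: hash the data, then 'encrypt' the digest with the private key."""
    d, n = priv
    return pow(int.from_bytes(message_digest(data), "big"), d, n)


def signature_ok(pub, data: bytes, sig: int) -> bool:
    """1-6 Verifying: 'decrypt' the signature with the public key and compare digests."""
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(message_digest(data), "big")


def tamper_scenarios():
    """Tom sends data to Bob; Mallory rewrites it in transit and re-attaches whatever
    check value she can produce. Returns whether Bob's check accepts each case."""
    shared_key = b"tom-bob shared secret"                   # constructed
    original = b"This is the document created by Gianni"
    tampered = b"This is the document created by Mallory"  # constructed

    # Tom computes the three check values over the original data.
    digest_tom = message_digest(original)
    mac_tom = mac(shared_key, original)
    sig_tom = sign(TOM_PRIV, original)

    results = {}
    # Plain hash: Mallory recomputes the digest over her text and ships it with the
    # data. Bob's compare passes, so an unkeyed digest only catches accidental damage.
    received_digest = message_digest(tampered)
    results["hash_accepts_forged"] = message_digest(tampered) == received_digest
    # MAC: Mallory has no key, so she can only forward Tom's tag or tag with a guess.
    results["mac_accepts_forged"] = (
        mac_ok(shared_key, tampered, mac_tom)
        or mac_ok(shared_key, tampered, mac(b"guessed key", tampered))
    )
    # Signature: Mallory can sign with her own private key, but Bob verifies with
    # Tom's public key (from Tom's certificate), so the forgery fails.
    results["signature_accepts_forged"] = (
        signature_ok(TOM_PUB, tampered, sign(MALLORY_PRIV, tampered))
        or signature_ok(TOM_PUB, tampered, sig_tom)
    )
    # Untampered data still verifies everywhere.
    results["digest_accepts_genuine"] = message_digest(original) == digest_tom
    results["mac_accepts_genuine"] = mac_ok(shared_key, original, mac_tom)
    results["signature_accepts_genuine"] = signature_ok(TOM_PUB, original, sig_tom)
    return results


if __name__ == "__main__":
    for name, accepted in tamper_scenarios().items():
        print(f"{name}: {accepted}")
```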
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Figure: the certification server (CA) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user. Left cert signed by CA; right cert signed by CA; CA public key signed by CA]
1-7-1 CA Certificate Example
[Figure: the CA private key signs Left's and Right's certificates; Left and Right each hold the CA public key and trust each other's certificate because it is signed by the CA]
1-7-2 SSL/TLS
[Figure: each side holds its own private key and the peer's public key; clear text is encrypted (Cipher 1, Cipher 2), transmitted over the public network, and decrypted back to clear text on the other side]
• Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm methods: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four throughput/rate charts. 3DES-CBC and AES128-CBC over packet sizes 128 to 1280 bytes (throughput 0-80, rate 0-8), and 3DES-CBC and AES128-CBC over packet sizes 16 to 144 bytes (throughput 0-8, rate 0-2.5); legend: = HW cipher]
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration or busy engine causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | payload, with the encrypted portion marked]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: the OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) of both endpoints; OpenVPN runs at the application layer and the TUN device sits at the network layer (3rd)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Figure: the OSI stacks of both endpoints; OpenVPN runs at the application layer, TAP sits at the data-link layer (2nd) where TUN sits at the network layer (3rd); on each side eth1 and tap0 are bridged, eth0 carries the tunnel]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. VPN Server (also the CA/TLS server) with ixp0 192.168.12.201 and ixp1 10.0.1.254, the gateway of LAN A (IP 10.0.1.1/24); VPN Client with ixp0 192.168.12.202 and ixp1 10.0.2.254, the gateway of LAN B (IP 10.0.2.1/24); the client connects to the server over the VPN tunnel]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module; if it is not there, ls /dev/net and look for a character device "tun": mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tun-server.conf
  [At VPN client] vi /etc/openvpn/tun-client.conf
3-2 TUN Server Configuration
• Local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routings: vi /etc/openvpn/tun-server.sh; chmod +x /etc/openvpn/tun-server.sh
  [At VPN client] vi /etc/openvpn/tun-client.sh; chmod +x /etc/openvpn/tun-client.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun-server.conf &
  [At VPN client] openvpn --config /etc/openvpn/tun-client.conf &
(Callout: the 2nd argument of "ifconfig", which is now "10.0.2.254")
• Create the TAP configuration files: vi /etc/openvpn/tap-server.conf
  [At VPN client] vi /etc/openvpn/tap-client.conf
3-3 TAP Configuration - VPN Server
(Callout: mark this line if both VPN networks are in the same subnet)
3-3 TAP Configuration - VPN Server
• Edit the static routings: vi /etc/openvpn/tap-server.sh
  [At VPN client] vi /etc/openvpn/tap-client.sh; chmod +x /etc/openvpn/tap-client.sh
(Callout: pointed to the kernel routing, br0 = 10.0.1.254)
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap-server.conf &
  [At VPN client] openvpn --config /etc/openvpn/tap-client.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txx-server.conf
txx-client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1: Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2: System status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3: Alarm setting: Temperature → Voltage → Burn-in throughput
F4: Configuration key
F5: Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others which use the R-Link chipset
Thank You
UART and special baud rate support
3. Special baud rate support
• There are two Moxa private ioctl commands for setting up special baud rates
Function:
• MOXA_SET_SPECIAL_BAUD_RATE
• MOXA_GET_SPECIAL_BAUD_RATE
• If you use this ioctl to set a special baud rate, the termios cflag will be B4000000, in which case the B4000000 define will be different
• If the baud rate you get from termios (or from calling tcgetattr()) is B4000000, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate
Upgrading the Firmware
New utility: upfirm
Upgrading the Firmware
1. Introduction
• UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM
Upgrading the Firmware
2. Description
• In V1.4.3 or later firmware, UC-7400 adds a new utility, "upfirm"
• The utility upfirm is designed for upgrading the firmware (including the boot loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
  upramdisk
  cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
  upfirm uc7400-xxx.frm
(Refer to the next slide to see the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it (Y/N)? Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 - 100 % complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
(Callout: press any key to reboot the system)
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot-up after upgrading the firmware takes a long time.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus Wireless LAN card first
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
# Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
# This file is a binary file and will be read on loading the rt2500.o module
# Use "vi -b RT2500STA.dat" to modify the settings according to your needs
# 1) set NetworkType to Adhoc for using Adhoc mode, otherwise Infrastructure
# 2) set Channel to 0 for auto-select in Infrastructure mode
# 3) set SSID for connecting to your access point
# 4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
# 5) EncrypType can be NONE, WEP, TKIP, AES
# for more information refer to the Readme file
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: sets the channels for your particular country region
WirelessMode: sets the wireless mode
SSID: sets the softAP SSID
NetworkType: sets the wireless operation mode
Channel: sets the channel
AuthMode: sets the authentication mode
EncrypType: sets the encryption type
DefaultKeyID: sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: set the strings Key1 to Key4
WpaPsk: WPA pre-shared key
TxBurst: enables or disables TxBurst
TurboRate: enables or disables TurboRate
BGProtection: sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: enables or disables the short slot time
TxRate: sets the TxRate
RTSThreshold: sets the RTS threshold
FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
• Introduction
• Installation procedure
• Using the BASH shell
• GDB debug tool: Insight
Windows Tool Chain
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files, you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
[Figure: x86 PC on one side, IXP-422 target on the other]
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP)
Installation tips
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities
• Moxa Bash Shell
• GDB debug tool: Insight
  • http://sources.redhat.com/insight
• This process could take from 5 to 30 minutes depending on the speed of your system
[Figure: x86]
Step 2: Coding, Compiling and Debugging
• Code with a C/C++ program on the Moxa Bash Shell (PC Windows Tool Chain)
• Compile/link the source code with the tool chain
  • Compiler path setting: PATH=/usr/local/mxscaleb/bin
  • Compiling Hello.c
Step 3: Deployment
Upload the program to the UC
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 side)
• chmod +x hello-release
• ./hello-release
[Figure: UC console showing "chmod +x hello-release", "./hello-release" and the output "Hello". PC (Moxa Bash Shell) and UC connected over Ethernet: 1. compile with -ggdb on the PC; 2. GDB debug server on the UC; 3. Insight tool (GDB client) on the PC; 4. target remote]
Debugging with GDB
gdbserver 192.168.3.127:2000 hello-debug
Debugging with GDB
# chmod +x hello-debug
# gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1: PC (Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC
Step 2: UC: call hello-debug with the command
  gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC (Insight): run the GDB client
• Open the hello-debug file
• Connect to target
  • GDB Server/TCP
  • 192.168.3.200
  • 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
• A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
• "Netfilter" manages only the packet headers, not the content
• iptables is currently one of many firewall/NAT solutions: an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1. Quick View of iptables
• Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
• Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
1. Quick View of iptables
• 3rd generation firewall on Linux
  - "ipfwadm" on Linux kernel V2.0.X
  - "ipchains" on Linux kernel V2.2.X
  - "ipchains" / "iptables" on Linux kernel V2.4.X
  - "iptables" on Linux kernel V2.6.X
• Supports basic packet filtering as well as connection state tracking
• UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Figure: flow chart. Packets are tested against Rule 1; on a match Action 1 is taken, otherwise Rule 2 is tested (Action 2 on a match), and so on down to Rule 10 (Action 10 on a match); a packet that matches no rule gets the default policy]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets

Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
With the second ordering, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port.
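Added example (not from the slides): a small first-match evaluator in Python that runs the slide's two rule orderings against sample packets and renders each ordering as the equivalent iptables -A commands of section 4-1, so the -A order can be compared with the evaluation order. The packet model, the 10.0.0.5 client and the packet samples are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

# A chain is an ordered list of (match, target). A match is a dict with any of
# src (IP or CIDR), proto (tcp/udp/icmp) and dport; an empty dict matches everything.
# A packet is a dict with src, proto and (for tcp/udp) dport. Constructed model of
# the slide's flow chart, not the kernel's real matching code.


def rule_matches(match, packet):
    if "src" in match and ip_address(packet["src"]) not in ip_network(match["src"]):
        return False
    if "proto" in match and packet["proto"] != match["proto"]:
        return False
    if "dport" in match and packet.get("dport") != match["dport"]:
        return False
    return True


def evaluate(chain, packet, policy="ACCEPT"):
    """2-1 First match: walk the chain top to bottom; the first matching rule decides,
    and a packet that matches nothing gets the chain's default policy (-P)."""
    for match, target in chain:
        if rule_matches(match, packet):
            return target
    return policy


def to_iptables(chain_name, chain, table="filter"):
    """Render the chain as -A commands: the order of -A is the order of evaluation."""
    cmds = []
    for match, target in chain:
        parts = ["iptables", "-t", table, "-A", chain_name]
        if "proto" in match:
            parts += ["-p", match["proto"]]
        if "src" in match:
            parts += ["-s", match["src"]]
        if "dport" in match:
            parts += ["--dport", str(match["dport"])]
        parts += ["-j", target]
        cmds.append(" ".join(parts))
    return cmds


ATTACKER = "192.168.1.100"
WWW_REQUEST = {"proto": "tcp", "dport": 80}

# Slide ordering 1: drop the attacker before accepting WWW from everyone.
CHAIN_BLOCKS_ATTACKER = [
    ({"src": ATTACKER}, "DROP"),   # rule 1
    (WWW_REQUEST, "ACCEPT"),       # rule 2
    ({}, "DROP"),                  # rule 3: all non-WWW packets
]
# Slide ordering 2: the WWW accept comes first, so the attacker's port-80 packets
# are accepted by rule 1 and never reach the drop in rule 2.
CHAIN_LETS_ATTACKER_IN = [
    (WWW_REQUEST, "ACCEPT"),
    ({"src": ATTACKER}, "DROP"),
    ({}, "DROP"),
]


def compare_orderings(packet):
    return {
        "drop_first": evaluate(CHAIN_BLOCKS_ATTACKER, packet),
        "accept_first": evaluate(CHAIN_LETS_ATTACKER_IN, packet),
    }


if __name__ == "__main__":
    attacker_www = {"src": ATTACKER, "proto": "tcp", "dport": 80}   # constructed
    client_www = {"src": "10.0.0.5", "proto": "tcp", "dport": 80}    # constructed
    print("attacker ->", compare_orderings(attacker_www))
    print("client   ->", compare_orderings(client_www))
    for cmd in to_iptables("INPUT", CHAIN_BLOCKS_ATTACKER):
        print(cmd)
```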
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets, look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain: packets entering the local host
2. OUTPUT chain: packets output from the local host
3. FORWARD chain: packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field.
1) PREROUTING chain: to translate the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Figure: Incoming packets → NAT table PREROUTING → Filter table INPUT → Local process]
2-3-2 Source: Local Host
[Figure: Outgoing packets from the local host → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Sent out]
2-3-3 Forwarded Packets
[Figure: Incoming packets → NAT table PREROUTING → Filter table FORWARD → NAT table POSTROUTING → Other hosts; the local resource is not on the path]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
(Callout: default policy)
3-1 Install iptables
(Callout: clear the current policy)
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R <direction> <match> -j <target>
3 major things need to be considered: direction, match and target
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1: Accept all the packets incoming from the lo interface
  iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2: Accept all the TCP packets incoming from IP = 192.168.0.1
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 3: Accept all the TCP packets incoming from the network 192.168.1.0/24
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4: Drop all the TCP packets incoming from IP = 192.168.1.25
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter - Rules of the filter table
Example 5: Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
  iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 7: Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
  iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter - Rules of the filter table
Example 8: Drop all the [SYN] packets from IP = 192.168.100.200
  iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9: Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
  iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10: Do not respond to "ping"
  iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: ICMP "ping" burst
  iptables -t filter -P INPUT DROP
  iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 12: Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
  iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of the filter table
Example 13: Check the packet integrity
  iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14: Enable the "passive mode" FTP service to a host
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests of port 80 to port 8080
Example 2 – Masquerade the incoming packets from 192.168.1.0/24 to be local ppp0's IP
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
(MASQUERADE is only valid in the POSTROUTING chain, as listed under 3-3-4 Targets)
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: (n-1)n/2 keys
• DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext with the secret key; the ciphertext goes to Bob, who decrypts it with the same secret key to recover the plaintext]
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5/SHA-1
[Diagram: Tom runs the data through the hash function to obtain Message Digest 1 and sends Data + Message Digest 1; Bob runs the received data through the same hash function to obtain Message Digest 2 and compares it with Message Digest 1]
1-4 Message Authentication Code
• Ensure the data integrity
• Use a key to protect the MAC
• HMAC/CBC-MAC
[Diagram: Tom hashes the data to Message Digest 1 and encrypts it with the secret key into the MAC, then sends Data + MAC; Bob hashes the received data to Message Digest 2, decrypts the MAC with the same secret key to recover Message Digest 1, and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• "Public Key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear-text and cipher-text
• The two keys are interchangeable: all algorithms make no difference between public and private key; when a key pair is generated, any of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA/Diffie-Hellman
[Diagram: clear text → encryption → cipher text]
1-5 Asymmetric Data Encryption
[Diagram – confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair)]
1-5 Asymmetric Data Encryption
[Diagram – authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair)]
1-6 Digital Signature
Real World – Hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – use the public key and hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") is run through a one-way message digest function (hash: SHA, MD5) to produce the message digest (typically 128 bits); the digest is transformed with the signatory's private key by asymmetric encryption (RSA) into the digital signature; the signed document is the message plus the digital signature]
• Calculate a short message digest from even a long input using a one-way message digest function (hash)
1-6 Digital Signature - Verifying
[Diagram: from the signed document, the verifier hashes the message to regenerate the message digest, decrypts the digital signature with Gianni's public key (from the certificate) to recover the signed digest, and compares the two]
1-6 Digital Signature
[Diagram: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key, producing the digital signature that is sent together with the data; Bob hashes the received data to Message Digest 2, decrypts the digital signature with Tom's public key to recover Message Digest 1, and compares the two]
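The sign and verify steps of the two diagrams above, as an added example that is not part of the original slides: hash the document, transform the digest with the signatory's private key, and let the verifier apply the public key and compare digests. The key pairs are constructed here from Mersenne primes so the script needs no crypto library; it is textbook RSA without a padding scheme, for illustration only, and the impostor key pair is an assumption added for the authenticity check.

```python
# Added example (not from the slides): the sign/verify flow of section 1-6 in
# working code. Textbook RSA over a SHA-1 digest, no padding: for illustration only.
import hashlib
from typing import Dict, Tuple

Key = Tuple[int, int]


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Build (public, private) from two primes; d is the inverse of e mod (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Constructed keys: Gianni's modulus is (2^89-1)(2^107-1), about 196 bits, so a
# 160-bit SHA-1 digest is always smaller than n. A second pair plays an impostor.
GIANNI_PUB, GIANNI_PRIV = make_keypair((1 << 89) - 1, (1 << 107) - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair((1 << 61) - 1, (1 << 127) - 1)


def digest(message: bytes) -> int:
    """'Generate Hash': a short one-way digest of an input of any length."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, private_key: Key) -> int:
    """Digital signature = digest raised to the private exponent (the 'Asymmetric Encryption' box)."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    """Recover the signed digest with the public key and compare with a fresh hash of the data."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def demo() -> Dict[str, bool]:
    """The signed document from the slide, then the three checks a verifier cares about."""
    document = b"This is the document created by Gianni"
    signature = sign(document, GIANNI_PRIV)
    return {
        # the genuine signed document verifies under Gianni's public key
        "valid": verify(document, signature, GIANNI_PUB),
        # any change to the document changes the digest, so the comparison fails (integrity)
        "tampered": verify(document + b"!", signature, GIANNI_PUB),
        # a signature made with another private key does not verify under Gianni's key (authenticity)
        "forged": verify(document, sign(document, IMPOSTOR_PRIV), GIANNI_PUB),
    }


if __name__ == "__main__":
    print(demo())
```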
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Diagram: the certification server (CA) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Diagram: the CA private key signs Left's certificate and Right's certificate; Left and Right each hold the CA public key and trust the CA]
1-7-2 SSL/TLS
[Diagram: clear text → encrypt (Cipher 1) → encrypt (Cipher 2) → transmission over the public network → decrypt (Cipher 2) → decrypt (Cipher 1) → clear text, each side holding its own private key and the peer's public key]
• Ensures confidentiality
• And integrity if digitally signed
• Depending on how public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput (rate) of 3DES-CBC and AES128-CBC versus packet size, one pair of charts for 128 to 1280 bytes and one pair for 16 to 144 bytes; the hardware cipher series is marked "= HW Cipher"]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• VPNs encrypt all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• VPNs allow the use of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000-SP4 / Windows XP-SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• In use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP payload, where SeqN and the IP payload are encrypted and the HMAC covers the IV and the encrypted part]
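The receive side of the packet layout above, as an added example that is not OpenVPN's own code: verify the HMAC over IV plus ciphertext first, decrypt, then reject any sequence number that is not higher than the last one accepted. It assumes encrypt-then-MAC with HMAC-SHA1, and substitutes a keystream derived from HMAC-SHA1(cipher_key, IV || counter) for the block cipher OpenVPN actually uses (Blowfish-CBC by default), so it runs with the Python standard library alone.

```python
# Added example (not OpenVPN's own code): receive-side handling of the packet
# layout in section 2-2, HMAC | IV | SeqN | payload, where SeqN and payload are
# encrypted and the HMAC covers the IV plus the encrypted part.
# ASSUMPTION: the real cipher is a block cipher (Blowfish-CBC); this model
# substitutes an HMAC-SHA1 based keystream so it needs only the standard library.
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

HMAC_LEN = 20   # HMAC-SHA1 tag
IV_LEN = 8      # sent in clear, randomized per packet
SEQ_LEN = 8     # 64-bit sequence number, encrypted together with the payload


def _keystream(cipher_key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in stream cipher: concatenated PRF blocks keyed by (cipher_key, IV, counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(cipher_key, iv + struct.pack(">I", counter), hashlib.sha1).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def seal(cipher_key: bytes, hmac_key: bytes, seq: int, payload: bytes,
         iv: Optional[bytes] = None) -> bytes:
    """Sender side: HMAC || IV || ENC(SeqN || payload)."""
    if iv is None:
        iv = os.urandom(IV_LEN)
    plaintext = struct.pack(">Q", seq) + payload
    ciphertext = _xor(plaintext, _keystream(cipher_key, iv, len(plaintext)))
    tag = hmac.new(hmac_key, iv + ciphertext, hashlib.sha1).digest()
    return tag + iv + ciphertext


class Receiver:
    """Authenticate first, then decrypt, then drop replayed sequence numbers."""

    def __init__(self, cipher_key: bytes, hmac_key: bytes) -> None:
        self.cipher_key = cipher_key
        self.hmac_key = hmac_key
        self.highest_seq = 0   # simplest replay protection: SeqN must strictly increase

    def open(self, packet: bytes) -> Tuple[Optional[bytes], str]:
        """Return (payload, "ok") or (None, reason) for a rejected packet."""
        if len(packet) < HMAC_LEN + IV_LEN + SEQ_LEN:
            return None, "truncated"
        tag = packet[:HMAC_LEN]
        iv = packet[HMAC_LEN:HMAC_LEN + IV_LEN]
        ciphertext = packet[HMAC_LEN + IV_LEN:]
        expected = hmac.new(self.hmac_key, iv + ciphertext, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad hmac"   # unauthenticated bytes are never decrypted
        plaintext = _xor(ciphertext, _keystream(self.cipher_key, iv, len(ciphertext)))
        seq = struct.unpack(">Q", plaintext[:SEQ_LEN])[0]
        if seq <= self.highest_seq:
            return None, "replay"
        self.highest_seq = seq
        return plaintext[SEQ_LEN:], "ok"


def demo() -> Dict[str, Tuple[Optional[bytes], str]]:
    """Constructed keys and packets: in-order delivery, a replay, and a one-bit tamper."""
    cipher_key, hmac_key = b"c" * 16, b"h" * 20
    rx = Receiver(cipher_key, hmac_key)
    p1 = seal(cipher_key, hmac_key, 1, b"IP packet #1")
    p2 = seal(cipher_key, hmac_key, 2, b"IP packet #2")
    tampered = bytearray(p2)
    tampered[-1] ^= 0x01   # flip one ciphertext bit; the HMAC check must catch it
    return {
        "first": rx.open(p1),
        "second": rx.open(p2),
        "replayed": rx.open(p1),
        "tampered": rx.open(bytes(tampered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```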
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic Firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram: the OSI stacks (physical up to application) of both peers; OpenVPN runs at the application layer and exchanges packets with the network layer through the TUN device (layer 3)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 – create an Ethernet bridge
brctl addif br0 eth1 – connect interface eth1 as a port
brctl addif br0 tap0 – connect virtual interface tap0 as a port
[Diagram: the OSI stacks of both peers with bridging; OpenVPN at the application layer feeds the TAP device (layer 2) instead of TUN (layer 3), and each side carries the labels eth0, eth1 and tap0]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X509 Dynamic Keys
3-1 Getting Started
[Diagram of the lab setup:
LAN A (hosts IP 10.0.1.1/24, gw 10.0.1.254) – [VPN Server], also the [CA/TLS Server], with ixp1 10.0.1.254 and ixp0 192.168.12.201
VPN tunnel between ixp0 192.168.12.201 and ixp0 192.168.12.202 (the client connects to the server)
[VPN Client] with ixp0 192.168.12.202 and ixp1 10.0.2.254 – LAN B (hosts IP 10.0.2.1/24, gw 10.0.2.254)]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the ciphers/authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• Local/Remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf &
  openvpn --config /etc/tunclient.conf &
• 2nd argument of "ifconfig", which is now "10.0.2.254"
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routings: vi /etc/openvpn/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
  openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits … etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
• Copy the "easy-rsa" directory to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function, making it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range 0 to 300 VDC & right side for the low range 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
• F3 Alarm Setting: Temperature → Voltage → burning throughput
• F4 Configuration Key
• F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier / Model name
ASUS / WL-107g
CNET / CWC-854 (181D version)
Edimax / EW-7108PCg
Amigo / AWP-914WG
Gigabyte / GN-WMKG
Others which use the R-Link chip set
Thank You
Upgrading the Firmware
New utility: upfirm
Upgrading the Firmware
1. Introduction: UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com)
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM
Upgrading the Firmware
2. Description
• In V1.43 or later firmware, UC-7400 newly adds a utility "upfirm"
• The utility upfirm is designed for upgrading the firmware (including boot-loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.43, you can find the utility on the Moxa website
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
upfirm uc7400-xxx.frm
(Reference the next slide to see the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-15.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file context is OK
This step will destroy all your firmware
Do you want to continue it (Y/N)? Y
MTD device [/dev/mtd6] erase 128 Kibyte 20000 – 100% complete
Wait to write file ... Completed 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot system
Note: DO NOT power off the UC until the Ready LED is ON again. It will take much time for the first boot up after upgrading the firmware
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
        address 192.168.5.127
        network 192.168.5.0
        netmask 255.255.255.0
        broadcast 192.168.5.255
Step 1: Unplug the CardBus Wireless LAN card first
Step 2: Configure the default IP setting profile
vi /etc/network/interfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
# Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
# This file is a binary file and will be read on loading the rt2500.o module
# Use vi -b RT2500STA.dat to modify settings according to your need
# 1) set NetworkType to Adhoc for using Adhoc-mode, otherwise using Infrastructure
# 2) set Channel to 0 for auto-select on Infrastructure mode
# 3) set SSID for connecting to your Access-point
# 4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
# 5) EncrypType can be NONE, WEP, TKIP, AES
# for more information refer to the Readme file
Step 3: Configure the WLAN parameters
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat
CountryRegion – Sets the channels for your particular country region
WirelessMode – Sets the wireless mode
SSID – Sets the softAP SSID
NetworkType – Sets the wireless operation mode
Channel – Sets the channel
AuthMode – Sets the authentication mode
EncrypType – Sets the encryption type
DefaultKeyID – Sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str – Sets the strings Key1 to Key4
TxBurst – WPA pre-shared key
WpaPsk – Enables or disables TxBurst
TurboRate – Enables or disables TurboRate
BGProtection – Sets 11b/11g protection (this function is for engineering testing only)
ShortSlot – Enables or disables the short slot time
TxRate – Sets the TxRate
RTSThreshold – Sets the RTS threshold
FragThreshold – Sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC
The following topics are covered in this appendix
• Introduction
• Installation Procedure
• Using the BASH Shell
• GDB debug tool (Insight)
Windows Tool Chain
1. Operating System: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to login as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
[Diagram: x86 PC → IXP-422 target]
Step 1: Setting up Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP)
Installation tips
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities
• Moxa Bash Shell
• GDB debug tool (Insight)
• http://sources.redhat.com/insight
• This process could take from 5 to 30 minutes, depending on the speed of your system
Step 2: Coding, Compiling and Debugging
• Code a C/C++ program on the Moxa Bash Shell (PC Windows Tool Chain)
• Compile/link the source codes with the tool chain
  • Compiler path setting: PATH=/usr/local/mxscaleb/bin
  • Compiling Hello.c
Step 3: Deployment
Upload the program to the UC
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 site)
• chmod +x hello-release
• ./hello-release
chmod +x hello-release
./hello-release
Hello
Debugging with GDB
[Diagram: PC and UC connected by Ethernet. PC (Moxa Bash Shell): 1. compile with -ggdb; 3. Insight tool (GDB client); 4. target remote. UC: 2. GDB debug server]
gdbserver 192.168.3.127:2000 hello-debug
Debugging with GDB
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): Compile the program with the -ggdb option, then upload it to the UC
Step 2 (UC): Call hello-debug with the command gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): Run the GDB client
• Open the hello-debug file
• Connect to target
  • GDB Server/TCP
  • 192.168.3.200
  • 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
• A user-space command to set up/maintain the "Netfilter" sub-system of the kernel
• "Netfilter" manages only the packet headers, not the content
• iptables is currently one of many Firewall/NAT solutions: an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1. Quick View of iptables
• Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains
• Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table
1. Quick View of iptables
• 3rd generation firewall on Linux
  – "ipfwadm" on Linux Kernel V2.0.X
  – "ipchains" on Linux Kernel V2.2.X
  – "ipchains"/"iptables" on Linux Kernel V2.4.X
  – "iptables" on Linux Kernel V2.6.X
• Supports basic packet filtering as well as connection state tracking
• UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
[Flowchart: each packet is tested against Rule 1, Rule 2, … Rule 10 in order; on the first "Yes" the corresponding action (Action 1, Action 2, … Action 10) is taken and no later rule is consulted; if every rule answers "No", the default policy applies]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
With the rules in the wrong order:
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
192.168.1.100 is able to use the WWW service or to attack the WWW service port
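The first-match evaluation shown on this slide, as an added example that is not part of the training material: a small Python model of a chain with a default policy replays both rule orderings above and, going a step further, the hands-on Examples 3 and 4 appended in the order the slides list them. The Packet and Rule fields, the visitor address 10.1.2.3 and the sample packets are constructed for the demonstration.

```python
# Added example (not from the training slides): a model of first-match evaluation
# in an iptables chain. Rules are tried top to bottom, the first match decides the
# verdict, and the chain's default policy (-P) applies only when nothing matched.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields the rules inspect (Netfilter does not look at content)."""
    src: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One rule: every condition given must hold; None means 'any' (like omitting -s/-p/--dport)."""
    target: str                       # "ACCEPT" or "DROP"
    src: Optional[str] = None         # host or CIDR, like -s
    proto: Optional[str] = None       # like -p
    dport: Optional[int] = None       # like --dport
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto not in (None, "all") and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Chain:
    """A built-in chain such as filter/INPUT: an ordered rule list plus a default policy."""

    def __init__(self, policy: str, rules: List[Rule]) -> None:
        self.policy = policy
        self.rules = list(rules)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:          # first match has the highest priority
            if rule.matches(pkt):
                return rule.target
        return self.policy               # no rule matched: default policy


ATTACKER = "192.168.1.100"   # the host the slide wants to keep off the WWW server

# Correct ordering from section 2-1: the host-specific DROP comes first.
CORRECT = Chain("DROP", [
    Rule("DROP", src=ATTACKER, comment="Rule 1: drop packets from 192.168.1.100"),
    Rule("ACCEPT", proto="tcp", dport=80, comment="Rule 2: accept WWW requests from all hosts"),
    Rule("DROP", comment="Rule 3: drop all non-WWW packets"),
])

# Wrong ordering from the same slide: the broad ACCEPT shadows the DROP behind it.
WRONG = Chain("DROP", [
    Rule("ACCEPT", proto="tcp", dport=80, comment="Rule 1: accept WWW requests from all hosts"),
    Rule("DROP", src=ATTACKER, comment="Rule 2: drop packets from 192.168.1.100"),
    Rule("DROP", comment="Rule 3: drop all non-WWW packets"),
])

# Hands-on Examples 3 and 4 appended (-A) in the order listed on the slides: the
# DROP for 192.168.1.25 never fires because the /24 ACCEPT above it matches first.
HANDS_ON_3_4 = Chain("DROP", [
    Rule("ACCEPT", src="192.168.1.0/24", proto="tcp", comment="Example 3"),
    Rule("DROP", src="192.168.1.25", proto="tcp", comment="Example 4"),
])

# Constructed sample packets; 10.1.2.3 stands for an ordinary visitor.
SAMPLES = {
    "attacker_www": Packet(ATTACKER, "tcp", 80),
    "attacker_ssh": Packet(ATTACKER, "tcp", 22),
    "visitor_www": Packet("10.1.2.3", "tcp", 80),
    "visitor_ftp": Packet("10.1.2.3", "tcp", 21),
    "lan_host_25": Packet("192.168.1.25", "tcp", 22),
}


def evaluate(chain: Chain) -> Dict[str, str]:
    """Verdict of the given chain for each sample packet."""
    return {name: chain.verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("correct", CORRECT), ("wrong", WRONG), ("examples 3+4", HANDS_ON_3_4)):
        print(label, evaluate(chain))
```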
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. The place where we actually take action against packets, look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets: to translate the packet's source field or destination field
1) PREROUTING chain – to translate the dst IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works for locally produced packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
[Diagram: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process]
2-3-2 Source Local Host
[Diagram: Outgoing Packets (from the local process) → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets]
2-3-3 Forwarded Packets
[Diagram: Incoming Packets → NAT Table PREROUTING → routing decision (Local Resource or Other Hosts) → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts]
2-4 State Machine
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} [direction] [match] -j [target]
3 major things need to be considered: direction, match, target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using this exported file (it is not a standard script file). Please refer to the Hands-On practice
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
   1) Packet Filter
   2) NAT Machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all the packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of the filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to the local ports 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 7 – Log all the incoming/outgoing TCP packets to/from port 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC-7110 does not support the target "LOG".
4-1 Packet Filter – Rules of the filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping" (drop ICMP echo requests, type 8):
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit an ICMP "ping" burst (default policy DROP, then accept at most 6 per minute with a burst of 10):
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 12 – Accept the ESTABLISHED and RELATED packets of the local host; drop the INVALID packets and the NEW packets that try to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of the filter table
Example 13 – Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "Passive Mode" FTP service to a host (the FTP connection-tracking helper marks the data connection as RELATED):
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests for port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 that leave via ppp0 with the local ppp0 IP (MASQUERADE is only valid in the POSTROUTING chain):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
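The hands-on rules gathered into the kind of rule script that 3-4 recommends, as an added example that is not a Moxa script: the interface names, the LAN 192.168.127.0/24 and the web server 192.168.127.10 are assumptions drawn from the NAT examples, and IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example for the hands-on section; not a Moxa script. Rebuilds the
# filter and nat rules from scratch on every run, which is the script-file
# approach 3-4 recommends over editing the exported rule file.
# Assumed topology: eth0 = public side (60.248.66.75, from NAT example 3),
# eth1 = LAN 192.168.127.0/24 with the web server 192.168.127.10.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.127.0/24}"
OUT_IP="${OUT_IP:-60.248.66.75}"
WEB_SRV="${WEB_SRV:-192.168.127.10}"

# Start from an empty rule set so the script is idempotent.
flush_all() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

# 3-2: default-deny for what the box receives and forwards (2-1: the policy
# is what remains after every rule has failed to match).
set_policies() {
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

# 4-1 rules, ordered for first-match: loopback and the state checks first,
# then the specific services.
filter_rules() {
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    # SSH to the UC only from the LAN side
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 22 \
        -m state --state NEW -j ACCEPT
    # ping allowed but rate-limited (example 11); echo-request = type 8
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 \
        -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # forwarding: LAN -> WAN, replies, and the DNATed web traffic only
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SRV" \
        --dport 80 -m state --state NEW -j ACCEPT
}

# 4-2: DNAT public :80 to the web server (PREROUTING), SNAT the LAN when it
# leaves through the WAN (POSTROUTING); FORWARD above sees post-DNAT addresses.
nat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 \
        -j DNAT --to "${WEB_SRV}:80"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to "$OUT_IP"
}

apply_all() {
    flush_all
    set_policies
    filter_rules
    nat_rules
}

# Only touch the live kernel when explicitly asked, so the file can be
# sourced for inspection (APPLY=1 ./firewall.sh).
if [ "${APPLY:-0}" = 1 ]; then
    modprobe ip_conntrack_ftp 2>/dev/null   # FTP helper, as in example 14
    echo 1 > /proc/sys/net/ipv4/ip_forward  # the UC routes between eth0 and eth1
    apply_all
fi
```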
Thank You
OpenVPN 2.0 – Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation.
Integrity
• Ensure that the message has not been modified during the transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify who is the specific individual behind that entity.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
Fast: high efficiency for data transmission.
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties.
DES / 3DES / AES / Blowfish
[Diagram: Tom encrypts the plaintext with the secret key; the ciphertext travels to Bob, who decrypts it with the same secret key.]
1-3 Hash (Digest) Function
Ensure Data Integrity
MD5 / SHA-1
[Diagram: Tom computes Message Digest 1 from the data with the hash function and sends data + digest; Bob computes Message Digest 2 from the received data with the same hash function and compares it with Message Digest 1.]
1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMAC / CBC-MAC
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with the secret key to form the MAC, then sends data + MAC; Bob decrypts the MAC with the secret key, hashes the received data into Message Digest 2 and compares the two digests.]
1-5 Asymmetric Encryption
Things to remember:
• Key pair – public / private keys.
• In a session, one key is used for encryption and the other one for decryption.
• The "public key" can be deployed everywhere.
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to the clear text and the cipher text.
• The two keys are interchangeable. The algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private.
• Less efficient than a static (symmetric) key.
• RSA / Diffie-Hellman
[Diagram: clear text → encryption → cipher text]
1-5 Asymmetric Data Encryption
[Diagram – Confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair).]
1-5 Asymmetric Data Encryption
[Diagram – Authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair).]
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user. Each certificate carries a public key and the CA's digital signature.]
1-7-1 CA Certificate Example
[Diagram: the CA holds its private key. Left and Right each hold the CA public key (signed by the CA itself) and their own certificate signed by the CA; Left trusts Right's certificate and Right trusts Left's, because both are signed by the CA.]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair and the peer's public key. Clear text → encrypt → Cipher 1 → encrypt → Cipher 2 → transmission over the public network → decrypt → Cipher 1 → decrypt → clear text.]
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too.
1-8-2 Performance
[Figure: throughput (rate) of 3DES-CBC and AES128-CBC versus packet size, software versus hardware cipher (= HW Cipher); one pair of plots for packet sizes 128 to 1280 bytes and one for 16 to 144 bytes.]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES / AES: 64 bytes
1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• io – correctness test
• io 0 5000 – stability test
• io 1 – golden pattern
• io 2 20000 – performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.).
A VPN allows the usage of protocols which are insecure by themselves.
VPNs cannot be controlled and logged easily because of their encrypted nature.
2-2 Why OpenVPN
Usability:
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT / DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms:
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role:
• Uses the kernel routing
• Multiple clients
A user-space program:
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000 / 1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
• Static Key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialisation vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP payload – the SeqN and the IP payload are encrypted, and the HMAC is computed over the rest of the packet.]
2-2 OpenVPN vs IPSec
OpenVPN:
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec:
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic, firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses the TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN.
Uses the kernel routing to forward the packets.
[Diagram: OSI stacks of both hosts (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN sits at the application layer and the TUN device at layer 3 (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
Bridge tools (brctl) are required to create the virtual adapters.
Need to create a script to bind eth1 and tap0 together into a bridged device called br0.
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 – create an Ethernet bridge
brctl addif br0 eth1 – connect interface eth1 as a port
brctl addif br0 tap0 – connect virtual interface tap0 as a port
[Diagram: OSI stacks of both hosts with bridging; OpenVPN at the application layer, TUN at layer 3 and TAP at layer 2; on each host eth1 and tap0 are bridged, while eth0 carries the tunnel.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN – this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Topology diagram: LAN A (host IP 10.0.1.1/24, gw 10.0.1.254) – ixp1 10.0.1.254 [VPN Server, also CA / TLS Server] ixp0 192.168.12.201 – VPN tunnel – ixp0 192.168.12.202 [VPN Client] ixp1 10.0.2.254 – LAN B (host IP 10.0.2.1/24, gw 10.0.2.254). The VPN client connects to the VPN server.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net – look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf (vi /etc/sysctl.conf) and set "net.ipv4.ip_forward = 1"
Create / start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the supported ciphers / authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun-server.conf
[At VPN Client] vi /etc/openvpn/tun-client.conf
3-2 TUN Server Configuration
The local / remote VPN IP addresses must be specified.
It is NECESSARY to specify the server address at the VPN client.
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tun-server.sh; chmod +x /etc/tun-server.sh
[At VPN Client] vi /etc/openvpn/tun-client.sh; chmod +x /etc/tun-client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/tun-server.conf & (at the VPN client: openvpn --config /etc/tun-client.conf &)
The 2nd argument of "ifconfig" (the remote tunnel endpoint), which is now "10.0.2.254".
Create the TAP configuration files: vi /etc/openvpn/tap-server.conf
[At VPN Client] vi /etc/openvpn/tap-client.conf
3-3 TAP Configuration – VPN Server
Mark this line if both VPN networks are in the same subnet.
3-3 TAP Configuration – VPN Server
Edit the static routes: vi /etc/openvpn/tun-server.sh
[At VPN Client] vi /etc/openvpn/tap-client.sh; chmod +x /etc/tap-client.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap-server.conf & (at the VPN client: openvpn --config /etc/openvpn/tap-client.conf &)
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf – pre-input the default_days, default_bits, ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client.
Have the second client certified the same way.
3-4-2 OpenVPN – "easy-rsa" tools
Copy the "easy-rsa" tools to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars (source the file): . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server.
Copy the CA certificate, the client key and the client certificate to the VPN client.
The "easy-rsa" tools also work on the UC7400 series.
3-4-3 Configuration File Modification
txx-server.conf
txx-client.conf
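An added example covering both the 3-2 TUN static-key configuration and the 3-4-3 TLS configuration files for the 3-1 topology; it is not Moxa's tun-server.conf, tun-client.conf or txx-*.conf, whose contents the slides do not show. The tunnel addresses 10.8.0.1/10.8.0.2, the extra ta.key HMAC key and the check_files helper are assumptions.

```shell
#!/bin/sh
# Added example, not Moxa's tun-*.conf or txx-*.conf (the slides only name
# those files). Generates OpenVPN 2.0 configs for the 3-1 topology in two
# flavours: tun_* with the pre-shared key of 3-1/3-2, tls_* with the easy-rsa
# files of 3-4-2 plus an assumed extra HMAC key (openvpn --genkey --secret ta.key).
# Tunnel addresses 10.8.0.1/10.8.0.2 are an assumption; the slides reuse the
# LAN gateway addresses (10.0.1.254 / 10.0.2.254) instead.
SERVER_PUB="${SERVER_PUB:-192.168.12.201}"   # VPN server, ixp0 (topology slide)
DIR="${DIR:-/etc/openvpn}"                    # working directory from 3-1
LAN_A="10.0.1.0 255.255.255.0"                # behind the server
LAN_B="10.0.2.0 255.255.255.0"                # behind the client

# Directives shared by both ends and both modes. AES-128-CBC is one of the
# ciphers 1-8-1 lists as hardware-accelerated on the UC-7400.
common_conf() {
    cat <<EOF
dev tun
proto udp
port 1194
cipher AES-128-CBC
auth SHA1
ping 10
ping-restart 60
persist-key
persist-tun
verb 3
EOF
}

# "ifconfig <local> <remote>" sets the tunnel endpoints; "route" adds the
# static route to the far LAN that the slides keep in tun-server.sh.
server_side() { printf 'ifconfig 10.8.0.1 10.8.0.2\nroute %s\n' "$LAN_B"; }
client_side() { printf 'remote %s\nifconfig 10.8.0.2 10.8.0.1\nroute %s\n' "$SERVER_PUB" "$LAN_A"; }

# 3-2: static key, the identical file on both ends.
tun_server_conf() { common_conf; echo "secret $DIR/static.key"; server_side; }
tun_client_conf() { common_conf; echo "secret $DIR/static.key"; client_side; }

# 3-4-3: certificates. dh only on the server; tls-auth direction 0 / 1.
tls_server_conf() {
    common_conf
    cat <<EOF
tls-server
ca $DIR/ca.crt
cert $DIR/server.crt
key $DIR/server.key
dh $DIR/dh1024.pem
tls-auth $DIR/ta.key 0
EOF
    server_side
}
tls_client_conf() {
    common_conf
    cat <<EOF
tls-client
ca $DIR/ca.crt
cert $DIR/client.crt
key $DIR/client.key
tls-auth $DIR/ta.key 1
EOF
    client_side
}

# Pre-start check: every file the config names must exist, and secret
# material (key, secret, tls-auth) must be owner-only. Returns 1 on any problem.
check_files() {
    conf="$1"; rc=0
    for f in $(printf '%s\n' "$conf" | awk '$1 ~ /^(ca|cert|key|dh|secret|tls-auth)$/ {print $2}'); do
        [ -r "$f" ] || { echo "missing: $f" >&2; rc=1; }
    done
    for k in $(printf '%s\n' "$conf" | awk '$1 ~ /^(key|secret|tls-auth)$/ {print $2}'); do
        [ -e "$k" ] || continue
        mode=$(stat -c %a "$k")
        case "$mode" in 600|400) ;; *) echo "too open ($mode): $k" >&2; rc=1 ;; esac
    done
    return $rc
}

# Usage: start_tunnel tls_server_conf tls-server.conf
start_tunnel() {
    conf=$("$1") || return 1
    check_files "$conf" || return 1
    umask 077
    printf '%s\n' "$conf" > "$DIR/$2"
    openvpn --config "$DIR/$2" --daemon
}
```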
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple.
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability.
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM and keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI and HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier – Model name
ASUS – WL-107g
CNET – CWC-854 (181D version)
Edimax – EW-7108PCg
Amigo – AWP-914WG
Gigabyte – GN-WMKG
Others which use the Ralink chipset
Thank You
Upgrading the Firmware
1. Introduction: UC-7400's BIOS, kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com).
• The name of the firmware file has the form uc7400-xxx.frm, with xxx indicating the firmware version.
ATTENTION
• Upgrading the firmware will erase all data on the Flash ROM.
Upgrading the Firmware
2. Description
• In V1.4.3 or later firmware, UC-7400 adds a new utility "upfirm".
• The utility upfirm is designed for upgrading the firmware (including boot loader, kernel, mini file system, user file system and configuration).
• If your firmware version is earlier than V1.4.3, you can find the utility on the Moxa website.
How to upgrade the firmware
Step 1: Type the following commands to enable the RAM disk:
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the RAM disk from the Moxa website.
Step 3: Use the upfirm command to upgrade the kernel and root file system:
upfirm uc7400-xxx.frm
(See the next slide for the upfirm procedure.)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context ...
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it? (Y/N) Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 -- 100 % complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot the system.
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot-up after upgrading the firmware will take much longer than usual.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
Step 1: Unplug the CardBus wireless LAN card first.
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Configure 802.11g Wireless LAN
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat. This file is a binary file and will be read on loading the rt2500.o module. Use "vi -b RT2500STA.dat" to modify the settings according to your needs:
1) Set NetworkType to Adhoc for using ad-hoc mode, otherwise use Infrastructure.
2) Set Channel to 0 for auto-select in Infrastructure mode.
3) Set SSID for connecting to your access point.
4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE.
5) EncrypType can be NONE, WEP, TKIP, AES.
For more information refer to the Readme file.
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion – Sets the channels for your particular country region
WirelessMode – Sets the wireless mode
SSID – Sets the SoftAP SSID
NetworkType – Sets the wireless operation mode
Channel – Sets the channel
AuthMode – Sets the authentication mode
EncrypType – Sets the encryption type
DefaultKeyID – Sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str – Sets the strings Key1 to Key4
WpaPsk – WPA pre-shared key
TxBurst – Enables or disables TxBurst
TurboRate – Enables or disables TurboRate
BGProtection – Sets 11b/11g protection (this function is for engineering testing only)
ShortSlot – Enables or disables the short slot time
TxRate – Sets the TxRate
RTSThreshold – Sets the RTS threshold
FragThreshold – Sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
• Introduction
• Installation Procedure
• Using the BASH Shell
• GDB debug tool – Insight
Windows Tool Chain
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Development Process
Step 1: Setting up the development environment on the PC (x86)
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC (IXP-422)
Step 1: Setting up the Development Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP). Installation tips:
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities:
• Moxa Bash Shell
• GDB debug tool – Insight (http://sources.redhat.com/insight)
• This process could take from 5 to 30 minutes, depending on the speed of your system.
Step 2: Coding, Compiling and Debugging
Code the C/C++ program on the Moxa Bash Shell (PC, Windows Tool Chain).
Compile / link the source code with the tool chain:
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compiling Hello.c
Step 3: Deployment
Upload the program to the UC:
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 site):
• chmod +x hello-release
• ./hello-release
Hello
Debugging with GDB
[Diagram: PC (Moxa Bash Shell): 1. compile with -ggdb, 3. Insight tool (GDB client), 4. target remote – over Ethernet – UC: 2. GDB debug server]
gdbserver 192.168.3.127:2000 hello-debug
Debugging with GDB
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): Compile the program with the -ggdb option, then upload it to the UC.
Step 2 (UC): Start hello-debug with the command: gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): Run the GDB client:
• Open the hello-debug file
• Connect to target:
• GDB Server / TCP
• 192.168.3.200
• 2000
iptables Introductioniptables Introduction
AgendaAgenda
1) Quick View of iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
1 Quick View of iptables1 Quick View of iptables
A User-space Command to setupmaintain the ldquoNetfilterrdquo sub-system of Kernel
ldquoNetfilterrdquo manages only the packet headers not the content
iptables is currently one of many FirewallNAT solutions to be an administration tool for set up maintain and inspect the tables of IP packet filter rules in the Linux kernel
1 Quick View of iptables1 Quick View of iptables
Several different tables may be defined Each table contains a number of built-in chains and may also contain user-defined chains
Each chain is a list of rules which can match a set of packets Each rule specifies what to do with a packet that matches This is called a ldquotargetrdquo which may be a jump to a user-defined chain in the same table
1 Quick View of iptables1 Quick View of iptables
3rd generation firewall on Linuxndash ldquoipfwadmrdquo on Linux Kernel V20Xndash ldquoipchainsrdquo on Linux Kernel V22Xndash ldquoipchainsrdquo ldquoiptablesrdquo on Linux Kernel V24Xndash ldquoiptablesrdquo on Linux Kernel V26X
Supports basic packet filtering as well as connection state tracking
UC-71107400 support only ldquoiptablesrdquo
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
2) Rules Chains and Tables2) Rules Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match ndash The Highest Priority2-1 First Match ndash The Highest Priority
Packets
Rule 1
Rule 10
Default Policy
Action 1
Action 2
No
No
Yes
Yes
Rule 2
No
Action 10Yes
2-1 First Match 2-1 First Match
On WWW Server reject the attack from IP = 1921681100Rule 1 Drop the packets from 1921681100Rule 2 Accept WWW request packets from all the hostsRule 3 Drop all the none-WWW packets
Rule 1 Accept WWW request packets from all the hosts Rule 2 Drop the packets from 1921681100Rule 3 Drop all the none-www packets
1921681100 is able to use the WWW service or to attack WWW service port
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, i.e. to translate the packet's source field or destination field.
1) PREROUTING chain – translates the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT / MASQUERADE)
3) OUTPUT chain – works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Flow: Incoming Packets -> NAT Table PREROUTING -> Filter Table INPUT -> Local Process]
2-3-2 Source: Local Host
[Flow: Local Process -> NAT Table OUTPUT -> Filter Table OUTPUT -> NAT Table POSTROUTING -> Send Out Packets]
2-3-3 Forwarded Packets
[Flow: Incoming Packets -> NAT Table PREROUTING -> routing decision (Local Resource or Other Hosts) -> Filter Table FORWARD -> NAT Table POSTROUTING -> Other Hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
3-1 Load iptables Modules
Check the current tables: iptables [-t table] -L [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target (-j).
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches – Conditions
1. -p [proto]: tcp | udp | icmp | all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --ports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported rule file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all packets incoming from the lo interface
Example 2 – Accept all TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 3 – Accept all TCP packets incoming from the network 192.168.1.0/24
Example 4 – Drop all TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of the filter table
Example 5 – Drop all incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
Example 6 – Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 7 – Log all incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC-7110 does not support the target "LOG".
4-1 Packet Filter – Rules of the filter table
Example 8 – Drop all [SYN] packets from IP = 192.168.100.200
Example 9 – Drop all packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
Example 11 – ICMP "ping" burst
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of the filter table
Example 13 – Check the packet integrity
Example 14 – Enable the "Passive Mode" FTP service to a host
iptables -t filter -A INPUT -p all -m unclean -j DROP
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests for port 80 to port 8080
Example 2 – Masquerade the packets coming from 192.168.1.0/24 and leaving via ppp0 as the local ppp0 IP (MASQUERADE lives in POSTROUTING, see 3-3-4)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75), TCP port 80, to the internal Web server 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
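The first-match rule of 2-1, the default policy of 3-2 and the script-file recommendation of 3-4, combined into one maintainable rule script for the WWW-server scenario. This is an added example, not a file from the course material: the attacker address 192.168.1.100 and the interface eth0 come from the slides, while the IPT/WAN_IF/BLOCKED variables and the check_order and rule_count functions are this example's own (IPT=echo previews the rules without touching the kernel).

```shell
#!/bin/sh
# Added example (not from the Moxa course): the 2-1 WWW-server scenario as a
# maintained rule script. IPT=echo prints the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                 # interface name used on the slides
BLOCKED="${BLOCKED:-192.168.1.100}"      # the attacking host from 2-1

www_rules() {
    # 3-2: default policies. Anything not accepted below is dropped.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
    # Flush INPUT so that re-running the script yields exactly this order.
    $IPT -t filter -F INPUT

    # Examples 1 and 12: loopback and already-tracked traffic first.
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP

    # 2-1 first match: the attacker DROP must come BEFORE the WWW ACCEPT.
    # Swapping these two rules reproduces the wrong ordering on the slide,
    # where 192.168.1.100 still reaches port 80.
    $IPT -t filter -A INPUT -i "$WAN_IF" -s "$BLOCKED" -j DROP
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Example 11: answer ping, but rate-limited (6/min, burst 10).
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 \
        -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Everything else falls through to the INPUT DROP policy (Rule 3 of 2-1).
}

# check_order: previews the rules with IPT=echo and returns 0 only when the
# DROP for $BLOCKED is appended before the port-80 ACCEPT, i.e. when first
# match gives the intended result. Run it before loading the rules for real.
check_order() {
    out=$(IPT=echo; www_rules)
    drop_line=$(printf '%s\n' "$out" | grep -n -e "-s $BLOCKED -j DROP" | cut -d: -f1)
    www_line=$(printf '%s\n' "$out" | grep -n -e "--dport 80" | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$www_line" ] && [ "$drop_line" -lt "$www_line" ]
}

# rule_count: number of -A rules the script would append (sanity check).
rule_count() {
    (IPT=echo; www_rules) | grep -c -e ' -A INPUT '
}

# Load the rules on the UC-7400 only when explicitly asked: sh fw.sh apply
if [ "${1:-}" = "apply" ]; then
    check_order && www_rules
fi
```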
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: (n-1)n/2 keys
DES, 3DES, AES, Blowfish
[Diagram: Tom encrypts the plaintext with the secret key into the ciphertext; Bob decrypts the ciphertext with the same secret key back into the plaintext.]
1-3 Hash (Digest) Function
Ensure data integrity
MD5, SHA-1
[Diagram: Tom computes Message Digest 1 from the data with the hash function and sends data + Message Digest 1; Bob computes Message Digest 2 from the received data with the same hash function and compares it with Message Digest 1.]
1-4 Message Authentication Code
Ensure the data integrity
Use a key to protect the MAC
HMAC, CBC-MAC
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with the secret key into the MAC, then sends data + MAC; Bob hashes the received data into Message Digest 2, decrypts the MAC with the secret key back into Message Digest 1 and compares the two.]
1-5 Asymmetric Encryption
Things to remember
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable. All algorithms make no difference between public and private key: when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA, Diffie-Hellman
[Diagram: clear text is encrypted into unreadable cipher text.]
1-5 Asymmetric Data Encryption
[Diagram – Confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. The recipient's key pair is used.]
1-5 Asymmetric Data Encryption
[Diagram – Authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. The sender's key pair is used.]
1-6 Digital Signature
Real world – hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – uses the public key and the hash
1-6 Digital Signature – Creating
[Diagram: "This is the document created by Gianni" (message or file) -> generate hash (SHA, MD5) -> message digest (typically 128 bits) -> asymmetric encryption (RSA) with the signatory's private key -> digital signature. The signed document is the message together with the digital signature.]
1-6 Digital Signature – Verifying
[Diagram: from the signed document, the message goes through the same hash function to generate a message digest; the digital signature goes through asymmetric decryption with Gianni's public key (from the certificate) to recover the signed message digest; the two digests are compared.]
1-6 Digital Signature
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key into the digital signature, then sends data + digital signature; Bob hashes the received data into Message Digest 2, decrypts the signature with Tom's public key back into Message Digest 1 and compares the two.]
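The create and verify steps of 1-6, carried out with the OpenSSL command-line tool, as an added example that is not part of the course slides: the document text is the slide's "This is the document created by Gianni", the key-pair file names and the three functions are this example's own, and SHA-256 stands in for the SHA-1/MD5 shown on the slide because some current OpenSSL builds refuse SHA-1 signatures.

```shell
#!/bin/sh
# Added example (not from the course): 1-6 signing and verifying with the
# OpenSSL command line. File names and function names are this example's own.
DOC_TEXT='This is the document created by Gianni'     # the slide's sample document

# make_signed_doc DIR: writes DIR/doc.txt, Gianni's key pair and DIR/doc.sig.
# Signing = hash the document, then apply the private key to the digest
# (openssl dgst -sign does both steps; SHA-256 replaces the slide's SHA/MD5).
make_signed_doc() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' "$DOC_TEXT" > "$dir/doc.txt"
    openssl genrsa -out "$dir/gianni.key" 2048 2>/dev/null
    # The public half is what the verifier receives, normally inside a certificate (1-7).
    openssl rsa -in "$dir/gianni.key" -pubout -out "$dir/gianni.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$dir/gianni.key" -out "$dir/doc.sig" "$dir/doc.txt"
}

# verify_doc DIR: recomputes the digest of doc.txt and compares it with the
# digest recovered from doc.sig using the public key. Returns 0 only on
# "Verified OK", i.e. the document is unchanged and was signed by Gianni's key.
verify_doc() {
    openssl dgst -sha256 -verify "$1/gianni.pub" -signature "$1/doc.sig" \
        "$1/doc.txt" >/dev/null 2>&1
}

# tamper_doc DIR: appends one character to the document (the integrity failure case).
tamper_doc() {
    printf 'x' >> "$1/doc.txt"
}
```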
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user.]
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key. Left and Right each hold their own private key, their certificate signed by the CA, and the CA public key; each trusts the other's certificate because it is signed by the CA.]
1-7-2 SSL/TLS
[Diagram: each side holds its own key pair and the peer's public key. Clear text is encrypted into Cipher 1 and Cipher 2, transmitted over the public network, and decrypted back into clear text on the other side.]
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, identity, non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput and rate of 3DES-CBC and AES128-CBC versus packet size, 128 to 1280 bytes (left pair) and 16 to 144 bytes (right pair); the marked series is the HW cipher.]
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approaches:
• Default: hardware approach
• Any mis-configuration, or the engine being busy, causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Packet layout: HMAC | IV | [SeqN | IP payload]; the bracketed part is encrypted, and the HMAC is computed over the IV and the encrypted part.]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic Firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the Application layer and the TUN device is inserted at the Network (3rd) layer.]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
You need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0            # create an Ethernet bridge
brctl addif br0 eth1       # connect interface eth1 as a port
brctl addif br0 tap0       # connect virtual interface tap0 as a port
[Diagram: two OSI stacks; OpenVPN at the Application layer, the TAP device at the Data-Link (2nd) layer; on each host eth1 and tap0 are bridged together while eth0 carries the tunnel.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing, and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Topology: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) - ixp1 - [VPN Server, CA/TLS Server] 10.0.1.254 - ixp0 192.168.12.201 <== VPN Tunnel ==> ixp0 192.168.12.202 - [VPN Client] 10.0.2.254 - ixp1 - LAN B (IP 10.0.2.1/24, gw 10.0.2.254). The client connects to the server.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create / start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun-server.conf
[At VPN Client] vi /etc/openvpn/tun-client.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified (the "ifconfig" line)
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routings: vi /etc/openvpn/tun-server.sh; chmod +x /etc/openvpn/tun-server.sh
[At VPN Client] vi /etc/openvpn/tun-client.sh; chmod +x /etc/openvpn/tun-client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun-server.conf &
[At VPN Client] openvpn --config /etc/openvpn/tun-client.conf &
The 2nd argument of "ifconfig", which is now "10.0.2.254", is the remote end of the tunnel
3-3 TAP Configuration
Create the TAP configuration files: vi /etc/openvpn/tap-server.conf
[At VPN Client] vi /etc/openvpn/tap-client.conf
3-3 TAP Configuration – VPN Server
Comment out (mark) this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routings: vi /etc/openvpn/tap-server.sh
[At VPN Client] vi /etc/openvpn/tap-client.sh; chmod +x /etc/openvpn/tap-client.sh
Points to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap-server.conf &
[At VPN Client] openvpn --config /etc/openvpn/tap-client.conf &
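The static-key TUN server/client pair of 3-1 and 3-2 as generated files, so the two mandatory items (the local/remote "ifconfig" pair and the "remote" server address on the client) can be cross-checked before either box is started. This is an added example, not the course's configuration files: the addresses are the ones drawn in 3-1 (server ixp0 192.168.12.201, LAN A 10.0.1.0/24, LAN B 10.0.2.0/24) with tunnel endpoints 10.0.1.254/10.0.2.254 as in the 3-2 ifconfig remark; the file names, the "route" directives (used here in place of the separate tun-*.sh route scripts) and the conf_field and check_pair functions are this example's choice; static.key is the file produced by "openvpn --genkey --secret static.key".

```shell
#!/bin/sh
# Added example (not the course's files): writes a static-key TUN pair for the
# 3-1 topology and checks that the two sides describe the same tunnel.
SERVER_PUB=192.168.12.201        # VPN server ixp0, as drawn in 3-1
SERVER_TUN=10.0.1.254            # ifconfig 1st argument on the server (3-2)
CLIENT_TUN=10.0.2.254            # ifconfig 2nd argument on the server (3-2)
LAN_A=10.0.1.0                   # network behind the server
LAN_B=10.0.2.0                   # network behind the client
MASK=255.255.255.0

# write_tun_configs [DIR]: writes DIR/tun-server.conf and DIR/tun-client.conf.
# DIR defaults to the /etc/openvpn working directory recommended in 3-1.
write_tun_configs() {
    dir="${1:-/etc/openvpn}"
    mkdir -p "$dir"
    cat > "$dir/tun-server.conf" <<EOF
# VPN server (LAN A side). No "remote": it waits for the client.
dev tun
proto udp
port 1194
ifconfig $SERVER_TUN $CLIENT_TUN
secret static.key
route $LAN_B $MASK
keepalive 10 60
cipher AES-128-CBC
auth SHA1
verb 3
EOF
    cat > "$dir/tun-client.conf" <<EOF
# VPN client (LAN B side). "remote" is mandatory here, and the ifconfig
# arguments are the server's in reverse order.
dev tun
proto udp
port 1194
remote $SERVER_PUB
ifconfig $CLIENT_TUN $SERVER_TUN
secret static.key
route $LAN_A $MASK
keepalive 10 60
cipher AES-128-CBC
auth SHA1
verb 3
EOF
}

# conf_field FILE KEY N: the N-th argument of directive KEY in FILE (empty if absent).
conf_field() {
    awk -v k="$2" -v n="$3" '$1 == k { print $(n + 1) }' "$1"
}

# check_pair DIR: returns 0 when the client names the server, each side's local
# tunnel address is the other side's remote address, and both use the same
# key file. Run it before starting openvpn --config on either box.
check_pair() {
    dir="$1"
    [ "$(conf_field "$dir/tun-client.conf" remote 1)" = "$SERVER_PUB" ] &&
    [ "$(conf_field "$dir/tun-server.conf" ifconfig 1)" = \
      "$(conf_field "$dir/tun-client.conf" ifconfig 2)" ] &&
    [ "$(conf_field "$dir/tun-server.conf" ifconfig 2)" = \
      "$(conf_field "$dir/tun-client.conf" ifconfig 1)" ] &&
    [ "$(conf_field "$dir/tun-server.conf" secret 1)" = \
      "$(conf_field "$dir/tun-client.conf" secret 1)" ]
}
```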
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input default_days, default_bits, ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certificated the same way
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and certificate to the VPN client
The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txx-server.conf
txx-client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others which use the Ralink chipset
Thank You
Upgrading the Firmware
2. Description
• In V1.4.3 or later firmware, UC-7400 adds a new utility, "upfirm"
• The utility upfirm is designed for upgrading the firmware (including the boot loader, kernel, mini file system, user file system and configuration)
• If your firmware version is earlier than V1.4.3, you can get the utility from the Moxa website
How to upgrade the firmware
Step 1: Type the following commands to enable the RAM disk
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website
Step 3: Use the upfirm command to upgrade the kernel and root file system
upfirm uc7400-xxx.frm
(See the next slide for the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it? (Y/N) Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 – 100% complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot the system
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot-up after upgrading the firmware takes a long time.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus Wireless LAN card first
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
This file is a binary file and will be read on loading the rt2500.o module
Use "vi -b RT2500STA.dat" to modify the settings according to your needs:
1) set NetworkType to Adhoc for using Adhoc mode, otherwise use Infrastructure
2) set Channel to 0 for auto-select in Infrastructure mode
3) set SSID for connecting to your access point
4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
5) EncrypType can be NONE, WEP, TKIP, AES
For more information refer to the Readme file
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: sets the channels for your particular country region
WirelessMode: sets the wireless mode
SSID: sets the softAP SSID
NetworkType: sets the wireless operation mode
Channel: sets the channel
AuthMode: sets the authentication mode
EncrypType: sets the encryption type
DefaultKeyID: sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: sets the strings Key1 to Key4
WpaPsk: WPA pre-shared key
TxBurst: enables or disables TxBurst
TurboRate: enables or disables TurboRate
BGProtection: sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: enables or disables the short slot time
TxRate: sets the TxRate
RTSThreshold: sets the RTS threshold
FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC
The following topics are covered in this appendix:
• Introduction
• Installation Procedure
• Using the BASH Shell
• GDB debug tool: Insight
Windows Tool Chain
1. Operating System: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
[Diagram: x86 PC -> IXP-422 target]
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP). Installation tips:
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities
• Moxa Bash Shell
• GDB debug tool: Insight
• http://sources.redhat.com/insight
• This process could take from 5 to 30 minutes depending on the speed of your system
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC, Windows Tool Chain)
Compile/link the source codes with the tool chain
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compiling Hello.c
Step 3: Deployment
Upload the program to the UC
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 site)
• chmod +x hello-release
• ./hello-release
Hello
Debugging with GDB
[Diagram: PC (Moxa Bash Shell): 1. compile with -ggdb; 3. Insight tool (GDB client); 4. target remote. UC: 2. GDB debug server. Connected over Ethernet.]
Debugging with GDB
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): Compile the program with the -ggdb option, then upload it to the UC
Step 2 (UC): Start hello-debug under gdbserver with the command
gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): Run the GDB client
• Open the hello-debug file
• Connect to target
• GDB Server / TCP
• 192.168.3.200
• 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
A user-space command to set up/maintain the "Netfilter" sub-system of the kernel.
"Netfilter" manages only the packet headers, not the content.
iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
3rd generation firewall on Linux:
- "ipfwadm" on Linux kernel V2.0.X
- "ipchains" on Linux kernel V2.2.X
- "ipchains" / "iptables" on Linux kernel V2.4.X
- "iptables" on Linux kernel V2.6.X
Supports basic packet filtering as well as connection state tracking.
UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Flowchart: incoming packets are tested against Rule 1, Rule 2, ... Rule 10 in order. A "Yes" at a rule takes that rule's action (Action 1, Action 2, ... Action 10) and stops; a "No" falls through to the next rule. If no rule matches, the default policy applies.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
With the first two rules swapped:
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
192.168.1.100 is able to use the WWW service, or to attack the WWW service port, because Rule 1 matches its WWW packets before Rule 2 is ever reached.
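The two orderings above, modelled as an added example that is not part of the Moxa slides: a minimal first-match evaluator for a filter-table chain, with assumed helper names Rule, Packet and evaluate and constructed sample packets.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the Moxa slides): a minimal model of first-match
# evaluation in one chain, showing why rule order decides whether the
# attacker host 192.168.1.100 from the slide reaches the WWW port.


@dataclass
class Packet:
    src: str                       # source IP address
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # destination port (TCP/UDP only)


@dataclass
class Rule:
    target: str                    # "ACCEPT" or "DROP"
    src: Optional[str] = None      # single IP or CIDR network, like -s
    proto: Optional[str] = None    # like -p
    dport: Optional[int] = None    # like --dport

    def matches(self, pkt: Packet) -> bool:
        # Every specified condition must hold; unspecified ones are wildcards.
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.proto not in (None, "all") and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top-down; the first matching rule decides (first match).
    If no rule matches, the chain's default policy (-P) applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Ruleset from the slide in the intended order: the attacker is dropped
# before the general WWW ACCEPT rule can match.
SECURE_ORDER = [
    Rule("DROP", src="192.168.1.100"),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("DROP"),
]

# Same three rules with rules 1 and 2 swapped: the WWW ACCEPT matches first,
# so the DROP for 192.168.1.100 is never reached for port-80 traffic.
WRONG_ORDER = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("DROP", src="192.168.1.100"),
    Rule("DROP"),
]


def demo() -> dict:
    # Constructed sample packets: the attacker and an ordinary client.
    attacker_www = Packet("192.168.1.100", "tcp", 80)
    attacker_ssh = Packet("192.168.1.100", "tcp", 22)
    client_www = Packet("192.168.1.7", "tcp", 80)
    client_ftp = Packet("192.168.1.7", "tcp", 21)
    return {
        "secure/attacker_www": evaluate(SECURE_ORDER, attacker_www),  # DROP
        "secure/client_www": evaluate(SECURE_ORDER, client_www),      # ACCEPT
        "secure/client_ftp": evaluate(SECURE_ORDER, client_ftp),      # DROP
        "wrong/attacker_www": evaluate(WRONG_ORDER, attacker_www),    # ACCEPT
        "wrong/attacker_ssh": evaluate(WRONG_ORDER, attacker_ssh),    # DROP
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```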
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain - packets entering the local host
2. OUTPUT chain - packets output from the local host
3. FORWARD chain - packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, i.e. to translate the packet's source field or destination field.
1) PREROUTING chain - to translate the destination IP address (DNAT)
2) POSTROUTING chain - works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain - works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Diagram: incoming packets -> NAT table PREROUTING -> filter table INPUT -> local process]
2-3-2 Source: Local Host
[Diagram: outgoing packets from a local process -> NAT table OUTPUT -> filter table OUTPUT -> NAT table POSTROUTING -> packets sent out]
2-3-3 Forwarded Packets
[Diagram: incoming packets -> NAT table PREROUTING -> filter table FORWARD -> NAT table POSTROUTING -> other hosts; local resources are not involved]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t {filter | nat | mangle} -P {INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING} {ACCEPT | DROP}
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter | nat | mangle} {-A | -I | -D | -R} <direction> <match> -j <target>
3 major things need to be considered: the direction (chain), the match and the target.
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using this exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all the packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 - Log all the incoming/outgoing TCP packets with to/from port = 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC-7110 does not support the target "LOG".
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - ICMP "ping" burst:
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 - Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "Passive Mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 - Redirect the connection requests for port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets coming from 192.168.1.0/24 so that they carry the local ppp0's IP:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 - DNAT the packets incoming from eth0 (60.248.66.75) on TCP port 80 to the internal web server 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
Integrity
- Ensure that the message has not been modified during the transmission.
Authenticity
- You can verify that you are talking to the entity you think you are talking to.
- You can verify who is the specific individual behind that entity.
Non-repudiation
- The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission.
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys.
DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts the ciphertext back into plaintext with the same secret key.]
1-3 Hash (Digest) Function
Ensure data integrity.
MD5/SHA-1
[Diagram: Tom runs the data through a hash function to get message digest 1 and sends data + digest 1; Bob runs the received data through the same hash function to get message digest 2 and compares it with digest 1.]
1-4 Message Authentication Code
Ensure the data integrity.
Use a key to protect the MAC.
HMAC/CBC-MAC
[Diagram: Tom hashes the data into message digest 1 and encrypts the digest with the secret key to form the MAC, sending MAC + data; Bob hashes the received data into message digest 2, decrypts the MAC with the secret key to recover digest 1, and compares the two digests.]
1-5 Asymmetric Encryption
Things to remember
- Key pair - public/private keys
- In a session, one key is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
- The two keys are interchangeable: all algorithms make no difference between the public and the private key. When a key pair is generated, any of the two can be public or private
- Less efficient than a static key
- RSA/Diffie-Hellman
[Diagram: clear text -> encryption -> cipher text]
1-5 Asymmetric Data Encryption
[Diagram - confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (recipient's key pair).]
[Diagram - authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (sender's key pair).]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - uses the public key and a hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) into a short message digest (typically 128 bits) using a one-way message digest function; the digest is encrypted asymmetrically (RSA) with the signatory's private key to produce the digital signature; the signed document is the message plus the digital signature.]
1-6 Digital Signature - Verifying
[Diagram: the message part of the signed document is hashed again to produce a message digest; the digital signature is decrypted asymmetrically with Gianni's public key (from the certificate); the two digests are compared.]
1-6 Digital Signature
[Diagram: Tom hashes the data into message digest 1 and encrypts it with Tom's private key to form the digital signature, sending data + signature; Bob hashes the data into message digest 2, decrypts the signature with Tom's public key to recover digest 1, and compares the two digests.]
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key
... and the whole is:
- Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the certification server (CA) generates a key pair (Priv, Pub); the user requests a certificate from the CA; the CA generates the certificate (Pub + DS); the private key and the certificate are sent to the user.]
1-7-1 CA Certificate Example
[Diagram: the CA holds its private key. Left and Right each hold their own private key, the CA public key and their own certificate (Left Cert, Right Cert) signed by the CA. They trust each other through the CA: Left's cert is signed by the CA, Right's cert is signed by the CA, and the CA public key is itself signed by the CA.]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair (Priv, Pub). Clear text is encrypted into Cipher 1 and again into Cipher 2, transmitted over the public network, then decrypted in the reverse order (Cipher 2, Cipher 1) back to clear text.]
Ensures confidentiality
- And integrity, if digitally signed
Depending on how the public keys are exchanged:
- Authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source codes
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
- We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too.
1-8-2 Performance
[Charts: throughput and speed-up ratio (RATE) of 3DES-CBC and AES128-CBC with the hardware cipher versus software, plotted against packet size in bytes (128 to 1280 and 16 to 144).]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
- Default: hardware approach
- Any mis-configuration or busyness causes the switch
Small packets are switched to the software approach:
- DES: 128 bytes
- 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
- mxhw_cipher.o
Device file
- mknod /dev/mxcrypto c 11 131
Test program
- ./io: correctness test
- ./io 0 5000: stability test
- ./io 1: golden pattern
- ./io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.).
A VPN allows the usage of protocols which are insecure by themselves.
VPNs cannot be controlled and logged easily because of their encrypted nature.
2-2 Why OpenVPN
Usability
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most of the platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
- Makes use of the kernel routing
- Multiple clients
A user-space program
- A full-featured SSL-VPN solution
- On top of the existing SSL/TLS mechanism
- Options between a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
- Static key: uses a pre-shared key
- SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number
- IV: plain-text initialization vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP payload. SeqN and the IP payload are encrypted; the HMAC is computed over the IV and the encrypted part.]
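The packet layout and the checks it enables, as an added example that is not OpenVPN's code and not from the slides: it also serves section 1-4, since the MAC here is an HMAC keyed with part of the pre-shared key. Assumptions: a constructed 64-byte key (a real --genkey key is 2048 bits, with separate cipher and HMAC portions), HMAC-SHA1, and a SHA-256 counter keystream standing in for the block cipher, because the Python standard library ships no AES or 3DES.

```python
import hashlib
import hmac
import os
import struct

# Added example (not OpenVPN's code): static-key packet format from the slide,
#   HMAC | IV | encrypted( SeqN | payload )
# with the receiver authenticating first, then decrypting, then replay-checking.

KEY = bytes(range(64))                 # constructed pre-shared key, NOT a real one
CIPHER_KEY, HMAC_KEY = KEY[:32], KEY[32:]
IV_LEN = 16
MAC_LEN = hashlib.sha1().digest_size   # 20 bytes


def _keystream(iv: bytes, length: int) -> bytes:
    """Stand-in for the block cipher (real OpenVPN uses e.g. AES/3DES in CBC):
    a counter-mode keystream derived from the cipher key and the per-packet IV."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(CIPHER_KEY + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class Sender:
    def __init__(self):
        self.seq = 0

    def protect(self, payload: bytes, iv=None) -> bytes:
        self.seq += 1
        if iv is None:
            iv = os.urandom(IV_LEN)                     # randomized per packet
        plain = struct.pack(">Q", self.seq) + payload   # 64-bit SeqN | payload
        cipher = _xor(plain, _keystream(iv, len(plain)))
        # HMAC covers the IV and the ciphertext, exactly the bytes that go on the wire
        mac = hmac.new(HMAC_KEY, iv + cipher, hashlib.sha1).digest()
        return mac + iv + cipher


class Receiver:
    def __init__(self):
        self.last_seq = 0

    def unprotect(self, packet: bytes) -> bytes:
        if len(packet) < MAC_LEN + IV_LEN + 8:
            raise ValueError("packet too short")
        mac = packet[:MAC_LEN]
        iv = packet[MAC_LEN:MAC_LEN + IV_LEN]
        cipher = packet[MAC_LEN + IV_LEN:]
        expected = hmac.new(HMAC_KEY, iv + cipher, hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):      # authenticate before decrypting
            raise ValueError("bad HMAC: packet modified or wrong key")
        plain = _xor(cipher, _keystream(iv, len(cipher)))
        seq = struct.unpack(">Q", plain[:8])[0]
        if seq <= self.last_seq:                          # strict in-order replay check
            raise ValueError(f"replayed packet (seq {seq})")
        self.last_seq = seq
        return plain[8:]


def demo() -> dict:
    s, r = Sender(), Receiver()
    p1 = s.protect(b"IP packet #1")
    p2 = s.protect(b"IP packet #2")
    results = {"p1": r.unprotect(p1), "p2": r.unprotect(p2)}
    # Replay of p1: the HMAC is still valid, but the sequence number goes backwards.
    try:
        r.unprotect(p1)
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)
    # One flipped bit in the ciphertext: HMAC mismatch, nothing is decrypted.
    tampered = bytearray(p2)
    tampered[-1] ^= 0x01
    try:
        r.unprotect(bytes(tampered))
        results["tamper"] = "accepted"
    except ValueError as e:
        results["tamper"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```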
2-2 OpenVPN vs IPSec
OpenVPN
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN.
Uses the kernel routing to forward the packets.
[Diagram: two OSI stacks (physical, data-link, network, transport, session, presentation, application); OpenVPN runs at the application layer and the TUN device sits at the 3rd (network) layer.]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 only where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode; a TAP device is a virtual Ethernet adapter.
Bridge tools (brctl) are required to create the virtual adapters.
Need to create a script to bind eth1 and tap0 together into a bridged device called br0:
brctl addbr br0        # create an Ethernet bridge
brctl addif br0 eth1   # connect interface eth1 as a port
brctl addif br0 tap0   # connect virtual interface tap0 as a port
[Diagram: two OSI stacks; OpenVPN runs at the application layer and the TAP device sits at the 2nd (data-link) layer, below the TUN device's 3rd layer. On each side eth1 and tap0 are bridged together, while eth0 carries the tunnel traffic.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Diagram: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) connects via ixp1 to the VPN Server (also the CA/TLS server, 10.0.1.254), whose ixp0 is 192.168.12.201. LAN B (IP 10.0.2.1/24, gw 10.0.2.254) connects via ixp1 to the VPN Client (10.0.2.254), whose ixp0 is 192.168.12.202. The client connects to the server and the VPN tunnel runs between the two ixp0 interfaces.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module; if it is not there: ls /dev/net and look for a character device "tun"; mknod /dev/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the ciphers/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun.server.conf
[At VPN client] vi /etc/openvpn/tun.client.conf
3-2 TUN Server Configuration
Local/remote VPN IP addresses must be specified.
It is NECESSARY to specify the server address at the VPN client.
3-2 TUN Server Configuration
Edit the static routings: vi /etc/openvpn/tun.server.sh; chmod +x /etc/tun.server.sh
[At VPN client] vi /etc/openvpn/tun.client.sh; chmod +x /etc/tun.client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/tun.server.conf &; openvpn --config /etc/tun.client.conf &
2nd argument of "ifconfig", which is now "10.0.2.254"
Create the TAP configuration files: vi /etc/openvpn/tap.server.conf
[At VPN client] vi /etc/openvpn/tap.client.conf
3-3 TAP Configuration - VPN Server
Mark this line if both VPN networks are in the same subnet.
3-3 TAP Configuration - VPN Server
Edit the static routings: vi /etc/openvpn/tun.server.sh
[At VPN client] vi /etc/openvpn/tap.client.sh; chmod +x /etc/tap.client.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap.server.conf &; openvpn --config /etc/openvpn/tap.client.conf &
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits, ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client.
Have the second client certificated in the same way.
3-4-2 OpenVPN - "easy-rsa" tools
Copy the "easy-rsa" directory to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server.
Copy the CA certificate, the client key and the client certificate to the VPN client.
The "easy-rsa" tools also work on the UC7400 series.
3-4-3 Configuration File Modification
txx.server.conf
txx.client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Demo Box Features
Two of its serial ports are connected to a power meter and a thermocouple.
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability.
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1: Monitoring: Temperature -> Voltage -> Throughput for P3 to P8
F2: System status: LAN's IP -> Wi-Fi's IP -> CPU loading -> Available memory
F3: Alarm setting: Temperature -> Voltage -> Burn-in throughput
F4: Configuration key
F5: Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
- UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
- The compatible wireless cards are:
Supplier: Model name
ASUS: WL-107g
CNET: CWC-854 (181D version)
Edimax: EW-7108PCg
Amigo: AWP-914WG
Gigabyte: GN-WMKG
Others which use the Ralink chipset
Thank You
How to upgrade firmware
Step 1: Type the following commands to enable the RAM disk:
upramdisk
cd /mnt/ramdisk
Step 2: Download the firmware file into the ramdisk from the Moxa website.
Step 3: Use the upfirm command to upgrade the kernel and the root file system:
upfirm uc7400-xxx.frm
(Reference the next slide to see the upfirm procedure)
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file conext is OK
This step will destroy all your firmware
Do you want to continue it (Y/N) Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 - 100% complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
Press any key to reboot the system.
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot-up after upgrading the firmware takes a long time.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
Step 1: Unplug the CardBus wireless LAN card first.
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Configure 802.11g Wireless LAN
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
The header comments of RT2500STA.dat:
# Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
# This file is a binary file and will be read on loading rt2500.o module
# Use "vi -b RT2500STA.dat" to modify settings according to your need
# 1) set NetworkType to Adhoc for using Adhoc-mode, otherwise using Infrastructure
# 2) set Channel to 0 for auto-select on Infrastructure mode
# 3) set SSID for connecting to your Access-point
# 4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
# 5) EncrypType can be NONE, WEP, TKIP, AES
# for more information, refer to the Readme file
Configuring 802.11g Wireless LAN
- The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: sets the channels for your particular country region
WirelessMode: sets the wireless mode
SSID: sets the softAP SSID
NetworkType: sets the wireless operation mode
Channel: sets the channel
AuthMode: sets the authentication mode
EncrypType: sets the encryption type
DefaultKeyID: sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: set the strings Key1 to Key4
WpaPsk: WPA pre-shared key
TxBurst: enables or disables TxBurst
TurboRate: enables or disables TurboRate
BGProtection: sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: enables or disables the short slot time
TxRate: sets the TxRate
RTSThreshold: sets the RTS threshold
FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
- Introduction
- Installation procedure
- Using the BASH shell
- GDB debug tool: Insight
Windows Tool Chain
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files, you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
x86 -> IXP-422
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP). Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities
- Moxa Bash Shell
- GDB debug tool: Insight
- http://sources.redhat.com/insight
bull This process could take from 5 to 30 minutes depending on the speed of your system
x86
Code with CC++ Program on Moxa Bash Shell (PC Windows Tool Chain)
Compilelink the Source Codes with Tool-chain bull Compiler path setting
PATH=usrlocalmxscalebbinbull Compiling Helloc
Step2 Coding Compiling and DebuggingStep2 Coding Compiling and Debugging
Step 3: Deployment
Upload the program to the UC:
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 site):
• chmod +x hello-release
• ./hello-release
(Terminal capture on the UC)
  # chmod +x hello-release
  # ./hello-release
  Hello
Debugging with GDB
(Diagram, PC and UC connected over Ethernet: on the PC's Moxa Bash Shell, 1 compile with -ggdb, 3 start the Insight tool (GDB client), 4 target remote; on the UC, 2 run the GDB debug server)
Debugging with GDB
  # chmod +x hello-debug
  # gdbserver 192.168.3.127:2000 hello-debug
  Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): Compile the program with the -ggdb option, then upload it to the UC
Step 2 (UC): Run hello-debug under gdbserver with the command
  gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): Run the GDB client
• Open the hello-debug file
• Connect to target
• GDB Server/TCP
• 192.168.3.200
• 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1 Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
"Netfilter" manages only the packet headers, not the content
iptables is currently one of many Firewall/NAT solutions; it is an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1 Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
1 Quick View of iptables
3rd generation firewall on Linux:
- "ipfwadm" on Linux Kernel V2.0.X
- "ipchains" on Linux Kernel V2.2.X
- "ipchains" / "iptables" on Linux Kernel V2.4.X
- "iptables" on Linux Kernel V2.6.X
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match: The Highest Priority
(Diagram: incoming packets are tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches ("Yes") applies its action (Action 1, Action 2, ... Action 10); a packet that matches no rule ("No" all the way down) falls through to the Default Policy)
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1 Drop the packets from 192.168.1.100
Rule 2 Accept WWW request packets from all the hosts
Rule 3 Drop all the non-WWW packets
With the first two rules swapped:
Rule 1 Accept WWW request packets from all the hosts
Rule 2 Drop the packets from 192.168.1.100
Rule 3 Drop all the non-WWW packets
192.168.1.100 is able to use the WWW service, or to attack the WWW service port, because its WWW packets already match Rule 1 and Rule 2 is never reached.
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. The place where we actually take action against packets and look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content.
1 INPUT chain: packets entering the local host
2 OUTPUT chain: packets output from the local host
3 FORWARD chain: packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field.
1) PREROUTING chain: to translate the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: works on locally produced packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT, OUTPUT and FORWARD chain
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
(Diagram: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process)
2-3-2 Source Local Host
(Diagram: Outgoing Packets from the local process → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets)
2-3-3 Forwarded Packets
(Diagram: Incoming Packets → NAT Table PREROUTING → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts; a packet addressed to a Local Resource leaves this path after PREROUTING and is delivered locally instead)
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t {filter | nat | mangle} -P {INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING} {ACCEPT | DROP}
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter | nat | mangle} {-A | -I | -D | -R} <direction> <match> -j <target>
3 major things need to be considered: the direction, the match and the target
3-3-2 Direction: Chains
a filter table: INPUT, OUTPUT, FORWARD
b nat table: PREROUTING, POSTROUTING, OUTPUT
c mangle table: ...
3-3-3 Matches: Conditions
1 -p [proto]: tcp, udp, icmp, all
2 -s [IP], -d [IP]
3 --sport [port], --dport [port]
4 -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5 -m multiport [p1,p2,...,p15]
6 -i [iface], -o [oface]
7 ... etc.
3-3-4 Targets: Actions
a filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using this exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter: Rules of the filter table
Example 1: Accept all the packets incoming from the lo interface
  iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2: Accept all the TCP packets incoming from IP = 192.168.0.1
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter: Rules of the filter table
Example 3: Accept all the TCP packets incoming from the network 192.168.1.0/24
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4: Drop all the TCP packets incoming from IP = 192.168.1.25
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter: Rules of the filter table
Example 5: Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
  iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter: Rules of the filter table
Example 7: Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
  iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter: Rules of the filter table
Example 8: Drop all the SYN packets from IP = 192.168.100.200
  iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9: Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
  iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10: Do not respond to "ping"
  iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: ICMP "ping" burst
  iptables -t filter -P INPUT DROP
  iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter: Rules of the filter table
Example 12: Accept the ESTABLISHED and RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
  iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter: Rules of the filter table
Example 13: Check the packet integrity
  iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14: Enable the "Passive Mode" FTP service to a host
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1: Redirect the connection requests of port 80 to port 8080
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: Masquerade the packets coming from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE and -o are only valid in POSTROUTING, see 3-3-4)
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3: DNAT the incoming packets on eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10, port 80
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4: Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
Companion rule for the internal network's outgoing traffic ($OUT_IP is the external address):
  iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
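A script that maintains the whole rule set, as section 3-4 recommends, is given here as an added example and is not the slides' own material: it combines the filter and NAT rules of the hands-on practice and orders them so that the attacker's DROP precedes the web ACCEPT (the first-match point of 2-1). The interface eth0, the attacker 192.168.1.100, the LAN 192.168.127.0/24 with web server 192.168.127.10 and the external address 60.248.66.75 are taken from the slides; the function names and the IPT=echo dry-run switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the Moxa slides: maintain the Netfilter rule set
# from a script, as section 3-4 recommends. Run "./firewall.sh apply" as
# root to load it, or "./firewall.sh dry-run" to print the commands.
# Assumptions (constructed): eth0 is the outside interface; OUT_IP is the
# external address used for DNAT/SNAT; the IPT variable lets the script be
# exercised with "echo" on a PC without touching any kernel.
IPT="${IPT:-iptables}"
WAN_IF="eth0"
ATTACKER="192.168.1.100"      # host to lock out (section 2-1)
LAN_NET="192.168.127.0/24"    # internal network behind the NAT machine
WEB_SERVER="192.168.127.10"   # internal web server that receives DNAT
OUT_IP="${OUT_IP:-60.248.66.75}"

# Start from a clean state so the script can be re-run safely.
flush_rules() {
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -t nat -F
    $IPT -t nat -X
}

# Default policies: deny inbound and forwarded traffic, allow outbound.
default_policy() {
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

# filter table. First match wins, so the attacker's DROP comes BEFORE the
# general web ACCEPT; in the other order the attacker's port-80 packets
# would match the ACCEPT and the DROP would never be reached.
filter_rules() {
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    $IPT -t filter -A INPUT -i "$WAN_IF" -s "$ATTACKER" -j DROP
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 80 --syn -j ACCEPT
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 21 -j DROP
    $IPT -t filter -A INPUT -p tcp --dport 25 -j LOG --log-prefix "smtp: "
    # forwarded traffic: the LAN may go out, replies and DNATed web traffic may come in
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -s "$LAN_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
}

# nat table: DNAT port 80 to the internal web server, SNAT the LAN on its way out.
nat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 \
        -j DNAT --to "$WEB_SERVER:80"
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to "$OUT_IP"
}

all_rules() {
    flush_rules
    default_policy
    filter_rules
    nat_rules
}

# Prints the rule set without loading it (IPT=echo), one command per line.
dry_run() {
    ( IPT=echo; all_rules )
}

# Position (1-based) of the first dry-run line containing $1, for checking order.
rule_position() {
    dry_run | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    apply)   all_rules ;;
    dry-run) dry_run ;;
esac
```

Running the script with dry-run before apply shows the exact order the kernel will evaluate, which is the only way to catch a misplaced DROP before it silently stops matching.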
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: (n-1)n/2 keys
DES / 3DES / AES / Blowfish
(Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back into the plaintext)
1-3 Hash (Digest) Function
Ensure data integrity
MD5 / SHA-1
(Diagram: Tom computes Message Digest 1 from the data with the hash function and sends the data together with Message Digest 1; Bob computes Message Digest 2 from the received data with the same hash function and compares it with Message Digest 1)
1-4 Message Authentication Code
Ensure the data integrity
Use a key to protect the MAC
HMAC / CBC-MAC
(Diagram: Tom computes Message Digest 1 from the data, encrypts it with the secret key into a MAC and sends the data together with the MAC; Bob decrypts the MAC with the secret key to recover Message Digest 1, computes Message Digest 2 from the received data, and compares the two)
1-5 Asymmetric Encryption
Things to remember:
• Key pair: public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable. All algorithms make no difference between public and private key: when a key pair is generated, any of the two can be public or private
• Less efficient than a static key
• RSA / Diffie-Hellman
(Diagram: clear text is encrypted into unreadable cipher text)
1-5 Asymmetric Data Encryption
(Diagram, Confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key; the recipient's key pair is used)
1-5 Asymmetric Data Encryption
(Diagram, Authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key; the sender's key pair is used)
1-6 Digital Signature
Real world: hybrid
1 Data integrity
2 Authenticity
3 Non-repudiation
4 Algorithm: use the public key and the hash
1-6 Digital Signature - Creating
(Diagram: from the message or file "This is the document created by Gianni", calculate a short message digest, even from a long input, using a one-way message digest function (hash: SHA, MD5; typically 128 bits); the digest is then encrypted with the signatory's private key by asymmetric encryption (RSA) to produce the digital signature; the signed document is the message plus the digital signature)
1-6 Digital Signature - Verifying
(Diagram: from the signed document, generate the hash of the message to get a message digest; decrypt the digital signature with Gianni's public key (from the certificate) by asymmetric decryption to recover the original digest; compare the two)
1-6 Digital Signature
(Diagram: Tom computes Message Digest 1 from the data with the hash function and encrypts it with Tom's private key into the digital signature; Bob decrypts the digital signature with Tom's public key to recover Message Digest 1, computes Message Digest 2 from the received data with the hash function, and compares the two)
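The hash, MAC and signature flows of 1-3, 1-4 and 1-6 carried out with the openssl command line tool, as an added example that is not part of the slides: a digest detects a change, an HMAC additionally needs the key, and a signature is verified with the public key and fails on an altered document. The message text is the one in the diagram; SHA-256, the throw-away 2048-bit RSA key pair and the temporary directory are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: the hash, MAC and signature flows of
# 1-3, 1-4 and 1-6 with the openssl command line tool (OpenSSL ships on the
# UC-7400). Assumptions (constructed): SHA-256 in place of the diagrams'
# SHA/MD5, a throw-away 2048-bit RSA key pair, a temporary working directory.

# 1-3 hash: prints the hex digest of file $1. Anyone can recompute it.
digest() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# 1-4 MAC: prints the HMAC-SHA256 of file $1 under key $2. Only key holders can.
mac() { openssl dgst -sha256 -hmac "$2" "$1" | awk '{print $NF}'; }

# 1-6 creating: hash file $1 and encrypt the digest with private key $2; the
# signature goes to file $3.
sign() { openssl dgst -sha256 -sign "$2" -out "$3" "$1"; }

# 1-6 verifying: recompute the digest of $1, recover the signed digest with
# public key $2 from signature $3 and compare. Exit status 0 is "Verified OK".
verify() { openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1; }

# Round trip in directory $1. Returns 0 only if every check behaves as the
# slides describe: the genuine document verifies, an altered one does not,
# the digest changes with the data, and the MAC changes with the key.
demo() {
    d="$1"
    printf 'This is the document created by Gianni\n' > "$d/doc.txt"
    openssl genrsa -out "$d/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$d/priv.pem" -pubout -out "$d/pub.pem" 2>/dev/null
    sign "$d/doc.txt" "$d/priv.pem" "$d/doc.sig"
    verify "$d/doc.txt" "$d/pub.pem" "$d/doc.sig" || return 1
    # the text is altered in transit while the original signature is kept
    printf 'This is the document created by Mallory\n' > "$d/forged.txt"
    if verify "$d/forged.txt" "$d/pub.pem" "$d/doc.sig"; then return 1; fi
    [ "$(digest "$d/doc.txt")" != "$(digest "$d/forged.txt")" ] || return 1
    [ "$(mac "$d/doc.txt" key-one)" != "$(mac "$d/doc.txt" key-two)" ] || return 1
    return 0
}
```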
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
(Diagram: the certificate binds the public key to the statement "This public key belongs to Stephen" and carries the digital signature; the entity can be a person, a computer, a device, a file, some code, anything ...)
1-7-1 CA Certificate
(Diagram, certification server: the CA generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user)
1-7-1 CA Certificate Example
(Diagram: the CA holds the CA private key. Left holds its private key, the CA public key and the Left cert signed by the CA; Right holds its private key, the CA public key and the Right cert signed by the CA. Left and Right trust each other's cert because it is signed by the CA; the CA public key is itself signed by the CA)
1-7-2 SSL/TLS
(Diagram: each side has its own private/public key pair; the clear text is encrypted twice (Cipher 1, Cipher 2), transmitted over the public network, and decrypted twice back into clear text)
Ensures confidentiality
• And integrity if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms: OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which openssl wraps too
1-8-2 Performance
(Plots: throughput (rate) of 3DES-CBC and AES128-CBC against packet size, one pair of charts for 128 to 1280 bytes and one for 16 to 144 bytes, comparing the software cipher with the hardware cipher; the marked series is the HW cipher)
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy state causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000-SP4 / Windows XP-SP1 or later
2-2 Why OpenVPN
Peers: each node with a client/server role
• In use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
(Diagram: HMAC | IV | SeqN | IP payload; the SeqN and the IP payload are the encrypted part, and the HMAC is computed over the IV and the encrypted part)
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• portability across operating systems
• firewall- and NAT-friendly
• dynamic address support
IPSec
• Kernel-space IP stack
• each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device), a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
(Diagram: the OSI stacks of the two peers, Physical to Application; OpenVPN runs at the application layer and the TUN device sits at the network layer (3rd))
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see those machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
  brctl addbr br0          # create an Ethernet bridge
  brctl addif br0 eth1     # connect interface eth1 as a port
  brctl addif br0 tap0     # connect virtual interface tap0 as a port
(Diagram: the OSI stacks of the two peers; OpenVPN at the application layer, TUN at the network layer (3rd), TAP at the data-link layer (2nd); on each peer eth1 and tap0 are bridged, and eth0 carries the tunnel)
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point-to-point, point-to-multipoint
2 Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing, and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys
3-1 Getting Started
(Diagram: LAN A, IP 10.0.1.1/24, gw 10.0.1.254, behind the [VPN Server] (also the [CA/TLS Server]) whose ixp1 is 10.0.1.254 and ixp0 is 192.168.12.201; LAN B, IP 10.0.2.1/24, gw 10.0.2.254, behind the [VPN Client] whose ixp1 is 10.0.2.254 and ixp0 is 192.168.12.202; the client connects to the server and the VPN tunnel runs between the two ixp0 addresses)
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device node: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the supported ciphers/authentication: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At the VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At the VPN client] openvpn --config /etc/openvpn/tunclient.conf &
(Callout on the client script: the 2nd argument of "ifconfig", which is now "10.0.2.254")
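The TUN configuration files themselves are not reproduced on the slides; the following added example (not Moxa's own files) writes a static-key tunserver.conf/tunclient.conf pair for the 3-1 topology and checks that the two sides mirror each other before openvpn is started. The server address 192.168.12.201 and the LANs 10.0.1.0/24 and 10.0.2.0/24 come from the Getting Started diagram; the tunnel endpoints 10.8.0.1/10.8.0.2, UDP port 1194 and the key file name static.key are assumptions.

```shell
#!/bin/sh
# Added example, not from the Moxa slides: write a static-key TUN
# server/client configuration pair for the 3-1 topology and check it
# before openvpn is started.
# Assumptions (constructed): tunnel endpoints 10.8.0.1/10.8.0.2, UDP port
# 1194, key file static.key in the same directory as the configs.
SERVER_PUBLIC="192.168.12.201"   # VPN server ixp0 (from the 3-1 diagram)
SERVER_LAN="10.0.1.0"            # LAN A behind the server, gw 10.0.1.254
CLIENT_LAN="10.0.2.0"            # LAN B behind the client, gw 10.0.2.254
VPN_PORT="1194"

# Writes tunserver.conf and tunclient.conf into directory $1.
write_tun_configs() {
    dir="$1"
    cat > "$dir/tunserver.conf" <<EOF
# VPN server (the 10.0.1.254 gateway): waits for the client on UDP $VPN_PORT
dev tun
proto udp
port $VPN_PORT
ifconfig 10.8.0.1 10.8.0.2
secret $dir/static.key
route $CLIENT_LAN 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
    cat > "$dir/tunclient.conf" <<EOF
# VPN client (the 10.0.2.254 gateway): the server address is mandatory here
remote $SERVER_PUBLIC $VPN_PORT
dev tun
proto udp
ifconfig 10.8.0.2 10.8.0.1
secret $dir/static.key
route $SERVER_LAN 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Pre-flight check of the pair in directory $1: the client's "remote" must name
# the server, the two "ifconfig" lines must mirror each other (local/remote
# swapped), and both sides must point at a readable key file. Prints each
# problem found and returns non-zero if there is any.
check_tun_configs() {
    dir="$1"
    rc=0
    s_local=$(awk '/^ifconfig/ {print $2}' "$dir/tunserver.conf")
    s_remote=$(awk '/^ifconfig/ {print $3}' "$dir/tunserver.conf")
    c_local=$(awk '/^ifconfig/ {print $2}' "$dir/tunclient.conf")
    c_remote=$(awk '/^ifconfig/ {print $3}' "$dir/tunclient.conf")
    if [ "$s_local" != "$c_remote" ] || [ "$s_remote" != "$c_local" ]; then
        echo "ifconfig endpoints do not mirror each other"
        rc=1
    fi
    if ! grep -q "^remote $SERVER_PUBLIC " "$dir/tunclient.conf"; then
        echo "tunclient.conf does not point at the server"
        rc=1
    fi
    for f in tunserver.conf tunclient.conf; do
        key=$(awk '/^secret/ {print $2}' "$dir/$f")
        if [ ! -r "$key" ]; then
            echo "$f: key file $key is missing (create it with: openvpn --genkey --secret $key)"
            rc=1
        fi
    done
    return $rc
}
```

Generate the key once with openvpn --genkey --secret, copy it to the client over a trusted channel, then run check_tun_configs on each side before starting openvpn --config.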
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At the VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration: VPN Server
Mark (comment out) this line if both VPN networks are in the same subnet
3-3 TAP Configuration: VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh
[At the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Points to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration: VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At the VPN client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS: Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certificated in the same way
3-4-2 OpenVPN: "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN: "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
Copy the CA certificate, the client key and the client certificate to the VPN client
The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
root@Moxa:/mnt/ramdisk# upfirm UC7420-1.5.frm
Upgrade firmware utility version 1.0
To check source firmware file context
The source firmware file context is OK
This step will destroy all your firmware
Do you want to continue it (Y/N): Y
MTD device [/dev/mtd6] erase 128 Kibyte @ 20000 -- 100 % complete
Wait to write file ... Compleleted 100%
Now upgrade the new configuration file
Upgrade the firmware is OK
Please press any key to reboot system
(Callout: Press any key to reboot the system)
Note: DO NOT power off the UC until the Ready LED is ON again. The first boot-up after upgrading the firmware will take a long time.
Setting up the Network Interfaces
IEEE 802.11g
Configure 802.11g Wireless LAN
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte CardBus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Step 1: Unplug the CardBus wireless LAN card first
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
# Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
# This file is a binary file and will be read on loading the rt2500.o module
# Use "vi -b RT2500STA.dat" to modify the settings according to your need
# 1) set NetworkType to Adhoc for using Adhoc mode; otherwise use Infrastructure
# 2) set Channel to 0 for auto-select in Infrastructure mode
# 3) set SSID for connecting to your access point
# 4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
# 5) EncrypType can be NONE, WEP, TKIP, AES
# for more information refer to the Readme file
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat (the parameter list given earlier in this appendix)
CountryRegionmdashSets the channels for your particular country regionWirelessModemdashSets the wireless modeSSIDmdashSets the softAP SSIDNetworkTypemdashSets the wireless operation modeChannelmdashSets the channelAuthModemdashSets the authentication modeEncrypTypemdashSets encryption typeDefaultKeyIDmdashSets default key IDKey1Str Key2Str Key3Str Key4StrmdashSets strings Key1 to Key4TxBurstmdashWPA pre-shared keyWpaPskmdashEnables or disables TxBurstTurboRatemdashEnables or disables TurboRateBGProtectionmdashSets 11b11g protection (this function is for engineering testing only)ShortSlotmdashEnables or disables the short slot timeTxRatemdashSets the TxRateRTSThresholdmdashSets the RTS thresholdFragThresholdmdashSets the fragment threshold
Developing Your Application
Windows Tool Chain

Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB

Windows Tool Chain Introduction

The UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.

The following topics are covered in this appendix:
- Introduction
- Installation Procedure
- Using the BASH Shell
- GDB debug tool: Insight

Windows Tool Chain requirements
1. Operating System: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet connection to the UC-7400
5. You must be able to log in as administrator
6. Use a Windows username without spaces
7. You will use a BASH shell window to enter commands
8. For editing text files such as configuration files, use the vi editor (a Unix editor). Do NOT use WordPad (a Windows editor): it writes CR/LF line endings, which cause problems when the files are transferred to a genuine Linux environment.
Development Process
Step 1: Set up the development environment on the PC (x86 host)
Step 2: Code, compile and debug in the Windows Tool Chain
Step 3: Deploy the program to the UC (IXP-422 target)

Step 1: Setting up the Development Environment

Install the Windows Tool Chain on the PC (Windows 2000/XP). Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (recommended)

Utilities:
- Moxa Bash Shell
- GDB debug tool: Insight (http://sources.redhat.com/insight)

The installation can take from 5 to 30 minutes depending on the speed of your system.

Step 2: Coding, Compiling and Debugging

Write the C/C++ program in the Moxa Bash Shell (PC, Windows Tool Chain), then compile and link the sources with the tool chain:
- Compiler path setting: PATH=/usr/local/mxscaleb/bin
- Compile Hello.c

Step 3: Deployment

Upload the program to the UC:
    ftp 192.168.3.127
    ftp> binary
    ftp> put hello-release

Run the program (on the UC-7400):
    chmod +x hello-release
    ./hello-release
    Hello

Note that FTP (like Telnet) sends the login password and the file itself in clear text. The UC-7400 firmware also includes an SSH daemon, so prefer an SSH-based transfer on anything but an isolated lab network.
Debugging with GDB

Setup over Ethernet:
- PC (Moxa Bash Shell): 1. compile with -ggdb; 3. run Insight (the GDB client); 4. "target remote" to the UC
- UC: 2. run the GDB debug server (gdbserver)

Step 1 (PC, Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC.

Step 2 (UC): start hello-debug under gdbserver:

    chmod +x hello-debug
    gdbserver 192.168.3.127:2000 hello-debug
    Process hello-debug created; pid = 206

Step 3 (PC, Insight): run the GDB client:
- Open the hello-debug file
- Connect to target: GDB Server/TCP, host 192.168.3.200, port 2000

gdbserver listens on the given TCP port (2000); Insight must be pointed at the UC's address and that port. gdbserver performs no authentication and gives whoever connects full control of the debugged process, so only expose it on a trusted lab network and stop it when the session ends.
iptables Introduction

Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1. Quick View of iptables

iptables is a user-space command used to set up, maintain and inspect the "Netfilter" packet-filtering subsystem of the Linux kernel. It is one of several firewall/NAT administration tools and operates on the tables of IP packet filter rules held in the kernel.

Netfilter's standard matches look at packet headers (addresses, ports, flags, connection state), not at application-layer content.

Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches; this is called a "target", which may also be a jump to a user-defined chain in the same table.

Third generation of Linux firewalls:
- "ipfwadm" on Linux kernel 2.0.x
- "ipchains" on Linux kernel 2.2.x
- "ipchains" or "iptables" on Linux kernel 2.4.x
- "iptables" on Linux kernel 2.6.x

iptables supports basic packet filtering as well as connection state tracking.

UC-7110/7400 support only "iptables".
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match: The Highest Priority

[Flowchart: a packet is tested against Rule 1; if it matches, Action 1 is taken and evaluation stops. Otherwise it is tested against Rule 2, and so on up to Rule 10 (Action 2 ... Action 10 on the first match). If no rule matches, the chain's default policy applies.]
2-1 First Match

On a WWW server, reject the attack from IP 192.168.1.100:
  Rule 1: Drop the packets from 192.168.1.100
  Rule 2: Accept WWW request packets from all hosts
  Rule 3: Drop all non-WWW packets

With the rules in this order instead:
  Rule 1: Accept WWW request packets from all hosts
  Rule 2: Drop the packets from 192.168.1.100
  Rule 3: Drop all non-WWW packets

192.168.1.100 is still able to use the WWW service, or to attack the WWW service port: its web packets match Rule 1 and are accepted before Rule 2 is ever consulted. Specific deny rules must be placed before the general accept rules they are meant to override.
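To make the ordering effect concrete, the following is an added example (not from the original course material): a minimal first-match evaluator in shell that walks a rule list the way a netfilter chain is walked, run against the two orderings above. The rule format ("SRC DPORT ACTION" with "any" as a wildcard) and the rulesets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original deck): a minimal first-match evaluator
# that walks a rule list top to bottom the way a netfilter chain is walked.
# Rule format: "SRC DPORT ACTION", where "any" is a wildcard. The first rule
# that matches decides; if none matches, the chain's default policy applies.

# Constructed rulesets for the slide's two orderings (constructed data).
RULES_ATTACKER_FIRST="192.168.1.100 any DROP
any 80 ACCEPT
any any DROP"

RULES_WWW_FIRST="any 80 ACCEPT
192.168.1.100 any DROP
any any DROP"

# first_match RULESET SRC DPORT [POLICY] -> prints the verdict for one packet
first_match() {
    ruleset=$1; src=$2; dport=$3; policy=${4:-ACCEPT}
    verdict=$policy
    while read -r r_src r_port r_action; do
        [ -z "$r_action" ] && continue           # skip blank lines
        if { [ "$r_src" = any ] || [ "$r_src" = "$src" ]; } &&
           { [ "$r_port" = any ] || [ "$r_port" = "$dport" ]; }; then
            verdict=$r_action                    # first match wins ...
            break                                # ... so stop walking the chain
        fi
    done <<EOF
$ruleset
EOF
    printf '%s\n' "$verdict"
}

# A web request from the attacker under each ordering:
printf 'attacker DROP listed first: %s\n' "$(first_match "$RULES_ATTACKER_FIRST" 192.168.1.100 80)"   # DROP
printf 'WWW ACCEPT listed first:    %s\n' "$(first_match "$RULES_WWW_FIRST" 192.168.1.100 80)"        # ACCEPT
```

The same walk explains why a rule appended with -A to a chain that already accepts the traffic never fires: use -I to insert the deny rule ahead of the accept, or build the whole chain in one script in the intended order.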
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table

2-2-1 Filter Table
Mainly used for filtering packets. This is where we actually take action on packets: look at their headers and ACCEPT, DROP, REJECT or LOG them depending on what they match.
1. INPUT chain: packets destined for the local host
2. OUTPUT chain: packets generated by the local host
3. FORWARD chain: packets routed through this host to other hosts

2-2-2 NAT Table
Used for Network Address Translation: rewriting the source or destination field of packets. Only the first packet of a connection traverses this table; the decision is then applied to the rest of the connection by the connection-tracking code.
1) PREROUTING chain: translate the destination IP address (DNAT) before the routing decision
2) POSTROUTING chain: works after the routing process and just before the packet leaves the Ethernet device, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: destination translation for locally generated packets

2-2-3 Mangle Table
This table is mainly used for mangling packets: its targets can change the TOS (Type Of Service) and TTL fields, and it can also "MARK" packets for use by later rules or by policy routing.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: local host
2-3-2 Source: local host
2-3-3 Forwarded packets
2-3-4 State machine

2-3-1 Destination: Local Host
Incoming packets -> NAT table PREROUTING -> routing decision -> filter table INPUT -> local process

2-3-2 Source: Local Host
Local process -> NAT table OUTPUT -> filter table OUTPUT -> NAT table POSTROUTING -> packets sent out

2-3-3 Forwarded Packets
Incoming packets -> NAT table PREROUTING -> routing decision (destination is not a local resource) -> filter table FORWARD -> NAT table POSTROUTING -> other hosts

A forwarded packet never passes through INPUT or OUTPUT, which is why rules for traffic crossing a NAT box belong in FORWARD.

2-4 State Machine
3) Usage of iptables
3-1 Load iptables modules
3-2 Define the default policy
3-3 Structure of a rule
3-4 Save/restore rules

3-1 Load iptables Modules
Note: ipchains and iptables are not compatible; the ipchains module must not be loaded while iptables is in use.

Check the current tables:
    iptables [-t table] -L -n
(-n prints addresses and ports numerically instead of resolving names, which is faster and avoids DNS lookups from the firewall.)

Each built-in chain has a default policy, applied when no rule matches.

Clear the current rules before installing a new rule set (all chains of the named table):
    iptables [-t table] -F

3-2 Define Default Policy
    iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP

Only built-in chains take a policy, and only ACCEPT or DROP are valid as a policy (REJECT, LOG and other extension targets are not). Set the policy to DROP before adding the ACCEPT rules rather than after, so the host is never briefly wide open.
3-3 Structure of a Rule
3-3-1 Add, insert, delete and replace rules
3-3-2 Direction (chain)
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace

    iptables -t filter|nat|mangle -A|-I|-D|-R <chain> <matches> -j <target>

Three major things need to be considered: the direction (which chain), the match conditions, and the target (-j).

3-3-2 Direction: Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...

3-3-3 Matches: Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP] (a host, or a network such as 192.168.1.0/24)
3. --sport [port], --dport [port] (require -p tcp or -p udp; a range is written low:high)
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --ports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ...etc.

3-3-4 Targets: Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING/OUTPUT)
c. mangle table: ...

LOG is a non-terminating target: after logging, the packet continues down the chain, so a LOG rule is normally followed by the DROP or REJECT that actually disposes of it.

3-4 Save/Restore Rules
iptables-save writes the current rule set to standard output and iptables-restore reads it back. It is highly recommended to use a script file to maintain the Netfilter rules instead of this exported file (it is not a standard shell script, and hand-editing it is error-prone). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter: Rules of the filter table

Example 1: Accept all packets arriving on the lo interface
    iptables -t filter -A INPUT -i lo -j ACCEPT

Example 2: Accept all TCP packets arriving from IP 192.168.0.1
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT

Example 3: Accept all TCP packets arriving from the network 192.168.1.0/24
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT

Example 4: Drop all TCP packets arriving from IP 192.168.1.25
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
(Remember first match: if Example 3 was added before this rule, 192.168.1.25 is already accepted by it and this DROP never fires. Add the DROP first, or use -I to insert it at the top.)

Example 5: Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0)
    iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP

Example 6: Accept TCP packets arriving from 192.168.0.0/24 to local ports 137, 138 and 139
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT

Example 7: Log all incoming TCP packets to port 25 (log the SMTP service)
    iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Outgoing SMTP replies would need a matching OUTPUT rule with --sport 25. LOG does not stop the packet: it continues to the following rules and, if nothing else matches, the chain policy.
Note: the UC-7110 does not support the "LOG" target.

Example 8: Drop all SYN packets (new connection attempts) from IP 192.168.100.200
    iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP

Example 9: Drop all packets from MAC address aa:bb:cc:dd:ee:ff
    iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
(A MAC match only works on the directly attached segment and is trivially spoofed; it is not a substitute for an IP rule.)

Example 10: Do not respond to "ping" (drop ICMP echo requests, type 8)
    iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP

Example 11: Limit an ICMP "ping" burst: with a DROP policy, accept at most 6 ICMP packets per minute after an initial burst of 10
    iptables -t filter -P INPUT DROP
    iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT

Example 12: Accept the ESTABLISHED and RELATED packets of the local host; drop INVALID packets and NEW packets that try to create a connection
    iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP

Example 13: Check packet integrity (the experimental "unclean" match, which is not available in every kernel build)
    iptables -t filter -A INPUT -p all -m unclean -j DROP

Example 14: Enable "passive mode" FTP through this host to another host: the FTP connection-tracking helper recognises the data connection as RELATED to the control connection
    modprobe ip_conntrack_ftp
    iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
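The examples above are individual rules; a firewall is the whole ordered set. The script below is an added example, not from the course material or the Moxa firmware, that assembles them into a complete default-deny INPUT policy kept in a script file as section 3-4 recommends. It assumes the LAN interface is eth0, the administration host is 192.168.1.1 and the known attacker is 192.168.1.100 (all overridable through environment variables). With DRY_RUN=1 it prints the iptables commands instead of executing them, so the rule set can be reviewed on any host; "apply" runs them for real and needs root on the UC.

```shell
#!/bin/sh
# Added example (not from the original deck): a complete default-deny INPUT
# rule set assembled from the slide examples, kept in a script file as the deck
# recommends. DRY_RUN=1 prints the iptables commands instead of running them,
# which is how the rules can be reviewed on a host without root (or without
# netfilter at all). Assumed names: LAN on eth0, admin host 192.168.1.1.

LAN_IF=${LAN_IF:-eth0}
ADMIN_HOST=${ADMIN_HOST:-192.168.1.1}
ATTACKER=${ATTACKER:-192.168.1.100}

# ipt ARGS...: print in dry-run mode, otherwise execute iptables.
ipt() {
    if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

firewall_input() {
    # Clean slate, then default-deny before any ACCEPT rule exists.
    ipt -t filter -F INPUT
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT ACCEPT

    # Loopback is always trusted.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, plus related traffic (FTP data);
    # anything the state machine cannot classify is dropped.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # First match wins: the known attacker is blocked before any service ACCEPT.
    ipt -A INPUT -i "$LAN_IF" -s "$ATTACKER" -j DROP

    # Stay pingable, but not floodable (slide example 11).
    ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT

    # Services: web from anywhere on the LAN, SSH only from the admin host.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT

    # LOG is non-terminating: record (rate-limited) what is about to hit the DROP policy.
    ipt -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
}

# show_rules: the dry-run listing, the artefact to review before 'apply'.
show_rules() { ( DRY_RUN=1; firewall_input ); }

# count_rules TARGET -> number of -A rules ending in "-j TARGET"
count_rules() { show_rules | grep -c -- "-j $1\$"; }

case "${1:-show}" in
    apply) firewall_input ;;
    *)     show_rules ;;
esac
```

Run it without arguments to see the rules, and with "apply" on the UC to load them. Because the policy is set to DROP before the ACCEPT rules are added, apply it from the console or over a session you can afford to lose; on the UC-7110 drop the LOG line, since that target is not available there.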
4-2 NAT Machine: Rules of the nat table

Example 1: Redirect connection requests for port 80 to local port 8080
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Example 2: Masquerade packets arriving from 192.168.1.0/24 so that they leave with the local ppp0 address. Source NAT happens in POSTROUTING, after the routing decision has chosen the outgoing interface; MASQUERADE (and -o) is not valid in PREROUTING.
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

Example 3: DNAT the packets arriving on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10, port 80
    iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80

Example 4: Redirect the incoming packets for TCP port 80 to 192.168.1.10, TCP port 80 (same form as Example 3 with the internal address changed)

Source NAT for the internal network with a fixed public address (the static counterpart of MASQUERADE):
    iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP

Translation alone is not enough on a box with a restrictive FORWARD policy: the DNAT'd connection must also be accepted in the filter table's FORWARD chain, and IP forwarding must be enabled in the kernel.
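The following is an added example (not from the course material): a small NAT gateway script that combines the MASQUERADE, DNAT and SNAT-style rules above with the pieces the one-liners leave out: enabling IP forwarding, putting MASQUERADE in POSTROUTING, and the FORWARD rules without which a port-forwarded connection is translated and then dropped by a default-deny FORWARD chain. The topology is assumed: WAN on eth0 with public address 60.248.66.75, LAN 192.168.127.0/24 on eth1, internal web server 192.168.127.10. DRY_RUN=1 prints the commands; "apply" needs root.

```shell
#!/bin/sh
# Added example (not from the original deck): a small NAT gateway built from
# the NAT examples above, with the pieces the one-liners leave out: IP
# forwarding, MASQUERADE in POSTROUTING (it is invalid in PREROUTING), and the
# FORWARD rules without which a DNAT'd connection is translated and then
# dropped. Assumed topology: WAN on eth0 with public address 60.248.66.75,
# LAN 192.168.127.0/24 on eth1, internal web server 192.168.127.10.
# DRY_RUN=1 prints the commands instead of applying them.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PUB_IP=${PUB_IP:-60.248.66.75}
LAN_NET=${LAN_NET:-192.168.127.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.127.10}

ipt() {
    if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

nat_gateway() {
    # A gateway must forward between interfaces; the kernel default is off.
    [ -n "$DRY_RUN" ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    ipt -t nat -F
    ipt -t filter -F FORWARD
    ipt -t filter -P FORWARD DROP

    # Outbound: hide the LAN behind the WAN address. Source NAT is decided
    # after routing, hence POSTROUTING and -o.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Inbound port forward: rewrite the destination before routing ...
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUB_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # ... and permit exactly that translated traffic through FORWARD.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW -j ACCEPT

    # LAN hosts may open connections outward; only replies come back in.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP
}

show_nat_rules() { ( DRY_RUN=1; nat_gateway ); }

# chain_of TARGET -> the chain each rule with "-j TARGET" was appended to,
# so a reviewer can confirm MASQUERADE is in POSTROUTING and DNAT in PREROUTING.
chain_of() { show_nat_rules | grep -- "-j $1" | sed -n 's/.*-A \([A-Z]*\).*/\1/p'; }

case "${1:-show}" in
    apply) nat_gateway ;;
    *)     show_nat_rules ;;
esac
```

The FORWARD rule for the port forward matches the already-translated destination (192.168.127.10), because the filter FORWARD chain is consulted after nat PREROUTING has rewritten the packet. If FTP must pass through the gateway as well, load ip_conntrack_ftp and ip_nat_ftp so that the data connections are tracked as RELATED.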
Thank You
OpenVPN 2.0
Stephen Lin

OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric data encryption
1-3 Hash (digest) function
1-4 Message authentication code
1-5 Asymmetric data encryption
1-6 Digital signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
- Confidentiality: ensure that nobody can learn what you transfer, even if they listen to the whole conversation
- Integrity: ensure that the message has not been modified during transmission
- Authenticity: you can verify that you are talking to the entity you think you are talking to, and who the specific individual behind that entity is
- Non-repudiation: the individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
- Fast; highly efficient for data transmission
- Is it "secure" while transferring the key? The key must reach the other party over a channel the eavesdropper cannot read.
- Key maintenance: n(n-1)/2 keys for n parties that must each share a distinct key
- Algorithms: DES, 3DES, AES, Blowfish (DES's 56-bit key is no longer adequate; prefer AES)

[Figure: Tom encrypts the plaintext with the secret key to produce the ciphertext; Bob decrypts the ciphertext with the same secret key to recover the plaintext.]
1-3 Hash (Digest) Function
- Ensures data integrity
- MD5, SHA-1 (both have since been shown to be collision-prone; new designs should use SHA-2 or later)

[Figure: Tom computes Message Digest 1 from the data with a hash function and sends the data together with the digest; Bob recomputes Message Digest 2 from the received data with the same hash function and compares it with Message Digest 1.]

A plain digest only detects accidental corruption: an attacker who changes the data can simply recompute the digest. Against deliberate modification a keyed MAC (next section) is needed.
1-4 Message Authentication Code
- Ensures data integrity and authenticity of origin
- Uses a secret key to protect the digest, so only a holder of the key can produce a valid MAC
- HMAC, CBC-MAC

[Figure: Tom hashes the data to Message Digest 1, protects it with the secret key to form the MAC, and sends the data with the MAC; Bob recomputes Message Digest 2 from the data, verifies the received MAC with the same secret key and compares the two digests.]
1-5 Asymmetric Encryption
Things to remember:
- Key pair: public/private keys
- In a session one key is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- From one key you cannot derive the other, even if you have access to clear text and cipher text
- In RSA the two keys are mathematically interchangeable: when a key pair is generated either of the two can be made public and the other kept private. This is a property of RSA, not of every asymmetric algorithm.
- Less efficient than symmetric (static) keys, so in practice it protects a symmetric session key rather than the bulk data
- RSA, Diffie-Hellman

[Figure: clear text is encrypted into ciphertext such as "g$5knvMd'rkvegMs".]

1-5 Asymmetric Data Encryption: Confidentiality
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. The recipient's key pair is used: only Bob can read the message.]

1-5 Asymmetric Data Encryption: Authenticity
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. The sender's key pair is used: anyone can read the message, but only Tom could have produced it.]
1-6 Digital Signature
Real-world hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: combines a public-key operation with a hash

1-6 Digital Signature: Creating
[Figure: from the message or file ("This is the document created by Gianni") a short message digest (typically 128 to 160 bits, e.g. "Py75c%bn") is calculated with a one-way hash function (SHA, MD5); the digest is then encrypted with the signatory's private key (RSA) to give the digital signature ("3kJfgf*£$&"), which is attached to the message to form the signed document.]

1-6 Digital Signature: Verifying
[Figure: the verifier recomputes the message digest from the received message with the same hash function, decrypts the digital signature with Gianni's public key (taken from his certificate), and compares the two digests; they must match.]

[Figure: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to form the digital signature; Bob recomputes Message Digest 2 from the data, decrypts the signature with Tom's public key and compares the two digests.]
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key
... and the whole is:
- Digitally signed by someone trusted (like your friend, or a CA)

[Figure: a certificate binds the public key to the statement "This public key belongs to Stephen" and carries the digital signature over both. The entity can be a person, a computer, a device, a file, some code, anything.]

1-7-1 CA Certificate
[Figure: the certification server (CA) generates its own key pair; a user requests a certificate from the CA; the CA generates the certificate and, in this picture, the private key and the certificate are sent to the user.]

In the normal PKI flow the user generates the key pair and sends the CA only a certificate request containing the public key, so that the private key never leaves its owner; the easy-rsa procedure in section 3-4 works that way.

1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key. "Left" and "Right" each hold their own private key, the CA public key, and their own certificate signed by the CA. Because both trust the CA public key, each can verify the other's CA-signed certificate.]
1-7-2 SSL/TLS
[Figure: each side holds a key pair and the other's public key. Clear text is encrypted (Cipher 1, Cipher 2) for transmission over the public network and decrypted on the far side; the public keys are exchanged to set up the session.]
- Ensures confidentiality, and integrity if the data is digitally signed (authenticated)
- Depending on how the public keys are exchanged and verified: authenticity, identity, non-repudiation
1-8 Moxa UC7400: Hardware Cipher
The Intel XScale IXP42x supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR

Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source code

1-8-1 Moxa Accelerated Algorithms: OpenSSL 0.9.7
- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), as OpenSSL itself does
1-8-2 Performance
[Figure: four charts of throughput versus packet size for 3DES-CBC and AES-128-CBC, each with a RATE curve: packet sizes 128 to 1280 bytes (throughput scale 0 to 80) and 16 to 144 bytes (throughput scale 0 to 8), software cipher versus hardware cipher.]
1-8-3 Things to Notice
Moxa UC-7400 switches operation between the software and the hardware approach:
- Default: hardware approach
- Any misconfiguration, or the hardware engine being busy, causes a switch to the software approach
Small packets are handled by the software approach:
- DES: below 128 bytes
- 3DES/AES: below 64 bytes

1-8-4 Software Package
- Driver: mxhw_cipher.o
- Device file: mknod /dev/mxcrypto c 11 131
- Test program io: "io" correctness test; "io 0 5000" stability test; "io 1" golden pattern; "io 2 20000" performance test
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes

2-1 Virtual Private Network: Advantages and Disadvantages
- VPN: a network constructed over public wires (e.g. the Internet) to connect nodes
- A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH etc. do)
- A VPN allows the use of protocols which are insecure by themselves
- VPN traffic cannot be inspected, controlled and logged easily by intermediate devices because of its encrypted nature; monitoring has to happen at the tunnel endpoints
2-2 Why OpenVPN
Usability:
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit static (pre-shared) key or digital certificates (PKI)
Portability: supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4, Windows XP SP1 or later

Peers: each node has a client/server role
- Uses kernel routing
- Multiple clients per server
A user-space program:
- A full-featured SSL-VPN solution built on top of the existing SSL/TLS mechanism
- Choice among a set of security algorithms (ciphers, digests)
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port (5000 in OpenVPN 1.x, 1194 in 2.0)
2-2 OpenVPN Security
Two authentication modes:
- Static key: a pre-shared key
- SSL/TLS: SSL/TLS with certificates, for authentication and key exchange

The encrypted packet carries:
- SeqN: 64-bit sequence number (replay protection)
- IV: plain-text initialization vector, randomized per packet

[Figure: packet layout: HMAC | IV | encrypted block containing SeqN and the tunnelled IP payload. The HMAC is computed over the IV and the encrypted data, so the receiver authenticates a packet before decrypting it.]

2-2 OpenVPN vs IPSec
OpenVPN:
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec:
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard with multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic, firewall/NAT/DHCP friendly

2-3-1 Routed IP Tunnels (TUN Mode)
- Uses a TUN device: a virtual point-to-point IP link; OpenVPN attaches its inner interface to the TUN device
- Uses kernel routing to forward the packets

[Figure: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN sits in the application layer and the TUN device attaches at layer 3 (Network).]

Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) for cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
- The bridge tools (brctl) are required to create the bridge
- A script is needed to bind eth1 and tap0 together into a bridged device called br0:

    brctl addbr br0            # create an Ethernet bridge
    brctl addif br0 eth1       # connect interface eth1 as a port
    brctl addif br0 tap0       # connect virtual interface tap0 as a port (the bridge name is required)
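The three brctl commands are only part of the job: the TAP device must exist before it can be added, the bridge (not eth1) has to carry the LAN address, and everything must be undone in the right order on stop. The script below is an added example, not the Moxa openvpn-bridge script, showing the full start/stop sequence. It assumes the server side of the lab (br0 = 10.0.1.254/24, LAN on eth1, TAP device tap0) and that the openvpn binary is available for --mktun; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the Moxa openvpn-bridge script): bring up and tear down
# the TAP/bridge combination the slide describes. The bridge takes over the
# LAN interface's address, so eth1 itself is left without one.
# Assumed: br0 10.0.1.254/24 (VPN server side of the lab), LAN on eth1, tap0.
# DRY_RUN=1 prints the commands instead of executing them.

BR=${BR:-br0}
ETH=${ETH:-eth1}
TAP=${TAP:-tap0}
BR_IP=${BR_IP:-10.0.1.254}
BR_MASK=${BR_MASK:-255.255.255.0}

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

bridge_start() {
    run openvpn --mktun --dev "$TAP"           # persistent TAP device, created before OpenVPN starts
    run ifconfig "$TAP" 0.0.0.0 promisc up
    run ifconfig "$ETH" 0.0.0.0 promisc up    # eth1 loses its address: the bridge carries it
    run brctl addbr "$BR"
    run brctl addif "$BR" "$ETH"
    run brctl addif "$BR" "$TAP"              # the slide's 'brctl addif tap0' is missing the bridge name
    run ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" up
}

bridge_stop() {
    run ifconfig "$BR" down
    run brctl delif "$BR" "$TAP"
    run brctl delif "$BR" "$ETH"
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    run ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" up   # give the address back to eth1
}

# show_bridge_cmds: dry-run listing of the start sequence, for review.
show_bridge_cmds() { ( DRY_RUN=1; bridge_start ); }

case "${1:-}" in
    start) bridge_start ;;
    stop)  bridge_stop ;;
    *)     show_bridge_cmds ;;
esac
```

Because eth1 briefly has no address while the bridge comes up, run the start sequence from the serial console or a session on a different interface, never over the LAN interface being bridged.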
[Figure: the two OSI stacks again; OpenVPN sits in the application layer, the TAP device attaches at layer 2 (Data-Link) and is bridged with eth1 on each side, while eth0 carries the tunnel itself.]

2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well (every broadcast on either LAN crosses the tunnel)
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys

3-1 Getting Started: lab topology
[Figure: LAN A (10.0.1.0/24, hosts such as 10.0.1.1/24 with gateway 10.0.1.254) sits behind the VPN server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201; the same machine acts as the CA/TLS server. LAN B (10.0.2.0/24, hosts such as 10.0.2.1/24 with gateway 10.0.2.254) sits behind the VPN client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The client connects over the 192.168.12.0 network to the server, creating the VPN tunnel between the two LANs.]
3-1 Getting Started
- Create a working directory (recommended):
    mkdir /etc/openvpn
- Check for the TUN device (ls /dev/net, look for a character device "tun"); if it is missing, create it:
    mknod /dev/net/tun c 10 200
- Load the necessary modules:
    modprobe tun
    modprobe bridge
- Generate a (pre-shared) static key:
    openvpn --genkey --secret [KeyName]
- Self-diagnostic:
    openvpn --test-crypto --secret [KeyName]
- Enable IP forwarding:
    echo "1" > /proc/sys/net/ipv4/ip_forward
  or, in /etc/sysctl.conf, set "net.ipv4.ip_forward = 1"
- Create/start the bridge interface using the Moxa script:
    openvpn-bridge [start|stop|restart]
- Check the supported ciphers and digests (authentication):
    openvpn --show-ciphers
    openvpn --show-digests
- Create the TUN configuration files:
    vi /etc/openvpn/tunserver.conf
  [at the VPN client]
    vi /etc/openvpn/tunclient.conf

The static key is the entire secret of a pre-shared-key tunnel: generate it on one machine, copy it to the peer over SSH (not FTP or e-mail), and keep it readable by root only (mode 0600).
3-2 TUN Server Configuration
- The local and remote VPN IP addresses (the ifconfig directive) must be specified at both ends
- It is NECESSARY to specify the server address (remote) at the VPN client

Edit the static routes:
    vi /etc/openvpn/tunserver.sh
    chmod +x /etc/openvpn/tunserver.sh
[at the VPN client]
    vi /etc/openvpn/tunclient.sh
    chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file:
    openvpn --config /etc/openvpn/tunserver.conf &
    openvpn --config /etc/openvpn/tunclient.conf &
The second argument of "ifconfig" is the remote tunnel endpoint, which is now 10.0.2.254 on the server side.
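The slides leave the contents of tunserver.conf and tunclient.conf to the class. The pair below is an added example, not the deck's own files, for the lab topology in 3-1: a static-key, routed (TUN) point-to-point tunnel whose two ends are generated by one function so that the ifconfig arguments stay mirrored and the route to the far LAN is installed by OpenVPN itself (replacing the tunserver.sh/tunclient.sh route scripts). Assumed: the server is reachable at 192.168.12.201, the tunnel endpoints are 10.0.1.254 (server) and 10.0.2.254 (client), static.key was created with "openvpn --genkey --secret static.key" and copied to the client over SSH, and a "nobody" user exists on the UC for privilege dropping.

```shell
#!/bin/sh
# Added example (not the deck's own tunserver.conf/tunclient.conf): a static-key
# TUN point-to-point pair for the lab topology, written by one function so the
# two ends stay consistent. Assumptions: server at 192.168.12.201, tunnel
# endpoints 10.0.1.254 (server) / 10.0.2.254 (client), static.key already
# copied to both ends over SSH, a "nobody" user present on the UC.

SERVER_WAN=${SERVER_WAN:-192.168.12.201}
SRV_VPN=${SRV_VPN:-10.0.1.254}
CLI_VPN=${CLI_VPN:-10.0.2.254}
LAN_A=${LAN_A:-10.0.1.0 255.255.255.0}
LAN_B=${LAN_B:-10.0.2.0 255.255.255.0}

# common_opts -> directives shared by both ends
common_opts() {
    cat <<EOF
dev tun
proto udp
port 1194
secret static.key
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
verb 3
EOF
}

# write_tun_configs DIR -> writes DIR/tunserver.conf and DIR/tunclient.conf
write_tun_configs() {
    dir=$1
    {
        echo "# static-key TUN server (LAN A side)"
        echo "ifconfig $SRV_VPN $CLI_VPN"
        echo "route $LAN_B"              # reach LAN B through the tunnel
        common_opts
    } > "$dir/tunserver.conf"
    {
        echo "# static-key TUN client (LAN B side)"
        echo "remote $SERVER_WAN"        # only the client needs to know the peer's address
        echo "ifconfig $CLI_VPN $SRV_VPN"
        echo "route $LAN_A"
        common_opts
    } > "$dir/tunclient.conf"
}

# conf_value FILE DIRECTIVE -> the directive's arguments (empty if absent)
conf_value() { sed -n "s/^$2 //p" "$1"; }

# Stand-alone run: write both files to a scratch directory and show the server side.
out=$(mktemp -d)
write_tun_configs "$out"
cat "$out/tunserver.conf"
rm -rf "$out"
```

Write the files with write_tun_configs /etc/openvpn on each UC (or on one and copy the other file across), then start each end with openvpn --config as in the slide. "cipher" and "auth" must be identical at both ends; the default 2005-era cipher was Blowfish, and AES-128-CBC is chosen here because it is the mode the UC-7400 hardware engine accelerates.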
3-3 TAP Configuration: VPN Server
Create the TAP configuration files:
    vi /etc/openvpn/tapserver.conf
[at the VPN client]
    vi /etc/openvpn/tapclient.conf
Comment out the route line if both VPN networks are in the same subnet (the bridge makes them one broadcast domain and no route is needed).

Edit the static routes:
    vi /etc/openvpn/tapserver.sh
[at the VPN client]
    vi /etc/openvpn/tapclient.sh
    chmod +x /etc/openvpn/tapclient.sh
The routes point at the bridge in the kernel routing table: br0 = 10.0.1.254.

Start the bridge device:
    vi /etc/openvpn/openvpn-bridge
    chmod +x /etc/openvpn/openvpn-bridge
    /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file:
    openvpn --config /etc/openvpn/tapserver.conf &
    openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS: Dynamic Keys (OpenSSL CA script)
- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
- Sign the certificate request: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client
- Repeat -newreq and -sign for the second client

3-4-2 OpenVPN "easy-rsa" Tools
- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars (KEY_COUNTRY, KEY_ORG, ... and KEY_SIZE)
- Activate the vars (source them into the current shell): . /etc/openvpn/easy-rsa/vars
- Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server (build-key-server server additionally marks the certificate as a server certificate, which lets clients reject an impostor presenting a client certificate)
- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024 (1024-bit parameters were used in the class; 2048 bits is the minimum to use today)
- Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
- Copy the CA certificate, client key and client certificate to the VPN client
- The "easy-rsa" tools also work on the UC7400 series

Private keys (server.key, client.key) must be copied over an encrypted channel and kept readable only by root; the CA key (ca.key) should stay on the signing machine and never be deployed to a VPN endpoint.

3-4-3 Configuration File Modification
- t??server.conf (tunserver.conf / tapserver.conf)
- t??client.conf (tunclient.conf / tapclient.conf)
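The modification slide does not show what changes in the configuration files when moving from a static key to certificates. The following is an added example, not the course's own configuration, of the TLS-mode server/client pair that goes with the easy-rsa output above, written by one function so the file names and the tls-auth key direction stay consistent, plus a small check that lists which PKI files an endpoint is still missing before OpenVPN is started. Assumed: the server is 192.168.12.201, the tunnel subnet 10.8.0.0/24 is unused, the server certificate was made with build-key-server (so ns-cert-type server can be enforced), KEY_SIZE=2048 in vars (so build-dh produced dh2048.pem), ta.key was generated with "openvpn --genkey --secret ta.key" and copied to every endpoint, and a "nobody" user exists.

```shell
#!/bin/sh
# Added example (not the deck's own files): TLS-mode OpenVPN 2.0 server and
# client configuration for the easy-rsa certificates, plus a pre-flight check.
# Assumptions: server 192.168.12.201, tunnel subnet 10.8.0.0/24, server cert
# built with build-key-server, KEY_SIZE=2048 (dh2048.pem), ta.key shared,
# user "nobody" present. Comments sit on their own lines (OpenVPN 2.0 does not
# reliably accept trailing comments after a directive).

SERVER_WAN=${SERVER_WAN:-192.168.12.201}

# write_tls_configs DIR CLIENT_NAME -> DIR/server.conf and DIR/client.conf
write_tls_configs() {
    dir=$1; client=$2
    cat > "$dir/server.conf" <<EOF
# OpenVPN 2.0 TLS server, routed mode, many clients
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
# server.key: mode 0600, never copied to a client
key server.key
# build-dh with KEY_SIZE=2048; 1024-bit DH is too small today
dh dh2048.pem
# HMAC firewall: packets without the shared tls-auth key are dropped before the TLS handshake
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "route 10.0.1.0 255.255.255.0"
client-to-client
keepalive 10 120
cipher AES-128-CBC
auth SHA1
persist-key
persist-tun
user nobody
status openvpn-status.log
verb 3
EOF
    cat > "$dir/client.conf" <<EOF
client
dev tun
proto udp
remote $SERVER_WAN 1194
resolv-retry infinite
nobind
ca ca.crt
cert $client.crt
key $client.key
tls-auth ta.key 1
# refuse a server that presents a client certificate (needs build-key-server)
ns-cert-type server
cipher AES-128-CBC
auth SHA1
persist-key
persist-tun
verb 3
EOF
}

# pki_missing DIR ROLE [NAME] -> names of the files the endpoint still lacks
# (ROLE is "server" or "client"; NAME is the client certificate name)
pki_missing() {
    dir=$1; role=$2; name=${3:-client}
    case $role in
        server) want="ca.crt server.crt server.key dh2048.pem ta.key" ;;
        client) want="ca.crt $name.crt $name.key ta.key" ;;
        *)      echo "pki_missing: role must be server or client" >&2; return 1 ;;
    esac
    for f in $want; do [ -f "$dir/$f" ] || echo "$f"; done
}

# Stand-alone run: write the pair to a scratch directory and show the client side.
out=$(mktemp -d)
write_tls_configs "$out" client
cat "$out/client.conf"
rm -rf "$out"
```

Generate the files into /etc/openvpn on each UC (the client name must match the certificate built with build-key), run pki_missing /etc/openvpn server or pki_missing /etc/openvpn client <name> to confirm every file is in place, then start with openvpn --config as before. The tls-auth direction must be 0 on the server and 1 on the clients, and the same ta.key must be present everywhere.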
Live Demo
UC-7420 Demo Box
- Two of its serial ports are connected to a power meter and a thermocouple
- Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
- The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability

Demo Box Features
Software Block Diagram
- Temperature range: 0 to 500 °C
- Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC

UC's LCM and keypad (F1-F5)
- F1: Monitoring: Temperature -> Voltage -> Throughput for P3 to P8
- F2: System status: LAN IP -> Wi-Fi IP -> CPU load -> Available memory
- F3: Alarm settings: Temperature -> Voltage -> Burn-in throughput
- F4: Configuration key
- F5: Main menu

Apache web with CGI and HTML
- Seat Locating System
- Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
- The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
- The compatible wireless cards are:
    Supplier   Model name
    ASUS       WL-107g
    CNET       CWC-854 (181D version)
    Edimax     EW-7108PCg
    Amigo      AWP-914WG
    Gigabyte   GN-WMKG
    Others which use the same Ralink (RT2500) chipset
Thank You
Setting up the Network InterfacesSetting up the Network Interfaces
IEEE80211g
ConfigureConfigure 80211g Wireless LAN80211g Wireless LAN
rootMoxa vi etcnetworkinterfaces
80211g Gigabyte Cardbus wireless card
iface eth0 inet static
address 1921685127
network 19216850
netmask 2552552550
broadcast 1921685255
Step1 Unplug the CardBus Wireless LAN card first
Step2 Configure the default IP setting profile
vi etcnetworkinterfaces
Configure 802.11g Wireless LAN
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat.
This file is a binary file and is read when the rt2500.o module is loaded.
Use "vi -b RT2500STA.dat" to modify the settings according to your needs:
1) Set NetworkType to Adhoc to use Ad-hoc mode; otherwise Infrastructure mode is used.
2) Set Channel to 0 for auto-select in Infrastructure mode.
3) Set SSID for connecting to your access point.
4) AuthMode can be OPEN, SHARED, WPAPSK or WPANONE.
5) EncrypType can be NONE, WEP, TKIP or AES.
For more information refer to the Readme file.
Step 3: Configure the WLAN parameters:
vi /etc/Wireless/RT2500STA/RT2500STA.dat
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: Sets the channels for your particular country region
WirelessMode: Sets the wireless mode
SSID: Sets the softAP SSID
NetworkType: Sets the wireless operation mode
Channel: Sets the channel
AuthMode: Sets the authentication mode
EncrypType: Sets the encryption type
DefaultKeyID: Sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: Sets the strings Key1 to Key4
WpaPsk: WPA pre-shared key
TxBurst: Enables or disables TxBurst
TurboRate: Enables or disables TurboRate
BGProtection: Sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: Enables or disables the short slot time
TxRate: Sets the TxRate
RTSThreshold: Sets the RTS threshold
FragThreshold: Sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
The UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
• Introduction
• Installation Procedure
• Using the BASH Shell
• GDB debug tool: Insight
Windows Tool Chain
1. Operating System: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
[Diagram: x86 PC → IXP-422 target]
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP). Installation tips:
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities:
• Moxa Bash Shell
• GDB debug tool: Insight
• http://sources.redhat.com/insight
• This process could take from 5 to 30 minutes depending on the speed of your system.
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain).
Compile/link the source code with the tool chain:
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compiling hello.c
Step 3: Deployment
Upload the program to the UC:
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 site):
• chmod +x hello-release
• ./hello-release
Hello
Ethernet
PC (Moxa Bash Shell): 1. Compile with -ggdb; 3. Insight tool (GDB client); 4. Target remote
UC: 2. GDB debug server
Debugging with GDB
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1: PC (Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC.
Step 2: UC: start hello-debug under the debug server with the command
gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC (Insight): run the GDB client:
• Open the hello-debug file
• Connect to target:
• GDB Server/TCP
• 192.168.3.200
• 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel.
"Netfilter" works on the packet headers only, not on the content.
iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
1. Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
1. Quick View of iptables
3rd generation firewall on Linux:
- "ipfwadm" on Linux kernel 2.0.x
- "ipchains" on Linux kernel 2.2.x
- "ipchains" and "iptables" on Linux kernel 2.4.x
- "iptables" on Linux kernel 2.6.x
Supports basic packet filtering as well as connection state tracking.
UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Flowchart: each packet is tested against Rule 1, Rule 2, ... Rule 10 in order. The first rule that matches (Yes) applies its action (Action 1, Action 2, ... Action 10); a packet that matches no rule (No) falls through to the default policy.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets
Compare the following order:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
With this second order, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because its WWW packets already match Rule 1 and Rule 2 is never reached.
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain: packets entering the local host
2. OUTPUT chain: packets output from the local host
3. FORWARD chain: packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packets' source field or destination field.
1) PREROUTING chain: to translate the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Diagram: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process]
2-3-2 Source: Local Host
[Diagram: Outgoing Packets from a local process → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets]
2-3-3 Forwarded Packets
[Diagram: Incoming Packets from Other Hosts → NAT Table PREROUTING → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts; packets addressed to a Local Resource leave this path after PREROUTING]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R direction match -j target
3 major things need to be considered: the direction (chain), the match and the target.
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all the packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter - Rules of filter table
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from IP 192.168.0.24 to local port numbers 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 7 - Log all the incoming/outgoing TCP packets with to/from port = 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the target "LOG".
4-1 Packet Filter - Rules of filter table
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - ICMP "ping" burst (drop by default, accept a limited rate of pings):
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of filter table
Example 13 - Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "Passive Mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 - Redirect the connection requests of port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets coming in from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE and the -o match are only valid in the POSTROUTING chain):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to-destination 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to-source $OUT_IP
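The first-match ordering from 2-1 and the filter/NAT rules of the hands-on practice, combined into the kind of maintenance script that 3-4 recommends. This is an added example and not a Moxa script; it assumes eth0 faces the LAN that reaches the WWW service, ppp0 is the masqueraded uplink, and 192.168.1.100 / 192.168.1.0/24 are the attacking host and internal network from the slides. With IPT=echo it only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not Moxa's own script): filter + NAT rule script in the style
# recommended in 3-4.  Assumptions: eth0 faces the LAN that reaches the WWW
# service, ppp0 is the uplink to masquerade, 192.168.1.100 is the attacking
# host of the first-match example.  Usage: sh firewall.sh start|stop|restart
# Set IPT=echo to dry-run and just print the iptables commands.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
BAD_HOST=${BAD_HOST:-192.168.1.100}

# Flush every table and user chain so the script always starts from a known state.
flush_rules() {
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -t filter -X
}

# Default policies (3-2): drop whatever is not explicitly accepted.
set_policy() {
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

# Filter table.  Order matters because the first match wins (2-1): the DROP for
# the attacking host must be appended BEFORE the ACCEPT for the WWW service.
filter_rules() {
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    $IPT -t filter -A INPUT -i "$LAN_IF" -s "$BAD_HOST" -j DROP
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Rate-limited ping as in example 11; everything else falls to the DROP policy.
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Forwarded traffic from the LAN towards the uplink, plus its replies.
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# NAT table: masquerade the LAN behind the uplink address (POSTROUTING only).
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

start() {
    flush_rules
    set_policy
    filter_rules
    nat_rules
}

# Stop: open the policies again so the box stays reachable for maintenance.
stop() {
    flush_rules
    $IPT -t filter -P INPUT ACCEPT
    $IPT -t filter -P FORWARD ACCEPT
}

case "${1:-}" in
    start) start ;;
    stop) stop ;;
    restart) stop; start ;;
esac
```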
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation.
Integrity
• Ensure that the message has not been modified during transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify who is the specific individual behind that entity.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties
DES, 3DES, AES, Blowfish
[Diagram: Tom encrypts the plaintext with the secret key; the ciphertext is sent to Bob, who decrypts it with the same secret key to recover the plaintext.]
1-3 Hash (Digest) Function
Ensures data integrity
MD5, SHA-1
[Diagram: Tom runs the data through the hash function to get Message Digest 1 and sends Data + Message Digest 1. Bob runs the received data through the same hash function to get Message Digest 2 and compares it with Message Digest 1.]
1-4 Message Authentication Code
Ensures data integrity
Uses a key to protect the MAC
HMAC, CBC-MAC
[Diagram: Tom hashes the data to Message Digest 1, encrypts the digest with the secret key to form the MAC, and sends Data + MAC. Bob hashes the received data to Message Digest 2, decrypts the MAC with the secret key to recover Message Digest 1, and compares the two digests.]
1-5 Asymmetric Encryption
Things to remember:
• Key pair - public/private keys
• In a session, one key is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable. The algorithms make no difference between the public and the private key; when a key pair is generated, either of the two can be made public or private.
• Less efficient than a static key
• RSA, Diffie-Hellman
[Diagram: clear text → Encryption → cipher text]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair). Confidentiality check.]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair). Authenticity check.]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: uses the public key and a hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) to a short message digest (typically 128 bits); the digest is encrypted with the signatory's private key (asymmetric encryption, RSA) to give the digital signature; message plus signature form the signed document.]
Calculate a short message digest from even a long input using a one-way message digest function (hash).
1-6 Digital Signature - Verifying
[Diagram: the message part of the signed document is hashed again to a fresh message digest; the digital signature is decrypted with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared.]
1-6 Digital Signature
[Diagram: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to form the digital signature; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two.]
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: Certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user.]
1-7-1 CA Certificate Example
[Diagram: the CA holds its private key and its own public key, signed by the CA itself. Left and Right each hold their private key, their certificate signed by the CA, and the CA's public key; Left trusts Right's certificate and Right trusts Left's because both are signed by the CA whose public key they hold.]
1-7-2 SSL/TLS
[Diagram: each side holds a private/public key pair; the clear text is encrypted twice (Cipher 1, Cipher 2), transmitted over the public network, and decrypted in reverse order (Cipher 2, then Cipher 1) back to clear text.]
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
The Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too.
[Charts: 3DES-CBC and AES-128-CBC throughput and rate versus packet size (128 to 1280 bytes, and 16 to 144 bytes for small packets); the marked series is the HW cipher.]
1-8-3 Things to be noticed
The Moxa UC-7400 switches operation between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration or busy condition of the hardware causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
A VPN is a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.).
A VPN allows the use of protocols which are insecure by themselves.
VPNs cannot be controlled and logged easily because of their encrypted nature.
2-2 Why OpenVPN
Usability:
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms:
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4, Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role:
• Uses the kernel routing
• Multiple clients
A user-space program:
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• a choice between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Diagram: HMAC | IV | SeqN | payload; the SeqN and payload form the encrypted portion.]
2-2 OpenVPN vs IPSec
OpenVPN:
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec:
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN.
Uses the kernel routing to forward the packets.
[Diagram: the OSI layers (Physical to Application) on both peers; OpenVPN runs at the application layer and the TUN device attaches at layer 3 (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
Bridge tools (brctl) are required to create the virtual adapters.
Need to create a script to bind eth1 and tap0 together into a bridged device called br0.
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: the OSI layers on both peers; OpenVPN runs at the application layer, the TAP device attaches at layer 2 (Data-Link) and is bridged with eth1 into br0, while eth0 carries the tunnel traffic.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Topology diagram: LAN A (10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201. LAN B (10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The client connects to the server and the VPN tunnel links the two LANs; the server also acts as the CA/TLS server.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the ciphers/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified.
It is NECESSARY to specify the server address at the VPN client.
3-2 TUN Server Configuration
Edit the static routing: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (at the client: openvpn --config /etc/openvpn/tunclient.conf &)
Note the 2nd argument of "ifconfig", which is now "10.0.2.254".
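The TUN server/client configuration pair that 3-2 refers to, written out for the 3-1 topology (server 10.0.1.254 in front of LAN A 10.0.1.0/24, client 10.0.2.254 in front of LAN B 10.0.2.0/24) by an added helper script. It is not Moxa's script; the server address 192.168.12.201 the client connects to, the key file name static.key and the AES-128-CBC/SHA1 choices are assumptions.

```shell
#!/bin/sh
# Added example (not a Moxa script): write the OpenVPN 2.0 static-key TUN
# configuration pair for the 3-1 topology.  Assumptions: the client reaches the
# server at $SERVER_ADDR, the pre-shared key made with
# "openvpn --genkey --secret static.key" has been copied to both sides, and
# AES-128-CBC / SHA1 are the chosen cipher and HMAC digest.
SERVER_ADDR=${SERVER_ADDR:-192.168.12.201}
KEY_FILE=${KEY_FILE:-/etc/openvpn/static.key}

# Options common to both sides: tunnel device, transport, key and crypto choices.
common_options() {
    cat <<EOF
dev tun
proto udp
port 1194
secret $KEY_FILE
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Server side: local tunnel IP first, remote tunnel IP second (the "2nd
# argument of ifconfig" on the slide), plus a route to the LAN behind the client.
write_tun_server() {
    {
        echo "# OpenVPN server in front of LAN A (10.0.1.0/24)"
        common_options
        echo "ifconfig 10.0.1.254 10.0.2.254"
        echo "route 10.0.2.0 255.255.255.0"
    } > "$1"
}

# Client side: must name the server address; its ifconfig arguments are the
# server's swapped, and it routes LAN A through the tunnel.
write_tun_client() {
    {
        echo "# OpenVPN client in front of LAN B (10.0.2.0/24)"
        echo "remote $SERVER_ADDR"
        common_options
        echo "ifconfig 10.0.2.254 10.0.1.254"
        echo "route 10.0.1.0 255.255.255.0"
    } > "$1"
}

# Report the two tunnel endpoints a config declares, in its own order.
tunnel_endpoints() {
    sed -n 's/^ifconfig //p' "$1"
}

case "${1:-}" in
    write)
        write_tun_server /etc/openvpn/tunserver.conf
        write_tun_client /etc/openvpn/tunclient.conf
        ;;
esac
```

Running "sh tunconf.sh write" produces the two files the slide edits by hand; IP forwarding and the static routes on the LAN hosts still have to be set up as in 3-1.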
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
Mark this line if both VPN networks are in the same subnet.
3-3 TAP Configuration - VPN Server
Edit the static routing: vi /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Point it to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (at the client: openvpn --config /etc/openvpn/tapclient.conf &)
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set the default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client.
Have the second client certified in the same way.
3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server.
Copy the CA certificate, the client key and the client certificate to the VPN client.
The "easy-rsa" tools also work on the UC7400 series.
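The CA / request / sign / copy steps of 3-4-1 and 3-4-2, done with plain openssl commands so that the result can be checked with openssl verify. This is an added example, neither the CA script nor easy-rsa; the subject names, file names, 2048-bit keys and the 365-day lifetime are assumptions.

```shell
#!/bin/sh
# Added example (not Moxa's CA script nor easy-rsa): build the OpenVPN PKI of
# 3-4-1 / 3-4-2 with plain openssl commands.  Assumptions: RSA keys of $BITS
# bits, certificates valid for $DAYS days, subject names "Training CA",
# "server" and "client"; all files go into the directory given as argument.
# Usage: sh pki.sh build /etc/openvpn/keys
set -eu
DAYS=${DAYS:-365}
BITS=${BITS:-2048}

# Step 1 (CA -newca / build-ca): self-signed CA key pair and root certificate.
build_ca() {
    mkdir -p "$1"
    openssl req -new -x509 -newkey "rsa:$BITS" -nodes -days "$DAYS" \
        -subj "/CN=Training CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Steps 2+3 (CA -newreq then CA -sign, or build-key NAME): the entity's key pair
# and certificate request, then a certificate signed with the CA key.
build_key() {
    dir=$1; name=$2
    openssl req -new -newkey "rsa:$BITS" -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days "$DAYS" -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
}

# build-dh: Diffie-Hellman parameters for the TLS server side (slow to generate).
build_dh() {
    openssl dhparam -out "$1/dh1024.pem" "${2:-1024}" 2>/dev/null
}

# Files each peer receives (the copy steps of 3-4-2): the CA certificate plus
# its own key and certificate, never ca.key and never the other peer's key.
peer_files() {
    echo "$1/ca.crt $1/$2.key $1/$2.crt"
}

# Check that a certificate chains to the given CA certificate; exit status 0 = OK.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

case "${1:-}" in
    build)
        build_ca "$2"
        build_key "$2" server
        build_key "$2" client
        build_dh "$2"
        verify_cert "$2/ca.crt" "$2/server.crt" && echo "server.crt: OK"
        ;;
esac
```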
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier  Model name
ASUS  WL-107g
CNET  CWC-854 (181D version)
Edimax  EW-7108PCg
Amigo  AWP-914WG
Gigabyte  GN-WMKG
Others which use the Ralink chip set
Thank You
Configure 802.11g Wireless LAN
Step 1: Unplug the CardBus wireless LAN card first
Step 2: Configure the default IP setting profile: vi /etc/network/interfaces
root@Moxa:~# vi /etc/network/interfaces
# 802.11g Gigabyte Cardbus wireless card
iface eth0 inet static
    address 192.168.5.127
    network 192.168.5.0
    netmask 255.255.255.0
    broadcast 192.168.5.255
Configure 802.11g Wireless LAN
Step 3: Configure the WLAN parameters: vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
This file is a binary file and is read when the rt2500.o module is loaded
Use vi -b RT2500STA.dat to modify the settings according to your needs:
1) set NetworkType to Adhoc to use Ad-hoc mode, otherwise Infrastructure is used
2) set Channel to 0 for auto-select in Infrastructure mode
3) set SSID to connect to your access point
4) AuthMode can be OPEN, SHARED, WPAPSK, WPANONE
5) EncrypType can be NONE, WEP, TKIP, AES
For more information refer to the Readme file
Configuring 802.11g Wireless LAN
• The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: sets the channels for your particular country region
WirelessMode: sets the wireless mode
SSID: sets the softAP SSID
NetworkType: sets the wireless operation mode
Channel: sets the channel
AuthMode: sets the authentication mode
EncrypType: sets the encryption type
DefaultKeyID: sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: set the strings of Key1 to Key4
WpaPsk: the WPA pre-shared key
TxBurst: enables or disables TxBurst
TurboRate: enables or disables TurboRate
BGProtection: sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: enables or disables the short slot time
TxRate: sets the TxRate
RTSThreshold: sets the RTS threshold
FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
The UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC
The following topics are covered in this appendix:
• Introduction
• Installation Procedure
• Using the BASH Shell
• GDB debug tool: Insight
Windows Tool Chain
1 Operating System: Windows 2000 or Windows XP
2 Minimum of 500 MB hard disk space
3 CD-ROM or equivalent
4 Ethernet to connect with the UC-7400
5 Be able to log in as administrator
6 Use a Windows username without spaces
7 You will be using a BASH shell window to enter commands
8 In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
(Diagram: x86 PC → IXP-422 target)
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP). Installation tips:
• Default install path: C:\UC
• Default text file type: Unix (Recommended)
Utilities:
• Moxa Bash Shell
• GDB debug tool: Insight
• http://sources.redhat.com/insight
• This process could take from 5 to 30 minutes depending on the speed of your system
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain)
Compile/link the source code with the tool chain:
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compiling Hello.c
Step 3: Deployment
Upload the program to the UC:
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 side):
• chmod +x hello-release
• ./hello-release
chmod +x hello-release
./hello-release
Hello
Debugging with GDB
(Diagram, PC and UC linked over Ethernet. PC, Moxa Bash Shell: 1. compile with -ggdb; 3. Insight tool (GDB client); 4. target remote. UC: 2. GDB debug server)
Step 1 (PC, Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC
Step 2 (UC): start hello-debug under gdbserver with the command:
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 3 (PC, Insight): run the GDB client
• Open the hello-debug file
• Connect to target:
• GDB Server/TCP
• 192.168.3.200
• 2000
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1 Quick View of iptables
A user-space command to set up and maintain the "Netfilter" sub-system of the kernel
"Netfilter" manages only the packet headers, not the content
iptables is currently one of many firewall/NAT solutions: it is the administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1 Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table
1 Quick View of iptables
3rd generation firewall on Linux
– "ipfwadm" on Linux kernel V2.0.X
– "ipchains" on Linux kernel V2.2.X
– "ipchains" / "iptables" on Linux kernel V2.4.X
– "iptables" on Linux kernel V2.6.X
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
(Flowchart: a packet is tested against Rule 1, Rule 2, … Rule 10 in order. The first rule that matches (Yes) executes its action (Action 1, Action 2, … Action 10) and processing stops; if no rule matches (No all the way down), the default policy applies)
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all the non-WWW packets
With the order of the first two rules swapped:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
192.168.1.100 is now able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first
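To see the ordering effect concretely, here is a small first-match evaluator added to this section (it is not part of the training deck): it walks a rule list top to bottom the way a Netfilter chain is walked and stops at the first hit, using the two rule orders above. The one-line rule format and the second, harmless host 192.168.1.50 are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the deck): minimal first-match evaluation of a chain.
# A rule is one line "SRC DPORT ACTION"; "any" matches every value. Rules are
# tested top to bottom and the first hit decides, like an iptables chain;
# when nothing matches, the default policy (4th argument) applies.

# Correct order from the slide: block the attacker before the general ACCEPT.
RULES_OK='192.168.1.100 any DROP
any 80 ACCEPT
any any DROP'

# Wrong order from the slide: the WWW ACCEPT now shadows the DROP rule.
RULES_BAD='any 80 ACCEPT
192.168.1.100 any DROP
any any DROP'

# first_match RULESET SRC DPORT DEFAULT_POLICY -> prints the decided action
first_match() {
  ruleset=$1; src=$2; dport=$3; policy=$4
  saved_ifs=$IFS
  IFS='
'
  for rule in $ruleset; do          # one iteration per rule line
    IFS=$saved_ifs
    set -- $rule                    # split "SRC DPORT ACTION" into $1 $2 $3
    if { [ "$1" = any ] || [ "$1" = "$src" ]; } &&
       { [ "$2" = any ] || [ "$2" = "$dport" ]; }; then
      echo "$3"                     # first match wins, later rules are ignored
      return 0
    fi
    IFS='
'
  done
  IFS=$saved_ifs
  echo "$policy"                    # no rule matched: default policy decides
}

# Show both orderings for a WWW request from the attacking host.
demo() {
  echo "correct order, 192.168.1.100 -> port 80: $(first_match "$RULES_OK" 192.168.1.100 80 DROP)"
  echo "wrong order,   192.168.1.100 -> port 80: $(first_match "$RULES_BAD" 192.168.1.100 80 DROP)"
}
```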
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. It is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content
1 INPUT chain – packets entering the local host
2 OUTPUT chain – packets output from the local host
3 FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, i.e. to translate the packet's source field or destination field
1) PREROUTING chain – to translate the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT, OUTPUT and FORWARD chain
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
(Diagram: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process)
2-3-2 Source: Local Host
(Diagram: Local Process → Outgoing Packets → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets)
2-3-3 Forwarded Packets
(Diagram: Incoming Packets → NAT Table PREROUTING → routing decision: either a Local Resource, or Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts)
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R [direction] [match] -j [target]
3 major things need to be considered: the direction (chain), the match and the target
3-3-2 Direction – Chains
a filter table: INPUT, OUTPUT, FORWARD
b nat table: PREROUTING, POSTROUTING, OUTPUT
c mangle table: …
3-3-3 Matches – Conditions
1 -p [proto]: tcp, udp, icmp, all
2 -s [IP], -d [IP]
3 --sport [port], --dport [port]
4 -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5 -m multiport [p1,p2,…,p15]
6 -i [iface], -o [oface]
7 … etc.
3-3-4 Targets – Actions
a filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c mangle table: …
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported rules file (it is not a standard script file). Please refer to the hands-on practice
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 7 – Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC-7110 does not support the target "LOG"
4-1 Packet Filter – Rules of filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 12 – Accept the ESTABLISHED and RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine – Rules of nat table
Example 1 – Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 leaving via ppp0 with the local ppp0's IP (MASQUERADE is only valid in the PO S T ROUTING chain, where the outgoing interface is matched with -o)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) on TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
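As an added example (not the deck's hands-on script), the rules above collected into the kind of maintainable script that section 3-4 recommends; the interface names, the LAN 192.168.1.0/24, the blocked host 192.168.1.100 and the uplink ppp0 are assumptions, and `IPT=echo` dry-runs the rules without touching the kernel.

```sh
#!/bin/sh
# Added example, not the deck's own script: the hands-on filter and NAT rules
# collected into a maintainable script, as section 3-4 recommends instead of
# keeping an exported rule dump. Assumed lab values: eth0 is the untrusted
# interface, ppp0 the uplink to masquerade, 192.168.1.0/24 the LAN and
# 192.168.1.100 the host to block. Run with IPT=echo to dry-run the rules.
IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-eth0}
PPP_IF=${PPP_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
BAD_HOST=${BAD_HOST:-192.168.1.100}

# Module names of the 2.4 kernel used on the UC-7400 (see hands-on example 14).
load_modules() {
  modprobe ip_tables
  modprobe ip_conntrack
  modprobe ip_conntrack_ftp   # lets the RELATED rule follow passive FTP data
}

# Start from a known state: open policies, flush the built-in chains and
# delete user-defined chains in all three tables.
reset_rules() {
  for t in filter nat mangle; do
    $IPT -t $t -F
    $IPT -t $t -X
  done
  for c in INPUT FORWARD OUTPUT; do
    $IPT -t filter -P $c ACCEPT
  done
}

# filter table. First match wins (section 2-1), so the per-host DROP sits
# before every ACCEPT that could otherwise let that host through.
filter_rules() {
  $IPT -t filter -P INPUT DROP     # default policy: drop what no rule accepts
  $IPT -t filter -P FORWARD DROP
  $IPT -t filter -P OUTPUT ACCEPT
  $IPT -t filter -A INPUT -i lo -j ACCEPT                                     # example 1
  $IPT -t filter -A INPUT -i $WAN_IF -s $BAD_HOST -j DROP                     # blocked host first
  $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT      # example 12
  $IPT -t filter -A INPUT -m state --state INVALID -j DROP
  $IPT -t filter -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT              # WWW service
  $IPT -t filter -A INPUT -i $WAN_IF -p tcp -s $LAN_NET --dport 137:139 -j ACCEPT   # example 6
  $IPT -t filter -A INPUT -i $WAN_IF -p tcp --dport 21 -j DROP                # example 5, explicit
  $IPT -t filter -A INPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP: "      # example 7, no LOG on UC-7110
  $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT   # example 11
  $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# nat table: REDIRECT belongs in PREROUTING, MASQUERADE only in POSTROUTING
# (section 3-3-4).
nat_rules() {
  $IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j REDIRECT --to-ports 8080   # NAT example 1
  $IPT -t nat -A POSTROUTING -s $LAN_NET -o $PPP_IF -j MASQUERADE                      # NAT example 2
}

enable_forwarding() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

apply_all() {
  load_modules
  reset_rules
  filter_rules
  nat_rules
  enable_forwarding
}

# Only touch the kernel when asked explicitly: sh firewall.sh apply
if [ "${1:-}" = apply ]; then
  apply_all
fi
```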
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can gain knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties
DES / 3DES / AES / Blowfish
(Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back to the plaintext)
1-3 Hash (Digest) Function
Ensures data integrity
MD5 / SHA-1
(Diagram: Tom runs the data through the hash function to get Message Digest 1 and sends data + Message Digest 1 to Bob; Bob runs the same hash function over the received data to get Message Digest 2 and compares it with Message Digest 1)
1-4 Message Authentication Code
Ensures data integrity
Uses a key to protect the MAC
HMAC / CBC-MAC
(Diagram: Tom hashes the data into Message Digest 1 and encrypts it with the secret key to form the MAC; he sends MAC + data. Bob hashes the received data into Message Digest 2, decrypts the MAC with the same secret key to recover Message Digest 1, and compares the two)
1-5 Asymmetric Encryption
Things to remember:
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key. When a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA / Diffie-Hellman
1-5 Asymmetric Data Encryption
(Diagram, confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. The recipient's key pair is used)
1-5 Asymmetric Data Encryption
(Diagram, authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. The sender's key pair is used)
1-6 Digital Signature
Real world – hybrid:
1 Data integrity
2 Authenticity
3 Non-repudiation
4 Algorithm – uses the public key and a hash
1-6 Digital Signature – Creating
(Diagram: the message or file, "This is the document created by Gianni", is run through a one-way message digest function (hash: SHA, MD5) to calculate a short message digest (typically 128 bits) even from a long input; the digest is encrypted asymmetrically (RSA) with the signatory's private key, giving the digital signature; the signed document is the message plus the digital signature)
1-6 Digital Signature – Verifying
(Diagram: from the signed document, the message is hashed again to generate a message digest; the digital signature is decrypted asymmetrically with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared)
1-6 Digital Signature
(Diagram: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key to form the digital signature, sent together with the data; Bob hashes the received data into Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two)
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
(Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything …)
1-7-1 CA Certificate
(Diagram, certification server: the CA generates a key pair (priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS, the CA's digital signature); the private key and the certificate are sent to the user)
1-7-1 CA Certificate Example
(Diagram: the CA private key signs the Left certificate and the Right certificate, and the CA public key itself is signed by the CA. Left holds its private key, its certificate signed by the CA and the CA public key; Right holds the same for its side. Because each can check the other's certificate with the CA public key, Left and Right trust each other)
1-7-2 SSL/TLS
(Diagram: each side holds a key pair (priv, pub). Clear text is encrypted into Cipher 1 and Cipher 2 for transmission over the public network; at the receiving side Cipher 2 and Cipher 1 are decrypted with the corresponding keys back to the clear text)
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel Xscale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
(Charts: throughput and rate versus packet size in bytes, over 128 to 1280 bytes and over 16 to 144 bytes, for 3DES-CBC and AES128-CBC, software versus hardware cipher; the hardware cipher series is marked in the legend)
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• ./io: correctness test
• ./io 0 5000: stability test
• ./io 1: golden pattern
• ./io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000-SP4 / Windows XP-SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Makes use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
HMAC | IV | SeqN | IP payload, where SeqN and the IP payload are encrypted and the HMAC is computed over the IV and the encrypted part
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• portability across operating systems
• firewall- and NAT-friendly
• dynamic address support
IPSec
• Kernel-space IP stack
• each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
(Diagram: two OSI stacks, Physical through Application, with OpenVPN at the application layer and the TUN device attached at the 3rd (network) layer)
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of MTU for efficiency
Routed IP disadvantages:
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see those machines on the other side of the VPN
4 Works only with IPv4 in general, and IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
(Diagram: two OSI stacks with OpenVPN at the application layer; TAP attaches at the 2nd (data-link) layer, unlike TUN at the 3rd; each side is labelled with eth0, eth1 and tap0, the latter two bridged)
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1 Point to point, point to multi-point
2 Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1 Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
(Lab topology: LAN A, host IP 10.0.1.1/24 with gateway 10.0.1.254, sits behind the [VPN Server], whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201. LAN B, host IP 10.0.2.1/24 with gateway 10.0.2.254, sits behind the [VPN Client], whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The VPN tunnel connects the two ixp0 addresses; a [CA/TLS Server] is also shown)
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the ciphers/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun-server.conf
[At VPN Client] vi /etc/openvpn/tun-client.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routings: vi /etc/openvpn/tun-server.sh
chmod +x /etc/openvpn/tun-server.sh
[At VPN Client] vi /etc/openvpn/tun-client.sh; chmod +x /etc/openvpn/tun-client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun-server.conf &
[At VPN Client] openvpn --config /etc/openvpn/tun-client.conf &
(Callout on the configuration screenshot: the 2nd argument of "ifconfig", which is now "10.0.2.254")
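As an added example (not the deck's tun-server.conf / tun-client.conf), the two requirements above written out for the 3-1 lab topology: a static-key TUN server/client pair in which the client names the server and the ifconfig addresses of the two sides mirror each other, plus a check that rejects a client file missing its remote line or with the addresses swapped. The tunnel addresses 10.9.0.1/10.9.0.2, UDP port 1194 and the key path are assumptions.

```sh
#!/bin/sh
# Added example, not the deck's own tun-server.conf / tun-client.conf:
# a static-key TUN pair for the lab of 3-1 (VPN server at 192.168.12.201
# in front of LAN A 10.0.1.0/24, client in front of LAN B 10.0.2.0/24).
# Assumptions: tunnel endpoints 10.9.0.1/10.9.0.2, UDP port 1194, and the
# key made with "openvpn --genkey --secret" stored at KEY_FILE.
SERVER_PUBLIC_IP=192.168.12.201
TUN_SERVER_IP=10.9.0.1
TUN_CLIENT_IP=10.9.0.2
KEY_FILE=/etc/openvpn/static.key

# Server side: local and remote tunnel addresses, and a route to LAN B.
tun_server_conf() {
  cat <<EOF
dev tun
proto udp
port 1194
# local tunnel address first, the peer's address second
ifconfig $TUN_SERVER_IP $TUN_CLIENT_IP
secret $KEY_FILE
# LAN B is reached through the tunnel
route 10.0.2.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Client side: must name the server (remote) and mirror the ifconfig pair.
tun_client_conf() {
  cat <<EOF
dev tun
proto udp
remote $SERVER_PUBLIC_IP 1194
ifconfig $TUN_CLIENT_IP $TUN_SERVER_IP
secret $KEY_FILE
# LAN A is reached through the tunnel
route 10.0.1.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# conf_value CONF_TEXT DIRECTIVE -> prints the directive's arguments ("" if absent)
conf_value() {
  printf '%s\n' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# check_pair SERVER_CONF CLIENT_CONF -> 0 when the two files agree:
# the client has a remote line, both carry ifconfig and the same secret,
# and each side's local address is the other side's remote address.
check_pair() {
  s=$1; c=$2
  [ -n "$(conf_value "$c" remote)" ] || { echo "client: remote missing"; return 1; }
  s_if=$(conf_value "$s" ifconfig)
  c_if=$(conf_value "$c" ifconfig)
  { [ -n "$s_if" ] && [ -n "$c_if" ]; } || { echo "ifconfig missing"; return 1; }
  [ "${s_if%% *}" = "${c_if#* }" ] && [ "${s_if#* }" = "${c_if%% *}" ] ||
    { echo "ifconfig addresses are not mirrored"; return 1; }
  [ "$(conf_value "$s" secret)" = "$(conf_value "$c" secret)" ] ||
    { echo "different key files"; return 1; }
  return 0
}

# write_pair DIR: write both files under DIR, e.g. /etc/openvpn
write_pair() {
  tun_server_conf > "$1/tun-server.conf"
  tun_client_conf > "$1/tun-client.conf"
}
```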
Create the TAP configuration files: vi /etc/openvpn/tap-server.conf
[At VPN Client] vi /etc/openvpn/tap-client.conf
3-3 TAP Configuration – VPN Server
(Callout on the configuration screenshot: mark this line if both VPN networks are in the same subnet)
3-3 TAP Configuration – VPN Server
Edit the static routings: vi /etc/openvpn/tap-server.sh
[At VPN Client] vi /etc/openvpn/tap-client.sh; chmod +x /etc/openvpn/tap-client.sh
(Callout: pointed to the kernel routing, br0 = 10.0.1.254)
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap-server.conf &
[At VPN Client] openvpn --config /etc/openvpn/tap-client.conf &
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits, … etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Repeat the request and signing steps to certify the second client
3-4-2 OpenVPN – "easy-rsa" tools
Copy the "easy-rsa" directory to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN Server private key and certificate: /etc/openvpn/easy-rsa/build-key server
Create the VPN Client private key and certificate: /etc/openvpn/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN Server
Copy the CA certificate, the client key and the client certificate to the VPN Client
The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live Demo

UC-7420 DEMO BOX
- Two of its serial ports are connected to a power meter and a thermocouple.
- Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
- The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's throughput and reliability.

Demo Box Features
Software Block Diagram (figure not reproduced)
- Temperature range: 0 to 500 °C
- Voltage: left side for the high range (0 to 300 VDC), right side for the low range (0 to 20 VDC)

UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN IP → Wi-Fi IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration key
F5 Main menu

Apache Web with CGI & HTML
- Seat Locating System
- Score Query System
Appendix

What is the wireless PCMCIA card support status in 802.11g?
- The UC-7420's built-in wireless driver supports PCMCIA cards with the Intersil Prism 2.0 chipset.
- The compatible 802.11g wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset

Thank You
Configure 802.11g Wireless LAN

vi /etc/Wireless/RT2500STA/RT2500STA.dat
Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat.
It is a binary file and is read when the rt2500.o module is loaded, so edit it with "vi -b RT2500STA.dat" and adjust the settings to your needs:
1) Set NetworkType to Adhoc for ad-hoc mode, otherwise use infrastructure mode.
2) Set Channel to 0 for auto-select in infrastructure mode.
3) Set SSID to the SSID of the access point you want to join.
4) AuthMode can be OPEN, SHARED, WPAPSK or WPANONE.
5) EncrypType can be NONE, WEP, TKIP or AES.
For more information refer to the README file.

Step 3: Configure the WLAN parameters
vi /etc/Wireless/RT2500STA/RT2500STA.dat

Configuring 802.11g Wireless LAN
The settings in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion - sets the channels for your particular country/region
WirelessMode - sets the wireless mode
SSID - sets the SSID of the network to join
NetworkType - sets the wireless operation mode
Channel - sets the channel
AuthMode - sets the authentication mode
EncrypType - sets the encryption type
DefaultKeyID - sets the default WEP key ID
Key1Str, Key2Str, Key3Str, Key4Str - set the strings of WEP keys 1 to 4
WpaPsk - the WPA pre-shared key
TxBurst - enables or disables TxBurst
TurboRate - enables or disables TurboRate
BGProtection - sets 11b/11g protection (this function is for engineering testing only)
ShortSlot - enables or disables the short slot time
TxRate - sets the TxRate
RTSThreshold - sets the RTS threshold
FragThreshold - sets the fragment threshold

Security note on the AuthMode/EncrypType choice: OPEN with NONE sends everything in the clear, and SHARED (WEP shared-key authentication) and WEP encryption are broken and give no real protection. Use AuthMode=WPAPSK with EncrypType=AES and a long, random WpaPsk; TKIP is only a fallback for access points that cannot do AES. The pre-shared key is stored in RT2500STA.dat in the clear, so keep the file readable by root only.
Developing Your Application

Windows Tool Chain

Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB

Windows Tool Chain Introduction
The UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
- Introduction
- Installation procedure
- Using the BASH shell
- GDB debug tool: Insight

Windows Tool Chain requirements
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Ability to log in as administrator
6. A Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. For editing text files such as configuration files, use the vi editor (Unix editor). Do NOT use WordPad (a Windows editor), which writes CR/LF line endings and could cause problems when the files are transferred to a real Linux environment.
Development Process
Step 1: Set up the development environment on the PC
Step 2: Code, compile and debug on the Windows Tool Chain (x86)
Step 3: Deploy the program to the UC (IXP-422)

Step 1: Setting up the development environment
Install the Windows Tool Chain on the PC (Windows 2K/XP).
Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities:
- Moxa Bash Shell
- GDB debug tool: Insight (http://sources.redhat.com/insight)
This process could take from 5 to 30 minutes depending on the speed of your system.

Step 2: Coding, compiling and debugging (x86)
Write the C/C++ program in the Moxa Bash Shell (PC, Windows Tool Chain).
Compile and link the source code with the tool chain:
- Compiler path setting: PATH=/usr/local/mxscaleb/bin
- Compile hello.c

Step 3: Deployment
Upload the program to the UC over Ethernet:
- ftp 192.168.3.127
- ftp> binary
- ftp> put hello-release
Run the program (at the UC-7400 side):
- chmod +x hello-release
- ./hello-release
Output: Hello

Note that FTP sends the login password and the binary in the clear. The UC-7400 firmware ships sshd, so on anything but an isolated lab network copy the binary with scp over SSH instead, and disable the FTP server when it is not needed.
Debugging with GDB
Flow: (1) on the PC Moxa Bash Shell, compile with -ggdb; (2) on the UC, start the G

DB debug server; (3) on the PC, run the Insight tool (GDB client); (4) connect Insight to the remote target over Ethernet.

At the UC:
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206

Step 1: PC Moxa Bash Shell: compile the program with the -ggdb option, then upload it to the UC.
Step 2: UC: call hello-debug with the command
gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC Insight: run the GDB client
- Open the hello-debug file
- Connect to target: GDB Server/TCP, hostname = the UC's IP address (192.168.3.127 in the deployment step above), port 2000

gdbserver accepts the first connection on that TCP port with no authentication, and whoever connects controls the debugged process (reading its memory, changing variables, running arbitrary code with its privileges). Use it only on an isolated development network or restrict port 2000 to the PC's address with iptables, and stop it when the debugging session ends.
iptables Introduction

Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1. Quick View of iptables
- A user-space command to set up and maintain the "Netfilter" subsystem of the kernel.
- Netfilter matches on packet headers (and connection state), not on application content.
- iptables is currently one of many firewall/NAT solutions: an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
- Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
- Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
- 3rd-generation firewall on Linux:
  "ipfwadm" on Linux kernel 2.0.x
  "ipchains" on Linux kernel 2.2.x
  "ipchains"/"iptables" on Linux kernel 2.4.x
  "iptables" on Linux kernel 2.6.x
- Supports basic packet filtering as well as connection state tracking (stateful inspection).
- UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine

2-1 First Match: the highest priority
A packet is tested against Rule 1, Rule 2, ... Rule 10 in order. The first rule that matches decides (Action 1, Action 2, ... Action 10) and no later rule is consulted; if no rule matches, the chain's default policy applies.

2-1 First Match example
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets

The same rules in a different order:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
Now 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches its requests before Rule 2 is ever reached.
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table

2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain: packets destined for the local host
2. OUTPUT chain: packets generated by the local host
3. FORWARD chain: packets routed through the host to other hosts

2-2-2 NAT Table
Used for Network Address Translation: rewriting the source or destination address of packets. Only the first packet of a connection traverses this table; the connection tracker then applies the same translation to the rest of the connection.
1) PREROUTING chain: rewrite the destination IP address before the routing decision (DNAT)
2) POSTROUTING chain: works after the routing decision and before the packet leaves the Ethernet device; rewrite the source IP address (SNAT, MASQUERADE)
3) OUTPUT chain: DNAT for locally generated packets

2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" packets for use by routing or later rules.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: local host
2-3-2 Source: local host
2-3-3 Forwarded packets
2-3-4 State machine

2-3-1 Destination: local host
Incoming packets -> NAT table PREROUTING -> routing decision -> filter table INPUT -> local process

2-3-2 Source: local host
Local process -> NAT table OUTPUT -> filter table OUTPUT -> NAT table POSTROUTING -> send out packets

2-3-3 Forwarded packets
Incoming packets -> NAT table PREROUTING -> routing decision -> filter table FORWARD -> NAT table POSTROUTING -> other hosts
Forwarded packets never pass the INPUT or OUTPUT chains; a rule that should protect hosts behind the box belongs in FORWARD.

2-4 State Machine
The connection tracker classifies every packet into one of four states, which the "state" match tests: NEW (the first packet of a connection), ESTABLISHED (belongs to a connection that has seen traffic in both directions), RELATED (a new connection expected from an existing one, for example an FTP data channel), INVALID (cannot be associated with any known connection).
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules

3-1 Load iptables Modules
Load the netfilter kernel modules before adding rules: the core ip_tables module, the table modules (iptable_filter, iptable_nat, iptable_mangle) and, for the state match and NAT, the connection tracker (ip_conntrack). Extra matches and targets (limit, mac, LOG, ...) live in their own modules; iptables normally autoloads them when a rule needs them.
Note: ipchains and iptables are not compatible and cannot be loaded at the same time.

Check the current tables:
iptables [-t table] -L -n
(-n prints addresses and ports numerically; -v adds packet counters and interface names.)

Clear the current rules and policy:
iptables [-t table] -F (flush all rules), iptables [-t table] -X (delete user-defined chains), then set the policy with -P. Flushing leaves the policy in place, so flush a table whose policy is DROP only from the console or after adding a rule that accepts your own session.

3-2 Define Default Policy
iptables -t [filter | nat | mangle] -P [INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING] [ACCEPT | DROP]
The policy applies to built-in chains only and is the action taken when no rule in the chain matches (see 2-1). A default-deny stance (INPUT and FORWARD DROP, then explicit ACCEPT rules) is the safer starting point; the nat table keeps ACCEPT, since only the first packet of each connection passes through it.
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace
iptables -t [filter | nat | mangle] [-A | -I | -D | -R] <chain> <matches> -j <target>
Three major things need to be considered: the direction (chain), the match conditions and the target (action). -A appends the rule at the end of the chain, -I inserts it at the top (or at a given rule number), -D deletes and -R replaces a rule; with first-match semantics (2-1) the choice between -A and -I decides whether a new rule is consulted before or after the existing ones.

3-3-2 Direction: chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD

3-3-3 Matches: conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP] (a single address or a network such as 192.168.1.0/24)
3. --sport [port], --dport [port] (a single port or a range port1:port2; requires -p tcp or -p udp)
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --source-ports/--destination-ports [p1,p2,...,p15]
6. -i [iface] (only in INPUT, FORWARD, PREROUTING), -o [oface] (only in OUTPUT, FORWARD, POSTROUTING)
7. ... etc.

3-3-4 Targets: actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions LOG, ULOG, REJECT, MIRROR
   LOG does not terminate rule processing: the packet continues to the next rule, so a LOG rule needs a following ACCEPT or DROP rule (or the chain policy) to decide its fate.
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (only in POSTROUTING; meant for interfaces with a dynamic address such as ppp0), REDIRECT (only in PREROUTING/OUTPUT)
c. mangle table: MARK, TOS, ...

3-4 Save/Restore Rules
iptables-save writes the complete current ruleset to standard output and iptables-restore loads such a file back atomically. It is highly recommended to use a script file to maintain the Netfilter rules instead of this exported file (it is not a standard script file and is hard to review and comment); please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine

4-1 Packet Filter: rules of the filter table
Example 1: Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT

Example 2: Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT

Example 3: Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT

Example 4: Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
(Appended after Example 3 this rule never fires: 192.168.1.25 is inside 192.168.1.0/24 and Example 3 accepts it first. Insert the DROP rule before the network ACCEPT, see 2-1.)

Example 5: Drop all the incoming TCP packets with destination port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP

Example 6: Accept TCP packets incoming from 192.168.0.0/24 to the local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT

Example 7: Log all the incoming TCP packets to port 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
LOG is non-terminating: after the kernel log entry the packet continues to the next rule, so a separate ACCEPT or DROP rule for port 25 is still needed. Logging outgoing SMTP packets needs a second rule in the OUTPUT chain with --sport 25. Without a rate limit (-m limit) a packet flood fills the log.
Note: UC-7110 does not support the target "LOG".

Example 8: Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP

Example 9: Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
(The mac match sees the source MAC of the frame on the directly attached segment only; anything coming through a router arrives with the router's MAC.)

Example 10: Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
(ICMP type 8 is echo-request; the name echo-request can be used instead of the number.)

Example 11: ICMP "ping" burst: accept at most 6 pings per minute with a burst of 10, the rest are dropped by the policy
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT

Example 12: Accept the ESTABLISHED/RELATED packets of the local host, drop the INVALID packets and the NEW packets which are trying to create new connections
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
(Rules that accept wanted NEW connections, for example to port 22 from the LAN, must be placed before the second rule.)

Example 13: Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
(The "unclean" match is an experimental 2.4 module that is not in every kernel; if iptables reports that the match cannot be found, the kernel does not have it.)

Example 14: Enable "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
(ip_conntrack_ftp watches the FTP control channel and marks the data connection RELATED; for an FTP server running on the firewall itself the RELATED rule belongs in the INPUT chain.)

4-2 NAT Machine: rules of the nat table
Example 1: Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Example 2: Masquerade the packets from 192.168.1.0/24 that leave through ppp0 as the local ppp0 IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
(MASQUERADE and the -o match are only valid in the POSTROUTING chain; in PREROUTING the outgoing interface is not yet known.)

Example 3: DNAT the incoming packets arriving on eth0 for 60.248.66.75, TCP port 80, to the internal web server 192.168.127.10, port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80

Example 4: SNAT the packets from 192.168.127.0/24 to the external address $OUT_IP (set OUT_IP to the eth0 address in the script)
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
(DNAT in Example 3 only rewrites the destination; the filter table's FORWARD chain must still accept the translated packets to 192.168.127.10, and IP forwarding must be enabled.)
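The filter and NAT examples above are single commands; the recommendation in 3-4 is to keep the ruleset in a script. The script below is an added example, not from the Moxa slides, that combines them into one default-deny firewall for a UC-7400 acting as gateway. It assumes ixp0 is the outside interface and ixp1 the LAN side 192.168.127.0/24 (the interface names come from the topology drawing in 3-1, the addresses from Examples 3 and 4); WEB_SERVER, ATTACKER and the SSH rule are illustrative. IPT defaults to the real iptables binary; IPT="echo iptables" prints the rules instead of loading them, which is how the first-match ordering can be checked on a PC before touching the device.

```shell
#!/bin/sh
# Added example: default-deny firewall + NAT gateway script for a UC-7400.
# Assumptions (not from the slides): ixp0 = outside, ixp1 = LAN 192.168.127.0/24,
# a published web server at 192.168.127.10, SSH allowed only from the LAN.
# Set IPT="echo iptables" for a dry run that prints the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ixp0}"
LAN_IF="${LAN_IF:-ixp1}"
LAN_NET="${LAN_NET:-192.168.127.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.127.10}"
ATTACKER="${ATTACKER:-192.168.1.100}"

# Flush rules and user chains in every table; the policies are left in place.
flush_all() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

# Default-deny for traffic to the box and through it; the box itself may talk out.
set_default_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Rules for traffic addressed to the UC itself (filter/INPUT).
host_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # First match (2-1): the blacklist entry must come before the broad accepts.
    $IPT -A INPUT -s "$ATTACKER" -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # New SSH sessions only from the LAN side.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Answer ping, but rate-limited (Example 11); excess echo requests are dropped.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # LOG is non-terminating: log rate-limited, then fall through to the DROP policy.
    # (UC-7110 has no LOG target: delete this line there.)
    $IPT -A INPUT -p tcp --syn -m limit --limit 1/s -j LOG --log-prefix "fw-input-drop: "
}

# Rules for traffic routed through the UC (filter/FORWARD).
forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections to the outside.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # The DNAT below only rewrites the address; FORWARD must still admit the translated packet.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

# NAT: publish the web server (Example 3) and masquerade the LAN (Examples 2 and 4).
nat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_all() {
    flush_all
    set_default_policy
    host_rules
    forward_rules
    nat_rules
}

# Dry-run helpers: print the rules as they would be issued, and count them.
dry_run() { ( IPT="echo iptables"; apply_all ); }
count_rules() { dry_run | grep -c ' -A '; }

if [ "${1:-}" = apply ]; then
    apply_all
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run "sh fw.sh apply" on the UC from the console (the INPUT policy goes to DROP before the SSH rule is loaded), or just "sh fw.sh" after setting IPT="echo iptables" to review the order. Note the difference from a naive reading of the hands-on examples: the attacker DROP is appended before the stateful ACCEPT, the LOG rule is last so it logs only what the policy will drop, and MASQUERADE appears only in POSTROUTING.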
Thank You

OpenVPN 2.0
Stephen Lin

OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does cryptography solve?
Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
Integrity
- Ensure that the message has not been modified during transmission.
Authenticity
- You can verify that you are talking to the entity you think you are talking to.
- You can verify who is the specific individual behind that entity.
Non-repudiation
- The individual behind that asset cannot deny being associated with it.

1-2 Symmetric Data Encryption
- Fast, high efficiency for data transmission.
- Is it "secure" while transferring the key? The same secret key encrypts and decrypts, so it has to reach both parties over a channel the attacker cannot read.
- Maintenance of the keys: n parties need n(n-1)/2 keys for pairwise secrecy.
- Algorithms: DES, 3DES, AES, Blowfish. Single DES (56-bit key) is brute-forceable and should not be used for new deployments.
Tom encrypts the plaintext with the secret key into the ciphertext; Bob decrypts the ciphertext with the same secret key back into the plaintext.

1-3 Hash (Digest) Function
- Ensures data integrity: a short, fixed-length digest of an input of any length, from which the input cannot be recovered and for which it is infeasible to find another input with the same digest.
- MD5, SHA-1. Both are now broken for collision resistance (MD5 since 2004, SHA-1 since 2017); use SHA-256 or better where collision resistance matters.
Tom: Data -> Hash Function -> Message Digest 1; sends Data + Message Digest 1.
Bob: Data -> same Hash Function -> Message Digest 2; compares Digest 2 with the received Digest 1.
A bare digest only detects accidental corruption: an attacker who changes the data can recompute the digest as well.

1-4 Message Authentication Code
- Ensures data integrity and authenticity of origin.
- Uses a secret key to protect the MAC, so only a holder of the key can produce a valid one.
- HMAC, CBC-MAC.
Tom: Data -> keyed Hash Function (secret key) -> MAC; sends Data + MAC.
Bob: Data -> same keyed function -> MAC 2; compares it with the received MAC.
Note: HMAC is a keyed hash, not an encryption of the digest, even though the diagram labels the step "Encryption".

1-5 Asymmetric Encryption
Things to remember:
- Key pair: public/private keys.
- In a session one key is used for encryption and the other one for decryption.
- The "public key" can be deployed everywhere.
- The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even with access to clear text and cipher text.
- For RSA the two keys are mathematically interchangeable: when a key pair is generated either of the two can become the public one. This is a property of RSA, not of every algorithm (Diffie-Hellman and DSA keys do not work this way).
- Much less efficient than symmetric encryption, which is why it is used to exchange or protect symmetric keys rather than to encrypt bulk data.
- RSA, Diffie-Hellman.
1-5 Asymmetric Data Encryption: confidentiality check
Tom encrypts the plaintext with Bob's public key; only Bob can decrypt the ciphertext, with Bob's private key (recipient's key pair).

1-5 Asymmetric Data Encryption: authenticity check
Tom encrypts the plaintext with Tom's private key; anyone can decrypt it with Tom's public key, which proves it came from Tom (sender's key pair).
1-6 Digital Signature
Real world: a hybrid of the previous mechanisms
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: uses the public-key algorithm together with a hash

1-6 Digital Signature: creating
1. Calculate a short message digest from the (possibly long) input using a one-way message digest function (hash): SHA or MD5. The digest is 128 bits for MD5 and 160 bits for SHA-1.
2. Apply the asymmetric private-key operation (RSA) to the digest with the signatory's private key; the result is the digital signature.
3. The signed document is the message or file together with its digital signature.

1-6 Digital Signature: verifying
1. Recompute the message digest of the received message or file with the same hash.
2. Apply the public-key operation (RSA) to the signature with Gianni's public key (taken from his certificate) to recover the digest the signer computed.
3. Compare the two digests: equal means the document is unchanged and was signed by the holder of the private key.

Tom: Data -> Hash Function -> Message Digest 1 -> private-key operation with Tom's private key -> Digital Signature; sends Data + Digital Signature.
Bob: Data -> Hash Function -> Message Digest 2; Digital Signature -> public-key operation with Tom's public key -> Message Digest 1; compares the two digests.
Because the signer's private key is never shared, a valid signature also gives non-repudiation, which a MAC cannot: every holder of a MAC key can produce the same MAC.
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key ("This public key belongs to Stephen"; the entity can be a person, a computer, a device, a file, some code, anything)
... and the whole is
- Digitally signed by someone trusted (like your friend or a CA).

1-7-1 CA Certificate
1. The CA generates its own key pair and a self-signed CA certificate (the CA's public key signed with the CA's private key).
2. A user requests a certificate from the CA (certification server). In the flow drawn on the slide the CA generates the user's key pair, then the private key and the certificate are sent to the user; with the easy-rsa flow in 3-4-2 the key pair is generated where it is used and only the certificate request travels to the CA.
3. The CA generates the certificate: the user's public key and identity, signed with the CA's private key.
A private key that is shipped by the CA has to travel over a secure channel, and the CA's copy should be deleted afterwards.

1-7-1 CA Certificate example
The CA private key signs: the CA certificate (CA public key signed by the CA), Left's certificate (Left's public key signed by the CA) and Right's certificate (Right's public key signed by the CA).
Left holds: Left's private key, Left's certificate, the CA public key.
Right holds: Right's private key, Right's certificate, the CA public key.
Left and Right trust each other's certificate because each can verify the CA's signature with the CA public key they both hold. What the CA signs is always the certificate (public key plus identity), never a private key.

1-7-2 SSL/TLS
Each side holds a private key and the other side's public key (from its certificate). Clear text is encrypted into Cipher 1 / Cipher 2 for transmission over the public network and decrypted again on the far side.
- Ensures confidentiality,
- and integrity, if digitally signed.
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation. A certificate signed by a CA both sides trust binds the public key to the peer's identity; a public key that merely arrives over the network proves nothing about who sent it.
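An added example, not from the slides, that runs the three mechanisms of 1-3, 1-4 and 1-6 with the openssl command line (the UC-7400 ships OpenSSL, see 1-8). A constructed sample message stands in for data from the demo box; the key names, the shared secret and the scratch directory are assumptions. It shows what each mechanism does and does not catch: an attacker who can change the data can also recompute a plain digest, but cannot recompute the HMAC without the shared key, and cannot produce a valid signature without Tom's private key.

```shell
#!/bin/sh
# Added example: digest vs. HMAC vs. digital signature with the openssl CLI.
# Constructed sample data and assumed key names; WORK is a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed sample message (not real meter data).
write_sample() {
    printf 'UC-7420 site A: meter=231.4V temp=87.2C seq=1001\n' > "$WORK/msg.txt"
}

# An attacker's modification: replay with a bumped sequence number.
tamper() { sed 's/seq=1001/seq=1002/' "$1" > "$2"; }

# 1-3: plain digest (SHA-256 rather than MD5/SHA-1, which are collision-broken).
digest_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# 1-4: HMAC over the file with a shared secret; only key holders can compute it.
hmac_of() { openssl dgst -sha256 -hmac "$1" "$2" | awk '{print $NF}'; }

# 1-6: Tom's RSA key pair; the public key is what Bob (or a certificate) holds.
keygen() {
    openssl genrsa -out "$WORK/tom.key" 2048 2>/dev/null
    chmod 600 "$WORK/tom.key"
    openssl rsa -in "$WORK/tom.key" -pubout -out "$WORK/tom.pub" 2>/dev/null
}

# sign_file FILE SIG: hash FILE, then apply the private-key operation to the digest.
sign_file() { openssl dgst -sha256 -sign "$WORK/tom.key" -out "$2" "$1"; }

# verify_file FILE SIG: recompute the digest and check it against the signature
# with the public key. Exit status 0 = "Verified OK", non-zero = failure.
verify_file() {
    openssl dgst -sha256 -verify "$WORK/tom.pub" -signature "$2" "$1" >/dev/null 2>&1
}

demo() {
    write_sample
    keygen
    tamper "$WORK/msg.txt" "$WORK/msg2.txt"
    echo "digest original: $(digest_of "$WORK/msg.txt")"
    echo "digest tampered: $(digest_of "$WORK/msg2.txt")   (attacker can recompute this)"
    echo "hmac   original: $(hmac_of sharedsecret "$WORK/msg.txt")"
    echo "hmac   tampered: $(hmac_of sharedsecret "$WORK/msg2.txt")   (attacker lacks the key)"
    sign_file "$WORK/msg.txt" "$WORK/msg.sig"
    verify_file "$WORK/msg.txt" "$WORK/msg.sig" && echo "signature on original: Verified OK"
    verify_file "$WORK/msg2.txt" "$WORK/msg.sig" || echo "signature on tampered: Verification Failure"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it with "sh crypto_demo.sh run". The digest of the tampered file is different, but nothing stops the attacker from sending the new digest along with the new data; the HMAC and the signature are the checks that actually bind the data to a key holder.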
1-8 Moxa UC7400: Hardware Cipher
Intel XScale supports:
- Security engines: DES, AES
- Block modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source code; applications linked against OpenSSL use the hardware path automatically.

1-8-1 Moxa Accelerated Algorithms: OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too.

1-8-2 Performance
(Charts not reproduced. Four plots: 3DES-CBC and AES-128-CBC throughput against packet size from 128 to 1280, and the same two ciphers for small packets from 16 to 144, each with the software/hardware RATE curve and the hardware-cipher points marked.)

1-8-3 Things to be noticed
The Moxa UC-7400 switches operations between the software and the hardware approach:
- Default: hardware approach.
- Any misconfiguration, or a busy hardware engine, causes a switch to software.
- Small packets are handled in software: DES below 128 bytes, 3DES/AES below 64 bytes.
Because the fallback is transparent, a benchmark that looks too slow usually means the driver or the device node is missing and everything runs in software; the result is still correct, only slower.

1-8-4 Software Package
Driver:
- mxhw_cipher.o
Device file:
- mknod /dev/mxcrypto c 11 131
Test program:
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes

2-1 Virtual Private Network: advantages/disadvantages
- VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
- A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH etc. do).
- A VPN allows the usage of protocols which are insecure by themselves.
- VPNs cannot be controlled and logged easily because of their encrypted nature: a firewall between the sites sees only the tunnel, so filtering of what crosses it has to happen at the tunnel endpoints.

2-2 Why OpenVPN
Usability:
- Open Source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most of the platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4, Windows XP SP1 or later

2-2 Why OpenVPN
Peers: each node with a client/server role
- Uses the kernel routing
- Multiple clients
A user-space program
- A full-featured SSL-VPN solution
- On top of the existing SSL/TLS mechanism
- Options between a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP or TCP port (5000 was the default in OpenVPN 1.x, 1194 in 2.0)

2-2 OpenVPN Security
Two authentication modes:
- Static key: uses a pre-shared key. Simple, but the same key protects all traffic for as long as it is in use (no forward secrecy) and it has to be copied to every peer over a secure channel.
- SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange; session keys are negotiated per connection and renewed periodically.
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number (replay protection)
- IV: initialization vector, randomized per packet, sent in clear
- HMAC | IV | encrypted(SeqN | IP payload): SeqN and the IP packet are encrypted; the HMAC covers the IV and the ciphertext, so a tampered packet is rejected before it is decrypted.

2-2 OpenVPN vs IPSec
OpenVPN:
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec:
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard: multi-vendor support

2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
- Uses a TUN device: a virtual point-to-point IP link that OpenVPN combines with the inner interface.
- Uses the kernel routing to forward the packets.
(OSI stack diagram: OpenVPN attaches at the network layer; TUN is a layer-3 device.)

Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work.
2. Routes must be set up linking each subnet.
3. Software that depends on broadcasts will not see machines on the other side of the VPN.
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly.

2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses a "TAP" device: a TAP device is a virtual Ethernet adapter.
- The bridge tools (brctl) are required to create the bridge.
- A script is needed to bind eth1 and tap0 together into a bridged device called br0:
brctl addbr br0          (create an Ethernet bridge)
brctl addif br0 eth1     (connect interface eth1 as a port)
brctl addif br0 tap0     (connect virtual interface tap0 as a port)
(OSI stack diagram: OpenVPN attaches at the data-link layer; eth0 carries the tunnel, eth1 and tap0 are bridged into br0 on each side.)

Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server.
3. No route statements to configure.
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk.
5. Relatively easy-to-configure solution for road warriors.
Bridging disadvantages:
1. Less efficient than routing and does not scale well: every broadcast on one LAN is carried through the tunnel to the other, and anything that can reach the bridged segment is on the same layer-2 network as the remote site.
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys

3-1 Getting Started: lab topology
[VPN Server] (also the CA/TLS server): ixp0 192.168.12.201 on the shared network; ixp1 10.0.1.254, the gateway of LAN A (hosts 10.0.1.1/24, gw 10.0.1.254)
[VPN Client]: ixp0 192.168.12.202 on the shared network; ixp1 10.0.2.254, the gateway of LAN B (hosts 10.0.2.1/24, gw 10.0.2.254)
The VPN tunnel runs between the two ixp0 addresses; LAN A and LAN B are connected through it.

3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing, create it with mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun, modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
The key file is the whole secret of a static-key tunnel: make it readable by root only (chmod 600) and copy it to the peer over SSH (scp), never over FTP or e-mail.

3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the cipher/authentication support: openvpn --show-ciphers, openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun.server.conf
[At VPN Client] vi /etc/openvpn/tun.client.conf

3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified (the "ifconfig" line).
It is NECESSARY to specify the server address ("remote") at the VPN client.

3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tun.server.sh
chmod +x /etc/openvpn/tun.server.sh
[At VPN Client] vi /etc/openvpn/tun.client.sh, chmod +x /etc/openvpn/tun.client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun.server.conf &, and at the client openvpn --config /etc/openvpn/tun.client.conf &
Note the 2nd argument of "ifconfig", which is now "10.0.2.254".

Create the TAP configuration files: vi /etc/openvpn/tap.server.conf
[At VPN Client] vi /etc/openvpn/tap.client.conf

3-3 TAP Configuration: VPN Server
Comment out this line (the route) if both VPN networks are in the same subnet; a bridged tunnel needs no route for its own segment.

3-3 TAP Configuration: VPN Server
Edit the static routes: vi /etc/openvpn/tap.server.sh
[At VPN Client] vi /etc/openvpn/tap.client.sh, chmod +x /etc/openvpn/tap.client.sh
The routes point to the kernel routing entry of the bridge: br0 = 10.0.1.254

3-3 TAP Configuration: VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap.server.conf &, and at the client openvpn --config /etc/openvpn/tap.client.conf &
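The slides show tun.server.conf and tun.client.conf only as screenshots. The script below is an added example, not Moxa's file, that writes a static-key configuration pair for the 3-1 topology (server ixp0 192.168.12.201 in front of 10.0.1.0/24, client ixp0 192.168.12.202 in front of 10.0.2.0/24). The tunnel endpoint addresses 10.8.0.1/10.8.0.2, the key file name static.key, the cipher/auth choice and the unprivileged user and group are assumptions; the slides use the LAN gateway addresses 10.0.1.254/10.0.2.254 as the ifconfig arguments instead.

```shell
#!/bin/sh
# Added example: static-key TUN configuration pair for the 3-1 lab topology.
# Assumptions (not from the slides): tunnel endpoints 10.8.0.1/10.8.0.2, key file
# name static.key, AES-128-CBC/SHA1, and the unprivileged user/group nobody/nogroup.
set -eu
OVPN_DIR="${OVPN_DIR:-/etc/openvpn}"
SERVER_IP=192.168.12.201      # VPN server ixp0 (from the 3-1 drawing)
LAN_A=10.0.1.0                # behind the server
LAN_B=10.0.2.0                # behind the client
TUN_SERVER=10.8.0.1           # assumed tunnel endpoint addresses
TUN_CLIENT=10.8.0.2
KEY_FILE=static.key

# Options identical on both ends of a point-to-point static-key tunnel.
common_opts() {
    cat <<EOF
dev tun
proto udp
port 1194
# pre-shared key generated with: openvpn --genkey --secret $OVPN_DIR/$KEY_FILE
secret $OVPN_DIR/$KEY_FILE
# AES-CBC is one of the modes the UC-7400 hardware engine accelerates (1-8)
cipher AES-128-CBC
auth SHA1
# keepalive: ping every 10 s, restart the tunnel after 60 s of silence
ping 10
ping-restart 60
# drop root once the tun device and key are open; keep them across restarts
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# Server: local tunnel address first, then the peer's; route LAN B through the tunnel.
tun_server_conf() {
    common_opts
    cat <<EOF
ifconfig $TUN_SERVER $TUN_CLIENT
route $LAN_B 255.255.255.0
EOF
}

# Client: must name the server ("remote"); addresses mirrored; route LAN A through the tunnel.
tun_client_conf() {
    common_opts
    cat <<EOF
remote $SERVER_IP
ifconfig $TUN_CLIENT $TUN_SERVER
route $LAN_A 255.255.255.0
EOF
}

# Write both files on the server; copy tun.client.conf and the key to the client with scp, not ftp.
write_configs() {
    tun_server_conf > "$OVPN_DIR/tun.server.conf"
    tun_client_conf > "$OVPN_DIR/tun.client.conf"
    [ -f "$OVPN_DIR/$KEY_FILE" ] || openvpn --genkey --secret "$OVPN_DIR/$KEY_FILE"
    chmod 600 "$OVPN_DIR/$KEY_FILE"
}

if [ "${1:-}" = write ]; then write_configs; fi
```

With the "route" lines in the configuration files the tun.server.sh/tun.client.sh route scripts of the slides are not needed: OpenVPN installs the route through the tunnel when it comes up and removes it when it goes down. Hosts in LAN A reach LAN B because their default gateway (10.0.1.254) is the UC itself, which forwards into the tunnel once ip_forward is enabled.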
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate request: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client
The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txx-server.conf (i.e. tun-server.conf or tap-server.conf)
txx-client.conf (i.e. tun-client.conf or tap-client.conf)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range (0 to 300 VDC) & right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration key
F5 Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier: Model name
ASUS: WL-107g
CNET: CWC-854 (181D version)
Edimax: EW-7108PCg
Amigo: AWP-914WG
Gigabyte: GN-WMKG
Others which use the Ralink chipset
Thank You
Configuring 802.11g Wireless LAN
• The settings are in /etc/Wireless/RT2500STA/RT2500STA.dat:
CountryRegion: sets the channels for your particular country region
WirelessMode: sets the wireless mode
SSID: sets the soft-AP SSID
NetworkType: sets the wireless operation mode
Channel: sets the channel
AuthMode: sets the authentication mode
EncrypType: sets the encryption type
DefaultKeyID: sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str: set the strings of Key1 to Key4
WpaPsk: WPA pre-shared key
TxBurst: enables or disables TxBurst
TurboRate: enables or disables TurboRate
BGProtection: sets 11b/11g protection (this function is for engineering testing only)
ShortSlot: enables or disables the short slot time
TxRate: sets the TxRate
RTSThreshold: sets the RTS threshold
FragThreshold: sets the fragment threshold
Developing Your Application
Windows Tool Chain
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
The UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
• Introduction
• Installation procedure
• Using the BASH shell
• GDB debug tool: Insight
Windows Tool Chain – requirements
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Development Process
Step 1: Setting up the development environment on the PC (x86)
Step 2: Coding, compiling and debugging on the Windows Tool Chain (x86)
Step 3: Deploying the program to the UC (IXP-422)
Step 1: Setting up the Development Environment (PC, x86)
Install the Windows Tool Chain on the PC (Windows 2K/XP)
Installation tips:
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities:
• Moxa Bash Shell
• GDB debug tool: Insight (http://sources.redhat.com/insight/)
• This process could take from 5 to 30 minutes depending on the speed of your system
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain)
Compile/link the source code with the tool chain:
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compiling Hello.c
Step 3: Deployment
Upload the program to the UC:
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Run the program (at the UC-7400 side):
• chmod +x hello-release
• ./hello-release
Output: Hello
Debugging with GDB
Diagram: the PC (Moxa Bash Shell) and the UC are connected over Ethernet. (1) Compile with -ggdb on the PC; (2) run the GDB debug server on the UC; (3) run the Insight tool (GDB client) on the PC; (4) target remote.
Step 1 (PC, Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC
Step 2 (UC): launch hello-debug under gdbserver:
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 3 (PC, Insight): run the GDB client
• Open the hello-debug file
• Connect to target: GDB Server/TCP, 192.168.3.200, port 2000
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
"Netfilter" inspects only the packet headers, not the content
iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
3rd generation firewall on Linux:
– "ipfwadm" on Linux kernel 2.0.x
– "ipchains" on Linux kernel 2.2.x
– "ipchains" / "iptables" on Linux kernel 2.4.x
– "iptables" on Linux kernel 2.6.x
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
Flowchart: packets are tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches (Yes) applies its action (Action 1, Action 2, ... Action 10) and evaluation stops; a packet that matches none of them (No) falls through to the default policy.
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets
With the first two rules swapped:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
192.168.1.100 is now able to use the WWW service, or to attack the WWW service port
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain: packets entering the local host
2. OUTPUT chain: packets output from the local host
3. FORWARD chain: packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on the packets, i.e. to translate the packet's source field or destination field
1) PREROUTING chain: translates the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: local host
2-3-2 Source: local host
2-3-3 Forwarded packets
2-3-4 State machine
2-3-1 Destination: Local Host
Path: Incoming packets → NAT table PREROUTING → Filter table INPUT → Local process
2-3-2 Source: Local Host
Path: Local process → Outgoing packets → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Send out packets
2-3-3 Forwarded Packets
Path: Incoming packets → NAT table PREROUTING → Filter table FORWARD → NAT table POSTROUTING → Other hosts (local processes are not involved)
2-4 State Machine
3) Usage of iptables
3-1 Load iptables modules
3-2 Define default policy
3-3 Structure of a rule
3-4 Save/restore rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
Check the current tables: iptables [-t table] [-L] [-n]
(Screenshot labels: default policy of each chain; clear the current policy)
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-3 Structure of a Rule
3-3-1 Add, insert, delete and replace rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save/Restore Rules
It is highly recommended to maintain the Netfilter rules in a script file instead of using the exported (saved) rule file, which is not a standard script file. Please refer to the hands-on practice.
4) Hands-On Practice
1) Packet filter
2) NAT machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 – Accept all TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 – Drop all incoming TCP packets with dst port = 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 – Log all incoming TCP packets to port 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the "LOG" target
Example 8 – Drop all [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit an ICMP "ping" burst:
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 – Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable "passive mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine – Rules of the nat table
Example 1 – Redirect connection requests for port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 leaving through ppp0 as the local ppp0 IP (MASQUERADE and -o are only valid in POSTROUTING):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 – DNAT the packets arriving on eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10 port 80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
The second command shown on the slide SNATs the internal network 192.168.127.0/24 to the outside address $OUT_IP on the way out:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
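A complete rule script for the hands-on practice, as an added example (my own script, not from the slides): it applies the advice of 3-4 (keep the rules in a script, not in the saved dump), makes the first-match ordering of 2-1 explicit, and combines the filter and NAT examples above. The interface names and the addresses 192.168.1.100, 192.168.127.10, 192.168.127.0/24 and 60.248.66.75 are taken from the slides' examples and are assumptions; DRY_RUN=1 prints the commands instead of executing them, so the ordering can be checked without root.

```shell
#!/bin/sh
# Added example, not Moxa's script: maintain the UC-7400 netfilter rules in a
# reviewable script.  All values are constructed from the slides' examples.
# DRY_RUN=1 prints each iptables command instead of running it.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                  # interface facing the untrusted network
LAN_NET="${LAN_NET:-192.168.127.0/24}"    # internal LAN behind the UC
WEB_SRV="${WEB_SRV:-192.168.127.10}"      # internal web server (slide example 3)
BAD_HOST="${BAD_HOST:-192.168.1.100}"     # host to block before the WWW accept rule (slide 2-1)
OUT_IP="${OUT_IP:-60.248.66.75}"          # the UC's public address (slide example 3)

# run ARGS...: execute iptables with ARGS, or print the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@" || { echo "failed: $IPT $*" >&2; return 1; }
    fi
}

# fw_flush: empty every table and delete user chains so re-running is idempotent.
fw_flush() {
    for t in filter nat mangle; do
        run -t "$t" -F
        run -t "$t" -X
    done
}

# fw_policy: fail closed; only explicitly accepted packets get in or through.
fw_policy() {
    run -t filter -P INPUT DROP
    run -t filter -P FORWARD DROP
    run -t filter -P OUTPUT ACCEPT
}

# fw_rules: the full rule set, listed in the order the kernel will test it.
fw_rules() {
    fw_flush
    fw_policy
    # Loopback and packets of known connections first: the most frequent matches.
    run -t filter -A INPUT -i lo -j ACCEPT
    run -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -t filter -A INPUT -m state --state INVALID -j DROP
    # The host-specific DROP must come BEFORE the general web ACCEPT: under first
    # match, swapping these two lines lets BAD_HOST reach port 80 (slide 2-1).
    run -t filter -A INPUT -i "$WAN_IF" -s "$BAD_HOST" -j DROP
    run -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Answer pings, but only at a bounded rate (slide example 11).
    run -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Record what the default policy is about to drop (LOG target; not on the UC-7110).
    run -t filter -A INPUT -j LOG --log-prefix "FW-DROP:"
    # NAT: publish the internal web server on the public address, SNAT the LAN outbound.
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 -j DNAT --to "$WEB_SRV:80"
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to "$OUT_IP"
    # FORWARD is DROP by policy, so allow exactly the translated flows and their replies.
    run -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SRV" --dport 80 -m state --state NEW -j ACCEPT
    run -t filter -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
}

# rule_index PATTERN: 1-based position of the first dry-run command matching PATTERN,
# so rule ordering can be asserted before the rules ever touch the kernel.
rule_index() {
    ( DRY_RUN=1; fw_rules ) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Usage on the UC, with this file saved as e.g. fw.sh (name is an assumption):
#   DRY_RUN=1 sh fw.sh apply   to review;   sh fw.sh apply   to load the rules.
if [ "${1:-}" = "apply" ]; then
    fw_rules
fi
```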
Thank You
OpenVPN 2.0 – Stephen Lin
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric data encryption
1-3 Hash (digest) function
1-4 Message authentication code
1-5 Asymmetric data encryption
1-6 Digital signature
1-7 Certificate
1-8 Moxa UC-7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties
DES, 3DES, AES, Blowfish
Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts it with the same secret key back to plaintext.
1-3 Hash (Digest) Function
Ensures data integrity
MD5, SHA-1
Diagram: Tom runs the data through the hash function to get message digest 1 and sends data + digest 1; Bob runs the same hash function over the received data to get message digest 2 and compares it with digest 1.
1-4 Message Authentication Code
Ensures data integrity
Uses a key to protect the MAC
HMAC, CBC-MAC
Diagram: Tom hashes the data into message digest 1 and encrypts the digest with the secret key to form the MAC, sending MAC + data; Bob hashes the received data into message digest 2, decrypts the MAC with the secret key to recover digest 1, and compares the two.
1-5 Asymmetric Encryption
Things to remember:
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: all algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA, Diffie-Hellman
Diagram: clear text → encryption → ciphertext
1-5 Asymmetric Data Encryption – Confidentiality check
Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair).
1-5 Asymmetric Data Encryption – Authenticity check
Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair).
1-6 Digital Signature
Real world – hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – uses the public key and a hash
1-6 Digital Signature – Creating
Diagram: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) into a short message digest (typically 128 bits) using a one-way message digest function, even for a long input; the digest is encrypted asymmetrically (RSA) with the signatory's private key to produce the digital signature; message + digital signature form the signed document.
1-6 Digital Signature – Verifying
Diagram: the signed document is split into the message and the digital signature; the message is hashed again to generate a message digest; the signature is decrypted asymmetrically with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared.
1-6 Digital Signature
Diagram: Tom hashes the data into message digest 1 and encrypts it with Tom's private key to form the digital signature, sending data + signature; Bob hashes the received data into message digest 2, decrypts the signature with Tom's public key to recover digest 1, and compares the two.
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key (can be a person, a computer, a device, a file, some code, anything …)
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature.
1-7-1 CA Certificate
Diagram (certification server): the CA generates a key pair (priv, pub); a user requests a certificate from the CA; the CA generates the certificate (pub + DS = cert); the private key and the certificate are sent to the user. Left cert signed by CA; right cert signed by CA; CA public key signed by the CA itself.
1-7-1 CA Certificate Example
Diagram: the CA keeps its private key; Left and Right each hold their own private key, the CA public key and their own certificate signed by the CA; Left and Right trust each other because both certificates are signed by the same CA.
1-7-2 SSL/TLS
Diagram: each side holds a key pair (priv, pub) and the other side's public key; clear text is encrypted into cipher 1 and then cipher 2, transmitted over the public network, and decrypted (cipher 2, then cipher 1) back to clear text.
Ensures confidentiality
• and integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, identity, non-repudiation
1-8 Moxa UC-7400 – Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
Charts (hardware cipher marked in the legend): throughput and rate of 3DES-CBC and AES-128-CBC for packet sizes from 128 to 1280 bytes, and the same two ciphers for small packets from 16 to 144 bytes.
1-8-3 Things to be Noticed
The Moxa UC-7400 switches operations between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration or a busy engine causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network – Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
Peers – each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
Packet layout: HMAC | IV | [SeqN | IP packet payload], where the bracketed part is encrypted and the HMAC covers the IV together with the encrypted part
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer and the TUN device is inserted at the network layer (3rd).
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the bridge device
Need to create a script to bind eth1 and tap0 together into a bridged device called br0:
brctl addbr br0 – create an Ethernet bridge
brctl addif br0 eth1 – connect interface eth1 as a port
brctl addif br0 tap0 – connect virtual interface tap0 as a port
Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer, the TAP device is inserted at the data-link layer (2nd, versus TUN at the 3rd); on each side eth1 and tap0 are bridged, while eth0 carries the tunnel.
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point or point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
3) OpenVPN Configuration
3-1 Getting started
3-2 TUN configuration
3-3 TAP configuration
3-4 SSL/TLS – X.509 dynamic keys
3-1 Getting Started
Topology diagram: LAN A (hosts 10.0.1.1/24 with gateway 10.0.1.254) sits behind the VPN server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201; LAN B (hosts 10.0.2.1/24 with gateway 10.0.2.254) sits behind the VPN client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202; the VPN tunnel connects the two ixp0 interfaces, and a CA/TLS server is also reachable on the network.
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
Developing Your Application
Windows Tool Chain

Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB

Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
- Introduction
- Installation procedure
- Using the BASH shell
- GDB debug tool: Insight
Windows Tool Chain: requirements
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet connection to the UC-7400
5. Ability to log in as administrator
6. A Windows username without spaces
7. Commands are entered in a BASH shell window
8. Edit text files such as configuration files with vi (a Unix editor). Do NOT use WordPad (a Windows editor): its line endings cause problems when the files are transferred to a real Linux environment.
Development Process
Step 1: Set up the development environment on the PC (x86)
Step 2: Code, compile and debug with the Windows Tool Chain
Step 3: Deploy the program to the UC (IXP-422 target)

Step 1: Setting up the Development Environment
Install the Windows Tool Chain on the PC (Windows 2000/XP).
Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities:
- Moxa Bash Shell
- GDB debug tool: Insight (http://sources.redhat.com/insight)
- Installation can take from 5 to 30 minutes depending on the speed of your system.
Step 2: Coding, Compiling and Debugging
Write the C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain).
Compile and link the source with the tool chain:
- Compiler path setting: PATH=/usr/local/mxscaleb/bin
- Compiling hello.c
Step 3: Deployment
Upload the program to the UC with FTP:
    ftp 192.168.3.127
    ftp> binary
    ftp> put hello-release
(FTP sends the login and the binary in the clear; use it only on the isolated lab network.)
Run the program on the UC-7400:
    chmod +x hello-release
    ./hello-release
    Hello
Debugging with GDB
[Figure: PC (Moxa Bash Shell) and UC connected by Ethernet. 1) compile with -ggdb on the PC; 2) GDB debug server (gdbserver) on the UC; 3) Insight (GDB client) on the PC; 4) target remote.]
Step 1 (PC, Moxa Bash Shell): compile the program with the -ggdb option, then upload hello-debug to the UC.
Step 2 (UC): start the program under gdbserver:
    chmod +x hello-debug
    gdbserver 192.168.3.127:2000 hello-debug
    Process hello-debug created; pid = 206
Step 3 (PC, Insight): run the GDB client:
- Open the hello-debug file
- Connect to target: GDB Server/TCP, host = the UC's IP address (192.168.3.127 in this lab), port 2000
Note that gdbserver accepts the first TCP connection to port 2000 without any authentication and the session is not encrypted; whoever connects controls the process, so debug this way only on the isolated lab network.
iptables Introduction

Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1. Quick View of iptables
- A user-space command to set up and maintain the "Netfilter" subsystem of the kernel.
- Netfilter works on packet headers (and connection state), not on the packet content.
- iptables is one of many firewall/NAT solutions: an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
- Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
- Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches; this is called a "target", which may be a jump to a user-defined chain in the same table.
- Third generation of firewalls on Linux:
  - ipfwadm on Linux kernel 2.0.x
  - ipchains on Linux kernel 2.2.x
  - ipchains and iptables on Linux kernel 2.4.x
  - iptables on Linux kernel 2.6.x
- Supports basic packet filtering as well as connection state tracking.
- UC-7110/7400 support only iptables.
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match: the Highest Priority
[Figure: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order. The first rule that matches fires its action (Action 1, Action 2, ... Action 10) and processing of the chain stops; if no rule matches, the chain's default policy applies.]

First-match example: on a WWW server, reject the attack from IP 192.168.1.100.
Correct order:
  Rule 1: drop the packets from 192.168.1.100
  Rule 2: accept WWW request packets from all hosts
  Rule 3: drop all non-WWW packets
Wrong order:
  Rule 1: accept WWW request packets from all hosts
  Rule 2: drop the packets from 192.168.1.100
  Rule 3: drop all non-WWW packets
With the wrong order, web traffic from 192.168.1.100 matches Rule 1 first and Rule 2 is never reached for it: 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port.
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table

2-2-1 Filter Table
Mainly used for filtering packets: the place where we actually take action against packets, look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain: packets destined for the local host
2. OUTPUT chain: packets generated by the local host
3. FORWARD chain: packets routed through this host to other hosts

2-2-2 NAT Table
Used for Network Address Translation: rewriting the source or destination field of packets.
1) PREROUTING chain: rewrites the destination IP address before the routing decision (DNAT)
2) POSTROUTING chain: works after the routing process and just before the packet leaves the Ethernet device; rewrites the source IP address (SNAT, MASQUERADE)
3) OUTPUT chain: translation of locally generated packets

2-2-3 Mangle Table
Mainly used for mangling packets: the mangle matches and targets can change the TOS (Type Of Service) and TTL fields, and can MARK packets for later rules or routing.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine

2-3-1 Destination: Local Host
Incoming packets -> nat table PREROUTING -> routing decision -> filter table INPUT -> local process

2-3-2 Source: Local Host
Local process -> outgoing packets -> nat table OUTPUT -> filter table OUTPUT -> nat table POSTROUTING -> packet sent out

2-3-3 Forwarded Packets
Incoming packets -> nat table PREROUTING -> routing decision (destination is not a local resource) -> filter table FORWARD -> nat table POSTROUTING -> other hosts

2-4 State Machine
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules

3-1 Load iptables Modules
Note: ipchains and iptables are not compatible; do not load both.
Check the current tables (the listing also shows each chain's default policy):
    iptables [-t table] -L [-n]
Clear the current policy and rules (flush with -F) before installing a new rule set.

3-2 Define Default Policy
    iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace
    iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <chain> <matches> -j <target>
Three major things need to be considered: the direction (chain), the match conditions and the target.

3-3-2 Direction: Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...

3-3-3 Matches: Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --sports/--dports [p1,p2,...,p15] (up to 15 ports)
6. -i [iface], -o [oface]
7. ... etc.

3-3-4 Targets: Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
The current rule set can be exported and re-imported (iptables-save / iptables-restore). It is highly recommended to maintain the Netfilter rules in a script file instead of using this exported file (it is not a standard script file). Please refer to the Hands-On practice.

4) Hands-On Practice
1) Packet Filter
2) NAT Machine
4-1 Packet Filter: Rules of the filter table

Example 1: Accept all packets incoming from the lo interface
    iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2: Accept all TCP packets incoming from IP 192.168.0.1
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3: Accept all TCP packets incoming from the network 192.168.1.0/24
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4: Drop all TCP packets incoming from IP 192.168.1.25
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5: Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0)
    iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7: Log the incoming/outgoing TCP packets to/from port 25 (log the SMTP service); the slide gives the incoming rule:
    iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
    LOG is a non-terminating target: the packet continues down the chain after being logged.
    Note: UC-7110 does not support the LOG target.
Example 8: Drop all SYN packets from IP 192.168.100.200
    iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9: Drop all packets from MAC aa:bb:cc:dd:ee:ff
    iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10: Do not respond to ping (ICMP echo request, type 8)
    iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: Limit an ICMP ping burst (default-drop, then accept at most 6 per minute with a burst of 10)
    iptables -t filter -P INPUT DROP
    iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12: Accept ESTABLISHED and RELATED packets of the local host; drop INVALID packets and NEW packets that are trying to create new connections
    iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13: Check packet integrity
    iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14: Enable passive-mode FTP service to a host (the FTP connection-tracking helper marks the data connection as RELATED)
    modprobe ip_conntrack_ftp
    iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine

Example 1: Redirect connection requests for port 80 to local port 8080
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: Masquerade the packets from 192.168.1.0/24 leaving via ppp0 with ppp0's own IP (MASQUERADE and -o are only valid after routing, i.e. in POSTROUTING; the slide's PREROUTING would be rejected)
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3: DNAT the incoming packets on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10:80
    iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4: Redirect the incoming packets for TCP port 80 to 192.168.1.10, TCP port 80 (same DNAT pattern as Example 3, with --to 192.168.1.10:80). The second command on the slide is the matching SNAT rule that gives the internal subnet the external address $OUT_IP on the way out:
    iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
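The examples above are single rules; the script that 3-4 recommends has to put them in an order that survives first match (2-1). The following shell script is an added example, not from the Moxa slides: a complete rule set for a UC-7420 acting as the NAT gateway of the 4-2 examples (LAN 192.168.127.0/24 behind it, public address 60.248.66.75, internal web server 192.168.127.10). The interface names eth0/eth1, the admin host 192.168.127.25 and the port choices are assumptions. With IPT=echo it prints the rules instead of applying them, which is how the self-check at the end works.

```shell
#!/bin/sh
# Added example, not from the Moxa slides: one rule script for a UC-7420
# working as the NAT gateway of the 4-2 examples (LAN 192.168.127.0/24
# behind it, public address 60.248.66.75, internal web server
# 192.168.127.10). Interface names eth0/eth1, the admin host and the port
# choices are assumptions. Rules are kept in a script (3-4) and ordered so
# that first match (2-1) does what is intended.
# Run with IPT=echo to print the rules instead of applying them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET=192.168.127.0/24
WAN_IP=60.248.66.75
WEB_SERVER=192.168.127.10
ADMIN_HOST=192.168.127.25     # the only host allowed to reach the UC's sshd

flush_all() {
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -t filter -X
}

set_default_policy() {
    # Default-deny for traffic to the UC and through it; OUTPUT stays open.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

local_host_rules() {
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    # Replies to connections the UC opened, plus helper traffic (e.g. FTP data).
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    # Management from the LAN admin host only. This ACCEPT must come before
    # the logging rule below: with first match, order decides.
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT
    # Answer ping, but not a flood (Example 11).
    $IPT -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Log new connection attempts from the WAN at a limited rate; LOG is
    # non-terminating, so the packet then falls through to the DROP policy.
    # (UC-7110 has no LOG target: delete this rule there.)
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --syn -m limit --limit 3/min -j LOG --log-prefix "UC-INPUT-DROP: "
}

forward_rules() {
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may go out; only the DNAT'ed web port may come in. FORWARD sees
    # the already-translated destination, so match the internal address.
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

nat_rules() {
    # DNAT in PREROUTING (before routing): public :80 -> internal web server.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    # SNAT in POSTROUTING (after routing): LAN hosts leave with the public
    # address. Use MASQUERADE instead when the WAN address is dynamic (ppp0).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

apply_firewall() {
    flush_all
    set_default_policy
    local_host_rules
    forward_rules
    nat_rules
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward   # required for FORWARD/NAT
    fi
}

# Number of -P/-A lines a dry run produces: a quick check that the whole
# script parses before it is installed on the device.
count_rules() {
    ( IPT=echo; apply_firewall ) | grep -c ' -[AP] '
}

case "${1:-}" in
    apply) apply_firewall ;;
esac
```

Run it as "sh firewall.sh apply" on the UC, or "IPT=echo sh firewall.sh apply" on the PC to review the rule list; the DNAT rule only works together with the FORWARD rule for the translated address and with ip_forward enabled.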
Thank You
OpenVPN 2.0
Stephen Lin

Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400

1-1 What does Cryptography solve?
- Confidentiality: ensure that nobody can learn what you transfer, even if they listen to the whole conversation.
- Integrity: ensure that the message has not been modified during transmission.
- Authenticity: you can verify that you are talking to the entity you think you are talking to, and who the specific individual behind that entity is.
- Non-repudiation: the individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
- Fast; high efficiency for data transmission
- Is it "secure" while transferring the key? (key distribution problem)
- Key maintenance: n parties need n(n-1)/2 keys
- DES, 3DES, AES, Blowfish
[Figure: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts it with the same secret key.]
1-3 Hash (Digest) Function
- Ensures data integrity
- MD5, SHA-1
[Figure: Tom hashes the data into Message Digest 1 and sends data + digest; Bob runs the same hash function over the received data to get Message Digest 2 and compares it with Message Digest 1.]
A plain hash only detects accidental corruption: an attacker who can change the data can recompute the digest too, which is why the digest must be protected with a key (1-4).
1-4 Message Authentication Code
- Ensures data integrity and origin
- Uses a key to protect the digest (MAC)
- HMAC, CBC-MAC
[Figure: Tom hashes the data into Message Digest 1, protects it with the secret key (MAC) and sends data + MAC; Bob recomputes Message Digest 2 over the data, recovers Message Digest 1 from the MAC with the same secret key and compares the two.]
1-5 Asymmetric Encryption
Things to remember:
- Key pair: public/private keys
- In a session, one key is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- From one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
- In RSA the two keys are interchangeable: either one can encrypt and the other decrypts, and when a key pair is generated either can be made public. This is what makes RSA signatures possible; it is not a property of every asymmetric algorithm.
- Less efficient than symmetric (static key) encryption
- RSA, Diffie-Hellman
[Figure: clear text is encrypted into unreadable cipher text such as "g$5knvMd'rk vegMs".]

1-5 Asymmetric Data Encryption: confidentiality check
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair.]

1-5 Asymmetric Data Encryption: authenticity check
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair.]
1-6 Digital Signature
Real world: a hybrid giving 1. data integrity, 2. authenticity, 3. non-repudiation; 4. algorithm: public key plus hash.

1-6 Digital Signature: Creating
[Figure: the message or file ("This is the document created by Gianni") is hashed with a one-way message digest function (SHA, MD5) into a short message digest (128 bits for MD5, 160 bits for SHA-1), even for a long input; the digest is encrypted with the signatory's private key (asymmetric encryption, RSA) to produce the digital signature ("3kJfgf£$&"); the signed document is message + signature.]

1-6 Digital Signature: Verifying
[Figure: the verifier hashes the received message to get a message digest; decrypts the digital signature with Gianni's public key (from his certificate) to recover the signed digest; compares the two digests.]

[Figure: the same flow with Tom and Bob: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key (the digital signature), then sends data + signature; Bob hashes the data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares.]
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key (a person, a computer, a device, a file, some code, anything ...)
... and the whole is:
- Digitally signed by someone trusted (like your friend, or a CA)
[Figure: certificate = "This public key belongs to Stephen" + the public key + the issuer's digital signature over both.]
1-7-1 CA Certificate
[Figure: 1) the CA generates its own key pair on the certification server; 2) the user requests a certificate from the CA; 3) the CA generates the certificate and, in the slide's flow, also the user's private key, and sends both to the user.]
In practice (and in 3-4-1/3-4-2 below) the private key is generated where it will be used and only the certificate request is sent to the CA, so the CA never holds the user's private key.

1-7-1 CA Certificate Example
[Figure: Left and Right each trust the CA public key. Left holds "Left Cert signed by CA" and Right holds "Right Cert signed by CA", both signed with the CA private key; the CA's own public key is in a certificate signed by the CA itself.]
1-7-2 SSL/TLS
[Figure: each side has its own key pair (priv/pub) and the peer's public key. Clear text is encrypted to Cipher 1 on one side and Cipher 2 on the other, transmitted over the public network, and decrypted back to clear text by the peer.]
- Ensures confidentiality, and integrity if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400: Hardware Cipher
Intel XScale (IXP-422) supports:
- Security engines: DES, AES
- Modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of libcrypto.so:
- No need to change the source code

1-8-1 Moxa Accelerated Algorithms (OpenSSL 0.9.7)
- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), as OpenSSL itself does.
1-8-2 Performance
[Figure: four charts of throughput versus packet size for 3DES-CBC and AES-128-CBC, software cipher against hardware cipher (filled bars = HW cipher), with RATE (hardware/software speedup) on the right axis. Large packets, 128 to 1280 bytes: throughput scale 0 to 80, RATE 0 to 8. Small packets, 16 to 144 bytes: throughput scale 0 to 8, RATE 0 to 2.5.]
1-8-3 Things to be noticed
Moxa UC-7400 switches between the software and the hardware approaches:
- Default: hardware approach
- Any mis-configuration, or a busy hardware engine, causes a switch to software
- Small packets are handled in software: DES below 128 bytes, 3DES/AES below 64 bytes

1-8-4 Software Package
- Driver: mxhw_cipher.o
- Device file: mknod /dev/mxcrypto c 11 131
- Test program: io (correctness test); io 0 5000 (stability test); io 1 (golden pattern); io 2 20000 (performance test)
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes

2-1 Virtual Private Network: Advantages/Disadvantages
- VPN: a network constructed by using public wires (e.g. the Internet) to connect nodes
- A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH etc. do)
- A VPN allows the use of protocols which are insecure by themselves
- VPN traffic cannot be controlled and logged easily by devices in between, because of its encrypted nature
2-2 Why OpenVPN
Usability:
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared (static) key or digital certificates (PKI)
Portability: supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4, Windows XP SP1 or later

- Peers: each node takes a client or server role; uses kernel routing; multiple clients
- A user-space program: a full-featured SSL VPN solution on top of the existing SSL/TLS mechanism, with a choice among a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port (5000 in OpenVPN 1.x, 1194 in 2.0)

2-2 OpenVPN Security
Two authentication modes:
- Static key: a pre-shared key
- SSL/TLS: SSL/TLS plus certificates, for authentication and key exchange
The encrypted packet is formatted as: HMAC | IV | [SeqN | IP packet payload], where the bracketed part is encrypted:
- SeqN: 64-bit sequence number (replay protection)
- IV: plaintext initialization vector, randomized per packet
- HMAC: computed over IV and ciphertext, and checked before decryption
2-2 OpenVPN vs IPsec
OpenVPN:
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPsec:
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPsec
- IETF standard: multi-vendor support

2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
- Uses a TUN device: a virtual point-to-point IP link; the inner (tunnel) address is configured together with the TUN device
- Uses the kernel routing table to forward the packets
[Figure: OSI stacks of the two hosts (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN attaches at the Network layer through the TUN device (layer 3).]

Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses a TAP device: a virtual Ethernet adapter
- Bridge tools (brctl) are required to bridge the adapters
- A script binds eth1 and tap0 together into a bridge device called br0:
    brctl addbr br0           # create an Ethernet bridge
    brctl addif br0 eth1      # connect interface eth1 as a port
    brctl addif br0 tap0      # connect the virtual interface tap0 as a port
[Figure: OSI stacks of the two hosts; OpenVPN attaches at the Data-Link layer through the TAP device (layer 2). On each side eth1 and tap0 are bridged, while eth0 carries the tunnel.]

Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works where the VPN needs to carry non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy to configure for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well (every broadcast crosses the tunnel)
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys

3-1 Getting Started: lab topology
[Figure: LAN A (hosts with IP 10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN Server (ixp1 10.0.1.254, ixp0 192.168.12.201); LAN B (hosts with IP 10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN Client (ixp1 10.0.2.254, ixp0 192.168.12.202). The client connects to the server over the ixp0 network and the VPN tunnel links LAN A and LAN B. A separate CA/TLS server issues the certificates.]

3-1 Getting Started
- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN device: ls /dev/net and look for the character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]
- Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started (continued)
- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
- Create/start the bridge interface using the Moxa script (TAP mode): openvpn-bridge [start|stop|restart]
- Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tunserver.conf; [at the VPN client] vi /etc/openvpn/tunclient.conf

3-2 TUN Server Configuration
- The local and remote VPN (tunnel) IP addresses must be specified: ifconfig <local> <remote>
- It is NECESSARY to specify the server address at the VPN client (remote)
- Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
- [At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
- Start OpenVPN with the configuration file:
    openvpn --config /etc/openvpn/tunserver.conf &
    [At the VPN client] openvpn --config /etc/openvpn/tunclient.conf &
- The static route on the server points at the remote tunnel endpoint, i.e. the 2nd argument of "ifconfig", which is "10.0.2.254" here; at the client the two ifconfig arguments are swapped.
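The slides show the TUN configuration files only as screenshots, so the following script is an added example, not from the Moxa deck: it generates the server and client configuration for the lab topology of 3-1 in static-key mode, including the route, and refuses to start if the key file is readable by others (in this mode the key file is the whole security of the tunnel). Addresses come from the diagram; the file names, UDP port 1194, the cipher/digest choice and the unprivileged user are assumptions.

```shell
#!/bin/sh
# Added example, not from the Moxa slides: generates the TUN (routed)
# static-key configuration pair for the lab topology of 3-1, writes the
# matching route, and refuses to start if the key file is world-readable.
# Addresses come from the diagram (tunnel endpoints 10.0.1.254 and
# 10.0.2.254, LAN A 10.0.1.0/24, LAN B 10.0.2.0/24, server WAN address
# 192.168.12.201); the file names, UDP port 1194, cipher choice and the
# unprivileged user are assumptions.

SERVER_WAN=192.168.12.201
SERVER_TUN=10.0.1.254
CLIENT_TUN=10.0.2.254
LAN_A=10.0.1.0
LAN_B=10.0.2.0
MASK=255.255.255.0
KEY=${KEY:-/etc/openvpn/static.key}   # from: openvpn --genkey --secret /etc/openvpn/static.key
PORT=1194

# Directives shared by both ends: static-key mode, an explicit cipher and
# digest (see openvpn --show-ciphers / --show-digests), dead-peer detection,
# and dropping root once the tun device and the key are open.
common_conf() {
    cat <<EOF
dev tun
proto udp
port $PORT
secret $KEY
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-tun
persist-key
user nobody
verb 3
EOF
}

tun_server_conf() {
    # ifconfig <local tunnel IP> <remote tunnel IP>; the route sends LAN B
    # into the tunnel, and ip_forward=1 lets the kernel forward LAN A's traffic.
    printf '%s\n' "ifconfig $SERVER_TUN $CLIENT_TUN" "route $LAN_B $MASK"
    common_conf
}

tun_client_conf() {
    # The client must know the server's address (remote) and swaps the two
    # ifconfig arguments, as the slide notes; it routes LAN A back.
    printf '%s\n' "remote $SERVER_WAN $PORT" "ifconfig $CLIENT_TUN $SERVER_TUN" "route $LAN_A $MASK"
    common_conf
}

# In static-key mode the key file is the entire security of the tunnel:
# anyone who can read it can decrypt and inject traffic. Require 600 or 400.
check_key_perms() {
    key=$1
    [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
    mode=$(ls -ld "$key" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$key has permissions $mode, expected -rw-------" >&2; return 1 ;;
    esac
}

# start_tun server|client : write the config file and launch openvpn as a daemon
start_tun() {
    side=$1
    check_key_perms "$KEY" || return 1
    "tun_${side}_conf" > "/etc/openvpn/tun${side}.conf"
    openvpn --config "/etc/openvpn/tun${side}.conf" --daemon
}

case "${1:-}" in
    server|client) start_tun "$1" ;;
esac
```

Generate the key once on one UC, copy it to the other over an authenticated channel (scp, not FTP), and run "sh tun.sh server" and "sh tun.sh client" respectively; the same script also serves to review the generated files on the PC.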
3-3 TAP Configuration: VPN Server
- Create the TAP configuration files: vi /etc/openvpn/tapserver.conf; [at the VPN client] vi /etc/openvpn/tapclient.conf
- Mark this line (comment it out) if both VPN networks are in the same subnet: a bridged tunnel then needs no route
- Edit the static routes: vi /etc/openvpn/tapserver.sh; [at the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
- The route points at the kernel routing entry of the bridge: br0 = 10.0.1.254
- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file:
    openvpn --config /etc/openvpn/tapserver.conf &
    [At the VPN client] openvpn --config /etc/openvpn/tapclient.conf &
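The Moxa openvpn-bridge script itself is not reproduced on the slides. The following is an added example, not Moxa's script: an equivalent start/stop helper for TAP mode that bridges the LAN port with tap0 into br0 and moves the LAN address 10.0.1.254/24 (the VPN server side of the diagram) onto the bridge, as 2-3-2 describes. The interface name ixp1, the tap owner "nobody" and the RUN=echo dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not Moxa's openvpn-bridge script: an equivalent bridge
# start/stop helper for TAP mode. It bridges the LAN port (ixp1) with tap0
# into br0 and moves the LAN address 10.0.1.254/24 onto br0, as on the VPN
# server side of the 3-1 diagram. Set RUN=echo to print instead of run.

RUN="${RUN:-}"
BR=br0
ETH="${ETH:-ixp1}"
TAP=tap0
BR_IP=10.0.1.254
BR_MASK=255.255.255.0

bridge_start() {
    # Create a persistent tap device owned by the unprivileged user that
    # openvpn drops to, so the daemon does not need root after start-up.
    $RUN openvpn --mktun --dev "$TAP" --dev-type tap --user nobody
    $RUN brctl addbr "$BR"
    $RUN brctl addif "$BR" "$ETH"
    $RUN brctl addif "$BR" "$TAP"        # the bridge name is required here
    # Bridge ports carry no address of their own; promiscuous mode lets the
    # bridge see frames for MAC addresses behind the other end of the tunnel.
    $RUN ifconfig "$TAP" 0.0.0.0 promisc up
    $RUN ifconfig "$ETH" 0.0.0.0 promisc up
    $RUN ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" up
}

bridge_stop() {
    $RUN ifconfig "$BR" down
    $RUN brctl delbr "$BR"
    $RUN openvpn --rmtun --dev "$TAP" --dev-type tap
    # Give the LAN address back to the physical port.
    $RUN ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" up
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    "")      ;;                            # sourced, nothing to do
    *)       echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Run "openvpn-bridge start" before starting openvpn with the TAP configuration; the tap0 device must exist before openvpn opens it, and the LAN port must have no address of its own once it is a bridge port.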
3-4-1 SSL/TLS: Dynamic Keys
- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, ... etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
- Sign the certificate: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client
- Have the second client certified the same way
3-4-2 OpenVPN "easy-rsa" tools
- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars
- Activate the vars: . /etc/openvpn/easy-rsa/vars
- Create the CA root key: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create the Diffie-Hellman parameters (1024-bit, as set by KEY_SIZE in vars): /etc/openvpn/easy-rsa/build-dh
- Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
- Copy the CA certificate, the client key and the client certificate to the VPN client
- Each private key belongs on its own peer only; copy the files over an authenticated channel such as scp.
- The "easy-rsa" tools also work on the UC-7400 series

3-4-3 Configuration File Modification
txxserver.conf, txxclient.conf (xx = un or ap)
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
Agenda
1) Windows Tool Chain Introduction
2) Development Process
3) Debugging with GDB
Windows Tool Chain Introduction
UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
- Introduction
- Installation Procedure
- Using the BASH Shell
- GDB debug tool: Insight
Windows Tool Chain
1. Operating System: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
[Diagram: the PC (x86) cross-compiles for the UC (IXP-422)]
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP).
Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities:
- Moxa Bash Shell
- GDB debug tool: Insight (http://sources.redhat.com/insight)
- This process could take from 5 to 30 minutes depending on the speed of your system.
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC, Windows Tool Chain).
Compile/link the source code with the tool chain:
- Compiler path setting: PATH=/usr/local/mxscaleb/bin
- Compiling Hello.c
Step 3: Deployment
Upload the program to the UC:
- ftp 192.168.3.127
- ftp> binary
- ftp> put hello-release
Running the program (at the UC-7400 side):
- chmod +x hello-release
- ./hello-release
Terminal output on the UC:
# chmod +x hello-release
# ./hello-release
Hello
Debugging with GDB
[Diagram: PC (Moxa Bash Shell) and UC connected over Ethernet. 1. Compile with -ggdb on the PC; 2. GDB debug server (gdbserver) on the UC; 3. Insight tool (GDB client) on the PC; 4. target remote]
Debugging with GDB
On the UC:
# chmod +x hello-debug
# gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): Compile the program with the -ggdb option, then upload it to the UC.
Step 2 (UC): Start hello-debug under the debug server with the command
gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): Run the GDB client:
- Open the hello-debug file
- Connect to target: GDB Server/TCP, host 192.168.3.200, port 2000
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
- A user-space command to set up and maintain the "Netfilter" subsystem of the kernel.
- "Netfilter" manages only the packet headers, not the content.
- iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
1. Quick View of iptables
- Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
- Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
1. Quick View of iptables
- 3rd-generation firewall on Linux:
  - "ipfwadm" on Linux kernel 2.0.x
  - "ipchains" on Linux kernel 2.2.x
  - "ipchains"/"iptables" on Linux kernel 2.4.x
  - "iptables" on Linux kernel 2.6.x
- Supports basic packet filtering as well as connection state tracking.
- UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
[Flowchart: incoming packets are tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches ("Yes") executes its action (Action 1, Action 2, ... Action 10) and evaluation stops; a packet that matches no rule ("No" all the way down) falls through to the Default Policy]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets
Compare with this ordering:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
With the second ordering, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first and Rule 2 is never reached.
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packets' source field or destination field.
1) PREROUTING chain – to translate the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that can be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Diagram: Incoming Packets → NAT table PREROUTING → Filter table INPUT → Local Process]
2-3-2 Source: Local Host
[Diagram: Outgoing Packets from a local process → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Send Out Packets]
2-3-3 Forwarded Packets
[Diagram: Incoming Packets → NAT table PREROUTING → routing: packets for a Local Resource follow the 2-3-1 path, packets for Other Hosts go through Filter table FORWARD → NAT table POSTROUTING → Other Hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|I|D|R [direction] [match] -j [target]
Three major things need to be considered in every rule: the direction (chain), the match and the target.
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ...etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from the network 192.168.0.0/24 to local port numbers 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 7 – Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC-7110 does not support the target "LOG".
4-1 Packet Filter – Rules of filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – ICMP "ping" burst (drop by default, accept a limited rate of pings):
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table
Example 13 – Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "Passive Mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
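The first-match rule of 2-1 and the filter-table rules of 4-1, as an added example that is not part of the original training material: a small Python model of the iptables filter table. It parses rule lines in the form used on these slides (-A/-I/-P on a chain, the -i/-o/-p/-s/-d/--sport/--dport matches, -j target) and evaluates a packet top to bottom, falling back to the chain's default policy when nothing matches. It models only those options (the state, mac, limit and icmp-type matches of the later examples are not covered), and the packets and the second host address 192.168.1.7 are constructed for the demo.

```python
"""Mini model of the iptables filter table: rules are tried top to bottom and
the first match decides; otherwise the chain's default policy applies.

Added example, not from the Moxa slides. Only the options named on these
slides are parsed; state/mac/limit/icmp-type matches are not modelled.
"""
import ipaddress
import shlex

# Option -> packet field it is matched against.
MATCH_OPTS = {"-i": "iface", "-o": "oface", "-p": "proto", "-s": "src",
              "-d": "dst", "--sport": "sport", "--dport": "dport"}


class FilterTable:
    """The three built-in chains, each a rule list plus a default policy."""

    def __init__(self):
        self.chains = {name: {"policy": "ACCEPT", "rules": []}
                       for name in ("INPUT", "OUTPUT", "FORWARD")}

    def load(self, line):
        """Parse one 'iptables ...' line using -A, -I or -P on the filter table."""
        argv = shlex.split(line)
        if argv and argv[0] == "iptables":
            argv = argv[1:]
        matches, target, action, chain = {}, None, None, None
        i = 0
        while i < len(argv):
            opt = argv[i]
            if opt == "-t":
                if argv[i + 1] != "filter":
                    raise ValueError("only the filter table is modelled")
                i += 2
            elif opt == "-P":
                self.chains[argv[i + 1]]["policy"] = argv[i + 2]
                return
            elif opt in ("-A", "-I"):
                action, chain = opt, argv[i + 1]
                i += 2
            elif opt == "-j":
                target = argv[i + 1]
                i += 2
            elif opt in MATCH_OPTS:
                matches[MATCH_OPTS[opt]] = argv[i + 1]
                i += 2
            else:
                raise ValueError("unsupported option: %s" % opt)
        if action is None or target is None:
            raise ValueError("a rule needs a chain (-A/-I) and a target (-j)")
        rules = self.chains[chain]["rules"]
        if action == "-A":
            rules.append((matches, target))
        else:
            rules.insert(0, (matches, target))   # -I with no index inserts at the head

    @staticmethod
    def _field_matches(field, wanted, value):
        if value is None:                         # packet has no such field (e.g. no port)
            return False
        if field in ("src", "dst"):
            return ipaddress.ip_address(value) in ipaddress.ip_network(wanted, strict=False)
        if field == "proto":
            return wanted == "all" or wanted == value
        if field in ("sport", "dport"):           # single port or low:high range
            lo, _, hi = wanted.partition(":")
            return int(lo) <= int(value) <= int(hi or lo)
        return wanted == value

    def verdict(self, chain, packet):
        """Return (target, rule number) of the first matching rule, or (policy, None)."""
        for number, (matches, target) in enumerate(self.chains[chain]["rules"], 1):
            if all(self._field_matches(f, w, packet.get(f)) for f, w in matches.items()):
                return target, number
        return self.chains[chain]["policy"], None


# Constructed packets for the 2-1 scenario: the host named on the slide and a normal client.
ATTACKER = {"iface": "eth0", "proto": "tcp", "src": "192.168.1.100", "dport": 80}
OTHER = {"iface": "eth0", "proto": "tcp", "src": "192.168.1.7", "dport": 80}


def first_match_demo(order):
    """Load the 2-1 rules in the given order and report the verdict for both hosts."""
    drop_host = "iptables -t filter -A INPUT -i eth0 -s 192.168.1.100 -j DROP"
    accept_www = "iptables -t filter -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT"
    drop_rest = "iptables -t filter -A INPUT -i eth0 -j DROP"
    lines = {"drop-first": [drop_host, accept_www, drop_rest],
             "accept-first": [accept_www, drop_host, drop_rest]}[order]
    fw = FilterTable()
    for line in lines:
        fw.load(line)
    return {"attacker": fw.verdict("INPUT", ATTACKER)[0],
            "other": fw.verdict("INPUT", OTHER)[0]}


if __name__ == "__main__":
    print(first_match_demo("drop-first"))     # attacker DROP, other ACCEPT
    print(first_match_demo("accept-first"))   # attacker ACCEPT: rule 1 already matched
```

Feeding the two orderings from 2-1 into the model reproduces the slide's point: with the DROP rule first the named host is rejected, with the ACCEPT rule first it is let through and the DROP rule is dead. The same loader accepts the 4-1 rule lines that use only the modelled options (Examples 1 to 6), which is a cheap way to sanity-check a rule script before it is applied on the UC.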
4-2 NAT Machine – Rules of nat table
Example 1 – Redirect the connection requests for port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets coming from 192.168.1.0/24 as the local ppp0's IP (MASQUERADE is only valid in the POSTROUTING chain, where -o selects the outgoing interface):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10, port 80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80 (the rule shown on the slide is a source NAT of 192.168.127.0/24 to the address held in $OUT_IP):
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
Integrity
- Ensure that the message has not been modified during the transmission.
Authenticity
- You can verify that you are talking to the entity you think you are talking to.
- You can verify who is the specific individual behind that entity.
Non-repudiation
- The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
- Fast, high efficiency for data transmission
- Is it "secure" while transferring the key?
- Maintenance of the keys: n(n-1)/2 keys for n parties
- DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back to the plaintext]
1-3 Hash (Digest) Function
- Ensure data integrity
- MD5/SHA-1
[Diagram: Tom computes Message Digest 1 from the data with the hash function and sends data + digest; Bob computes Message Digest 2 from the received data with the same hash function and compares it with Message Digest 1]
1-4 Message Authentication Code
- Ensure the data integrity
- Use a key to protect the MAC
- HMAC/CBC-MAC
[Diagram: Tom computes Message Digest 1 from the data with the hash function and encrypts it with the secret key into the MAC, then sends data + MAC; Bob computes Message Digest 2 from the received data, decrypts the MAC with the secret key to recover Message Digest 1, and compares the two]
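To make the difference between 1-3 and 1-4 concrete, here is an added Python example (not from the original slides) built on the standard library's hashlib and hmac modules. SHA-256 stands in for the MD5/SHA-1 named above, and the message and the 32-byte shared key are constructed for the demo. It shows why an unkeyed digest (1-3) protects only against accidental corruption, while a keyed MAC (1-4) also rejects a modified message from anyone who does not hold the key.

```python
"""Unkeyed digest vs keyed MAC: what each one does and does not protect.

Added example (not from the Moxa slides). SHA-256 stands in for the MD5/SHA-1
of the slides; the message and the key below are constructed for the demo.
"""
import hashlib
import hmac
import os


def digest(data: bytes) -> bytes:
    """1-3: unkeyed hash of the data. Anyone can compute it."""
    return hashlib.sha256(data).digest()


def mac(key: bytes, data: bytes) -> bytes:
    """1-4: HMAC-SHA256. Only a holder of `key` can compute it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_digest(data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison itself leaks nothing.
    return hmac.compare_digest(digest(data), tag)


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


ORIGINAL = b"Tom->Bob: set relay 3 threshold to 100.00"   # constructed message
MODIFIED = ORIGINAL.replace(b"100.00", b"999.00")          # the same message altered in transit


def hash_only_scenario() -> dict:
    """Tom sends (data, digest). Someone in the middle rewrites the data."""
    tag = digest(ORIGINAL)
    return {
        "genuine_accepted": verify_digest(ORIGINAL, tag),
        # Altered data with Tom's old digest is caught; accidental corruption looks like this.
        "modified_old_tag_rejected": not verify_digest(MODIFIED, tag),
        # The digest needs no secret, so a modifier simply recomputes it and Bob accepts.
        "modified_recomputed_tag_accepted": verify_digest(MODIFIED, digest(MODIFIED)),
    }


def keyed_mac_scenario() -> dict:
    """Same exchange with an HMAC under a key shared by Tom and Bob only."""
    key = os.urandom(32)          # constructed shared secret
    tag = mac(key, ORIGINAL)
    return {
        "genuine_accepted": verify_mac(key, ORIGINAL, tag),
        "modified_old_tag_rejected": not verify_mac(key, MODIFIED, tag),
        # Without the key the best a modifier can do is an unkeyed digest: Bob rejects it.
        "modified_recomputed_tag_accepted": verify_mac(key, MODIFIED, digest(MODIFIED)),
    }


if __name__ == "__main__":
    print("hash only:", hash_only_scenario())
    print("keyed MAC:", keyed_mac_scenario())
```

The only line that changes between the two scenarios is the tag function, yet the last entry flips from True to False: the key, not the hash, is what turns an integrity check into an authenticity check. The same reasoning is why OpenVPN's static-key mode carries an HMAC on every packet rather than a bare digest.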
1-5 Asymmetric Encryption
Things to remember:
- Key pair – public/private keys
- In a session, one is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
- The two keys are interchangeable: all algorithms make no difference between the public and the private key. When a key pair is generated, either of the two can be public or private.
- Less efficient than a static (symmetric) key
- RSA/Diffie-Hellman
[Diagram: clear text → encryption → cipher text (e.g. "g$5knvMd'rk vegMs")]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair – confidentiality check]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair – authenticity check]
1-6 Digital Signature
Real world – hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – use the public key and a hash
1-6 Digital Signature – Creating
[Diagram: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) into a short message digest ("Py75cbn", typically 128 bits); the digest is encrypted with the signatory's private key (asymmetric encryption, RSA) to give the digital signature ("3kJfgf£$&"); the message plus the digital signature form the signed document]
Calculate a short message digest from even a long input using a one-way message digest function (hash).
1-6 Digital Signature – Verifying
[Diagram: from the signed document, the message is hashed again into a message digest ("Py75cbn"); the digital signature ("3kJfgf£$&") is decrypted with Gianni's public key (from the certificate; asymmetric decryption) to recover the original digest; the two digests are compared]
1-6 Digital Signature
[Diagram: Tom computes Message Digest 1 from the data with the hash function and encrypts it with Tom's private key into the digital signature, then sends data + signature; Bob computes Message Digest 2 from the received data, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two]
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key
... and the whole is:
- Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature; the certified entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + DS); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Diagram: the CA private key signs the Left and Right certificates; Left and Right each hold their own private key, their certificate signed by the CA and the CA public key, and both trust the CA; the CA public key is itself signed by the CA]
1-7-2 SSL/TLS
[Diagram: each side holds a private/public key pair; the clear text is encrypted with the peer's public key (Cipher 1, Cipher 2), transmitted over the public network and decrypted with the matching private key back to clear text]
- Ensures confidentiality
- And integrity, if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel XScale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too.
1-8-2 Performance
[Plots: throughput (RATE) of 3DES-CBC and AES-128-CBC against packet size, one pair of panels for 128 to 1280 bytes and one pair for 16 to 144 bytes; the hardware cipher results are marked separately from the software ones]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
- Default: hardware approach
- Any misconfiguration, or the hardware being busy, causes the switch
Small packets are switched to the software approach:
- DES: 128 bytes
- 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
- mxhw_cipher.o
Device file:
- mknod /dev/mxcrypto c 11 131
Test program:
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
- VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
- A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.).
- A VPN allows the usage of protocols which are insecure by themselves.
- VPNs cannot be controlled and logged easily because of their encrypted nature.
2-2 Why OpenVPN
Usability:
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms:
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role:
- Makes use of the kernel routing
- Multiple clients
A user-space program:
- A full-featured SSL-VPN solution
- On top of the existing SSL/TLS mechanism
- Options between a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
- Static Key: use a pre-shared key
- SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number
- IV: plain-text initial vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP payload, with an "encrypt" bracket over the fields that follow the HMAC]
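The packet layout just described (HMAC, per-packet IV, 64-bit SeqN, payload), as an added Python example that is not part of the slides and is not OpenVPN's own code: the sender builds HMAC | IV | SeqN | payload, and the receiver verifies the HMAC before it interprets anything else, then refuses sequence numbers it has already accepted. Everything else is an assumption of this example: HMAC-SHA256 in place of OpenVPN's configurable digest, the payload left in the clear (the cipher step under the "encrypt" bracket is omitted, so the IV is carried but unused), and replay protection reduced to a strict "must be higher than the last accepted SeqN" check instead of OpenVPN's sliding window. The traffic is constructed.

```python
"""HMAC | IV | SeqN | payload framing: authenticate first, then reject replays.

Added example, not OpenVPN's code. HMAC-SHA256 is assumed; the payload is not
encrypted here; replay protection is a strict monotonic SeqN check.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32   # HMAC-SHA256 output
IV_LEN = 16    # random per-packet IV, sent in clear (as on the slide)
SEQ_LEN = 8    # 64-bit sequence number
HEADER_LEN = TAG_LEN + IV_LEN + SEQ_LEN


def pack(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: the HMAC is computed over everything that follows it."""
    iv = os.urandom(IV_LEN)
    body = iv + struct.pack(">Q", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


class Receiver:
    """Receiver side: verify the HMAC first, then enforce SeqN ordering."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0            # sequence numbers start at 1
        self.rejected = {"short": 0, "bad_mac": 0, "replay": 0}

    def unpack(self, packet: bytes):
        """Return the payload, or None when the packet must be discarded."""
        if len(packet) < HEADER_LEN:
            self.rejected["short"] += 1
            return None
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # unauthenticated: drop before parsing further
            self.rejected["bad_mac"] += 1
            return None
        seq = struct.unpack(">Q", body[IV_LEN:IV_LEN + SEQ_LEN])[0]
        if seq <= self.last_seq:                     # already seen (or older): replay
            self.rejected["replay"] += 1
            return None
        self.last_seq = seq
        return body[IV_LEN + SEQ_LEN:]


def demo() -> dict:
    """Genuine, replayed and corrupted packets against one receiver (constructed traffic)."""
    key = os.urandom(32)
    rx = Receiver(key)
    p1 = pack(key, 1, b"ping")
    p2 = pack(key, 2, b"pong")
    p3 = pack(key, 3, b"data")
    flipped = p3[:-1] + bytes([p3[-1] ^ 0x01])   # one payload bit changed in transit
    return {
        "first": rx.unpack(p1),
        "second": rx.unpack(p2),
        "replayed_first": rx.unpack(p1),   # same bytes again: valid HMAC, stale SeqN
        "corrupted_third": rx.unpack(flipped),
        "genuine_third": rx.unpack(p3),    # the corrupted copy did not consume SeqN 3
        "rejected": dict(rx.rejected),
    }


if __name__ == "__main__":
    print(demo())
```

Two ordering decisions matter here and carry over to the real protocol: the HMAC check comes before the SeqN is even read, so an unauthenticated packet can never move the receiver's replay state, and a corrupted packet does not burn its sequence number, so the genuine copy that arrives later is still accepted.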
2-2 OpenVPN vs IPSec
OpenVPN:
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec:
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
- Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
- Uses the kernel routing to forward the packets
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer and the TUN device is attached at layer 3]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
- Bridge tools (brctl) are required to create the virtual adapters
- Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0        # create an Ethernet bridge
brctl addif br0 eth1   # connect interface eth1 as a port
brctl addif br0 tap0   # connect virtual interface tap0 as a port
[Diagram: two OSI stacks; OpenVPN runs at the application layer, the TAP device is attached at layer 2 (compared with TUN at layer 3); each side shows eth0, eth1 and tap0, with eth1 and tap0 joined by bridging]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN – this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing, and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Network diagram: LAN A (IP 10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN Server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201; LAN B (IP 10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN Client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202; the VPN tunnel connects the two ixp0 addresses; the VPN Server also acts as the CA/TLS server]
3-1 Getting Started
- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN module; if it is not loaded, ls /dev/net and look for a character device "tun"; if missing: mknod /dev/net/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
- Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
- Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
- Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
- [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
- The local/remote VPN IP addresses must be specified
- It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
- Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
- [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
- [At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
- Check the 2nd argument of "ifconfig" in the client configuration, which is now "10.0.2.254"
3-3 TAP Configuration – VPN Server
- Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
- [At VPN Client] vi /etc/openvpn/tapclient.conf
- Mark (comment out) this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
- Edit the static routings: vi /etc/openvpn/tapserver.sh; chmod +x /etc/openvpn/tapserver.sh
- [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
- Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
- [At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
- Certificate signing: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client
- Have the second client certificated in the same way
3-4-2 OpenVPN – "easy-rsa" tools
- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars
- Activate the vars: . /etc/openvpn/easy-rsa/vars
- Create the CA root key: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
- Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
- Copy the CA certificate, the client key and the client certificate to the VPN client
- The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier / Model name
ASUS / WL-107g
CNET / CWC-854 (181D version)
Edimax / EW-7108PCg
Amigo / AWP-914WG
Gigabyte / GN-WMKG
Others which use the Ralink chipset
Thank You
Windows Tool Chain Introduction
The UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC.
The following topics are covered in this appendix:
• Introduction
• Installation Procedure
• Using the BASH Shell
• GDB debug tool: Insight
Windows Tool Chain
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows Tool Chain
Step 3: Deploying the program to the UC
(Diagram: x86 PC on one side, IXP-422 target on the other)
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on the PC (Windows 2K/XP). Installation tips:
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities:
• Moxa Bash Shell
• GDB debug tool: Insight
• http://sources.redhat.com/insight
• This process could take from 5 to 30 minutes depending on the speed of your system
Code a C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain)
Compile/link the source code with the tool chain:
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compile Hello.c
Step 2: Coding, Compiling and Debugging
Step 3: Deployment
Upload the program to the UC:
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 side):
• chmod +x hello-release
• ./hello-release
# chmod +x hello-release
# ./hello-release
Hello
(Diagram: the PC running the Moxa Bash Shell (1. compile with -ggdb; 3. Insight tool, the GDB client; 4. target remote) is connected over Ethernet to the UC running 2. the GDB debug server)
Debugging with GDB
# chmod +x hello-debug
# gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC
Step 2 (UC): start hello-debug under the debug server with the command gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): run the GDB client
• Open the hello-debug file
• Connect to target:
• GDB Server, TCP
• 192.168.3.200
• 2000
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
"Netfilter" works on the packet headers only, not on the packet content
iptables is currently one of many firewall/NAT solutions; it is an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
3rd generation firewall on Linux:
– "ipfwadm" on Linux kernel v2.0.x
– "ipchains" on Linux kernel v2.2.x
– "ipchains" / "iptables" on Linux kernel v2.4.x
– "iptables" on Linux kernel v2.6.x
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
(Flowchart: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches ("Yes") applies its action (Action 1, Action 2, ... Action 10) and evaluation stops; a packet that matches no rule ("No" all the way down) gets the default policy)
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets
With the order changed to:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first.
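The first-match behaviour above, as an added example that is not part of the original training deck: a small simulation of the filter-table INPUT chain that shows why the two rule orders give different verdicts for 192.168.1.100, plus a renderer that prints each rule in the iptables syntax used in the hands-on section. The Rule and Packet classes and the default-policy handling are assumptions of this example, not iptables internals.

```python
"""First-match simulation of an iptables INPUT chain (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One rule: every field that is not None must match (AND of matches)."""
    action: str                   # target: ACCEPT or DROP
    src: Optional[str] = None     # -s: host ("192.168.1.100") or CIDR ("192.168.1.0/24")
    proto: Optional[str] = None   # -p: tcp, udp or icmp
    dport: Optional[int] = None   # --dport (meaningful for tcp/udp only)


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when all conditions of the rule hold for the packet."""
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """Walk the chain in order; return (verdict, 1-based index of the deciding rule).

    The index is None when no rule matched and the chain's default policy applied.
    """
    for index, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule.action, index
    return policy, None


def to_iptables(rule: Rule, table: str = "filter", chain: str = "INPUT") -> str:
    """Render a Rule as the equivalent iptables -A command."""
    parts = ["iptables", "-t", table, "-A", chain]
    if rule.proto is not None:
        parts += ["-p", rule.proto]
    if rule.src is not None:
        parts += ["-s", rule.src]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    parts += ["-j", rule.action]
    return " ".join(parts)


# The WWW-server scenario from the slide; 192.168.1.100 is the host to block.
BLOCKED_HOST = "192.168.1.100"
WWW = Rule("ACCEPT", proto="tcp", dport=80)
BLOCK = Rule("DROP", src=BLOCKED_HOST)

# Rule 3 ("drop all non-WWW packets") is expressed as the chain's default policy.
CORRECT_ORDER = [BLOCK, WWW]   # Rule 1 drops the host, Rule 2 accepts WWW
WRONG_ORDER = [WWW, BLOCK]     # Rule 1 accepts WWW first, so Rule 2 never sees port 80


if __name__ == "__main__":
    probe = Packet(BLOCKED_HOST, "tcp", 80)
    for name, chain in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        verdict, index = evaluate(chain, probe)
        print(f"{name} order: {verdict} decided by rule {index}")
    for rule in CORRECT_ORDER:
        print(to_iptables(rule))
```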
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the source field or the destination field of the packets
1) PREROUTING chain – translates the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device; translates the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
(Diagram: incoming packets → NAT table PREROUTING → filter table INPUT → local process)
2-3-2 Source: Local Host
(Diagram: outgoing packets from the local process → NAT table OUTPUT → filter table OUTPUT → NAT table POSTROUTING → sent out)
2-3-3 Forwarded Packets
(Diagram: incoming packets → NAT table PREROUTING → not for a local resource → filter table FORWARD → NAT table POSTROUTING → other hosts)
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported rules file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 – Accept all TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 – Drop all incoming TCP packets with destination port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 7 – Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the target "LOG"
Example 8 – Drop all [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit ICMP "ping" bursts
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 12 – Accept the ESTABLISHED and RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests to port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 leaving through ppp0 with the local ppp0 IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 – DNAT the packets incoming on eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even when listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify which specific individual is behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, highly efficient for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties
DES / 3DES / AES / Blowfish
(Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back to plaintext)
1-3 Hash (Digest) Function
Ensures data integrity
MD5 / SHA-1
(Diagram: Tom runs the data through the hash function to get message digest 1 and sends data + digest 1; Bob runs the same hash function over the received data to get message digest 2 and compares it with digest 1)
1-4 Message Authentication Code
Ensures data integrity
Uses a key to protect the MAC
HMAC / CBC-MAC
(Diagram: Tom hashes the data into message digest 1 and encrypts it with the secret key to form the MAC, sending data + MAC; Bob hashes the received data into message digest 2, decrypts the MAC with the secret key to recover digest 1, and compares the two)
1-5 Asymmetric Encryption
Things to remember:
• Key pair – public/private keys
• In a session, one key is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA / Diffie-Hellman
(Diagram: clear text → encryption → cipher text)
1-5 Asymmetric Data Encryption
(Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair: confidentiality check)
1-5 Asymmetric Data Encryption
(Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair: authenticity check)
1-6 Digital Signature
Real world – hybrid: 1. Data integrity 2. Authenticity 3. Non-repudiation 4. Algorithm – uses the public key and a hash
1-6 Digital Signature – Creating
(Diagram: calculate a short message digest from even a long input using a one-way message digest function (hash: SHA, MD5; typically 128 bits); encrypt the digest with the signatory's private key (asymmetric encryption: RSA) to obtain the digital signature; the signed document is the message or file ("This is the document created by Gianni") together with its digital signature)
1-6 Digital Signature – Verifying
(Diagram: generate the hash of the received message or file to obtain a message digest; decrypt the digital signature with Gianni's public key (from the certificate) to recover the signed digest; compare the two digests)
1-6 Digital Signature
(Diagram: Tom hashes the data into message digest 1 and encrypts it with Tom's private key to form the digital signature, sending data + signature; Bob hashes the received data into message digest 2, decrypts the signature with Tom's public key to recover digest 1, and compares the two)
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
(Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...)
1-7-1 CA Certificate
(Diagram: the certification server (CA) generates its own key pair; a user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user. Left cert signed by CA; Right cert signed by CA; CA pub key signed by the CA itself)
1-7-1 CA Certificate Example
(Diagram: the CA keeps the CA private key. Left holds its private key, its cert signed by the CA and the CA pub key; Right holds its private key, its cert signed by the CA and the CA pub key. Left and Right trust each other's certificate because both are signed by the CA)
1-7-2 SSL/TLS
(Diagram: each side holds a private/public key pair. Clear text is encrypted twice (Cipher 1, then Cipher 2), transmitted over the public network, then decrypted twice in reverse order back to clear text)
Ensures confidentiality
• And integrity if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which is where OpenSSL wraps it too
1-8-2 Performance
(Charts: throughput of 3DES-CBC and AES-128-CBC against packet size, 128 to 1280 bytes and 16 to 144 bytes, software cipher versus hardware cipher, with a RATE series on the secondary axis; the marked series is the HW cipher)
1-8-3 Things to be noticed
The Moxa UC-7400 switches operation between the software and the hardware approach
• Default: hardware approach
• Any misconfiguration or busyness of the engine causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
• authentication
• key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plaintext initialization vector, randomized per packet
HMAC | IV | SeqN | payload, where SeqN and the payload are encrypted and the HMAC is computed over the IV and the encrypted part
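The packet layout and checks described above, as an added example that is not OpenVPN's own code: a sender that frames HMAC | IV | SeqN | payload and a receiver that verifies the HMAC first and then rejects repeated or older sequence numbers. Assumptions of this example: SHA-1 as the auth digest, a 16-byte IV, a constructed demo key, and no encryption step, so SeqN and the payload travel as given (in OpenVPN they sit inside the encrypted part).

```python
"""Authenticated OpenVPN-style packet framing with replay check (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

HMAC_LEN = hashlib.sha1().digest_size   # 20 bytes (assumption: SHA-1 auth digest)
IV_LEN = 16                             # assumption: AES block size
SEQ_LEN = 8                             # 64-bit sequence number, big-endian
HEADER_LEN = HMAC_LEN + IV_LEN + SEQ_LEN

DEMO_KEY = bytes(range(32))             # constructed demo HMAC key, not a real key


def seal(key: bytes, seq: int, payload: bytes, iv: Optional[bytes] = None) -> bytes:
    """Build HMAC | IV | SeqN | payload; a fresh random IV is drawn per packet."""
    if iv is None:
        iv = os.urandom(IV_LEN)
    if len(iv) != IV_LEN:
        raise ValueError("IV must be %d bytes" % IV_LEN)
    body = iv + struct.pack(">Q", seq) + payload
    tag = hmac.new(key, body, hashlib.sha1).digest()   # HMAC over IV + SeqN + payload
    return tag + body


class Receiver:
    """Verifies the HMAC before anything else, then enforces increasing SeqN.

    OpenVPN tolerates limited reordering with a replay window; strictly
    increasing sequence numbers are used here to keep the example short.
    """

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0          # sequence numbers start at 1

    def open(self, packet: bytes) -> Tuple[str, Optional[int], Optional[bytes]]:
        """Return (status, seq, payload); status is ok, short, bad-hmac or replay."""
        if len(packet) < HEADER_LEN:
            return "short", None, None
        tag, body = packet[:HMAC_LEN], packet[HMAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(tag, expected):
            return "bad-hmac", None, None
        seq = struct.unpack(">Q", body[IV_LEN:IV_LEN + SEQ_LEN])[0]
        if seq <= self.last_seq:
            return "replay", seq, None
        self.last_seq = seq
        return "ok", seq, body[IV_LEN + SEQ_LEN:]


if __name__ == "__main__":
    rx = Receiver(DEMO_KEY)
    pkt = seal(DEMO_KEY, 1, b"hello")
    print(rx.open(pkt))            # ('ok', 1, b'hello')
    print(rx.open(pkt)[0])         # replay
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print(rx.open(tampered)[0])    # bad-hmac
```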
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall and NAT friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
(Diagram: the seven OSI layers on both peers; OpenVPN runs at the application layer and the TUN device is inserted at layer 3, the network layer)
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages: 1. Point-to-point 2. Easier to configure 3. Efficiency and scalability 4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages: 1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work 2. Routes must be set up linking each subnet 3. Software that depends on broadcasts will not see the machines on the other side of the VPN 4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
A script is needed to bind eth1 and tap0 together into a bridged device called br0:
brctl addbr br0 (create an Ethernet bridge)
brctl addif br0 eth1 (connect interface eth1 as a port)
brctl addif br0 tap0 (connect virtual interface tap0 as a port)
(Diagram: on each side eth1 and tap0 are bridged at layer 2, eth0 carries the tunnel and OpenVPN runs at the application layer; TUN works at layer 3, TAP at layer 2)
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages: 1. Point-to-point and point-to-multipoint 2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server 3. No route statements to configure 4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk 5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages: 1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
(Diagram: VPN Server, also the CA/TLS server: ixp0 192.168.12.201, ixp1 10.0.1.254 = gateway of LAN A (IP 10.0.1.1/24). VPN Client: ixp0 192.168.12.202, ixp1 10.0.2.254 = gateway of LAN B (IP 10.0.2.1/24). The VPN tunnel connects the two UCs)
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
Local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
[At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf & ; openvpn --config /etc/tunclient.conf &
The 2nd argument of "ifconfig" is now "10.0.2.254"
3-3 TAP Configuration – VPN Server
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN client] vi /etc/openvpn/tapclient.conf
Mark (comment out) this line if both VPN networks are in the same subnet
Edit the static routes: vi /etc/openvpn/tunserver.sh
[At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
Windows Tool Chain
1. Operating system: Windows 2000 or Windows XP
2. Minimum of 500 MB hard disk space
3. CD-ROM or equivalent
4. Ethernet to connect with the UC-7400
5. Be able to log in as administrator
6. Use a Windows username without spaces
7. You will be using a BASH shell window to enter commands
8. In addition, for editing text files such as configuration files you should use the vi editor (a Unix editor). Do NOT use WordPad (a Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.
Developing Process
Step 1: Setting up the development environment on the PC (x86)
Step 2: Coding, compiling and debugging with the Windows tool chain (x86)
Step 3: Deploying the program to the UC (IXP-422 target)
Step 1: Setting up the Developing Environment
Install the Windows Tool Chain on a PC running Windows 2000/XP (x86).
Installation tips:
• Default install path: C:\UC
• Default text file type: Unix (recommended)
Utilities:
• Moxa Bash Shell
• GDB debug tool - Insight (http://sources.redhat.com/insight)
• This process could take from 5 to 30 minutes depending on the speed of your system.
Step 2: Coding, Compiling and Debugging
Code a C/C++ program in the Moxa Bash Shell (PC, Windows Tool Chain).
Compile/link the source code with the tool chain:
• Compiler path setting: PATH=/usr/local/mxscaleb/bin
• Compiling hello.c
Step 3: Deployment
Upload the program to the UC over Ethernet:
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 side):
• chmod +x hello-release
• ./hello-release
Console session on the UC:
  # chmod +x hello-release
  # ./hello-release
  Hello
Debugging with GDB
Setup (PC and UC connected over Ethernet):
  PC, Moxa Bash Shell: 1. compile with -ggdb; 3. Insight tool (GDB client); 4. "target remote"
  UC: 2. GDB debug server
Console session on the UC:
  # chmod +x hello-debug
  # gdbserver 192.168.3.127:2000 hello-debug
  Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC.
Step 2 (UC): launch hello-debug under the debug server with the command
  gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): run the GDB client
• Open the hello-debug file
• Connect to target: GDB server / TCP, host 192.168.3.200, port 2000
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1. Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel.
"Netfilter" manages only the packet headers, not the content.
iptables is currently one of many firewall/NAT solutions; it is an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
3rd generation firewall on Linux:
- "ipfwadm" on Linux kernel 2.0.x
- "ipchains" on Linux kernel 2.2.x
- "ipchains" / "iptables" on Linux kernel 2.4.x
- "iptables" on Linux kernel 2.6.x
Supports basic packet filtering as well as connection state tracking.
UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Flowchart: incoming packets are tested against Rule 1, Rule 2, ... Rule 10 in order. The first rule that matches ("Yes") applies its action (Action 1, Action 2, ... Action 10) and evaluation stops; a packet that matches no rule ("No" all the way down) falls through to the Default Policy.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
  Rule 1: Drop the packets from 192.168.1.100
  Rule 2: Accept WWW request packets from all hosts
  Rule 3: Drop all the non-WWW packets
The same three rules in the wrong order:
  Rule 1: Accept WWW request packets from all hosts
  Rule 2: Drop the packets from 192.168.1.100
  Rule 3: Drop all the non-WWW packets
With this order, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first and Rule 2 is never reached.
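The ordering point above, as an added example that is not part of the slides: a small POSIX-shell evaluator that walks a rule list top to bottom the way a netfilter chain does, stops at the first hit, and falls back to the default policy only when nothing matched. The rule format ("src|dport|action", "*" as wildcard) and the client address 192.168.1.7 are constructed for the demonstration; the attacker address 192.168.1.100 and the two orderings come from the slide.

```shell
#!/bin/sh
# Added example (not from the slides): a tiny first-match evaluator that mimics
# how a netfilter chain walks its rules top to bottom and stops at the first hit.
# Rules are "src|dport|action" lines; "*" is a wildcard; the chain's default
# policy applies only when no rule matches.

# first_match SRC DPORT POLICY RULES -> prints the action that applies
first_match() {
    pkt_src=$1; pkt_dport=$2; policy=$3; rules=$4
    hit=$(printf '%s\n' "$rules" | while IFS='|' read -r r_src r_dport r_action; do
        [ -z "$r_action" ] && continue            # skip blank lines
        if { [ "$r_src" = "*" ] || [ "$r_src" = "$pkt_src" ]; } &&
           { [ "$r_dport" = "*" ] || [ "$r_dport" = "$pkt_dport" ]; }; then
            printf '%s' "$r_action"; break         # first match wins
        fi
    done)
    printf '%s' "${hit:-$policy}"
}

# The slide's correct ordering: the attacker is dropped before the generic accept.
GOOD_RULES='192.168.1.100|*|DROP
*|80|ACCEPT
*|*|DROP'

# The slide's wrong ordering: the generic accept shadows the host-specific drop.
BAD_RULES='*|80|ACCEPT
192.168.1.100|*|DROP
*|*|DROP'

# What happens to the attacker's web request and to an ordinary client's
# (constructed address 192.168.1.7) requests under each ordering, policy ACCEPT.
attacker_good()   { first_match 192.168.1.100 80 ACCEPT "$GOOD_RULES"; }
attacker_bad()    { first_match 192.168.1.100 80 ACCEPT "$BAD_RULES"; }
client_good()     { first_match 192.168.1.7 80 ACCEPT "$GOOD_RULES"; }
client_ssh_good() { first_match 192.168.1.7 22 ACCEPT "$GOOD_RULES"; }

# Render a rule list as the equivalent iptables commands (INPUT chain, TCP).
to_iptables() {
    printf '%s\n' "$1" | while IFS='|' read -r r_src r_dport r_action; do
        [ -z "$r_action" ] && continue
        cmd="iptables -t filter -A INPUT -p tcp"
        [ "$r_src" != "*" ] && cmd="$cmd -s $r_src"
        [ "$r_dport" != "*" ] && cmd="$cmd --dport $r_dport"
        printf '%s -j %s\n' "$cmd" "$r_action"
    done
}

if [ "${1:-}" = "demo" ]; then
    echo "attacker, good order: $(attacker_good)"   # DROP
    echo "attacker, bad order:  $(attacker_bad)"    # ACCEPT
    to_iptables "$GOOD_RULES"
fi
```

Run it with `sh first-match.sh demo`. The same evaluator also shows why a generic "accept established" or "accept from the LAN" rule placed at the top of a chain silently disables every block rule appended after it; `to_iptables` prints the rules in the order they must be appended with -A.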
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain - packets entering the local host
2. OUTPUT chain - packets output from the local host
3. FORWARD chain - packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, i.e. to translate the packet's source field or destination field.
1) PREROUTING chain - to translate the destination IP address (DNAT)
2) POSTROUTING chain - works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain - works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Diagram: Incoming Packets -> NAT table PREROUTING -> Filter table INPUT -> Local Process]
2-3-2 Source: Local Host
[Diagram: Outgoing Packets (from a local process) -> NAT table OUTPUT -> Filter table OUTPUT -> NAT table POSTROUTING -> Send Out Packets]
2-3-3 Forwarded Packets
[Diagram: Incoming Packets -> NAT table PREROUTING -> routing decision (packets for a local resource leave the forwarding path here) -> Filter table FORWARD -> NAT table POSTROUTING -> Other Hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
Check the current tables: iptables [-t table] [-L] [-n] (the listing also shows each chain's default policy)
3-1 Install iptables
Clear the current policy (flush the existing rules before loading a new set)
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match (conditions) and the target (action).
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ...etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using this exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all the packets incoming from the lo interface:
  iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1:
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24:
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25:
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
(Appended after Example 3, this DROP never matches a host inside 192.168.1.0/24; it must be placed ahead of the ACCEPT, see 2-1 First Match.)
4-1 Packet Filter - Rules of the filter table
Example 5 - Drop all the incoming TCP packets with destination port = 21 (forbid FTP connections from eth0):
  iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139:
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 - Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service):
  iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC7110 does not support the target "LOG".
4-1 Packet Filter - Rules of the filter table
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200:
  iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff:
  iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping":
  iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Limit an ICMP "ping" burst (default policy DROP; accept at most 6 per minute after an initial burst of 10):
  iptables -t filter -P INPUT DROP
  iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections:
  iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 - Check the packet integrity:
  iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "passive mode" FTP service to a host:
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of the nat table
Example 1 - Redirect the connection requests for port 80 to port 8080:
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 leaving via ppp0 as the local ppp0's IP (MASQUERADE is a POSTROUTING target, where the outgoing interface is known):
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80:
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80 (the command on the slide is the SNAT rule for the internal network's outbound traffic; $OUT_IP is the external address):
  iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
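The script-based maintenance that slide 3-4 recommends, as an added example that is not part of the slides: a rule script assembled from the hands-on rules of 4-1 and 4-2 (loopback accept, stateful accept, the host block placed ahead of the network accept, the FTP drop, the NetBIOS accept, the ping limit, SMTP logging, and LAN masquerading behind ppp0). The interface names and addresses are taken from those examples but are overridable; `IPT=echo` turns the run into a dry run that prints the rules for review.

```shell
#!/bin/sh
# Added example (not from the slides): a maintainable rule script of the kind
# slide 3-4 recommends, built from the hands-on rules of 4-1 and 4-2. IPT
# defaults to the real iptables; set IPT=echo to dry-run and review the rules.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}                    # interface and address defaults taken
WAN_IF=${WAN_IF:-ppp0}                    # from the slide examples (assumptions)
LAN_NET=${LAN_NET:-192.168.1.0/24}
ADMIN_HOST=${ADMIN_HOST:-192.168.0.1}
BLOCKED_HOST=${BLOCKED_HOST:-192.168.1.25}

flush_all() {
    $IPT -t filter -F; $IPT -t nat -F; $IPT -t mangle -F
}

set_policy() {
    # Default DROP on INPUT and FORWARD: everything must be allowed explicitly.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    $IPT -t filter -A INPUT -i lo -j ACCEPT                                    # ex. 1
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT      # ex. 12
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$BLOCKED_HOST" -j DROP       # ex. 4, before any ACCEPT
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$ADMIN_HOST" -j ACCEPT       # ex. 2
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp --dport 21 -j DROP               # ex. 5
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 137:139 -j ACCEPT   # ex. 6
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT  # ex. 11
    $IPT -t filter -A INPUT -p tcp --dport 25 -j LOG --log-prefix "smtp: "      # ex. 7
    # Everything else falls through to the INPUT policy (DROP).
}

nat_rules() {
    # Masquerade the LAN behind the dynamic WAN address (4-2 ex. 2, in POSTROUTING).
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Let LAN hosts out and replies back in (stateful); nothing else is forwarded.
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
    flush_all; set_policy; filter_rules; nat_rules
}

# Dry run in a subshell: the rule set as text, for review or for assertions.
render_rules() { ( IPT=echo; apply_all ); }

if [ "${1:-}" = "apply" ]; then
    apply_all
    echo 1 > /proc/sys/net/ipv4/ip_forward    # needed for the NAT machine (4-2)
fi
```

`sh firewall.sh apply` loads the rules; `render_rules` (or `IPT=echo sh firewall.sh apply` on a host without iptables) shows exactly what would be appended, in order, which is the review step the exported-file format does not give you.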
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys for n parties
• DES, 3DES, AES, Blowfish
[Diagram: Tom encrypts the plaintext with the secret key to produce the ciphertext; Bob decrypts the ciphertext with the same secret key to recover the plaintext.]
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5, SHA-1
[Diagram: Tom runs the data through the hash function to produce Message Digest 1 and sends data + Message Digest 1; Bob runs the received data through the same hash function to produce Message Digest 2 and compares it with Message Digest 1.]
1-4 Message Authentication Code
• Ensures data integrity
• Uses a key to protect the MAC
• HMAC, CBC-MAC
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with the secret key to form the MAC, then sends data + MAC. Bob hashes the received data into Message Digest 2, decrypts the MAC with the secret key to recover Message Digest 1, and compares the two digests.]
1-5 Asymmetric Encryption
Things to remember:
• Key pair - public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable. All algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA, Diffie-Hellman
[Diagram: clear text -> encryption -> cipher text (sample "g$5knvMd'rkvegMs")]
1-5 Asymmetric Data Encryption - Confidentiality Check
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair).]
1-5 Asymmetric Data Encryption - Authenticity Check
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair).]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - uses the public key and a hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) into a short message digest ("Py75c%bn", typically 128 bits); the digest is encrypted with the signatory's private key (RSA, asymmetric encryption) to form the digital signature ("3kJfgf*£$&"); the signed document is the message plus the digital signature. A short message digest is calculated from even a long input using a one-way message digest function (hash).]
1-6 Digital Signature - Verifying
[Diagram: the signed document is split into message and digital signature; the message is hashed again into a message digest ("Py75c%bn"); the digital signature ("3kJfgf*£$&") is decrypted with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared.]
1-6 Digital Signature
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key to form the digital signature, then sends data + digital signature. Bob hashes the received data into Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two digests.]
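The three primitives of 1-3, 1-4 and 1-6 driven end to end, as an added example that is not part of the slides: the digest, the keyed digest (HMAC) and the private-key signature over the slide's sample message, each checked on the receiving side. It assumes an `openssl` binary on the PATH (the UC-7400 ships OpenSSL, per the software comparison); the shared MAC key and the working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the slides): the primitives of sections 1-3, 1-4 and
# 1-6 driven through the OpenSSL command line, with a constructed message.
# Assumes an openssl binary on PATH; all files live in a throw-away directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MSG="This is the document created by Gianni"     # the slide's sample message
KEY="a-constructed-shared-secret"                 # constructed MAC key

# 1-3: a digest is a fixed-length fingerprint; any change to the data changes it.
digest() { printf '%s' "$1" | openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n'; }

# 1-4: an HMAC binds the fingerprint to a secret, so only key holders can produce it.
mac() { printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" -binary | od -An -tx1 | tr -d ' \n'; }

# Receiver side of 1-4: recompute with the shared key and compare; 1 = match.
mac_verify() { [ "$(mac "$1" "$3")" = "$2" ] && echo 1 || echo 0; }

# 1-6: the signatory's key pair; the public half is what a certificate carries.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"
}

# Creating: hash the message and encrypt the digest with the private key
# (this is what 'openssl dgst -sign' does internally).
sign() {
    printf '%s' "$1" > "$WORK/msg"
    openssl dgst -sha256 -sign "$WORK/priv.pem" -out "$WORK/sig" "$WORK/msg"
}

# Verifying: hash again, decrypt the signature with the public key, compare. 1 = valid.
verify() {
    printf '%s' "$1" > "$WORK/check"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig" "$WORK/check" >/dev/null 2>&1
    then echo 1; else echo 0; fi
}

# Walk through the whole flow; reports four properties as 1/0:
# signature valid, tampered message rejected, HMAC verifies, wrong MAC key rejected.
run_demo() {
    gen_keys
    sign "$MSG"
    ok=$(verify "$MSG")
    tampered=$(verify "$MSG (modified)")
    m=$(mac "$KEY" "$MSG")
    mac_ok=$(mac_verify "$KEY" "$m" "$MSG")
    mac_wrong_key=$(mac_verify "other-key" "$m" "$MSG")
    echo "$ok $tampered $mac_ok $mac_wrong_key"    # prints "1 0 1 0"
}
```

The two failure paths are the ones worth watching: a one-character change to the message makes `verify` return 0 even though the signature bytes are untouched, and an HMAC computed under a different key fails `mac_verify` while the plain digest of 1-3 would still "match", which is exactly why OpenVPN protects its packets with an HMAC rather than a bare hash.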
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key ("This public key belongs to Stephen"; the entity can be a person, a computer, a device, a file, some code, anything ...)
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + owner information + digital signature.]
1-7-1 CA Certificate
[Diagram: the certification server (CA) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (the user's public key plus the CA's digital signature); the private key and the certificate are sent to the user.]
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key. "Left" and "Right" each hold their own private key, the CA public key, and their own certificate signed by the CA. Left trusts Right's certificate (and vice versa) because it is signed by the CA whose public key both hold; the CA's own public key is carried in a certificate signed by the CA itself.]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair (priv/pub). The clear text is encrypted into Cipher 1, then encrypted again into Cipher 2, transmitted over the public network, and decrypted in the reverse order (Cipher 2 -> Cipher 1 -> clear text) with the corresponding keys.]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts; only the axis residue survived extraction, the plotted data is not recoverable: throughput rate versus packet size for 3DES-CBC and AES-128-CBC, software cipher versus hardware cipher (the HW cipher series is marked separately). The upper pair of charts covers packet sizes from 128 to 1280 bytes, the lower pair from 16 to 144 bytes.]
1-8-3 Things to be Noticed
Moxa UC-7400 switches operation between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration or busy hardware causes the switch to software
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the use of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability:
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms:
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4, Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role:
• Uses the kernel routing
• Multiple clients
A user-space program:
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • authentication
  • key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
[Packet layout diagram: HMAC | IV | SeqN | IP packet payload; the IV, SeqN and payload fields are bracketed as "encrypt", and the HMAC bracket spans the fields after it.]
2-2 OpenVPN vs IPSec
OpenVPN:
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec:
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses the TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer and the TUN device is inserted at the network (3rd) layer.]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer, the TAP device is inserted at the data-link (2nd) layer (compare TUN at the 3rd layer), and on each host eth1 and tap0 are bridged together while eth0 carries the tunnel.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN - this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Network diagram:
LAN A (10.0.1.0/24): hosts with IP 10.0.1.1/24 and gateway 10.0.1.254, which is the VPN Server's ixp1 interface; the VPN Server's ixp0 is 192.168.12.201, and the VPN Server also acts as the CA/TLS server.
LAN B (10.0.2.0/24): hosts with IP 10.0.2.1/24 and gateway 10.0.2.254, which is the VPN Client's ixp1 interface; the VPN Client's ixp0 is 192.168.12.202.
The VPN tunnel runs between the two ixp0 interfaces; the client connects to the server.]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tun-server.conf; [at the VPN client] vi /etc/openvpn/tun-client.conf
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tun-server.sh; chmod +x /etc/openvpn/tun-server.sh
• [At the VPN client] vi /etc/openvpn/tun-client.sh; chmod +x /etc/openvpn/tun-client.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun-server.conf & (server); openvpn --config /etc/openvpn/tun-client.conf & (client)
• The 2nd argument of "ifconfig" (the remote tunnel endpoint) is now "10.0.2.254"
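A matching static-key TUN server/client pair for the 3-1 topology (LAN A 10.0.1.0/24 behind the server, LAN B 10.0.2.0/24 behind the client), as an added example that is not part of the slides or of OpenVPN's own sample files, with the consistency check a practitioner runs before deploying. Assumptions not on the slides: the tunnel endpoints use a dedicated pair 10.8.0.1/10.8.0.2 rather than the LAN gateway addresses (a tunnel address must not collide with an address already on ixp1), the server is reached at 192.168.12.201 (its ixp0 in the diagram) on UDP 1194, and the pre-shared key file is named static.key.

```shell
#!/bin/sh
# Added example (not from the slides): writes a matching static-key TUN
# server/client pair for the topology of 3-1 (LAN A 10.0.1.0/24 behind the
# server, LAN B 10.0.2.0/24 behind the client). Tunnel endpoints 10.8.0.1/.2,
# the server's public address and the key file name are assumptions.
OUTDIR=${1:-}
SERVER_PUB=192.168.12.201
KEYFILE=static.key

write_configs() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/tun-server.conf" <<EOF
# TUN server: listens on UDP 1194, pre-shared key mode (no TLS, no PKI)
dev tun
port 1194
ifconfig 10.8.0.1 10.8.0.2
secret $KEYFILE
route 10.0.2.0 255.255.255.0
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
    cat > "$dir/tun-client.conf" <<EOF
# TUN client: the remote (server) address is mandatory here, as slide 3-2 says
dev tun
remote $SERVER_PUB 1194
ifconfig 10.8.0.2 10.8.0.1
secret $KEYFILE
route 10.0.1.0 255.255.255.0
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# Pre-deployment check: the client's ifconfig must be the mirror image of the
# server's, and each side must route the other side's LAN into the tunnel.
check_pair() {
    dir=$1
    s_if=$(awk '$1=="ifconfig"{print $2" "$3}' "$dir/tun-server.conf")
    c_if=$(awk '$1=="ifconfig"{print $3" "$2}' "$dir/tun-client.conf")
    s_rt=$(awk '$1=="route"{print $2}' "$dir/tun-server.conf")
    c_rt=$(awk '$1=="route"{print $2}' "$dir/tun-client.conf")
    [ "$s_if" = "$c_if" ] && [ "$s_rt" = "10.0.2.0" ] && [ "$c_rt" = "10.0.1.0" ] && echo ok || echo mismatch
}

if [ -n "$OUTDIR" ]; then
    write_configs "$OUTDIR"
    check_pair "$OUTDIR"
    echo "next: openvpn --genkey --secret $OUTDIR/$KEYFILE, copy it to both sides, then openvpn --config ..."
fi
```

`sh tun-pair.sh /etc/openvpn` writes both files; the same `static.key` generated with `openvpn --genkey --secret` must be copied to both peers over a trusted path, since in this mode that one file is the entire authentication. `persist-key` together with `user nobody` lets the daemon drop root after start-up without losing access to the key, and `keepalive` is what makes the tunnel survive a NAT timeout.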
3-3 TAP Configuration
• Create the TAP configuration files: vi /etc/openvpn/tap-server.conf; [at the VPN client] vi /etc/openvpn/tap-client.conf
3-3 TAP Configuration - VPN Server
• Comment out this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
• Edit the static routes: vi /etc/openvpn/tap-server.sh; [at the VPN client] vi /etc/openvpn/tap-client.sh; chmod +x /etc/openvpn/tap-client.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap-server.conf & (server); openvpn --config /etc/openvpn/tap-client.conf & (client)
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, ... etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars (source the file): . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (1024 bits)
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
t*-server.conf (the tun-/tap- server configuration file)
t*-client.conf (the tun-/tap- client configuration file)
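What easy-rsa's build-ca and build-key do underneath, and what 1-7-1 describes as the CA issuing certificates, as an added example that is not part of the slides or of the easy-rsa scripts: the same steps done with plain `openssl` so that each artefact (ca.crt, server.key, server.crt, client.crt) is visible, followed by the chain check an OpenVPN peer performs against ca.crt. It assumes an `openssl` binary on the PATH; the subject names, lifetimes and the second "rogue" CA are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the slides or the easy-rsa scripts): the steps that
# easy-rsa's build-ca / build-key perform, done with plain openssl so each
# artefact is visible. Names, subjects and lifetimes are constructed; output
# goes to a temporary directory that is removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DAYS=365

# build-ca: a self-signed root. Its private key signs every other certificate,
# so it stays off the VPN endpoints; only ca.crt is copied to them (3-4-2).
build_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" -subj "/CN=Example VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# build-key NAME: a private key plus a CSR, then the CA signs the CSR into NAME.crt.
build_key() {
    name=$1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$DAYS" -out "$WORK/$name.crt" 2>/dev/null
}

# What each OpenVPN peer does with the other side's certificate: chain it to
# the trusted ca.crt. Prints 1 when the certificate was issued by that CA.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo 1 || echo 0
}

# Subject CN of a certificate: the identity the peer is known by in OpenVPN logs.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

run_demo() {
    build_ca
    build_key server
    build_key client
    good=$(verify_against_ca "$WORK/ca.crt" "$WORK/server.crt")
    # A certificate from a different CA must be rejected even if the CN matches.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue CA" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
    rogue=$(verify_against_ca "$WORK/rogue.crt" "$WORK/client.crt")
    echo "$good $rogue $(cert_cn "$WORK/client.crt")"    # prints "1 0 client"
}
```

The second verification is the one that matters operationally: a peer presenting a certificate signed by any CA other than the one in ca.crt fails the chain check, which is why ca.crt (and never ca.key) is the file copied to both the VPN server and the VPN client in 3-4-2.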
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1: Monitoring - Temperature -> Voltage -> Throughput for P3 to P8
F2: System status - LAN's IP -> Wi-Fi's IP -> CPU loading -> Available memory
F3: Alarm setting - Temperature -> Voltage -> Burn-in throughput
F4: Configuration key
F5: Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the R-Link chipset
Thank You
Developing Process
Step 1: Setting up the development environment on the PC
Step 2: Coding, compiling and debugging on the Windows tool chain
Step 3: Deploying the program to the UC
[Diagram: cross development, x86 (PC) → IXP-422 (UC)]
Step 1: Setting up the Developing Environment
Install the Windows tool chain on the PC (Windows 2K/XP)
Installation tips:
- Default install path: C:\UC
- Default text file type: Unix (recommended)
Utilities:
- Moxa Bash Shell
- GDB debug tool: Insight (http://sources.redhat.com/insight)
- This process could take from 5 to 30 minutes depending on the speed of your system
Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC, Windows tool chain)
Compile/link the source code with the tool chain:
- Compiler path setting: PATH=/usr/local/mxscaleb/bin
- Compiling Hello.c
Step 3: Deployment
Upload the program to the UC:
- ftp 192.168.3.127
- ftp> binary
- ftp> put hello-release
Running the program (at the UC-7400 side):
- chmod +x hello-release
- ./hello-release
  Hello
[Diagram: PC (Moxa Bash Shell) and UC connected over Ethernet. 1. Compile with -ggdb on the PC; 2. GDB debug server on the UC; 3. Insight tool (GDB client) on the PC; 4. target remote]
Debugging with GDB
At the UC:
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 1 (PC, Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC.
Step 2 (UC): call hello-debug with the command
gdbserver 192.168.3.127:2000 hello-debug
Step 3 (PC, Insight): run the GDB client
- Open the hello-debug file
- Connect to target:
  - GDB Server/TCP
  - 192.168.3.200
  - 2000
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1) Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel.
"Netfilter" manages only the packet headers, not the content.
iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
3rd generation firewall on Linux:
- "ipfwadm" on Linux kernel V2.0.X
- "ipchains" on Linux kernel V2.2.X
- "ipchains" / "iptables" on Linux kernel V2.4.X
- "iptables" on Linux kernel V2.6.X
Supports basic packet filtering as well as connection state tracking.
UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Flowchart: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order. The first rule that matches (Yes) applies its action (Action 1, Action 2, ... Action 10) and evaluation stops; if no rule matches (No through the whole list) the chain's default policy applies.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets
With the order changed:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
Now 192.168.1.100 is able to use the WWW service, or to attack the WWW service port (rule 1 matches first, so rule 2 is never reached).
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain - packets entering the local host
2. OUTPUT chain - packets output from the local host
3. FORWARD chain - packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field.
1) PREROUTING chain - to translate the destination IP address (DNAT)
2) POSTROUTING chain - works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain - works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Diagram: Incoming Packets → NAT table PREROUTING → Filter table INPUT → Local Process]
2-3-2 Source: Local Host
[Diagram: Outgoing Packets → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Send Out Packets]
2-3-3 Forwarded Packets
[Diagram: Incoming Packets → NAT table PREROUTING → (packets for a local resource leave the path here) → Filter table FORWARD → NAT table POSTROUTING → Other Hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
Check the current tables:
iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t [filter | nat | mangle] -P [INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING] [ACCEPT | DROP]
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter | nat | mangle] [-A | -I | -D | -R] [direction] [match] -j [target]
Three major things need to be considered: the direction (chain), the match and the target.
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp | udp | icmp | all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW | ESTABLISHED | INVALID | RELATED
5. -m multiport --ports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 - Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 - Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the "LOG" target.
Example 8 - Drop all [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Limit an ICMP "ping" burst:
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop INVALID packets and NEW packets which are trying to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 - Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "Passive Mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 - Redirect the connection requests for port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE is a POSTROUTING target, so the rule belongs in POSTROUTING, not PREROUTING):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) on TCP port 80 to the internal web server 192.168.127.10:80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets on TCP port 80 to 192.168.1.10, TCP port 80:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
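A maintainable firewall script of the kind section 3-4 recommends, added here as an example and not part of the original slides. It combines the practice rules above into one ruleset, places the host-specific DROP before the broad WWW ACCEPT (the first-match point of section 2-1) and puts MASQUERADE in POSTROUTING; the interface names, addresses and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example firewall script (not from the slides): rebuilds the filter and
# nat tables from scratch so the rule order is always the one written here.
# Assumed topology: eth0 = LAN 192.168.1.0/24, ppp0 = uplink, web server on
# 192.168.127.10. Set DRY_RUN=1 to print the commands instead of running them.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.127.10}
BLOCKED_HOST=${BLOCKED_HOST:-192.168.1.100}   # the attacker host of section 2-1

# run CMD...: execute, or just echo the command when DRY_RUN is set, so the
# ruleset can be reviewed on a box without iptables or without root.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

flush_all() {
    # Start from a clean state so re-running the script never duplicates rules.
    for t in filter nat mangle; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
}

default_policy() {
    # Section 3-2: deny by default on INPUT and FORWARD, allow what we add.
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -P FORWARD DROP
    run iptables -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    # Examples 1 and 12: loopback, and replies to connections we started.
    run iptables -t filter -A INPUT -i lo -j ACCEPT
    run iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -A INPUT -m state --state INVALID -j DROP
    # Section 2-1, first match: the host-specific DROP must come BEFORE the
    # broad WWW ACCEPT, otherwise the attacker is accepted by the earlier rule.
    run iptables -t filter -A INPUT -i "$LAN_IF" -s "$BLOCKED_HOST" -j DROP
    run iptables -t filter -A INPUT -i "$LAN_IF" -p tcp --dport 80 -j ACCEPT
    # Example 11: answer ping, but rate-limited.
    run iptables -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Example 7 style logging (not available on the UC-7110) of what is about
    # to fall through to the DROP policy.
    run iptables -t filter -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-DROP: "
    # Forwarding: LAN hosts may go out; only replies and RELATED (Example 14,
    # passive FTP) traffic comes back in.
    run iptables -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

nat_rules() {
    # NAT Example 2, corrected: MASQUERADE is only valid in POSTROUTING.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # NAT Example 3: publish the internal web server on the uplink's port 80.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to "$WEB_SERVER:80"
    # The DNAT'ed packets still cross the FORWARD chain; admit them explicitly.
    run iptables -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
}

apply_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    run modprobe ip_conntrack_ftp
    flush_all
    default_policy
    filter_rules
    nat_rules
}

# Apply only when run as firewall.sh; sourcing the file just defines the
# functions (useful for review with DRY_RUN=1).
case "$0" in
    *firewall.sh) apply_firewall ;;
esac
```

Run it as `DRY_RUN=1 sh firewall.sh` first and read the printed rule list top to bottom in the order the kernel will evaluate it.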
Thank You
OpenVPN 2.0 - Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
Integrity
- Ensure that the message has not been modified during transmission.
Authenticity
- You can verify that you are talking to the entity you think you are talking to.
- You can verify who the specific individual behind that entity is.
Non-repudiation
- The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
- Fast: high efficiency for data transmission
- Is it "secure" while transferring the key?
- Maintenance of the keys: n(n-1)/2 keys for n parties
- DES / 3DES / AES / Blowfish
[Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back to plaintext.]
1-3 Hash (Digest) Function
- Ensures data integrity
- MD5 / SHA-1
[Diagram: Tom runs the data through the hash function to get Message Digest 1 and sends data + Message Digest 1; Bob runs the received data through the same hash function to get Message Digest 2 and compares it with Message Digest 1.]
1-4 Message Authentication Code
- Ensures data integrity
- Uses a key to protect the MAC
- HMAC / CBC-MAC
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with the secret key into the MAC, then sends data + MAC; Bob hashes the received data into Message Digest 2, decrypts the MAC with the secret key to recover Message Digest 1, and compares the two.]
1-5 Asymmetric Encryption
Things to remember:
- Key pair - public/private keys
- In a session, one is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
- The two keys are interchangeable: all algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
- Less efficient than a static (symmetric) key
- RSA / Diffie-Hellman
[Diagram: clear text → encryption → cipher text (unreadable garbage).]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair: confidentiality check.]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair: authenticity check.]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - use the public key and hash
1-6 Digital Signature - Creating
[Diagram: from the message or file ("This is the document created by Gianni") a short message digest (typically 128 bits, shown as "Py75c%bn") is calculated, even from a long input, using a one-way message digest function (hash: SHA, MD5); the digest is encrypted with the signatory's private key (asymmetric encryption: RSA) to give the digital signature (shown as "3kJfgf*£$&"); the message plus the digital signature form the signed document.]
1-6 Digital Signature - Verifying
[Diagram: the signed document is split into the data and the digital signature; the message digest ("Py75c%bn") is generated again from the data with the same hash; the digital signature is decrypted with Gianni's public key (from the certificate) by asymmetric decryption, giving the original digest ("Py75c%bn"); the two digests are compared.]
1-6 Digital Signature
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key into the digital signature, then sends data + signature; Bob hashes the received data into Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two.]
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key
... and the whole is:
- Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the CA generates a key pair (Priv, pub) on the certification server, and its CA certificate (pub + DS) is signed by the CA itself. The user requests a certificate from the CA; the CA generates the certificate (user pub + DS = Cert); the private key and the certificate are sent to the user.]
1-7-1 CA Certificate Example
[Diagram: the CA private key signs both certificates. Left holds: Left Priv Key, Left Cert (signed by CA), CA Pub Key. Right holds: Right Priv Key, Right Cert (signed by CA), CA Pub Key. Left and Right trust each other through the CA Pub Key.]
1-7-2 SSL/TLS
[Diagram: each side holds its own key pair (Priv, pub) and the peer's pub. Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → transmission over the public network → Decrypt → Cipher 1 → Decrypt → Clear text.]
- Ensures confidentiality, and integrity if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- We wrap ECB mode at a higher level (libssl.so), which openssl wraps too
1-8-2 Performance
[Charts: throughput and speed-up RATE of 3DES-CBC and AES-128-CBC for packet sizes 128 to 1280 bytes (throughput axis 0-80, rate axis 0-8) and for small packets 16 to 144 bytes (throughput axis 0-8, rate axis 0-2.5); the marked series is the HW cipher.]
1-8-3 Things to be noticed
The Moxa UC-7400 switches the operation between the software and the hardware approach:
- Default: hardware approach
- Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach:
- DES: 128 bytes
- 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
- mxhw_cipher.o
Device file:
- mknod /dev/mxcrypto c 11 131
Test program:
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
- VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
- A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.)
- A VPN allows the usage of protocols which are insecure by themselves
- VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability:
- Open Source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms:
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role:
- Uses the kernel routing
- Multiple clients
A user-space program:
- A full-featured SSL-VPN solution
- Built on top of the existing SSL/TLS mechanism
- Options between a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
- Static key: uses a pre-shared key
- SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number
- IV: plain-text initialization vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP payload, with SeqN and the IP payload encrypted.]
2-2 OpenVPN vs IPSec
OpenVPN:
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec:
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
- Uses the TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
- Uses the kernel routing to forward the packets
[Diagram: the OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) of both ends; OpenVPN runs at the application layer and the TUN device plugs in at the network (3rd) layer.]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
- Bridge tools (brctl) are required to create the virtual adapters
- Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: the OSI stacks of both ends; OpenVPN runs at the application layer; TUN plugs in at the network (3rd) layer and TAP at the data-link (2nd) layer; eth0 carries the tunnel on each side while eth1 and tap0 are bridged together.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN - this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Diagram: LAN A (hosts 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN server (ixp1 = 10.0.1.254, ixp0 = 192.168.12.201; also the CA/TLS server). LAN B (hosts 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN client (ixp1 = 10.0.2.254, ixp0 = 192.168.12.202). The client connects to the server over the VPN tunnel.]
3-1 Getting Started
Create a working directory (recommended):
mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there:
mknod /dev/net/tun c 10 200
Load the necessary modules:
modprobe tun
modprobe bridge
Generate a (pre-shared) key:
openvpn --genkey --secret [KeyName]
Self diagnostic:
openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
or edit /etc/sysctl.conf (vi /etc/sysctl.conf) and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script:
openvpn-bridge [start | stop | restart]
Check the cipher/authentication support:
openvpn --show-ciphers
openvpn --show-digests
Create the TUN configuration files:
vi /etc/openvpn/tunserver.conf
[At the VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
- The local/remote VPN IP addresses must be specified
- It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routings:
vi /etc/openvpn/tunserver.sh
chmod +x /etc/openvpn/tunserver.sh
[At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file:
openvpn --config /etc/openvpn/tunserver.conf &
openvpn --config /etc/openvpn/tunclient.conf &
(Note the 2nd argument of "ifconfig", which is now "10.0.2.254".)
Create the TAP configuration files:
vi /etc/openvpn/tapserver.conf
[At the VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
Mark (comment out) this line if both VPN networks are in the same subnet.
3-3 TAP Configuration - VPN Server
Edit the static routings:
vi /etc/openvpn/tapserver.sh
[At the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the bridge device:
vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge
/etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file:
openvpn --config /etc/openvpn/tapserver.conf &
openvpn --config /etc/openvpn/tapclient.conf &
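The contents of tunserver.conf and tunclient.conf are not reproduced on the slides; the generator below is an added example (not Moxa's files) that writes a matching static-key TUN pair for the LAN A / LAN B layout of section 3-1. It assumes the tunnel endpoints 10.0.1.254 (server) and 10.0.2.254 (client), the server's public address 192.168.12.201 and a pre-shared key at /etc/openvpn/static.key.

```shell
#!/bin/sh
# Added example (not from the slides): write a consistent OpenVPN 2.0 static-key
# TUN configuration for the VPN server (LAN A) and the VPN client (LAN B).
# Assumptions: server reachable on 192.168.12.201, tunnel endpoints
# 10.0.1.254 (server) / 10.0.2.254 (client), LANs 10.0.1.0/24 and 10.0.2.0/24,
# pre-shared key created with "openvpn --genkey --secret /etc/openvpn/static.key".

SERVER_PUBLIC=${SERVER_PUBLIC:-192.168.12.201}
SERVER_TUN=${SERVER_TUN:-10.0.1.254}
CLIENT_TUN=${CLIENT_TUN:-10.0.2.254}
LAN_A=${LAN_A:-10.0.1.0}
LAN_B=${LAN_B:-10.0.2.0}
KEY_FILE=${KEY_FILE:-/etc/openvpn/static.key}

# write_conf FILE LOCAL_TUN REMOTE_TUN REMOTE_LAN [REMOTE_HOST]
# Same directive set on both ends; only the client gets a "remote" line.
# The two ifconfig arguments are swapped between server and client, which is
# the "2nd argument of ifconfig" the slides point out.
write_conf() {
    file=$1; local_tun=$2; remote_tun=$3; remote_lan=$4; remote_host=$5
    {
        echo "dev tun"
        echo "proto udp"
        echo "port 1194"
        [ -n "$remote_host" ] && echo "remote $remote_host 1194"
        echo "ifconfig $local_tun $remote_tun"
        # static route to the peer's LAN, installed when the tunnel comes up
        echo "route $remote_lan 255.255.255.0"
        echo "secret $KEY_FILE"
        # HMAC on every packet (section 2-2); AES-128-CBC is the mode the
        # UC-7400 hardware cipher accelerates (section 1-8)
        echo "auth SHA1"
        echo "cipher AES-128-CBC"
        echo "keepalive 10 60"
        echo "persist-key"
        echo "persist-tun"
        echo "verb 3"
    } > "$file"
}

# gen_tun_pair DIR: creates DIR/tunserver.conf and DIR/tunclient.conf
gen_tun_pair() {
    dir=$1
    mkdir -p "$dir"
    write_conf "$dir/tunserver.conf" "$SERVER_TUN" "$CLIENT_TUN" "$LAN_B"
    write_conf "$dir/tunclient.conf" "$CLIENT_TUN" "$SERVER_TUN" "$LAN_A" "$SERVER_PUBLIC"
}

# check_pair DIR: returns 0 when the two files mirror each other correctly
# (swapped ifconfig endpoints, "remote" only on the client side).
check_pair() {
    dir=$1
    s=$(awk '$1=="ifconfig"{print $2, $3}' "$dir/tunserver.conf")
    c=$(awk '$1=="ifconfig"{print $3, $2}' "$dir/tunclient.conf")
    [ "$s" = "$c" ] || return 1
    grep -q "^remote $SERVER_PUBLIC " "$dir/tunclient.conf" || return 1
    ! grep -q "^remote " "$dir/tunserver.conf"
}
```

After `gen_tun_pair /etc/openvpn`, copy tunclient.conf and the key file to the client and start each end with `openvpn --config` as on the slide.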
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC:
vi /usr/share/ssl/openssl.cnf
Pre-input the default_days, default_bits, ... etc.
Create a new CA root key pair:
/usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request:
/usr/share/ssl/misc/CA -newreq
Certificate signing:
/usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client.
Have the second client certified in the same way.
3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory:
cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file:
vi /etc/openvpn/easy-rsa/vars
Activate the vars:
. /etc/openvpn/easy-rsa/vars
Create the CA root key:
/etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate:
/etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate:
/etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters:
/etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server.
Copy the CA certificate, the client key and the client certificate to the VPN client.
The "easy-rsa" tools also work on the UC7400 series.
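The hash, MAC, digital signature and certificate steps of sections 1-3 to 1-7, and the CA workflow of section 3-4 (key pair, request, signing, trust through the CA certificate), carried out with the openssl command line as an added example; this is not the slides' CA script or easy-rsa. It assumes an openssl binary in PATH and uses SHA-256 instead of the MD5/SHA-1 named on the slides; all key material is throw-away test data in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the slides): digest -> HMAC -> digital signature ->
# certificate chain with the openssl CLI. Everything is generated in a
# temporary directory; assumes "openssl" is in PATH.

# make_ca DIR NAME: self-signed CA (section 1-7-1: the CA generates a key
# pair and a CA certificate signed by itself).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CANAME NAME: key + request for NAME, signed by CANAME
# (section 3-4-1: CA -newreq followed by CA -sign).
issue_cert() {
    dir=$1; ca=$2; name=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/$ca.crt" \
        -CAkey "$dir/$ca.key" -CAcreateserial -out "$dir/$name.crt" 2>/dev/null
}

# verify_chain DIR CANAME NAME: 0 if NAME.crt chains to CANAME.crt (the
# "Left trusts Right through the CA pub key" step of section 1-7-1).
verify_chain() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# sha256_of FILE: plain hash (section 1-3), as hex
sha256_of() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# hmac_of KEY FILE: keyed digest (section 1-4); a different key, different tag
hmac_of() {
    openssl dgst -sha256 -hmac "$1" "$2" | awk '{print $NF}'
}

# sign_file KEY FILE SIGFILE / verify_sig CERT FILE SIGFILE: section 1-6,
# hash then private-key operation, checked with the public key taken from
# the certificate.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_sig() {
    openssl x509 -in "$1" -pubkey -noout > "$3.pub" &&
    openssl dgst -sha256 -verify "$3.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# demo DIR: builds two CAs and a server certificate, then exercises every
# primitive. Returns 0 only if each check comes out as the theory says.
demo() {
    dir=$1
    make_ca "$dir" ca || return 1
    make_ca "$dir" otherca || return 1
    issue_cert "$dir" ca server || return 1
    printf 'This is the document created by Gianni\n' > "$dir/msg.txt"
    printf 'This is the document created by Gianni!\n' > "$dir/tampered.txt"

    # Integrity: any change to the data changes the digest.
    [ "$(sha256_of "$dir/msg.txt")" != "$(sha256_of "$dir/tampered.txt")" ] || return 1
    # MAC: the tag depends on the key, so without it the tag cannot be forged.
    [ "$(hmac_of k1 "$dir/msg.txt")" != "$(hmac_of k2 "$dir/msg.txt")" ] || return 1
    # Signature: verifies for the original, fails for the tampered copy.
    sign_file "$dir/server.key" "$dir/msg.txt" "$dir/msg.sig" || return 1
    verify_sig "$dir/server.crt" "$dir/msg.txt" "$dir/msg.sig" || return 1
    ! verify_sig "$dir/server.crt" "$dir/tampered.txt" "$dir/msg.sig" || return 1
    # Certificate: trusted only through the CA that actually signed it.
    verify_chain "$dir" ca server || return 1
    ! verify_chain "$dir" otherca server || return 1
}
```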
3-4-3 Configuration File Modification
txxserver.conf (tunserver.conf / tapserver.conf)
txxclient.conf (tunclient.conf / tapclient.conf)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple.
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
Step1 Setting up Developing EnvironmentStep1 Setting up Developing Environment
Install Windows Tool Chain on PC Windows 2KXPInstallation Tipsbull Default Install Path CUCCUCbull Default Text File Type Unix (Recommended)Unix (Recommended)
Utilitiesbull Moxa Bash Shellbull GDB debug toolmdashInsight
bull httpsourcesredhatcominsight
bull This process could take from 5 to 30 minutes depending on the speed of your system
x86
Code with CC++ Program on Moxa Bash Shell (PC Windows Tool Chain)
Compilelink the Source Codes with Tool-chain bull Compiler path setting
PATH=usrlocalmxscalebbinbull Compiling Helloc
Step2 Coding Compiling and DebuggingStep2 Coding Compiling and Debugging
Step3 Deployment Step3 Deployment
Upload the program to UCbull ftp 1921683127bull ftpgt binarybull ftpgt put hello-release
Running the program (At UC-7400 site)bull chmod +x hello-releasebull hello-release
chmod +x hello-release chmod +x hello-release
hello-release hello-release
HelloHello
Ethernet
PC Moxa Bash Shell 1 Compile with -ggdb 3 Insight Tool (GDB Client) 4 Target remote
UC 2 GDB Debug Server
Debugging with GDBDebugging with GDB
gdbserver 19216831272000 hello-debug gdbserver 19216831272000 hello-debug
Debugging with GDBDebugging with GDB
chmod +x hello-debug
gdbserver 19216831272000 hello-debug
Process hello-debug created pid = 206
Step1 PC Moxa Bash Shell Compile the program with ndashggdb option then upload to UC
Step2 UC Called hello-debug with command
gdbserver 19216831272000 hello-debug
Step3 PC Insight Run GDB clientbull Open hello-debug filebull Connect to target
bull GCB ServerTCPbull 1921683200bull 2000
Debugging with GDBDebugging with GDB
iptables Introduction

Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1 Quick View of iptables

A user-space command to set up and maintain the "Netfilter" sub-system of the kernel.
"Netfilter" manages only the packet headers, not the content.
iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.

Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.

3rd generation firewall on Linux:
• "ipfwadm" on Linux kernel V2.0.X
• "ipchains" on Linux kernel V2.2.X
• "ipchains" / "iptables" on Linux kernel V2.4.X
• "iptables" on Linux kernel V2.6.X
Supports basic packet filtering as well as connection state tracking.
UC-7110/7400 support only "iptables".

Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine

2-1 First Match - The Highest Priority

[Figure: flowchart. Packets are tested against Rule 1; if it matches, Action 1 is taken, otherwise Rule 2 is tested, and so on through Rule 10 (Action 10). A packet matching no rule falls through to the Default Policy.]

2-1 First Match

On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets

Compare the same rules in a different order:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets

With the second ordering, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first.
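The ordering rule above is easy to get wrong in a long chain, so here is a small simulator of first-match evaluation, added as an example and not taken from the training material. It models a chain as an ordered list of rules with the -s, -p and --dport matches that the slide's example needs, returns the verdict together with the number of the rule that decided it, and runs both orderings from the slide over constructed traffic. The blocked host 192.168.1.100 comes from the slide; the client address 192.168.1.7, the port 22 traffic and the rule names are assumptions for the demo.

```python
"""First-match evaluation of an iptables chain, as a small simulator.

Added example, not code from the training slides. It models one filter
chain: rules are tried in order, the first rule whose conditions all match
decides the packet, and the chain's default policy (-P) applies only when
no rule matches. Addresses, ports and rule sets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                      # source address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT or DROP (-j)
    src: Optional[str] = None     # -s: an address or a CIDR network
    proto: Optional[str] = None   # -p: protocol, "all" is a wildcard
    dport: Optional[int] = None   # --dport

    def matches(self, pkt: Packet) -> bool:
        """All conditions given on the rule must hold; omitted ones match anything."""
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto not in (None, "all") and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, rule number) for pkt. The rule number is 1-based like
    'iptables -L --line-numbers'; None means the default policy decided."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, number
    return policy, None


# Ordering from the slide: drop the attacker first, then accept WWW, then drop the rest.
CHAIN_DROP_FIRST = [
    Rule("DROP", src="192.168.1.100"),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("DROP"),
]

# Same three rules with the WWW accept moved in front of the attacker drop.
CHAIN_ACCEPT_FIRST = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("DROP", src="192.168.1.100"),
    Rule("DROP"),
]

# Constructed traffic: the blocked host and an ordinary client, each to port 80 and 22.
ATTACKER_WWW = Packet("192.168.1.100", "tcp", 80)
ATTACKER_SSH = Packet("192.168.1.100", "tcp", 22)
CLIENT_WWW = Packet("192.168.1.7", "tcp", 80)
CLIENT_SSH = Packet("192.168.1.7", "tcp", 22)


def compare_orderings(policy: str = "ACCEPT") -> dict:
    """Verdicts for the same packets under both orderings; only the blocked
    host's WWW request differs, which is the point of the slide."""
    packets = {"attacker_www": ATTACKER_WWW, "attacker_ssh": ATTACKER_SSH,
               "client_www": CLIENT_WWW, "client_ssh": CLIENT_SSH}
    return {name: (evaluate(CHAIN_DROP_FIRST, policy, p)[0],
                   evaluate(CHAIN_ACCEPT_FIRST, policy, p)[0])
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (drop_first, accept_first) in compare_orderings().items():
        print(f"{name:13s} drop-first: {drop_first:7s} accept-first: {accept_first}")
```

The rule number returned by evaluate is the one you would see with iptables -L --line-numbers, which is the quickest way to confirm on a real box which rule is winning when a packet is not handled as expected.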
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table

2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets, look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content.
1 INPUT chain: packets entering the local host
2 OUTPUT chain: packets output from the local host
3 FORWARD chain: packets forwarded to other hosts

2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field.
1) PREROUTING chain: translates the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device, to translate the source IP address (SNAT / MASQUERADE)
3) OUTPUT chain: works on locally generated packets

2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT, OUTPUT and FORWARD chains

2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine

2-3-1 Destination Local Host
[Figure: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process]

2-3-2 Source Local Host
[Figure: Outgoing Packets → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets]

2-3-3 Forwarded Packets
[Figure: Incoming Packets → NAT Table PREROUTING → (packets for a Local Resource leave the path here) → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts]

2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules

3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.

Check the current tables: iptables [-t table] [-L] [-n]
Default policy

3-1 Install iptables
Clear the current policy

3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}

3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <direction> <match> -j <target>
Three major things need to be considered: direction, match and target.

3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...

3-3-3 Matches - Conditions
1 -p [proto]: tcp, udp, icmp, all
2 -s [IP], -d [IP]
3 --sport [port], --dport [port]
4 -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5 -m multiport --sports/--dports [p1,p2,...,p15]
6 -i [iface], -o [oface]
7 ... etc.

3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING / OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...

3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice.

Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter - Rules of the filter table

Example 1 - Accept all packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT

Example 2 - Accept all TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT

Example 3 - Accept all TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT

Example 4 - Drop all TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP

Example 5 - Drop all incoming TCP packets with destination port = 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP

Example 6 - Accept TCP packets incoming from the network 192.168.0.0/24 to local port numbers 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT

Example 7 - Log all incoming/outgoing TCP packets to/from port = 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the "LOG" target.

Example 8 - Drop all [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP

Example 9 - Drop all packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

Example 10 - Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP

Example 11 - Limit an ICMP "ping" burst:
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT

Example 12 - Accept the ESTABLISHED and RELATED packets of the local host; drop INVALID packets and NEW packets which are trying to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP

Example 13 - Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP

Example 14 - Enable the "Passive Mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT

4-2 NAT Machine - Rules of the nat table

Example 1 - Redirect the connection requests of port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Example 2 - Masquerade the incoming packets from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE and -o are only valid in the POSTROUTING chain, see 3-3-4):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80

Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP

Thank You
OpenVPN 2.0 - Stephen Lin

OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400

1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can gain knowledge of what you transfer, even if listening to the whole conversation.
Integrity
• Ensure that the message has not been modified during transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify who the specific individual behind that entity is.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.

1-2 Symmetric Data Encryption
Fast; high efficiency for data transmission.
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties.
DES / 3DES / AES / Blowfish
[Figure: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts the ciphertext with the same secret key to recover the plaintext.]

1-3 Hash (Digest) Function
Ensure data integrity.
MD5 / SHA-1
[Figure: Tom sends the Data together with Message Digest 1 computed by the hash function; Bob runs the same hash function over the received Data to produce Message Digest 2 and compares it with Message Digest 1.]

1-4 Message Authentication Code
Ensure data integrity.
Use a key to protect the MAC.
HMAC / CBC-MAC
[Figure: Tom hashes the Data into Message Digest 1, encrypts it with the secret key into the MAC and sends MAC + Data; Bob decrypts the MAC with the secret key to recover Message Digest 1, hashes the received Data into Message Digest 2 and compares the two.]

1-5 Asymmetric Encryption
Things to remember:
• Key pair: public / private keys
• In a session, one is used for encryption and the other one for decryption
• The "Public Key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable. All algorithms make no difference between public and private key; when a key pair is generated, any of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA / Diffie-Hellman
[Figure: clear text is encrypted into unreadable ciphertext such as "g$5knvMd'rkvegMs".]

1-5 Asymmetric Data Encryption - Confidentiality Check
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. The recipient's key pair is used.]

1-5 Asymmetric Data Encryption - Authenticity Check
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. The sender's key pair is used.]
1-6 Digital Signature
Real world - hybrid:
1 Data integrity
2 Authenticity
3 Non-repudiation
4 Algorithm: use the public key and the hash

1-6 Digital Signature - Creating
[Figure: Message or file ("This is the document created by Gianni") → Generate hash (SHA, MD5) → Message digest ("Py75cbn", typically 128 bits) → Asymmetric encryption (RSA) with the signatory's private key → Digital signature ("3kJfgf£$&"). The signed document is the message plus the digital signature.]
Calculate a short message digest from even a long input using a one-way message digest function (hash).

1-6 Digital Signature - Verifying
[Figure: Signed document = message + digital signature. Generate the hash of the message → Message digest ("Py75cbn"). Asymmetric decryption of the digital signature with Gianni's public key (from the certificate) → Message digest ("Py75cbn"). Compare the two.]

1-6 Digital Signature
[Figure: Tom hashes the Data into Message Digest 1 and encrypts it with Tom's private key to form the digital signature, which is sent with the Data; Bob decrypts the signature with Tom's public key to recover Message Digest 1, hashes the received Data into Message Digest 2 and compares the two.]
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend, or a CA)
[Figure: Certificate = public key + "This public key belongs to Stephen" + digital signature ("2wsR46frdEWWrswe(^$G^DvtrsdFDfd367"). The entity can be a person, a computer, a device, a file, some code, anything ...]

1-7-1 CA Certificate
[Figure: the user requests a certificate from the CA (certification server); the CA generates a key pair and a certificate (public key + digital signature); the private key and the certificate are sent to the user.]

1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key. Left holds its private key, the Left cert signed by the CA and the CA public key. Right holds its private key, the Right cert signed by the CA and the CA public key (itself signed by the CA). Left and Right trust each other's certificate because both are signed by the CA whose public key both hold.]

1-7-2 SSL/TLS
[Figure: each side holds a private/public key pair. Clear text → Encrypt (Cipher 1) → Encrypt (Cipher 2) → transmission over the public network → Decrypt (Cipher 2) → Decrypt (Cipher 1) → clear text.]
Ensures confidentiality
• And integrity if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code

1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too.

1-8-2 Performance
[Figure: four charts of throughput rate versus packet size, software cipher versus hardware cipher: 3DES/CBC and AES128/CBC for packet sizes 128 to 1280 bytes, and again for packet sizes 16 to 144 bytes.]

1-8-3 Things to be noticed
Moxa UC-7400 switches operation between the software and the hardware approaches:
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES / AES: 64 bytes

1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• ./io: correctness test
• ./io 0 5000: stability test
• ./io 1: golden pattern
• ./io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes

2-1 Virtual Private Network - Advantages / Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.).
A VPN allows the use of protocols which are insecure by themselves.
VPNs cannot be controlled and logged easily because of their encrypted nature.

2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT / DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later

Peers - each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000 / 1194) or TCP port

2-2 OpenVPN Security
Two authentication modes:
• Static Key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
HMAC | IV | [ SeqN | IP payload ]
The bracketed part (SeqN and IP payload) is encrypted; the HMAC is computed over the IV and the encrypted part.
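The packet layout above is what gives the static-key mode its protection against tampering and replay, and it ties together the hash and MAC material from 1-3 and 1-4: the tag is an HMAC, so only a holder of the key can produce one that verifies, and the sequence number under the encryption lets the receiver refuse anything it has already seen. The following is an added example, not OpenVPN's code or anything from the slides; it builds and checks packets in that layout with Python's standard library only. Because the standard library has no AES, the cipher is an HMAC-SHA256 counter-mode keystream standing in for the OpenSSL ciphers the UC-7400 uses, and the keys, sequence numbers and payloads are constructed for the demo.

```python
"""Integrity and anti-replay checks for an OpenVPN-style data packet.

Added example, not code from the slides or from OpenVPN itself. It builds
packets in the layout the slide gives, HMAC | IV | enc(SeqN | IP payload),
and on receipt verifies the HMAC in constant time before decrypting, then
rejects any sequence number that is not higher than the last one accepted.
Stdlib Python has no AES, so the cipher is a counter-mode keystream derived
from HMAC-SHA256; it stands in for the DES/AES the UC-7400 runs through
OpenSSL. Keys and payloads are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

HMAC_LEN = 20   # HMAC-SHA1 tag, OpenVPN 2.0's default --auth
IV_LEN = 16     # per-packet random IV, sent in clear
SEQ_LEN = 8     # 64-bit sequence number, encrypted together with the payload


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(enc_key, IV || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_packet(enc_key: bytes, auth_key: bytes, seq: int, payload: bytes,
                 iv: Optional[bytes] = None) -> bytes:
    """Sender side: encrypt SeqN || payload under a fresh IV, then MAC IV || ciphertext."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    plaintext = struct.pack(">Q", seq) + payload
    body = iv + _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(auth_key, body, hashlib.sha1).digest()
    return tag + body


class Receiver:
    """Receiver state: the keys and the highest sequence number accepted so far."""

    def __init__(self, enc_key: bytes, auth_key: bytes):
        self.enc_key = enc_key
        self.auth_key = auth_key
        self.last_seq = 0

    def receive(self, packet: bytes) -> bytes:
        """Return the IP payload, or raise ValueError naming the check that failed."""
        if len(packet) < HMAC_LEN + IV_LEN + SEQ_LEN:
            raise ValueError("truncated packet")
        tag, body = packet[:HMAC_LEN], packet[HMAC_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()
        # Constant-time compare; a bad tag is dropped before any decryption happens.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad HMAC")
        iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
        plaintext = _xor(ciphertext, _keystream(self.enc_key, iv, len(ciphertext)))
        seq = struct.unpack(">Q", plaintext[:SEQ_LEN])[0]
        # Replay protection: only a strictly increasing sequence number is accepted.
        if seq <= self.last_seq:
            raise ValueError("replayed sequence number")
        self.last_seq = seq
        return plaintext[SEQ_LEN:]


def try_receive(rx: Receiver, packet: bytes):
    """Wrap receive() so a demo can report ('ok', payload) or ('rejected', reason)."""
    try:
        return "ok", rx.receive(packet)
    except ValueError as err:
        return "rejected", str(err)


def demo() -> dict:
    """Deliver a fresh packet, replay it, tamper with one, then continue normally."""
    enc_key = hashlib.sha256(b"constructed encryption key").digest()
    auth_key = hashlib.sha256(b"constructed authentication key").digest()
    rx = Receiver(enc_key, auth_key)
    first = build_packet(enc_key, auth_key, 1, b"GET / HTTP/1.0\r\n")
    second = build_packet(enc_key, auth_key, 2, b"ping")
    tampered = second[:-1] + bytes([second[-1] ^ 0x01])   # flip one ciphertext bit
    return {
        "fresh": try_receive(rx, first),
        "replay": try_receive(rx, first),
        "tampered": try_receive(rx, tampered),
        "next": try_receive(rx, second),
        "stale": try_receive(rx, build_packet(enc_key, auth_key, 1, b"late")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```

Two design points carry over to the real thing: the tag is checked with a constant-time comparison and before any decryption, so a forged packet costs the receiver one HMAC and nothing else, and the sequence number travels inside the encrypted part, so an attacker cannot see or adjust it without breaking the MAC. A real OpenVPN receiver also tolerates limited UDP reordering with a window rather than the strict "higher than last" rule used here.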
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support

2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN.
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic Firewall / NAT / DHCP friendly

2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN.
Uses the kernel routing to forward the packets.
[Figure: OSI layer stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) of the two peers; OpenVPN attaches at the Network layer (3rd) through the TUN device.]

Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see the machines on the other side of the VPN
4 Works only with IPv4 in general, and IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
Bridge tools (brctl) are required to create the virtual adapters.
A script is needed to bind eth1 and tap0 together into a bridged device called br0:
brctl addbr br0          (create an Ethernet bridge)
brctl addif br0 eth1     (connect interface eth1 as a port)
brctl addif br0 tap0     (connect virtual interface tap0 as a port)
[Figure: OSI layer stacks of the two peers; OpenVPN attaches at the Data-Link layer (2nd) through the TAP device. On each side eth1 and tap0 are bridged, while eth0 carries the tunnel traffic.]

Bridging advantages
1 Point-to-point, point-to-multipoint
2 Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys

3-1 Getting Started
[Figure: network layout used in the practice. VPN Server (also the CA / TLS server): ixp0 192.168.12.201, ixp1 10.0.1.254 facing LAN A (hosts IP 10.0.1.1/24, gw 10.0.1.254). VPN Client: ixp0 192.168.12.202, ixp1 10.0.2.254 facing LAN B (hosts IP 10.0.2.1/24, gw 10.0.2.254). The VPN tunnel connects the two ixp0 interfaces.]

Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]

Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
Create / start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher / authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun-server.conf
[At VPN Client] vi /etc/openvpn/tun-client.conf

3-2 TUN Server Configuration
Local / remote VPN IP addresses must be specified.
It is NECESSARY to specify the server address at the VPN client.

Edit the static routings: vi /etc/openvpn/tun-server.sh; chmod +x /etc/tun-server.sh
[At VPN Client] vi /etc/openvpn/tun-client.sh; chmod +x /etc/tun-client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/tun-server.conf &
[At VPN Client] openvpn --config /etc/tun-client.conf &
The 2nd argument of "ifconfig" is now "10.0.2.254".

3-3 TAP Configuration
Create the TAP configuration files: vi /etc/openvpn/tap-server.conf
[At VPN Client] vi /etc/openvpn/tap-client.conf

3-3 TAP Configuration - VPN Server
Mark this line if both VPN networks are in the same subnet.
Edit the static routings: vi /etc/openvpn/tun-server.sh
[At VPN Client] vi /etc/openvpn/tap-client.sh; chmod +x /etc/tap-client.sh
Pointed to the kernel routing: br0 = 10.0.1.254
Start the bridge device: vi openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap-server.conf &
[At VPN Client] openvpn --config /etc/openvpn/tap-client &
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits, ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client.
Have the second client certified in the same way.

3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
Create the VPN client private key and certificate: /etc/openvpn/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server.
Copy the CA certificate, the client key and the client certificate to the VPN client.
The "easy-rsa" tools also work on the UC7400 series.

3-4-3 Configuration File Modification
txx-server.conf
txx-client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

Live Demo

UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple.
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability.

Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)

UC's LCM and keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burning throughput
F4 Configuration key
F5 Main menu

Apache Web with CGI and HTML
Seat Locating System
Score Query System

Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the R-Link chipset

Thank You
Code with CC++ Program on Moxa Bash Shell (PC Windows Tool Chain)
Compilelink the Source Codes with Tool-chain bull Compiler path setting
PATH=usrlocalmxscalebbinbull Compiling Helloc
Step2 Coding Compiling and DebuggingStep2 Coding Compiling and Debugging
Step3 Deployment Step3 Deployment
Upload the program to UCbull ftp 1921683127bull ftpgt binarybull ftpgt put hello-release
Running the program (At UC-7400 site)bull chmod +x hello-releasebull hello-release
chmod +x hello-release chmod +x hello-release
hello-release hello-release
HelloHello
Ethernet
PC Moxa Bash Shell 1 Compile with -ggdb 3 Insight Tool (GDB Client) 4 Target remote
UC 2 GDB Debug Server
Debugging with GDBDebugging with GDB
gdbserver 19216831272000 hello-debug gdbserver 19216831272000 hello-debug
Debugging with GDBDebugging with GDB
chmod +x hello-debug
gdbserver 19216831272000 hello-debug
Process hello-debug created pid = 206
Step1 PC Moxa Bash Shell Compile the program with ndashggdb option then upload to UC
Step2 UC Called hello-debug with command
gdbserver 19216831272000 hello-debug
Step3 PC Insight Run GDB clientbull Open hello-debug filebull Connect to target
bull GCB ServerTCPbull 1921683200bull 2000
Debugging with GDBDebugging with GDB
iptables Introductioniptables Introduction
AgendaAgenda
1) Quick View of iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
1 Quick View of iptables1 Quick View of iptables
A User-space Command to setupmaintain the ldquoNetfilterrdquo sub-system of Kernel
ldquoNetfilterrdquo manages only the packet headers not the content
iptables is currently one of many FirewallNAT solutions to be an administration tool for set up maintain and inspect the tables of IP packet filter rules in the Linux kernel
1 Quick View of iptables1 Quick View of iptables
Several different tables may be defined Each table contains a number of built-in chains and may also contain user-defined chains
Each chain is a list of rules which can match a set of packets Each rule specifies what to do with a packet that matches This is called a ldquotargetrdquo which may be a jump to a user-defined chain in the same table
1 Quick View of iptables1 Quick View of iptables
3rd generation firewall on Linuxndash ldquoipfwadmrdquo on Linux Kernel V20Xndash ldquoipchainsrdquo on Linux Kernel V22Xndash ldquoipchainsrdquo ldquoiptablesrdquo on Linux Kernel V24Xndash ldquoiptablesrdquo on Linux Kernel V26X
Supports basic packet filtering as well as connection state tracking
UC-71107400 support only ldquoiptablesrdquo
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
2) Rules Chains and Tables2) Rules Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match ndash The Highest Priority2-1 First Match ndash The Highest Priority
Packets
Rule 1
Rule 10
Default Policy
Action 1
Action 2
No
No
Yes
Yes
Rule 2
No
Action 10Yes
2-1 First Match 2-1 First Match
On WWW Server reject the attack from IP = 1921681100Rule 1 Drop the packets from 1921681100Rule 2 Accept WWW request packets from all the hostsRule 3 Drop all the none-WWW packets
Rule 1 Accept WWW request packets from all the hosts Rule 2 Drop the packets from 1921681100Rule 3 Drop all the none-www packets
1921681100 is able to use the WWW service or to attack WWW service port
2-2 Three 2-2 Three Major TablesMajor Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table2-2-1 Filter Table
Mainly used for filtering packets The place that we actually take action against packets
and look at what they contain and ACCEPT DROP REJECT LOG them depending on their content
1 INPUT chain ndash packets enter the local host
2 OUTPUT chainndash packets output from the local host
3 FORWARD chainndash forward packets to other hosts
2-2-2 NAT Table2-2-2 NAT Table
Be used for NAT on different packets
to translate the packets source field or destination field
1) PREROUTING chain ndash to transfer the dst IP address (DNAT)
2) POSTROUTING chainndash this works after routing process and before Ethernet device process to transfer the source IP address (SNATMASQUARED)
3) OUTPUT chainndash to work for local producing packets
2-2-3 Mangle Table2-2-3 Mangle Table
This table is mainly be used for
mangling packets In other words you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) and TTL fields It can also ldquoMARKrdquo the packets
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT OUTPUT and FORWARD chain
2-3 Processing Packets2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host

Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process
2-3-2 Source Local Host

Outgoing Packets → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets
2-3-3 Forwarded Packets

Incoming Packets → NAT Table PREROUTING → routing decision (not for a local resource) → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts
2-4 State Machine

Agenda

1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

3) Usage of iptables

3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules

Note: ipchains and iptables are not compatible.

Check the current tables: iptables [-t table] [-L] [-n]

Default Policy

3-1 Install iptables

Clear Current Policy
3-2 Define Default Policy

iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-3 Structure of a Rule

3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace

iptables -t filter|nat|mangle -A|-I|-D|-R <direction> <match> -j <target>

Three major things need to be considered: the direction (chain), the match and the target.
3-3-2 Direction – Chains

a) filter table: INPUT, OUTPUT, FORWARD
b) nat table: PREROUTING, POSTROUTING, OUTPUT
c) mangle table: ...
3-3-3 Matches – Conditions

1) -p [proto]: tcp, udp, icmp, all
2) -s [IP], -d [IP]
3) --sport [port], --dport [port]
4) -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5) -m multiport --sports|--dports|--ports [p1,p2,...,p15]
6) -i [iface], -o [oface]
7) ... etc.
3-3-4 Targets – Actions

a) filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b) nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c) mangle table: ...
3-4 Save/Restore Rules

It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda

1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of filter table

Example 1 – Accept all the packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT

Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table

Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT

Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of filter table

Example 5 – Drop all the incoming TCP packets with destination port = 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP

Example 6 – Accept TCP packets incoming from IP 192.168.0.24 to local port numbers 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table

Example 7 – Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG

Note: UC7110 does not support the target "LOG".
4-1 Packet Filter – Rules of filter table

Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP

Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP

Example 11 – ICMP "ping" burst (default policy DROP, then accept at most 6 pings per minute with a burst of 10):
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table

Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table

Example 13 – Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP

Example 14 – Enable the "passive mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine

Example 1 – Redirect the connection requests of port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Example 2 – Masquerade the packets from 192.168.1.0/24 leaving through ppp0 as the local ppp0 IP (MASQUERADE is only valid in the POSTROUTING chain):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

4-2 NAT Machine

Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10, port 80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to-destination 192.168.127.10:80

Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to-source $OUT_IP
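The hands-on rules of 4-1 and 4-2 kept in one script, as section 3-4 recommends, with the first-match ordering of section 2-1 applied. This is an added example, not a script from the slides or from Moxa: the interface names (eth0, ppp0), the addresses and the blocked host are placeholders taken from the slides, and the dry-run mode (IPTABLES="echo iptables") is this script's own convention so the rule order can be reviewed before loading it on the device.

```shell
#!/bin/sh
# Added example, not from the slides: the hands-on rules as one maintainable script,
# ordered for first-match evaluation. Interfaces and addresses are placeholders.
IPTABLES="${IPTABLES:-iptables}"      # run with IPTABLES="echo iptables" for a dry run

ATTACKER="192.168.1.100"              # host to block on the WWW server (slide 2-1)
LAN="192.168.127.0/24"                # internal network behind the NAT box (slide 4-2)
WEB_SERVER="192.168.127.10"           # internal web server reached through DNAT
OUT_IP="60.248.66.75"                 # public address on eth0 (slide 4-2, example 3)

apply_rules() {
    # Start from empty, deny-by-default filter chains; OUTPUT stays open for the host itself.
    $IPTABLES -t filter -F
    $IPTABLES -t nat -F
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P FORWARD DROP
    $IPTABLES -t filter -P OUTPUT ACCEPT

    # Loopback and the state machine (examples 1 and 12): replies to connections this host
    # opened are accepted early, invalid packets are dropped before any service rule.
    $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
    $IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t filter -A INPUT -m state --state INVALID -j DROP

    # First match decides: the per-host DROP must precede the general ACCEPT for port 80,
    # otherwise 192.168.1.100 matches the ACCEPT rule first and is never blocked.
    $IPTABLES -t filter -A INPUT -i eth0 -s "$ATTACKER" -j DROP
    $IPTABLES -t filter -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Ping is answered but rate-limited (example 11) instead of silently dropped (example 10).
    $IPTABLES -t filter -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 6/min --limit-burst 10 -j ACCEPT

    # NAT machine (slide 4-2): hide the LAN behind ppp0 and publish the internal web server.
    $IPTABLES -t nat -A POSTROUTING -s "$LAN" -o ppp0 -j MASQUERADE
    $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d "$OUT_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # DNAT only rewrites the address; the FORWARD chain still has to let the packet through.
    $IPTABLES -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i eth0 -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
    $IPTABLES -t filter -A FORWARD -s "$LAN" -o ppp0 -m state --state NEW -j ACCEPT
}

# Print the commands instead of running them (the subshell keeps IPTABLES unchanged outside).
dry_run() { ( IPTABLES="echo iptables"; apply_rules ); }

# Line number of the first printed rule whose text contains $1 (empty if none).
rule_position() { dry_run | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

# "ok" when the host-specific DROP precedes the port-80 ACCEPT, "wrong-order" otherwise.
check_first_match() {
    drop=$(rule_position "-s $ATTACKER -j DROP")
    accept=$(rule_position "--dport 80 -m state --state NEW -j ACCEPT")
    if [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]; then
        echo ok
    else
        echo wrong-order
    fi
}

# Without --apply the script only prints the rules it would load.
if [ "${1:-}" = "--apply" ]; then apply_rules; else dry_run; fi
```

Run it once without arguments to review the printed order, then with `--apply` as root on the device; `check_first_match` is the kind of sanity check worth keeping in the script when rules are added later, since a new ACCEPT inserted above the host-specific DROP silently reopens the hole shown on slide 2-1.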
Thank YouThank You
OpenVPN 2.0 – Stephen Lin

OpenVPN 2.0

1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

1) Cryptography Summary

1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?

Confidentiality
• Ensure that nobody can learn what you transfer, even if listening to the whole conversation.
Integrity
• Ensure that the message has not been modified during transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify who the specific individual behind that entity is.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption

Fast: high efficiency for data transmission.
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties.
DES / 3DES / AES / Blowfish

[Diagram: Tom encrypts the plaintext with the secret key and sends the ciphertext; Bob decrypts it with the same secret key to recover the plaintext.]
1-3 Hash (Digest) Function

Ensures data integrity.
MD5 / SHA-1

[Diagram: Tom runs the data through the hash function to get Message Digest 1 and sends data + digest; Bob runs the same hash function over the received data to get Message Digest 2 and compares it with Message Digest 1.]
1-4 Message Authentication Code

Ensures data integrity.
Uses a key to protect the MAC.
HMAC / CBC-MAC

[Diagram: Tom hashes the data into Message Digest 1 and encrypts the digest with the secret key to form the MAC, then sends data + MAC; Bob decrypts the MAC with the secret key, hashes the received data into Message Digest 2 and compares the two digests.]
1-5 Asymmetric Encryption

Things to remember:
• Key pair – public/private keys.
• In a session one key is used for encryption and the other one for decryption.
• The "public key" can be deployed everywhere.
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text.
• The two keys are interchangeable. All algorithms make no difference between public and private key: when a key pair is generated, either of the two can be public or private.
• Less efficient than a static (symmetric) key.
• RSA / Diffie-Hellman

[Diagram: clear text → encryption → unreadable cipher text.]
1-5 Asymmetric Data Encryption

[Diagram – Confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair).]

1-5 Asymmetric Data Encryption

[Diagram – Authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair).]
1-6 Digital Signature

Real world – hybrid:
1) Data integrity
2) Authenticity
3) Non-repudiation
4) Algorithm – uses the public key and a hash
1-6 Digital Signature – Creating

[Diagram: the message or file ("This is the document created by Gianni") is passed through a one-way message digest function (hash: SHA, MD5) to calculate a short message digest (typically 128 bits) from even a long input; the digest is encrypted with the signatory's private key (asymmetric encryption: RSA) to produce the digital signature; the message together with the signature is the signed document.]
1-6 Digital Signature – Verifying

[Diagram: from the signed document, the message part is hashed again to generate a message digest; the digital signature is decrypted with Gianni's public key (taken from the certificate) to recover the original digest; the two digests are compared.]
1-6 Digital Signature

[Diagram: Tom hashes the data into Message Digest 1, encrypts it with Tom's private key to form the digital signature and sends data + signature; Bob decrypts the signature with Tom's public key, hashes the received data into Message Digest 2 and compares the two digests.]
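A hands-on counterpart to sections 1-3, 1-4 and 1-6, as an added example using the openssl command line; it is not code from the slides or from Moxa. The message text, the shared key value and the key file names (gianni.key, gianni.pub) are constructed for the demonstration. It shows the three checks side by side: a bare hash detects accidental damage but not a deliberate change (whoever changes the data simply recomputes the digest), an HMAC cannot be recomputed without the shared key, and an RSA signature verified with the public key fails on a modified document.

```shell
#!/bin/sh
# Added example (not from the slides): integrity, MAC and digital signature with the
# openssl command line. Files live in a temporary directory that is removed on exit.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

SHARED_KEY="constructed-demo-key"   # constructed shared secret for the MAC (Tom and Bob both know it)
printf 'This is the document created by Gianni\n' > document.txt   # constructed sample message

# SHA-256 digest of a file, hex only (slide 1-3).
digest_of() { openssl dgst -sha256 "$1" | sed 's/^.*= //'; }

# HMAC-SHA256 of file $1 under key $2 (slide 1-4).
hmac_of() { openssl dgst -sha256 -hmac "$2" "$1" | sed 's/^.*= //'; }

# Receiver check when only a bare digest travels with the data: $1 = data, $2 = attached digest.
check_hash_only() { [ "$(digest_of "$1")" = "$2" ] && echo accept || echo reject; }

# Receiver check with a MAC: $1 = data, $2 = attached tag, $3 = the receiver's copy of the key.
check_hmac() { [ "$(hmac_of "$1" "$3")" = "$2" ] && echo accept || echo reject; }

# Signatory's key pair (slide 1-6): the private key signs, the public key is handed out.
openssl genrsa -out gianni.key 2048 2>/dev/null
openssl rsa -in gianni.key -pubout -out gianni.pub 2>/dev/null

# Sign: hash document $1 with SHA-256 and encrypt the digest with the private key into $2.
sign_document() { openssl dgst -sha256 -sign gianni.key -out "$2" "$1"; }

# Verify: recompute the digest of $1 and compare it with the one recovered from signature $2
# using the public key. Prints ok or bad.
verify_document() {
    openssl dgst -sha256 -verify gianni.pub -signature "$2" "$1" >/dev/null 2>&1 && echo ok || echo bad
}

sign_document document.txt document.sig

# A modified copy, as someone on the path might produce (constructed).
printf 'This is the document created by Mallory\n' > tampered.txt

# With a bare hash the modifier recomputes the digest and the receiver accepts the change.
echo "hash only, digest recomputed by the modifier: $(check_hash_only tampered.txt "$(digest_of tampered.txt)")"
# Without the shared key no matching HMAC can be produced for the modified data.
echo "hmac, tag forged without the key:             $(check_hmac tampered.txt "$(hmac_of tampered.txt guessed-key)" "$SHARED_KEY")"
# The signature binds Gianni's private key to the exact document content.
echo "signature on the original:                    $(verify_document document.txt document.sig)"
echo "signature on the tampered copy:               $(verify_document tampered.txt document.sig)"
```

The first line of output is the point of slide 1-4: a digest alone gives integrity against noise, not against an adversary, which is why OpenVPN attaches an HMAC to every packet rather than a plain hash. The signature check is the same comparison as the "Verifying" diagram above, with the public key doing the decryption.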
1-7 Certificate

The simplest certificate just contains:
• a public key (for Stephen)
• information about the entity that is being certified to own that public key
... and the whole is
• digitally signed by someone trusted (like your friend or a CA).

[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate

[Diagram: the CA generates a key pair (priv/pub) on the certification server; the user requests a certificate from the CA; the CA generates the certificate (pub + DS); the private key and the certificate are sent to the user. Right cert signed by CA; left cert signed by CA; CA pub key signed by CA.]
1-7-1 CA Certificate Example

[Diagram: the CA private key signs Left's and Right's certificates. Left holds "Left priv key signed by CA" and the CA pub key; Right holds "Right priv key signed by CA" and the CA pub key. Each side trusts the other's cert because it is signed by the CA whose pub key it holds.]
1-7-2 SSL/TLS

[Diagram: each side holds a key pair (priv/pub); the clear text is encrypted into Cipher 1 and again into Cipher 2, transmitted over the public network, and decrypted in the reverse order back to clear text.]

Ensures confidentiality
• and integrity, if digitally signed.
Depending on how the public keys are exchanged:
• authenticity, identity, non-repudiation.
1-8 Moxa UC7400 – Hardware Cipher

Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code.

1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7

DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too.
1-8-2 Performance

[Charts: 3DES-CBC and AES-128-CBC throughput and rate against packet size, one pair of charts for 128–1280-byte packets and one pair for 16–144-byte packets; only the axis ticks survived extraction. Legend: = HW Cipher.]
1-8-3 Things to be noticed

Moxa UC-7400 switches the operations between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration or busy state causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package

Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda

1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0

2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network

2-1 VPN Advantages/Disadvantages

VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.).
A VPN allows the usage of protocols which are insecure by themselves.
VPNs cannot be controlled and logged easily because of their encrypted nature.
2-2 Why OpenVPN

Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later

2-2 Why OpenVPN

Peers – each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security

Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • authentication
  • key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet

[Packet layout: HMAC | IV | SeqN | IP payload; the SeqN and the payload are encrypted, and the HMAC is computed over the rest.]
2-2 OpenVPN vs IPSec

OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support

IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes

Bridging and routing are two methods of linking systems via a VPN:
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)

Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN.
Uses the kernel routing to forward the packets.

[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer and the TUN device is inserted at layer 3 (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)

Routed IP advantages
1) Point-to-point
2) Easier to configure
3) Efficiency and scalability
4) Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1) Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work
2) Routes must be set up linking each subnet
3) Software that depends on broadcasts will not see those machines on the other side of the VPN
4) Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)

Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
Bridge tools (brctl) are required to create the virtual adapters.
Need to create a script to bind eth1 and tap0 together into a bridged device called br0.

2-3-2 Bridged Ethernet Mode (TAP Mode)

brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: two OSI stacks; OpenVPN at the application layer, TUN at layer 3 and TAP at layer 2; each side has eth0, eth1 and tap0, with eth1 and tap0 joined by bridging.]
2-3-2 Bridged Ethernet Mode (TAP Mode)

Bridging advantages
1) Point to point, point to multi-point
2) Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3) No route statements to configure
4) Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5) Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1) Less efficient than routing and does not scale well
Agenda

1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

3) OpenVPN Configuration

3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started

[Lab diagram: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) – ixp1 – [VPN Server, also CA/TLS Server] – ixp0 192.168.12.201 === VPN Tunnel === ixp0 192.168.12.202 – [VPN Client] – ixp1 – LAN B (IP 10.0.2.1/24, gw 10.0.2.254); the client connects to the server.]
3-1 Getting Started

Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started

Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration

Local/remote VPN IP addresses must be specified.
It is NECESSARY to specify the server address at the VPN client.

3-2 TUN Server Configuration

Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (server); openvpn --config /etc/openvpn/tunclient.conf & (client)
(2nd argument of "ifconfig", which is now "10.0.2.254")
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server

Mark this line if both VPN networks are in the same subnet.

3-3 TAP Configuration – VPN Server

Edit the static routings: vi /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254

3-3 TAP Configuration – VPN Server

Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (server); openvpn --config /etc/openvpn/tapclient.conf & (client)
3-4-1 SSL/TLS – Dynamic Keys

Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client.
Have the second client certified the same way.
3-4-2 OpenVPN – "easy-rsa" tools

Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server

3-4-2 OpenVPN – "easy-rsa" tools

Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server.
Copy the CA certificate, the client key and the client certificate to the VPN client.
The "easy-rsa" tools also work on the UC7400 series.
3-4-3 Configuration File Modification

txxserver.conf
txxclient.conf
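Matching server and client files for the TUN setup of 3-2 (static key) and 3-4 (SSL/TLS), generated by one script, as an added example that is not from the slides or from Moxa. The tunnel addresses (10.8.0.1/10.8.0.2), the LAN prefixes, the server address taken from the lab diagram and the file names are assumptions; the `route` directive replaces the separate tunserver.sh/tunclient.sh route scripts of 3-2, and ta.key is a second key from `openvpn --genkey --secret` used only to protect the TLS handshake.

```shell
#!/bin/sh
# Added example (not from the slides): generate matching OpenVPN 2.0 configuration files for
# the TUN setup, in static-key mode and in SSL/TLS mode. Addresses and file names are assumptions.

SERVER_PUBLIC_IP="192.168.12.201"   # ixp0 of the VPN server in the lab diagram of 3-1
LAN_A="10.0.1.0 255.255.255.0"      # network behind the VPN server
LAN_B="10.0.2.0 255.255.255.0"      # network behind the VPN client
TUN_SERVER="10.8.0.1"               # assumed tunnel endpoints (not the LAN gateway addresses)
TUN_CLIENT="10.8.0.2"

# Directives shared by every file: UDP 1194, keep-alive, keep the tun device and the keys
# across restarts, and drop root once the tunnel is up.
common_options() {
    cat <<'EOF'
dev tun
proto udp
port 1194
ping 10
ping-restart 60
persist-tun
persist-key
user nobody
group nobody
cipher AES-128-CBC
auth SHA1
comp-lzo
verb 3
EOF
}

# Static-key mode (3-2): both sides share static.key from "openvpn --genkey --secret static.key";
# the file must reach the client over a trusted channel, not over plain ftp.
write_static_key_configs() {   # $1 = target directory
    { common_options
      printf 'ifconfig %s %s\nsecret static.key\nroute %s\n' "$TUN_SERVER" "$TUN_CLIENT" "$LAN_B"
    } > "$1/tunserver.conf"
    { common_options
      printf 'remote %s\nifconfig %s %s\nsecret static.key\nroute %s\n' \
          "$SERVER_PUBLIC_IP" "$TUN_CLIENT" "$TUN_SERVER" "$LAN_A"
    } > "$1/tunclient.conf"
}

# S SL/TLS mode (3-4): keys and certificates from easy-rsa; tls-auth adds an HMAC to the
# handshake packets, and ns-cert-type makes the client refuse a peer whose certificate was
# not issued as a server certificate (a client certificate signed by the same CA is not enough).
write_tls_configs() {          # $1 = target directory
    { common_options
      printf 'tls-server\nifconfig %s %s\nca ca.crt\ncert server.crt\nkey server.key\ndh dh1024.pem\ntls-auth ta.key 0\nroute %s\n' \
          "$TUN_SERVER" "$TUN_CLIENT" "$LAN_B"
    } > "$1/tlsserver.conf"
    { common_options
      printf 'tls-client\nremote %s\nifconfig %s %s\nca ca.crt\ncert client.crt\nkey client.key\nns-cert-type server\ntls-auth ta.key 1\nroute %s\n' \
          "$SERVER_PUBLIC_IP" "$TUN_CLIENT" "$TUN_SERVER" "$LAN_A"
    } > "$1/tlsclient.conf"
}

# Report which authentication mode a configuration file uses: static, tls-server, tls-client or unknown.
config_mode() {
    if grep -q '^secret ' "$1"; then echo static
    elif grep -q '^tls-server' "$1"; then echo tls-server
    elif grep -q '^tls-client' "$1"; then echo tls-client
    else echo unknown; fi
}

# yes/no: does a client file check the server's certificate type (the 2.0-era MITM check)?
client_checks_server_cert() { grep -q '^ns-cert-type server' "$1" && echo yes || echo no; }

OUT="${1:-$(mktemp -d)}"
write_static_key_configs "$OUT"
write_tls_configs "$OUT"
echo "configuration files written to $OUT:"
ls "$OUT"
```

Run it with `/etc/openvpn` as the argument on each box, copy only the files that side needs (the client never receives server.key), and start OpenVPN as in 3-2 with `--config`. The `config_mode` and `client_checks_server_cert` helpers are the two things worth checking in a review: a production client file should report tls-client and yes.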
Agenda

1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

Live Demo
UC-7420 DEMO BOX

Two of its serial ports are connected to a power meter and a thermocouple.
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability.
Demo Box Features

Software Block Diagram

Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC

UC's LCM & keypad (F1-F5)

F1: Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2: System status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3: Alarm setting: Temperature → Voltage → Burning throughput
F4: Configuration key
F5: Main menu

Apache Web with CGI & HTML

Seat Locating System

Score Query System
Appendix

What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card.
• The compatible wireless cards are:

Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the R-Link chip set

Thank You
Step 3: Deployment

Upload the program to the UC:
• ftp 192.168.3.127
• ftp> binary
• ftp> put hello-release
Running the program (at the UC-7400 side):
• chmod +x hello-release
• ./hello-release

[Terminal: chmod +x hello-release; ./hello-release; Hello]
Debugging with GDB

[Diagram: PC (Moxa Bash Shell): 1. compile with -ggdb, 3. Insight tool (GDB client), 4. target remote; Ethernet link; UC: 2. GDB debug server.]

Debugging with GDB

chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206

Step 1: PC (Moxa Bash Shell): compile the program with the -ggdb option, then upload it to the UC.
Step 2: UC: start hello-debug under gdbserver with the command: gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC (Insight): run the GDB client
• Open the hello-debug file
• Connect to target
  • GDB Server/TCP
  • 192.168.3.200
  • 2000
iptables Introduction

Agenda

1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1 Quick View of iptables

A user-space command to set up/maintain the "Netfilter" sub-system of the kernel.
"Netfilter" manages only the packet headers, not the content.
iptables is currently one of many firewall/NAT solutions; it is an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.

1 Quick View of iptables

Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.

1 Quick View of iptables

3rd generation firewall on Linux
– "ipfwadm" on Linux kernel V2.0.x
– "ipchains" on Linux kernel V2.2.x
– "ipchains" / "iptables" on Linux kernel V2.4.x
– "iptables" on Linux kernel V2.6.x
Supports basic packet filtering as well as connection state tracking.
UC-7110/7400 support only "iptables".

Agenda

1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

2) Rules, Chains and Tables

2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match ndash The Highest Priority2-1 First Match ndash The Highest Priority
Packets
Rule 1
Rule 10
Default Policy
Action 1
Action 2
No
No
Yes
Yes
Rule 2
No
Action 10Yes
2-1 First Match 2-1 First Match
On WWW Server reject the attack from IP = 1921681100Rule 1 Drop the packets from 1921681100Rule 2 Accept WWW request packets from all the hostsRule 3 Drop all the none-WWW packets
Rule 1 Accept WWW request packets from all the hosts Rule 2 Drop the packets from 1921681100Rule 3 Drop all the none-www packets
1921681100 is able to use the WWW service or to attack WWW service port
2-2 Three 2-2 Three Major TablesMajor Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table2-2-1 Filter Table
Mainly used for filtering packets The place that we actually take action against packets
and look at what they contain and ACCEPT DROP REJECT LOG them depending on their content
1 INPUT chain ndash packets enter the local host
2 OUTPUT chainndash packets output from the local host
3 FORWARD chainndash forward packets to other hosts
2-2-2 NAT Table2-2-2 NAT Table
Be used for NAT on different packets
to translate the packets source field or destination field
1) PREROUTING chain ndash to transfer the dst IP address (DNAT)
2) POSTROUTING chainndash this works after routing process and before Ethernet device process to transfer the source IP address (SNATMASQUARED)
3) OUTPUT chainndash to work for local producing packets
2-2-3 Mangle Table2-2-3 Mangle Table
This table is mainly be used for
mangling packets In other words you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) and TTL fields It can also ldquoMARKrdquo the packets
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT OUTPUT and FORWARD chain
2-3 Processing Packets2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host2-3-1 Destination Local Host
2-3-1 Destination Local Host2-3-1 Destination Local Host
Incoming Packets
NAT Table PREROUTING
Local Process
Filter Table INPUT
2-3-2 Source Local Host2-3-2 Source Local Host
2-3-2 Source Local Host2-3-2 Source Local Host
NAT Table OUTPUT
Outgoing Packets
Filter Table OUPUT
NAT Table POSTROUTING
Send Out Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
NAT Table PREROUTING
Local Resource
NAT Table POSTROUTING
Other Hosts
Incoming Packets
Filter Table FORWARD
2-4 State Machine2-4 State Machine
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
3) Usage of iptables3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save Restore Rules
3-1 Load iptables Modules3-1 Load iptables Modules
Note ipchains and iptables are not compatible
3-1 Load iptables Module3-1 Load iptables Module
Check the Current Tablesiptables [-t tables] [-L] [-n]
Default Policy
3-1 Install iptables3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy3-2 Define Default Policy
iptables ndasht filter nat mangle
ndashP INPUT OUTPUT FORWARD PREROUTING POSTROUTING
ACCEPT DROP
3-2 Define Default Policy3-2 Define Default Policy
3-3 Structure of a Rule3-3 Structure of a Rule
3-3-1 Add Insert Delete an Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add Insert Delete and Replace3-3-1 Add Insert Delete and Replace
iptables ndasht filter nat mangle
AI DR
ndash direction match target
3 major things needed
to be considered
ndashj
3-3-2 Direction ndash Chains3-3-2 Direction ndash Chains
a filter Table INPUT
OUTPUT
FORWARD
b nat Table PREROUTING
POSTROUTING
OUTPUT
c mangle table hellip
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all the packets incoming from the lo interface
    iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter - Rules of filter table
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
    iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 7 - Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
    iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC-7110 does not support the target "LOG"
4-1 Packet Filter - Rules of filter table
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
    iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff (the mac match module must be selected before its --mac-source option can be used)
    iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
    iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - ICMP "ping" burst: with a DROP policy, accept ICMP at 6 packets per minute after an initial burst of 10
    iptables -t filter -P INPUT DROP
    iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
    iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of filter table
Example 13 - Check the packet integrity
    iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "passive mode" FTP service to a host
    modprobe ip_conntrack_ftp
    iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 - Redirect the connection requests of port 80 to port 8080
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE is only valid in the POSTROUTING chain, which is also the only chain where the outgoing interface -o can be matched)
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10:80
    iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
    iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
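The hands-on rules above collected into one maintainable script, as section 3-4 recommends (an added example, not Moxa's training script): every command goes through a run helper so the whole rule set can be previewed with DRY_RUN=1 before it is loaded, the accept rules are ordered so that the first match does the right thing, and the masquerade rule of NAT example 2 is placed in POSTROUTING. The addresses are the ones used in the examples; OUT_IP is assumed to equal the public eth0 address.

```shell
#!/bin/sh
# Added example: the UC-7400 hands-on rules as one script (not Moxa's own script).
# Order matters: the first matching rule wins, so loopback and established traffic are
# accepted first and the default policy catches everything that no rule matched.

WAN_IF="${WAN_IF:-eth0}"                    # interface facing the public network
PPP_IF="${PPP_IF:-ppp0}"                    # dial-up interface from NAT example 2
LAN_NET="${LAN_NET:-192.168.127.0/24}"      # internal network from NAT examples 3/4
WEB_SERVER="${WEB_SERVER:-192.168.127.10}"  # internal web server from NAT example 3
WAN_IP="${WAN_IP:-60.248.66.75}"            # public address of eth0 from NAT example 3
OUT_IP="${OUT_IP:-$WAN_IP}"                 # SNAT source address; assumed equal to WAN_IP
BLOCKED_HOST="${BLOCKED_HOST:-192.168.100.200}"   # from example 8
BLOCKED_MAC="${BLOCKED_MAC:-aa:bb:cc:dd:ee:ff}"   # from example 9

# With DRY_RUN=1 each command is printed instead of executed, so the rule set can be
# reviewed (or diffed against the previous version) before it touches the kernel.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

flush_rules() {
    run iptables -t filter -F
    run iptables -t nat -F
}

set_default_policy() {
    # Default deny for traffic to and through the box; locally generated traffic may leave.
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -P FORWARD DROP
    run iptables -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    # Examples 1, 12 and 13: loopback first, then one connection-tracking decision for all
    # protocols, then malformed packets, so no later service rule has to repeat them.
    run iptables -t filter -A INPUT -i lo -j ACCEPT
    run iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -A INPUT -m state --state INVALID -j DROP
    run iptables -t filter -A INPUT -m unclean -j DROP
    # Examples 8 and 9: specific drops before any accept rule that could match the same host.
    run iptables -t filter -A INPUT -i "$WAN_IF" -p tcp -s "$BLOCKED_HOST" --syn -j DROP
    run iptables -t filter -A INPUT -i "$WAN_IF" -m mac --mac-source "$BLOCKED_MAC" -j DROP
    # Example 6: NetBIOS only from the local network.
    run iptables -t filter -A INPUT -i "$WAN_IF" -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
    # Example 7: log new SMTP connections, then accept them (UC-7110 has no LOG target).
    run iptables -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j LOG --log-prefix "SMTP: "
    run iptables -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # Example 11: answer ping, but only at 6 per minute after a burst of 10.
    run iptables -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Example 5 needs no rule here: port 21 is never accepted, so the INPUT policy drops it.
    # Example 14: passive FTP and other helper-tracked connections through the forwarder.
    run modprobe ip_conntrack_ftp
    run iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -A FORWARD -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Connections that PREROUTING has already rewritten to the internal web server.
    run iptables -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

nat_rules() {
    # NAT example 3: publish the internal web server on the public address.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    # NAT example 4 (SNAT line): static public source address for the LAN leaving on eth0.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$OUT_IP"
    # NAT example 2: MASQUERADE exists only in POSTROUTING, the only chain that knows -o.
    run iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o "$PPP_IF" -j MASQUERADE
}

apply_all() {
    flush_rules
    set_default_policy
    filter_rules
    nat_rules
}

# Usage when run as a script: "preview" prints the rules, "apply" loads them.
case "${1:-}" in
    preview) DRY_RUN=1; apply_all ;;
    apply)   apply_all ;;
esac
```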
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC-7400
1-1 What does Cryptography solve
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys for n parties
• DES/3DES/AES/Blowfish
[Figure: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts the ciphertext back to plaintext with the same secret key]
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5/SHA-1
[Figure: Tom runs the data through the hash function to get message digest 1 and sends data + digest 1; Bob runs the received data through the same hash function to get message digest 2 and compares it with digest 1]
1-4 Message Authentication Code
• Ensure the data integrity
• Use a key to protect the MAC
• HMAC/CBC-MAC
[Figure: Tom hashes the data to message digest 1 and encrypts the digest with the secret key to form the MAC, then sends data + MAC; Bob hashes the data to message digest 2, decrypts the MAC with the secret key to recover digest 1 and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair - public/private keys
• In a session, one key is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, any of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA/Diffie-Hellman
[Figure: clear text encrypted with one key of the pair into cipher text]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair: confidentiality check]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair: authenticity check]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - use the public key and hash
1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") is reduced to a short message digest (typically 128 bits) with a one-way hash function (SHA, MD5); the digest is encrypted with the signatory's private key (asymmetric encryption, RSA) to give the digital signature; message + signature form the signed document]
1-6 Digital Signature - Verifying
[Figure: the message digest of the received document is regenerated with the same hash; the digital signature is decrypted with Gianni's public key (from the certificate) and the two digests are compared]
1-6 Digital Signature
[Figure: Tom hashes the data to message digest 1 and encrypts it with Tom's private key into the digital signature; Bob hashes the data to message digest 2, decrypts the signature with Tom's public key and compares the two digests]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Figure: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key and a CA public key signed by the CA itself. Left and Right each hold their own private key, the CA public key, and their own certificate signed by the CA; each trusts the other's certificate because it is signed by the CA]
1-7-2 SSL/TLS
[Figure: each side holds its private key and the peer's public key; the clear text is encrypted twice (cipher 1, then cipher 2) for transmission over the public network and decrypted in the reverse order back to clear text]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC-7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four charts of cipher throughput (rate) against packet size. Top row: 3DES-CBC and AES128-CBC for packet sizes 128 to 1280 bytes (throughput axis 0-80, rate axis 0-8). Bottom row: AES128-CBC and 3DES-CBC for small packet sizes 16 to 144 bytes (rate axis 0-2.5). The marked series = HW cipher]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or a busy engine causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
• In use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | IP payload; the SeqN and payload are encrypted, and the HMAC covers the encrypted portion]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: OSI stacks (physical to application) of the two hosts; OpenVPN sits at the application layer and the TUN device at the network layer (3rd)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
    brctl addbr br0           # create an Ethernet bridge
    brctl addif br0 eth1      # connect interface eth1 as a port
    brctl addif br0 tap0      # connect virtual interface tap0 as a port (the bridge name is required)
[Figure: OSI stacks of the two hosts; OpenVPN at the application layer, TAP at the data-link layer (2nd) versus TUN at the network layer (3rd); on each host eth1 and tap0 are bridged, and eth0 carries the tunnel]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point to point, point to multi-point
2. Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing, and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (IP 10.0.1.1/24, gw 10.0.1.254) - ixp1 - [VPN Server, also the CA/TLS server] - ixp0 192.168.12.201 <--VPN tunnel--> ixp0 192.168.12.202 - [VPN Client] - ixp1 - LAN B (IP 10.0.2.1/24, gw 10.0.2.254)]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the ciphers/authentication supported: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
  [At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf &
  [At VPN client] openvpn --config /etc/tunclient.conf &
• 2nd argument of "ifconfig", which is now "10.0.2.254"
3-3 TAP Configuration
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
• Edit the static routings: vi /etc/openvpn/tunserver.sh
  [At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
  [At VPN client] openvpn --config /etc/openvpn/tapclient &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
• txxserver.conf
• txxclient.conf
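As an added example covering the TUN configuration of 3-2 and the file modification of 3-4-3 (not Moxa's or the OpenVPN project's own files): a script that writes the tunserver.conf / tunclient.conf pair for the lab topology in either static-key or SSL/TLS mode, and checks that the two ends mirror each other before they are started. The addresses are taken from the 3-1 diagram as read here (192.168.12.201/202 for ixp0, 10.0.1.254 and 10.0.2.254 as tunnel endpoints); the file names ca.crt, server.crt, server.key, client.crt, client.key and dh1024.pem are the easy-rsa outputs of 3-4-2, and static.key is an assumed name for the --genkey output.

```shell
#!/bin/sh
# Added example (not Moxa's or OpenVPN's own files): generate the server/client TUN
# configuration pair for the 3-1 lab topology in static-key or SSL/TLS mode.
# Assumed from the diagram: server ixp0 = 192.168.12.201, LAN A = 10.0.1.0/24 behind the
# server, LAN B = 10.0.2.0/24 behind the client; the tunnel endpoints reuse the LAN gateway
# addresses 10.0.1.254 / 10.0.2.254 as 3-2 does. The "route" directives replace the
# tunserver.sh / tunclient.sh static-route scripts of 3-2.

SERVER_IP="${SERVER_IP:-192.168.12.201}"
TUN_SERVER="${TUN_SERVER:-10.0.1.254}"
TUN_CLIENT="${TUN_CLIENT:-10.0.2.254}"
LAN_A="${LAN_A:-10.0.1.0 255.255.255.0}"
LAN_B="${LAN_B:-10.0.2.0 255.255.255.0}"

# Directives shared by both ends: one UDP port, keepalives so NAT mappings survive, drop
# root once the TUN device and keys are open (use a group that exists on the UC), and the
# cipher/digest both ends must agree on (check them with openvpn --show-ciphers/--show-digests).
common_directives() {
    cat <<'EOF'
dev tun
proto udp
port 1194
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
cipher AES-128-CBC
auth SHA1
verb 3
EOF
}

# $1 = output directory, $2 = "static" (pre-shared key from openvpn --genkey) or "tls".
# Static key: both ends share one secret, so there is no per-session key exchange and the
# key must be reissued by hand if it leaks. TLS: each end presents its certificate and
# checks the peer's against the CA.
write_tun_configs() {
    dir="$1"; mode="$2"
    mkdir -p "$dir"
    {
        printf '# VPN server (LAN A side), generated by write_tun_configs\n'
        printf 'ifconfig %s %s\n' "$TUN_SERVER" "$TUN_CLIENT"
        printf 'route %s\n' "$LAN_B"          # LAN B is reached through the tunnel
        common_directives
        if [ "$mode" = tls ]; then
            printf 'tls-server\ndh dh1024.pem\nca ca.crt\ncert server.crt\nkey server.key\n'
        else
            printf 'secret static.key\n'
        fi
    } > "$dir/tunserver.conf"
    {
        printf '# VPN client (LAN B side), generated by write_tun_configs\n'
        printf 'remote %s\n' "$SERVER_IP"     # the client must name the server (3-2)
        printf 'ifconfig %s %s\n' "$TUN_CLIENT" "$TUN_SERVER"
        printf 'route %s\n' "$LAN_A"
        common_directives
        if [ "$mode" = tls ]; then
            # ns-cert-type server makes the client refuse a peer that holds only a client
            # certificate; the server certificate must carry the nsCertType=server extension.
            printf 'tls-client\nca ca.crt\ncert client.crt\nkey client.key\nns-cert-type server\n'
        else
            printf 'secret static.key\n'
        fi
    } > "$dir/tunclient.conf"
}

# Sanity checks on a generated pair: both ends agree on cipher and digest, the ifconfig
# endpoints mirror each other, the client names the server, and a TLS client carries no
# leftover static secret and does verify the server certificate type.
check_pair() {
    s="$1/tunserver.conf"; c="$1/tunclient.conf"
    [ "$(grep '^cipher ' "$s")" = "$(grep '^cipher ' "$c")" ] || return 1
    [ "$(grep '^auth ' "$s")" = "$(grep '^auth ' "$c")" ] || return 1
    sl=$(awk '/^ifconfig/{print $2}' "$s"); sr=$(awk '/^ifconfig/{print $3}' "$s")
    cl=$(awk '/^ifconfig/{print $2}' "$c"); cr=$(awk '/^ifconfig/{print $3}' "$c")
    [ "$sl" = "$cr" ] && [ "$sr" = "$cl" ] || return 1
    grep -q "^remote $SERVER_IP\$" "$c" || return 1
    if grep -q '^tls-client' "$c"; then
        ! grep -q '^secret ' "$c" || return 1
        grep -q '^ns-cert-type server' "$c" || return 1
    fi
    return 0
}

# Usage when run as a script: ./gen-tun.sh static|tls [directory] (default /etc/openvpn)
case "${1:-}" in
    static|tls) write_tun_configs "${2:-/etc/openvpn}" "$1" && check_pair "${2:-/etc/openvpn}" ;;
esac
```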
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function, making it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3 Alarm Setting: Temperature → Voltage → Burning throughput
• F4 Configuration Key
• F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the R-Link chipset
Thank You
Debugging with GDB
[Figure: PC (Moxa bash shell) and UC connected over Ethernet. 1: compile with -ggdb; 2: GDB debug server on the UC; 3: Insight tool (GDB client); 4: target remote]
Debugging with GDB
    gdbserver 192.168.3.127:2000 hello-debug
Debugging with GDB
    chmod +x hello-debug
    gdbserver 192.168.3.127:2000 hello-debug
    Process hello-debug created; pid = 206
Step 1: PC (Moxa bash shell) - compile the program with the -ggdb option, then upload it to the UC
Step 2: UC - call hello-debug with the command
    gdbserver 192.168.3.127:2000 hello-debug
Step 3: PC (Insight) - run the GDB client
• Open the hello-debug file
• Connect to target
  • GDB Server/TCP
  • 192.168.3.200
  • 2000
Debugging with GDB
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1 Quick View of iptables
• A user-space command to set up/maintain the "Netfilter" sub-system of the kernel
• "Netfilter" manages only the packet headers, not the content
• iptables is currently one of many firewall/NAT solutions: an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1 Quick View of iptables
• Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains
• Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table
1 Quick View of iptables
• 3rd generation firewall on Linux
  - "ipfwadm" on Linux kernel 2.0.x
  - "ipchains" on Linux kernel 2.2.x
  - "ipchains", "iptables" on Linux kernel 2.4.x
  - "iptables" on Linux kernel 2.6.x
• Supports basic packet filtering as well as connection state tracking
• UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Figure: packets are checked against Rule 1, Rule 2, ... Rule 10 in order; at the first rule that matches ("Yes") its action (Action 1 ... Action 10) is taken, and a packet that matches no rule ("No" all the way down) gets the default policy]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
  Rule 1: Drop the packets from 192.168.1.100
  Rule 2: Accept WWW request packets from all the hosts
  Rule 3: Drop all the non-WWW packets
With the order below, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port:
  Rule 1: Accept WWW request packets from all the hosts
  Rule 2: Drop the packets from 192.168.1.100
  Rule 3: Drop all the non-WWW packets
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets: the place where we actually take action against packets, look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content
1. INPUT chain - packets entering the local host
2. OUTPUT chain - packets output from the local host
3. FORWARD chain - packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field
1) PREROUTING chain - to translate the destination IP address (DNAT)
2) POSTROUTING chain - works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain - works for locally produced packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
[Figure: incoming packets → NAT table PREROUTING → filter table INPUT → local process]
2-3-2 Source Local Host
[Figure: outgoing packets from a local process → NAT table OUTPUT → filter table OUTPUT → NAT table POSTROUTING → send out packets]
2-3-3 Forwarded Packets
[Figure: incoming packets → NAT table PREROUTING → routing decision (local resource or other hosts) → filter table FORWARD → NAT table POSTROUTING → other hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules3-1 Load iptables Modules
Note ipchains and iptables are not compatible
3-1 Load iptables Module3-1 Load iptables Module
Check the Current Tablesiptables [-t tables] [-L] [-n]
Default Policy
3-1 Install iptables3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy3-2 Define Default Policy
iptables ndasht filter nat mangle
ndashP INPUT OUTPUT FORWARD PREROUTING POSTROUTING
ACCEPT DROP
3-2 Define Default Policy3-2 Define Default Policy
3-3 Structure of a Rule3-3 Structure of a Rule
3-3-1 Add Insert Delete an Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add Insert Delete and Replace3-3-1 Add Insert Delete and Replace
iptables ndasht filter nat mangle
AI DR
ndash direction match target
3 major things needed
to be considered
ndashj
3-3-2 Direction ndash Chains3-3-2 Direction ndash Chains
a filter Table INPUT
OUTPUT
FORWARD
b nat Table PREROUTING
POSTROUTING
OUTPUT
c mangle table hellip
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Accept all the packets incoming from lo interface
Example 2 ndash Accept all the TCP packets incoming from
IP = 19216801
iptables ndasht filter ndashA INPUT ndashi lo ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 19216801 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 3 ndash Accept all the TCP packets incoming from the network
1921681024
Example 4 ndash Drop all the TCP packets incoming from IP = 192168125
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 1921681024 -j ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 192168125 ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 5 ndash Drop all the Incoming TCP packets with dst Port = 21
(forbid FTP Connection from eth0)
Example 6 ndash Accept TCP packets incoming from IP 192168024 to
local port number 137138 and 139
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndash ndashdport 21 ndashj DROP
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp ndashs
192168024 ndash ndashdport 137139 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
The unclean match was an experimental 2.4-kernel extension for malformed headers and is not built into every kernel; if iptables cannot load it, the INVALID state of Example 12 gives most of the same protection.
Example 14 – Enable "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
ip_conntrack_ftp watches the PORT/PASV exchange on the control connection and marks the resulting data connection RELATED, so the single rule above lets it through without opening the whole high port range. The helper parses FTP commands inside the kern﻿el; load it only on a firewall that really has to pass FTP.
4-2 NAT Machine
Example 1 – Redirect the connection request of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 leaving through ppp0 behind ppp0's local IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
The slide placed this rule in PREROUTING; MASQUERADE is only valid in POSTROUTING, and -o can only be matched after the routing decision (see the target table in 3-3-4). MASQUERADE looks up the interface's current address for every packet, which suits a dial-up or DHCP link such as ppp0; with a fixed address use SNAT, as in Example 4.
Example 3 – DNAT the packets arriving on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10 port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – SNAT the packets of the internal network 192.168.127.0/24 to the external address $OUT_IP
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
The slide titled Example 4 "Redirect the incoming packet of TCP port 80 to 192.168.1.10 and TCP port 80", but the rule shown is the SNAT companion of Example 3: it rewrites the source of everything leaving the internal network to the public address held in $OUT_IP, so the replies come back to the gateway. The nat table only sees the first packet of a connection and conntrack rewrites the rest; it does not permit anything by itself. The forwarded traffic must still be accepted in the FORWARD chain of the filter table, and /proc/sys/net/ipv4/ip_forward must be 1.
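The filter examples of 4-1 and the NAT examples of 4-2 combined into one script, as an added example that is not part of the Moxa hands-on material: a UC used as the gateway of Example 3, with the rule set kept in the script form that 3-4 recommends and loaded atomically through iptables-restore. The interface names (eth0 on the WAN side, eth1 on the LAN side), the addresses and the choice of permitted services are this example's assumptions; the rule order follows the first-match principle of 2-1.

```shell
#!/bin/sh
# Added example, not from the Moxa deck: the 4-1/4-2 rules as one
# iptables-restore rule set for a UC gateway. Assumed layout (override
# through the environment): eth0 = WAN 60.248.66.75, eth1 = LAN
# 192.168.127.0/24, web server 192.168.127.10 (4-2 Example 3).
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-60.248.66.75}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.127.0/24}
WEB_SRV=${WEB_SRV:-192.168.127.10}

# Print the complete rule set. Within each chain the order is the
# first-match order of 2-1: state rules first, explicit permits next,
# and the DROP policy of the chain catches everything else.
gen_gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 4-2 Example 3: publish the internal web server on the WAN address
-A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport 80 -j DNAT --to-destination $WEB_SRV:80
# 4-2 Example 4: hide the LAN behind the WAN address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 4-1 Example 1: loopback
-A INPUT -i lo -j ACCEPT
# 4-1 Examples 12/13: replies to our own connections in, garbage out
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# 4-1 Examples 10/11: answer ping, but no more than 10 at once and 6/min after that
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 10 -j ACCEPT
# management (ssh) from the LAN only; FTP from the WAN (Example 5) falls to the DROP policy
-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# 4-1 Example 7: log SMTP probes from the WAN, rate-limited, then drop them
-A INPUT -i $WAN_IF -p tcp --dport 25 -m limit --limit 3/min -j LOG --log-prefix "smtp-probe: "
-A INPUT -i $WAN_IF -p tcp --dport 25 -j DROP
# forwarding: established flows, LAN to WAN, and the DNATed web traffic only
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SRV --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# rules_contain <grep pattern>: 0 if the generated rule set has a matching
# line. Lets the script be checked without touching the kernel.
rules_contain() {
    gen_gateway_rules | grep -q -- "$1"
}

# Load everything in one step (iptables-restore replaces the tables
# atomically, so there is never a half-built policy). Needs root, the
# conntrack modules and ip_forward=1, as 4-2 notes.
apply_gateway_rules() {
    modprobe ip_conntrack_ftp 2>/dev/null   # 4-1 Example 14: passive FTP through the gateway
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_gateway_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_gateway_rules ;;
    show)  gen_gateway_rules ;;
esac
```

Run it with `show` to review the rule set and with `apply` to load it; because iptables-restore swaps the whole table in one operation, an SSH session through the LAN side survives the reload, which a sequence of individual iptables calls with a DROP policy set first does not guarantee.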
Thank You
OpenVPN 2.0 – Stephen Lin
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC-7400
1-1 What does Cryptography solve
Confidentiality
• Nobody can learn what you transfer, even after listening to the whole conversation.
Integrity
• The message has not been modified during transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to, and who the specific individual behind that entity is.
Non-repudiation
• The individual behind that asset cannot later deny being associated with it.
1-2 Symmetric Data Encryption
Fast: high efficiency for bulk data transmission.
Is it "secure" while transferring the key? The key has to reach the other side over a channel that is itself protected.
Key maintenance: n parties that each need a pairwise secret hold n(n-1)/2 keys.
DES, 3DES, AES, Blowfish (DES has a 56-bit key and should no longer be used; 3DES and Blowfish have 64-bit blocks, which limits how much data one key may protect).
Figure: Tom encrypts the plaintext with the secret key and sends the ciphertext; Bob decrypts it with the same secret key.
1-3 Hash (Digest) Function
Ensure data integrity.
MD5, SHA-1 (both are broken for collision resistance today; use SHA-256 or better for anything new).
Figure: Tom sends Data together with Message Digest 1 = Hash(Data); Bob recomputes Message Digest 2 with the same hash function over the received Data and compares it with Message Digest 1.
A plain digest only detects accidental corruption: whoever can change the data in transit can also recompute the digest, so on its own it gives integrity against noise, not against an attacker. That is what the keyed construction in 1-4 adds.
1-4 Message Authentication Code
Ensure the data integrity, and that the data came from someone holding the key.
Use a key to protect the MAC.
HMAC, CBC-MAC
Figure: Tom hashes Data to Message Digest 1 and protects the digest with the secret key ("MAC encryption" on the slide); Bob receives MAC + Data, computes Message Digest 2 over Data, recovers Message Digest 1 with the same secret key, and compares.
The slide shows the digest being encrypted with the shared key; HMAC does not work that way but mixes the key into the hash itself, HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)), and this is what OpenVPN uses to authenticate every packet. In both cases the receiver recomputes the tag and compares; the comparison should be constant-time so that an attacker cannot learn the tag byte by byte from timing.
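What the 1-3 digest and the 1-4 MAC do and do not protect, as an added example that is not part of the Moxa slides, using the openssl command line. It needs an OpenSSL whose dgst command has the -hmac option (0.9.8 or later; the 0.9.7 build on the UC may lack it, a Linux PC will have it). The key and the two messages are made up for the example.

```shell
# Added example (not from the Moxa slides): what the 1-3 digest and the
# 1-4 MAC do and do not protect, with the openssl command line. Needs an
# OpenSSL whose dgst has -hmac (0.9.8 or later). Key and messages are
# constructed for the example.

digest() {            # digest <message> -> hex SHA-256 of the message
    printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

mac() {               # mac <key> <message> -> hex HMAC-SHA256 under <key>
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# Bob's check from the 1-3 figure: recompute and compare. Returns 0 if
# the digest matches the data he received.
bob_checks_digest() { # bob_checks_digest <data> <digest>
    [ "$(digest "$1")" = "$2" ]
}

# Bob's check from the 1-4 figure. A plain string compare is fine for an
# illustration; production code uses a constant-time comparison.
bob_checks_mac() {    # bob_checks_mac <key> <data> <tag>
    [ "$(mac "$1" "$2")" = "$3" ]
}

ORIG='relay 1 on'     # what Tom sent (constructed)
FORGED='relay 1 off'  # what Mallory put on the wire instead

# 1-3: Mallory replaces Data and recomputes the digest; Bob's compare
# passes. Returns 0 when the forgery is accepted (it is).
digest_forgery_accepted() {
    bob_checks_digest "$FORGED" "$(digest "$FORGED")"
}

# 1-4: Mallory can change Data but not the tag, because the tag needs
# the key. Returns 0 when the genuine pair verifies and the forged pair
# is rejected, 1 otherwise.
mac_forgery_rejected() {  # mac_forgery_rejected <key>
    tag=$(mac "$1" "$ORIG")
    bob_checks_mac "$1" "$ORIG" "$tag" || return 1
    if bob_checks_mac "$1" "$FORGED" "$tag"; then return 1; fi
    return 0
}
```

The same two functions are what an OpenVPN peer runs on every packet: with the wrong key, or a modified payload, bob_checks_mac fails and the packet is discarded before any decryption is attempted.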
1-5 Asymmetric Encryption
Things to remember
• Key pair – public and private keys; in a session one encrypts and the other decrypts.
• The "public key" can be deployed everywhere.
• From one key you cannot derive the other, even with access to clear text and cipher text.
• The slide says the two keys are interchangeable and that all algorithms treat them alike. That only holds for textbook RSA; in DSA, Diffie-Hellman and elliptic-curve schemes the private key is a scalar and the public key a derived group element, and the roles cannot be swapped. Even with RSA, do not reuse one pair for both encryption and signing.
• Less efficient than a symmetric (static) key, which is why real protocols combine the two (see 1-7-2).
• RSA, Diffie-Hellman
Figure: clear text goes through asymmetric encryption and comes out as random-looking cipher text.
1-5 Asymmetric Data Encryption – confidentiality check
Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair). Only the holder of the private key can read it.
1-5 Asymmetric Data Encryption – authenticity check
Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair). Anyone can read it, but only Tom could have produced it.
1-6 Digital Signature
Real world – hybrid: 1 Data integrity, 2 Authenticity, 3 Non-repudiation, 4 Algorithm – use the public key together with a hash.
1-6 Digital Signature – Creating
Figure: the message or file ("This is the document created by Gianni") is reduced to a short message digest with a one-way hash function (SHA, MD5; 128 bits for MD5, 160 bits for SHA-1), the digest is transformed with the signatory's private key (RSA), and the result is the digital signature that travels with the document as the signed document.
1-6 Digital Signature – Verifying
Figure: the verifier recomputes the message digest of the received document, applies Gianni's public key (taken from his certificate) to the digital signature to recover the digest that was signed, and compares the two; equal means the document is unchanged and was signed with Gianni's private key.
Signing the digest rather than the document keeps the RSA operation to one block regardless of the file size. A real RSA signature does not encrypt the bare digest: the digest is wrapped in a padding scheme (PKCS#1 v1.5 or PSS) before the private-key operation, which is what defeats existential forgery.
1-6 Digital Signature
Figure: Tom hashes Data to Message Digest 1 and signs it with Tom's private key; the digital signature is sent with Data. Bob hashes the received Data to Message Digest 2, recovers Message Digest 1 from the signature with Tom's public key, and compares. Same flow as the MAC in 1-4 with the shared key replaced by the key pair: only Tom can sign, anyone can verify.
1-7 Certificate
The simplest certificate just contains
• a public key (for Stephen)
• information about the entity that is being certified to own that public key
… and the whole is
• digitally signed by someone trusted (a friend, or a CA)
Figure: the certificate binds "this public key belongs to Stephen" to the public key, with a digital signature over both. The entity can be a person, a computer, a device, a file, some code, anything.
Trusting a certificate therefore means trusting the signer's key and checking its signature, and also checking that the name inside is the one you expected; the signature alone says nothing about which Stephen this is.
1-7-1 CA Certificate
Figure: the CA runs a certification server and generates its own key pair (Priv, pub). A user requests a certificate from the CA; the CA generates the certificate (pub + DS, the CA's digital signature over it); on the slide the private key and the certificate are then sent to the user.
Sending a private key from the CA to the user is the weak point of that flow: the key travels over the network and the CA keeps a copy. The practice to prefer, and the one the 3-4-1 and 3-4-2 tools follow, is that the user generates the key pair locally and sends only a certificate request; the CA returns a signed certificate and never sees the private key.
1-7-1 CA Certificate Example
Figure: the CA private key signs the Left certificate, the Right certificate and the CA's own public key (the self-signed CA certificate). Left holds its private key, the CA public key and its CA-signed certificate; Right likewise. Because both trust the CA public key, Left can verify Right's certificate and vice versa without ever having met.
(The slide labels the keys held by Left and Right as "Priv Key signed by CA"; what the CA signs is the certificate containing the public key, never the private key.)
1-7-2 SSL/TLS
Figure: each side holds a key pair (Priv, pub) and the other side's public key. The clear text is encrypted into Cipher 1, encrypted again into Cipher 2, transmitted over the public network, then decrypted twice back to clear text. The two encryptions stand for the two uses of the public keys from 1-5: one pass for confidentiality (recipient's public key), one for authenticity (sender's private key).
Ensures confidentiality
• and integrity if digitally signed
Depending on how the public keys are exchanged
• authenticity, identity, non-repudiation
In practice TLS uses the public keys only in the handshake: the certificate authenticates the server (and optionally the client), RSA or Diffie-Hellman establishes a session key, and the bulk data is protected with a symmetric cipher plus a MAC (1-2 and 1-4). OpenVPN reuses exactly this handshake in its TLS mode.
1-8 Moxa UC-7400 – Hardware Cipher
Intel XScale supports
• security engines: DES, AES
• algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• no need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), as OpenSSL itself does.
Because the acceleration sits behind the normal libcrypto entry points, OpenVPN and sshd pick it up simply by linking against Moxa's libcrypto.so; a statically linked binary, or one shipped with its own OpenSSL, silently runs the software path.
1-8-2 Performance
Figure (two pairs of charts, legend "= HW Cipher"): throughput versus packet size for 3DES-CBC and AES-128-CBC with the software and the hardware cipher; x-axis packet size 128 … 1280 bytes (left charts) and 16 … 144 bytes (right charts), with a RATE line on a secondary axis giving the hardware/software ratio. The hardware gain grows with the packet size; below the thresholds listed in 1-8-3 it disappears.
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approach
• default: hardware approach
• any misconfiguration, or a busy engine, causes the switch to software
Small packets are handled by the software approach
• DES: below 128 bytes
• 3DES/AES: below 64 bytes
The switch is transparent and the result of the encryption is the same either way; a benchmark is the only way to see which path is in use.
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io – correctness test
• io 0 5000 – stability test
• io 1 – golden pattern
• io 2 20000 – performance test
The device node is the doorway to the engine: give it a mode that lets only the processes that should use the accelerator open it.
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network – Advantages/Disadvantages
VPN: a network constructed over public wires (e.g. the Internet) to connect nodes.
A VPN encrypts all network traffic between the sites, not just a few application protocols (as SSL or SSH do).
A VPN allows the use of protocols which are insecure by themselves (Telnet, FTP and the like).
VPN traffic cannot be inspected or logged easily by intermediate devices because of its encrypted nature, so filtering has to happen at the tunnel endpoints; the iptables rules of the previous session apply to the tun/tap interface like to any other.
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4, Windows XP SP1 or later
Peers – each node has a client or server role
• uses the kernel routing
• multiple clients
A user-space program
• a full-featured SSL-VPN solution
• built on top of the existing SSL/TLS mechanisms, with a choice among a set of security algorithms
• can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port (5000 in OpenVPN 1.x, 1194 in 2.0)
2-2 OpenVPN Security
Two authentication modes
• Static key: a pre-shared secret (the same key on both ends, point-to-point only, no forward secrecy)
• SSL/TLS: SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number (replay protection)
• IV: plaintext initialisation vector, randomised per packet
HMAC | IV | SeqN | payload
SeqN and payload are encrypted; the HMAC is computed over the IV and the encrypted part.
The HMAC is checked before anything is decrypted, so a packet from someone without the key costs one hash and is discarded, which keeps the decryption code away from untrusted input.
2-2 OpenVPN vs IPSec
OpenVPN
• user-space daemon
• SSL/TLS
• portability across operating systems
• firewall- and NAT-friendly
• dynamic address support
IPSec
• kernel-space IP stack
• each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections
• site-to-site
• dynamic site-to-site
• (dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device: a virtual point-to-point IP link that joins the inner interface to the tunnel
Uses the kernel routing to forward the packets
Figure: the seven OSI layers of both hosts; OpenVPN runs in the application layer and hands packets to the TUN device at layer 3 (network), so the rest of the stack sees the tunnel as one more IP interface.
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see the machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 where the tun drivers on both ends support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl, from bridge-utils) are required to create the bridge
Create a script to bind eth1 and tap0 together into a bridged device called br0
brctl addbr br0 – create an Ethernet bridge
brctl addif br0 eth1 – connect interface eth1 as a port
brctl addif br0 tap0 – connect the virtual interface tap0 as a port (the slide omitted the bridge name; brctl addif needs both the bridge and the interface)
The IP address that eth1 had must be moved to br0 afterwards, with eth1 and tap0 brought up without addresses, otherwise the host is unreachable once eth1 becomes a bridge port; this is what the Moxa openvpn-bridge script in 3-3 takes care of.
Figure: the seven OSI layers of both hosts; OpenVPN runs in the application layer and injects frames through the TAP device at layer 2 (data link), which is bridged with eth1 into br0, while eth0 stays outside the bridge. TUN (layer 3) is shown alongside for comparison.
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point-to-point, point-to-multipoint
2 Broadcasts traverse the VPN – this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to handle non-IP protocols such as IPX, NetWare and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing, and does not scale well
Every broadcast on LAN A also crosses the tunnel to LAN B, and any host on either side can talk to the other at Ethernet level, so a bridged VPN merges the two sites into one broadcast domain and one trust domain.
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
Figure – lab network:
LAN A: host IP 10.0.1.1/24, gw 10.0.1.254 – [VPN Server] with ixp1 10.0.1.254 and ixp0 192.168.12.201 (also the [CA/TLS Server])
LAN B: host IP 10.0.2.1/24, gw 10.0.2.254 – [VPN Client] with ixp1 10.0.2.254 and ixp0 192.168.12.202
VPN tunnel between the two ixp0 addresses; the client connects to the server.
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing, mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
The static key file has to be copied to the other UC over a channel that is already secure (scp over the sshd listed in the software comparison, or by hand); anyone holding the file is a valid peer, so keep it readable by root only (chmod 600).
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the ciphers and authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
Local and remote VPN IP addresses must be specified (the two arguments of "ifconfig" in the configuration file: local first, remote second)
It is NECESSARY to specify the server address ("remote") at the VPN client
Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
The 2nd argument of "ifconfig" (the remote tunnel address) is now "10.0.2.254": the server names the client's address and the client names the server's, so the line is the same on both sides with the two addresses swapped.
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
Comment out the line marked on the slide if both VPN networks are in the same subnet
Edit the static routings: vi /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed at the kernel routing: br0 = 10.0.1.254
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
Start the bridge before OpenVPN: in bridged mode tap0 must already exist and be a port of br0 when OpenVPN opens it.
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate request: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client.
Repeat -newreq and -sign for the second client.
Keep the CA private key (and its passphrase) on the Linux PC, never on a UC: whoever holds it can issue a certificate that every peer in this VPN will accept. Only the CA certificate, the public half, is copied to the devices.
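The 3-4-1 procedure with plain openssl commands instead of the CA wrapper script, followed by the 1-6 sign and verify steps on a file and the 1-7 chain check, as an added example that is not part of the Moxa material. The directory, file names and subjects are this example's assumptions, and unlike the 1-7-1 figure no private key ever leaves the host that generated it: only the request goes to the CA.

```shell
# Added example, not from the deck: the 3-4-1 CA steps with plain openssl
# commands instead of the CA wrapper script, followed by the 1-6 sign and
# verify operations on a file. Directory, file names and subjects are
# this example's assumptions.

make_pki() {          # make_pki <dir> -> ca.crt, ca.key, server.key, server.crt, server.pub
    d=$1
    mkdir -p "$d" || return 1
    # CA root key pair with a self-signed certificate (CA -newca)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj '/CN=Moxa Training CA' -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # server key pair and certificate request (CA -newreq); the key stays here
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=vpn-server' -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # the CA signs the request (CA -sign); only ca.key can produce this signature
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$d/server.crt" 2>/dev/null || return 1
    # the public half, extracted from the certificate, is what verifiers use
    openssl x509 -in "$d/server.crt" -pubkey -noout > "$d/server.pub"
}

verify_chain() {      # verify_chain <dir> -> 0 if server.crt was signed by ca.crt
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

sign_file() {         # sign_file <dir> <file> -> <file>.sig (SHA-256 digest, RSA private key)
    openssl dgst -sha256 -sign "$1/server.key" -out "$2.sig" "$2"
}

verify_file() {       # verify_file <dir> <file> -> 0 only if <file>.sig matches <file>
    openssl dgst -sha256 -verify "$1/server.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# Walk-through: build the PKI, sign a client configuration, then show
# that changing one address in the file invalidates the signature.
# Returns 0 when every step behaves as 1-6 and 1-7 describe.
demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || return 1
    verify_chain "$d" || return 1
    printf 'remote 192.168.12.201\n' > "$d/client.conf"      # genuine server address
    sign_file "$d" "$d/client.conf"
    verify_file "$d" "$d/client.conf" || return 1            # Verified OK
    printf 'remote 192.168.12.202\n' > "$d/client.conf"      # attacker points the client elsewhere
    if verify_file "$d" "$d/client.conf"; then return 1; fi  # must be rejected
    rm -rf "$d"
}
```

Running demo exercises the whole chain: the certificate verifies only against the CA that signed it, the signature verifies only with the public key from that certificate, and a one-line change to the signed file is enough to make verification fail.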
3-4-2 OpenVPN – "easy-rsa" tools
Copy the "easy-rsa" directory to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (1024 bits on the slide; the size comes from KEY_SIZE in vars, and 1024 is weak today, use 2048)
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server.
Copy the CA certificate, the client key and the client certificate to the VPN client.
"easy-rsa" tools also work on the UC-7400 series.
Use build-key-server rather than build-key for the server certificate: it adds the nsCertType=server extension, and a client configured with ns-cert-type server then refuses a handshake from a peer that presents a client certificate, which stops one compromised client from impersonating the server to the others. Every key stays on the machine it is for; ca.key stays on the machine that ran build-ca.
3-4-3 Configuration File Modification
txxserver.conf (xx = un or ap)
txxclient.conf (xx = un or ap)
In both files the "secret" line of the static-key setup is replaced by the ca, cert and key files from 3-4-2; the server additionally gets dh and tls-server, the client tls-client.
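The configuration files on the 3-2 and 3-4-3 slides were screenshots and did not survive extraction; as an added example that is not the Moxa material, here is a generator for the routed (tun) site-to-site pair of the 3-1 figure, first in static-key mode and then with the 3-4-3 modification to SSL/TLS using the 3-4-2 files. The addresses follow the 3-1 figure; the tunnel endpoints 10.8.0.1/10.8.0.2, the file names, the unprivileged user and the choice of cipher are assumptions of this example, and the TLS variant assumes the server certificate was built with build-key-server.

```shell
# Added example, not the screenshots from the slides: a generator for the
# 3-2 routed (tun) site-to-site pair, first in the static-key mode of 3-1
# and then with the 3-4-3 modification to SSL/TLS using the 3-4-2 files.
# Addresses follow the 3-1 figure; the tunnel endpoints 10.8.0.1/10.8.0.2,
# the file names and the unprivileged user are this example's assumptions.
SERVER_WAN=192.168.12.201        # ixp0 of the VPN server (gateway of LAN A)
LAN_A='10.0.1.0 255.255.255.0'
LAN_B='10.0.2.0 255.255.255.0'

# Directives shared by both ends and both modes: drop privileges once
# the tunnel is up, keep keys and the tun device across restarts so that
# the unprivileged process can recover, and notice a dead peer.
common_tun() {
    cat <<EOF
dev tun
proto udp
port 1194
cipher AES-128-CBC
auth SHA1
keepalive 10 60
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# gen_static_conf server|client -> the 3-1/3-2 static-key configuration.
# Both ends hold the same static.key from "openvpn --genkey --secret".
gen_static_conf() {
    common_tun
    echo 'secret static.key'
    if [ "$1" = server ]; then
        echo 'ifconfig 10.8.0.1 10.8.0.2'   # local tunnel address, then the peer's
        echo "route $LAN_B"                 # LAN B lies behind the peer
    else
        echo "remote $SERVER_WAN"          # 3-2: the client must name the server
        echo 'ifconfig 10.8.0.2 10.8.0.1'   # the same two addresses, swapped
        echo "route $LAN_A"
    fi
}

# gen_tls_conf server|client -> the 3-4-3 modification: the shared secret
# is replaced by the easy-rsa certificate files, Diffie-Hellman parameters
# on the server, and tls-auth so that packets without the HMAC key are
# dropped before the TLS handshake even starts.
gen_tls_conf() {
    common_tun
    echo 'ca ca.crt'
    if [ "$1" = server ]; then
        echo 'tls-server'
        echo 'cert server.crt'            # built with build-key-server
        echo 'key server.key'
        echo 'dh dh1024.pem'              # build-dh output; prefer 2048 bits today
        echo 'tls-auth ta.key 0'          # ta.key from "openvpn --genkey --secret ta.key"
        echo 'ifconfig 10.8.0.1 10.8.0.2'
        echo "route $LAN_B"
    else
        echo 'tls-client'
        echo "remote $SERVER_WAN"
        echo 'cert client.crt'
        echo 'key client.key'
        echo 'tls-auth ta.key 1'
        echo 'ns-cert-type server'        # refuse a peer that presents a client certificate
        echo 'ifconfig 10.8.0.2 10.8.0.1'
        echo "route $LAN_A"
    fi
}

# write_confs <dir> -> tunserver.conf/tunclient.conf (static key) and
# tlsserver.conf/tlsclient.conf (certificates), ready for /etc/openvpn
write_confs() {
    mkdir -p "$1" || return 1
    gen_static_conf server > "$1/tunserver.conf"
    gen_static_conf client > "$1/tunclient.conf"
    gen_tls_conf server    > "$1/tlsserver.conf"
    gen_tls_conf client    > "$1/tlsclient.conf"
}
```

The two generators differ only in how the peer is authenticated; everything about addressing and routing is identical, which is the point of 3-4-3. Use openvpn --show-ciphers and --show-digests from 3-1 to confirm that the cipher and auth values are available on the UC before deploying the files.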
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple.
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability.
Demo Box Features
Software Block Diagram (figure not recoverable from the slide text)
Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration key
F5 Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier – Model name
ASUS – WL-107g
CNET – CWC-854 (181D version)
Edimax – EW-7108PCg
Amigo – AWP-914WG
Gigabyte – GN-WMKG
Others which use the Ralink ("R-Link" on the slide) chipset
Thank You
Debugging with GDB
Step 1 [PC, Moxa bash shell]: compile the program with the -ggdb option, then upload it to the UC.
Step 2 [UC]: make it executable and start it under gdbserver:
chmod +x hello-debug
gdbserver 192.168.3.127:2000 hello-debug
Process hello-debug created; pid = 206
Step 3 [PC, Insight]: run the GDB client
• open the hello-debug file
• connect to target: GDB server, TCP, 192.168.3.200, port 2000
gdbserver accepts the first connection that reaches port 2000 without any authentication and gives it full control of the process, so do this on the isolated lab network only and stop gdbserver when the session is over.
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1 Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
"Netfilter" looks at the packet headers (and, with the state match, at the connection a packet belongs to), not at the application payload
iptables is currently one of many firewall/NAT solutions; it is the administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
3rd-generation firewall on Linux
– "ipfwadm" on Linux kernel 2.0.x
– "ipchains" on Linux kernel 2.2.x
– "ipchains" / "iptables" on Linux kernel 2.4.x
– "iptables" on Linux kernel 2.6.x
Supports basic packet filtering as well as connection state tracking
UC-7110 / UC-7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
Figure – first match: a packet is tested against Rule 1; on a match its Action 1 is taken and evaluation stops, otherwise Rule 2 is tested, and so on through Rule 10; a packet that matches no rule gets the chain's default policy.
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all the non-WWW packets
With the order changed:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
192.168.1.100 is now able to use the WWW service, or to attack the WWW service port: Rule 1 accepts its port-80 packets before Rule 2 is ever consulted. The first matching rule decides, so specific denies go before general permits; the same applies when a rule is appended later with -A (it lands last) rather than inserted with -I (it lands first).
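A few lines of POSIX shell that evaluate a rule list the way a filter chain does, first match wins and the default policy decides the rest, as an added example that is not part of the Moxa slides. It reproduces the two orderings of the 2-1 slide; the rule format "src dport action" with "any" as a wildcard is this example's own notation, not iptables syntax.

```shell
# Added example, not from the deck: first-match evaluation of a rule
# list, as a filter chain does it. The rule format "src dport action"
# (with "any" as a wildcard) is this example's own, not iptables syntax.
POLICY=DROP

# first_match <src-ip> <dport> <rules>: <rules> is a newline-separated
# list of "src dport action". Prints the action of the first rule whose
# source and destination port both match, or the policy if none does.
first_match() {
    src=$1; dport=$2
    while read -r r_src r_dport r_action; do
        [ -n "$r_src" ] || continue
        if { [ "$r_src" = any ] || [ "$r_src" = "$src" ]; } &&
           { [ "$r_dport" = any ] || [ "$r_dport" = "$dport" ]; }; then
            echo "$r_action"
            return 0                      # stop here; later rules are never consulted
        fi
    done <<EOF
$3
EOF
    echo "$POLICY"
}

# Ordering 1 (slide, correct): block the attacker before the WWW permit.
GOOD='192.168.1.100 any DROP
any 80 ACCEPT
any any DROP'

# Ordering 2 (slide, wrong): the WWW permit comes first and shadows the block.
BAD='any 80 ACCEPT
192.168.1.100 any DROP
any any DROP'

first_match 192.168.1.100 80 "$GOOD"   # DROP
first_match 192.168.1.100 80 "$BAD"    # ACCEPT: the attacker still reaches port 80
first_match 192.168.1.7 80 "$GOOD"     # ACCEPT
first_match 192.168.1.7 22 "$GOOD"     # DROP
```

The same evaluation is what iptables -L shows from top to bottom for each chain; reading a rule set in that order, and asking for each packet which line is the first to match, is the quickest way to spot a shadowed rule.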
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets: the place where we actually take action against packets, look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content
1 INPUT chain – packets entering the local host
2 OUTPUT chain – packets leaving from the local host
3 FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets: to translate the packet's source field or destination field
1) PREROUTING chain – translates the destination IP address (DNAT), before the routing decision
2) POSTROUTING chain – works after the routing process and before the packet leaves the Ethernet device, to translate the source IP address (SNAT, MASQUERADE)
3) OUTPUT chain – DNAT for locally generated packets
Only the first packet of a connection traverses the nat table; the decision is stored in the connection tracking entry and applied to the rest of the connection in both directions.
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
Incoming packets → NAT table PREROUTING → (routing decision) → filter table INPUT → local process
2-3-2 Source: Local Host
Local process → NAT table OUTPUT → filter table OUTPUT → NAT table POSTROUTING → packets sent out
2-3-3 Forwarded Packets
Incoming packets → NAT table PREROUTING → (routing decision) → filter table FORWARD → NAT table POSTROUTING → other hosts
Forwarded packets never pass INPUT or OUTPUT, so a rule on INPUT does not protect the hosts behind a UC used as a gateway; those need FORWARD rules.
2-4 State Machine
(The state machine figure did not survive the slide export; the states it shows are the ones listed in 3-3-3: NEW, ESTABLISHED, RELATED and INVALID, as seen by connection tracking.)
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible; the ipchains module must not be loaded at the same time as ip_tables.
Check the current tables: iptables [-t table] -L -n (-n stops iptables from resolving every address to a name, which is slow and sends a DNS query per rule)
Default policy: shown in the "policy" field of each chain header in the -L output
3-1 Install iptables
Clear the current rules (flush, the -F option) before loading a new set, so that old rules do not linger ahead of the new ones.
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
Set a DROP policy only after the rules that keep the management connection alive are in place (loopback, ESTABLISHED,RELATED, and the port you are logged in on); on a remote UC a DROP policy alone locks you out until a reset.
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R [direction (chain)] [match] -j [target]
Three major things need to be considered: the direction (chain), the match and the target.
-A appends the rule at the end of the chain, -I inserts it at the top (or at a given position), -D deletes a matching rule, -R replaces the rule at a position; with first-match evaluation, -A and -I of the same rule behave very differently.
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches – Conditions
1 -p [proto]: tcp, udp, icmp, all
2 -s [IP], -d [IP] (an address or a network in CIDR form)
3 --sport [port], --dport [port] (a single port or a range low:high; requires -p tcp or -p udp)
4 -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5 -m multiport --ports [p1,p2,…,p15]
6 -i [iface], -o [oface] (-i only in INPUT, FORWARD and PREROUTING; -o only in OUTPUT, FORWARD and POSTROUTING)
7 … etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING/OUTPUT)
c. mangle table: …
REJECT answers with an ICMP error (or a TCP RST) where DROP stays silent; DROP costs a scanner time, REJECT gives your own clients an immediate error. MIRROR, which bounces the packet back to its sender, was removed from later kernels and should not be used.
3-4 Save / Restore Rules
iptables-save writes the current rule set to standard output and iptables-restore loads such a file in one step. It is highly recommended to maintain the Netfilter rules in a script file rather than editing the exported file by hand (it is not a standard shell script). Please refer to the Hands-On practice.
4) Hands-On Practice
1) Packet Filter
2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Appended in this order, Example 4 never fires: 192.168.1.25 is inside 192.168.1.0/24 and Example 3 has already accepted it (first match, 2-1). Insert the DROP with -I, or add it before the network rule.
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with destination port 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from IP 192.168.0.0/24 to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
137:139 is a port range. The NetBIOS name and datagram services (137, 138) also use UDP, so a matching -p udp rule is needed if those are to work through the filter, not only the TCP session service on 139.
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA, Diffie-Hellman
[Diagram: clear text is turned into an unreadable cipher text by encryption]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (recipient's key pair)]
Confidentiality check

1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (sender's key pair)]
Authenticity check
1-6 Digital Signature
Real world: hybrid
1) Data integrity
2) Authenticity
3) Non-repudiation
4) Algorithm: use the public key and a hash

1-6 Digital Signature - Creating
• Calculate a short message digest from even a long input using a one-way message digest function (hash)
[Diagram: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) into a message digest (typically 128 bits); the digest is encrypted with the signatory's private key (RSA, asymmetric encryption) to form the digital signature; message plus signature make up the signed document]

1-6 Digital Signature - Verifying
[Diagram: the data part of the signed document is hashed again to generate a message digest; the digital signature is decrypted with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared]

1-6 Digital Signature
[Diagram: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to form the digital signature; Bob decrypts the signature with Tom's public key to recover Message Digest 1, hashes the received data to Message Digest 2 and compares the two]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates its own key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user]
• Right cert signed by CA
• Left cert signed by CA
• CA public key signed by CA (self-signed)
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key; Left and Right both trust the CA public key; Left holds its own private key and the Left cert signed by the CA; Right holds its own private key and the Right cert signed by the CA]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair; the clear text is encrypted twice (Cipher 1, then Cipher 2) with the keys of the two pairs, transmitted over the public network, and decrypted in reverse order with the matching keys to recover the clear text]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code

1-8-1 Moxa Accelerated Algorithm - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput and RATE of 3DES-CBC and AES128-CBC, software cipher versus hardware cipher ("= HW Cipher"), plotted against packet size (x axis 128 to 1280 in the first pair of charts, 16 to 144 in the second pair)]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any misconfiguration or busy state causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the use of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4, Windows XP SP1 or later

2-2 Why OpenVPN
Peers - each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Diagram: packet layout HMAC | IV | SeqN | IP payload; the SeqN and payload part is encrypted, and the HMAC protects the packet]
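A Python model of the static-key packet layout above, added as an illustration and not code from the slides or from OpenVPN itself: each packet is HMAC || IV || Enc(SeqN || payload), and the receiver checks the HMAC before decrypting, then rejects any sequence number it has already accepted (replay). It assumes the HMAC covers the IV and the encrypted part; the keys are constructed values, HMAC-SHA256 plays the HMAC, and a SHA-256 counter keystream stands in for the real block cipher.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo keys (a real static-key setup uses the file written by
# "openvpn --genkey --secret"); never reuse these values outside this example.
CIPHER_KEY = bytes(range(32))
HMAC_KEY = bytes(range(32, 64))
IV_LEN = 16   # random IV per packet, sent in clear
SEQ_LEN = 8   # 64-bit sequence number, carried inside the encrypted part
TAG_LEN = 32  # HMAC-SHA256 output


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256. This is a stand-in for the
    block cipher (for example AES-CBC) that OpenVPN really uses; the framing
    and the order of the checks are what this example demonstrates."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_packet(seq: int, payload: bytes, iv: bytes = None) -> bytes:
    """Sender side: HMAC || IV || Enc(SeqN || payload).
    The HMAC is computed over IV and ciphertext (encrypt-then-MAC), so the
    receiver can reject forged or modified packets before decrypting."""
    if iv is None:
        iv = os.urandom(IV_LEN)
    plain = struct.pack(">Q", seq) + payload
    cipher = xor_bytes(plain, keystream(CIPHER_KEY, iv, len(plain)))
    tag = hmac.new(HMAC_KEY, iv + cipher, hashlib.sha256).digest()
    return tag + iv + cipher


class Receiver:
    """Receiver side: verify the HMAC first, then decrypt, then require the
    sequence number to be higher than the last one accepted (anti-replay)."""

    def __init__(self) -> None:
        self.last_seq = -1

    def receive(self, packet: bytes) -> bytes:
        if len(packet) < TAG_LEN + IV_LEN + SEQ_LEN:
            raise ValueError("packet too short")
        tag = packet[:TAG_LEN]
        iv = packet[TAG_LEN:TAG_LEN + IV_LEN]
        cipher = packet[TAG_LEN + IV_LEN:]
        expected = hmac.new(HMAC_KEY, iv + cipher, hashlib.sha256).digest()
        # Constant-time comparison; a mismatch means tampering or a wrong key.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad HMAC: packet modified or wrong key")
        plain = xor_bytes(cipher, keystream(CIPHER_KEY, iv, len(cipher)))
        seq = struct.unpack(">Q", plain[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            raise ValueError(f"replay: sequence number {seq} already seen")
        self.last_seq = seq
        return plain[SEQ_LEN:]


def try_receive(receiver: Receiver, packet: bytes):
    """Returns (payload, None) when accepted, or (None, reason) when rejected."""
    try:
        return receiver.receive(packet), None
    except ValueError as exc:
        return None, str(exc)


def demo() -> list:
    """Walk through a good packet, a replayed copy and a tampered packet."""
    rx = Receiver()
    first = build_packet(1, b"constructed IP payload 1")
    tampered = bytearray(build_packet(2, b"constructed IP payload 2"))
    tampered[-1] ^= 0x01  # flip one ciphertext bit; the HMAC check must fail
    return [
        try_receive(rx, first),            # accepted
        try_receive(rx, first),            # same packet again: replay
        try_receive(rx, bytes(tampered)),  # modified: bad HMAC
        try_receive(rx, build_packet(2, b"constructed IP payload 2")),
    ]


if __name__ == "__main__":
    for payload, reason in demo():
        print("accepted" if reason is None else f"rejected ({reason})", payload)
```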
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram: the OSI layers (Physical, Data-Link, Network, Transport, Session, Presentation, Application) of both peers; OpenVPN runs at the application layer and the TUN device sits at layer 3]

2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1) Point-to-point
2) Easier to configure
3) Efficiency and scalability
4) Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1) Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2) Routes must be set up linking each subnet
3) Software that depends on broadcasts will not see the machines on the other side of the VPN
4) Works only with IPv4 in general, and with IPv6 only where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0

2-3-2 Bridged Ethernet Mode (TAP Mode)
  brctl addbr br0        # create an Ethernet bridge
  brctl addif br0 eth1   # connect interface eth1 as a port
  brctl addif br0 tap0   # connect virtual interface tap0 as a port
[Diagram: the OSI layers of both peers; OpenVPN runs at the application layer, with bridging at layer 2 (TAP) instead of layer 3 (TUN); on each host eth1 and tap0 are bridged, while eth0 carries the tunnel]

2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1) Point-to-point, point-to-multipoint
2) Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3) No route statements to configure
4) Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5) Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1) Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Diagram: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) and LAN B (IP 10.0.2.1/24, gw 10.0.2.254) joined by a VPN tunnel; the VPN server (10.0.1.254, ixp0 192.168.12.201, also the CA/TLS server) and the VPN client (10.0.2.254, ixp0 192.168.12.202) connect over ixp0, with ixp1 facing each LAN]
3-1 Getting Started
• Create a working directory (recommended)
  mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there
  mknod /dev/tun c 10 200
• Load the necessary modules
  modprobe tun
  modprobe bridge
• Generate a (pre-shared) key
  openvpn --genkey --secret [KeyName]
• Self diagnostic
  openvpn --test-crypto --secret [KeyName]

3-1 Getting Started
• Enable IP forwarding
  echo "1" > /proc/sys/net/ipv4/ip_forward
  or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script
  openvpn-bridge [start | stop | restart]
• Check the cipher/authentication support
  openvpn --show-ciphers
  openvpn --show-digests
• Create the TUN configuration files
  vi /etc/openvpn/tun/server.conf
  [At VPN Client] vi /etc/openvpn/tun/client.conf
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client

3-2 TUN Server Configuration
• Edit the static routings
  vi /etc/openvpn/tun/server.sh
  chmod +x /etc/openvpn/tun/server.sh
  [At VPN Client] vi /etc/openvpn/tun/client.sh; chmod +x /etc/openvpn/tun/client.sh
• Start OpenVPN with the configuration file
  openvpn --config /etc/openvpn/tun/server.conf &
  openvpn --config /etc/openvpn/tun/client.conf &
• The 2nd argument of "ifconfig", which is now "10.0.2.254"
• Create the TAP configuration files
  vi /etc/openvpn/tap/server.conf
  [At VPN Client] vi /etc/openvpn/tap/client.conf
3-3 TAP Configuration - VPN Server
• Mark (comment out) this line if both VPN networks are in the same subnet

3-3 TAP Configuration - VPN Server
• Edit the static routings
  vi /etc/openvpn/tap/server.sh
  [At VPN Client] vi /etc/openvpn/tap/client.sh; chmod +x /etc/openvpn/tap/client.sh
• Pointed to the kernel routing: br0 = 10.0.1.254

3-3 TAP Configuration - VPN Server
• Start the bridge device
  vi /etc/openvpn/openvpn-bridge
  chmod +x /etc/openvpn/openvpn-bridge
  /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file
  openvpn --config /etc/openvpn/tap/server.conf &
  openvpn --config /etc/openvpn/tap/client.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC
  vi /usr/share/ssl/openssl.cnf (pre-input the default_days, default_bits, ... etc.)
• Create a new CA root key pair
  /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request
  /usr/share/ssl/misc/CA -newreq
• Certificate signing
  /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certificated in the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory
  cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file
  vi /etc/openvpn/easy-rsa/vars
• Activate the vars
  . /etc/openvpn/easy-rsa/vars
• Create the CA root key
  /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate
  /etc/openvpn/easy-rsa/build-key server

3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate
  /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters
  /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series

3-4-3 Configuration File Modification
• txx/server.conf
• txx/client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM and keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3 Alarm Setting: Temperature → Voltage → burn-in throughput
• F4 Configuration key
• F5 Main menu
Apache Web with CGI and HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset
Thank You
Debugging with GDB
Step 3: PC Insight - run the GDB client
• Open the hello-debug file
• Connect to the target
  • GDB Server/TCP
  • 192.168.3.200
  • 2000
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1 Quick View of iptables
• A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
• "Netfilter" manages only the packet headers, not the content
• iptables is currently one of many firewall/NAT solutions: an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel

1 Quick View of iptables
• Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
• Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.

1 Quick View of iptables
• 3rd generation firewall on Linux
  - "ipfwadm" on Linux kernel 2.0.x
  - "ipchains" on Linux kernel 2.2.x
  - "ipchains" / "iptables" on Linux kernel 2.4.x
  - "iptables" on Linux kernel 2.6.x
• Supports basic packet filtering as well as connection state tracking
• UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Flowchart: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches (Yes) applies its action (Action 1, Action 2, ... Action 10); if no rule matches (No), the default policy applies]

2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets

Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
→ 192.168.1.100 is able to use the WWW service, or to attack the WWW service port
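A small Python model of the first-match algorithm, added here and not part of the slides: it evaluates the two rule orderings above against sample packets and shows that the attacker's web traffic is dropped by rule 1 in the first ordering but accepted by rule 1 in the second, before the drop rule is ever consulted. Packet, Rule and the two rule sets are constructed for the example, not iptables output.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str        # source IP address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port (0 for protocols without ports)


@dataclass
class Rule:
    """One rule of a chain. A None field matches anything, like leaving
    -s / -p / --dport off the iptables command line."""
    target: str                # "ACCEPT" or "DROP"
    src: Optional[str] = None  # host or network, e.g. "192.168.1.0/24"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """First-match semantics: the first rule that matches decides and every
    later rule is ignored; the chain's default policy applies if none match.
    Returns (target, 1-based rule number) or (policy, None)."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, number
    return policy, None


# The two orderings from the slide (constructed rule sets).
ATTACKER = "192.168.1.100"
BLOCK_FIRST = [
    Rule("DROP", src=ATTACKER),             # Rule 1: drop the attacker
    Rule("ACCEPT", proto="tcp", dport=80),  # Rule 2: accept WWW from all hosts
    Rule("DROP"),                           # Rule 3: drop all non-WWW packets
]
ACCEPT_FIRST = [
    Rule("ACCEPT", proto="tcp", dport=80),  # Rule 1: accept WWW from all hosts
    Rule("DROP", src=ATTACKER),             # Rule 2: never reached for WWW traffic
    Rule("DROP"),                           # Rule 3: drop all non-WWW packets
]


def compare_orderings(chains: Dict[str, List[Rule]], packets: List[Packet]):
    """Run the same packets through each chain and collect the verdicts,
    so the effect of rule order is visible side by side."""
    return {name: [verdict(chain, pkt) for pkt in packets]
            for name, chain in chains.items()}


if __name__ == "__main__":
    samples = [
        Packet(ATTACKER, "tcp", 80),       # attacker hitting the web port
        Packet("192.168.1.7", "tcp", 80),  # legitimate web client
        Packet("192.168.1.7", "tcp", 22),  # non-WWW traffic
    ]
    chains = {"block first": BLOCK_FIRST, "accept first": ACCEPT_FIRST}
    for name, results in compare_orderings(chains, samples).items():
        print(name, results)
```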
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table

2-2-1 Filter Table
• Mainly used for filtering packets: the place where we actually take action against packets, look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content
1) INPUT chain - packets entering the local host
2) OUTPUT chain - packets output from the local host
3) FORWARD chain - packets forwarded to other hosts

2-2-2 NAT Table
• Used for NAT on different packets, to translate the packet's source field or destination field
1) PREROUTING chain - to translate the destination IP address (DNAT)
2) POSTROUTING chain - works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain - works on locally generated packets

2-2-3 Mangle Table
• This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1) PREROUTING chain
2) POSTROUTING chain
3) INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine

2-3-1 Destination Local Host
[Flow: Incoming packets → NAT table PREROUTING → Filter table INPUT → Local process]

2-3-2 Source Local Host
[Flow: Local process → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Outgoing packets sent out]

2-3-3 Forwarded Packets
[Flow: Incoming packets → NAT table PREROUTING → Filter table FORWARD → NAT table POSTROUTING → Other hosts]

2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
• Note: ipchains and iptables are not compatible

3-1 Load iptables Module
• Check the current tables
  iptables [-t table] [-L] [-n]
• Default policy

3-1 Install iptables
• Clear the current policy

3-2 Define Default Policy
  iptables -t [filter | nat | mangle] -P [INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING] [ACCEPT | DROP]

3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace
  iptables -t [filter | nat | mangle] [-A | -I | -D | -R] <direction> <match> -j <target>
• Three major things need to be considered: direction, match, target

3-3-2 Direction - Chains
a) filter table: INPUT, OUTPUT, FORWARD
b) nat table: PREROUTING, POSTROUTING, OUTPUT
c) mangle table: ...

3-3-3 Matches - Conditions
1) -p [proto]: tcp, udp, icmp, all
2) -s [IP], -d [IP]
3) --sport [port], --dport [port]
4) -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5) -m multiport [p1,p2,...,p15]
6) -i [iface], -o [oface]
7) ... etc.

3-3-4 Targets - Actions
a) filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b) nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c) mangle table: ...

3-4 Save/Restore Rules
• It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
  1) Packet Filter
  2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all the packets incoming from the lo interface
  iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT

4-1 Packet Filter - Rules of filter table
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP

4-1 Packet Filter - Rules of filter table
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
  iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT

4-1 Packet Filter - Rules of filter table
Example 7 - Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
  iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
  Note: UC7110 does not support the target "LOG"

4-1 Packet Filter - Rules of filter table
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
  iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
  iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
  iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - ICMP "ping" burst
  iptables -t filter -P INPUT DROP
  iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT

4-1 Packet Filter - Rules of filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
  iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP

4-1 Packet Filter - Rules of filter table
Example 13 - Check the packet integrity
  iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "passive mode" FTP service to a host
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of nat table
Example 1 - Redirect the connection requests of port 80 to port 8080
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the incoming packets from 192.168.1.0/24 to be the local ppp0's IP
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
  iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin

OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate
[Figure: the Certification Server (CA) generates a key pair (Priv, pub). The user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert); the private key and the certificate are sent to the user.]
1-7-1 CA Certificate Example
[Figure: the CA holds the CA Private Key and the CA Pub Key (signed by the CA itself). Left holds its Priv Key, the Left Cert signed by the CA, and the CA Pub Key; Right holds its Priv Key, the Right Cert signed by the CA, and the CA Pub Key. Left and Right trust each other's certificate because both are signed by the CA.]
1-7-2 SSL/TLS
[Figure: each side holds a key pair (Priv, pub) and the peer's public key. Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → transmission over the public network → Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text.]
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four throughput charts, hardware cipher versus software, rate (y-axis) against packet size in bytes (x-axis): 3DES-CBC and AES-128-CBC for 128 to 1280 bytes, and again for 16 to 144 bytes. Legend: = HW Cipher]
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration, or the engine being busy, causes the switch
Small packets are switched to the software approach:
• DES: packets smaller than 128 bytes
• 3DES/AES: packets smaller than 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
VPNs encrypt all network traffic, not just a few application protocols (like SSL, SSH, etc.)
VPNs allow the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Makes use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• Offers a choice between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | encrypt( SeqN | IP payload ); the HMAC is computed over the IV and the encrypted part.]
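The packet layout above, built and checked end to end as an added example that is not OpenVPN's code: the HMAC covers the IV plus ciphertext and is verified before anything is decrypted, and the 64-bit sequence number is checked against a replay window. The cipher is a stand-in keystream derived with HMAC-SHA256 (the UC-7400 would use the DES/AES-CBC routines listed in 1-8-1); keys, payloads and the window size are constructed for the demo.

```python
"""Added example (not OpenVPN's implementation): an OpenVPN-style data packet
[HMAC | IV | encrypt(SeqN || payload)] with authenticate-then-decrypt and a
sequence-number replay check. Keys and values below are constructed."""
import hashlib
import hmac
import os
import struct

HMAC_KEY = b"constructed-hmac-key-for-demo"
CIPHER_KEY = b"constructed-cipher-key-for-demo"
IV_LEN = 16
MAC_LEN = 20          # HMAC-SHA1 output, OpenVPN's default auth digest
REPLAY_WINDOW = 64    # sequence numbers older than highest-64 are rejected


def keystream(iv, length):
    """Stand-in cipher: HMAC-SHA256 keyed with CIPHER_KEY, run in counter mode."""
    out = b""
    for counter in range((length + 31) // 32):
        block = iv + struct.pack(">I", counter)
        out += hmac.new(CIPHER_KEY, block, hashlib.sha256).digest()
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_packet(seq, payload, iv=None):
    """Sender side: randomize IV, encrypt SeqN||payload, HMAC over IV||ciphertext."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    plain = struct.pack(">Q", seq) + payload          # 64-bit SeqN || payload
    ct = xor(plain, keystream(iv, len(plain)))
    mac = hmac.new(HMAC_KEY, iv + ct, hashlib.sha1).digest()
    return mac + iv + ct


class Receiver:
    """Receiver side: drop forged, modified or replayed packets."""

    def __init__(self):
        self.highest = -1
        self.seen = set()   # grows without bound; fine for a demo

    def accept(self, pkt):
        """Return (seq, payload) for a valid fresh packet, None to drop it."""
        if len(pkt) < MAC_LEN + IV_LEN + 8:
            return None
        mac = pkt[:MAC_LEN]
        iv = pkt[MAC_LEN:MAC_LEN + IV_LEN]
        ct = pkt[MAC_LEN + IV_LEN:]
        expected = hmac.new(HMAC_KEY, iv + ct, hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):
            return None                       # authenticate before decrypting
        plain = xor(ct, keystream(iv, len(ct)))
        seq = struct.unpack(">Q", plain[:8])[0]
        if seq in self.seen or seq + REPLAY_WINDOW <= self.highest:
            return None                       # replayed or outside the window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        return seq, plain[8:]


if __name__ == "__main__":
    rx = Receiver()
    pkt = build_packet(1, b"ping")
    print(rx.accept(pkt))      # (1, b'ping')
    print(rx.accept(pkt))      # None: replay of the same sequence number
```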
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Figure: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) facing each other; OpenVPN runs at the Application layer and the TUN device attaches at layer 3 (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          create an Ethernet bridge
brctl addif br0 eth1     connect interface eth1 as a port
brctl addif br0 tap0     connect virtual interface tap0 as a port
[Figure: two OSI stacks facing each other; OpenVPN runs at the Application layer, the TAP device attaches at layer 2 (Data-Link) and TUN at layer 3 (Network). On each side eth0 carries the tunnel while eth1 and tap0 are bridged.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point to point, point to multi-point
2. Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201. LAN B (IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN Client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The client connects to the server through the VPN tunnel; the server also acts as the CA/TLS server.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN Client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf & (server); openvpn --config /etc/tunclient.conf & (client)
The 2nd argument of the "ifconfig" directive, which is now "10.0.2.254"
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routes: vi /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (server); openvpn --config /etc/openvpn/tapclient & (client)
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, … etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN Server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN Client private key and certificate: /etc/openvpn/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN Server
Copy the CA certificate, the client key and the client certificate to the VPN Client
The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the R-Link chipset
Thank You
iptables Introduction
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
1 Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
"Netfilter" manages only the packet headers, not the content
iptables is currently one of many firewall/NAT solutions: an administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
1 Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table
1 Quick View of iptables
3rd generation firewall on Linux
– "ipfwadm" on Linux kernel V2.0.X
– "ipchains" on Linux kernel V2.2.X
– "ipchains", "iptables" on Linux kernel V2.4.X
– "iptables" on Linux kernel V2.6.X
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
[Figure: packets are tested against Rule 1, Rule 2, … Rule 10 in order. The first rule that matches ("Yes") applies its action (Action 1, Action 2, … Action 10) and no later rule is consulted; a packet that matches no rule ("No" all the way down) gets the Default Policy.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
With the order changed:
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
192.168.1.100 is now able to use the WWW service, or to attack the WWW service port, because Rule 1 already accepted it
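The first-match rule from the two orderings above, run as an added example that is not Moxa's material: a small evaluator walks a chain in order the way Netfilter does and returns the first matching target, or the chain's default policy. The packet and rule structures are constructed for the demo and are not iptables syntax; the example also covers a packet that matches no rule and a chain with a DROP policy.

```python
"""Added example (not Moxa's code): first-match evaluation of a filter chain.
Rules and packets are constructed dictionaries, not real iptables objects."""
from ipaddress import ip_address, ip_network


def make_rule(src=None, dport=None, target="ACCEPT"):
    """A rule matches on an optional source network and an optional dst port."""
    return {"src": ip_network(src) if src else None,
            "dport": dport, "target": target}


def matches(rule, pkt):
    if rule["src"] is not None and ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dport"] is not None and pkt["dport"] != rule["dport"]:
        return False
    return True


def evaluate(chain, pkt, policy="ACCEPT"):
    """Verdict of the first matching rule; later rules are never consulted.
    A packet that matches nothing gets the chain's default policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Ordering 1 from the slide: the attacker is dropped before the WWW accept rule.
CHAIN_BLOCK_FIRST = [
    make_rule(src="192.168.1.100/32", target="DROP"),   # Rule 1
    make_rule(dport=80, target="ACCEPT"),               # Rule 2
    make_rule(target="DROP"),                           # Rule 3: everything else
]

# Ordering 2: the general accept comes first, so for port 80 the DROP is dead.
CHAIN_ACCEPT_FIRST = [
    make_rule(dport=80, target="ACCEPT"),               # Rule 1
    make_rule(src="192.168.1.100/32", target="DROP"),   # Rule 2
    make_rule(target="DROP"),                           # Rule 3
]

# Constructed sample packets.
ATTACKER_WWW = {"src": "192.168.1.100", "dport": 80}
CLIENT_WWW = {"src": "192.168.1.20", "dport": 80}
CLIENT_SSH = {"src": "192.168.1.20", "dport": 22}

if __name__ == "__main__":
    for name, chain in (("block first", CHAIN_BLOCK_FIRST),
                        ("accept first", CHAIN_ACCEPT_FIRST)):
        print(name, "attacker->80:", evaluate(chain, ATTACKER_WWW))
    # block first attacker->80: DROP / accept first attacker->80: ACCEPT
```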
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field
1) PREROUTING chain – to translate the dst IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
[Figure: Incoming Packets → NAT table PREROUTING → Filter table INPUT → Local Process]
2-3-2 Source Local Host
[Figure: Local Process → Outgoing Packets → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Send Out Packets]
2-3-3 Forwarded Packets
[Figure: Incoming Packets → NAT table PREROUTING → Filter table FORWARD → NAT table POSTROUTING → Other Hosts; packets addressed to a local resource leave this path after PREROUTING]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Modules
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t [filter | nat | mangle] -P [INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING] [ACCEPT | DROP]
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter | nat | mangle] [-A | -I | -D | -R] <direction> <match> -j <target>
3 major things need to be considered: the direction, the match and the target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of the filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 7 – Log all the incoming/outgoing TCP packets with to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter – Rules of the filter table
Example 8 – Drop all the [syn] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of the filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets coming from 192.168.1.0/24 to be local ppp0's IP (MASQUERADE is only valid in the POSTROUTING chain, see 3-3-4)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: (n-1)n/2 keys
DES/3DES/AES/Blowfish
[Figure: Tom encrypts the Plaintext with the Secret Key to get the Ciphertext; Bob decrypts it with the same Secret Key to recover the Plaintext.]
1-3 Hash (Digest) Function
Ensure data integrity
MD5/SHA-1
[Figure: Tom computes Message Digest 1 of the Data with a Hash Function and sends Data + Message Digest 1; Bob computes Message Digest 2 of the received Data with the same Hash Function and compares it with Message Digest 1.]
1-4 Message Authentication Code
Ensure the data integrity
Use a key to protect the MAC
HMAC/CBC-MAC
[Figure: Tom hashes the Data to Message Digest 1, encrypts it with the Secret Key to form the MAC and sends MAC + Data; Bob hashes the Data to Message Digest 2, decrypts the MAC with the Secret Key to recover Message Digest 1 and compares the two.]
1-5 Asymmetric Encryption
Things to remember
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "Public Key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
• The two keys are interchangeable. All algorithms make no difference between public and private key. When a key pair is generated, any of the two can be public or private
• Less efficient than Static Key
• RSA/Diffie-Hellman
[Figure: Clear text → Encryption → cipher text "g$5knvMd'rkvegMs"]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the Plaintext with Bob's Public Key; Bob decrypts the ciphertext with Bob's Private Key (the recipient's key pair). Confidentiality check.]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the Plaintext with Tom's Private Key; Bob decrypts the ciphertext with Tom's Public Key (the sender's key pair). Authenticity check.]
1-6 Digital Signature
Real world – hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – use the public key and a hash
1-6 Digital Signature - Creating
[Figure: Message or File ("This is the document created by Gianni") → Message Digest → Digital Signature ("Py75cbn") → Signed Document ("3kJfgf£$&").]
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: a pre-shared key (from openvpn --genkey) is used directly for encryption and HMAC
• SSL/TLS: SSL/TLS with certificates is used for authentication and key exchange; the data-channel keys are then negotiated per session
The encrypted data-channel packet is formatted as
  HMAC | IV | encrypt( SeqN | IP packet payload )
• SeqN: 64-bit sequence number (packet ID), used for replay protection
• IV: plaintext initialization vector, randomized per packet
• The HMAC is computed over the IV and the encrypted part (encrypt-then-MAC), so the receiver rejects a tampered or forged packet before decrypting it, and a packet whose SeqN was already seen is dropped as a replay
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly (a single UDP or TCP port)
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device: a virtual point-to-point IP link that connects the inner (LAN) interface to the tunnel.
Uses the kernel routing table to forward packets into and out of the tunnel.
[Diagram: the OSI stacks of both hosts (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer and hands packets to the kernel through the TUN device at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
Bridge tools (brctl) are required to join the adapters into a bridge.
A script is needed to bind eth1 and tap0 together into a bridged device called br0:
  brctl addbr br0         # create an Ethernet bridge
  brctl addif br0 eth1    # connect interface eth1 as a port
  brctl addif br0 tap0    # connect virtual interface tap0 as a port
(The bridge br0, not eth1, then carries the LAN IP address, e.g. 10.0.1.254 on the server side.)
[Diagram: the OSI stacks of both hosts; OpenVPN attaches at layer 2 (Data-Link) through the TAP device; on each side eth1 and tap0 are bridged, while eth0 carries the tunnel traffic]

2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works where the VPN needs to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
2. Every broadcast on either LAN crosses the tunnel, so the bridged segments should be kept small and the tap interface firewalled like any other LAN port
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys
3-1 Getting Started
[Diagram: lab topology]
  LAN A (10.0.1.0/24): hosts 10.0.1.1/24 with gw 10.0.1.254
    [VPN Server]  ixp1 = 10.0.1.254   ixp0 = 192.168.12.201
  LAN B (10.0.2.0/24): hosts 10.0.2.1/24 with gw 10.0.2.254
    [VPN Client]  ixp1 = 10.0.2.254   ixp0 = 192.168.12.202
  The VPN tunnel runs between the two ixp0 addresses; the client initiates the connection to the server.
  [CA/TLS Server]: the machine that issues the certificates used in 3-4.
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]
  The key file must be copied to the peer over a secure channel (e.g. scp) and kept readable by root only; anyone holding it can decrypt and inject tunnel traffic.
Self diagnostic: openvpn --test-crypto --secret [KeyName]

3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At the VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
Local/remote VPN IP addresses must be specified (the two arguments of "ifconfig": local tunnel address first, remote second).
It is NECESSARY to specify the server address ("remote") at the VPN client.

3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file:
  openvpn --config /etc/openvpn/tunserver.conf &
  [At the VPN client] openvpn --config /etc/openvpn/tunclient.conf &
In the server configuration the 2nd argument of "ifconfig" is 10.0.2.254, the client's tunnel address; the client configuration lists the same two addresses in the opposite order.
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At the VPN client] vi /etc/openvpn/tapclient.conf

3-3 TAP Configuration: VPN Server
Comment out the route line if both VPN networks are in the same subnet (a bridged VPN makes them one broadcast domain, so no route is needed).

3-3 TAP Configuration: VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh
[At the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
The routes point at the bridge, which now owns the LAN address: br0 = 10.0.1.254

3-3 TAP Configuration: VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file:
  openvpn --config /etc/openvpn/tapserver.conf &
  [At the VPN client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS: Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
Create a new CA root key pair and self-signed CA certificate: /usr/share/ssl/misc/CA -newca (the CA.sh/CA.pl helper script shipped with OpenSSL)
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the request with the CA: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client.
Have the second client certified the same way (-newreq, then -sign).
Only the CA certificate leaves the CA machine; the CA private key stays there, since whoever holds it can issue certificates that every VPN peer will trust.
3-4-2 OpenVPN "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server

3-4-2 OpenVPN "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (1024-bit, the size set by KEY_SIZE in vars)
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server.
Copy the CA certificate, client key and client certificate to the VPN client.
The "easy-rsa" tools also work on the UC-7400 series.

3-4-3 Configuration File Modification
t??server.conf and t??client.conf (tunserver/tapserver, tunclient/tapclient): replace the "secret" line with "ca", "cert" and "key" pointing at the files copied above, add "dh" and "tls-server" on the server and "tls-client" on the client.
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple.
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability.
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN IP → Wi-Fi IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration key
F5 Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible 802.11g wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset
Thank You
Agenda
1) Quick View of iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

1 Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel.
"Netfilter" classifies packets on their headers (addresses, ports, flags, connection state), not on the application content.
iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel.

1 Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.

1 Quick View of iptables
The 3rd-generation firewall on Linux:
  "ipfwadm" on Linux kernel 2.0.x
  "ipchains" on Linux kernel 2.2.x
  "ipchains" / "iptables" on Linux kernel 2.4.x
  "iptables" on Linux kernel 2.6.x
Supports basic packet filtering as well as connection state tracking.
The UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match: The Highest Priority
[Diagram: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order; the first rule that matches decides (Action 1, Action 2, ... Action 10) and no later rule is consulted; if no rule matches, the chain's default policy applies]

2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
  Rule 1: Drop the packets from 192.168.1.100
  Rule 2: Accept WWW request packets from all hosts
  Rule 3: Drop all non-WWW packets
With the order changed:
  Rule 1: Accept WWW request packets from all hosts
  Rule 2: Drop the packets from 192.168.1.100
  Rule 3: Drop all non-WWW packets
192.168.1.100 is still able to use the WWW service, i.e. to attack the WWW service port, because Rule 1 has already accepted its request before Rule 2 is reached.
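The first-match rule can be checked without a kernel. The following POSIX sh evaluator is an added example for this page, not part of the original slides: it applies the two rule orderings above to a few constructed packets. Rule sets are one rule per line, "source dport verdict", with "any" as a wildcard, and POLICY plays the role of the chain's default policy.

```shell
#!/bin/sh
# First-match evaluator for the two rule orderings above.
# Constructed rule sets: one rule per line, "source dport verdict";
# "any" is a wildcard. Rules are tested top to bottom and the first
# match decides, exactly like a Netfilter chain; POLICY is the chain's
# default policy, applied only when no rule matched.
POLICY=DROP

# Ordering 1: block the attacker first, then allow WWW for everyone.
RULES_BLOCK_FIRST='192.168.1.100 any DROP
any 80 ACCEPT
any any DROP'

# Ordering 2: the WWW allow rule comes first, so the block never fires.
RULES_ALLOW_FIRST='any 80 ACCEPT
192.168.1.100 any DROP
any any DROP'

# verdict RULESET SRC DPORT -> prints the verdict for one packet
verdict() {
    rules=$1 src=$2 dport=$3
    while read -r r_src r_dport r_verdict; do
        [ -n "$r_verdict" ] || continue            # skip blank lines
        if { [ "$r_src" = any ] || [ "$r_src" = "$src" ]; } &&
           { [ "$r_dport" = any ] || [ "$r_dport" = "$dport" ]; }; then
            printf '%s\n' "$r_verdict"
            return 0                              # first match wins; stop here
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$POLICY"                       # fell off the end of the chain
}

# Stand-alone demo: the same packets against both orderings.
for pkt in "192.168.1.100 80" "192.168.1.100 22" "192.168.1.5 80" "192.168.1.5 22"; do
    set -- $pkt
    printf '%-15s dport %-3s  block-first: %-6s allow-first: %s\n' \
        "$1" "$2" "$(verdict "$RULES_BLOCK_FIRST" "$1" "$2")" \
        "$(verdict "$RULES_ALLOW_FIRST" "$1" "$2")"
done
```

The attacker's request to port 80 is dropped under the first ordering and accepted under the second; every other packet gets the same verdict in both, which is why a misordered rule set is easy to miss in testing.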
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table

2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets, look at what they match, and ACCEPT, DROP, REJECT or LOG them accordingly.
1. INPUT chain: packets destined for the local host
2. OUTPUT chain: packets generated by the local host
3. FORWARD chain: packets routed through to other hosts

2-2-2 NAT Table
Used for network address translation: rewriting the source or destination field of packets.
1) PREROUTING chain: rewrites the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing decision and before the packet reaches the Ethernet device, rewriting the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: DNAT for locally generated packets
Only the first packet of a connection traverses the nat table; connection tracking then applies the same translation to the rest of the connection.

2-2-3 Mangle Table
This table is mainly used for mangling packets: the mangle targets can change the TOS (Type Of Service) and TTL fields, and can "MARK" packets for use by other rules or by the routing code.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine

2-3-1 Destination: Local Host
Incoming packets → NAT table PREROUTING → (routing decision) → Filter table INPUT → local process

2-3-2 Source: Local Host
Local process → (routing decision) → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → packets sent out

2-3-3 Forwarded Packets
Incoming packets → NAT table PREROUTING → (routing decision) → Filter table FORWARD → NAT table POSTROUTING → other hosts
(Forwarded packets never pass through the INPUT or OUTPUT chains, so rules for a NAT box's forwarded traffic belong in FORWARD.)

2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules

3-1 Load iptables Modules
Note: ipchains and iptables are not compatible; the ipchains module must not be loaded at the same time as ip_tables.

3-1 Load iptables Modules
Check the current tables: iptables [-t table] [-L] [-n] (-n lists addresses and ports numerically, without DNS lookups)
The listing shows each chain with its default policy.

3-1 Install iptables
Clear the current rules and policy (flush every chain, delete the user-defined chains, reset the policies to ACCEPT) before loading a new rule set, otherwise old rules stay in front of the new ones and win on first match.

3-2 Define Default Policy
iptables -t [filter | nat | mangle] -P [INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING] [ACCEPT | DROP]
The policy is the verdict for packets that match no rule in the chain; a default-deny policy (DROP on INPUT and FORWARD) with explicit ACCEPT rules is the safe starting point.

3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace
iptables -t [filter | nat | mangle] [-A | -I | -D | -R] <chain> <match> -j <target>
Three major things need to be considered: direction (chain), match, target.

3-3-2 Direction: Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches: Conditions
1. -p [proto]: tcp | udp | icmp | all
2. -s [IP], -d [IP] (a host or a network such as 192.168.1.0/24)
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW | ESTABLISHED | INVALID | RELATED
5. -m multiport --sports/--dports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.

3-3-4 Targets: Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (PREROUTING/OUTPUT)
c. mangle table: ...
3-4 Save/Restore Rules
iptables-save writes the current rule set to stdout and iptables-restore reloads it. It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (it is not a standard shell script). Please refer to the hands-on practice.

Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
   1) Packet Filter
   2) NAT Machine
4-1 Packet Filter: Rules of the filter table
Example 1: Accept all packets incoming from the lo interface
  iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2: Accept all TCP packets incoming from IP = 192.168.0.1
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT

4-1 Packet Filter: Rules of the filter table
Example 3: Accept all TCP packets incoming from the network 192.168.1.0/24
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4: Drop all TCP packets incoming from IP = 192.168.1.25
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
  (Appended after Example 3 this rule never matches: 192.168.1.25 lies inside 192.168.1.0/24 and is already accepted by the earlier rule. Insert it in front with -I, or place it before the network rule.)

4-1 Packet Filter: Rules of the filter table
Example 5: Drop all incoming TCP packets with destination port = 21 (forbid FTP connections from eth0)
  iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter: Rules of the filter table
Example 7: Log all incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
  iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
  (LOG is a non-terminating target: the packet continues down the chain after being logged. The outgoing direction needs a matching OUTPUT rule with --sport 25.)
Note: the UC7110 does not support the target "LOG".

4-1 Packet Filter: Rules of the filter table
Example 8: Drop all [SYN] packets from IP = 192.168.100.200
  iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9: Drop all packets from MAC = aa:bb:cc:dd:ee:ff
  iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10: Do not respond to "ping"
  iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: Limit an ICMP "ping" burst
  iptables -t filter -P INPUT DROP
  iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
  (Allows a burst of 10 ICMP packets, then 6 per minute; the rest fall through to the DROP policy.)
4-1 Packet Filter: Rules of the filter table
Example 12: Accept the ESTABLISHED/RELATED packets of the local host; drop INVALID packets and NEW packets which are trying to create a new connection
  iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
  (Any ACCEPT rules for services the host offers must come before the INVALID,NEW drop, otherwise first match silences them.)

4-1 Packet Filter: Rules of the filter table
Example 13: Check the packet integrity
  iptables -t filter -A INPUT -p all -m unclean -j DROP
  (The "unclean" match was an experimental 2.4 extension and is not available on every kernel.)
Example 14: Enable the "passive mode" FTP service for a host
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
  (ip_conntrack_ftp watches the control connection and marks the data connection RELATED, so the dynamically chosen data port is accepted without opening a port range.)
4-2 NAT Machine
Example 1: Redirect connection requests for port 80 to port 8080
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: Masquerade the packets from 192.168.1.0/24 going out through ppp0 as the local ppp0 IP
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
  (MASQUERADE is only valid in the POSTROUTING chain, and -o can only be used in POSTROUTING, OUTPUT and FORWARD.)

4-2 NAT Machine
Example 3: DNAT the packets arriving on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10:80
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4: Redirect incoming TCP port 80 to 192.168.1.10:80 (the same DNAT form as Example 3 with the new destination); the rule below is the SNAT for the internal subnet's outgoing packets, rewritten to the external address $OUT_IP, which completes the return path for Example 3
  iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
The DNAT alone is not enough: the forwarded packets must also be allowed in the filter table's FORWARD chain, and ip_forward must be enabled.
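The individual rules of the hands-on practice, assembled into the kind of script file that 3-4 recommends. This is an added example, not from the slides or from Moxa: it defaults to a dry run that prints the rules so the set can be reviewed before loading, and the interface names, subnets and blocked host are assumptions for the lab. The INPUT rules are ordered by the first-match principle from 2-1, and the NAT part includes the FORWARD rule that a DNAT needs before any traffic actually passes.

```shell
#!/bin/sh
# Firewall script for a UC-7400 acting as LAN gateway, assembled from the
# hands-on examples above. Default is a DRY RUN that prints the rules;
# run with FW_APPLY=yes to load them with the real iptables binary.
# Interface names, subnets and the blocked host are assumptions for the lab.
if [ "${FW_APPLY:-no}" = yes ]; then IPT=iptables; else IPT=fw_dry; fi
fw_dry() { printf 'iptables %s\n' "$*"; }          # prints instead of loading

LAN_IF=eth0                 # internal LAN (192.168.127.0/24)
WAN_IF=ppp0                 # uplink to the Internet
LAN_NET=192.168.127.0/24
WEB_SRV=192.168.127.10      # internal web server published via DNAT
BAD_HOST=192.168.1.100      # the attacker from the first-match example

fw_flush() {                # start from an empty rule set every run
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
    done
}

fw_policy() {               # default-deny inbound and forwarded, allow outbound
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

fw_input() {                # traffic addressed to the box itself
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # first match: the block must precede any rule that could accept this host
    $IPT -A INPUT -s $BAD_HOST -j DROP
    $IPT -A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # rate-limited ping (Example 11); everything else falls to the DROP policy
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # log, then drop, FTP attempts (LOG is non-terminating; not available on the UC-7110)
    $IPT -A INPUT -p tcp --dport 21 -m limit --limit 3/min -j LOG --log-prefix "ftp-drop: "
    $IPT -A INPUT -p tcp --dport 21 -j DROP
}

fw_forward_nat() {          # LAN -> Internet masquerading and the published web server
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    # DNAT alone is not enough: the translated packet still needs a FORWARD rule
    $IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to $WEB_SRV:80
    $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -j ACCEPT
    # MASQUERADE is only valid in the nat table's POSTROUTING chain
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
}

fw_load() { fw_flush; fw_policy; fw_input; fw_forward_nat; }

# Stand-alone run: prints the rule set (dry run) or loads it (FW_APPLY=yes).
fw_load
```

Running it without FW_APPLY prints 23 iptables commands that can be read top to bottom in the order the kernel will evaluate them; FW_APPLY=yes loads them, and "iptables -L -n" afterwards should show the same order.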
Thank You
OpenVPN 2.0
Stephen Lin

OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even when listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify which specific individual is behind that entity
Non-repudiation
• The individual behind an asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast: high efficiency for data transmission
Is it "secure" while transferring the key? (The key has to reach the other party over a channel that is itself confidential and authenticated.)
Key maintenance: n(n-1)/2 keys for n parties, one per pair
DES, 3DES, AES, Blowfish
[Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back to the plaintext]
1-3 Hash (Digest) Function
Ensures data integrity
MD5, SHA-1 (both have since been shown to be collision-prone; prefer SHA-2 where the peer supports it)
[Diagram: Tom runs the data through the hash function and sends Data + Message Digest 1; Bob runs the received data through the same hash function, obtains Message Digest 2, and compares it with Message Digest 1]
A plain digest only detects accidental corruption: an attacker who changes the data can recompute the digest too, which is why a key is added in 1-4.
1-4 Message Authentication Code
Ensures data integrity and authenticity of origin
Uses a key to protect the MAC: only a holder of the secret key can produce or verify it
HMAC, CBC-MAC
[Diagram: Tom hashes the data and turns the digest into a MAC with the secret key, then sends MAC + Data; Bob recomputes the MAC from the received data with the same secret key and compares it with the received MAC]
OpenVPN uses HMAC for exactly this: the HMAC over each encrypted packet is checked before the packet is decrypted.
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session one key is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• In RSA the two keys are interchangeable: the algorithm itself makes no difference between public and private key, and when a key pair is generated either one can become the public key (this does not hold for every asymmetric algorithm)
• Less efficient than symmetric (static key) encryption, which is why it is used to exchange symmetric session keys rather than to encrypt bulk data
• RSA, Diffie-Hellman
[Diagram: clear text encrypted into an unreadable cipher text]

1-5 Asymmetric Data Encryption
Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key.
Recipient's key pair: confidentiality check (only Bob can read it)

1-5 Asymmetric Data Encryption
Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key.
Sender's key pair: authenticity check (only Tom could have produced it)
1-6 Digital Signature
Real world: a hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: uses the public-key system together with a hash

1-6 Digital Signature: Creating
[Diagram: the message or file ("This is the document created by Gianni") is run through a one-way message digest function (SHA, MD5), which calculates a short message digest (typically 128 bits) even from a long input; the digest is encrypted with the signatory's private key using asymmetric encryption (RSA), giving the digital signature; document + signature form the signed document]

1-6 Digital Signature: Verifying
[Diagram: the signed document is split into the document and the digital signature; the document is hashed again to obtain a message digest; the signature is decrypted with Gianni's public key (taken from his certificate) to recover the original digest; the two digests are compared]

1-6 Digital Signature
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key into the digital signature, which is sent with the data; Bob hashes the received data into Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two]
Signing the digest rather than the whole document is what makes it cheap; the scheme is only as strong as the hash, so a digest function with known collisions (MD5) lets an attacker substitute a second document that carries the same signature.
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is
• Digitally signed by someone trusted (like your friend, or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature of the issuer]
The entity can be a person, a computer, a device, a file, some code, anything ...

1-7-1 CA Certificate
[Diagram: the CA generates its own key pair (Priv, Pub) on the certification server; a user requests a certificate from the CA; the CA generates the certificate (Pub + DS + Cert); the private key and the certificate are sent to the user]
Right cert: signed by the CA
Left cert: signed by the CA
CA pub key: signed by the CA itself (a self-signed root certificate)

1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key; Left and Right each hold their own private key, the CA public key and their own certificate signed by the CA; both trust the CA public key, so each can verify the other's certificate without any prior contact]
Verifying a peer therefore means: check the certificate's signature with the trusted CA public key, check that the peer holds the private key matching the certified public key (the TLS handshake does this), and finally check that the certified name is the peer you expected.
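The CA flow in the two diagrams above, and the 3-4-1 procedure (CA key pair, request, sign), as explicit openssl commands: a CA, one client certificate issued by it, a second unrelated CA, and the sign/verify of a file with the client key. This is an added example for this page, not the slides' or OpenVPN's own code. The names, the validity periods and the 2048-bit key size are assumptions, the sample file content is constructed, and everything is written into the directory handed to pki_build.

```shell
#!/bin/sh
# Small X.509 PKI built with the openssl command line: a CA, one client certificate
# issued by it, a second unrelated CA, and sign/verify of a file with the client key.
# Names and the 2048-bit key size are assumptions; all files land in the directory
# given to pki_build.
pki_build() {               # pki_build DIR
    ( cd "$1" || exit 1
      # 1. CA key pair and self-signed root certificate ("CA pub key signed by CA")
      openssl genrsa -out ca.key 2048 2>/dev/null
      openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -subj "/CN=Lab CA" -out ca.crt
      # 2. client key pair and a certificate request carrying its public key and name
      openssl genrsa -out client.key 2048 2>/dev/null
      openssl req -new -key client.key -subj "/CN=vpn-client" -out client.csr
      # 3. the CA signs the request with its private key: this is the client certificate
      openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 365 -sha256 -out client.crt 2>/dev/null
      # 4. an unrelated CA, to show that trust does not transfer between roots
      openssl genrsa -out other-ca.key 2048 2>/dev/null
      openssl req -x509 -new -nodes -key other-ca.key -sha256 -days 365 -subj "/CN=Other CA" -out other-ca.crt
    )
}

cert_ok() {                 # cert_ok CA.crt CERT.crt -> 0 if CERT chains to CA
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

sign_file() {               # sign_file KEY FILE -> writes FILE.sig (SHA-256 digest signed with RSA)
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

verify_file() {             # verify_file CERT FILE -> 0 if FILE.sig matches under CERT's public key
    openssl x509 -in "$1" -pubkey -noout > "$1.pub" &&
    openssl dgst -sha256 -verify "$1.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# Stand-alone run: build the PKI, sign a file, verify it, then tamper with it.
WORK=${WORK:-$(mktemp -d)}
pki_build "$WORK"
cert_ok "$WORK/ca.crt" "$WORK/client.crt" && echo "client.crt chains to ca.crt"
cert_ok "$WORK/other-ca.crt" "$WORK/client.crt" || echo "client.crt does NOT chain to other-ca.crt"
printf 'push "route 10.0.1.0 255.255.255.0"\n' > "$WORK/msg"     # constructed sample input
sign_file "$WORK/client.key" "$WORK/msg"
verify_file "$WORK/client.crt" "$WORK/msg" && echo "signature OK"
printf 'push "route 10.0.9.0 255.255.255.0"\n' > "$WORK/msg"     # one digit changed
verify_file "$WORK/client.crt" "$WORK/msg" || echo "signature rejected after tampering"
```

cert_ok checks only the chain to the CA, not who the peer is: a certificate issued by the same CA to another client also verifies. In OpenVPN the name check is a separate step (tls-remote, or a tls-verify script), and ca.key never leaves the CA machine, since it is the key that makes any certificate "trusted".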
1-7-2 SSL/TLS
[Diagram: each side holds a key pair (Priv, Pub) and the other side's public key; clear text is encrypted in two steps (Cipher 1, then Cipher 2: once with the recipient's public key for confidentiality and once with the sender's private key for authenticity), transmitted over the public network, and decrypted in the reverse order back to clear text]
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged
• Authenticity, identity, non-repudiation
In practice SSL/TLS uses the public keys only during the handshake, to authenticate the peers and agree on symmetric session keys; the bulk data is then protected with a symmetric cipher and a MAC (1-2 and 1-4), which is also how OpenVPN's data channel works.
1-8 Moxa UC7400: Hardware Cipher
The Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the application source code

1-8-1 Moxa Accelerated Algorithms: OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
For OpenVPN this means choosing a CBC cipher from this list (e.g. "cipher AES-128-CBC" or "cipher DES-EDE3-CBC"); a cipher outside it, such as Blowfish (OpenVPN's default BF-CBC), runs entirely in software.
1-8-2 Performance
[Charts: throughput (0 to 80) and rate (0 to 8) vs. packet size, 128 to 1280 bytes, for 3DES-CBC and AES128-CBC; and throughput (0 to 8) and rate (0 to 2.5) vs. packet size, 16 to 144 bytes, for AES128-CBC and 3DES-CBC; legend: = HW cipher]
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for the character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic of the crypto with that key: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface with the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local and remote VPN (tunnel) IP addresses must be specified ("ifconfig <local> <remote>")
It is NECESSARY to specify the server address ("remote") at the VPN client
Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (server); openvpn --config /etc/openvpn/tunclient.conf & (client)
Note the 2nd argument of "ifconfig", the remote tunnel endpoint, which is now "10.0.2.254"
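The static-key TUN setup of 3-1 and 3-2, as an added example that is not Moxa's configuration: one script that prints the server or client configuration for the slide topology and refuses a pre-shared key file that anyone but its owner can read. The public address 192.168.12.201, the tunnel endpoints 10.0.1.254/10.0.2.254 and the LANs 10.0.1.0/24 and 10.0.2.0/24 are taken from the slide diagram; the port, cipher, digest, the "nobody" user/group and the remaining directives are assumptions.

```shell
#!/bin/sh
# Added example, not Moxa's configuration: generate the static-key TUN server
# and client configs for the slide topology, and refuse a key file that is
# readable by anyone but its owner.  Public address 192.168.12.201, tunnel
# endpoints 10.0.1.254/10.0.2.254 and the LANs 10.0.1.0/24 and 10.0.2.0/24
# come from the slide diagram; port, cipher, digest and the other directives
# are assumptions.
SERVER_PUB=192.168.12.201
SERVER_TUN=10.0.1.254
CLIENT_TUN=10.0.2.254
LAN_A=10.0.1.0
LAN_B=10.0.2.0
KEY=/etc/openvpn/static.key

# Print the configuration for "server" or "client" to stdout.
tun_conf() {
    case "$1" in
        server) me=$SERVER_TUN; peer=$CLIENT_TUN; peer_lan=$LAN_B; extra="" ;;
        client) me=$CLIENT_TUN; peer=$SERVER_TUN; peer_lan=$LAN_A
                extra="remote $SERVER_PUB 1194" ;;   # the client must name the server
        *) echo "usage: tun_conf server|client" >&2; return 1 ;;
    esac
    cat <<EOF
dev tun
proto udp
port 1194
${extra}
# local tunnel address first, then the peer's (the client swaps them)
ifconfig $me $peer
# route for the LAN behind the peer, via the tunnel
route $peer_lan 255.255.255.0
# pre-shared key, created with: openvpn --genkey --secret $KEY
secret $KEY
cipher AES-128-CBC
auth SHA1
# drop root once the tun device and key are set up
user nobody
group nobody
persist-key
persist-tun
keepalive 10 60
verb 3
EOF
}

# The pre-shared key is the whole secret: 0 only if the mode is owner-only
# read/write (-rw-------).  Uses ls so it works with GNU and BSD userland.
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "rw-------" ]
}

# Self-test of the permission check with a constructed stand-in key file.
static_key_selftest() {
    dir=$(mktemp -d) || return 1
    k=$dir/static.key
    : > "$k"
    chmod 600 "$k"
    key_perms_ok "$k" || { rm -rf "$dir"; return 1; }
    chmod 644 "$k"
    if key_perms_ok "$k"; then rm -rf "$dir"; return 1; fi   # must be rejected
    rm -rf "$dir"
    return 0
}

tun_conf "${1:-server}"
```

Run `sh tunconf.sh server > /etc/openvpn/tunserver.conf` on the server and `sh tunconf.sh client > /etc/openvpn/tunclient.conf` on the client; the same static key file (mode 600, copied over a protected channel) goes to both sides, and `key_perms_ok /etc/openvpn/static.key` is worth calling from the start script before `openvpn --config`. With `user nobody`, `persist-key` and `persist-tun` are required so that the daemon can reopen the key and the tun device after dropping root on restart.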
3-3 TAP Configuration - VPN Server
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN client] vi /etc/openvpn/tapclient.conf
Comment out this line if both VPN networks are in the same subnet
Edit the static routes: vi /etc/openvpn/tapserver.sh
[At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Point the route at the bridge interface: br0 = 10.0.1.254
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (server); openvpn --config /etc/openvpn/tapclient.conf & (client)
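The bridge script that 2-3-2 and 3-3 refer to, as an added example that is not Moxa's openvpn-bridge script: it creates the tap device, builds br0 from eth1 and tap0, moves the LAN gateway address onto the bridge, and can undo all of it. Interface names and the address 10.0.1.254/24 are assumptions for the server side of the slide topology. By default it only prints the commands; run it with `RUN=` (empty) as root to execute them.

```shell
#!/bin/sh
# Added example, not Moxa's openvpn-bridge script: start/stop a bridge br0 that
# joins the LAN port eth1 and the OpenVPN tap0 device, moving the LAN gateway
# address (10.0.1.254/24, from the slide) onto br0.  Interface names and the
# address are assumptions for the server side.  By default the commands are
# only printed; run with RUN= (empty) as root to execute them.
RUN=${RUN-echo}
BR=br0
ETH=eth1
TAP=tap0
BR_IP=10.0.1.254
BR_MASK=255.255.255.0
BR_BCAST=10.0.1.255

bridge_start() {
    $RUN modprobe tun
    $RUN modprobe bridge
    # persistent tap device, owned by the unprivileged user OpenVPN will run as
    $RUN openvpn --mktun --dev $TAP --user nobody --group nobody
    $RUN brctl addbr $BR
    $RUN brctl addif $BR $ETH
    $RUN brctl addif $BR $TAP          # brctl addif always needs the bridge name
    $RUN brctl stp $BR off
    # the physical port and the tap carry no address; they are bridge ports
    $RUN ifconfig $ETH 0.0.0.0 promisc up
    $RUN ifconfig $TAP 0.0.0.0 promisc up
    # the bridge takes over the LAN gateway address
    $RUN ifconfig $BR $BR_IP netmask $BR_MASK broadcast $BR_BCAST up
}

bridge_stop() {
    $RUN ifconfig $BR down
    $RUN brctl delif $BR $TAP
    $RUN brctl delif $BR $ETH
    $RUN brctl delbr $BR
    $RUN openvpn --rmtun --dev $TAP
    # hand the address back to the physical port
    $RUN ifconfig $ETH $BR_IP netmask $BR_MASK broadcast $BR_BCAST up
}

# Checks the dry-run plan: every brctl addif names the bridge, the gateway
# address is assigned to br0 only, and only after both ports were added.
bridge_plan_ok() {
    (RUN=echo; bridge_start) | awk -v br="$BR" -v ip="$BR_IP" '
        $1 == "brctl" && $2 == "addif" { ports++; if ($3 != br) bad = 1 }
        $1 == "ifconfig" && $3 == ip { if ($2 == br) { addr = 1; addr_ports = ports } else bad = 1 }
        END { exit (bad || !addr || addr_ports < 2) }'
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    *)       echo "usage: $0 {start|stop|restart}  (RUN= to execute, default prints)" >&2 ;;
esac
```

Start the bridge before OpenVPN (`openvpn-bridge start`, then `openvpn --config tapserver.conf`), because the tapserver.conf `dev tap0` must already exist as a bridge port; the tap is created persistent with `--mktun` so that OpenVPN, after dropping to `nobody`, only opens it rather than creating it. Note that the address leaves eth1 while the bridge is up: an SSH session to 10.0.1.254 survives only because br0 takes the address over in the same script.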
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate with the CA: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client (the CA private key stays on the CA machine)
Repeat -newreq and -sign to certify the second client
3-4-2 OpenVPN "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file (KEY_SIZE, KEY_COUNTRY and the other certificate fields): vi /etc/openvpn/easy-rsa/vars
Activate the vars in the current shell: . /etc/openvpn/easy-rsa/vars (sourced, not executed, so the variables reach the build scripts)
Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (size taken from KEY_SIZE in vars; 1024 bits here)
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client; the CA private key (ca.key) never leaves the CA machine
"easy-rsa" tools also work on the UC-7400 series
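What 3-4-1 and 3-4-2 build, reduced to the underlying openssl commands, as an added example that is neither the OpenSSL CA script nor easy-rsa: a throwaway CA issues a server and a client certificate, and the check OpenVPN performs with `ca ca.crt` (does the peer's certificate chain to the trusted CA?) is run directly, including the negative case of a certificate issued by an unrelated CA. The names, the 2048-bit keys and the 365-day lifetime are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not the OpenSSL CA script or easy-rsa: build a throwaway CA
# with the openssl tool, issue a server and a client certificate, and show that
# the check OpenVPN performs with "ca ca.crt" (chain to the trusted CA) accepts
# them and rejects a certificate issued by an unrelated CA.  Names, the
# 2048-bit keys and the 365-day lifetime are assumptions.
pki_issue() {
    # $1 = directory, $2 = CA name, $3 = leaf name; issues $3.key and $3.crt
    # signed by $2, creating the CA key pair and self-signed cert on first use.
    d=$1; ca=$2; name=$3
    if [ ! -f "$d/$ca.crt" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
    fi
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$d/$name.csr" -CA "$d/$ca.crt" \
        -CAkey "$d/$ca.key" -CAcreateserial -out "$d/$name.crt" 2>/dev/null || return 1
    # private keys are owner-only; ca.key never leaves the CA machine
    chmod 600 "$d/$name.key" "$d/$ca.key"
}

# 0 if the certificate $2 chains to the CA file $1, 1 otherwise.
pki_verify() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Common name of a certificate, the value tls-rem­ote / a tls-verify script
# would compare against.
pki_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# End-to-end check; prints ok, fail, or skip when openssl is not installed.
pki_selftest() {
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    d=$(mktemp -d) || { echo fail; return 1; }
    r=ok
    pki_issue "$d" ca server && pki_issue "$d" ca client \
        && pki_issue "$d" rogue-ca intruder || r=fail
    pki_verify "$d/ca.crt" "$d/server.crt"   || r=fail   # our server: accepted
    pki_verify "$d/ca.crt" "$d/client.crt"   || r=fail   # our client: accepted
    pki_verify "$d/ca.crt" "$d/intruder.crt" && r=fail   # other CA: rejected
    [ "$(pki_cn "$d/client.crt")" = client ] || r=fail
    rm -rf "$d"
    echo $r
    [ $r = ok ]
}

pki_selftest
```

The Diffie-Hellman parameters that build-dh produces correspond to `openssl dhparam -out dh1024.pem 1024`. Passing the CA check is necessary but not sufficient: any certificate from the same CA, including a client's, would be accepted as the server unless the client also pins the server's identity (the common name printed by `pki_cn`, matched with `tls-remote`, or a server-only certificate type), so a stolen client certificate alone should not let an attacker impersonate the server.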
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Replace the static "secret" line with the certificate directives: ca, cert, key (and dh on the server)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature -> Voltage -> Throughput for P3 to P8
F2 System Status: LAN's IP -> Wi-Fi's IP -> CPU loading -> Available memory
F3 Alarm Setting: Temperature -> Voltage -> burn-in throughput
F4 Configuration key
F5 Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
- The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
- The compatible 802.11g wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
1 Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel
"Netfilter" matches on the packet headers, not on the payload content
iptables is currently one of many firewall/NAT solutions; it is the administration tool to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches; this is called a "target", which may be a jump to a user-defined chain in the same table
3rd generation firewall on Linux:
- "ipfwadm" on Linux kernel 2.0.x
- "ipchains" on Linux kernel 2.2.x
- "ipchains" and "iptables" on Linux kernel 2.4.x
- "iptables" on Linux kernel 2.6.x
Supports basic packet filtering as well as connection state tracking
UC-7110/7400 support only "iptables"
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Flowchart: a packet is tested against Rule 1, Rule 2, ... Rule 10 in order. The first rule that matches ("Yes") applies its action (Action 1, Action 2, ... Action 10) and evaluation stops; if no rule matches, the chain's default policy applies.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets
Wrong order:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
With the second ordering, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches its packets first and Rule 2 is never reached
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets, look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content
1. INPUT chain - packets destined for the local host
2. OUTPUT chain - packets generated by the local host
3. FORWARD chain - packets routed through the host to other hosts
2-2-2 NAT Table
Used for Network Address Translation: rewrites the source or destination address field of packets (only the first packet of a connection is consulted; connection tracking applies the same translation to the rest)
1) PREROUTING chain - rewrites the destination IP address (DNAT)
2) POSTROUTING chain - runs after the routing decision and before the packet leaves the device; rewrites the source IP address (SNAT, MASQUERADE)
3) OUTPUT chain - for locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may use the mangle matches to change the TOS (Type Of Service) and TTL fields; it can also MARK packets
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
Incoming packets -> NAT table PREROUTING -> (routing decision) -> filter table INPUT -> local process
2-3-2 Source Local Host
Local process -> NAT table OUTPUT -> filter table OUTPUT -> NAT table POSTROUTING -> packets sent out
2-3-3 Forwarded Packets
Incoming packets -> NAT table PREROUTING -> (routing decision: not for a local resource) -> filter table FORWARD -> NAT table POSTROUTING -> other hosts
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible (do not load both)
Check the current tables: iptables [-t table] -L [-n]
Clear the current rules: iptables [-t table] -F (flush the chains), iptables [-t table] -X (delete user-defined chains)
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
With a DROP policy on INPUT, everything not explicitly accepted is blocked as soon as the chain is flushed, including a remote administration session: set the policy from the console or add the accept rules in the same script
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <chain> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --sports/--dports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (PREROUTING/OUTPUT)
c. mangle table: ...
3-4 Save / Restore Rules
The rule set can be exported with iptables-save and loaded again with iptables-restore. It is highly recommended to maintain the Netfilter rules in a script file instead of editing the exported file (it is not a standard shell script). Please refer to the hands-on practice
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 - Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 - Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service); the incoming side:
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the "LOG" target
Example 8 - Drop all [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all packets from MAC = aa:bb:cc:dd:ee:ff (the mac match module, then its --mac-source option)
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Limit an ICMP "ping" burst: default policy DROP, then accept at most 6 ICMP packets per minute with a burst of 10
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED and RELATED packets of the local host; drop the INVALID packets and the NEW packets which try to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 - Check the packet integrity (the experimental "unclean" match of the 2.4 kernels)
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable "passive mode" FTP service to a host: load the FTP connection-tracking helper, then accept the RELATED data connections
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of the nat table
Example 1 - Redirect connection requests for port 80 to local port 8080 (e.g. a local proxy)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 leaving through ppp0 with the local ppp0 IP (MASQUERADE and -o are only valid in the POSTROUTING chain)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 - DNAT the packets arriving on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to-destination 192.168.127.10:80
Example 4 - Redirect incoming TCP port 80 to 192.168.1.10, TCP port 80
SNAT the outgoing packets from 192.168.127.0/24 to the uplink address held in $OUT_IP:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to-source $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC-7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
Integrity
- Ensure that the message has not been modified during transmission
Authenticity
- You can verify that you are talking to the entity you think you are talking to
- You can verify who the specific individual behind that entity is
Non-repudiation
- The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast: high efficiency for data transmission
Is it "secure" while transferring the key?
Key management: n(n-1)/2 keys for n parties
DES, 3DES, AES, Blowfish
[Diagram: Tom encrypts the plaintext to ciphertext with the secret key; Bob decrypts the ciphertext back to plaintext with the same secret key]
1-3 Hash (Digest) Function
Ensures data integrity
MD5, SHA-1
[Diagram: Tom computes Message Digest 1 over the data with the hash function and sends data + digest; Bob computes Message Digest 2 over the received data with the same hash function and compares it with Message Digest 1]
An attacker who can modify the data in transit can recompute the digest as well, so a bare hash only detects accidental corruption; protecting against deliberate modification needs a key (next section)
1-4 Message Authentication Code
Ensures data integrity and the authenticity of the sender
Uses a key to protect the MAC
HMAC, CBC-MAC
[Diagram: Tom hashes the data to Message Digest 1 and protects it with the secret key to form the MAC, sending MAC + data; Bob recomputes Message Digest 2 over the received data, recovers Message Digest 1 from the MAC with the same secret key, and compares the two]
1-5 Asymmetric Encryption
Things to remember
- Key pair: public/private keys
- In a session, one is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- From one key you cannot derive the other, even with access to clear text and cipher text
- For RSA the two keys are mathematically interchangeable: when a key pair is generated, either one can be made public and the other kept private (this is a property of RSA, not of every asymmetric algorithm)
- Less efficient than symmetric encryption
- RSA, Diffie-Hellman
[Diagram: clear text encrypted with one key of the pair to the cipher text g$5knvMd'rkvegMs"]
1-5 Asymmetric Data Encryption - recipient's key pair (confidentiality check)
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key]
1-5 Asymmetric Data Encryption - sender's key pair (authenticity check)
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: uses public-key cryptography together with a hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") is reduced with a one-way message digest function (SHA, MD5) to a short message digest (Py75cbn; typically 128 bits for MD5, 160 bits for SHA-1), even for a long input. The digest is encrypted with the signatory's private key (RSA) to produce the digital signature (3kJfgf£$&). The signed document is the message plus the signature.]
1-6 Digital Signature - Verifying
[Diagram: from the signed document the verifier recomputes the message digest of the message (Py75cbn) and decrypts the digital signature with Gianni's public key (taken from the certificate) to recover the signed digest; the two digests are compared.]
1-6 Digital Signature
[Diagram: Tom hashes the data to Message Digest 1, encrypts it with Tom's private key to form the digital signature and sends data + signature; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two]
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key (it can be a person, a computer, a device, a file, some code, anything)
... and the whole is:
- Digitally signed by someone trusted (like your friend, or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + the digital signature of the issuer]
1-7-1 CA Certificate
[Diagram: the CA generates its own key pair and a self-signed CA certificate (the CA public key signed by the CA). A user requests a certificate from the CA; the CA generates the certificate (the user's public key and identity, signed with the CA private key). The private key and the certificate are sent to the user.]
When the CA generates the user's key pair as in this flow, the private key has to be delivered over a protected channel; having the user generate the key and send only the request (as in 3-4-1) avoids that transfer
1-7-1 CA Certificate Example
[Diagram: Left and Right both trust the CA. The CA holds the CA private key. Left holds its own private key, the CA public key (CA certificate) and the Left certificate signed by the CA; Right holds its own private key, the CA public key and the Right certificate signed by the CA. Each side validates the other's certificate with the CA public key.]
1-7-2 SSL/TLS
[Diagram: each side has a key pair (priv, pub) and the public keys are exchanged. Clear text is encrypted to Cipher 1 and Cipher 2 for transmission over the public network and decrypted back to clear text with the matching key on the other side.]
Ensures confidentiality
- and integrity, if digitally signed
Depending on how the public keys are exchanged (e.g. inside CA-signed certificates):
- Authenticity, identity, non-repudiation
1-8 Moxa UC-7400 - Hardware Cipher
Intel XScale (IXP422) supports
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
- No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput of 3DES-CBC and AES-128-CBC versus packet size (128 to 1280 bytes, and 16 to 144 bytes for small packets), each with a RATE curve on a second axis; shaded bars = hardware cipher]
1-8-3 Things to Be Noticed
Moxa UC-7400 switches operations between the software and the hardware approaches
- Default: hardware approach
- Any misconfiguration, or a busy hardware engine, causes the switch to software
Small packets are switched to the software approach
- DES: below 128 bytes
- 3DES/AES: below 64 bytes
1-8-4 Software Package
Driver
- mxhw_cipher.o
Device file
- mknod /dev/mxcrypto c 11 131
Test program
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network - Advantages/Disadvantages
A VPN is a network constructed over public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH etc. do)
A VPN allows the use of protocols which are insecure by themselves
VPN traffic cannot easily be inspected or logged by intermediate devices because it is encrypted
2-2 Why OpenVPN
Usability
- Open Source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4, Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
- Uses the kernel routing
- Multiple clients
A user-space program
- A full-featured SSL-VPN solution
- on top of the existing SSL/TLS mechanism
- choice among a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000 in 1.x, 1194 in 2.0) or TCP port
2-2 OpenVPN Security
Two authentication modes
- Static key: uses a pre-shared key
- SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
- SeqN: 64-bit sequence number (replay protection)
- IV: plain-text initialization vector, randomized per packet
HMAC | IV | [ SeqN | payload ]
The bracketed part is encrypted with the cipher key; the HMAC is computed over the IV and the encrypted part and is checked before any decryption is attempted
2-2 OpenVPN vs IPSec
OpenVPN
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable connections
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device: a virtual point-to-point IP link between the two OpenVPN peers, with the inner interface attached to it
Uses the kernel routing to forward the packets
[Diagram: OSI layer stacks of the two peers (Physical through Application); OpenVPN in user space attaches at layer 3 through the TUN device]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
1. Quick View of iptables
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.
3rd generation firewall on Linux:
• "ipfwadm" on Linux kernel V2.0.X
• "ipchains" on Linux kernel V2.2.X
• "ipchains" / "iptables" on Linux kernel V2.4.X
• "iptables" on Linux kernel V2.6.X
Supports basic packet filtering as well as connection state tracking.
UC-7110/7400 support only "iptables".
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match – The Highest Priority
[Flowchart: incoming packets are tested against Rule 1, Rule 2, ... Rule 10 in order. At each rule "Yes" (match) leads to that rule's Action 1, Action 2, ... Action 10 and evaluation stops; "No" passes the packet on to the next rule. A packet that matches none of the rules falls through to the Default Policy.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100.
Ordering A:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all non-WWW packets
Ordering B:
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all non-WWW packets
With ordering B, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches first.
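To make the ordering effect concrete, here is a small first-match chain evaluator written for this section as an added example; it is not part of the Moxa deck. It models only the source address and destination port of a packet, and the rule format and both rule sets are constructed here to mirror orderings A and B.

```shell
#!/bin/sh
# Added example, not from the Moxa deck: a first-match chain evaluator in
# POSIX sh. It models how netfilter walks one chain: rules are tested top
# to bottom, the first rule whose conditions all match decides the
# verdict, and the chain's default policy applies only if nothing matched.
# Rule format (constructed for this example, one rule per line):
#   <source-ip | any>  <destination-port | any>  <ACCEPT | DROP>

# Ordering A from the slide: drop the attacker before allowing WWW.
RULES_A='192.168.1.100 any DROP
any 80 ACCEPT
any any DROP'

# Ordering B: allow WWW first; the drop rule is never reached for port 80.
RULES_B='any 80 ACCEPT
192.168.1.100 any DROP
any any DROP'

# evaluate <rules> <source-ip> <destination-port> [default-policy]
# Prints the verdict for one packet (default policy DROP, as in Example 11).
evaluate() {
    rules=$1; src=$2; dport=$3; policy=${4:-DROP}
    verdict=$policy
    while read -r r_src r_port r_verdict; do
        [ -z "$r_src" ] && continue            # ignore blank lines
        if [ "$r_src" = any ] || [ "$r_src" = "$src" ]; then
            if [ "$r_port" = any ] || [ "$r_port" = "$dport" ]; then
                verdict=$r_verdict
                break                          # first match wins
            fi
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$verdict"
}

# Trace the attacker and an ordinary host through both orderings.
for ip in 192.168.1.100 192.168.1.7; do
    printf 'A: %s -> port 80: %s\n' "$ip" "$(evaluate "$RULES_A" "$ip" 80)"
    printf 'B: %s -> port 80: %s\n' "$ip" "$(evaluate "$RULES_B" "$ip" 80)"
    printf 'A: %s -> port 22: %s\n' "$ip" "$(evaluate "$RULES_A" "$ip" 22)"
done
```

Run it with `sh first-match.sh`: ordering A drops the attacker's port-80 request, ordering B accepts it, and a port-22 probe from anyone ends in the catch-all DROP. The same walk is what iptables performs on a real chain, which is why a deny rule for a specific host has to be inserted above the broader accept.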
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, i.e. to translate the packet's source field or destination field.
1) PREROUTING chain – to translate the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device processing, to translate the source IP address (SNAT / MASQUERADE)
3) OUTPUT chain – to work on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that can change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
[Figure: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process]
2-3-2 Source Local Host
[Figure: Outgoing Packets (from the local process) → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets]
2-3-3 Forwarded Packets
[Figure: Incoming Packets → NAT Table PREROUTING → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts; after PREROUTING the routing decision separates packets for a Local Resource from those to be forwarded]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R <direction> <match> -j <target>
3 major things need to be considered: direction, match and target.
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --ports [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING / OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the netfilter rules instead of using the exported rules file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 – Log all the incoming/outgoing TCP packets to/from port = 25 (log SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG".
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff (the mac match is loaded with -m mac and takes --mac-source):
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit ICMP "ping" bursts (default policy DROP, then accept at most 6 per minute with a burst of 10):
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 – Accept the ESTABLISHED / RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 – Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "Passive Mode" FTP service to a host (the FTP connection-tracking helper must be loaded first):
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
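The following host firewall script is an added example, not a Moxa-supplied script: it puts the rules of Examples 1 to 14 into the script-file form that section 3-4 recommends over the exported rules file. eth0, 192.168.1.0/24 and 192.168.1.25 are taken from the examples above; the IPT variable, and IPT=echo as a dry-run mode for reviewing the rule set without root, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not a Moxa-supplied script: the filter-table rules of
# Examples 1-14 kept in one script file, as section 3-4 recommends.
# IPT names the iptables binary; IPT=echo turns every call into a printed
# line so the rule set can be reviewed (and tested) without root or a
# netfilter kernel. Interface and addresses follow the examples above.
IPT=${IPT:-iptables}
LAN_IF=eth0
TRUSTED_NET=192.168.1.0/24     # LAN allowed to reach the NetBIOS ports
ATTACKER=192.168.1.25          # host dropped in Example 4

flush_filter() {
    # Start from an empty filter table so re-running the script never
    # appends a second copy of every rule.
    $IPT -t filter -F
    $IPT -t filter -X
}

set_default_policy() {
    # Default-deny inbound (Example 11); whatever is not accepted below
    # is dropped by policy.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

add_input_rules() {
    # First match wins, so the order is deliberate: loopback and already
    # tracked connections first, explicit drops next, exposed services last.
    $IPT -t filter -A INPUT -i lo -j ACCEPT                                  # Example 1
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # Example 12
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP                 # Example 12
    $IPT -t filter -A INPUT -i "$LAN_IF" -s "$ATTACKER" -j DROP              # Example 4
    # Example 11: answer ping, but at most 6 per minute with a burst of 10.
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Example 6: NetBIOS ports only from the trusted LAN.
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$TRUSTED_NET" --dport 137:139 -j ACCEPT
    # Example 5: refuse FTP control connections on the LAN interface.
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp --dport 21 -j DROP
    # Example 7: log SMTP attempts; they then fall through to the DROP policy.
    # (LOG is not available on the UC7110, see the note above.)
    $IPT -t filter -A INPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP: "
}

apply_firewall() {
    flush_filter
    set_default_policy
    add_input_rules
}

# dry_run: print the rules instead of loading them.
dry_run() {
    IPT=echo
    apply_firewall
}

# input_rule_count: how many INPUT rules the dry run would load.
input_rule_count() {
    dry_run | grep -c -- ' -A INPUT '
}

case "${1:-dry}" in
    apply) apply_firewall ;;     # sh firewall.sh apply   (needs root)
    *)     dry_run ;;            # sh firewall.sh         (review only)
esac
```

`sh firewall.sh` prints the eight INPUT rules in the order they would be loaded, which is the review step worth doing before `sh firewall.sh apply`: the loopback and ESTABLISHED,RELATED accepts must appear above the drops, otherwise replies to the device's own connections are dropped by the default policy.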
4-2 NAT Machine
Example 1 – Redirect the connection requests of port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets coming from 192.168.1.0/24 as the local ppp0's IP (MASQUERADE and -o are only valid in the POSTROUTING chain):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10, port 80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
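As an added example (not from the deck), here are the NAT-machine rules of Examples 1 to 4 gathered into one gateway script, together with the FORWARD-chain rules that a DNAT still needs: a rewritten packet is only delivered if the filter table's FORWARD chain accepts it (section 2-3-3). The public address 60.248.66.75, the web server 192.168.127.10 and the 192.168.127.0/24 LAN are taken from the examples; IPT=echo as a dry-run mode is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the deck: the NAT-machine rules of Examples 1-4
# as one gateway script, plus the FORWARD rules that a DNAT still needs
# (a rewritten packet is only delivered if the filter table's FORWARD
# chain accepts it, see 2-3-3). Addresses and interface names follow the
# examples above; IPT=echo gives a printed dry run for review and testing.
IPT=${IPT:-iptables}
WAN_IF=eth0
WAN_IP=60.248.66.75
LAN_NET=192.168.127.0/24
WEB_SERVER=192.168.127.10

enable_forwarding() {
    # Without this the kernel never routes between the interfaces and the
    # FORWARD chain sees no packets at all.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

nat_rules() {
    $IPT -t nat -F
    # Example 3: publish the internal web server on the public address.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # Example 4: rewrite the LAN's source addresses to the fixed public IP.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

masquerade_rules() {
    # Example 2 variant for a dial-up uplink whose address changes:
    # MASQUERADE looks the address up per packet; it is only valid in
    # POSTROUTING.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o ppp0 -j MASQUERADE
}

forward_rules() {
    # Only the published service and the LAN's own outbound traffic may cross.
    $IPT -t filter -F FORWARD
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -t filter -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
}

apply_gateway() {
    enable_forwarding
    nat_rules
    forward_rules
}

# dry_run: print the rules (ip_forward is not touched).
dry_run() {
    IPT=echo
    nat_rules
    forward_rules
}

# forward_rule_count: number of FORWARD rules in the dry run.
forward_rule_count() {
    dry_run | grep -c -- ' -A FORWARD '
}

case "${1:-dry}" in
    apply) apply_gateway ;;      # sh gateway.sh apply   (needs root)
    *)     dry_run ;;            # sh gateway.sh         (review only)
esac
```

The FORWARD policy is DROP on purpose: with the common "ACCEPT everything in FORWARD" shortcut the DNAT would expose not just port 80 of the web server but any forwarded traffic the kernel routes. Use `masquerade_rules` instead of the SNAT line when the uplink is ppp0 with a dynamic address.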
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys for n parties
• DES / 3DES / AES / Blowfish
[Figure: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back to the plaintext.]
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5 / SHA-1
[Figure: Tom runs the data through the hash function to get Message Digest 1 and sends Data + Message Digest 1. Bob runs the received data through the same hash function to get Message Digest 2 and compares it with Message Digest 1.]
1-4 Message Authentication Code
• Ensure the data integrity
• Use a key to protect the MAC
• HMAC / CBC-MAC
[Figure: Tom hashes the data into Message Digest 1, encrypts it with the secret key into the MAC, and sends Data + MAC. Bob hashes the received data into Message Digest 2, decrypts the MAC with the secret key back to Message Digest 1, and compares the two.]
1-5 Asymmetric Encryption
Things to remember
• Key pair – public / private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable. The algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA / Diffie-Hellman
[Figure: clear text → encryption → cipher text such as "g$5knvMd'rkvegMs"]
1-5 Asymmetric Data Encryption – Confidentiality check
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair).]
1-5 Asymmetric Data Encryption – Authenticity check
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair).]
1-6 Digital Signature
Real world – hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – use the public key and hash
1-6 Digital Signature – Creating
[Figure: the message or file ("This is the document created by Gianni") is passed through a one-way message digest function (hash: SHA, MD5) to calculate a short message digest ("Py75cbn", typically 128 bits) even from a long input. The digest is then encrypted asymmetrically (RSA) with the signatory's private key to give the digital signature ("3kJfgf£$&"). The signed document is the message together with the digital signature.]
1-6 Digital Signature – Verifying
[Figure: from the signed document, the message is hashed again to regenerate the message digest ("Py75cbn"); the digital signature is decrypted asymmetrically with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared.]
1-6 Digital Signature
[Figure: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key to form the digital signature, which is sent together with the data. Bob hashes the received data into Message Digest 2, decrypts the digital signature with Tom's public key back to Message Digest 1, and compares the two.]
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: a certificate is the public key, the statement "This public key belongs to Stephen" and a digital signature over both. The entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Figure: the certification server (CA) generates a key pair. The user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user. Shown for the "Left" and "Right" users: Right Cert signed by CA, Left Cert signed by CA, CA Pub Key signed by CA.]
1-7-1 CA Certificate Example
[Figure: the CA holds its private key. Left and Right each trust the CA Pub Key and hold their own Priv Key, labelled "Left Priv Key signed by CA" and "Right Priv Key signed by CA", together with "Left Cert signed by CA" and "Right Cert signed by CA".]
1-7-2 SSL/TLS
[Figure: each peer holds a private/public key pair and the other's public key. The clear text is encrypted (Cipher 1), encrypted again (Cipher 2) and transmitted over the public network; the receiver decrypts Cipher 2 and then Cipher 1 to recover the clear text.]
• Ensures confidentiality, and integrity if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel Xscale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), where OpenSSL wraps it too
1-8-2 Performance
[Charts: throughput and RATE of 3DES-CBC and AES128-CBC on the UC-7400 plotted against packet size, once for 128 to 1280 bytes and once zoomed in on 16 to 144 bytes, software cipher versus hardware cipher; the hatched bars mark the HW cipher.]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration or busy condition causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES / AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network – Advantages / Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• VPNs encrypt all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• VPNs allow the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT / DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client / server role
• Makes use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000 / 1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | payload, with brackets marking the encrypted part (SeqN and payload) and the part covered by the HMAC.]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: the OSI stack (Physical, Data-Link, Network, Transport, Session, Presentation, Application) on both peers; OpenVPN runs at the application layer and hands packets to the TUN device at the 3rd (network) layer.]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0         # create an Ethernet bridge
brctl addif br0 eth1    # connect interface eth1 as a port
brctl addif br0 tap0    # connect virtual interface tap0 as a port
[Figure: the OSI stack on both peers; OpenVPN runs at the application layer, TUN attaches at the 3rd layer and TAP at the 2nd layer. On each side eth0 carries the tunnel while eth1 and tap0 are bridged together.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN Server, which also acts as the CA/TLS Server; its ixp1 holds 10.0.1.254 and its ixp0 192.168.12.201. LAN B (10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN Client; its ixp1 holds 10.0.2.254 and its ixp0 192.168.12.202. The VPN tunnel connects the two ixp0 addresses.]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create / start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the cipher / authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
• [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• Local / remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
• [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (at the client: openvpn --config /etc/openvpn/tunclient.conf &)
• The 2nd argument of "ifconfig" (the remote VPN address) is now "10.0.2.254"
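The two requirements above (local/remote VPN addresses on both sides, server address at the client) are easy to get wrong when the files are edited by hand, so here is an added example, not one of the deck's own files, that writes the static-key TUN configuration pair for the LAN A / LAN B lab and checks them before openvpn is started. The addresses, the file names tunserver.conf and tunclient.conf, and the key path are assumptions modelled on the lab diagram; the static routes are expressed with OpenVPN's own `route` directive rather than the tunserver.sh / tunclient.sh scripts.

```shell
#!/bin/sh
# Added example, not one of the deck's own files: writes the static-key
# TUN configuration pair for the LAN A / LAN B lab of section 3-1 and
# checks the two rules section 3-2 insists on: both files carry an
# 'ifconfig <local> <remote>' whose addresses mirror each other, and the
# client carries a 'remote' naming the server. The addresses, file names
# and key path are assumptions modelled on the lab diagram; the routes
# use OpenVPN's own 'route' directive instead of a separate .sh script.
SERVER_PUBLIC_IP=192.168.12.201      # ixp0 of the VPN server
SERVER_TUN_IP=10.0.1.254
CLIENT_TUN_IP=10.0.2.254
SERVER_LAN=10.0.1.0
CLIENT_LAN=10.0.2.0
KEY_FILE=/etc/openvpn/static.key     # from: openvpn --genkey --secret static.key

# write_tun_configs <dir>: creates tunserver.conf and tunclient.conf
write_tun_configs() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/tunserver.conf" <<EOF
dev tun
proto udp
port 1194
ifconfig $SERVER_TUN_IP $CLIENT_TUN_IP
route $CLIENT_LAN 255.255.255.0
secret $KEY_FILE
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
    cat > "$dir/tunclient.conf" <<EOF
dev tun
proto udp
remote $SERVER_PUBLIC_IP 1194
ifconfig $CLIENT_TUN_IP $SERVER_TUN_IP
route $SERVER_LAN 255.255.255.0
secret $KEY_FILE
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# check_tun_pair <server.conf> <client.conf>: prints "ok" and returns 0
# when the pair is consistent, otherwise prints the problem and returns 1.
check_tun_pair() {
    s=$1; c=$2
    s_if=$(awk '$1 == "ifconfig" { print $2, $3 }' "$s")
    c_if=$(awk '$1 == "ifconfig" { print $3, $2 }' "$c")   # swapped on purpose
    if [ -z "$s_if" ] || [ -z "$c_if" ]; then
        echo "ifconfig (local/remote VPN address) missing on one side"; return 1
    fi
    if [ "$s_if" != "$c_if" ]; then
        echo "tunnel endpoints do not mirror each other: server '$s_if'"; return 1
    fi
    if ! grep -q '^remote ' "$c"; then
        echo "client has no 'remote': the server address must be specified"; return 1
    fi
    for f in "$s" "$c"; do
        grep -q '^secret ' "$f" || { echo "$f has no 'secret' key file"; return 1; }
    done
    echo ok
}

# Usage: sh tun-configs.sh /etc/openvpn
if [ -n "${1:-}" ]; then
    write_tun_configs "$1"
    check_tun_pair "$1/tunserver.conf" "$1/tunclient.conf"
fi
```

The mirror check is the one that catches the classic copy-paste mistake: if the client file keeps the server's `ifconfig` order, both ends claim the same local address and the tunnel comes up with no route through it. The static key must be copied to both devices over a trusted channel before either side is started.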
3-3 TAP Configuration – VPN Server
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
• [At VPN Client] vi /etc/openvpn/tapclient.conf
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routes: vi /etc/openvpn/tunserver.sh
• [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (at the client: openvpn --config /etc/openvpn/tapclient.conf &)
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits … etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars (source the file into the current shell): . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
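As an added example for sections 3-4-2 and 3-4-3 (not from the deck or from easy-rsa), the script below writes the TLS-mode TAP configuration pair that references the files build-ca, build-key and build-dh produce, and runs a preflight check before openvpn is started: every file a configuration references must exist on that device, and the private key must not be readable by other users. The paths, the server address 192.168.12.201 and the absence of an `ifconfig` line (in bridged mode the address lives on br0, section 3-3) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the deck or from easy-rsa: once build-ca,
# build-key and build-dh have produced ca.crt, server.crt, server.key,
# client.crt, client.key and dh1024.pem, this writes the TLS-mode TAP
# configuration pair and runs a preflight check before openvpn is started:
# every file a configuration references must exist, and private keys must
# not be readable by other users. Paths, the server address and the
# absence of 'ifconfig' (the address lives on br0 in bridged mode,
# section 3-3) are assumptions.
SERVER_PUBLIC_IP=192.168.12.201

# write_tls_configs <dir>: creates tapserver.conf and tapclient.conf
write_tls_configs() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/tapserver.conf" <<EOF
dev tap0
proto udp
port 1194
tls-server
ca $dir/ca.crt
cert $dir/server.crt
key $dir/server.key
dh $dir/dh1024.pem
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
    cat > "$dir/tapclient.conf" <<EOF
dev tap0
proto udp
remote $SERVER_PUBLIC_IP 1194
tls-client
ca $dir/ca.crt
cert $dir/client.crt
key $dir/client.key
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# preflight <conf>: prints one line per problem; returns 0 when clean.
preflight() {
    conf=$1; status=0
    for kw in ca cert key dh secret; do
        f=$(awk -v k="$kw" '$1 == k { print $2 }' "$conf")
        [ -z "$f" ] && continue          # directive not used in this file
        if [ ! -r "$f" ]; then
            echo "$conf: $kw file $f missing"; status=1
        elif [ "$kw" = key ] || [ "$kw" = secret ]; then
            # ls -l columns 5-10 are the group and other permission bits;
            # anything but "------" means another user can read the key.
            if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
                echo "$conf: $kw file $f is readable by group or others"; status=1
            fi
        fi
    done
    return $status
}

# Usage: sh tls-configs.sh /etc/openvpn && openvpn --config /etc/openvpn/tapserver.conf
if [ -n "${1:-}" ]; then
    write_tls_configs "$1"
    preflight "$1/tapserver.conf"
fi
```

Run the preflight on each device after the copy steps of 3-4-2: the server needs ca.crt, server.crt, server.key and dh1024.pem, the client needs ca.crt, client.crt and client.key, and neither side should ever hold the other's private key or the CA's private key. A key file left at mode 644 after scp is the failure the permission check is there to catch.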
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range 0 to 300 VDC & right side for the low range 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier | Model name
ASUS | WL-107g
CNET | CWC-854 (181D version)
Edimax | EW-7108PCg
Amigo | AWP-914WG
Gigabyte | GN-WMKG
Others which use the Ralink chipset
Thank You
1 Quick View of iptables1 Quick View of iptables
3rd generation firewall on Linuxndash ldquoipfwadmrdquo on Linux Kernel V20Xndash ldquoipchainsrdquo on Linux Kernel V22Xndash ldquoipchainsrdquo ldquoiptablesrdquo on Linux Kernel V24Xndash ldquoiptablesrdquo on Linux Kernel V26X
Supports basic packet filtering as well as connection state tracking
UC-71107400 support only ldquoiptablesrdquo
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
2) Rules Chains and Tables2) Rules Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match ndash The Highest Priority2-1 First Match ndash The Highest Priority
Packets
Rule 1
Rule 10
Default Policy
Action 1
Action 2
No
No
Yes
Yes
Rule 2
No
Action 10Yes
2-1 First Match 2-1 First Match
On WWW Server reject the attack from IP = 1921681100Rule 1 Drop the packets from 1921681100Rule 2 Accept WWW request packets from all the hostsRule 3 Drop all the none-WWW packets
Rule 1 Accept WWW request packets from all the hosts Rule 2 Drop the packets from 1921681100Rule 3 Drop all the none-www packets
1921681100 is able to use the WWW service or to attack WWW service port
2-2 Three 2-2 Three Major TablesMajor Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table2-2-1 Filter Table
Mainly used for filtering packets The place that we actually take action against packets
and look at what they contain and ACCEPT DROP REJECT LOG them depending on their content
1 INPUT chain ndash packets enter the local host
2 OUTPUT chainndash packets output from the local host
3 FORWARD chainndash forward packets to other hosts
2-2-2 NAT Table2-2-2 NAT Table
Be used for NAT on different packets
to translate the packets source field or destination field
1) PREROUTING chain ndash to transfer the dst IP address (DNAT)
2) POSTROUTING chainndash this works after routing process and before Ethernet device process to transfer the source IP address (SNATMASQUARED)
3) OUTPUT chainndash to work for local producing packets
2-2-3 Mangle Table2-2-3 Mangle Table
This table is mainly be used for
mangling packets In other words you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) and TTL fields It can also ldquoMARKrdquo the packets
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT OUTPUT and FORWARD chain
2-3 Processing Packets2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host2-3-1 Destination Local Host
2-3-1 Destination Local Host2-3-1 Destination Local Host
Incoming Packets
NAT Table PREROUTING
Local Process
Filter Table INPUT
2-3-2 Source Local Host
Local process -> nat table OUTPUT -> filter table OUTPUT -> nat table POSTROUTING -> outgoing packets are sent out
2-3-3 Forwarded Packets
Incoming packets -> nat table PREROUTING -> routing decision -> filter table FORWARD -> nat table POSTROUTING -> other hosts
A forwarded packet never passes through INPUT or OUTPUT, so rules for hosts behind the UC-7400 must be placed in the FORWARD chain.
2-4 State Machine
Connection tracking classifies every packet as NEW, ESTABLISHED, RELATED or INVALID; the -m state match in 3-3-3 uses these states.
Agenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible; the ipchains module must be unloaded before iptables can be used.
3-1 Load iptables Modules
Check the current tables: iptables [-t table] -L -n (the policy shown in the header of each built-in chain is its default policy)
3-1 Install iptables
Clear the current rules before installing a new policy.
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
The default policy is the action taken when no rule in a built-in chain matches. Set a DROP policy only in the filter table; the nat and mangle tables should keep ACCEPT, otherwise every packet that matches no nat or mangle rule is dropped.
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <chain> [rule number] <match ...> -j <target>
Three major things need to be considered in every rule: the direction (chain), the match (conditions) and the target (action, given with -j). -A appends at the end of the chain, -I inserts (at position 1 unless a number is given), -D deletes and -R replaces a rule by number.
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP/mask], -d [IP/mask]
3. --sport [port], --dport [port] (require -p tcp or -p udp; a range is written low:high)
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --sports/--dports/--ports [p1,p2,...,p15]
6. -i [in-iface], -o [out-iface] (-i is valid only in INPUT/FORWARD/PREROUTING, -o only in OUTPUT/FORWARD/POSTROUTING)
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR (LOG and ULOG are non-terminating, the packet continues with the next rule; MIRROR is experimental and was dropped from later kernels)
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (only in POSTROUTING), REDIRECT (only in PREROUTING/OUTPUT)
c. mangle table: TOS, TTL, MARK, ...
3-4 Save / Restore Rules
iptables-save writes the current rule set to a file and iptables-restore loads it back. It is highly recommended to use a script file to maintain the Netfilter rules instead of editing this exported file (it is not a standard shell script). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all packets incoming from the lo interface
Example 2 - Accept all TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 3 - Accept all TCP packets incoming from the network 192.168.1.0/24
Example 4 - Drop all TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Note: appended in this order, Example 4 never fires, because 192.168.1.25 lies inside 192.168.1.0/24 and is accepted by the rule of Example 3 first (see 2-1). Insert the DROP rule before the ACCEPT rule (-I INPUT) to make it effective.
4-1 Packet Filter - Rules of filter table
Example 5 - Drop all incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
Example 6 - Accept TCP packets incoming from the network 192.168.0.0/24 to the local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 7 - Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
iptables -t filter -A OUTPUT -p tcp --sport 25 -j LOG
Note: LOG is non-terminating, so the packet continues with the next rule after being logged. UC-7110 does not support the target "LOG".
4-1 Packet Filter - Rules of filter table
Example 8 - Drop all [SYN] packets from IP = 192.168.100.200
Example 9 - Drop all packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
Example 11 - Limit an ICMP "ping" burst
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Note: Example 11 relies on the DROP policy: the limit match accepts a burst of 10 ICMP packets and then 6 per minute; everything beyond that falls through to the policy.
4-1 Packet Filter - Rules of filter table
Example 12 - Accept the ESTABLISHED and RELATED packets of the local host; drop INVALID packets and NEW packets that try to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of filter table
Example 13 - Check the packet integrity
Example 14 - Enable the "passive mode" FTP service to a host
iptables -t filter -A INPUT -p all -m unclean -j DROP
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
Note: the "unclean" match is experimental in kernel 2.4 and is not available in later kernels. The ip_conntrack_ftp helper parses the FTP control channel, so the data connection that passive mode opens on a random port is marked RELATED and no port range has to be opened.
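The examples above are single rules; on a real box they only work as a set, in the order section 2-1 requires, and maintained in a script as section 3-4 recommends. The following script is an added example written for this page, not code from the Moxa training material: a stateful host firewall for the UC-7400's INPUT chain. Its interface name eth0, the management station 192.168.1.10 and the subnet 192.168.1.0/24 are assumptions; 192.168.1.100 is the attacker of section 2-1. Without the argument "apply" it only prints the iptables commands, so the rule order can be reviewed before anything is installed.

```sh
#!/bin/sh
# Added example, not part of the Moxa deck: a stateful host firewall for
# the UC-7400's INPUT chain that puts examples 1-12 together in the order
# section 2-1 demands (specific DROPs and the conntrack rules before any
# broad ACCEPT, DROP policy as the fallback). Assumed, not from the deck:
# eth0 is the outside interface, 192.168.1.10 is the management station,
# 192.168.1.0/24 is the local subnet. Invoked as "fw.sh apply" the rules
# are installed; without the argument (the default) they are only printed.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"    # assumed management station
BLOCKED="${BLOCKED:-192.168.1.100}"         # the attacker of section 2-1

# Print the command in a dry run, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Known state first: flush all tables, DROP policy only in the filter table.
fw_reset() {
    run iptables -t filter -F
    run iptables -t filter -X
    run iptables -t nat -F
    run iptables -t mangle -F
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -P FORWARD DROP
    run iptables -t filter -P OUTPUT ACCEPT
}

fw_input() {
    # 1. Loopback: local services talk to themselves all the time.
    run iptables -A INPUT -i lo -j ACCEPT
    # 2. Explicit blocks BEFORE any ACCEPT; after an ACCEPT they would
    #    never be reached (the ordering mistake of section 2-1).
    run iptables -A INPUT -i "$WAN_IF" -s "$BLOCKED" -j DROP
    # 3. Conntrack: replies to our own connections and RELATED traffic
    #    such as passive-FTP data or ICMP errors; junk is dropped early.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state INVALID -j DROP
    # 4. New connections we offer: SSH from the admin host only, HTTP from
    #    anywhere. Everything else ends up at the DROP policy.
    run iptables -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # 5. Rate-limited ping (example 11) instead of silently dropping it.
    run iptables -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # 6. Log what is about to hit the policy, rate-limited so a flood
    #    cannot fill the flash-backed log (UC-7110 has no LOG target).
    run iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-INPUT-DROP: "
}

fw_apply() { fw_reset; fw_input; }

# Position (1-based) of the first generated line containing the pattern,
# used to check that a DROP really precedes the ACCEPT it must beat.
fw_rule_pos() { awk -v pat="$1" 'index($0, pat) { print NR; exit }'; }

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0; fw_apply; iptables -t filter -L INPUT -n --line-numbers
else
    fw_apply
fi
```

Run it as `sh fw.sh` to see the rule list, check with `fw_rule_pos` that the DROP for the blocked host and the ESTABLISHED,RELATED rule come before the HTTP ACCEPT, then `sh fw.sh apply` as root. Keeping the whole set in one script that starts from a flush makes the order reproducible after every reboot, which an `iptables-save` dump edited by hand does not.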
4-2 NAT Machine - Rules of nat table
Example 1 - Redirect the connection requests for port 80 to port 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 leaving through ppp0 as the local IP of ppp0
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Note: MASQUERADE is valid only in the POSTROUTING chain (the outgoing interface is not known before the routing decision), so this rule cannot go into PREROUTING. MASQUERADE is the right choice for a dynamic ppp0 address; with a fixed address use SNAT (Example 4).
4-2 NAT Machine - Rules of nat table
Example 3 - DNAT the packets incoming on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10 port 80
Example 4 - SNAT the packets from the internal network 192.168.127.0/24 to the external address $OUT_IP
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Note: the nat rules only rewrite addresses; with a DROP policy on FORWARD the translated packets still need matching filter rules in the FORWARD chain, written against the translated address 192.168.127.10.
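The NAT examples above show the nat table only. The script below is an added example for this page, not Moxa's own code: the UC-7400 as the NAT machine of the hands-on lab, with the FORWARD filter rules the slides leave out. It assumes eth0 is the public interface holding 60.248.66.75 (from Example 3), eth1 is the LAN 192.168.127.0/24 and 192.168.127.10 is the internal web server; these names are assumptions. Without the argument "apply" it prints the commands instead of running them.

```sh
#!/bin/sh
# Added example, not part of the Moxa deck: the UC-7400 as the NAT machine
# of section 4-2, with the FORWARD filter rules the slides leave out. Assumed:
# eth0 is the public interface holding 60.248.66.75 (example 3), eth1 is the
# LAN 192.168.127.0/24 and 192.168.127.10 is the internal web server.
# Without "apply" as argument the commands are printed, not executed.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
OUT_IP="${OUT_IP:-60.248.66.75}"
LAN_NET="${LAN_NET:-192.168.127.0/24}"
WEB_SRV="${WEB_SRV:-192.168.127.10}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

nat_rules() {
    # Nothing is forwarded while ip_forward is 0, whatever the nat table says.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run modprobe ip_conntrack_ftp            # passive FTP through the NAT

    run iptables -t nat -F
    run iptables -t filter -F FORWARD
    run iptables -t filter -P FORWARD DROP

    # Example 3: publish the web server. DNAT is done in PREROUTING, i.e.
    # before the routing decision and before FORWARD, so the filter rule
    # further down must match the translated address, not 60.248.66.75.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SRV:80"
    # Example 4: LAN hosts leave with the public address. SNAT needs a fixed
    # address; with a dynamic one (ppp0) use -j MASQUERADE here instead.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$OUT_IP"

    # The nat table only rewrites; what may cross the box is decided here.
    # Anti-spoofing first: nobody outside may claim a LAN source address.
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state INVALID -j DROP
    # LAN -> Internet: anything new from our own subnet.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # Internet -> LAN: only the published service, on the translated address.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SRV" --dport 80 \
        -m state --state NEW -j ACCEPT
}

# Lines of the generated rule set for one chain (dry run), for inspection.
chain_rules() { nat_rules | grep -- "-A $1 "; }

if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
nat_rules
```

`chain_rules FORWARD` lists just the forwarding policy so it can be read on its own: the anti-spoofing DROP is first, the published service is matched on 192.168.127.10 rather than on the public address, and everything else from the outside falls to the DROP policy.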
Thank You
OpenVPN 2.0 - Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC-7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even by listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot later deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key? The key must reach the other side over some other secure channel
• Key management: n parties need n(n-1)/2 keys for pairwise communication
• DES, 3DES, AES, Blowfish
[Diagram] Tom: plaintext -> encryption with the secret key -> ciphertext; Bob: ciphertext -> decryption with the same secret key -> plaintext
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5, SHA-1
[Diagram] Tom: data -> hash function -> Message Digest 1; data + Message Digest 1 are sent. Bob: data -> same hash function -> Message Digest 2; compare Message Digest 1 with Message Digest 2
A bare hash only detects accidental corruption: an attacker who changes the data can recompute the digest as well, which is why the next two sections add a key.
1-4 Message Authentication Code
• Ensure the data integrity and that the data came from a holder of the key
• Use a secret key to protect the MAC
• HMAC, CBC-MAC
[Diagram] Tom: data -> hash function -> Message Digest 1 -> encryption with the secret key -> MAC; data + MAC are sent. Bob: MAC -> decryption with the secret key -> Message Digest 1; data -> hash function -> Message Digest 2; compare
Both sides hold the same secret key, so a MAC proves integrity and origin to the peer but cannot prove to a third party which of the two produced it (no non-repudiation).
1-5 Asymmetric Encryption
Things to remember
• Key pair - public/private keys
• In a session one key is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• From one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• For RSA the two keys are mathematically interchangeable: when a key pair is generated, either of the two can be made public and the other kept private. This is not true of every algorithm
• Less efficient than symmetric (static key) encryption
• RSA, Diffie-Hellman
[Diagram] clear text -> encryption -> unreadable cipher text
1-5 Asymmetric Data Encryption - Confidentiality Check
[Diagram] Tom: plaintext -> encryption with Bob's public key -> ciphertext; Bob: ciphertext -> decryption with Bob's private key -> plaintext (recipient's key pair)
Only the holder of Bob's private key can read the message.
1-5 Asymmetric Data Encryption - Authenticity Check
[Diagram] Tom: plaintext -> encryption with Tom's private key -> ciphertext; Bob: ciphertext -> decryption with Tom's public key -> plaintext (sender's key pair)
Anyone holding Tom's public key can read the message, but only the holder of Tom's private key could have produced it.
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - uses a public key algorithm together with a hash
1-6 Digital Signature - Creating
1. Calculate a short message digest from the message or file, even a long one, using a one-way message digest function (hash: SHA, MD5). The digest is typically 128 bits (MD5) or 160 bits (SHA-1)
2. Encrypt the digest with the signatory's private key (asymmetric encryption: RSA); the result is the digital signature
3. Message or file + digital signature = signed document
1-6 Digital Signature - Verifying
1. Generate the message digest of the received message or file with the same hash function
2. Decrypt the digital signature with the signatory's public key (taken from the signatory's certificate); this recovers the digest the signatory computed
3. Compare the two digests: equal means the document is intact and was signed with the private key belonging to that public key
1-6 Digital Signature
[Diagram] Tom: data -> hash function -> Message Digest 1 -> encryption with Tom's private key -> digital signature; data + digital signature are sent. Bob: digital signature -> decryption with Tom's public key -> Message Digest 1; data -> hash function -> Message Digest 2; compare
This is the MAC picture of 1-4 with the secret key replaced by Tom's key pair: the verifier holds only the public key and cannot forge the signature, which is what gives non-repudiation.
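The three constructions of sections 1-3, 1-4 and 1-6 can be tried with the openssl command line that the UC-7400 ships with (OpenSSL 0.9.x) or any current Linux PC. The script below is an added example for this page, not code from the deck; it assumes only that the openssl binary is installed, and the key and document file names are created in a temporary directory. The document text is taken from the slide's example.

```sh
#!/bin/sh
# Added example, not part of the Moxa deck: hash, keyed MAC and RSA
# signature from sections 1-3 to 1-6 exercised with the openssl CLI.
# Assumes the openssl binary is on PATH; keys are created in a temp dir.

# 1-3 Hash: anyone can recompute it, so it only detects accidental damage.
digest() {                     # digest <algo> <data>  -> hex digest
    printf '%s' "$2" | openssl dgst "-$1" | awk '{print $NF}'
}

# 1-4 MAC: the same hash keyed with a shared secret; without the key an
# attacker cannot produce a valid tag for modified data.
hmac() {                       # hmac <algo> <key> <data> -> hex tag
    printf '%s' "$3" | openssl dgst "-$1" -hmac "$2" | awk '{print $NF}'
}

# Receiver side: recompute and compare. (A shell string compare is not
# constant-time; in a real service compare with a library function.)
verify_hmac() {                # verify_hmac <algo> <key> <data> <tag> -> 0 ok / 1 bad
    [ "$(hmac "$1" "$2" "$3")" = "$4" ]
}

# 1-6 Signature: hash, then RSA with the private key; verified with the
# public key only, which is what makes it non-repudiable.
make_keypair() {               # make_keypair <dir> -> <dir>/tom.key, <dir>/tom.pub
    openssl genrsa -out "$1/tom.key" 2048 2>/dev/null
    openssl rsa -in "$1/tom.key" -pubout -out "$1/tom.pub" 2>/dev/null
}
sign_file() {                  # sign_file <privkey> <file> <sigfile>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_file() {                # verify_file <pubkey> <file> <sigfile> -> 0 ok / 1 bad
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Self-check: sign, verify, tamper with the document, verify again.
signature_demo() {             # prints "ok" when both the good and the tampered case behave
    dir=$(mktemp -d) || return 1
    make_keypair "$dir"
    printf 'This is the document created by Gianni\n' > "$dir/doc.txt"
    sign_file "$dir/tom.key" "$dir/doc.txt" "$dir/doc.sig"
    verify_file "$dir/tom.pub" "$dir/doc.txt" "$dir/doc.sig" || { rm -rf "$dir"; return 1; }
    printf 'This is the document created by Mallory\n' > "$dir/doc.txt"
    if verify_file "$dir/tom.pub" "$dir/doc.txt" "$dir/doc.sig"; then
        rm -rf "$dir"; return 1          # tampering went unnoticed: broken
    fi
    rm -rf "$dir"
    echo ok
}

digest sha1 "abc"
hmac sha256 "key" "The quick brown fox jumps over the lazy dog"
signature_demo
```

`digest` and `hmac` take the algorithm name as openssl spells it (sha1, sha256, md5), so the same functions show why the keyed tag is the one to send: changing the data or the key changes the tag, and only a key holder can compute a matching one.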
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key; the entity can be a person, a computer, a device, a file, some code, anything ...
... and the whole is:
• Digitally signed by someone trusted (like your friend, or a CA)
[Diagram] "This public key belongs to Stephen" + public key + digital signature of the issuer = certificate
1-7-1 CA Certificate
[Diagram]
1. The CA generates its own key pair (priv, pub) on the certification server; the CA's public key is published in a certificate signed by the CA itself
2. The user requests a certificate from the CA
3. The CA generates the certificate: the user's public key + the CA's digital signature (DS) over it
4. The private key and the certificate are sent to the user. In this flow the CA also generates the user's key pair, as the CA.sh and easy-rsa tools of 3-4 do; when the user generates the key pair itself, only a certificate request is sent and the private key never leaves the user
1-7-1 CA Certificate Example
[Diagram] The CA holds the CA private key. Left holds: Left's private key, Left's certificate signed by the CA, and the CA public key. Right holds: Right's private key, Right's certificate signed by the CA, and the CA public key.
Left and Right trust each other's certificate because each verifies the CA's signature on it with the CA public key it already holds; private keys are never signed or shared.
1-7-2 SSL/TLS
[Diagram] Each side holds a key pair (priv, pub). Clear text -> encrypt -> cipher 1 -> encrypt -> cipher 2 -> transmission over the public network -> decrypt -> cipher 1 -> decrypt -> clear text
• Ensures confidentiality
• And integrity, if digitally signed (or protected with a MAC)
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
In practice SSL/TLS uses the public keys only to authenticate the peers (certificates) and to agree on a session key; the bulk traffic is then protected with symmetric encryption and a MAC.
1-8 Moxa UC-7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: 3DES-CBC and AES-128-CBC throughput and acceleration rate vs. packet size, software cipher vs. HW cipher; one pair of charts for 128 to 1280-byte packets and one for 16 to 144-byte packets]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operation between the software and the hardware approach:
• Default: hardware approach
• Any misconfiguration, or the engine being busy, causes a switch to the software approach
• Small packets are switched to the software approach: DES below 128 bytes, 3DES/AES below 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
A VPN is a network constructed by using public wires (e.g. the Internet) to connect nodes.
A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH etc. do).
A VPN allows the use of protocols that are insecure by themselves.
VPNs cannot be controlled and logged easily because of their encrypted nature: a firewall or IDS in the path sees only the tunnel, so filtering has to happen at the tunnel endpoints.
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution on top of the existing SSL/TLS mechanism
• A choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000 in OpenVPN 1.x, 1194 in 2.0) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
HMAC | IV | encrypted { SeqN | payload }
• SeqN: 64-bit sequence number, used for replay protection
• IV: plain-text initialization vector, randomized per packet
• The HMAC is computed over the IV and the encrypted part and is checked before decryption
2-2 OpenVPN vs. IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall and NAT friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses the TUN mode (device): a virtual point-to-point IP link between the two OpenVPN peers
Uses the kernel routing to forward the packets
[Diagram] OSI stacks of both peers (physical, data-link, network, transport, session, presentation, application); OpenVPN attaches at the network layer (3rd) through the TUN device
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
The bridge tools (brctl, from the bridge-utils package) are required to create the bridge
A script is needed to bind eth1 and tap0 together into a bridge device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram] OSI stacks of both peers; OpenVPN attaches at the data-link layer (2nd) through tap0, which is bridged with eth1 into br0 on each side
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN - this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well (every broadcast crosses the tunnel)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Lab topology]
LAN A: IP 10.0.1.1/24, gw 10.0.1.254 - ixp1 of the VPN server (10.0.1.254, also the CA/TLS server), ixp0 192.168.12.201
LAN B: IP 10.0.2.1/24, gw 10.0.2.254 - ixp1 of the VPN client (10.0.2.254), ixp0 192.168.12.202
The VPN tunnel runs between ixp0 192.168.12.201 and ixp0 192.168.12.202; the VPN client connects to the VPN server.
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for the character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
The static key is the whole secret of the tunnel: copy it to the peer over a secure channel (e.g. scp) and keep it readable by root only (chmod 600).
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified (the "ifconfig <local> <remote>" line)
It is NECESSARY to specify the server address at the VPN client (the "remote" line)
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN client] openvpn --config /etc/openvpn/tunclient.conf &
The client configuration mirrors the server's "ifconfig" line: the 2nd argument of the server's "ifconfig", which is "10.0.2.254" here, is the client's local address.
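The configuration files themselves survive only as screenshots in the deck. The script below is an added example for this page, not Moxa's own configuration: it generates a matching static-key TUN pair (the "static key" mode of 2-2) for the lab topology of 3-1. Assumed, beyond what the slides state: the server's ixp0 address is 192.168.12.201, the tunnel endpoint addresses are 10.8.0.1/10.8.0.2, the key file is /etc/openvpn/static.key generated with "openvpn --genkey --secret" and copied to the client, and the routes to the remote LAN are given as "route" directives instead of the tunserver.sh/tunclient.sh scripts.

```sh
#!/bin/sh
# Added example, not the deck's own config: static-key TUN site-to-site
# pair for the 3-1 lab. Assumptions (not from the slides): server ixp0
# 192.168.12.201, tunnel addresses 10.8.0.1 (server) / 10.8.0.2 (client),
# key file /etc/openvpn/static.key, LANs 10.0.1.0/24 and 10.0.2.0/24.

SERVER_IP="${SERVER_IP:-192.168.12.201}"
TUN_LOCAL_SRV=10.8.0.1
TUN_LOCAL_CLI=10.8.0.2
LAN_A="10.0.1.0 255.255.255.0"        # behind the server
LAN_B="10.0.2.0 255.255.255.0"        # behind the client
KEY="${KEY:-/etc/openvpn/static.key}"

# Options both peers share. cipher/auth must be identical on both sides,
# and persist-key/persist-tun keep the tunnel across key re-reads and restarts.
common_opts() {
    cat <<EOF
dev tun
proto udp
port 1194
secret $KEY
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# tun_config server|client -> the .conf on stdout
tun_config() {
    case "$1" in
    server)
        echo "# VPN server (10.0.1.254 side)"
        echo "ifconfig $TUN_LOCAL_SRV $TUN_LOCAL_CLI"
        echo "route $LAN_B"                 # LAN B is reached through the tunnel
        ;;
    client)
        echo "# VPN client (10.0.2.254 side)"
        echo "remote $SERVER_IP"            # only the client names the peer
        echo "ifconfig $TUN_LOCAL_CLI $TUN_LOCAL_SRV"
        echo "route $LAN_A"                 # LAN A is reached through the tunnel
        ;;
    *) echo "usage: tun_config server|client" >&2; return 1 ;;
    esac
    common_opts
}

# The "ifconfig" arguments are mirrored: the server's 2nd argument is the
# client's 1st and vice versa. Returns 0 when the two configs agree.
check_mirrored() {
    s=$(tun_config server | awk '$1=="ifconfig"{print $2, $3}')
    c=$(tun_config client | awk '$1=="ifconfig"{print $3, $2}')
    [ "$s" = "$c" ]
}

write_configs() {                           # write_configs <dir>
    mkdir -p "$1"
    tun_config server > "$1/tunserver.conf"
    tun_config client > "$1/tunclient.conf"
}

if [ "${1:-}" = "write" ]; then write_configs "${2:-/etc/openvpn}"; else tun_config server; fi
```

`sh gen.sh write` writes both files into /etc/openvpn; copy tunclient.conf and static.key to the client and start each side with `openvpn --config`. `check_mirrored` catches the classic mistake of copying the server's ifconfig line to the client unchanged, which leaves both ends claiming the same local address.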
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
Comment out this line (the route to the remote LAN) if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh
[At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
The routes point at the bridge interface in the kernel routing table: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate request with the CA: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Repeat -newreq and -sign for the second client
3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars (source the file into the current shell): . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters (1024 bits here, the size taken from KEY_SIZE in vars): /etc/openvpn/easy-rsa/build-dh
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
Copy the CA certificate, the client key and the client certificate to the VPN client
The CA private key (ca.key) stays on the machine that runs easy-rsa; it is never copied to a VPN server or client.
The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txxserverconf
txxclienconf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Voltage: left side for the high range 0 to 300 VDC, right side for the low range 0 to 20 VDC
UC's LCM and keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration key
F5 Main menu
Apache Web with CGI and HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Flowchart] Packets are tested against Rule 1, Rule 2, ... Rule 10 in order. At the first rule that matches (Yes) its action (Action 1, Action 2, ... Action 10) is taken and evaluation stops; a packet that matches no rule (No at every rule) gets the chain's default policy.
2-1 First Match
On WWW Server reject the attack from IP = 1921681100Rule 1 Drop the packets from 1921681100Rule 2 Accept WWW request packets from all the hostsRule 3 Drop all the none-WWW packets
Rule 1 Accept WWW request packets from all the hosts Rule 2 Drop the packets from 1921681100Rule 3 Drop all the none-www packets
1921681100 is able to use the WWW service or to attack WWW service port
2-2 Three 2-2 Three Major TablesMajor Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table2-2-1 Filter Table
Mainly used for filtering packets The place that we actually take action against packets
and look at what they contain and ACCEPT DROP REJECT LOG them depending on their content
1 INPUT chain ndash packets enter the local host
2 OUTPUT chainndash packets output from the local host
3 FORWARD chainndash forward packets to other hosts
2-2-2 NAT Table2-2-2 NAT Table
Be used for NAT on different packets
to translate the packets source field or destination field
1) PREROUTING chain ndash to transfer the dst IP address (DNAT)
2) POSTROUTING chainndash this works after routing process and before Ethernet device process to transfer the source IP address (SNATMASQUARED)
3) OUTPUT chainndash to work for local producing packets
2-2-3 Mangle Table2-2-3 Mangle Table
This table is mainly be used for
mangling packets In other words you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) and TTL fields It can also ldquoMARKrdquo the packets
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT OUTPUT and FORWARD chain
2-3 Processing Packets2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host2-3-1 Destination Local Host
2-3-1 Destination Local Host2-3-1 Destination Local Host
Incoming Packets
NAT Table PREROUTING
Local Process
Filter Table INPUT
2-3-2 Source Local Host2-3-2 Source Local Host
2-3-2 Source Local Host2-3-2 Source Local Host
NAT Table OUTPUT
Outgoing Packets
Filter Table OUPUT
NAT Table POSTROUTING
Send Out Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
NAT Table PREROUTING
Local Resource
NAT Table POSTROUTING
Other Hosts
Incoming Packets
Filter Table FORWARD
2-4 State Machine2-4 State Machine
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
3) Usage of iptables3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save Restore Rules
3-1 Load iptables Modules3-1 Load iptables Modules
Note ipchains and iptables are not compatible
3-1 Load iptables Module3-1 Load iptables Module
Check the Current Tablesiptables [-t tables] [-L] [-n]
Default Policy
3-1 Install iptables3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy3-2 Define Default Policy
iptables ndasht filter nat mangle
ndashP INPUT OUTPUT FORWARD PREROUTING POSTROUTING
ACCEPT DROP
3-2 Define Default Policy3-2 Define Default Policy
3-3 Structure of a Rule3-3 Structure of a Rule
3-3-1 Add Insert Delete an Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add Insert Delete and Replace3-3-1 Add Insert Delete and Replace
iptables ndasht filter nat mangle
AI DR
ndash direction match target
3 major things needed
to be considered
ndashj
3-3-2 Direction ndash Chains3-3-2 Direction ndash Chains
a filter Table INPUT
OUTPUT
FORWARD
b nat Table PREROUTING
POSTROUTING
OUTPUT
c mangle table hellip
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Accept all the packets incoming from lo interface
Example 2 ndash Accept all the TCP packets incoming from
IP = 19216801
iptables ndasht filter ndashA INPUT ndashi lo ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 19216801 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 3 ndash Accept all the TCP packets incoming from the network
1921681024
OpenVPN 2.0 - Stephen Lin
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: (n-1)·n/2 keys
• DES / 3DES / AES / Blowfish
[Figure: Tom turns Plaintext into Ciphertext with Encryption under the Secret Key; Bob turns the Ciphertext back into Plaintext with Decryption under the same Secret Key.]
1-3 Hash (Digest) Function
• Ensures Data Integrity
• MD5 / SHA-1
[Figure: Tom runs the Data through the Hash Function to get Message Digest 1 and sends Message Digest 1 + Data; Bob runs the received Data through the same Hash Function to get Message Digest 2 and compares it with Message Digest 1.]
1-4 Message Authentication Code
• Ensures Data Integrity
• Uses a key to protect the MAC
• HMAC / CBC-MAC
[Figure: Tom hashes the Data to Message Digest 1 and turns it into the MAC with the Secret Key (MAC Encryption), sending MAC + Data; Bob hashes the received Data to Message Digest 2, recovers Message Digest 1 from the MAC with the Secret Key (Decryption), and compares the two.]
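The difference between slides 1-3 and 1-4 is easiest to see on the wire: an unkeyed digest protects only against accidental corruption, because whoever changes the data can recompute the digest, while a MAC needs the shared key. The following is an added teaching example, not code from the training deck or from Moxa; the message text, the "PAY 100" to "PAY 900" rewrite and the 32-byte key are constructed for the demonstration, and SHA-256 / HMAC-SHA256 are used in place of the MD5 / SHA-1 named on the slides.

```python
"""Plain digest (slide 1-3) versus keyed MAC (slide 1-4) under tampering.

Added teaching example; not part of the Moxa UC-7400 training material.
Keys and messages are constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def message_digest(data: bytes) -> bytes:
    """Slide 1-3: an unkeyed hash. Anyone on the path can recompute it."""
    return hashlib.sha256(data).digest()


def message_auth_code(key: bytes, data: bytes) -> bytes:
    """Slide 1-4: HMAC, a digest that can only be produced with the shared secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def bob_checks_digest(data: bytes, tag: bytes) -> bool:
    """Receiver side of slide 1-3: recompute 'Message Digest 2' and compare with 'Message Digest 1'."""
    return hmac.compare_digest(message_digest(data), tag)


def bob_checks_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver side of slide 1-4: recompute the MAC with the key.

    compare_digest is a constant-time comparison, so the check itself does not
    leak how many leading bytes of a forged tag were correct.
    """
    return hmac.compare_digest(message_auth_code(key, data), tag)


def man_in_the_middle(data: bytes, keyed: bool) -> Tuple[bytes, bytes]:
    """Someone on the wire rewrites the amount and attaches the best tag he can make.

    Without the key, the only tag he can compute is an unkeyed hash of the
    forged data, which is exactly what the plain-digest scheme accepts and
    exactly what the MAC scheme rejects.
    """
    forged = data.replace(b"PAY 100", b"PAY 900")
    tag = message_digest(forged)   # valid for slide 1-3, wrong for slide 1-4
    return forged, tag


def run_scenario(key: bytes) -> Dict[str, bool]:
    """Tom sends 'PAY 100' to Bob, first protected by a plain digest, then by an HMAC."""
    msg = b"FROM TOM TO BOB: PAY 100"

    # Slide 1-3: digest travels with the data and is recomputed by the attacker.
    data1, tag1 = man_in_the_middle(msg, keyed=False)
    digest_detects_tamper = not bob_checks_digest(data1, tag1)

    # Slide 1-4: MAC travels with the data; the attacker cannot recompute it.
    data2, tag2 = man_in_the_middle(msg, keyed=True)
    mac_detects_tamper = not bob_checks_mac(key, data2, tag2)

    return {
        "untampered_digest_ok": bob_checks_digest(msg, message_digest(msg)),
        "untampered_mac_ok": bob_checks_mac(key, msg, message_auth_code(key, msg)),
        "digest_detects_tamper": digest_detects_tamper,   # False: the attacker recomputed it
        "mac_detects_tamper": mac_detects_tamper,         # True: the attacker lacks the key
    }


if __name__ == "__main__":
    for name, result in run_scenario(b"\x01" * 32).items():
        print(f"{name}: {result}")
```

The same `hmac.compare_digest` call is what a receiver should use for every tag comparison, including the OpenVPN-style packet check later in this deck; a plain `==` on bytes can return early on the first mismatching byte.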
1-5 Asymmetric Encryption
Things to remember:
• Key pair: Public / Private keys
• In a session, one key is used for encryption and the other one for decryption
• The "Public Key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: all algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a Static Key
• RSA / Diffie-Hellman
[Figure: Clear text → Encryption → cipher text (illegible sample strings).]
1-5 Asymmetric Data Encryption - Confidentiality Check
[Figure: Tom encrypts the Plaintext with Bob's Public Key; Bob decrypts the ciphertext with Bob's Private Key (the recipient's key pair).]
1-5 Asymmetric Data Encryption - Authenticity Check
[Figure: Tom encrypts the Plaintext with Tom's Private Key; Bob decrypts the ciphertext with Tom's Public Key (the sender's key pair).]
1-6 Digital Signature
Real World - Hybrid:
1. Data Integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - use the public key and a Hash
1-6 Digital Signature - Creating
[Figure: Message or File ("This is the document created by Gianni") → Generate Hash (SHA, MD5) → Message Digest (typically 128 bits) → Asymmetric Encryption (RSA) with the Signatory's private key → Digital Signature. The Signed Document is the message together with the signature. Note on the slide: calculate a short message digest from even a long input using a one-way message digest function (hash).]
1-6 Digital Signature - Verifying
[Figure: the Signed Document is split into the message and the Digital Signature; Generate Hash of the message → Message Digest; Asymmetric Decryption of the signature with Gianni's public key (from certificate) → Message Digest; Compare the two digests.]
1-6 Digital Signature
[Figure: Tom hashes the Data to Message Digest 1 and encrypts it with Tom's Private Key to form the Digital Signature, sent together with the Data; Bob hashes the received Data to Message Digest 2, decrypts the Digital Signature with Tom's Public Key to recover Message Digest 1, and compares the two.]
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: Certificate = public key + "This public key belongs to Stephen" + Digital Signature. The entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Figure: Certification Server. The CA generates a key pair (Priv, pub). The user requests a certificate from the CA; the CA generates the certificate (pub + DS); the Private Key and the Certificate are sent to the user. Left Cert signed by CA; Right Cert signed by CA; CA Pub Key signed by CA.]
1-7-1 CA Certificate Example
[Figure: the CA holds the CA Private Key. Left holds its Priv Key, Left Cert signed by CA, and the CA Pub Key; Right holds its Priv Key, Right Cert signed by CA, and the CA Pub Key. Left and Right trust each other because both certificates are signed by the CA.]
1-7-2 SSL/TLS
[Figure: two key pairs (Priv, pub). Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → transmission over the public network → Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text.]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
• Intel XScale supports: Security Engines DES, AES; algorithm modes ECB, CBC, CTR
• Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four charts of throughput RATE against packet size, hardware cipher versus software. 3DES-CBC and AES128-CBC for packet sizes 128 to 1280 (RATE scale 0 to 80, second scale 0 to 8); 3DES-CBC and AES128-CBC for packet sizes 16 to 144 (RATE scale 0 to 9, second scale 0 to 2.5). Legend: = HW Cipher.]
1-8-3 Things to be noticed
• Moxa UC-7400 switches operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
• Small packets are switched to the software approach: DES 128 bytes; 3DES / AES 64 bytes
1-8-4 Software Package
• Driver: mxhw_cipher.o
• Device file: mknod /dev/mxcrypto c 11 131
• Test program: io (correctness test); io 0 5000 (stability test); io 1 (golden pattern); io 2 20000 (performance test)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network - Advantages / Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT / DHCP support
• Can use a 2048 bit shared key or digital certificates (PKI)
Portability - supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
Peers - each node with a client/server role
• In use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000 / 1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | IP payload, with an "encrypt" bracket over the SeqN and payload and the HMAC bracket spanning the IV and the encrypted part.]
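The two per-packet fields on this slide do different jobs: the HMAC lets the receiver reject packets that were forged or modified in transit, and the SeqN lets it reject packets that are merely replayed. Below is an added teaching example of the receive-side checks, not code from OpenVPN or from the deck. It follows the layout the slide gives (HMAC | IV | SeqN | payload) under these assumptions: HMAC-SHA256 (32 bytes), a 16-byte IV, a 64-bit big-endian SeqN starting at 1, and a 64-entry replay window; the payload is treated as opaque bytes, so the encryption step of the real protocol is left out.

```python
"""Authenticate, then replay-check, an OpenVPN-style data packet.

Added teaching example; not OpenVPN source and not part of the deck.
Assumed layout: HMAC(32) | IV(16) | SeqN(8, big-endian) | payload.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

HMAC_LEN = 32
IV_LEN = 16
SEQ_LEN = 8


def build_packet(auth_key: bytes, seqn: int, payload: bytes, iv: Optional[bytes] = None) -> bytes:
    """Sender side: the IV is random per packet; the HMAC covers IV, SeqN and payload."""
    if iv is None:
        iv = os.urandom(IV_LEN)
    inner = iv + struct.pack(">Q", seqn) + payload
    tag = hmac.new(auth_key, inner, hashlib.sha256).digest()
    return tag + inner


class ReplayWindow:
    """Sliding bitmap of recently accepted sequence numbers (assumed 64 wide)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0   # highest SeqN accepted so far (0 = none yet; SeqN starts at 1)
        self.bitmap = 0    # bit i set => SeqN (highest - i) was already accepted

    def check_and_update(self, seqn: int) -> bool:
        if seqn <= 0:
            return False
        if seqn > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seqn - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seqn
            return True
        offset = self.highest - seqn
        if offset >= self.size:
            return False            # older than the window: treat as a replay
        if (self.bitmap >> offset) & 1:
            return False            # exact duplicate
        self.bitmap |= 1 << offset  # late but unseen (UDP reordering): accept once
        return True


class Receiver:
    def __init__(self, auth_key: bytes) -> None:
        self.auth_key = auth_key
        self.window = ReplayWindow()

    def accept(self, packet: bytes) -> Tuple[bool, str]:
        """HMAC is verified before any other field is parsed, so forged or corrupted
        packets are dropped cheaply and never touch the replay state."""
        if len(packet) < HMAC_LEN + IV_LEN + SEQ_LEN:
            return False, "too short"
        tag, inner = packet[:HMAC_LEN], packet[HMAC_LEN:]
        expected = hmac.new(self.auth_key, inner, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad hmac"
        seqn = struct.unpack(">Q", inner[IV_LEN:IV_LEN + SEQ_LEN])[0]
        if not self.window.check_and_update(seqn):
            return False, "replay"
        return True, "ok"


if __name__ == "__main__":
    key = b"\x07" * 32                      # constructed shared authentication key
    rx = Receiver(key)
    first = build_packet(key, 1, b"payload-1")
    print(rx.accept(first))                 # (True, 'ok')
    print(rx.accept(first))                 # (False, 'replay')
```

Checking the HMAC first is the order that matters operationally: a packet that fails authentication costs one HMAC computation and is discarded, whereas a replay check done on unauthenticated data would let an attacker poison the window with fabricated sequence numbers.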
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic / Firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: the seven OSI layers on each side (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the Application layer and the TUN device sits at the 3rd layer (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Figure: the seven OSI layers on each side (Physical, Data-Link, Network, Transport, Session, Presentation, Application); Bridging joins eth1 and tap0 on each side, OpenVPN runs at the Application layer over eth0, and the TAP device sits at the 2nd layer (Data-Link) beside the TUN device at the 3rd.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (IP 10.0.1.1/24, gw 10.0.1.254) on ixp1 of the [VPN Server] 10.0.1.254; the server's ixp0 192.168.12.201 connects through the VPN Tunnel to ixp0 192.168.12.202 of the [VPN-Client] 10.0.2.254, whose ixp1 serves LAN B (IP 10.0.2.1/24, gw 10.0.2.254). A [CA/TLS Server] is also shown.]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create / start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the cipher / authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
• [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• The local / remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
• Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
• [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf & ; openvpn --config /etc/tunclient.conf &
• [At VPN Client] the 2nd argument of "ifconfig" is now "10.0.2.254"
3-3 TAP Configuration - VPN Server
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
• [At VPN Client] vi /etc/openvpn/tapclient.conf
• Mark this line if both VPN networks are in the same subnet
• Edit the static routings: vi /etc/openvpn/tunserver.sh
• [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• Point to the kernel routing: br0 = 10.0.1.254
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & ; openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits … etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
• Create the VPN client private key and certificate: /etc/openvpn/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
• txxserver.conf
• txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
• F1: Monitoring - Temperature → Voltage → Throughput for P3 to P8
• F2: System Status - LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
• F3: Alarm Setting - Temperature → Voltage → Burning throughput
• F4: Configuration Key
• F5: Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier | Model name
ASUS | WL-107g
CNET | CWC-854 (181D version)
Edimax | EW-7108PCg
Amigo | AWP-914WG
Gigabyte | GN-WMKG
Others which use the Ralink chipset
Thank You
2) Rules, Chains and Tables
2-1 First Match
2-2 Three Major Tables
2-3 Processing Packets
2-4 State Machine
2-1 First Match - The Highest Priority
[Figure: flowchart. Packets are tested against Rule 1; on a match (Yes) Action 1 is taken, otherwise (No) Rule 2 is tested (Action 2), and so on through Rule 10 (Action 10); a packet that matches no rule falls through to the Default Policy.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all hosts
Rule 3: Drop all the non-WWW packets
versus
Rule 1: Accept WWW request packets from all hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
With the second ordering, 192.168.1.100 is still able to use the WWW service, or to attack the WWW service port, because Rule 1 matches its packets first and Rule 2 is never reached.
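The two orderings above are easiest to compare by walking a chain the way the kernel does: top down, first match wins, default policy if nothing matches. The following is an added teaching example, not code from the deck or from netfilter; it models only the rule fields the deck uses (-i, -p, -s, --dport, -j) and a chain policy, and the address 192.168.1.100 and the "good" host 192.168.1.7 are the slide's example and a constructed neighbour respectively.

```python
"""First-match evaluation of an iptables filter chain.

Added teaching example, not code from the deck or from netfilter: a small
model of how a chain is walked so the two rule orders on slide 2-1 can be
compared on concrete packets.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port (0 when not applicable)
    iface: str = "eth0"


@dataclass(frozen=True)
class Rule:
    """One chain entry; a None field matches anything, like omitting the iptables option."""
    target: str                              # -j ACCEPT or DROP
    src: Optional[str] = None                # -s host or CIDR
    proto: Optional[str] = None              # -p tcp|udp|icmp|all
    dport: Optional[Tuple[int, int]] = None  # --dport lo:hi
    iface: Optional[str] = None              # -i

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto not in (None, "all") and self.proto != pkt.proto:
            return False
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return True


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, int]:
    """Walk the chain top-down; the first matching rule decides.

    Returns (verdict, rule number); rule number 0 means the default policy applied.
    """
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, number
    return policy, 0


ATTACKER = "192.168.1.100"                          # the address on the slide
WWW = Rule("ACCEPT", proto="tcp", dport=(80, 80))   # "Accept WWW request packets from all hosts"
BLOCK_ATTACKER = Rule("DROP", src=ATTACKER)          # "Drop the packets from 192.168.1.100"
DROP_REST = Rule("DROP")                             # "Drop all the non-WWW packets"

# First ordering on the slide: the specific DROP precedes the generic ACCEPT.
DROP_FIRST = [BLOCK_ATTACKER, WWW, DROP_REST]
# Second ordering: the generic ACCEPT shadows the DROP for port-80 traffic.
ACCEPT_FIRST = [WWW, BLOCK_ATTACKER, DROP_REST]


def compare_orders(src: str, dport: int = 80, policy: str = "ACCEPT") -> dict:
    """Verdict and deciding rule number for one TCP packet under both orderings."""
    pkt = Packet(src=src, proto="tcp", dport=dport)
    return {
        "drop_first": evaluate(DROP_FIRST, policy, pkt),
        "accept_first": evaluate(ACCEPT_FIRST, policy, pkt),
    }


if __name__ == "__main__":
    for host in (ATTACKER, "192.168.1.7"):          # 192.168.1.7 is a constructed neighbour
        print(host, compare_orders(host))
```

Running it shows the attacker's port-80 packet decided by rule 1 in both chains, with opposite verdicts; the specific exception has to be placed above the broad rule it is meant to override, which is the same reason the deck later recommends maintaining the rule set in a script whose order you control.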
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain - packets entering the local host
2. OUTPUT chain - packets output from the local host
3. FORWARD chain - packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field.
1) PREROUTING chain - translates the destination IP address (DNAT)
2) POSTROUTING chain - works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT / MASQUERADE)
3) OUTPUT chain - works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process
2-3-2 Source Local Host
Outgoing Packets → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets
2-3-3 Forwarded Packets
Incoming Packets → NAT Table PREROUTING → (not for a Local Resource) → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
Check the current tables: iptables [-t table] [-L] [-n]
The listing also shows the default policy of each chain
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R [direction] [match] -j [target]
Three major things need to be considered: direction, match, target
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches - Conditions
1. -p [proto]: tcp | udp | icmp | all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW | ESTABLISHED | INVALID | RELATED
5. -m multiport [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING / OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from IP 192.168.0.24 to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT
Example 7 - Log all the incoming / outgoing TCP packets to / from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED / RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 - Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 - Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 as the local ppp0's IP (MASQUERADE and -o are only valid in the POSTROUTING chain, see 3-3-4)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10 port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature
Real world: hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: use the public key and a hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") goes through a one-way message digest function (hash: SHA, MD5), which calculates a short message digest (typically 128 bits) even from a long input. The digest is then encrypted with the signatory's private key using asymmetric encryption (RSA); the result is the digital signature. Message plus digital signature form the signed document.]
1-6 Digital Signature - Verifying
[Diagram: from the signed document, the receiver generates a fresh message digest of the data with the same hash, decrypts the digital signature with Gianni's public key (taken from the certificate) to recover the original digest, and compares the two.]
1-6 Digital Signature
[Diagram: Tom computes Message Digest 1 = Hash(Data) and encrypts it with Tom's private key, giving the digital signature, which is sent along with the data. Bob computes Message Digest 2 = Hash(Data), decrypts the signature with Tom's public key to recover Message Digest 1, and compares.]
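The MAC flow of slide 1-4 and the sign/verify flow of slide 1-6, as an added example driven through the openssl command line (this is not code from the Moxa training material). SHA-256 stands in for the MD5/SHA-1 of the slides, the shared secret and the key files are constructed here, and the document text is the slide's sample sentence. Each check function prints OK or FAIL so a script can branch on the result.

```shell
#!/bin/sh
# Added example (not from the Moxa training material): MAC (slide 1-4) and
# digital signature (slide 1-6) with the openssl CLI. Keys and the shared
# secret are constructed for the demo; SHA-256 replaces the MD5/SHA-1 of
# the slides.
WORK=$(mktemp -d)
HMAC_KEY="constructed-shared-secret"     # shared by Tom and Bob (slide 1-4)

# Slide 1-4: MAC = keyed hash over the data. Prints the hex tag.
mac_tag() {  # $1 = data file
  openssl dgst -sha256 -hmac "$HMAC_KEY" "$1" | awk '{print $NF}'
}

# Bob's side: recompute the tag with the same secret and compare.
mac_check() {  # $1 = data file, $2 = received tag
  if [ "$(mac_tag "$1")" = "$2" ]; then echo OK; else echo FAIL; fi
}

# Slide 1-6: the signatory's RSA key pair. The private key stays with the
# signer; the public key is what a certificate (slide 1-7) would carry.
make_keypair() {  # $1 = private key path, $2 = public key path
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Creating: hash the document, then encrypt the digest with the private key
# (openssl dgst -sign does both steps, with proper signature padding).
sign_doc() {  # $1 = document, $2 = private key, $3 = signature output file
  openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# Verifying: recompute the digest, decrypt the signature with the public
# key and compare. Prints OK only when document and signature match.
verify_doc() {  # $1 = document, $2 = public key, $3 = signature file
  if openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# End-to-end run on a constructed document. Prints two lines: the MAC and
# signature results for the genuine document and for a copy with one
# character changed.
demo() {
  printf 'This is the document created by Gianni\n' > "$WORK/doc.txt"
  tag=$(mac_tag "$WORK/doc.txt")
  make_keypair "$WORK/priv.pem" "$WORK/pub.pem"
  sign_doc "$WORK/doc.txt" "$WORK/priv.pem" "$WORK/doc.sig"
  sed 's/Gianni/Gianny/' "$WORK/doc.txt" > "$WORK/doc2.txt"   # tampered copy
  echo "mac genuine=$(mac_check "$WORK/doc.txt" "$tag") tampered=$(mac_check "$WORK/doc2.txt" "$tag")"
  echo "sig genuine=$(verify_doc "$WORK/doc.txt" "$WORK/pub.pem" "$WORK/doc.sig") tampered=$(verify_doc "$WORK/doc2.txt" "$WORK/pub.pem" "$WORK/doc.sig")"
}
```

Source the file and call `demo`: the genuine document passes both checks, the tampered copy fails both. The MAC needs the shared secret on both sides (anyone holding it can also forge a tag), whereas the signature is verified with a key that can be published, which is the property slide 1-6 lists as non-repudiation.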
1-7 Certificate
The simplest certificate just contains:
• a public key (for Stephen),
• information about the entity that is being certified to own that public key,
… and the whole is
• digitally signed by someone trusted (like your friend or a CA).
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair. A user requests a certificate from the CA; the CA generates the certificate (public key + digital signature), and the private key and the certificate are sent to the user. Left cert signed by CA; right cert signed by CA; CA public key signed by CA (self-signed).]
1-7-1 CA Certificate Example
[Diagram: the CA private key signs the Left and Right certificates. Left and Right each hold their own private key, their certificate signed by the CA, and the CA public key, and trust each other through it.]
1-7-2 SSL/TLS
[Diagram: each side holds a private/public key pair. Clear text is encrypted (Cipher 1), encrypted again (Cipher 2), transmitted over the public network, and decrypted in the reverse order back to clear text.]
• Ensures confidentiality, and integrity if digitally signed.
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation.
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• no need to change the source code.
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), where OpenSSL wraps it too.
1-8-2 Performance
[Charts: throughput versus packet size for 3DES-CBC and AES-128-CBC, with and without the hardware cipher. Upper pair: packet sizes 128 to 1280 bytes; lower pair: packet sizes 16 to 144 bytes. Series: 3DES CBC, 3DES CBC RATE, AES128 CBC, AES128 CBC RATE; RATE = HW cipher.]
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approaches:
• default: hardware approach
• any mis-configuration or busy state causes the switch to the software approach
Small packets are switched to the software approach (thresholds):
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.).
• A VPN allows the usage of protocols which are insecure by themselves.
• VPNs cannot be controlled and logged easily because of their encrypted nature.
2-2 Why OpenVPN
Usability:
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node with a client/server role
• uses kernel routing
• multiple clients
A user-space program:
• a full-featured SSL-VPN solution
• built on top of the existing SSL/TLS mechanism
• a choice among a set of security algorithms
• can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • authentication
  • key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
[Diagram: packet layout HMAC | IV | SeqN | payload, with brackets marking the encrypted part and the part covered by the HMAC]
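The packet layout above, built and checked with the openssl command line as an added example (this is not OpenVPN's code and not its wire format): SeqN and payload are encrypted under a fresh random IV, the HMAC covers the IV and the ciphertext, and the receiver verifies the HMAC before decrypting anything and then rejects any sequence number it has already seen. The AES and HMAC keys, the 16-digit decimal rendering of the 64-bit sequence number, and the hex/base64 text encoding with "." separators are constructed simplifications for a shell demo.

```shell
#!/bin/sh
# Added example (not OpenVPN's code): the static-key packet layout of slide
# 2-2, [HMAC | IV | encrypt(SeqN | payload)], with the openssl CLI. Keys are
# constructed placeholders; the text encoding (hex IV, base64 ciphertext,
# '.' separators) is a demo simplification, not OpenVPN's wire format.
ENC_KEY=000102030405060708090a0b0c0d0e0f      # constructed 128-bit AES key (hex)
HMAC_KEY=constructed-hmac-key                 # constructed HMAC key
LAST_SEQ=0                                    # receiver's replay state

hmac_hex() {  # $1 = string to authenticate; prints the HMAC-SHA1 tag in hex
  printf '%s' "$1" | openssl dgst -sha1 -hmac "$HMAC_KEY" | awk '{print $NF}'
}

# Sender: encrypt "SeqN|payload" under a fresh random IV, then authenticate
# IV and ciphertext together. Prints one packet as mac.iv.ciphertext.
build_packet() {  # $1 = sequence number, $2 = payload text
  iv=$(openssl rand -hex 16)
  ct=$(printf '%016d|%s' "$1" "$2" | openssl enc -aes-128-cbc -K "$ENC_KEY" -iv "$iv" -a -A)
  printf '%s.%s.%s\n' "$(hmac_hex "$iv.$ct")" "$iv" "$ct"
}

# Receiver: verify the HMAC first (nothing is decrypted until the tag checks
# out), then decrypt, then enforce a strictly increasing sequence number so a
# replayed packet is dropped. Prints the payload, or a one-word reason.
receive_packet() {  # $1 = packet as produced by build_packet
  mac=$(printf '%s' "$1" | cut -d. -f1)
  iv=$(printf '%s' "$1" | cut -d. -f2)
  ct=$(printf '%s' "$1" | cut -d. -f3)
  if [ "$(hmac_hex "$iv.$ct")" != "$mac" ]; then
    echo BAD_HMAC; return 1
  fi
  if ! plain=$(printf '%s' "$ct" | openssl enc -d -aes-128-cbc -K "$ENC_KEY" -iv "$iv" -a -A 2>/dev/null); then
    echo BAD_DECRYPT; return 1
  fi
  seq=${plain%%|*}
  seq=$(printf '%s' "$seq" | sed 's/^0*//')   # drop zero padding before the numeric compare
  if [ -z "$seq" ]; then seq=0; fi
  if [ "$seq" -le "$LAST_SEQ" ]; then
    echo REPLAY; return 1
  fi
  LAST_SEQ=$seq
  printf '%s\n' "${plain#*|}"
}
```

Because the HMAC is checked before decryption, a tampered or forged packet costs the receiver one hash and never reaches the cipher; the sequence check is what turns a captured valid packet into a rejected one on its second arrival. The state lives in the shell variable LAST_SEQ, so the receiver has to be called in the same shell, not in a command substitution, for the replay window to advance.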
2-2 OpenVPN vs IPSec
OpenVPN:
• user-space daemon
• SSL/TLS
• portability across operating systems
• firewall- and NAT-friendly
• dynamic address support
IPSec:
• kernel-space IP stack
• each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic: firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN.
• Uses the kernel routing to forward the packets.
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN sits at the application layer and the TUN device at layer 3 (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
• Bridge tools (brctl) are required to create the virtual adapters.
• A script is needed to bind eth1 and tap0 together into a bridged device called br0.
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: two OSI stacks; OpenVPN at the application layer, TUN at layer 3, TAP at layer 2; on each side eth0 carries the tunnel while eth1 and tap0 are bridged into br0.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Network diagram: LAN A (10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN server, whose ixp0 address is 192.168.12.201 and whose ixp1 is 10.0.1.254 (it is also the CA/TLS server). LAN B (10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN client, whose ixp0 address is 192.168.12.202 and whose ixp1 is 10.0.2.254. The client connects to the server; the VPN tunnel runs between the two ixp0 interfaces.]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At the VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• The local and remote VPN IP addresses must be specified.
• It is NECESSARY to specify the server address at the VPN client.
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
  [At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf &; openvpn --config /etc/tunclient.conf &
• The 2nd argument of "ifconfig" is now "10.0.2.254".
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At the VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
• Mark this line if both VPN networks are in the same subnet.
3-3 TAP Configuration - VPN Server
• Edit the static routes: vi /etc/openvpn/tunserver.sh
  [At the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• Points to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &; openvpn --config /etc/openvpn/tapclient &
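The steps of slides 3-1 to 3-3, together with the brctl commands of slide 2-3-2, collected into one setup script as an added example (this is not Moxa's openvpn-bridge script). The addresses are the ones in the slide-3-1 diagram (192.168.12.201 on the server's ixp0, 10.0.1.254 and 10.0.2.254 as the two gateways); the key file name static.key, the minimal static-key TUN config contents, the eth1/tap0/br0 bridge members and the use of --daemon instead of a trailing & are assumptions. DRY_RUN=1 prints every privileged command instead of executing it, which is how the script can be checked on a machine without root or OpenVPN.

```shell
#!/bin/sh
# Added example (not Moxa's openvpn-bridge script): slides 2-3-2 and 3-1 to
# 3-3 as one script. Addresses come from the slide-3-1 diagram; file names,
# key name and the minimal config contents are assumptions.
# DRY_RUN=1 prints the privileged commands instead of executing them.
OPENVPN_DIR=${OPENVPN_DIR:-/etc/openvpn}
KEY_FILE=$OPENVPN_DIR/static.key            # assumed name for the pre-shared key
SERVER_ADDR=192.168.12.201                   # VPN server's ixp0 address (slide 3-1)

run() {  # execute, or echo when DRY_RUN is set
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

prepare_host() {  # slide 3-1: working dir, tun node, modules, forwarding, key
  run mkdir -p "$OPENVPN_DIR"
  [ -e /dev/net/tun ] || run mknod /dev/net/tun c 10 200
  run modprobe tun
  run modprobe bridge
  run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"   # needed to route between the LANs
  [ -f "$KEY_FILE" ] || run openvpn --genkey --secret "$KEY_FILE"
  run openvpn --test-crypto --secret "$KEY_FILE"        # self diagnostic
}

# Static-key point-to-point TUN config (slide 3-2). The server's tunnel end
# is 10.0.1.254 and the client's 10.0.2.254; the client must name the server
# with "remote", and each side routes the other side's LAN over the tunnel.
write_tun_conf() {  # $1 = server | client, $2 = output file
  if [ "$1" = server ]; then
    local_ip=10.0.1.254; peer_ip=10.0.2.254; peer_lan=10.0.2.0; remote_line=""
  else
    local_ip=10.0.2.254; peer_ip=10.0.1.254; peer_lan=10.0.1.0; remote_line="remote $SERVER_ADDR"
  fi
  cat > "$2" <<EOF
dev tun
proto udp
port 1194
$remote_line
ifconfig $local_ip $peer_ip
route $peer_lan 255.255.255.0
secret $KEY_FILE
ping 10
verb 3
EOF
}

bridge_up() {  # slides 2-3-2 and 3-3: bind eth1 and tap0 into br0 = 10.0.1.254
  run openvpn --mktun --dev tap0
  run brctl addbr br0
  run brctl addif br0 eth1
  run brctl addif br0 tap0
  run ifconfig eth1 0.0.0.0 promisc up
  run ifconfig tap0 0.0.0.0 promisc up
  run ifconfig br0 10.0.1.254 netmask 255.255.255.0 up
}

bridge_down() {
  run ifconfig br0 down
  run brctl delbr br0
  run openvpn --rmtun --dev tap0
}

start_tunnel() {  # $1 = config file; slide 3-2 backgrounds the daemon
  run openvpn --config "$1" --daemon
}
```

The bridge gives the physical port and tap0 no address of their own; br0 takes the gateway address 10.0.1.254 that slide 3-3 points the kernel routing at. Keeping the pre-shared key under /etc/openvpn with the rest of the configuration matches the working-directory recommendation of slide 3-1.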
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input default_days, default_bits, … etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client.
• Have the second client certified the same way.
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create Diffie-Hellman parameters (1024 bits): /etc/openvpn/easy-rsa/build-dh
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server.
• Copy the CA certificate, the client key and the client certificate to the VPN client.
• The "easy-rsa" tools also work on the UC7400 series.
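What the CA script of slide 3-4-1 and the easy-rsa wrappers of slide 3-4-2 do, spelled out as plain openssl commands in an added example (this is neither OpenSSL's CA script nor easy-rsa): the CA key pair and self-signed CA certificate of slide 1-7-1, a request from each peer, the CA signing it, and the check each VPN peer performs on the certificate presented by the other side using the ca.crt copied to it. Names, lifetimes and key sizes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not OpenSSL's CA script and not easy-rsa): the steps of
# slides 1-7-1, 3-4-1 and 3-4-2 as plain openssl commands. Subject names,
# lifetimes and key sizes are constructed for the demo.
PKI=$(mktemp -d)

# "CA generates a key pair" plus the self-signed CA certificate (build-ca).
make_ca() {
  openssl genrsa -out "$PKI/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$PKI/ca.key" -subj "/CN=Demo OpenVPN CA" \
    -days 30 -out "$PKI/ca.crt"
}

# "User requests a certificate from the CA" and "CA generates certificate"
# (build-key server / build-key client). $1 = peer name, e.g. server.
issue_cert() {
  openssl genrsa -out "$PKI/$1.key" 2048 2>/dev/null
  openssl req -new -key "$PKI/$1.key" -subj "/CN=$1" -out "$PKI/$1.csr"
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
    -CAcreateserial -days 30 -out "$PKI/$1.crt" 2>/dev/null
}

# What a VPN peer does with the certificate the other side presents: check
# the signature chain against the CA it trusts (the ca.crt of slide 3-4-2).
# Prints OK or FAIL.
check_cert() {  # $1 = certificate to check, $2 = trusted CA certificate
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Who signed the certificate, for the log.
cert_issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }

demo() {
  make_ca
  issue_cert server
  issue_cert client
  # A second, unrelated CA: certificates it issued must not be accepted here.
  openssl genrsa -out "$PKI/other-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$PKI/other-ca.key" -subj "/CN=Other CA" \
    -days 30 -out "$PKI/other-ca.crt"
  echo "server by our CA: $(check_cert "$PKI/server.crt" "$PKI/ca.crt")"
  echo "client by our CA: $(check_cert "$PKI/client.crt" "$PKI/ca.crt")"
  echo "client vs other CA: $(check_cert "$PKI/client.crt" "$PKI/other-ca.crt")"
}
```

The three files each peer ends up with are exactly the ones slide 3-4-2 has you copy: its own key, its own certificate, and ca.crt. The private keys never leave the directory where they were generated, and the last line of `demo` shows that a certificate from a CA the peer does not trust fails verification even though it is perfectly well formed.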
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple.
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability.
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1: Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2: System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3: Alarm Setting: Temperature → Voltage → Burn-in throughput
• F4: Configuration Key
• F5: Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card.
• The compatible wireless cards are:
Supplier: Model name
ASUS: WL-107g
CNET: CWC-854 (181D version)
Edimax: EW-7108PCg
Amigo: AWP-914WG
Gigabyte: GN-WMKG
Others which use the R-Link chipset
Thank You
2-1 First Match - The Highest Priority
[Flowchart: incoming packets are compared against Rule 1; on a match, Action 1 is taken, otherwise Rule 2 is tried (Action 2), and so on up to Rule 10 (Action 10); if no rule matches, the default policy applies.]
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
versus
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
In the second order, 192.168.1.100 is able to use the WWW service, or to attack the WWW service port.
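The two rule orders of the slide, run through a small first-match evaluator as an added example (this is not part of the Moxa material and not iptables): the rules and the sample packets are constructed, "any" is a wildcard, and a rule matches only when both its source and its destination port fields match. The point it makes visible is that the same three rules give opposite verdicts for 192.168.1.100 depending on which one is consulted first.

```shell
#!/bin/sh
# Added example (not from the Moxa slides, not iptables): a first-match
# evaluator that reproduces the two rule orders of slide 2-1 so the effect
# of ordering can be checked without touching a real netfilter table.
# Rule format, one per line:  <src | any>  <dport | any>  <ACCEPT | DROP>

# Order 1 from the slide: the host-specific drop comes first.
RULES_DROP_FIRST='192.168.1.100 any DROP
any 80 ACCEPT
any any DROP'

# Order 2 from the slide: the general accept comes first.
RULES_ACCEPT_FIRST='any 80 ACCEPT
192.168.1.100 any DROP
any any DROP'

# first_match RULES SRC DPORT POLICY -> prints the action of the first rule
# whose fields all match, or POLICY (the default policy) when none matches.
first_match() {
  rules=$1; src=$2; dport=$3; policy=$4
  verdict=$(printf '%s\n' "$rules" | while read -r r_src r_port r_action; do
    [ -n "$r_action" ] || continue
    if [ "$r_src" = any ] || [ "$r_src" = "$src" ]; then
      if [ "$r_port" = any ] || [ "$r_port" = "$dport" ]; then
        printf '%s' "$r_action"
        break            # first match wins; later rules are never consulted
      fi
    fi
  done)
  if [ -n "$verdict" ]; then printf '%s\n' "$verdict"; else printf '%s\n' "$policy"; fi
}

# Walk a few constructed packets (src dport) through both orders.
demo() {
  for pkt in "192.168.1.100 80" "192.168.1.100 22" "10.0.0.5 80" "10.0.0.5 22"; do
    set -- $pkt
    printf '%-16s dport %-3s  drop-first=%-6s accept-first=%s\n' "$1" "$2" \
      "$(first_match "$RULES_DROP_FIRST" "$1" "$2" DROP)" \
      "$(first_match "$RULES_ACCEPT_FIRST" "$1" "$2" DROP)"
  done
}
```

Only the packet from 192.168.1.100 to port 80 changes verdict between the two orders; every other packet is decided by the same rule in both. That is the general rule for a first-match engine: a specific deny must precede the broader accept it is meant to carve out of, which is also why the iptables examples later in this deck put host-specific DROP rules ahead of network-wide ACCEPT rules.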
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table
2-2-1 Filter Table
Mainly used for filtering packets: the place where we actually take action against packets, look at what they contain, and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain: packets entering the local host
2. OUTPUT chain: packets output from the local host
3. FORWARD chain: packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, i.e. to translate the packet's source field or destination field.
1) PREROUTING chain: to translate the destination IP address (DNAT)
2) POSTROUTING chain: works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain: works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Diagram: incoming packets → NAT table PREROUTING → filter table INPUT → local process]
2-3-2 Source: Local Host
[Diagram: local process → NAT table OUTPUT → filter table OUTPUT → NAT table POSTROUTING → outgoing packets are sent out]
2-3-3 Forwarded Packets
[Diagram: incoming packets → NAT table PREROUTING → filter table FORWARD → NAT table POSTROUTING → other hosts; the local resource is not involved]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
3-1 Load iptables Modules
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t {filter | nat | mangle} -P {INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING} {ACCEPT | DROP}
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter | nat | mangle} {-A | -I | -D | -R} <direction> <match> -j <target>
Three major things need to be considered: the direction, the match and the target.
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all the packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter - Rules of the filter table
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from the network 192.168.0.0/24 to local port numbers 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 7 - Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG".
4-1 Packet Filter - Rules of the filter table
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Limit ICMP "ping" bursts:
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of the filter table
Example 13 - Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "passive mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of the nat table
Example 1 - Redirect the connection requests for port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 leaving through ppp0 as the local ppp0 IP (MASQUERADE is only valid in the POSTROUTING chain, see 3-3-4):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
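The rules of sections 4-1 and 4-2 kept in one maintainable script, which is what section 3-4 recommends over editing the exported rule dump; this is an added example, not Moxa's hands-on script. Rules are appended in the first-match order of section 2-1 (host-specific drops before network-wide accepts), the masquerade rule is placed in POSTROUTING where the MASQUERADE target is valid (section 3-3-4), the interface names and the internal web server 192.168.127.10 are the slides' values, and PUBLIC_IP is a placeholder for the public address. IPT names the iptables binary; IPT=echo (and MODPROBE=echo) gives a dry run that prints every rule instead of installing it.

```shell
#!/bin/sh
# Added example (not Moxa's hands-on script): the rules of slides 4-1 and
# 4-2 as one script, as slide 3-4 recommends. Set IPT=echo MODPROBE=echo
# for a dry run. PUBLIC_IP is a placeholder; the other addresses are the
# slides' own.
IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-modprobe}
WAN_IF=${WAN_IF:-eth0}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}     # placeholder for the box's public address
WEB_SERVER=192.168.127.10                # internal web server (slide 4-2, example 3)

reset_tables() {  # start from a known state: flush, then default policies (slide 3-2)
  $IPT -t filter -F
  $IPT -t nat -F
  $IPT -t filter -P INPUT DROP
  $IPT -t filter -P FORWARD DROP
  $IPT -t filter -P OUTPUT ACCEPT
}

filter_rules() {  # slide 4-1, in first-match order (slide 2-1): specific denies first
  # Examples 9, 8 and 4: hard denies before any accept can shadow them
  $IPT -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
  $IPT -t filter -A INPUT -p tcp -i "$WAN_IF" -s 192.168.100.200 --syn -j DROP
  $IPT -t filter -A INPUT -p tcp -i "$WAN_IF" -s 192.168.1.25 -j DROP
  # Example 1: loopback
  $IPT -t filter -A INPUT -i lo -j ACCEPT
  # Example 12: connection tracking; INVALID is dropped before NEW is considered
  $IPT -t filter -A INPUT -p tcp -m state --state INVALID -j DROP
  $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Example 7: log SMTP attempts (LOG does not terminate rule traversal)
  $IPT -t filter -A INPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP: "
  # Examples 5 and 6: no FTP from the WAN side, NetBIOS only from the LAN range
  $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 21 -j DROP
  $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
  # Example 3: TCP from the trusted network (192.168.1.25 was already dropped above)
  $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp -s 192.168.1.0/24 -j ACCEPT
  # Example 11: rate-limited echo requests instead of the blanket drop of example 10
  $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
  # Example 14: let the FTP helper open the passive data connection
  $MODPROBE ip_conntrack_ftp
  $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

nat_rules() {  # slide 4-2
  # Example 1: local port 80 is served by a daemon listening on 8080
  $IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
  # Example 2: MASQUERADE only exists in POSTROUTING (slide 3-3-4), after routing
  $IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
  # Example 3: publish the internal web server on the public address
  $IPT -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$PUBLIC_IP" --dport 80 -j DNAT --to "$WEB_SERVER:80"
  # Example 4 (the SNAT rule): source NAT the internal subnet to the public address
  $IPT -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to "$PUBLIC_IP"
}

apply_all() { reset_tables; filter_rules; nat_rules; }
```

Run `apply_all` as root to install the set, or `IPT=echo MODPROBE=echo sh -c '. ./firewall.sh; apply_all'` to review what would be installed. Because the script starts by flushing and setting the default policies, re-running it after an edit yields the same table every time, which the exported dump of iptables-save cannot give you once someone has added rules by hand.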
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
Integrity
• Ensure that the message has not been modified during the transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify who is the specific individual behind that entity.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
• Fast: high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys
• DES, 3DES, AES, Blowfish
[Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts it with the same secret key back to plaintext.]
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5, SHA-1
[Diagram: Tom computes Message Digest 1 = Hash(Data) and sends Data together with Message Digest 1; Bob computes Message Digest 2 with the same hash function and compares.]
1-4 Message Authentication Code
• Ensures data integrity
• Uses a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• Offers a choice between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plaintext initial vector, randomized per packet
[Packet layout: HMAC | IV | SeqN | IP payload – SeqN and the IP payload are encrypted, and the HMAC is computed over the IV and the encrypted part]
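The packet framing described on this slide, as an added example that is not OpenVPN's own code: HMAC over IV plus ciphertext, SeqN inside the encrypted part, and the receiver checking the MAC before decrypting and rejecting replays. The block cipher is replaced by an HMAC-SHA256 counter keystream (an assumption made so the example runs on the standard library alone; the framing and the checks are the point).

```python
"""Encrypt-then-MAC framing in the style of OpenVPN's static-key packets.

Added example for this section, not OpenVPN's own code. It builds and checks
packets laid out as HMAC | IV | encrypt(SeqN | IP payload): the HMAC covers the
IV and the encrypted part, and the 64-bit SeqN inside the encrypted part lets
the receiver reject replays. Assumption: the block cipher is replaced by an
HMAC-SHA256 counter keystream so the example runs on the standard library only.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

MAC_LEN = 32     # HMAC-SHA256 tag length
IV_LEN = 16      # per-packet plaintext IV
SEQ_FMT = ">Q"   # 64-bit big-endian sequence number
SEQ_LEN = 8


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC(key, IV || counter) blocks (stand-in cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StaticKeyChannel:
    """One tunnel endpoint: separate cipher and HMAC keys, a send counter and
    the highest SeqN accepted so far on the receive side."""

    def __init__(self, cipher_key: bytes, hmac_key: bytes) -> None:
        self.cipher_key = cipher_key
        self.hmac_key = hmac_key
        self.send_seq = 0
        self.highest_seen = 0

    def seal(self, payload: bytes, iv: Optional[bytes] = None) -> bytes:
        """Build HMAC | IV | encrypt(SeqN | payload) with a fresh random IV per packet."""
        self.send_seq += 1
        if iv is None:
            iv = os.urandom(IV_LEN)
        plain = struct.pack(SEQ_FMT, self.send_seq) + payload
        cipher = _xor(plain, _keystream(self.cipher_key, iv, len(plain)))
        tag = hmac.new(self.hmac_key, iv + cipher, hashlib.sha256).digest()
        return tag + iv + cipher

    def open(self, packet: bytes) -> bytes:
        """Verify the HMAC first, then decrypt, then enforce a strictly increasing SeqN."""
        if len(packet) < MAC_LEN + IV_LEN + SEQ_LEN:
            raise ValueError("truncated packet")
        tag = packet[:MAC_LEN]
        iv = packet[MAC_LEN:MAC_LEN + IV_LEN]
        cipher = packet[MAC_LEN + IV_LEN:]
        # Authenticate before decrypting: forged or modified data never reaches the cipher.
        expected = hmac.new(self.hmac_key, iv + cipher, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("HMAC mismatch: packet dropped before decryption")
        plain = _xor(cipher, _keystream(self.cipher_key, iv, len(cipher)))
        seq = struct.unpack(SEQ_FMT, plain[:SEQ_LEN])[0]
        # Replay protection: the simplest window, accept only a higher SeqN than seen before.
        if seq <= self.highest_seen:
            raise ValueError(f"replay: SeqN {seq} already seen")
        self.highest_seen = seq
        return plain[SEQ_LEN:]
```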
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram: the seven OSI layers (Physical, Data-Link, Network, Transport, Session, Presentation, Application) on each end; OpenVPN attaches through the TUN device at layer 3]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1) Point-to-point
2) Easier to configure
3) Efficiency and scalability
4) Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1) Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2) Routes must be set up linking each subnet
3) Software that depends on broadcasts will not see the machines on the other side of the VPN
4) Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0         # create an Ethernet bridge
brctl addif br0 eth1    # connect interface eth1 as a port
brctl addif br0 tap0    # connect virtual interface tap0 as a port (the bridge name is required)
[Diagram: the seven OSI layers on each end; OpenVPN attaches through the TAP device at layer 2 (TUN would attach at layer 3); on each side eth1 and tap0 are bridged, with eth0 as the other interface shown]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1) Point-to-point and point-to-multipoint
2) Broadcasts traverse the VPN – this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3) No route statements to configure
4) Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5) Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1) Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Lab network diagram: LAN A (IP 10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN server, whose ixp1 interface is 10.0.1.254 and whose ixp0 interface is 192.168.12.201; LAN B (IP 10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202; the VPN tunnel connects the two ixp0 interfaces, and the CA/TLS server is shown separately]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
• [At the VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
• [At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf &; openvpn --config /etc/tunclient.conf &
• The 2nd argument of "ifconfig" is now "10.0.2.254"
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
• [At the VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routes: vi /etc/openvpn/tunserver.sh
• [At the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &; openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified in the same way
3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
• txxserver.conf
• txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1–F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3 Alarm Setting: Temperature → Voltage → Burning throughput
• F4 Configuration Key
• F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the R-Link chipset
Thank You
2-1 First Match
On a WWW server, reject the attack from IP = 192.168.1.100:
Rule 1: Drop the packets from 192.168.1.100
Rule 2: Accept WWW request packets from all the hosts
Rule 3: Drop all the non-WWW packets
With the order changed:
Rule 1: Accept WWW request packets from all the hosts
Rule 2: Drop the packets from 192.168.1.100
Rule 3: Drop all the non-WWW packets
192.168.1.100 is now able to use the WWW service, or to attack the WWW service port, because its WWW packets match Rule 1 before Rule 2 is ever reached
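First-match evaluation of the two rule orderings above, as an added example that is not part of the training slides: a small model of one chain with an ordered rule list and a default policy (the Packet and Rule classes are this example's own, not iptables structures).

```python
"""First-match evaluation of an iptables-style chain.

Added example, not from the training slides. Models one chain (INPUT on the
WWW server) as an ordered rule list plus a default policy and evaluates the
two orderings from section 2-1: ordering A blocks 192.168.1.100 from the web
service, ordering B lets it through because the ACCEPT rule matches first.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT or DROP
    src: Optional[str] = None    # IP or CIDR; None matches any source
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match, as with combined iptables matches."""
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides the verdict.
    If no rule matches, the chain's default policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


ATTACKER = "192.168.1.100"

# Ordering A from the slide: drop the attacker first, then accept WWW, then drop the rest.
CHAIN_A = [
    Rule("DROP", src=ATTACKER),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("DROP"),
]

# Ordering B from the slide: accept WWW first; the DROP for the attacker is
# reached only by its non-WWW packets, so its web traffic is never blocked.
CHAIN_B = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("DROP", src=ATTACKER),
    Rule("DROP"),
]


def web_request(src: str) -> Packet:
    """A constructed WWW request packet from the given source."""
    return Packet(src=src, proto="tcp", dport=80)
```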
2-2 Three Major Tables
1) Filter table
2) NAT table
3) Mangle table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content
1) INPUT chain – packets entering the local host
2) OUTPUT chain – packets output from the local host
3) FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets: to translate the packet's source field or destination field
1) PREROUTING chain – to translate the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device process, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally generated packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that can be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets
1) PREROUTING chain
2) POSTROUTING chain
3) INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
[Flow: Incoming packets → NAT table PREROUTING → Filter table INPUT → Local process]
2-3-2 Source Local Host
[Flow: Local process → Outgoing packets → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Send out packets]
2-3-3 Forwarded Packets
[Flow: Incoming packets → NAT table PREROUTING → Filter table FORWARD → NAT table POSTROUTING → Other hosts; the local resource is shown beside the path and is not entered]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t [filter|nat|mangle] -P [INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING] [ACCEPT|DROP]
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter|nat|mangle] [-A|-I|-D|-R] [direction] [match] -j [target]
Three major things need to be considered: the direction (chain), the match and the target
3-3-2 Direction – Chains
a) filter table: INPUT, OUTPUT, FORWARD
b) nat table: PREROUTING, POSTROUTING, OUTPUT
c) mangle table: …
3-3-3 Matches – Conditions
1) -p [proto]: tcp, udp, icmp, all
2) -s [IP], -d [IP]
3) --sport [port], --dport [port]
4) -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5) -m multiport --ports [p1,p2,…,p15]
6) -i [iface], -o [oface]
7) … etc.
3-3-4 Targets – Actions
a) filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b) nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c) mangle table: …
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of the filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 7 – Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC7110 does not support the target "LOG"
4-1 Packet Filter – Rules of the filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit ICMP "ping" bursts
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 12 – Accept the ESTABLISHED and RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of the filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets coming from 192.168.1.0/24 behind the local ppp0 IP (MASQUERADE and -o are only valid in POSTROUTING)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the packets incoming from eth0 (60.248.66.75) on TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can gain knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys for n parties
• DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back to the plaintext]
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5/SHA-1
[Diagram: Tom hashes the data into message digest 1 and sends data + digest; Bob runs the same hash function over the received data to get message digest 2 and compares it with message digest 1]
1-4 Message Authentication Code
• Ensure the data integrity
• Use a key to protect the MAC
• HMAC/CBC-MAC
[Diagram: Tom hashes the data into message digest 1, encrypts it with the secret key into the MAC and sends MAC + data; Bob hashes the received data into message digest 2, decrypts the MAC with the secret key to recover message digest 1, and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between the public and the private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static key
• RSA/Diffie-Hellman
[Diagram: clear text is encrypted into cipher text]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key – the recipient's key pair, confidentiality check]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key – the sender's key pair, authenticity check]
1-6 Digital Signature
Real world – hybrid
1) Data integrity
2) Authenticity
3) Non-repudiation
4) Algorithm – uses the public key and a hash
1-6 Digital Signature – Creating
[Diagram: the message or file ("This is the document created by Gianni") is reduced, even from a long input, to a short message digest (typically 128 bits) using a one-way message digest function (hash: SHA, MD5); the digest is encrypted asymmetrically (RSA) with the signatory's private key to give the digital signature; the message plus the signature form the signed document]
1-6 Digital Signature – Verifying
[Diagram: from the signed document, the message is hashed to regenerate the message digest; the digital signature is decrypted asymmetrically with Gianni's public key (from the certificate); the two digests are compared]
1-6 Digital Signature
[Diagram: Tom hashes the data into message digest 1, encrypts it with Tom's private key to form the digital signature and sends data + signature; Bob hashes the received data into message digest 2, decrypts the signature with Tom's public key to recover message digest 1, and compares the two]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Diagram: the certification server (CA) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Diagram: the CA holds its private key; Left and Right each trust the CA public key; Left holds its private key and the Left certificate signed by the CA, Right holds its private key and the Right certificate signed by the CA]
1-7-2 SSL/TLS
[Diagram: each side holds a private/public key pair; clear text is encrypted with the peer's public key (cipher 1, cipher 2), transmitted over the public network, and decrypted with the own private key back to clear text]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
Note the 2nd argument of "ifconfig", which is now "10.0.2.254"
3-3 TAP Configuration – VPN Server
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
Comment out ("mark") this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh; chmod +x /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed at the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (the size, 1024 bits here, comes from KEY_SIZE in vars)
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and certificate to the VPN client
The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
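The slides refer to tunserver.conf and tunclient.conf without showing them. The following is an added example, not Moxa's own files: a script that renders a TUN-mode server and client configuration for the 3-1 topology, either in static-key mode (3-2) or in SSL/TLS mode with the easy-rsa files from 3-4-2. Assumptions not stated on the slides: the tunnel endpoint addresses 10.8.0.1/10.8.0.2 (kept separate from the LAN gateway addresses), UDP port 1194, a "nobody" account on the box, and the key and certificate file names under /etc/openvpn.

```shell
#!/bin/sh
# Added example, not from the Moxa slides: render tunserver.conf / tunclient.conf
# for the 3-1 topology. Mode "static" uses the pre-shared key from
# "openvpn --genkey"; mode "tls" uses the easy-rsa files from 3-4-2.
# Usage: ./mkconf.sh static /etc/openvpn     or     ./mkconf.sh tls /etc/openvpn

SERVER_PUBLIC="192.168.12.201"     # VPN server ixp0, read off the 3-1 diagram
LAN_A="10.0.1.0 255.255.255.0"     # LAN behind the VPN server
LAN_B="10.0.2.0 255.255.255.0"     # LAN behind the VPN client
TUN_SERVER="10.8.0.1"              # assumed tunnel endpoints (not on the slides)
TUN_CLIENT="10.8.0.2"
PORT=1194                          # assumed port

# Options shared by both ends. $1 is "static" or "tls".
common_conf() {
  cat <<EOF
dev tun
proto udp
port $PORT
# encryption and per-packet authentication; pick from openvpn --show-ciphers / --show-digests
cipher AES-128-CBC
auth SHA1
# drop root after start-up (assumes a "nobody" account); persist-* keep the key
# and the tun device usable after privileges are gone
user nobody
persist-key
persist-tun
keepalive 10 60
verb 3
EOF
  # static mode: the shared key file (must be readable by root only)
  [ "$1" = "static" ] && echo "secret /etc/openvpn/static.key"
  return 0
}

tun_server_conf() {
  common_conf "$1"
  # local endpoint first, remote second (the "2nd argument of ifconfig" on the 3-2 slide)
  echo "ifconfig $TUN_SERVER $TUN_CLIENT"
  # reach LAN B through the tunnel; this replaces the static route in tunserver.sh
  echo "route $LAN_B"
  if [ "$1" = "tls" ]; then
    cat <<EOF
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
EOF
  fi
}

tun_client_conf() {
  common_conf "$1"
  # the client MUST know where the server is (3-2); the server needs no "remote"
  echo "remote $SERVER_PUBLIC $PORT"
  echo "ifconfig $TUN_CLIENT $TUN_SERVER"
  echo "route $LAN_A"
  if [ "$1" = "tls" ]; then
    cat <<EOF
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
# only accept a certificate issued as a server certificate (easy-rsa build-key-server
# rather than plain build-key), so another client's certificate cannot pose as the server
ns-cert-type server
EOF
  fi
}

# write_confs MODE DIR: create DIR/tunserver.conf and DIR/tunclient.conf
write_confs() {
  mkdir -p "$2"
  tun_server_conf "$1" > "$2/tunserver.conf"
  tun_client_conf "$1" > "$2/tunclient.conf"
}

case "${1:-}" in
  static|tls) write_confs "$1" "${2:-/etc/openvpn}" ;;
  "")         ;;                       # no argument: only define the functions
  *)          echo "usage: $0 {static|tls} [dir]" >&2; exit 2 ;;
esac
```

Start each end with openvpn --config on the generated file as in 3-2; in tls mode the server certificate must have been built with build-key-server for the ns-cert-type check to pass.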
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier: Model name
ASUS: WL-107g
CNET: CWC-854 (181D version)
Edimax: EW-7108PCg
Amigo: AWP-914WG
Gigabyte: GN-WMKG
Others which use the R-Link chipset
Thank You
2-2 Three Major Tables
1) Filter Table
2) NAT Table
3) Mangle Table
2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets: we look at what they contain and ACCEPT, DROP, REJECT or LOG them depending on their content.
1. INPUT chain – packets entering the local host
2. OUTPUT chain – packets output from the local host
3. FORWARD chain – packets forwarded to other hosts
2-2-2 NAT Table
Used for NAT on different packets, i.e. to translate the packet's source field or destination field.
1) PREROUTING chain – translates the destination IP address (DNAT)
2) POSTROUTING chain – works after the routing process and before the Ethernet device, to translate the source IP address (SNAT/MASQUERADE)
3) OUTPUT chain – works on locally produced packets
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that can be used to change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1. PREROUTING chain
2. POSTROUTING chain
3. INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forwarded Packets
2-3-4 State Machine
2-3-1 Destination Local Host
[Flow diagram: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process]
2-3-2 Source Local Host
[Flow diagram: Outgoing Packets → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets]
2-3-3 Forwarded Packets
[Flow diagram: Incoming Packets → NAT Table PREROUTING → routing decision (local resource, or forward) → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} [direction] [match] -j [target]
3 major things need to be considered: direction, match and target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (the iptables-save output is not a standard script file; it is only meant to be fed back to iptables-restore). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept the TCP packets incoming from 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 – Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC7110 does not support the target "LOG"
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets incoming from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE is only valid in the POSTROUTING chain, see 3-3-4)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
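Section 3-4 recommends keeping the rules in a script rather than in the exported file. The following is an added example, not from the Moxa slides: a rule-maintenance script that assembles the 4-1 and 4-2 examples into one ordered rule set, with the order chosen so that each rule can actually match (it also fixes NAT Example 2, since MASQUERADE is only valid in POSTROUTING). It assumes eth0 as the untrusted side and eth1 as the LAN side with the addresses from the examples; dry_run is a constructed helper so the commands can be reviewed without running iptables.

```shell
#!/bin/sh
# Added example (not from the Moxa slides): firewall script in the style 3-4
# recommends. Rules in a chain are matched top to bottom, so the order below is
# part of the policy, not cosmetic. Constructed assumptions: eth0 = untrusted
# side, eth1 = LAN side; addresses come from the 4-1/4-2 examples.
# On a UC-7400 the Ethernet ports are named ixp0/ixp1.

IPT="${IPT:-iptables}"            # set IPT=dry_run to print instead of apply
WAN_IF="eth0"
LAN_IF="eth1"
LAN_NET="192.168.1.0/24"
BLOCKED_HOST="192.168.1.25"       # 4-1 Example 4
OUT_IP="60.248.66.75"             # 4-2 Example 3: public address on eth0
WEB_SERVER="192.168.127.10"       # 4-2 Example 3: internal web server

dry_run() { printf 'iptables %s\n' "$*"; }

flush_all() {
  # Known starting state: flush every table and reset the policies to ACCEPT,
  # so that re-running the script never appends a second copy of each rule.
  for t in filter nat mangle; do
    $IPT -t "$t" -F
    $IPT -t "$t" -X
  done
  for c in INPUT OUTPUT FORWARD; do
    $IPT -t filter -P "$c" ACCEPT
  done
}

filter_rules() {
  # Default deny for packets to and through the UC (4-1 Example 11, first line).
  $IPT -t filter -P INPUT DROP
  $IPT -t filter -P FORWARD DROP
  $IPT -t filter -P OUTPUT ACCEPT
  # Example 1: loopback.
  $IPT -t filter -A INPUT -i lo -j ACCEPT
  # Example 12 goes first: replies to connections this host opened and RELATED
  # packets (FTP data after modprobe ip_conntrack_ftp, Example 14) are accepted,
  # INVALID ones dropped; everything below only ever sees NEW packets.
  $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -t filter -A INPUT -m state --state INVALID -j DROP
  # Example 4 must precede Example 3/6: an appended DROP for one host is never
  # reached once a broader ACCEPT for its subnet has matched.
  $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$BLOCKED_HOST" -j DROP
  # Example 6, written with the multiport match from 3-3-3: NetBIOS from the LAN only.
  $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" -m multiport --dports 137,138,139 -j ACCEPT
  # Examples 5 and 7 combined: log (rate-limited so the log cannot be flooded),
  # then drop FTP from the untrusted side. The UC7110 has no LOG target.
  $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 21 -m limit --limit 5/min -j LOG --log-prefix "ftp-denied: "
  $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 21 -j DROP
  # Example 11: answer ping, but at most 6/min with a burst of 10; the excess
  # falls through to the DROP policy.
  $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
  # Example 8, generalised from one host to the whole untrusted side: an explicit
  # rule for new TCP connections gives a packet counter to watch (iptables -L -v -n).
  $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --syn -j DROP
  # FORWARD: LAN hosts may go out; only replies and RELATED packets come back in.
  $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

nat_rules() {
  # 4-2 Example 2, corrected: MASQUERADE (and -o) are only valid in POSTROUTING.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
  # 4-2 Example 3: publish the internal web server on the public address.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 -j DNAT --to "$WEB_SERVER:80"
  # DNAT only rewrites the address; the packet still has to pass FORWARD (policy DROP).
  $IPT -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

load_rules() { flush_all; filter_rules; nat_rules; }

case "${1:-}" in
  apply) load_rules ;;
  show)  IPT=dry_run; load_rules ;;
  "")    ;;                          # no argument: only define the functions
  *)     echo "usage: $0 {apply|show}" >&2; exit 2 ;;
esac
```

Run it with "show" to review the ordered commands and with "apply" (as root) to load them; the exported file from iptables-save is then only a snapshot, the script stays the source of truth.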
Thank You
OpenVPN 2.0 (Stephen Lin)
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys
DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back into the plaintext]
1-3 Hash (Digest) Function
Ensure data integrity
MD5/SHA-1
[Diagram: Tom runs the data through the hash function to get Message Digest 1 and sends the data together with the digest; Bob runs the same hash function over the received data to get Message Digest 2 and compares it with Message Digest 1]
1-4 Message Authentication Code
Ensure the data integrity
Use a key to protect the MAC
HMAC/CBC-MAC
[Diagram: Tom hashes the data to Message Digest 1, encrypts the digest with the secret key to form the MAC, and sends the data together with the MAC; Bob hashes the received data to Message Digest 2, decrypts the MAC with the secret key to recover Message Digest 1, and compares the two]
1-5 Asymmetric Encryption
Things to remember:
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable. All algorithms make no difference between public and private key; when a key pair is generated, any of the two can be public or private
• Less efficient than a static key
• RSA/Diffie-Hellman
[Diagram: clear text → encryption → cipher text "g$5knvMd'rkvegMs""]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair): confidentiality check]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair): authenticity check]
1-6 Digital Signature
Real world – hybrid: 1. Data integrity 2. Authenticity 3. Non-repudiation 4. Algorithm – use the public key and a hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") goes through Generate Hash (SHA, MD5) to give the message digest "Py75cbn" (typically 128 bits); the digest is asymmetrically encrypted (RSA) with the signatory's private key to give the digital signature "3kJfgf£$&"; the signed document is the message plus the digital signature]
Calculate a short message digest from even a long input using a one-way message digest function (hash)
1-6 Digital Signature - Verifying
[Diagram: from the signed document (message plus digital signature "3kJfgf£$&"), Generate Hash over the message gives the message digest "Py75cbn"; asymmetric decryption of the digital signature with Gianni's public key (from the certificate) also gives "Py75cbn"; the two are compared]
1-6 Digital Signature
[Diagram: Tom hashes the data to Message Digest 1, encrypts the digest with Tom's private key to form the digital signature, and sends the data together with the signature; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two]
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key ("This public key belongs to Stephen"; the entity can be a person, a computer, a device, a file, some code, anything …)
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: Certificate = public key + "This public key belongs to Stephen" + digital signature]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair (Priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Diagram: Left holds its private key, Left Cert signed by the CA, and the CA Pub Key; Right holds its private key, Right Cert signed by the CA, and the CA Pub Key; the CA holds the CA Private Key and the CA Pub Key signed by the CA; Left and Right trust each other's certificate because both are signed by the CA]
1-7-2 SSL/TLS
[Diagram: each side holds its own key pair (Priv, pub) and the other side's pub; Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → Transmission over the public network → Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text]
Ensures confidentiality
• And integrity if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Plots: throughput and rate of 3DES-CBC and AES-128-CBC, software cipher versus hardware cipher (marked "= HW Cipher"), for packet sizes 128 to 1280 bytes and 16 to 144 bytes]
1-8-3 Things to be noticed
The Moxa UC-7400 switches operation between the software and the hardware approach
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Packet layout: HMAC | IV | SeqN | IP payload; the SeqN and IP payload part is encrypted, and the whole is HMAC'd]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Diagram: the OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) of both ends; OpenVPN sits at the Application layer and the TUN device at the Network layer (3rd)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages: 1. Point-to-point 2. Easier to configure 3. Efficiency and scalability 4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages: 1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work 2. Routes must be set up linking each subnet 3. Software that depends on broadcasts will not see those machines on the other side of the VPN 4. Works only with IPv4 in general, and IPv6 in cases where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 : create an Ethernet bridge
brctl addif br0 eth1 : connect interface eth1 as a port
brctl addif br0 tap0 : connect virtual interface tap0 as a port
[Diagram: the OSI stacks of both ends; OpenVPN sits at the Application layer, the TAP device at the Data-Link layer (2nd) and is bridged with eth1 (Bridging); eth0 carries the tunnel between the two ends; each end has eth0, eth1 and tap0]
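The openvpn-bridge script that 3-1 and 3-3 call is not shown on the slides. As an added example, not Moxa's script, this is a minimal start/stop script that builds br0 from eth1 and tap0 with the brctl commands above and moves the LAN address (10.0.1.254 from the 3-3 slide) onto the bridge; the LAN port name, the netmask and the RUN dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example (not Moxa's openvpn-bridge script): build br0 from the LAN port
# and tap0 for TAP mode, and tear it down again. Assumptions: LAN port eth1
# (ixp1 on the UC-7400), bridge address 10.0.1.254/24 as on the 3-3 slide.
# RUN=echo ./openvpn-bridge start   prints the commands instead of running them.

RUN="${RUN:-}"
BR="br0"
TAP="tap0"
ETH="eth1"
BR_IP="10.0.1.254"
BR_MASK="255.255.255.0"

bridge_start() {
  # 1. create a persistent TAP device; OpenVPN then attaches to it instead of creating its own
  $RUN openvpn --mktun --dev "$TAP"
  # 2. create the bridge and enslave both ports (the TAP must exist before addif)
  $RUN brctl addbr "$BR"
  $RUN brctl addif "$BR" "$ETH"
  $RUN brctl addif "$BR" "$TAP"
  # 3. bridge ports carry no address of their own; promiscuous so the bridge sees every frame
  $RUN ifconfig "$ETH" 0.0.0.0 promisc up
  $RUN ifconfig "$TAP" 0.0.0.0 promisc up
  # 4. the LAN address moves onto the bridge, so kernel routing points at br0
  $RUN ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" up
}

bridge_stop() {
  $RUN ifconfig "$BR" down
  $RUN brctl delif "$BR" "$TAP"
  $RUN brctl delif "$BR" "$ETH"
  $RUN brctl delbr "$BR"
  $RUN openvpn --rmtun --dev "$TAP"
  # give the LAN port its address back
  $RUN ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" up
}

case "${1:-}" in
  start)   bridge_start ;;
  stop)    bridge_stop ;;
  restart) bridge_stop; bridge_start ;;
  "")      ;;                      # no argument: only define the functions
  *)       echo "usage: $0 {start|stop|restart}" >&2; exit 2 ;;
esac
```

Start OpenVPN with "dev tap0" in tapserver.conf only after the bridge is up, otherwise it creates its own unbridged TAP device.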
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages: 1. Point to point, point to multi-point 2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server 3. No route statements to configure 4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk 5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages: 1. Less efficient than routing and does not scale well
2-2-1 Filter Table2-2-1 Filter Table
Mainly used for filtering packets The place that we actually take action against packets
and look at what they contain and ACCEPT DROP REJECT LOG them depending on their content
1 INPUT chain ndash packets enter the local host
2 OUTPUT chainndash packets output from the local host
3 FORWARD chainndash forward packets to other hosts
2-2-2 NAT Table2-2-2 NAT Table
Be used for NAT on different packets
to translate the packets source field or destination field
1) PREROUTING chain ndash to transfer the dst IP address (DNAT)
2) POSTROUTING chainndash this works after routing process and before Ethernet device process to transfer the source IP address (SNATMASQUARED)
3) OUTPUT chainndash to work for local producing packets
2-2-3 Mangle Table2-2-3 Mangle Table
This table is mainly be used for
mangling packets In other words you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) and TTL fields It can also ldquoMARKrdquo the packets
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT OUTPUT and FORWARD chain
2-3 Processing Packets2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host2-3-1 Destination Local Host
2-3-1 Destination Local Host2-3-1 Destination Local Host
Incoming Packets
NAT Table PREROUTING
Local Process
Filter Table INPUT
2-3-2 Source Local Host2-3-2 Source Local Host
2-3-2 Source Local Host2-3-2 Source Local Host
NAT Table OUTPUT
Outgoing Packets
Filter Table OUPUT
NAT Table POSTROUTING
Send Out Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
NAT Table PREROUTING
Local Resource
NAT Table POSTROUTING
Other Hosts
Incoming Packets
Filter Table FORWARD
2-4 State Machine2-4 State Machine
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target.
3-3-2 Direction - Chains
a) filter table: INPUT, OUTPUT, FORWARD
b) nat table: PREROUTING, POSTROUTING, OUTPUT
c) mangle table: ...
3-3-3 Matches - Conditions
1) -p [proto]: tcp, udp, icmp, all
2) -s [IP], -d [IP]
3) --sport [port], --dport [port]
4) -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5) -m multiport --ports [p1,p2,...,p15] (or --sports / --dports)
6) -i [iface], -o [oface]
7) ... etc.
3-3-4 Targets - Actions
a) filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b) nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c) mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to maintain the Netfilter rules in a script file instead of using the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all packets incoming from the lo interface:
    iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all TCP packets incoming from IP 192.168.0.1:
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 3 - Accept all TCP packets incoming from the network 192.168.1.0/24:
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all TCP packets incoming from IP 192.168.1.25:
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Rules are checked in order and the first match wins: with Example 3 appended first, a packet from 192.168.1.25 is already accepted before the DROP of Example 4 is reached, so the narrower DROP must be placed (with -I, or by appending it first) before the broader ACCEPT.
4-1 Packet Filter - Rules of filter table
Example 5 - Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0):
    iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139:
    iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 7 - Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service):
    iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the target "LOG".
4-1 Packet Filter - Rules of filter table
Example 8 - Drop all [SYN] packets from IP 192.168.100.200:
    iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all packets from MAC aa:bb:cc:dd:ee:ff:
    iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping":
    iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Limit an ICMP "ping" burst:
    iptables -t filter -P INPUT DROP
    iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop INVALID packets and NEW packets that try to create a new connection:
    iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of filter table
Example 13 - Check the packet integrity:
    iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "passive mode" FTP service to a host:
    modprobe ip_conntrack_ftp
    iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of nat table
Example 1 - Redirect the connection requests for port 80 to port 8080:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets coming from 192.168.1.0/24 behind the local ppp0 IP:
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
(MASQUERADE, and the -o match it needs, are only valid in the POSTROUTING chain, as listed in 3-3-4.)
4-2 NAT Machine
Example 3 - DNAT the packets arriving on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10, port 80
Example 4 - Redirect the incoming packets for TCP port 80 to 192.168.1.10, TCP port 80
    iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
    iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
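The rules of 3-2 through 4-2 gathered into one maintained script, as 3-4 recommends over the exported file. This is an added example, not a Moxa script: the interface roles (eth0 outside, eth1 inside), the SSH rule and the log prefix are assumptions, while the addresses are those of the DNAT example above. `dry-run` prints the iptables commands instead of executing them, which is how a rule set should be reviewed before it is applied to a box that is reachable only over the network.

```shell
#!/bin/sh
# Added example, not a Moxa script: a maintainable Netfilter rule script for
# the UC-7400 (section 3-4 recommends a script over an iptables-save dump).
# Addresses reuse the deck's NAT example; interface names are assumptions.
IPT="${IPT:-iptables}"          # set IPT="echo iptables" for a dry run
WAN_IF="${WAN_IF:-eth0}"        # assumed: eth0 faces the Internet
LAN_IF="${LAN_IF:-eth1}"        # assumed: eth1 faces the internal LAN
LAN_NET="${LAN_NET:-192.168.127.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.127.10}"
OUT_IP="${OUT_IP:-60.248.66.75}"

fw_flush() {
    # Clear every table ("Clear Current Policy" in 3-1) before rebuilding.
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

fw_policy() {
    # 3-2: default deny for traffic to and through the box; outbound allowed.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

fw_input() {
    # Order matters: rules are checked top to bottom and the first match wins.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Management (SSH) only from the LAN side (assumed rule)
    $IPT -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 22 -m state --state NEW -j ACCEPT
    # Echo requests accepted at a bounded rate (example 11), the rest dropped
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 8 -j DROP
    # Log what the default policy is about to drop, rate-limited so that a
    # flood cannot fill the flash with log lines (UC-7110 has no LOG target)
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-INPUT-DROP: "
}

fw_forward() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # From outside, only the published web server port is reachable
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

fw_nat() {
    # Section 4-2: DNAT the public address to the internal server, SNAT the LAN
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$OUT_IP"
}

fw_apply() {
    fw_flush && fw_policy && fw_input && fw_forward && fw_nat
}

# Print the rule set that would be installed, without touching the kernel.
fw_dry_run() {
    ( IPT="echo iptables"; fw_apply )
}

# Number of rules appended to one chain in the dry run (used for checks).
fw_count_chain() {
    fw_dry_run | grep -c -- "-A $1 "
}

# Usage: sh firewall.sh apply   (as root)   |   sh firewall.sh dry-run
case "${1:-}" in
    apply)   fw_apply ;;
    dry-run) fw_dry_run ;;
esac
```

The script keeps the state rules ahead of the per-service rules so that established flows never hit the slower matches, and it puts the rate-limited LOG last, right before the DROP policy, so only rejected traffic is logged.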
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can learn what you transfer, even when listening to the whole conversation
Integrity
- Ensure that the message has not been modified during transmission
Authenticity
- You can verify that you are talking to the entity you think you are talking to
- You can verify which specific individual is behind that entity
Non-repudiation
- The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
- Fast, high efficiency for data transmission
- Is it "secure" while transferring the key?
- Key maintenance: n(n-1)/2 keys for n parties
- DES/3DES/AES/Blowfish
[Figure: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts the ciphertext with the same secret key to recover the plaintext.]
1-3 Hash (Digest) Function
- Ensure data integrity
- MD5/SHA-1
[Figure: Tom runs the data through a hash function to obtain Message Digest 1 and sends data + digest; Bob runs the received data through the same hash function to obtain Message Digest 2 and compares it with Message Digest 1.]
1-4 Message Authentication Code
- Ensure data integrity
- Use a key to protect the MAC
- HMAC/CBC-MAC
[Figure: Tom hashes the data to Message Digest 1 and encrypts it with the secret key to form the MAC, sending data + MAC; Bob hashes the received data to Message Digest 2, decrypts the MAC with the secret key to recover Message Digest 1 and compares the two.]
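The two checks drawn in 1-3 and 1-4, as an added shell example that is not part of the Moxa deck: a plain digest lets Bob detect accidental corruption, but anyone able to change the data can recompute it, so only the keyed MAC tells Bob that the data was produced by a holder of the secret. The key, the messages and the choice of SHA-256 (the deck lists MD5/SHA-1) are constructed; the script needs sha256sum and the openssl command line.

```shell
#!/bin/sh
# Added example (not from the Moxa deck): a bare digest gives integrity
# against accidents only, while a keyed MAC also gives authenticity.
# Needs sha256sum (coreutils) and openssl for the HMAC.

# Plain digest of a message, as in section 1-3.
digest() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Keyed MAC (HMAC-SHA256) of a message, as in section 1-4.
hmac() {   # $1 = key, $2 = message
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | sed 's/^.*= //'
}

# Bob's side: recompute and compare, as the figures show.
verify_digest() {   # $1 = message, $2 = digest received with it
    [ "$(digest "$1")" = "$2" ] && echo ok || echo tampered
}
verify_hmac() {     # $1 = key, $2 = message, $3 = MAC received with it
    [ "$(hmac "$1" "$2")" = "$3" ] && echo ok || echo tampered
}

# Constructed scenario: Tom sends a control command to the UC and a
# third party on the path rewrites it before Bob receives it.
KEY='constructed-shared-secret'            # known to Tom and Bob only
MSG='set relay DO3 OFF'
ALTERED='set relay DO3 ON'

demo_digest_forged() {
    # The altered message arrives with a freshly computed digest: Bob's
    # check passes, so a digest by itself proves nothing about the origin.
    verify_digest "$ALTERED" "$(digest "$ALTERED")"
}
demo_hmac_forged() {
    # Without KEY the MAC cannot be recomputed, so Tom's original MAC no
    # longer matches the altered message and Bob rejects it.
    verify_hmac "$KEY" "$ALTERED" "$(hmac "$KEY" "$MSG")"
}
demo_hmac_genuine() {
    # The unmodified message with Tom's MAC is accepted.
    verify_hmac "$KEY" "$MSG" "$(hmac "$KEY" "$MSG")"
}
```

This is also why OpenVPN (2-2 below) attaches an HMAC to every packet rather than a plain digest: the receiver must know that the packet came from the peer holding the key, not merely that it arrived unchanged.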
1-5 Asymmetric Encryption
Things to remember:
- Key pair - public/private keys
- In a session, one is used for encryption and the other one for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
- The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
- Less efficient than a static (symmetric) key
- RSA/Diffie-Hellman
[Figure: clear text encrypted into cipher text.]
1-5 Asymmetric Data Encryption - Confidentiality Check
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair).]
1-5 Asymmetric Data Encryption - Authenticity Check
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair).]
1-6 Digital Signature
Real world - hybrid:
1) Data integrity
2) Authenticity
3) Non-repudiation
4) Algorithm - uses the public key and a hash
1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) into a short message digest (typically 128 bits): a short digest is calculated even from a long input using a one-way message digest function. The digest is encrypted asymmetrically (RSA) with the signatory's private key to produce the digital signature, which is attached to the document to form the signed document.]
1-6 Digital Signature - Verifying
[Figure: the verifier hashes the received document to obtain a message digest, decrypts the digital signature asymmetrically with Gianni's public key (from the certificate) to recover the signed digest, and compares the two.]
1-6 Digital Signature
[Figure: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to form the digital signature; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1 and compares the two.]
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key (it can be a person, a computer, a device, a file, some code, anything ...)
... and the whole is:
- Digitally signed by someone trusted (like your friend or a CA)
[Figure: the certificate binds "This public key belongs to Stephen" to the public key, with the digital signature appended.]
1-7-1 CA Certificate
[Figure: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user. Left cert signed by CA; right cert signed by CA; CA public key signed by the CA itself.]
1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key. Left and Right each hold their own private key, a certificate signed by the CA and the CA public key; both trust the CA, so each can verify the other's certificate against the CA public key.]
1-7-2 SSL/TLS
[Figure: each side holds a key pair; clear text is encrypted (Cipher 1, then Cipher 2), transmitted over the public network, then decrypted in the reverse order back to clear text.]
- Ensures confidentiality
- And integrity, if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four charts of rate versus packet size for 3DES-CBC and AES-128-CBC, one pair over 128 to 1280 bytes and one pair over 16 to 144 bytes, software versus hardware cipher (marked "= HW Cipher").]
1-8-3 Things to be noticed
Moxa UC-7400 switches operation between the software and the hardware approaches:
- Default: hardware approach
- Any mis-configuration or a busy engine causes the switch
Small packets are switched to the software approach:
- DES: 128 bytes
- 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
- mxhw_cipher.o
Device file:
- mknod /dev/mxcrypto c 11 131
Test program:
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
- VPN: a network constructed by using public wires (e.g. the Internet) to connect nodes
- A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.)
- A VPN allows the use of protocols which are insecure by themselves
- VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
- Uses the kernel routing
- Multiple clients
A user-space program
- A full-featured SSL-VPN solution
- On top of the existing SSL/TLS mechanism
- A choice among a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
- Static key: uses a pre-shared key
- SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number
- IV: plain-text initialization vector, randomized per packet
[Figure: HMAC | IV | SeqN | IP payload, where SeqN and the IP payload are encrypted and the HMAC is computed over the IV and the encrypted part.]
2-2 OpenVPN vs IPSec
OpenVPN
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
- Uses a TUN device: a virtual point-to-point IP link that joins the inner interface with TUN
- Uses the kernel routing to forward the packets
[Figure: the OSI stacks of both peers (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer and the TUN device attaches at the network layer (3rd).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1) Point-to-point
2) Easier to configure
3) Efficiency and scalability
4) Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1) Clients must use a WINS server (such as Samba) for cross-VPN network browsing to work
2) Routes must be set up linking each subnet
3) Software that depends on broadcasts will not see the machines on the other side of the VPN
4) Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
- Bridge tools (brctl) are required to create the bridge
- A script is needed to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
    brctl addbr br0          # create an Ethernet bridge
    brctl addif br0 eth1     # connect interface eth1 as a port
    brctl addif br0 tap0     # connect virtual interface tap0 as a port
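A complete start/stop script of the kind the slide says is needed, as an added example; it is not Moxa's openvpn-bridge script. The interface names, the bridge address 10.0.1.254 (taken from the lab diagram in 3-1) and the use of openvpn --mktun to pre-create a persistent tap0 are assumptions; RUN=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not Moxa's openvpn-bridge script): start/stop a bridge that
# joins the LAN port eth1 and the OpenVPN tap0 device into br0, as section
# 2-3-2 describes. Interface names and the bridge address are assumptions.
# Set RUN="echo" to print the commands instead of executing them.
RUN="${RUN:-}"
BR="${BR:-br0}"
ETH="${ETH:-eth1}"
TAP="${TAP:-tap0}"
BR_IP="${BR_IP:-10.0.1.254}"          # assumed: LAN A gateway from the 3-1 diagram
BR_MASK="${BR_MASK:-255.255.255.0}"

bridge_start() {
    $RUN openvpn --mktun --dev "$TAP"      # create a persistent TAP device
    $RUN brctl addbr "$BR"                 # create the bridge
    $RUN brctl addif "$BR" "$ETH"          # LAN port becomes a bridge port
    $RUN brctl addif "$BR" "$TAP"          # TAP device becomes a bridge port
    # Bridge ports carry no address of their own; the bridge gets the LAN address.
    $RUN ifconfig "$TAP" 0.0.0.0 promisc up
    $RUN ifconfig "$ETH" 0.0.0.0 promisc up
    $RUN ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" up
}

bridge_stop() {
    $RUN ifconfig "$BR" down
    $RUN brctl delif "$BR" "$TAP"
    $RUN brctl delif "$BR" "$ETH"
    $RUN brctl delbr "$BR"
    $RUN openvpn --rmtun --dev "$TAP"
    # Give the LAN address back to the physical port
    $RUN ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" up
}

# Number of bridge ports a dry run of bridge_start adds (used for checks).
bridge_port_count() {
    ( RUN="echo"; bridge_start ) | grep -c '^brctl addif '
}

# Usage: sh openvpn-bridge.sh start | stop | restart   (as root)
case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
esac
```

Creating tap0 as a persistent device before OpenVPN starts lets the bridge exist independently of the daemon, so a restart of OpenVPN does not tear the LAN bridge down; stopping in the reverse order returns the address to eth1 so the box stays reachable.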
[Figure: the OSI stacks of both peers (Physical through Application); OpenVPN runs at the application layer, TUN attaches at the network layer (3rd) and TAP at the data-link layer (2nd); on each side eth0, eth1 and tap0 are shown with eth1 and tap0 bridged.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1) Point-to-point and point-to-multipoint
2) Broadcasts traverse the VPN - this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3) No route statements to configure
4) Works when the VPN needs to handle non-IP protocols such as IPX, Netware and AppleTalk
5) Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1) Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (host IP 10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201. LAN B (host IP 10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The VPN client connects to the VPN server to build the VPN tunnel; a CA/TLS server is also present.]
3-1 Getting Started
- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
- Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
- Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
- Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tunserver.conf; [at VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
- The local/remote VPN IP addresses must be specified
- It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
- Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
- [At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
- Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf & ; openvpn --config /etc/tunclient.conf &
- The 2nd argument of "ifconfig" is now "10.0.2.254"
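A matching static-key TUN server/client pair for the 3-1 topology, plus the check for the directives this section calls mandatory, as an added example; these are not the deck's own configuration files. The addresses follow the lab diagram (server ixp0 192.168.12.201, tunnel ends 10.0.1.254 and 10.0.2.254, LANs 10.0.1.0/24 and 10.0.2.0/24); the key path, the port, the keepalive values and the unprivileged user/group are assumptions.

```shell
#!/bin/sh
# Added example, not the deck's configuration files: writes a static-key TUN
# server/client pair for the 3-1 lab and checks the directives 3-2 requires.
# Addresses follow the lab diagram; key path, port, keepalive values and the
# unprivileged account are assumptions (adjust to accounts present on the box).
DIR="${DIR:-/etc/openvpn}"
SERVER_ADDR="${SERVER_ADDR:-192.168.12.201}"

write_tun_configs() {   # $1 = directory to write into
    mkdir -p "$1"
    cat > "$1/tunserver.conf" <<EOF
dev tun
proto udp
port 1194
ifconfig 10.0.1.254 10.0.2.254
secret $1/static.key
route 10.0.2.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
    cat > "$1/tunclient.conf" <<EOF
dev tun
proto udp
remote $SERVER_ADDR 1194
ifconfig 10.0.2.254 10.0.1.254
secret $1/static.key
route 10.0.1.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# Returns 0 when every directive 3-2 marks as required is present; otherwise
# reports the missing ones on stderr and returns 1.
check_tun_config() {   # $1 = file, $2 = server|client
    missing=""
    for d in dev ifconfig secret; do
        grep -q "^$d " "$1" || missing="$missing $d"
    done
    if [ "$2" = "client" ]; then
        grep -q "^remote " "$1" || missing="$missing remote"
    fi
    [ -z "$missing" ] && return 0
    echo "$1: missing$missing" >&2
    return 1
}

# Dry run into a temporary directory; prints "ok" when both files pass.
demo_tun_configs() {
    tmp=$(mktemp -d)
    write_tun_configs "$tmp"
    if check_tun_config "$tmp/tunserver.conf" server \
       && check_tun_config "$tmp/tunclient.conf" client; then
        echo ok
    else
        echo bad
    fi
    rm -rf "$tmp"
}

# Usage on the box: DIR=/etc/openvpn; write_tun_configs "$DIR"; then
# openvpn --config "$DIR/tunserver.conf" &  (and the client file on the peer)
```

The two ifconfig lines are mirror images of each other, the route on each side points at the other LAN through the tunnel, and the same static.key (from openvpn --genkey in 3-1) must be copied to both ends over a trusted channel; persist-key and persist-tun let the daemon drop to the unprivileged account and still survive a restart of the link.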
3-3 TAP Configuration
- Create the TAP configuration files: vi /etc/openvpn/tapserver.conf; [at VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
- Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
- Edit the static routes: vi /etc/openvpn/tunserver.sh
- [At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
- Pointed at the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & ; openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits ... etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
- Certificate signing: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client
- Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars
- Activate the vars: . /etc/openvpn/easy-rsa/vars
- Create the CA root key: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
- Create the VPN client private key and certificate: /etc/openvpn/build-key client
- Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
- Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
- Copy the CA certificate, the client key and the client certificate to the VPN client
- The "easy-rsa" tools also work on the UC7400 series
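What the CA and easy-rsa steps of 3-4-1 and 3-4-2 do, written out with plain openssl commands so that each role from 1-7 is visible, as an added example (it is neither the CA script, easy-rsa, nor Moxa's procedure): a self-signed CA, a server and a client certificate signed by it, and the check a VPN peer performs against the CA certificate, including the rejection of a certificate issued by some other CA. Names, key sizes and lifetimes are constructed values; the script needs the openssl command line.

```shell
#!/bin/sh
# Added example (not easy-rsa, not the CA script, not Moxa's procedure): the
# three PKI steps of 3-4 done with openssl, then the verification an OpenVPN
# peer performs. Subject names, key sizes and lifetimes are constructed.
build_pki() {   # $1 = output directory
    d="$1"; mkdir -p "$d"
    # 1) CA root key pair and self-signed CA certificate (build-ca / CA -newca)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Constructed-Lab-CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    # 2) For each peer: private key + certificate request, then the CA signs
    #    it (build-key server / build-key client; CA -newreq / CA -sign)
    for name in server client; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
        openssl x509 -req -sha256 -days 365 \
            -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -out "$d/$name.crt" >/dev/null 2>&1
    done
    # Only ca.crt and the peer's own key/cert leave this directory; ca.key
    # stays on the CA machine (the deck's "CA/TLS server").
}

# What an OpenVPN peer checks with its copy of ca.crt: is this certificate
# signed by our CA? Prints "trusted" or "untrusted".
verify_cert() {   # $1 = CA certificate, $2 = certificate to check
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Builds two independent CAs and shows that certificates from the second
# one are rejected by peers holding only the first CA's certificate.
demo_pki() {
    tmp=$(mktemp -d)
    build_pki "$tmp/lab"
    build_pki "$tmp/other"
    r1=$(verify_cert "$tmp/lab/ca.crt" "$tmp/lab/server.crt")
    r2=$(verify_cert "$tmp/lab/ca.crt" "$tmp/lab/client.crt")
    r3=$(verify_cert "$tmp/lab/ca.crt" "$tmp/other/client.crt")
    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}
```

This is the property the 1-7-1 example relies on: Left and Right never exchange keys directly, each only needs the CA certificate plus its own key and certificate, and a certificate from an unrelated CA fails the check even though it is well-formed.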
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
- Two of its serial ports are connected to a power meter and a thermocouple
- Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
- The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
- Temperature range: 0 to 500°C
- Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
- F1: Monitoring - Temperature → Voltage → Throughput for P3 to P8
- F2: System Status - LAN's IP → Wi-Fi's IP → CPU loading → Available memory
- F3: Alarm Setting - Temperature → Voltage → Burn-in throughput
- F4: Configuration key
- F5: Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
- The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
- The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others which use the R-Link chipset
Thank You
2-2-2 NAT Table2-2-2 NAT Table
Be used for NAT on different packets
to translate the packets source field or destination field
1) PREROUTING chain ndash to transfer the dst IP address (DNAT)
2) POSTROUTING chainndash this works after routing process and before Ethernet device process to transfer the source IP address (SNATMASQUARED)
3) OUTPUT chainndash to work for local producing packets
2-2-3 Mangle Table2-2-3 Mangle Table
This table is mainly be used for
mangling packets In other words you may freely use the mangle matches etc that could be used to change TOS (Type Of Service) and TTL fields It can also ldquoMARKrdquo the packets
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT OUTPUT and FORWARD chain
2-3 Processing Packets2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host2-3-1 Destination Local Host
2-3-1 Destination Local Host2-3-1 Destination Local Host
Incoming Packets
NAT Table PREROUTING
Local Process
Filter Table INPUT
2-3-2 Source Local Host2-3-2 Source Local Host
2-3-2 Source Local Host2-3-2 Source Local Host
NAT Table OUTPUT
Outgoing Packets
Filter Table OUPUT
NAT Table POSTROUTING
Send Out Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
NAT Table PREROUTING
Local Resource
NAT Table POSTROUTING
Other Hosts
Incoming Packets
Filter Table FORWARD
2-4 State Machine2-4 State Machine
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
3) Usage of iptables3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save Restore Rules
3-1 Load iptables Modules3-1 Load iptables Modules
Note ipchains and iptables are not compatible
3-1 Load iptables Module3-1 Load iptables Module
Check the Current Tablesiptables [-t tables] [-L] [-n]
Default Policy
3-1 Install iptables3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy3-2 Define Default Policy
iptables ndasht filter nat mangle
ndashP INPUT OUTPUT FORWARD PREROUTING POSTROUTING
ACCEPT DROP
3-2 Define Default Policy3-2 Define Default Policy
3-3 Structure of a Rule3-3 Structure of a Rule
3-3-1 Add Insert Delete an Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add Insert Delete and Replace3-3-1 Add Insert Delete and Replace
iptables ndasht filter nat mangle
AI DR
ndash direction match target
3 major things needed
to be considered
ndashj
3-3-2 Direction ndash Chains3-3-2 Direction ndash Chains
a filter Table INPUT
OUTPUT
FORWARD
b nat Table PREROUTING
POSTROUTING
OUTPUT
c mangle table hellip
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Accept all the packets incoming from lo interface
Example 2 ndash Accept all the TCP packets incoming from
IP = 19216801
iptables ndasht filter ndashA INPUT ndashi lo ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 19216801 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 3 ndash Accept all the TCP packets incoming from the network
1921681024
Example 4 ndash Drop all the TCP packets incoming from IP = 192168125
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 1921681024 -j ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 192168125 ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 5 ndash Drop all the Incoming TCP packets with dst Port = 21
(forbid FTP Connection from eth0)
Example 6 ndash Accept TCP packets incoming from IP 192168024 to
local port number 137138 and 139
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndash ndashdport 21 ndashj DROP
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp ndashs
192168024 ndash ndashdport 137139 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: (n-1)n/2 keys for n parties
• DES / 3DES / AES / Blowfish
[Diagram: Tom – Plaintext → Encryption (Secret Key) → Ciphertext → Decryption (Secret Key) → Plaintext – Bob]
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5 / SHA-1
[Diagram: Tom – Data → Hash Function → Message Digest 1; Tom sends Data + Message Digest 1; Bob – Data → same Hash Function → Message Digest 2; compare Message Digest 1 with Message Digest 2]
1-4 Message Authentication Code
• Ensure data integrity
• Use a key to protect the MAC
• HMAC / CBC-MAC
[Diagram: Tom – Data → Hash Function → Message Digest 1 → Encryption with the Secret Key → MAC; Tom sends MAC + Data; Bob – Data → Hash Function → Message Digest 2; MAC → Decryption with the Secret Key → Message Digest 1; compare]
1-5 Asymmetric Encryption
Things to remember
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key, and when a key pair is generated either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA / Diffie-Hellman
[Diagram: Clear text → Encryption → cipher text such as "g$5knvMd'rk" / "vegMs"]
1-5 Asymmetric Data Encryption
[Diagram, Confidentiality check: Tom – Plaintext → Encryption with Bob's Public Key → ciphertext → Decryption with Bob's Private Key → Plaintext – Bob; uses the Recipient's key pair]
1-5 Asymmetric Data Encryption
[Diagram, Authenticity check: Tom – Plaintext → Encryption with Tom's Private Key → ciphertext → Decryption with Tom's Public Key → Plaintext – Bob; uses the Sender's key pair]
1-6 Digital Signature
Real world – Hybrid
1 Data integrity
2 Authenticity
3 Non-repudiation
4 Algorithm – use the public key and a hash
1-6 Digital Signature - Creating
[Diagram: Message or File "This is the document created by Gianni" → Generate Hash (SHA, MD5) → Message Digest "Py75cbn" (typically 128 bits) → Asymmetric Encryption (RSA) with the Signatory's private key → Digital Signature "3kJfgf£$&"; the Signed Document is the message plus the Digital Signature]
Calculate a short message digest from even a long input using a one-way message digest function (hash).
1-6 Digital Signature - Verifying
[Diagram: Signed Document = message "This is the document created by Gianni" + Digital Signature "3kJfgf£$&"; message → Generate Hash → Message Digest "Py75cbn"; Digital Signature → Asymmetric Decryption with Gianni's public key (from certificate) → "Py75cbn"; compare the two]
1-6 Digital Signature
[Diagram: Tom – Data → Hash Function → Message Digest 1 → Encryption with Tom's Private Key → Digital Signature; Tom sends Data + Digital Signature; Bob – Data → Hash Function → Message Digest 2; Digital Signature → Decryption with Tom's Public Key → Message Digest 1; compare]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: Certificate = public key "2wsR46frdEWWrswe(^$G^DvtrsdFDfd367" + "This public key belongs to Stephen" + Digital Signature "3kJfgf£$&4dser4358g6gd7dT"; the entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Diagram: Certification Server – the CA generates a key pair (Priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert); the private key and the certificate are sent to the user. Left Cert signed by CA; Right Cert signed by CA; CA pub key signed by CA]
1-7-1 CA Certificate Example
[Diagram: CA private key; Left holds its Priv Key, its Cert signed by CA and the CA Pub Key; Right holds its Priv Key, its Cert signed by CA and the CA Pub Key; Left and Right trust each other through the CA Pub Key]
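The digest, MAC, signature and certificate steps of 1-3, 1-4, 1-6 and 1-7 carried through in code, as an added example that is not part of the original slides: SHA-256 stands in for the slides' MD5/SHA-1, HMAC-SHA256 for the keyed MAC, and the RSA key pairs are constructed from small well-known primes with no padding, a toy that illustrates "hash, then transform with the private key" and is not a usable RSA implementation (on the UC-7400 OpenSSL does the real work). Stephen, Gianni and the CA are the slides' own names; every function name is an assumption.

```python
"""Digest, MAC, toy RSA signature and a minimal certificate, following sections 1-3 to 1-7."""
import hashlib
import hmac


# --- 1-3 Hash (digest) function: integrity, no key ---------------------------
def digest(data: bytes) -> bytes:
    """Message Digest of the data (SHA-256 stands in for the slides' MD5/SHA-1)."""
    return hashlib.sha256(data).digest()


def digest_matches(data: bytes, received: bytes) -> bool:
    """Bob's side: recompute Message Digest 2 and compare it with Message Digest 1."""
    return hmac.compare_digest(digest(data), received)


# --- 1-4 Message Authentication Code: integrity under a shared secret key ----
def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_matches(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


# --- 1-5/1-6 Toy RSA: "hash, then transform with the private key" -----------
def toy_keypair(p: int, q: int, e: int = 65537):
    """Constructed, insecure key pair from two given primes, no padding. Demo only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (n, e), (n, d)               # (public key, private key)


# Well-known Mersenne primes keep the numbers readable; real keys are 2048+ bits.
CA_PUB, CA_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)
STEPHEN_PUB, STEPHEN_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)


def sign(private_key, data: bytes) -> int:
    """Message Digest 1 transformed with the signatory's private key = Digital Signature."""
    n, d = private_key
    h = int.from_bytes(digest(data), "big") % n
    return pow(h, d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Undo the signature with the public key and compare with a fresh Message Digest 2."""
    n, e = public_key
    h = int.from_bytes(digest(data), "big") % n
    return pow(signature, e, n) == h


# --- 1-7 Certificate: (public key + identity) signed by someone trusted -------
def cert_body(subject: str, subject_pub) -> bytes:
    n, e = subject_pub
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca_private, subject: str, subject_pub) -> dict:
    """The CA's digital signature binds the subject name to the subject's public key."""
    body = cert_body(subject, subject_pub)
    return {"subject": subject, "pub": subject_pub, "sig": sign(ca_private, body)}


def certificate_valid(ca_public, cert: dict) -> bool:
    """Anyone holding the CA public key can check the binding without contacting the CA."""
    return verify(ca_public, cert_body(cert["subject"], cert["pub"]), cert["sig"])
```

The three checks compose exactly as the diagrams do: a digest alone detects accidental change, the MAC adds a shared secret so a third party cannot recompute it, and the signature replaces the shared secret with a key pair so the verifier needs only the public key, which the certificate in turn vouches for through the CA's own signature.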
1-7-2 SSL/TLS
[Diagram: a key pair (Priv, pub) on each side; Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → Transmission over the public network → Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Chart residue: four panels comparing the software cipher with the hardware cipher ("= HW Cipher" legend) – 3DES-CBC and AES-128-CBC throughput ("RATE", left axis 0–80, right axis 0–8) against packet size, one pair of panels over 128–1280 bytes in steps of 128 and one pair over 16–144 bytes]
1-8-3 Things to be noticed
Moxa UC-7400 switches operation between the software and the hardware approaches
• Default: hardware approach
• Any misconfiguration, or the engine being busy, causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• VPNs encrypt all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• VPNs allow the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for
  • authentication
  • key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Packet layout: HMAC | IV | encrypt( SeqN | IP payload ); the HMAC is computed over the IV and the encrypted part]
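The packet layout above in code, as an added example that is not taken from OpenVPN's sources: the sequence number is prepended to the payload, the pair is encrypted under a fresh per-packet IV, and the HMAC is computed over the IV and the ciphertext so the receiver can authenticate before it decrypts and can reject a replayed sequence number. The stream cipher is a constructed SHA-256 counter keystream standing in for the real block cipher, and the anti-replay check is simplified to "the sequence number must advance" rather than OpenVPN's sliding window; the Sender and Receiver classes and their method names are assumptions.

```python
"""Encrypt-then-MAC packet with a sequence number, following the layout in 2-2."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32   # HMAC-SHA256
IV_LEN = 16
SEQ_LEN = 8    # 64-bit SeqN


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Constructed toy stream cipher (SHA-256 in counter mode); stands in for the real block cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def wrap(self, payload: bytes) -> bytes:
        """HMAC | IV | encrypt( SeqN | payload ): IV random per packet, SeqN counting up."""
        self.seq += 1
        iv = os.urandom(IV_LEN)
        plain = struct.pack(">Q", self.seq) + payload
        cipher = _xor(plain, _keystream(self.enc_key, iv, len(plain)))
        tag = hmac.new(self.mac_key, iv + cipher, hashlib.sha256).digest()
        return tag + iv + cipher


class Receiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, 0
        self.rejected = []          # reasons, in order, for every dropped packet

    def unwrap(self, packet: bytes):
        """Return the payload, or None (and record why) for a forged, damaged or replayed packet."""
        if len(packet) < TAG_LEN + IV_LEN + SEQ_LEN:
            self.rejected.append("short")
            return None
        tag = packet[:TAG_LEN]
        iv = packet[TAG_LEN:TAG_LEN + IV_LEN]
        cipher = packet[TAG_LEN + IV_LEN:]
        # Authenticate first: a bad HMAC is dropped before any decryption or state change.
        expected = hmac.new(self.mac_key, iv + cipher, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.rejected.append("bad-hmac")
            return None
        plain = _xor(cipher, _keystream(self.enc_key, iv, len(cipher)))
        seq = struct.unpack(">Q", plain[:SEQ_LEN])[0]
        # Anti-replay, simplified to "SeqN must advance" (OpenVPN keeps a sliding window).
        if seq <= self.last_seq:
            self.rejected.append("replay")
            return None
        self.last_seq = seq
        return plain[SEQ_LEN:]
```

Checking the HMAC before touching the cipher is what keeps a tampered or forged datagram from costing more than one hash, and the sequence number only means something because it sits inside the authenticated, encrypted part: an attacker can neither read nor rewrite it.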
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN sits at the Application layer and the TUN device at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see the machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: two OSI stacks; OpenVPN at the Application layer, TUN at layer 3, TAP at layer 2; on each host eth0 is the uplink and eth1 and tap0 are bridged]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point-to-point, point-to-multipoint
2 Broadcasts traverse the VPN – this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to be able to handle non-IP protocols such as IPX (NetWare) and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Network diagram: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) – [VPN Server] ixp1 = 10.0.1.254, ixp0 = 192.168.12.201 – VPN Tunnel (the client connects to the server) – [VPN-Client] ixp0 = 192.168.12.202, ixp1 = 10.0.2.254 – LAN B (IP 10.0.2.1/24, gw 10.0.2.254); a separate [CA/TLS Server] host]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tun/server.conf
• [At VPN Client] vi /etc/openvpn/tun/client.conf
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routings: vi /etc/openvpn/tun/server.sh; chmod +x /etc/openvpn/tun/server.sh
• [At VPN Client] vi /etc/openvpn/tun/client.sh; chmod +x /etc/openvpn/tun/client.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun/server.conf &; [At VPN Client] openvpn --config /etc/openvpn/tun/client.conf &
• The 2nd argument of "ifconfig", which is now "10.0.2.254"
• Create the TAP configuration files: vi /etc/openvpn/tap/server.conf
• [At VPN Client] vi /etc/openvpn/tap/client.conf
3-3 TAP Configuration – VPN Server
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routings: vi /etc/openvpn/tun/server.sh
• [At VPN Client] vi /etc/openvpn/tap/client.sh; chmod +x /etc/openvpn/tap/client.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap/server.conf &; [At VPN Client] openvpn --config /etc/openvpn/tap/client.conf &
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits … etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txx/server.conf
txx/client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1: Monitoring – Temperature → Voltage → Throughput for P3 to P8
• F2: System Status – LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3: Alarm Setting – Temperature → Voltage → Burn-in throughput
• F4: Configuration key
• F5: Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier – Model name
ASUS – WL-107g
CNET – CWC-854 (181D version)
Edimax – EW-7108PCg
Amigo – AWP-914WG
Gigabyte – GN-WMKG
Others which use the Ralink chipset
Thank You
2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches etc. that can change the TOS (Type Of Service) and TTL fields. It can also "MARK" the packets.
1 PREROUTING chain
2 POSTROUTING chain
3 INPUT, OUTPUT and FORWARD chains
2-3 Processing Packets
2-3-1 Destination Local Host
2-3-2 Source Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination Local Host
[Flow: Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process]
2-3-2 Source Local Host
[Flow: Local Process → Outgoing Packets → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets]
2-3-3 Forwarded Packets
[Flow: Incoming Packets → NAT Table PREROUTING → routing decision (Local Resource or Other Hosts) → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Modules
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R [direction] [match] -j [target]
3 major things need to be considered: direction, match, target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches - Conditions
1 -p [proto]: tcp | udp | icmp | all
2 -s [IP], -d [IP]
3 --sport [port], --dport [port]
4 -m state --state [state]: NEW | ESTABLISHED | INVALID | RELATED
5 -m multiport --sports|--dports [p1,p2,…,p15]
6 -i [iface], -o [oface]
7 … etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
(Rules are appended in order with -A and the first match wins: appended after Example 3, Example 4 never matches a packet from 192.168.1.25. Insert the exception with -I, or append it before the network-wide ACCEPT, to make it effective.)
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept the TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 7 – Log all the incoming/outgoing TCP packets with to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter – Rules of filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
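To make the first-match semantics of a chain visible without root or a kernel, here is an added Python model of the filter table's INPUT chain; it is not part of the slides and not the iptables program. Each rule carries the matches from 3-3-3, the chain walks its rules in order, the first match decides the verdict, and the policy from 3-2 applies when nothing matches, which shows why Example 4 appended after Example 3 never fires and how the burst of Example 11 runs out. The -m limit match is modelled as a token bucket with a manual refill instead of a clock; the Packet, Rule and Chain names and the sample packets are constructed for this example.

```python
"""Toy model of a netfilter filter chain: rules in order, first match wins, else the policy."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Fields an INPUT-chain rule can look at (sample packets are constructed from these)."""
    iface: str
    proto: str                 # "tcp" | "udp" | "icmp"
    src: str
    dport: int = 0
    state: str = "NEW"         # conntrack state: NEW | ESTABLISHED | RELATED | INVALID
    syn: bool = False
    icmp_type: int = -1


@dataclass
class Rule:
    """One iptables rule: the matches of 3-3-3 plus a -j target."""
    target: str
    iface: str = None          # -i
    proto: str = None          # -p
    src: str = None            # -s, "a.b.c.d" or "a.b.c.d/nn"
    dports: tuple = None       # --dport lo:hi
    states: frozenset = None   # -m state --state
    syn: bool = None           # --syn
    icmp_type: int = None      # --icmp-type
    limit: tuple = None        # -m limit (tokens per refill, burst), a token bucket
    tokens: int = field(default=0, init=False)

    def __post_init__(self):
        if self.limit:
            self.tokens = self.limit[1]          # the bucket starts full (--limit-burst)

    def refill(self):
        """Simulate time passing: add --limit tokens, capped at the burst."""
        rate, burst = self.limit
        self.tokens = min(burst, self.tokens + rate)

    def matches(self, pkt):
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto not in (None, "all") and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dports is not None and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.limit is not None:
            if self.tokens < 1:
                return False                     # bucket empty: the limit match fails
            self.tokens -= 1
        return True


class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []     # -P

    def append(self, rule):                      # -A
        self.rules.append(rule)

    def insert(self, rule):                      # -I (at the head)
        self.rules.insert(0, rule)

    def verdict(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target               # first match wins
        return self.policy                       # nothing matched: the policy decides


def ordering_demo():
    """Examples 3 and 4: appended with -A the DROP never fires; inserted with -I it does."""
    def build(insert_drop):
        chain = Chain("ACCEPT")
        chain.append(Rule("ACCEPT", iface="eth0", proto="tcp", src="192.168.1.0/24"))
        drop = Rule("DROP", iface="eth0", proto="tcp", src="192.168.1.25")
        if insert_drop:
            chain.insert(drop)
        else:
            chain.append(drop)
        return chain
    pkt = Packet("eth0", "tcp", "192.168.1.25", dport=22)
    return build(False).verdict(pkt), build(True).verdict(pkt)


def hands_on_input_chain():
    """Examples 1, 5, 12 and 11 as one INPUT chain with the policy DROP that Example 11 sets."""
    chain = Chain("DROP")
    chain.append(Rule("ACCEPT", iface="lo"))                                                   # Ex. 1
    chain.append(Rule("DROP", iface="eth0", proto="tcp", dports=(21, 21)))                     # Ex. 5
    chain.append(Rule("ACCEPT", proto="tcp", states=frozenset({"ESTABLISHED", "RELATED"})))   # Ex. 12
    chain.append(Rule("DROP", proto="tcp", states=frozenset({"INVALID", "NEW"})))             # Ex. 12
    chain.append(Rule("ACCEPT", proto="icmp", limit=(6, 10)))                                  # Ex. 11
    return chain
```

Two things the model makes concrete: because Example 5 sits before the ESTABLISHED accept of Example 12, even an established FTP control connection on eth0 is dropped, and once the ten-packet burst of Example 11 is spent the limit match simply stops matching, so the packet falls through to the chain's DROP policy rather than to any explicit rule.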
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput (0–80) and speed-up RATE (0–8) versus packet size 128–1280 bytes for 3DES-CBC and AES128-CBC, and throughput (0–8) and RATE (0–2.5) versus packet size 16–144 bytes for AES128-CBC and 3DES-CBC; the highlighted series is the HW cipher.]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy state causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• on top of the existing SSL/TLS mechanism
• options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Packet layout: HMAC | IV | SeqN | IP packet payload; the SeqN and the payload are encrypted, and the HMAC is computed over the encrypted part]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• portability across operating systems
• firewall- and NAT-friendly
• dynamic address support
IPSec
• Kernel-space IP stack
• each operating system requires its own independent implementation of IPSec
• IETF Standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic Firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN attaches at the TUN device on layer 3 (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: two OSI stacks; OpenVPN attaches at the TAP device on layer 2 (Data-Link) instead of the TUN device on layer 3. On each host eth1 and tap0 are bridged together, while eth0 carries the tunnel traffic.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Network diagram: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server, whose ixp1 is 10.0.1.254 and whose ixp0 (192.168.12.201) faces the public network. LAN B (IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN Client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The client connects to the server and the VPN tunnel links the two LANs; the diagram also marks a CA/TLS Server.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routing: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
(Callout on the configuration file screenshot: the 2nd argument of "ifconfig", which is now "10.0.2.254")
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
Mark (comment out) this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routing: vi /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
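The TUN slides above refer to tunserver.conf and tunclient.conf without showing their contents. As an added example (not the training material's own files), the following POSIX shell script writes that pair of static-key configurations, keeping the addresses from the 3-1 diagram in one place. The server's public address is passed in by the caller and OPENVPN_DIR can be pointed at a scratch directory; both are assumptions of this example. `secret` selects the pre-shared static key mode of slide 2-2, which gives confidentiality and integrity (cipher plus HMAC) but no per-peer identity; with the certificates from 3-4 the `secret` line would be replaced by `ca`, `cert`, `key` and, on the server, `dh` directives.

```shell
#!/bin/sh
# Added example, not from the Moxa/OpenVPN slides: generate the static-key
# TUN configuration pair for the 3-1 topology (LAN A behind the server,
# LAN B behind the client). OPENVPN_DIR defaults to the working directory
# created in 3-1; override it to try the script without root.

OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"
SERVER_VPN_IP=10.0.1.254   # tunnel endpoint on the server (ixp1 of the LAN A gateway)
CLIENT_VPN_IP=10.0.2.254   # tunnel endpoint on the client (ixp1 of the LAN B gateway)
LAN_A=10.0.1.0             # network behind the server
LAN_B=10.0.2.0             # network behind the client
NETMASK=255.255.255.0

# Directives shared by both ends. The static key must be copied between the
# two boxes over a trusted channel and kept readable by root only (mode 600).
common_directives() {
    cat <<EOF
dev tun
proto udp
port 1194
secret $OPENVPN_DIR/static.key
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
verb 3
EOF
}

# write_tun_configs SERVER_PUBLIC_IP
# Writes tunserver.conf and tunclient.conf into $OPENVPN_DIR. The server's
# public address (assumed, passed by the caller) is the client's 'remote'.
write_tun_configs() {
    server_public_ip="$1"
    mkdir -p "$OPENVPN_DIR"
    {
        echo "# TUN server (LAN A gateway); the client must know this host's address"
        echo "ifconfig $SERVER_VPN_IP $CLIENT_VPN_IP"
        echo "route $LAN_B $NETMASK"
        common_directives
    } > "$OPENVPN_DIR/tunserver.conf"
    {
        echo "# TUN client (LAN B gateway); 'remote' is the server's public address"
        echo "remote $server_public_ip"
        echo "ifconfig $CLIENT_VPN_IP $SERVER_VPN_IP"
        echo "route $LAN_A $NETMASK"
        common_directives
    } > "$OPENVPN_DIR/tunclient.conf"
}

# tun_directive FILE NAME -> value of a directive in a generated file,
# e.g. "tun_directive tunclient.conf remote" prints the server address.
tun_directive() {
    grep "^$2 " "$OPENVPN_DIR/$1" | cut -d' ' -f2-
}

# Stand-alone use: sh tunconfigs.sh write <server-public-ip>
if [ "${1:-}" = "write" ] && [ -n "${2:-}" ]; then
    write_tun_configs "$2"
fi
```

The `ifconfig` line is the pair the 3-2 slides highlight: local endpoint first, remote endpoint second, so it is mirrored on the two ends. `user nobody` together with `persist-key` and `persist-tun` lets the daemon drop root after the key and the tun device are open and still survive a restart of the tunnel, and `keepalive` makes a dead peer visible instead of leaving a silent tunnel.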
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Repeat the request and signing for the second client
3-4-2 OpenVPN – "easy-rsa" tools
Copy the "easy-rsa" directory to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
Copy the CA certificate, the client key and the client certificate to the VPN client
The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range (0 to 300 VDC) & right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others which use the Ralink chipset
2-3 Processing Packets
2-3-1 Destination: Local Host
2-3-2 Source: Local Host
2-3-3 Forward Packets
2-3-4 State Machine
2-3-1 Destination: Local Host
[Diagram: Incoming packets → NAT table PREROUTING → Filter table INPUT → Local process]
2-3-2 Source: Local Host
[Diagram: Outgoing packets → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Send out packets]
2-3-3 Forwarded Packets
[Diagram: Incoming packets → NAT table PREROUTING → (routing decision: not a local resource) → Filter table FORWARD → NAT table POSTROUTING → Other hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t filter|nat|mangle -A|-I|-D|-R [direction] [match] -j [target]
3 major things need to be considered: direction, match, target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp | udp | icmp | all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW | ESTABLISHED | INVALID | RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using this exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from IP 192.168.0.24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 7 – Log all the incoming/outgoing TCP packets with to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC7110 does not support the target "LOG"
4-1 Packet Filter – Rules of filter table
Example 8 – Drop all the [syn] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the incoming packets from 192.168.1.0/24 to be the local ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
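Slide 3-4 recommends keeping the Netfilter rules in a script rather than editing the exported file by hand. The following is an added example of such a script (not from the training material), combining the filter-table patterns of Examples 1 to 14 with the nat-table examples into one file that can be re-run after every change. The interface names, the LAN network, the placeholder public address 203.0.113.10 and the internal web server address are assumptions set at the top; `DRY_RUN=1` prints the rules instead of applying them, so the rule set can be reviewed without root and without iptables installed. Rule order matters: the state rules come first so that replies are accepted before anything else is evaluated, MASQUERADE is placed in POSTROUTING as the 3-3-4 slide requires, and the LOG target is available on the UC-7400 but not on the UC-7110.

```shell
#!/bin/sh
# Added example (not from the Moxa iptables slides): a maintainable firewall
# script for a UC-7400 acting as a LAN gateway. Assumptions, all adjustable:
# eth0 is the WAN side, eth1 the LAN side with 192.168.1.0/24 behind it, and
# the internal web server 192.168.127.10 is published on PUBLIC_IP (a
# constructed placeholder address). Set DRY_RUN=1 to print instead of apply.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
WEB_SERVER="${WEB_SERVER:-192.168.127.10}"

# Every rule goes through this wrapper so dry-run and real runs stay identical.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

flush_all() {
    # Start from a clean slate so re-running the script is idempotent.
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

set_policies() {
    # Default deny for traffic to and through the box; outbound stays open.
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    ipt -t filter -A INPUT -i lo -j ACCEPT
    # Stateful rules first: replies to our own connections, then junk (Example 12).
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -m state --state INVALID -j DROP
    # Rate-limited ping (Example 11); anything over the limit hits the DROP policy.
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Management from the LAN only: SSH, and the NetBIOS ports of Example 6.
    ipt -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT
    ipt -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 137:139 -j ACCEPT
    # Log (rate-limited) new SYNs from the WAN before the policy drops them,
    # so the default deny is visible in syslog (LOG target, as in Example 7).
    ipt -t filter -A INPUT -i "$WAN_IF" -p tcp --syn -m limit --limit 3/min -j LOG --log-prefix "FW-INPUT-DROP: "
    # Forwarding: the LAN may go out; only replies and the published web port come back.
    ipt -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
}

nat_rules() {
    # DNAT the published port to the internal web server (NAT Example 3) and
    # masquerade the LAN behind the WAN address; MASQUERADE belongs in
    # POSTROUTING, not PREROUTING (see 3-3-4 and NAT Example 2).
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" --dport 80 -j DNAT --to "$WEB_SERVER:80"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_rules() {
    flush_all
    set_policies
    filter_rules
    nat_rules
}

# Number of rules the script installs; a cheap check that an edit did not drop one.
rule_count() {
    DRY_RUN=1 apply_rules | grep -c ' -A '
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Review the output with `DRY_RUN=1 sh firewall.sh apply` before running `sh firewall.sh apply` as root. Because the chains are flushed at the top, the script is the single source of truth for the rule set, which is the point the slide makes about not hand-editing the exported rules.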
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: (n-1)n/2 keys
DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext with the secret key into the ciphertext; Bob decrypts it with the same secret key back to the plaintext.]
1-3 Hash (Digest) Function
Ensures data integrity
MD5/SHA-1
[Diagram: Tom runs the hash function over the data to get Message Digest 1 and sends the data + Message Digest 1; Bob runs the same hash function over the received data to get Message Digest 2 and compares it with Message Digest 1.]
1-4 Message Authentication Code
Ensures the data integrity
Uses a key to protect the MAC
HMAC/CBC-MAC
[Diagram: Tom hashes the data to get Message Digest 1, encrypts it with the secret key into the MAC and sends the data + MAC; Bob decrypts the MAC with the secret key to recover Message Digest 1, hashes the received data to get Message Digest 2, and compares the two.]
1-5 Asymmetric Encryption
Things to remember
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to the clear text and the cipher text
• The two keys are interchangeable: all algorithms make no difference between the public and the private key; when a key pair is generated, any of the two can be public or private
• Less efficient than a static key
• RSA/Diffie-Hellman
[Diagram: clear text → encryption → cipher text]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair: confidentiality check.]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair: authenticity check.]
1-6 Digital Signature
Real world – hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – use the public key and a hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") → generate hash (SHA, MD5) → message digest (typically 128 bits) → asymmetric encryption (RSA) with the signatory's private key → digital signature. The signed document is the message plus the digital signature. A short message digest is calculated from even a long input using a one-way message digest function (hash).]
1-6 Digital Signature - Verifying
[Diagram: from the signed document, the message is hashed again to a fresh message digest, and the digital signature is decrypted with Gianni's public key (from the certificate) to recover the original message digest; the two digests are compared.]
1-6 Digital Signature
[Diagram: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to form the digital signature, sending the data + digital signature; Bob decrypts the signature with Tom's public key to recover Message Digest 1, hashes the received data to Message Digest 2, and compares the two.]
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration
• The local and remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
• [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &; at the client: openvpn --config /etc/openvpn/tunclient.conf &
• Note the 2nd argument of "ifconfig" (the remote tunnel endpoint), which is now "10.0.2.254"
3-3 TAP Configuration - VPN Server
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
• [At VPN Client] vi /etc/openvpn/tapclient.conf
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
• Edit the static routes: vi /etc/openvpn/tapserver.sh; chmod +x /etc/openvpn/tapserver.sh
• [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
• The route points to the kernel routing entry of br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &; at the client: openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client's certificate issued the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters (1024 bits): /etc/openvpn/easy-rsa/build-dh
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
• txxserver.conf
• txxclient.conf
(txx = tun or tap)
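As an added example (not Moxa's configuration files), the following script writes the TUN configuration pair of 3-2 and, with the tls argument, the SSL/TLS variant that 3-4-3 asks for. It assumes the topology of 3-1 (VPN server ixp0 192.168.12.201), dedicated tunnel endpoints 10.8.0.1/10.8.0.2 instead of the LAN gateway addresses the slides reuse as ifconfig arguments, the file names tunserver.conf/tunclient.conf, a static key at /etc/openvpn/static.key and the easy-rsa keys directory from 3-4-2; the route directives take the place of the tunserver.sh/tunclient.sh static-route scripts.

```shell
#!/bin/sh
# Added example, not Moxa's files: write the OpenVPN 2.0 TUN configuration pair
# (static key, 3-2) or its SSL/TLS variant (3-4-3) for the lab topology of 3-1.
# Assumptions: server outside address 192.168.12.201 (ixp0 in the diagram),
# dedicated tunnel endpoints 10.8.0.1/10.8.0.2, file names tunserver.conf and
# tunclient.conf, static key in /etc/openvpn/static.key, easy-rsa output in
# /etc/openvpn/easy-rsa/keys.
SERVER_WAN="${SERVER_WAN:-192.168.12.201}"
LAN_A="10.0.1.0 255.255.255.0"   # network behind the VPN server
LAN_B="10.0.2.0 255.255.255.0"   # network behind the VPN client
TUN_SRV="10.8.0.1"
TUN_CLI="10.8.0.2"
KEYS="/etc/openvpn/easy-rsa/keys"

# Directives shared by both ends of the point-to-point tunnel.
tun_common() {
    cat <<EOF
dev tun
proto udp
port 1194
keepalive 10 60
persist-key
persist-tun
comp-lzo
verb 3
EOF
}

# Authentication block: $1 = server|client, $2 = static|tls.
auth_lines() {
    role=$1; mode=$2
    if [ "$mode" = static ]; then
        echo "secret /etc/openvpn/static.key"   # pre-shared key from openvpn --genkey
    else
        echo "ca $KEYS/ca.crt"
        echo "cert $KEYS/$role.crt"
        echo "key $KEYS/$role.key"
        if [ "$role" = server ]; then
            echo "dh $KEYS/dh1024.pem"          # produced by build-dh
            echo "tls-server"
        else
            echo "tls-client"
        fi
    fi
}

# Write $1/tunserver.conf and $1/tunclient.conf; $2 = static|tls.
write_tun_configs() {
    dir=$1; mode=$2
    {
        tun_common
        echo "ifconfig $TUN_SRV $TUN_CLI"   # local, then remote tunnel endpoint
        echo "route $LAN_B"                  # LAN B is reached through the tunnel
        auth_lines server "$mode"
    } > "$dir/tunserver.conf"
    {
        tun_common
        echo "remote $SERVER_WAN"            # the client must know the server address
        echo "ifconfig $TUN_CLI $TUN_SRV"   # the two endpoints swap sides
        echo "route $LAN_A"
        auth_lines client "$mode"
    } > "$dir/tunclient.conf"
}

# Number of directives written to a file, for a quick sanity check.
count_directives() {
    grep -c '^[a-z]' "$1"
}

# Usage: sh gen-tun.sh static|tls [directory]   (directory defaults to /etc/openvpn)
if [ $# -ge 1 ]; then
    write_tun_configs "${2:-/etc/openvpn}" "$1"
fi
```

Both files share the same transport block; only the endpoint order, the remote line and the authentication block differ, which is exactly the part a reviewer compares when the two ends fail to connect.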
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
2-3-1 Destination: Local Host
[Figure: path of packets destined for the local host: Incoming packets → NAT table PREROUTING → Filter table INPUT → Local process]
2-3-2 Source: Local Host
[Figure: path of packets generated by the local host: Outgoing packets → NAT table OUTPUT → Filter table OUTPUT → NAT table POSTROUTING → Send out packets]
2-3-3 Forwarded Packets
[Figure: path of packets forwarded to other hosts: Incoming packets → NAT table PREROUTING → (routing decision: local resource or other hosts) → Filter table FORWARD → NAT table POSTROUTING → Other hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
• Note: ipchains and iptables are not compatible
3-1 Load iptables Modules
• Check the current tables: iptables [-t table] [-L] [-n]
• Default policy
3-1 Install iptables
• Clear the current policy
3-2 Define Default Policy
iptables -t [filter|nat|mangle] -P [INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING] [ACCEPT|DROP]
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter|nat|mangle] [-A|-I|-D|-R] [direction] [match] -j [target]
Three major things need to be considered: the direction (chain), the match and the target.
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp | udp | icmp | all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW | ESTABLISHED | INVALID | RELATED
5. -m multiport --sports|--dports|--ports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all TCP packets incoming from IP 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 3 - Accept all TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all TCP packets incoming from IP 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
(Rules are evaluated in order: appended after the Example 3 rule, this DROP is never reached, so insert it before the ACCEPT of the /24, for example with -I.)
4-1 Packet Filter - Rules of the filter table
Example 5 - Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 7 - Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
(Only the incoming direction is shown; the outgoing direction needs the matching OUTPUT rule with --sport 25.)
Note: the UC7110 does not support the "LOG" target
4-1 Packet Filter - Rules of the filter table
Example 8 - Drop all [SYN] packets from IP 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all packets from MAC aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Limit ICMP "ping" bursts:
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop INVALID packets and NEW packets that try to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of the filter table
Example 13 - Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "Passive Mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of the nat table
Example 1 - Redirect connection requests for port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 leaving via ppp0 as the local ppp0 IP (MASQUERADE is only valid in POSTROUTING):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the packets arriving on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10:80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets for TCP port 80 to 192.168.1.10, TCP port 80 (the rule shown is the source-NAT counterpart for the internal network's outbound traffic):
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
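The hands-on examples above are single rules typed one at a time. As an added example (not one of Moxa's hands-on files), the following script is the maintainable form that section 3-4 recommends instead of a saved rule dump: it rebuilds the whole filter and nat rule set of a UC-7400 acting as a NAT gateway. It assumes eth0 faces the outside with the address from NAT example 3 (60.248.66.75), eth1 faces the LAN 192.168.127.0/24 and the internal web server is 192.168.127.10; all of these can be overridden through environment variables, and IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not one of Moxa's hands-on files: rebuild the filter and nat
# rules of a UC-7400 used as a NAT gateway from a script (the alternative to a
# saved rule dump recommended in 3-4). Assumptions: eth0 faces the outside with
# address $OUT_IP (60.248.66.75 is the address of NAT example 3), eth1 faces the
# LAN 192.168.127.0/24, and the internal web server is 192.168.127.10.
# Run with IPT=echo to review the rule set without loading it.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.127.0/24}"
OUT_IP="${OUT_IP:-60.248.66.75}"
WEB_SRV="${WEB_SRV:-192.168.127.10}"

fw_flush() {
    for t in filter nat; do
        $IPT -t $t -F      # delete all rules in the table
        $IPT -t $t -X      # delete user-defined chains
    done
}

fw_policy() {
    # default-deny for inbound and forwarded traffic; the box itself may talk out
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

fw_input() {
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    # management (ssh) only from the LAN side
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT
    # answer ping, but rate-limited as in filter example 11
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # log (rate-limited) what the outside tries before the DROP policy discards it
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --syn -m limit --limit 3/min -j LOG --log-prefix "fw-input: "
}

fw_forward() {
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may go out; passive FTP data connections ride on the RELATED rule above
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # DNAT'ed web traffic still has to pass FORWARD after PREROUTING rewrote it
    $IPT -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SRV" --dport 80 -m state --state NEW -j ACCEPT
}

fw_nat() {
    # NAT example 3: publish the internal web server on the outside address
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 -j DNAT --to-destination "$WEB_SRV:80"
    # NAT example 4: rewrite the LAN's source address on the way out
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$OUT_IP"
}

# Rule loading only, kept separate so it can be reviewed with IPT=echo.
fw_rules() {
    fw_flush; fw_policy; fw_input; fw_forward; fw_nat
}

fw_start() {
    modprobe ip_conntrack_ftp 2>/dev/null      # helper for passive FTP (filter example 14)
    echo 1 > /proc/sys/net/ipv4/ip_forward     # the box must forward between eth0 and eth1
    fw_rules
}

fw_stop() {
    fw_flush
    for c in INPUT FORWARD OUTPUT; do $IPT -t filter -P $c ACCEPT; done
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    "")      ;;                     # no argument: only define the functions
    *)       echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

The order matters in two places: the state rules come first so that reply traffic is accepted before any per-service rule is evaluated, and the FORWARD rule for the web server is needed in addition to the DNAT rule, because the nat table only rewrites the address and the filter table still decides whether the packet may pass.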
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast; high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: (n-1)·n/2 keys
• DES / 3DES / AES / Blowfish
[Figure: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts it with the same secret key back into plaintext.]
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5 / SHA-1
[Figure: Tom computes Message Digest 1 of the data with a hash function and sends data + digest; Bob recomputes Message Digest 2 from the received data with the same hash function and compares it with Message Digest 1.]
1-4 Message Authentication Code
• Ensures data integrity
• Uses a key to protect the MAC
• HMAC / CBC-MAC
[Figure: Tom hashes the data into Message Digest 1, encrypts the digest with the secret key into the MAC and sends data + MAC; Bob decrypts the MAC with the secret key to recover Message Digest 1, recomputes Message Digest 2 from the data with the same hash function and compares the two.]
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session, one key is used for encryption and the other for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown; from one key you cannot gain knowledge of the other, even if you have access to the clear text and the cipher text
• The two keys are interchangeable: the algorithms make no difference between the public and the private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA / Diffie-Hellman
[Figure: clear text encrypted into unreadable cipher text.]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair). Confidentiality check.]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair). Authenticity check.]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: uses the public key and a hash
1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") is run through a one-way message digest function (hash: SHA, MD5), which calculates a short message digest (typically 128 bits) even from a long input; the digest is encrypted with the signatory's private key (asymmetric encryption: RSA) to produce the digital signature; the signed document is the message together with the signature.]
1-6 Digital Signature - Verifying
[Figure: the message part of the signed document is hashed again to generate a fresh message digest; the digital signature is decrypted with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared.]
1-6 Digital Signature
[Figure: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key into the digital signature; Bob decrypts the signature with Tom's public key to recover Message Digest 1, hashes the received data into Message Digest 2 and compares the two.]
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: a certificate made of the public key, the statement "This public key belongs to Stephen" and a digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Figure: the CA generates a key pair on the certification server; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user. The left and right certificates are signed by the CA, and the CA public key is itself signed by the CA.]
1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key. Left holds its private key, a certificate signed by the CA and the CA public key; Right holds its own private key, its certificate signed by the CA and the CA public key. Both trust the CA, so each can verify the other's certificate with the CA public key.]
1-7-2 SSL/TLS
[Figure: each side holds a public/private key pair. The clear text is encrypted into Cipher 1 and again into Cipher 2, transmitted over the public network, and decrypted in the reverse order with the corresponding keys back into clear text.]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four throughput charts comparing the hardware cipher with the software path. Two charts plot 3DES-CBC and AES-128-CBC against packet sizes from 128 to 1280 bytes (left axis 0 to 80, right axis "RATE" 0 to 8); two more plot the same ciphers against small packets from 16 to 144 bytes (left axis 0 to 8, right axis "RATE" 0 to 2.5). Legend: hatched = HW Cipher.]
1-8-3 Things to be noticed
• The Moxa UC-7400 switches operations between the software and the hardware approaches
• Default: hardware approach
• Any misconfiguration or busy condition causes the switch
• Small packets are switched to the software approach: DES 128 bytes; 3DES/AES 64 bytes
1-8-4 Software Package
• Driver: mxhw_cipher.o
• Device file: mknod /dev/mxcrypto c 11 131
• Test program: io (correctness test); io 0 5000 (stability test); io 1 (golden pattern); io 2 20000 (performance test)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the use of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | payload; the SeqN and payload part is encrypted, and the HMAC is computed over the encrypted part.]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
• Bridging and routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: OSI layer stacks (Physical to Application) of both hosts; OpenVPN runs at the Application layer and the TUN device attaches at layer 3 (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• A script is needed to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0        (create an Ethernet bridge)
brctl addif br0 eth1   (connect interface eth1 as a port)
brctl addif br0 tap0   (connect virtual interface tap0 as a port)
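The three brctl commands above are the core of the bridge script that 2-3-2 and 3-3 refer to. As an added example (not Moxa's openvpn-bridge script), the following script builds and tears down the br0 bridge from eth1 and tap0 and moves the LAN address onto br0 (10.0.1.254 on the VPN server, as in 3-3). It assumes the tap device is created persistently with openvpn --mktun, and it reads the brctl/ifconfig/openvpn command names from environment variables so the command sequence can be reviewed with echo before it is run on the device.

```shell
#!/bin/sh
# Added example, not Moxa's openvpn-bridge script: build (and tear down) the
# br0 bridge that joins eth1 and tap0 for TAP mode, with br0 taking over the
# LAN address (10.0.1.254 on the VPN server, as in 3-3). Assumptions: the tap
# device is created persistently with openvpn --mktun; BRCTL, IFCONFIG and
# OPENVPN can be overridden (e.g. with echo) to review the commands.
BR="${BR:-br0}"
ETH="${ETH:-eth1}"
TAP="${TAP:-tap0}"
BR_IP="${BR_IP:-10.0.1.254}"
BR_MASK="${BR_MASK:-255.255.255.0}"
BR_BCAST="${BR_BCAST:-10.0.1.255}"
BRCTL="${BRCTL:-brctl}"
IFCONFIG="${IFCONFIG:-ifconfig}"
OPENVPN="${OPENVPN:-openvpn}"

bridge_start() {
    $OPENVPN --mktun --dev "$TAP"            # persistent virtual Ethernet adapter
    $BRCTL addbr "$BR"                       # create the bridge
    $BRCTL addif "$BR" "$ETH"                # eth1 becomes a bridge port
    $BRCTL addif "$BR" "$TAP"                # tap0 becomes a bridge port
    $IFCONFIG "$ETH" 0.0.0.0 promisc up      # ports carry no address of their own
    $IFCONFIG "$TAP" 0.0.0.0 promisc up
    $IFCONFIG "$BR" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST" up
}

bridge_stop() {
    $IFCONFIG "$BR" down
    $BRCTL delbr "$BR"                       # removes its ports as well
    $OPENVPN --rmtun --dev "$TAP"
    # hand the LAN address back to eth1
    $IFCONFIG "$ETH" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST" up
}

bridge_main() {
    case "$1" in
        start)   bridge_start ;;
        stop)    bridge_stop ;;
        restart) bridge_stop; bridge_start ;;
        *) echo "usage: $0 {start|stop|restart}" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then bridge_main "$@"; fi
```

Once br0 owns the LAN address, the TAP configuration files of 3-3 only need dev tap0 and the same authentication block as the TUN case; the kernel route for the remote network points at br0, which is what 3-3 means by "br0 = 10.0.1.254".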
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
2-3-1 Destination Local Host2-3-1 Destination Local Host
Incoming Packets
NAT Table PREROUTING
Local Process
Filter Table INPUT
2-3-2 Source Local Host2-3-2 Source Local Host
2-3-2 Source Local Host2-3-2 Source Local Host
NAT Table OUTPUT
Outgoing Packets
Filter Table OUPUT
NAT Table POSTROUTING
Send Out Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
NAT Table PREROUTING
Local Resource
NAT Table POSTROUTING
Other Hosts
Incoming Packets
Filter Table FORWARD
2-4 State Machine2-4 State Machine
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
3) Usage of iptables3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save Restore Rules
3-1 Load iptables Modules3-1 Load iptables Modules
Note ipchains and iptables are not compatible
3-1 Load iptables Module3-1 Load iptables Module
Check the Current Tablesiptables [-t tables] [-L] [-n]
Default Policy
3-1 Install iptables3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy3-2 Define Default Policy
iptables ndasht filter nat mangle
ndashP INPUT OUTPUT FORWARD PREROUTING POSTROUTING
ACCEPT DROP
3-2 Define Default Policy3-2 Define Default Policy
3-3 Structure of a Rule3-3 Structure of a Rule
3-3-1 Add Insert Delete an Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add Insert Delete and Replace3-3-1 Add Insert Delete and Replace
iptables ndasht filter nat mangle
AI DR
ndash direction match target
3 major things needed
to be considered
ndashj
3-3-2 Direction ndash Chains3-3-2 Direction ndash Chains
a filter Table INPUT
OUTPUT
FORWARD
b nat Table PREROUTING
POSTROUTING
OUTPUT
c mangle table hellip
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 - Drop all incoming TCP packets with destination port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to the local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 - Log all incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the target "LOG"
Example 8 - Drop all [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Rate-limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED and RELATED packets of the local host; drop INVALID packets and NEW packets that try to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 - Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
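The filter rules of 4-1 collected into one maintainable script, as 3-4 recommends, with a default-deny INPUT policy and the rules ordered so that each one is actually reached. This is an added example, not the hands-on script from the slides; eth0 and the addresses are the slide's values, while the run() wrapper and the DRY_RUN / FW_APPLY variables are assumptions of this script.

```shell
#!/bin/sh
# Added example (not the slides' own hands-on script): the 4-1 filter-table rules kept in a
# script, as 3-4 recommends.  DRY_RUN=1 prints the commands instead of applying them; set
# FW_APPLY=1 and run as root to load them.
WAN=eth0
TRUSTED_NET=192.168.0.0/24      # may reach the NetBIOS ports (example 6)
BLOCKED_HOST=192.168.1.25       # dropped outright (example 4)

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

filter_rules() {
    # 3-2: start from a clean chain and a default-deny policy for what reaches this host
    run iptables -t filter -F INPUT
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -P FORWARD DROP
    run iptables -t filter -P OUTPUT ACCEPT
    # example 1: loopback is always accepted
    run iptables -t filter -A INPUT -i lo -j ACCEPT
    # example 12: replies to connections this host opened pass, malformed state is dropped early
    run iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -A INPUT -m state --state INVALID -j DROP
    # example 4: a denied host must precede any broader ACCEPT that could match it
    run iptables -t filter -A INPUT -i "$WAN" -s "$BLOCKED_HOST" -j DROP
    # example 5: no FTP control connections from the outside
    run iptables -t filter -A INPUT -i "$WAN" -p tcp --dport 21 -j DROP
    # example 6: NetBIOS only from the trusted subnet
    run iptables -t filter -A INPUT -i "$WAN" -p tcp -s "$TRUSTED_NET" --dport 137:139 -j ACCEPT
    # example 7: LOG does not terminate evaluation, so the packet continues to the rules below
    run iptables -t filter -A INPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP: "
    # example 11: answer echo requests, but at most 6 per minute after a burst of 10
    run iptables -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # anything not accepted above falls through to the DROP policy (example 12's NEW drop)
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    filter_rules
fi
```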
4-2 NAT Machine
Example 1 - Redirect connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets coming from 192.168.1.0/24 as the local ppp0 IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 - DNAT the packets incoming from eth0 (60.248.66.75) on TCP port 80 to the internal web server 192.168.127.10, port 80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
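The NAT gateway of 4-2 as one script: DNAT in PREROUTING for the published web server, SNAT in POSTROUTING for the LAN, and the FORWARD rules that the NAT rules alone do not provide. Added example, not the slides' own script; OUT_IP is a placeholder (the slides leave it as the shell variable $OUT_IP), and eth1 as the LAN interface, the run() wrapper and DRY_RUN / NAT_APPLY are assumptions.

```shell
#!/bin/sh
# Added example (not the slides' own NAT hands-on script): a UC-7400 as NAT gateway with the
# 4-2 rules, eth0 outside and eth1 on the 192.168.127.0/24 LAN.  DRY_RUN=1 prints the commands;
# NAT_APPLY=1 as root applies them.
WAN=eth0
LAN=eth1
OUT_IP=${OUT_IP:-203.0.113.10}      # placeholder public address of the gateway
LAN_NET=192.168.127.0/24
WEB_SERVER=192.168.127.10

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

nat_rules() {
    # without IP forwarding the kernel never consults the FORWARD chain
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -F
    run iptables -t filter -F FORWARD
    run iptables -t filter -P FORWARD DROP
    # example 3: publish the internal web server.  DNAT lives in PREROUTING, before the
    # routing decision, so every later chain already sees 192.168.127.10 as the destination
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp -d "$OUT_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # the POSTROUTING rule of 4-2: LAN hosts leave with the gateway's fixed address
    # (MASQUERADE does the same for a dynamic address such as ppp0's)
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$OUT_IP"
    # NAT only rewrites addresses; the filter table still decides what may cross:
    # inbound, only new connections to the published service ...
    run iptables -t filter -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW -j ACCEPT
    # ... outbound, connections the LAN opens, and the replies of both (4-1 example 12)
    run iptables -t filter -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    run iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # passive FTP from the LAN needs the helper so its data connection counts as RELATED (4-1 ex. 14)
    run modprobe ip_conntrack_ftp
}

if [ "${NAT_APPLY:-0}" = 1 ]; then
    nat_rules
fi
```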
Thank You
OpenVPN 2.0
Stephen Lin
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC-7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys
• DES, 3DES, AES, Blowfish
[Figure: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back to the plaintext]
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5, SHA-1
[Figure: Tom runs the data through the hash function to get message digest 1 and sends data + digest 1; Bob runs the received data through the same hash function to get message digest 2 and compares the two digests]
1-4 Message Authentication Code
• Ensure the data integrity
• Use a key to protect the MAC
• HMAC, CBC-MAC
[Figure: Tom hashes the data into message digest 1, encrypts the digest with the secret key into the MAC and sends data + MAC; Bob decrypts the MAC with the secret key to recover digest 1, hashes the received data into message digest 2 and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair - public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: all algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static key
• RSA, Diffie-Hellman
[Figure: clear text encrypted into ciphertext]
1-5 Asymmetric Data Encryption
[Figure - confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair)]
1-5 Asymmetric Data Encryption
[Figure - authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair)]
1-6 Digital Signature
Real world - hybrid:
1) Data integrity
2) Authenticity
3) Non-repudiation
4) Algorithm - use the public key and the hash
1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") is reduced with a one-way message digest function (SHA, MD5) to a short message digest (typically 128 bits), even for a long input; the digest is encrypted with the signatory's private key (RSA, asymmetric encryption) to give the digital signature; message plus digital signature form the signed document]
1-6 Digital Signature - Verifying
[Figure: from the signed document the verifier hashes the message into a message digest, decrypts the digital signature with Gianni's public key (from the certificate) into the original digest, and compares the two]
1-6 Digital Signature
[Figure: Tom hashes the data into message digest 1 and encrypts it with Tom's private key into the digital signature, sent with the data; Bob decrypts the signature with Tom's public key, hashes the received data into message digest 2 and compares]
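The keyed digest of 1-4 and the create/verify flow of 1-6, done with the openssl command-line tool so that a tampered message and a forged document are actually rejected. This is an added example, not code from the slides; the function names, the HMAC key, the 2048-bit RSA size, SHA-256 and the document text are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Moxa slides): HMAC (1-4) and RSA digital signatures (1-6)
# with the openssl CLI.  Keys and messages below are constructed for the demo.

# hmac_tag KEY MESSAGE -> hex HMAC-SHA256 tag: the digest of 1-3 protected by a key (1-4)
hmac_tag() {
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | sed 's/^.*= //'
}

# hmac_verify KEY MESSAGE TAG -> 0 when TAG is the MAC of MESSAGE under KEY, 1 otherwise
# (Bob's "compare" step; real code should use a constant-time comparison)
hmac_verify() {
    expected=$(hmac_tag "$1" "$2")
    [ "$expected" = "$3" ]
}

# rsa_keypair DIR: the signatory's key pair, DIR/priv.pem (kept secret) and DIR/pub.pem
rsa_keypair() {
    openssl genrsa -out "$1/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# rsa_sign PRIVKEY FILE SIGOUT: hash FILE with SHA-256, sign the digest with the private key
rsa_sign() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# rsa_verify PUBKEY FILE SIG -> 0 when the digest recovered with the public key matches FILE
rsa_verify() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# signature_demo -> 0 when the untouched document verifies and a modified one does not
signature_demo() {
    dir=$(mktemp -d)
    rsa_keypair "$dir"
    printf 'This is the document created by Gianni\n' > "$dir/doc.txt"
    rsa_sign "$dir/priv.pem" "$dir/doc.txt" "$dir/doc.sig"
    rc=0
    rsa_verify "$dir/pub.pem" "$dir/doc.txt" "$dir/doc.sig" || rc=1
    # one changed byte in the document changes its digest, so the old signature no longer fits
    printf 'This is the document created by Giannu\n' > "$dir/doc.txt"
    if rsa_verify "$dir/pub.pem" "$dir/doc.txt" "$dir/doc.sig"; then rc=1; fi
    rm -rf "$dir"
    return $rc
}
```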
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Figure - certification server: the CA generates a key pair (priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key; the CA public key, Left's certificate and Right's certificate are all signed by the CA; Left and Right each hold their own private key, their own certificate signed by the CA and the CA public key, and trust each other through it]
1-7-2 SSL/TLS
[Figure: clear text is encrypted twice (cipher 1, then cipher 2) using the key pairs of both sides, transmitted over the public network, and decrypted in reverse order back to clear text]
• Ensures confidentiality, and integrity if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC-7400 - Hardware Cipher
• Intel XScale supports security engines DES and AES, with the algorithm modes ECB, CBC and CTR
• Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so": no need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput (rate) of 3DES-CBC and AES-128-CBC versus packet size, 128 to 1280 bytes and 16 to 144 bytes, software cipher compared with the HW cipher]
1-8-3 Things to be noticed
• The Moxa UC-7400 switches the operation between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
• Small packets are switched to the software approach: DES 128 bytes, 3DES/AES 64 bytes
1-8-4 Software Package
• Driver: mxhw_cipher.o
• Device file: mknod /dev/mxcrypto c 11 131
• Test program: io (correctness test); io 0 5000 (stability test); io 1 (golden pattern); io 2 20000 (performance test)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution on top of the existing SSL/TLS mechanism, with a choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: HMAC | IV | SeqN | IP payload, where SeqN and the IP payload are encrypted and the HMAC covers the IV and the encrypted part]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (a TUN device): a virtual point-to-point IP link; the inner interface is combined with the TUN device
• Uses the kernel routing to forward the packets
[Figure: the OSI stacks of both ends; OpenVPN runs at the application layer and the TUN device sits at the network layer (3rd)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1) Point-to-point
2) Easier to configure
3) Efficiency and scalability
4) Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1) Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2) Routes must be set up linking each subnet
3) Software that depends on broadcasts will not see the machines on the other side of the VPN
4) Works only with IPv4 in general, and with IPv6 where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Figure: the OSI stacks of both ends; OpenVPN runs at the application layer, TAP sits at the data-link layer (2nd) where TUN sits at the network layer (3rd); on each side eth1 and tap0 are bridged while eth0 carries the tunnel]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1) Point-to-point and point-to-multipoint
2) Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3) No route statements to configure
4) Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5) Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1) Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X509 Dynamic Keys
3-1 Getting Started
[Figure - lab topology: the VPN server (ixp0 192.168.12.201, also the CA/TLS server) and the VPN client (ixp0 192.168.12.202) connect over the VPN tunnel; behind the server, ixp1 is the gateway 10.0.1.254 of LAN A (IP 10.0.1.1/24); behind the client, ixp1 is the gateway 10.0.2.254 of LAN B (IP 10.0.2.1/24)]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
• Create / start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the cipher / authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tun.server.conf; [at the VPN client] vi /etc/openvpn/tun.client.conf
3-2 TUN Server Configuration
• The local and remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routings: vi /etc/openvpn/tun.server.sh; chmod +x /etc/openvpn/tun.server.sh
• [At the VPN client] vi /etc/openvpn/tun.client.sh; chmod +x /etc/openvpn/tun.client.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun.server.conf & and, at the client, openvpn --config /etc/openvpn/tun.client.conf &
• Note the 2nd argument of "ifconfig", which is now "10.0.2.254"
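A static-key TUN server/client pair for the 3-1 topology, with the two points the slide insists on: the client must carry a "remote" line, and the two ends' ifconfig addresses must be each other's mirror image. This is an added example, not the slides' tun.server.conf / tun.client.conf; the tunnel endpoints 10.8.0.1/10.8.0.2, SERVER_ADDR and the function names are assumptions, while the LAN prefixes are the slide's.

```shell
#!/bin/sh
# Added example (not the slides' configuration files): static-key TUN configs for LAN A
# 10.0.1.0/24 behind the server and LAN B 10.0.2.0/24 behind the client.
SERVER_ADDR=${SERVER_ADDR:-198.51.100.1}    # placeholder: address the client reaches the server on

# write_tun_server_conf FILE: the server needs no "remote", it only listens
write_tun_server_conf() {
    cat > "$1" <<EOF
dev tun
proto udp
port 1194
# local tunnel address first, then the peer's (the client lists them the other way round)
ifconfig 10.8.0.1 10.8.0.2
# LAN B is reached through the tunnel; the client adds the mirror route for LAN A
route 10.0.2.0 255.255.255.0
# pre-shared key from "openvpn --genkey --secret static.key", copied to both ends
secret static.key
# keep NAT state alive and recover from a dead peer without a restart
ping 10
ping-restart 60
persist-tun
persist-key
verb 3
EOF
}

# write_tun_client_conf FILE: the client MUST name the server (the slide's "NECESSARY" point)
write_tun_client_conf() {
    cat > "$1" <<EOF
dev tun
proto udp
port 1194
remote $SERVER_ADDR 1194
ifconfig 10.8.0.2 10.8.0.1
route 10.0.1.0 255.255.255.0
secret static.key
ping 10
ping-restart 60
persist-tun
persist-key
verb 3
EOF
}

# tun_ifconfig_consistent SERVER_CONF CLIENT_CONF -> 0 when the client's ifconfig pair is the
# server's pair reversed, as the two ends of a point-to-point tunnel must be; 1 otherwise
tun_ifconfig_consistent() {
    s=$(grep '^ifconfig ' "$1" || true)
    c=$(grep '^ifconfig ' "$2" || true)
    set -- $s; s_local=$2; s_remote=$3
    set -- $c; c_local=$2; c_remote=$3
    [ -n "$s_local" ] && [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ]
}
```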
3-3 TAP Configuration - VPN Server
• Create the TAP configuration files: vi /etc/openvpn/tap.server.conf; [at the VPN client] vi /etc/openvpn/tap.client.conf
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
• Edit the static routings: vi /etc/openvpn/tap.server.sh; [at the VPN client] vi /etc/openvpn/tap.client.sh; chmod +x /etc/openvpn/tap.client.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap.server.conf & and, at the client, openvpn --config /etc/openvpn/tap.client.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input default_days, default_bits, ... etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters (1024 bits): /etc/openvpn/easy-rsa/build-dh
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
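The three steps of 3-4-1 and 3-4-2 (CA key pair, per-peer key and request, CA-signed certificate) done with the plain openssl CLI, plus the check of 1-7 that each peer performs against the CA certificate. Added example, not Moxa's CA script or OpenVPN's easy-rsa; the CA name, the 365-day lifetime, 2048-bit keys and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the CA script or easy-rsa from the slides): a minimal CA with openssl,
# and the verification an OpenVPN peer does with "ca ca.crt".

# pki_build_ca DIR: CA key pair and self-signed CA certificate (DIR/ca.key, DIR/ca.crt)
pki_build_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example-CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# pki_issue DIR NAME: NAME's private key and certificate request, then a certificate signed by
# the CA (DIR/NAME.key, DIR/NAME.crt).  Only the request, never the private key, goes to the CA.
pki_issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# pki_verify CAFILE CERT -> 0 when CERT is "digitally signed by someone trusted" (1-7), i.e.
# its signature chains to CAFILE; non-zero otherwise
pki_verify() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pki_subject CERT -> the CN that the certificate binds to its public key
pki_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# pki_demo -> 0 when server and client certificates verify against our CA and a certificate
# issued by a second, unrelated CA does not
pki_demo() {
    ours=$(mktemp -d); theirs=$(mktemp -d)
    pki_build_ca "$ours"
    pki_issue "$ours" server
    pki_issue "$ours" client
    pki_build_ca "$theirs"
    pki_issue "$theirs" rogue
    rc=0
    pki_verify "$ours/ca.crt" "$ours/server.crt" || rc=1
    pki_verify "$ours/ca.crt" "$ours/client.crt" || rc=1
    # well-formed, but signed by a CA we do not trust: must be rejected
    if pki_verify "$ours/ca.crt" "$theirs/rogue.crt"; then rc=1; fi
    [ "$(pki_subject "$ours/server.crt")" = server ] || rc=1
    rm -rf "$ours" "$theirs"
    return $rc
}
```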
3-4-3 Configuration File Modification
• txx.server.conf
• txx.client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1: Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2: System status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3: Alarm setting: Temperature → Voltage → Burn-in throughput
F4: Configuration key
F5: Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
2-3-2 Source Local Host2-3-2 Source Local Host
2-3-2 Source Local Host2-3-2 Source Local Host
NAT Table OUTPUT
Outgoing Packets
Filter Table OUPUT
NAT Table POSTROUTING
Send Out Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
2-3-3 Forwarded Packets2-3-3 Forwarded Packets
NAT Table PREROUTING
Local Resource
NAT Table POSTROUTING
Other Hosts
Incoming Packets
Filter Table FORWARD
2-4 State Machine2-4 State Machine
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
3) Usage of iptables3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save Restore Rules
3-1 Load iptables Modules3-1 Load iptables Modules
Note ipchains and iptables are not compatible
3-1 Load iptables Module3-1 Load iptables Module
Check the Current Tablesiptables [-t tables] [-L] [-n]
Default Policy
3-1 Install iptables3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy3-2 Define Default Policy
iptables ndasht filter nat mangle
ndashP INPUT OUTPUT FORWARD PREROUTING POSTROUTING
ACCEPT DROP
3-2 Define Default Policy3-2 Define Default Policy
3-3 Structure of a Rule3-3 Structure of a Rule
3-3-1 Add Insert Delete an Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add Insert Delete and Replace3-3-1 Add Insert Delete and Replace
iptables ndasht filter nat mangle
AI DR
ndash direction match target
3 major things needed
to be considered
ndashj
3-3-2 Direction ndash Chains3-3-2 Direction ndash Chains
a filter Table INPUT
OUTPUT
FORWARD
b nat Table PREROUTING
POSTROUTING
OUTPUT
c mangle table hellip
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Accept all the packets incoming from lo interface
Example 2 ndash Accept all the TCP packets incoming from
IP = 19216801
iptables ndasht filter ndashA INPUT ndashi lo ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 19216801 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 3 ndash Accept all the TCP packets incoming from the network
1921681024
Example 4 ndash Drop all the TCP packets incoming from IP = 192168125
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 1921681024 -j ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 192168125 ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 5 ndash Drop all the Incoming TCP packets with dst Port = 21
(forbid FTP Connection from eth0)
Example 6 ndash Accept TCP packets incoming from IP 192168024 to
local port number 137138 and 139
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndash ndashdport 21 ndashj DROP
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp ndashs
192168024 ndash ndashdport 137139 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature

Real world: a hybrid of hash and public key.
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: hash the data, then apply the signatory's private key to the digest.

1-6 Digital Signature - Creating

1. Calculate a short message digest from the message or file, however long, with a one-way message digest function (hash): SHA or MD5. The digest is 128 bits for MD5, 160 bits for SHA-1.
2. Encrypt the digest with the signatory's private key (asymmetric encryption, RSA). The result is the digital signature.
3. Signed document = message + digital signature.

Slide example: the message "This is the document created by Gianni" is hashed to a short digest, and the digest signed with Gianni's private key gives the signature bytes shown next to the document.

1-6 Digital Signature - Verifying

1. Split the signed document into the message and the digital signature.
2. Generate the message digest of the received message with the same hash function.
3. Decrypt the digital signature with Gianni's public key, taken from his certificate (1-7), to recover the digest he signed.
4. Compare the two digests: equal means the message is unchanged and was signed by the holder of Gianni's private key.

Diagram (Tom and Bob): Tom hashes Data to Message Digest 1 and encrypts it with Tom's Private Key to form the Digital Signature, which travels with the Data. Bob hashes the received Data to Message Digest 2, decrypts the Digital Signature with Tom's Public Key to recover Message Digest 1, and compares the two.
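The creating and verifying steps above, carried out with the openssl command line. This is an added example, not code from the Moxa slides: it uses SHA-256 rather than MD5/SHA-1 and a 2048-bit RSA key, it assumes the openssl CLI is installed, and the key and file names (gianni.key, doc.txt, Mallory) are invented.

```sh
#!/bin/sh
# Added example: hash-then-sign with openssl, as in the 1-6 slides.
# Assumptions: the openssl CLI is installed; key/file names are invented.

WORK=$(mktemp -d)

# Signatory's key pair. Only gianni.pub (normally wrapped in a certificate, 1-7)
# is given to verifiers; gianni.key never leaves the signer.
openssl genrsa -out "$WORK/gianni.key" 2048 2>/dev/null
openssl rsa -in "$WORK/gianni.key" -pubout -out "$WORK/gianni.pub" 2>/dev/null

# sign_file FILE KEY: digest FILE with SHA-256, sign the digest, write FILE.sig
sign_file() {
    openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# verify_file FILE PUBKEY: recompute the digest, decrypt FILE.sig with PUBKEY,
# compare. Exit status 0 = signature valid, non-zero = invalid.
verify_file() {
    openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Constructed sample document (text taken from the slide).
printf 'This is the document created by Gianni\n' > "$WORK/doc.txt"
sign_file "$WORK/doc.txt" "$WORK/gianni.key"

# check_original: the untouched document verifies with Gianni's public key
check_original() {
    verify_file "$WORK/doc.txt" "$WORK/gianni.pub"
}

# check_tampered: change one word, keep the old signature -> digest mismatch.
# Returns 0 only if the forgery was correctly rejected.
check_tampered() {
    sed 's/Gianni/Mallory/' "$WORK/doc.txt" > "$WORK/forged.txt"
    cp "$WORK/doc.txt.sig" "$WORK/forged.txt.sig"
    if verify_file "$WORK/forged.txt" "$WORK/gianni.pub"; then return 1; else return 0; fi
}

# check_wrong_key: a signature only verifies against the matching public key.
# Returns 0 only if verification with an unrelated key was rejected.
check_wrong_key() {
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/other.key" -pubout -out "$WORK/other.pub" 2>/dev/null
    if verify_file "$WORK/doc.txt" "$WORK/other.pub"; then return 1; else return 0; fi
}

if check_original; then echo "original document: signature OK"; fi
if check_tampered; then echo "tampered copy: signature rejected"; fi
if check_wrong_key; then echo "unrelated public key: signature rejected"; fi
```

openssl dgst -sign computes the digest and signs it in one call, so the intermediate "message digest" of the slide is never written out; the rejected tampered copy is the "compare" step of the verifying slide coming out unequal.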
1-7 Certificate

The simplest certificate just contains:
- a public key (here, Stephen's)
- information about the entity that is being certified to own that public key

... and the whole is digitally signed by someone trusted (a friend, or a CA).

Diagram: Certificate = [public key] + ["This public key belongs to Stephen"] + [Digital Signature of the issuer]. The entity can be a person, a computer, a device, a file, some code, anything.

1-7-1 CA Certificate

Diagram (certification server):
1. The CA generates its own key pair; the CA public key is published as the CA certificate, signed by the CA itself (self-signed).
2. A user requests a certificate from the CA.
3. The CA generates the certificate: the user's public key plus identity, signed with the CA private key.
4. The private key and the certificate are sent to the user.
Left and Right certificates are both signed by the CA.

Note: in this model the CA generates the user's key pair, so the private key has to travel to the user over a protected channel. The alternative, used by OpenSSL's CA script (-newreq, 3-4-1) and easy-rsa's build-req, is to generate the key on the device and send the CA only a certificate request containing the public key.

1-7-1 CA Certificate Example

Diagram: the CA holds the CA Private Key. Left and Right each hold their own private key, their own certificate signed by the CA, and the CA Public Key, which both trust. (The CA signs certificates, i.e. public keys plus identities; it never sees or signs a private key.) Because each side can check the other's certificate against the CA Public Key, Left trusts Right and Right trusts Left without ever having exchanged keys directly.
1-7-2 SSL/TLS

Diagram: the sender's Clear text is encrypted twice, first with its own private key (Cipher 1) and then with the receiver's public key (Cipher 2), and transmitted over the public network; the receiver decrypts Cipher 2 with its private key and Cipher 1 with the sender's public key to get the Clear text back.
- Ensures confidentiality, and integrity if digitally signed.
- Depending on how the public keys are exchanged (certificates, 1-7): authenticity, identity, non-repudiation.

Note: this is the conceptual picture. A real SSL/TLS session uses the certificates and public key operations only in the handshake, to authenticate the peers and agree on session keys; the data itself is protected with symmetric ciphers (1-2) and MACs (1-4), which is why the hardware cipher in 1-8 matters for OpenVPN throughput.
1-8 Moxa UC7400 - Hardware Cipher

Intel XScale (IXP422) supports:
- Security engines: DES, AES
- Cipher modes: ECB, CBC, CTR

Moxa wraps the hardware acceleration inside the algorithm APIs of libcrypto.so, so application source code does not need to change.

1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7

- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- ECB mode is wrapped one level higher (libssl.so), where OpenSSL wraps it as well.
1-8-2 Performance

Charts (not recoverable as text): throughput and hardware/software speed-up ratio (RATE) for 3DES-CBC and AES-128-CBC, hardware cipher versus software, plotted against packet size; one pair of charts for 128 to 1280 byte packets and one for 16 to 144 byte packets. Legend marker = HW Cipher.
1-8-3 Things to be noticed

- The Moxa UC-7400 switches between the software and the hardware implementation.
- Hardware is the default; any misconfiguration, or a busy engine, causes a fall-back to software.
- Small packets are handled in software (the per-call overhead of the engine outweighs its gain on small buffers): below 128 bytes for DES, below 64 bytes for 3DES/AES.

1-8-4 Software Package

- Driver: mxhw_cipher.o
- Device file: mknod /dev/mxcrypto c 11 131
- Test program:
  io            correctness test
  io 0 5000     stability test
  io 1          golden pattern
  io 2 20000    performance test
Agenda

1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0

2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network

2-1 VPN Advantages/Disadvantages

- VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
- A VPN encrypts all network traffic, not just a few application protocols (as SSL or SSH do).
- A VPN allows the use of protocols which are insecure by themselves.
- Disadvantage: VPN traffic cannot be inspected, controlled or logged easily on the path because of its encrypted nature; filtering has to happen at the tunnel endpoints.
2-2 Why OpenVPN

Usability
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit static (pre-shared) key or digital certificates (PKI)

Portability - supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later

2-2 Why OpenVPN

- Peers: each node takes a client or a server role; packets are forwarded with the kernel routing table; one server can serve multiple clients (2.0).
- A user-space program, a full-featured SSL VPN solution:
  - built on top of the existing SSL/TLS mechanism
  - a choice among a set of security algorithms (openvpn --show-ciphers, --show-digests)
  - can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port (default 5000 in OpenVPN 1.x, 1194 in 2.0)
2-2 OpenVPN Security

Two authentication modes:
- Static key: a pre-shared key file (openvpn --genkey) on both sides.
- SSL/TLS: SSL/TLS with certificates, for authentication and key exchange.

The encrypted packet is formatted as:
- HMAC: authentication tag over the IV and the encrypted part
- IV: plain text initial vector, randomized per packet
- SeqN: 64-bit sequence number, carried inside the encrypted part
- IP payload, encrypted

Diagram: [HMAC][IV][SeqN][IP payload]; SeqN + payload are encrypted and the HMAC covers IV + ciphertext. A receiver verifies the HMAC first, before decrypting anything, then checks SeqN against the last one seen to drop replayed packets.
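The packet layout above, rebuilt with the openssl command line so the receive-side order can be seen: HMAC check first, decryption second, sequence-number check third. This is an added example and not OpenVPN's code: the framing is textual (hex IV, base64 ciphertext, colon separators) for shell convenience where OpenVPN MACs raw bytes, the two keys are constructed constants standing in for the static key file or the TLS-negotiated keys, and the payload strings are made up.

```sh
#!/bin/sh
# Added example: OpenVPN-style data-channel framing with the openssl CLI.
# Not OpenVPN's code; textual framing and constant keys are simplifications.

CIPHER_KEY=000102030405060708090a0b0c0d0e0f   # AES-128 key, hex (constructed)
HMAC_KEY=2b7e151628aed2a6abf7158809cf4f3c     # HMAC-SHA1 key, hex (constructed)
LAST_SEQ=0                                    # highest sequence number accepted so far

# mac_over IV CIPHERTEXT -> hex HMAC-SHA1 tag covering the IV and the ciphertext
mac_over() {
    printf '%s:%s' "$1" "$2" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$HMAC_KEY" | awk '{print $NF}'
}

# send_packet SEQ PAYLOAD -> "tag:iv:ciphertext". SEQ and PAYLOAD are encrypted
# together under a fresh random IV; the tag is computed over what is sent.
send_packet() {
    iv=$(openssl rand -hex 16)
    ct=$(printf '%s|%s' "$1" "$2" | openssl enc -aes-128-cbc -K "$CIPHER_KEY" -iv "$iv" -a -A)
    printf '%s:%s:%s\n' "$(mac_over "$iv" "$ct")" "$iv" "$ct"
}

# receive_packet PACKET -> prints the payload and returns 0;
# returns 1 on a bad HMAC, 2 on a replayed sequence number.
receive_packet() {
    tag=${1%%:*}; rest=${1#*:}; iv=${rest%%:*}; ct=${rest#*:}
    # 1. authenticate before doing anything with the ciphertext
    [ "$(mac_over "$iv" "$ct")" = "$tag" ] || { echo "drop: bad HMAC" >&2; return 1; }
    # 2. decrypt (only authenticated data reaches the cipher)
    plain=$(printf '%s' "$ct" | openssl enc -d -aes-128-cbc -K "$CIPHER_KEY" -iv "$iv" -a -A)
    seq=${plain%%|*}; payload=${plain#*|}
    # 3. replay protection: the sequence number must advance
    [ "$seq" -gt "$LAST_SEQ" ] || { echo "drop: replay of seq $seq" >&2; return 2; }
    LAST_SEQ=$seq
    printf '%s\n' "$payload"
}

# Demo: two packets, a replay of the first, and a packet with a damaged tag.
p1=$(send_packet 1 'ICMP echo to 10.0.2.1')
p2=$(send_packet 2 'ICMP echo reply')
receive_packet "$p1"
receive_packet "$p2"
receive_packet "$p1" || echo "replayed packet rejected, status $?"
forged="x${p2#?}"                 # corrupt one character of the HMAC tag
receive_packet "$forged" || echo "tampered packet rejected, status $?"
```

The order is the point: an attacker without the HMAC key can only make the receiver drop packets, because nothing unauthenticated ever reaches the cipher or the padding check, and the replay check comes after the HMAC check because the sequence number is itself inside the authenticated part.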
2-2 OpenVPN vs IPSec

OpenVPN
- user-space daemon
- SSL/TLS
- portability across operating systems
- firewall and NAT friendly (one UDP or TCP port)
- dynamic address support

IPSec
- kernel-space IP stack
- each operating system requires its own independent implementation of IPSec
- IETF standard, multi-vendor support
2-3 OpenVPN Modes

Bridging and routing are the two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)

Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly.
2-3-1 Routed IP Tunnels (TUN Mode)

- Uses a TUN device: a virtual point-to-point IP link. OpenVPN reads IP packets from the TUN device, encrypts them and sends them over the physical interface, and writes received packets back into it.
- The kernel routing table decides which packets are forwarded into the tunnel.

Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs as an application, while the TUN device appears at the Network layer (3rd).

2-3-1 Routed IP Tunnels (TUN Mode)

Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency

Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)

- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
- The bridge tools (brctl, from bridge-utils) and the bridge kernel module are required to create the bridge; the TAP device itself comes from the tun module.
- A script is needed to bind eth1 and tap0 together into a bridged device called br0.

2-3-2 Bridged Ethernet Mode (TAP Mode)

brctl addbr br0          create an Ethernet bridge
brctl addif br0 eth1     connect interface eth1 as a port
brctl addif br0 tap0     connect virtual interface tap0 as a port
Diagram: two OSI stacks; OpenVPN runs as an application, the TAP device appears at the Data-Link layer (2nd) where TUN appears at the Network layer (3rd). On each side tap0 and eth1 are bridged, while eth0 carries the tunnel traffic over the public network.

2-3-2 Bridged Ethernet Mode (TAP Mode)

Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to carry non-IP protocols such as IPX (NetWare) and AppleTalk
5. Relatively easy-to-configure solution for road warriors

Bridging disadvantages:
1. Less efficient than routing, and does not scale well (every broadcast crosses the tunnel)
3) OpenVPN Configuration

3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started

Lab topology:

  LAN A 10.0.1.0/24 (host IP 10.0.1.1/24, gw 10.0.1.254)
     | ixp1 10.0.1.254
  [VPN Server, CA/TLS Server]
     | ixp0 192.168.12.201
     ========= VPN Tunnel (the client connects to the server) =========
     | ixp0 192.168.12.202
  [VPN Client]
     | ixp1 10.0.2.254
  LAN B 10.0.2.0/24 (host IP 10.0.2.1/24, gw 10.0.2.254)
3-1 Getting Started

- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]
- Self diagnostic: openvpn --test-crypto --secret [KeyName]

3-1 Getting Started

- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1
- Create/start the bridge interface (TAP mode only) with the Moxa script: openvpn-bridge [start|stop|restart]
- Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tunserver.conf; [at the VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration

- The local and remote VPN (tunnel) IP addresses must be specified on both ends (ifconfig <local> <remote>, mirrored on the client).
- It is NECESSARY to specify the server address at the VPN client (remote directive).

3-2 TUN Server Configuration

- Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
- [At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (server); openvpn --config /etc/openvpn/tunclient.conf & (client)
- Callout on the screenshot: the 2nd argument of "ifconfig", the remote tunnel endpoint, is now 10.0.2.254.
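A matching tunserver.conf / tunclient.conf pair for the 3-1 lab, produced by a small script, as an added example; these are not Moxa's sample files, which are not reproduced on the slides. Assumptions: static-key mode, tunnel endpoints 10.8.0.1/10.8.0.2 chosen here (any unused pair works), the server reachable at 192.168.12.201 port 1194, AES-128-CBC because it is one of the routines the UC-7400 engine accelerates (1-8-1), and the OpenVPN route directive used in place of the tunserver.sh/tunclient.sh static-route scripts.

```sh
#!/bin/sh
# Added example, not Moxa's sample configs: static-key TUN pair for the 3-1 lab.
# Assumptions: tunnel endpoints 10.8.0.1/10.8.0.2, server at 192.168.12.201:1194,
# LAN A 10.0.1.0/24 behind the server, LAN B 10.0.2.0/24 behind the client.
# "sh this.sh write" (as root) creates the files under $OUT.

OUT=${OUT:-/etc/openvpn}
KEY="$OUT/static.key"
SERVER_IP=192.168.12.201      # VPN server's ixp0 address (3-1 diagram)
PORT=1194
LOCAL_LAN=10.0.1.0            # behind the server
REMOTE_LAN=10.0.2.0           # behind the client

# Settings both ends must share; a cipher/auth mismatch gives a tunnel that
# comes up but passes nothing.
common_conf() {
    cat <<EOF
dev tun
proto udp
secret $KEY
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

tun_server_conf() {
    cat <<EOF
# tunserver.conf (static key, point-to-point)
port $PORT
ifconfig 10.8.0.1 10.8.0.2
route $REMOTE_LAN 255.255.255.0
EOF
    common_conf
}

tun_client_conf() {
    cat <<EOF
# tunclient.conf (static key, point-to-point)
remote $SERVER_IP $PORT
ifconfig 10.8.0.2 10.8.0.1
route $LOCAL_LAN 255.255.255.0
EOF
    common_conf
}

# check_pair: the two ifconfig lines must mirror each other and cipher/auth
# must agree. Returns 0 when the pair is consistent.
check_pair() {
    s=$(tun_server_conf | awk '/^ifconfig /{print $2, $3}')
    c=$(tun_client_conf | awk '/^ifconfig /{print $3, $2}')
    [ "$s" = "$c" ] || return 1
    [ "$(tun_server_conf | grep -E '^(cipher|auth) ')" = "$(tun_client_conf | grep -E '^(cipher|auth) ')" ]
}

write_files() {
    mkdir -p "$OUT"
    tun_server_conf > "$OUT/tunserver.conf"
    tun_client_conf > "$OUT/tunclient.conf"
    if [ ! -f "$KEY" ]; then
        openvpn --genkey --secret "$KEY"    # copy to the client with scp, never over an open channel
    fi
    chmod 600 "$KEY" "$OUT/tunserver.conf" "$OUT/tunclient.conf"
}

case "${1:-}" in
    write) check_pair && write_files ;;
    *)     check_pair && echo "config pair is consistent; run '$0 write' as root to create the files" ;;
esac
```

With route in the config, OpenVPN adds the route to the remote LAN through the tunnel endpoint itself when the tunnel comes up and removes it on exit, which is what the static-route scripts of the slides do by hand; ip_forward still has to be enabled on both boxes (3-1).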
3-3 TAP Configuration

- Create the TAP configuration files: vi /etc/openvpn/tapserver.conf; [at the VPN client] vi /etc/openvpn/tapclient.conf

3-3 TAP Configuration - VPN Server

- Callout on the screenshot: comment out ("mark") this route line if both VPN networks are in the same subnet, which is the case once they are bridged, since a bridged LAN needs no route.

3-3 TAP Configuration - VPN Server

- Edit the static routes: vi /etc/openvpn/tapserver.sh; chmod +x /etc/openvpn/tapserver.sh
- [At the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
- Callout: the routes point at the bridge's entry in the kernel routing table, br0 = 10.0.1.254.

3-3 TAP Configuration - VPN Server

- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (server); openvpn --config /etc/openvpn/tapclient.conf & (client)
3-4-1 SSL/TLS - Dynamic Keys

- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
- Create a new CA root key pair and self-signed CA certificate: /usr/share/ssl/misc/CA -newca
- Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
- Sign the request with the CA: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client (the private key over a protected channel such as scp).
- Repeat -newreq and -sign to have the second client certified.
3-4-2 OpenVPN - "easy-rsa" tools

- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file (key size, country, organization, ...): vi /etc/openvpn/easy-rsa/vars
- Activate the vars in the current shell: . /etc/openvpn/easy-rsa/vars
- Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server

3-4-2 OpenVPN - "easy-rsa" tools

- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (the size comes from KEY_SIZE in vars, 1024 by default, giving dh1024.pem)
- Copy the CA certificate (ca.crt), the server key (server.key), the server certificate (server.crt) and dh1024.pem to the VPN server.
- Copy the CA certificate, the client key and the client certificate to the VPN client. The CA key (ca.key) stays on the PC that issues certificates.
- The "easy-rsa" tools also work on the UC-7400 series.
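What build-ca, build-key and build-key-server do, spelled out as plain openssl commands, together with the checks worth running before copying files to the devices. This is an added example that serves both the 1-7 certificate slides and the 3-4 procedure; it is neither easy-rsa nor Moxa's script. It assumes the openssl CLI with its default openssl.cnf; the names vpnca, server, client1 and rogueca and the subject fields are invented, and the Diffie-Hellman step is defined but not run because it is slow.

```sh
#!/bin/sh
# Added example: CA, server and client certificates with plain openssl, plus
# the checks that matter. Not easy-rsa, not Moxa's script; names are invented.

WORK=$(mktemp -d)
cd "$WORK" || exit 1
DAYS=3650
SUBJ="/C=TW/O=Moxa Training"

# build_ca NAME: self-signed root. NAME.key is the CA private key (1-7-1):
# keep it on the PC that issues certificates, never copy it to a VPN peer.
build_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
        -keyout "$1.key" -out "$1.crt" -subj "$SUBJ/CN=$1" 2>/dev/null
}

# build_key CA NAME: key and request generated locally, request signed by CA.
# Only NAME.csr (public key + identity) has to reach the CA, as in 3-4-1.
build_key() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "$SUBJ/CN=$2" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days "$DAYS" -out "$2.crt" 2>/dev/null
}

# build_key_server CA NAME: same, but marked nsCertType=server, which is what
# easy-rsa's build-key-server adds and what a client's "ns-cert-type server"
# option checks, so a stolen client certificate cannot pose as the server.
build_key_server() {
    printf 'nsCertType=server\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "$SUBJ/CN=$2" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days "$DAYS" -extfile server.ext -out "$2.crt" 2>/dev/null
}

# build_dh: Diffie-Hellman parameters for the server (slow; run once, not here)
build_dh() { openssl dhparam -out dh1024.pem 1024 2>/dev/null; }

# verify_chain CA NAME: exit 0 only if NAME.crt was signed by CA.crt
verify_chain() { openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1; }

# key_matches_cert NAME: the key and certificate copied together must belong
# to each other (compare the RSA moduli)
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1.crt")" = "$(openssl rsa -noout -modulus -in "$1.key" 2>/dev/null)" ]
}

# is_server_cert NAME: exit 0 if the nsCertType "SSL Server" flag is present
is_server_cert() { openssl x509 -noout -text -in "$1.crt" | grep -q 'SSL Server'; }

build_ca vpnca
build_key_server vpnca server
build_key vpnca client1
for n in server client1; do
    if verify_chain vpnca "$n" && key_matches_cert "$n"; then echo "$n: chain OK, key matches"; fi
done
echo "to the server: vpnca.crt server.crt server.key (plus dh1024.pem); to the client: vpnca.crt client1.crt client1.key"
```

Two things the slides' build-key server step does not cover: the server certificate carries nsCertType=server, so the clients can add ns-cert-type server to their config and refuse a peer that presents a client certificate as the server; and a certificate issued by some other CA fails verification against vpnca.crt, which is the whole reason only vpnca.crt, never vpnca.key, is copied to the peers.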
3-4-3 Configuration File Modification

- txxserver.conf
- txxclient.conf
(txx = tun or tap; the screenshots of the modified files are not reproduced here.)
Live Demo

UC-7420 Demo Box

- Two of its serial ports are connected to a power meter and a thermocouple.
- Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
- The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's performance and reliability.

Demo Box Features

Software Block Diagram (figure)

- Temperature range: 0 to 500 °C
- Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC

UC's LCM & keypad (F1-F5)

- F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
- F2 System status: LAN IP → Wi-Fi IP → CPU loading → Available memory
- F3 Alarm setting: Temperature → Voltage → Burn-in throughput
- F4 Configuration key
- F5 Main menu

Apache web with CGI & HTML: Seat Locating System, Score Query System (demo web applications)
Appendix

What is the wireless PCMCIA card support status for 802.11g?
- The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards.
- Compatible 802.11g wireless cards (supplier, model name):
  ASUS WL-107g
  CNET CWC-854 (181D version)
  Edimax EW-7108PCg
  Amigo AWP-914WG
  Gigabyte GN-WMKG
  Others which use the Ralink chipset
Thank YouThank You
2-3-2 Source: Local Host

Outgoing packets generated on the local host: routing decision → NAT table OUTPUT → filter table OUTPUT → NAT table POSTROUTING → packets sent out.

2-3-3 Forwarded Packets

Incoming packets: NAT table PREROUTING → routing decision. Packets for a local resource go up to the local process (filter table INPUT); packets for other hosts go through filter table FORWARD → NAT table POSTROUTING → out to the other hosts.

2-4 State Machine
Agenda

1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice

3) Usage of iptables

3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules

3-1 Load iptables Modules

Note: ipchains and iptables are not compatible; the ipchains module must be unloaded before iptables can be used.

3-1 Load iptables Modules

- Check the current tables: iptables [-t table] -L [-n] (-n prints addresses and ports numerically instead of resolving names)
- Default policy: shown in the heading of each chain listed by -L

3-1 Install iptables

- Clear the current policy and rules before loading a new rule set.
3-2 Define Default Policy

iptables -t filter|nat|mangle -P INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING ACCEPT|DROP

The policy is what happens to a packet that matches no rule in the chain; a deny-by-default firewall sets INPUT and FORWARD to DROP and then accepts only what it needs.

3-3 Structure of a Rule

3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets

3-3-1 Add, Insert, Delete and Replace

iptables -t filter|nat|mangle -A|-I|-D|-R <direction> <match> -j <target>

Three major things need to be considered: the direction (chain), the match and the target.

3-3-2 Direction - Chains

a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...

3-3-3 Matches - Conditions

1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --sports|--dports|--ports [p1,p2,...,p15] (up to 15 ports)
6. -i [iface], -o [oface]
7. ... etc.

3-3-4 Targets - Actions

a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (PREROUTING/OUTPUT)
c. mangle table: ...

3-4 Save/Restore Rules

iptables-save writes the whole rule set to standard output and iptables-restore loads such a file back. It is highly recommended to use a script file to maintain the netfilter rules instead of editing this exported file (it is not a standard shell script). Please refer to the hands-on practice.
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table

Example 1 - Accept all packets coming in on the lo interface
  iptables -t filter -A INPUT -i lo -j ACCEPT

Example 2 - Accept all TCP packets coming in from IP 192.168.0.1
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT

4-1 Packet Filter - Rules of the filter table

Example 3 - Accept all TCP packets coming in from the network 192.168.1.0/24
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT

Example 4 - Drop all TCP packets coming in from IP 192.168.1.25
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
  (Rules are evaluated in order and the first match wins: appended after Example 3 this rule never fires, because Example 3 accepts the packet first. Insert it before with -I, or order the script accordingly.)

4-1 Packet Filter - Rules of the filter table

Example 5 - Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0)
  iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP

Example 6 - Accept TCP packets coming in from 192.168.0.0/24 to local ports 137, 138 and 139
  iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT

4-1 Packet Filter - Rules of the filter table

Example 7 - Log the incoming TCP packets to port 25 (log the SMTP service)
  iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
  (LOG is a non-terminating target: the packet continues down the chain after being logged. An OUTPUT rule with --sport 25 would be needed to log the outgoing direction as well.)

Note: the UC-7110 does not support the target "LOG".

4-1 Packet Filter - Rules of the filter table

Example 8 - Drop all [SYN] packets from IP 192.168.100.200
  iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP

Example 9 - Drop all packets from MAC address aa:bb:cc:dd:ee:ff
  iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

Example 10 - Do not respond to "ping"
  iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP

Example 11 - Limit an ICMP "ping" burst
  iptables -t filter -P INPUT DROP
  iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT

4-1 Packet Filter - Rules of the filter table

Example 12 - Accept the ESTABLISHED and RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
  iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP

4-1 Packet Filter - Rules of the filter table

Example 13 - Check the packet integrity (the experimental "unclean" match of the 2.4 kernels)
  iptables -t filter -A INPUT -p all -m unclean -j DROP

Example 14 - Enable the "passive mode" FTP service to a host (the ftp connection tracking helper marks the data connection as RELATED)
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of the nat table

Example 1 - Redirect the connection requests for port 80 to port 8080 on the local host
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Example 2 - Masquerade the packets from 192.168.1.0/24 behind the local ppp0 IP address
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
  (MASQUERADE is only valid in the POSTROUTING chain, see 3-3-4, where the outgoing interface is known.)

4-2 NAT Machine

Example 3 - DNAT the incoming packets from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10, port 80
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
  (The FORWARD chain must also accept the translated packets to 192.168.127.10:80, and ip_forward must be enabled.)

Example 4 - Redirect the incoming packets for TCP port 80 to 192.168.1.10, TCP port 80

SNAT of the outbound traffic of the same LAN, so that replies come back to the NAT box ($OUT_IP holds the public address of eth0):
  iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
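One rule script of the kind 3-4 recommends, collecting the hands-on rules into an ordered, reproducible file. It is an added example, not a Moxa script; the interface names and addresses are assumptions (eth0 public with 60.248.66.75 from NAT example 3, eth1 LAN 192.168.127.0/24, web server 192.168.127.10), and the ssh and OpenVPN accept rules are additions a real deployment on the UC would want. Run with "dry" to print the commands, "apply" as root to load them.

```sh
#!/bin/sh
# Added example, not a Moxa script: firewall + NAT rule script for the UC.
# Assumptions: eth0 = public side (60.248.66.75), eth1 = LAN 192.168.127.0/24,
# web server 192.168.127.10. "dry" prints the commands, "apply" runs them.

IPT=iptables
PUB=eth0
LAN=eth1
PUB_IP=60.248.66.75
LAN_NET=192.168.127.0/24
WEB_SRV=192.168.127.10

flush_all() {
    $IPT -t filter -F; $IPT -t filter -X
    $IPT -t nat -F;    $IPT -t mangle -F
}

set_policy() {
    # deny by default for what the box receives and forwards (example 12)
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

filter_rules() {
    # order matters: first match wins, so the unconditional accepts come first
    $IPT -A INPUT -i lo -j ACCEPT                                             # example 1
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT              # example 12, all protocols
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT         # ssh from the LAN only (assumption)
    $IPT -A INPUT -i "$PUB" -p udp --dport 1194 -j ACCEPT                     # OpenVPN endpoint on this box (assumption)
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT   # example 11
    $IPT -A INPUT -i "$PUB" -p tcp --dport 25 -j LOG --log-prefix "smtp: "    # example 7 (no LOG on UC-7110)
    # forwarding: LAN out freely, replies back in, plus the published web server
    $IPT -A FORWARD -i "$LAN" -o "$PUB" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$PUB" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$PUB" -o "$LAN" -p tcp -d "$WEB_SRV" --dport 80 -j ACCEPT   # needed by the DNAT below
}

nat_rules() {
    # NAT example 3: publish the internal web server on the public address
    $IPT -t nat -A PREROUTING -i "$PUB" -p tcp -d "$PUB_IP" --dport 80 -j DNAT --to-destination "$WEB_SRV:80"
    # SNAT rule of the NAT slide: the LAN leaves with the public address (use MASQUERADE if it is dynamic)
    $IPT -t nat -A POSTROUTING -o "$PUB" -s "$LAN_NET" -j SNAT --to-source "$PUB_IP"
}

enable_forwarding() {
    if [ "$IPT" = echo ]; then echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

apply_all() { flush_all; set_policy; filter_rules; nat_rules; enable_forwarding; }

case "${1:-}" in
    apply) apply_all ;;
    dry)   IPT=echo; apply_all ;;
    *)     echo "usage: $0 {apply|dry}" ;;
esac
```

Rule order is what the individual examples hide: the lo and ESTABLISHED,RELATED accepts come first so nothing later can drop legitimate replies, the INVALID drop precedes every other accept, and the DNAT in nat PREROUTING only delivers packets because a FORWARD rule accepts the translated packet and ip_forward is on. Keep the script under version control and reload it with "apply" after every change instead of editing rules live.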
Thank YouThank You
OpenVPN 2.0
Stephen Lin

OpenVPN 2.0

1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

1) Cryptography Summary

1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400

1-1 What does Cryptography solve?

Confidentiality
- Ensure that nobody can get knowledge of what you transfer, even if they listen to the whole conversation.
Integrity
- Ensure that the message has not been modified during the transmission.
Authenticity
- You can verify that you are talking to the entity you think you are talking to.
- You can verify who the specific individual behind that entity is.
Non-repudiation
- The individual behind that asset cannot deny being associated with it.

1-2 Symmetric Data Encryption

- Fast, high efficiency for data transmission.
- Is it "secure" while transferring the key? The key has to reach the other side over a channel that is itself protected.
- Maintenance of the keys: n(n-1)/2 keys for n parties.
- DES, 3DES, AES, Blowfish

Diagram: Tom encrypts the Plaintext with the Secret Key into Ciphertext; Bob decrypts the Ciphertext with the same Secret Key back to the Plaintext.
1-3 Hash (Digest) Function

- Ensures data integrity against accidental change; an attacker who can alter the data can recompute the digest too, which is what the keyed MAC of 1-4 fixes.
- MD5, SHA-1

Diagram: Tom hashes Data to Message Digest 1 and sends Data together with the digest; Bob runs the same hash function over the received Data to get Message Digest 2 and compares the two.
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing table to forward the packets
[Diagram: the seven OSI layers of both peers; OpenVPN attaches through the TUN device at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
A script is needed to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0         # create an Ethernet bridge
brctl addif br0 eth1    # connect interface eth1 as a port
brctl addif br0 tap0    # connect virtual interface tap0 as a port
[Diagram: the seven OSI layers of both peers; OpenVPN attaches through the TAP device at layer 2 (Data-Link), whereas TUN sits at layer 3; on each peer eth0, eth1 and tap0 are shown, with eth1 and tap0 bridged]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys
3-1 Getting Started
[Lab topology]
LAN A: host 10.0.1.1/24, gateway 10.0.1.254   [VPN Server] ixp1 = 10.0.1.254, ixp0 = 192.168.12.201
LAN B: host 10.0.2.1/24, gateway 10.0.2.254   [VPN Client] ixp1 = 10.0.2.254, ixp0 = 192.168.12.202
The VPN client connects to the VPN server over the VPN tunnel between the ixp0 interfaces; a [CA/TLS Server] is also attached to the network.
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routing script: vi /etc/openvpn/tunserver.sh
chmod +x /etc/tunserver.sh
[At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf & ; openvpn --config /etc/tunclient.conf &
The 2nd argument of "ifconfig", which is now "10.0.2.254"
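The two static-key TUN files the slides ask for, written out for the lab topology of 3-1 as an added example (not Moxa's own files): the addresses are the lab's; the key file name static.key, the cipher and digest choice and the keepalive values are assumptions. The route directives do what the tunserver.sh/tunclient.sh static-route scripts do, so OpenVPN adds the routes itself when the tunnel comes up.

```conf
# /etc/openvpn/tunserver.conf  (VPN server, LAN A side)
dev tun
proto udp
port 1194
# local tunnel address first, remote second; the client swaps the two
ifconfig 10.0.1.254 10.0.2.254
# pre-shared key from: openvpn --genkey --secret /etc/openvpn/static.key
# (copy it to the client over a trusted channel, mode 0600 on both ends)
secret /etc/openvpn/static.key
# LAN B is reached through the tunnel; the kernel routing table forwards it
route 10.0.2.0 255.255.255.0
# pick values listed by openvpn --show-ciphers / --show-digests
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3

# /etc/openvpn/tunclient.conf  (VPN client, LAN B side)
dev tun
proto udp
port 1194
# the server address MUST be given at the client (ixp0 of the VPN server)
remote 192.168.12.201
ifconfig 10.0.2.254 10.0.1.254
secret /etc/openvpn/static.key
route 10.0.1.0 255.255.255.0
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
```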
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration: VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration: VPN Server
Edit the static routing script: vi /etc/openvpn/tunserver.sh
[At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
Points to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration: VPN Server
Start the bridge device: vi openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & ; openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS: Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified the same way
3-4-2 OpenVPN "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
Copy the CA certificate, the client key and the client certificate to the VPN client
The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
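The lines that change when a TUN or TAP configuration moves from the static key to the certificates produced by easy-rsa, as an added example (not the slides' txxserver.conf/txxclient.conf); the file paths are assumed, and the rest of each file stays as in the static-key version.

```conf
# Server: replace "secret ..." with the TLS server role and the files that
# build-ca, build-key server and build-dh left in easy-rsa/keys (paths assumed)
tls-server
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
# the private key is the one file that must stay unreadable to other users
key  /etc/openvpn/easy-rsa/keys/server.key
dh   /etc/openvpn/easy-rsa/keys/dh1024.pem

# Client: replace "secret ..." with the CA certificate plus its own pair
tls-client
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
# Reject a peer that presents a client certificate in place of the server's.
# This check only passes when the server certificate was generated with
# "build-key-server server" (sets nsCertType=server) rather than
# "build-key server" as on the slide.
ns-cert-type server
```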
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
- The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
- The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914W
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
2-3-3 Forwarded Packets
[Diagram: incoming packets → NAT table PREROUTING → either the local resource, or the filter table FORWARD chain → NAT table POSTROUTING → other hosts]
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <direction> <match> -j <target>
Three major things need to be considered: direction, match and target
3-3-2 Direction: Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches: Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets: Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to maintain the netfilter rules in a script file instead of using the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter: Rules of the filter table
Example 1: Accept all packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2: Accept all TCP packets incoming from IP 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter: Rules of the filter table
Example 3: Accept all TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4: Drop all TCP packets incoming from IP 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter: Rules of the filter table
Example 5: Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter: Rules of the filter table
Example 7: Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the target "LOG"
4-1 Packet Filter: Rules of the filter table
Example 8: Drop all [SYN] packets from IP 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9: Drop all packets from MAC aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10: Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter: Rules of the filter table
Example 12: Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter: Rules of the filter table
Example 13: Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14: Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
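A dry run of the INPUT chain built from Examples 1, 5, 6, 10 and 12 above, as an added example (not a Moxa or netfilter tool): it applies netfilter's first-match evaluation and the chain policy to constructed packets, and shows that appending Example 12's INVALID,NEW drop before Example 6's accept leaves the NetBIOS rule unreachable. Only the matches these slides use are modelled; any other option raises so that nothing is silently ignored.

```python
"""Model of first-match evaluation in the iptables filter/INPUT chain.
Added example, not netfilter code: it parses the rule lines from the
hands-on slides and evaluates constructed packets against them."""
import ipaddress

VALUE_OPTS = {"-t", "-A", "-i", "-p", "-s", "-d", "--dport", "--sport",
              "--state", "--icmp-type", "-j", "-m"}
FLAG_OPTS = {"--syn"}


def parse_rule(line):
    """Turn one 'iptables -t filter -A INPUT ...' line into an option dict."""
    toks = line.split()
    rule, i = {}, 1                       # skip the 'iptables' word itself
    while i < len(toks):
        tok = toks[i]
        if tok in VALUE_OPTS:
            rule[tok] = toks[i + 1]
            i += 2
        elif tok in FLAG_OPTS:
            rule[tok] = True
            i += 1
        else:                             # e.g. -m limit: not modelled here
            raise ValueError("unsupported option: %s" % tok)
    if rule.get("-t", "filter") != "filter" or rule.get("-A") != "INPUT":
        raise ValueError("only '-t filter -A INPUT' rules are modelled")
    return rule


def port_in_range(spec, port):
    """'21' or '137:139' as written after --dport."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def matches(rule, pkt):
    """Every option present in the rule must match (AND semantics)."""
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    if rule.get("-p", "all") != "all" and rule["-p"] != pkt["proto"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in \
            ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "--dport" in rule and not port_in_range(rule["--dport"], pkt.get("dport", -1)):
        return False
    if "--syn" in rule and not pkt.get("syn", False):
        return False
    if "--icmp-type" in rule and int(rule["--icmp-type"]) != pkt.get("icmp_type"):
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def verdict(rules, pkt, policy="DROP"):
    """The first matching rule decides; the chain policy applies otherwise."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["-j"]
    return policy


# Rules from Examples 1, 12, 6, 10 and 5, appended in that order.
ORDER_A = [parse_rule(l) for l in [
    "iptables -t filter -A INPUT -i lo -j ACCEPT",
    "iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP",
    "iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT",
    "iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP",
    "iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP",
]]
# The same rules with the NetBIOS accept moved above the INVALID,NEW drop.
ORDER_B = [ORDER_A[0], ORDER_A[1], ORDER_A[3], ORDER_A[2], ORDER_A[4], ORDER_A[5]]

# Constructed sample packets, classified the way conntrack would see them.
NETBIOS_SYN = {"iface": "eth0", "proto": "tcp", "src": "192.168.0.7",
               "dport": 139, "syn": True, "state": "NEW"}
PING = {"iface": "eth0", "proto": "icmp", "src": "10.0.1.5",
        "icmp_type": 8, "state": "NEW"}
HTTP_REPLY = {"iface": "eth0", "proto": "tcp", "src": "10.0.1.5",
              "dport": 40000, "state": "ESTABLISHED"}
SSH_SYN = {"iface": "eth0", "proto": "tcp", "src": "10.0.2.9",
           "dport": 22, "syn": True, "state": "NEW"}


def compare_orders(pkt):
    """Verdict under both orders; a difference means a rule was shadowed."""
    return verdict(ORDER_A, pkt), verdict(ORDER_B, pkt)


if __name__ == "__main__":
    for name, pkt in [("NetBIOS SYN", NETBIOS_SYN), ("ping", PING),
                      ("HTTP reply", HTTP_REPLY), ("SSH SYN", SSH_SYN)]:
        print("%-12s order A: %-6s order B: %s" % ((name,) + compare_orders(pkt)))
```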
4-2 NAT Machine: Rules of the nat table
Example 1: Redirect connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: Masquerade the packets coming from 192.168.1.0/24 so that they leave with the local ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3: DNAT the packets arriving on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4: Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
- Ensure that nobody can gain knowledge of what you transfer, even when listening to the whole conversation
Integrity
- Ensure that the message has not been modified during transmission
Authenticity
- You can verify that you are talking to the entity you think you are talking to
- You can verify who the specific individual behind that entity is
Non-repudiation
- The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast; high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties
DES, 3DES, AES, Blowfish
[Diagram: Tom encrypts the plaintext to ciphertext with the shared secret key; Bob decrypts it back to plaintext with the same key]
1-3 Hash (Digest) Function
Ensures data integrity
MD5, SHA-1
[Diagram: Tom computes message digest 1 of the data with the hash function and sends data + digest 1; Bob computes message digest 2 of the received data with the same hash function and compares it with digest 1]
1-4 Message Authentication Code
Ensures data integrity
Uses a key to protect the MAC
HMAC, CBC-MAC
[Diagram: Tom hashes the data to message digest 1 and encrypts the digest with the secret key to form the MAC, which is sent along with the data; Bob hashes the received data to message digest 2, decrypts the MAC with the secret key to recover digest 1 and compares the two]
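The keyed check of 1-4 in the shape OpenVPN's static-key packet of 2-2 uses it: an HMAC over the IV and the ciphertext, verified before anything is decrypted, then a 64-bit sequence number checked against a replay window. Added example, not OpenVPN code: the stream cipher is a constructed HMAC-SHA256 keystream standing in for OpenVPN's block cipher so that the block runs with the standard library only, and the window size of 64 is an assumption.

```python
"""Encrypt-then-MAC framing with a 64-bit sequence number:
    packet = HMAC(IV || ciphertext) | IV | E(SeqN || payload)
Added example, not OpenVPN code. The cipher below is a stand-in keystream;
OpenVPN itself uses a block cipher (Blowfish or AES in CBC) under this framing."""
import hashlib
import hmac
import os
import struct

MAC_LEN = 20      # HMAC-SHA1 tag
IV_LEN = 16
SEQ_LEN = 8       # 64-bit SeqN


def _keystream(enc_key, iv, length):
    """Constructed CTR-style keystream: HMAC-SHA256(enc_key, IV || counter) blocks."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(enc_key, mac_key, seq, payload, iv=None):
    """Build HMAC | IV | E(SeqN || payload); the HMAC covers IV and ciphertext."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    plain = struct.pack(">Q", seq) + payload
    ct = _xor(plain, _keystream(enc_key, iv, len(plain)))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha1).digest()
    return tag + iv + ct


class Receiver:
    """Checks the tag before decrypting, then rejects replayed sequence numbers
    with a sliding window (packets may arrive out of order inside the window)."""

    def __init__(self, enc_key, mac_key, window=64):
        self.enc_key, self.mac_key, self.window = enc_key, mac_key, window
        self.highest = 0
        self.seen = set()

    def open(self, pkt):
        """Return the payload, or None for a forged, corrupted or replayed packet."""
        if len(pkt) < MAC_LEN + IV_LEN + SEQ_LEN:
            return None
        tag, iv, ct = pkt[:MAC_LEN], pkt[MAC_LEN:MAC_LEN + IV_LEN], pkt[MAC_LEN + IV_LEN:]
        expected = hmac.new(self.mac_key, iv + ct, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return None               # authentication failed: never decrypt
        plain = _xor(ct, _keystream(self.enc_key, iv, len(ct)))
        seq = struct.unpack(">Q", plain[:SEQ_LEN])[0]
        if seq <= self.highest - self.window or seq in self.seen:
            return None               # older than the window, or already accepted
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return plain[SEQ_LEN:]


if __name__ == "__main__":
    ek, mk = os.urandom(16), os.urandom(20)
    rx = Receiver(ek, mk)
    pkt = seal(ek, mk, 1, b"hello over the tunnel")
    print("first delivery:", rx.open(pkt))
    print("same packet again:", rx.open(pkt))       # None: replay rejected
```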
1-5 Asymmetric Encryption
Things to remember
- Key pair: public/private keys
- In a session, one is used for encryption and the other for decryption
- The "public key" can be deployed everywhere
- The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
- The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
- Less efficient than a static key
- RSA, Diffie-Hellman
[Diagram: clear text encrypted into cipher text]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (recipient's key pair): confidentiality check]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (sender's key pair): authenticity check]
1-6 Digital Signature
Real world: a hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: uses the public key and a hash
1-6 Digital Signature: Creating
[Diagram: the message or file ("This is the document created by Gianni") is reduced with a one-way message digest function (SHA, MD5) to a short message digest, typically 128 bits; the digest is encrypted asymmetrically (RSA) with the signatory's private key, giving the digital signature; message and signature together form the signed document]
1-6 Digital Signature: Verifying
[Diagram: the receiver hashes the message of the signed document to a message digest, decrypts the digital signature asymmetrically with Gianni's public key (from the certificate), and compares the two digests]
1-6 Digital Signature
[Diagram: Tom hashes the data to message digest 1 and encrypts it with Tom's private key to produce the digital signature, sent with the data; Bob hashes the data to message digest 2, decrypts the signature with Tom's public key to recover digest 1 and compares the two]
1-7 Certificate
The simplest certificate just contains
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key
... and the whole is
- Digitally signed by someone trusted (like your friend, or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the certification server (CA) generates its own key pair; a user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Diagram: the CA holds its private key; Left and Right each trust the CA public key; Left holds its private key and its certificate signed by the CA, and Right likewise; the CA public key is itself signed by the CA]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair; the clear text is encrypted into cipher 1 and then cipher 2 for transmission over the public network, and decrypted in reverse order at the receiver with the corresponding keys]
Ensures confidentiality
- And integrity, if digitally signed
Depending on how the public keys are exchanged
- Authenticity, identity, non-repudiation
1-8 Moxa UC7400: Hardware Cipher
Intel XScale supports
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
- No need to change the source code
1-8-1 Moxa Accelerated Algorithms: OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
- We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput and rate of 3DES/CBC and AES-128/CBC for data sizes of 128 to 1280 bytes and of 16 to 144 bytes; the marked series is the hardware cipher]
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approaches
- Default: hardware approach
- Any misconfiguration or busyness causes the switch
Small packets are switched to the software approach
- DES: 128 bytes
- 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
- mxhw_cipher.o
Device file
- mknod /dev/mxcrypto c 11 131
Test program
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
A VPN is a network constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
2-3-3 Forwarded Packets
[Diagram] Incoming packets → nat table PREROUTING → routing decision: packets destined for a local resource are delivered locally; packets destined for other hosts pass through the filter table FORWARD chain → nat table POSTROUTING → other hosts.
2-4 State Machine
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save / Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
Check the current tables: iptables [-t table] [-L] [-n]
Default Policy
3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} [direction] [match] -j [target]
Three major things need to be considered: direction, match and target.
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --sports|--dports|--ports [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING / OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all packets incoming from the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all TCP packets incoming from IP = 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 – Accept all TCP packets incoming from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all TCP packets incoming from IP = 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 – Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from IP 192.168.0.24 to the local port numbers 137, 138 and 139:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT
Example 7 – Log all incoming / outgoing TCP packets to / from port 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC7110 does not support the target "LOG".
Example 8 – Drop all [SYN] packets from IP = 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all packets from MAC = aa:bb:cc:dd:ee:ff:
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping":
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – ICMP "ping" burst (rate-limit echo requests, everything else is dropped by the policy):
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 – Accept the ESTABLISHED / RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 – Check the packet integrity:
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "Passive Mode" FTP service to a host:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests of port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 as the local ppp0's IP (MASQUERADE and -o are only valid in POSTROUTING, see 3-3-4):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
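Section 3-4 recommends keeping the Netfilter rules in a script rather than in the exported file, and sections 4-1 and 4-2 show the rules one at a time. The script below is an added example, not the slides' hands-on script: it puts the filter and nat rules from both sections into one file in an order that is safe to load over a live connection (loopback and established traffic first, the DROP policies set before the accepts). The interface names, the public address 60.248.66.75, the LAN 192.168.127.0/24 and the web server 192.168.127.10 are constructed from the slide examples; setting IPT="echo iptables" prints the rules instead of loading them, which is also how rule_count checks the script without root.

```shell
#!/bin/sh
# Added example (not from the Moxa slides): a rule script that loads the
# filter and nat rules of sections 4-1 and 4-2 in a deliberate order.
# Assumptions (constructed for this example): eth0 is the public interface
# with address 60.248.66.75, the internal LAN 192.168.127.0/24 sits behind
# eth1, and the internal web server is 192.168.127.10.
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT=${IPT:-iptables}
PUB_IF=eth0
PUB_IP=60.248.66.75
LAN_IF=eth1
LAN_NET=192.168.127.0/24
WEB_SRV=192.168.127.10

flush_all() {
    # Start from a clean slate in every table, then set DROP defaults so
    # that anything the rules below do not name is refused.
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    # Order matters: the cheap, broad accepts first (example 1), then
    # connection tracking (example 12), then the specific services.
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    # Rate-limit echo requests instead of dropping them outright (example 11).
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Management (SSH) only from the internal LAN, following the example 3 pattern.
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT
    # Log SMTP attempts (example 7); they are then dropped by the INPUT policy.
    $IPT -t filter -A INPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP: "
    # Forwarded traffic: replies, LAN going out, and the published web server.
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -i "$PUB_IF" -p tcp -d "$WEB_SRV" --dport 80 -m state --state NEW -j ACCEPT
}

nat_rules() {
    # DNAT belongs in PREROUTING, SNAT in POSTROUTING (section 3-3-4).
    $IPT -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" --dport 80 -j DNAT --to "$WEB_SRV:80"
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$PUB_IF" -j SNAT --to "$PUB_IP"
}

apply_rules() {
    flush_all
    filter_rules
    nat_rules
}

# Number of -A rules a run would load; lets the script be checked in dry-run mode.
rule_count() {
    ( IPT="echo iptables"; apply_rules ) | grep -c ' -A '
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh firewall.sh apply` from a console session rather than over the network the first time: the DROP policies are set before the accept rules, so a typo in the rules leaves the box unreachable until the next reboot or a local fix.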
Thank You
OpenVPN 2.0 (Stephen Lin)
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if listening to the whole conversation.
Integrity
• Ensure that the message has not been modified during the transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify who is the specific individual behind that entity.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys
• DES / 3DES / AES / Blowfish
[Diagram] Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back into the plaintext.
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5 / SHA-1
[Diagram] Tom runs the data through the hash function to get message digest 1 and sends data + message digest 1; Bob runs the received data through the same hash function to get message digest 2 and compares it with message digest 1.
1-4 Message Authentication Code
• Ensure the data integrity
• Use a key to protect the MAC
• HMAC / CBC-MAC
[Diagram] Tom hashes the data to message digest 1, encrypts the digest with the secret key to form the MAC, and sends data + MAC; Bob hashes the received data to message digest 2, decrypts the MAC with the secret key to recover message digest 1, and compares the two.
1-5 Asymmetric Encryption
Things to remember
• Key pair: public / private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to the clear text and the cipher text
• The two keys are interchangeable: all algorithms make no difference between public and private key; when a key pair is generated, any of the two can be public or private
• Less efficient than a static key
• RSA / Diffie-Hellman
[Diagram] Clear text → encryption → cipher text (random-looking bytes).
1-5 Asymmetric Data Encryption – Confidentiality check
[Diagram] Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair).
1-5 Asymmetric Data Encryption – Authenticity check
[Diagram] Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair).
1-6 Digital Signature
Real world – hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: use the public key and a hash
1-6 Digital Signature – Creating
[Diagram] Message or file ("This is the document created by Gianni") → generate hash (SHA, MD5) → message digest (typically 128 bits) → asymmetric encryption (RSA) with the signatory's private key → digital signature. The signed document is the message plus the digital signature. A short message digest is calculated from even a long input using a one-way message digest function (hash).
1-6 Digital Signature – Verifying
[Diagram] From the signed document, the message is hashed again to a message digest; the digital signature is decrypted with Gianni's public key (from the certificate) to recover the original message digest; the two digests are compared.
1-6 Digital Signature
[Diagram] Tom: data → hash function → message digest 1 → encryption with Tom's private key → digital signature, sent together with the data. Bob: data → hash function → message digest 2; digital signature → decryption with Tom's public key → message digest 1; compare.
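Sections 1-2 to 1-6 describe the four primitives with diagrams. The script below is an added example, not part of the slides, that exercises each of them with the openssl command line that ships with the UC-7400 firmware: AES-CBC with a per-message random IV (1-2), an unkeyed SHA-1 digest (1-3), an HMAC-SHA1 keyed with a secret (1-4), and an RSA signature over a SHA-256 digest with a separate verification step (1-5 / 1-6). The work directory, the 16-byte and 32-byte hex keys, the "Tom" key pair and the sample meter reading are all constructed for the example; keys are read from files so they do not appear on the command line except for the HMAC, which openssl accepts only as an argument.

```shell
#!/bin/sh
# Added example (not from the slides): the primitives of sections 1-2 to 1-6
# exercised with openssl. Everything here is constructed for the example:
# a throwaway work directory, random keys and a sample message.
WORK=${WORK:-/tmp/crypto-summary}
MSG="$WORK/msg.txt"

setup() {
    mkdir -p "$WORK"
    printf 'meter 3: 231.4 V, 49.98 Hz\n' > "$MSG"      # constructed sample data
    openssl rand -hex 16 > "$WORK/aes.key"               # AES-128 key (1-2)
    openssl rand -hex 32 > "$WORK/mac.key"               # HMAC key (1-4)
    # RSA key pair for the signer "Tom" (1-5 / 1-6); Bob only gets tom.pub
    openssl genrsa -out "$WORK/tom.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/tom.key" -pubout -out "$WORK/tom.pub" 2>/dev/null
}

encrypt() {   # 1-2: symmetric AES-128-CBC; a fresh IV is stored beside the ciphertext
    openssl rand -hex 16 > "$WORK/iv"
    openssl enc -aes-128-cbc -K "$(cat "$WORK/aes.key")" -iv "$(cat "$WORK/iv")" \
        -in "$MSG" -out "$WORK/msg.enc"
}

decrypt() {   # Bob needs the same key and the IV; prints the recovered plaintext
    openssl enc -d -aes-128-cbc -K "$(cat "$WORK/aes.key")" -iv "$(cat "$WORK/iv")" \
        -in "$WORK/msg.enc"
}

digest() {    # 1-3: unkeyed SHA-1 digest of $1; anyone can recompute it
    openssl dgst -sha1 "$1" | sed 's/.*= //'
}

mac() {       # 1-4: HMAC-SHA1 of $1 under mac.key; only key holders can recompute it
    openssl dgst -sha1 -mac HMAC -macopt "hexkey:$(cat "$WORK/mac.key")" "$1" | sed 's/.*= //'
}

sign() {      # 1-6 creating: hash the message, then sign the digest with Tom's private key
    openssl dgst -sha256 -sign "$WORK/tom.key" -out "$WORK/msg.sig" "$MSG"
}

verify() {    # 1-6 verifying: recompute the digest of $1 and check it against the
              # signature with Tom's public key; exit status 0 means "Verified OK"
    openssl dgst -sha256 -verify "$WORK/tom.pub" -signature "$WORK/msg.sig" "$1" >/dev/null 2>&1
}

demo() {
    setup
    encrypt
    sign
    # Tamper with one digit of the reading: the plain digest changes, but so
    # could the attacker's copy of it; the MAC and the signature cannot be
    # recomputed without the key, so the change is detected.
    sed 's/231.4/131.4/' "$MSG" > "$WORK/tampered.txt"
    echo "decrypted : $(decrypt)"
    echo "sha1      : $(digest "$MSG")"
    echo "sha1 tamp : $(digest "$WORK/tampered.txt")"
    echo "hmac      : $(mac "$MSG")"
    if verify "$MSG"; then echo "signature : ok on original"; fi
    if verify "$WORK/tampered.txt"; then :; else echo "signature : rejected on tampered copy"; fi
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The point the diagrams of 1-3 and 1-4 make is visible in the two comparisons: a recomputed digest of the tampered file is simply a different valid digest, while the HMAC and the signature fail because the verifier's key is not available to whoever changed the data.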
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram] Certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything …
1-7-1 CA Certificate
[Diagram] The CA (certification server) generates a key pair (priv, pub). The user requests a certificate from the CA; the CA generates the certificate (pub + DS); the private key and the certificate are sent to the user.
1-7-1 CA Certificate Example
[Diagram] Left and Right both trust the CA public key. Left holds its own private key and a certificate signed by the CA; Right holds its own private key and a certificate signed by the CA; the CA public key is itself signed by the CA.
1-7-2 SSL/TLS
[Diagram] Each side holds a key pair (priv, pub). Clear text → encrypt (cipher 1) → encrypt (cipher 2) → transmission over the public network → decrypt (cipher 2) → decrypt (cipher 1) → clear text; the pub / priv labels mark which key each step uses.
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts] Throughput of 3DES-CBC and AES-128-CBC versus packet size. Two panels cover 128 to 1280 bytes (rate axis 0 to 80, second axis 0 to 8) and two panels cover 16 to 144 bytes (rate axis 0 to 8, second axis 0 to 2.5); series: 3DES-CBC, AES-128-CBC, RATE. The marked curve is the hardware cipher.
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration or busy condition causes the switch
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES / AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT / DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client / server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000 / 1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Diagram] HMAC | IV | [SeqN | IP payload]; the bracketed part is encrypted, and the HMAC covers the IV and the encrypted part.
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram] Two OSI stacks (physical, data-link, network, transport, session, presentation, application); OpenVPN runs at the application layer and the TUN device attaches at layer 3 (network).
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 (create an Ethernet bridge)
brctl addif br0 eth1 (connect interface eth1 as a port)
brctl addif br0 tap0 (connect virtual interface tap0 as a port; addif needs the bridge name as well as the port)
[Diagram] Two OSI stacks with OpenVPN at the application layer; TAP attaches at layer 2 (data-link), and bridging joins eth1 and tap0 on each side into br0 while eth0 stays outside the bridge.
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
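The slides say a script is needed to bind eth1 and tap0 into br0 and later refer to Moxa's openvpn-bridge [start | stop | restart]. The script below is an added example written for this page, not Moxa's openvpn-bridge, showing the complete sequence around the three brctl commands above: creating the tap device first, moving the LAN address from eth1 to br0 (bridge ports carry no address of their own, which is why the slide later says "br0 = 10.0.1.254"), and undoing it all on stop so the box stays reachable without the VPN. eth1, tap0 and the address 10.0.1.254/24 are taken from the lab diagram; RUN=echo prints the commands instead of executing them, which is what bridge_plan uses.

```shell
#!/bin/sh
# Added example (not Moxa's openvpn-bridge script): start / stop a bridge that
# joins the LAN interface and the OpenVPN tap device, as section 2-3-2 describes.
# Assumptions (constructed): the LAN interface is eth1, the bridge takes over the
# LAN gateway address 10.0.1.254/24 from the lab diagram, and tap0 is created
# with "openvpn --mktun". Set RUN=echo to print the commands instead of running them.
RUN=${RUN:-}
BR=br0
ETH=eth1
TAP=tap0
BR_IP=10.0.1.254
BR_MASK=255.255.255.0

bridge_start() {
    # The tap device must exist before it can be enslaved to the bridge.
    $RUN openvpn --mktun --dev "$TAP"
    $RUN brctl addbr "$BR"
    $RUN brctl addif "$BR" "$ETH"
    $RUN brctl addif "$BR" "$TAP"
    # Bridge ports carry no IP address of their own: clear eth1, bring both
    # ports up in promiscuous mode, and give the LAN address to br0 so that
    # the kernel routes LAN A through the bridge.
    $RUN ifconfig "$ETH" 0.0.0.0 promisc up
    $RUN ifconfig "$TAP" 0.0.0.0 promisc up
    $RUN ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" up
}

bridge_stop() {
    $RUN ifconfig "$BR" down
    $RUN brctl delbr "$BR"
    $RUN openvpn --rmtun --dev "$TAP"
    # Give eth1 its address back so the box stays reachable without the VPN.
    $RUN ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" up
}

# Dry-run helper: the exact command list "start" would execute.
bridge_plan() {
    ( RUN=echo; bridge_start )
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    *)       ;;
esac
```

Start the bridge before OpenVPN so that tap0 is already a port of br0 when the daemon opens it; the TAP configuration of section 3-3 then addresses br0, not eth1.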
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Diagram] LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201. LAN B (IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN Client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The VPN tunnel connects the two ixp0 addresses; a CA / TLS Server is also shown.
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
• Create / start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the cipher / authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• The local / remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf &; openvpn --config /etc/tunclient.conf &
• 2nd argument of "ifconfig", which is now "10.0.2.254"
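The TUN configuration files of section 3-2 were shown as screenshots; the two rules that survive in the text are that the local / remote VPN addresses must be given (the ifconfig directive) and that the client must name the server (the remote directive). The script below is an added example and not the slides' own tunserver.conf / tunclient.conf: it writes a static-key pair of files for the lab topology of section 3-1 and checks them for the mistakes that most often stop a tunnel from coming up. The tunnel endpoint addresses 10.8.0.1 / 10.8.0.2 and the key path /etc/openvpn/static.key are assumptions for the example; the server is reached at the ixp0 address 192.168.12.201 from the diagram.

```shell
#!/bin/sh
# Added example (not the slides' own configuration files): a static-key TUN
# configuration pair for the section 3-1 lab topology, plus a checker.
# Assumptions (constructed): tunnel endpoints 10.8.0.1 (server) and 10.8.0.2
# (client); the server's public address is 192.168.12.201; the pre-shared key
# was created with "openvpn --genkey --secret /etc/openvpn/static.key".
OUT_DIR=${OUT_DIR:-/tmp/openvpn-example}

write_tun_configs() {
    mkdir -p "$OUT_DIR"
    # VPN server: listens on UDP 1194; "ifconfig local remote" gives the tunnel
    # endpoints; "route" sends LAN B (10.0.2.0/24) through the tunnel.
    cat > "$OUT_DIR/tunserver.conf" <<'EOF'
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
route 10.0.2.0 255.255.255.0
secret /etc/openvpn/static.key
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
    # VPN client: must name the server ("remote") and mirror the ifconfig pair.
    cat > "$OUT_DIR/tunclient.conf" <<'EOF'
dev tun
proto udp
port 1194
remote 192.168.12.201
ifconfig 10.8.0.2 10.8.0.1
route 10.0.1.0 255.255.255.0
secret /etc/openvpn/static.key
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Print the value of directive $2 in config file $1 (first occurrence only).
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Returns 0 when the pair is consistent: both declare ifconfig, the client
# declares remote, both use the same secret, and local / remote are mirrored.
check_tun_pair() {
    s="$OUT_DIR/tunserver.conf"
    c="$OUT_DIR/tunclient.conf"
    s_if=$(conf_get "$s" ifconfig)
    c_if=$(conf_get "$c" ifconfig)
    [ -n "$s_if" ] && [ -n "$c_if" ] || return 1
    [ -n "$(conf_get "$c" remote)" ] || return 1
    [ "$(conf_get "$s" secret)" = "$(conf_get "$c" secret)" ] || return 1
    s_local=${s_if%% *}; s_remote=${s_if#* }
    c_local=${c_if%% *}; c_remote=${c_if#* }
    [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ] || return 1
    return 0
}
```

The slide's note about the 2nd argument of ifconfig is exactly what check_tun_pair enforces: the server's remote address must be the client's local address and vice versa, otherwise the tunnel comes up but no packet is routed into it. The route directives replace the tunserver.sh / tunclient.sh static-route scripts of the slides, and they only take effect on the boxes once IP forwarding is enabled as in section 3-1.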
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routings: vi /etc/openvpn/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &; openvpn --config /etc/openvpn/tapclient &
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits, … etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified
3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf (txx = tun or tap)
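Sections 1-7, 3-4-1 and 3-4-2 describe the same PKI three ways: conceptually, with the OpenSSL CA script, and with easy-rsa. The script below is an added example, not the slides' CA or easy-rsa scripts, that performs the steps with bare openssl commands so that every artifact the slides tell you to copy (ca.crt, server.key / server.crt, client.key / client.crt, the DH parameters) is produced by a visible command, and then verifies the result the way OpenVPN will: a certificate is only accepted when it chains to the ca.crt that was copied to the peer. The work directory, the subject names and the second "rogue" CA are constructed for the example.

```shell
#!/bin/sh
# Added example (not the slides' CA / easy-rsa scripts): the PKI of sections
# 1-7, 3-4-1 and 3-4-2 with bare openssl commands. Constructed for the example:
# a throwaway directory, dummy subject names and a second CA that the lab
# does not trust.
PKI=${PKI:-/tmp/openvpn-pki}

new_ca() {   # $1 = directory, $2 = CA name: self-signed root key pair (1-7-1, build-ca)
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue() {    # $1 = CA directory, $2 = name: key + request, then the CA signs it (build-key)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

build_dh() { # build-dh 1024: slow, so it is kept separate from the rest
    openssl dhparam -out "$PKI/dh1024.pem" 1024 2>/dev/null
}

verify_cert() {   # $1 = trusted CA certificate, $2 = certificate to check; 0 = chain OK
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_cn() {       # Common Name of certificate $1, as the peer will see it in the logs
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

build_lab_pki() {
    new_ca "$PKI" "Lab CA"
    issue "$PKI" server
    issue "$PKI" client
    # A second CA that nobody in the lab trusts, issuing an identically named
    # client certificate: it must fail verification against the lab ca.crt.
    new_ca "$PKI/rogue" "Rogue CA"
    issue "$PKI/rogue" client
}

if [ "${1:-}" = "build" ]; then
    build_lab_pki
    build_dh
    verify_cert "$PKI/ca.crt" "$PKI/server.crt" && echo "server.crt: chains to Lab CA"
    verify_cert "$PKI/ca.crt" "$PKI/client.crt" && echo "client.crt: chains to Lab CA"
    if verify_cert "$PKI/ca.crt" "$PKI/rogue/client.crt"; then :; else
        echo "rogue/client.crt: rejected, not signed by Lab CA"
    fi
fi
```

What gets copied where follows from which file plays which role: ca.crt goes to both peers because it is the only thing they verify against; each peer keeps its own .key and never sends it; ca.key stays on the CA machine, since anyone holding it can issue a client certificate that the VPN server will accept.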
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1: Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2: System status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3: Alarm setting: Temperature → Voltage → Burning throughput
F4: Configuration key
F5: Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
2-4 State Machine2-4 State Machine
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice
3) Usage of iptables3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save Restore Rules
3-1 Load iptables Modules3-1 Load iptables Modules
Note ipchains and iptables are not compatible
3-1 Load iptables Module3-1 Load iptables Module
Check the Current Tablesiptables [-t tables] [-L] [-n]
Default Policy
3-1 Install iptables3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy3-2 Define Default Policy
iptables ndasht filter nat mangle
ndashP INPUT OUTPUT FORWARD PREROUTING POSTROUTING
ACCEPT DROP
3-2 Define Default Policy3-2 Define Default Policy
3-3 Structure of a Rule3-3 Structure of a Rule
3-3-1 Add Insert Delete an Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add Insert Delete and Replace3-3-1 Add Insert Delete and Replace
iptables ndasht filter nat mangle
AI DR
ndash direction match target
3 major things needed
to be considered
ndashj
3-3-2 Direction ndash Chains3-3-2 Direction ndash Chains
a filter Table INPUT
OUTPUT
FORWARD
b nat Table PREROUTING
POSTROUTING
OUTPUT
c mangle table hellip
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Accept all the packets incoming from lo interface
Example 2 ndash Accept all the TCP packets incoming from
IP = 19216801
iptables ndasht filter ndashA INPUT ndashi lo ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 19216801 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 3 ndash Accept all the TCP packets incoming from the network
1921681024
Example 4 ndash Drop all the TCP packets incoming from IP = 192168125
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 1921681024 -j ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 192168125 ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 5 ndash Drop all the Incoming TCP packets with dst Port = 21
(forbid FTP Connection from eth0)
Example 6 ndash Accept TCP packets incoming from IP 192168024 to
local port number 137138 and 139
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndash ndashdport 21 ndashj DROP
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp ndashs
192168024 ndash ndashdport 137139 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5/SHA-1
[Diagram: Tom hashes the data and sends the data together with message digest 1; Bob hashes the received data with the same hash function to obtain message digest 2 and compares it with message digest 1]
1-4 Message Authentication Code
• Ensures data integrity
• Uses a key to protect the MAC
• HMAC/CBC-MAC
[Diagram: Tom hashes the data to message digest 1 and encrypts it with the secret key to form the MAC, then sends MAC + data; Bob hashes the received data to message digest 2, decrypts the MAC with the secret key to recover message digest 1, and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session, one key is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear-text and cipher-text
• The two keys are interchangeable. The algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA/Diffie-Hellman
[Diagram: clear text encrypted into cipher text]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair: confidentiality check]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair: authenticity check]
1-6 Digital Signature
Real world – a hybrid
1 Data integrity
2 Authenticity
3 Non-repudiation
4 Algorithm – uses the public key and a hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") is run through a one-way message digest function (hash: SHA, MD5) to calculate a short message digest (typically 128 bits) from even a long input. The digest is encrypted asymmetrically (RSA) with the signatory's private key to form the digital signature, which is attached to the document to give the signed document]
1-6 Digital Signature - Verifying
[Diagram: the signed document is split into the data and the digital signature. The data is hashed again to generate a message digest; the signature is decrypted asymmetrically with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared]
1-6 Digital Signature
[Diagram: Tom hashes the data to message digest 1 and encrypts it with Tom's private key, producing the digital signature that is sent with the data; Bob hashes the received data to message digest 2, decrypts the signature with Tom's public key to recover message digest 1, and compares the two]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair. The user requests a certificate from the CA; the CA generates the certificate (public key + digital signature), and the private key and certificate are sent to the user. Result: Left Cert signed by CA, Right Cert signed by CA, CA Pub Key signed by CA]
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key. Left holds its own private key, Left Cert signed by CA, and the CA Pub Key; Right holds its own private key, Right Cert signed by CA, and the CA Pub Key. Both trust the CA public key, so each can verify the other's certificate]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair (priv/pub) and the other side's public key. Clear text is encrypted (Cipher 1), encrypted again (Cipher 2) and transmitted over the public network; the receiver decrypts Cipher 2, then Cipher 1, back to clear text]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput and rate versus packet size for 3DES-CBC and AES-128-CBC, software versus hardware cipher; packet sizes 128 to 1280 bytes on the left-hand charts and 16 to 144 bytes on the right-hand charts; the series marked "= HW Cipher" is the hardware-accelerated one]
1-8-3 Things to be noticed
• Moxa UC-7400 switches operation between the software and the hardware approach
• Default: hardware approach
• Any mis-configuration or busy state causes the switch
• Small packets are switched to the software approach: DES 128 bytes, 3DES/AES 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Makes use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Diagram: packet layout HMAC | IV | SeqN | IP payload; SeqN and the IP payload are encrypted, and the HMAC is computed over the fields that follow it]
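The packet layout above, worked through in Python as an added example (not OpenVPN's code): the HMAC-SHA1 tag and the 64-bit SeqN follow the slide, the cipher is a stand-in keystream derived from HMAC-SHA256 rather than OpenVPN's CBC block cipher, and the keys and traffic are constructed. It also shows the keyed MAC of 1-4 doing its job: the receiver checks the HMAC before decrypting anything and rejects replayed sequence numbers.

```python
"""Static-key style OpenVPN packet framing from 2-2 OpenVPN Security:

    HMAC | IV | Encrypt( SeqN | IP payload )

Added example, not OpenVPN's code. The HMAC (SHA-1, OpenVPN 2.0's default
'auth') and the 64-bit sequence number follow the slide; the cipher is a
stand-in counter-mode keystream built from HMAC-SHA256, standing in for the
block cipher (Blowfish/AES in CBC) that OpenVPN really uses."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 20   # HMAC-SHA1 output
IV_LEN = 16
SEQ_LEN = 8    # 64-bit sequence number


def _keystream(key, iv, length):
    """Stand-in cipher: keystream blocks HMAC-SHA256(key, IV || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Peer:
    """One end of a static-key tunnel; both ends share cipher_key and hmac_key."""

    def __init__(self, cipher_key, hmac_key):
        self.cipher_key = cipher_key
        self.hmac_key = hmac_key
        self.send_seq = 0        # SeqN of the last packet sent
        self.highest_seen = 0    # replay protection: reject SeqN <= this

    def seal(self, payload, iv=None):
        """Build HMAC | IV | E(SeqN | payload) for one outgoing IP packet."""
        self.send_seq += 1
        if iv is None:
            iv = os.urandom(IV_LEN)          # randomized per packet
        plain = struct.pack(">Q", self.send_seq) + payload
        body = iv + _xor(plain, _keystream(self.cipher_key, iv, len(plain)))
        tag = hmac.new(self.hmac_key, body, hashlib.sha1).digest()  # encrypt-then-MAC
        return tag + body

    def open(self, packet):
        """Return the payload, or raise ValueError for a bad MAC or a replay."""
        if len(packet) < TAG_LEN + IV_LEN + SEQ_LEN:
            raise ValueError("short packet")
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.hmac_key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):    # verify before decrypting
            raise ValueError("HMAC mismatch")
        iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
        plain = _xor(ciphertext, _keystream(self.cipher_key, iv, len(ciphertext)))
        seq = struct.unpack(">Q", plain[:SEQ_LEN])[0]
        if seq <= self.highest_seen:
            raise ValueError("replayed packet, SeqN=%d" % seq)
        self.highest_seen = seq
        return plain[SEQ_LEN:]


def deliver(peer, packet):
    """Feed a packet to the receiving peer: ("ok", payload) or ("rejected", why)."""
    try:
        return ("ok", peer.open(packet))
    except ValueError as err:
        return ("rejected", str(err))


def demo():
    """Constructed keys and traffic: a good packet, its replay, a tampered copy."""
    cipher_key, hmac_key = bytes(range(32)), bytes(range(32, 64))
    server, client = Peer(cipher_key, hmac_key), Peer(cipher_key, hmac_key)
    good = client.seal(b"ping")
    results = [deliver(server, good), deliver(server, good)]   # second one is a replay
    second = client.seal(b"pong")
    tampered = second[:-1] + bytes([second[-1] ^ 0x01])       # flip one payload bit
    results += [deliver(server, tampered), deliver(server, second)]
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```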
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN sits at the Application layer and the TUN device at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see the machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0         # create an Ethernet bridge
brctl addif br0 eth1    # connect interface eth1 as a port
brctl addif br0 tap0    # connect virtual interface tap0 as a port
[Diagram: two OSI stacks; OpenVPN sits at the Application layer, TAP at layer 2 (Data-Link) next to TUN at layer 3 (Network). On each host eth1 and tap0 are bridged, while eth0 carries the tunnel traffic]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point to point, point to multi-point
2 Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Diagram: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) is connected to the [VPN Server] (also the CA/TLS server) on ixp1 10.0.1.254; its ixp0 192.168.12.201 connects through the VPN tunnel to the [VPN-Client] ixp0 192.168.12.202, whose ixp1 10.0.2.254 serves LAN B (IP 10.0.2.1/24, gw 10.0.2.254)]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the supported ciphers/authentication: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tun.server.conf
  [At VPN Client] vi /etc/openvpn/tun.client.conf
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routing: vi /etc/openvpn/tun.server.sh; chmod +x /etc/openvpn/tun.server.sh
  [At VPN Client] vi /etc/openvpn/tun.client.sh; chmod +x /etc/openvpn/tun.client.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun.server.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tun.client.conf &
• Note the 2nd argument of "ifconfig", which is now "10.0.2.254"
3-3 TAP Configuration – VPN Server
• Create the TAP configuration files: vi /etc/openvpn/tap.server.conf
  [At VPN Client] vi /etc/openvpn/tap.client.conf
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routing: vi /etc/openvpn/tap.server.sh
  [At VPN Client] vi /etc/openvpn/tap.client.sh; chmod +x /etc/openvpn/tap.client.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap.server.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tap.client.conf &
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input default_days, default_bits, … etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified in the same way
3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars (the scripts take their key directory from the current directory): cd /etc/openvpn/easy-rsa; . ./vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
• txx.server.conf
• txx.client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range 0 to 300 VDC, right side for the low range 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burning throughput
F4 Configuration key
F5 Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chip set
Thank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plaintext initial vector, randomized per packet
[Packet layout: HMAC | IV | SeqN | IP payload. The SeqN and the IP payload are encrypted; the HMAC is computed over the IV and the encrypted part]
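The packet protection just described, as an added example that is not part of the slides or of OpenVPN itself: a small encrypt-then-MAC scheme built from the openssl command line, with the same field order (HMAC, IV, then the encrypted sequence number and payload) and a receive side that checks the HMAC first, rejects replayed sequence numbers, and only then decrypts. It also makes the symmetric-cipher and MAC summary of sections 1-2 and 1-4 concrete. The AES key, the HMAC key, the file layout (a .body and a .mac file per packet) and the 16-character hex SeqN field are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the slides: encrypt-then-MAC packet protection in the
# style of the OpenVPN static-key data channel (HMAC | IV | encrypted SeqN+payload),
# driven with the openssl command line.
# The AES key, the HMAC key and the file layout are constructed for this demo.
set -eu

ENC_KEY_HEX=000102030405060708090a0b0c0d0e0f          # constructed AES-128 key
MAC_KEY="demo-hmac-key-not-for-production"            # constructed HMAC-SHA1 key
LAST_SEQ=0000000000000000                             # highest SeqN accepted so far

# protect SEQN PAYLOAD_FILE OUT_PREFIX
# Produces OUT_PREFIX.body = IV (32 hex chars) || AES-128-CBC(SeqN || payload)
# and OUT_PREFIX.mac = hex HMAC-SHA1 over the whole body, so the IV and the
# ciphertext are both authenticated. SeqN travels as a 16-char hex field (64 bits).
protect() {
    seqn=$1; payload=$2; out=$3
    iv=$(openssl rand -hex 16)                       # fresh random IV per packet
    { printf '%016x' "$seqn"; cat "$payload"; } |
        openssl enc -aes-128-cbc -K "$ENC_KEY_HEX" -iv "$iv" -out "$out.ct"
    { printf '%s' "$iv"; cat "$out.ct"; } > "$out.body"
    rm -f "$out.ct"
    openssl dgst -sha1 -hmac "$MAC_KEY" "$out.body" | awk '{print $NF}' > "$out.mac"
}

# unprotect IN_PREFIX OUT_FILE
# Verifies the HMAC before touching the ciphertext, rejects replayed or
# reordered sequence numbers, then decrypts. Writes the payload to OUT_FILE and
# the SeqN field to OUT_FILE.seq; returns 1 (writing nothing) when the packet
# must be dropped.
unprotect() {
    in=$1; out=$2
    expect=$(cat "$in.mac")
    actual=$(openssl dgst -sha1 -hmac "$MAC_KEY" "$in.body" | awk '{print $NF}')
    if [ "$expect" != "$actual" ]; then
        echo "HMAC mismatch: packet dropped" >&2
        return 1
    fi
    iv=$(dd if="$in.body" bs=32 count=1 2>/dev/null)
    dd if="$in.body" bs=32 skip=1 2>/dev/null |
        openssl enc -d -aes-128-cbc -K "$ENC_KEY_HEX" -iv "$iv" -out "$out.pt"
    seq=$(dd if="$out.pt" bs=16 count=1 2>/dev/null)
    if [ "$seq" \> "$LAST_SEQ" ]; then              # strictly increasing, same-length hex
        LAST_SEQ=$seq
    else
        rm -f "$out.pt"
        echo "replayed SeqN $seq: packet dropped" >&2
        return 1
    fi
    dd if="$out.pt" bs=16 skip=1 of="$out" 2>/dev/null
    rm -f "$out.pt"
    echo "$seq" > "$out.seq"
}
```

The order of checks on the receive side is the point: the HMAC is verified over everything that arrived before any decryption runs, so a modified or forged packet is discarded without feeding attacker-controlled ciphertext to the cipher, and the sequence number is checked before the payload is released, which is what the 64-bit SeqN in the slide is for.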
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Figure: two OSI stacks (Physical to Application) side by side; OpenVPN runs at the application layer and the TUN device injects packets at layer 3]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
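A complete start/stop script around that brctl sequence, as an added example (this is not the Moxa openvpn-bridge script from the slides, whose contents are not shown). The interface names and addresses are assumptions matching the LAN A side of the lab (eth1 and br0 on 10.0.1.254/24); the TAP device is created persistently with openvpn --mktun so the bridge can exist before the daemon starts, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the Moxa openvpn-bridge script: bridge start/stop for TAP
# mode built from the brctl sequence in the slides. Names and addresses below are
# assumptions for the LAN A side of the lab; override them in the environment.
BR=${BR:-br0}
TAP=${TAP:-tap0}
ETH=${ETH:-eth1}
BR_IP=${BR_IP:-10.0.1.254}
BR_MASK=${BR_MASK:-255.255.255.0}
BR_BCAST=${BR_BCAST:-10.0.1.255}

# run CMD... : execute, or just print when DRY_RUN is set (for review and testing)
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

bridge_start() {
    run openvpn --mktun --dev "$TAP"        # persistent TAP device, owned by root
    run brctl addbr "$BR"
    run brctl addif "$BR" "$ETH"
    run brctl addif "$BR" "$TAP"
    run ifconfig "$TAP" 0.0.0.0 promisc up  # bridge ports carry no address of their own
    run ifconfig "$ETH" 0.0.0.0 promisc up
    run ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST" up
}

bridge_stop() {
    run ifconfig "$BR" down
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    # give the physical interface its address back once the bridge is gone
    run ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST" up
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    *)       ;;
esac
```

Run it as root before starting OpenVPN with a configuration that names the same device (dev tap0). Because the bridge joins the two sites into one broadcast domain, every broadcast from the remote site now reaches LAN A, so any filtering that used to apply to eth1 has to be re-applied to br0.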
[Figure: two OSI stacks side by side with bridging at layer 2; OpenVPN at the application layer, TAP at the data-link layer, eth1 and tap0 joined into br0 on each side, eth0 carrying the tunnel traffic]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology]
LAN A (10.0.1.0/24): host IP 10.0.1.1/24, gw 10.0.1.254
  [VPN Server]  ixp1 = 10.0.1.254, ixp0 = 192.168.12.201
        |
   VPN tunnel (the client connects to the server)
        |
  [VPN-Client]  ixp0 = 192.168.12.202, ixp1 = 10.0.2.254
LAN B (10.0.2.0/24): host IP 10.0.2.1/24, gw 10.0.2.254
[CA/TLS Server]: separate host used to issue the certificates
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf & ; openvpn --config /etc/tunclient.conf &
Note the 2nd argument of "ifconfig" at the client, which is now "10.0.2.254"
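The two configuration files the slides show as screenshots, written out as an added example (these are not the slides' own files): a static-key TUN pair for the 3-1 topology, where the server at 192.168.12.201 reaches LAN B and the client reaches LAN A through the tunnel. The tunnel endpoint addresses 10.8.0.1/10.8.0.2, the key file name static.key, the unprivileged user and group, and the file names are assumptions; the helper checks the one thing that is easy to get wrong, that the two ifconfig lines mirror each other.

```shell
#!/bin/sh
# Added example, not the slides' own configuration files: a static-key TUN
# server/client pair for the 3-1 lab topology. Endpoint addresses, key file name
# and the nobody user/group are assumptions; adjust them for the target system.

# write_tun_configs DIR : write tunserver.conf and tunclient.conf under DIR
write_tun_configs() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/tunserver.conf" <<'EOF'
dev tun
port 1194
proto udp
# local tunnel address first, peer second (the client reverses the two)
ifconfig 10.8.0.1 10.8.0.2
# pre-shared key from: openvpn --genkey --secret static.key
# copy it to the peer out-of-band and keep it mode 600
secret /etc/openvpn/static.key
# pin the data-channel algorithms instead of relying on defaults
cipher AES-128-CBC
auth SHA1
# LAN B is behind the peer
route 10.0.2.0 255.255.255.0
ping 10
ping-restart 60
# keep key and device across restarts so privileges can be dropped below
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
    cat > "$dir/tunclient.conf" <<'EOF'
dev tun
proto udp
# the client must name the server; the server needs no remote line
remote 192.168.12.201 1194
# 2nd argument is the peer: swapped relative to the server
ifconfig 10.8.0.2 10.8.0.1
secret /etc/openvpn/static.key
cipher AES-128-CBC
auth SHA1
# LAN A is behind the server
route 10.0.1.0 255.255.255.0
ping 10
ping-restart 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# tun_endpoints_match DIR : true when server local/peer equals client peer/local
tun_endpoints_match() {
    dir=$1
    s=$(awk '/^ifconfig/ {print $2, $3}' "$dir/tunserver.conf")
    c=$(awk '/^ifconfig/ {print $3, $2}' "$dir/tunclient.conf")
    [ -n "$s" ] && [ "$s" = "$c" ]
}
```

Start each side with openvpn --config as in the slides. With persist-key and persist-tun set, the daemon reads the key and opens the device while still root and then runs as nobody, so a compromise of the running process does not expose the key file or the rest of the system with root rights.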
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routings: vi /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & ; openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits, ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
Copy the CA certificate, the client key and the client certificate to the VPN client
The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
[Screenshots of the modified server and client configuration files (txxserverconf / txxclienconf)]
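The same PKI as in 3-4-1 and 3-4-2, built with plain openssl commands instead of the CA script or easy-rsa, as an added example that is not part of the slides: the CA key pair and self-signed CA certificate (build-ca), one private key and certificate request per peer signed by the CA (build-key), and the chain check each OpenVPN end performs on the peer certificate during the TLS handshake, which is the certificate mechanism summarised in sections 1-6 and 1-7. The names, the one-year validity and the directory layout are assumptions; the Diffie-Hellman parameters of build-dh are generated separately with openssl dhparam -out dh1024.pem 1024 because that step is slow.

```shell
#!/bin/sh
# Added example, not the slides' CA.sh or easy-rsa procedure: the same PKI with
# plain openssl commands so every step is visible. Names and the 365-day
# validity are assumptions.
set -eu

# build_pki DIR : create ca.crt, server.crt/.key and client.crt/.key under DIR
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA root key pair plus self-signed CA certificate (build-ca)
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=MTSC Lab CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"          # the CA key never leaves this machine
    # one private key and certificate request per peer, signed by the CA (build-key)
    for peer in server client; do
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$peer" -keyout "$dir/$peer.key" -out "$dir/$peer.csr" 2>/dev/null
        chmod 600 "$dir/$peer.key"
        openssl x509 -req -in "$dir/$peer.csr" -days 365 \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$peer.crt" 2>/dev/null
        rm -f "$dir/$peer.csr"       # the request is not needed once signed
    done
}

# verify_peer DIR CERT : does CERT chain to DIR/ca.crt? This is the check each
# OpenVPN end applies to the peer certificate in SSL/TLS mode.
verify_peer() {
    openssl verify -CAfile "$1/ca.crt" "$2" 2>&1 | grep -q ': OK$'
}
```

What to copy where follows the slide: ca.crt plus server.crt/server.key to the VPN server, ca.crt plus client.crt/client.key to the VPN client, and nothing else; in particular ca.key stays on the CA host, because whoever holds it can issue certificates that both ends will accept.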
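The server and client files that the 3-4-3 screenshots modify, as an added example rather than the slides' own files: an SSL/TLS TUN pair using the certificates from the 3-4-2 procedure (ca.crt, server.crt/key, client.crt/key, dh1024.pem in /etc/openvpn). The 10.8.0.0/24 client pool, the tls-auth key file ta.key (generated with openvpn --genkey --secret ta.key and copied to both ends like a static key) and the unprivileged user and group are assumptions; the helper checks that the tls-auth key direction differs between the two sides, since a matching direction silently breaks the control channel.

```shell
#!/bin/sh
# Added example, not the slides' screenshots: a TLS-mode TUN server/client pair
# using the easy-rsa output of 3-4-2. Pool, ta.key and nobody user/group are
# assumptions for the lab.

# write_tls_configs DIR : write tlsserver.conf and tlsclient.conf under DIR
write_tls_configs() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/tlsserver.conf" <<'EOF'
port 1194
proto udp
dev tun
# OpenVPN 2.0 multi-client server: each client gets an address from this pool
server 10.8.0.0 255.255.255.0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
# extra HMAC on the control channel: packets without it are dropped before
# any TLS processing; key direction 0 here, 1 on the client
tls-auth /etc/openvpn/ta.key 0
cipher AES-128-CBC
# tell clients how to reach LAN A behind the server
push "route 10.0.1.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
status /var/log/openvpn-status.log
verb 3
EOF
    cat > "$dir/tlsclient.conf" <<'EOF'
client
dev tun
proto udp
remote 192.168.12.201 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
# same ta.key as the server, opposite direction
tls-auth /etc/openvpn/ta.key 1
# with certificates built by easy-rsa's build-key-server the client can also
# demand a server-typed certificate: ns-cert-type server (OpenVPN 2.0 syntax)
cipher AES-128-CBC
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# tls_auth_directions_differ DIR : the tls-auth key direction must be 0 on one
# side and 1 on the other
tls_auth_directions_differ() {
    s=$(awk '/^tls-auth/ {print $3}' "$1/tlsserver.conf")
    c=$(awk '/^tls-auth/ {print $3}' "$1/tlsclient.conf")
    [ -n "$s" ] && [ -n "$c" ] && [ "$s" != "$c" ]
}
```

Compared with the static-key pair, the CA does the authentication here: any client whose certificate chains to ca.crt is admitted, so issuing and revoking client certificates is now the access-control task.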
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function, making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range 0 to 300 VDC & right side for the low range 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm setting: Temperature → Voltage → burning throughput
F4 Configuration key
F5 Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
3) Usage of iptables
3-1 Load iptables Modules
3-2 Define Default Policy
3-3 Structure of a Rule
3-4 Save/Restore Rules
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
3-1 Load iptables Module
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <direction> <match> -j <target>
3 major things need to be considered: the direction (chain), the match and the target (-j)
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save/Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of the filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 7 – Log all the incoming/outgoing TCP packets with to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter – Rules of the filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create new connections
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of the filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
4-2 NAT Machine
Example 1 – Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 leaving via ppp0 as the local ppp0's IP (MASQUERADE is only valid in POSTROUTING)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
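A rule set that keeps the hands-on examples in one script, as section 3-4 recommends, written as an added example that is not part of the slides: it emits the filter and nat tables in iptables-restore format so the whole set is loaded atomically, with a DROP default policy, the stateful ESTABLISHED/RELATED rule placed first, the rate-limited ping of example 11, the FTP block of example 5, the DNAT/MASQUERADE pair of the NAT examples, and a rate-limited LOG rule before the policy drop (not usable on the UC7110, which lacks the LOG target). The interface names, the LAN network and $OUT_IP are assumptions taken from the examples; run it with APPLY=1 as root to load it, otherwise it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the slides: a maintainable filter/nat rule set kept in
# a script and emitted in iptables-restore format. Interfaces, the LAN network
# and OUT_IP are assumptions based on the hands-on examples.
set -eu

LAN_IF=${LAN_IF:-eth1}; LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN_IF=${WAN_IF:-ppp0}; OUT_IP=${OUT_IP:-60.248.66.75}
WEB_SERVER=${WEB_SERVER:-192.168.127.10}

# gen_rules : print the complete rule set on stdout (iptables-restore syntax)
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and packets of known connections first: they are the bulk of traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# echo requests are allowed but rate limited (example 11)
-A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
# management from the LAN only (SSH); FTP is refused everywhere (example 5)
-A INPUT -i $LAN_IF -p tcp -s $LAN_NET --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -j DROP
# whatever reaches the end of the chain is logged (rate limited), then dropped by policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
# forwarding: LAN out, replies back, and the published web server (NAT example 3)
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -p tcp -d $WEB_SERVER --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -d $OUT_IP --dport 80 -j DNAT --to-destination $WEB_SERVER:80
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# count_rules CHAIN : number of rules the set appends to CHAIN
count_rules() {
    gen_rules | grep -c "^-A $1 " || true
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | iptables-restore      # all tables replaced in one transaction
else
    gen_rules
fi
```

Rule order is the reason to keep the set in one file: the ESTABLISHED,RELATED rule must precede the port-specific ones or every reply packet is re-evaluated against the whole chain, and the DNAT in nat/PREROUTING is useless without the matching FORWARD accept in the filter table, which is easy to lose when rules are added one command at a time.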
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys
DES/3DES/AES/Blowfish
[Figure: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts it with the same secret key back to plaintext]
1-3 Hash (Digest) Function
Ensures data integrity
MD5/SHA-1
[Figure: Tom hashes the data into message digest 1 and sends data + digest 1; Bob runs the same hash function on the received data to obtain message digest 2 and compares it with digest 1]
1-4 Message Authentication Code
Ensures the data integrity
Uses a key to protect the MAC
HMAC/CBC-MAC
[Figure: Tom hashes the data into message digest 1, encrypts the digest with the secret key into the MAC and sends data + MAC; Bob hashes the received data into message digest 2, decrypts the MAC with the secret key to recover digest 1 and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static key
• RSA/Diffie-Hellman
[Figure: clear text encrypted into the ciphertext "g$5knvMd'rkvegMs"]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (recipient's key pair): confidentiality check]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (sender's key pair): authenticity check]
1-6 Digital Signature
Real world: hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: uses the public key and a hash
1-6 Digital Signature – Creating
[Figure: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) into a short message digest (typically 128 bits), even for a long input; the digest is encrypted asymmetrically (RSA) with the signatory's private key, giving the digital signature; message + signature form the signed document]
1-6 Digital Signature – Verifying
[Figure: from the signed document, the message is hashed again into a message digest; the digital signature is decrypted asymmetrically with Gianni's public key (from the certificate); the two digests are compared]
1-6 Digital Signature
[Figure: Tom hashes the data into message digest 1 and encrypts it with Tom's private key into the digital signature; Bob hashes the received data into message digest 2, decrypts the signature with Tom's public key to recover digest 1 and compares the two]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Figure: certification server; the CA generates a key pair (priv/pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key; Left and Right each hold their own private key, the CA public key and their certificate signed by the CA; Left and Right trust each other's certificate because both are signed by the CA, whose own public key is signed by the CA]
1-7-2 SSL/TLS
[Figure: each side holds its key pair (priv/pub) and the other side's public key; clear text is encrypted into cipher 1, then into cipher 2, transmitted over the public network, and decrypted in reverse order back to clear text]
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged
• Authenticity, identity, non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm methods: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithm – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 Demo Box
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range, 0 to 300 VDC & right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are (Supplier, Model name):
ASUS WL-107g
CNET CWC-854 (181D version)
Edimax EW-7108PCg
Amigo AWP-914W
Gigabyte GN-WMKG
Others which use the R-Link chipset
Thank YouThank You
3-1 Load iptables Modules
Note: ipchains and iptables are not compatible
Check the current tables: iptables [-t table] [-L] [-n]
Default policy
3-1 Install iptables
Clear the current policy
3-2 Define Default Policy
iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t {filter|nat|mangle} {-A|-I|-D|-R} <direction> <match> -j <target>
Three major things need to be considered: direction, match and target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 – Accept all TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 – Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from 192.168.0.0/24 to the local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 – Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the "LOG" target
Example 8 – Drop all [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit ICMP "ping" bursts
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which try to create new connections
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets from 192.168.1.0/24 leaving via ppp0 behind the local ppp0 IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 – DNAT the packets arriving on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
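The script file that section 3-4 recommends instead of the exported rule file, written as an added example (not Moxa's hands-on script) from the filter and NAT examples above; eth0 as the outside interface, the 192.168.127.0/24 server network and the DROP default policies are assumptions. When not run as root it only prints the rules, so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# firewall.sh: keep the Netfilter ruleset in a script (section 3-4). Added
# example, not Moxa's own script. Addresses come from the slides' examples;
# the interface names and the DMZ network are assumptions for this lab.
set -eu

WAN_IF=${WAN_IF:-eth0}                 # interface facing the untrusted network
LAN_NET=${LAN_NET:-192.168.1.0/24}     # trusted LAN (filter Examples 3 and 4)
PUB_IP=${PUB_IP:-60.248.66.75}         # public address on eth0 (NAT Example 3)
WEB_SRV=${WEB_SRV:-192.168.127.10}     # internal web server behind DNAT (NAT Example 3)
DMZ_NET=${DMZ_NET:-192.168.127.0/24}   # network of the internal server (NAT Example 4)

# Rules are loaded only when running as root; otherwise they are printed so the
# ruleset can be reviewed on any host before it goes onto the UC-7400.
if [ "$(id -u)" -eq 0 ]; then DRY_RUN=${DRY_RUN:-0}; else DRY_RUN=1; fi
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

flush_all() {
    # "Clear current policy": empty every chain in the three tables
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

filter_rules() {
    # Default policy first: whatever no rule accepts is dropped (Example 11).
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT ACCEPT
    # Example 1: loopback traffic is always accepted.
    ipt -t filter -A INPUT -i lo -j ACCEPT
    # Example 12: replies to connections we opened are accepted, INVALID is
    # dropped, and NEW connections fall through to the explicit rules below.
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -m state --state INVALID -j DROP
    # Example 6: NetBIOS ports 137-139 only from the trusted LAN.
    ipt -t filter -A INPUT -i "$WAN_IF" -p tcp -s "$LAN_NET" --dport 137:139 -j ACCEPT
    # Example 11: answer ping, but rate-limited (6 per minute, bursts of 10).
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Example 7: log SMTP attempts (the policy then drops them), rate-limited so
    # a flood cannot fill the log. The LOG target is not available on the UC-7110.
    ipt -t filter -A INPUT -p tcp --dport 25 -m limit --limit 3/min -j LOG --log-prefix "FW smtp: "
    # Forwarding: only the published web service and established flows cross the box.
    ipt -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SRV" --dport 80 -m state --state NEW -j ACCEPT
    ipt -t filter -A FORWARD -s "$DMZ_NET" -o "$WAN_IF" -j ACCEPT
}

nat_rules() {
    # NAT Example 3: publish the internal web server on the public address.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUB_IP" --dport 80 -j DNAT --to-destination "$WEB_SRV:80"
    # NAT Example 4 (SNAT line): rewrite the source of traffic leaving the internal network.
    ipt -t nat -A POSTROUTING -s "$DMZ_NET" -o "$WAN_IF" -j SNAT --to-source "$PUB_IP"
}

apply_rules() {
    flush_all
    filter_rules
    nat_rules
    # Keep an exported copy for inspection; this script stays the source of truth.
    [ "$DRY_RUN" = 1 ] || iptables-save > /etc/iptables.rules
}

# "firewall.sh apply" loads the rules (as root); anything else only prints them.
if [ "${1:-show}" = apply ]; then apply_rules; else DRY_RUN=1; apply_rules; fi
```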
Thank YouThank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys for n parties
• DES / 3DES / AES / Blowfish
[Diagram: Tom turns the plaintext into ciphertext with the secret key (encryption); Bob turns it back into plaintext with the same secret key (decryption)]
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5 / SHA-1
[Diagram: Tom runs the data through the hash function to get message digest 1 and sends data + digest 1; Bob runs the received data through the same hash function to get message digest 2 and compares it with digest 1]
1-4 Message Authentication Code
• Ensure data integrity
• Use a key to protect the MAC
• HMAC / CBC-MAC
[Diagram: Tom hashes the data to message digest 1 and encrypts the digest with the secret key to form the MAC, then sends MAC + data; Bob decrypts the MAC with the secret key to recover digest 1, hashes the received data to message digest 2 and compares the two]
1-5 Asymmetric Encryption
Things to remember:
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other even if you have access to clear text and cipher text
• The two keys are interchangeable: all algorithms make no difference between public and private key, and when a key pair is generated either of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA / Diffie-Hellman
[Diagram: clear text → encryption → cipher text]
1-5 Asymmetric Data Encryption – Confidentiality Check
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (recipient's key pair)]
1-5 Asymmetric Data Encryption – Authenticity Check
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (sender's key pair)]
1-6 Digital Signature
Real world – hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – use the public key and a hash
1-6 Digital Signature – Creating
[Diagram: the message or file ("This is the document created by Gianni") goes through a one-way message digest function (hash: SHA, MD5), which produces a short message digest, typically 128 bits, even from a long input; the digest is transformed by asymmetric encryption (RSA) with the signatory's private key into the digital signature; message plus signature form the signed document]
1-6 Digital Signature – Verifying
[Diagram: from the signed document, the message is hashed again to a message digest; the digital signature is transformed by asymmetric decryption with Gianni's public key (from his certificate) back into the original digest; the two digests are compared]
1-6 Digital Signature
[Diagram: Tom hashes the data to message digest 1 and encrypts it with Tom's private key to form the digital signature, then sends data + signature; Bob decrypts the signature with Tom's public key to recover digest 1, hashes the received data to message digest 2 and compares]
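Hash, keyed MAC and digital signature from 1-3, 1-4 and 1-6 as an added example with the openssl command line (not the slides' material); the key and file names are assumptions, and the demo function shows a message modified in transit failing both the HMAC comparison and the signature check while its plain hash can simply be recomputed.

```shell
#!/bin/sh
# hashsig.sh: the three integrity mechanisms of the summary, with openssl.
# Added example; directory, key names and the sample message are assumptions.
set -eu

# 1-3 Hash: anyone can recompute the digest, so it catches accidental change only.
digest() {             # digest FILE -> hex SHA-1 digest
    openssl dgst -sha1 "$1" | sed 's/^.*= //'
}

# 1-4 MAC: the digest is keyed; without the secret a forged message cannot be
# given a matching MAC.
mac() {                # mac KEY FILE -> hex HMAC-SHA1
    openssl dgst -sha1 -hmac "$1" "$2" | sed 's/^.*= //'
}

# 1-6 Signature: hash the message, then transform the digest with the private key.
make_keys() {          # make_keys DIR -> DIR/tom.key (private), DIR/tom.pub (public)
    umask 077
    openssl genrsa -out "$1/tom.key" 2048 2>/dev/null
    openssl rsa -in "$1/tom.key" -pubout -out "$1/tom.pub" 2>/dev/null
}
sign() {               # sign DIR FILE -> writes FILE.sig with Tom's private key
    openssl dgst -sha1 -sign "$1/tom.key" -out "$2.sig" "$2"
}
verify() {             # verify DIR FILE: exit 0 only if FILE.sig matches FILE under tom.pub
    openssl dgst -sha1 -verify "$1/tom.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# End-to-end run on the slides' example sentence (constructed message), then on
# a copy modified "in transit". Returns 0 when both HMAC and signature detect it.
demo() {               # demo DIR
    dir=$1
    printf 'This is the document created by Gianni\n' > "$dir/msg"
    make_keys "$dir"
    sign "$dir" "$dir/msg"
    verify "$dir" "$dir/msg" || return 1                        # genuine message verifies
    mac lab-secret "$dir/msg" > "$dir/msg.mac"                  # MAC travels with the data
    printf 'This is the document created by someone else\n' > "$dir/msg"
    [ "$(mac lab-secret "$dir/msg")" != "$(cat "$dir/msg.mac")" ] || return 1
    if verify "$dir" "$dir/msg"; then return 1; fi             # signature must fail now
    return 0
}
```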
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Diagram: the CA generates a key pair (priv, pub) on the certification server; the user requests a certificate from the CA; the CA generates the certificate (pub + digital signature); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key; Left and Right each hold the CA public key, which they trust, and their own certificate signed by the CA (Left cert signed by CA, Right cert signed by CA)]
1-7-2 SSL/TLS
[Diagram: clear text → encrypt (cipher 1) → encrypt (cipher 2) → transmission over the public network → decrypt → decrypt → clear text, each side using its own private key and the peer's public key]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), where OpenSSL wraps it too
1-8-2 Performance
[Charts: throughput (RATE) against packet size in bytes for 3DES-CBC and AES-128-CBC, for large packets (128 to 1280 bytes) and small packets (16 to 144 bytes), software cipher against hardware cipher (the HW cipher series is marked)]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any misconfiguration or busy state causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network – Advantages / Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
Peers – each node with a client/server role
• Makes use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
[Packet layout: HMAC | IV | SeqN | IP payload; SeqN and the IP payload are encrypted, and the HMAC covers the encrypted part]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram: the OSI stacks (physical, data-link, network, transport, session, presentation, application) of both peers; OpenVPN runs at the application layer and the TUN device sits at the network layer (3rd)]
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
brctl addbr br0         # create an Ethernet bridge
brctl addif br0 eth1    # connect interface eth1 as a port
brctl addif br0 tap0    # connect virtual interface tap0 as a port
[Diagram: the OSI stacks of both peers; OpenVPN at the application layer, the TAP device at the data-link layer (2nd) next to TUN (3rd); on each side eth0 carries the tunnel while eth1 and tap0 are bridged]
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN – this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Topology: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) – [VPN Server] ixp1 10.0.1.254, ixp0 192.168.12.201, also the [CA/TLS Server] === VPN tunnel (Connect) === [VPN Client] ixp0 192.168.12.202, ixp1 10.0.2.254 – LAN B (IP 10.0.2.1/24, gw 10.0.2.254)]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers/authentication: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun.server.conf; [at the VPN client] vi /etc/openvpn/tun.client.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
Edit the static routes: vi /etc/openvpn/tun.server.sh; chmod +x /etc/openvpn/tun.server.sh
[At the VPN client] vi /etc/openvpn/tun.client.sh; chmod +x /etc/openvpn/tun.client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun.server.conf & (server); openvpn --config /etc/openvpn/tun.client.conf & (client)
The 2nd argument of "ifconfig" is the remote end, which is now "10.0.2.254"
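The tun.server.conf / tun.client.conf pair for the 3-1 topology as an added example (not the slides' own files); it uses OpenVPN 2.0 static-key options, the tunnel endpoints 10.8.0.1/10.8.0.2 are an assumption (the slides reuse the LAN gateway addresses 10.0.1.254 / 10.0.2.254 instead), and check_pair catches the mirrored-ifconfig mistake the callout above points at.

```shell
#!/bin/sh
# mktun.sh: write the static-key TUN configuration pair for the topology in 3-1.
# Added example, not the slides' files. Interface names, addresses and LANs come
# from the 3-1 diagram; the tunnel endpoints and the key file name are assumptions.
set -eu

SERVER_WAN=${SERVER_WAN:-192.168.12.201}   # VPN server ixp0 (slide 3-1)
LAN_A=${LAN_A:-10.0.1.0 255.255.255.0}     # LAN behind the server
LAN_B=${LAN_B:-10.0.2.0 255.255.255.0}     # LAN behind the client
KEY=${KEY:-static.key}                     # from: openvpn --genkey --secret static.key

# Options both ends must share; a mismatch here (cipher, auth, key) leaves a
# tunnel that comes up but passes nothing. AES-128-CBC is one of the calls
# section 1-8-1 lists as hardware-accelerated; SHA1 is the HMAC of section 2-2.
common_opts() {        # common_opts DIR
    cat <<EOF
dev tun
proto udp
secret $1/$KEY
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

write_tun_configs() {  # write_tun_configs DIR -> DIR/tun.server.conf, DIR/tun.client.conf
    dir=$1
    umask 077                                 # the files name the shared secret: root-only
    {
        echo "# VPN server: listens on $SERVER_WAN, LAN A behind it"
        echo "port 1194"
        echo "ifconfig 10.8.0.1 10.8.0.2"     # local tunnel IP, then remote tunnel IP
        echo "route $LAN_B"                   # kernel route to LAN B through the tunnel
        common_opts "$dir"
    } > "$dir/tun.server.conf"
    {
        echo "# VPN client: LAN B behind it; the server address is mandatory here"
        echo "remote $SERVER_WAN 1194"
        echo "ifconfig 10.8.0.2 10.8.0.1"     # mirror image of the server line
        echo "route $LAN_A"
        common_opts "$dir"
    } > "$dir/tun.client.conf"
    umask 022
}

# The two ifconfig lines must mirror each other (server local = client remote and
# vice versa); this catches the copy-paste slip before the tunnel is started.
check_pair() {         # check_pair DIR: exit 0 when the ifconfig lines mirror each other
    s=$(sed -n 's/^ifconfig //p' "$1/tun.server.conf")
    c=$(sed -n 's/^ifconfig //p' "$1/tun.client.conf")
    [ "${s#* } ${s%% *}" = "$c" ]
}

# Both LANs are routed through the box, so forwarding must be on (slide 3-1); root only.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
```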
3-3 TAP Configuration
Create the TAP configuration files: vi /etc/openvpn/tap.server.conf
[At the VPN client] vi /etc/openvpn/tap.client.conf
3-3 TAP Configuration – VPN Server
Mark this line (comment it out) if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routes: vi /etc/openvpn/tap.server.sh
[At the VPN client] vi /etc/openvpn/tap.client.sh; chmod +x /etc/openvpn/tap.client.sh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
3-1 Load iptables Module3-1 Load iptables Module
Check the Current Tablesiptables [-t tables] [-L] [-n]
Default Policy
3-1 Install iptables3-1 Install iptables
Clear Current Policy
3-2 Define Default Policy3-2 Define Default Policy
iptables ndasht filter nat mangle
ndashP INPUT OUTPUT FORWARD PREROUTING POSTROUTING
ACCEPT DROP
3-2 Define Default Policy3-2 Define Default Policy
3-3 Structure of a Rule3-3 Structure of a Rule
3-3-1 Add Insert Delete an Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add Insert Delete and Replace3-3-1 Add Insert Delete and Replace
iptables ndasht filter nat mangle
AI DR
ndash direction match target
3 major things needed
to be considered
ndashj
3-3-2 Direction ndash Chains3-3-2 Direction ndash Chains
a filter Table INPUT
OUTPUT
FORWARD
b nat Table PREROUTING
POSTROUTING
OUTPUT
c mangle table hellip
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Accept all the packets incoming from lo interface
Example 2 ndash Accept all the TCP packets incoming from
IP = 19216801
iptables ndasht filter ndashA INPUT ndashi lo ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 19216801 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 3 ndash Accept all the TCP packets incoming from the network
1921681024
Example 4 ndash Drop all the TCP packets incoming from IP = 192168125
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 1921681024 -j ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 192168125 ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 5 ndash Drop all the Incoming TCP packets with dst Port = 21
(forbid FTP Connection from eth0)
Example 6 ndash Accept TCP packets incoming from IP 192168024 to
local port number 137138 and 139
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndash ndashdport 21 ndashj DROP
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp ndashs
192168024 ndash ndashdport 137139 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even by listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify which specific individual is behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast: high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys for n parties that all need to talk to each other
• DES, 3DES, AES, Blowfish
[Diagram: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts the ciphertext with the same secret key back into the plaintext]
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5, SHA-1
[Diagram: Tom runs the hash function over the data and sends Data + Message Digest 1; Bob runs the same hash function over the received data to get Message Digest 2 and compares it with Message Digest 1]
Note: a bare digest only detects accidental corruption; anyone who can change the data can recompute the digest too (the next slide adds a key for that). MD5 and SHA-1 are no longer collision resistant and should not be chosen for new designs.
1-4 Message Authentication Code
• Ensures data integrity, and origin authenticity for whoever holds the key
• A secret key is used to protect the digest, so only a key holder can produce or check the MAC
• HMAC, CBC-MAC
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with the secret key into the MAC, then sends MAC + Data; Bob hashes the received data into Message Digest 2, decrypts the MAC with the same secret key to recover Message Digest 1, and compares the two]
1-5 Asymmetric Encryption
Things to remember:
• Key pair: public / private keys
• In a session one key encrypts and the other one decrypts
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even with access to clear-text and cipher-text
• The two keys are interchangeable: the algorithm makes no difference between public and private key, and when a key pair is generated either of the two can be made public (this holds for textbook RSA; in practice keys are generated with a fixed role and the public exponent is a small constant)
• Less efficient than symmetric (static) key encryption
• RSA, Diffie-Hellman (Diffie-Hellman is a key agreement, not an encryption algorithm; it is what the dh parameters of 3-4 are for)
[Diagram: clear text -> encryption -> cipher text "g$5knvMd'rk vegMs"]
1-5 Asymmetric Data Encryption - Confidentiality check
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair: only the holder of the private key can read the message]
1-5 Asymmetric Data Encryption - Authenticity check
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair: anyone can read it, but only Tom could have produced it]
1-6 Digital Signature
Real world: a hybrid that gives
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: the public-key algorithm applied to a hash of the data
1-6 Digital Signature - Creating
[Diagram: message or file ("This is the document created by Gianni") -> generate hash (SHA, MD5) -> message digest "Py75cbn" (128 bits for MD5, 160 for SHA-1) -> asymmetric encryption (RSA) with the signatory's private key -> digital signature "3kJfgf£$&"; the signed document is the message together with the digital signature]
Calculate a short message digest from even a long input using a one-way message digest function (hash), then sign the digest rather than the whole message
1-6 Digital Signature - Verifying
[Diagram: signed document = message ("This is the document created by Gianni") + digital signature "3kJfgf£$&"; generate hash of the message -> message digest "Py75cbn"; asymmetric decryption of the digital signature with Gianni's public key (from his certificate) -> "Py75cbn"; compare the two digests: equal means the data is intact and was signed by the holder of Gianni's private key]
1-6 Digital Signature
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key to form the digital signature, then sends Data + Digital Signature; Bob hashes the received data into Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two. Same flow as the MAC of 1-4, but with a key pair instead of a shared secret, so Bob (or anyone) can verify without being able to forge]
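As an added example (not part of the Moxa deck), the three integrity mechanisms of 1-3, 1-4 and 1-6 exercised with the openssl command-line tool against a constructed message and a tampered copy: a plain digest changes when the message changes but can be recomputed by anyone, an HMAC cannot be forged without the shared key, and a signature verifies with the public key only for the untouched message. The message, the MAC keys and the RSA key pair standing in for Gianni's are all constructed here; openssl must be installed, and the key files are written to a temporary directory.

```sh
#!/bin/sh
# Added example: the integrity mechanisms of slides 1-3, 1-4 and 1-6 exercised
# with the openssl command-line tool. Not from the Moxa deck. The message, the
# tampered copy and the MAC keys are constructed here; the RSA key pair stands
# in for Gianni's and is generated into a temporary directory.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

printf 'This is the document created by Gianni\n'  > "$WORK/msg"
printf 'This is the document created by Gianni!\n' > "$WORK/msg.tampered"
REAL_KEY="secret-shared-by-tom-and-bob"   # constructed HMAC key known to Tom and Bob
GUESS_KEY="attacker-guess"                # the best an outsider can do

# 1-3 Hash: anyone can compute it, so it only catches accidental change.
digest() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# 1-4 MAC: the key is mixed in, so only a key holder can produce a valid tag.
mac() { openssl dgst -sha256 -hmac "$2" "$1" | awk '{print $NF}'; }

# 1-6 Signature: digest transformed with the private key, checked with the
# public key; any third party can verify it, which gives non-repudiation.
gen_keypair() {
    openssl genrsa -out "$WORK/gianni.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/gianni.key" -pubout -out "$WORK/gianni.pub" 2>/dev/null
}
sign()   { openssl dgst -sha256 -sign "$WORK/gianni.key" -out "$2" "$1"; }
verify() { openssl dgst -sha256 -verify "$WORK/gianni.pub" -signature "$2" "$1" >/dev/null 2>&1; }

# Each check exits 0 when the mechanism behaves as the slide claims.
digest_detects_tamper() { [ "$(digest "$WORK/msg")" != "$(digest "$WORK/msg.tampered")" ]; }
mac_detects_tamper()    { [ "$(mac "$WORK/msg" "$REAL_KEY")" != "$(mac "$WORK/msg.tampered" "$REAL_KEY")" ]; }
# An attacker who edits the message can recompute the plain digest, but a tag
# made without REAL_KEY never matches what Bob recomputes with it.
forged_mac_rejected()   { [ "$(mac "$WORK/msg.tampered" "$GUESS_KEY")" != "$(mac "$WORK/msg.tampered" "$REAL_KEY")" ]; }
signature_verifies()    { sign "$WORK/msg" "$WORK/msg.sig" && verify "$WORK/msg" "$WORK/msg.sig"; }
signature_detects_tamper() { sign "$WORK/msg" "$WORK/msg.sig" && ! verify "$WORK/msg.tampered" "$WORK/msg.sig"; }

report() {
    gen_keypair
    for check in digest_detects_tamper mac_detects_tamper forged_mac_rejected \
                 signature_verifies signature_detects_tamper; do
        if "$check"; then echo "$check: ok"; else echo "$check: FAILED"; fi
    done
}
if [ "${1:-}" = demo ]; then report; fi
```

Run with "demo" to print one line per check. The difference between the second and third checks is the whole point of 1-4: both the digest and the HMAC change when the data changes, but only the HMAC cannot be recomputed by the party who changed it.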
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key (it can be a person, a computer, a device, a file, some code, anything ...)
... and the whole is:
• Digitally signed by someone trusted (like your friend, or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature of the issuer]
1-7-1 CA Certificate
[Diagram: certification server: the CA generates its own key pair (priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert); private key and certificate are sent to the user]
Note: in the flow shown, the CA generates the user's key pair and sends the private key out. The safer practice is to generate the key pair on the peer and send only the certificate request to the CA (the -newreq step of 3-4-1), so the private key never leaves the device.
1-7-1 CA Certificate Example
[Diagram: the CA keeps the CA private key. Left holds Left's private key, Left's certificate signed by the CA and the CA public key; Right holds Right's private key, Right's certificate signed by the CA and the CA public key. Left and Right trust each other because each can verify the other's certificate with the CA public key; the private keys themselves are never signed or shared]
1-7-2 SSL/TLS
[Diagram: each side holds its own key pair (priv, pub) and the other side's public key; clear text -> encrypt (cipher 1) -> encrypt (cipher 2) -> transmission over the public network -> decrypt -> decrypt -> clear text]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
Note: the double public-key encryption in the diagram is a simplification; real SSL/TLS uses the key pairs only to authenticate the peers and agree a session key, and the bulk traffic is then protected with a symmetric cipher (1-2) and a MAC (1-4).
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), as OpenSSL itself does
1-8-2 Performance
[Charts: throughput (left axis, 0-80) and hardware/software speed-up rate (right axis, 0-8) against packet size, 128 to 1280 bytes, for 3DES-CBC and AES-128-CBC; a second pair of charts for small packets, 16 to 144 bytes, with the rate on a 0-2.5 scale; the highlighted series is the hardware cipher]
1-8-3 Things to be noticed
The Moxa UC-7400 switches operations between the software and the hardware approaches:
• Default: hardware approach
• Any mis-configuration, or a busy hardware engine, causes a switch to the software approach
Small packets are handled by the software approach:
• DES: below 128 bytes
• 3DES / AES: below 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io : correctness test
• io 0 5000 : stability test
• io 1 : golden pattern
• io 2 20000 : performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network - Advantages / Disadvantages
• VPN: a network constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH etc. do)
• A VPN allows the use of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT / DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node has a client or server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL VPN solution
• Built on top of the existing SSL/TLS mechanism
• Choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP or TCP port (5000 by default in 1.x, 1194 in 2.0)
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number (replay protection)
• IV: plain-text initialisation vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP payload; SeqN and the IP payload are encrypted, and the HMAC is computed over the IV and the encrypted part, i.e. encrypt-then-MAC, so a tampered packet is rejected before it is decrypted]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses a TUN device: a virtual point-to-point IP link that joins the inner interface to OpenVPN
• Uses the kernel routing table to forward the packets
[Diagram: the OSI stacks of both peers (physical, data-link, network, transport, session, presentation, application); OpenVPN runs at the application layer and the TUN device injects and picks up packets at the network layer (layer 3)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• The bridge tools (brctl) are required to create the bridge
• A script is needed to bind eth1 and tap0 together into a bridged device called br0:
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect the virtual interface tap0 as a port
[Diagram: the OSI stacks of both peers; bridging happens at the data-link layer, OpenVPN at the application layer, the TAP device at layer 2 (TUN would be at layer 3); on each peer eth1 and tap0 are bridged, while eth0 carries the tunnel]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works where the VPN needs to handle non-IP protocols such as IPX, Netware and AppleTalk
5. A relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well (every broadcast crosses the tunnel)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Diagram: LAN A (host IP 10.0.1.1/24, gw 10.0.1.254) -- ixp1 10.0.1.254 [VPN Server, also the CA/TLS server] -- ixp0 192.168.12.201 ==== VPN tunnel ==== ixp0 192.168.12.202 -- ixp1 10.0.2.254 [VPN Client] -- LAN B (host IP 10.0.2.1/24, gw 10.0.2.254); the client initiates the connection to the server]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN device node: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName] (keep it mode 600 and copy it to the other end over a trusted channel only)
• Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create / start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the supported ciphers and authentication digests: openvpn --show-ciphers, openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tun-server.conf
• [At VPN client] vi /etc/openvpn/tun-client.conf
3-2 TUN Server Configuration
• The local and remote VPN (tunnel endpoint) IP addresses must be specified with the ifconfig directive
• It is NECESSARY to specify the server address at the VPN client (remote directive)
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tun-server.sh; chmod +x /etc/openvpn/tun-server.sh
• [At VPN client] vi /etc/openvpn/tun-client.sh; chmod +x /etc/openvpn/tun-client.sh
• Start OpenVPN with the configuration file:
  openvpn --config /etc/openvpn/tun-server.conf &
  [At VPN client] openvpn --config /etc/openvpn/tun-client.conf &
• The route script points at the 2nd argument of "ifconfig" (the remote tunnel endpoint), which is now "10.0.2.254"
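As an added example (not part of the Moxa deck), the TUN server and client configuration files of 3-2 written out in full for the site-to-site layout of 3-1 (server ixp0 192.168.12.201, LAN A 10.0.1.0/24 behind it, LAN B 10.0.2.0/24 behind the client) in the static-key mode of 2-2, with the route directives replacing the tun-server.sh / tun-client.sh route scripts. The tunnel endpoints 10.8.0.1 / 10.8.0.2, the key file name and the paths are assumptions; the group name is "nogroup" rather than "nobody" on some distributions. The functions print the files, and install_conf writes them under /etc/openvpn. Static-key mode has no forward secrecy: the same key protects every session, so anyone who later obtains static.key can decrypt recorded traffic, which is why 3-4 moves on to SSL/TLS with certificates.

```sh
#!/bin/sh
# Added example: OpenVPN 2.0 static-key TUN configuration for the 3-1 lab
# topology. Not from the Moxa deck; tunnel addresses and paths are assumptions.
SERVER_PUB="${SERVER_PUB:-192.168.12.201}"  # server ixp0, what the client dials
LAN_A="${LAN_A:-10.0.1.0 255.255.255.0}"    # behind the server
LAN_B="${LAN_B:-10.0.2.0 255.255.255.0}"    # behind the client
TUN_SRV="${TUN_SRV:-10.8.0.1}"              # tunnel endpoints (ifconfig local remote)
TUN_CLI="${TUN_CLI:-10.8.0.2}"
KEYFILE="${KEYFILE:-/etc/openvpn/static.key}"
CONFDIR="${CONFDIR:-/etc/openvpn}"

# Directives shared by both ends. The static key must be identical on both
# sides; cipher and auth pin the algorithms instead of relying on defaults,
# and user/group drop root after start (persist-key/persist-tun keep the
# key and device usable across restarts once privileges are gone).
common_conf() {
cat <<EOF
dev tun
proto udp
port 1194
secret $KEYFILE
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

server_conf() {
    common_conf
cat <<EOF
ifconfig $TUN_SRV $TUN_CLI
route $LAN_B
EOF
}

client_conf() {
    common_conf
cat <<EOF
remote $SERVER_PUB 1194
ifconfig $TUN_CLI $TUN_SRV
route $LAN_A
EOF
}

# Generate the key once, copy it to the client over a trusted channel, then
# write the two files. Run with: sh tun-conf.sh install
install_conf() {
    [ -f "$KEYFILE" ] || openvpn --genkey --secret "$KEYFILE"
    chmod 600 "$KEYFILE"
    server_conf > "$CONFDIR/tun-server.conf"
    client_conf > "$CONFDIR/tun-client.conf"
}

if [ "${1:-}" = install ]; then install_conf; fi
```

The route lines are the part the slide keeps in a separate shell script: on the server, "route 10.0.2.0 255.255.255.0" sends LAN B via the tunnel (the gateway defaults to the remote ifconfig endpoint, the "2nd argument" the slide points at), and the client does the same for LAN A.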
3-3 TAP Configuration - VPN Server
• Create the TAP configuration files: vi /etc/openvpn/tap-server.conf
• [At VPN client] vi /etc/openvpn/tap-client.conf
• Comment out (mark) the route line if both VPN networks are in the same subnet: a bridged LAN needs no route
3-3 TAP Configuration - VPN Server
• Edit the static routes: vi /etc/openvpn/tap-server.sh; chmod +x /etc/openvpn/tap-server.sh
• [At VPN client] vi /etc/openvpn/tap-client.sh; chmod +x /etc/openvpn/tap-client.sh
• The route points into the kernel routing table via the bridge: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file:
  openvpn --config /etc/openvpn/tap-server.conf &
  [At VPN client] openvpn --config /etc/openvpn/tap-client.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf (pre-set default_days, default_bits, etc.)
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client (the CA private key stays on the PC)
• Repeat -newreq and -sign for the second client
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server (easy-rsa also ships build-key-server, which adds the nsCertType=server extension that a client can require with ns-cert-type server, so that a stolen client certificate cannot pose as the server)
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (size from KEY_SIZE in vars; 1024 bits in the slide, 2048 is the sensible minimum today)
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
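As an added example (not part of the Moxa deck, nor the CA.sh or easy-rsa scripts themselves), the PKI that 3-4-1 and 3-4-2 build is written out here as the plain openssl commands so that each step is visible: a minimal openssl.cnf, a self-signed CA, a server and a client certificate, and the two checks a peer performs before trusting the other end, chain verification against ca.crt and the server-purpose check that build-key-server prepares and the client's ns-cert-type server directive relies on. A self-signed "rogue" certificate carrying the server's name shows the first check failing. Names, lifetimes and the working directory are assumptions; openssl must be installed. Diffie-Hellman parameters are left to build_dh because that step takes a while.

```sh
#!/bin/sh
# Added example: minimal OpenVPN PKI with plain openssl commands, the steps
# that CA.sh and easy-rsa wrap. Not from the Moxa deck. Requires openssl;
# names, lifetimes and the working directory are assumptions.
set -u
PKI="${PKI:-$(mktemp -d)}"
DAYS="${DAYS:-365}"

# Minimal openssl.cnf (the file 3-4-1 edits): the CA certificate must carry
# basicConstraints CA:TRUE or peers will refuse to chain to it.
write_config() {
cat > "$PKI/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

build_ca() {
    write_config
    openssl req -config "$PKI/openssl.cnf" -new -x509 -newkey rsa:2048 -nodes \
        -days "$DAYS" -subj "/CN=Moxa Test CA" -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}

# issue <name> <server|client>: key and request made for the peer, then signed
# by the CA with the extensions that say what the certificate may be used for.
issue() {
    openssl req -config "$PKI/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
    if [ "$2" = server ]; then
        printf 'extendedKeyUsage=serverAuth\nnsCertType=server\n' > "$PKI/$1.ext"
    else
        printf 'extendedKeyUsage=clientAuth\nnsCertType=client\n' > "$PKI/$1.ext"
    fi
    openssl x509 -req -days "$DAYS" -in "$PKI/$1.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
        -CAcreateserial -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
}

# Self-signed certificate with the server's name, as an impostor would present.
make_rogue() {
    openssl req -config "$PKI/openssl.cnf" -new -x509 -newkey rsa:2048 -nodes \
        -days "$DAYS" -subj "/CN=server" -keyout "$PKI/rogue.key" -out "$PKI/rogue.crt" 2>/dev/null
}

build_dh() { openssl dhparam -out "$PKI/dh2048.pem" 2048 2>/dev/null; }  # slow; run once

# Check 1 (both peers): does the certificate chain to our CA?
chains_to_ca() { openssl verify -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null 2>&1; }
# Check 2 (client side, what ns-cert-type server asks for): is it a server cert?
usable_as_server() { openssl verify -purpose sslserver -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null 2>&1; }

build_all() { build_ca && issue server server && issue client client; }

if [ "${1:-}" = demo ]; then
    build_all && make_rogue
    for n in server client rogue; do
        ch=no; sv=no
        chains_to_ca "$n" && ch=yes
        usable_as_server "$n" && sv=yes
        echo "$n.crt: chains to CA=$ch, accepted as server=$sv"
    done
    echo "files in $PKI"
fi
```

Run with "demo": server.crt passes both checks, client.crt chains to the CA but is refused as a server, and rogue.crt fails the chain check outright. The second check is the one a client must perform in addition to the first, otherwise any holder of a valid client certificate could stand up a fake server.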
3-4-3 Configuration File Modification
• txx-server.conf (tun- or tap-)
• txx-client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3 Alarm setting: Temperature → Voltage → Burn-in throughput
• F4 Configuration key
• F5 Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible 802.11g wireless cards are:
Supplier | Model name
ASUS | WL-107g
CNET | CWC-854 (181D version)
Edimax | EW-7108PCg
Amigo | AWP-914WG
Gigabyte | GN-WMKG
Others which use the Ralink chipset
Thank You
3-1 Install iptables
• Clear the current policy (flush the existing rules before loading a new set)
3-2 Define Default Policy
iptables -t [filter | nat | mangle] -P [INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING] [ACCEPT | DROP]
Note: -P applies only to the built-in chains of the table named with -t, and a DROP policy takes effect immediately; when working over the network, add the rules that admit your own session before switching the INPUT policy to DROP.
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter | nat | mangle] [-A | -I | -D | -R] <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp | udp | icmp | all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port] (a range is written low:high)
4. -m state --state [state]: NEW | ESTABLISHED | INVALID | RELATED
5. -m multiport --dports [p1,p2,...,p15] (or --sports / --ports)
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING / OUTPUT), MASQUERADE (only in POSTROUTING), REDIRECT (only in PREROUTING / OUTPUT)
c. mangle table: ...
3-4 Save / Restore Rules
iptables-save > rules.txt / iptables-restore < rules.txt
It is highly recommended to use a script file to maintain the Netfilter rules instead of this exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all packets incoming from the lo interface
Example 2 - Accept all TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 3 - Accept all TCP packets incoming from the network 192.168.1.0/24
Example 4 - Drop all TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Note: rules are evaluated in order and the first match wins, so in this order the ACCEPT for 192.168.1.0/24 shadows the DROP for 192.168.1.25; load the more specific DROP rule first (or use -I to insert it at the top).
4-1 Packet Filter - Rules of filter table
Example 5 - Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0)
Example 6 - Accept TCP packets incoming from 192.168.0.0/24 to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of filter table
Example 7 - Log all incoming / outgoing TCP packets to / from port 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
iptables -t filter -A OUTPUT -p tcp --sport 25 -j LOG
Note: UC7110 does not support the target "LOG". LOG is a non-terminating target: the packet continues down the chain, so the LOG rule is normally placed just before the ACCEPT or DROP that decides its fate, and usually combined with -m limit so a flood cannot fill the log.
4-1 Packet Filter - Rules of filter table
Example 8 - Drop all [SYN] packets from IP = 192.168.100.200 (refuse new connections from that host)
Example 9 - Drop all packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Note: the mac match only works in chains that still see the link-layer header (PREROUTING, INPUT and FORWARD), and a source MAC is trivially spoofed, so this is a convenience, not an authentication.
Example 10 - Do not respond to "ping"
Example 11 - Survive an ICMP "ping" burst (rate-limited accept)
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
(With the INPUT policy at DROP, ICMP above 6 packets per minute, after an initial burst of 10, falls through to the policy and is dropped.)
4-1 Packet Filter - Rules of filter table
Example 12 - Accept the ESTABLISHED and RELATED packets of the local host; drop INVALID packets and NEW packets which are trying to create new connections
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Note: these two rules alone stop every inbound TCP connection, including SSH; the rules accepting the wanted services (in state NEW) belong between them.
4-1 Packet Filter - Rules of filter table
Example 13 - Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Allow "passive mode" FTP through to a host: the ip_conntrack_ftp helper follows the FTP control channel, so the separately negotiated data connection is classified RELATED and can be accepted without opening the whole high-port range
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
Note: the "unclean" match was an experimental Netfilter extension in the 2.4 kernels and was removed later; on newer kernels, dropping packets in state INVALID (Example 12) covers most of the same ground.
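As an added example (not part of the Moxa deck), the filter-table examples above assembled into the script that slide 3-4 recommends instead of a raw iptables-save file. Rule order is the point: loopback, established traffic and the administrator's access are accepted before the INPUT policy is switched to DROP, block rules sit above any accept that could shadow them, the FTP helper is loaded so passive-mode data connections become RELATED, and whatever remains is logged (rate-limited) before it hits the policy. The interface eth0, the management host 192.168.0.1, the LAN 192.168.0.0/24, the blocked host and the blocked MAC are assumptions taken from the slide values; IPT="echo iptables" prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example: stateful INPUT policy for the UC-7400 itself, built from the
# filter examples of section 4-1. Not from the Moxa deck; addresses assumed.
# Run as:  sh host-fw.sh dry-run   or   sh host-fw.sh apply
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
EXT_IF="${EXT_IF:-eth0}"
ADMIN_HOST="${ADMIN_HOST:-192.168.0.1}"      # allowed to reach SSH
LAN_NET="${LAN_NET:-192.168.0.0/24}"         # allowed to reach ports 137-139
BAD_HOST="${BAD_HOST:-192.168.1.25}"
BAD_MAC="${BAD_MAC:-aa:bb:cc:dd:ee:ff}"

input_rules() {
    # Policy stays ACCEPT while the chain is rebuilt, so a remote session
    # is not cut off between -F and the rules that re-admit it.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    # Example 1: everything on loopback
    $IPT -A INPUT -i lo -j ACCEPT
    # Example 12: replies to our own connections first, malformed packets out
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Examples 4 and 9: explicit block list, placed before any accept rule
    $IPT -A INPUT -i "$EXT_IF" -s "$BAD_HOST" -j DROP
    $IPT -A INPUT -i "$EXT_IF" -m mac --mac-source "$BAD_MAC" -j DROP
    # Example 11: answer ping, but rate-limited (6/min, burst 10)
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Example 2 narrowed: only the admin host, and only to SSH
    $IPT -A INPUT -i "$EXT_IF" -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT
    # Example 6: NetBIOS/SMB from the LAN only
    $IPT -A INPUT -i "$EXT_IF" -p tcp -s "$LAN_NET" -m multiport --dports 137,138,139 -m state --state NEW -j ACCEPT
    # Example 14: FTP control channel; the helper marks data connections RELATED,
    # so they are already covered by the ESTABLISHED,RELATED rule above
    $MODPROBE ip_conntrack_ftp
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Example 7 generalised: log what is about to be dropped, rate-limited so
    # a flood cannot fill the log (UC-7110 lacks the LOG target: omit this line there)
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
    # Default deny, set only after the accept rules are in place
    $IPT -P INPUT DROP
}

case "${1:-}" in
    apply)   input_rules ;;
    dry-run) IPT="echo iptables"; MODPROBE="echo modprobe"; input_rules ;;
esac
```

Compare the printed order with Examples 3 and 4 on the slides: the same two rules in the other order would never drop 192.168.1.25, because the network-wide ACCEPT matches first.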
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• Offers a choice between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plaintext initial vector, randomized per packet
[Diagram: HMAC | IV | encrypt(SeqN | IP payload); the sequence number travels inside the encrypted part, and the HMAC is computed over the IV and the ciphertext, so the packet is authenticated before it is decrypted]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram: two OSI stacks (Physical … Application); OpenVPN runs at the application layer and hands packets to the TUN device at layer 3]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port of the same bridge
[Diagram: two OSI stacks (Physical … Application); OpenVPN at the application layer, with TAP (layer 2) in place of TUN (layer 3); on each side eth1 and tap0 are bridged, while eth0 carries the tunnel traffic]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX (Netware) and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Topology: LAN A (hosts 10.0.1.1/24, gw 10.0.1.254) – ixp1 10.0.1.254 [VPN Server] ixp0 192.168.12.201 === VPN Tunnel === ixp0 192.168.12.202 [VPN Client] ixp1 10.0.2.254 – LAN B (hosts 10.0.2.1/24, gw 10.0.2.254); a separate [CA/TLS Server] issues the certificates]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the supported ciphers/authentication: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tun.server.conf
• [At VPN Client] vi /etc/openvpn/tun.client.conf
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routing: vi /etc/openvpn/tun.server.sh; chmod +x /etc/openvpn/tun.server.sh
• [At VPN Client] vi /etc/openvpn/tun.client.sh; chmod +x /etc/openvpn/tun.client.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun.server.conf & (server); openvpn --config /etc/openvpn/tun.client.conf & (client)
• Note the 2nd argument of "ifconfig", which is now "10.0.2.254"
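As an added example, not from the deck, a script that writes the static-key tun.server.conf and tun.client.conf for the topology above; the tunnel endpoints (10.0.1.254 and 10.0.2.254) and the server's ixp0 address are the slides' values, while the port, cipher, route, keepalive and unprivileged-user directives are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the Moxa deck): writes the static-key TUN
# configurations for the 3-1 topology. The tunnel endpoints and the
# physical addresses are the slides' values; port, cipher, route, keepalive
# and the unprivileged user are this example's choices.
SERVER_PUBLIC="${SERVER_PUBLIC:-192.168.12.201}"   # VPN server, ixp0
SERVER_TUN="10.0.1.254"                            # 1st "ifconfig" argument on the server
CLIENT_TUN="10.0.2.254"                            # 2nd "ifconfig" argument on the server
KEY_FILE="${KEY_FILE:-/etc/openvpn/static.key}"    # from: openvpn --genkey --secret static.key

# Directives both ends must share. A static-key tunnel fails the HMAC check
# on every packet when cipher, auth or key differ, so they come from one place.
common_directives() {
    cat <<EOF
dev tun
proto udp
port 1194
secret $KEY_FILE
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
verb 3
EOF
}

write_tun_server_conf() {   # $1 = output file
    {
        echo "# TUN server on $SERVER_PUBLIC; tunnel $SERVER_TUN <-> $CLIENT_TUN"
        echo "local $SERVER_PUBLIC"
        echo "ifconfig $SERVER_TUN $CLIENT_TUN"
        echo "route 10.0.2.0 255.255.255.0"   # LAN B is reached through the tunnel
        common_directives
    } > "$1"
}

write_tun_client_conf() {   # $1 = output file
    {
        echo "# TUN client; tunnel $CLIENT_TUN <-> $SERVER_TUN"
        echo "remote $SERVER_PUBLIC"            # the server address is mandatory on the client
        echo "ifconfig $CLIENT_TUN $SERVER_TUN" # mirror image of the server's ifconfig line
        echo "route 10.0.1.0 255.255.255.0"    # LAN A is reached through the tunnel
        common_directives
    } > "$1"
}

# Pre-start check: the client's ifconfig must be the server's with the two
# addresses swapped, otherwise the tunnel comes up but routes nothing.
tun_endpoints_match() {   # $1 = server conf, $2 = client conf
    s=$(awk '$1 == "ifconfig" { print $2, $3 }' "$1")
    c=$(awk '$1 == "ifconfig" { print $3, $2 }' "$2")
    [ -n "$s" ] && [ "$s" = "$c" ]
}

write_tun_configs() {   # $1 = directory, e.g. /etc/openvpn
    write_tun_server_conf "$1/tun.server.conf"
    write_tun_client_conf "$1/tun.client.conf"
    tun_endpoints_match "$1/tun.server.conf" "$1/tun.client.conf"
}

if [ -n "${1:-}" ]; then
    write_tun_configs "$1"
fi
```

The static key must reach the client over a channel that is already trusted (for example scp); anyone holding it can join the tunnel.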
• Create the TAP configuration files: vi /etc/openvpn/tap.server.conf
• [At VPN Client] vi /etc/openvpn/tap.client.conf
3-3 TAP Configuration – VPN Server
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routing: vi /etc/openvpn/tun.server.sh
• [At VPN Client] vi /etc/openvpn/tap.client.sh; chmod +x /etc/openvpn/tap.client.sh
• Points to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap.server.conf & (server); openvpn --config /etc/openvpn/tap.client & (client)
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Repeat for the second client
3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rs
a/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
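The same PKI as the easy-rsa steps above, built non-interactively with the plain openssl command line, as an added example (not the easy-rsa scripts themselves); the subject names, key size, validity and the role-specific extension profiles are this example's assumptions. The role check at the end is the part worth keeping: a certificate issued for a client must not also verify as a server certificate.

```shell
#!/bin/sh
# Added example (not the easy-rsa scripts): the PKI of slide 3-4-2 built
# non-interactively with the openssl command line, so it can run unattended
# on the Linux PC. Subject names, key size and validity are this example's
# choices; the output files are the ones the slides copy to the devices
# (ca.crt, server.key, server.crt, client.key, client.crt).
DAYS="${DAYS:-365}"
BITS="${BITS:-2048}"

# Minimal OpenSSL config with one extension profile per role. A client
# certificate must not also be valid as a server certificate, otherwise any
# enrolled client could pose as the VPN server to the others.
write_pki_config() {   # $1 = file
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF
}

build_ca() {   # $1 = directory; self-signed root, like easy-rsa's build-ca
    openssl req -x509 -new -config "$1/pki.cnf" -extensions ca \
        -newkey "rsa:$BITS" -nodes -days "$DAYS" \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=Lab OpenVPN CA" 2>/dev/null
    chmod 600 "$1/ca.key"   # the CA key never leaves the PC
}

build_key() {   # $1 = directory, $2 = name (server, client, ...), $3 = profile (server|client)
    openssl req -new -config "$1/pki.cnf" -newkey "rsa:$BITS" -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$DAYS" -extfile "$1/pki.cnf" -extensions "$3" \
        -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
}

build_dh() {   # $1 = directory; slow on the UC-7400 itself, hence done on the PC
    openssl dhparam -out "$1/dh1024.pem" 1024 2>/dev/null
}

# Check before copying anything to a device: the certificate chains to ca.crt
# and is usable for the intended role only ($2 = server or client).
cert_has_role() {   # $1 = certificate file, $2 = server|client, $3 = ca.crt
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -purpose | grep -q "^SSL $2 : Yes"
}

build_pki() {   # $1 = directory; returns 0 only if both certificates pass the role check
    mkdir -p "$1"
    write_pki_config "$1/pki.cnf"
    build_ca "$1"
    build_key "$1" server server
    build_key "$1" client client
    cert_has_role "$1/server.crt" server "$1/ca.crt" &&
    cert_has_role "$1/client.crt" client "$1/ca.crt"
}
```

On the devices, `ns-cert-type server` in the client configuration makes OpenVPN enforce the same role check at connect time.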
3-4-3 Configuration File Modification
• txx.server.conf
• txx.client.conf
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1–F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3 Alarm Setting: Temperature → Voltage → Burning throughput
• F4 Configuration Key
• F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are (supplier: model name):
ASUS: WL-107g
CNET: CWC-854 (181D version)
Edimax: EW-7108PCg
Amigo: AWP-914WG
Gigabyte: GN-WMKG
Others which use the R-Link chipset
Thank You
3-2 Define Default Policy
iptables -t [filter|nat|mangle] -P [INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING] [ACCEPT|DROP]
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter|nat|mangle] [-A|-I|-D|-R] [direction] [match] -j [target]
Three major things need to be considered: the direction (chain), the match and the target
3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: …
3-3-3 Matches – Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,…,p15]
6. -i [iface], -o [oface]
7. … etc.
3-3-4 Targets – Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: …
3-4 Save/Restore Rules
It is highly recommended to maintain the Netfilter rules in a script file instead of in the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter – Rules of the filter table
Example 1 – Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 – Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of the filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from the network 192.168.0.0/24 to the local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 7 – Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the target "LOG"
4-1 Packet Filter – Rules of the filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – Limit an ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of the filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of the filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets coming from 192.168.1.0/24 as the local ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the packets incoming from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
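The hands-on rules above kept in one script, as 3-4 recommends, rather than in an exported iptables-save file; this is an added example and not a Moxa script. It assumes eth0 is the Internet side with the address 60.248.66.75 and 192.168.127.0/24 is the internal LAN (the NAT-machine values above); the ordering (stateful rules first, default-deny policies, explicit FORWARD rules for the translated flows) is the part the individual examples do not show.

```shell
#!/bin/sh
# Added example for the hands-on slides (not a Moxa script): the filter and
# NAT rules of the examples above kept in one script, as slide 3-4
# recommends, instead of editing the exported iptables-save file.
# Assumptions (not from the deck): eth0 faces the Internet with the address
# 60.248.66.75, and 192.168.127.0/24 is the internal LAN behind the box.
IPT="${IPT:-iptables}"            # IPT="echo iptables" prints the rules instead of applying them
WAN_IF="${WAN_IF:-eth0}"
OUT_IP="${OUT_IP:-60.248.66.75}"
LAN_NET="${LAN_NET:-192.168.127.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.127.10}"

flush_rules() {
    $IPT -t filter -F
    $IPT -t nat -F
}

default_policy() {
    # Default deny for what arrives and what is forwarded; the box itself may talk out.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

input_rules() {
    $IPT -t filter -A INPUT -i lo -j ACCEPT                                          # Example 1
    # Example 12 comes first: replies to our own connections never reach the later
    # rules, and nothing below has to be repeated per direction.
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    $IPT -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP     # Example 9
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp -s 192.168.100.200 --syn -j DROP     # Example 8
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT  # Example 11
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 21 -j DROP                   # Example 5
    $IPT -t filter -A INPUT -p tcp -s "$LAN_NET" --dport 137:139 -j ACCEPT           # Example 6, LAN only
    $IPT -t filter -A INPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP: "           # Example 7
    $IPT -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
}

nat_rules() {
    # NAT Example 3: publish the internal web server on the WAN address
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 -j DNAT --to "$WEB_SERVER:80"
    # NAT Example 4 (SNAT): rewrite the LAN's source address on the way out
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to "$OUT_IP"
    # FORWARD is default-deny, so the translated flows must be allowed explicitly
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
    $IPT -t filter -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -m state --state NEW -j ACCEPT
}

apply_rules() {
    flush_rules
    default_policy
    input_rules
    nat_rules
}

# Print the complete rule set, one command per line, without touching the kernel
render_rules() {
    ( IPT="echo iptables"; apply_rules )
}

# Number of -A rules the script installs (a quick smoke test after editing)
count_appends() {
    render_rules | grep -c -- ' -A '
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  render_rules ;;
esac
```

Run `sh firewall.sh show` to review the generated commands, then `sh firewall.sh apply` as root; rerunning it is safe because it flushes first.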
OpenVPN 2.0 – Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast; high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys for n parties
• DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext with the secret key; Bob decrypts the ciphertext with the same secret key]
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5/SHA-1
[Diagram: Tom hashes the data into message digest 1 and sends data + digest 1; Bob runs the same hash function over the received data to get message digest 2 and compares it with digest 1]
1-4 Message Authentication Code
• Ensures data integrity
• Uses a key to protect the MAC
• HMAC/CBC-MAC
[Diagram: Tom hashes the data into message digest 1 and encrypts it with the secret key into the MAC, sending MAC + data; Bob hashes the received data into message digest 2, decrypts the MAC with the secret key back into digest 1 and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair – public/private keys
• In a session one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, any of the two can be public or private
• Less efficient than a static (symmetric) key
• RSA/Diffie-Hellman
[Diagram: clear text → encryption → cipher text]
1-5 Asymmetric Data Encryption
Confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair)
1-5 Asymmetric Data Encryption
Authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair)
1-6 Digital Signature
Real world – hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – uses the public key and a hash
1-6 Digital Signature – Creating
[Diagram: message or file "This is the document created by Gianni" → generate hash (SHA, MD5) → message digest "Py75cbn" (typically 128 bits) → asymmetric encryption (RSA) with the signatory's private key → digital signature "3kJfgf£$&"; the signature is attached to the document to form the signed document. A short message digest is calculated from even a long input using a one-way message digest function (hash)]
1-6 Digital Signature – Verifying
[Diagram: the signed document is split into the data "This is the document created by Gianni" and the digital signature "3kJfgf£$&"; generate hash over the data → message digest "Py75cbn"; asymmetric decryption of the signature with Gianni's public key (from the certificate) → message digest "Py75cbn"; compare the two]
1-6 Digital Signature
[Diagram: Tom hashes the data into message digest 1 and encrypts it with Tom's private key into the digital signature, sending data + signature; Bob hashes the received data into message digest 2, decrypts the signature with Tom's public key back into digest 1 and compares the two]
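The three integrity mechanisms of 1-3, 1-4 and 1-6 exercised end to end with the openssl command line, as an added example that is not part of the deck; the message, the shared MAC key and the signer's key pair are constructed for the demonstration, and the tampered copy shows what each mechanism detects.

```shell
#!/bin/sh
# Added example (not from the deck): the integrity mechanisms of slides
# 1-3, 1-4 and 1-6 exercised with the openssl command line on a constructed
# message. Each check function succeeds only when the mechanism accepts the
# input; the tampered copy shows that all three reject a modified message,
# while only the keyed ones (1-4, 1-6) also tell who produced it.
WORK="${WORK:-$(mktemp -d)}"
printf 'This is the document created by Gianni\n' > "$WORK/doc"
printf 'This is the document created by Gianni!\n' > "$WORK/doc.tampered"   # one byte appended
printf 'constructed-shared-secret-for-the-demo' > "$WORK/mac.key"           # 1-4 shared key (constructed)

# 1-3 Hash: anyone can recompute it, so on its own it only detects changes;
# it does not say who sent the data.
digest_of() { openssl dgst -sha1 "$1" | awk '{ print $NF }'; }
digests_match() { [ "$(digest_of "$1")" = "$(digest_of "$2")" ]; }

# 1-4 HMAC: the digest is keyed; without the shared key a forged message
# cannot be given a valid MAC.
hmac_of() { openssl dgst -sha1 -hmac "$(cat "$WORK/mac.key")" "$1" | awk '{ print $NF }'; }
hmac_valid() { [ "$(hmac_of "$1")" = "$2" ]; }   # $2 = the MAC received with the message

# 1-6 Digital signature: hash, then sign the digest with the signatory's
# private key; anyone holding the public key can verify, nobody else can sign.
make_signer_keys() {
    openssl genrsa -out "$WORK/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}
sign_file() { openssl dgst -sha1 -sign "$WORK/priv.pem" -out "$2" "$1"; }     # $1 = data, $2 = signature out
verify_file() { openssl dgst -sha1 -verify "$WORK/pub.pem" -signature "$2" "$1" >/dev/null 2>&1; }

# Runs the whole story; returns 0 only if every expected outcome holds.
run_demo() {
    make_signer_keys
    mac=$(hmac_of "$WORK/doc")
    sign_file "$WORK/doc" "$WORK/doc.sig"
    digests_match "$WORK/doc" "$WORK/doc" &&
    ! digests_match "$WORK/doc" "$WORK/doc.tampered" &&
    hmac_valid "$WORK/doc" "$mac" &&
    ! hmac_valid "$WORK/doc.tampered" "$mac" &&
    verify_file "$WORK/doc" "$WORK/doc.sig" &&
    ! verify_file "$WORK/doc.tampered" "$WORK/doc.sig"
}
```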
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key ("This public key belongs to Stephen"; the entity can be a person, a computer, a device, a file, some code, anything …)
… and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + owner information + digital signature]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Diagram: the CA holds its private key; Left and Right each hold their own private key, a certificate signed by the CA and the CA public key; each trusts the other's certificate because it is signed by the CA, and the CA's own public key is also signed by the CA]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair and the other side's public key; clear text is encrypted into cipher 1 and cipher 2, transmitted over the public network, and decrypted back to clear text]
• Ensures confidentiality, and integrity if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 – Hardware Cipher
• Intel XScale supports security engines DES, AES; algorithm modes ECB, CBC, CTR
• Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so": no need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
3-2 Define Default Policy
3-3 Structure of a Rule
3-3-1 Add, Insert, Delete and Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter|nat|mangle] [-A|-I|-D|-R] <direction> <match> -j <target>
Three things have to be decided for every rule: the direction (the chain the rule is hooked into), the match (which packets the rule applies to) and the target (what is done with a matching packet). -A appends the rule to the end of the chain, -I inserts it (at the top, or at a given position), -D deletes and -R replaces a rule.
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP] (a single address or a network in CIDR form, e.g. 192.168.1.0/24)
3. --sport [port], --dport [port] (a single port or a range such as 137:139; requires -p tcp or -p udp)
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --sports|--dports|--ports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR (MIRROR was experimental and has since been removed from the kernel)
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING/OUTPUT)
c. mangle table: ...
3-4 Save / Restore Rules
The running rule set can be exported with iptables-save and loaded back with iptables-restore. It is highly recommended to maintain the Netfilter rules in a script file instead of editing this exported file (it is not a standard shell script). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all packets arriving on the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all TCP packets arriving on eth0 from IP 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all TCP packets arriving on eth0 from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all TCP packets arriving on eth0 from IP 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Rules are evaluated in order and the first match wins: appended in this order, the packets from 192.168.1.25 are already accepted by the rule of example 3 and never reach the DROP. The more specific DROP rule has to come first (insert it with -I, or append it before the network rule).
Example 5 - Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets from 192.168.0.0/24 to the local ports 137, 138 and 139 (NetBIOS):
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
Example 7 - Log the incoming TCP packets to port 25 (log the SMTP service); the outgoing direction is covered by the same rule in the OUTPUT chain with --sport 25:
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
LOG is a non-terminating target: the packet is written to the kernel log (dmesg / syslog) and then continues through the following rules, so a LOG rule is normally placed directly before the ACCEPT or DROP rule for the same traffic.
Note: UC-7110 does not support the target "LOG".
Example 8 - Drop all TCP [SYN] packets (new connection attempts) from IP 192.168.100.200:
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all packets from MAC address aa:bb:cc:dd:ee:ff (the mac match is only available in the INPUT, FORWARD and PREROUTING chains, and only for packets received on an Ethernet interface):
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping" (drop ICMP echo requests, type 8):
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Survive an ICMP "ping" burst: with the INPUT policy set to DROP, accept at most a burst of 10 ICMP packets and afterwards 6 per minute; everything above the limit falls through to the default policy and is dropped:
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED and RELATED packets of the local host, and drop INVALID packets and NEW packets that try to open a connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
The state match relies on connection tracking (ip_conntrack). The ESTABLISHED,RELATED rule is usually the first rule of a chain, so that replies to connections the host opened itself are accepted without passing through every other check.
Example 13 - Check the packet integrity (the unclean match was an experimental module that dropped malformed packets; it was removed from later kernels, so do not rely on it):
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable "passive mode" FTP service to a host: load the FTP connection-tracking helper, which follows the PORT/PASV exchange on the control connection and marks the data connection as RELATED, then accept RELATED packets:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of nat table
Example 1 - Redirect the connection requests for port 80 to port 8080 on this machine (REDIRECT is only valid in PREROUTING and OUTPUT):
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 leaving through ppp0 so that they carry ppp0's IP address (MASQUERADE is only valid in POSTROUTING, which is also the only nat chain where -o may be used):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3 - DNAT the packets arriving on eth0 (60.248.66.75) for TCP port 80 to the internal web server 192.168.127.10, port 80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to-destination 192.168.127.10:80
Example 4 - Redirect the incoming packets for TCP port 80 to 192.168.1.10, TCP port 80 (a DNAT rule built like example 3). The rule shown below is the companion source NAT for the internal network 192.168.127.0/24: packets leaving the machine get the fixed external address $OUT_IP (use MASQUERADE instead when the external address is dynamic):
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to-source $OUT_IP
For the DNAT of example 3 to work, IP forwarding must be enabled and the FORWARD chain must accept the packets to 192.168.127.10:80; with a FORWARD policy of DROP, a matching ACCEPT rule is needed as well.
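The hands-on examples of 4-1 and 4-2, and the advice in 3-4 to keep the rules in a script rather than in the iptables-save output, come together in the following script. It is an added example written for this page, not a Moxa script: the interface names (eth0 on the WAN side with the address 60.248.66.75 from example 3, eth1 towards 192.168.127.0/24) and the web server 192.168.127.10 are assumptions. The script takes every value from the environment, so that IPT="echo iptables" turns it into a dry run that prints the rule set for review on a PC without root.

```shell
#!/bin/sh
# firewall.sh - stateful packet filter plus NAT for a two-interface UC-7400.
# Added example for the 4-1 / 4-2 hands-on, not a Moxa script. Assumptions:
# WAN on eth0 with the public address OUT_IP, LAN on eth1, one internal web
# server WEB_SRV. Every value can be overridden from the environment, and
# IPT="echo iptables" turns the script into a dry run that only prints rules.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.127.0/24}"
OUT_IP="${OUT_IP:-60.248.66.75}"
WEB_SRV="${WEB_SRV:-192.168.127.10}"

enable_forwarding() {
    # A NAT box must route. In dry-run mode only report what would be set.
    case "$IPT" in
        echo*) echo "sysctl net.ipv4.ip_forward=1" ;;
        *)     echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    esac
}

flush_all() {
    for t in filter nat; do
        $IPT -t $t -F
        $IPT -t $t -X
    done
}

default_policy() {
    # Default deny for traffic to and through the box; the box itself may talk out.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    # Order matters: first match wins, so the state rules go first and replies
    # to our own connections never reach the later, stricter checks.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Management (SSH and the web UI) from the LAN side only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 22,80 \
        -m state --state NEW -j ACCEPT
    # Stay pingable but absorb an echo-request flood (example 11 with an explicit policy).
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # LOG does not terminate rule traversal, so the DROP after it is still needed;
    # the limit keeps a flood from filling the log. (No LOG target on the UC-7110.)
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -i "$WAN_IF" -j DROP
    # Forwarding: LAN out, replies back, and only the published web server in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SRV" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

nat_rules() {
    # DNAT is only valid in PREROUTING and SNAT only in POSTROUTING. The FORWARD
    # rule above already sees the rewritten destination address.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$OUT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SRV:80"
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$OUT_IP"
}

apply_firewall() {
    enable_forwarding
    flush_all
    default_policy
    filter_rules
    nat_rules
}

# Apply when run as firewall.sh; when sourced (or tested) only define the functions.
case "$0" in *firewall.sh) apply_firewall ;; esac
```

Run it as /etc/openvpn/firewall.sh (or from an rc script) on the UC-7400, or as IPT="echo iptables" sh firewall.sh on a PC to read the 20 commands it would issue. Note how the published web server needs three rules that live in two tables: the DNAT in nat/PREROUTING, the ACCEPT in filter/FORWARD, and the SNAT in nat/POSTROUTING for the LAN's own outbound traffic.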
Thank You
OpenVPN 2.0
Stephen Lin

OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even by listening to the whole conversation.
Integrity
• Ensure that the message has not been modified during transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify who the specific individual behind that entity is.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
Fast; high efficiency for data transmission.
Is it "secure" while transferring the key? The same secret key has to reach both sides over a channel the attacker cannot read.
Key management: with n parties that each need a pairwise key, n(n-1)/2 keys have to be generated and distributed.
Algorithms: DES, 3DES, AES, Blowfish (DES with its 56-bit key is no longer considered secure).
[Diagram: Tom encrypts the plaintext with the secret key into the ciphertext; Bob decrypts the ciphertext with the same secret key back into the plaintext.]
1-3 Hash (Digest) Function
Ensures data integrity: a one-way function maps a message of any length to a short, fixed-length digest, and any change to the message changes the digest.
Algorithms: MD5, SHA-1 (both have since been broken for collision resistance; use SHA-2 for new designs).
[Diagram: Tom sends Data together with Message Digest 1 = Hash(Data); Bob recomputes Message Digest 2 over the received Data with the same hash function and compares it with Message Digest 1.]
A plain digest only detects accidental modification: whoever alters the data can recompute the digest as well, which is why the next section adds a key.
1-4 Message Authentication Code
Ensures data integrity and, because only the holders of the secret key can compute it, the authenticity of the message's origin.
A secret key is used to protect the digest: the MAC is computed from the data and the key, so an attacker without the key cannot produce a valid MAC for modified data.
Algorithms: HMAC (hash based), CBC-MAC (block-cipher based).
[Diagram: Tom computes Message Digest 1 over Data, protects it with the secret key and sends Data + MAC; Bob computes Message Digest 2 over the received Data, recovers Message Digest 1 from the MAC with the same secret key and compares the two digests.]
1-5 Asymmetric Encryption
Things to remember:
• Key pair - public and private key; in a session one of them is used for encryption and the other one for decryption.
• The "public key" can be deployed everywhere.
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text.
• For RSA the two keys are mathematically interchangeable (what one encrypts the other decrypts), so when a key pair is generated either one could in principle be the public one; in practice the public exponent is small and fixed and the roles are never swapped, and other algorithms do not have this symmetry at all.
• Much less efficient than symmetric encryption with a static key, so it is used to protect keys and digests rather than bulk data.
• Algorithms: RSA, Diffie-Hellman (the latter is a key-agreement method rather than an encryption algorithm).
[Diagram: clear text is encrypted into an unreadable cipher text such as "g$5knvMd'rk vegMs".]
1-5 Asymmetric Data Encryption - Confidentiality check
[Diagram: Tom encrypts the plaintext with Bob's public key; only Bob can decrypt the ciphertext, with Bob's private key. The recipient's key pair is used.]

1-5 Asymmetric Data Encryption - Authenticity check
[Diagram: Tom encrypts the plaintext with Tom's private key; anyone can decrypt it with Tom's public key, and a successful decryption proves that it came from Tom. The sender's key pair is used.]
1-6 Digital Signature
Real world - a hybrid of the previous primitives that provides 1. data integrity, 2. authenticity and 3. non-repudiation. 4. Algorithm: use the public-key pair together with a hash function.
1-6 Digital Signature - Creating
[Diagram: Message or file ("This is the document created by Gianni") → Generate hash (SHA, MD5) → Message digest ("Py75cbn", typically 128 bits for MD5 or 160 bits for SHA-1) → Asymmetric encryption (RSA) with the signatory's private key → Digital signature ("3kJfgf£$&"). The signed document is the message together with the digital signature.]
Calculate a short message digest from even a long input using a one-way message digest function (hash); only this digest is encrypted with the private key.
1-6 Digital Signature - Verifying
[Diagram: Signed document = message ("This is the document created by Gianni") + digital signature ("3kJfgf£$&"). The verifier generates the hash of the message again ("Py75cbn") and, in parallel, decrypts the digital signature with Gianni's public key (taken from the certificate) by asymmetric decryption, which yields the original message digest ("Py75cbn"). If the two digests compare equal, the data is intact and was signed by the holder of Gianni's private key.]
1-6 Digital Signature
[Diagram: Tom hashes Data to Message Digest 1 and encrypts the digest with Tom's private key; the result is the digital signature, which is sent together with Data. Bob hashes the received Data to Message Digest 2, decrypts the digital signature with Tom's public key to recover Message Digest 1 and compares the two digests.]
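The three primitives of 1-3, 1-4 and 1-6 can be exercised on the UC-7400 (or any Linux PC) with the openssl command-line tool that ships with the firmware. The following script is an added example, not part of the training material: it hashes, MACs and signs a constructed document, then changes one letter and shows which of the three checks an attacker without the keys can and cannot defeat. The file names, the sample text and the HMAC key are assumptions made here.

```shell
#!/bin/sh
# hashsign.sh - the primitives of 1-3, 1-4 and 1-6 driven with the openssl CLI.
# Added example, not from the training material; file names, the sample
# document and the HMAC key are constructed here.
set -u
WORK="${WORK:-$(mktemp -d)}"

# 1-3: a plain digest detects accidental change, but anyone can recompute it.
digest_of() {            # $1 = file -> hex digest
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# 1-4: the MAC needs the shared key both to create and to verify it.
hmac_of() {              # $1 = file, $2 = key -> hex MAC
    openssl dgst -sha256 -hmac "$2" "$1" | awk '{print $NF}'
}

# 1-6: sign the digest with the private key, verify with the public key alone.
make_keypair() {         # $1 = basename -> $1.key (private), $1.pub (public)
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

sign_file() {            # $1 = file, $2 = private key -> writes $1.sig
    openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

verify_file() {          # $1 = file, $2 = public key -> prints ok or FAIL
    if openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# The whole flow on a constructed document, before and after a one-letter edit.
demo() {
    doc="$WORK/document.txt"
    key="constructed-shared-secret"                                # 1-4 key
    printf 'This is the document created by Gianni\n' > "$doc"   # constructed input
    make_keypair "$WORK/gianni"
    sign_file "$doc" "$WORK/gianni.key"
    before=$(verify_file "$doc" "$WORK/gianni.pub")
    h1=$(digest_of "$doc"); m1=$(hmac_of "$doc" "$key")
    # An attacker who has the document but not the keys changes one letter ...
    printf 'This is the document created by Gianna\n' > "$doc"
    after=$(verify_file "$doc" "$WORK/gianni.pub")
    h2=$(digest_of "$doc"); m2=$(hmac_of "$doc" "$key")
    # ... the digest changes (he could recompute that himself), the MAC changes
    # (he cannot, without the shared key) and the signature no longer verifies.
    [ "$h1" != "$h2" ] && digest_changed=yes || digest_changed=no
    [ "$m1" != "$m2" ] && mac_changed=yes || mac_changed=no
    echo "signature-before=$before signature-after=$after digest-changed=$digest_changed mac-changed=$mac_changed"
}

case "$0" in *hashsign.sh) demo ;; esac
```

Running sh hashsign.sh prints signature-before=ok signature-after=FAIL digest-changed=yes mac-changed=yes. The point of the last two fields is the difference between 1-3 and 1-4: the attacker could ship a matching new digest with the edited document, but not a matching new MAC, and the signature check needs nothing secret on the verifier's side at all.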
1-7 Certificate
The simplest certificate just contains:
• a public key (for Stephen)
• information about the entity that is being certified to own that public key
... and the whole is:
• digitally signed by someone trusted (like your friend, or a CA).
[Diagram: certificate = "This public key belongs to Stephen" + public key + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates its own key pair (priv, pub). The user requests a certificate from the CA; the CA generates the certificate (the user's pub plus DS, the CA's digital signature over it), and the private key and certificate are sent to the user.]
In this flow the CA generates the user's private key and sends it out (as easy-rsa's build-key does when it is run on the CA machine), so the key has to travel over a secure channel; the cleaner procedure of 3-4-1 lets the peer generate its own key and send only a certificate request to the CA.

1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key and issues Left's certificate and Right's certificate, both signed by the CA. Left holds Left's private key, Left's certificate signed by the CA and the CA public key; Right holds Right's private key, Right's certificate signed by the CA and the CA public key. Left trusts Right, and vice versa, because the other side's certificate verifies under the CA public key that both already trust.]
1-7-2 SSL/TLS
[Diagram: both peers hold a key pair (priv, pub) and the other side's public key; the clear text is encrypted in two stages (Cipher 1, Cipher 2), transmitted over the public network and decrypted in the reverse order back to clear text.]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation. A public key that arrived unauthenticated (no certificate, no out-of-band check) protects only against a passive listener, not against a man in the middle.
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale (IXP42x) supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code.

1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), as OpenSSL itself does.
1-8-2 Performance
[Charts: throughput (left axis, 0-80) and the speed-up ratio "RATE" (right axis, 0-8) of 3DES-CBC and AES128-CBC against packet sizes of 128 to 1280 bytes; two further charts show AES128-CBC and 3DES-CBC for small packets of 16 to 144 bytes (ratio axis 0-2.5). Bars marked "= HW Cipher" are measured with the hardware engine, the others with the software implementation.]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration, or a busy engine, causes a switch to software
Small packets are switched to the software approach (the per-call overhead of the engine dominates for short buffers):
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network - Advantages / Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes.
A VPN encrypts all network traffic, not just a few application protocols (as SSL or SSH do).
A VPN allows the use of protocols which are insecure by themselves.
VPNs cannot be controlled and logged easily because of their encrypted nature: a firewall or IDS between the endpoints sees only the tunnel, so filtering has to happen at the tunnel endpoints.
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared static key or digital certificates (PKI)
Portability - supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4, Windows XP SP1 or later

2-2 Why OpenVPN
Peers - each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL VPN solution
• Built on top of the existing SSL/TLS mechanism
• A choice between a set of security algorithms (see openvpn --show-ciphers and --show-digests)
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port (5000 in OpenVPN 1.x, 1194 in 2.0)
2-2 OpenVPN Security
Two authentication modes:
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
[ HMAC | IV | { SeqN | IP / Ethernet payload } ]
• The part in braces is encrypted
• SeqN: 64-bit sequence number (packet id plus timestamp), used to reject replayed packets
• IV: plain-text initial vector, randomized per packet
• HMAC: computed over the IV and the encrypted payload (encrypt-then-MAC), so a tampered packet is rejected before anything is decrypted
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device: a virtual point-to-point IP link that connects the inner (LAN) interface with the tunnel.
Uses the kernel routing to forward the packets.
[Diagram: the OSI stacks of both peers (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the application layer and injects packets at layer 3 through the TUN device.]

2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
The bridge tools (brctl, from bridge-utils) are required to create the bridge.
A script is needed to bind eth1 and tap0 together into a bridged device called br0:
brctl addbr br0            # create an Ethernet bridge
brctl addif br0 eth1       # connect interface eth1 as a port
brctl addif br0 tap0       # connect virtual interface tap0 as a port (the bridge name is required)
The IP address of eth1 then has to be moved to br0: a port of a bridge carries no address of its own.
[Diagram: the OSI stacks of both peers; OpenVPN at the application layer feeds frames into TAP at layer 2, where they are bridged with eth1, while the TUN alternative attaches at layer 3. Each peer has eth0 (tunnel transport), eth1 (LAN) and tap0.]

2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for the character device "tun"; if it is missing, create it: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]. The key file must be copied to the peer over a secure channel (scp) and kept readable by root only; anyone who obtains it can decrypt and inject tunnel traffic.
Self diagnostic: openvpn --test-crypto --secret [KeyName]

3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create / start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers and authentication (digest) algorithms: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun-server.conf
[At the VPN client] vi /etc/openvpn/tun-client.conf
3-2 TUN Server Configuration
The local and remote VPN (tunnel endpoint) IP addresses must be specified with "ifconfig <local> <remote>"; the client uses the same two addresses in the opposite order.
It is NECESSARY to specify the server address ("remote") at the VPN client.

3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tun-server.sh; chmod +x /etc/openvpn/tun-server.sh
[At the VPN client] vi /etc/openvpn/tun-client.sh; chmod +x /etc/openvpn/tun-client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun-server.conf &
[At the VPN client] openvpn --config /etc/openvpn/tun-client.conf &
The second argument of "ifconfig" (the remote endpoint) is now 10.0.2.254.
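The contents of tun-server.conf and tun-client.conf are not reproduced on the slides. The following script, an added example written for this page rather than the lab's own files, writes a static-key pair of them for the 3-1 topology and checks the one detail that most often goes wrong: the two "ifconfig" arguments have to be mirrored between the ends. The tunnel endpoints 10.8.0.1 and 10.8.0.2, UDP port 1194, AES-128-CBC with SHA1 and the use of OpenVPN's "route" directive instead of the tun-server.sh / tun-client.sh route scripts are assumptions made here.

```shell
#!/bin/sh
# tun-static.sh - write the static-key tun-server.conf / tun-client.conf pair
# for the 3-1 lab topology. Added example, not the lab's own files. Assumed:
# tunnel endpoints 10.8.0.1 (server) and 10.8.0.2 (client), UDP port 1194,
# AES-128-CBC with SHA1 HMAC, and OpenVPN's "route" directive in place of the
# tun-server.sh / tun-client.sh route scripts.
set -u
CONF_DIR="${CONF_DIR:-/etc/openvpn}"
SERVER_WAN="${SERVER_WAN:-192.168.12.201}"   # ixp0 of the VPN server
LAN_A="${LAN_A:-10.0.1.0 255.255.255.0}"      # behind the server (ixp1 10.0.1.254)
LAN_B="${LAN_B:-10.0.2.0 255.255.255.0}"      # behind the client (ixp1 10.0.2.254)
TUN_SRV="${TUN_SRV:-10.8.0.1}"
TUN_CLI="${TUN_CLI:-10.8.0.2}"

common_options() {       # identical on both ends; a cipher/auth/comp mismatch kills the tunnel
    cat <<EOF
dev tun
proto udp
port 1194
secret $CONF_DIR/static.key
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
comp-lzo
verb 3
EOF
}

write_server_conf() {    # $1 = output file
    {
        echo "# tun-server.conf: waits for the client; LAN B is reached through the tunnel"
        common_options
        echo "ifconfig $TUN_SRV $TUN_CLI"
        echo "route $LAN_B"
    } > "$1"
}

write_client_conf() {    # $1 = output file
    {
        echo "# tun-client.conf: connects to the server; ifconfig arguments swapped"
        echo "remote $SERVER_WAN"
        common_options
        echo "ifconfig $TUN_CLI $TUN_SRV"
        echo "route $LAN_A"
    } > "$1"
}

# The local endpoint of one side must be the remote endpoint of the other.
check_pair() {           # $1 = server conf, $2 = client conf -> prints ok or mismatch
    s=$(awk '$1=="ifconfig"{print $2" "$3}' "$1")
    c=$(awk '$1=="ifconfig"{print $3" "$2}' "$2")
    [ "$s" = "$c" ] && echo ok || echo mismatch
}

generate() {             # $1 = directory -> writes both files, prints the check result
    write_server_conf "$1/tun-server.conf"
    write_client_conf "$1/tun-client.conf"
    check_pair "$1/tun-server.conf" "$1/tun-client.conf"
}

case "$0" in *tun-static.sh)
    # Generate the key only once; it then has to be copied to the peer with scp.
    [ -f "$CONF_DIR/static.key" ] || openvpn --genkey --secret "$CONF_DIR/static.key"
    generate "$CONF_DIR" ;;
esac
```

Run sh tun-static.sh on the server, copy static.key and tun-client.conf to the client, and start each side with openvpn --config as in 3-2. Because the "route" lines are inside the configuration, OpenVPN adds the route to the far LAN when the tunnel comes up and removes it when it goes down, which is what the tun-server.sh / tun-client.sh scripts of the slides do by hand.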
3-3 TAP Configuration
Create the TAP configuration files: vi /etc/openvpn/tap-server.conf
[At the VPN client] vi /etc/openvpn/tap-client.conf

3-3 TAP Configuration - VPN Server
Comment out ("mark") this line if both VPN networks are in the same subnet: bridged sites form one broadcast domain and need no route between them.
Edit the static routes: vi /etc/openvpn/tap-server.sh; chmod +x /etc/openvpn/tap-server.sh
[At the VPN client] vi /etc/openvpn/tap-client.sh; chmod +x /etc/openvpn/tap-client.sh
The routes point at the kernel routing on the bridge: br0 = 10.0.1.254

3-3 TAP Configuration - VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap-server.conf &
[At the VPN client] openvpn --config /etc/openvpn/tap-client.conf &
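The bridge that 2-3-2 builds with brctl and that 3-3 starts through the "openvpn-bridge" script is shown below as a complete start/stop script. It is an added example in the spirit of the Moxa script named on the slides, not that script itself; the interface names (eth1, tap0, br0) and the bridge address 10.0.1.254/24 from the lab topology are assumptions. The three tool names can be overridden from the environment, which allows a dry run that only prints the commands.

```shell
#!/bin/sh
# openvpn-bridge - start/stop a br0 bridge joining eth1 and tap0 for TAP mode.
# Added example modelled on the script named in the slides, not that script;
# interface names and the 10.0.1.254/24 address are assumptions.
# Dry run: BRCTL="echo brctl" IFCONFIG="echo ifconfig" OPENVPN="echo openvpn"
set -u
BR="${BR:-br0}"
ETH="${ETH:-eth1}"
TAP="${TAP:-tap0}"
BR_IP="${BR_IP:-10.0.1.254}"
BR_MASK="${BR_MASK:-255.255.255.0}"
BRCTL="${BRCTL:-brctl}"
IFCONFIG="${IFCONFIG:-ifconfig}"
OPENVPN="${OPENVPN:-openvpn}"

bridge_start() {
    # Create the persistent TAP device first, then attach both ports to the bridge.
    $OPENVPN --mktun --dev "$TAP"
    $BRCTL addbr "$BR"
    $BRCTL addif "$BR" "$ETH"
    $BRCTL addif "$BR" "$TAP"      # the bridge name is required here
    # Bridge ports carry no address of their own: the LAN address moves to br0.
    $IFCONFIG "$ETH" 0.0.0.0 promisc up
    $IFCONFIG "$TAP" 0.0.0.0 promisc up
    $IFCONFIG "$BR" "$BR_IP" netmask "$BR_MASK" up
}

bridge_stop() {
    $IFCONFIG "$BR" down
    $BRCTL delbr "$BR"
    $OPENVPN --rmtun --dev "$TAP"
    # Give eth1 its address back so the box stays reachable without the bridge.
    $IFCONFIG "$ETH" "$BR_IP" netmask "$BR_MASK" up
}

bridge_ctl() {           # $1 = start|stop|restart -> returns 0 for a valid action
    case "$1" in
        start)   bridge_start ;;
        stop)    bridge_stop ;;
        restart) bridge_stop; bridge_start ;;
        *)       echo "usage: $0 {start|stop|restart}" >&2; return 1 ;;
    esac
}

case "$0" in *openvpn-bridge) bridge_ctl "${1:-}" ;; esac
```

The ordering is the part that matters: the TAP device has to exist before brctl can add it, and the address has to be taken off eth1 before it is given to br0, otherwise the LAN side answers on two interfaces at once. Since this script runs before OpenVPN, tap-server.conf refers to the persistent device with "dev tap0" and OpenVPN neither creates nor removes it.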
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf and pre-enter the default_days, default_bits, ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate request with the CA: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client (the private key over a secure channel only; the CA's own private key never leaves the CA machine).
Have the second client certified the same way (-newreq, -sign, copy).
3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file (KEY_COUNTRY, KEY_ORG, ... and KEY_SIZE): vi /etc/openvpn/easy-rsa/vars
Activate the vars (source them into the current shell): . /etc/openvpn/easy-rsa/vars
Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server (build-key-server server adds the nsCertType=server extension, which lets the clients verify with "ns-cert-type server" that they are talking to the real server and not to another client)
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (1024 bits here; the size comes from KEY_SIZE in vars)
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client; the keys travel over a secure channel, and the CA key (ca.key) stays on the CA machine
The "easy-rsa" tools also work on the UC-7400 series.
3-4-3 Configuration File Modification
tXX-server.conf, tXX-client.conf (the tun-/tap- configuration files created above): replace the static "secret" with the SSL/TLS files, so that the server carries ca, cert, key and dh and each client carries ca and its own cert and key.
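What build-ca, build-key-server and build-key (3-4-2) do behind the scenes, and what the CA script of 3-4-1 does step by step, is spelled out in the following script with plain openssl commands, together with the lines that replace "secret" in the tXX-*.conf files (3-4-3) and the check from 1-7-1 that a peer performs before trusting the other side. It is an added example written for this page, not Moxa's or OpenVPN's code; the directory layout, the certificate subjects, the 2048-bit keys and the lifetimes are assumptions (easy-rsa takes them from vars).

```shell
#!/bin/sh
# pki-build.sh - what build-ca, build-key-server and build-key do, spelled out
# with plain openssl commands, plus the lines that replace "secret" in the
# tXX-*.conf files. Added example, not Moxa's or OpenVPN's code; the directory
# layout, subjects, 2048-bit keys and lifetimes are assumptions (easy-rsa
# takes them from vars).
set -u

new_key() {              # $1 = basename -> $1.key, readable by the owner only
    ( umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null )
}

build_ca() {             # $1 = dir: self-signed root that every peer must trust
    new_key "$1/ca"
    openssl req -new -key "$1/ca.key" -subj "/C=TW/O=Moxa training/CN=Lab CA" \
        -out "$1/ca.csr" 2>/dev/null
    # Mark it as a CA explicitly instead of relying on the openssl.cnf defaults.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 3650 \
        -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

build_cert() {           # $1 = dir, $2 = name, $3 = server|client
    new_key "$1/$2"
    # The peer's key never has to leave the peer: only the request goes to the CA.
    openssl req -new -key "$1/$2.key" -subj "/C=TW/O=Moxa training/CN=$2" \
        -out "$1/$2.csr" 2>/dev/null
    # nsCertType=server is what build-key-server adds; with "ns-cert-type server"
    # a client refuses another client's certificate that poses as the server.
    if [ "$3" = server ]; then
        printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$1/$2.ext"
    else
        printf 'nsCertType=client\nextendedKeyUsage=clientAuth\n' > "$1/$2.ext"
    fi
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

build_dh() {             # $1 = dir: Diffie-Hellman parameters, server side only (slow)
    openssl dhparam -out "$1/dh1024.pem" 1024 2>/dev/null
}

verify_cert() {          # $1 = dir, $2 = name -> prints ok or FAIL (chain to ca.crt)
    if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

cert_role() {            # $1 = crt -> prints server or client from the EKU extension
    if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo server
    else
        echo client
    fi
}

tls_conf() {             # $1 = key dir, $2 = server|client -> the lines of 3-4-3
    if [ "$2" = server ]; then
        printf 'tls-server\nca %s/ca.crt\ncert %s/server.crt\nkey %s/server.key\ndh %s/dh1024.pem\n' \
            "$1" "$1" "$1" "$1"
    else
        printf 'tls-client\nca %s/ca.crt\ncert %s/client.crt\nkey %s/client.key\nns-cert-type server\n' \
            "$1" "$1" "$1"
    fi
}

build_all() {            # $1 = dir -> CA, server and client certs; prints the verification
    build_ca "$1"
    build_cert "$1" server server
    build_cert "$1" client client
    echo "server=$(verify_cert "$1" server) client=$(verify_cert "$1" client)"
}

case "$0" in *pki-build.sh)
    d="${1:-/etc/openvpn/keys}"; mkdir -p "$d"; build_all "$d"; build_dh "$d"
    tls_conf "$d" server ;;
esac
```

sh pki-build.sh /etc/openvpn/keys builds the whole lab PKI and prints the five lines to paste into tXX-server.conf in place of "secret"; tls_conf client prints the client's counterpart. A certificate issued by a different CA fails verify_cert even though it is perfectly well formed, which is the whole point of 1-7-1: trust comes from the CA public key both sides already hold, not from the certificate itself.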
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple.
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability.
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration key
F5 Main menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier | Model name
ASUS | WL-107g
CNET | CWC-854 (181D version)
Edimax | EW-7108PCg
Amigo | AWP-914WG
Gigabyte | GN-WMKG
Others which use the Ralink (R-Link) chipset
Thank You
3-3 Structure of a Rule3-3 Structure of a Rule
3-3-1 Add Insert Delete an Replace Rules
3-3-2 Direction
3-3-3 Matches
3-3-4 Targets
3-3-1 Add Insert Delete and Replace3-3-1 Add Insert Delete and Replace
iptables ndasht filter nat mangle
AI DR
ndash direction match target
3 major things needed
to be considered
ndashj
3-3-2 Direction ndash Chains3-3-2 Direction ndash Chains
a filter Table INPUT
OUTPUT
FORWARD
b nat Table PREROUTING
POSTROUTING
OUTPUT
c mangle table hellip
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Accept all the packets incoming from lo interface
Example 2 ndash Accept all the TCP packets incoming from
IP = 19216801
iptables ndasht filter ndashA INPUT ndashi lo ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 19216801 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 3 ndash Accept all the TCP packets incoming from the network
1921681024
Example 4 ndash Drop all the TCP packets incoming from IP = 192168125
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 1921681024 -j ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 192168125 ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 5 ndash Drop all the Incoming TCP packets with dst Port = 21
(forbid FTP Connection from eth0)
Example 6 ndash Accept TCP packets incoming from IP 192168024 to
local port number 137138 and 139
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndash ndashdport 21 ndashj DROP
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp ndashs
192168024 ndash ndashdport 137139 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session, one key is used for encryption and the other one for decryption
• The "Public Key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static key
• RSA, Diffie-Hellman
[Diagram: clear text is turned into unreadable cipher text by the encryption step]
1-5 Asymmetric Data Encryption
[Diagram, confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair)]
1-5 Asymmetric Data Encryption
[Diagram, authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair)]
1-6 Digital Signature
Real world: hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: use the public key and a hash
1-6 Digital Signature - Creating
[Diagram: the message or file "This is the document created by Gianni" is passed through a hash (SHA, MD5) to generate a message digest (typically 128 bits); the digest is encrypted with the signatory's private key (asymmetric encryption, RSA) to produce the digital signature, which is attached to the message to form the signed document]
• Calculate a short message digest from even a long input using a one-way message digest function (hash)
1-6 Digital Signature - Verifying
[Diagram: the verifier generates the message digest of the received document with the same hash, decrypts the digital signature with Gianni's public key (from the certificate) to recover the signed digest, and compares the two digests]
1-6 Digital Signature
[Diagram: Tom hashes the data into message digest 1, encrypts the digest with Tom's private key to form the digital signature and sends data + signature; Bob decrypts the signature with Tom's public key to recover digest 1, hashes the received data into digest 2, and compares]
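The hash, HMAC and digital-signature steps of 1-3, 1-4 and 1-6 exercised with the openssl command-line tool, as an added example that is not part of the slides. It assumes openssl is installed and uses SHA-256 instead of the slides' MD5/SHA-1; the document text, the HMAC key and the RSA key pair are constructed here.

```shell
#!/bin/sh
# Added example (not from the slides): hash, HMAC and RSA signature with openssl.
# Assumes the openssl binary is installed; all inputs below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1-3 Hash: a fixed-size digest of an arbitrarily long input (SHA-256 here).
digest() {                      # $1 = file
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# 1-4 MAC: the digest is bound to a shared secret key, so a third party that
# changes the data cannot produce a matching tag.
hmac_tag() {                    # $1 = file, $2 = shared key
    openssl dgst -sha256 -hmac "$2" "$1" | awk '{print $NF}'
}

# 1-6 Signature: hash the data, then transform the digest with the signatory's
# private key; anyone holding the public key can check it.
make_keypair() {                # $1 = private key out, $2 = public key out
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}
sign_file() {                   # $1 = file, $2 = private key, $3 = signature out
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}
verify_file() {                 # $1 = file, $2 = public key, $3 = signature; 0 = valid
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

# The slides' scenario: Tom signs the document, Bob verifies it with Tom's public key.
signature_roundtrip() {         # returns 0 when the untouched document verifies
    printf 'This is the document created by Gianni\n' > "$WORK/doc.txt"
    make_keypair "$WORK/tom.key" "$WORK/tom.pub"
    sign_file "$WORK/doc.txt" "$WORK/tom.key" "$WORK/doc.sig"
    verify_file "$WORK/doc.txt" "$WORK/tom.pub" "$WORK/doc.sig"
}

# Integrity: one changed byte in transit must make Bob's check fail.
tampered_signature_detected() { # returns 0 when the modification is caught
    signature_roundtrip || return 1
    printf 'This is the document created by Giannu\n' > "$WORK/doc.txt"
    ! verify_file "$WORK/doc.txt" "$WORK/tom.pub" "$WORK/doc.sig"
}

# Same idea with the keyed digest of 1-4: different data, different tag.
hmac_detects_change() {         # returns 0 when the two HMAC tags differ
    printf 'payload A\n' > "$WORK/a.txt"
    printf 'payload B\n' > "$WORK/b.txt"
    [ "$(hmac_tag "$WORK/a.txt" demo-key)" != "$(hmac_tag "$WORK/b.txt" demo-key)" ]
}

if signature_roundtrip; then echo "original document: signature verifies"; fi
if tampered_signature_detected; then echo "modified document: signature rejected"; fi
echo "SHA-256 of the document: $(digest "$WORK/doc.txt")"
```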
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the certification server (CA) generates its own key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Diagram: the CA private key signs both certificates. Left holds its own private key, its certificate signed by the CA and the CA public key; Right holds its own private key, its certificate signed by the CA and the CA public key; the CA public key itself is signed by the CA. Left and Right trust each other through the CA's signature]
1-7-2 SSL/TLS
[Diagram: the clear text is encrypted with one key pair into cipher 1 and with the other key pair into cipher 2, transmitted over the public network, and decrypted in the reverse order back to clear text]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, ECR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput and rate of 3DES-CBC and AES128-CBC versus packet size, for 128 to 1280 bytes and for 16 to 144 bytes; software cipher compared with the hardware cipher (= HW Cipher)]
1-8-3 Things to be noticed
Moxa UC-7400 switches operation between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy condition causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
[Diagram: packet layout HMAC | IV | SeqN | IP payload; SeqN and the IP payload are encrypted, the IV stays in plain text, and the HMAC is computed over the IV and the encrypted part]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) joined by OpenVPN through the TUN device at layer 3]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: two OSI stacks joined by OpenVPN through the TAP device at layer 2 (TUN sits at layer 3); each side shows eth0, eth1 and tap0, with eth1 and tap0 bridged]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Network diagram: LAN A (host 10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN Server, which is also the CA/TLS server; its ixp1 is 10.0.1.254 and its ixp0 is 192.168.12.201. LAN B (host 10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN Client; its ixp1 is 10.0.2.254 and its ixp0 is 192.168.12.202. The client connects to the server and the VPN tunnel runs between the two ixp0 interfaces]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
• [At VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
• [At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & ; openvpn --config /etc/openvpn/tunclient.conf &
• Callout: the 2nd argument of "ifconfig", which is now "10.0.2.254"
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
• [At VPN client] vi /etc/openvpn/tapclient.conf
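An added example, not the slides' own tunserver.conf/tunclient.conf (those were shown as screenshots), that generates both static-key TUN configurations for the 3-1 lab network; the tunnel endpoint addresses 10.8.0.1/10.8.0.2, the key file path and the cipher choice are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the slides): static-key TUN configurations for the 3-1 lab.
# VPN Server: 192.168.12.201, in front of LAN A 10.0.1.0/24.
# VPN Client: 192.168.12.202, in front of LAN B 10.0.2.0/24.
# Assumptions: tunnel endpoints 10.8.0.1/10.8.0.2, key made with
# "openvpn --genkey --secret /etc/openvpn/static.key", cipher AES-128-CBC.
set -e
SERVER_ADDR=${SERVER_ADDR:-192.168.12.201}
KEY_FILE=${KEY_FILE:-/etc/openvpn/static.key}

print_tun_conf() {          # $1 = server | client; writes the configuration to stdout
    case "$1" in
        server) local_ip=10.8.0.1; remote_ip=10.8.0.2; remote_lan=10.0.2.0 ;;
        client) local_ip=10.8.0.2; remote_ip=10.8.0.1; remote_lan=10.0.1.0 ;;
        *) echo "usage: print_tun_conf server|client" >&2; return 2 ;;
    esac
    echo "dev tun"                          # routed (layer 3) tunnel, section 2-3-1
    echo "proto udp"
    echo "port 1194"
    if [ "$1" = client ]; then
        echo "remote $SERVER_ADDR"          # the client MUST know the server address (3-2)
    fi
    # local tunnel address first, then the remote endpoint: that 2nd argument of
    # ifconfig is the gateway the route below is reached through
    echo "ifconfig $local_ip $remote_ip"
    echo "route $remote_lan 255.255.255.0"  # far LAN via the tunnel (replaces the route script)
    echo "secret $KEY_FILE"                 # static-key mode: same pre-shared key on both ends
    echo "cipher AES-128-CBC"               # must appear in "openvpn --show-ciphers" on both ends
    echo "auth SHA1"                        # HMAC over every packet (2-2 packet format)
    echo "keepalive 10 60"
    echo "persist-key"
    echo "persist-tun"
    echo "verb 3"
}

write_tun_conf() {          # $1 = server | client, $2 = output file
    print_tun_conf "$1" > "$2"
}

conf_value() {              # $1 = directive; prints its arguments from a config read on stdin
    awk -v k="$1" '$1 == k { sub(/^[^ ]+ */, ""); print; exit }'
}

# e.g. "sh gen-tun.sh server > /etc/openvpn/tunserver.conf"
case "${1:-}" in
    server|client) print_tun_conf "$1" ;;
esac
```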
3-3 TAP Configuration - VPN Server
• Callout on the server configuration: mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
• Edit the static routes: vi /etc/openvpn/tunserver.sh
• [At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
• Callout: pointed to the kernel routing, br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & ; openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-enter the default_days, default_bits ... etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
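The build-ca / build-key / verify steps of 3-4-1 and 3-4-2 performed directly with openssl, as an added example rather than the easy-rsa scripts themselves; it assumes openssl is installed, and the CA name Lab-CA and the node names are constructed. It also shows the check that matters when two sites each run their own PKI: a certificate issued by a different CA is rejected.

```shell
#!/bin/sh
# Added example (not the easy-rsa scripts): a minimal CA with openssl.
# Assumes the openssl binary; "Lab-CA", "Other-CA", "server" and "client" are made up.
set -e
DAYS=${DAYS:-365}
BITS=${BITS:-2048}

build_ca() {                   # $1 = directory, $2 = CA common name  (easy-rsa build-ca)
    mkdir -p "$1"
    openssl genrsa -out "$1/ca.key" "$BITS" 2>/dev/null
    chmod 600 "$1/ca.key"      # the CA private key never leaves the CA host
    openssl req -new -x509 -key "$1/ca.key" -subj "/CN=$2" -days "$DAYS" \
        -out "$1/ca.crt" 2>/dev/null
}

build_key() {                  # $1 = directory, $2 = node name  (easy-rsa build-key)
    openssl genrsa -out "$1/$2.key" "$BITS" 2>/dev/null
    chmod 600 "$1/$2.key"
    # the request carries only the node's public key and name; the CA signs it
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$DAYS" -out "$1/$2.crt" 2>/dev/null
}

build_dh() {                   # $1 = directory  (easy-rsa build-dh; slow, not run by default)
    openssl dhparam -out "$1/dh1024.pem" 1024 2>/dev/null
}

verify_cert() {                # $1 = directory holding ca.crt, $2 = certificate; 0 = chain OK
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# 3-4-2 distribution: the VPN server gets ca.crt, server.key, server.crt;
# the client gets ca.crt, client.key, client.crt. Only ca.crt is shared.
issue_lab_pki() {              # $1 = directory; 0 when both node certificates verify
    build_ca "$1" Lab-CA
    build_key "$1" server
    build_key "$1" client
    verify_cert "$1" "$1/server.crt" && verify_cert "$1" "$1/client.crt"
}

# A peer presenting a certificate from a CA we do not hold must be refused.
foreign_cert_rejected() {      # $1 = work directory; 0 when the foreign cert fails
    build_ca "$1/pki-a" Lab-CA
    build_ca "$1/pki-b" Other-CA
    build_key "$1/pki-b" client
    ! verify_cert "$1/pki-a" "$1/pki-b/client.crt"
}

if [ "${1:-}" = demo ]; then
    D=$(mktemp -d)
    issue_lab_pki "$D" && echo "server and client certificates verify against $D/ca.crt"
    foreign_cert_rejected "$D" && echo "certificate from Other-CA rejected by Lab-CA"
    rm -rf "$D"
fi
```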
3-4-3 Configuration File Modification
• txxserver.conf
• txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3 Alarm Setting: Temperature → Voltage → Burning throughput
• F4 Configuration Key
• F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others which use the Ralink chipset
Thank You
3-3-1 Add, Insert, Delete and Replace
iptables -t [filter | nat | mangle] -[A | I | D | R] [chain] [match] -j [target]
Three major things need to be considered: the direction (chain), the match and the target
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp | udp | icmp | all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
c. mangle table: ...
3-4 Save / Restore Rules
It is highly recommended to maintain the Netfilter rules in a script file instead of using the exported file (it is not a standard script file). Please refer to the hands-on practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice
   1) Packet Filter
   2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter - Rules of the filter table
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 7 - Log all the incoming/outgoing TCP packets with to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter - Rules of the filter table
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of the filter table
Example 13 - Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 - Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 to be the local ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
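The 4-1 and 4-2 rules combined into one ordered script for a UC acting as LAN gateway, added here as an example that is not from the slides; the interface names, the LAN prefix, the blocked host/MAC values and the DRY_RUN switch are assumptions of this example. The point it makes beyond the single rules is ordering: stateful ACCEPT first, explicit allows next, DROP last, with a DROP policy as the safety net.

```shell
#!/bin/sh
# Added example (not from the slides): one ordered rule set for a UC gateway with the
# LAN on eth0, the uplink on ppp0 and the internal web server 192.168.127.10 of 4-2
# example 3. Interface/address values are assumptions; DRY_RUN=1 prints the commands.
set -e
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_SRV=${WEB_SRV:-192.168.127.10}

ipt() {                                  # apply one rule, or print it under DRY_RUN
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_filter_rules() {
    ipt -t filter -F INPUT
    ipt -t filter -F FORWARD
    ipt -t filter -P INPUT DROP           # ex. 11: deny by default
    ipt -t filter -P FORWARD DROP
    ipt -t filter -A INPUT -i lo -j ACCEPT                                   # ex. 1
    # ex. 12: replies to our own connections pass, malformed packets are dropped
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -m state --state INVALID -j DROP
    # ex. 5: no FTP control connections to this box from the LAN side
    ipt -t filter -A INPUT -i "$LAN_IF" -p tcp --dport 21 -j DROP
    # ex. 6: NetBIOS/SMB only from the LAN network
    ipt -t filter -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 137:139 -j ACCEPT
    # ex. 8: refuse connection attempts from one host (constructed address)
    ipt -t filter -A INPUT -i "$LAN_IF" -p tcp -s 192.168.100.200 --syn -j DROP
    # ex. 9: block by MAC address (constructed); the match is "-m mac --mac-source"
    ipt -t filter -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
    # ex. 11: still answer ping, but at most 6/min with a burst of 10
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # ex. 7: log new SMTP connections (UC7110 has no LOG target: drop this line there)
    ipt -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j LOG --log-prefix "smtp-new: "
    # ex. 12: everything else that tries to open a connection is dropped
    ipt -t filter -A INPUT -m state --state NEW -j DROP
    # forwarding: LAN may go out, replies may come back, and the published web server
    # (DNAT below) may be reached from the uplink; ex. 14 makes passive FTP RELATED
    ipt -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SRV" --dport 80 -j ACCEPT
}

apply_nat_rules() {
    ipt -t nat -F
    # 4-2 ex. 2: MASQUERADE lives in POSTROUTING and is keyed on the outgoing
    # interface, so LAN traffic leaves with whatever address ppp0 currently has
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # 4-2 ex. 3: publish the internal web server on the uplink's port 80
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV:80"
}

case "${1:-}" in
    apply) modprobe ip_conntrack_ftp 2>/dev/null || true     # ex. 14 helper module
           apply_filter_rules; apply_nat_rules ;;
    show)  DRY_RUN=1; apply_filter_rules; apply_nat_rules ;;
    "")    ;;                                                # define functions only
    *)     echo "usage: $0 {apply|show}" >&2; exit 1 ;;
esac
```

Keeping the rules in a script like this is the maintenance approach 3-4 recommends over editing the exported rule file.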
Thank You
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
3-3-2 Direction - Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING, OUTPUT
c. mangle table: ...
3-3-3 Matches - Conditions
1. -p [proto]: tcp, udp, icmp, all
2. -s [IP], -d [IP]
3. --sport [port], --dport [port]
4. -m state --state [state]: NEW, ESTABLISHED, INVALID, RELATED
5. -m multiport --ports [p1,p2,...,p15]
6. -i [iface], -o [oface]
7. ... etc.
3-3-4 Targets - Actions
a. filter table: ACCEPT, DROP, QUEUE, RETURN; target extensions: LOG, ULOG, REJECT, MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (PREROUTING/OUTPUT)
c. mangle table: ...
3-4 Save / Restore Rules
iptables-save writes the current rule set to stdout; iptables-restore loads such a dump back in one atomic step. It is highly recommended to maintain the Netfilter rules in a script file of your own instead of hand-editing the exported file: it is not a shell script, and a single bad line makes iptables-restore reject the whole dump. Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all packets arriving on the lo interface:
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all TCP packets arriving on eth0 from IP 192.168.0.1:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 3 - Accept all TCP packets arriving on eth0 from the network 192.168.1.0/24:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all TCP packets arriving on eth0 from IP 192.168.1.25:
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Rules are evaluated in order and the first match wins: appended in this sequence, the /24 ACCEPT of Example 3 matches 192.168.1.25 before the DROP of Example 4 is ever reached, so the more specific DROP must be inserted first.
4-1 Packet Filter - Rules of the filter table
Example 5 - Drop all incoming TCP packets with destination port 21 (forbid FTP connections from eth0):
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets arriving on eth0 from IP 192.168.0.24 to the local ports 137, 138 and 139 (NetBIOS):
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 7 - Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service):
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
iptables -t filter -A OUTPUT -p tcp --sport 25 -j LOG
LOG is a non-terminating target: the packet continues to the next rule, so an ACCEPT or DROP decision still has to follow it.
Note: the UC-7110 does not support the "LOG" target.
4-1 Packet Filter - Rules of the filter table
Example 8 - Drop all TCP [SYN] packets from IP 192.168.100.200 (no new connections from that host):
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all packets from MAC address aa:bb:cc:dd:ee:ff (only meaningful on a directly attached segment, since the source MAC is rewritten at every router hop):
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping" (drop ICMP echo requests, type 8):
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - Rate-limit an ICMP "ping" burst: set the default INPUT policy to DROP, then accept ICMP at 6 packets per minute with a burst of 10:
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
With the policy set to DROP every other incoming packet is refused as well, including the replies of connections the host opened itself; add an ACCEPT for lo and the state rules of Example 12 before relying on this.
4-1 Packet Filter - Rules of the filter table
Example 12 - Accept the ESTABLISHED and RELATED packets of connections the local host already has; drop INVALID packets and NEW packets that try to open a connection:
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of the filter table
Example 13 - Check packet integrity (the experimental "unclean" match drops malformed packets; it is not built into every kernel):
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable "passive mode" FTP through the firewall to a host: load the FTP connection-tracking helper so that the separately negotiated data connection is classified RELATED, then accept RELATED packets in FORWARD:
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of the nat table
Example 1 - Redirect connection requests for port 80 to local port 8080 (transparent proxy on this host):
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 leaving through ppp0 with ppp0's (dynamic) IP address:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
MASQUERADE is only valid in POSTROUTING, and -o cannot be used in PREROUTING, where the outgoing interface is not yet known.
Example 3 - DNAT the packets arriving on eth0 for 60.248.66.75, TCP port 80, to the internal web server 192.168.127.10, port 80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming TCP port 80 packets to 192.168.1.10, TCP port 80 (same DNAT form as Example 3 with the new destination). The rule shown on the slide is the complementary SNAT for traffic leaving the internal network, which rewrites the source 192.168.127.0/24 to the external address held in $OUT_IP (use MASQUERADE instead when that address is dynamic):
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Remember that the nat table only rewrites addresses: the DNAT'ed flow must still be allowed by the FORWARD chain of the filter table, and the box needs net.ipv4.ip_forward = 1.
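The hands-on rules above are typed one at a time; for a NAT machine that has to survive a reboot, the practical form is a script. The following is an added example and not part of the Moxa course material: it puts the NAT-machine rule set (Examples 3 and 4 plus a default-deny filter with state tracking, the rate-limited ping of Example 11 and the state rules of Example 12) into a script that emits iptables-restore(8) format, which is the recommended alternative to hand-editing an iptables-save dump. The interface names eth0/eth1, the public address 60.248.66.75 and the internal web server 192.168.127.10 are assumptions chosen to match the diagram and can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the Moxa course material): keep the NAT-machine
# rule set in a script that emits iptables-restore(8) format, rather than
# hand-editing the file produced by iptables-save. Interface names, the
# public address and the internal web server are assumptions chosen to
# match the hands-on diagram; override them from the environment.
WAN_IF="${WAN_IF:-eth0}"                        # upstream interface (assumed)
LAN_IF="${LAN_IF:-eth1}"                        # internal interface (assumed)
LAN_NET="${LAN_NET:-192.168.127.0/24}"          # internal network
WEB_SERVER="${WEB_SERVER:-192.168.127.10}"      # DNAT target for port 80
OUT_IP="${OUT_IP:-60.248.66.75}"                # public address of the NAT box

# Print the complete rule set. Default policy is DROP on INPUT and FORWARD,
# so anything not listed here is refused; state tracking lets replies back.
build_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Example 3: publish the internal web server on the public address
-A PREROUTING -i $WAN_IF -p tcp -d $OUT_IP --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# Example 4: rewrite the source of outbound LAN traffic to the public address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $OUT_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# management (ssh) only from the LAN side
-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# rate-limited echo requests (Example 11)
-A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# LAN hosts may open connections to the outside
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# the DNAT above only rewrites the address; FORWARD must still allow the flow
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SERVER --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of COMMIT lines, i.e. tables the rule set touches (sanity check).
table_count() { build_rules | grep -c '^COMMIT$'; }

# Load the rule set atomically: iptables-restore parses everything before
# replacing a single rule, so a typo cannot leave the box half-configured.
apply_rules() { build_rules | iptables-restore; }

case "${1:-show}" in
  apply) apply_rules ;;
  show)  build_rules ;;
  *)     echo "usage: $0 [show|apply]" >&2 ;;
esac
```

Run it without arguments to review the generated rule set, and with apply (as root) to load it; because the whole set is validated before any rule is replaced, a mistake shows up as an error rather than as a half-open firewall.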
Thank You

OpenVPN 2.0
Stephen Lin
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC-7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify which specific individual is behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast: high efficiency for data transmission
• Is it "secure" while transferring the key? (the key distribution problem)
• Key maintenance: n(n-1)/2 keys for n parties that each need a private channel
• DES, 3DES, AES, Blowfish
[Diagram: Tom encrypts the plaintext with the secret key; Bob decrypts the ciphertext with the same secret key]
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5, SHA-1 (both have since been broken for collision resistance; prefer SHA-2)
[Diagram: Tom runs the data through the hash function and sends Data + Message Digest 1; Bob recomputes Message Digest 2 over the received data with the same hash function and compares it with Message Digest 1]
A bare hash only detects accidental modification: an attacker who can change the data can just as easily recompute the digest, which is why a key is added in 1-4.
1-4 Message Authentication Code
• Ensures data integrity and origin authentication
• A secret key is needed to compute and to verify the MAC, so an attacker who alters the data cannot produce a matching tag
• HMAC, CBC-MAC
[Diagram: Tom hashes the data to Message Digest 1, protects it with the secret key to form the MAC and sends Data + MAC; Bob hashes the received data to Message Digest 2, recovers Message Digest 1 from the MAC with the same secret key and compares the two]
1-5 Asymmetric Encryption
Things to remember:
• Key pair: public/private keys
• In a session one key is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is computationally hidden: from one key you cannot derive the other, even with access to clear text and cipher text
• For RSA the two keys are interchangeable: the algorithm makes no difference between public and private key, and when a key pair is generated either of the two can be made public (this does not hold for every asymmetric scheme)
• Less efficient than symmetric (static-key) encryption
• RSA, Diffie-Hellman
[Diagram: clear text encrypted into an unreadable string]
1-5 Asymmetric Data Encryption
[Diagram, recipient's key pair: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key: confidentiality check]
[Diagram, sender's key pair: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key: authenticity check]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: hash the message, then apply the private-key operation to the digest
1-6 Digital Signature - Creating
[Diagram: a short message digest (typically 128 bits for MD5) is calculated from the message or file, however long, with a one-way hash (SHA, MD5); the digest is encrypted with the signatory's private key (RSA) to produce the digital signature; the signed document is the message "This is the document created by Gianni" plus the signature]
1-6 Digital Signature - Verifying
[Diagram: the message digest is regenerated from the received document; the digital signature is decrypted with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared]
1-6 Digital Signature
[Diagram: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to produce the digital signature, sent together with the data; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two]
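The three mechanisms of 1-3, 1-4 and 1-6 differ in who can produce a valid check value, which the diagrams only hint at. The following added example, which is not part of the course slides, shows them side by side with the openssl(1) command-line tool: the sample message, its tampered copy and the shared HMAC key are constructed for the demonstration, and the RSA key pair is generated on the fly. It uses SHA-256 rather than the MD5/SHA-1 of the slides.

```shell
#!/bin/sh
# Added example, not part of the course slides: the mechanisms of 1-3, 1-4
# and 1-6 side by side with the openssl(1) command-line tool. The message,
# the tampered copy and the shared key are constructed here.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

MSG='transfer 100 to account 42'       # constructed sample message
TAMPERED='transfer 900 to account 42'  # the same message after modification
KEY='constructed-shared-secret'        # shared secret for the MAC (1-4)

# 1-3 Hash: detects modification, but anyone can recompute it, so an attacker
# who changes the data simply replaces the digest as well.
digest() { printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'; }

# 1-4 MAC: HMAC-SHA256 keyed with the shared secret. Without KEY the
# attacker cannot produce a tag that matches the altered data.
mac_tag()    { printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'; }
mac_verify() { [ "$(mac_tag "$1" "$2")" = "$3" ]; }   # exit 0 = tag matches

# 1-6 Digital signature: hash, then the private-key operation on the digest.
# The verifier only needs the public key, which gives non-repudiation that a
# shared-key MAC cannot: either holder of KEY could have produced the tag.
gen_keypair() {
  openssl genrsa -out "$WORK/priv.pem" 2048 2>/dev/null &&
  openssl rsa -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}
sign()   { printf '%s' "$1" | openssl dgst -sha256 -sign "$WORK/priv.pem" -out "$WORK/sig.bin"; }
verify() { printf '%s' "$1" | openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" >/dev/null 2>&1; }

# Walk through the three cases from the attacker's point of view.
demo() {
  echo "digest(original) = $(digest "$MSG")"
  echo "digest(tampered) = $(digest "$TAMPERED")  (differs, but the attacker can recompute it)"
  TAG=$(mac_tag "$KEY" "$MSG")
  mac_verify "$KEY" "$MSG" "$TAG"      && echo "HMAC: original verifies"
  mac_verify "$KEY" "$TAMPERED" "$TAG" || echo "HMAC: tampered copy rejected"
  gen_keypair && sign "$MSG"
  verify "$MSG"      && echo "signature: original verifies with the public key"
  verify "$TAMPERED" || echo "signature: tampered copy rejected"
}
demo
```

The same split applies to OpenVPN later in the deck: the static-key mode (2-2) protects packets with an HMAC under a shared secret, while the SSL/TLS mode authenticates peers with certificates and signatures.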
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key (a person, a computer, a device, a file, some code, anything ...)
... and the whole is:
• Digitally signed by someone trusted (like your friend, or a CA)
[Diagram: certificate = "This public key belongs to Stephen" + public key + digital signature]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates its own key pair; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key; Left and Right each trust the CA public key. Left holds its own private key and a Left certificate signed by the CA; Right holds its own private key and a Right certificate signed by the CA; the CA's public key is carried in a certificate signed by the CA itself]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair; the clear text is encrypted (Cipher 1, Cipher 2), transmitted over the public network, and decrypted by the peer back to clear text]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC-7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput (0-80) and rate (0-8) against packet size from 128 to 1280 bytes for 3DES-CBC and AES-128-CBC; a second pair of charts for small packets from 16 to 144 bytes; the hardware-cipher series is marked separately ("= HW Cipher")]
1-8-3 Things to be noticed
The Moxa UC-7400 switches operations between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration, or a busy engine, causes a switch to the software approach
Small packets are handled by the software approach:
• DES: below 128 bytes
• 3DES/AES: below 64 bytes
1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network - Advantages/Disadvantages
• A VPN is a network constructed over public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH etc. do)
• A VPN allows the use of protocols which are insecure by themselves
• VPN traffic cannot be controlled and logged easily, because of its encrypted nature
2-2 Why OpenVPN
Usability:
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms:
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node with a client/server role
• Uses the kernel routing table
• Multiple clients
A user-space program:
• A full-featured SSL VPN solution
• Built on top of the existing SSL/TLS mechanism
• Choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port (5000 in 1.x, 1194 in 2.0)
2-2 OpenVPN Security
Two authentication modes:
• Static key: a pre-shared key (openvpn --genkey --secret) present on both ends
• SSL/TLS: SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number (replay protection)
• IV: plain-text initialization vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP payload; SeqN and the payload are encrypted under the IV, and the HMAC is computed over the IV and the encrypted part, so a forged or corrupted packet fails the HMAC check before any decryption takes place]
2-2 OpenVPN vs IPSec
OpenVPN:
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec:
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses a TUN device: a virtual point-to-point IP link; OpenVPN attaches the inner (tunnel) interface to the TUN device
• Uses the kernel routing table to forward the packets
[Diagram: OSI stacks of the two peers; OpenVPN runs at the application layer and the TUN device inserts at layer 3 (network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• The bridge tools (brctl) are required to create the bridge; the TAP device itself is created by OpenVPN (openvpn --mktun --dev tap0)
• Need a script to bind eth1 and tap0 together into a bridged device called br0:
brctl addbr br0          create an Ethernet bridge
brctl addif br0 eth1     connect interface eth1 as a port
brctl addif br0 tap0     connect virtual interface tap0 as a port
[Diagram: OSI stacks of the two peers; OpenVPN at the application layer, the TAP device at layer 2 (data link); on each side eth1 and tap0 are bridged into br0, while eth0 carries the tunnel traffic]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well: every broadcast on the LAN is copied into the tunnel to every peer
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Lab topology]
LAN A: IP 10.0.1.1/24, gw 10.0.1.254        LAN B: IP 10.0.2.1/24, gw 10.0.2.254
[VPN Server] ixp1 = 10.0.1.254, ixp0 = 192.168.12.201
[VPN Client] ixp1 = 10.0.2.254, ixp0 = 192.168.12.202
The VPN client connects to the VPN server; the VPN tunnel joins LAN A and LAN B. A separate [CA/TLS Server] issues the certificates used in 3-4.
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing, create it: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface with the Moxa script: openvpn-bridge [start | stop | restart]
• Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf; [at the VPN client] vi /etc/openvpn/tunclient.conf
The static key is a shared secret: copy it to the client over a channel you already trust (scp, or by hand), never over the tunnel it is meant to protect.
3-2 TUN Server Configuration
• The local/remote VPN IP addresses must be specified (ifconfig <local> <remote>), and mirrored in the client's file
• It is NECESSARY to specify the server address at the VPN client (remote <server>)
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
• [At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (server); openvpn --config /etc/openvpn/tunclient.conf & (client)
• The route script points at the second argument of "ifconfig", which is now "10.0.2.254"
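The configuration files on the two slides above were screenshots and are not reproduced here. The following is an added example rather than the course's own files: a static-key routed tunnel for the lab diagram, with the server at 192.168.12.201 and LAN A (10.0.1.0/24) behind it, and LAN B (10.0.2.0/24) behind the client. The tunnel endpoint addresses 10.8.0.1/10.8.0.2, the key path /etc/openvpn/static.key, port 1194, the cipher/auth choice and the group name are assumptions; OpenVPN's own route directive takes the place of the tunserver.sh/tunclient.sh route scripts. The check_pair function catches the classic mistake of non-mirrored ifconfig arguments before the files are copied to the two boxes.

```shell
#!/bin/sh
# Added example (not the course's own configuration files, which are not
# reproduced on the slides): a static-key routed tunnel between the two
# UC boxes of the lab diagram. Tunnel endpoints 10.8.0.1/10.8.0.2, the key
# file name, port 1194 and the cipher/auth choice are assumptions; the LAN
# and public addresses are those of the diagram.
SERVER_PUB=192.168.12.201           # VPN server, ixp0
LAN_A="10.0.1.0 255.255.255.0"      # behind the server
LAN_B="10.0.2.0 255.255.255.0"      # behind the client
TUN_SERVER=10.8.0.1                 # assumed tunnel endpoint, server side
TUN_CLIENT=10.8.0.2                 # assumed tunnel endpoint, client side
KEY=/etc/openvpn/static.key         # assumed: openvpn --genkey --secret static.key, copied to both ends
PORT=1194

# Options common to both ends. The key is shared, so both sides must agree on
# cipher and auth; a mismatch only shows up when the first packet is rejected.
common_opts() {
  cat <<EOF
dev tun
proto udp
port $PORT
secret $KEY
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

server_conf() {                     # /etc/openvpn/tunserver.conf
  echo "# tunserver.conf: waits for the client, routes LAN B through the tunnel"
  echo "ifconfig $TUN_SERVER $TUN_CLIENT"
  echo "route $LAN_B"
  common_opts
}

client_conf() {                     # /etc/openvpn/tunclient.conf
  echo "# tunclient.conf: connects to the server, routes LAN A through the tunnel"
  echo "remote $SERVER_PUB"         # NECESSARY at the client: where to connect
  echo "ifconfig $TUN_CLIENT $TUN_SERVER"
  echo "route $LAN_A"
  common_opts
}

# Sanity check before copying the files around: the client's ifconfig must be
# the mirror image of the server's, the client must name the server, and both
# must use the same key file, port, protocol, cipher and auth. 0 = consistent.
check_pair() {
  s=$(server_conf); c=$(client_conf)
  s_if=$(printf '%s\n' "$s" | awk '$1=="ifconfig"{print $2, $3}')
  c_if=$(printf '%s\n' "$c" | awk '$1=="ifconfig"{print $3, $2}')
  [ "$s_if" = "$c_if" ] || return 1
  printf '%s\n' "$c" | grep -q "^remote $SERVER_PUB\$" || return 1
  for opt in secret port proto cipher auth; do
    [ "$(printf '%s\n' "$s" | awk -v o="$opt" '$1==o{print $2}')" = \
      "$(printf '%s\n' "$c" | awk -v o="$opt" '$1==o{print $2}')" ] || return 1
  done
}

server_conf
echo
client_conf
```

Redirect the two printed files into /etc/openvpn/tunserver.conf and /etc/openvpn/tunclient.conf on the respective boxes. persist-key and persist-tun matter together with user nobody: after dropping privileges the daemon can no longer re-read the key or re-open the device, so without them the tunnel would not survive a restart of the link.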
3-3 TAP Configuration
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf; [at the VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
• Comment out the route line if both VPN networks are in the same subnet: in bridged mode the two sides share one broadcast domain and need no route between them
• Edit the static routes: vi /etc/openvpn/tapserver.sh; [at the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
• The routes point at the kernel routing entry of the bridge: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (server); openvpn --config /etc/openvpn/tapclient.conf & (client)
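The Moxa openvpn-bridge script is referenced above but its contents are not on the slides. The following added example, not Moxa's script, shows the steps such a script has to perform for the TAP mode of 3-3: create a persistent TAP device, build the bridge, move the LAN address from eth1 to br0, and undo all of it on stop. The interface names eth1, tap0 and br0 are the ones used on the slides and the bridge address 10.0.1.254/24 is the VPN server's LAN gateway from the lab diagram; the DRY_RUN switch, which prints the commands instead of executing them, is an addition so the sequence can be checked without root.

```shell
#!/bin/sh
# Added example, not Moxa's openvpn-bridge script (whose contents are not
# on the slides): the steps such a script must perform for the TAP mode of
# 3-3. Interface names (eth1, tap0, br0) are the ones used on the slides;
# the bridge address 10.0.1.254/24 is the VPN server's LAN gateway from the
# lab diagram. DRY_RUN=1 prints the commands instead of executing them,
# which also lets the script be checked without root.
BR=${BR:-br0}
ETH=${ETH:-eth1}
TAP=${TAP:-tap0}
BR_IP=${BR_IP:-10.0.1.254}
BR_MASK=${BR_MASK:-255.255.255.0}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

bridge_start() {
  run openvpn --mktun --dev "$TAP"          # persistent TAP, so openvpn can drop root later
  run brctl addbr "$BR"                     # create the bridge
  run brctl addif "$BR" "$ETH"              # physical LAN port
  run brctl addif "$BR" "$TAP"              # virtual port (the slide omits the bridge name here)
  run ifconfig "$ETH" 0.0.0.0 promisc up    # the address moves from eth1 to br0
  run ifconfig "$TAP" 0.0.0.0 promisc up
  run ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" up
}

bridge_stop() {
  run ifconfig "$BR" down
  run brctl delbr "$BR"
  run openvpn --rmtun --dev "$TAP"
  run ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" up   # give eth1 its address back
}

# Number of commands the start sequence issues (dry-run sanity check).
start_cmd_count() { ( DRY_RUN=1; bridge_start ) | wc -l | tr -d ' '; }

case "${1:-}" in
  start)   bridge_start ;;
  stop)    bridge_stop ;;
  restart) bridge_stop; bridge_start ;;
  *)       echo "usage: $0 {start|stop|restart}  (DRY_RUN=1 prints only)" >&2 ;;
esac
```

Run DRY_RUN=1 ./openvpn-bridge start first to review the sequence; note that while eth1 is bridged the box is reachable only through br0's address, so a mistake in BR_IP on a remote UC can lock you out until the next reboot.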
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, ... etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Repeat the request and signing steps for the second client
Keep the CA private key on the Linux PC only; the UC boxes need nothing but ca.crt and their own key and certificate.
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server (use build-key-server server instead if the clients are to check ns-cert-type server, which marks the certificate as a server certificate)
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (the size comes from KEY_SIZE in vars; the course uses 1024 bits, which is no longer considered adequate, so prefer 2048)
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
• txxserver.conf (tunserver.conf or tapserver.conf): replace the static key with the CA certificate, server certificate, server key and DH parameters
• txxclient.conf (tunclient.conf or tapclient.conf): replace the static key with the CA certificate, client certificate and client key
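The CA.sh and easy-rsa scripts of 3-4-1 and 3-4-2 hide what is actually produced. The following added example, which is not the course's own procedure, builds the same PKI with plain openssl(1) commands so that each artifact (CA key and certificate, server and client key/certificate pairs, DH parameters) is visible, marks the server certificate so that a client certificate cannot be replayed as a server, and prints the lines that replace "secret" in txxserver.conf and txxclient.conf. The names vpn-ca, vpn-server and vpn-client, the output directory, the 10-year validity and the 2048-bit sizes are assumptions; ns-cert-type is the OpenVPN 2.0 spelling of the check (newer releases use remote-cert-tls).

```shell
#!/bin/sh
# Added example, not the course's CA.sh/easy-rsa steps themselves: the same
# PKI built with plain openssl(1) commands, so each step of 3-4-1/3-4-2 is
# visible, followed by the TLS-mode lines that replace "secret" in
# txxserver.conf / txxclient.conf. Names (vpn-ca, vpn-server, vpn-client),
# the output directory and the 2048-bit sizes are assumptions.
set -u
PKI=${PKI:-$(mktemp -d)}          # where keys and certificates are written
DAYS=${DAYS:-3650}
EXT=$PKI/ext.cnf

# X.509v3 extensions: the CA certificate is marked as a CA, the server
# certificate as a TLS server (OpenVPN 2.0 checks it with ns-cert-type
# server), so a stolen client certificate cannot impersonate the server.
write_ext() {
  cat >"$EXT" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[server]
basicConstraints=CA:FALSE
nsCertType=server
extendedKeyUsage=serverAuth
keyUsage=digitalSignature,keyEncipherment
[client]
basicConstraints=CA:FALSE
nsCertType=client
extendedKeyUsage=clientAuth
keyUsage=digitalSignature
EOF
}

# build-ca: self-signed root. The CA key never leaves the CA host.
build_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn-ca" \
    -config "$EXT" -keyout "$PKI/ca.key" -out "$PKI/ca.csr" 2>/dev/null &&
  openssl x509 -req -in "$PKI/ca.csr" -signkey "$PKI/ca.key" -days "$DAYS" -sha256 \
    -extfile "$EXT" -extensions ca -out "$PKI/ca.crt" 2>/dev/null
}

# build-key / build-key-server: key and request for the end entity, signed by
# the CA. $1 = name, $2 = extension section (server|client)
build_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -config "$EXT" -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
    -CAcreateserial -days "$DAYS" -sha256 -extfile "$EXT" -extensions "$2" \
    -out "$PKI/$1.crt" 2>/dev/null
}

# build-dh: 2048 bits; the 1024-bit parameters of the course are too small today.
build_dh() { openssl dhparam -out "$PKI/dh2048.pem" 2048 2>/dev/null; }

# A self-signed certificate with the server's name that the CA never signed:
# what a rogue peer would present. Must be rejected by verify_cert.
build_rogue() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn-server" \
    -config "$EXT" -days 1 -keyout "$PKI/rogue.key" -out "$PKI/rogue.crt" 2>/dev/null
}

# What each end checks at connect time: the chain to ca.crt. 0 = valid.
verify_cert() { openssl verify -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null 2>&1; }

# Does the certificate carry the server marking the client insists on?
is_server_cert() { openssl x509 -in "$PKI/$1.crt" -noout -text | grep -q 'SSL Server'; }

# Lines that replace "secret static.key" in txxserver.conf / txxclient.conf.
tls_server_lines() { printf 'tls-server\nca ca.crt\ncert vpn-server.crt\nkey vpn-server.key\ndh dh2048.pem\n'; }
tls_client_lines() { printf 'tls-client\nca ca.crt\ncert vpn-client.crt\nkey vpn-client.key\nns-cert-type server\n'; }

build_all() { write_ext && build_ca && build_cert vpn-server server && build_cert vpn-client client; }

if build_all; then
  echo "PKI written to $PKI (run build_dh separately; it takes a while)"
  echo "--- server"; tls_server_lines
  echo "--- client"; tls_client_lines
fi
```

Copy ca.crt, vpn-server.crt, vpn-server.key and dh2048.pem to the VPN server and ca.crt, vpn-client.crt and vpn-client.key to the client, exactly as 3-4-2 describes for the easy-rsa output; ca.key stays on the CA host. The ns-cert-type server line on the client is the check that turns a compromised client certificate from a server-impersonation problem into a single revoked client.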
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1: Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2: System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3: Alarm Setting: Temperature → Voltage → burn-in throughput
F4: Configuration Key
F5: Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others which use the R-Link chipset
Thank You
1 -p [proto] tcp udp icmp all
2 -s [IP] -d [IP]
3 --sport [port] --dport [port]
4 -m state --state [state] NEW ESTABLISHED INVALID RELATED
5 -m multiport [p1p2hellipp15]
6 -i [iface] -o [oface]
7 hellipetc
3-3-3 Matches - Conditions3-3-3 Matches - Conditions
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter - Rules of filter table
Example 1 - Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from IP 192.168.0.24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT
Example 7 - Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC7110 does not support the target "LOG".
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
Example 12 - Accept the ESTABLISHED / RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
Example 13 - Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "Passive Mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
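The filter-table examples above collected into one script, which is the maintenance style slide 3-4 recommends. This is an added example, not the deck's hands-on file: it assumes eth0 is the untrusted interface and 192.168.1.0/24 the trusted LAN from Example 3, and the `fw` wrapper and `FW_DRY_RUN` variable are inventions of this example (not iptables features) so the rule set can be printed and reviewed on a workstation before it is applied as root on the device. Rule order is the point: the INVALID drop and the explicit deny rules come before any ACCEPT, because iptables stops at the first match.

```shell
#!/bin/sh
# Added example: the 4-1 packet-filter rules as one script (not the Moxa deck's own file).
# Assumed: eth0 = untrusted interface, 192.168.1.0/24 = trusted LAN (Example 3).
# FW_DRY_RUN=1 prints each iptables command instead of running it, so the rule
# set can be reviewed without root; leave it unset on the UC-7400 to apply.

fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_filter_rules() {
    # Start from an empty INPUT chain whose default policy is DROP (Example 11):
    # anything not explicitly accepted below is discarded.
    fw -t filter -F INPUT
    fw -t filter -P INPUT DROP

    # Example 1: loopback traffic is always accepted.
    fw -t filter -A INPUT -i lo -j ACCEPT

    # Example 12: replies to our own connections first, then drop bad state early.
    # INVALID is dropped before any ACCEPT so a malformed packet never matches a
    # later allow rule; NEW is left to the per-service rules instead of a blanket
    # drop, otherwise nothing could ever connect.
    fw -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -t filter -A INPUT -m state --state INVALID -j DROP

    # Examples 4, 8, 9: explicit deny list, placed before the allow rules
    # because iptables stops at the first matching rule.
    fw -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
    fw -t filter -A INPUT -i eth0 -p tcp -s 192.168.100.200 --syn -j DROP
    fw -t filter -A INPUT -i eth0 -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

    # Examples 5 and 7: log, then drop, FTP control connections arriving on eth0.
    # LOG does not terminate rule traversal, so the DROP must follow it
    # (the UC-7110 has no LOG target: omit that line there).
    fw -t filter -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j LOG --log-prefix FW_ftp:
    fw -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP

    # Example 6: NetBIOS ports only from one trusted host.
    fw -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT

    # Example 3: everything else over TCP from the trusted LAN.
    fw -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT

    # Examples 10/11: answer ping, but at most 6 per minute after a burst of 10,
    # so the device cannot be kept busy by a flood of echo requests.
    fw -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
}

# Number of iptables commands the script issues (handy when reviewing a dry run).
filter_rule_count() {
    ( FW_DRY_RUN=1; apply_filter_rules ) | grep -c '^iptables '
}

if [ "${1:-}" = "apply" ]; then
    apply_filter_rules
fi
```

Run `FW_DRY_RUN=1 sh filter.sh apply` to print the rules, and `sh filter.sh apply` as root to load them; the script is idempotent because it flushes INPUT first.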
4-2 NAT Machine - Rules of nat table
Example 1 - Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets coming from 192.168.1.0/24 behind the local ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
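The NAT machine of Examples 2 to 4 as one script, added here as an example and not taken from the deck. It assumes eth0 faces the Internet with the address 60.248.66.75 from Example 3, that the inside interface is eth1 (the deck does not name it), that the LAN is 192.168.127.0/24 with the web server at 192.168.127.10, and it reuses the same `fw` dry-run wrapper idea as the filter script (an invention of these examples). Example 1's REDIRECT is left out because a second PREROUTING rule on port 80 would shadow the DNAT. The FORWARD rules are what the slides do not show: NAT only rewrites addresses, so without them the box forwards everything once ip_forward is on.

```shell
#!/bin/sh
# Added example: the 4-2 NAT machine as one script (not the Moxa deck's own file).
# Assumed topology: OUT_IF (eth0) faces the Internet with address OUT_IP,
# LAN_IF (eth1, an assumption) faces 192.168.127.0/24, and the web server to
# publish is 192.168.127.10. FW_DRY_RUN=1 prints the commands instead of running them.

OUT_IF=${OUT_IF:-eth0}
OUT_IP=${OUT_IP:-60.248.66.75}    # set to "" for a dynamic address (ppp0 style)
LAN_IF=${LAN_IF:-eth1}
LAN_NET=192.168.127.0/24
WEB_HOST=192.168.127.10

fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

enable_ip_forward() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

apply_nat_rules() {
    enable_ip_forward
    fw -t nat -F
    fw -t filter -F FORWARD

    # Outbound: rewrite LAN sources to the outside address. SNAT needs a fixed
    # address (Example 4); MASQUERADE uses whatever address the interface has at
    # the moment, which is what a dial-up ppp0 link needs (Example 2). Both are
    # POSTROUTING targets, never PREROUTING.
    if [ -n "$OUT_IP" ]; then
        fw -t nat -A POSTROUTING -s "$LAN_NET" -o "$OUT_IF" -j SNAT --to-source "$OUT_IP"
    else
        fw -t nat -A POSTROUTING -s "$LAN_NET" -o "$OUT_IF" -j MASQUERADE
    fi

    # Inbound: publish the internal web server (Example 3). PREROUTING rewrites
    # the destination before the routing decision, so the FORWARD chain below
    # already sees the internal address.
    dst=""
    if [ -n "$OUT_IP" ]; then
        dst="-d $OUT_IP"
    fi
    fw -t nat -A PREROUTING -i "$OUT_IF" -p tcp $dst --dport 80 -j DNAT --to-destination "$WEB_HOST:80"

    # NAT only rewrites addresses; what may actually pass through is decided here.
    fw -t filter -P FORWARD DROP
    fw -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -t filter -A FORWARD -i "$LAN_IF" -o "$OUT_IF" -s "$LAN_NET" -j ACCEPT
    fw -t filter -A FORWARD -i "$OUT_IF" -o "$LAN_IF" -d "$WEB_HOST" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Number of iptables commands issued (for dry-run review).
nat_rule_count() {
    ( FW_DRY_RUN=1; apply_nat_rules ) | grep -c '^iptables '
}

if [ "${1:-}" = "apply" ]; then
    apply_nat_rules
fi
```

With `OUT_IP=""` and `OUT_IF=ppp0` the same script produces the MASQUERADE form of Example 2; the DNAT rule then matches on the interface alone, since the outside address is not known in advance.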
Thank You
OpenVPN 2.0 (Stephen Lin)
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
Integrity
• Ensure that the message has not been modified during the transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify who is the specific individual behind that entity.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys for n parties
DES / 3DES / AES / Blowfish
[Figure: Tom encrypts the plaintext with the shared secret key; Bob decrypts the ciphertext with the same secret key to recover the plaintext]
1-3 Hash (Digest) Function
Ensure data integrity
MD5 / SHA-1
[Figure: Tom computes Message Digest 1 from the data with a hash function and sends data + digest; Bob computes Message Digest 2 from the received data with the same hash function and compares it with Message Digest 1]
1-4 Message Authentication Code
Ensure the data integrity
Use a key to protect the MAC
HMAC / CBC-MAC
[Figure: Tom computes Message Digest 1 from the data, encrypts it with the secret key into the MAC and sends MAC + data; Bob computes Message Digest 2 from the received data, decrypts the MAC with the secret key to recover Message Digest 1 and compares the two]
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: all algorithms make no difference between public and private key; when a key pair is generated, any of the two can be public or private
• Less efficient than a static key
• RSA / Diffie-Hellman
[Figure: clear text is encrypted into unreadable cipher text]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (recipient's key pair): confidentiality check]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (sender's key pair): authenticity check]
1-6 Digital Signature
Real world: hybrid. 1. Data integrity 2. Authenticity 3. Non-repudiation 4. Algorithm: use the public key and a hash
1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") is hashed (SHA, MD5) into a short message digest (typically 128 bits), calculated from even a long input using a one-way message digest function; the digest is encrypted with the signatory's private key (asymmetric encryption, RSA) into the digital signature, and the message plus signature form the signed document]
1-6 Digital Signature - Verifying
[Figure: from the signed document, the message is hashed again to obtain a fresh message digest; the digital signature is decrypted with Gianni's public key (from the certificate) to recover the original digest; the two digests are compared]
1-6 Digital Signature
[Figure: Tom hashes the data into Message Digest 1 and encrypts it with Tom's private key to form the digital signature; Bob hashes the received data into Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two]
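The three figures above (hash, MAC, signature) carried out with the openssl command line, as an added example that is not part of the Moxa training material. The message text, the "tampered" copy, the key names and the HMAC keys are constructed for the demonstration; the script needs a working `openssl` binary and writes into a temporary directory. It shows the difference the slides draw between the three: a hash detects change but anyone can recompute it, a MAC needs the shared key, and a signature made with Tom's private key is checked with his public key and fails as soon as one character of the document changes.

```shell
#!/bin/sh
# Added example (not from the Moxa deck): hash, HMAC and RSA signature with the
# openssl command line, in the order of sections 1-3, 1-4 and 1-6.
# The message, the keys and the "tampered" copy are constructed for this demo.

# The last field of "openssl dgst" output is the hex digest in every OpenSSL version.
sha256_of() {
    printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# HMAC-SHA256 over $2 with key $1: same hash, but only a key holder can compute it.
hmac_sha256_of() {
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# Walks through the three figures; returns 0 when every expectation holds,
# otherwise a small non-zero code that names the failed step.
signature_demo() {
    dir=$(mktemp -d) || return 1
    msg='This is the document created by Gianni'
    tampered='This is the document created by Gianna'   # constructed: one letter changed

    # 1-3 Hash: any change to the data changes the digest, but anyone can recompute it.
    [ "$(sha256_of "$msg")" != "$(sha256_of "$tampered")" ] || return 2

    # 1-4 MAC: without the shared key no matching tag can be produced, so the
    # key, not the hash, is what turns integrity into authenticity.
    [ "$(hmac_sha256_of secret-key "$msg")" != "$(hmac_sha256_of wrong-key "$msg")" ] || return 3

    # 1-6 Signature: Tom signs the SHA-256 digest with his private key ...
    printf '%s' "$msg" > "$dir/msg"
    printf '%s' "$tampered" > "$dir/msg.tampered"
    openssl genrsa -out "$dir/tom.key" 2048 2>/dev/null || return 4
    openssl rsa -in "$dir/tom.key" -pubout -out "$dir/tom.pub" 2>/dev/null || return 4
    openssl dgst -sha256 -sign "$dir/tom.key" -out "$dir/msg.sig" "$dir/msg" || return 5

    # ... and Bob verifies with Tom's public key: the original document passes,
    openssl dgst -sha256 -verify "$dir/tom.pub" -signature "$dir/msg.sig" "$dir/msg" >/dev/null 2>&1 || return 6
    # the tampered document must fail although the signature itself is untouched.
    if openssl dgst -sha256 -verify "$dir/tom.pub" -signature "$dir/msg.sig" "$dir/msg.tampered" >/dev/null 2>&1; then
        return 7
    fi

    rm -rf "$dir"
    return 0
}
```

`signature_demo && echo "all three checks behaved as the figures describe"` runs the whole sequence; the two small helpers can also be used on their own to compare digests of files copied to the device.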
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: a certificate = the public key + "This public key belongs to Stephen" + a digital signature; the certified entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Figure: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user]
1-7-1 CA Certificate Example
[Figure: Left and Right both trust the CA public key; Left holds its private key and "Left Cert signed by CA", Right holds its private key and "Right Cert signed by CA"; the CA private key signs both certificates, and the CA public key is itself signed by the CA]
1-7-2 SSL/TLS
[Figure: each side holds its own private key and the peer's public key; the clear text is encrypted (Cipher 1, then Cipher 2) before transmission over the public network and decrypted in reverse order on the other side]
Ensures confidentiality
• And integrity, if digitally signed
Depending on how public keys are exchanged:
• Authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four throughput charts comparing the software implementation with the hardware cipher (legend: "= HW Cipher"); rate versus packet size for 3DES-CBC and AES-128-CBC, one pair of charts for packet sizes 128 to 1280 bytes and one pair for 16 to 144 bytes]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any misconfiguration or busy state causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | IP payload; the SeqN and the IP payload are the encrypted part]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Figure: OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) of the two endpoints; OpenVPN runs at the application layer and the TUN device sits at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
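An openvpn-bridge style start/stop script built from the three brctl commands above, added as an example; it is not the Moxa `openvpn-bridge` script that the configuration section refers to. It assumes eth1 is the LAN port that joins the bridge, tap0 the OpenVPN adapter, br0 the bridge, and 10.0.1.254/24 the address that moves from eth1 to br0 (the LAN A gateway of the 3-1 topology); the `run` wrapper and `DRY_RUN` variable are conveniences of this example so the command sequence can be printed without root.

```shell
#!/bin/sh
# Added example (not the Moxa "openvpn-bridge" script): start/stop a bridge of
# eth1 and tap0 called br0. Assumed: eth1 = LAN port, tap0 = OpenVPN adapter,
# 10.0.1.254/24 = address that moves from eth1 to br0.
# DRY_RUN=1 prints each command instead of running it (root is needed otherwise).

BR=${BR:-br0}
ETH=${ETH:-eth1}
TAP=${TAP:-tap0}
BR_IP=${BR_IP:-10.0.1.254}
BR_MASK=${BR_MASK:-255.255.255.0}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

bridge_start() {
    # 1. Create a persistent TAP adapter so the bridge exists before the OpenVPN
    #    daemon starts; the daemon later opens the existing tap0.
    run openvpn --mktun --dev "$TAP"
    # 2. Both ports carry frames for the bridge, not for themselves:
    #    no IP address of their own, promiscuous mode.
    run ifconfig "$ETH" 0.0.0.0 promisc up
    run ifconfig "$TAP" 0.0.0.0 promisc up
    # 3. Build the bridge and attach both ports (brctl addif takes the bridge
    #    name first, then the port).
    run brctl addbr "$BR"
    run brctl addif "$BR" "$ETH"
    run brctl addif "$BR" "$TAP"
    # 4. The LAN address now lives on br0, which is what the kernel routes to.
    run ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" up
}

bridge_stop() {
    # Reverse order: tear the bridge down, then give eth1 its address back.
    run ifconfig "$BR" down
    run brctl delif "$BR" "$TAP"
    run brctl delif "$BR" "$ETH"
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    run ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" up
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
esac
```

Usage is the same as the deck's script: `openvpn-bridge start` before the TAP server is launched, `openvpn-bridge stop` after it is stopped. Note that while the bridge is up the device's LAN address is reachable on br0, not on eth1, so any filter rule that matches on `-i eth1` for locally delivered traffic must be written for br0 instead.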
[Figure: OSI stacks of the two endpoints; OpenVPN runs at the application layer, the TAP device sits at layer 2 (Data-Link) and is bridged with eth1 into br0 on each side, while eth0 carries the tunnel; TUN is shown at layer 3 for comparison]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point to point, point to multi-point
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Figure: test network. LAN A (10.0.1.0/24; host IP 10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN server, whose ixp1 interface is 10.0.1.254 and whose ixp0 interface is 192.168.12.201; LAN B (10.0.2.0/24; host IP 10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN client, whose ixp1 interface is 10.0.2.254 and whose ixp0 interface is 192.168.12.202; the VPN tunnel connects the two ixp0 interfaces, and the VPN server also acts as the CA / TLS server]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module; if it is missing: ls /dev/net (look for a character device "tun"); mknod /dev/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
Create / start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the cipher / authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local / remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (server); openvpn --config /etc/openvpn/tunclient.conf & (client)
2nd argument of "ifconfig", which is now "10.0.2.254"
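A static-key TUN server/client pair for the 3-1 topology, written out and then checked for the mistake the callout above is about: the client's `ifconfig` line must be the server's with the two addresses swapped. This is an added example, not the deck's tunserver.conf / tunclient.conf. It assumes the addresses of the 3-1 diagram (server public address 192.168.12.201, tunnel endpoints 10.0.1.254 and 10.0.2.254, LANs 10.0.1.0/24 and 10.0.2.0/24), the default port 1194, and a shared key file named static.key produced with `openvpn --genkey`; the helper names (`write_tun_conf`, `field`, `tun_pair_consistent`) are this example's own.

```shell
#!/bin/sh
# Added example (not the deck's configuration files): write a static-key TUN
# server/client pair and check that the two files mirror each other.
# Assumed from the 3-1 diagram: server public address 192.168.12.201, tunnel
# endpoints 10.0.1.254 (server) / 10.0.2.254 (client), LANs 10.0.1.0/24 and
# 10.0.2.0/24, shared key in static.key (openvpn --genkey --secret static.key).

# write_tun_conf FILE LOCAL_IP REMOTE_IP FAR_LAN [SERVER_PUBLIC_IP]
write_tun_conf() {
    {
        echo "dev tun"
        echo "proto udp"
        echo "port 1194"
        if [ -n "${5:-}" ]; then
            echo "remote $5"               # client side only: where to connect
        fi
        echo "ifconfig $2 $3"              # local tunnel address, then the remote one
        echo "route $4 255.255.255.0"      # the LAN behind the peer
        echo "secret static.key"           # pre-shared key, the same file on both ends
        echo "keepalive 10 60"
        echo "persist-key"
        echo "persist-tun"
        echo "verb 3"
    } > "$1"
}

# field FILE DIRECTIVE N: the N-th argument of DIRECTIVE in FILE (empty if absent).
field() {
    awk -v d="$2" -v n="$3" '$1 == d { print $(n + 1); exit }' "$1"
}

# tun_pair_consistent SERVER_CONF CLIENT_CONF
# 0 when the client's ifconfig is the server's reversed, both name the same key
# file and the client knows where the server is; 1 otherwise. A client that
# copied the server's ifconfig line unchanged is the error this catches.
tun_pair_consistent() {
    s_local=$(field "$1" ifconfig 1); s_remote=$(field "$1" ifconfig 2)
    c_local=$(field "$2" ifconfig 1); c_remote=$(field "$2" ifconfig 2)
    [ -n "$s_local" ] && [ -n "$c_local" ] || return 1
    [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ] || return 1
    [ "$(field "$1" secret 1)" = "$(field "$2" secret 1)" ] || return 1
    [ -n "$(field "$2" remote 1)" ] || return 1
    return 0
}

# Write the pair for the 3-1 topology into DIR and return the consistency result.
make_deck_pair() {
    write_tun_conf "$1/tunserver.conf" 10.0.1.254 10.0.2.254 10.0.2.0
    write_tun_conf "$1/tunclient.conf" 10.0.2.254 10.0.1.254 10.0.1.0 192.168.12.201
    tun_pair_consistent "$1/tunserver.conf" "$1/tunclient.conf"
}
```

`make_deck_pair /etc/openvpn && echo "pair is consistent"` writes both files on a machine used to prepare the configuration; copy the client file and static.key to the client over a trusted channel, since with a static key the key file is the whole secret of the tunnel.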
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
Edit the static routings: vi /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (server); openvpn --config /etc/openvpn/tapclient.conf & (client)
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified
3-4-2 OpenVPN - "easy-rsa" tools
Copy the "easy-rsa" directory to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
Copy the CA certificate, the client key and the client certificate to the VPN client
The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range: 0 to 300 VDC; right side for the low range: 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards.
• The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others which use the R-Link chipset
Thank You
3-3-4 Targets - Actions3-3-4 Targets - Actions
a filter Table ACCEPT DROP
QUEUE RETURN target extensions --LOG --ULOG --REJECT - -MIRROR
b nat table SNAT (only in POSTROUTING)
DNAT (only in PREROUTINGOUTPUT)
MASQUERADE (POSTROUTING)
REDIRECT (only in PREROUTING)
c mangle table hellip
3-4 Save Restore Rules3-4 Save Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rule instead of using this exported file (it is not a standard script file) Please refer to the Hands-ON practice
AgendaAgenda
1) Firewall NAT and iptables
2) Rules Chains Tables
3) Usage of iptables
4) Hands-ON Practice 1) Packet Filter2) NAT Machine
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Accept all the packets incoming from lo interface
Example 2 ndash Accept all the TCP packets incoming from
IP = 19216801
iptables ndasht filter ndashA INPUT ndashi lo ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 19216801 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 3 ndash Accept all the TCP packets incoming from the network
1921681024
Example 4 ndash Drop all the TCP packets incoming from IP = 192168125
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 1921681024 -j ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 192168125 ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 5 ndash Drop all the Incoming TCP packets with dst Port = 21
(forbid FTP Connection from eth0)
Example 6 ndash Accept TCP packets incoming from IP 192168024 to
local port number 137138 and 139
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndash ndashdport 21 ndashj DROP
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp ndashs
192168024 ndash ndashdport 137139 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key ("This public key belongs to Stephen")
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
The certified entity can be a person, a computer, a device, a file, some code, anything ...
1-7-1 CA Certificate
[Diagram: Certification Server. The CA generates a key pair (Priv, pub). The user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert); the private key and the certificate are sent to the user. Both the left and the right certificate are signed by the CA; the CA's own public key is signed by the CA itself.]
1-7-1 CA Certificate Example
[Diagram: the CA (holding the CA Private Key) signs the Left and the Right certificates. Left holds its private key, its certificate signed by the CA, and the CA Pub Key; Right holds its private key, its certificate signed by the CA, and the CA Pub Key. Left and Right trust each other's certificate because both are signed by the CA.]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair (Priv, pub). Clear text → Encrypt (Cipher 1) → Encrypt (Cipher 2) → transmission over the public network → Decrypt (Cipher 2) → Decrypt (Cipher 1) → Clear text.]
• Ensures confidentiality, and integrity if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), as OpenSSL itself does
1-8-2 Performance
[Charts: rate of 3DES-CBC and AES128-CBC versus packet size, one pair of charts for 128 to 1280 bytes and one pair for 16 to 144 bytes, software versus hardware cipher. Legend: = HW Cipher]
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approaches:
• Default: hardware approach
• Any mis-configuration or busy engine causes the switch to software
Small packets are switched to the software approach:
• DES: packets smaller than 128 bytes
• 3DES/AES: packets smaller than 64 bytes
1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• io : correctness test
• io 0 5000 : stability test
• io 1 : golden pattern
• io 2 20000 : performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability:
• Open Source (GPL)
• Full featured SSL VPN solution
• Easy to configure secure tunnel
• NAT/DHCP support
• Can use a 2048 bit shared key or digital certificates (PKI)
Portability - supports most of the platforms:
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role:
• Uses the kernel routing
• Multiple clients
A user-space program:
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
[Diagram: HMAC | IV | SeqN | IP packet payload, where SeqN and the payload are encrypted and the HMAC is computed over the IV and the encrypted part]
2-2 OpenVPN vs IPSec
OpenVPN:
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall and NAT friendly
• Dynamic address support
IPSec:
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Diagram: the OSI stack on both peers (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN sits at the application layer and the TUN device at the network layer (3rd)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
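A bridge start/stop script of the kind the slide asks for, added here as an example written for this page (it is not Moxa's own openvpn-bridge script): it creates a persistent tap0 with openvpn --mktun, enslaves eth1 and tap0 to br0, and moves the LAN address from eth1 onto the bridge so that the OpenVPN peer attaches at layer 2. The address 10.0.1.254, the interface names and the RUN dry-run hook are assumptions.

```shell
#!/bin/sh
# Added example: bridge helper for an OpenVPN TAP setup (not Moxa's script).
# Assumed tools: brctl (bridge-utils), ifconfig and openvpn 2.0 on the box.
BR="br0"
TAP="tap0"
ETH="eth1"
BR_IP="10.0.1.254"          # sample value: the LAN gateway address moves to br0
BR_NETMASK="255.255.255.0"

# Every privileged command goes through run(); setting RUN=echo turns the
# script into a dry run that prints the commands instead of executing them.
run() { ${RUN:-} "$@"; }

bridge_start() {
    # 1. create a persistent TAP device that OpenVPN will attach to later
    run openvpn --mktun --dev "$TAP"
    # 2. create the bridge and enslave the physical port and the TAP device
    run brctl addbr "$BR"
    run brctl addif "$BR" "$ETH"
    run brctl addif "$BR" "$TAP"
    # 3. ports carry no address of their own; the bridge owns the LAN IP
    run ifconfig "$ETH" 0.0.0.0 promisc up
    run ifconfig "$TAP" 0.0.0.0 promisc up
    run ifconfig "$BR" "$BR_IP" netmask "$BR_NETMASK" up
}

bridge_stop() {
    run ifconfig "$BR" down
    run brctl delif "$BR" "$TAP"
    run brctl delif "$BR" "$ETH"
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    # hand the LAN address back to the physical port
    run ifconfig "$ETH" "$BR_IP" netmask "$BR_NETMASK" up
}

# True when tap0 is currently a port of br0 (sysfs view of the bridge)
bridge_check() {
    [ -d "/sys/class/net/$BR/brif/$TAP" ]
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    check)   bridge_check && echo "$TAP is a port of $BR" ;;
    "")      ;;   # no action when the file is only sourced
    *)       echo "usage: $0 {start|stop|restart|check}" >&2 ;;
esac
```

Run it as `RUN=echo ./openvpn-bridge start` first to review the command sequence before touching a live device.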
[Diagram: the OSI stack on both peers; OpenVPN at the application layer, the TAP device at the data-link layer (2nd) where TUN sits at the network layer (3rd). On each peer eth1 and tap0 are bridged, while eth0 carries the tunnel traffic.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Network diagram: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) behind the VPN Server (ixp1 = 10.0.1.254, ixp0 = 192.168.12.201); LAN B (IP 10.0.2.1/24, gw 10.0.2.254) behind the VPN Client (ixp1 = 10.0.2.254, ixp0 = 192.168.12.202); the VPN tunnel connects the two ixp0 interfaces; a CA/TLS server is also present.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create / start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun/server.conf
[At VPN Client] vi /etc/openvpn/tun/client.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tun/server.sh; chmod +x /etc/openvpn/tun/server.sh
[At VPN Client] vi /etc/openvpn/tun/client.sh; chmod +x /etc/openvpn/tun/client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun/server.conf & (at the client: openvpn --config /etc/openvpn/tun/client.conf &)
The 2nd argument of "ifconfig" is now "10.0.2.254"
Create the TAP configuration files: vi /etc/openvpn/tap/server.conf
[At VPN Client] vi /etc/openvpn/tap/client.conf
3-3 TAP Configuration - VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
Edit the static routes: vi /etc/openvpn/tap/server.sh
[At VPN Client] vi /etc/openvpn/tap/client.sh; chmod +x /etc/openvpn/tap/client.sh
Point to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap/server.conf & (at the client: openvpn --config /etc/openvpn/tap/client.conf &)
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified in the same way
3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
Copy the CA certificate, the client key and the client certificate to the VPN client
The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txx/server.conf
txx/client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a Power Meter and a Thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range (0 to 300 VDC) & right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier : Model name
ASUS : WL-107g
CNET : CWC-854 (181D version)
Edimax : EW-7108PCg
Amigo : AWP-914WG
Gigabyte : GN-WMKG
Others which use the R-Link chipset
Thank You
3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of using this exported file (it is not a standard script file). Please refer to the Hands-On practice.
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all the packets incoming from the lo interface
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter - Rules of the filter table
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
Example 6 - Accept TCP packets incoming from IP 192.168.0.24 to the local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 7 - Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC7110 does not support the target "LOG"
4-1 Packet Filter - Rules of the filter table
Example 8 - Drop all the [SYN] packets from IP = 192.168.100.200
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
Example 11 - Limit an ICMP "ping" burst
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of the filter table
Example 13 - Check the packet integrity
Example 14 - Enable the "passive mode" FTP service to a host
iptables -t filter -A INPUT -p all -m unclean -j DROP
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine - Rules of the nat table
Example 1 - Redirect the connection requests for port 80 to port 8080
Example 2 - Masquerade the incoming packets from 192.168.1.0/24 to be the local ppp0's IP
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
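The script file the course recommends instead of the exported rule dump, added here as an example written for this page rather than taken from the Moxa material: it rebuilds the filter and nat tables from scratch in an order where first-match-wins works for the defender (note that in Examples 3 and 4 above a DROP for a host inside an already ACCEPTed network never matches because the ACCEPT comes first). The interface names, the LAN subnet, 60.248.66.75 as the OUT_IP placeholder and the SSH management rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the Moxa course): maintainable Netfilter rule
# script for a UC-7400 acting as LAN gateway. Assumed: eth1 = LAN port,
# eth0 = WAN port; OUT_IP is a placeholder for the box's external address.
IPT="${IPT:-iptables}"        # set IPT=echo to dry-run the rule set
LAN_IF="eth1"
WAN_IF="eth0"
LAN_NET="192.168.127.0/24"
OUT_IP="${OUT_IP:-60.248.66.75}"   # placeholder external address
WEB_SERVER="192.168.127.10"

reset_tables() {
    # Flush everything and start from a default-deny INPUT/FORWARD policy,
    # so a rule that never matches means "dropped", not "accepted".
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    # Order matters: loopback and already-known connections are accepted
    # first, then the per-service allows, then the rate-limited ping.
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    # management (SSH, assumed) only from the LAN side
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # FTP is not offered on the WAN side (course Example 5)
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 21 -j DROP
    # answer ping, but at most 6 per minute with a burst of 10 (Example 11)
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # forwarding: LAN hosts out, replies back, and the DNAT'ed web traffic in
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

nat_rules() {
    # DNAT: inbound port 80 on the external address goes to the web server
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$OUT_IP" --dport 80 -j DNAT --to "$WEB_SERVER:80"
    # SNAT belongs in POSTROUTING (never PREROUTING): LAN hosts leave with OUT_IP
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to "$OUT_IP"
}

apply_rules() {
    reset_tables
    filter_rules
    nat_rules
}

# Only "apply" touches the live tables; sourcing the file or running it
# with IPT=echo lets you review the rule order first.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```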
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys
DES/3DES/AES/Blowfish
[Diagram: Tom encrypts the plaintext with the secret key into the ciphertext; Bob decrypts the ciphertext with the same secret key back into the plaintext]
1-3 Hash (Digest) Function
Ensures data integrity
MD5/SHA-1
[Diagram: Tom computes Message Digest 1 = Hash(Data) and sends Data + Message Digest 1; Bob computes Message Digest 2 over the received Data with the same hash function and compares it with Message Digest 1]
1-4 Message Authentication Code
Ensures data integrity
Uses a key to protect the MAC
HMAC/CBC-MAC
[Diagram: Tom computes Message Digest 1 = Hash(Data), encrypts it with the secret key to form the MAC and sends Data + MAC; Bob computes Message Digest 2 = Hash(Data), decrypts the MAC with the same secret key to recover Message Digest 1, and compares the two]
1-5 Asymmetric Encryption
Things to remember:
• Key pair - public/private keys
• In a session one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other even if you have access to the clear text and the cipher text
• The two keys are interchangeable: all algorithms make no difference between public and private key; when a key pair is generated, any of the two can be public or private
• Less efficient than a static key
• RSA/Diffie-Hellman
[Diagram: clear text → encryption → cipher text]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair) - confidentiality check]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair) - authenticity check]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - uses the public key and a hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
3-3 TAP Configuration - VPN Server
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
• [At VPN Client] vi /etc/openvpn/tapclient.conf
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
• Edit the static routings: vi /etc/openvpn/tapserver.sh
• [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
• [At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input default_days, default_bits ... etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
• txxserver.conf
• txxclient.conf
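The slides name tunserver.conf/tunclient.conf (3-2) and the TLS modifications of 3-4-3 but do not reproduce their contents, so here is an added example, not the slides' own files, that generates a matching pair of OpenVPN 2.0 TUN configurations for the LAN A / LAN B layout of 3-1, in either static-key or easy-rsa (TLS) mode. The tunnel endpoint addresses 10.8.0.1/10.8.0.2 are this example's own choice, the route directives stand in for the slides' tunserver.sh/tunclient.sh scripts, and every name below (SERVER_IP, LAN_A, LAN_B, write_tun_configs, ...) is the example's own.

```shell
#!/bin/sh
# Added example (not the slides' tunserver.conf/tunclient.conf): generate a
# matching pair of OpenVPN 2.0 TUN configuration files for the LAN A / LAN B
# layout, with the static pre-shared key of 3-2 or the easy-rsa
# certificates of 3-4. Tunnel addresses 10.8.0.1/10.8.0.2 are this example's
# own choice; all variable and function names are the example's own.
SERVER_IP="${SERVER_IP:-192.168.12.201}"   # VPN server ixp0, from the diagram
LAN_A="${LAN_A:-10.0.1.0 255.255.255.0}"   # LAN behind the server
LAN_B="${LAN_B:-10.0.2.0 255.255.255.0}"   # LAN behind the client

# Directives shared by both ends. cipher/auth are chosen explicitly so both
# peers agree (OpenVPN refuses mismatched settings); AES-128-CBC is one of
# the algorithms the UC-7400 hardware engine accelerates (section 1-8-1).
common_conf() {
    cat <<EOF
dev tun
proto udp
port 1194
cipher AES-128-CBC
auth SHA1
ping 10
ping-restart 60
persist-key
persist-tun
comp-lzo
verb 3
EOF
}

# $1 = mode: "static" (key from openvpn --genkey) or "tls" (easy-rsa files).
tun_server_conf() {
    common_conf
    echo "ifconfig 10.8.0.1 10.8.0.2"
    echo "route $LAN_B"           # LAN B is reached through the tunnel
    case "$1" in
        static) echo "secret static.key" ;;
        tls)    printf '%s\n' "tls-server" "dh dh1024.pem" "ca ca.crt" "cert server.crt" "key server.key" ;;
        *)      echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

tun_client_conf() {
    common_conf
    echo "remote $SERVER_IP"      # the client must know the server address
    echo "ifconfig 10.8.0.2 10.8.0.1"
    echo "route $LAN_A"
    case "$1" in
        static) echo "secret static.key" ;;
        tls)    printf '%s\n' "tls-client" "ca ca.crt" "cert client.crt" "key client.key" "ns-cert-type server" ;;
        *)      echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Write both files into a directory (e.g. /etc/openvpn); fails on an
# unknown mode. Usage: write_tun_configs static /etc/openvpn
write_tun_configs() {
    mode="$1"; dir="$2"
    tun_server_conf "$mode" > "$dir/tunserver.conf" || return 1
    tun_client_conf "$mode" > "$dir/tunclient.conf" || return 1
}

if [ "$#" -eq 2 ]; then write_tun_configs "$1" "$2"; fi
```

Run it as `sh gen-tun.sh static /etc/openvpn` on both boxes, copy static.key (or the easy-rsa files) next to the generated configuration, and start each side with `openvpn --config` as in 3-2. The `ns-cert-type server` line on the client is what prevents one client certificate from impersonating the server when all certificates come from the same CA.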
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range, 0 to 300 VDC, & right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
• F3 Alarm Setting: Temperature → Voltage → burning throughput
• F4 Configuration Key
• F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
Agenda
1) Firewall, NAT and iptables
2) Rules, Chains, Tables
3) Usage of iptables
4) Hands-On Practice: 1) Packet Filter, 2) NAT Machine
4-1 Packet Filter - Rules of the filter table
Example 1 - Accept all the packets incoming from the lo interface
iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2 - Accept all the TCP packets incoming from IP = 192.168.0.1
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 3 - Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 - Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter - Rules of the filter table
Example 5 - Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 - Accept TCP packets incoming from IP 192.168.0.24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.24 --dport 137:139 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 7 - Log all the incoming/outgoing TCP packets to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC7110 does not support the target "LOG"
4-1 Packet Filter - Rules of the filter table
Example 8 - Drop all the [syn] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 - Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 - Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 - ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 12 - Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter - Rules of the filter table
Example 13 - Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 - Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
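Examples 1 to 14 above are shown one at a time; what a practitioner needs is the order in which they go into the INPUT chain, because iptables stops at the first matching rule. The script below is an added example, not part of the Moxa slides, that assembles a working INPUT chain from those rules. IPT, WAN_IF, ADMIN_NET and BAD_HOST are this example's own names and the addresses are constructed samples; with the default IPT it only prints the commands, and becomes live when IPT is pointed at the real binary and run as root.

```shell
#!/bin/sh
# Added example (not from the Moxa slides): the INPUT chain of the filter
# table assembled from the rules of Examples 1-14, in an order that works.
# IPT, WAN_IF, ADMIN_NET and BAD_HOST are this example's own names; the
# addresses are constructed samples. With the default IPT the script only
# prints the commands (dry run); set IPT=/sbin/iptables as root to apply.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # constructed, as in Example 3
BAD_HOST="${BAD_HOST:-192.168.1.25}"       # constructed, as in Example 4

# One rule per line, all for the filter table. Order matters: iptables
# stops at the first match, so the DROP for BAD_HOST must precede the
# ACCEPT for ADMIN_NET (Examples 3 and 4 in the slide order would never
# drop anything), and the stateful ACCEPT comes early so replies to our
# own connections are not evaluated against every later rule. The policy
# is DROP, so anything not listed is silently discarded.
filter_rules() {
    cat <<EOF
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $WAN_IF -p tcp -s $BAD_HOST -j DROP
-A INPUT -i $WAN_IF -p tcp -s $ADMIN_NET -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --syn --dport 21 -j LOG --log-prefix FTP-DROP:
-A INPUT -i $WAN_IF -p tcp --dport 21 -j DROP
-A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
EOF
}

# Feed every rule to iptables; the word splitting of $rule is intentional.
apply_filter_rules() {
    filter_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPT -t filter $rule || return 1
    done
}

# 1-based position of the first rule matching a pattern, for sanity checks
# such as "is the host DROP really above the subnet ACCEPT?".
rule_index() {
    filter_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

apply_filter_rules
```

The LOG rule sits directly above the DROP it documents and matches only SYN packets, so a connection attempt produces one log line rather than one per retransmitted segment; on the UC7110, which lacks the LOG target, drop that line and keep the rest.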
4-2 NAT Machine
Example 1 - Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 leaving via ppp0 to be the local ppp0's IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 - DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
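The NAT examples above show the nat-table rules in isolation. The following added example, which is not from the Moxa slides, puts them together into a small NAT machine: IP forwarding, masquerading behind a dynamic ppp0 address, a DNAT port forward to an internal web server, and the filter-table FORWARD rules without which the translated packets are dropped as soon as the FORWARD policy is DROP. LAN_IF, LAN_NET, WEB_SRV, OUT_IF, IPT and IP_FORWARD are this example's own names and the addresses are constructed samples; by default it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the Moxa slides): a NAT machine for section 4-2,
# including the FORWARD rules the slides leave out. LAN_IF, LAN_NET,
# WEB_SRV, OUT_IF, IPT and IP_FORWARD are this example's own names; the
# addresses are constructed samples. Default is a dry run that prints.
IPT="${IPT:-echo iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.127.0/24}"
WEB_SRV="${WEB_SRV:-192.168.127.10}"
OUT_IF="${OUT_IF:-ppp0}"   # dynamic address, hence MASQUERADE rather than SNAT

# Routing between interfaces is off by default; without this the box never
# forwards anything and the nat table never sees the traffic.
enable_forwarding() {
    echo 1 > "$IP_FORWARD"
}

# MASQUERADE is only valid in POSTROUTING (it rewrites the source after the
# routing decision); DNAT belongs in PREROUTING. The filter-table FORWARD
# rules are what actually let the translated packets through once the
# FORWARD policy is DROP: a DNAT rule alone silently drops the connection.
# Only new connections to the published web port are accepted inbound;
# everything else from outside must be a reply to a LAN-initiated flow.
nat_rules() {
    cat <<EOF
-t nat -A POSTROUTING -s $LAN_NET -o $OUT_IF -j MASQUERADE
-t nat -A PREROUTING -i $OUT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
-t filter -P FORWARD DROP
-t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-t filter -A FORWARD -i $LAN_IF -o $OUT_IF -s $LAN_NET -j ACCEPT
-t filter -A FORWARD -i $OUT_IF -o $LAN_IF -p tcp -d $WEB_SRV --dport 80 -m state --state NEW -j ACCEPT
EOF
}

# Feed every rule to iptables; the word splitting of $rule is intentional.
apply_nat_rules() {
    nat_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule || return 1
    done
}

# Chain in which a given target is installed, for sanity checks.
chain_of() {
    nat_rules | grep -- "-j $1" | head -n 1 | awk '{print $4}'
}

apply_nat_rules
```

Call enable_forwarding before apply_nat_rules on the real box (it needs root to write /proc). Because the last FORWARD rule is restricted to the web server's port and to NEW connections arriving on ppp0, the DNAT exposes exactly one service; the LAN-side rule still lets every LAN host out, which is where a site would add its own egress restrictions.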
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: (n-1)n/2 keys
• DES/3DES/AES/Blowfish
(Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts it with the same secret key back into the plaintext)
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5/SHA-1
(Diagram: Tom runs the data through the hash function to obtain Message Digest 1 and sends Data + Message Digest 1; Bob runs the same hash function over the received data to obtain Message Digest 2 and compares the two digests)
1-4 Message Authentication Code
• Ensures data integrity
• Uses a key to protect the MAC
• HMAC/CBC-MAC
(Diagram: Tom hashes the data to Message Digest 1, encrypts the digest with the secret key to form the MAC and sends Data + MAC; Bob hashes the received data to Message Digest 2, decrypts the MAC with the secret key to recover Message Digest 1 and compares the two)
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to the clear text and the cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be the public or the private one
• Less efficient than a static key
• RSA/Diffie-Hellman
(Diagram: clear text → encryption → cipher text "g$5knvMd'rk vegMs")
1-5 Asymmetric Data Encryption
(Diagram, confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key; the recipient's key pair is used)
1-5 Asymmetric Data Encryption
(Diagram, authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key; the sender's key pair is used)
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: use the public key and a hash
1-6 Digital Signature - Creating
(Diagram: the message or file "This is the document created by Gianni" is hashed (SHA, MD5) into a short message digest "Py75cbn", typically 128 bits, calculated from even a long input with a one-way message digest function; the digest is encrypted with the signatory's private key by asymmetric encryption (RSA) to give the digital signature "3kJfgf£$&"; message plus signature form the signed document)
1-6 Digital Signature - Verifying
(Diagram: from the signed document the verifier hashes the message to obtain the message digest "Py75cbn", decrypts the digital signature "3kJfgf£$&" with Gianni's public key (from his certificate) by asymmetric decryption, and compares the two digests)
1-6 Digital Signature
(Diagram: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to form the digital signature; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1 and compares the two)
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend, or a CA)
(Diagram: certificate = public key "2wsR46frdEWWrswe(^$G^DvtrsdFDfd367" + "This public key belongs to Stephen" + digital signature "3kJfgf£$&4dser4358g6gd7dT"; the entity can be a person, a computer, a device, a file, some code, anything ...)
1-7-1 CA Certificate
(Diagram: the certification server's CA generates a key pair (priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert); the private key and the certificate are sent to the user)
1-7-1 CA Certificate Example
(Diagram: the CA private key signs the Left cert, the Right cert and the CA pub key itself; Left holds its private key, its cert signed by the CA and the CA pub key; Right holds its private key, its cert signed by the CA and the CA pub key; Left and Right trust each other through the CA pub key)
1-7-2 SSL/TLS
(Diagram: each side holds its own key pair (priv, pub) and the peer's pub; the clear text is encrypted (Cipher 1), encrypted again (Cipher 2), transmitted over the public network, and decrypted twice back into the clear text)
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which openssl wraps too
1-8-2 Performance
(Charts: throughput rate of 3DES-CBC and AES128-CBC, software versus hardware cipher (the "= HW Cipher" series), plotted against packet sizes of 128 to 1280 bytes and of 16 to 144 bytes; the axis ticks are not reproduced here)
1-8-3 Things to be noticed
• The Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or a busy engine causes the switch
• Small packets are switched to the software approach: DES 128 bytes; 3DES/AES 64 bytes
1-8-4 Software Package
• Driver: mxhw_cipher.o
• Device file: mknod /dev/mxcrypto c 11 131
• Test program: io (correctness test); io 0 5000 (stability test); io 1 (golden pattern); io 2 20000 (performance test)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN?
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN?
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN?
Peers - each node with a client/server role
• In use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
  HMAC | IV | SeqN | IP payload
  SeqN and the IP payload are encrypted; the HMAC covers the IV and the encrypted part
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
• Bridging and routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
• Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
(Diagram: the OSI stacks of the two hosts, Physical / Data-Link / Network / Transport / Session / Presentation / Application; OpenVPN runs in the application layer and attaches to the TUN device at layer 3)
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          create an Ethernet bridge
brctl addif br0 eth1     connect interface eth1 as a port
brctl addif br0 tap0     connect virtual interface tap0 as a port
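The three brctl calls above are the core of the bridge script the slides refer to as openvpn-bridge but do not show. What follows is an added example of such a script, not Moxa's own: it creates the TAP device, builds br0 from eth1 and tap0, moves the LAN address onto the bridge, and tears everything down again in reverse. BR, ETH, TAP, BR_IP, BR_MASK and the command variables are this example's own names, the address is a constructed sample matching the "br0 = 10.0.1.254" note of section 3-3, and with the defaults the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not Moxa's openvpn-bridge script): start/stop a br0 bridge
# joining eth1 and tap0, as on the slide above. BR, ETH, TAP, BR_IP,
# BR_MASK and the command variables are this example's own names; the
# address is a constructed sample. With the defaults every command is
# printed instead of executed (dry run); clear the echo to run for real.
BRCTL="${BRCTL:-echo brctl}"
IFCONFIG="${IFCONFIG:-echo ifconfig}"
OPENVPN="${OPENVPN:-echo openvpn}"
BR="${BR:-br0}"
ETH="${ETH:-eth1}"
TAP="${TAP:-tap0}"
BR_IP="${BR_IP:-10.0.1.254}"        # the bridge takes over the LAN gateway address
BR_MASK="${BR_MASK:-255.255.255.0}"

# Create the persistent TAP device first (openvpn --mktun), then the bridge,
# then add both ports. The ports themselves carry no address and run in
# promiscuous mode so the bridge sees every frame; the only address lives on
# br0, which is what the kernel routes through (the slide's "br0 = 10.0.1.254").
bridge_start() {
    $OPENVPN --mktun --dev "$TAP" || return 1
    $BRCTL addbr "$BR" || return 1
    $BRCTL addif "$BR" "$ETH" || return 1
    $BRCTL addif "$BR" "$TAP" || return 1
    $IFCONFIG "$TAP" 0.0.0.0 promisc up || return 1
    $IFCONFIG "$ETH" 0.0.0.0 promisc up || return 1
    $IFCONFIG "$BR" "$BR_IP" netmask "$BR_MASK" up
}

# Tear down in reverse order. eth1 gets its own address back from the
# system's normal interface startup, which this script does not replace.
bridge_stop() {
    $IFCONFIG "$BR" down || return 1
    $BRCTL delbr "$BR" || return 1
    $OPENVPN --rmtun --dev "$TAP"
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    *)       echo "usage: $0 {start|stop|restart}" >&2 ;;
esac
```

Run the bridge script before starting OpenVPN in TAP mode, since the tapserver.conf side expects tap0 to exist and already be a bridge port; bringing OpenVPN up first would create a tap0 that is not bridged and nothing on LAN A would see the tunnel.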
(Diagram: the OSI stacks of the two hosts, Physical / Data-Link / Network / Transport / Session / Presentation / Application; OpenVPN attaches to the TAP device at layer 2 (TUN would be layer 3); on each host eth1 and tap0 are bridged, while eth0 carries the tunnel)
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing, and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Accept all the packets incoming from lo interface
Example 2 ndash Accept all the TCP packets incoming from
IP = 19216801
iptables ndasht filter ndashA INPUT ndashi lo ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 19216801 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 3 ndash Accept all the TCP packets incoming from the network
1921681024
Example 4 ndash Drop all the TCP packets incoming from IP = 192168125
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 1921681024 -j ACCEPT
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndashs 192168125 ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 5 ndash Drop all the Incoming TCP packets with dst Port = 21
(forbid FTP Connection from eth0)
Example 6 ndash Accept TCP packets incoming from IP 192168024 to
local port number 137138 and 139
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp
ndash ndashdport 21 ndashj DROP
iptables ndasht filter ndashA INPUT ndashi eth0 ndashp tcp ndashs
192168024 ndash ndashdport 137139 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption
Things to remember
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between the public and the private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static key
• RSA/Diffie-Hellman
[Diagram: clear text → Encryption → cipher text]
1-5 Asymmetric Data Encryption
[Diagram, recipient's key pair: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key]
Confidentiality check
1-5 Asymmetric Data Encryption
[Diagram, sender's key pair: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key]
Authenticity check
1-6 Digital Signature
Real world – hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – use the public key and hash
1-6 Digital Signature - Creating
[Diagram: Message or File ("This is the document created by Gianni") → Generate hash (SHA, MD5) → Message Digest (Py75c%bn, typically 128 bits) → Asymmetric encryption (RSA) with the signatory's private key → Digital Signature (3kJfgf*£$&); the Signed Document is the message plus the digital signature]
Calculate a short message digest from even a long input, using a one-way message digest function (hash)
1-6 Digital Signature - Verifying
[Diagram: the Signed Document is split into the message and the digital signature; Generate hash over the message → Message Digest (Py75c%bn); Asymmetric decryption of the digital signature with Gianni's public key (from certificate) → Message Digest (Py75c%bn); Compare the two]
1-6 Digital Signature
[Diagram: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to form the digital signature, sending signature + data; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two]
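The three "Compare" steps of slides 1-3, 1-4 and 1-6 carried out in Go, as an added example that is not part of the original deck: it uses the standard library (SHA-256, HMAC-SHA256 and RSA PKCS#1 v1.5 rather than the MD5/SHA-1 named on the slides), and the message, the shared key and the tampering step are constructed for the example. It shows why a plain digest alone gives integrity but not authenticity: an intermediary can recompute it, while the keyed MAC and the signature fail.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Digest is slide 1-3: the sender ships data + digest, the receiver
// recomputes the digest over what arrived and compares.
func Digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// CheckDigest is Bob's "Compare" step for a plain (unkeyed) digest.
func CheckDigest(data, digest []byte) bool {
	return bytes.Equal(Digest(data), digest)
}

// Mac is slide 1-4: the digest is protected by a key (HMAC-SHA256).
func Mac(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// CheckMac compares in constant time, as a MAC check should.
func CheckMac(key, data, tag []byte) bool {
	return hmac.Equal(Mac(key, data), tag)
}

// NewKeyPair generates the signatory's key pair (the "priv"/"pub" of slide 1-6).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign is slide 1-6 "Creating": hash the message, then apply the private key
// to the digest. rsa.SignPKCS1v15 performs that private-key operation.
func Sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(data))
}

// Verify is slide 1-6 "Verifying": recompute the digest from the received
// message and check it against the digest recovered from the signature with
// the public key.
func Verify(pub *rsa.PublicKey, data, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(data), sig) == nil
}

// Tamper models an intermediary who alters the data in transit and, since the
// hash function is public, recomputes the plain digest to match. Constructed
// for this example to show why slide 1-3 alone is not enough.
func Tamper(data []byte) (newData, newDigest []byte) {
	newData = bytes.Replace(data, []byte("100"), []byte("900"), 1)
	return newData, Digest(newData)
}

func main() {
	key := []byte("constructed-shared-secret")
	msg := []byte("transfer 100 EUR to Bob")
	digest, tag := Digest(msg), Mac(key, msg)
	fmt.Println("digest check on original:           ", CheckDigest(msg, digest)) // true

	bad, badDigest := Tamper(msg)
	fmt.Println("plain digest matches after tampering:", CheckDigest(bad, badDigest)) // true
	fmt.Println("HMAC matches after tampering:        ", CheckMac(key, bad, tag))     // false

	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	sig, err := Sign(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verifies on original:", Verify(&priv.PublicKey, msg, sig)) // true
	fmt.Println("signature verifies on tampered:", Verify(&priv.PublicKey, bad, sig)) // false
}
```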
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: Certificate = public key + "This public key belongs to Stephen" + digital signature; the entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Diagram: the Certification Server (CA) generates a key pair (priv, pub); the user requests a certificate from the CA; the CA generates the certificate (the user's pub + DS, the CA's digital signature); the private key and the certificate are sent to the user]
Right cert signed by CA; Left cert signed by CA; CA pub key signed by CA (self-signed)
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key; Left and Right both trust the CA. Left holds its own private key, the CA pub key and the Left cert signed by the CA; Right holds its own private key, the CA pub key and the Right cert signed by the CA]
1-7-2 SSL/TLS
[Diagram: each side holds its own key pair (priv, pub) and the other side's pub. Sender: clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → transmission over the public network; receiver: Cipher 2 → Decrypt → Cipher 1 → Decrypt → clear text]
• Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, Identity, Non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm methods: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithm – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Plots: 3DES-CBC and AES128-CBC throughput (RATE) versus packet size, software versus hardware cipher; upper row 128–1280 bytes, lower row 16–144 bytes; shaded = HW Cipher]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy engine causes the switch
Small packets are switched to the software approach
• DES: under 128 bytes
• 3DES/AES: under 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• In use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Packet layout: HMAC | IV | SeqN | payload; SeqN and payload are encrypted, and the HMAC covers the IV and the encrypted part]
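The packet layout on this slide (HMAC | IV | SeqN | payload, with SeqN and payload encrypted and the HMAC over the IV plus the ciphertext) implemented in Go as an added example; this is not OpenVPN's own code. It assumes AES-128-CBC with PKCS#7 padding and HMAC-SHA1 from the standard library, constructed keys and messages, and a strictly-increasing sequence-number policy instead of OpenVPN's sliding replay window. The receiver verifies the HMAC before decrypting and drops any sequence number it has already accepted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout: 20-byte HMAC-SHA1 first, 16-byte clear IV, then the ciphertext of (64-bit SeqN | payload).
const tagLen, ivLen, seqLen = sha1.Size, aes.BlockSize, 8

// Tunnel holds one direction's keys plus replay state (constructed for this example).
type Tunnel struct {
	block            cipher.Block // AES-128
	macKey           []byte
	nextSeq, lastSeq uint64 // sender: last used; receiver: highest accepted
}

func NewTunnel(encKey, macKey []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return &Tunnel{block: block, macKey: macKey}, nil
}

// pad and unpad implement PKCS#7 so any payload length fits CBC blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// tag is the HMAC over IV and ciphertext, the span the slide marks "HMAC".
func (t *Tunnel) tag(iv, ct []byte) []byte {
	m := hmac.New(sha1.New, t.macKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// Seal builds HMAC | IV | Enc(SeqN | payload) for the next packet.
func (t *Tunnel) Seal(payload []byte) ([]byte, error) {
	t.nextSeq++
	plain := make([]byte, seqLen, seqLen+len(payload)+aes.BlockSize)
	binary.BigEndian.PutUint64(plain, t.nextSeq)
	plain = pad(append(plain, payload...))
	iv := make([]byte, ivLen) // fresh random IV per packet
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(t.block, iv).CryptBlocks(ct, plain)
	pkt := append(t.tag(iv, ct), iv...)
	return append(pkt, ct...), nil
}

// Open checks the HMAC before touching the ciphertext, decrypts, validates the padding and rejects replays.
func (t *Tunnel) Open(pkt []byte) ([]byte, error) {
	if len(pkt) < tagLen+ivLen+aes.BlockSize || (len(pkt)-tagLen-ivLen)%aes.BlockSize != 0 {
		return nil, errors.New("bad packet length")
	}
	tag, iv, ct := pkt[:tagLen], pkt[tagLen:tagLen+ivLen], pkt[tagLen+ivLen:]
	if !hmac.Equal(t.tag(iv, ct), tag) {
		return nil, errors.New("HMAC mismatch: packet dropped")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(t.block, iv).CryptBlocks(plain, ct)
	plain, err := unpad(plain)
	if err != nil || len(plain) < seqLen {
		return nil, errors.New("malformed plaintext")
	}
	seq := binary.BigEndian.Uint64(plain[:seqLen])
	if seq <= t.lastSeq {
		return nil, errors.New("replayed packet")
	}
	t.lastSeq = seq
	return plain[seqLen:], nil
}

func main() {
	a, _ := NewTunnel([]byte("0123456789abcdef"), []byte("constructed-hmac-key"))
	pkt, _ := a.Seal([]byte("ping from LAN A")) // sender side
	out, err := a.Open(pkt)                     // receiver side of the same object: lastSeq still 0
	fmt.Printf("first delivery: %q err=%v\n", out, err)
	_, err = a.Open(pkt)
	fmt.Println("same packet again:", err) // replayed packet
}
```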
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic Firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Diagram: the OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) of the two endpoints; OpenVPN runs at the application layer and the TUN device attaches at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 (create an Ethernet bridge)
brctl addif br0 eth1 (connect interface eth1 as a port)
brctl addif br0 tap0 (connect virtual interface tap0 as a port)
[Diagram: the OSI stacks of the two endpoints; OpenVPN runs at the application layer, the TAP device attaches at layer 2 (Data-Link) where TUN attaches at layer 3; on each side eth1 and tap0 are bridged, and eth0 carries the tunnel traffic]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Topology diagram]
LAN A: hosts with IP 10.0.1.1/24, gw 10.0.1.254
VPN Server (also the CA/TLS server): ixp1 10.0.1.254 (LAN A side), ixp0 192.168.12.201 (public side)
VPN Tunnel: the client connects from 192.168.12.202 to 192.168.12.201
VPN Client: ixp0 192.168.12.202 (public side), ixp1 10.0.2.254 (LAN B side)
LAN B: hosts with IP 10.0.2.1/24, gw 10.0.2.254
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and modify "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
2nd argument of "ifconfig", which is now "10.0.2.254"
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routings: vi /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input the default_days, default_bits … etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certificated in the same way
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
Copy the CA certificate, the client key and the client certificate to the VPN client
The "easy-rsa" tools also work on the UC7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range, 0 to 300 VDC, and right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier / Model name
ASUS / WL-107g
CNET / CWC-854 (181D version)
Edimax / EW-7108PCg
Amigo / AWP-914WG
Gigabyte / GN-WMKG
Others which use the Ralink chipset
Thank You
4-1 Packet Filter – Rules of filter table
Example 3 – Accept all the TCP packets incoming from the network 192.168.1.0/24
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
Example 4 – Drop all the TCP packets incoming from IP = 192.168.1.25
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP
4-1 Packet Filter – Rules of filter table
Example 5 – Drop all the incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6 – Accept TCP packets incoming from IP 192.168.0.0/24 to local port numbers 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 7 – Log all the incoming/outgoing TCP packets with to/from port = 25 (log the SMTP service)
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: UC7110 does not support the target "LOG"
4-1 Packet Filter – Rules of filter table
Example 8 – Drop all the [SYN] packets from IP = 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9 – Drop all the packets from MAC = aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – ICMP "ping" burst (default policy DROP, then accept ICMP at a limited rate)
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 12 – Accept the ESTABLISHED/RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine – Rules of nat table
Example 1 – Redirect the connection requests of port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the packets coming from 192.168.1.0/24 to be the local ppp0's IP (the MASQUERADE target is only valid in the POSTROUTING chain)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75) and TCP port 80 to the internal web server 192.168.127.10:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to-destination 192.168.127.10:80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10 and TCP port 80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to-source $OUT_IP
Thank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to carry non-IP protocols such as IPX/NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (hosts such as 10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN Server, whose LAN port ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201. LAN B (hosts such as 10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN Client, ixp1 10.0.2.254, ixp0 192.168.12.202. The VPN tunnel connects the two ixp0 addresses; a CA/TLS server is also on the network]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create and start the bridge interface with the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local and remote VPN (tunnel) IP addresses must be specified with "ifconfig".
It is NECESSARY to specify the server address ("remote") at the VPN client.
Edit the static routing script: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
Note the 2nd argument of "ifconfig", the remote tunnel endpoint, which here is "10.0.2.254"; the client configuration lists the same two addresses in the opposite order, since its first argument is its own end.
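The slides show tunserver.conf and tunclient.conf only as screenshots. The following added example (not Moxa's configuration) is a shell script that writes a matching static-key pair for the 3-1 topology. The outside addresses 192.168.12.201/202 and the LAN prefixes 10.0.1.0/24 and 10.0.2.0/24 are the lab values; the tunnel endpoints 10.8.0.1 (server) and 10.8.0.2 (client), UDP port 1194, the cipher and digest choice and the key path /etc/openvpn/static.key are assumptions. The two "route" lines do what the tunserver.sh and tunclient.sh scripts do, and the swapped "ifconfig" arguments make the note above concrete.

```shell
#!/bin/sh
# Added example, not from the Moxa slides: generate a static-key TUN
# configuration pair for the lab topology in section 3-1.
# Assumed: server ixp0 192.168.12.201, LAN A 10.0.1.0/24 behind the server,
# LAN B 10.0.2.0/24 behind the client, tunnel endpoints 10.8.0.1 / 10.8.0.2.

SERVER_WAN=${SERVER_WAN:-192.168.12.201}
TUN_SERVER=${TUN_SERVER:-10.8.0.1}
TUN_CLIENT=${TUN_CLIENT:-10.8.0.2}
LAN_A=${LAN_A:-10.0.1.0}
LAN_B=${LAN_B:-10.0.2.0}
KEY=${KEY:-/etc/openvpn/static.key}

# Options both ends share; peers must agree on cipher, digest and key file.
common_options() {
  cat <<EOF
dev tun
proto udp
port 1194
secret $KEY
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Write tunserver.conf and tunclient.conf into directory $1.
write_tun_configs() {
  dir=$1
  mkdir -p "$dir"
  {
    printf '# server side: no "remote", it waits for the client to connect\n'
    printf 'ifconfig %s %s\n' "$TUN_SERVER" "$TUN_CLIENT"   # 1st = own end, 2nd = remote end
    printf 'route %s 255.255.255.0\n' "$LAN_B"             # LAN B is reached through the tunnel
    common_options
  } > "$dir/tunserver.conf"
  {
    printf 'remote %s\n' "$SERVER_WAN"                     # the server address is required here
    printf 'ifconfig %s %s\n' "$TUN_CLIENT" "$TUN_SERVER"   # same pair, opposite order
    printf 'route %s 255.255.255.0\n' "$LAN_A"
    common_options
  } > "$dir/tunclient.conf"
}

# Generate the shared static key once; copy it to the client over a secure path.
gen_static_key() {
  openvpn --genkey --secret "$1" && chmod 600 "$1"
}

# Print the remote tunnel endpoint a configuration expects (2nd ifconfig argument).
remote_endpoint() {
  awk '$1 == "ifconfig" { print $3 }' "$1"
}

if [ "${1:-}" = "write" ]; then
  write_tun_configs "${2:-/etc/openvpn}"
fi
```

Run it as `sh tunpair.sh write /etc/openvpn` on the server, copy tunclient.conf and the static key to the client, and check with `remote_endpoint` that each file names the other side's tunnel address.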
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration: VPN Server
Comment out the marked line if both VPN networks are in the same subnet (a bridged LAN needs no route for it).
Edit the static routing script: vi /etc/openvpn/tapserver.sh; chmod +x /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
The route points the kernel at the bridge: br0 = 10.0.1.254
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
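The slides do not reproduce the Moxa openvpn-bridge script. The following added example is a start/stop script of the kind that section 2-3-2 and the 3-3 procedure call for, written in the order OpenVPN 2.0's own bridge-start/bridge-stop scripts use: create a persistent tap0 first, build br0 from eth1 and tap0, strip the address from the ports and give it to br0. It is example code, not Moxa's script; the interface names and the bridge address 10.0.1.254/24 are the lab values from 3-1, and DRY_RUN is an assumed switch that prints the commands instead of executing them. Only the LAN-side port is bridged; bridging the Internet-facing interface would put the outside network on the same Ethernet segment as the LAN.

```shell
#!/bin/sh
# Added example, not Moxa's openvpn-bridge: build br0 = eth1 + tap0 for TAP mode.
# Assumed: LAN interface eth1, bridge address 10.0.1.254/24 (the VPN server's
# LAN gateway in the 3-1 topology). DRY_RUN=1 prints instead of executing.

BR=${BR:-br0}
TAP=${TAP:-tap0}
ETH=${ETH:-eth1}                  # LAN side only; never bridge the outside port
IP=${IP:-10.0.1.254}
MASK=${MASK:-255.255.255.0}
BCAST=${BCAST:-10.0.1.255}

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

bridge_start() {
  run openvpn --mktun --dev "$TAP"           # persistent tap0, survives openvpn restarts
  run brctl addbr "$BR"
  run brctl addif "$BR" "$ETH"
  run brctl addif "$BR" "$TAP"
  run ifconfig "$TAP" 0.0.0.0 promisc up     # bridge ports carry no address of their own
  run ifconfig "$ETH" 0.0.0.0 promisc up
  run ifconfig "$BR" "$IP" netmask "$MASK" broadcast "$BCAST" up   # the LAN address moves to br0
}

bridge_stop() {
  run ifconfig "$BR" down
  run brctl delbr "$BR"
  run openvpn --rmtun --dev "$TAP"
  run ifconfig "$ETH" "$IP" netmask "$MASK" broadcast "$BCAST" up  # hand the address back to eth1
}

case "${1:-}" in
  start)   bridge_start ;;
  stop)    bridge_stop ;;
  restart) bridge_stop; bridge_start ;;
  "")      ;;                                # no argument: only define the functions
  *)       echo "usage: $0 {start|stop|restart}" >&2; exit 2 ;;
esac
```

Because the bridge takes over 10.0.1.254, the "ifconfig" or "route" lines in tapserver.conf and tapserver.sh refer to br0, not eth1, once the script has run.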
3-4-1 SSL/TLS: Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client.
Repeat the request and signing steps for the second client.
3-4-2 OpenVPN "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars (source them into the current shell): . /etc/openvpn/easy-rsa/vars
Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server (use build-key-server instead if the clients will check "ns-cert-type server"; it marks the certificate as a server certificate so that no client certificate can pose as the server)
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (the size comes from KEY_SIZE in vars, 1024 by default)
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server.
Copy the CA certificate, client key and client certificate to the VPN client.
The "easy-rsa" tools also work on the UC-7400 series.
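The two procedures above (3-4-1 with the OpenSSL CA script, 3-4-2 with easy-rsa) both come down to the same openssl operations. The following added example, which is neither the Moxa slides' content nor easy-rsa itself, performs them directly so that each step is visible: a self-signed CA, a server certificate carrying nsCertType=server (what easy-rsa's build-key-server adds and OpenVPN 2.0 clients check with "ns-cert-type server"), a client certificate, and the two checks the VPN peers later perform on each other. The names Moxa-Lab-CA, vpn-server and vpn-client, and the choice of RSA 2048, are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides or from easy-rsa: build CA, server and
# client credentials with plain openssl commands. Assumed CN values below.

# Build everything under directory $1; $2 = validity in days, $3 = RSA bits,
# pass "dh" as $4 to also create the Diffie-Hellman parameters (slow).
pki_build() {
  dir=$1; days=${2:-3650}; bits=${3:-2048}
  mkdir -p "$dir"
  # 1. CA root key pair and self-signed certificate (what build-ca does)
  openssl req -x509 -newkey "rsa:$bits" -nodes -days "$days" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Moxa-Lab-CA"
  # 2. server key and request, signed by the CA with server extensions (build-key-server)
  openssl req -newkey "rsa:$bits" -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=vpn-server"
  printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
    > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/server.ext" -out "$dir/server.crt"
  # 3. client key and request, signed with client extensions (build-key client)
  openssl req -newkey "rsa:$bits" -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=vpn-client"
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/client.ext" -out "$dir/client.crt"
  # 4. Diffie-Hellman parameters for the TLS key exchange (build-dh)
  [ "${4:-}" = dh ] && openssl dhparam -out "$dir/dh$bits.pem" "$bits"
  chmod 600 "$dir"/*.key            # private keys never leave the box unprotected
}

# Does certificate $2.crt chain to our CA? This is the check behind "ca ca.crt".
pki_verify() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Is $1 marked as a server certificate? This is the client's "ns-cert-type server" check;
# without it any holder of a client certificate could impersonate the server.
pki_is_server_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}
```

After `pki_build /etc/openvpn/keys`, ca.crt, server.key and server.crt go to the VPN server, ca.crt, client.key and client.crt to the client, and ca.key stays on the CA machine only.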
3-4-3 Configuration File Modification
txxserver.conf (tunserver.conf or tapserver.conf)
txxclient.conf (tunclient.conf or tapclient.conf)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple.
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability.
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN IP → Wi-Fi IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration key
F5 Main menu
Apache web server with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards.
• The compatible 802.11g wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914W
Gigabyte   GN-WMKG
Others that use the Ralink chipset
Thank YouThank You
4-1 Packet Filter: Rules of the filter table
Example 5: Drop all incoming TCP packets with destination port 21 (forbid FTP connections arriving on eth0)
iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: Accept TCP packets coming from the 192.168.0.0/24 network to local ports 137, 138 and 139
iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
4-1 Packet Filter: Rules of the filter table
Example 7: Log the incoming/outgoing TCP packets to/from port 25 (log the SMTP service). The rule shown covers the incoming direction; an OUTPUT rule with --sport 25 would log the replies.
iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC-7110 does not support the target "LOG".
4-1 Packet Filter: Rules of the filter table
Example 8: Drop all [SYN] packets from IP 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9: Drop all packets from MAC aa:bb:cc:dd:ee:ff
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10: Do not respond to "ping" (drop ICMP echo requests, type 8)
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: Tame an ICMP "ping" burst: with a default-deny INPUT policy, accept at most 6 ICMP packets per minute with a burst of 10. Note that the DROP policy also drops every other packet no ACCEPT rule matches, so the services the box offers need their own rules.
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter: Rules of the filter table
Example 12: Accept the ESTABLISHED and RELATED packets of the local host; drop INVALID packets and NEW packets that try to open a connection. The order matters: iptables stops at the first matching rule, so the ACCEPT must come before the DROP.
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter: Rules of the filter table
Example 13: Check the packet integrity (the experimental "unclean" match)
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14: Enable the "passive mode" FTP service to a host; the FTP connection-tracking helper marks the data connections as RELATED to the control connection
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1: Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: Masquerade the packets from 192.168.1.0/24 behind the local ppp0 IP. MASQUERADE (and the -o output-interface match) is only valid in the POSTROUTING chain:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Example 3: DNAT the packets arriving on eth0 for 60.248.66.75, TCP port 80, to the internal web server 192.168.127.10, port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4: Redirect the incoming packets for TCP port 80 to 192.168.1.10, TCP port 80 (the same DNAT pattern as Example 3 with a different destination)
Outbound SNAT for the internal network, rewriting the source to the external address $OUT_IP:
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
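The examples in 4-1 and 4-2 are single rules. The following added example, which is not from the slides, assembles several of them (Examples 3, 6, 7, 11, 12 and 14) into one ordered ruleset for a UC-7400 acting as the gateway of the 4-2 topology, so that the points the individual examples only hint at become visible: default-deny policies, the state ACCEPT placed before anything that handles NEW packets, DNAT in PREROUTING and SNAT in POSTROUTING, and a FORWARD rule that matches the post-DNAT internal address. The assumptions are eth0 as the outside interface with public address 60.248.66.75, eth1 as the inside interface for 192.168.127.0/24, the web server 192.168.127.10, and a DRY_RUN switch that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the slides: an ordered filter + NAT ruleset for the
# UC-7400 as gateway. Assumed: eth0 outside (60.248.66.75), eth1 inside
# (192.168.127.0/24), web server 192.168.127.10. DRY_RUN=1 prints the commands.

WAN=${WAN:-eth0};  WAN_IP=${WAN_IP:-60.248.66.75}
LAN=${LAN:-eth1};  LAN_NET=${LAN_NET:-192.168.127.0/24}
WEB=${WEB:-192.168.127.10}

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

firewall_flush() {
  run iptables -t filter -F
  run iptables -t nat -F
}

firewall_apply() {
  # Default-deny for traffic to and through the box; locally generated traffic may leave.
  run iptables -t filter -P INPUT DROP
  run iptables -t filter -P FORWARD DROP
  run iptables -t filter -P OUTPUT ACCEPT

  # INPUT: the first matching rule wins, so replies are accepted before NEW is judged (Example 12).
  run iptables -t filter -A INPUT -i lo -j ACCEPT
  run iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -t filter -A INPUT -m state --state INVALID -j DROP
  # Management and NetBIOS only from the inside network on the LAN port (Example 6, narrowed).
  run iptables -t filter -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
  run iptables -t filter -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 137:139 -m state --state NEW -j ACCEPT
  # Rate-limited echo requests instead of dropping ping outright (Example 11).
  run iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 10 -j ACCEPT
  # Record SMTP probes from outside before the policy drops them (Example 7; no LOG target on the UC-7110).
  run iptables -t filter -A INPUT -i "$WAN" -p tcp --dport 25 -m state --state NEW -j LOG --log-prefix "smtp-probe: "

  # FORWARD: the LAN may open connections outward; from outside only the published web server is reachable.
  run iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -t filter -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
  # DNAT happens in PREROUTING, so the filter table already sees the internal address here.
  run iptables -t filter -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB" --dport 80 -m state --state NEW -j ACCEPT

  # Passive FTP through the box: the helper makes data connections RELATED (Example 14).
  run modprobe ip_conntrack_ftp

  # NAT: DNAT (Example 3) lives in PREROUTING, SNAT/MASQUERADE (Example 4) in POSTROUTING.
  run iptables -t nat -A PREROUTING -i "$WAN" -d "$WAN_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j SNAT --to-source "$WAN_IP"
}

if [ "${1:-}" = "apply" ]; then
  firewall_flush
  firewall_apply
fi
```

`DRY_RUN=1 sh firewall.sh apply` shows the rules in the order they would be appended; `sh firewall.sh apply` installs them. On a box with a dynamic outside address, replace the SNAT rule with MASQUERADE in the same POSTROUTING chain.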
Thank YouThank You
OpenVPN 2.0
Stephen Lin
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC-7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even when listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast; high efficiency for data transmission
Is it "secure" while transferring the key?
Key maintenance: n(n-1)/2 keys for n parties
DES / 3DES / AES / Blowfish
[Figure: Tom encrypts the plaintext with the shared secret key into ciphertext; Bob decrypts it back to plaintext with the same key]
1-3 Hash (Digest) Function
Ensures data integrity
MD5 / SHA-1
[Figure: Tom sends the Data together with Message Digest 1; Bob computes Message Digest 2 over the received Data with the same hash function and compares it with Message Digest 1]
A bare digest only detects accidental changes: an attacker who alters the data can recompute the digest as well, which is why the next step adds a key.
1-4 Message Authentication Code
Ensures data integrity, and that the data came from a holder of the key
Uses a secret key to protect the digest
HMAC / CBC-MAC
[Figure: Tom hashes the Data and protects Message Digest 1 with the secret key to form the MAC, then sends MAC + Data; Bob computes Message Digest 2 over the received Data, recovers Message Digest 1 from the MAC with the same secret key and compares the two. The slide models the MAC as an encrypted digest; HMAC actually mixes the key into the hash computation itself]
1-5 Asymmetric Encryption
Things to remember:
• Key pair: public/private keys
• In a session one key is used for encryption and the other for decryption
• The "public key" can be deployed everywhere
• The two keys are mathematically related, but from the public key you cannot derive the private key, even with access to clear text and cipher text
• For RSA the two keys play symmetric roles: when a key pair is generated, either one can be designated public and the other private. This is a property of RSA, not of every public-key algorithm; Diffie-Hellman and DSA keys are not interchangeable
• Less efficient than symmetric (static key) encryption
• RSA / Diffie-Hellman
[Figure: clear text encrypted into unreadable ciphertext]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair: confidentiality check]
1-5 Asymmetric Data Encryption
[Figure: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair: authenticity check]
1-6 Digital Signature
Real world: a hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: combine public-key cryptography with a hash
1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") is reduced with a one-way hash (SHA, MD5) to a short message digest, typically 128 bits for MD5; the digest is encrypted with the signatory's private key (RSA) to produce the digital signature; the signed document is the message plus the signature]
1-6 Digital Signature - Verifying
[Figure: the verifier recomputes the message digest of the received document and decrypts the signature with Gianni's public key, taken from his certificate; the two digests must compare equal]
1-6 Digital Signature
[Figure: the same flow with Tom and Bob: Tom hashes the Data and protects Message Digest 1 with Tom's private key to form the digital signature; Bob computes Message Digest 2 over the received Data, recovers Message Digest 1 with Tom's public key, and compares]
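Sections 1-3, 1-4 and 1-6 describe three checks that look alike in the diagrams but differ in who can produce a valid value. The following added example, not part of the slides, carries them out with the openssl command line on constructed data so the difference is visible: a plain digest is recomputable by anyone, a MAC needs the shared key, and a signature needs the private key while the public key suffices to verify it. The key names and the sample message are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: digest (1-3), HMAC (1-4) and RSA
# signature (1-6) with the openssl command line. Sample data is constructed here.

digest_of() {                       # 1-3: SHA-256 digest of file $1
  openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

hmac_of() {                         # 1-4: HMAC-SHA256 of file $1 under key $2
  openssl dgst -sha256 -hmac "$2" "$1" | awk '{ print $NF }'
}

make_keypair() {                    # 1-6: signer's RSA key pair -> $1.key (private), $1.pub
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

sign_file() {                       # 1-6: hash file $1, encrypt the digest with private key $2 -> $1.sig
  openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

verify_file() {                     # 1-6: recompute the digest and check it against $1.sig with public key $2
  openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Walk through all three checks on a constructed message; returns 0 when each
# behaves as the slides describe (integrity, keyed integrity, signature).
demo() {
  dir=$(mktemp -d)
  printf 'hello\n' > "$dir/msg"
  printf 'HELLO\n' > "$dir/tampered"

  [ "$(digest_of "$dir/msg")" != "$(digest_of "$dir/tampered")" ] || return 1   # the hash sees the change
  [ "$(hmac_of "$dir/msg" key1)" != "$(hmac_of "$dir/msg" key2)" ] || return 1  # wrong key, wrong MAC

  make_keypair "$dir/tom"
  sign_file "$dir/msg" "$dir/tom.key"
  verify_file "$dir/msg" "$dir/tom.pub" || return 1                # genuine document verifies
  cp "$dir/msg.sig" "$dir/tampered.sig"
  if verify_file "$dir/tampered" "$dir/tom.pub"; then return 1; fi  # altered document is rejected
  rm -rf "$dir"
  return 0
}
```

Source the file and run `demo`; it exits 0 only if every check came out as expected. Note that `verify_file` needs nothing but the public key, which is what lets a certificate carry it to strangers.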
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything]
1-7-1 CA Certificate
[Figure: the CA runs a certification server and generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (the user's public key plus identity, carrying the CA's digital signature); private key and certificate are sent to the user. When the key pair is generated on the CA machine, as here, the private key has to travel to the user over a protected path; generating it on the user's own device and sending only the request avoids that]
1-7-1 CA Certificate Example
[Figure: Left and Right each hold their own private key, their own certificate signed by the CA, and the CA public key (the CA's self-signed certificate). Left trusts Right's certificate, and Right trusts Left's, because each verifies under the CA public key that both hold]
1-7-2 SSL/TLS
[Figure: each side holds a private/public key pair; clear text is encrypted into Cipher 1 and Cipher 2, transmitted over the public network and decrypted back to clear text on the other side]
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, identity, non-repudiation
1-8 Moxa UC-7400 - Hardware Cipher
The Intel XScale supports:
• Security engines: DES, AES
• Cipher modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms: OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), where OpenSSL itself wraps it too
1-8-2 Performance
[Charts: throughput of 3DES-CBC and AES-128-CBC versus packet size, hardware cipher against software, with RATE = hardware/software ratio. Upper pair: packet sizes 128 to 1280 bytes, throughput axis 0 to 80, rate axis 0 to 8. Lower pair: packet sizes 16 to 144 bytes, throughput axis 0 to 8, rate axis 0 to 2.5. Hatched series = HW cipher]
1-8-3 Things to be noticed
The Moxa UC-7400 switches operations between the software and the hardware approaches
• Default: hardware approach
• Any misconfiguration, or a busy hardware engine, causes a switch to software
Small packets are handled in software:
• DES: packets smaller than 128 bytes
• 3DES/AES: packets smaller than 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
A VPN is a network constructed over public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (as SSL or SSH do)
A VPN allows the use of protocols that are insecure by themselves
VPN traffic cannot be controlled and logged easily because of its encrypted nature
2-2 Why OpenVPN?
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared (static) key or digital certificates (PKI)
Portability: supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN?
Peers: each node takes a client or server role
• Uses the kernel routing table
• Multiple clients
A user-space program
• A full-featured SSL VPN solution
• Built on top of the existing SSL/TLS mechanism
• Choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port (default 5000 in OpenVPN 1.x, 1194 in 2.0)
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as: HMAC | IV | encrypt(SeqN | IP payload)
• SeqN: 64-bit sequence number, used for replay protection
• IV: plaintext initialization vector, randomized per packet
• The HMAC is computed over the IV and the ciphertext (encrypt-then-MAC), so a tampered or forged packet is rejected before it is decrypted
2-2 OpenVPN vs IPsec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPsec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPsec
• IETF standard, multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 7 ndash Log all the IncomingOutgoing TCP packets with tofrom
Port = 25 (Log SMTP Service)
iptables ndasht filter ndashA INPUT ndashp tcp ndash ndashdport 25 ndashj LOG
Note UC7110 does not support the target ldquoLOGrdquo
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 8 ndash Drop all the [syn] packets from IP = 192168100200
Example 9 ndash Drop all the packets from MAC = aabbccddeeff
iptables ndasht filter ndashA INPUT ndashp tcp ndashi eth0
ndashs 192168100200 ndash ndashsyn ndashj DROP
iptables ndasht filter ndashA INPUT ndashp all
ndashm mac-source aabbccddeeff ndashj DROP
Example 10 ndash Does not response to ldquopingrdquo
Example 11 ndash ICMP ldquopingrdquo burst
iptables ndasht filter ndashA INPUT ndashp icmp ndash ndashicmpndashtype 8
ndashj DROP
iptables ndasht filter ndashP INPUT DROP
iptables ndasht filter ndashA INPUT ndashp icmp ndashm limit 6min
ndash ndashlimit-burst 10 ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys. In a session one is used for encryption and the other for decryption.
• The "public key" can be deployed everywhere.
• The relation between the two keys is hidden: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text.
• The slide states that the two keys are interchangeable and that the algorithms make no difference between public and private key. That holds for textbook RSA mathematics only: in practice the public exponent is small and published, so a pair cannot be used the other way round, and algorithms such as DSA and Diffie-Hellman have no such symmetry at all. Which half is private is decided when the pair is generated and never swapped afterwards.
• Much less efficient than a symmetric (static) key, so it protects keys and digests rather than bulk data.
• RSA, Diffie-Hellman (the latter is a key-agreement scheme rather than an encryption algorithm).
[Diagram: clear text → Encryption → unreadable cipher text such as "g$5knvMd'rk vegMs".]
1-5 Asymmetric Data Encryption: Confidentiality Check
[Diagram: Tom encrypts the plaintext with Bob's Public Key; Bob decrypts the ciphertext with Bob's Private Key. Recipient's key pair: only Bob can read the message.]
1-5 Asymmetric Data Encryption: Authenticity Check
[Diagram: Tom encrypts the plaintext with Tom's Private Key; Bob decrypts the ciphertext with Tom's Public Key. Sender's key pair: anyone can read the message, but only Tom could have produced it.]
1-6 Digital Signature
Real world: a hybrid of the hash function and the public-key operation, giving
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: the private-key operation is applied to a hash of the message rather than to the message itself.
1-6 Digital Signature - Creating
1. Calculate a short message digest from the (possibly long) message or file using a one-way message digest function (hash): SHA, MD5. The digest is 128 bits for MD5 and 160 bits for SHA-1 (the slide says "typically 128 bits").
2. Asymmetrically encrypt the digest with the signatory's private key (RSA). The result is the digital signature.
3. Attach the signature to the message: the signed document.
[Diagram: "This is the document created by Gianni" → Generate Hash → message digest "Py75c%bn" → Asymmetric Encryption with priv → digital signature "3kJfgf*£$&" → Signed Document = message + signature.]
1-6 Digital Signature - Verifying
1. Generate the hash of the received message: message digest "Py75c%bn".
2. Asymmetrically decrypt the attached digital signature with Gianni's public key (taken from his certificate): message digest "Py75c%bn".
3. Compare the two digests. Equal means the data is intact and was signed by the holder of the private key.
[Diagram: Tom hashes the data into Message Digest 1 and encrypts it with Tom's Private Key into the Digital Signature; Bob hashes the received data into Message Digest 2, decrypts the Digital Signature with Tom's Public Key back into Message Digest 1 and compares the two.]
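The three operations of 1-3, 1-4 and 1-6 driven through the openssl command line that the UC-7400 ships with, as an added example that is not part of the Moxa deck. File names, the sample message, the RSA-2048 key size and the use of SHA-256 for the signature (the slides list MD5 and SHA-1) are the example's own choices, not taken from the slides.

```shell
#!/bin/sh
# Added example (not from the Moxa deck): hash (1-3), MAC (1-4) and digital
# signature (1-6) with the openssl CLI. Assumed, not from the slides: file
# names, the sample message, RSA-2048, SHA-256 for the signature.
set -eu

# 1-3 Hash: prints the hex SHA-1 digest of a file.
sha1_of() {
    openssl dgst -sha1 "$1" | sed 's/^.*= *//'
}

# 1-4 MAC: prints the hex HMAC-SHA1 of a file under an ASCII key.
hmac_of() {
    openssl dgst -sha1 -hmac "$2" "$1" | sed 's/^.*= *//'
}

# 1-6 Key pair: writes PREFIX.key (private, mode 600) and PREFIX.pub (public).
gen_keypair() {
    ( umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null )
    openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

# 1-6 Signing: hash the file, apply the private key to the digest.
sign_file() {           # $1 = private key, $2 = file, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# 1-6 Verifying: recompute the digest, undo the signature with the public
# key, compare. Exit status 0 means "Verified OK", anything else means
# the data or the signature was altered.
verify_file() {         # $1 = public key, $2 = signature, $3 = file
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    # constructed sample data: a reading as the demo box would report it
    printf 'temperature=21.5 voltage=12.01\n' > "$work/msg.txt"
    printf 'temperature=99.5 voltage=12.01\n' > "$work/tampered.txt"

    echo "SHA-1 original : $(sha1_of "$work/msg.txt")"
    echo "SHA-1 tampered : $(sha1_of "$work/tampered.txt")"
    # the same data under two keys gives two unrelated tags
    echo "HMAC key1      : $(hmac_of "$work/msg.txt" key1)"
    echo "HMAC key2      : $(hmac_of "$work/msg.txt" key2)"

    gen_keypair "$work/tom"
    sign_file "$work/tom.key" "$work/msg.txt" "$work/msg.sig"
    if verify_file "$work/tom.pub" "$work/msg.sig" "$work/msg.txt"; then
        echo "signature over original : OK"
    fi
    if ! verify_file "$work/tom.pub" "$work/msg.sig" "$work/tampered.txt"; then
        echo "signature over tampered : REJECTED"
    fi
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found, skipping demo" >&2
fi
```

The tampered file changes one digit, and all three checks react differently: the hash simply changes (anyone could recompute it), the HMAC cannot be recomputed without the key, and the signature fails verification while still proving who signed the original.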
1-7 Certificate
The simplest certificate just contains
• a public key (for Stephen),
• information about the entity that is being certified to own that public key,
… and the whole is
• digitally signed by someone trusted (like your friend, or a CA).
The certified entity can be a person, a computer, a device, a file, some code, anything.
[Diagram: certificate = public key "2wsR46frd EWWrswe( ^$G^ DvtrsdFDf d367" + "This public key belongs to Stephen" + Digital Signature "3kJfgf£ $&4dser4 358g6gd7 dT".]
1-7-1 CA Certificate
[Diagram: the user requests a certificate from the CA (certification server); the CA generates a key pair (Priv, pub), then generates the certificate (pub + DS, the CA's digital signature over it); the private key and the certificate are sent to the user.]
In this flow the CA creates the user's private key and ships it, so the key exists outside the device it is meant to protect. The procedure in 3-4 uses the other model: the device generates its own key pair and sends the CA only a certificate request, and the private key never leaves the device.
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key. Left and Right each trust the CA public key, carried in the CA's own certificate, which is signed by the CA itself (a self-signed root). Left holds its private key and "Left Cert signed by CA"; Right holds its private key and "Right Cert signed by CA". Each side checks the other's certificate with the CA public key; the private keys themselves are never signed or exchanged, although the slide labels them "Priv Key signed by CA".]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair (Priv, pub) and the other side's pub. Clear text → Encrypt (Cipher 1) → Encrypt (Cipher 2) → transmission over the public network → Decrypt (back to Cipher 1) → Decrypt → clear text.]
• Ensures confidentiality, and integrity if digitally signed.
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation.
The double encryption in the diagram is a simplification. In real SSL/TLS the public keys are used only during the handshake, to authenticate the peers (certificates, 1-7) and to agree a fresh symmetric session key; the data itself is then encrypted and MACed with symmetric algorithms (1-2, 1-4), which is why the hardware cipher on the next slide matters for VPN throughput.
1-8 Moxa UC-7400 - Hardware Cipher
Intel XScale (IXP-422) supports
• Security engines: DES, AES
• Modes of operation: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code of applications that use OpenSSL
1-8-1 Moxa Accelerated Algorithms (OpenSSL 0.9.7)
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL itself also wraps
1-8-2 Performance
[Charts: throughput of 3DES-CBC and AES-128-CBC with and without the hardware cipher (hardware cipher marked "= HW Cipher"; the "RATE" series on the secondary axis, 0 to 8, is the hardware/software ratio), plotted against packet size: 128 to 1280 bytes on the left-hand pair of charts, 16 to 144 bytes on the right-hand pair. The primary axis runs 0 to 80 on the left-hand charts and 0 to 8 on the right-hand charts; units are not given on the slide.]
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approaches:
• Default: hardware approach.
• Any misconfiguration, or busy hardware, causes a switch to the software approach.
Small packets are switched to the software approach:
• DES: below 128 bytes
• 3DES/AES: below 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network: Advantages / Disadvantages
• VPN: a network constructed by using public wires (e.g. the Internet) to connect nodes.
• A VPN encrypts all network traffic, not just a few application protocols (as SSL or SSH do).
• A VPN allows the use of protocols which are insecure by themselves.
• VPN traffic cannot be inspected, controlled or logged easily by devices in the path because of its encrypted nature; filtering has to happen at the tunnel endpoints.
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit static (pre-shared) key or digital certificates (PKI)
Portability: supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node takes a client or server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• Choice among a set of security algorithms (ciphers and digests)
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP port (5000 in OpenVPN 1.x, 1194 in 2.0) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: a pre-shared key
• SSL/TLS: SSL/TLS + certificates for
  • authentication
  • key exchange
The encrypted packet is formatted as
  [ HMAC ][ IV ][ SeqN | payload ]
• SeqN: 64-bit sequence number (replay protection)
• IV: plaintext initialization vector, randomized per packet
• SeqN and the payload (the tunnelled IP packet) are encrypted; the HMAC is computed over the IV and the encrypted part, so a forged or altered packet is rejected before any decryption takes place.
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses a TUN device: a virtual point-to-point IP link that combines the inner interface together with TUN.
• Uses the kernel routing table to forward the packets.
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN sits at the Application layer and the TUN device injects packets at layer 3 (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba's nmbd) for cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
• The bridge tools (brctl, from bridge-utils) are required to create the bridge.
• Need a script to bind eth1 and tap0 together into a bridged device called br0.
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
(The slide omits br0 in the last command; brctl addif always takes the bridge name first. tap0 must exist before it can be added, which "openvpn --mktun --dev tap0" arranges, and the IP address of eth1 has to move to br0: in the lab br0 carries 10.0.1.254, see 3-3.)
[Diagram: two OSI stacks; OpenVPN at the Application layer, with TAP injecting at layer 2 (Data-Link) where TUN injects at layer 3 (Network). On each host the bridge joins eth1 and tap0, while eth0 carries the tunnel traffic.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works where the VPN needs to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well (every broadcast on either LAN crosses the tunnel)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys
3-1 Getting Started
[Lab topology: two UC-7400 units with their ixp0 ports on the same network, 192.168.12.201 (VPN Server, which is also the CA/TLS server) and 192.168.12.202 (VPN Client). Behind the server, on ixp1, LAN A 10.0.1.1/24 with gateway 10.0.1.254; behind the client, on ixp1, LAN B 10.0.2.1/24 with gateway 10.0.2.254. The VPN tunnel connects 10.0.1.254 and 10.0.2.254 across the ixp0 link.]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]
• Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create and start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
• [At the VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• The local and remote VPN IP addresses must be specified (the two arguments of "ifconfig" in the configuration file; on the server 10.0.1.254 then 10.0.2.254).
• It is NECESSARY to specify the server address ("remote") at the VPN client.
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
• [At the VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
• [At the VPN client] openvpn --config /etc/openvpn/tunclient.conf &
• Callout from the screenshot: the 2nd argument of "ifconfig" (the remote tunnel endpoint), which is now "10.0.2.254".
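The configuration files the slides show only as screenshots are not in the text, so here is an added example, not Moxa's or OpenVPN's own files, of a static-key tun pair for the lab topology, plus two checks worth running before starting the daemons. Assumptions not on the slides: dedicated tunnel addresses 10.8.0.1/10.8.0.2 instead of reusing the LAN gateway addresses, the file names, the AES-128-CBC/SHA1 choice (the hardware-accelerated cipher from 1-8-1), and the nobody/nogroup account used to drop privileges.

```shell
#!/bin/sh
# Added example (not from the Moxa deck): OpenVPN 2.0 static-key, routed
# (tun) site-to-site configs for the 3-1 lab, with consistency checks.
# Assumed: tunnel addresses 10.8.0.0/30, file names, cipher choice, the
# unprivileged account. LAN A 10.0.1.0/24 sits behind the server,
# LAN B 10.0.2.0/24 behind the client (from the slide).
set -eu

# gen_tun_configs OUTDIR SERVER_WAN_IP : writes tunserver.conf / tunclient.conf
gen_tun_configs() {
    out=$1; wan=$2
    mkdir -p "$out"
    cat > "$out/tunserver.conf" <<EOF
dev tun
proto udp
port 1194
# local tunnel endpoint, then the peer's; the client has the mirror image
ifconfig 10.8.0.1 10.8.0.2
# LAN B is reachable through the tunnel
route 10.0.2.0 255.255.255.0
secret $out/static.key
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
    cat > "$out/tunclient.conf" <<EOF
dev tun
proto udp
remote $wan 1194
ifconfig 10.8.0.2 10.8.0.1
# LAN A is reachable through the tunnel
route 10.0.1.0 255.255.255.0
secret $out/static.key
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# gen_static_key PATH : the real key comes from openvpn; a labelled stand-in
# lets the checks run where openvpn is not installed.
gen_static_key() {
    ( umask 077
      if command -v openvpn >/dev/null 2>&1; then
          openvpn --genkey --secret "$1"
      else
          printf '# placeholder, replace with: openvpn --genkey --secret %s\n' "$1" > "$1"
      fi )
}

# directive FILE NAME : prints the arguments of the first NAME line
directive() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# peers_consistent SERVER_CONF CLIENT_CONF : 0 if the ifconfig endpoints are
# mirror images (the mistake behind most "tunnel up, no traffic" reports)
peers_consistent() {
    s=$(directive "$1" ifconfig); c=$(directive "$2" ifconfig)
    [ "${s% *}" = "${c#* }" ] && [ "${s#* }" = "${c% *}" ]
}

# check_secret CONF : 0 only if the key file exists and is owner-only
check_secret() {
    key=$(directive "$1" secret)
    [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
    case $(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key") in
        600|400) return 0 ;;
        *) echo "$key is readable by others; chmod 600 it" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    gen_tun_configs "$d" 192.168.12.201
    gen_static_key "$d/static.key"
    peers_consistent "$d/tunserver.conf" "$d/tunclient.conf" && echo "ifconfig pair: OK"
    check_secret "$d/tunserver.conf" && echo "key file: OK"
    cat "$d/tunserver.conf"
    rm -rf "$d"
fi
```

Run it with the argument demo to see the generated server file. The same static.key has to be copied to both units over a trusted channel (scp, or the serial console), and both configs point at it; the route lines replace the tunserver.sh / tunclient.sh scripts of the slide, since OpenVPN adds and removes them with the tunnel.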
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
• [At the VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
• Callout from the screenshot: mark (comment out) this line if both VPN networks are in the same subnet; a bridged LAN needs no route to the other side.
3-3 TAP Configuration - VPN Server
• Edit the static routes: vi /etc/openvpn/tapserver.sh (the slide writes tunserver.sh); chmod +x /etc/openvpn/tapserver.sh
• [At the VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
• The route points at the kernel routing through the bridge: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
• [At the VPN client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the request with the CA: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client.
• Repeat -newreq and -sign to certify the second client.
The CA private key stays on the PC; the devices need only the CA certificate to verify each other.
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars (source them into the current shell): . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (the size comes from KEY_SIZE in vars; the slide uses 1024 bits, which is too small by today's standards, so set KEY_SIZE=2048)
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
Only ca.crt travels to the devices; ca.key stays on the machine that issues certificates.
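The same steps done with plain openssl rather than the CA script or easy-rsa, as an added example that is not part of the slides, showing the 1-7 trust model at work: a peer's certificate is accepted only if the configured CA signed it, and a certificate with the same name from any other CA is rejected. Directory layout, subject names, RSA-2048 and the validity periods are the example's own choices.

```shell
#!/bin/sh
# Added example (not Moxa's, not easy-rsa): the 3-4 PKI steps with plain
# openssl plus the check a VPN peer performs on a presented certificate.
# Assumed: directory layout, subject names, RSA-2048, validity periods.
set -eu

# build_ca DIR NAME : self-signed root, i.e. "CA pub key signed by CA" (1-7-1)
build_ca() {
    mkdir -p "$1"
    ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null )
}

# issue_cert DIR CA_DIR NAME : the peer generates its own key and a request,
# the CA returns a certificate; the private key never leaves DIR.
issue_cert() {
    mkdir -p "$1"
    ( umask 077; openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null )
    openssl x509 -req -in "$1/$3.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$1/$3.crt" 2>/dev/null
}

# verify_chain CA_CRT CERT : what "ca ca.crt" in an OpenVPN config makes the
# daemon do for every peer; exit status 0 only if CERT was signed by that CA.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT : the CN the certificate claims (OpenSSL 1.0 and 3.x output)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

demo() {
    work=$(mktemp -d)
    build_ca "$work/ca" Moxa-Lab-CA
    issue_cert "$work/server" "$work/ca" server
    issue_cert "$work/client" "$work/ca" client
    # a CA nobody configured on the devices issues a cert with the same CN
    build_ca "$work/rogue" Rogue-CA
    issue_cert "$work/rogue-client" "$work/rogue" client

    for c in server/server client/client rogue-client/client; do
        if verify_chain "$work/ca/ca.crt" "$work/$c.crt"; then
            echo "$c.crt: trusted (CN=$(cert_cn "$work/$c.crt"))"
        else
            echo "$c.crt: REJECTED, not signed by Moxa-Lab-CA"
        fi
    done
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found, skipping demo" >&2
fi
```

The rogue certificate carries exactly the name the server expects, and it still fails, because the name is not what the verifier trusts; the CA signature is. This is also why ca.key must never be copied to the devices: whoever holds it can mint a "client" that passes this check.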
3-4-3 Configuration File Modification
• tXXserver.conf
• tXXclient.conf
(tXX stands for tun or tap: the same changes apply to either mode's server and client files.)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple.
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
• The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's performance and reliability.
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM and keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN IP → Wi-Fi IP → CPU loading → Available memory
• F3 Alarm Setting: Temperature → Voltage → burn-in throughput
• F4 Configuration key
• F5 Main menu
Apache Web with CGI and HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards.
• The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others      cards that use the Ralink chipset (written "R-Link" on the slide)
Thank You
4-1 Packet Filter - Rules of the filter table
Example 8: drop all [SYN] packets from IP 192.168.100.200
iptables -t filter -A INPUT -p tcp -i eth0 -s 192.168.100.200 --syn -j DROP
Example 9: drop all packets from MAC aa:bb:cc:dd:ee:ff (the mac match module is selected with -m mac; the slide's "-m mac-source" is not valid syntax)
iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Example 10: do not respond to "ping" (ICMP type 8 is echo-request)
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: ICMP "ping" burst: default-drop, then admit at most 6 per minute with a burst of 10
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter - Rules of the filter table
Example 12: accept the ESTABLISHED and RELATED packets of the local host, drop INVALID packets and NEW packets that are trying to create a connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
(With -p tcp these rules cover TCP only; drop the -p tcp to apply the same policy to UDP and ICMP.)
4-1 Packet Filter - Rules of the filter table
Example 13: check packet integrity (the experimental "unclean" match of the 2.4 kernel; later kernels removed it, and the INVALID state above serves the purpose)
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14: enable "passive mode" FTP service to a host: the FTP connection-tracking helper marks the data connection as RELATED to the control connection
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1: redirect connection requests for port 80 to port 8080 on the local host
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: masquerade the packets from 192.168.1.0/24 leaving on ppp0 with ppp0's IP address
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
(The slide puts this rule in PREROUTING; MASQUERADE is only valid in the POSTROUTING chain, the only place where the outgoing interface -o is known.)
4-2 NAT Machine
Example 3: DNAT the incoming packets on eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10:80, and SNAT the internal network's outbound traffic to the public address
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Example 4: redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80 (no command is given on the slide)
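The corrected rules above collected into one script that builds a complete ruleset for a UC-7400 acting as NAT gateway and OpenVPN endpoint, as an added example that is not from the iptables slides. Interface names, the admin and LAN networks, the internal web server address and the IPT=echo dry-run convention are the example's own assumptions; the rule syntax is the slides'. Rule order is the point: the deny rules sit before the first ACCEPT, and the state rules come before the per-service rules so that only the first packet of each connection is evaluated against them.

```shell
#!/bin/sh
# Added example, not from the iptables slides: the corrected examples 2, 3,
# 9, 10/11 and 12 assembled into one ruleset for a UC-7400 that is both
# NAT gateway and OpenVPN endpoint. Assumed: interface names, networks,
# the web server address, and IPT=echo as dry-run convention.
set -eu

IPT=${IPT:-iptables}          # IPT=echo prints the rules instead of applying
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.1.10}
BANNED_MAC=${BANNED_MAC:-aa:bb:cc:dd:ee:ff}

filter_rules() {
    $IPT -t filter -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
    # deny rules first: a banned host must never reach an ACCEPT below
    $IPT -t filter -A INPUT -m mac --mac-source "$BANNED_MAC" -j DROP
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    # example 12 without -p tcp, so UDP and ICMP replies are covered too;
    # after this line only the first packet of a connection is inspected
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    # services: the tunnel from anywhere, ssh only from the admin network
    $IPT -t filter -A INPUT -i "$WAN" -p udp --dport 1194 -m state --state NEW -j ACCEPT
    $IPT -t filter -A INPUT -i "$LAN" -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # examples 10/11 combined: answer ping, but rate-limited
    $IPT -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # forwarding: LAN out, replies back, and the published web server in
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -i "$WAN" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

nat_rules() {
    $IPT -t nat -F
    # example 2, corrected chain: MASQUERADE lives in POSTROUTING
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    # example 3: publish the internal web server on the WAN side
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
}

# rule_count : number of -A rules the two functions emit (dry-run sanity check)
rule_count() {
    ( IPT=echo; filter_rules; nat_rules ) | grep -c -- ' -A '
}

case ${1:-dry-run} in
    apply)   filter_rules; nat_rules ;;
    dry-run) ( IPT=echo; filter_rules; nat_rules ) ;;
esac
```

Without an argument the script prints the rules it would install; "apply" installs them. Run the dry run first and read it top to bottom, because iptables evaluates in exactly that order and a rule placed after a broader ACCEPT never matches.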
Thank You
OpenVPN 2.0 (Stephen Lin)
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local and remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (at the VPN client: openvpn --config /etc/openvpn/tunclient.conf &)
The 2nd argument of "ifconfig" is now "10.0.2.254"
3-3 TAP Configuration – VPN Server
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (at the VPN client: openvpn --config /etc/openvpn/tapclient.conf &)
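The TUN and TAP configuration pairs from 3-2 and 3-3 written out for the 3-1 lab topology, as an added example (not the deck's own files): the tunnel endpoints 10.9.0.1/10.9.0.2, UDP port 1194 and the server address given by the caller are assumptions, and both ends are assumed to be bridged in TAP mode.

```shell
#!/bin/sh
# Added example, not the deck's own files: writes the static-key OpenVPN 2.0
# configuration pairs for the 3-1 lab topology (LAN A 10.0.1.0/24 behind the
# VPN server, LAN B 10.0.2.0/24 behind the VPN client, br0 on the bridged side).
# Assumptions not on the slides: tunnel endpoints 10.9.0.1 (server) and 10.9.0.2
# (client), UDP port 1194, the server's public address passed by the caller.

KEY=/etc/openvpn/static.key   # produced by "openvpn --genkey --secret"

# Directives shared by every side: the pre-shared key, an explicit cipher and
# HMAC (AES-CBC is what the UC-7400 accelerates in libcrypto, see 1-8-1), and
# keepalive so a dead peer is detected and the tunnel restarted.
common_directives() {
    cat <<EOF
proto udp
port 1194
secret $KEY
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# write_tun_configs DIR SERVER_ADDR: routed (layer 3) pair. The local/remote
# tunnel addresses are mandatory and mirrored between the two sides, only the
# client names the server with "remote", and each side routes the LAN behind
# the other end (the job of tunserver.sh / tunclient.sh on the slides).
write_tun_configs() {
    dir=$1; server=$2
    {
        echo "dev tun"
        echo "ifconfig 10.9.0.1 10.9.0.2"
        echo "route 10.0.2.0 255.255.255.0"
        common_directives
    } > "$dir/tunserver.conf"
    {
        echo "dev tun"
        echo "remote $server"
        echo "ifconfig 10.9.0.2 10.9.0.1"
        echo "route 10.0.1.0 255.255.255.0"
        common_directives
    } > "$dir/tunclient.conf"
}

# write_tap_configs DIR SERVER_ADDR: bridged (layer 2) pair. tap0 is created and
# enslaved to br0 by the bridge script before OpenVPN starts, and br0 already
# owns the LAN address (10.0.1.254 on the slides), so no ifconfig/route lines
# appear here and broadcasts cross the tunnel. Assumes both ends are bridged.
write_tap_configs() {
    dir=$1; server=$2
    {
        echo "dev tap0"
        common_directives
    } > "$dir/tapserver.conf"
    {
        echo "dev tap0"
        echo "remote $server"
        common_directives
    } > "$dir/tapclient.conf"
}

# check_pair SERVER_CONF CLIENT_CONF: 0 if the ifconfig endpoints are mirrored,
# 1 otherwise (copying the server line unchanged to the client is the usual slip).
check_pair() {
    a=$(grep '^ifconfig ' "$1" | cut -d' ' -f2-)
    b=$(grep '^ifconfig ' "$2" | awk '{print $3, $2}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```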
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-enter the default_days, default_bits etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client
The "easy-rsa" tools also work on the UC-7400 series
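The 3-4-1 and 3-4-2 steps reduced to plain openssl commands, as an added example that is neither the CA script nor easy-rsa; the CA name, the 365-day lifetime and the 2048-bit key size are assumptions, and check_cert is the chain check each peer performs against the other's certificate.

```shell
#!/bin/sh
# Added example, not the deck's CA.sh or easy-rsa: the 3-4-1 / 3-4-2 steps
# (CA key pair, server and client key + request, signing) with plain openssl
# commands, plus the verification that "Have the second client certified"
# relies on. Subject names, lifetime and key size are assumptions for the lab.

DAYS=365
BITS=2048

# build_ca DIR: self-signed CA certificate ca.crt and private key ca.key
# (the "CA -newca" / "build-ca" step).
build_ca() {
    openssl req -x509 -newkey "rsa:$BITS" -nodes -days "$DAYS" \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=UC7400 Lab CA" 2>/dev/null
}

# build_key DIR NAME: private key NAME.key and request NAME.csr ("CA -newreq"),
# then the request signed by the CA into NAME.crt ("CA -sign" / "build-key NAME").
build_key() {
    openssl req -new -newkey "rsa:$BITS" -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$DAYS" -out "$1/$2.crt" 2>/dev/null
}

# build_dh DIR: Diffie-Hellman parameters for the TLS key exchange ("build-dh").
# 2048 bits is assumed here; generation is slow, especially on an XScale board.
build_dh() {
    openssl dhparam -out "$1/dh.pem" 2048 2>/dev/null
}

# check_cert CA_CRT CERT: 0 if CERT chains to CA_CRT, 1 otherwise. This is what
# an OpenVPN peer configured with "ca ca.crt" does with the other side's
# certificate; a certificate from any other CA, however well-formed, is refused.
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_subject CERT: the subject line, useful when mapping certificates to peers.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}
```

Files for the VPN server are ca.crt, server.key and server.crt; the client receives ca.crt, client.key and client.crt, and the CA private key ca.key stays on the CA host.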
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
4-1 Packet Filter – Rules of filter table
Example 10 – Do not respond to "ping"
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11 – ICMP "ping" burst
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
4-1 Packet Filter – Rules of filter table
Example 12 – Accept the ESTABLISHED and RELATED packets of the local host; drop the INVALID packets and the NEW packets which are trying to create a new connection
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
4-1 Packet Filter – Rules of filter table
Example 13 – Check the packet integrity
iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14 – Enable the "passive mode" FTP service to a host
modprobe ip_conntrack_ftp
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
4-2 NAT Machine
Example 1 – Redirect the connection requests for port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 – Masquerade the incoming packets from 192.168.1.0/24 to be the local ppp0's IP (MASQUERADE is only valid in the POSTROUTING chain)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
4-2 NAT Machine
Example 3 – DNAT the incoming packets from eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10, port 80
Example 4 – Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
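The filter rules of Examples 11, 12 and 14 and the NAT rules of Examples 3 and 4 assembled into one stateful policy, as an added example (not a script from the deck); the loopback and FORWARD rules and the DRY_RUN switch are additions, and 60.248.66.75 stands in for $OUT_IP.

```shell
#!/bin/sh
# Added example, not from the deck: the rules of Examples 11, 12 and 14 and of
# NAT Examples 3 and 4 assembled into one stateful policy, with a dry-run mode
# that prints the rules instead of loading them. The addresses are the slides'
# own: public 60.248.66.75 on eth0, web server 192.168.127.10, LAN 192.168.127.0/24.

OUT_IF=eth0
OUT_IP=60.248.66.75          # the $OUT_IP of NAT Example 4
LAN=192.168.127.0/24
WEB=192.168.127.10

# run: execute, or with DRY_RUN=1 only print, so the rule set can be reviewed
# on a workstation before it is loaded on the device.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

filter_rules() {
    # Example 11: default deny, then allow only what is listed below.
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -A INPUT -i lo -j ACCEPT
    # Example 12: keep replies to our own connections, drop packets conntrack
    # cannot place; NEW packets then fall through to the DROP policy.
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -m state --state INVALID -j DROP
    # Example 11: answer echo requests at a bounded rate, so a ping burst is
    # absorbed by the limit match rather than by the CPU of the embedded box.
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Example 14: the FTP helper marks passive-mode data connections RELATED.
    run modprobe ip_conntrack_ftp
    ipt -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A FORWARD -s "$LAN" -o "$OUT_IF" -m state --state NEW -j ACCEPT
}

nat_rules() {
    # Example 3: publish the internal web server on the public address. The
    # DNAT'ed packet still needs a FORWARD rule to admit it as NEW.
    ipt -t nat -A PREROUTING -p tcp -i "$OUT_IF" -d "$OUT_IP" --dport 80 -j DNAT --to "$WEB:80"
    ipt -t filter -A FORWARD -p tcp -i "$OUT_IF" -d "$WEB" --dport 80 -m state --state NEW -j ACCEPT
    # Example 4: rewrite the LAN's source to the public address. SNAT and
    # MASQUERADE are valid only in the POSTROUTING chain.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$OUT_IF" -j SNAT --to "$OUT_IP"
}

# load_firewall: flush both tables, then install filter and NAT rules in order.
load_firewall() {
    run iptables -F
    run iptables -t nat -F
    filter_rules
    nat_rules
}

case "${1:-}" in
    load) load_firewall ;;
    show) DRY_RUN=1; load_firewall ;;
    *)    ;;   # no argument: only define the functions
esac
```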
Thank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
Fast, high efficiency for data transmission
Is it "secure" while transferring the key?
Maintenance of the keys: n(n-1)/2 keys
DES, 3DES, AES, Blowfish
(Diagram: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts the ciphertext back into plaintext with the same secret key.)
1-3 Hash (Digest) Function
Ensure data integrity
MD5, SHA-1
(Diagram: Tom runs the data through the hash function to get message digest 1 and sends the data together with digest 1; Bob runs the received data through the same hash function to get message digest 2 and compares it with digest 1.)
1-4 Message Authentication Code
Ensure the data integrity
Use a key to protect the MAC
HMAC, CBC-MAC
(Diagram: Tom hashes the data to message digest 1 and encrypts the digest with the secret key to form the MAC, sending the data together with the MAC; Bob decrypts the MAC with the same secret key to recover digest 1, hashes the received data to message digest 2 and compares the two.)
1-5 Asymmetric Encryption
Things to remember:
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown, and from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static key
• RSA, Diffie-Hellman
(Diagram: clear text encrypted into unreadable cipher text.)
1-5 Asymmetric Data Encryption
(Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Using the recipient's key pair gives a confidentiality check.)
1-5 Asymmetric Data Encryption
(Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Using the sender's key pair gives an authenticity check.)
1-6 Digital Signature
Real world – hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm – use the public key and a hash
1-6 Digital Signature - Creating
(Diagram: the message or file "This is the document created by Gianni" is reduced, even from a long input, to a short message digest (typically 128 bits) with a one-way message digest function (SHA, MD5); the digest is then encrypted asymmetrically (RSA) with the signatory's private key to form the digital signature, and the signed document is the message together with its signature.)
1-6 Digital Signature - Verifying
(Diagram: the digital signature taken from the signed document is decrypted asymmetrically with Gianni's public key (from the certificate) to recover the message digest; the document itself is hashed again to generate a fresh message digest, and the two digests are compared.)
1-6 Digital Signature
(Diagram: Tom hashes the data to message digest 1 and encrypts it with Tom's private key into the digital signature, sending the data together with the signature; Bob decrypts the signature with Tom's public key to recover digest 1, hashes the received data to message digest 2 and compares the two.)
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
(Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...)
1-7-1 CA Certificate
(Diagram: the CA, running a certification server, generates a key pair; the user requests a certificate from the CA; the CA generates the certificate, public key plus digital signature, and the private key and certificate are sent to the user.)
1-7-1 CA Certificate Example
(Diagram: the CA holds the CA private key; Left and Right each hold their own private key, their certificate signed by the CA, and the CA public key; each trusts the other's certificate because it is signed by the CA whose public key they both hold, and the CA public key itself sits in a certificate signed by the CA.)
1-7-2 SSL/TLS
(Diagram: each side holds its own private key and the other side's public key; the clear text is encrypted twice, into cipher 1 and then cipher 2, for transmission over the public network, and decrypted in the reverse order at the other end.)
Ensures confidentiality
• And integrity, if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
(Charts: throughput and rate of 3DES-CBC and AES-128-CBC against packet size, one pair of charts for 128 to 1280 bytes and one for 16 to 144 bytes; the marked series is the hardware cipher.)
1-8-3 Things to be noticed
The Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any misconfiguration or busy condition causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH etc.)
A VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4, Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
(Diagram: HMAC | IV | SeqN | payload; the SeqN and payload are encrypted, and the HMAC covers the IV and the encrypted part.)
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
(Diagram: two OSI stacks, Physical to Application, with OpenVPN at the application layer and the TUN device attached at layer 3.)
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
Example 12 ndash Accept the Established Related packets of the local
host drop the Invalid packets and New packets which are trying to create new connection
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
ESTABLISHEDRELATED ndashj ACCEPT
iptables ndasht filter ndashA INPUT ndashp tcp ndashm state ndash ndashstate
INVALIDNEW ndashj DROP
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 13 ndash Check the packet integrity
Example 14 ndash Enable the ldquoPassive Moderdquo FTP Service to a host
iptables ndasht filter ndashA INPUT ndashp all ndashm unclean ndashj DROP
modprobe ip_conntrack_ftp
iptables ndashA FORWARD ndashp tcp
ndashm state ndash ndashstate RELATED ndashj ACCEPT
4-1 Packet Filter ndash Rules of filter table4-1 Packet Filter ndash Rules of filter table
Example 1 ndash Redirect the Connection Request of Port 80 to Port 8080
Example 2ndash Masquerade the incoming packets from 1921681024
to be local ppp0rsquos IP
iptables ndasht nat ndashA PREROUTING ndashp tcp ndash ndashdport 80
ndashj REDIRECT ndash ndashto-ports 8080
iptables ndasht nat ndashA PREROUTING ndashs 1921681024 ndasho
ppp0 ndashj MASQUERADE
4-2 NAT Machine4-2 NAT Machine
4-2 NAT Machine4-2 NAT Machine
Example 3 ndash DNAT the incoming packet from eth0 (602486675) and
TCP Port 80 to internal Web sever 19216812710 80
Example 4 ndash Redirect the incoming packet of TCP Port 80 to
192168110 and TCP Port 80
iptables ndasht nat ndashA PREROUTING ndashp tcp ndashi eth0 ndashd 602486675 ndash ndashdport 80 ndashj DNAT ndash ndashto 1921681271080
iptables ndasht nat ndashA POSTROUTING ndashs 192168127024 ndashj SNAT ndash ndashto $OUT_IP
Thank YouThank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate
Figure: certification server flow.
1. The CA generates its own key pair (Priv/pub).
2. The user requests a certificate from the CA.
3. The CA generates the certificate: the user's public key plus identity, digitally signed (DS) with the CA's private key.
4. The private key and the certificate are sent to the user.
Caveat: the CA needs only the public key to issue a certificate, so it should never generate or receive the user's private key; the user should create the key pair locally and send just a certificate signing request, which is how the -newreq / -sign steps of 3-4-1 can be split between the two machines.
1-7-1 CA Certificate Example
Figure: two peers, Left and Right, and one CA.
• The CA private key signs the Left certificate, the Right certificate and the CA's own certificate (the CA public key signed by the CA, i.e. self-signed).
• Left holds its private key, its certificate signed by the CA, and the CA public key.
• Right holds its private key, its certificate signed by the CA, and the CA public key.
• Left and Right trust each other because each can verify the other's certificate against the CA public key; the private keys themselves are never signed by or sent to the CA.
1-7-2 SSL/TLS
Figure: each side holds a key pair (Priv/pub) and the other side's public key. Clear text is encrypted in two stages (Cipher 1, Cipher 2) for transmission over the public network and decrypted in the reverse order by the receiver.
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
Note: in SSL/TLS the asymmetric keys are used only during the handshake, to authenticate the peers and agree on session keys; the bulk data is then protected with a symmetric cipher and a MAC, which is why the hardware DES/AES acceleration of 1-8 matters for VPN throughput.
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), where OpenSSL wraps it too
1-8-2 Performance
Figure: four bar charts comparing the hardware cipher (hatched bars, "= HW Cipher") with the software implementation. Upper panels: 3DES-CBC and AES-128-CBC throughput for packet sizes of 128 to 1280 bytes, with a RATE series on the secondary axis (0 to 8). Lower panels: the same two ciphers for small packets of 16 to 144 bytes (secondary axis 0 to 2.5).
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches:
• Default: hardware approach
• Any mis-configuration or a busy engine causes a switch to the software approach
Small packets are switched to the software approach:
• DES: packets smaller than 128 bytes
• 3DES, AES: packets smaller than 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• ./io            correctness test
• ./io 0 5000     stability test
• ./io 1          golden pattern
• ./io 2 20000    performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network - Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the use of protocols which are insecure by themselves
• VPN traffic cannot be inspected and logged easily at intermediate points because of its encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure secure tunnels
• NAT/DHCP support
• Can use a 2048-bit static (pre-shared) key or digital certificates (PKI)
Portability - supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later

Peers - each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• A choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000 in 1.x, 1194 in 2.0) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: a pre-shared key, the same on both peers (there is no forward secrecy: whoever obtains that one key can decrypt every session ever protected with it)
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
  HMAC | IV | [ SeqN | IP payload ]
• SeqN: 64-bit sequence number (replay protection)
• IV: plaintext initialization vector, randomized per packet
• The part in brackets is encrypted; the HMAC is computed over the IV and the encrypted part (encrypt-then-MAC), so a tampered packet is rejected before any decryption is attempted
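The packet layout above, built and checked with the openssl command line as an added example (this is not code from the Moxa course or from OpenVPN itself). It assumes openssl in PATH; the AES and HMAC keys, the 8-byte ASCII sequence number and the HTTP sample payload are constructed demo values, and the tag comparison is a plain string compare where a real implementation uses a constant-time one:

```shell
#!/bin/sh
# Added example (not from the Moxa slides): the data-channel layout of 2-2,
#   HMAC | IV | encrypt( SeqN | payload )
# with AES-128-CBC and HMAC-SHA1 via the openssl CLI. Keys, the 8-byte ASCII
# sequence number and the payload are demo values; real OpenVPN uses binary
# packet ids and derives its keys from the static key file or the TLS handshake.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CIPHER_KEY=000102030405060708090a0b0c0d0e0f   # 128-bit AES key, hex (demo value)
HMAC_KEY=opensesame                           # HMAC-SHA1 key (demo value)

hex_of() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# Sender: payload file $1, packet written to $2, sequence number $3.
build_packet() {
  payload=$1; out=$2; seq=$3
  openssl rand 16 > "$WORK/iv.bin"                            # fresh IV per packet
  { printf '%08d' "$seq"; cat "$payload"; } > "$WORK/pt.bin"  # SeqN | payload
  openssl enc -aes-128-cbc -K "$CIPHER_KEY" -iv "$(hex_of "$WORK/iv.bin")" \
      -in "$WORK/pt.bin" -out "$WORK/ct.bin"
  # HMAC over IV || ciphertext (encrypt-then-MAC); -binary gives the raw 20-byte tag
  cat "$WORK/iv.bin" "$WORK/ct.bin" | openssl dgst -sha1 -hmac "$HMAC_KEY" -binary > "$WORK/tag.bin"
  cat "$WORK/tag.bin" "$WORK/iv.bin" "$WORK/ct.bin" > "$out"
}

# Receiver: checks the HMAC first and only then decrypts. Returns 0 and writes the
# recovered payload to $2; returns 1 without decrypting when the tag is wrong.
open_packet() {
  pkt=$1; out=$2
  head -c 20 "$pkt" > "$WORK/rtag.bin"
  tail -c +21 "$pkt" | head -c 16 > "$WORK/riv.bin"
  tail -c +37 "$pkt" > "$WORK/rct.bin"
  expect=$(cat "$WORK/riv.bin" "$WORK/rct.bin" | openssl dgst -sha1 -hmac "$HMAC_KEY" -binary | od -An -v -tx1 | tr -d ' \n')
  # plain string compare for the demo; production code must compare in constant time
  [ "$(hex_of "$WORK/rtag.bin")" = "$expect" ] || return 1
  openssl enc -d -aes-128-cbc -K "$CIPHER_KEY" -iv "$(hex_of "$WORK/riv.bin")" \
      -in "$WORK/rct.bin" | tail -c +9 > "$out"               # strip the 8-byte SeqN
}

# Flip one bit of byte $2 (0-based) in file $1: simulates an on-path modification.
flip_byte() {
  f=$1; pos=$2
  b=$(od -An -v -tu1 -j "$pos" -N 1 "$f" | tr -d ' ')
  { head -c "$pos" "$f"; printf "\\$(printf '%03o' $((b ^ 1)))"; tail -c +"$((pos + 2))" "$f"; } > "$f.tmp"
  mv "$f.tmp" "$f"
}

printf 'GET / HTTP/1.0\r\n\r\n' > "$WORK/payload.bin"          # constructed sample payload
build_packet "$WORK/payload.bin" "$WORK/pkt.bin" 1
open_packet "$WORK/pkt.bin" "$WORK/recovered.bin" && echo "intact packet: accepted, payload recovered"

cp "$WORK/pkt.bin" "$WORK/bad.bin"
flip_byte "$WORK/bad.bin" 40                                  # a byte inside the ciphertext
open_packet "$WORK/bad.bin" "$WORK/bad-out.bin" || echo "tampered packet: rejected before decryption"
```

Because the IV is covered by the HMAC as well, flipping a bit of the IV (which would silently garble only the first plaintext block under CBC) is rejected the same way.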
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses a TUN device: a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing table to forward the packets
Figure: the OSI stacks of the two peers (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN attaches through the TUN device at the Network layer (layer 3).
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the bridge
• A script is needed to bind eth1 and tap0 together into a bridged device called br0:
  brctl addbr br0          # create an Ethernet bridge
  brctl addif br0 eth1     # connect interface eth1 as a port
  brctl addif br0 tap0     # connect virtual interface tap0 as a port (the bridge name is required)
Figure: the OSI stacks of the two peers with bridging; OpenVPN attaches through the TAP device at the Data-Link layer (layer 2), one layer below TUN (layer 3). On each peer eth0 carries the tunnel, while eth1 and tap0 are ports of the same bridge.
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN - this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
Figure: lab topology.
  LAN A: IP 10.0.1.1/24, gw 10.0.1.254  --ixp1--  [VPN Server] 10.0.1.254  --ixp0 192.168.12.201--
                                                        |  VPN tunnel (the client connects to the server)
  LAN B: IP 10.0.2.1/24, gw 10.0.2.254  --ixp1--  [VPN Client] 10.0.2.254  --ixp0 192.168.12.202--
  [CA/TLS Server]: issues the certificates used in 3-4
3-1 Getting Started
• Create a working directory (recommended):
  mkdir /etc/openvpn
• Check for the TUN device; if it is missing (ls /dev/net, look for a character device "tun"):
  mknod /dev/net/tun c 10 200
• Load the necessary modules:
  modprobe tun
  modprobe bridge
• Generate a (pre-shared) static key:
  openvpn --genkey --secret [KeyName]
  (the same file must reach the other peer; copy it over an authenticated channel such as scp, since anyone holding it can read and forge tunnel traffic)
• Self-diagnostic:
  openvpn --test-crypto --secret [KeyName]
• Enable IP forwarding:
  echo "1" > /proc/sys/net/ipv4/ip_forward
  or in /etc/sysctl.conf set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script:
  openvpn-bridge [start|stop|restart]
• Check the supported ciphers and authentication digests:
  openvpn --show-ciphers
  openvpn --show-digests
• Create the TUN configuration files:
  vi /etc/openvpn/tunserver.conf
  [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• Local/remote VPN IP addresses must be specified: the "ifconfig" line takes the local tunnel address first and the remote one second; on the server the 2nd argument is the client's tunnel endpoint, here 10.0.2.254
• It is NECESSARY to specify the server address ("remote") at the VPN client
• Edit the static routes:
  vi /etc/openvpn/tunserver.sh
  chmod +x /etc/openvpn/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tunclient.sh
                  chmod +x /etc/openvpn/tunclient.sh
• Start OpenVPN with the configuration file:
  openvpn --config /etc/openvpn/tunserver.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
3-3 TAP Configuration - VPN Server
• Create the TAP configuration files:
  vi /etc/openvpn/tapserver.conf
  [At VPN Client] vi /etc/openvpn/tapclient.conf
• Comment out the route line if both VPN networks are in the same subnet: a bridge forwards by MAC address and needs no route for it
• Edit the static routes:
  vi /etc/openvpn/tapserver.sh
  [At VPN Client] vi /etc/openvpn/tapclient.sh
                  chmod +x /etc/openvpn/tapclient.sh
• The routes point at the kernel routing entry of the bridge: br0 = 10.0.1.254
• Start the bridge device:
  vi /etc/openvpn/openvpn-bridge
  chmod +x /etc/openvpn/openvpn-bridge
  /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file:
  openvpn --config /etc/openvpn/tapserver.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC:
  vi /usr/share/ssl/openssl.cnf
  Pre-set default_days, default_bits, ... etc.
• Create a new CA root key pair:
  /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request:
  /usr/share/ssl/misc/CA -newreq
• Sign the certificate:
  /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Repeat -newreq / -sign for the second client and copy its files there
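The CA flow of 1-7-1 and the -newca / -newreq / -sign procedure above, done with plain openssl commands as an added example (not the CA script from the OpenSSL distribution and not code from the Moxa course). It assumes openssl 1.1.1 or later in PATH and a writable temp directory; the names (Demo Root CA, left, right, rogue, impostor), the 30-day validity and the small extension config are demo choices. Unlike the slide flow, each peer generates its own key and hands the CA only a certificate request:

```shell
#!/bin/sh
# Added example (not from the Moxa slides): a CA that issues certificates to two
# peers, and the verification each peer performs on the other's certificate.
# Assumes openssl 1.1.1+ in PATH; names and validity are demo choices.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-contained openssl config, so the result does not depend on /etc/ssl/openssl.cnf.
CNF=$WORK/x509.cnf
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth, clientAuth
EOF

# Step 1 (CA side): the CA generates its key pair and a self-signed certificate,
# i.e. "the CA public key signed by the CA". $1 = CA name.
make_ca() {
  openssl req -config "$CNF" -x509 -new -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 2 (peer side): the peer generates its key pair locally and writes a signing
# request holding only the public key and the name. $1 = file base name, $2 = CN.
make_request() {
  name=$1; cn=${2:-$1}
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
      -subj "/CN=$cn" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
}

# Step 3 (CA side): the CA signs the request with its private key. $1 = CA, $2 = peer.
# The peer's private key is never needed here.
issue_cert() {
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
      -CAcreateserial -days 30 -extfile "$CNF" -extensions leaf_ext \
      -out "$WORK/$2.crt" 2>/dev/null
}

# What a peer does at connection time: verify the presented certificate against the
# CA public key it trusts. $1 = trusted CA, $2 = presented certificate. Exit 0 = valid.
verify_cert() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca ca
for peer in left right; do make_request "$peer"; issue_cert ca "$peer"; done
verify_cert ca left  && echo "right checks left:  OK (issued by our CA)"
verify_cert ca right && echo "left checks right:  OK (issued by our CA)"

# An attacker runs his own CA and issues himself a certificate that also says CN=left.
# It is a well-formed certificate, just not from the CA our peers trust.
make_ca rogue
make_request impostor left
issue_cert rogue impostor
verify_cert ca impostor || echo "impostor claiming CN=left: REJECTED (unknown issuer)"
```

Only ca.crt, the peer's own .key and .crt need to be copied to each UC; the CA private key stays on the PC that runs the CA, which is also what the easy-rsa scripts of 3-4-2 produce.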
3-4-2 OpenVPN - "easy-rsa" tools
• Copy "easy-rsa" to the working directory:
  cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file:
  vi /etc/openvpn/easy-rsa/vars
• Activate the vars:
  . /etc/openvpn/easy-rsa/vars
• Create the CA root key and certificate:
  /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate:
  /etc/openvpn/easy-rsa/build-key server
  (easy-rsa also ships build-key-server, which marks the certificate as a server certificate so that clients can refuse a server that presents another client's certificate)
• Create the VPN client private key and certificate:
  /etc/openvpn/easy-rsa/build-key client
• Create Diffie-Hellman parameters:
  /etc/openvpn/easy-rsa/build-dh 1024
  (1024-bit RSA and DH were the 2005 defaults; both are considered too weak today, so set KEY_SIZE to 2048 or more in vars before building)
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series

3-4-3 Configuration File Modification
tunserver.conf / tapserver.conf
tunclient.conf / tapclient.conf
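The two configuration pairs the course builds by hand, the static-key TUN pair of 3-2 and the certificate-based pair of 3-4-3, generated side by side as an added example (this is not Moxa's script and the files are not taken from the course). Assumed from the 3-1 figure: server public address 192.168.12.201, LAN A 10.0.1.0/24 behind the server, LAN B 10.0.2.0/24 behind the client. The tunnel endpoints 10.8.0.1/10.8.0.2, UDP port 1194, the file names and the "nobody" account are demo choices:

```shell
#!/bin/sh
# Added example (not from the Moxa slides or scripts): writes the static-key pair of 3-2
# and the TLS pair of 3-4-3 so the directives can be compared line by line.
# Assumed from 3-1: server at 192.168.12.201, LAN A 10.0.1.0/24, LAN B 10.0.2.0/24.
# Demo choices: tunnel endpoints 10.8.0.1/10.8.0.2, UDP 1194, file names, user nobody.
set -e
OUT=${1:-$(mktemp -d)}          # directory the four files are written to

# Static key mode (3-2). One symmetric key shared by both peers: simple, but whoever
# obtains static.key can decrypt every session ever recorded (no forward secrecy).
write_static_pair() {
  cat > "$OUT/tunserver.conf" <<'EOF'
dev tun
proto udp
port 1194
# local tunnel address first, remote second
ifconfig 10.8.0.1 10.8.0.2
# LAN B is reached through the tunnel
route 10.0.2.0 255.255.255.0
# same file on both peers; transfer it over scp, never unprotected
secret static.key
cipher AES-128-CBC
auth SHA1
# drop root once the tun device is up; persist-* keep key and device across restarts
user nobody
persist-key
persist-tun
EOF
  cat > "$OUT/tunclient.conf" <<'EOF'
dev tun
proto udp
# the server address is mandatory on the client
remote 192.168.12.201 1194
# the two ifconfig arguments are swapped on the client
ifconfig 10.8.0.2 10.8.0.1
route 10.0.1.0 255.255.255.0
secret static.key
cipher AES-128-CBC
auth SHA1
user nobody
persist-key
persist-tun
EOF
}

# TLS mode (3-4-3) with the files from easy-rsa (3-4-2): each peer proves its identity
# with a certificate and the data-channel keys are negotiated per session.
write_tls_pair() {
  cat > "$OUT/tlsserver.conf" <<'EOF'
dev tun
proto udp
port 1194
tls-server
ifconfig 10.8.0.1 10.8.0.2
route 10.0.2.0 255.255.255.0
ca ca.crt
cert server.crt
# private key: mode 0600, never leaves the server
key server.key
# from build-dh; 1024 bits was the 2005 default, use 2048 or more
dh dh1024.pem
# extra HMAC on the control channel (key from "openvpn --genkey --secret ta.key"):
# UDP packets without a valid HMAC are dropped before any TLS processing
tls-auth ta.key 0
cipher AES-128-CBC
auth SHA1
user nobody
persist-key
persist-tun
EOF
  cat > "$OUT/tlsclient.conf" <<'EOF'
dev tun
proto udp
remote 192.168.12.201 1194
tls-client
ifconfig 10.8.0.2 10.8.0.1
route 10.0.1.0 255.255.255.0
ca ca.crt
cert client.crt
key client.key
# direction 1 on the client, 0 on the server
tls-auth ta.key 1
# without this, any certificate from our CA (another client's, for instance) is accepted
# as the server; needs a server cert from build-key-server. OpenVPN 2.1+: remote-cert-tls server
ns-cert-type server
cipher AES-128-CBC
auth SHA1
user nobody
persist-key
persist-tun
EOF
}

write_static_pair
write_tls_pair
```

Run it with a target directory as the first argument (for example /etc/openvpn on the UC) and place the key and certificate files next to the generated .conf files; the relative names in the config are resolved from the directory OpenVPN is started in, so start it with cd /etc/openvpn first or use absolute paths.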
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN IP → Wi-Fi IP → CPU loading → Available memory
• F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
• F4 Configuration key
• F5 Main menu
Apache Web with CGI & HTML
• Seat Locating System
• Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset
Thank You
4-1 Packet Filter - Rules of the filter table
Example 13 - Check the packet integrity
  iptables -t filter -A INPUT -p all -m unclean -j DROP
  ("unclean" was an experimental match module of the 2.4 kernels and is not available on current kernels; malformed packets are today dropped with -m state --state INVALID)
Example 14 - Enable "passive mode" FTP service to a host
  modprobe ip_conntrack_ftp
  iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
  (the ip_conntrack_ftp helper reads the PASV reply on the control connection, so the data connection is classified RELATED; an ESTABLISHED rule is still needed for the reply traffic)

4-2 NAT Machine
Example 1 - Redirect the connection requests for port 80 to port 8080
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2 - Masquerade the packets from 192.168.1.0/24 as the local ppp0 IP
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
  (MASQUERADE and SNAT are only valid in the POSTROUTING chain, the only NAT chain where the outgoing interface -o is known)
Example 3 - DNAT the packets arriving on eth0 (60.248.66.75), TCP port 80, to the internal web server 192.168.127.10, port 80
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
Example 4 - Redirect the incoming packets of TCP port 80 to 192.168.1.10, TCP port 80
SNAT the outbound packets from 192.168.127.0/24 to the external address held in $OUT_IP
  iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
Thank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
Example 1 – Redirect connection requests for TCP port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Example 2 – Masquerade packets from 192.168.1.0/24 leaving via ppp0 so that they carry ppp0's current IP address:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
(MASQUERADE and the outgoing-interface match -o are only valid in the POSTROUTING chain, after the routing decision; iptables rejects them in PREROUTING. MASQUERADE is meant for interfaces such as ppp0 whose address changes; for a fixed public address use SNAT as in Example 3.)
4-2 NAT Machine
Example 3 – DNAT incoming TCP port 80 traffic arriving on eth0 (60.248.66.75) to the internal web server 192.168.127.10, port 80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 60.248.66.75 --dport 80 -j DNAT --to 192.168.127.10:80
iptables -t nat -A POSTROUTING -s 192.168.127.0/24 -j SNAT --to $OUT_IP
(The SNAT rule rewrites the source of traffic leaving the 192.168.127.0/24 LAN to the router's public address $OUT_IP. IP forwarding must be enabled on the router, and a DNAT rule alone only rewrites the destination: if the FORWARD chain policy is DROP, a filter rule must still allow the forwarded traffic through.)

Example 4 – Redirect incoming TCP port 80 to 192.168.1.10, TCP port 80: the same DNAT pattern as Example 3 with the target address changed.
Thank You
OpenVPN 2.0
Stephen Lin

Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC-7400
1-1 What does cryptography solve?
Confidentiality
• Ensure that nobody can learn what you transfer, even if they listen to the whole conversation.
Integrity
• Ensure that the message has not been modified during transmission.
Authenticity
• You can verify that you are talking to the entity you think you are talking to.
• You can verify which specific individual is behind that entity.
Non-repudiation
• The individual behind that asset cannot deny being associated with it.
1-2 Symmetric Data Encryption
• Fast; high efficiency for bulk data transmission.
• Is it "secure" while transferring the key? Both sides need the same secret, so the key has to reach the peer over a channel the attacker cannot read.
• Key maintenance: n parties that each need a private channel to every other party must manage n(n-1)/2 keys.
• DES / 3DES / AES / Blowfish
(Diagram: Tom encrypts the plaintext with the secret key into ciphertext; Bob decrypts the ciphertext with the same secret key back into plaintext.)
1-3 Hash (Digest) Function
• Ensures data integrity: a fixed-size digest of the data that changes if any bit of the data changes.
• MD5 / SHA-1 (both are no longer considered collision resistant; prefer SHA-2 where the platform allows it)
(Diagram: Tom sends the data together with message digest 1 = hash(data); Bob runs the same hash function over the received data to obtain message digest 2 and compares it with message digest 1.)
An unkeyed digest only detects accidental corruption: an attacker who can change the data can just as easily recompute and replace the digest. Protecting against deliberate modification needs a key, which is the point of the MAC in 1-4.
1-4 Message Authentication Code
• Ensures data integrity and origin authenticity.
• Uses a secret key to protect the digest, so only a holder of the key can produce or check a valid MAC.
• HMAC / CBC-MAC
(Diagram: Tom hashes the data to message digest 1, protects it with the secret key to form the MAC, and sends MAC + data; Bob hashes the received data to message digest 2, recovers message digest 1 from the MAC with the same secret key and compares the two.)
The diagram shows the MAC as an "encrypted digest" for simplicity. HMAC actually mixes the key into the hash computation itself, HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)), and CBC-MAC runs the data through a block cipher in CBC mode and keeps the last block. Compare MACs in constant time so that the comparison does not leak which byte mismatched.
1-5 Asymmetric Encryption
Things to remember:
• Key pair: a public key and a private key.
• In a session, one key encrypts and the other one decrypts.
• The "public key" can be deployed everywhere.
• Deriving the private key from the public key, or from matching clear-text/cipher-text pairs, is computationally infeasible.
• For RSA the two operations are mathematically symmetric: what is processed with the private key is recovered with the public key and vice versa, which is what makes digital signatures possible. Not every algorithm has this property (DSA and Diffie-Hellman do not), and in practice the private key is fixed when the pair is generated and is never published.
• Far less efficient than symmetric encryption, so it is used to protect keys and signatures rather than bulk data.
• RSA / Diffie-Hellman (Diffie-Hellman is key agreement rather than encryption)
(Diagram: clear text goes through encryption and comes out as unreadable cipher text.)
1-5 Asymmetric Data Encryption
(Diagram, confidentiality check: Tom encrypts the plaintext with Bob's public key; only Bob can decrypt the ciphertext, with Bob's private key. The recipient's key pair is used.)

1-5 Asymmetric Data Encryption
(Diagram, authenticity check: Tom encrypts the plaintext with Tom's private key; anyone can decrypt it with Tom's public key, which proves it came from Tom. The sender's key pair is used.)
1-6 Digital Signature
Real world – a hybrid of hash function and public-key cryptography, providing
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: hash the message, then apply the signer's private key to the digest (the slow public-key operation runs on the short digest, not on the whole message).

1-6 Digital Signature – Creating
(Diagram: the message or file "This is the document created by Gianni" is run through a one-way message digest function (SHA, MD5) to calculate a short message digest, 128 bits for MD5 or 160 bits for SHA-1, even from a long input; the digest is then processed with the signatory's private key (RSA asymmetric encryption) to produce the digital signature. The signed document is the message plus the signature.)

1-6 Digital Signature – Verifying
(Diagram: from the signed document, the verifier recomputes the message digest of the message with the same hash function, applies Gianni's public key (taken from his certificate) to the digital signature to recover the digest that was signed, and compares the two. They match only if the message is unchanged and the signature was made with the private key that matches the certificate's public key.)

1-6 Digital Signature
(Diagram, Tom to Bob: Tom hashes the data to message digest 1, signs it with Tom's private key and sends data + digital signature; Bob hashes the received data to message digest 2, recovers message digest 1 from the signature with Tom's public key and compares.)
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key: "This public key belongs to Stephen". The entity can be a person, a computer, a device, a file, some code, anything.
… and the whole is
• Digitally signed by someone trusted (like your friend, or a CA).
Whoever trusts the signer's public key can check the certificate's signature and thereby trust the binding between Stephen and his public key, without ever having met Stephen.

1-7-1 CA Certificate
(Diagram: the certification server (CA) generates its own key pair and a self-signed CA certificate, i.e. the CA public key signed by the CA. A user requests a certificate from the CA; the CA generates the certificate (the user's public key plus identity, carrying the CA's digital signature) and the private key and certificate are sent to the user.)
In this flow the CA generates the user's key pair, so the private key has to be delivered to the user over a secure channel. The alternative, used in 3-4-1 with "CA -newreq", is that the user generates the key pair locally and sends only a certificate request; the private key then never leaves the user's machine.

1-7-1 CA Certificate Example
(Diagram: two peers, Left and Right, each hold their own private key, their own certificate signed by the CA, and the CA public key. Both trust the CA, so Left can verify Right's certificate with the CA public key and vice versa, although the two have never exchanged keys directly.)
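The sign / verify / certificate flow of 1-6 and 1-7, as an added example that is not part of the slides: textbook RSA over a SHA-256 digest, a CA that issues a certificate for "Stephen", and a relying party that checks the certificate before the document signature. Assumptions: the four Mersenne primes are used as fixed key material so that the example runs without a prime generator (toy sizes, real keys are at least 2048 bits); the digest is truncated to 128 bits to fit the toy modulus, whereas real RSA pads the full digest (PKCS#1 v1.5 or PSS) and never signs a bare number; the certificate format is a plain "subject|n|e" string rather than X.509. Requires Python 3.8 or later for pow(e, -1, phi).

```python
import hashlib

# Mersenne primes 2^61-1, 2^89-1, 2^107-1, 2^127-1: fixed toy key material.
MERSENNE = {61: (1 << 61) - 1, 89: (1 << 89) - 1,
            107: (1 << 107) - 1, 127: (1 << 127) - 1}
E = 65537   # public exponent; coprime to phi(n) for all pairs used below


def make_keypair(p, q):
    """Textbook RSA: public (n, e), private (n, d) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(data: bytes) -> int:
    # 128-bit truncation keeps the digest below the toy modulus (assumption of
    # this example); real RSA pads the full digest instead of truncating it.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(data: bytes, priv) -> int:
    """1-6 creating: hash, then apply the private key to the digest."""
    n, d = priv
    return pow(digest(data), d, n)


def verify(data: bytes, sig: int, pub) -> bool:
    """1-6 verifying: recover the signed digest with the public key and compare."""
    n, e = pub
    return pow(sig, e, n) == digest(data)


def cert_body(subject: str, pub) -> bytes:
    # The signed content of a certificate (1-7): identity plus public key.
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_cert(subject: str, pub, ca_priv) -> dict:
    """The CA signs the binding 'this public key belongs to <subject>'."""
    return {"subject": subject, "pub": pub,
            "sig": sign(cert_body(subject, pub), ca_priv)}


def verify_cert(cert: dict, ca_pub) -> bool:
    return verify(cert_body(cert["subject"], cert["pub"]), cert["sig"], ca_pub)


def check_document(doc: bytes, sig: int, cert: dict, ca_pub) -> bool:
    """What a relying party does: trust the CA, check the cert, then the signature."""
    return verify_cert(cert, ca_pub) and verify(doc, sig, cert["pub"])


# Worked run: the CA, Stephen's certificate and a document signed by Stephen.
CA_PUB, CA_PRIV = make_keypair(MERSENNE[89], MERSENNE[107])
STEPHEN_PUB, STEPHEN_PRIV = make_keypair(MERSENNE[61], MERSENNE[127])
STEPHEN_CERT = issue_cert("Stephen", STEPHEN_PUB, CA_PRIV)
DOC = b"This is the document created by Stephen"   # constructed sample
DOC_SIG = sign(DOC, STEPHEN_PRIV)


def demo() -> dict:
    """Outcomes of the checks a verifier should make, good and bad cases."""
    forged_cert = dict(STEPHEN_CERT, subject="Mallory")   # identity swapped
    n, e = CA_PUB
    return {
        "valid": check_document(DOC, DOC_SIG, STEPHEN_CERT, CA_PUB),
        "tampered_doc": check_document(DOC + b"!", DOC_SIG, STEPHEN_CERT, CA_PUB),
        "forged_cert": check_document(DOC, DOC_SIG, forged_cert, CA_PUB),
        "wrong_ca": check_document(DOC, DOC_SIG, STEPHEN_CERT, STEPHEN_PUB),
        # 1-5: for RSA the private and public operations undo each other
        "keys_commute": pow(pow(12345, CA_PRIV[1], n), e, n) == 12345,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The relying party never trusts Stephen's public key directly; it trusts the CA public key it already holds, verifies the certificate with it, and only then uses the public key found inside the certificate. Swapping the subject name, changing one byte of the document, or presenting the certificate to someone who does not hold the right CA key all fail the check.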
1-7-2 SSL/TLS
(Diagram: each side holds a key pair. The sender processes the clear text with its own private key (cipher 1, a signature) and then encrypts the result with the receiver's public key (cipher 2) for transmission over the public network; the receiver decrypts cipher 2 with its own private key and then applies the sender's public key to cipher 1 to recover the clear text.)
• Ensures confidentiality, and integrity if digitally signed.
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation.
Real SSL/TLS uses the public-key operations only during the handshake, to authenticate the peer through its certificate (1-7) and to agree on session keys; the bulk data is then protected with a symmetric cipher (1-2) and a MAC (1-4), which is much faster.
1-8 Moxa UC-7400 - Hardware Cipher
• The Intel XScale (IXP-422) provides hardware security engines for DES and AES.
• Supported modes: ECB, CBC, CTR.
• Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so", so application source code does not have to change.

1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too.
1-8-2 Performance
(Charts: throughput and hardware-to-software speed-up ratio ("rate") for 3DES-CBC and AES-128-CBC as a function of packet size; one pair of charts covers 128 to 1280 bytes, a second pair covers 16 to 144 bytes. The legend marks the hardware-cipher series.)
1-8-3 Things to be noticed
• The Moxa UC-7400 switches operations between the software and the hardware approaches.
• Default: hardware approach.
• Any mis-configuration, or the engine being busy, causes a switch to the software approach.
• Small packets are handled in software, where the engine's per-packet overhead dominates: DES below 128 bytes, 3DES/AES below 64 bytes.

1-8-4 Software Package
• Driver: mxhw_cipher.o
• Device file: mknod /dev/mxcrypto c 11 131
• Test program:
  io            correctness test
  io 0 5000     stability test
  io 1          golden pattern
  io 2 20000    performance test
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
• VPN: a network constructed over public wires (e.g. the Internet) to connect nodes.
• A VPN encrypts all network traffic between the nodes, not just a few application protocols (as SSL, SSH, etc. do).
• A VPN allows the use of protocols which are insecure by themselves (e.g. Telnet, NFS) across an untrusted network.
• VPN traffic cannot easily be controlled or logged in transit because of its encrypted nature: filtering and logging have to be done at the tunnel endpoints (e.g. with iptables rules on the tun/tap interface).
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT / DHCP support
• Can use a 2048-bit static (pre-shared) key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later

2-2 Why OpenVPN
Peers – each node takes a client or server role
• Uses the kernel routing table
• Multiple clients per server (OpenVPN 2.0 server mode)
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• Choice among a set of security algorithms (see openvpn --show-ciphers and --show-digests)
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port (5000 was the OpenVPN 1.x default, 1194 is the IANA-assigned default from 2.0 on)
2-2 OpenVPN Security
Two authentication modes
• Static key: a pre-shared key generated with openvpn --genkey, the same secret on both sides.
• SSL/TLS: SSL/TLS with certificates for
  • authentication
  • key exchange (fresh session keys, renegotiated periodically)
The encrypted packet is formatted as
• HMAC | IV | { SeqN | IP packet payload } encrypted
• SeqN: 64-bit sequence number, carried inside the encrypted part and used for replay protection
• IV: plaintext initialization vector, randomized per packet
• HMAC: keyed digest over the IV and the ciphertext (encrypt-then-MAC), so the receiver rejects tampered or forged packets before decrypting them
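The packet format above and the keyed-digest idea of 1-4, as an added example that is not part of the slides or of the OpenVPN source: a sender builds HMAC | IV | encrypt(SeqN | payload), and a receiver authenticates the packet before decrypting it and then rejects replays by sequence number. Assumptions: the block cipher is a stand-in built from an HMAC-SHA256 counter keystream, because the Python standard library has no AES (OpenVPN itself uses a real cipher such as BF-CBC or AES-CBC); the split of the 256-byte static key into cipher and HMAC keys uses offsets chosen for this example; the sample key and payloads are constructed.

```python
import hashlib
import hmac
import os
import struct

HMAC_LEN = 20   # HMAC-SHA1 tag, OpenVPN 2.0's default "auth" digest
IV_LEN = 16


def derive_keys(static_key: bytes):
    """Split the 2048-bit (256-byte) static key into a cipher key and an HMAC key.
    Assumption: these offsets are this example's own; OpenVPN slices its key
    file into per-direction cipher/HMAC keys with its own layout."""
    if len(static_key) != 256:
        raise ValueError("expected a 2048-bit static key")
    return static_key[:32], static_key[64:96]


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the real block cipher (AES-CBC is not in the stdlib): a
    counter-mode keystream from HMAC-SHA256(key, IV || counter).  XOR makes
    encryption and decryption the same operation; the random per-packet IV is
    what keeps the keystream from ever repeating."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, iv + struct.pack(">I", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


class Sender:
    def __init__(self, static_key: bytes):
        self.cipher_key, self.hmac_key = derive_keys(static_key)
        self.seq = 0                                  # 64-bit sequence number

    def seal(self, payload: bytes) -> bytes:
        """Build HMAC | IV | encrypt(SeqN | payload)."""
        self.seq += 1
        iv = os.urandom(IV_LEN)                       # plaintext IV, fresh per packet
        body = keystream_xor(self.cipher_key, iv, struct.pack(">Q", self.seq) + payload)
        tag = hmac.new(self.hmac_key, iv + body, hashlib.sha1).digest()   # encrypt-then-MAC
        return tag + iv + body


class Receiver:
    def __init__(self, static_key: bytes):
        self.cipher_key, self.hmac_key = derive_keys(static_key)
        self.last_seq = 0

    def unseal(self, packet: bytes):
        """Return (payload, "ok"), or (None, reason) for a rejected packet."""
        tag = packet[:HMAC_LEN]
        iv = packet[HMAC_LEN:HMAC_LEN + IV_LEN]
        body = packet[HMAC_LEN + IV_LEN:]
        expected = hmac.new(self.hmac_key, iv + body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):    # authenticate before decrypting
            return None, "bad hmac"
        plain = keystream_xor(self.cipher_key, iv, body)
        seq = struct.unpack(">Q", plain[:8])[0]
        if seq <= self.last_seq:                      # replayed (or stale) packet
            return None, "replay"
        self.last_seq = seq
        return plain[8:], "ok"


def demo() -> list:
    """Constructed run: two good packets, a replay, a bit flip, and a wrong key."""
    key = bytes(range(256))                           # stand-in for an `openvpn --genkey` file
    tx, rx = Sender(key), Receiver(key)
    p1, p2 = tx.seal(b"IP packet #1"), tx.seal(b"IP packet #2")
    results = [rx.unseal(p1)[1], rx.unseal(p2)[1], rx.unseal(p1)[1]]
    pos = HMAC_LEN + IV_LEN                           # first ciphertext byte
    flipped = p1[:pos] + bytes([p1[pos] ^ 0x01]) + p1[pos + 1:]
    results.append(rx.unseal(flipped)[1])
    results.append(Receiver(bytes(256)).unseal(p2)[1])
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'replay', 'bad hmac', 'bad hmac']
```

Two design points carry over to the real protocol: the HMAC is checked with a constant-time compare before any decryption, so an attacker cannot use the receiver as a padding or decryption oracle, and the sequence number lives inside the ciphertext, so it cannot be edited without breaking the HMAC. The strict "seq must increase" rule here also drops legitimately reordered UDP packets; OpenVPN uses a sliding replay window for that case.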
2-2 OpenVPN vs IPsec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall and NAT friendly
• Dynamic address support
IPsec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPsec
• IETF standard, multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses a TUN device: a virtual point-to-point IP link. OpenVPN reads raw IP packets from the inner (tun) interface and sends them through the tunnel.
• Uses the kernel routing table to forward packets between the tunnel and the LAN.
(Diagram: the OSI stacks of both peers; OpenVPN runs as an application and hands IP packets to the TUN device at layer 3, the network layer.)

2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work.
2. Routes must be set up linking each subnet.
3. Software that depends on broadcasts will not see machines on the other side of the VPN.
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly.
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses a "TAP" device: a TAP device is a virtual Ethernet adapter.
• The bridge tools (brctl) are required to create the bridge.
• A script is needed to bind eth1 and tap0 together into a bridged device called br0.

2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
(The third command needs the bridge name; "brctl addif tap0" without it is rejected. Once the bridge is up, the LAN IP address is assigned to br0 instead of eth1.)
(Diagram: OSI stacks of both peers; OpenVPN injects Ethernet frames at layer 2 through tap0, which is bridged with eth1 into br0 on each side; the diagram also shows eth0 on each peer.)

2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server.
3. No route statements to configure.
4. Works when the VPN needs to carry non-IP protocols such as IPX, NetWare and AppleTalk.
5. Relatively easy-to-configure solution for road warriors.
Bridging disadvantages
1. Less efficient than routing and does not scale well: every broadcast crosses the tunnel.
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN device: ls /dev/net and look for the character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]
  (The key file is the whole secret: give it mode 600, copy it to the peer only over a secure channel such as scp, and do not reuse it across tunnels.)
• Self diagnostic: openvpn --test-crypto --secret [KeyName]

3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create / start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• The local and remote VPN IP addresses must be specified (the "ifconfig" line).
• It is NECESSARY to specify the server address at the VPN client (the "remote" line).

3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
• The gateway of the route to the remote LAN is the 2nd argument of "ifconfig", which is now "10.0.2.254".

3-3 TAP Configuration
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At VPN Client] vi /etc/openvpn/tapclient.conf

3-3 TAP Configuration – VPN Server
• Comment out the marked route line if both VPN networks are in the same subnet.

3-3 TAP Configuration – VPN Server
• Edit the static routes: vi /etc/openvpn/tapserver.sh
  [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
• The routes point at the kernel routing entry of the bridge: br0 = 10.0.1.254

3-3 TAP Configuration – VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf and pre-set default_days, default_bits, etc.
• Create a new CA root key pair and self-signed CA certificate: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate request with the CA: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client.
• Have the second client certified the same way (its own -newreq and -sign).
(Only the CA's private key has to stay on the CA machine; protect it, because anyone holding it can issue certificates that every VPN peer will trust.)

3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars (source them into the current shell): . /etc/openvpn/easy-rsa/vars
• Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
  (easy-rsa also provides build-key-server, which adds the server extension to the certificate; with it, clients can put "ns-cert-type server" in their configuration so that another client's certificate cannot be used to impersonate the server.)

3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (1024 bits in this lab, from KEY_SIZE in vars; 2048 bits or more is the current minimum)
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server.
• Copy the CA certificate, client key and client certificate to the VPN client.
• Private keys (*.key) must only travel over a secure channel and must be readable only by root; the CA key (ca.key) never leaves the CA machine.
• The "easy-rsa" tools also work on the UC-7400 series.

3-4-3 Configuration File Modification
(Slides show the TLS versions of the server and client configuration files.) In TLS mode the server configuration references the files from 3-4-2 with the ca, cert, key and dh directives (plus tls-server), the client uses ca, cert, key and tls-client, and the static "secret" line is removed.
Live Demo
UC-7420 Demo Box
• Two of its serial ports are connected to a power meter and a thermocouple.
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site.
• The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability.

Demo Box Features
(Software block diagram)
• Temperature range: 0 to 500 °C
• Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC

UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3 Alarm Setting: Temperature → Voltage → burn-in throughput
• F4 Configuration key
• F5 Main menu

Apache Web with CGI & HTML
• Seat Locating System
• Score Query System

Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards.
• The compatible wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset

Thank You
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
Thank YouThank You
OpenVPN 2.0
Stephen Lin
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if they listen to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast: high efficiency for data transmission
• Is it "secure" while transferring the key?
• Key maintenance: (n-1)n/2 keys for n parties
• DES / 3DES / AES / Blowfish
[Figure: Tom turns the plaintext into ciphertext with the secret key (encryption); Bob turns the ciphertext back into plaintext with the same secret key (decryption)]
1-3 Hash (Digest) Function
• Ensure data integrity
• MD5 / SHA-1
[Figure: Tom runs the data through the hash function to get Message Digest 1 and sends data + Message Digest 1; Bob runs the received data through the same hash function to get Message Digest 2 and compares it with Message Digest 1]
1-4 Message Authentication Code
• Ensure data integrity
• Use a key to protect the MAC
• HMAC / CBC-MAC
[Figure: Tom hashes the data to Message Digest 1 and encrypts the digest with the secret key to form the MAC, then sends MAC + data; Bob hashes the received data to Message Digest 2, decrypts the MAC with the secret key to recover Message Digest 1, and compares the two]
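The keyed check on this slide, as an added Python example that is not part of the original deck: HMAC built directly from its RFC 2104 definition (standard library only), cross-checked against Python's own hmac module, and contrasted with the unkeyed digest of slide 1-3 so the difference shows in code. The shared key and the messages are constructed for the demonstration.

```python
"""Keyed vs unkeyed integrity check (slides 1-3 and 1-4). Added example; the
key and messages below are constructed, not taken from the deck."""
import hashlib
import hmac

BLOCK_SIZE = 64           # internal block size of MD5 and SHA-1, in bytes
TAG_LEN = 20              # SHA-1 output length, used for both tag and digest


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)), as in RFC 2104."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    if len(key) > BLOCK_SIZE:
        key = h(key)                          # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + message))


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-built HMAC against the standard library."""
    return hmac_from_definition(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def tag_message(key: bytes, data: bytes) -> bytes:
    """Tom's side of slide 1-4: transmit MAC || data."""
    return hmac_from_definition(key, data) + data


def verify_tagged(key: bytes, received: bytes):
    """Bob's side: recompute the MAC over the received data and compare it in
    constant time. Returns the data if the tag is valid, None otherwise."""
    tag, data = received[:TAG_LEN], received[TAG_LEN:]
    return data if hmac.compare_digest(tag, hmac_from_definition(key, data)) else None


def verify_bare_digest(received: bytes):
    """Slide 1-3 without a key: digest || data. Protects against accidents only."""
    digest, data = received[:TAG_LEN], received[TAG_LEN:]
    return data if hmac.compare_digest(digest, hashlib.sha1(data).digest()) else None


def integrity_comparison(key: bytes) -> dict:
    """Why the key matters: whoever alters the data in transit can recompute a
    bare digest over the new data, but cannot recompute the HMAC without the key."""
    original = b"transfer 100 EUR to Bob"        # constructed message
    altered = b"transfer 900 EUR to Eve"         # constructed alteration
    altered_with_digest = hashlib.sha1(altered).digest() + altered
    altered_with_guess = hashlib.sha1(altered).digest() + altered   # best effort without the key
    return {
        "bare_digest_accepts_altered": verify_bare_digest(altered_with_digest) == altered,
        "hmac_accepts_altered": verify_tagged(key, altered_with_guess) is not None,
        "hmac_accepts_genuine": verify_tagged(key, tag_message(key, original)) == original,
    }


if __name__ == "__main__":
    print(integrity_comparison(b"shared secret between Tom and Bob"))
```

hmac.compare_digest is used for every comparison so that a failed check takes the same time regardless of how many leading bytes matched; a plain `==` on tags is the classic mistake the MAC slide does not mention.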
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be public or private
• Less efficient than a static key
• RSA / Diffie-Hellman
[Figure: clear text encrypted into unreadable cipher text]
1-5 Asymmetric Data Encryption
[Figure, confidentiality check: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key (the recipient's key pair)]
1-5 Asymmetric Data Encryption
[Figure, authenticity check: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key (the sender's key pair)]
1-6 Digital Signature
Real world: hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: use the public key and a hash
1-6 Digital Signature - Creating
[Figure: the message or file ("This is the document created by Gianni") goes through a one-way message digest function (hash: SHA, MD5), which calculates a short message digest (typically 128 bits), shown as "Py75cbn", even from a long input; the digest is encrypted asymmetrically (RSA) with the signatory's private key to give the digital signature, shown as "3kJfgf£$&"; message plus signature form the signed document]
1-6 Digital Signature - Verifying
[Figure: the signed document is split into the data ("This is the document created by Gianni") and the digital signature ("3kJfgf£$&"); the data is hashed to a message digest ("Py75cbn"); the signature is decrypted asymmetrically with Gianni's public key (from the certificate), yielding the original digest ("Py75cbn"); the two digests are compared]
1-6 Digital Signature
[Figure: Tom hashes the data to Message Digest 1 and encrypts the digest with Tom's private key to form the digital signature, then sends data + signature; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares the two]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is
• Digitally signed by someone trusted (like your friend or a CA)
[Figure: certificate = public key + "This public key belongs to Stephen" + digital signature; the certified entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Figure: the CA (certification server) generates a key pair (priv, pub); the user requests a certificate from the CA; the CA generates the certificate (pub + DS, the CA's digital signature); the private key and the certificate are sent to the user. Left cert signed by CA; right cert signed by CA; CA pub key signed by CA]
1-7-1 CA Certificate Example
[Figure: the CA holds the CA private key. Left holds its private key, the CA pub key and the Left cert signed by the CA; Right holds its private key, the CA pub key and the Right cert signed by the CA. Left and Right trust each other's certificates through the CA pub key]
1-7-2 SSL/TLS
[Figure: each side holds a priv/pub key pair; the clear text is encrypted (cipher 1), encrypted again (cipher 2) and transmitted over the public network; the receiver decrypts cipher 2, then cipher 1, back to the clear text]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four throughput charts comparing the software cipher with the HW cipher (legend: 3DES CBC, AES128 CBC, RATE; marker = HW cipher). Upper charts: packet sizes 128 to 1280 bytes, left axis 0 to 80, right axis (RATE) 0 to 8. Lower charts: packet sizes 16 to 144 bytes, left axis 0 to 8, right axis (RATE) 0 to 2.5]
1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration or busy hardware causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the use of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Makes use of the kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• Choice between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | encrypted part, where the encrypted part carries SeqN and the IP payload]
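The packet layout above (HMAC, IV, then the encrypted SeqN and payload), as an added Python example that is not OpenVPN's code: it shows the receiver side a practitioner cares about, checking the HMAC in constant time before any decryption and then rejecting replayed sequence numbers with a sliding window. The stand-in cipher (HMAC-SHA1 used as a keystream in counter mode), the 16-byte IV, the 64-entry window and all keys and payloads are assumptions made for the demonstration; OpenVPN itself uses a block cipher such as Blowfish or AES for the encrypted part.

```python
"""Receiver-side handling of the slide's static-key packet:
HMAC | IV | encrypted( SeqN | payload ). Added example, not OpenVPN code.
The cipher, IV length, window size, keys and payloads are assumptions."""
import hashlib
import hmac
import os
import struct

HMAC_LEN = hashlib.sha1().digest_size   # 20-byte authentication tag
IV_LEN = 16                              # per-packet random IV (assumed length)
SEQ_LEN = 8                              # 64-bit sequence number, as on the slide


def _keystream_cipher(cipher_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the block cipher: XOR with HMAC-SHA1(key, IV || counter).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), HMAC_LEN)):
        block = hmac.new(cipher_key, iv + struct.pack(">I", counter), "sha1").digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + HMAC_LEN], block))
    return bytes(out)


def build_packet(cipher_key: bytes, auth_key: bytes, seq_no: int, payload: bytes, iv: bytes = None) -> bytes:
    """Sender: encrypt SeqN || payload under a fresh IV, then MAC over IV || ciphertext."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    body = _keystream_cipher(cipher_key, iv, struct.pack(">Q", seq_no) + payload)
    tag = hmac.new(auth_key, iv + body, "sha1").digest()
    return tag + iv + body


class ReplayWindow:
    """Sliding bitmap over the highest sequence number seen (anti-replay)."""
    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq_no: int) -> bool:
        if seq_no == 0:
            return False                                # 0 is never a valid SeqN here
        if seq_no > self.highest:                       # newer than anything seen: slide window
            shift = seq_no - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq_no
            return True
        behind = self.highest - seq_no
        if behind >= self.size or self.bitmap & (1 << behind):
            return False                                # too old, or already accepted
        self.bitmap |= 1 << behind
        return True


class Receiver:
    def __init__(self, cipher_key: bytes, auth_key: bytes):
        self.cipher_key, self.auth_key, self.window = cipher_key, auth_key, ReplayWindow()

    def receive(self, packet: bytes):
        """Returns (status, payload). Authenticate first; decrypt only what passed the MAC."""
        if len(packet) < HMAC_LEN + IV_LEN + SEQ_LEN:
            return "too short", None
        tag, iv, body = packet[:HMAC_LEN], packet[HMAC_LEN:HMAC_LEN + IV_LEN], packet[HMAC_LEN + IV_LEN:]
        expected = hmac.new(self.auth_key, iv + body, "sha1").digest()
        if not hmac.compare_digest(tag, expected):
            return "bad hmac", None
        clear = _keystream_cipher(self.cipher_key, iv, body)
        seq_no = struct.unpack(">Q", clear[:SEQ_LEN])[0]
        if not self.window.accept(seq_no):
            return "replay", None
        return "ok", clear[SEQ_LEN:]


def demo() -> list:
    """Constructed traffic: in-order, replayed, tampered and out-of-order packets."""
    cipher_key, auth_key = b"C" * 32, b"A" * 20   # constructed keys, not a real static key
    rx = Receiver(cipher_key, auth_key)
    pkts = [build_packet(cipher_key, auth_key, n, b"ip payload %d" % n) for n in range(1, 6)]
    tampered = bytearray(pkts[2])
    tampered[-1] ^= 0x01                           # flip one ciphertext bit in transit
    order = [pkts[0], pkts[1], pkts[1], bytes(tampered), pkts[4], pkts[3]]
    return [rx.receive(p)[0] for p in order]
# demo() -> ['ok', 'ok', 'replay', 'bad hmac', 'ok', 'ok']
```

Two points carry over to a real deployment: the MAC is verified before the cipher is touched, so a forged or corrupted packet is dropped without spending a decryption on it, and the window lets slightly reordered UDP packets through while an exact repeat of an already accepted SeqN is refused.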
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: the OSI stacks of the two peers (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN hooks in through TUN at the Network layer (3rd)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Figure: the OSI stacks of the two peers; OpenVPN hooks in through TAP at the Data-Link layer (2nd), versus TUN at the Network layer (3rd). On each peer eth1 and tap0 are bridged, while eth0 remains outside the bridge]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server (ixp1 10.0.1.254, ixp0 192.168.12.201); LAN B (IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN Client (ixp1 10.0.2.254, ixp0 192.168.12.202). The client connects to the server across the VPN tunnel; a CA/TLS server is also shown]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the supported ciphers/authentication digests: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• Local/remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routings: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
• Note the 2nd argument of "ifconfig", which is now "10.0.2.254" (the remote VPN IP)
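To make the two notes above concrete (mirrored local/remote addresses, and the mandatory server address at the client), here is an added Python example, not Moxa's or OpenVPN's code, that generates the tunserver.conf / tunclient.conf pair for the lab topology and checks that the two files agree with each other. The addresses are those of the slide 3-1 diagram (192.168.12.201, 10.0.1.254, 10.0.2.254, 10.0.1.0/24, 10.0.2.0/24); the key file name static.key, port 1194 and the keepalive values are assumptions.

```python
"""Generate and cross-check the TUN static-key configuration pair (slides 3-1/3-2).
Added example, not Moxa's or OpenVPN's code. Lab addresses come from the deck;
the key file path, port and keepalive values are assumptions."""
import ipaddress


def tun_static_key_pair(server_public_ip, server_tun_ip, client_tun_ip, server_lan, client_lan,
                        key_file="/etc/openvpn/static.key", port=1194):
    """Return (tunserver.conf, tunclient.conf) texts for a point-to-point TUN tunnel
    authenticated with a pre-shared key (openvpn --genkey --secret)."""
    s_lan = ipaddress.ip_network(server_lan)
    c_lan = ipaddress.ip_network(client_lan)
    common = ["dev tun", "proto udp", f"port {port}", f"secret {key_file}",
              "keepalive 10 60",   # assumed ping / ping-restart values
              "verb 3"]
    server = ["# tunserver.conf",
              f"ifconfig {server_tun_ip} {client_tun_ip}",        # local, remote
              f"route {c_lan.network_address} {c_lan.netmask}"] + common
    client = ["# tunclient.conf",
              f"remote {server_public_ip}",                        # mandatory at the client
              f"ifconfig {client_tun_ip} {server_tun_ip}",        # arguments mirrored
              f"route {s_lan.network_address} {s_lan.netmask}"] + common
    return "\n".join(server) + "\n", "\n".join(client) + "\n"


def parse_conf(text):
    """Minimal OpenVPN config reader: directive -> list of argument lists.
    '#' and ';' start comments, as in OpenVPN's own files."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf


def check_pair(server_text, client_text):
    """Return the list of disagreements between the two files (empty when consistent)."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    if "remote" not in c:
        problems.append("client lacks 'remote': the server address must be specified at the VPN client")
    s_if = s.get("ifconfig", [[]])[0]
    c_if = c.get("ifconfig", [[]])[0]
    if len(s_if) != 2 or len(c_if) != 2:
        problems.append("both sides need 'ifconfig <local VPN IP> <remote VPN IP>'")
    elif s_if != c_if[::-1]:
        problems.append(f"ifconfig not mirrored: server {s_if}, client {c_if}")
    if "secret" not in s or s.get("secret") != c.get("secret"):
        problems.append("both sides must reference the same pre-shared key file ('secret')")
    if s.get("dev") != c.get("dev"):
        problems.append("'dev' differs: both ends must use the same device type")
    for side, conf in (("server", s), ("client", c)):
        for args in conf.get("route", []):
            try:
                ipaddress.ip_network(f"{args[0]}/{args[1]}")
            except (IndexError, ValueError):
                problems.append(f"{side}: malformed route {args}")
    return problems


def demo():
    """Consistent pair for the lab, and a client file copied from the server unchanged."""
    server, client = tun_static_key_pair("192.168.12.201", "10.0.1.254", "10.0.2.254",
                                         "10.0.1.0/24", "10.0.2.0/24")
    copied_client = server.replace("# tunserver.conf", "# tunclient.conf")
    return check_pair(server, client), check_pair(server, copied_client)


if __name__ == "__main__":
    good, bad = demo()
    print("lab pair:", good or "consistent")
    print("copied client:", bad)
```

The second case in demo() is the mistake the slide warns about: a client file copied from the server keeps the server's ifconfig order and has no remote line, and the checker reports both.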
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
• Mark (comment out) this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routings: vi /etc/openvpn/tapserver.sh
  [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
• Point the kernel routing at the bridge: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-fill default_days, default_bits, … etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters (1024 bits): /etc/openvpn/easy-rsa/build-dh
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
• txxserver.conf / txxclient.conf (txx stands for tun or tap)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500°C
• Left side for the high range: 0 to 300 VDC; right side for the low range: 0 to 20 VDC
UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
• F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
• F4 Configuration Key
• F5 Main Menu
Apache Web with CGI & HTML
• Seat Locating System
• Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are (supplier: model name):
• ASUS: WL-107g
• CNET: CWC-854 (181D version)
• Edimax: EW-7108PCg
• Amigo: AWP-914WG
• Gigabyte: GN-WMKG
• Others which use the Ralink chip set
Thank You
OpenVPN 20OpenVPN 20Stephen Lin
OpenVPN 20OpenVPN 20
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit static (pre-shared) key or digital certificates (PKI)
Portability: supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node takes a client or server role
• Uses the kernel routing table
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• Choice among a set of security algorithms (list them with openvpn --show-ciphers and openvpn --show-digests)
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP port (5000 was the 1.x default, 1194 is the 2.0 default) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: use a pre-shared key (generated with openvpn --genkey)
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number (replay protection)
• IV: plaintext initialization vector, randomized per packet
  HMAC | IV | encrypt( SeqN | IP payload )
  The HMAC is computed over the IV and the encrypted part (encrypt-then-MAC); a receiver checks it before decrypting anything.
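The packet layout above, worked through as an added example (not OpenVPN's own code): a sender builds HMAC | IV | encrypt(SeqN | payload), and a receiver verifies the tag before it decrypts and then applies a sliding replay window on SeqN. The keys and the traffic are constructed for the example, and because the Python standard library has no AES or 3DES the block cipher is replaced by a clearly labelled HMAC-based keystream; the framing, the verification order and the replay logic are the point, not the cipher.

```python
import hashlib
import hmac
import os
import struct

# Constructed keys so the run is reproducible; a real peer takes them from the
# file written by "openvpn --genkey --secret".
HMAC_KEY = hashlib.sha256(b"example hmac key").digest()[:20]
CIPHER_KEY = hashlib.sha256(b"example cipher key").digest()
IV_LEN = 16
TAG_LEN = hashlib.sha1().digest_size     # 20: HMAC-SHA1, OpenVPN's default "auth"
SEQ_FMT = ">Q"                            # SeqN: 64-bit, network byte order


def keystream_cipher(key, iv, data):
    """Stand-in for the AES-128-CBC / 3DES-CBC of the real data channel (the
    standard library has no block cipher): a counter-mode keystream derived with
    HMAC-SHA256 and XORed in. The same call encrypts and decrypts. Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack(">I", offset // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(seq, payload, iv=None):
    """One data-channel packet: HMAC | IV | encrypt(SeqN | payload).
    Encrypt-then-MAC: the tag is computed over the IV and the ciphertext."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    ciphertext = keystream_cipher(CIPHER_KEY, iv, struct.pack(SEQ_FMT, seq) + payload)
    tag = hmac.new(HMAC_KEY, iv + ciphertext, hashlib.sha1).digest()
    return tag + iv + ciphertext


class Receiver:
    """Tag first, then decrypt, then a 64-packet sliding replay window on SeqN
    (the shape of OpenVPN's --replay-window; the bookkeeping here is this example's)."""

    WINDOW = 64

    def __init__(self):
        self.highest = 0      # highest SeqN accepted so far (SeqN starts at 1)
        self.seen = 0         # bit i set  <=>  SeqN (highest - i) already accepted

    def _replay_ok(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
            return True
        behind = self.highest - seq
        if behind >= self.WINDOW or (self.seen >> behind) & 1:
            return False      # fell out of the window, or a replay
        self.seen |= 1 << behind
        return True

    def open(self, packet):
        """Return the payload, or None for a forged, damaged or replayed packet."""
        if len(packet) < TAG_LEN + IV_LEN + struct.calcsize(SEQ_FMT):
            return None
        tag, iv = packet[:TAG_LEN], packet[TAG_LEN:TAG_LEN + IV_LEN]
        ciphertext = packet[TAG_LEN + IV_LEN:]
        expected = hmac.new(HMAC_KEY, iv + ciphertext, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, tag):
            return None       # rejected before decryption: no oracle on the cipher
        plaintext = keystream_cipher(CIPHER_KEY, iv, ciphertext)
        (seq,) = struct.unpack(SEQ_FMT, plaintext[:8])
        return plaintext[8:] if self._replay_ok(seq) else None


def demo():
    """Constructed traffic: genuine packets, a replay, a flipped byte, reordering."""
    rx = Receiver()
    pkts = [seal(n, b"IP payload %d" % n) for n in (1, 2, 3)]
    damaged = pkts[1][:-1] + bytes([pkts[1][-1] ^ 0x01])
    return {
        "in_order": [rx.open(p) for p in pkts],              # the three payloads
        "replayed_1": rx.open(pkts[0]),                      # None: already seen
        "tampered": rx.open(damaged),                        # None: HMAC fails
        "skip_ahead": rx.open(seal(10, b"ahead")),           # b"ahead"
        "late_in_window": rx.open(seal(4, b"late")),         # b"late": reordered, unseen
        "far_ahead": rx.open(seal(200, b"x")),               # b"x"
        "beyond_window": rx.open(seal(100, b"y")),           # None: older than the window
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %r" % (name, value))
```

The order inside open() is the security-relevant part: a packet whose tag does not verify is dropped without ever reaching the cipher or the replay state, so an attacker gets neither a decryption oracle nor a way to poison the window.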
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic Firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses a TUN device: a virtual point-to-point IP link; the inner (tunnel) interface is the TUN device itself
• Uses the kernel routing table to forward the packets
[Diagram: OSI stacks of the two peers; OpenVPN runs in user space above the Transport layer, and the TUN device is inserted at layer 3 (Network).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) for cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the bridge
• A script is needed to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          create an Ethernet bridge
brctl addif br0 eth1     connect interface eth1 as a port
brctl addif br0 tap0     connect virtual interface tap0 as a port
[Diagram: OSI stacks of the two peers; the TAP device is inserted at layer 2 (Data-Link) and, together with eth1, is bridged into br0 on each side, while OpenVPN itself runs in user space over the other LAN port (eth0).]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to carry non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well (every broadcast on either LAN crosses the tunnel)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys
3-1 Getting Started
[Lab topology]
LAN A: hosts 10.0.1.1/24, gateway 10.0.1.254; [VPN Server] with ixp1 = 10.0.1.254 (LAN side) and ixp0 = 192.168.12.201 (tunnel side)
LAN B: hosts 10.0.2.1/24, gateway 10.0.2.254; [VPN Client] with ixp1 = 10.0.2.254 (LAN side) and ixp0 = 192.168.12.202 (tunnel side)
The VPN tunnel connects the two ixp0 addresses over the 192.168.12.x network; a [CA/TLS Server] issues the certificates used in 3-4.
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
• Copy [KeyName] to the client over a secure channel (e.g. scp) and keep it readable by root only: anyone holding the file can join or decrypt the tunnel
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
• Check the supported ciphers and digests: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tun/server.conf
  [At VPN Client] vi /etc/openvpn/tun/client.conf
3-2 TUN Server Configuration
• The local and remote VPN (tunnel) IP addresses must be specified: ifconfig <local> <remote>
• It is NECESSARY to specify the server address at the VPN client: remote <server address>
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tun/server.sh; chmod +x /etc/openvpn/tun/server.sh
  [At VPN Client] vi /etc/openvpn/tun/client.sh; chmod +x /etc/openvpn/tun/client.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun/server.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tun/client.conf &
• Callout on the client file: note the 2nd argument of "ifconfig" (the remote tunnel endpoint), which is now 10.0.2.254
• Create the TAP configuration files: vi /etc/openvpn/tap/server.conf
  [At VPN Client] vi /etc/openvpn/tap/client.conf
3-3 TAP Configuration: VPN Server
• Comment out ("mark") this line if both VPN networks are in the same subnet (a bridged LAN needs no route to the other side)
3-3 TAP Configuration: VPN Client
• Edit the static routes: vi /etc/openvpn/tap/server.sh
  [At VPN Client] vi /etc/openvpn/tap/client.sh; chmod +x /etc/openvpn/tap/client.sh
• Point the kernel routing at the bridge: br0 = 10.0.1.254
3-3 TAP Configuration: VPN Server
• Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap/server.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tap/client.conf &
3-4-1 SSL/TLS: Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
• Sign the certificate request with the CA: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Repeat -newreq and -sign for the second client
Because -newreq generates the key wherever it is run, running it on the client itself and sending only the request to the CA keeps the private key from ever crossing the network.
3-4-2 OpenVPN: "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars (KEY_COUNTRY, KEY_ORG, KEY_SIZE, ...)
• Activate the vars (source them into the current shell): . /etc/openvpn/easy-rsa/vars
• Initialise the key directory (this wipes any previous keys): /etc/openvpn/easy-rsa/clean-all
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server (build-key-server server adds the nsCertType=server extension, which lets a client verify with "ns-cert-type server" that it is talking to the server and not to another client)
3-4-2 OpenVPN: "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
• Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (the size comes from KEY_SIZE in vars; 1024 bits in this lab, which is too short by today's standards: use 2048 or more)
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txx/server.conf
txx/client.conf
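The configuration rules of 3-2 to 3-4 checked mechanically, as an added example that is neither from the slides nor from the OpenVPN project: a small parser for OpenVPN's directive-per-line format and an audit that pairs a server file with a client file. The sample files use the 3-1 lab addresses; the tunnel endpoints 10.8.0.1/10.8.0.2, the key paths and the file names are assumptions. The ns-cert-type check is the practitioner's addition for TLS mode: without it any certificate issued by the CA, including another client's, is accepted as the server.

```python
import shlex

# Sample configuration files written for this example (the slides show screenshots
# that are not reproduced on the page). Public addresses and LAN subnets follow the
# 3-1 lab topology; the tunnel endpoints, key paths and file names are assumptions.
SERVER_CONF = """\
dev tun
port 1194
# local and remote tunnel endpoints: both MUST be specified
ifconfig 10.8.0.1 10.8.0.2
# LAN B behind the client is reached through the tunnel
route 10.0.2.0 255.255.255.0
secret /etc/openvpn/static.key
keepalive 10 60
"""

CLIENT_CONF = """\
dev tun
# the server address is mandatory at the client
remote 192.168.12.201 1194
# mirror image of the server's ifconfig line
ifconfig 10.8.0.2 10.8.0.1
route 10.0.1.0 255.255.255.0
secret /etc/openvpn/static.key
keepalive 10 60
"""

TLS_SERVER_CONF = """\
dev tun
port 1194
ifconfig 10.8.0.1 10.8.0.2
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
"""

TLS_CLIENT_CONF = """\
dev tun
remote 192.168.12.201 1194
ifconfig 10.8.0.2 10.8.0.1
tls-client
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client.crt
key /etc/openvpn/easy-rsa/keys/client.key
"""


def parse_conf(text):
    """OpenVPN config syntax: one directive per line, '#' or ';' start a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line, comments=True)
        entries.append((words[0], words[1:]))
    return entries


def first(conf, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    return next((args for directive, args in conf if directive == name), None)


def audit(server_text, client_text):
    """Check a server/client pair against the rules the slides state, plus the
    server-certificate check a TLS-mode client should carry. Returns the problems."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    dev_s, dev_c = first(s, "dev"), first(c, "dev")
    if not dev_s or not dev_c:
        problems.append("both ends need 'dev tun' or 'dev tap'")
    elif dev_s[0][:3] != dev_c[0][:3]:
        problems.append("dev mismatch: server %s, client %s" % (dev_s[0], dev_c[0]))
    ifc_s, ifc_c = first(s, "ifconfig"), first(c, "ifconfig")
    if not ifc_s or not ifc_c or len(ifc_s) != 2 or len(ifc_c) != 2:
        problems.append("'ifconfig <local> <remote>' must be specified on both ends")
    elif ifc_c != [ifc_s[1], ifc_s[0]]:
        problems.append("ifconfig not mirrored: server %s, client %s" % (ifc_s, ifc_c))
    if first(c, "remote") is None:
        problems.append("client must name the server with 'remote <address> [port]'")
    static = first(s, "secret") is not None and first(c, "secret") is not None
    tls = first(s, "tls-server") is not None and first(c, "tls-client") is not None
    if static == tls:       # both modes, or neither: the two ends do not agree
        problems.append("authentication mode mismatch: 'secret' on both ends, or "
                        "tls-server/tls-client with certificates on both ends")
    elif tls:
        for end, conf, needed in (("server", s, ("ca", "cert", "key", "dh")),
                                  ("client", c, ("ca", "cert", "key"))):
            missing = [n for n in needed if first(conf, n) is None]
            if missing:
                problems.append("%s: TLS mode needs %s" % (end, " ".join(missing)))
        if first(c, "ns-cert-type") is None and first(c, "remote-cert-tls") is None:
            problems.append("client: add 'ns-cert-type server' (2.0) or 'remote-cert-tls "
                            "server' so another client's certificate cannot pose as the server")
    return problems


if __name__ == "__main__":
    print("static pair:", audit(SERVER_CONF, CLIENT_CONF) or "ok")
    print("tls pair:   ", audit(TLS_SERVER_CONF, TLS_CLIENT_CONF) or "ok")
    print("mixed pair: ", audit(SERVER_CONF, TLS_CLIENT_CONF) or "ok")
```

Run it before starting the daemons on both boxes; the mirrored-ifconfig and missing-remote cases are exactly the ones that otherwise show up only as a tunnel that comes up on one side and never passes traffic.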
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN IP → Wi-Fi IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914W
Gigabyte    GN-WMKG
Others      cards using the Ralink chipset
Thank You
OpenVPN 2.0
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
1) Cryptography Summary
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve
Confidentiality
• Ensure that nobody can learn what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who the specific individual behind that entity is
Non-repudiation
• The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption
• Fast: high efficiency for data transmission
• Is it "secure" while transferring the key? (the key distribution problem)
• Key maintenance: n parties need n(n-1)/2 keys to talk pairwise
• DES / 3DES / AES / Blowfish
[Diagram: Tom encrypts the plaintext with the secret key; the ciphertext crosses the network; Bob decrypts it with the same secret key to recover the plaintext.]
1-3 Hash (Digest) Function
• Ensures data integrity
• MD5 / SHA-1 (both considered broken for collision resistance today; prefer SHA-2 where the platform allows)
[Diagram: Tom hashes the data to Message Digest 1 and sends data + digest; Bob hashes the received data with the same hash function to Message Digest 2 and compares it with Message Digest 1.]
A plain digest only detects accidental modification: anyone able to change the data in transit can recompute the digest as well, which is what the next section fixes with a key.
1-4 Message Authentication Code
• Ensures data integrity and, because a shared key is involved, data origin
• Uses a key to protect the MAC
• HMAC / CBC-MAC
[Diagram: Tom hashes the data to Message Digest 1 and protects it with the secret key to form the MAC, sending MAC + data; Bob hashes the received data to Message Digest 2, recovers Message Digest 1 from the MAC with the same secret key, and compares the two.]
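The difference between 1-3 and 1-4 in code, as an added example that is not part of the original slides: an active attacker defeats a plain digest by recomputing it, and fails against an HMAC because a valid tag needs the shared key. Python standard library only; the message and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data and a fixed shared key (a real deployment provisions
# the key out of band, e.g. the file from "openvpn --genkey --secret").
MESSAGE = b"transfer 100 EUR to account 42"
SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def digest_of(data):
    """Section 1-3: an unkeyed digest. Anyone can compute it for any data."""
    return hashlib.sha1(data).digest()


def mac_of(data, key):
    """Section 1-4: HMAC-SHA1 keyed with the shared secret. Without the key
    the tag for new data cannot be computed."""
    return hmac.new(key, data, hashlib.sha1).digest()


def verify_digest(data, digest):
    return hmac.compare_digest(digest_of(data), digest)


def verify_mac(data, tag, key):
    # compare_digest runs in constant time; a plain == would leak, byte by
    # byte, how much of a guessed tag is already right.
    return hmac.compare_digest(mac_of(data, key), tag)


def tamper(data):
    """What a man-in-the-middle does to the bytes on the wire."""
    return data.replace(b"account 42", b"account 99")


def demo():
    # Tom -> Bob with a digest only: the attacker rewrites the data AND the digest.
    forged = tamper(MESSAGE)
    digest_attack = verify_digest(forged, digest_of(forged))        # True: accepted

    # Tom -> Bob with an HMAC: the attacker can rewrite the data but not the tag.
    tag = mac_of(MESSAGE, SECRET_KEY)
    mac_attack = verify_mac(forged, tag, SECRET_KEY)                # False
    wrong_key = verify_mac(forged, mac_of(forged, b"guessed key"), SECRET_KEY)  # False
    genuine = verify_mac(MESSAGE, tag, SECRET_KEY)                  # True
    return {"digest_attack_accepted": digest_attack, "mac_attack_accepted": mac_attack,
            "wrong_key_accepted": wrong_key, "genuine_accepted": genuine}


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```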
1-5 Asymmetric Encryption
Things to remember
• Key pair: public/private keys
• In a session one is used for encryption and the other for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even with access to clear text and cipher text
• In RSA the two operations are mathematically interchangeable (what one key encrypts the other decrypts), which is what makes signatures possible; in practice the keys are not interchangeable: the public exponent is small and fixed, the private key carries extra parameters, and other algorithms (Diffie-Hellman, DSA) have no such symmetry
• Less efficient than symmetric (static) keys
• RSA / Diffie-Hellman (Diffie-Hellman is a key-agreement scheme, not an encryption algorithm)
[Diagram: clear text → encryption → ciphertext]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. Recipient's key pair: confidentiality check.]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. Sender's key pair: authenticity check.]
1-6 Digital Signature
Real world: hybrid
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: use the public-key algorithm and a hash together
1-6 Digital Signature - Creating
[Diagram: message or file ("This is the document created by Gianni") → generate hash (SHA, MD5) → message digest (typically 128 bits; 160 for SHA-1) → asymmetric encryption (RSA) with the signatory's private key → digital signature. The signed document is the message plus the signature.]
Calculate a short message digest from even a long input using a one-way message digest function (hash), then apply the private-key operation to the digest, not to the whole document.
1-6 Digital Signature - Verifying
[Diagram: signed document → generate hash of the message → message digest; digital signature → asymmetric decryption with Gianni's public key (from his certificate) → message digest; compare the two.]
1-6 Digital Signature
[Diagram, Tom/Bob form: Tom hashes the data to Message Digest 1 and encrypts it with Tom's private key to form the digital signature; Bob hashes the received data to Message Digest 2, decrypts the signature with Tom's public key to recover Message Digest 1, and compares.]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
... and the whole is
• Digitally signed by someone trusted (like your friend, or a CA)
[Diagram: certificate = public key + "This public key belongs to Stephen" + digital signature. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair; the user requests a certificate from the CA; the CA generates the certificate (public key + digital signature); the private key and the certificate are sent to the user.]
Having the CA generate the user's private key, as in this diagram and in the easy-rsa flow of 3-4-2, means the key crosses the network and exists on the CA; a user that generates its own key and sends only a certificate request (3-4-1, CA -newreq) avoids that.
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key. Left and Right each hold their own private key, a certificate for their public key signed by the CA, and the CA public key (the CA certificate, signed by the CA itself). Each trusts the other's certificate because it was signed by the CA. The private keys themselves are never signed or exchanged.]
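Sections 1-5 to 1-7 as one runnable example, added here and not part of the slides: textbook RSA with fixed toy keys (Mersenne primes, no padding, insecure by construction) signs a digest with the private key and verifies it with the public key, and a CA certificate binds Stephen's public key to his name so that a relying party rejects a self-made certificate that also says "Stephen". The names, the key sizes and the JSON certificate format are this example's assumptions.

```python
import hashlib
import json

# Toy RSA parameters: Mersenne primes, so key generation is instant and
# reproducible. Textbook (unpadded) RSA with tiny fixed keys, to show the
# signature and certificate flow only; never use this for real signing.
E = 65537
CA_PRIMES = ((1 << 521) - 1, (1 << 127) - 1)
STEPHEN_PRIMES = ((1 << 607) - 1, (1 << 89) - 1)
MALLORY_PRIMES = ((1 << 1279) - 1, (1 << 107) - 1)


def keygen(primes):
    p, q = primes
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))           # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}   # (public, private)


def digest_int(data):
    """Hash first (SHA-256 here; the slide's SHA-1/MD5 are too weak for signatures)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    """1-6 creating: private-key operation on the digest, not on the document."""
    return pow(digest_int(data), priv["d"], priv["n"])


def verify(pub, data, signature):
    """1-6 verifying: public-key operation on the signature, compared with a fresh hash."""
    return pow(signature, pub["e"], pub["n"]) == digest_int(data)


def cert_body(subject, pub):
    """1-7: the signed part of a certificate binds a name to a public key."""
    return json.dumps({"subject": subject, "n": pub["n"], "e": pub["e"]}, sort_keys=True).encode()


def issue_cert(issuer_priv, subject, pub):
    return {"subject": subject, "pub": pub, "sig": sign(issuer_priv, cert_body(subject, pub))}


def verify_signed_document(ca_pub, cert, expected_subject, document, signature):
    """What the relying party does, in order: is the certificate signed by the CA
    I trust; is it issued to the name I expect; does the key inside it verify
    the document signature. A good signature under the wrong certificate fails."""
    if not verify(ca_pub, cert_body(cert["subject"], cert["pub"]), cert["sig"]):
        return False
    if cert["subject"] != expected_subject:
        return False
    return verify(cert["pub"], document, signature)


def demo():
    ca_pub, ca_priv = keygen(CA_PRIMES)
    ca_cert = issue_cert(ca_priv, "Demo CA", ca_pub)          # the self-signed CA certificate
    stephen_pub, stephen_priv = keygen(STEPHEN_PRIMES)
    stephen_cert = issue_cert(ca_priv, "Stephen", stephen_pub)
    document = b"This is the document created by Stephen"
    signature = sign(stephen_priv, document)

    # Mallory owns a key pair and writes herself a certificate that says "Stephen".
    mallory_pub, mallory_priv = keygen(MALLORY_PRIMES)
    mallory_cert = issue_cert(mallory_priv, "Stephen", mallory_pub)

    return {
        "ca_self_signed": verify(ca_pub, cert_body("Demo CA", ca_pub), ca_cert["sig"]),
        "genuine": verify_signed_document(ca_pub, stephen_cert, "Stephen", document, signature),
        "tampered": verify_signed_document(ca_pub, stephen_cert, "Stephen", document + b".", signature),
        "forged_cert": verify_signed_document(ca_pub, mallory_cert, "Stephen", document,
                                              sign(mallory_priv, document)),
        "wrong_name": verify_signed_document(ca_pub, stephen_cert, "Gianni", document, signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %s" % (name, value))
```

The self-signed CA certificate verifies under its own key, which proves nothing by itself: trust in ca_pub is a decision the relying party makes when it installs ca.crt, exactly the copy step in 3-4-2.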
1-7-2 SSL/TLS
[Diagram: the sender encrypts the clear text with the recipient's public key (Cipher 1) and then with its own private key (Cipher 2); after transmission over the public network the recipient reverses the two steps with the sender's public key and its own private key to recover the clear text.]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
In a real SSL/TLS session (and therefore in OpenVPN's TLS mode) the public-key operations are used only in the handshake, to authenticate the peers and agree on session keys; the bulk data is then protected with a symmetric cipher and a MAC, as in 1-2 and 1-4.
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms (OpenSSL 0.9.7)
• DES_cbc_encrypt
• DES_ede3_cbc_encrypt
• AES_cbc_encrypt
• AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1) Cryptography Summery1) Cryptography Summery
1-1 What does cryptography solve
1-2 Symmetric Data Encryption
1-3 Hash (Digest) Function
1-4 Message Authentication Code
1-5 Asymmetric Data Encryption
1-6 Digital Signature
1-7 Certificate
1-8 Moxa UC7400
1-1 What does Cryptography solve1-1 What does Cryptography solve
Confidentiality bull Ensure that nobody can get knowledge of what you
transfer even if listening the whole conversation Integrity
bull Ensure that message has not been modified during the transmission
Authenticity bull You can verify that you are talking to the entity you think
you are talking to bull You can verify who is the specific individual behind that
entity Non-repudiation
bull The individual behind that asset cannot deny being associated with it
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key (it can be a person, a computer, a device, a file, some code, anything …)
… and the whole is:
• Digitally signed by someone trusted (like your friend, or a CA)
[Diagram: Certificate = public key "2wsR46frdEWWrswe(^$G^DvtrsdFDfd367" (pub) + "This public key belongs to Stephen" + Digital Signature "3kJfgf*£$&4dser4358g6gd7dT"]
1-7-1 CA Certificate
[Diagram, Certification Server: 1. the CA generates a key pair (priv, pub); 2. the user requests a certificate from the CA; 3. the CA generates the certificate (pub + DS); 4. the private key and the certificate are sent to the user.]
Note that in this flow the user's private key is created on the CA machine and copied to the user, which is also what the "CA -newreq" procedure in 3-4-1 does. Generating the key pair on the end device and sending the CA only a certificate request keeps the private key from ever leaving the device.

1-7-1 CA Certificate Example
[Diagram: the CA private key signs Left's certificate and Right's certificate. Left and Right each hold the CA public key and trust it: Left accepts "Right Cert signed by CA" and Right accepts "Left Cert signed by CA" because the signature verifies with that key. The CA public key is itself distributed as a certificate signed by the CA (the self-signed root).]
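The signing and certificate flow of 1-6 through 1-7-1, as an added example that is not part of the presentation or of Moxa's software. It uses textbook RSA (no PKCS#1 padding, keys generated in the script, the names Left, Right and Gianni taken from the slides) over a SHA-256 digest so that it runs on the Python standard library alone; production code uses OpenSSL with proper padding, as the UC-7400 does.

```python
"""Hash-then-sign and certificate checking (slides 1-6, 1-7 and 1-7-1).

Added example, not Moxa's or OpenSSL's code. Textbook RSA over a SHA-256
digest is used so the block runs on the Python standard library; real
deployments use OpenSSL with PKCS#1 padding. Keys are generated in-script.
"""
import hashlib
import random

random.seed(2005)  # fixed seed: the same keys every run


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test; enough for the demonstration keys below."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits=320):
    """Return ((n, e), (n, d)); n must exceed the 256-bit digest."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """1-6 Creating: hash the document, 'encrypt' the digest with the private key."""
    n, d = private
    return pow(digest(data), d, n)


def verify(public, data, signature):
    """1-6 Verifying: recompute the digest, 'decrypt' the signature with the public key, compare."""
    n, e = public
    return pow(signature, e, n) == digest(data)


def make_certificate(ca_private, subject, subject_public):
    """1-7: a certificate is (public key, who owns it), signed by the CA."""
    n, e = subject_public
    body = f"{subject}|{n:x}|{e:x}".encode()
    return body, sign(ca_private, body)


def check_certificate(ca_public, cert, expected_subject):
    """1-7-1: a peer trusts a certificate only if the CA key it holds verifies the signature."""
    body, sig = cert
    return verify(ca_public, body, sig) and body.split(b"|")[0] == expected_subject.encode()


# The 1-7-1 example: a CA, the peer "Left", and an impostor with a key pair the CA never signed.
ca_pub, ca_priv = keygen()
left_pub, left_priv = keygen()
rogue_pub, rogue_priv = keygen()
left_cert = make_certificate(ca_priv, "Left", left_pub)
doc = b"This is the document created by Gianni"
doc_sig = sign(left_priv, doc)


def demo():
    """What "Right" sees when it checks Left's certificate and signature."""
    rogue_cert = make_certificate(rogue_priv, "Left", rogue_pub)  # signed, but not by the CA
    return {
        "cert_ok": check_certificate(ca_pub, left_cert, "Left"),
        "sig_ok": verify(left_pub, doc, doc_sig),
        "tampered_doc": verify(left_pub, doc + b" (edited)", doc_sig),
        "rogue_cert": check_certificate(ca_pub, rogue_cert, "Left"),
    }


if __name__ == "__main__":
    print(demo())
```

The rogue certificate is well formed and carries a valid signature, just not one made with the CA key Right holds; that single check is what the "Trusts" arrows in the 1-7-1 diagram stand for.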
1-7-2 SSL/TLS
[Diagram: each side holds its own key pair (priv, pub) and the other side's public key. Sender: Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → Transmission over the public network. Receiver: Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text.]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
• No need to change the source code

1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
  DES_cbc_encrypt
  DES_ede3_cbc_encrypt
  AES_cbc_encrypt
  AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which is where OpenSSL wraps it too
1-8-2 Performance
[Charts: 3DES-CBC rate and AES128-CBC rate versus packet size, 128 to 1280 bytes; AES128-CBC rate and 3DES-CBC rate for small packets, 16 to 144 bytes. Legend: = HW Cipher]
1-8-3 Things to be noticed
The Moxa UC-7400 switches the operation between the software and the hardware approaches:
• Default: hardware approach
• Any misconfiguration or busy condition causes the switch to the software path
Small packets are switched to the software approach:
• DES: below 128 bytes
• 3DES/AES: below 64 bytes

1-8-4 Software Package
Driver:
• mxhw_cipher.o
Device file:
• mknod /dev/mxcrypto c 11 131
Test program:
• io            correctness test
• io 0 5000     stability test
• io 1          golden pattern
• io 2 20000    performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes

2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (as SSL or SSH do)
• A VPN allows the usage of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability:
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms:
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later

2-2 Why OpenVPN
Peers – each node with a client/server role:
• Makes use of the kernel routing
• Multiple clients
A user-space program:
• A full-featured SSL VPN solution
• Built on top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP or TCP port (5000 in 1.x, 1194 in 2.0)
2-2 OpenVPN Security
Two authentication modes:
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
  HMAC | IV | [ SeqN | IP payload ]
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
• [SeqN | IP payload] is the encrypted part; the HMAC is computed over the IV and the encrypted part (encrypt-then-MAC), so a receiver can reject a forged packet before decrypting it
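The packet layout above, as an added example (not OpenVPN's code). The HMAC key and cipher key are constructed stand-ins for the halves of the static key, and the cipher is a SHA-256 counter-mode stand-in for AES-CBC so the block runs on the standard library; what it shows is the receiver's order of checks: HMAC over IV and ciphertext first, then decryption, then the sequence number against what was already seen.

```python
"""OpenVPN-style framing from slide 2-2: HMAC | IV | encrypted(SeqN | payload).

Added example, not OpenVPN's code. Keys and the cipher are stand-ins
(see the lead-in); the receiver logic is the part worth copying.
"""
import hashlib
import hmac
import os
import struct

HMAC_KEY = b"\x11" * 20    # constructed lab keys, stand-ins for the 2048-bit static key
CIPHER_KEY = b"\x22" * 16
MAC_LEN = 20               # HMAC-SHA1, OpenVPN's default --auth
IV_LEN = 16


def _keystream(key, iv, length):
    """Stand-in for AES: SHA-256 in counter mode over (key, iv)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(seq, payload, iv=None):
    """Sender: encrypt (SeqN | payload) under a fresh IV, then HMAC the IV and the ciphertext."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    plain = struct.pack(">Q", seq) + payload
    cipher = _xor(plain, _keystream(CIPHER_KEY, iv, len(plain)))
    tag = hmac.new(HMAC_KEY, iv + cipher, hashlib.sha1).digest()
    return tag + iv + cipher


class Receiver:
    """Tracks the highest sequence number seen; rejects forgeries before replays."""

    def __init__(self):
        self.last_seq = 0

    def open(self, packet):
        """Return (payload, "ok"), or (None, reason)."""
        if len(packet) < MAC_LEN + IV_LEN + 8:
            return None, "short"
        tag = packet[:MAC_LEN]
        iv = packet[MAC_LEN:MAC_LEN + IV_LEN]
        cipher = packet[MAC_LEN + IV_LEN:]
        expect = hmac.new(HMAC_KEY, iv + cipher, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expect):  # verified before the ciphertext is touched
            return None, "bad hmac"
        plain = _xor(cipher, _keystream(CIPHER_KEY, iv, len(cipher)))
        seq, payload = struct.unpack(">Q", plain[:8])[0], plain[8:]
        if seq <= self.last_seq:                   # already seen: replay
            return None, "replay"
        self.last_seq = seq
        return payload, "ok"


def demo():
    rx = Receiver()
    p1 = seal(1, b"IP datagram 1")
    p2 = seal(2, b"IP datagram 2")
    results = [rx.open(p1)[1], rx.open(p2)[1], rx.open(p1)[1]]
    # flip one ciphertext byte: the HMAC fails before the sequence number is even read
    forged = p2[:-1] + bytes([p2[-1] ^ 1])
    results.append(rx.open(forged)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

OpenVPN itself keeps a sliding replay window (--replay-window) so UDP packets arriving slightly out of order inside the window are still accepted; the strict "higher than the last one" rule here is the simplest form of that check.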
2-2 OpenVPN vs IPSec
OpenVPN:
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec:
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support

2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic Firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device: a virtual point-to-point IP link. OpenVPN combines the inner (tunnel) interface with the TUN device and uses the kernel routing to forward the packets.
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN runs at the Application layer on each side and the TUN device is attached at layer 3 (Network).]

2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the bridge
Need to create a script to bind eth1 and tap0 together into a bridged device called br0

2-3-2 Bridged Ethernet Mode (TAP Mode)
  brctl addbr br0          # create an Ethernet bridge
  brctl addif br0 eth1     # connect interface eth1 as a port
  brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: two OSI stacks; OpenVPN runs at the Application layer, TUN attaches at layer 3 and TAP at layer 2. On each host eth1 and tap0 are joined by the bridge; eth0 is shown unbridged.]

2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN – this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys

3-1 Getting Started
[Lab topology]
• VPN Server: ixp0 192.168.12.201 (tunnel side), ixp1 10.0.1.254 (gateway of LAN A; LAN A host IP 10.0.1.1/24, gw 10.0.1.254)
• VPN Client: ixp0 192.168.12.202 (tunnel side), ixp1 10.0.2.254 (gateway of LAN B; LAN B host IP 10.0.2.1/24, gw 10.0.2.254)
• The VPN tunnel connects the two ixp0 interfaces; a separate CA/TLS Server issues the certificates

3-1 Getting Started
Create a working directory (recommended):
  mkdir /etc/openvpn
Check for the TUN device: ls /dev/net should show a character device "tun"; if not, create it:
  mknod /dev/net/tun c 10 200
Load the necessary modules:
  modprobe tun
  modprobe bridge
Generate a (pre-shared) key:
  openvpn --genkey --secret [KeyName]
Copy the key to the peer over a secure channel (scp, not FTP or Telnet) and keep it readable by root only.
Self diagnostic:
  openvpn --test-crypto --secret [KeyName]

3-1 Getting Started
Enable IP forwarding:
  echo "1" > /proc/sys/net/ipv4/ip_forward
or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script:
  openvpn-bridge [start|stop|restart]
Check the cipher/authentication support:
  openvpn --show-ciphers
  openvpn --show-digests
Create the TUN configuration files:
  vi /etc/openvpn/tunserver.conf
[At VPN Client]
  vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
Local/Remote VPN IP addresses must be specified (the "ifconfig" line)
It is NECESSARY to specify the server address at the VPN client (the "remote" line)

3-2 TUN Server Configuration
Edit the static routing script:
  vi /etc/openvpn/tunserver.sh
  chmod +x /etc/openvpn/tunserver.sh
[At VPN Client]
  vi /etc/openvpn/tunclient.sh
  chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file:
  openvpn --config /etc/openvpn/tunserver.conf &
[At VPN Client]
  openvpn --config /etc/openvpn/tunclient.conf &
In the server's "ifconfig" line the 2nd argument (the remote tunnel endpoint) is now "10.0.2.254"

Create the TAP configuration files:
  vi /etc/openvpn/tapserver.conf
[At VPN Client]
  vi /etc/openvpn/tapclient.conf

3-3 TAP Configuration – VPN Server
Comment out the route line if both VPN networks are in the same subnet (a bridged tunnel needs no route then)

3-3 TAP Configuration – VPN Server
Edit the static routing script:
  vi /etc/openvpn/tapserver.sh
[At VPN Client]
  vi /etc/openvpn/tapclient.sh
  chmod +x /etc/openvpn/tapclient.sh
The routes point at the kernel routing of the bridge: br0 = 10.0.1.254

3-3 TAP Configuration – VPN Server
Start the bridge device:
  vi /etc/openvpn/openvpn-bridge
  chmod +x /etc/openvpn/openvpn-bridge
  /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file:
  openvpn --config /etc/openvpn/tapserver.conf &
[At VPN Client]
  openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC:
  vi /usr/share/ssl/openssl.cnf
  (pre-fill default_days, default_bits, … etc.)
Create a new CA root key pair:
  /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request:
  /usr/share/ssl/misc/CA -newreq
Sign the certificate:
  /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Repeat for the second client

3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory:
  cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file:
  vi /etc/openvpn/easy-rsa/vars
Activate the vars (source the file in the current shell):
  . /etc/openvpn/easy-rsa/vars
Create the CA root key:
  /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate:
  /etc/openvpn/easy-rsa/build-key server

3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate:
  /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters (1024 bits; easy-rsa takes the size from KEY_SIZE in vars):
  /etc/openvpn/easy-rsa/build-dh
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client
The CA private key (ca.key) stays on the machine that signs; it is never copied to a VPN node
The "easy-rsa" tools also work on the UC7400 series

3-4-3 Configuration File Modification
  txxserver.conf
  txxclient.conf
  (txx = tun or tap)
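The configuration files the steps in 3-1 to 3-4 ask for, rendered and checked by an added Python example (not Moxa's scripts or OpenVPN's own tooling). Addresses are those of the 3-1 lab; file names follow 3-2 and 3-3; certificate and key names are easy-rsa's defaults from 3-4-2. The ta.key for tls-auth (made with openvpn --genkey --secret ta.key), the /etc/openvpn/keys directory and the nobody/nogroup account are assumptions. lint() lists the settings a reviewer would flag.

```python
"""Render the lab's OpenVPN 2.0 configuration files and check them for weak settings.

Added example, not Moxa's scripts. Addresses from slide 3-1, file names
from 3-2/3-3, key and certificate names from easy-rsa (3-4-2). The keys
directory, ta.key and the nobody/nogroup account are assumptions.
"""

SERVER_WAN, CLIENT_WAN = "192.168.12.201", "192.168.12.202"
SERVER_TUN, CLIENT_TUN = "10.0.1.254", "10.0.2.254"
LAN_A, LAN_B = "10.0.1.0 255.255.255.0", "10.0.2.0 255.255.255.0"
KEYS = "/etc/openvpn/keys"

COMMON = [
    "proto udp",
    "port 1194",
    "cipher AES-128-CBC",   # one of the algorithms the UC-7400 accelerates (1-8-1)
    "auth SHA1",            # per-packet HMAC from 2-2
    "keepalive 10 60",
    "persist-key",
    "persist-tun",
    "user nobody",          # drop root after the tun/tap device is opened
    "group nogroup",
    "verb 3",
]


def tun_static(role):
    """3-2: point-to-point routed tunnel with the pre-shared key from 3-1."""
    if role == "server":
        local, remote_ip, far_lan = SERVER_TUN, CLIENT_TUN, LAN_B
    else:
        local, remote_ip, far_lan = CLIENT_TUN, SERVER_TUN, LAN_A
    lines = ["dev tun", f"ifconfig {local} {remote_ip}", f"route {far_lan}",
             "secret /etc/openvpn/static.key"]
    if role == "client":
        lines.insert(0, f"remote {SERVER_WAN}")   # the client MUST name the server
    return "\n".join(lines + COMMON) + "\n"


def tap_bridged(role):
    """3-3: layer-2 tunnel; tap0 is created (openvpn --mktun) and bridged into br0 beforehand."""
    lines = ["dev tap0", "secret /etc/openvpn/static.key"]
    if role == "client":
        lines.insert(0, f"remote {SERVER_WAN}")
    return "\n".join(lines + COMMON) + "\n"


def tun_tls(role):
    """3-4: X.509 mode with the easy-rsa output; ca.key never appears here."""
    if role == "server":
        lines = ["dev tun", f"ifconfig {SERVER_TUN} {CLIENT_TUN}", f"route {LAN_B}",
                 "tls-server", f"dh {KEYS}/dh1024.pem", f"ca {KEYS}/ca.crt",
                 f"cert {KEYS}/server.crt", f"key {KEYS}/server.key",
                 f"tls-auth {KEYS}/ta.key 0"]
    else:
        lines = [f"remote {SERVER_WAN}", "dev tun", f"ifconfig {CLIENT_TUN} {SERVER_TUN}",
                 f"route {LAN_A}", "tls-client", f"ca {KEYS}/ca.crt",
                 f"cert {KEYS}/client.crt", f"key {KEYS}/client.key",
                 f"tls-auth {KEYS}/ta.key 1",
                 "ns-cert-type server"]   # refuse a client certificate posing as the server
    return "\n".join(lines + COMMON) + "\n"


def lint(config):
    """Findings a reviewer would raise on an OpenVPN config; an empty list means clean."""
    opts = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts[key] = val
    findings = []
    if opts.get("cipher", "").lower() in ("none", "des-cbc"):
        findings.append("weak or no cipher")
    if opts.get("auth", "").lower() == "none":
        findings.append("packet HMAC disabled")
    if "secret" not in opts and "tls-auth" not in opts:
        findings.append("TLS without tls-auth: control channel open to unauthenticated peers")
    if "tls-client" in opts and "ns-cert-type" not in opts:
        findings.append("client does not verify the server certificate role")
    if opts.get("ca", "").endswith("ca.key"):
        findings.append("CA private key referenced on a VPN node")
    if "user" not in opts:
        findings.append("daemon keeps root after startup")
    return findings


if __name__ == "__main__":
    for name, text in [("tunserver.conf", tun_static("server")), ("tunclient.conf", tun_static("client")),
                       ("tapserver.conf", tap_bridged("server")), ("tlsclient.conf", tun_tls("client"))]:
        print(f"# {name}: {lint(text) or 'clean'}\n{text}")
```

Note that "ns-cert-type server" on the client only succeeds if the server certificate carries nsCertType=server, which easy-rsa's build-key-server sets and the plain build-key used in 3-4-2 does not; without that extension the client cannot tell a stolen client certificate from the real server.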
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability

Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC

UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu

Apache Web with CGI & HTML
Seat Locating System
Score Query System

Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914WG
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset

Thank You
1-1 What does Cryptography solve?
Confidentiality
• Ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation
Integrity
• Ensure that the message has not been modified during the transmission
Authenticity
• You can verify that you are talking to the entity you think you are talking to
• You can verify who is the specific individual behind that entity
Non-repudiation
• The individual behind that asset cannot deny being associated with it

1-2 Symmetric Data Encryption
• Fast, high efficiency for data transmission
• Is it "secure" while transferring the key?
• Maintenance of the keys: n(n-1)/2 keys for n parties
• DES/3DES/AES/Blowfish
[Diagram: Tom encrypts Plaintext into Ciphertext with the Secret Key; Bob decrypts the Ciphertext with the same Secret Key back to Plaintext]

1-3 Hash (Digest) Function
• Ensures data integrity
• MD5/SHA-1
[Diagram: Tom runs Data through the Hash Function → Message Digest 1 and sends Data + Message Digest 1. Bob runs the received Data through the same Hash Function → Message Digest 2 and compares it with Message Digest 1.]
An unkeyed digest only catches accidental corruption: whoever can alter the Data in transit can recompute the digest as well.

1-4 Message Authentication Code
• Ensures data integrity, and origin for whoever holds the key
• Uses a key to protect the MAC
• HMAC/CBC-MAC
[Diagram: Tom runs Data through the Hash Function → Message Digest 1, encrypts it with the Secret Key → MAC, and sends MAC + Data. Bob runs the received Data through the Hash Function → Message Digest 2, decrypts the MAC with the Secret Key → Message Digest 1, and compares the two.]
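The 1-3 and 1-4 diagrams side by side, as an added example that is not from the presentation: an attacker on the path rewrites Tom's data and recomputes the check value, and Bob's Compare step is what decides. The shared key and the sample readings are constructed.

```python
"""Slides 1-3 and 1-4: why an unkeyed digest is not an authentication code.

Added example, not from the presentation. Tom sends Data plus a check
value; an attacker on the path changes the data and fixes up the check
value as far as it can without the key.
"""
import hashlib
import hmac

SECRET_KEY = b"shared-between-Tom-and-Bob"   # constructed; the attacker does not have it


def send_with_digest(data):
    """1-3: Data + Message Digest 1 (MD5 or SHA-1 on the slide; SHA-256 here)."""
    return data, hashlib.sha256(data).digest()


def check_digest(data, digest):
    """Bob's Compare for 1-3: recompute Message Digest 2 and compare."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), digest)


def send_with_mac(data, key):
    """1-4: Data + MAC; HMAC binds the digest to the key."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def check_mac(data, mac, key):
    """Bob's Compare for 1-4; constant-time so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), mac)


def attacker_rewrites(data, check, new_data):
    """An active attacker without the key: swap the data, recompute the only thing it can."""
    return new_data, hashlib.sha256(new_data).digest()


def demo():
    """(digest accepts forgery, MAC accepts forgery, MAC accepts the genuine message)."""
    original = b"temperature=212C setpoint=200C"
    forged = b"temperature=212C setpoint=500C"

    data, dig = send_with_digest(original)
    data2, dig2 = attacker_rewrites(data, dig, forged)
    digest_accepts_forgery = check_digest(data2, dig2)

    data, mac = send_with_mac(original, SECRET_KEY)
    data2, mac2 = attacker_rewrites(data, mac, forged)
    mac_accepts_forgery = check_mac(data2, mac2, SECRET_KEY)
    mac_accepts_original = check_mac(data, mac, SECRET_KEY)
    return digest_accepts_forgery, mac_accepts_forgery, mac_accepts_original


if __name__ == "__main__":
    print(demo())
```

The same comparison discipline (compare_digest, not ==) applies to the digest-comparison step of a signature check in 1-6; a byte-by-byte early exit lets an attacker learn the expected value one byte at a time.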
1-5 Asymmetric Encryption
Things to remember:
• Key pair – public/private keys
• In a session, one is used for encryption and the other one for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithm makes no difference between the public and the private key, and when a key pair is generated either of the two can be made public (this holds for RSA, on which the slide is based; it is not a property of every asymmetric algorithm)
• Less efficient than symmetric (static) key encryption
• RSA/Diffie-Hellman
[Diagram: Clear text → Encryption → "g$5knvMd'rkvegMs"]

1-5 Asymmetric Data Encryption
[Diagram, recipient's key pair: Tom encrypts Plaintext with Bob's public key → ciphertext; Bob decrypts it with Bob's private key → Plaintext. Confidentiality check.]

1-5 Asymmetric Data Encryption
[Diagram, sender's key pair: Tom encrypts Plaintext with Tom's private key → ciphertext; Bob decrypts it with Tom's public key → Plaintext. Authenticity check.]
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
1-2 Symmetric Data Encryption1-2 Symmetric Data Encryption
Fast High Efficiency for data transmission
Is it ldquosecurerdquo while transferring the key
Maintains of the keys (n-1)n 2 keys
DES3DESAESBlowfish
Tom Bob
Plaintext
Plaintext
Ciphertext
Encryption
Secret Key
Decryption
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption
Things to remember
• Key pair: public / private keys
• In a session, one key is used for encryption and the other for decryption
• The "public key" can be deployed everywhere
• The relation between the two keys is unknown: from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text
• The two keys are interchangeable: the algorithms make no difference between public and private key; when a key pair is generated, either of the two can be made public or private
• Less efficient than a static (symmetric) key
• RSA / Diffie-Hellman
[Figure: Clear text encrypted into ciphertext, shown as "g$5knvMd'rkvegMs".]

1-5 Asymmetric Data Encryption
[Figure: Tom encrypts Plaintext with Bob's Public Key; Bob decrypts the ciphertext with Bob's Private Key. The recipient's key pair is used: confidentiality check.]

1-5 Asymmetric Data Encryption
[Figure: Tom encrypts Plaintext with Tom's Private Key; Bob decrypts the ciphertext with Tom's Public Key. The sender's key pair is used: authenticity check.]
1-6 Digital Signature
Real World – Hybrid
1 Data integrity
2 Authenticity
3 Non-repudiation
4 Algorithm – use the public key and a hash

1-6 Digital Signature - Creating
[Figure: Message or File "This is the document created by Gianni" → Generate Hash (SHA, MD5) → Message Digest "Py75cbn" (typically 128 bits): calculate a short message digest from even a long input using a one-way message digest function (hash). Message Digest → Asymmetric Encryption (RSA) with the Signatory's private key (priv) → Digital Signature "3kJfgf£$&". Signed Document = message + digital signature.]

1-6 Digital Signature - Verifying
[Figure: Signed Document = "This is the document created by Gianni" + "3kJfgf£$&". Message → Generate Hash → Message Digest "Py75cbn". Digital Signature → Asymmetric Decryption with Gianni's public key (pub, from certificate) → "Py75cbn". Compare the two digests.]

1-6 Digital Signature
[Figure: Tom: Data → Hash Function → Message Digest 1 → encryption with Tom's Private Key → Digital Signature, sent together with the Data. Bob: Data → Hash Function → Message Digest 2; Digital Signature → decryption with Tom's Public Key → Message Digest 1. Compare.]
1-7 Certificate
The simplest certificate just contains
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is
• Digitally signed by someone trusted (like your friend, or a CA)
[Figure: Certificate = public key (pub, "2wsR46frdEWWrswe(^$G^DvtrsdFDfd367") + "This public key belongs to Stephen" + Digital Signature ("3kJfgf£$&4dser4358g6gd7dT"). The entity can be a person, a computer, a device, a file, some code, anything …]

1-7-1 CA Certificate
[Figure: Certification Server. The CA generates a key pair (Priv, pub). The user requests a certificate from the CA; the CA generates the certificate (pub + DS = Cert); the Private Key and the Certificate are sent to the user. Left Cert signed by CA; Right Cert signed by CA; CA Pub Key signed by CA.]

1-7-1 CA Certificate Example
[Figure: The CA holds the CA Private Key. Left holds its Priv Key, the CA Pub Key and the Left Cert signed by CA. Right holds its Priv Key, the CA Pub Key and the Right Cert signed by CA. Left and Right trust each other through the CA Pub Key.]
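An added example, not from the slides, that walks through slides 1-6 and 1-7 together in Python: hash the document, "encrypt" the digest with the signer's private key, and let a relying party check the signature only after checking that the signer's public key is certified by a CA it trusts. The RSA here is the textbook operation on small primes found by trial division, with no padding, so it is a teaching model only; the names (Gianni, the CA) follow the slides, and the key seeds, the rogue CA and the document text are constructed.

```python
"""Added example (not from the Moxa slides): toy RSA signature creation and
verification plus a minimal certificate, to show the data flow of slides
1-6 and 1-7. Not for real use: tiny modulus, no padding scheme."""
import hashlib
from math import gcd


def next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for seeds around 1e6)."""
    n = max(n, 2)
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def make_keypair(seed_p: int, seed_q: int, e: int = 65537) -> tuple:
    """Returns (public, private) as ((n, e), (n, d)). Toy sizes only."""
    p = next_prime(seed_p)
    q = next_prime(seed_q)
    if q == p:                      # the two seeds may land on the same prime
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def message_digest(data: bytes, n: int) -> int:
    """'Generate Hash' step: SHA-256, reduced so it fits below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key: tuple, data: bytes) -> int:
    """'Asymmetric Encryption' of the digest with the signatory's private key."""
    n, d = private_key
    return pow(message_digest(data, n), d, n)


def verify(public_key: tuple, data: bytes, signature: int) -> bool:
    """'Asymmetric Decryption' with the public key, then compare digests."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(data, n)


def cert_body(subject: str, public_key: tuple) -> bytes:
    """The signed part of the simplest certificate: who owns which key."""
    n, e = public_key
    return f"subject={subject};n={n};e={e}".encode()


def issue_certificate(ca_private: tuple, subject: str, public_key: tuple) -> dict:
    """The CA signs 'this public key belongs to <subject>' (slide 1-7-1)."""
    body = cert_body(subject, public_key)
    return {"subject": subject, "public_key": public_key,
            "ca_signature": sign(ca_private, body)}


def verify_certificate(ca_public: tuple, cert: dict) -> bool:
    body = cert_body(cert["subject"], cert["public_key"])
    return verify(ca_public, body, cert["ca_signature"])


def verify_signed_document(ca_public: tuple, cert: dict,
                           document: bytes, signature: int) -> bool:
    """What a relying party does: trust the certificate first, then use the
    key it certifies to check the document signature."""
    if not verify_certificate(ca_public, cert):
        return False
    return verify(cert["public_key"], document, signature)


def demo() -> dict:
    ca_pub, ca_priv = make_keypair(999_900, 999_950)              # constructed seeds
    gianni_pub, gianni_priv = make_keypair(1_000_000, 1_000_100)
    rogue_pub, rogue_priv = make_keypair(1_000_200, 1_000_300)    # an untrusted "CA"
    cert = issue_certificate(ca_priv, "Gianni", gianni_pub)
    forged_cert = issue_certificate(rogue_priv, "Gianni", rogue_pub)
    doc = b"This is the document created by Gianni"
    sig = sign(gianni_priv, doc)
    return {
        "genuine": verify_signed_document(ca_pub, cert, doc, sig),
        "tampered_doc": verify_signed_document(ca_pub, cert, doc + b"!", sig),
        "wrong_signer": verify_signed_document(ca_pub, cert, doc, sign(rogue_priv, doc)),
        "untrusted_ca": verify_signed_document(ca_pub, forged_cert, doc,
                                               sign(rogue_priv, doc)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last case is the one slide 1-7 exists for: a signature that verifies perfectly under some public key proves nothing until a trusted CA has bound that key to the claimed identity.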
1-7-2 SSL/TLS
[Figure: Each peer holds its own key pair (Priv, pub) and the other peer's pub. Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → transmission over the public network → Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text.]
• Ensures confidentiality
• And integrity, if digitally signed
• Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
1-8 Moxa UC-7400 - Hardware Cipher
Intel XScale supports
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code

1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
  DES_cbc_encrypt
  DES_ede3_cbc_encrypt
  AES_cbc_encrypt
  AES_ctr_encrypt
• We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Figure: four throughput charts comparing the software path with the hardware cipher ("= HW Cipher" marks the hardware series). Top row: 3DES-CBC and AES-128-CBC, throughput (axis 0 to 80) and speed-up RATE (axis 0 to 8) against packet size from 128 to 1280 bytes. Bottom row: AES-128-CBC and 3DES-CBC for small packets from 16 to 144 bytes, RATE axis 0 to 2.5. The plotted values are not recoverable from the extracted text.]
1-8-3 Things to be noticed
Moxa UC-7400 switches operation between the software and the hardware approaches
• Default: hardware approach
• Any misconfiguration or busy hardware causes the switch to the software approach
Small packets are switched to the software approach
• DES: below 128 bytes
• 3DES / AES: below 64 bytes

1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io             correctness test
• io 0 5000      stability test
• io 1           golden pattern
• io 2 20000     performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes

2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the use of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT / DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later

2-2 Why OpenVPN
Peers – each node with a client/server role
• Makes use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• Choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000 / 1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for
  • authentication
  • key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plaintext initial vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | payload (IP packets); the SeqN and the payload are the encrypted part, the HMAC and the IV travel in the clear.]
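An added example, not OpenVPN's own code, of the receive side for a packet laid out as the slide describes, HMAC | IV | SeqN | payload, with the SeqN and payload encrypted and a fresh IV per packet. It assumes, as OpenVPN's static-key mode does, that the HMAC (SHA-1, OpenVPN 2.0's default auth) covers the IV and the encrypted part and is checked before anything is decrypted; the block cipher is replaced by a SHA-256 keystream XOR so that the example runs with the standard library only, and the keys and payloads are constructed.

```python
"""Added example (not OpenVPN code): authenticate-then-decrypt and replay
rejection for an HMAC | IV | SeqN | payload packet, standard library only."""
import hashlib
import hmac
import os
import struct

HMAC_LEN = 20   # SHA-1 tag length
IV_LEN = 16
SEQ_LEN = 8     # 64-bit sequence number, as on the slide


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the CBC block cipher: XOR with SHA-256(key, iv, counter)
    blocks. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + struct.pack(">I", offset // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_packet(enc_key: bytes, auth_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: HMAC || IV || E(SeqN || payload)."""
    iv = os.urandom(IV_LEN)                   # randomized per packet
    inner = struct.pack(">Q", seq) + payload  # SeqN || payload, then encrypted
    ciphertext = keystream_xor(enc_key, iv, inner)
    tag = hmac.new(auth_key, iv + ciphertext, hashlib.sha1).digest()
    return tag + iv + ciphertext


class Receiver:
    """Holds the replay state: the highest sequence number accepted so far."""

    def __init__(self, enc_key: bytes, auth_key: bytes):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.last_seq = 0

    def receive(self, packet: bytes):
        """Returns the payload, or a short 'drop: ...' reason string."""
        if len(packet) < HMAC_LEN + IV_LEN + SEQ_LEN:
            return "drop: truncated"
        tag = packet[:HMAC_LEN]
        iv = packet[HMAC_LEN:HMAC_LEN + IV_LEN]
        ciphertext = packet[HMAC_LEN + IV_LEN:]
        # 1. Authenticate first, in constant time. Bytes that fail the HMAC
        #    are never decrypted, so malformed ciphertext never reaches the
        #    cipher or the parser below.
        expected = hmac.new(self.auth_key, iv + ciphertext, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return "drop: bad hmac"
        inner = keystream_xor(self.enc_key, iv, ciphertext)
        seq = struct.unpack(">Q", inner[:SEQ_LEN])[0]
        payload = inner[SEQ_LEN:]
        # 2. Replay protection: a genuine packet captured earlier still
        #    carries an old SeqN, so it is rejected even though its HMAC is valid.
        if seq <= self.last_seq:
            return "drop: replay"
        self.last_seq = seq
        return payload


def demo() -> dict:
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    rx = Receiver(enc_key, auth_key)
    p1 = build_packet(enc_key, auth_key, 1, b"IP packet one")
    p2 = build_packet(enc_key, auth_key, 2, b"IP packet two")
    flipped = bytearray(p2)
    flipped[-1] ^= 0x01                       # one ciphertext bit changed in transit
    return {
        "first": rx.receive(p1),
        "replayed_first": rx.receive(p1),
        "bit_flipped": rx.receive(bytes(flipped)),
        "second": rx.receive(p2),
        "wrong_key": Receiver(enc_key, b"other-auth-key").receive(p2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The order of the two checks matters: the HMAC is verified over the IV and ciphertext before decryption, so an altered or unauthenticated packet is discarded without the decryptor ever touching it, and only then is the sequence number compared against the replay state.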
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support

2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: two seven-layer stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) facing each other; OpenVPN attaches at the Network layer on each side through TUN (layer 3).]

2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will NOT see those machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0

2-3-2 Bridged Ethernet Mode (TAP Mode)
  brctl addbr br0          # create an Ethernet bridge
  brctl addif br0 eth1     # connect interface eth1 as a port
  brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Figure: two seven-layer stacks; on each side eth0 faces the public network while eth1 and tap0 are bridged at the Data-Link layer (TAP, layer 2), in contrast to TUN at the Network layer (layer 3); OpenVPN carries the bridged frames between the two tap0 devices.]

2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point-to-point, point-to-multipoint
2 Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys

3-1 Getting Started
[Figure: lab topology. LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server, which is also the CA/TLS Server; its ixp1 interface is 10.0.1.254 and its ixp0 interface (192.168.12.201) faces the public side. LAN B (IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN Client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The VPN Client connects to the VPN Server and the VPN Tunnel links the two LANs.]
3-1 Getting Started
• Create a working directory (recommended):
    mkdir /etc/openvpn
• Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is not there:
    mknod /dev/net/tun c 10 200
• Load the necessary modules:
    modprobe tun
    modprobe bridge
• Generate a (pre-shared) key:
    openvpn --genkey --secret [KeyName]
• Self-diagnostic:
    openvpn --test-crypto --secret [KeyName]

3-1 Getting Started
• Enable IP forwarding:
    echo "1" > /proc/sys/net/ipv4/ip_forward
  or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create / start the bridge interface using the Moxa script:
    openvpn-bridge [start | stop | restart]
• Check the cipher / authentication support:
    openvpn --show-ciphers
    openvpn --show-digests
• Create the TUN configuration files:
    vi /etc/openvpn/tunserver.conf
  [At VPN Client]
    vi /etc/openvpn/tunclient.conf

3-2 TUN Server Configuration
• The local / remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
[Figure: tunserver.conf and tunclient.conf screenshots.]

3-2 TUN Server Configuration
• Edit the static routes:
    vi /etc/openvpn/tunserver.sh
    chmod +x /etc/tunserver.sh
  [At VPN Client]
    vi /etc/openvpn/tunclient.sh
    chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file:
    openvpn --config /etc/tunserver.conf &
    openvpn --config /etc/tunclient.conf &
• The 2nd argument of "ifconfig" is now "10.0.2.254"
• Create the TAP configuration files:
    vi /etc/openvpn/tapserver.conf
  [At VPN Client]
    vi /etc/openvpn/tapclient.conf

3-3 TAP Configuration – VPN Server
[Figure: tapserver.conf screenshot. Mark this line if both VPN networks are in the same subnet.]

3-3 TAP Configuration – VPN Server
• Edit the static routes:
    vi /etc/openvpn/tunserver.sh
  [At VPN Client]
    vi /etc/openvpn/tapclient.sh
    chmod +x /etc/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254

3-3 TAP Configuration – VPN Server
• Start the bridge device:
    vi /etc/openvpn/openvpn-bridge
    chmod +x /etc/openvpn/openvpn-bridge
    /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file:
    openvpn --config /etc/openvpn/tapserver.conf &
    openvpn --config /etc/openvpn/tapclient.conf &
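The configuration files themselves are screenshots on the slides and are missing from this copy. As an added example, not the Moxa slides' files, the Python below generates a matched pair of OpenVPN 2.0 static-key TUN configurations for the 3-1 topology and checks the two rules the 3-2 slide states: both sides must give the local and remote VPN addresses, and the client must name the server address. The tunnel endpoints 10.8.0.1/10.8.0.2, UDP port 1194 and the hardening directives at the end of each file are this example's choices; the LAN subnets follow the 3-1 diagram; the server's public address is a placeholder to be replaced with the server's ixp0 address. Only standard OpenVPN 2.0 directives are used.

```python
"""Added example (not from the Moxa slides): render and cross-check a
static-key TUN server/client configuration pair for the 3-1 lab topology."""
import shlex

SERVER_PUBLIC_ADDR = "192.0.2.1"           # placeholder: the server's ixp0 address
LAN_A = ("10.0.1.0", "255.255.255.0")      # behind the VPN server (slide 3-1)
LAN_B = ("10.0.2.0", "255.255.255.0")      # behind the VPN client (slide 3-1)
TUN_SERVER_IP, TUN_CLIENT_IP = "10.8.0.1", "10.8.0.2"   # assumed tunnel endpoints

# Directives shared by both ends. Comments are on their own lines, which
# every OpenVPN version accepts.
COMMON = """dev tun
proto udp
port 1194
# static.key is the file from: openvpn --genkey --secret static.key
secret static.key
# cipher and auth names come from: openvpn --show-ciphers / --show-digests
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
"""


def server_conf() -> str:
    """Server: its own tunnel address first, the client's second, plus a
    route so that LAN A reaches LAN B through the tunnel."""
    return (f"ifconfig {TUN_SERVER_IP} {TUN_CLIENT_IP}\n"
            f"route {LAN_B[0]} {LAN_B[1]}\n" + COMMON)


def client_conf() -> str:
    """Client: must name the server ('remote') and mirror the ifconfig pair."""
    return (f"remote {SERVER_PUBLIC_ADDR}\n"
            f"ifconfig {TUN_CLIENT_IP} {TUN_SERVER_IP}\n"
            f"route {LAN_A[0]} {LAN_A[1]}\n" + COMMON)


def parse_conf(text: str) -> dict:
    """Minimal OpenVPN config parser: one directive per line, '#' comments,
    repeated directives kept as a list of argument lists."""
    conf = {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words:
            conf.setdefault(words[0], []).append(words[1:])
    return conf


def check_pair(server_text: str, client_text: str) -> list:
    """Returns a list of problems; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    for name, conf in (("server", s), ("client", c)):
        if "ifconfig" not in conf or len(conf["ifconfig"][0]) != 2:
            problems.append(f"{name}: ifconfig must give the local and remote VPN addresses")
        if "secret" not in conf:
            problems.append(f"{name}: no 'secret' (static key) directive")
    if "remote" not in c:
        problems.append("client: the server address ('remote') must be specified")
    if (len(s.get("ifconfig", [[]])[0]) == 2 and len(c.get("ifconfig", [[]])[0]) == 2
            and s["ifconfig"][0] != c["ifconfig"][0][::-1]):
        problems.append("ifconfig local/remote addresses are not mirrored between the two sides")
    for key in ("cipher", "auth"):
        if s.get(key) != c.get(key):
            problems.append(f"'{key}' differs between server and client")
    return problems


if __name__ == "__main__":
    print("--- tunserver.conf ---\n" + server_conf())
    print("--- tunclient.conf ---\n" + client_conf())
    print("problems:", check_pair(server_conf(), client_conf()))
```

The checker is deliberately strict about the ifconfig pair and the cipher/auth names: a mismatch on either side does not produce an error at start-up, it produces a tunnel that comes up and silently drops or misroutes traffic, which is the failure the slide's two "must" rules are warning about.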
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC:
    vi /usr/share/ssl/openssl.cnf
  and pre-set default_days, default_bits, … etc.
• Create a new CA root key pair:
    /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request:
    /usr/share/ssl/misc/CA -newreq
• Certificate signing:
    /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way

3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory:
    cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file:
    vi /etc/openvpn/easy-rsa/vars
• Activate the vars:
    . /etc/openvpn/easy-rsa/vars
• Create the CA root key:
    /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate:
    /etc/openvpn/easy-rsa/build-key server

3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate:
    /etc/openvpn/easy-rsa/build-key client
• Create the Diffie-Hellman parameters:
    /etc/openvpn/easy-rsa/build-dh 1024
• Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
• Copy the CA certificate, the client key and the client certificate to the VPN client
• The "easy-rsa" tools also work on the UC-7400 series

3-4-3 Configuration File Modification
  txxserver.conf
  txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
• Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
• The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability

Demo Box Features
Software Block Diagram
• Temperature range: 0 to 500 °C
• Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC

UC's LCM & keypad (F1-F5)
• F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
• F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
• F3 Alarm Setting: Temperature → Voltage → burn-in throughput
• F4 Configuration Key
• F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
1-3 Hash (Digest) Function1-3 Hash (Digest) Function
Ensure Date Integrity
MD5SHA-1
Tom
Data
Bob
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Same Hash FunctionSame Hash Function
+Hash FunctionHash Function
Message Message Digest 2Digest 2
Message Digest1Message Digest1 DataData
Compare
1-4 Message Authentication Code 1-4 Message Authentication Code
Ensure the Data Integrity
Use a key to protect the MAC
HMACCBC-MAC Tom
Data
Hash FunctionHash Function
+
Message Message Digest 1Digest 1
Bob
Data
Message Message Digest 2Digest 2
+Hash FunctionHash Function
MACEncryption
Message Message Digest 1Digest 1
Decryption
Compare
Secret Key
MACMAC DataData
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
1-4 Message Authentication Code

- Ensures data integrity
- A secret key protects the MAC: without the key a forger cannot produce a valid tag for modified data
- Examples: HMAC, CBC-MAC

Diagram (MAC): Tom hashes the Data to Message Digest 1, transforms the digest under the Secret Key to form the MAC, and sends MAC + Data. Bob hashes the received Data to Message Digest 2, recovers Message Digest 1 from the MAC with the same Secret Key, and compares the two digests; any difference means the data or the MAC was altered in transit. (HMAC in practice feeds the key into the hash computation rather than encrypting the digest, but the check is the same: recompute the tag with the shared key and compare it with the one received.)
1-5 Asymmetric Encryption

Things to remember:
- Key pair: public and private keys
- In a session one key encrypts and the other decrypts
- The public key can be deployed everywhere
- The relation between the two keys is hidden: from one key you cannot derive the other, even with access to clear text and cipher text
- For RSA the two keys are mathematically interchangeable: when a key pair is generated, either one can be published as the public key. This is a property of RSA, not of every asymmetric algorithm
- Much less efficient than symmetric (static key) encryption, so it is used to protect keys and digests rather than bulk data
- Algorithms: RSA, Diffie-Hellman

Diagram: Clear text → Encryption → cipher text (random-looking bytes).
1-5 Asymmetric Data Encryption

Recipient's key pair (confidentiality check): Tom encrypts the plaintext with Bob's public key; only Bob, holding Bob's private key, can decrypt the ciphertext back to plaintext.

Sender's key pair (authenticity check): Tom encrypts the plaintext with Tom's private key; anyone can decrypt it with Tom's public key, and a successful decryption shows that Tom produced it.
1-6 Digital Signature

Real world: a hybrid of the two uses above
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm: public-key cryptography combined with a hash

1-6 Digital Signature - Creating
- Calculate a short message digest from even a long input using a one-way message digest function (hash): SHA, MD5. The digest is typically 128 bits for MD5 (160 bits for SHA-1); MD5 collisions were published in 2004, so new deployments should use the SHA-2 family
- Encrypt the digest with the signatory's private key (RSA); the result is the digital signature
- Signed document = the message or file ("This is the document created by Gianni") + the digital signature

1-6 Digital Signature - Verifying
- Generate the hash of the received message to obtain a message digest
- Decrypt the digital signature with Gianni's public key (taken from the certificate) to recover the digest the signer computed
- Compare the two digests: if they match, the data is intact and was signed by the holder of Gianni's private key

Diagram (signature): same structure as the MAC diagram in 1-4, but Tom transforms Message Digest 1 with Tom's private key and Bob recovers it with Tom's public key before comparing with Message Digest 2. Because only Tom holds the private key, a matching digest also gives non-repudiation, which a shared-key MAC cannot.
1-7 Certificate

The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key ("This public key belongs to Stephen"); the entity can be a person, a computer, a device, a file, some code, anything
... and the whole is
- Digitally signed by someone trusted (like your friend or a CA)
1-7-1 CA Certificate

- The CA (certification server) generates its own key pair
- The user requests a certificate from the CA
- The CA generates the certificate: the user's public key and identity, digitally signed (DS) with the CA's private key
- The private key and the certificate are sent to the user (in the flow on this slide the CA creates the user's key pair; the openssl CA -newreq flow in 3-4-1 instead has the user generate the key locally and send only a request, so the private key never has to be transported)
- Left certificate: signed by the CA. Right certificate: signed by the CA. CA certificate: the CA public key, signed by the CA itself (self-signed root)

1-7-1 CA Certificate Example
- The CA holds the CA private key
- Left holds: its own private key, its certificate (Left's public key signed by the CA), and the CA public key
- Right holds: its own private key, its certificate (Right's public key signed by the CA), and the CA public key
- Left and Right trust each other because each can verify the other's certificate with the CA public key; neither needs the other's key in advance
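The create/verify flow of 1-6 and the certificate check of 1-7, carried through in working Python as an added example (not part of the training deck, and not Moxa's or OpenSSL's code). Textbook RSA over fixed Mersenne primes (CA_PRIMES and SUBJECT_PRIMES below, an assumption made so every run is identical) stands in for real key generation, a dictionary stands in for an X.509 certificate, and SHA-256 replaces the MD5 named on the slide; verify_signed_document() shows the order of checks a VPN peer performs: expected name, CA signature over the certificate, then the document signature.

```python
"""Hash-then-sign and certificate checking (slides 1-6 and 1-7).

Added example for this page, not Moxa's or OpenSSL's code.  Textbook RSA over
fixed, publicly known Mersenne primes stands in for a real key generator, and a
dict stands in for an X.509 certificate.  Nothing here is usable as a real
signature scheme (no padding, public primes); it shows the data flow only.
"""
import hashlib
from typing import Dict, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)

# Mersenne primes 2^p - 1 for p in {521, 607} (CA) and {1279, 127} (subject).
# Fixed so the example is deterministic; a real CA draws random primes.
CA_PRIMES = ((1 << 521) - 1, (1 << 607) - 1)
SUBJECT_PRIMES = ((1 << 1279) - 1, (1 << 127) - 1)
E = 65537


def make_keypair(p: int, q: int, e: int = E) -> Tuple[PublicKey, PrivateKey]:
    """Derive (public, private) halves from two primes (RSA key generation)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def message_digest(data: bytes) -> int:
    """1-6 'Generate Hash': a short fixed-length digest of arbitrary input.
    SHA-256 instead of the MD5 named on the slide (MD5 collisions are cheap)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, priv: PrivateKey) -> int:
    """1-6 Creating: transform the digest with the signatory's private key."""
    n, d = priv
    return pow(message_digest(data), d, n)


def verify(data: bytes, signature: int, pub: PublicKey) -> bool:
    """1-6 Verifying: recover the digest with the public key and compare it
    with a freshly computed one.  Any change to data or signature breaks it."""
    n, e = pub
    return pow(signature, e, n) == message_digest(data)


Certificate = Dict[str, object]  # {"subject": str, "pub": PublicKey, "sig": int}


def _certified_fields(subject: str, pub: PublicKey) -> bytes:
    """Canonical bytes the CA signs: 'this public key belongs to <subject>'."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(subject: str, pub: PublicKey, ca_priv: PrivateKey) -> Certificate:
    """1-7-1: the CA generates a certificate for a requesting user."""
    return {"subject": subject, "pub": pub,
            "sig": sign(_certified_fields(subject, pub), ca_priv)}


def verify_certificate(cert: Certificate, ca_pub: PublicKey) -> bool:
    """Check the CA's signature over the subject name and public key."""
    return verify(_certified_fields(cert["subject"], cert["pub"]), cert["sig"], ca_pub)


def verify_signed_document(doc: bytes, signature: int, cert: Certificate,
                           ca_pub: PublicKey, expected_subject: str) -> bool:
    """What a TLS peer does with a signed message: confirm the certificate is
    for the party we expect and was issued by our CA, then verify the document
    signature under the certified public key.  Order matters: a self-made
    certificate presented by an attacker must be rejected before step 3."""
    if cert["subject"] != expected_subject:
        return False
    if not verify_certificate(cert, ca_pub):
        return False
    return verify(doc, signature, cert["pub"])


def demo() -> Dict[str, bool]:
    """Run the 1-6/1-7 scenario; every outcome should be True."""
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    gianni_pub, gianni_priv = make_keypair(*SUBJECT_PRIMES)
    cert = issue_certificate("Gianni", gianni_pub, ca_priv)
    doc = b"This is the document created by Gianni"
    sig = sign(doc, gianni_priv)
    # A certificate not signed by the CA (here the subject signs his own
    # claim) carries no trust, however plausible its contents look.
    self_signed = issue_certificate("Gianni", gianni_pub, gianni_priv)
    return {
        "signature_valid": verify(doc, sig, gianni_pub),
        "tampered_rejected": not verify(doc + b".", sig, gianni_pub),
        "cert_from_ca": verify_certificate(cert, ca_pub),
        "chain_ok": verify_signed_document(doc, sig, cert, ca_pub, "Gianni"),
        "wrong_name_rejected": not verify_signed_document(doc, sig, cert, ca_pub, "Mallory"),
        "self_signed_rejected": not verify_certificate(self_signed, ca_pub),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {ok}")
```

The example separates the two trust decisions the slides conflate: verify_certificate() answers "does the CA vouch for this key?", and only after that does the document signature mean anything. An OpenVPN TLS client makes the same two decisions with ca.crt and the server certificate.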
1-7-2 SSL/TLS

Diagram: two key pairs (one per party). Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → transmission over the public network → Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text. The two encryption steps use the two key pairs described in 1-5: one provides confidentiality, the other authenticity.

- Ensures confidentiality
- And integrity, if digitally signed
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation

Note: a real SSL/TLS session uses the public keys only during the handshake, to authenticate the peers and agree a session key; the bulk data is then protected with symmetric encryption and a MAC, which is why the hardware ciphers in 1-8 matter for VPN throughput.
1-8 Moxa UC7400 - Hardware Cipher

Intel XScale (IXP422) supports:
- Security engines: DES, AES
- Modes of operation: ECB, CBC, CTR

Moxa wraps the hardware acceleration inside the algorithm APIs of libcrypto.so
- No need to change application source code

1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance

[Charts: throughput of 3DES-CBC and AES-128-CBC with the hardware cipher versus software, and the speed-up RATE, plotted for packet sizes of 128 to 1280 bytes and, in a second pair of charts, 16 to 144 bytes. Only the axis ticks and series labels (3DESCBC, AES128CBC, RATE, "= HW Cipher") survived extraction.]
1-8-3 Things to be noticed

Moxa UC-7400 switches operations between the software and the hardware approaches
- Default: hardware approach
- Any mis-configuration, or a busy hardware engine, causes a switch to software
- Small packets are handled in software: DES for packets of 128 bytes or less, 3DES/AES for 64 bytes or less (the per-call overhead of the engine outweighs its gain on short inputs, which matches the small-packet charts above)

1-8-4 Software Package
- Driver: mxhw_cipher.o
- Device file: mknod /dev/mxcrypto c 11 131
- Test program:
  io            correctness test
  io 0 5000     stability test
  io 1          golden pattern
  io 2 20000    performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes

2-1 Virtual Private Network: Advantages / Disadvantages
- VPN: a network constructed by using public wires (e.g. the Internet) to connect nodes
- A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH etc. do)
- A VPN allows the use of protocols which are insecure by themselves
- VPN traffic cannot be controlled and logged easily because of its encrypted nature: inspection and filtering have to happen at the tunnel endpoints
2-2 Why OpenVPN

Usability
- Open Source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit pre-shared static key or digital certificates (PKI)

Portability: supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later

2-2 Why OpenVPN (continued)
- Peers: each node takes a client or server role; uses kernel routing; multiple clients per server
- A user-space program: a full-featured SSL VPN solution built on top of the existing SSL/TLS mechanism, with a choice among a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port (5000 was the default in OpenVPN 1.x, 1194 in 2.0)
2-2 OpenVPN Security

Two authentication modes
- Static key: a pre-shared key generated with openvpn --genkey
- SSL/TLS: SSL/TLS + certificates for authentication and key exchange

The encrypted packet is formatted as:
  HMAC | IV | [ SeqN | IP payload ]
- SeqN: 64-bit sequence number, used for replay protection
- IV: plain-text initialization vector, randomized per packet
- The bracketed part (sequence number and IP payload) is encrypted; the HMAC is then computed over the IV and the encrypted part (encrypt-then-MAC), so a forged or modified packet is dropped before any decryption is attempted
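The MAC check of 1-4 and the packet layout above, combined in one added example (written for this page; it is not OpenVPN's code). Because the Python standard library has no AES, the block cipher is replaced by an HMAC-SHA256 keystream (an assumption of the demo, not OpenVPN's construction); the framing HMAC | IV | [SeqN | payload], the encrypt-then-MAC order, the constant-time tag comparison and the 64-entry sliding replay window are the mechanisms the slide describes. The names seal, Receiver and try_open are the example's own.

```python
"""Keyed integrity check (1-4) and OpenVPN 2.0 static-key packet framing (2-2):

    HMAC | IV | [ SeqN | IP payload ]      bracketed part encrypted

Added example for this page, not OpenVPN's code.  The standard library has no
AES, so the CBC block cipher OpenVPN uses is replaced by a CTR-style keystream
derived with HMAC-SHA256 (an assumption of this demo); the framing, the
encrypt-then-MAC order, the per-packet random IV and the sliding-window
sequence-number check are the real mechanisms.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

TAG_LEN = 20   # HMAC-SHA1 output, OpenVPN's default --auth
IV_LEN = 16
SEQ_LEN = 8    # 64-bit sequence number


class AuthError(Exception):
    """HMAC mismatch: the packet was forged or modified."""


class ReplayError(Exception):
    """Sequence number already seen or too old for the window."""


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the block cipher: PRF(enc_key, IV || counter) blocks."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes,
         iv: Optional[bytes] = None) -> bytes:
    """Build a packet: encrypt (SeqN || payload) under a fresh IV, then MAC
    the IV and ciphertext.  Two packets with the same payload differ because
    the IV is random per packet."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    plaintext = struct.pack(">Q", seq) + payload
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha1).digest()
    return tag + iv + ciphertext


class Receiver:
    """Receiving side: MAC check, then decrypt, then anti-replay window."""

    def __init__(self, enc_key: bytes, mac_key: bytes, window: int = 64) -> None:
        self.enc_key, self.mac_key, self.window = enc_key, mac_key, window
        self.highest = 0   # largest sequence number accepted so far
        self.bitmap = 0    # bit i set <=> sequence (highest - i) was accepted

    def open(self, packet: bytes) -> Tuple[int, bytes]:
        if len(packet) < TAG_LEN + IV_LEN + SEQ_LEN:
            raise AuthError("truncated packet")
        tag = packet[:TAG_LEN]
        iv = packet[TAG_LEN:TAG_LEN + IV_LEN]
        ciphertext = packet[TAG_LEN + IV_LEN:]
        expected = hmac.new(self.mac_key, iv + ciphertext, hashlib.sha1).digest()
        # Constant-time compare (1-4): a byte-by-byte early exit would leak
        # how many tag bytes an attacker has guessed correctly.
        if not hmac.compare_digest(tag, expected):
            raise AuthError("HMAC mismatch")          # dropped before decryption
        plaintext = _xor(ciphertext, _keystream(self.enc_key, iv, len(ciphertext)))
        seq = struct.unpack(">Q", plaintext[:SEQ_LEN])[0]
        self._check_replay(seq)
        return seq, plaintext[SEQ_LEN:]

    def _check_replay(self, seq: int) -> None:
        """Sliding window: accept new or out-of-order-but-recent sequence
        numbers once each; reject duplicates and anything older than the window."""
        if seq == 0:
            raise ReplayError("sequence numbers start at 1")
        if seq > self.highest:                       # advance the window
            shift = seq - self.highest
            if shift < self.window:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            else:
                self.bitmap = 1
            self.highest = seq
            return
        age = self.highest - seq
        if age >= self.window:
            raise ReplayError(f"sequence {seq} too old")
        if self.bitmap & (1 << age):
            raise ReplayError(f"sequence {seq} already seen")
        self.bitmap |= 1 << age


def try_open(rx: Receiver, packet: bytes) -> Tuple[str, Optional[int], Optional[bytes]]:
    """Classify a packet's fate the way a log line would: ok / auth / replay."""
    try:
        seq, payload = rx.open(packet)
        return "ok", seq, payload
    except AuthError:
        return "auth", None, None
    except ReplayError:
        return "replay", None, None
```

Replaying a captured packet, flipping one ciphertext bit, or sealing with the wrong MAC key all come back as "replay" or "auth" without the payload ever being decrypted; packets arriving out of order inside the window are still accepted once each, which is what lets the check work over UDP.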
2-2 OpenVPN vs IPSec

OpenVPN
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support

IPSec
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard: multi-vendor support
2-3 OpenVPN Modes

Bridging and routing are the two methods of linking systems via a VPN
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly

2-3-1 Routed IP Tunnels (TUN Mode)
- Uses a TUN device: a virtual point-to-point IP link; OpenVPN attaches to the TUN device at the network layer (layer 3)
- Uses the kernel routing table to forward packets
[Diagram: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application); OpenVPN sits above TUN, which is inserted at the third (Network) layer.]

2-3-1 Routed IP Tunnels (TUN Mode): pros and cons
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
- Uses a TAP device: a virtual Ethernet adapter
- Bridge tools (brctl) are required to create the bridge
- Need a script that binds eth1 and tap0 together into a bridged device called br0:

  brctl addbr br0         # create an ethernet bridge
  brctl addif br0 eth1    # connect interface eth1 as a port
  brctl addif br0 tap0    # connect virtual interface tap0 as a port

[Diagram: two OSI stacks; OpenVPN sits above TAP, which is inserted at the second (Data-Link) layer; on each host eth1 and tap0 are bridged, eth0 remains a separate interface.]

2-3-2 Bridged Ethernet Mode (TAP Mode): pros and cons
Bridging advantages
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to carry non-IP protocols such as IPX (NetWare) and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well, since every broadcast crosses the tunnel
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started

Lab topology:
  LAN A 10.0.1.0/24 (gw 10.0.1.254, host IP 10.0.1.1/24)  --ixp1 10.0.1.254--  [VPN Server, also CA/TLS Server]  --ixp0 192.168.12.201--  VPN tunnel  --ixp0 192.168.12.202--  [VPN Client]  --ixp1 10.0.2.254--  LAN B 10.0.2.0/24 (gw 10.0.2.254, host IP 10.0.2.1/24)

The client connects to the server's ixp0 address; each LAN's default gateway is its UC's ixp1 interface.
3-1 Getting Started (continued)

- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing, create it with mknod /dev/net/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]
- Self diagnostic: openvpn --test-crypto --secret [KeyName]
- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1
- Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
- Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tun/server.conf; [at the VPN client] vi /etc/openvpn/tun/client.conf

Keep the static key file readable only by root (chmod 600) and copy it to the client over a trusted channel such as scp: anyone holding the key can decrypt and inject tunnel traffic.
3-2 TUN Server Configuration

[Slide shows tun/server.conf and tun/client.conf; the callouts:]
- Local/remote VPN IP addresses must be specified (the ifconfig directive: first argument is the local tunnel endpoint, second the remote one)
- It is NECESSARY to specify the server address at the VPN client (the remote directive)

- Edit the static routings: vi /etc/openvpn/tun/server.sh; chmod +x /etc/openvpn/tun/server.sh
- [At the VPN client] vi /etc/openvpn/tun/client.sh; chmod +x /etc/openvpn/tun/client.sh
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun/server.conf & (server); openvpn --config /etc/openvpn/tun/client.conf & (client)
- The route's gateway is the 2nd argument of ifconfig (the remote tunnel endpoint), which is now 10.0.2.254

3-3 TAP Configuration
- Create the TAP configuration files: vi /etc/openvpn/tap/server.conf; [at the VPN client] vi /etc/openvpn/tap/client.conf
3-3 TAP Configuration - VPN Server

[Slide shows tap/server.conf; callout:] Mark (comment out) this line if both VPN networks are in the same subnet, since bridged hosts then reach each other without a route
- Edit the static routings: vi /etc/openvpn/tap/server.sh
- [At the VPN client] vi /etc/openvpn/tap/client.sh; chmod +x /etc/openvpn/tap/client.sh
- The route points at the kernel routing via the bridge: br0 = 10.0.1.254
- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tap/server.conf & (server); openvpn --config /etc/openvpn/tap/client.conf & (client)
3-4-1 SSL/TLS - Dynamic Keys

- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
- Sign the certificate: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client
- Repeat -newreq and -sign to certify the second client
3-4-2 OpenVPN - "easy-rsa" tools

- Copy easy-rsa to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars
- Activate the vars (source them into the current shell): . /etc/openvpn/easy-rsa/vars
- Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024 (1024-bit DH as on the original slide is no longer considered adequate; use 2048 bits or larger today)
- Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
- Copy the CA certificate, client key and client certificate to the VPN client; the CA private key (ca.key) stays on the CA machine and is never copied to a VPN endpoint
- The easy-rsa tools also work on the UC-7400 series

3-4-3 Configuration File Modification

tXX/server.conf and tXX/client.conf (tXX = tun or tap): replace the static-key secret line with the ca, cert and key directives (plus dh and tls-server on the server, tls-client on the client) that point at the files produced above.
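The configuration pair for the 3-1 topology, rendered and cross-checked in Python as an added example (not Moxa's or OpenVPN's code). It produces server.conf/client.conf in the static-key form of 3-2 and, for 3-4-3, in the TLS form with ca/cert/key/dh directives; the key directory /etc/openvpn/easy-rsa/keys and the names render_pair, check_pair and parse_conf are assumptions of the example. check_pair() turns the slide callouts into rules: mirrored ifconfig endpoints, a remote line on the client, a route to the far LAN on each side, and one authentication mode on both sides.

```python
"""Render and cross-check an OpenVPN 2.0 point-to-point configuration pair for
the 3-1 lab topology, in static-key form (3-2) and in the TLS form of 3-4-3.

Added example for this page, not Moxa's or OpenVPN's code.  Addresses follow
the slides: server ixp0 192.168.12.201, tunnel endpoints 10.0.1.254 (server)
and 10.0.2.254 (client), LAN A 10.0.1.0/24 and LAN B 10.0.2.0/24.  The key
paths are assumed (easy-rsa's default keys/ directory); check_pair() encodes
the slide callouts as rules so a broken pair is caught before OpenVPN starts.
"""
from typing import Dict, List, Tuple

Conf = Dict[str, List[List[str]]]   # directive -> list of argument lists

SERVER_PUBLIC = "192.168.12.201"
SERVER_TUN, CLIENT_TUN = "10.0.1.254", "10.0.2.254"
SERVER_LAN, CLIENT_LAN = "10.0.1.0", "10.0.2.0"
KEYS = "/etc/openvpn/easy-rsa/keys"   # assumption: easy-rsa's default output dir


def parse_conf(text: str) -> Conf:
    """Parse OpenVPN's 'directive arg...' lines; '#' and ';' start comments."""
    conf: Conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def render_pair(mode: str = "static") -> Tuple[str, str]:
    """Return (server.conf, client.conf) text; mode is 'static' or 'tls'."""
    common = ["dev t\u0075n", "proto udp", "port 1194", "keepalive 10 60",
              "persist-key", "persist-tun", "verb 3"]
    if mode == "static":
        server_auth = client_auth = ["secret /etc/openvpn/static.key"]
    elif mode == "tls":
        # 3-4-3: the static secret line is replaced by the easy-rsa output.
        server_auth = ["tls-server",
                       f"dh {KEYS}/dh1024.pem",   # 1024 as on the slide; use 2048+ today
                       f"ca {KEYS}/ca.crt", f"cert {KEYS}/server.crt", f"key {KEYS}/server.key"]
        client_auth = ["tls-client", f"ca {KEYS}/ca.crt",
                       f"cert {KEYS}/client.crt", f"key {KEYS}/client.key"]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    server = common + [f"ifconfig {SERVER_TUN} {CLIENT_TUN}",      # local, remote
                       f"route {CLIENT_LAN} 255.255.255.0"] + server_auth
    client = common + [f"remote {SERVER_PUBLIC} 1194",             # mandatory on the client
                       f"ifconfig {CLIENT_TUN} {SERVER_TUN}",      # mirror of the server's
                       f"route {SERVER_LAN} 255.255.255.0"] + client_auth
    return "\n".join(server) + "\n", "\n".join(client) + "\n"


def check_pair(server_text: str, client_text: str,
               server_lan: str = SERVER_LAN, client_lan: str = CLIENT_LAN) -> List[str]:
    """Return a list of problems (empty when the pair is consistent)."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems: List[str] = []

    def first(conf: Conf, name: str):
        return conf.get(name, [None])[0]   # first occurrence's argument list

    s_if, c_if = first(s, "ifconfig"), first(c, "ifconfig")
    if not (s_if and c_if and len(s_if) == 2 and len(c_if) == 2):
        problems.append("ifconfig: local and remote VPN addresses must be given on both sides")
    elif s_if != c_if[::-1]:
        problems.append(f"ifconfig: client {c_if} is not the mirror of server {s_if}")
    if "remote" not in c:
        problems.append("remote: the client must specify the server address")
    if first(s, "dev") != first(c, "dev"):
        problems.append("dev: both sides must use the same device type (tun or tap)")

    s_static, c_static = "secret" in s, "secret" in c
    if s_static != c_static:
        problems.append("auth mode: one side uses a static secret, the other TLS")
    elif not s_static:
        for name in ("tls-server", "dh", "ca", "cert", "key"):
            if name not in s:
                problems.append(f"{name}: missing on the server in TLS mode")
        for name in ("tls-client", "ca", "cert", "key"):
            if name not in c:
                problems.append(f"{name}: missing on the client in TLS mode")

    if first(s, "dev") == ["tun"]:   # routed mode: each side needs the far LAN
        if client_lan not in {r[0] for r in s.get("route", [])}:
            problems.append(f"route: server has no route to the client LAN {client_lan}")
        if server_lan not in {r[0] for r in c.get("route", [])}:
            problems.append(f"route: client has no route to the server LAN {server_lan}")
    return problems
```

Running check_pair() on a TLS server.conf against a static-key client.conf, or on a client.conf whose ifconfig arguments were not swapped, reports the mismatch in one line; the same mistakes otherwise surface only as a tunnel that comes up with no traffic, or in OpenVPN's log at verb 3 or higher.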
Live Demo

UC-7420 Demo Box
- Two of its serial ports are connected to a power meter and a thermocouple
- Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
- The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability

Demo Box Features / Software Block Diagram
- Temperature range: 0 to 500 °C
- Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC

UC's LCM & keypad (F1-F5)
- F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
- F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
- F3 Alarm Setting: Temperature → Voltage → burn-in throughput
- F4 Configuration key
- F5 Main menu

Apache web with CGI & HTML
- Seat Locating System
- Score Query System
Appendix

What is the wireless PCMCIA card support status for 802.11g?
- The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
- The compatible 802.11g wireless cards are:
  Supplier   Model name
  ASUS       WL-107g
  CNET       CWC-854 (181D version)
  Edimax     EW-7108PCg
  Amigo      AWP-914W
  Gigabyte   GN-WMKG
  Others which use the Ralink chipset

Thank You
1-5 Asymmetric Encryption1-5 Asymmetric Encryption
Things to rememberbull Key Pair ndash PublicPrivate keysbull In a session one for encryption and the other one
for decryptionbull ldquoPublic Keyrdquo can be deployed everywherebull The relation between the two keys is unknown and from
one key you cannot gain knowledge of the other even if you have access to clear-text and cipher-text
bull The two keys are interchangeable All algorithms make no difference between public and private key When a key pair is generated any of the two can be public or private
bull Less efficient than Static Keybull RSADiff-Hellman
g$5knvMdrsquorkg$5knvMdrsquorkvegMsrdquovegMsrdquo
Clear Clear texttext
EncryptionEncryption
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Bobrsquos Public KeyPlaintex
tBobrsquos Private Key
Recipientrsquos Key Pair
Confidentiality Check
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
- The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards.
- The compatible wireless cards are (supplier, model name): ASUS WL-107g; CNET CWC-854 (181D version); Edimax EW-7108PCg; Amigo AWP-914WG; Gigabyte GN-WMKG; others which use the Ralink chipset.
Thank You
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key. The recipient's key pair is used: a confidentiality check.]
1-5 Asymmetric Data Encryption
[Diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key. The sender's key pair is used: an authenticity check.]
1-6 Digital Signature
Real world - hybrid:
1. Data integrity
2. Authenticity
3. Non-repudiation
4. Algorithm - uses the public key and a hash
1-6 Digital Signature - Creating
[Diagram: the message or file ("This is the document created by Gianni") is run through a one-way message digest function (hash: SHA, MD5), which calculates a short message digest (typically 128 bits) even from a long input; the digest is then asymmetrically encrypted (RSA) with the signatory's private key to produce the digital signature, which is attached to the document to form the signed document.]
1-6 Digital Signature - Verifying
[Diagram: from the signed document, the data is hashed again to regenerate the message digest, while the digital signature is asymmetrically decrypted with Gianni's public key (taken from the certificate); the two digests are compared.]
1-6 Digital Signature
[Diagram: Tom runs the data through the hash function to obtain message digest 1 and encrypts it with Tom's private key, giving the digital signature (a MAC over the data), which is sent together with the data; Bob hashes the received data into message digest 2, decrypts the signature with Tom's public key to recover message digest 1, and compares the two.]
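An added example (not from the slides) of the create/verify flow above with openssl: the document is hashed, the digest is signed with the signatory's private key, and verification uses the public key pulled from the signatory's certificate, then a one-character change shows the integrity check failing. It uses SHA-256 in place of the SHA-1/MD5 named on the slide and assumes openssl on PATH; the document text, names and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: the 1-6 create/verify flow with openssl.
# Signing = hash the document, then transform the digest with the signatory's private
# key; verifying = hash again and check the signature with the public key taken from
# the signatory's certificate. SHA-256 replaces the SHA-1/MD5 named on the slide.
# Assumed: openssl CLI on PATH; the document text, names and paths are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# sign_doc DOC KEYFILE SIGFILE: message digest signed with the private key
sign_doc() {
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# verify_doc DOC CERTFILE SIGFILE: public key "from certificate", then digest and compare.
# Returns 0 when the signature matches DOC, non-zero otherwise.
verify_doc() {
    openssl x509 -in "$2" -pubkey -noout > "$2.pub"
    openssl dgst -sha256 -verify "$2.pub" -signature "$3" "$1" >/dev/null 2>&1
}

# sig_bytes SIGFILE: size of the signature, i.e. the RSA modulus size in bytes
sig_bytes() {
    wc -c < "$1" | tr -d ' '
}

WORK=$(mktemp -d)

# Signatory's key pair and a self-signed certificate carrying the public key
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Gianni" \
    -keyout "$WORK/gianni.key" -out "$WORK/gianni.crt" 2>/dev/null

printf 'This is the document created by Gianni\n' > "$WORK/doc.txt"
sign_doc "$WORK/doc.txt" "$WORK/gianni.key" "$WORK/doc.sig"
echo "signature: $(sig_bytes "$WORK/doc.sig") bytes for a 2048-bit RSA key"

verify_doc "$WORK/doc.txt" "$WORK/gianni.crt" "$WORK/doc.sig" && echo "original document: signature OK"

# Integrity check: one changed character gives a different digest, so the compare fails
printf 'This is the document created by Gianna\n' > "$WORK/tampered.txt"
if ! verify_doc "$WORK/tampered.txt" "$WORK/gianni.crt" "$WORK/doc.sig"; then
    echo "tampered document: signature verification failed"
fi
```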
1-7 Certificate
The simplest certificate just contains:
- A public key (for Stephen)
- Information about the entity that is being certified to own that public key
... and the whole is:
- Digitally signed by someone trusted (like your friend or a CA)
[Diagram: a certificate made of the public key, the statement "This public key belongs to Stephen" and a digital signature over both. The entity can be a person, a computer, a device, a file, some code, anything ...]
1-7-1 CA Certificate
[Diagram: on the certification server the CA generates a key pair; the user requests a certificate from the CA; the CA generates the certificate; the private key and the certificate (public key plus digital signature) are sent to the user. The left cert and the right cert are each signed by the CA, and the CA's own public key is signed by the CA.]
1-7-1 CA Certificate Example
[Diagram: the CA private key signs the left and the right certificate; Left and Right each hold their own private key, the CA public key and their certificate signed by the CA, and trust each other through the CA.]
1-7-2 SSL/TLS
[Diagram: each side holds a private/public key pair; the clear text is encrypted into cipher 1 and again into cipher 2, transmitted over the public network, and decrypted in the reverse order back to clear text.]
Ensures confidentiality
- And integrity, if digitally signed
Depending on how the public keys are exchanged:
- Authenticity, identity, non-repudiation
1-8 Moxa UC-7400 - Hardware Cipher
Intel XScale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source code
1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput and rate of 3DES-CBC and AES-128-CBC against packet size, first over 128 to 1280 bytes and then over 16 to 144 bytes; the highlighted series is the hardware cipher.]
1-8-3 Things to Be Noticed
The Moxa UC-7400 switches operation between the software and the hardware approaches:
- Default: hardware approach
- Any misconfiguration or a busy engine causes the switch
Small packets are switched to the software approach:
- DES: 128 bytes
- 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
- mxhw_cipher.o
Device file
- mknod /dev/mxcrypto c 11 131
Test program
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
A VPN is a network constructed by using public wires (e.g. the Internet) to connect nodes.
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.).
A VPN allows the use of protocols which are insecure by themselves.
VPNs cannot be controlled and logged easily because of their encrypted nature.
2-2 Why OpenVPN
Usability
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability - supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers - each node with a client/server role
- Uses kernel routing
- Multiple clients
A user-space program
- A full-featured SSL-VPN solution
- Built on top of the existing SSL/TLS mechanism
- Offers a choice among a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
- Static key: use a pre-shared key
- SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number
- IV: plaintext initial vector, randomized per packet
[Diagram: packet layout HMAC | IV | SeqN | IP payload; SeqN and the IP payload are encrypted and the HMAC is computed over the packet.]
2-2 OpenVPN vs IPSec
OpenVPN
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly
- Dynamic address support
IPSec
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN:
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device: a virtual point-to-point IP link that binds the inner interface together with TUN.
Uses the kernel routing table to forward the packets.
[Diagram: OSI stacks (physical to application) of the two ends; OpenVPN runs at the application layer and the TUN device sits at layer 3.]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter.
Bridge tools (brctl) are required to create the virtual adapters.
Need to create a script to bind eth1 and tap0 together into a bridged device called br0:
brctl addbr br0          # create an Ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port
[Diagram: OSI stacks of the two ends; OpenVPN runs at the application layer, TAP sits at layer 2 (TUN at layer 3), and on each side eth1 and tap0 are bridged while eth0 carries the tunnel traffic.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started
[Diagram: the lab topology. LAN A (IP 10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN server, whose ixp0 is 192.168.12.201 and whose ixp1 is 10.0.1.254; LAN B (IP 10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN client, whose ixp0 is 192.168.12.202 and whose ixp1 is 10.0.2.254. The client connects to the server to form the VPN tunnel; a CA/TLS server is also present.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun.server.conf
[At the VPN client] vi /etc/openvpn/tun.client.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified.
It is NECESSARY to specify the server address at the VPN client.
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tun.server.sh
chmod +x /etc/openvpn/tun.server.sh
[At the VPN client] vi /etc/openvpn/tun.client.sh; chmod +x /etc/openvpn/tun.client.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tun.server.conf & and, at the VPN client, openvpn --config /etc/openvpn/tun.client.conf &
Note the 2nd argument of "ifconfig", which is now "10.0.2.254".
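An added example (not the deck's own tun.server.conf / tun.client.conf, which the slides do not reproduce): a script that writes a mirrored static-key TUN pair for the lab topology and then checks the two points stressed above, that both ends carry an ifconfig local/remote pair and that the client names the server with a "remote" line. Addresses follow the 3-1 diagram; the key file name and the cipher/auth choices are assumptions.

```shell
#!/bin/sh
# Added example, not the slides' own tun.server.conf / tun.client.conf: write a mirrored
# static-key TUN pair and check the points stressed in 3-2 (an ifconfig local/remote pair
# on both ends, and a "remote" line naming the server at the client).
# Assumed: addresses as read from the 3-1 diagram; key file name, cipher and auth are choices.
set -e

# gen_tun_pair DIR SERVER_PUBLIC_IP SERVER_VPN_IP CLIENT_VPN_IP KEYFILE
# The secret file must be identical on both ends and copied over a secure channel (e.g. scp).
# "user/group nobody" drop privileges after start-up; pick an account that exists on the device.
gen_tun_pair() {
    dir=$1; pub=$2; srv=$3; cli=$4; key=$5
    cat > "$dir/tun.server.conf" <<EOF
dev tun
proto udp
port 1194
ifconfig $srv $cli
secret $key
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
    cat > "$dir/tun.client.conf" <<EOF
dev tun
proto udp
port 1194
remote $pub
ifconfig $cli $srv
secret $key
cipher AES-128-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# field FILE DIRECTIVE N: the N-th argument of DIRECTIVE in FILE, empty if absent
field() {
    awk -v k="$2" -v n="$3" '$1 == k { print $(n + 1); exit }' "$1"
}

# check_pair DIR: returns 0 when the two files agree, 1 with a reason on stderr otherwise
check_pair() {
    s="$1/tun.server.conf"; c="$1/tun.client.conf"
    [ -n "$(field "$c" remote 1)" ] || { echo "client: no remote line" >&2; return 1; }
    [ -n "$(field "$s" ifconfig 2)" ] && [ -n "$(field "$c" ifconfig 2)" ] \
        || { echo "ifconfig LOCAL REMOTE must be set on both ends" >&2; return 1; }
    # the 2nd ifconfig argument on one end is the 1st on the other end
    [ "$(field "$s" ifconfig 2)" = "$(field "$c" ifconfig 1)" ] \
        && [ "$(field "$s" ifconfig 1)" = "$(field "$c" ifconfig 2)" ] \
        || { echo "ifconfig pair is not mirrored" >&2; return 1; }
    for d in secret cipher auth proto port; do
        [ "$(field "$s" "$d" 1)" = "$(field "$c" "$d" 1)" ] \
            || { echo "$d differs between server and client" >&2; return 1; }
    done
}

WORK=$(mktemp -d)
gen_tun_pair "$WORK" 192.168.12.201 10.0.1.254 10.0.2.254 /etc/openvpn/static.key
check_pair "$WORK" && echo "tun.server.conf and tun.client.conf are consistent"
```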
Create the TAP configuration files: vi /etc/openvpn/tap.server.conf
[At the VPN client] vi /etc/openvpn/tap.client.conf
3-3 TAP Configuration - VPN Server
Mark this line if both VPN networks are in the same subnet.
3-3 TAP Configuration - VPN Server
Edit the static routes: vi /etc/openvpn/tap.server.sh
[At the VPN client] vi /etc/openvpn/tap.client.sh; chmod +x /etc/openvpn/tap.client.sh
Points to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
1-5 Asymmetric Data Encryption1-5 Asymmetric Data Encryption
Tom
Plaintext
Bob
ciphertextEncryption Decryption
Tomrsquos Private KeyPlaintex
tTomrsquos Public Key
Senderrsquos key pair
Authenticity Check
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating1-6 Digital Signature - Creating
3kJfgfpound$amp3kJfgfpound$ampPy75cbnPy75cbn
This is the This is the document document created by created by GianniGianni
Message or FileMessage or File Digital SignatureDigital SignatureMessage DigestMessage Digest
Calculate a short message Calculate a short message digest from even a long input digest from even a long input using a one-way message using a one-way message digest function (hash)digest function (hash)
Signatorys Signatorys private keyprivate key
privpriv
GenerateGenerateHashHash
SHA MD5SHA MD5
AsymmetricAsymmetricEncryptionEncryption
RSARSA
This is the This is the document document created by created by GianniGianni 3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
(Typically 128 bits)(Typically 128 bits)
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
1-6 Digital Signature1-6 Digital Signature
Real World ndash Hybrid 1 Data Integrity2 Authenticity3 Non-repudiation4 Algorithm ndash Use the public key and Hash
1-6 Digital Signature - Creating
[Diagram: message or file ("This is the document created by Gianni") → Generate hash (SHA, MD5) → message digest "Py75cbn" (typically 128 bits) → asymmetric encryption (RSA) with the signatory's private key → digital signature "3kJfgf£$&". The signature is appended to the message to give the signed document. Calculate a short message digest from even a long input using a one-way message digest function (hash).]
1-6 Digital Signature - Verifying
[Diagram: the signed document is split into the data ("This is the document created by Gianni") and the digital signature "3kJfgf£$&". Generate hash over the data → message digest "Py75cbn". Asymmetric decryption of the signature with Gianni's public key (from certificate) → "Py75cbn". Compare the two digests.]
1-6 Digital Signature
[Diagram: Tom: Data → Hash function → Message Digest 1 → encryption with Tom's private key → Digital Signature, sent together with the data. Bob: Data → Hash function → Message Digest 2; decryption of the Digital Signature with Tom's public key → Message Digest 1; compare the two digests.]
1-7 Certificate
The simplest certificate just contains:
• A public key (for Stephen)
• Information about the entity that is being certified to own that public key
… and the whole is:
• Digitally signed by someone trusted (like your friend or a CA)
[Diagram: Certificate = public key ("2wsR46frdEWWrswe(^$G^DvtrsdFDfd367") + "This public key belongs to Stephen" + digital signature ("3kJfgf£$&4dser4358g6gd7dT"). The entity can be a person, a computer, a device, a file, some code, anything …]
1-7-1 CA Certificate
[Diagram: the CA (certification server) generates a key pair (Priv, pub). A user requests a certificate from the CA; the CA generates the certificate (pub + DS), and the private key and certificate are sent to the user. Two users, Left and Right, are shown: Left cert signed by CA, Right cert signed by CA, and the CA's own pub key signed by the CA.]
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key. Left and Right each hold a private key, a cert signed by the CA, and the CA pub key, which both trust. "Left cert signed by CA" is presented to Right and "Right cert signed by CA" is presented to Left.]
1-7-2 SSL/TLS
[Diagram: each side holds a key pair (Priv, pub) and the other side's pub. Clear text → Encrypt → Cipher 1 → Encrypt → Cipher 2 → transmission over the public network → Cipher 2 → Decrypt → Cipher 1 → Decrypt → Clear text.]
Ensures confidentiality
• And integrity if digitally signed
Depending on how the public keys are exchanged:
• Authenticity, identity, non-repudiation
1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports:
• Security engines: DES, AES
• Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
• No need to change the source code
1-8-1 Moxa Accelerated Algorithms – OpenSSL 0.9.7
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
• ECB mode is wrapped at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput (0 to 80) and rate (0 to 8) of 3DES-CBC and AES-128-CBC against packet size, over 128 to 1280 bytes and, in detail, 16 to 144 bytes; ■ = HW cipher]
1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and hardware approaches:
• Default: hardware approach
• Any misconfiguration, or the engine being busy, causes the switch to software
Small packets are switched to the software approach:
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH, etc. do)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Makes use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• A choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for
  • Authentication
  • Key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
[Diagram: packet layout HMAC | IV | SeqN | IP payload, with SeqN and the payload encrypted and the HMAC computed over the rest of the packet]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable connections:
• Site-to-site
• Dynamic site-to-site
• (Dynamic) client-to-site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Diagram: the OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) of the two ends; OpenVPN runs at the Application layer and the TUN device sits at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0: create an Ethernet bridge
brctl addif br0 eth1: connect interface eth1 as a port
brctl addif br0 tap0: connect virtual interface tap0 as a port
[Diagram: the OSI stacks of the two ends, bridged; OpenVPN runs at the Application layer, the TAP device sits at layer 2 (Data-Link) beside TUN at layer 3, and on each end eth0, eth1 and tap0 are shown with eth1 and tap0 bridged]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Topology: LAN A (IP 10.0.1.1/24, gw 10.0.1.254) sits behind ixp1 10.0.1.254 of the [VPN Server], whose ixp0 is 192.168.12.201; VPN tunnel; the [VPN-Client] connects from ixp0 192.168.12.202, and its ixp1 10.0.2.254 serves LAN B (IP 10.0.2.1/24, gw 10.0.2.254). A [CA/TLS Server] is also shown.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
Local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh
chmod +x /etc/openvpn/tunserver.sh
[At VPN client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN client] openvpn --config /etc/openvpn/tunclient.conf &
Callout on the client configuration: the 2nd argument of "ifconfig", which is now "10.0.2.254"
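A worked version of the 3-2 TUN setup for the 3-1 topology, added here as an example and not one of Moxa's own scripts: it generates a mirrored tunserver.conf/tunclient.conf pair for static-key point-to-point TUN mode and checks that the two "ifconfig" lines are mirror images of each other, which is what the "2nd argument of ifconfig" callout is about. The public addresses and LAN subnets come from the 3-1 diagram; the tunnel endpoint addresses 10.9.0.1/10.9.0.2, the key file name, the UDP port and the cipher/auth choices are assumptions, and the 'route' directives stand in for the tunserver.sh/tunclient.sh static-route scripts.

```shell
#!/bin/sh
# Added example for the 3-1 topology (not one of Moxa's scripts): generate a
# mirrored pair of static-key point-to-point TUN configs and check them.
# From the slides: VPN server ixp0 192.168.12.201, VPN client ixp0
# 192.168.12.202, LAN A 10.0.1.0/24 behind the server, LAN B 10.0.2.0/24
# behind the client. Assumed, not on the slides: tunnel endpoints
# 10.9.0.1/10.9.0.2, the key file name, the UDP port and cipher/auth choices.
SERVER_PUBLIC=192.168.12.201
SERVER_TUN=10.9.0.1
CLIENT_TUN=10.9.0.2
LAN_A=10.0.1.0
LAN_B=10.0.2.0
NETMASK=255.255.255.0
KEY_FILE=/etc/openvpn/static.key   # from: openvpn --genkey --secret /etc/openvpn/static.key

# gen_tun_conf server|client : print the config for one end.
# 'ifconfig LOCAL REMOTE' is mirrored between the ends, the 'route' points at
# the far LAN, and only the client carries a 'remote' line (the server listens).
gen_tun_conf() {
    case "$1" in
        server) ifc="$SERVER_TUN $CLIENT_TUN"; far_lan=$LAN_B; rem="" ;;
        client) ifc="$CLIENT_TUN $SERVER_TUN"; far_lan=$LAN_A; rem="remote $SERVER_PUBLIC" ;;
        *) echo "usage: gen_tun_conf server|client" >&2; return 1 ;;
    esac
    printf 'dev tun\nproto udp\nport 1194\n'
    if [ -n "$rem" ]; then printf '%s\n' "$rem"; fi
    printf 'ifconfig %s\n' "$ifc"
    printf 'route %s %s\n' "$far_lan" "$NETMASK"
    printf 'secret %s\n' "$KEY_FILE"
    printf 'cipher AES-128-CBC\nauth SHA1\n'        # both ends must agree on these
    printf 'keepalive 10 60\npersist-key\npersist-tun\nverb 3\n'
}

# ifconfig_field CONF N : field N of the ifconfig line (2 = local, 3 = remote).
ifconfig_field() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == "ifconfig" { print $n; exit }'
}

# check_pair SERVER_CONF CLIENT_CONF : succeed only when each end's local
# address is the other end's remote address. A client that copied the
# server's ifconfig line verbatim fails here instead of failing at runtime.
check_pair() {
    [ "$(ifconfig_field "$1" 2)" = "$(ifconfig_field "$2" 3)" ] &&
    [ "$(ifconfig_field "$1" 3)" = "$(ifconfig_field "$2" 2)" ]
}

# When run directly: write both files (to /etc/openvpn on the UC-7400) and check them.
OUT_DIR=${OUT_DIR:-$(mktemp -d)}
gen_tun_conf server > "$OUT_DIR/tunserver.conf"
gen_tun_conf client > "$OUT_DIR/tunclient.conf"
if check_pair "$(cat "$OUT_DIR/tunserver.conf")" "$(cat "$OUT_DIR/tunclient.conf")"; then
    echo "wrote $OUT_DIR/tunserver.conf and tunclient.conf; ifconfig lines mirror each other"
else
    echo "ifconfig lines do not mirror each other" >&2
fi
```

Set OUT_DIR=/etc/openvpn on the UC-7400 to write the files where 3-1 puts them.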
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh
[At VPN client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN client] openvpn --config /etc/openvpn/tapclient.conf &
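An openvpn-bridge start/stop/restart script of the kind 2-3-2 and 3-3 call for, written here as an added example rather than Moxa's own openvpn-bridge script: it runs the brctl sequence from 2-3-2 in the right order and moves the LAN gateway address 10.0.1.254 onto br0. The interface names eth1/tap0/br0 and that address come from the slides; the use of 'openvpn --mktun' for a persistent tap0, the ifconfig/promisc handling and the DRY_RUN switch (which prints the plan instead of executing it) are assumptions.

```shell
#!/bin/sh
# Added example (not Moxa's openvpn-bridge): bring br0 up over eth1 + tap0.
# From the slides: bridge br0, LAN port eth1, virtual adapter tap0, and the
# server's LAN gateway address 10.0.1.254/24 ending up on br0.
# Assumed: 'openvpn --mktun' for a persistent tap0, the ifconfig details, and
# DRY_RUN=1 to print the commands instead of running them (needs root otherwise).
BR=br0
ETH=eth1
TAP=tap0
BR_IP=10.0.1.254
BR_MASK=255.255.255.0

# run CMD... : execute, or only print the command when DRY_RUN=1, so the plan
# can be reviewed on a PC before it is run on the UC-7400.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

bridge_start() {
    run openvpn --mktun --dev "$TAP"          # persistent tap0; survives openvpn restarts
    run brctl addbr "$BR"                     # create the Ethernet bridge first
    run brctl addif "$BR" "$ETH"              # physical LAN port becomes a bridge port
    run brctl addif "$BR" "$TAP"              # virtual adapter becomes a bridge port
    run ifconfig "$ETH" 0.0.0.0 promisc up    # bridge ports carry no IP address of their own
    run ifconfig "$TAP" 0.0.0.0 promisc up
    run ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" up   # the LAN gateway address moves to br0
}

bridge_stop() {
    run ifconfig "$BR" down
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    run ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" up  # give eth1 its address back
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    *)       echo "usage: $0 {start|stop|restart}" >&2 ;;
esac
```

Start the server-side OpenVPN only after this script has reported no errors, since tapserver.conf refers to tap0 and br0 already existing.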
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf, and pre-set default_days, default_bits, … etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Certificate signing: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
1-6 Digital Signature - Verifying1-6 Digital Signature - Verifying
This is the This is the document document created by created by GianniGianni
3kJfgfpound$amp3kJfgfpound$amp
SignedSignedDocumentDocument
Py75cbnPy75cbn
Message DigestMessage DigestGenerateGenerate
HashHash
Giannis public keyGiannis public key(from certificate)(from certificate)
AsymmetricAsymmetricDecryptionDecryption
pubpub
DigitalDigitalSignatureSignature
Py75cbnPy75cbn
Compare Compare
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSL/TLS

Figure: public-key protection of a message between two peers, each holding its own (Priv, pub) pair and the other side's pub key.
Clear text -> Encrypt (sender's private key) -> Cipher 1 -> Encrypt (receiver's public key) -> Cipher 2 -> transmission over the public network -> Decrypt (receiver's private key) -> Cipher 1 -> Decrypt (sender's public key) -> Clear text
- Ensures confidentiality (the outer layer can only be opened with the receiver's private key)
- And integrity, if digitally signed (the inner layer can only have been produced with the sender's private key)
- Depending on how the public keys are exchanged: authenticity, identity, non-repudiation
The figure shows the principle only. Real SSL/TLS uses the key pairs and certificates during the handshake to authenticate the peers and agree on a session key, then protects the bulk traffic with a symmetric cipher and a MAC; OpenVPN's SSL/TLS mode (2-2) works the same way.
1-8 Moxa UC7400 - Hardware Cipher

Intel XScale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so":
- No need to change the source code; programs linked against OpenSSL use the hardware path automatically

1-8-1 Moxa Accelerated Algorithms - OpenSSL 0.9.7
- DES_cbc_encrypt
- DES_ede3_cbc_encrypt
- AES_cbc_encrypt
- AES_ctr_encrypt
- ECB mode is wrapped at a higher level (libssl.so), as OpenSSL itself does
1-8-2 Performance

Figure: throughput (left axis) and RATE (right axis, hardware relative to software) versus packet size.
- 3DES-CBC and AES-128-CBC, packet sizes 128 to 1280 bytes: throughput axis 0 to 80, RATE axis 0 to 8.
- 3DES-CBC and AES-128-CBC, small packets 16 to 144 bytes: throughput axis 0 to 8, RATE axis 0 to 2.5.
Legend: = HW Cipher.
1-8-3 Things to be noticed

Moxa UC-7400 switches operations between the software and the hardware approaches:
- Default: hardware approach
- Any misconfiguration, or a busy engine, causes a switch to the software approach
Small packets are switched to the software approach:
- DES: 128-byte threshold
- 3DES/AES: 64-byte threshold
The switch is transparent to the application, so the small-packet figures in 1-8-2 show what the software path delivers.
1-8-4 Software Package

Driver:
- mxhw_cipher.o
Device file:
- mknod /dev/mxcrypto c 11 131
Test program:
- io             correctness test
- io 0 5000      stability test
- io 1           golden pattern
- io 2 20000     performance test
Agenda

1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

2) OpenVPN 2.0

2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network

2-1 VPN Advantages/Disadvantages
- VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
- A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH etc. do)
- A VPN allows the use of protocols which are insecure by themselves
- VPN traffic cannot be controlled and logged easily by devices between the endpoints because of its encrypted nature; filtering and logging have to be done at the tunnel endpoints (e.g. firewall rules on the tun/tap interface)
2-2 Why OpenVPN

Usability:
- Open Source (GPL)
- Full-featured SSL VPN solution
- Easy to configure a secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared (static) key or digital certificates (PKI)
Portability - supports most platforms:
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later

2-2 Why OpenVPN (continued)

Peers - each node with a client/server role:
- Uses kernel routing
- Multiple clients
A user-space program:
- A full-featured SSL-VPN solution
- Built on top of the existing SSL/TLS mechanism
- A choice among a set of security algorithms (ciphers and digests)
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000 in 1.x, 1194 in 2.0) or TCP port
2-2 OpenVPN Security

Two authentication modes:
- Static key: a pre-shared key (generated with openvpn --genkey) is used directly as the cipher and HMAC keys. There is no forward secrecy: anyone who obtains the key can decrypt recorded traffic, so this mode suits single point-to-point links only.
- SSL/TLS: SSL/TLS + certificates, used for authentication and key exchange; session keys are negotiated and renewed.
The encrypted packet is formatted as:
  HMAC | IV | encrypt( SeqN | IP payload )
- SeqN: 64-bit sequence number, carried inside the encrypted part; the receiver checks it against a replay window
- IV: plaintext initial vector, randomized per packet
- HMAC: computed over IV and ciphertext and verified before anything is decrypted (encrypt-then-MAC)
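The packet layout above and the receiver-side checks it implies (authenticate first, in constant time, then decrypt, then reject replays) as an added Python example; this is my illustration, not OpenVPN's code. `build_packet`, `receive_packet` and `ReplayWindow` are names I chose. One assumption is made to keep the example runnable with the standard library: the Python stdlib has no AES, so the cipher step is an HMAC-SHA256 keystream in counter mode standing in for OpenVPN's CBC block cipher. The framing and the checks are what the example is about; the HMAC is SHA1, OpenVPN 2.0's default --auth.

```python
"""OpenVPN-style data-channel packet: HMAC | IV | encrypt(SeqN | payload).

Added illustration of the layout and of what the receiver must check:
the HMAC (over IV + ciphertext) in constant time before touching the
ciphertext, then the 64-bit sequence number against a sliding replay window.
Assumption: the cipher step is an HMAC-SHA256 keystream in counter mode
standing in for OpenVPN's CBC cipher (no AES in the Python stdlib).
"""
import hashlib
import hmac
import secrets
import struct

IV_LEN = 16
MAC_LEN = hashlib.sha1().digest_size   # OpenVPN 2.0 default: --auth SHA1
SEQ_LEN = 8                            # 64-bit SeqN


def _keystream(enc_key, iv, length):
    """Counter-mode keystream derived from HMAC-SHA256 (stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_packet(enc_key, mac_key, seq, payload):
    """Sender: fresh IV per packet, SeqN inside the encrypted part, MAC over IV+ciphertext."""
    iv = secrets.token_bytes(IV_LEN)
    plaintext = struct.pack(">Q", seq) + payload
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha1).digest()
    return tag + iv + ciphertext


class ReplayWindow:
    """Sliding window over sequence numbers (cf. OpenVPN's --replay-window)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest SeqN accepted so far
        self.bits = 0     # bit i set  =>  SeqN (top - i) already seen

    def check_and_update(self, seq):
        if seq == 0:
            return False  # 0 is treated as invalid so the window can start empty at top = 0
        if seq > self.top:
            shift = seq - self.top
            self.bits = ((self.bits << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: cannot tell it from a replay, drop
        if (self.bits >> offset) & 1:
            return False  # already seen: replay
        self.bits |= 1 << offset
        return True


def receive_packet(enc_key, mac_key, packet, window):
    """Receiver: returns the payload, or None if the MAC or the replay check fails."""
    if len(packet) < MAC_LEN + IV_LEN + SEQ_LEN:
        return None
    tag = packet[:MAC_LEN]
    iv = packet[MAC_LEN:MAC_LEN + IV_LEN]
    ciphertext = packet[MAC_LEN + IV_LEN:]
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # authenticate before decrypting; constant-time compare
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    seq = struct.unpack(">Q", plaintext[:SEQ_LEN])[0]
    if not window.check_and_update(seq):
        return None
    return plaintext[SEQ_LEN:]
```

Two details matter in practice: the MAC is checked with `hmac.compare_digest` so that a forger learns nothing from how long the rejection takes, and the sequence number is only read after the MAC has passed, so the replay window can never be moved by an unauthenticated packet.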
2-2 OpenVPN vs IPSec

OpenVPN:
- User-space daemon
- SSL/TLS
- Portability across operating systems
- Firewall- and NAT-friendly (a single UDP or TCP port)
- Dynamic address support
IPSec:
- Kernel-space IP stack
- Each operating system requires its own independent implementation of IPSec
- IETF standard - multi-vendor support
2-3 OpenVPN Modes

Bridging and routing are the two methods of linking systems via a VPN:
- Routed IP tunnels (layer 3)
- Bridged Ethernet tunnels (layer 2)
Suitable for connections:
- Site-to-site
- Dynamic site-to-site
- (Dynamic) client-to-site
Dynamic firewall / NAT / DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)

- Uses a TUN device: a virtual point-to-point IP link; OpenVPN reads and writes IP packets on the TUN interface from user space
- Uses the kernel routing table to forward packets into and out of the tunnel

Figure: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application) side by side; OpenVPN sits at the Application layer and the TUN device plugs in at the Network layer (3rd).
2-3-1 Routed IP Tunnels (TUN Mode)

Routed IP advantages:
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP disadvantages:
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)

- Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
- Bridge tools (brctl, from bridge-utils) are required to create the bridge; the TAP device itself is created by OpenVPN when it starts (or beforehand with openvpn --mktun --dev tap0)
- A script is needed to bind eth1 and tap0 together into a bridged device called br0

2-3-2 Bridged Ethernet Mode (TAP Mode)

brctl addbr br0          create an Ethernet bridge
brctl addif br0 eth1     connect interface eth1 as a port
brctl addif br0 tap0     connect virtual interface tap0 as a port
The IP address of the LAN side then belongs to br0; eth1 and tap0 are brought up without addresses.
Figure: two OSI stacks (Physical ... Application) side by side, OpenVPN at the Application layer; TUN plugs in at the Network layer (3rd), TAP at the Data-Link layer (2nd). On each host, bridging joins eth1 and tap0 into br0 while eth0 carries the physical link between the two OpenVPN peers.
2-3-2 Bridged Ethernet Mode (TAP Mode)

Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN: this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well (every broadcast on either LAN crosses the tunnel)
Agenda

1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice

3) OpenVPN Configuration

3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS - X.509 Dynamic Keys
3-1 Getting Started

Figure: lab topology.
  LAN A host: IP 10.0.1.1/24, gw 10.0.1.254
      |
  ixp1 10.0.1.254    [VPN Server] (also the CA / TLS server)
  ixp0 192.168.12.201
      |  VPN tunnel (the client connects to the server over the ixp0 network)
  ixp0 192.168.12.202
  ixp1 10.0.2.254    [VPN Client]
      |
  LAN B host: IP 10.0.2.1/24, gw 10.0.2.254
3-1 Getting Started

- Create a working directory (recommended): mkdir /etc/openvpn
- Check for the TUN device: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
- Load the necessary modules: modprobe tun; modprobe bridge
- Generate a (pre-shared) static key: openvpn --genkey --secret [KeyName]. Keep the file mode 0600 and copy it to the peer only over a secure channel (scp), never with FTP or Telnet.
- Self diagnostic: openvpn --test-crypto --secret [KeyName]
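A small checker for the static key file that `openvpn --genkey --secret` produces, as an added Python example (my code, not Moxa's or OpenVPN's). It writes a file in the same format, reads it back, and verifies the two things worth verifying before a key is copied to a peer: that it really holds 2048 bits and that nobody but the owner can read it. It also splits the key into the four 512-bit slots OpenVPN derives its cipher and HMAC keys from; the slot order (cipher 0, HMAC 0, cipher 1, HMAC 1) is my reading of OpenVPN's key layout with --key-direction and is labelled as an assumption. Function names (`generate_static_key`, `parse_static_key`, `key_file_mode_ok`, `split_static_key`, `demo`) are mine.

```python
"""OpenVPN static key file: generate, parse, sanity-check (added illustration).

`openvpn --genkey --secret FILE` writes 2048 random bits as hex lines between
"-----BEGIN OpenVPN Static key V1-----" / "-----END ..." markers. This
reproduces that format, reads it back, checks the size and the file mode
(a world-readable key is as good as no key), and splits it into four
512-bit slots. Assumption: slot order cipher/HMAC for key 0, then
cipher/HMAC for key 1, following OpenVPN's layout used with --key-direction.
"""
import os
import re
import secrets
import stat
import tempfile

KEY_BITS = 2048
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def generate_static_key(path):
    """Write a 2048-bit key in --genkey format with mode 0600; return the raw key bytes."""
    key = secrets.token_bytes(KEY_BITS // 8)
    hexlines = [key[i:i + 16].hex() for i in range(0, len(key), 16)]
    # create with 0600 from the start: the file is never world-readable, not even briefly
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("#\n# 2048 bit OpenVPN static key\n#\n")
        f.write(BEGIN + "\n" + "\n".join(hexlines) + "\n" + END + "\n")
    return key


def parse_static_key(path):
    """Read a static key file; raise ValueError if the block is missing or not 2048 bits."""
    with open(path) as f:
        m = _BLOCK.search(f.read())
    if m is None:
        raise ValueError("no OpenVPN Static key V1 block in %s" % path)
    key = bytes.fromhex("".join(m.group(1).split()))
    if len(key) * 8 != KEY_BITS:
        raise ValueError("static key is %d bits, expected %d" % (len(key) * 8, KEY_BITS))
    return key


def key_file_mode_ok(path):
    """True when group and others have no access bits at all."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def split_static_key(key):
    """Four 64-byte slots: (cipher0, hmac0, cipher1, hmac1). Assumed layout, see above."""
    if len(key) != KEY_BITS // 8:
        raise ValueError("expected a %d-byte key" % (KEY_BITS // 8))
    return tuple(key[i:i + 64] for i in range(0, len(key), 64))


def demo():
    """Round trip in a temporary directory: (parsed == generated, mode ok, slot sizes)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "static.key")
        key = generate_static_key(path)
        parsed = parse_static_key(path)
        return parsed == key, key_file_mode_ok(path), [len(s) for s in split_static_key(parsed)]
```

Run `demo()` on the box after copying a key over and it tells you immediately whether the transfer or the permissions went wrong; a key file that fails `key_file_mode_ok` should be fixed with chmod 600 before OpenVPN is started with it.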
3-1 Getting Started

- Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
- Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
- Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
- Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
  [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration

- The local and remote VPN IP addresses must be specified (the two arguments of "ifconfig" in the configuration file: local tunnel endpoint first, remote endpoint second)
- It is NECESSARY to specify the server address ("remote") at the VPN client

3-2 TUN Server Configuration

- Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
  [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
- Note the 2nd argument of "ifconfig", which is now "10.0.2.254"
For unattended use, prefer --daemon to the trailing "&", and drop privileges after start-up with --user nobody --group nobody (together with --persist-key and --persist-tun so that restarts still work).
- Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
  [At VPN Client] vi /etc/openvpn/tapclient.conf

3-3 TAP Configuration - VPN Server

- Mark (comment out) this line, the route to the remote LAN, if both VPN networks are in the same subnet

3-3 TAP Configuration - VPN Server

- Edit the static routes: vi /etc/openvpn/tapserver.sh; chmod +x /etc/openvpn/tapserver.sh
  [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
- The route points at the kernel routing via the bridge: br0 = 10.0.1.254

3-3 TAP Configuration - VPN Server

- Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
- Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
  [At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys

- Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-enter default_days, default_bits ... etc.
- Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
- Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
- Sign the certificate: /usr/share/ssl/misc/CA -sign
- Copy the CA root certificate, the client private key and the client certificate to the first client
- Repeat -newreq and -sign to have the second client certified
With this workflow the client private keys are generated on the CA machine: copy them over a secure channel (scp), delete the CA's copy afterwards, and never copy the CA private key to any VPN node.
3-4-2 OpenVPN - "easy-rsa" tools

- Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
- Modify the vars file: vi /etc/openvpn/easy-rsa/vars
- Activate the vars (source it into the current shell): . /etc/openvpn/easy-rsa/vars
- Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
- Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server

3-4-2 OpenVPN - "easy-rsa" tools

- Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
- Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024 (1024-bit DH and RSA were the defaults in 2005 and are too weak today; set KEY_SIZE in vars to 2048 or more)
- Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
- Copy the CA certificate (ca.crt), the client key (client.key) and the client certificate (client.crt) to the VPN client
- ca.key stays on the CA machine only; it is not needed by either VPN node
- The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification

Figure: the t??server.conf and t??client.conf files (tun or tap) changed over from static key to SSL/TLS mode. The "secret" line is replaced by "ca", "cert" and "key" pointing at the files copied in 3-4-2; the server side additionally needs "dh" and "tls-server", the client side "tls-client".
Agenda

1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo

UC-7420 DEMO BOX
- Two of its serial ports are connected to a power meter and a thermocouple
- Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
- The rest of the serial ports are looped back in "burn-in mode" to demonstrate the UC's high performance and reliability

Demo Box Features

Software Block Diagram (figure)
- Temperature range: 0 to 500 °C
- Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC

UC's LCM & keypad (F1-F5)
- F1 Monitoring: Temperature -> Voltage -> Throughput for P3 to P8
- F2 System Status: LAN's IP -> Wi-Fi's IP -> CPU loading -> Available memory
- F3 Alarm Setting: Temperature -> Voltage -> burn-in throughput
- F4 Configuration key
- F5 Main menu

Apache Web with CGI & HTML
- Seat Locating System
- Score Query System
Appendix

What is the wireless PCMCIA card support status in 802.11g?
- The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
- The compatible wireless cards are:
  Supplier    Model name
  ASUS        WL-107g
  CNET        CWC-854 (181D version)
  Edimax      EW-7108PCg
  Amigo       AWP-914WG
  Gigabyte    GN-WMKG
  Others which use the Ralink chipset

Thank You
DataData
1-6 Digital Signature1-6 Digital Signature
Tom
Data
Message Message Digest 1Digest 1
Hash FunctionHash Function
+ +Compare
Bob
Data
Message Message Digest 2Digest 2
Hash FunctionHash Function
MACEncryption Decryption
Message Message Digest 1Digest 1
Tomrsquos Private Key Tomrsquos Public Key
Digital SignatureDigital Signature
Digital Signature
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
1-7 Certificate1-7 Certificate
The simplest certificate just containsbull A public key (for Stephen)bull Information about the entity that is being certified to own that public key
hellip and the whole isbull Digitally signed by someone trusted (like your friend or a CA)
2wsR46frd2wsR46frdEWWrswe(EWWrswe(^$G^^$G^DvtrsdFDfDvtrsdFDfd367d367
pubpub
3kJfgfpound3kJfgfpound$amp4dser4$amp4dser4358g6gd7d358g6gd7dTTCertificateCertificate
This public This public key belongs key belongs to to StephenStephen
DigitalDigitalSignatureSignatureCan be a person a computer Can be a person a computer
a device a file some code a device a file some code anything hellipanything hellip
1-7-1 CA Certificate 1-7-1 CA Certificate
PrivPriv pubpub
Certification Server
CA generatesCA generatesa key paira key pair
Private Key and Private Key and Certificate are Certificate are
sent to the usersent to the user
pubpub
DSDS
CertCert
pubpub
DSDS
CertCert
User request a User request a certificate to CAcertificate to CA
CA generatesCA generatescertificatecertificate
PrivPriv
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the bridge device
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0          create an Ethernet bridge
brctl addif br0 eth1     connect interface eth1 as a port
brctl addif br0 tap0     connect virtual interface tap0 as a port
[Diagram: the OSI stacks of both peers with OpenVPN at the application layer; TUN injects at layer 3 (Network), TAP at layer 2 (Data-Link); each peer shows eth0, eth1 and tap0, with tap0 and eth1 joined by the bridge]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
1. Point-to-point and point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works where the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS: X.509 Dynamic Keys
3-1 Getting Started
[Lab topology diagram]
LAN A: hosts 10.0.1.1/24, gateway 10.0.1.254
  [VPN Server] ixp1 = 10.0.1.254, ixp0 = 192.168.12.201
LAN B: hosts 10.0.2.1/24, gateway 10.0.2.254
  [VPN Client] ixp1 = 10.0.2.254, ixp0 = 192.168.12.202
VPN tunnel: the client's ixp0 connects to the server's ixp0 across the public network; a [CA/TLS Server] is also shown on that network
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing, create it with mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local and remote VPN IP addresses must both be specified (ifconfig <local> <remote>)
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh
chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
Note the 2nd argument of "ifconfig" (the peer's VPN address), which is now "10.0.2.254"
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration: VPN Server
Mark (comment out) this line if both VPN networks are in the same subnet
3-3 TAP Configuration: VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Points to the kernel route through the bridge: br0 = 10.0.1.254
3-3 TAP Configuration: VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
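To tie 3-1 through 3-3 together, here is an added Python example (written for this edit; not Moxa's configuration files) that generates matching static-key server and client configs for the lab topology and checks the two points the slides stress: the local and remote VPN addresses both go to ifconfig, with the peer's address as the 2nd argument, and the client must name the server. The directive names are OpenVPN 2.0's; the file names, the key path and the check rules are assumptions of this example, and the addresses are the slide's lab values.

```python
# Added example: generate and check OpenVPN 2.0 static-key configs for the
# TUN (3-2) and bridged TAP (3-3) setups on the slides.  Directive names are
# OpenVPN's; the file names and check rules are assumptions of this example.

def static_key_configs(mode, server_vpn_ip, client_vpn_ip, server_public_ip,
                       secret="/etc/openvpn/static.key", port=1194,
                       bridged_same_subnet=False):
    """Return (server_conf, client_conf) as text for static-key mode."""
    if mode not in ("tun", "tap"):
        raise ValueError("mode must be 'tun' or 'tap'")

    def ifconfig(local, remote):
        line = f"ifconfig {local} {remote}"   # 2nd argument = the peer's VPN address
        # In bridged TAP mode with both LANs in one subnet, br0 already carries
        # the address, so the slide says to comment ("mark") this line out.
        return f"#{line}" if (mode == "tap" and bridged_same_subnet) else line

    common = [
        f"dev {mode}",
        f"port {port}",
        "proto udp",
        f"secret {secret}",      # pre-shared key from: openvpn --genkey --secret <file>
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
        "verb 3",
    ]
    server = ["# VPN server"] + common + [ifconfig(server_vpn_ip, client_vpn_ip)]
    client = (["# VPN client", f"remote {server_public_ip}"] + common
              + [ifconfig(client_vpn_ip, server_vpn_ip)])
    return "\n".join(server) + "\n", "\n".join(client) + "\n"


def parse_config(text):
    """Map each directive to the list of argument lists it was given; '#' starts a comment."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            directives.setdefault(key, []).append(args)
    return directives


def check_config(text, role):
    """Return the list of problems with a static-key config (empty when it is usable)."""
    d = parse_config(text)
    problems = []
    dev = d["dev"][0][0] if d.get("dev") and d["dev"][0] else None
    if dev not in ("tun", "tap"):
        problems.append("dev must be tun or tap")
    if "secret" not in d:
        problems.append("static-key mode needs a secret file")
    if dev == "tun" and len(d.get("ifconfig", [[]])[0]) != 2:
        problems.append("tun mode: ifconfig needs the local and remote VPN IPs")
    if role == "client" and "remote" not in d:
        problems.append("client must specify the server address with remote")
    return problems


def peer_address(text):
    """The 2nd argument of ifconfig, i.e. the peer's VPN address (None if not set)."""
    args = parse_config(text).get("ifconfig", [[]])[0]
    return args[1] if len(args) == 2 else None


if __name__ == "__main__":
    server_conf, client_conf = static_key_configs(
        "tun", "10.0.1.254", "10.0.2.254", "192.168.12.201")
    print(server_conf)
    print(client_conf)
    print("client problems:", check_config(client_conf, "client"))
```

Run it once with mode "tun" for the 3-2 lab and once with mode "tap" and bridged_same_subnet=True for the 3-3 lab; in the second case peer_address() returns None because the ifconfig line is commented out and br0 holds the address instead.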
3-4-1 SSL/TLS: Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Repeat the request and signing for the second client
3-4-2 OpenVPN "easy-rsa" Tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN "easy-rsa" Tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), the server key (server.key) and the server certificate (server.crt) to the VPN server
Copy the CA certificate, the client key and the client certificate to the VPN client
The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 Demo Box
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & Keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
- The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
- The compatible wireless cards are:
Supplier | Model name
ASUS | WL-107g
CNET | CWC-854 (181D version)
Edimax | EW-7108PCg
Amigo | AWP-914WG
Gigabyte | GN-WMKG
Others which use the Ralink chipset
Thank You
1-7-1 CA Certificate
[Diagram: the certification server (CA) generates a key pair (Priv, Pub); the user requests a certificate from the CA; the CA generates the certificate, i.e. the user's Pub plus the CA's digital signature (DS) = Cert; the private key and the certificate are sent to the user]
Right Cert: signed by the CA
Left Cert: signed by the CA
CA Pub Key: signed by the CA itself
1-7-1 CA Certificate Example
[Diagram: the CA holds the CA private key. Left holds the Left private key, the Left Cert signed by the CA and the CA Pub Key; Right holds the Right private key, the Right Cert signed by the CA and the CA Pub Key. Left and Right trust each other's certificate because each verifies it with the CA Pub Key it already holds]
1-7-2 SSL/TLS
[Diagram: each side holds its own key pair (Priv, Pub) and the other side's Pub; clear text is encrypted twice (Cipher 1, then Cipher 2), transmitted over the public network, and decrypted in reverse order (Cipher 2, then Cipher 1) back to clear text]
Ensures confidentiality
- And integrity, if digitally signed
Depending on how the public keys are exchanged:
- Authenticity, identity, non-repudiation
1-8 Moxa UC-7400: Hardware Cipher
Intel XScale supports:
- Security engines: DES, AES
- Algorithm modes: ECB, CBC, CTR
Moxa wraps the hardware acceleration inside the algorithm APIs of "libcrypto.so"
- No need to change the source code
1-8-1 Moxa Accelerated Algorithms (OpenSSL 0.9.7)
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
- We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too
1-8-2 Performance
[Charts: throughput and rate of 3DES-CBC and AES-128-CBC, software versus hardware cipher, plotted against packet size; one pair of charts covers 128 to 1280 bytes and one pair covers 16 to 144 bytes; "= HW Cipher" marks the hardware series]
1-8-3 Things to Be Noticed
The Moxa UC-7400 switches operations between the software and the hardware approaches:
- Default: hardware approach
- Any misconfiguration, or the engine being busy, causes the switch to software
Small packets are switched to the software approach:
- DES: packets under 128 bytes
- 3DES/AES: packets under 64 bytes
1-8-4 Software Package
Driver:
- mxhw_cipher.o
Device file:
- mknod /dev/mxcrypto c 11 131
Test program:
- io: correctness test
- io 0 5000: stability test
- io 1: golden pattern
- io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability:
- Open source (GPL)
- Full-featured SSL VPN solution
- Easy-to-configure secure tunnel
- NAT/DHCP support
- Can use a 2048-bit shared key or digital certificates (PKI)
Portability: supports most platforms
- Linux, Solaris, Mac OS X
- OpenBSD, FreeBSD, NetBSD
- Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers: each node with a client/server role
- Uses kernel routing
- Multiple clients
A user-space program
- A full-featured SSL-VPN solution
- Built on top of the existing SSL/TLS mechanism
- Choice among a set of security algorithms
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes:
- Static key: uses a pre-shared key
- SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
- SeqN: 64-bit sequence number
- IV: plain-text initialization vector, randomized per packet
Packet layout: [HMAC] [IV] [SeqN] [IP payload]; SeqN and the payload are encrypted, and the HMAC is computed over the IV and the ciphertext
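The framing just described, worked through as an added Python example (written for this edit; not Moxa's or OpenVPN's code): the sender builds [HMAC][IV][ciphertext(SeqN || payload)], and the receiver verifies the HMAC over the IV plus the ciphertext before it decrypts anything, then rejects any SeqN it has already accepted. The cipher is a toy HMAC-SHA256 keystream standing in for the real block cipher, the split of one pre-shared secret into cipher and HMAC keys is an assumption, and the replay check is a strict counter rather than OpenVPN's sliding window; the packets in demo() are constructed sample data.

```python
# Added example: OpenVPN-style static-key data-channel framing, encrypt-then-MAC,
# with a per-packet IV and a 64-bit sequence number checked for replay.
# A toy cipher (HMAC-SHA256 keystream) stands in for the real block cipher;
# the key split and the strict-counter replay rule are simplifications.
import hashlib
import hmac
import os
import struct

HMAC_LEN = 32   # SHA-256 tag
IV_LEN = 16     # per-packet random IV, sent in clear
SEQ_LEN = 8     # 64-bit SeqN, as on the slide


def derive_keys(static_key):
    """Split one pre-shared secret into a cipher key and an HMAC key (assumption of this example)."""
    return (hashlib.sha256(b"cipher" + static_key).digest(),
            hashlib.sha256(b"hmac" + static_key).digest())


def keystream(cipher_key, iv, length):
    """Toy CTR-style keystream: HMAC-SHA256(key, IV || counter).  Not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(cipher_key, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self, static_key):
        self.cipher_key, self.hmac_key = derive_keys(static_key)
        self.seq = 0

    def seal(self, payload):
        """Build [HMAC][IV][ciphertext(SeqN || payload)]."""
        self.seq += 1
        iv = os.urandom(IV_LEN)
        plain = struct.pack(">Q", self.seq) + payload
        ct = xor(plain, keystream(self.cipher_key, iv, len(plain)))
        tag = hmac.new(self.hmac_key, iv + ct, hashlib.sha256).digest()  # MAC over IV + ciphertext
        return tag + iv + ct


class Receiver:
    def __init__(self, static_key):
        self.cipher_key, self.hmac_key = derive_keys(static_key)
        self.highest_seq = 0

    def open(self, packet):
        """Return (payload, status); status is 'ok', 'too short', 'bad hmac' or 'replay'."""
        if len(packet) < HMAC_LEN + IV_LEN + SEQ_LEN:
            return None, "too short"
        tag = packet[:HMAC_LEN]
        iv = packet[HMAC_LEN:HMAC_LEN + IV_LEN]
        ct = packet[HMAC_LEN + IV_LEN:]
        expected = hmac.new(self.hmac_key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad hmac"       # dropped before any decryption
        plain = xor(ct, keystream(self.cipher_key, iv, len(ct)))
        seq = struct.unpack(">Q", plain[:SEQ_LEN])[0]
        if seq <= self.highest_seq:      # OpenVPN uses a sliding window; strict counter here
            return None, "replay"
        self.highest_seq = seq
        return plain[SEQ_LEN:], "ok"


def demo():
    """Constructed exchange: deliver, replay, tamper, then a fresh packet."""
    key = os.urandom(64)
    sender, receiver = Sender(key), Receiver(key)
    p1 = sender.seal(b"IP packet 1")
    p2 = sender.seal(b"IP packet 2")
    tampered = p2[:-1] + bytes([p2[-1] ^ 0x01])   # flip one ciphertext bit
    # returns ['ok', 'replay', 'bad hmac', 'ok']
    return [receiver.open(p1)[1], receiver.open(p1)[1],
            receiver.open(tampered)[1], receiver.open(p2)[1]]
```

The order of the checks is the point: a forged or corrupted packet costs the receiver one HMAC computation and no decryption, and a captured packet played back later fails on SeqN even though its HMAC is still valid.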
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
Right Cert signed by CA
Leftt Cert signed by CA
CA Pub Key signed by CA
1-7-1 CA Certificate Example1-7-1 CA Certificate Example
CACA Private Key
Left Right
Trusts
Left Priv Key signed by CA
CA Pub Key
Right Priv Key signed by CA
CA Pub KeyCA Pub Key Left Cert signed by CA
Right Cert signed by CA
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
1-7-2 SSLTLS1-7-2 SSLTLS
PrivPriv
pubpub PrivPriv
pubpub
Clear text
Encrypt
Cipher 1
Encrypt
Cipher 2
Transmission over the public network
Cipher 2
Cipher 1
Decrypt
Clear text
Decryptpubpub
Ensures confidentialitybull And integrity if digitally
signed
Depending on how public key are exchanged
bull Authenticity Identity Non-repudiation
pubpub
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance
[Figure: throughput charts, hardware cipher vs software. Left pair: 3DES-CBC and AES-128-CBC for packet sizes 128 to 1280 bytes, throughput scale 0 to 80 with the HW/SW rate (0 to 8) on the second axis. Right pair: AES-128-CBC and 3DES-CBC for packet sizes 16 to 144 bytes, throughput scale 0 to 8 with the rate (0 to 2.5) on the second axis. Legend: = HW Cipher.]
1-8-3 Things to be noticed
• The Moxa UC-7400 switches operations between the software and the hardware approaches
• Default: hardware approach
• Any mis-configuration, or the engine being busy, causes the switch to the software approach
• Small packets are switched to the software approach: DES below 128 bytes, 3DES/AES below 64 bytes
1-8-4 Software Package
• Driver: mxhw_cipher.o
• Device file: mknod /dev/mxcrypto c 11 131
• Test program: io (correctness test); io 0 5000 (stability test); io 1 (golden pattern); io 2 20000 (performance test)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
• VPN: a network that is constructed by using public wires (e.g. the Internet) to connect nodes
• A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
• A VPN allows the use of protocols which are insecure by themselves
• VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most of the platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Makes use of kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: use a pre-shared key
• SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout HMAC | IV | SeqN | IP payload; SeqN and the IP payload are encrypted, and the HMAC is computed over the fields that follow it.]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and Routing are the two methods of linking systems via a VPN
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
• Dynamic Firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
• Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
• Uses the kernel routing to forward the packets
[Figure: the seven OSI layers on both peers; OpenVPN runs at the application layer and the TUN device sits at the 3rd (Network) layer.]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see those machines on the other side of the VPN
4. Works only with IPv4 in general, and IPv6 in cases where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
• Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
• Bridge tools (brctl) are required to create the virtual adapters
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
• brctl addbr br0: create an Ethernet bridge
• brctl addif br0 eth1: connect interface eth1 as a port
• brctl addif br0 tap0: connect virtual interface tap0 as a port
[Figure: the seven OSI layers on both peers with bridging between them; OpenVPN runs at the application layer, TUN sits at the 3rd layer and TAP at the 2nd (Data-Link) layer; each side shows eth0, eth1 and tap0, with eth1 and tap0 joined into the bridge.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (hosts 10.0.1.1/24, gateway 10.0.1.254) sits behind the VPN Server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201. LAN B (hosts 10.0.2.1/24, gateway 10.0.2.254) sits behind the VPN Client, whose ixp1 is 10.0.2.254 and whose ixp0 is 192.168.12.202. The VPN tunnel connects the two ixp0 interfaces; a CA/TLS Server is also shown.]
3-1 Getting Started
• Create a working directory (recommended): mkdir /etc/openvpn
• Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
• Load the necessary modules: modprobe tun; modprobe bridge
• Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
• Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
• Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
• Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
• Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
• Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
• [At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
• Local/Remote VPN IP addresses must be specified
• It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
• Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/tunserver.sh
• [At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
• Start OpenVPN with the configuration file: openvpn --config /etc/tunserver.conf & ; openvpn --config /etc/tunclient.conf &
• The 2nd argument of "ifconfig", which is now "10.0.2.254"
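The contents of tunserver.conf and tunclient.conf were screenshots that did not survive extraction. As an added example (not Moxa's own files), the script below writes a static-key TUN pair for the lab topology above, with the client naming the server address and each end routing the far LAN through the tunnel, and refuses a key file whose permissions expose the shared secret. The tunnel endpoint addresses 10.8.0.1/10.8.0.2, UDP port 1194 and the file name static.key are assumptions, not values from the slides.

```sh
#!/bin/sh
# Added example, not Moxa's tunserver.conf/tunclient.conf: writes a static-key
# TUN configuration pair for the lab topology on the slides.
# Slide values: server ixp0 192.168.12.201 with LAN A 10.0.1.0/24 behind it,
# client ixp0 192.168.12.202 with LAN B 10.0.2.0/24 behind it.
# Assumed (not on the slides): tunnel endpoints 10.8.0.1/10.8.0.2,
# UDP port 1194, key file name static.key.

SERVER_WAN=192.168.12.201
LAN_A=10.0.1.0
LAN_B=10.0.2.0
MASK=255.255.255.0
TUN_SRV=10.8.0.1
TUN_CLI=10.8.0.2
KEYFILE=static.key

# common_directives: settings both ends share, printed to stdout.
common_directives() {
    cat <<EOF
dev tun
proto udp
port 1194
# pre-shared key made with: openvpn --genkey --secret $KEYFILE
secret $KEYFILE
# AES-CBC is one of the modes the UC-7400 hardware engine accelerates
cipher AES-128-CBC
# HMAC-SHA1 authenticates every packet (the HMAC field on the slides)
auth SHA1
# keep the tunnel alive and restart it when the peer disappears
keepalive 10 60
# keep key material and the tun device across restarts so privileges
# can be dropped right after start-up
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# write_tun_conf ROLE OUTDIR: writes OUTDIR/tunserver.conf or
# OUTDIR/tunclient.conf. The server only listens (no "remote"); the
# client names the server address, as the slide notes require, and each
# end routes the far LAN through the tunnel instead of its default gateway.
write_tun_conf() {
    role=$1
    out=$2
    case $role in
        server)
            {
                printf 'ifconfig %s %s\n' "$TUN_SRV" "$TUN_CLI"
                printf 'route %s %s\n' "$LAN_B" "$MASK"
                common_directives
            } > "$out/tunserver.conf"
            ;;
        client)
            {
                printf 'remote %s\n' "$SERVER_WAN"
                printf 'ifconfig %s %s\n' "$TUN_CLI" "$TUN_SRV"
                printf 'route %s %s\n' "$LAN_A" "$MASK"
                common_directives
            } > "$out/tunclient.conf"
            ;;
        *)
            echo "usage: write_tun_conf server|client OUTDIR" >&2
            return 2
            ;;
    esac
}

# check_key_perms FILE: the static key is a shared secret, so refuse to use
# one that is readable by group or others (mode must be 600 or 400).
check_key_perms() {
    perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $perms in
        600|400) return 0 ;;
        *)
            echo "$1: mode $perms is too permissive, use chmod 600" >&2
            return 1
            ;;
    esac
}
```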
• Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
• [At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
• Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
• Edit the static routes: vi /etc/openvpn/tunserver.sh
• [At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/tapclient.sh
• Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
• Start the bridge device: vi openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
• Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & ; openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS – Dynamic Keys
• Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-input default_days, default_bits, … etc.
• Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
• Create a new client private key and a new certificate request: /usr/share/ssl/misc/CA -newreq
• Certificate signing: /usr/share/ssl/misc/CA -sign
• Copy the CA root certificate, the client private key and the client certificate to the first client
• Have the second client certified the same way
3-4-2 OpenVPN – "easy-rsa" tools
• Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
• Modify the vars file: vi /etc/openvpn/easy-rsa/vars
• Activate the vars: . /etc/openvpn/easy-rsa/vars
• Create the CA root key: /etc/openvpn/easy-rsa/build-ca
• Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
• Create the VPN client private key and certificate: /etc/openvpn/build-key client
• Create Diffie-Hellman parameters: /etc/openvpn/build-dh 1024
• Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
• Copy the CA certificate, client key and certificate to the VPN client
• The "easy-rsa" tools also work on the UC7400 series
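As an added example (not the CA script of 3-4-1 or the easy-rsa scripts of 3-4-2), the script below performs the same CA, request and signing steps with plain openssl commands, then verifies why the server and client get separate certificates: a certificate issued for the client role is rejected when checked as an SSL server. The lab.cnf file, the CN values and the 365-day lifetime are constructed for this example.

```sh
#!/bin/sh
# Added example, not the CA or easy-rsa scripts from the slides: the same
# CA -> request -> sign steps done with plain openssl commands, followed by
# the check that makes the split into server and client certificates
# meaningful. Constructed for this example: the lab.cnf file, the CN values
# and the 365-day lifetime.

# build_lab_pki DIR: CA key pair, then server and client keys with
# certificates signed by that CA, all written under DIR.
build_lab_pki() {
    dir=$1
    mkdir -p "$dir"
    # minimal openssl config so the steps do not depend on the host's
    # /usr/share/ssl/openssl.cnf (the slides edit default_days etc. there)
    cat > "$dir/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. new CA root key pair, self-signed (the "CA -newca" step)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/lab.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key"
    # 2. private key + certificate request, 3. sign it with the CA
    #    (the "CA -newreq" and "CA -sign" steps), once per role. nsCertType
    #    records the role so a client certificate cannot pose as the server
    #    (what OpenVPN's ns-cert-type server directive checks).
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes \
            -config "$dir/lab.cnf" -subj "/CN=lab-$role" \
            -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null || return 1
        chmod 600 "$dir/$role.key"
        printf 'basicConstraints = CA:FALSE\nnsCertType = %s\n' "$role" \
            > "$dir/$role.ext"
        openssl x509 -req -days 365 -in "$dir/$role.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/$role.ext" -out "$dir/$role.crt" 2>/dev/null || return 1
    done
}

# verify_role DIR CERT PURPOSE: succeeds only if DIR/CERT chains to the lab
# CA and is acceptable for PURPOSE (sslserver or sslclient).
verify_role() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
}
```

The files it produces (ca.crt, server.key, server.crt, client.key, client.crt) map one-to-one onto the ones the easy-rsa slide copies to the VPN server and client.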
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
• Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
1-8 Moxa UC7400 - Hardware Cipher1-8 Moxa UC7400 - Hardware Cipher
Intel Xcale Supports bull Security Engines DES AESbull Algorithm methods ECB CBC ECR
Moxa wrap hardware acceleration inside algorithm APIs of ldquolibcryptosordquo bull No need to change the source codes
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
1-8-1 Moxa Accelerated Algorithm 1-8-1 Moxa Accelerated Algorithm ndash OpenSSL 097 ndash OpenSSL 097
DES_cbc_encrypt
DES_ede3_cbc_encrypt
AES_cbc_encrypt
AES_ctr_encrypt
bull We wrap ECB mode at a higher level (libsslso) which openssl wraps too
1-8-2 Performance1-8-2 Performance
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
83DESCBC3DESCBCRATE
0
10
20
30
40
50
60
70
80
128 256 384 512 640 768 896 1024 1152 12800
1
2
3
4
5
6
7
8AES128CBCAES128CBCRATE
0
1
2
3
4
5
6
7
8
16 32 64 80 96 112 128 1440
05
1
15
2
25AES128CBC
AES128CBC
RATE
012
3456
789
16 32 64 80 96 112 128 1440
05
1
15
2
253DESCBC
3DESCBC
RATE
= HW Cipher
1-8-3 Things to be noticed1-8-3 Things to be noticed
Moxa UC-7400 switches the operations between the software and the hardware approachesbull Default Hardware Approachbull Any mis-configuration or business causes the
switch
Small packets are switched to software approachbull DES 128 bytesbull 3DESAES 64 bytes
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client
The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
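What build-ca, build-key server and build-key client produce, and the check each VPN peer then performs against the ca.crt it was given, as an added Go example that is not part of the original slides or of easy-rsa: BuildCA makes the self-signed root, BuildKey has the CA sign a server or client leaf, and VerifyPeer chains a peer certificate back to the CA. The extended-key-usage role check, the RSA-2048 key size and the validity periods are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Identity pairs a private key with its certificate, like the ca.key/ca.crt,
// server.key/server.crt and client.key/client.crt files easy-rsa writes.
type Identity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// sign has signer (the CA, or the new key itself for a self-signed root)
// issue the certificate described by tmpl for key's public half.
func sign(tmpl, parent *x509.Certificate, key, signer *rsa.PrivateKey) (*Identity, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// BuildCA is the counterpart of build-ca: a self-signed root whose only
// permitted use is signing other certificates (and CRLs).
func BuildCA(name string) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // key size assumed for the example
	if err != nil {
		return nil, err
	}
	now := time.Now().Add(-time.Minute) // tolerate small clock differences
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return sign(tmpl, tmpl, key, key)
}

// BuildKey is the counterpart of "build-key server" / "build-key client":
// the CA signs a new leaf. The extended key usage records the role, so a
// client certificate cannot later be presented as the server's.
func BuildKey(ca *Identity, name string, server bool, serial int64) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	role := x509.ExtKeyUsageClientAuth
	if server {
		role = x509.ExtKeyUsageServerAuth
	}
	now := time.Now().Add(-time.Minute)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now,
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{role},
	}
	return sign(tmpl, ca.Cert, key, ca.Key)
}

// VerifyPeer is the check an endpoint performs with the ca.crt it was given:
// the peer's certificate must chain to that CA and carry the expected role.
// A certificate from any other CA, an expired one, or the wrong role is rejected.
func VerifyPeer(caCert, peer *x509.Certificate, wantServer bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	role := x509.ExtKeyUsageClientAuth
	if wantServer {
		role = x509.ExtKeyUsageServerAuth
	}
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{role},
	})
	return err
}
```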
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500°C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports the Intersil Prism 2.0 chipset PCMCIA card
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
1-8-2 Performance
[Figure: throughput charts. First pair of panels: 3DES-CBC and AES128-CBC at packet sizes 128 to 1280 bytes (throughput on the left axis, 0 to 80; RATE on the right axis, 0 to 8). Second pair: AES128-CBC and 3DES-CBC at packet sizes 16 to 144 bytes (throughput 0 to 8; RATE 0 to 2.5). Legend: marked series = HW cipher.]
1-8-3 Things to be noticed
The Moxa UC-7400 switches operation between the software and the hardware approaches
• Default: hardware approach
• Any misconfiguration or busy state causes the switch
Small packets are switched to the software approach
• DES: 128 bytes
• 3DES/AES: 64 bytes
1-8-4 Software Package
Driver
• mxhw_cipher.o
Device file
• mknod /dev/mxcrypto c 11 131
Test program
• io: correctness test
• io 0 5000: stability test
• io 1: golden pattern
• io 2 20000: performance test
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages/Disadvantages
A VPN is a network constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• On top of the existing SSL/TLS mechanism
• Options between a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
Packet layout: HMAC | IV | encrypt( SeqN | IP packet payload ), where the HMAC is computed over the IV and the encrypted part
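The static-key data-channel format just described, as an added Go example that is not code from the original training material: Seal builds HMAC | IV | AES-128-CBC( SeqN | payload ), and Open verifies the HMAC before it decrypts anything and then rejects a replayed or out-of-order sequence number. The example keys, the strictly increasing replay rule and the PKCS#7 padding are assumptions of the example; OpenVPN derives separate per-direction keys from the static key file and uses a replay window.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// Constructed example keys. A real static key comes from "openvpn --genkey
// --secret"; OpenVPN slices separate cipher and HMAC keys out of that file.
var (
	cipherKey = []byte("0123456789abcdef")                 // AES-128 key, 16 bytes
	hmacKey   = []byte("constructed-hmac-key-for-example") // HMAC-SHA1 key
)

// cipherKey is fixed at 16 bytes above, so this cannot fail.
var block, _ = aes.NewCipher(cipherKey)

const (
	hmacLen = sha1.Size     // 20-byte authentication tag
	ivLen   = aes.BlockSize // 16-byte per-packet IV, sent in the clear
)

// CBC needs whole blocks; PKCS#7 padding is assumed here.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Seal builds one data-channel packet: HMAC | IV | AES-128-CBC( SeqN | payload ).
// The HMAC covers the IV and the ciphertext, so the receiver authenticates first.
func Seal(seq uint64, payload []byte) ([]byte, error) {
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	plain := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(plain, seq) // SeqN: 64-bit sequence number
	copy(plain[8:], payload)               // the tunnelled IP packet
	plain = pkcs7Pad(plain)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	mac := hmac.New(sha1.New, hmacKey)
	mac.Write(iv)
	mac.Write(ct)
	return append(append(mac.Sum(nil), iv...), ct...), nil
}

// Receiver remembers the highest SeqN accepted so that a captured packet replayed
// later is dropped (OpenVPN keeps a sliding window; strictly increasing is simpler).
type Receiver struct {
	lastSeq uint64
	seen    bool
}

// Open authenticates in constant time, then decrypts, then checks SeqN;
// any failure drops the packet with an error and leaves the receiver state unchanged.
func (r *Receiver) Open(pkt []byte) ([]byte, error) {
	body := len(pkt) - hmacLen - ivLen
	if body < aes.BlockSize || body%aes.BlockSize != 0 {
		return nil, errors.New("malformed packet length")
	}
	tag, iv, ct := pkt[:hmacLen], pkt[hmacLen:hmacLen+ivLen], pkt[hmacLen+ivLen:]
	mac := hmac.New(sha1.New, hmacKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("HMAC mismatch: dropped before decryption")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	plain, err := pkcs7Unpad(plain)
	if err != nil || len(plain) < 8 {
		return nil, errors.New("malformed plaintext")
	}
	seq := binary.BigEndian.Uint64(plain[:8])
	if r.seen && seq <= r.lastSeq {
		return nil, errors.New("replay: SeqN not above the last accepted one")
	}
	r.lastSeq, r.seen = seq, true
	return plain[8:], nil
}
```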
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard - multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device): a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Figure: the OSI stacks of the two peers (Physical to Application); OpenVPN runs at the application layer and the TUN device sits at the network layer (3rd).]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see the machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 in cases where the TUN drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 – create an Ethernet bridge
brctl addif br0 eth1 – connect interface eth1 as a port
brctl addif br0 tap0 – connect virtual interface tap0 as a port
[Figure: the OSI stacks of the two peers (Physical to Application); OpenVPN runs at the application layer, the TAP device sits at the data-link layer (2nd) and TUN at the network layer (3rd). On each side eth1 and tap0 are bridged, while eth0 carries the tunnel.]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point-to-point, point-to-multipoint
2 Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (IP 10.0.1.1/24, gw 10.0.1.254) connects via ixp1 to the [VPN Server] at 10.0.1.254, whose ixp0 is 192.168.12.201; the VPN tunnel connects to ixp0 192.168.12.202 on the [VPN-Client] at 10.0.2.254, whose ixp1 serves LAN B (IP 10.0.2.1/24, gw 10.0.2.254). A [CA/TLS Server] is also shown.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the cipher/authentication support: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routings: vi /etc/openvpn/tunserver.sh
chmod +x /etc/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/tunclient.sh
1-8-4 Software Package1-8-4 Software Package
Driverbull mxhw_ciphero
Device Filebull mknod devmxcrypto c 11 131
Test Programbull io correctness test bull io 0 5000 stability test bull io 1 golden pattern bull io 2 20000 performance test
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars (source the file): . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN Server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN Client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN Server
Copy the CA certificate, client key and client certificate to the VPN Client
The "easy-rsa" tools also work on the UC-7400 series
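The easy-rsa steps above (build-ca, build-key for the server and the client) hide what openssl does underneath. The script below is an added illustration, not the training material's or easy-rsa's own scripts: it builds the same three-part PKI with plain openssl commands and adds the check a client should be able to make. Only a certificate issued with the server extension section carries nsCertType=server; easy-rsa's build-key-server sets it, plain build-key (as used on the slide) does not, and the OpenVPN 2.0 client option "ns-cert-type server" refuses a server whose certificate lacks it, so one client certificate cannot be used to impersonate the server. Key sizes, lifetimes and the CN values are assumptions.

```shell
#!/bin/sh
# Minimal OpenVPN PKI (CA, server, client) with plain openssl.
# Added illustration, not the training material's or easy-rsa's scripts.
# Assumptions: 2048-bit RSA keys, 10-year CA / 1-year leaf lifetime, CNs
# "Lab-CA", "server" and "client".
set -e

# build_pki DIR : creates ca.crt, server.key/crt and client.key/crt in DIR
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # extension sections; [server] mirrors easy-rsa's server profile
    cat > "$dir/ext.cnf" <<'EOF'
[server]
basicConstraints=CA:FALSE
nsCertType=server
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
[client]
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
EOF
    # build-ca: self-signed CA root key pair
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Lab-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # build-key-server / build-key: key + request, signed by the CA
    issue_cert "$dir" server server
    issue_cert "$dir" client client
}

# issue_cert DIR NAME SECTION : NAME.key and NAME.crt carrying SECTION's extensions
issue_cert() {
    dir=$1 name=$2 section=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/ext.cnf" -extensions "$section" \
        -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"   # a private key is copied to exactly one host
}

# chain_ok DIR NAME : NAME.crt verifies against DIR/ca.crt
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# is_server_cert DIR NAME : nsCertType=server present (what "ns-cert-type server" checks)
is_server_cert() {
    openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null | grep -q 'SSL Server'
}
```

After build_pki, ca.crt plus server.key/server.crt go to the VPN Server and ca.crt plus client.key/client.crt to the VPN Client, exactly as the slide's copy steps say; the Diffie-Hellman parameters (build-dh) are generated separately with openssl dhparam.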
3-4-3 Configuration File Modification
txx/server.conf
txx/client.conf
(txx stands for the tun or tap directory)
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier | Model name
ASUS | WL-107g
CNET | CWC-854 (181D version)
Edimax | EW-7108PCg
Amigo | AWP-914WG
Gigabyte | GN-WMKG
Others | cards which use the Ralink chipset
Thank You
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
2) OpenVPN 2.0
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network
2-1 VPN Advantages / Disadvantages
VPN: a network constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• built on top of the existing SSL/TLS mechanism
• a choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two authentication modes
• Static Key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as
• SeqN: 64-bit sequence number
• IV: plain-text initialization vector, randomized per packet
[Packet layout: HMAC | IV | SeqN | IP payload. SeqN and the payload are encrypted; the HMAC is computed over the IV and the encrypted part.]
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• portability across operating systems
• firewall and NAT-friendly
• dynamic address support
IPSec
• Kernel-space IP stack
• each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN:
• Routed IP tunnels (layer 3)
• Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device: a virtual point-to-point IP link that combines the inner interface together with TUN
Uses the kernel routing to forward the packets
[Figure: the OSI stacks (Physical to Application) of the two peers; OpenVPN runs at the application layer and the TUN device attaches at layer 3]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode; a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the bridge
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 : create an Ethernet bridge
brctl addif br0 eth1 : connect interface eth1 as a port
brctl addif br0 tap0 : connect virtual interface tap0 as a port
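The three brctl lines above are the core of the openvpn-bridge start/stop script the configuration slides refer to. The script below is an added illustration of such a script, not Moxa's own openvpn-bridge: it also creates the persistent tap0 device, strips the IP address off both bridge ports and moves the LAN address 10.0.1.254 onto br0, which is where the kernel routing has to point once eth1 is a bridge port. The interface names and the address follow the slides; DRY_RUN is an addition so the command sequence can be inspected without root or real interfaces.

```shell
#!/bin/sh
# Start/stop script in the style of the openvpn-bridge script on the slides:
# binds eth1 and tap0 into br0 and moves the LAN address onto the bridge.
# Added illustration, not Moxa's own openvpn-bridge. Interface names and
# 10.0.1.254/24 follow the slides; DRY_RUN is an addition for inspection.
set -e

BR=br0
ETH=eth1           # physical LAN port that joins the bridge
TAP=tap0           # virtual adapter OpenVPN reads and writes
ADDR=10.0.1.254    # LAN-side address, lives on br0, not on eth1
MASK=255.255.255.0

# run CMD ARGS... : execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

bridge_start() {
    run openvpn --mktun --dev "$TAP"               # persistent TAP device (OpenVPN 2.0)
    run brctl addbr "$BR"                          # create the Ethernet bridge
    run brctl addif "$BR" "$ETH"                   # eth1 becomes a bridge port
    run brctl addif "$BR" "$TAP"                   # tap0 becomes a bridge port
    run ifconfig "$ETH" 0.0.0.0 promisc up         # ports carry no IP address of their own
    run ifconfig "$TAP" 0.0.0.0 promisc up
    run ifconfig "$BR" "$ADDR" netmask "$MASK" up  # kernel routing now points at br0
}

bridge_stop() {
    run ifconfig "$BR" down
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
}

if [ $# -gt 0 ]; then
    case "$1" in
        start)   bridge_start ;;
        stop)    bridge_stop ;;
        restart) bridge_stop; bridge_start ;;
        *) echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
    esac
fi
```

Run it as "openvpn-bridge start" before starting OpenVPN in TAP mode, as the TAP slides do; "DRY_RUN=1 ./openvpn-bridge start" prints the seven commands in the order they would run.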
[Figure: the OSI stacks (Physical to Application) of the two peers with bridging; OpenVPN runs at the application layer, the TAP device attaches at layer 2 (TUN would attach at layer 3), and on each peer eth1 and tap0 are joined by the bridge while eth0 is labelled separately]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1. Point-to-point, point-to-multipoint
2. Broadcasts traverse the VPN; this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3. No route statements to configure
4. Works when the VPN needs to be able to handle non-IP protocols such as IPX, NetWare and AppleTalk
5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1. Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Diagram: LAN A (host 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server, whose ixp1 is 10.0.1.254 and whose ixp0 is 192.168.12.201; the VPN tunnel connects ixp0 to the VPN Client's ixp0 192.168.12.202; the client's ixp1 10.0.2.254 is the gateway of LAN B (host 10.0.2.1/24, gw 10.0.2.254); a CA/TLS server is also shown]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is missing: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers/authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tun/server.conf
[At VPN Client] vi /etc/openvpn/tun/client.conf
3-2 TUN Server Configuration
The local and remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN Client
3-2 TUN Server Configuration
Edit the static routings: vi /etc/openvpn/tun/server.sh
chmod +x /etc/openvpn/tun/server.sh
[At VPN Client] vi /etc/openvpn/tun/client.sh; chmod +x /etc/openvpn/tun/client.sh
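The TUN slides describe a static-key configuration file on each side, a route script on each side, and the rule that the client's "ifconfig" pair is the server's pair reversed. The script below is an added illustration, not one of the training files: it writes such a pair for the LAN A / LAN B lab and checks the mirroring rule. The LAN addresses and the server's public address 192.168.12.201 follow the slides; the tunnel endpoint addresses 10.8.0.1/10.8.0.2, the key path and the cipher are assumptions (confirm the cipher with "openvpn --show-ciphers" on the target, as the Getting Started slide does, since older OpenSSL builds lack AES).

```shell
#!/bin/sh
# Writes a mirrored pair of OpenVPN 2.0 static-key TUN configuration files
# plus the two "up" route scripts for the LAN A (10.0.1.0/24) / LAN B
# (10.0.2.0/24) lab. Added illustration, not the training material's files.
# Assumptions: tunnel endpoints 10.8.0.1 (server) and 10.8.0.2 (client),
# key at /etc/openvpn/static.key, cipher AES-256-CBC.
set -e

# write_tun_pair DIR : creates DIR/tun/{server,client}.conf and {server,client}.sh
write_tun_pair() {
    dir=$1
    mkdir -p "$dir/tun"
    # server: no "remote" line; local 10.8.0.1, peer 10.8.0.2; route to LAN B via the peer
    write_conf "$dir/tun/server.conf" "" 10.8.0.1 10.8.0.2 "$dir/tun/server.sh"
    write_route "$dir/tun/server.sh" 10.0.2.0 10.8.0.2
    # client: the same pair reversed, plus the server's public address
    write_conf "$dir/tun/client.conf" 192.168.12.201 10.8.0.2 10.8.0.1 "$dir/tun/client.sh"
    write_route "$dir/tun/client.sh" 10.0.1.0 10.8.0.1
    chmod +x "$dir/tun/server.sh" "$dir/tun/client.sh"
}

# write_conf FILE REMOTE LOCAL_IP PEER_IP UP_SCRIPT (REMOTE empty on the server)
write_conf() {
    out=$1 remote=$2 local_ip=$3 peer_ip=$4 up=$5
    {
        echo "dev tun"
        if [ -n "$remote" ]; then echo "remote $remote"; fi   # client only
        echo "port 1194"
        echo "ifconfig $local_ip $peer_ip"     # own tunnel address, then the peer's
        echo "secret /etc/openvpn/static.key"  # made with: openvpn --genkey --secret
        echo "cipher AES-256-CBC"
        echo "auth SHA1"
        echo "user nobody"                     # drop root once the TUN device is open
        echo "group nobody"
        echo "persist-key"                     # restarts must work without root
        echo "persist-tun"
        echo "up $up"                          # static routes are added on tunnel-up
        echo "verb 3"
    } > "$out"
}

# write_route FILE NET GW : one-line "up" script routing NET/24 via the peer's tunnel address
write_route() {
    printf '#!/bin/sh\nroute add -net %s netmask 255.255.255.0 gw %s\n' "$2" "$3" > "$1"
}

# mirrored DIR : succeeds only if the client's ifconfig pair is the server's reversed
mirrored() {
    s=$(awk '$1 == "ifconfig" { print $2, $3 }' "$1/tun/server.conf")
    c=$(awk '$1 == "ifconfig" { print $3, $2 }' "$1/tun/client.conf")
    [ -n "$s" ] && [ "$s" = "$c" ]
}
```

Generating both files from one function is the point: when the two peers are edited by hand, a mismatched ifconfig pair is the most common reason the tunnel comes up but no traffic crosses it, and "mirrored" catches that before either side is started.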
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
2) OpenVPN 20 2) OpenVPN 20
2-1 Virtual Private Network
2-2 Why OpenVPN
2-3 OpenVPN Modes
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
2-1 Virtual Private Network2-1 Virtual Private Network
2-1 VPN AdvantagesDisadvantage2-1 VPN AdvantagesDisadvantage
VPN a network that is constructed by using public wires (eg internet) to connect nodes
VPN encrypt all network traffic not just a few application protocols (like SSL SSH etc)
VPN allows the usage of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
2-1 VPN Advantages/Disadvantages
VPN: a network constructed by using public wires (e.g. the Internet) to connect nodes
A VPN encrypts all network traffic, not just a few application protocols (as SSL, SSH, etc. do)
A VPN allows the use of protocols which are insecure by themselves
VPNs cannot be controlled and logged easily because of their encrypted nature
2-2 Why OpenVPN
Usability
• Open Source (GPL)
• Full-featured SSL VPN solution
• Easy to configure a secure tunnel
• NAT/DHCP support
• Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
• Linux, Solaris, Mac OS X
• OpenBSD, FreeBSD, NetBSD
• Windows 2000 SP4 / Windows XP SP1 or later
2-2 Why OpenVPN
Peers – each node with a client/server role
• Uses kernel routing
• Multiple clients
A user-space program
• A full-featured SSL-VPN solution
• Built on top of the existing SSL/TLS mechanism
• A choice among a set of security algorithms
• Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port
2-2 OpenVPN Security
Two Authentication Modes
• Static Key: uses a pre-shared key
• SSL/TLS: uses SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as:
• SeqN: 64-bit sequence number
• IV: plain-text initial vector, randomized per packet
[Figure: packet layout]
  HMAC | IV | SeqN | IP payload
              \___ encrypted ___/
         \______ covered by the HMAC ______/
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard – multi-vendor support
2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN:
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (a TUN device): a virtual point-to-point IP link; the inner interface is combined with the TUN device
Uses the kernel routing table to forward the packets
[Figure: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application), one per tunnel end; OpenVPN runs at the Application layer and the TUN device attaches at layer 3 (Network)]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1 Point-to-point
2 Easier to configure
3 Efficiency and scalability
4 Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1 Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2 Routes must be set up linking each subnet
3 Software that depends on broadcasts will not see the machines on the other side of the VPN
4 Works only with IPv4 in general, and with IPv6 in cases where the tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses “TAP” mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to bridge the virtual adapter to the physical one
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0        (create an Ethernet bridge)
brctl addif br0 eth1   (connect interface eth1 as a port)
brctl addif br0 tap0   (connect virtual interface tap0 as a port)
[Figure: two OSI stacks (Physical, Data-Link, Network, Transport, Session, Presentation, Application), one per tunnel end; OpenVPN runs at the Application layer; TUN attaches at layer 3, TAP at layer 2 (Data-Link); on each side eth1 and tap0 are bridged, while eth0 carries the tunnel]
2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages
1 Point-to-point and point-to-multipoint
2 Broadcasts traverse the VPN -- this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure
4 Works when the VPN needs to be able to handle non-IP protocols such as IPX, Netware and AppleTalk
5 Relatively easy-to-configure solution for road warriors
Bridging disadvantages
1 Less efficient than routing and does not scale well
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSL/TLS – X.509 Dynamic Keys
3-1 Getting Started
[Figure: lab topology. LAN A (host IP 10.0.1.1/24, gw 10.0.1.254) sits behind the VPN Server (ixp1 = 10.0.1.254, ixp0 = 192.168.12.201); LAN B (host IP 10.0.2.1/24, gw 10.0.2.254) sits behind the VPN Client (ixp1 = 10.0.2.254, ixp0 = 192.168.12.202); the client connects to the server through the VPN Tunnel between the ixp0 interfaces; a CA/TLS Server is also shown]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device “tun”; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or vi /etc/sysctl.conf and set “net.ipv4.ip_forward = 1”
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers/authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local/remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh
chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &  (and at the client) openvpn --config /etc/openvpn/tunclient.conf &
The 2nd argument of “ifconfig” is now “10.0.2.254”
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration – VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh; chmod +x /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &  (and at the client) openvpn --config /etc/openvpn/tapclient.conf &
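As an added example (not the Moxa openvpn-bridge script the slides refer to), a small start/stop script that performs the bridge steps of sections 2-3-2 and 3-3 above. The persistent tap0 created with openvpn --mktun, the move of the 10.0.1.254/24 address from eth1 onto br0, the prerequisite check and the DRY_RUN switch are assumptions of this example, not taken from the page:

```shell
#!/bin/sh
# Added example, not the Moxa openvpn-bridge script: bind eth1 and tap0 into
# the bridge br0 and give br0 the LAN gateway address (br0 = 10.0.1.254).
# Names and addresses below are the deck's lab values; override via env.
BR=${BR:-br0}
ETH=${ETH:-eth1}
TAP=${TAP:-tap0}
BR_ADDR=${BR_ADDR:-10.0.1.254}
BR_MASK=${BR_MASK:-255.255.255.0}

# DRY_RUN=1 prints each command instead of executing it (review / test aid).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# The 3-1 "Getting Started" prerequisites: bridge tools and the TUN/TAP
# character device (mknod /dev/net/tun c 10 200; modprobe tun bridge).
check_prereqs() {
  command -v brctl >/dev/null 2>&1 || { echo "brctl not found" >&2; return 1; }
  [ -c /dev/net/tun ] || { echo "/dev/net/tun missing" >&2; return 1; }
  return 0
}

bridge_start() {
  run openvpn --mktun --dev "$TAP"            # persistent tap0 (assumed)
  run brctl addbr "$BR"                       # create the Ethernet bridge
  run brctl addif "$BR" "$ETH"                # eth1 becomes a bridge port
  run brctl addif "$BR" "$TAP"                # tap0 becomes a bridge port
  run ifconfig "$ETH" 0.0.0.0 promisc up      # ports carry no address
  run ifconfig "$TAP" 0.0.0.0 promisc up
  run ifconfig "$BR" "$BR_ADDR" netmask "$BR_MASK" up   # br0 = 10.0.1.254
}

bridge_stop() {
  run ifconfig "$BR" down
  run brctl delif "$BR" "$TAP"
  run brctl delif "$BR" "$ETH"
  run brctl delbr "$BR"
  run openvpn --rmtun --dev "$TAP"
  run ifconfig "$ETH" "$BR_ADDR" netmask "$BR_MASK" up  # address back on eth1
}

case "${1:-}" in
  start)   check_prereqs && bridge_start ;;
  stop)    bridge_stop ;;
  restart) bridge_stop; check_prereqs && bridge_start ;;
  "")      : ;;   # no argument: only define the functions (sourced / tested)
  *)       echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Run it as `DRY_RUN=1 ./openvpn-bridge.sh start` first to review the exact brctl/ifconfig sequence before touching the live interfaces.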
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, ... etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client's certificate issued the same way
3-4-2 OpenVPN – “easy-rsa” tools
Copy “easy-rsa” to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN – “easy-rsa” tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN Server
Copy the CA certificate, client key and client certificate to the VPN Client
The “easy-rsa” tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a Power Meter and a Thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in ‘burn-in mode’ to demonstrate the UC’s high performance and reliability
Demo Box Features
Software Block Diagram
Temperature Range: 0 to 500°C
Left side for the high range: 0 to 300 VDC; right side for the low range: 0 to 20 VDC
UC’s LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN’s IP → Wi-Fi’s IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420’s built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914W
Gigabyte    GN-WMKG
Others which use the Ralink chip set
Thank You
2-2 Why OpenVPN2-2 Why OpenVPN
Usabilitybull Open Source (GPL)bull Full featured SSL VPN Solutionbull Easy to configure secure tunnelbull NATDHCP supportbull Can use a 2048 bit shared key or
digital certificates (PKI)
Portability ndash Supports most of the platformsbull Linux Solaris Mac OS Xbull OpenBSD FreeBSD NetBSDbull Windows2000-SP4WindowsXP-SP1 or later
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
2-2 Why OpenVPN2-2 Why OpenVPN
Peers ndash each node with a clientserver rolebull In use of kernel routingbull Multiple clients
A user-space programbull A full-featured SSL-VPN solutions
bull on top of existing SSLTLS mechanism bull options between a set of security algorithms
bull Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (50001194) or TCP port
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
2-2 OpenVPN Security 2-2 OpenVPN Security
Two Authentication Modesbull Static Key Use pre-shared bull SSLTLS Use SSLTLS + Certificates for
bull Authentication bull Key exchange
The encrypted packet is formatted asbull SeqN 64-bit sequence numberbull IV plain text initial vector randomized per packet
HMAC IV SeqN V IPs payload
encrypt
HMACW IPs
2-2 OpenVPN vs IPSec2-2 OpenVPN vs IPSec
OpenVPNbull User-space daemonbull SSLTLSbull portability across
operating systemsbull firewall and NAT-
friendly bull dynamic address
support
IPSecbull Kernel-space IP stack bull each operating system
requires its own independent implementation of IPSec
bull IETF Standard - multi-vendor support
2-3 OpenVPN Modes2-3 OpenVPN Modes
Bridging and Routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for Connectionsbull Site-to-Sitebull Dynamic Site-to-Sitebull (Dynamic) Client-to-Site
Dynamic FirewallNATDHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN Mode(device) a virtual point-to-point IP link that combines the inner interface together with TUN
Use the kernel routings to forward the packets
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
ApplicationOpenVPN
TUN (3rd)
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device node: ls /dev/net and look for the character device "tun"; if it is missing: mkdir -p /dev/net; mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]; keep the file mode 0600 and copy it to the peer only over a trusted channel, since anyone holding it can decrypt every session
Self diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start | stop | restart]
Check the ciphers and authentication (HMAC) digests supported by the build: openvpn --show-ciphers; openvpn --show-digests (both ends must agree on a cipher and a digest from these lists)
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
Local/remote VPN IP addresses must be specified ("ifconfig <local tunnel IP> <remote tunnel IP>"); the client uses the same two addresses in the opposite order
It is NECESSARY to specify the server address ("remote <server ixp0 address>") at the VPN client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh (OpenVPN 2.0's "route" directive can install these instead of a script)
chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tunclient.conf &
Callout on the slide: the 2nd argument of "ifconfig" (the remote tunnel endpoint) is now "10.0.2.254"
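The two configuration files the TUN steps above describe, written out as an added example (this is not code from the Moxa slides): a shell script that produces a matching static-key tunserver.conf / tunclient.conf pair for the lab topology (server reachable at 192.168.12.201, LAN A 10.0.1.0/24 behind the server, LAN B 10.0.2.0/24 behind the client) and checks that the two "ifconfig" lines mirror each other, the mistake the "2nd argument of ifconfig" callout is about. The tunnel endpoint addresses 10.8.0.1/10.8.0.2, the key path /etc/openvpn/static.key and the nobody account are assumptions. The "route" directives take the place of the tunserver.sh / tunclient.sh static-route scripts: OpenVPN installs each route via the remote ifconfig address when the tunnel comes up.

```shell
#!/bin/sh
# Added example (not from the Moxa slides): write a matching static-key TUN
# site-to-site pair for the lab topology and check that the two ends mirror.
SERVER_PUBLIC=192.168.12.201               # server's ixp0, the address the client dials
LAN_A=10.0.1.0; LAN_B=10.0.2.0; MASK=255.255.255.0
TUN_SERVER=10.8.0.1; TUN_CLIENT=10.8.0.2    # assumed tunnel endpoint addresses
KEY=/etc/openvpn/static.key                 # assumed path of the "openvpn --genkey" output

# Settings both ends share. Static-key mode has no forward secrecy: whoever holds
# static.key can decrypt every session, so keep it mode 0600 and move it to the
# peer over an already-trusted channel, never over FTP or telnet.
# Lines starting with # inside the heredoc are OpenVPN config comments.
common_settings() {
    cat <<EOF
dev tun
proto udp
secret $KEY
# cipher/auth must be listed by "openvpn --show-ciphers" / "--show-digests" on
# BOTH units; if an older OpenSSL build lacks AES, use the strongest it does list
cipher AES-256-CBC
auth SHA1
keepalive 10 60
# persist-key/persist-tun let the daemon restart the tunnel after dropping root
persist-key
persist-tun
# least privilege after setup; both accounts must exist on the UC
user nobody
group nobody
verb 3
EOF
}

gen_tun_configs() {   # $1 = output directory
    {
        echo "# VPN Server: ixp1 is the LAN A gateway"
        echo "port 1194"
        echo "ifconfig $TUN_SERVER $TUN_CLIENT"   # local tunnel address, then remote
        echo "route $LAN_B $MASK"                 # LAN B lies behind the remote endpoint
        common_settings
    } > "$1/tunserver.conf"
    {
        echo "# VPN Client: ixp1 is the LAN B gateway"
        echo "remote $SERVER_PUBLIC 1194"
        echo "ifconfig $TUN_CLIENT $TUN_SERVER"   # the server's pair, reversed
        echo "route $LAN_A $MASK"
        common_settings
    } > "$1/tunclient.conf"
}

# Print the two ifconfig arguments ("local remote") of a configuration file.
ifconfig_args() { awk '$1 == "ifconfig" { print $2, $3; exit }' "$1"; }

# True only when server-local == client-remote and server-remote == client-local.
check_tun_pair() {
    set -- $(ifconfig_args "$1") $(ifconfig_args "$2")
    [ $# -eq 4 ] && [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

if [ $# -eq 1 ]; then   # usage: sh gen-tun.sh /etc/openvpn
    gen_tun_configs "$1"
    check_tun_pair "$1/tunserver.conf" "$1/tunclient.conf" && echo "wrote matching pair in $1"
fi
```

Run it once on each unit (or once on a PC and copy the two files), then start OpenVPN with --config as in the step above; check_tun_pair is the test to run whenever one side's ifconfig line is edited.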
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration – VPN Server
Comment out this line if both VPN networks are in the same subnet (with a bridge the two LANs form one broadcast domain, so nothing has to be routed)
3-3 TAP Configuration – VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh; chmod +x /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
The routes point at the kernel routing entry of the bridge: br0 = 10.0.1.254
3-3 TAP Configuration – VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge
chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf &
[At VPN Client] openvpn --config /etc/openvpn/tapclient.conf &
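An openvpn-bridge style script of the kind the TAP steps above rely on, added here as an example (it is not Moxa's shipped script): it creates tap0, builds br0 from eth1 and tap0, and moves eth1's LAN address onto the bridge, following the brctl commands in 2-3-2. The address 10.0.1.254/24 for br0 is the server side of the lab topology; DRY_RUN=1, which prints the commands instead of running them, is an addition so the sequence can be reviewed without root. eth0, the tunnel uplink, is never added to the bridge: bridging it would splice the untrusted network into LAN A at layer 2.

```shell
#!/bin/sh
# Added example of an openvpn-bridge script for the UC-7400 (not the Moxa one).
# Run as root: openvpn-bridge start | stop | restart.  DRY_RUN=1 only prints.
BR=br0                 # bridge that OpenVPN's tap0 and the LAN port join
TAP=tap0               # "dev tap0" in tapserver.conf / tapclient.conf
ETH=eth1               # LAN side; eth0 (the tunnel uplink) must stay out of the bridge
ETH_IP=10.0.1.254      # server side of the lab: LAN A gateway address
ETH_NETMASK=255.255.255.0
ETH_BROADCAST=10.0.1.255

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

bridge_start() {
    run openvpn --mktun --dev "$TAP"          # persistent tap, so openvpn can drop root later
    run brctl addbr "$BR"
    run brctl addif "$BR" "$ETH"
    run brctl addif "$BR" "$TAP"
    run ifconfig "$TAP" 0.0.0.0 promisc up   # bridge ports carry no IP address of their own
    run ifconfig "$ETH" 0.0.0.0 promisc up
    run ifconfig "$BR" "$ETH_IP" netmask "$ETH_NETMASK" broadcast "$ETH_BROADCAST" up
}

bridge_stop() {
    run ifconfig "$BR" down
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    run ifconfig "$ETH" "$ETH_IP" netmask "$ETH_NETMASK" broadcast "$ETH_BROADCAST" up  # eth1 gets its address back
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    "")      ;;                               # no argument: only define the functions
    *)       echo "usage: $0 {start|stop|restart}" >&2 ;;
esac
```

On the client unit change ETH_IP/ETH_BROADCAST to the LAN B values (10.0.2.254 / 10.0.2.255); start the bridge before OpenVPN, because "dev tap0" in the configuration refers to the device this script creates.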
3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate request with the CA: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client (the private key must travel over a trusted channel and stay mode 0600; the CA's own private key never leaves the CA machine)
Repeat the request and signing steps for the second client
3-4-2 OpenVPN – "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars (KEY_SIZE sets the RSA and DH sizes; the 1024-bit default of that time is no longer adequate, use 2048 bits or more)
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key and certificate: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key-server server (unlike plain build-key this sets the nsCertType=server extension, which is what "ns-cert-type server" in the client configuration checks so that no other CA-signed certificate can pose as the server)
3-4-2 OpenVPN – "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh (the size comes from KEY_SIZE in vars, not from a command-line argument)
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client (ca.key stays on the CA machine)
"easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txxserver.conf (tunserver.conf or tapserver.conf): replace the "secret" line with ca, cert, key and dh, and add tls-server
txxclient.conf (tunclient.conf or tapclient.conf): replace the "secret" line with ca, cert and key, and add tls-client and ns-cert-type server
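Once the X.509 files are in place, whether TLS mode is actually safe is decided by a handful of lines in the two configuration files. The following shell function, an added example rather than anything from the slides, audits an OpenVPN 2.0 configuration for the points a reviewer checks: static-key ("secret") mode, a client that never verifies the server's role (without "ns-cert-type server" any client certificate signed by the same CA can impersonate the server), a TLS setup without "tls-auth", Diffie-Hellman parameters of 1024 bits or less, and no explicit "cipher" (OpenVPN 2.0 then falls back to BF-CBC, a 64-bit-block cipher). The three configuration files it is run against are constructed for the example; the weak client is written the way the slides describe it.

```shell
#!/bin/sh
# Added example: audit an OpenVPN 2.0 configuration file for the weak spots a
# reviewer looks for. Prints one finding per line; exit status = number of findings.

# has_directive FILE NAME: true if NAME appears as a directive (comment lines never match)
has_directive() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }
# directive_arg FILE NAME: first argument of the first NAME line, empty if absent
directive_arg() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

audit_openvpn_conf() {
    f=$1; n=0
    if has_directive "$f" secret; then
        echo "secret: static-key mode has no forward secrecy; a leaked key decrypts every session"
        n=$((n + 1))
    fi
    if has_directive "$f" client || has_directive "$f" tls-client; then
        if ! has_directive "$f" ns-cert-type && ! has_directive "$f" remote-cert-tls; then
            echo "client never checks the server certificate's role; add 'ns-cert-type server' (cert from build-key-server)"
            n=$((n + 1))
        fi
    fi
    if has_directive "$f" ca && ! has_directive "$f" tls-auth; then
        echo "no tls-auth: the TLS handshake is reachable by anyone who can send UDP to the port"
        n=$((n + 1))
    fi
    case "$(directive_arg "$f" dh)" in
        *512*|*768*|*1024*)
            echo "dh: $(directive_arg "$f" dh) is too small; generate 2048-bit parameters or larger"
            n=$((n + 1)) ;;
    esac
    if ! has_directive "$f" cipher; then
        echo "no cipher: OpenVPN 2.0 falls back to BF-CBC (64-bit blocks); set one from openvpn --show-ciphers"
        n=$((n + 1))
    fi
    return $n
}

# Constructed samples: the client as the slides describe it, a server with the
# 1024-bit DH file easy-rsa's default produces, and the client hardened.
write_samples() {   # $1 = directory
    cat > "$1/client-weak.conf" <<EOF
client
dev tun
proto udp
remote 192.168.12.201 1194
ca ca.crt
cert client.crt
key client.key
verb 3
EOF
    cat > "$1/server-weak.conf" <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
verb 3
EOF
    cat > "$1/client-hardened.conf" <<EOF
client
dev tun
proto udp
remote 192.168.12.201 1194
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
}

if [ $# -eq 1 ]; then   # usage: sh audit.sh /etc/openvpn/tunclient.conf
    audit_openvpn_conf "$1"
fi
```

The tls-auth key is generated with the same "openvpn --genkey --secret ta.key" command as a static key and is shared by all peers; the server uses direction 0 and the clients direction 1.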
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Voltage: left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration key
F5 Main menu
Apache web with CGI & HTML
Seat Locating System
Score Query System
Appendix
Q: What is the wireless PCMCIA card support status for 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible 802.11g wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914W
Gigabyte   GN-WMKG
Others     any card that uses the Ralink chipset
Thank You
2-2 OpenVPN vs IPSec
OpenVPN
• User-space daemon
• SSL/TLS
• Portability across operating systems
• Firewall- and NAT-friendly
• Dynamic address support
IPSec
• Kernel-space IP stack
• Each operating system requires its own independent implementation of IPSec
• IETF standard: multi-vendor support
2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN
Routed IP tunnels (layer 3)
Bridged Ethernet tunnels (layer 2)
Suitable for connections:
• Site-to-Site
• Dynamic Site-to-Site
• (Dynamic) Client-to-Site
Dynamic firewall/NAT/DHCP friendly
2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device: a virtual point-to-point IP link between the two OpenVPN endpoints
Uses the kernel routing table to forward packets between the inner (LAN) interface and the TUN device
[Figure: OSI stacks of the two endpoints. OpenVPN runs at the application layer and the TUN device injects IP packets at layer 3]
2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages
1. Point-to-point
2. Easier to configure
3. Efficiency and scalability
4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages
1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work
2. Routes must be set up linking each subnet
3. Software that depends on broadcasts will not see the machines on the other side of the VPN
4. Works only with IPv4 in general, and with IPv6 only where the tun drivers on both ends of the connection support it explicitly
2-3-1 Routed IP Tunnels (TUN Mode)2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP Advantages1 Point-to-point2 Easier to configure3 Efficiency and scalability 4 Allows better tuning of MTU for efficiency
Routed IP Disadvantages1 Clients must use a WINS server (such as samba) to
allow cross-VPN network browsing to work 2 Routes must be set up linking each subnet 3 Software that depends on broadcasts Will Not see
those machines on the other side of the VPN 4 Works only with IPv4 in general and IPv6 in cases
where tun drivers on both ends of the connection support it explicitly
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses ldquoTAPrdquo mode a TAP device is a Virtual Ethernet Adapter
Bridge tools (bcrtl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN device: ls /dev/net (look for a character device "tun"); if it is not there, create it: mknod /dev/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf (vi /etc/sysctl.conf) and set "net.ipv4.ip_forward = 1"
Create/start the bridge interface using the Moxa script: openvpn-bridge [start|stop|restart]
Check the supported ciphers and authentication digests: openvpn --show-ciphers; openvpn --show-digests
Create the TUN configuration files: vi /etc/openvpn/tunserver.conf
[At VPN Client] vi /etc/openvpn/tunclient.conf
3-2 TUN Server Configuration
The local and remote VPN IP addresses must be specified
It is NECESSARY to specify the server address at the VPN client
3-2 TUN Server Configuration
Edit the static routes: vi /etc/openvpn/tunserver.sh; chmod +x /etc/openvpn/tunserver.sh
[At VPN Client] vi /etc/openvpn/tunclient.sh; chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tunserver.conf & (and at the client) openvpn --config /etc/openvpn/tunclient.conf &
Note the 2nd argument of "ifconfig", which is now "10.0.2.254"
Create the TAP configuration files: vi /etc/openvpn/tapserver.conf
[At VPN Client] vi /etc/openvpn/tapclient.conf
3-3 TAP Configuration - VPN Server
Mark this line if both VPN networks are in the same subnet
3-3 TAP Configuration - VPN Server
Edit the static routes: vi /etc/openvpn/tapserver.sh
[At VPN Client] vi /etc/openvpn/tapclient.sh; chmod +x /etc/openvpn/tapclient.sh
Pointed to by the kernel routing: br0 = 10.0.1.254
3-3 TAP Configuration - VPN Server
Start the bridge device: vi /etc/openvpn/openvpn-bridge; chmod +x /etc/openvpn/openvpn-bridge; /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file: openvpn --config /etc/openvpn/tapserver.conf & (and at the client) openvpn --config /etc/openvpn/tapclient.conf &
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf (pre-set default_days, default_bits ... etc.)
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified the same way
3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client
The "easy-rsa" tools also work on the UC-7400 series
3-4-3 Configuration File Modification
txxserver.conf
txxclient.conf
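As an added example (not from the Moxa deck), a small shell lint for the TLS-mode txxserver.conf and txxclient.conf files of 3-4-3: it checks that the easy-rsa files are referenced, that the server has its DH parameters, that the client pins "ns-cert-type server" and names the server address, that no static "secret" is mixed in, and that tls-auth, cipher and auth are set explicitly. The check_ovpn_conf, directive and write_sample_client functions are my own, and 192.0.2.1 in the constructed sample is a placeholder for the server's ixp0 address.

```shell
#!/bin/sh
# Added example (not from the Moxa deck): a small lint for the TLS-mode
# txxserver.conf / txxclient.conf files of section 3-4-3. It reports the
# settings a reviewer checks before the tunnel is used in production.
# Usage: check_ovpn_conf FILE server|client
# Prints one finding per line and returns the number of findings (0 = clean).

# directive NAME FILE: print the arguments of the first NAME line, or nothing if absent
directive() {
    awk -v d="$1" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

check_ovpn_conf() {
    conf="$1"; role="$2"; findings=0
    note() { echo "$role: $1"; findings=$((findings + 1)); }

    # TLS mode needs the easy-rsa output on both sides (ca.crt, <name>.crt, <name>.key)
    for d in ca cert key; do
        [ -n "$(directive "$d" "$conf")" ] || note "missing '$d' (reference the easy-rsa files)"
    done
    if [ "$role" = server ]; then
        # build-dh writes dh<KEY_SIZE>.pem; the server cannot complete a TLS handshake without it
        [ -n "$(directive dh "$conf")" ] || note "missing 'dh' (run build-dh and reference dh1024.pem)"
    else
        # without this, any client certificate issued by the same CA could pose as the server
        [ "$(directive ns-cert-type "$conf")" = server ] || note "missing 'ns-cert-type server'"
        # the deck's rule: the server address is NECESSARY at the client
        [ -n "$(directive remote "$conf")" ] || note "missing 'remote' (server address)"
    fi
    # 'secret' belongs to the pre-shared-key setup of 3-1; static-key and TLS mode are exclusive
    [ -z "$(directive secret "$conf")" ] || note "'secret' present: static key and TLS mode are mutually exclusive"
    # tls-auth puts an HMAC on the control channel, so unsigned packets are dropped before the TLS handshake
    [ -n "$(directive tls-auth "$conf")" ] || note "no 'tls-auth' key on the control channel"
    # pick cipher and digest explicitly from openvpn --show-ciphers / --show-digests (section 3-1)
    [ -n "$(directive cipher "$conf")" ] || note "no explicit 'cipher' (OpenVPN 2.0 defaults to BF-CBC)"
    [ -n "$(directive auth "$conf")" ] || note "no explicit 'auth' digest (defaults to SHA1)"
    return "$findings"
}

# Constructed sample (placeholder address 192.0.2.1): a client config that references
# the TLS files but leaves the control-channel protections out. The lint reports
# three findings on it: ns-cert-type, tls-auth and auth.
write_sample_client() {
    cat > "$1" <<'EOF'
client
dev tun
remote 192.0.2.1 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
cipher AES-128-CBC
EOF
}

if [ $# -eq 2 ]; then
    check_ovpn_conf "$1" "$2"
    exit $?
fi
```

The cipher named in a config must appear in the target's own openvpn --show-ciphers output; the OpenSSL 0.9.6 build listed for the UC-7400 predates AES support, so BF-CBC may be the only block cipher available there.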
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range (0 to 300 VDC) and right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status for 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914WG
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses "TAP" mode: a TAP device is a virtual Ethernet adapter
Bridge tools (brctl) are required to create the virtual adapters
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 (create an Ethernet bridge)
brctl addif br0 eth1 (connect interface eth1 as a port)
brctl addif br0 tap0 (connect virtual interface tap0 as a port)
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
2-3-2 Bridged Ethernet Mode (TAP Mode)2-3-2 Bridged Ethernet Mode (TAP Mode)
brctl addbr br0 create an ethernet bridge
brctl addif br0 eth1 connect interface eth1 as a port
brctl addif tap0 connect virtual interface tap0 as a port
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Physical
Data-Link
Network
Transport
Session
Presentation
Application
Bridging
OpenVPN
TUN (3rd)TAP (2nd)
eth1 eth1eth0 eth0
tap0 tap0
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
2-3-2 Bridged Ethernet Mode (TAP 2-3-2 Bridged Ethernet Mode (TAP Mode)Mode)
Bridging advantages1 Point to Point point to multi-point2 Broadcasts traverse the VPN -- this allows browsing
of Windows file shares across the VPN without setting up a Samba or WINS server
3 No route statements to configure4 Works with the VPN needs to be able to handle non-
IP protocols such as IPX Netware and AppleTalk5 Relatively easy-to-configure solution for road
warriors
Bridging disadvantages1 Less efficient than Routing and does not scale well
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) OpenVPN Configuration
4) Hands-On Practice
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
3) OpenVPN Configuration3) OpenVPN Configuration
3-1 Getting Started
3-2 TUN Configuration
3-3 TAP Configuration
3-4 SSLTLS ndash X509 Dynamic Keys
3-1 Getting Started3-1 Getting Started
ixp019216812201
ixp0 19216812202
gw 1001254IP 1001124
gw 1002254IP 1002124
LAN A LAN B
VPN Tunnel
Connect
1001254
[VPN Server]
1002254
[VPN-Client]
ixp1 ixp1
[CATLS Server]
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSL/TLS - Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC: vi /usr/share/ssl/openssl.cnf; pre-set default_days, default_bits, etc.
Create a new CA root key pair: /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request: /usr/share/ssl/misc/CA -newreq
Sign the certificate: /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client
Have the second client certified in the same way
3-4-2 OpenVPN - "easy-rsa" tools
Copy "easy-rsa" to the working directory: cp -r openvpn-2.0/easy-rsa /etc/openvpn
Modify the vars file: vi /etc/openvpn/easy-rsa/vars
Activate the vars: . /etc/openvpn/easy-rsa/vars
Create the CA root key: /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate: /etc/openvpn/easy-rsa/build-key server
3-4-2 OpenVPN - "easy-rsa" tools
Create the VPN client private key and certificate: /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters: /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server
Copy the CA certificate, client key and client certificate to the VPN client
The "easy-rsa" tools also work on the UC-7400 series
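What build-ca and build-key do under the hood, as an added example that is neither the slides' nor easy-rsa's code: the same three certificates issued with plain openssl(1), plus the check that decides whether a peer is let in at all in TLS mode, namely that its certificate chains to the ca.crt the other side was given. It assumes openssl is on the PATH; the CN values, directory layout and file modes are my own, and build-dh is included but not run because generating parameters is slow.

```shell
#!/bin/sh
# Added example (not from the Moxa slides or easy-rsa): a minimal CA for the
# OpenVPN TLS-mode lab. All names and paths are constructed.

# build_ca DIR: self-signed CA key pair (what easy-rsa's build-ca produces)
build_ca() {
    mkdir -p "$1" && chmod 700 "$1"   # ca.key never leaves this directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Moxa-UC-Lab-CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME: private key + request for NAME, signed by the CA in DIR
# (what easy-rsa's "build-key NAME" produces)
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null &&
    chmod 600 "$1/$2.key"             # the key is what gets copied to one peer only
}

# build_dh DIR [BITS]: DH parameters for the server (easy-rsa's build-dh).
# The slide uses 1024 bits; 2048 is the size to use today. Slow, so not called below.
build_dh() {
    bits=${2:-2048}
    openssl dhparam -out "$1/dh$bits.pem" "$bits" 2>/dev/null
}

# chains_to_ca CA_CRT CERT: 0 if CERT was signed by CA_CRT. This is the test an
# OpenVPN peer applies, using its 'ca' file, to every certificate it is offered.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_lab_pki DIR: the files from slide 3-4-2, then prove both chain to ca.crt.
#   VPN server gets ca.crt, server.key, server.crt (+ the dh file)
#   VPN client gets ca.crt, client1.key, client1.crt
build_lab_pki() {
    build_ca "$1" && issue_cert "$1" server && issue_cert "$1" client1 &&
    chains_to_ca "$1/ca.crt" "$1/server.crt" &&
    chains_to_ca "$1/ca.crt" "$1/client1.crt"
}

# Stand-alone run
work=$(mktemp -d)
if build_lab_pki "$work/pki"; then
    echo "lab PKI written to $work/pki (ca.crt, server.*, client1.*)"
fi
```

A certificate issued by any other CA, however well formed, fails chains_to_ca, which is why only the lab ca.crt, and not a system-wide trust store, belongs in the 'ca' directive.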
3-4-3 Configuration File Modification
txx/server.conf (txx = tun or tap)
txx/client.conf
Agenda
1) Cryptography Summary
2) OpenVPN 2.0
3) OpenVPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature range: 0 to 500 °C
Left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available memory
F3 Alarm Setting: Temperature → Voltage → Burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible wireless cards are:
Supplier   Model name
ASUS       WL-107g
CNET       CWC-854 (181D version)
Edimax     EW-7108PCg
Amigo      AWP-914W
Gigabyte   GN-WMKG
Others which use the Ralink chipset
Thank You
3-1 Getting Started
[Figure: lab network diagram. LAN A (hosts 10.0.1.1/24, gw 10.0.1.254) on ixp1 of the [VPN Server], whose ixp0 is 192.168.12.201; a VPN tunnel connects it to the [VPN Client], ixp0 192.168.12.202, whose ixp1 serves LAN B (hosts 10.0.2.1/24, gw 10.0.2.254). Tunnel endpoints: 10.0.1.254 at the VPN server, 10.0.2.254 at the VPN client. A [CA/TLS Server] is also shown on the network.]
3-1 Getting Started
Create a working directory (recommended): mkdir /etc/openvpn
Check for the TUN module: ls /dev/net and look for a character device "tun"; if it is not there: mknod /dev/net/tun c 10 200
Load the necessary modules: modprobe tun; modprobe bridge
Generate a (pre-shared) key: openvpn --genkey --secret [KeyName]
Self-diagnostic: openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
3-1 Getting Started 3-1 Getting Started
Create a Working Directory (recommended) mkdir etcopenvpn
Check for TUN Modules if not ls devnet look for a character device ldquotunrdquo mknod devtun c 10 200
Load necessary modules modprobe tun modprobe bridge
Generate a (pre-shared) key openvpn --genkey --secret [KeyName]
Self Diagnostic openvpn --test-crypto --secret [KeyName]
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
3-1 Getting Started3-1 Getting Started
Enable IP Forwarding echo ldquo1rdquo gt procsysnetipv4ip_forwardor vi etcsysctlconf modify ldquonetipv4ip_forward = 1rdquo
Create Start Bridge Interface using Moxa Script openvpn-bridge [start stop restart]
Check the CiphersAuthentication Support openvpn --show-ciphers openvpn --show-digests
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
Create TUN Configuration Files vi etcopenvpntunserverconf
[At VPN Client] vi etcopenvpntunclientconf
3-2 TUN Server Configuration 3-2 TUN Server Configuration
LocalRemote VPN IP address must be specified
It is NECESSARY to specify the Server Address at VPN Client
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
3-2 TUN Server Configuration 3-2 TUN Server Configuration
Edit the Static Routings vi etcopenvpntunserversh
chmod +x etctunserversh
[At VPN Client] vi etceopenvpntunclientsh chmod +x etctunclientsh
Start OpenVPN with the configuration file openvpn --config etctunserverconf amp openvpn --config etctunclientconf amp
2nd argument of ldquoifconfigrdquo which is now ldquo1002254rdquo
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
Create TAP Configuration Files vi etcopenvpntapserverconf
[At VPN Client] vi etcopenvpntapclientconf
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Mark this line if both VPN Networks are in the same subnet
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live DemoLive Demo
UC-7420 DEMO BOXUC-7420 DEMO BOX
Two of its serial ports connectedto a Power Meter and Thermocouple
Two LAN ports plus an optional Wi-Fi function making it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in lsquoburn-in modersquo to demonstrate UCrsquos high performance and reliability
Demo Box FeaturesDemo Box Features
Software Block DiagramSoftware Block Diagram
Temperature Range 0 to 500degC
Left side for high range 0 to 300 VDC amp Right side for low range 0 to 20 VDC
UCrsquos LCM amp keypad (F1-F5)UCrsquos LCM amp keypad (F1-F5)
F1 Monitoring Temperature rarr Voltage rarrThroughput for P3 to P8
F2 System Status LANrsquos IP rarr Wi-Firsquos IP rarr CPU loading rarr Available Memory
F3 Alarm Setting Temperature rarr Voltage rarr burning throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI amp HTMLApache Web with CGI amp HTML
Seat Locating SystemSeat Locating System
Score Query SystemScore Query System
AppendixAppendix
What is the wireless PCMCIA card support status in 80211gbull UC-7420s built-in Wireless driver supports Intersil Prism 20
chipset PCMCIA cardbull The compatible Wireless cards are
Supplier Model name
ASUS WL-107g
CNET CWC-854(181D version)Edmiax EW-7108PCgAmigo AWP-914WGigbyte GN-WMKGOthers which use R-Link chip set
Thank YouThank You
3-2 TAP Configuration ndash VPN Server3-2 TAP Configuration ndash VPN Server
Edit the Static Routings vi etcopenvpntunserversh
[At VPN Client] vi etcopenvpntapclientsh chmod +x etctapclientsh
Pointed to the Kernel Routing br0 = 1001254
3-3 TAP Configuration ndash VPN Server3-3 TAP Configuration ndash VPN Server
Start the Bridge device vi openvpnopenvpn-bridge
chmod +x etcopenvpnopenvpn-bridge etcopenvpnopenvpn-bridge start
Start OpenVPN with the configuration file openvpn ndashconfig etcopenvpntapserverconf amp openvpn ndashconfig etcopenvpntapclient amp
3-4-1 SSLTLS ndash Dynamic Keys3-4-1 SSLTLS ndash Dynamic Keys
Edit the OpenSSL Configuration File on a Linux PC vi usrsharesslopensslcnf Pre-input the default_days default_bits hellip etc
Create New CA root Key Pair usrsharesslmiscCA -newca
Create New Client Private Key and new Certificate Request usrsharesslmiscCA -newreq
Certificate Sign-in usrsharesslmiscCA ndashsign
Copy the CA root certificate client private key and the client certificate to the first client
Have the second client certificated
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Copy the ldquoeasy-rsardquo to the working directory cp ndashr openvpn-20easy-rsa etcopenvpn
modify the vars file vi etcopenvpneasy-rsavars
Activate the vars etcopenvpneasy-rsavars
Create CA root key etcopenvpneasy-rsabuild-ca
Create VPN Server Private Key and Certificate etcopenvpneasy-rsabuild-key server
3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools3-4-2 OpenVPN ndash ldquoeasy-rsardquo tools
Create VPN Client private Key and Certificate etcopenvpnbuild-key client
Create Diff-Hellman Parameters etcopenvpnbuild-dh 1024
Copy the CA certificate (cacrt) Server key (serverkey) and Server certificate (servercrt) to VPN Server
Copy the CA certificate Client key and certificate to VPN Client
ldquoeasy-rsardquo tools also work on UC7400 series
3-4-3 Configuration File Modification3-4-3 Configuration File Modification
txxserverconf
txxclienconf
AgendaAgenda
1) Cryptography Summery
2) OpenVPN 20
3) Open VPN Configuration
4) Hands-On Practice
Live Demo
UC-7420 DEMO BOX
Two of its serial ports are connected to a Power Meter and a Thermocouple
Two LAN ports plus an optional Wi-Fi function make it a good tool for transmitting data from remote sites to a central site
The rest of the serial ports are looped back in 'burn-in mode' to demonstrate the UC's high performance and reliability
Demo Box Features
Software Block Diagram
Temperature Range: 0 to 500°C
Left side for the high range (0 to 300 VDC) & right side for the low range (0 to 20 VDC)
UC's LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN's IP → Wi-Fi's IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burn-in throughput
F4 Configuration Key
F5 Main Menu
Apache Web with CGI & HTML
Seat Locating System
Score Query System
Appendix
What is the wireless PCMCIA card support status in 802.11g?
• The UC-7420's built-in Wireless driver supports Intersil Prism 2.0 chipset PCMCIA cards
• The compatible Wireless cards are:
Supplier    Model name
ASUS        WL-107g
CNET        CWC-854 (181D version)
Edimax      EW-7108PCg
Amigo       AWP-914WG
Gigabyte    GN-WMKG
Others      Cards which use the Ralink chipset
Thank You