Planning, Implementing, and Maintaining a Secure Network

Transcription

Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Planning, Implementing, and Maintaining a
Secure Network Perimeter for GIAC Enterprises
ull
rig
ht
s.
by
Jim Moore
ins
f
GIAC Certified Firewall Analyst (GCFW) Practical Assignment Version
4.1
ho
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
DRAFT COPY FOR REVIEW ONLY
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
Submitted April 6, 2005
© SANS Institute 2000 - 2005
Author retains full rights.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
ins
f
1 Security Problems with 802.11
1.1 Inherent Risks of Wireless LAN Communications
1.2 Inadequacies of WEP . . . . . . . . . . . . . . .
1.3 Inadequacies of 802.1X . . . . . . . . . . . . . .
1.4 Inadequacies of WPA . . . . . . . . . . . . . . .
ull
rig
ht
s.
I Wireless Networking: Security Implications for GIAC Enterprises Network
5
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
5
13
ut
GIAC Enterprises Perimeter Security Architecture
5,
A
II
ho
rr
eta
2
of 802.11i
10
KeyAssessment
fingerprint = AF19
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
2.1 Overview of the Security Architecture . . . . . . . . . . . . . . . . . . .
2.2 Potential Weaknesses . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3 Implementation Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3 Defining the Information Technology Capabilities Required by GIAC Enterprises in order to Accomplish its Business Objectives
13
3.1 Historical Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2 Capabilities needed for suppliers of GIAC Enterprises. . . . . . . . . . .
3.3 Capabilities needed for partners of GIAC Enterprises. . . . . . . . . . .
3.4 Capabilities needed for GIAC Enterprises’ employees located in Brooklyn.
3.5 Capabilities needed for GIAC Enterprises’ employees located at remote
sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
te
20
00
-2
00
©
SA
NS
In
sti
tu
4 Netork Security Architecture Providing Capabilities Needed by GIAC
terprises
4.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.2 IP Addressing Scheme . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.1 Border Router . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.2 Internet Firewall . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.3 Network Intrusion Detection System 1 . . . . . . . . . . . . .
4.3.4 VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.5 VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.6 Email Gateway . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.7 Network Intrusion Detection System 2 . . . . . . . . . . . . .
4.3.8 Internal Firewall . . . . . . . . . . . . . . . . . . . . . . . . .
En.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
18
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
ull
rig
ht
s.
4.3.9 Network Intrusion Detection System 3
4.3.12 Web Proxy Server . . . . . . . . . . .
4.3.14 Syslog Server . . . . . . . . . . . . .
4.3.15 Network Management Workstation . .
4.4 Enterprise-wide Features . . . . . . . . . . .
4.4.1 Patch Management . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
ins
f
III GIAC Enterprises Perimeter Security Policy and Implementation
32
A Border Router Configuration
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
63
69
20
00
B Internet Firewall Configuration
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
NS
In
sti
tu
te
C VPN Gateway Configuration
C.1 /etc/ipsec.conf . . . . . .
C.2 /etc/ipsec.secrets . . . . .
C.3 /etc/ipsec.d/cacerts . . . .
C.4 /etc/ipsec.d/crls . . . . . .
C.5 Crontable entries . . . . .
32
63
00
Appendices
.
.
.
.
.
.
.
-2
IV
5,
A
ut
ho
rr
eta
5 Internet Firewall Security Policy
Overview
. .FA27
. . .2F94
. . .998D
. . . FDB5
. . . DE3D
. . . . F8B5
. . . 06E4
. . . A169
. . . 4E46
. . . .
Key5.1
fingerprint
= AF19
5.2 Border Router and Firewall Access Rules . . . . . . . . . . . . .
5.3 Inbound Access Rules . . . . . . . . . . . . . . . . . . . . . . . .
5.4 Outbound Access Rules . . . . . . . . . . . . . . . . . . . . . . .
5.5 Network Address Translation Rules . . . . . . . . . . . . . . . . .
5.6 Logging Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.7 Order of Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . .
102
SA
D Redhat Network Scheduled Updates Script
99
103
©
References
! "#%$'& )(+*-, Key1fingerprint
AF19 FA27Network
2F94 998D
FDB5Overview
DE3D F8B5. 06E4
GIAC =Enterprises
Design
. . . A169
. . . 4E46
. . . . . . . .
2
3
4
5
6
7
.
.
.
.
.
.
GIAC Enterprises IP Addressing Scheme . . . . . . . . . . . . . . . . .
VPN Gateway Subnets . . .
DMZ . . . . . . . . . . . . .
Internal Firewall . . . . . . .
Internal Servers Network .
Restricted-Access Network
User Subnets . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
ins
f
2
.
.
.
.
.
.
ull
rig
ht
s.
! "#%$/.1032546
.
.
.
.
.
.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
7 0 , #8
ull
rig
ht
s.
Wireless Networking: Security
Implications for GIAC Enterprises
Network
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
Serious security issues have plagued 802.11 wireless LANs since their introduction
in the late 1990s. Numerous security analyses have pointed out the inherently insecure nature of LAN communications through the air and the woefully inadequate
protections provided by Wired Equivalent Privacy (WEP), the protocol defined to protect WLAN traffic from eavesdropping, spoofing, and connection hijacking in the original 802.11 standard. Since the issue of the original standard, the IEEE and industry
groups have made several attempts to improve the security of WLAN communicaKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tions, including the 802.11X standard, which defined an improved method for authenticating wireless nodes, WPA (Wi-Fi Protected Access), an interim standard improving
on WEP produced by an industry group, which can be applied to existing hardware
via firmware upgrades, and 802.11i, a new standard recently approved by the IEEE,
which specifies a more robust security architecture for WLAN communications. Under
the original standard, WLANs were considered too insecure for a broad number of
security-sensitive applications. If one or more wireless devices had to be attached to
a private network, it was frequently recommended that that they be isolated from the
wired network by a firewall and forced to use a VPN to make a connection to the wired
network. With the new standard in place, to what extent and in what circumstances
do the security measures recommended for 802.11 networks still make sense? How
could WLANs be implemented securely in the GIAC Enterprises network using the
features added by the 802.11i standard?
To answer these questions, it would be useful to review the security characteristics
of the original 802.11 standard and each of its improvements to establish a basis of
comparison for 802.11i security. Then we can consider the remaining security weaknesses of 802.11i and the practicality of exploiting those weaknesses. Finally, we can
consider other practical obstacles to implementing full-strength 802.11i security that
may qualify a decision about whether other security measures are required.
©
SA
NS
C E F+GHJI 9+9
9 : ; *<,= ?> 7@, +2A46
B D
MK LNK O PRQRS"TSUPWVYX[Z]\_^`\badcJe fZ TSUghSU\i\bjlknm opadqrqtsuPRZ]vxwyVZ]aMPR\
Wireless communications introduces a new set of complications into the process of
defining and defending the boundaries of trust in a networked environment. Wireless
devices conforming to the 802.11 standard broadcast signals; any other conforming
device within range can pick them up.[1] Range varies depending on the physical
Key fingerprint
AF19 FA27
2F94can
998Dcarry
FDB5
F8B52006E4
A169 4E46
medium
used.= Infrared
signals
upDE3D
to about
meters,[2]
802.11b signals
ins
f
ull
rig
ht
s.
can carry up to about 500 meters in ideal conditions.[1] In the United States, 802.11b is
in wide use. In urban settings it is trivially easy for anonymous individuals to intercept
wireless LAN communications from nearby offices, buildings or streets.
In the most common wireless LAN configuration, known as an Extended Service
Set, one or more wireless access points broadcast (“beacon frame”) or at least readily
transmit to an inquiring device the “Service Set Identifier” (SSID) needed to connect
to the wireless LAN.[2] In the original 802.11 standard, access points are configured
to accept by default “open system authentication,” which basically means anyone can
connect to the device and anybody can listen in.[3] Most wireless access points have
been set up with the factory default configuration, as the annual Worldwide Wardriving
contest maps have abundantly demonstrated.[4] No sane administrator of a private
network would open up his organization’s network to the public, but ordinary users in
many organizations, possibly unaware of the security risks, have set up “rogue” access
points reachable by devices outside the organization.[5]
KML{z OPRwM|RSU}~suwMvxZ]SU\YaMce A
eta
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
A sane network administrator would want to restrict access to his organization’s wireless LAN to authorized devices and prevent unauthorized individuals from being able
to intercept messages transmitted from participating wireless devices. The original
802.11 standard provided for authentication and privacy through “Shared Key” authentication and “Wired Equivalent Privacy” (WEP). The shared key is a code configured
on each authorized wireless device. When a device wants to “associate” with an access point, the access point uses the code to generate a challenge and sends it to the
device, which uses the same code to return the challenge in a WEP-encrypted packet.
If the access point can decrypt the packet and the decrypted challenge matches the
challenge originally sent, the device is allowed to associate. WEP is then used to
encrypt all subsequent data traffic between the access point and the device. WEP
employs a 40-bit shared secret key (optionally increased to 104-bit by many vendors’
implementations)[1] and the RC4 encryption algorithm to encrypt and decrypt messages between wireless devices. The secret key is distributed to each participating
station by a mechanism unspecified by the standard.[2]
Unfortunately, the security provisions in the original 802.11 standard fail to provide
adequate authentication or privacy. Even if an administrator were to implement all
the recommended provisions for maximizing the security of his organization’s wireless
LAN(s) available under the 802.11 standard,[3][1] the inherent weaknesses of WEP
would expose it to numerous vulnerabilities. First, there is no provision in the standard
for a device to authenticate an access point. An attacker with a modicum of knowledge
of the wireless LAN could set up a rogue access point with security features turned
off and attract victim devices to associate with it under the false pretense that traffic is
secured. Second, MAC address spoofing is trivial under 802.11 and most control and
management frames are sent in the clear, making it easy for an attacker to masquerade as an access point and interfere with the associations between devices and legitimate access points. Third, since access points send the authentication challenges
in the clear, an attacker who intercepts them can use offline brute-force methods to
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
crack the shared key.[5] Fourth, the WEP IV (initialization vector) field, at 24 bits, is too
small. On a busy network, a constantly-changing IV will eventually roll over, allowing
a persistent attacker monitoring the network to recover the RC4 key stream. From
there, he can use offline methods to crack the WEP key. In addition, there are no
provisions in the standard for changing the IV. A vendor’s implementation could have
all stations changing the IV in a similar manner, leading to identical key streams occurring nearly simultaneously. Even worse, it is possible that a particular station may
use a constant IV. The IV is part of the RC4 encryption key. Knowledge of part of the
encryption key, combined with a known weakness in the RC4 key scheduling algorithm, makes it possible for an attacker to analyze WEP-encrypted traffic and recover
the encryption key.[1] Vendors have reduced the risk associated with this problem by
implementing key management schemes that reduce the lifetime of the WEP key to
around 5-15 minutes. A frequently-changing WEP key greatly reduces the likelihood
that identical key streams will be used over the lifetime of a WEP-encrypted WLAN.[5]
Unfortunately, weaknesses in the way IVs are generated do not rule out the possibility.
Key
= AF19
2F94
998D FDB5
DE3D
06E4
Evenfingerprint
if an attacker
is FA27
unable
to crack
a WEP
key F8B5
on time
to A169
mount4E46
an active attack
using WEP, he can still decrypt all the traffic using that key. Finally, WEP makes no
provision for cryptographic integrity-checking. The integrity of a packet is determined
under 802.11 by computing a CRC value and comparing that to a CRC value sent
with the packet. There are published methods for altering packets that will result in
the identical CRC value. In addition, it is possible to use partial knowledge of the contents of an encrypted packet to generate packets with altered IP, TCP or UDP headers
using bit-flipping that will be accepted by an access point and then forwarded to a system under the attacker’s control! Some of these attacks require modifications to the
firmware of wireless devices, but competent, determined attackers could accomplish
that[6].
There are several ways to mitigate these weaknesses within the framework of the
original 802.11 standard, but many students of the issue recommend employing additional security measures. These include isolating the wireless network from the rest
of an organization’s network by address segmentation, firewalling the wired network
off from the wireless segments, and requiring all wireless devices to use a VPN based
on IPSec or SSL/TLS to communicate with other devices.[3][5][1] The problem with
these recommendations is that they are not practical in some applications and do not
eliminate all problems. For example, they do not eliminate the problem of communications between nearby wireless devices. If the wireless devices need to communicate
securely with each other, either each will have to be forced to route its packets through
a VPN concentrator, which could have a serious impact on network performance, or
each device will have to be configured to establish a VPN directly with its wireless
neighbors. Not all wireless devices are capable of this, and for those that are configuring VPNs is not a trivial exercise.
KML OPRwM|RSU}~suwMvxZ]SU\YaMc<MWz~LNK"
The IEEE recognized the security inadequacies of 802.11 early, and started working
groups to address them. The first new standard, 802.1X, published in 2001, addressed
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
the problem of authentication.[7] It established a mechanism for authenticating wireless devices and their users to another device. The authenticating device could be
a wireless access point, hub, router, or even another wireless device. It adapted the
Extensible Authentication Protocol (EAP) standard published by the IETF[8] to transport over ISO layer 2 (EAP over LAN). As its name suggests, EAP provides a means
for a device communicating with another device over a point-to-point link to authenticate using any conforming method. The 802.1X standard specifies EAP mechanisms
employing an “authentication server” that may or may not be part of the authenticating device. The authenticating device (“authenticator”) and its peer (“supplicant”) exchange authentication messages using EAP. These messages include initialization of
the authentication exchange, negotiation of an authentication mechanism, exchange
of authentication tokens and authorization information, and deauthentication. The authenticator also acts as an intermediary between the supplicant and the authentication
server translating packets from EAP to whatever protocol it uses to communicate with
the authentication server and vice versa. Until authentication completes successfully,
Key
fingerprint = AF19
2F94 998D
FDB5from
DE3D
06E4 A169
4E46
the authenticator
will FA27
not accept
packets
theF8B5
supplicant
except
those needed
to complete the authentication exchange. The standard recognizes that in a shared
media environment, such as a wireless LAN, EAP mechanisms must be chosen that
enable the exchange of authentication information between the supplicant and authenticator and between the authenticator and authentication server securely, typically
via encryption. Authentication protocols meeting this requirement include Kerberos,[9]
Diameter,[10] and RADIUS using IPSec.[11][12]
The authentication exchange described above is strictly one-way. The “supplicant”
does not authenticate the “authenticator.” The original standard required that in an
IBSS, in which each wireless device communicates directly with every other wireless device in an “ad hoc” network, each wireless device would act both as a “supplicant” and an “authenticator.” In this setting, all devices would mutually authenticate.
In an ESS, however, only the access point acts as an “authenticator.” The “supplicant” device has no way to authenticate access points. Furthermore, at least some
of the management packets exchanged between the “supplicant” and the “authenticator” travel in the clear and unauthenticated. These flaws in the design of 802.1X
led to the elaboration of “man-in-the-middle” and session-hijacking attacks against
802.1X in an ESS context.[13] Subsequent responses generally conceded the authors’
claims against the 802.1X standard, unless enhanced by per-packet encryption using
dynically-negotiated keys and a higher-level protocol that performs mutual authentication. Responses written by members of the wireless industry tended to claim that their
product’s enhancements to the 802.1X standard would defeat the attacks.[14][15]
©
SA
KML OPRwM|RSU}~suwMvxZ]SU\YaMce lk
In fact, vendors had been quite busy implementing security enhancements to their
802.11 devices, mostly without standardization. The industry evntually issued an interim standard of its own, Wi-Fi Protected Access, which defined a protocol for dynamic key management and data packet authentication and encryption called TemKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
poral Key Integrity Protocol (TKIP). The purpose of the standard was to mitigate the
ull
rig
ht
s.
weaknesses of the 802.11 standard without requiring the replacement of deployed
hardware. TKIP added an encrypted Message Integrity Code (MIC) to messages to
reduce the effectiveness of attacks that relied on MAC address spoofing or packet
modification. It also increased the size of the Initialization Vector (IV), added a key
mixing function, implemented replay attack prevention measures, defined a rekeying
mechanism, and described a series of counter-measures designed to reduce the impact of attempted exploits against the protocol to Denial of Service. TKIP is included
in the 802.11i standard as an interim security protocol for networks making the transition from hardware that does not conform to the requirements of 802.11i to hardware
that does. It only enhances the security of ESS networks and still relies on the RC4
encryption algorithm specified for WEP.[16] The 802.11i standard states that TKIP is
a trade-off between security and compatibility with older hardware. It is still vulnerable to active attacks. As a countermeasure, the protocol specifies that reception of a
packet with an invalid MIC should be treated as an active attack. After receiving two
such packets within 60 seconds, the receiving device will deauthenticate itself and, in
Key case
fingerprint
AF19 FA27
FDB5 all
DE3D
F8B5it06E4
4E46authenticated
the
of an=access
point2F94
or in998D
an IBSS,
stations
has A169
currently
and refuse to accept or send any packets except 802.1X authentication messages for
60 seconds.[18]
This trade-off makes it possible to launch an extended Denial of Service attack
against a TKIP-protected WLAN simply by sending 2 invalid TKIP messages to the
access point every 60 seconds.[19] Other researchers have verified TKIP’s susceptibility to DoS attacks based on spoofed deauthentication or disassociation packets.[20]
By itself, thse attacks pose no threat to the privacy of data carried over the WLAN,
but in some situations the DoS itself could lead to serious problems for the victim
organization. In addition, WLANs making use of WPA with pre-shared keys rather
than 802.1X authentication are vulnerable to off-line dictionary attacks against the
pre-shared key. Any system capable of intercepting traffic between the access point
and any other station in the ESS could perform this off-line attack, and once in possession of the key, compromise the security of the entire WLAN. The vulnerability can
be mitigated by using a random pre-shared key of 20 characters or more in length.[21]
The use of DoS could be the first step in such an attack, since it would provoke a
large number of authentication attempts which could be collected and subjected to
analysis. An attack tool based on this vulnerability was subsequently published on the
internet with an accompanying technical discussion.[22] Overall, WPA, when implemented with properly-configured 802.1X authentication and without legacy support for
WEP-only devices, still represents a huge improvement over any combination of prior
non-proprietary security features available for wireless LANs.
SA

NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f

©
The Wi-Fi Alliance’s documentation on WPA can be described as marketing literature. It does not
mention the limitations of TKIP detailed in the 802.11i standard. At least one document makes the
undocumented claim, “Cryptographers have reviewed Wi-Fi Protected Access and have verified that
it meets its claims to close all known WEP vulnerabilities and provides an effective deterrent against
known attacks.”[17] The WPA specification is still available on their Website only for a fee of $25.00,
while the full 802.11i standard is now freely available to the public on the IEEE website.
H
U
B D+$F+GHJI 9+9
~z LNK MS"T`Z]S" adcVQRS~SUvxsuTZ{Vk[TvQRZ{VSUv?VsTS
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
The complete IEEE 802.11i standard describes an overhauled 802.11 security architecture called a “Robust Security Network.” This architecture can be implemented in
an IBSS or ESS. It consists of a set of peer-to-peer security associations (analogous to
the security associations established in IPSec) negotiated between wireless devices
based on pre-configured security requirements and collectively labelled a “Robust Security Network Association” (RSNA). In an IBSS these security associations are established between any pair of wireless devices wishing to communicate with each other.
In an ESS, they are established between the access point and any wireless devices
wishing to participate in the wireless network. Each RSNA includes up to 4 specific security associations consisting of keys and policies. The Pairwise Master Key Security
Association (PMKSA) includes the long-term key to be used for generation of the transientfingerprint
keys. The= Pairwise
Transient
Key FDB5
Security
Association
(PTKSA)
includes the key
Key
AF19 FA27
2F94 998D
DE3D
F8B5 06E4
A169 4E46
to be used to encrypt unicast packets exchanged between the two peers. The Group
Transient Key Security Association (GTKSA) includes the key to be used to encrypt
multicast or broadcast packets destined for the members of the wireless network. The
STAKey Security Assoction (STAKeySA) includes the key to be used to encrypt traffic
sent from one non-AP wireless device to another non-AP device participating in the
same ESS.
RSNA-capable devices identify one another by an additional RSN element in beacon frames and (re)association messages. This element includes a list of cipher suites
the device is willing to use to communicate securely with other devices. In addition,
in an ESS access points can insist on the use of a specific cipher suite during association. Before establishing any of these security associations, wireless peers must
authenticate each other using either pre-shared keys or an 802.11X authentication
mechanism that implements mutual authentication such as EAP-TLS. Upon authentication, the peers establish the PMKSA, using either the pre-shared key or keying information exchanged during 802.11X authentication as the Pairwise Master Key. The
peers then engage in a “4-way handshake” that establishes the PTKSA and GTKSA.
If the non-AP peer wishes to establish direct communications with another non-AP
device on the wireless LAN, it then initiates a “STAKey handshake” with the access
point. Whenever a wireless device (re)(dis)associates, (de)authenticates, or simply
moves out of range of an access point with which it has an active security association,
any existing PTKSA and GTKSA are deleted. Likewise, the access point deletes the
PTKSA for any device that has entered one of these states. The PMKSA, on the other
hand, can remain in force indefinitely. PMKSAs can be cached by a device as they
are established between different peers. Implementations may use whatever means
are available to preserve the cached PMKSAs across system reboots or other interruptions of communication with the wireless network. The device can be configured
to specify a pre-defined maximum lifetime for its PMKSAs. Once the lifetime expires,
the device must re-authenticate if it is using 802.1X authentication, or the user may
Keyprompted
fingerprintto= re-enter
AF19 FA27
2F94 998D FDB5
DE3Da F8B5
06E4 A169
4E46will supply the
be
a passphrase
to activate
pre-shared
key that
eta
ins
f
ull
rig
ht
s.
key material for the PMKSA. Otherwise, the PMKSA may last as long as the Pairwise
Master Key used by the peers does not change.
The 802.11i standard specifies the Counter with CBC-MAC cipher suite[23] using
the AES-128[24] encryption algorithm for data and key management, packet encryption and authentication. The only other option available in a Robust Security Network
is TKIP, and this must only be used in contexts in which compatibility with non-RSNAenabled devices is required. The Counter with CBC-MAC cipher suite (CCM) combines a block cipher with message authentication. In 802.11i it takes 4 inputs, an encryption key, a nonce that must be unique across all encryption operations using the
same encryption key, a plaintext message block, and part of the MAC header including
the source and destination MAC addresses.[18] It computes a message authentication code using over the combined MAC header and message text. Then it encrypts
the message authentication code and message text by generating key stream blocks
using AES-128 over the nonce and encryption key and XORing blocks of the message
text with the key stream. The encrypted message authentication code is appended to
Keyencrypted
fingerprint =
AF19 FA27
998D
DE3D
F8B5 06E4 A169 4E46
the
message
text2F94
to form
theFDB5
cipher
text.[23]
rr
z~L{z AayVSUPWVZhwMgle SUw^`PRSU\i\iSU\
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
As of this writing, the 802.11i standard is not even a year old, and because implementing conformant RSNAs requires new hardware, has not been widely deployed. Still,
there is data on potential security weaknesses of the standard, some of it supplied by
the standard itself. In particular, the authors include a list of “Assumptions and Constraints” for aspects of a WLAN not part of the standard that must be met in order for
the RSNA to possess the security characteristics outlined in the standard. This list is
intended to help implementors prevent poor design of features outside the scope of
the 802.11i standard from compromising the security of their products and to help consumers assess the real-world security consequences of deploying a particular 802.11i
configuration. Notable items include the need to use an EAP method that ensures
strong mutual authentication for 802.1X authentication, the need to provide a secure
channel between access points and centralized authentication servers to protect keys
and authentication tokens passing along the wired LAN, and the limitations of using
pre-shared keys for the Pairwise Master Key. Regarding the last item, a malicious insider (someone who has control of another device furnished with the same pre-shared
key) can determine the Pairwise Transient Key for any two other stations by examining the first two exchanges of the 4-way handshake. From there, eavesdropping or
a man-in-the-middle attack is possible.[18] The exploitation of other potential weaknesses depends on the specifics of the 802.11i implementation and the configuration
choices of the 802.11 network administrators.
It is heartening to note that the core privacy and authentication protocol chosen
for conforming 802.11i devices, CCMP, has been proven to have robust security properties. An attacker with access to a stream of packets processed by CCMP is highly
unlikely to be able to collect two identical ciphertexts (which can be used to attempt to
crack the encryption key) or to learn enough about the message authentication code
to forge a valid packet,[25] provided the same encryption key is used for no more than
2 encryption operations.[23]. It is possible for an attacker to mount a precomputation attack against CCMP with 128-bit encryption keys when the same nonce value is
likely to occur across encryption sessions using different keys and the first 16 bytes
of the plaintext message are known. The attacker generates a table of all keys and
the first of the resulting key stream blocks generated using that nonce. He then captures packets using that nonce and compares the first encrypted block to those in the
table. After about 2 messages the attacker should be able to find a matching block
and identifiy the encryption key. This attack can be defeated by using a larger key or
by combining additional data with a sequentially increasing nonce value to form the
nonce.[23] The 802.11i specification employs 128-bit keys but also requires that the
MAC address of the sending station be included in the nonce value. As a result, the
series of all possible nonce values is unique to each communicating device. The attacker would have to generate a separate table for each device in the target packet
stream and would have to observe 2 messages from at least one of the devices before discovering the encryption key. This additional restriction makes precomputation
Key fingerprint
AF19 FA27
2F94
998Dto
FDB5
DE3D F8B5 06E4 A169 4E46
attacks
against=CCMP
highly
unlikely
succeed.[26]
The wedding of 802.11i privacy using CCMP with 802.1X authentication closes
nearly all the known holes in the 802.11 architecture. The major remaining problem is
Denial of Service. DoS attacks of several types can still succeed against a full-blown
802.11i network. In addition to the TKIP DoS attack mentioned previously1.4, 802.11i
networks are subject to DoS attacks using forged deauthentication or disassociation
frames, sending any of several forged EAPOL messages to the 802.1X supplicant or
authenticator, forging a packet with an incorrect RSN Information Element in message
3 of the 4-way handshake, or sending out numerous forged 4-way handshake message 1 packets to a supplicant.He and Mitchell [26] The impact of these attacks is
mitigated somewhat by the requirement that the attacker operate a device on the LAN.
Since the device is in the vicinity of the rest of the network, in most cases it could be
located fairly quickly. Still, many networks cannot function adequately with even brief
interruptions of service to devices on the LAN.
ull
rig
ht
s.
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
tu
te
z~L Oqg]SqSUPWVwyVZ]aMPO\\isRSU\
©
SA
NS
In
sti
It appears to this author at least that 802.11i WLANs can provide adequate security
to an organization that must protect data from unauthorized access, provided certain
conditions are met. First, the WLAN must implement the RSNA architecture using
CCMP. Legacy devices only capable of using WEP should not be allowed to use the
WLAN. This eliminates not only the vulnerabilites of WEP but also those of WPA and
TKIP. Second, the WLAN must be configured as an ESS and employ 802.1X authentication using centralized authentication servers running RADIUS, Diameter, or
Kerberos. Third, the WLAN must be restricted to devices participating in a shared
network of trust, such as a Windows Domain or a PKI infrastructure. If all these conditions are met, there is no need in most cases to firewall off the WLAN from the rest
of the organization’s network or force WLAN devices to tunnel traffic through a VPN to
the wired
network.
Key
fingerprint
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

ull
rig
ht
s.
On the other hand, there are numerous cases in which not all of these conditions
can be met. The most obvious case is that of the road warrior who uses a wireless
device to access the organization’s network from the outside. In many cases the road
warrior’s device will associate with a 3rd-party access point. In these cases, no guarantees about the security of the device’s traffic in the air or across intervening wired
networks can be made. In this case it makes sense to firewall off the road warrior’s
device and force it to establish a VPN tunnel. Some organizations have divisions with
different security requirements or have policies which prevent divisions from sharing
certain types of information with each other. In these cases, if the organization wishes
to deploy WLANs shared by members of different divisions, the network will have to
be configured to restrict unauthorized devices higher up the protocol stack, including
the use of internal VPNs and intra-divisional network firewalls.
ins
f
7 0 , #88
GIAC Enterprises Perimeter Security
Architecture
Defining the Information Technology Capabilities Reut
ho
rr
eta
-2
Historical Assumptions
00

LNK
00
5,
A
quired by GIAC Enterprises in order to Accomplish
its Business Objectives
©
SA
NS
In
sti
tu
te
20
The description of GIAC Enterprises given in the guidelines for Part 1 of this Practical
is too general for determining the precise relationship the company has or intends to
have with its customers, suppliers, partners, and employees. In order to develop a
realistic network design, it is necessary to make further assumptions about the nature
of GIAC Enterprises’ business, as was done by previous analysts.[27] These assumptions put flesh to the business needs of the company. The network design will be
shaped by the business needs that arise from these assumptions, and it must be
judged by how well it satisfies those needs.
In the real world, the analyst rarely has such freedom to shape the circumstances
for which he is designing a solution. There is little doubt that if IT Security professionals really had the power to dictate to organizations what their genuine business
needs were, there would be far fewer security breaches – and far fewer successful
organizations! Likewise, I must not make assumptions about the character of GIAC
Enterprises that end up serving simply to make it easier for me to design a satisfying network security infrastructure. With this caveat, let’s take a closer look at the
company.
Enterprises
a small
company
that specializes
the global distriKeyGIAC
fingerprint
= AF19isFA27
2F94publishing
998D FDB5
DE3D F8B5
06E4 A169 in
4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
bution of fortune cookie sayings. While it is based in the United States and maintains
there its corporate headquarters and publishing offices in Brooklyn, NY, it partners
with authors and printers around the world to provide buyers with fortune cookie sayings that are in their customers’ native language and appropriate to their customers’
culture.
The company was founded in the 1960s, grew rapidly in the United States and began expanding overseas, largely by cooperative agreements with foreign businesses,
in the 1970s. Management tended to be cautious about adopting new technologies.
This policy appeared to serve them well until the 1990s.
As the decade wore on, it became clear that companies more quickly adopting internet technologies were eating their lunch. Fueled by the efficiencies of web-based
ordering, their competitors were dropping prices and luring customers away. Management reluctantly decided to establish an English-language web site for product sales
in 1998. They hired a web development company to develop and maintain a website.
The web development company customized a business-to-business shopping-cart soKey
AF19contracted
FA27 2F94 with
998Dtheir
FDB5
DE3D
F8B5
A169 4E46
lutionfingerprint
for them.=They
ISP
to host
the06E4
website.
That decision led to increased sales. Management was sufficiently impressed to
roll out web-based sales worldwide over the following year. By 2001 the company
had a well-established international on-line sales presence. Meanwhile, sales costs
dropped as many older customers converted to web-based ordering. While management was happy with these results, they were also feeling pressure to increase the
breadth of their reliance on internet technologies.
They were not able to develop as broad a base of authors in emerging markets
as they desired because of continuing problems with communications. They had also
begun to lose authors to companies that were using the web to maintain relationships
with authors. Management decided to survey all their existing suppliers, partners,
and customers to find out what services they would like the company to provide and
how they would like to receive them. The results indicated that business relationships
should improve if the company supplemented its personal contacts with its suppliers,
partners, and customers with web-based access to more detailed product information,
coming projects, and collaboration tools. This year, the company hired a chief technology officer and assigned him the task of bringing in these capabilities, overseeing
training of staff, suppliers, partners, and customers in using the new features, and
providing and maintaining the infrastructure necessary to make it happen. He in turn
hired me to help design and implement a network security architecture to support the
new operations.
The new CTO included the following requirements in my assignment. First, the design must assume that as many functions as possible of the company’s web presence
be located in-house. The CTO was determined to eliminate dependence on thirdparties for the security of the company’s assets. Second, the design should use opensource tools, unless commercially-available, closed-source tools were significantly superior or open-source tools are not available for a particular function. This decision
was based primarily on budgetary constraints for software acquisition and training
(NOT because open-source software is inherently more likely to be free of security
weaknesses! [28, 29]). As it turns out, the CTO’s former company had used many
Capabilities needed for suppliers of GIAC Enterprises.
00

L{z
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
open-source security tools, and he had managed to bring a few of his key staff along
with him to GIAC Enterprises. He wanted to exploit their competencies as quickly and
cheaply as possible.
Third, the design must allow for the use of the existing ecommerce solution, which
includes the following components: A web/application server cluster provides access
for customers to product information via HTTP and secure online ordering and orderstatus information via HTTPS secured with SSL v.3 using an RSA server certificate
signed by Verisign’s Certificate Authority and a negotiated encryption algorithm of minimum 128-bit key length. Also, an Oracle database backend cluster located in-house
provides access to customer account information to the web/application servers and
detailed reporting information to internal customer support and accounting personnel
using an internal application server via an encrypted channel on TCP ports 1521-1526
using TLS v. 1.0 with 2-way authentication using RSA client and server certificates
signed by Verisign’s Certificate Authority and encryption using the triple DES cipher
algorithm with a 168-bit key and SHA-1 MAC. In addition, the Oracle database server
Key
fingerprint
AF19toFA27
998D FDB5
DE3D Payment
F8B5 06E4
A169 4E46
cluster
must be= able
make2F94
connections
to Acme
Systems
remote payment
processor over the internet (IP address 1.100.100.1) on port 4999 using TLS v. 1.0
with 2-way authentication using RSA client and server certificates signed by Verisign’s
Certificate Authority and encryption using the triple DES cipher algorithm with a 168bit key and SHA-1 or MD5 MAC.
In addition to these baseline requirements, I had to make provision for additional
access by suppliers, partners, and employees as follows:
©
SA
NS
In
sti
tu
te
20
00
-2
GIAC Enterprises’ suppliers can be broken into two broad categories: authors of fortune cookie sayings and vendors who provide products needed by the employees of
GIAC Enterprises to conduct the various aspects of her business. Authors need access to specifications for new projects, legal and contractual information regarding
copyright, ownership of submissions, review policy, plagiarism, pay scales, and other
contranct terms, a repository in which they can place and retrieve works in process
that are under editorial review, and channels for communication with editors and, in
limited cases, with each other, about their work. The CTO already had an answer to
my question about exactly where in the organization’s network infrastructure authors
would go to get this access; he had contracted with a development firm to build a
web portal into the existing Oracle application server. This portal required authors
to authenticate with a user name and password to gain access to most features of
the site, and granted access to various features of the portal based on policies set
for their identity by the editorial staff. The portal included a collaboration space, in
which authors and editors could brainstorm together, and a restricted-access repository for submissions in progress and contracts. Communications with the portal from
the internet were secured with 2-way authentication using RSA certificates signed by
Verisign’s Certificate Authority and a negotiated encryption algorithm of minimum key
length of 128 bits. I had to come up with a secure method for editors and authors to
exchange contracts and other sensitive information over the internet in the event the
web portal was not available.
Other suppliers required far less access to GIAC Enterprises. They needed to
be able to communicate with GIAC Enterprises employees via email and wanted the
employees to be able to get to their websites for product information, purchasing, and
educational opportunities. Occasionally, they would be exchanging email that required
encryption.
Capabilities needed for partners of GIAC Enterprises.
ull
rig
ht
s.

L
ho
Capabilities needed for GIAC Enterprises’ employees located
in Brooklyn.
5,
A
ut

L
rr
eta
ins
f
Most of GIAC Enterprises’ partners were printers with long-term contracts for printing
and ensuring delivery of fortune cookie sayings to customers. Many of these firms
were based in other countries. Most of the rest of the the firm’s partners were overseas
as well. Most often, they provided translation services. Frequently, they were also
asked to vet projects destined for an overseas customer for cultural appropriateness.
They needed to be able to exchange email with GIAC Enterprises’ editorial staff,
Key
fingerprint
= AF19 FA27
2F94
998D
FDB5
DE3D
F8B5 to
06E4
sometimes
in encrypted
form.
They
also
needed
access
the A169
portal4E46
for specifications
of ongoing or upcoming projects and to exchange work in progress. Their access to
the portal was secured in the same way as that for authors.
©
SA
NS
In
sti
tu
te
20
00
-2
00
The employees based at GIAC Enterprises’ headquarters and publishing offices include their corporate officers, editorial staff, and several support departments: accounting, legal, human resources, purchasing, sales, and IT. In general, the employees require access to the web and must be able to send email to various parties on the
internet. In many cases, they will need the ability to engage in secure transactions via
SSL. Individuals or departments that require additional access will be specfied below.
Editorial staff need the ability to send encrypted email to authors as a backup to
secure access to the company’s web portal. There exists the danger of proprietary
information leaking out of the company in undetectable form via secure email. There
does not seem to be a realistic method of preventing this from happening, and even
if there were a way to prevent employees from sending encrypted email, there are
too many other relatively easy ways for them to sneak proprietary information out the
door. For that reason, this kind of access will be allowed and the risk mitigated by
issuing clear policies on proper use and training editorial staff on how to implement
those policies in their communications with authors.
Corporate and accounting staff need access to a variety of reports and financial data stored in the Oracle database originally used as part of the company’s
ecommerce solution. It was decided, however, to consolidate a number of internal
databases storing financial data onto the same server. The company purchased a
second application server to be used in-house only. This application server would
limit direct access to the database, allow for even more granular access control, and
isolate
sensitive
data FA27
from the
application
used by partners,
Key fingerprint
= AF19
2F94publicly-available
998D FDB5 DE3D
F8B5 06E4server
A169 4E46
Capabilities needed for GIAC Enterprises’ employees located
at remote sites.
ins
f

L{
ull
rig
ht
s.
suppliers, and customers. Of course, it also greatly simplified access to the financial
data.
IT staff need FTP access to various sites on the internet in order to download
needed software packages and updates. While it is entirely possible to do this via
HTTP, FTP is faster, and many of these packages will be quite large. The CTO has
already indicated that only IT staff should be allowed to download software packages
and updates, including Java programs. If employees need access to software available on the web, it IT’s responsibility to fetch it, check it for problems (licensing issues,
viruses and worms, security vulnerabilities) and make it available to employees on the
company’s intranet. IT staff also require access to the newsgroup server at the company’s ISP in order to keep up with technical issues discussed in some newsgroups.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
Key the
fingerprint
= AF19
2F94 998D
FDB5 Enterprises
DE3D F8B5 06E4
A169
4E46
For
most part,
theFA27
employees
of GIAC
do not
need
access to data
stored inside the company’s network except when they are at work. The exceptions
to this rule include corporate officers, some of the editorial staff, remote sales staff,
and IT staff. The first three groups need access to email, the web portal, and the
internal application server. The internal application server gives corporate officers
quick access to confidential financials, performance data and strategy. Editors and
salespeople use the internal application server to maintain confidential information
on customers. The company’s CRM solution, for example, is hosted on the internal
application server. IT staff needs comprehensive access to the network to perform
remote diagnostics and troubleshooting.
Access to email had already been available via Outlook for Web Access, provided
by the company’s Microsoft Exchange server. The company was now to migrate all its
groupware functions to Oracle Collaboration Suite and use the web-interface provided
by Oracle on the web/application server to give remote users access to email and
other groupware functions. Remote access to the email site would be granted to
users via HTTPS secured with SSL v.3 using 2-way authentication with RSA client
and server certificates and a negotiated encryption algorithm of minimum 128-bit key
length. The server certificate will be signed by Verisign’s Certificate Authority and
the client certificates will be signed by GIAC Enterprises’ own certificate authority.
Traveling employees will connect to the portal site in the same way. The internal
application server cannot be accessed directly from the internet. For remote access
to this system, remote users will have to establish an IPSec VPN connection to the
company network from their remote site.
IT staff require by far the most far-ranging remote access to the company’s network
as a consequence of the CTO’s decision not to staff IT on-site 24x7. After a study of
the frequency of problems encountered during the use of the company’s ecommerce
solution and the number of such problems requiring on-site intervention by IT staff,
and several discussions with IT managers who oversaw the use of portal software
similar
in design
and purpose
to 998D
what FDB5
the company
was 06E4
aboutA169
to put
into production,
Key fingerprint
= AF19
FA27 2F94
DE3D F8B5
4E46
ho
rr
eta
ins
f
ull
rig
ht
s.
he concluded that the company could provide a sufficient level of service to its site’s
users without incurring the expense of keeping staff on-site 24 hours a day, 365 days
a year.
Instead, he would have IT staff rotate on-call duty from home and have the company’s security and network-monitoring tools forward alerts to the on-call staff. In order
for this to work, on-call staff would have to have a secure, reliable connection to the
company’s network and sufficient access to its network infrastructure to perform maintenance and repair. This will take place via an IPSec VPN between each of the IT
staff’s homes and the company network.
As a backup in case the company’s link to its ISP goes down or the VPN gateway
or internet firewall fail, a Remote Access Server taking dialup connections will also be
provided. The dialup lines are normally only needed on off-hours, and then only when
IT staff are unable to reach target hosts via their VPN connection.
It should be noted in this connection that in no case does a remote employee need
an end-to-end IPSec tunnel. Confidentiality inside the company’s network can be
Key
fingerprint
= AF19
FA27such
2F94as
998D
FDB5
DE3D
4E46
achieved
by other
means,
using
HTTPS
orF8B5
SSH.06E4
The A169
CTO instructed
me that
in the absence of a clear business need end-to-end tunnels will not be allowed. He
preferred to limit the amount of unidentifiable traffic flowing in and out of the company’s
network.
Netork Security Architecture Providing Capabilities
Needed by GIAC Enterprises
00
Overview
-2
LNK
5,
A
ut
©
SA
NS
In
sti
tu
te
20
00
The network security architecture recommended for GIAC Enterprises is meant to accomplish the following objectives: 1.) Provide all the capabilities required by GIAC Enterprises; 2.) Prevent anyone from extending or exploiting those capabilities to achieve
unauthorized access to any of GIAC Enterprises IT assets; 3.) Keep implementation and maintenance costs as low as is consistent with meeting objectives 1) and 2)
quickly. The security architecture will achieve its objectives by employing a number
of complementary security features, including a multi-layered perimeter, network intrusion detection and, for mission-critical, exposed, or otherwise sensitive hosts, hostbased intrusion detection, hardening of exposed hosts, segmentation of the company’s
internal network, enterprise-wide anti-virus detection and removal, centralized system
logging and near real-time response to possible security breaches. Costs will be contained by employing free or inexpensive open-source software and recycled hardware
for many key components. Centralized administration tools will simplify maintenance
and monitoring.
ull
rig
ht
s.
Remote
Users
ISP
IDS 1
ins
f
Cisco
2621
(2.3.1)
eta
Key fingerprint(2.3.3)
DMZ
FreeS/WAN
VPN
Gateway
(2.3.4)
ho
ut
5,
A
Log
00
Linux
Netfilter
Firewall
(2.3.8)
IDS 3
(2.3.9)
te
Internal
Servers
Cisco
3640
Users
©
SA
NS
In
sti
tu
Limited
Access
20
00
-2
IDS 2
(2.3.7)
rr
Linux
Netfilter
Firewall
(2.3.2)
¡=¢¤£¥¦N§ ¨ GIAC Enterprises Network Design Overview
L{z
IP Addressing Scheme
Border Router
20
te
Components
tu
L
©ª¬«Uª
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
Heretofore, GIAC Enterprises’ internal network was based on RFC 1918 addressing
using class C subnets or smaller in the 192.168/16 address space. I decided to abandon this scheme entirely in favor of one based on the 10/8 address space. The obvious but less important reason for going with the 10/8 address space is that it increases
the total number of available addresses by a factor of 256. The company is currently
nowhere near large enough to use up the 65536 addresses available in the 192.168/16
space; converting to the 10/8 space simply makes it a complete non-issue.
The more important reason is interoperability. Many home networks and businesses use one or more class C subnets of the 192.168/16 space as their private
addressing. By converting to the 10/8 space, the company more easily avoids collisions with private addresses in the home networks of VPN clients. Each VPN client
will be assigned an IP address in the 10/8 space, and in no case will a VPN client be
permitted to route packets from his/her home network or anywhere else into GIAC Enterprises’
network,
or vice
This FDB5
is not DE3D
so easily
accomplished
if the IP address
Key
fingerprint
= AF19
FA27versa.
2F94 998D
F8B5
06E4 A169 4E46
assigned to a VPN client interface happened to be in a subnet already allocated to a
home network. Routing issues between the client and the company network could be
alleviated by subnetting the part of the home network assigned to the VPN client.
Another problem would remain, however. The firewall will include access rules for
VPN subnets. The brevity and efficiency of these rules depends on being able to
predict the subnetting for entire blocks of addresses assigned to certain classes of
VPN clients. If exceptions have to be made to prevent address clashes with certain
home networks, it will complicate the firewall ruleset. If, in the future the company has
a need to set up a network-network VPN, perhaps with a partner, there is far more
flexibility in the 10/8 space for finding a network number that will allow the two sides to
talk to one another without asking either one to change their current addressing.
©
SA
NS
In
sti
The purpose of the border router is to supervise the connection between GIAC Enterprises and the internet. Not only does it route IP traffic in and out of the company’s
network, but it also blocks IP traffic with invalid source addresses and prevents certain other kinds of potentially dangerous traffic, including certain kinds of ICMP and
traceroutes, from entering the company’s network. The border router is placed on the
company’s end of the T1 connecting it to its Internet Service Provider. All other devices connected to the internet in GIAC Enterprises forward their traffic through this
router and all network traffic entering GIAC Enterprises network must pass through this
router first. Since this is the first device incoming traffic encounters, it is the ideal device to block certain kinds of suspicious traffic which its limited access-control facilities
can detect. In particular, it is able to block traffic with unrouteable[30] and otherwise
reserved[31] source IP addresses. It is also ideal for blocking traceroutes, which might
Description
Network Block
Public Networks
1.1.1.104/30
Assigned to GIAC Enterprises by ISP. Border
Router <-> Internet Firewall
VPN Gateway Public Network
1.1.1.240/30 Assigned to GIAC Enterprises by ISP. Internet Firewall <-> VPN Gateway
Public Servers
1.1.2.240/28 Assigned to GIAC Enterprises by ISP.
Internal Network Device Link Networks
Firewall-Firewall Network
10.1.1.0/30
Internet Firewall <-> Internal Firewall network
VPN Gateway Private Network
10.1.1.4/30
VPN <-> Internet Firewall
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5
06E4
A169
4E46
RFC
1918
network
Internal Firewall-Users Network
10.1.1.8/30
Internal Firewall <-> Cisco
3640 Router
Private Networks
Restricted-Access Network
10.1.3/24
Used to isolate
sensitive traffic used
mostly for infrastructure support from
main subnets
DMZ
10.1.4/24
Internal Server Network
10.1.5/24
Logging Network
10.1.6/24
Mostly dedicated to logging
to lighten load on main subnets.
Corporate User Network
10.10.2/24
Editorial User Network
10.10.3/24
Support User Network
10.10.128/17 Supernet for various support departments.
Devices are logically subdivided by department into
natural subnets. Used in
firewall rules and for later
segmentation.
IT Network
10.10.128/24 Used by network security
devices to grant special access to IT personnel.
Sales Network
10.10.129/24 Used by network security
devices to limit access by
sales
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5
06E4personnel.
A169 4E46
Editorial VPN Client Network
10.253.2/24
System running VPN client
software for a remote editorial user gets address in
this subnet.
Sales VPN Client Network
10.253.3/24
software for a remote sales
user gets address in this
subnet.
IT Staff VPN Client Network
10.253.4/24
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
Public WAN Network
Comment
otherwise be able to discover invaluable information about the structure of the network
defenses protecting the publicly accessible mail gateway and web/application server.
It can also reduce the impact of DOS attacks using rate limiting on certain types of
otherwise permitted traffic. The border router used at GIAC Enterprises is a Cisco
2621 running Cisco IOS Release 12.2(15)T2, with the IP Plus feature set.
©ª¬«Uª¬®
Internet Firewall
ho
Network Intrusion Detection System 1
ut
©ª¬«Uª¬«
rr
eta
ins
f
ull
rig
ht
s.
The purpose of the internet firewall is to limit the types of IP traffic allowed to pass
between the GIAC Enterprises network and the internet. It sits just inside the border
router and performs “stateful” filtering to prevent forwarding of unallowed traffic that
the router’s access-control mechanisms are too simple to detect. It also translates
unrouteable (RFC 1918) addresses used in the GIAC Enterprises network into public
IP addresses that can be passed along the internet. Since all traffic in and out of
the network passes through this system, including unencrypted traffic from the VPN
gateway,
it is able
to comprehensively
limit the
types
of06E4
trafficA169
flowing
Key
fingerprint
= AF19
FA27 2F94 998D FDB5
DE3D
F8B5
4E46in and out. It
is configured to block many types of attacks and evasive scanning techniques based
on malformed IP packets, including fragmentation and unusual combinations of TCP
flags. This system runs Redhat Linux 9.0 with netfilter v. 1.2.7a.
te
VPN Gateway
tu
©ª¬«Uª¯©
20
00
-2
00
5,
A
This unit sits just inside the border router. It captures and anaylyzes all inbound and
outbound traffic for signs of suspicious activity, sends alerts when such activity is detected, blocks certain types of activity, and logs a record of the subsequent conversation between the source and destination hosts. It supplements the internet firewall by
performing protocol analysis and blocking suspicious TCP activity. While it is possible
to have the intrusion detection system modify the firewall rulebase dynamically in response to suspicious activity, this function is not implemented in the GIAC Enterprises
network. This system runs Snort, v. 2.0.1 on Redhat Linux 9.0.
©
SA
NS
In
sti
The VPN Gateway enables key GIAC Enterprises employees who need more comprehensive access to the company network than what is available through the web portal
to establish a secure channel for communications across the internet. While this function could be performed by the internet firewall itself, it was offloaded to a separate
device to ease the load on the firewall and to allow for the use of network address
translation on packets coming from systems inside GIAC Enterprises network.
The VPN gateway has two interfaces connected to the internet firewall, an internal
and a publicly-addressable interface. Outbound VPN packets pass through the firewall, NAT is performed on them, and they are forwarded to the VPN gateway’s internal
interface for handling. The VPN gateway wraps the packets in AH or ESP headers
and passes them back to the firewall on the publicly-addressable interface. The firewall checks the information in the new packet headers and forwards them if they are
acceptable. Inbound VPN packets are checked by the firewall first and passed to
5,
A
©ª¬«Uª¬°
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
the VPN gateway if allowed. The VPN gateway unwraps and unencrypts the packets
and passes them to the firewall through its internal interface. The firewall performs
any needed NAT on the packets, checks them to see if they are allowed, and if so,
forwards them to a system in GIAC Enterprises’ network.
The gateway will be configured to allow for redundant controls on access to the
company network by remote clients. The VPN gateway itself will use the distinguished
name of the client’s X.509 certificate to determine to which areas of the company
network the client is granted access . Each user will also be assigned a static IP
address to be associated with a virtual interface on the client machine. The IP address
will be pulled from a subnet to which all addresses for that access class belong. The
internet firewall will include rules that specify to which areas of the company network
that subnet is granted access. The VPN gateway and firewall access controls will be
coordinated by configuration settings on the gateway that bind a user’s distinguished
name to the subnet belonging to his/her access class.
The VPN gateway system runs FreeS/WAN v. 2.01 with the X.509 patch on a
Key fingerprint
AF19
FA27 modified
2F94 998Dkernel
FDB5 version
DE3D F8B5
06E4The
A169
4E46 patch allows
Redhat
Linux =9.0
system,
2.4.20.
X.509
the VPN gateway to use PKI for authentication which also enables it to interoperate
with Windows 2000/XP clients. A patch to FreeS/WAN which allows for NAT traversal
was considered unready for production use, but will be studied closely for possible
inclusion in future installations.
VPN Clients
te
Email Gateway
tu
©ª¬«Uª¬±
20
00
-2
00
Since the company already owns a fair number of laptops with Windows 2000 or XP
installed, the IPSec sub-system that comes standard in a Windows 2000 and XP Professional workstation installation will be the standard VPN client software used by the
company. The IPSec sub-system will be configured to operate in client-only mode
and use X.509 certificates signed by GIAC Enterprises own certificate authority for
authentication.
©
SA
NS
In
sti
The email gateway handles email traffic going in and out of GIAC Enterprises. It is
designed to trap SPAM and viruses or trojans embedded in email and strip them out
of the message flow. It also rewrites headers on outbound email to hide sensitive
information about the internal structure of GIAC Enterprises network and blocks 3rdparty relaying. It also runs a DNS service, both to provide DNS to the mail service for
quick name resolution, and to act as a proxy for internal DNS servers. The company’s
forward and reverse DNS records are maintained by the company’s ISP, so this gateway DNS server does not actually serve any DNS records to the internet. All inbound
access to the email gateway’s DNS service is blocked. The gateway DNS server
performs recursive queries on behalf of internal DNS servers and forwards them its
cached information. It also acts as a slave server for the internal DNS domain and
provides
direct=DNS
to the
perimeter
hostsF8B5
that need
it. The4E46
DNS service on
Key fingerprint
AF19service
FA27 2F94
998D
FDB5 DE3D
06E4 A169
ull
rig
ht
s.
Corporate
VPN Clients
10.253.1.0/24
Sales VPN
ins
f
Editorial
VPN Clients
10.253.2.0/24
IT VPN
10.253.3.0/24
ut
ho
rr
10.253.4.0/24
eta
Key fingerprint Clients
= AF19 FA27 2F94 998D FDB5Clients
DE3D F8B5 06E4 A169 4E46
ISP
20
00
-2
00
5,
A
216.97.129.102
Border
Router
216.97.129.100/30
(2.3.1)
216.97.129.105
IDS 1
(2.3.3)
216.97.129.104/30
te
216.97.130.240/30 216.97.129.106
216.97.130.242 216.97.130.241
©
SA
NS
In
sti
tu
10.1.1.6
10.1.1.5
10.1.1.4/30
FreeS/WAN
Internet
VPN
Firewall
Gateway
(2.3.2)
(2.3.4)
²¬³)´xµ¶¸·º¹y³¼»½N¾x³À¿RÁÂÃÄ½h»ÆÅ
¡Ç¢¬£¥¦È§ i¨ VPN Gateway Subnets
IDs 3
(2.3.9)
ull
rig
ht
s.
10.1.4/24
10.1.4.3
(NAT ->
10.1.4.1
216.97.159.242)
Cisco
Internet
Catalyst
Firewall
2950
(2.3.2)
10.1.4.254
Public
Web/Portal
Server
10.1.4.2
(NAT ->
216.97.159.241)
ins
f
Email
Gateway
(2.3.6)
¡Ç¢¬£¥¦N§ ¨ DMZ
rr
eta
00
20
©ª¬«UªÊÉ
-2
00
5,
A
ut
ho
this host is configured to allow queries only from perimeter hosts and internal nameservers. The internal DNS master server is configured to allow zone transfers from the
email gateway and other internal DNS servers. The gateway runs MailScanner 4.22-5
to integrate anti-virus and anti-SPAM checks with the mail delivery system, Spamassassin 2.55 for SPAM detection, Sophos Anti-Virus for virus-checking and removal,
Sendmail 12.8 with the latest security patches for mail transport and BIND v.9 for the
DNS service on a Redhat Linux 9.0 system.
©ª¬«Uª¬Ë
©
SA
NS
In
sti
tu
te
This intrusion detection system sits between the internet firewall and an internal firewall to monitor traffic from the internet and VPN gateway after network address translation has been performed (See 4.3.4). It also monitors outbound traffic before network address translation is performed. It is meant to perform several functions. First,
it verifies the success of IDS 1 in detecting and blocking suspicious inbound activity. Second, it traps suspicious traffic passing through the VPN gateway, since it is
unencrypted when it passes through this IDS, unless of course it is encrypted email,
SSL or SSH traffic. Third, it verifies the sucess of the user network IDS and proxy
server at detecting and trapping dangerous HTTP or FTP requests and will stop them
if detected. This system’s software configuration is identical to that of IDS 1.
Internal Firewall
The internal firewall offers a second line of defense against traffic inbound from the
internet. It also protects sensitive areas of GIAC Enterprises’ internal network from
other internal systems and users. All server systems and network devices in the GIAC
10.1.1.2
10.1.3.1
10.1.5.1
User
Servers
10.1.5/24
ull
rig
ht
s.
10.1.1.0/30
ins
f
IDS 2
(2.3.7)
Internet
Firewall
(2.3.2)
10.1.1.1
ut
ho
rr
eta
Internal
Key fingerprint = AF19
Restricted
Firewall
Access
(2.3.8)
Segment
10.1.1.9
10.1.3/24
00
-2
¡Ç¢¤£¥¦È§ ¨ Internal Firewall
20
00
Cisco
3640
5,
A
10.1.1.10
©
SA
NS
In
sti
tu
te
Enterprises network log to a remote syslog server. This logging is carried over a
back-channel LAN segment through the internal firewall to the remote syslog server.
Communications between the application servers and the Oracle database server are
also carried over this back-channel segment. The internal firewall allows limited access to these servers for crucial maintenance without exposing them unnecessarily.
The company already owns a Cisco 3640 router that was used to forward traffic between segments of their LAN. An IOS upgrade to include Cisco’s firewall feature set
could have enabled the router to perform the functions of the internal firewall fairly effectively, but The router’s available ethernet interfaces were already taken up with user
LAN segments. Had the switches in the user portion of the LAN been capable of handling vlan trunking, this problem could have been alleviated. Unfortunately, they were
not. As a result, the addition of a restricted-access segment and a segment dedicated
to internal servers necessitated either the introduction of another device or a costly
hardware upgrade. The internal firewall runs Redhat Linux 9.0 with netfilter v. 1.2.7a.
©ª¬«Uª¬Ì
©ª¬«Uª_Í
ull
rig
ht
s.
This system inspects traffic traversing the DMZ (See 4.3.6). It is connected to one
of the Gigabit ethernet ports on the Cisco 2950 switch to which all devices on that
segment connect. Cisco SPAN is configured to copy all traffic to that port; the IDS
monitors all incoming, outgoing, and intra-segment traffic. It is configured to alert
on suspicious requests addressed to any of the servers and any unexpected activity
originating from any of the servers. It runs Snort, v. 2.0.1 on Redhat Linux 9.0.
rr
ho
©ª¬«UªÎ
eta
ins
f
This system inspects traffic traversing the internal server LAN segment. It is connected
to one of the Gigabit ethernet ports on the Cisco 2950 switch to which all devices on
that segment connect. Cisco SPAN is configured to copy all traffic to that port; the
IDS monitors all incoming, outgoing, and intra-segment traffic. It is configured to alert
on suspicious requests addressed to any of the servers and any unexpected activity
Key fingerprint
= AF19
2F94 998D
FDB5
DE3Dv.F8B5
A169 4E46
originating
from
any ofFA27
the servers.
It runs
Snort,
2.0.106E4
on Redhat
Linux 9.0.
In
Web Proxy Server
NS
©ª¬«Uªi®
sti
tu
te
20
00
-2
00
5,
A
ut
This system inspects traffic traversing the restricted access LAN segment. It is connected to one of the Gigabit ethernet ports on the Cisco 2950 switch to which all
devices on that segment connect. Cisco SPAN is configured to copy all traffic to that
port; the IDS monitors all incoming, outgoing, and intra-segment traffic. It is configured
to alert on any unencrypted communication with the Oracle service or any communication not originating from one of the application servers or the network management
workstation, either of which is a sure sign of trouble. It also will alert on attempts to get
unencrypted web traffic from any of the systems in this segment. The syslog server,
backup server, and network management workstation all run web services that allow
remote access to their management and reporting capabilities, but these connections
are all SSL-enabled to protect the network management data from being visible inside
GIAC Enterprises’ network to any but IT staff. This system runs Snort, v. 2.0.1 on
Redhat Linux 9.0.
©
SA
The web proxy server takes http, https, and ftp requests and fetches the requested
information on behalf of the connecting client (See 4.3.10). In the process, it offers
access control by requiring users to authenticate and limiting access to internet resources by matching the identity of the user with a list of ACLs based on the IP address/DNS hostname, URL, mime-type, request method, and a variety of other criteria. The proxy server is configured to block access to downloads of certain types of
files, such as Windows executables and script files (except from Microsoft’s automatic
ull
rig
ht
s.
ins
f
Internal
Domain Controller File/Print
Firewall DNS/DHCP Server
Server
(2.3.8)
10.1.5.13
10.1.5.10
10.1.5.1
eta
Cisco
Catalyst
2950
10.1.5.254
-2
00
File/Print
Server
10.1.5.12
te
20
00
IDS 4
(2.3.10)
5,
A
ut
ho
rr
Application/Groupware
Server
10.1.5.11
Intranet
Web Proxy
Web
Server
Server
(2.3.12) 10.1.5.15
10.1.5.14
¡Ç¢¤£¥¦È§ ¨ Internal Servers Network
©
SA
NS
In
sti
tu
RAS
Server
(2.3.16)
10.1.5.16
ull
rig
ht
s.
10.1.3.1
ins
f
Internal
Firewall
(2.3.8)
ho
rr
eta
Oracle
Database
Server
10.1.3.10
IDS 5
(2.3.11)
5,
A
00
-2
00
Syslog
Server
(2.3.14)
10.1.3.11
ut
Cisco
Catalyst
2950
10.1.3.254
20
Network
Management
Workstation
(2.3.15)
10.1.3.25
¡=¢¤£¥¦N§ ¨ Restricted-Access Network
©
SA
NS
In
sti
tu
te
Backup
Server
10.1.3.12
10.1.1.10
10.10.1.1
10.10.2.1
ull
rig
ht
s.
Cisco
3640
10.10.3.1
IDS 6
(2.3.13)
Support
(10.10.128/17)
ins
f
Corporate
(10.10.2/24)
rr
eta
ut
ho
Editorial
(10.10.3/24)
00
5,
A
¡Ç¢¬£¥¦È§ ¨ User Subnets
20
te
©ª¬«Uªi«
00
-2
updates site), MP3s, java archives, and all very large files. It will also filter out pornography to a limited degree. The server runs Squid 2.5.3 for proxying and caching and
DansGuard 2.6.1-3 for web content filtering on a Redhat 9.0 Linux system.
©
SA
NS
In
sti
tu
This system inspects traffic entering and leaving the user LAN segments. Ideally, the
IDS would be monitoring all traffic on each segment, including intra-segment traffic.
Unfortunately, the systems in these segments are attached to Cisco catalyst 2820
switches, which do not allow for SPAN ports. At some point in the future, the company
will invest in a switch upgrade. Until that time, it was decided to attach a hub to the port
leading out of each switch to the Cisco 3640 router and run the monitoring interface
for each segment into the hub to capture traffic entering and leaving the segment.
For the time being, this rather busy IDS will alert on suspicious requests originating
from the user segments and dangerous responses coming back. It will also alert on
suspicious incoming activity. The system runs Snort, v. 2.0.1 on Redhat Linux 9.0
with modifications to the system init scripts and snort rules to allow for independent
configuration and control of Snort for each sensor interface.
©ª¬«Uª©
Syslog Server
ull
rig
ht
s.
This system captures logs sent to it from every server and network device on the
GIAC Enterprises network (see 4.3.11). It uses syslog-ng, v. 1.6 to customize logging
sources and destinations so that system logs are automatically deposited in a SQL
database as well as in standard log files. It uses swatch 3.0.8 to analyze logs for
security violations and alert IT staff via pages, emails, and Windows desktop pop-ups
when detected. The Analysis Console for Intrusion Databases, v. 0.9.6b23 and phpsyslog-ng, v. 1.4 are used to provide web-based tools for searching and reporting on
security incidents. IT staff connect to the web-based interfaces using HTTPS with 2way authentication using RSA certificates signed by the Verisign Certificate Authority
and a negotiated encryption algorithm of minimum 128-bit key length. The system
runs Redhat Linux 9.0
ins
f
©ª¬«Uªi°
eta
Network Management Workstation
Key
= AF19
FA27
2F94 998D FDB5
DE3D
06E4 A169
Thisfingerprint
system acts
as the
management
console
forF8B5
configuration
of 4E46
network security.
From this system, updates to router and firewall configurations are permitted
ut
ho
rr
L A PWVS"TuTZ]\iS¸ÏbZ]|RStÐuSUwyVsuTSU\
©ª¯©ª Ñ ÒÓÔÖÕn×ØÒÚÙÒÛÎÜÝ!ÜÙ?Ó
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
To ease the administrative burden of staying up-to-date with security fixes on GIAC
Enterprises’ servers and workstations, all qualified systems will use a vendor’s patch
management distribution system. Systems that are not qualified will be slated for
replacement as soon as possible. In the meantime, non-qualified systems will be
kept up-to-date via scripted software installation with available patches. Both Redhat Network[32] and Windows Update[33] make available an automatic update feature with their patch management solutions. The Windows Update feature in Windows
2000/XP Professional and Windows 2000/2003 Server allows administrators to schedule automatic updates. All Windows 2000/XP workstations and Windows 2000/2003
servers will be scheduled to download and install available updates once per week.
Windows servers and workstations will be scheduled for updating early every Sunday
morning. Redhat Network’s automatic update feature does not yet allow for scheduled
updates. This is easily managed, however with a small shell script run from cron on a
weekly basis. This script will be run once per week early Sunday morning. In addition,
a staggered schedule of reboots will be set up through the Redhat Network so that
any updates are applied to daemons or the kernel as soon as possible after updates
are installed. The schedule will stagger the reboot of web server and database cluster
members so that at least one member of each cluster is available at all times.
To prevent large numbers of systems from attempting to carry out downloads of
updates over the internet, local update distribution will be used. Windows Software
Updates Service[34] will be deployed on the same Windows 2000 server that deploys
Sophos Anti-Virus updates. Redhat Network’s Satellite Server software[35] will be
installed on the web proxy server. All other systems in the company will be configured
to contact one of these two systems to fetch available updates.
7 0 , #888
ins
f
ull
rig
ht
s.
GIAC Enterprises Perimeter Security
Policy and Implementation
Þ Internet Firewall Security Policy
~LNK Overview
-2
~L{z
00
5,
A
ut
ho
rr
eta
The internet firewall’s security policy is designed to limit access from the internet to
a small set of TCP/IP hosts and services that have been available to the public or to
selected parties outside GIAC Enterprises network, limit access to the internet from
within GIAC Enterprises network to TCP/IP services approved for use by GIAC Enterprises employees, frustrate various techniques employed by network enumeration
and exploit tools, perform network address tanslation on the RFC 1918 IP addresses
used by systems in GIAC Enterprises network, limit access to the border router and
the firewall itself, and maintain a detailed log of all network activity supervised by the
firewall. We will examine the firewall settings that accomplish each of these tasks in
detail below. See B on page 69 for the complete configuration.
Border Router and Firewall Access Rules
©
SA
NS
In
sti
tu
te
20
00
Technical Support personnel may obtain virtual terminal access to the firewall via SSH
from company headquarters or a remote location, as specified in the global policy ruleset below. As mentioned above, the border router does not run a SSH server. Telnet
access is granted only from the firewall to the ethernet interface facing the firewall.
Access is granted to the firewall via its non-public interfaces implicitly as part of the
GIAC Enterprises private address space. The first rule includes access via SSH or
PCAnywhere. Since nearly every company system runs only one of these, one could
write a separate rule for each type of access. Unfortunately, there is no easy way to
separate out the two cases; each rule would have a long list of specific IP addresses
to which it applies. Technical Support would have the onerous job of maintaining this
long list whenever a particular device is added, removed, or changes its remote access configuration. The class C subnet 10.10.128.0/24 does not represent a physical
or virtual network segment; planning for the day when that can be a reality, the IP
addresses of all systems belonging to Technical Support were kept in this range. The
10.253.4/24 and 10.254.1/24 subnets represent Technical Support VPN and dialin access networks.
ß
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßAß àâáãâäºåÀæçèÖãâé6êëãÖì
ßAøÈùíôäÖä)óâîÀïñùÖëð6ãáâïÖòòÖéÖé)õ¼ôóô<õèûä)øüôëñõõóõÀïñäÀöé)é)ó5ôä<ýëâþâ÷¼ÿâöiùøÈùñïÖëÖä)óîî6ä äÖõâõôéúëãã
ß ýíÿ ð 5þø¼÷ Öæ ýíÿ
ð
Àÿ ý í ¼÷!å ]ö õ¼ôë6ô
ä âõ¼ôë)ôä
"!<þø¼
÷ Öæ ýíÿ
ð ÷Àÿ Öýæ í¼ ÷!#å h#å ]#å hå $ ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!<þø¼
ýíÿ
ð 5þø¼÷ Öæ hå
ýíÿ
ð Àÿ5þø¼÷ Öæ &ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüóô(õ $)'å *+ fö õÀôë)ô,ä âõÀôë)ô-ä "!Aþø¼÷Öæhå
ýíÿ
ð Aà .åÀæ
ýíÿ
å .åÈæâõ å 0$12 fö
õ¼ôë)ôäâõÀð ôë)Àÿ5ôä3þø¼÷ Ö"!Aæ àh/
ýíÿ
Key fingerprint
06E4 A169 4E46
ÿ5ô3ä þø¼÷ FA27
Öæ 2F94
h/
å 998D
âõ å FDB5
0$4h5
å DE3D
F8B5
fö
õ¼ôë)ôä âõÀð =ôë)ÀAF19
"!Aà .åÈæ
ýíÿ
å .åÈæâõ å ]å hå ]ö
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ àh/
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å $140 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
å ]#å h#å hä8å $ ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôåÀø¼æé6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
)õ¼ôë)ô7
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å $4h#å 0 ¼÷
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
#
)õ¼ôë)ô7
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å h8å hå À÷
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
#
)õ¼ôë)ô7
ýíÿ
ð 5þø¼÷ Öæ ýíÿ
)õ¼ôë)ô7
ä ð À9ÿ "!A:6à ÿþø¼à÷ ;ÖÀ÷!æ 8å ]ö õ¼ôë)ôä
ýíÿ
ð À9ÿ "!A:6à ÿþø¼à÷ ;ÖÀ÷!æ 5å h#å h#å ]å $ fö õÀôë)ôä
)õ¼ôë)ô7
ä
ýíÿ
ð5þø¼÷Öæ
ýíÿ
ù ÈòÖéüóô(õ $)'å *+ fö õÀôë)ô,ä âõÀôë)ô-ä "!Aþø¼÷ Öæ Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
õ¼ôýë)ôíÿä
âõÀð ôë)Àÿ5ôä3þø¼÷ Ö"!Aæà .åÈæâõ å0$12 fö
ýíÿ
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæà .åÈæâõ å0$4hå5 fö
ýíÿ
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ à .åÈæâõ å]åhå ]ö
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ å8$14 ¼÷
ù Èòé)óô-$) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $14 ¼÷
å]#å h#å "h!-8å à$ .¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ô,ä âõÀôë)ôä
#
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $2h#å ¼÷
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $2h#å ¼÷
å ]#å h#å "h!-8å à$ =AF19
#
¼÷äÖõ¼ôFA27
øÈùÖë)ôø¼2F94
é6'ù ÈòÖéüó998D
ô $)FDB5
fö õÀDE3D
ôë)ô,ä F8B5
âõÀôë)ôä 06E4 A169 4E46
Key fingerprint
.åÀæ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å hå ]å ¼÷
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å hå ]å ¼÷
å ]#å h#å "h!-8å à$ .¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ô,ä âõÀôë)ôä
#
ýíÿ
ð è À6ÿAãâä)àûä-ã )%.åÀæ6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôåÀ,æ )ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
ßßAàâýáíÿãâ
9ä ðåçèÖÀÿAãâé6àêëãÖì .åÀæ C!<ÿþþ ýí
ßßúð)ôë ??3ïÖé î6ë6ùñðð DAô9é ?øÀó"ä Öëãã ë6óäúëããâé Öä)÷ ôé<ôäãüùÖä69ô ?âóéÀö
?øÈóä ÖëãâãJôé-êÖé)ó÷ä6ó<óé6áôä69
ß ýíÿ ð Aà .å ó ?é)óAóäÀöé6ôä<ëâ÷¼öøNùøâõ¼ôóë)ôøüé64ù ýíÿ
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷!"#å !<h5å àh#å h
å .$ å
À÷äÖõ¼ôøNùÖë)ôøüéüù'ÈòÖéüóô- ]ö õ¼ôë)ôäâõ¼ôë)ôä3
ýíÿ
ð Àã ÿA)6à üãâé).EèÈå òóä ?]ö!ø @ãÖø]ANöà øÀ%ô 6ãÖ9å ø]öJøÈ<ô ÿþ)þÈöýøÈùâBí áôA ä "!9
:=
üãâé)E
è
6ã)ä)ûä7
ýíÿ
ðÀÿAà.å C!<ÿþþýí
Inbound Access Rules
SA
~L
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
©
Generally, responses to outbound requests are allowed into the network. The range
of responses is largely limited by restrictions on outbound requests. Additionally, most
types of inbound ICMP are blocked regardless of whether they come in response to
outbound requests. Only echo replies and unreachables (ICMP type 3) are allowed
in, and only in response to an outbound request. Fragmented packets are blocked,
except
for fragmented
AH or2F94
ESP998D
packets
bound
the public
IP address
Key fingerprint
= AF19 FA27
FDB5
DE3DforF8B5
06E4 A169
4E46 of the VPN
gateway. This exception is granted to allow for oversize packets resulting from IPSec
encapsulation in cases where pMTU discovery fails between the IPSec gateways.
Below are relevant snippets from the firewall configuration script, with extra comments
added to clarify:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßAßúàâëáããâã<äé)õôâïëÖä)îóAî6ä6óâòáôãâøÈùäÖèõ òëÖîCFä)ôõôâïÖë)ôúë)óä òÖë6óôúé?ñäõ¼ôë6êãøâõÀïÖäâ÷Aî6é6ùùäÖî¼ôøüéüùõ+òóäÖî6äâ÷ä
ýíÿ
üãâé)E
è Èòóäð ?Àø ô5@÷âANàó
éüGò<ÈÿHG;à
:6-ýH)ý ÿI=A "!9
:= 6ã)é)èE6ãâä6ûäã-)
ýíÿ
ð Àÿ ý í ]ö õ¼ôë6ôä âõ¼ôë)ôä
ð6íÿ ð D;* à âÿ)í ;9"!<ÿþþ âýí
ýíÿ
ð Àÿ :Cíâý í ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ
ð À9ÿ :6à ÿà ;%]ö õ¼ôë6ôä âõ¼ôë)ôä
ß
Key fingerprint
ßßAàâáãâäºåçÆ=ä)ôâAF19
ì
ï
ß
ß ;óé6ò öéõ¼ôAô âòÖäÖõé ?pøÈùâêÖé6áù÷ þ J4ý K@î6ä6òôøüé6ùõë)óä
9
áùóäëÖîÀïë6êãâäÖõlë6ù÷úäÖîÀïé<óä6òãÖøüäLõ í)ïÖäÖõ6äAë)óäñî6é6ûä)óäâ÷ ê
ôâïä<èä6ùÖä)óø)îóâáãâäAëãã)é øÈù3è ð)íÿ ð D;<ë6ù÷<à âÿí ;
ôóë ??øâîêÖëÖCî FºøÈùôé<ô)ïÖä<ùä)ô Öé)ó F4Mä5÷éü2ù Nô
õÀòäÖîCø ?ø)î6ëãã öä6ùôøüé6ùúäÖîÈïÖé-óä O)áÖäõ¼ôõlêÖäî6ë6áõ6-ä ä5ë6óä
èéÖøÈùè<ôé5ëããâ"é úô)ïÖäÀöñôé<ôâïÖQä Pý 5èë)ôä Öë òâáêãÖøâî
êßøÈùã)ôéÖä)îCóF?äâ÷Jëî6ïÖRä ä)*uóëüäù ÷5ô)ïÖä QÖé6ù Nôöë Fä øÀôAôâïÖä6óä Cø ?5ô)ïÖä úë)óä
ýíÿ
ð úä)ôâ
ï . Sù .üà .å
ýíÿ
ð Àïÿ . ýSù .6íà ø.å ä)ôâï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
"!5ä)ôâ
ýíÿ
ð
Àÿ ý í ø ä)ôâ
$
"!5ä)ôâ
ï . Sù .6à .å ï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
ýíÿ
$å
"!5ä)ôâ
ýíÿ
$
"!5ä)ôâ
ýíÿ
ð
$
"!5ä)ôâ
ï . Sù .6à .å ï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
ýíÿ
ð Àÿ ï . ý Sù í.üà ø .ä)å ôâï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
å "!5ä)ôâ
ýíÿ
ð
Tå "!5ä)ôâ
ï . Sù .üà .å ï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
ýíÿ
å $
"!5ä)ôâ
ýíÿ
å )
"!5ä)ôâ
Key fingerprint
ýíÿ
ð =ÀAF19
ÿ ý FA27
í ø 2F94
ä)ôâï ,998D
Èò!øâîhöFDB5
ò øâDE3D
î]öÖ'ò Àô )òF8B5
Öä 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
æ "!5ä)ôâï. ùS.6à.å
ýíÿ
ðÀÿ ýí ø ä)ôâï,Èò!øâîhöò øâî]öÖò'Àô)òÖä
å "!5ä)ôâï
. ùS.üà.å
ýíÿ
ð
Àÿ ý í ø ä)ôâï,Èò!øâîhöò øâî]öÖò'Àô)òÖä
"!5ä)ôâ
ï . Sù .üà .å
ýíÿ
ð Àÿ ï . ý Sù í.üà ø .ä)å ôâï ,Èò!øâîhöò øâî]öÖò'Àô)òÖä
"!5ä)ôâ
ýíÿ
ð Àï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖòEÀôâòÖä
"!5ä)ôâ
ýíÿ
ð Àï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖòEÀôâòÖä
$
"!5ä)ôâ
ýíÿ
ð Àï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
$å
"!5ä)ôâ
ýíÿ
$
"!5ä)ôâ
ýíÿ
$
"!5ä)ôâ
Key fingerprint
=ÀAF19
998D
ýíÿ
ð
ÿ
9
:6à ÿFA27
à ; 2F94
âø ä6ôâ
ï
,Èò!FDB5
â
ø
h
î
Ö
ö
ò
DE3D
øâîhöÖE
ò
ÀF8B5
ô âòÖä 06E4 A169 4E46
å "!5ä)ôâ
ï . Sù .üà .å
ýíÿ
ð À9ÿ ï :6. à ÿSù .üàà ; â.ø å ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
Tå "!5ä)ôâ
ýíÿ
å $
"!5ä)ôâ
ýíÿ
å )
"!5ä)ôâ
æ ý íÿ "!5ð ä)ôâÀï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
ýíÿ
å "!5ä)ôâ
ýíÿ
"!5ä)ôâ
ýíÿ
"!5ä)ôâ
ýíÿ
ð Àÿúä)ôâ
ï . Sù .üà .å ]öpãÖø]öiøÀ6ô 6ãÖø]öiøÀô
)NöøÈùáô
ä "!9
:= 6ã)é)Eè 6ãâä6ûäUã B6ã)é)Eè Èòóä ?ø @AVÿ ;
þJý6U;WGA
ýíÿ
ð Àÿúä)ôâ
ï . Sù .üà .å "!&;à :6ý
ßß ßAß àâáãâä9çÆä)ôâïiå)ì
ßAÿÖããâ"é ºøÈùôä)ó)ùÖä)ô-ïÖéÖõÀôõôé-òøÈùèAôâïÖQä Pý 5èë)ôä Öë 4XÖä
ëãâãâé Aôâïø)3õ ?é)óúôäÖõ¼ôøÈùQè Pý î6é6ùâùÖäÖî¼ôøÈûøÀô úøâõõÀáÖäLõ àë6ôä5ãÖø]öøÀôøÈùèAë6òâòãÖøüäÖõôé<ô)ïÖä<òøÈùè<óä O6áÖäÖõ¼ôYõ XÖä
ëãÖãâøföãâéøÀAôäâó÷Jä6êòÖúôãÖøü)äÖïÖõäºôé<øNùèôéä)óâêÖùëÖä)&ôî F?*uøÀêóáä ôAÖëôâãïÖRã ä- ô âòäÖõ ëããâé äâ÷Aë)óä
ß ýíÿ
ðúä)ôâï_åC. ùS.üà.
ýíÿ
ðÀÿ9:6àÿà; âø ä6ôâïiåQÈò!øâîhöÖò À÷1å#]å#hå#
âä)ô)ïiøâîhåCöÖ. ò' ùÈô.6âòàÖä-
. föõ¼ôë)ôäâõÀôë)ôä3 "!
ýíÿ
ðÀÿúä)ôâï_åC. ùS.üà.
]öpãÖø]öiøÀô66ãÖø]öiøÀô
õ6äÖî6é6ù
÷
6ãÖøföøÀE
ô
Èêâáóõ¼3
ô
$6C!<
:= 6ãâé)>
üãâé)E
è Èòóä ?ø @ANà 6Jÿþþ ýBí A è 6ãâä)ûä-ã )
ýíÿ
ð À6ÿúãÖøföä)ôâøÀï_Eô CåÈêâ. á Sùó.üõ¼à3ô $6C.!A ÿþâþ ]öpýí ãÖø]öiøÀ6ô 6ãÖø]öiøÀô
õ6äÖî6é6ù
÷
ýíÿ
ð úä)ôâï_Cå .:üá
ô .6à .
ýíÿ
ð Àÿ :Cíâý í üé5ä)ôâï_&å Nò!ø)îhöÖò ¼÷p#å h5å h#å âøâîhöÖ'
ò
Èô âòÖä)ô)ïiåC.:üáô.6àä . föõ¼ôë)ôä âõÀôë)ô3ä "!
ýíÿ
ð À9ÿ :6à ÿà ; ¼é5ä6ôâïiQå Èò!øâîhöÖò À÷1#å ]#å h#å âøâîhöÖ'
ò
Èô âòÖä)ô)ïiCå .:üáô .6à ä . föõ¼ôë)ôä âõÀôë)ô3ä "!
ýíÿ
ð Àÿúä)ôâï_Cå .:üá
ô .6à . fö1ãÖøföøÀ%ô 6ãø]öøÀô
õ6äÖî6é6ù
÷ =6AF19
ãÖøföøÀEô ÈFA27
êâáóõ¼3ô 2F94
$6C!<998D
:= FDB5
6ãâé)>
è 6ãâDE3D
ä)ûä-ã ) F8B5 06E4 A169 4E46
Key fingerprint
üãâé)èEÈòóä?ø@ANà
6JÿþþýíBA
ýíÿ
ð À6ÿúãÖøföä)ôâøÀï_Eô CåÈêâ.á:üáó
ôõ¼.63ô à $6
C!A. ÿþâþ ýfö1í ãÖøföøÀ%ô 6ãø]öøÀô
õ6äÖî6é6ù
÷
ýíÿ
ho
rr
eta
ins
f
ull
rig
ht
s.
5,
A
ut
Here are the rules allowing IPSec packets, possibly fragmented, to and from the VPN
gateway interface and blocking all others:
ßß
©
SA
NS
In
sti
tu
te
20
00
-2
00
Aßß àâáãâä9çÆä)ôâïiå)ì
èßAß ë6ÿÖôãäÖãâé"ëºN]øÈõlùòôáä)êÖó)ùÖãÖä)øâô-îAïÖøÈùéÖôõÀôä)óõ?ôëÖéîüä-î6?é6ùé)ùÖó äî¼ýô-ðâôäÖé&îL Pý
ýíÿ
ð 5þø¼÷ )ææ ýíÿ
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò5á÷)ò ¼÷på#hå5hå#
þøÀ÷ ¼÷äÖõ¼
ôøÈ)ùæë)æôøü0 é6Eù ÈòÖé6óâ3ô $ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $ ¼÷!)âææ#å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $å ¼÷!)âææ#å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å _å
"!<à í à ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å hå )
"!<à í à ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ å 0
"!<à í à ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å "!<à í à ýíÿ
ð =ÀAF19
ÿ5þø¼÷ FA27
)2F94
ææ 998D
ø ä)ôâï_
å âõ DE3D
å h#å F8B5
#
Key fingerprint
FDB5
06E4 A169 4E46
<à í à
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å ù üàææ ø ä)ôâï_å âõ å hå _å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiå ùæ6æ à ø ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å ù üà
]ö1ãø]öøÀô üãÖø]öøÀô
NJöÿøÈùþáþ ôýä í
6ã)é)è 6ãâä6ûäã 6ã)é)è Èòóä ø ýð þ
ýýííÿÿ ðð Àÿú5þä)ôâø¼ï_÷ å ù üàææ hå
Aÿþâþ ýí
ýíÿ ð Àÿ íâý í üé5ä)ôâï_å Nò5á÷)ò ¼÷!å hå hå
þøÀ÷ ¼÷äÖõ¼ôøÈùæë)æôøü]åé6ù ÈòÖé6óâô ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ]ö1õ¼ð ôë)Àÿôä íâ)ýõ¼ôíë)ôä üé5ä)ôâï_å ANòþø¼÷ À÷!âæå æ hå håhå
ýíÿ ð Àÿ íâý í üé5ä)ôâï_å Nò å À÷!å hå hå
A]þö1ø¼÷ õ¼ôë)ôä æâæ õ¼ôhë)å ôä
ýíÿ ð Àÿ 6à ÿà ¼é5ä6ôâïiå Èò5á÷)ò ¼÷på hå hå
Àõ¼ô÷ë)ôäÖäõ¼ôøNùÖâõÀë)ôôë)øüôéüäù ÈòÖéüóô 5þø¼÷]ö ææ hå
ýíÿ ]ö1õ¼ð ôë)Àÿôä 6à)ÿõ¼ôàë)ôä ¼é5ä6ôâïiAå þÈòø¼÷ ¼÷!âææå hhåå hå
ýíÿ ]ö1õ¼ð ôë)Àÿôä 6à)ÿõ¼ôàë)ôä ¼é5ä6ôâïiAå þÈòø¼÷ å ¼÷!âææå hhåå hå
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å hå hå _å
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å hå hå hå
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å hå hå
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å hå
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å üáô 6àææ hå üé5ä)ôâï_å âõ å hå _å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiå üáæôæ ühà å üé5ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å üáô 6à
]ö!ãÖø]öøÈô 6ãÖø]öøÈô
Aÿþþ ýí
ßß ýíÿ ð Àÿúä)ôâï_å üáô 6à
ßAß àâáãâäºåçÆä)ôâïiå)ì
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"! ) # #
"! C. S. ..
) 7
"!
. S. ..
C. S. ..
%
)
"!9
:= E
-)% E ? @A 5A
C. S. ..
C!
) C: &
# # 5
E
3$ 3
"!
) :C & ,$ 5 # #0
C?
,
3
"!
) :C & ,$
5 # #0
?
Key fingerprint
=
AF19
FA27
2F94
998D
FDB5
DE3D F8B5 06E4 A169 4E46
,
-
"!
) 9: ; Q
# 5 #
'
-$ 3
"!
) 9: ; Q ,$ # # 5
C?
,
3
"!
) 9: ; Q ,$
# # 5
C?
,
3
"!
) ) /
# # 5
"! ) /
# # 5 )
"! ) /
0
"! ) /
# # 5
"! ) /
# #
"! ) /
# #
"! C.: . ..
) /
7
"!
.: . ..
C.: . ..
B
)
"!9
:= E
-)% E ? @A 5A
C.: . ..
"!
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßAÿÖããâé"AôâïÖä-òáêãÖø)îAøÈùôä)ó?ëÖî6ä-é?Aô)ïÖä9PâýAèë)ôäë<ôé
î6éüùùÖäÖî¼-ô øÀôâïñé)ôâïä)óºøÈùôä)ó)ùÖä)ô ïÖéõ¼ô7õ ?é)ó ýðâäÖLî þ)äá@óî6óä6òä6ùô<ôôã é*
øÈùô)ïÖøÈôäAøüèë)ë)ôôä7ä FÖäë ø<÷Èùéè-äÖùÖõä)ùÖèé6é)ôñôøüëë)ôî¼ôâøüáÖéüùëãâõLã <÷é<ôâïøâ#õ *
ß ýíÿ ð 5þø¼÷ þ ýíÿ
ð Àÿ ý í ø ä)ôâïiQå Èò5á÷)ò )õ 5å h#å h#å 0
þÀøÀ÷÷äÖõ¼ôþøNùÖ
ë)ôøüéü0'ù ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ
ð
Àÿ ý í ø ä)ôâïiQ
C?
]ö1õ¼ôë)ô,
ä )õ¼ôë)ô3ä å "!AÈ,ò þ$ø¼÷ âþõ #å h5å h#å ýíÿ
ð Àÿ ä ý)õ¼íôë)ô3ä ø ä)ôâïiQå "!AÈ,ò þ$ø¼÷å âþõ #å h5å h#å C?
]ö1õ¼ôë)ô,
ýíÿ
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò5á÷)ò âõñ#å h5å h#å À÷äÖõ¼ôøNùÖë)ôøüéü'
þøÀ÷þ
0ù ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ
ð ôë)ÀAF19
ÿô,ä :6à)ÿõ¼FA27
9
ôàë)ô; 3ä 2F94
âø ä6ôâïiQ
å È,ò $ þ âõ DE3D
å h#å h5å F8B5
#
Key fingerprint
06E4 A169 4E46
C?
]ö1õ¼=
"998D
!Aþø¼÷ FDB5
ýíÿ
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $å þ âõ #å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å h5å hå )
"!<à í à ýíÿ
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å h5å _å
"!<à í à ýíÿ
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å _å
"!<à í à ýíÿ
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å "!<à í à ýíÿ
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å h5å "!<à í à ýíÿ
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!å 0
"!<à í à ýíÿ
ðúä)ôâï_åC. ùS.üà.åC.
ýíÿ
)õ¼ôë)ô7
ä ð Àÿ5þ"!5ø¼÷ ä)ôâïiþå .
Sù.6à .ø å .ä) ôâï_å ]ö õ¼ôë)ôä
ýíÿ
ð Àÿúä)ôâï_Cå . Sù .üà .Cå . ]ö1ãø]öøÀ%ô üãÖø]öøÀô
)NöøÈùáô
ä "!9
:= 6ã)é)Eè 6ãâä6ûä-ã )%6ã)é)Eè Èòóä ?ø @A ýð þ
JÿþþýíBA
ýíÿ
ðð Àÿú5þä)ôâø¼ï_÷ Cå . Sùþ .üà
h.å Cå . C!Aÿþâþ ýí
ýíÿ
ýíÿ
ð À9ÿ :6à ÿà ; ¼é5ä6ôâïiQå Èò5á÷)ò âõñ#å h5å h#å À÷äÖõ¼ôøNùÖë)ôøüéü'
þøÀ÷þ
]ù å ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ
ð À9ÿ :6à ÿà ; ¼é5ä6ôâïi"!AQå þÈ,òø¼÷$ þâõ #å hh#åå h5å C?
]ö1õ¼ôë)ôä,)õ¼ôë)ôä3
ýíÿ
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä ¼é5ä6ôâïi"!AQå þÈ,òø¼÷ $å þ âõ #å hh#åå h5å C?
]ö1õ¼ôë)ô,
ýíÿ
ð Àÿ5þø¼÷ þ h/
å üé5ä)ôâï_å ¼÷!#å h#å h5å hå )
"!<à í à = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å üáþ ô 6à hå å üé5ä)ôâï_å ¼÷!å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiþå üáô ühà å üé5å ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å üáô 6à å ]ö!ãÖø]öøÈô 6ãÖø]öøÈô
ýíÿ ð Àÿúä)ôâï_å üáô 6à å Aÿþþ ýí
ßßAàâáãâ9ä çèÖãâé6êÖëãÖì
ß
ß<êãâéÖî F9?âóë)èüöä6ùôõLMóë6èüöä6ùôäâ÷òÖëÖîFä)ôõô)ïÖë)ôúë)óä-òÖë)óô
é ?úë6ù5ÿ Dñé)<
ó ð)ý<òÖëÖCî Fä)ô<ôé<ôâïÖQä Pý Aèë)ôä Öë 5ë)óä
ä @î6ä6òôä)2
÷ çÆðääAä)ôâïiålóâáÖãâäÖõYì íâïÖä úë)óä5ëããâé Öä)÷-ôâïÖä)óä
êÖôäéâéúî6ë6áã)ë)õ6óäJèôâ&ä ïÖ?ä5é)óúä @ôé6áóóAë ò ýøÈòÖðäÖäÖLõî ïÖäë)÷ä)óõ%öë -öë Fä ôâïÖä-òÖëÖî Fä)ô
ß ýíÿ
ðAà.
ýíÿ
ðð ÀÀÿÿ :C íâý ý 6í %í Èò1Èò!øNòøÈò C?C? "!-C!Aà à ..
ýíÿ
ýíÿ
ðÀÿ9:6àÿà;%Èò!øÈò
C?
"!Aà.
ýíÿ
ð
ÀÿAà .
fö!ãø]öøÀ6
ô
6ãø]öøÀ9
ô )ÈöøÈùáôä "!
:= 6ãâé)>
è
6ãâä)ûäãú&
å
6ãâé)>
è
Èòóä ?ø @,AVàÿ =%U;W5A
ýíÿ
ðÀÿAà. "!&;à:üý
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
/
# # 5
"! /
# #
"! /
# #
"! /
# # 5
"! /
0
"! C.: . . C.
/
7
"!
.: . . C.
C.: . . C.
B
)
"!9
:= E
-)% E ? @A BA
C.: . . C.
"!
Key fingerprint
©
SA
NS
In
sti
A large subset of TCP scanning techniques, including ACK, FIN, null and xmas tree
scans, is blocked. The rules do not try to detect SYN (half-open) scans, since these
cannot easily be differentiated from legitimate connection attempts by Netfilter until the
prober sends a RST packet. By then, it is already too late. We leave it to the IDS1
system to detect and respond to SYN scans. While it is likely that a very stealthy SYN
probe could fly under the IDS, most will get caught. The firewall responds to detected
probes by dropping the offending packets. The decision to react this way is a trade-off.
On the positive side, dropping the scan packets prevents the attacker from receiving
anything from the security devices themselves. Were we to send TCP RSTs or ICMP
unreachables in response to the probes, the attacker could use passive fingerprinting
to guess the OS and possibly the firewalling software we are running on the security
devices. In the case of ICMP unreachables, we would also be giving him the public
IP address of the firewall. Even in the case of a TCP RST, the response packet will
eta
ins
f
ull
rig
ht
s.
contain information (TTL and TCP Window size are two examples) that could tip the
attacker to the presence and nature of the firewall. This assumes that the attacker has
packets from the target host with which to make comparisons, but obtaining these is a
trivial exercise. On the negative side, this makes all ports appear open – or filtered –
to the probing system.[36] A savvy attacker would recognize that a security device is
filtering responses to his probes. A newbie may just go ahead and launch his favorite
attacks on the target.
What would the prober learn about the network by attacking this design? First, he
could learn that SYN scans are treated differently from other types of scans. A simple
TCP connect scan – until it is blocked by the IDS – would show that only ports for
which we allow inbound connections are open. The other scans would show all ports
open. A comparison of results would tell the prober that one or more security devices
have intervened. He is likely to figure out that TCP connections are blocked except to
a few ports and that the filtering devices are configured to drop all TCP scan packets
of certain types. The prober would eventually figure this out no matter what kind of
Key fingerprint
= AF19 FA27
2F94 this
998Dway,
FDB5
F8B5
A169 4E46 that will help
response
we designed.
At least
theDE3D
prober
gets06E4
no information
him attack the security devices themselves. Here is the relevant ruleset with additional
comments:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
ßßAàâáãâäºåçèÖãâé6êÖëãÖì
ß
ß9;óé6òñð)ôäëã6ôâï õâî6ë6ùõLXé)óüöëãã*ué6òÖä6ùAòÖé)óâôõJ÷âóé6òAêÖë)÷<òëÖîCFä)ôõZ*
ïø6ãâäúî)ãâéõ6äâ÷ òÖé)óâôõAõ6ä6ù÷5ë<íþâýAàð)4
óß äõÀòÖé6ùõüä-ë6ù÷Jöë FäÖõ ëããòÖé)óôõ-ëüòòÖíäë)ó5íâïéüòÖøâä6õ[ù ê ãâéÖCî FõôâïÖä<÷äÖõ¼ôøÈùÖë)ôø¼é6ù
ýíÿ
ðAà.å
ýíÿ
ðð ÀÀÿÿ :C:Cíâíâýý %í%í ÈÈòúòúôôîÀîÀòò ÈÈôôîÀîÀ'ò'ò CC??ãâãâë)ë)èèõ\õ ÿ à&=*ý:ð D * 7C!<àà =R*ýð.Då *0 "!<à.å
ýíÿ
ýíÿ
]ö õ¼ôë6ô
ä ð Àâÿõ¼ô:Cë)ôíâ3ä ý %í ÈòCó!<é)àôéÖîüé.ãJå ôîÀBò ÈôîÀ'ò C?ãâë)èõð W*ÿþ ]*àð6í * U ýíÿ
ð Àÿ :C"!<íâàý %í
.Èå òóé)ôéÖîüéãJôîÀBò ÈôîÀ'ò C?ãâë)èõÿþ ]Aÿþ ]B]ö1õ¼ôë)ôä
)õ¼ôë)ô7
ä
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò ÀôîÀ'ò C?ã)ë)èõlÿ <
: "!<à .å
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò ÀôîÀ'ò C?ã)ë)èõlÿ &à =*ÿþ ]*ýð D*àð)Rí *Æð W*0 "!<à .å
ýíÿ
ð
Àÿ ý 6
í
Èòóé6ôéÖî6éãôîÀB
ò
ÀôîÀ'
ò
C?ã)ë)èõð W*ÿþ ]*àð)
í
* 7 ]ö õ¼ôë6ô
ä âõ¼ôë)ô3ä C!<à .å
ýíÿ
ð Àÿ "!<ý à 6í .Èòå óé6ôéÖî6éãôîÀBò ÀôîÀ'ò C?ã)ë)èõlÿþ ]úÿþ ]6]öõÀôë)ôä
)õ¼ôë)ô7
ä
ýíÿ
ðÀÿ9:6àÿà;%ÈòúôîÀò
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò ÀÀôôîÀîÀò''ò ??ãâãâë)ë)èèõ+^õ ÿà9=R*ý:ð D *0 7"!<àà =*ýð.Då * "!<à .å
ýíÿ
ð À9ÿ :6à ÿà ;%CNò!<óàé)ôéî6.éãå ôîÀ_ò ÀôîÀ'ò ?ãâë)èõð W* ÿþ ]*àð)í * 7 ]ö õ¼ôë6ôäâõ¼ôë)ôä3
ýíÿ
ð À9ÿ "!<:6à ÿàà ;%.å Nòóé)ôéî6éãôîÀ_ò ÀôîÀ'ò ?ãâë)èõÿþ ]Aÿþ ]6]ö õ¼ôë6ôä
)õ¼ôë)ôä7
ýíÿ
ð ?Àø ÿA@à ANíþ)ýñ.ðå î6ë6Bù fö!7ã;ø]öøÀ6ôWGA 6ãø]öøÀ9ô )ÈöøÈùáôä "!&
:= üãâé)Eè 6ã)ä)ûä`ã ü
â
ã
)
é
è
E
È
ò

ó
ä

ýíÿ
ðÀÿAà.å
à üý
"!&; :
ull
rig
ht
s.
Inbound connections to the email gateway’s SMTP services and web/portal server’s
web services are allowed generally. VPN clients are also allowed inbound connections from the VPN gateway’s private interface to a number of services on the internal
server network. Technical Support personnel are also allowed access to all internal
systems via SSH or PCAnywhere, as noted above 5.2 on page 32, and to the telnet service on some legacy Cisco switches. Here are the relevant snippets from the
firewall configuration script, with additional comments:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ßßAàâáãâä9çèÖãâé6êÖëãÖì
ßßQùóäõ¼ôóøâîÀôäâ7÷ ä6êñëÖîî6äÖõâõôé&ä6êSüòÖé6óôëã-õ6ä)óûä6ó
ß ýíÿ ð Aà .
Key fingerprint
ýíÿ
ð =ÀAF19
ÿ :Cíâý FA27
%
í Èòú2F94
ôîÀò 998D
]ö5öÖáãüFDB5
ôøÈòÖé)óâô DE3D
¼÷ F8B5 06E4 A169 4E46
å h#
å 14ä 0 ¼÷äÖ"!<õ¼ôà øÈùë)
ô.øüé6Eù Èòé)ó)ô(õ R*
]ö1õ¼ôë6ôä
)õ¼ôë)ô7
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô À÷
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)ô(õ R*
]ö1õ¼ôë6ôä
)õ¼ôë)ôä7
"!<à
.
ýíÿ
ð ÀÿAà . fö!ãø]öøÀ6ô 6ãø]öøÀ9ô )ÈöøÈùáôä "!
:= 6ãâé)>
ÿþâ ýþ íýÿ Bí A ð è À6ÿAãâä)àûä-ã )%. 6ãâ"!<é)>è ÿÈòþþóä ý?í ø @,Ahà %
ßßQùóäõ¼ôóøâîÀôäâ÷-ðJíý5ëÖîîüäÖõõôé5äÀöëøüã-èë)ôäÖë
ß ýíÿ ð Aà .
ýíÿ
ð Àÿ :Cíâý %í ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô ¼÷
å h#
å 140 ¼÷äÖ"!<õ¼ôàøÈùë)
ô.øüé6Eù Èòé)ó)ô(õ $R*)$ ]ö1õ¼ôë6ôä
)õ¼ôë)ôä7
ýíÿ
å h#
)õ¼ôë)ô7
ýíÿ
ð è À6ÿAãâä)àûä-ã )%. 6ãâé)fö!>è Èòãóø]öä ?øÀ6ô ø @,6Ahàãø]öøÀ9ô %)ÈöøÈÿùþáþôä ýBí"! A
:= 6ãâé)>
ýíÿ
ð ÀÿAà . "!<ÿþþ ýí
ßßAàâ áãâäºåçèÖãâé6êëãÖì
ß
ûßAß ë6ÿÖóãøü3ãé6áPõ ý Aõ6ä)áóûõ6ä6ø)óî6äÖõõ èä)ôúëÖîîüäÖõõôé øÈùôä6óâùÖëãAõüä)óûä)ó7õ ?é)ó
Key fingerprint
ýíÿ
ð =AF19
Aà FA27
.å 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
_
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò fö5öáã6ôøÈòé)óô )õ
å
å À÷!å hå
¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)óâôõ
æå âæ æ Èå ]öõÀôë)ôä âõÀ)ôæ ë)ôä
<à )æ å Nå
å å åå À÷!]ö å õ¼ôhë)å ôä âõ¼ôë)ôä ¼÷äÖõ¼ôøÈù-ë)ôà øüé6ù Èòé)å óâôõ
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò fö5öáã6ôøÈòé)óô )õ
åå Èå å Àfö÷!õÀå ôë)hôå ä âõÀôë)ôä ¼÷äÖõ¼ôøÈ<ùë)àôøüé6ù Èòå é)óâôõ
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã å 6ãâé)è]ö!ÈòãÖóø]ä öøÀø ô hà6ãÖø]ö!øÈôå ÈöJøÈÿùâþáþôâä ýí
ýíÿ ð ÀÿAà å <ÿþþ ýí
ßßAàâáãâäºåÀæçèÖãâé6êëãÖì
ß
Key fingerprint
ßAíäÖîÀïñð6áâ=òòÖAF19
é)óô<èä)FA27
ôõóäÀö2F94
é)ôä<ëâ998D
÷¼öiøÈùñëÖFDB5
îî6äÖõâõDE3D
ôéúëãã F8B5 06E4 A169 4E46
ýßøÈùþ)ôÿâùä)óâùÖïëä)ãóïÖä éÖõ¼ôõ-ëüù÷<ôâïÖä êÖé)ó÷ä)ó<óé6áôä)ó<ûøüëñõõÀï é)ó
ýíÿ
ð ÷Àÿ Öýæ í¼ ÷!å ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!<þø¼
ýíÿ
ð
Àÿ ý í ¼÷!#
å h#å ]#å hå $ ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!<þø¼
÷
Öæ ýíÿ
ýíÿ
ýíÿ
ð Aà .åÀæ
ýíÿ
ýíÿ
å .åÈæâõ å 0$4h5å fö
ýíÿ
å .åÈæâõ å ]å hå ]ö
ýíÿ
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
#
)õ¼ôë)ô7
ýíÿ
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
å ]#å h#å h8å $ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
9: ;%
$0 8) 8 #$ E
R* $L*
R*
$R*+R*a R*+))L*+)Y*+) R*+$R*a$Y*
)$R* TL*
R*+ ,
-
"! . 9: ;%
$0 8) 8 #$ E
R*+ '*aR*+ 8 3
"! . 9: ;%
$0 8) 8 #$ E
R* L*+$R*+ ,
-
"! . . %
<)
"!
:= >
-)% > ? @,A ,
BA
. C!
)õ¼ôë)ôä
<à åÀæ
ýíÿ ð Àÿ ý í Èòúá÷)ò âõ å hå hå
À÷
å )õ¼ôë)ôä ¼<÷äÖà õÀôøÈùÖë)ôåÀæøüé6ù Èòé)óô
]ö õ¼ôë)ôä
ýíÿ ð Àÿ ý í Èòúá÷)ò âõ å hå hå
À÷
å )]õ¼å ôhë)å ôhäå ¼÷<äÖõ¼àôøÈùÖë)ôåÀø¼æé6ù ÈòÖéüóô
fö õÀôë)ôä
ýíÿ ð 5þø¼÷ Öæ
]ö õ¼ôë)ôä
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ ÖÀ÷!æ å
)ýýõ¼íôíÿÿë)ôä ðð Àÿ5þA6ø¼à÷ ÿþø¼à÷ Öæ ÖÀ÷!æ å hå hå ]å fö õÀôë)ôä
ýíÿ ð Àÿ5þø¼÷ Öæ ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô
ÀA÷þäÖõ¼ø¼ô÷ øNùÖë)Öôæøüéüù ÈòÖéüóôõ å fö õÀôë)ôä âõÀôë)ôä
fö
õ¼ôýë)ôíÿä âõÀð ôë)Àÿ5ôä þø¼÷ ÖAæ à åÈæâõ å
fö
õ¼ôýë)ôíÿä âõÀð ôë)Àÿ5ôä þø¼÷ ÖAæ à åÈæâõ å hå
]ö
õ¼ôýë)ôíÿä âõÀð ôë)Àÿ5ôä þø¼÷ ÖAæ à åÈæâõ å ]å hå
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å
¼÷
]ö õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å
¼÷
å ]å hå h-å à ¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6ù ÈòÖéüóô
fö õÀôë)ôä âõÀôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
¼÷
]ö õ¼ôë)ôä
¼÷
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå ]å
¼÷
]ö õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå ]å
¼÷
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã åÀæ 6ãâé)è]ö!ÈòãÖóø]ä öøÀø ô hà6ãÖø]ö!øÈôåÀæ ÈöJøÈÿùâþáþôâä ýí
ýíÿ ð ÀÿAà åÀæ <ÿþþ ýí
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
7
"! .
6
8 0 '
-$) 7
"! .
6
8 # # # 8$ '
-$) 7
"! .
9: ; 8 7
"!
9: ; 5 # # $ 7
"!
&
'
($) '*+ ,
-
"!
0$12 Key fingerprint
= AF19
3 FA27
"! 2F94
. 998D FDB5 DE3D F8B5 06E4 A169 4E46
0$4 5 3
"! .
3
"! .
9: ;%
8$14 0 '
-$) 7
"! .
9: ;%
8$14 # # # 8$ '
-$) ,
"! .
9: ;%
8$2 # 0 '
-$) 7
"! .
9: ;%
8$2 # # # # 8$ '
-$) ,
"! .
9: ;%
8 0 '
-$) 7
"! .
9: ;%
8 # # # 8$ '
-$) ,
"! .
.
%
<)
"!
:= >
-)% > ? @,A ,
BA
.
C!
All the systems on the network perimeter are allowed to send SNMP traps or informs
to a network management station inside GIAC Enterprises network. DMZ hosts are
Key fingerprint
= AF19from
FA27
2F94 998D
FDB5 DE3Dto
F8B5
06E4 A169
4E46 hosts. The
otherwise
forbidden
making
any connections
the firewall
or internal
border router and firewall are also allowed to send logs to the central syslog server.
Finally, inbound ident connections to the email gateway are specifically rejected with
an ICMP port-unreachable packet so that SMTP connections from gateways that use
ident queries don’t hang. Here are the relevant snippets from the firewall configuration
script with additional comments:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßßAàâáãâäAæçèÖãâé6êÖëãÖì
ßßAÿÖããâ"é úð JýAôóëüòõÖøÈù?é)óüöiõ%êÖëÖîF5ôé9JëüùÖë)èäÀöä6ùôúõÀôë)ôøüéüù
ß ýíÿ ð Aà .âæ
ýíÿ
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å ]#å h#å hb
å ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù
ÈòÖéüóôúå ) ]ö õ¼ôë6ô
ä âõ¼ôë)ôä
"!-à .)æ
ýíÿ
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å h#å hb
å ¼÷
å h#
å "!-0à$ =AF19
¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
Key fingerprint
.)æ
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å h5å ) ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 5å h#å h#å ]å $ À÷
å h#
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12 ¼÷
å h#
å
"!-à .)æ
ýíÿ
å h#
å
"!-à.)æ
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12$ ¼÷
å h#
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å h5å ) ¼÷
å h#
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 5å h#å h#å ]å $ À÷
å h#
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12 ¼÷
å h#
å
"!-à.)æ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12 ¼÷
å h#
å
"!-à .)æ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12$ ¼÷
å h#
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã-)%.âæ 6ãâé)fö!è>Èòãóø]öä?øÀô6ø@,6Ahàãø]öúøÀô9æ%)ÈöøÈÿùþáþôäýíB"! A
ßßAàâýáíÿãâäºåð çèÖÀÿAãâé6àêëãÖì .âæ "!<ÿþþýí
ßß<êãâéÖî FøÈùèAëîî6äÖõõôéºøÈùôä)óâùÖëãùÖä)ô
ßúßAàâë6ùá9÷ãâä?õøÀôâóïÖä Öë)ô<ëãòÖ3ã ä)ó¼?)öóéÀøÀöô5;ëÖJ
îcîüäÖ õõôé õ6ä)óûä)óõ
ßúß é6ù ;J
cñõÀïÖé6áÖã)÷ êÖä5ëâ÷÷äâ÷AëüêÖé)ûä ýíÿ
ðð À5ÿ þ ø¼ý÷ íâõ å )å h5å )) "!5þø¼÷ å )
ýíÿ
ýíÿ
ðÀÿ ýí âõ åhå514 "!5þø¼÷å)
ýíÿ
ðð ÀÀÿÿ ýý íí ââõõ åå hh5å5å 14)$ ""!5!5þþø¼ø¼÷÷ åå ))
ýíÿ
ýíÿ
ðAà.å
ýíÿ
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ åå )) ¼¼÷!÷!#å#å hh5å5å hh#å#å hå )å ""!<!<àà ..åå
ýíÿ
Key fingerprint
ýíÿ
ðÀÿ5þø¼÷å) ¼÷!å]å#hå#$ "!<à
.å
ýíÿ
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ åå )) ¼¼÷!÷!åå ]]#å#å 1h4#å hhb
å ""!<!<àà ..åå b
ýíÿ
å
ýíÿ
ðÀÿ5þø¼÷å) ¼÷!å]å#) "!<à
.å
ýíÿ
ð Àÿ ý í âõ å h5å )) ¼÷18å "!
à .å ýíÿ
ð Àÿ ý í âõ å h5å 14 ¼÷18å "!
à .å ýíÿ
ð Àÿ ý í âõ å h5å 14 ¼÷18å "!
à .å ýíÿ
ð
Àÿ ý í âõ å h5
å )$ ¼÷18å "!
à .å ýíÿ
ð À9ÿ :6à ÿà ; )õ 8å h#å )) ¼÷!å 0 C!
à .å ýíÿ
ð À9ÿ :6à ÿà ; )õ 8å h#å 12 ¼÷!å 0 C!
à .å ýíÿ
ð À9ÿ :6à ÿà ; )õ 8å h#å 12 ¼÷!å 0 C!
à .å ýíÿ
ð À9ÿ :6à ÿà ; )õ 8å h#å )$ ¼÷!å 0 C!
à .å ýíÿ
ð è À6ÿAãâä)àûäUã B.å 6ãâé)>è]ö!ÈòãÖóäø]ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)Èö7øÈ;ùâáôWGä "A !
:= 6ãâé)>
ýíÿ
ð ÀÿAà .å C!&;âà :6ý
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
:= >
©
SA
ßßAàâ áãâäºå)çèÖãâé6êëãÖì
ß
ß9øÀó"ä Öëãã ëüù9÷ é)ó÷ä)ó<àé6áôä)óJöë õ6ä6ù÷úãâé)èâèøÈùè
öäõõ6ë)èäõôé î6ä6ùôóëãACõ õ6ãâé)è õ6ä)óâûä)ó4KøÀóäÖëããLN]õãâé)èõ
ë)óä<óé6áôäâ÷Aéüáô!øÈôõ-ãâé)èèøNùè øÈùôä)ó ?ëÖîüä í)ïÖä<êé)ó÷ä)ó
óéüáôä)ó-ïÖë=õJAF19
ùéñãâé6èFA27
èøÈùè 2F94
øNùôä)ó ?998D
ëÖî6Rä *õ6FDB5
é ä5ëDE3D
&
ããâé ãâF8B5
é)èõôé 06E4 A169 4E46
Key fingerprint
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßî6éÈ öýíä&ÿ?â
óéÀö ðøÀôA-õ à?øÈó.õ¼ô5å) ä)ôâïä)óâùÖä)ô øNùôä)ó?ëÖî6ä
ýíÿ
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å]å#) ¼÷
å h#
å "!-]åà å .¼÷å äÖ) õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $åT ]ö õ¼ôë6ôäâõ¼ôë)ôä
ýíÿ
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å ) ¼÷
å h#
å "!-]åàå .¼÷åäÖ) õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ
å h#
å
]åå ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à .å )
ýíÿ
å h#
å
]åå ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à.å)
ýíÿ
ð è À6ÿAãâä)àûä-ã )%.å )6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ),)ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
Key fingerprint
=ÀAF19
ýíÿ
ð
A
ÿ
FA27
à
.å) 2F94
C!<ÿþþ998D
ýí FDB5 DE3D F8B5 06E4 A169 4E46
ßßAàâáãâäºå çèÖãâé6êëãÖì
ß
òÖßAß é6àóô<ä !áäùî¼óô äëø¼÷îÀïÖä6ùë6ôêã)O6äRáÖ*ä)óõüéøüäõhõöÖôôâòºé<ôâî6ïÖé6ùäAûäÀä6öóëõ6ë)øüã-ôø¼èé6ë)ùôõä ÷Öé6ë ù23Nô-øÀïôâïñë6ùè4ë ýíÿ
ð Aà .å ýíÿ
ð Àÿ ù :CÈòÖíâéüýóôú%í åÈå òú ôîÀ"ò!-à ¼÷!.å å ]#å 14
ýíÿ
ð À9ÿ ù È:6òÖà éüÿóôúà ;%åå Èòúô"!-îÀò à À÷!.8åå h#å 12
ýíÿ
ð è À6ÿAãâä)àûä-ã )%.å 6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)ÈöJøÈàùâáôdä þâBí"! A
:= 6ãâé)>
ýíÿ
øâî]öÖ'ò ÈòÖé6óEôð ÈáÀÿAùóà äëÖîNïÖ.ëüêå ã6ä C!<à dþâí Àóä !âäÖî¼Eô 8øÀôâï
~L Outbound Access Rules
©
SA
NS
In
Outbound ICMP is restricted carefully. Echo requests and unreachables are allowed
out, the latter only in response to an inbound connection request. Echo replies to
pings to the VPN gateway are allowed out as well. These are covered by the generic
rules permiting packets belonging to established connections. All other standard types
are blocked. This protects the network from traceroute probes and other types of
reconnaisance. It also prevents most types of inbound ICMP traffic, because if no
outbound request is allowed, no inbound response will be allowed either. Outbound
fragments and TCP Scans are blocked in the same way as for inbound attempts. Here
are snippets from the firewall configuration script with additional comments:
ßßAàâáãâä9çÆä)ôâïì
ß
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ß9;óé6ò öéõ¼ôAôâòÖäÖõé?ñé6áôâêÖé6áù÷ þJý2K@î6äüòôøüé6ùõJë)óä
äÖîÈïÖé-óäO)áÖäõ¼ôõJë6ù÷ þJý<áùóäâëÖîÀïÖë6êÖãâäÖõLeJë6ùñé?Aô)ïÖäÖõ6ä
ô)òÖäÖ`õ ø6ãâã êä5÷âóé6òòÖäâ÷ ê5ô)ïÖäºøföÖòãÖøâîøÀô<÷ä?ë6áã6ôQ;W*
êá9ô &ä ÖëüùôAôé îüë6òôâáóäôâïÖäÀö øÈù ë õÀòÖäÖîø¼ëãJóâáã)ä íâïä)óä<ë)óä<ûä)ó ?ä ºî6ëÖõ6äÖõAøNù ïøâîÀïAôâïÖäõ6ä òÖëÖCî Fä6ôõë)óä
ãÖ8ø Fäã <ôé5ë6òòäë)9ó ?é)óñãâä6èøÀôø]öë)ôäJóäëÖõ6é6ùLõ XÖä øÈùî6ãüá÷ä
õ6éüáóî6Qä O)áä6ùîÀïºøÈùúôâïø)õèâóé6áò<êÖäî6ë6áõ6äñøÈôºîüë6ùúêä-áõ6äâ÷
?é6óñë&;:âð
ß ýíÿ ð úä)ôâ
ï .:üá
ô .6à .
ýíÿ
åå å "!5ð ä)Àÿôâ
ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
ýíÿ
åå "!5ð ä)Àÿôâ
ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ýíÿ
ð Àïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
$
"!5ä)ôâ
ýíÿ
ð =ÀAF19
í üé5
ä)ôâ
ï %998D
Nò!ø)îhFDB5
öÖò DE3D
ø)îhöÖ'ò Àô F8B5
âòÖä 06E4 A169 4E46
Key fingerprint
2F94
$å
"!5ä)ôâ
ïÿ :C.:üíâáýô FA27
.üà .
ýíÿ
$
"!5ä)ôâ
ýíÿ
$
"!5ä)ôâ
ýíÿ
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
å "!5ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
å $
"!5ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
Tå "!5ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
å )
"!5ä)ôâ
æ ý íÿ "!5ð ä)ôâÀïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
å "!5ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
"!5ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
"!5ä)ôâ
ýíÿ
åå å "!5ð ä)À9ÿôâ
ï :6.à:üÿá
ô à.6;à ¼
é5. ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
ýíÿ
åå "!5ð ä)À9ÿôâ
ï :6.à:üÿá
ô à.6;à ¼
é5. ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
ýíÿ
ð Àï9ÿ .:6:üàáÿô .üàà ;¼.é5 ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
$
"!5ä)ôâ
ýíÿ
$å
"!5ä)ôâ
ýíÿ
$
"!5ä)ôâ
ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
æ ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï
ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
ýíÿ ð Àÿúä)ôâï üáô 6à
þNöýýíøÈùÿ áôä ð Àÿúä)ôâï ü6áã)é)ô è6à6ãâä6ûäã
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
fö1ãÖøföøÀô 6ãø]öøÀô
6ã)é)è Èòóä ø Öëâ÷
à üý
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
9: ; ,
E $
"!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E T
"!
.: . .
9: ; ,
E )
"!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E Key fingerprint
998D FDB5 DE3D F8B5 06E4 A169 4E46
"! = AF19
.: FA27
. 2F94
.
.: . .
%
)
"!9
:= E
UB E ? @AV
J 6U;WGA
.: . .
"!Q; :
-2
00
5,
A
The firewall, the email gateway, and the web/portal server also fulfill the role of time
hosts for the rest of the company’s network. They are allowed access to the NTP
ports on nine public NTP servers. Each server synchronizes with three different time
servers. All internal hosts are allowed to use the NTP service on these hosts for time
synchronization. No other access to internet time servers is granted:
©
SA
NS
In
sti
tu
te
20
00
ßßAÿÖããïÖéÖõÀôõJèä)ôAôø]öä&?âóéÀö ôâïÖäÖõ6äúõüä)óûä)óõ
ß ýíÿ ð Aà .
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ å ¼÷
å ]#å h#å hä8å ) ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôø¼é6'ù ÈòÖéüóôúå ]ö õ¼ôë6ôä
#
)õ¼ôë)ô7
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ #å hå#]å#hå$ ¼÷
å)]õ¼#å ôhë)#å ôhä78å ) ¼÷"!<äÖõ¼àôøÈùÖ
#
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å ¼÷
#
)õ¼ôë)ô7
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ #å h#å ]#å hå $ ¼÷
å ]#å h#å h8å ) ¼÷"!<äÖõ¼àôøÈùÖ
#
)õ¼ôë)ôä7
ýíÿ
ð 5þø¼÷ );4
Key fingerprint
ýíÿ
ð =ÀAF19
ÿ :Cíâý FA27
í â2F94
õ å 0998D
FDB5
fö õÀDE3D
ôë)ôä F8B5 06E4 A169 4E46
)õ¼ôë)ôä
Aþø¼÷
ýíÿ <þð ø¼÷Àÿ íâý í âõ å hå hå hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷
ÈòúôîÀò ¼÷!å ]å
Àà ÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
à Àý÷íäÖÿõ¼ôøNùÖë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå ]hö1å õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ <þð ø¼÷Àÿ íâý í hå âõ å
ýíÿ <þð ø¼÷Àÿ íâý í hå âõ å hå hå hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
hå Èò5á÷)ò ¼÷!å ]å
à À÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð 5þø¼÷
]ö õ¼ôë)ôä
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å hå hå ]å fö õÀôë)ôä
à Àý÷íäÖÿõ¼ôøNùÖë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
]ö õ¼ôë)ôä
Èò5á÷)ò ¼÷!å ]å
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã 6ãâé)fö!è Èòãóø]öä øÀô ø 6hàãø]öøÀô ÈöøÈÿùþáþôä ýí
ýíÿ ð ÀÿAà
<ÿþþ ýí
ßßAàâáãâäºTå ÚçèÖãâé6êëãÖì
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
7
"!
)";4
:C # 5 # $ "!
);4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
);4
:C 0 ,
"!
);4
:C # 5 # $ "!
);4
);4 `
#14
'
,
-
C!
.
);4 `
#14
'
,
-
C!
.
);4
9: ; 8 7
"!
)";4
9: ; 5 # # $ 7
"!
)";4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
);4
9: ; 8 7
"!
)";4
9: ; 5 # # $ 7
"!
)";4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
.
6
9)
"!
:= >
-)% > ? @,A %
BA
. "!
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßßAÿÖããâé"AôâïÖäÖõ6äñõ6ä6óûä)óõôé îüé6ùôëÖîÀô õ6äãâäÖîÀôäâ÷3íâýºõüä)óûä)óõ
ß ýíÿ ð Aà .Tå ýíÿ
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å#hå5hå#hå) ¼÷
â
æ $#å ]å )#å " !<à¼÷
ä.õ¼ôåTøÈùÖë6ôøüé6ù'NòÖé6óôúå ]öõÀôë)ôä
)õ¼ôë)ôä7
ýíÿ
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷
å )$)$ ¼÷äõ¼ôøÈùÖë6ôøüé6'
)õ¼ôë)ô7
ä "!<à .Tå ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ
å $
æ
0$
æ hå "!<à¼÷äÖ
õ¼ô.øÈåTùÖë)ôø¼é6'ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ôä7
ýíÿ
8å )2hå $)0 ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
)õ¼ôë)ô7
ä "!<à .Tå ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ
åÀæ hTå hVå " !<à¼÷
ä.õ¼ôåTøÈùÖë6ôøüé6'ù NòÖé6óôúå ]öõÀôë)ôä
)õ¼ôë)ôä7
ýíÿ
)$å#
å ä ]å æ h/
å "!<Àà÷äÖõ¼
ô.øNùÖTå ë)ôøüéü'ù ÈòÖéüóôúå ]ö1õ¼ôë6ôä
)õ¼ôë)ô7
ýíÿ
)$å#
å ]å æ håâb
å "!<à¼÷äÖ
)õ¼ôë)ôä7
ýíÿ
å hå $
å "!<à¼÷äÖ
õ¼ô.øÈTå ùÖë)ôø¼é6'ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ô7
ä æ håâb
ýíÿ
å hå $håâb
å "!<à¼÷äÖ
)õ¼ôë)ôä7
ýíÿ
ð Àÿ :Cíâý %í Èò5á÷)ò âõ #å h5å h#å hå ) ¼÷
â
æ $#å ä ]å )#å " !<à¼÷
ä.õ¼ôTå øÈùÖë6ôøüé6'ù NòÖé6óôúå ]öõÀôë)ôä
)õ¼ôë)ô7
ýíÿ
å )$)$ ¼÷äõ¼ôøÈùÖë6ôøüé6'
ù NòÖé6óôúå ]öõÀôë)ôä
)õ¼ôë)ôä7
"!<à
.åT
ýíÿ
å $
æ ä 0$æ hå "!<à¼÷äÖ
õ¼ô.øÈTå ùÖë)ôø¼é6'ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ô7
ýíÿ
8å )2hå $)0 ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åT
ýíÿ
åÀæ)õ¼ôhë)Tå ô7ä hVå " !<à¼÷
ä.õ¼ôTå øÈùÖë6ôøüé6'ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ
)õ¼ôë)åôå ä ]å æ hå <Àà÷äÖõ¼ôøNùÖå ë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å hå hå hå ¼÷
)õ¼ôë)åôå ä ]å æ håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
å )õ¼ôhë)å ôä æ håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
å )õ¼ôhë)å ôä håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð 5þø¼÷ å
ýíÿ <þð ø¼÷Àÿ 6à ÿå à )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ æ å hå å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å æ âæ hå
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ å ]å
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!åÀæ hå hå
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ åå hå æ hå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ åå hå æ håå
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å hå æ håå
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å hå håå
Àà ÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð 5þø¼÷ å hå
ýíÿ <þð ø¼÷Àÿ 6à ÿå à hå )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
)$ # /
'
7
"! . T
:C %
# 5 # ) )$ # b
'
7
"! . T
:C %
# 5 # ) $ b
'
7
"! . T
:C %
# 5 # ) $ b
'
7
"! . T
) V[
9: ; 8 #12 "!
) f[
9: ; 8 #12 "!
) f[
) V[&
$ # 8) #
E
8 3
"!
. T
) V[&
)0$)$
E
8 3
"!
. T
) V[&
$ $ E
8 3
"!
. T
) V[&
)4 $)
E
8 3
"!
. T
) V[&
T
0 T
E
8 3
"!
. T
) V[&
)$0 # 8 '
,
-
C!
. T
) V[&
)$0 # 8 '
,
-
C!
. T
) V[&
$0 '
,
-
C!
. T
) V[&
$0
'
,
-
C!
. T
) V[
9: ; 8 #12 "!
) f[
9: ; 8 #12 "
!
)
f
[
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ æ å hå å
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å æ âæ hå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ å ]å
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!åÀæ hå hå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ åå hå æ hå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ åå hå æ håå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å hå æ håå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å hå håå
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
) V[ `
$ # 8) #
E
8 3
"!
. T
) V[ `
)0$)$
E
8 3
"!
. T
) V[ `
$ $ E
8 3
"!
. T
) V[ `
)4 $)
'
,
-
C!
. T
) V[ `
T
0 T
E
8 3
"!
. T
) V[ `
)$0 # 8 '
,
F8B5
C!
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D
06E4 A169 4E46
. T
) V[ `
)$0 # 8 '
,
-
C!
. T
) V[ `
$0 '
,
-
C!
. T
) V[ `
$0
'
,
-
C!
. T
. T
%
<)
"!
:= >
-)% > ? @,A T6
BA
. T C!
In
sti
tu
te
The email gateway is allowed to contact internet mailservers to conduct SMTP transactions. It also runs a caching-only DNS service to improve its mail-handling response
time and serves as a forwarder for our internal nameserver so it doesn’t have to contact internet nameservers directly. The email gateway DNS service is allowed to contact internet DNS servers for name resolution. The internal nameserver is allowed to
contact the email gateway to forward queries it cannot resolve on its own:
©
SA
NS
ßßAàâáãâäQÎçèÖãâé6êÖëãÖì
ß
ß9ä@üî6öä6òëô<øüãôèé9ë)ô?äøÀóäë Ö5ëëããã ãâé"Öäâ÷AëÖîîüäÖõõôé&?é)óÖë)ó÷öëÖø6ãL*
ß ýíÿ ð 5þø¼÷ âæ ;
)
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò ]ö5öÖáã6ôøÈòÖé)óô âõ å hå514
¼÷äÖõ¼ôøÈùë)ôøüé6E
ù ÈòÖé6óâôgõ $R*
)$R*+$ ]ö õ¼ôë)ôä âõ¼ôë)ôä3
"!Aþø¼÷æ;
)
ý íÿ
ðÀÿ ýí6Èòúá÷)ò âõ åhå514
þÀøÀ÷÷äÖõ¼ô
øNùÖë)æô;
)øüéü0ù' ÈòÖéüóô-$ ]ö õ¼ôë)ôäâõ¼ôë)ôä3 "!
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô )õ
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòé)ó)ôõ($R*)$R*+$ ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!Aþø¼÷æ;
)
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12
þÀøÀ ý÷÷ íäÖÿõ¼
ô
øNùÖë)æð ô;
À)øüÿ5éü0'ù þÈòÖø¼÷ éüó-ô $âæ ;
])ö õ¼ôë)¼ô÷!ä #å hâ5å õ¼hô#å ë)hôå 3ä) "!<à"! í à
ýíÿ
ðÀÿ5þø¼÷âæ;
) ¼÷!å#hå5hå#å "!<àíà
ýíÿ
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ ââææ ;
;
)) ¼¼÷!÷!åå ]]#å#å h14#å h$b
"!<à í à ýíÿ
å
"!<à í à ýíÿ
) ¼÷!å]å#hå#håb"!<àíà
ýíÿ
ðð Àÿ5Aàþø¼÷ ..âæ ;
) ¼÷!å ]#å ) "!<à í à ýíÿ
ýíÿ
ð .Àÿ5þø¼÷ âæ ;
) ]ö õ¼ôë6ôä âõ¼ôë)ô3ä "
<
!
à
.
ýíÿ
ð è À6ÿAãâä)àûä-ã )%..6ãâé)>è ]ÈöpòóãÖä ?ø]öiø @,øÀ6ô Ahà6ãÖ9ø]öiBøÀ9ô )ÈöiÿþøÈùþ áýôBíä CA !
:= 6ãâé)>
ýíÿ
ßßAàâáãâ9ä )ð çèÖãâÀÿAé6êÖàëãÖì .. "!<ÿþþ ýâí
ß
ß ùôä6óâùÖë7ã ;ðöëÖõ¼ôä)ó îüë6ù ?é)ó Öë6ó÷<é6áôõø¼÷Qä O)áä)óøüäÖõôé
î6ëîÀïøÈù>è üé6ùã 7;ð õ6ä)óâûä)ó5é6ùñäÀöëÖø6ã èë)ôä ë 4 ôºîüë6ù
ëãõ6&é ?é)ó Öë6óQ÷ hé6ùä-áâò÷ë)ôäùé)ôCø ?ø)î6ë)ôøüéüùLõ iÖëÖõ¼ôø¼é6ù
ïÖëÖéõ7õ¼Öôäõãâáãõ6 ä5äÀöëÖø6ãèë)ô"ä Öë 5ëÖõJôâïÖäÖøÀó<òóø]öë6ó Q;ð õ6ä)óâûä)ó
ß ýíÿ ð Aà .)
ýíÿ
å ¼÷!å h5å 14
ù
ÈòÖé6óâ3
ô
$ ]öõÀôë)ô,
ä
âõÀôë)ôä "!
à
.)
ýíÿ
ð Àÿ :Cù ÈíâòÖý é6óâ%í 3ô È$ò5 á÷)]òöõÀâôõë)ôå,ä ]#åâõÀh#åôë)hb
åô-ä ¼÷! å "h5å!<14à .)
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $hå À÷
å h#
å 14"!-0 à¼÷.)äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å )hå $ À÷
å h#
å
ù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
"!-à .)
ýíÿ
å h#
å
"!-à.)
ýíÿ
å h#
å 14"!-0 à ¼÷.)äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ
ð =ÀAF19
ÿ :6à ÿFA27
9
à ;%Èòú2F94
ôîÀò 998D
)õ 8å h#
å 12 DE3D
¼÷ F8B5 06E4 A169 4E46
Key fingerprint
FDB5
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò )õ
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò )õ
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã 6ãâé)fö!è Èòãóø]öä øÀô ø
ýíÿ ð ÀÿAà
<ÿþþ ýí
]öõÀôë)ôä )õ¼ôë)ôä
å hå ¼÷
å hå
¼÷
å hå hå À÷
å hå hå À÷
å hå hå ¼÷
å hå hå ]å À÷
å hå ¼÷
å hå ¼÷
å hå
¼÷
6hàãø]öøÀô ÈöøÈÿùþáþôä ýí
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
#140 E
Q$ "! .)
9: ;%
8 #12 #140 E
Q$ "! .)
9: ;%
8 #12$ #140 E
Q$ "! .)
9: ;%
8 #$ #140 E
Q$ "! .)
9: ;%
8 #) $ #140 E
Q$ "! .)
9: ;%
8 # 5) #140 E
Q$ "
!
.
)
9: ;%
5 # # $ #140 E
Q$ "! .)
9: ;%
8 #12 #140 E
Q$ "! .)
9: ;%
8 #12 #140 E
Q$ "! .)
9: ;%
8 #12$ #140 E
Q$ "! .)
.)
6
9)
"!
:= >
-)% > ? @,A )%
BA
.) "!
In
sti
tu
All internal systems are allowed to perform pings, traceroutes, and whois queries to
internet hosts for network troubleshooting, but FTP and web requests must go through
the web proxy. No direct connections to internet hosts are allowed. Requests that the
web proxy can’t cache are simply passed through it:
©
SA
NS
ßßAàâáãâäAæçèÖãâé6êÖëãÖì
ß
ß&ßúÖää@6ê5î)ã¼ýáó÷éä<@5÷ëÖîîüéäÖäÖõõõôëéãã-òÖ÷é)óâøÈôóäÖõ î¼é6ô ùñî6ô)éüùïÖùÖä&äÖ?î¼ôøÀóøüäé6ù-ëôãéºã øÈùôä)óâùÖä6ô3Öä6êS?âôâò õ6ä)óâûä)óõLMÖäAä@âòãøâîøÀôÖã"
ß ýíÿ ð 5þø¼÷ )âþ;4
ýíÿ
ðÀÿ ýí6ÈòñôîÀò
]ö5öÖáã6ôøÈòÖé)óô âõ åhå5$håT ¼÷äõ¼ôøÈùÖë6ôøüé6ù'Nòé)ó)ôõ(å'*+L*+R*
]öõÀôë
ýíÿ
ð
À9
ÿ
:6à ÿà ;%ÈòúôîÀò
fö5öáã6ôøÈòé)óô )õ å8hå#$håT ¼÷äÖõ¼ôøÈùÖë)ôø¼é6ù'Èòé)óâôõ(åE*+R*+R*
]ö õ
ýíÿ
ð
Àÿ5þø¼÷ )âþ ;4 ¼÷!#
å h5åå5hh#åå#hå )åDE3D
"!<àíà
Key fingerprint
=ÀAF19
ýíÿ
ð
ÿ5þø¼÷FA27
)âþ2F94
;4 998D
¼÷!å#hFDB5
"!<àF8B5
íà 06E4 A169 4E46
ýýííÿÿ
ððÀÀÿ5ÿ5þþø¼ø¼÷÷)â)âþþ;4;4 ¼¼÷!÷!åå]]å#å#h14å#h$åb""!<!<ààííàà
ýýííÿÿ ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ )â)âþþ ;4;4 ¼¼÷!÷!åå]]å#å#h)å#håb""!<!<ààííàà
ýýííÿÿ ðð ÀAÿ5àþø¼÷ .âæ.)âþ ;4 ]ö õ¼ôë6ôäâõ¼ôë)ôä3 C!<à.âæ.
ýýííÿÿ
ððÀÀÿAÿAàà.â.âææ.. "!<]öpÿþãÖþø]öiýâøÀô6í 6ãÖø]öiøÀô9)ÈöiøÈùáôäC!9:= 6ãâé6èE6ãâä)ûäã-)%6ãâé6èEÈòóä?ø@%Ahà5æ%
ßßAàâáãâäºå çèÖãâé6êëãÖì
ß
ßúëããâ"é Aôóé6áêÖãâäÖõÀïÖéâé)ôøÈùè ë6ù âôâïøÈùQè ?âóéÀö øÈùôä)óâùÖëãïÖéÖõ¼ôYõ íâïÖQä Pý Aèë6ôä Öë N]õ
ß<òáêãøâîAøÈùôä6ó ?ëÖî6ä5øâõñøNùî)ãüá÷äâ÷ñøÈù5ôâïø)õ<ãøâõ¼ô<êÖäÖî6ëüáõ6-ä ÖäJöë <ùÖää)÷AôéA÷é
ßAß&ôóøÀôâé6ïáâêãâ ýäÖðõÀïäÖéî é)ôøÈùè é ?5ôâïä-òë)óä6ùô øNùôä)ó ?ëÖî6äôéA÷ä)ôäÖî¼ô õ6é6áóî6ä<é ?<òóé6êÖãâäÀöiõ
ß ýíÿ ð Aà .å ýíÿ
ðÀÿ ýí6Èò1ø)îhöÖò
âõ å0 øâîhöÖòEÀôâòÖä-
]öõÀôë)ôä)õ¼ôë)ôä3
"!-à
.å
Key fingerprint
=ÀAF19
998D
ýíÿ
ý FA27
ð
ÿ
í
6
Èò12F94
)
ø
h
î
Ö
ö
ò
âõ #
å
hFDB5
å
5
h#
å
DE3D
âøâîhF8B5
Ö
ö
ò
'
Èô âòÖ06E4
ä
A169
fö4E46
¼
õ
ô
)
ë

ô
ä
,
âõ¼ôë)ôä
"!Aà .8å ýíÿ
ð Àÿ ý 6í Èò1ø)îhöÖò ââõõ åå]]#åå#h)#å )$ ø)ø)îhîhöÖöÖ'òò'ÀÀôôâòâòÖÖ3ää3 ]]öö õ¼õ¼ôôë)ë)ôôääââõ¼õ¼ôôë6ë6ôô3ää3 ""!-!-àà
..åå
ýíÿ
ðÀÿ ýí6Èò1ø)îhöÖò
ýíÿ
ðð ÀÀÿÿ ýý 6í6í ÈÈòñòñôôîÀîÀòò ââõõ å#å h#å ]#å âõü)é6õ6áé6áóóî6äîüSäÈòÖÈòÖé)óé)óâô ô å å 24j)j)$$$$$ $ ¼÷¼÷äÖäÖõ¼ôõÀôøÈùÖøÈùÖë)ôë)ôø¼é6øü'ùé6'ùÈòÖÈòé6óâé6óUô Uô ]ö1]ö õ¼ôõ
ýíÿ
ýíÿ
ðÀÿ ýí6ÈòñôîÀò
âõ åhå5hå#) âõ6é6áóî6äSÈòé)óôñå4j0)$$$ ¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòÖé6óâô7 ]öõÀôë
ýíÿ
ð
Àÿ ý 6
í
ÈòñôîÀò
âõ å h5
å )$ âõ6é6áóî6Sä Èòé)óôñùå ÈòÖ4éüój0)-ô $$
$ 2j¼÷äÖ$õ¼ô øÈùfë)öôøüõ¼é6ôEù ë)ÈôòÖ,äé6óâ7ô âõ¼ô ë)ô]-ä öõÀôë
ýíÿ
ð
Àÿ ý 6
í
Èòúá÷)ò âõ å À÷äÖõ¼ôøNùÖë)ôøüéü'
ýíÿ
ðÀÿ ýí6Èòúá÷)ò âõ å#hå#]å#
¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòÖé)ó)ô3
4j0$ ]ö õ¼ôë)ôäâõ¼ôë6ôä3
ýíÿ
ðð ÀÀÿÿ ýý 6í6í ÈÈòúòúáá÷)÷)òò ââõõ åå hh5å5å h)#å )$ ¼¼÷÷äÖäÖõÀõÀôôøÈøÈùÖùÖë)ë)ôôøüøüé6é6'ù'ù ÈÈòòé6é6óó-ô-ô 44jj$$ ]]öö õ¼õ¼ôôë)ë)ôô,ä,ä ))õ¼õ¼ôôë)ë)ôô7ä7ä ýíÿ
ýíÿ
ðÀÿ:Cíâýí%Èò!øâîhöÖò
)õ å8 øâî]öÖò'Àô)òÖä3
]ö1õ¼ôë)ôä%âõ¼ôë)ôä-
"!<à.å
ýíÿ
ð
À
ÿ
:Cíâý %
í
Èò!øâîhöÖò
)õ 5
å
h#
å
h#
å
0
øâîhöÖE
ò
Àô âòÖä
]öõÀôë)ô
ä
)õ¼ôë)ô3
ä
"!-à .å ýíÿ
ð Àÿ :Cíâý %í Èò!øâîhöÖò ))õõ 8åå8hh#åå#h)5å )$ ââøâøâîhîhöÖöÖ'òò'ÈÈôôâòâòÖÖ-ää- ffööõ¼õ¼ôôë)ë)ôô,ää,ââõ¼õ¼ôôë)ë)ôô-ää- ""!A!Aàà..8åå8
ýíÿ
ðÀÿ:Cíâýí%Èò!øâîhöÖò
ýíÿ
ðð ÀÀÿÿ :C:Cíâíâýý %í%í ÈÈòúòúôôîÀîÀòò ââõõ å#å h5å 0h#å )õ6âé6õ6áé6áóóîüSäî6SäÈòÖÈòÖé)óâé6óô ô å 8å 44j)j$)$$$$$ ¼÷¼÷äÖäõÀôõ¼ôøÈùÖøÈùÖë)ôë6ôøüé6øü'ùé6'ùÈòNòé6óé)Uôó)-ô ]ö fö õ
ýíÿ
ýíÿ
ðÀÿ:Cíâýí%ÈòúôîÀò
âõ å]å#hå#) âõüé6áóî6äÈòÖé)óô å2j)$$$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6ù'ÈòÖé6óâôU
]ö1õ¼ô
ýíÿ
ð
À
ÿ
:Cíâý %
í
ÈòúôîÀò
âõ å ]#
å )$ âõüé6áóî6ä ÈòÖé)óô ùå Èò2é)óâj)3ô $$
$ 4j¼÷äÖ$õ¼ô øÈùÖë)]öôø¼õÀé6ô'ù ë)ÈôòÖäé6óâUô )
õ¼ô ë)ô3ä]ö1õ¼ô
ýíÿ
ð
À
ÿ
:Cíâý %
í
Èò5á÷)ò
âõ å 0 ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ýíÿ
ðÀÿ:Cíâýí%Èò5á÷)ò
âõ å#hå5hå# À÷äÖõ¼ôøNùÖë)ôøüéüù'ÈòÖéüóô-
2j$ föõ¼ôë)ôä,âõ¼ôë)ôä-
ýíÿ
ð
À
ÿ
:Cíâý %
í
Èò5á÷)ò
âõ å ]#
åå h)#å )$ ¼¼÷÷äÖäÖõ¼õ¼ôôøÈøÈùùë)ë)ôôøüøüé6é6EùEù ÈÈòÖòÖé)é)ó)ó)3ô3ô 44j0j0$$ ]]öö õ¼õ¼ôôë)ë)ôôää ââõ¼õ¼ôôë6ë6ôô3ä3ä ýíÿ
ð
À
ÿ
:Cíâý %
í
Èò5á÷)ò
âõ å ]#
ýíÿ
ðÀÿ9:6àÿà;%Èò!øâîhöò âõ å0 ø)îhöÖò'ÀôâòÖä3
]ö õ¼ôë6ôäâõ¼ôë)ôä3
C!Aà
.å
ýíÿ
ð
À9
ÿ
:6à ÿà ;%Èò!øâîhöò âõ #
å
h#
å
h5
å
øâî]öÖ'
ò
Àô )òÖ3
ä
]ö1õ¼ôë)ô%
ä
âõ¼ôë)ôä
"!<à .å ýíÿ
ð À9ÿ :6à ÿà ;%Èò!øâîhöò âõ å h#å ]#å ) øâîhöÖEò Àô âòÖ-ä ]]ööõÀõÀôôë)ë)ôôää))õ¼õ¼ôôë)ë)ôô3ää3 ""!-!-àà
..åå
ýíÿ
ðÀÿ9:6àÿà;%Èò!øâîhöò âõ åhå#0)$ øâîhöÖòEÀôâòÖä-
ýíÿ
ðð ÀÀ9ÿ9ÿ :6:6àà ÿÿàà ;%;%ÈÈòúòúôôîÀîÀòò ))õõ 8å5å h#å h#å 0
âõ6âé6õ6áéüáóóî6Säî6SäÈòÖNòÖé6óé)óô ôñ8å å 42j)j)$$$$$ $ ¼÷À÷ääÖõ¼ôõ¼ôøÈùÖøNùÖë6ôë)ôøüé6øü'ùéü'ù NòÈòÖé)ó)éüó-ô Uô fö ]ö
ýíÿ
ýíÿ
)õ å8hå#hå5) )õ6é6áóîüäSÈòÖé)óâô å4j)$$$ ¼÷äÖõÀôøÈùÖë)ôøüé6ù'Èòé6óôU
]ö õ
ýíÿ
ð
À9
ÿ
:6à ÿà ;%ÈòúôîÀò
)õ 8å h#
å )$ )õ6é6áóîüSä ÈòÖé)óâô ùå NòÖ4é6ój)-ô $$
$ 4j¼÷äÖ$õÀô øÈùÖë)]ö1ôøüõ¼é6ô'ù ë)Èôò%äé6óUô â
õ¼ô ë)ô-ä]ö õ
ýíÿ
ð
À9
ÿ
:6à ÿà ;%Èò5á÷)ò
)õ 8å ¼÷äõ¼ôøÈùÖë6ôøüé6'
ýíÿ
ðÀÿ9:6àÿà;%Èò5á÷)ò
)õ å5hå#hå#0
¼÷äÖõ¼ôøÈùÖë)ôø¼é6ù'Èòé)óâô3
4j$ ]öõÀôë)ôä)õ¼ôë)ôä3
ýíÿ
ð
À9
ÿ
:6à ÿà ;%Èò5á÷)ò
)õ 8å h#
å#å h)5å )$ ÀÀ÷÷äÖäÖõ¼õ¼ôôøNøNùÖùÖë)ë)ôôøüøüéüéü'ù'ù ÈÈòÖòÖéüéüóó-ô-ô 22jj$$ ffööõ¼õ¼ôôë)ë)ôô,ä,ä ââõ¼õ¼ôôë)ë)ôô-ä-ä ýíÿ
ð
À
ÿ
9
6
:
à
ÿ
à
%
;
È
5
ò

á
)
÷
ò
)
õ
å
8
h
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ýýííÿÿ
ððÀÀÿAÿAàà..åå C!<]ö!ÿ þãÖþø]öýøÀô%í 6ãÖø]öøÈô<)ÈöøÈùâáôä"!9
:= 6ãâé)èEüãâä)ûäã7)66ãâé)èENòóä?ø8@,ANà!å,
The Oracle database cluster is allowed to contact a remote payment processor listening on TCP port 4999. These communications are encrypted using SSL. The cluster
always
initiates this contact:
k
rr
eta
ins
f
ull
rig
ht
s.
ßAß àâáãâä9$çèÖãâé6êÖëãÖì
ß:6óëÖî6ãâ3ä ;ë)ôëüêÖëÖõ6ä-ðâä)óûä)ó5ëããâéÖä)÷-ôé îüé6ùôëÖîÀô
Däâë)óôÖãâëüù÷ ýë ¼öä6ùôAð õ¼ôäÀö_õðäÖîÀáóä ýóéÖî6äõõ6é)ó-ûøüë
íß Sð üä6ùîÀó âòôä)÷AîÀïë6ùùÖäRã ýíÿ
ðAà.$
ýíÿ
ð Àå 9ÿ :6¼à÷ÿäÖõ¼àô;%øÈùë)Èòúôøüôé6EùîÀò ÈòÖé))ó)õ7ô 8å ææhæ#å "h!-å à À÷ .$
å
#
]å h8å h/
Key fingerprint
2F94
ýíÿ
ð =è À6AF19
ÿAãâä)àûä-ã FA27
.$
fö!ãø]ö998D
øÀ6ô 6ãFDB5
ø]öøÀ9ô )DE3D
ÈöøÈùáôF8B5
ä "! 06E4 A169 4E46
:= 6ãâé)>
)%6ãâé)>
è
Èòóä ?ø @,Ahà $%-;WGA
ýíÿ
ð ÀÿAà .$ "!&;à :üý
ho
Finally, we allow the network management station to perform SNMP queries to inwardfacing interfaces on the firewall, border router, and DMZ hosts:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ßßAàâáãâäºåçèÖãâé6êëãÖì
ß
ôß9ß é5Jë6ëùÖãë6ãèùÖäÀöä6ôä6Öùôúé)óFAõ¼ô÷ë6ôä)ûøüé6øâùúî6äëõ ãâãâéÖäâ÷-ôé-òä)ó?é)ó¼ö ðJý<O)áÖä6óøüäÖõ
ýíÿ
ð Aà .å ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ å h5å $ ¼÷!åhå5hå#hå
à
¼÷.äÖåõ¼ôøÈùë)ôøüé6Eù ÈòÖé6óâôñ8å )å ]ö õ¼ôë)ôä âõ¼ôë)ôä3 "!
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å h5å $ ¼÷!å hå5hå#hå
à
¼÷.äÖåõ¼ôøÈùë)ôøüé6Eù ÈòÖé6óâôñ8å )å ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $ À÷
å h#
å h"#å !-0) à¼÷.äÖåõ¼ôøÈùë)ôøüé6Eù Èòé)ó)ô 8å )å ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
ýíÿ
å]#å h#å "h!-8å à$ .¼÷å äÖ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå )å ]ö õ¼ôë6ôä âõ¼ôë)ôä
#
ýíÿ
å h#
å
ù Èòé)ó)ô 8å )å ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!-à.å
ýíÿ
å h#
å 14"!-0 à ¼÷.äÖå õ¼ôøÈùë)ôøüé6Eù Èòé)ó)ô 8å )å ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
Key fingerprint
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò )õ å hå
À÷
å hå -à ¼å ÷äÖõÀôøÈùÖë)ôøüé6ù Èòé)óôúå å fö õÀôë)ôä âõÀôë)ôä
À÷
å hå hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
À÷
å ]å hå h-å à ¼÷å äÖõ¼ôøÈùÖë)ôø¼é6ù ÈòÖéüóôúå å ]ö õ¼ôë6ôä âõ¼ôë)ôä
À÷
å hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
À÷
À÷
ut
Network Address Translation Rules
5,
A
~L{
ho
rr
eta
ins
f
ull
rig
ht
s.
9: ;%
8 #$ #140$ '
)
,
"! . 9: ;%
8 #$ # #0) E
8)
%
"! . 9: ;%
8 #$ # # # 8$ '
)
"! . 9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #
1
4
0
$
'
) FDB5
,F8B5
Key fingerprint = AF19 FA27 2F94 998D
DE3D
06E4 A169 4E46
"! . . %
<)
"!
:= >
-)% > ? @,A ,
BA
. C!
NS
In
sti
tu
te
20
00
-2
00
The firewall performs network address translation on all outbound packets from private addresses. It selectively performs NAT on inbound packets also. Since the DMZ
uses RFC 1918 addressing, NAT has to be performed on all packets from or to the
DMZ in order for connections to be sustained. If no NAT is performed on an inbound
connection attempt, the packet(s) will be sent back out the firewall’s public interface
and dropped by the border router’s anti-spoofing rules. If NAT is performed, the rest
of the firewall ruleset will be applied to the packet with its new destination address.
Performing NAT on all packets sent to DMZ hosts improves the accuracy of logging,
because denied packets will be logged by the firewall for the real reason they were
dropped. Inbound syslog packets from the border router are sent to the syslog port
on the firewall’s public interface. The destination IP address of these packets is translated to that of the central logging server. Outbound NTP queries from the web/portal
server and email gateway and DNS queries and SMTP connections from the email
gateway are translated to their public IP addresses. All other outbound connections
are translated to the firewall’s public IP address:
©
SA
ßß âà áã)ä&çaÿíì
ß
ß9ÿíúé6áôâèéøÈùè-ùôâò5óäO)áÖäõ¼ôõU?âóéÀö ôâïÖä3Öä6êS¼òÖé)óôëã
ëâõ6÷âä6ó÷âóûäÖä)óõõ NfGõ N òáêÖãÖøâZî N%øNùôä)ó ?ëÖî6äôé øÀôõòáâêãÖøâîAøÈùôä)óâùÖä6ô
ýíÿ
=¼éú
ð =ÀAF19
ô<ùÖë)Bô FA27
ÀÿA
ý :âð62F94
íà :Cí 998D
ä)ô)
ï l%DE3D
ÈòñôîÀò F8B5
âõ 06E4 A169 4E46
Key fingerprint
FDB5
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
åå#]å#hå#140
¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòé)ó)ô å8,"!úðÿí%ÀôéSâõ6é6áóî6ä
ýíÿ
ð Àô<ùÖë)ôBÀÿAý:âð6íà:Cí =¼éúä)ô)ï
l%Èòúá÷)ò âõ
å h#
åß ]#å å 140
¼÷äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)ô 8å ,"!úð ÿ%í ÀôSé âõ6é6áóî6ä
#
ßß àâáã)ä åaç ÿíì
ß9ÿíúëããAëãã)é Öäâ÷<éüáôèéøNùè-óä O6áÖäÖõ¼ô7õ ?)óéÀö äÀöëÖø6ã
èë6ôä Öë N]Gõ N òáâêãÖøâZî N3øÈùôä)ó ?ëÖî6äôé øÈôõòâáêãÖøâîAøNò ë)÷÷âóäÖõâõ
ýíÿ
ð Àô<ùÖë)Bô ÀÿAý :âð6íà :Cí =¼éúä)ô)
ï l%ÈòñôîÀBò ]ö
öÖáÖ$Lã6*ô
)øÈòÖ$Ré6*aó$ôR*Èå )õ9"å !5hð#å 1ÿâ4Bí 0 ÀôSé¼÷âäÖõüé6õ¼áôóøÈùî6ë)ä5ô#åøüé6hEù5å Èòé)ó)ôåõ
ýíÿ
ï l%Èòúá÷)Bò ]ö
öÖ"áÖ!5ã6ôðøÈòÖÿâí%é6óôÀôéS)õ)õ6é6å áóh#åîüäñ14å#0 hå5¼÷äÖõ¼å ôøÈùë)ôøüé6Eù Èòé)ó)ô(õ $R*È8å ßß àâáã)&ä =aç AF19
Key fingerprint
ÿíì FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ß
ß ÖäA÷é62ù NôA÷9é ÿâíñéüù1øÈùôä)óâùÖëãêÖé @äõô)ïÖë)ô<ôó 5ôé-ïøÀô
&
ôâïä-òâáêãÖøâîë)÷÷âóäÖõâõ6äÖõJé ?AôâïÖ&ä ?øÈóä Öëãâã é)<ó ;J
c
õ6ä6óûä)óYõ #íâïÖä 9ø6ããJêÖä5ë6êãâä-ôé<óäëîÀïAôâïÖ&ä ?øÀóä Öëãã
çNø ?úëããâé Öä)÷(ì øÀô)ïÖé6á&ô ÿâ4í íâïÖä<óâáã)äÖõêÖäãâ"é úô)ïÖë)ô
ïÖùÖëüä6ùôÖ÷é)ãâóä<F2ëÖ îâî6äÖõõôé<ôâïÖQä ;Jc õüä)óûä)ó7õ ?âóéÀö øÈùõø¼÷ä ôâïÖä
ýíÿ
ð Àô<ùÖë)Bô íÀÿAýÀô:âð6Sé í)àõ6:Cé6áíóîüäñ=#å ¼héú5å hä)#å ô)hï å ) âõ
å 0<C!úð âÿ6
ßß àâáã)&ä aç ÿíì
ß
ß ÿíúëãã øÈùîüéÀöøÈùèòÖëÖCî Fä6ôõôé<ôâïÖäAäÀöëÖø6ã èë)ôä ë <ôé
9
ôâïä-òóøÀûë)ôäñøÈò ë)÷÷âóäÖõâõJé6ù!øÀôIõ N òáêÖãÖøâZî N%øNùôä)ó ?ëÖî6ä
ýíÿ
ð À÷Àô<äÖõ¼ùÖôë)øNBôùÖë)ÀôÿAøüé¼ýù à â8å à:Ch#å í 12 = ¼÷15å h#å 0_7å C!
;âÿ6
í
ÀôS
é
ßß àâáã)ä3Îçaÿíì
ß
ò9ß óøÀÿûíºë)ôä5øÈùøÈîüòéÀöë)øÈ÷ù÷âè-óòäÖëÖõâCîõFéä)?pôõøÈôôQéõIÖN òä6Sêáêüòãé)øâóîZôN%ëøÈã-ùôõ6ä)ä)óóû?ä)ëó<î6ä ôé
ýíÿ
ð À÷Àô<äÖõ¼ùÖôë)øNBôùÖë)ÀôÿAøüé¼ýù à â8å à:Ch#å í 12 = ¼÷15å h#å 0
<C!
;âÿ6
í
ÀôS
é
ßß àâáã)&ä $aç ÿíì
ß
ß?øÈóÿä ÖíºëøÈãâù-ã îü?âéÀöóéÀøÈöùè-ôâïòä-ëÖCî êFé)ä)óô÷õä)ôó<é<óôâé6áïÖô-ä ä)
ó<;ôý éACõ ôâõï6äãâé)è-õ õòÖ)é)ãâóâé)ôñè éüõüùñä)óôâûïä)2óä 9
ýíÿ
ð Àô<ùÖë)Bô ÀÿAýà âà :Cí = Nòúá÷6ò âõ 5å h#å h#å ]å $
¼÷!#
å h#å ]#å hå )<¼÷äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óâ3ô $Tå 6"!&;ÿâí
ÈôéS¼÷äõ¼ôøÈùÖë6ôøüé6ùñå]å#håâå
~Lam
Logging Rules
ull
rig
ht
s.
By default, all rules get logged with a limit of at most 1 entry for each unique packet
type every 10 seconds at level ’info’ with the prefix ’Rule [rule number] – [Action].’ All
packets that are dropped are logged at level ’warn’ or higher. Explicitly denied ICMP
packets are logged with the custom prefix ’Bad ICMP – Deny.’ Denied fragments are
logged at level ’alert’ with the custom prefix ’FRAG – Deny.’ TCP Scan packets are
logged with the custom prefix ’TCP Scan – Reject.’ IKE, ESP, and AH packets bound
for the VPN gateway are logged with the custom prefix ’IPSEC – Accept.’ The selected
example snippets from the firewall configuration script below display only the logging
rule. See B for the full surrounding context.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ß ;óé6ò öéõ¼ôAôâòÖäÖõé?ñé6áôâêÖé6áù÷ þJý2K@î6äüòôøüé6ùõ
9
ë)óä5äîÀïÖé-óäO)áäÖõ¼ôõJëüù÷ þJý-áùóäëÖîÀïÖëüêãâäÖõLeJëüùúé?
ôâïäÖõ6ä ôâòäÖõUø6ããêÖä<÷âóéüòòÖäâ÷ ê5ôâïÖä ø]öòãÖøâîøÈô<÷ä?ëüáã6ô
;W*êá9
ô Ö3ä Öë6ùô5ôé î6ëüòôâáóä ô)ïÖäÀö1øÈù ë õÈòÖäÖîøüëãóâáãâä
â
í

ï
)
ä

ó
<
ä
)
ë

ó
ä)ó ?ä FA27
ºî6ëÖõ6äÖ
õAøNù 998D
ïøâîÀïAFDB5
ôâïÖäõ6ä DE3D
òÖëÖîCFä6ôF8B5
õë)óä 06E4 A169 4E46
Key fingerprintä<
=ûAF19
2F94
ëß&õ6éü;áó:âðî6Qä O)áä6ùîÀïºøÈùúôâïø)õèâóé6áò<êÖäî6ë6áõ6äñøÈôºîüë6ùúêä-áõ6äâ9÷ ?é)ó
ýíÿ
ð úä)ôâ
ï .:üá
ô .6à .
ýíÿ
ð Àÿúä)ôâ
ï .:üá
ô .6à . fö1ãÖøföøÀ%ô 6ãø]öøÀ<ô )NöøÈùáôä "!
:= 6ãâé)è>6ãâä)ûäãUB6ãâé)è>Èòóä?ø@,AfÖëâ÷ þJý67;W_A
ßßAàâ áãâä9çÆä)ôâïiå)ì
ß
òßAß áâêÿÖããÖãâøâ"éîAºøÈùøÈùôôä)óä)ó)?ùÖëä)î6ô-ä3ïÖ?éÖé)óõÀôõýôðéäÖîLî6 é6ùùÖäî¼ô-ô&é Pý Aèë)ôä Öë Nfõ
ýíÿ
ð 5þø¼÷ )ææ ýíÿ
ð
Àÿúä)ôâï_Cå . S
ù .üà .. ]ö1ãø]öøÀ%ô üãÖø]öøÀ<ô )ÈöøÈùáôä "!
:= 6ãâé)è>6ãâä)ûäã-)%6ãâé)è>Èòóä?ø@,A ýðþ,ÿþâþýí5A
ßßAàâ áãâä9çèÖãâé6êÖëãÖì
ß
ß<êãâéÖî F9?âóë)èüöä6ùôLõ Móë6èüöä6ùôäâ÷òÖëÖî Fä)ôõô)ïÖë)ôúë)óä-òÖë)óô5é ?
ë6ùúÿ Dúé)<ó ð)ý<òÖëÖî Fä)ô<ôé<ôâïÖQä Pý 5èë)ôä Öë Aë6óäúä @î6ä6òôäâ2÷ ç{ðää
ä) ô)ýïiðäÖålîóâïÖáäãâë)äÖ÷õä)Yì ó#õ+öíâïëä úëö)ëóFäAä-ôâëïÖãäãâ"é òÖÖëÖäâ÷-îFôâä)ïÖô<ä6ôóéäéúêÖäÖãâë)î6óâëüáèäQõ6ä ?ôâé)ïÖóñäAé6áä @âó<ôòóëøÈòäÖõL
ß ýíÿ ð Aà .
ýíÿ
ð è>À6AF19
ÿAãâä)àûäãúFA27
.
fö!ãø]öøÀ6
ô 6ãàø]öÿ=%øÀ9ô )UDE3D
ÈöøÈùáô
ä "!
Key fingerprint
:= 6ãâé)=
å&6ãâé)2F94
è>Èòóä998D
?ø@,AVFDB5
;W5A F8B5 06E4 A169 4E46
ull
rig
ht
s.
ßßAàâ áãâäºåçèÖãâé6êÖëãÖì
ß
ßAàä !äî¼ô5ð)ôäëã6ôâï õî6ëüùõ`øÀôâï þJýAýé)óôQùóäëÖîÀïÖëüêãâäJôé-ïø¼÷ä
é6òä6ùAòÖé)óôYõ né)ó¼öëãã*Ré6òÖä6ùAòÖé6óôõJ÷âóéüò5êëâ÷AòëÖîCFä)ôõZ*oïøüãâä
óßî)äã)éÖõÀòÖõ6äâé6ù÷ õüòÖä-é6óë6ùô÷Jõ<öõ6ä6ëùF÷úäÖõJë<ôâíïÖþâä ý5òÖàé)óð)í2ôñuãâí)éâïéF<øâõ?êø6ãâã6ôéä6îCFóäâõ÷2ôâ ïÖäA÷äÖõÀôøÈùÖë)ôøüé6ù
ýíÿ
ð Aà .å
ýíÿ
ð ÀÿAà .å fö!ãø]öøÀ6ô 6ãø]öøÀ9ô )ÈöøÈùáôä "!
:= 6ãâé)è>6ãâä)ûäãUB6ãâé)è>Èòóä?ø@,AhíþâýúðÖî6ë6ùBJàd"þâíBA
te
Order of Rules
tu
~Lrq
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ßßQùóäõ¼ôó=øâîÀAF19
Key fingerprint
ôäâ7÷ ä6FA27
êñëÖîî6äÖ2F94
õâõôé&998D
ä6êSüòÖFDB5
é6óôëã-DE3D
õ6ä)óûä6ó F8B5 06E4 A169 4E46
ß
ýíÿ
ð Aà .
ýíÿ
ð ÀÿAà . fö!ãø]öøÀ6ô 6ãø]öøÀ9ô )ÈöøÈùáôä "!
:= 6ãâé)>
è 6ãâä)ûä-ã )%6ãâé)>è Èòóä ?ø @,Ahà %ÿþþ ýBí A
ßßAàâáãâä9åçèÖãâé6êëãÖì
ßpß N]î6ë)ôîÀïúëãLã NRóâáÖãâä
ß ýíÿ ð Aà .å
ýíÿ
ð ÀÿAà .å ]ö!ãÖø]öøÀ%ô 6ãÖø]öøÈ<ô )ÈöøÈùâáôä "!
:= 6ãâé)è>6ãâä)ûäãUB6ãâé)è>Èòóä?ø@,AhàåQ7;WGA
©
SA
NS
In
sti
The firewall configuration script puts the rules accepting packets that are part of or
related to established connections first. This prevents rules that do not use stateful
inspection from creating unwanted conflict with rules that do. Immediately following
are the rules tied to specific interfaces. Since these rules precede all “global” rules,
exceptions to global policies can be placed in an interface-specific ruleset. For example, in order to give unfettered access to IP traffic passed back and forth between the
loopback interface and the rest of the local system, we put a stateless rule in the ruleset for the loopback interface and any other restrictions on traffic to or from the firewall
are ignored in the case of the loopback interface. This also means that fragmented
IKE, AH, and ESP packets heading to the VPN gateway’s public interface will pass,
even though the very first global rule blocks all fragments.
The first two global rules block fragments and TCP scans. These packets are potentially
malicious
andFA27
dangerous;
weFDB5
put the
rules
forbidding
them
first to ensure
Key
fingerprint
= AF19
2F94 998D
DE3D
F8B5
06E4 A169
4E46
ins
f
ull
rig
ht
s.
that packets that would otherwise be allowed through, say to an open port on the
web/portal server, are stopped. Next come rules that give access to and from the publicly accessible servers and the Oracle database cluster. We want these packets to be
passed quickly, so we keep the rules near the top. We also put rules granting access
from the DMZ hosts to internal systems higher up in the list, followed by a specific
block rule for any further access from the DMZ to internal hosts. Then come rules for
user access to public services, followed by rules that are not used as frequently, such
as access to internet NTP servers by our time servers or Technical Support access to
perimeter hosts.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
7 0 , #8Rs
Appendices
Border Router Configuration
ëÖàõ¼ôÿ î6éüî6ù
é6ù
??øÀèâøÈèáóã)ë)ëÖôõ¼øüô-éüùúáòîÀï÷ë6ë)ùôèäâ÷Aä<ë)ë)ô1ôåæjuj04)jjhå7$7;;í9í9óóøQøQdüdüááã&ã&$<$<
ûõ6t ä6ä6óóûõøüøâé6î6ùºäJôåø]öäÖõÀôëÀöÖòõ÷ä6êáè-áâòôø]öä
õ6ä6óûøâî6äJôø]öäÖõÀôëÀöÖòõJãâé)è5÷ë)ôä6ôø]öä<ã)éÖî6ëã6ôø]öä5õÀïé'Àôøföähé6ùä
õ6t ä6óûøâî6äòÖëÖõõ é)ó>÷ üäüùî¼ó âòôø¼é6ù
ïÖt éõ¼ôâùÖëÀöäJêÖé)ó÷ä)Eó Àóéüáôä)ó
Key fingerprint
øùÖÈòpé î6øÈòAä ? ïôô)=òpAF19
õüä)óûä)ó
ùÖé îü÷)òñä6ùë6êãâä
ùÖé õ6ä)óâûøâî6äôîÀ'ò âõhöëãã âõüä)óûä)óÖõ
ùÖé õ6ä)óâûøâî6äJá÷)'ò âõhöëãã âõüä)óûä)óÖõ
ùÖé øÈò ?øÈùèä)ó
ùÖé õ6ä)óâûøâî63ä ?øÈùèä)ó
ùÖé øÈòAêÖéé6ôâòºõ6ä)óûä6ó
ùÖé-êÖéé6ô-ùÖä)ô Öé6ó F
ùÖé õ6ä)óâûøâî6ä5îüé6
ù ?øÀè
ùÖé øÈòú÷éÀöëøÈ'ù 6ã)éé Fâáò
õ6ä6óûøâî6äJôîÀ'ò Fää6òÖëãøÀûäÖõ âøÈù
t
v
áä6ùõüë6ä)êóâùÖãâäúëÀöõ6äQä!Àî¼öóéä)<ôé6ó$äúõ6äÖå î¼ó)ä)ûô<W $ ÷ 0Oå ä6$ùá êO?âÿ6ôá !6?âá èc)]ý
î¼û$üÿ:íw
$"v ;_dâå þW vv è÷2
ááõüõüä)ä)óâóâùÖùÖëÀëÀööQääJê!Àöûéé)èé6óääã5òõ6óäÖî¼øÀûóä)ø6ô<ãâä)$èäñ åå $v ô÷ û@âù
P÷øCh6ùÿ6ùÖëüùP6ÿýhâû
:
áëëâõüë-ä)óâùùÖäëÀö'äJ]öêé)û÷é)äèã äãJòóøÀûø6ãâä)èäñå $
ëëâë5ëüáôâïÖä6ùôøâî6ë)ôøüé6ù<ãâé)èøÈù5÷ä?ë6áãüôúãâéÖî6ëã
ët ëâë5ëüáôâïÖé)óCø hë)ôø¼é6ùúîüéÀööë6ù÷õ5å $A÷ä ?ëüáã6ôúãâéÖîüëã
êÖëüùùÖä)óJöé6ô9÷ H
íâÿxïxîâxî6øâäÖõxõx÷õAxä)xûøâxõøâxîüxóäñxäÖxøâõÀxôõxóxô)øâxïÖî¼xäôxäâxò÷xóxôé6xòÖé5x ä6ÿóë6áôàô)AéïÖ é) ?<ó=Cø =ht äâ ÿx÷5þ9xõ¼x)ôxùëxô?x?ä)xóâxöòxäÀóxöøâxêÖõ6xä)äÖxóõ#xõx* xéxù?<xî6x=é)xóâxòÖÿx9þé6xóx)ë)xùôxôäâx ä)÷óâ òóøâõ6äÖõ
íäîÀïùøâîüëã ð6áòâòÖé)óQô ;ä6òÖë)óô¼öä6ù4ô iùÖë6áôâïÖé)óø häâ÷Jáõ63ä ø6ããêÖä-òóéÖõüäÖîÀáôä)÷ôé
ôâï9ä ?6áããâäÖõÀô5ä @ôä6ùô5é ?5ô)ïÖä5ãâë [ÿÖãã<ëÖîÀôøÀûøÀô øâõ5õÀáê !äî¼ô<ôéöé6ùøÈôé)óøÈùè
óä6ûøüä Öä)÷ê = ÿ&þ âùôä)óâòóø)õ6äÖõ íñðâäÖîÀáóøÈô Aë6ù÷ î6é6áÖã)÷ êÖä<óä6òÖé)óâôäâ÷ ôéúãâë ä6ù ?é)óî6äÈöä6ùô-é ??øâîøüëãõôé5ëõõøâõ¼ô øNù!î¼óø]öøÈùÖëãòóéÖõüäÖîÀáôø¼é6ù øÈùúôâïÖäAä)ûä6ùô
?<é6FA27
é ?öøâõÈáõ6
ä = AF19
áú÷é<ù2F94
é)&ô øâ998D
õÀï5ôé FDB5
êÖä õÀáê DE3D
!âäÖî¼ô<ôF8B5
é<ôâïÖäÖõü06E4
äúî6é6ùA169
÷øÈôøüé6ù4E46
õ*
#
Key fingerprint
t
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
t t P J
÷ø)õî6é6ùùäÖî¼ôùé t
H
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
)îî)t ã)ã)éÖéÖîCîCF<F ôõÀá6ø]ööâöähä)óEé6ùÖÀôä3ø]öð)ä7í6;"íú$ óäÖîÀáóóøÈùè åJð6áùúÿâòój05ãâëÖõ¼ôúð6áù,:îÀôj
ùÖt é øÈòºõ6é6áóî6äSÀóé6áôä
øÈùøÈôò ä)ó ëâ?÷ë÷âî6ó-ääÖõõ5ôâï#å ä)]óâ#å ùÖhä)#å ô h8å $Q$$$$0$$$
ùÖøÈòé ëÖøÈòñîî6÷äõøÀóõäÖÀèîÀôóäâé6á>÷ òÈêóå$éå<ëâ÷øÈî¼ù ëÖõÀô
óë)ôSä 6ãÖø]öiøÀôñøÈùâòáôúëÖîî6äõõ Àèóé6áò å å5å $
&æ$9$æ
î6éü
ù ?é)óü#ö üëÖî¼ôø¼é6ù ôâóë6ùõhöiøÀô ä @îüääâ>÷ üëî¼ôøüé6ù ÷âóéüò
óë)ôSä 6ãÖø]öiøÀôñøÈùâòáôúëÖîî6äõõ Àèóé6áò å )å5å $
&æ $&$æ î6t éü
ù ?é)óü#ö üëÖî¼ôø¼é6ù ôâóë6ùõhöiøÀôAä @îüääâ>÷ üëî¼ôøüé6ù ÷âóéüò
øÈù÷ôäÖä)õâó î¼?óëøÈî6òä-ô=øüðé6AF19
ä)ù óøü
ò ë6ãò FA27
Key fingerprint
2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Ö
ã
È
ø
ù
FAôé ð)ý
øÈò ëâ÷÷âóäÖõõ5å#]å#hå#hå8Q$$$$0$$$
øÈøÈòò ëÖëÖîîî6î6ääõõõõÀÀèèóóé6é6ááòò åå$$5é6øÈùáô
ùÖé øÈòñ÷øÀóäÖîÀôäâ>÷ Èêóéëâ÷î¼ëÖõÀô
ùÖé øÈò5òóé @>üë)óâò
ùÖé øÈò5áùóäëîÀïÖë6êã)ä
ùÖé øÈò-öëÖCõ FEÈóä6òã
ùÖé øÈòúóäâ÷øÀóäÖî¼ô
ùøÈòúôâòúû÷ä)óø)õ6ø ?ë6ê-áãâä ùøâîüëÖõ¼ô-óä6ûä)óõ6ä ÈòÖë)ôâï
óë)ôSä 6ãÖø]öiøÀôñøÈùâòáôúëÖîî6äõõ Àèóé6áò å <&$æ ºåå $
î6éü
ù ?é)óü#ö üëÖî¼ôø¼é6ù ôâóë6ùõhöiøÀô ä @îüääâ>÷ üëî¼ôøüé6ù ÷âóéüò
óë)ôSä 6ãÖø]öiøÀôñøÈùâòáôúëÖîî6äõõ Àèóé6áò å )på $
&æ $&$æ î6t éü
ù ?é)óü#ö üëÖî¼ôø¼é6ù ôâóë6ùõhöiøÀôAä @îüääâ>÷ üëî¼ôøüé6ù ÷âóéüò
øÈùùÖôé ä)ó øÈ?ò5ëî6áäJùóùäáëãâîÀãïÖ ë6êã)äÖõ
øÈøÈt òpòúóî)é6ãâáëôõä&õ)ãâäÖõâõ 0& å5hå#hå#]åå
øÈøÈòúòúóóé6é6ááôôää #å#å hh#å#å ]]#å#å hå $3æ $
$7$$$$0$$$$$$$A#å ]5#å h5å#å hh#å8å h)#å ]å )
øÈøÈòúòúóóé6é6ááôôä&&ä 00&&$$2$00ùùááãâãâãã øÈøÈòúòúóóé6é6ááôô&ää&$00&&$$$$00ùùááãâãâãã
øÈøÈòúòúóóé6é6ááôô&ä&ä QQ$$$$00JJùùáÖáÖãããã øÈøÈòúòúóóé6é6ááôôä&3ä _)#å QQ$$4$00JJùùáÖáÖãããã øÈòúóé6áô3ä Q$$0JùáÖãã Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
øÈòúóé6áôä&$Q$40JùáÖãã
øÈòúóé6áô&ä Q$40JùáÖãã øÈøÈòúòúóóé6é6ááôô&ää&QQ
$$00JJùùáÖáÖãããã
øÈøÈòúòúóóé6é6ááôô&ä&ä 4QQ
$00JJùùáÖáÖãããã øÈøÈòúòúóóé6é6ááôôä<ä æå ))æ 0$4Q34$$0$J$ùáÖãã ùáãã
øÈøÈòúòúóóé6é6ááôôää åå40033$$4$JJùâùâááãããã øÈøÈòúòúóóé6é6ááôôää åå 4)0033
$JJùâùâááãããã øÈòúóé6áôä åæ03$$Jùâáãã
øÈøÈòúòúóóé6é6ááôôää åÀåÀææ 0033$$$J$Jùâùâááãããã øÈøÈòúòúóóé6é6ááôôää åÀåÀææ 0]å 303$$$$$4J0ùâáãùâã á ãã øÈøÈòúòúóóé6é6ááôô&ää =åAF19
40FA27
342F94
J
ùâáãã FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint
998D
Q$$0JùáÖãã
øÈòúóé6áôä åÀæ ]å )3$$$$ùáãã øÈt òúóé6áôä å ]å )03$$hå )Jùáãâã ãâãâé6é6èèèèøÈøÈùùèèúôõ6óé6áë6òAóîüùÖSä é)ôøÈùCø ?ôä)øâóî6ë6?ôëÖøüîüé6`ä ùâõ ôâïÖä)óâùä)
ô ëÖëÖãâé6îâîâèî6î6èäÖäÖõõøÈùõõ èüüãÖãÖå#øâøâõ¼õ¼hôôå#hååå5<5håò÷ä)ä6) ùóüö5ëøÀ6ôpù 5å hãâ#å é)hè #å ]å )
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼QôQô <<òòä)ä)óüóüööøÀøÀôpôp5å5å hh#å#å h#å ]0å _)å
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼QôQô <5ò÷ä)ä6ùóüö5ëøÀ6ôpù 5å hãâ#å é)è0
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼QôôQ<5ò÷ä)ä6ùóüö5ëøÀ6ôpù 5å hãâ#å é)hè #å ]å )
ëÖt îâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈ,ò 5å $$0$$$$ëüù ã)é)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈò #å h5å h#å hå ë6ù ãâé)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈò #å h5å h#å hå &<ë6ù ã)é)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ºøºøÈÈòò #å#å hh5å5å h#å 33h<å $<ë6ùëüù ñãã)é)âèé)è
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈ,òò,$QQ$$$$00$$$$$$$$ëüëüùù ã)ã)é)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ºøºøÈÈ,ò,ò 0Q3$$$$0$$$$0$$$$Jëüùë6ù ñãã)é)âèé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ºøºøÈÈò,,ò )003ñ#å $$$$$$$$00$$$J$Jë6ë6ùù ñãñãââé)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò_
#å 0033$$$$$$$$00$$$J$Jë6ë6ùùñãñãââé)é)èè
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈ,ò $0ñ#å $$$$0$$Jë6ù ñãâé)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈ,ò 0ñ#å $$$$0$$Jë6ù ñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ºøºøÈÈ,ò,ò 0033$$$$$$$$00$$$J$Jë6ë6ùù ñãñãââé)é)èè
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈò,ò,40033$$$$$$$$00$$$J$Jë6ë6ùùñãñãââé)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò æå))æ0$4303å#$$$$$$$$$$Jë6ë6ùùñãñãââé)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò åå2003ñå#$$$$$$$$$$$$ë6ë6ùùñãñãââé)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò åå2)0033$$$$$$$$$$$$ë6ë6ùùñãñãââé)é)èè
ëÖîâî6äÖõõ üãÖøâõ¼ô å$<÷ä6ùºøÈò åæ03$$$$$$ë6ùñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò åÀåÀææ0033$$$$$$-ë6ù$$ë6ãâùé)èñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò åÀåÀææhå033]$å#$$$$$$$$$ë6ùë6ùñãñãâé)âèé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈò,ò å20303å#$0$$$$$$0$$$J$ë6$ùñãë6ùâé)èã)é)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å$<÷ä6ùºøÈò åÀæhå)03$$$$ë6ùñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$< òÖ÷ä6ä)ùóüöiºøøÀôÈò øâîhåöÖòñhë6åù)ñëüù3ä0îÀïÖ
éSÀóä6$ò$ã$$ë6ù ã)é)è
Key fingerprint
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâ=õ¼õ¼ôô AF19
åå$$ òÖòÖFA27
ä)ä)óüóüöiöiøÀøÀôô 2F94
øâøâîhîhöÖöÖòñòñ998D
ë6ë6ùùñëñëüüùùFDB5
5ápõâüùé6áóóäDE3D
ëÖî6äîÈïÖCO)ë6êáÖä6ãâF8B5
äùîÀï 06E4 A169 4E46
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$ òÖòÖä)ä)óüóüöiöiøÀøÀôô øâøâîhîhöÖöÖòñòñë6ë6ùù ñëñëüüùù úô5òë)ø]öóSäëÀöüää6@ôä)î6EóääâÈò÷óäâ÷é6êã6äÀö
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$ òÖòÖä)ä)óüóüöiöiøÀøÀô<<ô $$5åJë6ë6ùù úëúë66ùù
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùù $$5$5ë6ë6ùùúëúë66ùùñãñãââé)é)èè
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù 5ë6ù úë6ù ñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùù òôîÀø]öºòñë6ë6ùùñëAïÖ6ùéÖñãõÀô1âé6å5è hå#hå#]å äO5ôäãüùÖä)ôúãâé6è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ôôîÀîÀòñòñë6ë6ùù AïAïÖÖéÖéÖõÀõÀô1ô15å5å hh#å#å hh#å#å ]]åå $ ää O5OôäúãüùÖãâé)ä)èôúãâé6è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$< òÖ÷ä6ä)ùóüöiøÀô<ôôîÀîÀòñòñë6ë6ùùñëAïÖ6ùéÖõÀô1å5hå#hå#]å$ äOúãâé)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $ òÖä)óüöiøÀô-á÷)òñë6ù ñë6ù
ëÖt îâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈò ë6ù úë6ù ã)é)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$åå÷÷ä6ä6ùù $$5$5ë6ë6ùù úëúë66ùù ñãñãââé)é)èè
ëÖîâî6äÖõõüãÖøâõ¼ô å$å÷ä6ù 5ë6ùúë6ùñãâé)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $å÷ä6ù òø]öºë6ù ñë6ù ñãâé6è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $åòÖä)óüöiøÀô<ôîÀòAïÖéÖõÀô15å h#å h#å ]å )JïÖéõ¼ô!#å h#å h5å hå -ä O
ëÖîâî6äÖõõ üãÖøâõ¼ô å $åòÖä)óüöiøÀô øÈò #å h#å h5å hå )-ëüù
ëÖîâî6äÖõõ üãÖøâõ¼ô å $åòÖä)óüöiøÀô øÈò #å h#å h5å Q0-ë6ù
ëÖîâî6äÖõõ üãÖøâõ¼ô å $åòÖä)óüöiøÀô øÈò #å h#å Q]å $-ë6ù
ëÖt îâî6äÖõõ üãÖøâõ¼ô å $å÷ä6ù ºøÈò ë6ù úë6ù ã)é)è
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$ òÖòÖä)ä)óüóüöiöiøÀøÀôô øâøâîhîhöÖöÖòñò1ë6å#ù ]ñëå#hüå#ù ä-îÀïÖë6ùSé <òÀóÖä ëO)áÖîCFäÖä)õÀôEô ÈôééSÈêøÀè
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøâî]öÖòñë6ù úë6ù
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈò #å h5å h#å hå ë6ù
Key fingerprint
ëÖîâî6äÖõõ üãÖøâ=õ¼ô AF19
å $<÷FA27
ä6ù ºøÈò2F94
å h5å h998D
#
å hå $ FDB5
#
ë6ù DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ëÖîâî6äÖõõüãÖøâõ¼ô å$ òÖä)óüöiøÀô øÈò ë6ùúë6ù
t
ëÖîâî6äÖõ"õ yãÖøâõ¼ô å) òÖä)óüöiøÀô<ôîÀòñë6ù1å#hå5hå#åõCâù
ëÖîâî6äÖõ"õ yãÖøâõ¼ô å) òÖä)óüöiøÀô<ôîÀòñë6ù1å#hå5hå#AõCâù
t
ëÖîâî6äÖõõ üãÖøâõ¼ô å)åòÖä)óüöiøÀô<ôîÀòñë6ùñë6ù õC)ù
t
ëÖîâî6äÖõõ üãÖøâõ¼ô å òÖä)óüöiøÀô øâîhöÖòñë6ùñëüù äîÀïÖéSÀóä6òã t
t
ëÖîâî6äÖõõ üãÖøâõ¼ô ååòÖä)óüöiøÀô øâîhöÖòñë6ùñëüù äîÀïÖéSÀóäO)áÖäÖõÀô
õÀt ùüöÖ'ò âõ6ä6óûä)ó-ä6ùèøÈùä ;5ãâéî6ëãQæ;
$å8$)
õÀõÀùüùüöÖöÖ'ò'ò ââõ6õ6ä6ä6óóûûä)ä)óóûûøüøüää ñAùÖëâ÷¼ë)öiô{ëøÈzù ]åJhå<ä @øÈùî)ãüî)áãüá÷÷äâ÷äâ÷
õÀùüöÖ'ò âõ6ä6óûä)óèóé6áòúë)÷¼öøÈù5
û òóøÈû5óäëâ÷5ëâ÷¼öøN<ù óøÀôäùÖë6ôë ùÖé)ôøC?-ùÖë)ôëAëÖîîüäÖõõ-
õÀùüöÖ'ò âõ6ä6óû=ä)óAF19
èóé6áò<ùé)ôCø ?2F94
<û<òóøÀûAóFDB5
äëâ÷-ùÖë)ôQë óøÀF8B5
ôäùÖë6ôë ùÖé)ôA169
øC?5ëâ÷¼öøÈùúëîî6äÖõõ-
Key fingerprint
õÀùüöÖ'ò âõ6ä6óûä)óJáõ6ä)ó<FA27
êøÀè)êóé)ôâïä)ó<998D
ëâ÷ÀöøÈùA
û 5ä6ùî¼DE3D
ó âòôäâ÷-ë6áôâï 06E4
ö÷$ ïÖëããâäâê4E46
ä)óóôéüù
õÀõÀùüùüöÖöÖ'ò'ò ââõ6õ6ä6ä6óóûûä)ä)óJó<áãâéÖõ6ä)î6ó<ë)ôùÖøüé)é6ô9ù Cø =?øüÿä)&þóùÖâùé)ôôä)Cø ó)?ò<ûó
øâúõ6ääügõ ù;î¼óë)ôâòëAôþäâä6÷-ùôëüáä)ôâó ï ö÷ $A÷ 6ùô)òïÖä6ùîüä J_åhù
õÀõÀùüùüöÖöÖ'òò'ââõ6õ6ä6ä6óóûûä)ä)ó5ó-ä6î6ùÖé6ùë6êôëã)äî¼&ô ô=óë6 ÿò9þõ<)õÈù6ùöÖôòä)óâòóøâõ6äÖõíäÖîÀïâùøâî6ëãð6áòòÖé6óô *Rä @â4ô |$
õÀõÀùüùüöÖöÖ'ò'ò ââõ6õ6ä6ä6óóûûä)ä)ó-ó-ä6ä6ùÖùÖë6ë6êêã)ã)ää ôôóóë6ë6òòõ<õäüîüùé6
ùô?øÀôøÀè
õÀõÀùüùüöÖöÖò''ò ââõ6õ6ä6ä6óóûûä)ä)ó-ó-ä6ä6ùÖùÖë6ë6êêã)ã)ää ôôóóë6ë6òòõõ<äüõ ùõûü)öãâé6é)ùè
õÀõÀùüùüöÖöÖ'òò'ââõ6õ6ä6ä6óóûûä)ä)ó-ó-ä6ä6ùÖùÖë6ë6êêã)ã)ää ôôóóë6ë6òò7õõóâ?)ôóóëÀöSä Èóäãâë
õÀõÀùüùüöÖöÖ'ò'ò ââõ6õ6ä6ä6óóûûä)ä)óJó-ïÖä6ùÖéÖë6õ¼êô!ã)ä#å hô5å óhë6#å òhõå äü)Jùûûüöä)óé6ùõøüé6ù 5ë6áôâïAùÖé6ôCø ?øüä6ó
õÀõÀùüùüöÖöÖò''ò ââõ6õ6ä6ä6óóûûä)ä)ó-ó-ä6ä6ùÖùÖë6ë6êêã)ã)ää ôôóóë6ë6òòõ<7õ ?)õõóëÀ)öãâé)Sä èÈóäãâë
õÀõÀùüùüöÖöÖ'òò'ââõ6õ6ä6ä6óóûûä)ä)ó-óJïÖä6ùÖéÖë6õ¼êô!ã)äå#hôå5óhë6å#òhõåóâ)Jôûó ä)óõøüé6ù5ë6áôâïAùÖé6ôøC?øüä6ó
ãÖt øNäùÖ@äñäîî6Àé6ôù ø]ö äé6áôQ$
ôëóëëüëAùë6õÀáòÖôâé)ïÖóâôä6ùôøÈùøâòî6áë)ô<ôø¼ôé6äùAãüùÖã)é)ä6èô øÈùú÷ä ?ë6áã6ô
ãÖøNë6ëÖùÖáîä-ô)îüïÖäÖûé)õô óõ øCâhî69ë)ãâôëÖ õøüé6õ<ù5å î6éÀöâøÈöù ë6ù÷õAå$5÷ä?ë6áãüôÖãÖøÈùÖä<î6é6ù
õ6äÖõâõøüé6'ù Èôø]öäéüá-ô $
ôëóëëüëAùë6õÀáòÖôâé)ïÖóâôä6ùôøÈùøâòî6áë)ô<ôø¼ôé6äùAãüùÖã)é)ä6èô øÈùú÷ä?ë6áã6ô
ë6áô)ïÖé)óCø hë)ôøüé6ù5î6éÀöâöë6ù÷õAå $5÷ä ?ë6áãüô
ãÖøNùÖäAë6á @
ôóëüùõÀòÖé)óâô øÈùòáô-ùÖé6ùÖä
t
ùùô)ô)òpòpî6õüé6ãâáéÖóCî FEî63äNòÖâä)ôâóïÖøüä)é)óâ÷ ùä)å ô )
ins
f
ull
rig
ht
s.
ùùô)ô)òpòpõüõüä)ä)óóûûä)ä)ópópå5å5hhå#å#hhå#å#0]å_)Jå òóä?ä)ó
ùÖä6ùé ÷ õîÀïäâ÷)áãâä6ó<ëãã)éÖî6ë)ôä
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
}
Internet Firewall Configuration
The Netfilter firewall script below was generated by the fwb_ipt program, part of the
Firewall Builder multi-platform firewall ruleset manager. Comments embedded in the
script were mostly added to comment fields in the fwbuilder GUI; a few, including the
file header, were generated by the iptables ruleset compiler, fwb_ipt. The generated
script is stored in /etc/sysconfig/firewall.fw and called by init script /etc/rc.d/init.d/firewall.
Long lines in the original file have been split to make it easier to read.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßß t üêøÈùSõÀï
ß íâïøâõ5øâõ ë6áôéÀöë)ôøâî6ëãã" èä6ùä)óë)ôä)÷3?ø6ã)ä~;:3:6í
J:"; W t
ßß øÀóä Öëã`ã áø6ã)÷ä)ó ?âêS.ÖøÈòô<ûå#hå8Så
ßß =ä6ùä)óë)ôä)-÷ Jé6ù ðä6ò1å$<)j0$j$3Q;í<ê!Àöéâé)óä
Key fingerprint
ßß
ßß
ãâé6èÎôäçNì-õ¼6ô @GA :==5à A :==à Èò1øN
ù ?6é A å A
ûëâ ÷âë ÷.üù.âá6ëâ>ö÷÷)yóÎå çNUì
ù6÷ëâSö÷âä6û÷ây óy y å
ôë)òë)Ö÷÷äy'y'AAAA
yL %
øC?<: ô äýðõ¼ô6y úÈ ùëâð ÷âA ÷â óñ'A'ãuõ ôâï ÷ä6ùä)û
èâóä6_ò A ÷ä64û jVAE
õô6 âòä)Öôð yEä yAU j*>A
ð y : ð
yR ý%ñëâ÷÷âóúãõ ÷ä6û5ôé ë)÷÷âó`èóä6ò_A<øÈùÖä)ôGAE
Cø ?AôäÖõ¼%
ô ÈIù A EA'RôâïÖä6ù
: ð y ð
õëâüëâä)ô÷ðy'÷ yAU > A
ðy : ð
?ø
?ø
øC?<Cø ô?Aäôõ¼ô6äÖõ¼BôCh_A A ô âòëÖëâ÷Eä ÷EAgA'yGôâANïÖý äü: ù í :6
ý : 5í AE`ôâïä6ù
ãâëüêÖäã û÷ë ä66ý.ü4û ùá6j1Sö yRë){÷ä 6÷â@âûóúòëó .¼ëâù÷ á6û÷ ö ë .üùëâá6÷â,ö÷âó5l!÷ä)Eå û ÷ä)û õîüé6òÖä èÖãâéüêÖëã
Cø ?Aø ôäÖõ¼ôBA ôâòÖäEAgyGAVà
:6ÿ;þâÿð)í5A'`ôâïÖä6ù
èÖã)é6êÖëã<û
ãâë ëüý6.üêÖùäá6ãöS yR ë){÷÷ää6÷â@âû4óúòój1ëâ÷ û÷ ë6.üûùëâëá6÷âö,.¼÷âùóá6l! ö ùüåEöñ ÷ä)û ÷ä6ûAêó÷9lpõî6éüòÖä
?ø
?ø
è ä6ô÷ëâä6÷û ÷ây óÚ çNå 7ì
ùÖyLëÈö äy %ý úëâ÷â÷âó õÀïÖé ú÷ä)û ÷ä6û èóäüòºøÈùÖä)ô
ôäõ¼Gô Ac 'Agyy_Ac>A`%
Ö
ä
À
î
Ö
ï
é
6
A ùôä)
ó
?ëÖî6ä ÷ä)ûºøâõ ÷é 2
ù
*+øÈôõ ý ë)÷÷âóäÖõâõAøâõ
áù FâùÖéä @4ù øÀô!
þå ë6ùAùÖé)ôpøÈùõÀôëã-ã ?øÀóä ÖëããòÖéãøâCî 4VA

: ð y ð
ð y'AU>=A AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint
õä)6ûä6ôë%ã A ùÖëÀöä y EA
ð y : ð

ð J:;y'AõÀêøÈ
ù ãùõhöhöéâE÷é)÷)A òâóé6êEä A
J:";ý
à
:"y'ACõÈêøÈS
ýâíÿ
ðy'ACõÈêøÈùSøÈòôë¼êãâäõA
ý y'ACõÀêøÈS
ù ÖøÈ5òó üA êøÈ
ù ã)é)è)èä)Eó A
:==
à
yEACüáõ¼
îü÷âä)ôîuä@øÀô!å
ãâé6_è Ahÿî¼ôøÀûë)ôøÈù3è ?øÀó"ä ÖëããAõâî¼ä óA øÈòô<èä6ùÖä)óë6ôäâ3÷ Jéüù ðâä6ò8å $
)j$j$QQ;âíAê ,!Àöéé)óE
âí à ÿþ ð y'AÈä)ôâ
ï ä)ôâï_ð åJ ä6ôâ÷ïé <ä)ôâ
ï 5ä6ôâï úä)ôâï $5ãâBé A
?é6ópø5øÈù í à ÿþ I
ý ãøÈ
ù
F õÀïÖé _A äÖä @îÀïÖøÀô!é å ùôä)ó?ëî6ä ø A7ø÷é)÷ää)õJû ùüùé)ôúáÖãä3ã @øâõ¼ô å |

÷äÖéüîÈùÖïÖäéº3å <üòóéî Cõ õüùÖä)ô øÈòû ÖøÈ
ò .)÷ âùëâ÷÷6ó
äÖäÖîÈîÈïÖïÖéº9é å3<<üüòòóóééîî õCCõ õõüüùÖùÖä)ä)ôô øÈøÈòòûû î6î6é¼é¼ù
ù ??ââëâëâãããã ¼6óâëÖòîâ.î6?Öä¼òø6ôã6ô.ä)õ6óéüáóîüä .¼óéüáôä
äÖäÖîÈîÈïÖïÖ9éé9<<üüòòóóééîîCõõCõõüüùÖùÖä)ä)ôôøÈøÈòòûûî6î6é¼é¼
ùù
??ââëâëâãããã6)ëÖãâé6îâèî6ä¼.höòôë)ó).¼óôä)ø¼÷ë6ùøÈóõ äÖîÈôõ
äÖäÖîÈîÈïÖïÖéºéº3å3å <<üüòòóóééîî CõCõ õõüüùÖùÖä)ä)ôô øÈøÈòòûû ÖÖøâøâîfîföÖöÖòò .â.ÖäøNèâîÀïÖùÖééüó.ÖäøÈèâ.üùêé)é)óèâáä .üõ ê.)óä)óâéâóë)÷é)óî¼ëÖ.6óõÀôäÖõõÈòé6ùõ6äõ
äÖäÖîÈîÈïÖïÖé9éºå <<ü<òóüòéÖóîéÖîõCõCõõüùÖä)¼ùÖô
ä)ÖôøNòÖûøhòû6ôÖ6îÀòô.îÀ
ò?Ö.øÈùSFä).¼ôä6òøföëä)ãé6øÀáûôä .ÖøNùôâûã
äÖäÖîÈîÈïÖïÖéºéº3åå3<<üüòòóóééîîCõõCõõüüùÖùÖä)ä)ôôøÈøÈòòûû66ôôîNîNSòòS.C.õ6ëøhùîCF÷Cé S.õî¼ëãÖøhùè
äÖäÖîÈîÈïÖïÖéºéº3å3å <<üüòòóóééîî CõCõ õõüüùÖùÖä)ä)ôô øÈøÈòòûû 66ôôîNîNSòSò ..?Cõ 6ùëCî Fî6é)é Føüäõ
äÖäÖîÈîÈïÖïÖéºéºå33å <<üüòòóóééîî õCCõ õõüüùÖùÖä)ä)ôô øÈøÈòòûû 66ôôîNîNòSSò .).üôäÖîNø{öù äÖõÈôëÈöÖòõ
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
?
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâó<ï<??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâïïA ãâë6êäã%AÀä)ôâïj1 A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâ<ó <ï ??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâïiïiåå ãâë6êä%ã AÀä)ôâïi5å j1 x A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâ<ó ï<??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâï ïA ãâë6êä%ã AÀä)ôâï j1 x A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâó<<ï ??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâïïA ãâë6êäã%AÀä)ôâïj1 x A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâ<ó <ï ??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâï ïú ãâë6êä%ã AÀä)ôâï 2j1 x A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâ<ó ï<??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâï ï$A$ ãâë6êä%ã AÀä)ôâï $j1 x A
x
ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóºõ6#å ä)hôú#å ]ä)#å ôâhï
å -)3áâòúä6ôâï ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóºõ6#å ä)hôú#å ]ä)#å ôâï__ål(å áâòúä6ôâïiå
ëâ÷â ý÷
.âãëâ÷øÈù÷)Fóºõ6åä)ôúhå5ä)hôâå#
ï -$Qáâòúä)ô)ï
ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóº=õ6å ä)AF19
h5
å ä)1ôâ4ï
h-gå FA27
ä)ô)2F94
ï 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint
ú
ô
â
á
ò
ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóºõ6å ä)ôúh5å ä)hôâ#å ï hAgå áâòúä)ô)ï ëâ÷â ý÷
.âãëâ÷øÈù÷)Fóºõ6åä)ôúhå5ä)ôâ)
ï $-Qáâò ä)ô)ï$
ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóºõ6å ä)ôñ0ãâé-áhò (å ñãâé
ýíÿ
ðð ÀÀýý :C íâý ý í í ;;
à
à :6:6ýý
ýíÿ
ýíÿ
ðÀý9:6àÿà;&;à
:6ý
î6ë6,ô ¼ýòíóÿ éÖ
î¼ùÖ<ð ä)ô ÀÖô øNSò .6ôôëüë6êêãâãâä äÖ"õC.ü6ùëÀÈöù äÖ_õ ïâø6ïãâø6ä ãâä-óäóë)ä÷ ë)÷Aî5ôîÀë6ïÖêëÖãâøÈRäù5Ró÷äÖé õ¼ô R÷é
ø?5ô ýâäíõ¼ôGÿ ATwð îÀAgô yG ôATwë6êþ6ïÖã)ëä øÈù# A, 3îÀïÖôâïÖëäüøNùù
÷éü ùÖýíä ?ÿ ø <ð Àô ôëüêãâä w
÷éüùÖä
J:";."; ày'AãÖøÈê
Èöéâ÷üáãâäõZá)ùÖëÀöä&ÈórFä6óâùÖäã¼ùÖä)ôÖøNòûüùä)ô?ø6ã¼ôä6óSA
J:";ð yRçhîü÷ J:";."; õ?6ä)é6óp÷ öNféâõ ÷)áãâäñé øNx ù YçÆNhäÖ5ì îÀ ïÖé J
:à ;uãõ ðxì#.î6÷é6ùé ùôóëÖCî F
. xbx .üùÖë6ô . x
Cø ? ð J:;
èóä6ò Nöéâ÷)áã)ä )÷ä)
û üùáÖãLã
ô)ïÖä6ùºî6é6ùôøÈùáÖRä ~?ø
Cø ?zü6
ä A J:";."; à Nöé6÷)áÖã)ä Sé Agü6é ¼ä
A J:;
.; à Èöéâ÷üáãâä é¤èh'ARôâïÖäüù
J:;âý
à :" Èöéâ÷6áãâä ä @øÀô!å
?ø
÷ß éüùÖä
ß ÿíúé6áôâèéøÈùè-ùôâò5óä O)áÖäõ¼ôUõ ?âóéÀö ôâïÖ3ä Öä6Sê ¼òÖé)óôëã
9
áêÖãÖøâZî N%FA27
øNùôä)ó2F94
?ëÖî6äôé øÀôõòáâêãÖøâîAøÈùôä)óâùÖä6ô
ëâõ6÷âä6ó÷âóûäÖä)óõõ NfGõ =N òAF19
Key fingerprint
998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ý íÿ ð Àô<ùÖë)ôBÀÿAý:âð6íà:Cí =¼éúä)ô)ï
l%ÈòñôîÀò âõ
åå ]å hå
ýíÿ ð Àô<ùÖë)ôBÀÿAý:âð6íà:Cí =¼éúä)ô)ï
l%Èòúá÷)ò âõ
åå ]å hå
ßß àâáã)ä åçaÿíì
ß
ß9ÿíúëããAëãã)éÖäâ÷<éüáôèéøNùè-óäO6áÖäÖõ¼ôõ7?)óéÀö äÀöëÖø6ã
èë6ôä Öë N]Gõ N òáâêãÖøâZî N3øÈùôä)ó ?ëÖî6äôé øÈôõòâáêãÖøâîAøNò ë)÷÷âóäÖõâõ
ýíÿ
ï l%ÈòñôîÀòB]ö
öÖáÖ$Lã6*ô
)øÈòÖ$Ré6*aó$ôR*Èå )õ9"å !5hð#å 1ÿâ4Bí 0 ÀôSé¼÷âäÖõüé6õ¼áôóøÈùî6ë)ä5ô#åøüé6hEù5å Èòé)ó)ôåõ
ýíÿ
ï l%Èòúá÷)Bò ]ö
öÖ"áÖ!5ã6ôðøÈòÖÿâí%é6óôÀôéS)õ)õ6é6å áóh#åîüäñ14å#0 hå5¼÷äÖõ¼å ôøÈùë)ôøüé6Eù Èòé)ó)ô(õ $R*È8å Key fingerprint
ßß àâáã)&ä =aç AF19
ÿíì
ß
ß ÖäA÷é62ù NôA÷9é ÿâíñéüù1øÈùôä)óâùÖëãêÖé @äõô)ïÖë)ô<ôó 5ôé-ïøÀô
&
ôâïä-òâáêãÖøâîë)÷÷âóäÖõâõ6äÖõJé ?AôâïÖ&ä ?øÈóä Öëãâã é)<ó ;J
c
õ6ä6óûä)óYõ #íâïÖä 9ø6ããJêÖä5ë6êãâä-ôé<óäëîÀïAôâïÖ&ä ?øÀóä Öëãã
çNø ?úëããâé Öä)÷(ì øÀô)ïÖé6á&ô ÿâ4í íâïÖä<óâáã)äÖõêÖäãâ"é úô)ïÖë)ô
ïÖùÖëüä6ùôÖ÷é)ãâóä<F2ëÖ îâî6äÖõõôé<ôâïÖQä ;Jc õüä)óûä)ó7õ ?âóéÀö øÈùõø¼÷ä ôâïÖä
ýíÿ
ð
Àô<ùÖë)B
ô
ÀÿA
ý
:âð6í
à
:Cí =¼éúä)ô)
ï âõ
å 0<C!úð âÿ6
í
ÀôS
é
)õ6é6áóîüäñ#
å
h5
å
h#
å
hå )
ß
ß ÿíúëãã øÈùîüéÀöøÈùèòÖëÖCî Fä6ôõôé<ôâïÖäAäÀöëÖø6ã èë)ôä ë <ôé
9
ôâïä-òóøÀûë)ôäñøÈò ë)÷÷âóäÖõâõJé6ù!øÀôIõ N òáêÖãÖøâZî N%øNùôä)ó ?ëÖî6ä
ýíÿ
ð À÷Àô<äÖõ¼ùÖôë)øNBôùÖë)ÀôÿAøüé¼ýù à â8å à:Ch#å í 12 = ¼÷15å h#å 0_7å C!
;âÿ6
í
ÀôS
é
ßß àâáã)ä3Îçaÿíì
ß
ò9ß óøÀÿûíºë)ôä5øÈùøÈîüòéÀöë)øÈ÷ù÷âè-óòäÖëÖõâCîõFéä)?pôõøÈôôQéõIÖN òä6Sêáêüòãé)øâóîZôN%ëøÈã-ùôõ6ä)ä)óóû?ä)ëó<î6ä ôé
ýíÿ
ð À÷Àô<äÖõ¼ùÖôë)øNBôùÖë)ÀôÿAøüé¼ýù à â8å à:Ch#å í 12 = ¼÷15å h#å 0
<C!
;âÿ6
í
ÀôS
é
ßß àâáã)&ä $aç ÿíì
ß
ß?øÈóÿä ÖíºëøÈãâù-ã îü?âéÀöóéÀøÈöùè-ôâïòä-ëÖCî êFé)ä)óô÷õä)ôó<é<óôâé6áïÖô-ä ä)
ó<;ôý éACõ ôâõï6äãâé)è-õ õòÖ)é)ãâóâé)ôñè éüõüùñä)óôâûïä)2óä 9
ýíÿ
ð Àô<ùÖë)Bô ÀÿAýà âà :Cí = Nòúá÷6ò âõ 5å h#å h#å ]å $
¼÷!#
å h#å ]#å =hå AF19
)<¼÷FA27
äÖõÀôøÈùÖ2F94
ë)ôøüé6'ù 998D
Èòé)óâ3
ô FDB5
$Tå 6"!&DE3D
;ÿâí F8B5 06E4 A169 4E46
Key fingerprint
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
#140 # #
#140 # #
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßßÈôéS¼÷äõ¼ôøÈùÖë6ôøüé6ùñå]å#håâå
ýíÿ
üãâé)E
è Èòóäð ?Àø ô5@÷âANàó
éüGò<ÈÿHG;
à:6-ýH)ý ÿI=A "!9
:= 6ã)é)èE6ãâä6ûäã-)
ýíÿ
ð
Àÿ ý í
]ö õ¼ôë6ô
ä âõ¼ôë)ôä
ýíÿ
ð Àÿ :Cíâý í ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ
ð À9ÿ :6à ÿà ;%]ö õ¼ôë6ôä âõ¼ôë)ôä
ßßAàâáãâä9çÆä)ôâïì
ß
ß ;óé6ò öéõ¼ôAô âòÖäÖõé ?ñé6áôâêÖé6áù÷ þ J2ý K@î6äüòôøüé6ùõJë)óä
9
äÖîÈïÖé-óä O)áÖäõ¼ôõJë6ù÷ þ Jý<áùóäâëÖîÀïÖë6êÖãâäÖLõ eJë6ù ñé?Aô)ïÖäÖõ6ä
ô)òÖäÖ`õ ø6ãâã êä5÷âóé6FA27
òòÖäâ÷ ê 5ô)ïÖäº998D
øföÖòãÖøâîøÀô<÷ä DE3D
?ë6áã6Q
ô ;W*
Key fingerprint
êá9ô &ä Öëü=ùôAAF19
ôé îüë6òôâáóä2F94
ôâïÖäÀö øÈù ë õÀFDB5
òÖäÖîø¼ëãJóâáã)ä F8B5 06E4 A169 4E46
íâïä)óä<ë)óä<ûä)ó ?ä ºî6ëÖõ6äÖõAøNù ïøâîÀïAôâïÖäõ6ä òÖëÖCî Fä6ôõë)óä
õ6éüáóî6Qä O)áä6ùîÀïºøÈùúôâïø)õèâóé6áò<êÖäî6ë6áõ6äñøÈôºîüë6ùúêä-áõ6äâ÷
?é6óñë&;:âð
ß ýíÿ ð úä)ôâ
ï .:üá
ô .6à .
ýíÿ
åå å "!5ð ä)Àÿôâ
ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ýíÿ
åå "!5ð ä)Àÿôâ
ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ýíÿ
$
"!5ä)ôâ
ýíÿ
$å
"!5ä)ôâ
ýíÿ
$
"!5ä)ôâ
ýíÿ
$
"!5ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
å "!5ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
å $
"!5ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
Tå "!5ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
å )
"!5ä)ôâ
ýíÿ
æ "!5ð ä)ôâÀïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ýíÿ
ô í.6à üé5
.ä) ôâ
å "!5ä)ôâ
ýíÿ
ð =ÀAF19
ÿ :Cíâý FA27
í üé5
ä)ôâ
ï %998D
Nò!ø)îhFDB5
öÖò DE3D
ø)îhöÖ'ò Àô F8B5
âòÖä 06E4 A169 4E46
Key fingerprint
2F94
5ä)ôâï üáô 6à
ýíÿ 5ð ä)Àÿôâï íâüýáô í6à üé5ä)ôâï Nò!ø)îhöÖò ø)îhöÖò Àô âòÖä
åå ýíå ÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
åå ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýå íÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
æ ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ ð Àÿúä)ôâï üáô 6à
fö1ãÖøföøÀô 6ãø]öøÀô
þNöýýíøÈùÿ áôä ð Àÿúä)ôâï ü6áã)é)ô è6à6ãâä6ûäã 6ã)é)àè üÈýòóä ø Öëâ÷
ßßAàâáãâäºåçÆä)ôâïì
ß
ß9;óé6ò öéõ¼ôAô âòÖäÖõé?pøÈùâêÖé6áù÷ þJý4K@î6ä6òôøüé6ùõë)óä
áùóäëÖîÀïë6êãâäÖõlë6ù÷úäÖîÀïé<óä6òãÖøüäõL í)ïÖäÖõ6äAë)óäñî6é6ûä)óäâ÷ ê
ôâïä<èä6ùÖä)óø)îóâáãâäAëãã)é øÈù3è ð)íÿ ðD;<ë6ù÷<àâÿí;
ôóë ??øâîêÖëÖCî FºøÈùôé<ô)ïÖä<ùä)ô Öé)ó F4Mä5÷éü2ù Nô
õÀòäÖîCø ?ø)î6ëãã öä6ùôøüé6ùúäÖîÈïÖé-óä O)áÖäõ¼ôõlêÖäî6ë6áõ6-ä ä5ë6óä
èéÖøÈùè<ôé5ëããâ"é úô)ïÖäÀöñôé<ôâïÖQä Pý 5èë)ôä Öë òâáêãÖøâî
êßøÈùã)ôéÖä)îCóF?äâ÷Jëî6ïÖRä ä)*uóëüäù ÷5ô)ïÖä QÖé6ù Nôöë Fä øÀôAôâïÖä6óä Cø ?5ô)ïÖä úë)óä
ýíÿ
ð úä)ôâ
ï . Sù .üà .å
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"!
.: . .
:C %
' "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E "!
.: . .
Key fingerprint
= AF19
06E4 A169 4E46
9: FA27
; 2F94
998D
, FDB5 DE3D
E F8B5
$
"!
.: . .
9: ; ,
E T
"!
.: . .
9: ; ,
E )
"!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
.: . .
%
)
"!9
:= E
UB E ? @AV
J 6U;WGA
.: . .
"!Q; :
ýíÿ
ýíÿ
ýå íÿ
ýíÿ
ýíÿ
å ýíÿ
å ýíÿ
å ýíÿ
å ýíÿ
æ ýíÿ
å ýíÿ
ýíÿ
ýíÿ
ýíÿ
ýíÿ
ýå íÿ
ýíÿ
ýíÿ
å ýíÿ
å ýíÿ
å ýíÿ
å ýíÿ
æ ýíÿ
å ýíÿ
ýíÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)ôâÀïÿ
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)ôâÀïÿ
5ð ä)Àÿôâï
ð Àÿ
ýù 6íà
ýù 6íà
ýù 6íà
ýù 6íà
ýù 6íà
ý ù íüà
ý ù íüà
ý ù íüà
ý ù íüà
ýù 6íà
ý ù íüà
ý ù íüà
ý ù íüà
6àù ÿ6à à
6àù ÿ6à à
6àù ÿ6à à
6àù ÿ6à à
6àù ÿ6à à
6à ÿù üàà
6à ÿù üàà
6à ÿù üàà
6à ÿù üàà
6àù ÿ6à à
6à ÿù üàà
6à ÿà
øå ä)ôâï Èò!øâîhöò
ø ä)å ôâï Èò!øâîhöò
âå ø ä6ôâï Èò!øâîhöÖò
âø å ä6ôâï Èò!øâîhöÖò
âø ä6ôâï Èò!øâîhöÖò
øâî]öÖò Àô )òÖä
øâîhöÖò Àô âòÖä
ins
f
eta
rr
ho
ut
5,
A
00
-2
00
20
te
tu
sti
In
NS
SA
©
ull
rig
ht
s.
,
' "!
. S. .
,
' $
"!
. S. .
,
' $
"!
. S. .
,
' $
"!
. S. .
,
' $
"!
. S. .
,
' "!
. S. .
,
' T
"!
. S. .
,
' $
"!
. S. .
,
' Key fingerprint
998D FDB5 DE3D F8B5 06E4 A169 4E46
)
"! = AF19
. SFA27
. 2F94
.
,
' "!
. S. .
,
' "!
. S. .
,
' "!
. S. .
,
' "!
. S. .
9: ; ,
E "!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E "!
. S. .
9: ; ,
E T
"!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E )
"!
. S. .
9: ; ,
E "!
. S. .
9: ; ,
E "!
. S. .
9: FA27
; 2F94
998D
, FDB5 DE3D
E F8B5
Key fingerprint
= AF19
06E4 A169 4E46
5ä)ôâï ùS.üà.å
ýíÿ 5ð ä)Àÿôâï 6à ÿùS.üàà; â.ø å ä6ôâï,Èò!øâîhöÖò øâîhöÖòEÀôâòÖä
ýíÿ ð Àÿúä)ôâï
. ùS.üà.å ]öpãÖø]öiøÀô66ãÖø]öiøÀô
þNöýýíøÈùÿ áôä ð Àÿúä)ôâ
ï .6 Sùã)é).üèEà 6ãâä6û.äå ãUB"!&6;ã)àé)èE:6ýÈòóä?ø@AVÿ;
ßßAàâáãâ9ä çÆä)ôâïiå)ì
ßßAÿÖããâ"é ºøÈùôä)ó)ùÖä)ô-ïÖéÖõÀôõôé î6é6ùùÖäî¼ô-ô&é Pý Aèë)ôä Öë NfõlòáêãøâîAøÈùôä6ó?ëÖî6ä-?é)ó ý ðäîL
ß ýíÿ ð 5þø¼÷ )ææ ýíÿ
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò5á÷)ò ¼÷p#å h5å h#å ¼÷äÖõ¼ôøÈùë)ôøüé6E
þøÀ÷ )ææ 0 ù ÈòÖé6óâ3ô $ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ
ð ôë)À9ÿô,ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $ ¼÷!)âææ#å h#å h5å C
?
]
1
ö
¼
õ
ýíÿ
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $å ¼÷!)âææ#å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å _å
"!<à í à ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å hå )
"!<à í à ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ å 0
"!<à í à ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å "!<à í à ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å "!<à í à ýíÿ
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å _å
"!<à í à ýíÿ
ð úä)ôâï_Cå . Sù .üà ..
ýíÿ
)õ¼ôë)ô7
ä ð Àÿ5þ"!5ø¼÷ ä)ôâïiå .) Sùæ.6æ à .ø.ä) ôâï_å ]ö õ¼ôë)ôä
ýíÿ
ð Àÿúä)ôâï_Cå . Sù .üà .. ]ö1ãø]öøÀ%ô üãÖø]öøÀô
)NöøÈùáô
ä "!9
Jÿþþýí5A
ýíÿ
ðð Àÿú5þä)ôâø¼ï_÷ Cå . Sù.üà)ææ h.å . C!Aÿþâþ ýí
ýíÿ
ýíÿ
ð Àÿ :Cíâý í üé5ä)ôâï_&å Nò5á÷)ò ¼÷!#å h#å h5å ¼÷äÖõ¼ôøÈùë)ôøüé6E
þøÀ÷
)ææ]å ù ÈòÖé6óâ3ô $ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ
ð Àÿ ä :Cíâ)ýõ¼ôíë)ô3ä üé5ä)ôâï_"&å !AN,òþø¼$÷ À÷!)âæ5å æ h#å håh#å 0
C?
]ö1õ¼ôë)ô,
ýíÿ
ð Àÿ :Cíâý í üé5ä)ôâï_&å N,ò $å À÷!5å h#å h#å 0
?
]ö1õ¼ôë)ô,
ä âõ¼ôë)ô-ä "!Aþø¼÷)ææhå
ýíÿ
ð =ÀAF19
ÿ :6à ÿFA27
9
à ; 2F94
¼é5ä6ôâïiQ
å Èò5áFDB5
÷)ò ¼÷pDE3D
å h5å h#å F8B5
#
Key fingerprint
998D
06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"!
.
9:
"!
.
)
"!9
:=
J 6U;WGA
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
¼õôÀ÷ë)ôäÖäõ¼ôøNùÖâõÀë)ôôë)øüôéüä3ù'ÈòÖéüóô-$"!5 þø¼÷]ö)ææhå
ýíÿ
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä ¼é5ä6ôâïi"!AQå þÈ,òø¼÷ $ ¼÷!)âææå#hhå#å hå5
C?
]ö1õ¼ôë)ô,
ýíÿ
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä ¼é5ä6ôâïi"!AQå þÈ,òø¼÷ $å ¼÷!)âææ#å hh#åå hå5
C?
]ö1õ¼ôë)ô,
ýíÿ
ð Àÿ5þø¼÷ )ææ h/
å üé5ä)ôâï_å âõ #å h#å h5å _å
"!<à í à ýíÿ
å üé5ä)ôâï_å âõ #å h#å h5å hå )
"!<à í à ýíÿ
å üé5ä)ôâï_å âõ å 0
"!<à í à ýíÿ
å üé5ä)ôâï_å âõ #å h#å h5å "!<à í à ýíÿ
å üé5ä)ôâï_å âõ #å h#å "!<à í à ýíÿ
å üé5ä)ôâï_å âõ #å h#å _å
Key fingerprint
"!<à í à = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ
ð úä)ôâï_Cå .:üá
ô .6à ..
ýíÿ
å üé5.ä).ôâ ï_å ]ö õ¼ôë)ôä
)õ¼ôë)ô7
ä ð Àÿ5þ"!5ø¼÷ ä)ôâïiå .:ü)áæôæ .ühà /
ýíÿ
ô .6à .. ]ö!ãÖø]öøÈBô 6ãÖø]öøÈô
)NöøÈùáô
ä "!9
Jÿþþýí5A
äºåð çÆä)ôâÀïiÿúå)ä)ì ôâï_Cå .:üá
ô .6à .. "!Aÿþþ ýí
ß
ßAÿÖããâ"é AôâïÖä-òáêãÖø)îAøÈùôä)ó ?ëÖî6ä-é ?Aô)ïÖ9ä Pâý Aèë)ôä ë <ôé
î6éüùùÖäÖî¼-ô øÀôâïñé)ôâïä)óºøÈùôä)ó)ùÖä)ô ïÖéõ¼ô7õ ?é)ó ýðâäÖLî þ)äá@óî6óä6òä6ùô<ôôã é*
øÈùô)ïÖøÈôäAøüèë)ë)ôôä7ä FÖäë ø<÷Èùéè-äÖùÖõä)ùÖèé6é)ôñôøüëë)ôî¼ôâøüáÖéüùëãâõLã <÷é<ôâïøâ#õ *
ß ýíÿ ð 5þø¼÷ þ ýíÿ
ð Àÿ ý í ø ä)ôâïiQå Èò5á÷)ò )õ 5å h#å h#å 0
þÀøÀ÷÷äÖõ¼ôþøNùÖ
ë)ôøüéü0'ù ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ
ð
Àÿ ý í ø ä)ôâïiQ
C?
]ö1õ¼ôë)ô,
ä )õ¼ôë)ô3ä å "!AÈ,ò þ$ø¼÷ âþõ #å h5å h#å ýíÿ
ð Àÿ ä ý)õ¼íôë)ô3ä ø ä)ôâïiQå "!AÈ,ò þ$ø¼÷å âþõ #å h5å h#å C?
]ö1õ¼ôë)ô,
ýíÿ
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò5á÷)ò âõñ#å h5å h#å À÷äÖõ¼ôøNùÖë)ôøüéü'
þøÀ÷þ
0ù ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ
ð À9ÿ :6à ÿà ; âø ä6ôâïi"!AQå þÈ,òø¼÷$ þâõ #å h#å h5å C?
]ö1õ¼ôë)ôä,)õ¼ôë)ôä3
ýíÿ
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $å þ âõ #å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ
ð =ÀAF19
ÿ5þø¼÷ FA27
þ 2F94
998D
ø ä)ôâï_
å ¼÷!DE3D
å h#å h5å hF8B5
#
å )
Key fingerprint
FDB5
06E4 A169 4E46
<à í à
ø ä)ôâï_å ¼÷!å hå hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ
ø ä)ôâï_å ¼÷!å hå _å
ø ä)ôâï_å ¼÷!å hå
ø ä)ôâï_å ¼÷!å hå hå
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å ùþ üà å ø ä)ôâï_å ¼÷!å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiþå ù 6à ø å ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å ù üà å ]ö1ãø]öøÀô üãÖø]öøÀô
ýýííÿÿ ðð Àÿú5þä)ôâø¼ï_÷ å ùþ üà hå å Aÿþâþ ýí
ýíÿ ð Àÿ 6à ÿà ¼é5ä6ôâïiå Èò5á÷)ò âõñå hå hå
þÀøÀ÷÷ äÖõ¼ôþøNùÖë)ôøüéü]ù å ÈòÖéüóô ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ]ö1õ¼ð ôë)Àÿôä 6à)ÿõ¼ôàë)ôä ¼é5ä6ôâïiAå þÈòø¼÷ þ âõ å hhåå hå
ýíÿ ]ö1õ¼ð ôë)Àÿôä 6à)ÿõ¼ôàë)ôä ¼é5ä6ôâïiAå þÈòø¼÷ å þ âõ å hhåå hå
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå hå
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å üáþ ô 6à hå å üé5ä)ôâï_å ¼÷!å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiþå üáô ühà å üé5å ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å üáô 6à å ]ö!ãÖø]öøÈô 6ãÖø]öøÈô
ßßAàâýáíÿãâ9ä ð çÆä)ôâÀïiÿúå)ä)ì ôâï_å üáô 6à å Aÿþþ ýí
ß
ßAÿÖããâ"é ºøÈ=ùôAF19
ä)ó)ùÖä)ô-FA27
ïÖéÖõÀôõ2F94
ôé-òøÈ998D
ùèAôâïÖQäFDB5
Pý 5èë)ôä Öë 4XÖä
Key fingerprint
DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"! # # 5
"! # #
"! # #
"! # # 5
"! 0
"! C. S. . C.
7
"!
. S. . .
C. S. . C.
%
)
"!9
:= E
-)% E ? @A BA
Key fingerprint
= AF19 CFA27
. S. 2F94
. C.998D
C! FDB5
DE3D F8B5 06E4 A169 4E46
9: ; Q
# 5 #
'
-$ ,
-
C!
9: ; Q ,$ # # 5
C?
,
3
"!
9: ; Q ,$
# # 5
C?
,
3
"!
/
# # 5 )
"! /
# # 5
"! /
# #
"! /
# #
"! /
# # 5
"! /
0
"! C.: . . C.
/
7
"!
.: . . C.
C.: . . C.
B
)
"!9
:= E
-)% E ? @A BA
C.: . . C.
"!
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ëãâãâé Aôâïø)3õ ?é)óúôäÖõ¼ôøÈùQè Pý î6é6ùâùÖäÖî¼ôøÈûøÀô úøâõõÀáÖäLõ àë6ôä5ãÖø]öøÀôøÈùèAë6òâòãÖøüäÖõôé<ô)ïÖä<òøÈùè<óäO6áÖäÖõ¼ôõYXÖä
ëãÖãâøföãâéøÀAôäâó÷Jä6êòÖúôãÖøü)äÖïÖõäºôé<øNùèôéä)óâêÖùëÖä)&ôî F?*uøÀêóáä ôAÖëôâãïÖRã ä- ô âòäÖõ ëããâé äâ÷Aë)óä
ß ýíÿ
ýíÿ
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò!øâîhöÖò À÷1#å ]#å h#å ä)ô)âïiøâîhCå öÖ. 'ò ùÈô.6âòà Ö-ä . föõ¼ôë)ôä âõÀôë)ô3ä "!
ýíÿ
ð Àÿúä)ôâï_Cå . Sù .üà . ]öpãÖø]öiøÀ6ô 6ãÖø]öiøÀô
õ6äÖî6é6ù
÷ 6ãÖøföøÀEô Èêâáóõ¼3ô $6C!<
:= 6ãâé)>è 6ãâä)ûä-ã )
üãâé)èEÈòóä?ø@ANà
6JÿþþýíBA
ýíÿ
ð
Àÿúä)ôâï_Cå . S
ù .üàô $6C.!A ÿþâþ ]öpýí ãÖø]öiøÀ6ô 6ãÖø]öiøÀô
õ6äÖî6é6ù
÷
6ãÖøföøÀE
ô
Èêâáóõ¼3
ýíÿ
ðúä)ôâï_åC.:üáô
.6à
.
ýíÿ
ð Àÿ :Cíâý í üé5ä)ôâï_&å Nò!ø)îhöÖò ¼÷p#å h5å h#å föõ¼ôë)ô
ä âõÀôë)ô3ä "!
Key fingerprint
ä)ô)âïiøâîhCå öÖ.'ò:üáÈôô âò.6=Öà -ä AF19
. FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ
ð À9ÿ :6à ÿà ; ¼é5ä6ôâïiQå Èò!øâîhöÖò À÷1#å ]#å h#å âøâîhöÖ'
ò
Èô âòÖä)ô)ïiåC.:üáô.6àä . föõ¼ôë)ôä âõÀôë)ô3ä "!
ýíÿ
ô .6à . fö1ãÖøföøÀ%ô 6ãø]öøÀô
õ6äÖî6é6ù
÷
üãâé)E
è Èòóä ?6ø ãÖ@øföANà øÀ
Eô Èêâá6óõ¼3ô J$6ÿþC!<þ ýBí:= A 6ãâé)>è 6ãâä)ûä-ã )
ýíÿ
ð À6ÿúãÖøföä)ôâøÀï_Eô CåÈêâ.á:üáó
ôõ¼.63ô à $6
C!A. ÿþâþ ýfö1í ãÖøföøÀ%ô 6ãø]öøÀô
õ6äÖî6é6ù
÷
ßßAàâáãâä9ç{ãâéì
ßßúëããâ"é úä)ûä)ó âôâïøÈùè<é6ùºã)éé6òêÖëCî F
ß ýíÿ ð ñãâé . Sù .6à .
ýíÿ
ð Àÿ ý í ø-ãâé "!úãâé . Sù .6à .
ýíÿ
ð Àÿñãâé . Sù .6à . fö!ãø]öøÀ6ô 6ãø]öøÀô
)NöøÈùáô
ä "!9
:= 6ã)é)Eè 6ãâä6ûä-ã )%6ã)é)Eè Èòóä ?ø @ANà JÿþþýíBA
ýíÿ
ðð Àÿññãâãâéé ..:ü áSù ô.6à.6
à .. "!<ÿþþ ýí
ýíÿ
ýíÿ
ðÀÿ:Cíâýí üéúãâé "!úãâé.:üáô.6à.
ýíÿ
ð Àÿñãâé .:üáô .6à . ]ö!ãÖø]öøÀ%ô 6ãÖø]öøÈô
)NöøÈùáô
ä
"!9
:= 6ã)é)E
è 6ãâä6ûä-ã )%6ã)é)Eè Èòóä ?ø @ANà Jÿþþ ýB
í
A
ßßA àâýáíÿãâ
9ä ð çèÖãâÀÿñé6êÖãâëéãÖ.ì :üáô .6à . C!<ÿþþ ýí
ß
ß<êãâéÖî F9?âóë)èüöä6ùôLõ Móë6èüöä6ùôäâ÷òÖëÖî Fä)ôõô)ïÖë)ôúë)óä-òÖë)óô
é ?úë6ù5ÿ Dñé)<
ó ð)ý<òÖëÖCî Fä)ô<ôé<ôâïÖQä Pý Aèë)ôä Öë 5ë)óä
ä @î6ä6òôä)2
÷ çÆðääAä)ôâïiålóâáÖãâäÖõYì íâïÖä úë)óä5ëããâé Öä)÷-ôâïÖä)óä
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
êÖôäéâéúî6ë6áã)ë)õ6óäJèôâä&ïÖ?ä5é)óúä@ôé6áóóAë ò ýøÈòÖðäÖäÖõLî ïÖäë)÷ä)óõ%öë-öëFä ôâïÖä-òÖëÖîFä)ô
ß ýíÿ ð Aà .
ýíÿ
ðÀÿ:Cíâýí%Èò!øÈò
C?
C!Aà
.
ýíÿ
ð
Àÿ ý 6
í
Èò1øNò
C?
"!-à .
ýíÿ
ð À9ÿ :6à ÿà ;%Èò!øÈò C? "!Aà .
ýíÿ
ð è À6ÿAãâä)àûäãú.&å 6ãâé)fö!>è Èòãóø]öä ?øÀ6ô ø @,6AVãàø]öÿ =%øÀ9ô )UÈö;øÈùW5áôA ä "!
:= 6ãâé)>
äºåð çèÖãâÀÿAé6êÖàëãÖì . "!&;à :üý
ß
ß ;óé6òñð)ôäëã6ôâï õâî6ë6ùLõ Xé)óüöëãã *ué6òÖä6ùAòÖé)óâôõJ÷âóé6òAêÖë)÷<òëÖîCFä)ôõZ*
9
ïø6ãâäúî)ãâéõ6äâ÷ òÖé)óâôõAõ6ä6ù÷5ë<íþâýAàð)4
óß äõÀòÖé6ùõüä-ë6ù÷JöëFäÖõ ëããòÖé)óôõ-ëüòòÖíäë)ó5íâïéüòÖøâä6õù[ê ãâéÖCî FõôâïÖä<÷äÖõ¼ôøÈùÖë)ôø¼é6ù
ýíÿ
ð =ÀAF19
Aà .å
Key fingerprint
ýíÿ
ð
ýíÿ
ð Àÿÿ :C:Cíâíâýý í%%í ÈÈòúòúôôîÀîÀòò ÈÈôôîÀîÀò''ò CC??ãâãâë)ë)èèõ\õ ÿà&=*ý:ð D * 7C!<àà =R*ýð.Då *0 "!<à.å
ýíÿ
ð Àÿ :Cíâý %í ÈòCó!<é)àôéÖîüé.ãJå ôîÀBò ÈôîÀ'ò C?ãâë)èõð W*ÿþ ]*àð6í * U ]ö õ¼ôë6ôäâõ¼ôë)ôä3
ýíÿ
ð Àÿ :C"!<íâàý %í
.Èå òóé)ôéÖîüéãJôîÀBò ÈôîÀ'ò C?ãâë)èõÿþ ]Aÿþ ]B]ö1õ¼ôë)ôä
)õ¼ôë)ôä7
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò ÀôîÀ'ò C?ã)ë)èõlÿ <
: "!<à .å
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò ÀôîÀ'ò C?ã)ë)èõlÿ &à =*ÿþ ]*ýð D*àð)Rí *Æð W*0 "!<à.å
ýíÿ
ð
Àÿ ý 6
í
Èòóé6ôéÖî6éãôîÀB
ò
ÀôîÀ'
ò
C?ã)ë)èõð W*ÿþ ]*àð)
í
* 7 ]ö õ¼ôë6ô
ä âõ¼ôë)ô3ä C!<à .å
ýíÿ
ð Àÿ "!<ý à 6í .Èòå óé6ôéÖî6éãôîÀBò ÀôîÀ'ò C?ã)ë)èõlÿþ ]úÿþ ]6]öõÀôë)ôä
)õ¼ôë)ô7
ä
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò ÀÀôôîÀîÀ'òò'??ãâãâë)ë)èèõ+õ^ÿ à9=R*ý:ðD *0 7"!<àà=*ýð.Då * "!<à
.å
ýíÿ
ýíÿ
ð À9ÿ :6à ÿà ;%CNò!<óàé)ôéî6.éãå ôîÀ_ò ÀôîÀ'ò ?ãâë)èõð W* ÿþ ]*àð)í * 7 ]ö õ¼ôë6ôäâõ¼ôë)ôä3
ýíÿ
)õ¼ôë)ô7
ä ð À9ÿ "!<:6à ÿà à ;%.å Nòóé)ôéî6éãôîÀ_ò ÀôîÀ'ò ?ãâë)èõÿþ ]Aÿþ ]6]ö õ¼ôë6ôä
ýíÿ
ð ÀÿAà .å ù fö!7ã;ø]öøÀ6ôWGA 6ãø]öøÀ9ô )ÈöøÈùáôä "!&
:= üãâé)Eè 6ã)ä)ûä`ã üãâé)E
è
Èòóä ?ø @ANíþ)ýñðî6ë6B
9ä ð çèÖãâÀÿAé6êÖàëãÖì .å "!&;à :üý
ßßQùóäõ¼ôóøâîÀôäâ÷7ä6êñëÖîî6äÖõâõôé&ä6êSüòÖé6óôëã-õ6ä)óûä6ó
ß ýíÿ ð Aà .
ýíÿ
å h#
ô.øüé6Eù Èòé)ó)ô(õ R*
]ö1õ¼ôë6ôä
)õ¼ôë)ôä7
ýíÿ
Key fingerprint
DE3D
å h#
å 140 =AF19
¼÷äÖõ¼ôøÈFA27
ùë)ôøüé62F94
ù Èòé)ó)ô998D
E
õ R*FDB5
(
]ö1
õ¼ôë6ôä F8B5 06E4 A169 4E46
)õ¼ôë)ôä "!<à
.
ýíÿ ð ÀÿAà. fö!ãø]öøÀô66ãø]öøÀô9)ÈöøÈùáôä"!
ÿþâýþ íýÿ í 6ãâé)ð è À6ÿAãâä)àûäã-)%. 6ãâ"!<é)è>ÿÈòþþóäý?í ø@,Ahà%
ßßQùóäõ¼ôóøâîÀôäâ÷-ðJíý5ëÖîîüäÖõõôé5äÀöëøüã-èë)ôäÖë
ß ýíÿ ð Aà .
ýíÿ
å h#
)õ¼ôë)ôä7
ýíÿ
å h#
)õ¼ôë)ô7
ýíÿ
Key fingerprint
2F94
ð =è À6AF19
ÿAãâä)àûä-ã FA27
.
fö!ãø]ö998D
øÀ6ô 6ãFDB5
ø]öøÀ9ô )DE3D
ÈöøÈùáôF8B5
ä í"! A 06E4 A169 4E46
:= 6ãâé)>
)%6ãâé)>
è
Èòóä ?ø @,Ahà %ÿþþ ýB
ýíÿ
ßßAàâáãâQä Îð çèÖãâÀÿAé6êÖàëãÖì . "!<ÿþþ ýí
ß
ßä @üî6öä6òëô<øüãôè9é ë)ô?äøÀóäë Ö5ëëããã ãâ"é Öäâ÷AëÖîîüäÖõõô&é ?é)ó Öë)ó÷öëÖø6Lã *
9
ß ýíÿ
ð5þø¼÷âæ;
)
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò ]ö5öÖáã6ôøÈòÖé)óô âõ å h5å 14
"!Aþø¼
÷ æ ;
ù )ÈòÖé6óâôgõ $R*
)$R*+$ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å h5å 14
þÀøÀ÷÷äÖõ¼ô
øNùÖë)æô;
)øüéü0'ù ÈòÖéüó-ô $ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ
å h#
å 14ä 0 ¼÷äÖ"!Aõ¼ôþøÈùø¼÷ë)ôøüé6Eù Èòæ ;
é))ó)ô(õ $R*)$R*+$ ]ö õ¼ôë)ôä
)õ¼ôë)ô7
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12
þÀøÀ ý÷÷íäÖÿõ¼
ô
øNùÖë)æð ô;
À)øüÿ5éü0'ù þÈòÖø¼÷ éüó-ô $âæ ;
])ö õ¼ôë)¼ô÷!ä #å hâ5å õ¼hô#å ë)hôå 3ä) "!<à"! í à ýíÿ
ð Àÿ5þø¼÷ âæ ;
) ¼÷!#å h5å h#å å "!<à í à ýíÿ
) ¼÷!å]å#hå#$ "!<àíà
ýíÿ
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ ââææ ;
;
)) ¼¼÷!÷!åå ]]#å#å 1h4#å hhb
å ""!<!<àà íí àà b
ýíÿ
å
ýíÿ
) ¼÷!å]å#) "!<àíà
ýíÿ
ð Aà ..
ýíÿ
ð Àÿ5þø¼÷ âæ ;
) ]ö õ¼ôë6ôä âõ¼ôë)ô3ä "!<à..
ýíÿ
ð >è À6ÿAãâä)àûä-ã )%..6ãâé)>è ]ÈöpòóãÖä ø]?öiø @,øÀ6ô Ahà6ãÖ9ø]öiBøÀ9ô )ÈöiÿþøÈùþ áôýBíä CA !
:
=
6
â
ã
)
é
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
7
:= >
BA
ä9$ðçèÖãâÀÿAé6êÖàëãÖì .. "!<ÿþþýâí
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ß
ß:6óëÖî6ãâä3;ë)ôëüêÖëÖõ6ä-ðâä)óûä)ó5ëããâéÖä)÷-ôé îüé6ùôëÖîÀô
Däâë)óôÖãâëüù÷ ýë¼öä6ùôAðõ¼ôäÀö_õðäÖîÀáóä ýóéÖî6äõõ6é)ó-ûøüë
íß ðSüä6ùîÀóâòôä)÷AîÀïë6ùùÖäãR
ýíÿ
ð Aà .$
ýíÿ
å ]å h8å ðhÀ/
#
å 9ÿ :6¼à÷ÿäÖõ¼àô;%øÈùë)Èòúôøüôé6EùîÀò ÈòÖé))ó)õ7ô 8å ææhæ#å "h!-å à À÷ .$
ýíÿ
ð è À6ÿAãâä)àûä-ã )%.$ 6ãâé)fö!>è Èòãóø]öä ?øÀ6ô ø @,6Ahàãø]öøÀ9ô $%)Èö-øÈ;ùáôWGä"A !
:= 6ãâé)>
9ä )ðçèÖãâÀÿAé6êÖàëãÖì .$ "!&;à:üý
ß
ß ùôä6óâùÖë=7ã AF19
;ðöëÖFA27
õ¼ôä)ó 2F94
îüë6ù ?é)998D
ó Öë6ó÷<FDB5
é6áôõø¼÷DE3D
ä O)áä)óF8B5
Q
øüäÖõôé 06E4 A169 4E46
Key fingerprint
î6ëîÀïøÈù>è üé6ùã 7;ð õ6ä)óâûä)ó5é6ùñäÀöëÖø6ã èë)ôä ë 4 ôºîüë6ù
ëãõ6&é ?é)ó Öë6óQ÷ hé6ùä-áâò÷ë)ôäùé)ôCø ?ø)î6ë)ôøüéüùLõ iÖëÖõ¼ôø¼é6ù
ïÖëÖé7õ õ¼Öôäõãâáã õ6 ä5äÀöëÖø6ãèë)ô"ä Öë 5ëÖõJôâïÖäÖøÀó<òóø]öë6ó Q;ð õ6ä)óâûä)ó
ß ýíÿ
ðAà.)
ýíÿ
å ¼÷!å h5å 14
ù
ÈòÖé6óâ3
ô
$ ]öõÀôë)ô,
ä
âõÀôë)ôä "!
à .)
ýíÿ
ð Àÿ :Cù ÈíâòÖý é6óâ%í 3ô È$ò5 á÷)]òöõÀâôõë)ôå,ä ]#åâõÀh#åôë)hb
åô-ä ¼÷! å "h5å!<14à .)
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $hå À÷
å h#
å
"!-à.)
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å )hå $ À÷
å h#
å
"!-à .)
ýíÿ
å h#
ýíÿ
å h#
å 14"!-0 à ¼÷.)äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ
å h#
ýíÿ
å h#
å
"!-à .)
ýíÿ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå hå À÷
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå hå À÷
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå hå ¼÷
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå hå ]å À÷
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå ¼÷
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå ¼÷
¼÷
ßßAàâýáíÿãâ9ä ð çèÖãâÀÿAé6êÖàëãÖì <ÿþþ ýí
ßßAÿÖããïÖéÖõÀôõJèä)ôAôø]ö&ä ?âóéÀö ôâïÖäÖõ6äúõüä)óûä)óõ
ß ýíÿ ð Aà .
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ å ¼÷
#
)õ¼ôë)ôä7
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ #å h#å ]#å hå $ ¼÷
#
)õ¼ôë)ô7
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å ¼÷
#
)õ¼ôë)ôä7
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ #å h#å ]#å hå $ ¼÷
å)]õ¼#å ôhë)#å ôh7ä8å ) ¼÷"!<äÖõ¼àôøÈùÖ
#
ýíÿ
ð5þø¼÷);4
ýíÿ
)õ¼ôë)ô7
ä ð Àÿ :C"!Aíâýþø¼í÷ âõ )"å ;40 fö õÀôë)ôä
ýíÿ
ð Àÿ :Cíâý í âõ #å h5å h#å hå $ ]ö õ¼ôë6ôä âõ¼ôë)ôä
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
#140 E
Q$ "! .)
9: ;%
8 #$ #140 E
Q$ "! .)
9: ;%
8 #) $ #140 E
Q$ "! .)
9: ;%
8 # 5) #140 E
Q$ "! .)
9: ;%
5 # # $ #140 E
Q$ "! .)
9: ;%
8 #12 #140 E
Q$ "
!
.
)
9: ;%
8 #12 #140 E
Q$ "! .)
9: ;%
8 #12$ #140 E
Q$ "! .)
.)
6
9)
"!
:= >
-)% > ? @,A )%
BA
.) "!
<þø¼÷
ý íÿ ð Àÿ5þø¼÷
à Àý÷íäÖÿõ¼ôøNùÖë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå ]hö1å õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ <þð ø¼÷Àÿ íâý í hå âõ å
ýíÿ <þð ø¼÷Àÿ íâý í hå âõ å hå hå hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
à Àý÷íäÖÿõ¼ôøNùÖë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
]ö õ¼ôë)ôä
ýíÿ ð 5þø¼÷
]ö õ¼ôë)ôä
ßßAàâýáíÿãâ9ä ð çèÖãâÀÿAé6êÖàëãÖì <ÿþþ ýí
ß
ß<êÖëÖõ¼ôøüé6ù<ïÖéÖõÀôõëããâ"é Öäâ÷-ôé áõ6ä øÈùôä)óâùÖëUã ;ðöëÖõ¼ôä)ó
ëÖõ5õ6äÖîüé6ù÷ë)ó 3;ð üöëø6ãèë)ôä Öë *RëÖõ5õ)ãâë)ûä õüä)óûä)ó<ôé
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"!
);4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
);4
:C 0 ,
"!
);4
:C # 5 # $ "!
);4
);4 `
#14
'
,
-
C!
.
);4 `
#14
'
2F94
,FDB5
F8B5
C!
Key fingerprint
= AF19
FA27
998D
DE3D
06E4 A169 4E46
.
);4
9: ; 8 7
"!
)";4
9: ; 5 # # $ 7
"!
)";4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
);4
9: ; 8 7
"!
)";4
9: ; 5 # # $ 7
"!
)";4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
.
6
9)
"!
:= >
-)% > ? @,A %
BA
. "!
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ôßøÈùóôë6ùä)óâõ"ùÖ?ëä6óãõL÷ éÀöëÖøÈù2*ëãã)éÖäâ÷ ôé î6éüùôëÖî¼ôJöëÖõ¼ôä)ó9?é)ó<hé6ùÖä
ýíÿ
ð Aà .
ýíÿ
åhå#$]åð Àÿ¼÷:CäÖíâõ¼ýôøÈ%íùÖë)ôÈòúø¼é6ôù'îÀÈòòÖéüóâô-õ $å]"å#!<hå#àhåb
.¼÷
ýíÿ
åhå#)]åð$ Àÿ¼÷:CäÖíâõ¼ýôøÈ%íùÖë)ôÈòúø¼é6ôù'îÀÈòòÖéüóâô-õ $å ]"å#!<hå#àhåb
.¼÷
ýíÿ
å .¼÷
å h#
å $]å ð Àÿ¼÷:CäÖíâõ¼ýôøÈ%íùÖë)ôÈò5ø¼é6á'ù ÷)ÈòòÖéüóâ-ô õ $å ]"#å !<h#å à hb
ýíÿ
å .¼÷
å h#
å )]å ð$ Àÿ¼÷:CäÖíâõ¼ýôøÈ%íùÖë)ôÈò5ø¼é6á'ù ÷)ÈòòÖéüóâ-ô õ $å ]"#å !<h#å à hb
ýíÿ
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å hà 5å ) .¼÷
ýíÿ
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å hà 5å ) .¼÷
ýíÿ
ÿ¼÷:6äÖàõ¼ÿôFA27
9
øÈàùÖ;%ë)ôÈø¼òú2F94
h#
å h#å ]å $ . À÷ F8B5 06E4 A169 4E46
Key fingerprint
å h#
å $]å ð =ÀAF19
é6'ù ôÈòÖîÀò éüó998D
ô )$õ 5å FDB5
"!<à DE3D
ýíÿ
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 5å h"#å !<h#å à ]å $ . À÷
ýíÿ
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2
$. ¼÷
ýíÿ
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2
$. ¼÷
ýíÿ
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å hà 5å ) .¼÷
ýíÿ
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å hà 5å ) .¼÷
ýíÿ
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 5å h"#å !<h#å à ]å $ . À÷
ýíÿ
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 5å h"#å !<h#å à ]å $ . À÷
ýíÿ
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ
ð =ÀAF19
ÿ :6à ÿFA27
9
à ;%Èò52F94
á÷)ò 998D
)õ 8å h#
å 12DE3D
$ ¼÷ F8B5 06E4 A169 4E46
Key fingerprint
FDB5
å hå#$]å ¼÷äÖõ¼ôøÈùÖë)ôø¼é6ù'ÈòÖéüóô-$ "!<à
.
å ýhí#å ÿ
)]åð$ Àÿ9¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6ù'áÈ÷)òÖò éüóô-)$õ å8"h!<å#1à2
$. ¼÷
ýíÿ 6ãâé)ð >è À6ÿAãâä)àûä-ã )%. 6ãâé)fö!>è Èòãóø]öä ?øÀ6ô ø @,6Ahàãø]öøÀô9%)Èö-øÈ;ùáôWGä"A !
äAæð çèÖãâÀÿAé6êÖàëãÖì . "!&;à :üý
ßßAÿÖããâ"é úð JýAôóëüòõ ÖøÈù ?é)óüöiõ%êÖëÖî F5ô9é JëüùÖë)èäÀöä6ùôúõÀôë)ôøüéüù
ß ýíÿ ð Aà .âæ
ýíÿ
å ¼÷
å h#
ýíÿ
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å h#å hb
å ¼÷
å h#
ýíÿ
å h#
å
"!-à .)æ
ýíÿ
å h#
å
"!-à.)æ
ýíÿ
å h#
ýíÿ
å h#
ýíÿ
å h#
å
"!-à .)æ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å h5å ) ¼÷
å h#
å
"!-à.)æ
ýíÿ
å h#
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12 ¼÷
å h#
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12 ¼÷
å h#
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12$ ¼÷
å h#
å
"!-à.)æ
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
:=
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã-)%.âæ 6ãâé)fö!è>Èòãóø]öä?øÀô6ø@,6Ahàãø]öúøÀô9æ%)ÈöøÈÿùþáþôäýíB"! A
ßßAàâýáíÿãâäºåð çèÖÀÿAãâé6àêëãÖì .âæ "!<ÿþþýí
ßß<êãâéÖî FøÈùèAëîî6äÖõõôéºøÈùôä)óâùÖëãùÖä)ô
ßúßAàâë6ùá9÷ãâä?õøÀôâóïÖä Öë)ô<ëãòÖ3ã ä)ó¼?)öóéÀøÀöô5;ëÖJ
îcîüäÖ õõôé õ6ä)óûä)óõ
ßúß é6ù ;J
cñõÀïÖé6áÖã)÷ êÖä5ëâ÷÷äâ÷AëüêÖé)ûä ýíÿ
ðð À5ÿ þ ø¼ý÷ íâõ å )å h5å )) "!5þø¼÷ å )
ýíÿ
ýíÿ
ðÀÿ ýí âõ åhå514 "!5þø¼÷å)
ýíÿ
ðð ÀÀÿÿ ýý íí ââõõ åå hh5å5å 14)$ ""!5!5þþø¼ø¼÷÷ åå ))
ýíÿ
ýíÿ
ðAà.å
ýíÿ
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ åå )) ¼¼÷!÷!#å#å hh5å5å hh#å#å hå )å ""!<!<àà ..åå
ýíÿ
Key fingerprint
ýíÿ
ðÀÿ5þø¼÷å) ¼÷!å]å#hå#$ "!<à
.å
ýíÿ
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ åå )) ¼¼÷!÷!åå ]]#å#å 1h4#å hhb
å ""!<!<àà ..åå b
ýíÿ
å
ýíÿ
ðÀÿ5þø¼÷å) ¼÷!å]å#) "!<à
.å
ýíÿ
ð Àÿ ý í âõ å h5å )) ¼÷18å "!
à .å ýíÿ
ð Àÿ ý í âõ å h5å 14 ¼÷18å "!
à .å ýíÿ
ð Àÿ ý í âõ å h5å 14 ¼÷18å "!
à .å ýíÿ
ð
Àÿ ý í âõ å h5
å )$ ¼÷18å "!
à .å ýíÿ
ð À9ÿ :6à ÿà ; )õ 8å h#å )) ¼÷!å 0 C!
à .å ýíÿ
ð À9ÿ :6à ÿà ; )õ 8å h#å 12 ¼÷!å 0 C!
à .å ýíÿ
ð À9ÿ :6à ÿà ; )õ 8å h#å 12 ¼÷!å 0 C!
à .å ýíÿ
ð À9ÿ :6à ÿà ; )õ 8å h#å )$ ¼÷!å 0 C!
à .å ýíÿ
ð è À6ÿAãâä)àûäUã B.å 6ãâé)>è]ö!ÈòãÖóäø]ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)Èö7øÈ;ùâáôWGä "A !
:= 6ãâé)>
ýíÿ
ßßAàâáãâäºåðåçèÖÀÿAãâé6àêëãÖì .å C!&;âà :6ý
ß
ß Öäê 6ê5?âôâýòñóéõ6@ä)ó5÷ûä6óéäÖõ õ ëãã-÷øÈóäÖî¼ô î6éüùùÖäÖî¼ôøüé6ù-ôéºøÈùôä)óâùÖä6ô
&
ÖäüS
ß ýíÿ
ð5þø¼÷)âþ;4
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò ]ö5öÖáã6ôøÈòÖé)óô âõ
å h#
å
$]Tå ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóô(õ 'å *aR*+L*
]ö
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
:= >
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
õ¼ôë)ôä âõÀôë)ôä
5þø¼÷ âþ
õ¼å ôýë)hôíå ÿä ]âå õÀð ôë)Àÿ5ôä¼þ÷äÖø¼÷õ¼ôøÈùÖë)5ôâø¼þþé6ùø¼÷ ÈòÖéüó¼ô÷!õ âþå å hå hå hå <à]öí à
ýýííÿÿ ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ ââþþ ¼¼÷!÷!åå hå ]å hå hå å <<à à íí à à
ýýííÿÿ ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ ââþþ ¼¼÷!÷!åå ]]åå hå hhåå <<àà íí àà
ýýííÿÿ ðð Àÿ5Aàþø¼÷ åå âþ ¼÷!å ]å
<à í à
à ýíÿåå ð Àÿ5þø¼÷ âþ ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð 6ãâÀÿAé)è à 6ãâä)ûäãåå 6ãâé)fö1è NòãÖóøföä øÀô ø 6Nàãø]öpøÀô åå NöJøÈùÿáþôþä ýâí
ßßAàâýáíÿãâäºåð çèÖÀÿAãâé6àêëãÖì åå -ÿþþ ýí
Key fingerprint
ßßúëããâ"é Aô=óé6AF19
ß ýíÿ ð áAêÖàãâäÖõÀïÖ.éâé)å ô øÈùè ë6ù âôâïøÈùQè ?âóéÀö øÈùôä)óâùÖëãïÖéÖõ¼ôõ
ýíÿ
ð Àÿ ý 6í föÈò1õ¼ôø)ë)îhöÖôòäââõõÀôë)å ôä30" !Aà.å8
âøâîhöÖò'ÈôâòÖä-
ýíÿ
âøâîhöÖ'
ò Èô âòð ÖÀ-ä ÿ ý 6í föÈò1õ¼ôø)ë)îhöÖôòä ââõõÀôë)#å ôh3ä5å h#å "!Aà .8å ýíÿ
ð
Àÿ ý 6
âøâîhöÖ'
ò Èô âòÖ-ä í föÈò1õ¼ôø)ë)îhöÖôòä ââõõÀôë)å ô3ä ]#å h#å ) "!Aà .8å ýíÿ
âøâîhöÖ'
ò Èô âòð ÖÀ-ä ÿ ý 6í föÈò1õ¼ôø)ë)îhöÖôòä ââõõÀôë)å ô3ä ]#å )1 "!Aà .8å ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ å )õ6é6áóîüS
ä
õ¼ôë)ôäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ #å h#å ]#å õ¼ô)ë)õ6ôé6áä óîüSäâõÀÈôòÖë)é)ôóâ3äô å 4j)"!A$$à$ .¼8å ÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ å h5å h#å )
õ¼ô)ë)õ6ôé6áäóîüSäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ å h5å )1
õ¼ô)ë)õ6ôé6áä óîüSäâõÀÈôòÖë)é)ôóâ3äô å 4j)"!A$$à$ .¼8å ÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
"!-à.å
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ #å h#å ]#å À÷äÖõ¼ôøNùÖë)ôøüéü'
"!-à .å ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å h5å h#å )
3
"!
) ;2
9: ;%
#
$ T '
( '*aR*+L*
3
"!
) ;2
) ;4 # 5 # ) "! ) ;4 # 5 #
"! ) ;4 # #$ "! ) ;4 #14 b"! ) ;4 # # b"! ) ;4 #) "! . C.
) ;4 3
C!
. .
. C.
%
<)
"!9
:= >
-)B E ? 8@,A &
BA
. C. "!
À÷äÖõ¼ô"!-øNùÖàë)ôøüéü.ù'åÈòÖéüóô-
2j$ föõ¼ôë)ôäâõÀôë)ôä
ýíÿ
ðÀÿ ýí6Èòúá÷)ò âõ åhå5)1
À÷äÖõ¼ô"!-øNùÖàë)ôøüéü.'ù åÈòÖéüó-ô 2j$ föõ¼ôë)ôäâõÀôë)ôä
âýøâíîhöÖÿ 'ò
Èôâòð ÖÀ-ä ÿ :C íâý %íföÈò!õ¼ôë)øâôîhöÖä ò âõÀ)ôõ ë)ô8å 3ä "!A à .å8
âýøâíîhöÖÿ 'ò
Èôâòð ÖÀ-ä ÿ :C íâý %íföÈò!õ¼ôë)øâôîhöÖä ò âõÀ)ôõ ë)ô5å 3ä h#å h#å 0
"!Aà .8å âýøâíîhöÖÿ 'ò
Èôâòð ÖÀ-ä ÿ :C íâý %íföÈò!õ¼ôë)øâôîhöÖä ò âõÀ)ôõ ë)ô8å 3ä h#å h5å ) "!Aà .8å âýøâíîhöÖÿ 'ò
Èôâòð ÖÀ-ä ÿ :C íâý %íföÈò!õ¼ôë)øâôîhöÖä ò âõÀ)ôõ ë)ô8å 3ä h#å )1 "!Aà .8å ýíÿ ð Àÿ :Cíâý %í ÈòúôîÀò âõ å 0
)õ¼ôë)õ6ôé6áäóîüSäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å ]#å h#å )
ýíÿ
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å ]#å )1
ýíÿ
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å 0
GC!Aà
.å
ýíÿ
ð Àÿ :Cíâý %í Èò5á÷)ò âõ #å h5å h#å À÷äÖõ¼ôøNùÖë)ôøüéü'
"!-à .å ýíÿ
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å h#å )
"!-à.å
ýíÿ
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å )1
"!-à .å ýíÿ
âøâîhöÖ'
ò Èô âòð ÖÀ-ä 9ÿ :6à ÿàfö;%õ¼Èò!ôë)ôøâäîhöòâõÀôâë)õ ô3äå 0"!A à .8å ýíÿ
âøâîhöÖ'
ò Èô âòð ÖÀ-ä 9ÿ :6à ÿàfö;%õ¼Èò!ôë)ôøâäîhöòâõÀôâë)õ ô3ä#å h#å h5å "!A à .8å ýíÿ
âøâîhöÖ'
ò Èô âòð ÖÀ-ä 9ÿ :6à ÿàfö;%õ¼Èò!ôë)ôøâäîhöòâõÀôâë)õ ô3äå h#å ]#å )"!Aà .8å ýíÿ
âøâîhöÖ'
ò Èô âòð ÖÀ-ä 9ÿ :6à ÿàfö;%õ¼Èò!ôë)ôøâäîhöòâõÀôâë)õ ô3äå h#å 0)1"!Aà .8å ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å )õ6é6áóîüS
ä
õ¼ôë)ôäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ýíÿ
ðÀÿ9:6àÿà;%ÈòúôîÀò )õ å5hå#hå#0
)õ¼ôë)õ6ôé6áäóîüäSâõÀÈôòÖë)é)ôóâä3ô å4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6ù'Èòé)óôU
]ö
ýíÿ ðÀÿ9:6àÿà;%ÈòúôîÀò
)õ å8hå#hå5)
)õ6é6áóîüS
ä
ÈòÖé)óâô å 4j)$$$ ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)óUô ]ö
õ¼ôë)ôä âõÀôë)ô3ä "!Aà .8å ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å )1
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å À÷äÖõ¼ôøNùÖë)ôøüéü'
"!-à .å ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 5å h#å h#å 0
"!-à.å
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å h5å )
À
÷
Ö
ä
¼
õ
ô
N
ø
Ö
ù
éü'ù ÈòÖéüóFA27
ô 2F94
2j$998D
fö
õ¼ôë)ôä DE3D
âõÀôë)F8B5
ôä 06E4 A169 4E46
Key fingerprintë)=ôøüAF19
FDB5
"!-à .å ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å )1
"!-à.å
ýíÿ
ð è À6ÿAãâä)àûä-ã )%.å 6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
äºå ðçèÖÀÿAãâé6àêëãÖì .å C!<ÿþþýí
ß
ûßAß ë6ÿÖóãøü3ãé6áPõ ý Aõ6ä)áóûõ6ä6ø)óî6äÖõõ èä)ôúëÖîîüäÖõõôé øÈùôä6óâùÖëãAõüä)óûä)ó7õ ?é)ó
ýíÿ
ð Aà .å ýíÿ
å $08å ) À÷!8å h#
å $ ¼÷äÖõ¼ôøÈùë)ôøüé6Eù Èòé)óâôõ
æææR*È*+å $L*
]öR*õÀô
ë)$Rô*+ä,R*aâõÀ)ôRæ ë)*+ô)ä-)L*+)Y"*+!<à))Ræ *+$.Rå*a$Y*
)$R*NTå L*
å âR
ýíÿ
å $08å ) À÷!8å h#
R*+'
å *aR*+8å ]ö õ¼ôë)å ô$ä âõ¼ô ë)ô3ä¼÷äÖõ¼ôøÈù"!-ë)ôà øüé6Eù È.òé)å óâôõ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò fö5öáã6ôøÈòé)óô )õ
å $08å ) À÷!8å h#
åR*ÈåL*+$R*+ fö õÀôë)ôå ä,$âõÀôë) ôä-¼÷äÖõ¼ô"øÈ!<ùë)àôøüé6Eù .Èòåé)óâôõ
ýíÿ
ð è À6ÿAãâä)àûä-ã )%.å 6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
äºTå ÚðçèÖÀÿAãâé6àêëãÖì .å C!<ÿþþýí
ßßAÿÖããâ"é AôâïÖäÖõ6äñõ6ä6óûä)óõôé îüé6ùôëÖîÀô õ6äãâäÖîÀôäâ3÷ íâýºõüä)óûä)óõ
ß
Key fingerprint
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ý íÿ ð Aà å
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å hå5hå#hå) ¼÷
â)æõ¼ôë)ôå ä ]å å <à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å hå5hå#hå) ¼÷
å )õ¼ôë)ôä
<à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å h5å h#å hå ) ¼÷
å )õ¼ôë)ôæ ä æ hå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
)å õ¼ôë)ôä hå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
åÀæ)õ¼ôhë)å ôä hå <à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å hFDB5
å h#å hå )DE3D
5
¼÷ F8B5 06E4 A169 4E46
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å h5å h#å hå ) ¼÷
â)æõ¼ôë)ôå ä ]å å <à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
å )õ¼ôë)ôä
<à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
å )õ¼ôë)ôæ ä æ hå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
)å õ¼ôë)ôä hå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
åÀæ)õ¼ôhë)å ôä hå <à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
. T
:C %
#
$ # ) # '
7
"! . T
:C %
#
)$)$ '
7
"! . T
:C %
#
$ 0$ '
7
"! . T
:C %
#
8)2 $)0 '
7
"! . T
:C %
#
T
V
'
7
"! . T
:C FA27
% 2F94 998D
#
Key fingerprint
= AF19
)$ # /
'
7
"! . T
:C %
#
)$ # b
'
7
"! . T
:C %
#
$ b
'
7
"! . T
:C %
#
$ b
'
7
"! . T
:C %
#
$ # ) # '
7
"! . T
:C %
#
)$)$ '
7
"! . T
:C %
#
$ 0$ '
7
"! . T
:C %
#
8)2 $)0 '
7
"! . T
:C %
#
T
V
'
7
"! . T
:C %
#
)$ # /
'
7
"! . T
:C %
#
ýíÿ ð 5þø¼÷ å
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ æ å hå å
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å æ âæ hå
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ å ]å
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!åÀæ hå hå
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ åå hå æ hå
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ åå hå æ håå
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å hå æ håå
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å hå håå
à Àý÷íäÖÿõ¼ôå øNùÖë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå å ]hö1å õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ æ å hå å
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
)$ # b
'
7
"! . T
:C %
# 5 # ) $ b
'
7
"! . T
:C %
# 5 # ) $ b
'
7
"! . T
) V[
9: ; 8 #12 "!
) f[
9: ; 8 #12 "!
) f[
) V[&
$ # 8) #
E
8 3
"!
. T
) V[&
)0$)$
E
8 3
"!
. T
) V[&
$ $ E
8 3
"!
. T
) V[&
)4 $)
E
8 3
"!
. T
) V[&
T
0 T
E
8 3
"!
. T
) V[&
)$0 # 8 '
,
-
C!
. T
) V[&
)$0 # 8 '
,
-
C!
. T
) V[&
$0 '
,
-
C!
. T
) V[&
$0
'
,
-
C!
. T
) V[
9: ; 8 #12 "!
) f[
9: ; 8 #12 "!
) f[
) V[ `
$ # 8) #
E
8 3
"!
.
T
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å æ âæ hå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ å ]å
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!åÀæ hå hå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ åå hå æ hå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ åå hå æ håå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å hå æ håå
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å hå håå
ßßAàâýáíÿãâäºå $ð çèÖÀÿAãâé6àêëãÖì å <ÿþþ ýí
ßßAíäÖîÀïñð6áâòòÖé)óô5ëîî6äÖõõôé ð)ý N]õùÖä õ5õüä)óûä)ó
ß ýíÿ
ðAà.å$
ýíÿ
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å hå ]å ¼÷
8å )hå )1 À÷äÖõ¼ôøNùÖë)ôøüéü'
)õ¼ôë)ô7
ä "!<à .å $ ù ÈòÖéüóôúååÀæ ]ö1õ¼ôë6ôä
ýíÿ
ð è À6ÿAãâä)àûä-ã )%.å $6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå $,)ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
äºå )ð çèÖÀÿAãâé6àêëãÖì .å $ C!<ÿþþ ýí
ß
ß øÀó"ä Öëãã ëüù9÷ é)ó÷ä)ó<àé6áôä)óJöë õ6ä6ù÷úãâé)èâèøÈùè
9
öäõõ6ë)èäõôé î6ä6ùôóëãACõ õ6ãâé)è õ6ä)óâûä)4ó KøÀóä ÖëãLã N]õãâé)èõ
ë)óä<óé6áôäâ÷Aéüáô!øÈôõ-ãâé)èèøNùè øÈùôä)ó ?ëÖîüä í)ïÖä<êé)ó÷ä)ó
óî6éüéÈöáôä&ä)?âó-óïÖéÀöëõJøÀùôéñõ-?ãâé6øÈèóèõ¼ô5øÈùä)è ôâïøNùä)ôóâùÖä)óä)ô?ëÖøNî6ùRä ô*ä)óõ6&é?ëÖî6ä5ä ëããâé ãâé)èõôé
ß ýíÿ ð Aà .å )
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
) V[ `
)0$)$
E
8 3
"!
. T
) V[ `
$ $ E
8 3
"!
. T
) V[ `
)4 $)
'
,
-
C!
. T
) V[ `
T
0 T
E
8 3
"!
. T
) V[ `
)$0 # 8 '
,
-
C!
. T
) V[ `
)$0 # 8 '
,
F8B5
C!
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D
06E4 A169 4E46
. T
) V[ `
$0 '
,
-
C!
. T
) V[ `
$0
'
,
-
C!
. T
. T
%
<)
"!
:= >
-)% > ? @,A T6
BA
. T C!
ýíÿ ðÀÿ:Cíâýí%ÈòúôîÀò âõ å]å#) ¼÷
å hå#"!-]åàå .¼÷åäÖ) õ¼ôøÈùÖë)ôø¼é6ù'ÈòÖéüóô-$åT ]ö õ¼ôë6ôäâõ¼ôë)ôä
ýíÿ ðÀÿ:Cíâýí%Èò5á÷)ò âõ å]å#) ¼÷
å h#å "!-]åàå .¼÷åäÖ) õ¼ôøÈùÖë)ôø¼é6ù'ÈòÖéüóô-$åT ]ö õ¼ôë6ôäâõ¼ôë)ôä
ýíÿ ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 5å h#å h#å ]å $ À÷
å h#å "!-]åà å .¼÷å äÖ) õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 5å h#å h#å ]å $ À÷
å h#å "!-]åàå .¼÷åäÖ) õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 6ãâé)ð >è À6ÿAãâä)àûä-ã )%.å )6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ),)ÈöJøÈÿùâþáþôâä ýBí"! A
äºå ðçèÖÀÿAãâé6àêëãÖì .å) C!<ÿþþýí
Key fingerprint
ß
òÖßAß é6àóô<ä !áäùî¼óô äëø¼÷îÀïÖä6ùë6ôêã)O6Rä áÖ*ä)óõüéøüäõhõöÖôôâòºé<ôâî6ïÖé6ùäAûäÀä6öóëõ6ë)øüã-ôø¼èé6ë)ùôõä ÷Öé6ë 2ù3Nô-øÀïôâïñë6ù4èë ýíÿ
ð Aà .å ýíÿ
ð Àÿ ù :CÈòÖíâéüýóôú%í åÈå òú ôîÀ"ò!-à ¼÷!.å å ]#å 14
ýíÿ
ð À9ÿ ù È:6òÖà éüÿóôúà ;%åå Èòúô"!-îÀò à À÷!.8åå h#å 12
ýíÿ
ð è À6ÿAãâä)àûä-ã )%.å 6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)ÈöJøÈàùâáôdä þâBí"! A
:= 6ãâé)>
ýíÿ
øßâî]öÖ'ò ÈòÖé6óEôð ÈáÀÿAùóà äëÖîNïÖ.ëüêå ã6ä C!<à dþâí Àóä !âäÖî¼Eô 8øÀôâï
ßAß àâáãâäºåçèÖãâé6êëãÖì
ô9ßß é5Jë6ëùÖãë6ãèùÖäÀöä6ôä6Öùôúé)óFAõ¼ô÷ë6ôä)ûøüé6øâùúî6äëõ ãâãâé Öäâ÷-ôé-òä)ó ?é)ó¼ö ð J<ý O)áÖä6óøüäÖõ
ýíÿ
ð Aà .å ýíÿ
ð Àÿ ý 6í ÈòñôîÀò âõ å h5å $ ¼÷!å h5å h#å hå
à
¼÷.äÖåõ¼ôøÈùë)ôøüé6Eù ÈòÖé6óâôñ8å )å ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ
ð Àÿ ý 6í Èòúá÷)ò âõ å h5å $ ¼÷!å h5å h#å hå
ù ÈòÖé6óâôñ8å )å ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
à .å ýíÿ
å h#
å
h#
å
0) ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)ô 8å )å ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!-à.å
ýíÿ
å ]#å h#å "h!-8å à$ .¼÷å äÖ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå )å ]ö õ¼ôë6ôä âõ¼ôë)ôä
#
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
:=
À÷
À÷
À÷
À÷
å hå hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
À÷
å ]å hå h-å à ¼÷å äÖõ¼ôøÈùÖë)ôø¼é6ù ÈòÖéüóôúå å ]ö õ¼ôë6ôä âõ¼ôë)ôä
À÷
À÷
À÷
ßßAàâýáíÿãâäºåÀæð çèÖÀÿAãâé6àêëãÖì å <ÿþþ ýí
ß
ßAíäÖîÀïñð6áâòòÖé)óô<èä)ôõóäÀöé)ôä<ëâ÷¼öiøÈùñëÖîî6äÖõâõôéúëãã
ýßøÈùþ)ôÿâùä)óâùÖïëä)ãóïÖä éÖõ¼ôõ-ëüù÷<ôâïÖä êÖé)ó÷ä)ó<óé6áôä)ó<ûøüëñõõÀï é)ó
ýíÿ
ð5þø¼÷Öæ
ýíÿ
ð ÷Àÿ Öýæ í¼ ÷!å ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!<þø¼
ýíÿ
ð
Àÿ ý í ¼÷!#
å h#å ]#å hå $ ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!<þø¼
÷
Öæ ýíÿ
ýíÿ
ýíÿ
ð Aà .åÀæ
ýíÿ
ýíÿ
ð Àÿ5ä þø¼÷ Ö"!Aæ àh/
å .åÈæâõ å 0$4h5å fö
¼
õ
ô
)
ë

ô
ä
âõÀôë)ô3
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #140$ '
)
,
"! . 9: ;%
8 #$ # #0) E
8)
%
"! . 9: ;%
8 #$ # # # 8$ '
)
"! . 9: ;%
8 #$ #
1
4
0
E
8) FDB5
% F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D
DE3D
"! . 9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #140$ '
)
,
"! . . %
<)
"!
:= >
-)% > ? @,A ,
BA
. C!
õ¼ôýë)ôíÿä
âõÀð ôë)Àÿ5ôä3þø¼÷ Ö"!Aæàhå/.åÈæâõ å]åhå ]ö
ýíÿ
ð Àÿ ý í6Èòúá÷)ò âõ å$140 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6ù'Èòé)óô-$) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
#
)õ¼ôë)ô7
ýíÿ
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
å)]õ¼#å ôhë)#å ôh7ä8å $ ¼÷"!<äÖõ¼àôøÈùÖ
#
ýíÿ
)
¼
õ

ô
)
ë

ô
7
ä
"
<
!
à
.
À
å
æ
ýíÿ
#
)õ¼ôë)ô7
ýíÿ
)õ¼ôë)ô7
ä ð À9ÿ "!A:6à ÿþø¼à÷ ;ÖÀ÷!æ 8å ]ö õ¼ôë)ôä
ýíÿ
ð À9ÿ "!A:6à ÿþø¼à÷ ;ÖÀ÷!æ 5å h#å h#å ]å $ fö õÀôë)ôä
)õ¼ôë)ô7
ä
ýíÿ
ù ÈòÖéüóô(õ $)'å *+ fö õÀôë)ô,ä âõÀôë)ô-ä "!Aþø¼÷Öæ
ýíÿ
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ à .åÈæâõ å 0$12 fö
ýíÿ
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ à .åÈæâõ å 0$4h5å fö
ýíÿ
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ à .åÈæâõ å ]å hå ]ö
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $14 ¼÷
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $14 ¼÷
å]#å h#å "h!-8å à$ .¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ô,ä âõÀôë)ôä
#
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $2h#å ¼÷
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $2h#å ¼÷
å ]#å h#å "h!-8å à$ .¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ô,ä âõÀôë)ôä
#
ýíÿ
ð =ÀAF19
ÿ :6à ÿFA27
9
à ;%Èò52F94
á÷)ò 998D
)õ 8å hå ]å DE3D
F8B5
¼÷ 06E4 A169 4E46
Key fingerprint
FDB5
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
å )õ¼ôë)ôä ¼<÷äÖà õÀôøÈùÖë)ôåÀæøüé6ù'Èòé)óô-$) ]ö õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å8hå]å ¼÷
å ]å hå h-å à ¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6ù'ÈòÖéüóô-$) fö õÀôë)ôä,âõÀôë)ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã åÀæ 6ãâé)è>]ö!ÈòãÖóø]äö?øÀøô%@,Ahà6ãÖø]ö!øÈô<åÀæ,)ÈöJøÈÿùâþáþôâäýíB"! A
ßßAàâýáíÿãâ9ä ð çèÖÀÿAãâé6àêëãÖì åÀæ C!<ÿþþýí
ß
ùÖßAß ä6íô ÖäÖé)îÀïñó F-ð6áâ÷òä)òÖûé)øâóîüô<äÖõèûä)ôøüë-õóôäÀäöã¼ùÖé)ôä)ôä<ëâçN÷¼øÈöiùôøÈùñä)óâëÖùÖîëî6ã äÖé6õâùõã ôìéñY ã)ä)èëÖCî
ýíÿ
ð 5þø¼÷ $$6
ÿ ;4
ýíÿ
ð À9ÿ "!A:6à ÿþø¼à÷;
$)õ$)ÿ8å ;4 $14 ]öõÀôë)ôä
)õ¼ôë)ôä7
ýíÿ
ÿ "!A:6à ÿþFA27
9
ø¼à÷ ;
$2F94
)õ 8å 998D
DE3D
]öõÀôë)F8B5
ôä 06E4 A169 4E46
Key fingerprint
)õ¼ôë)ô7
ä ð =ÀAF19
$)
ÿ ;4 $2h#å FDB5
ýíÿ
ð À9ÿ "!A:6à ÿþø¼à÷ ;
$)õ$)ÿ 8å ;4hå ]å ]ö õ¼ôë)ôä
)õ¼ôë)ô7
ä
ýíÿ
ðAà.
ýíÿ
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å hå $
ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
à .
ýíÿ
ð Àÿ5þø¼÷ $$6
à
À÷äÖ.õ¼ôøNùÖë)ôøüéü'ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å 0$
à .
ýíÿ
ð Àÿ5þø¼÷ $$6
à
. ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å hå $å
à .
ýíÿ
ð Àÿ5þø¼÷ $$6
à
ýíÿ
ð Àÿ5þø¼÷ $$6
à .
ýíÿ
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å hå æ
à
. ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ
ð Àÿ5þø¼÷ $$6
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
0 7
"! .
9: ;%
# # # 8$ "! .
.
:= >
-)%
.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
à
.
ýíÿ ðÀÿ5þø¼÷
$$6ÿ
;4&ÈòúôîÀò
¼÷!å]å0$
à
À÷äÖ.õ¼ôøNùÖë)ôøüéüù'ÈòÖéüóô- ]ö õ¼ôë)ôäâõ¼ôë)ôä3 "!
ýíÿ
ð Àÿ5þø¼÷ $$6
à
ýíÿ
ð è À6ÿAãâä)àûä-ã )%.6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]öøÈ<ô ,)ÈöJøÈÿùâþáþôâä ýíB"! A
:= 6ãâé)>
ýíÿ
ðÀÿAà. C!<ÿþþýí
ßßAàâáãâ9ä åçèÖãâé6êëãÖì
ßßúð)ôë ??3ïÖé î6ë6ùñðð DAô9é ?øÀó"ä Öëãã ë6óäúëããâé Öä)÷ ôé<ôäãüùÖä6ô9?âóéÀö
?øÈóä ÖëãâãJôé-êÖé)ó÷ä6ó<óé6áôä69
ß ýíÿ ð Aà .å ó ?é)óAóäÀöé6ôä<ëâ÷¼öøNùøâõ¼ôóë)ôøüé64ù ýíÿ
ð =ÀAF19
ÿ :Cíâý FA27
%
í Èòú2F94
ôîÀò 998D
âõ #
å hFDB5
å h#å hå )DE3D
5
¼÷!#
å F8B5
h5
å h#å hå06E4
$
Key fingerprint
A169 4E46
À÷äÖõ¼ôøNùÖë)ôøüéüù'ÈòÖéüóô- ]ö õ¼ôë)ôäâõ¼ôë)ôä3
"!<à
.å
ýíÿ
ð Àã ÿA)6à üãâé).EèÈå òóä ?]ö!ø @ãÖø]ANöà øÀ%ô 6ãÖ9å ø]öJøÈ<ô ÿþ)þÈöýøÈùâBí áôA ä "!9
:=
üãâé)E
è
6ã)ä)ûä7
9ä ðçèÖÀÿAãâé6àêëãÖì .å C!<ÿþþýí
ßpß N]î6ë)ôîÀïúëãLã NRóâáÖãâä
ß ýíÿ
ðAà.
ýíÿ
ðð ÀÀÿÿ :C íâý ý í í "!<"!<à à .. ýíÿ
ýíÿ
ðÀÿ9:6àÿà; C!<à.
ýíÿ
ð Àã ÿAGà üãâé).EèÈòóä ?]ö!ø @ãÖø]ANöà øÀ%ô 66ãÖø]ö7øÈ<ô ;)ÈöWGøÈùâA áôä "!9
:=
üãâé)E
è
6ã)ä)ûä`
ßß ýíÿ
ðÀÿAà. C!&;âà:6ý
äÖîÈïÖéºå3<üòóéîõCõüùÖä)ôøÈòûÖøÈò
.?é)óÖë)óâ÷
Yo LhK
VPN Gateway Configuration
/etc/ipsec.conf
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
î6éüù
?øÀè õ6ä6ôâáò
ß<áõ6ä-ôâïÖä<÷ä?ë6áã6ô<óé6áôä øÈùôä)ó?ëÖîüä{øÈùôä)óâùÖä6ôEÈêÖé6áâù÷
ßúëÖõôâïÖä ýðäîAøÈùôä)ó?ëÖî6ä-ëãõ6é
øÈùôä)ó ?ëî6äÖ"õ yHâ÷ä ?ëüáÖã6ôóé6áôä
ß<ßúáäÀöÖõ6òäñã)éõ¼ôäóäÖøâî¼õlô ôéî¼óÖêÖãäñòÖéã)éÖãÖîCøâFCî 4äâ÷AXéüáÖäôº3Öø]öë6öùôAäâ÷ôøüä)ë)ó¼ôöäã"øÈùÖë)ôäâ÷
õ¼ôâóøâî¼ôîÀóÖãüòÖéãøâCî yäÖõ
ßñãâéëâ÷5ëãâã-ô)ïÖäñî6é6ùùÖäî¼ôøüé6ù<÷äÖõî¼óøÈòôøüéüùõ öë)ó Fäâ&÷ ?é)ó
ßúë6áôé5ãâéâëâ÷øÈù2è òã¼áôéãâéâëâ÷ yHõüäë)óîÈï
òã¼áôéÖõ¼ôë)óô yHÖõ6äë6óîÈï
áùCø O)áÖäøÀ=÷"õ AF19
yäõ
Key fingerprint
06E4 A169 4E46
ßAôâïøâõ5øâõJôâïä5÷FA27
ä ?ë6áã62F94
ô *
êáô998D
öë Fä FDB5
øÈô ä @)òDE3D
ãÖøâîøÈ&ô F8B5
?é)ó
ß î)ãâë)óøÀô N]õ õ6ë Fä XÖä<÷é62ù Nôúëãâãâé úë6ù AòÖëÖî Fä)ô-ùÖé)ô
ßöë)ôîÈïøÈùèAë î6é6ùâùÖäÖî¼ôø¼é6ùA÷äÖõâî¼óøÈòôøüé6ùôé<òëÖõõJôâïóéüáèâï
òî6éüùÖßAù ëôâCî HïÖF÷ä-ä)ä ô?è÷ëüë)ä áô?ã6äë6ôÖáëãüô yt ÷)óéüò
ß<ùÖé)ô õ¼ôóøâî¼ôÖã ùÖääâ÷ä)÷ *ä @î6äüò9ô ?é)ó î)ãâë6óøÀô
ô )òÖä yâôâáâùùÖäã
ß<áõ6ä-àð)ÿ<êÖëõ6äâ÷5ë6áôâïä6ùôøâîüë)ôøüé67ù øÀô)ï î6ä)óôø ?øâî6ë)ôäÖõ
ßë6á?ôâïé)9óêyF)äóAèõ6ëÖõäüøÈùÖè ä)óë)ôøüé6ù ç ð)ÿ ]Jýì
<
óFäøÈèâøïÈùôóèôâõüóëÖõøüäÖøÀèõ"Fyäåy HÖîüä)óô
ß<ë6ááôâ
ïõ6QäyäÖõÈð)ò <ý ?é6ó ýðäÖîë6áô)ïÖä6ùôø)î6ë)ôøüéüù
ßöSºõø¼÷äñøâõ<ãâä?)ôBJôâïÖä9?âóäâäÖõÖë6ùñõ6äÖîÀáóøÀô-èë6ôäÖë
ãâä ?âô y#å ]#å h#å ãâä ?âôâùÖä @âôâïÖé6
ò y#å h5å ]5å å
ãâä ?âôø¼÷ yÖõ6äÖîÀáóä Êèø¼ëÖî Àä6ùôä)ó)òóøâõüäLõ Æî6éNö
ãâä ?âôî6ä)óâô yâèë)ôä Öë 2¤òÖäÀö
ß îÀïÖäÖî F õ6é6áóîüä<ëâ÷÷âóäõõé ?<áùÖä6ùîÀó âòôä)÷JòÖëÖî Fä)ôõJéüù ë)óâóøÀûëã
÷ßñø)ãâõ6éë6êëâ÷ãâäâë)î6éüóùóùÖøÀäÖûëî¼ôãøüîÈïé6ù<äCî ÷Fäyü?ùÖøÈé ùøÈôøüé6ùõ ëüáôéÀöë6ôøâî6ëãâã
ë6áôé yëâ÷â÷
ßAíâïÖ&ä ?éãâãâé øÈùè-ôâïóäâä5äüùôóøüäõJë)ó&ä ?)áùî¼ôøüé6ùëãã
ßAóäâ÷)áâù÷ë6ùô óøÀèâïô-ùé [ ù5ôâïÖ9ä ?)áô)áóRä *ô)ïÖä)óäöë
ß<êÖä<èä6ùáøNùÖä ÷Cø ??ä)óä6ùî6äÖõ-øNùñôâïä<ô âòÖäAé ?úëÖîî6äÖõâõ
ßAèóë6ùôäâ÷-ôâïÖäõ6ä èóé6áâòLõ nDä6ùî6ä-ôâïÖäñõ6äüòÖë)óë)ôä
ß5÷ä ?øNùøÀôøüéüùLõ Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßAÿÖãõ6é ùÖé6ôä-ôâïÖë)ôñãâë)óâèäêãâéÖîFõé?AôâïÖäºå$å)
ß<ùÖä)ô é)óF õÀòÖëî6ä óäÀöëÖøÈù[#í)ïøâõ ëããâé"õáõôéúë)÷÷
ß<?ë)óöé)óä<óäÀöé)ôäúî6ãÖøüä6ùôõë6ù÷<ôóäë6ôñäâëÖîÀïúé6ùÖä
ß5ß ÷õÀáCø ê?ù?ä)ä)ôóä6ùôã êñëÖõõøÀèâùøÈùèñøÀô5ôé5ë<òÖë6óôøâîÀáÖãâë)ó
î6éüùóùºøÈèâî6ïé)ô óâyòÖHé6ë6óù ë)ôä
óóøÈøÈèâèâïïôôõÀø¼áâ÷ êyùÖþä)ôyÖRðøÀôâ*oï:øNyù=y åÿRQþ â$ùô]ä)å#ó)1òóøâõ6äZõ *|:C
yþé)óâòé)óë)ôäL*
þy x
ãâãâää ?â?âôôâáõÀáòêâ÷ùÖé ä)
ùô yy48å õî¼hó5å øN0ò$-ô lñë) óâèâá6öä6ùôõlùÖää)÷äâ÷-ôéñõ6ä)ôAáòú÷ âùëÀöøâî7?øÈóäÖëãâãÖøÈùè3?é)ó î6é)óâòé)óë)ôäáõ6ä)óõC
î6éüùóùñøÈèâäâï÷ô øÀyôHé6ë6óù øüëã
óóøÈøÈèâèâïïôôõÀø¼áâ÷ êyùÖþä)ôyÖRðøÀôâ*oï:øNyù=y åÿRQþ â$ùô0ä)ó)1òóøâõ6äZõ *|:C
y÷øÀôé)óøüëYã *
þ y x
î6éüùóãâùºäøÈèâ?âõ6ïôëôõÀãâáyäÖêâHõùÖë6ùä)ô y8å h5å 0$
óøÈèâïôø¼÷ yþ yÖRð *o:y= ÿQþ âùôä)ó)òóøâõ6äZõ *|:C
yðëãâäZõ *uþ y x
óãâäøÈèâ?âïôôõÀáõÀêâáâùÖêùÖä)ôä)ôy8å øÀôâhï5å øN0ù$yå R$01
î6éüùóù øÈèâïí ô yHë6ù
óóøÈøÈèâèâïïôôõÀø¼áâ÷ êyùÖþä)ôyÖRðøÀôâ*oï:øNyù=y åÿRQþ â$ùôuä)4ó)1òóøâõ6äZõ *|:C
yâíäÖîÀïâùøâî6ëãð6áòâòÖé)óô *Rþ y x
ãâä ?âôõÀáêâùÖä)ô y8å 0
î6éüùù Eí Àèë6ôä Öë
óøÈèâïô yHë6ù
óøÈèâïôõÀáâêùÖä)ô øÀôâïøNù yå R$u41
yâíäÖîÀïâùøâî6ëãð6áòâòÖé)óô *Rþ y x
ãâä ?âôõÀáêâùÖä)ô y8å h5å ]5å )
î6éüùù5óäÖõ¼ôóøâî¼ôäâ÷
ô )òÖä yâóä !äÖî¼ô
ãâä ?âôõÀáêâùÖä)ô y8å 0
î6éüùùpøÈùôä)ó)ùÖä)ô
ô )òÖä y)òÖëõõ¼ôâïóé6áè)ï
óøÈèâïôõÀáâêùÖä)ô øÀôâïøNù yå R$018å )
y x *Rþ y x
ãâä ?âôõÀáêâùÖä)ô y00
î6éüùùAòóøÀûë6ôä
ë6áôé yøÀè)ùÖé)óä
î6éüùùAêãâéÖîCF
00
tu
te
/etc/ipsec.d/crls
20
/etc/ipsec.d/cacerts
Crontable entries
ß<áò÷ë6ôäöSºî6ä)óô*Rþ)ÿpî6ä6óôõZ*RþâàõZ*ë6ù÷9Fäõ
{øNùõ6ä)óôúî6éÀööëüù÷-ô9
é ?ä)ôé îÀ9ïÀPóä)ä6óóäøâëâõ÷øÈèâëùãã î¼óÖãAë6ù÷ õ¼ôé)óä
på x<xx øÈòõ6äÖîëüáô,
©
SA
NS
In
sti
oYL
oYL
oYLÆ
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
î6éüùùAòóøÀûë6ôäSüé)ó>âî)ãâäëüó
î6éüùùºî)ãâäë)>ó üé)Eó ÈòóøÀûë)ôä
î6éüùùºî)ãâäë)ó
î6éüùùAòÖëÖCî Fä6ô÷ä ?ëüáã6ô
î6éüùùpøÈùôä)ó)ùÖä)Eô üéüùã
óøÈèâïôø¼÷ y=þð AF19
y"R
ð *o:FA27
y= ÿþQ2F94
âùôä6óâòóøâõüäÖõ"
Key fingerprint
óãâäøÈèâ?âïôôõÀáõÀáâêâêùÖùÖä)ôä)ôyøÀôâïRøh
ù yå R 10 998D FDB5 DE3D F8B5 06E4 A169 4E46
oYLÆz /etc/ipsec.secrets
ßAèë)ô"ä Öë N]õòóøÀûë6ô-ä Fä ?ø6ã)ä
ßúð)ôé)óäâ÷ áùãâéCî Fäâ÷ t ýóé6ôäÖî¼ô<ôâï9ä ?ø6ãâäAë6ù÷
ß5÷øÀóäî¼ôé)ó Q?âóéÀöñêÖäøNùè<óäëâ÷-ê ñë6ù é6ùÖäêáô
ßAóéé)ô t øÀôâï -òÖä)ó¼öiõé6ùñ÷øÀóúë6ù<÷ )-òÖä)ó¼öiõ
ßújuàé6ùð)ÿ<Fòä ó<?øÈûë)ø6ôãâääüt èë)ôäë41Fä
oAEA0 n ~ÎC , : ;E<o * 4)o 6A03
: ; ,Ç <
¡¢£¢g¢8¤)¦È¢¦¥Z§¦¢ ¢¤Ë¥'©i¦È¢¬£E¡'§ ª ©I«¢£¤C¬I#¡R®>¯L¬G¨>°±Z¨¥¦T¤â§²¢£¯L³§â¦T¢´¶µr¯L¤S·G¸¹Ë¯£,º¤¢£¯§¢+¢¦¯I§¡§
¨¦N¢¤£¢£¯R®>º¡R®»§ ª §)§ ¯ ª 8¦ Ë¬§¯ú¥L¥<°0¨¦`¦È§®S³R® ª ¢£º¤¢£§r©>·
ß t üêøÈSù ¼êÖëÖõÀï
üáõ¼
ó õÀêøÈSù üá
ò â÷ë)ô&ä N6á <6ôüöÖò üáò â÷ë)ôä ã)é)è
ðâþ)ÿ yRèâóä66ò Ahàä)ôóø¼ä)ûäâ2÷ fAg6ôüöSò üáò )÷ë)ôä ãâé6è
ôâCø ï?¼ä6ù (A ðâþâÿ 5A t yGAAU
ë?â÷Àø ööøÈëÖù ø6)ã ô)ïÖâä6õ êÖë6AEù F4ïÖéÖ{î6õÀéNôâö ùÖëÀ<ö<ä 6ôüöâSò õÀüïÖáé6ò ó)ô ÷ë)ôòÖäëCî ãâFé)ë)3èèä)á÷òä6÷û ë)üôùEä áA ãâ3ã 9)÷ä)
û üùáãã
àâ
à :6à yRèóä6%ò ANàý J<òÖëÖî Fë)èä5îüé6
ù ?ãÖø)î¼ôAä)óóé)4ó VAU6ô¼öÖSò üá
ò â÷ë)ôä ãâé)Lè
ôâCø ï?¼ä6ù (A à
à :65à A t yGAA`
ë?â÷Àø ööøÈëÖù ø6)ã ô)ïÖâä6õ êÖë6ATùF4óó{î6é6éNó<ö óâ<áù6ùôüøNöùSò è-üááòò )â÷÷ë)ë)ôôää<ãâé6é)pù 3è ïÖ)é÷õ¼ä6ôâû ùÖüëÀùöáä ãâ3ã âõÀ9ïé))ó÷ô ä)
û A üùáãã

`$Ö , A; ½"¾¿¼ÀRÁÂÄÃYÅEÆ5Ç5ÈÉSÅSÊ5Ê2É5ËÅSÊZÌÎÍZÏYË¼Ð>ÑYÏSÊËÓÒÔ2É
ÆZÏZÕ'ÏYË5ËpÊLÏ>Ö5ÑÁSÆ'×ØË>ÏYÙÚYÆÉÖ#ÇÜÛ
Ý#Þ5ß Ò"¾#¾[àáÕ
ÚLÏ>ÖÁ5ÁÖ'âÜà6ÅSÊYÌ¼âLÅ>ÊZÌEâLÏZÕ>ÌÄÌZÏ>ãÉ'ÙEÏYËÒÀYÏYÙ
â5Ê2É'Ù>ÅYÕ¼äYÏSåÁSÆ5Ö
Ý#Þ5ÞLæ
çZÝ à,èZÅ>ÖÉEÁÊLÅZÕêéÊË
Ö2ÉÖ'Ú#ÖYÏëÁ>ìÎí>ÖYÅ>ÊZÌZÅEÆ5ÌËÅSÊZÌÀYÏYÙâ5ÊÁ5Õ5ÁSÈ5Çià
ß5Þ5Þ5ß ÒîZäZÍëÙ5ËSÆRÙÒaÊ2É5Ë
ÖïÒÈLÁSãRð
å5Ú5áÕZÉ'Ù>Å>Ö2ÉEÁÊË5ð
Ê2É'Ë
Ö'å#Ú5áË'ð ÝZÞ5ÞLæ
ç#Ý ðSèéSí>À
S P8 00
ho
rr
eta
ins
f
ull
rig
ht
s.
− 48.pdf.
½ ß ¿òñ
ó5ó5óêô4õSö÷ø5öSùLøûú¹üùÄñ>÷úýüù
þ[öLõ'ÿ'ü
÷Mõ'÷üü
ö÷Zõ÷
5üþ5þ5÷2ÿEöLõEÿ5ü
÷Øö÷øÿ÷Sú¹üù
þ[öRõEÿ'ü
÷L
2õþüEöûö÷øIþYõùRü ü
ÿZõSö÷ öSùEö{÷Zõ
üù!
ô"5ÿ"ú ÿ
ù#ÿù"þ÷[õ%$2öSù2õ'&&(
) ÿù*+%,-EøZÿS þ.*05
5
/ ü
÷[õùRü
12,3*/54êö÷Rø6$7
3
ÿE
ö8
ö5
ù912$3:<;=4>"5ÿ"ú ÿE öLõEÿ5ü
÷ý
à6èYÏ>Ñ>
? ÁSÆ'×ià
è?ià¾@@¶
@ ÒBéÊËÖÉÖ'Ú#ÖLÏëÁSì'R
A Õ'ÏYÙ
Ö#ÆÉ5Ù>ÅZÕÎÅSÊZÌ>R
A ÕEÏLÙ
Ö#ÆLÁ
Ê4É'Ù5Ë
A ÊZÈÉÊRÏ5ÏEÆRË àIéÊ2ÙÒûîZä#Í
'
â#Ö5Ö'å Û8ð5ð#Ë
ÖYÅ>ÊZÌZÅEÆ5ÌËÒÉSÏ5Ï#Ï¶ÒTÁSÆ5ÈRðSÈYÏ>Ö2ÉSÏ#Ï5Ï Ý#Þ#ß ð>ÌLÁSÑ'ÊÕ5Á'ÅEÌRð ÝZÞ5ß Ò"¾#¾ æ ¾@@i
@ ÒaåYÌ5ìïÒ
½C'
B ¿ÎíSÚË>ÅSÊÃYÏSÊ#ÊLÏEÌ5ÇÜÒEY
D ÏYË
ÖåZÆZÅYÙÖÉ'Ù>ÏYË¼ìRÁSÆÑ2É
ÆZÏZÕEÏLË5ËpÊLÏ>Ö5ÑRÁ>Æ'×
Ë>ÏYÙÚZÆÉÖ#ÇÜÒ05
/ üþF4
õùG'
) üù ø4àèRÁãYÏÂ#áRÏEÆ ß5Þ5Þ i
B ÒûîYä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò8Ù'ÁÂ#å#Ú#ÖYÏEÆ'ÑÁSÆLÕSÌÜÒÙ'Á
ÂðåZÆÉÊZÖ5Ö5â2É5Ë'ð ß5Þ#Þ L
B ð Þ à çZÝ ¾ ç à ÝH @
I ¾[à Þ5Þ ÒaâZÖEÂ2ÕÓÒ
)))KJL,2Mö 0$2ö àONÚÕSÇ ß5Þ5ÞEç Ò9ÑÁSÆLÕSÌ'Ñ2É
ÌZÏ>ÑYÅ'Æ5Ì5ÆÉãLÏ¶ÒTÁSÆ5Èià
Ñ É
ÈLÕEÏiÒaÊLÏ>ÖïÒîZä#Í
â#Ö5Ö'åËÓÛTð5ðÑÉÈLÕEÏ¶ÒaÊRÏ>ÖRðSÈEå2Ë'ðSÈEåË5ðFPQYíRDð5ÁÊÕYÉÊRÏÂÅSåðS'Ï>ãLÏSÊZÖÉÌT2¾ýÒ
5,
A
ut
½ç ¿
-2
00
½UIE¿WVLÅ>Ö5Ö'âRÏ>ÑXP#ÅYË
ÖïÒÀ'âRÏ¼ÖÁ
åòËEÏ>ãYÏSÊØË>ÏYÙÚYÆÉÖ#ÇåZÆLÁáÕEÏÂ2ËÁ>ì Ý#Þ5ß Ò"¾5¾
ÑÉ
ÆZÏZÕ'ÏYË5ËÒÀYÏLÙâ5Ê2É'ÙEÅZÕÆZÏSåÁ>Æ'ÖiZ
à YÉ
Æ VRÅEÈEÊLÏ>ÖÜàéÊÙÒEà ß5Þ5Þ'ç ÒûîZä#Í
Ñ5Ñ5ÑïÒfÅRÉ
Æ>ÂRÅEÈ'ÊLÏ>ÖïÒ8Ù5ÁÂÒTðÓÒ#Ò5ÒT5
ð YÉ
Æ VRÅEÈ'ÊLÏEÖïÒVí5ÏLÙÚYÆÉ
Ö#ÇïÒaÔ#â2É
ÖY
Ï QYÅ>åLÏ'Æ ß I¶Ò+åZÌ#ìÜÒ
tu
te
20
00
½ H ¿èÉ×ÉÖLÅWDRÁ>ÆÉ'Ë'ÁãÜàéSÅSÊXPYÁ5ÕSÌEáRÏEÆ5È¶à6ÅSÊZÌ>RYÅ>ã2É
ÌÔLÅEÈEÊLÏ'ÆÜÒzí5ÏYÙÚYÆÉÖ#Ç
ÁSì¼Ö'âRÏzÑYÏ>åêÅZÕ>ÈLÁSÆÉÖ5â'ÂÒ{ÀLÏYÙâ5Ê2É5Ù>ÅZÕ¼ÆZÏSåÁ>Æ'Öià<î#Ê#ãYÏ'ÆRË#ÉÖ#ÇòÁ>ì
à DYÏEÆ'×YÏYÕEÏEÇ¶O
à N>ÅSÊ#ÚLÅEÆ5Ç ß5Þ5Þ ¾ýÒûîZä#Í
[ ÅZÕZÉ
ìRÁSÆEÊ2ÉSÅ Z
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉ'Ë>Å5ÅLÙÒ8Ù5ËÒ+áLÏEÆ'×YÏYÕEÏ'ÇÜÒVÏEÌ'ÚðYÉ'ËEÅ5ÅLÙ'ðSÑYÏ>å æ ìZ
Å \iÒ+â#Ö'ÂÕ Ò
SA
NS
In
sti
½C]'¿òñ
ó5ó5óêô4õSö÷ø5öSùLøûú¹üù%ü'öö÷Rø6,-ZõùRüM ü
ÿZõ>ö÷^*ZùEö_+ZõRüù!`
$4üù2
õ ba25
ö EøE+YõRü
ù !%*c/5ü
÷[õùR
ü 5à%èYÏ>Ñ>?ÁEÏ>×iàè?ià8NÚÕSÇ
ì ARÕ'ÏYÙ
Ö#ÆÉ5Ù>ÅZÕÎÅSÊZ>
Ì ARÕEÏLÙ
Ö#ÆLÁ
Ê4É'Ù5W
Ë A'ÊZÈÉÊLÏ5ÏEÆË à
ß5Þ5Þ ¾ýÒBéÊËÖÉÖ'Ú#ÖLÏëÁS'
éÊÙÒîZä#Í
â#Ö5Ö'å Û8ð5ð#Ë
ÖYÅ>ÊZÌZÅEÆ5ÌËÒÉSÏ5Ï#Ï¶ÒTÁSÆ5ÈRðSÈYÏ>Ö2ÉSÏ#Ï5Ï Ý#Þ#ß ð>ÌLÁSÑ'ÊÕ5Á'ÅEÌRð ÝZÞ5ß Ò"¾ d æ>ß5Þ#Þ ¾ ÒaåYÌ5ìïÒ
©
½ Ý ¿ÍZÅEÆ5Æ5Ç0NÒeDRÕ
Ú5ÊZ×ÄÅSÊYÌ.N'Áâ5ÊÄäïÒgfÁ5Õ5Õ
áZÆYÏYÙâ#ÖïÒEQ'å5åëÏh'ÖYÏSÊ2Ë#ÉáÕEÏ
ÅSÚ#Ö'âLÏ>Ê#ÖÉ'Ù>ÅEÖÉEÁ
ÊÄåZÆRÁÖRÁ#Ù'Á#j
Õ i8Ï5ÅS
å kÒzí>ÖYÅSÊZÌYÅEÆ5Ì¶àIéÊ#ÖLÏEÆEÊLÏ>Ö
A'ÊZÈÉÊRÏ5ÏEÆÉÊYÈÀYÅYË
^
× lLÁSÆRÙEÏÓm
à VLÅEÆRÙâe
¾ @@ Ý ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRÙ ß5ß5Ý'ç Ò+3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ T ß5ß5Ý'ç Ò
½U@E¿XN'Á
â5ÊÃRÁ
â Ò8Õ¼ÅSÊYÌ%DïÒ [ ÕZÉì5ìLÁSÆ5ÌÄèYÏ>ÑEÂRÅSÊÒÀ'âLÏ¼×YÏEÆEáLÏ'ÆLÁ#ËpÊLÏ>Ö5ÑÁSÆ'×
Ê Ë>Ï'Æ'ãÉ'Ù>Ïnifã7I7k ÒoQ#ÆLÁåÁ#Ë>ÏEÌØËÖYÅSÊZÌZÅ'Æ5Ì¶àIéÊ#ÖYÏ'ÆEÊLÏ>Ö
×^lLÁSÆRÙEÏÓà6í5ÏSå#ÖYÏSÂ#áLÏEÆ ¾@@BiÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRÙL¾
I ¾ Þ Ò+Ö3h'ÖS
Ê#Ú'ÂZáLÏ'ÆT2¾I¾ Þ Ò
½"¾ Þ ¿'QYÅ>Ö [ ÅZÕ
âÁÚ5ÊÜàON'Á
â5ÊpN'Á
ÚYÈEâ5ÊLÏEÇiàZA#ÆÉ×qP>Ú#Ö5Ö'ÂRÅSÊÜàrPYÕEÏ>Ê.sYÁSÆEÊÜà%ÅSÊZÌ
N>ÅEÆÉ_Y5Æ'×5×ÁÓÒoRÉSÅÂÏ>ÖYÏEÆáLÅYËEÏzåYÆLÁÖRÁ#Ù5Á5ÕÓÒoQ#ÆLÁåÁ#Ë>ÏEÌØËÖYÅSÊZÌZÅ'Æ5Ì¶à
éÊ#ÖYÏEÆ'ÊLÏ>^
Ö A'ÊZÈÉÊLÏ5ÏEÆÉÊZÈÀYÅYË
^
× lLÁSÆÙ>ÏÓà6í5ÏSå#ÖLÏÂ#áLÏEÆ ß#Þ5Þ BiÒîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRF
Ù BI Ý5Ý Ò+3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ TBI Ý5Ý Ò
[ ÅEÆLÕ{äÉ
ÈEÊRÏEÇ¶à6í>ÖYÏ>ãLÏ{Ô2É'Õ5ÕEÏSÊË àrYLÕ5ÕEÅSÊä'Ú5áRÏSÊË à6ÅSÊZÌÔ2ÉEÕ#ÕZÉSÅÂ
ull
rig
ht
s.
½"¾5¾¿
íLÉÂ#åË5Á
Ê ÒäYÏÂ2ÁÖYÏÅSÚ#Ö'âRÏSÊ#ÖÉ'ÙEÅ>ÖÉEÁ
ÊòÌÉSÅZÕÄÉÊÎÚË>ÏEÆ Ë>ÏEÆ'ã2É'Ù>Ï
iVÆZÅEÌÉÚËk ÒoR#ÆYÅEì'ÖØË
ÖYÅSÊYÌZÅEÆ5Ì¶àéÊ#ÖYÏEÆEÊRÏ>Ö^A'ÊZÈÉÊRÏ5ÏEÆÉÊYÈÀYÅYË
×^lLÁSÆRÙEÏÓà
NÚ5ÊLÏ ß5Þ5Þ5Þ ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRÙ ß'3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ T ß'3
Ý H IiÒ+3
Ý H IiÒ
rr
eta
ins
f
½"¾ ß ¿'DYÏEÆEÊLÅ'Æ5Ì^YEáÁ
áLÅÎÅSÊZÌ>QYÅ>Ö [ ÅZÕâÁ
Ú5Ê Ò{äYÅEÌÉÚ2ËtiTÆZÏÂÁÖLÏ
ÊëÌÉ>ÅZÕêÉÊÚËEÏEÆòË>ÏEÆ'ãÉ5Ù>Ï7kÎËÚ5å5åÁSÆ'ÖÄìLÁSÆ
Ï h'ÖYÏSÊ2Ë#ÉáÕEÏÅSÚZÖ'âLÏSÊ#Ö2É'Ù>Å>ÖÉ'Á
ÊêåZÆLÁSÖRÁ#Ù'Á5j
iÏ5ÅS
å k ÒÎéÊZìLÁSÆ>ÂÅ>ÖÉEÁ
ÊRÅZÕ à
Key fingerprint
= AF19 FA27 2F94 998D FDB5 DE3DÕ F8B5
06E4 A169 4E46
éÊ#ÖYÏEÆ'ÊLÏ>^
Ö A'ÊZÈÉÊLÏ5ÏEÆÉÊZÈÀYÅYË
^
× lLÁSÆÙ>ÏÓà6í5ÏSå#ÖLÏÂ#áLÏEÆ ß#Þ5Þ BiÒîZä#Í
Ù BI]@iÒ+3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ TBI]@iÒ
5,
A
ut
ho
½"¾B'¿%Y5ÆEÚ5ÊLÏLËâ^V2É'ËâZÆYÅÅSÊYÌ¼Ô2É'Õ5ÕZÉSÅÂ0YïÒgY5ÆEáRÅSÚZÈEâ ÒWYEÊØÉÊ2ÉÖÉSÅYÕËEÏYÙÚZÆÉ
Ö#Ç
ÅSÊLÅZÕSÇË#É'ËÎÁSìÖ'âLÏëÉSÏ5Ï5Ï Ý#Þ5ß Ò¾ hòË
ÖYÅSÊZÌYÅEÆ5ÌÜÒpäLÏYË>Ï5ÅEÆÙâåLÅSåLÏEÆià
î#Ê2ÉãYÏ'ÆRË#ÉÖ#Ç ÁS%
ì VLÅEÆ#ÇLÕEÅSÊZÌir
à lZÏSáZÆEÚRÅEÆ5Ç ß5Þ5Þ5ß ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò8Ù5ËÒaÚ5ÂYÌÜÒfÏEÌ'Ú3
ð ÑY
u Å5ÅYðL¾ hÜÒ+åZÌ#ìÜÒ
00
[ ÁÂ5ÂRÏ>Ê#ÖËÎÁ
Ê.v5ÅSÊ ÉÊ2ÉÖÉ>ÅZÕÄË>ÏYÙÚZÆÉÖ#ÇêÅSÊLÅZÕ>ÇRË#É'ËÎÁSìÖ'âLÏëÉSÏ5Ï5Ï
h Ë
ÖLÅSÊZÌZÅEÆ#Ì3v¶Ò{ÀLÏYÙâ5Ê2É5Ù>ÅZÕ¼ÆZÏSåÁ>Æ'ÖiàZlEÚ5Ê#×êíZÁSì5Ö5ÑYÅEÆZÏ àéÊÙÒEà
Ý#Þ5ß Ò"¾ë
½"¾ ç ¿
VLÅEÆRÙâ
00
-2
Ò îZä#Í
ß Þ5Þ#ß û
5
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒE
ì Ú5Ê#× Ò8Ù'ÁÂð>ÆZÅEÌÉÚ2Ë'ð'íZÁ#Õ
Ê2Ë'ðÚ'ÂLÌ5ÆYÏYË
å
É Ë5Ù'ÁÅLÉ
ÆRÁ
ÊLÏ>ÖÄÆZÏYË
åÁ
ÊË>ÏÖRÁpÚ5Ê2É
ãYÏEÆRË#É
Ö#ÇòÁSì¼ÂRÅEÆ5ÇLÕ'ÅSÊZÌxwCË{åRÅSåLÏEÆ¶à
[ '
y ÅSÊ ÉÊ2ÉÖÉ>ÅZÕÄË>ÏYÙÚZÆÉÖ#ÇêÅSÊLÅZÕ>ÇRË#É'ËÎÁSìÖ'âLÏëÉSÏ5Ï5Ï Ý#Þ5ß Ò"¾h
Ë
ÖYÅSÊZÌYÅEÆ5Ì y ÒE#
Q ÆLÁSÌEÚ2Ù
ÖÎá5ÚÕ5ÕEÏEÖÉÊÜà [ É'Ë#Ù'ÁíEÇRË
ÖYÏSÂ2Ë àIéÊÙÒ'àz'
Y ÚZÈEÚË
Ö
te
20
½"¾IE¿
w p.asp.
sti
tu
Ò îZäZÍ
ß Þ5Þ5ß
5
â#Ö5Ö'å 8Û ð5ðÑ5Ñ5Ñ Ò8Ù#É'Ë5Ù5ÁÓÒ8Ù'ÁÂ2ðÑYÅEÆEåð
å#Ú5áÕZÉ5Ù'ðZÙ5Ù5ð
åYÌLðSÑÉ
ÖÙ5ðEÅYÁFB3I Þ ÅSåð
åYÆLÁ>ÌLÕYÉÖðL¾ H'ÝZÞ
p p.htm.
NS
In
½"¾ H ¿¼ÃYÅEÆZÏSÊ^{YÅSÊÕEÏEÇÜÒzÐ>ãLÏEÆ'ãÉSÏEÑïÛ
Ô2É æ ìÉåZÆLÁÖYÏLÙ
ÖYÏEÌêÅYÙ5ÙEÏYË5ËÒpÀLÏYÙâ5Ê2É5Ù>ÅZÕ
ÆZÏSåÁSÆ5ÖiàÔ2É æ l_
É YLÕ5Õ'ÅSÊÙ>Ï¶ÒîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÑÉ æ ìÉ ÒTÁSÆ5ÈRðEÐSåLÏSÊRí5ÏLÙ
Ö2ÉEÁÊðåZÌ#ìLðÔ2É æ lÉ
P
rotectedA ccessO verview.pdf f.
©
SA
½"¾]'¿zÔ2É æ ìÉåZÆLÁSÖYÏYÙ
ÖYÏ'ÌëÅYÙ5Ù>ÏYË#ËÛ
í>Ö#ÆLÁÊZÈ¶à_Ë
ÖYÅSÊYÌZÅEÆ5ÌRË æ áLÅYË>Ï'Ì¶à
ÉÊ#ÖYÏEÆRÁ
åLÏEÆZÅ>áÕEÏ Ë>ÏYÙ
ÚZÆÉÖ#ÇìLÁ>ÆÖÁSÌZÅEÇ3vLËpÑ2É æ ìÉÊLÏ>Ö5ÑÁSÆ'×ËÒ
Ô5â2ÉÖYÏ>åLÅSåLÏEÆiàÔ2É æ lÉ_YLÕ5ÕYÉSÅSÊÙ>Ï àrYEåZÆÉEÕ ß5Þ5Þ BiÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÑÉ æ ìÉ ÒTÁSÆ5ÈRðEÐSåLÏSÊRí5ÏLÙ
Ö2ÉEÁÊðåZÌ#ìLðÔ5â4ÉÖLÏSåRÅSåRÏEÆ
Wi−
F iS ecurity4 − 29 − 03.pdf.
½"¾ Ý ¿òñ
ó5ó5óêô4õSö÷ø5öSùLø^|3}~=&#
& ÿ3~}}KL ñó5ó5óêô4õSö÷Rø#öSùLøûú¹üùÄñ>÷ú¹üSù
þ[öLõEÿ5ü
÷
õ='
÷
ü
ü
2F94
5üþ5998D
þ5
÷2ÿEFDB5
öLõEÿ5ü
÷DE3D
öS÷Rø
ÿ
÷ú¹ü06E4
ù
þ¹öLõEÿ'A169
ü
÷
Lö÷
Key fingerprint
AF19
FA27
F8B5
4E46
Zõ÷q
2õþüEöûö÷øþ<ZõùRü ü
ÿZõSöS÷ØöSùEö{÷Zõüù!
ô"5ÿúýÿ{ù#2ÿ
ù"þ
÷4õ%$2öSù4õ'&&(
)5ÿ
ù>*+%,-EøZÿþ0*
/ ü
÷4õùüp12,3*/5ê
5
4 ö÷Rø6$7
3
ÿE öO
ö
ù12$3:<;=4>"5ÿ"ú ÿEöLõEÿ5ü
÷
*Sþ÷Røþ÷4õ%( ,-EøYÿ þ0*c5
/ ü
÷4õùüp12,3*/5
4 ô#
ùÿZõ=
óY÷L
ö÷"þ÷[õý
à%èZÏ>ÑR
? ÁSÆ5×ià,èi
? à8N ÚÕSÇ ß5Þ5ÞEç ÒBéÊË
ÖÉÖ5Ú#ÖYÏêÁSì
ARÕEÏYÙ
ÖZÆÉ'Ù>ÅZÕÅSÊYÌ%R
A Õ'ÏYÙ
Ö#ÆLÁÊ2É'Ù5Ë'5
A ÊZÈÉÊLÏ#ÏEÆRË àIéÊÙÓÒûîZä#Í
â#Ö5Ö'å Û8ð5ðZÉSÏ5Ï#ÏE
h åÕ5Á>ÆZÏ¶ÒÉSÏ#Ï5Ï¶ÒTÁSÆ#ÈLðFEh åÕ5ðSÖRÁZÙÆYÏYË
ÚÕSÖïÒY
Ë
åY
S É'ËSèEÚ5Â#áRÏEÆ3T ß @ ß#ß @iÒ
ull
rig
ht
s.
½"¾@E¿%Y5ÌZÅÂ í>ÖRÁ
ÊRÏ¶ÒÀ'âLÏnw+Â4É'Ù
âLÅ5ÏZÕw,ã5ÚÕ
ÊLÏEÆYÅSá2ÉEÕZÉ
Ö#ÇÜÒG)#ÿ3K2ÿ$ö÷ZõLà
RYÏYÙ>ÏÂZáLÏEÆ ß5Þ5Þ5ß ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÑÉ æ ìÉåÕEÅSÊRÏ>ÖïÒ8Ù'Á
ÂðZÙ'Á#Õ
Ú5Â#Ê2Ë'ð'ÅEÆ5ÖÉ5Ù'Õ'Ï¶Ò+å5â#åðR¾II H B ß ¾ýÒ
ins
f
½ ß5Þ ¿Îí5ÅSÊZÌ5ÆRÁWP'ÆYÏYÙâ ÅSÊZÌ0N>ÅSÊ2ÉpèÉ×#×YÅSÊLÏSÊÒEY'Ö5ÖYÅLÙ
×ËÎÁ
ÊÑÉ æ ìÉåZÆLÁSÖYÏYÙ
ÖYÏ'Ì
ÅYÙ5Ù>ÏYË#ËÒÔÁSÆ'×ËâÁ
ååZÆZÏLË>ÏSÊ#ÖYÅEÖÉEÁ
ÊÜàBèLÁãYÏÂZáLÏEÆ ß5Þ5ÞEç ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÖEÂÕÓÒ+â5Ú#ÖïÒìÉEðSèLÁSÆ#ÌRËEÏYÙ ß5Þ#ÞEç ð QZÆZÏLË>Ï>Ê#ÖLÅ>Ö2ÉEÁÊË5ðSÈ#ÆZÏLÙâÒaåYÌ5ìïÒ
rr
eta
½ ß ¾¿¼äRÁ
áL=ÏEÆ5AF19
Ö%
V ÁZFA27
Ë
×RÁÑÉ
2F94
ÖÜ
ÒpÔR
Ï5Å>×'ÊLFDB5
ÏLË5ËÄÉÊ
åRÅYË5ËF8B5
å5âYÆZÅYË>06E4
ÏëÙâÁY
É'Ù>Ï 4E46
ÉÊÑ'åLÅ
Key fingerprint
998D
DE3D
A169
ÉÊ#ÖYÏEÆ#ìZÅYÙ>Ï¶Ò{ÀYÏYÙâ5Ê4É'Ù>ÅZÕ¼ÆZÏSåÁSÆ'ÖiàÀ#ÆEÚRí5ÏYÙÚZÆYÏ [ ÁSÆEåÁ>ÆZÅ>ÖÉEÁÊÜà
èLÁãYÏÂZáLÏEÆ ß5Þ5Þ Ü
B ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑÉ
ìÉÊLÏ>Ö'ÊRÏ>ÑËÒ8Ù5ÁÂðEÅEÆÙâ4ÉãLÏYË5ð Þ#Þ5ß'ç I ß Ò+â#Ö'ÂÕ Ò
ho
î#ÊÁSì5ìÉ'Ù#ÉSÅZÕ#ÕSÇ æ Ù#ÉÆRÙÚÕEÅEÖYÏEÌMÙ'Á
åZÇÜÒ
00
5,
A
ut
½ ß5ß ¿¼ÀYÅ>×YÏSâ4É
ÆLÁzÀYÅ>×YÅ>âLÅYËâ2ÉÒÔ5åLÅzåLÅYË5ËZÉãYÏÌÉ'Ù
Ö2ÉEÁ
ÊLÅEÆ#ÇëÅ>Ö5ÖYÅYÙ×
ÁãYÏEÆ'ã2ÉSÏ>ÑïÒÀYÏLÙâ5Ê2É'ÙEÅZÕÆZÏSåÁ>Æ'ÖiàÖÉÊZÇ'åLÏ5ÅSå ÒÙ'ÁÂïà6èRÁãYÏÂ#áRÏEÆ
îZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÖÉÊZÇ'åLÏ5ÅSå ÒÙ'ÁÂðSÌRÁ#Ù#Ë'ðÔQ3Y
P assiveD ictionaryA ttackO verview.pdf.
½ ß B'¿'RRÁ
ÚZÈÔ5â2ÉÖ2ÉÊZÈ¶àä'ÚË#Ë>ÏZÕW{RÁ
ÚË5ÕEÏEÇ¶à6ÅSÊZÌÎèÉSÏYÕ#ËWlZÏEÆ5ÈEÚ2Ë'Á
Ê Ò
ÑÉÖ'âØÙáÙ æ ÂRÅY
Ù i"Ù5ÙÂ k ÒÎéÊZìLÁ>Æ>ÂRÅ>ÖÉ'Á
ÊLÅZÕ à6À'âLÏëéÊ#ÖYÏEÆ'ÊLÏ>Ö
^
× lLÁSÆRÙEÏÓà6í5ÏSå#ÖYÏSÂ#áLÏEÆ ß5Þ5Þ BiÒûîZä#Í
Ù B H ¾ Þ Ò+3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ TB H ¾ Þ Ò
[ Á
Ú5Ê#ÖYÏ'Æ
20
00
-2
ß5Þ5ÞEç Ò
NS
In
sti
tu
te
½ ßEç ¿qEø3
ùRöûñ>÷ú¹üùþ[öLõEÿ'ü÷>$LùRüÿ÷êô[õSö÷Rø5ö>ùLøo$
ÿEöLõEÿ'ü÷G&3(
ô "5ÿúý
ÿ EöLõ'ÿ'ü
÷¼ú¹üù õ 6*
ø ö
÷ EøpóL
÷ ù ¶õEÿ'ü
÷ô4õSöS÷Rø5öSùLn
ø 1C*EóY3
ô 4¹à
èLÁãYÏÂZáLÏEÆ ß5Þ5Þ ¾ Ò9èZÅEÖÉEÁ
ÊLÅYÕëéÊË
ÖÉ
Ö'Ú#ÖYÏêÁSìÄí>ÖYÅSÊYÌZÅEÆ5ÌRËÅ>ÊZÌ
ÀYÏYÙâ5ÊÁ5Õ5ÁSÈ5ÇïÒîZä#Í
â#Ö5Ö'å Û8ð5ð#Ù5ËÆÙÒaÊ2É'ËÖïÒÈLÁãð
å5Ú5áÕYÉ'ÙEÅ>Ö2ÉEÁÊË5ðSìÉå2Ë'ð>ìÉåËL
¾ @]Yð>ìÉåË æ ¾ @]ÜÒaåYÌ5ìïÒ
©
SA
½ß E
I ¿XN>ÅYÙ'Á
ápN'Á
Ê2Ë5Ë'Á
Ê ÒÐSÊÎÖ5âLÏÄËEÏYÙÚZÆÉ
Ö#Ç ÁSìëÙÖ#ÆêÙáÙ æ ÂRÅYÙÒpÀLÏYÙâ5Ê2É5Ù>ÅZÕ
ÆZÏSåÁSÆ5Öià,èZÅ>ÖÉEÁÊLÅZÕêéÊË
Ö2ÉÖ'Ú#ÖYÏëÁ>ìÎí>ÖYÅ>ÊZÌZÅEÆ5ÌËÅSÊZÌÀYÏYÙâ5ÊÁ5Õ5ÁSÈÉ>ÏYË à
ß5Þ5Þ5ß ÒîZäZÍëÙ5ËSÆRÙÒaÊ2É5Ë
ÖïÒÈLÁSãRð [ Æ5Ç'å#ÖRÁÀRÁ#Á5ÕS×É
ÖRð
ÂÁSÌZÏYË5ð
åZÆLÁ
åÁ#Ë>ÏEÌ>Â2ÁSÌZÏYË'ðZÙ5ÙÂð#Ù#ÙÂ æ Å'Ì2¾ ÒaåYÌ5ìïÒ
[ ÒgV2ÉÖÙâRÏZÕ5ÕÓÒ¼í#ÏYÙÚZÆÉ
Ö#ÇêÅSÊLÅZÕSÇË#É'ËÅSÊZÌ
ÉÂ#åZÆLÁSãYÏÂRÏSÊZÖË¼ìLÁSÆòÉSÏ5Ï5Ï Ý#Þ5ß Ò"¾5¾EÉ ÒÄéÊ#ÖYÏEÆ'ÊLÏ>ÖëíZÁ#Ù#É>Ï>Ö#Ç¶àZZ
l ÏSáYÆEÚLÅEÆ5Ç
I ÒîZäZÍ
ß5Þ5Þ ¶
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉ'Ë'Á#ÙÓÒTÁSÆ5ÈLðYÉ'Ë'Á#Ù'ðZÙ'ÁÊZìYÏEÆYÏSÊ2Ù>ÏLË'ðÊZÌË5Ë5ð Þ Z
I ðåZÆRÁ#ÙEÏ5Ï'ÌÉÊZÈË'ðåLÅ>åLÏ'ÆRË5ðSèRYí#í Þ I æ ¾5¾ Þ ]
½ ßH ¿
[ âLÅSÊZÈ'â5ÚLÅ%{YÏÎÅSÊZÌ0N'Á
â5Ê
½ ß ]'¿ÎíSÚË>ÅSÊ^RYÏZÕ'ÅSÊLÏEÇÜÒô*+#ôc/)$LùLöZõEÿEöO*3ÿZ÷þ÷4õ_"&-K-(
ü55ü ! ÿ÷4õ>üêõ )'ü<
ù øÄüúÎ3
ó ¹
õ ù'÷R
ö O+ZõRüS
ù !W$-
ùÿ"<
þ Zõ
ù
ô #ùÿZ=õ Òz
í Y#èZí éÊË
ÖÉ
Ö'Ú#ÖYÏÓà ß#Þ5Þ BiÒîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÈÉSÅYÙÓÒTÁSÆ5ÈLðåZÆZÅYÙ
Ö2É'ÙEÅZÕ#F
ð P [ l'Ôð'íSÚ2Ë>Å>Ê
*
D elaneyG CF W.pdf.
½ ß'Ý ¿XN'Á
â5Ê^fÉSÏEÈYÅ¶ÒÀ'âLÏ{ÂYÇ'Ö'âòÁSìëÁ
åLÏSÊØË'Á
ÚYÆRÙ>ÏëË>ÏYÙÚYÆÉÖ#ÇÜÒ ß5Þ5Þ5Þ ÒûîYä#Í
â#Ö5Ö'å Û8ð5ðZÉÖEÂÅSÊLÅEÈZÏSÂRÏSÊ#ÖïÒVÏ5ÅEÆ'Ö'âZÑYÏ>á ÒÙ'Á
ÂðZË>ÏLÙÚðEÅ'Æ'Ö2É'Ù5ÕEÏiÒaå#â5åðL¾#¾ Þ ] H
6 218512 .
ull
rig
ht
s.
½ ß @E¿'RYÅ>ãÉ
ÌÄÐSáLÅLË>ÅSÊ7ZÁ ÒpÀ'âLÏ{ÂYÇ'Ö'âòÁSìëÁ
åLÏSÊØË'Á
ÚYÆRÙ>ÏëË>ÏYÙÚYÆÉÖ#Ç
ÆZÏ>ãÉ'ËZÉÖYÏEÌÜÒ ß5Þ5Þ5ß ÒûîYä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÌZÏ>ãYÏYÕ5Á
åLÏEÆïÒ8Ù'ÁÂð#Á
åRÏSÊðEÅ'Æ'Ö2É'Ù5ÕEÏiÒaå#â5åð@ Ý B H5ß ¾ýÒ
eta
ins
f
½CB Þ ¿'?YÅ>×RÁãÎäYÏ>×5â#ÖYÏEÆ¶àäRÁáLÏEÆ'ÖVÁ#Ë×RÁÑÉÖ3¶àZRYÅSÊ2É>ÏZÕzÃYÅEÆ5ÆZÏ>Ê5áLÏEÆ5Èià
P#Ï5ÏEÆ'c
Ö N>ÅSÊÄÌZ>
Ï P'ÆLÁ5ÁSÖià6ÅSÊZ>
Ì ARÕZÉEÁÖÍZÏ5Å'ÆÜ_
Ò Y5Ì5Ì5ÆYÏYË5ËÅZÕ5Õ5ÁZÙ>Å>ÖÉEÁÊëìLÁSÆ
åZÆÉãYÅEÖYÏ ÉÊ#ÖYÏEÆ'ÊLÏ>ÖËÒ{äY
Ï \>ÚLÏLË
ÖÄìLÁSÆ [ ÁÂ5ÂRÏ>Ê#ÖËë
¾ @¾ Ý à_éÊ#ÖYÏEÆEÊRÏ>Ö
^
× lLÁSÆRÙEÏÓàû
¾ @@ H ÒûîYä#Í
#
â
5
Ö
'
Ö
å
8
Û
5
ð
ð
5
Ñ
5
Ñ
Ñ
Ò
S
É
>
Ï
#
Ö
ï
ì
T
Ò
S
Á
5
Æ
L
È
>
ð
5
Æ
R
ì
'
Ù
S
ð
#
Æ
ìRÙL
¾ @DE3D
¾ Ý Ò+3
Ö h'F8B5
Ö Ò
Key fingerprint = AF19 FA27 2F94 998D FDB5
06E4 A169 4E46
ho
rr
½CB¾¿ëéÊ#ÖYÏEÆ'ÊLÏ>ÖqYRË5Ë#ÉÈEÊLÏEÌèEÚ'ÂZáLÏEÆRËWYEÚ#Ö5âÁSÆÉÖZÇÜÒ¼íSåLÏLÙ#ÉSÅZÕ æ ÚË>ÏòÉå#ã ç
ÅEÌ5Ì5ÆZÏLË5Ë>ÏYËÒ{äY
Ï \>ÚLÏLË
ÖÄìLÁSÆ [ ÁÂ5ÂRÏ>Ê#Ö'
Ë BBB Þ à_éÊ#ÖYÏEÆEÊRÏ>Ö^A'ÊZÈÉÊRÏ5ÏEÆÉÊYÈ
ÀYÅYË
^
× lLÁSÆRÙEÏÓà ß5Þ5Þ5ß ÒûîYä#Í¼âZÖ5Ö'å ÛTð#ðÑ5Ñ5ÑïÒCÉSÏ>Ö#ìÜÒ8ÁSÆ5ÈLðSÆ#ìRÙ'ðSÆ5ì5
Ù BBB Þ Ò
Ö h5ÖïÒ
5,
A
ut
½CB ß ¿¼äYÏEÌEâLÅEÖÊLÏEÖ5ÑRÁSÆ'×òÁSì#ìZÏEÆÉÊYÈRËÒEQZÆLÁSÌEÚÙÖÌYÏYË5ÙÆÉå#ÖÉEÁ
Êïà,äYÏEÌEâLÅEÖià
éÊÙÒEà ß5Þ5Þ BiÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÆZÏEÌEâRÅ>ÖïÒ8Ù'Á
Âð#Ë'ÁSì5Ö5ÑLÅEÆYÏZð>ÆEâ#Êð#ÁSì#ìZÏ'ÆÉÊZÈË'ð Ò
00
-2
00
½CBB'¿'{RÁÑÎÖRÁÓÛ
íYÙâLÏ'ÌEÚÕEÏÅSÚ#ÖÁÂRÅ>ÖÉ5Ù{Ú5åZÌZÅ>ÖLÏYËÄÉÊÎÑ2ÉÊZÌLÁÑËEh'åÜà<Ñ2ÉÊZÌLÁÑË
ß5Þ5Þ5Þ àBÁSÆÑÉÊZÌRÁÑËË>ÏEÆ'ãLÏEÆ ß5Þ5Þ BiÒÀLÏYÙâ5Ê2É5Ù>ÅZÕ¼ÆZÏSåÁ>Æ'ÖiàmV2É'ÙÆRÁ#Ë'ÁSì'ÖÜà
éÊÙÒEà ß5Þ5Þ BiÒûîZä#Í
â#Ö5Ö'å Û8ð5ð#ËÚ5å#åÁSÆ'ÖïÒaÂ4É'ÙÆLÁZË'ÁSì'ÖïÒÙ'Á
Âð>ÌZÏ'ìZÅ>ÚÕSÖïÒVÅYË
3
å hS#Ë#Ù#É
Ì T'×'
á TÏ>Ê æ Ú
Ë B ß ] Ý B Ý Ò
tu
te
20
½CB ç ¿ÎíZÁSì'Ö5ÑLÅEÆZÏ¼Ú5åZÌZÅEÖYÏëË>ÏEÆ'ãÉ5Ù>ÏYËzÌZÏSåÕ#ÁSÇ>ÂRÏSÊZÖÄÑ'â2ÉÖYÏzåLÅSåRÏEÆÜÒÔ5â2É
ÖYÏ
åLÅSåLÏEÆie
à V2É5ÙÆLÁ#Ë'Á>ì'ÖiàéÊÙÓÒEà ß5Þ5Þ BiÒûîYä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÂ4É'ÙÆRÁ#Ë'ÁSì'Ö Ò8Ù'ÁÂðSÑÉÊZÌRÁÑË ß#Þ5Þ#Þ ðSÑÉÊZÌRÁÑËÚ#åZÌYÅ>ÖLÏZðZËÚ2Ë'ðZËÚ2ËÌYÏSåÕ5Á>Ç>ÂÏSÊZÖïÒVÅYË
å Ò
ß5Þ5Þ BiÒûîYä#Í
In
sti
½CBIE¿%YEáÁ
Ú#ÖÆEâ5ÊÒÀYÏYÙâ5Ê4É'Ù>ÅZÕ¼ÆZÏSåÁSÆ'ÖiàäYÏEÌ'âLÅ>ÖiàIéÊÙÓÒEà
â#Ö5Ö'å Û8ð5ðSÆEâ5ÊÒÆZÏEÌEâRÅ>ÖïÒ8Ù'Á
Âð
âLÏZÕåð'ÅSáÁ
ÚZÖïÒ+3
å h5ÖïÒ
©
SA
NS
½CB H ¿WV2É'ÙâLÅ#ÏZÕzäYÅYËâ Ò6QYÅ'ÆZÅSÊÁZÉÌÎåLÏSÊZÈEÚ4ÉÊ Û
RYÏ>ÖLÏYÙ
ÖÉÊYÈØËÚËåLÏLÙ
Ö
Ö#ÆZÅEì5ìÉ'ÙÒÀYÏYÙ
âèLÁSÖYÏ^@¾[àèLÁãYÏÂZáLÏEÆ ß5Þ5Þ ¾ ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒTÕZÉÊ5
Ú h3ZÁ
ÚZÆ'ÊLÅZÕÓÒ8Ù5ÁÂ2ðEÅ'Æ'Ö2É'Ù5ÕEÏiÒaå#â5åS#ËZÉ
Ì3T çZÝ ] H Ò

Planning, Implementing, and Maintaining a Secure Network

Transcription

Documents pareils

SANS Institute 2000 - 200 5, Author retains full rights.