2005 MTSC UC-7400 Thomas Cheng Aug-2005


1 2005 MTSC UC-7400 Thomas Cheng Aug-2005
Good afternoon, everybody. Welcome back to MTSC UC Training Course. I am Thomas Cheng. Aug-2005

2 2005 MTSC UC-7400 09/13
Topic
14:00-15:20 Universal Communicator – Part I
15:20-15:40 Coffee Break
15:40-17:00 Universal Communicator – Part II
17:00-18:00 UC Exam
18:00 Dinner
The course is divided into two parts with a coffee break between them. At 5 o'clock there is a UC examination, and afterwards we will have dinner.

3 2005 MTSC UC-7400 UC-7400 Series Introduction
Comparisons
New functions and features
iptables introduction / hands-on
OpenVPN introduction / hands-on
Live demo
In this section I would like to introduce our new V1.5 firmware for the UC-7400. This technical training on the UC-7400 has four parts: first an introduction of the new basic features, then in-depth introductions and hands-on sessions on iptables and OpenVPN, and finally two demos on the UC to give you a better understanding of how it works.

4 UC Family Comparisons Hardware and Software

5 Hardware Comparison
Models: UC-7420, UC-7410, UC-7408 (the UC-7400 series) and UC-7110. Where two values are listed, the first is for the UC-7400 series and the second for the UC-7110.
CPU: Intel XScale IXP (clock rate not shown on the slide) / ARM9 32-bit 166 MHz
RAM: 128 MB / 16 MB
Flash: 32 MB / 8 MB
LAN: 10/100 Mbps x 2
Serial ports (RS-232/422/485): 8 / 2
Serial protection: 15 KV ESD on all signals
Flow control: RTS/CTS, XON/XOFF
Speed: 50 bps to (upper limit not shown) Kbps
DI/DO: N/A (UC-7420/7410); DI x 8 / DO x 8 (UC-7408)
USB 2.0 hosts
USB 1.0 client: 1
PCMCIA CardBus x 1
CompactFlash
LCM: 128 x 64 dots
Keypad: 5 keys
Real-time clock: Yes
Buzzer
Reset button: HW reset x 1 / Reset to default x 1; Reset to default x 1 on UC-7410/7420 requires hardware V1.2

6 Software Comparison (UC-7400 Series / UC-7110)
Boot loader: RedBoot V1.92 / Moxa proprietary boot loader
Kernel: MontaVista Linux / uClinux
Protocol stack: ARP, CHAP, PAP, IPv4, ICMP, TCP, UDP, DHCP, FTP, Telnet, SNMPv1/v3, HTTP, NTP, NFS, SMTP, PPP, SSHv1.0/2.0, SSL, OpenVPN / UDP, DHCP, FTP, Telnet, SNMPv1, HTTP, NTP, NFS, SMTP, PPP (no SSH, SSL or OpenVPN)
Flash file system: JFFS2
OS shell: bash V2.05 / mash V0.60.4
Linux command utilities: Busybox V0.60.4
Web server: Apache / Boa
Secure shell: sshd V1.20 / N/A
Network file system: NFS server V2.2
Virtual private network: OpenVPN V2.0
OpenSSL: V0.9.6
Tool chain: Linux and Windows / Linux only
The UC-7400 supports the Windows tool chain.
Note: the SSHv1 protocol has known weaknesses; where the peer supports it, use SSHv2 only.

7 New Functions and Features Introduction
UC-7400 V1.5 Firmware New Functions and Features Introduction

8 UC-7400 V1.5 Firmware – changes from firmware V1.1 to V1.5
Serial port: 230.4 Kbps → 921.6 Kbps (with HW V1.2)
WLAN: 802.11b (Prism 2.0/2.5) → 802.11b (Prism 2.0/2.5) and 802.11g
USB host: N/A → mass storage, plug and play
USB client: no change listed
Reset to factory default button: Yes (with HW V1.2)
Shared memory: Yes
Protocol stacks and utilities added: arp (utility), iptables, OpenVPN, WatchDog API, crontab, upfirm
backupuf → backupfs, bf
minicom → replaced by tip
Directory change: /var
User file system → changed to ramdisk
Apache document root: /usr/html → /usr/www

9 UC-7400 V1.5 Firmware – New Feature Introduction
WatchDog support
Cron support on the system
UART and special baud rate support
System image backup utility "upfirm"
802.11g wireless card support
Tool chain on the Windows platform, including GCC, Glibc and Insight (GDB debug tool)
iptables support
OpenVPN support

10 Watch Dog Timer (WDT)
1. Introduction: The WDT works like a watchdog. It can be enabled or disabled. When the user enables the WDT but the application does not acknowledge it within the ack time, the system reboots. The ack time can be set from a minimum of 50 msec to a maximum of 60 seconds.
2. How the WDT works: The software watchdog (sWatchDog) is enabled when the system boots, and the kernel acknowledges it automatically. A user application can take over the acknowledgement; once it does, a missed ack reboots the system. Put the ack inside the application's main work loop rather than in a separate thread that keeps running while the real work is hung, otherwise the watchdog never detects the hang.
3. The user API: The user application must include <moxadevice.h> and link "moxalib.a".

11 Crontab
1. Introduction: daemon to execute scheduled commands.
2. Description: Cron is started from /etc/rc.d/rc.local. Modify /etc/cron.d/crontab to set up your scheduled applications. Crontab lines have the following fields:
m (minute) 0-59 | h (hour) 0-23 | dom (day of month) 1-31 | mon (month) 1-12 | dow (day of week) 0-6, 0 is Sunday | user | command
3. Example: how to add ntpdate (time synchronisation) to cron so that every day at 05:10 the system synchronises its time from the NTP server (address not shown on the slide) and writes it to the hardware clock:
#vi /etc/cron.d/crontab
# m h dom mon dow user command
10 5 * * * root /usr/sbin/ntpdate ; /sbin/hwclock -w

12 UART and special baud rate support
1. Introduction: The normal tty device nodes are /dev/ttyM0 … ttyM7, and the modem (callout) device nodes are /dev/cum0 … cum7. The UC-7400 supports standard Linux termios control. The Moxa UART device API allows ttyM0 to ttyM7 to be configured as RS-232, RS-422, 2-wire RS-485 or 4-wire RS-485.
2. The function: you must include <moxadevice.h>
#define RS232_MODE 0
#define RS485_2WIRE_MODE 1
#define RS422_MODE 2
#define RS485_4WIRE_MODE 3
ioctl commands: MOXA_SET_OP_MODE, MOXA_GET_OP_MODE

13 UART and special baud rate support
There are two Moxa private ioctl commands for setting up special baud rates: MOXA_SET_SPECIAL_BAUD_RATE and MOXA_GET_SPECIAL_BAUD_RATE. If you use this ioctl to set a special baud rate, the termios cflag is set to a Moxa-specific B value (the exact define is not shown on the slide). Whenever the baud rate read from termios (or returned by tcgetattr()) is that special value, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate.

14 Upgrading the Firmware
New utility Upfirm

15 Upgrading the Firmware
1. Introduction: The UC-7400's boot loader (bios), kernel, mini file system and user file system are combined into one firmware file, which can be downloaded from Moxa's website (www.moxa.com). The firmware file name has the form "uc7400-x.x.x.frm", with "x.x.x" indicating the firmware version. ATTENTION: upgrading the firmware erases all data on the Flash ROM, so back up the user file system and your configuration before you start.

16 Upgrading the Firmware
2. Description: Firmware V1.4.3 and later include a new utility, "upfirm", designed for upgrading the firmware (boot loader, kernel, mini file system, user file system and configuration). If your firmware is earlier than V1.4.3, you can download the utility from the Moxa website.

17 How to upgrade firmware?
Step 1. Enable the RAM disk and change into it:
#upramdisk
#cd /mnt/ramdisk
Step 2. Download the firmware file from the Moxa website into the ramdisk.
Step 3. Use the upfirm command to upgrade the kernel and root file system:
#upfirm uc7400-x.x.x.frm
(See the next slide for the upfirm procedure.)

18 upfirm procedure
#upfirm uc7400-x.x.x.frm
Upgrade firmware utility version 1.0.
To check source firmware file context.
The source firmware file context is OK.
This step will destroy all your firmware. Do you want to continue it ? (Y/N) : Y
MTD device [/dev/mtd6] erase – 100% complete.
Wait to write file . . . Completed 100%
Now upgrade the new configuration file.
Upgrade the firmware is OK. Please press any key to reboot system.
Press any key to reboot system!!
Note! DO NOT power off the UC until the Ready LED is on again. The first boot after a firmware upgrade takes much longer than usual.

19 Setting up the Network Interfaces
IEEE802.11g

20 Configure 802.11g Wireless LAN
Step 1. Unplug the CardBus wireless LAN card first.
Step 2. Configure the default IP setting profile (values not shown on the slide):
# vi /etc/network/interfaces
# 802.11g Gigabyte CardBus wireless card
iface eth0 inet static
address
network
netmask
broadcast

21 Configure 802.11g Wireless LAN
Step 3. Configure the WLAN parameters
#vi /etc/Wireless/RT2500STA/RT2500STA.dat
# Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
# This file is a binary file and will be read on loading rt2500.o module.
#
# Use "vi -b RT2500STA.dat" to modify settings according to your need.
# 1.) set NetworkType to "Adhoc" for using Adhoc-mode, otherwise using Infrastructure
# 2.) set Channel to "0" for auto-select on Infrastructure mode
# 3.) set SSID for connecting to your Access-point.
# 4.) AuthMode can be "OPEN", "SHARED", "WPAPSK", "WPANONE"
# 5.) EncrypType can be "NONE", "WEP", "TKIP", "AES"
# for more information refer to the Readme file.
For anything beyond a lab bench use AuthMode WPAPSK with EncrypType AES (TKIP only where AES is unavailable): OPEN/NONE sends everything in the clear, and WEP keys can be recovered by a passive listener in minutes.

22 Configuring 802.11g Wireless LAN
The settings in "/etc/Wireless/RT2500STA/RT2500STA.dat":
CountryRegion – sets the channels for your particular country/region
WirelessMode – sets the wireless mode
SSID – sets the SSID of the network to join
NetworkType – sets the wireless operation mode (Adhoc or Infrastructure)
Channel – sets the channel
AuthMode – sets the authentication mode
EncrypType – sets the encryption type
DefaultKeyID – sets the default key ID
Key1Str, Key2Str, Key3Str, Key4Str – set the strings for Key1 to Key4
WpaPsk – the WPA pre-shared key
TxBurst – enables or disables TxBurst
TurboRate – enables or disables TurboRate
BGProtection – sets 11b/11g protection (for engineering testing only)
ShortSlot – enables or disables the short slot time
TxRate – sets the TxRate
RTSThreshold – sets the RTS threshold
FragThreshold – sets the fragment threshold

23 Developing Your Application
Windows Tool Chain

24 Agenda Windows Tool Chain Introduction Development Process
Debugging with GDB

25 Windows Tool Chain Introduction
The UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC. The following topics are covered in this section:
Introduction
Installation procedure
Using the BASH shell
GDB debug tool – Insight

26 Windows Tool Chain 1. Operating System: Windows 2000 or Windows XP.
2. Minimum of 500 MB hard disk space.
3. CD-ROM or equivalent.
4. Ethernet to connect with the UC-7400.
5. You must be able to log in as administrator.
6. Use a Windows username without spaces.
7. You will be using a BASH shell window to enter commands.
8. For editing text files, such as configuration files, use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which can cause problems when the files are transferred to a real Linux environment.

27 Development Process
Step 1: Setting up the development environment on the PC (x86)
Step 2: Coding, compiling and debugging on the Windows tool chain
Step 3: Deploying the program to the UC (IXP-422)

28 Step 1: Setting up the Development Environment
Install the Windows tool chain on a Windows 2000/XP PC (x86).
Installation tips:
Default install path: C:\UC
Default text file type: Unix (recommended)
Utilities: Moxa Bash Shell, GDB debug tool – Insight
This process can take from 5 to 30 minutes, depending on the speed of your system.

29 Step 2: Coding, Compiling and Debugging
Write the C/C++ program in the Moxa Bash Shell (PC Windows tool chain).
Compile/link the source code with the tool chain. Compiler path setting: PATH=/usr/local/mxscaleb/bin
Compiling Hello.c

30 Step 3: Deployment – Upload the program to the UC
# ftp (UC address not shown on the slide)
ftp> binary
ftp> put hello-release
Running the program (on the UC-7400):
# chmod +x hello-release
# ./hello-release
Hello

31 Debugging with GDB
PC, Moxa Bash Shell: 1. compile with -ggdb; 3. Insight tool (GDB client); 4. target remote over Ethernet
UC: 2. GDB debug server: # gdbserver :2000 hello-debug

32 Debugging with GDB
Step 1. PC, Moxa Bash Shell: compile the program with the -ggdb option, then upload it to the UC.
Step 2. UC: start hello-debug under gdbserver:
# chmod +x hello-debug
# gdbserver :2000 hello-debug
Process hello-debug created; pid = 206
Summary:
1. UC: gdbserver :2000 /hello/hello-debug &
2. PC: GDB open hello-debug
3. PC: GDB connect to: a. GDBserver/TCP, b. the UC's IP address (not shown on the slide), c. port 2000
Note: gdbserver performs no authentication; anyone who can reach TCP port 2000 can take control of the debugged process. Use it only on an isolated development network and stop it when you are done.

33 Debugging with GDB
Step 3. PC, Insight: run the GDB client
Open the hello-debug file
Connect to target: GDBserver/TCP, port 2000
Summary:
1. UC: gdbserver :2000 /hello/hello-debug &
2. PC: GDB open hello-debug
3. PC: GDB connect to: a. GDBserver/TCP, b. the UC's IP address (not shown on the slide), c. port 2000

34 iptables Introduction

35 Agenda
Quick view of iptables
Rules → Chains → Tables
Usage of iptables
Hands-on practice

36 1. Quick View of iptables
A user-space command to set up and maintain the "Netfilter" subsystem of the kernel. Netfilter's standard matches examine packet headers (and connection state), not the payload. iptables is currently one of many firewall/NAT solutions; it is the administration tool for setting up, maintaining and inspecting the tables of IP packet filter rules in the Linux kernel.
Speaker notes on NFS daemons (unrelated to iptables):
rpc.nfsd: manages whether a client is allowed to log in to the host, including checking the identity (ID) of the user who logs in.
rpc.mountd: manages the NFS file systems. After a client has passed rpc.nfsd and logged in, before it can use the files the NFS server provides it goes through a file permission check (the -rwxrwxrwx, owner and group bits); mountd reads the NFS configuration file /etc/exports to compare the client's permissions, and once that passes the client can use the NFS files. (This is also where we manage the permissions and security settings of shared NFS directories.)
The NFS daemons: rpc.nfsd receives remote requests and turns them into local requests; rpc.mountd handles mount and unmount requests; rpc.portmapper maps remote requests to the NFS daemon's process ID; rpc.rquotad provides user disk quota management; rpc.statd handles locks when a remote host restarts; rpc.lockd provides lock recovery after a system restart.

37 1. Quick View of iptables Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a “target”, which may be a jump to a user-defined chain in the same table.

38 1. Quick View of iptables – 3rd-generation firewall on Linux
"ipfwadm" on Linux kernel 2.0.x
"ipchains" on Linux kernel 2.2.x
"ipchains" / "iptables" on Linux kernel 2.4.x
"iptables" on Linux kernel 2.6.x
Supports basic packet filtering as well as connection state tracking.
The UC-7110/7400 support only "iptables".

39 Agenda
Firewall, NAT and iptables
Rules → Chains → Tables
Usage of iptables
Hands-on practice

40 2.) Rules, Chains and Tables
2-1 First Match 2-2 Three Major Tables 2-3 Processing Packets 2-4 State Machine

41 2-1 First Match – The Highest Priority
Diagram: Packet → Rule 1? (yes → Action 1; no ↓) → Rule 2? (yes → Action 2; no ↓) → … → Rule 10? (yes → Action 10; no ↓) → Default Policy
Every firewall mechanism works by analysing packets against a set of rules that decide whether each packet may pass and what is to be done with it. iptables is the same: it analyses a packet against the rules in order. Suppose we have ten firewall rules and a packet arrives from the Internet wanting to enter our host. How does the firewall analyse it? The diagram above shows it. Rule means a rule, and the rules are ordered; Action means what is done with the packet, normally ACCEPT or DROP. What does "ordered" mean? If the TCP packet matches Rule 1, Action 1 is carried out and the rules from Rule 2 onward are never looked at. If it does not match Rule 1, it is checked against Rule 2, and so on. If it reaches Rule 10 without any rule matching, the default action (the chain policy) decides whether the packet passes. So a wrong ordering of rules causes real trouble. Example: your Linux host provides a WWW service, so you naturally open port 80. You also notice that one particular source IP (left blank on the slide) keeps trying to break into your system, so you want to reject it. Finally, all non-WWW packets should be dropped. How should these three rules be ordered? Rule 1 blocks that IP; Rule 2 lets WWW request packets through; Rule 3 drops everything else. That order meets the requirement. But if you get it wrong, with Rule 1 letting WWW packets through and Rule 2 blocking the IP, then that host can still use your WWW service: as soon as it sends a WWW request packet to your host, the first rule lets it through and the second rule is never considered. Now think again: if Rule 1 were "drop all packets" and Rule 2 "let WWW packets through", could a client use the WWW service? The answer is no.

42 2-1 First Match
On a WWW server, reject the attack from a given IP (left blank on the slide).
Correct order:
Rule 1: drop the packets from that IP
Rule 2: accept WWW request packets from all hosts
Rule 3: drop all non-WWW packets
Wrong order:
Rule 1: accept WWW request packets from all hosts
Rule 2: drop the packets from that IP
Rule 3: drop all non-WWW packets
With the wrong order that host can still use the WWW service, or attack the WWW service port.
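The rule ordering on slides 41 and 42 can be checked without touching a live firewall. The following is an added example for this page, not code from the Moxa slides: a small model of first-match evaluation for one chain, with the three orderings from the slides applied to the same sample packets. The attacker address 192.0.2.10 and the client address 198.51.100.7 are constructed, because the slides leave the addresses blank.

```python
"""First-match evaluation of one iptables chain (slides 41 and 42).

Rules are checked in order, the first match decides, and the chain's default
policy only applies when no rule matched. Sample addresses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"


# A rule is (name, match function, verdict)
Rule = Tuple[str, Callable[[Packet], bool], str]


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, name of the rule that fired); the name is None when the
    packet fell through every rule and the chain policy decided."""
    for name, match, verdict in chain:
        if match(pkt):
            return verdict, name  # later rules are never consulted
    return policy, None


ATTACKER = "192.0.2.10"  # constructed; the slide leaves the address blank


def from_host(ip: str) -> Callable[[Packet], bool]:
    return lambda p: p.src == ip


def is_www(p: Packet) -> bool:
    return p.proto == "tcp" and p.dst_port == 80


def not_www(p: Packet) -> bool:
    return not is_www(p)


# Slide 42, correct order: block the attacker before opening port 80.
GOOD_ORDER: List[Rule] = [
    ("drop attacker", from_host(ATTACKER), "DROP"),
    ("accept www", is_www, "ACCEPT"),
    ("drop non-www", not_www, "DROP"),
]

# Slide 42, wrong order: the ACCEPT for port 80 fires first, so the attacker's
# web requests never reach the DROP rule.
BAD_ORDER: List[Rule] = [
    ("accept www", is_www, "ACCEPT"),
    ("drop attacker", from_host(ATTACKER), "DROP"),
    ("drop non-www", not_www, "DROP"),
]

# Slide 41's closing question: a catch-all DROP placed first shadows everything.
DROP_FIRST: List[Rule] = [
    ("drop all", lambda p: True, "DROP"),
    ("accept www", is_www, "ACCEPT"),
]

SAMPLE: Dict[str, Packet] = {
    "attacker->80": Packet(ATTACKER, 80),
    "client->80": Packet("198.51.100.7", 80),
    "client->22": Packet("198.51.100.7", 22),
}


def verdicts(chain: List[Rule], policy: str = "ACCEPT") -> Dict[str, str]:
    """Verdict for each sample packet under the given chain and policy."""
    return {name: evaluate(chain, policy, p)[0] for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, chain in (("good", GOOD_ORDER), ("bad", BAD_ORDER), ("drop-first", DROP_FIRST)):
        print(f"{label:10s} {verdicts(chain)}")
```

Running it prints the verdicts per ordering: only GOOD_ORDER drops the attacker's web request while still serving the client, BAD_ORDER lets the attacker reach port 80, and DROP_FIRST serves nobody.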

43 2-2 Three Major Tables: Filter Table, NAT Table, Mangle Table
The diagram on the first-match slide is in fact one chain of one iptables table. Picture it this way: iptables rules are written in tables, and each table is divided, according to the path a packet takes, into roughly three chains: incoming, outgoing and forwarded. Two built-in tables are used all the time: filter, which concerns the host itself, and nat, which concerns hosts behind the firewall. Each has three chains:
filter (the default table, concerned with the local Linux host): INPUT, packets that want to enter our host; OUTPUT, packets our host sends out; FORWARD, packets that have little to do with the host itself and are passed on to machines behind it; this chain is closely related to the nat table.
nat (settings of a NAT gateway): PREROUTING, rules applied before the routing decision; POSTROUTING, rules applied after the routing decision; OUTPUT, locally generated outgoing packets.
Table descriptions:
nat: used for Network Address Translation. The addresses of NATed packets are changed, according to our rules. Packets belonging to one flow traverse this table only once: if the first packet is allowed to be NATed or masqueraded, the remaining packets of the flow get the same treatment automatically and do not pass through the table one by one. This is the main reason why no filtering should be done in this table. The PREROUTING chain changes a packet's destination address as soon as it arrives at the firewall, if required; the OUTPUT chain changes the destination address of locally generated packets; the POSTROUTING chain changes the source address just before the packet leaves the firewall.
mangle: used to mangle packets, i.e. alter packet and header fields such as TTL, TOS or MARK. Note that MARK does not really modify the packet; it only sets a mark in kernel space, which other rules or programs (such as tc) can use for filtering or advanced routing. The table has five built-in chains: PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD. PREROUTING mangles packets after they enter the firewall and before the routing decision; POSTROUTING after all routing decisions; OUTPUT before the destination of a locally generated packet is determined; INPUT after a packet has been routed to the local host but before a user-space program sees it; FORWARD after the initial routing decision and before the last change of the packet's destination. The mangle table cannot do any NAT: it changes only TTL, TOS or MARK, not source or destination addresses. NAT is done in the nat table.
filter: dedicated to filtering packets, with three built-in chains; DROP, LOG, ACCEPT and REJECT can all be used here without problems. FORWARD filters packets that are neither locally generated nor destined for the local host (the firewall itself); INPUT handles packets destined for the local host; OUTPUT filters all locally generated packets.

44 2-2-1 Filter Table
Mainly used for filtering packets. This is the place where we actually take action against packets, look at what they are and ACCEPT / DROP / REJECT / LOG them accordingly.
INPUT chain – packets destined for the local host
OUTPUT chain – packets sent by the local host
FORWARD chain – packets passed through to other hosts
The filter table is dedicated to filtering, with three built-in chains; DROP, LOG, ACCEPT and REJECT can all be used here without problems. FORWARD filters packets that are neither locally generated nor destined for the local host (the firewall itself); INPUT handles packets destined for the local host; OUTPUT filters all locally generated packets.

45 2-2-2 NAT Table
Used for NAT on packets, to translate the packet's source or destination field.
PREROUTING chain – rewrites the destination IP address (DNAT) as soon as the packet arrives
POSTROUTING chain – runs after the routing decision and before the packet is handed to the Ethernet device, to rewrite the source IP address (SNAT/MASQUERADE)
OUTPUT chain – rewrites the destination of locally generated packets
The nat table is for Network Address Translation. The addresses of NATed packets are changed according to our rules. Packets belonging to one flow traverse this table only once: if the first packet is allowed to be NATed or masqueraded, the remaining packets of the flow get the same treatment automatically, without passing through the table one by one. That is the main reason why you should not do any filtering in this table; a filter rule here sees only the first packet of each connection.

46 2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may use the mangle matches and targets to change header fields such as TOS (Type Of Service) and TTL, and to MARK packets.
PREROUTING chain, POSTROUTING chain, INPUT, OUTPUT and FORWARD chains
MARK does not really modify the packet; it only sets a mark in kernel space, which other rules or programs (such as tc) can use for filtering or advanced routing. PREROUTING mangles packets after they enter the firewall and before the routing decision; POSTROUTING after all routing decisions; OUTPUT before the destination of a locally generated packet is determined; INPUT after the packet has been routed to the local host but before a user-space program sees it; FORWARD after the initial routing decision and before the last change of the packet's destination. The mangle table cannot do NAT: it changes only TTL, TOS or MARK, never source or destination addresses. NAT belongs in the nat table.

47 2-3 Processing Packets
2-3-1 Destination local host
2-3-2 Source local host
2-3-3 Forwarded packets
2-3-4 State machine

48 2-3-1 Destination Local Host

49 2-3-1 Destination Local Host
Incoming packets → nat table PREROUTING → routing decision → filter table INPUT → local process

50 2-3-2 Source Local Host

51 2-3-2 Source Local Host
Local process → nat table OUTPUT → filter table OUTPUT → nat table POSTROUTING → packets sent out

52 2-3-3 Forwarded Packets

53 2-3-3 Forwarded Packets
Incoming packets → nat table PREROUTING → routing decision → filter table FORWARD → nat table POSTROUTING → other hosts
(Forwarded packets never pass the INPUT or OUTPUT chains; rules for them belong in FORWARD.)

54 2-4 State Machine
Connection tracking classifies every packet as NEW, ESTABLISHED, RELATED or INVALID (see -m state under 3-3-3). Rules on the chains above can therefore act on the packet's connection state, not only on its header fields.

55 Agenda
Firewall, NAT and iptables
Rules → Chains → Tables
Usage of iptables
Hands-on practice

56 3.) Usage of iptables 3-1 Load iptables Modules
3-2 Define Default Policy 3-3 Structure of a Rule 3-4 Save / Restore Rules

57 3-1 Load iptables Modules
Note: ipchains and iptables are not compatible.
iptables is a loadable kernel module. Before you start configuring iptables, check whether ipchains has accidentally been loaded, because the two cannot be present at the same time. The ip_tables entry in the module listing on the slide is the iptables module; once it is loaded, the iptables syntax is available. Because the syntax is extensive, it is split into three parts below: clearing rules, defining policies, and adding/inserting rules. Firewall configuration is important work and usually involves a good deal of testing; while testing it is easy to block your own connection and lose access. So configure the firewall from the local console wherever possible, not over a remote login, or you may easily lock yourself out.

58 3-1 Load iptables Module – Check the Current Tables and Default Policy
#iptables [-t table] [-L] [-n]
Look carefully at the listing: with no -t argument the default table is filter, which has three chains, INPUT, OUTPUT and FORWARD. Since no rules have been defined yet, each chain is empty. Note the (policy …) shown after each chain name: that is the default action, the policy. Here iptables is active but no rules are defined and the policy is ACCEPT, so every packet is accepted.
-n – do not resolve host names; show IP addresses instead.

59 3-1 Install iptables – Clear the Current Rules
Parameter description:
-F : flush all defined rules
-X : delete all user-defined chains
-Z : zero the packet and byte counters of every chain
Note: when working over a remote connection, these three commands must be run consecutively from a script, otherwise you will certainly lock yourself out of the host.

60 3-2 Define Default Policy
#iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
(-P sets the policy of a built-in chain; user-defined chains have no policy.)

61 3-2 Define Default Policy
Parameter description:
-P : define the policy (note the capital P)
INPUT : packets entering the host
OUTPUT : packets leaving the host
FORWARD : packets passing through the host without entering it
PREROUTING : processing before the routing decision
OUTPUT : packets leaving the host
POSTROUTING : processing after the routing decision
Example: everything is set to ACCEPT except INPUT. After this, packets sent by our host can go out, but no packet can come in, including the reply (ACK) packets to the ones we sent. An INPUT policy of DROP therefore needs an ACCEPT rule for ESTABLISHED,RELATED packets (see 4-1, example 12) if the host is to receive any replies.

62 3-3 Structure of a Rule 3-3-1 Add, Insert, Delete an Replace Rules
3-3-2 Direction 3-3-3 Matches 3-3-4 Targets

63 3-3-1 Add, Insert, Delete and Replace
#iptables -t {filter|nat|mangle} {-A|-I|-D|-R} chain [match …] -j target
Three major things need to be considered: the direction (chain), the match conditions and the target.

64 3-3-2 Direction – Chains
a. filter table: INPUT, OUTPUT, FORWARD
b. nat table: PREROUTING, POSTROUTING (and OUTPUT for locally generated packets)
c. mangle table: …
Since we seldom use the mangle table, please refer to the earlier slides.

65 3-3-3 Matches – Conditions
-p [proto] : tcp / udp / icmp / all
-s [IP] / -d [IP]
--sport [port] / --dport [port]
-m state --state [state] : NEW / ESTABLISHED / INVALID / RELATED
-m multiport --dports [p1,p2,…,p15]
-i [iface] / -o [oface]
… etc.
A condition that is not given matches everything, so a rule with only -i eth0 matches every packet arriving on eth0.

66 3-3-4 Targets – Actions
a. filter table: ACCEPT / DROP / QUEUE / RETURN; target extensions: LOG / ULOG / REJECT / MIRROR
b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING/OUTPUT)
c. mangle table: …
ULOG – logs through netlink to a user-space daemon, which can write the records to a database
REJECT – responds with an ICMP error message
MIRROR – swaps the src/dst IP addresses and sends the packet back (experimental, and removed from later kernels; never use it on a production box)
Since we seldom use the mangle table, please refer to the earlier slides.

67 3-4 Save / Restore Rules
It is highly recommended to maintain the Netfilter rules in a script file rather than relying on the exported rule file (the iptables-save format is not a standard shell script). Please refer to the hands-on practice.

68 Agenda
Firewall, NAT and iptables
Rules → Chains → Tables
Usage of iptables
Hands-on practice: packet filter, NAT machine

69 4-1 Packet Filter – Rules of the filter table
Example 1: accept all packets arriving on the lo interface
#iptables -t filter -A INPUT -i lo -j ACCEPT
Note that -d, --dport, -s and --sport are not given. This means that wherever the packet comes from or is going to, as long as it arrives on lo it is accepted. This is an important concept: a condition that is not specified is matched by everything.
Example 2: accept all TCP packets from a given IP (left blank on the slide)
#iptables -t filter -A INPUT -i eth0 -p tcp -s <source IP> -j ACCEPT
This adds a rule: any TCP packet from that IP is accepted, whatever its destination or port.

70 4-1 Packet Filter – Rules of the filter table
Example 3: accept all TCP packets from a C-class network (left blank on the slide), written as <network>/24
#iptables -t filter -A INPUT -i eth0 -p tcp -s <network>/24 -j ACCEPT
This is the network notation. In example 2 we matched a single IP; here a whole network is opened. The network may be written as <network>/24 or as <network>/255.255.255.0; both forms are accepted.
Example 4: drop all TCP packets from a given IP (left blank on the slide)
#iptables -t filter -A INPUT -i eth0 -p tcp -s <source IP> -j DROP

71 4-1 Packet Filter – Rules of the filter table
Example 5: drop all incoming TCP packets with destination port 21 (forbid FTP connections via eth0)
#iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: accept TCP packets from a given IP (left blank on the slide) to local ports 137, 138 and 139
#iptables -t filter -A INPUT -i eth0 -p tcp -s <source IP> --dport 137:139 -j ACCEPT
Non-contiguous ports can be given with -m multiport --dports 80,23,25 … (up to 15 ports).
As always, pay attention to the order of the rules.

72 4-1 Packet Filter – Rules of the filter table
Example 7: log all incoming TCP packets to port 25 (log the SMTP service)
#iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
LOG is a non-terminating target: the packet is logged and then continues to the next rule, so the LOG rule must come before the rule that finally accepts or drops the packet. Again, watch the order of the rules.
Note: the UC-7110 does not support the "LOG" target.

73 4-1 Packet Filter – Rules of the filter table
Example 8: drop all SYN packets from a given IP (left blank on the slide)
#iptables -t filter -A INPUT -p tcp -i eth0 -s <source IP> --syn -j DROP
Example 9: drop all packets from MAC aa:bb:cc:dd:ee:ff
#iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
[!] --syn : only usable in a -p tcp rule, because only TCP packets carry the SYN flag. A TCP packet with SYN set means the other side is actively opening a connection to us. Putting ! before --syn matches packets that do not carry SYN (the opposite).
--icmp-type : controls particular ICMP types. If you do not want other hosts to be able to ping your machine, this is the option to use.
Example: do not respond when other hosts ping us
#iptables -A INPUT -p icmp --icmp-type 8 -j DROP
After this our host will not answer pings, so the other host sees us as "unreachable".
ICMP type 8 = Echo Request; type 0 = Echo Reply.
A source MAC is only the address of the last hop on the local segment and is trivially spoofed, so treat a MAC match as a convenience filter, not as authentication.

74 4-1 Packet Filter – Rules of the filter table
Example 10: do not respond to "ping"
#iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: limit an ICMP "ping" burst
#iptables -t filter -P INPUT DROP
#iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT
With the INPUT policy set to DROP in example 11, every packet that no later ACCEPT rule matches is dropped, not only ICMP.
-m : match extensions; one of them is -m mac --mac-source aa:bb:cc:dd:ee:ff, which matches the network card's MAC address.
Example: prevent the card with MAC aa:bb:cc:dd:ee:ff from using our host's resources
#iptables -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
This controls access by card address, so a host cannot evade the rule simply by changing its IP.

75 4-1 Packet Filter – Rules of the filter table
Example 12: accept the ESTABLISHED / RELATED packets of the local host; drop INVALID packets and NEW packets that try to open a connection.
#iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP
-m state --state <state>, with the following states:
INVALID : an invalid packet, for example a damaged one
ESTABLISHED : a packet belonging to a connection that has already been set up
NEW : a packet that wants to establish a new connection
RELATED : the most useful one; the packet is related to a packet our host sent out, for example a reply, or data of a connection that was set up afterwards. It is used very often, because once it is set, the packets related to anything our host sends can come back in even without a specific INPUT rule, which greatly simplifies the rule set.
Two rules are needed. Several states are separated by commas with no spaces around them. The ACCEPT rule must come first; and because the second rule drops every NEW packet, any service you still want to offer needs its own ACCEPT rule inserted above it.

76 4-1 Packet Filter – Rules of the filter table
Example 13: check packet integrity
#iptables -t filter -A INPUT -p all -m unclean -j DROP
(The unclean match was experimental and has been removed from later kernels; the INVALID state of example 12 covers malformed packets.)
Example 14: enable the "passive mode" FTP service for a host
#modprobe ip_conntrack_ftp
#iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
The ip_conntrack_ftp helper watches the FTP control channel and marks the data connection it announces as RELATED, so the second rule admits it without opening the whole high port range.

77 4-2 NAT Machine
Example 1: redirect connection requests for port 80 to port 8080
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: masquerade the packets coming from the <network>/24 LAN (left blank on the slide) with the IP of the local ppp0 interface
#iptables -t nat -A POSTROUTING -s <network>/24 -o ppp0 -j MASQUERADE
-j <action>: besides the common ACCEPT and DROP, which other actions are there?
REDIRECT --to-ports <port number> : quite common; it redirects to another port on the local host. Note that this action can only be used in the PREROUTING and OUTPUT chains of the nat table (see the connection flow diagrams).
MASQUERADE : packet masquerading, the most important mechanism of a NAT host.
Example 1 is most useful when you run a well-known protocol on a non-standard port, for instance WWW on port 8080 while everyone connects to port 80; the rule passes their connections to 8080.
Example 2 masquerades packets from <network>/24 so that their source IP becomes that of our ppp0 interface. -o selects the output interface; MASQUERADE is only valid in POSTROUTING.

78 4-2 NAT Machine
Example 3: DNAT packets arriving on eth0 (public address left blank on the slide) for TCP port 80 to the internal web server (address left blank) on port 80
#iptables -t nat -A PREROUTING -p tcp -i eth0 -d <public IP> --dport 80 -j DNAT --to <server IP>:80
Example 4: forward incoming TCP port 80 to another host (address left blank) on TCP port 80
-j <action>:
DNAT --to IP[:port] : commonly used to pass packets to hosts behind the firewall.
Example: forward port 80 connections from the Internet to the internal host
#iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to <server IP>:80
Script to SNAT the LAN to the current eth0 address:
#!/bin/bash
OUT_IP=`ifconfig | grep eth0 -A1 | grep inet | awk '{ print $2 }' | cut -d: -f2`
iptables -t nat -A POSTROUTING -s <network>/24 -j SNAT --to $OUT_IP
Remember that a FORWARD rule for this traffic must match the translated (internal) destination, because DNAT in PREROUTING has already rewritten the address by the time the packet reaches the filter table.
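The forwarded-packet path of 2-3-3 (nat PREROUTING → routing → filter FORWARD → nat POSTROUTING) determines which addresses the FORWARD rules actually see when the DNAT and MASQUERADE rules of 4-2 are in place. The following is an added example for this page, not code from the Moxa slides: a model of that path with the DNAT of example 3 and the masquerade of 4-2 example 2. All addresses are constructed to stand in for the blanks on the slides: 203.0.113.5 is the UC's public (eth0) address, 192.168.1.0/24 the LAN behind eth1, 192.168.1.10 the internal web server and 198.51.100.44 the ppp0 address.

```python
"""Forwarded-packet path (slide 2-3-3) with DNAT and MASQUERADE (slides 77/78).

Addresses are constructed stand-ins for the blanks on the slides.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"      # eth0, facing the Internet
WEB_SERVER = "192.168.1.10"    # internal web server on the LAN
LAN = "192.168.1.0/24"         # LAN behind eth1
PPP0_IP = "198.51.100.44"      # dial-up address used for masquerading


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: str = ""


def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nat_prerouting(p: Pkt) -> Pkt:
    """Slide 78, example 3: DNAT public port 80 to the internal web server."""
    if p.in_if == "eth0" and p.dst == PUBLIC_IP and p.dport == 80:
        return replace(p, dst=WEB_SERVER)
    return p


def route(p: Pkt) -> Pkt:
    """Simplified routing decision: LAN destinations leave via eth1, everything
    else via ppp0. It runs after PREROUTING, so it sees the DNATed destination."""
    return replace(p, out_if="eth1" if in_net(p.dst, LAN) else "ppp0")


def filter_forward(p: Pkt) -> str:
    """filter FORWARD sees the translated destination, so the rule that admits
    web traffic must name the internal server, not the public address."""
    if p.dst == WEB_SERVER and p.dport == 80:
        return "ACCEPT"
    if in_net(p.src, LAN):  # LAN hosts may initiate outbound traffic
        return "ACCEPT"
    return "DROP"  # chain policy


def filter_forward_naive(p: Pkt) -> str:
    """Common mistake: matching the public address in FORWARD. PREROUTING has
    already rewritten it, so this rule never fires and the policy drops it."""
    if p.dst == PUBLIC_IP and p.dport == 80:
        return "ACCEPT"
    return "DROP"


def nat_postrouting(p: Pkt) -> Pkt:
    """Slide 77, example 2: masquerade LAN traffic leaving through ppp0."""
    if in_net(p.src, LAN) and p.out_if == "ppp0":
        return replace(p, src=PPP0_IP)
    return p


def process(p: Pkt, forward=filter_forward):
    """Run one packet along the forward path. Returns (verdict, packet as it
    leaves the box, or as it looked when it was dropped)."""
    p = route(nat_prerouting(p))
    verdict = forward(p)
    if verdict != "ACCEPT":
        return verdict, p
    return verdict, nat_postrouting(p)


# Constructed sample packets
INBOUND_WEB = Pkt("192.0.2.77", PUBLIC_IP, 80, "eth0")
INBOUND_SSH = Pkt("192.0.2.77", PUBLIC_IP, 22, "eth0")
OUTBOUND_LAN = Pkt("192.168.1.20", "198.51.100.9", 443, "eth1")

if __name__ == "__main__":
    for name, pkt in (("inbound web", INBOUND_WEB), ("inbound ssh", INBOUND_SSH),
                      ("outbound lan", OUTBOUND_LAN)):
        print(name, process(pkt))
    print("naive FORWARD rule on inbound web:", process(INBOUND_WEB, filter_forward_naive)[0])
```

The inbound web request leaves the box with the internal server as destination and its original source intact; the LAN client's outbound packet leaves with the ppp0 address as source; and the same inbound web request is dropped when the FORWARD rule is written against the public address.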

79 Thank You!

80 OpenVPN 2.0 Stephen Lin

81 OpenVPN 2.0
Cryptography summary
OpenVPN 2.0
OpenVPN configuration
Hands-on practice

82 1.) Cryptography Summary
1-1 What does cryptography solve?
1-2 Symmetric data encryption
1-3 Hash (digest) function
1-4 Message authentication code
1-5 Asymmetric data encryption
1-6 Digital signature
1-7 Certificate
1-8 Moxa UC7400

83 1-1 What does Cryptography solve?
Confidentiality: nobody can learn what you transfer, even when listening to the whole conversation.
Integrity: the message has not been modified during transmission.
Authenticity: you can verify that you are talking to the entity you think you are talking to, and who the specific individual behind that entity is.
Non-repudiation: the individual behind that asset cannot deny being associated with it.
Cryptography solves these four major issues: confidentiality (encrypt the data), integrity (check the data), authenticity (make sure it is the right party that sent you the data) and non-repudiation (the sender is confirmed and cannot deny having sent it).

84 1-2 Symmetric Data Encryption
Tom encrypts the plaintext with the secret key to produce the ciphertext; Bob decrypts it with the same secret key to recover the plaintext.
Fast, high efficiency for data transmission.
Is it "secure" while transferring the key? Key distribution is the weak point.
Maintenance of the keys: n parties need (n-1)n / 2 pairwise keys.
DES / 3DES / AES / Blowfish (single DES, with its 56-bit key, is no longer considered adequate; prefer AES).

85 1-3 Hash (Digest) Function
Ensures data integrity. MD5 / SHA-1.
Tom runs the data through the hash function to get message digest #1 and sends the data together with the digest. Bob runs the received data through the same hash function to get message digest #2 and compares the two.
A bare hash only detects accidental corruption: anyone who can alter the data in transit can recompute the digest to match. MD5 and SHA-1 are also no longer collision resistant; use the SHA-2 family for new designs.

86 1-4 Message Authentication Code
Ensures data integrity and origin: a secret key is used to protect the MAC, so only a holder of the key can produce or verify it. HMAC / CBC-MAC.
Tom computes the message digest over the data with the hash function and the secret key to get the MAC, and sends the data with the MAC. Bob recomputes the MAC over the received data with the same key and compares the two (the slide's diagram shows the digest protected by encryption under the shared key; HMAC instead mixes the key into the hash computation itself).
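The difference between 1-3 and 1-4, that a bare digest can be recomputed by whoever modifies the data while a keyed MAC cannot, is easy to show end to end. The following is an added example for this page, not code from the slides: Tom protects a message first with a plain SHA-256 digest and then with HMAC-SHA256, an attacker in the middle rewrites the amount, and Bob checks whether he notices. The message and the shared key are constructed; SHA-256 is used rather than the slides' MD5/SHA-1.

```python
"""Bare hash versus keyed MAC (slides 1-3 and 1-4). Message and key are constructed."""
import hashlib
import hmac

KEY = b"tom-and-bob-shared-secret"        # constructed shared secret
MESSAGE = b"transfer 100 to account 42"   # constructed message


def digest(data: bytes) -> str:
    """Slide 1-3: plain message digest, no key involved."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Slide 1-4: HMAC-SHA256 over the data with the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so a byte-by-byte comparison
    # cannot leak how much of a forged tag was correct.
    return hmac.compare_digest(digest(data), tag)


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def tamper(data: bytes, tag: str, keyed: bool):
    """An attacker in the middle rewrites the amount. Without a key she simply
    recomputes the digest for the forged data; with HMAC she has no key, so the
    best she can do is replay the original tag."""
    forged = data.replace(b"100", b"900")
    return forged, (tag if keyed else digest(forged))


def bob_detects_tampering(keyed: bool) -> bool:
    """Return True when Bob's check fails on the forged message."""
    tag = mac(KEY, MESSAGE) if keyed else digest(MESSAGE)
    forged, forged_tag = tamper(MESSAGE, tag, keyed)
    if keyed:
        return not verify_mac(KEY, forged, forged_tag)
    return not verify_digest(forged, forged_tag)


if __name__ == "__main__":
    print("bare hash detects tampering:", bob_detects_tampering(False))
    print("HMAC detects tampering:     ", bob_detects_tampering(True))
```

With the bare digest Bob accepts the forged transfer, because the attacker shipped a fresh digest with it; with HMAC the replayed tag no longer matches and the forgery is rejected. A MAC still does not give non-repudiation, since Bob holds the same key and could have produced the tag himself; that is what the digital signature of 1-6 adds.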

87 1-5 Asymmetric Encryption
Clear text → encryption → ciphertext (e.g. g$5knvMd'rkvegMs")
Things to remember:
Key pair: public and private keys. In a session, one is used for encryption and the other for decryption.
The "public key" can be deployed everywhere.
The relation between the two keys cannot be exploited: from one key you cannot gain knowledge of the other, even with access to clear text and ciphertext.
The slide states that the two keys are interchangeable, that the algorithms make no difference between the public and private key, and that when a pair is generated either one can be chosen as the public key. That holds for textbook RSA, but not for asymmetric algorithms in general; in practice the private key is always the one generated and kept by the owner.
Less efficient than symmetric (static key) encryption.
RSA / Diffie-Hellman.
Speaker notes: The first and most important thing to remember about asymmetric encryption is that there are two keys, a key pair: one public, the other private. Second, the two keys are related: what is encrypted with the public key is decrypted with the private key of the same pair. Third, the public key is deployed everywhere, but only the owner keeps the private key, and must keep it safe. Finally, since more key material is involved, encryption and decryption take more resources than with a symmetric key; it is less efficient, but it avoids the key-distribution problem of symmetric encryption.
DH: these functions implement the Diffie-Hellman key agreement protocol. Generating shared DH parameters is described in DH_generate_parameters(3); DH_generate_key(3) describes how to perform a key agreement.

88 1-5 Asymmetric Data Encryption
Confidentiality check, using the recipient’s key pair. [Diagram: Tom encrypts the plaintext with Bob’s public key; Bob decrypts the ciphertext with Bob’s private key]

89 1-5 Asymmetric Data Encryption
Authenticity check, using the sender’s key pair. [Diagram: Tom encrypts the plaintext with Tom’s private key; Bob decrypts the ciphertext with Tom’s public key]

90 1-6 Digital Signature
Real world – hybrid. Data integrity, authenticity, non-repudiation. Algorithm – uses the public key and a hash. We have talked about the hash function/MAC, which is used to check data integrity, and about symmetric/asymmetric encryption, which is used to check confidentiality/authentication. Actually, the real world is a hybrid one: the methods mentioned earlier are combined in daily work to check everything that needs to be verified. We will then start with the digital signature.

91 1-6 Digital Signature - Creating
[Diagram: Message or File (“This is the document created by Gianni”) → Generate Hash (SHA, MD5) → Message Digest (typically 128 bits, “Py75c%bn”) → Asymmetric Encryption (RSA) with the signatory’s private key → Digital Signature (“3kJfgf*£$&”), sent with the document as the Signed Document] Generate hash: calculate a short message digest from even a long input using a one-way message digest function (hash). This slide shows how the digital signature is created. Starting from the message file, the first step is to generate a hashed message digest, then encrypt it with the sender’s private key to form the digital signature. Finally, send the digital signature along with the data to the receiver.

92 1-6 Digital Signature - Verifying
[Diagram: Signed Document → Generate Hash → Message Digest “Py75c%bn”; Digital Signature “3kJfgf*£$&” → Asymmetric Decryption with Gianni’s public key (from certificate) → “Py75c%bn”; Compare] On receiving the digital signature and the message text, the receiver hashes the message to get Message Digest #1, decrypts the digital signature with the sender’s public key to get Message Digest #2, and compares #1 and #2. If they are the same, we can be sure that it was the sender who sent the message and that the data was not modified by someone else.

93 1-6 Digital Signature
[Diagram: Tom hashes the data and encrypts Message Digest #1 with Tom’s private key to form the digital signature, which is sent together with the data; Bob hashes the received data to get Message Digest #2, decrypts the digital signature with Tom’s public key to recover Message Digest #1, and compares the two]

94 1-7 Certificate The simplest certificate just contains:
A public key (for Stephen); information about the entity that is being certified to own that public key (it can be a person, a computer, a device, a file, some code, anything); and the whole is digitally signed by someone trusted (like your friend or a CA). [Diagram: Certificate = “This public key belongs to Stephen” + pub key + Digital Signature “2wsR46%frdEWWrswe(*^$G*^%#%#%DvtrsdFDfd3%.6,7”] Again, we are now

95 1-7-1 CA Certificate
[Diagram: Certification Server. The CA generates a key pair (priv/pub). The user requests a certificate from the CA. The CA generates the certificate (pub + DS = Cert). The private key and the certificate are sent to the user]

96 1-7-1 CA Certificate Example
[Diagram: CA holding the CA private key and CA public key. Left and Right each hold their own private key, a certificate signed by the CA, and the CA public key. Left trusts Right’s certificate because it is signed by the CA, and Right trusts Left’s certificate for the same reason]
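The asymmetric encryption slides (1-5), the digital signature slides (1-6) and the certificate slides (1-7) all rest on the same two operations, so one worked example covers them. The Python below is added here and is not code from the deck, from Moxa or from OpenSSL: it is a toy RSA with small constructed primes (61/53, 89/97, 101/103) so that every step is hand-checkable, with SHA-256 as the hash, Tom and Bob as the parties and “Tom” as the certified subject. It needs Python 3.8 or later for the modular inverse via pow().

```python
import hashlib
import json

# Toy RSA built from small primes so each step is visible. The primes and
# exponents are constructed for this example; real keys use primes of 1024
# bits or more and are generated by a library, never by hand.


def make_keypair(p: int, q: int, e: int):
    """Return (public_key, private_key), each as an (n, exponent) tuple."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # d = e^-1 mod phi (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, blocks):
    """Raise each block to the key's exponent mod n. Blocks are single bytes
    (0..255 < n), so the mapping is exact. The same function serves encryption
    and decryption: the key you hand it decides which, which is the
    'interchangeable keys' point on the slide."""
    n, exponent = key
    return [pow(b, exponent, n) for b in blocks]


def encrypt(public_key, plaintext: bytes) -> list:
    """Confidentiality check: encrypt with the recipient's public key."""
    return rsa_apply(public_key, plaintext)


def decrypt(private_key, ciphertext: list):
    """Only the matching private key turns the blocks back into bytes."""
    blocks = rsa_apply(private_key, ciphertext)
    if any(b > 255 for b in blocks):
        return None                  # wrong key: result is not even a byte string
    return bytes(blocks)


def sign(private_key, message: bytes) -> list:
    """Digital Signature - Creating: hash, then 'encrypt' the digest with the signer's private key."""
    digest = hashlib.sha256(message).digest()
    return rsa_apply(private_key, digest)


def verify(public_key, message: bytes, signature: list) -> bool:
    """Digital Signature - Verifying: 'decrypt' with the signer's public key and
    compare the recovered digest with a fresh hash of the message."""
    recovered = rsa_apply(public_key, signature)
    return recovered == list(hashlib.sha256(message).digest())


def _encode(body: dict) -> bytes:
    # Canonical serialization so issuer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """Simplest certificate on the slide: a public key plus who owns it, signed by a trusted CA."""
    body = {"subject": subject, "public_key": list(subject_public_key)}
    return {"body": body, "signature": sign(ca_private_key, _encode(body))}


def verify_certificate(ca_public_key, cert: dict) -> bool:
    return verify(ca_public_key, _encode(cert["body"]), cert["signature"])


def verify_signed_document(ca_public_key, cert: dict, document: bytes, signature: list) -> bool:
    """Recipient's procedure: trust only the CA key, check the certificate, then
    check the document signature with the public key the certificate vouches for."""
    if not verify_certificate(ca_public_key, cert):
        return False
    return verify(tuple(cert["body"]["public_key"]), document, signature)


if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(61, 53, 17)
    tom_pub, tom_priv = make_keypair(89, 97, 17)
    bob_pub, bob_priv = make_keypair(101, 103, 7)
    document = b"This is the document created by Tom"
    tom_cert = issue_certificate(ca_priv, "Tom", tom_pub)
    print("Bob decrypts:", decrypt(bob_priv, encrypt(bob_pub, b"hello Bob")))
    print("signed document verifies:",
          verify_signed_document(ca_pub, tom_cert, document, sign(tom_priv, document)))
```

Run as a script it prints the decrypted greeting and True. Swapping Bob's certificate body under Tom's signature, or changing one character of the document, makes the verification fail, which is the check the verifying slide describes.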

97 1-7-2 SSL/TLS
Ensures confidentiality, and integrity if digitally signed. Depending on how the public keys are exchanged: authenticity, identity, non-repudiation. [Diagram: each side encrypts clear text with the peer’s public key (Cipher 1, Cipher 2), transmits it over the public network, and the peer decrypts with its own private key] Secure Socket Layer 3.0 – first issued by Netscape. IETF standard SSL 3.1 – TLS 1.0 (Transport Layer Security).

98 1-8 Moxa UC7400 - Hardware Cipher
Intel XScale supports: security engines DES, AES; algorithm modes ECB, CBC, CTR. Moxa wraps the hardware acceleration inside the algorithm APIs of “libcrypto.so”, so there is no need to change source code: the new libcrypto.so sits at the lower layer, while libssl.so sits at the upper layer. A user-space program developed on the UC calls “libssl.so”, and “libssl.so” in turn calls “libcrypto.so” (the old one, without the H/W cipher). With the new firmware (new libcrypto.so), the H/W cipher is implemented, and because the application calls libssl.so, there is no need to change the software to get the H/W cipher function.

99 1-8-1 Moxa Accelerated Algorithm – OpenSSL 0.9.7
DES_cbc_encrypt, DES_ede3_cbc_encrypt, AES_cbc_encrypt, AES_ctr_encrypt. We wrap ECB mode at a higher level (libssl.so), which OpenSSL wraps too; the functions other than ECB are implemented in libcrypto.so. Because ECB mode checks the data block (8 bytes) too often, using the hardware for it would be a cost; therefore ECB mode is implemented at the upper layer, libssl.so, to increase the speed of ECB mode. ECB – electronic codebook: table-lookup style checking, once every 8 bytes, so 1K of data needs 125 checks.

100 1-8-2 Performance [Chart: Y axis: CPU Time (Usage); ﹡ = H/W Cipher]

101 1-8-3 Things to be noticed
Moxa UC-7400 switches operations between the software and the hardware approaches. Default: hardware approach. Any mis-configuration or busy condition causes the switch. Small packets are switched to the software approach (DES: 128 bytes; 3DES/AES: 64 bytes).

102 1-8-4 Software Package
Driver: mxhw_cipher.o
Device file: mknod /dev/mxcrypto c
Test program:
./io    /* correctness test */
./io    /* stability test */
./io 1  /* golden pattern */
./io    /* performance test */

103 Agenda Cryptography Summary OpenVPN 2.0 OpenVPN Configuration
Hands-On Practice

104 2.) OpenVPN 2.0 2-1 Virtual Private Network 2-2 Why OpenVPN?
2-3 OpenVPN Modes

105 2-1 Virtual Private Network
VPN stands for Virtual Private Network, which not only connects different networks together but also provides encryption.

106 2-1 VPN Advantages/Disadvantage
VPN: a network constructed by using public wires (e.g., the Internet) to connect nodes. A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.). A VPN allows the use of protocols which are insecure by themselves. VPNs cannot be controlled and logged easily because of their encrypted nature. There are many advantages to using a VPN. For example,

107 2-2 Why OpenVPN?
Usability: open source (GPL); full-featured SSL VPN solution; easy to configure a secure tunnel; NAT/DHCP support; can use a 2048-bit shared key or digital certificates (PKI). Portability – supports most platforms: Linux, Solaris, Mac OS X, OpenBSD, FreeBSD, NetBSD, Windows 2000 SP4 / Windows XP SP1 or later.

108 2-2 Why OpenVPN?
Peers – each node with a client/server role. Uses kernel routing. Multiple clients. A user-space program. A full-featured SSL-VPN solution on top of the existing SSL/TLS mechanism, with a choice among a set of security algorithms. Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP (5000/1194) or TCP port.

109 2-2 OpenVPN Security
Two authentication modes:
Static key: use a pre-shared key.
SSL/TLS: use SSL/TLS + certificates for authentication and key exchange.
The encrypted packet is formatted as [HMAC | IV | SeqN | payload (with IPs)]; the diagram brackets the encrypted region and the region covered by the HMAC. SeqN: 64-bit sequence number. IV: plain-text initial vector, randomized per packet. (IV: the index used when decoding the hash.)
While it is true that block cipher chaining is made more complex due to the unreliable nature of UDP transport (where packets can be dropped or received out of order), OpenVPN (and IPSec as well) make each datagram atomic and stateless by using an “explicit IV”, where the initialization vector is explicitly recorded in the datagram header rather than being implicitly assumed based on the residual IV of the previous datagram.
--no-replay: disable OpenVPN’s protection against replay attacks. OpenVPN provides datagram replay protection by default. Replay protection is accomplished by tagging each outgoing datagram with an identifier that is guaranteed to be unique for the key being used. The peer that receives the datagram will check the uniqueness of the identifier; if the identifier was already received in a previous datagram, OpenVPN will drop the packet. Replay protection is important to defeat attacks such as a SYN flood attack, where the attacker listens on the wire, intercepts a TCP SYN packet (identifying it by the context in which it occurs in relation to other packets), then floods the receiving peer with copies of this packet. OpenVPN’s replay protection is implemented in slightly different ways, depending on the key management mode you have selected. In static key mode, or when using a CFB or OFB mode cipher, OpenVPN uses a 64-bit unique identifier that combines a time stamp with an incrementing sequence number. When using TLS mode for key exchange and a CBC cipher mode, OpenVPN uses only a 32-bit sequence number without a time stamp, since OpenVPN can guarantee the uniqueness of this value for each key. As in IPSec, if the sequence number is close to wrapping back to zero, OpenVPN will trigger a new key exchange.
To check for replays, OpenVPN uses the sliding window algorithm used by IPSec.
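The packet fields named on this slide (HMAC, IV, SeqN, payload) and the IPSec-style sliding window can be exercised in a few lines. The Python below is an added example and is not OpenVPN’s code or wire format: the field order and sizes (HMAC-SHA1 tag, 8-byte random IV, 64-bit sequence number) are a simplified layout constructed for illustration, the encryption of the body is left out so that the authentication and replay decisions stay in view, and the arrival sequence in sample_run is constructed. It shows the receiver’s order of checks (authenticate first, then the window) and the three ways a datagram is dropped: bad tag, already seen, or too old for the window.

```python
import hashlib
import hmac
import os
import struct

# Simplified datagram layout, constructed for this example from the fields the
# slide names:  HMAC | IV | SeqN | payload.  The HMAC (HMAC-SHA1 here) covers
# everything after it.  Real OpenVPN also encrypts IV+SeqN+payload; that step is
# omitted here so the authentication and replay checks stay in view.
HMAC_LEN = 20
IV_LEN = 8
SEQ_FMT = ">Q"              # 64-bit sequence number, as in static-key mode
SEQ_LEN = struct.calcsize(SEQ_FMT)
WINDOW = 64                 # sliding window width, in sequence numbers


def build_datagram(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: fresh random IV per packet (the explicit IV), then seq and payload, tagged."""
    body = os.urandom(IV_LEN) + struct.pack(SEQ_FMT, seq) + payload
    return hmac.new(key, body, hashlib.sha1).digest() + body


class ReplayWindow:
    """Sliding-window replay check in the style IPSec uses.
    'highest' is the largest sequence number accepted so far; bit i of 'seen'
    records whether sequence number (highest - i) has already been accepted."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.highest = 0
        self.seen = 0

    def accept(self, seq: int) -> str:
        if seq > self.highest:                       # newest so far: slide the window forward
            shift = seq - self.highest
            if shift >= self.size:
                self.seen = 1                        # everything older fell out of the window
            else:
                self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"     # outside the window: cannot tell replay from late arrival, drop
        if (self.seen >> offset) & 1:
            return "replay"      # already accepted once: drop
        self.seen |= 1 << offset
        return "accept"          # late but never seen: reordered UDP is fine


def receive(key: bytes, datagrams: list) -> list:
    """Receiver side, in arrival order. Returns (seq, verdict) per datagram.
    The HMAC is checked first so that only authentic traffic can move the window."""
    window = ReplayWindow()
    verdicts = []
    for dgram in datagrams:
        tag, body = dgram[:HMAC_LEN], dgram[HMAC_LEN:]
        seq = struct.unpack(SEQ_FMT, body[IV_LEN:IV_LEN + SEQ_LEN])[0]
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest(), tag):
            verdicts.append((seq, "bad_hmac"))
            continue
        verdicts.append((seq, window.accept(seq)))
    return verdicts


def sample_run(key: bytes = b"constructed-static-key") -> list:
    """Constructed arrival order: in-order packets, a replayed copy, reordering,
    a large jump, a packet that has fallen out of the window, and one whose
    payload was altered after it was tagged."""
    stream = [build_datagram(key, s, b"data") for s in (1, 2, 3)]
    stream.append(stream[1])                                     # exact copy of seq 2: replay
    stream += [build_datagram(key, s, b"data") for s in (5, 4)]  # 4 arrives after 5
    stream.append(stream[0])                                     # copy of seq 1: replay
    stream.append(build_datagram(key, 70, b"data"))              # jump past the whole window
    stream.append(build_datagram(key, 3, b"data"))               # 3 is now 67 behind: too old
    tampered = build_datagram(key, 71, b"data")
    stream.append(tampered[:-1] + b"!")                          # last payload byte changed
    return receive(key, stream)


if __name__ == "__main__":
    for seq, verdict in sample_run():
        print(f"seq {seq:3d}: {verdict}")
```

The "too_old" verdict is the cost of a bounded window: a genuine packet delayed by more than 64 sequence numbers is dropped, which is why the window size is a tuning knob in both IPSec and OpenVPN rather than a fixed constant.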

110 2-2 OpenVPN vs IPSec
OpenVPN: user-space daemon; SSL/TLS; portability across operating systems; firewall and NAT-friendly; dynamic address support. IPSec: kernel-space IP stack; each operating system requires its own independent implementation of IPSec; IETF standard – multi-vendor support.

111 2-3 OpenVPN Modes
Bridging and routing are two methods of linking systems via a VPN: routed IP tunnels (layer 3) and bridged Ethernet tunnels (layer 2). Suitable connections: site-to-site, dynamic site-to-site, (dynamic) client-to-site. ﹡Dynamic: firewall/NAT/DHCP friendly.

112 2-3-1 Routed IP Tunnels (TUN Mode)
Uses TUN mode (device), a virtual point-to-point IP link that combines the inner interface together with TUN. Uses the kernel routing to forward the packets. [Diagram: OSI layers Physical, Data-Link, Network, Transport, Session, Presentation, Application; OpenVPN’s TUN device sits at the 3rd (Network) layer]

113 2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages: point-to-point; easier to configure; efficiency and scalability; allows better tuning of the MTU for efficiency. Routed IP disadvantages: clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work; routes must be set up linking each subnet; software that depends on broadcasts will not “see” the machines on the other side of the VPN; works only with IPv4 in general, and with IPv6 in cases where the TUN drivers on both ends of the connection support it explicitly.

114 2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses “TAP” mode; a TAP device is a virtual Ethernet adapter. Bridge tools (brctl) are required to create the virtual adapters. A script is needed to bind eth1 and tap0 together into a bridged device called br0.

115 2-3-2 Bridged Ethernet Mode (TAP Mode)
[Diagram: OSI layers on both hosts; OpenVPN’s TUN device sits at the 3rd layer and TAP at the 2nd; on each side tap0 and eth1 are bridged while eth0 carries the tunnel]
brctl addbr br0          # create an ethernet bridge
brctl addif br0 eth1     # connect interface eth1 as a port
brctl addif br0 tap0     # connect virtual interface tap0 as a port

116 2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages: point to point and point to multi-point; broadcasts traverse the VPN, which allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server; no route statements to configure; works when the VPN needs to handle non-IP protocols such as IPX, NetWare and AppleTalk; a relatively easy-to-configure solution for road warriors. Bridging disadvantages: less efficient than routing, and does not scale well, because an IP is assigned for each bridge interface.

117 Agenda Cryptography Summary OpenVPN 2.0 OpenVPN Configuration
Hands-On Practice

118 3.) OpenVPN Configuration
3-1 Getting Started 3-2 TUN Configuration 3-3 TAP Configuration 3-4 SSL/TLS – X509 Dynamic Keys

119 3-1 Getting Started
[Diagram: LAN A – [VPN-Client] ixp1 / ixp0 === VPN Tunnel === ixp0 / ixp1 [VPN Server] – LAN B, plus a [CA/TLS Server]; each LAN labelled IP: /24 and gw:]

120 3-1 Getting Started
Create a working directory (recommended)
# mkdir /etc/openvpn
Check for the TUN module; if it is not there:
# ls /dev/net   (look for a character device “tun”)
# mknod /dev/tun c
Load the necessary modules
# modprobe tun
# modprobe bridge
Generate a (pre-shared) key
# openvpn --genkey --secret [KeyName]
Self diagnostic
# openvpn --test-crypto --secret [KeyName]

121 3-1 Getting Started
Enable IP forwarding
# echo "1" > /proc/sys/net/ipv4/ip_forward
or
# vi /etc/sysctl.conf   (modify: net.ipv4.ip_forward = 1)
Create / start the bridge interface using the Moxa script
# openvpn-bridge [start / stop / restart]
Check the supported ciphers/authentication
# openvpn --show-ciphers
# openvpn --show-digests

122 3-2 TUN Server Configuration
Create the TUN configuration files
# vi /etc/openvpn/tunserver.conf
[At VPN Client]
# vi /etc/openvpn/tunclient.conf
It is NECESSARY to specify the server address at the VPN client. The local/remote VPN IP addresses must be specified.

123 3-2 TUN Server Configuration
Edit the static routings
# vi /etc/openvpn/tunserver.sh
# chmod +x /etc/openvpn/tunserver.sh
[At VPN Client]
# vi /etc/openvpn/tunclient.sh
# chmod +x /etc/openvpn/tunclient.sh
Start OpenVPN with the configuration file
# openvpn --config /etc/openvpn/tunserver.conf &
# openvpn --config /etc/openvpn/tunclient.conf &
2nd argument of “ifconfig”, which is now “ ”
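The two slides above give the rules a static-key TUN pair must follow: the client must carry the server address, and both files must carry the local and remote VPN addresses in the right order. The Python below is an added example, not Moxa’s configuration files or scripts: it renders a tunserver.conf / tunclient.conf pair and checks those rules. The tunnel addresses 10.8.0.1/10.8.0.2, the key file name and the directive set are constructed choices; the server’s public address is an obvious placeholder. The directives used (dev, ifconfig, secret, remote, port, proto, keepalive, verb, ca/cert/key) are standard OpenVPN 2.0 directives.

```python
import re

# Constructed values for the TUN walk-through: the tunnel endpoints and the key
# file name are example choices; the server's public address is a placeholder.
SERVER_ADDRESS = "SERVER_PUBLIC_IP"     # placeholder: the VPN server's reachable address


def render_tun_pair(server_vpn_ip: str = "10.8.0.1", client_vpn_ip: str = "10.8.0.2",
                    key_file: str = "/etc/openvpn/static.key"):
    """Static-key tunserver.conf / tunclient.conf. 'ifconfig' takes the local tunnel
    address first and the peer's second, so the two files mirror each other, and
    only the client carries 'remote' (the slide's NECESSARY server address)."""
    common = f"dev tun\nsecret {key_file}\nport 1194\nproto udp\nkeepalive 10 60\nverb 3\n"
    server = f"ifconfig {server_vpn_ip} {client_vpn_ip}\n" + common
    client = f"remote {SERVER_ADDRESS}\nifconfig {client_vpn_ip} {server_vpn_ip}\n" + common
    return server, client


def parse_config(text: str) -> dict:
    """Directive -> argument list. '#' and ';' start comments, as in OpenVPN files."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def check_config(text: str, role: str) -> list:
    """Problems that would stop the tunnel from coming up, following the slide's rules:
    the client must name the server ('remote'), TUN mode needs local and remote VPN
    addresses in 'ifconfig', and a key must be given (static 'secret' or TLS ca/cert/key)."""
    conf = parse_config(text)
    problems = []
    dev = (conf.get("dev") or [None])[0]
    if dev is None or not dev.startswith(("tun", "tap")):
        problems.append("dev must be tun or tap")
    if role == "client" and "remote" not in conf:
        problems.append("client must specify the server address with 'remote'")
    if dev and dev.startswith("tun") and len(conf.get("ifconfig", [])) != 2:
        problems.append("TUN mode needs 'ifconfig <local VPN IP> <remote VPN IP>'")
    if "secret" not in conf and not {"ca", "cert", "key"} <= set(conf):
        problems.append("need 'secret <keyfile>' or ca/cert/key for SSL/TLS mode")
    return problems


def check_pair(server_text: str, client_text: str) -> list:
    """Check both ends together: each file on its own, then that the client's
    ifconfig is the mirror image of the server's."""
    problems = check_config(server_text, "server") + check_config(client_text, "client")
    s, c = parse_config(server_text), parse_config(client_text)
    if s.get("ifconfig") and c.get("ifconfig") and s["ifconfig"] != c["ifconfig"][::-1]:
        problems.append("client ifconfig must list its own address first and the server's second")
    return problems


if __name__ == "__main__":
    server_conf, client_conf = render_tun_pair()
    print("--- tunserver.conf ---\n" + server_conf)
    print("--- tunclient.conf ---\n" + client_conf)
    print("problems:", check_pair(server_conf, client_conf) or "none")
```

The mirror check is the one that catches the mistake the next slide hints at with the “2nd argument of ifconfig” remark: swapping the two addresses on the client side gives each end the same local address, and the check_pair result names it before the daemons are started.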

124 3-3 TAP Configuration – VPN Server
Create the TAP configuration files
# vi /etc/openvpn/tapserver.conf
[At VPN Client]
# vi /etc/openvpn/tapclient.conf
Mark this line if both VPN networks are in the same subnet

125 3-3 TAP Configuration – VPN Server
Edit the static routings
# vi /etc/openvpn/tapserver.sh
[At VPN Client]
# vi /etc/openvpn/tapclient.sh
# chmod +x /etc/openvpn/tapclient.sh
Pointed to the kernel routing. br0 =

126 3-3 TAP Configuration – VPN Server
Start the bridge device
# vi /etc/openvpn/openvpn-bridge
# chmod +x /etc/openvpn/openvpn-bridge
# /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file
# openvpn --config /etc/openvpn/tapserver.conf &
# openvpn --config /etc/openvpn/tapclient.conf &

127 3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC
# vi /usr/share/ssl/openssl.cnf   (pre-fill default_days, default_bits, etc.)
Create a new CA root key pair
# /usr/share/ssl/misc/CA -newca
Create a new client private key and certificate request
# /usr/share/ssl/misc/CA -newreq
Sign the certificate
# /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client. Repeat the request and signing for the second client’s certificate.

128 3-4-2 OpenVPN – “easy-rsa” tools
Copy “easy-rsa” to the working directory
# cp -r /openvpn-2.0/easy-rsa /etc/openvpn/
Modify the vars file
# vi /etc/openvpn/easy-rsa/vars
Activate the vars
# . /etc/openvpn/easy-rsa/vars
Create the CA root key
# /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate
# /etc/openvpn/easy-rsa/build-key server

129 3-4-2 OpenVPN – “easy-rsa” tools
Create the VPN client private key and certificate
# /etc/openvpn/easy-rsa/build-key client
Create the Diffie-Hellman parameters
# /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server.
Copy the CA certificate, client key and client certificate to the VPN client.
The “easy-rsa” tools also work on the UC7400 series.

130 3-4-3 Configuration File Modification
txxserver.conf / txxclient.conf

131 Agenda Cryptography Summary OpenVPN 2.0 OpenVPN Configuration
Hands-On Practice

132 Live Demo

133 UC-7420 DEMO BOX Two of its serial ports are connected to a power meter and a thermocouple. Two LAN ports, plus an optional Wi-Fi function, make it a good tool for transmitting data from remote sites to a central site. The rest of the serial ports are looped back in ‘burn-in mode’ to demonstrate the UC’s high performance and reliability.

134 Demo Box Features

135 Software Block Diagram
Temperature range: 0 to 500°C. Left side for the high range: 0 to 300 VDC; right side for the low range: 0 to 20 VDC.

136 UC’s LCM & keypad (F1-F5)
F1 Monitoring: Temperature → Voltage → Throughput for P3 to P8
F2 System Status: LAN’s IP → Wi-Fi’s IP → CPU loading → Available Memory
F3 Alarm Setting: Temperature → Voltage → burning throughput
F4 Configuration Key
F5 Main Menu

137 Apache Web with CGI & HTML

138 Seat Locating System

139 Score Query System

140 Appendix: What is the wireless PCMCIA card support status in 802.11g?
The UC-7420's built-in wireless driver supports “Intersil Prism 2.0 chipset” PCMCIA cards. Compatible wireless cards (Supplier – Model name):
ASUS – WL-107g
CNET – CWC-854 (181D version)
Edimax – EW-7108PCg
Amigo – AWP-914W
Gigabyte – GN-WMKG
Others which use the R-Link chipset

141 Thank You!

