
2005 MTSC UC-7400 Thomas Cheng Aug-2005. 09/13Topic 14:00-15:20 Universal Communicator – Part I 15:20-15:40 Coffee Break 15:40-17:00 Universal Communicator.


Presentation transcript:

1 2005 MTSC UC-7400 Thomas Cheng Aug-2005

2 09/13 Topic
   14:00-15:20 Universal Communicator – Part I
   15:20-15:40 Coffee Break
   15:40-17:00 Universal Communicator – Part II
   17:00-18:00 UC Exam
   18:00 Dinner
2005 MTSC UC-7400

3 UC-7400 Series Introduction
   1. Comparisons
   2. New functions and features
   iptables Introduction / Hands-On
   OpenVPN Introduction / Hands-On
   Live Demo

4 UC Family Comparisons Hardware and Software

5 Hardware Comparison (UC-7410/7420: Hardware V1.2)
Columns: UC-7420 / UC-7410 / UC-7408 / UC-7110 (cells are listed in column order; a single value spans all models)
   CPU: Intel Xscale IXP MHz / ARM9 32-bit 166MHz
   RAM: 128MB / 16MB
   Flash: 32MB / 8MB
   LAN: 10/100 Mbps x 2
   RS-232/422/485: 8 / 2
   Serial Protection: 15 KV ESD for all signals
   Flow Control: RTS/CTS, XON/XOFF
   Speed: 50 bps to Kbps
   DI/DO: N/A / DI x 8, DO x 8 / N/A
   USB 2.0 Hosts: 2 / N/A
   USB 1.0 Client: 1 / 1 / 1 / N/A
   PCMCIA: Cardbus x 1 / N/A / Cardbus x 1 / N/A
   Compact Flash: 1 / N/A / 1
   LCM: 128 x 64 dots / N/A
   Keypad: 5 / 5 / N/A
   Real Time Clock: Yes
   Buzzer: Yes
   Reset Button: HW Reset x 1, Reset to default x 1 / Reset to default x 1

6 Software Comparison
Columns: UC-7400 Series / UC-7110
   Boot Loader: Redboot V1.92 / Moxa Proprietary Boot Loader
   Kernel: MontaVista Linux / uClinux Kernel
   Protocol Stack: ARP, CHAP, PAP, IPv4, ICMP, TCP, UDP, DHCP, FTP, Telnet, SNMPv1/v3, HTTP, NTP, NFS, SMTP, PPP, SSHv1.0/2.0, SSL, OpenVPN / ARP, CHAP, PAP, IPv4, ICMP, TCP, UDP, DHCP, FTP, Telnet, SNMPv1, HTTP, NTP, NFS, SMTP, PPP
   Flash File System: JFFS2
   OS Shell Command: bash V2.05 / mash V
   Linux normal command utility: Busybox V
   Web: Apache / Boa
   Secure shell: sshd V1.20 / N/A
   Network file system: NFS Server V2.2 / N/A
   Virtual private network: OpenVPN V2.0 / N/A
   OpenSSL: OpenSSL V0.9.6 / N/A
   Tool Chain: Linux and Windows / Linux

7 UC-7400 V1.5 Firmware New Functions and Features Introduction

8 UC-7400 V1.5 Firmware
Columns: Firmware Version V1.1 / V1.4.3 / V1.5
   Serial port: 230.4 Kbps / Kbps (with HW V1.2)
   WLAN: 802.11b (Prism2.0/2.5) / 802.11b (Prism2.0/2.5), 802.11g
   USB Host: N/A / Mass Storage PNP
   USB Client: N/A
   Reset to Factory Default button: N/A / Yes (with HW V1.2)
   Share Memory: N/A / Yes
Protocol stacks and utilities:
   Arp (utility): N/A / Yes
   iptables: N/A / Yes
   OpenVPN: N/A / Yes
   WatchDog API: N/A / Yes
   Crontab: N/A / Yes
   upfirm: N/A / Yes
   backupuf: N/A / Yes
   backupfs, bf: Yes / N/A
   minicom: Yes / Replaced by tip
Directory changes:
   /var: User File System / Changed to ramdisk
   Apache root document: /usr/html / /usr/www

9 New Feature Introduction
   WatchDog support
   Cron support on the system
   UART and special baud rate support
   System Image Backup utility
   upfirm (firmware upgrade utility)
   802.11g wireless card support
   Tool chain on the Windows platform, including GCC, Glibc and Insight (GDB debug tool)
   iptables support
   OpenVPN support

10 Watch Dog Timer (WDT)
1. Introduction: The WDT works like a watchdog. You can enable or disable it. When the user enables the WDT but the application does not acknowledge it in time, the system reboots. The ack time can be set from a minimum of 50 msec to a maximum of 60 seconds.
2. How the WDT works: The sWatchDog is enabled when the system boots up, and the kernel acks it automatically. A user application can also take over the ack; once it does, a missed ack reboots the system.
3. The user API: The user application must include the WDT header and link "moxalib.a".

11 Crontab
1. Introduction: Daemon to execute scheduled commands.
2. Description: Cron is started from /etc/rc.d/rc.local. Modify the file /etc/cron.d/crontab to set up your scheduled applications. Crontab files have the following format:
   m (Minute)  h (Hour)  dom (Date)  mon (Month)  dow (Day of week, 0 is Sunday)  user  command
3. Example: How to add ntpdate (synchronize time) to Cron? Every day at 5:10 the system synchronizes the time from the NTP server:
   # vi /etc/cron.d/crontab
   # m h dom mon dow user command
   10 5 * * * root /usr/sbin/ntpdate ; /sbin/hwclock -w

12 UART and special baud rate support
1. Introduction: The normal tty device nodes are /dev/ttyM0 … ttyM7, and the modem tty device nodes are /dev/cum0 … cum7. UC-7400 supports Linux standard termios control. The Moxa UART Device API allows you to configure ttyM0 to ttyM7 as RS-232, RS-422, 2-wire RS-485, or 4-wire RS-485.
2. The Function: You must include the Moxa device header, which defines
   #define RS232_MODE 0
   #define RS485_2WIRE_MODE 1
   #define RS422_MODE 2
   #define RS485_4WIRE_MODE 3
   Functions (ioctl commands): MOXA_SET_OP_MODE, MOXA_GET_OP_MODE

13 UART and special baud rate support
3. Special baud rate support: There are two Moxa private ioctl commands for setting up special baud rates: MOXA_SET_SPECIAL_BAUD_RATE and MOXA_GET_SPECIAL_BAUD_RATE. If you use this ioctl to set a special baud rate, the termios cflag will be B, a define that differs from the standard baud rate defines. If the baud rate you read from termios (or from calling tcgetattr()) is this B value, you must call ioctl with MOXA_GET_SPECIAL_BAUD_RATE to get the actual baud rate.

14 Upgrading the Firmware – New utility: upfirm

15 Upgrading the Firmware
1. Introduction: The UC-7400's BIOS, kernel, mini file system, and user file system are combined into one firmware file, which can be downloaded from Moxa's website. The name of the firmware file has the form "uc7400-x.x.x.frm", with "x.x.x" indicating the firmware version.
ATTENTION: Upgrading the firmware will erase all data on the Flash ROM.

16 Upgrading the Firmware
2. Description: Firmware V1.4.3 and later adds the utility "upfirm", which upgrades the whole firmware (boot loader, kernel, mini file system, user file system and configuration). If your firmware version is earlier than V1.4.3, you can download the utility from the Moxa website.

17 How to upgrade firmware?
Step 1. Type the following commands to enable the RAM disk:
   # upramdisk
   # cd /mnt/ramdisk
Step 2. Download the firmware file into the "ramdisk" from the Moxa website.
Step 3. Use the upfirm command to upgrade the kernel and root file system:
   # upfirm uc7400-x.x.x.frm
(See the next slide for the upfirm procedure.)

18 upfirm session
   # upfirm UC frm
   Upgrade firmware utility version 1.0.
   To check source firmware file context.
   The source firmware file conext is OK.
   This step will destroy all your firmware.
   Do you want to continue it ? (Y/N) : Y
   MTD device [/dev/mtd6] erase – 100% complete.
   Wait to write file... Compleleted 100%
   Now upgrade the new configuration file.
   Upgrade the firmware is OK.
   Please press any key to reboot system.
   Press any key to reboot system!!
Note! DO NOT power off the UC until the Ready LED is ON again. The first boot after upgrading the firmware takes a long time.

19 Setting up the Network Interfaces IEEE802.11g

20 Configure 802.11g Wireless LAN
Step 1. Unplug the CardBus Wireless LAN card first.
Step 2. Configure the default IP setting profile:
   # vi /etc/network/interfaces
   # 802.11g Gigabyte Cardbus wireless card
   iface eth0 inet static
       address
       network
       netmask
       broadcast

21 Configure 802.11g Wireless LAN
Step 3. Configure the WLAN parameters:
   # vi /etc/Wireless/RT2500STA/RT2500STA.dat
   # Copy this file to /etc/Wireless/RT2500STA/RT2500STA.dat
   # This file is a binary file and will be read on loading rt2500.o module.
   #
   # Use "vi -b RT2500STA.dat" to modify settings according to your need.
   #
   # 1.) set NetworkType to "Adhoc" for using Adhoc-mode, otherwise using Infrastructure
   # 2.) set Channel to "0" for auto-select on Infrastructure mode
   # 3.) set SSID for connecting to your Access-point.
   # 4.) AuthMode can be "OPEN", "SHARED", "WPAPSK", "WPANONE"
   # 5.) EncrypType can be "NONE", "WEP", "TKIP", "AES"
   # for more information refer to the Readme file.

22 Configuring 802.11g Wireless LAN
The settings in "/etc/Wireless/RT2500STA/RT2500STA.dat":
   CountryRegion: Sets the channels for your particular country / region
   WirelessMode: Sets the wireless mode
   SSID: Sets the softAP SSID
   NetworkType: Sets the wireless operation mode
   Channel: Sets the channel
   AuthMode: Sets the authentication mode
   EncrypType: Sets the encryption type
   DefaultKeyID: Sets the default key ID
   Key1Str, Key2Str, Key3Str, Key4Str: Sets the strings for Key1 to Key4
   WpaPsk: WPA pre-shared key
   TxBurst: Enables or disables TxBurst
   TurboRate: Enables or disables TurboRate
   BGProtection: Sets 11b/11g protection (this function is for engineering testing only)
   ShortSlot: Enables or disables the short slot time
   TxRate: Sets the TxRate
   RTSThreshold: Sets the RTS threshold
   FragThreshold: Sets the fragment threshold

23 Developing Your Application Windows Tool Chain

24 Agenda
   1) Windows Tool Chain Introduction
   2) Development Process
   3) Debugging with GDB

25 Windows Tool Chain Introduction
The UC-7400's Windows Tool Chain is a cross-development environment that simulates the Linux root file system, allowing users to develop applications on a Windows PC. The following topics are covered in this section: Introduction, Installation Procedure, Using the BASH Shell, GDB debug tool (Insight).

26 Windows Tool Chain
   1. Operating System: Windows 2000 or Windows XP.
   2. Minimum of 500 MB hard disk space.
   3. CD-ROM or equivalent.
   4. Ethernet to connect with the UC.
   5. Be able to log in as administrator.
   6. Use a Windows username without spaces.
   7. You will be using a BASH shell window to enter commands.
   8. For editing text files, such as configuration files, use the vi editor (Unix editor). Do NOT use WordPad (Windows editor), which could cause problems when the files are transferred to a bona fide Linux environment.

27 Development Process
   Step 1: Setting up the Development Environment on the PC
   Step 2: Coding, Compiling and Debugging on the Windows Tool Chain
   Step 3: Deploying the Program to the UC
(diagram: x86 PC → IXP-422 target)

28 Step 1: Setting up the Development Environment
Install the Windows Tool Chain on a PC running Windows 2K/XP.
Installation tips:
   Default Install Path: C:\UC
   Default Text File Type: Unix (Recommended)
   Utilities: Moxa Bash Shell, GDB debug tool (Insight)
This process could take from 5 to 30 minutes, depending on the speed of your system.

29 Step 2: Coding, Compiling and Debugging
Code the C/C++ program in the Moxa Bash Shell (PC Windows Tool Chain).
Compile/link the source code with the tool chain; compiler path setting: PATH=/usr/local/mxscaleb/bin
Example: compiling Hello.c

30 Step 3: Deployment
Upload the program to the UC:
   # ftp
   ftp> binary
   ftp> put hello-release
Run the program (at the UC-7400 side):
   # chmod +x hello-release
   # ./hello-release
   Hello

31 Debugging with GDB
(diagram: PC with Moxa Bash Shell connected to the UC over Ethernet)
   1. Compile with -ggdb (PC Moxa Bash Shell)
   2. GDB debug server on the UC: # gdbserver :2000 hello-debug
   3. Insight tool (GDB client) on the PC
   4. Target remote UC:

32 Debugging with GDB
Step 1. PC Moxa Bash Shell: Compile the program with the -ggdb option, then upload it to the UC.
Step 2. UC: Start hello-debug under gdbserver:
   # chmod +x hello-debug
   # gdbserver :2000 hello-debug
   Process hello-debug created; pid = 206

33 Debugging with GDB
Step 3. PC Insight: Run the GDB client, open the hello-debug file, and connect to the target (GDB Server/TCP).

34 iptables Introduction

35 Agenda
   1) Quick View of iptables
   2) Rules, Chains, Tables
   3) Usage of iptables
   4) Hands-On Practice

36 1. Quick View of iptables
A user-space command to set up and maintain the Netfilter subsystem of the kernel. Netfilter manages only the packet headers, not the content. iptables is currently one of many firewall/NAT solutions; it is the administration tool used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

37 1. Quick View of iptables Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a target, which may be a jump to a user-defined chain in the same table.

38 1. Quick View of iptables
3rd generation firewall on Linux:
   – ipfwadm on Linux Kernel V2.0.X
   – ipchains on Linux Kernel V2.2.X
   – ipchains / iptables on Linux Kernel V2.4.X
   – iptables on Linux Kernel V2.6.X
Supports basic packet filtering as well as connection state tracking.
UC-7110/7400 support only iptables.

39 Agenda
   1) Firewall, NAT and iptables
   2) Rules, Chains, Tables
   3) Usage of iptables
   4) Hands-On Practice

40 2.) Rules, Chains and Tables 2-1 First Match 2-2 Three Major Tables 2-3 Processing Packets 2-4 State Machine

41 2-1 First Match – The Highest Priority
(flowchart: a packet is tested against Rule 1, Rule 2, … Rule 10 in order; on the first "Yes" its action (Action 1, Action 2, … Action 10) is taken, and if every rule answers "No" the default policy applies)

42 2-1 First Match
On a WWW server, reject the attack from IP = .
Ordering A:
   Rule 1: Drop the packets from that IP
   Rule 2: Accept WWW request packets from all hosts
   Rule 3: Drop all non-WWW packets
Ordering B:
   Rule 1: Accept WWW request packets from all hosts
   Rule 2: Drop the packets from that IP
   Rule 3: Drop all non-WWW packets
With ordering B the attacker's IP is still able to use the WWW service or to attack the WWW service port, because Rule 1 matches first.

43 2-2 Three Major Tables 1)Filter Table 2)NAT Table 3)Mangle Table

44 2-2-1 Filter Table
Mainly used for filtering packets. This is where we actually take action against packets: look at what they contain and ACCEPT / DROP / REJECT / LOG them, depending on their content.
   1. INPUT chain – packets entering the local host
   2. OUTPUT chain – packets output from the local host
   3. FORWARD chain – packets forwarded to other hosts

45 2-2-2 NAT Table
Used for NAT on different packets, to translate the packet's source field or destination field.
   1) PREROUTING chain – translates the destination IP address (DNAT)
   2) POSTROUTING chain – works after the routing process and before the Ethernet device, translating the source IP address (SNAT/MASQUERADE)
   3) OUTPUT chain – works on locally generated packets

46 2-2-3 Mangle Table
This table is mainly used for mangling packets. In other words, you may freely use the mangle matches to change the TOS (Type Of Service) and TTL fields. It can also MARK the packets.
   1. PREROUTING chain
   2. POSTROUTING chain
   3. INPUT, OUTPUT and FORWARD chains

47 2-3 Processing Packets
   Destination Local Host
   Source Local Host
   Forwarded Packets
   State Machine

48 2-3-1 Destination Local Host

49 (flow) Incoming Packets → NAT Table PREROUTING → Filter Table INPUT → Local Process

50 2-3-2 Source Local Host

51 (flow) Outgoing Packets (local process) → NAT Table OUTPUT → Filter Table OUTPUT → NAT Table POSTROUTING → Send Out Packets

52 2-3-3 Forwarded Packets

53 (flow) Incoming Packets → NAT Table PREROUTING → Filter Table FORWARD → NAT Table POSTROUTING → Other Hosts (local resources are not involved)

54 2-4 State Machine

55 Agenda
   1) Firewall, NAT and iptables
   2) Rules, Chains, Tables
   3) Usage of iptables
   4) Hands-On Practice

56 3.) Usage of iptables 3-1 Load iptables Modules 3-2 Define Default Policy 3-3 Structure of a Rule 3-4 Save / Restore Rules

57 3-1 Load iptables Modules Note: ipchains and iptables are not compatible

58 3-1 Load iptables Module
Check the current tables (the listing also shows each chain's default policy):
   # iptables [-t table] [-L] [-n]

59 3-1 Install iptables Clear Current Policy

60 3-2 Define Default Policy
   # iptables -t {filter|nat|mangle} -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}

61 3-2 Define Default Policy

62 3-3 Structure of a Rule
   Add, Insert, Delete and Replace Rules
   Direction
   Matches
   Targets

63 3-3-1 Add, Insert, Delete and Replace
   # iptables -t {filter|nat|mangle} -{A|I|D|R} <direction> <match> -j <target>
Three major things need to be considered: the direction (chain), the match and the target.

64 3-3-2 Direction – Chains a. filter Table: INPUT OUTPUT FORWARD b. nat Table : PREROUTING POSTROUTING OUTPUT c. mangle table: …

65 3-3-3 Matches - Conditions
   1. -p [proto] : tcp / udp / icmp / all
   2. -s [IP] / -d [IP]
   3. --sport [port] / --dport [port]
   4. -m state --state [state] : NEW / ESTABLISHED / INVALID / RELATED
   5. -m multiport [p1,p2,…,p15]
   6. -i [iface] / -o [oface]
   7. … etc.

66 3-3-4 Targets - Actions
   a. filter table: ACCEPT / DROP / QUEUE / RETURN; target extensions: LOG / ULOG / REJECT / MIRROR
   b. nat table: SNAT (only in POSTROUTING), DNAT (only in PREROUTING/OUTPUT), MASQUERADE (POSTROUTING), REDIRECT (only in PREROUTING)
   c. mangle table: …

67 3-4 Save / Restore Rules
It is highly recommended to use a script file to maintain the Netfilter rules instead of the exported file (which is not a standard script file). Please refer to the Hands-On practice.

68 Agenda
   1) Firewall, NAT and iptables
   2) Rules, Chains, Tables
   3) Usage of iptables
   4) Hands-On Practice
      1) Packet Filter
      2) NAT Machine

69 4-1 Packet Filter – Rules of filter table
Example 1: Accept all packets incoming from the lo interface
   # iptables -t filter -A INPUT -i lo -j ACCEPT
Example 2: Accept all TCP packets incoming from IP =
   # iptables -t filter -A INPUT -i eth0 -p tcp -s  -j ACCEPT

70 4-1 Packet Filter – Rules of filter table
Example 3: Accept all TCP packets incoming from the network /24
   # iptables -t filter -A INPUT -i eth0 -p tcp -s /24 -j ACCEPT
Example 4: Drop all TCP packets incoming from IP =
   # iptables -t filter -A INPUT -i eth0 -p tcp -s  -j DROP

71 4-1 Packet Filter – Rules of filter table
Example 5: Drop all incoming TCP packets with dst port = 21 (forbid FTP connections from eth0)
   # iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Example 6: Accept TCP packets incoming from IP  to local ports 137, 138 and 139
   # iptables -t filter -A INPUT -i eth0 -p tcp -s  --dport 137:139 -j ACCEPT

72 4-1 Packet Filter – Rules of filter table
Example 7: Log all incoming/outgoing TCP packets to/from port 25 (log the SMTP service)
   # iptables -t filter -A INPUT -p tcp --dport 25 -j LOG
Note: the UC7110 does not support the LOG target.

73 4-1 Packet Filter – Rules of filter table
Example 8: Drop all [syn] packets from IP =
   # iptables -t filter -A INPUT -p tcp -i eth0 -s  --syn -j DROP
Example 9: Drop all packets from MAC = aa:bb:cc:dd:ee:ff
   # iptables -t filter -A INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

74 4-1 Packet Filter – Rules of filter table
Example 10: Do not respond to ping
   # iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
Example 11: ICMP ping burst (drop by default, accept a limited rate)
   # iptables -t filter -P INPUT DROP
   # iptables -t filter -A INPUT -p icmp -m limit --limit 6/min --limit-burst 10 -j ACCEPT

75 4-1 Packet Filter – Rules of filter table
Example 12: Accept the Established / Related packets of the local host; drop the Invalid packets and the New packets which are trying to create new connections.
   # iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
   # iptables -t filter -A INPUT -p tcp -m state --state INVALID,NEW -j DROP

76 4-1 Packet Filter – Rules of filter table
Example 13: Check the packet integrity
   # iptables -t filter -A INPUT -p all -m unclean -j DROP
Example 14: Enable the passive-mode FTP service to a host
   # modprobe ip_conntrack_ftp
   # iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT

77 4-2 NAT Machine
Example 1: Redirect the connection requests for port 80 to port 8080
   # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Example 2: Masquerade the packets from /24 leaving via ppp0 as the local ppp0's IP (MASQUERADE is only valid in POSTROUTING)
   # iptables -t nat -A POSTROUTING -s /24 -o ppp0 -j MASQUERADE

78 4-2 NAT Machine
Example 3: DNAT the incoming packets from eth0 ( ) and TCP port 80 to the internal web server :80
   # iptables -t nat -A PREROUTING -p tcp -i eth0 -d  --dport 80 -j DNAT --to :80
Example 4: Redirect the incoming packets of TCP port 80 to  and TCP port 80
   # iptables -t nat -A POSTROUTING -s /24 -j SNAT --to $OUT_IP
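The filter and NAT examples above, drawn together into the kind of rule script the Save / Restore slide recommends. This is an added example, not Moxa's script or one from the slides; eth0/eth1, 192.168.10.0/24, 192.168.10.80 and 203.0.113.99 are constructed placeholders, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: maintain the whole Netfilter rule set from one script
# (re-running it is the "restore"). Not Moxa's own script.
# All addresses and interfaces below are constructed placeholders.

IPT="${IPT:-iptables}"       # set IPT=echo for a dry run
PUB_IF="eth0"                # public side
LAN_IF="eth1"                # protected LAN side
LAN_NET="192.168.10.0/24"    # constructed LAN behind the UC
BAD_HOST="203.0.113.99"      # constructed: host to keep off the WWW service
WEB_SERVER="192.168.10.80"   # constructed: internal web server for DNAT

flush_all() {
    # Start from an empty ruleset so the script is the single source of truth.
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
}

default_policy() {
    # Anything no rule accepts on INPUT/FORWARD is dropped; local output is allowed.
    "$IPT" -t filter -P INPUT DROP
    "$IPT" -t filter -P FORWARD DROP
    "$IPT" -t filter -P OUTPUT ACCEPT
}

filter_rules() {
    "$IPT" -t filter -A INPUT -i lo -j ACCEPT
    "$IPT" -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A INPUT -m state --state INVALID -j DROP
    # First match wins: the specific DROP for BAD_HOST must precede the general
    # ACCEPT for port 80, otherwise BAD_HOST still reaches the service.
    "$IPT" -t filter -A INPUT -i "$PUB_IF" -p tcp -s "$BAD_HOST" --dport 80 -j DROP
    "$IPT" -t filter -A INPUT -i "$PUB_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Log, then drop, SMTP connection attempts (LOG is not available on the UC-7110).
    "$IPT" -t filter -A INPUT -i "$PUB_IF" -p tcp --dport 25 -j LOG --log-prefix "SMTP-IN: "
    "$IPT" -t filter -A INPUT -i "$PUB_IF" -p tcp --dport 25 -j DROP
    # Rate-limit echo requests instead of answering every ping.
    "$IPT" -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 10 -j ACCEPT
    # Stateful forwarding for the LAN behind the UC.
    "$IPT" -t filter -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

nat_rules() {
    # DNAT belongs in PREROUTING; MASQUERADE/SNAT only in POSTROUTING.
    "$IPT" -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$PUB_IF" -j MASQUERADE
    # The DNATed connection still has to pass the FORWARD chain.
    "$IPT" -t filter -A FORWARD -i "$PUB_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
}

apply_rules() {
    flush_all
    default_policy
    filter_rules
    nat_rules
}

# Number of -A rules the script would install (dry run in a subshell).
rule_count() {
    ( IPT=echo; apply_rules ) | grep -c -- ' -A '
}

# Self-check of the first-match ordering: the DROP for BAD_HOST must be
# emitted before the ACCEPT for port 80. Returns 0 when the order is right.
order_check() {
    ( IPT=echo; filter_rules ) | awk -v bad="$BAD_HOST" '
        $0 ~ bad && /DROP/ && !drop { drop = NR }
        /--dport 80/ && /ACCEPT/ && !acc { acc = NR }
        END { exit !(drop && acc && drop < acc) }'
}

# Only touch the kernel when explicitly asked:  ./firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```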

79 Thank You!

80 OpenVPN 2.0 Stephen Lin

81 OpenVPN 2.0
   1) Cryptography Summary
   2) OpenVPN 2.0
   3) OpenVPN Configuration
   4) Hands-On Practice

82 1.) Cryptography Summary
   1-1 What does cryptography solve?
   1-2 Symmetric Data Encryption
   1-3 Hash (Digest) Function
   1-4 Message Authentication Code
   1-5 Asymmetric Data Encryption
   1-6 Digital Signature
   1-7 Certificate
   1-8 Moxa UC7400

83 1-1 What does Cryptography solve?
   Confidentiality: Ensure that nobody can learn what you transfer, even if they listen to the whole conversation.
   Integrity: Ensure that the message has not been modified during transmission.
   Authenticity: You can verify that you are talking to the entity you think you are talking to, and who the specific individual behind that entity is.
   Non-repudiation: The individual behind that asset cannot deny being associated with it.

84 1-2 Symmetric Data Encryption
   Fast, high efficiency for data transmission
   Is it secure while transferring the key?
   Maintenance of the keys: n(n-1)/2 keys
   DES / 3DES / AES / Blowfish
(diagram: Tom encrypts the plaintext into ciphertext with the secret key; Bob decrypts it with the same secret key)

85 1-3 Hash (Digest) Function
   Ensures data integrity
   MD5 / SHA-1
(diagram: Tom runs the data through the hash function to get message digest #1 and sends data plus digest; Bob runs the received data through the same hash function to get message digest #2 and compares it with message digest #1)

86 1-4 Message Authentication Code
   Ensures data integrity
   Uses a key to protect the MAC
   HMAC / CBC-MAC
(diagram: Tom hashes the data to message digest #1 and encrypts the digest with the secret key to form the MAC, sending data plus MAC; Bob hashes the received data to message digest #2, decrypts the MAC with the secret key to recover message digest #1, and compares the two)

87 1-5 Asymmetric Encryption
Things to remember:
   Key pair – public/private keys. In a session, one is used for encryption and the other for decryption.
   The public key can be deployed everywhere.
   The relation between the two keys is unknown; from one key you cannot gain knowledge of the other, even if you have access to clear text and cipher text.
   The two keys are interchangeable: the algorithms make no difference between public and private key. When a key pair is generated, either of the two can be public or private.
   Less efficient than a static key.
   RSA / Diffie-Hellman
(diagram: clear text → encryption → "g$5knvMdr kvegMs")

88 1-5 Asymmetric Data Encryption – Confidentiality check
(diagram: Tom encrypts the plaintext with Bob's public key; Bob decrypts the ciphertext with Bob's private key, i.e. the recipient's key pair is used)

89 1-5 Asymmetric Data Encryption – Authenticity check
(diagram: Tom encrypts the plaintext with Tom's private key; Bob decrypts the ciphertext with Tom's public key, i.e. the sender's key pair is used)

90 1-6 Digital Signature – Real World (Hybrid)
   1. Data Integrity
   2. Authenticity
   3. Non-repudiation
   4. Algorithm – uses the public key and a hash

91 1-6 Digital Signature - Creating
(diagram) Message or file: "This is the document created by Gianni"
   1. Generate hash (SHA, MD5): calculate a short message digest (typically 128 bits) from even a long input using a one-way message digest function. Message digest: Py75c%bn
   2. Asymmetric encryption (RSA) of the digest with the signatory's private key (priv). Digital signature: 3kJfgf*£$&
   3. Signed document = message + digital signature: "This is the document created by Gianni" 3kJfgf*£$&

92 1-6 Digital Signature - Verifying
(diagram) Signed document: "This is the document created by Gianni" 3kJfgf*£$&
   1. Generate hash of the message: message digest Py75c%bn
   2. Asymmetric decryption of the digital signature with Gianni's public key (pub, from the certificate): Py75c%bn
   3. Compare the two digests: equal?

93 1-6 Digital Signature
(diagram: Tom hashes the data to message digest #1 and encrypts it with Tom's private key to form the digital signature, sending data plus signature; Bob hashes the received data to message digest #2, decrypts the signature with Tom's public key to recover message digest #1, and compares the two)

94 1-7 Certificate
The simplest certificate just contains:
   A public key (for Stephen)
   Information about the entity that is being certified to own that public key ("This public key belongs to Stephen"); the entity can be a person, a computer, a device, a file, some code, anything …
… and the whole is digitally signed by someone trusted (like your friend or a CA).

95 1-7-1 CA Certificate
(diagram) The user requests a certificate from the CA; the CA (certification server) generates a key pair (priv, pub); the CA generates the certificate (pub + DS); the private key and the certificate are sent to the user.

96 CA Certificate Example
(diagram) The CA holds the CA private key. Left and Right both trust the CA public key (signed by the CA). Left holds Left's private key, Left's certificate signed by the CA and Right's certificate signed by the CA; Right holds Right's private key, Right's certificate signed by the CA and Left's certificate signed by the CA.

97 1-7-2 SSL/TLS
(diagram: each side holds its own key pair (priv, pub) and the peer's pub; clear text is encrypted into Cipher 1 / Cipher 2, transmitted over the public network, and decrypted back to clear text on the other side)
Ensures confidentiality, and integrity if digitally signed. Depending on how the public keys are exchanged: authenticity, identity, non-repudiation.

98 1-8 Moxa UC Hardware Cipher
Intel Xscale supports: security engines DES, AES; algorithm methods ECB, CBC, CTR.
Moxa wraps the hardware acceleration inside the algorithm APIs of OpenSSL, so there is no need to change the source code.

99 1-8-1 Moxa Accelerated Algorithms – OpenSSL
   DES_cbc_encrypt
   DES_ede3_cbc_encrypt
   AES_cbc_encrypt
   AES_ctr_encrypt
We wrap ECB mode at a higher level (which OpenSSL wraps, too).

100 1-8-2 Performance (chart: H/W cipher)

101 1-8-3 Things to be noticed
Moxa UC-7400 switches between the software and the hardware approaches.
   Default: hardware approach
   Any misconfiguration or busy condition causes the switch
   Small packets are switched to the software approach (DES: 128 bytes; 3DES/AES: 64 bytes)

102 1-8-4 Software Package
Driver: mxhw_cipher.o
Device file: # mknod /dev/mxcrypto c
Test program:
   ./io     /* correctness test */
   ./io     /* stability test */
   ./io 1   /* golden pattern */
   ./io     /* performance test */

103 Agenda
   1) Cryptography Summary
   2) OpenVPN 2.0
   3) OpenVPN Configuration
   4) Hands-On Practice

104 2.) OpenVPN
   2-1 Virtual Private Network
   2-2 Why OpenVPN?
   2-3 OpenVPN Modes

105 2-1 Virtual Private Network

106 2-1 VPN Advantages/Disadvantages
   VPN: a network constructed by using public wires (e.g., the Internet) to connect nodes.
   A VPN encrypts all network traffic, not just a few application protocols (like SSL, SSH, etc.).
   A VPN allows the use of protocols which are insecure by themselves.
   VPNs cannot be controlled and logged easily because of their encrypted nature.

107 2-2 Why OpenVPN?
Usability
   Open Source (GPL)
   Full-featured SSL VPN solution
   Easy to configure a secure tunnel
   NAT/DHCP support
   Can use a 2048-bit shared key or digital certificates (PKI)
Portability – supports most platforms
   Linux, Solaris, Mac OS X
   OpenBSD, FreeBSD, NetBSD
   Windows 2000 SP4 / Windows XP SP1 or later

108 2-2 Why OpenVPN?
   Peers – each node with a client/server role
   Uses kernel routing
   Multiple clients
   A user-space program
   A full-featured SSL-VPN solution on top of the existing SSL/TLS mechanism, with a choice among a set of security algorithms
   Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP (5000/1194) or TCP port

109 2-2 OpenVPN Security
Two authentication modes:
   Static Key: use a pre-shared key
   SSL/TLS: use SSL/TLS + certificates for authentication and key exchange
The encrypted packet is formatted as: HMAC | IV | SeqN | payload (with IPs), where the SeqN and payload are encrypted.
   SeqN: 64-bit sequence number
   IV: plaintext initialization vector, randomized per packet

110 2-2 OpenVPN vs IPSec
OpenVPN:
   User-space daemon
   SSL/TLS
   Portability across operating systems
   Firewall- and NAT-friendly
   Dynamic address support
IPSec:
   Kernel-space IP stack
   Each operating system requires its own independent implementation of IPSec
   IETF standard – multi-vendor support

111 2-3 OpenVPN Modes
Bridging and routing are the two methods of linking systems via a VPN.
   Routed IP tunnels (layer 3)
   Bridged Ethernet tunnels (layer 2)
Suitable connections: Site-to-Site, Dynamic Site-to-Site, Client-to-Site (Dynamic: firewall/NAT/DHCP friendly)

112 2-3-1 Routed IP Tunnels (TUN Mode)
Uses a TUN device, a virtual point-to-point IP link that combines the inner interface together with TUN. Uses the kernel routing to forward the packets.
(diagram: the OSI stacks of both ends, with OpenVPN TUN at layer 3)

113 2-3-1 Routed IP Tunnels (TUN Mode)
Routed IP advantages:
   1. Point-to-point
   2. Easier to configure
   3. Efficiency and scalability
   4. Allows better tuning of the MTU for efficiency
Routed IP disadvantages:
   1. Clients must use a WINS server (such as Samba) to allow cross-VPN network browsing to work.
   2. Routes must be set up linking each subnet.
   3. Software that depends on broadcasts will not "see" the machines on the other side of the VPN.
   4. Works only with IPv4 in general, and IPv6 in cases where the tun drivers on both ends of the connection support it explicitly.

114 2-3-2 Bridged Ethernet Mode (TAP Mode)
Uses TAP mode; a TAP device is a virtual Ethernet adapter. Bridge tools (brctl) are required to create the virtual adapters. You need to create a script that binds eth1 and tap0 together into a bridged device called br0.

115 2-3-2 Bridged Ethernet Mode (TAP Mode)
   brctl addbr br0         # create an Ethernet bridge
   brctl addif br0 eth1    # connect interface eth1 as a port
   brctl addif br0 tap0    # connect virtual interface tap0 as a port
(diagram: the OSI stacks of both ends; OpenVPN TUN at layer 3 and TAP at layer 2; eth1, eth0 and tap0 bridged)

116 2-3-2 Bridged Ethernet Mode (TAP Mode)
Bridging advantages:
   1. Point to point, point to multi-point
   2. Broadcasts traverse the VPN – this allows browsing of Windows file shares across the VPN without setting up a Samba or WINS server
   3. No route statements to configure
   4. Works when the VPN needs to handle non-IP protocols such as IPX, NetWare, and AppleTalk
   5. Relatively easy-to-configure solution for road warriors
Bridging disadvantages:
   1. Less efficient than routing, and does not scale well

117 Agenda
   1) Cryptography Summary
   2) OpenVPN 2.0
   3) OpenVPN Configuration
   4) Hands-On Practice

118 3.) OpenVPN Configuration
   3-1 Getting Started
   3-2 TUN Configuration
   3-3 TAP Configuration
   3-4 SSL/TLS – X509 Dynamic Keys

119 3-1 Getting Started
(diagram: LAN A behind ixp [VPN Server] and LAN B behind ixp [VPN Client], each with gw / IP /24, connected by a VPN tunnel; ixp1 acts as [CA/TLS Server])

120 3-1 Getting Started
Create a working directory (recommended):
   # mkdir /etc/openvpn
Check for the TUN module: look for a character device tun in /dev/net; if it is missing, create it:
   # ls /dev/net
   # mknod /dev/tun c
Load the necessary modules:
   # modprobe tun
   # modprobe bridge
Generate a (pre-shared) key:
   # openvpn --genkey --secret [KeyName]
Self-diagnostic:
   # openvpn --test-crypto --secret [KeyName]

121 3-1 Getting Started
Enable IP forwarding:
   # echo 1 > /proc/sys/net/ipv4/ip_forward
or
   # vi /etc/sysctl.conf   (modify: net.ipv4.ip_forward = 1)
Create / start the bridge interface using the Moxa script:
   # openvpn-bridge [start / stop / restart]
Check the ciphers/authentication support:
   # openvpn --show-ciphers
   # openvpn --show-digests

122 3-2 TUN Server Configuration
Create the TUN configuration files:
   # vi /etc/openvpn/tunserver.conf
   [At VPN Client]
   # vi /etc/openvpn/tunclient.conf
The local/remote VPN IP addresses must be specified. It is NECESSARY to specify the server address at the VPN client.

123 3-2 TUN Server Configuration
Edit the static routings:
   # vi /etc/openvpn/
   # chmod +x /etc/
   [At VPN Client]
   # vi /etc/openvpn/
   # chmod +x /etc/
Start OpenVPN with the configuration file:
   # openvpn --config /etc/openvpn/tunserver.conf &
   [At VPN Client]
   # openvpn --config /etc/openvpn/tunclient.conf &
Note: 2nd argument of ifconfig, which is now
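The tunserver.conf / tunclient.conf pair for the static-key TUN setup, as an added example rather than the slides' own files. The tunnel endpoints 10.8.0.1/10.8.0.2, the server address 203.0.113.10 and the LAN subnets 192.168.10.0/24 (behind the server) and 192.168.20.0/24 (behind the client) are constructed placeholders, and the static routes are given as route directives instead of a separate route script.

```shell
#!/bin/sh
# Added example (not from the slides): write a matching pair of OpenVPN 2.0
# static-key TUN configurations. All addresses are constructed placeholders.

write_tun_configs() {
    dir="$1"          # directory for the .conf files, e.g. /etc/openvpn
    server_ip="$2"    # address the client connects to ("remote" is mandatory on the client)
    key="$3"          # pre-shared key file made with: openvpn --genkey --secret "$key"

    # Server side: listens on UDP 1194 and owns 10.8.0.1 of the point-to-point link;
    # the route points the client's LAN at the tunnel.
    cat > "$dir/tunserver.conf" <<EOF
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
secret $key
route 192.168.20.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3
EOF

    # Client side: mirror image of the ifconfig pair, plus the server address.
    cat > "$dir/tunclient.conf" <<EOF
dev tun
proto udp
port 1194
remote $server_ip 1194
ifconfig 10.8.0.2 10.8.0.1
secret $key
route 192.168.10.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Sanity check: the two ifconfig lines must be mirror images and the client
# must name the server. Returns 0 when both hold.
tun_pair_ok() {
    dir="$1"
    s=$(awk '$1 == "ifconfig" { print $2 " " $3 }' "$dir/tunserver.conf")
    c=$(awk '$1 == "ifconfig" { print $3 " " $2 }' "$dir/tunclient.conf")
    [ -n "$s" ] && [ "$s" = "$c" ] && grep -q '^remote ' "$dir/tunclient.conf"
}

# Usage:  ./tunconf.sh /etc/openvpn 203.0.113.10 /etc/openvpn/static.key
if [ $# -eq 3 ]; then
    write_tun_configs "$1" "$2" "$3" && tun_pair_ok "$1"
fi
```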

124 3-3 TAP Configuration – VPN Server
Create the TAP configuration files:
   # vi /etc/openvpn/tapserver.conf
   [At VPN Client]
   # vi /etc/openvpn/tapclient.conf
Mark this line if both VPN networks are in the same subnet.

125 3-3 TAP Configuration – VPN Server
Edit the static routings:
   # vi /etc/openvpn/
   [At VPN Client]
   # vi /etc/openvpn/
   # chmod +x /etc/
Pointed to the kernel routing: br0 =

126 3-3 TAP Configuration – VPN Server
Start the bridge device:
   # vi /etc/openvpn/openvpn-bridge
   # chmod +x /etc/openvpn/openvpn-bridge
   # /etc/openvpn/openvpn-bridge start
Start OpenVPN with the configuration file:
   # openvpn --config /etc/openvpn/tapserver.conf &
   [At VPN Client]
   # openvpn --config /etc/openvpn/tapclient.conf &
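An added start/stop/restart bridge script in the spirit of the openvpn-bridge script called above and of the brctl lines on slide 115. It is not Moxa's script: the device names eth1/tap0/br0 come from the slides, the bridge address 192.168.20.1/24 is a constructed placeholder, and RUN=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not Moxa's openvpn-bridge): bind eth1 and tap0 into br0.
# Bridge address is a constructed placeholder; set RUN=echo for a dry run.

RUN="${RUN:-}"
BR="br0"
TAP="tap0"
ETH="eth1"
BR_IP="192.168.20.1"
BR_MASK="255.255.255.0"
BR_BCAST="192.168.20.255"

bridge_start() {
    $RUN modprobe tun
    $RUN modprobe bridge
    # Persistent TAP device that OpenVPN (dev tap0) will attach to.
    $RUN openvpn --mktun --dev "$TAP"
    $RUN brctl addbr "$BR"
    $RUN brctl addif "$BR" "$ETH"
    $RUN brctl addif "$BR" "$TAP"
    # Bridge ports carry no address of their own; the bridge gets the LAN address.
    $RUN ifconfig "$TAP" 0.0.0.0 promisc up
    $RUN ifconfig "$ETH" 0.0.0.0 promisc up
    $RUN ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST" up
}

bridge_stop() {
    $RUN ifconfig "$BR" down
    $RUN brctl delif "$BR" "$TAP"
    $RUN brctl delif "$BR" "$ETH"
    $RUN brctl delbr "$BR"
    $RUN openvpn --rmtun --dev "$TAP"
    # Give the LAN port its address back so the box stays reachable.
    $RUN ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST" up
}

# Dispatcher with the same start/stop/restart interface as the Moxa script.
# Returns 2 on an unknown argument.
bridge_cmd() {
    case "$1" in
        start)   bridge_start ;;
        stop)    bridge_stop ;;
        restart) bridge_stop; bridge_start ;;
        *)       echo "usage: $0 {start|stop|restart}" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    bridge_cmd "$1"
fi
```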

127 3-4-1 SSL/TLS – Dynamic Keys
Edit the OpenSSL configuration file on a Linux PC (pre-fill default_days, default_bits, …, etc.):
   # vi /usr/share/ssl/openssl.cnf
Create a new CA root key pair:
   # /usr/share/ssl/misc/CA -newca
Create a new client private key and a new certificate request:
   # /usr/share/ssl/misc/CA -newreq
Sign the certificate:
   # /usr/share/ssl/misc/CA -sign
Copy the CA root certificate, the client private key and the client certificate to the first client. Have the second client certified the same way.

128 3-4-2 OpenVPN – easy-rsa tools
Copy easy-rsa to the working directory:
   # cp -r /openvpn-2.0/easy-rsa /etc/openvpn/
Modify the vars file:
   # vi /etc/openvpn/easy-rsa/vars
Activate the vars:
   # . /etc/openvpn/easy-rsa/vars
Create the CA root key:
   # /etc/openvpn/easy-rsa/build-ca
Create the VPN server private key and certificate:
   # /etc/openvpn/easy-rsa/build-key server

129 3-4-2 OpenVPN – easy-rsa tools
Create the VPN client private key and certificate:
   # /etc/openvpn/easy-rsa/build-key client
Create Diffie-Hellman parameters:
   # /etc/openvpn/easy-rsa/build-dh 1024
Copy the CA certificate (ca.crt), server key (server.key) and server certificate (server.crt) to the VPN server.
Copy the CA certificate, client key and client certificate to the VPN client.
The easy-rsa tools also work on the UC7400 series.

130 3-4-3 Configuration File Modification: txxserver.conf and txxclient.conf (txx = tun or tap)

131 Agenda
   1) Cryptography Summary
   2) OpenVPN 2.0
   3) OpenVPN Configuration
   4) Hands-On Practice

132 Live Demo

133 UC-7420 DEMO BOX
Two of its serial ports are connected to a power meter and a thermocouple. Two LAN ports, plus an optional Wi-Fi function, make it a good tool for transmitting data from remote sites to a central site. The rest of the serial ports are looped back in burn-in mode to demonstrate the UC's high performance and reliability.

134 Demo Box Features

135 Software Block Diagram (figure)
   Temperature range: 0 to 500°C
   Voltage: left side for the high range, 0 to 300 VDC; right side for the low range, 0 to 20 VDC

136 UC's LCM & keypad (F1-F5)
   F1 Monitoring: temperature, voltage, throughput for P3 to P8
   F2 System Status: LAN IPs, Wi-Fi IP, CPU loading, available memory
   F3 Alarm Setting: temperature, voltage, burning throughput
   F4 Configuration Key
   F5 Main Menu

137 Apache Web with CGI & HTML

138 Seat Locating System

139 Score Query System

140 Appendix: What is the wireless PCMCIA card support status in 802.11g?
The UC-7420's built-in wireless driver supports "Intersil Prism 2.0 chipset" PCMCIA cards. The compatible wireless cards are:
   Supplier / Model name
   ASUS / WL-107g
   CNET / CWC-854 (181D version)
   Edimax / EW-7108PCg
   Amigo / AWP-914W
   Gigabyte / GN-WMKG
   Others which use the Ralink chipset

141 Thank You!
