The branch firewall of an enterprise is configured with NAT. As shown in the figure, USG_B is the NAT gateway and is also used to establish an IPSec VPN with the headquarters. Which parts of USG_B need to be configured?
In the IKE Phase 1 main mode negotiation, which of the following is the role of Message 5 and Message 6?
Note: Main mode completes the Phase 1 negotiation in three exchanges of two messages each (six messages in total) and ends with an established IKE SA. The three exchanges are: SA (policy) negotiation, the Diffie-Hellman and nonce exchange, and identity authentication. Main mode offers identity protection and makes full use of the ISAKMP negotiation capabilities; identity protection matters when a party wants to hide its identity from eavesdroppers.

Before messages 1 and 2 are sent, the initiator and the responder each compute their own cookie, which uniquely identifies this negotiation. The cookie is an MD5 hash over the source/destination IP addresses, a random number, and the date and time; it is placed in the ISAKMP header of message 1 to identify the exchange. In the first exchange the two parties exchange cookies and SA payloads. The SA payload carries the IKE SA parameters to be negotiated: the hash algorithm, the encryption algorithm, the authentication method, and the IKE SA lifetime.

Before the second exchange, each party generates a random private value, runs it through the DH algorithm to obtain its public DH value (Xa for the initiator, Xb for the responder), and generates a nonce (Ni and Nr). In the second exchange the parties exchange their key exchange payloads (the Diffie-Hellman exchange, carrying Xa and Xb) and nonce payloads (carrying Ni and Nr). Once Ni and Nr have been exchanged, the preconfigured pre-shared key is run through a pseudo-random function to produce SKEYID, the basis of all subsequent key generation. From its own private DH value, the DH public value received from the peer, and SKEYID, each side then derives the shared key SKEYID_d, which only the two parties know. This shared key is never transmitted; only the DH public values and the nonces cross the wire, so a third party that captures them cannot compute it. After the second exchange all the key material has been exchanged and both sides can derive the remaining keys that protect the subsequent IKE messages: SKEYID_a, which provides integrity and data-origin authentication for IKE messages, and SKEYID_e, which encrypts them.

The third exchange carries the identification payload and the hash payload. The identification payload contains the identity of the sender (IP address or host name); the hash payload contains a hash computed over the key material generated in the previous steps. Both payloads are encrypted with SKEYID_e. If the hash received from the peer matches the hash computed locally, authentication succeeds and the IKE Phase 1 main mode negotiation with pre-shared key authentication is complete.
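The six-message flow described in the note, simulated in one process as an added example (this is not Huawei code or code from the page). It follows the key derivation of RFC 2409 section 5.4 for pre-shared key authentication and assumes: the negotiated hash is SHA-1 used in HMAC mode as the prf, DH group 2 (the 1024-bit MODP group), ID type ID_IPV4_ADDR, and a constructed byte string standing in for the SA payload body. Encryption of messages 5 and 6 under SKEYID_e is not modelled (it would need the negotiated cipher); the HASH check that those messages exist for is. Running it with mismatched pre-shared keys shows why the DH exchange alone is not authentication: g^xy still agrees, but SKEYID and therefore every derived key and both HASH values differ, and each side rejects the other.

```python
"""IKEv1 main mode with pre-shared-key authentication, simulated in one process:
the six messages and the key derivation of RFC 2409 section 5.4.

Added example, not vendor code.  Assumptions: prf = HMAC-SHA1, DH group 2
(1024-bit MODP), ID type ID_IPV4_ADDR, constructed SA payload body, and the
encryption of messages 5/6 under SKEYID_e is left out.
"""
import hashlib
import hmac
import os
import time

# RFC 2409 section 6.2, Second Oakley Group: 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
KE_LEN = 128  # group 2 public values and g^xy are encoded in exactly 128 bytes


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated hash algorithm in HMAC mode (here SHA-1)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def make_cookie(src_ip: str, dst_ip: str) -> bytes:
    """8-byte ISAKMP cookie from addresses, date/time and a secret random value,
    as the note describes; it only identifies the exchange, it is not a key."""
    material = f"{src_ip}|{dst_ip}|{time.time()}".encode() + os.urandom(16)
    return hashlib.md5(material).digest()[:8]


def id_ipv4(ip: str) -> bytes:
    """ID payload body: type ID_IPV4_ADDR (1), protocol 0, port 0, address."""
    return bytes([1, 0, 0, 0]) + bytes(int(o) for o in ip.split("."))


class Peer:
    def __init__(self, ip: str, peer_ip: str, psk: bytes):
        self.psk = psk
        self.cookie = make_cookie(ip, peer_ip)
        self.id_b = id_ipv4(ip)
        self.x = int.from_bytes(os.urandom(32), "big")  # private DH value, never sent
        self.gx = pow(GROUP2_G, self.x, GROUP2_P).to_bytes(KE_LEN, "big")  # KE payload
        self.nonce = os.urandom(20)  # Ni or Nr

    def derive_keys(self, cky_i, cky_r, ni, nr, peer_gx):
        """After exchange 2 each side holds g^x, the peer's g^y, Ni, Nr and the PSK."""
        gxy = pow(int.from_bytes(peer_gx, "big"), self.x, GROUP2_P).to_bytes(KE_LEN, "big")
        self.gxy = gxy
        self.skeyid = prf(self.psk, ni + nr)                             # PSK authentication
        self.skeyid_d = prf(self.skeyid, gxy + cky_i + cky_r + b"\x00")  # seeds IPsec SA keys
        self.skeyid_a = prf(self.skeyid, self.skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE integrity
        self.skeyid_e = prf(self.skeyid, self.skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption

    def hash_i(self, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
        return prf(self.skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

    def hash_r(self, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
        return prf(self.skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the three exchanges and report what each side could verify."""
    init = Peer("203.0.113.10", "198.51.100.20", psk_initiator)
    resp = Peer("198.51.100.20", "203.0.113.10", psk_responder)
    sai_b = b"constructed SA proposal: SHA1/AES-128/PSK/group2/86400s"  # stands in for the SA payload body

    # Exchange 1 (messages 1, 2): cookies and SA payload, in the clear.
    cky_i, cky_r = init.cookie, resp.cookie
    # Exchange 2 (messages 3, 4): KE and nonce payloads; only g^x and the nonces cross the wire.
    init.derive_keys(cky_i, cky_r, init.nonce, resp.nonce, resp.gx)
    resp.derive_keys(cky_i, cky_r, init.nonce, resp.nonce, init.gx)
    # Exchange 3 (messages 5, 6): ID and HASH payloads (encrypted with SKEYID_e on the wire).
    hash_i_rx = init.hash_i(init.gx, resp.gx, cky_i, cky_r, sai_b, init.id_b)  # message 5
    hash_i_expect = resp.hash_i(init.gx, resp.gx, cky_i, cky_r, sai_b, init.id_b)
    hash_r_rx = resp.hash_r(init.gx, resp.gx, cky_i, cky_r, sai_b, resp.id_b)  # message 6
    hash_r_expect = init.hash_r(init.gx, resp.gx, cky_i, cky_r, sai_b, resp.id_b)
    return {
        "dh_secret_agrees": init.gxy == resp.gxy,
        "skeyid_e_agrees": init.skeyid_e == resp.skeyid_e,
        "responder_authenticated_initiator": hmac.compare_digest(hash_i_rx, hash_i_expect),
        "initiator_authenticated_responder": hmac.compare_digest(hash_r_rx, hash_r_expect),
    }


if __name__ == "__main__":
    print(main_mode(b"Huawei@123", b"Huawei@123"))  # all True
    print(main_mode(b"Huawei@123", b"Huawei@124"))  # DH agrees, keys and HASH values do not
```

Because SKEYID is computed from the pre-shared key before the ID payload arrives, a responder in main mode has to pick the PSK by the initiator's source IP address; that is why main mode with PSK does not work for peers behind NAT with unknown addresses, and why aggressive mode or certificate authentication is used there.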
The SSL VPN authentication login fails and the message "Bad username or password" is displayed. Which of the following is incorrect?
Which traffic diversion ("drainage") schemes can be used in the bypass deployment scenario of Huawei's abnormal traffic cleaning solution?
Malformed packet attack technology uses some legitimate packets to perform reconnaissance or data probing on the network. These packets are of legal application types, but they are rarely used in normal networks.
Note: There are four types of network attacks. First, traffic-type attacks: the common method is flooding, sending a large number of seemingly legitimate TCP, UDP or ICMP packets to the target host; some attackers also forge the source address to bypass the monitoring of the detection system, thereby exhausting bandwidth or server resources. Second, scanning and snooping attacks: ping scans (ICMP and TCP) are used to identify live systems on the network, find potential targets, and identify their weaknesses. Third, malformed packet attacks: defective packets are sent to the target system so that it errors out or crashes while processing them, which disrupts its normal operation; the main methods are Ping of Death and Teardrop. Fourth, special packet attacks: legitimate packets are used for reconnaissance or data probing on the network. These packets are of legal application types, but they are rarely used in normal networks.
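To make the four categories concrete, the following is an added detection example (not code from the page or from Huawei's product) that classifies packets into them. Packets are constructed Python dicts carrying only the header fields the checks need, not a real capture, and the thresholds (20 distinct SYN/echo targets from one source, 100 packets per second to one destination) are assumed values. The malformed checks are the ones the note names: overlapping fragment offsets (Teardrop) and a fragment set that would reassemble to more than 65535 bytes (Ping of Death). The special-packet checks key on legal but rarely seen IP options (record route, timestamp, source routing) and ICMP redirects.

```python
"""Classify packets into the four attack categories listed in the note above.

Added example, not vendor code.  Packet dicts are constructed, not captured;
thresholds are assumptions.
"""
from collections import defaultdict

# Legal but rarely used header features that the "special packet" class keys on.
SPECIAL_IP_OPTIONS = {7: "record-route", 68: "timestamp",
                      131: "loose-source-route", 137: "strict-source-route"}
ICMP_ECHO_REQUEST = 8
ICMP_REDIRECT = 5
MAX_IP_DATAGRAM = 65535
IP_HDR_LEN = 20
SCAN_DISTINCT_TARGETS = 20  # assumed: distinct host/port pairs probed by one source
FLOOD_PPS = 100             # assumed: packets per second to one destination


def check_fragments(frags):
    """Malformed-packet checks over one fragment set (same src, dst and ip_id)."""
    findings = set()
    end = 0
    for f in sorted(frags, key=lambda f: f["frag_off"]):
        start = f["frag_off"] * 8                  # offset field is in 8-byte units
        if start < end:                             # fragment starts inside the previous one
            findings.add("malformed:teardrop")
        end = max(end, start + f["payload_len"])
    if end + IP_HDR_LEN > MAX_IP_DATAGRAM:          # reassembly would exceed the IP maximum
        findings.add("malformed:ping-of-death")
    return findings


def check_special(pkt):
    """Special-packet checks: rarely used IP options and ICMP redirects."""
    findings = set()
    for opt in pkt.get("ip_options", []):
        if opt in SPECIAL_IP_OPTIONS:
            findings.add("special:" + SPECIAL_IP_OPTIONS[opt])
    if pkt.get("proto") == "icmp" and pkt.get("icmp_type") == ICMP_REDIRECT:
        findings.add("special:icmp-redirect")
    return findings


def analyze(packets):
    """Return the set of attack findings for a list of packet dicts."""
    findings = set()
    frag_sets = defaultdict(list)       # (src, dst, ip_id) -> fragments
    scan_targets = defaultdict(set)     # src -> distinct (dst, port) probed
    per_dst_second = defaultdict(int)   # (dst, second) -> packet count
    for p in packets:
        findings |= check_special(p)
        per_dst_second[(p["dst"], int(p["ts"]))] += 1
        if p.get("frag_off", 0) or p.get("more_frags"):
            frag_sets[(p["src"], p["dst"], p["ip_id"])].append(p)
        if p.get("proto") == "tcp" and p.get("flags") == "S":
            scan_targets[p["src"]].add((p["dst"], p["dport"]))
        elif p.get("proto") == "icmp" and p.get("icmp_type") == ICMP_ECHO_REQUEST:
            scan_targets[p["src"]].add((p["dst"], "echo"))
    for frags in frag_sets.values():
        findings |= check_fragments(frags)
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_DISTINCT_TARGETS:
            findings.add("scan:sweep-from-" + src)
    for (dst, _), n in per_dst_second.items():
        if n >= FLOOD_PPS:
            findings.add("flood:packet-flood-to-" + dst)
    return findings


def sample_traffic():
    """Constructed packets (not a real capture) exercising each category."""
    pkts = [
        # Teardrop: second fragment starts at byte 8, inside the first (0..32).
        {"ts": 0.0, "src": "10.0.0.5", "dst": "10.0.0.1", "proto": "udp", "ip_id": 1,
         "frag_off": 0, "more_frags": True, "payload_len": 32},
        {"ts": 0.0, "src": "10.0.0.5", "dst": "10.0.0.1", "proto": "udp", "ip_id": 1,
         "frag_off": 1, "more_frags": False, "payload_len": 32},
        # Ping of Death: last fragment at offset 8185*8 pushes the datagram past 65535.
        {"ts": 0.1, "src": "10.0.0.6", "dst": "10.0.0.1", "proto": "icmp", "ip_id": 2,
         "frag_off": 0, "more_frags": True, "payload_len": 1480},
        {"ts": 0.1, "src": "10.0.0.6", "dst": "10.0.0.1", "proto": "icmp", "ip_id": 2,
         "frag_off": 8185, "more_frags": False, "payload_len": 100},
        # Special packets: an echo request carrying record-route, and an ICMP redirect.
        {"ts": 0.2, "src": "10.0.0.7", "dst": "10.0.0.1", "proto": "icmp", "icmp_type": 8,
         "ip_options": [7]},
        {"ts": 0.3, "src": "10.0.0.8", "dst": "10.0.0.1", "proto": "icmp", "icmp_type": 5},
    ]
    # Scan: one source sends SYNs to 25 different hosts on port 22.
    pkts += [{"ts": 1.0 + i * 0.01, "src": "10.0.0.9", "dst": f"10.0.1.{i}", "dport": 22,
              "proto": "tcp", "flags": "S"} for i in range(25)]
    # Flood: 150 SYNs to one server within one second from forged source addresses.
    pkts += [{"ts": 2.0 + i * 0.005, "src": f"198.51.100.{i % 250}", "dst": "10.0.0.1",
              "dport": 80, "proto": "tcp", "flags": "S"} for i in range(150)]
    return pkts


if __name__ == "__main__":
    for finding in sorted(analyze(sample_traffic())):
        print(finding)
```

The flood counter deliberately ignores the source address: with source forgery, per-source rate limits see nothing unusual, and only the aggregate towards one destination reveals the attack.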