Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Looking for a cost-effective, appliance-based VPN solution (preferably clientless) for small business.

We have a number of small clients for whom we have been using the Netgear FVS-336s with a lot of success, but they are no longer supporting it.
Some users remain on as much as 8-10 hours per day.

I have an IPSec VPN tunnel going between a main office and a home office (Cisco router at the main office end and Draytek at the home office end).  I am wanting the user to be able to log into the Terminal Server down the tunnel from home to the main office.  From her computer I can RDP to any other server but I can't RDP to the Terminal server.  It gets stuck on 'Securing remote Connection' after entering the credentials for up to 2 mins before eventually erroring out with a non-descript general 'Can't connect' error.  We've tried on a different laptop (Win 10 vs Win7, and wired and wireless) and have replaced the home office router with another model Draytek but the issue has remained the same.

After A LOT of googling, a little bit of Wiresharking, and trial and error, I think the issue is down to MTU issues, but I'm not an expert in this field and I'm trying to learn all I can.

In my testing with 'ping -f -l' I've found:
  • Terminal Server at the main office can ping with a limit of 1472 to the router at the main office and out to Google (
  • Terminal Server cannot ping the home office router at 1472 - it's too big.  I cut it down to 1400 and the first ping timed out and then was too big
  • On the laptop at the home office end I can ping with a limit of 1472 to the home office router, to Google, AND to the router at the main office end.

Another interesting and likely related symptom is…
We use TITAN FTP server v11.x.
Having an issue where a client's IP keeps getting blacklisted.
In the logs, I can see that they are logging in with the wrong user ID one time and immediately getting banned.
In settings at user level I have turned off the settings to ban after X attempts, and added their IP to the Client level whitelist.

Logs are below showing the user getting banned. Any idea why the action is so quick and severe? Any way to make it a little more forgiving?

2018-03-01 12:53:37 [2/1256/84c] New incoming connection from IP address:, port: 40982, socket=1488
2018-03-01 12:53:37 [2/1256/84c] OnPostCreation(pBaseCxn=0x852fb80,socket=1488), sending the '220 Welcome' message
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 220 Titan FTP Server 11.30.2350 Ready.
2018-03-01 12:53:37 [2/1488/84c] COMMAND: USER [] ***
2018-03-01 12:53:37 [2/1488/84c] Trying to find
2018-03-01 12:53:37 [2/1488/84c] User "" not found, we will fail in PASS.; returning 331
2018-03-01 12:53:37 [2/1488/84c] FindUserEx("") returned Success.
2018-03-01 12:53:37 [2/1488/84c] Adding random sleep activity for 23ms to deter hacker from realizing username is invalid
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 331 User name okay, need password.
2018-03-01 12:53:37 [2/1488/84c] COMMAND: PASS <hidden>
2018-03-01 12:53:37 [2/1488/84c] User 

Does Microsoft's Anti-XSS Library block:

HTTP Splitting and Cache Poisoning?

These are new concepts to me, so surely I need to spend more time reading this article:

If you have the time... :)

Which vulnerability is NOT blocked by Microsoft's Anti-XSS Library?

How Vulnerable are query string parameters and their values?

I am curious how vulnerable a website that has little validation on the query string params is to hacking.

Some argue that:
1) an unrecognized query string parameter can do no harm
2) it's too much work, since the program is always in flux, so the "poor stepchild" would not keep up
3) the code to block this (locally at least) is fragile and will always delay a solid release
4) there will be many more failed log-ins than blocked hackers

What are your thoughts on this topic?

And how does using a Web Application Firewall change the discussion?

It seems that if the benefits to security were small or non-existent, the Security Industry would not waste its time closing this vulnerability.

We are in the process of changing our 3-site IPSec VPN, via a staged migration, to MPLS, so a single firewall.

Stage one is to get site 1 on MPLS first and leverage some of the newer features of the hosted firewall while still routing traffic across the site to site vpns accordingly.

The first change we (on prem) need to do is re-configure a number of ports in the switch to accommodate the new on-prem router(s).

Currently we have HSRP (I think) on the CPE which terminates on the HP L3 (2920 PoE) switch.  It's currently using a VLAN with no IP address associated and has ports connected to the two routers.
The two other vlans we have are for voice and data and each vlan has a connection to the firewall which has the two vlans configured.

The new provider would like to use trunk ports to get away from the multiple ports to multiple VLANs.   Any pointers here in terms of configuration on the switch, and whether this can be done without changing the existing config (should it all go wrong)?

Assessing Vulnerability from URL parameters

I am in the process of helping secure a .NET website against URL hacking. So I have spent some time adding a whitelist of valid domains and sub-domains. But what about query parameters?

My instincts are to add a second whitelist of valid query string parameters, but does that do anything to protect me?

I suppose a determined hacker could, with time and experimentation, find a query string param that has some exploitation value.

What do you think?

My worry is that a whitelist of query string params may be difficult to generate, as this website is quite large. And there is always a risk of rejecting a legitimate request. The query string exposure is about revealing key data in the URL, but I am asking whether there is value in asserting that each query string param is in a whitelist of such params?

So, this is a customer service versus hack risk, threat assessment. And if there is little or no measurable reduction in threat, then this parameter whitelist could cause more harm than good.
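One concrete form of the query string whitelist being debated above, as an added example that is not code from the question or from the site in question: a per-route allowlist mapping each accepted parameter name to a pattern its value must satisfy. Unknown names, duplicated names and values outside the pattern are rejected before the handler runs, and the rejection reason is returned so it can be logged. The routes, parameter names and patterns are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical per-route allowlist: parameter name -> regex its value must
# fully match. In a real application this table is generated from the route
# definitions so it does not drift from the code it protects.
ALLOWED_PARAMS = {
    "/search": {"q": r"[\w .\-]{1,100}", "page": r"[1-9]\d{0,3}"},
    "/account": {"id": r"\d{1,10}", "tab": r"(profile|orders|settings)"},
}


class QueryRejected(ValueError):
    """Raised with a short reason when a query string fails validation."""


def validate_query(route, query_string, allowlist=ALLOWED_PARAMS):
    """Return a dict of validated parameters for `route`, or raise QueryRejected.

    Unknown names, duplicated names and values that do not fully match their
    pattern are all rejected, so the handler only ever sees input of the shape
    it was written for. Percent-decoding happens in parse_qsl, so the pattern
    is applied to the decoded value the handler would actually receive.
    """
    if route not in allowlist:
        raise QueryRejected(f"no allowlist defined for route {route!r}")
    rules = allowlist[route]
    accepted = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name not in rules:
            raise QueryRejected(f"unknown parameter {name!r}")
        if name in accepted:
            raise QueryRejected(f"duplicate parameter {name!r}")
        if not re.fullmatch(rules[name], value):
            raise QueryRejected(f"value for {name!r} does not match its allowed pattern")
        accepted[name] = value
    return accepted


def check(route, query_string):
    """Non-raising wrapper: (True, params) on success, (False, reason) otherwise."""
    try:
        return True, validate_query(route, query_string)
    except QueryRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed requests: one well-formed, the rest each violating one rule.
    for route, qs in [("/search", "q=ipsec&page=2"),
                      ("/search", "q=ipsec&debug=1"),
                      ("/search", "q=a&q=b"),
                      ("/account", "id=42%27%20OR%201%3D1")]:
        print(route, qs, "->", check(route, qs))
```

The cost the question raises is real: every route needs an entry, and a missing entry rejects all of its requests, which is why the table should be derived from the routing code rather than maintained by hand. What the allowlist buys in return is that unexpected parameters never reach application code, and rejected requests become a log line a defender can count.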



Looking for Test URLs to try against my Anti-XSS code

Can you post some URLs, or a link to a site where I can get dozens of various URLs, that I can use to test against my Anti-XSS URL Hack code?

I need domains in the return URL, query string parameters, to see what my code can do.

I had an attack on my site last night and I was looking in /var/log/messages and I see these entries happening every second

Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] 

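A defender's way to turn log lines like the ones above into an alert, as an added example that is not part of the question or of any answer to it: the script parses saslauthd failure lines in the same format, counts failures per user name, and reports a burst once enough failures land inside a short window. The sample lines are constructed (host name, user names and the year are made up; the realm field is written as "[realm=]", which is an assumption about what the blank "[]" in the quoted lines stood for).

```python
import re
from collections import Counter, deque
from datetime import datetime

# Constructed sample in the saslauthd format quoted in the question. Host name,
# user names and the year are made up; "[realm=]" is an assumption about the
# blank "[]" field. The last line is a lone failure well after the burst.
SAMPLE_LOG = """\
Feb 12 10:53:56 mailhost saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 mailhost saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 mailhost saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 mailhost saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 mailhost saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 mailhost saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 mailhost saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 mailhost saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 12 11:30:00 mailhost saslauthd[2710]:                 : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

# Only the fields the detection needs: timestamp, pid, user name, service.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ saslauthd\[(?P<pid>\d+)\]:\s*:\s*"
    r"auth failure: \[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\]"
)


def parse_failures(text, year=2018):
    """Return (timestamp, user, service) for every auth-failure line.
    syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["service"]))
    return events


def failures_per_user(events):
    """Attempts per user name: one or two each across many names is the
    spraying pattern; many against a single name is a classic brute force."""
    return Counter(user for _, user, _ in events)


def find_bursts(events, window_seconds=60, threshold=5):
    """Sliding window over time-ordered events. A burst opens when at least
    `threshold` failures fall inside `window_seconds` and closes when the
    window drains; each burst is reported once with its span, size and names."""
    window = deque()
    bursts = []
    active = False
    for ts, user, _ in sorted(events):
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            if not active:
                active = True
                bursts.append({"start": window[0][0], "end": ts,
                               "count": len(window),
                               "users": {u for _, u in window}})
            else:
                burst = bursts[-1]
                burst["end"], burst["count"] = ts, burst["count"] + 1
                burst["users"].add(user)
        else:
            active = False
    return bursts


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print(failures_per_user(evs))
    for b in find_bursts(evs):
        print(f"{b['count']} failures {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S} "
              f"across {len(b['users'])} user names: {sorted(b['users'])}")
```

The lines on this page do not show a source address, so the script keys on time and user name only; where the log does carry the client address, adding it to the window key is what lets the same logic feed a per-source block rule such as fail2ban's.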

Using Telerik FiddlerCore to make our .NET website more secure

I just learned that FiddlerCore provides much of the functionality of Fiddler, but without the UI. And it seems this is a library designed to be incorporated into .NET programs.

I am looking for ways to reduce the chance that a hacker makes a successful penetration into our website, so using FiddlerCore is interesting to me.

Is this something to be including in the Release version of the website? If so, please explain what kinds of services it could provide?

I like having advanced functionality under the covers, but only so long as it protects me while not adding some new exposure.

I'd love to hear  your thoughts...

I am having some issues with some phones and was hoping someone could point me in the right direction. I am not a phone guy by any means, so excuse any mistakes or anything that is unclear. Our past setup was as follows:

Site A - Sonicwall NSA 250 M with Avaya IP Office 8.1
Site B - Sonicwall TZ 205 with 20x Avaya 9608 phones

The sites are connected via a Site to Site VPN.

A week or so ago, we swapped out Firewalls. We moved Site A's to Site B, and put a Sonicwall NSA 2600 at Site B. We did a simple export/import of configs. Even though they were different Firewall models, Sonicwall documentation said it was supported, and we haven't had any issues. Except one.

Our phones seem to experience call dropping and quality issues. We get 10x dropped calls a day, and inside IP Office I can see Quality of Service Alarms going off like crazy.

I have set up QoS and BWM on both sides of the Firewalls, I don't believe bandwidth is the issue.  It's ONLY my remote phones at Site B, which are all H.323 phones. But if someone from Site A calls Site B, there is a chance it will drop as well. Site A can call Site A all day, or externally, no issues. I played around with H323 transformations on the Sonicwall, and that actually seemed to fix the issue, but after enabling it my phones would deregister themselves after a few hours, and would not re-register.

I have set up wireshark on both ends, nothing out of the ordinary, no increase of traffic when issues comes up. …
My OS is Win10 Pro 64-bit.  Due to recent security hacking on my PC, I am thinking if NordVPN would provide the security preventing everyone from entry.  I have Avast Premier protection.  Or can I use ZoneAlarm or some other software?  Thank you and regards.

My OS is Win 10 Pro 64-bit.  My PC is a Lenovo M72e.   I use Verizon DSL and the PC is connected via a modem, which has about 5 ports, allowing for Ethernet connection.  Last week a hacker managed to hack into my PC.  My question is, if I were to change the port which the Ethernet cable is connected to, can the hacker get into my PC again?  I have Avast security protection and the OS's own.  Thank you
Anti-XSS Test Tool plan for Firefox

We need to support Firefox only, so I wonder if that limitation helps me to hone my list of options, as I seek an Anti-XSS Test Tool?

I would consider at least:

and review:

plus whatever else you suggest for me to consider. So, I wonder if the fact that our site is limited to Firefox support helps us find a smaller set of AntiXSS test tools from which to choose?

I added a Content-Security-Policy that works in Firefox and Chrome but not Safari.  I am using Safari 10.1.2. In Safari I get the error:
“Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.”
So, I tried adding 'unsafe-inline' to style-src but I still get the error in Safari.  I have some hashes in style-src (that were provided by Chrome), and when I get rid of the hash, Safari gives no errors as long as I have 'unsafe-inline' written.  If I put the hash back in, I get the error again in Safari.  The other browsers work fine.  Does anyone know what I can do to get the Content-Security-Policy working in Safari?  Any help is greatly appreciated!
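An added example, not code from the question or from any browser vendor, showing how a CSP hash source is derived and how a CSP Level 2 source list is evaluated for an inline style: once a hash or nonce appears in style-src, 'unsafe-inline' is ignored, so a listed hash that does not match the exact text of the inline block is rejected even with 'unsafe-inline' alongside it. The inline style text and directive values are constructed. Two caveats worth checking against a page like the one described: the hash covers the exact bytes between the <style> tags, so a template that re-indents or re-wraps the block changes the hash, and in CSP Level 2 a hash only covers a <style> element, not a style attribute.

```python
import base64
import hashlib

# Constructed inline style used for the demonstration.
INLINE_STYLE = "body { color: #333; }"
HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash(content, algo="sha256"):
    """Build the hash source for an inline block: 'sha256-<base64 digest>'.
    The digest is over the exact text between the opening and closing tag,
    so a changed space or newline yields a different, non-matching hash."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_allowed(directive_value, content, nonce=None):
    """Decide whether an inline block passes a style-src (or script-src)
    source list under CSP Level 2: hash and nonce sources, when present,
    take precedence and make 'unsafe-inline' inert. Returns (allowed, reason)."""
    sources = directive_value.split()
    strict_prefixes = ("'nonce-",) + tuple(f"'{algo}-" for algo in HASH_ALGOS)
    strict = any(src.startswith(strict_prefixes) for src in sources)
    if strict:
        if nonce is not None and f"'nonce-{nonce}'" in sources:
            return True, "nonce matched"
        for algo in HASH_ALGOS:
            if csp_hash(content, algo) in sources:
                return True, f"{algo} hash matched"
        return False, ("directive lists a hash or nonce but none matched this "
                       "block; 'unsafe-inline' is ignored in that case")
    if "'unsafe-inline'" in sources:
        return True, "'unsafe-inline' honoured (no hash or nonce in directive)"
    return False, "no source permits inline content"


if __name__ == "__main__":
    h = csp_hash(INLINE_STYLE)
    print("style-src 'self'", h)
    print(inline_allowed(f"'self' {h}", INLINE_STYLE))
    # Same directive plus 'unsafe-inline', but the block was re-indented by
    # the template engine: the hash no longer matches and 'unsafe-inline'
    # does not rescue it.
    print(inline_allowed(f"'self' 'unsafe-inline' {h}", "  " + INLINE_STYLE))
```

When a hash copied from one browser's console is rejected by another, comparing csp_hash() of the served block with the value in the header tells you whether the block itself differs between what the two browsers received.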
Looking for a tool to test XSS Vulnerabilities on our site

I need to find a tool we can run which will enable us to help find XSS Vulnerabilities and to test our Anti-XSS fixes.

What can you suggest?

We used to use Cisco 1941-SEC, Cisco 3945-SEC etc. for IPSEC VPN internet connections. Since then Cisco has moved over to ISR Series Cisco 4321-AX, Cisco 4331-AX etc. What is the equivalent security-bundled CPE for the ISR 4200 series? I hope we do not have to buy the security licenses separately.

I need a combination of best practices and a description of how the underlying exploitations of cross site scripting attacks work.

I have a domain that is spread out over 15-plus offices scattered around the globe.  All the offices have IPSec connectivity back into Corporate.  Each of the satellite offices has a domain controller onsite.  My problem is this.  When I do an nslookup from our corporate site to, or attempt to ping or resolve from corporate, I am getting routed to any of the other domain controllers and not specifically to the ones located on my site.  This is also happening on my other sites.  For example, in Australia, where I have a DC and DNS server, I get resolution to other offices when referencing the domain.  What I want is, when I am in an office, for the system to resolve the domain to the local servers first and only pass to another location should the local devices be unavailable.  We have set this up in Sites and Services and thought we had it, but DNS just isn't cooperating.

I had created a site-to-site VPN between a pfSense and a SonicWall TZ400. The VPN is up, no problem. The only thing is that I cannot open resources like folders, RDP or ping from one side to the other. Anybody know where I should look to fix this issue?

I've got a single person in an office location who needs to access a LOB application at site A and a different LOB application at site B via RDP.

Site A and B don't need to communicate with one another.

What would the most efficient and cost effective way to be to accomplish this, preferably using Sonicwall equipment?
I built a LAN-to-LAN VPN between two companies, both on ASA5510, but when I finished configuring, I ran 'show crypto isakmp sa'
and it displayed 'there are no isakmp'.
When I ran 'packet-tracer input inside tcp 80 80', the VPN tunnel came up successfully and 'show crypto isakmp sa' had some content:
1   IKE Peer: a.a.a.a
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE    

and the two companies could access each other, but a strange thing appeared: after 10 minutes the VPN tunnel dropped and 'there are no isakmp' appeared again. I could not run packet-tracer every 10 minutes; with another method, using a server to ping the opposite server all the time, the tunnel won't drop.

Here is the configuration:
asa5510 A:
access-list QM-test extended permit ip
access-list acl_nat0 extended permit ip
nat (inside) 0 access-list acl_nat0
crypto ipsec transform-set test-QM esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address QM-test
crypto map mymap 10 set peer a.a.a.a
crypto map mymap 10 set transform-set test-QM
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
I have been trying to work with Sonicwall support on this issue and have made no progress.  We have been using the appliance in the past with split tunnel enabled but, due to security requirements, we can no longer allow split tunnel.  If we turn it off, remote users can access the internal resources we have configured, but cannot access anything on the Internet. It seems that we need to create a resource which is "anything" on the Internet, but we don't know how to do that. We don't see any kind of wildcard options.  We have not given our users access to "Any" resource.  We need to specifically define the resources they have access to.  We need an "Internet" resource and then we can give them access to that.  Is this possible?  Or is there some other way to approach this?

Sonicwall support had us upgrade the firmware to 11.40-468 with the 708 hotfixes, but that did not create an option for resolving this requirement.

We're using a Cisco RV320 at one of our locations.
It's primarily used for two hardware VPNs using IPSec.  Tunnel 1 goes to our hosted server (which has no issues) and Tunnel 2 goes to a Rogers-hosted server.

Recently, the Rogers-hosted server location changed their WAN IP.  Therefore, I rebuilt Tunnel 2 to point to the new WAN IP and was able to establish the connection and the tunnel went UP.  All remote LAN IPs and IPSec protocols remained the same; the only change was the WAN IP.

Since this change, accessing remote server resources on Tunnel 2 is intermittent, i.e. in the morning it will be inaccessible, but for a few hours in the afternoon it will be accessible.  During this whole time, VPN Tunnel 2 remains UP and doesn't go down; we just cannot communicate with the remote LAN IP.

I asked the Rogers tech to change back to the old remote WAN IP for testing.  As soon as we changed back to the old remote WAN IP, all resources became available again.  We then changed back to the new remote WAN IP and server resources once again became unavailable.  During these VPN changes, I've made sure to reboot our Cisco RV320 numerous times as well as rebuild this tunnel.

In addition to this, we have 4 other locations with the same Cisco RV320 on the same firmware connecting to the old remote WAN IP of the Rogers-hosted server.  We briefly tested the remote WAN IP change on another router's Tunnel 2, and the same issue occurred as it did on the first one.

My …
The Sonicwall OS is 5.x. This is just the base router, no extra licenses for IPS, malware etc. I recently set up L2TP VPN for a couple of users, using a long and complex pre-shared secret, and each has a very long and complex password. I have been blocking obvious attempts from IP addresses trying to access a webcam port, using the info I found on how to do that, but blocking an IP address from the WAN doesn't seem to affect the efforts of a couple of outsiders trying to access via L2TP. I see the failed messages from the different stages, but they keep trying, and adding their IPs to my 'Blocked IPs' address object group has no effect.
I want to be able to deny them access to even try to authenticate and get them out of the logs - like blocking IP addresses.
Anyone savvy on the SonicWALL as to how to prevent attempted L2TP connections from undesired sources? Is there a way to create access rules to block from L2TP to ANY or LAN, we have the network on the X0 interface.
My understanding is there is a VPN access list on the SonicWALL - but it does not apply to L2TP.
Thank you!
