Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


Looking for a cost-effective, appliance-based VPN solution (preferably clientless) for small business.

We have a number of small clients for whom we have been using the Netgear FVS-336s with a lot of success, but they are no longer supporting it.
Some users remain on for as much as 8-10 hours per day.


We use Titan FTP Server v11.x.
We are having an issue where a client's IP keeps getting blacklisted.
In the logs, I can see that they are logging in with the wrong user ID one time and immediately getting banned.
In the settings at user level I have turned off the option to ban after X attempts, and added their IP to the client-level whitelist.

The logs below show the user getting banned. Any idea why the action is so quick and severe? Any way to make it a little more forgiving?

2018-03-01 12:53:37 [2/1256/84c] New incoming connection from IP address:, port: 40982, socket=1488
2018-03-01 12:53:37 [2/1256/84c] OnPostCreation(pBaseCxn=0x852fb80,socket=1488), sending the '220 Welcome' message
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 220 Titan FTP Server 11.30.2350 Ready.
2018-03-01 12:53:37 [2/1488/84c] COMMAND: USER [] ***
2018-03-01 12:53:37 [2/1488/84c] Trying to find
2018-03-01 12:53:37 [2/1488/84c] User "" not found, we will fail in PASS.; returning 331
2018-03-01 12:53:37 [2/1488/84c] FindUserEx("") returned Success.
2018-03-01 12:53:37 [2/1488/84c] Adding random sleep activity for 23ms to deter hacker from realizing username is invalid
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 331 User name okay, need password.
2018-03-01 12:53:37 [2/1488/84c] COMMAND: PASS <hidden>
2018-03-01 12:53:37 [2/1488/84c] User 


Does Microsoft's Anti-XSS Library block:

HTTP Splitting and Cache Poisoning?

These are new concepts to me, so surely I need to spend more time reading this article:

If you have the time... :)

Which vulnerability is NOT blocked by Microsoft's Anti-XSS Library?

How Vulnerable are query string parameters and their values?

I am curious how vulnerable a website is to hacking that has little validation on the query string params.

Some argue that:
1) an unrecognized query string parameter can do no harm
2) it's too much work, since the program is always in flux, so the "poor stepchild" would not keep up
3) the code to block this (locally at least) is fragile and will always delay a solid release
4) there will be many more failed log-ins than blocked hackers

What are your thoughts on this topic?

And how does using a Web Application Firewall change the discussion?

It seems that if the benefits to security were small or non-existent, the Security Industry would not waste its time closing this vulnerability.

We are in the process of changing our 3x site IPsec VPN to MPLS in a staged migration, so a single firewall.

Stage one is to get site 1 on MPLS first and leverage some of the newer features of the hosted firewall while still routing traffic across the site to site vpns accordingly.

The first change we (on prem) need to do is reconfigure a number of ports in the switch to accommodate the new on-prem router(s).

Currently we have HSRP (I think) on the CPE which terminates on the HP L3 (2920 PoE) switch. It's currently using a VLAN with no IP address associated and has ports connected to the two routers.
The two other VLANs we have are for voice and data, and each VLAN has a connection to the firewall, which has the two VLANs configured.

The new provider would like to use trunk ports to get away from the multiple ports to multiple VLANs. Any pointers here in terms of configuration on the switch, and whether this can be done without changing the existing config (should it all go wrong)?

Assessing Vulnerability from URL parameters

I am in the process of helping secure a .NET website against URL hacking. So I have spent some time adding a whitelist of valid domains and sub-domains. But what about query parameters?

My instincts are to add a second whitelist of valid query string parameters, but does that do anything to protect me?

I suppose a determined hacker could, with time and experimentation, find a query string param that has some exploitation value.

What do you think?

My worry is that a whitelist of query string params may be difficult to generate, as this website is quite large. And there is always a risk of rejecting a legitimate request. The query string exposure is about revealing key data in the URL, but I am asking whether there is value in asserting that each query string param is in a whitelist of such params?

So, this is a customer service versus hack risk, threat assessment. And if there is little or no measurable reduction in threat, then this parameter whitelist could cause more harm than good.



Looking for Test URLs to try against my Anti-XSS code

Can you post some URLs, or a link to a site where I can get dozens of various URLs, that I can use to test against my Anti-XSS URL hack code?

I need domains in the return URL and query string parameters, to see what my code can do.

I had an attack on my site last night and I was looking in /var/log/messages and I see these entries happening every second:

Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] 


Using Telerik FiddlerCore to make our .NET website more secure

I just learned that FiddlerCore provides much of the functionality of Fiddler, but without the UI. And it seems this is a library designed to be incorporated into .NET programs.

I am looking for ways to reduce the chance that a hacker makes a successful penetration into our website, so using FiddlerCore is interesting to me.

Is this something to be included in the Release version of the website? If so, please explain what kinds of services it could provide.

I like having advanced functionality under the covers, but only so long as it protects me while not adding some new exposure.

I'd love to hear your thoughts...

I am having some issues with some phones and was hoping someone could point me in the right direction. I am not a phone guy by any means, so excuse any mistakes or anything that is unclear. Our past setup was as follows:

Site A - Sonicwall NSA 250 M with Avaya IP Office 8.1
Site B - Sonicwall TZ 205 with 20x Avaya 9608 phones

The sites are connected via a Site to Site VPN.

A week or so ago, we swapped out Firewalls. We moved Site A's to Site B, and put a Sonicwall NSA 2600 at Site B. We did a simple export/import of configs. Even though they were different Firewall models, Sonicwall documentation said it was supported, and we haven't had any issues. Except one.

Our phones seem to experience call dropping and quality issues. We get 10x dropped calls a day, and inside IP Office I can see Quality of Service Alarms going off like crazy.

I have set up QoS and BWM on both sides of the firewalls; I don't believe bandwidth is the issue. It's ONLY my remote phones at Site B, which are all H.323 phones. But if someone from Site A calls Site B, there is a chance it will drop as well. Site A can call Site A all day, or externally, with no issues. I played around with H.323 transformations on the SonicWall, and that actually seemed to fix the issue, but after enabling it my phones would deregister themselves after a few hours and would not re-register.

I have set up Wireshark on both ends; nothing out of the ordinary, no increase of traffic when the issues come up. …

My OS is Win10 Pro 64-bit. Due to recent security hacking on my PC, I am wondering if NordVPN would provide the security preventing everyone from entry. I have Avast Premier protection. Or can I use ZoneAlarm or some other software? Thank you and regards.
Anti-XSS Test Tool plan for Firefox

We need to support Firefox only, so I wonder if that limitation helps me to hone my list of options, as I seek an Anti-XSS test tool?

I would consider at least:

and review:

plus whatever else you suggest for me to consider. So, I wonder if the fact that our site is limited to Firefox support helps us find a smaller set of Anti-XSS test tools from which to choose?

Looking for a tool to test XSS Vulnerabilities on our site

I need to find a tool we can run which will enable us to help find XSS Vulnerabilities and to test our Anti-XSS fixes.

What can you suggest?

We used to use the Cisco 1941-SEC, Cisco 3945-SEC etc. for IPsec VPN internet connections. Since then Cisco has moved over to the ISR series: Cisco 4321-AX, Cisco 4331-AX etc. What is the equivalent security-bundled CPE for the ISR 4200 series? I hope we do not have to buy the security licenses separately.

I need a combination of best practices and a description of how the underlying exploitations of cross-site scripting attacks work.

I have a domain that is spread out over 15-plus offices scattered around the globe. All the offices have IPsec connectivity back into Corporate. Each of the satellite offices has a domain controller onsite. My problem is this. When I do an nslookup from our corporate site to, or attempt to ping or resolve from corporate, I am getting routed to any of the other domain controllers and not specifically to the ones located on my site. This is also happening on my other sites. For example, in Australia, where I have a DC and DNS server, I get resolution to other offices when referencing the domain. What I want is, when I am in an office, for the system to resolve the domain to the local servers first and only pass to another location should the local devices be unavailable. We have set this up in Sites and Services and thought we had it, but DNS just isn't cooperating.

I had created a site-to-site VPN between a pfSense and a SonicWall TZ400. The VPN is up, no problem. The only thing is that I cannot open resources like folders, RDP or ping from one side to the other. Anybody know where I should look to fix this issue?

I've got a single person in an office location who needs to access an LOB application at site A and a different LOB application at site B via RDP.

Site A and B don't need to communicate with one another.

What would the most efficient and cost effective way to be to accomplish this, preferably using Sonicwall equipment?
The SonicWall OS is 5.x. This is just the base router, no extra licenses for IPS, malware etc. I recently set up L2TP VPN for a couple of users, using a long and complex pre-shared secret, and each has a very long and complex password. I have been blocking obvious attempts from IP addresses trying to access a webcam port, using the info I found on how to do that, but blocking an IP address from WAN doesn't seem to affect the efforts of a couple of outsiders trying to access via L2TP. I see the failed messages from the different stages, but they keep trying, and adding their IPs to my 'Blocked IPs' address object group has had no effect.
I want to be able to deny them access to even try to authenticate and get them out of the logs, like blocking IP addresses.
Anyone savvy on the SonicWALL as to how to prevent attempted L2TP connections from undesired sources? Is there a way to create access rules to block from L2TP to ANY or LAN? We have the network on the X0 interface.
My understanding is there is a VPN access list on the SonicWALL, but it does not apply to L2TP.
Thank you!

Dear Experts,

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key iocTOcioc address
crypto ipsec transform-set transet esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile vpn-profile
 set transform-set transet

I have these commands but they are not recognized on the ISR 4321. Are there alternate commands?
I have several Dell SonicWALLs in service, but with one of them, a TZ205 wireless-N, I can't remotely manage the SonicWall. I can connect to all computers at this remote location from a site-to-site VPN tunnel. If I connect to a PC behind that SonicWall I can then connect to and manage the SonicWall. This is an extra step that I don't want to have to deal with.

I've compared settings to my other SonicWalls, but none are the exact same model. As far as I can tell everything is the same.

What am I missing?
I got a /23 public subnet from my provider with their gateway within that subnet, x.x.91.1/23. I configured my FW with an IP address from that subnet, x.x.90.1, and ping is allowed on the FW outside interface. I am trying to set up an IPsec VPN from this site back to the HQ. From HQ and my PC at home, I can ping their gateway x.x.91.1 but cannot ping x.x.90.1. I checked in a looking glass BGP table and that subnet is routable on the Internet.
They said that everything is configured correctly on their end and the issue is from my end. I am not sure I agree with them, but I am not sure how to validate my argument. Thanks.

I am trying to submit a form on the NYC (New York City) website and I get an error:

You are coming from an invalid URL. Your request will not be processed. Please go to policy does not allow you to test online forms from remote servers or hard drives.

I tried IE, Chrome and Mozilla, all with the same results, except that in Mozilla when clicking submit I get a message:

The information you have entered on this page will be sent over an insecure connection and could be read by a third party, and it provides the following link.

It is not related to an antivirus program, since I uninstalled all of them and had the same result. I also tried from different locations and OSes.
Hey Guys,

Bit of a weird issue here.
I have a SonicWall TZ200; it is doing DHCP for the VPN users, and it also does VPN for the LAN users.
This is a simple one-subnet network and a two-interface firewall: 1 LAN and 1 WAN.

The strange thing is I have managed to get the VPN connecting for my test user; we are using Global VPN Client.
We are getting massive packet loss: I am pinging things on the LAN and losing something like 75% of packets.
The funny thing is some are going through, but all have big lag attached.

Unsure of what the issue is really yet.
My first thoughts are to do the below.
1) Use a manual IP on the virtual adapter
2) Change the version of sonicwall global vpn client

I am using a Windows 10 laptop for my test user who is connecting.

We are reviewing our internet connectivity with a view to simplifying and improving performance and security. We currently have 3 sites with Cisco routers and ASA firewalls on-premise running IPsec between them, with remote user VPNs terminating on two of them. We are not running any additional services on the firewalls. We also run SIP trunks into one of the offices, which traverse to another. QoS is on the routers and on-premise switches. Voice works well.
Still running many systems on prem and only have O365, no AWS/Azure yet.
We are looking at MPLS. Would this be a better fit? What about VPLS, SD-WAN, or sticking with on-premise firewalls with IPsec?
Any suggestions would be great.
