mentioned, require different protection schemes which are not covered in this
whitepaper. This whitepaper is \textbf{not} an introduction to cryptography
on how to use PGP nor SSL. For background information on cryptography,
-cryptoanalysis, PGP and SSL we would like to refer the reader to the list of
-books at the end of this document.
+cryptoanalysis, PGP and SSL we would like to refer the reader to the the chapters \ref{section:Tools}, \ref{section:Links} and \ref{section:Suggested_Reading} at the end of this document.
\vskip 0.5em
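Review bot: the added line has a doubled article, "refer the reader to the the chapters", and the three targets it points at (`section:Tools`, `section:Links`, `section:Suggested_Reading`) are `\section`s, not chapters, so "sections" is the right word; the labels those `\ref`s need are added further down in the same change, so the cross-references will resolve. While touching this sentence, "cryptoanalysis" (present in both the removed and the added line) should be "cryptanalysis".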
a complex topic as cryptography. There are many guides and best practice
documents available when it comes to cryptography, however none of them focuses
on what a system administrator needs to do precisely for his system to harden
-its security with respect to cipher suites. Therefore we focus on copy \&
-paste-able settings.
+its security with respect to cipher suites.
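Review bot: dropping "Therefore we focus on copy \& paste-able settings." leaves the preceding "however none of them focuses on what a system administrator needs to do precisely" hanging, because the paragraph no longer says what this document does differently. If the promise of copy-and-paste-able settings was withdrawn on purpose, replace it with a one-line statement of the document's approach; otherwise keep the sentence.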
\usepackage[english]{babel} % English language/hyphenation
\usepackage[protrusion=true,expansion=true]{microtype} % Better typography
\usepackage{amsmath,amsfonts,amsthm} % Math packages
-\usepackage[pdftex]{graphicx} % Enable pdflatex
+\usepackage[pdftex]{graphicx} % Enable pdflatex
%\usepackage[svgnames]{xcolor} % Enabling colors by their 'svgnames'
\usepackage[hang, small,labelfont=bf,up,textfont=it,up]{caption} % Custom captions under/above floats
\usepackage{epstopdf} % Converts .eps to .pdf
% custom changes:
\usepackage[usenames,dvipsnames,svgnames,table]{xcolor}
\usepackage{placeins}
-\usepackage{hyperref}
\usepackage{draftwatermark}
% human tables
% human tables
\usepackage{booktabs}
+
\renewcommand{\arraystretch}{1.25}
\definecolor{green}{RGB}{32,113,10}
%
% Comment out second line to disable.
\newcommand{\todo}[1]{}
-\renewcommand{\todo}[1]{{\color{red} TODO: {#1}}}
+\renewcommand{\todo}[1]{{\color{Red} TODO: {#1}}}
%%% Custom sectioning (sectsty package)
\date{\today}
+% hyperref needs to be the last package you load.
+\usepackage[pdftex,breaklinks,colorlinks,citecolor=blue,urlcolor=blue]{hyperref}
%%% Begin document
\begin{document}
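Review bot: the two `graphicx` lines near the top of this hunk are identical as displayed, so that part is a whitespace-only change that should either be dropped or mentioned in the commit message. Moving `hyperref` to the end of the preamble is the right fix (it patches commands of packages loaded before it, so it has to come last), but the explicit `pdftex` driver option is redundant, both `hyperref` and `graphicx` detect the engine themselves, and hard-coding it ties the build to pdflatex (an xelatex or lualatex build would trip over it). `\color{Red}` relies on the `dvipsnames`/`svgnames` options passed to `xcolor` a few lines above, which are present, so that change is fine; note that the unchanged `\definecolor{green}{RGB}{32,113,10}` silently overrides xcolor's predefined `green`, which is probably intended but deserves a comment.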
\usepackage[%
- shash={a02193b},
- lhash={a02193bff5ec401117931e6ee3a9e6c36adbeb76},
- authname={Ulrich},
- authemail={ulrich.poeschl@bmlv.gv.at},
- authsdate={2013-11-20},
- authidate={2013-11-20 21:15:40 +0100},
- authudate={1384978540},
- commname={Ulrich},
- commemail={ulrich.poeschl@bmlv.gv.at},
- commsdate={2013-11-20},
- commidate={2013-11-20 21:15:40 +0100},
- commudate={1384978540},
- refnames={ (HEAD, master)}
+ shash={cd60668},
+ lhash={cd60668d65c7d16f5da48bb5a9ad75167c3247a2},
+ authname={Adi Kriegisch},
+ authemail={adi@kriegisch.at},
+ authsdate={2013-11-21},
+ authidate={2013-11-21 10:16:56 +0100},
+ authudate={1385025416},
+ commname={Adi Kriegisch},
+ commemail={adi@kriegisch.at},
+ commsdate={2013-11-21},
+ commidate={2013-11-21 10:16:56 +0100},
+ commudate={1385025416},
+ refnames={ (HEAD, origin/master, origin/HEAD, master)}
]{gitsetinfo}
\ No newline at end of file
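Review bot: every key in this block (short and long hash, author and committer name, e-mail and dates, ref names) is derived from the current git commit, so the whole file will be rewritten in every commit and show up in every diff; consider generating it at build time and keeping it out of version control instead of committing the regenerated copy each time.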
\section{Links}
-
+\label{section:Links}
%% NOTE: this should re restructured...
Within enterprise networks and corporations with increased levels of paranoia or at least some defined security requirements it is common, NOT to allow direct connections to the public internet.
-For this reason proxy-solutions are installed, to intercept and (hopefully also) scan the traffic for potential threats within the sessions.
+For this reason proxy-solutions are installed, to intercept ans (hopefully also) scan the traffic for potential threats within the sessions.
As soon as one wants to establish an encrypted connection to a server, there are three choices:
\item Intercept (i.e. terminate) the session at the proxy, scan there and re-encrypt the session towards the client.
\end{itemize}
-While the last solution might be the most "up to date", it arises a new front in the context of this paper, because the most secure part of a client's connection could only be within the corporate network, if the proxy-server handles the connection to the destination server in an insecure manner.
+While the latest solution might be the most "up to date", it arises a new front in the context of this paper, because the most secure part of a client's connection could only be within the corporate network, if the proxy-server handles the connection to the destination server in an insecure manner.
Conclusio: Don't forget to check your proxy solutions ssl-capabilities. Also do so for your reverse-proxies!
\subsubsection{Bluecoat}
\todo{sure?}
+\subsubsection{Pound}
+% See http://www.apsis.ch/pound
+% See https://help.ubuntu.com/community/Pound
+
+Pound 2.6
+
+\begin{lstlisting}[breaklines]
+# HTTP Listener, redirects to HTTPS
+ListenHTTP
+ Address 10.10.0.10
+ Port 80
+ Service
+ Redirect "https://some.site.tld
+ End
+End
+## HTTPS Listener
+ListenHTTPS
+ Address 10.10.0.10
+ Port 443
+ AddHeader "Front-End-Https: on"
+ Cert "/path/to/your/cert.pem"
+ ## See 'man ciphers'.
+ Ciphers " TLSv1.2:!SSLv3:!SSLv2:AES256:!aNULL:!eNULL:!NULL"
+ Service
+ BackEnd
+ Address 10.20.0.10
+ Port 80
+ End
+ End
+End
+\end{lstlisting}
\ No newline at end of file
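Review bot: in the new Pound listing, `Redirect "https://some.site.tld` is missing its closing quote, and the `Ciphers` value needs a second look: the keywords in an OpenSSL cipher string select cipher suites, not protocol versions, so `!SSLv3:!SSLv2` only removes suites tagged with those versions; relying on that to keep old protocols off the listener is implicit and fragile, and the protocol should be switched off explicitly (Pound's listener-level `Disable` directive, if the deployed version supports it). A bare `AES256` keyword adds suites rather than restricting to them, so `TLSv1.2:!SSLv3:!SSLv2:AES256:...` ends up permitting every TLS 1.2 suite, AES-128 included; if AES-256 only is the intent, use the intersection `TLSv1.2+AES256`. The leading space inside the quotes is tolerated as a separator but should go, and `!NULL` duplicates `!eNULL`. The listing uses a `lstlisting` environment, yet no `\usepackage{listings}` appears in the preamble hunk above, so confirm it is loaded elsewhere. The prose edits in this hunk also introduce two regressions: "intercept ans (hopefully also) scan" should stay "and", and "While the latest solution" should stay "the last solution", since it refers to the final option of the list, not the newest one; "it arises a new front" would read better as "it opens a new front". On the unchanged line that follows, "Conclusio:" should be "Conclusion:".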
\section{Suggested Reading}
-
+\label{section:Suggested_Reading}
This section contains suggested reading material for the reader.
\begin{itemize}
\section{Tools}
-
+\label{section:Tools}
This section lists tools for checking the security settings.
\subsection{SSL \& TLS}