Thursday, 18 June 2020

SSL/TLS Handshake process


Digital Certificate

#what_is_digital_signature??
#How_digital_signature_works??
#Asymmetric_vs_Symmetric_Encryption
#Digital_certificate??
I will explain everything here but...
First let's understand cryptography. If the same key is used both to encrypt the data and to decrypt it, it is called symmetric encryption and the key is called a symmetric key, for example our normal home locking keys. But if one key is used to encrypt the data and another key to decrypt it, or vice-versa, then it is called asymmetric encryption and the keys are called asymmetric keys [i.e. a private and a public key].

Suppose key1 is used to encrypt the data; then key2 will be used to decrypt that data. But key2 can also be used to encrypt the data, in which case key1 will decrypt it. Meaning: data encrypted by key1 can ONLY be decrypted by key2, and data encrypted by key2 can ONLY be decrypted by key1, provided that key1 and key2 are a pair of asymmetric keys. Let me elaborate further. Suppose I want secure communication with my friend. What I would do is encrypt the message using key1 and send it to him/her, and s/he will use key2 to decrypt that message. So, in this example key1 is my private key and key2 is my public key. Again, if my friend wants to send me a message, s/he will use key2 to encrypt the message and send it to me, and after receiving it I will decrypt it using key1. So, in this case key2 is my friend's private key and key1 is my friend's public key. Though it depends on the situation and the frame of reference,
IN GENERAL you can understand the private key as the key used to encrypt the data and the public key as the key used to decrypt the data. IN GENERAL, okay?
So far you have understood symmetric and asymmetric cryptography.

Now let's understand the digital signature and the digital certificate. But first we need to know why they are needed. We need them mainly for digital verification, i.e. to verify whether a message really comes from an authentic source or not. In many cases the message might have been modified or altered by an attacker using a man-in-the-middle attack. So the concept of a digital signature helps to verify the original sender of a message or the original issuer of a document. But let me clear up one misconception first: a digital certificate is NOT a scanned picture of a document, as many people might think. A digital certificate
is an electronic document used to prove the ownership of a public key.
Let's understand it with an example. Suppose I completed my B.E. and TU [my university] gave me my marksheet in the form of a digital certificate. What TU will do
for that is convert all of my details like name, symbol no., marks, etc., in fact the whole data of my marksheet, into a hash code. AND UNDERSTAND ONE THING: A HASH IS A NON-REVERSIBLE FUNCTION, SO ANY DATA PASSED THROUGH A HASH FUNCTION CANNOT BE REVERSED TO RECOVER THE ORIGINAL DATA. IT IS A ONE-WAY FUNCTION.
Now my marksheet data is in the form of a hash code, right?
So, after converting the whole data of my marksheet into a hash code, the NEXT STEP TU WILL TAKE IS TO ENCRYPT THAT HASH CODE USING ITS PRIVATE KEY. THIS PROCESS OF ENCRYPTING THE HASH CODE OF ANY CERTIFICATE DATA, OR ANY IMPORTANT DATA, USING THE ORGANISATION'S PRIVATE KEY IS CALLED A DIGITAL SIGNATURE, OR SIGNING A CERTIFICATE DIGITALLY.
Now TU will give me the DIGITAL CERTIFICATE of my marksheet, which will contain three things [it will contain other details too, but those are additional; the main ones are these three]:

[1] Unencrypted plain data, exactly as it is in my marksheet.

[2] The hash code of the marksheet data, along with the name of the hash function used (MD5, SHA, etc.).

[3] The encrypted form of that hash code, encrypted using the issuer's private key.

Now suppose I apply for a job at any telecom company and show them my digital certificate. To verify it, what they will do is: they will pass the details of no. 1 above through th
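To make the issue-and-verify flow concrete, here is an added Python example (not code from the original post). It uses textbook RSA with tiny constructed primes so the "encrypt the hash with the private key, decrypt it with the public key" arithmetic is visible; the issuer key pair standing in for TU, the sample marksheet fields and the second (untrusted) key pair are all constructed for this illustration, and real issuers use 2048-bit or larger keys, padded signature schemes and X.509 encoding instead.

```python
"""Toy issue/verify flow for a marksheet digital certificate.

Textbook RSA with tiny constructed primes keeps the arithmetic visible;
real issuers use 2048-bit+ keys, padded signatures and X.509 encoding."""
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) for two primes p, q (toy sizes only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse, needs Python 3.8+
    return (e, n), (d, n)


# Constructed key pair standing in for the issuer "TU" (hypothetical values).
TU_PUBLIC_KEY, TU_PRIVATE_KEY = make_keypair(104729, 1299709)


def canonical(details: dict) -> bytes:
    """Serialise the marksheet fields in a fixed order so that issuer and
    verifier hash exactly the same bytes."""
    return "\n".join(f"{k}={details[k]}" for k in sorted(details)).encode()


def hash_to_int(data: bytes, hash_alg: str, n: int) -> int:
    """One-way hash of the plain data as an integer below the modulus n.
    Reducing mod n is a toy shortcut: real keys are larger than the digest
    and a padding scheme (PKCS#1 v1.5 or PSS) is applied instead."""
    digest = hashlib.new(hash_alg, data).digest()
    return int.from_bytes(digest, "big") % n


def issue_certificate(details: dict, private_key=TU_PRIVATE_KEY,
                      hash_alg: str = "sha256") -> dict:
    """Issuer side: hash the data, then 'encrypt' the hash with the private
    key. The result carries the three parts listed in the post."""
    d, n = private_key
    h = hash_to_int(canonical(details), hash_alg, n)
    return {
        "data": details,               # [1] plain marksheet data
        "hash_alg": hash_alg,          # [2] hash value + algorithm name
        "hash": h,
        "signature": pow(h, d, n),     # [3] hash signed with issuer's private key
    }


def verify_certificate(cert: dict, public_key=TU_PUBLIC_KEY) -> bool:
    """Verifier side (the employer): re-hash [1], 'decrypt' [3] with the
    issuer's public key, and accept only if both equal [2]."""
    e, n = public_key
    recomputed = hash_to_int(canonical(cert["data"]), cert["hash_alg"], n)
    recovered = pow(cert["signature"], e, n)
    return recomputed == cert["hash"] == recovered


# Constructed sample marksheet (not real data).
MARKSHEET = {"name": "Example Student", "symbol_no": "12345", "marks": "78"}


def demo() -> dict:
    """Run the genuine, altered and wrongly-signed cases; return the outcomes."""
    genuine = issue_certificate(MARKSHEET)

    # Plain data altered after issuance: the re-computed hash no longer
    # matches the stored hash, so the certificate is rejected.
    altered = dict(genuine, data=dict(MARKSHEET, marks="99"))

    # Signed with some other (constructed) key pair: checking the signature
    # against TU's public key fails, so the certificate is rejected.
    _, other_private = make_keypair(999983, 1000003)
    wrong_signer = issue_certificate(MARKSHEET, private_key=other_private)

    return {
        "genuine": verify_certificate(genuine),
        "altered": verify_certificate(altered),
        "wrong_signer": verify_certificate(wrong_signer),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:13s} -> {'VALID' if ok else 'REJECTED'}")
```

The wrong-signer case is the reason the verifier must obtain the issuer's public key from a trusted source rather than from the certificate being checked: the signature only proves that whoever holds the private key matching that public key produced it.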

Tuesday, 16 June 2020

Load balancing vs Load sharing

Load balancing:
Sending an equal amount of traffic over the links.
Load sharing:
Sending unequal amounts of traffic over the links.

Difference between one-arm and two-arm mode

The main difference between one-arm and two-arm mode is:

In one-arm mode, the VIP and the nodes are in the same subnet.
In two-arm mode, the VIP and the nodes are in different subnets.
One-arm mode: The traffic the client initiates reaches the load balancer that holds the virtual (load-balanced) IP. The load-sharing algorithm picks a physical server, and the load balancer forwards the traffic with the destination IP NATed to the physical IP of that server, out of the same interface it arrived on, towards the physical server.
SNAT is required in both deployments, one-arm and two-arm, to keep the return path symmetric.
The load balancer also needs to NAT the source IP so that the server's reply goes back to the load balancer and not directly to the client, which is not expecting a reply from the physical server's IP. From the physical server's perspective, all traffic comes from the load balancer.

One-Arm Mode


One-arm means only a single interface of the F5 is used, i.e. a common VLAN/subnet for clients and servers. That's why it's called one-arm mode. Look at the picture again and you will see that only one interface of the F5 is used.

Two-Arm Mode

Two-arm means two interfaces are used. Look at the picture again and you will see the two interfaces of the F5.

Saturday, 13 June 2020

F5 que

What is intelligent SNAT and what is the use case of iSNAT?
Ans: It's just iRule-based SNAT.
An example case is when your downstream consists of different clients, e.g. your pool members are routers: when the destination is A, use SNAT pool A; when it is B, use SNAT pool B.

But it's basically any scenario where you need more than a single SNAT configuration for traffic leaving a virtual server.

Or you need overrides. Say there is a test call used to test the web -> app -> db framework, so the firewall rules are set up to allow this test only from specific source addresses. Normal customer traffic gets whatever SNAT is assigned to the virtual server; when the test HTTP call is detected, the iRule can override it with a different SNAT address that is specifically permitted for testing.

Intelligent SNAT just means YOU define the rules for when it is applied.

Thursday, 11 June 2020

F5 Questions

Some important F5 questions:

1. SNAT benefits
2. Which functions can be offloaded?
3. Deployment methods on F5: one-armed, two-armed, nPath
4. AVR metrics
5. Virtual server precedence
6. LTM device security config to protect against DDoS
7. Enable security on an F5 VS: how is the VS listening, and where?
8. SNAT pool over SNAT automap
9. Different types of VS
10. Translation of VS to pool member: which setting?
11. GTM and LTM difference
12. Priority activation group
13. UCS and SCF
14. Multiple clientssl profiles on a VS
15. GA in GTM and the equivalent in LTM

Monday, 1 June 2020

F5

1-) SSL Offloading: Client-to-F5 traffic is encrypted, SSL terminates on the F5, and clear-text traffic goes from the F5 to the server. A ClientSSL profile is needed and an HTTP monitor is used for the servers. You can also add an HTTP profile and optimise traffic at Layer 7. Cookie persistence can be used.

2-) SSL Bridging: Client-to-F5 traffic is encrypted, and F5-to-server traffic is encrypted as well, but each side has a separate SSL session. ClientSSL and ServerSSL profiles are needed, and an HTTPS monitor is used for the servers. You can also add an HTTP profile and optimise traffic at Layer 7. Cookie persistence can be used.

3-) SSL Passthrough: The F5 only load balances traffic at the TCP level and SSL terminates on the servers. You should NOT add ClientSSL or ServerSSL profiles. You CANNOT use an HTTP profile, therefore you CANNOT optimise Layer 7 traffic. Cookie persistence CANNOT be used.
