VMware Hosting

How to Prevent Faulty Microsoft SUSE Virtio Driver from Causing Your Windows Server 2012 & 2008 VM To Fail To Boot

Atlantic.Net NOC, December 10, 2015, in VMware Hosting

As part of the group of patches Microsoft rolled out with their Patch Tuesday offerings from 8 December 2015, there is one optional update to the SUSE Block Driver that is causing booting issues (i.e., blue screens of death, or BSODs) for virtual machines that install it. Until Microsoft offers a fix for this faulty patch, we STRONGLY ADVISE that you avoid applying this SUSE patch.

Finding the Driver Update

The SUSE driver update is part of the optional group of updates. To be sure you don’t inadvertently select it (or, if you already have optional updates selected automatically, install it), the safest course is to deselect and hide the SUSE updates.

You can find the update options in Windows 2008 and 2012 in Control Panel –> System and Security –> Windows Update. Select the link for “optional updates available”.

Finding Optional Updates


Deselect the Update

The faulty driver to look out for is called, “SUSE – Storage Controller – SUSE Block Driver for Windows”. As long as that line remains unchecked, your cloud server will be safe.

Hide the Update

If you’d like to be sure you don’t accidentally select this patch, you can hide it by right-clicking on the line and selecting “Hide Update” from the pop-up menu.

Hide Update Option


This action will hide the update from showing up the next time you open up your updates and examine optional updates.

For the Extra Cautious

The only driver update reported to be causing issues is the Block Driver. Until Microsoft issues a replacement patch that addresses the problems this one causes, you may also decide to avoid installing, or to hide, any SUSE patch for the time being.

Restoring Hidden Updates (After Microsoft Issues a Patch Fix)

When Microsoft does issue the new patch, you may restore any hidden patches from the menu item “Restore hidden updates” on the left side of the Windows Update screen.

Restore Hidden Updates


More About Atlantic.Net

Atlantic.Net offers world-class hosting solutions, including VMware hosting services.


How to Import a VM Export on Windows Server 2012

Jose Velazquez, July 17, 2015, in VMware Hosting
Verified and Tested 03/31/2015

Introduction

In this how-to we will walk you through importing a VM in Windows Server 2012. Click here for more information on how to export a Virtual Machine.

Prerequisites

– A Server with Windows Server 2012 running Hyper-V.

– The exported VM must be copied to the local host server prior to starting the import.

Importing a VM Export on Windows Server 2012

From Hyper-V Manager, click on the Hyper-V server and select Import Virtual Machine.


This is the output of the Import option in the Hyper-V Manager

Select the virtual machine folder path (This is the folder that contains the exported machine files).


This is the output that you will see in order to specify the Import location

Once you’ve selected the path, the next page will show the machine name on the Import Virtual Machine page. Select your VM and click Next.


This is the screenshot that you will see to select your virtual machine

Select the Import mode.

Note that exported files can be reused to clone additional VMs only by using the “Copy the virtual machine (create a new unique ID)” option.


This is the screenshot that you will see to Choose your Import Type

– Register the virtual machine in-place
– Restore the virtual machine
– Copy the virtual machine (because we want to reuse the export, we’re using this option)


This is the screenshot that you will see to specify the location where you want to import your VM

Select the Virtual Machine storage path to store virtual machine files. We’re using the default values here, but if you want to store your VMs in a specific folder, this is where you would make the change.


This is the screenshot that you will see after you Choose your VM location

Select the folder path in which to store the virtual machine hard disk.


This is the screenshot that you will see after you review and confirm your options

Review your configuration selection, and click on Finish to complete the import.

Congratulations! You have just imported a VM in Windows Server 2012. Thank you for following along in this how-to! Check back with us for any new updates, and try a VMware hosting solution.


How to Install FAMP (FreeBSD 10, Apache, MySQL, PHP) on a Cloud or VPS Server

Jose Velazquez, June 25, 2015, in VMware Hosting
Verified and Tested 06/15/15

Introduction

This how-to will help you with your FAMP installation on FreeBSD 10 so that you can run a highly available, stable platform for your web environment. FAMP is simply a software bundle that consists of 4 components that work together to form a powerful web server. In this setup the acronym breaks down as follows: FreeBSD (F) is the core of the platform, which sustains the other components; Apache (A) is used for the web service; MySQL (M) is used for database management; and PHP (P) is used as the programming language.

Prerequisites

You need a FreeBSD server that is configured with a static IP address. If you do not have a server already, you can visit our cloud hosting options page and spin a new server up in under 30 seconds.

Install FAMP on FreeBSD 10

To get started, log in to your FreeBSD server via SSH or through the VNC console. Atlantic.Net Cloud servers are set up as minimal installations to avoid installing packages that would never be used. If some software packages that you’re used to using aren’t installed by default, feel free to install them as needed. Let’s install nano so we can simplify this tutorial.

pkg install nano

Let’s make sure that your server is fully up-to-date so we can complete the preparation.

freebsd-update fetch
freebsd-update install


With the server up-to-date, we can continue the process and install FAMP on your server.

Install Apache on FreeBSD 10

Begin by installing Apache with the following command:

pkg install apache24

Enable and start the Apache service with the following commands:

sysrc apache24_enable=yes
service apache24 start

The main Apache configuration file, where you configure one or many websites according to your preference, is at the following location:

nano /usr/local/etc/apache24/httpd.conf

To verify and test the installation, create or edit the test HTML file at the following path with the command below:

nano /usr/local/www/apache24/data/index.html

Insert/replace the following code in the HTML file then save and exit:

<html>
<head>
<title>CONGRATULATIONS</title>
</head>
<body>
<h2>You have just installed Apache on your FreeBSD Server</h2>
</body>
</html>

You can now verify that Apache is installed correctly by typing http:// followed by your IP address in your browser (http://YOUR.IP.ADD.RESS). To get your server’s IP address, enter the following command:

ifconfig vtnet0 | grep "inet " | awk '{ print $2 }'

This is the test page created to verify Apache was installed correctly in FreeBSD

Restart the Apache service so the changes can take effect on your system.

service apache24 restart

Install MySQL on FreeBSD 10

Next, we install MySQL. After running the following command, confirm the installation by typing y and pressing Enter.

pkg install mysql55-server

Enable and start the MySQL service with the following commands:

sysrc mysql_enable=yes
service mysql-server start

To ensure the security of the default settings of MySQL, continue with the command below:

mysql_secure_installation

Note: When prompted with “Enter current password for root”, press Enter for none, then Y (Yes) to set the MySQL root password. You will then be prompted with a series of questions. Just type Y for yes on all of them; see the screenshot below:

This is the secure installation of screen when installing MySql on a FreeBSD FAMP Stack server


Install PHP on FreeBSD 10

Finally, we will conclude with the FAMP Stack by installing PHP and configuring it to work with Apache.

pkg install mod_php56 php56-mysql php56-mysqli

With PHP installed, we can go ahead and begin the preparation to configure it with Apache. Copy the sample PHP configuration file to the correct location.

cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Then run the following command so your shell picks up the newly installed commands.

rehash

Update the Apache Configuration file with the following command:

nano /usr/local/etc/apache24/httpd.conf

Locate the DirectoryIndex line and add index.php in front of the existing index.html, so Apache serves PHP index files. The line should look like the following:

DirectoryIndex index.php index.html

This is how the Apache configuration should look after adding index.php to the DirectoryIndex line

(Note: use Ctrl+W in nano to search for DirectoryIndex.)

Add the following lines at the bottom of the configuration file so Apache hands .php files to the PHP handler.

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>

Fantastic! You can now save the file and restart Apache so all your configuration changes take effect.

service apache24 restart

To verify and test the installation, create a test PHP file at the following path with the command below:

nano /usr/local/www/apache24/data/info.php

Insert the following PHP code in the empty file then save and exit:

<?php phpinfo(); ?>

Restart the Apache HTTP service one last time so all the changes take effect.

service apache24 restart

You can now verify that PHP is installed correctly by browsing to the following address:
http://YOUR.IP.ADD.RESS/info.php

This is the default page after installing PHP on an FAMP Stack FreeBSD server

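As an added check that is not part of the original how-to, the following Python script parses an httpd.conf and reports whether the edits made above are in place: index.php listed ahead of index.html on the DirectoryIndex line, and the two FilesMatch handler blocks. The two configuration excerpts embedded in it are constructed for the example (one as the file ships, one after the edits); the function and constant names are the example's own.

```python
import re

# Constructed excerpt of /usr/local/etc/apache24/httpd.conf BEFORE the edits
HTTPD_CONF_BEFORE = """
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
"""

# The same excerpt AFTER the edits: index.php added in front of index.html,
# and the two FilesMatch handler blocks appended at the bottom of the file
HTTPD_CONF_AFTER = """
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
"""

DIRECTORY_INDEX_RE = re.compile(r"^\s*DirectoryIndex\s+(.+?)\s*$", re.MULTILINE)
FILES_MATCH_RE = re.compile(
    r'<FilesMatch\s+"([^"]+)">\s*SetHandler\s+(\S+)\s*</FilesMatch>', re.DOTALL)


def directory_index(conf: str) -> list:
    """Return the file names on the (last) DirectoryIndex line, in order."""
    matches = DIRECTORY_INDEX_RE.findall(conf)
    return matches[-1].split() if matches else []


def file_handlers(conf: str) -> dict:
    """Map each FilesMatch pattern to the handler it sets."""
    return {pattern: handler for pattern, handler in FILES_MATCH_RE.findall(conf)}


def check_php_config(conf: str) -> dict:
    """Report whether each change the how-to asks for is present."""
    index = directory_index(conf)
    handlers = file_handlers(conf)
    php_first = "index.php" in index and (
        "index.html" not in index
        or index.index("index.php") < index.index("index.html"))
    return {
        "index_php_before_index_html": php_first,
        "php_handler": handlers.get(r"\.php$") == "application/x-httpd-php",
        "phps_source_handler": handlers.get(r"\.phps$") == "application/x-httpd-php-source",
    }


if __name__ == "__main__":
    # Against a live server: check_php_config(open("/usr/local/etc/apache24/httpd.conf").read())
    for name, conf in (("before", HTTPD_CONF_BEFORE), ("after", HTTPD_CONF_AFTER)):
        print(name, check_php_config(conf))
```

Two points the report makes visible: the .phps handler serves the source of any file with that extension, so it belongs in the file only if you want PHP source published that way, and the info.php page reports the server's full PHP configuration, so it is normally deleted once the check passes.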

What Next?

Congratulations! You now have a server with a FAMP stack platform for your web environment. Thank you for following along, and feel free to check back with us for further updates or to learn more about services from Atlantic.Net, like VMware hosting.


What is Shared Key Exchange (How VPNs Work, Part 3)

Mason Moody, May 20, 2015, in VMware Hosting

This article in the “How VPNs Work” series describes how a shared key exchange works. If you’re already lost, don’t panic! This series of articles is written to explain the concepts and methods behind VPNs without requiring a deep dive into the mathematics that powers them.

If you’re completely new to the concept of VPNs, check out this introduction. If you already know a little about how VPNs work and want to know a little more, this series is for you. Each article addresses one aspect of the means by which a VPN helps to secure data by telling a story which serves as a metaphor of the logical mechanisms involved. These stories involve two people, Adam and Burt, trying to keep a secret and a third person, Cesar, trying to nefariously discover their secret. Since VPNs have no perfect physical world equivalent, there may be some elements that stretch the bounds of credibility (for example, Cesar has access to a duplicator ray). Remember, it’s just a story…

Each article also has expandable sections (indicated with the gear icon) which contain a slightly more in-depth explanation that is somewhat more technical but still avoids getting too lost in the mathematics. These sections tie the events of the story a little more to the components or steps of encryption or authentication but are not required to get a basic understanding of the topic.

Shared Key Exchange

In earlier adventures, our friends Adam and Burt have tried to keep their comic book project secret from Cesar’s snooping by securing the messages they exchange with a shared key and a more elaborate public-/private-key pair system. Each system has its strengths and weaknesses. But the boys need a break from this project, and lucky for them, there’s a fair going on nearby. They enter the chili cook-off, and, because they love keeping their creations secret, they devise a way of keeping their recipe secret, even as they prepare it in front of onlookers. In fact, the recipe will be so secure, even they won’t know it!

A Well-Known Starting Point

To pull this feat off, Adam and Burt will each need to come up with a portion of the recipe without knowing anything about what the other has contributed. If neither of them knows the whole recipe, neither can reveal it. They do, though, agree on a common base of ingredients (a mixture of tomato base, chili seasoning, beef, and beans). There’s no need to keep this part secret–most of the other contestants start with a similar base, so they gain little in spending the effort to obscure these ingredients.

The fact that the two parties can start with this negotiation over an insecure, public medium is one of the core and clever ideas behind this method of initiating encryption. Before any encryption can occur, there needs to be some unencrypted traffic between peers, otherwise, neither will know how to decrypt any future messages. This initial step lets one host tell another that it wishes to begin a negotiation of an encryption method by offering a couple of initial values to a well-known mathematical formula (which, in this example, is the base of the chili). The real magic comes in the next steps.


Seeding the Key

Adam and Burt have independently and secretly prepared a portion of seasoning and additional ingredients sealed in an opaque, rice-paper pouch that will dissolve once immersed in the chili. In this cook-off, Adam’s pouch contains tomatillos, chipotles, cayenne pepper, and cinnamon; Burt’s contains Cajun seasoning, beer, cumin, oregano, and Worcester sauce*. Adam tosses his packet into his pot and stirs, tasting his chili until he is sure the pouch has dissolved and released its ingredients. Burt does the same with his pot. At this point, Adam and Burt have two different chilis.

* (in case you are wondering why this isn’t already dissolving from the beer, let’s say that Burt has pre-frozen any liquids prior to placing them in the dissolvable pouch.)


In the actual key exchange process, these “ingredients” are very large prime numbers, randomly generated for the exchange. The larger the numbers fed into this key exchange, the more difficult it is to crack with brute-force techniques. The size of these numbers is called a bit group: a group of prime numbers of the same length in binary bits (e.g., 1024 or 2048 or even larger bit lengths) all belong to the same group. The larger the bit group, the more robust this key exchange process becomes and the more resistant it is to analysis and potential compromise.


Completing the Exchange

Now they switch the pots they are tending, so Burt is at the pot Adam started, and vice versa. They each take another pouch identical to the one they started with and add this second pouch to the pot that the other had started (so Adam adds his tomatillos, chipotles, cayenne pepper, and cinnamon to the pot Burt started with the Cajun seasoning, beer, cumin, oregano, and Worcester sauce; and Burt adds his pouch to the pot Adam started). After each of them stirs their respective pots and dissolves the pouches to release the secret ingredients, they can be sure that each pot now contains identical chilis.

In mathematical terms, the algorithm governing shared key exchange is commutative: it can be performed in any order and arrive at the same result. Also, note that neither Adam nor Burt has the means to reconstruct the key alone; each of them knows only the random value he contributed to the algorithm. And, since each also generates a copy of the key upon completion of the negotiation, each has a copy of the final key without its ever having been transmitted over a network.

This shared key exchange or negotiation is called the Diffie-Hellman Key Exchange, named for the authors of the paper that first detailed this method, Whitfield Diffie and Martin Hellman. Their work built upon previous work done by Ralph Merkle, so it has been suggested (by Hellman himself) this method be called the Diffie-Hellman-Merkle Key Exchange. In actual configurations, you will often see this method applied as DH Groups, different groups corresponding to keys of different lengths in binary bits.


Complex Tastes

During the preparation, any of the judges could have seen and sampled from the starting pots or the intermediate pots. Even if Cesar, intent on learning the secret recipe, poses as a judge, he wouldn’t be able to reliably reconstruct the final recipe Adam and Burt used. (This example assumes that Cesar doesn’t have the ability to distinguish all the individual flavors included in the chili and that to attempt to identify the ingredients and their amounts via laboratory analysis would be expensive enough in time and energy invested to make it infeasible.)

If an attacker wanted to compromise any communication encrypted with this key, a typical man-in-the-middle eavesdropping attack would be insufficient. An attacker could, however, insert himself as a transit man-in-the-middle. If an attacker set himself up so that all communication between the two hosts had to go through him, he could perform a Diffie-Hellman negotiation with each peer. Each side of the connection would only know whether a successful key is negotiated, but not with whom. In this position, the man-in-the-middle would be able to see the whole conversation–in fact, he’d have to decrypt incoming traffic and re-encrypt it before sending it out the other side to maintain the impression that each end still has its “secure” connection.

It’s also possible for an attacker to attempt to stage a man-in-the-middle attack to downgrade the DH group to a group whose bit length is much smaller and less secure. That attacker could then collect the weakly encrypted data and perform an offline brute force attack against the encryption to crack it in a reasonable amount of time. Attacks such as FREAK and Logjam use some sort of downgrade methodology to weaken the Diffie-Hellman key exchange.
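The two technical asides above (the random values and the bit group, and the commutative exchange) as working Python, an added example that is not part of the original article: the group prime is the 2048-bit MODP prime from RFC 3526 (DH group 14 in IKE terms) with generator 2, each side's secret "pouch" is a random integer exponent, and the public values are what the onlookers see. The minimum group size policy (MIN_GROUP_BITS = 2048) and all function names are the example's own choices; the Miller-Rabin primality test is included so the script verifies its own parameters rather than trusting the pasted constant.

```python
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP prime (a safe prime) with generator 2.
# This is the fixed, public starting point, the "base of the chili".
P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
G = 2
MIN_GROUP_BITS = 2048   # policy assumption for this example: refuse anything smaller


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def accept_group(p: int, g: int = G) -> bool:
    """Downgrade check: accept a proposed group only if it is large enough
    and p is a safe prime (p and (p-1)/2 both prime)."""
    return (p.bit_length() >= MIN_GROUP_BITS and 1 < g < p - 1
            and is_probable_prime(p) and is_probable_prime((p - 1) // 2))


def private_value() -> int:
    """The secret pouch: a random exponent nobody else ever sees."""
    return secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]


def public_value(private: int) -> int:
    """The pot after one pouch has dissolved: safe to show every onlooker."""
    return pow(G, private, P)


def valid_public_value(y: int) -> bool:
    """Reject degenerate values (0, 1, p-1) that would force a trivial key."""
    return 1 < y < P - 1


def shared_secret(private: int, other_public: int) -> int:
    """Add my pouch to the other person's pot."""
    if not valid_public_value(other_public):
        raise ValueError("peer sent a degenerate public value")
    return pow(other_public, private, P)


def derive_key(secret: int) -> bytes:
    """Never use the raw DH output directly; hash it into a fixed-size key."""
    return hashlib.sha256(secret.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def run_exchange():
    """Both sides of the exchange; returns whether the two pots ended up
    identical and the 32-byte key each side derived."""
    a, b = private_value(), private_value()       # Adam's and Burt's pouches
    A, B = public_value(a), public_value(b)       # what Cesar can see (plus P and G)
    key_adam = derive_key(shared_secret(a, B))    # (g^b)^a
    key_burt = derive_key(shared_secret(b, A))    # (g^a)^b
    return key_adam == key_burt, key_adam


if __name__ == "__main__":
    print("group ok:", accept_group(P))
    same, key = run_exchange()
    print("keys match:", same, key.hex())
```

accept_group() is the defensive counterpart to the downgrade attacks described above: a peer that proposes a group below the policy minimum is refused before any secret is computed. Note what the script does not do: it does not authenticate the public values, which is why, exactly as the article says, each side knows only that a key was negotiated and not with whom; in practice the public values are signed with the key-pair algorithms covered in Part 2.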


More in the How VPNs Work Series:

Part 1: Symmetrical Encryption Algorithms
Part 2: Public Key Cryptography
Learn more about services from Atlantic.Net, including VMware hosting.


What is Public Key Cryptography (How VPNs Work, Part 2)

Mason Moody, May 13, 2015, in VMware Hosting

This article in the “How VPNs Work” series describes how public key cryptography (asymmetric encryption) works. If you’re already lost, don’t panic! This series of articles is written to explain the concepts and methods behind VPNs without requiring a deep dive into the mathematics that powers them.

If you’re completely new to the concept of VPNs, check out this introduction. If you already know a little about how VPNs work and want to know a little more, this series is for you. Each article addresses one aspect of the means by which a VPN helps to secure data by telling a story which serves as a metaphor of the logical mechanisms involved. These stories involve two people, Adam and Burt, trying to keep a secret and a third person, Cesar, trying to nefariously discover their secret. Since VPNs have no perfect physical world equivalent, there may be some elements that stretch the bounds of credibility (for example, Cesar has access to a duplicator ray). Remember, it’s just a story…

Each article also has expandable sections (indicated with the gear icon) which contain a slightly more in-depth explanation that is somewhat more technical but still avoids getting too lost in the mathematics. These sections tie the events of the story a little more to the components or steps of encryption or authentication but are not required to get a basic understanding of the topic.

Adam and Burt have already discovered the weakness in using a lockbox with a shared symmetric key to keep things secure. So, Burt proposes they try a new method in which each of them has their own unique set of keys (asymmetric encryption).

Public Key Cryptography

Public Key Cryptography is an asymmetric encryption methodology that seeks to maintain confidentiality without having to ever share a secret key over an insecure channel (such as unencrypted email). In this explanation, Adam and Burt each have a unique lock, but for the remainder of this example, we’ll cover Burt’s lock and keys (Adam’s lock and keys will work in the same fashion). Each lock has two special properties: first, the lock has two distinct and related keys that can work with it, and second, each key that works with the lock can only turn in the lock in one direction–for the sake of this example, they only turn clockwise.

Paired Keys

The two keys in this asymmetric system only work as a pair. If Burt were to re-key this lock, he’d need to create two new keys. To make it simpler to distinguish the two keys, Burt color-codes them. One he makes green and the other red. Burt keeps the red key secured (his private key), but he can make the green key widely available to anyone who wants it (his public key). This may sound counterintuitive. But an important feature of these keys is that while they are related, it is virtually impossible to figure out one key based on knowledge of the other. As such, one key can be made publicly available without revealing anything about its counterpart.


These keys are, in actual use, called the public and private keys (the color designations are to help make the explanation a little easier to follow). The generation of these keys involves some pretty nifty and complicated mathematics. (These algorithms begin with calculations involving the product of two very large prime numbers and are far beyond the scope of this example.) Common algorithms used in public key cryptography include RSA (named for its creators, Rivest, Shamir, and Adleman), DSA/DSS (Digital Signature Algorithm/Digital Signature Standard), and ECDSA (Elliptic Curve Digital Signature Algorithm). This latter algorithm instead utilizes the mathematics of elliptic curves and is at least as intimidating to the math-averse as the RSA algorithm.

The Clockwise Lock (How the Keys Work)

Besides only working as part of a pair, these keys also only work in the lock in one direction. For example, Burt uses the green (public) key to secure the lock, which requires a half-turn in the lock. Since the lock only works in one direction, the green key can’t unlock the lock by reversing direction like an ordinary lock. At this point, because of the special nature of this locking mechanism, the only way to unlock it is to use the paired red (private) key.

In this fashion, when the lock is secured with the green (public) key, only the person who possesses the red (private) key can open it. This is how Burt can make the green key widely available to the public. He can send a copy of the green key to Adam (he could even make a copy available for public pickup or duplication). Anyone who has a copy of this green key can lock this lock, and at that point, only Burt–assuming he keeps his red (private) key secure–can open the lock. Now, when Adam wants to securely send something to Burt, he can use Burt’s green (public) key. Similarly, Adam would have his own key pair, and he could also make his green key available for Burt (or anyone else) to use.

Now, if our ne’er-do-well Cesar were to try to crack this method of security, he’d need to crack two different locks in order to get the whole conversation. Even if he were able to get past just one, he’d only be able to see one half of the conversation.

This usage of one-way encryption is employed in some secure email exchanges, such as with the use of PGP (Pretty Good Privacy) or GPG (Gnu Privacy Guard). If you’ve ever seen mention of someone’s PGP or GPG public key (and likely a block of random-looking text that was the key itself), you can see why it can be published as a part of an email signature or a publicly accessible website. With that key, anyone can encrypt an email that only the possessor of the private key (the recipient) can decrypt.
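Textbook RSA in Python as an added illustration of the green/red key pair (not code from the article): the public exponent e locks, the private exponent d unlocks, and applying the public key a second time does not reverse the first turn. The primes 61 and 53 and the message 65 are deliberately tiny so the numbers can be checked by hand, which is also why the last function can recover the red key by factoring n; a real key uses primes hundreds of digits long, and real RSA adds padding, which this toy omits.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA: build the green (public) and red (private) keys from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return (n, e), (n, d)           # public key, private key


def turn(message: int, key: tuple) -> int:
    """One clockwise half-turn: apply whichever key you hold to the box contents.
    Locking with the public key and opening with the private key are the same operation."""
    n, exponent = key
    if not 0 <= message < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(message, exponent, n)


def recover_private_key_by_factoring(public_key: tuple) -> tuple:
    """Cesar's brute force: factor n by trial division, then rebuild d.
    Feasible only because the demo primes are tiny."""
    n, e = public_key
    p = next(f for f in range(2, n) if n % f == 0)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    burt_public, burt_private = make_keypair(61, 53)    # n = 3233, e = 17, d = 2753
    locked = turn(65, burt_public)                        # Adam locks with Burt's green key
    print("on the wire:", locked)                         # 2790
    print("Burt opens:", turn(locked, burt_private))      # 65
    print("green key again:", turn(locked, burt_public))  # not 65: the public key can't reverse itself
```

Adam's own pair is built the same way, so a full conversation involves two moduli, which is the article's point that Cesar has two different locks to crack; the factoring function shows what "cracking" means for RSA and why the key length paragraphs later in this article matter.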

A Twice-Locked Box

Here’s where Burt gets a clever idea. He places some artwork for the comic book he and Adam are working on in a box, places his lock on the box, and secures it with his green (public) key. Now, he’s the only person (since he has the only copy of the red key) that can unlock this box. He sends this box to Adam.

Adam, not having a copy of Burt’s red (private) key, can’t unlock the lock. But he can place his own lock on the box. He secures this lock with his own green (public) key. Adam sends this twice-locked box back to Burt.

Burt gets the box, and the only way he can open it is if he has both his own red key and Adam’s red key. But Adam is keeping his red key just as secret as Burt keeps his own red key, so Burt won’t be able to open the box. Burt, though, doesn’t want to open the box–remember, he started this process, so he wants Adam to get the art contained within the box. He can, though, unlock his own lock with his own red (private) key. When he does this, the only security on the box is the lock that Adam secured.

Burt sends the box back to Adam, and now Adam, using his red key, unlocks the remaining lock. Burt has successfully and securely sent this package. This method adds a couple of layers of security, in that there are two layers of locking/encryption and in the fact that no shared key needs to ever be exchanged via a potentially insecure medium. However, it isn’t a very efficient system if they need to send more secure messages back and forth in a more timely manner.

This ability is one of the interesting features of the mathematics behind public key cryptography. A message can be encrypted multiple times; then, when decrypting it, the decryption can be done in any order. It works in a commutative way, the way some simple mathematical functions work. For example, if you were to start with the number 10 and add three other numbers, say 3, 5, and 7 (so 10 + 3 + 5 + 7 to get 25), you could then subtract them from your total in any order to get back to the same original number (25 – 5 – 7 – 3 = 10). Of course, the mathematics behind this cryptography is significantly more intricate.
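The twice-locked box realized in Python, as an added example that is not part of the article: each of Adam and Burt holds a secret exponent (his lock) and its inverse (his key), and applying either is modular exponentiation under a shared public prime, which is commutative, so the locks can be removed in either order. This construction is Shamir's three-pass protocol; the prime 2**127 - 1 is chosen for the demo, the message is a short constructed byte string, and the function names are the example's own.

```python
import secrets
from math import gcd

# Public modulus both parties agree on. 2**127 - 1 is a Mersenne prime; it is
# a toy size chosen so the demo runs instantly, not a deployable parameter.
P = 2 ** 127 - 1


def make_lock_and_key():
    """A lock is a secret exponent e; its key is d = e^-1 mod (P-1),
    so that (m^e)^d == m. Only its owner knows either number."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)


def turn(box: int, exponent: int) -> int:
    """Apply a lock (exponent e) or a key (exponent d) to the box."""
    return pow(box, exponent, P)


def encode(message: bytes) -> int:
    value = int.from_bytes(message, "big")
    if not 0 < value < P:
        raise ValueError("message must be non-empty and shorter than the modulus")
    return value


def decode(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


def three_pass(message: int, adam, burt):
    """Burt sends Adam a message through the twice-locked box.
    Returns what Adam reads and the three boxes an onlooker saw in transit."""
    e_burt, d_burt = burt
    e_adam, d_adam = adam
    box1 = turn(message, e_burt)    # Burt locks the box and mails it
    box2 = turn(box1, e_adam)       # Adam adds his own lock and mails it back
    box3 = turn(box2, d_burt)       # Burt removes his lock (Adam's is still on)
    received = turn(box3, d_adam)   # Adam removes the last lock
    return received, [box1, box2, box3]


def locks_commute(message: int, adam, burt) -> bool:
    """The property the article describes: the order in which locks are
    added or removed does not matter."""
    e_adam, d_adam = adam
    e_burt, d_burt = burt
    both_ways = turn(turn(message, e_adam), e_burt) == turn(turn(message, e_burt), e_adam)
    locked = turn(turn(message, e_adam), e_burt)
    any_order = (turn(turn(locked, d_adam), d_burt)
                 == turn(turn(locked, d_burt), d_adam) == message)
    return both_ways and any_order


if __name__ == "__main__":
    art = b"page 3 inks"                                   # constructed sample message
    adam, burt = make_lock_and_key(), make_lock_and_key()
    got, seen = three_pass(encode(art), adam, burt)
    print(decode(got, len(art)), "after 4 exponentiations; in transit:", seen)
```

Four exponentiations per message, none of which is a half-turn, is the inefficiency the next section counts in lock rotations; none of the three values on the wire equals the message, and no key ever leaves its owner.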


A Complicated, Robust Lock

So while Adam and Burt now have worked out a public-key cryptography method, it’s not without its drawbacks. This twice-locked box method of keeping communication secure takes three times as long per message. In addition, public-key cryptography methods tend to be more work-intensive when it comes to carrying out the encryption or decryption. In the example above, imagine that instead of each key turning in the lock one half turn, it requires 10 full rotations. That would mean 40 rotations (Burt locks (10) + Adam locks (10) + Burt unlocks (10) + Adam unlocks (10)) per message!

There is, however, one advantage to this inefficiency. If Cesar were to use a device that could simulate any key, and assuming that to open one of these locks requires the full 10 rotations just to see if that key works, then the time it would take him to try every key combination (a brute force attack) goes up by a factor of 10 as well.

The length of an encryption key is measured in bits. The larger the bit length of the key, the more resistant that key is to being discovered via brute-force cracking attempts. A larger bit length also means that the work required to perform encryption or decryption increases. However, since asymmetric and symmetric encryption algorithms work in different ways, their key lengths aren’t directly comparable. For example, an RSA (asymmetric) 1024-bit key has about the same strength as an 80-bit symmetric key. There are tools available to compare relative key lengths across the different encryption methods, such as the one maintained by BlueKrypt, that can help illuminate the difference in computational cost between these methods.

These differences highlight one of the primary conundrums of computer security: security vs. convenience. Work done to improve one often comes at the expense of the other. Increasing the bit-length of the encryption key increases its strength, but it also means that it will take longer to perform that encryption and decryption. When measures are made to improve convenience, such as increasing computing power or reducing the length of the key, those same measures also mean it requires less work to successfully guess the key through brute-force methods.


More in the “How VPNs Work” Series

Part 1: Symmetrical Encryption Algorithms
Part 3: Shared Key Exchange
Learn more about services from Atlantic.Net, including VMware hosting.


What is Symmetric-Key Encryption (How VPNs Work, Part 1)

Mason Moody, April 24, 2015, in VMware Hosting

This article in the “How VPNs Work” series describes how symmetric-key encryption works. If you’re already lost, don’t panic! This series of articles is written to explain the concepts and methods behind VPNs without requiring a deep dive into the mathematics that powers them.

If you’re completely new to the concept of VPNs, check out this introduction. If you already know a little about how VPNs work and want to know a little more, this series is for you. Each article addresses one aspect of the means by which a VPN helps to secure data by telling a story which serves as a metaphor of the logical mechanisms involved. These stories involve two people, Adam and Burt, trying to keep a secret and a third person, Cesar, trying to nefariously discover their secret. Since VPNs have no perfect physical world equivalent, there may be some elements that stretch the bounds of credibility (for example, Cesar has access to a duplicator ray). Remember, it’s just a story…

Each article also has expandable sections (indicated with the gear icon) which contain a slightly more in-depth explanation that is somewhat more technical but still avoids getting too lost in the mathematics. These sections tie the events of the story a little more to the components or steps of encryption or authentication but are not required to get a basic understanding of the topic.

Basic Symmetric-Key Encryption

Let’s suppose that Adam and Burt are writing a comic book. Since they live in nearby towns and can’t meet in person all that often, they send drafts of their book to each other via the Greater Metropolitan Area Post Office. They don’t want anyone getting a peek at their book before it’s finished, so they use a lockbox (encryption) and make a copy of the key (encryption key) for each of them. Now, when Adam finishes a script, he can send it to Burt in this lockbox and be sure that only Burt can unlock it when he gets it in the mail.

This mechanism is analogous to one of the earliest widely-used encryption standards for computer data, DES (Digital Encryption Standard). DES is a symmetric-key encryption algorithm, meaning that the key that is used to encrypt the data is also used to decrypt it. On a simplified level, a symmetrical-key encryption algorithm is a method of applying a series of predefined mathematical steps, and the key is a sort of pivotal variable (one might say, a “key” variable) that plugs into that method to produce unique output–the encrypted data. This process can also be reversed by applying the same method in reverse, again with the same key.


The Threat

Now, Cesar enters the picture. Cesar is obsessed with Adam and Burt’s comic book and can’t wait to learn more about it. For the sake of this story, Cesar has a duplicator ray. He is also a master of disguise, so he uses his talents to pose as a postal worker. His ultimate goal is to find a way to intercept the box Adam and Burt send back and forth to get a peek inside. Soon Cesar insinuates his way deeply enough into the Greater Metropolitan Area Post Office that he gains access to the central mail sorting room, and he spots the box from Adam to Burt. Cesar doesn’t want to arouse suspicion from either Adam or Burt from a delayed delivery, so he uses his duplicator ray to make a copy of the box. Sadly for Cesar, this box is also locked (encrypted), the same as the original. But, among his talents, he is a journeyman locksmith, so he takes this duplicate box to his lair to attempt to bypass the lock.

Network traffic is sent in discrete units called packets. So, whether you are sending something small (a short email) or something large (a video), the data will be segmented into easily managed packets before being transmitted. It’s the equivalent of sending a jigsaw puzzle to someone a piece at a time. Once it arrives at its destination, it will be reassembled.

The process of examining network traffic in transit is called “packet inspection” (sometimes more informally called “packet sniffing” or “sniffing the wire”). Packet inspection allows network administrators to identify and block much of the hostile traffic on their network. It can also be quite useful for troubleshooting connectivity issues within a network.

It can also be used for less constructive purposes, such as eavesdropping. Used this way, it is often called a Man-in-the-Middle (MitM) attack. For someone like Cesar, who manages to insert himself in the transit path these messages take, this attack allows an interloper to copy all passing traffic (without delaying it and potentially alerting either end that something might be amiss) in order to analyze it later. Traffic that is not encrypted can be easily reassembled, allowing anyone with the proper tools to read the email or see the web page requested. Encrypted data would require knowing or discovering the key to decrypt each packet before reassembling it.


Brute Force Crack

Let us say, then, that Cesar spends time working on this lock and manages to finally pick the lock. After some practice, he learns to cut this time down significantly. Then, he intercepts the next package Burt sends back to Adam, copies it, and sends the original back on its way to Adam. Now, Cesar can pick the lock at his leisure, and, since Adam received the package without delay, he and Burt have no idea anything could be amiss. So imagine their surprise and dismay when Cesar posts all the spoiler details of their new comic book on his blog (called, naturally, “The Cesarian Section”).

Adam and Burt realize they will need to come up with a better way to securely exchange messages. If they were to re-key the lock, it would likely not take Cesar long to learn how to pick this new lock. They decide to invest in a lock with a much more complicated key (a stronger symmetric-key encryption algorithm). But how long might it take Cesar to crack this lock?

DES on its own is no longer considered a strong means of encryption. In 2008, SciEngines GmbH announced they were able to break DES in less than a day.

A variation called Triple Digital Encryption Standard (abbreviated 3DES, usually pronounced “triple-dez”) has, in many instances, supplanted DES. As its name implies, it functions using the DES algorithm but run three times. The key is three times as long, and in its strongest implementation, it is made up of three different DES keys, one for each iteration of the DES algorithm. It can be helpful to imagine this algorithm functioning as if it were an intricate puzzle box. The first key might be the combination of twists and machinations (as with a Rubik’s Cube) required to reveal a sliding-tile style puzzle, which, when solved (the second key), would expose a keyhole for your key (the third key).

An even stronger symmetric-key encryption algorithm is AES (Advanced Encryption Standard, though you may also sometimes see it referred to by its original name “Rijndael”, pronounced “rain-doll”). The strength of these sorts of algorithms is measured by the effective lengths of their keys (in bits). 3DES uses 168-bit keys (in its strongest implementation), though certain attacks have been shown to reduce that strength to the equivalent of an 80-bit key. AES can use 128-, 192-, and 256-bit keys. As the length of each of these keys goes up, so do its strength and its computational requirements.
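Here is an added worked example that plays the story out in Python. It is not part of the original article, and the cipher in it is a toy built from HMAC-SHA256 in counter mode, not DES or AES; the point is only that one shared key both locks and unlocks (symmetric), that packets copied in transit can be reassembled but not read, and that a brute-force search grows by a factor of two for every added key bit. The message text, the 16-byte packet size, the 16-bit key (chosen so the search finishes in well under a second), the idea that Cesar knows the title every script starts with, and the one-billion-guesses-per-second rate in the work-factor estimate are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Toy stream cipher for the story only (not DES or AES): the keystream is
# HMAC-SHA256(key, nonce || counter), XORed over the data. Because XOR is its
# own inverse, one function both locks and unlocks the box, which is exactly
# what "symmetric-key" means. The nonce travels in the clear, like a label.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) data under key."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


PACKET_SIZE = 16  # assumed payload size per packet (one jigsaw piece)


def segment(data: bytes) -> list:
    """Split a message into numbered packets."""
    return [(i, data[off:off + PACKET_SIZE])
            for i, off in enumerate(range(0, len(data), PACKET_SIZE))]


def reassemble(packets: list) -> bytes:
    """Put the pieces back in order, whatever order they arrived in."""
    return b"".join(chunk for _, chunk in sorted(packets))


def brute_force(ciphertext: bytes, nonce: bytes, known_prefix: bytes, key_bits: int):
    """Try every key of key_bits bits until the decryption begins with known_prefix
    (Cesar assumes each script opens with the comic's title). Returns (key, tries)."""
    nbytes = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        key = k.to_bytes(nbytes, "big")
        if symmetric_xor(key, nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return key, k + 1
    return None, 1 << key_bits


def expected_seconds(key_bits: int, keys_per_second: float = 1e9) -> float:
    """Average brute-force time: half the key space at an assumed guessing rate
    (the rate is a stand-in for illustration, not a benchmark of any hardware)."""
    return (2 ** key_bits / 2) / keys_per_second


SCRIPT = b"THE CESARIAN SECTION #1: Adam and Burt ship the first issue."  # constructed


def demo() -> dict:
    """Adam mails an encrypted script; Cesar copies the packets, reassembles
    the box, and then picks the deliberately tiny 16-bit lock."""
    key = secrets.token_bytes(2)   # 16-bit key: far too small, on purpose
    nonce = secrets.token_bytes(8)
    packets = segment(symmetric_xor(key, nonce, SCRIPT))   # Adam's mailing
    cesars_copy = list(reversed(packets))                  # copied in transit, any order
    burt_reads = symmetric_xor(key, nonce, reassemble(packets))
    locked_box = reassemble(cesars_copy)                   # rebuilt, but still locked
    found, tries = brute_force(locked_box, nonce, b"THE CESARIAN", 16)
    spoilers = symmetric_xor(found, nonce, locked_box) if found else None
    return {"key": key, "burt_reads": burt_reads, "locked_box": locked_box,
            "found": found, "tries": tries, "spoilers": spoilers}


if __name__ == "__main__":
    result = demo()
    print("Burt reads:      ", result["burt_reads"].decode())
    print("Cesar's copy:    ", result["locked_box"][:24].hex(), "...")
    print("key recovered after", result["tries"], "guesses:", result["spoilers"].decode())
    year = 365 * 24 * 3600
    for bits in (16, 56, 80, 128, 256):
        print(f"{bits:3d}-bit key: ~{expected_seconds(bits) / year:.3g} years at 1e9 guesses/s")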


The Evolution of Encryption

Naturally, Adam and Burt have concerns that maintaining this lockbox solution, even if it is top-of-the-line, may not be as secure as they would like. A ne’er-do-well such as Cesar has several means to attempt to defeat this system. He can attempt to illicitly obtain a copy of the key from either Adam or Burt, or from the means they use to exchange the key in the first place (especially if this exchange is over an unsecured medium). Finally, he may, after practice and/or technological advance, discover a way to more efficiently “guess” the key. If they want to stay ahead of Cesar, they’ll need to find some new ways to make it much more difficult for him to find a way around or through.

More in the How VPNs Work Series:

Part 2: Public Key Cryptography
Part 3: Shared Key Exchange
Learn more about services from Atlantic.Net, including VMware hosting.


What Is a VPN?

Mason Moody April 22, 2015 by under VMware Hosting 0 Comments

So what is a VPN? Maybe you’ve heard some of your tech-savvy friends or co-workers talk about a VPN. Perhaps you even use one and want to know a little bit about what a VPN is and how it works. (If you already know the basics and would like to know more about the algorithms and cryptography underlying VPNs, check out the links below.)

VPN is short for Virtual Private Network. Let’s unpack each of those terms. We’ll start with the last word first. (Each of these sections provides a very basic overview of each term accompanied by a more in-depth explanation indicated by the icon. Just click on that icon to expand that section.)


Network (The “N” in VPN)

A network, in the context of computing, is a collection of devices which all share a membership in the same group. For example, all computers and related equipment in an office might comprise a network.

In the example of a company, different departments might exist within this one company, and each of these could be considered subnetworks (in computer networking, this term is usually shortened to “subnet”). If the employees of this company needed to interact with employees from another company, they might form a relationship, an inter-network. Inter-network can be shortened to “internet”, which, when capitalized, refers to the Internet most of us are familiar with. The Internet is an inter-network of thousands of distinct, connected computer networks and subnetworks.


Private (The “P” in VPN)

When we refer to a network being Private, we are often referring to a local segment of a network, sometimes called a Local Area Network (LAN). A network is usually kept private by setting it up behind a device called a firewall, which helps to protect the LAN from the public Internet.

To understand what a private network is, it might help to think of the difference between sending a report to a colleague at your office versus sending a report to a colleague in a remote office in another city. If you need to send a report to your work colleague in the same office, you might just address it to that person by name, maybe department. Anyone in your office would probably know how to get that report to “Julie in Accounting”, for example. But if you wanted to mail that report to “Eartha in Accounting” at your remote office, you’d need a different addressing scheme for someone to deliver your report successfully.

Similarly, computers that are a part of a network will have an address. Addresses for devices on a network (called “IP addresses”) are made up of a series of digits that look a bit like a phone number, except in the format “nnn.nnn.nnn.nnn”. So, for example, a well known Google IP address is “8.8.8.8”. This address is a public address, the computer equivalent of a mailing address. So if you wanted to send a packet (in our post office metaphor, think of a packet like an envelope) to that address, any device that is properly connected to the Internet should know how to get it there.

There are certain IP address ranges, though, that are set aside and never used as a part of the public Internet. These are reserved, instead, for private use. If you’ve ever set up a home router, you’ve probably seen an example of this sort of private address (something like “192.168.0.1” or “192.168.1.1”). In the example above, “Julie in Accounting” would be the equivalent of a private address.


Virtual (The “V” in VPN)

Often a private network is physically self-contained. All devices that are part of the same network might be in the same geographical area (maybe a computer closet, a cabinet in a data center, or even an entire building, for example). It is possible, though, to create a private network between devices which might be within separated areas, such as different rooms in a building, different buildings in a city, or even different locations around the globe. This is where the “virtual” part comes into play, via a process called “encapsulation”. Data on a virtual private network can be sent to another private target by disguising it to appear to be public traffic. (This encapsulation process also often involves encryption to further protect it.) You might also hear a VPN referred to as a “tunnel”. In a sense, private messages are being sent within a public network as though they were traversing a private tunnel within that public network.

Imagine that you work in a building whose security department is in the basement. You have just been transferred to security, and on your tour of the department, they show you that there is a tunnel leading to another section of the security department that is located in the basement of a nearby but separate building. This tunnel acts to link these two separate buildings so, from the point of view of someone who works in this security department, the whole security section is one unit (a “network”). And since only authorized security personnel are allowed in this department, it can be considered a private tunnel. This example, though, features a physical tunnel. How do you make that virtual?

Creating a “virtual” tunnel involves a form of encapsulation. In most cases, this means that private traffic, before leaving one portion of a private network, is encapsulated to look like ordinary traffic on the publicly accessible Internet. When it reaches the destination specified in its encapsulation data, it sheds that encapsulation and resumes its travel to its final destination on this separate portion of the private network. In our example with the security department, imagine that we open a new security office across town. It wouldn’t be practical to build a physical tunnel all the way across town, but we could utilize a delivery service to send private messages there, similarly to how inter-office mail between geographically separate remote offices works. So, for example, we would place a report in an envelope addressed to “Burgess in Remote Security Services”, and then we could place that envelope in a larger package (encapsulating it) addressed to our remote security office with its full mailing address. We send the package via a courier to the remote office, and once it gets there, Frank the mail clerk opens the package (de-encapsulation), and he can then deliver the envelope to “Burgess in Remote Security Services” (private address). It could be said that we have “tunneled” this message through the courier service.

Also, since our department is concerned with security, we’d want to be sure that our message to Burgess isn’t tampered with or peeked at while it’s in transit. We might place a lock (which only we and our colleagues at the remote office could unlock) on the package before handing it over to the courier. The “lock” for traffic on a VPN would be an encryption algorithm. In VPN terminology, the device that handles the encapsulation and any encryption is called a “VPN gateway” or “VPN peer”. Not every VPN utilizes encryption, but it is prevalent when it’s important to keep data secure or private.


Putting It Together

Broadly speaking, a VPN keeps data traffic “within” a private network while it is sent over a public network. It is addressed so that it can be delivered over the Internet (encapsulation) and gets locked so no one can peek at the contents while it’s in transit (encryption).
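An added example, not from the original article, of the encapsulation step in Python. It uses the standard library’s ipaddress module with the three private ranges set aside for private use (10.x.x.x, 172.16–31.x.x, 192.168.x.x) to tell a private address from a public one, wraps a privately addressed packet inside a publicly addressed one at the gateway, and shows what a router on the public Internet can act on versus what the remote gateway recovers. The office networks, the two gateways’ public addresses (taken from the documentation ranges reserved for examples, so they belong to no real host), the report text and the simple “src>dst|payload” wire format are assumptions made for this illustration. The article notes that encryption is optional, so this example leaves the inner envelope unlocked and demonstrates the addressing only.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges reserved for private use and never forwarded on the public
# Internet (the article's "Julie in Accounting" style of address).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed public addresses of the two VPN gateways (documentation ranges, not real hosts).
HQ_GATEWAY = "203.0.113.10"
REMOTE_GATEWAY = "198.51.100.20"


@dataclass(frozen=True)
class Packet:
    src: str       # source address
    dst: str       # destination address
    payload: bytes


def is_private(addr: str) -> bool:
    """True for an address inside one of the reserved private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def encapsulate(inner: Packet, local_gateway: str, remote_gateway: str) -> Packet:
    """The VPN gateway puts the private envelope into a public package: the
    outer header carries the gateways' public addresses, and the whole inner
    packet, private addresses included, becomes the outer payload."""
    if not is_private(inner.dst):
        raise ValueError("only traffic bound for the private network is tunneled")
    wire = f"{inner.src}>{inner.dst}|".encode() + inner.payload
    return Packet(local_gateway, remote_gateway, wire)


def decapsulate(outer: Packet) -> Packet:
    """Frank the mail clerk: open the outer package and hand on the private envelope."""
    header, payload = outer.payload.split(b"|", 1)
    src, dst = header.decode().split(">")
    return Packet(src, dst, payload)


def public_router_view(pkt: Packet) -> dict:
    """What a router on the public Internet can read and act on: only the outer
    addresses. A private destination cannot be delivered, and the router never
    needs to understand any private address carried inside the payload."""
    return {"src": pkt.src, "dst": pkt.dst, "deliverable": not is_private(pkt.dst)}


def tunnel_demo() -> dict:
    # A report from a head-office host to a host at the remote office (both private).
    report = Packet("10.1.0.7", "10.2.0.42", b"Q3 security report for Burgess")
    outer = encapsulate(report, HQ_GATEWAY, REMOTE_GATEWAY)
    return {
        "direct": public_router_view(report),    # no tunnel: the courier cannot deliver it
        "tunneled": public_router_view(outer),   # tunnel: routed to the remote gateway
        "delivered": decapsulate(outer),         # what the remote gateway hands on
    }


if __name__ == "__main__":
    for stage, value in tunnel_demo().items():
        print(f"{stage:10s} {value}")
```

The check in encapsulate is the part worth noticing: a gateway should only tunnel traffic that is actually bound for the private network on the far side, otherwise it turns into an open relay for anyone who can reach it.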

Why Use a VPN?

The example above demonstrates one way VPNs are employed to maintain private communication over a public network. VPNs can also be used to offer a degree of privacy on a public network.

Ordinarily, your Internet Service Provider (ISP) assigns a public address to your connection so that the sites and services you request online know how to send information back to you. This public address can be used to provide an approximate location for your Internet connection. It is also possible that anyone with the appropriate means can see the websites you are going to, as well as the content you are requesting (especially when you visit a website whose URL begins with “http:” and whose contents are sent unencrypted).

So another use of a VPN is to offer a degree of privacy from snooping. In this case, rather than having both ends of a tunnel linking two ends of a private network, it’s possible to have one end act as a public access point to the Internet. In this way, someone who directly connects to the Internet in Chicago can appear to be accessing it from New York, for example.

VPN encryption techniques involve some pretty complicated mathematics, but if you’d like to read a little more about these techniques, and don’t have the time to earn an advanced mathematics degree, check out these articles:

Additional Articles

Part 1: Symmetrical Encryption Algorithms
Part 2: Public Key Cryptography
Part 3: Shared Key Exchange


How to Install Hyper-V Role on a Windows Server 2008 R2 Server

Atlantic.Net NOC February 28, 2015 by under VMware Hosting 0 Comments
Verified and Tested 02/28/2015

Introduction

This how-to will guide you through installing Hyper-V on your Windows Server 2008 R2. Hyper-V is used to manage Virtual Machines within your Server.

Prerequisites

A Windows server with Administrative access. If you need a server, you can spin up a reliable cloud hosting server with Atlantic.net in under 30 seconds.



How to Set Up Apache Virtual Hosts on Ubuntu 14.04

Michael Douse February 5, 2015 by under VMware Hosting 0 Comments
Verified and Tested 02/17/15

Introduction

In this article, we will go over how to add additional virtual hosts to a Linux cloud server with Apache installed. Each virtual host handles a specific website or domain that will be hosted on the server, including sub-domains. This is referred to as named-based hosting because it allows multiple websites to utilize one set of resources, such as a single IP.

Prerequisites

This article assumes that you have already installed Apache and performed the basic configuration of it. If you have not done so, follow our how-to on this here.



