Posts Tagged ‘draci’

28 Oct

Cisco != consistency

   Posted by: cristina_crow    in technical

You do remember my love for this magnificent vendor. Now I am looking at an IKEv2 configuration when using RSA X.509 digital certificates.

The trust-point is defined the same way as on any Cisco switch.

For IKEv1, I would configure RSA-SIG authentication like this:

crypto ikev1 enable untrusted
crypto ikev1 policy 1
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 3600

- Usually this is enough for the Phase 1 authentication to take place. We have RSA, so we use RSA for authentication.

But for IKEv2, trying to be CONSISTENT (a basic requirement for any equipment on the market), it is done like this:

crypto ikev2 enable untrusted
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 3600
tunnel-group myIPsecGroup ipsec-attributes
 peer-id-validate cert
 chain
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate myTrustPointCA

I would sadly add: don’t you find it natural that in IKEv2 the authentication has no place in the Phase 1 definition, but rather somewhere below, where I define the transform-sets (which, by the way, are called differently in IKEv2) for Phase 2??!!!

Not to mention the fact that Cisco is the last one to arrive at the finish line with IKEv2 (hey, we are in 2011!!), they proved to us again what a professional company it is. I would expect a no-name company from China not to be able to accomplish one of the most important requirements of professional software design, consistency, but… Cisco? :(

ref: http://secret-epedemiology-statistic.org.ua/1587052091/ch17lev1sec5.html
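The inconsistency above is exactly the kind of thing that gets missed in a config review: someone checks the IKEv2 policy, sees no "authentication" line, and assumes the defaults apply, when the method actually lives in the tunnel-group. The following audit script is an added example, not code from the original post or from Cisco; it takes the two snippets above, extended with a constructed legacy IKEv1 policy and two extra tunnel-groups (legacyGroup and halfDoneGroup, hypothetical names) so the checks have something to flag, and reports for each IKE version where the authentication method is declared and whether it is certificate-based.

```python
import re

# Constructed ASA-style config: the two snippets from the post, plus a
# legacy IKEv1 policy and two extra tunnel-groups added here to exercise the checks.
CONSTRUCTED_CONFIG = """\
crypto ikev1 enable untrusted
crypto ikev1 policy 1
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev2 enable untrusted
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 3600
tunnel-group myIPsecGroup ipsec-attributes
 peer-id-validate cert
 chain
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate myTrustPointCA
tunnel-group legacyGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group halfDoneGroup ipsec-attributes
 ikev2 remote-authentication certificate
"""


def parse_blocks(config):
    """Group a config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Report where each IKE version declares its authentication method.

    IKEv1: the 'authentication' line lives inside 'crypto ikev1 policy N'.
    IKEv2: the policy carries no authentication at all; it lives in the
    'tunnel-group NAME ipsec-attributes' block as ikev2 remote-/local-authentication.
    """
    ikev1, ikev2, findings = {}, {}, []
    for header, children in parse_blocks(config):
        m = re.match(r"crypto ikev1 policy (\d+)$", header)
        if m:
            num = m.group(1)
            auth = next((c.split(None, 1)[1] for c in children
                         if c.startswith("authentication ")), None)
            ikev1[num] = auth
            if auth is None:
                findings.append(f"ikev1 policy {num}: no explicit authentication line")
            elif auth != "rsa-sig":
                findings.append(f"ikev1 policy {num}: authentication is {auth}, not rsa-sig")
            continue
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", header)
        if m:
            name = m.group(1)
            entry = {"remote": None, "local": None, "trustpoint": None}
            for c in children:
                parts = c.split()
                if parts[:2] == ["ikev2", "remote-authentication"]:
                    entry["remote"] = parts[2]
                elif parts[:2] == ["ikev2", "local-authentication"]:
                    entry["local"] = parts[2]
                    if parts[2] == "certificate" and len(parts) > 3:
                        entry["trustpoint"] = parts[3]
            ikev2[name] = entry
            for side in ("remote", "local"):
                if entry[side] is None:
                    findings.append(f"tunnel-group {name}: no ikev2 {side}-authentication")
                elif entry[side] != "certificate":
                    findings.append(f"tunnel-group {name}: ikev2 {side}-authentication "
                                    f"is {entry[side]}, not certificate")
    return {"ikev1": ikev1, "ikev2": ikev2, "findings": findings}


if __name__ == "__main__":
    for line in audit(CONSTRUCTED_CONFIG)["findings"]:
        print(line)
```

Run against the constructed config it flags the pre-shared-key policy and tunnel-group and the tunnel-group that only set one side of the IKEv2 authentication; myIPsecGroup, configured as in the post, passes.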


11 Aug

need ideas

   Posted by: cristina_crow    in personal, thoughts

Lately I am super bored.

I’m not saying I don’t have things to do. They are just completely not-interesting and super very boring.

I need stuff to keep my brain rolling. Right now, with the things I do, my brain is at less than 10% actual usage. I need something interesting to do, to be at at least 70%, as I was while studying 4G or IPsec.

For ze record: the 2 security certifications I took in less than 1 month learning were probably taking my brain to 30% usage :(

Need ideas for cool, interesting, challenging things to do/learn.

Humanitarian cause: help my brain stay alive. Please help.


4 Aug

freaking, nightmare-giving CheckPoint NAT

   Posted by: cristina_crow    in technical

I believe this is how it works, at least partially. I could not find this information anywhere online; I only got partial answers that don’t actually cover all the cases, not to mention all the aspects of where exactly in the FW engine the NAT actually happens:

===========================================================================
Automatic NAT:
- Static NAT
> 2 NAT rules are automatically created:
>> a source translation that translates the source between the original and
   the NAT address.
>> a destination translation that translates the destination between the
   NAT and the original address.
> creates proxy ARP
 -- Translate on Client Side ON
> translates on Inbound, after VM, before routing, on interface I
> no additional routes needed
 -- Translate on Client Side OFF
> translates on Outbound, after routing, after VM, on interface O
> add route from public IP to private IP

- Hide NAT (as this is also "automatic", it only works with a public IP from an FW interface)
> creates proxy ARP
 -- Translate on Client Side ON
> translates on Inbound, after VM, before routing, on interface I
> no additional routes needed

 -- Translate on Client Side OFF
> translates on Outbound, after routing, after VM, on interface O
> no additional routes needed
===========================================================================
Manual NAT:
- Static NAT
 -- Translate on Client Side ON
> add ARP entries to the FW for all hiding IPs
> no additional routes needed
> translates on Inbound, after VM, before routing, on interface I

 -- Translate on Client Side OFF
> add ARP entries to the FW for all hiding IPs
  --- Hiding IP in same subnet as FW external Interface
> add route from public IP to private IP
  --- Hiding IP in different subnet as FW external Interface
> add route from public IP to private IP: next hop: private IP

- Hide NAT
 -- Translate on Client Side ON
  --- Hiding IP in same subnet as FW external Interface
> no ARP changes needed
> no additional routes needed
> translates on Inbound, after VM, before routing, on interface I

  --- Hiding IP in different subnet as FW external Interface
> add ARP entry to the FW for the hiding IP
> translates on Inbound, after VM, before routing, on interface I
> routes ? 

 -- Translate on Client Side OFF
  --- Hiding IP in same subnet as FW external Interface
> add route from public IP to private IP
> translates on Outbound, after routing, after VM, on interface O

  --- Hiding IP in different subnet as FW external Interface
> add route from public IP to private IP: next hop: private IP
> translates on Outbound, after routing, after VM, on interface O
===========================================================================
CopyRight: CheckPoint
===========================================================================
Do Manual NAT when:
- Instances where remote networks only allow specific IP addresses
- Situations where translation is desired for some services, and not others
- Environments where more granular control of address translation in VPN tunnels is needed
- Enterprises where address translation rule base must be manipulated
- When Port Address Translation is required
- Environments where granular control of address translation between internal networks is required
- When a range of IP addresses, rather than a network, will be translated
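The "Translate on Client Side" rows above all reduce to one question: does the routing lookup see the public (NAT) address or the private one? The following packet-flow model is an added example, not code from the original post or from Check Point; it walks an inbound packet through the order the post describes (policy in the inspection engine, which Check Point's chain calls the fw VM, then client-side NAT, then routing, then server-side NAT) for the static destination-NAT case and shows why the client-side OFF variant needs the extra route from the public IP to the private IP. All addresses, interface names ("int", "ext") and the routing table are constructed for the example.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed addresses (RFC 5737 / RFC 1918 ranges), not from the original post.
PUBLIC_IP = "203.0.113.10"
PRIVATE_IP = "10.1.1.10"
STATIC_NAT = {PUBLIC_IP: PRIVATE_IP}   # destination translation: public -> private

# Routing table as the firewall has it before any NAT-specific route is added:
# the private subnet is behind "int", everything else goes out "ext".
BASE_ROUTES = [("10.1.1.0/24", "int"), ("0.0.0.0/0", "ext")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def lookup_route(dst, routes):
    """Longest-prefix match over (prefix, interface) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def inbound(pkt, translate_on_client_side, routes):
    """Walk a packet arriving on interface I through the chain the post describes:
    policy (VM) -> [client-side NAT] -> routing -> [server-side NAT] -> interface O.
    Returns (packet after the chain, egress interface, human-readable trace)."""
    trace = [f"I: policy (VM) sees dst {pkt.dst}"]
    if translate_on_client_side:
        # Inbound, after VM, before routing: routing already sees the private address.
        pkt = replace(pkt, dst=STATIC_NAT.get(pkt.dst, pkt.dst))
        trace.append(f"I: client-side NAT, dst -> {pkt.dst}")
    egress = lookup_route(pkt.dst, routes)
    trace.append(f"routing on dst {pkt.dst} -> {egress}")
    if not translate_on_client_side:
        # Outbound, after routing: the routing decision was made on the public address.
        pkt = replace(pkt, dst=STATIC_NAT.get(pkt.dst, pkt.dst))
        trace.append(f"O: server-side NAT, dst -> {pkt.dst}")
    return pkt, egress, trace


def reaches_internal_host(translate_on_client_side, extra_routes=()):
    """True if an inbound packet for PUBLIC_IP ends up on 'int' addressed to PRIVATE_IP."""
    pkt = Packet(src="198.51.100.7", dst=PUBLIC_IP)   # constructed external client
    final, egress, _ = inbound(pkt, translate_on_client_side, BASE_ROUTES + list(extra_routes))
    return final.dst == PRIVATE_IP and egress == "int"


if __name__ == "__main__":
    for client_side in (True, False):
        _, _, steps = inbound(Packet("198.51.100.7", PUBLIC_IP), client_side, BASE_ROUTES)
        print(f"Translate on Client Side {'ON' if client_side else 'OFF'}:")
        for s in steps:
            print("  " + s)
    # The fix the post lists for client-side OFF: a route for the public IP towards the private side.
    print("OFF + route:", reaches_internal_host(False, [(PUBLIC_IP + "/32", "int")]))
```

With client side ON the lookup runs on 10.1.1.10 and the existing subnet route suffices; with client side OFF the lookup runs on 203.0.113.10, matches only the default route, and the packet would leave through "ext" with its destination rewritten too late. Adding the host route for the public IP towards the private side is what makes the OFF case work, which is the "add route from public IP to private IP" line in the table.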


2 Aug

why do the metal bands do that?

   Posted by: cristina_crow    in media-culture

Recently I am thinking about PoisonBlack, specifically. The only song of theirs that I actually like is Rush. I haven’t listened to all of them, because I simply did not have the patience to do that!

Man, Love Infernal, Mercury Falling… what’s up with that CRAP? My feeling is that they are trying to resemble HIM. Now, I know HIM is a big hit and everything, but most of HIM’s songs sound all the same. A PoisonBlack sounding like HIM, but not being HIM, just does not make any freaking sense!

The saddest part of the story is that I actually LOVE Sentenced.

The Sentenced vocalist, Ville Laihiala, is now the vocalist of PoisonBlack. Unfortunately, Sentenced dissolved in 2006, after Miika Tenkula’s death. Miika Tenkula wrote most of the Sentenced songs – and boy, they were SUPER!

Now, if I am to go to a concert, hoping to listen to… at least _something_ that sounds like Sentenced, I have nowhere to go. I wish PoisonBlack were more like Sentenced, but only Rush sounds good, as far as I can tell so far. If only Miika were still alive! He would continue to write cool songs, and the boring PoisonBlack band would never have been invented.

For those who like to listen to Sentenced, take a look at the following live concert, from my YouTube Playlist: http://www.youtube.com/watch?v=sOetxT3nMnU&feature=mh_lolz&list=PL24B495A465BFABF1


25 Mar

the crap from Vodafone

   Posted by: cristina_crow    in personal

This time, the ringback tone.

About 2 days ago I get an SMS saying I will receive a call from 800, to be given information about musical ringback tones.

I listen to that message; I have 3 options in the IVR, each for some dumb song by the great Romanian pop/dance musicians. I hang up.

The next day, i.e. yesterday, I wake up with a ringback tone with musicians. => CRAP AS HELL

I called *222 and told them to remove the tone immediately. They removed it.

Supposedly they activated it for free for the first month, an offer for me, since I’m an old customer, and after that it costs money. They could not answer my question: why do you activate a service that I did not ask for, and in fact explicitly refused?

Vodafone FAILED. Again.


24 Jan

new post from Cenusa de Trandafir – burnout baby

   Posted by: cristina_crow    in personal

Don’t know why, but this seems very topical for me, adding the cold that arrived right on time :(

In Romanian it would mean exhaustion, but not the kind of exhaustion that passes with a pleasant weekend, a shower, a tea and a nap or a round of sex. It’s about chronic exhaustion, complete, total and irremediable weariness. An exhaustion at the edge of the pathological.

It can be caused by your job, the relationship with your partner, the relationship with your parents, the house… And like any pathology it has symptoms. Fatigue, endless headaches, nausea, crying fits apparently without any reason.

The problem with burnout is that from a logical, rational, Cartesian point of view, nothing supports your decision to change the situation. That is why it is also called an over-adaptation phenomenon. You keep making efforts to bend yourself to an environment that is not favourable to you. That is after you manage to establish what the problem is. Which, between us, is difficult.

http://www.cenusadetrandafir.ro/burnout-baby


24 Jan

the nosy ones

   Posted by: cristina_crow    in thoughts

They are everywhere. There is no escape anymore. Because privacy is over-rated.

At work, on the street, online. I see them everywhere. They are there, their opinion counts, they must be taken into account, they _must_ know: which, where, how, what, from where, when, who… and so on

I have at least one at work. They would not reveal anything about themselves, like where they live, what they do on holiday, where they go, what movies they have seen, how they spend their free time… and so on. But all the other colleagues get detailed questioning about where they bought their house, how much they paid for it, what car they have, how much they paid for it, where they went on holiday, what games they have played… and so on

And online is the worst. Read: Facebook, first of all. Indeed, you can calmly say: what a cool holiday I had in Paris, and post pictures… or… I’m walking around Amsterdam or Florence, and people look at the pictures and ask this and that. But even for the most mundane trips, there is always someone who asks for the report: where are you? what are you doing there? how long are you staying? when are you coming back?

Oh really! And if I don’t tell you what I’m doing? Do you die? Are you happier with your bitter, dry life if you feel I’m reporting to you? FUCK OFF!!! The people who might be interested in knowing where I am, know. Why the hell do I have to broadcast where I go and what I do? I know, I’m on Facebook, but I post what I want and how I want; it drives me mad when someone comes to interrogate me about what I’m doing, where I am, oh my! how come you’re theeere?????, how long I’m staying and when I’m coming back.

My line: MIND YOUR OWN FUCKING BUSINESS, IDIOT!


23 Nov

dilemma

   Posted by: cristina_crow    in thoughts

Why the hell don’t people (who even consider themselves smart) understand that the one who points out the problems takes the first step towards solving them?

Why are those who do NOT point out the problems the ones who are appreciated?

Have we all really come to want to live in the Lie? How far is it to the Matrix?

Let’s all pretend, joyfully, that things are rosy. Maybe they will turn rosy overnight, without anyone’s intervention.


30 Oct

one done, no more to go :(

   Posted by: cristina_crow    in personal

http://www.iaria.org/conferences2011/ICN11.html

Being the super goofy and a half that I am, I had the impression it was in Holland, because I’m more concerned with the conference’s ranking and requirements than with the location itself.

Guess what: it was not in the Netherlands, but in the Netherlands ANTILLES.

600-something euros for the registration

almost 200 euros per night for accommodation for 2 people

about 1000-something euros for the return flight; at least BA has Bucharest – UK – Miami – Curacao

My sister swears she will come with me, and that she will starve until January. Reality says I will actually pass on this conference :)

The hotel is right on Maho Beach == the explanation for the line above about my sister hopping around the house because she wants to go :P http://www.sonesta.com/mahobeach/

Dear Cristina,

Congratulations! Your contribution 10330 to ICN 2011 titled “Security Analysis of LTE Access Network”  is accepted.

………


24 Oct

innovation and hypocrisy – since they both start with “i”

   Posted by: cristina_crow    in personal

Recently I have come to the conclusion that I cannot pay on my own for the trips to the various international conferences that have accepted the papers I wrote as part of my PhD thesis. The reasons are less important now.

Given that it seems what I do has some value, more international conferences have invited me to attend and to publish in their journals, most of them indexed by ISI or IEEEXplore. Since I cannot pay for the registration/travel/accommodation there, I tried to contact various people/companies who brag on TV, on the Internet and in the newspapers that they help and encourage research and innovation in IT.

Well, my conclusion, after no reply from some and a reply of “we have no budget for research” from others, is that these companies are in fact very hypocritical and dishonest, because the moment they are offered the chance to support research, they shrug.

Or, who knows, maybe “encouraging” research is done with a handshake, a friendly pat on the shoulder and the wonderful wish: “Good luck, Cristina!”.
