SSL/TLS Eavesdropping with Fullpath Control
2. 2©A10 Networks, Inc.
Not a Mathematician!!! -> Don’t fault me on my math.
Work for A10 Networks as a Principal Architect.
Jack of all trades
Formula One Junky
Python Junky
You can find me on LinkedIn: Layer427expert
A little about myself
3. 3©A10 Networks, Inc.
The topic of SSL/TLS is enormous.
We will not cover every topic.
We will try to give you the basis of understanding so that we can talk about
eavesdropping.
We will not be covering cryptographic attacks in the eavesdropping section.
If you have questions we will be more than happy to talk after class.
There are a lot of things we can discuss, but let's stay on point.
I am the only rat hole digger in this lab. After the lab we can dig over a drink.
Actors:
About this Lab/Lecture
4. 4©A10 Networks, Inc.
Basics of SSL
Basics of SSL Eavesdropping
Utilizing SSL Eavesdropping for Defense
SSL Eavesdropping for Offense and Detection
Lab Agenda
6. 6©A10 Networks, Inc.
The TLS protocol allows client-server applications to communicate across a
network in a way designed to prevent eavesdropping and tampering. - We will come
back to this
Through Public key cryptography it is the basis for E-Commerce Security and Trust
Utilized by almost everyone: “Who wants to be secure…”
Source of pain felt globally when vulnerabilities are found.
For non-security people, it is:
– Blindly Trusted
– Never questioned
– Always Secure
What is SSL?
7. 7©A10 Networks, Inc.
Think of SSL/TLS having four parts:
– The Protocol
– Key Exchange
– Bulk Crypto Operations
– Chain of Trust
The primary purpose of SSL/TLS is to compute a secret key that will be utilized for
symmetric encryption.
– This is accomplished through Asymmetric Cryptography
The Purpose of SSL/TLS
8. 8©A10 Networks, Inc.
SSL/TLS can provide:
– identification:
When the Chain of Trust can be established.
– authentication
When client authentication is enabled.
– confidentiality
Encryption of data in flight.
– integrity
Through Cipher Suites
Benefits
10. 10©A10 Networks, Inc.
Protocol Basics
Think of the TLS handshake
messages similar to TCP handshake.
The messages are to negotiate a set
of parameters that will be utilized
going forward.
11. 11©A10 Networks, Inc.
Client Hello
Purpose:
1. Establish Protocol Version
2. Send Random Number 1
3. Session ID if it exists
4. Send List of supported Cipher Suites
   – Each Cipher will tell you what it is doing. You just have to understand what each segment explains
5. Compression Algorithm
12. 12©A10 Networks, Inc.
Purpose:
1. Version Number
2. Send Random Number 2
3. Session ID if it exists.
4. Set the Cipher Suite
5. Send Public Certificate.
6. Compression Algorithm
Server Hello
13. 13©A10 Networks, Inc.
Client Key Exchange
Purpose:
1. Send the Pre-Master Secret encrypted with the server's Public Key
Between the Server Hello and the Client Key Exchange the Client validates the Certificate against its Root CA list.
We will discuss this in a later section.
15. 15©A10 Networks, Inc.
Client Encrypted Handshake Message
Purpose:
1. First message sent to the server that is
encrypted.
2. Will be utilized by server to see if
encrypted channel is valid.
3. End of handshake from client
16. 16©A10 Networks, Inc.
Server Change Cipher Spec & Encrypted Handshake
Message
Purpose:
1. Notifies client that server decrypted
messages
2. Generates the master secret and sends
the client a finished message encrypted.
19. 19©A10 Networks, Inc.
RSA
– RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977. Clifford Cocks, an English mathematician, had developed an equivalent system in 1973, but it was not declassified until 1997. (Source: Wikipedia)
– Currently the most widely utilized.
– Utilizes modular arithmetic.
DH <- We are not going to cover this topic. We will talk about PFS and ECDH specifically.
– First published by Whitfield Diffie and Martin Hellman in 1976. By 1975, James H. Ellis, Clifford Cocks and Malcolm J. Williamson within GCHQ, the British signals intelligence agency, had also shown how public-key cryptography could be achieved; however, their work was kept secret until 1997. (Source: Wikipedia)
– Utilizes modular arithmetic.
ECC
– The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005.
– Based on the algebraic structure of elliptic curves over finite fields.
– Hurts my head to think; don’t let the pretty graph fool you….
Public-Key Encryption Algorithms
21. 21©A10 Networks, Inc.
Cipher Suites notation
Cipher ID: a unique 2-3 byte cipher identifier. For example, SSL2_RC4_128_WITH_MD5 is identified as 0x010080 and TLS_RSA_WITH_3DES_EDE_CBC_SHA is identified as 0x00000A or simply 0x000A.
Name: common cipher suite name. TLS ciphers have the TLS_Kx_[Au]_WITH_Enc_MAC format. SSL2 only uses RSA for key exchange and authentication, so its names have the SSL2_Enc_WITH_MAC format.
Protocol: most cipher suites fall into either the TLS or the SSL/SSL2 protocols. The only exception is Microsoft's proprietary PCT protocol.
Kx: key exchange algorithm. The most popular exchange methods are RSA and Diffie-Hellman (DH/DHE). Some of the more exotic methods include Kerberos (KRB5), Pre-Shared Key (PSK), and others.
Au: authentication algorithm. RSA is commonly used for key authentication.
Enc: symmetric encryption algorithm (e.g. DES, 3DES, AES, RC4, etc.)
Bits: effective symmetric encryption key size in bits. Ciphers for export outside the US are limited to 40-56 bits.
MAC: hashing algorithm used for TLS/SSL data packet integrity and authentication checks.
Anon: anonymous cipher suites with no key authentication. Highly vulnerable to man in the middle attack.
Export: intentionally crippled cipher suite to conform to US export laws. The symmetric cipher used in export cipher suites typically does not exceed 56 bits.
NULL: null cipher suites do not provide any data encryption and/or data integrity. The TLS_NULL_WITH_NULL_NULL (0x0000) cipher suite is used during initial session establishment.
Source: https://www.thesprawl.org/research/tls-and-ssl-cipher-suites/
22. 22©A10 Networks, Inc.
Cipher Suite Examples
Cipher ID  Name                                  Protocol  Kx    Au   Enc          Bits  Mac
0x000009   TLS_RSA_WITH_DES_CBC_SHA              TLS       RSA   RSA  DES_CBC      56    SHA
0x00003C   TLS_RSA_WITH_AES_128_CBC_SHA256       TLS       RSA   RSA  AES_128_CBC  128   SHA256
0x00003D   TLS_RSA_WITH_AES_256_CBC_SHA256       TLS       RSA   RSA  AES_256_CBC  256   SHA256
0x00003E   TLS_DH_DSS_WITH_AES_128_CBC_SHA256    TLS       DH    DSS  AES_128_CBC  128   SHA256
0x00003F   TLS_DH_RSA_WITH_AES_128_CBC_SHA256    TLS       DH    RSA  AES_128_CBC  128   SHA256
0x00C00E   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA     TLS       ECDH  RSA  AES_128_CBC  128   SHA
0x00C00F   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA     TLS       ECDH  RSA  AES_256_CBC  256   SHA
0x00009E   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   TLS       DHE   RSA  AES_128_GCM  128   SHA256
Green Indicates Perfect Forward Secrecy Support
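The notation above can be read mechanically. The following is an added example, not part of the original slides: it splits a TLS suite name into the Kx/Au/Enc/MAC fields and flags the weak properties the notation slide lists. The function names, the flag strings and the 128-bit floor are assumptions of this example.

```python
import re

EPHEMERAL_KX = {"DHE", "ECDHE"}  # key exchanges that provide forward secrecy
MIN_BITS = 128                   # assumed policy floor, not taken from the slides


def key_bits(enc):
    """Symmetric key size implied by the Enc field, or None when unknown."""
    if enc == "NULL":
        return 0
    if enc.startswith("3DES"):
        return 168               # nominal 3DES key length
    if enc.startswith("DES40"):
        return 40
    if enc.startswith("DES"):
        return 56
    m = re.search(r"_(\d+)", enc)
    return int(m.group(1)) if m else None


def parse_suite(name):
    """Split TLS_Kx_[Au]_WITH_Enc_MAC into fields and list weak properties."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)", name)
    if m is None:
        raise ValueError("not a TLS_*_WITH_* suite name: %r" % name)
    left = m.group(1).split("_")
    export = "EXPORT" in left
    left = [part for part in left if part != "EXPORT"]
    kx, au = left[0], left[-1]          # a lone "RSA" is both Kx and Au
    enc, _, mac = m.group(2).rpartition("_")
    bits = key_bits(enc)
    pfs = kx in EPHEMERAL_KX

    flags = []
    if not pfs:
        flags.append("no-forward-secrecy")
    if au == "anon":
        flags.append("anonymous")
    if export:
        flags.append("export")
    if enc == "NULL":
        flags.append("null-encryption")
    if bits is not None and bits < MIN_BITS:
        flags.append("weak-key")
    return {"kx": kx, "au": au, "enc": enc, "bits": bits,
            "mac": mac, "pfs": pfs, "flags": flags}


# Names from the Cipher Suite Examples table plus two constructed extras
# (an anonymous suite and the NULL suite mentioned in the notation).
SAMPLE = [
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_NULL_WITH_NULL_NULL",
]

if __name__ == "__main__":
    for suite in SAMPLE:
        info = parse_suite(suite)
        print(suite, info["bits"], ", ".join(info["flags"]) or "ok")
```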
24. 24©A10 Networks, Inc.
Note: We are not talking about ECC Cipher Suite yet….. We will get to that.
Based on the RSA algorithm
Encryption: c = m^e mod n
Decryption: m = c^d mod n
– Encryption and Decryption are inverse functions
Remember how back in school:
15 = 3*5 and the inverse is 5 = 15/3
RSA Asymmetric Cryptography
Where:
e = public exponent
m = message
n = modulus (public, part of the key in the certificate)
d = private exponent (the private key)
c = cipher text
25. 25©A10 Networks, Inc.
Non-Padded Example
e = 7
d = 1810402843
n = 2534665157
msg = "Hello World!"
print("Message Send:", msg)
# Encrypt each character separately: c = m^e mod n
cipher_buffer = []
for m in msg:
    c = pow(ord(m), e, n)
    print("Clear Text:", m, "| Cipher Text:", c)
    cipher_buffer.append(c)
print("Message in flight:", "".join(str(x) for x in cipher_buffer))
# Decrypt each value with the private exponent: m = c^d mod n
msg = ""
for c in cipher_buffer:
    m = chr(pow(c, d, n))
    print("Cipher Text:", c, "| Clear Text:", m)
    msg = msg + m
print("Message Received:", msg)
Message Send: Hello World!
Clear Text: H | Cipher Text: 942978039
Clear Text: e | Cipher Text: 2268399915
Clear Text: l | Cipher Text: 1042287397
Clear Text: l | Cipher Text: 1042287397
Clear Text: o | Cipher Text: 1592280001
Clear Text: | Cipher Text: 1409091327
Clear Text: W | Cipher Text: 2057956152
Clear Text: o | Cipher Text: 1592280001
Clear Text: r | Cipher Text: 2200164507
Clear Text: l | Cipher Text: 1042287397
Clear Text: d | Cipher Text: 2390226036
Clear Text: ! | Cipher Text: 2063800465
Message in flight:
94297803922683999151042287397104228739715922800011
40909132720579561521592280001220016450710422873972
3902260362063800465
Cipher Text: 942978039 | Clear Text: H
Cipher Text: 2268399915 | Clear Text: e
Cipher Text: 1042287397 | Clear Text: l
Cipher Text: 1042287397 | Clear Text: l
Cipher Text: 1592280001 | Clear Text: o
Cipher Text: 1409091327 | Clear Text:
Cipher Text: 2057956152 | Clear Text: W
Cipher Text: 1592280001 | Clear Text: o
Cipher Text: 2200164507 | Clear Text: r
Cipher Text: 1042287397 | Clear Text: l
Cipher Text: 2390226036 | Clear Text: d
Cipher Text: 2063800465 | Clear Text: !
Message Received: Hello World!
26. 26©A10 Networks, Inc.
This is where padding schemes come into play.
However, lots of padding attacks have been discovered.
Read online about this if you want to dig deeper.
Plain RSA is vulnerable to attack….
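Why the non-padded example needs padding, shown as an added example that is not part of the original slides: unpadded RSA is deterministic, so the per-character ciphertexts above form a fixed substitution table that anyone holding only the public values (e, n) can rebuild. The function names are assumptions of this example; the key is the toy key from the slide.

```python
from collections import Counter

E, N = 7, 2534665157   # public values of the toy key on the slide


def encrypt_per_char(msg):
    """The slide's scheme: one unpadded RSA operation per character."""
    return [pow(ord(ch), E, N) for ch in msg]


def build_codebook():
    """Encrypt every possible byte once; this needs no private key."""
    return {pow(b, E, N): chr(b) for b in range(256)}


def recover_without_private_key(ciphertexts):
    """Map each observed ciphertext back through the public codebook."""
    book = build_codebook()
    return "".join(book[c] for c in ciphertexts)


def repeated_blocks(ciphertexts):
    """Equal plaintext characters give equal ciphertexts, leaking structure."""
    return {c: k for c, k in Counter(ciphertexts).items() if k > 1}


if __name__ == "__main__":
    wire = encrypt_per_char("Hello World!")
    print("repeats:", repeated_blocks(wire))
    print("recovered with (e, n) only:", recover_without_private_key(wire))
```

Randomized padding makes two encryptions of the same message differ, which is what removes both the repeats and the codebook.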
28. 28©A10 Networks, Inc.
ECC Cryptography
Equation:
y^2 = x^3 + ax + b
However, there is a lot of complex subject matter behind it…
If you want to read a great set of posts visit:
http://jeremykun.com/2014/02/08/introducing-elliptic-curves/
https://www.certicom.com/10-introduction
So let's move on to ECDH to get a practical example.
29. 29©A10 Networks, Inc.
Diffie–Hellman
Alice and Bob agree to use a prime number p = 23 and base g = 5 (which is a
primitive root modulo 23).
Alice chooses a secret integer a = 6, then sends Bob A = g^a mod p
A = 5^6 mod 23 = 8
Bob chooses a secret integer b = 15, then sends Alice B = g^b mod p
B = 5^15 mod 23 = 19
Alice computes s = B^a mod p
s = 19^6 mod 23 = 2
Bob computes s = A^b mod p
s = 8^15 mod 23 = 2
Alice and Bob now share a secret (the number 2).
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
30. 30©A10 Networks, Inc.
Elliptic curve Diffie–Hellman (ECDH) is an anonymous key agreement protocol
that allows two parties, each having an elliptic curve public–private key pair, to
establish a shared secret over an insecure channel.
The shared secret will be utilized to perform symmetric encryption.
– In the case of the following Cipher Specification AES-256 is utilized:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
ECDH
When reviewing ECC I was confused about how the Finite Field was
initialized and I realized it is specified in the domain parameters. For
more information:
http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-56Arev1_3-8-07.pdf
31. 31©A10 Networks, Inc.
Session 1:
FiniteField: 3851
Secret keys, Alice: 194 , Bob:33
base_point (920 (mod 3851), 303 (mod 3851)) 3014 2809
Public keys, Alice:(3014 (mod 3851), 2809 (mod 3851)) , Bob:(1324 (mod 3851),
2950 (mod 3851))
Shared secret: ALice:(2462 (mod 3851), 3558 (mod 3851)) , Bob:(2462 (mod 3851),
3558 (mod 3851))
Bob is extracing x-coordinate to get an integer shared secret: 2462
Alice is extracing x-coordinate to get an integer shared secret: 2462
ECDH Working Example Session 1
32. 32©A10 Networks, Inc.
FiniteField: 3851
Secret keys, Alice: 90 , Bob:74
base_point (920 (mod 3851), 303 (mod 3851)) 1034 733
Public keys, Alice:(1034 (mod 3851), 733 (mod 3851)) , Bob:(3241 (mod 3851), 1093
(mod 3851))
Shared secret: Alice:(2718 (mod 3851), 3657 (mod 3851)) , Bob:(2718 (mod 3851),
3657 (mod 3851))
Bob is extracing x-coordinate to get an integer shared secret: 2718
Alice is extracing x-coordinate to get an integer shared secret: 2718
ECDH Working Example Session 2
33. 33©A10 Networks, Inc.
Forward secrecy is a property of key-agreement protocols ensuring that a session
key derived from a set of long-term keys cannot be compromised if one of the
long-term keys is compromised in the future.
You do not get this with RSA
– Remember Client Random 1 and Server Random 1
– If a session was recorded and the private key is compromised, past sessions can be compromised
– If the private key is compromised then present and future sessions are also compromised.
Cipher suites that use ephemeral Diffie-Hellman (DHE) or the elliptic-curve variant
(ECDHE) will have perfect forward secrecy
Perfect Forward Secrecy
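The difference between RSA key transport and ephemeral Diffie-Hellman, as an added example that is not part of the original slides. It reuses the toy RSA key and the p = 23, g = 5 group from the earlier slides; the function names and the simplified messages (no randoms, raw RSA as a stand-in signature) are assumptions of this example.

```python
import secrets

# Toy parameters from the slides: RSA key (e, d, n) and DH group (p, g).
E, D, N = 7, 1810402843, 2534665157
P, G = 23, 5


def rsa_key_transport_session():
    """Client picks the pre-master secret and sends it under the server's public key."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"kx": "RSA", "enc_premaster": pow(premaster, E, N)}
    return premaster, wire            # wire = what a passive recorder keeps


def dhe_session():
    """Both sides pick fresh secrets per session; only g^a and g^b cross the wire."""
    a = secrets.randbelow(P - 2) + 1  # client ephemeral secret, discarded afterwards
    b = secrets.randbelow(P - 2) + 1  # server ephemeral secret, discarded afterwards
    A, B = pow(G, a, P), pow(G, b, P)
    sig = pow(B, D, N)                # long-term key only authenticates B (toy signature)
    client_secret = pow(B, a, P)
    server_secret = pow(A, b, P)
    wire = {"kx": "DHE", "A": A, "B": B, "sig": sig}
    return client_secret, server_secret, wire


def decrypt_recording(wire, stolen_d):
    """What a later compromise of the long-term private key yields from a recording."""
    if "enc_premaster" in wire:
        return pow(wire["enc_premaster"], stolen_d, N)
    # DHE: the key can check or forge sig, but the shared secret was never
    # sent in any form it can open. With a real-size group, recovering it
    # from A and B means solving a discrete log per session.
    return None


if __name__ == "__main__":
    pm, rec = rsa_key_transport_session()
    print("RSA transport recovered:", decrypt_recording(rec, D) == pm)
    cs, ss, rec = dhe_session()
    print("DHE secrets agree:", cs == ss, "| recovered:", decrypt_recording(rec, D))
```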
40. 40©A10 Networks, Inc.
http://threatpost.com/lenovo-superfish-certificate-password-cracked/111165
http://www.pcworld.com/article/2453343/microsoft-revokes-trust-in-certificate-authority-operated-by-the-indian-government.html
http://www.fastcompany.com/3042030/tech-forecast/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be
on and on and on
In the news
41. 41©A10 Networks, Inc.
The rest of the class we will focus on Trusted Root CA Poisoning and Root CA
Compromise.
We will focus on full-wire-control eavesdropping, a.k.a. Man-in-the-Middle.
We will not cover brute force or crypto attacks for eavesdropping.
If you want to explore server private key compromise then take a private key off
the server and utilize Wireshark.
Eavesdropping
43. 43©A10 Networks, Inc.
Let's look at the chain of Trust one more time.
1. Let's talk, but I need to know if I should trust you.
2. Here is my cert saying I know ICArus and there is his signature.
3. Have I untrusted ICArus? No
4. Do I Trust ICArus? Let me check
5. Here is my cert that says CArolyn Trusts me and here is her signature.
6. Have I untrusted CArolyn? No
7. Do I Trust CArolyn?
8. Here is my cert that says I Trust myself and here is my signature.
--- CArolyn’s signature was Trusted by someone who put it there so I must Trust it, right? Why not……
9. Hey buddy you’re a swell guy…
[Diagram: Your Computer’s Certificate Store with Trust and UnTrusted lists; actors You, ICArus, Someone, CArolyn and Kim John-Ca; arrows numbered 1 to 9 matching the steps above]
44. 44©A10 Networks, Inc.
Lots of money gets spent to become a CA.
Last time I checked in 2002 it was going to cost more in audit fees the first year
than we calculated the first 10 years revenue would be…
Here is how to get into the Windows OS
– https://msdn.microsoft.com/en-us/library/cc751157.aspx
If you are “really” a corporation you will do everything to make sure you are
Trusted.
Not being Trusted can put you out of business…. And this is the problem…
To be or not to be...Trusted
45. 45©A10 Networks, Inc.
From the time the CA is compromised to the time the compromise is discovered,
anyone who trusted that CA is at risk of Man in the Middle attacks.
After the CA compromise is discovered there is still a delta before an updated
revocation list or security update is made available.
There is another delta between the revocation list or security update being made
available until it is applied by the home user or the corporate administrator.
This is the WORST OF THE WORST because it could compromise everyone on the
internet.
Effects of Root CA Compromise
46. 46©A10 Networks, Inc.
This is where a ROOT CA certificate is implanted within the Trusted ROOT CA store
without the knowledge or authorization of the owner of the system.
How can this happen?
– Malware
– Physical Access
– Trusted programs
– Ignorance…
This is a more targeted approach. This will also be the most commonly
encountered.
Root CA Poisoning
47. 47©A10 Networks, Inc.
Lab Overview
[Diagram labels: Eve’s Frame of Reference; Eve; Offensive Eve; Defensive Eve; Yourbank.dcc.lab; Unsuspecting Bob aka you; Jerk-a-Jerk-a.dcc.lab; www.hotspot.dcc.lab; Compromised Service; HotSpot; Full Wire Control; Infected Bob; Corporate Network]
48. 48©A10 Networks, Inc.
Eve C2 - Defense
You are allowed one rule group at a time.
What this means is you can fill in every field; however, this will be the complete rule set.
Click the activate button to send the defensive commands.
Click disable protection to remove the commands.
Activate will overwrite the existing rule.
49. 49©A10 Networks, Inc.
EVE C2 - Offense
This tool will be utilized to inject content into the data path.
It will also load the data that was captured from the eavesdropping.
Do not goose yourself by putting sensitive information into the lab systems.
50. 50©A10 Networks, Inc.
EVEC2 - Exploit
This tool, in conjunction with your browser or Python scripts, will give you the ability to
send predefined exploits to the server over SSL.
The bot payload will send a predefined payload to the
command server over SSL.
52. 52©A10 Networks, Inc.
Add Server Information here when lab is built
We will be utilizing DVWA, which is a vulnerable web application written in PHP,
as the target.
There are Twisted Instances that are written for
Server Type
54. 54©A10 Networks, Inc.
Cyber Threats Hidden in SSL Traffic
– 35%+ of Internet traffic is encrypted
– 50% of attacks will use encryption to bypass controls by 2017
– 80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
– 70%+ SSL traffic for some organizations
Sources:
“SSL Performance Problems,” NSS Labs, 2013 and service provider data
“Security Leaders Must Address Threats From Rising SSL Traffic,” 2013
56. 56©A10 Networks, Inc.
Drivers for SSL Traffic Growth
Snowden Leaks in June 2013
–Revelations of NSA snooping
increased privacy concerns
Privacy watchdogs now
publish SSL report cards
57. 57©A10 Networks, Inc.
Surveillance and Search Engine Ranking
New disclosures in 2014 that governments were leveraging app
vulnerabilities to inject surveillance software in web traffic
– Targeted sites YouTube and Microsoft Live
used as conduits to inject malware
– Now YouTube & MS Live encrypt traffic
In August 2014, Google announced it
would rank SSL sites higher for SEO
Source: Washington Post
58. 58©A10 Networks, Inc.
SSL Performance Impact on Next Gen Firewalls
[Bar chart: Performance Impact with 2048-bit SSL Ciphers, axis 0% to 100%, for Juniper SRX3600, Stonesoft 3202, Palo Alto Networks PA-5020, SourceFire 8250, Check Point 12600, Dell SonicWALL E10800, Fortinet 3600C and SourceFire 8290]
81%: The average of performance loss across 7 NG Firewalls
Source: “SSL Performance Problems,” NSS Labs, 2013
60. 60©A10 Networks, Inc.
BACKGROUND
Organization had deployed
security devices from many
leading security vendors
SSL traffic not inspected due to
performance, scale, & complexity
RESULT OF ATTACK
Attackers infiltrated network,
installed malware, and stole data
across multiple end-points
Organization dropped internet
connectivity for days, performed
lengthy forensics and remediation
ESTIMATED FINANCIAL COSTS
Lost productivity and forensic investigation = Medium Cost
Loss of intellectual property = High Cost
Impact of Not Inspecting SSL: A Case Study
FINDINGS: Network security tools could have prevented this attack if the
tools had had visibility into SSL traffic
61. 61©A10 Networks, Inc.
How Malware Developers Exploit Encrypted Traffic
[Diagram labels: Botnet Herder; Clients; Command and Control Servers; HTTPS; Data exfiltration over SSL channels; Malicious file in instant messaging; Drive-by download from an HTTPS site; Malicious attachment sent over SMTPS]
• Encryption obscures:
– Bot installation
– C&C communication
– Data exfiltration
62. 62©A10 Networks, Inc.
Reference Architecture: Inline Deployment
1. A10 Thunder ADC decrypts
outbound SSL traffic
2. A third-party security device
inspects traffic in clear text
3. A second Thunder ADC appliance
encrypts SSL traffic and forwards it
to the Internet
4. Thunder ADC decrypts the response
from the Internet
5. The third-party security device
inspects inbound traffic
6. Thunder ADC encrypts and forwards
the response to the server
[Diagram labels: Client; A10 ADC; Inspection and Protection (IDS, UTM, DLP, Other); A10 ADC; Server; segments marked Encrypted, Decrypted, Encrypted; arrows numbered 1 to 6 matching the steps above]
63. 63©A10 Networks, Inc.
Reference Architecture: Non-inline Deployment
A Thunder ADC intercepts and
decrypts SSL traffic
Thunder ADC forwards
decrypted traffic to third party
security devices
Security devices inspect traffic
for attacks or data loss
Thunder ADC encrypts
decrypted traffic and forwards
it to the intended destination
[Diagram labels: Client; A10 Thunder ADC; Security Devices; Internet Server; segments marked Encrypted, Decrypted, Encrypted]
67. 67©A10 Networks, Inc.
Governments
– Gathering Intelligence
– Hiding exfiltration traffic
– Avoid Detection
– Bot Command and Control
– others?
Criminals
– Click Fraud
– Theft of personal data
– money
– Ego
What is the motivation?
SKY-NET
– Destruction of the human race.
– Kill John Connor
70. 70©A10 Networks, Inc.
Lab 3 Scenario
You are at some coffee shop.
You need to check your bank account because your (“Mine, I am
projecting”) calls up and says I need $5000.00 today for college.
So you connect to the Wi-Fi hotspot and…
Little did you know that DNS has been hijacked and a server owned
by the attacker is in play. The Eve here has full-wire-control because they own the
hotspot.
You figure that everything would be alright. So just click ok…
72. 72©A10 Networks, Inc.
Open your browser and go to
https://www.hotspot.dcc.lab/login/login.html
Enter any username
Enter any password
Click Login
You will be redirected.
Lab 3 Instructions: Step 1
75. 75©A10 Networks, Inc.
Application will install an icon on the Desktop.
If the application is not started, click on the icon.
Enter any username and password again.
And click Logon.
Lab 3 Instructions: Step 4
76. 76©A10 Networks, Inc.
Since we still need to install the certificate we will utilize a little bit
of social engineering to get you to do this.
On older versions of Windows or other operating systems this could be
bypassed more easily if we are delegated super user
privileges during setup...
Just click ok… Your son needs money.
Lab 3 Instructions: Step 5
78. 78©A10 Networks, Inc.
Lab 3 Instructions: Step 7
When you see the log out button you know everything is good.
Your browser will open over the application window and take you to
your banking website.
If you are not able to connect to install the certificate or cannot
signal to the attacker you will be denied access.
93. 93©A10 Networks, Inc.
Cert Pinning
Embedded Certificate in Compiled Code.
OCSP
CRL
How to protect against offensive attacks?
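Two fingerprint checks that follow from this slide and from the Root CA Poisoning slide, as an added example that is not part of the original deck: a certificate pin that still fails when a poisoned root makes normal chain validation pass, and a diff of the local trust store against a known-good baseline. Function names, the PinMismatch exception and the sample byte strings are assumptions of this example; it pins the leaf certificate's SHA-256 hash.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when a validated certificate is not one of the pinned ones."""


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned):
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p) for p in pinned)


def unexpected_roots(store_ders, baseline):
    """Roots present in the trust store but absent from the known-good baseline."""
    return sorted(fingerprint(d) for d in store_ders
                  if fingerprint(d) not in baseline)


def connect_pinned(host, pinned, port=443, timeout=5):
    """Normal chain and hostname validation first, then the pin on top of it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned):
                raise PinMismatch("%s: chain validated but certificate is not pinned" % host)
            return tls.version()


def local_trusted_roots():
    """Roots Python has loaded from the system store. Caveat: certificates in a
    capath directory are only loaded on demand, so this list can be incomplete."""
    return ssl.create_default_context().get_ca_certs(binary_form=True)


# Constructed stand-ins for DER certificates, so the checks run offline.
GENUINE_LEAF = b"constructed-der-genuine-bank-leaf"
FORGED_LEAF = b"constructed-der-leaf-minted-by-implanted-root"
ROOT_A, ROOT_B = b"constructed-der-root-a", b"constructed-der-root-b"
IMPLANTED_ROOT = b"constructed-der-implanted-root"

if __name__ == "__main__":
    pins = {fingerprint(GENUINE_LEAF)}
    print("genuine passes pin:", pin_matches(GENUINE_LEAF, pins))
    print("forged passes pin:", pin_matches(FORGED_LEAF, pins))
    baseline = {fingerprint(ROOT_A), fingerprint(ROOT_B)}
    print("unexpected roots:", unexpected_roots([ROOT_A, IMPLANTED_ROOT, ROOT_B], baseline))
```

Against a real store, record the baseline from a known-clean build and pass the output of local_trusted_roots() to unexpected_roots().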
94. 94©A10 Networks, Inc.
Validation Server
My Financial Server
Unsuspecting Larry
Eve
Physical proximity full-wire-control is needed for a successful attack.
Potentially PGP Encrypted Payload to validation services.
Validation Server outside of last mile different path.
Third Party Alternate Path