Part B: Secure LAW using ZPF

Implement ZPF on the LAW router. On the LAW router, configure ZPF using the following parameters:
• Zones: Create an inside zone named and an outside zone named
• ACL 100: Create an ACL 192.168.0.0/24 going to anywhere
• Class map: Identify the traffic to inspect using the class map name matching ACL 100
• Policy map: Create a policy map named to inspect the configured class map
• Zone pair: Create a zone pair named . Specify the source and destination zones that were created and the previously created policy map

Verify the ZPF configuration:
• From PC3: ping PC2. The pings should be successful.
• From PC2: ping PC3. The pings should not be successful.

Part C: Secure LAN Traffic Between R2 and BR1

Configure VPN settings on R2 and BR1. On R2 and BR1, configure reciprocating extended named ACLs called consisting of one ACE making the R2 LAN traffic (i.e., 10.1.0.0/16) and BR1 LAN (i.e., 172.16.1.0/24) traffic interesting.

IKE Phase 1 ISAKMP policy parameters:
• Policy number
• Encryption
• Authentication: Pre-share
• Diffie-Hellman group:
• Crypto key:

IKE Phase 2 IPsec policy parameters:
• Transform-set name
• Encryption
• Authentication

Crypto Map parameters:
• Crypto Map name: Use sequence number and identify it as an ipsec-isakmp map.

Verify VPN operation
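The following IOS configuration is an added worked example for Parts B and C, not part of the original post. The post leaves the zone, class map, policy map, zone pair, ACL, policy number, key and algorithm values blank, so every name, interface, peer address and algorithm below is an assumed placeholder chosen to show the structure the task describes.

```cisco
! Part B: ZPF on the LAW router (assumed names and interfaces)
zone security IN-ZONE
zone security OUT-ZONE
! ACL 100: 192.168.0.0/24 to anywhere
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
! Class map matches the ACL; policy map inspects that class
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 100
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
! Zone pair ties source zone, destination zone and policy together
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
! Interfaces must be placed in zones, otherwise the policy never applies
interface GigabitEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
!
! Part C: site-to-site IPsec on R2 (assumed peer 10.2.2.1, key, policy
! number 10, AES-256, DH group 5, SHA; BR1 mirrors this with the ACL reversed)
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 172.16.1.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key VPN-PSK-PLACEHOLDER address 10.2.2.1
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.2.2.1
 set transform-set VPN-SET
 match address VPN-ACL
interface Serial0/0/0
 crypto map VPN-MAP
! BR1 interesting-traffic ACL (the reciprocal ACE)
! ip access-list extended VPN-ACL
!  permit ip 172.16.1.0 0.0.0.255 10.1.0.0 0.0.255.255
! Verify: show crypto isakmp sa / show crypto ipsec sa after a LAN-to-LAN ping
```

On the ZPF router, the return pings from PC2 to PC3 fail because no zone pair exists from OUT-ZONE to IN-ZONE, so only replies to inspected inside-to-outside sessions are admitted.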
See below;
Step-by-step explanation
You must register two SPNs for the user running the service: one with the hostname and one with the fully
qualified domain name.
If you are running the service under a network user service account, you must register the two SPNs for each
computer running this service.
This is the Milestone SPN naming scheme:
VideoOS/[DNS Host Name]:[Port]
VideoOS/[Fully qualified domain name]:[Port]
The following is an example of SPNs for the recording server service running on a computer with the following
details:
Hostname: Record-Server1
Domain: Surveillance.com
SPNs to register:
VideoOS/Record-Server1:7609
VideoOS/Record-Server1.Surveillance.com:7609
• Encrypt your recordings
Milestone recommends that you secure your recordings by enabling at least Light encryption on your
recording servers' storage and archives. Milestone uses the AES-256 algorithm for encryption. When
you select Light encryption, only a part of the recording is encrypted. When you select Strong
encryption, the entire recording is encrypted.
• Secure the network
Milestone recommends that you select cameras that support HTTPS. It is recommended that you set
the cameras on separate VLANs and use HTTPS for your camera to recording server communication.
It is recommended that XProtect Smart Clients and XProtect Smart Walls are on the same VLAN as the
servers.
Use a VPN encrypted network or similar if using Smart Client or Smart Wall from a remote location.
• Enable and document the intended retention time
According to Article 4(1)(e) of the GDPR, recordings must not be retained longer than necessary for the
specific purposes for which they were made. Milestone recommends that you set the retention time
according to regional laws and requirements, and in any case, to set the retention time to a maximum
of 30 days.
• Secure exports
Milestone recommends that you only allow access to export functionality for a select set of users that
need this permission.
Milestone also recommends that the Smart Client profile is changed to only allow export in XProtect
Format with encryption enabled. AVI and JPEG exports should not be allowed, because they cannot be
made secure. This makes export of any evidence material password protected, encrypted and digitally
signed, making sure forensic material is genuine, untampered with and viewed by the authorized
receiver only.
• Enable privacy masking - permanent or liftable
Use privacy masking to help eliminate surveillance of areas irrelevant to your surveillance target.
Milestone recommends that you set a liftable blurring mask for sensitive areas and in places where
person identification is not allowed. Then create a second role that can authorize the mask to be lifted.
• Restrict access rights with roles
Apply the principle of least privilege (PoLP).
Milestone recommends that you only allow access to functionality for a select set of users that need
this permission. By default, only the system administrator can access the system and perform tasks. All
new roles and users that are created have no access to any functions until they are deliberately
configured by an administrator.
Set up permissions for all functionality, including: viewing live video and recordings, listening to audio,
accessing metadata, controlling PTZ cameras, accessing and configuring Smart Wall, lifting privacy
masks, working with exports, saving snapshots, and so on.
Grant access to only the cameras that the specific operator needs to access, and restrict access to
recorded video, audio, and metadata for operators, either completely, or grant access to only the video,
audio, or metadata recorded in the past few hours or less.
Regularly assess and review roles and responsibilities for operators, investigators, system
administrators and others with access to the system. Does the principle of least privilege still apply?
Password Authentication Delay: C#
using System;
using System.Threading;
using System.Web;
// Range of the random delay in seconds (assumed values; the original fragment
// referenced minSeconds/maxSeconds without declaring them)
private const int minSeconds = 1;
private const int maxSeconds = 3;
private void AuthenticateRequest(object obj, EventArgs ea)
{
    HttpApplication objApp = (HttpApplication) obj;
    HttpContext objContext = (HttpContext) objApp.Context;
    // If user identity is not blank, pause for a random amount of time
    if (objApp.User.Identity.Name != "")
    {
        Random rand = new Random();
        Thread.Sleep(rand.Next(minSeconds, maxSeconds) * 1000);
    }
}
Password Authentication Delay: VB.NET
Imports System
Imports System.Threading
Imports System.Web
' Range of the random delay in seconds (assumed values; the original fragment
' referenced minSeconds/maxSeconds without declaring them)
Private Const minSeconds As Integer = 1
Private Const maxSeconds As Integer = 3
Public Sub AuthenticateRequest(ByVal obj As Object, ByVal ea As System.EventArgs)
    Dim objApp As HttpApplication
    Dim objContext As HttpContext
    Dim ran As Random
    objApp = CType(obj, HttpApplication)
    objContext = objApp.Context
    ' If user identity is not blank, pause for a random amount of time
    If objApp.User.Identity.Name <> "" Then
        ran = New Random
        ' Sleep once for a random number of seconds (the nested Next call in the
        ' original fragment picked a second random value and was a bug)
        Thread.Sleep(ran.Next(minSeconds, maxSeconds) * 1000)
    End If
End Sub