NVGRE Gateway Security and Firewalls?

Hi,
I am setting up a Hyper-V NVGRE gateway on Windows Server 2012 R2. From what I have read, the gateways have 3 NICs, with one interface dedicated to public IP addresses, but I haven't been able to find any information about how the gateways are secured.
Can they be protected behind hardware firewalls?
Are they already secured at the time of install out of the box?
Do we have to use and configure the windows firewall on the gateway for protection?
Any best practice out there, real-life experience / examples or some documentation on this subject? I am struggling.
Many thanks in advance.
Microsoft Partner

Hi,
I have written some blog posts on hyper-v.nu about the NVGRE gateway.
My recommendations:
Put the gateway Hyper-V host and the GW VMs in a separate domain.
Connect the GW VMs directly to the internet.
Enable the Windows Firewall. Look after the Network Connection Profile, as there are different rule sets for the Private, Public and Domain profiles. Make sure the external interface is marked with the Public profile. If you use the toolkit I created for GW deployment, it is configured for you.
If your company policy doesn't allow connecting directly to the internet, put a firewall in front, but transparently, or create a public subnet behind that firewall so your GW VMs have public IPs.
Only use inspection on the traffic (IDS), don't block it; if you really need to, create a common allow list for regular ports. Otherwise tenants need to open service requests at your helpdesk to open ports whenever they want to publish an application via a NAT rule.
Since you put the hosts and GW VMs in a separate domain, you have separated them from your management domain, which in my view is the best practice.
Use 3rd-party NVGRE gateway vendors, like the F5 BIG-IP that Boudewijn mentioned.
Best regards, Mark Scholman. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
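The profile check Mark describes, as an added example (this is not code from the post or from the hyper-v.nu toolkit). It is run in an elevated PowerShell on the gateway VM and assumes the internet-facing adapter is aliased 'External'; verify the alias with Get-NetAdapter first. Steps 1 and 2 confirm and enforce the Public profile on that adapter, step 3 turns the firewall on for all three profiles with inbound blocked by default and drop logging on Public, and step 4 lists every inbound allow rule that is live on the Public profile, which is the list you should be able to justify line by line on an internet-facing gateway.

```powershell
# Added example, not code from the original post or from the hyper-v.nu toolkit.
# Run in an elevated PowerShell on the gateway VM (Windows Server 2012 R2).
# Assumption: the internet-facing adapter is aliased 'External'; check with Get-NetAdapter.
$ExternalNic = 'External'

# 1. Show which profile Network Location Awareness put each adapter in. The
#    domain-facing adapters should report Domain, the external one Public.
Get-NetConnectionProfile | Format-Table InterfaceAlias, NetworkCategory, IPv4Connectivity -AutoSize

# 2. Force the external adapter into the Public profile. NLA only lets you move
#    an adapter between Private and Public; Domain is assigned automatically when
#    a DC is reachable, so this only works because the external NIC has no path
#    to the domain (which is the point of the separate-domain design).
$current = Get-NetConnectionProfile -InterfaceAlias $ExternalNic
if ($current.NetworkCategory -ne 'Public') {
    Set-NetConnectionProfile -InterfaceAlias $ExternalNic -NetworkCategory Public
}

# 3. All three profiles on, inbound blocked by default, and dropped packets on
#    the Public profile logged so the IDS/SIEM has something to inspect.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Public -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall-public.log'

# 4. Review what is reachable from the internet: every enabled inbound allow
#    rule that applies to the Public profile, with protocol and local ports.
#    On a gateway VM this list should be short and every entry explainable.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    ForEach-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = "$($_.Profile)"
            Protocol  = $ports.Protocol
            LocalPort = ($ports.LocalPort -join ',')
        }
    } | Sort-Object Rule | Format-Table -AutoSize
```

Re-run step 1 after a reboot or a NIC re-plug: NLA re-evaluates the profile on every connection change, and an adapter that silently drops back to Private picks up the Private rule set instead of the Public one.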

Similar Messages

  • My iPhone won't restore. It is in DFU mode and when I try to restore I get an error 21 message. I have tried to reinstall iTunes and disable my security and firewalls. No luck. Apple says to send it in for a 348 buck hardware reset/fix. Any thoughts?

    I am open to trying anything. Until I plugged it into the computer I just kept getting an Apple symbol, then it would turn off; every five seconds it would light up then turn off. I'm on the Boost network and don't live near an Apple store. 3 hours away! Would a Telstra or Optus shop look at it? Or should I just send it to Apple and pay? It is 14 months old, my iPhone 5.

    Error 20, 21, 23, 26, 28, 29, 34, 36, 37, and 40
    These errors typically occur when security software interferes with the restore and update process. Use the steps to troubleshoot security software issues to resolve this issue. In rare cases, these errors may be a hardware issue. If the errors persist on another computer, the device may need service.
    Also, check your hosts file to verify that it's not blocking iTunes from communicating with the update server. See the steps under the heading "Blocked by configuration (Mac OS X / Windows) > Rebuild network information > Mac OS X > The hosts file may also be blocking the iTunes Store." If you have software used to perform unauthorized modifications to the iOS device, uninstall this software prior to editing the hosts file to prevent that software from automatically modifying the hosts file again on restart.

  • Any ideas for security and parental control software yet???

    Just received two of the touchpads from the fire sale and gave them to my kids, both under 10.  I am very interested in limiting the sites that can be accessed through the browser, as well as a few other things.  Has anyone found a practical means of doing this?  I'd hate to give up on this and switch it over to Android, especially since there is only Gingerbread available.  But, I just don't know what else I can do about these.  Any ideas? 
    Thanks!
    Post relates to: HP TouchPad (WiFi)

    Please take this post with a grain of salt. I don't claim to be a security and parental control software expert, but I have researched these solutions and have some personal experience with them. That being said, here's some ideas to get you started.
    As speedtouch mentioned, OpenDNS is a fantastic solution for website filtering. They have a great set of filters that can be customized and are one of the easiest systems to set up. Simply install an updater app on one of your desktop computers (or directly on your router if it's supported), configure your router to use their DNS servers, and you're good to go. I personally use this system myself and it works really well. The only downside in my experience is that there is not a temporary override system (at least, not in the free version that I use). An example of when this might be handy: my wife goes clothes shopping and looking at new bras. Every once in a while, a perfectly legitimate site might get blocked (in this case, probably something I don't want my kid looking at but perfectly fine for my wife). The option to "temporarily override the block" or "temporarily allow" the site would be nice, but it doesn't exist.
    Another FANTASTIC solution that I've used in the past is the Astaro Security Gateway. They have a free home version of their "Software Appliance" that goes above and beyond OpenDNS. I haven't used it in a while, but when I did it was able to not only filter web sites but also monitor Instant Messaging and other online activities. It's a bit more involved as you need your own hardware (I used an old computer with 2 network cards and stuck it in between my router and my broadband modem), but the results are pretty powerful.
    The downside to all these solutions, however, is that they will only work when the TouchPad is on your network. If they connect to a neighbor's network or if they go to a friend's house, all of these systems will be moot because they are completely bypassed. The only way to monitor that content from ANY network would be to install an application on the device itself and to my knowledge, none exist.

  • Using AX as wireless router, how to set up w/ security and airtunes on XP

    I previously had a Linksys wireless router. I just purchased an Airport express to use as the wireless router (and remove the Linksys router) as well as use the Airtunes functionality.
    After some trial and error, I have been able to wirelessly connect my computer to the AX on its own (the Linksys router is now unplugged and out of the equation). I can connect to the internet fine on my PC (XP Pro SP2).
    Trouble is, when I use the Network Setup Assistant, it shows the apple network listed, but it can't connect to it, no matter how many times I try, reboot my machine or reboot the AX. I've tried both the "setting up a new network" and "editing an existing network" option, and in each selection, after a few minutes of trying to connect to the network, I just get a failure message.
    If I try and use the Admin utility, nothing shows up in the left-hand list window, and when I Press re-scan, still nothing shows (it doesn't even appear to scan).
    I'm not sure what I'm doing wrong. I can't find simple instructions on how to set up the AX as the only wireless router for a PC and set up security and Airtunes (I'm assuming enabling airtunes is done in these applications, as I haven't seen anything about that yet either).
    Any ideas on how this is done with a PC? Much thanks!
    Dell 4500 series

    I have found the 'DHCP Reservations' option on the AirPort Extreme to be buggy.  I seem to remember it causing IP conflicts for some reason.  I think what I remember is that if the computer with the reservation was off, and the DHCP server then handed out that IP to another DHCP client, then there would be a conflict when the reserved IP computer was turned back on.  Maybe it was an issue in earlier versions of the AE or OS X as the case may be, and maybe it's been corrected, but I've never bothered using it again since the method I describe below has always worked without fail.  Also, I'm guessing DHCP Reservations would work fine if one manually enters IPs outside of the DHCP range but in the AE 'DHCP Reservation Setup Assistant' the IP options provided are within the DHCP range which to me makes no sense and increases the potential for IP conflicts.
    Here's what I do to setup a mixed environment of static and dynamic IPs on my network.  It works like a charm and does not require the DHCP server (beyond the distribution of dynamic IPs to hosts using DHCP).
    For machines on my network that are accepting services from the public network, I set them up with static IPs using the 'Manually' option (System Preferences/Network/Ethernet/Configure IPv4).  The settings for 'Router' IP address and 'DNS Server' IP address should both be set with your gateway/router LAN IP.  Use an IP address below or above the DHCP range of addresses (in AE/Internet/DHCP/DHCP Beginning & Ending Address).
    i.e. if my subnet is 10.0.1.1 and my DHCP range is 10.0.1.100 to 10.0.1.150, you could set the static IPs on your local hosts as 10.0.1.x where x = any number from 2 - 99 or from 151 - 200 as an example.
    All other machines and devices that do not require static routing are setup as DHCP clients and get a dynamic IP from the AE.  To me it's a simpler setup though it might take a little extra time to setup initially.
    John

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1) How is ASA CX different from other UTM solutions?
    2) How is dynamic application inspection of CX better than other inspection engines?
    3) What features or functionalities on the CX are available by default?
    4) What are the different ways we can run or install CX on the ASA platform?
    5) What VPN features are supported with multi-context ASA in the 9.x release?
    6) What are the IPv6 enhancements in ASA version 9.x?
    Request you to please provide your responses to them individually.
    Thanks.

  • NVGRE Gateway Cluster Problem

    Hello
    We have following setup:
    Management Hyper-V hosts running WAP, SPF and SCVMM 2012 R2 components
    Gateway Hyper-V host: single node gateway hyper-v host, configured as a single node cluster to be able to join extra hardware in the future
    this Hyper-V host runs 2 Windows Server Gateway VMs,configured as a failover cluster.
    The following script is used to deploy these windows server gateway VMs as a high available NVGRE gateway service:
    http://www.hyper-v.nu/archives/mscholman/2015/01/hyper-v-nvgre-gateway-toolkit/
    two tenant Hyper-V hosts running VMs which are using network virtualization
    The setup is completed successfully and when creating a tenant in WAP and creating VM network for this tenant using NAT, the VMs of this tenant are accessible and can access Internet using the HA Gateway cluster.
    The Gateway Hyper-V host and NVGRE Gateway VMs are running in a DMZ zone, in a DMZ Active Directory Domain.
    Management and Tenant Hyper-V hosts, incl all Management VMs, are running in a dedicated internal Active Directory domain.
    Problems start when we fail over the Windows Server Gateway service to the other VM node of the NVGRE Gateway cluster. We see in the lookup records on the Gateway Hyper-V host that the MAC address of the gateway record for tenants is updated with the new MAC address of the VM node running the gateway service.
    But in SCVMM, apparently, this record is not updated. The tenant hosts still use the old MAC address of the other Gateway VM node.
    When looking in the SCVMM database, we can also see that in the VMNetworkGateway table the record representing the gateway of the tenant still points to the MAC address of the PA network adapter of the other node of the NVGRE Gateway cluster, not to the new node on which the gateway service is running after initiating a failover.
    On the tenant hyper-v hosts, the lookup record for the gateway also points to the old node as well.
    When manually changing the record in the VMNetworkGateway table to the new MAC address, and refreshing the tenant hosts in SCVMM, all starts working again and the tenant VMs can access the gateway again.
    Anybody else facing this issue? Or is running a NVGRE Gateway cluster on a single Hyper-V node not supported?
    To be complete, the deployed VMs running the gateway service are not configured as HA VMs.
    Regards
    Stijn

    If I understand your post correctly you have a single Hyper-V host running 2 GW VMs. I think the problem is that when you deploy an HA VM Gateway cluster it wants to create a cluster resource (PA IP address) on the Hyper-V host as well. So when you run 2 Hyper-V hosts and 2 GW VMs and you move the active role to another host, it will move the Provider Address to the other Hyper-V host as well. I believe this is by design. You should also ask yourself why you are running 2 VMs in a cluster on the same node ;-)
    I would recommend using a 2-node Hyper-V host cluster (this is needed for the HA PA address, and not necessary for your GW VMs).
    Then run the deployment toolkit again. When that's done, take a close look at how the active node on the Hyper-V host has the corresponding PA assigned on that Hyper-V host. Then do a failover, refresh the cluster manager and take notice of the PA address that has moved along to the other Hyper-V host that is now the active one. It is difficult to explain in a couple of sentences, but I hope you have the opportunity to build the 2nd Hyper-V host as well and create a cluster.
    Side note: if you want to keep the existing VM Gateway cluster, remove all gateways from VM networks and remove the Gateway service from VMM. Then provision the second Hyper-V host, configure the cluster, live migrate 1 GW VM node to it, reconfigure the shared VHDX for quorum and CSV, and then add back the network service again. Don't try to leave it as a network service in VMM and move the VM to another node. It will not work on failover.
    Best regards, Mark Scholman.
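    A check for the symptom Stijn describes (tenant hosts still holding the old gateway MAC after a failover), as an added example that is not code from the thread or from the hyper-v.nu toolkit. It is run on a tenant Hyper-V host and assumes you know the tenant VM network's gateway address and have read the PA adapter MAC on the node that now owns the role with Get-NetAdapter; both values below are constructed placeholders. Tenants can reuse the same customer address in different virtual subnets, so the VSID is shown with each record.

```powershell
# Added example, not code from the thread or the hyper-v.nu toolkit. Run on a
# tenant Hyper-V host after a gateway failover to spot lookup records that still
# carry the MAC of the node that gave up the gateway role.
# Assumptions (constructed placeholders):
$GatewayCustomerAddress = '10.10.1.1'          # default gateway of the tenant VM network
$ActiveGatewayNodeMac   = '00-1D-D8-B7-1C-01'  # (Get-NetAdapter <PA NIC> on the active GW node).MacAddress

function ConvertTo-PlainMac {
    # Get-NetAdapter reports '00-1D-..' while lookup records use '001DD8..';
    # compare both as bare upper-case hex so formatting never masks a mismatch.
    param([string]$Mac)
    return ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

function Get-GatewayLookupRecordStatus {
    # One row per lookup record for the gateway CA; Stale = MAC differs from the active node.
    param([string]$CustomerAddress, [string]$ExpectedMac)
    $expected = ConvertTo-PlainMac $ExpectedMac
    Get-NetVirtualizationLookupRecord |
        Where-Object { $_.CustomerAddress -eq $CustomerAddress } |
        ForEach-Object {
            $recordMac = ConvertTo-PlainMac $_.MACAddress
            [pscustomobject]@{
                VirtualSubnetID = $_.VirtualSubnetID
                CustomerAddress = $_.CustomerAddress
                ProviderAddress = $_.ProviderAddress
                RecordMac       = $recordMac
                Stale           = ($recordMac -ne $expected)
            }
        }
}

$status = @(Get-GatewayLookupRecordStatus -CustomerAddress $GatewayCustomerAddress -ExpectedMac $ActiveGatewayNodeMac)
$status | Format-Table -AutoSize
if ($status | Where-Object Stale) {
    Write-Warning 'Lookup record(s) still point at the old gateway node; this host has not received updated policy from VMM.'
}
```

    If the script reports stale records after the failover, the host is still running on the policy VMM last pushed, which matches the VMNetworkGateway observation in the question; refreshing the host in VMM, as the original post describes, is what re-pushes it.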

  • How to resolve Issues while implement gateway security by using reginfo,secinfo?

    Hi,
    I want to implement gateway security using gw/reg_info, gw/sec_info and gw/reg_no_conn_info.
    So far I have created reginfo and secinfo files to allow all internal traffic and I kept gw/reg_no_conn_info=11, gw/acl_mode=1.
    reginfo
    ======
    #VERSION=2
    P TP=* HOST=local
    P TP=* HOST=internal
    P TP=* HOST=*.abc.com
    With the above setting I believe all the programs within the SAP system (including app servers), and also systems from domain abc.com, can register programs without having any issues.
    secinfo:
    ======
    #VERSION=2
    P TP=* USER=* USER-HOST=local HOST=local
    P TP=* USER=* USER-HOST=internal HOST=internal
    Similarly, as per the secinfo content, I believe that all the internal traffic can go without any issue within the SAP system.
    beside that I have activated gateway logging to find the rejecting connections if any.
    I have following questions:
    ===================
    1) As the reginfo and secinfo files are maintained, can I remove the gw/acl_mode=1 parameter?
    2) If I want to add a specific program to register from a 3rd-party system, suppose a program called "zram" from system "172.198.10.1", where am I supposed to add it? Do I need to add that IP to secinfo along with reginfo?
    3) When I set parameter gw/reg_no_conn_info=11, converted to binary it equals 00001011.
    What exactly does this mean, given the following definitions from note 1444282?
    1 1298433 Bypassing security in reginfo & secinfo
    2 1434117 Bypassing sec_info without reg_info
    4 1465129 CANCEL registered programs
    8 1473017 Uppercase/lowercase in the files reg_info and sec_info
    Does that mean 8+2+1 satisfies the above 3 lines except condition 4?
    4) I enabled gateway logging; how could I catch rejected connections from third-party systems?
    5) From simulation mode I got to know that it will satisfy the reginfo/secinfo restrictions and allow all other traffic. So what is the added advantage of this when activated?
    6) Are there any SAP native tools which help while preparing reginfo and secinfo files?
    Regards,
    Koteswararao.Davuluri(Koti).

    Hi,
    Here are the answers for questions 4 and 5.
    4) I enabled gateway logging; how could I catch rejected connections from third-party systems?
    SMGW -> Goto -> Expert Functions -> Logging
    In the above path, if you select Security -> (under that) -> Rejected access only, it should show you the connections getting rejected.
    5) For simulation mode you have 2 options. You can activate it directly from the above path. The other option: if you maintain gw/sim_mode = 1, that makes simulation mode permanent. But once all the entries are set in reginfo you have to disable simulation mode. With secinfo you will not have many problems.
    After doing steps 4 and 5 you can see rejected entries in the gateway log.
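    The first-match logic of reginfo/secinfo, as an added example that is not code from the thread or from SAP: an offline evaluator for the #VERSION=2 form used in the question ('P' or 'D', then space-separated KEY=VALUE pairs, comma-separated host lists, '*' as wildcard), so a candidate file can be tested against the registrations and connections you expect before simulation mode is switched off. It goes slightly beyond the question in that the same matcher handles both reginfo (TP, HOST) and secinfo (TP, USER, USER-HOST, HOST) selectors. Assumptions: the hosts behind the keywords 'local' and 'internal' are constructed below, ACCESS and CANCEL are carried along but not evaluated, and no name/IP resolution is done. The sample file is the question's reginfo plus the two lines question 2 is really asking for: an explicit permit for zram from the third-party host, and a final catch-all deny.

```powershell
# Added example, not code from the thread or from SAP. Offline first-match
# evaluator for reginfo/secinfo style ACL files (#VERSION=2 syntax).
$LocalHosts    = @('sapapp01.abc.com')                      # constructed: this gateway's own host
$InternalHosts = @('sapapp01.abc.com', 'sapapp02.abc.com')  # constructed: app servers of this SAP system

function Test-GwHostPattern {
    # 'local' and 'internal' are keywords; anything else is a wildcard pattern or literal host/IP.
    param([string]$Pattern, [string]$HostName)
    switch ($Pattern) {
        'local'    { return [bool]($LocalHosts    -contains $HostName) }
        'internal' { return [bool]($InternalHosts -contains $HostName) }
        default    { return [bool]($HostName -like $Pattern) }   # '*', '*.abc.com', '172.198.10.1'
    }
}

function ConvertFrom-GwAcl {
    # Parse reginfo/secinfo text into rule objects; blank lines and '#...' (incl. #VERSION) are skipped.
    param([string]$Text)
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $tokens = @($line -split '\s+')
        $rule = [ordered]@{ Action = $tokens[0].ToUpper(); Line = $line }
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            $k, $v = $tokens[$i] -split '=', 2
            $rule[$k.ToUpper()] = $v
        }
        [pscustomobject]$rule
    }
}

function Find-GwMatchingRule {
    # Rules are read top to bottom; the first rule whose every selector matches the request wins.
    param([object[]]$Rules, [System.Collections.IDictionary]$Request)
    foreach ($r in $Rules) {
        $ok = $true
        foreach ($key in $r.PSObject.Properties.Name) {
            if ($key -in 'Action', 'Line', 'ACCESS', 'CANCEL') { continue }   # not selectors
            $want = [string]$r.$key
            $have = [string]$Request[$key]
            if ($key -in 'HOST', 'USER-HOST') {
                $ok = [bool]@($want -split ',' | Where-Object { Test-GwHostPattern $_ $have })
            } else {
                $ok = $have -like $want
            }
            if (-not $ok) { break }
        }
        if ($ok) { return $r }
    }
    return $null
}

function Show-GwDecision {
    param([object[]]$Rules, [System.Collections.IDictionary]$Request)
    $hit  = Find-GwMatchingRule $Rules $Request
    $desc = @($Request.Keys | ForEach-Object { "$_=$($Request[$_])" }) -join ' '
    if ($null -eq $hit) { "$desc -> no explicit rule, gateway default applies" }
    else                { "$desc -> $($hit.Action)   via: $($hit.Line)" }
}

# The question's reginfo, plus an explicit permit for zram from the third-party
# host and a final catch-all deny so the outcome never depends on the implicit default.
$reginfo = @'
#VERSION=2
P TP=* HOST=local
P TP=* HOST=internal
P TP=* HOST=*.abc.com
P TP=zram HOST=172.198.10.1 ACCESS=internal CANCEL=internal
D TP=* HOST=*
'@

$rules = ConvertFrom-GwAcl $reginfo
Show-GwDecision $rules ([ordered]@{ TP = 'anyprog'; HOST = 'sapapp02.abc.com' })  # P via HOST=internal
Show-GwDecision $rules ([ordered]@{ TP = 'zram';    HOST = '172.198.10.1' })      # P via the zram line
Show-GwDecision $rules ([ordered]@{ TP = 'zram';    HOST = '172.198.10.2' })      # D via the catch-all
Show-GwDecision $rules ([ordered]@{ TP = 'other';   HOST = '172.198.10.1' })      # D via the catch-all
```

    Because the first match wins, the position of the zram line matters: placed after the catch-all deny it would never be reached. Feed the evaluator the hosts and programs you see in the rejected-access log from SMGW, and the rule reported in the 'via:' column tells you which line of the file needs changing.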

  • Comodo Antispam Gateway & Security Manager Walkthrough

    hi all,
    Michel from Comodo is hosting a short web demo of their Antispam Gateway & Security Manager.
    It is scheduled for Thursday, July 9th at 11am.
    I know the notice is quite short but if anybody is able to join in here is the link;
    https://global.gotomeeting.com/join/214089781
    -Super_J
    This topic first appeared in the Spiceworks Community

    Hi,
    Check this post:
    Solving the Gateway 20071 event
    http://michelkamp.wordpress.com/2012/01/05/solving-the-gateway-20071-event/
    and this: Event ID 21001 and 20057 on SCOM agents - duplicate SPN:
    http://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx
    Similar answer has been provided by DKTOA Here:
    https://social.technet.microsoft.com/forums/systemcenter/en-US/05019b70-73a3-4a37-993b-66b607f3c222/scom-2012-gateway-server-isses-20057-21001-20071-ids
    Did it solve your problem?
    Regards
    Jure
    Jure Labrovic | Blog

  • Network Switch requirements behind a NVGRE Gateway

    Hello there,
    I'm looking forward to setting up a nice System Center 2012 R2 environment, with one major site where the infrastructure for System Center and the virtual machines resides. There are another 2 sites which will get an NVGRE gateway so I can have the same IP setup on both sites, matched to the deployed VMs. We will call the site where all the big hardware sits Site A; Sites B and C will only have an NVGRE gateway so that physical machines on Sites B and C can access their VMs with their locally assigned IP addresses and not what Site A is configured with.
    My question seems a bit silly but I haven't found any answer to this (neither in the Hybrid Cloud Guide nor anywhere else).
    If I deploy the following layout on all 3 sites (simplified), what features will the switch on the local site need? Any certain numbers like ARP entries or anything?
    Layout: [Hardware] ---- [Switch] ---- [NVGRE Gateway] ---- [ISP]
    My ISP has assured me I'm on full IPv4/6 dual stack and I can have an ASN on the site where the hardware is. The other two sites are simple ADSL IPv4 lines where the x86 commodity hardware NVGRE gateways will be set up. I understand that eBGP will not be possible with this kind of setup, but iBGP should be working?
    So do I need something like a Juniper EX-4200+ series switch on each site behind the NVGRE gateway, or will a basic L2(+ ?) switch do the job on the local networks, or do I need to watch out for some specific switch-supported features to get going?
    Thanks for your help in advance guys!

    So over 100 Views and no one can tell me if a simple L2 Switch will do on the local only fabric or not? Do I need a MS Support Case just to get a clarification on that?

  • NVGRE Gateway stops forwarding packets

    I've deployed an NVGRE gateway and added a virtual network using NAT and it works fine...
    ...for about 15 minutes, then everything stops. I have a ping running to an external IP address and it works fine when adding a NAT connection to the virtual network, but suddenly stops after approx 15 minutes. No events can be found on the guest VM, on the GW VM, on the gateway host or in SCVMM.
    Everything comes back to normal when removing the NAT connection and re-adding it.
    I have installed the hotfix 2918813 (http://support.microsoft.com/kb/2918813) on the GatewayVM but it doesn't change anything.
    Any ideas how to troubleshoot?

    If you have several default gateways configured on your virtualization gateways, it is important to configure metrics and eventually static routes.
    Just check this blog post to see if it is relevant: http://kristiannese.blogspot.no/2014/02/configuring-metrics-and-static-routes.html
    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )
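    The metric and static-route hygiene Kristian points at, as an added example (not code from his post or blog). It is run on the gateway VM and assumes the adapters are aliased 'External' and 'Management' and that the management network is 10.0.0.0/8 reached via 10.0.0.1; all of those are placeholders for this example. It lists every default route with the effective metric that decides which one wins, adds an explicit persistent route for the management network first (so management access survives the next step), and only then pins the interface metrics so the internet-facing adapter is the preferred default.

```powershell
# Added example, not from Kristian's post. Run on the gateway VM.
# Assumptions (placeholders): adapter aliases and the management prefix/next hop.
$ExternalNic    = 'External'
$ManagementNic  = 'Management'
$ManagementCidr = '10.0.0.0/8'
$ManagementHop  = '10.0.0.1'

function Get-DefaultRouteSummary {
    # One row per IPv4 default route: adapter, next hop, and the effective metric
    # (route metric + interface metric) that decides which default route is used.
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $if = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
            [pscustomobject]@{
                InterfaceAlias  = $_.InterfaceAlias
                NextHop         = $_.NextHop
                RouteMetric     = $_.RouteMetric
                InterfaceMetric = $if.InterfaceMetric
                Effective       = $_.RouteMetric + $if.InterfaceMetric
            }
        }
}

$defaults = @(Get-DefaultRouteSummary)
$defaults | Sort-Object Effective | Format-Table -AutoSize

if ($defaults.Count -gt 1) {
    Write-Warning "$($defaults.Count) default routes present; management traffic should use a static route, not a second default gateway."

    # 1. Reach the management network explicitly via its own adapter before touching
    #    metrics, so lowering that adapter's preference cannot cut off management access.
    #    PersistentStore keeps the route across reboots.
    if (-not (Get-NetRoute -DestinationPrefix $ManagementCidr -InterfaceAlias $ManagementNic -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $ManagementCidr -InterfaceAlias $ManagementNic `
            -NextHop $ManagementHop -PolicyStore PersistentStore
    }

    # 2. Pin the interface metrics: lower wins. Disabling the automatic metric is
    #    what stops Windows from recomputing them after a link-speed change.
    Set-NetIPInterface -InterfaceAlias $ExternalNic   -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 10
    Set-NetIPInterface -InterfaceAlias $ManagementNic -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 50

    @(Get-DefaultRouteSummary) | Sort-Object Effective | Format-Table -AutoSize
}
```

    If the management adapter gets its default gateway from DHCP, the second default route will come back on the next lease renewal; in that case remove the gateway from the adapter's IP configuration rather than relying on the metric alone.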

  • Gateway Security parameter

    Hi Team,
    My EWA report is showing red alert, as the sec_info & reg_info file is containing default entries(P TP=* etc).
    For a new system we can add the entries to the list easily, but what should be done for an existing system?
    Can anyone help me with what are the entries which has to be considered to be added in the sec_info & reg_info for an existing system?
    Please advise.
    Regards,
    Nivin

    EWA report will mention the SAP notes to be used for reference.
    You just need to read those SAP notes and configure the security files accordingly.
    Start with these
    1425765 - Generating sec_info reg_info
    1105897 - GW: reginfo and secinfo with permit and deny ACL
    1529849 - Gateway security setting in an SCS instance, AS Java
    1069911 - GW: Changes to the ACL list of the gateway (reginfo)
    https://help.sap.com/saphelp_nw73/helpdata/en/e2/16d0427a2440fc8bfc25e786b8e11c/content.htm
    Regards
    RB

  • Security and/or filtering error in data form creation

    Hi,
    I am getting this error when I am trying to preview my data form.
    This is the first time I am creating an application and data form in Hyperion.
    The data form is multicurrency and plan type is Plan1.
    Row:
    Account members: Descendants(Account)
    Column:
    Year:Descendants(FY10)
    Period:Descendants(YearTotal)
    Page Dimension(s)
    Entity:Descendants(Entity)
    Scenario:Current
    Version:BU Version_1
    POV:
    Currency:USD
    Disabled all options in "Other options" and not selected any business rules.
    When selecting preview data form I am getting below error:
    Security and/or filtering has resulted in a required dimension not being represented on this data form
    I have not selected any security/filter settings as of now. Please suggest whats causing this.
    Thanks,

    Hi Jake,
    I did what you suggested,but I am still getting same error.
    Here I would like to point out that. I have selected my application to support multicurrency, but 'HSP_RATES' does not come in Dimension selection drop down. I can see 'HSP_RATES' in Performance settings tab, but I cant see it in Dimensions tab or Evaluation order tab.
    Is this causing problem? Should I add it manually?
    Thanks,
    Rajni.

  • Securing file download with standard web security and ssl

    Hi,
    I want to put some files for download in my webapp. At the same time, I want to protect these files using standard servlet security and SSL. So I added <security-constraint> in my web.xml and configured Tomcat to allow SSL connections. Now I have the files protected as I expected. When I try to access the file directly from the browser, Tomcat shows me the login page. However, after a correct login, IE pops up an error saying something like "Internet Explorer cannot download XXX from XXX. The file could not be written to the cache.". The log file showed the following exception:
    javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1154)
         at com.sun.net.ssl.internal.ssl.AppInputStream.available(AppInputStream.java:40)
         at org.apache.tomcat.util.net.TcpConnection.shutdownInput(TcpConnection.java:90)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:752)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
         at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1443)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1407)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:64)
         at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:747)
         at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:403)
         at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:400)
         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:961)
         at org.apache.coyote.Response.action(Response.java:182)
         at org.apache.coyote.Response.finish(Response.java:304)
         at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:281)
         at org.apache.catalina.connector.Response.finishResponse(Response.java:473)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:738)
         ... 4 more
    Caused by: java.net.SocketException: Connection reset by peer: socket write error
         at java.net.SocketOutputStream.socketWrite0(Native Method)
         at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
         at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
         at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
         at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:663)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         ... 15 more
    I've tried separating the concerns, for example protecting the files but not requiring SSL, and enabling SSL but not protecting the files. Both work separately but not together. I also tried using download4j's DownloadServlet. Still doesn't work.
    Have any of you encountered the same situation? If so, could you enlighten me on what I did wrong? It may be just a simple SSL configuration or something. Thanks in advance!
    Jack

    My environment setup is:
    JDK 1.5.01
    Tomcat 5.5.7
    For downloading files, I just use plain old <a href> method. I simply right-click the link and choose "save target as...".
    Thanks,
    Jack

  • Secure and non-secure access to the web application in one war

    Say we have one web application (in one war) which includes JSP, servlets and the security intercepter. There is one business requirement to have most of the JSP(s) accessed via HTTPS, but a few JSP(S) accessed via HTTP.
    My questions are:
    a. Is this possible, or a reasonable requirement or a good practice?
    b. if yes, what can we do to make it happen in the security intercepter implementation?
    c. If not, what is the technical reasons?
    Thanks much.

    a) Yes, it is reasonable and good practice; there is an overhead to using HTTPS, so you should only encrypt the files you need to. When you use an online store, only account details / payments are HTTPS, the shop itself is HTTP.
    b) I don't really understand your difficulty. You can define a folder as 'secure' and put all your secure pages in this folder, leaving non-secure files in a different folder. Whenever a page in the secure folder is accessed, HTTPS is automatically invoked.

  • After AVG PC Tune up, software update message for security and stability update is available FireFox 3.6.18. Should I Update?

    My Dell laptop (Operating on Windows XP) was hit with multiple viruses - I could not open Mozilla Firefox or any other applications for that matter. After much time and many attempts, I was finally able to install and run an AVG Scan and then an AVG PC Tune up. 4,559 problems found and repaired. After the repairs, I received the following message:
    "Software Update - A security and stability update for Firefox is available: Firefox 3.6.18 - It is strongly recommended that you apply this update for Firefox as soon as possible. - an underlined link reading, "View more information about this update" and then 2 choices - "Ask Later" or "Update Firefox." Since part of the problem was with Firefox and some error messages pointed to that, I'm hesitant to click on any of the three options above. Can you help me to get past this error message, please. I am sending this from my home computer. Thank you. Diane

    Sometimes the updater gets in a funny state - Go to http://www.mozilla.org/en-US/firefox/new/ and download the full installer. Close Firefox and run the installer
