Security level with RFC?

How much is the data secured when sent through RFC?
Is the RFC using any security protocol like https?
If we want to introduce the custom security to the RFC how to do that?
Thanks in advance.
Sounder

hey you can put Authorization in ur RFCs as far as i knw ,,, and then only the Authorized persons or Authorized system can access this RFC ... jst look out for the authorization objects
hope this will help,
bbye tac care
Ashwani

Similar Messages

4 security level with 2 FWSM contexts

Hello,
I have to implement a DC with two 6509, ACE and FWMS with only a default license for 2 VFW.
But the problem I have, is that I have 4 separate networks where I like to give a different security level.
I'm using the FWSM in transparent mode.
Any idea ? about using VRF ? ACE or something else ?
Suggestions will be appreciated.
Regards,
Omar

Hello Omar,
Although I'm not familiar with the ACE blade we do run 2 X 6509s with FWSMs.
In your case you could connect your 4 networks to a single context (VFW) since the max network connections per context is 8. You would create 4 BVIs (Bridge Virtual Interfaces.) Security levels in FWSMs don't have much meaning since you are required to specifically allow traffic to pass through the context regardless of which side of the BVI it comes from. By default no traffic flows at all. All traffic is filtered with ACLs.
You could also create a VRF on the 6509 that could act as a central or core routing point for your networks. (We do this for 18 separate contexts and call it the fusion VRF.) However you would only use a VRF if you wanted to keep the routing table isolated from the global table running on the 6509's.
Otherwise this is unnecessary.
If you chose to run the FWSMs in multiple context mode you could have two networks per context, still connect them to a fusion VRF, and also run an Active/Active FWSM configuration which allows you to do a type of load sharing along with failover. One context is active and one context is standby on FWSM A and on FWSM B the roles reverse. This shares active traffic across the FWSM blades.
Hope this brief description is helpful for you.
Simon

Help with asp ... security levels

I made a change to the security level for the end user. i add
a security feature by adding 12345 to their security level.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
'check to see if the page is submitted
Dim validLogin
Dim strErrorMessage
Dim intLevel
Dim sLevel
If (Request.Form("uname")<>"") Then
'user has submitted the form
'get the entered values and hit the database
Dim strUserName
Dim strPassword
'going to use an implicit connection, no connection object
needed
Dim objRS
strUserName = UCase(Request.Form("uname"))
strPassword = UCase(Request.Form("pwd"))
response.write("strUserName")
'prepare the RS
Set objRS = Server.CreateObject("ADODB.Recordset")
'set the sql statement
objRS.Source = "SELECT * FROM tblEmployee WHERE
strEmpUserName = '" & strUserName & "' AND strEmpPassword =
'" & strPassword & "'"
' heres the implicit connection
objRS.ActiveConnection =
"Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=c:\Inetpub\db\IMPCustomers.mdb"
objRS.CursorType = 0
objRS.CursorLocation = 3
objRS.Open
'check for EOF
If(objRS.EOF) Then
'no records matched, invalid login
Response.Redirect("invalidLogin.asp")
'strErrorMessage = "Invalid Login. Try Again."
validLogin = false
Else
'added intLevel to add more security on 3/29/07
intLevel = Cint(objRS("intEmpSecurityLevel"))
intLevel = intLevel + 12345
sLevel = intLevel
'valid login, set session variables
Session("username") = UCase(strUserName)
Session("userpass") = UCase(strPassword)
Session("sLevel") = sLevel
'Session("sLevel") = objRS("intEmpSecurityLevel") - changed
to add more security on 3/29/07
Session("fn") = objRS("strEmpFN")
'release the RS
Set objRS.ActiveConnection = Nothing
Set objRS = nothing
'redirect off this page
Response.Redirect("custSearch.asp")
End If
End If
%>
I'm now having trouble removing the 12345 from their security
level in the custSearch.asp.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
Dim strUserName
Dim strPassword
Dim intSLevel
Dim isum
Dim intS
Dim intNewSLevel
Dim sLevel
Dim strFN
Dim strErrorMessage
Dim strError
'get pass parameters
strUserName = Session("username")
strPassword = Session("userpass")
intSLevel = Session("sLevel")
'add on 3/29/07 for security
'get the security level
isum = sLevel
'take isum which contains sLevel and subtract 12345 from it
isum = isum - 12345
'now intS equals security level in the db
intS = isum
'put into a session
Session("intS") = intS
strFN = Session("fn")
strErrorMessage = ("strError")
'If strErrorMessage = "" Then
'strError = "There is no customer with that last name."
'End If
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="
http://www.w3.org/1999/xhtml">
<head>
<title>Employee Intranet - Customer Database, Search
for a particular customer.</title>
<meta http-equiv="content-type" content="text/html;
charset=utf-8" />
<link rel="stylesheet" type="text/css"
href="../css/pop_style.css" />
<link rel="stylesheet" type="text/css"
href="../css/forms.css" />
<style type="text/css">
/* HMTL selectors start here */
h2 {
margin-bottom:15px;
p {
margin-bottom:20px;
hr {
border:thin;
border-color:#CCCCCC;
border-style:dotted;
width:100%;
text-align:center;
table {
width:300;
align:center;
cellpadding:2px;
cellspacing:2px;
margin-left:30%;
td {
font-size:14px;
font-style:normal;
font-weight:normal;
border:0;
padding:0;
/* HMTL selectors start here */
/* ID selectors start */
#mainText {
height:400px;
font-family:Arial, Helvetica, sans-serif;
font-size:14px;
text-align:left;
margin-left:1%;
margin-right:1%;
padding: 10px 5px;
word-spacing:1px;
letter-spacing:1px;
/* id ends here */
</style>
<script language="JavaScript" type="text/JavaScript">

</script>
</head>
<body>

<script language="javascript" type="text/javascript"
src="../js/pop_core.js"></script>
<script language="javascript" type="text/javascript"
src="../js/pop_data.js"></script>

<div id="border">

<div id="secNavBar"><a
href="../index.htm">Home</a> | <a
href="../htm/quality.htm">Quality</a>
| <a href="../htm/contactUs.htm">Contact
Us</a> | <a
href="../htm/siteMap.htm"> Site
Map</a></div>

<div id="logo">
<img src="../art/NewLogo.jpg" alt="Logo of IMPulse NC,
INC." usemap="#Map" />
<map name="Map" id="Map">
<area shape="rect" coords="5,3,280,74"
href="../index.htm" alt="Return to home page" />
</map>
</div>

<div id="priNav">
<a id="home" name="home"
style="visibility:hidden;">Home</a>

</div>

<div id="mainText">
<h2>Customer Database </h2>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Welcome
<%=strFN%></p>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Please
search for a customer by using the fields below. You can use one
field or multiple fields for your search.</p>

<div id="signIn">
<div id="CSearch">
<table>
<form action="results.asp" method="post" name="search"
id="search">
<tr>
<td width="98" height="29">Last Name:</td>
<td width="150" tabindex="1"><input type="text"
name="clname" size="25" maxlength="25" /></td>
</tr>
<tr>
<td height="30">First Name:</td>
<td tabindex="2"><input type="text" size="25"
maxlength="25" name="cfname" /></td>
</tr>
<tr>
<td height="30">Company:</td>
<td tabindex="3"><input type="text" size="25"
maxlength="25" name="ccomp" /></td>
</tr>
<tr>
<td height="48" colspan="2" tabindex="4">
<input type="submit" name="login" value="Submit" />
<input type="reset" name="Reset" value="Reset" />
<a href="logOut.asp">
<input type="button" name="logOut" value="Log Out" />
</a> </td>
</tr>
</form>
</table>

</div>
<blockquote> </blockquote>

</div>

</div>
<div id="btm_Bar">
100 IMPulse Way • Mount Olive, North Carolina 28365
• Main (919) 658-2200 • Fax (919) 658-2268<br />
©2006 IMPulse NC, Inc. All Rights Reserved. </div>
</div>
<script language="javascript" type="text/javascript"
src="../js/pop_events.js"></script>

<script language="javascript" type="text/javascript">
document.search.clname.focus();
</script>

<%
Response.Write(Session("username")) & "<br />"
Response.Write(Session("userpass")) & "<br />"
Response.Write(Session("sLevel")) & "<br />"
Response.Write(Session("intS")) & "<br />"
%>
</body>
</html>
What am I doing wrong?

"pqer" <[email protected]> wrote in message
news:eugsik$kt5$[email protected]..
> What am I doing wrong?
1. You're allowing unfiltered user input into your SQL query.
I could do
some horrible damage to your system.
2. You have SELECT * in your query.
3. You're doing something that doesn't make any sense. Why
add a constant
to the security level just to subtract it again when you
actually want to
use it? You're just making more work for yourself. There is
no benefit
there.

SOAP Adapter with Security Levels - HTTP & HTTPS

We have a successfully working interface scenario where SAP XI is hosting a web service and the partner systems calling it using SOAP Adapter URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel with Security Level HTTP on the SOAP Sender Communication channel.
Going forward, for other similar interfaces (SAP XI hosting Web Service and partner systems calling it), we would like to use HTTPS and/or certificates.
If we enable HTTPS on XI J2EE server as per the guide How to configure the [SAP J2EE Engine for using SSL - Notes - PDF|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc]....
can partner systems still use the URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel or should they switch to https://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel?
can we continue to have the existing interface working using HTTP Security Level i.e. partners not having to send the certificate with each message?
If we use HTTPS security level, is it mandatory for the partner system need to send the certificate? Is it possible to have an HTTPS scenario w/o certificates?
What is the difference between Security Levels 'HTTPS Without Client Authentication' & 'HTTPS with Client Authentication'?
I appreciate your inputs on this.
thx in adv
praveen
PS: We are currently on SAP PI 7.0 SP17

Hi Praveen,
There is no need to change the interface and It is manditory for the partners to send certificates in order to validate each other. Use the https in url.
HTTPS With Client authentication:
The HTTPS client identifies itself with a certificate that is to be verified by the server. To validate the HTTPS clientu2019s certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the clientu2019s certificate, the server maps the certificate to an actual system user executing the HTTP request.
and check this link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
Regards,
Prasanna

Domain level security issue with InfoPath Form

I have followed the article “Submitting Data from InfoPath 2007 to a SharePoint List” which can be found at
http://msdn.microsoft.com/en-us/library/cc162745.aspx.
But instead I am using SharePoint and InfoPath 2010.
I get the following error after deploying and running the form with its security level set to domain.
“A query to retrieve form data cannot be completed because this action would violate cross-domain restrictions. If this form template is published to a SharePoint
document library, cross-domain access for user form templates must be enabled under InfoPath Forms Services in SharePoint Central Administration, and the data connection settings must be stored in a UDC file in a data connection library in the same site collection.
If this is an administrator-approved form template, the security level of the form must be set to full trust, or the data connection settings must be stored in a UDC file by using the Manage data connection files option under InfoPath Forms Services in SharePoint
Central Administration.”
How do I get this form working on the server and client using domain level security?
Extra Note: On an additional not the form works fine in SharePoint and InfoPath designer when the security level is set to Full Trust.

Hi, Is this possible over a SharePoint "LIST"? I'm hitting brick walls and can't set the Security level on my form at all. Everything that I'm reading refers to Document Libraries but nothing about SharePoint List. It seems that this should work over a list,
but I'm hitting brick walls all the way around. Here is a copy of the question that I posed below under Todd.Wilder's post:
Hi,
Following this forum question/comment I am attempting to set the security on my Infopath form to Full Trust. But, I don't have the Security and Trust option. I can set the Trusted Location through the Trust Center but I can't find anywhere to set security.
I am using InfoPath 2010. What am I missing? Everything that I'm reading says that this is the problem and my error message is exactly like SomeGuy's message. One more piece to this is...this is a form over an Existing SharePoint List. I've found that I can
see the Security if I start InfoPath and start a New Blank Form, but by editing the form from a SharePont list, the option to edit Security is not there. HELP!!
I am following the instructions below that come from:
http://msdn.microsoft.com/en-us/library/ee526352.aspx
The InfoPath form designer automatically selects the appropriate security level (either Restricted or Domain) based on the features that you are using in the form. The security setting is always as restrictive as possible, starting at Restricted, to help
ensure a greater level of protection for you and your data. Users can manually override this automated setting to select a level of security that is more appropriate for the form by following these steps:
Click the File tab, and then click Form Options on theInfo tab.
In the Categories list, click Security and Trust.
Uncheck the Automatically determine security level (recommended) check box.
Select the desired security level.
Thank you,
~Tina~
~Tina~

[svn] 977: Bug: BLZ-93 - When a producer sends a message to a secure destination with no credentials it causes a security exception to get logged with a log level of error .

Revision: 977
Author: [email protected]
Date: 2008-03-27 17:04:59 -0700 (Thu, 27 Mar 2008)
Log Message:
Bug: BLZ-93 - When a producer sends a message to a secure destination with no credentials it causes a security exception to get logged with a log level of error.
QA: Yes
Doc: No
Details:
Updates to catch-all exception logging hinge points on the server to use a new method on MessageException that protects against repeat logging of the same exception as we unwind the call stack on the server, as well as allowing exception subclasses to control the log level, intro text and inclusion of a full stack trace in the logged output. This allows things like SecurityExceptions, which represent common errors like incorrect user credentials, to avoid polluting the log with error-level logging and stack traces. It also consolidates our catch-all handling for MessageExceptions and their subclasses in a single point, avoiding problems with needing to make updates or tweaks to our logging output in multiple places.
Ticket Links:
http://bugs.adobe.com/jira/browse/BLZ-93
Modified Paths:
blazeds/branches/3.0.x/modules/common/src/java/flex/messaging/log/Log.java
blazeds/branches/3.0.x/modules/common/src/java/flex/messaging/util/ExceptionUtil.java
blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/MessageBroker.java
blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/MessageException.java
blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/endpoints/amf/MessageBrokerFi lter.java
blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/endpoints/amf/SuspendableMess ageBrokerFilter.java
blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/security/SecurityException.ja va
blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/services/ServiceException.jav a

One thing I forgot to add, which may be causing you
problems: the "mount volume" command is not part of
the Finder dictionary. It stands alone.
bill
Mac OS X
(10.4.10) 1 GHz Powerbook G4
I tried the mount command. After executing it in Script Editor, I was prompted with login and password, but it was my Keychain!
I don't know if you have your keychain unlocked or what else..
Maybe the original poster (Rick Anderson) has his keychain locked and the prompt is from it.
Just a guess...
Ciao,
Ermanno
Dual 2 GHz PowerPC G5 Mac OS X (10.4.9) 4.5 GBy SDRAM, 5 external FW disks, 2 Internal SATA disks

Use of Security Level on ASA with ACLs

Hi,
On my configuration, I'm using extended on the inbound of my 3 interfaces (inside,dmz,outside). I was wondering if there I should remove the security levels or if they are of any use since I have ACL in place already.

Hi,
After you have attached an ACL inbound to an interface it controls the traffic for networks behind that interface. So security-levels dont have a major role anymore.
Though you should consider that there are still situations where the "security-level" might come into the picture.
If you have identical "security-level" interfaces and you want to allow traffic between them then ACLs wont be enough but you also need to use the "same-security-traffic permit " format command to allow the traffic.
Atleast in software 8.2 there is still some limitations regarding NAT depending on the "security-level" of the source and destination of the interface. I think for example you need to do Dynamic NAT/PAT between interfaces you cant do this from lower to higher direction.
Best bet is to refer to your current software level Cisco documents. Both the Command Reference and Configuration Guide PDFs found online provide good information on these commands
Please rate if the information was helpfull and/or ask more questions if needed
- Jouni

Is PhoneFactor compliant with FIPS 140-2 Security Level 1?

Hi, I'm looking for a "hard token" two-factor authentication solution for a medical application. I have a firm external requirement that the hard token used must "meet FIPS 140-2 Security Level 1 for cryptographic devices."
Given that a cell phone is not a cryptographic device, per se, can I assume that use of PhoneFactor would not meet this requirement? Or would it?
Thanks,
-Dennis

Windows Azure Multi-Factor Authentication (formerly PhoneFactor) has not been FIPS 140-2 certified because FIPS 140-2 doesn't apply to the solution.
Has there been any updates on expanding Azure and getting it FIPS 140-2 certified?

ASA 5505 Interface Security Level Question

I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seem to be working with that. Guests are getting address on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
no shutdown
int Ethernet0/1
switchport trunk allowed vlan 1 5
switchport trunk native vlan 1
switchport mode trunk
no shutdown
below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end

Hi,
To my understanding they should not be able to connect to the more secure network IF you DONT have an interface ACL configured.
One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" looses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happend is that you have "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni

ORA-20100: AppDomain could not be created for the specified security level

We recently updated our development environment to Visual Studio 2010. We have previously deployed (with success) .Net stored procedures from Visual Studio 2005 to our Oracle 10gR2 database. I am currently trying to configure a local instance (called local) of Oracle 10gR2 database to test deployment of .Net stored procedures to Oracle 10gR2 via Visual studio 2010 and ODT version 11.2.0.1.2. I have built the demo from the ode developer guide and gotten as far as deploying it but executing the stored procedures from VS 2010 or SQL*Plus produces the following error...
ORA-20100: AppDomain could not be created for the specified security level
ORA-06512: at "SYS.DBMS_CLR", line 152
ORA-06512: at "SCOTT.GETDEPTNO", line 7
Here is what I have done.
(Server)
1. Installed oracle 10gR2 with ODE.Net
2. Installed Oracle 10gR2 patch set 22
3. Installed ODE upgrade from Oracle Developer Tools for Visual Studio .NET with Oracle 10g Release 2 ODAC 10.2.0.2.21
(Client)
4. Installed Oracle Developer Tools for Visual Studio .NET with Oracle 10g Release 2 ODAC 10.2.0.2.21 (In new client home).
5. Installed patch set 22 on 10g client home.
6. Installed Oracle 11g Release 2 ODAC 11.2.0.1.2 with Oracle Developer Tools for Visual Studio(in new 11g client home, only for VS 2010)
I have made some minor changes (GAC) etc. per the following threads...
ODE.NET 11.1.0.7.20 on 10g Database?!
Re: Error: System.TypeInitializationException
The database appears to be fully functional via TOAD - SQL plus etc. I can't find much on this error but it appears Oracle needs some permissions to launch an ASP.Net application that it does not have. Any help would be GREATLY appreciated, don't hesitate to ask for additional details.

The KB article is almost what we have apart from theitalic underlined
part
Consider the following scenario:
You use a domain administrator account to log on to a computer that is running Windows 7 or Windows Server 2008 R2.
You use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to connect to a domain controller.
You open the Properties dialog box of a user account.
The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
You set the Remote Desktop Services Home Folderattribute to the shared folder path.
NoteThis attribute is located on the
Remote Desktop Services Profiletab.
You click Apply or OK.
In this scenario, you receive the following error message:
The home folder could not be created because: The network name cannot be found.
Note If you click Apply or OK again, no error message is returned. However, the setting is not saved.
I think the important bit is
The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
We manually create the shares on our NAS and then just want to enter the path in the profile tab, I suppose the question is how to we stop it trying to create the shares ?

Assist , how do i allow hosts in inside segment to reach out segment and vice versa taking into account the security levels

ASA Version 7.0(8)
hostname BUJ-IT-ASA-LAN-2
domain-name leo.bi
enable password MgKXXPviZgW4zhKc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description connects ucom lan
nameif inside
security-level 100
ip address 192.168.0.13 255.255.248.0
interface Ethernet0/1
description out interface
nameif outside
security-level 0
ip address 192.168.254.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username UcomIT password Tx95VR7l4gIiavnh encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.248.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
Cryptochecksum:ba068a6f85d256ce9351d903c60873e5
: end

Hi,
Its success really depends on the rest of the network that I dont know about.
If you hosts that you are using to PING/ICMP through the ASA are connected to the same network as the ASAs interface then you will have to make sure that the hosts both have routes towards the other network.
Also if on the "outside" of the ASA there are additional networking devices then you have to configure default route on the ASA also as mentioned in the other discussion.
route outside 0.0.0.0 0.0.0.0
The above replys ACL was just an example of the configuration format. If you wanted to allow ICMP then you would also have to allow ICMP
access-list OUTSIDE-IN permit icmp 192.168.254.0 255.255.255.0 192.168.0.0 255.255.248.0 echo
I dont see anything else wrong with the ASA configuration related to ICMP other than possibly the lacking of default route and allowing the ICMP from the "outside" with the ACL "OUTSIDE-IN".
Go through the network setup from one host to the other. On each step confirm that that device has route towards both of the networks. Otherwise the devices will naturally not be able to forward the ICMP messages from end to end.
- Jouni

Need to solve serious security problem with Oracle Reports URL

As mentioned repeatedly on this forum, Oracle Reports allows serious security breaches that allow users to see reports that they did not generate -- it's easy to guess a legal URL by changing the getjobid parameter.
I've reviewed the JavaDocs to part of the rwrun.jar file and reviewed some of the example report plugins. This shows promise in helping to solve this security problem but critical pieces are missing.
1) The javadocs are accurate for only 10g (9.0.4) but not correct for 10g (10.1.2+), which we are currently using. I need access to the updated version of this javadoc.
2) Even with the updated version of the JavaDoc, I haven't found a class from which to inherit that would give me the opportunity to generate random jobid values, which then would effectively prevent users from guessing other jobid values, and thereby gaining access to other's reports (which in our cases, may contain sensitive information.
3) We have found that we can send the parameter=value of EXPIRATION=1 which helps protect such information, but this requires that every program which invokes a report be modified to add this parameter. It would be far better for the report server to be configured to use a java class we write that inherits from some rwrun.jar class that would by default, add the EXPIRATION=1 parameter.

Hi,
Thanks for our replies. I will ask to an administrator about this security problem, now I know it depends of a security parameter.
But I would know if it could be possible to hide the technical name of the query in the url. It could improve the security level of our reports in a first time in this way.
Thanks a lot,
JW.

Safari cannot create secure connection with certain websites

I have OS X 10.10 with every available updates, and Safari's currently unable to 'establish secure connection' with some site I'm trying to connect, most disturbing being the whole Steam network (store/support.steampowered.com, steamcommunity.com, etc). IE (via Bootcamp), Chrome (both standalone and integrated into Steam client) and Firefox have no problem doing so.
Considering sometime before the in Steam browser indicated the site as insecure (a red lock icon with a cross, typically used to indicate bad cert) for a short time, and hearing of certs issued to gov agencies for man in the middle, I compared the cert for store.steampowered.com/login (which, in contrary to most content on that domain, forces a secure connection) and this discussions.apple.com. Well Firefox and IE do show a normal grey lock icon without organization name, and Chrome admits the website's ownership is unverified (in details, it says ownership is verified by the CA but there's no public verification record; the secure setting of that site has outdated, too) despite having Valve's name and green lock icon. So the cert could be a fake since it's an ordinary (I guess?) cert from a EV authority (DigiCert High Assurance EV CA-1 in this case). The certificate shown from Chrome is totally fine (not a single red cross in the chain), though.
Well there're other https resources Safari fails to create a secure connection with every now and then. I just forgot/ am unable to test them with other browsers (Sometimes it's not the page itself that can't be retrieved via https, but some resource it loads. Sadly I only know how to use Inspector in Safari, though I'm sure other browsers have similar functions, too). I suspect Safari just refuses such certificates (or the AES_128_CBC method maybe) while other browsers accept it. Is there an override for this?
Weird enough, https://ev-root.digicert.com/ has grey lock on Firefox and Safari. Seems overriding is the only workaround.
As a side note, my Safari freezes upon loading PayPal, being ir-responsive for tens of seconds on every activity such as clicking a link. For most of duration of the freeze no high CPU usage is monitored, though ocspd does sometimes take 50% or so, and the web process bursts into 100% immediately before unfreezing. Guess Yosemite has some issues with TLS on the system level.

This could be a complicated problem to solve, as there are several possible causes for it.
Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.
Step 1
From the menu bar, select
           ▹ System Preferences... ▹ Date & Time
Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the data and time shown (including the year) are correct, and correct them if not.
Check the box marked
          Set date and time automatically
if it's not already checked, and select one of the Apple time servers from the menu next to it.
Step 2
Triple-click anywhere in the line below on this page to select it:
/System/Library/Keychains/SystemCACertificates.keychain
Right-click or control-click the highlighted line and select
          Services ▹ Show Info
from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.
Repeat with this line:
/System/Library/Keychains/SystemRootCertificates.keychain
If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.
Step 3
Launch the Keychain Access application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
In the Keychains list, there should be items named System and System Roots. If not, select
          File ▹ Add Keychain
from the menu bar and add the following items:
/Library/Keychains/System.keychain
/System/Library/Keychains/SystemRootCertificates.keychain
Open the View menu in the menu bar. If one of the items in the menu is
          Show Expired Certificates
select it. Otherwise it will show
          Hide Expired Certificates
which is what you want.
From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled
          Secure Sockets Layer (SSL)
select
          no value specified
Close the inspection window. You'll be prompted for your administrator password to update the settings.
Now open the same inspection window again, and select
          When using this certificate: Use System Defaults
Save the change in the same way as before.
Revert all the certificates with non-default trust settings. Never again change any of those settings.
Step 4
Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.
Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select
          Help ▹ Keychain Access Help
from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.
Step 5
From the menu bar, select
          Keychain Access ▹ Preferences... ▹ Certificates
There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.
Step 6
Triple-click anywhere in the line of text below on this page to select it:
/var/db/crls
Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
          Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.
Restart the computer, empty the Trash, and test.
Step 7
Triple-click anywhere in the line below on this page to select it:
open -e /etc/hosts
Copy the selected text to the Clipboard by pressing the key combination command-C.
Launch the built-in Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:
# Host Database
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
127.0.0.1                              localhost
255.255.255.255          broadcasthost
::1                                        localhost
fe80::1%lo0                    localhost
If that's not what you see, post the contents of the window.

Changing Default Security Levels

I have several Windows 7 Enterprise machines that have already been deployed via image and need to lower the security settings for use on internal web based applications.
Is there an easy way to manipulate the configuration (a file) so that I may simply make the changes by overwriting the current configuration settings instead of, having to go to each device, opening the Java console, and changing the security settings that way?
I have attempted to login as the machine administration, make the changes on the Java console with the hopes this configuration would have migrated to all user profiles that log into the PC. Is there a "public profile" configuration file I can change and if so, what should I do.
Thank you in advance for the assistance

Create a "deployment.properties" file with the line "deployment.security.level=HIGH" (or what ever level you need that is supported by your version of Java) and save it in "C:/Windows/Sun/Java/Deployment/" (assuming windows client device).
More in depth info found below:
Deployment Configuration File and Properties

Security Level Medium is not working for PO initial version

Hi ,
    We have maintained security level as Medium in Purchaser user personalization. In order to restart the PO SAVED event workflow only there is a value changed while the PO is awaiting for approval.. Here is the scenario and how the start condition maintained for PO - WS 14000145 - SAVED event.
Start condition maintained for event SAVED for WF template WS14000145 as below
&_EVT_OBJECT.POTotalValue& GE 0.00
Security level(BBP_WFL_SECURITY) maintained as Medium in personalization of SU01.
my requirement is when the PO create first time ( Initial Version ) and route for approval. Three level approval is determined for the PO and first approval approved. while the PO is awainiting for second level of approval the purchaser changed the quantity. based on above start condition my expectation is , the PO has to restart and route from beginning. but that is not happening. when i see the approval preview the approval path shows the workitem is waiting in second level of approval.
I tried the below start conditions also
&_EVT_OBJECT.SimpleListOfChanges&CE TOTAL_VAL, but no result..
What is the Medium functionality?
here is the help i found from help.sap.com, but i am not clear about this..
MEDIUM It is possible to change the document The system evaluates the workflow start conditions and starts the approval workflow again if the change necessitates a new approval If this is not the case, the approval workflow continues.
Regards,
John

Hi John,
The security level works differently for PO's.
In the function 'BBP_PDH_WFL_CHECK_RESTART is a desription how the
system should work:
The workflow will be RESTARTED in the following cases:
a) One has a standard workflow with the usual type of approval (not a
   'back&forth' one). It will always be restarted independent on the
   authorization levels of the user and whether the user is a PO
   creator or not;
b) One has the 'back&forth' type of approval but the user reordering
   the PO is not the PO creator (this could be another purchaser from
   the same purchasing group);
c) It is the 'back&forth' type of approval and the user reordering the
   PO is the PO creator but he has the authorization levels that are
   less then 2, i.e '0'(not defined') or '1' (no changes allowed);
That means the security level must be below '2' to force a restart.
I hope that this clarifies how the system is working.
Kind regards,
Siobhan

Security level with RFC?

Similar Messages

Maybe you are looking for