Network Security

November 12th, 2008

1. Evolving Internet Requirements:

Internet access has become vital to the normal operations of virtually every organization. In the 2003 UCLA Internet Report over 90% of all respondents rated the Internet as a moderate to extremely important source of information. Studies show it has enabled organizations to:

1. Greatly facilitate collaboration between employees, partners, suppliers and clients through vehicles such as email, file sharing and web conferences

2. Rapidly access information through on-line searching, databases and e-training

3. Inexpensively provide services to outside organizations through web sites, email distribution and on-line commerce applications

In summary, the Internet is used widely across most organizations, enabling them to increase productivity and the quality of services while decreasing costs. With this widespread adoption has come a change in user and management attitudes. Internet access is no longer a luxury; it is a mandatory business requirement. Unencumbered, transparent access is expected at all levels of the organization on a non-stop basis.

2. Current Security Risks:

Unfortunately the Internet has a dark side too. Just as it provides transparent access to numerous external resources for an organization, it can also provide external parties, not all of whom have good intentions, relatively easy access to the organization’s internal computers and information. All types of businesses are at risk. On a whim, in 2002 a 22-year-old hacker scanned the New York Times’ Internet gateways and was easily able to access numerous databases providing personal information on sources, employees and customers. Even highly sophisticated businesses like computer game maker Valve Software have experienced Internet breaches: Valve has had information and source code for pending product releases posted on the Internet, a breach that may have severe financial impact on the company. The diversity of methods used to malevolently access or attack organizations’ computers through the Internet is truly stunning. On top of this, inappropriate internal use of the Internet is also turning out to be a big issue. The following are some of the forms of abuse reported by IT managers to be of greatest concern:

Network Security Facts:

· The average cost of an external security breach in 2002: $226,000.

· The average cost of a virus infection in 2002: $81,000.

· The average cost of a DoS attack in 2002: $297,000.

3. Type of Attack, Description & Economic Implication:

Hackers: Hackers, or skilled programmers who find challenge in breaking into other people’s computer systems, were traditionally the greatest threat to organizations’ computer security. While they still pose a threat, widespread deployment of countermeasures such as firewalls has caused other, more sophisticated forms of malicious attack to emerge. (Note: the term hacker can also mean one who is proficient at using a computer for legitimate needs.) After breaking into a system a hacker may steal, delete or alter valuable data, programs or identities.

Malware: Malware (viruses, worms, etc.) consists of pieces of disguised code that are typically designed to cause an undesirable event, such as altering existing computer files or making the computer inoperable. It can be transmitted by disk, email or other communications vehicles. Because email usage is so prevalent and traditional security systems remain vulnerable to viruses, viruses are now one of the major security concerns of IT managers. 86% of all infections stem from email attachments. The cost of lost productivity, restoring damaged files and cleaning up viruses was a staggering $13.2 billion worldwide in 2001.

Spyware: Spyware is software that gathers information about a computer user and his or her web surfing habits without the user’s explicit knowledge or consent and reports this information over the Internet. Sensitive information can be stolen without the user even noticing.

Spam: Unsolicited commercial email messages (spam) are not created with the same malicious intent as threats like viruses, but are now having a negative economic impact of the same order of magnitude. Spam clogs networks, hogs disk space, and wastes countless hours of users’ time reading and dealing with the messages. The estimated cost to U.S. and European businesses in 2002 was $8.9 billion and $2.5 billion respectively.

Phishing: “Phishing” is a technique used by online criminals to steal passwords or other account information from Internet users. Phishers usually work by sending out spam email to large numbers of potential victims. These direct the recipient to a web page which appears to belong to their online bank, for instance, but in fact captures their account information for the phisher’s use.

Analyst firm Gartner estimates that phishing cost banks and credit card companies $1.2 billion in direct losses in 2004, and that 1.4 million computer users have suffered identity theft from these activities.

Denial of Service (DoS): A DoS attack is one in which the perpetrator deprives an organization of the use of a network resource (such as the email system or web site) by sending network traffic that exploits a weakness in the receiving system (for example, an inability to deal with a large number of email connection requests in a short time). The more sophisticated Distributed DoS attack utilizes a common exploit to first penetrate numerous widely dispersed systems, and then launches the attack from those systems, making it harder to detect and block. Since organizations depend upon these services to conduct business, the impact on revenues and productivity can be quite substantial.

Inappropriate Web Usage: Because Internet usage cannot be casually monitored, some individuals use it to access inappropriate material (pornography, hate material, copyrighted audio files) and conduct inappropriate activities (excessive personal business, etc.). Given the large number of employees with Internet access, there are clearly potential productivity issues associated with unrestricted usage. A growing concern is the associated legal issues: allowing the downloading of inappropriate material without controls can result in expensive lawsuits for a hostile workplace environment and copyright violations.

Insider Attacks: Although most attacks originate from outside the organization, internal attacks are not infrequent, especially those related to theft or destruction of proprietary information. Roughly half of such attacks originate internally. Disgruntled employees, as well as those seeking personal financial gain, have used their insider status to access, and sell or destroy, valuable company information. Insider attacks can be more harmful than attacks by outside hackers because of the knowledge the perpetrator has about the location and use of valuable data.

Reading and altering confidential data: Malicious hackers can read or even change proprietary and confidential information if it is transmitted over the Internet unprotected. Loss (disclosure) of confidential information can have a severe impact on any business.

4. Assessing the Risks

Clearly the Internet presents a variety of real threats to those connecting to it. The first question facing any organization with limited resources is: “Which, if any, of these threats is substantial enough to justify spending money and management attention on?” As a starting point, ponder the data from the annual survey conducted by the FBI and the Computer Security Institute. Results show that roughly 80% of organizations now cite the Internet as a source of frequent attacks, with the percentage experiencing frequent attacks growing steadily. Unfortunately not only is the volume of attacks increasing, but the variety and sophistication of attacks is also on the rise. A survey of IT leaders shows that the top five forms of breaches (successful attacks) had been experienced by 63% to 82% of IT leaders surveyed in 2002! The statistics for unintentionally harmful threats are equally substantial. Consider:

1. 46% of all email today is spam.

2. In 2002, 60% of surveyed employees with Internet access reported they use the web to conduct personal business, while 57% reported they use email for personal transactions.

Clearly this data shows that every organization, no matter what its size, has reason to believe that it will be subject to a significant variety of Internet-based threats. The economic impact of such threats is more difficult to quantify because it varies depending upon the type of organization (business, non-profit, etc.), the nature of the breach, salaries and so forth. But some of the general statistics available do provide an idea of the magnitude of the impact:

1. The average cost of an external security breach was reported to be $226,000 in 2002 according to the FBI/CSI survey of 503 organizations.

2. DoS attacks cost $297,000 on average.

3. The average cost of a serious virus infection (25 or more PCs) was reported to be $81,000 in the 2002 ICSA survey.

4. Damages in lawsuits for hostile work environments have ranged from $25,000 to multiple millions of dollars.

5. Security Solutions:

Just as different forms of attack emerged separately over time, so have a variety of corresponding point security solutions. Major solutions currently being deployed include:

Firewall: A device that is placed at the point where the Internet enters a facility, controlling network traffic for security purposes. It examines all inbound and outbound traffic, permitting only traffic meeting predetermined criteria to pass. This allows unsolicited traffic from hackers (including DoS attacks) to be blocked, while maintaining transparent Internet access for employees and customers. Firewalls that incorporate application proxies can block some forms of attack disguised as legitimate traffic and perform other security and inspection functions. To minimize internal threats, firewalls can also be used to segment an internal network.

Intrusion Detection and Prevention (IDS/IPS)

An application which scans traffic coming from the outside to detect malicious code hidden within the traffic. The common detection method uses signatures of known attacks which are stored in a database and updated regularly. A second method to detect possibly illegitimate traffic is “anomaly detection”, which checks the traffic against the normal traffic habits of the network. If malicious or abnormal traffic is detected the application can inform the administrator (intrusion detection) or even block the traffic immediately (intrusion prevention).

Virus (Malware) Protection

A form of computer program that searches targeted software, such as email and attachments, for known or potential malware such as viruses. Two forms of protection are commonly available:

1. Host-based scanners: Installed on every computer in the organization, including mail servers and desktop PCs, they scan each file received or sent from that system.

2. Gateway-based scanners: These reside on a single computer (or gateway appliance) that sits at the Internet’s point of entry to an organization, scanning all inbound and outbound email and attachments.

Ideally an organization should install both forms of protection to add an extra layer of security. However, if budgets are limited, the perimeter approach is easier to administer, more secure and more cost effective.

Spam Protection

One or more electronic filters, each using a particular detection technique, which together work to identify and block spam. Common techniques include:

1. Real-time black hole list: Utilizes one of the publicly available lists, constantly updated with the addresses of known spammers, to block messages. The list is accessed via the Internet by the filter.

2. Sender verification: The spam protection program verifies the sender’s legitimacy by contacting the transmitting server or using DNS for verification.

3. Header analysis: Email headers are checked for false or altered information and addresses with invalid characters.

4. Heuristics: The program rates incoming mail on its match with common spam characteristics, and allows a threshold to be set.

5. Greylisting: Unknown mail servers are asked to resend messages before they are accepted (spammers typically don’t resend their emails).

6. Whitelist and blacklist: Allows the administrator to list email sources known to be legitimate and illegitimate.

7. URL scanning: URLs within emails are checked against a database of known spam URLs.

Again, spam protection can be deployed on each desktop or at the perimeter. Perimeter protection is more effective from an administrative and cost perspective.

Phishing Protection:

Nowadays normally a part of spam protection, in order to filter phishing email. More advanced phishing protection also uses URL filtering, so even if a phishing email is not stopped by the spam filter, the URL filter mechanism will block access to the URL contained therein if it is identified as a known phishing website.

Surf Protection (URL Filtering)

A computer program which typically:

1. Monitors web traffic to allow analysis of utilization.

2. Places web pages into categories meaningful for blocking (e.g. pornography sites, gambling sites, phishing, etc.).

3. Provides a means of establishing rules for blocking categories.

4. Blocks and notifies users when they attempt to access a prohibited page, and logs the blocking for management action.

Also called surf protection, web blocking or content filtering.

VPN (Virtual Private Networks)

Computer software residing at both ends of a remote communications connection that enables the establishment of secure virtual tunnels through a shared public infrastructure such as the Internet. VPNs provide the security benefits of private lines with the cost structure of public networks.

Email Encryption

Software that allows encryption/decryption of email communication to prevent eavesdropping on, or alteration of, critical communication by third parties. In addition, digital signatures provide a means to authenticate the email sender. Email encryption is typically deployed at the desktop; however, due to the complexity of the required key/certificate handling, it is only suitable for experienced users. Again, perimeter protection is more effective from an administrative and cost perspective and is the best alternative for making email encryption available to small and medium enterprises.

IM & P2P Control

Tools that allow administrators to monitor and restrict the usage of instant messaging and peer-to-peer applications that might put their network, reputation and finances at significant risk from viruses and malware.

6. Next Generation Solutions: The Integrated Network Security Platform

To overcome these issues, and meet the needs of today’s resource-constrained organization, a security solution should have the following attributes:

1. Include protection from all the most common threats by providing firewall, intrusion detection and prevention, virus protection, URL filtering, VPN, spam protection and spyware protection functionality at a minimum.

2. Provide world-class solutions to each threat. Security is only as strong as the weakest link.

3. Run on a single hardware platform, which can be upgraded as traffic volume increases without having to scrap the investment in the existing solution.

4. Install all components, including a security-hardened operating system, from a single CD. Alternatively it should come pre-installed on the hardware.

5. Share configuration information among all components to reduce administrative effort and errors.

6. Provide a common management interface for all security functions, and further minimize administrative labor and training needs by using a point-and-click paradigm.

7. Be designed as a software platform, so that as new threats arise they can be integrated without requiring the existing solution to be scrapped.

8. Provide automatic updates of all security and operating system functionality through a single Internet source, minimizing operating costs and security gaps.

There is broad recognition of these needs from analysts such as Gartner and Yankee Group, as well as many in the vendor community. However, significant obstacles exist for existing solution vendors in meeting these needs:

· Unless a product is specifically designed as an integrated security platform, with thought given to how different security applications are integrated at the user interface, configuration and run-time levels, it is quite difficult to “add” an additional security function in an effective, seamless manner.

· Products tied to specific hardware platforms are impeded by the fact that new software functions alter the processing, memory and storage requirements of the hardware, typically requiring a new platform.

· No single vendor has the resources or the specialized skills to provide world-class solutions to the variety of threats to be addressed. The problem requires a new approach.

Firewall Policy

November 11th, 2008

The Firewall Policy configuration section is the “heart” of the firewall. The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall. The policies also regulate how bandwidth management (traffic shaping) is applied to traffic flowing through the WAN interface of the firewall.

When a new connection is being established through the firewall, the policies are evaluated, top to bottom, until a policy that matches the new connection is found. The Action of the rule is then carried out. If the action is Allow, the connection will be established and a state representing the connection is added to the firewall’s internal state table. If the action is Drop, the new connection will be refused. The section below will explain the meanings of the various action types available.

Action Types

·         Drop – Packets matching Drop rules will immediately be dropped. Such packets will be logged if logging has been enabled in the Logging Settings page.

·         Reject – Reject works in basically the same way as Drop. In addition to this, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet was a TCP packet, a TCP RST message. Such packets will be logged if logging has been enabled in the Logging Settings page.

·         Allow – Packets matching Allow rules are passed to the stateful inspection engine, which will remember that a connection has been opened. Therefore, rules for return traffic will not be required as traffic belonging to open connections is automatically dealt with before it reaches the policies. Logging is carried out if audit logging has been enabled in the Logging Settings page.

Source and Destination Filter

·         Source Nets – Specifies the sender span of IP addresses to be compared to the received packet. Leave this blank to match everything.

·         Source Users/Groups – Specifies if an authenticated username is needed for this policy to match. Either make a list of usernames, separated by commas, or write Any for any authenticated user. If it’s left blank there is no need for authentication for the policy.

·         Destination Nets – Specifies the span of IP addresses to be compared to the destination IP of the received packet. Leave this blank to match everything.

·         Destination Users/Groups – Specifies if an authenticated username is needed for this policy to match. Either make a list of usernames, separated by commas, or write Any for any authenticated user. If it’s left blank there is no need for authentication for the policy.

Service Filter

Either choose a predefined service from the dropdown menu or create a custom service.

The following custom services exist:

·         All – This service matches all protocols.

·         TCP+UDP+ICMP – This service matches all ports on either the TCP or the UDP protocol, as well as ICMP.

·         Custom TCP – This service is based on the TCP protocol.

·         Custom UDP – This service is based on the UDP protocol.

·         Custom TCP+UDP – This service is based on either the TCP or the UDP protocol.

Custom source/destination ports

For many services, a single destination port is sufficient. The source port is most often all ports, 0-65535. The http service, for instance, uses destination port 80. A port range can also be used, meaning that a range 137-139 covers ports 137, 138 and 139. Multiple ranges or individual ports may also be entered, separated by commas. For instance, a service can be defined as having source ports 1024-65535 and destination ports 80-82, 90-92, 95. In this case, a TCP or UDP packet with the destination port being one of 80, 81, 82, 90, 91, 92 or 95, and the source port being in the range 1024-65535, will match this service.
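The top-to-bottom first-match evaluation and the Allow/Drop/Reject actions described under Action Types, together with the comma-separated port ranges above, modelled in Python as an added example (illustrative code written for this page, not D-Link firmware; the policy names, address ranges and packets are constructed, and the default drop when no policy matches is an assumption):

```python
"""Added example (not D-Link code): a model of the DFL-700 policy evaluation
described above: custom services with comma-separated port ranges ("1024-65535",
"80-82, 90-92, 95"), first-match evaluation of Allow/Drop/Reject policies, and the
state table that lets return traffic bypass the policies. All values are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

PortRanges = List[Tuple[int, int]]


def parse_ports(spec: str) -> PortRanges:
    """Turn '80-82, 90-92, 95' into [(80, 82), (90, 92), (95, 95)]."""
    ranges: PortRanges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def port_in(port: int, ranges: PortRanges) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0    # 0 for ICMP, which has no ports
    dport: int = 0


@dataclass
class Service:
    """Custom TCP / UDP / TCP+UDP service; source defaults to all ports 0-65535."""
    name: str
    protocols: Set[str]
    dst_ports: PortRanges
    src_ports: PortRanges = field(default_factory=lambda: [(0, 65535)])

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto not in self.protocols:
            return False
        if pkt.proto == "icmp":
            return True
        return port_in(pkt.sport, self.src_ports) and port_in(pkt.dport, self.dst_ports)


@dataclass
class Policy:
    name: str
    action: str                    # "Allow", "Drop" or "Reject"
    service: Service
    src_net: Optional[str] = None  # blank matches everything, as in the manual
    dst_net: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        return self.service.matches(pkt)


class Firewall:
    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies
        self.state: Set[Packet] = set()  # open connections, keyed by 5-tuple

    def handle(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, matched policy). Verdicts: Allow, Drop, Reject:<response>."""
        # Return traffic of an open connection is handled before the policies.
        reply = Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reply in self.state:
            return "Allow", "existing connection"
        for p in self.policies:  # top to bottom, first match wins
            if not p.matches(pkt):
                continue
            if p.action == "Allow":
                self.state.add(pkt)
                return "Allow", p.name
            if p.action == "Reject":  # Drop plus a notification to the sender
                resp = "TCP RST" if pkt.proto == "tcp" else "ICMP UNREACHABLE"
                return f"Reject:{resp}", p.name
            return "Drop", p.name
        return "Drop", None  # assumption: no matching policy means drop


# Constructed table: the web service from the text may reach a DMZ net, anything
# else aimed at the DMZ is rejected, everything else is silently dropped.
WEB = Service("custom-web", {"tcp"}, parse_ports("80-82, 90-92, 95"), parse_ports("1024-65535"))
ANY = Service("All", {"tcp", "udp", "icmp"}, parse_ports("0-65535"))
RULES = [
    Policy("dmz-web", "Allow", WEB, dst_net="192.0.2.0/24"),
    Policy("dmz-reject", "Reject", ANY, dst_net="192.0.2.0/24"),
    Policy("drop-rest", "Drop", ANY),
]
```

Calling `Firewall(RULES).handle(...)` on an inbound packet and then on its reply shows why no explicit rule for return traffic is needed.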

Schedule

If a schedule should be used for the policy, choose one from the dropdown menu; schedules are specified on the Schedules page. If the policy should always be active, choose Always from the dropdown menu.

Intrusion Detection / Prevention

The DFL-700 Intrusion Detection/Prevention System (IDS/IDP) is a real-time intrusion detection and prevention sensor that identifies and takes action against a wide variety of suspicious network activity. The IDS uses intrusion signatures, stored in the attack database, to identify the most common attacks. In response to an attack, the IDS protects the networks behind the DFL-700 by dropping the traffic. To notify of the attack, the IDS sends an email to the system administrators if email alerting is configured. D-Link updates the attack database periodically. There are two modes that can be configured, Inspection Only or Prevention. In Inspection Only mode the DFL-700 will only inspect the traffic; if it sees anything suspicious it will log it, email an alert (if configured) and pass on the traffic. If Prevention is used, the traffic will be logged and dropped, and an email alert will be sent if configured.

Traffic Shaping

Traffic shaping works by measuring and queuing IP packets in transit with respect to a number of configurable parameters. Differentiated rate limits and traffic guarantees based on source, destination and protocol parameters can be created, much the same way firewall policies are implemented.

There are three different priorities when configuring traffic shaping: Normal, High and Critical.

Limit works by limiting the inbound and outbound traffic to the specified speed. This is the maximum bandwidth that can be used by traffic using this policy. Note however that if you have other policies using Limit whose total is more than your total Internet connection, and have configured the traffic limits on the WAN interface, this limit is sometimes lowered to allow traffic with higher priorities to have precedence.

By using Guarantee, you can guarantee a minimum bandwidth to a policy. This will only work if the traffic limits for the WAN interface are configured correctly.

Port mapping

The Port mapping / Virtual Servers configuration section is where you can configure virtual servers like web servers on the DMZ or similar. It is also possible to regulate how bandwidth management (traffic shaping) is applied to traffic flowing through the WAN interface of the firewall. Intrusion Detection / Prevention and traffic shaping can also be used on port-mapped services; this is done in the same way as on policies, so see that chapter for more information.

Users

User Authentication allows an administrator to grant or reject access to specific users from specific IP addresses, based on their user credentials.

Before any traffic is allowed to pass through any policies configured with usernames or groups, the user must first authenticate. The DFL-700 can either verify the user against a local database or pass the user information along to an external authentication server, which verifies the user and the given password and transmits the result back to the firewall. If the authentication is successful, the DFL-700 will remember the source IP address of this user, and any matching policies with usernames or groups configured will be allowed. Specific policies that deal with user authentication can be defined, thus leaving policies that do not require user authentication unaffected.

The DFL-700 supports the RADIUS (Remote Authentication Dial In User Service) authentication protocol. This protocol is heavily used in many scenarios where user authentication is required, either by itself or as a front-end to other authentication services.

RADIUS Support

The DFL-700 can use RADIUS to verify users against, for example, Active Directory or a Unix password file. It is possible to configure up to two servers; if the first one is down, the second server is tried instead.

The DFL-700 can use CHAP or PAP when communicating with the RADIUS server. CHAP (Challenge Handshake Authentication Protocol) does not allow a remote attacker to extract the user password from an intercepted RADIUS packet. However, the password must be stored in plaintext on the RADIUS server. PAP (Password Authentication Protocol) might be defined as the less secure of the two: if a RADIUS packet is intercepted while being transmitted between the firewall and the RADIUS server, the user password can be extracted, given time. The upside is that the password does not have to be stored in plaintext on the RADIUS server.

The DFL-700 uses a shared secret when connecting to the RADIUS server. The shared secret enables basic encryption of the user password when the RADIUS packet is transmitted from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to 100 characters, and must be typed exactly the same on both the firewall and the RADIUS server.
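As an added example, not D-Link or RADIUS server code, the following Python shows what the “basic encryption” of the user password under PAP amounts to per RFC 2865, and how a CHAP response differs; the shared secret, password, Request Authenticator and challenge are constructed values.

```python
"""Added example (not D-Link or any RADIUS server's code): the two credential
encodings described above as they appear on the wire, per RFC 2865.
PAP: User-Password is the cleartext XORed with an MD5 keystream keyed on the shared
secret (section 5.2), so it is reversible by anyone holding that secret.
CHAP: CHAP-Password = ident || MD5(ident || password || challenge) (section 5.3),
which is one-way, so the server needs the cleartext password to verify it.
The secret, password, authenticator and challenge below are constructed."""
import hashlib
import hmac

# Constructed sample values (a real Request Authenticator is 16 random bytes).
SECRET = b"constructed-shared-secret"
PASSWORD = b"correct horse battery"
AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes(range(16, 32))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret || c_(i-1)),
    where c_0 is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the next keystream depends on this ciphertext block
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: what the RADIUS server does. The only key is
    the shared secret, which is why its confidentiality and strength matter."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the NUL padding


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 s5.3 / RFC 1994: CHAP-Password = ident || MD5(ident || password || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP ident is one byte")
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_value: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the response from the stored cleartext password."""
    if len(chap_value) != 17:
        return False
    expected = chap_password(chap_value[0], stored_password, challenge)
    return hmac.compare_digest(chap_value, expected)
```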

Schedules

It is possible to configure a schedule for policies to take effect. By creating a schedule, the DFL-700 allows the firewall policies to be used at those designated times only. Any activities outside of the scheduled time slot will not follow the policies and will therefore likely not be permitted to pass through the firewall. The DFL-700 can be configured with a start time and stop time, and can have two different time periods in a day. For example, an organization may only want the firewall to allow the internal network users to access the Internet during work hours. Therefore, one may create a schedule for the firewall to allow traffic Monday-Friday, 8AM-5PM only. During non-work hours, the firewall will not allow Internet access. When using schedules it is important to have accurate system time on the firewall, via time sync or by entering the correct system time by hand.

Services

A service is basically a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80.

Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus, a service definition does not include any information whether the service should be allowed through the firewall or not. That decision is made entirely by the firewall policies, in which the service is used as a filter parameter.

Protocol-independent settings

Allow ICMP errors from the destination to the source – ICMP error messages are sent in several situations: for example, when an IP packet cannot reach its destination. The purpose of these error control messages is to provide feedback about problems in the communication environment.

However, ICMP error messages and firewalls are usually not a very good combination; the ICMP error messages are initiated at the destination host (or a device within the path to the destination) and sent to the originating host. The result is that the ICMP error message will be interpreted by the firewall as a new connection and dropped, if not explicitly allowed by the firewall rule-set. Allowing any inbound ICMP message just to have those error messages forwarded is generally not a good idea.

To solve this problem, DFL-700 can be instructed to pass an ICMP error message only if it is related to an existing connection. Check this option to enable this feature for connections using this service.

ALG – Like other stateful inspection based firewalls, DFL-700 filters on information found in packet headers, for instance in IP, TCP, UDP and ICMP headers.

In some situations though, filtering on header data only is not sufficient. The FTP protocol, for instance, includes IP address and port information in the protocol payload. In these cases, the firewall needs to be able to examine the payload data and carry out appropriate actions. DFL-700 provides this functionality using Application Layer Gateways, also known as ALGs.

To use an Application Layer Gateway, the appropriate Application Layer Gateway definition is selected in the dropdown menu. The selected Application Layer Gateway will thus manage network traffic that matches the policy using this service.

Currently, DFL-700 supports two Application Layer Gateways: one is used to manage the FTP protocol and the other is an HTTP Content Filtering ALG. For detailed information about how to configure the HTTP Application Layer Gateway, please see the Content Filtering chapter.

VPN

An IPSec based VPN, such as the DFL-700 VPN, is made up of two parts:

·         Internet Key Exchange protocol (IKE)

·         IPSec protocols (ESP)

The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on which methods will be used to provide security for the underlying IP traffic. Furthermore, IKE is used to manage connections by defining a set of Security Associations (SAs) for each connection. SAs are unidirectional, so there will be at least two SAs per IPSec connection. The other part is the actual IP data being transferred, using the encryption and authentication methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways; here, by using the IPSec protocol ESP.

To set up a Virtual Private Network (VPN), you do not need to configure an Access Policy to enable encryption. Just fill in the following settings: VPN Name, Source Subnet (Local Net), Destination Gateway (if LAN-to-LAN), Destination Subnet (if LAN-to-LAN) and Authentication Method (Pre-shared key or Certificate). The firewalls on both ends must use the same Pre-shared key or set of Certificates, and the same IPSec lifetime, to make a VPN connection.

VPN – Advanced Settings

Advanced settings for a VPN tunnel are used when one needs to change some characteristics of the tunnel. This is sometimes necessary, for example, when trying to connect to a third-party VPN gateway. The settings available per tunnel are the following:

Limit MTU

With this setting it is possible to limit the MTU (Maximum Transmission Unit) of the VPN tunnel.

IKE Mode

Specify if Main mode IKE or Aggressive Mode IKE should be used when establishing outbound VPN Tunnels. Inbound main mode connections will always be allowed. Inbound aggressive mode connections will only be allowed if this setting is set to aggressive mode.

IKE DH Group

Here it’s possible to configure the Diffie-Hellman group to 1 (modp 768-bit), 2 (modp 1024-bit) or 3 (modp 1536-bit).

PFS – Perfect Forward Secrecy

If PFS (Perfect Forward Secrecy) is enabled, a new Diffie-Hellman exchange is performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are dependent on any previously used keys: no keys are derived from the same initial keying material. This ensures that, in the unlikely event that some key is compromised, no subsequent keys can be derived from it.

NAT Traversal

Here it’s possible to configure how the NAT Traversal code should behave.

·         Disabled – The firewall does not send the Vendor IDs that include NAT-T support when setting up the tunnel.

·         On if supported and need NAT – Will only use NAT-T if one of the VPN gateways is NATed.

·         On if supported – Always tries to use NAT-T when setting up the tunnel.

Keepalives

·         No keepalives – Keep-alive is disabled.

·         Automatic keepalives – The firewall will send ICMP pings to IP addresses automatically discovered from the VPN tunnel settings.

·         Manually configured IP addresses – Configure the source and destination IP addresses used when sending the ICMP pings.

Proposal Lists

To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPSec security associations (SAs) are established. As the name implies, a proposal is the starting point for the negotiation. A proposal defines encryption parameters, for instance encryption algorithm, life times etc, that the VPN gateway supports.

There are two types of proposals, IKE proposals and IPSec proposals. IKE proposals are used during IKE Phase-1 (IKE Security Negotiation), while IPSec proposals are used during IKE Phase-2 (IPSec Security Negotiation).

A Proposal List is used to group several proposals. During the negotiation process, the proposals in the proposal list are offered to the remote VPN gateway one after another until a matching proposal is found.

IKE Proposal List

·         Cipher – Specifies the encryption algorithm used in this IKE proposal. Supported algorithms are AES, 3DES, DES, Blowfish, Twofish and CAST128.

·         Hash – Specifies the hash function used to calculate a checksum that reveals whether the data packet was altered while being transmitted. MD5 and SHA1 are the supported algorithms.

·         Life Times – Specifies, in KB or seconds, when the security associations for the VPN tunnel need to be re-negotiated.

IPSec Proposal List

·         Cipher – Specifies the encryption algorithm used in this IPSec proposal. Supported algorithms are AES, 3DES, DES, Blowfish, Twofish and CAST128.

·         HMAC – Specifies the hash function used to calculate a checksum that reveals whether the data packet was altered while being transmitted. MD5 and SHA1 are the supported algorithms.

·         Life Times – Specifies, in KB or seconds, when the security associations for the VPN tunnel need to be re-negotiated.
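As an added example (not D-Link's code) of how the proposal lists above are walked, the following Python models the IKE Phase-1 and IPSec Phase-2 negotiation: the initiator offers its proposals in order and the first one the responder also lists is used. The Proposal type, the sample lists and the rule that every field, lifetime included, must match exactly are assumptions of this example, following the manual's statement that both ends must use the same IPSec lifetime.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKE or IPSec proposal as configured on the DFL-700 VPN page."""
    cipher: str            # AES, 3DES, DES, Blowfish, Twofish or CAST128
    hash: str              # SHA1 or MD5 (called HMAC in the IPSec list)
    lifetime_s: int        # re-negotiate the SA after this many seconds
    lifetime_kb: int = 0   # re-negotiate after this much data (0 = unlimited)


def negotiate(offered: List[Proposal], accepted: List[Proposal]) -> Optional[Proposal]:
    """Offer the initiator's proposals one after another and return the
    first one the responder also lists, or None if nothing matches.

    Every field must agree, lifetimes included: two gateways that differ
    only in lifetime do not match (an assumption of this example that
    mirrors the manual's "same IPSec lifetime" requirement).
    """
    acceptable = set(accepted)
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def negotiate_tunnel(ike_offered: List[Proposal], ike_accepted: List[Proposal],
                     ipsec_offered: List[Proposal], ipsec_accepted: List[Proposal]
                     ) -> Tuple[Optional[Proposal], Optional[Proposal]]:
    """Phase 1 (IKE SA) first; Phase 2 (IPSec SA) runs only if Phase 1 agreed.
    Returns (ike_sa, ipsec_sa); either may be None."""
    ike_sa = negotiate(ike_offered, ike_accepted)
    if ike_sa is None:
        return None, None
    return ike_sa, negotiate(ipsec_offered, ipsec_accepted)


# Constructed sample proposal lists, not taken from a real configuration.
# Ordering matters: the initiator's list is walked top to bottom, so putting
# AES first means the strongest proposal the peer also accepts is chosen,
# while a list that starts with DES/MD5 will settle on that when it matches.
LOCAL_IKE = [
    Proposal("AES", "SHA1", 28800),
    Proposal("3DES", "SHA1", 28800),
    Proposal("DES", "MD5", 28800),      # kept only for a legacy peer
]
PEER_IKE = [
    Proposal("DES", "MD5", 28800),
    Proposal("3DES", "SHA1", 28800),
]
LOCAL_IPSEC = [Proposal("AES", "SHA1", 3600)]
PEER_IPSEC = [Proposal("AES", "SHA1", 1800)]     # same cipher, lifetime differs


if __name__ == "__main__":
    ike_sa, ipsec_sa = negotiate_tunnel(LOCAL_IKE, PEER_IKE, LOCAL_IPSEC, PEER_IPSEC)
    print("IKE SA:  ", ike_sa)     # 3DES/SHA1: first entry of OUR list the peer accepts
    print("IPSec SA:", ipsec_sa)   # None: lifetimes 3600 vs 1800 do not match
    print("peer as initiator:", negotiate(PEER_IKE, LOCAL_IKE))   # DES/MD5 wins
```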

Certificates

Before a VPN tunnel with certificate based authentication can be set up, the firewall needs a certificate of its own and that of the remote firewall. These certificates can either be self-signed certificates, or issued by a CA.

Local identities

This is a list of all the local identity certificates that can be used in VPN tunnels. A local identity certificate is used by the firewall to prove its identity to the remote VPN peer.

To add a new local identity certificate, click Add new. The following pages will allow you to specify a name for the local identity and upload the certificate and private key files. This certificate can then be selected in the Local Identity field on the VPN page.

This list also includes a special certificate called Admin. This is the certificate used by the web interface to provide HTTPS access.

Note: The certificate named Admin can only be replaced, not deleted or renamed. This is used for HTTPS access to the DFL-700.

Certificates of remote peers

This is a list of all certificates of individual remote peers.

To add a new remote peer certificate, click Add new. The following pages will allow you to specify a name for the remote peer certificate and upload the certificate file. This certificate can be selected in the Certificates field on the VPN page.

Certificate Authorities

This is a list of all CA certificates.

To add a new Certificate Authority certificate, click Add new. The following pages will allow you to specify a name for the CA certificate and upload the certificate file. This certificate can be selected in the Certificates field on the VPN page.

Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the Certificate Authorities list, even if Add New was clicked in the Remote Peers list. Similarly, a non-CA certificate will be placed in the Remote Peers list even if Add New was clicked from the Certificate Authorities list.

Identities

This is a list of all the configured Identity lists. An Identity list can be used on the VPN page to limit inbound VPN access from this list of known identities.

Normally, a VPN tunnel is established if the certificate of the remote peer is present in the Certificates field in the VPN section, or if the remote peer’s certificate is signed by a CA whose certificate is present in the Certificates field in the VPN section. However, in some cases it might be necessary to limit who can establish a VPN tunnel even among peers signed by the same CA. The Identity list can be selected in the Identity List field on the VPN page. If an Identity List is configured, the firewall will match the identity of the connecting remote peer against the Identity List, and only allow it to open the VPN tunnel if it matches the contents of the list. If no Identity List is used, no identity matching is done.

Content Filtering

The DFL-700 HTTP content filter can be configured to scan all HTTP protocol streams for URLs or for web page content.

You can configure a URL blacklist to block all or just some of the pages on a website. Using this feature you can deny access to parts of a web site without denying access to it completely.

The HTTP content filter can also be configured to strip contents like ActiveX, Flash and cookies.

There is also a URL white list for URLs that should be excluded from all Content Filtering.

To have the URL white/black list match entire sites, you will most likely want to use wildcards before and after the host names, e.g. “*example.com/*”. However, this will also trigger on e.g. “myexample.com/”, so you may want to split it up in two patterns, e.g. “example.com/*” and “*.example.com/*”, to catch the domain name by itself as well as variants with prefixed host names (“www.”) without having the filter trigger on domains ending with the same text.

Note: For HTTP URL filtering to work, all HTTP traffic needs to go through a policy using a service with the HTTP ALG, which is the case for the “http-outbound” service by default.

Also note that the HTTP content filter cannot examine HTTPS connections, because their content is encrypted. If you wish to block access to HTTPS sites, you will need to configure rules in the firewall policy to block access to port 443 (https) on the IP addresses in question.
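The following Python is an added example, not part of the DFL-700 firmware, of the wildcard matching described above: it shows why “*example.com/*” also hits “myexample.com/” while the two split patterns do not, and how the white list, the black list and the HTTPS limitation combine. The host names, the white-list-before-black-list precedence, and the host/path normalisation are assumptions of the example.

```python
import re
from typing import List

# Constructed lists for the example; on the DFL-700 these live on the
# Content Filtering page. Host names are illustrative only.
WHITELIST = ["intranet.example.com/*"]        # excluded from all content filtering
BLACKLIST = ["example.com/admin/*",            # the two-pattern form from the text:
             "*.example.com/admin/*"]          # bare domain plus prefixed host names


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Only '*' is special and matches any run of characters, '/' included;
    everything else is literal, so '.' in a host name is not a wildcard."""
    escaped = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(escaped) + "$")


def matches(pattern: str, url: str) -> bool:
    """True if the whole 'host/path' string matches the pattern."""
    return compile_pattern(pattern).match(url) is not None


def normalize(url: str) -> str:
    """Reduce an HTTP URL to the 'host/path' form the patterns are written in
    (assumed here; the manual's patterns carry no scheme)."""
    url = re.sub(r"^http://", "", url, flags=re.IGNORECASE)
    host, _, path = url.partition("/")
    return host.lower() + "/" + path    # a bare host becomes "host/" so "host/*" matches


class UrlFilter:
    def __init__(self, whitelist: List[str], blacklist: List[str]):
        self.whitelist = [compile_pattern(p) for p in whitelist]
        self.blacklist = [compile_pattern(p) for p in blacklist]

    def decision(self, url: str) -> str:
        """Return 'allow', 'block', 'filter' or 'not-inspected'.
        Assumed: the white list takes precedence over the black list, and an
        HTTPS URL is never examined, as the note above explains."""
        if url.lower().startswith("https://"):
            return "not-inspected"          # only a port 443 policy rule can block this
        target = normalize(url)
        if any(p.match(target) for p in self.whitelist):
            return "allow"                  # excluded from all content filtering
        if any(p.match(target) for p in self.blacklist):
            return "block"
        return "filter"                     # passes, active-content stripping still applies


if __name__ == "__main__":
    # The manual's false positive: the loose pattern catches an unrelated domain.
    print(matches("*example.com/*", "myexample.com/"))     # True
    print(matches("example.com/*", "myexample.com/"))      # False
    print(matches("*.example.com/*", "myexample.com/"))    # False
    f = UrlFilter(WHITELIST, BLACKLIST)
    for u in ["http://www.example.com/admin/users", "http://example.com/news",
              "http://intranet.example.com/admin/", "https://www.example.com/admin/"]:
        print(u, "->", f.decision(u))
```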

Active content handling

Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example, to strip ActiveX and Flash, enable the checkbox named Strip ActiveX objects. It is possible to strip ActiveX, Flash, Java, JavaScript and VBScript. It is also possible to block cookies.

Categories: NETWORKING Tags:

Astronomical Dating of the Ramayan-Interesting Facts

November 9th, 2008 No comments

Introduction

It has been believed that there is no evidence to determine the dates of events in the Ramayanic era. Some historians of the past even refuse to acknowledge that Rama and other characters from the Ramayana existed. However, Sage Valmiki has recorded the dates of events in detail, albeit by describing the positions of stars and planets. Deciphering the astronomical encodings has not been a trivial task, and not many have attempted to do so. It should be noted that the ancient Indians had a perfect method of time measurement. They recorded the ‘tithis’, days according to the nakshatra on which the moon prevailed, the months, the seasons and even the different Solstices. By noting a particular arrangement of the astronomical bodies, which occurs once in many thousand years, the dates of the events can therefore be calculated. Dr. P.V. Vartak has thus attempted to calculate the dates of important incidents that occurred during the Ramayanic Era. The correct astronomical records go to show that Valmiki has chronicled an account of a true story and also that an advanced time measurement system was known to the Hindus (Indians) at least 9000 years ago. Please refer to Dr. Vartak’s celebrated book “Vastav Ramayan” for further reading.

Before coming to the astronomical method, it should be noted that the Mahabharat has recorded a number of facts about the Ramayan (and not the other way round). The precedence of the Ramayanic era over that of the Mahabharat can therefore be inferred. An attempt to fix the dates of the events in the Mahabharat era has been made, mainly based on internal astronomical records. The Mahabharat Era has already been dated by Dr. Vartak to 5561 B.C. [Reference: Dr. Vartak’s book “Swayambhu”].

Genealogical links available from the Mahabharat and Puranas, Yuga calculations and some archaeological findings also provide clues to the dating of the Ramayanic era. Also, literary references to the characters from the Ramayanic Era provide limits after which the Ramayan could not have occurred. For example, Guru Valmiki (the author of the Ramayana) is referred to in the Taittiriya Brahmana (dated to 4600 B.C.), and therefore the Ramayana must have occurred before the Brahmana was composed. However, archaeological and literary methods can only provide approximate datelines, and for determining the precise time of the Ramayanic events, astronomical calculations alone may be useful.

Astronomical Dating

The Mahabharat states that Sage Vishwamitra started counting nakshatras from Shravana (Aadiparva A.71 and Ashwamedha A.44), and a new reference for time measurement was thus initiated. According to the old tradition, the first place was assigned to the nakshatra prevalent on the Vernal Equinox. Vishwamitra modified this and started measuring from the nakshatra at the Autumnal Equinox. Shravan was at this juncture at about 7500 B.C., which is therefore the probable period when Vishwamitra existed and also that of the Ramayanic Era.

Formerly, the year began with the Varsha-Rutu (season) and was therefore termed “Varsha”. The Ramayan shows that the flag was being hoisted to celebrate the new year on Ashwin Paurnima (Kishkindha 16/37, Ayodhya 74/36). Ayodhya 77 mentions that the flags were defaced and damaged by heat and showers. These descriptions point to the fact that their new year started on the Summer Solstice, when heat and rain exist simultaneously. The Summer Solstice fell on the Ashwin Full Moon, so the Sun was diagonally opposite, at Swati nakshatra. This astral configuration can be calculated to have occurred around 7400 B.C.

Kishkindha 26-13 describes the commencement of the rainy season. Shloka 14 refers to Shravan as “Varshika Poorva Masa”. Kishkindha 28/2 clearly shows that the rainy season began in Bhadrapada Masa. The further description “Heated by the Sun and showered by new waters, the earth is expelling vapours” (Kish. 26/7) points to Bhadrapada as pre-monsoon. Kish. 28/17 tells that there was alternate sunshine and shadowing by the clouds. Kish. 28/14 describes the oncoming rainy season. Thus Bhadrapada was the month of pre-monsoon, that is, before 21st June or the Summer Solstice. Naturally, the months of Ashwin and Kartika formed the rainy season. It is therefore concluded that the Ashwin Full Moon coincided with the Summer Solstice, that year being 7400 B.C.

Rama started his forest exile in Chaitra and ended it in Chaitra. He was coronated in the same month and one month later proceeded to Ashokavan with Seeta (Uttar 41/18) when the Shishira Rutu terminated. So it seems that Vaishakha Masa coincided with Shishira. So the Winter Solstice was in Vaishakha with the Sun at Ashwini. At present, the Winter Solstice takes place at Moola. Thus a shift of 10 nakshatras has occurred since the Ramayanic Era. Precession has a rate of 960 years per nakshatra. Therefore, the Ramayan must have occurred 9600 years ago, which is approximately 7600 B.C.

Shri Rama’s Date of Birth

Now we shall proceed with the astral route. Valmiki records the birth of Rama as Chaitra Shuddha Navami (9th), on Punarvasu Nakshatra, and five planets were exalted then: Sun in Mesha up to 10 deg., Mars in Capricorn at 28 deg., Jupiter in Cancer at 5 deg., Venus in Pisces at 27 deg. and Saturn in Libra at 20 deg. (Bala Kanda 18/Shloka 8,9).

Ayodhya 4/18 states that Sun, Mars and Rahu were at Dasharatha’s nakshatra. It was the month of Chaitra, so the Sun was in Revati, Ashwini or Bharani. Naturally, either Rahu or Ketu was in one of these nakshatras (Rahu and Ketu are diagonally opposite).

The planetary positions on 16th October 5561 B.C., the date of commencement of the Mahabharat War, have been calculated and are known [Dating of the Mahabharat, by Dr. P.V. Vartak]. Therefore, calculating further backwards for the astral combination noted above, the date works out to be 4th December 7323 B.C. On this date, Saturn was at 205 deg., Jupiter at 94 deg., Mars between 283 and 298 deg., Rahu at 179 deg. and the Sun at 2 deg. 4th Dec. 7323 B.C. therefore is the date of birth of Rama, when the aforementioned 4 planets were exalted. Venus is always within 47 degrees of the Sun, and might have been in Pisces in an exalted state. Thus Rama’s date is confirmed.

The Date of Exile

Rama completed 17 years of age (Ayodhya 20/45) and his coronation was fixed on Chaitra Shuddha 9th, on a Pushya day. However, he had to proceed to the forest on the same day, at the behest of Kaikeyi. At this time, Dasharatha states that Rahu, Mars and the Sun were disturbing his nakshatra (Ayodhya 4/18). Calculating 17 years from Rama’s birth date, the location of Mars can be determined at 303 degrees in Dhanishta nakshatra. From here, Mars casts its fourth-sight on Krittika. Rahu, after 17 years, was at 211 degrees in Vishakha, and so was in opposition to Krittika. Being Chaitra masa, the Sun was in Mesha and so could be at Krittika. Thus the planetary positions agree with Valmiki’s statement. Dasharatha’s nakshatra appears to be Krittika.

Valmiki has beautifully described the sky (Ayodhya 41/10) when Rama left for forest exile. He states, “Crux (Trishankhu), Mars, Jupiter and Mercury have cornered the Moon. Vaishakha and the Milky Way are shining in the sky”. Crux is in line with Hasta (Corvus) on the southern side. On the eastern side of Hasta there are Chitra, Swati and Vishakha. As seen earlier, Mars was at 303 deg. in Dhanishta. Calculations show that Jupiter was in Poorvashadha at 251 deg. Pushya was at the western horizon with the setting Moon. On the southern side, from the west to the east, all the other planets were situated. So Valmiki poetically describes the scene as if the Moon was cornered by the planets. The description of the sky 17 years after the birth date of Rama is astronomically perfect.

After 14 years of Rama’s stay in the forest, Valmiki tells that Rohini was imprisoned (6-24-7, 6-93-60, 6-92-60), Mars marched on Rohini (6-93-46 or 6-92-45) and Mars was torturing Rohini (5-17-24 or 5-15-22, 5-19-9, 6-113 or 116-2). The bracketed seven statements show the vicinity of Mars to Rohini. Calculations reveal that 14 years later, Mars was at Ardra and was retrograde. Mars therefore moved in the reverse direction (from Ardra) to Rohini and resided at the “gate” of Rohini, thus in a way imprisoning the latter. It is to be noted that the constellation of Rohini is V-shaped. The apex of the angle points to the west and the two limbs towards the east, and it therefore appears like a “gate”. Mars was situated in between the two limbs (or two doors) of the gate and appeared like a guard. Thus the simile can be explained.

Amavasya (No Moon Day) comes 10.883 days earlier each successive year. 25th November 7323 B.C., 9 days before Rama’s birth, was an Amavasya. In 17 years, the Amavasya shifted by 185.011 days backwards. It means that 6 Amavasyas (each 29.53 days) were completed and a shift of 7.8 deg. was noticed. The original Amavasya before Rama’s birth took place at 353 deg. Deducting 7.8 deg. from it, we obtain 345 deg. as the position of this Amavasya, which falls in the Uttara Bhadrapada nakshatra. Naturally, the next month was Chaitra, when the coronation was arranged on a Pushya day at 104 degrees. One ‘tithi’ contains 12 degrees. So the moon was in Pushya on 29th November 7306 B.C., when Rama proceeded to the forest. Calculations show that this day was a Thursday, as also said by Seeta (Ayodhya 26/9).

Rama left for the forest on a Thursday, the 29th Nov. 7306 B.C. He completed the required 14 year period in the forest and returned on 5th Shuddha 9th was over, and the 5th tithi referred to must have been Chaitra Krishna 5th. Amavasya recedes by 10.883 days each successive year. So in 14 years it must have receded by 152.3 days. Deducting 5 Amavasya periods (29.53 days each), 4.7 days remain, which implies that the Amavasya came 4 days earlier, on 15th November 7292 B.C. Calculating backwards for 14 years from 29th November 7306 B.C., when the Amavasya was at 345 deg., the Amavasya falls at 340 deg. (receded by 4.7 days in 14 years). This is Uttara Bhadrapada, the month being Phalguna. Since the next month was Chaitra, the Krishna 5th tithi happens to be 5th December 7292 B.C., when Rama entered Bharadwaja Ashram.

Hanuman’s visit to Lanka

Hanuman set out to Lanka on a mission to search for the kidnapped Seeta. He reached his destination at night and roamed around a little until he located Seeta the next morning. While describing Hanuman’s return in the Sunder Kanda (S.56 or 57/1/2), Valmiki uses a simile of the sea for the sky:

“The Moon was attractive like a lotus, the Sun like a good crane, and a span from Pushya to Shravana was seen. Punarvasu appeared like a big fish, Mars like a crocodile, Airavata like an island and Swati like a swan.”

Even though it is a poetic simile, Valmiki provides a plot of the nakshatras from the west to the east. When Hanuman started from Lanka it was early morning, because Seeta tells him to rest for a day in some hiding place (Sunder 56/3,11; 57/18). Since it was morning, the Sun was rising and appeared like a crane and the moon like a lotus. As both the moon and the sun were present simultaneously in the sky, it probably was a Paurnima (Full Moon Day), with the moon on the western horizon and the sun on the eastern. The span of nakshatras stretched from Pushya to Shravan, that is from 104 deg. to 281 deg. Punarvasu was also seen. Airavat connotes an elephant, and it is possible that Scorpio was seen like an elephant showing its trunk. The span of nakshatras from Punarvasu to Shravan is seen early in the morning in the Krishna paksha of the Pushya lunar month. Sunrise could also be seen. Hence, most probably, Hanuman returned from Lanka on Pushya Paurnima or in Pushya Vadya paksha.

Hanuman had set out in search of Seeta after Ashwin masa, as he himself says in Kishkindha 53/21, 22. So he must have started the campaign in Kartika masa. One month, that of Margashirsha, was spent in the cave of Swayamprabha. Some more time was spent in the search up to the South Sea, after which Hanuman entered Lanka, possibly on Pushya Shuddha 14th. Thus it is highly probable that he returned on Pushya Paurnima or Pushya Krishna 1st.

Ravana had abducted Seeta in the season of Hemant (Aranya 16/1) and had given her a period of 1 year, that is up to the next Hemant, to consider marrying him (Aranya 56/24, Yudh 12/19). Had Seeta not accepted this offer, Ravana would have killed her in Hemant. Hemant is composed of 2 months. Sunder 58/106 or 108 states that Seeta told Hanuman that only 2 months of her life remained, after which she would die. Seeta therefore must have conveyed this to Hanuman before Hemant began, that is, in the season of Sharad. Thus the Pushya lunar month coincided with the season of Sharad.

According to the above description, Mars was near Punarvasu and Pushya. It was noted that during the (Lanka) war, Mars was at 102 deg. in Pushya. Naturally, since Mars many a time becomes stationary, Mars would have been near Punarvasu and Pushya two months earlier.

The distance from Kishkindha (Vijayanagar to Hospet) to the centre of Lanka is about 600 miles. An army can travel about 20 miles a day; accordingly, Rama’s army would have taken a month to reach Lanka. Even assuming a pessimistic speed of 30 miles per day, Hanuman may have covered the distance in 20 days. Also, it is known that the armies of the Vaanar tribe were searching for Seeta in many directions, and therefore may have taken 2 months to reach Lanka. This army had started searching for Seeta in mid-Kartika, and would have reached Lanka in mid-Pausha. The assumption that Hanuman returned from Lanka in the month of Pausha therefore appears to be reasonable. The Vanar army hurriedly returned to Kishkindha and could have spent 20 days in the interim, and the date falls at Maagha Shuddha 5th. Rama marched to Lanka in one month and reached there on Phalguna Shuddha 5th (22nd Oct. 7292 B.C.). Rama observes, “Today is Uttara Phalguni. Tomorrow, when the moon will rise on Hasta, we will proceed to Lanka” (Yudh s.4). Probably on Magha Krishna 1st (2nd Oct. 7292 B.C.), Rama commenced his journey and reached the shores of Lanka on Phalguna Shuddha 5th. The subsequent three days were spent before Rama could cross the sea. Phalguna Shuddha 8th ended. Thereafter, starting on the 9th, Nala built a temporary bridge (Seetu) within 5 days. On Phalgun Shuddha 14th (31st Oct. 7292 B.C.), Rama’s army crossed over to Lanka. On Phalgun Shuddha 15th, a full moon day, Rama positioned his army at strategic points and surveilled the territory from Mount Suvela (Yudh 38/18). Ravan also observed the approaching army from a tower, held a meeting with his ministers and deployed his army for defence. On Phalgun Krishna 1st (2nd November 7292 B.C.), Ravana arranged his troops at strategic points.

The Great War started

On Phalgun Krishna 2nd, Rama’s army besieged the gates of Lanka. Angada proceeded as Rama’s emissary on a peace mission to Ravana’s court. However, any peace proposal was rejected by Ravana, and the next day (Phal. Kr. 3rd) the Rama-Ravana war commenced. The Great War spanned 13 days and concluded on Phalgun Krishna Amavasya with the death of Ravana. The very next day, Chaitra Shuddha 1st, was celebrated as a Victory Day. This tradition still continues as a New Year’s Day and is marked by hoisting flags.

End of Rama-Ravana War. Ravana killed.

15th November 7292 B.C. was then Phalguna Amavasya. Valmiki states that Ravan came out for the last battle on the Amavasya day (Yudh. 93/66) and was killed. In the description of the battle, Sage Valmiki writes, “Kosala’s nakshatra Vishakha is aspected by Mars” (Yudh. 103/37). The annual motion of Mars is 191.405 degrees. In 14 years, it will progress by 159.58 degrees. At the time of Rama’s exile, Mars was at 303 deg.; 159 deg. added to this places Mars at 102 deg. in Pushya. From Pushya, Mars could cast its fourth-sight on Vishakha. So the calculations presented so far seem to be correct. It also shows Valmiki’s minute observations and time recording capabilities. Thus the date of the last battle of the War is 15th November 7292 B.C.
 
Following are the dates of a few events from the Ramayana:

·         Rama’s Birth Date – 4th December 7323 B.C.

·         Rama-Seeta Married – 7th April 7307 B.C.

·         Rama Exiled – 29th November 7306 B.C.

·         Hanuman enters Lanka – 1st September 7292 B.C.

·         Hanuman meets Seeta – 2nd September 7292 B.C.

·         Seetu (Bridge) built on the ocean – 26th to 30th Oct. 7292 B.C.

·         The War begins – 3rd November 7292 B.C.

·         Kumbhakarna is killed – 7th November 7292 B.C.

·         Ravana is killed by Rama – 15th November 7292 B.C.

·         Rama returns to Ayodhya – 6th December 7272 B.C.


Categories: Uncategorized Tags:

Innovation Through Exploration

November 5th, 2008 Comments off

Innovation Through Exploration

Thank you for visiting the Binarycse Blog. The world of computers and the Internet together is expanding at a rapid speed and is influencing our daily walk of life. Computers and the Internet today have become the mainstream of every individual’s lifestyle. Our dependency on these mean machines has grown rapidly in the past two decades. We can also see that computers are becoming more robust as time passes and are now able to survive in any environment.

The major question posed in front of us is: “Is everyone able to cope with the daily and rapidly changing technology around us?” It is our small attempt to help everyone in this world cope with rapidly changing technology. Our mission is to help everyone become self-reliant when it comes to computers and Internet technology.

Innovation is a key ingredient of success in every industry, and here at “Binarycse” we believe in innovation through exploration. Exploration is the key to innovation, and hence to defining new paths in the information technology sector.

In general, technology is the relationship that society has with its tools and crafts, and the extent to which society can control its environment. The Merriam-Webster dictionary offers a definition of the term: “the practical application of knowledge especially in a particular area” and “a capability given by the practical application of knowledge”. Ursula Franklin, in her 1989 “Real World of Technology” lecture, gave another definition of the concept; it is “practice, the way we do things around here”. Technology can be most broadly defined as the entities, both material and immaterial, created by the application of mental and physical effort in order to achieve some value. In this usage, technology refers to tools and machines that may be used to solve real-world problems. It is a far-reaching term that may include simple tools, such as a crowbar or wooden spoon, or more complex machines, such as a space station or particle accelerator. Tools and machines need not be material; virtual technology, such as computer software and business methods, falls under this definition of technology.

The word “technology” can also be used to refer to a collection of techniques. In this context, it is the current state of humanity’s knowledge of how to combine resources to produce desired products, to solve problems, fulfill needs, or satisfy wants; it includes technical methods, skills, processes, techniques, tools and raw materials. When combined with another term, such as “medical technology” or “space technology”, it refers to the state of the respective field’s knowledge and tools. “State-of-the-art technology” refers to the high technology available to humanity in any field.

Technology can be viewed as an activity that forms or changes culture. Additionally, technology is the application of math, science, and the arts for the benefit of life as it is known. A modern example is the rise of communication technology, which has lessened barriers to human interaction and, as a result, has helped spawn new subcultures; the rise of cyber culture has, at its basis, the development of the Internet and the computer. Not all technology enhances culture in a creative way; technology can also help facilitate political oppression and war via tools such as guns. As a cultural activity, technology predates both science and engineering, each of which formalizes some aspects of technological endeavor.

Science, engineering and technology

The distinction between science, engineering and technology is not always clear. Science is the reasoned investigation or study of phenomena, aimed at discovering enduring principles among elements of the phenomenal world by employing formal techniques such as the scientific method. Technologies are not usually exclusively products of science, because they have to satisfy requirements such as utility, usability and safety.

Engineering is the goal-oriented process of designing and making tools and systems to exploit natural phenomena for practical human means, often (but not always) using results and techniques from science. The development of technology may draw upon many fields of knowledge, including scientific, engineering, mathematical, linguistic, and historical knowledge, to achieve some practical result.

Technology is often a consequence of science and engineering — although technology as a human activity precedes the two fields. For example, science might study the flow of electrons in electrical conductors, by using already-existing tools and knowledge. This new-found knowledge may then be used by engineers to create new tools and machines, such as semiconductors, computers, and other forms of advanced technology. In this sense, scientists and engineers may both be considered technologists; the three fields are often considered as one for the purposes of research and reference.

The exact relations between science and technology in particular have been debated by scientists, historians, and policymakers in the late 20th century, in part because the debate can inform the funding of basic and applied science. In the immediate wake of World War II, for example, it was widely considered in the United States that technology was simply “applied science” and that to fund basic science was to reap technological results in due time. An articulation of this philosophy could be found explicitly in Vannevar Bush’s treatise on postwar science policy, Science—the Endless Frontier: “New products, new industries, and more jobs require continuous additions to knowledge of the laws of nature… This essential new knowledge can be obtained only through basic scientific research.” In the late 1960s, however, this view came under direct attack, leading towards initiatives to fund science for specific tasks (initiatives resisted by the scientific community). The issue remains contentious—though most analysts resist the model that technology simply is a result of scientific research.

Categories: General Tags: