CEH

What is Defense in Depth? & How Defense in depth Works

Defense in depth is a security strategy in which security professionals use many protection layers throughout an information system. The strategy borrows the military principle that it is more difficult for an enemy to defeat a complex, multi-layered defense system than to penetrate a single barrier. Defense in depth helps to stop direct attacks against an information system, because a breach in one layer only leads the attacker to the next layer. If a hacker gains access to a system, defense in depth minimizes any adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent a repeat of the intrusion.

How Defense in depth Works

A layered approach to security can be applied to all levels of IT systems, from the lone laptop accessing the web from a coffee shop to a fifty-thousand-user enterprise WAN; defense in depth will considerably improve your security profile. No organization can ever be absolutely protected by a single layer of security. Wherever one door may be closed, others are left wide open, and hackers can find these vulnerabilities very quickly. By using a series of different defenses together, such as firewalls, malware scanners, intrusion detection systems, encryption and integrity auditing solutions, you effectively close the gaps that are created by relying on a single security solution.

Elements of defense in depth

Security Policies and Procedures

In the initial layer of defense, the organization must set up benchmarks, standards and policies. In some scenarios, legal rules and best practices serve as the baseline standard; later these become the actual norm for the organization. Internationally, different standards are recognized for information security, such as those of the International Organization for Standardization (ISO), the Payment Card Industry Data Security Standard (PCI DSS), Control Objectives for Information and Related Technology (COBIT) and many more. Every standard or regulation has a general implementation cycle.

Physical Security

Physical security is not only concerned with locking doors and posting guards; it also includes security of the server room, laptop and desktop protection, and human factors.

Perimeter and Network

Network hardening is a core element of securing an IT organization, as shown in Fig. 3, between major network segments. It starts with designing coverage against well-known and obvious network attacks. Network perimeter traffic should be filtered by stateful inspection firewalls and intrusion detection mechanisms, malware identification and blocking technologies, and filtering of inbound dangerous content. To defend the network perimeter it is necessary to understand what a network might face in terms of attacks and threats. Once properly configured, this layer shields information assets by allowing only those activities that are needed to continue business operations.


Monitoring and Logging of Events

A security design remains incomplete without a proper monitoring and logging system. Network and security operations should be continuously monitored for signs of any possible intrusion. Effective alerts and alarms can only be generated with correct implementation of monitoring of security controls, rather than simply parsing logs from one device to another without a complete deployment of a monitoring system. Administrators must review important logs every day to detect advanced intrusions or threats to the system.

Host Security

Host security is as important as network hardening in a security design. Antivirus, anti-malware, host intrusion detection and prevention mechanisms, host-based firewalls and software hardening should be enforced.

Session Security

Session security provides restrictions over a user within a single session and is important in web security. Cryptographically strong, appropriate keys and session identifiers are the best controls used to implement session security. A complete guideline in this regard is available from OWASP.

Application Security

Security of users, credit card data, restriction of rights, vulnerability analysis, input validation, backup and restoration, passwords and access control lists (ACLs) are the controls that support the implementation of application security.

Information Security

Data leakage prevention based on encryption, such as the Triple Data Encryption Standard (3DES), should be enforced to protect the private information of the organization and its users, including credit card data.

Defense-in-depth architecture: Layered security

Defense-in-depth security architecture is based on controls that are designed to protect the physical, technical and administrative aspects of your network.

Physical controls – These controls include security measures that prevent physical access to IT systems, such as security guards or locked doors.

Technical controls – Technical controls include security measures that protect network systems or resources using specialized hardware or software, such as a firewall appliance or antivirus program.

Administrative controls – Administrative controls are security measures consisting of policies or procedures directed at an organization’s employees, e.g., instructing users to label sensitive information as “confidential”.
Additionally, the following security layers help protect individual facets of your network:

Access measures – Access measures include authentication controls, biometrics, timed access and VPN.

Workstation defenses – Workstation defense measures include antivirus and anti-spam software.

Data protection – Data protection methods include data at rest encryption, hashing, secure data transmission and encrypted backups.

Perimeter defenses – Network perimeter defenses include firewalls, intrusion detection systems and intrusion prevention systems.

Monitoring and prevention – The monitoring and prevention of network attacks involves logging and auditing network activity, vulnerability scanners, sandboxing and security awareness training.


The Benefits of Defense in Depth

A multi-layered approach can be tailored to different levels of security. Not every asset needs to be fully secured; instead, only the most business-critical assets, such as proprietary information and leads, need be protected by the most restrictive settings.
If one system fails, there are other systems still functioning. It is not possible to ensure the safety of any single type of security application; there are always vulnerabilities and exploits. By using multiple systems to mitigate damage, the organization can ensure that even if one (or multiple) systems fail, the system itself is still protected.

Read More : https://www.info-savvy.com/defense-in-depth/

————————————————————————————————

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ

Cyber-security

Top cyber security certifications of 2020 in India


Top cyber security certifications of 2020 in India is the topic of this article: we discuss cyber security certifications, their benefits, prerequisites, cost and the average salaries of various cyber security roles in detail. Nowadays technology is rising so much that every other person has at least one or two devices such as phones, laptops or computers, and because of that there are more devices than the actual population.
Nowadays people are not that scared about accidents but are more scared about someone hacking their devices. This hacking is not just happening on a small scale; it is also affecting bigger organizations and businesses, because hackers are getting more innovative, and that is where the need for cyber security is rising. Cyber security is the practice of protecting systems, networks, applications and programs from digital attacks. These cyber attacks are usually aimed at accessing, changing or destroying sensitive information, extorting money from people and interrupting normal business functionality. But people are becoming innovative and adopting smart decisions in order to keep their lives and organizations free of cyber attacks. Their approach has been to create multiple layers of protection spread across computers, networks, programs and data to keep them safe. Likewise, in an organization the people, the processes and the technology should complement each other to create an effective defense against cyber attacks. Cyber security attacks can be anything: identity theft, extortion attempts, loss of important data, theft of money and much more. Everyone relies on crucial infrastructure such as businesses, hospitals, power plants and financial services companies, and securing these and other organizations is essential to keep our society functioning. Because of such high demand in cyber security, a lot of people are looking to take this path, learn the principles and techniques of cyber security, apply and practice them, and help people and organizations stay free of cyber attacks. That is why a lot of institutions have come up with cyber security certifications that teach people how to keep themselves and others safe.
But it is not just about learning; it is about understanding those principles and developing an understanding of where to implement them, and there is one institution, Infosavvy, which not only offers varied cyber security certification courses but also gives an amazing learning experience and helps to develop the understanding needed to come up with creative solutions to such problems. The cyber security certification courses Infosavvy offers in Mumbai are CCISO, CEH, CTIA, ECIH and ECSA. All these are among the top cyber security certifications of 2020 in India.


EC-Council Certified Chief Information Security Officer (CCISO)

EC-Council Certified Chief Information Security Officer (CCISO) is a certification course for professionals who are aiming to build a successful information security program. In this certification, professionals get the bigger picture of the knowledge and training required in a networking role to build networking strategies that interact to form a secure platform. At Infosavvy, they will learn to develop and understand the best practices and techniques required to create a secure IT network and environment. In this certification, one will learn to define, implement and manage an information security program that includes leadership, organizational structures and processes. One will also be able to design and develop a program to monitor firewalls and identify firewall configuration issues, and will gain knowledge about deploying and managing anti-virus systems. This certification will help to understand various system engineering practices. It will help the candidate to develop and manage an organizational digital forensic program, and professionals will be able to identify volatile and persistent system information. They will gain the knowledge to allocate financial resources to projects, processes and units within the information security program. Infosavvy helps professionals to identify the best practices to acquire, store and process digital evidence, and the CCISO certification training program helps to understand the IA security requirements to be included in statements of work and other documents. At Infosavvy, candidates will also be able to experience training from professionals in the IT industry. Infosavvy not only trains but also helps candidates to have the best learning experience; it provides top cyber security certifications of 2020 in India.

Certified Ethical Hacker certification(CEH)

Certified Ethical Hacker certification is the most desired information security training program any information security professional will ever want to be in. To master these hacking technologies one must become a hacker, but an ethical one! This course at Infosavvy provides the advanced hacking tools and techniques used by hackers and information security professionals. As they usually put it, "to beat a hacker, you need to think like a hacker". This course will put one into a hacker mindset so that they will be able to defend against future attacks. This ethical hacking course puts you in the driver's seat of a hands-on environment with a systematic process. The professionals will get a very different experience of achieving information security in an organization: by hacking it! One will learn to hack, scan, test and secure information on the systems. Infosavvy's CEH certification also helps to understand and develop skills on how to look for weaknesses and vulnerabilities in the target systems and to use hacking tools as a hacker would, but in a lawful way, to assess the particular target systems. Not only this, but Infosavvy has climbed one more step towards giving the best: it provides training and certification in ethical hacking with the all-new C|EH v10, which is the best training module for ethical hacking. The purpose of the CEH credential is: to establish minimum standards for professional information security specialists in ethical hacking; to inform the public that credentialed individuals meet or exceed the minimum standards; and to reinforce ethical hacking as a unique and self-regulating profession. Because of all this, Infosavvy is the best institute in Mumbai to offer this course and help people to develop an interest in it, so that they use this knowledge and skill effectively to help people and organizations save themselves from bad hackers.
Not only does Infosavvy provide this big platform, but it also lets candidates experience and learn from training provided by professional ethical hackers in the industry, because of which the course becomes more knowledgeable and interesting.

Cyber threat incidents (CTIA)

Cyber threat incidents have increased drastically. Nowadays a lot of organizations are concerned about losing personally identifiable information which can be targeted by a cyber attack. It is scary that cyber threats can surprise organizations at any moment from unexpected sources. To overcome this, organizations need to adopt Threat Intelligence (TI). Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to IT or information assets. An organization must be aware of attack trends in order to know the threats it is likely to face, and this is where threat intelligence comes into play. Therefore Infosavvy's Certified Threat Intelligence Analyst (C|TIA) allows students to enhance their skills in building effective organizational cyber threat intelligence. Cyber threat intelligence includes reliable data collection from numerous sources, context analysis, production of useful intelligence, and distribution of the information to stakeholders. Certified Threat Intelligence Analyst (C|TIA) is a training program designed and developed in collaboration with cyber security and threat intelligence experts across the globe to help organizations identify and mitigate business risks by converting unknown internal and external threats into known threats. Infosavvy teaches a structured approach to building effective threat intelligence. In this ever-changing threat landscape, C|TIA is a highly professional program for those who deal with cyber security threats on a daily basis. It is a method-driven program that takes a holistic approach, covering concepts from planning the threat intelligence to building a report to disseminate threat intelligence.
This program provides the solid, professional knowledge that is required for a career in threat intelligence, and enhances your skills as a Threat Intelligence Analyst, increasing your employability. If you are interested in Threat Intelligence and keen to implement it, Infosavvy's C|TIA Certification is the way to go.

Read More : https://www.info-savvy.com/top-cybersecurity-certifications-of-2020-in-india/


ISO 27001

ISO 27001 Clause 10.2 Continual Improvement

Required Activity

ISO 27001 Clause 10.2 Continual Improvement: the organization continually improves the suitability, adequacy and effectiveness of the ISMS.

Why organization needs to have continual improvement?

Organizations are never static, nor are their contexts. In addition, the threats to information systems, and the ways in which they can be compromised, are rapidly changing. At the end of the day, there is no ISMS which remains perfect; it always needs continual improvement, even if the organization and its context are not changing. Here at Infosavvy we are continually talking about how the ISMS is a systematic approach consisting of processes, technology and people that helps us to protect and manage our organisation's information through effective risk management. It is a topic of discussion in all of our training, and we make sure that our trainees also imbibe the same understanding. It has become second nature. We are constantly looking at making improvements. It is not just a requirement of an ISMS but a need of every organization.


As an example of non-conformity or risk-related improvements, an assessment of an ISMS component (in terms of suitability, adequacy and effectiveness) may show that it exceeds ISMS requirements or is lacking in efficiency. If so, then the ISMS can often be improved by making changes in the management system.

Areas of improvement

  • Regular internal audits
  • Regular and proper management review (Clause 9.3 ISO 27001)
  • Regular external audits
  • Understanding suggestions from the stakeholders and implementing them in the information security management system accordingly
  • Checking whether the organization is following regulatory requirements or not
  • Reviewing security controls
  • Matching the organization activities with requirements of standard ISO 27001

Also, top management can set objectives for continual improvement, e.g. through measurements of effectiveness, cost or process maturity. The ISMS is a crucial entity that plays a vital role in business operations. In order to keep pace with developments, the ISMS is periodically checked for function, efficacy and consistency with the objectives of the organization. This blog addresses clause 10.2 of ISO 27001:2013, Continual improvement. Infosavvy helps you to understand the implementation of the standard and provides in-depth knowledge for the IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) courses (training certified by TÜV SÜD).

What is necessary when doing the assessment?

  1. Suitability of the ISMS, considering whether the external and internal issues, requirements of the interested parties, established information security objectives and identified information security risks are properly addressed through planning and implementation of the ISMS and information security controls.
  2. Adequacy of the ISMS, considering whether ISMS processes and information security conform to the ultimate goals, practices and processes of the company.
  3. Effectiveness of the ISMS, considering whether the intended outcome(s) of the ISMS are achieved, the needs of the interested parties are met, information security risks are managed to satisfy information security objectives, nonconformities are managed, and the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS are commensurate with those results.

The assessment can also include an overview of the efficiency of the ISMS and the components of its resources, evaluating whether their usage of resources is appropriate, if there is a possibility of productivity loss or opportunity to achieve greater effectiveness. Area of improvement can also be identified while managing nonconformities with corrective actions.


Once area(s) of improvement are identified, the organization should handle them consistently by:

  1. Evaluating them to determine whether or not they are worth pursuing;
  2. Planning and implementing the actions to deal with the opportunities, ensuring that benefits are realized and nonconformities do not occur, or planning corrective actions for nonconformities;
  3. Evaluating the effectiveness of the actions.

Read More : https://www.info-savvy.com/iso-27001-clause-10-2-continual-improvement/


ISO 27001

ISO 27001 Clause 10.1 Non conformity and corrective action

Required activity

ISO 27001 Clause 10.1 Nonconformity and corrective action: Clause 10, containing sections 10.1 and 10.2, covers the "Act" part of W. Edwards Deming's Plan-Do-Check-Act (PDCA) cycle. This clause helps an organisation react to nonconformities, evaluate them and take corrective actions with the end goal of continually improving how it runs its daily activities.

Explanation

Nonconformity is the non-fulfilment of a requirement of the ISMS. Nonconformity cannot always be avoided, because mistakes do happen in an organisation; however, what is important is that the issue is identified and handled accordingly when it presents itself. Requirements are needs or expectations that are stated, implied or obligatory. There are several types of nonconformities, such as:

  1. Failure to fulfil a requirement (completely or partially) of ISO/IEC 27001 within the ISMS;
  2. Failure to properly implement or conform to a requirement, rule or control stated by the ISMS;
  3. Partial or total failure to comply with legal, contractual or agreed customer requirements.

Nonconformities are often for example:

  1. Persons not behaving as expected by procedures and policies;
  2. Suppliers not providing agreed products or services;
  3. Projects not delivering expected outcomes; and
  4. Controls not operating according to their design.

Nonconformities are often recognised by:

  1. Deficiencies of activities performed within the scope of the management system;
  2. Ineffective controls that aren’t remediated appropriately;
  3. Analysis of data security incidents, showing the non-fulfilment of a requirement of the ISMS;
  4. Complaints from customers;
  5. Alerts from users or suppliers;
  6. Monitoring and measurement results not meeting acceptance criteria; and
  7. Objectives not achieved.


How should organisations deal with non-conformity?

The three basic steps when it comes to controlling nonconformity are identifying the problem or violation, recording it and taking appropriate action to put an end to it.

In general, the following steps should be adopted:

  1. Identifying the extent and impact of the nonconformity.
  2. Choosing the corrections so as to limit the impact of the nonconformity. Corrections can include switching to previous, failsafe or other appropriate states. Care should be taken that corrections don't make things worse.
  3. Communicating with relevant personnel to make sure that corrections are carried out.
  4. Completing corrections as decided;
  5. Monitoring the situation to make sure that corrections have had the intended effect and haven't produced unintended side-effects;
  6. Acting further to correct the nonconformity if it is still not remediated; and
  7. Communicating with other relevant interested parties, as appropriate.

To identify effective corrective action, it is strongly advised to complete a root cause analysis of the issue that occurred. If you don't get to the bottom of why or how it happened, then it is likely that whatever fix you implement will not be fully effective.

However, corrections alone won't necessarily prevent recurrence of the nonconformity. Corrective actions can occur after, or in parallel with, corrections. The following process steps should be taken:

  1. The organisation needs to decide if there is a requirement to carry out a corrective action, in accordance with established criteria (e.g. impact of the nonconformity, repetitiveness);
  2. Review the nonconformity, considering:
    – whether similar nonconformities are recorded;
    – all the results and side-effects caused by the nonconformity;
    – the corrections taken.
  3. Perform an in-depth root cause analysis of the nonconformity.
  4. Identify patterns and criteria which will help to spot similar situations in the future.
  5. Perform an analysis of potential consequences on the ISMS, considering:
    – whether similar nonconformities exist in other areas, e.g. by using the patterns and criteria found during the cause analysis;
    – whether other areas match the identified patterns or criteria, so that it is only a matter of time before a similar nonconformity occurs.
  6. Determine the actions needed to correct the cause, evaluating whether they are proportionate to the results and impact of the nonconformity, and checking for any potential side-effects which can cause other nonconformities or significant new information security risks.
  7. Plan the corrective actions, giving priority, if possible, to areas where there is a higher likelihood of recurrence and more significant consequences of the nonconformity.
  8. Implement the corrective actions according to the plan.
  9. Finally, assess the corrective actions to determine whether they have actually addressed the cause of the nonconformity and whether they have prevented nonconformities from recurring. This assessment should be impartial, evidence-based and documented. It should also be communicated to the appropriate roles and stakeholders.


As a result of corrections and corrective actions, it is possible that new opportunities for improvement are identified. These should be treated accordingly. Sufficient documented information is required to be retained to demonstrate that the organization has acted appropriately to deal with the nonconformity and has addressed the related consequences. All significant steps of nonconformity management (starting from discovery and corrections) and, if started, corrective action management (cause analysis, review, decision about the implementation of actions, review and change decisions made for the ISMS itself) should be documented. The documented information is also required to include evidence of whether or not the actions taken have achieved the intended effects.

Read More : https://www.info-savvy.com/iso-27001-clause-10-1-non-conformity-and-corrective-action/


ISO 27001

ISO 27001 Clause 9.3 Management review

Activity

ISO 27001 Clause 9.3 Management review: top management conducts a management review for ISO 27001 at planned intervals.

What is ISO 27001 Clause 9.3?

ISO 27001 Clause 9.3, Management review, highlights the significance of management review, which helps to ensure the continuing suitability, adequacy and effectiveness of the Information Security Management System in the organization, where suitability refers to the continuous alignment with the objectives of the organization, and adequacy and effectiveness call for appropriate design and organizational embedding respectively. It is a process which is administered at various levels of the organization, where the activities could range from daily, weekly or monthly organization unit meetings to simple reporting discussions. It is the responsibility of top management to evaluate this review with contributions from all levels of the organization. Management review generally happens after the ISMS internal audit is completed, and it occurs at planned intervals and in a strategic manner.


What does Management Review incorporate?

The management review should consider the requirements of Clause 9.3 of ISO 27001:2013, which helps top management to facilitate effective reviews and strategic decisions best suited to the business needs. There are several ways by which management can review the ISMS, such as receiving and reviewing measurements and reports, written communications and verbal updates. Top management should include reporting on ISMS efficiency and should review it frequently. The primary components of the management review include the result of the information security assessment, results of internal audit, the risk assessment and the status of the risk treatment plan. While assessing the information security risk assessment, management should check that the residual risk fulfills the risk acceptance criteria, which cover all applicable risks and their risk treatment options in the risk treatment plan. All aspects of the ISMS should be reviewed by management at planned intervals, at a minimum yearly, by fixing suitable schedules and agenda items in management meetings. Also, a recently implemented ISMS should be reviewed more frequently by management to increase overall effectiveness.

What should be the agenda of the management review?

The standard ISO 27001 Clause 9.3 Management review shall consider the following topics:

  1. Status of actions from previous management reviews;
  2. Changes in external and internal issues that are relevant to the ISMS;
  3. Feedback on the information security performance, including trends in:
    – Nonconformities and corrective actions;
    – Monitoring and measurement results;
    – Audit results;
    – Fulfillment of information security objectives.
  4. Feedback from stakeholders, including suggestions for improvement, requests for change and complaints;
  5. Results of information security risk assessment(s) and status of the risk treatment plan; and
  6. Opportunities for continual improvement, including efficiency improvements for both the ISMS and information security controls.

The input for the management review should be at an acceptable level of detail, consistent with the objectives set for the organization. For example, just a description of all items, aligned with information security objectives or high-level objectives, may be reviewed by top management.


The end result of this management review process will include continuous improvement of the ISMS and will also address any changes required in the ISMS. End results may also include evidence of decisions regarding:

  1. Changes in information security policy
  2. Changes in risk acceptance criteria and also the criteria for performing information security risk assessments
  3. Updating information security risk treatment plan or Statement of Applicability
  4. Necessary improvements in monitoring and measuring activities
  5. Change in resources

Read More : https://www.info-savvy.com/iso-27001-clause-9-3-management-review/
———————————————————

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ

AWS

VPC Network Address Translation

When you associate an ENI with a public IP address, the ENI keeps its private IP address. Associating a public IP with an ENI doesn’t reconfigure the ENI with a new address. Instead, the Internet gateway maps the public IP address to the ENI’s private IP address using a process called network address translation (NAT). When an instance with a public IP connects to a host on the Internet, the host sees the traffic as originating from the instance’s public IP. For example, assume an instance with a private IP address of 172.31.7.10 is associated with the EIP 35.168.241.48. When the instance attempts to send a packet to the Internet host 198.51.100.11, it will send the following packet to the Internet gateway:

The Internet gateway will translate this packet to change the source IP address to the instance’s public IP address. The translated packet, which the Internet gateway forwards to the host, looks like this:

Likewise, when a host on the Internet sends a packet to the instance’s EIP, the Internet gateway will perform network address translation on the incoming packet. The packet that reaches the Internet gateway from the Internet host will look like this:

The Internet gateway will translate this packet, replacing the destination IP address with the instance’s private IP address, as follows:

Network address translation occurs automatically at the Internet gateway when an instance has a public IP address. You can’t change this behaviour. Network address translation as described here is also sometimes called one-to-one NAT because one private IP address gets mapped to one public IP address.


Network Address Translation Devices

Although network address translation occurs at the Internet gateway, there are two other resources that can also perform NAT:

  • NAT gateway
  • NAT instance

AWS calls these NAT devices. The purpose of a NAT device is to allow an instance to access the Internet while preventing hosts on the Internet from reaching the instance directly. This is useful when an instance needs to go out to the Internet to fetch updates or to upload data but does not need to service requests from clients. When you use a NAT device, the instance needing Internet access does not have a public IP address allocated to it, which makes it impossible for hosts on the Internet to reach it directly. Instead, only the NAT device is configured with a public IP. Additionally, the NAT device has an interface in a public subnet. Refer to Table 4.7 for an example.

When db1 sends a packet to a host on the Internet with the address 198.51.100.11, the packet must first go to the NAT device. The NAT device translates the packet as follows:

The NAT device then takes the translated packet and forwards it to the Internet gateway. The Internet gateway performs NAT translation on this packet as follows:

Multiple instances can use the same NAT device, thus sharing the same public IP address for outbound connections. The function that NAT devices perform is also called port address translation (PAT).
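The two translation steps described above, as an added example that is not part of the original article: one-to-one NAT at the Internet gateway and port address translation at a NAT device. The addresses 172.31.7.10, 35.168.241.48 and 198.51.100.11 come from the article; the NAT device’s private IP 172.31.88.250, its EIP 203.0.113.5, the instance 172.31.7.20 and all port numbers are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class InternetGateway:
    """One-to-one NAT at the Internet gateway: each private IP maps to one EIP."""

    def __init__(self, eip_map):
        self.private_to_public = dict(eip_map)
        self.public_to_private = {pub: priv for priv, pub in eip_map.items()}

    def outbound(self, pkt):
        # Only the source address is rewritten; the ENI keeps its private IP.
        return replace(pkt, src_ip=self.private_to_public[pkt.src_ip])

    def inbound(self, pkt):
        # Traffic arriving for an EIP has its destination rewritten to the private IP.
        return replace(pkt, dst_ip=self.public_to_private[pkt.dst_ip])


class NatDevice:
    """Port address translation (PAT): many instances share the device's address,
    so the device rewrites the source port to tell their connections apart."""

    def __init__(self, private_ip, first_port=1024):
        self.private_ip = private_ip
        self.next_port = first_port
        self.translations = {}  # translated source port -> (original src_ip, src_port)

    def outbound(self, pkt):
        port = self.next_port
        self.next_port += 1
        self.translations[port] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.private_ip, src_port=port)

    def inbound(self, pkt):
        # Only replies to a recorded outbound translation are forwarded; an
        # unsolicited packet from the Internet has no entry and is dropped (None).
        entry = self.translations.get(pkt.dst_port)
        if entry is None:
            return None
        orig_ip, orig_port = entry
        return replace(pkt, dst_ip=orig_ip, dst_port=orig_port)


# Instance 172.31.7.10 / EIP 35.168.241.48 are the article's values; the NAT
# device's private IP 172.31.88.250 and its EIP 203.0.113.5 are constructed.
IGW = InternetGateway({"172.31.7.10": "35.168.241.48",
                       "172.31.88.250": "203.0.113.5"})


def private_instance_round_trip(nat, igw, request):
    """Trace a request from an instance with no public IP out through the NAT
    device and then the Internet gateway, and the reply back in. Returns the
    packet as seen by the Internet host and the reply as delivered to the instance."""
    on_wire = igw.outbound(nat.outbound(request))
    reply = Packet(on_wire.dst_ip, on_wire.dst_port, on_wire.src_ip, on_wire.src_port)
    delivered = nat.inbound(igw.inbound(reply))
    return on_wire, delivered


if __name__ == "__main__":
    nat = NatDevice("172.31.88.250")
    req = Packet("172.31.7.20", 40000, "198.51.100.11", 443)  # constructed private instance
    print(private_instance_round_trip(nat, IGW, req))
```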


Configuring Route Tables to Use NAT Devices

Instances that use the NAT device must send Internet-bound traffic to it, while the NAT device must send Internet-bound traffic to an Internet gateway. Hence, the NAT device and the instances that use it must use different default routes. Furthermore, they must also use different route tables and hence must reside in separate subnets. Refer to Table 4.7 again. Notice that the instances reside in the Private subnet, and the NAT device is in the Public subnet. The default routes for these subnets would follow the pattern in Table 4.8.

Refer to the diagram in Figure 4.2 to see the relationship between both of the route tables. Recall that a route target must be a VPC resource such as an instance, Internet gateway, or ENI. The specific target you choose depends on the type of NAT device you use: a NAT gateway or a NAT instance.

Read More :  https://www.info-savvy.com/vpc-network-address-translation/


AWS

VPC Network Access Control Lists

A network access control list (NACL) functions as a firewall in that it contains inbound and outbound rules to allow traffic based on a source or destination CIDR, protocol, and port. Also, each VPC has a default NACL that can’t be deleted. But the similarities end there. A NACL differs from a security group in many respects. Instead of being attached to an ENI, a NACL is attached to a subnet. The NACL associated with a subnet controls what traffic may enter and exit that subnet. This means that NACLs can’t be used to control traffic between instances in the same subnet. If you want to do that, you have to use security groups. A subnet can have only one NACL associated with it. When you create a new subnet in a VPC, the VPC’s default NACL is associated with the subnet by default. You can modify the default NACL, or you can create a new one and associate it with the subnet. You can also associate the same NACL with multiple subnets, provided those subnets are all in the same VPC as the NACL. Unlike a security group, which is stateful, a NACL is stateless, meaning that it doesn’t track the state of connections passing through it. This is much like an access control list (ACL) on a traditional switch or router. The stateless nature of the NACL is why each one is preconfigured with rules to allow all inbound and outbound traffic, as discussed in the following sections.


Inbound Rules

Inbound rules determine what traffic is allowed to ingress the subnet. Each rule contains the following elements:

  • Rule number
  • Protocol
  • Port range
  • Source
  • Action

The default NACL for a VPC with no IPv6 CIDR comes prepopulated with the two inbound rules listed in

NACL rules are processed in ascending order of the rule number. Rule 100 is the lowest numbered rule, so it gets processed first. This rule allows all traffic from any source. You can delete or modify this rule or create additional rules before or after it. For example, if you wanted to block only HTTP (TCP port 80), you could add the following rule:

This rule denies all TCP traffic with a destination port of 80. Because it’s the lowest numbered rule in the list, it gets processed first. Any traffic not matching this rule would be processed by rule 100, which allows all traffic. The last rule in Table 4.5 is the default rule. It’s designated by an asterisk (*) instead of a number and is always the last rule in the list. You can’t delete or otherwise change the default rule. The default rule causes the NACL to deny any traffic that isn’t explicitly allowed by any of the preceding rules. Complete Exercise 4.6 to create a custom NACL.


Outbound Rules

As you might expect, the outbound NACL rules follow an almost identical format as the inbound rules. Each rule contains the following elements:

  • Rule number
  • Protocol
  • Port range
  • Destination
  • Action

Each default NACL comes with the outbound rules listed in Table 4.6. Notice that the rules are identical to the default inbound rules except for the Destination element. In most cases you will need these rules whether you use the default NACL or a custom one. Because a NACL is stateless, it won’t automatically allow return traffic. Therefore, if you permit HTTPS traffic with an inbound rule, you must also explicitly permit the return traffic using an outbound rule. In this case, rule 100 permits the return traffic. If you do need to restrict access from the subnet—to block Internet access, for example—you will need to create an outbound rule to allow return traffic over ephemeral ports. Ephemeral ports are reserved TCP or UDP ports that clients listen for reply traffic on. As an example, when a client sends an HTTPS request to your instance over TCP port 80, that client may listen for a reply on TCP port 36034. Your NACL’s outbound rules must allow traffic to egress the subnet on TCP port 36034. The range of ephemeral ports varies by client operating system. Many modern operating systems use ephemeral ports in the range of 49152–65535, but don’t assume that allowing only this range will be sufficient. The range for TCP ports may differ from the range for UDP, and older or customized operating systems may use a different range altogether. To maintain compatibility, do not restrict outbound traffic using a NACL. Use a security group instead. If your VPC includes an IPv6 CIDR, AWS will automatically add inbound and outbound rules to permit IPv6 traffic.
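The NACL behaviour described in this section, as an added example that is not part of the original article: rules are evaluated in ascending order, the first match wins, the implicit `*` rule denies everything else, and because the evaluation is stateless a restrictive outbound list silently drops replies unless ephemeral ports are allowed. The rule numbers other than 100 are my own choices; the client address 198.51.100.10 and reply port 36034 are the article’s examples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are processed in ascending order; the '*' rule is implicit
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR (inbound rules) or destination CIDR (outbound rules)
    action: str      # "allow" or "deny"


def evaluate(rules, protocol, port, address):
    """Return 'allow' or 'deny' for a single packet. The first matching rule wins;
    if nothing matches, the default '*' rule denies. The evaluation is stateless,
    so a reply packet is judged exactly like any other packet."""
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all":
            if rule.protocol != protocol:
                continue
            if not rule.port_from <= port <= rule.port_to:
                continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


ANY = "0.0.0.0/0"
# The default inbound rule 100 allows everything from anywhere.
DEFAULT_INBOUND = [NaclRule(100, "all", 0, 65535, ANY, "allow")]
# The article's example of blocking only HTTP: a deny rule numbered below 100
# (90 is a constructed choice) so that it is processed before rule 100.
BLOCK_HTTP_INBOUND = [NaclRule(90, "tcp", 80, 80, ANY, "deny")] + DEFAULT_INBOUND
# A constructed restrictive outbound list that only lets HTTPS requests leave...
RESTRICTED_OUTBOUND = [NaclRule(100, "tcp", 443, 443, ANY, "allow")]
# ...and the same list with a rule for replies on ephemeral ports. The range is
# deliberately wide (1024-65535) because the client's range varies by OS.
RESTRICTED_OUTBOUND_FIXED = RESTRICTED_OUTBOUND + [
    NaclRule(110, "tcp", 1024, 65535, ANY, "allow")]


def https_exchange(inbound, outbound, client_ip="198.51.100.10", client_port=36034):
    """Check both halves of one HTTPS request/reply between an Internet client and
    an instance in the subnet. Returns (verdict for the request entering the
    subnet, verdict for the reply leaving it)."""
    request = evaluate(inbound, "tcp", 443, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request, reply
```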

Read More : https://www.info-savvy.com/vpc-network-access-control-lists/


AWS

Overview of an Amazon Virtual Private Cloud

Amazon Virtual Private Cloud (VPC) provides the networking layer of EC2. A VPC is a virtual network that can contain EC2 instances as well as network resources for other AWS services. By default, every VPC is isolated from all other networks. You can, however, connect your VPC to other networks, including the Internet and other VPCs. In addition to EC2, VPCs are foundational to many AWS services, so understanding how they work is fundamental to your success on the exam and as an AWS architect. Don’t assume you can ignore VPCs just because you’re not using EC2. A VPC can exist only within an AWS region. When you create a VPC in a region, it won’t show up in any other regions. You can have multiple VPCs in your account and create multiple VPCs in a single region. To keep things simple, I’ll start by assuming only one VPC in one region. Later, I’ll cover considerations for multiple VPCs. If you’re familiar with the components of a traditional network, you’ll find many VPC components to be familiar. But although VPCs function like a traditional TCP/IP network, they are scalable, allowing you to expand and extend your network without having to add physical hardware. To make this scalability possible, some components that you’d find in a traditional network—such as routers, switches, and VLANs—don’t exist in VPCs. Instead, they’re abstracted into software functions and called by different names.


VPC CIDR Blocks

Like a traditional network, a VPC consists of at least one range of contiguous IP addresses. This address range is represented as a Classless Inter-Domain Routing (CIDR) block. The CIDR block determines which IP addresses may be assigned to instances and other resources within the VPC. You must assign a primary CIDR block when creating a VPC. There are different ways to represent a range of IP addresses. The shortest way is by CIDR notation, sometimes called slash notation. For example, the CIDR 172.16.0.0/16 includes all addresses from 172.16.0.0 to 172.16.255.255—a total of 65,536 addresses! You may also hear the CIDR block referred to as an IP prefix. The /16 portion of the CIDR is the prefix length. The prefix length of a VPC CIDR can range from /16 to /28. There’s an inverse relationship between the prefix length and the number of IP addresses in the CIDR. The smaller the prefix length, the greater the number of IP addresses in the CIDR. A /28 prefix length gives you only 16 addresses. The acronym IP refers to Internet Protocol version 4 or IPv4. Valid IPv4 prefix lengths range from /0 to /32. Although you can specify any valid IP range for your VPC CIDR, it’s best to use one of the RFC 1918 ranges to avoid conflicts with public Internet addresses:

  • 10.0.0.0–10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0–172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0–192.168.255.255 (192.168.0.0/16)  

If you plan on connecting your VPC to another network—whether an on-premises network or another VPC—be sure the VPC CIDR you choose doesn’t overlap with addresses already in use on the other network. You can’t change the primary CIDR block, so think carefully about your address requirements before creating a VPC.

Secondary CIDR Blocks

You may optionally specify secondary CIDR blocks for a VPC after you’ve created it. These blocks must come from either the same address range as the primary or a publicly routable range, but they must not overlap with the primary or other secondary blocks. For example, if the VPC’s primary CIDR is 172.16.0.0/16, you may specify a secondary CIDR of 172.17.0.0/16. But you may not specify 192.168.0.0/16. If you think you might ever need a secondary CIDR, be careful about your choice of primary CIDR. If you choose 192.168.0.0/16 as your primary CIDR, you won’t be able to create a secondary CIDR using any of the RFC 1918 ranges.

IPv6 CIDR Blocks

You may let AWS assign an IPv6 CIDR to your VPC. Unlike the primary CIDR, which is an IP prefix of your choice, you can’t choose your own IPv6 CIDR. Instead, AWS assigns one to your VPC at your request. The IPv6 CIDR will be a publicly routable prefix from the global unicast IPv6 address space. For example, AWS may assign you the CIDR 2600:1f18:2551:8900::/56. Note that the prefix length of an IPv6 VPC CIDR is always /56. Complete Exercise 4.1 to create your own VPC.

Subnets

A subnet is a logical container within a VPC that holds your EC2 instances. A subnet lets you isolate instances from each other, control how traffic flows to and from your instances, and lets you organize them by function. For example, you can create one subnet for public web servers that need to be accessible from the Internet and create another subnet for database servers that only the web instances can access. In concept, subnets are similar to virtual LANs (VLANs) in a traditional network. Every instance must exist within a subnet. You’ll often hear the phrase “launch an instance into a subnet.” Once you create an instance in a subnet, you can’t move it. You can, however, terminate it and create a different instance in another subnet. By extension, this also means you can’t move an instance from one VPC to another.


Subnet CIDR Blocks

Each subnet has its own CIDR block that must be a subset of the VPC CIDR that it resides in. For example, if your VPC has a CIDR of 172.16.0.0/16, one of your subnets may have a CIDR of 172.16.100.0/24. This range covers 172.16.100.0–172.16.100.255, which yields a total of 256 addresses. AWS reserves the first four and last IP addresses in every subnet. You can’t assign these addresses to any instances. Assuming a subnet CIDR of 172.16.100.0/24, the following addresses would be reserved:

  •  172.16.100.0–172.16.100.3
  •  172.16.100.255

The restrictions on prefix lengths for a subnet CIDR are the same as VPC CIDRs. Subnet CIDR blocks in a single VPC can’t overlap with each other. Also, once you assign a CIDR to a subnet, you can’t change it. It’s possible for a subnet and VPC to share the same CIDR. This is uncommon and won’t leave you room for additional subnets. More commonly, each subnet’s prefix length will be longer than the VPC’s to allow for multiple subnets to exist in the same VPC. A subnet can’t have multiple CIDRs. Unlike a VPC that can have secondary CIDRs, a subnet can have only one. However, if a VPC has a primary CIDR and a secondary CIDR, your subnet’s CIDR can be derived from either. For example, if your VPC has the primary CIDR of 172.16.0.0/16 and a secondary CIDR of 172.17.0.0/16, a subnet in that VPC could be 172.17.12.0/24, as it’s derived from the secondary VPC CIDR.
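The VPC, secondary and subnet CIDR constraints from the preceding sections, as an added example that is not part of the original article: it checks a proposed address plan against the /16–/28 limit, the RFC 1918 recommendation, the secondary-CIDR range rule, subnet containment and overlap, and the five addresses AWS reserves per subnet. The CIDRs used are the article’s own examples; the function names are my own.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_range(net):
    """The RFC 1918 range a network falls in, or None if it is publicly routable."""
    return next((r for r in RFC1918 if net.subnet_of(r)), None)


def check_vpc_cidr(cidr):
    """Problems with a proposed primary VPC CIDR; an empty list means it is acceptable."""
    net = ipaddress.ip_network(cidr)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append("prefix length must be between /16 and /28")
    if private_range(net) is None:
        problems.append("not an RFC 1918 range; may conflict with public Internet addresses")
    return problems


def secondary_cidr_allowed(primary, secondaries, candidate):
    """A secondary CIDR must not overlap existing blocks and must come from the
    primary's RFC 1918 range or from a publicly routable range."""
    cand = ipaddress.ip_network(candidate)
    if not 16 <= cand.prefixlen <= 28:
        return False
    if any(cand.overlaps(ipaddress.ip_network(c)) for c in [primary, *secondaries]):
        return False
    cand_range = private_range(cand)
    return cand_range is None or cand_range == private_range(ipaddress.ip_network(primary))


def subnet_cidr_allowed(vpc_cidrs, existing_subnets, candidate):
    """A subnet CIDR must sit inside one of the VPC's CIDRs (primary or secondary)
    and must not overlap any other subnet in the VPC."""
    cand = ipaddress.ip_network(candidate)
    if not 16 <= cand.prefixlen <= 28:
        return False
    if not any(cand.subnet_of(ipaddress.ip_network(v)) for v in vpc_cidrs):
        return False
    return not any(cand.overlaps(ipaddress.ip_network(s)) for s in existing_subnets)


def reserved_addresses(subnet_cidr):
    """AWS reserves the first four and the last address of every subnet."""
    net = ipaddress.ip_network(subnet_cidr)
    first_four = [str(net.network_address + i) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_addresses(subnet_cidr):
    """Addresses left for instances after the five reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5
```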

Read More : https://www.info-savvy.com/overview-of-an-amazon-virtual-private-cloud/


AWS

Introduction to VPC Elastic Network Interfaces

An elastic network interface (ENI) allows an instance to communicate with other network resources including AWS services, other instances, on-premises servers, and the Internet. It also makes it possible for you to connect to the operating system running on your instance to manage it. As the name suggests, an ENI performs the same basic function as a network interface on a physical server, although ENIs have more restrictions on how you can configure them. Every instance must have a primary network interface (also known as the primary ENI), which is connected to only one subnet. This is the reason you have to specify a subnet when launching an instance. You can’t remove the primary ENI from an instance.


Primary and Secondary Private IP Addresses

Each instance must have a primary private IP address from the range specified by the subnet CIDR. The primary private IP address is bound to the primary ENI of the instance. You can’t change or remove this address, but you can assign secondary private IP addresses to the primary ENI. Any secondary addresses must come from the same subnet that the ENI is attached to. It’s possible to attach additional ENIs to an instance. Those ENIs may be in a different subnet, but they must be in the same availability zone as the instance. As always, any addresses associated with the ENI must come from the subnet to which it is attached.

Attaching Elastic Network Interfaces

An ENI can exist independently of an instance. You can create an ENI first and then attach it to an instance later. For example, you can create an ENI in one subnet and then attach it to an instance as the primary ENI when you launch the instance. If you disable the Delete on Termination attribute of the ENI, you can terminate the instance without deleting the ENI. You can then associate the ENI with another instance. You can also take an existing ENI and attach it to an existing instance as a secondary ENI. This lets you redirect traffic from a failed instance to a working instance by detaching the ENI from the failed instance and reattaching it to the working instance. Complete Exercise 4.3 to practice creating an ENI and attaching it to an instance.

Internet Gateways

An Internet gateway gives instances the ability to receive a public IP address, connect to the Internet, and receive requests from the Internet. When you create a VPC, it does not have an Internet gateway associated with it. You must create an Internet gateway and associate it with a VPC manually. You can associate only one Internet gateway with a VPC. But you may create multiple Internet gateways and associate each one with a different VPC. An Internet gateway is somewhat analogous to an Internet router an Internet service provider may install on-premises. But in AWS, an Internet gateway doesn’t behave exactly like a router. In a traditional network, you might configure your core router with a default gateway IP address pointing to the Internet router to give your servers access to the Internet. An Internet gateway, however, doesn’t have a management IP address or network interface. Instead, AWS identifies an Internet gateway by its resource ID, which begins with igw- followed by an alphanumeric string. To use an Internet gateway, you must create a default route in a route table that points to the Internet gateway as a target.

Route Tables

Configurable virtual routers do not exist as VPC resources. Instead, the VPC infrastructure implements IP routing as a software function and AWS calls this function an implied router (also sometimes called an implicit router). This means there’s no virtual router on which to configure interface IP addresses or dynamic routing protocols. Rather, you only have to manage the route table which the implied router uses. Each route table consists of one or more routes and at least one subnet association. Think of a route table as being connected to multiple subnets in much the same way a traditional router would be. When you create a VPC, AWS automatically creates a default route table called the main route table and associates it with every subnet in that VPC. You can use the main route table or create a custom one that you can manually associate with one or more subnets. If you do not explicitly associate a subnet with a route table you’ve created, AWS will implicitly associate it with the main route table. A subnet cannot exist without a route table association.

Routes

Routes determine how to forward traffic from instances within the subnets associated with the route table. IP routing is destination-based, meaning that routing decisions are based only on the destination IP address, not the source. When you create a route, you must provide the following elements:

  • Destination
  • Target

The destination must be an IP prefix in CIDR notation. The target must be an AWS network resource such as an Internet gateway or an ENI. It cannot be a CIDR. Every route table contains a local route that allows instances in different subnets to communicate with each other. Table 4.2 shows what this route would look like in a VPC with the CIDR 172.31.0.0/16.

The Default Route

The local route is the only mandatory route that exists in every route table. It’s what allows communication between instances in the same VPC. Because there are no routes for any other IP prefixes, any traffic destined for an address outside of the VPC CIDR range will get dropped. To enable Internet access for your instances, you must create a default route pointing to the Internet gateway. After adding a default route, you would end up with this:

The 0.0.0.0/0 prefix encompasses all IP addresses, including those of hosts on the Internet. This is why it’s always listed as the destination in a default route. Any subnet that is associated with a route table containing a default route pointing to an Internet gateway is called a public subnet. Contrast this with a private subnet that does not have a default route. Notice that the 0.0.0.0/0 and 172.31.0.0/16 prefixes overlap. When deciding where to route traffic, the implied router will route based on the closest match. Suppose an instance sends a packet to the Internet address 198.51.100.50. Because 198.51.100.50 does not match the 172.31.0.0/16 prefix but does match the 0.0.0.0/0 prefix, the implied router will use the default route and send the packet to the Internet gateway. AWS documentation speaks of one implied router per VPC. It’s important to understand that the implied router doesn’t actually exist as a discrete resource. It’s an abstraction of an IP routing function. Nevertheless, you may find it helpful to think of each route table as a separate implied router. Follow the steps in Exercise 4.4 to create an Internet gateway and a default route.
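The implied router’s closest-match behaviour, as an added example that is not part of the original article: the local route and the 0.0.0.0/0 default route overlap, and the longer prefix wins. It also reproduces the Table 4.8 pattern from the NAT section, where a private subnet’s default route points at a NAT device instead of the Internet gateway. The VPC CIDR 172.31.0.0/16 and host 198.51.100.50 are the article’s; the resource IDs `igw-EXAMPLE` and `nat-EXAMPLE` are placeholders, not real AWS IDs.

```python
import ipaddress


def lookup(route_table, destination_ip):
    """Implied-router behaviour: among routes whose destination prefix contains
    the address, choose the closest (longest-prefix) match. None means the
    packet is dropped because no route matches."""
    addr = ipaddress.ip_address(destination_ip)
    best_net, best_target = None, None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table):
    """A subnet is public when its route table has a default route whose target
    is an Internet gateway (IDs begin with igw-)."""
    return any(prefix == "0.0.0.0/0" and target.startswith("igw-")
               for prefix, target in route_table)


VPC_CIDR = "172.31.0.0/16"                 # the VPC CIDR from Table 4.2
LOCAL_ROUTE = (VPC_CIDR, "local")          # mandatory in every route table
# Main route table with no default route: Internet-bound traffic is dropped.
MAIN_RT = [LOCAL_ROUTE]
# Table 4.8 pattern: the public subnet sends Internet-bound traffic to the
# Internet gateway, the private subnet sends it to the NAT device.
PUBLIC_RT = [LOCAL_ROUTE, ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [LOCAL_ROUTE, ("0.0.0.0/0", "nat-EXAMPLE")]
```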

Security Groups

A security group functions as a firewall that controls traffic to and from an instance by permitting traffic to ingress or egress that instance’s ENI. Every ENI must have at least one security group associated with it. One ENI can have multiple security groups attached, and the same security group can be attached to multiple ENIs. In practice, because most instances have only one ENI, people often think of a security group as being attached to an instance. When an instance has multiple ENIs, take care to note whether those ENIs use different security groups. When you create a security group, you must specify a group name, description, and VPC for the group to reside in. Once you create the group, you specify inbound and outbound rules to allow traffic through the security group.


Inbound Rules

Inbound rules specify what traffic is allowed into the attached ENI. An inbound rule consists of three required elements:

  • Source
  • Protocol
  • Port range

When you create a security group, it doesn’t contain any inbound rules. Security groups use a default-deny approach, also called whitelisting, which denies all traffic that is not explicitly allowed by a rule. When you create a new security group and attach it to an instance, all inbound traffic to that instance will be blocked. You must create inbound rules to allow traffic to your instance. For this reason, the order of rules in a security group doesn’t matter. Suppose you have an instance running an HTTPS-based web application. You want to allow anyone on the Internet to connect to this instance, so you’d need an inbound rule to allow all TCP traffic coming in on port 443 (the default port and protocol for HTTPS). To manage this instance using SSH, you’d need another inbound rule for TCP port 22. However, you don’t want to allow SSH access from just anyone. You need to allow SSH access only from the IP address 198.51.100.10. To achieve this, you would use a security group containing the inbound rules listed in Table 4.3.

The prefix 0.0.0.0/0 covers all valid IP addresses, so using the preceding rule would allow HTTPS access not only from the Internet but from all instances in the VPC as well.
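The security group semantics described above, as an added example that is not part of the original article: allow-only rules whose order does not matter, default deny for everything else, and connection tracking so that replies to a permitted inbound connection leave without an outbound rule (the contrast with the stateless NACL earlier on the page). The rules are the Table 4.3 ones as the text describes them; the client addresses 203.0.113.7 and 172.31.5.5 and the port numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRule:
    source: str       # CIDR the traffic may come from
    protocol: str
    port_from: int
    port_to: int


# Table 4.3 as described: HTTPS from anywhere, SSH only from 198.51.100.10.
TABLE_4_3 = (
    InboundRule("0.0.0.0/0", "tcp", 443, 443),
    InboundRule("198.51.100.10/32", "tcp", 22, 22),
)


class SecurityGroup:
    """Allow-only, order-independent and stateful: any matching rule permits the
    packet, nothing else is permitted, and replies to a permitted inbound
    connection are allowed out regardless of outbound rules."""

    def __init__(self, inbound_rules):
        self.inbound = tuple(inbound_rules)
        self.connections = set()   # (remote_ip, remote_port, local_port, protocol)

    def allow_inbound(self, src_ip, src_port, dst_port, protocol="tcp"):
        addr = ipaddress.ip_address(src_ip)
        for rule in self.inbound:  # first match or last match: the verdict is the same
            if (rule.protocol == protocol
                    and rule.port_from <= dst_port <= rule.port_to
                    and addr in ipaddress.ip_network(rule.source)):
                self.connections.add((src_ip, src_port, dst_port, protocol))
                return True
        return False               # default deny: no rule matched

    def allow_outbound_reply(self, dst_ip, dst_port, src_port, protocol="tcp"):
        # Connection tracking: the reply is allowed only if it belongs to a
        # connection that an inbound rule already admitted.
        return (dst_ip, dst_port, src_port, protocol) in self.connections


def verdicts(rules, probes):
    """Inbound verdicts for a list of (src_ip, src_port, dst_port) probes against a
    fresh group built from `rules`; used to show that rule order is irrelevant."""
    group = SecurityGroup(rules)
    return [group.allow_inbound(*probe) for probe in probes]
```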

Read More : https://www.info-savvy.com/introduction-to-vpc-elastic-network-interfaces/


AWS

Services Related Elastic Compute Cloud (EC2)

In this article you will learn about different EC2-related services such as AWS Systems Manager, placement groups, AWS Elastic Beanstalk, Amazon Elastic Container Service and AWS Fargate.

EC2-Related Services

This section will briefly introduce you to a few more EC2 features. Some of these features won’t necessarily play a large role in the solutions architect exam but could definitely come in handy for you in your work at some point. Others are only touched on here but will be examined in greater detail later in the book.


AWS Systems Manager

Systems Manager Services (available through the AWS console) is a collection of tools for monitoring and managing the resources you have running in the AWS cloud and in your own on-premises infrastructure. Through the Systems Manager portal, you can organize your AWS resources into resource groups, mine various visualization tools for insights into the health and behaviour of your operations, directly execute commands or launch tasks remotely without having to log on, automate patching and other lifecycle events, and manage service parameters and access secrets.

Placement Groups

Placement groups are useful for multiple EC2 instances that require especially low-latency network interconnectivity. There are two placement group strategies.

  • Cluster groups launch each associated instance within a single availability zone within close physical proximity to each other.
  • Spread groups separate instances physically across hardware to reduce the risk of failure-related data or service loss.

AWS Elastic Beanstalk

Elastic Beanstalk lets you upload your application code and define a few parameters, and AWS will configure, launch, and maintain all the infrastructure necessary to keep it running. That might include EC2 load-balanced and auto scaled instances, RDS database instances, and all the network plumbing you would otherwise have had to build yourself. Compatible languages and platforms include .NET, Java, Node.js, Python, and Docker. Elastic Beanstalk adds no charges beyond the cost of the running infrastructure itself.


Amazon Elastic Container Service and AWS Fargate

Running Docker container-based applications at scale is the kind of thing that’s a natural fit for a cloud platform like AWS. Once upon a time, if you wanted to get that done, you’d have to fire up one or more robust EC2 instances and then manually provision them as your Docker hosts. With Amazon Elastic Container Service (ECS), however, AWS lets you launch a prebuilt Docker host instance and define the way you want your Docker containers to behave (called a task), and ECS will make it all happen. The containers will exist within an infrastructure that’s automated and fully integrated with your AWS resources. The more recently released Fargate tool further abstracts the ECS configuration process, removing the need for you to run and configure instances for your containers. With Fargate, all you do is package your application and set your environment requirements.

AWS Lambda

“Serverless” applications are powered by programming code that’s run on servers—just not servers under the control of the application owners. Instead, code can be configured to run when AWS’s Lambda servers are triggered by preset events. Lambda allows you to instantly perform almost any operation on demand at almost any time but without having to provision and pay for always-on servers.

VM Import/Export

VM Import/Export allows you to easily move virtual machine images back and forth between your on-premises VMware environment and your AWS account (via an S3 bucket). This can make it much simpler to manage hybrid environments and to efficiently migrate workloads up to the AWS cloud.

Read More : https://www.info-savvy.com/services-related-elastic-compute-cloud-ec2/