Security
ESS CompTIA Security+ Mentoring Program
Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Firewalls
Routers
Switches
Load Balancers
Proxies
Web security gateways
VPN concentrators
NIDS and NIPS (behavior based, signature based, anomaly based, heuristic)
Protocol analyzers
Sniffers
Spam filter, all-in-one security appliances
Web application firewall vs. network firewall
URL filtering
Content inspection
Firewalls
Are one of the first lines of defense in a network. There are different
types of firewalls, and they can be either stand-alone systems or
included in other devices such as routers or servers. You can find
firewall solutions that are marketed as hardware only and others that
are software only. Many firewalls, however, consist of add-in software
that is available for servers or workstations.
Switches
Routers
The primary instrument used for connectivity between two or more
networks is the router. Routers work by providing a path between the
networks. A router has two connections that are used to join the
networks. Each connection has its own address and appears as a valid
address in its respective network.
Load Balancer
Load balancing refers to shifting a load from one device to another.
Most often the device in question is a server, but the term could be
used for a hard drive, a CPU, or almost any device that you want to
avoid overloading. Using a server as the device in question, balancing
the load between multiple servers instead of relying on only one
reduces the response time, maximizes throughput, and allows better
allocation of resources.
Proxies
In computer networks, a proxy server is a server (a computer
system or an application) that acts as an intermediary for
requests from clients seeking resources from other servers. A
client connects to the proxy server, requesting some service,
such as a file, connection, web page, or other resource
available from a different server and the proxy server
evaluates the request as a way to simplify and control its
complexity.
Proxy Types
A proxy server that passes requests and responses unmodified is
usually called a gateway or sometimes a tunneling proxy.
A forward proxy is an Internet-facing proxy used to retrieve resources
from a wide range of sources (in most cases anywhere on the Internet).
A reverse proxy is usually an Internet-facing proxy used as a front-end
to control and protect access to a server on a private network,
commonly also performing tasks such as load balancing, authentication,
decryption or caching.
VPN concentrator
A VPN concentrator is a hardware device used to create remote
access VPNs. The concentrator creates encrypted tunnel sessions
between hosts, and many use two-factor authentication for additional
security. Cisco models often incorporate Scalable Encryption
Processing (SEP) modules to allow for hardware-based encryption
and/or redundancy.
NIDS & NIPS
NIDS (Network Intrusion Detection Systems)
A NIDS attaches to a point in the network where it can monitor and
report on all network traffic. It is configured to detect attacks within
the network, but it only reports on the activity.
NIPS (Network Intrusion Prevention Systems)
These systems focus on signature matches and then take a course of
action. For example, if it appears as if an attack might be under way,
packets can be dropped, ignored, and so forth. In order to be able to
do this, the NIPS must be able to detect the attack occurring, and thus
it can be argued that NIPS is a subset of NIDS.
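Added example, not part of the original deck: a small Python model of the NIDS/NIPS distinction above. The signature set, the request-rate baseline and the sample packets are all constructed for the demonstration (they are not a real ruleset or real traffic). Detection runs identically in both modes, which is the sense in which NIPS is a subset of NIDS; only the action on a match differs.

```python
import re
from collections import Counter, defaultdict

# Toy signature set, constructed for this example (not a real IDS ruleset).
SIGNATURES = [
    ("sqli-probe", re.compile(r"(?i)union\s+select|'\s*or\s+'?1'?\s*=\s*'?1")),
    ("path-traversal", re.compile(r"\.\./\.\./")),
]

# Anomaly baseline: more than this many requests from one source in the
# sample counts as abnormal. The figure is arbitrary for the demonstration.
RATE_BASELINE = 5


def inspect(packet, mode, per_source):
    """Inspect one packet (a dict with 'src' and 'payload').

    mode is 'nids' (detect and report only) or 'nips' (detect, report and drop).
    per_source keeps the running request count per source address.
    Returns (verdict, list_of_alerts).
    """
    alerts = [f"signature:{name}" for name, pat in SIGNATURES
              if pat.search(packet["payload"])]

    # Anomaly-based check: request rate per source against the baseline.
    per_source[packet["src"]] += 1
    if per_source[packet["src"]] > RATE_BASELINE:
        alerts.append("anomaly:request-rate")

    # Same detection in both modes; only the action taken differs.
    verdict = "dropped" if (alerts and mode == "nips") else "forwarded"
    return verdict, alerts


def run(packets, mode):
    """Run every packet through inspect() and tally verdicts and alerts."""
    per_source = defaultdict(int)
    summary = Counter()
    for pkt in packets:
        verdict, alerts = inspect(pkt, mode, per_source)
        summary[verdict] += 1
        for alert in alerts:
            summary[alert] += 1
    return summary


# Constructed sample traffic: two clean requests, two matching a signature,
# and one source that exceeds the rate baseline.
SAMPLE = (
    [{"src": "203.0.113.7", "payload": "GET /index.html HTTP/1.1"}] * 2
    + [{"src": "198.51.100.9", "payload": "GET /search?q=' OR 1=1 -- HTTP/1.1"}]
    + [{"src": "198.51.100.9", "payload": "GET /static/../../config.ini HTTP/1.1"}]
    + [{"src": "192.0.2.44", "payload": "GET /login HTTP/1.1"}] * 8
)

if __name__ == "__main__":
    print("NIDS:", dict(run(SAMPLE, "nids")))
    print("NIPS:", dict(run(SAMPLE, "nips")))
```

Running the same sample in both modes shows the trade-off the slide implies: the NIDS forwards everything and raises alerts, while the NIPS drops every packet that raised an alert, including the three rate-anomaly hits from the busy source, so a poor baseline in NIPS mode blocks legitimate traffic rather than just producing noisy alerts.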
Spam Filters
Spam filters can be added to catch unwanted email and filter it out
before it gets delivered internally. The filtering is done based on rules
that are established (block email coming from certain IP addresses,
email that contains particular words in the subject line, and the like).
While spam filters are usually used to scan incoming messages, they
can also be used to scan outgoing as well and thus act as a quick
identifier of internal PCs that may have contracted a virus.
URL Filtering
URL filtering involves blocking websites (or sections of websites)
based solely on the URL; restricting access to specified websites and
certain web-based applications. This is in contrast to content filters,
which block data based on its content rather than where it is coming
from. Within Internet Explorer, the Phishing Filter included with IE7
acted as a URL filter. The Phishing Filter was replaced with the
SmartScreen Filter with IE8 and subsequent releases.
Content Inspection
Instead of relying on a website to be previously identified as
questionable, as URL filtering does, content inspection works
by looking at the data coming in. Within the most recent
versions of Internet Explorer, content filtering can be
configured using Content Advisor.
Malware Inspection
It is important to stop malware before it ever gets hold of a
system. While tools that identify malware when they find it on
a system are useful, real-time tools that stop it from ever
making it to the system are better.
Rule-based management
Firewall rules
VLAN management
Secure router configuration
Access control lists
Port Security
802.1x
Flood guards
Loop protection
Implicit deny
Prevent network bridging by network
separation
Log analysis
Rule-based management
Rule-based management, also known as label-based management,
defines conditions for access to objects. The access is granted to the
object based on both the object's sensitivity label and the user's
sensitivity label. Most software packages that allow you to implement
rule-based management divide correlation rules into two categories,
system rules and custom rules, with the former being predefined
out-of-the-box settings.
With all rules, an action must be defined. That action is triggered
when conditions are or aren't met.
Firewall Rules
Firewall rules act like ACLs and are used to dictate what traffic can
pass between the firewall and the internal network. Three possible
actions can be taken based on the rule's criteria:
Block the connection.
Allow the connection.
Allow the connection only if it is secured.
The rules can be applied to inbound traffic or outbound traffic and any
type of network (LAN, wireless, VPN, remote access). On a regular
basis, you should audit the firewall rules, verify that you are
obtaining the results you wish, and make any modifications needed.
VLAN management
A virtual local area network (VLAN) allows you to create
groups of users and systems and segment them on the
network. This segmentation lets you hide segments of the
network from other segments and thereby control access. You
can also set up VLANs to control the paths that data takes to
get from one point to another. A VLAN is a good way to
contain network traffic to a certain area in a network.
Think of a VLAN as a network of hosts that act as if they're
connected by a physical wire even though there is no such
wire between them.
Port Security
Works at layer 2 of the OSI model and allows an administrator to
configure switch ports so that only certain MAC addresses can use the
port. This is a common feature on both Cisco's Catalyst and Juniper's
EX Series switches, and it is essentially what differentiates so-called
dumb switches from managed switches.
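Added example, not part of the original deck and not vendor code: a Python model of a port-security-enabled switch port. It assumes the behaviour managed switches commonly offer for this feature: a maximum number of MAC addresses per port, a static allow list plus sticky learning of the first addresses seen, and a violation mode that either shuts the port down until an administrator resets it or keeps the port up and drops only the offending frames. The MAC addresses are constructed sample values.

```python
class SecurePort:
    """A switch port with port security enabled (model for illustration).

    violation: "shutdown" puts the port into err-disabled state on the first
    violation (everything is dropped until reset()); "restrict" keeps the
    port up, drops the offending frame and counts the violation.
    """

    def __init__(self, max_macs=1, violation="shutdown", static=()):
        if violation not in ("shutdown", "restrict"):
            raise ValueError("violation must be 'shutdown' or 'restrict'")
        self.max_macs = max_macs
        self.violation = violation
        self.static = {m.lower() for m in static}   # configured by the admin
        self.learned = set()                         # sticky-learned addresses
        self.err_disabled = False
        self.violations = 0

    @property
    def allowed(self):
        return self.static | self.learned

    def ingress(self, src_mac):
        """Process one frame arriving on the port; return what happened to it."""
        mac = src_mac.lower()                       # MACs compare case-insensitively
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.allowed:
            return "forwarded"
        # Sticky learning: accept new addresses until the limit is reached.
        if len(self.allowed) < self.max_macs:
            self.learned.add(mac)
            return "forwarded (learned)"
        # Limit reached and the address is unknown: this is a violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            return "dropped (port shut down)"
        return "dropped (violation)"

    def reset(self):
        """Administrative recovery of an err-disabled port; learned MACs are kept."""
        self.err_disabled = False

    def status(self):
        return {
            "err_disabled": self.err_disabled,
            "violations": self.violations,
            "allowed": sorted(self.allowed),
        }


if __name__ == "__main__":
    port = SecurePort(max_macs=1)                  # typical single-host access port
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:01"):
        print(mac, "->", port.ingress(mac))
    print(port.status())
```

The shutdown mode is the one that produces a visible operational signal (a port going err-disabled is something monitoring should alert on), whereas restrict mode is quieter and relies on the violation counter being collected.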
802.1X
The IEEE standard 802.1X defines port-based security for wireless
network access control. As such, it offers a means of authentication
and defines the Extensible Authentication Protocol (EAP) over IEEE
802, discussed in Chapter 12, and is often known as EAP over LAN
(EAPOL). The biggest benefit of using 802.1X is that the access points
and the switches do not need to do the authentication but instead rely
on the authentication server to do the actual work.
A flood guard
Loop protection
Loop protection is a similar feature that works in layer 2 switching
configurations and is intended to prevent broadcast loops. When
configuring it in most systems, you can choose to disable broadcast
forwarding and protect against duplicate ARP requests (those having
the same target protocol address). The Spanning Tree Protocol (STP) is
intended to ensure loop-free bridged Ethernet LANs. It operates at the
data link layer and makes sure there is only one active path between
two stations.
Implicit Deny
Within ACLs, there exists a condition known as implicit deny. An
implicit deny clause is implied at the end of each ACL and it means
that if the proviso in question has not been explicitly granted, then it
is denied.
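Added example, not part of the original deck: a Python first-match ACL evaluator that ties together the Firewall Rules slide (block, allow, or allow only if secured; inbound or outbound) and the implicit deny described here. The rule set, addresses and the `secured` flag on a packet (standing in for "the connection is protected, e.g. by IPsec") are constructed for the demonstration. It also includes the kind of check the firewall-rules slide asks you to perform in a regular audit: finding rules that can never match because an earlier rule already covers everything they would match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str              # "inbound" or "outbound"
    protocol: str               # "tcp", "udp", "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None
    secured: bool = False       # True when the connection is protected (assumed flag)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow", "block" or "allow_if_secured"
    direction: str = "any"
    protocol: str = "any"
    src: str = "0.0.0.0/0"      # CIDR networks; /32 for a single host
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and self.protocol in ("any", pkt.protocol)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides; returns (verdict, index of that rule).

    If no rule matches, the implicit deny at the end of the ACL applies and
    the index is None so an audit can tell explicit blocks from implicit ones.
    """
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            if rule.action == "allow_if_secured":
                return ("allow" if pkt.secured else "block"), i
            return rule.action, i
    return "block", None            # implicit deny


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them."""
    shadowed = []
    for i, r in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.direction in ("any", r.direction)
                    and earlier.protocol in ("any", r.protocol)
                    and (earlier.dst_port is None or earlier.dst_port == r.dst_port)
                    and ipaddress.ip_network(r.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(r.dst).subnet_of(ipaddress.ip_network(earlier.dst))):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample ACL (documentation-range addresses).
ACL = [
    Rule("allow", "inbound", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),           # public web
    Rule("allow_if_secured", "inbound", "tcp", "198.51.100.0/24", "203.0.113.20/32", 3389),
    Rule("block", "inbound", "any", "192.0.2.0/24"),                                 # blocked source
    Rule("allow", "outbound"),
]

if __name__ == "__main__":
    for pkt in (
        Packet("inbound", "tcp", "198.51.100.7", "203.0.113.10", 443),
        Packet("inbound", "tcp", "198.51.100.7", "203.0.113.20", 3389),
        Packet("inbound", "tcp", "198.51.100.7", "203.0.113.20", 3389, secured=True),
        Packet("inbound", "udp", "8.8.8.8", "203.0.113.10", 53),
    ):
        print(pkt, "->", evaluate(ACL, pkt))
    print("shadowed rules:", shadowed_rules(ACL))
```

Two things worth noticing when you run it: the UDP packet to port 53 is blocked with index None, i.e. by the implicit deny rather than by any rule you wrote, and a host in 192.0.2.0/24 still reaches the web server on 443 because the permissive rule 0 sits above the block, which is exactly the ordering problem a rule audit is meant to catch.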
Log Analysis
Log analysis is crucial to identifying problems that occur
related to security. As an administrator, you have the ability
to turn on logging at many different locations and levels. The
next step, however, is the most important: what you do with
the log information collected. Far too many administrators
turn on logging and then fail to properly (if ever) analyze
what they collect because it is a lot of information and a lot of
work.
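Added example, not part of the original deck: a Python script that does the "what you do with the log information" step for one common case, repeated failed logons from a single source. The log lines are constructed sample data in a syslog-style sshd format; the threshold and window are arbitrary tuning values. The script parses the lines, counts failures per source inside a sliding time window, and flags any source that also logged a successful login after its failures, which is the case that deserves the quickest look.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One line is unrelated (cron) to
# show that the parser ignores what it does not understand.
LOG_LINES = """\
Mar 14 02:10:01 gw sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:10:03 gw sshd[4023]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar 14 02:10:05 gw sshd[4025]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 14 02:10:09 gw sshd[4027]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 14 02:10:14 gw sshd[4029]: Failed password for invalid user admin from 198.51.100.23 port 51026 ssh2
Mar 14 02:10:20 gw CRON[4030]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 14 02:10:40 gw sshd[4031]: Failed password for root from 198.51.100.23 port 51027 ssh2
Mar 14 02:11:00 gw sshd[4033]: Accepted password for bob from 198.51.100.23 port 51028 ssh2
Mar 14 02:15:10 gw sshd[4040]: Failed password for alice from 192.0.2.8 port 40211 ssh2
Mar 14 02:40:12 gw sshd[4052]: Failed password for alice from 192.0.2.8 port 40212 ssh2
Mar 14 03:01:55 gw sshd[4060]: Accepted password for alice from 10.0.0.5 port 33010 ssh2
""".splitlines()

PATTERN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(line, year=2012):
    """Turn one sshd auth line into a dict, or None for lines we do not handle.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    m = PATTERN.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_brute_force(lines, threshold=5, window=timedelta(minutes=2)):
    """Sources with >= threshold failed logins inside any `window`-long span."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        start, hit_at = 0, None
        for end in range(len(fails)):            # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit_at = fails[end]["ts"]
                break
        if hit_at is None:
            continue
        later_success = any(e["result"] == "Accepted" and e["ts"] >= hit_at for e in evs)
        alerts.append({
            "ip": ip,
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "success_after_failures": later_success,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(LOG_LINES):
        print(alert)
```

The second source in the sample (two failures 25 minutes apart) never trips the threshold, which is the point of windowing: a count over the whole file would treat a forgetful user and a password-guessing host the same way.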
Subnetting
VLAN
NAT
Remote Access
Telephony
NAC
Virtualization
Cloud Computing
Platform as a Service
Software as a Service
Infrastructure as a Service
DMZ
Is an area in a network that allows restrictive access to untrusted
users and isolates the internal network from access by external users
and systems. It does so by using routers and firewalls to limit access
to sensitive network resources.
Subnetting
A subnetwork, or subnet, is a logically visible subdivision of an IP
network. The practice of dividing a network into two or more
networks is called subnetting.
All computers that belong to a subnet are addressed with a common,
identical, most-significant bit-group in their IP address. This results in
the logical division of an IP address into two fields, a network or
routing prefix and the rest field or host identifier. The rest field is an
identifier for a specific host or network interface.
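Added example, not part of the original deck: Python that carries out the split described above with bit operations, so the "common most-significant bit-group" is visible as the AND of the address with the mask, and checks the result against the standard library's `ipaddress` module. The addresses are constructed sample values.

```python
import ipaddress


def split_address(ip: str, prefix_len: int) -> dict:
    """Split an IPv4 address into its routing prefix and host identifier.

    The mask is prefix_len one-bits followed by zero-bits. AND-ing the
    address with the mask keeps the most-significant bits every host on the
    subnet shares; AND-ing with the inverted mask keeps the host part.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    host_mask = ~mask & 0xFFFFFFFF
    network = addr & mask
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "mask": str(ipaddress.IPv4Address(mask)),
        "host_id": addr & host_mask,
        "broadcast": str(ipaddress.IPv4Address(network | host_mask)),
        # /31 and /32 have no network/broadcast pair to subtract.
        "usable_hosts": max(2 ** (32 - prefix_len) - 2, 0),
    }


def same_subnet(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """True when both addresses share the same most-significant prefix_len bits."""
    shift = 32 - prefix_len
    return (int(ipaddress.IPv4Address(ip_a)) >> shift) == (int(ipaddress.IPv4Address(ip_b)) >> shift)


def divide(network: str, new_prefix: int) -> list:
    """Subnetting proper: split one network into equal pieces of new_prefix length."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    info = split_address("192.168.10.77", 26)
    # Cross-check the hand-rolled arithmetic against the standard library.
    assert ipaddress.ip_interface("192.168.10.77/26").network == ipaddress.ip_network(
        f"{info['network']}/26")
    print(info)
    print(same_subnet("192.168.10.77", "192.168.10.130", 26))
    print(divide("10.0.0.0/24", 26))
```

Seeing the host identifier as a small integer (13 for 192.168.10.77/26) makes the security relevance of the mask concrete: two hosts that differ only in those low bits talk to each other through the switch without ever crossing the router, so whatever filtering lives on the router does not apply between them.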
VLAN Management
A virtual local area network (VLAN) allows you to create groups of
users and systems and segment them on the network. This
segmentation lets you hide segments of the network from other
segments and thereby control access. You can also set up VLANs to
control the paths that data takes to get from one point to another. A
VLAN is a good way to contain network traffic to a certain area in a
network.
NAT
Creates a unique opportunity to assist in the security of a network.
Originally, NAT extended the number of usable Internet addresses.
Now it allows an organization to present a single address to the
Internet for all computer connections. The NAT server provides IP
addresses to the hosts or systems in the network and tracks inbound
and outbound traffic.
Remote Access
Refers to any server service that offers the ability to connect remote
systems. The current Microsoft product for Windows-based clients is
called Routing and Remote Access Services (RRAS), but it was
previously known as Remote Access Services (RAS). Because of this,
you'll encounter the term RAS used interchangeably to describe both
the Microsoft product and the process of connecting to remote
systems.
Telephony
When telephone technology is married with information technology,
the result is known as telephony. A breach in your telephony
infrastructure is just as devastating as any other violation and can
lead to the loss of valuable data.
With the exodus from land lines to Voice over IP (VoIP) in order for
companies to save money
NAC
When a computer connects to a computer network, it is not
permitted to access anything unless it complies with a
business defined policy; including anti-virus protection level,
system update level and configuration. While the computer is
being checked by a pre-installed software agent, it can only
access resources that can remediate (resolve or update) any
issues. Once the policy is met, the computer is able to access
network resources and the Internet, within the policies
defined within the NAC system. NAC is mainly used for
endpoint health checks, but it is often tied to Role based
Access. Access to the network will be given according to
profile of the person and the results of a posture/health
check. For example, in an enterprise, the HR department
could access only HR department files if both the role and the
Virtualization
If cloud computing has grown in popularity, virtualization has
become the technology du jour. Virtualization, allowing one
set of hardware to host multiple virtual machines, is in use at
most large corporations and becoming more common at
smaller businesses as well.
Some of the security risks that are possible with virtualization
include the following:
Cloud Computing
Platform as a Service: The Platform as a Service (PaaS) model is
also known as cloud platform services. In this model, vendors allow
apps to be created and run on their infrastructure. Two well-known
models of this implementation are Amazon Web Services and
Google Code.
Software as a Service: The Software as a Service (SaaS) model is
the one often thought of when users generically think of cloud
computing. In this model, applications are remotely run over the
Web. The big advantage is that no local hardware is required (other
than to obtain web access) and no software applications need be
installed on the machine accessing the site. The best known model
of this is Salesforce.com. Costs are usually computed on a
subscription basis.
Infrastructure as a Service: The Infrastructure as a Service
(IaaS) model utilizes virtualization, and clients pay an outsourcer
SNMP
SSH
DNS
TLS
SSL
TCP/IP
FTPS
HTTPS
SFTP
SCP
ICMP
IPv4 vs. IPv6
IPsec
Is a security protocol that provides authentication and encryption
across the Internet. IPsec is becoming a standard for encrypting
virtual private network (VPN) channels and is built into IPv6. It's
available on most network platforms, and it's considered to be highly
secure.
HTTPS
Hypertext Transport Protocol over SSL (HTTPS), also known as
Hypertext Transport Protocol Secure, is the secure version of HTTP,
the language of the World Wide Web. HTTPS uses SSL to secure the
channel between the client and server. Many e-business systems use
HTTPS for secure transactions. An HTTPS session is identified by the
https in the URL and by a key that is displayed on the web browser.
HTTPS uses port 443 by default.
ICMP
Provides maintenance and reporting functions. It's used by
the Ping program. When a user wants to test connectivity to
another host, they can enter the PING command with the IP
address, and the user's system will test connectivity to the
other host's system. If connectivity is good, ICMP will return
data to the originating host. ICMP will also report if a
destination is unreachable. Routers and other network
devices report path information between hosts with ICMP.
IGMP
Internet Group Management Protocol (IGMP) is responsible primarily
for
managing IP multicast groups. IP multicasts can send
messages or packets to a specified group of hosts. This is
different from a broadcast, which all users in a network
receive.
IPv4 vs. IPv6
The TCP/IP protocol suite in use today has been around since the
earliest days of the Internet, prior to it even being known by that
name. The remarkable fact that it has been able to scale to the level it
is used at today is testament to the forward thinking of those involved
in its creation.
Several years back, however, a panic arose amid fears that there
would not be enough IP addresses to assign to every host needing to
connect. The current numbering system, known as IP version 4 (IPv4)
even though there really weren't publically released prior versions, is
what is described throughout this chapter and still widely used today.
IP version 6 (IPv6) was introduced several years ago to replace IPv4
but has failed to do so, and most systems currently support both at
the Internet layer.
Key things to know for the exam are that IPv6 supports 128-bit
addresses, while IPv4 supports 32-bit addresses (see "
FTP
SFTP
FTPS
TFTP
TELNET
HTTP
HTTPS
SCP
SSH
NetBIOS
TCP Port Number   Service
20                FTP (data channel)
21                FTP (control channel)
22                SSH and SCP
23                Telnet
25                SMTP
49                TACACS authentication service
53                DNS name queries
69                Trivial File Transfer Protocol (TFTP)
80                HTTP (used for the World Wide Web)
110               POP3
115               SFTP
119               NNTP
137               NetBIOS name service
138               NetBIOS datagram service
139               NetBIOS session service
143               IMAP
161               SNMP
389               LDAP
443               HTTPS
989               FTPS (data channel)
990               FTPS (control channel)
WPA
WPA2
WEP
EAP
PEAP
LEAP
MAC filter
SSID broadcast
TKIP
CCMP
Antenna Placement
Power level controls
WPA
Security protocol developed by the Wi-Fi Alliance to protect
wireless networks and surpass what WEP offered. There are
two versions, WPA and WPA2, with the latter being the full
implementation of the security features.
WPA is a security protocol and security certification program
developed by the Wi-Fi Alliance to secure wireless computer
networks. The Alliance defined it in response to serious
weaknesses researchers had found in the previous system,
WEP (Wired Equivalent Privacy).
WPA2
WPA2 has replaced WPA. WPA2, which requires testing and
certification by the Wi-Fi Alliance, implements the mandatory
elements of IEEE 802.11i. In particular, it introduces CCMP, a new
AES-based encryption mode with strong security. Certification began
in September, 2004; from March 13, 2006, WPA2 certification is
mandatory for all new devices to bear the Wi-Fi trademark.
WPA also mandates the use of TKIP, while WPA2 favors Counter Mode
with Cipher Block Chaining Message Authentication Code Protocol
(CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization
vector. With the larger initialization vector, it increases the difficulty in
cracking and minimizes the risk of replay.
EAP
Extensible Authentication Protocol (EAP) provides a
framework for authentication that is often used with wireless
networks. Among the five EAP types adopted by the
WPA/WPA2 standard are EAP-TLS, EAP-PSK, EAP-MD5,
LEAP
Lightweight Extensible Authentication Protocol (LEAP) was
created by Cisco as an extension to EAP but is being phased
out in favor of PEAP. Because it is a proprietary protocol to
Cisco and created only as a quick fix for problems with WEP, it
lacks native Windows support.
LEAP requires mutual authentication to improve security but
is susceptible to dictionary attacks. It is considered a weak
EAP protocol, and Cisco does not currently recommend using
it.
PEAP
Protected Extensible Authentication Protocol (PEAP) was
created by Cisco, RSA, and Microsoft. It replaces LEAP and
there is native support for it in Windows (which previously
favored EAP-TLS) beginning with Windows XP. There is support
for it in all Windows operating systems since then, including
Windows Vista and Windows 7.
MAC Filtering
Limit access to the network to MAC addresses that are known,
and filter out those that are not. Even in a home network, you
can implement MAC filtering with most routers and typically
have an option of choosing to only allow computers with MAC
addresses that you list or only deny computers with MAC
addresses that you list.
SSID Broadcast
One method of "protecting" the network that is often
recommended is to turn off the SSID broadcast. The access
point is still there and can still be accessed by those who
know of it, but it prevents those who are just scanning from
finding it. This should be considered a very weak form of
security because there are still other ways, albeit a bit more
complicated, to discover the presence of the access point
besides the SSID broadcast.
CCMP
WPA also mandates the use of TKIP, while WPA2 favors
Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol (CCMP). CCMP uses 128-bit AES
encryption with a 48-bit initialization vector. With the larger
initialization vector, it increases the difficulty in cracking and
minimizes the risk of replay.
Antenna Placement
Antenna placement can be crucial in allowing clients to reach the
access point. There isn't any one universal solution to this issue, and
it depends on the environment in which the access point is placed. As
a general rule, the greater the distance the signal must travel, the
more it will attenuate, but you can lose a signal quickly in a short
space as well if the building materials reflect or absorb the signal. You
should try to avoid placing access points near metal (which includes
appliances) or near the ground. In the center of the area to be served
and high enough to get around most obstacles is recommended.
Questions?
Thank you
https://www.rooms.hp.com/attend/default.aspx?key=RPCR4R86FW