Security Risk Assessment for Quality Web Design
Ting Yin
Submitted to: Jude Lamour
SE571 Principles of Information Security and Privacy
Keller Graduate School of Management
Submitted: November 16, 2014
Table of Contents
Executive Summary
Company Overview
Security Vulnerabilities
Threats
Risk Assessment
The Consequence
The Affects on The Company Competitive Advantages
The Definition of Solution
Justification
Impact on Business Processes
Reference
Executive Summary
The Dell SonicWALL Firewall TCO tool recommends that QWD use the Dell NSA 250M and NSA 6600
and replace its current IPSec VPN. The NSA 250M and NSA 6600 appliances come with a wide range
of security protection services at a heightened level of protection, along with additional
security hardware and software bundles. Based on a reputable technology survey, the NSA 250M
and NSA 6600 are rated 5 out of 5 (NSA Review). The NSA 6600 system should be located near
QWD office headquarters, and the NSA 250M near the QWD remote office. Both NSA systems
have the right tools to protect QWD from intrusion, denial of service, and SQL attacks. In
addition to security protection, the NSA systems offer mobile service so that workers, business
partners, customers, clients, or QWD affiliates can collaborate online on QWD-related
projects. The remote access and connectivity can further improve QWD business processes and
even increase revenue.
Company Overview
Quality Web Design (QWD) is a web design and development company that designs and
creates client-side web applications for different industries. The web applications that QWD
makes help its clients market their information to the outside world in the form of web
content. QWD is a basic Microsoft (MS) shop that uses Visual Studio (VS) Team Foundation
to support its image repository. For quality analysis and site development, QWD uses VS. QWD
also uses MS SQL Server and MS Exchange (SEC 517).
Two Security Vulnerabilities
In this paper, I will discuss three security vulnerabilities: one is associated with
hardware, the second is associated with software. The first vulnerability is found within the
network infrastructure (hardware). The second vulnerability is associated with SQL injection
attacks on the client’s web page (SEC 517).
Threats Against VPN or Server
In this section, two threats against a VPN will be discussed: 1) intrusion and 2) denial of
service. An intrusion gives an unauthorized outsider the opportunity to access and take
control of parts of the VPN. The affected parts could be internal computers, servers, network
elements, and other network components. To reach internal information or equipment, the
intruder first injects traffic-control code into the VPN. In the simplest case, an intrusion
consists of sending a single IP packet to a destination in the VPN (Threat Against).
Terminals, phones, and other mobile devices that are left open and unattended are one of the
primary reasons that unauthorized individuals can gain access to QWD's internal resources.
“VPNs will likely continue to be the weakest link in an organization’s security
infrastructure for some time to come.” (VPNs Virtual) Any organization is only as secure as
its weakest link or connection. VPNs provide a false sense of security, due to “poor
implementation and maintenance.” The VPN can perhaps be considered one of the weakest links
in QWD (The Myth).
Denial of service (DoS) is another outside threat against the VPN. Unlike the intrusion
discussed above, DoS prevents others from accessing the web. To carry out a DoS attack, the
hacker first needs to be able to inject packets into the trusted zone of the VPN. A DoS
attack can also interfere with a VPN user indirectly: when a PE router is affected by a DoS
attack, the attack can negatively affect the VPNs connected to that PE router
(Threat Against).
The third threat is related to potential SQL code insertion, or injection, into the client’s
web application. SQL injection is one of the most prevalent and destructive system attacks.
The Open Web Application Security Project (OWASP) identifies SQL injection as the number one
threat. Injecting extraneous code into textboxes can potentially debilitate the entire
database. SQL injection can be used to perform the following types of attacks: it can allow
a hacker to log on illegally to the internal application, gain the privilege to manipulate
the data stored in the database, and disclose confidential information (SQL Injection).
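The login bypass described above, shown next to its fix, as an added example that is not part of the original paper. It uses Python's built-in sqlite3 as a stand-in for MS SQL Server; the table, account names, passwords, and function names are constructed for illustration.

```python
import hashlib
import sqlite3

# Constructed sample accounts. A fixed salt keeps the example short;
# real systems use a random salt per user.
SALT = b"constructed-example-salt"
ACCOUNTS = {"admin": "S3cure-Admin-Pass", "o'brien": "client-pass-42"}


def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000).hex()


def make_db():
    """In-memory SQLite stand-in for the back-end database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(name, hash_pw(pw)) for name, pw in ACCOUNTS.items()],
    )
    return db


def login_vulnerable(db, name, password):
    """BEFORE: textbox values are pasted into the SQL text itself."""
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND pw_hash = '" + hash_pw(password) + "'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(db, name, password):
    """AFTER: values travel as bound parameters, never as SQL text."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND pw_hash = ?",
        (name, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    # Constructed textbox input: the quote closes the string literal and
    # "--" turns the password check into a SQL comment.
    crafted = "admin' --"
    results = {
        "vulnerable_crafted": login_vulnerable(db, crafted, "wrong"),
        "hardened_crafted": login_hardened(db, crafted, "wrong"),
        # A legitimate name containing an apostrophe works when bound...
        "hardened_apostrophe": login_hardened(db, "o'brien", "client-pass-42"),
    }
    try:
        # ...but breaks the concatenated query, the same flaw seen from
        # the side of an honest user.
        login_vulnerable(db, "o'brien", "client-pass-42")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "syntax error"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The same bound-parameter pattern applies to MS SQL Server through parameterized commands; filtering quotes out of input instead would reject the legitimate o'brien account.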
Risk Assessment
In 2006, the U.K. Department of Trade and Industry (DTI) surveyed businesses about security
incidents and released the results. Among the organizations surveyed, intrusion was constant
at 17 percent over the survey period, and failure of equipment was up to 29 percent
(Pfleeger, 256). An official study found that 87 percent of businesses surveyed suffered
service degradation, up to a full outage, from a DDoS attack in 2013 (XAND LAUNCHES). SQL
injection was found to be one of the six most commonly reported threats for Web
applications. SQL injection, along with the other top five threats, accounted for 40 percent
of threats found in 2012 (HP 2012).
Level of Risk and Its Influence on QWD Operation
| Threat | Level of Risk |
|---|---|
| Denial of Service | 4 |
| Intrusion | 3 |
| SQL Inject | 3 |

4 - Critical: QWD business will not be operational when it encounters a threat of the type listed.
3 - Medium-Critical: QWD business can still somewhat manage its operations, but it has to do so
under the interference caused by the threat.
The Consequence
A security breach through the VPN can lead to the theft of QWD proprietary or confidential
information, the loss of client information, the exploitation or manipulation of
confidential information, web page content modification, and so on. The authentication
method used by IPsec can weaken the authentication process and can be unmanageable for QWD
when deploying web services for multiple client organizations. Given the expense and
complexity associated with IPsec deployment, IPsec VPN selectors are insufficient to meet
the needs of the authorization policies that QWD must have in today's highly regulated
environment (The Myth).
To compensate for the weaker authentication of the IPsec VPN, QWD has to create relatively
more complicated constituency-oriented policies to limit user access. IPsec VPN remote
access needs VPN client software and policy configuration on the end devices. Given the
additional support and resources this requires, QWD simply cannot deliver cost-effective
secure remote access to all users from all devices. When a client is connected using IPsec,
every resource inside the protected network is potentially available to the user, and
therefore vulnerable to misuse and attack from that client for the entire connection
(The Myth).
DDoS attacks can cause costly and destructive downtime for the clients’ hosted
applications and resources. During the downtime caused by a DDoS attack, the users of the
websites developed and designed by QWD would not be able to access the websites or the
services that the clients offer through the web pages. In the meantime, QWD and its clients
cannot communicate with the users and the clients’ customers because the websites are
malfunctioning (The Myth). The Ponemon Institute “estimates that the average cost of one
minute of downtime due to a DDoS attack is $22,000. The average attack lasts at least an
hour, inflicting devastating and expensive downtime on business operations.” (Xand Launches).
Through SQL injection, hackers can obtain unauthorized access to the MS SQL 2008
database (DB) server or the DB located in the corporate office. The hackers can create,
review, insert, alter, or remove QWD images or confidential information stored in the QWD
back-end database. Through SQL injection and manipulation, the hackers can potentially lock
or delete tables stored in the DB on the QWD servers. The malicious manipulation of the data
can cause denial of service to authorized users and can grant, without authorization, remote
command execution that is normally reserved for administrators (SQL Injection).
The Affects on the Company Competitive Advantages
More of QWD's customers may go to its competitors for similar services because of decreased
trust in the security and service provided by QWD. An outage can cause an increase in the
volume of customer inquiries about the outage, which can result in a loss in revenue.
Security fears can drive a decline in stock prices and investor confidence. The compromised
IT system at QWD can also be susceptible to multiple attacks within a relatively short
period of time (DDoS).
A breach of confidential information (QWD corporate confidential information, employee
private information, and client private information) can potentially lead to lawsuits not
only against QWD itself but also against its employees. If hackers are able to intrude into
a system developed by software developers or engineers, those computer professionals are
liable to lawsuits (Five Ways).
Justification for Using Dell Sonic NSA 220 M and NSA 6600
The Dell SonicWALL Firewall TCO comparison and analysis tool takes QWD's current firewall
requirements into consideration. Based on the client's system requirements and
configuration, the Dell TCO tool makes a product recommendation that can improve the
condition of the QWD system, and it then compares the selected Dell SonicWALL products and
services with a similar Cisco solution. The solutions the TCO tool suggests for the QWD
system are the Dell SonicWALL NSA 6600 and NSA 250 (Dell).
The total three-year TCO savings of Dell SonicWALL NSA over Cisco ASA is $381,405. The
percent difference in Total Cost of Ownership (over 3 years) for Dell SonicWALL NSA versus
Cisco ASA is -88.4%. QWD can save at least 88.4% when it purchases the Dell product over the
Cisco version. The percent difference in the projected number of labor FTEs of Dell
SonicWALL versus Cisco ASA is 74.4%. The percent difference in the staff to device support
ratio (devices per 1 FTE) for Dell SonicWALL is 159.9%, and the percent difference in
firewall TCO per user (NPV over 3 years) is 88.4% (Figure 1) (Dell).
Figure 1: Total Cost of Ownership Comparison

| Total Cost of Ownership (TCO) | Dell SonicWALL | Cisco | Difference | Percent Difference |
|---|---|---|---|---|
| Appliance Hardware and Support | $41,321 | $144,956 | $103,635 | 71.5% |
| Additional Security Services | $7,664 | $282,512 | $274,848 | 97.3% |
| Implementation / Configuration / Training | $903 | $2,810 | $1,907 | 67.9% |
| Ongoing Operational (IT Labor) | $125 | $1,141 | $1,015 | 89.0% |
| Total TCO - Total Cost of Ownership (over 3 years) | $50,014 | $431,419 | $381,405 | 88.4% |

| Key Performance Indicators | Dell SonicWALL | Cisco | Difference | Percent Difference |
|---|---|---|---|---|
| Projected Number of Labor FTEs | 0.0 | 0.1 | 0.0 | 74.4% |
| Staff to Device support ratio (Devices per 1 FTE) | 143.7 | 55.3 | 88.4 | 159.9% |
| Firewall TCO per user (NPV over 3 years) | $50 | $431 | $381 | 88.4% |
Dell SonicWALL NSA products include the Comprehensive Gateway Security Suite (CGSS),
Simple Firewall, Gateway Anti-Virus/Anti-Spyware (GAV), Intrusion Prevention Service
Bundle, Application Intelligence and Control, Content Filtering Service, Botnet Filter,
Context Aware Security Support Level, an IPSec VPN license, and an SSL VPN license. The cost
saving of Dell SonicWALL NSA over Cisco ASA is $157,247 and the TCO difference of Dell over
Cisco is -92.6%. This means Dell SonicWALL’s security package costs 92.6% less than the
Cisco version (Figure 2) (Dell).
Figure 2: Additional Security Services Appliances and Licensing Costs

| Additional Security Services Appliances and Licensing Costs | Dell SonicWALL | Cisco | Difference | Percent Difference |
|---|---|---|---|---|
| Selected Deep Packet Inspection Services | $0 | $149,847 | $149,847 | 100.0% |
| √ Intrusion Prevention Service (IPS) Appliance (Dell-Not Req.) | $0 | $86,490 | $86,490 | 100.0% |
| √ Intrusion Prevention Service (IPS) Licensing (Dell-Included) (Cisco-Included) | $0 | $0 | $0 | 100.0% |
| √ Application Intelligence and Control (AIC) (Dell-Included) (Cisco-Included) | $0 | $0 | $0 | 100.0% |
| √ Content Filtering Service (CFS) (Dell-Included) (Cisco-Not Incl.) | $0 | $0 | $0 | 100.0% |
| Selected Client Services | $595 | $7,995 | $7,400 | 92.6% |
| √ IPSec VPN (Dell-Included) | $0 | $0 | $0 | 0.0% |
| √ SSL VPN | $595 | $7,995 | $7,400 | 92.6% |
Impact on Business Process
Dell SonicWALL technologies integrate both SSL and IPsec VPN into one system. The
SSL/IPsec VPN offers the capability to securely and conveniently extend corporate network
access beyond managed desktops to different user services. Secure Remote Access, powered by
the SonicWALL SSL/IPsec VPN edition, enables QWD to securely and seamlessly provide access
to authorized company resources to a wide range of users, contractors, and business
partners on a wide variety of mobile and fixed workstations (NSA 6600, NSA 220).
With inclusive support for unrestricted full-network access, as well as controlled access
to select web-based applications and network resources, the SonicWALL VPN network platform
provides the flexibility needed by any VPN deployment in QWD. The VPN provides an effective
and efficient combination of seamless controlled access, firewall, intrusion prevention
inspection, and web threat prevention that empowers QWD mobile workers to be productive
while protecting corporate assets and interests (NSA 6600, NSA 220).
Combining SSL and IPsec VPN technology in one platform can deliver a highly
customizable, simple, and flexible one-box solution for VPN deployment environments, and
reduce the expense of deploying remote-access solutions (NSA 6600, NSA 220). Through
client-based SSL or IPsec VPN, corporate-managed laptops can seamlessly access QWD
corporate network resources remotely. Through clientless SSL VPN, remote users such as QWD
clients can access web-based applications from their terminals. Business partners or other
professional affiliates can access specific QWD resources and applications.
The NSA 6600 should be located in the corporate office. The NSA 6600 supports a wide range
of deployment and application environments and delivers maximum value to QWD with the
most comprehensive set of Secure Socket Layer (SSL) and IP security (IPsec) VPN features,
performance, and scalability (NSA 6600, NSA 220). The solution consists of a single
unified platform: the NSA 6600 with the Secure Mobility Solution enables QWD to use a highly
effective combination of seamless controlled access, firewall, intrusion prevention
inspection, and web threat prevention that enables QWD mobile workers, stationary workers,
and clients to be productive while helping to improve corporate profit by increasing sales.
With Dell's inclusive support for unrestricted full-network access, as well as controlled
access to select web-based applications and network resources in QWD, the platform provides
the flexibility required by any VPN deployment in QWD (Figure 3) (NSA 6600, NSA 220).
Figure 3: Dell NSA 6600 in Corporate Headquarter Office
Figure 2: Dell NSA 250 M in Remote Office
NSA 250M and NSA 6600 Expert Rating

| Category | Rating |
|---|---|
| Feature | 5/5 |
| Ease of Use | 5/5 |
| Performance | 5/5 |
| Documentation | 5/5 |
| Support | 5/5 |
| Value for Money | 5/5 |
| Overall Rating | 5/5 |
The wireless network capabilities offered by the NSA 250M and NSA 6600 can empower
mobile workers, who can work anywhere while protected by the security services of the Dell
technology. Based on the survey answered by users of the NSA system, it seems that all these
users are 100% satisfied with the system: they give it 5 out of 5 for overall rating (NSA
Review). Allowing employees the option to work at home at certain times of the week can
improve business results. Evidence shows that around two thirds of people want to work at
home, and eighty percent of employees who took the survey consider telework a perk.
Approximately 6 out of 10 employers identify telecommuting as a cost-saving plan for the
employer. IBM saves $50 million in real estate costs, and Nortel saves $100,000 per employee
who works at home. Sun Microsystems saves $68 million a year from its telecommuting workers
(Advantage).
Using Dell to brand its business can potentially attract more customers to QWD. Once
customers understand the heightened level of protection offered by Dell technology, they are
more willing to do more business with QWD or even recommend more customers to QWD.
Quality Web Design can potentially experience fewer incidents of system malfunction and data
breach resulting from intrusion, denial of service, SQL injection, or other attacks. Having
fewer incidents can potentially reduce the time, expense, and litigation workload
associated with data breaches and unauthorized access.
Hard Solution and Security Service Solution
Dell SonicWALL is a multi-service platform. Its security protection extends from the
network core to the perimeter of the system. Unified Threat Management (UTM) integrates
support from SonicWALL’s Gateway Anti-Spyware, Anti-Virus, and Intrusion Protection
service and Application. These security appliances deliver real-time protection against
innovative mixtures of threats, including intrusion and SQL injection. The combination
of protection against application-layer and content-based attacks provides a heightened
level of gateway protection that defends against multiple threats coming from the access
points (AP) and thoroughly inspects all network layers for threats that involve or include
intrusion (NSA 6600, NSA 220).
The Dell SonicWALL Intrusion Prevention System (IPS) Service provides network
protection 24 hours a day, 7 days a week. Its major specifications are 4.5 Gbps throughput,
a maximum of 500,000 inspected connections, and 90,000 new connections per second. Dell’s
IPS Service is activated on the Dell SonicWALL Network Security Appliance (NSA). IPS
provides high-performance deep packet inspection with countermeasures for complete
protection against application exploitation and malicious traffic. The Dell IPS service is
scalable to serve organizations of all sizes. When QWD expands its business and has more
customers, it can still use the Dell SonicWALL system. IPS provides a layer of security
enforcement and protection between each network zone and the Internet and between Internet
zones for additional security against intrusion (NSA 6600, NSA 220).
IPS provides bi-directional, full-stack inspection that checks inbound and outbound
critical application traffic, providing defense against a wide variety of attacks, such
as SQL injection, cross-site scripting, remote code execution, shell code payloads, and
remote procedure calls. Its payload inspection spans a wide range of protocols,
including MySQL, TCP, DNS, HTTP, HTTPS, SMTP, SNMP, POP3, FTP, Telnet, RTP, etc.
The firewall and networking part of the Dell SonicWALL offers SYN flood protection. SYN
flood protection provides a defense against DoS attacks using both Layer 2 SYN blacklisting
and Layer 3 SYN proxies. It provides the ability to defend against DoS/DDoS through
UDP/ICMP flood protection and connection rate limiting (NSA 6600, NSA 220).
Dell SonicWALL Virtual Private Networking technology can make network and
security management more efficient for network managers and administrators. Using the Dell
SonicWALL VPN, network managers can establish a more secure and extensive VPN that is
easier to control and manage. Dell SonicWALL VPN technology includes integrated IPSec VPN
for securing site-to-site communication. The VPN technology offers both SSL VPN and IPSec
VPN for secure remote client access. The VPN technology line also offers a complete set of
Secure Remote Access/SSL VPN appliances that bring remote access and management
capabilities to organizations of a wide range of sizes, with varying network complexity,
specifications, and security requirements (NSA 6600, NSA 220).
Dell NSA 250 M Specification

| Item | Value |
|---|---|
| Operating system | SonicOS 5.9 |
| Security Processor | 2x 700 MHz |
| Memory (RAM) | 512 MB |
| Firewall inspection throughput | 750 Mbps |
| Full DPI throughput | 130 Mbps |
| Application inspection throughput | 250 Mbps |
| IPS throughput | 250 Mbps |
| Anti-malware inspection throughput | 140 Mbps |
| IMIX throughput | 210 Mbps |
| SSL Inspection and Decryption (DPI SSL) | Available |
| VPN throughput | 200 Mbps |
| VLAN interfaces | 35 |

VPN

| Item | Value |
|---|---|
| Site-to-Site VPN Tunnels | 50 |
| IPSec VPN clients (Maximum) | 2 (25) |
| SSL VPN licenses (Maximum) | 2 (15) |
| Encryption/Authentication | DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1 |
| Key exchange | Diffie Hellman Groups 1, 2, 5, 14 |
| Route-based VPN | RIP, OSPF |
| IP address assignment | Static, (DHCP PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP Relay |
| NAT modes | 1:1, many:1, 1:many, flexible NAT (overlapping IPS), PAT, transparent mode |
| Routing protocols | BGP, OSPF, RIPv1/v2, static routes, policy-based routing, multicast |
| Authentication | XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, internal user database, Terminal Services, Citrix |
| Standards | TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP, PPTP, RADIUS, IEEE 802.3 |

Hardware

| Item | Value |
|---|---|
| Form factor | Desktop (1U Rack Mountable Kit Available) |
NSA 6600 Specification

| Item | Value |
|---|---|
| Operating system | SonicOS 6.2 |
| Security Processor | 24x 1.0 GHz |
| Firewall inspection throughput | 12.0 Gbps |
| Full DPI throughput | 3.0 Gbps |
| Application inspection throughput | 4.5 Gbps |
| IPS throughput | 4.5 Gbps |
| Anti-malware inspection throughput | 3.0 Gbps |
| IMIX throughput | 3.5 Gbps |
| SSL Inspection and Decryption (DPI SSL) | 1.3 Gbps |
| VPN throughput | 5.0 Gbps |

VPN

| Item | Value |
|---|---|
| Site-to-Site VPN Tunnels | 6000 |
| IPSec VPN clients (Maximum) | 2,000 (6,000) |
| SSL VPN licenses (Maximum) | 2 (50) |
| Encryption/Authentication | DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1 |
| Key exchange | Diffie Hellman Groups 1, 2, 5, 14 |
| Route-based VPN | RIP, OSPF |

Networking

| Item | Value |
|---|---|
| IP address assignment | Static, (DHCP, PPPoE, L2TP, PPTP client), Internal DHCP server, DHCP Relay |
| Authentication | XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, Internal user database, Terminal Services, Citrix |
| Certifications | VPNC, ICSA Firewall, ICSA Anti-Virus |
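An added example (not from the paper or from Dell) that grades VPN proposals against the Encryption/Authentication and Key exchange rows of the two specification tables above. The grading policy, the tunnel names, and the proposals are assumptions constructed for illustration.

```python
import re
from itertools import product

# The two rows as they appear in both specification tables above.
SPEC_ENC_AUTH = "DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1"
SPEC_KEX = "Diffie Hellman Groups 1, 2, 5, 14"

# Assumed review policy for this example (not vendor guidance):
# DES has a 56-bit key, 3DES a 64-bit block, MD5 and SHA-1 are aging hashes,
# DH groups 1/2/5 are 768/1024/1536-bit MODP, group 14 is 2048-bit.
POLICY = {
    "enc": {"DES": "reject", "3DES": "legacy",
            "AES-128": "ok", "AES-192": "ok", "AES-256": "ok"},
    "auth": {"MD5": "reject", "SHA-1": "legacy"},
    "dh": {1: "reject", 2: "reject", 5: "legacy", 14: "ok"},
}
RANK = {"ok": 0, "legacy": 1, "reject": 2, "unsupported": 3}

# Constructed tunnel proposals: (encryption, integrity, DH group).
PROPOSALS = {
    "hq-to-remote": ("AES-256", "SHA-1", 14),
    "legacy-partner": ("3DES", "MD5", 2),
    "old-client": ("DES", "SHA-1", 1),
    "planned": ("AES-256", "SHA-256", 19),
}


def parse_spec(enc_auth=SPEC_ENC_AUTH, kex=SPEC_KEX):
    """Turn the two spec-table rows into sets of supported algorithms."""
    enc_part, auth_part = enc_auth.split("/")
    enc = set()
    # "AES (128, 192, 256-bit)" expands to one entry per key size.
    m = re.search(r"AES \(([^)]*)\)", enc_part)
    if m:
        enc |= {"AES-" + n for n in re.findall(r"\d+", m.group(1))}
        enc_part = enc_part.replace(m.group(0), "")
    enc |= {t.strip() for t in enc_part.split(",") if t.strip()}
    auth = {t.strip() for t in auth_part.split(",")}
    dh = {int(n) for n in re.findall(r"\d+", kex)}
    return {"enc": enc, "auth": auth, "dh": dh}


def audit(proposal, supported):
    """Grade one proposal; returns (worst grade, list of findings)."""
    findings = []
    for kind, value in zip(("enc", "auth", "dh"), proposal):
        if value not in supported[kind]:
            grade = "unsupported"  # not in the spec rows at all
        else:
            grade = POLICY[kind].get(value, "reject")  # unknown: fail closed
        if grade != "ok":
            findings.append((kind, value, grade))
    verdict = max((f[2] for f in findings), key=RANK.get, default="ok")
    return verdict, findings


def review(proposals=PROPOSALS):
    supported = parse_spec()
    return {name: audit(p, supported) for name, p in proposals.items()}


def best_available(supported):
    """Best grade any combination of the listed algorithms can reach."""
    combos = product(sorted(supported["enc"]), sorted(supported["auth"]),
                     sorted(supported["dh"]))
    graded = [(audit(p, supported), p) for p in combos]
    (verdict, findings), proposal = min(
        graded, key=lambda g: (RANK[g[0][0]], len(g[0][1])))
    return verdict, proposal


if __name__ == "__main__":
    for name, (verdict, findings) in review().items():
        print(f"{name}: {verdict} {findings}")
    print("best available:", best_available(parse_spec()))
```

Under this policy the best combination the listed rows allow is AES with SHA-1 and group 14, which still grades as legacy because the integrity options stop at SHA-1.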
Reference
Advantage of Telecommuting. (2014). Global Workplace Analytics. Retrieved from: http://globalworkplaceanalytics.com/resources/costs-benefits
An Anomaly-Based Approach for Intrusion Detection in Web Traffic. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?client=safari&rls=en&q=cache:hmDApgF38E4J:http://digital.csic.es/bitstream/10261/40544/1/ARTICULOS315428%255B1%255D.pdf%2Bconsequence+intrusion+web+security&oe=UTF-8&hl=en&as_q&nfpr&spell=1&&ct=clnk
Dell SonicWALL Firewall Appliance TCO Comparison. (2014). SonicWall. Retrieved from: https://roianalyst.alinean.com/SonicWALL/
Five Ways Programmers Can Be Sued. (n.d.) Retrieved from: http://www.techinsurance.com/blog/computer-consultants/5-ways-web-programmers-can-be-sued/
DDoS Boot Camp: Basic Training for an Increasing Cyber Threat. (n.d.) Retrieved from: www.prolexic.com/...ddos-boot-camp/DDoS_Boot_Camp-Prolexic_executive_series_white_paper-073113.pdf
How to Prevent Security Breaches from Known Vulnerabilities. (n.d.) Retrieved from: http://www.esecurityplanet.com/network-security/how-to-prevent-security-breaches-from-known-vulnerabilities.html
HP 2012 Cyber Risk Report. (n.d.) Retrieved from: www.hpenterprisesecurity.com/collateral/whitepaper/HP2012CyberRiskReport_0213.pdf%2BHP+2012+Cyber+Risk+Report&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk
NSA 220 Network Security Appliance. (2014). Dell SonicWall. Retrieved from: http://www.sonicwall.com/us/en/products/NSA-220.html
NSA 6600 Next-Generation Firewall (NGFW). (2014). Dell SonicWall. Retrieved from: http://www.sonicwall.com/us/en/products/NSA-6600.html
NSA Review. (2009). Retrieved from: http://www.scmagazine.com/sonicwall-nsa-240/review/2678/
The Myth of the Secure Virtual Desktop: Avoid a false sense of security with your VPN or VDI endpoints. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?q=cache:7LfeJvdlN_kJ:http://www.npcdataguard.com/The%2520Myth%2520of%2520the%2520Secure%2520Virtual%2520Desktop.pdf%2BThe+Myth+of+the+Secure+Virtual+Desktop&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk
SEC 517 Course: Security Assessment and Recommendations [Class handout]. (2014). New York, NY: Keller School of Management.
Smith, D. (2010). Profiles of major American psychologists [Class handout]. Department of Psychology, Harvard University, Boston, MA.
SQL Injection Tutorial. (n.d.) Retrieved from: http://www.w3resource.com/sql/sql-injection/sql-injection.php#sthash.Rq9nWIAW.dpuf
Threats Against a VPN. (n.d.) Retrieved from: http://etutorials.org/Networking/MPLS+VPN+security/Part+I+MPLS+VPN+and+Security+Fundamentals/Chapter+2.+A+Threat+Model+for+MPLS+VPNs/Threats+Against+a+VPN/
VPNs (Virtual Private Nightmares). Retrieved from: http://www.secureworks.com/resources/newsletter/2004-05/
Why Replace Your IPSec for Remote Access. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?q=cache:UnLmTmaPU8wJ:https://www.sonicwall.com/downloads/WP-ENG-035_Why-Replace-Your-IPSec_US.pdf%2BWhy+Replace+Your+IPSec+for+Remote+Access&client=safari&rls=en&oe=UTF-8&hl=en&&ct=clnk
XAND Launches Distributed Denial of Service (DDOS) Protection Services to Proactively Safeguard Mission-Critical IT Infrastructure. (n.d.) Retrieved from: http://webcache.googleusercontent.com/search?client=safari&rls=en&q=cache:ZABMjDDDhLQJ:http://www.xand.com/06/press-releases/xand-launches-distributed-denial-of-service-ddos-protection-services-to-proactively-safeguard-mission-critical-it-infrastructure/%2Bdenial+of+service+percentage+risk&oe=UTF-8&hl=en&&ct=clnk