Wednesday, June 6, 2012

Site to Site VPN, Remote VPN

In terms of internetworking security, there are two types of VPN (Virtual Private Network). A VPN is a private network that interconnects remote networks over a shared infrastructure, providing security through tunnelling protocols and security procedures. The two types of VPN are as follows:


Site-to-Site VPN
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN extends the company's network, making computer resources at one location accessible to employees at other locations. An example of a company that uses a site-to-site VPN is a growing corporation with branch offices located around the world.
There are in turn two types of site-to-site VPN:

Intranet-based: If a company has one or more remote locations that it wishes to join into a single private network, it can create an intranet VPN to connect each separate LAN into a single WAN.

Extranet-based: When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to each company's separate intranet.




Remote-Access VPN
A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged into the network’s servers. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Remote-access VPN is also known as virtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialling in to a server using an analogue telephone system.

There are two components required in a remote-access VPN. The first is a network access server (NAS), also known as a media gateway or a remote-access server (RAS). A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. The NAS is what a user connects to from the Internet in order to use the VPN. The NAS requires the user to provide valid credentials to sign in to the VPN. To check those credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.

The other required component is client software. This software is required for employees to establish and maintain a connection to the VPN. Most operating systems today have built-in software capable of connecting to remote-access VPNs, although some VPNs require downloading a specific client application instead.




References:
http://en.wikipedia.org/wiki/Vpn_client
http://computer.howstuffworks.com/vpn4.htm
http://computer.howstuffworks.com/vpn3.htm

Monday, May 28, 2012

Public Key Infrastructure (Digital Cert)



A digital certificate is an electronic document that uses a digital signature to bind a public key to an identity, such as the name of a person or an organization, their address, etc. The certificate can be used to verify that a public key belongs to a particular individual.


A digital certificate is a digital form of identification, much like a passport or driver's licence. It is a digital credential that provides information about the identity of an entity as well as other supporting information. A digital certificate is issued by an authority, referred to as a certification authority (CA). Because the certificate is issued by a certification authority, that authority vouches for the validity of the information in it. A digital certificate is also valid only for a specific period of time.

Digital certificates provide support for public key cryptography because digital certificates contain the public key of the entity identified in the certificate. Because the certificate matches a public key to a particular individual, and that certificate's authenticity is guaranteed by the issuer, the digital certificate provides a solution to the problem of how to find a user's public key and know that it is valid. These problems are solved by a user obtaining another user's public key from the digital certificate.

The user knows it is valid because a trusted certification authority has issued the certificate.
In addition, digital certificates rely on public key cryptography for their own authentication. When a digital certificate is issued, the issuing certification authority signs the certificate with its own private key. To validate the authenticity of a digital certificate, a user obtains that certification authority's public key and uses it to check the signature on the certificate, which shows whether it was really signed by that certification authority. This check is only as strong as the user's copy of the CA's public key, which must itself be obtained through a trusted path (for example, a root certificate pre-installed in the operating system or browser).
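The issue-and-verify cycle described above, as an added example that is not part of the original post: a CA signs the subject's name, public key and validity period with its private key, and a relying party checks that signature with the CA public key it already trusts, then checks the dates, then uses the public key taken from the certificate. The keys are textbook RSA built from Mersenne primes so the block runs offline (no padding, illustration only; real CAs use padded RSA or ECDSA), the JSON encoding stands in for DER, and the names and timestamps are constructed.

```python
import hashlib
import json

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (no padding; illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))     # private exponent, Python 3.8+
    return {"n": n, "e": e}, {"n": n, "d": d}

# Keys built from Mersenne primes 2^k - 1 so the block needs no prime generator;
# every n exceeds 2^256 so a SHA-256 digest fits under the modulus.
CA_PUB, CA_PRIV = make_key((1 << 607) - 1, (1 << 127) - 1)        # trusted CA
ALICE_PUB, ALICE_PRIV = make_key((1 << 521) - 1, (1 << 107) - 1)  # certificate subject
ROGUE_PUB, ROGUE_PRIV = make_key((1 << 1279) - 1, (1 << 89) - 1)  # a CA nobody trusts

def sha256_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def tbs_bytes(cert):
    """Canonical bytes of the to-be-signed fields (stand-in for DER TBSCertificate)."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(tbs, sort_keys=True).encode()

def issue(ca_priv, issuer, subject, subject_pub, not_before, not_after):
    """The CA binds subject name, public key and validity period under its signature."""
    cert = {"issuer": issuer, "subject": subject, "public_key": subject_pub,
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = pow(sha256_int(tbs_bytes(cert)), ca_priv["d"], ca_priv["n"])
    return cert

def verify(cert, trusted_ca_pub, now):
    """Relying party: check the signature with a CA key it already trusts, then the dates."""
    digest = sha256_int(tbs_bytes(cert))
    if pow(cert["signature"], trusted_ca_pub["e"], trusted_ca_pub["n"]) != digest:
        return False
    return cert["not_before"] <= now <= cert["not_after"]

def sign(priv, message):
    """Subject signs a message with the private key matching the certified public key."""
    return pow(sha256_int(message), priv["d"], priv["n"])

def check_signature(pub, message, signature):
    """Verifier uses the public key taken from a certificate it has already verified."""
    return pow(signature, pub["e"], pub["n"]) == sha256_int(message)

# Constructed scenario: integers stand in for Unix timestamps.
ALICE_CERT = issue(CA_PRIV, "Example CA", "alice@example.com", ALICE_PUB,
                   1_600_000_000, 1_700_000_000)

if __name__ == "__main__":
    print("valid now:", verify(ALICE_CERT, CA_PUB, 1_650_000_000))
    print("after expiry:", verify(ALICE_CERT, CA_PUB, 1_750_000_000))
```

Changing any signed field (here the public key) or presenting a certificate from an issuer whose key is not in the trust store makes `verify` fail, which is exactly the property the post describes: the binding between identity and key is only as good as the signature and the trust placed in the signer.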


References:
http://en.wikipedia.org/wiki/Public_key_certificate
http://technet.microsoft.com/en-us/library/bb123848%28v=exchg.65%29.aspx

Internet Protocol Security (IPsec)

IPsec is a set of protocols defined by the Internet Engineering Task Force (IETF) to secure packet exchange over unprotected IPv4/IPv6 networks such as the Internet by authenticating and encrypting the IP packets of a session.
IPsec is an end-to-end security scheme operating in the Internet layer of the Internet Protocol Suite. It can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

The IPsec framework described here has six components: two packet-protection protocols, the Encapsulating Security Payload (ESP) and the Authentication Header (AH), and four cryptographic algorithms they rely on, the Data Encryption Standard (DES) for encryption, Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA) for integrity, and Diffie-Hellman (DH) for key establishment. Only ESP and AH are IPsec protocols in the strict sense; the other four are algorithms negotiated for use within them.


Encapsulating Security Payload (ESP)



Encapsulating Security Payload (ESP) is a key protocol in the IPsec (Internet Protocol Security) architecture, designed to provide a mix of security services in IPv4 and IPv6. ESP provides confidentiality by encrypting the data to be protected and placing the ciphertext in the payload portion of the ESP packet; it can also provide integrity and origin authentication through an optional integrity check value (ICV) computed over the ESP header and payload.

Depending on the user's security requirements, this mechanism may be used to encrypt either a transport-layer segment (e.g., TCP, UDP, ICMP, IGMP), which is transport mode, or an entire IP datagram, which is tunnel mode. Encapsulating the whole original datagram is necessary to provide confidentiality for the original IP header (source and destination addresses included) as well as for its payload.


Authentication Header(AH)


AH is a protocol that provides authentication of all or part of the contents of a datagram through the addition of a header whose integrity check value is calculated over the values in the datagram. Which parts of the datagram are covered by the calculation, and where the header is placed, depend on whether tunnel or transport mode is used. Fields of the IP header that legitimately change in transit, such as the TTL and the header checksum, are treated as zero for the calculation so that ordinary forwarding does not break the check.

The presence of the AH header allows the receiver to verify the integrity and origin of the message, but AH does not encrypt it. Thus AH provides authentication but not confidentiality (ESP is used to provide encryption).
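A transport-mode AH packet built and checked end to end, as an added example that is not part of the original post: the sender computes a 96-bit HMAC over the immutable IPv4 fields, the AH header with its ICV zeroed, and the payload; a router on the path decrements the TTL without breaking the check, while changing the payload or the destination address, or replaying a packet, fails it. The 20-byte HMAC key, the addresses and the payload bytes (standing in for a TCP segment) are constructed; the layout follows the AH header fields (next header, payload length, reserved, SPI, sequence number, ICV) and the anti-replay window is simplified to "strictly increasing sequence number".

```python
import hmac
import struct

AH_PROTO = 51          # IP protocol number of the Authentication Header
ICV_LEN = 12           # HMAC-SHA1-96 and HMAC-MD5-96 both truncate the MAC to 96 bits
IP_FMT = "!BBHHHBBH4s4s"

def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))

def ipv4_header(src, dst, proto, total_len, ttl=64):
    # version/IHL, TOS, total length, id, flags+fragment offset, TTL, protocol, checksum, src, dst
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr):
    """Hop-by-hop fields (TOS, flags/fragment offset, TTL, checksum) count as zero for the ICV."""
    v, _tos, length, ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, ip_hdr)
    return struct.pack(IP_FMT, v, 0, length, ident, 0, 0, proto, 0, src, dst)

def ah_header(next_header, spi, seq):
    # payload length is in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)

def compute_icv(key, ip_hdr, ah_hdr, payload, hashname="sha1"):
    """ICV over immutable IP fields, the AH header with its ICV zeroed, and the payload."""
    covered = zero_mutable(ip_hdr) + ah_hdr[:12] + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashname).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, payload, spi, seq, ttl=64):
    """Transport mode: IP | AH | original transport segment (payload stands in for the segment)."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload), ttl)
    ah = ah_header(6, spi, seq)                        # next header 6 = TCP
    return ip_hdr + ah + compute_icv(key, ip_hdr, ah, payload) + payload

def verify_ah_packet(key, packet, replay_state):
    """Receiver: anti-replay on the sequence number first, then a constant-time ICV compare."""
    ip_hdr, ah, payload = packet[:20], packet[20:44], packet[44:]
    spi, seq = struct.unpack("!II", ah[4:12])
    if seq <= replay_state.get(spi, 0):               # simplified window: strictly increasing
        return False
    if not hmac.compare_digest(compute_icv(key, ip_hdr, ah, payload), ah[12:24]):
        return False
    replay_state[spi] = seq
    return True

def decrement_ttl(packet):
    """What each router on the path does; AH still verifies because TTL is a mutable field."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]

# Constructed sample: a 160-bit key for HMAC-SHA1 and a short stand-in segment.
KEY = b"\x0b" * 20
SAMPLE = build_ah_packet(KEY, ip4("10.0.0.1"), ip4("10.0.0.2"), b"GET / HTTP/1.0\r\n", spi=0x100, seq=1)
```

Note what the check does and does not cover: the TTL edit passes, but an edit to the destination address fails, which is why AH cannot cross a NAT device (the translated address is covered by the ICV).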


Data Encryption Standard (DES)

DES is a block cipher that uses a 56-bit key. A block cipher is an encryption algorithm that operates on a fixed-size block of data. DES encrypts data in 64-bit blocks using a key that is written as 64 bits, but one bit in each of the 8 key bytes is a parity bit used for error checking, leaving 56 bits of usable key. A 56-bit key is far too small today: DES keys have been recovered by exhaustive search since 1998, so Triple DES (3DES) or AES should be used in its place.
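How the 64-bit key reduces to 56 bits, as an added example that is not part of the original post: the low bit of each key byte is an odd-parity bit, so two keys that differ only in those bits are the same DES key, a parity-checking implementation rejects a key whose parity bits are wrong, and the four well-known weak keys are rejected as well. The test keys are constructed.

```python
# DES keys are 8 bytes; the low bit of each byte is an odd-parity bit, so 56 bits do the work.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}

KEYSPACE = 2 ** 56     # about 7.2e16 keys: exhausted by dedicated hardware in 1998

def has_odd_parity(key):
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def set_odd_parity(key):
    """Rewrite the parity bit of each byte; the 56 key bits are untouched."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        out.append(b | (1 if bin(b).count("1") % 2 == 0 else 0))
    return bytes(out)

def effective_key(key):
    """The 56-bit value DES actually keys on: each byte with its parity bit dropped."""
    bits = 0
    for b in key:
        bits = (bits << 7) | (b >> 1)
    return bits

def des_key_problem(key):
    """What a careful implementation checks before accepting a DES key; None means OK."""
    if not has_odd_parity(key):
        return "parity check failed"
    if key in DES_WEAK_KEYS:
        return "weak key"
    return None
```

The parity bits add nothing to the search space: an attacker enumerates the 2**56 effective keys, and `effective_key` is what that enumeration actually iterates over.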


Message Digest 5 (MD5)

  
This is a one-way hash algorithm that produces a 128-bit digest. Both MD5 and the Secure Hash Algorithm (SHA) are derived from MD4 and were designed to strengthen that algorithm's security; SHA is more secure than MD4 and MD5. Cisco uses these hashes, in keyed (HMAC) form, for authentication within the IPsec framework. Practical collisions for MD5 have been known since 2004, so it should not be used where collision resistance matters (those collisions do not break HMAC-MD5 directly, but new deployments should prefer SHA-based HMACs).

Secure Hash Algorithm (SHA)


This is a one-way hash put forth by NIST. SHA (specifically SHA-1, the variant used in IPsec) is closely modelled after MD4 and produces a 160-bit digest. Because SHA-1 produces a 160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes such as MD5, but it is slower. SHA-1 itself now has practical collision attacks, and the SHA-2 family (e.g. SHA-256) is the recommended replacement.


Diffie-Hellman (DH)
This is a method of establishing a shared secret key over an insecure medium. Diffie-Hellman by itself provides no authentication, so an attacker sitting in the middle of the exchange could establish a separate key with each side without either noticing. Diffie-Hellman is therefore used as a component of Oakley, a key exchange protocol that defines how to acquire authenticated keying material.



References:
http://en.wikipedia.org/wiki/IPsec
http://en.wikipedia.org/wiki/MD5
http://www.javvin.com/protocolESP.html
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml


Tuesday, May 22, 2012

Authentication, Authorization, and Accounting (AAA)

Authentication

Authentication provides a way of identifying a user, usually by having the user enter his/her credentials before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access.

The AAA server compares a user's authentication credentials with the credentials stored in a database (stored as password hashes, not plaintext). If the credentials match, the user is granted access to the network. If they do not match, authentication fails and network access is denied.




Authorization


Following authentication, a user must get authorization(which is like a permit) for doing certain tasks. After logging into a system, for example, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands.

In other words, authorization is the process of enforcing policies to determine what types or qualities of service a user is permitted. Typically, authorization occurs within the context of authentication: once a user is authenticated, they may be authorized for different types of access or activity.

Accounting

Accounting measures the resources a user consumes during access. It is carried out by logging session statistics and usage information, and is used for authorization control, billing, trend analysis, resource utilization and capacity planning. In addition, it may record events such as authentication and authorization failures.
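The three functions working together, as an added example that is not part of the original post: a minimal AAA server that stores salted PBKDF2 password hashes and compares them in constant time (authentication), maps each user's role to the commands it may issue (authorization), and logs every decision plus session usage so that failures and consumption can be reported (accounting). The role policy, user, password and session figures are constructed; the class and its method names are this example's own.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000

class AAAServer:
    def __init__(self, policy):
        self._users = {}        # username -> (salt, password hash, role)
        self._policy = policy   # role -> set of permitted commands
        self.records = []       # accounting log, oldest first

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _record(self, event, username, ok, now, **extra):
        self.records.append({"time": now, "event": event, "user": username, "ok": ok, **extra})

    def add_user(self, username, password, role):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt), role)

    def authenticate(self, username, password, now):
        """Authentication: hash the offered password and compare in constant time."""
        entry = self._users.get(username)
        # Unknown users go through the same KDF so timing does not reveal valid names.
        salt, stored, _ = entry if entry else (b"\x00" * 16, b"\x00" * 32, None)
        ok = hmac.compare_digest(self._hash(password, salt), stored) and entry is not None
        self._record("authentication", username, ok, now)
        return ok

    def authorize(self, username, command, now):
        """Authorization: is this command within the user's role?"""
        entry = self._users.get(username)
        ok = entry is not None and command in self._policy.get(entry[2], set())
        self._record("authorization", username, ok, now, command=command)
        return ok

    def account_session(self, username, start, stop, bytes_in, bytes_out):
        """Accounting: session statistics logged when the session ends."""
        self._record("session", username, True, stop,
                     duration=stop - start, bytes_in=bytes_in, bytes_out=bytes_out)

    def failures(self):
        return [r for r in self.records if not r["ok"]]

    def usage(self, username):
        sessions = [r for r in self.records if r["event"] == "session" and r["user"] == username]
        return {"sessions": len(sessions),
                "seconds": sum(r["duration"] for r in sessions),
                "bytes": sum(r["bytes_in"] + r["bytes_out"] for r in sessions)}

# Constructed policy and user.
POLICY = {"admin": {"show", "configure", "reload"}, "operator": {"show"}}

def build_demo():
    srv = AAAServer(POLICY)
    srv.add_user("alice", "correct horse battery", "operator")
    return srv
```

Because every decision is recorded, the accounting log doubles as the detection source the post mentions: a burst of failed authentications for one account, or repeated authorization failures for `reload` from an operator, is visible in `failures()` without any extra instrumentation.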







Resources:
http://en.wikipedia.org/wiki/AAA_protocol
http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting



Sunday, May 13, 2012

Context-Based Access Control(CBAC)

First of all, what does Context-Based Access Control do?
 
It inspects the traffic passing through a firewall router. Ordinary access lists specify which traffic is let in and out based only on addresses and ports; with CBAC, ip inspect statements name the protocols to be inspected, and the router tracks each inspected session in a state table so that it can open temporary access list entries for the return traffic and detect tampering with the protocol.

The commands avaliable in CBAC are shown below:





Advantages of CBAC:

CBAC makes decisions based on how the application behaves, not only on the addresses and port numbers it uses.
It also opens any additional inbound channel required for return traffic that was negotiated within the outgoing data for a particular application/host (for example, the separate data connection of FTP).


It also safeguards the internal network: when a session times out or ends, the state table and ACL entries are deleted, and the opening is closed to additional traffic.

Disadvantages:

Only IP TCP and UDP traffic is inspected by CBAC, so other types of traffic (such as ICMP) and any other Layer 3 protocols need to be filtered using extended ACLs.







Traffic for which the router itself is the source or destination is not inspected: CBAC filters traffic passing through the router, not traffic to or from the router itself, so management traffic to the router still has to be protected by access lists and other controls.



Because CBAC only detects and protects against attacks that travel through the firewall router, it offers little protection against attacks from inside the network; needless to say, an act of sabotage from within could still bring the internal network down.




References:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+6+IOS+Firewall+Feature+Set+-+CBAC/Context-Based+Access+Control+CBAC/


Access Control Lists

For a start, what do access control lists do? Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. They permit or drop packets according to the conditions you define in the access list, and a packet that matches no entry is dropped by the implicit deny at the end of every list.


To set up an access control list, we must first create the access list definition and then apply the access list to an interface. Here's an example below.






Access lists should be used in firewall routers, which are usually placed between internal networks and external networks such as the Internet. Access lists may also be used in the internal network to control traffic entering or exiting anywhere in the network.


In conclusion, I think that access lists should be used in all routers as a necessary security protocol if possible to enhance the security of the internal network.
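How a stateless extended ACL and CBAC's state table combine on the outside interface, as an added example that is not part of the original posts on CBAC and access lists: the ACL matcher uses IOS-style wildcard masks, first match wins, and everything unmatched hits the implicit deny; the CBAC model (TCP and UDP only, as the CBAC post describes) records each outbound session and permits the matching return traffic until the idle timer expires, after which the opening is gone. The addresses, the ACL, the 300-second timeout and the class names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' (0.0.0.255 = whole /24)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

class ExtendedACL:
    """Ordered entries, first match wins, implicit deny if nothing matches."""
    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, action, proto, src, src_wc, dst, dst_wc, dport=None):
        self.entries.append((action, proto, src, src_wc, dst, dst_wc, dport))

    def evaluate(self, pkt):
        for action, proto, src, swc, dst, dwc, dport in self.entries:
            if proto not in ("ip", pkt.proto):
                continue
            if not (wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc)):
                continue
            if dport is not None and pkt.dport != dport:
                continue
            return action
        return "deny"

class CBAC:
    """State table of inspected sessions; each entry is a temporary opening for return traffic."""
    def __init__(self, inspect_protos=("tcp", "udp"), idle_timeout=3600):
        self.inspect_protos, self.idle_timeout = set(inspect_protos), idle_timeout
        self.sessions = {}      # (proto, src, sport, dst, dport) -> expiry time

    def _expire(self, now):
        self.sessions = {k: t for k, t in self.sessions.items() if t > now}

    def inspect_outbound(self, pkt, now):
        if pkt.proto in self.inspect_protos:
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.idle_timeout

    def permits_return(self, pkt, now):
        self._expire(now)
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # the reversed tuple
        if key in self.sessions:
            self.sessions[key] = now + self.idle_timeout             # activity refreshes the timer
            return True
        return False

class FirewallRouter:
    """Outside interface with inspection applied outbound and the ACL applied inbound."""
    def __init__(self, inbound_acl, cbac):
        self.inbound_acl, self.cbac = inbound_acl, cbac

    def outbound(self, pkt, now):
        self.cbac.inspect_outbound(pkt, now)
        return "permit"

    def inbound(self, pkt, now):
        # CBAC's temporary openings sit above the static entries of the inbound ACL
        if self.cbac.permits_return(pkt, now):
            return "permit"
        return self.inbound_acl.evaluate(pkt)

def build_router():
    """Constructed policy: inside is 10.0.0.0/24, one public web server at 10.0.0.80."""
    acl = ExtendedACL("OUTSIDE_IN")
    acl.add("permit", "tcp", "0.0.0.0", "255.255.255.255", "10.0.0.80", "0.0.0.0", dport=80)
    acl.add("permit", "icmp", "0.0.0.0", "255.255.255.255", "10.0.0.0", "0.0.0.255")  # ICMP is not inspected
    return FirewallRouter(acl, CBAC(idle_timeout=300))
```

The ICMP entry is the manual work the CBAC post's disadvantage refers to: because the model inspects only TCP and UDP, echo replies would be dropped by the implicit deny unless the static ACL lets them in, at the cost of that path being open whether or not anyone inside sent a request.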


References:
http://www.linuxjunkies.org/adminstration%20Howto/webminguide/x4901.htm
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html

Sunday, May 6, 2012

Secure Perimeter Routers & Disable Services & Logging


One thing we can do to secure perimeter routers is to enable event logging on them. The event logs help greatly in troubleshooting, capacity planning and resolving security incidents. Because of security concerns, the events logged include changes to interface status, changes to the system configuration, access list matches, firewall detections and intrusion detections. Logs should be timestamped and also sent to a separate syslog server, so that they survive if the router itself is compromised.

In terms of disabling services, turning off Cisco Discovery Protocol (CDP), finger, Network Time Protocol (NTP) where it is not needed, and the TCP and UDP small servers is effective in keeping the router secure.
By disabling CDP, we prevent the leakage of information (platform, software version and addressing) that can be used to exploit vulnerabilities in the router.

By disabling finger, we prevent attackers from identifying which users are logged on to a network device.

By disabling NTP on untrusted interfaces (or disabling it entirely if the router does not use it), we prevent an attacker from corrupting the router's clock, which can subvert time-dependent security mechanisms and cause processes that rely on synchronized time to fail. Where NTP is required, it should be authenticated rather than left open.

Lastly, by disabling the TCP and UDP small servers (echo, chargen, discard and daytime), we remove services that can be abused for denial of service (DoS) and other attacks.
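A check for the hardening items above, as an added example that is not part of the original post: it scans a saved running-config for the IOS commands that disable CDP, finger and the small servers, for timestamped logging to a remote syslog host, and, when NTP is in use, for `ntp authenticate` globally and `ntp disable` on each outside interface. A missing line is reported as "not confirmed" rather than as a vulnerability, because the default for some of these services differs between IOS versions and a default-off service leaves no line in the config. The sample configuration, hostname and addresses are constructed.

```python
import re

# Global lines a hardened perimeter router's running-config should contain.
REQUIRED_LINES = {
    "no cdp run": "CDP not confirmed disabled: it advertises platform, IOS version and addresses",
    "no service tcp-small-servers": "TCP small servers (echo, chargen, discard, daytime) not confirmed disabled",
    "no service udp-small-servers": "UDP small servers not confirmed disabled",
    "service timestamps log datetime msec": "log messages are not timestamped",
}
REQUIRED_PATTERNS = {
    r"^no (ip|service) finger$": "finger not confirmed disabled: it lists logged-in users",
    r"^logging host \S+": "no remote syslog host: logs are lost if the router is compromised",
    r"^logging trap \S+": "no syslog severity level set",
}

def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} for each 'interface ...' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def audit(config, outside_interfaces):
    """List of findings for the hardening items; an empty list means nothing was missed."""
    lines = {l.strip() for l in config.splitlines()}
    findings = [msg for cmd, msg in REQUIRED_LINES.items() if cmd not in lines]
    for pattern, msg in REQUIRED_PATTERNS.items():
        if not any(re.match(pattern, l) for l in lines):
            findings.append(msg)
    if any(l.startswith("ntp server") for l in lines):
        if "ntp authenticate" not in lines:
            findings.append("NTP in use without authentication: time can be spoofed")
        interfaces = parse_interfaces(config)
        for name in outside_interfaces:
            if "ntp disable" not in interfaces.get(name, []):
                findings.append(f"{name}: NTP not disabled on untrusted interface")
    return sorted(findings)

# Constructed sample config: partly hardened, so the audit has something to report.
SAMPLE_CONFIG = """\
hostname perimeter-rtr
service timestamps log datetime msec
no service tcp-small-servers
no ip finger
logging buffered 16384
logging trap informational
ntp server 192.0.2.50
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
 ntp disable
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["GigabitEthernet0/0"]):
        print("-", finding)
```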


References:

http://etutorials.org/Networking/Router+firewall+security/Part+II+Managing+Access+to+Routers/Chapter+4.+Disabling+Unnecessary+Services/

http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Event+Logging+on+Perimeter+Routers/

http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Limit+Unneeded+TCP+IP+and+Other+Services/