Public Key Infrastructure (Digital Cert)
It is an electronic document which uses a digital signature to bind a public key
with an identity, such as the name of a person or an
organization, their address, etc. The certificate can be used
to verify that a public key belongs to an individual.
A digital certificate is a digital form of identification, much like a
passport or driver's license. A digital certificate is a digital
credential that provides information about the identity of an entity as
well as other supporting information. A digital certificate is issued by
an authority, referred to as a certification authority (CA). Because a
digital certificate is issued by a certification authority, that
authority guarantees the validity of the information in the certificate.
Also, a digital certificate is valid for only a specific period of
time.
Digital certificates provide support for public key cryptography
because digital certificates contain the public key of the entity
identified in the certificate. Because the certificate matches a public
key to a particular individual, and that certificate's authenticity is
guaranteed by the issuer, the digital certificate provides a solution to
the problem of how to find a user's public key and know that it is
valid. These problems are solved by a user obtaining another user's
public key from the digital certificate.
The use will knows it is valid
because a trusted certification authority has issued the certificate.
In addition, digital certificates rely on public key cryptography for
their own authentication. When a digital certificate is issued, the
issuing certification authority signs the certificate with its own
private key. To validate the authenticity of a digital certificate, a
user can obtain that certification authority's public key and use it
against the certificate to determine if it was signed by the
certification authority.
References:
http://en.wikipedia.org/wiki/Public_key_certificate
http://technet.microsoft.com/en-us/library/bb123848%28v=exchg.65%29.aspx
Monday, May 28, 2012
Internet Protocol Safety(IPSec)
Internet Protocol Security (IPsec)
It is a set of protocols defined by the Internet Engineering Task Force (IETF) to secure packet exchange over unprotected IP/IPv6 networks such as Internet by authentication and encryption of IP packets during a session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite(IPS). It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
IPS mainly consists of 6 member protocols, which are the Encapsulating Security Payload(EPS), Authentication Header(AH), Data Encryption Standard (DES), Message Digest 5 (MD5), Secure Hash Algorithm (SHA) and Diffie-Hellman(DH).
Encapsulating Security Payload(EPS)
Encapsulating Security Payload (ESP) is a key protocol in the IPsec (Internet Security) architecture, which is designed to provide a mix of security services in IPv4 and IPv6. The IP Encapsulating Security Payload (ESP) seeks to provide confidentiality and integrity by encrypting data to be protected and placing the encrypted data in the data portion of the IP ESP.
Depending on the user's security requirements, this mechanism may be used to encrypt either a transport-layer segment (e.g., TCP, UDP, ICMP, IGMP) or an entire IP datagram. Encapsulating the protected data is necessary to provide confidentiality for the entire original datagram.
Authentication Header(AH)
AH is a protocol that provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram. What parts of the datagram are used for the calculation, and the placement of the header, depends whether tunnel or transport mode is used.
The presence of the AH header allows to verify the integrity of the message, but doesn't encrypt it. Thus, AH provides authentication but not privacy(ESP is used to provide encryption).
Data Encryption Standard (DES)
DES is a block cipher encryption protocol that uses a 56-bit key. A block cipher is an encryption algorithm that operates on a fixed size block of data. DES encrypts data in 64-bit blocks using a 64-bit key. The key appears to be a 64-bit key, but one bit in each of the 8 bytes is used for error checking, resulting in 56 bits of usable key.
Message Digest 5 (MD5)
This is a one way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4, which is designed to strengthen the security of this hashing algorithm. SHA is more secure than MD4 and MD5. Cisco uses hashes for authentication within the IPsec framework.
Secure Hash Algorithm (SHA)
This is a one way hash put forth by NIST. SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a 160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes (such as MD5), but it is slower.
Diffie-Hellman (DH)
This is a method of the establishment of a shared key over an insecure medium. Diffie-Hellman is a component of Oakley. Oakley this is a key exchange protocol that defines how to acquire authenticated keying material.
References:
http://en.wikipedia.org/wiki/IPsec
http://en.wikipedia.org/wiki/MD5
http://www.javvin.com/protocolESP.html
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
It is a set of protocols defined by the Internet Engineering Task Force (IETF) to secure packet exchange over unprotected IP/IPv6 networks such as Internet by authentication and encryption of IP packets during a session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite(IPS). It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
IPS mainly consists of 6 member protocols, which are the Encapsulating Security Payload(EPS), Authentication Header(AH), Data Encryption Standard (DES), Message Digest 5 (MD5), Secure Hash Algorithm (SHA) and Diffie-Hellman(DH).
Encapsulating Security Payload(EPS)
Encapsulating Security Payload (ESP) is a key protocol in the IPsec (Internet Security) architecture, which is designed to provide a mix of security services in IPv4 and IPv6. The IP Encapsulating Security Payload (ESP) seeks to provide confidentiality and integrity by encrypting data to be protected and placing the encrypted data in the data portion of the IP ESP.
Depending on the user's security requirements, this mechanism may be used to encrypt either a transport-layer segment (e.g., TCP, UDP, ICMP, IGMP) or an entire IP datagram. Encapsulating the protected data is necessary to provide confidentiality for the entire original datagram.
Authentication Header(AH)
AH is a protocol that provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram. What parts of the datagram are used for the calculation, and the placement of the header, depends whether tunnel or transport mode is used.
The presence of the AH header allows to verify the integrity of the message, but doesn't encrypt it. Thus, AH provides authentication but not privacy(ESP is used to provide encryption).
Data Encryption Standard (DES)
DES is a block cipher encryption protocol that uses a 56-bit key. A block cipher is an encryption algorithm that operates on a fixed size block of data. DES encrypts data in 64-bit blocks using a 64-bit key. The key appears to be a 64-bit key, but one bit in each of the 8 bytes is used for error checking, resulting in 56 bits of usable key.
Message Digest 5 (MD5)
This is a one way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4, which is designed to strengthen the security of this hashing algorithm. SHA is more secure than MD4 and MD5. Cisco uses hashes for authentication within the IPsec framework.
Secure Hash Algorithm (SHA)
This is a one way hash put forth by NIST. SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a 160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes (such as MD5), but it is slower.
Diffie-Hellman (DH)
This is a method of the establishment of a shared key over an insecure medium. Diffie-Hellman is a component of Oakley. Oakley this is a key exchange protocol that defines how to acquire authenticated keying material.
References:
http://en.wikipedia.org/wiki/IPsec
http://en.wikipedia.org/wiki/MD5
http://www.javvin.com/protocolESP.html
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
Tuesday, May 22, 2012
Authentication, Authorization, and Accounting (AAA)
Authentication
Authentication provides a way of identifying a user, usually by having the user enter his/her credentials before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access.
The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are not matched, authentication fails and network access is denied.
Authorization
Following authentication, a user must get authorization(which is like a permit) for doing certain tasks. After logging into a system, for example, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands.
In other words, authorization is the process of enforcing policies in determining what types or qualities or services a user is permitted. Typically, authorization occurs within the context of authentication. For example, once a user is authenticated, they may be authorized for different types of access or activity.
Accounting
Accounting measures the resources a user consumes during access. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities. In addition, it may record events such as authentication and authorization failures.
Resources:
http://en.wikipedia.org/wiki/AAA_protocol
http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting
Authentication provides a way of identifying a user, usually by having the user enter his/her credentials before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access.
The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are not matched, authentication fails and network access is denied.
Authorization
Following authentication, a user must get authorization(which is like a permit) for doing certain tasks. After logging into a system, for example, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands.
In other words, authorization is the process of enforcing policies in determining what types or qualities or services a user is permitted. Typically, authorization occurs within the context of authentication. For example, once a user is authenticated, they may be authorized for different types of access or activity.
Accounting
Accounting measures the resources a user consumes during access. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities. In addition, it may record events such as authentication and authorization failures.
Resources:
http://en.wikipedia.org/wiki/AAA_protocol
http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting
Sunday, May 13, 2012
Context-Based Access Control(CBAC)
First of all, what does the Context-Based Access Control do?
It inspects the activity behind a firewall, which specifies what traffic needs to be let in and out by using access lists. However, these type of access lists include ip inspect statements that allow the inspection of the protocol to prevent tampering before the protocol is configured.
The commands avaliable in CBAC are shown below:
Advantages of CBAC:
CBAC makes decisions based on how the application behaves, not only the addresses and port number it uses.
It also opens any additional inbound channel required for returning data that were communicated by the outgoing data for a particular application/host.
It also safeguards the internal network, such as when a session times out or ends, the state table and ACL entries are deleted, and the opening closes to additional traffic.
Disadvantages:
Only IP TCP and UDP traffic is inspected by CBAC, so other types of traffic and any other Layer 3 protocols need to be filtered using extended ACLs.
Any traffic where the router is the source or destination, it will be inspected. CBAC will filter traffic passing through, but not traffic from a particular device.
Because CBAC only detects and protects against attacks that travel through the firewall router, it doesn’t have much protection from attacks from inside the network, needless to say an sabotage could bring the internal network down.
References:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+6+IOS+Firewall+Feature+Set+-+CBAC/Context-Based+Access+Control+CBAC/
It inspects the activity behind a firewall, which specifies what traffic needs to be let in and out by using access lists. However, these type of access lists include ip inspect statements that allow the inspection of the protocol to prevent tampering before the protocol is configured.
The commands avaliable in CBAC are shown below:
Advantages of CBAC:
CBAC makes decisions based on how the application behaves, not only the addresses and port number it uses.
It also opens any additional inbound channel required for returning data that were communicated by the outgoing data for a particular application/host.
It also safeguards the internal network, such as when a session times out or ends, the state table and ACL entries are deleted, and the opening closes to additional traffic.
Disadvantages:
Only IP TCP and UDP traffic is inspected by CBAC, so other types of traffic and any other Layer 3 protocols need to be filtered using extended ACLs.
Any traffic where the router is the source or destination, it will be inspected. CBAC will filter traffic passing through, but not traffic from a particular device.
Because CBAC only detects and protects against attacks that travel through the firewall router, it doesn’t have much protection from attacks from inside the network, needless to say an sabotage could bring the internal network down.
References:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+6+IOS+Firewall+Feature+Set+-+CBAC/Context-Based+Access+Control+CBAC/
Access Control Lists
For a start, what does access control lists do? Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. They can allow or drop packets depending on your controls on access lists.
To set up a access control list, we must create an access list definition, and to apply the access list to an interface. Here's an example below.
References:
http://www.linuxjunkies.org/adminstration%20Howto/webminguide/x4901.htm
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html
To set up a access control list, we must create an access list definition, and to apply the access list to an interface. Here's an example below.
Access lists should be used in firewall routers, which are usually put between internal networks and external networks, such as the Internet.. Access lists may also be used in the internal network to control traffic entering or
exiting anywhere in the network.
In conclusion, I think that access lists should be used in all routers as a necessary security protocol if possible to enhance the security of the internal network.
References:
http://www.linuxjunkies.org/adminstration%20Howto/webminguide/x4901.htm
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html
Sunday, May 6, 2012
Secure Perimeter Routers & Disable Services & Logging
One thing that we can do to secure perimeter routers is to have event logging on it. The event logs can help greatly in troubleshooting, planning of capcity and resolving security incidents. Due to security conerns, the events logged are changes to the interface status, system configuration, access list matches, firewall detections and intrusion dectection.
In disabling services and logging, disabling Cisco Discovery Protocol(CDP), finger, Network Time Protocol(NTP) ,TCP and UDP will be effective in keeping the router secure and safe.
By disabling CDP, it prevents information leakage used to exploit vulnerabilities in the router.
By disabling finger,it prevents attackers/hackers from trying to identify which users are logged on on a network device.
By disabling NTP, it prevents corruption which can subvert certain security protocols and eventually cause some processes to fail to synchronize or function.
Lastly, by disabling TCP & UDP, it prevents denial of service(DoS) and other various attacks from happening.
References:
http://etutorials.org/Networking/Router+firewall+security/Part+II+Managing+Access+to+Routers/Chapter+4.+Disabling+Unnecessary+Services/
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Event+Logging+on+Perimeter+Routers/
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Limit+Unneeded+TCP+IP+and+Other+Services/
Subscribe to:
Comments (Atom)