Monday, June 4, 2012

Site to Site VPN, Remote VPN

 There are two types of Virtual Private Network (VPN), known as Site-to-site VPN and Remote-Access VPN.

Site-to-Site VPN
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN extends the company’s network, making computer resources at one location accessible to employees at other locations. An example of a company that uses a site-to-site VPN is a growing corporation with branch offices located around the world.
Similarly, there are also two types of site-to-site VPNs:

  • Intranet-based: If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.

  • Extranet-based: When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies’ LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Even though a site-to-site VPN serves a different purpose from a remote-access VPN, it can use some of the same software and equipment. Ideally, a site-to-site VPN should remove the need for each computer to run VPN client software as if it were on a remote-access VPN.

Remote-Access VPN
A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged into the network’s servers. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Remote-access VPN is also known as virtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialling in to a server using an analogue telephone system.

There are two components required in a remote-access VPN. The first is a network access server (NAS), also known as a media gateway or a remote-access server (RAS). A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It’s a NAS that a user connects to from the Internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user’s credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.

The other required component is client software. Employees need this software to establish and maintain a connection to the VPN. Most operating systems today have built-in software that is capable of connecting to remote-access VPNs, although some VPNs require users to download a specific application instead.

Sunday, May 27, 2012

Public Key Infrastructure (Digital Cert)


In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document which uses a digital signature to bind a public key with an identity: information such as the name of a person or an organization, their address, and so forth. The certificate can also be used to verify that a public key belongs to an individual.
In a public key infrastructure (PKI) scheme, the signature will be of the certificate authority (CA). In a web of trust scheme, the signature is of either the user (self-signed certificate) or other users (endorsements). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
For provable security, this reliance on something external to the system has the consequence that any public key certification scheme has to rely on some special setup assumption, such as the existence of a certificate authority.
Certificates can be created for Unix-based servers with tools such as OpenSSL’s ca command or SuSE’s gensslcert. These may be used to issue unmanaged certificates, CA certificates for managing other certificates, and user and/or computer certificate requests to be signed by the CA, as well as a number of other certificate related functions.
In order to make sure that a digital certificate is real or valid, it must have the following contents:
  • Serial Number -- Used to uniquely identify the certificate.
  • Subject -- The person, or entity identified.
  • Signature Algorithm -- The algorithm used to create the signature.
  • Signature -- The actual signature to verify that it came from the issuer.
  • Issuer -- The entity that verified the information and issued the certificate.
  • Valid-From -- The date the certificate is first valid from.
  • Valid-To -- The expiration date.
  • Key-Usage -- Purpose of the public key (e.g. encipherment, signature, certificate signing...).
  • Public Key
  • Thumbprint Algorithm -- The algorithm used to hash the public key.
  • Thumbprint -- The hash itself, used as an abbreviated form of the public key.

IPSec (ESP, AH, DES, MD5, SHA, DH)


Internet Protocol Security (IPsec) is a protocol suite to secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys that will be used during the session. Examples of the protocols and algorithms used with IPsec include ESP, AH, DES, MD5, SHA and DH.
Encapsulating Security Payload (ESP)
ESP is a security protocol that is used to provide confidentiality (encryption), data origin authentication, integrity, optional anti-replay service, and limited traffic-flow confidentiality by defeating traffic-flow analysis.
Authentication Header (AH)
AH provides authentication and integrity to the datagrams that are passed between two systems. This is achieved by applying a keyed one-way hash function to the datagram to create a message digest. If any part of the datagram is changed during transit, this will be detected by the receiver when it performs the same one-way hash function on the datagram and compares the value of the message digest that the sender has supplied. The fact that the one-way hash also involves the use of a secret shared between the two systems means that authenticity can be guaranteed.
DES Algorithm
DES is used to encrypt and decrypt packet data; it is capable of turning clear text into cipher text via an encryption algorithm. The decryption algorithm on the remote end restores clear text from cipher text. The shared secret keys enable the encryption and decryption of the packet data. Also, DES uses a 56-bit key, which ensures high-performance encryption.
Message Digest 5 (MD5)
MD5 is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the MD5 hashed message authentication code (HMAC) variant, which provides an additional level of hashing. A hash is a one-way encryption algorithm that takes an input message of arbitrary length and produces a fixed-length output message. MD5 authentication can also be used by IKE, AH and ESP.
Secure Hash Algorithm 1 (SHA-1)
SHA-1 is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the SHA-1 HMAC variant, which provides an additional level of hashing. Similar to MD5, SHA-1 authentication can also be used by IKE, AH and ESP.
Diffie-Hellman (D-H)
D-H is a public-key cryptography protocol which allows two parties to establish, over an insecure communications channel, a shared secret key that will be used by encryption algorithms. D-H is used within IKE to establish session keys. 768-bit and 1024-bit D-H groups are supported in the Cisco routers and PIX Firewall. The 1024-bit group is more secure than the 768-bit group.
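
The keyed one-way hash that AH applies to a datagram, sketched with the HMAC-SHA-1 variant mentioned above. This is an added example, not code from the original post; the key, addresses and payload are constructed samples, and it is simplified in that real AH also authenticates its own header (SPI, sequence number) with the digest field zeroed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: AH carries the first 96 bits of the HMAC output

def ipv4_header(src, dst, ttl, payload_len):
    """Minimal 20-byte IPv4 header (constructed sample; protocol 51 = AH)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, 51, 0, bytes(src), bytes(dst))

def zero_mutable(header):
    """Zero the fields routers may legitimately change in transit."""
    h = bytearray(header)
    h[1] = 0                    # type of service
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)

def compute_icv(key, header, payload):
    """Sender side: keyed hash over the immutable header fields and the payload."""
    mac = hmac.new(key, zero_mutable(header) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]

def verify(key, header, payload, icv):
    """Receiver side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(compute_icv(key, header, payload), icv)

KEY = b"constructed-shared-secret"          # sample key, not a real one
PAYLOAD = b"constructed sample payload"
SRC, DST = (192, 0, 2, 1), (198, 51, 100, 7)

def demo():
    n = len(PAYLOAD)
    sent = ipv4_header(SRC, DST, 64, n)
    icv = compute_icv(KEY, sent, PAYLOAD)
    return {
        "ttl_decremented": verify(KEY, ipv4_header(SRC, DST, 61, n), PAYLOAD, icv),
        "payload_altered": verify(KEY, sent, PAYLOAD[:-1] + b"X", icv),
        "source_rewritten": verify(KEY, ipv4_header((192, 0, 2, 99), DST, 64, n), PAYLOAD, icv),
        "wrong_key": verify(b"another-secret", sent, PAYLOAD, icv),
    }
```

Only the TTL change still verifies. The failed check on a rewritten source address is also why AH does not survive address translation between the two systems.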

Monday, May 14, 2012

Authentication, Authorization and Accounting


What is Authentication, Authorization and Accounting?

Authentication refers to the process where an entity’s identity is authenticated, usually by providing evidence that represents a specific digital identity such as an identifier or credentials. Some examples of credentials include passwords, tokens and digital certificates.

Authorization is the process of determining whether a particular entity is authorized to carry out an action, usually inherited from authentication when logging on to an application or service. Authorization may be determined based on a range of restrictions, for example time-of-day restrictions, physical location restrictions or multiple access attempts from the same user or entity. Examples of some common authorization services in networking include IP address filtering, address assignment, route assignment, quality of service/differential services, bandwidth control/traffic management, compulsory tunnelling to a specific endpoint, and encryption.

Accounting refers to the tracking of network resources used up by users for the purpose of capacity and trend analysis, cost allocation and billing. In addition, it may also record events such as authentication and authorization failures, and include auditing functionality, which permits verifying the correctness of procedures carried out based on accounting data. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources.

An example of AAA (Authentication, Authorization, Accounting) usage in CDMA data networks:

AAA servers in CDMA data networks are entities that provide IP functionality to support the functions of authentication, authorization and accounting. The AAA server in the CDMA wireless data network architecture is similar to the HLR in the CDMA wireless voice network architecture.

Some types of AAA servers include:
  • Access Network AAA – It communicates with RNC in the Access Network to enable authentication and authorization functions to be performed at the Access Network.
  • Broker AAA – Acts as an intermediary to proxy AAA traffic between roaming partner networks.
  • Home AAA – The Home AAA stores user profile information, responds to authentication requests, and collects accounting information.
  • Visited AAA – The AAA server in the visited network from which a roamer is receiving service. The Visited AAA in the serving network communicates with the Home AAA in a roamer’s home network.

Saturday, May 12, 2012

Context-based access control


Context-based access control, also known as CBAC, is capable of filtering TCP and UDP packets based on application layer protocol session information, and also can be used for intranets, extranets and internets. CBAC can also be configured to allow specified TCP and UDP traffic to travel through a firewall only when the connection is initiated from the network that requires protection. Apart from being able to inspect traffic for sessions that originate from the external network, CBAC is also capable of checking traffic for sessions that originate from either side of the firewall.
Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer or, at most, the transport layer. However, CBAC examines not only network and transport layer information but also the application-layer protocol information, such as FTP connection information, to learn about the state of the TCP or UDP session. This allows support of protocols that involve multiple channels created as a result of negotiations in the FTP control channel. Most of the multimedia protocols as well as some other protocols, such as FTP, RPC, and SQL*NET, involve multiple control channels.
CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall’s access lists to allow return traffic and additional data connections for permissible sessions. And since CBAC does deep packet inspection, it is also considered to be an IOS Firewall. Apart from the above-mentioned services, CBAC also prevents and detects Denial-of-Service (DoS) attacks, and provides real-time alerts and audit trails.
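
The temporary openings described above, modelled as a small state table that also reads the FTP control channel to admit the negotiated data connection. This is an added example, not Cisco's implementation or code from the original post; the class, its methods and the addresses are hypothetical and constructed for illustration.

```python
import ipaddress
import re

PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class Inspector:
    """Toy CBAC-style inspector: the static ACL denies all inbound traffic;
    sessions started from the inside create temporary inbound openings."""

    def __init__(self, inside_net):
        self.inside = ipaddress.ip_network(inside_net)
        self.openings = set()  # (src_ip, src_port, dst_ip, dst_port) allowed inbound

    def packet(self, src, sport, dst, dport, payload=b""):
        if ipaddress.ip_address(src) in self.inside:
            # Outbound packet: remember the session so its replies are allowed.
            self.openings.add((dst, dport, src, sport))
            if dport == 21:
                self._inspect_ftp_control(src, dst, payload)
            return "permit"
        # Inbound packet: only a matching temporary opening lets it through.
        return "permit" if (src, sport, dst, dport) in self.openings else "deny"

    def _inspect_ftp_control(self, client, server, payload):
        m = PORT_CMD.fullmatch(payload.strip())
        if not m:
            return
        n = [int(x) for x in m.groups()]
        ip, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        # Open the data channel only towards the client that sent the command.
        if ip == client and 1024 <= port <= 65535:
            self.openings.add((server, 20, client, port))

    def close(self, client, cport, server, sport):
        """Session ended: remove its opening (data-channel cleanup omitted)."""
        self.openings.discard((server, sport, client, cport))

def demo():
    fw, out, srv, pc = Inspector("10.0.0.0/24"), [], "203.0.113.5", "10.0.0.8"
    out.append(fw.packet(srv, 21, pc, 40000))                   # unsolicited inbound
    out.append(fw.packet(pc, 40000, srv, 21, b"USER demo\r\n"))  # inside host starts session
    out.append(fw.packet(srv, 21, pc, 40000))                   # reply on that session
    out.append(fw.packet(srv, 20, pc, 50001))                   # data channel, not negotiated
    fw.packet(pc, 40000, srv, 21, b"PORT 10,0,0,8,195,81\r\n")   # 195*256+81 = 50001
    out.append(fw.packet(srv, 20, pc, 50001))                   # negotiated data channel
    fw.packet(pc, 40000, srv, 21, b"PORT 10,0,0,9,195,82\r\n")   # names a different host
    out.append(fw.packet(srv, 20, "10.0.0.9", 50002))
    fw.close(pc, 40000, srv, 21)
    out.append(fw.packet(srv, 21, pc, 40000))                   # after the session closed
    return out
```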

Resources: http://en.wikipedia.org/wiki/Context-based_access_control

Access Control Lists


An access control list (ACL) in a computer file system is a list of permissions attached to an object. The purpose of an ACL is to grant or limit the access of users and system processes to objects. Each entry in an ACL specifies the subject and operation. For example, if a file has an ACL that contains (Ben, update), this would grant Ben the permission to edit the file. When a subject requests an operation on an object in an ACL-based security model, the operating system will search for an applicable entry in the ACL to determine if the requested operation is authorized. A key issue in the definition of any ACL-based security model is determining how access control lists are edited, that is, which users and processes are granted ACL-modification access. A filesystem ACL is a data structure containing entries that specify individual user or group rights to specific system objects such as programs, processes or files. The privileges or permissions determine specific access rights, such as whether a user is able to read from, write to, or execute an object. In some implementations, an access control entry (ACE) can control whether a user or group of users is permitted to edit the ACL on an object.

Saturday, May 5, 2012

Secure Perimeter Routers & Disable Services & Logging


A network is the entry point to your applications. It provides the first gatekeepers that control access to the various servers in your environment. The servers are protected by their own OS (Operating System) gatekeepers. However, it is important not to allow them to be swamped with attacks from the network layer. In a way, it is also important to ensure that the network gatekeepers cannot be replaced or reconfigured by unauthorized users. In summary, network security involves protection of networking devices and the data that they send.

As we know, the router is the very first line of defence. Apart from routing packets, it can also be configured to block or filter forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP).
The different types of configurations available for the routers are:
  • Patches and updates
  • Protocols
  • Administrative access
  • Services
  • Auditing and Logging
  • Intrusion detection


Disabling redundant and inactive services like CDP, TCP and UDP can improve network security. Many of these services involve security issues, each with its own level of risk, which a hacker could use to their advantage to gather information about your router or even attempt to gain unauthorized access. Thus, it is safer to disable inactive services on the perimeter router in order to avoid unnecessary risks.



Perimeter router logs may be useful in troubleshooting, capacity planning and dealing with security incidents. For security purposes, the events to log are interface status changes, system configuration changes, access list matches, and events detected by firewall and intrusion detection features. System logging events can be reported to various destinations, for example:
  • The system console port. As many console ports are unattended or connected to terminals with no historical storage, this information might not be available to reconstruct a major event.
  • Most routers are capable of saving system logging information into a local RAM buffer. The buffer has a fixed size and keeps only the most recent information, and the contents are lost whenever the router is reloaded.

 Resources: http://etutorials.org/Networking/Router+firewall+security/Part+II+Managing+Access+to+Routers/Chapter+4.+Disabling+Unnecessary+Services/
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Chapter+Review/ 
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Event+Logging+on+Perimeter+Routers/ 
http://msdn.microsoft.com/en-us/library/ff648651.aspx