Monday, June 4, 2012

Site to Site VPN, Remote VPN

 There are two types of Virtual Private Network (VPN), known as Site-to-site VPN and Remote-Access VPN.

Site-to-Site VPN
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN extends the company’s network, making computer resources at one location accessible to employees at other locations. An example of a company that uses a site-to-site VPN is a growing corporation with branch offices located around the world.
Similarly, there are also two types of site-to-site VPNs:

  • Intranet-based: If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.

  • Extranet-based: When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies’ LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Even though a site-to-site VPN serves a different purpose from a remote-access VPN, it can use some of the same software and equipment. Ideally, a site-to-site VPN should remove the need for each computer to run VPN client software, as it would on a remote-access VPN.

Remote-Access VPN
A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged into the network’s servers. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Remote-access VPN is also known as virtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialling in to a server using an analogue telephone system.

There are two components required in a remote-access VPN. The first is a network access server (NAS), also known as a media gateway or a remote-access server (RAS). A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It is the NAS that a user connects to from the Internet in order to use the VPN. The NAS requires the user to provide valid credentials to sign in to the VPN. To authenticate the user’s credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.

The other required component is client software. This software is required for employees to establish and maintain a connection to the VPN. Most operating systems today have built-in software capable of connecting to remote-access VPNs, although some VPNs require a specific client application to be downloaded instead.

References:

Sunday, May 27, 2012

Public Key Infrastructure (Digital Cert)


In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document which uses a digital signature to bind a public key with an identity: information such as the name of a person or an organization, their address, and so forth. The certificate can also be used to verify that a public key belongs to an individual.
In a public key infrastructure (PKI) scheme, the signature will be that of a certificate authority (CA). In a web of trust scheme, the signature is that of either the user (a self-signed certificate) or other users (endorsements). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
For provable security, this reliance on something external to the system has the consequence that any public key certification scheme has to rely on some special setup assumption, such as the existence of a certificate authority.
Certificates can be created for Unix-based servers with tools such as OpenSSL’s ca command or SuSE’s gensslcert. These may be used to issue unmanaged certificates, CA certificates for managing other certificates, and user and/or computer certificate requests to be signed by the CA, as well as a number of other certificate related functions.
In order to make sure that a digital certificate is real or valid, it must have the following contents:
Serial Number -- Used to uniquely identify the certificate.
Subject -- The person, or entity identified.
Signature Algorithm -- The algorithm used to create the signature.
Signature -- The actual signature to verify that it came from the issuer.
Issuer -- The entity that verified the information and issued the certificate.
Valid-From -- The date the certificate is first valid from.
Valid-To -- The expiration date.
Key-Usage -- Purpose of the public key (e.g. encipherment, signature, certificate signing...).
Public Key
Thumbprint Algorithm -- The algorithm used to hash the public key.
Thumbprint -- The hash itself, used as an abbreviated form of the public key.
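As a worked illustration of these contents (added here; this is not code from the original post), the following Go program builds a small PKI with the standard library: a self-signed root CA issues a certificate, the program reads back the serial number, subject, issuer, signature algorithm, validity dates, key usage and thumbprint, and then verifies the certificate against the CA, against a date after expiry, and against a CA that never signed it. The names "Example Root CA" and "www.example.test" are made up for the example, and the thumbprint is computed over the DER encoding of the whole certificate, which is how OpenSSL and browsers display it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertSummary collects the certificate contents listed above, read back from a parsed certificate.
type CertSummary struct {
	Serial, Subject, Issuer, SigAlg string
	NotBefore, NotAfter             time.Time
	CanSignCerts                    bool   // Key-Usage includes certificate signing
	Thumbprint                      string // SHA-256 over the DER encoding of the certificate
}

// issue creates a certificate for subject. With parent == nil the certificate is
// self-signed (a root CA); otherwise it is signed with the parent's private key.
func issue(subject string, isCA bool, serial int64, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func summarize(c *x509.Certificate) CertSummary {
	sum := sha256.Sum256(c.Raw)
	return CertSummary{
		Serial:       c.SerialNumber.String(),
		Subject:      c.Subject.CommonName,
		Issuer:       c.Issuer.CommonName,
		SigAlg:       c.SignatureAlgorithm.String(),
		NotBefore:    c.NotBefore,
		NotAfter:     c.NotAfter,
		CanSignCerts: c.KeyUsage&x509.KeyUsageCertSign != 0,
		Thumbprint:   hex.EncodeToString(sum[:]),
	}
}

// verify checks leaf against the trusted root at the given time: the signature
// chain, the validity window and the CA's basic constraints are all enforced.
func verify(leaf, root *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	now := time.Now()
	ca, caKey, err := issue("Example Root CA", true, 1, nil, nil, now)
	if err != nil {
		panic(err)
	}
	leaf, _, err := issue("www.example.test", false, 2, ca, caKey, now)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{ca, leaf} {
		fmt.Printf("%+v\n", summarize(c))
	}
	fmt.Println("valid now:   ", verify(leaf, ca, now.Add(time.Hour)))
	fmt.Println("after expiry:", verify(leaf, ca, now.Add(400*24*time.Hour)))
	other, _, _ := issue("Untrusted CA", true, 3, nil, nil, now)
	fmt.Println("wrong issuer:", verify(leaf, other, now.Add(time.Hour)))
}
```

The three verify calls show the checks a relying party performs with those fields: the issuer's signature must validate against a trusted CA, the current time must fall inside Valid-From/Valid-To, and a certificate signed by an unknown CA is rejected even though it is otherwise well formed.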

IPSec (ESP, AH, DES, MD5, SHA, DH)


Internet Protocol Security (IPsec) is a protocol suite to secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys that will be used during the session. Some examples of IPsec protocols and algorithms include ESP, AH, DES, MD5, SHA and DH.
Encapsulating Security Payload (ESP)
ESP is a security protocol that is used to provide confidentiality (encryption), data origin authentication, integrity, optional anti-replay service, and limited traffic-flow confidentiality by defeating traffic-flow analysis.
Authentication Header (AH)
AH provides authentication and integrity for the datagrams that are passed between two systems. This is achieved by applying a keyed one-way hash function to the datagram to create a message digest. If any part of the datagram is changed in transit, the receiver will detect it when it performs the same one-way hash function on the datagram and compares the result with the message digest that the sender supplied. The fact that the one-way hash also involves the use of a secret shared between the two systems means that authenticity can be guaranteed.
DES Algorithm
DES is used to encrypt and decrypt packet data; it is capable of turning clear text into cipher text via an encryption algorithm. The decryption algorithm on the remote end restores clear text from cipher text. The shared secret keys enable the encryption and decryption of the packet data. Also, DES uses a 56-bit key, which ensures high-performance encryption.
Message Digest 5 (MD5)
MD5 is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the MD5 hashed message authentication code (HMAC) variant, which provides an additional level of hashing. A hash is a one-way encryption algorithm that takes an input message of arbitrary length and produces a fixed-length output message. MD5 authentication can also be used by IKE, AH and ESP.
Secure Hash Algorithm 1 (SHA-1)
SHA-1 is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the SHA-1 HMAC variant, which provides an additional level of hashing. Similar to MD5, SHA-1 authentication can also be used by IKE, AH and ESP.
Diffie-Hellman (D-H)
D-H is a public-key cryptography protocol which allows two parties to establish a shared secret key that will be used by encryption algorithms over an insecure communications channel. D-H is used within IKE to establish session keys. 768-bit and 1024-bit D-H groups are supported in the Cisco routers and PIX Firewall. The 1024-bit group is more secure than the 768-bit group.
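To make the AH description concrete, here is an added Go example (not from the original post) of what a receiver does with a keyed one-way hash: the sender computes an HMAC over the datagram fields with the shared secret, and the receiver recomputes it, rejects anything that was modified in transit, and applies a 64-entry sliding anti-replay window on the AH sequence number in the order RFC 4302 describes (sequence check first, then the integrity check, and the window is updated only after the datagram proves authentic). HMAC-SHA-256 stands in for the HMAC-MD5 and HMAC-SHA-1 variants mentioned above; the key, addresses and payloads are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Datagram models what AH protects: the immutable IP header fields, the AH
// sequence number and the payload. ICV is the keyed digest the sender appends.
type Datagram struct {
	Src, Dst string
	Seq      uint32
	Payload  []byte
	ICV      []byte
}

// authenticated returns the bytes the keyed hash covers.
func (d Datagram) authenticated() []byte {
	var b bytes.Buffer
	b.WriteString(d.Src)
	b.WriteByte(0)
	b.WriteString(d.Dst)
	b.WriteByte(0)
	var seq [4]byte
	binary.BigEndian.PutUint32(seq[:], d.Seq)
	b.Write(seq[:])
	b.Write(d.Payload)
	return b.Bytes()
}

func icv(key []byte, d Datagram) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(d.authenticated())
	return mac.Sum(nil)
}

// Seal is the sender side: compute the ICV with the shared secret.
func Seal(key []byte, d Datagram) Datagram {
	d.ICV = icv(key, d)
	return d
}

const windowSize = 64

// Receiver holds the state of one inbound security association: the shared key,
// the highest sequence number accepted so far and a 64-bit sliding window.
type Receiver struct {
	key     []byte
	highest uint32
	window  uint64 // bit i set: sequence number highest-i has been accepted
}

func NewReceiver(key []byte) *Receiver { return &Receiver{key: key} }

// Accept runs the cheap anti-replay check first, then the ICV check (constant-time
// compare), and marks the sequence number as seen only after both pass.
func (r *Receiver) Accept(d Datagram) error {
	if err := r.checkReplay(d.Seq); err != nil {
		return err
	}
	if !hmac.Equal(icv(r.key, d), d.ICV) {
		return errors.New("integrity check failed: datagram modified or wrong key")
	}
	r.markSeen(d.Seq)
	return nil
}

func (r *Receiver) checkReplay(seq uint32) error {
	switch {
	case seq == 0:
		return errors.New("sequence number 0 is never valid")
	case seq > r.highest:
		return nil // new high-water mark
	case r.highest-seq >= windowSize:
		return errors.New("sequence number too old for the replay window")
	case r.window&(1<<(r.highest-seq)) != 0:
		return errors.New("replayed datagram")
	}
	return nil
}

func (r *Receiver) markSeen(seq uint32) {
	if seq > r.highest {
		shift := seq - r.highest
		if shift >= windowSize {
			r.window = 0
		} else {
			r.window <<= shift
		}
		r.highest = seq
		r.window |= 1
		return
	}
	r.window |= 1 << (r.highest - seq)
}

func main() {
	key := []byte("constructed-shared-secret")
	rx := NewReceiver(key)
	d := Seal(key, Datagram{Src: "10.0.0.1", Dst: "10.0.0.2", Seq: 1, Payload: []byte("hello")})
	fmt.Println("first delivery:", rx.Accept(d))
	fmt.Println("replay:        ", rx.Accept(d))
	tampered := Seal(key, Datagram{Src: "10.0.0.1", Dst: "10.0.0.2", Seq: 2, Payload: []byte("hello")})
	tampered.Payload = []byte("HELLO") // changed after the ICV was computed
	fmt.Println("tampered:      ", rx.Accept(tampered))
}
```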

Monday, May 14, 2012

Authentication, Authorization and Accounting


What is Authentication, Authorization and Accounting?

Authentication refers to the process by which an entity’s identity is verified, usually by providing evidence that represents a specific digital identity, such as an identifier or credentials. Some examples of credentials include passwords, tokens and digital certificates.

Authorization is the process of determining whether a particular entity is authorized to carry out an action, usually inherited from authentication when logging on to an application or service. Authorization may be determined based on a range of restrictions, for example time-of-day restrictions, physical location restrictions or multiple access attempts from the same user or entity. Examples of common authorization services in networking include IP address filtering, address assignment, route assignment, quality of service/differentiated services, bandwidth control/traffic management, compulsory tunnelling to a specific endpoint, and encryption.

Accounting refers to the tracking of network resources used up by users for the purpose of capacity and trend analysis, cost allocation and billing. In addition, it may also record events such as authentication and authorization failures, and include auditing functionality, which permits verifying the correctness of procedures carried out based on accounting data. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources.

Some examples of AAA (Authentication, Authorization, Accounting) usage in CDMA data networks:

AAA servers in CDMA data networks are entities that provide IP functionality to support the functions of authentication, authorization and accounting. The AAA server in the CDMA wireless data network architecture is similar to the HLR in the CDMA wireless voice network architecture.

Some types of AAA servers include:
  • Access Network AAA – It communicates with the RNC in the Access Network to enable authentication and authorization functions to be performed at the Access Network.
  • Broker AAA – Acts as an intermediary to proxy AAA traffic between roaming partner networks.
  • Home AAA – The Home AAA stores user profile information, responds to authentication requests, and collects accounting information.
  • Visited AAA – The AAA server in the visited network from which a roamer is receiving service. The Visited AAA in the serving network communicates with the Home AAA in a roamer’s home network.
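Here is an added Go example (not part of the original post) that walks through all three A's for one login attempt: the server checks a salted password hash in constant time (authentication), enforces a time-of-day restriction and an action list (authorization), and writes an accounting record for every success and failure so the log can later be audited. The user "alice", her policy and the salt are constructed for the example; a production server would use a slow password hash such as bcrypt rather than a single SHA-256.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Credential is what the server stores for a user: a salted hash, never the password.
// (Constructed example; a real deployment would use a slow hash such as bcrypt or scrypt.)
type Credential struct {
	Salt []byte
	Hash [32]byte
}

// Policy is the authorization profile attached to a user.
type Policy struct {
	HourStart, HourEnd int             // allowed window [start, end) in the server's clock
	Actions            map[string]bool // e.g. "vpn-access", "admin-shell"
}

// Record is one accounting entry.
type Record struct {
	At      time.Time
	User    string
	Event   string // "auth", "authz", "session-start", "session-stop"
	Outcome string
}

type AAAServer struct {
	creds    map[string]Credential
	policies map[string]Policy
	Log      []Record
}

func NewAAAServer() *AAAServer {
	return &AAAServer{creds: map[string]Credential{}, policies: map[string]Policy{}}
}

func hashPassword(salt []byte, password string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), password...))
}

func (s *AAAServer) AddUser(name, password string, salt []byte, p Policy) {
	s.creds[name] = Credential{Salt: salt, Hash: hashPassword(salt, password)}
	s.policies[name] = p
}

func (s *AAAServer) account(at time.Time, user, event, outcome string) {
	s.Log = append(s.Log, Record{At: at, User: user, Event: event, Outcome: outcome})
}

// Authenticate answers "who are you?"; the constant-time compare keeps timing
// from revealing how many bytes of the hash matched.
func (s *AAAServer) Authenticate(at time.Time, user, password string) error {
	c, ok := s.creds[user]
	if !ok {
		s.account(at, user, "auth", "fail: unknown user")
		return errors.New("authentication failed")
	}
	got := hashPassword(c.Salt, password)
	if subtle.ConstantTimeCompare(got[:], c.Hash[:]) != 1 {
		s.account(at, user, "auth", "fail: bad password")
		return errors.New("authentication failed")
	}
	s.account(at, user, "auth", "ok")
	return nil
}

// Authorize answers "what may you do?", here with a time-of-day restriction and an action list.
func (s *AAAServer) Authorize(at time.Time, user, action string) error {
	p := s.policies[user]
	h := at.Hour()
	if h < p.HourStart || h >= p.HourEnd {
		s.account(at, user, "authz", "fail: outside allowed hours")
		return fmt.Errorf("%s not allowed at %02d:00", action, h)
	}
	if !p.Actions[action] {
		s.account(at, user, "authz", "fail: action not permitted")
		return fmt.Errorf("%s not permitted for %s", action, user)
	}
	s.account(at, user, "authz", "ok: "+action)
	return nil
}

// Session runs the three steps for one login attempt and returns how many
// accounting records it produced; failures are recorded as well as successes.
func (s *AAAServer) Session(at time.Time, user, password, action string, dur time.Duration) (int, error) {
	before := len(s.Log)
	if err := s.Authenticate(at, user, password); err != nil {
		return len(s.Log) - before, err
	}
	if err := s.Authorize(at, user, action); err != nil {
		return len(s.Log) - before, err
	}
	s.account(at, user, "session-start", action)
	s.account(at.Add(dur), user, "session-stop", fmt.Sprintf("%s used %v", action, dur))
	return len(s.Log) - before, nil
}

func main() {
	srv := NewAAAServer()
	srv.AddUser("alice", "correct horse battery staple", []byte("salt-1"),
		Policy{HourStart: 8, HourEnd: 18, Actions: map[string]bool{"vpn-access": true}})
	day := time.Date(2012, 5, 14, 10, 0, 0, 0, time.UTC)
	fmt.Println(srv.Session(day, "alice", "correct horse battery staple", "vpn-access", 30*time.Minute))
	fmt.Println(srv.Session(day, "alice", "wrong", "vpn-access", 0))
	fmt.Println(srv.Session(day.Add(12*time.Hour), "alice", "correct horse battery staple", "vpn-access", 0))
	for _, r := range srv.Log {
		fmt.Printf("%s %-6s %-13s %s\n", r.At.Format("15:04"), r.User, r.Event, r.Outcome)
	}
}
```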

Saturday, May 12, 2012

Context-based access control


Context-based access control, also known as CBAC, is capable of filtering TCP and UDP packets based on application layer protocol session information, and also can be used for intranets, extranets and internets. CBAC can also be configured to allow specified TCP and UDP traffic to travel through a firewall only when the connection is initiated from the network that requires protection. Apart from being able to inspect traffic for sessions that originate from the external network, CBAC is also capable of checking traffic for sessions that originate from either side of the firewall.
Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer or, at most, the transport layer. CBAC, however, examines not only network and transport layer information but also application-layer protocol information, such as FTP connection information, to learn about the state of a TCP or UDP session. This allows support of protocols that involve multiple channels created as a result of negotiations in the FTP control channel. Most of the multimedia protocols, as well as some other protocols such as FTP, RPC and SQL*NET, involve multiple control channels.
CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall’s access lists to allow return traffic and additional data connections for permissible sessions. Since CBAC does deep packet inspection, it is also considered to be an IOS Firewall. Apart from the above-mentioned services, CBAC also prevents and detects Denial-of-Service (DoS) attacks, and provides real-time alerts and audit trails.
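The following is an added Go example (not from the post or from Cisco) of the session-tracking idea behind CBAC: packets that originate from the protected network create session entries, and inbound packets are admitted only when they match a live entry, which plays the role of the temporary access-list opening; entries idle out after a timeout. The inside network 192.0.2.0/24 and the addresses in the sample traffic are documentation ranges chosen for the example.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Packet carries the header fields the session table is keyed on.
type Packet struct {
	Proto            string // "tcp" or "udp"
	Src, Dst         string
	SrcPort, DstPort int
	Inbound          bool // arrived on the outside (untrusted) interface
	SYN              bool // TCP connection initiation
}

// sessionKey is always stored from the protected network's point of view,
// so an outbound packet and its inbound reply map to the same key.
type sessionKey struct {
	proto                   string
	inside, outside         string
	insidePort, outsidePort int
}

type CBAC struct {
	inside    *net.IPNet               // the network that requires protection
	inspected map[string]bool          // protocols we track sessions for
	sessions  map[sessionKey]time.Time // session -> idle expiry
	idle      time.Duration
}

func NewCBAC(insideCIDR string, idle time.Duration, protos ...string) *CBAC {
	_, n, err := net.ParseCIDR(insideCIDR)
	if err != nil {
		panic(err)
	}
	c := &CBAC{inside: n, inspected: map[string]bool{}, sessions: map[sessionKey]time.Time{}, idle: idle}
	for _, p := range protos {
		c.inspected[p] = true
	}
	return c
}

func (c *CBAC) key(p Packet) sessionKey {
	if p.Inbound {
		return sessionKey{p.Proto, p.Dst, p.Src, p.DstPort, p.SrcPort}
	}
	return sessionKey{p.Proto, p.Src, p.Dst, p.SrcPort, p.DstPort}
}

// live reports whether a session exists and has not idled out; a stale entry
// is removed on the way, which is the temporary opening closing again.
func (c *CBAC) live(k sessionKey, now time.Time) bool {
	exp, ok := c.sessions[k]
	if ok && now.Before(exp) {
		return true
	}
	delete(c.sessions, k)
	return false
}

// Handle decides whether a packet passes. Outbound packets from the protected
// network are permitted and, for inspected protocols, create or refresh a
// session; inbound packets pass only if they match a live session.
func (c *CBAC) Handle(p Packet, now time.Time) (bool, string) {
	k := c.key(p)
	if !p.Inbound {
		if !c.inside.Contains(net.ParseIP(p.Src)) {
			return false, "denied: outbound packet with non-local source"
		}
		if c.inspected[p.Proto] && (p.Proto != "tcp" || p.SYN || c.live(k, now)) {
			c.sessions[k] = now.Add(c.idle)
		}
		return true, "permitted: originated inside"
	}
	if c.live(k, now) {
		c.sessions[k] = now.Add(c.idle) // refresh the idle timer
		return true, "permitted: return traffic for an open session"
	}
	return false, "denied: no matching session (unsolicited from outside)"
}

func (c *CBAC) OpenSessions() int { return len(c.sessions) }

func main() {
	fw := NewCBAC("192.0.2.0/24", 30*time.Second, "tcp", "udp")
	now := time.Now()
	// Constructed traffic: an inside host opens a web connection and the reply comes back.
	out := Packet{Proto: "tcp", Src: "192.0.2.20", SrcPort: 51000, Dst: "198.51.100.7", DstPort: 80, SYN: true}
	in := Packet{Proto: "tcp", Src: "198.51.100.7", SrcPort: 80, Dst: "192.0.2.20", DstPort: 51000, Inbound: true}
	fmt.Println(fw.Handle(in, now)) // before any session exists
	fmt.Println(fw.Handle(out, now))
	fmt.Println(fw.Handle(in, now.Add(time.Second)))
	fmt.Println(fw.Handle(in, now.Add(2*time.Minute))) // idle timer expired
}
```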

Resources: http://en.wikipedia.org/wiki/Context-based_access_control

Access Control Lists


An access control list (ACL), in a computer file system, is a list of permissions attached to an object. The purpose of an ACL is to grant or limit the access of users and system processes to objects. Each entry in an ACL specifies a subject and an operation. For example, if a file has an ACL that contains (Ben, update), this grants Ben permission to edit the file. When a subject requests an operation on an object in an ACL-based security model, the operating system searches for an applicable entry in the ACL to determine whether the requested operation is authorized. A key issue in the definition of any ACL-based security model is determining how access control lists are edited, that is, which users and processes are granted permission to modify an ACL. A filesystem ACL is a data structure containing entries that specify individual user or group rights to specific system objects such as programs, processes or files. The privileges or permissions determine specific access rights, such as whether a user is able to read from, write to, or execute an object. In some implementations, an access control entry (ACE) can control whether a user or group of users is permitted to edit the ACL on an object.
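An added Go example (not from the original post) of the (subject, operation) model described above: an object carries an ordered list of entries for users and groups, the first applicable entry decides, the default is deny, and editing the ACL is itself an operation the ACL must grant. The file "report.txt", the users and the "staff" group are constructed; the ordered first-match rule and default-deny are this example's design choices, and real file systems differ in those details.

```go
package main

import "fmt"

type Operation string

const (
	Read      Operation = "read"
	Update    Operation = "update"
	Execute   Operation = "execute"
	ModifyACL Operation = "modify_acl" // the right to edit the ACL itself
)

// ACE is one access control entry: a subject ("user:ben" or "group:staff"),
// an operation, and whether the entry allows or denies it.
type ACE struct {
	Subject string
	Op      Operation
	Allow   bool
}

// Object is a protected resource carrying its ordered ACL.
type Object struct {
	Name string
	ACL  []ACE
}

// Principal is the requesting subject together with its group memberships.
type Principal struct {
	User   string
	Groups []string
}

func (p Principal) matches(subject string) bool {
	if subject == "user:"+p.User {
		return true
	}
	for _, g := range p.Groups {
		if subject == "group:"+g {
			return true
		}
	}
	return false
}

// Authorized walks the ACL in order and lets the first applicable entry decide;
// with no applicable entry the answer is deny (this example's design choice).
func (o *Object) Authorized(p Principal, op Operation) bool {
	for _, e := range o.ACL {
		if e.Op == op && p.matches(e.Subject) {
			return e.Allow
		}
	}
	return false
}

// SetEntry appends an entry. Editing the ACL is itself an operation the ACL
// must permit, which is the "who may modify the ACL" question from the text.
func (o *Object) SetEntry(actor Principal, e ACE) error {
	if !o.Authorized(actor, ModifyACL) {
		return fmt.Errorf("%s may not modify the ACL of %s", actor.User, o.Name)
	}
	o.ACL = append(o.ACL, e)
	return nil
}

// newReport builds the constructed example object from the text: Ben may update it.
func newReport() *Object {
	return &Object{Name: "report.txt", ACL: []ACE{
		{Subject: "user:ben", Op: Update, Allow: true},
		{Subject: "user:ben", Op: ModifyACL, Allow: true},
		{Subject: "user:guest", Op: Read, Allow: false}, // explicit deny listed before the group allow
		{Subject: "group:staff", Op: Read, Allow: true},
	}}
}

func main() {
	report := newReport()
	ben := Principal{User: "ben", Groups: []string{"staff"}}
	alice := Principal{User: "alice", Groups: []string{"staff"}}
	guest := Principal{User: "guest", Groups: []string{"staff"}}
	fmt.Println("ben update:     ", report.Authorized(ben, Update))
	fmt.Println("alice read:     ", report.Authorized(alice, Read))
	fmt.Println("alice update:   ", report.Authorized(alice, Update))
	fmt.Println("guest read:     ", report.Authorized(guest, Read))
	fmt.Println("alice edits ACL:", report.SetEntry(alice, ACE{"user:alice", Update, true}))
	fmt.Println("ben edits ACL:  ", report.SetEntry(ben, ACE{"user:alice", Update, true}))
	fmt.Println("alice update:   ", report.Authorized(alice, Update))
}
```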

Saturday, May 5, 2012

Secure Perimeter Routers & Disable Services & Logging


A network is the entry point to your applications. It provides the first gatekeepers that control access to the various servers in your environment. The servers are protected by their own OS (Operating System) gatekeepers. However, it is important not to allow them to be swamped with attacks from the network layer. In a way, it is also important to ensure that the network gatekeepers cannot be replaced or reconfigured by unauthorized users. In summary, network security involves protection of networking devices and the data that they send.

As we know, the router is the very first line of defence. Apart from routing packets, it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP).
The areas of router configuration that need to be secured are:
  • Patches and updates
  • Protocols
  • Administrative access
  • Services
  • Auditing and Logging
  • Intrusion detection


Disabling redundant and inactive services, such as CDP and unused TCP and UDP services, can improve network security. Many of these services have security issues, each with its own level of risk, which an attacker could use to gather information about your router or even attempt to gain unauthorized access. Thus, it is safer to disable inactive services on the perimeter router in order to avoid unnecessary risks.



Perimeter router logs may be useful in troubleshooting, capacity planning and dealing with security incidents. For security purposes, the events to log are interface status changes, system configuration changes, access list matches, and events detected by firewall and intrusion detection features. System logging events can be reported to various destinations, for example:
  • The system console port. As many console ports are unattended or connected to terminals with no historical storage, this information might not be available to reconstruct a major event.
  • A local RAM buffer. Most routers are capable of saving system logging information in a local RAM buffer; the buffer has a fixed size and keeps only the most recent information, and its contents are lost whenever the router is reloaded.
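Since the post lists which router events are worth logging, here is an added Go example (not from the post or its sources) that parses lines in the Cisco IOS syslog format and sorts them into those categories: interface status changes, configuration changes, access list matches and firewall events, with anything unparseable counted rather than dropped. The sample lines are constructed to mimic the %FACILITY-SEVERITY-MNEMONIC format and were not captured from a real router; the addresses and sequence numbers in them are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event is one parsed router log message.
type Event struct {
	Facility string
	Severity int // 0 = emergency ... 7 = debug (syslog severities as IOS uses them)
	Mnemonic string
	Text     string
	Category string
}

// IOS system messages carry a %FACILITY-SEVERITY-MNEMONIC: text marker after
// the sequence number and timestamp; everything before the marker is ignored.
var msgRe = regexp.MustCompile(`%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)$`)

// categorize maps facility/mnemonic pairs onto the event classes the text
// above says are worth logging for security purposes.
func categorize(facility, mnemonic string) string {
	switch {
	case (facility == "LINK" || facility == "LINEPROTO") && mnemonic == "UPDOWN":
		return "interface status change"
	case facility == "SYS" && strings.HasPrefix(mnemonic, "CONFIG"):
		return "configuration change"
	case facility == "SEC" && strings.HasPrefix(mnemonic, "IPACCESSLOG"):
		return "access list match"
	case facility == "FW":
		return "firewall event"
	case facility == "IDS":
		return "intrusion detection event"
	}
	return "other"
}

// Parse extracts the marker fields from one line; ok is false for non-IOS lines.
func Parse(line string) (Event, bool) {
	m := msgRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	sev, _ := strconv.Atoi(m[2]) // the regexp already restricts this to one digit 0-7
	return Event{Facility: m[1], Severity: sev, Mnemonic: m[3], Text: m[4], Category: categorize(m[1], m[3])}, true
}

// Triage parses every line and counts security-relevant events per category;
// lines that do not parse are counted under "unparsed" so they are never silently lost.
func Triage(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		ev, ok := Parse(l)
		if !ok {
			counts["unparsed"]++
			continue
		}
		if ev.Category != "other" {
			counts[ev.Category]++
		}
	}
	return counts
}

// Constructed sample lines modelled on the IOS syslog format (not captured from a real router).
var sampleLog = []string{
	"<189>45: *Jun  4 10:15:01: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
	"<189>46: *Jun  4 10:15:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
	"<189>47: *Jun  4 10:16:10: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.5)",
	"<190>48: *Jun  4 10:17:22: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(44123) -> 192.0.2.10(23), 1 packet",
	"<190>49: *Jun  4 10:18:00: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.0.2.20:51000) -- responder (198.51.100.7:80)",
	"<190>50: *Jun  4 10:18:05: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.50 started - CLI initiated",
	"this line is not an IOS message",
}

func main() {
	for _, l := range sampleLog {
		if ev, ok := Parse(l); ok {
			fmt.Printf("sev=%d %-26s %s\n", ev.Severity, ev.Category, ev.Mnemonic)
		} else {
			fmt.Println("unparsed:", l)
		}
	}
	fmt.Println(Triage(sampleLog))
}
```

Because the console and the RAM buffer both lose history, a classifier like this only pays off when the lines are shipped to a syslog host first; the counts it produces are the kind of summary worth alerting on there.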

Resources: http://etutorials.org/Networking/Router+firewall+security/Part+II+Managing+Access+to+Routers/Chapter+4.+Disabling+Unnecessary+Services/
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Chapter+Review/
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Event+Logging+on+Perimeter+Routers/
http://msdn.microsoft.com/en-us/library/ff648651.aspx

Common Threats to Router and Switch Physical & Mitigation


Physical installations basically face four types of threat: hardware, electrical, environmental and maintenance.

Hardware Threats:
These are potential threats that will cause physical damage to router or switch hardware. Therefore, it is essential to take note of the following requirements to reduce the risk of damage:

1. The physical hardware must be locked in a room, and only authorized personnel can have access to the room.
2. The room must be secured and must not be accessible through any window, dropped ceiling or other point of entry except the secured access point.
3. Adopt a biometric system so that every access to and from the area is logged by security systems and monitored by security personnel.
4. Security cameras with automatic recording should be installed and monitored by security personnel.


Electrical Threats:
These are irregular shifts in voltage, such as brownouts and voltage spikes. Such threats, including voltage spikes, brownouts and power loss, can be limited by following the guidelines below:

1. Install an uninterruptible power supply (UPS) system for important network devices.
2. Install backup generator systems for important network devices.
3. Carry out regular UPS and generator testing and maintenance.
4. Install redundant power supplies on important devices.
5. Monitor and alarm power-related parameters at the power supply and device levels.

 
Environmental Threats:
These include extreme temperatures, moisture, and electrostatic and magnetic interference. In order to make sure that these threats do not affect or damage the network devices, we have to make sure that:

1. The room is kept at the recommended temperature and humidity by control systems, according to the supplied product documentation.
2. Potential sources of electrostatic and magnetic interference are removed from the room.
3. A monitoring and alarm system is installed in the room to give alerts about the environmental parameters in the room.


Maintenance Threats:
These include not having backup parts or components for critical network components, not labelling components and their cabling correctly, and inappropriate handling of key electronic components, such as electrostatic discharge. Maintenance-related threats are generally a broad topic, as they include many items, but they can be prevented by following the general rules below:

1. Clearly label all equipment cabling and secure the cabling to the equipment racks to prevent accidental damage, disconnection or incorrect termination.
2. Use cable runs, raceways or both to traverse rack-to-ceiling or rack-to-rack connections.
3. Always follow ESD procedures when replacing or working with internal router and switch components.
4. Maintain a stock of critical spares for emergency use.
5. Do not leave a console connected to and logged into any console port. Always log off administrative interfaces when leaving a station.
6. Do not depend solely on a locked room as the only protection for a device.

Friday, May 4, 2012

Network/Port Address Translation


In networking terms, Network Address Translation (NAT) is the process of modifying IP address information in the headers of IP packets while they pass through a traffic-routing device. The most basic type of NAT provides a one-to-one translation of IP addresses; RFC 2663 refers to this as basic NAT. In a basic NAT, only the IP addresses, the IP header checksum and any higher-level checksums that include the IP address need to be changed, leaving the rest of the packet untouched. Basic NATs are usually used when there is a need to interconnect two IP networks with conflicting addressing. It is also common to hide an entire IP address space, usually made up of private IP addresses, behind a single IP address or behind addresses in another address space.

NAT enables communication through the router only when the conversation originates in the masked network, since this is what creates the translation table entries. However, most up-to-date NAT devices allow the network administrator to configure translation table entries for permanent use. This is known as static NAT or port forwarding, and it allows traffic from the outside network to reach its designated host in the masked network.

However, NAT has serious drawbacks for the quality of Internet connectivity and requires careful attention to the details of its implementation. In particular, all types of NAT break the original model of IP end-to-end connectivity across the Internet, and NAPT makes it difficult for systems behind a NAT to accept incoming communications. NAT traversal methods have therefore been implemented to ease these problems.

PAT, also known as Port Address Translation, provides most of the same services as NAT, except that PAT allows many internal hosts to share a single external IP address, so that users who do not need inbound connection support do not consume public IP addresses.
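To show the translation tables the post describes, here is an added Go example (not from the original post): a one-to-one basic NAT that maps only addresses, and a PAT that lets several inside hosts share one outside address by rewriting source ports, where entries are created by outbound traffic and a static entry (port forwarding) lets outside traffic reach an inside server. The addresses 203.0.113.1, 192.168.1.x, 198.51.100.x and the port numbers are constructed for the example.

```go
package main

import "fmt"

type Endpoint struct {
	IP   string
	Port int
}

func (e Endpoint) String() string { return fmt.Sprintf("%s:%d", e.IP, e.Port) }

// BasicNAT is the one-to-one form: only addresses change, ports are untouched.
type BasicNAT struct{ out, in map[string]string }

func NewBasicNAT(pairs map[string]string) *BasicNAT {
	n := &BasicNAT{out: map[string]string{}, in: map[string]string{}}
	for inside, outside := range pairs {
		n.out[inside] = outside
		n.in[outside] = inside
	}
	return n
}

func (n *BasicNAT) Outbound(insideIP string) (string, bool) { v, ok := n.out[insideIP]; return v, ok }
func (n *BasicNAT) Inbound(outsideIP string) (string, bool) { v, ok := n.in[outsideIP]; return v, ok }

// PAT shares one outside address among many inside hosts by rewriting the
// source port. Entries are created by outbound traffic, except static ones
// that the administrator configures in advance (port forwarding).
type PAT struct {
	Outside  string
	nextPort int
	outbound map[Endpoint]Endpoint // inside ip:port -> outside ip:port
	inbound  map[Endpoint]Endpoint // outside ip:port -> inside ip:port
}

func NewPAT(outsideIP string, firstPort int) *PAT {
	return &PAT{Outside: outsideIP, nextPort: firstPort,
		outbound: map[Endpoint]Endpoint{}, inbound: map[Endpoint]Endpoint{}}
}

// AddStatic configures a permanent translation so that outside traffic to
// outsidePort reaches the given inside host.
func (p *PAT) AddStatic(outsidePort int, inside Endpoint) {
	ext := Endpoint{p.Outside, outsidePort}
	p.inbound[ext] = inside
	p.outbound[inside] = ext
}

// TranslateOutbound rewrites the source of a packet leaving the masked network,
// allocating a fresh outside port on first use; ok is false when the port pool
// (ports up to 65535) is exhausted.
func (p *PAT) TranslateOutbound(src Endpoint) (ext Endpoint, ok bool) {
	if ext, ok = p.outbound[src]; ok {
		return ext, true
	}
	for p.nextPort <= 65535 {
		ext = Endpoint{p.Outside, p.nextPort}
		p.nextPort++
		if _, taken := p.inbound[ext]; !taken { // skip ports held by static entries
			p.outbound[src] = ext
			p.inbound[ext] = src
			return ext, true
		}
	}
	return Endpoint{}, false
}

// TranslateInbound maps a packet addressed to the outside address back to an
// inside host. With neither a dynamic nor a static entry the packet is dropped.
func (p *PAT) TranslateInbound(dst Endpoint) (Endpoint, bool) {
	in, ok := p.inbound[dst]
	return in, ok
}

func main() {
	pat := NewPAT("203.0.113.1", 1024)
	pat.AddStatic(80, Endpoint{"192.168.1.20", 8080}) // web server reachable from outside
	for _, host := range []Endpoint{{"192.168.1.10", 5000}, {"192.168.1.11", 5000}} {
		ext, _ := pat.TranslateOutbound(host)
		fmt.Printf("%v -> %v\n", host, ext)
	}
	fmt.Println(pat.TranslateInbound(Endpoint{"203.0.113.1", 1024}))
	fmt.Println(pat.TranslateInbound(Endpoint{"203.0.113.1", 80}))
	fmt.Println(pat.TranslateInbound(Endpoint{"203.0.113.1", 9999})) // unsolicited: no entry
	basic := NewBasicNAT(map[string]string{"10.0.0.5": "198.51.100.5"})
	fmt.Println(basic.Outbound("10.0.0.5"))
}
```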

Perimeter Router,Internal Router and Firewall


For today we will be talking about Perimeter Router, Internal Router and Firewall.
Firstly, what is a Perimeter Router? It is actually an interface that has connections to both the inside of the network and with the outside world. Typically, an ISP is at the other end of that connection, and then the Internet.

The perimeter router is responsible for filtering outside traffic to implement basic security for the dirty DMZ and also for the primary filtering for the inside network. The perimeter router could also be running the firewall feature set for additional security options.

Since the perimeter router is usually connected to a slower WAN interface on one side and it doesn’t provide routing functions for internal networks, the LAN interface speed isn’t as important as making sure decent memory and features exist to handle the outside connection. Even if the inside network is 100MB and all protected DMZ interfaces are full-duplex 100MB, if the Internet connection is a T1 (1.54MB), then a 10MB LAN interface on the perimeter router shouldn’t impede traffic. Even most DSL or cable connections would be below 10MB.

Although bandwidth issues are important, feature sets are more important on perimeter routers. Routers all the way down to the 800 series support access lists, firewall features, and so forth, making low-end devices attractive in some perimeter implementations. If intrusion detection features are needed, though, the firewall feature sets for devices below the 2600 series do not include intrusion detection. Thus, while a 1700 or 2500 device might be able to handle the traffic, it will not provide intrusion detection services.


Next, a firewall is a device that separates or joins the internal network to the dirty DMZ and any optional protected DMZs. The firewall can be a router running a firewall feature set, a specialty server with two or more NICs in different networks, or a specialty device like the Cisco PIX that does nothing except provide firewall services. While suitable applications exist for each type of firewall, it is best to use a dedicated device performing only security features, and leave routing and serving to other devices.
Unsolicited access from the outside directed to the inside would typically be blocked. Certain well-thought-out exceptions and configurations could be created, so e-mail server(s) residing on the inside network, instead of the DMZ, could still exchange e-mails. Securing this type of connection is covered in the firewall chapters.

A typical firewall device has two or more LAN interfaces: one for the inside and outside networks respectively. Optionally, an additional LAN interface can exist for each protected DMZ network.

Resources: http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/

Thursday, April 26, 2012

Security Policy

Security policies are important in companies, as they set the scale of how secure a system, organization or other entity should be. In organizations, a policy determines the authority constraints of the members; it also applies to physical security devices, for example doors, locks and keys.
If there is truly a need for security, it is fairly obvious that the security policies should be implemented and followed properly. In more complicated systems, these policies are also usually broken down into smaller, simplified sub-policies. Having sub-policies is not a perfect choice, though, as it gives others a false sense that a sub-policy describes the overall definition of security when it does not. Also, sub-policies implemented with no super-policy usually end up as useless rules that are incapable of enforcing anything.
Similarly, top-level security policies are needed when confidential schemes are being carried out; otherwise the schemes would be totally meaningless. Security policies are also known as "living documents", which means that a policy is never complete and its contents keep changing as the environment changes, for example with improvements in IT technology, changes of employees and equipment, and at times even changes in trade secrets.
For example, in business, security policies are implemented to state how the company decides to protect its physical and IT assets. As time changes, the main focus of the company will change: employees change over the years, the technologies used within the company improve, and the company might change its business approach as its target market changes.

References: http://en.wikipedia.org/wiki/Security_policy
http://searchsecurity.techtarget.com/definition/security-policy  

Common Networking Attacks Threats and Solution

Every day and everywhere, you can see the influence of IT technology, and behind the technology, networking is essential for us to communicate with everyone living in the world, including those living at the other end of the Earth.
But do you know that, despite the normal peaceful-looking days, there are numerous networking attacks going on around the world? For example, according to a Department of Homeland Security official in the United States, there are close to 15,000 networking attacks purely on federal sites, which means that there is at least one networking attack on a federal site every 10 seconds!! So in this post, I will be going through some common networking attacks and also solutions to them.
Among all the networking attack methods, these seven are the most common: Spoofing, Sniffing, Mapping, Hijacking, Trojans, DoS & DDoS (Denial-of-Service & Distributed Denial-of-Service) and Social Engineering. I will be talking about Spoofing, Trojans and DoS & DDoS, since these are the most common networking attack threats known to everyone.


1.Spoofing
Spoofing is the process where the attacker modifies a device's protocol to plant a random IP address in the data packet's source address field; this conceals the payload's original source and allows the attacker to avoid being detected.
One countermeasure that is commonly used to prevent spoofing is ingress filtering, which usually involves the routers. During this process, the routers check the incoming IP address and determine whether the source address is reachable via the interface or not. If the source is from an unreachable range, the packets are discarded.
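As an added Go example (not from the original post) of the ingress filtering countermeasure, the router below keeps a small routing table and performs a strict reverse-path check: a packet is accepted only if its source address is routed back through the interface it arrived on, and a source with no route at all is discarded. The interface names and prefixes are constructed; the table uses longest-prefix matching as a real forwarding table would.

```go
package main

import (
	"fmt"
	"net"
)

// Route is one routing-table entry: a prefix and the interface it is reached through.
type Route struct {
	Prefix *net.IPNet
	Iface  string
}

type Router struct{ routes []Route }

// NewRouter builds the table from CIDR -> interface pairs (constructed for the example).
func NewRouter(entries map[string]string) *Router {
	r := &Router{}
	for cidr, iface := range entries {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		r.routes = append(r.routes, Route{n, iface})
	}
	return r
}

// lookup does longest-prefix matching, as the forwarding path would.
func (r *Router) lookup(ip net.IP) (string, bool) {
	best, bestLen, found := "", -1, false
	for _, rt := range r.routes {
		if rt.Prefix.Contains(ip) {
			l, _ := rt.Prefix.Mask.Size()
			if l > bestLen {
				best, bestLen, found = rt.Iface, l, true
			}
		}
	}
	return best, found
}

// IngressCheck is a strict reverse-path check: the packet is accepted only if
// the route back to its source leaves through the interface it arrived on.
// Sources with no route at all are discarded too.
func (r *Router) IngressCheck(arrivedOn string, src string) (bool, string) {
	ip := net.ParseIP(src)
	if ip == nil {
		return false, "malformed source address: discarded"
	}
	iface, ok := r.lookup(ip)
	if !ok {
		return false, "no route back to source: discarded"
	}
	if iface != arrivedOn {
		return false, fmt.Sprintf("source reachable via %s, not %s: discarded as spoofed", iface, arrivedOn)
	}
	return true, "accepted"
}

func main() {
	// Serial0/0 faces the Internet (default route); the two FastEthernet interfaces face internal networks.
	r := NewRouter(map[string]string{
		"0.0.0.0/0":    "Serial0/0",
		"192.0.2.0/24": "Fast0/0",
		"10.0.0.0/8":   "Fast0/1",
	})
	fmt.Println(r.IngressCheck("Serial0/0", "192.0.2.7"))   // internal address arriving from the Internet
	fmt.Println(r.IngressCheck("Serial0/0", "203.0.113.9")) // ordinary Internet source
	fmt.Println(r.IngressCheck("Fast0/0", "10.1.2.3"))      // belongs on Fast0/1, not Fast0/0
}
```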


2.Trojans
As most of us know, Trojans are one of the more common types of networking attack known to everyone. Trojans are programs that appear like usual software on the system, yet they are used to perform unintended and malicious actions when launched. An infected file will look and function like the affected file, and will be similar in file size.
The only way to prevent Trojan attacks is to use a cryptographic checksum or binary digital signature.


3.DoS&DDoS
Commonly known as Denial-of-Service and Distributed Denial-of-Service. Most of us are aware of the hacking group Anonymous, which hacked several U.S. federal sites last year during the events in which the SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act) acts were carried out. This hacking group, Anonymous, launched a series of DoS & DDoS attacks on different U.S. federal sites after several file-sharing sites were either forced to shut down or limited in the files they were able to share, for example Megaupload and some other commonly known online video streaming sites.
And thus, from what most of us should know if we have read the news, DoS & DDoS are attacks that flood the network with useless traffic so as to disrupt computing resources such as bandwidth, disk space and CPU time. The purposes of a DoS & DDoS attack are usually to slow down the network's performance and to prevent the site from being accessed by any other users.
Sadly, there aren't many ways to prevent DoS & DDoS attacks; however, ingress filtering is commonly used to control DoS & DDoS attacks to a small extent.


Last but not least, I just hope that everyone reading this post will be able to get a fresh new idea about common networking attacks and also some countermeasures, especially for these three common networking attacks.


Reference: http://ayurveda.hubpages.com/hub/Types-of-Network-Attacks