Public Key Infrastructure (Digital Cert )

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document which uses digital signature to bind a public key with an identity; information such as the name of a person or an organization, their address, and so forth. The certificate can also be used to verify that a public key belongs to an individual.
In a public key infrastructure (PKI) scheme, the signature will be the certificate authority (CA). In a web of trust scheme, the signature is of either the user (self-signed certificate) or other users (endorsements). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
For provable security, this reliance on something external to the system has the consequence that any public key certification scheme has to rely on some special setup assumption, such as the existence of a certificate authority.
Certificates can be created for Unix-based servers with tools such as OpenSSL’s ca command or SuSE’s gensslcert. These may be used to issue unmanaged certificates, CA certificates for managing other certificates, and user and/or computer certificate requests to be signed by the CA, as well as a number of other certificate related functions.
In order to make sure that a digital certificate is real or valid, it must have the follow contents:
Serial Number -- Used to uniquely identify the certificate.
Subject -- The person, or entity identified.
Signature Algorithm -- The algorithm used to create the signature.
Signature -- The actual signature to verify that it came from the issuer.
Issuer -- The entity that verified the information and issued the certificate.
Valid-From -- The date the certificate is first valid from.
Valid-To -- The expiration date.
Key-Usage -- Purpose of the public key (e.g. encipherment, signature, certificate signing...).
Public Key
Thumbprint Algorithm -- The algorithm used to hash the public key.
Thumbprint -- The hash itself, used as an abbreviated form of the public key.

http://en.wikipedia.org/wiki/Public_key_certificate

IPSec (ESP, AH, DES, MD5, SHA, DH)

Internet Protocol Security (IPsec) is a protocol suite to secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys that will be used during the session. Some example of IPsec includes: ESP, AH, DES, MD5, SHA and DH.

Encapsulating Security Payload (ESP)

ESP is a security protocol that is used to provide confidentiality (encryption), data origin authentication, integrity, optional anti-replay service, and limited traffic-flow confidentiality by defeating traffic-flow analysis.

Authentication Header (AH)

AH provides authentication and integrity to the datagrams that are passed between two systems. This is achieved by applying a keyed one-way hash function to the datagram to create a message digest. If any part of the datagram is changed during transit, this will be detected by the receiver when it performs the same one-way hash function on the datagram and compares the value of the message digest that the sender has supplied. The fact that the one-way hash also involves the use of a secret shared between the two systems means that authenticity can be guaranteed.

DES Algorithm

DES is used to encrypt and decrypt packet data; it is capable of turning clear text into cipher text via an encryption algorithm. The decryption algorithm on the remote end restores clear text from cipher text. The shared secret keys enable the encryption and decryption of the packet data. Also, DES uses a 56-bit key, which ensures high-performance encryption.

Message Digest 5 (MD5)

MD5 is a hash algorithm used to authenticate packet data. Cisco routers and PIX Firewall uses the MD5 hashed message authentication code (HMAC) variant that provides an additional level of hashing. A hash is a one-way encryption algorithm that takes an input message of arbitrary length and produces a fixed-length output message. MD5 authentication can also be used by IKE, AH and ESP.

Secure Hash Algorithm 1 (SHA-1)

SHA-1 is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the SHA-1 HMAC variant, which provides an additional level of hashing. Similar to MD5, SHA-1 authentication can also be used by IKE, AH and ESP.

Diffie-Hellman (D-H)

D-H is a public-key cryptography protocol which allows two parties to establish a shared secret key that will be used by encryption algorithms over an insecure communications channel. D-H is used within IKE to establish session keys. 768-bit and 1024-bit D-H groups are supported in the Cisco routers and PIX Firewall. The 1024-bit group is more secure than 768-group.

http://en.wikipedia.org/wiki/IPsec

http://www.ciscopress.com/articles/article.asp?p=25470

Authentication, Authorization and Accounting

What is Authentication, Authorization and Accounting?

Authentication refers to the process where an entity’s identity is authenticated, usually by providing evidence that represents a specific digital identity such as an identifier or credentials. Some examples of credentials include passwords, tokens, digital certificate.

Authorization is the process where it determines if a particular entity is authorized to carry out an action, usually inherited from authentication when logging on to an application or service. Authorization may be determined based on a range of restrictions, for example time-of-day restrictions, physical location restrictions or multiple access attempts from the same user or entity. Examples of some common authorization services in networking includes IP address filtering, address assignment, route assignment, quality of service/differential services, bandwidth control/traffic management, compulsory tunnelling to a specific endpoint, and encryption.

Accounting refers to the tracking of network resources used up by users for the purpose of capacity and trend analysis, cost allocation and billing. In addition, it may also record events such as authentication and authorization failures, and include auditing functionality, which permits verifying the correctness of procedures carried out based on accounting data. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources.

Some example of AAA (Authentication, Authorization, Accounting) usage in CDMA data networks:

AAA servers in CDMA data networks are entities that provide IP functionality to support the functions of authentication, authorization and accounting. The AAA server in the CDMA wireless data network architecture is similar to the HLR in the CDMA wireless voice network architecture.

Some types of AAA servers include:

• Access Network AAA – It communicates with RNC in the Access Network to enable authentication and authorization functions to be performed at the Access Network.

• Broker AAA – Acts as an intermediary to proxy AAA traffic between roaming partner networks.

• Home AAA – The Home AAA stores user profile information, responds to authentication requests, and collects accounting information.

• Visited AAA – The AAA server in the visited network from which a roamer is receiving service. The Visited AAA in the serving network communicates with the Home AAA in a roamer’s home network.

Context-based access control

Context-based access control, also known as CBAC, is capable of filtering TCP and UDP packets based on application layer protocol session information, and also can be used for intranets, extranets and internets. CBAC can also be configured to allow specified TCP and UDP traffic to travel through a firewall only when the connection is initiated from the network that requires protection. Apart from being able to inspect traffic for sessions that originate from the external network, CBAC is also capable of checking traffic for sessions that originate from either side of the firewall.

Without CBAC, it limits traffic filtering to only access list implementations that examine packets at the network layer, or furthest, the transport layer. However, CBAC examines not only network and transport layers information but also the application-layer protocol information, such as FTP connection information, to learn about the state of TCP or UDP session. This allows support of protocols that involves multiple channels created as a result of negotiations in the FTP control channel. Most of the multimedia protocols as well as some of the protocols, such as FTP, RPC, and SQL*NET, involves multiple control channels.

CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall’s access lists to allow return traffic and additional data connections for permissible sessions. And since CBAC does deep packet inspection, it is also considered to be an IOS Firewall. Apart from the above mentioned services, CBAC also prevent and detect Denial-of-Service (DoS), and also provide Real-time alerts and audit trails.

Resources:http://en.wikipedia.org/wiki/Context-based_access_control

Access Control Lists

An access control list, ACL, in a computer file system refers to a list of permissions accompanying to an object. The purpose of an ACL is to grant permission/limit access of users and system processes to objects. Each entry in an ACL specifies the subject and operation. For example, if a file has an ACL that contains (Ben, update), this would grant Ben the permission to edit the file. When a subject requests an operation on an object in an ACL-based security model, the operating system will search for an applicable entry in the ACL to determine if the requested operation is authorized. A key issue in the definition of any ACL-based security model is determining how access control lists are edited, which refers to the users and processes that are granted permissions access ACL-modification. A filesystem ACL is a data structure containing entries that specify individual user or group rights to specific system objects such as programs, processes or files. The privileges or permissions determine specific access rights, such as whether a user is able to read from, write to, or execute an object. In some implementations, an ACE can control whether a user or group of users is permitted to edit the ACL on an object.

Resources: http://en.wikipedia.org/wiki/Access_control_list

Secure Perimeter Routers & Disable Services & Logging

A network is the entry point to your applications. It provides the first gatekeepers that control access to the various servers in your environment. The servers are protected by their own OS (Operating System) gatekeepers. However, it is important not to allow them to be swamped with attacks from the network layer. In a way, it is also important to ensure that the network gatekeepers cannot be replaced or reconfigured by unauthorized users. In summary, network security involves protection of networking devices and the data that they send.

As we know, the router is the very first line of defence. Apart from routing packets, they can also be configured to block or filter forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP).

The different types of configurations available for the routers are:

• Patches and updates
• Protocols
• Administrative access
• Services
• Auditing and Logging
• Intrusion detection

By disabling redundant and inactive services like CDP, TCP and UDP can improve network security. Many of these services involves security issues, each with it individual level of risk, where a hacker could make use of these security loopholes to their own advantage by gathering information about your router or even attempting to gain unauthorized access. Thus, it is safer to disable inactive service on the perimeter router in order to avoid unnecessary risks.

Perimeter router logs may be useless in troubleshooting, capacity planning and dealing with security incidents. For security purposes, the events to log are interface status changes, system configuration changes, access list matches, events detected by firewall and intrusion detection features. System logging events can be reported to various destinations, for example:

• The system console port, as many console ports are unattended or connected to terminals with no historical storage, this information might not be available to reconstruct a major event.

• Most routers are capable of saving system logging information into a local RAM buffer. The buffer has a fixed size and keeps only the most recent information, and the contents are lost whenever the router is reloaded.

 Resources: http://etutorials.org/Networking/Router+firewall+security/Part+II+Managing+Access+to+Routers/Chapter+4.+Disabling+Unnecessary+Services/
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Chapter+Review/ 
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Event+Logging+on+Perimeter+Routers/ 
http://msdn.microsoft.com/en-us/library/ff648651.aspx 

Common Threats to Router and Switch Physical & Mitigation

In Physical Installations, it basically involves four types of threat: Hardware, Electrical, Environmental and Maintenance.

Hardware Threats:

It refers to potential threats that will cause physical damage to the router or switch hardware. Therefore, it is essential to take note of the following requirements to reduce damage risks:

1.The physical hardware must be locked in a room and only authorized personnel can access to the room.

2.The room must be secured and cannot be accessed from any windows, dropped ceiling, or point of entry except for the secured access point.

3.Adopting biometric system where every access to and from the area will be logged by security systems and monitored by security personnel.

4.Security cameras with automatic recording should be installed and monitored by security personnel.

Electrical Threats:

It refers to irregular shift in voltage such as brownouts and voltage spikes. However, these threats, such as voltage spikes, brownout, power loss, can be limited by following these guidelines mentioned:

1.Install uninterrupted power supply (UPS) system for important network devices.

2.Install backup generators systems for important network devices.

3. Having regular UPS or generator testing and maintenance.

4.Install redundant power supplies on important devices.

5.Monitor and alarm power-related parameter at the power supply and device levels.

 

Environmental Threats:

Threats include extreme temperature, moisture, electrostatic and magnetic interference. In order to make sure that these threats do not affect or deal damage to the network devices, we have to make sure that:

1.The room is being kept in a recommended temperature and humidity by control systems according to the supplied product documentation.

2. Potential sources of electrostatic and magnetic inference should be removed from the room.

3.A monitor and alarm system should be installed in the room to alert about the environmental parameters in the room.

Maintenance Threats:

These threats include not having backup parts or components for critical network components; not labelling components and their cabling correctly. It also includes inappropriate handling of key electronic components, electrostatic discharge. Thus, maintenance-related threats are generally a broad topic as it includes many items. However, it can be prevented by following the general rules below:

1.Clearly label all equipment cabling and secure the cabling to the equipment racks to prevent accidental damage, disconnection, or incorrect termination.

2.Use cable runs, raceways or both to traverse rack-to-ceiling or rack-to-rack connections.

3.Always follow ESD procedures during replacement or working with internal router and switch device components.

4. Maintain a stock of critical spares for emergency use.

5. Do not leave a console connected to and logged into any console ports. Always log off administrative interfaces when leaving a station.

6.Do not depend solely on a locked room as the only protection for a device.

Resources:http://earnkori.blogspot.com/2012/02/network-security-mitigating-common.html

Network/Port Address Translation

In networking terms, Network Address Translation, NAT, is the process of modifying IP Address information in the headers of IP packet during the movement across a traffic routing device. The most basic type of NAT provides a one-to-one translation of IP addresses. RFC 2663 type NAT is also known as the most basic form of NAT. In a basic NAT, only the IP addresses, IP header checksum and any other higher level checksums that involves IP address need to be edited, leaving the remaining of the packet untouched. Basic NATs are usually used when there is a need to interconnect two IP networks with conflicting addressing. Although it is common to hide an entire IP address space, usually made up of private IP addresses behind either a single IP address or in another address space.

As mentioned, NAT enables communication through the router only when the conversion originates in the masked network, since this creates the translation tables. However, most up-to-date NAT devices allow the network administrator to configure translation table entries for permanent use. This is known as static NAT/port forwarding and it allows traffic from the outside network to reach their destination host in the masked network.

However, NAT has some grave flaws on the quality of Internet connectivity and requires careful attention to the details of its implementation. In particular, all types of NAT break the initial image model of IP end-to-end connectivity across the Internet and NAPT makes it difficult for systems behind a NAT to accept incoming communications. Thus NAT traversal methods have been implemented to ease the problems that occurred.

PAT, which is also known as Port Address Translation, on the other hand provides most services that are similar to what NAT provides, except that PAT allows many internal hosts to share a single external IP address and for users who does not need inbound connection support do not consume public IP addresses

Resources:http://en.wikipedia.org/wiki/Network_address_translation

Perimeter Router,Internal Router and Firewall

For today we will be talking about Perimeter Router, Internal Router and Firewall.
Firstly, what is a Perimeter Router? It is actually an interface that has connections to both the inside of the network and with the outside world. Typically, an ISP is at the other end of that connection, and then the Internet.

The perimeter router is responsible of filtering outside traffic to implement basic security for the dirty DMZ and also the primary filtering for the inside network. The perimeter router could also be running the firewall feature set for additional security options.

Since the perimeter router is usually connected to a slower WAN interface on one side and it doesn’t provide routing functions for internal networks, the LAN interface speed isn’t as important as making sure decent memory and features exist to handle the outside connection. Even if the inside network is 100MB and all protected DMZ interfaces are full-duplex 100MB, if the Internet connection is a T1 (1.54MB), then a 10MB LAN interface on the perimeter router shouldn’t interfere traffic. Even most DSL or cable connections would be below 10MB.

Although bandwidth issues are important, feature sets are more important on perimeter routers. Routers can clear down to the 800 series support access list, firewall features, and so forth, making low-end devices attractive in some perimeter implementations. If intrusion detection features are needed, though, firewall feature sets for devices below 2600 do not include intrusion detection. Thus, while a 1700 or 2500 device might be able to handle the traffic, it will not provide intrusion detection services.

Next, Firewall is a device that separates or joins the internal network to the dirty DMZ and any optional protected DMZs. The firewall can be a router-running firewall feature set, a specialty server with two or more NICs in different networks, or a specialty device like the Cisco PIX that does nothing except providing firewall services. While suitable applications exist for each type of firewall, it is best is to use a dedicated device performing only security features, and leave routing and serving to other devices.

Unsolicited access from the outside directed to the inside would typically be blocked. Certain well-thought-out exceptions and configurations could be created, so e-mail server(s) residing on the inside network, instead of the DMZ, could still exchange e-mails. Securing this type of connection is covered in the firewall chapters.

A typical firewall device has two or more LAN interfaces: one for the inside and outside networks respectively. Optionally, an additional LAN interface can exist for each protected DMZ network.

Resources:http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/