Wednesday, 13 June 2012

Site to Site VPN vs Remote VPN

A Virtual Private Network (VPN) provides secured connections from remote networks to a company's private network over the Internet. There are several ways a VPN can be deployed; the two most common configurations are the site-to-site VPN and the remote access VPN.

Site to Site VPN

A site-to-site VPN provides a secured connection from one geographic location to another by placing a VPN server at each location. This makes the resources of one location available at the other: for example, an employee at the remote office can access resources at the HQ branch as if he were directly connected to the HQ's network. A site-to-site VPN only requires one tunnel to be established between the two VPN servers for all employees at the remote office to be able to access the HQ's network.

There are two types of site-to-site VPN, which serve different purposes:

Intranet - Links the company's own remote offices/branches over dedicated connections (not open to the public)

Extranet - Links to the LANs of business partners, suppliers or customers so that they can work together in a secure environment, while still preventing access to each party's separate intranet.

Remote Access VPN

A remote access VPN allows individual remote users to connect through the Internet to the company's private network. It can be accessed from a web browser or from dedicated VPN client software. Each client connecting over the remote access VPN establishes its own individual connection with the VPN server located at the company's network.

Tuesday, 29 May 2012

Public Key Infrastructure (Digital Cert)

Public-key infrastructure (PKI) is the combination of hardware, software, policies, processes and encryption technologies required to secure an organization's communication and transactions. PKI relies on the exchange of digital certificates between authenticated users and a trusted source.

A digital certificate is an electronic credential that binds a public key to information about its subject, its validity period and the applications it may be used for. It provides a way to secure data as well as to manage the identity credentials of users and computers.

Applications that use PKI:

  • Digital signatures
  • Smart card logon
  • Secure e-mail
  • Software code signing
  • IP Security (IPSec)
  • Software restriction policy
  • Internet authentication
  • Encrypting File System
PKI consists of a number of closely related components:
  • Certificate and CA management tools
  • Certification Authority (CA)
  • Registration Authority (RA)
  • Validation Authority (VA)
  • Attribute Authority (AA)
  • Attribute Certificates
  • Certificate Template
  • Digital Certificate
  • PKI enabled applications and services
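To make the roles of these components concrete, here is an added example (not part of the original post) in Go: a certification authority issues a digital certificate to a user, and a relying party verifies it against the CA it trusts, checking the signature, the validity window and the intended application. The names "Example Root CA" and "alice" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair and returns a certificate for tmpl signed by
// parentKey; a nil parent makes the certificate self-signed, i.e. a root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyLeaf builds the pieces listed above (a certification authority and a
// digital certificate carrying a subject, a validity window and an intended
// application) and then plays the relying party: the leaf is accepted only if the
// trusted CA signed it, it is valid at time `at`, and it is allowed for client
// authentication. A nil result means the certificate was accepted.
func VerifyLeaf(leafNotAfter, at time.Time) error {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, // constructed
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"}, // constructed user
		NotBefore: now.Add(-time.Hour), NotAfter: leafNotAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // e.g. smart card logon
	}, ca, caKey)
	roots := x509.NewCertPool() // the trust anchor installed on the relying party
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```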

IPSec (ESP, AH, DES, MD5, SHA, DH)

IP security (IPSec) was designed by the IETF to allow encrypted and digitally signed communication to pass between two computers, or between computers and a router, over a public network. IPSec defines two functions: data encryption and data integrity. IPSec uses the Authentication Header (AH) to provide authentication and integrity without encryption, and the Encapsulating Security Payload (ESP) to provide authentication and integrity together with encryption. IPSec uses a security key known only to the sender and the recipient; if the authentication data is valid, the recipient knows that the transmission came from the original sender.

Benefits of IPSec:

  • IPSec is an international standard, so it can secure communication across a huge variety of different networks.
  • IPSec can be applied to networks of all sizes; it is very scalable.
  • IPSec functions at a low network level, so it does not affect the performance of higher levels such as users and applications.
  • IPSec is compatible with any application; it is not limited to specific applications.
Drawbacks of IPSec:

  • IPSec has a complex configuration.
  • IPSec reduces network performance due to its high overhead.
  • Not all firewalls or routers support IPSec.

A few protocols used by IPSec are:

ESP uses IP protocol 50 to provide confidentiality through encryption, together with authentication. In transport mode it does not provide integrity and authentication for the entire packet; only the IP payload is protected, so ESP protects everything except the IP header.

AH uses IP protocol 51 to provide authentication, integrity and anti-replay protection for the entire packet, but it does not encrypt the data, which means the data is readable but cannot be modified.

Using AH and ESP together is the only way to both protect the IP header and encrypt the data.

DES is a data encryption standard used in computer cryptography that uses a 56-bit key for encryption. Because a 56-bit key is too small, DES is now considered insecure: it can be broken by brute-force attack. DES was later improved to Triple DES, which provides a relatively simple way of increasing the key size of DES to protect against brute-force attacks.

MD5 is a hashing algorithm that produces a 128-bit (16-byte) hash value. It is used to check data integrity and is widely employed in many security applications.

SHA is also a hashing algorithm, but it produces a longer hash value than MD5, which makes it considerably more secure. SHA is a family of three hashing algorithms, SHA-0, SHA-1 and SHA-2, each with a different hash size for different purposes.

DH (Diffie-Hellman) is a key exchange method in cryptography that allows two computers to establish a shared secret key over an insecure communications channel. The purpose of the key exchange is to encrypt subsequent communications using a symmetric-key cipher.
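An added example (not from the original post) tying the DH and SHA pieces together in Go: two parties agree on a secret over an insecure channel, derive a symmetric key from it with SHA-256, and use an HMAC as the integrity check value that AH/ESP carry, so a packet altered in transit is rejected. The group (P = 2^127 - 1, G = 2) and the payload are constructed toys; real IPSec/IKE negotiates far larger standardised groups.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Toy group constructed for this example (P = 2^127 - 1, a Mersenne prime; G = 2).
var (
	P = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))
	G = big.NewInt(2)
)

// Party is one end of the exchange; Pub is the only value that crosses the wire.
type Party struct{ priv, Pub *big.Int }

// NewParty draws a random private exponent a in [2, P-1) and computes G^a mod P.
func NewParty() *Party {
	a, _ := rand.Int(rand.Reader, new(big.Int).Sub(P, big.NewInt(3)))
	a.Add(a, big.NewInt(2))
	return &Party{priv: a, Pub: new(big.Int).Exp(G, a, P)}
}

// SharedKey hashes peerPub^a mod P with SHA-256 into a symmetric key; an
// eavesdropper who saw both public values cannot compute it without a or b.
func (pt *Party) SharedKey(peerPub *big.Int) []byte {
	sum := sha256.Sum256(new(big.Int).Exp(peerPub, pt.priv, P).Bytes())
	return sum[:]
}

// Tag computes the integrity check value AH or ESP carries: an HMAC over the protected bytes.
func Tag(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// Exchange runs one complete agreement between two parties, then shows the
// receiver rejecting a packet whose contents changed in transit.
func Exchange() (keysAgree, tamperDetected bool) {
	alice, bob := NewParty(), NewParty()
	ka, kb := alice.SharedKey(bob.Pub), bob.SharedKey(alice.Pub)
	pkt := []byte("constructed ESP payload") // sample data, not a real packet
	tag := Tag(ka, pkt)                       // sender attaches this ICV
	pkt[0] ^= 0x01                            // one bit altered on the wire
	return hmac.Equal(ka, kb), !hmac.Equal(tag, Tag(kb, pkt))
}
```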

Sunday, 20 May 2012

Authentication, Authorization and Accounting

Authentication, Authorization and Accounting (AAA) is a concept used by routers or access control servers to manage network access. Using this concept, access control servers are able to:

  • Implement user credential management
  • Provide profiles for different user roles
  • Track resources (such as logging and auditing)

AAA consists of three independent security functions:

Authentication
Authentication verifies users before they are allowed access to the network and network services, using methods such as a login and password dialog, challenge and response, messaging support, and so on. AAA authentication is configured by defining a named list of authentication methods and applying that list to the various interfaces on the router or access control server.

On Cisco routers or access servers, all authentication methods must be defined through AAA, except for local, line password and enable authentication.

Authorization
Authorization describes which functions or services the authenticated user is permitted to perform. AAA authorization can provide authorization for:
  • Remote access control
  • One-time authorization
  • Per-user account list and profile
  • User groups
  • Different services such as IP, IPX and telnet

Accounting
Accounting provides a way of logging and recording usage information. It enables administrators to track the services users are accessing as well as the amount of network resources they are consuming. AAA accounting is used for collecting and sending security server information, which can be used for:
  • Billing
  • Auditing
  • Reporting
  • Identify/track users

AAA provides several benefits, such as:
  • Increased flexibility and control of access configuration
  • Scalability
  • Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
  • Multiple backup systems
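An added illustration (not from the original post) in Go of the authentication method list described above: the methods are tried in order, and a server that cannot be reached lets the search fall through to the next method, whereas a method that rejects the credentials ends the search, which is how Cisco IOS treats a method list. The Local and Unreachable methods and the sample users are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Method is one entry of a named AAA authentication method list, such as a
// RADIUS or TACACS+ server group or the router's local user database. It returns
// nil when the user is authenticated, ErrDenied when the credentials are
// rejected, and any other error when the method itself could not be reached.
type Method func(user, password string) error

var ErrDenied = errors.New("authentication denied")

// Authenticate walks the method list in order, as IOS does: a method that
// positively denies the user ends the search, while a method that errors out
// (for example a server that times out) is skipped and the next one is tried.
// via reports which method gave the final answer (-1 if none could).
func Authenticate(list []Method, user, password string) (ok bool, via int, err error) {
	for i, m := range list {
		switch e := m(user, password); {
		case e == nil:
			return true, i, nil
		case errors.Is(e, ErrDenied):
			return false, i, e
		default:
			err = e // remember why this method was skipped
		}
	}
	return false, -1, fmt.Errorf("no method could answer: %w", err)
}

// Local builds a method over the router's own user database (a constructed map
// here; a real device stores hashed secrets, not plaintext passwords).
func Local(users map[string]string) Method {
	return func(u, p string) error {
		if pw, found := users[u]; found && pw == p {
			return nil
		}
		return ErrDenied
	}
}

// Unreachable models a RADIUS/TACACS+ server group that cannot be contacted.
func Unreachable(u, p string) error { return errors.New("aaa server timeout") }
```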


Tuesday, 15 May 2012

Context-based Access Control

Context-based Access Control (CBAC) is quite similar to an extended access control list: both filter on source and destination IP address and on source and destination port. The difference is that extended access control list entries are created manually, whereas context-based access control is a firewall feature whose entries are created dynamically. CBAC can be configured to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the protected network.

Context-based access control examines not only network-layer and transport-layer information but also application-layer protocol information (such as FTP control information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for each individual connection that travels through the firewall, and uses this state information to make intelligent decisions about whether packets should be permitted or denied, dynamically creating and deleting temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

CBAC also provides further benefits such as Java blocking, denial-of-service (DoS) prevention and detection, and real-time alerts and audit trails.

How CBAC works:
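An added simulation (not from the original post) in Go of the stateful behaviour described above: an outbound connection for an inspected protocol creates a temporary opening, return traffic matching that opening is let in, any other inbound packet falls back to the static access list, and the opening disappears when the session closes. The Firewall, Packet and session types are constructed for this example.

```go
package main

// Packet is the header information CBAC inspects, plus the direction it travels.
type Packet struct {
	Proto        string // "tcp", "udp", ...
	Src, Dst     string
	SPort, DPort int
	FromInside   bool // true for packets leaving the protected network
}

// session identifies one connection as seen from the inside host.
type session struct {
	proto, inside, outside string
	inPort, outPort        int
}

// Firewall combines the static inbound ACL with the dynamic session table that
// CBAC maintains for the protocols it has been configured to inspect.
type Firewall struct {
	Inspect       map[string]bool   // protocols under inspection, e.g. {"tcp": true}
	InboundPermit func(Packet) bool // the static inbound access list
	sessions      map[session]bool  // temporary openings for return traffic
}

func NewFirewall(inspect map[string]bool, inboundACL func(Packet) bool) *Firewall {
	return &Firewall{Inspect: inspect, InboundPermit: inboundACL, sessions: map[session]bool{}}
}

// Filter decides one packet. Outbound traffic passes and, for inspected
// protocols, records a session; inbound traffic passes only as the return half
// of a recorded session or when the static inbound ACL allows it.
func (fw *Firewall) Filter(p Packet) bool {
	if p.FromInside {
		if fw.Inspect[p.Proto] {
			fw.sessions[session{p.Proto, p.Src, p.Dst, p.SPort, p.DPort}] = true
		}
		return true
	}
	if fw.sessions[session{p.Proto, p.Dst, p.Src, p.DPort, p.SPort}] {
		return true // return traffic of a session opened from inside
	}
	return fw.InboundPermit(p)
}

// Close removes the temporary opening once the session ends (TCP FIN/RST seen or
// the idle timer expired), so later unsolicited packets are denied again.
func (fw *Firewall) Close(p Packet) {
	delete(fw.sessions, session{p.Proto, p.Src, p.Dst, p.SPort, p.DPort})
}
```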


Sunday, 13 May 2012

Access Control Lists

An access control list (ACL) is a configuration script that controls traffic on a router or firewall. It permits or denies packets passing through the router or firewall interfaces based on criteria in the packet header and in the ACL: if a packet matches the criteria, the router or firewall grants or denies access as the ACL states.

Take a look at the video below for a better understanding of how exactly an ACL works.



The three general rules for applying ACLs:

  • One ACL per protocol
  • One ACL per direction
  • One ACL per interface
There are two types of Cisco ACLs: standard and extended
  • Standard ACLs filter packets based on the source IP address only
  • Extended ACLs filter packets based on several attributes such as the source and destination IP addresses

Standard ACL:
Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255

This standard ACL statement allows all traffic from the 192.168.10.0/24 network. Standard ACLs are identified by access list numbers 1 to 99 and 1300 to 1399.

Extended ACL:
Router(config)# access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80

This extended ACL statement permits TCP traffic from any address on the 192.168.10.0/24 network to any destination on port 80 (HTTP). Extended ACLs are identified by access list numbers 100 to 199 and 2000 to 2699, or by a named ACL.
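An added example (not from the original post) in Go that evaluates packets against the two statements above, showing how the 0.0.0.255 wildcard mask is applied, how entries are checked top-down, and how the implicit deny at the end of every ACL catches everything that matched nothing. The Entry type and the ip4, wildcardMatch, IsStandard and Evaluate names are made up for this example.

```go
package main

import (
	"encoding/binary"
	"net"
)

// Entry is one access-list statement. Proto "ip" matches every protocol, DstPort 0
// every port, and each address carries a Cisco wildcard mask (0 bit = must match,
// 1 bit = don't care), so 0.0.0.255 covers a /24 and 255.255.255.255 means "any".
type Entry struct {
	Permit                 bool
	Proto                  string
	Src, SrcWC, Dst, DstWC uint32
	DstPort                int
}

func ip4(s string) uint32 { return binary.BigEndian.Uint32(net.ParseIP(s).To4()) }

// wildcardMatch keeps only the bits the mask says must match and compares those.
func wildcardMatch(addr, base, wc uint32) bool { return (addr^base)&^wc == 0 }

// IsStandard: numbers 1-99 and 1300-1399 select standard ACLs, 100-199 and 2000-2699 extended ones.
func IsStandard(num int) bool { return (num >= 1 && num <= 99) || (num >= 1300 && num <= 1399) }

// Evaluate tests the packet against each entry top-down and returns the first
// match's action; a packet matching nothing hits the implicit "deny any" at the end.
func Evaluate(acl []Entry, proto, src, dst string, dstPort int) bool {
	for _, e := range acl {
		if (e.Proto == "ip" || e.Proto == proto) && (e.DstPort == 0 || e.DstPort == dstPort) &&
			wildcardMatch(ip4(src), e.Src, e.SrcWC) && wildcardMatch(ip4(dst), e.Dst, e.DstWC) {
			return e.Permit
		}
	}
	return false
}

// ACL10 is "access-list 10 permit 192.168.10.0 0.0.0.255": a standard ACL, source address only.
var ACL10 = []Entry{
	{Permit: true, Proto: "ip", Src: ip4("192.168.10.0"), SrcWC: ip4("0.0.0.255"), DstWC: 0xffffffff},
}

// ACL103 is "access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80".
var ACL103 = []Entry{
	{Permit: true, Proto: "tcp", Src: ip4("192.168.10.0"), SrcWC: ip4("0.0.0.255"), DstWC: 0xffffffff, DstPort: 80},
}
```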

Sunday, 6 May 2012

Secure Perimeter Routers & Disable Services & Logging

As discussed in the previous post about perimeter routers, we have a better understanding of the importance of securing the perimeter router. Perimeter routers act as the gateway to the external network, filtering unwanted traffic before it enters the secured internal network. There are also additional methods for hardening the perimeter router, such as ingress and egress filtering, and access list directional filtering.

Ingress and Egress Filtering:
Ingress filtering makes sure that incoming packets really come from the networks they claim to be from. Egress filtering focuses on monitoring and restricting the flow of information outbound from one network to another.

Access List Directional Filtering:
This type of filtering is based on the direction of the traffic relative to the router's interface. Packets flowing towards the router's interface are considered inbound traffic, and packets flowing away from the router's interface are considered outbound traffic.
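An added example (not from the original post) in Go of the two filters above applied to a packet's source address on the router's outside interface: inbound packets claiming an inside source are dropped (ingress), and outbound packets not carrying one of our own addresses are dropped (egress). The Perimeter type and the internal prefixes passed to it are constructed for the example.

```go
package main

import "net"

// Direction of a packet relative to the perimeter router's outside interface.
type Direction int

const (
	Inbound  Direction = iota // arriving from the Internet, heading into the site
	Outbound                  // leaving the site towards the Internet
)

// Perimeter knows which address blocks belong to the protected internal network.
type Perimeter struct{ inside []*net.IPNet }

// NewPerimeter takes the internal prefixes in CIDR notation.
func NewPerimeter(cidrs ...string) *Perimeter {
	p := &Perimeter{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		p.inside = append(p.inside, n)
	}
	return p
}

func (p *Perimeter) isInside(ip net.IP) bool {
	for _, n := range p.inside {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Allow applies ingress filtering (an inbound packet must not claim an inside
// source, which cannot legitimately arrive from the Internet) and egress filtering
// (an outbound packet must carry one of our own addresses). reason explains a drop.
func (p *Perimeter) Allow(dir Direction, src string) (ok bool, reason string) {
	ip := net.ParseIP(src)
	switch {
	case ip == nil:
		return false, "unparsable source address"
	case dir == Inbound && p.isInside(ip):
		return false, "ingress: inside source address arriving from outside"
	case dir == Outbound && !p.isInside(ip):
		return false, "egress: source address is not ours"
	}
	return true, ""
}
```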

Apart from implementing security measures such as access control, disabling unused services and performing logging on the router are equally important. Disabling IOS network services that are not in use prevents unauthorized access through the ports those services would require to be open.

List of IOS services which should be disabled or restricted when not in use:

** Picture taken from INKS lecture notes, T12 - Basic Router and Switch Security

Lastly, managing a proper logging system for the perimeter router ensures accountability on the network. In the event of downtime or an incident, the network administrator will be able to quickly spot the errors, or the person who caused them. Implementing a Syslog server for the perimeter router and encrypting the logs are recommended as best practice.


Reference:
INKS week 2 lecture notes - Basic Router and Switch Security
http://en.wikipedia.org/wiki/Ingress_filtering
http://en.wikipedia.org/wiki/Egress_filtering