Wednesday, 13 June 2012

Site to Site VPN vs Remote VPN

A Virtual Private Network (VPN) provides secured connections from remote networks to the private network of a company over the Internet. There are several ways a VPN can be deployed; the two most common VPN configurations are the site-to-site VPN and the remote access VPN.

Site to Site VPN

A site-to-site VPN provides secured connections from one geographic location to another by placing a VPN server at each location. This makes resources from one location available at the other; for example, an employee at the remote office is able to access resources at the HQ branch as if he were directly connected to the HQ's network. A site-to-site VPN only requires one tunnel connection to be established between the VPN servers in order for all employees at the remote office to access the HQ's network.

There are two types of site-to-site VPN, which serve different purposes:

Intranet - To link the company's own remote offices/branches over dedicated connections (not open to the public)

Extranet - To link to the LANs of business partners, suppliers or customers, in order to work together in a secure environment while still preventing access to each party's separate intranet.

Remote Access VPN

A remote access VPN allows any remote user to connect through the Internet to the private network of the company. A remote access VPN can be accessed using an Internet browser or specific VPN software. Each client connecting through the remote access VPN establishes an individual connection with the VPN server located on the company's network.

Tuesday, 29 May 2012

Public Key Infrastructure (Digital Cert)

Public-key infrastructure (PKI) is a combination of hardware, software, policies, processes and encryption technologies that are required to secure the communications and transactions of an organization. PKI relies on the exchange of digital certificates between authenticated users and a trusted source.

A digital certificate is an electronic credential consisting of a public key together with information on the subject, the validity period and the applications that use the certificate. It provides a way to secure data, as well as to manage the identification credentials of users and computers.

Applications that use PKI:

  • Digital signatures
  • Smart card logon
  • Secure e-mail
  • Software code signing
  • IP Security (IPSec)
  • Software restriction policy
  • Internet authentication
  • Encrypting File System
PKI consists of a few closely related components:
  • Certificate and CA management tools 
  • Certification Authority (CA)
  • Registration Authority (RA)
  • Validation Authority (VA)
  • Attribute Authority (AA)
  • Attribute Certificates
  • Certificate Template
  • Digital Certificate
  • PKI enabled applications and services

IPSec (ESP, AH, DES, MD5, SHA, DH)

IP security (IPSec) was designed by the IETF to allow encrypted and digitally signed communication to pass between two computers, or between computers and a router, over a public network. IPSec defines two functions: data encryption and data integrity. IPSec uses the authentication header (AH) to provide authentication and integrity without encryption. It uses the encapsulating security payload (ESP) to provide authentication and integrity together with encryption. IPSec uses a security key that is known only to the sender and the recipient. The recipient can tell that a transmission comes from the original sender if the authentication data is valid.

Benefits of IPSec:

  • IPSec is an international standard, so it can provide security for communication with a huge variety of different networks.
  • IPSec can be applied to networks of all sizes; it is very scalable.
  • IPSec functions at a low network level, so it does not affect the performance of higher levels such as users and applications.
  • IPSec is highly compatible with applications; it is not limited to a specific application.
Drawbacks of IPSec:

  • IPSec has a complex configuration
  • IPSec reduces the performance of the network due to its high overhead
  • Not all firewalls or routers support IPSec

A few protocols used by IPSec are:

ESP uses IP protocol 50 to provide confidentiality using encryption and authentication. It works in transport mode and does not provide integrity and authentication for the entire packet; only the IP payload is protected. ESP protects everything except the IP header.

AH uses IP protocol 51 to provide authentication, integrity and anti-replay protection for the entire packet, but it does not provide encryption for the data, which means the data is readable but cannot be modified.

Using both AH and ESP is the only way to protect the IP header and also encrypt the data.

DES is a data encryption algorithm standard used in computer cryptography which uses a 56-bit key for encryption. Because the 56-bit key is too small, DES is now considered insecure, as it can be broken by a brute-force attack. DES was later improved to Triple DES, which provides a relatively simple method of increasing the key size of DES to protect against brute-force attacks.

MD5 is a hashing algorithm that produces a 128-bit (16-byte) hash value. It is used to check data integrity and is widely employed in many security applications.

SHA is also a hashing algorithm, but it uses a longer hash value than MD5, which means it is much more secure than MD5. SHA comprises three types of hashing algorithm, SHA-0, SHA-1 and SHA-2, each with a different hash value length for different purposes.

DH is a key exchange method in cryptography which allows two computers to establish a shared secret key over an insecure communications channel. The purpose of the key exchange is to encrypt subsequent communications using a symmetric key cipher.
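
The following Python example is added here to illustrate the DH and hashing material above; it is not code from the original post and it is not an IPSec implementation. It runs a Diffie-Hellman exchange over a constructed toy group (a 127-bit Mersenne prime and generator 5, far too small for real use, where IPSec uses standardised MODP groups of 2048 bits or more), derives a symmetric key from the shared secret, then uses that key to compute and verify an HMAC integrity check value over a constructed payload, the way AH and ESP authenticate data. The `digest_sizes` function reports the output lengths of MD5, SHA-1 and SHA-256 that the post compares; all function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for this example): a Mersenne prime and
# a small generator. Real IPSec uses standardised MODP groups of 2048 bits or more.
P = 2**127 - 1
G = 5


def dh_keypair(p=P, g=G):
    """Return (private, public): only the public value g^private mod p crosses the wire."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared_secret(my_priv, their_pub, p=P):
    """Both sides compute the same value, since (g^b)^a == (g^a)^b mod p."""
    return pow(their_pub, my_priv, p)


def derive_key(shared):
    """Hash the shared integer down to a fixed-size symmetric key (SHA-256 here)."""
    raw = shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(raw).digest()


def digest_sizes(data=b"x"):
    """Output length, in bits, of the hash functions the post compares."""
    return {name: len(hashlib.new(name, data).digest()) * 8
            for name in ("md5", "sha1", "sha256")}


def authenticate(key, payload, algo="sha1"):
    """Integrity check value over the payload, computed as an HMAC with the shared key."""
    return hmac.new(key, payload, algo).digest()


def verify(key, payload, icv, algo="sha1"):
    """Constant-time comparison, so the check itself leaks nothing about the ICV."""
    return hmac.compare_digest(authenticate(key, payload, algo), icv)


def demo():
    """Run one exchange plus one integrity check and return what happened."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Only a_pub and b_pub are exposed on the insecure channel.
    key_a = derive_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_key(dh_shared_secret(b_priv, a_pub))

    payload = b"constructed IP payload"        # constructed sample data
    icv = authenticate(key_a, payload)         # sender side
    tampered = payload[:-1] + b"!"             # one byte changed in transit
    return {
        "keys_match": key_a == key_b,
        "valid_accepted": verify(key_b, payload, icv),
        "tampered_rejected": not verify(key_b, tampered, icv),
    }


if __name__ == "__main__":
    print(digest_sizes())
    print(demo())
```

Each side computes the key from its own private value and the other side's public value; an observer who sees only the two public values cannot compute it without solving the discrete logarithm in the group, which is why the group size matters.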

Sunday, 20 May 2012

Authentication, Authorization and Accounting

Authentication, Authorization and Accounting (AAA) is a concept used by routers or access control servers to manage network access. Using this concept, the access control servers are able to:

  • Implement user credential management
  • Provide profiles for different user roles
  • Track resources (such as logging and auditing)

AAA consists of three independent security functions:

Authentication
Authentication verifies users before they are allowed access to the network and network services, using methods such as a login and password dialog, challenge and response, message support and so on. AAA authentication is configured by defining a named list of authentication methods and applying that list to the various interfaces on the router or access control server.

On Cisco routers or access servers, all authentication methods must be defined through AAA, except for local, line password and enable authentication.

Authorization
Authorization describes what functions or services the authenticated user is permitted to perform. AAA authorization is able to provide authorization for:
  • Remote access control
  • One-time authorization
  • Per-user account lists and profiles
  • User groups
  • Different services such as IP, IPX and Telnet

Accounting
Accounting provides a way of logging and recording usage information. It enables administrators to track the services users are accessing, as well as the amount of network resources they are consuming. AAA accounting collects and sends information to the security server, which can be used for:
  • Billing
  • Auditing
  • Reporting
  • Identifying and tracking users

AAA provides several benefits such as:
  • Increased flexibility and control of access configuration
  • Scalability
  • Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
  • Multiple backup systems


Tuesday, 15 May 2012

Context-based Access Control

Context-based Access Control (CBAC) is quite similar to an extended access control list: both filter using source and destination IP addresses and source and destination ports. The difference is that an extended access control list is created manually, whereas CBAC is a firewall feature whose entries are created dynamically. CBAC can be configured to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the protected network.

Context-based access control examines not only network layer and transport layer information, but also application-layer protocol information (such as FTP information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for each individual connection that travels through the firewall. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and to dynamically create and delete temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

CBAC also provides a few further benefits, such as Java blocking, denial-of-service (DoS) prevention and detection, and real-time alerts and audit trails.

How CBAC works:
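
As an added illustration of the stateful behaviour described above (this is example code written for this post, not Cisco's CBAC implementation), the Python below keeps a session table for connections initiated from the protected network, permits inbound packets only as the return half of a known session, and inspects the FTP control channel for the `PORT` command so that the server's secondary data connection from port 20 is expected and allowed while any other unsolicited inbound connection is dropped. The `Packet` fields, the `StatefulInspector` class and the sample trace are all constructed for this example; the FIN-based teardown that a real inspector tracks is left out, only a reset removes the session here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out": leaving the protected network, "in": arriving from outside
    flags: str = ""     # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK), "R" (RST)
    payload: str = ""   # application data, inspected for the FTP "PORT" command


class StatefulInspector:
    """Hypothetical CBAC-style inspector: outbound sessions open temporary holes for their return traffic."""

    def __init__(self, inspected_ports):
        self.inspected = set(inspected_ports)   # services that inside hosts may initiate
        self.sessions = set()                   # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.expected = set()                   # secondary connections learned from the application layer

    def _session_key(self, pkt):
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _learn_ftp_port(self, pkt):
        # Active FTP: the client tells the server where to connect back for data.
        if pkt.dport == 21 and pkt.payload.startswith("PORT "):
            h1, h2, h3, h4, p1, p2 = (int(x) for x in pkt.payload[5:].strip().split(","))
            client_ip = f"{h1}.{h2}.{h3}.{h4}"
            self.expected.add(("tcp", pkt.dst, 20, client_ip, p1 * 256 + p2))

    def filter(self, pkt):
        key = self._session_key(pkt)
        if pkt.direction == "out":
            opening = pkt.proto == "udp" or pkt.flags == "S"
            if opening:
                if pkt.dport not in self.inspected:
                    return "deny"
                self.sessions.add(key)          # temporary opening for the return traffic
            elif key not in self.sessions:
                return "deny"
            self._learn_ftp_port(pkt)
            if "R" in pkt.flags:
                self.sessions.discard(key)      # a reset tears the opening down at once
            return "permit"
        # Inbound: permitted only as the return half of a known session, or as a
        # secondary data connection that inspection of the control channel predicted.
        if key in self.sessions:
            return "permit"
        expect = ("tcp", pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S" and expect in self.expected:
            self.expected.discard(expect)
            self.sessions.add(("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "permit"
        return "deny"


def demo():
    """Constructed packet trace: one web session, one FTP session, and two unsolicited connects."""
    insp = StatefulInspector(inspected_ports={80, 21})
    inside, web, ftp = "10.0.0.5", "203.0.113.9", "203.0.113.21"
    trace = [
        ("web_syn_out",        Packet("tcp", inside, 40000, web, 80, "out", "S")),
        ("web_synack_back",    Packet("tcp", web, 80, inside, 40000, "in", "SA")),
        ("unsolicited_syn_in", Packet("tcp", web, 80, inside, 40001, "in", "S")),
        ("telnet_out",         Packet("tcp", inside, 40002, web, 23, "out", "S")),
        ("ftp_control_out",    Packet("tcp", inside, 40003, ftp, 21, "out", "S")),
        ("ftp_port_command",   Packet("tcp", inside, 40003, ftp, 21, "out", "A", "PORT 10,0,0,5,156,65")),
        ("ftp_data_from_20",   Packet("tcp", ftp, 20, inside, 156 * 256 + 65, "in", "S")),
        ("stray_data_from_20", Packet("tcp", ftp, 20, inside, 5000, "in", "S")),
    ]
    return {name: insp.filter(pkt) for name, pkt in trace}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} {decision}")
```

The trace shows the two things a plain extended ACL cannot do: the SYN-ACK from the web server is permitted only because the inside host opened that exact session first, and the FTP data connection from port 20 is permitted only to the port the client announced, not to any other port on the same host.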

Sunday, 13 May 2012

Access Control Lists

An access control list (ACL) is a configuration script that controls traffic on a router or firewall. It permits or denies packets passing through the router or firewall interfaces based on criteria matched against the packet header. If a packet matches the criteria, the router or firewall grants or denies access according to the ACL.

Take a look at the video below for a better understanding of how exactly an ACL works.

The three general rules for applying ACLs:

  • One ACL per protocol
  • One ACL per direction
  • One ACL per interface
There are two types of Cisco ACLs: standard and extended
  • Standard ACLs filter packets based on the source IP address only
  • Extended ACLs filter packets based on several attributes, such as the source and destination IP addresses

Standard ACL:
Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255

This standard ACL statement allows all traffic from the network 192.168.10.0/24. Standard ACLs are identified by access list numbers 1 to 99 and 1300 to 1399.

Extended ACL:
Router(config)# access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80

This extended ACL statement permits traffic from any address on the 192.168.10.0/24 network to any destination on port 80 (HTTP). Extended ACLs are identified by access list numbers 100 to 199 and 2000 to 2699, or by using a named ACL.
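
To make the matching rules concrete, here is an added Python example (written for this post, not Cisco IOS code) that parses the two `access-list` statements shown above, applies the wildcard-mask semantics (a 0 bit in the mask must match, a 1 bit is "don't care"), evaluates a packet top-down with first match wins, and ends with the implicit `deny any` that every ACL carries. It supports only the subset of IOS syntax used here (`any`, `host`, address plus wildcard, `eq` with a port number or a few port names); the function names and the sample packets are this example's own.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ace(line):
    """Parse one numbered access-list entry (a subset of IOS syntax) into a dict."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    num, action = int(tok[1]), tok[2]
    if 1 <= num <= 99 or 1300 <= num <= 1399:              # standard: source address only
        src, _ = _parse_addr(tok, 3)
        return {"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None}
    if 100 <= num <= 199 or 2000 <= num <= 2699:            # extended: protocol, src, dst, port
        proto = tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
        return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}
    raise ValueError(f"access-list number {num} is neither standard nor extended")


def evaluate(acl_lines, pkt):
    """First matching entry wins; every ACL ends with an implicit 'deny any'.

    pkt is a dict such as {"proto": "tcp", "src": "...", "dst": "...", "dport": 80}.
    """
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"


STANDARD_ACL = ["access-list 10 permit 192.168.10.0 0.0.0.255"]
EXTENDED_ACL = ["access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80"]


def demo():
    """Constructed packets run against the two statements from the post."""
    out = "203.0.113.1"
    return {
        "std_inside_net": evaluate(STANDARD_ACL, {"proto": "tcp", "src": "192.168.10.77", "dst": out, "dport": 22}),
        "std_other_net":  evaluate(STANDARD_ACL, {"proto": "tcp", "src": "192.168.11.77", "dst": out, "dport": 22}),
        "ext_http":       evaluate(EXTENDED_ACL, {"proto": "tcp", "src": "192.168.10.5", "dst": out, "dport": 80}),
        "ext_https":      evaluate(EXTENDED_ACL, {"proto": "tcp", "src": "192.168.10.5", "dst": out, "dport": 443}),
        "ext_udp_80":     evaluate(EXTENDED_ACL, {"proto": "udp", "src": "192.168.10.5", "dst": out, "dport": 80}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15s} {decision}")
```

Note that the HTTPS and UDP packets are denied not by any written entry but by the implicit deny at the end of the list, which is the usual source of surprise when an ACL is first applied.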

Sunday, 6 May 2012

Secure Perimeter Routers & Disable Services & Logging

As discussed in the previous post about perimeter routers, we now have a better understanding of the importance of securing the perimeter router. Perimeter routers act as the gateway to the external network, filtering unwanted traffic before it enters the secured internal network. There are additional methods for hardening the perimeter router, such as ingress and egress filtering, and access list directional filtering.

Ingress and Egress Filtering:
Ingress filtering makes sure that incoming packets really come from the legitimate networks they claim to be from. Egress filtering focuses on monitoring and restricting the potential flow of information outbound from one network to another.

Access List Directional Filtering:
This type of filtering is based on the direction of traffic relative to the router's interface. Packets flowing towards the router's interface are considered inbound traffic, and packets flowing away from the router's interface are considered outbound traffic.

Apart from implementing various security aspects such as access control, disabling unused services and performing logging operations on the router are equally important. Disabling IOS network services which are not in use prevents unauthorized access through the ports those services would require to be open.
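
The following Python is an added example, not part of the original post, showing how the two filtering ideas combine on the router's external interface: packets entering on that interface are dropped if they claim one of our own (or a loopback/unspecified) source address, since a legitimate external sender cannot have one (ingress filtering), and packets leaving towards the Internet are dropped unless they carry one of our own addresses (egress filtering). The address ranges, the `directional_filter` function and the sample packets are constructed for this example.

```python
import ipaddress

# Address space of our own site (constructed for this example).
OUR_PREFIXES = [ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("10.0.0.0/8")]
# Sources that should never arrive from the Internet: our own space plus loopback and unspecified.
NEVER_FROM_OUTSIDE = OUR_PREFIXES + [ipaddress.ip_network("127.0.0.0/8"),
                                     ipaddress.ip_network("0.0.0.0/8")]


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def directional_filter(interface, direction, src):
    """Decide on a packet by the interface it is seen on and its direction relative to that interface.

    interface: "outside" faces the Internet, "inside" faces the LAN
    direction: "in"  = flowing towards the interface (entering the router)
               "out" = flowing away from the interface (leaving the router)
    Returns (decision, reason).
    """
    if interface != "outside":
        return "permit", "not the external interface; no perimeter rule applies"
    if direction == "in":                                   # ingress filtering
        if _in_any(src, NEVER_FROM_OUTSIDE):
            return "deny", f"ingress: {src} claims an internal or reserved source"
        return "permit", "ingress: plausible external source"
    if direction == "out":                                  # egress filtering
        if not _in_any(src, OUR_PREFIXES):
            return "deny", f"egress: {src} is not one of our addresses"
        return "permit", "egress: our own source address"
    raise ValueError(f"unknown direction {direction!r}")


def demo():
    """Constructed packets as seen on the outside interface."""
    cases = [
        ("spoofed_internal_from_internet", "outside", "in", "192.168.10.9"),
        ("loopback_from_internet",         "outside", "in", "127.0.0.1"),
        ("normal_reply_from_internet",     "outside", "in", "203.0.113.7"),
        ("our_host_to_internet",           "outside", "out", "10.1.2.3"),
        ("foreign_source_leaving",         "outside", "out", "198.51.100.4"),
    ]
    return {name: directional_filter(iface, d, src)[0] for name, iface, d, src in cases}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32s} {decision}")
```

The egress rule is the one most often skipped, yet it is what stops a compromised inside host from sending packets with forged source addresses out through the perimeter.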

List of IOS services which should be disabled or restricted when not in use:

**Picture taken from INKS Lecture note, T12 - Basic Router and Switch Security

Lastly, managing a proper logging system for the perimeter router ensures accountability on the network. In the event of any downtime or incident, the network administrator will be able to quickly spot the error, or the person who caused it. Implementing a Syslog server for the perimeter router and encrypting the logs are recommended as best practice.

Reference:
INKS week 2 lecture notes - Basic Router and Switch Security
http://en.wikipedia.org/wiki/Ingress_filtering
http://en.wikipedia.org/wiki/Egress_filtering

Common Threats to Router and Switch Physical Security & Mitigation

Routers and switches are commonly installed in the server room, where the other server equipment is placed. Therefore, the server room requires a high level of physical security to prevent unauthorized access to all the devices and servers inside. Beyond physical security, the devices also have to be protected with well-controlled temperature, a reliable power supply and hardware support.

There are FOUR common threats faced by routers and switches during physical installation:
hardware threats, environmental threats, electrical threats and maintenance threats.

Hardware Threats:
This threat refers to any risk that will cause physical damage to hardware (routers, switches and servers).
The simplest way to mitigate this threat is to ensure that the router and switch cannot be accessed (or even touched) by unauthorized personnel.

A few ways commonly used to prevent unauthorized access to the router and switch:
  • Prevent access via the ceiling, raised flooring, windows and duct-work
  • Prevent unauthorized access using access cards and implement man-traps
  • Implement port security on all switches
  • Install security cameras with logging features
Environmental Threats:
This threat refers to the temperature, moisture, electrostatic and magnetic interference of the server room's environment. Poor control of these environmental factors causes environmental threats, damaging the equipment in the server room.

In order to mitigate the environmental threats:
  • Make sure that the temperature is not extreme (too cold or too hot)
  • Make sure that the humidity in the server room is just right (neither too wet nor too dry)
  • Remove any sources of electromagnetic interference from the server room
  • Control the airflow in the server room
Electrical Threats:
This threat refers to irregular changes in the voltage supplied to the systems, such as voltage spikes, insufficient voltage, unconditioned power supply and total power loss. As power is the most crucial requirement for any device in the server room to work, redundant power supplies can be implemented to prevent a single point of power failure.

To mitigate electrical threats:
  • Install uninterruptible power supply (UPS) systems
  • Implement redundant power cables or hardware
  • Install backup generator systems
  • Plan and implement preventative maintenance
  • Implement monitoring and alarms for power-related parameters at the power supply and device levels
Maintenance Threats:
This threat refers to a lack of backup parts, network components or electronic components; a lack of proper labeling on devices, cables and other related components; or poor handling of electronic components, which causes electrostatic discharge (ESD). A general list of rules should be followed in order to mitigate these threats.

The general list of rules to mitigate maintenance threats includes:
  • Label cabling clearly and secure it to the racks to prevent accidental damage, disconnection or incorrect termination
  • Use proper cable runways
  • Follow the proper ESD procedures for handling the internal components of the router or switch
  • Disconnect any console connection and administrative interfaces when not in use
  • Stock up on critical spares such as cables or router/switch adapters

Reference:
INKS week 2 lecture notes - Basic Router and Switch Security
http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/mitigating-common-threats.html

Saturday, 5 May 2012

Network / Port Address Translation

Network Address Translation (NAT), as the name suggests, has to do with translating network addresses (IP addresses). NAT is the process of translating between private IP addresses and public IP addresses. The purpose of NAT is to act as a gateway between the internal network (which uses private IP addresses) and the public network (which uses public IP addresses), providing communication between the two. The translations are stored in the NAT table of the router or NAT-enabled device. NAT operations are transparent to both the internal and external hosts.

There are a few benefits to using NAT:

With so many benefits of NAT, its disadvantage is likely to be seen as a minor matter by the network administrator. The disadvantage of NAT is that NAT operations require additional processing power on the router or NAT-enabled device. As such, NAT slows down network communication because of the IP address translation process.

There are three types of NAT operation available: static NAT, dynamic NAT and overloading NAT.

Static NAT (One-to-one Mapping) :

Static NAT is more commonly configured on nodes that require high Internet availability or that do not need to be rebooted frequently, such as servers or printers. It maps one private IP address to one public IP address, so a device configured with static NAT has its own public IP address.

Dynamic NAT (Many-to-many Mapping):

Dynamic NAT is just like static NAT, but it is more commonly implemented in larger networks. It maps the private addresses to a group of public IP addresses, which means all the hosts in the private network share a pool of public IP addresses (for example, 100 hosts sharing 20 public IP addresses). As such, not all hosts in the private network are able to access the Internet at the same time; there is a timeout period for each translation, after which the public address becomes available again for another translation.

Overloading NAT (Many-to-one Mapping):

Overloading NAT is also known as Port Address Translation (PAT). PAT is the most common NAT method used for networks to connect to the Internet. Our home broadband, for example, connects to the ISP using PAT, which makes it cheaper for us to purchase Internet connection services (public IP addresses).

The process of overloading NAT is like this:

Private IP address         Public IP address
192.168.1.2 + port 2000 -->  203.0.0.1 + port 2000
192.168.1.3 + port 23   -->  203.0.0.1 + port 23

The return packet from the Internet passes through the same port, which identifies the host in the private network.
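
As an added example (written for this post, not the code of any router), the Python below keeps the PAT table from the diagram above as two dictionaries, one for each direction. Outbound packets keep their private port number when it is free on the public address and are given the next free port from a pool when it is not, which the two rows above do not show; inbound packets are mapped back through the same port, and a return packet for a port with no translation entry has nowhere to go and is dropped. The class name, the port pool and the sample hosts are this example's own.

```python
class PortAddressTranslator:
    """Hypothetical PAT (overloading NAT) table: many private hosts share one public address."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.first_port, self.last_port = first_port, last_port
        self.outbound_map = {}   # (private_ip, private_port) -> public_port
        self.inbound_map = {}    # public_port -> (private_ip, private_port)

    def _allocate(self, preferred):
        # Keep the private port number when nobody else holds it (as in the table above);
        # otherwise take the next free port from the pool.
        if preferred not in self.inbound_map:
            return preferred
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.inbound_map:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, private_ip, private_port):
        """Rewrite the source of a packet leaving the private network; returns (public_ip, public_port)."""
        key = (private_ip, private_port)
        if key not in self.outbound_map:
            public_port = self._allocate(private_port)
            self.outbound_map[key] = public_port
            self.inbound_map[public_port] = key
        return self.public_ip, self.outbound_map[key]

    def translate_inbound(self, public_port):
        """Map a return packet back to (private_ip, private_port), or None if no session exists."""
        return self.inbound_map.get(public_port)

    def table(self):
        """Rows in the form the post uses: private -> public."""
        return [(f"{ip} + port {port}", f"{self.public_ip} + port {pub}")
                for (ip, port), pub in self.outbound_map.items()]


def demo():
    """Constructed sessions: the two rows from the post plus a port collision and two return packets."""
    pat = PortAddressTranslator("203.0.0.1")
    pat.translate_outbound("192.168.1.2", 2000)
    pat.translate_outbound("192.168.1.3", 23)
    collision = pat.translate_outbound("192.168.1.4", 2000)   # port 2000 already taken on the public side
    return {
        "rows": pat.table(),
        "collision": collision,
        "return_to_host": pat.translate_inbound(2000),
        "unsolicited": pat.translate_inbound(9999),
    }


if __name__ == "__main__":
    for row in demo()["rows"]:
        print(f"{row[0]:28s} --> {row[1]}")
```

The last lookup is the reason a PAT device drops unsolicited inbound connections by default: with no table entry there is no private host to hand the packet to, which is why a server behind PAT needs a static mapping.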

Reference:
http://en.wikipedia.org/wiki/Network_address_translation
http://www.simonzone.com/software/guidedog/manual/whatisnat.html
http://www.bglug.ca/articles/nat_and_ip_masquerade.pdf

Perimeter Router, Internal Router and Firewall

The figure above (illustrated using Microsoft Visio 2010) shows a simple company network with a back-to-back firewall implementation. It consists of a local area network (internal network) and a demilitarized network (perimeter network) connecting to the Internet (external or public network). Before we discuss what a perimeter router, internal router and firewall are, you may wish to read more about the internal network and perimeter network by clicking on the highlighted link.

A perimeter router is a router which connects the perimeter network to the external network (as shown in the figure above). A perimeter router can work as a firewall as well as a NAT device, controlling the network traffic between the company's network and the public network, and translating between private and public IP addresses for communication between the two networks. In any case, the perimeter router should be configured so that traffic from the external network can reach only the devices in the perimeter network; traffic from the external network should be denied access to the company's internal network for security purposes.

An internal router is a router placed between the company's internal network and the perimeter network. The internal router works like a firewall with an access list: it routes traffic from the internal network to the external network and blocks any traffic from the external network into the internal network. An internal router may be configured with any routing protocol, such as RIPv2, EIGRP (Cisco only) or OSPF.

A firewall is an application or an appliance designed to permit or deny network transmissions based on the firewall policy. The firewall policy is a set of rules or controls used to protect networks from unauthorized access while permitting legitimate communications to pass. Firewall rules can be configured as inbound and outbound rules based on the IP address, the URL, an application, services (see the list of official Internet protocols) and so on.

Take a look at the interesting video below about how packets are transmitted by routers through firewall ports (How the network works).

Reference:
http://en.wikipedia.org/wiki/Firewall_(computing)

Sunday, 29 April 2012

Security Policy

The purpose of security policies is to secure an organization's systems by imposing constraints on secured areas, such as server rooms, and on the information in the system. An organization's security policies can be enforced using the defense-in-depth security model.

The defense-in-depth security model uses multiple computer security techniques to mitigate the risk of a single component of the defense being compromised. The model includes data, application, host, internal network, perimeter network, physical security and procedures.

Data – Secure information (or sensitive data) with encryption and configure access permissions on the files using the NTFS file system, with a policy on how and by whom the data can be accessed.

Application – Vulnerabilities in applications running on the servers put them at risk of an attacker executing malicious code. Therefore all applications running on the servers should be tested before installation, and only authorized personnel should be allowed to install or update any application on the servers. Applications should also be configured to allow access only to authorized users.

Host – There is a risk of attackers accessing the host machine through vulnerabilities found in the operating system's listening services. The operating system of any device connecting to the server (including the server itself) should be kept updated.

Internal Network – Data transmitted within the internal network can be intercepted by an attacker connected to the network using a sniffing tool. Private security certificates can be configured to protect sensitive data within the internal network.

Perimeter Network – The perimeter network is often the demilitarized zone (DMZ), where external users are able to gain access to certain data or applications of the organization. This is where servers such as the web server, mail server and FTP server can be placed. The perimeter should be carefully configured, and the security policy should be enforced so that the public can access only a minimal level of information. As such, the access policy on the firewalls between the internal network and the DMZ should be carefully planned.

Physical security – Physical security should be seen as the highest priority of all the layers in the defense-in-depth security model, and unauthorized access should be denied. Any security breach of this layer could be as severe as losing the whole IT system or the information in it. Doors, gates and walls are the basic physical security systems.

Procedures – Every organization should have a list of procedures to guide people on what to do during a disaster. The administrators should follow these as a security policy to complete any recovery. Training for staff is also important, as it promotes awareness of the security measures in the organization's network.


References:
http://www.techrepublic.com/blog/security/understanding-layered-security-and-defense-in-depth/703
http://www.tisn.gov.au/Documents/SIFT-Defence-in-Depth-CIO+-+15+Oct+2008.pdf
http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)
http://academy.delmar.edu/Courses/ITNW1454/Handouts/AntivirusDefenseInDepth-Chapter3_AntivirusDefense-in-Depth.htm

Common Networking Attacks, Threats and Solutions

A computer network is a system in which a collection of computers and servers are connected together to communicate or share information through various communication channels. Communication channels include the Internet, a local area network or a wireless local area network. Threats or vulnerabilities can potentially be present in any of these communication channels. Basically no computer is totally safe from threats or vulnerabilities, except a powered-off one.

Thanks to technology and the ease of communication, the Internet has become so popular that it has been incorporated into virtually every aspect of modern life. As such, connection to this big network makes systems even more susceptible to threats and vulnerabilities. Let's discuss two well-known network attacks, the TCP SYN flood attack and SQL injection.

1) TCP SYN flood attack – Any service that binds to or listens on a TCP port is potentially at risk from TCP SYN flood attacks. A TCP SYN flood attack in turn leads to a clear potential for denial of service (which will be discussed later). Attackers make use of the TCP 3-way handshake to perform the TCP SYN flood attack. In a normal connection, TCP establishes the connection using a 3-way handshake with these three steps:

I.        The client requests a connection by sending a SYN (synchronize) message to the server
II.      The server acknowledges this request by sending SYN-ACK back to the client
III.     The client responds with an ACK, and the connection is established

The attack works by leaving the connection half-open, by never responding with the expected ACK. As a result, the server keeps waiting for the ACK until its resources are used up and it refuses to accept any new connections.

The solution to the TCP SYN flood attack is to patch the server's operating system so that the TCP protocol stack is updated with the bug fixed. After the fix, the length of each three-way handshake queue was increased and the timeout value was reduced.
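
From the defender's side, the observable symptom of a SYN flood is a pile-up of handshakes stuck between step II and step III. The following Python is an added example, not part of the original post, of a monitor that tracks half-open entries per client, drops them after the shortened timeout the post mentions, and raises an alert when the count crosses a threshold. The `HalfOpenTracker` class and the trace of segments (five normal clients that complete the handshake, then a burst of 100 SYNs that never do) are constructed for this example; the timeout and threshold values are assumptions.

```python
class HalfOpenTracker:
    """Hypothetical monitor for one listening port: counts handshakes stuck after SYN-ACK."""

    def __init__(self, timeout=5.0, threshold=50):
        self.timeout = timeout        # seconds a half-open entry may live (assumed value)
        self.threshold = threshold    # half-open entries that trigger an alert (assumed value)
        self.half_open = {}           # (client_ip, client_port) -> time the SYN arrived
        self.alerts = []              # (time, half-open count) whenever the threshold is crossed

    def _expire(self, now):
        stale = [k for k, t in self.half_open.items() if now - t > self.timeout]
        for k in stale:
            del self.half_open[k]     # the reduced timeout frees the queue slot

    def observe(self, now, client, flags):
        """Feed one client-side segment (flags "S", "A", "R" or "F"); returns the current half-open count."""
        self._expire(now)
        if flags == "S":
            self.half_open[client] = now          # server answers SYN-ACK and waits for step III
        elif flags in ("A", "R", "F"):
            self.half_open.pop(client, None)      # handshake completed or torn down
        if len(self.half_open) >= self.threshold:
            self.alerts.append((now, len(self.half_open)))
        return len(self.half_open)


def build_sample_trace():
    """Constructed segments: five normal clients, then a burst of SYNs that never complete."""
    trace = []
    for i in range(5):
        client = (f"192.0.2.{i + 1}", 50000 + i)
        trace.append((0.1 * i, client, "S"))
        trace.append((0.1 * i + 0.05, client, "A"))
    for i in range(100):
        trace.append((1.0 + 0.01 * i, (f"198.51.100.{i + 1}", 40000 + i), "S"))
    # Much later a normal client connects; by then the flood's entries have timed out.
    trace.append((10.0, ("192.0.2.9", 50009), "S"))
    trace.append((10.05, ("192.0.2.9", 50009), "A"))
    return trace


def run(trace, tracker=None):
    """Replay a trace and summarise what the monitor saw."""
    tracker = tracker or HalfOpenTracker()
    counts = [tracker.observe(t, client, flags) for t, client, flags in trace]
    return {"peak": max(counts), "alerted": bool(tracker.alerts), "final": counts[-1]}


if __name__ == "__main__":
    print(run(build_sample_trace()))
```

The peak count is what a SYN flood looks like in a connection table; the final count shows the effect of the timeout, since the stale entries are gone by the time the next legitimate client arrives.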

2) SQL injection aims to attack the database through the website, using a code injection technique to exploit a vulnerability in the website's software (often due to misconfiguration). The attacker inserts a string of SQL commands through the web forms, which changes the content of the database when the SQL server executes the malicious code. Watch the video below to see how this exploitation works.

To prevent SQL injection attacks, web administrators should always validate user input by testing the type, length, format and range of the data submitted through the web page. The web administrator should also take precautions against malicious input by testing the web page with common malicious inputs.
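
The following Python example is added here to show the two defences named above side by side with the weakness; it is not code from the original post. A login check is written once by pasting form input into the SQL text, so that input can change the query's meaning, and once as a parameterised query, where the database driver receives the values separately from the SQL and they can only ever be compared as data. A format check of the kind the post recommends (type and length and a character whitelist) is applied in front of the query. The in-memory SQLite table, the usernames and the function names are all constructed for this example.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory user table standing in for the website's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, username, password):
    """Form input is pasted into the SQL text, so input can rewrite the WHERE clause."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values; they never become part of the SQL text."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(value):
    """Type, length and format check applied before any query runs."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def demo():
    """Compare both versions on correct credentials and on a tautology in the password field."""
    conn = build_db()
    # Classic tautology string, used here only to show why the two versions differ.
    bypass = "' OR '1'='1"
    return {
        "vulnerable_good_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_bypass": login_vulnerable(conn, "alice", bypass),
        "safe_good_creds": login_safe(conn, "alice", "correct horse"),
        "safe_bypass": login_safe(conn, "alice", bypass),
        "validation_rejects": not valid_username(bypass),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

With the vulnerable version the password comparison becomes `password = '' OR '1'='1'`, which is true for every row, so the count is non-zero and the login succeeds without a valid password; with the parameterised version the same string is compared as a literal password and does not match anything. Input validation is a second, independent layer: it rejects the string before a query is even built.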

Reference: