Site to Site VPN, Remote VPN

VPN is an encrypted connection between private networks over a public network such as the Internet. There are two types of VPN:  Site to Site VPN and remote VPN.

Site to Site VPN

This allows computers at fixed locations to establish secure connections with each other over a public network such as the internet. This is like creating a tunnel and extending the network by making resources from one location available at other locations. There are 2 types of Site to Site VPN: Intranet-based, and Extranet-based.

Intranet-based

It is when there are one or more remote locations that wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.

Extranet-based

Extranet-based is like connecting LANs together. This extranet VPN allows different intranet to work together in a secure, shared network environment while preventing access to their separate intranets. 

Remote VPN

This VPN secures connections for remote users to corporate LANs over shared service provider networks. There are 2 components required in this type of VPN: Network Access Server(media gateway or remote access server), and client software.

Client software  

This software is require for people who wants to use VPN from their computers. This is needed to  establish and maintain a connection to the VPN.The client software sets up the tunnelled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure.

REFERENCE: lecture slide

IMAGE: http://www.google.com.sg/imgres?um=1&hl=en&sa=N&biw=1366&bih=643&tbm=isch&tbnid=5PCiajLCLnlbIM:&imgrefurl=http://techeric.com/Eric-Ortiz/portfolio.html&docid=h09FmOyr6VvGJM&imgurl=http://techeric.com/Eric-Ortiz/Images/Network/Diagrams/Site-to-Site%252520VPN.jpg&w=995&h=655&ei=EE3KT6vaHM_OrQe5sLDVDg&zoom=1&iact=hc&vpx=558&vpy=189&dur=2668&hovh=182&hovw=277&tx=133&ty=149&sig=106332796734911297201&page=1&tbnh=119&tbnw=181&start=0&ndsp=18&ved=1t:429,r:2,s:0,i:88


http://www.google.com.sg/imgres?um=1&hl=en&sa=N&biw=1366&bih=600&tbm=isch&tbnid=GHPPHjbujcBtQM:&imgrefurl=http://www.infotecs.biz/vpn-remote-access.htm&docid=yZ5wWooZCgg41M&imgurl=http://www.infotecs.biz/i/vpn-remote-access.jpg&w=698&h=582&ei=pU7KT_CrFsW4rAf3t9HMDg&zoom=1&iact=hc&vpx=496&vpy=138&dur=2944&hovh=205&hovw=246&tx=137&ty=76&sig=106332796734911297201&page=1&tbnh=123&tbnw=148&start=0&ndsp=18&ved=1t:429,r:2,s:0,i:74

Public Key Infrastructure (Digital Cert)

PKI is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure Internet.  Public key cryptography uses a pair of mathematically related cryptographic keys.   If one key is used to encrypt information, then only the related key can decrypt that information. 
A certificate is information referring to a public key, that has been digitally signed by a Certification Authority (CA).  Certificates conforming to that standard include information about the published identity of the owner of the corresponding private key, the key length, the algorithm used, and associated hashing algorithm, dates of validity of the certificate and the actions the key can be used for. The CA takes responsibility for identifying (to a stated extent) the correctness of the identity of the person asking for a certificate to be issued, and ensures that the information contained within the certificate is correct and digitally signs it.

Generating key pairs

The CA may generate a public key and a private key (a key pair) or the person applying for a certificate may have to generate their own key pair and send a signed request containing their public key to the CA for validation.   The person applying for a certificate may prefer to generate their own key pair so as to ensure that the private key never leaves their control and as a result is less likely to be available to anyone else.

Issuing digital certificates

There are 2 ways of getting a digital cert, by either self-creating one or purchasing one. Before a CA issues you with a certificate they will make various checks to prove that you are who you say you are. CA issues you a certificate after you provide the credentials they require to confirm your identity, and then the CA signs (stamps) the certificate to prevent modification of the details contained in the certificate.

A CA may also state the quality of the checks that were carried out before the certificate was issued. Different classes of certificate can be purchased that correspond to the level of checks made.

Using certificates

An individual may have any number of certificates issued by any number of CAs.  

Verifying certificates

The public key certificate is signed by the CA to prevent its modification or falsification.   This signature is also used when checking that the public key is still valid. The signature is validated against a list of 'Root CAs' contained within various 'PKI aware' applications. 

A public key ; This is something that you make public - it is freely distributed and can be seen by all users.
A private key ; This is something that you keep secret - it is not shared amongst users.




REFERENCE: http://www.articsoft.com/public_key_infrastructure.htm

IPSec (ESP, AH, DES, MD5, SHA, DH)

IPSec means Internet Protocol Security which is a protocol suite that help secure Internet Protocol (IP) communications by authenticating and encrypting every IP packet in the communication layer. This protocol is used for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys that will be used during the session. IPsec uses two transforms, the Authentication Header (AH) and the Encapsulating Security Payload (ESP) header and trailer, to encapsulate and secure IP packets or payloads. Some examples of IPSec are: ESP, AH, DES, MD5, SHA, and DH.


Encapsulating Security Payload(ESP)
ESP provides confidentiality, in addition to authentication, integrity, and anti-replay. ESP can be used alone, or in combination with AH. Unless it is tunneled, ESP would not normally sign the entire package.

Authentication Header(AH)

AH provides connectionless integrity, data origin authentication, and an optional anti-replay service. This is archieve by applying a keyed one-way hash function to the datagram to create a message digest. One-way hash involves the use of a secret shared between the two systems means that authenticity can be guaranteed.

Data Encryption Standard(DES)

DES is a widely-used method of data encryption using a private (secret) key . DES applies a 56-bit key to each 64-bit block of data. The process can run in several modes and involves 16 rounds or operations.

Message Digest 5(MD5)
MD5 is a widely used cryptographic hash function with a 128-bit hash value. MD5 is widely used in security-related applications, and is also frequently used to check the integrity of files. MD5 value of file is considered to be a highly reliable fingerprint that can be used to verify the integrity of the file's contents. If as little as a single bit value in the file is modified, the MD5 value for the file will completely change. Forgery of a file in a way that causes MD5 to generate the same result as that for the original file is considered to be extremely difficult.


Secure Hash Algorithm(SHA)
SHA is one of a cryptography hash function.


Diffie-Hellman(DH)
The protocol has two system parameters p and g. They are both public and may be used by all the users in a system. Parameter p is a prime number and parameter g (usually called a generator) is an integer less than p, which is capable of generating every element from 1 to p-1 when multiplied by itself a certain number of times, modulo the prime p. However, it is vulnerable to a middleperson attack.




REFERENCE: http://technet.microsoft.com/en-us/library/cc959510.aspx
                       http://www.networksorcery.com/enp/protocol/ah.htm 
                       http://www.networksorcery.com/enp/protocol/ah.htm
                       http://searchsecurity.techtarget.com/definition/Data-Encryption-Standard
                       http://www.accuhash.com/what-is-md5.html
                       http://x5.net/faqs/crypto/q24.html

Authentication, Authorization and Accounting

What does authentication, authorization and accounting mean ?

Authentication  
Authentication means to identify a certain individual, usually by username and password. There are other methods of authentication too, like: serial key(one-time password), authentication via PPP link, etc.

- Username & password
The user would be asked by the system for their login credentials in order to verify that they    are authorize user of the system/network. If the user is a authorize user, the user would be allowed access into the system/network. However there is a disadvantage to this authentication method, user frequently uses very guessable password or never change password at regular interval, making it very easy to allow hackers to hack into the system.

- Serial key(one-time password)
Whenever the user wants to login to their account they would have to get their one-time password which is generated by a serial-key program hash function. The user would than be able to login to their individual account. Different password would be generated every time, this was no one would be able to hack into the system easily.

- Authentication via PPP link
There are three types:
   Password Authentication Protocol(PAP)
   Challenge Handshake Authentication Protocol(CHAP)
   MS-CHAP



Authorization
Authorization means to give individual access to systems objects based on who they are.

Accounting
Accounting means keeping track of the user's activity while accessing a network resource.

When authentication, authorization and accounting is combined together, they provide secure remote access to the network and remote management of network device.


REFERENCE : http://www.webopedia.com/TERM/A/authentication.html
                           http://www.webopedia.com/TERM/A/accounting.html
                           lecture T22

Context-based Access Control

Context-based Access Control(CBAC) filters TCP and UDP packets based on application protocol session information, and actively inspects the activity happening behind the firewall. This provides a more sophisticated way of providing perimeter security. CBAC examines not only the network layer and transport layer but application layer information that is stored in the state table too, this allows them to learn about the state of TCP and UDP sessions. Context-based Access Control(CBAC) filters TCP and UDP packets based on application protocol session information, and actively inspects the activity happening behind the firewall. CBAC watches the outbound traffic determining which packet to be allowed in, making decisions based on how the application behaves instead of only the address and port number the application uses. CBCA also have the ability to open any more inbound channels required for the returning data that were being questioned by the outgoing data for any application.

Benefits of CBAC

- Prevention and detection of CBAC

- Real time alerts and audit trails

CBAC inspection rules allow a per-application protocol basis configuration of alerts and audit trail information, generating real-time alerts and auditing trails. System log is used by audit trails in order to track all network transactions. 

REFERENCE : http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

http://en.wikipedia.org/wiki/Context-based_access_control

http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+6+IOS+Firewall+Feature+Set+-+CBAC/Context-Based+Access+Control+CBAC/

IMAGE : http://www.google.com.sg/imgres?um=1&hl=en&sa=N&biw=1366&bih=638&tbm=isch&tbnid=tpEDewqhiCI2aM:&imgrefurl=http://cciethebeginning.wordpress.com/2008/06/13/cbac-context-based-access-control/&docid=81SLKA_Xr5XZPM&imgurl=http://cciethebeginning.files.wordpress.com/2008/06/topology.jpg&w=488&h=470&ei=vrmrT8bxJo_JrQf5ruWAAg&zoom=1&iact=hc&vpx=318&vpy=136&dur=1776&hovh=220&hovw=229&tx=149&ty=99&sig=110102777678606174354&page=1&tbnh=134&tbnw=139&start=0&ndsp=18&ved=1t:429,r:1,s:0,i:73

Access Control Lists

Access Control List(ACL) is a record of Access Control Entries(ACE). The ACE recognizes a trustee and specifies the access rights, whether they are allowed or denied, or audited for the trustee. There are 2 types of ACL: Discretionary Access Control List and System Access Control List.


Discretionary Access Control List(DACL)
This helps identify the whether the trustee is allowed or denied access to a securable object. The system will check all the ACE in the object DACL to determine granting of access when a process attempts to access a securable object. The system would grant full access to everyone if the object doesn't have DACL, as DACL does not allow any access rights.


System Access Control List(SACL)
This enables administrators to log attempts to access secure objects. The ACE in SACL can generate a record in the security log.  


* A securable object is an object that is able to have a security descriptor. All Windows object are securable object, other unnamed object like: process and thread objects, can also have security descriptor.


DACL identify the users and groups that are assigned or denied permission to access on a object, whereas SACL identify the user and groups that the administrator wants to audit whether they can access to an object.

REFERENCE : http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx
http://clintboessen.blogspot.com/2011/04/whats-difference-between-acl-ace-dacl.html

Secure Perimeter Routers & Disable Services & Logging

The general rule for perimeter router is to disable the unnecessary services on it. Some services are useful but not often used, like: TCP & UDP, NTP, CDP, and Finger, these services can be disabled using their individual commands.
As mentioned , router determines whether a data packet can pass through the network hence securing it is very important for defending our private network. There are many categories of configuration for the router.

Patches & Updates
Staying up-to-date with the latest updates and patches by subscribing to the manufacture of the network hardware.

Protocols
Dos usually take advantage of vulnerabilities which are of protocol-level. By using ingress and egress filtering, or screen ICMP traffic from internal network we can counter these kind of attack.
Using ingress and egress filtering
By setting up the router to route only outgoing packets with a valid internal IP address.Verify outgoing packets. These things would not protect us from DoS, but can keep suck attacks from originating from our own network. This would also be easier to trace the originator, as the attacker would have to use a valid and reachable source address.
ICMP traffic
By blocking ICMP traffic at the other perimeter router we can prevent attacks such as: ping flood.

Administrative access
Decide which interface and ports administration connection is allowed and which network the administration is suppose to be perform.  Restrict access to the decided interfaces and ports, and encrypt them and have countermeasures against hijacking into these interfaces.


REFERENCE : http://etutorials.org/Networking/Cisco+Certified+Security+Professional
                        +Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco
                        +Perimeter+Routers/Limit+Unneeded+TCP+IP+and+Other+Services/

                        http://msdn.microsoft.com/en-us/library/ff648651.aspx