Sunday 3 June 2012

Site to Site VPN, Remote VPN

A VPN is an encrypted connection between private networks over a public network such as the Internet. There are two types of VPN: site-to-site VPN and remote VPN.

Site to Site VPN
A site-to-site VPN allows computers at fixed locations to establish secure connections with each other over a public network such as the Internet. It is like creating a tunnel that extends the network by making resources at one location available at the other locations. There are 2 types of site-to-site VPN: intranet-based and extranet-based.

Intranet-based
When one or more remote locations wish to join a single private network, they can create an intranet VPN to connect each separate LAN into a single WAN.

Extranet-based
An extranet VPN is like connecting LANs together: it allows different intranets to work together in a secure, shared network environment while preventing access to each other's separate intranets.

Remote VPN
This VPN secures connections for remote users to corporate LANs over shared service provider networks. There are 2 components required in this type of VPN: a Network Access Server (media gateway or remote access server), and client software.

Client software  
This software is required for people who want to use the VPN from their computers; it establishes and maintains the connection to the VPN. The client software sets up the tunnelled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure.

REFERENCE: lecture slide

Sunday 27 May 2012

Public Key Infrastructure (Digital Cert)

PKI is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure Internet. Public key cryptography uses a pair of mathematically related cryptographic keys. If one key is used to encrypt information, then only the related key can decrypt that information.
A certificate is information referring to a public key that has been digitally signed by a Certification Authority (CA). A standard certificate includes information about the published identity of the owner of the corresponding private key, the key length, the algorithm used and its associated hashing algorithm, the dates of validity of the certificate, and the actions the key can be used for. The CA takes responsibility for verifying (to a stated extent) the identity of the person asking for a certificate to be issued, ensures that the information contained within the certificate is correct, and digitally signs it.

Generating key pairs
The CA may generate a public key and a private key (a key pair) or the person applying for a certificate may have to generate their own key pair and send a signed request containing their public key to the CA for validation.   The person applying for a certificate may prefer to generate their own key pair so as to ensure that the private key never leaves their control and as a result is less likely to be available to anyone else.

Issuing digital certificates
There are 2 ways of getting a digital cert: either self-creating one or purchasing one. Before a CA issues you a certificate it will make various checks to prove that you are who you say you are. The CA issues the certificate after you provide the credentials it requires to confirm your identity, and then signs (stamps) the certificate to prevent modification of the details contained in it.
A CA may also state the quality of the checks that were carried out before the certificate was issued. Different classes of certificate can be purchased that correspond to the level of checks made.

Using certificates
An individual may have any number of certificates issued by any number of CAs.  

Verifying certificates
The public key certificate is signed by the CA to prevent its modification or falsification.   This signature is also used when checking that the public key is still valid. The signature is validated against a list of 'Root CAs' contained within various 'PKI aware' applications. 

A public key: this is something that you make public - it is freely distributed and can be seen by all users.
A private key: this is something that you keep secret - it is not shared amongst users.

REFERENCE: http://www.articsoft.com/public_key_infrastructure.htm

IPSec (ESP, AH, DES, MD5, SHA, DH)

IPSec (Internet Protocol Security) is a protocol suite that helps secure Internet Protocol (IP) communications by authenticating and encrypting every IP packet of a communication session. The protocol is used for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys that will be used during the session. IPsec uses two transforms, the Authentication Header (AH) and the Encapsulating Security Payload (ESP) header and trailer, to encapsulate and secure IP packets or payloads. Protocols and algorithms used within IPSec include: ESP, AH, DES, MD5, SHA, and DH.


Encapsulating Security Payload(ESP)
ESP provides confidentiality in addition to authentication, integrity, and anti-replay. ESP can be used alone or in combination with AH. Unless it is tunneled, ESP would not normally sign the entire packet.


Authentication Header(AH)
AH provides connectionless integrity, data origin authentication, and an optional anti-replay service. This is achieved by applying a keyed one-way hash function to the datagram to create a message digest. Because the one-way hash uses a secret shared between the two systems, authenticity can be guaranteed.

Data Encryption Standard(DES)
DES is a widely-used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. The process can run in several modes and involves 16 rounds of operations.


Message Digest 5(MD5)
MD5 is a widely used cryptographic hash function with a 128-bit hash value. MD5 is widely used in security-related applications, and is also frequently used to check the integrity of files. The MD5 value of a file is considered to be a highly reliable fingerprint that can be used to verify the integrity of the file's contents. If as little as a single bit in the file is modified, the MD5 value for the file will completely change. Forging a file in a way that causes MD5 to generate the same result as for the original file is considered to be extremely difficult.


Secure Hash Algorithm(SHA)
SHA is a cryptographic hash function.


Diffie-Hellman(DH)
The protocol has two system parameters p and g. They are both public and may be used by all the users in a system. Parameter p is a prime number and parameter g (usually called a generator) is an integer less than p, which is capable of generating every element from 1 to p-1 when multiplied by itself a certain number of times, modulo the prime p. However, it is vulnerable to a middleperson attack.
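To make the description above concrete, here is an added Python example (not code from the original post) that checks that g really generates every value from 1 to p-1, runs an honest exchange with toy parameters p = 23 and g = 5, and then shows why the middleperson attack works: plain DH never authenticates who sent a public value, so the participants must authenticate them some other way (for example with the certificates described in the PKI post).

```python
"""Diffie-Hellman with the post's parameters p (prime) and g (generator): check
that g really generates 1..p-1, run a normal exchange, then show what a
middleperson who swaps both public values achieves. Toy-sized numbers for
illustration only. Added example, not code from the original post."""

def is_prime(n: int) -> bool:
    """Trial division; fine for the small p used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def is_generator(g: int, p: int) -> bool:
    """True if repeatedly multiplying g by itself mod p visits every value
    1..p-1 (g is a primitive root mod p), as the post describes."""
    if not 1 < g < p:
        return False
    seen, x = set(), 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1

def dh_public(p: int, g: int, private: int) -> int:
    return pow(g, private, p)            # g^private mod p, sent in the clear

def dh_shared(p: int, peer_public: int, private: int) -> int:
    return pow(peer_public, private, p)  # peer_public^private mod p

def dh_exchange(p: int, g: int, a_priv: int, b_priv: int) -> int:
    """Honest run: both sides derive the same secret from each other's public value."""
    A, B = dh_public(p, g, a_priv), dh_public(p, g, b_priv)
    k_a, k_b = dh_shared(p, B, a_priv), dh_shared(p, A, b_priv)
    assert k_a == k_b
    return k_a

def dh_exchange_mitm(p, g, a_priv, b_priv, m_priv):
    """Middleperson M replaces both public values with its own. A and B each end
    up sharing a key with M, not with each other, and cannot tell: nothing in
    plain DH authenticates who sent a public value. Returns (k_a, k_b, k_ma, k_mb)."""
    A, B, M = dh_public(p, g, a_priv), dh_public(p, g, b_priv), dh_public(p, g, m_priv)
    k_a = dh_shared(p, M, a_priv)    # A believes M is B's value
    k_b = dh_shared(p, M, b_priv)    # B believes M is A's value
    k_ma = dh_shared(p, A, m_priv)   # M's key towards A
    k_mb = dh_shared(p, B, m_priv)   # M's key towards B
    return k_a, k_b, k_ma, k_mb

if __name__ == "__main__":
    p, g = 23, 5                       # constructed toy parameters
    print("p prime:", is_prime(p), "g generator:", is_generator(g, p))
    print("shared secret:", dh_exchange(p, g, 6, 15))
    print("with middleperson:", dh_exchange_mitm(p, g, 6, 15, 3))
```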

REFERENCE : http://technet.microsoft.com/en-us/library/cc959510.aspx
                       http://www.networksorcery.com/enp/protocol/ah.htm
                       http://searchsecurity.techtarget.com/definition/Data-Encryption-Standard
                       http://www.accuhash.com/what-is-md5.html
                       http://x5.net/faqs/crypto/q24.html

Monday 14 May 2012

Authentication, Authorization and Accounting

What does authentication, authorization and accounting mean ?

Authentication  
Authentication means to identify a certain individual, usually by username and password. There are other methods of authentication too, like a serial key (one-time password), authentication via a PPP link, etc.

- Username & password
The user would be asked by the system for their login credentials in order to verify that they are an authorized user of the system/network. If the user is an authorized user, the user would be allowed access into the system/network. However, there is a disadvantage to this authentication method: users frequently use very guessable passwords or never change their password at regular intervals, making it very easy for hackers to hack into the system.

- Serial key(one-time password)
Whenever the user wants to log in to their account they would have to get their one-time password, which is generated by a serial-key program's hash function. The user would then be able to log in to their individual account. A different password is generated every time, so no one would be able to hack into the system easily.

- Authentication via PPP link
There are three types:
   Password Authentication Protocol(PAP)
   Challenge Handshake Authentication Protocol(CHAP)
   MS-CHAP

Authorization
Authorization means to give an individual access to system objects based on who they are.

Accounting
Accounting means keeping track of the user's activity while accessing a network resource.

When authentication, authorization and accounting are combined together, they provide secure remote access to the network and remote management of network devices.


REFERENCE : http://www.webopedia.com/TERM/A/authentication.html
                           http://www.webopedia.com/TERM/A/accounting.html
                           lecture T22

Thursday 10 May 2012

Context-based Access Control

Context-based Access Control (CBAC) filters TCP and UDP packets based on application protocol session information, and actively inspects the activity happening behind the firewall. This provides a more sophisticated way of providing perimeter security. CBAC examines not only the network layer and transport layer but also the application layer information that is stored in the state table, which allows it to learn about the state of TCP and UDP sessions. CBAC watches the outbound traffic to determine which packets are to be allowed in, making decisions based on how the application behaves instead of only the address and port number the application uses. CBAC also has the ability to open any additional inbound channels required for the return data requested by the outgoing data of an application.

Benefits of CBAC
- Prevention and detection of CBAC

- Real time alerts and audit trails
CBAC inspection rules allow alerts and audit trail information to be configured on a per-application-protocol basis, generating real-time alerts and audit trails. Audit trails use the system log to track all network transactions.


REFERENCE : http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
http://en.wikipedia.org/wiki/Context-based_access_control
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+6+IOS+Firewall+Feature+Set+-+CBAC/Context-Based+Access+Control+CBAC/

Monday 7 May 2012

Access Control Lists

An Access Control List (ACL) is a list of Access Control Entries (ACEs). Each ACE identifies a trustee and specifies which access rights are allowed, denied, or audited for that trustee. There are 2 types of ACL: Discretionary Access Control List and System Access Control List.


Discretionary Access Control List(DACL)
This identifies whether a trustee is allowed or denied access to a securable object. When a process attempts to access a securable object, the system checks the ACEs in the object's DACL to determine whether access is granted. If the object has no DACL at all, the system grants full access to everyone; a DACL with no ACEs, on the other hand, does not allow any access rights.


System Access Control List(SACL)
This enables administrators to log attempts to access secure objects. The ACE in SACL can generate a record in the security log.  


* A securable object is an object that can have a security descriptor. All named Windows objects are securable objects; some unnamed objects, like process and thread objects, can also have a security descriptor.


A DACL identifies the users and groups that are allowed or denied permission to access an object, whereas a SACL identifies the users and groups whose attempts to access an object the administrator wants to audit.
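The DACL and SACL rules above, modelled as a small Python access check. This is an added illustration and not Windows' own code; the ACE fields, the "Everyone"/"Administrators" names and the sample descriptor are constructed for the example.

```python
"""Model of DACL evaluation and SACL auditing as described in the post:
no DACL at all = full access for everyone, an empty DACL = no access,
otherwise the ACEs are walked in order. Added illustration, not Windows code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class ACE:
    kind: str          # DACL: "allow"/"deny"; SACL: "audit_success", "audit_failure", "audit_all"
    trustee: str       # user or group name the entry applies to
    rights: Set[str]   # e.g. {"read", "write"}

@dataclass
class SecurityDescriptor:
    dacl: Optional[List[ACE]] = None          # None = object has no DACL; [] = empty DACL
    sacl: List[ACE] = field(default_factory=list)

def check_access(sd: SecurityDescriptor, user: str, groups: Set[str], requested: Set[str]) -> bool:
    if sd.dacl is None:          # no DACL at all: everyone gets full access
        return True
    if not sd.dacl:              # DACL present but empty: no rights for anyone
        return False
    identities = {user, *groups}
    remaining = set(requested)
    for ace in sd.dacl:          # walk ACEs in order; deny entries are listed first
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False         # an explicit deny on a still-needed right ends the walk
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True      # every requested right has been granted
    return False                 # walked the whole list without covering all rights

AUDIT_ON = {"audit_success": {True}, "audit_failure": {False}, "audit_all": {True, False}}

def audit_records(sd, user, groups, requested, success) -> List[Tuple[str, tuple, bool]]:
    """Records the SACL would write to the security log for this attempt."""
    identities = {user, *groups}
    records = []
    for ace in sd.sacl:
        hit = ace.rights & set(requested)
        if ace.trustee in identities and hit and success in AUDIT_ON[ace.kind]:
            records.append((user, tuple(sorted(hit)), success))
    return records

def sample_descriptor() -> SecurityDescriptor:
    """Constructed example: bob is explicitly denied write, Everyone may read,
    Administrators may read and write; failed write attempts by anyone are audited."""
    return SecurityDescriptor(
        dacl=[ACE("deny", "bob", {"write"}),
              ACE("allow", "Everyone", {"read"}),
              ACE("allow", "Administrators", {"read", "write"})],
        sacl=[ACE("audit_failure", "Everyone", {"write"})],
    )

def attempt(sd, user, groups, requested):
    """Run the DACL check and return (granted, audit records the SACL produced)."""
    ok = check_access(sd, user, groups, requested)
    return ok, audit_records(sd, user, groups, requested, ok)

if __name__ == "__main__":
    sd = sample_descriptor()
    print(attempt(sd, "alice", {"Everyone"}, {"read"}))                   # granted, no audit
    print(attempt(sd, "alice", {"Everyone"}, {"write"}))                  # denied, audited
    print(attempt(sd, "bob", {"Everyone", "Administrators"}, {"write"}))  # deny ACE wins
    print(check_access(SecurityDescriptor(dacl=None), "anyone", set(), {"write"}))  # no DACL
```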

REFERENCE : http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx
http://clintboessen.blogspot.com/2011/04/whats-difference-between-acl-ace-dacl.html

Sunday 6 May 2012

Secure Perimeter Routers & Disable Services & Logging

The general rule for a perimeter router is to disable the unnecessary services on it. Some services are useful but not often used, like TCP & UDP, NTP, CDP, and Finger; these services can be disabled using their individual commands.
As mentioned, the router determines whether a data packet can pass through the network, hence securing it is very important for defending our private network. There are many categories of configuration for the router.

Patches & Updates
Stay up to date with the latest updates and patches by subscribing to the manufacturer of the network hardware.

Protocols
DoS attacks usually take advantage of protocol-level vulnerabilities. By using ingress and egress filtering, or screening ICMP traffic from the internal network, we can counter these kinds of attack.
Using ingress and egress filtering
Set up the router to route only outgoing packets with a valid internal IP address, and verify outgoing packets. This would not protect us from DoS, but it can keep such attacks from originating from our own network. It also makes it easier to trace the originator, as the attacker would have to use a valid and reachable source address.
ICMP traffic
By blocking ICMP traffic at the perimeter router we can prevent attacks such as ping floods.
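The ingress/egress and ICMP filtering rules above, applied to a few constructed packets. This is an added Python illustration of the decision logic, not a router configuration; the internal prefix 192.168.10.0/24 and the packets are assumed values.

```python
"""Ingress/egress anti-spoofing filter as described above, run over a few
constructed packets. Added example in Python, not a router configuration;
the internal prefix and the packets are assumed values."""
import ipaddress
from typing import List, NamedTuple, Tuple

INTERNAL = ipaddress.ip_network("192.168.10.0/24")  # assumed internal address block

class Packet(NamedTuple):
    direction: str  # "out" = LAN towards the Internet, "in" = Internet towards the LAN
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"

def filter_packet(pkt: Packet, internal=INTERNAL, block_icmp_in: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason).
    Egress: an outbound packet must carry a source inside our own prefix, so a
    spoofed source is dropped before it can leave the network (and anything that
    does leave is traceable to a real, reachable address).
    Ingress: an inbound packet claiming an internal source is spoofed; drop it.
    ICMP from outside is optionally blocked to blunt ping floods."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out":
        if src not in internal:
            return "drop", "egress: source not in internal prefix"
        return "permit", "egress: valid internal source"
    if pkt.direction == "in":
        if src in internal:
            return "drop", "ingress: external packet with internal source"
        if block_icmp_in and pkt.proto == "icmp":
            return "drop", "ingress: ICMP from outside blocked"
        return "permit", "ingress: ok"
    return "drop", "unknown direction"

def run_filter(packets: List[Packet]) -> List[str]:
    return [filter_packet(p)[0] for p in packets]

# Constructed sample traffic
SAMPLE = [
    Packet("out", "192.168.10.5", "203.0.113.9", "tcp"),   # normal outbound
    Packet("out", "10.0.0.1", "203.0.113.9", "udp"),       # spoofed source leaving our LAN
    Packet("in", "192.168.10.7", "192.168.10.1", "tcp"),   # outside packet pretending to be internal
    Packet("in", "198.51.100.4", "192.168.10.1", "icmp"),  # ping from outside
    Packet("in", "198.51.100.4", "192.168.10.1", "tcp"),   # normal inbound
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        verdict, reason = filter_packet(pkt)
        print(f"{verdict:6} {pkt.direction:3} {pkt.src:>14} -> {pkt.dst:<14} {reason}")
```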

Administrative access
Decide on which interfaces and ports administrative connections are allowed and from which network administration is supposed to be performed. Restrict access to the decided interfaces and ports, encrypt them, and have countermeasures against hijacking of these interfaces.


REFERENCE : http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Limit+Unneeded+TCP+IP+and+Other+Services/
                        http://msdn.microsoft.com/en-us/library/ff648651.aspx

Common Physical Threats to Routers and Switches & Mitigation

There are 4 types of common threats to routers and switches: hardware threats, environmental threats, electrical threats, and maintenance threats.

Hardware threats
This threat refers to the hardware being physically damaged. Some ways to mitigate this problem are: making sure that there is only authorized access, keeping a log of all entry attempts (monitor/electronic log), and security cameras. This way there will not be any sabotage, and even if there is unauthorized access, it would be recorded on the cameras and immediate action can be taken.

Environmental threats
This threat refers to the different environmental conditions that might damage or slow down the hardware, like temperature, humidity, etc. Some ways of mitigating this problem are: temperature control, positive air flow, humidity control, and remote environmental alarming and recording as well as monitoring.

Electrical threats
These threats refer to electrical problems that might happen, like brownouts, voltage spikes, etc. Ways of mitigating these threats can be: installing UPS systems and generator sets, following a preventative maintenance plan, performing remote alarming and monitoring, and installing redundant power supplies.

Maintenance threats
This threat refers to the organization not having any spare network components that are crucial for their daily work in case a component is damaged. Some ways of mitigating the problem can be: using neat cable runs and electronic software distribution procedures, labeling critical cables and components, stocking up on spare crucial components, and controlling access to console ports.

REFERENCE : http://earnkori.blogspot.com/2012/02/network-security-mitigating-common.html

Network / Port Address Translation


Network Address Translation(NAT)
NAT is a process where a network device allocates a public address to the computers in the private network. NAT helps to: eliminate re-assigning each host a new IP address when changing to a new ISP, eliminate the need to re-address all hosts that require external access (which saves time and money), conserve addresses through application port-level multiplexing, and protect network security.

There are 2 types of NAT translation : 

Static NAT
This is designed to allow one-to-one mapping of local (private) and global (public) addresses, allowing an internal host that has a private IP address to still be reachable over the Internet.

Dynamic NAT
This is designed to map private IP addresses to public IP addresses from a pool, meaning a many-to-many mapping. The NAT router in the network keeps a table of the registered IP addresses, and when a private IP address requests access through the NAT router, the router chooses an IP address from the table that is not used by another host and gives it to the one that is requesting access.

Port Address Translation(PAT)
PAT, an extension of NAT, uses unique source port numbers on the inside global IP address to differentiate between translations, which is a many-to-one mapping. Most home networks use PAT.
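The three kinds of translation described above (static one-to-one, dynamic many-to-many from a pool, and PAT many-to-one keyed by source port), modelled as small Python tables. This is an added example and not code from the original post or any router; all addresses and port numbers are constructed.

```python
"""Static, dynamic and port address translation as described in the post,
modelled as small Python tables. Added example, not from the original post;
all addresses are constructed (private and documentation ranges)."""
from typing import Dict, List, Optional, Tuple

# Static NAT: fixed one-to-one mapping, so the inside host is always reachable
# from the Internet at the same public address.
STATIC_NAT: Dict[str, str] = {"192.168.1.20": "203.0.113.20"}

class DynamicNAT:
    """Many-to-many: an inside host borrows an unused address from a pool of
    registered public addresses; once the pool is exhausted, new hosts get nothing."""
    def __init__(self, pool: List[str]):
        self.free = list(pool)
        self.table: Dict[str, str] = {}

    def outbound(self, inside_ip: str) -> Optional[str]:
        if inside_ip not in self.table:
            if not self.free:
                return None
            self.table[inside_ip] = self.free.pop(0)
        return self.table[inside_ip]

class PAT:
    """Many-to-one: every inside host shares one inside global address; a unique
    public source port per inside socket tells the translations apart."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Tuple[str, int], int] = {}    # (inside ip, port) -> public port
        self.reverse: Dict[int, Tuple[str, int]] = {}  # public port -> (inside ip, port)

    def outbound(self, inside_ip: str, inside_port: int, dst_ip: str, dst_port: int):
        """Rewrite the source of an outbound packet; reuse an existing mapping for
        the same inside socket, otherwise allocate the next unused public port."""
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int):
        """Return traffic arriving at the public address: map the destination port
        back to the inside host, or None for unsolicited packets (dropped)."""
        key = self.reverse.get(dst_port)
        if key is None:
            return None
        return (src_ip, src_port, key[0], key[1])

if __name__ == "__main__":
    pat = PAT("203.0.113.1")
    # two inside hosts using the same local port still get distinct public ports
    print(pat.outbound("192.168.1.10", 51000, "198.51.100.5", 80))
    print(pat.outbound("192.168.1.11", 51000, "198.51.100.5", 80))
    print(pat.inbound("198.51.100.5", 80, 40001))   # reply goes to 192.168.1.11
    print(pat.inbound("198.51.100.5", 80, 40999))   # no mapping: None
    nat = DynamicNAT(["203.0.113.10", "203.0.113.11"])
    print([nat.outbound(h) for h in ("192.168.1.10", "192.168.1.11", "192.168.1.12")])
```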

REFERENCE : http://www.webopedia.com/TERM/N/NAT.html
                         http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
                         ENNK lecture notes

Perimeter Router, Internal Router and Firewall

What is a router? A router is a piece of equipment that forwards data packets along a network. Basically the perimeter router and the internal router serve the same purpose, except for the fact that they are used in different environments.

The perimeter router is placed at the demilitarized zone, connecting the public network and the internal network. The perimeter router helps filter the outside (public network) traffic. As the perimeter router is often connected to a slower WAN interface, it wouldn't normally provide routing functions for the internal network.

Internal Router is placed in the internal network, linking all the internal servers and the users in the private network.

A firewall is used to help secure a network, controlling the incoming and outgoing network traffic by analyzing the data packets and determining whether the packets are allowed. It is usually placed between the private and public network. There are two types of firewall: hardware based or software based.

These three pieces of hardware can be used in different network topologies and can all be in the same network topology.
Standalone perimeter router topology
This topology only uses the perimeter router, connecting the public (untrusted) network to the private (trusted) network. This is the most minimal protection and is usually used by small businesses and organizations.
Perimeter router, internal router & firewall topology
This topology uses all 3 pieces of hardware mentioned above. It gives better and greater network performance and protection, and is usually used by big or medium businesses and organizations. It also has more routing options.

Another special thing that we can look into is a perimeter router with an integrated firewall. This has greater protection than the router by itself and better interoperability.

REFERENCE : http://www.ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/Perimeter-Router-Networks.html
                        http://en.wikipedia.org/wiki/Firewall_(computing)

Saturday 28 April 2012

Security Policy

What is a security policy? Well, a security policy is a document of rules that people who have access to the assets of a company need to follow in order for the company's technology and information to have confidentiality, integrity and availability.
Confidentiality refers to only authorized users having access to the information and assets. One way to find out if a user is authorized is to use authentication methods like passwords and user-IDs or fingerprints. These authentication methods uniquely identify the users and control access to the assets.
Integrity refers to the state of the information whereby it is not modified by unauthorized personnel, so that the information is reliable.
Availability refers to the information and assets that are needed always being readily available for use and access.

Organizations create security policies for six different purposes:
- to create a baseline of the current security posture
- to set up the framework for security implementation
- to give a standard of behavior
- to give a standard for handling security incidents
- to determine necessary tools and procedures
- to communicate consensus and define roles

There are 2 categories of security policy elements: the network design factors that security policies are based on, and the basic Internet attack vectors that security policies are written to mitigate.

Network security is a continuous process built around the security policy, making improvements to it so that the security policy can be as secure as possible.


REFERENCE : http://it.med.miami.edu/x904.xml

Common Networking Attacks Threats and Solution

A network is always vulnerable to attacks. These attacks are commonly known as threats, which would cause damage to the organization, not only in monetary terms but also in terms of the loss of assets.
There are two types of threats: Intentional and Accidental.

Network security threats have:
- three main weaknesses: technology weakness, configuration weakness, and policy weakness.
- four types of security threats: unstructured threats, structured threats, external threats, and internal threats.
- four classes of network attacks: reconnaissance attacks, access attacks, denial of service attacks, and worms, viruses and Trojan horses.

Reconnaissance attack
This attack refers to the gathering of information on a target network, enabling the hacker to find the vulnerabilities of the network. Ping sweeps, port scans, packet sniffers, and Internet information lookups are forms of reconnaissance attack.
Reconnaissance attacks can only be mitigated and not prevented. One way of mitigating them is to have IDSs at the network and host level inform the administrator when a reconnaissance attack occurs.

Access attack
This attack refers to unauthorized personnel gaining access into the network. There are different types of access attacks, like password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
One type of password attack is through the use of a rainbow table.
Some ways to mitigate password attacks are having more complicated passwords and limiting the number of failed login attempts.

Denial Of Service attack (DoS)
This attack prevents authorized personnel from using the service. DoS is easy to execute but hard to eliminate. There are different types of DoS attacks, like ping of death and SYN flood.
The easiest way to control DoS is through the implementation of anti-spoof and anti-DoS features.

Worms,Viruses & Trojan horses (Malicious Code Attack)
Worms not only execute code but also install copies of themselves in the computer's memory, which can also cause other computers in the network to get infected.
Viruses are spread from one computer to another through program files. A way to prevent them is through anti-virus software.
A Trojan horse is a virus that is programmed to look like legitimate software; when the user downloads it, the virus attacks the computer. One way to prevent this is anti-virus software, remembering to keep the anti-virus up-to-date.


REFERENCE : http://www.orbit-computer-solutions.com/Types-of-Network-Attacks.php
                        http://www.orbit-computer-solutions.com/Network-Access-Attacks.php
                        http://www.orbit-computer-solutions.com/Denial-of-Service-%28DoS%29-Attacks.php
                        http://www.orbit-computer-solutions.com/Malicious-Code-Attacks.php