Sunday, 3 June 2012

Site to Site VPN, Remote VPN

Site to Site VPN
What is a site-to-site VPN? It is a VPN that allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.
There are two types of site-to-site VPNs:

  • Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
  • Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it could use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote-access VPN. Dedicated VPN client equipment, described later in this article, can accomplish this goal in a site-to-site VPN.


Remote VPN
What is a Remote VPN? It is a VPN that allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged into the network's servers. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Another name for this type of VPN is virtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialing in to a server using an analog telephone system.

There are two components required in a remote-access VPN. The first is a network access server (NAS, usually pronounced "nazz" conversationally), also called a media gateway or a remote-access server (RAS). (Note: IT professionals also use NAS to mean network-attached storage.) A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It's a NAS that a user connects to from the Internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.
The other required component of remote-access VPNs is client software. In other words, employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN. Most operating systems today have built-in software that can connect to remote-access VPNs, though some VPNs might require users to install a specific application instead. The client software sets up the tunneled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure. You can read more about tunneling and encryption later in this article.
Large corporations or businesses with knowledgeable IT staff typically purchase, deploy and maintain their own remote-access VPNs. Businesses can also choose to outsource their remote-access VPN services through an enterprise service provider (ESP). The ESP sets up a NAS for the business and keeps that NAS running smoothly.



Reference:
http://computer.howstuffworks.com/vpn4.htm
http://computer.howstuffworks.com/vpn3.htm

Sunday, 27 May 2012

Public Key Infrastructure (Digital Certificates)

What is a Public Key Infrastructure (PKI)? It is a set of hardware, software, people, policies, and procedures that are needed to create, manage, distribute, use, store, and revoke digital certificates.


In cryptography, PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain.


A PKI consists of:
Certificate Authority that both issues and verifies the digital certificates.
Registration Authority that verifies the identity of users requesting information from the CA.
Central Directory
Certificate Management System


Certificate Authorities
The primary role of the CA is to digitally sign and publish the public key bound to a given user. This is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. The mechanism that binds keys to users is called the Registration Authority (RA), which may or may not be separate from the CA. The key-user binding is established, depending on the level of assurance the binding has, by software or under human supervision.



IPSec (ESP, AH, DES, MD5, SHA, DH)

What is IPSec? It is a set of protocols developed by the IETF to support a secure exchange of packets at the IP layer. IPSec has been widely deployed to implement Virtual Private Networks (VPNs).

IPSec supports two different encryption modes, Transport Mode and Tunnel Mode. Transport Mode encrypts only the data portion (payload) of each packet and leaves the IP header untouched. Tunnel Mode encrypts both the header and the payload, wrapping the whole original packet in a new IP packet. On the receiving side, an IPSec-compliant device decrypts each packet.

IPSec is made up of several protocols and algorithms, including:
Encapsulating Security Payload (ESP)
Authentication Header (AH)
Data Encryption Standard (DES)
Message Digest 5 (MD5)
Secure Hash Algorithm (SHA)
Diffie-Hellman (DH)

ESP
The main job of ESP is to provide the privacy (confidentiality) that users want for IP datagrams, by encrypting them. ESP also supports its own authentication scheme, similar to that used in AH.

AH
The main job of AH is to provide integrity and authentication services to IPSec-capable devices, so they can verify that messages received from other devices have arrived intact and from the claimed sender.

DES
DES is a widely used method of data encryption that uses a single secret (private) key shared by both parties. It was once judged so difficult to break that its export to other countries was restricted.

MD5
MD5 is used to check the integrity of file content. If a file is transferred over a network, the recipient can calculate the MD5 hash of the received file and compare it with the published MD5 checksum; if both are the same, the user can be sure that the file was not corrupted in transit.

D-H
D-H is used within IKE (Internet Key Exchange) to establish the session keys that ESP and AH then use.

References:
http://www.webopedia.com/TERM/I/IPsec.html
http://www.tcpipguide.com/free/t_IPSecEncapsulatingSecurityPayloadESP.htm
http://www.javvin.com/protocolAH.html
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

Sunday, 20 May 2012

Authentication, Authorization and Accounting

What is Authentication, Authorization and Accounting (AAA)?
AAA is an architectural framework that configures a set of three independent security functions in a consistent manner. AAA helps to provide a modular way of performing the following services:

1) Authentication
How does Authentication help? It provides methods for identifying users, which include a login and password dialog, challenge and response, messaging support and, depending on the security protocol you select, encryption. Authentication works by identifying a user before that user is allowed access to the network and network services. To configure AAA authentication, the user has to define a named list of authentication methods.

2) Authorization
How does Authorization help? It provides methods for remote access control, which include one-time authorization or authorization for each service, a per-user account list and profile, user group support, and support for IP, IPX, ARA and Telnet. Authorization works by assembling a set of attributes that describe what the user is permitted to perform. These attributes are compared with the information held in a database for that user, and the result is returned to AAA to determine the user's actual capabilities and restrictions.

3) Accounting
How does Accounting help? It provides methods for collecting and sending security server information used for billing, auditing and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets and number of bytes. Accounting works by enabling the administrator to track the services users are accessing as well as the amount of network resources they are consuming. When AAA Accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server in the form of accounting records.
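The "named list of authentication methods" from step 1 is walked in a specific way that the three paragraphs above do not spell out: a method that cannot answer (server down) falls through to the next one, while a method that answers "no" ends the evaluation. The following added example (written for this post, not code from Cisco or the referenced guide) models that behaviour with a constructed TACACS+ back-end and a local user database; it goes slightly beyond the text by showing why the distinction between "fail" and "error" matters, and its trail of decisions is the kind of detail an accounting record would later carry.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Result(Enum):
    PASS = "pass"    # the method checked the credentials and accepted them
    FAIL = "fail"    # the method checked the credentials and rejected them
    ERROR = "error"  # the method could not decide (server unreachable, timeout)

Method = Callable[[str, str], Result]

# Constructed back-ends for this example: a TACACS+ server that may be down and
# a local user database on the access server itself (not from the original page).
def tacacs_method(reachable: bool, users: Dict[str, str]) -> Method:
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method

def local_method(users: Dict[str, str]) -> Method:
    def method(user: str, password: str) -> Result:
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method

def authenticate(method_list: List[Tuple[str, Method]], user: str, password: str) -> Tuple[Result, List[str]]:
    """Walk a named method list in order.

    Only ERROR falls through to the next method: a definite PASS or FAIL ends
    the evaluation, so a server that rejects the user is never overridden by
    the local database further down the list.  The trail records which method
    decided.  Callers treat anything other than PASS as a denial.
    """
    trail: List[str] = []
    for name, method in method_list:
        result = method(user, password)
        trail.append(f"{name}:{result.value}")
        if result is not Result.ERROR:
            return result, trail
    return Result.ERROR, trail   # no method could decide: deny

if __name__ == "__main__":
    users_local = {"admin": "correct horse"}
    server_up = [("tacacs+", tacacs_method(True, {"alice": "s3cret"})), ("local", local_method(users_local))]
    server_down = [("tacacs+", tacacs_method(False, {"alice": "s3cret"})), ("local", local_method(users_local))]
    print(authenticate(server_up, "admin", "correct horse"))    # (FAIL, ['tacacs+:fail']): no fallback
    print(authenticate(server_down, "admin", "correct horse"))  # (PASS, ['tacacs+:error', 'local:pass'])
```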

References:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html

Sunday, 13 May 2012

Access Control List

What is an Access Control List (ACL)? An ACL is a list of Access Control Entries (ACEs). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied or audited for that trustee. A securable object's Security Descriptor contains two types of ACLs: the Discretionary Access Control List (DACL) and the System Access Control List (SACL).

A DACL identifies the trustees that are allowed or denied access to a securable object. When a process tries to access the object, the system checks the ACEs in the object's DACL to determine whether access is granted. When the object does not have a DACL at all, the system grants full access to everyone. When the object's DACL exists but has no ACEs, the system denies all attempts to access the object, because the DACL allows no access rights. Otherwise the system checks the ACEs in sequence until it finds ACEs that together allow all the requested access rights, or until any requested right is denied.
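The three cases above (no DACL, empty DACL, ordered walk of the entries) are easy to get wrong, so here is an added example that is not part of the original post: a small Python model of the DACL check with constructed access-right bits and a constructed object whose entries single out one user.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Access-right bits, constructed for this example (not the real Windows mask values).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass
class ACE:
    trustee: str   # user or group the entry applies to
    kind: str      # "allow" or "deny"
    mask: int      # access rights the entry allows or denies

def check_access(dacl: Optional[List[ACE]], principals: Set[str], requested: int) -> bool:
    """Decide whether a caller holding `principals` gets `requested` rights.

    dacl is None -> the object has no DACL, so everyone gets full access.
    dacl == []   -> the DACL has no ACEs, so every request is denied.
    Otherwise the ACEs are read in order: the request is granted once every
    requested right has been allowed, and refused as soon as a matching entry
    denies any requested right.  Because the walk stops early, entry order
    matters; Windows expects deny entries to come before allow entries.
    """
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        if ace.trustee not in principals:
            continue                      # entry is for someone else
        if ace.kind == "deny" and ace.mask & requested:
            return False                  # a requested right is explicitly denied
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True               # everything asked for has been allowed
    return False                          # fell off the end without full coverage

def demo() -> None:
    # Constructed object: staff may do anything, but alice is singled out and may not write.
    dacl = [ACE("alice", "deny", WRITE), ACE("staff", "allow", READ | WRITE | EXECUTE)]
    print("alice read       ->", check_access(dacl, {"alice", "staff"}, READ))          # True
    print("alice read+write ->", check_access(dacl, {"alice", "staff"}, READ | WRITE))  # False
    print("bob read+write   ->", check_access(dacl, {"bob", "staff"}, READ | WRITE))    # True
    print("no DACL          ->", check_access(None, {"guest"}, WRITE))                  # True
    print("empty DACL       ->", check_access([], {"alice", "staff"}, READ))            # False

if __name__ == "__main__":
    demo()
```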

A SACL enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt succeeds, when it fails, or both.


Sunday, 6 May 2012

Secure Perimeter Routers & Disable Services & Logging

There are two filtering techniques for securing perimeter routers:
Ingress Filtering
Egress Filtering

Ingress Filtering
This is a technique that ensures that incoming packets really come from the network they claim to be from.
For Ingress Filtering to work, the network has to know the IP address ranges of each network it is connected to, and therefore what source addresses each of those networks can legitimately send.

Egress Filtering
This is the practice of restricting and monitoring the flow of information outbound from one network to another.
For Egress Filtering to work, it requires administrative work and policy change when there is a new application that requires external network access.
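As an added example (not from the original post or its references), here is how the two filtering decisions look in code: the ingress side drops packets whose source claims to be inside our own network, is a private range, or is not something the arriving link is known to send; the egress side drops packets that are not from our own addresses and enforces the outbound port policy that has to be updated when a new application needs external access. The prefixes, links and port list are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
net = ipaddress.ip_network

# Constructed topology for this example (not from the original page): our own
# prefix, the prefixes each external link is expected to deliver, and private
# ranges that should never arrive from the Internet.
INTERNAL: List[Net] = [net("203.0.113.0/24")]
EXPECTED_FROM: Dict[str, List[Net]] = {
    "isp":     [net("0.0.0.0/0")],        # default route: anything public
    "partner": [net("198.51.100.0/24")],  # a leased line to one partner network
}
PRIVATE: List[Net] = [net(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}    # egress policy: only these destination ports may leave

def in_any(addr: ipaddress.IPv4Address, nets: List[Net]) -> bool:
    return any(addr in n for n in nets)

def ingress_ok(src: str, iface: str) -> Tuple[bool, str]:
    """Packet arriving from outside on `iface`: does its source belong where it claims?"""
    a = ipaddress.ip_address(src)
    if in_any(a, INTERNAL):
        return False, "drop: source claims to be inside our own network"
    if in_any(a, PRIVATE):
        return False, "drop: private/loopback source cannot arrive from outside"
    if not in_any(a, EXPECTED_FROM[iface]):
        return False, f"drop: source is not one that {iface} is known to send"
    return True, "permit"

def egress_ok(src: str, dst_port: int) -> Tuple[bool, str]:
    """Packet leaving our network: is it ours, and is the destination service permitted?"""
    a = ipaddress.ip_address(src)
    if not in_any(a, INTERNAL):
        return False, "drop: source is not ours, would let our network spoof others"
    if dst_port not in ALLOWED_OUTBOUND_PORTS:
        return False, f"drop: destination port {dst_port} is not in the outbound policy"
    return True, "permit"

if __name__ == "__main__":
    for src, iface in (("192.0.2.10", "isp"), ("203.0.113.7", "isp"), ("192.0.2.10", "partner")):
        print("in ", src, iface, ingress_ok(src, iface))
    for src, port in (("203.0.113.20", 443), ("203.0.113.20", 25), ("198.51.100.9", 80)):
        print("out", src, port, egress_ok(src, port))
```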

Disable Services


1) Disable bootp Server
bootp is enabled by default. When it is not in use, it should be disabled. You can use the no ip bootp server command in global configuration mode to disable bootp on the router.

2) Disable DNS lookup
Domain Name System (DNS) lookup is enabled by default on Cisco routers. If it is not being used, it is advisable to disable this feature globally with the no ip domain-lookup command.

Logging


What is logging? It is the process of using a computer to collect data through sensors, analyse the data, and save and output the results of the collection and analysis. It is commonly used in scientific experiments and in monitoring systems where information has to be collected faster than a person could collect it.

References:
http://www.debianadmin.com/securing-cisco-routers-by-disabling-unused-services.html
http://www.webopedia.com/TERM/D/data_logging.html

Common Threats to Router and Switch Physical & Mitigation

There are four types of threats involved during Physical Installations:
Hardware Threats
Electrical Threats
Environmental Threats
Maintenance Threats

Hardware Threats
What are Hardware Threats? These are threats that bring physical damage to the router or switch.

Mitigations for Hardware Threats:
Mission-critical Cisco network equipment should be placed in wiring closets or computer or telecommunications rooms that meet certain requirements: the room must be locked, with only authorised personnel allowed access; the room should not be accessible in any way apart from the secured access point; and the room should use electronic access control, with all entry attempts logged by security systems and monitored by security personnel.

Electrical Threats
What is an Electrical Threat? It includes irregular fluctuations in voltage, such as brownouts and voltage spikes.

Mitigations for Electrical Threats
Electrical Threats can be limited by adhering to some guidelines:
1) Install Uninterruptible Power Supply (UPS) systems for mission-critical Cisco network devices
2) Install backup generator systems for mission-critical supplies
3) Install redundant power supplies on critical devices

Environmental Threats
What are Environmental Threats? These include temperature extremes (very low or high temperatures), humidity extremes and moisture, and electrostatic and magnetic interference.

Mitigations for Environmental Threats
To limit environmental damage to Cisco network devices, the following actions can be taken:
1) Supply the room with a dependable temperature and humidity control system
2) Remove any sources of electrostatic and magnetic interference from the room

Maintenance Threats
What are Maintenance Threats? They include not having backup parts or components for critical network components, and not labeling the components and the cabling correctly. They also include poor handling of key electronic components, electrostatic discharge, poor cabling, poor labeling, and so on.

Mitigations for Maintenance Threats
To prevent maintenance-related threats, follow the general rules:
1) Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection or incorrect termination
2) Use cable runs, raceways, or both to traverse rack-to-ceiling or rack-to-rack connections
3) Maintain a stock of critical spares for emergency use

Reference:
http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/mitigating-common-threats.html