Sunday, 27 May 2012

Public Key Infrastructure (Digital Certificates)

What is a Public Key Infrastructure (PKI)? It is a set of hardware, software, people, policies, and procedures that are needed to create, manage, distribute, use, store, and revoke digital certificates.


In cryptography, PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain.


A PKI consists of:
Certificate Authority that both issues and verifies the digital certificates.
Registration Authority that verifies the identity of users requesting information from the CA.
Central Directory
Certificate Management System


Certificate Authorities
The primary role of the CA is to digitally sign and publish the public key bound to a given user. This is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. The mechanism that binds keys to users is called the Registration Authority (RA), which may or may not be separate from the CA. The key-user binding is established, depending on the level of assurance the binding has, by software or under human supervision.
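As an added example (not part of the original post), the following Go program shows the binding described above using only Go's standard library: a CA signs a certificate that binds a name to a user's public key, and a relying party that trusts only that CA accepts it, while the same name and key certified by a CA it does not trust is rejected. The CA names and the user name are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate binding the name cn to pub, signed with signerKey; a nil parent makes it a self-signed CA root (all identities here are constructed).
func newCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil { // the CA vouches for its own key with its own signature
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy reports whether leaf chains to ca, the relying party's only trust anchor: the signature on leaf has to verify under ca's public key.
func trustedBy(leaf, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// demo certifies one user key under a trusted CA and under a rogue CA and reports whether each certificate verifies against the trusted CA alone.
func demo() (trustedOK, rogueOK bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca, _ := newCert("Demo Root CA", &caKey.PublicKey, nil, caKey)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := newCert("Rogue CA", &rogueKey.PublicKey, nil, rogueKey)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	good, _ := newCert("alice", &userKey.PublicKey, ca, caKey)
	bad, _ := newCert("alice", &userKey.PublicKey, rogue, rogueKey)
	return trustedBy(good, ca), trustedBy(bad, ca)
}
```

The second result is false even though the user's key and name are identical: what the relying party checks is the CA's signature, so trust in the user's key is only as good as trust in the CA that signed it.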



IPSec (ESP, AH, DES, MD5, SHA, DH)

What is IPSec? It is a set of protocols developed by the IETF to support a secure exchange of packets at the IP layer. IPSec has been widely deployed to implement Virtual Private Networks (VPNs).

IPSec supports two different encryption modes: Transport Mode and Tunnel Mode. Transport Mode encrypts only the data portion (payload) of each packet and leaves the IP header untouched. Tunnel Mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.

IPSec makes use of a number of protocols and algorithms, such as:
Encapsulating Security Payload (ESP)
Authentication Header (AH)
Data Encryption Standard (DES)
Message Digest 5 (MD5)
Secure Hash Algorithm (SHA)
Diffie-Hellman (DH)

ESP
The main job of ESP is to provide the privacy (confidentiality) that users seek for IP datagrams, by encrypting them. ESP also supports its own authentication scheme, similar to the one used in AH.

AH
The main job of AH is to provide integrity and authentication services to IPSec-capable devices, so they can verify that messages received from other devices arrived intact.

DES
DES is a widely used method of data encryption that uses a secret (symmetric) key. It was judged so difficult to break by the US government that it was restricted from export to other countries.

MD5
MD5 is used to check the integrity of file content. If a file is transferred over a network, the recipient can calculate the MD5 hash of the received file and compare it with the published MD5 checksum; if both are the same, the user can be sure that the file was not corrupted in transit.

D-H
D-H is used within the Internet Key Exchange (IKE) protocol to establish session keys.
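The following Go program, added here as an example and not taken from the original post or its references, walks through what Diffie-Hellman does inside IKE and what AH then does with the result: two peers exchange public values over IKE group 19 (the P-256 elliptic curve group) and both derive the same session key without it ever crossing the wire; the key is then used as an AH-style integrity key over a packet, and a packet altered in transit fails the check. The packet contents are constructed, and a single SHA-256 stands in for IKE's PRF-based key derivation.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// group19 is IKE Diffie-Hellman group 19, the 256-bit random ECP group (NIST P-256).
var group19 = ecdh.P256()

// sessionKey combines one side's private key with the other side's public value
// (the bytes carried in the IKE KE payload). Real IKE feeds the shared secret and
// nonces through a PRF; a single SHA-256 stands in for that key derivation here.
func sessionKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := group19.NewPublicKey(peerPub) // rejects malformed or off-curve values
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	return key[:], nil
}

// icv computes an AH-style integrity check value over a packet with the session key.
func icv(key, packet []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(packet)
	return m.Sum(nil)
}

// demo runs the exchange between two constructed peers and reports whether both
// derived the same key, whether the intact packet passes the receiver's integrity
// check, and whether a packet altered in transit does.
func demo() (sameKey, intactOK, tamperedOK bool) {
	a, _ := group19.GenerateKey(rand.Reader) // each side's ephemeral key pair
	b, _ := group19.GenerateKey(rand.Reader)
	ka, _ := sessionKey(a, b.PublicKey().Bytes()) // only public values cross the wire
	kb, _ := sessionKey(b, a.PublicKey().Bytes())
	pkt := []byte("constructed IP datagram")
	sent := icv(ka, pkt) // the sender attaches this ICV to the packet
	tampered := append([]byte{}, pkt...)
	tampered[0] ^= 1 // one bit flipped on the path
	return hmac.Equal(ka, kb), hmac.Equal(icv(kb, pkt), sent), hmac.Equal(icv(kb, tampered), sent)
}
```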

References:
http://www.webopedia.com/TERM/I/IPsec.html
http://www.tcpipguide.com/free/t_IPSecEncapsulatingSecurityPayloadESP.htm
http://www.javvin.com/protocolAH.html
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

Sunday, 20 May 2012

Authentication, Authorization and Accounting

What is Authentication, Authorization and Accounting (AAA)?
AAA is an architectural framework that configures a set of three independent security functions in a consistent manner. AAA helps to provide a modular way of performing the following services:

1) Authentication
How does Authentication help? It provides methods for identifying users, which include login and password dialog, challenge and response, messaging support and, depending on the security protocol you select, encryption. Authentication works by identifying a user before allowing access to the network and network services. To configure AAA authentication, the user has to define a named list of authentication methods.

2) Authorization
How does Authorization help? It provides methods for remote access control, which include one-time authorization or authorization for each service, per-user account lists and profiles, user group support, and support of IP, IPX, ARA and Telnet. Authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared with the information contained in a database for the given user, and the result is returned to AAA to determine the user's actual capabilities and restrictions.

3) Accounting
How does Accounting help? It provides methods for collecting and sending security server information used for billing, auditing and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets and number of bytes. Accounting works by enabling the administrator to track the services users are accessing as well as the amount of network resources they are consuming. When AAA Accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server in the form of accounting records.

References:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html

Sunday, 13 May 2012

Access Control List

What is an Access Control List (ACL)? An ACL is a list of Access Control Entries (ACEs). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied or audited for that trustee. A securable object's Security Descriptor contains two types of ACLs: the Discretionary Access Control List (DACL) and the System Access Control List (SACL).

A DACL identifies the trustees that are allowed or denied access to a securable object. When a process tries to access the object, the system checks the ACEs in the object's DACL to determine whether to grant access. When the object does not have a DACL at all, the system grants full access to everyone. When the object's DACL has no ACEs, the system denies all attempts to access the object, as the DACL does not allow any access rights. Otherwise the system checks the ACEs in sequence until it finds ACEs that together allow all the requested access rights, or until any of the requested rights is denied.

A SACL enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, succeeds, or both.
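The following Go code is an added example (not from the original post) that implements the DACL evaluation rules described above: an object with no DACL grants everyone access, a DACL with no ACEs denies everyone, and otherwise the ACEs are walked in order until a deny hits a requested right or every requested right has been allowed. The trustee names, rights and DACL contents are constructed for the demo.

```go
package main

// right is a bit mask of access rights; the values are constructed for the demo.
type right uint32

const (
	readData right = 1 << iota
	writeData
)

// ACE is one access control entry: the trustee, whether it denies, and the rights it covers.
type ACE struct {
	Trustee string
	Deny    bool
	Rights  right
}

// checkAccess applies the DACL rules described above. A nil slice models an object
// with no DACL at all (everyone gets access); an empty, non-nil slice models a DACL
// with no ACEs (nobody gets access). token is the set of identities the requesting
// process carries, here the user name and the names of its groups.
func checkAccess(dacl []ACE, token map[string]bool, requested right) bool {
	if dacl == nil {
		return true
	}
	remaining := requested
	for _, ace := range dacl { // ACEs are evaluated strictly in order
		if !token[ace.Trustee] {
			continue
		}
		if ace.Deny && ace.Rights&remaining != 0 {
			return false // explicit deny of a requested right not yet granted: stop
		}
		if !ace.Deny {
			remaining &^= ace.Rights
			if remaining == 0 {
				return true // every requested right has been explicitly allowed
			}
		}
	}
	return false // ACEs exhausted with rights still outstanding: implicit deny
}

// demoDACL is a constructed DACL in canonical order: denies first, then allows.
var demoDACL = []ACE{
	{Trustee: "Guests", Deny: true, Rights: writeData},
	{Trustee: "alice", Rights: readData | writeData},
	{Trustee: "Staff", Rights: readData},
}
```

Note the difference between `nil` and `[]ACE{}`: the former is the "no DACL, everyone gets in" case that is easy to create by accident, the latter the safe "nobody gets in" case.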

References:

Sunday, 6 May 2012

Secure Perimeter Routers & Disable Services & Logging

There are two ways of filtering traffic to secure perimeter routers:
Ingress Filtering
Egress Filtering

Ingress Filtering
This is a technique that ensures incoming packets really come from the network they claim to come from.
For ingress filtering to work, the router has to know the IP address ranges of each network it is connected to, so that it knows what each network can legitimately send.

Egress Filtering
This is the practice of monitoring and restricting the flow of information outbound from one network to another.
For egress filtering to work, it requires administrative work and a policy change whenever a new application needs external network access.
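As an added example (not part of the original post), the following Go code models both filters on a small constructed router with one LAN interface (192.168.1.0/24) and one Internet-facing interface: ingress filtering rejects a packet whose source address does not belong behind the interface it arrived on (so an outside packet claiming a LAN address is treated as spoofed), and egress filtering lets out only packets from the LAN towards destination ports the policy lists.

```go
package main

import "net"

// router holds, per interface, the source prefixes that legitimately sit behind it,
// plus the egress policy (constructed topology: one LAN and one Internet-facing interface).
type router struct {
	ifaces          map[string][]*net.IPNet
	lan             string       // name of the inside interface
	allowedOutPorts map[int]bool // destination ports the egress policy permits
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// ingressOK performs ingress filtering: a packet arriving on interface in is accepted
// only if its source belongs behind that interface, decided by the most specific prefix
// containing it. An Internet packet claiming a LAN source matches the LAN prefix: spoofed.
func (r *router) ingressOK(in string, src net.IP) bool {
	bestLen, bestIf := -1, ""
	for name, nets := range r.ifaces {
		for _, n := range nets {
			if ones, _ := n.Mask.Size(); n.Contains(src) && ones > bestLen {
				bestLen, bestIf = ones, name
			}
		}
	}
	return bestIf == in
}

// egressOK performs egress filtering: a packet going out must come from our own LAN and
// be bound for a listed destination port; a new application needing outside access means adding its port.
func (r *router) egressOK(src net.IP, dstPort int) bool {
	return r.ingressOK(r.lan, src) && r.allowedOutPorts[dstPort]
}

// demoRouter is the constructed example topology.
var demoRouter = &router{
	ifaces: map[string][]*net.IPNet{
		"lan":     {mustCIDR("192.168.1.0/24")},
		"outside": {mustCIDR("0.0.0.0/0")},
	},
	lan:             "lan",
	allowedOutPorts: map[int]bool{80: true, 443: true},
}
```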

Disable Services


1) Disable bootp Server
bootp is enabled by default. When it is not being used, it should be disabled. You can use the no ip bootp server command in global configuration mode to disable bootp on the routers.

2) Disable DNS lookup
Domain Name System (DNS) lookup is enabled by default on Cisco routers. If it is not being used, it is advisable to disable this feature globally by using the no ip domain-lookup command.

Logging


What is logging? It is the process of using a computer to collect data through sensors, analyse the data, and save and output the results of the collection and analysis. It is commonly used in scientific experiments and in monitoring systems where information needs to be collected faster than a human could possibly collect it.

References:
http://www.debianadmin.com/securing-cisco-routers-by-disabling-unused-services.html
http://www.webopedia.com/TERM/D/data_logging.html

Common Threats to Router and Switch Physical Installations & Mitigation

There are four types of threats involved during Physical Installations:
Hardware Threats
Electrical Threats
Environmental Threats
Maintenance Threats

Hardware Threats
What are Hardware Threats? They are threats of physical damage to the router or switch hardware.

Mitigations for Hardware Threats:
Mission-critical Cisco network equipment should be located in wiring closets or computer/telecommunications rooms that meet some requirements: the room must be locked, with only authorised personnel allowed access; the room should not be accessible in any way apart from the secured access point; and the room should use electronic access control, with all entry attempts logged by security systems and monitored by security personnel.

Electrical Threats
What is an Electrical Threat? It includes irregular fluctuations in voltage, such as brownouts and voltage spikes.

Mitigations for Electrical Threats
Electrical Threats can be limited by adhering to some guidelines:
1) Install Uninterruptible Power Supply (UPS) systems for mission-critical Cisco network devices
2) Install backup generator systems for mission-critical supplies
3) Install redundant power supplies on critical devices

Environmental Threats
What are Environmental Threats? They include temperature extremes (very low or high temperatures), humidity extremes (moisture), and electrostatic and magnetic interference.

Mitigations for Environmental Threats
To limit environmental damage to Cisco network devices, the following actions can be taken:
1) Supply the room with a dependable temperature and humidity control system
2) Remove any sources of electrostatic and magnetic interference in the room

Maintenance Threats
What are Maintenance Threats? They include not having backup parts or components for critical network components, and not labelling the components and the cabling correctly. They also include poor handling of key electronic components, electrostatic discharge, poor cabling, poor labelling, and so on.

Mitigations for Maintenance Threats
To prevent maintenance-related threats, follow the general rules:
1) Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection or incorrect termination
2) Use cable runs, raceways, or both to traverse rack-to-ceiling or rack-to-rack connections
3) Maintain a stock of critical spares for emergency use

Reference:
http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/mitigating-common-threats.html

Network / Port Address Translation

Network Address Translation
What is Network Address Translation (NAT)? It is an Internet standard that enables Local-Area Networks (LANs) to use one set of IP addresses for internal traffic and another set of addresses for external traffic. NAT serves three purposes: providing a type of firewall by hiding internal IP addresses, enabling a company to use more internal IP addresses, and allowing a company to combine several ISDN connections into a single Internet connection.

Because so many users are on the Internet, the number of available IP addresses is not enough. One solution is to redesign the address format to allow more possible addresses, but implementing this would take years, as it requires modifying the whole infrastructure of the Internet. NAT instead allows a single device such as a router to act as an agent between the public network and the local network, which means only a single unique public IP address is needed to represent a whole group of computers.

Port Address Translation
What is Port Address Translation (PAT)? It is an extension to NAT that permits many different devices on a LAN to be mapped to a single public IP address. The purpose of PAT is to conserve IP addresses. PAT is used in most home networks.

In one scenario, the Internet Service Provider (ISP) assigns one public IP address to a home network's router. When Computer 1 logs on to the Internet, the router assigns a port number to the connection and records it together with Computer 1's internal IP address, which gives Computer 1 a unique address. When Computer 2 logs on to the Internet at the same moment, the router knows which computer to send specific packets to, as each computer has its own unique internal address and port mapping.
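The following Go code is an added example (not from the original post) of the translation table behind the scenario above: two inside computers, constructed here as 192.168.1.10 and 192.168.1.11, both use the same private source port, each gets its own port on the single public address 203.0.113.5, replies are mapped back to the right computer, and an inbound packet that no inside host asked for has no entry and is dropped.

```go
package main

// endpoint is an IP address and transport port. All addresses and ports in this
// example are constructed.
type endpoint struct {
	IP   string
	Port int
}

// pat is a Port Address Translation table for a single public address.
type pat struct {
	public   string
	nextPort int
	outbound map[endpoint]int // inside (ip, port) -> port assigned on the public address
	inbound  map[int]endpoint // assigned public port -> inside (ip, port)
}

func newPAT(publicIP string) *pat {
	return &pat{public: publicIP, nextPort: 1024, outbound: map[endpoint]int{}, inbound: map[int]endpoint{}}
}

// translateOut rewrites the source of a packet leaving the LAN. Every inside
// (ip, port) pair gets its own port on the public address, so two computers may use
// the same private port at the same time. It fails once the ~64k ports are used up,
// which is the practical limit of hiding a network behind one address.
func (t *pat) translateOut(src endpoint) (endpoint, bool) {
	if p, ok := t.outbound[src]; ok { // existing connection: reuse its mapping
		return endpoint{t.public, p}, true
	}
	if t.nextPort > 65535 {
		return endpoint{}, false
	}
	p := t.nextPort
	t.nextPort++
	t.outbound[src] = p
	t.inbound[p] = src
	return endpoint{t.public, p}, true
}

// translateIn maps a packet arriving at the public address back to the inside host.
// A packet for a port no inside host has opened has no entry and is dropped, which is
// the firewall-like effect mentioned in the NAT section above.
func (t *pat) translateIn(dst endpoint) (endpoint, bool) {
	if dst.IP != t.public {
		return endpoint{}, false
	}
	in, ok := t.inbound[dst.Port]
	return in, ok
}
```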


References:
http://www.webopedia.com/TERM/N/NAT.html
http://www.howstuffworks.com/nat.htm
http://searchnetworking.techtarget.com/definition/Port-Address-Translation-PAT

Perimeter Router, Internal Router and Firewall

Perimeter Router
What is a Perimeter Router? It is a standard router that provides a serial connection to the Internet and a LAN connection to the internal network. To implement basic security for the Demilitarised Zone (DMZ) and preliminary filtering for the internal network, the perimeter router should filter the outside traffic. As an additional security option, the router could run the firewall feature.

Diagram 1

Internal Router
What is an Internal Router? It is a router that has Open Shortest Path First (OSPF) neighbour relationships with interfaces within the same area. All of its interfaces are in a single area.

Firewall
What is a firewall? It is a set of related programs that protects the resources of a private network from users on other networks. It is located at a network gateway server. A firewall examines each network packet to determine whether it can be forwarded towards its destination or not. A firewall often works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed on a specially designated computer separate from the rest of the network, so that no incoming request can get directly at private network resources.

Diagram 2

Reference:
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/
http://searchsecurity.techtarget.com/definition/firewall

Diagram 1:
http://etutorials.org/shared/images/tutorials/tutorial_56/15fig01.gif

Diagram 2:
http://upload.wikimedia.org/wikipedia/commons/thumb/5/5b/Firewall.png/300px-Firewall.png