Wednesday, 30 May 2012

Site to Site VPN, Remote VPN

Last post before TERM BREAK!! And term tests... Anyway! This post is about VPNs, site-to-site and remote access.

VPN stands for Virtual Private Network: a private network whose links run across a public network, usually the Internet, and are kept private (virtually!) by tunneling. Tunneling wraps the original packets inside new packets addressed between the tunnel endpoints and normally encrypts and authenticates them; IPsec, covered below, is the usual way to do this. For users in other places to reach the organization's internal network you need a Network Access Server (NAS) or VPN gateway that terminates their tunnels and authenticates them. There are two types of VPN: site-to-site and remote access.

Site-to-site VPN: users in separate buildings (or cities, or countries) can reach each other's networks as if they were on one LAN, because the two sites' gateways keep a permanent tunnel between them; the end hosts need no VPN software. Site-to-site VPNs alone come in two types, extranet-based and intranet-based. The concept is simple: extranet-based connects two different companies (for example a supplier and a customer), while intranet-based connects different departments or branches of the same company. In an extranet-based site-to-site VPN each company exposes only the specific resources the partner needs; the two companies do not get access to each other's whole internal network.



 

The diagram above illustrates how the site-to-site VPN works.

Next, remote-access VPN: imagine you are at home and want to reach your company's internal network, but you cannot, since it is the company's internal network and is not reachable from the Internet. This is where remote-access VPN steps in. A VPN client on your machine builds a tunnel to the company's VPN gateway (the NAS), you authenticate to it, and from then on you can use the internal network securely across the Internet.



The diagram above illustrates how remote-access VPN works.

We configure the VPN on a router, and since we are learning about Cisco and its related equipment, here is a link to Cisco's Easy VPN configuration example [http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/ezvpn.html]; do read it if you are interested! All in all, I hope you guys now have a better understanding of VPNs, especially the two different types.

E-tutorial 5


IPsec (AH, ESP, DES, MD5, SHA, DH)
IP security (IPsec) is a set of protocols developed by the IETF to support the secure exchange of packets at the IP layer. IPsec is mostly used for implementing Virtual Private Networks and for remote user access (originally over dial-up connections) to private networks.

The advantage of using IPsec is that it works below the application layer, so security can be arranged for all traffic without any changes to individual applications or, when two gateways do the work, to individual user computers. Cisco has been a leader in proposing IPsec as a standard (really a combination of standards and technologies) and has included support for it in its network routers.
IPsec provides two choices of security protocol:
  • Authentication Header (AH), which authenticates the sender and protects the integrity of the packet, including most of the IP header, but does not encrypt anything
  • Encapsulating Security Payload (ESP), which encrypts the data and can also authenticate the sender and protect integrity. 
The information associated with each of these services is carried in an extra header inserted after the IP header. Key management is a separate protocol, and ISAKMP/Oakley (the basis of IKE) is the usual choice.
Before IPsec can protect traffic the two devices must agree on keys. ISAKMP/Oakley handles this: the peers authenticate each other, either with a pre-shared key or with digital certificates, and then run a Diffie-Hellman (DH) exchange. In DH each side combines its own private value with the other side's public value and arrives at the same shared secret, which never crosses the wire; the symmetric session keys used to protect the data are derived from that secret.
Symmetric algorithms are used for the bulk traffic because they give far greater
throughput when encrypting and decrypting data than asymmetric (public-key) algorithms do. 



IPsec supports two modes:
  • Transport mode, which protects only the data portion (payload) of each packet; the original IP header stays in the clear (AH still authenticates it). This is used between two hosts. 
  • Tunnel mode, which wraps the entire original packet, header included, inside a new IP packet addressed between the two IPsec gateways. The inner addresses are hidden from the outside, which is why tunnel mode is considered more secure, and it is what a site-to-site VPN uses. 
The IPsec peer at the far end checks (and, for ESP, decrypts) each packet, strips the protection and forwards the original packet.

IPsec uses these cryptographic algorithms:
  • DES (or 3DES), for confidentiality  
  • SHA (SHA-1), used as an HMAC, for integrity protection and authenticity
  • MD5, also used as an HMAC for integrity, but weaker than SHA
  • DH, for key agreement
DES with its 56-bit key is no longer considered secure; today's deployments use 3DES or, better, AES, and prefer SHA over MD5.
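To make the key-agreement and mode discussion concrete, here is an added example written for this post; it is not Cisco's code or any real IPsec stack. Two gateways run a Diffie-Hellman exchange, derive a shared HMAC-SHA1 key from the secret, and then build AH-protected packets in transport and tunnel mode. The DH group (2**127 - 1 with generator 5), the key derivation and the zeroed IP checksum are simplifications chosen for the example; real IKE negotiates the RFC 3526 groups and a proper PRF.

```python
# Added example for this post (not Cisco's or any real IPsec stack's code):
# DH key agreement followed by AH integrity protection in transport and
# tunnel mode, using HMAC-SHA1-96 as the "SHA" integrity algorithm.
import hashlib
import hmac
import ipaddress
import secrets
import struct

# Toy DH group. 2**127 - 1 is prime but far too small to be secure; real IKE
# negotiates RFC 3526 MODP groups (1536 bits and up) or elliptic-curve groups.
P = (1 << 127) - 1
G = 5
AH_PROTO = 51        # IP protocol number for AH
IPIP_PROTO = 4       # "next header" value for an encapsulated IP packet (tunnel mode)
ICV_LEN = 12         # HMAC-SHA1-96: the 20-byte tag truncated to 96 bits


def dh_public(private):
    return pow(G, private, P)


def dh_shared_secret(private, peer_public):
    # Both sides compute the same value; the private values never cross the wire.
    return pow(peer_public, private, P)


def derive_auth_key(shared):
    # Stand-in for IKE's SKEYID derivation: a PRF over the DH secret.
    return hashlib.sha1(b"ah-auth-key|" + shared.to_bytes(16, "big")).digest()


def ip_header(src, dst, proto, payload_len, ttl=64):
    # Minimal IPv4 header (no options); the checksum is left zero in this example.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _immutable_view(hdr):
    # AH authenticates the IP header too, with the fields that change in transit
    # (here TTL and checksum, simplified from RFC 4302's list) zeroed out.
    return hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]


def ah_header(next_proto, spi, seq, icv):
    # Next Header | Payload Len (32-bit words minus 2) | Reserved | SPI | Sequence | ICV
    return struct.pack("!BBHII", next_proto, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


def _icv(key, outer_hdr, next_proto, spi, seq, inner):
    # The ICV is computed with its own field set to zero.
    ah_zeroed = ah_header(next_proto, spi, seq, b"\x00" * ICV_LEN)
    mac = hmac.new(key, _immutable_view(outer_hdr) + ah_zeroed + inner, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def ah_transport(key, src, dst, payload, proto=17, spi=0x100, seq=1):
    # Transport mode: original header kept; AH sits between it and the payload.
    hdr = ip_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(payload))
    return hdr + ah_header(proto, spi, seq, _icv(key, hdr, proto, spi, seq, payload)) + payload


def ah_tunnel(key, gw_src, gw_dst, in_src, in_dst, payload, proto=17, spi=0x200, seq=1):
    # Tunnel mode: the whole original packet, inner header included, becomes the
    # payload of a new packet between the two gateways (what a site-to-site VPN does).
    inner = ip_header(in_src, in_dst, proto, len(payload)) + payload
    hdr = ip_header(gw_src, gw_dst, AH_PROTO, 12 + ICV_LEN + len(inner))
    return hdr + ah_header(IPIP_PROTO, spi, seq, _icv(key, hdr, IPIP_PROTO, spi, seq, inner)) + inner


def ah_verify(key, packet):
    """Return True if the packet's ICV checks out under `key`."""
    hdr, rest = packet[:20], packet[20:]
    if len(hdr) < 20 or hdr[9] != AH_PROTO:
        return False
    next_proto, _plen, _res, spi, seq = struct.unpack("!BBHII", rest[:12])
    icv, inner = rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(key, hdr, next_proto, spi, seq, inner))


def demo():
    # Two gateways pick private DH values, swap public values, derive one key.
    a, b = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    key = derive_auth_key(dh_shared_secret(a, dh_public(b)))
    assert key == derive_auth_key(dh_shared_secret(b, dh_public(a)))
    pkt = ah_tunnel(key, "203.0.113.1", "198.51.100.1", "10.0.0.5", "10.0.1.7", b"constructed payload")
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    return ah_verify(key, pkt), ah_verify(key, tampered)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two things worth noticing when you run it: a packet whose TTL was decremented by a router still verifies, because AH deliberately leaves mutable header fields out of the ICV, while a single flipped payload byte or a changed outer address fails; and the tunnel-mode packet is exactly 20 bytes longer than the transport-mode one, which is the inner IP header that the outside world never sees. ESP would add encryption of the inner part on top of this; the example only shows the integrity side.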

Public Key Infrastructure (Digital Certificates)  
Fields of a typical digital (X.509) certificate: 
Issuer: The entity (certificate authority) that verified the information and issued the certificate.
Key-Usage: The purposes the public key may be used for (for example signing, key encipherment). 
Public Key: The subject's public key. 
Serial Number: Uniquely identifies the certificate among those issued by this issuer.
Subject: The person or entity the certificate identifies.
Signature Algorithm: The algorithm the issuer used to create the signature.
Signature: The issuer's signature over the certificate contents, used to verify that it really came from the issuer.
Thumbprint Algorithm: The hash algorithm used to compute the thumbprint (fingerprint).
Thumbprint: The hash of the whole encoded certificate, used as a short identifier for it; it is computed by the viewer and is not itself part of the certificate.
Valid-From: The date from which the certificate is valid.
Valid-To: The expiration date.

Wednesday, 16 May 2012

Authentication, Authorization and Accounting

When we say "AAA" in front of someone, the first thought is often:

Triple A batteries, which look somewhat like this:


Right, enough fooling around, let's get to business.


AAA is an acronym for three processes that are usually performed by a Network Access Server (NAS for short). The three As represent:


Process: Explanation (how it works)

Authentication: The entity proves who it is by presenting credentials that uniquely identify it, such as a username and password, a one-time password or a token.

Authorization: After authentication, the entity's permission to access resources or perform operations on the network is determined and enforced. Restricting general users to the parts of the network they need limits both accidental and deliberate damage.

Accounting: Records and logs the entity's activity, for example when it logged in, for how long, and what it did, for auditing and billing.

Wednesday, 9 May 2012


Access Control Lists (ACL)


An access control list (ACL for short) is an ordered list of rules used to filter traffic.
There are three kinds of access list: standard IP, extended IP and standard IPX. I will be talking only about the first two kinds in this post.
For both standard and extended there is the numbered access list and the named access list.
Entries are evaluated from the top down and the first match wins, so when writing access-list commands you have to place the more specific statements at the top and the general statements at the bottom. Every ACL ends with an implicit deny, so anything not explicitly permitted is dropped.

There are a few steps to writing ACLs:
Step 1 - Understand the traffic flow and define the ACL policy, then create the access list (standard or extended).
Step 2 - Confirm that the filtering logic and the direction (inbound or outbound) are correct.
Step 3 - Apply the ACL to an interface (inbound or outbound).

Standard vs. extended:
Number: standard 1-99 (expanded range 1300-1999); extended 100-199 (expanded range 2000-2699)
Matches on: standard uses only the source IP; extended uses protocol, source and destination IP and port numbers
Placement: standard is applied closest to the destination (it cannot tell destinations apart, so placing it near the source would block traffic to everything); extended is applied closest to the source (it can identify exactly the traffic to drop, so drop it before it crosses the network)

CONFIGURATION EXAMPLES:

Standard, numbered:
    access-list (#) permit/deny srcIP wildcardMask

Standard, named:
    ip access-list standard (name)
     permit/deny srcIP wildcardMask

Extended, numbered:
    access-list (#) permit/deny protocol srcIP wildcardMask [operator port] destIP wildcardMask [operator port]

Extended, named:
    ip access-list extended (name)
     permit/deny protocol srcIP wildcardMask [operator port] destIP wildcardMask [operator port]

Here protocol is ip, tcp, udp or icmp; "host X" is shorthand for "X 0.0.0.0" and "any" for "0.0.0.0 255.255.255.255"; the optional operator is eq, gt, lt, neq or range (range takes two ports). The wildcard mask is the inverse of a subnet mask: 0 bits must match, 1 bits are "don't care".
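As an added example (written for this post, not Cisco IOS code), the following evaluator takes numbered ACL lines in the syntax above and applies them to a packet the way a router does: top down, first match wins, implicit deny at the end. The two ACLs and the packets are constructed for the demonstration; the first ACL is deliberately mis-ordered so you can see a specific deny being shadowed by a general permit.

```python
# Added example for this post (not Cisco IOS code): a first-match evaluator for
# Cisco-style numbered ACLs, showing wildcard masks, entry ordering and the
# implicit deny. Packets are plain dicts; the ACLs below are constructed.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; 0 bits must equal the base.
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' (a bare address means host)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _is_ipv4(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1


def _parse_port(t, i):
    """Consume an optional port operator: eq/gt/lt/neq N, or range N M."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return (t[i], int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i


def _port_ok(spec, port):
    if spec is None:
        return True
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    return {"eq": port == spec[1], "neq": port != spec[1],
            "gt": port > spec[1], "lt": port < spec[1]}[spec[0]]


def parse_ace(line):
    """Turn one 'access-list N permit|deny ...' line into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:          # standard: source only
        src, _ = _parse_addr(t, 3)
        return {"action": action, "proto": "ip", "src": src, "sport": None,
                "dst": ANY, "dport": None, "line": line}
    proto = t[3]                                              # extended
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "line": line}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    return (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])
            and _port_ok(ace["sport"], pkt.get("sport", 0)) and _port_ok(ace["dport"], pkt.get("dport", 0)))


def evaluate(acl_lines, pkt):
    """Top-to-bottom, first match wins; every ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"], ace["line"]
    return "deny", "implicit deny"


# Constructed ACLs. SHADOWED is mis-ordered: the general permit on line 1 matches
# first, so the specific Telnet deny on line 2 can never take effect.
SHADOWED = ["access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
            "access-list 101 deny tcp host 192.168.1.50 any eq 23"]
CORRECT = ["access-list 101 deny tcp host 192.168.1.50 any eq 23",
           "access-list 101 permit ip 192.168.1.0 0.0.0.255 any"]
TELNET = {"proto": "tcp", "src": "192.168.1.50", "dst": "10.0.0.5", "sport": 40000, "dport": 23}
```

Run evaluate(SHADOWED, TELNET) and evaluate(CORRECT, TELNET) and you get "permit" from the first and "deny" from the second with identical rules, which is the whole point of the ordering rule above. A host outside 192.168.1.0/24 matches nothing in either list and falls through to the implicit deny.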



Context-Based Access Control

CBAC, or Context-Based Access Control, inspects packets leaving the trusted network through the firewall that are not specifically denied by an ACL, and records the session they belong to.
CBAC then allows inbound traffic only if it belongs to an already established session or is the reply to a packet sent from inside the trusted network; any other inbound connection or packet is denied unless an inbound ACL explicitly permits it.
Session information is kept in a state table until the connection is terminated or times out.

Uses of CBAC
CBAC is normally referred to as the IOS Firewall because it does stateful, application-layer packet inspection. Hence it provides services such as denial-of-service detection and prevention, real-time alerts and audit trails.
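To show what "a reply to a packet sent from inside" means in practice, here is an added example written for this post (not Cisco IOS code): a tiny state table in the spirit of CBAC. Outbound packets that an outbound ACL does not deny create session entries; inbound packets are permitted only when they match an entry or an explicit inbound ACL; entries age out after an idle timeout. The networks, ACL callbacks, packet trace and the 30-second timeout are all constructed for the demonstration.

```python
# Added example for this post (not Cisco IOS code): a minimal stateful
# inspection table in the spirit of CBAC. Outbound sessions from the trusted
# side create state; inbound packets are permitted only when they match that
# state or an explicit inbound ACL, and idle entries age out.
import ipaddress

IDLE_TIMEOUT = 30   # seconds; constructed value, IOS defaults differ per protocol


class Inspector:
    def __init__(self, inside_nets, inbound_acl=None, outbound_acl=None):
        self.inside = [ipaddress.ip_network(n) for n in inside_nets]
        # Explicit permits for traffic nobody inside asked for (e.g. to a DMZ server).
        self.inbound_acl = inbound_acl or (lambda pkt: False)
        # Outbound ACL: packets it denies are never inspected, so no state is created.
        self.outbound_acl = outbound_acl or (lambda pkt: True)
        # (proto, inside ip, inside port, outside ip, outside port) -> last seen
        self.sessions = {}

    def _is_inside(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.inside)

    def _expire(self, now):
        for key, seen in list(self.sessions.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.sessions[key]

    def process(self, p, now):
        """p: dict with direction ('out'/'in'), proto, src, sport, dst, dport.
        Returns 'permit' or 'deny'."""
        self._expire(now)
        if p["direction"] == "out":
            if not self._is_inside(p["src"]) or not self.outbound_acl(p):
                return "deny"
            key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
            self.sessions[key] = now          # create or refresh the session
            return "permit"
        # Inbound: flip the tuple so a reply maps onto the session that caused it.
        key = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if key in self.sessions:
            self.sessions[key] = now
            return "permit"
        return "permit" if self.inbound_acl(p) else "deny"


def _pkt(direction, proto, src, sport, dst, dport):
    return {"direction": direction, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def run_trace():
    """Constructed packet trace; returns the list of verdicts in order."""
    fw = Inspector(["10.0.0.0/8"],
                   inbound_acl=lambda p: p["dst"] == "10.0.9.9" and p["dport"] == 80,  # DMZ web server
                   outbound_acl=lambda p: p["dport"] != 23)                          # no Telnet out
    trace = [
        _pkt("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80),   # t=0  inside opens HTTP
        _pkt("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 40000),   # t=1  reply, matches state
        _pkt("in",  "tcp", "203.0.113.10", 31337, "10.0.0.5", 22),   # t=2  unsolicited SSH probe
        _pkt("out", "tcp", "10.0.0.5", 40001, "203.0.113.10", 23),   # t=3  Telnet denied by ACL
        _pkt("in",  "tcp", "203.0.113.10", 23, "10.0.0.5", 40001),   # t=4  no state, so denied
        _pkt("in",  "tcp", "198.51.100.7", 5555, "10.0.9.9", 80),    # t=5  allowed by inbound ACL
        _pkt("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 40000),   # t=60 HTTP reply after idle timeout
    ]
    times = [0, 1, 2, 3, 4, 5, 60]
    return [fw.process(p, t) for p, t in zip(trace, times)]


if __name__ == "__main__":
    print(run_trace())
```

The fourth and fifth packets are the case the text calls out: because the outbound Telnet was denied by the ACL it was never inspected, no session was created, and the "reply" coming back for it is dropped. The last packet shows the timeout: the HTTP session was last refreshed at t=1, so at t=60 its entry is gone and the late reply is treated like any other unsolicited inbound packet.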

Thursday, 3 May 2012


The network is the entry point to your application. It provides the first gatekeepers that control access to the various servers in your environment. Servers are protected by their own operating system gatekeepers, but it is important not to let them be deluged with attacks from the network layer. It is equally important to ensure that network gatekeepers cannot be replaced or reconfigured by impostors. In a nutshell, network security involves protecting network devices and the data that they forward.
The diagram below shows the basic components of a network that act as the front-line gatekeepers: the router, the firewall and the switch. 

The router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP).
If you don't have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers.
The configuration categories for the router are:
  • Patches and updates
  • Protocols
  • Administrative access
  • Services
  • Auditing and logging
  • Intrusion detection

Patches and Updates

Subscribe to alert services provided by the manufacturer of your networking hardware so that you can stay current with both security issues and service patches. As vulnerabilities are found — and they inevitably will be found — good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment.

Use Ingress and Egress Filtering

Spoofed packets are a sign of probes, attacks and a knowledgeable attacker. Incoming packets whose source is an internal address can only be forged, since a packet from inside cannot arrive on the outside interface, so they indicate an intrusion attempt or probe and should be denied entry at the perimeter (ingress filtering). Likewise, set up your router to forward outgoing packets only if they carry a valid internal source address (egress filtering). Verifying outgoing packets does not protect you from a denial-of-service attack, but it does keep spoofed-source attacks from originating from your network.
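The following is an added example written for this post (constructed; not Cisco IOS code) that makes the two rules mechanical: a per-packet anti-spoofing check driven by a list of internal networks, plus the Cisco-style ACL lines that the same list produces, using the fact that a wildcard mask is the host mask of the network. The internal ranges 10.0.0.0/8 and 192.168.0.0/16 and the ACL numbers 110 and 120 are assumptions for the example.

```python
# Added example for this post (constructed; not Cisco IOS code): an anti-spoofing
# check for the perimeter router plus the equivalent Cisco-style ACL lines
# generated from the same list of internal networks.
import ipaddress

# Constructed: the address space the organisation actually uses internally.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(src, direction):
    """direction: 'ingress' = arriving from the Internet on the outside interface,
    'egress' = leaving toward the Internet. Returns 'permit' or 'deny'."""
    internal = is_internal(src)
    if direction == "ingress":
        # An internal source address cannot legitimately arrive from outside: spoofed.
        return "deny" if internal else "permit"
    if direction == "egress":
        # Only packets carrying one of our own addresses may leave.
        return "permit" if internal else "deny"
    raise ValueError(direction)


def acl_lines(number, action, nets):
    # Cisco wildcard mask = host mask (the inverse of the subnet mask).
    return [f"access-list {number} {action} ip {net.network_address} {net.hostmask} any"
            for net in nets]


def ingress_acl(number=110):
    # Deny anything claiming to be us, then let the rest through for later checks.
    return acl_lines(number, "deny", INTERNAL_NETS) + [f"access-list {number} permit ip any any"]


def egress_acl(number=120):
    # Permit only our own sources; the implicit deny drops everything else.
    return acl_lines(number, "permit", INTERNAL_NETS)


def audit(samples):
    """samples: list of (src, direction); returns those that would be dropped."""
    return [(src, d) for src, d in samples if filter_packet(src, d) == "deny"]


if __name__ == "__main__":
    print("\n".join(ingress_acl() + egress_acl()))
    # Constructed sample: one spoofed inbound packet, one spoofed outbound packet.
    print(audit([("10.1.2.3", "ingress"), ("198.51.100.4", "ingress"), ("198.51.100.4", "egress")]))
```

On a Cisco router the generated lists would be applied with ip access-group 110 in and ip access-group 120 out on the outside interface. Note that the ingress list ends in an explicit permit only because other filtering usually follows it; the egress list relies on the implicit deny, exactly as the text describes.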

Hardware threats involve physical damage to the router or switch hardware. Mission-critical Cisco network equipment should be located in wiring closets or in computer or telecommunications rooms that meet these minimum requirements:

  • The room must be locked, with only authorized personnel allowed access.
  • The room should not be accessible via a dropped ceiling, raised floor, window, duct-work, or any point of entry other than the secured access point.
  • If possible, use electronic access control with all entry attempts logged by security systems and monitored by security personnel.
  • If possible, security personnel should monitor activity via security cameras with automatic recording.

Environmental threats refer to humidity (too wet or too dry) and temperature (too high or too low). Extremes of either require mitigation: temperature and humidity control in the equipment room, with monitoring and alarms.

Electrical threats refer to irregularities in the power supply: voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise) and total power loss.

These can be addressed by:

  • installing backup generator systems (with UPS units to bridge the gap until they start) for mission-critical supplies;
  • installing redundant power supplies on critical devices.

Maintenance threats include poor handling of key electronic components, electrostatic discharge (ESD), lack of critical spares, poor cabling, and components and their cabling not being labeled correctly.

To address these, clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection or incorrect termination. Always follow ESD procedures when replacing or working with internal router and switch components. Maintain a stock of critical spares for emergency use.


Network/Port Address Translation

Continuing from Perimeter Router, Firewall and Internal Routers, let's review our knowledge of NAT (Network Address Translation) and PAT (Port Address Translation)!



Address translation: explanation of usage

Network (NAT): Provides many-to-many IP translation.

Works by mapping an inside local (private) IP address to an inside global IP address, a public address provided by the service provider, taken from a pool.

Unless a static NAT entry is configured, the mapping is temporary: it is held while traffic is flowing and, once the entry has been idle for the configured timeout, the router removes it and the now vacant global address can be handed to the next inside host that needs a translation. If the pool runs out, new connections fail until an entry expires.

Port (PAT): Provides many-to-one IP translation (also called NAT overload).

Works by mapping each inside local IP address and source port to a port on a single inside global IP address.

Because entries are keyed by port, thousands of inside hosts can share one public address. An entry is likewise removed once it has been idle for the timeout, and inbound packets to a global port with no entry are dropped.


NAT and PAT are two of the many measures adopted to ease the steady decline in the number of available IPv4 addresses. As such, NAT and PAT may become obsolete as IPv6, an improved addressing scheme with 128-bit addresses, is adopted, since it provides an essentially unlimited number of addresses, to the extent that one can say "Unless we find another thousand civilisations out there, addresses can never run out!".
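The table above is easier to believe once you watch the two translation tables fill up and drain. Here is an added example written for this post (constructed; not Cisco IOS code): a dynamic NAT pool and a PAT translator side by side, with idle timeouts. The pool addresses, the global address 203.0.113.1, the 60-second timeout and the port-allocation rule (keep the original port when free, otherwise take the lowest free port from 1024) are assumptions made for the example; IOS has its own allocation policy.

```python
# Added example for this post (constructed; not Cisco IOS code): dynamic NAT
# from an address pool next to PAT on a single address, with idle timeouts,
# to show where many-to-many and many-to-one behave differently.
IDLE_TIMEOUT = 60   # seconds; constructed value


class DynamicNat:
    """Many-to-many: each inside host borrows a whole inside-global address."""

    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}                      # inside local -> (inside global, last seen)

    def _expire(self, now):
        for local, (glob, seen) in list(self.table.items()):
            if now - seen > IDLE_TIMEOUT:    # entry idle: return the address to the pool
                del self.table[local]
                self.free.append(glob)

    def outbound(self, local, now):
        """Translate an outgoing packet's source; None means the pool is exhausted."""
        self._expire(now)
        if local in self.table:
            glob = self.table[local][0]
        elif self.free:
            glob = self.free.pop(0)
        else:
            return None
        self.table[local] = (glob, now)
        return glob


class Pat:
    """Many-to-one: every inside host shares one address, told apart by port."""

    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.table = {}    # (proto, local ip, local port) -> (global port, last seen)
        self.ports = {}    # (proto, global port) -> (local ip, local port)

    def _expire(self, now):
        for key, (gport, seen) in list(self.table.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.table[key]
                del self.ports[(key[0], gport)]

    def _free_port(self, proto):
        for port in range(1024, 65536):
            if (proto, port) not in self.ports:
                return port
        raise RuntimeError("no free ports on " + self.global_ip)

    def outbound(self, proto, local, lport, now):
        """Translate an outgoing packet; returns (global ip, global port)."""
        self._expire(now)
        key = (proto, local, lport)
        if key in self.table:
            gport = self.table[key][0]
        else:
            # Keep the original port when it is still free, otherwise pick another.
            gport = lport if (proto, lport) not in self.ports else self._free_port(proto)
            self.ports[(proto, gport)] = (local, lport)
        self.table[key] = (gport, now)
        return self.global_ip, gport

    def inbound(self, proto, gport, now):
        """Map a reply back to the inside host; None means no session, so drop it."""
        self._expire(now)
        entry = self.ports.get((proto, gport))
        if entry is not None:
            self.table[(proto,) + entry] = (gport, now)
        return entry
```

With a two-address pool, the third inside host that tries to go out gets None until one of the first two entries expires, which is the failure mode the text describes for NAT. With PAT, two inside hosts that both happen to use source port 1025 end up on different global ports, replies to those ports find their way back, and a reply to a port nobody opened is dropped, which is the small amount of inbound protection PAT gives you for free.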

Perimeter Router, Internal Router and Firewall


The perimeter router is typically a standard router providing a serial connection to the outside world (untrusted network) and a LAN connection to the internal network. The perimeter router should provide any filtering of outside traffic to implement basic security for the DMZ and preliminary filtering for the inside network.

The internal router sits between the DMZ (perimeter) network and the inside network and performs a second, finer layer of filtering for internal traffic. It also keeps the organization's internal connectivity alive when the perimeter router goes down, for example under a DoS attack: the inside network can still talk to itself even though the link to the outside world is gone, whereas with a single router the whole organization would lose connectivity, even within its own network.

A firewall is a device or set of devices designed to permit or deny network transmissions based on a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass. Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range". Firewalls often have such functionality to hide the true address of protected hosts. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.