Friday, 1 June 2012

Site to Site VPN, Remote VPN


Site-to-site VPN

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. It extends the company's network, making computing resources at one location available to employees at the other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.
There are two types of site-to-site VPNs:
  • Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
  • Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.
Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it often uses the same software and equipment. Ideally, though, a site-to-site VPN eliminates the need for each computer to run VPN client software: the gateways at the two sites build and maintain the tunnel, and the hosts behind them simply route through it.


Remote-access VPN

A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access resources on that network as if they were directly plugged into it. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Another name for this type of VPN is virtual private dial-up network (VPDN), acknowledging that in its earliest form a remote-access VPN required dialing in to a server over an analog telephone line.
There are two components required in a remote-access VPN. The first is a network access server (NAS, usually pronounced "nazz" conversationally), also called a media gateway or a remote-access server (RAS). (Note: IT professionals also use NAS to mean network-attached storage.) A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It is the NAS that a user connects to from the Internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network (the AAA server described in a later post).
The other required component of remote-access VPNs is client software. In other words, employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN. Most operating systems today have built-in software that can connect to remote-access VPNs, though some VPNs might require users to install a specific application instead. The client software sets up the tunneled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure.

Sunday, 27 May 2012

Public Key Infrastructure (Digital Cert)


What is Public Key Infrastructure?

In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature is that of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
For provable security, this reliance on something external to the system means that any public key certification scheme has to rest on a setup assumption, such as the existence of a trusted certificate authority whose own key the verifier already holds.

Content of a typical Digital Certificate:

  • Serial Number - Used to uniquely identify the certificate within the issuer's namespace.
  • Subject - The person or entity identified.
  • Signature Algorithm - The algorithm used to create the signature.
  • Signature - The actual signature, used to verify that the certificate came from the issuer.
  • Issuer - The entity that verified the information and issued the certificate.
  • Valid-From - The date the certificate is first valid from.
  • Valid-To - The expiration date.
  • Key-Usage - Purpose of the public key (e.g. encipherment, signature, certificate signing).
  • Public Key - The public key.
  • Thumbprint Algorithm - The hash algorithm (SHA-1 or SHA-256 in practice) used to compute the thumbprint.
  • Thumbprint - The hash of the entire encoded certificate, not of the public key alone. It is not stored inside the certificate; the verifier computes it, and it is used as a short identifier for the certificate, for example when pinning or when comparing against a trust store.

Certificate and Web Site Security

The most common use of certificates is for HTTPS web sites. A web browser validates that a TLS (Transport Layer Security, the successor of SSL) web server is authentic, so that the user can be confident that the connection is encrypted against eavesdroppers and that the web site is who it claims to be.
This security is important for electronic commerce. In practice, a web site operator obtains a certificate by applying to a certificate provider (a CA that presents itself as a commercial retailer of certificates) with a certificate signing request (CSR). The CSR is an electronic document that contains the web site name, the site's public key, a contact email address, and company information; the private key never leaves the operator. The certificate provider signs the request, producing a public certificate.
During web browsing, this public certificate is served to any web browser that connects to the web site, and it proves to the web browser that the provider believes it issued the certificate to the owner of the web site.
Before issuing a certificate, the certificate provider requests the contact email address for the web site from a public domain name registrar and checks that published address against the email address supplied in the certificate request. Therefore, an https web site is only secure to the extent that the end user can be sure that the web site is operated by someone in contact with the person who registered the domain name; the certificate says nothing about whether that operator is honest, only that the name and key belong together.
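The binding described above, as an added example that is not from the original post or from any CA's software: a toy certificate hierarchy in Python. The CA signs the to-be-signed fields (serial, subject, issuer, validity, key usage, public key), a relying party checks the chain against its trust store, and tampering with the subject or signing with a key the store does not know is rejected. Everything is constructed: canonical JSON stands in for DER, the RSA keys are textbook RSA built from known Mersenne primes with no padding (trivially factorable, never for real use), and the names, serials and dates are made up.

```python
import copy
import hashlib
import json

E = 65537


def rsa_keypair(p, q):
    """Textbook RSA from two known primes. Toy only: no padding, and Mersenne moduli are trivially factorable."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


def _encode(obj):
    """Stand-in for DER: canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True).encode()


def issue(issuer_name, issuer_priv, subject, subject_pub, serial, valid_from, valid_to, key_usage):
    """The issuer signs the to-be-signed (TBS) fields, binding the subject name to the subject's public key."""
    tbs = {"serial": serial, "subject": subject, "issuer": issuer_name,
           "valid_from": valid_from, "valid_to": valid_to, "key_usage": key_usage,
           "public_key": {"n": subject_pub[0], "e": subject_pub[1]},
           "signature_algorithm": "sha256-with-textbook-RSA (toy)"}
    return {"tbs": tbs, "signature": sign(issuer_priv, _encode(tbs))}


def thumbprint(cert):
    """Hash of the whole encoded certificate, not of the key; computed by the verifier, not stored in the cert."""
    return hashlib.sha256(_encode(cert)).hexdigest()


def validate(cert, trust_store, today):
    """What a relying party checks before trusting the subject's key. trust_store: {issuer name: issuer cert}."""
    tbs = cert["tbs"]
    issuer = trust_store.get(tbs["issuer"])
    if issuer is None:
        return False, "issuer not in trust store"
    if "certificate signing" not in issuer["tbs"]["key_usage"]:
        return False, "issuer key not permitted to sign certificates"
    ipk = issuer["tbs"]["public_key"]
    if not verify((ipk["n"], ipk["e"]), _encode(tbs), cert["signature"]):
        return False, "signature does not verify"
    if not tbs["valid_from"] <= today <= tbs["valid_to"]:
        return False, "outside validity period"
    return True, "ok"


def with_subject(cert, subject):
    """Copy of a certificate with its subject edited but the signature untouched (what an attacker might try)."""
    forged = copy.deepcopy(cert)
    forged["tbs"]["subject"] = subject
    return forged


# Constructed hierarchy: a self-signed root and one server certificate it issued.
CA_PUB, CA_PRIV = rsa_keypair(2**127 - 1, 2**521 - 1)
SRV_PUB, SRV_PRIV = rsa_keypair(2**89 - 1, 2**607 - 1)
CA_CERT = issue("Example Root CA", CA_PRIV, "Example Root CA", CA_PUB, 1,
                "2012-01-01", "2032-01-01", ["certificate signing"])
SRV_CERT = issue("Example Root CA", CA_PRIV, "www.example.com", SRV_PUB, 2,
                 "2012-05-01", "2013-05-01", ["digital signature", "key encipherment"])
TRUST_STORE = {"Example Root CA": CA_CERT}

if __name__ == "__main__":
    print(validate(SRV_CERT, TRUST_STORE, "2012-06-01"))
    print(validate(with_subject(SRV_CERT, "www.evil.example"), TRUST_STORE, "2012-06-01"))
    print(thumbprint(SRV_CERT)[:16])
```

The order of checks matters little for correctness but a lot for safety: the issuer lookup happens before any signature work, so a certificate naming an unknown CA is rejected without the verifier ever trusting data from the certificate itself, and the signature is checked against the issuer's key from the trust store, never against a key carried inside the certificate being validated.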

Saturday, 26 May 2012

IPSec (ESP, AH, DES, MD5, SHA, DH)

What is IPSec?

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Security Architecture

The IPsec suite is an open standard. IPsec uses the following protocols to perform various functions:
  • Encapsulating Security Payload (ESP) provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.
  • Authentication Header (AH) provides connectionless integrity and data-origin authentication of IP packets and, optionally, anti-replay protection using a sliding window that discards old or duplicated packets. Because AH also covers the immutable fields of the IP header, it fails when a NAT rewrites addresses, which is one reason ESP (with its own authentication enabled) is what is deployed in practice.

IPSec also uses other existing encryption standards to make up a protocol suite.


DES Algorithm

Data Encryption Standard (DES) is used to encrypt and decrypt packet data; it turns cleartext into ciphertext via an encryption algorithm, and the decryption algorithm on the remote end restores cleartext from ciphertext. The same shared secret key drives both directions. DES uses a 56-bit key, which was already exhaustively searchable in 1998; it is deprecated, and new IPsec policies should use AES, with 3DES at most as a fallback for legacy peers.

Message Digest 5 (MD5)

Message Digest 5 (MD5) is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the keyed HMAC-MD5 variant, which mixes a shared secret into the hash so that only a key holder can produce a valid authentication tag. A hash is a one-way function that takes an input message of arbitrary length and produces a fixed-length output. IKE, AH, and ESP can use MD5 for authentication. MD5 is no longer collision-resistant; that does not directly break HMAC-MD5, but new configurations should prefer the SHA-2 HMACs.

Secure Hash Algorithm 1 (SHA-1)

Secure Hash Algorithm 1 (SHA-1) is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the HMAC-SHA-1 variant, which keys the hash in the same way as HMAC-MD5. IKE, AH, and ESP can use SHA-1 for authentication. Like MD5, SHA-1 is deprecated for signatures; HMAC-SHA-1 remains common in IPsec, but HMAC-SHA-256 or stronger should be chosen where both peers support it.

Diffie-Hellman (D-H)

Diffie-Hellman (D-H) is a public-key protocol that lets two parties agree on a shared secret over an insecure communications channel; that secret is then used to derive the keys for the encryption algorithm (DES above) and for the HMAC-MD5 or HMAC-SHA-1 authentication. D-H is used within Internet Key Exchange (IKE) to establish session keys. The Cisco routers and PIX Firewall of the time supported the 768-bit (group 1) and 1024-bit (group 2) groups, of which the 1024-bit group is the stronger; both are considered too small today, and group 14 (2048-bit) or larger should be configured where the peers support it.
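How these pieces fit together, as an added example in Python (mine, not from the page's sources or from Cisco): the two peers agree a secret with Diffie-Hellman, derive an HMAC-SHA-1 key from it, and then exchange AH/ESP-shaped packets (SPI, sequence number, payload, 96-bit ICV) while the receiver enforces the 64-packet sliding anti-replay window that the AH and ESP descriptions above mention. The DH prime and generator, the SPI and the key-derivation step are assumptions for illustration; real IKE uses the standard MODP groups and a richer key schedule.

```python
import hashlib
import hmac
import secrets
import struct

# Toy Diffie-Hellman parameters for illustration only; real IKE uses the MODP groups (group 14 or larger today).
P = 2**255 - 19
G = 2
ICV_LEN = 12      # HMAC-SHA1-96: the 20-byte tag is truncated to 96 bits in AH/ESP
WINDOW = 64       # anti-replay window size in packets


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def derive_auth_key(shared):
    """Stand-in for IKE's key derivation: hash the agreed secret into an HMAC key (assumption, not IKE's schedule)."""
    return hashlib.sha1(shared.to_bytes(32, "big")).digest()


class Sender:
    """Emits packets shaped like AH/ESP: SPI, monotonically increasing sequence number, payload, ICV."""

    def __init__(self, spi, key):
        self.spi, self.key, self.seq = spi, key, 0

    def send(self, payload):
        self.seq += 1
        header = struct.pack("!II", self.spi, self.seq)
        icv = hmac.new(self.key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
        return header + payload + icv


class Receiver:
    """Verifies the ICV and enforces an RFC 4303-style sliding window against replays."""

    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.highest = 0     # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0      # bit i set means sequence number (highest - i) was already accepted

    def _window_allows(self, seq):
        if seq > self.highest:
            return True
        diff = self.highest - seq
        return diff < WINDOW and not (self.bitmap >> diff) & 1

    def _mark(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet):
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return None, "unknown SPI"
        if not self._window_allows(seq):          # cheap check first, before any crypto
            return None, "replay or outside window"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "ICV check failed"
        self._mark(seq)                             # the window advances only after authentication succeeds
        return body[8:], "ok"


if __name__ == "__main__":
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key = derive_auth_key(dh_shared(a_priv, b_pub))      # b derives the same key from (b_priv, a_pub)
    tx, rx = Sender(0x1000, key), Receiver(0x1000, key)
    pkt = tx.send(b"hello")
    print(rx.receive(pkt))
    print(rx.receive(pkt))                               # same packet again: replay
```

Two details are the ones that matter operationally: the window is consulted before the MAC so a flood of stale packets costs no hashing, and the window is updated only after the ICV verifies, so an attacker who cannot forge the ICV also cannot push the window forward and knock legitimate packets out of it.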


References:
http://en.wikipedia.org/wiki/IPsec
http://www.ciscopress.com/articles/article.asp?p=25470

Wednesday, 16 May 2012

Authentication, Authorization and Accounting


What is Authentication, Authorization and Accounting

Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.
As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access. The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied.
Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity.
The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.
Authentication, authorization, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. The current standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS); Cisco devices can also use TACACS+, which separates the three functions and encrypts the whole packet body rather than only the password.
The illustration below shows an overview of how RADIUS works.
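The exchange between the network access server and the AAA server, as an added example that is not part of the original post: a minimal RADIUS Access-Request and reply in Python, following the packet layout of RFC 2865. The NAS hides the User-Password by XORing it with MD5(secret + Request Authenticator), the server recovers it, compares it against its user store, and answers with an Access-Accept or Access-Reject whose Response Authenticator is MD5 over the reply plus the shared secret, which the NAS verifies. The user database, shared secret and NAS address are constructed; only the User-Name, User-Password and NAS-IP-Address attributes are implemented.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute types from RFC 2865

USERS = {"alice": "correct horse"}   # constructed user store on the AAA server


def attribute(atype, value):
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous block), starting from the Request Authenticator."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        block = bytes(a ^ b for a, b in zip(plain[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the reply came from a holder of the secret."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def nas_access_request(user, password, secret, ident=7):
    """NAS side: an Access-Request carrying a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = [attribute(USER_NAME, user.encode()),
             attribute(USER_PASSWORD, hide_password(password, secret, request_auth)),
             attribute(NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]   # constructed NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def aaa_server_handle(packet, secret):
    """AAA server side: recover the password, check the user store, answer with Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply = ACCESS_ACCEPT if code == ACCESS_REQUEST and USERS.get(user) == password else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, b"", request_auth, secret), [])


def nas_check_reply(reply, request_auth, secret):
    """NAS side: accept the reply only if its Response Authenticator verifies; returns the code or None."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return code if hmac.compare_digest(reply[4:20], expected) else None


if __name__ == "__main__":
    pkt, ra = nas_access_request("alice", "correct horse", b"s3cr3t")
    print(nas_check_reply(aaa_server_handle(pkt, b"s3cr3t"), ra, b"s3cr3t"))   # 2 = Access-Accept
```

Note what the protocol does and does not protect: the password is hidden, and the reply is bound to the request and the secret, but everything rests on MD5 and on a shared secret that is typically a short string configured by hand. Between the NAS and the AAA server, RADIUS should therefore run over a network the attacker cannot reach, or inside an IPsec or TLS tunnel.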


Thursday, 10 May 2012

Context-Based Access Control

What is CBAC?

Cisco's Context-Based Access Control (CBAC) is a component of the IOS firewall feature set. Similar to reflexive ACLs, CBAC enables dynamic modification of access lists to allow certain incoming flows by first inspecting and recording flows initiated from the protected internal network. However, whereas reflexive ACLs act solely on Layer 3 and Layer 4 protocol attributes, CBAC is able to inspect all the way to the application layer, taking into consideration the characteristics of a flow on a per-protocol basis (or context), which is what lets it follow protocols such as FTP that open secondary connections.









From the conceptual illustration, we see that there are four logical points (marked in blue) at which the router can inspect traffic:
  1. Inbound on the internal interface
  2. Outbound on the external interface
  3. Inbound on the external interface
  4. Outbound on the internal interface
While we can deploy independent, static ACLs at one, some, or all of these points simultaneously, CBAC is configured and operates per interface, dynamically modifying ACL entries facing one direction based on the traffic it sees flowing in the opposite direction.
For example, let's assume we first want to allow by default all traffic traversing the router from the internal LAN (192.168.0.0/24) toward the Internet (for our purposes, 10.0.0.0/8). This is already the case, as the router will of course forward all routable traffic when no access restrictions have been applied. We also want to deny by default all traffic flowing from the Internet toward the LAN; to accomplish this we can use a simple ACL to deny all IP traffic. We'll apply it to the external interface in the inbound direction (versus the internal interface outbound) so that the router itself is protected from untrusted traffic as well.
R1(config)# ip access-list extended DENY_ALL
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface f0/0
R1(config-if)# ip access-group DENY_ALL in

Cisco IOS Access Control List


What is an access control list?

In the Cisco IOS, an access control list is a record that identifies and manages traffic. After identifying that traffic, an administrator can specify various events that can happen to that traffic.

What's the most common type of ACL?

IP ACLs are the most popular type of access lists because IP is the most common type of traffic. There are two types of IP ACLs: standard and extended. Standard IP ACLs can only control traffic based on the SOURCE IP address. Extended IP ACLs are far more powerful; they can identify traffic based on protocol, source IP, source port, destination IP, and destination port.

What are the most common numbers for IP ACLs?

The most common numbers used for IP ACLs are 1 to 99 for standard lists and 100 to 199 for extended lists. However, many other ranges are also possible.
  • Standard IP ACLs: 1 to 99 and 1300 to 1999
  • Extended IP ACLs: 100 to 199 and 2000 to 2699

How can you filter traffic using ACLs?

You can use ACLs to filter traffic according to the "three P's": per protocol, per interface, and per direction. An interface can carry at most one ACL per protocol (e.g., IP or IPX) in each direction (IN or OUT), so one inbound IP ACL plus one outbound IP ACL on FastEthernet0/0 is the maximum; a second ip access-group in the same direction replaces the first.

How can an ACL help protect my network from viruses?

You can use an ACL as a packet sniffer to list packets that meet a certain requirement. For example, if there's a virus on your network that's sending out traffic over IRC port 194, you could create an extended ACL (such as number 101) to identify that traffic. You could then use the debug ip packet 101 detail command on your Internet-facing router to list all of the source IP addresses that are sending packets on port 194. Be careful with this on a busy router: debug ip packet is processed for every matching packet and can saturate the CPU. Adding the log keyword to the ACL entry and reading the hits from the logging buffer or a syslog server is the gentler option.

Wednesday, 2 May 2012

Common Threats to Router and Switch Physical & Mitigation

There are four common categories of physical threats to routers and switches.

Hardware threats


Hardware threats involve threats of physical damage to the router or switch hardware. Mission-critical Cisco network equipment should be located in wiring closets or in computer or telecommunications rooms that meet these minimum requirements:

  • The room must be locked with only authorized personnel allowed access.
  • The room should not be accessible via a dropped ceiling, raised floor, window, duct-work, or point of entry other than the secured access point.
  • If possible, use electronic access control with all entry attempts logged by security systems and monitored by security personnel.
  • If possible, security personnel should monitor activity via security cameras with automatic recording.

Electrical threats
Electrical threats include irregular fluctuations in voltage, such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss. They can be limited by adhering to these guidelines:
  • Install uninterruptible power supply (UPS) systems for mission-critical Cisco network devices.
  • Install backup generator systems for mission-critical supplies.
  • Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturer-suggested preventative maintenance schedule.
  • Install redundant power supplies on critical devices.
  • Monitor and alarm power-related parameters at the power supply and device levels.


Environmental threats

Environmental threats include temperature extremes (too hot or too cold), humidity extremes (too wet or too dry), and electrostatic and magnetic interference. Take these actions to limit environmental damage to Cisco network devices:
  • Supply the room with dependable temperature and humidity control systems. Always verify the recommended environmental parameters of the Cisco network equipment with the supplied product documentation.
  • Remove any sources of electrostatic and magnetic interference in the room.
  • If possible, remotely monitor and alarm the environmental parameters of the room.


Maintenance threats
Maintenance threats include poor handling of key electronic components, electrostatic discharge (ESD), lack of critical spares, poor cabling, and missing or incorrect labeling of components and their cabling. This is a broad category that includes many items. Follow the general rules listed here to prevent maintenance-related threats:
  • Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection, or incorrect termination.
  • Use cable runs, raceways, or both to traverse rack-to-ceiling or rack-to-rack connections.
  • Always follow ESD procedures when replacing or working with internal router and switch device components.
  • Maintain a stock of critical spares for emergency use.
  • Do not leave a console connected to and logged into any console port. Always log off administrative interfaces when leaving a station.
  • Do not rely upon a locked room as the only necessary protection for a device. Always remember that no room is ever totally secure. After intruders are inside a secure room, nothing is left to stop them from connecting a terminal to the console port of a Cisco router or switch.


Perimeter Router, Internal Router and Firewall

There are a few standard perimeter router designs; which one suits a network depends on its size, and each provides a different level of protection against network attacks. The most basic design, the standalone perimeter router, suits a small business network because of its minimal cost, but it provides only one layer of security.


A standalone perimeter router is a single router placed between the outside network (global) and the internal network (local). The router does basic filtering of unwanted traffic and provides minimal protection for the internal network.


The diagram below shows the example of the Standalone Perimeter Router Topology.

Standalone Perimeter Router Topology

The next design is the perimeter router with a standalone firewall. The perimeter router is again placed between the outside network (global) and the internal network (local), and a firewall sits just behind it on the internal side. The firewall provides greater protection and flexibility, such as packet filtering, stateful filtering, application-layer filtering and NAT, which suits a medium to large business network.

The diagram below shows the example of the Perimeter Router and Firewall Topology. 

Perimeter Router and Firewall Topology

The last design has at least three layers of protection: the perimeter router, a standalone firewall and an internal router. The internal router contains the damage if the trusted inside network is compromised, preventing the attack from spreading to the DMZ. It also provides better routing options, improving the performance of the network.

The diagram below shows the example of the Perimeter Router, Firewall and internal router Topology. 

Perimeter Router, Firewall and internal router Topology.

References:

OLIVE TEACHING MATERIALS


Tuesday, 1 May 2012

Secure Perimeter Routers & Disable Services & Logging

Ingress and Egress Filtering

Ingress filtering blocks packets arriving from outside the network that carry a source address belonging to the inside network. This helps to prevent an outside attacker from spoofing the address of an internal machine.


Egress filtering blocks packets leaving the network whose source address does not belong to the inside network. This helps to prevent an attacker (or an infected host) within the network from launching IP spoofing attacks against external machines, and it makes the network a poor launch point for reflection attacks.


The diagram below shows the topology of the Cisco IOS router's ingress/egress filtering in a typical corporate network.


Access List Directional Filtering

The Cisco IOS ACL is used to define traffic. Once that traffic is defined, some action can then be taken on that traffic.
Commonly, an ACL is associated with the filtering of IP packets (Layer 3 of the OSI model) as they pass through a router; in other words, it is used to permit or deny traffic through a router. However, if you only define the ACL and do not apply it to an interface with the ip access-group command, nothing happens.
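To make the matching rules concrete, here is an added example (mine, not from the original post or from Cisco): a small Python model of IOS ACL evaluation. It parses standard and extended entries in IOS syntax, applies Cisco wildcard masks, walks the list top-down with first match wins and the implicit deny ip any any at the end, and binds one ACL per interface and direction as the "three P's" in the ACL post above describe. The two lists it loads are the ingress and egress anti-spoof filters this post describes, for a constructed LAN of 192.168.0.0/24 behind FastEthernet0/0 with a web server at 192.168.0.10; the interface name, addresses and ports are assumptions.

```python
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def _ip(a):
    return int(ipaddress.IPv4Address(a))


def _addr_spec(t, i):
    """Consume one address spec at t[i]: 'any', 'host A', or 'A WILDCARD'. Returns ((net, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def parse_ace(line):
    """Parse one access-list entry in IOS syntax (standard: source only; extended: proto src dst [eq port])."""
    t = line.split()
    action = t[0]
    if t[1] in PROTOCOLS:
        proto = t[1]
        src, i = _addr_spec(t, 2)
        dst, i = _addr_spec(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    else:
        proto, dst, dport = "ip", (0, 0xFFFFFFFF), None
        src, _ = _addr_spec(t, 1)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport, "text": line}


def _addr_match(addr, spec):
    """Cisco wildcard masks: a 1 bit means 'do not care', the inverse of a subnet mask."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(pkt["src"], ace["src"]) and _addr_match(pkt["dst"], ace["dst"])):
        return False
    return ace["dport"] is None or pkt.get("dport") == ace["dport"]


def evaluate(acl, pkt):
    """Top-down, first match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"


def apply_on(bindings, iface, direction, pkt):
    """The three P's: one ACL per protocol, per interface, per direction. An unbound interface forwards."""
    acl = bindings.get((iface, direction))
    return evaluate(acl, pkt) if acl is not None else ("permit", "no ACL applied")


# Constructed topology: LAN 192.168.0.0/24, outside interface FastEthernet0/0, web server 192.168.0.10.
INGRESS = [parse_ace(line) for line in [
    "deny ip 192.168.0.0 0.0.0.255 any",      # our own prefix can never legitimately arrive from outside
    "deny ip 127.0.0.0 0.255.255.255 any",    # loopback range
    "deny ip 0.0.0.0 0.255.255.255 any",      # 0.0.0.0/8
    "permit tcp any host 192.168.0.10 eq 80",
    "permit tcp any host 192.168.0.10 eq 443",
]]                                            # implicit deny covers everything else
EGRESS = [parse_ace("permit ip 192.168.0.0 0.0.0.255 any")]   # only our own prefix may leave

OUTSIDE = "FastEthernet0/0"
ROUTER = {(OUTSIDE, "in"): INGRESS, (OUTSIDE, "out"): EGRESS}

if __name__ == "__main__":
    spoofed = {"proto": "tcp", "src": "192.168.0.5", "dst": "192.168.0.10", "dport": 80}
    print(apply_on(ROUTER, OUTSIDE, "in", spoofed))
    print(apply_on(ROUTER, OUTSIDE, "out", {"proto": "udp", "src": "172.16.0.1", "dst": "10.1.1.1", "dport": 53}))
```

The egress list is deliberately one line long: permitting only the prefixes you own, and letting the implicit deny handle the rest, is what keeps an infected host from emitting packets with somebody else's address.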


The diagram below shows the topology of the Cisco IOS router's ACL filtering in a typical corporate network.


IOS Firewall Router

Context-Based Access Control (stateful traffic inspection)

CBAC is a stateful firewall that keeps track of the state of network connections, such as TCP and UDP sessions, travelling across it. It creates openings in the ACLs on the inspecting interfaces by adding a temporary ACL entry for a specific session.


The openings are created when the internal network starts a session with the outside network that the inbound ACL would normally deny. Return traffic is allowed back through the firewall only if it belongs to the same session and has the properties CBAC is looking for; the temporary entry is removed when the session closes or idles out.
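The session table behind those dynamic openings, as an added example in Python (mine, not the original post's or Cisco's): outbound packets from the protected LAN record a five-tuple, inbound packets get through only if they are the reverse of a recorded tuple, and idle entries expire. It also shows why the DENY_ALL example in the CBAC post above is incomplete on its own: with only the static deny and no inspection, the replies to the LAN's own sessions are dropped too. The network, addresses, ports and the 30-second idle timeout are constructed; the IOS settings that play the timeout's role are ip inspect tcp idle-time and ip inspect udp idle-time.

```python
import ipaddress
import time

IDLE_TIMEOUT = 30.0   # seconds; constructed value standing in for 'ip inspect tcp idle-time' / 'udp idle-time'


class CBAC:
    """Stateful inspection: sessions initiated from the protected LAN open temporary return-path entries."""

    def __init__(self, inside_net, clock=time.monotonic):
        self.inside = ipaddress.ip_network(inside_net)
        self.clock = clock            # injectable so the timeout can be tested without sleeping
        self.sessions = {}            # (proto, src, sport, dst, dport) -> time of last activity

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reverse_key(pkt):
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def _expire(self):
        now = self.clock()
        for key in [k for k, seen in self.sessions.items() if now - seen > IDLE_TIMEOUT]:
            del self.sessions[key]

    def outbound(self, pkt):
        """Traffic leaving the LAN toward the outside: inspected and recorded (the 'ip inspect ... out' side)."""
        self._expire()
        if ipaddress.ip_address(pkt["src"]) not in self.inside:
            return "deny", "source is not inside the protected network"
        self.sessions[self._key(pkt)] = self.clock()
        return "permit", "session recorded"

    def inbound(self, pkt):
        """Traffic arriving from outside: only the reverse half of a recorded session passes the static deny."""
        self._expire()
        reverse = self._reverse_key(pkt)
        if reverse in self.sessions:
            self.sessions[reverse] = self.clock()     # activity refreshes the idle timer
            return "permit", "matches dynamic entry for session"
        return "deny", "no session; static ACL applies"


if __name__ == "__main__":
    fw = CBAC("192.168.0.0/24")
    request = {"proto": "tcp", "src": "192.168.0.5", "sport": 51000, "dst": "10.1.1.1", "dport": 80}
    reply = {"proto": "tcp", "src": "10.1.1.1", "sport": 80, "dst": "192.168.0.5", "dport": 51000}
    unsolicited = {"proto": "tcp", "src": "10.1.1.1", "sport": 80, "dst": "192.168.0.5", "dport": 51001}
    print(fw.inbound(reply))        # denied: nothing recorded yet, exactly the DENY_ALL situation
    print(fw.outbound(request))
    print(fw.inbound(reply))        # now permitted
    print(fw.inbound(unsolicited))  # still denied: different client port
```

Real CBAC tracks more than the five-tuple (TCP flags and sequence windows, and application-layer state for protocols it understands), but the table above is the core of what the "temporary ACL entry" is.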


Authentication proxy


The HTTP-based authentication proxy provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols: the router intercepts a user's first HTTP request, prompts for credentials, and then downloads that user's access profile from the AAA server and applies it for the duration of the session.


The diagram below is an example of the HTTP-based authentication proxy.



Intrusion Detection

The IOS Firewall IDS feature acts as an in-line intrusion detection sensor, matching packets against a fixed set of signatures.
When a packet or packets match a signature, it can perform any of the following configurable actions:

  • Alarm—Send an alarm to a Cisco IDS Director or Syslog server.
  • Drop—Drop the packet.
  • Reset—Send TCP resets to terminate the session.


It can identify up to 100 common attacks, depending on the release.


Securing Cisco Routers by Disabling Unused Services


Disable BOOTP server
Test(config)#no ip bootp server
Disable CDP (it announces platform, IOS version and addresses to whatever is on the link; if CDP is needed internally, at least turn it off per interface with no cdp enable on untrusted interfaces)
Test(config)#no cdp run
Disable DNS lookup (a convenience setting rather than a hardening step: it stops mistyped commands from being resolved as hostnames)
Test(config)#no ip domain-lookup
Disable finger service
Test(config)#no ip finger
Disable HTTP server (if web management is required, keep only ip http secure-server and restrict it with ip http access-class)
Test(config)#no ip http server
Disable ICMP mask reply
Test(config-if)#no ip mask-reply
Disable IP directed broadcast (the Smurf amplification vector; off by default since IOS 12.0, but verify it on every interface)
Test(config-if)#no ip directed-broadcast
Disable IP source routing
Test(config)#no ip source-route
Disable ICMP unreachables (caveat: this also suppresses the "fragmentation needed" unreachable the router must send for path MTU discovery to work through that interface; rate-limiting unreachables is often the better trade)
Test(config-if)#no ip unreachables
Disable small servers (echo, chargen, discard and daytime; off by default since IOS 11.3)
Test(config)#no service tcp-small-servers
Test(config)#no service udp-small-servers

A note on ip classless: no ip classless is sometimes listed alongside these commands, but it is a routing-behaviour setting (classful forwarding), not a service. Turning it off can stop the router from using a supernet or default route for destinations in a subnetted major network, so leave ip classless enabled.
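Checking that the list above actually took effect is easier with a script than by eye, so here is an added example (mine, not from the original post or its source): a Python audit of a running-config text that reports which of the services above are still enabled, and emits the commands to turn them off. The catch is that IOS only prints non-default settings, so for a service that is on by default (BOOTP, CDP, DNS lookup, source routing, unreachables) the finding is the absence of the no form, while for one that is off by default the finding is the presence of the enabling line. The default table is an assumption that varies by release and should be checked against yours; the sample config is constructed.

```python
# Checks: (finding name, line whose presence means ENABLED, line whose presence means DISABLED).
# Exactly one of the two is set. Where the "dis able" form is given the service is assumed on by
# default, so its absence from the config is a finding. Defaults vary by IOS release: verify yours.
GLOBAL_CHECKS = [
    ("bootp server",      None,                        "no ip bootp server"),
    ("CDP",               None,                        "no cdp run"),
    ("DNS lookup",        None,                        "no ip domain-lookup"),
    ("finger",            "ip finger",                 None),
    ("HTTP server",       "ip http server",            None),
    ("IP source routing", None,                        "no ip source-route"),
    ("TCP small servers", "service tcp-small-servers", None),
    ("UDP small servers", "service udp-small-servers", None),
]
INTERFACE_CHECKS = [
    ("ICMP mask reply",   "ip mask-reply",             None),
    ("directed broadcast", "ip directed-broadcast",    None),
    ("ICMP unreachables", None,                        "no ip unreachables"),
]
# 'ip classless' is deliberately not on the list: it is routing behaviour, not a service.


def split_config(config):
    """Separate global lines from per-interface blocks (lines indented under 'interface X')."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def _enabled(lines, on_line, off_line):
    return on_line in lines if on_line is not None else off_line not in lines


def audit(config):
    """Return findings, one string per service that is still enabled."""
    global_lines, interfaces = split_config(config)
    findings = [f"global: {name} enabled" for name, on, off in GLOBAL_CHECKS if _enabled(global_lines, on, off)]
    for iface, lines in interfaces.items():
        findings += [f"{iface}: {name} enabled" for name, on, off in INTERFACE_CHECKS if _enabled(lines, on, off)]
    return findings


def remediation(findings):
    """Config snippet that fixes the findings: global commands bare, interface commands in their interface context."""
    out = []
    for finding in findings:
        scope, rest = finding.split(": ", 1)
        name = rest[:-len(" enabled")]
        checks = GLOBAL_CHECKS if scope == "global" else INTERFACE_CHECKS
        on, off = next((on, off) for n, on, off in checks if n == name)
        cmd = off if off is not None else "no " + on
        out.append(cmd if scope == "global" else f"interface {scope}\n {cmd}")
    return "\n".join(out)


# Constructed sample: CDP already off, HTTP on, one interface partly hardened, one untouched.
SAMPLE_CONFIG = """\
hostname Test
!
ip http server
no cdp run
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
 no ip unreachables
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
!
"""

if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG)
    print("\n".join(found))
    print(remediation(found))
```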

Router Management (logging)

Event logging gives you visibility into the operation of a Cisco IOS device and the network into which it is deployed. Cisco IOS software provides several flexible logging options that can help achieve the network management and visibility goals of an organization. Two things make the logs worth having: trustworthy timestamps (service timestamps log datetime msec together with NTP) and a copy that leaves the device, because the logging buffer is lost on reload and is the first thing an intruder with enable access will clear.

Log Severity Levels:


Types of Logging method:
Console
Buffered
Terminal Line
Syslog
SNMP


Log Message Format:
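As an added example that is not part of the original post, here is a Python parser for the IOS message format %FACILITY-SEVERITY-MNEMONIC: text, with the eight severity levels (0 emergencies through 7 debugging, lower being more severe) and two detections a practitioner would run over a syslog feed from a perimeter router: denied packets per source from %SEC-6-IPACCESSLOGP entries (what an ACL entry with the log keyword produces) and failed logins from %SEC_LOGIN-4-LOGIN_FAILED. The five sample lines are constructed; the optional <PRI> and sequence-number prefixes are the ones a syslog collector sees.

```python
import re
from collections import Counter

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
ACL_RE = re.compile(r"list (?P<acl>\S+) denied (?P<proto>\S+) (?P<src>[\d.]+)\(\d+\) -> "
                    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet")
LOGIN_RE = re.compile(r"Login failed \[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\]")


def parse_line(line):
    """Return the parsed message or None for lines that are not IOS system messages."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m["severity"])
    return {"facility": m["facility"], "severity": sev, "level": SEVERITY_NAMES[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def at_least(events, level):
    """Same semantics as 'logging trap <level>': keep messages at this severity or more severe (lower number)."""
    return [e for e in events if e["severity"] <= level]


def denied_packets_by_source(events):
    """Aggregate ACL log hits by source address, the cheap alternative to 'debug ip packet'."""
    counts = Counter()
    for e in events:
        if e["mnemonic"] == "IPACCESSLOGP":
            m = ACL_RE.search(e["text"])
            if m:
                counts[m["src"]] += int(m["count"])
    return counts


def failed_logins(events):
    out = []
    for e in events:
        if e["mnemonic"] == "LOGIN_FAILED":
            m = LOGIN_RE.search(e["text"])
            if m:
                out.append((m["user"], m["src"]))
    return out


# Constructed sample: <PRI> is facility*8 + severity (local7 = 23 here), then the IOS sequence number and timestamp.
SAMPLE_LOG = """\
<189>42: *Jun  1 09:15:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.23)
<190>43: *Jun  1 09:15:07.456: %SEC-6-IPACCESSLOGP: list DENY_ALL denied tcp 10.9.8.7(40123) -> 192.168.0.10(22), 1 packet
<190>44: *Jun  1 09:15:09.001: %SEC-6-IPACCESSLOGP: list DENY_ALL denied tcp 10.9.8.7(40124) -> 192.168.0.10(23), 1 packet
<188>45: *Jun  1 09:15:12.789: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.8.7] [localport: 22] [Reason: Login Authentication Failed] at 09:15:12 UTC Fri Jun 1 2012
<189>46: *Jun  1 09:16:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in at_least(events, 4):
        print(e["level"], e["mnemonic"], e["text"])
    print(denied_packets_by_source(events))
    print(failed_logins(events))
```

The asterisk before the timestamp is IOS telling you the clock is not synchronized, which is the first thing to fix if these lines are ever going to be correlated with another device's logs.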





References:


http://en.wikipedia.org/wiki/IP_address_spoofing
http://www.techrepublic.com/blog/networking/what-you-need-to-know-about-cisco-ios-access-list-filtering/536
http://ciscoskills.net/2011/02/22/understanding-cbac
http://www.debianadmin.com/securing-cisco-routers-by-disabling-unused-services.html
OLIVE INKS teaching materials