Sunday, June 3, 2012

Site to Site VPN, Remote VPN


A Virtual Private Network (VPN) is used to connect a private network to a remote network over an Internet connection. The VPN also encrypts the connection established between the private network and the remote network (“Virtual Private,” 2012). There are two types of VPN, namely site-to-site VPN and remote-access VPN.

A site-to-site VPN allows LANs at different fixed locations to communicate securely with one another over the Internet. Site-to-site VPNs are of two kinds, intranet-based and extranet-based (“Virtual Private,” 2012).

An intranet-based VPN is used when a company has several fixed locations and wants to join the LAN at each location into a single WAN (“Virtual Private,” 2012).
An extranet-based VPN, by contrast, builds a shared, secure network between two or more networks, but the shared network cannot reach the other parties’ internal intranets. This type of VPN is used when a company wants to communicate with its business partners in a secure manner (“Virtual Private,” 2012).

A remote-access VPN, on the other hand, establishes a secure connection from a remote location. One industry that requires remote-access VPNs is insurance, because an insurer may need its salespeople to connect to the company server in order to add sensitive data (“Virtual Private,” 2012).

Two components are needed to provide a remote-access VPN: a Network Access Server (NAS) and client software. The NAS may be a dedicated server or a server that also runs other programs. The NAS requires the user to provide credentials to sign in, and then verifies the user either with its own checking process or with an authentication server located on the same network (“Virtual Private,” 2012).

Client software is also needed for a remote-access VPN to work; it is used to establish and maintain the remote VPN connection (“Virtual Private,” 2012).


Bibliography

Virtual Private Network. (2012, May 23). Retrieved June 2, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Virtual_private_network

Friday, May 25, 2012

Public Key Infrastructure (Digital Cert)


Public Key Infrastructure (PKI) allows users to exchange information securely over an insecure network. This is done through the use of a public key (known to all) and a private key (never transferred over the network) (Brayton, Finneman, Turajski, & Wiltsey, 2006). PKI provides digital certificates that can identify an individual or an organization. In some cases, revocation of a certificate will be necessary (Brayton, Finneman, Turajski, & Wiltsey, 2006).

Earlier cryptography used a single key to both encrypt and decrypt the data (symmetric cryptography). Such a method is less secure, because if the key is intercepted by an unauthorized user, that user can decrypt the message (Brayton, Finneman, Turajski, & Wiltsey, 2006). Hence PKI is preferred: it provides an additional layer of protection that prevents an unauthorized user from decrypting the message upon intercepting the key (Khan, n.d.). PKI is also known as asymmetric cryptography.

The following image shows the details of a digital certificate:


Figure 1 (Digital Certificate showing the public key)

Certain components must be in place in order for PKI to work. These include:
  • Certificate Authority (CA), which issues digital certificates and verifies their authenticity. The certificate includes or provides information about the public key (Brayton, Finneman, Turajski, & Wiltsey, 2006).
  • Registration Authority (RA), which verifies the authenticity of the certificate authority before a digital certificate is issued to the individual or organization that requests it (Brayton, Finneman, Turajski, & Wiltsey, 2006).

There are two ways to send data across the network, ensuring either high confidentiality or high integrity. To ensure high confidentiality of the message, the sender encrypts the message using the receiver’s public key, and the receiver then decrypts the data using his/her private key (Temasek Polytechnic, 2012).

To ensure high integrity of the message, the sender encrypts the message using his/her private key, and the receiver then decrypts the data using the sender’s public key (Temasek Polytechnic, 2012).
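As an added example (not from the post or its sources), the two modes above carried out with textbook RSA on small constructed primes: encrypting with the receiver’s public key for confidentiality, and signing with the sender’s private key for integrity. Hash-then-sign with SHA-256 stands in for the post’s “encrypting the message with the private key”; the primes, exponent and messages are assumptions chosen to keep the numbers small.

```python
# Added example, not from the blog post: textbook RSA on small constructed
# primes to show the two modes described above.  Real PKI uses 2048-bit keys
# and padding (OAEP for encryption, PSS for signatures); p, q and the
# messages here are assumptions chosen only to keep the arithmetic readable.
import hashlib
from math import gcd

def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)) from two constructed primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def encrypt_for_receiver(m, receiver_public):
    """Confidentiality: the sender encrypts with the RECEIVER's public key."""
    e, n = receiver_public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt_with_private(c, receiver_private):
    """Only the holder of the matching private key recovers the message."""
    d, n = receiver_private
    return pow(c, d, n)

def _digest_int(message, n):
    """SHA-256 digest of the message, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign_with_private(message, sender_private):
    """Integrity: the sender 'encrypts' a hash of the message with his own
    PRIVATE key; anyone holding the matching public key can undo it."""
    d, n = sender_private
    return pow(_digest_int(message, n), d, n)

def verify_with_public(message, signature, sender_public):
    """The receiver 'decrypts' the signature with the SENDER's public key and
    checks that it equals the hash of the message actually received."""
    e, n = sender_public
    return pow(signature, e, n) == _digest_int(message, n)
```

A tampered message or a signature checked against the wrong public key fails verification, which is the integrity guarantee the post describes.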


Reference

Brayton, J., Finneman, A., Turajski, N., & Wiltsey, S. (2006, October). PKI (public key infrastructure). Retrieved May 25, 2012, from SearchSecurity: http://searchsecurity.techtarget.com/definition/PKI
Khan, S. (n.d.). What Is PKI? Retrieved May 25, 2012, from eHow: http://www.ehow.com/about_6693189_pki_.html
Temasek Polytechnic. (2012, May 25). Cryptography. Singapore, Singapore, Singapore.


IPSec (ESP, AH, DES, MD5, SHA, DH)

Internet Protocol Security (IPSec) is a protocol that authenticates and encrypts every IP packet of a communication session (IPsec, 2012). It operates at the Internet Layer of the TCP/IP model.

IPSec comprises several security protocols and algorithms: Encapsulating Security Payload (ESP) and Authentication Header (AH) as the security protocols, Data Encryption Standard (DES) for encryption, MD5 and SHA for authentication, and Diffie–Hellman key exchange (DH) as the cryptographic key-exchange protocol.

ESP is the protocol that upholds the integrity, authenticity and confidentiality of packets. To uphold integrity, ESP provides optional authentication services (“System Administration Guide,” n.d.). It is advisable to enable both the encryption and the authentication service for all packets, because enabling only one of them is rather insecure (IPsec, 2012). However, ESP protects only the part of the datagram that ESP encapsulates (“System Administration Guide,” n.d.).

Figure 1 shows how ESP encrypts the datagram.


Figure 1 (Showing how ESP works (“System Administration Guide,” n.d.))

When both services are activated, ESP is capable of preventing eavesdropping and cut-and-paste attacks [1].

AH ensures connectionless integrity as well as data origin authentication of the IP address (IPsec, 2012). AH protects the packet from the IP header through to the transport header, which helps to prevent cut-and-paste attacks (“System Administration Guide,” n.d.).

DES was previously one of the best encryption algorithms, and it was highly influential in the cryptography industry (“Data Encryption,” 2012). In today’s world, however, DES is considered “weak”, because COPACOBANA is able to crack DES in less than one day (“Data Encryption,” 2012). Therefore the Advanced Encryption Standard (AES) would be a better choice for encrypting data, since it is the industry standard for encryption (Deutsch, n.d.).

MD5 is one of the most widely used hash algorithms and is used to check the integrity of data. In recent years, however, flaws in MD5 have surfaced, and US-CERT decided to stop using the MD5 function since it is seriously flawed (MD5, 2012). As a result, most of the U.S. government has decided to use the SHA-2 family of hash functions (MD5, 2012).

The SHA functions were designed by the National Security Agency (U.S.). Currently there are two well-known SHA families created by the NSA, namely SHA-1 and SHA-2 (SHA-1, 2012). SHA-3 is under development and will be available once the NIST hash function competition has selected the winning function this year (SHA-1, 2012). There is an urgent need to implement SHA-3 because there are flaws in SHA-1, and these also affect SHA-2 because both use a similar algorithm (SHA-1, 2012).

DH is a method of exchanging cryptographic keys. It allows two parties to establish a shared secret key over an insecure network; that key can then be used with a symmetric-key cipher (Diffie–Hellman key exchange, 2012) (“Diffie-Hellman,” n.d.).
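As an added example (not from the post or its sources), the DH exchange with both parties’ messages written out, ending with the shared secret being hashed into a symmetric key. The prime, generator and private values are constructed toy parameters.

```python
# Added example, not from the blog post: a Diffie-Hellman exchange with both
# parties' messages written out.  The prime and generator are constructed toy
# parameters; real deployments use standardized 2048-bit or larger groups and
# authenticate the exchange so that nobody can substitute their own public values.
import hashlib
import secrets

P = 2_147_483_647   # constructed: 2^31 - 1 (prime, but far too small for real use)
G = 7               # constructed generator

def private_value(p=P):
    """Each party picks a random private exponent and never sends it."""
    return secrets.randbelow(p - 2) + 1          # range [1, p-2]

def public_value(private, p=P, g=G):
    """The only thing sent over the insecure network: g^private mod p."""
    return pow(g, private, p)

def shared_secret(their_public, my_private, p=P):
    """Combine the other side's public value with my own private value."""
    return pow(their_public, my_private, p)

def derive_key(secret):
    """Hash the shared secret into a 256-bit key for a symmetric cipher such as AES."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def run_exchange(alice_private, bob_private):
    """Simulate both sides.  Returns (alice_key, bob_key, transcript), where the
    transcript is everything an eavesdropper on the network could record."""
    a_pub = public_value(alice_private)         # Alice -> Bob
    b_pub = public_value(bob_private)           # Bob -> Alice
    transcript = {"p": P, "g": G, "A": a_pub, "B": b_pub}
    alice_key = derive_key(shared_secret(b_pub, alice_private))   # B^a mod p
    bob_key = derive_key(shared_secret(a_pub, bob_private))       # A^b mod p
    return alice_key, bob_key, transcript
```

Both sides arrive at the same key although only p, g, A and B ever crossed the network.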

The following video explains how DH works in greater detail:

References


Data Encryption Standard. (2012, May 2). Retrieved May 24, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Data_Encryption_Standard
Deutsch, W. (n.d.). A Short History of AES Encryption. Retrieved May 24, 2012, from About.com: http://bizsecurity.about.com/od/informationsecurity/a/aes_history.htm
Diffie–Hellman key exchange. (2012, May 24). Retrieved May 25, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
IPsec. (2012, May 7). Retrieved May 24, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Encapsulating_Security_Payload
MD5. (2012, May 23). Retrieved May 25, 2012, from Wikipedia: http://en.wikipedia.org/wiki/MD5
SHA-1. (2012, May 24). Retrieved May 24, 2012, from Wikipedia: http://en.wikipedia.org/wiki/SHA-1
System Administration Guide: IP Services. (n.d.). Retrieved May 24, 2012, from Oracle: http://docs.oracle.com/cd/E19082-01/819-3000/ipsec-ov-8/index.html


[1] A cut-and-paste attack is one in which a hacker replaces part of the ciphertext with different ciphertext; the altered ciphertext results in valid information being modified.

Friday, May 18, 2012

Authentication, Authorization and Accounting


Authentication, Authorization and Accounting (AAA) refers to the security architecture used for Cisco routers and other networking devices (“CCNA 640-553,” n.d.). Several protocols follow the AAA architecture, including RADIUS and TACACS+.

Authentication refers to verifying the user’s identity. For instance, under the AAA architecture, a user is required to provide a username and password when accessing the router via telnet. Authentication cannot take place when the user enters only a password to access the router via telnet, because the network administrator is then unable to identify who is accessing the router (“CCNA 640-553,” n.d.).

Authorization refers to granting rights to the users or groups that are allowed to access a particular system. One example of authorization is granting user rights based on Cisco IOS access level: on a Cisco router, a user with a higher privilege level is granted more rights than a user with a lower privilege level (“CCNA 640-553,” n.d.). Privilege level 15 is also known as the super-user level.

Accounting refers to tracking user actions and logging system activity in order to maintain personal accountability. Accounting takes place only after authentication and authorization have completed. One way of accounting is through logging: from the logs, the network administrator can tell which user has logged into the system and how many bytes were transferred in the session (“CCNA 640-553,” n.d.).

In the industry there are protocols such as TACACS+ and RADIUS. TACACS+ provides better security (the entire packet is encrypted) but less accounting, whereas RADIUS provides better accounting but poorer security (only the password is encrypted).

Figure 1 shows a list of differences between TACACS+ and RADIUS.

Figure 1 (Comparison between TACACS+ and RADIUS) (Temasek Polytechnic, n.d.)

References

CCNA 640-553 exam: explain the function and importance of AAA. (n.d.). Retrieved May 18, 2012, from Ciscokits: http://www.certificationkits.com/ccna-security-aaa/
Temasek Polytechnic. (n.d.). TACACS+/RADIUS Comparison. Singapore, Singapore, Singapore.



Thursday, May 10, 2012

Access Control List


In network security, an access list is normally used to classify packets and decide whether to permit or deny them. One example is the use of an access control list in Network Address Translation (NAT) and Port Address Translation (PAT) to bind a pool of public addresses to the private addresses (Saunders, n.d.).

Access control lists can be used on both Cisco IOS routers and switches. They can specify particular ports and set inbound and outbound rules.

Access control lists are categorized as standard Access Control Lists (ACLs) and extended ACLs. The type of ACL can be identified from its ID number. Table 1 shows the ID range of each ACL category.

  ID range                ACL category
  1-99 or 1300-1999       Standard ACL
  100-199 or 2000-2699    Extended ACL

Table 1 (ID range of each ACL category (Saunders, n.d.))

Besides numbered ACLs, there are also named ACLs. Named ACLs enable network engineers to better identify the use of each ACL, and they also allow a specific line to be removed from an ACL (Saunders, n.d.).

There are also implicit rules in an ACL. One such rule is an implicit deny of any traffic at the end of the list. This rule sits at the end because the ACL is processed condition by condition from top to bottom, and the router or switch stops checking as soon as a condition matches (“Access Control,” n.d.).
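As an added example (not from the post or its sources), a small Python model of the behaviour described above: the ID ranges from Table 1, top-down first-match processing, and the implicit deny at the end. The rule format, the sample ACL 101 and all addresses are constructed for illustration.

```python
# Added example, not from the blog post: a small model of numbered-ACL
# behaviour.  acl_category() applies the ID ranges from Table 1, and
# evaluate() processes rules top-down, stops at the first match and
# falls through to the implicit "deny any".  Rules and addresses are constructed.
import ipaddress

def acl_category(acl_id):
    """Classify a numbered ACL as standard or extended by its ID range."""
    if 1 <= acl_id <= 99 or 1300 <= acl_id <= 1999:
        return "standard"
    if 100 <= acl_id <= 199 or 2000 <= acl_id <= 2699:
        return "extended"
    raise ValueError(f"ACL {acl_id} is outside the standard/extended ranges")

def matches(rule, packet):
    """A rule matches when every field it names matches the packet.  Standard
    ACLs only name 'src'; extended ACLs may also name dst, proto and dport."""
    if ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and ipaddress.ip_address(packet["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    for field in ("proto", "dport"):
        if field in rule and rule[field] != packet.get(field):
            return False
    return True

def evaluate(acl_id, rules, packet):
    """Return (action, index of the matching line); index None means the
    packet fell through to the implicit deny at the end of the list."""
    if acl_category(acl_id) == "standard":
        for rule in rules:
            if set(rule) - {"action", "src"}:
                raise ValueError("a standard ACL can only match on source address")
    for index, rule in enumerate(rules):
        if matches(rule, packet):
            return rule["action"], index     # first match wins; checking stops here
    return "deny", None                      # implicit deny any

# Constructed extended ACL 101.  Line order matters: line 1 must come before
# line 2, otherwise web traffic to the server would be denied with everything else.
ACL_101 = [
    {"action": "permit", "src": "0.0.0.0/0", "dst": "10.0.0.5/32", "proto": "tcp", "dport": 80},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "10.0.0.5/32"},
    {"action": "permit", "src": "192.168.0.0/16"},
]
```

A packet from 192.168.1.1 to port 22 on 10.0.0.5 is denied by line 2 even though line 3 would have permitted it, which is the top-down, first-match behaviour the post describes.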

In conclusion, an ACL helps to protect the network by removing unwanted traffic in order to prevent attacks on the network.


References

Access Control Lists(ACLs) Basics. (n.d.). Retrieved May 11, 2012, from Aspell: http://www.aspell.org/CCNA/CCNA-Cisco-Access-Control-List-ACL.php
Saunders, J. (n.d.). Access control lists (ACL). Retrieved May 11, 2012, from www.jlsnet.co.uk: http://www.jlsnet.co.uk/index.php?page=ccna_4a_acls


Thursday, May 3, 2012

Secure Perimeter Routers & Disable Services & Logging


There are several ways to secure perimeter routers, including ingress and egress filtering. Ingress filtering is a technique used to verify the identity of incoming packets (Ingress filtering, 2012).

With this filtering technique, a packet that fails the filtering process is either ignored by the router or sent back to the sender to indicate that it could not be delivered (Ingress filtering, 2012). One recommended ingress policy is to drop a packet when its source IP address belongs to the internal network address range (Cox, 2007).

Egress filtering refers to filtering outbound traffic from one network to another. This helps to prevent unauthorized traffic from leaving the internal network (Egress filtering, 2012). One recommended egress policy looks at the source IP address: if the source IP address is not a private address, the perimeter router should drop the packet (Cox, 2007).
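As an added example (not from the post or its sources), the two address-based policies above applied to constructed packets, together with the Cisco IOS wildcard-mask form such rules take. The internal address blocks, ACL numbers and packets are assumptions; the egress check tightens “private address” to the site’s own assigned blocks.

```python
# Added example, not from the blog post: the two address-based perimeter
# policies described above, applied to constructed packets, plus the
# Cisco IOS wildcard-mask form the same rules take.  The internal address
# blocks and ACL numbers are assumptions.
import ipaddress

# Constructed: address space assigned to the network behind the perimeter router.
INTERNAL = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def ingress_decision(src):
    """Inbound from the Internet: a packet claiming an internal source address
    cannot be genuine, so the router drops it."""
    return "drop" if is_internal(src) else "forward"

def egress_decision(src):
    """Outbound: only packets sourced from our own address space may leave;
    anything else is misconfigured or spoofed and is dropped."""
    return "forward" if is_internal(src) else "drop"

def ios_ingress_acl(number=110):
    """Render the ingress policy as numbered extended-ACL lines.  IOS uses
    wildcard masks (the inverse of the netmask), exposed by ipaddress as hostmask."""
    lines = [f"access-list {number} deny ip {net.network_address} {net.hostmask} any log"
             for net in INTERNAL]
    lines.append(f"access-list {number} permit ip any any")
    return lines

def ios_egress_acl(number=120):
    """Render the egress policy.  The final explicit deny only adds logging;
    the ACL would deny unmatched traffic implicitly anyway."""
    lines = [f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
             for net in INTERNAL]
    lines.append(f"access-list {number} deny ip any any log")
    return lines

def filter_log(packets):
    """Apply the policy matching each packet's direction; return log lines for drops."""
    log = []
    for pkt in packets:
        decide = ingress_decision if pkt["direction"] == "in" else egress_decision
        if decide(pkt["src"]) == "drop":
            log.append(f"{pkt['direction']}bound drop src={pkt['src']} dst={pkt['dst']}")
    return log
```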

To prevent attacks on the network, such as port redirection, the network administrator is recommended to disable unwanted ports and services.

To ensure that accountability is upheld, logging of activities is crucial; therefore SYSLOG should be implemented for logging purposes.


Figure 1 (Viewing of SYSLOG)

Syslog itself must be well protected, because the last phase of an attack is covering tracks (Graves, 2010), and in this phase the hacker might delete the SYSLOG to avoid being discovered. To protect SYSLOG, the network administrator can encrypt the SYSLOG traffic within an IPSec tunnel (Temasek Polytechnic, n.d.). Network administrators are also encouraged to run more than one SYSLOG server, so that a backup is available when the default SYSLOG server’s log is lost.

References

[Use of Kiwi for SYSLOG]. Retrieved May 5, 2012, from: http://www.softmaximum.com/free/review/kiwi-syslog-daemon/5437/
Cox, C. (2007, January). Establish ingress and egress address filtering policies. Retrieved May 3, 2012, from SearchNetworkingChannel: http://searchnetworkingchannel.techtarget.com/tutorial/Establish-Ingress-and-Egress-address-filtering-policies
Egress filtering. (2012, March 18). Retrieved May 3, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Egress_filtering
Graves, K. (2010, April 26). Certified ethical hacker. Sybex.
Ingress filtering. (2012, April 11). Retrieved May 3, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Ingress_filtering
Temasek Polytechnic. (n.d.). Basic router and switch security. Singapore, Singapore, Singapore.

Common Threats to Router and Switch Physical & Mitigation


Routers and switches face several physical threats once the devices are deployed. These fall into four categories: hardware threats, environmental threats, electrical threats and maintenance threats.

Hardware threats are damage to the hardware through mischief or deliberate acts. To mitigate this threat, the organization should think of ways to minimize any damage, such as limiting the number of entry points to the server room and allowing only authorized users to enter it. Logging every entry is also important for personal accountability, and security cameras are important because they serve as a deterrent (Temasek Polytechnic, n.d.).

Environmental threats include overheating, which will damage a router or switch. Hence these environmental factors must be “controlled” through air-conditioning, humidity control and an environmental alarm system, as well as monitoring that informs the helpdesk when the server has a high temperature (Temasek Polytechnic, n.d.).

Electrical threats such as an abrupt power outage may crash the router and switch. Installing an Uninterruptible Power Supply (UPS) provides electrical supply for 5 to 15 minutes (“Uninterruptible power,” 2012), and in this short period the technician can shut down the server properly (Temasek Polytechnic, n.d.).

Maintenance-related threats are damage arising from maintenance work, such as poor cabling (Sud & Edelman, 2003). Important cables should therefore be labelled, and providing additional cables for every router and switch helps to ensure high availability of the network.

Figure 1 (Cables in the server room (Temasek Polytechnic, n.d.))

Reference

Sud, R., & Edelman, K. (2003, December). Securing Cisco routers. Retrieved May 3, 2012, from SearchSecurity: http://searchsecurity.techtarget.com/feature/Securing-Cisco-routers
Temasek Polytechnic. (n.d.). Basic router and switch security. Singapore, Singapore, Singapore.
Uninterruptible power supply. (2012, April 19). Retrieved May 3, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Uninterruptible_power_supply#Ferro-resonant