Friday, 1 June 2012

Site to Site VPN, Remote VPN

WHAT IS VPN, you ask?
Well..VPN stands for Virtual Private Network.
It is an encrypted connection between private networks over a public network such as the internet.
Basically it's like a condo in Singapore: it's scalable (can be big or small), it has security features built in, and only people with the proper authorization and credentials can enter.
Here is a little image which hopefully can help in your understanding of VPN.

There are two types of VPN that will appear in this post: Site-to-Site VPN and Remote VPN (as can be seen from the title).

---------------------------------------------------------------------------------------------------------------------
Site-to-Site VPN is simply an extension of the classic WAN (Wide Area Network). There are about four ways this can be done. Again, another image...


Note that it's called Site-to-Site VPN, not Side-to-Side.
Just for convenience sake, Site-to-Site VPN shall now be called S2S VPN.

Now, an S2S VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network like the Internet. An S2S VPN extends the company's network, making the resources of every office available to all the others. The tunnel runs between the VPN gateways (routers or firewalls) at each site, so the PCs behind them need no VPN software and don't even know the tunnel is there. One example using an S2S VPN would be a large company that has multiple branches, either worldwide or across the country.

From the S2S VPN, there are again another 2 different types of the S2S VPN.

Intranet-based: Multiple remote networks of the same company connect via an intranet VPN so that each LAN joins a single WAN.

Extranet-based: In this case, an extranet VPN connects two or more different companies (partner, client, supplier, etc.) together. The created extranet connects the different LANs, allowing them to work in a secure shared network environment while preventing access to each other's separate intranets. It's like buying a house together: both have access to that shared house but not to each other's own personal ones.
---------------------------------------------------------------------------------------------------------------------
There is the other kind of VPN, called Remote VPN (remote-access VPN). It allows INDIVIDUAL USERS to establish secure connections with a remote network. These users can access the network's resources as if their computer were plugged directly into the network. An example would be Temasek Polytechnic (TP): students use a VPN (from home, the library, the toilet, etc.) to reach TP's resources as if they were using the school's computers.
Now..apparently there are 2 components needed for a Remote VPN. The first is a Network Access Server (NAS), A.K.A. Media Gateway, A.K.A. Remote-Access Server (RAS).

Why so many names? Because NAS can also mean Network-Attached Storage, which has a totally different purpose from the thing stated above. OKAY, GOING BACK!

This RAS can be a dedicated server or one of several software applications running on a shared server. The user/client connects to this RAS from the Internet in order to use the VPN. As mentioned before, the user needs to present credentials to log in to the VPN. The RAS either checks them itself or hands them to an authentication server running on the network; either way, the tunnel is only brought up after the credentials are verified.

There are 2 things needed for the Remote VPN, so here's the other: client software. A user who wants to log in to the VPN needs an application on his/her machine that can establish and maintain a connection to that VPN. Nowadays most operating systems have built-in clients for Remote VPNs, but some VPNs require their users to install a specific application, for the operator's own security reasons or for other reasons entirely.

How does this work then?
The client software sets up a tunnelled connection to the RAS, which the user specifies by its Internet address. The software also handles the encryption that keeps everything in the tunnel secure and hush-hush.

Large corporations or businesses with capable IT staff normally purchase, deploy and maintain their own Remote VPNs (because they can, and it's safer this way). Of course, if the company has the money, it can outsource its Remote VPN service to an Enterprise Service Provider (ESP). The ESP sets up a RAS for the paying company and keeps that RAS running. But the tunnel terminates at the ESP's RAS, so the ESP can see the decrypted traffic unless the applications themselves encrypt end to end. Leaving a secure connection in the hands of another organisation...food for thought, eh?

That's all I have time for. See ya around!

GOOD LUCK FOR ALL FORMS OF TERM TESTS AND EXAMINATIONS, AND ENJOY YOUR HOLIDAYS. SPEND THEM WELL, for there'll be reports and projects that won't do themselves...

Public Key Infrastructure (Digital Cert )

Public Key Infrastructure (PKI) uses Public Key Technology [notice the similarities? =D]
And the technology involves the use of Digital Signatures [the title my friend, the title!]

Signatures...?? What do they do?
Well, they are used for
- Authentication [Identifying and confirming that you are who you say you are]
- Integrity [The data you sent is legit and has not been tampered with]
- Non-repudiation [You are unable to deny that you were the one who sent the data]
- Confidentiality [Controlling who can see the information, by encrypting it so that no other party can view the data. Note: this one comes from public key encryption (encrypting with the recipient's public key), not from the signature itself; a signed message is not secret unless it is also encrypted.]


Public Key Infrastructure is the combination of software, encryption technologies and services. These three components give organisations the capability to secure any form of communication or business transaction on the web. It incorporates digital certificates, public-key cryptography and certificate authorities into a shared network security architecture.

Now then..moving on to digital signatures..a digital signature is different from a digital certificate. Digital signatures are like the physical signatures you make when you sign a form or a letter, just done digitally. They can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the content of the message or document has not been tampered with.

Digital signatures are portable, can be time-stamped, and cannot be forged by anybody else. Copying a signature is easy, but a copied signature only verifies against the exact message it was made for, so it cannot be reused on a different message. Because only the holder of the private key could have produced it, the sender cannot repudiate the message later. Signatures can be applied to any message, encrypted or not, so that the receiver knows the message came from the right sender and that the content is unchanged.

A digital certificate binds a public key to an identity and carries the digital signature of the certificate-issuing authority (the CA), so anyone who trusts the CA can verify that the certificate is real.

Here is a breakdown of how it works..

1) You type an email out for your colleague.
2) Using some software, you compute a message hash (digest) of the email contents.
3) You encrypt the hash with your private key. You generate this key pair yourself; what you obtain from the certificate authority is a certificate binding your public key to your identity, never the private key.
4) The encrypted hash becomes your digital signature of the message.
5) Your colleague receives the email and independently computes a hash of the received message.
6) Your colleague uses your public key (from your certificate) to decrypt the signature, recovering the hash you computed.
7) If the two hashes match, the message is from you and unchanged. If they differ, either the message was altered in transit or it was not signed with your private key.

Wednesday, 30 May 2012

IPSec (ESP, AH, DES, MD5, SHA, DH)

Disclaimer: All information stated in this post may not be purely correct or purely wrong, believing this is your own choice. You are free to reference to any sources of information online to cross-reference or even correct me in the Comments Section below.

Hello!~
Other people were very fast; this week I was very slow...

SO NOW I GO DO!

IPSec!!
What's that?

-Protocol suite (Collection of protocols)
-used for securing Internet Protocol communications

How does it secure IP communications?
-IPSec authenticates and encrypts each IP packet of a communication session

But wait! That's not all!

-IPSec also includes protocols for establishing mutual authentication between..

Between who??

-Between the agents (the two endpoints) at the beginning of the session, plus negotiation of the cryptographic keys to be used during the session. Meaning: the computers authenticate each other before the session starts and agree on the keys to use once it starts. This is the job of IKE (Internet Key Exchange), which uses the Diffie-Hellman (DH) exchange from the title to agree on keys without ever sending them over the wire.

Okay, I shall stop talking to myself now..
---------------------------------------------------------------------------------------------------------------------
IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It is able to protect data flows between the following:
- a pair of hosts (host-to-host)
- a pair of security gateways (network-to-network, for example a router at one site to a router at another; this is how a site-to-site VPN is built)
- a security gateway and a host (gateway-to-host, the remote-access case)

If you're wondering what are the acronyms within the brackets beside "IPSec" stated in the title, then wonder-no-more! This post shall explain a few of them now, without any payment whatsoever!


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
These two members of the protocol suite can be used separately or together. The practical difference: AH authenticates the packet, including the parts of the outer IP header that do not change in transit, but never encrypts anything; ESP encrypts the payload and, when its authentication option is enabled, also authenticates it (but not the outer IP header).

ESP(Encapsulating Security Payloads) provides the following:
- Confidentiality [Limiting information access and disclosure to authorized users only. Basically a Need-To-Know basis: if you have no purpose in accessing this information, you're restricted from doing so.]
- Data-origin authentication [Verifying that the messages received were really sent by the expected sender, as the messages may have passed through a lot of nodes to reach the destination and there is always a chance of someone injecting or altering packets along the way]
- Connectionless integrity [Ensuring that each received packet has not been modified, tampered with or changed; "connectionless" because every packet is checked on its own without relying on a stream or session. Integrity also includes anti-replay defences]
- Anti-replay service [A form of partial sequence integrity: the receiver tracks the sequence numbers it has already accepted and discards duplicates, which helps counter denial of service attacks built from captured-and-resent packets]
- Limited traffic-flow confidentiality [Making it harder for an observer to learn who is talking to whom and how much: in tunnel mode ESP hides the inner IP addresses, and padding can hide the true payload length]


AH(Authentication Header) provides the following:
- Connectionless integrity [read above if you have not done so]
- Data-origin authentication [read above if you have not done so]
- Anti-replay service [read above if you have not done so]
Note what is missing: AH provides no confidentiality at all. If the data has to be secret, use ESP.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

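The anti-replay service listed for both ESP and AH, as an added example that is not part of the original post. It implements the sliding-window scheme of RFC 4303 section 3.4.3 in Python (not real IPsec code): the window size and the packet sequence fed through it are constructed for the demo.

```python
"""IPsec-style anti-replay window, the scheme ESP and AH use (RFC 4303 section 3.4.3).
Added illustration, not from the original post. Every protected packet carries a
monotonically increasing 32-bit sequence number; the receiver remembers the highest
number accepted and a bitmap of which earlier numbers inside the window have arrived.
A packet is dropped if it is a duplicate or too old to fit in the window. In real
IPsec the integrity check on the packet is verified before the window is updated;
here we assume that check has already passed."""


class AntiReplayWindow:
    def __init__(self, size=64):
        if size < 32:                          # RFC 4303: minimum window of 32
            raise ValueError("window too small")
        self.size = size
        self.highest = 0                       # highest sequence number accepted
        self.bitmap = 0                        # bit i set => (highest - i) received

    def check(self, seq):
        """True = fresh, accept and record; False = replay or too old, drop."""
        if seq == 0:
            return False                       # sequence number 0 is never sent
        if seq > self.highest:
            shift = seq - self.highest         # window slides right by this much
            if shift >= self.size:
                self.bitmap = 1                # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                       # older than the window: cannot tell, drop
        if self.bitmap & (1 << diff):
            return False                       # already accepted once: replay
        self.bitmap |= 1 << diff               # late but legitimate (reordered) packet
        return True


def replay_demo(seqs, size=64):
    """Run a constructed packet sequence through one window; returns (seq, accepted)."""
    window = AntiReplayWindow(size)
    return [(s, window.check(s)) for s in seqs]


# Constructed sample: in-order packets, a replay, a reordered packet, a big jump,
# a late packet that still fits, one that fell out of the window, and seq 0.
SAMPLE_SEQUENCE = [1, 2, 3, 2, 5, 4, 100, 40, 36, 37, 3, 0]

if __name__ == "__main__":
    for seq, ok in replay_demo(SAMPLE_SEQUENCE):
        print(seq, "accept" if ok else "drop")
```

Two things worth noticing: a reordered packet (4 arriving after 5) is still accepted, because the window tolerates out-of-order delivery, but a packet older than the window (36 after 100, with a 64-wide window) is dropped even though it was never seen, since the receiver has no way left to tell it from a replay.
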
Wednesday, 16 May 2012

Authentication, Authorization and Accounting

This week there's only 1 post~~
About AAA.
Then..next week is the Lab Test already... T.T

Anywho....

Authentication, Authorization and Accounting (AAA)
- a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage and providing the information necessary to bill for services.
- these combined processes are considered important and much needed for effective network management and security.

Authentication, the first process, provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted.
- This process is based on each user having a unique set of criteria for gaining access.
- The AAA server compares the credentials entered with the credentials database (which should hold salted password hashes, not the passwords themselves).
- If the credentials match, that user is granted access to the network.
- If there is no match, the user can't enter the network.

After Authentication comes Authorization. Every user needs to be given authorization before performing certain tasks.
- This process determines whether the user has the authority to perform a given task (e.g. issuing commands)
- Authorization is the process of enforcing policies: determining what types or qualities of activities, resources or services a user is permitted.
- Usually Authorization follows immediately after Authentication.
- The moment a user is authenticated into the network, he/she is granted authorization for particular types of access or activity, and nothing more.

Last but not least is Accounting. It measures the resources a user consumes during access, possibly including the amount of system time or the amount of data a user has sent/received during a session.
- Its normally done by logging of system statistics and usage information.
- Used for authorization control, billing, trend analysis, resource utilization and capacity planning activities.

AAA services are often provided by a dedicated AAA server, a program that performs all these functions; the network device the user connects to talks to that server using a protocol such as RADIUS or TACACS+.
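The three processes above in one small piece of code. This is an added example, not from the original post and not a real AAA server (the RADIUS/TACACS+ exchange between a router and the server is not shown): the user records, the role policy and the PBKDF2 round count are assumptions for the demo.

```python
"""A minimal AAA flow (added illustration; not a real AAA server, and the
protocol between a router and a RADIUS/TACACS+ server is not shown).
Authentication: compare the supplied password against a salted hash.
Authorization: check the authenticated user's role against a command policy.
Accounting: record what each session consumed, for billing and audit."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _new_record(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed credentials database: salted hashes, never the passwords themselves.
USERS = {
    "alice": _new_record("correct horse battery", "netadmin"),
    "bob": _new_record("hunter2", "helpdesk"),
}

# Constructed authorization policy: which commands each role may issue.
POLICY = {
    "netadmin": {"show", "configure", "reload"},
    "helpdesk": {"show"},
}

ACCOUNTING_LOG = []  # in a real deployment this goes to the AAA server / syslog


def authenticate(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))


def authorize(username: str, command: str) -> bool:
    return command in POLICY.get(USERS[username]["role"], set())


def account(username: str, event: str, **details) -> None:
    ACCOUNTING_LOG.append({"time": time.time(), "user": username, "event": event, **details})


def run_session(username: str, password: str, commands: list) -> dict:
    """Authenticate, then authorize each command, then record the session."""
    if not authenticate(username, password):
        account(username, "auth-fail")
        return {"authenticated": False, "executed": [], "denied": list(commands)}
    start = time.monotonic()
    executed, denied = [], []
    for cmd in commands:
        (executed if authorize(username, cmd) else denied).append(cmd)
    account(username, "session", duration=time.monotonic() - start,
            executed=len(executed), denied=len(denied))
    return {"authenticated": True, "executed": executed, "denied": denied}


if __name__ == "__main__":
    print(run_session("bob", "hunter2", ["show", "reload"]))
    print(ACCOUNTING_LOG)
```

Note that a failed login is also an accounting event: the audit trail is what tells you later that somebody was guessing passwords, and `hmac.compare_digest` plus hashing even for unknown users keeps the response time from revealing which user names exist.
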

Friday, 11 May 2012

Access Control Lists & Context Based Access Control

Okay, this week got 2 topics to post on. Access Control Lists and Context-based Access Control.

For Access Control List, here is my info:

Access Control Lists (ACLs) are implemented in routers through the "access-list" command. ACLs are basically packet-classifying mechanisms that define which network traffic is permitted or denied once the list is applied to a particular router interface.

They come in two forms: standard and extended access-lists. The difference is that a standard access-list permits or denies packets based only on the source IP address or a range of source addresses, whereas an extended access-list matches on both a source and a destination IP address or range. Extended access-lists can also permit or deny packets based on the protocol (TCP, UDP or ICMP) and on port numbers.

In summary, the factors the lists can permit or deny on are:

Standard Access-List : source IP address or a range of source IP addresses.
Extended Access-List : source & destination IP address, protocol (TCP, UDP or ICMP) and source/destination port number.

An access-list is applied to an interface in one direction (inbound or outbound) and is checked as a packet crosses that interface; it is separate from the routing functions of the router, which still decide where the packet goes.

Referencing an access-list that has not been defined (or has no entries) means the router acts as though no access-list has been applied and accepts all packets. The opposite trap is the implicit "deny any" at the end of every defined list: a packet that matches none of the entries is dropped, so a list meant to block only a few things still needs an explicit permit entry at the end.

MOVING ON
__________________________________________________________________________________

Context Based Access Control (CBAC)

CBAC inspects the packets that enter through the firewall only if they are not specifically denied by an ACL. CBAC permits or denies specified TCP and UDP traffic through a firewall.

CBAC dynamically creates and deletes ACL entries, and it also protects against DoS attacks (by limiting the number of half-open sessions it will track).

Here's the situation
1) Packet traffic is inspected by CBAC.
2) CBAC creates a dynamic ACL that allows return traffic back through the firewall.
3) It continues to inspect the traffic and create and delete ACLs as required by the application, in addition to monitoring and protecting against application-specific attacks
4) CBAC detects when the application terminates or times out and removes ALL ACLs for that particular session.

Another example would be this:

1) User starts a telnet session
2) Return traffic for user's telnet session is permitted
3) Other telnet traffic is blocked.


CBAC is like the bouncer at a disco party where only invited people can go in.
It dynamically opens holes in the firewall so that invited traffic can pass through.

CBAC can inspect many protocols; I will only name a few here.

TCP (Single channel)
UDP (Single channel)
RPC
FTP
TFTP
Unix R-commands
SMTP
HTTP (Java blocking)

and many many more!

CBAC also has other features like generating real-time alerts and audit trails.
Audit trails features use Syslog to track all network transactions.
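The bouncer behaviour described above, as an added example that is not part of the original post and is not IOS code: a small stateful firewall in Python that opens the dynamic hole for return traffic when an inside host starts a session, keeps unsolicited inbound traffic out, and closes the hole on timeout or when the session ends. The addresses, ports and the 300 s idle timeout are constructed for the demo.

```python
"""CBAC-style stateful inspection, added as an illustration (not IOS code).
An outbound session that passes inspection creates a temporary entry that
permits only the matching return traffic; unsolicited inbound traffic to the
same port is still blocked; the entry disappears when the session closes or
idles past a timeout. Addresses, ports and the 300 s timeout are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class StatefulFirewall:
    def __init__(self, idle_timeout: float = 300.0):
        self.idle_timeout = idle_timeout
        self.sessions = {}      # outbound Flow -> time last seen (the dynamic ACL entry)

    def outbound(self, flow: Flow, now: float) -> str:
        """Inside-to-outside traffic: inspect, then open the hole for the reply."""
        self.sessions[flow] = now
        return "permit"

    def inbound(self, flow: Flow, now: float) -> str:
        """Outside-to-inside traffic: permitted only as the reply to a live session."""
        key = flow.reverse()
        last = self.sessions.get(key)
        if last is None:
            return "deny"                        # nobody inside asked for this
        if now - last > self.idle_timeout:
            del self.sessions[key]               # idle timeout: close the hole
            return "deny"
        self.sessions[key] = now
        return "permit"

    def close(self, flow: Flow) -> None:
        """Application terminated (FIN/RST seen): remove the session's entry."""
        self.sessions.pop(flow, None)


def telnet_demo() -> dict:
    """The telnet example from the post, with the edge cases a bouncer has to handle."""
    fw = StatefulFirewall(idle_timeout=300)
    user = Flow("10.1.2.3", 51000, "198.51.100.20", 23)
    reply = user.reverse()
    results = {}
    results["outbound"] = fw.outbound(user, now=0)
    results["reply"] = fw.inbound(reply, now=1)
    results["unsolicited"] = fw.inbound(Flow("198.51.100.20", 23, "10.1.2.3", 51001), now=2)
    results["after_timeout"] = fw.inbound(reply, now=1000)
    fw.outbound(user, now=1000)                   # user reconnects
    fw.close(user)                                # and then ends the session
    results["after_close"] = fw.inbound(reply, now=1001)
    return results
```

The hole is keyed on the full 5-tuple, which is why the "unsolicited" packet from the same telnet server to a different client port is refused: matching only on the server's address and port would let anyone who noticed the session inject traffic at the client.
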

Friday, 4 May 2012

Secure Perimeter Routers and Disable Services and Logging

Last but not least, the 4th topic.

It is a must that networks be secured by some kind of security policy, and that policy has to be enforced at the perimeter. The perimeter routers must be secured to ensure that corporate LAN resources are protected from the outside world.

Ingress filtering blocks packets coming from outside the network that carry a source address from inside the network. This prevents spoofed packets pretending to come from internal hosts from entering the network.

Egress filtering blocks packets going out of the network that carry a source address not belonging to the inside of the network. This prevents any user within the network from launching IP spoofing attacks against external machines (and stops your network from being the apparent source of one).
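The ingress and egress filters above, expressed as the standard and extended access-lists described in the Access Control Lists post on this page. This is an added example in Python, not IOS configuration and not from the original post, but the rule fields mirror the access-list command and the evaluation follows the router's semantics: top-down, first match wins, implicit deny at the end, and a referenced-but-empty list permits everything. The 10.1.0.0/16 corporate LAN and the two rule sets are assumptions for the demo.

```python
"""Router ACL evaluation, added as an illustration of two posts on this page: the
standard vs extended access-lists post, and the ingress/egress filters of a perimeter
router above. Constructed in Python, not IOS configuration, but the rule fields mirror
the access-list command and the evaluation rules are the router's: top-down, first match
wins, implicit deny at the end, and a referenced-but-empty list permits everything.
The 10.1.0.0/16 corporate LAN and the rule sets are assumptions for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.1.0.0/16")   # assumed internal address space


@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    src: ipaddress.IPv4Network                 # a standard ACL matches on this only
    dst: ipaddress.IPv4Network = ANY           # the rest are extended-ACL fields
    proto: str = "ip"                          # "ip" (any), "tcp", "udp", "icmp"
    dport: Optional[int] = None                # destination port, tcp/udp only


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under acl, with IOS semantics."""
    if not acl:
        return "permit"                        # undefined/empty list: no filtering at all
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for rule in acl:                           # first match decides
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"                              # implicit deny any at the end


# Ingress filter: applied inbound on the Internet-facing interface.
INGRESS = [
    Rule("deny", INSIDE),                                   # outside packet claiming an inside source
    Rule("deny", ipaddress.ip_network("127.0.0.0/8")),      # loopback can never arrive from outside
    Rule("permit", ANY, INSIDE, "tcp", 443),                # extended entry: only HTTPS to inside hosts
    # implicit deny any: everything else from outside is dropped
]

# Egress filter: applied inbound on the LAN interface, so only real inside sources leave.
EGRESS = [
    Rule("permit", INSIDE),                                 # standard entry: source only
    # implicit deny any: a spoofed source address never makes it out
]


def classify(pkt: Packet, arriving_from_outside: bool) -> str:
    return evaluate(INGRESS if arriving_from_outside else EGRESS, pkt)
```

The egress list is a one-line standard ACL because the decision only needs the source address; the ingress list needs extended entries because "HTTPS to inside hosts" involves a destination, a protocol and a port. Order matters: if the HTTPS permit came first, a spoofed inside source on port 443 would be let through.
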

A perimeter router is the router that provides the connection to the untrusted network, also known as the Internet, and a local area network (LAN) connection to the trusted network, which is the internal network of the organisation. To secure the perimeter router we manage it through logging, disabling of unneeded services, software maintenance (patching) and configuration maintenance.

Why disable services? A hacker can use any service left running on the router to his advantage: gathering information about the router, executing a denial of service (DoS) attack, or attempting to gain unauthorized access. Therefore, disable every service on your perimeter router that you are not using or that is not necessary.

Logging works in many ways. One good way of doing it is setting a log severity level. The severity levels run from "more serious to less serious": level 0 (emergencies) is the most serious and level 7 (debugging) the least serious, and configuring a level means that messages at that level and all more serious levels are logged.
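The severity levels in practice, as an added example that is not part of the original post: a small Python filter (not IOS code) that parses the `<PRI>` prefix of syslog lines into facility and severity and keeps only what a router configured at a given level would forward, which on IOS is what `logging trap <level>` sets. The sample log lines are constructed for the demo; they use facility local7 (23), so PRI is 184 plus the severity.

```python
"""Router syslog severity filtering, added as an illustration (constructed, not IOS).
A syslog message starts with <PRI> where PRI = facility * 8 + severity, and severity
runs from 0 (emergencies, most serious) to 7 (debugging, least serious). A router
configured with a logging level N forwards every message whose severity is N or
lower, i.e. at least as serious. The sample lines below are made up for the demo
(facility local7 = 23, so PRI is 184 + severity)."""
import re
from typing import List, Optional, Tuple

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
LEVEL_BY_NAME = {name: level for level, name in enumerate(SEVERITY_NAMES)}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def parse_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Split a syslog line into (facility, severity, message); None if malformed."""
    match = _PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:                      # 24 facilities * 8 severities - 1
        return None
    return pri // 8, pri % 8, match.group(2)


def should_log(severity: int, configured_level: int) -> bool:
    """Lower number = more serious; log it if it is at least as serious as the threshold."""
    return severity <= configured_level


def filter_log(lines: List[str], level: str) -> List[Tuple[str, str]]:
    """Return (severity name, message) for each line a router at `level` would forward."""
    threshold = LEVEL_BY_NAME[level]
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            continue                    # malformed: do not guess, just skip
        _, severity, message = parsed
        if should_log(severity, threshold):
            kept.append((SEVERITY_NAMES[severity], message))
    return kept


# Constructed sample lines in the %FACILITY-SEVERITY-MNEMONIC style of IOS messages.
SAMPLE_LINES = [
    "<187>%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
    "<189>%SYS-5-CONFIG_I: Configured from console by vty0 (10.1.2.3)",
    "<190>%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4444) -> 10.1.0.5(23), 1 packet",
    "<191>%SAMPLE-7-DEBUG: constructed debug chatter",
    "<184>%SAMPLE-0-EMERG: constructed emergency",
    "<186>%SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed",
    "this line has no PRI and is ignored",
]

if __name__ == "__main__":
    for name, msg in filter_log(SAMPLE_LINES, "warnings"):
        print(name, msg)
```

Worth noticing when picking the level: at "warnings" the ACL denial on line three (severity 6, informational) is silently discarded, so a router meant to produce an audit trail of blocked traffic has to log at "informational" or higher, and the extra volume is the price.
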



Common Physical Threats to Routers & Switches, and Their Mitigation

HELLO THIRD TOPIC!!

There are 4 categories of Common Physical Threats to Router and Switch Installations.

They are :

1) Hardware Threats
2) Environmental Threats
3) Electrical Threats
4) Maintenance Threats

Hardware Threats

Any threats that are associated with physical damages to the routers and switches are all classified as hardware threats. Through controlled access to the facilities, one can mitigate these hardware threats. One can also provide security by ensuring that there is no access to the facility via the ceilings, AC ducts, windows or walls. Mitigation of hardware threats can also be done through the installation of security cameras and the logging of entry attempts.

Environmental Threats


Any threats that are associated with climatic conditions are environmental threats. Adequate ventilation in the facility and the maintenance of temperature and humidity levels are needed to mitigate such threats. In addition, one must ensure that the temperature and humidity levels are maintained in accordance with the specifications defined in the equipment documentation. Once all these parameters are in place, the ability to remotely manage and monitor the temperature and humidity controls is a necessity. Ensuring that the facility is free from electrostatic discharge (ESD) and magnetic interference is another way to mitigate environmental threats.

Electrical Threats

Some examples of electrical threats are spikes, inadequate power supply, noise and power loss. An uninterruptible power supply (UPS) is needed for all the devices you heavily rely on; a UPS provides protection against irregularities in your power distribution system. Ensure that there are redundant power supplies in the network devices that support them, and always keep spares at your facility. This measure reduces the downtime of your network should a failure occur.

Maintenance Threats


Things like poor cabling, faulty labelling or electronic devices without adequate ESD deterrents are all classified as maintenance threats. Make sure that the cables are labelled properly and that a proper labelling convention is followed. Properly labelled cables help in tracing cables in the facility and in troubleshooting. Ensure that the cables have smooth bends when going around corners: bending a cable tighter than its rated minimum bend radius damages it and degrades the signal.