WHAT IS VPN, you ask?
Well..VPN stands for Virtual Private Network.
It is an encrypted connection between private networks over a public network such as the internet.
Basically, it's like a condo in Singapore: it is scalable (can be big or small), it has security features built in, and only people with the proper authorisation and credentials can enter.
Here is a little image which hopefully can help in your understanding of VPN.
There are two types of VPN that's gonna appear in this post: Site-to-Site VPN and Remote VPN (as can be seen from the title).
---------------------------------------------------------------------------------------------------------------------
Site-to-Site VPN is simply an extension of the classic WAN (Wide Area Network). There are about 4 ways in which this can be done. Again, another image...
Note that its called Site-to-Site VPN, not Side-to-Side.
Just for convenience sake, Site-to-Site VPN shall now be called S2S VPN.
Now, a S2S VPN lets offices in multiple fixed locations establish secure connections with each other over a public network like the Internet. A S2S VPN extends the company's network, making the resources of every office available to all the others. One example would be a large company with multiple branches, worldwide or across the country.
From here, there are again 2 different types of S2S VPN.
Intranet-based: Multiple remote networks belonging to the same organisation connect together via an intranet VPN, so that each LAN joins a single WAN.
Extranet-based: Here an extranet VPN connects 2 or more different companies (partner, client, supplier, etc) together. The created extranet connects the different LANs, allowing them to work in a secure shared network environment while preventing access to each other's separate intranets. It's like buying a house together: both have access to the shared house but not to each other's own personal ones.
---------------------------------------------------------------------------------------------------------------------
There is the other kind of VPN, called the Remote VPN (remote-access VPN). It allows INDIVIDUAL USERS to establish secure connections with a remote computer network. These users can access the network's resources as if their computer were plugged directly into that network. An example would be Temasek Polytechnic (TP): they get their students to use a VPN (at home, at the library, in the toilet, etc) to connect to TP's resources as if the students were using the school's computers.
Now..apparently there are 2 components needed for a Remote VPN. One is a Network Access Server (NAS), A.K.A. Media Gateway, A.K.A. Remote-Access Server (RAS).
Why so many names??!! Well..because NAS can also mean Network-Attached Storage (which, I might add, has a totally different purpose from the thing stated above). OKAY, GOING BACK!
This RAS can either be a dedicated server or a software application running on a shared server. The client connects to this RAS from the Internet in order to use the VPN. As mentioned before, the user needs to enter his/her credentials to log in to the VPN. The RAS then checks those credentials itself or hands them to an authentication server running on the network.
The second thing needed for the Remote VPN is the client software. A user who wants to log in to his/her VPN needs a machine with an application capable of establishing and maintaining a connection to that VPN. Nowadays most operating systems have built-in clients for Remote VPNs, but some VPNs require their users to install a specific application, for their own security's sake or for other reasons entirely.
How this be working then???
The software sets up a tunnelled connection to the RAS, which the user identifies by its Internet address (IP address or hostname). The software also handles the encryption required to keep the connection all secure and hush-hush.
Large corporations or businesses with capable IT staff normally purchase, deploy and maintain their own Remote VPNs (because they can, and it is safer this way). Of course, if the company has the money, it can instead outsource its Remote VPN service to an Enterprise Service Provider (ESP). The ESP sets up a RAS for the paying company and keeps that RAS working just fine. But to leave a secure connection in the hands of another organisation..food for thought eh?
That's all I have time for. See ya around!
GOOD LUCK FOR ALL FORMS OF TERM TESTS, EXAMINATIONS AND ENJOY YOUR HOLIDAYS. SPEND THEM WELL, for there'll be reports and projects that won't be doing itself...
Friday, 1 June 2012
Public Key Infrastructure (Digital Cert)
Public Key Infrastructure (PKI) uses Public Key Technology [notice the similarities? =D]
And the technology involves the use of Digital Signatures [the title my friend, the title!]
Signatures...?? Do what one??
Well, they are used for
- Authentication [Identifying and confirming that you are who you say you are]
- Integrity [The data you sent is legit and has not been tampered with]
- Non-repudiation [You are unable to deny that you were the one who signed the data]
- Confidentiality is the one thing a signature does NOT give you. A signed message is still readable by anyone who intercepts it; keeping it secret is the job of the encryption side of PKI, where the message is encrypted with the recipient's public key so that only the holder of the matching private key can decrypt it.
Public Key Infrastructure is the combination of software, encryption technologies and services. Together these give organisations the capability to enforce security on any form of communication or business transaction on the world wide web. It incorporates digital certificates, public-key cryptography and certificate authorities into a shared network security architecture.
Now then..moving on to digital signatures..a digital signature is different from a digital certificate. Digital signatures are like the physical signature you put on a form or a letter, just done digitally. They can be used to authenticate the identity of the sender of a message or the signer of a document, as well as to ensure that the content of the message or document has not been tampered with.
Digital signatures are extremely portable and can be time-stamped, and nobody without the signer's private key can forge one. Because the signature is computed over the hash of the message, it cannot be copied onto a different message either: change one bit of the message and the verification fails. This is what lets the receiver prove that the signed message arrived intact, so the sender cannot repudiate it later. Signatures can be used on all kinds of messages, encrypted or not, just so that the receiver knows the message is from the right sender and the content is unchanged.
A digital certificate binds a public key to an identity and carries the digital signature of the certificate-issuing authority (CA), so that anyone holding the CA's public key can verify that the certificate is real. (Real verification also checks the validity period and whether the CA has revoked the certificate.)
Here is a breakdown of how it works..
1) You type out an email for your colleague.
2) Using some software, you compute a message hash (digest) of the email contents.
3) You sign the hash with your private key. This private key is one half of a key pair you generated yourself; what the certificate authority gives you is a certificate vouching for the matching public key, never the private key. (In textbook RSA, signing is literally "encrypting with the private key", which is where that phrasing comes from.)
4) The signed hash becomes your digital signature of the message, and is sent along with it.
5) Your colleague receives the email and computes his own hash of the received message.
6) Your colleague uses your public key (taken from your certificate) to recover the hash from the signature.
7) If the two hashes match, the message is from you and has not been changed; if they differ, either the message or the signature was tampered with.
Wednesday, 30 May 2012
IPSec (ESP, AH, DES, MD5, SHA, DH)
Disclaimer: All information stated in this post may not be purely correct or purely wrong, believing this is your own choice. You are free to reference to any sources of information online to cross-reference or even correct me in the Comments Section below.
Hello!~
Other people very fast, this week I very de slow...
SO NOW I GO DO!
IPSec!!
What's that sia?
-Protocol suite (Collection of protocols)
-used for securing Internet Protocol communications
How does it secure IP communications?
-IPSec authenticates and (with ESP) encrypts each IP packet of a communication session
But wait! That's not all!
-IPSec also includes protocols for establishing mutual authentication between..
Between who??
-Between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session (Meaning between the computers before the session starts, and also when agreeing on the keys to be used once session start)
Okay, I shall stop talking to myself now..
---------------------------------------------------------------------------------------------------------------------
IPSec is an end-to-end security scheme operating at the Internet Layer of the Internet Protocol Suite. It is able to protect data flows between the following:
- a pair of hosts (host-to-host)
- a pair of security gateways (network-to-network, for example a network router to network router)
- a security gateway to host (gateway-to-host)
If you're wondering what are the acronyms within the brackets beside "IPSec" stated in the title, then wonder-no-more! This post shall explain a few of them now, without any payment whatsoever!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
These 2 members of the protocol suite can be used on their own or together (one inside the other); they are not interchangeable, because only ESP can encrypt.
ESP (Encapsulating Security Payload) provides the following:
- Confidentiality [Limiting information access and disclosure to authorised users only. Basically it means something like a Need-To-Know basis: if you have no purpose accessing this information, then you're restricted from doing so. ESP does this by encrypting the packet payload.]
- Data-origin authentication [Verifying that the messages received were sent by the expected sender and have not been tampered with, as the messages may have passed through a lot of nodes to reach the destination and there is always a chance of someone tampering with them along the way]
- Connectionless integrity [Ensuring that each received packet has not been modified, tampered with or changed, checked per packet with no notion of a connection. Integrity here also includes anti-replay defences]
- Anti-replay service [A form of partial sequence integrity: each packet carries a sequence number and the receiver keeps a sliding window of recently seen numbers, so a captured packet that is re-sent later is dropped. This helps to counter denial of service attacks]
- Limited traffic-flow confidentiality [In tunnel mode the original IP header is encrypted too, so an observer sees only the two gateways talking and not the real endpoints, and padding can hide packet sizes. It is "limited" because timing and volume are still visible]
AH (Authentication Header) provides the following:
- Connectionless integrity [read above if you have not done so]
- Data-origin authentication [read above if you have not done so]
- Anti-replay service [read above if you have not done so]
Note that AH provides no confidentiality at all, and because its integrity check also covers the unchanging fields of the outer IP header (including the source and destination addresses), AH traffic does not survive NAT. That is why ESP is what you see in practice.
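The anti-replay service both AH and ESP list above, as an added example rather than code from the post or from any IPsec stack. It models only the receiver's sliding window over the 32-bit sequence number; the integrity-check (ICV) result is passed in as a boolean, because the window may only be updated for packets that authenticated, otherwise an attacker could inject bogus sequence numbers and make the receiver discard genuine traffic. The packet trace is constructed.

```python
"""IPsec-style anti-replay sliding window (64-packet window by default)."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => seq (highest - i) already received

    def _position(self, seq: int) -> str:
        """Classify seq against the window without changing any state."""
        if seq == 0:
            return "invalid"                       # the counter starts at 1
        if seq > self.highest:
            return "new"                           # right of the window: advance
        if self.highest - seq >= self.size:
            return "too_old"                       # left of the window: drop
        if (self.bitmap >> (self.highest - seq)) & 1:
            return "replay"                        # inside window, already seen
        return "in_window"

    def accept(self, seq: int, icv_ok: bool) -> bool:
        """Return True if the packet should be processed, updating the window.

        Replay check first (cheap), then the ICV result; only an authenticated
        packet is allowed to move the window or mark a slot.
        """
        pos = self._position(seq)
        if pos in ("invalid", "too_old", "replay"):
            return False
        if not icv_ok:
            return False                           # failed authentication: no state change
        if pos == "new":
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                    # whole window slid past; only seq is marked
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:                                      # in_window: mark the slot
            self.bitmap |= 1 << (self.highest - seq)
        return True


def replay_scenario():
    """Constructed packet trace (seq, icv_ok); returns the accept/drop decisions."""
    win = AntiReplayWindow(size=64)
    trace = [
        (1, True), (2, True), (3, True),  # normal start
        (2, True),                        # replayed packet 2: dropped
        (100, True),                      # big jump forward: accepted, window slides
        (36, True),                       # 100 - 36 = 64 >= size: too old, dropped
        (37, True),                       # 100 - 37 = 63: still inside, late arrival accepted
        (37, True),                       # second copy of 37: dropped as replay
        (101, False),                     # fails ICV: dropped, window does not advance
        (101, True),                      # genuine 101 arrives: accepted
    ]
    return [win.accept(seq, ok) for seq, ok in trace]
```

The window tolerates reordering (packet 37 arriving after 100) while still rejecting duplicates, which is what "partial sequence integrity" means in the list above.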
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Wednesday, 16 May 2012
Authentication, Authorization and Accounting
This week only got 1 post~~
About the AAA.
Then..next week Lab Test liao... T.T
Anywho....
Authentication, Authorization and Accounting (AAA)
- a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage and providing the information necessary to bill for services.
- these combined processes are considered important and much needed for effective network management and security.
Authentication, the first process, provides a way of identifying a user, typically by having the user enter a valid user name and a valid password before access is granted.
- This process is based on each user having a unique set of credentials for gaining access.
- The AAA server compares the credentials entered with the credentials database (which should hold salted password hashes, never the passwords themselves).
- If the credentials match, the user is granted access to the network.
- If there is no match, the user can't enter the network.
After Authentication comes Authorization. All users need to be given authorization to perform certain tasks.
- This process determines whether the user has the authority to perform a given task (eg. issuing commands).
- Authorization is the process of enforcing policies: determining what types or qualities of activities, resources or services a user is permitted.
- Usually Authorization happens right after Authentication.
- The moment a user is authenticated into the network, he/she is granted authorization for particular types of access or activity, and nothing more.
Last but not least is Accounting. It measures the resources a user consumes during access, possibly including the amount of system time or the amount of data the user has sent/received during a session.
- It's normally done by logging system statistics and usage information.
- Used for authorization control, billing, trend analysis, resource utilization and capacity planning activities.
AAA services are often provided by a dedicated AAA server, a program that performs all these functions.
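The three processes as one small server, added here as an example and not code from the post or from any real AAA product (RADIUS or TACACS+ servers do the same three jobs over the network). The user "alice", her password, her permitted commands and the session figures are all constructed. Two details the prose glosses over are made explicit: the credentials database stores salted PBKDF2 hashes rather than passwords, and the comparison is constant-time and takes the same time for an unknown user as for a wrong password.

```python
"""A minimal AAA server: authenticate, authorize, account."""
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000            # PBKDF2 work factor; raise as hardware gets faster


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AAAServer:
    def __init__(self):
        self._users = {}          # username -> (salt, password hash)
        self._policy = {}         # username -> set of permitted commands
        self._sessions = {}       # session id -> open accounting record
        self.accounting_log = []  # closed accounting records

    def add_user(self, username, password, allowed_commands):
        salt = os.urandom(16)     # per-user salt: identical passwords hash differently
        self._users[username] = (salt, _hash_password(password, salt))
        self._policy[username] = set(allowed_commands)

    # Authentication: are you who you say you are?
    def authenticate(self, username, password) -> bool:
        record = self._users.get(username)
        if record is None:
            _hash_password(password, b"\0" * 16)   # burn the same time for unknown users
            return False
        salt, expected = record
        return hmac.compare_digest(_hash_password(password, salt), expected)

    # Authorization: is this (already authenticated) user allowed to do this?
    def authorize(self, username, command) -> bool:
        return command in self._policy.get(username, set())

    # Accounting: what did the user consume?
    def session_start(self, username, now=None) -> str:
        session_id = os.urandom(8).hex()
        self._sessions[session_id] = {
            "user": username,
            "start": now if now is not None else time.time(),
            "bytes_in": 0,
            "bytes_out": 0,
        }
        return session_id

    def session_update(self, session_id, bytes_in=0, bytes_out=0):
        s = self._sessions[session_id]
        s["bytes_in"] += bytes_in
        s["bytes_out"] += bytes_out

    def session_stop(self, session_id, now=None) -> dict:
        s = self._sessions.pop(session_id)
        s["duration"] = (now if now is not None else time.time()) - s["start"]
        self.accounting_log.append(s)
        return s


def demo():
    """Runs one constructed user through all three A's; returns the observable results."""
    aaa = AAAServer()
    aaa.add_user("alice", "correct horse battery staple", ["show", "ping"])
    results = {
        "bad_password": aaa.authenticate("alice", "password123"),            # False
        "unknown_user": aaa.authenticate("mallory", "anything"),             # False
        "good_password": aaa.authenticate("alice", "correct horse battery staple"),  # True
        "may_show": aaa.authorize("alice", "show"),                          # True
        "may_configure": aaa.authorize("alice", "configure"),                # False
    }
    sid = aaa.session_start("alice", now=1000.0)
    aaa.session_update(sid, bytes_in=1500, bytes_out=320)
    record = aaa.session_stop(sid, now=1090.0)
    results["duration"] = record["duration"]      # 90.0 seconds of system time
    results["bytes_in"] = record["bytes_in"]      # 1500
    return results
```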
Friday, 11 May 2012
Access Control Lists & Context Based Access Control
Okay, this week got 2 topics to post on. Access Control Lists and Context-based Access Control.
For Access Control List, here is my info:
Access Control Lists (ACLs) are implemented in routers through the "access-list" command. ACLs are basically packet-classifying mechanisms that define which network traffic is permitted or denied when the list is applied to a router interface.
They come in two forms, standard and extended access-lists. The difference is that standard access-lists permit or deny based on the source IP address (or a range of source addresses) only, whereas extended access-lists look at both a source and a destination IP address or range. Extended access-lists can also permit or deny packets based on the protocol (TCP, UDP or ICMP) and on port numbers.
In summary, the factors that the lists can permit or deny on are..
Standard Access-List : 1 source IP address or a range of source IP addresses.
Extended Access-List : Source & destination IP address, protocol (TCP, UDP or ICMP) and destination port number.
The access-list is only checked when a packet enters or leaves an interface where the list is applied; entries are checked top to bottom and the first match decides. Other than that, it is separate from the routing functions of the router.
Applying an access-list that has not been defined means the router acts as though no access-list has been implemented and accepts all packets. The opposite trap is just as common: every defined access-list ends with an implicit "deny any", so a list that only contains deny statements blocks everything, and anything you forget to permit is dropped.
MOVING ON
__________________________________________________________________________________
Context Based Access Control (CBAC)
CBAC inspects the packets that pass through the firewall only if they are not specifically denied by an ACL. CBAC permits or denies specified TCP and UDP traffic through a firewall.
CBAC actually dynamically creates and deletes ACLs, and it also protects against DoS attacks.
Here's the situation
1) Packet traffic is inspected by CBAC.
2) CBAC creates a dynamic ACL that allows return traffic back through the firewall.
3) It continues to inspect the traffic and create and delete ACLs as required by the application, in addition to monitoring and protecting against application-specific attacks
4) CBAC detects when the application terminates or times out and removes ALL ACLs for that particular session.
Another example would be this:
1) User starts a telnet session
2) Return traffic for user's telnet session is permitted
3) Other telnet traffic is blocked.
CBAC is like the bouncer at a disco party where only invited people can go in.
It dynamically opens holes in the firewall so that invited traffic can pass through.
Many protocols support CBAC, and I would only name a few here.
TCP (Single channel)
UDP (Single channel)
RPC
FTP
TFTP
Unix R-commands
SMTP
HTTP (Java blocking)
and many many more!
CBAC also has other features like generating real-time alerts and audit trails.
The audit trail feature uses syslog to record network transactions (who connected where, and how much data moved), so point it at a separate syslog server rather than relying on the router's own buffer.
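Both halves of this post modelled in one piece of code: first-match ACL evaluation with the implicit "deny any", an applied-but-undefined list that permits everything, and CBAC-style inspection that lets only the return traffic of an inspected session back through. This is an added example, not code from the post or from Cisco IOS; the wildcard-mask matching mirrors the IOS notation, and the addresses, ports and the 30-second idle timeout are constructed.

```python
"""Extended ACL evaluation plus CBAC-style stateful inspection."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wild_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


ANY = ("0.0.0.0", "255.255.255.255")        # the 'any' keyword


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp 10.0.0.0 0.0.0.255 any eq 23'."""
    action: str                              # "permit" or "deny"
    proto: str = "ip"                        # "ip" matches every protocol
    src: tuple = ANY                         # (network, wildcard)
    dst: tuple = ANY
    dport: Optional[int] = None              # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wild_match(p.src, *self.src)
                and wild_match(p.dst, *self.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate_acl(entries, p: Packet) -> bool:
    """First matching entry wins. A defined list ends in an implicit 'deny any';
    an undefined (empty) list applied to an interface permits everything."""
    if not entries:
        return True
    for ace in entries:
        if ace.matches(p):
            return ace.action == "permit"
    return False


class InspectingFirewall:
    """Outbound packets the outbound ACL permits are inspected and recorded as a
    session; an inbound packet gets in only as the return half of a live session
    (the dynamic entry) or if the static inbound ACL permits it."""

    def __init__(self, outbound_acl, inbound_acl, idle_timeout=30.0):
        self.outbound_acl, self.inbound_acl = outbound_acl, inbound_acl
        self.idle_timeout = idle_timeout
        self.sessions = {}                   # 5-tuple of the outbound flow -> last seen

    def _expire(self, now):
        stale = [k for k, t in self.sessions.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.sessions[k]             # session idled out: dynamic entry removed

    def outbound(self, p: Packet, now: float) -> bool:
        self._expire(now)
        if not evaluate_acl(self.outbound_acl, p):
            return False                     # explicitly denied: never inspected
        self.sessions[(p.proto, p.src, p.dst, p.sport, p.dport)] = now
        return True

    def inbound(self, p: Packet, now: float) -> bool:
        self._expire(now)
        reverse = (p.proto, p.dst, p.src, p.dport, p.sport)
        if reverse in self.sessions:         # return traffic of an inspected session
            self.sessions[reverse] = now
            return True
        return evaluate_acl(self.inbound_acl, p)


def telnet_scenario():
    """The post's telnet example as a constructed packet trace; returns each decision."""
    inside = ("10.0.0.0", "0.0.0.255")
    fw = InspectingFirewall(
        outbound_acl=[Ace("permit", "tcp", src=inside, dport=23)],   # telnet out only
        inbound_acl=[Ace("deny")],                                   # nothing in by default
    )
    out = Packet("tcp", "10.0.0.5", "203.0.113.10", 40000, 23)
    back = Packet("tcp", "203.0.113.10", "10.0.0.5", 23, 40000)
    other = Packet("tcp", "203.0.113.10", "10.0.0.5", 23, 40001)
    web = Packet("tcp", "10.0.0.5", "203.0.113.10", 40002, 80)
    return [
        fw.outbound(out, now=0.0),           # True: permitted and inspected
        fw.inbound(back, now=1.0),           # True: return traffic of the live session
        fw.inbound(other, now=2.0),          # False: no session for this 5-tuple
        fw.inbound(back, now=40.0),          # False: session idled out (last seen at 1.0)
        fw.outbound(web, now=41.0),          # False: outbound ACL permits telnet only
    ]
```

The inbound list is a single "deny", which is the usual shape of a CBAC deployment: the static list keeps everything out, and the dynamic session entries are the only holes, opened when traffic goes out and closed when the session ends or idles.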
Friday, 4 May 2012
Secure Perimeter Routers and Disable Services and Logging
Last but not least, the 4th topic.
It is definitely a must that networks be secured using some kind of security policy and parameters. The perimeter routers must be secured to ensure that corporate LAN resources are protected from the outside world.
Ingress filtering blocks packets coming from outside the network that carry a source address from inside the network. This helps prevent packets with spoofed internal IP addresses from entering the network.
Egress filtering blocks packets going out of the network that carry a source address that is not from inside the network. This helps prevent any user within the network from launching IP spoofing attacks against external machines.
A perimeter router is the router that provides the connection to the untrusted network, also known as the Internet, while also connecting to the trusted network, which is the internal network of the organisation. To secure the perimeter router, we manage it through logging, disabling of services, software maintenance and configuration maintenance.
Why disable services? A hacker can use these services to his advantage to gather information about your router, execute a denial of service (DoS) attack, or attempt to gain unauthorised access. Therefore, disable every service on your perimeter router that you are not using or that is not necessary.
Logging works in many ways. One good way of doing it is setting a log severity level. The severity levels run from most serious to least serious: level 0 (emergencies) is the most serious and level 7 (debugging) the least serious. Setting a level makes the router log messages of that level and every more serious one, so level 6 logs everything except debugging. Send the logs to a separate syslog server and keep the router's clock synchronised, so that someone who compromises the router cannot simply erase the trail and the timestamps line up with other devices.
Common Physical Threats to Routers & Switches and Their Mitigation
HELLO THIRD TOPIC!!
There are 4 categories of Common Physical Threats to Router and Switch Installations.
They are :
1) Hardware Threats
2) Environmental Threats
3) Electrical Threats
4) Maintenance Threats
Hardware Threats
Any threats that are associated with physical damages to the routers and switches are all classified as hardware threats. Through controlled access to the facilities, one can mitigate these hardware threats. One can also provide security by ensuring that there is no access to the facility via the ceilings, AC ducts, windows or walls. Mitigation of hardware threats can also be done through the installation of security cameras and the logging of entry attempts.
Environmental Threats
Any threats that are associated with climatic conditions are environmental threats. Adequate ventilation in the facility and the maintenance of temperature and humidity levels are needed to mitigate such threats. In addition, one must ensure that the temperature and humidity levels are maintained in accordance with the specifications defined in the equipment documentation. Once all these parameters are in place, the ability to remotely manage and monitor the temperature and humidity controls is a necessity. Ensuring that the facility is free from electrostatic discharge (ESD) and magnetic interference is another way to mitigate environmental threats.
Electrical Threats
Some examples of electrical threats are spikes, inadequate power supply, noise and power loss. An uninterruptible power supply (UPS) is needed for all the devices you heavily rely on. A UPS provides protection against irregularities in your power distribution system. Ensure that network devices that support them have redundant power supplies, and always keep spares at your facility. This measure reduces the downtime of your network, should an outage occur.
Maintenance Threats
Things like poor cabling, faulty labelling or handling electronic devices without adequate ESD precautions are all classified as maintenance threats. Make sure that the cables are labelled properly and that a proper labelling convention is followed: properly labelled cables help in tracing cables in the facility and in troubleshooting. Ensure that cables have smooth bends when going around corners; sharp bends that violate a cable's minimum bend radius damage it and degrade the signal it carries.
There are 4 categories of Common Physical Threats to Router and Switch Installations.
They are :
1) Hardware Threats
2) Environmental Threats
3) Electrical Threats
4) Maintenance Threats
Hardware Threats
Any threats that are associated with physical damages to the routers and switches are all classified as hardware threats. Through controlled access to the facilities, one can mitigate these hardware threats. One can also provide security by ensuring that there is no access to the facility via the ceilings, AC ducts, windows or walls. Mitigation of hardware threats can also be done through the installation of security cameras and the logging of entry attempts.
Environmental Threats
Any threats that are associated with climatic conditions are environmental threats. Adequate ventilation in the facility and the maintenance of temperature and humidity levels are needed to mitigate such threats. In addition, one must ensure that the temperature and humidity levels are maintained in accordance to the specifications defined in the equipment documentation. Once all these parameters are in place, the ability to remotely manage and monitor the temperature and humidity controls is a necessity. Ensuring that the facility is free from electrostatic discharge (ESD) and magnetic interference is also another way to mitigate environmental threats.
Electrical Threats
Examples of electrical threats are voltage spikes, inadequate power supply, electrical noise and power loss. Every device you rely on heavily should sit behind an uninterruptible power supply (UPS); a UPS protects against irregularities in the power distribution system. Use redundant power supplies in the network devices that support them, and always keep spares on site. These measures reduce the downtime of the network when a power problem does occur.
Maintenance Threats
Poor cabling, faulty labelling and electronic components without adequate ESD protection are all classified as maintenance threats. Label the cables properly and follow a consistent labelling convention; properly labelled cables can be traced through the facility and make troubleshooting much faster. Route cables with gentle bends around corners (keeping within the cable's minimum bend radius) so that neither the cable nor the signal it carries is degraded.
Network/Port Address Translation
2nd Topic for the week!~
Network Address Translation(NAT)
Network Address Translation (NAT) is the process of mapping internal private IP addresses to a pool of global (public) IP addresses obtained from the Internet Service Provider.
It allows one-to-one and many-to-many IP translations.
When an organisation has many users, it is impractical to buy an equal number of public IP addresses from the ISP. Instead, the internal network is built with private IP addresses. Since the same private ranges are reused in countless private networks, they cannot be routed on the Internet, so something is needed to let those users reach it. That is where NAT comes in: the router rewrites the private source address of each outgoing packet to a public address (and does the reverse for the replies), so users on the private network can access the Internet as normal.
Port Address Translation(PAT)
Port Address Translation (PAT) is an extension of NAT that allows many devices on a local area network (LAN) to share a single public IP address. The goal of PAT is to conserve public IP addresses.
With PAT, several computers are translated to the exact same public IP address, but each connection is given a different source port. Many hosts can do this simultaneously, and the router still knows which computer an incoming reply belongs to because it keeps a table that maps each translated port back to the internal address and port that opened the connection.
PAT is also called NAT overload, port overloading, port-level multiplexed NAT and single address NAT.
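To make the translation table concrete, here is an added example (my own code, not part of the original post) that simulates what a PAT router does. The public address, the inside hosts and the packets are all made up from the RFC 5737 documentation ranges; the `PatRouter`, `Packet` and `demo` names are mine. It also shows the side effect a practitioner cares about: an inbound packet with no table entry is dropped, which is why hosts behind PAT are not directly reachable from the Internet.

```python
"""Toy Port Address Translation (PAT / NAT overload) table.

Added example, not code from the original post. It simulates the logic
a NAT router applies: many private hosts share one public IP address and
are told apart by the translated source port. All addresses below are
made up (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # assumption: the organisation's single public address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Keeps the translation table that makes PAT work."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port) -> public port handed out for it
        self.outbound: Dict[Tuple[str, int], int] = {}
        # public port -> (private ip, private port) that owns it
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite an outgoing packet's source to the public IP and a unique port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an incoming packet to the inside host that opened the
        connection, or return None: unsolicited inbound traffic has no
        table entry and is dropped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> Dict[str, Optional[Packet]]:
    """Two inside hosts using the same source port talk to the same web server."""
    router = PatRouter(PUBLIC_IP)
    out_a = router.translate_out(Packet("192.168.1.10", 49152, "198.51.100.5", 80))
    out_b = router.translate_out(Packet("192.168.1.11", 49152, "198.51.100.5", 80))
    # The server replies to whichever public port it saw; the table routes it home.
    reply_b = router.translate_in(Packet("198.51.100.5", 80, PUBLIC_IP, out_b.src_port))
    # A packet to a port nobody mapped (e.g. a scanner probing the public IP) is dropped.
    probe = router.translate_in(Packet("192.0.2.99", 4444, PUBLIC_IP, 5000))
    return {"out_a": out_a, "out_b": out_b, "reply_b": reply_b, "probe": probe}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

Both inside hosts use source port 49152, yet the server sees two different public ports (1024 and 1025 here), and the reply to 1025 is delivered to the second host. Real routers also age entries out and handle TCP state, which this toy leaves out.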
Perimeter Router, Internal Router & Firewall
First off,
Perimeter Router
You may be wondering..
What the hell is a Perimeter Router and what is its purpose??
A Perimeter Router is a router installed on a perimeter segment of a network.
A perimeter segment is the area which connects a network to an untrusted network, i.e. the part of the network that lies outside the corporate firewall.
Basically, a Perimeter Router is like the door to your house. It sits there and connects your house (your network) to the world (the whole Internet).
Its purpose is to provide a first, minimal layer of protection for the trusted network against untrusted networks, mainly by performing packet filtering on the traffic passing through it.
Because Perimeter Routers are directly reachable from the Internet, they are a frequent target of attackers looking for security vulnerabilities to exploit.
An unsecured perimeter router filters unwanted traffic poorly and is an easy target for Denial of Service (DoS) attacks, which can halt the network. A secured perimeter router, on the other hand, can block network reconnaissance (the gathering of information to prepare for an attack) and therefore many of the attacks that would follow it.
__________________________________________________________________________________
Up next would be...
Internal Router
An Internal Router sits behind the perimeter router, between the perimeter segment and the internal network. It is normally set up as a form of backup, so that should the perimeter router go down, whether due to an attack or a hardware fault, traffic can still flow within the internal network at all times.
Apart from that, it filters the traffic entering the internal network as well, giving a second layer of filtering should the perimeter router be compromised.
__________________________________________________________________________________
And last but not least for the topic is...
Firewall
A Firewall is a set of related programs, typically running on a network gateway device, that protects the resources of an internal network from users on other networks.
A Firewall can prevent outsiders from reaching private data and, by policy, can also stop internal users from reaching certain outside resources.
WEEK 2 WEek 2 Week 2 week 2
This week, I am going to blog about 4 different topics, so there'll be 4 different posts.
1) Perimeter Router, Internal Router & Firewall
2) Network/ Port Address Translation
3) Common Threats To Router and Switch Physical & Mitigation
4) Secure Perimeter Routers & Disable Services & Logging.
I'll start posting about the topics stated above right after this message..
OCP (Overseas Community Program) is coming right up most probably in our next Semester Break.
There will be NO subsidy, so you have to pay in full..
But all are encouraged to go.
Possible Countries are : Cambodia, Myanmar, China, Thailand, Germany, Britain, France, USA, and many more.
WHY WAIT?
Sign up now!
Thursday, 26 April 2012
Security Policy
Security Policy, whats that?
A Security Policy is the definition of what it means to be secure, whether for an organisation or for a system.
For an organisation, the security policy addresses the behaviour of its members as well as physical controls such as doors, walls and keys. For a system, it deals with constraints on functions, restrictions on access by external systems, and access control over users and programs.
In this post, I would type about a few types of Security Policies, just like the previous post. (:
Different kinds of Security Policies
First
Access Control is a security policy whereby different users are given different levels of accessing any form of resource. The resource can be a building, a certain room or digital information.
It is applied almost everywhere in our lives. Common examples are the keys to our homes or to our letter boxes. Even our bank cards are a form of access control, as only the card holder can access the money in the account.
The importance of access control is considerably high when certain information or equipment needs to be secured and kept safe.
Second
A Network Security Policy is a document that contains the rules for access to the computer network; it also states how those rules are enforced and gives the basic layout of the company's security or network security environment.
The document itself is usually long and drawn up by a committee, and it goes far beyond the simple purpose of "not letting anyone bad in". It can be complicated, with clauses that take time to understand, because it governs many important things ranging from data access, web-browsing permissions and passwords to encryption and more. It spells out each rule in detail, both for individual users and for groups of users within the company.
Third
Last but not least I would be posting about User Account Policy.
Again, it is a document, but one that contains the requirements that must be met for requesting and maintaining an account on the organisation's systems or network.
Massive sites like Facebook would most likely have their own User Account Policy implemented and given to all registering users to read and agree to it.
Some policy contents include things like
- who has the authority to approve account requests;
- who is allowed to use the resources (e.g. employees or students only);
- any citizenship or residency requirements;
- whether users are allowed to share accounts, and whether a user may have multiple accounts on a single host;
- the users' rights and responsibilities;
- when an account should be disabled and archived;
- how long an account may remain inactive before it is disabled;
- password construction and aging rules.
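Several of the items above (inactivity limits, password aging, no shared accounts) are rules a script can enforce rather than a person reading a spreadsheet. The following is an added example of my own, not from the original post: the policy limits, the accounts and the dates are made up, and the `AccountPolicy`, `Account`, `evaluate` and `audit` names are my assumptions.

```python
"""Evaluate accounts against a user account policy (simulation).

Added example, not from the original post. The policy limits, the
accounts and the dates below are all made up; they illustrate how the
inactivity, password-aging and shared-account rules from the list above
can be checked automatically instead of by hand.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class AccountPolicy:
    max_inactive_days: int = 90        # disable after this many days without a login
    max_password_age_days: int = 180   # force a password change after this
    min_password_length: int = 12
    allow_shared_accounts: bool = False


@dataclass(frozen=True)
class Account:
    name: str
    owners: List[str]        # more than one owner means a shared account
    last_login: date
    password_set: date
    password_length: int
    enabled: bool = True


def evaluate(acct: Account, policy: AccountPolicy, today: date) -> List[str]:
    """Return the policy violations for one account (empty list = compliant)."""
    findings: List[str] = []
    if not acct.enabled:
        return findings   # already disabled; nothing left to enforce
    if (today - acct.last_login).days > policy.max_inactive_days:
        findings.append("inactive too long: disable and archive")
    if (today - acct.password_set).days > policy.max_password_age_days:
        findings.append("password older than allowed: force change")
    if acct.password_length < policy.min_password_length:
        findings.append("password shorter than policy minimum")
    if len(acct.owners) > 1 and not policy.allow_shared_accounts:
        findings.append("shared account not permitted")
    return findings


def audit(accounts: List[Account], policy: AccountPolicy, today: date) -> Dict[str, List[str]]:
    """Run every account through the policy and collect the findings by name."""
    return {a.name: evaluate(a, policy, today) for a in accounts}


# Constructed accounts, not real data.
SAMPLE_ACCOUNTS = [
    Account("alice", ["alice"], date(2012, 4, 20), date(2012, 1, 10), 16),
    Account("bob", ["bob"], date(2011, 12, 1), date(2011, 9, 1), 8),
    Account("labadmin", ["carol", "dave"], date(2012, 4, 25), date(2012, 3, 1), 14),
    Account("old-intern", ["erin"], date(2011, 6, 1), date(2011, 6, 1), 6, enabled=False),
]


def audit_sample() -> Dict[str, List[str]]:
    """Audit the constructed accounts as of 26 April 2012 (the post's date)."""
    return audit(SAMPLE_ACCOUNTS, AccountPolicy(), date(2012, 4, 26))


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(f"{name}: {findings or 'compliant'}")
```

With these made-up records, `alice` is compliant, `bob` trips all three per-user rules, `labadmin` is flagged only for being shared, and the already-disabled `old-intern` account produces nothing because the policy's "disable and archive" step has already happened.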
The End
Common Networking Attacks Threats and Solution
Definition of Network Attack
Basically any method, way or means that is used to intentionally compromise any form of network security can be considered as a Network Attack.
How many Network Attacks are there?
Honestly, too many for me to read on the Internet and type here. So I'll just post about a few, hopefully in words you and I can understand. Moving on...
Any information after this sentence should pertain to the subject or topic that is "Common Network Attacks", do feel free to comment about anything on this blog or its posts as long as it is made in a polite and friendly manner. (:
Or else I will find you and hunt you down.
I'm serious.
I don't joke.
HAHAHA
Okay okay, I hope you're enjoying this post as much as I have enjoyed typing this out for you all!
Back to work!
First
Data modification or data manipulation is a form of network attack where changes are made to private company data after it has been intercepted: the data is altered, replaced or deleted. The attack is considered successful when neither the sender nor the receiver realises that the data has been tampered with.
Solutions:
1) Back up the important data (yours or the company's) regularly, so that a tampered copy can be compared with, and restored from, a known-good one.
2) Implement Access Control Lists (ACLs) so that only the few qualified people you trust have permission to modify your data.
3) Add integrity checks to your applications that validate the data they receive, for example a keyed message authentication code (MAC) or a digital signature, so that data which has been tampered with in transit is detected and rejected.
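Solution 3 is easiest to see in code. The following is an added example of mine, not from the original post: the sender appends an HMAC-SHA256 tag computed with a key that only the two ends know, and the receiver recomputes it and rejects anything that no longer matches. The key, the message and the `protect`, `verify` and `tamper` names are all my assumptions.

```python
"""Detect data modification in transit with a keyed integrity tag (HMAC).

Added example, not code from the original post. The sender appends an
HMAC-SHA256 tag computed with a key only the two ends know; the receiver
recomputes the tag and rejects any message that no longer matches.
The key and the message are made up.
"""
import hashlib
import hmac
import json
from typing import Optional

SHARED_KEY = b"example-key-known-only-to-sender-and-receiver"   # assumption: pre-shared


def protect(payload: dict, key: bytes = SHARED_KEY) -> bytes:
    """Serialise the payload canonically and append its HMAC tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify(message: bytes, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Return the payload if the tag checks out, otherwise None (reject)."""
    body, sep, tag = message.rpartition(b"|")
    if not sep:
        return None                                    # no tag at all
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):          # constant-time comparison
        return None
    return json.loads(body)


def tamper(message: bytes, old: bytes, new: bytes) -> bytes:
    """What a man-in-the-middle does: edit the body without knowing the key."""
    return message.replace(old, new, 1)


if __name__ == "__main__":
    wire = protect({"account": "A-100", "amount": 50})
    print("original :", verify(wire))
    altered = tamper(wire, b'"amount":50', b'"amount":5000')
    print("tampered :", verify(altered))
```

A plain unkeyed hash would not help here, because the attacker could simply recompute it after editing the body; the key is what stops that. Note what the tag does not give you: it hides nothing (the body is still readable by an eavesdropper) and it does not stop an attacker replaying an old, validly tagged message, which needs a sequence number or nonce inside the protected body.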
Second
Eavesdropping is done when the perpetrator, like some sort of stalker, snoops on your network traffic and reads any data he can find. How much he understands depends entirely on the level of protection applied to your data: cleartext can be read directly, while encrypted traffic reveals only who is talking to whom and how much.
Solutions:
1) Use Internet Protocol Security (IPsec) to protect your data by encrypting it before it is sent over the network, so a sniffer captures only ciphertext.
2) Security policies and procedures (who may connect devices to the network, how switch ports are secured) are another way to reduce the chance of a sniffer being placed on the network in the first place.
Note: a sniffer is software or hardware that lets its user intercept and log the traffic moving over a network.
Third
IP address spoofing is, in simple terms, identity theft IP style. The attacker forges the source IP address of his packets so that they appear to come from a valid address belonging to the targeted company. Having done so, he does his utmost to discover the other computers on the network. Since many IP networks associate users with their IP addresses, the forged packets pass through the routers and end up wherever the attacker wishes. He can then redirect the flow of traffic or launch a Denial of Service (DoS) attack.
Solutions:
1) Encrypt and authenticate the traffic between routers and external hosts (e.g. with IPsec), so that a forged source address alone is not enough to be trusted.
2) Implement ingress filters on the perimeter router to drop any inbound packet arriving from the Internet whose source address belongs to the trusted internal network; such a packet cannot be legitimate and is almost certainly spoofed.
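Solution 2 is the same packet filtering that the Perimeter Router section earlier described as the router's main job, so one added example serves both: my own simulation (not code from the original post) of the anti-spoofing ingress and egress rules a perimeter router applies. It assumes the internal network is 10.0.0.0/8 and that the filter knows which interface each packet arrived on; the `filter_packet` and `run_filter` names and the sample packets are my assumptions.

```python
"""Anti-spoofing ingress/egress filter for a perimeter router (simulation).

Added example, not code from the original post. It assumes the trusted
internal network is 10.0.0.0/8 (an assumption) and that the filter sees
each packet together with the interface it arrived on. Rules: drop
inbound packets from the Internet that claim an internal or otherwise
impossible (bogon) source, and drop outbound packets whose source is not
one of our own addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: our address space

# Sources that must never arrive on the outside interface: private ranges,
# loopback, "this network", link-local and multicast.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str      # "outside" (Internet-facing) or "inside"
    src: str
    dst: str
    dst_port: int


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("permit" | "drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside":
        # Ingress filtering: the Internet cannot legitimately send us our own addresses.
        if src in INTERNAL_NET:
            return "drop", "ingress: source claims to be internal (spoofed)"
        if any(src in net for net in BOGONS):
            return "drop", "ingress: bogon source"
        return "permit", "ingress: ok"
    if pkt.iface == "inside":
        # Egress filtering: stop our own hosts from spoofing someone else.
        if src not in INTERNAL_NET:
            return "drop", "egress: source is not ours (spoofed from inside)"
        return "permit", "egress: ok"
    return "drop", "unknown interface"


def run_filter(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Apply the filter to a list of packets, keeping the verdict and reason."""
    return [(p, *filter_packet(p)) for p in packets]


# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("outside", "198.51.100.7", "10.1.1.80", 443),   # normal inbound
    Packet("outside", "10.1.2.3", "10.1.1.80", 22),        # spoofed internal source
    Packet("outside", "192.168.1.1", "10.1.1.80", 80),     # bogon source
    Packet("inside", "10.2.3.4", "198.51.100.7", 443),     # normal outbound
    Packet("inside", "203.0.113.9", "198.51.100.7", 53),   # inside host spoofing
]

if __name__ == "__main__":
    for pkt, verdict, why in run_filter(SAMPLE):
        print(f"{verdict:6} {pkt.iface:7} {pkt.src:>14} -> {pkt.dst}:{pkt.dst_port}  ({why})")
```

The egress rule is the half people forget: it does not protect you, it stops your network from being the source of spoofed packets in someone else's DoS attack. On a real router the same logic is written as access lists bound to each interface rather than Python, but the decisions are identical.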
The End
I have come to the end of my first post, and I do hope you all have enjoyed reading this little brief introduction on a few network attacks.
Wednesday, 25 April 2012