Friday, 25 May 2012

Public Key Infrastructure (Digital Cert )



public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates

A digital certificate is a digital form of identification, much like a passport or driver's license. A digital certificate is a digital credential that provides information about the identity of an entity as well as other supporting information. A digital certificate is issued by an authority, referred to as a certification authority (CA). Because a digital certificate is issued by a certification authority, that authority guarantees the validity of the information in the certificate. Also, a digital certificate is valid for only a specific period of time.


Digital certificates provide support for public key cryptography because digital certificates contain the public key of the entity identified in the certificate. Because the certificate matches a public key to a particular individual, and that certificate's authenticity is guaranteed by the issuer, the digital certificate provides a solution to the problem of how to find a user's public key and know that it is valid. These problems are solved by a user obtaining another user's public key from the digital certificate. The user knows it is valid because a trusted certification authority has issued the certificate.

In addition, digital certificates rely on public key cryptography for their own authentication. When a digital certificate is issued, the issuing certification authority signs the certificate with its own private key. To validate the authenticity of a digital certificate, a user can obtain that certification authority's public key and use it against the certificate to determine if it was signed by the certification authority.




Posted by at 2 comments:

IPSec (ESP, AH, DES, MD5, SHA, DH)


Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.


Encapsulation Security Payload (ESP) provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection. ESP also provides all encryption services in IPSec. Encryption translates a readable message into an unreadable format to hide the message content. The opposite process, called decryption, translates the message content from an unreadable format to a readable message. Encryption/decryption allows only the sender and the authorized receiver to read the data. In addition, ESP has an option to perform authentication, called ESP authentication. Using ESP authentication, ESP provides authentication and integrity for the payload and not for the IP header.

Authentication Headers (AH) provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality, which means it does not encrypt the data. The data is readable, but protected from modification. AH uses the HMAC algorithms described earlier to sign the packet for integrity.

Data Encryption Standard (DES) - also known as DEA (Data Encryption Algorithm) was one of the most popular forms of encryption and variants, such as Triple DES/3DES are still considered strong and fast and are actively used in banking and commerce.

Message Digest 5 (MD5) is a well-known cryptographic hash function with a 128-bit resulting hash value. MD5 is widely used in security-related applications, and is also frequently used to check the integrity of files.

Secure Hash Algorithm (SHA) is a hashing algorithm. It is used for password (and other important info) hashing. SHA is used to create digital signatures of the data. By running the algorithm on the data, we produce the hash value (also known as signature). If the data changes in any way, the signature will not match and thus we would know that the data has been compromised/tampered with. It’s not an encryption algorithm. SHA cannot be used for encryption. We use SHA1 on earlier versions (before SEE 8.0.0) and SHA2 on SEE 8.0.0 and above for hashing.

Diffie-Hellman (DH) is a specific method of exchanging cryptographic keys. It  is a public-key cryptography protocol which allows two parties to establish a shared secret key used by encryption algorithms (DES or MD5, for example) over an insecure communications channel.



Reference:
http://en.wikipedia.org/wiki/IPsec
http://documentation.netgear.com/reference/ita/vpn/VPNBasics-3-05.html
http://documentation.netgear.com/reference/ita/vpn/VPNBasics-3-05.html
http://www.symantec.com/business/support/index?page=content&id=TECH161577
Posted by at 2 comments:

Friday, 18 May 2012

Authentication, Authorization and Accounting


In computer security, AAA commonly stands for authentication, authorization and accounting. It is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.

As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access. The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied.
Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity.
The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

Benefits of Using AAA

AAA provides the following benefits:
• Increased flexibility and control of access configuration
• Scalability
• Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
• Multiple backup systems
Authentication, authorization, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. A current standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS).
References:
http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting


Posted by at 3 comments:

Saturday, 12 May 2012

Access Control Lists

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice, delete), this would give Alice permission to delete the file.

How ACLs work
A router acts as a packet filter when it forwards or denies packets according to filtering rules. As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.
 To simplify how ACL or a router uses packet filtering work, imagine  a guard stationed at a locked door. The guard's instruction is to allow only people whose names appear on a quest list to pass through the door. The guard is filtering people based on the condition of having their names on the authorized list.
When a packet arrives at the router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be dropped. Packet filtering process works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.

Why use ACLs
*   Limits network traffic to increase network performance.
*   ACLs provides traffic flow control by restricting the delivery of routing updates.
*   It can be used as additional security.
*   Controls which type of traffic are forwarded or blocked by the router.
*   Ability to control which areas a client access.

References:
http://en.wikipedia.org/wiki/Access_control_list
http://www.orbit-computer-solutions.com/Access-Control-Lists-(ACL).php
Posted by at 2 comments:

Friday, 4 May 2012

Secure Perimeter Routers & Disable Services & Logging


It is imperative that the networks be secured using some kind of security policy and parameters. The perimeter routers must be secured so that the corporate LAN resources are protected from the outside world. Perimeter security comes in different forms. If you have a small network with only one router separating you from the rest of the world, it becomes imperative that the perimeter router be secured. This security helps you protect your internal resources.

Here is an example of how to disable insecure and unnecessary services via commands:
 
Router(config)# no cdp run
 
Router(config)# no service tcp-small-servers
 
Router(config)# no service udp-small-servers
 
Router(config)# no ip finger
 
Router(config)# no ip identd
 
Router(config)# no service finger
 
Router(config)# no ip source-route
 
Router(config)# no ftp-server enable
 
Router(config)# no ip http server
 
Router(config)# no ip http secure-server
 
Router(config)# no snmp-server community public RO
 
Router(config)# no snmp-server community private RW
 
Router(config)# no snmp-server enable traps
 
Router(config)# no snmp-server system-shutdown
 
Router(config)# no snmp-server trap-auth
 
Router(config)# no snmp-server
 
Router(config)# no ip domain-lookup
 
Router(config)# no ip bootp server
 
Router(config)# no service dhcp
 
Router(config)# no service pad
 
Router(config)# no boot network
 
Router(config)# no service config
 
Router(config)# interface ethernet 0
 
Router(config-if)# no ip proxy-arp
 
Router(config-if)# no ip directed-broadcast
 
Router(config-if)# no ip unreachable
 
Router(config-if)# no ip redirect
 
Router(config-if)# no ip mask-reply
 
Router(config-if)# exit
 
Router(config)# interface ethernet 1
 
Router(config-if)# no ip proxy-arp
 
Router(config-if)# no ip directed-broadcast
 
Router(config-if)# no ip unreachable
 
Router(config-if)# no ip redirect
 
Router(config-if)# no ip mask-reply
 
Router(config-if)# exit
 
Router(config)# service tcp-keepalives-in
 
Router(config)# service tcp-keepalives-out
 
Router(config)# username admin1 privilege 15 secret geekboy
 
Router(config)# hostname Bullmastiff
 
Bullmastiff(config)# ip domain-name quizware.com
 
Bullmastiff(config)# crypto key generate rsa
 
Bullmastiff(config)# line vty 0 4
 
Bullmastiff(config-line)# login local
 
Bullmastiff(config-line)# transport input ssh
 
Bullmastiff(config-line)# transport output ssh

reference:
http://etutorials.org/Networking/Router+firewall+security/Part+II+Managing+Access+to+Routers/Chapter+4.+Disabling+Unnecessary+Services/Manual+Configuration+Example+of+Disabling+Services+on+a+Perimeter+Router/


Posted by at 1 comment:

Common Threats to Router and Switch Physical &Mitigation


Physical Installations involve four types of threats:
hardware, electrical, environmental, and maintenance.

Hardware threats

Hardware threats involve threats of physical damage to the router or switch hardware. Mission-critical Cisco network equipment should be located in wiring closets or in computer or telecommunications rooms that meet these minimum requirements:

·                     The room must be locked with only authorized personnel allowed access.
·                     The room should not be accessible via a dropped ceiling, raised floor, window, ductwork, or point of entry other than the secured access point.
·                     If possible, use electronic access control with all entry attempts logged by security systems and monitored by security personnel.
·                     If possible, security personnel should monitor activity via security cameras with automatic recording.
Hardware threats involve physical damage to network components, such as servers, routers, and switches

Electrical threats

Electrical threats include irregular fluctuations in voltage, such as brownouts and voltage spikes, Electrical threats, such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss, can be limited by adhering to these guidelines:

·                     Install uninterruptible power supply (UPS) systems for mission-critical Cisco network devices.
·                     Install backup generator systems for mission-critical supplies.
·                     Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturer-suggested preventative maintenance schedule.
·                     Install redundant power supplies on critical devices.
·                     Monitor and alarm power-related parameters at the power supply and device levels.


        Environmental threats

Environmental threats include very low or high temperatures, moisture, electrostatic, and magnetic Interference Environmental threats, such as temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry), also require mitigation. Take these actions to limit environmental damage to Cisco network devices:

·                     Supply the room with dependable temperature and humidity control systems. Always verify the recommended environmental parameters of the Cisco network equipment with the supplied product documentation.
·                     Remove any sources of electrostatic and magnetic interference in the room.
·                     If possible, remotely monitor and alarm the environmental parameters of the room.


      Maintenance threats

Maintenance threats include not having backup parts or components for critical network components; not labeling components and their cabling correctly Maintenance threats include poor handling of key electronic components, electrostatic discharge (ESD), lack of critical spares, poor cabling, poor labeling, and so on. Maintenance-related threats are a broad category that includes many items. Follow the general rules listed here to prevent maintenance-related threats:

·                     Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection, or incorrect termination.
·                     Use cable runs, raceways, or both to traverse rack-to-ceiling or rack-to-rack connections.
·                     Always follow ESD procedures when replacing or working with internal router and switch device components.
·                     Maintain a stock of critical spares for emergency use.
·                     Do not leave a console connected to and logged into any console port. Always log off administrative interfaces when leaving a station.
·                     Do not rely upon a locked room as the only necessary protection for a device. Always remember that no room is ever totally secure. After intruders are inside a secure room, nothing is left to stop them from connecting a terminal to the console port of a Cisco router or switch.


reference:
http://earnkori.blogspot.com/2012/02/network-security-mitigating-common.html

Posted by at 1 comment:

Network / Port Address Translation


Network Address Translation (NAT) is a technique which may be used in a routing device to convert between a "public" and a "private" address. Packet headers are rewritten as necessary; for some protocols it may be necessary to rewrite addresses embedded within the packet body for correct operation.
Port Address Translation (PAT), is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.
Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the home network's router. When Computer X logs on the Internet, the router assigns the client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on the Internet at the same time, the router assigns it the same local IP address with a different port number. Although both computers are sharing the same public IP address and accessing the Internet at the same time, the router knows exactly which computer to send specific packets to because each computer has a unique internal address.
Port Address Tranlation is also called porting, port overloading, port-level multiplexed NAT and single address NAT.

The following video may explain Network and Port address:






references:
http://searchnetworking.techtarget.com/definition/Port-Address-Translation-PAT
http://www.oucs.ox.ac.uk/network/nat/
http://www.youtube.com/watch?v=tZRgSrgEvd0
Posted by at No comments:
Subscribe to: Comments (Atom)