Saturday, June 2, 2012

Site to Site VPN, Remote VPN

VPNs, or Virtual Private Networks, allow remote users to use a public infrastructure with the same network connectivity they would have in a private network, e.g. an employee of Prudential is able to access a customer's information while outside the company's private network.

Convenient as it may seem, before creating a VPN certain measures must be taken to provide authenticity, data integrity and encryption, so as to ensure that users are who they say they are and that the data is kept in an unreadable format, providing confidentiality and integrity.

There are two main types of VPNs: Site-to-Site (LAN-to-LAN) and Remote Access VPN.

Firstly, the main feature of a Site-to-Site VPN (StS) is that it allows users on two separate LANs to communicate and interact with each other as if they were in the same building, e.g. an HQ LAN in the UK communicating with a branch LAN in Singapore. This is possible because of one feature: tunnelling. The VPN creates a private tunnel between the two LANs through the internet. This tunnel, however, needs to be secured, which can be done with technologies such as SSL, IPSec, GRE, MPLS, PPTP, MPPE, L2TP and L2F. These options are able to secure the Application Layer, the Transport/Network Layer and the Physical Layer.

Remote Access VPN, on the other hand, is designed for mobile users and home telecommuters (the Prudential example above). Tunnelling is also required in this service, but different technologies and protocols are needed to secure a Remote Access VPN.

How does a Remote Access VPN work?

Easy: with a VPN server such as Easy VPN and a VPN client such as the Cisco VPN Client. The steps required are listed below:

  1. The VPN Client initiates the IKE (Internet Key Exchange) Phase 1 process.
  2. The VPN Client establishes an IKE SA.
  3. The VPN server accepts the SA proposal.
  4. The VPN server initiates a username/password challenge.
  5. The mode configuration process is initiated. 
  6. The Reverse Route Injection (RRI) process is initiated.
  7. IKE quick mode completes the connection.

In conclusion, these are overviews of the two main types of VPN available. Thank you for taking the time to read. (:

Saturday, May 26, 2012

Public Key Infrastructure (Digital Cert)

The Public Key Infrastructure (PKI) is a security architecture designed to give users confidence, in the form of security, while exchanging information over an increasingly insecure internet.

As the PKI is an umbrella for the methods, technologies and techniques that provide a secure internet, including the use of a public/private key pair for authentication and proof of content, the PKI is able to provide:

  • certainty of the quality of information sent and received electronically
  • certainty of source and destination of that information
  • certainty of the privacy of the information 
  • as well as assurance that the information will be kept in such a way that it can be introduced as evidence in a court of law.

The PKI also includes a certificate authority (CA), which issues and verifies the digital certificate: an electronic document that uses a digital signature to bind a public key to an identity, i.e. the name or address of a person or organization. The certificate is used to verify that a public key belongs to the correct individual.

As stated above, the digital certificate provides a method of storing the public key; storing the private key, however, requires stronger measures. Passwords or biometrics such as thumbprints can be used to protect a private key, because an attacker who obtains the private key gains access to more sensitive information about the user or his/her organization.

Another component of the PKI is the Registration Authority (RA), which works on behalf of a CA. The RA performs the necessary checks on the person or company requesting the certificate so as to ensure they are really who they say they are. The RA may appear to be a CA to the applicant, but it does not sign or validate the issued certificate. Its purpose is therefore to ensure that the CA issues certificates only to trusted people or companies.

IPSec (ESP, AH, DES, MD5, SHA, DH)

A communication session between users could include the sharing of sensitive information or classified documents, so methods are needed to secure and protect such sessions. Internet Protocol Security, or IPSec, is a protocol whose purpose is to secure IP communications: it is used to encrypt as well as authenticate each IP packet sent during the session.

However, implementing IPSec involves many complex features to consider. One reason for this complexity is that IPSec provides mechanism, not policy. Rather than prescribing a single encryption algorithm or authentication function, IPSec is built as a framework able to provide almost any service that both ends require.

Although there are many more protocols, this post will only cover three of them.

One protocol used by IPSec is ESP, the Encapsulating Security Payload. This protocol encapsulates (surrounds) the data and encrypts it, ensuring that the payload sent over the wire is in an unreadable format. Overall, ESP provides data confidentiality, integrity, limited traffic-flow confidentiality and anti-replay protection. Although it does not protect (encrypt) the IP header, ESP has an authentication function, but only over its own header and the encrypted payload.

AH, the Authentication Header, sends its payload in clear text, as this protocol does not provide an encryption service. Instead, AH's main purpose is to authenticate the payload, and technically it is possible, though rare, to use AH and ESP together, providing both authentication and encryption. AH provides data integrity through authentication using a keyed-hash mechanism, and origin authentication: confirmation that packets definitely originated from the peer router. It also provides optional replay protection; a replay is a form of attack in which perpetrators capture data physically from the cables/wires and re-inject it onto the wire at a later time.
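As an added illustration (not part of the original post), the following Python models the two AH services just described, a keyed-hash integrity check and a sliding anti-replay window; the packet layout, key and window size are constructed assumptions, not IPSec's real AH format.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # truncated HMAC-SHA256 tag; a constructed choice, not AH's real layout


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Return seq (4 bytes, big-endian) + payload + ICV over both.

    Because the sequence number is covered by the keyed hash, an attacker
    cannot simply renumber a captured packet to slip past the replay check.
    """
    body = struct.pack(">I", seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class AHReceiver:
    """Verifies the ICV, then enforces a sliding anti-replay window."""

    def __init__(self, key: bytes, window: int = 32):
        self.key = key
        self.window = window
        self.highest = 0    # highest sequence number accepted so far
        self.seen = set()   # accepted sequence numbers still inside the window

    def accept(self, packet: bytes):
        """Return (accepted, reason) for one received packet."""
        if len(packet) < 4 + ICV_LEN:
            return False, "too short"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            return False, "bad ICV"
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.highest - self.window:
            return False, "outside replay window"
        if seq in self.seen:
            return False, "replayed"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            # drop numbers that have slid off the left edge of the window
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True, "ok"
```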

DES, the Data Encryption Standard, encrypts the payload data as well. It uses matching shared secret keys on each peer and includes the encryption/decryption algorithms. A DES encryption process runs as follows:
  1. Firstly, the shared secret key is supplied to the algorithm; the payload is then fed into the algorithm in fixed-length blocks and converted into ciphertext, i.e. encrypted.
  2. The encrypted data is transmitted to the IPSec peer via ESP.
  3. The peer receives the ESP packet, extracts the ciphertext and decrypts it with the decryption algorithm, which reveals the payload in a readable format.

Thursday, May 17, 2012

AAA (Authentication, Authorization, Accounting)

Basically, the skeleton of a Network Security Architecture comprises three main components, Authentication, Authorization and Accounting, as these three functions answer three core questions about the user: Who are you? (Authentication), What can you do/access? (Authorization) and What did you do, for how long and how often? (Accounting).

Through these questions, the system is able to validate and identify the users of its services as well as produce a log of their activities.

Various technologies can be used to implement each component. In Authentication, devices such as token cards or one-time passwords can be used to match valid users; ageing passwords or static passwords can also be assigned to users or created by them, which of course increases usability but results in a weaker form of authentication. An example of one-time passwords in use is a list of one-time passwords generated by a hash function and sent to the user over the network, whereby the workstation accepts each password for one day only.
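One concrete form of the hash-generated one-time-password list mentioned above is a Lamport/S/KEY-style hash chain; the Python below is an added example, not from the original post, with a constructed seed and chain length.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def generate_otp_list(seed: bytes, count: int):
    """Build a hash chain from a secret seed.

    chain[0] = H(seed), chain[i] = H(chain[i-1]). The last value is the anchor
    the server stores; the user gets the earlier values in reverse order, so
    each password is the pre-image of whatever the server currently holds.
    """
    chain = [_h(seed)]
    for _ in range(count):
        chain.append(_h(chain[-1]))
    anchor = chain[-1]
    passwords = chain[-2::-1]     # chain[count-1], ..., chain[0]
    return anchor, passwords


class OTPServer:
    """Holds only the current anchor; never stores the passwords themselves."""

    def __init__(self, anchor: bytes):
        self.current = anchor

    def verify(self, password: bytes) -> bool:
        # A valid password hashes to the stored value. Accepting it moves the
        # anchor one step back along the chain, so a captured (or replayed)
        # password is useless afterwards, and a later password cannot be used
        # early because it would need several hashes to reach the anchor.
        if hmac.compare_digest(_h(password), self.current):
            self.current = password
            return True
        return False
```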

Authorization is the function that determines whether a user is allowed to perform certain tasks or use certain applications/programs. Authorization can be decided by restrictions such as physical location, time of day, or multiple entries by the same user. The types of services in Authorization include IP address filtering, encryption, route assignment, bandwidth control, etc.

Finally, Accounting, whose main function is logging the network resources consumed by users, is required for purposes such as capacity management, trend analysis, cost allocation and billing, as well as for recording failures in the Authentication and Authorization components. Accounting can be implemented in batch mode, where accounting information is saved and delivered at a later time, or in real time, where it is delivered concurrently with the consumption of resources. The information gathered includes the identity of the user, the nature of the service delivered, the time frame of the service and whether there is a status to report.

Saturday, May 12, 2012

Context-Based Access Control (CBAC)

Context-Based Access Control, or CBAC, is an enhanced access-list feature that Cisco routers support. The main idea of CBAC is that it can securely handle multi-channel connections based on upper-layer information.

CBAC inspects packets not specifically denied by any ACL and then permits or denies the TCP or UDP traffic. A state table is maintained by associating new connection requests with existing legitimate connections. Since packets are filtered thoroughly, illegitimate connections cannot get through easily, which helps prevent DoS attacks.

The advantage of using CBAC is that it can generate real-time audit trails and alerts. The audit trails are a feature of Syslog that monitors all ongoing network transactions, and with CBAC, alerts and audit-trail information can be configured on a per-application-protocol basis.


How a CBAC works can be explained in the following images:

A summary of the pictures: CBAC monitors all incoming and outgoing traffic and can dynamically (automatically) create new ACL rules, e.g. allowing return traffic back through the firewall. Furthermore, it detects when an application ends or times out and removes all the dynamic ACLs associated with that application. The second image mainly shows that a user's packets, from both the source and destination IP addresses, are permitted through the firewall while other traffic is blocked.
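To make the state-table behaviour concrete, here is an added Python model (not from the post, nor Cisco's implementation) of how CBAC admits return traffic only for tracked TCP/UDP sessions and removes the dynamic entries on timeout; addresses, ports and timer values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"; other protocols are not tracked in this model
    src: str
    sport: int
    dst: str
    dport: int


class CBAC:
    """Toy state table: outbound sessions open a dynamic hole for their replies."""

    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout
        self.table = {}   # 5-tuple of the outbound flow -> time it was last seen

    def outbound(self, pkt: Packet, now: int) -> bool:
        """Inside -> outside. Permitted, and recorded so the reply can come back."""
        if pkt.proto not in ("tcp", "udp"):
            return False
        self.table[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return True

    def inbound(self, pkt: Packet, now: int) -> bool:
        """Outside -> inside. Permitted only as return traffic of a live session."""
        self.expire(now)
        # The reply has source and destination swapped relative to the request.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            self.table[key] = now    # refresh the idle timer
            return True
        return False                 # unsolicited: blocked, as in the second image

    def expire(self, now: int) -> int:
        """Remove dynamic entries whose session has idled out; return the count."""
        stale = [k for k, t in self.table.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)
```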

Access Control Lists (ACLs)

ACLs, or access control lists, are basically lists of permissions held by a computing device, in this case a router. Routers generally support two types of IP access list, namely standard and extended.

The standard version filters IP packets based on the source address only, while extended IP ACLs filter packets based on more attributes, such as destination/source IP, protocol type, source/destination TCP/UDP ports, and ICMP and IGMP message types.


There are specific syntaxes for creating a standard or extended access list on a router. Lists can also be numbered or named, and a comment (remark) can be added to them for easier editing and viewing.

Standard numbered ACL format:
    access-list access-list-number {deny | permit} source [source-wildcard]

Extended named ACL format:
    ip access-list extended access-list-name

Remark syntax:
    remark user-input

Access lists are also able to perform directional filtering depending on how they are configured. The two directions are inbound and outbound; for data that flows into the router interface and data that flows away from the router interface.

The direction is configured by applying the ACL to an interface, in interface configuration mode, with the in or out keyword at the end of the ip access-group command.

i.e. - ip access-group access-list-number { in | out }
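As an added example (not part of the original post), the Python below evaluates a constructed standard numbered ACL the way a router does: top-down first match, wildcard-mask comparison, and the implicit deny at the end.

```python
import ipaddress

# Constructed ACL in the page's standard numbered format. Line order matters.
ACL_10 = """
access-list 10 remark block one misbehaving host, allow the rest of the branch LAN
access-list 10 deny host 192.168.1.66
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny 192.168.0.0 0.0.255.255
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acl(text: str):
    """Turn 'access-list N {permit|deny} source [wildcard]' lines into tuples.

    'any' is shorthand for 0.0.0.0 255.255.255.255, 'host A' for A 0.0.0.0,
    and a missing wildcard also means 0.0.0.0 (exact match). Remarks are skipped.
    """
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action = parts[2]
        if parts[3] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            base, wc = parts[4], "0.0.0.0"
        else:
            base, wc = parts[3], (parts[4] if len(parts) > 4 else "0.0.0.0")
        entries.append((action, base, wc))
    return entries


def evaluate(entries, src: str) -> str:
    """First matching entry wins; no match hits the implicit deny any."""
    for action, base, wc in entries:
        if wildcard_match(src, base, wc):
            return action
    return "deny"
```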

Saturday, May 5, 2012

Secure Perimeter Routers, Disable Services & Logging

Securing a perimeter router can be done with two main methods - Ingress and Egress filtering.

Ingress filtering is a method to ensure that incoming packets are really from the networks they claim to be from. As spoofing an IP address is more commonplace than ever, this method of filtering is absolutely crucial in this day and age. If a router is not secured to detect spoofed IP addresses, such attacks could take place easily, as the packets appear to come from trusted networks.

In ingress filtering, an inbound packet is dropped if it arrives from an outside network but carries the IP address of an internal computer as its source. To perform ingress filtering, the network needs to know which IP addresses each connected network may legitimately send from; this is not always possible, as a network with a single internet connection cannot always tell whether an inbound packet is spoofed or not.

Egress filtering, on the other hand, is the practice of monitoring and potentially restricting the flow of information outbound from one network to another, ensuring that malicious or unauthorized data does not leave the internal network. This filtering is done by a firewall or router examining TCP/IP packets as they leave the internal network; those that do not meet the security policy are denied "egress".
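The two checks described above, as an added Python example that is not part of the original post; the internal prefixes and sample packets are constructed, and "ingress" means arriving on the internet-facing interface.

```python
import ipaddress

# Constructed: the prefixes this site owns. A real router would take these from
# its configuration or routing table.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("192.168.20.0/24"),
]


def is_internal(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_PREFIXES)


def filter_packet(direction: str, src: str) -> str:
    """Apply ingress or egress anti-spoofing to a packet's source address.

    ingress: internet -> inside. A source inside our own prefixes cannot have
             come from the internet, so it is spoofed and dropped.
    egress:  inside -> internet. Only our own prefixes may leave; anything
             else is a misconfigured host or a spoofing source.
    """
    if direction == "ingress":
        return "deny" if is_internal(src) else "permit"
    if direction == "egress":
        return "permit" if is_internal(src) else "deny"
    raise ValueError("direction must be 'ingress' or 'egress'")


def audit(packets):
    """Run the filter over (direction, src) pairs and return the dropped ones,
    the kind of record that would feed the router's log."""
    return [(d, s) for d, s in packets if filter_packet(d, s) == "deny"]


# Constructed sample traffic
SAMPLE = [
    ("ingress", "203.0.113.45"),    # ordinary internet client
    ("ingress", "192.168.10.7"),    # claims to be one of ours: spoofed
    ("egress", "192.168.20.33"),    # internal host going out
    ("egress", "10.1.1.1"),         # not ours: must not leave
]
```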

The next section is about disabling services. Routers usually come with many services enabled by default; not all of them are used, and the unused ones should be disabled for security purposes. Such services include:

Disable bootp Server
bootp is enabled by default, and if you are not using it, you should definitely disable it. You can use the no ip bootp server command in global configuration mode to disable bootp on your routers:
Test(config)# no ip bootp server

Disable CDP
Cisco Discovery Protocol (CDP) is also enabled by default, and we highly recommend that you disable this service on the router globally. You can disable CDP globally by using the no cdp run command in global configuration mode, or on a per-interface basis by using the no cdp enable command in interface configuration mode:
Test(config)#no cdp run
Test(config-if)#no cdp enable

These are examples of services that should be disabled on the router; there are more, of course.
The next section, logging, covers logging methods such as console, buffered, terminal line, syslog and SNMP. There are 8 log severity levels, with 0 being the lowest, 7 the highest and 6 the default. The logging function is present in routers because it is essential that changes and configurations be recorded, with details such as the time, the log message name/severity level and text showing where the change was made from.