Public Key Infrastructure (Digital Cert)

The Public Key Infrastructure (PKI) is a security architecture designed to provide confidence for users in the form of security while exchanging information in an increasingly insecure internet.

As the PKI is a general overview of methods, technologies and techniques that provide a secure internet as well as the usage of public key and private key pair for authentication and proof of content, the PKI is able to provide:

• certainty of the quality of information sent and received electronically
• certainty of source and destination of that information
• certainty of the privacy of the information 
• as well as assurance that the information will be kept in such a way that it can be introduced as evidence in a court of law.

The PKI also consists of a certificate authority, which issues and verifies the digital certificate, in which is

an electronic document that uses a digital signature to bind a public key with the identity, i.e. the name or address of a person or organization. The certificate is used to verify that a public key belongs to the correct individual.

As stated above, the digital certificate provides a method of storing the public key, however in the storing of private keys, more secure measures are needed. Passwords or biometric encryption such as thumbprints can be used to ensure the security of a private key, as with the private key, the attacker can have access to more sensitive information regarding the user or his/ her organization. 

Other components that make up the PKI are such as a Registration Authority (RA) which is used by a CA. The RA performs necessary checks on the person or company requesting the certificate so as to ensure they are really who they say they are. The RA may seem like a CA to the person or company but they do not sign or validate the issued certificate. Therefore, its only purpose is to ensure that the CA issues certificates to trusted people or companies only.

Sources:

• http://www.articsoft.com/public_key_infrastructure.htm
• http://en.wikipedia.org/wiki/Public-key_infrastructure

IPSec (ESP, AH, DES, MD5, SHA, DH)

A communication session between users could include the sharing of sensitive information or classified documents. Methods are needed to secure and protect such sessions. The Internet Protocol Security, or IPSec, is a protocol with a purpose of securing IP communications. IPSec is used to encrypt as well as authenticate each IP packet sent during the session.

However, in the implementation of IPSec, there are many complex features to make consideration for. One reason for such complexity is that the IPSec provides mechanism, not policy. Instead of a an encryption algorithm or authentication function, IPSec bases itself on a framework that is able to provide almost any service that both ends require. 

Although there are many more protocols, this post will only depict 3 of them.

One protocol used by IPSec is the ESP, or Encapsulating Security Payload. This protocol encapsulates, or surrounds the data, encrypting it, ensuring that the data payload sent over is in an unreadable format. Overall, this protocol is able to provide data confidentiality, integrity, limited traffic flow confidentiality and anti-replay protection. Although this protocol does not protect (encrypt) the IP header, ESP ahas an authentication function, but only for its header and encrypted payload.

The AH, Authentication Header sends its payload in clear text, as this protocol does not provide file encryption service. Instead, the AH's main purpose is to authenticate the payload, and technically, it is possible, though rare, to use both AH and ESP together, essentially providing authentication and encryption. Hence AH is able to provide data integrity through authentication that uses a keyed-hash mechanism, origin authentication - confirmation that packets definitely originated from peer router. It also provides optional replay protection - replay is a form of attack in which perpetrators capture data physically from cables/ wires and re-inject the data back into the wire at another time.

DES, Data Encryption Standard encrypts the payload data as well. It uses matching shared secret keys on each peers and also includes encryption/ decryption algorithms. A DES encryption process is as such

1. Firstly, a shared secret key is appended to the algorithm, the payload is then submitted into the algorithms in fixed-length blocks and then converted into cypher-text, i.e. encrypt.
2. The encrypted data is transmitted to the IPSec peer via the ESP.
3. The peer receives the ESP packet, extracts the cypher-text, decrypts it through the decrypting algorithm which reveals the payload in a readable format.

The following picture shows the DES in action.

References:

• http://www.ciscopress.com/articles/article.asp?p=25473
• http://www.unixwiz.net/techtips/iguide-ipsec.html.

AAA (Authentication, Authorization, Accounting)

Basically, the skeleton of a Network Security Architecture comprises of three main components, Authentication, Authorization and Accounting, as these three functions are able to provide network security with three core questions about the user, namely, Who are you? (Authentication), What can you do/access? (Authorization) and What did you do/ how long/ how often? (Accounting).

By these questions, the system is able to provide validation and identification for users who use their services as well as procuring a log from their activities.

In each component, there are various technologies that can be utilised to implement them, in Authentication, devices such as token cards or one time passwords can be used to match valid users, ageing passwords or static passwords can also be assigned to users/created by users, which would of course increase usability but result in a weaker form of authentication. An example of a one time password being used is that a list of one-time passwords is generated by a hash function, and sent to the user over the network whereby the workstation would accept each password for one day only.

In Authorization, it is a function that determines whether a user is allowed to have access to perform certain tasks or use certain applications/programs. Authorization can be determined by restrictions such as physical location, time-of-day, as well as multiple entries by the same user.The types of services in Authorization include IP Address filtering, encryption, route assignment, bandwidth control, etc.

Finally in Accounting, the main section of which is the logging of network resource consumption by users is required for purposes such as capacity management, trend analysis, cost allocation, billing, as well as recording failures in the Authentication and Authorization components. Accounting can be implemented in batch, referring to accounting information that is saved until delivered at a later time, or real time, accounting information delivered concurrently with the consumption of resources. Information gathered would be such as identity of user, nature of service delivered, time frame of service and whether there is a status to report.

Context-Based Access Control (CBAC)

Context-Based Access Control or CBAC is part of an enhanced access list that cisco routers support. The main idea of CBAC is that it is able to securely handle multi-channel connections based on upper layer information.


The CBAC would inspect packets not denied specifically by any ACLs and then permits or denies such TCP or UDP traffic. A state table would then be maintained by associating new connection requests with existing legitimate connections. As such, since packets are filtered thoroughly, illegitimate connections would not be able to connect easily and hence, preventing DoS attacks.


The advantages of using CBAC is that it is able to generate real time audit trails and alerts. The audit trails are a feature of Syslog that monitors all ongoing network transactions and hence, with CBAC, alerts and audit trail information can be configured on a per-application protocol basis.


How a CBAC works can be explained in the following images: 

A summary of the pictures would be that CBAC monitors all incoming and outgoing traffics and is also able to dynamically or automatically create new ACL rules, i.e. allowing return traffic back to the firewall. Furthermore, it also detects when an application ends/ times out and removes all the dynamic ACLs associated with that application. The second image is mainly showing that a user would have packets from both his source and destination IP addresses permitted to enter through the firewall while blocking other traffic.

Access Control Lists (ACLs)

ACLs, or access control lists, are basically a lists of permissions that a computing device has, and in this case, the device is a router. Routers generally support 2 types of IP access lists, namely standard and extended.


The standard version filters IP packets based on the source only, while the extended IP ACLs filter packets based on more attributes such as destination/ source IP, protocol type, source/destination TCP/UDP ports as well as ICMP, IGMP message types. 


There are specific syntaxes for creating an access list in a router for the standard, extended formats. In the lists can also be numbered or named as well as the option of leaving a comment on it for purposes of easier editing and viewing. 


I.E. standard numbered ACL format - access-list access-list-number {deny | permit} source [source-wildcard]
      
       extended named ACL format - ip access-list extended access-list-name


       remark syntax - remark user-input

Access lists are also able to perform directional filtering depending on how they are configured. The two directions are inbound and outbound; for data that flows into the router interface and data that flows away from the router interface.

The syntax for configuring the direction in ACLs would be the adding of an in or out word at the end of an ACL.

i.e. - access-list access-list-number {deny | permit} source [source-wildcard] { in | out }

  
       
      

Secure Perimeter Routers, Disable Services & Logging

Securing a perimeter router can be done with two main methods - Ingress and Egress filtering.

Ingress filtering is a method to ensure that incoming packets are really from the networks they claim to be from. As spoofing an IP address is more commonplace than ever, this method of filtering is absolutely crucial in this day and age. Hence, if a router is not secured to detect spoofed IP addresses, such attacks would be able to take place easily as the packets come from seemingly trusted networks.

In ingress filtering, inbound packets would be filtered if there are packets being sent from an outer network but displays the IP address of an internal computer. To be able to perform ingress filtering, the network needs knowledge on IP address that each of its connected network may send to next hence it is not always possible as a network with a single internet connection has no way to find out if an inbound packet is spoofed or not.

Egress filtering, on the other hand, is the practice of monitoring and potentially restricting the flow of information outbound from one network to another, hence ensuring that malicious or unauthorized data does not leave the internal network. This form of filtering is done by examining TCP/IP packets as they leave the internal network by a firewall or router. Those that do not meet the security policies are then denied "egress."

The next section will be about disabling services. As routers usually come with many services enabled by default, not all of them are used and they should be disabled for security purposes. Such services are :

Disable bootp Server

bootp is enabled by default, and if you are not using it, you should definitely disable it. You can use the no ip bootp server command in global configuration mode to disable bootp on your routers

Test(config)# no ip bootp server

Disable CDP

Cisco Discovery Protocol (CDP) is also enabled by default, and we highly recommend that you disable this service on the router globally. You can disable CDP globally by using the no cdp run command in global configuration mode, or you can disable CDP on a per-interface basis by using the no cdp enable command in interface configuration mode

Test(config)#no cdp run

Test(config-if)#no cdp enable

These are examples of services that should be disabled in the router, there are more, of course. 

The next section, logging, will talk about logging methods such as console, buffered, terminal line, syslog and SNMP. There are 8 log security levels with 0 being the lowest and 7 the highest and 6 the default. The logging function is present in routers as it is essential for changes and configurations to be recorded with details such as time, log message name/severity level and also a text that shows where it was configured/changed from.

Source - http://www.debianadmin.com/securing-cisco-routers-by-disabling-unused-services.html

Common Threats to Routers and Switches - Physical & Mitigation

Common threats to routers and switches can be such as Hardware, Environment, Electrical and Maintenance.

In the context of a Hardware threat, in order to prevent physical damage being easily done to a router, eg: a break-in, there should be protection in place that will limit such damage. The server room should be locked up to prevent unauthorised access. The room itself should be secure, meaning that there should only be one way in or out and there should not be any entry via the ceiling, raised flooring, air vents, windows. All staff who enter the room should also be logged and there should be security cameras installed for real time monitoring of the equipment.

An Environmental threat, such as fire, can also be mitigated, by having the proper temperature control as doing so would reduce the chances of a server being overheated and thereby causing a fire. In order to do so, there should be a positive air flow to ensure that heat does not build up easily and in the event of fire, there should be fire detection systems and also fire containment measures to suppress it and prevent further damage. The equipment should also be properly logged and monitored on a hourly basis to ensure that everything runs and operates as it should.

A threat involving electricity is actually one that does not. The problem here would be that there is not enough supply of electricity to run all the equipment. Hence, there would be a need for a UPS (uninterruptible power supply) as well as generator sets, backup power sets to keep the place running. All these in addition with a preventive maintenance plan as well as remote alarming and monitoring would serve as a good mitigation towards electrical threats.

Maintenance related threats would be severe to a company in anyway, especially if the hardware are cluttered and not organised. As this would all the more make the problem harder to find and rectify. To alleviate such a problem, neat cable runs should be in place as well as the proper labelling of critical cables and components. As doing so would help track the root of the problem. There should also be stock spare parts for the critical sections of the hardware available as well as controlled access to the console ports. ESD or electrical software distribution procedures should also be in place to allow for a good mitigation of maintenance related threats.

Network & Port Address Translation

Network Address Translation, or simply put, NAT is the method of modifying IP address information while it moves across a routing device.

There are a 2 main methods of implementing NAT, namely the static and dynamic methods. Static NAT, also known as one-to-one NAT, is the simplest form of providing a translation for one IP address. This form of NAT can also be utilised to interconnect two IP networks even if they have incompatible addressing.

Dynamic NAT on the other hand, is a many-to-many mapping of NAT, for example a private IP address is mapped to a public IP address drawing from a pool of registered or, public, IP addresses. Hence allowing users on the internal network (using private IPs), to be able to surf the Internet after going through the NAT router. A benefit of dynamic NAT is that it is able to aid in securing a network as it is able to mask the internal configurations of the private network and hence cannot be monitored easily by outsiders.

Port Address Translation or PAT is an extension to the NAT function as discussed above. While the main function of NAT is to allow multiple devices on a local area network to be mapped to a single public IP address, PAT's goal is to conserve IP address.

A scenario in which PAT is used would be a typical home network - a router, and two laptops (X & Z). The ISP assigns a single (public) IP address to the router, as laptop X accesses the internet, the router gives X a port number that is appended to its internal address, giving X a unique address. Hence as Z logs into the internet at the same time, another unique address is generated in the context of Z, and in effect, only 1 public IP address is used and therefore there is conservation.

Perimeter Router, Internal Router, Firewall

A network has an area where it is connected to the outside world, the Internet. Devices such as routers that have the capability of joining these two areas together and provide a connection, typically between the Internet and an organization or a connection between an ISP and the Internet.

A perimeter router would be apt for a small branch office or in a telecommuter's home, i.e. SOHO. This router would be the only 'line of defence' as there it would also be doing the filtering of outside traffic through the firewall feature so as the implement basic security on the network.

Internal routers; these are routers that provide direct connections to networks in the same area as them. These routers are usually present in network topologies of medium to large businesses in which greater routing options can be developed as the network is able to fully utilize the abilities of that router, as there would be an external router connecting to the Internet.

Firewall - A firewall is a device that segregates or joins an internal network and a DMZ. This device would be configured to prevent access from external users trying to 'intrude' on the internal network by blocking unsolicited access thereby providing a form of security for the users and the network itself.

source - http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/