Tuesday, 29 May 2012

E-Tutorial 6 ( Site to Site VPN, Remote VPN )


A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.



There are two types of site-to-site VPNs:
  • Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
  • Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.
 
A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged in to the network's servers. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Another name for this type of VPN is virtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialing in to a server using an analog telephone system.

There are two components required in a remote-access VPN. The first is a network access server, also called a media gateway or a remote-access server (RAS). A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It's a NAS that a user connects to from the Internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.
The other required component of remote-access VPNs is client software. In other words, employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN.

Friday, 25 May 2012

E-Tutorial 5 ( IPsec )

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

 

IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

 

The IPsec suite is an open standard. IPsec uses the following protocols to perform various functions:

  • Authentication Headers (AH) provide connectionless integrity and data origin authentication for IP datagrams and provide protection against replay attacks.

  • Encapsulating Security Payloads (ESP) provide confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.

  • Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary to operate the AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.

E-Tutorial 5 ( Public Key Infrastructure )

Public-key infrastructure

A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). The RA ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation.

Certificate authorities

The primary role of the CA is to digitally sign and publish the public key bound to a given user. This is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. The mechanism that binds keys to users is called the Registration Authority (RA), which may or may not be separate from the CA. The key-user binding is established, depending on the level of assurance the binding has, by software or under human supervision.
The term trusted third party (TTP) may also be used for certificate authority (CA). Moreover, PKI is itself often used as a synonym for a CA implementation.

Temporary certificates & single sign-on

This approach involves a server that acts as an online certificate authority within a single sign-on system. A single sign-on server will issue digital certificates into the client system, but never stores them. Users can execute programs, etc. with the temporary certificate. It is common to find this solution variety with X.509-based certificates.
 
Web of trust 

An alternative approach to the problem of public authentication of public-key information is the web of trust scheme, which uses self-signed certificates and third party attestations of those certificates. The singular term "web of trust" does not imply the existence of a single web of trust, or common point of trust, but rather one of any number of potentially disjoint "webs of trust". Examples of implementations of this approach are PGP (Pretty Good Privacy) and GnuPG (an implementation of OpenPGP, the standardized specification of PGP). Because PGP and its implementations allow the use of e-mail digital signatures for self-publication of public-key information, it is relatively easy to implement one's own web of trust.

One of the benefits of the web of trust, such as in PGP, is that it can interoperate with a PKI CA fully trusted by all parties in a domain (such as an internal CA in a company) that is willing to guarantee certificates, as a trusted introducer. Because of the nature of a web of trust, trusting one certificate grants trust to all the certificates in that web, so this only works if the "web of trust" is completely trusted. A PKI is only as valuable as the standards and practices that control the issuance of certificates, and including PGP or a personally instituted web of trust could significantly degrade the trustability of that enterprise's or domain's implementation of PKI.

Wednesday, 16 May 2012

E-Tutorial 4 ( Authentication, Authorization and Accounting )

AAA commonly stands for authentication, authorization and accounting. It refers to a security architecture for distributed systems, which enables control over which users are allowed access to which services, and how much of the resources they have used.

Authentication refers to the process where an entity's identity is authenticated, typically by providing evidence that it holds a specific digital identity such as an identifier and the corresponding credentials. Examples of types of credentials are passwords, one-time tokens and digital certificates.

The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service. Authorization may be determined based on a range of restrictions, for example time-of-day restrictions, physical location restrictions, or restrictions against multiple access by the same entity or user. Typical authorization in everyday computer life is, for example, granting read access to a specific file for an authenticated user.

Accounting refers to the tracking of network resource consumption by users for the purpose of capacity and trend analysis, cost allocation and billing. In addition, it may record events such as authentication and authorization failures, and include auditing functionality, which permits verifying the correctness of procedures carried out based on accounting data. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time.

http://en.wikipedia.org/wiki/AAA_protocol

Wednesday, 9 May 2012

E-Tutorial 3 ( Context-based access control )

Context-based access control (CBAC) intelligently filters TCP and UDP packets based on application layer protocol session information and can be used for intranets, extranets and internets. CBAC can be configured to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network needing protection. (In other words, CBAC can inspect traffic for sessions that originate from the external network.) However, while this example discusses inspecting traffic for sessions that originate from the external network, CBAC can inspect traffic for sessions that originate from either side of the firewall. This is the basic function of a stateful inspection firewall.

CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions (sessions that originated from within the protected internal network).

CBAC performs deep packet inspection and hence is termed an IOS Firewall.
CBAC also provides the following benefits:
  • Denial-of-Service prevention and detection
  • Real-time alerts and audit trails
http://en.wikipedia.org/wiki/Context-based_access_control

E-Tutorial 3 ( Access Control lists )

ACLs are basically a set of commands, grouped together by a number or name that is used to filter traffic entering or leaving an interface.
When activating an ACL on an interface, you must specify in which direction the traffic should be filtered:
  • Inbound (as the traffic comes into an interface)
  • Outbound (before the traffic exits an interface)

Inbound ACLs:
Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is processed for routing.

Outbound ACLs:
Incoming packets are routed to the outbound interface and then processed through the outbound ACL.

Access List Ranges

Type                         Range
IP Standard                  1–99
IP Extended                  100–199
IP Standard Expanded Range   1300–1999
IP Extended Expanded Range   2000–2699

http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/access-control-list.html
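To make the ACL mechanics above concrete (number ranges, wildcard masks, top-down first-match evaluation and the implicit deny at the end), here is an added example written for this page; it is not code from the linked tutorial or from Cisco IOS. The network 10.0.0.0/8, the web server 10.1.1.10 and the packets are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional

# Numbered ACL ranges, as listed in the table above.
ACL_RANGES = (
    ("IP Standard", 1, 99),
    ("IP Extended", 100, 199),
    ("IP Standard Expanded Range", 1300, 1999),
    ("IP Extended Expanded Range", 2000, 2699),
)


def acl_type(number: int) -> Optional[str]:
    """Return the ACL type for an IOS list number, or None if the number is out of range."""
    for name, low, high in ACL_RANGES:
        if low <= number <= high:
            return name
    return None


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask comparison: a 1 bit in the wildcard means 'ignore this bit'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    addr, want = int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(base))
    return (addr & care) == (want & care)


class Entry:
    """One access-list statement; a field left at its default matches anything ('any')."""

    def __init__(self, action: str, proto: str = "ip", src: str = "0.0.0.0",
                 src_wc: str = "255.255.255.255", dst: str = "0.0.0.0",
                 dst_wc: str = "255.255.255.255", dport: Optional[int] = None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.src_wc, self.dst, self.dst_wc = src, src_wc, dst, dst_wc

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))


def evaluate(acl: List[Entry], pkt: Dict) -> str:
    """Top-down, first match wins; every ACL ends with an implicit 'deny any'."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Constructed example: extended ACL 101 applied inbound on the Internet-facing interface.
# The first line is the anti-spoofing rule: no packet from outside may claim an inside source.
ACL_101 = [
    Entry("deny", "ip", src="10.0.0.0", src_wc="0.255.255.255"),
    Entry("permit", "tcp", dst="10.1.1.10", dst_wc="0.0.0.0", dport=80),
]

if __name__ == "__main__":
    print("ACL 101 is", acl_type(101))
    for pkt in ({"proto": "tcp", "src": "10.1.1.5", "dst": "10.1.1.10", "dport": 80},
                {"proto": "tcp", "src": "203.0.113.7", "dst": "10.1.1.10", "dport": 80},
                {"proto": "tcp", "src": "203.0.113.7", "dst": "10.1.1.10", "dport": 23}):
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], evaluate(ACL_101, pkt))
```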

Wednesday, 2 May 2012

E-Tutorial 2 (Secure Perimeter Routers & Disable Services & Logging)

Using ACLs on the perimeter routers can mitigate some common security threats. Threat mitigation starts by disabling unused services running on the router. You can also mitigate threats on the network by limiting the number of users and services on the router.
ACLs are the most effective because they act as filters between the world and your network. You can also use ACLs to create and enforce corporate security policy in your corporation. 

Telnet

You can use ACLs to limit Telnet access to certain devices on your network. You can apply access lists to the VTY lines with the access-class command.

IP Spoofing

Spoofing is a technique used to gain access to unauthorized networks or resources by sending a data stream to a host with an IP address that indicates that the message is coming from a trusted host. As a golden rule, you should never allow any IP datagrams coming inbound to a protected network that contain the source address of any internal host or network.

DoS SYN Attack Mitigation

To overcome this issue, you can use the TCP intercept command. The TCP intercept command examines each inbound TCP connection attempt and ensures that the external source address is not spoofed but is actually reachable. 


E-Tutorial 2 ( Common Threats to Router and Switch Physical &Mitigation )

Improper and incomplete network device installation is an often-overlooked security threat that, if left unaddressed, can have terrible results. Software-based security measures alone cannot prevent intended or even accidental network damage caused by poor installation.

Hardware threats  
Hardware threats involve threats of physical damage to the router or switch hardware. Mission-critical Cisco network equipment should be located in wiring closets or in computer or telecommunications rooms.
  • The room should not be accessible via a dropped ceiling, raised floor, window, ductwork, or point of entry other than the secured access point.

Electrical threats
Electrical threats include irregular fluctuations in voltage, such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss. These threats can be limited.
  • Install backup generator systems for mission-critical supplies.

Environmental threats
Environmental threats include temperature extremes (too hot or too cold), humidity extremes (too wet or too dry), moisture, and electrostatic and magnetic interference. These also require mitigation.
  •  Remove any sources of electrostatic and magnetic interference in the room.

Maintenance threats
Maintenance threats are a broad category that includes many items: poor handling of key electronic components, electrostatic discharge (ESD), lack of critical spares or backup parts for critical network components, poor cabling, and poor or missing labeling of components and their cabling.
  • Always follow ESD procedures when replacing or working with internal router and switch device components.

E-Tutorial 2 ( Network / Port Address Translation )

Network address translation (NAT) is an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box located where the LAN meets the Internet makes all necessary IP address translations.

NAT purposes:
  • Provides a type of firewall by hiding internal IP addresses 
  • Enables a company to use more internal IP addresses. Since they're used internally only, there's no possibility of conflict with IP addresses used by other companies and organizations.
 
Port Address Translation (PAT) is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.
Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the home network's router. When Computer X logs on the Internet, the router assigns the client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on the Internet at the same time, the router assigns it the same local IP address with a different port number. Although both computers are sharing the same public IP address and accessing the Internet at the same time, the router knows exactly which computer to send specific packets to because each computer has a unique internal address.
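The home-router scenario above, and the "type of firewall" effect mentioned under NAT purposes, as an added example written for this page (not code from any router vendor). The public address 198.51.100.1, the two inside hosts and the port numbers are constructed sample values; the port pool starts at 1024 by assumption.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


class PatTable:
    """Port Address Translation: many inside hosts share one public IP, told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port, self.last_port = first_port, last_port
        self.outbound: Dict[Endpoint, int] = {}  # (inside IP, inside port) -> public port
        self.inbound: Dict[int, Endpoint] = {}   # public port -> (inside IP, inside port)

    def translate_out(self, inside: Endpoint) -> Endpoint:
        """Rewrite the source of an outgoing packet; an existing flow keeps its public port."""
        if inside not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted; new flows cannot be translated")
            self.outbound[inside] = self.next_port
            self.inbound[self.next_port] = inside
            self.next_port += 1
        return (self.public_ip, self.outbound[inside])

    def translate_in(self, public_port: int) -> Optional[Endpoint]:
        """Rewrite the destination of a reply. None means no inside host ever opened
        this flow, so the router has nowhere to deliver it and drops the packet."""
        return self.inbound.get(public_port)


# Constructed scenario: the ISP gave the home router the single address 198.51.100.1;
# Computer X and Computer Z both happen to pick local source port 50000.
ROUTER = PatTable("198.51.100.1")
COMPUTER_X: Endpoint = ("192.168.1.10", 50000)
COMPUTER_Z: Endpoint = ("192.168.1.11", 50000)


def demo() -> Dict[str, object]:
    """Run the two-host scenario and return what the router did with each packet."""
    x_public = ROUTER.translate_out(COMPUTER_X)   # first flow -> public port 1024
    z_public = ROUTER.translate_out(COMPUTER_Z)   # second flow -> public port 1025
    return {
        "x_public": x_public,
        "z_public": z_public,
        "x_again": ROUTER.translate_out(COMPUTER_X),       # same flow, same mapping
        "reply_for_z": ROUTER.translate_in(z_public[1]),  # reply lands on Computer Z
        "unsolicited": ROUTER.translate_in(4444),          # nobody opened this: dropped
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

The "unsolicited" case is the firewall-like side effect: an outside host cannot reach an inside host unless that inside host created the mapping first.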

E-Tutorial 2 ( Perimeter Router, Internal Router and Firewall )

The perimeter router is typically a standard router providing a serial connection to the outside world (untrusted network) and a LAN connection to the internal network. The perimeter router should provide any filtering of outside traffic to implement basic security for the DMZ and preliminary filtering for the inside network.

The internal router is usually meant to protect against DoS attacks against your network: in case the perimeter router goes down due to a DoS attack, there will still be connectivity within the organization thanks to the internal router; otherwise the entire organization would have no connection even within its own network. It also performs filtering of traffic for the internal network.

A firewall is a device or set of devices designed to permit or deny network transmissions based on a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass. Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range". Firewalls often have such functionality to hide the true address of protected hosts. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.

Wednesday, 25 April 2012

E-Tutorial 1 ( Security Policy )

Security policy is a definition of what it means to be secure for an organization or system. For an organization, it monitors the behavior of its members and imposes mechanisms such as doors, locks, keys and walls. For systems, the security policy monitors the functions and flow among them and constrains the access of external systems and others, including programs and access to data by people.

The many types of security policies are such as:
Computer security policy
Network security policy
Information protection policy

Computer security policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of: Confidentiality, Integrity and Availability.

Network security policy
A network security policy is a generic document that outlines rules for network access, determines how policies are enforced and lays out some of the basic architecture of the company's secure environment. It is a very detailed document, meant to control data access, internet surfing habits, use of passwords and email attachments, and much more. It specifies these rules for individuals or groups throughout the company.

Information protection policy
Information protection policy is a document which provides guidelines to users on the processing, storage and transmission of sensitive information. The main goal is to ensure information is appropriately protected from modification or disclosure. It may be appropriate to have new employees sign the policy as part of their agreement, which would define the levels of sensitivity of information.

Reference: http://en.wikipedia.org/wiki/Security_policy

E-Tutorial 1 ( Common Network Attacks )

There are many types of network attacks such as:
-Hijacking
-Spoofing
-DoS

1) Hijacking (Man in the middle attack)
A man-in-the-middle attack is a stranger assuming your identity in order to read your conversation with your friend. The person on the other end, your friend, will most likely continue to think that they are still talking to you, because the stranger who assumed your identity keeps replying to the conversation as if they were you, and will try to keep the conversation going for as long as possible to gain more information.
Solution:
The integrity of public keys must generally be assured in some manner, but they need not be secret; passwords and shared secret keys have the additional secrecy requirement. Public keys can be verified by a certificate authority, whose public key is distributed through a secure channel.

2) Spoofing
Any internet-connected device that sends data through the internet will carry the sender's IP address as well as other important data. If the attacker obtains control over the software running on a network device, they can then easily modify the device's protocols to place an arbitrary IP address into the data packet's source address field, which makes any packet's source IP look like whatever the attacker wants it to be.

Solution:
The countermeasure for spoofing is ingress filtering, which routers usually perform. Routers that perform filtering check the source IP address of incoming packets and determine whether that source address is known to be reachable via the interface the packet arrived on. If it is not, the packet is discarded.
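The reachability check just described, as an added example written for this page (not code from any router): the filter does a longest-prefix lookup of the packet's claimed source address and accepts the packet only when the matching route points back out of the interface it arrived on. The routing table, interface names and packet addresses are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, interface that prefix is reached through)


class IngressFilter:
    """Source-address check in the sense used above: a packet is accepted only if
    its source address is reachable back out of the interface it arrived on."""

    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes: List[Route] = [(ipaddress.IPv4Network(p), ifc) for p, ifc in routes]

    def best_interface(self, address: str) -> Optional[str]:
        """Longest-prefix match: the interface a packet addressed *to* this host would leave by."""
        addr = ipaddress.IPv4Address(address)
        best: Optional[Route] = None
        for prefix, ifc in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, ifc)
        return best[1] if best else None

    def accept(self, src: str, arrived_on: str) -> bool:
        """Discard the packet when the return path to its claimed source is not this interface."""
        return self.best_interface(src) == arrived_on


# Constructed routing table: the 10.0.0.0/8 internal network sits behind Ethernet0;
# everything else is reached through the Serial0 link to the ISP (the default route).
PERIMETER = IngressFilter([("10.0.0.0/8", "Ethernet0"), ("0.0.0.0/0", "Serial0")])


def classify(src: str, arrived_on: str) -> str:
    """Label a packet for the log: 'forward' or 'drop (spoofed source)'."""
    return "forward" if PERIMETER.accept(src, arrived_on) else "drop (spoofed source)"


if __name__ == "__main__":
    for src, ifc in (("10.1.1.5", "Serial0"),       # internal address arriving from the Internet
                     ("203.0.113.7", "Serial0"),    # ordinary Internet source
                     ("10.1.1.5", "Ethernet0"),     # internal host talking out
                     ("203.0.113.7", "Ethernet0")): # inside host forging an outside source
        print(f"{src:>12} on {ifc:9} -> {classify(src, ifc)}")
```

Because the default route points at Serial0, any non-internal source arriving from the Internet passes the check; this filter catches packets claiming an internal address from outside (and inside hosts forging outside addresses), which is exactly the "golden rule" case, not every spoofed address on the Internet.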

3) DoS
A denial of service attack is a special kind of Internet attack targeted at large websites. It is a type of attack on a network that is meant to bring the network down by flooding it with useless traffic.

Solution:
Ingress filtering alone can only control DoS attacks that are on a smaller scale.

Reference: http://ayurveda.hubpages.com/hub/Types-of-Network-Attacks