Sunday, 3 June 2012

Site-to-site VPN, Remote access VPN


What is Remote access VPN? 

A remote-access VPN allows individual users to establish secure connections with a remote computer network.
Those users can access resources on that network as if they were directly plugged in to it. Another name for this type of VPN is virtual private dial-up network (VPDN).
Two components are required in a remote-access VPN. The first is a network access server (NAS), also called a media gateway or a remote-access server (RAS). A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server; it terminates the tunnel and authenticates the user, often against a central AAA server. The second is VPN client software on the user's device, which authenticates to the NAS and builds the encrypted tunnel.

What is Site-to-site VPN?

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. The tunnel is built between the two sites' gateways, so individual hosts need no VPN software.


Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations.

There are two types of site-to-site VPNs:
  • Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
  • Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.


Sunday, 27 May 2012

Public Key Infrastructure

What is a PKI?


A public key infrastructure (PKI) is the combination of software, encryption technologies, processes, and services that enable an organization to secure its communications and business transactions. The ability of a PKI to secure communications and business transactions is based on the exchange of digital certificates between authenticated users and trusted resources. 



PKI Technologies

Organizations need enhanced security for data and strong credentials for identity management. You can use certificates to secure data and manage identification credentials from users and computers both within and outside your organization.
You can design a PKI solution to meet the following security and technical requirements of your organization:
  • Confidentiality. You use a PKI to encrypt data that is stored or transmitted.
  • Integrity. You use a PKI to digitally sign data. A digital signature helps you identify whether another user or process modified the data.
  • Authenticity. A PKI provides several authenticity mechanisms. Authentication data passes through a hash algorithm, such as Secure Hash Algorithm 1 (SHA-1), to produce a message digest. The message digest is then digitally signed using the sender's private key, and anyone holding the sender's certificate can verify the signature with the matching public key to prove that the digest was produced by the sender. (SHA-1 was the usual choice when this was written; it is no longer considered collision resistant, and current PKI deployments sign with SHA-256 or stronger.)
  • Nonrepudiation. When data is digitally signed, the digital signature provides proof of the integrity of the signed data and proof of the origin of the data. A third party can verify the integrity and origin of the data at any time. This verification cannot be refuted by the owner of the certificate that digitally signed the data. 

Root Hierarchies

In a root CA hierarchy, all of the CAs in the organization's CA hierarchy are chained to a common root CA: the root signs the certificates of the subordinate (issuing) CAs, and those in turn issue end-entity certificates, so every certificate can be validated back to the root. The following figure illustrates a root CA hierarchy.
Figure: Root CA Hierarchy (diagram not reproduced here)



IPsec

What is IPsec?


IPsec is a suite of protocols for securing network connections at the IP layer, but the details and many variations quickly become overwhelming.


Why are there so many settings that "quickly become overwhelming"?


IPsec provides mechanism, not policy.
Rather than define such-and-such encryption algorithm or a certain authentication function, it provides a framework that allows an implementation to provide nearly anything that both ends agree upon.




IKE versus manual keys
Since both sides of the conversation need to know the secret values used in hashing or encryption, there is the question of just how this data is exchanged. Manual keys require manual entry of the secret values on both ends, presumably conveyed by some out-of-band mechanism, and IKE (Internet Key Exchange) is a sophisticated mechanism for doing this online.
Main mode versus aggressive mode
These modes control an efficiency-versus-security tradeoff during the initial IKE (phase 1) exchange. Main mode requires six messages back and forth, but protects the peers' identities during the establishment of an IPsec connection, while aggressive mode uses half the exchanges (three messages) and provides less security because some information, including the initiator's identity, is transmitted in cleartext. With pre-shared-key authentication this is a practical weakness: a passive observer of an aggressive-mode exchange captures enough material to run an offline dictionary attack on the pre-shared key, so main mode (or IKEv2, which has no aggressive mode) is the safer choice.



AH versus ESP
"Authentication Header" (AH) and "Encapsulating Security Payload" (ESP) are the two main wire-level protocols used by IPsec. AH authenticates the data flowing over the connection (including most of the outer IP header), while ESP encrypts it and, optionally but in practice almost always, authenticates it as well. They are typically used independently, though it is possible (but uncommon) to use them both together. Two practical consequences: because AH covers the IP header, it breaks when a NAT device rewrites addresses, so ESP (with NAT traversal, which wraps ESP in UDP) is what most deployments use; and ESP without its authentication option gives confidentiality only, leaving the packet open to undetected modification, so always enable ESP integrity protection.



IP Datagram


The IP header carries the fields that route and identify every packet, including the protocol number that says what follows it (AH or ESP, for IPsec traffic), so we will take a look at it first.

Some IP protocol codes

  Code  Protocol description
  ----  ------------------------------------------------------
     1  ICMP — Internet Control Message Protocol
     2  IGMP — Internet Group Management Protocol
     4  IP within IP (a kind of encapsulation)
     6  TCP — Transmission Control Protocol
    17  UDP — User Datagram Protocol
    41  IPv6 — IPv6 encapsulated in IPv4
    47  GRE — Generic Routing Encapsulation (used by PPTP)
    50  IPsec: ESP — Encapsulating Security Payload
    51  IPsec: AH — Authentication Header

Authentication Algorithms

AH carries an Integrity Check Value (ICV) in the Authentication Data portion of the header, and it is typically (but not always) built on top of standard cryptographic hash algorithms; MD5 and SHA-1 were the original mandatory choices, and HMAC-SHA-256 and stronger variants were specified later.
Rather than use a straight checksum or a bare hash, either of which provides no real security against intentional tampering because anyone can recompute it, IPsec uses a Hash-based Message Authentication Code (HMAC), which mixes a secret key into the computation of the ICV. Though an attacker can easily recompute a hash, without the secret key he will not be able to recreate the proper ICV. Two details matter in practice: the ICV is computed with the mutable IP header fields (TTL, header checksum and the like) treated as zero, since routers legitimately change those in flight, and the HMAC output is usually truncated (to 96 bits for HMAC-SHA1-96) before being placed in the header. The receiver should compare the received and recomputed ICVs in constant time so that timing does not leak how many bytes matched.
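As an added example (not code from the original page or from the linked unixwiz guide), the following Python parses the IPv4 header, maps the protocol number using the table above, and for protocol 51 parses the AH header and verifies its HMAC-SHA1-96 ICV the way the text describes: mutable IP fields zeroed, ICV field zeroed, HMAC truncated to 96 bits, constant-time comparison. The packet and key are constructed inline; the key name, SPI and addresses are assumptions for the demonstration.

```python
import hashlib
import hmac
import struct

# Protocol numbers from the table above (subset)
PROTOCOLS = {1: "ICMP", 2: "IGMP", 4: "IP-in-IP", 6: "TCP", 17: "UDP",
             41: "IPv6", 47: "GRE", 50: "ESP", 51: "AH"}

AH_FIXED_LEN = 12    # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12         # HMAC-SHA1-96 truncates the 20-byte SHA-1 HMAC to 96 bits


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the 20-byte IPv4 header (options not supported) and name its protocol."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) != 5:
        raise ValueError("only IPv4 without options is handled here")
    return {"ttl": ttl, "proto": proto, "proto_name": PROTOCOLS.get(proto, "?"),
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[20:]}


def parse_ah(data: bytes) -> dict:
    """Parse the AH header (RFC 4302). Payload Len is in 32-bit words minus 2."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    return {"next": next_hdr, "spi": spi, "seq": seq, "len": ah_len,
            "icv": data[AH_FIXED_LEN:ah_len], "payload": data[ah_len:]}


def ah_icv_input(pkt: bytes, ah_len: int) -> bytes:
    """Bytes the ICV is computed over: IP header with mutable fields zeroed,
    AH header with its ICV field zeroed, then the payload."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0                 # TOS / DSCP
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset
    hdr[8] = 0                 # TTL (routers decrement it in flight)
    hdr[10:12] = b"\x00\x00"   # header checksum (changes whenever TTL does)
    ah = bytearray(pkt[20:20 + ah_len])
    ah[AH_FIXED_LEN:] = bytes(ah_len - AH_FIXED_LEN)
    return bytes(hdr) + bytes(ah) + pkt[20 + ah_len:]


def compute_icv(key: bytes, pkt: bytes, ah_len: int) -> bytes:
    return hmac.new(key, ah_icv_input(pkt, ah_len), hashlib.sha1).digest()[:ICV_LEN]


def verify_ah(key: bytes, pkt: bytes) -> bool:
    """True only if the packet is AH and its ICV matches under this key."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 51:
        return False
    ah = parse_ah(ip["payload"])
    # constant-time compare: a plain == would leak how many bytes matched
    return hmac.compare_digest(ah["icv"], compute_icv(key, pkt, ah["len"]))


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes,
                    spi: int = 0x1001, seq: int = 1) -> bytes:
    """Constructed transport-mode AH packet carrying a UDP payload (next header 17)."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    total = 20 + ah_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 51, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    ah_hdr = struct.pack("!BBHII", 17, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = ip_hdr + ah_hdr + payload
    return pkt[:20 + AH_FIXED_LEN] + compute_icv(key, pkt, ah_len) + payload


if __name__ == "__main__":
    key = b"constructed-demo-key"        # would come from IKE or manual keying
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", b"hello")
    print(parse_ipv4(pkt)["proto_name"], verify_ah(key, pkt))        # AH True
    print(verify_ah(key, pkt[:-1] + bytes([pkt[-1] ^ 0x01])))        # tampered: False
    print(verify_ah(key, pkt[:8] + b"\x3f" + pkt[9:]))               # TTL 64->63: True
```

The last two prints are the point of the exercise: flipping one payload bit invalidates the ICV, while a router decrementing the TTL does not, because the TTL was zeroed before hashing. A real implementation would also track the sequence number against a replay window and look the key up by SPI.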

http://www.unixwiz.net/techtips/iguide-ipsec.html

Sunday, 20 May 2012

Authentication, Authorization and Accounting (AAA)

Wikipedia: In computer security, AAA commonly stands for authentication, authorization and accounting. It refers to a security architecture for distributed systems, which enables control over which users are allowed access to which services, and how much of the resources they have used.
http://en.wikipedia.org/wiki/AAA_protocol

Search Security: Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting

Cisco: Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your router or access server.
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html

In summary, AAA is a framework (implemented by protocols such as RADIUS, TACACS+ and Diameter) that provides controlled access to your network, allowing or disallowing access intelligently. There is usually a specialised server that answers these requests, backed by a database that stores user credentials and profiles. There are three parts to this process, which I will discuss in turn.

Firstly, Authentication.
Authentication means identifying a user through his or her credentials before any authorization takes place. The credentials are something only the legitimate user should be able to present.

For example, a security card, a one-time code, a password, biometrics and so on.

The AAA server then compares what was presented with its database, looking for a match. If there is no match, or the credentials fail to validate, access is denied. Otherwise the user is authenticated, and what he or she may do is decided by the next part, Authorization.

Cisco says: Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.

Authorization decides what an authenticated user is allowed to do: which services, commands or resources are granted, and with what limits. It depends on the information stored in the AAA server: every user who is to be authorized must have a record (or match a group profile) in the server's database, and the privileges in that record are applied when the session is set up. Authentication answers "who are you?" and authorization answers "what may you do?"; the two should not be confused, since a valid password proves identity but grants nothing by itself.

So once a user is cleared for the system, is AAA finished? The answer is no.

Wikipedia has this to say: Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the user or other entity, the nature of the service delivered, when the service began, and when it ended, and if there is a status to report.
How then does accounting come into play? Is it even a security measure?

Accounting has a great role to play in AAA, and the AAA server carries it out for every session it has authorized. I believe that accounting may be the most powerful security aspect in this area. Authentication and authorization are the front line of security tasks, but accounting is a great deterrent to anybody trying to breach a system protected by AAA, because it creates a record that can be reviewed afterwards.

To do this, the accounting part records information about each user's session: who logged in, from where, when the session started and ended, and how much time or data the user consumed. This is done by logging session statistics and usage information, and the records serve authorization control, trend analysis, resource utilization, capacity planning and billing.

With accounting, administrators can review what each user did: whether someone is abusing their privileges or carrying out threats to the system, such as planting malicious software. Furthermore, administrators can improve their systems through accounting by revoking rights from a suspicious user, or from a user who does not require that much access to the system. Accounting records are only useful if they are sent to a server the user cannot tamper with and are actually reviewed; an unread log deters nobody.
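As an added example of the review step (my code, not from the page or any AAA product), the following Python parses a small set of constructed RADIUS-style accounting records (the attribute names are the standard Acct-* attributes, but the lines and users are made up) and flags the things an administrator would look for: a user who opened a second session while the first was still running, sessions that never received a Stop, and a session whose upload volume exceeds a threshold. The one-gigabyte threshold is an assumption for the demonstration.

```python
from collections import defaultdict

# Constructed RADIUS-style accounting records (one attribute=value list per line),
# not taken from any real server.
ACCOUNTING_LOG = """\
2012-05-20T08:01:12 Acct-Status-Type=Start User-Name=alice Acct-Session-Id=a1 NAS-IP-Address=10.0.0.5 Framed-IP-Address=10.1.2.3
2012-05-20T08:05:00 Acct-Status-Type=Start User-Name=bob Acct-Session-Id=b1 NAS-IP-Address=10.0.0.5 Framed-IP-Address=10.1.2.4
2012-05-20T08:06:00 Acct-Status-Type=Start User-Name=bob Acct-Session-Id=b2 NAS-IP-Address=10.0.0.6 Framed-IP-Address=10.1.2.9
2012-05-20T08:07:00 Acct-Status-Type=Start User-Name=carol Acct-Session-Id=c1 NAS-IP-Address=10.0.0.5 Framed-IP-Address=10.1.2.5
2012-05-20T09:31:12 Acct-Status-Type=Stop User-Name=alice Acct-Session-Id=a1 Acct-Session-Time=5400 Acct-Input-Octets=1200000 Acct-Output-Octets=8000000 Acct-Terminate-Cause=User-Request
2012-05-20T12:06:00 Acct-Status-Type=Stop User-Name=bob Acct-Session-Id=b2 Acct-Session-Time=14400 Acct-Input-Octets=9000000000 Acct-Output-Octets=50000 Acct-Terminate-Cause=Lost-Carrier
"""


def parse_records(text: str) -> list:
    """Turn each line into a dict; the first token is the timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *attrs = line.split()
        rec = {"timestamp": ts}
        for attr in attrs:
            k, _, v = attr.partition("=")
            rec[k] = v
        records.append(rec)
    # ISO-8601 timestamps sort correctly as strings
    return sorted(records, key=lambda r: r["timestamp"])


def analyse(records: list, upload_limit: int = 1_000_000_000) -> dict:
    """Flag users with overlapping sessions, sessions that never stopped,
    and sessions that uploaded more than upload_limit bytes."""
    open_sessions = defaultdict(set)      # user -> session ids currently open
    concurrent, heavy_upload, stop_without_start = set(), [], []
    for rec in records:
        user, sid = rec["User-Name"], rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            if open_sessions[user]:
                concurrent.add(user)      # a second session while one is still open
            open_sessions[user].add(sid)
        elif rec["Acct-Status-Type"] == "Stop":
            if sid not in open_sessions[user]:
                stop_without_start.append(sid)
            open_sessions[user].discard(sid)
            # Acct-Input-Octets counts bytes the NAS received from the user,
            # i.e. the user's upload; an unusually large value can mean exfiltration
            if int(rec.get("Acct-Input-Octets", 0)) > upload_limit:
                heavy_upload.append((user, sid, int(rec["Acct-Input-Octets"])))
    still_open = sorted(f"{u}:{s}" for u, sids in open_sessions.items() for s in sids)
    return {"concurrent_users": sorted(concurrent),
            "heavy_upload": heavy_upload,
            "still_open": still_open,
            "stop_without_start": stop_without_start}


if __name__ == "__main__":
    for finding, value in analyse(parse_records(ACCOUNTING_LOG)).items():
        print(f"{finding}: {value}")
```

On the constructed log this reports bob for both concurrent sessions and heavy upload, and lists bob:b1 and carol:c1 as still open. In a real deployment the Start and Stop records arrive from different NAS devices, so the analysis has to run on the central accounting server where they are collected, which is also the only place the records are safe from the user being audited.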

Sunday, 13 May 2012

Access Control List

What is access control list?
http://en.wikipedia.org/wiki/Access_control_list Wikipedia says: An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.


http://www.techrepublic.com/article/cisco-ios-access-lists-10-things-you-should-know/5731134 Tech Republic says: In the Cisco IOS, an access control list is a record that identifies and manages traffic. After identifying that traffic, an administrator can specify various events that can happen to that traffic.


So from these two sites, an access control list is an ordered list of rules that controls traffic in and out of a networking device, a router for example.


The Magnolia CMS documentation at http://documentation.magnolia-cms.com/administration/security/accesscontrollists.html shows an example of an ACL (the screenshot is not reproduced here). There the ACL is applied to content objects rather than to network traffic, which matches the file-system sense of the term in the Wikipedia definition above.


What's the most common type of ACL?

Since an ACL controls traffic, the most common type of ACL is the IP ACL, because IP is the most common type of traffic. There are two types of IP ACLs: standard and extended. Standard ACLs can only filter traffic by the source IP address. Extended IP ACLs are more versatile, able to match traffic based on protocol, source IP, source port, destination IP and destination port. On Cisco IOS, the ACL number tells the router which type it is:
  • Standard IP ACLs: 1 to 99 and 1300 to 1999
  • Extended IP ACLs: 100 to 199 and 2000 to 2699
Examples: 

Access-list 1 permit any
Access-list 1 deny host 10.1.1.1
Access-list 1 deny any

An ACL is evaluated from the top down and the first matching line wins. The first line permits anything, so all traffic matches it, the router permits all traffic, and processing stops; the two deny lines below it can never match. To actually block 10.1.1.1, the deny host line must come before the permit any line.
*Any source IP not matched by an explicit line is automatically dropped, because every IOS ACL ends with an implicit "deny any". An ACL containing only deny statements therefore blocks everything, and an ACL does nothing at all until it is applied to an interface with ip access-group.
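As an added example (my code, not from the page or from Cisco), the following Python parses standard numbered IOS ACL lines, including host and wildcard-mask forms, and evaluates a source address against them with first-match semantics and the implicit deny at the end. It runs both the ACL as written above and a reordered version, so the ordering mistake shows up as a result rather than an explanation. The ACL texts are the page's three lines; the wildcard example in the usage note is an assumption.

```python
import ipaddress

# The ACL from the text, exactly as written (permit first, so the denies are dead)
PAGE_ACL = """\
access-list 1 permit any
access-list 1 deny host 10.1.1.1
access-list 1 deny any
"""

# The same ACL reordered so that the host-specific deny is reached
FIXED_ACL = """\
access-list 1 deny host 10.1.1.1
access-list 1 permit any
"""


def parse_acl(text: str) -> list:
    """Parse standard numbered IOS ACL lines into (action, network, source_line)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0].lower() != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        number, action, target = int(tokens[1]), tokens[2].lower(), tokens[3:]
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard IP ACL number")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if target == ["any"]:
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target[0].lower() == "host":
            net = ipaddress.ip_network(f"{target[1]}/32")
        else:
            # "A.B.C.D W.X.Y.Z": the IOS wildcard mask is an inverted netmask,
            # which ipaddress accepts as a hostmask ("10.1.1.0/0.0.0.255")
            net = ipaddress.ip_network(f"{target[0]}/{target[1]}", strict=False)
        rules.append((action, net, line.strip()))
    return rules


def evaluate(rules: list, src: str) -> tuple:
    """First match wins; no match falls through to the implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, net, line in rules:
        if addr in net:
            return action, line
    return "deny", "implicit deny"


if __name__ == "__main__":
    for name, acl in (("page", PAGE_ACL), ("fixed", FIXED_ACL)):
        rules = parse_acl(acl)
        for ip in ("10.1.1.1", "10.1.1.2"):
            print(f"{name:5} {ip:10} -> {evaluate(rules, ip)}")
```

With the page's ordering, 10.1.1.1 is permitted by the first line; with the deny moved up it is denied and everything else is still permitted. A wildcard line such as "access-list 1300 permit 10.1.1.0 0.0.0.255" permits the whole /24 and, having no permit any, leaves every other address to the implicit deny.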

Sunday, 29 April 2012

Security Policy

What is a Security Policy?
http://searchsecurity.techtarget.com/definition/security-policy says : "A security policy is continuously updated as technology and employee requirements change. A company's security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made."


http://www.windowsecurity.com/articles/Defining_a_Security_Policy.html says: "a policy would be some form of documentation that is created to enforce specific rules or regulations and keep a structure on procedures", "in the context of 'security', is simply a policy based around procedures revolving around security" and "disaster recovery policy is a set of procedures, rules and plans revolving around having a disaster and how to recover from it."


- Description of how the company plans to educate its employees about protecting the company's assets
- Explanation of how security measures are carried out
- Procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made
- Specific rules and regulations and keep a structure on procedures
- Like a disaster recovery policy, how to recover from a disaster


So basically a security policy is something every company should have: a written, black-and-white document in which the company sets out its plans for educating employees about safeguarding the company's assets. It also states how security measures are enforced, such as requiring credentials or personal authorisation methods, and how the company recovers from a disaster. Finally, it should include a way to measure its own effectiveness and make sure that any flaw found is corrected.

Common Networking Attacks Threats and Solution

A network attack can be defined as a threat, intrusion, denial of service or other attack on a network that tries to bring the network down by crashing it or corrupting it. The attacker might not only be interested in exploiting software applications, but also try to obtain unauthorized access to network devices or classified information.


In most organizations, every email, web page request, user logon and transmitted file is handled by a network device. In some setups, telephone service and voice messaging are also handled by network devices. If attackers are able to control these devices or observe this traffic, they have already successfully carried out a network attack. Network attacks cut across all categories of software and platform type. Some examples are: Spoofing, Sniffing, Mapping, Hijacking, Trojans, Denial of Service (DoS).




Spoofing


Any Internet-connected device sends data containing its origin and destination. Such IP packets carry the sender's IP address in the packet header. The network does not verify that address: an attacker with raw-socket access on his own machine (no control over anyone else's software is needed) can place any IP address he likes into the source field. This is known as IP spoofing, and it makes data appear to come from any source the attacker chooses. Because replies go to the spoofed address rather than to the attacker, spoofing is mostly used for one-way traffic such as flooding and amplification attacks, and a spoofed source address makes it difficult to find the original sender.

Solution to Spoofing


The countermeasure for spoofing is ingress filtering (described in BCP 38 / RFC 2827). Routers usually perform this. A router checks whether the source address of each incoming datagram is one that could legitimately be reached via the interface it arrived on. If the source address is within the prefixes known to be reachable via that interface, the packet is considered legitimate; if it is not in the valid range, the packet is dropped. The same principle drops packets from private or reserved ("bogon") ranges arriving from the Internet, and packets claiming one of the organization's own addresses arriving from outside. Note that ingress filtering mainly protects other networks from your users spoofing; it protects you only to the extent that your upstream providers deploy it too.
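As an added example (my code, not from the page or from any router vendor), the following Python models the ingress check just described for one edge router: a packet is dropped if its source address is not within the prefixes reachable via the arrival interface, and packets arriving from the upstream side are additionally checked against bogon ranges and the organization's own prefixes. The interface names, prefixes and sample packets are constructed assumptions; the bogon list is the usual set of private and reserved IPv4 ranges.

```python
import ipaddress

# Constructed routing picture for one edge router (not a real topology):
# which source prefixes can legitimately arrive on each interface.
REACHABLE_VIA = {
    "eth0": ["203.0.113.0/24"],      # customer LAN: only their assigned block
    "eth1": ["0.0.0.0/0"],           # upstream/Internet: anything, subject to checks below
}
OUR_PREFIXES = ["203.0.113.0/24"]    # addresses that must never arrive from upstream
# Private and reserved ranges that should never appear as sources on the Internet
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]


def _in_any(addr, prefixes) -> bool:
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def ingress_check(iface: str, src: str, table=REACHABLE_VIA,
                  our=OUR_PREFIXES, bogons=BOGONS) -> str:
    """Return 'accept' or the reason the packet is dropped (BCP 38 style)."""
    addr = ipaddress.ip_address(src)
    if iface not in table:
        return "drop: unknown interface"
    if not _in_any(addr, table[iface]):
        return "drop: source not reachable via this interface (spoofed)"
    if "0.0.0.0/0" in table[iface]:          # default-route side: extra sanity checks
        if _in_any(addr, bogons):
            return "drop: bogon source"
        if _in_any(addr, our):
            return "drop: our own prefix arriving from outside"
    return "accept"


# Constructed sample of (interface, source address) pairs
SAMPLE = [
    ("eth0", "203.0.113.10"),   # customer using their own address
    ("eth0", "198.51.100.5"),   # customer spoofing someone else's address
    ("eth1", "198.51.100.5"),   # genuine Internet source
    ("eth1", "203.0.113.10"),   # outsider pretending to be our customer
    ("eth1", "10.1.2.3"),       # private address from the Internet
]


def run_sample(sample=SAMPLE) -> list:
    """Evaluate every sample packet and return (iface, src, verdict) triples."""
    return [(iface, src, ingress_check(iface, src)) for iface, src in sample]


if __name__ == "__main__":
    for iface, src, verdict in run_sample():
        print(f"{iface:5} {src:15} {verdict}")
```

The first check is the whole of BCP 38: on the customer-facing interface only the customer's own block is accepted, so a spoofed 198.51.100.5 is dropped there but accepted when it arrives from the Internet side. On Cisco IOS the same behaviour is enabled per interface with ip verify unicast source reachable-via rx (strict unicast RPF), which uses the routing table instead of a hand-written prefix list.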

Sniffing



Packet sniffing is the interception of data packets travelling across a network. A sniffer program works at the Ethernet (data link) layer with the network interface card (NIC) to capture traffic travelling to and from a host. Normally a NIC only passes up frames addressed to its own MAC address; a NIC placed in promiscuous mode passes up every frame it sees, so a sniffer running on that host captures all the communication on its network segment. On a switched network a host only sees its own traffic, so a sniffer there needs a mirror (SPAN) port or an active trick such as ARP spoofing to see other hosts' frames, and a sniffer placed on a backbone device, inter-network link or network aggregation point will be able to monitor a great deal of traffic. Most packet sniffers are passive and simply listen to all data link layer frames passing the device's network interface. There are dozens of freely available packet sniffer programs on the Internet, and the more sophisticated ones allow more active intrusion.
The key to detecting packet sniffing is to detect network interfaces that are running in promiscuous mode. Sniffing can be detected in two ways:
  1. Host-based: software commands exist that can be run on individual host machines to tell if the NIC is running in promiscuous mode (on Linux, the PROMISC flag shown by ip link show), and administrators can also check for the sniffer's running process and the large capture files such programs produce. However, sophisticated intruders almost always hide their tracks by disguising the process and cleaning up the files.
  2. Network-based: a host in promiscuous mode answers packets that a normal host would ignore, so a detector can send, for example, an ICMP echo request addressed to the suspect at the IP layer but to a bogus MAC address at the Ethernet layer; only a promiscuous host replies.
The best countermeasure against sniffing is end-to-end or user-to-user encryption, so that whatever is captured is useless without the keys.

Source: http://ayurveda.hubpages.com/hub/Types-of-Network-Attacks