Public Key Infrastructure (Digital Cert )

A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.

The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure is the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.)

A public key infrastructure consists of:

• A certificate authority (CA) that issues and verifies digital certificate. A certificate includes the public key or information about the public key
• A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
• One or more directories where the certificates (with their public keys) are held
• A certificate management system

Reference
http://searchsecurity.techtarget.com/definition/PKI

IPSec (ESP, AH, DES, MD5, SHA, DH)

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

The main job of ESP is to provide the privacy we seek for IP datagrams by encrypting them. An encryption algorithm combines the data in the datagram with a key to transform it into an encrypted form. This is then repackaged using a special format that we will see shortly, and transmitted to the destination, which decrypts it using the same algorithm. ESP also supports its own authentication scheme like that used in AH, or can be used in conjunction with AH.

 For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates. 

 http://en.wikipedia.org/wiki/IPsec

http://www.tcpipguide.com/free/t_IPSecEncapsulatingSecurityPayloadESP.htm 

http://www.webopedia.com/TERM/I/IPsec.html

Authentication, Authorization and Accounting

Authentication
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to assure that the user is authentic. Each user registers initially (or is registered by someone else), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten.

For this reason, Internet business and many other transactions require a more stringent authentication process. The use of  electronic "credit card issued and verified by a Certificate Authority (CA) as part of a public key infrastructure is considered likely to become the standard way to perform authentication on the Internet. A public key infrastructure enables users of a basically insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.

Aunthorization
Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines for the system which users are allowed access to the system and what privileges of use (such as access to which file directories, hours of access, amount of allocated storage space, and so forth). Assuming that someone has logged in to a computer operating system or application, the system or application may want to identify what resources the user can be given during this session. Thus, authorization is sometimes seen as both the preliminary setting up of permissions by a system administrator and the actual checking of the permission values that have been set up when a user is getting access.
Logically, authorization is done before authentication.

Accounting 
Accounting records what the user actually did, what he accessed, and how long he accessed it, for accounting, billing, and auditing purposes. Accounting keeps track of how network resources are used. Auditing can be used to track network access and to detect network intrusions



Reference:
http://searchsecurity.techtarget.com/definition/authentication
http://en.wikipedia.org/wiki/Authorization
http://en.wikipedia.org/wiki/Accounting_software
 






 















References
http://searchsecurity.techtarget.com/definition/authentication
http://searchsoftwarequality.techtarget.com/definition/authorization

Context-based Access Control

The Context-Based Access Control (CBAC) feature of the Cisco IOS® Firewall Feature Set actively inspects the activity behind a firewall. CBAC specifies what traffic needs to be let in and what traffic needs to be let out by using access lists. However, CBAC access lists include ip inspect statements that allow the inspection of the protocol to make sure that it is not tampered with before the protocol goes to the systems behind the firewall. 

Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information to learn about the state of the TCP or UDP session. This allows support of protocols that involve multiple channels created as a result of negotiations in the FTP control channel.

Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple control channels.

CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions (sessions that originated from within the protected internal network).

CBAC does the deep packet inspection and hence it is termed to be a IOS Firewall.


 

References

http://en.wikipedia.org/wiki/Context-based_access_control 

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml 

Access Control Lists

An access list control(ACL) is a list of permission attached to a computer file and also controls traffic into and out of your network. ACL specifies which users or systems processors are granted access to computer files, as well as what operations are allowed on given computer files. Each entry in a typical ACL specifies a subject and an operand(quantity on which an operation is performed). For example, if a file has an ACL that contains ( Hafiz, Read), means Hafiz is given the permission of reading the file.





Inbound ACLs:
Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is processed for routing.

Outbound ACLs:
Incoming packets are routed to the outbound interface and then processed through the outbound ACL.

References 
http://en.wikipedia.org/wiki/Access_control_list

Secure Perimeter Routers & Disable Services & Logging

The perimeter router is usually the first line of defense against security threats. The role of a perimeter router is to filter any outside traffic to implement basic security for the DMZ and preliminary filtering for the inside network. Of course there are many things that can be done to secure perimeter routers.

Disabling unused services such as CDP, finger, and TCP and UDP can increase security.  Many of these services have security issues, each with its own level of risk. A hacker may use these services to his/her own advantage by gathering information about your router, or even try to gain unauthorized access. Hence, disabling all of the unused services on the perimeter router is necessary.

For security purposes, event logging on perimeter routers is important. The events that are usually logged are interface status change, changes to system configuration, access list matches, events detected by the firewall, and intrusion detection features. Most routers are able to save system logging information to a local RAM buffer. This can be used for further reference if any security issues pop up later. However, if the router is reloaded, all the contents are lost.

References
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/

Common Threats to Router and Switch Physical &Mitigation

There are basically 4 threats:
1)Hardware
2)Electrical
3)Environmental
4)maintenance

1)Hardware
Hardware threats involve threats of physical damage to the router or switch hardware. These network equipment should be located in wiring closets or in computer or telecommunications rooms that meet these minimum requirements:

• The room must be locked with only authorized personnel allowed access.
• The room should not be accessible via a dropped ceiling, raised floor, window, ductwork, or point of entry other than the secured access point.
• If possible, use electronic access control with all entry attempts logged by security systems and monitored by security personnel.
• If possible, security personnel should monitor activity via security cameras with automatic recording

2)Electrical
Electrical threats include irregular fluctuations in voltage, such as insufficient supply of voltage and voltage spikes.Electrical threats, such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss, can be limited by adhering to these guidelines:

• install uninterruptible power supply (UPS) systems for mission-critical Cisco network devices.
• Install backup generator systems for mission-critical supplies.
• Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturer-suggested preventative maintenance schedule.
• Install redundant power supplies on critical devices.
• Monitor and alarm power-related parameters at the power supply and device levels.

3)Environmental
Environmental threats include very low or high temperatures, moisture, electrostatic, and magnetic Interference Environmental threats, such as temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry), also require mitigation. Take these actions to limit environmental damage to Cisco network devices:

• Supply the room with dependable temperature and humidity control systems. Always verify the recommended environmental parameters of the Cisco network equipment with the supplied product documentation.
• Remove any sources of electrostatic and magnetic interference in the room.
• If possible, remotely monitor and alarm the environmental parameters of the room.

4)Maintenance
Maintenance threats include not having backup parts or components for critical network components; not labeling components and their cabling correctly Maintenance threats include poor handling of key electronic components, electrostatic discharge (ESD), lack of critical spares, poor cabling, poor labeling, and so on. Maintenance-related threats are a broad category that includes many items. Follow the general rules listed here to prevent maintenance-related threats:

• Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection, or incorrect termination.
• Use cable runs, raceways, or both to traverse rack-to-ceiling or rack-to-rack connections.
• Always follow ESD procedures when replacing or working with internal router and switch device components.
• Maintain a stock of critical spares for emergency use.
• Do not leave a console connected to and logged into any console port. Always log off administrative interfaces when leaving a station.
• Do not rely upon a locked room as the only necessary protection for a device. Always remember that no room is ever totally secure. After intruders are inside a secure room, nothing is left to stop them from connecting a terminal to the console port of a Cisco router or switch

References
http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/mitigating-common-threats.html

Network / Port Address Translation

Network / Port Address Translation(NAT) is the process of modifying IP address information in IP packet headers while it is in transit across a traffic routing device. The simplest type of NAT provides a one to one translation of IP addresses. In this type of NAT, only the IP addresses, IP header checksum and any higher level checksums that include the IP address need to be changed. The rest of the packet can be left untouched. Basic NATs can be used when there is a requirement to interconnect two IP networks with incompatible addressing.

In the mid-1990s NAT became a popular tool for alleviating the consequences of IPv4 address exhaustion. It has become a common, indispensable feature in routers for home and small-office Internet connections. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address.

However, NAT  has serious drawbacks on the quality of Internet connectivity and requires careful attention to the details of its implementation. In particular, all types of NAT break the originally envisioned model of IP end-to-end connectivity across the Internet and Network Address Port Translation(NAPT) makes it difficult for systems behind a NAT to accept incoming communications. As a result, NAT traversal methods have been devised to alleviate the issues encountered.

References
http://en.wikipedia.org/wiki/Network_address_translation

Perimeter Router, Internal Router and Firewall

Perimeter Router

Perimeter router's are a  standard router providing a serial connection to the outside world and a LAN connection to the internal network. The perimeter router should provide any filtering of outside traffic to implement basic security for the dirty DMZ and preliminary filtering for the inside network. This device could be running the firewall feature set for additional security options.

Internal Router 

An internal router is a router that has Open Shortest Path First(OSPF) neighbor relationships with interfaces in the same area. Also, an internal router has all its interfaces in a single area.

Firewall

The objective of a router is to control the incoming and outgoing traffic of network by analyzing the data packets and determining whether it should be allowed through or not, based on a predetermined rule set. A network's firewall builds a brigade between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network, such as the Internet, that is not assumed to be secure and trusted.

^References

^{http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/}

^{http://en.wikipedia.org/wiki/Open_Shortest_Path_First}

^{http://en.wikipedia.org/wiki/Firewall_%28computing%29}