Friday, 1 June 2012

Site-To-Site VPN & Remote-Access VPN


Site-To-Site Virtual Private Network

A site-to-site VPN allows different offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. An example would be accessing the school server from home or somewhere else other than the school. A site-to-site VPN extends the company's network, making the computer resources at one location available to employees at other locations. Many growing companies and corporations need a site-to-site VPN because they have dozens of branch offices around the world.


It is important to know that there are two types of site-to-site VPNs:


1) Intranet-Based &
2) Extranet-Based.



An intranet-based VPN is used when a company has one or more remote locations that it wishes to join into a single private network; it creates an intranet VPN to connect each separate LAN to a single WAN.
An extranet-based VPN is used when a company has a close relationship with another company; it can build an extranet VPN that connects those companies' LANs. This extranet VPN lets the corporations work alongside each other in a secure network environment while still denying each other access to their own separate intranets.


Remote-access VPN

A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged into the network's servers. An example of a company that would need a remote-access VPN is a large firm with hundreds of salespeople in the field. Two components are needed in a remote-access VPN.


They are:
1) Network Access Server (NAS)
2) Client software


The NAS is what a user connects to from the Internet in order to use the VPN. The NAS requires the user to provide valid credentials to sign in to the VPN, and it checks them using either its own authentication process or a separate authentication server running on the network.
The other component needed is client software. Employees who want to use the VPN from their computers need software on those computers that can establish and maintain a connection to the VPN.




Friday, 25 May 2012

Public Key Infrastructure


A public-key infrastructure (PKI) is the set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates.
- A system for the creation, storage and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity.
- A PKI (1) creates digital certificates which map public keys to entities, (2) stores certificates in a central repository, and (3) revokes them when needed.
- A digital certificate is an electronic document which uses a digital signature to bind a public key to an identity. The identity information may include the name of the person or organization, their address, etc. The certificate can be used to verify that a public key belongs to an individual.
A PKI is an arrangement that binds public keys with their respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain.
There are three methods of certification:
1) Certificate authorities (CAs)
2) Web of trust (WOT)
3) Simple public-key infrastructure (SPKI)

Certificate authorities (CAs)
A CA digitally signs and publishes the public key bound to a given user, using the CA's own private key; trust in the user's key therefore relies on one's trust in the validity of the CA's key. The mechanism that binds keys to users is called the Registration Authority (RA), which may or may not be separate from the CA.
Web of Trust (WOT)
The web of trust is an alternative approach to the problem of public authentication of public-key information; it uses self-signed certificates and third-party attestations of those certificates.
Simple public-key infrastructure (SPKI)
This is another alternative, one which does not deal with public authentication of public-key information. SPKI does not associate users with persons, since the key is what is trusted, rather than the person. SPKI also does not use any notion of trust, as the verifier is also the issuer.
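To make the CA model concrete, here is an added example (not code from the original post) of a toy CA that signs a certificate binding an identity to a public key, and a verifier that accepts the genuine certificate but rejects one whose subject was altered or one checked against a different CA key. It uses textbook RSA with constructed tiny primes purely to illustrate the binding; the hash-reduction and key sizes are insecure.

```python
import hashlib
import json

# Constructed toy primes: a real CA uses 2048-bit+ RSA or ECDSA keys.
CA_PRIMES = (1000003, 1000033)
ALICE_PRIMES = (999983, 999979)


def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes; returns (public, private) as (n, exponent)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data, n):
    """SHA-256 of data, reduced into the modulus (toy stand-in for signature padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(digest_int(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


def encode_body(body):
    """Canonical bytes of the certificate body so signer and verifier hash the same thing."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, subject, subject_public):
    """The CA binds an identity to a public key by signing the pair with its private key."""
    body = {"subject": subject, "public_key": list(subject_public)}
    return {"body": body, "signature": sign(ca_private, encode_body(body))}


def verify_certificate(ca_public, cert):
    """Trust in the subject's key rests entirely on trust in the CA key used here."""
    return verify(ca_public, encode_body(cert["body"]), cert["signature"])


if __name__ == "__main__":
    ca_public, ca_private = rsa_keypair(*CA_PRIMES)
    alice_public, _ = rsa_keypair(*ALICE_PRIMES)
    cert = issue_certificate(ca_private, "alice@example.com", alice_public)
    print("genuine certificate:", verify_certificate(ca_public, cert))
    forged = {"body": dict(cert["body"], subject="mallory@example.com"),
              "signature": cert["signature"]}
    print("altered subject:", verify_certificate(ca_public, forged))
```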

IPSec (ESP, AH, DES, MD5, SHA, DH)


ESP - Encapsulating Security Payloads.
AH - Authentication Headers
DES - Data Encryption Standard
MD5 - Message-digest Algorithm.
SHA - Secure Hash Algorithm
DH - Diffie-Hellman
Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating each IP packet of a communication session. It also includes protocols for establishing mutual authentication. Operating at the Internet layer of the Internet protocol suite, it is an end-to-end security scheme. It is used to protect the data flow between a pair of hosts, a pair of security gateways, or between a security gateway and a host:
- host-to-host
- network-to-network
- network-to-host
The IPSec suite is an open standard. It uses the following protocols to perform various functions.

1) Authentication Headers (AH) – provides connectionless integrity and data origin authentication for IP datagrams and provides protection against replay attacks.
- Member of IPsec protocol suite.
- Guarantees connectionless integrity and data origin authentication of IP packets.
- Uses sliding window technique to protect against replay attacks.
2) Encapsulating Security Payloads (ESP) – provides confidentiality, data-origin authentication, connectionless integrity, anti-replay service and limited traffic-flow confidentiality.
- Member of IPsec protocol suite.
- Provides origin authenticity, integrity, and confidentiality protection of packets.
- Supports encryption-only and authentication-only configurations.
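The sliding-window replay protection mentioned for AH and ESP above, as an added example (not code from the original post) written in the style of the RFC 4303 anti-replay window: the receiver keeps the highest sequence number seen plus a bitmap of which numbers inside the window have already been accepted, checks each packet against it, and only records the number after the packet's integrity check (ICV) passes. The class and function names are my own.

```python
class AntiReplayWindow:
    """Anti-replay window: bit i of `bitmap` records whether sequence number
    `highest - i` has already been accepted; the window spans `size` numbers."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit 0 corresponds to `highest` itself

    def check(self, seq):
        """Pre-check done before integrity verification: could this seq be accepted?"""
        if seq == 0:                       # 0 is never a valid AH/ESP sequence number
            return False
        if seq > self.highest:             # new number: would advance the window
            return True
        diff = self.highest - seq
        if diff >= self.size:              # older than the window: drop
            return False
        return not ((self.bitmap >> diff) & 1)   # bit set means replay

    def update(self, seq):
        """Record seq; call only after the packet's ICV has been verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def accept(self, seq, icv_ok=True):
        """Full receive path: window check, then (simulated) ICV result, then update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def filter_sequence(seqs, size=64):
    """Run a list of sequence numbers through one window; returns (seq, accepted) pairs."""
    window = AntiReplayWindow(size)
    return [(seq, window.accept(seq)) for seq in seqs]


if __name__ == "__main__":
    # Constructed demo input: a replay of 2 and a packet (6) that falls behind the window.
    for seq, ok in filter_sequence([1, 2, 2, 5, 4, 3, 70, 6], size=64):
        print(seq, "accepted" if ok else "dropped")
```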



DES - Data Encryption Standard
- A previously predominant algorithm for the encryption of electronic data.
MD5 - Message-digest Algorithm.
- A widely used cryptographic hash function that produces a 128-bit hash value. It is commonly used to check data integrity. An MD5 hash is typically expressed as a 32-digit hexadecimal number.
SHA - Secure Hash Algorithm
- One of a number of cryptographic hash functions.
DH - Diffie-Hellman
- A public-key cryptography protocol. It allows two parties to establish a shared secret key, used by encryption algorithms, over an insecure communications channel.
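The Diffie-Hellman exchange just described, as an added example (not code from the original post): each side computes a public value from its private exponent, only the public values cross the insecure channel, and both sides derive the same SHA-256 key from the shared secret. The group, the `DHParty` class and the `valid_public_value` check are my own; the check rejects public values such as 0, 1 and p-1 that would let an outsider force the secret to a predictable value.

```python
import hashlib
import secrets

# Toy group: p = 2q + 1 is a safe prime and 4 = 2**2 generates the subgroup
# of prime order q. Far too small for real use (real groups are 2048-bit+).
P = 10007
Q = (P - 1) // 2      # 5003
G = 4


def valid_public_value(y):
    """Accept only values inside (1, p-1) that lie in the prime-order subgroup."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


class DHParty:
    def __init__(self, name, private=None):
        self.name = name
        # Private exponent in [2, q-1]; a fixed value may be supplied for tests.
        self.private = private if private is not None else secrets.randbelow(Q - 2) + 2
        self.public = pow(G, self.private, P)      # the only thing sent on the wire

    def shared_key(self, peer_public):
        """Validate the peer's public value, then derive a symmetric key."""
        if not valid_public_value(peer_public):
            raise ValueError(f"{self.name}: rejected peer public value {peer_public}")
        secret = pow(peer_public, self.private, P)
        width = (P.bit_length() + 7) // 8
        return hashlib.sha256(secret.to_bytes(width, "big")).hexdigest()


def exchange(initiator, responder):
    """Both sides exchange public values; returns the key each side derived."""
    return initiator.shared_key(responder.public), responder.shared_key(initiator.public)


if __name__ == "__main__":
    alice, bob = DHParty("alice"), DHParty("bob")
    key_a, key_b = exchange(alice, bob)
    print("keys match:", key_a == key_b)
```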

http://en.wikipedia.org/wiki/Encapsulating_Security_Payload#Encapsulating_Security_Payload
http://en.wikipedia.org/wiki/Data_Encryption_Standard

Saturday, 19 May 2012

Authentication, Authorization and Accounting (AAA)


AAA enables control over which users are allowed access to which services, and how much of the resources they have used. The network protocol that provides this function is the RADIUS protocol. Another network protocol that provides the same function is the newer Diameter. The three functions are all important and each plays its own role.
Authentication
This is the process in which an entity's identity is verified. It is usually done by the entity providing evidence that it holds a specific digital identity. Such credentials include passwords and digital certificates.
Authorization
The authorization portion is the one that determines whether a particular entity is authorized to perform a given activity. This can be decided based on a range of restrictions. One example is a physical-location restriction: if the user is gaining access from a particular location, the user may not get access. Another restriction may be against multiple accesses by the same entity or user.
Accounting
Accounting refers to the tracking of network resource consumption by each user, for capacity and trend analysis, cost allocation or billing. It may also record events such as authentication and authorization failures; this part shows the failed attempts to log in to the system, where they came from, etc.
The information gathered during accounting is the identity of the user or other entity, the nature of the service delivered, when the service began, when it ended, and whether there is a status to report.








Wednesday, 9 May 2012

Access Control List


An access control list, also known as an ACL, is a table that tells a computer operating system (OS) which access rights each user has to a particular system object, such as a file directory or an individual file. Each object has a security attribute that identifies its access control list. The list has an entry for each system user with access privileges. The most common privileges include the ability to read, write and execute the file. The way the list is implemented differs for each operating system.
ACL-based security models
When a subject requests an operation on an object in an ACL-based security model, the operating system first checks the ACL for an applicable entry to decide whether the requested operation is authorized. ACL models may be applied to collections of objects as well as to individual entities within the system's hierarchy.
Filesystem ACLs
A filesystem ACL is a data structure which usually comes in a table that contains entries that specify individual user or group rights to specific system objects such as programs, processes or files.
Networking ACLs
On the other hand, on some types of proprietary computer hardware, an access control list may also refer to rules that are applied to port numbers or network daemon names that are available on a host or other layer-3 device.
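The two ACL flavours above, as an added example (not code from the original post): a filesystem-style check in which the OS looks up the object's ACL for entries matching the subject's user or groups, lets an explicit deny override any allow, and denies when no entry applies; and a network-style rule list matched on protocol and port where the first matching rule decides and anything unmatched is denied. The entry format and function names are my own.

```python
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    principal: str        # "user:<name>" or "group:<name>"
    rights: frozenset     # subset of {"read", "write", "execute"}
    allow: bool = True    # False makes this an explicit deny entry


@dataclass
class Subject:
    user: str
    groups: frozenset = field(default_factory=frozenset)

    def matches(self, principal):
        kind, _, name = principal.partition(":")
        return (kind == "user" and name == self.user) or \
               (kind == "group" and name in self.groups)


def fs_authorized(acl, subject, operation):
    """Filesystem-style decision: a matching deny wins, else a matching allow, else deny."""
    matching = [e for e in acl if subject.matches(e.principal) and operation in e.rights]
    if any(not e.allow for e in matching):
        return False
    return any(e.allow for e in matching)


def net_authorized(rules, protocol, port):
    """Network-style decision: rules are (action, protocol, port) tuples checked in
    order; the first match decides and an unmatched packet is implicitly denied."""
    for action, rule_proto, rule_port in rules:
        if rule_proto in (protocol, "any") and rule_port in (port, "any"):
            return action == "permit"
    return False


if __name__ == "__main__":
    # Constructed sample ACL for one file and one host's service rules.
    file_acl = [AclEntry("group:staff", frozenset({"read"})),
                AclEntry("user:bob", frozenset({"read", "write"})),
                AclEntry("user:eve", frozenset({"read"}), allow=False)]
    print("alice read:", fs_authorized(file_acl, Subject("alice", frozenset({"staff"})), "read"))
    print("eve read:", fs_authorized(file_acl, Subject("eve", frozenset({"staff"})), "read"))
    host_rules = [("permit", "tcp", 22), ("permit", "tcp", 443), ("deny", "any", "any")]
    print("tcp/23:", net_authorized(host_rules, "tcp", 23))
```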

Saturday, 5 May 2012


Securing perimeter routers
There are a few things that should be done and configured to secure the network, and using Cisco routers is one of them. It is important that the network be secured using some kind of security policy and parameters. The perimeter routers must be secured so that the LAN resources are not threatened by the outside world.


Perimeter router and PIX Firewall
First of all, using firewalls helps with securing the network. Medium-sized businesses can take security to the next level by placing a firewall between the perimeter router and the internal network. By filtering out unnecessary traffic before it enters the network, the perimeter router supports and helps the firewall.


Router Running Firewall Feature
However, for smaller businesses, using Cisco routers as firewalls is possible. The only thing that needs to be done is to load the firewall feature set on the router. Once that is done, the router is configured to protect the network through packet filtering. The difference is that the firewall feature set on the router will not provide the same level of protection as the PIX Firewall mentioned above.
The two approaches above are combined by large businesses that want to secure their network.
Large businesses use a three-tiered approach to secure their network. First, the perimeter routers provide preliminary protection in front of the PIX Firewall. Then the real firewall does the actual packet filtering. Lastly, the internal routers make sure that certain VLANs are safe from traffic coming into the corporate LANs.


http://www.informit.com/articles/article.aspx?p=102180&seqNum=3


Friday, 4 May 2012


Common threats to routers and switches
Threats and Attacks on Routers and Switches.
When someone wants to attack a network, they will target the router because it is considered the central attack point: routers are the hub of data transmission. Like a traffic light, the router controls the flow. Not only do attacks cause disruption of service; routers are also exploited to capture confidential information such as passwords.
There are five threats to the router:
1) Packet Sniffing – Data is captured using a program that listens to network traffic.
2) XSS – A kind of attack used to reveal the user's physical location without the user knowing about it.
3) WEP Cracking – Wired Equivalent Privacy is a form of wireless security on home routers. It is cracked using packet-sniffing programs.
4) CSRF – Cross-Site Request Forgery is a web-based attack used to gain control of email and user-approved web applications. It usually comes in the form of a spam email.
5) DDoS – Distributed Denial of Service is when a user continually sends mass requests to a router to overload it, causing the network to crash.