Friday, 25 May 2012

Public Key Infrastructure


A public-key infrastructure (PKI) is a set of hardware, software, people, policies and procedures that is needed to create, manage, distribute, use, store and revoke digital certificates.
- A system for the creation, storage and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity.
- A PKI (1) creates digital certificates which map public keys to entities, (2) stores certificates in a central repository and (3) revokes them when needed.
- A digital certificate is an electronic document which uses a digital signature to bind a public key with an identity. The identity information may include the name of a person or organization, their address, etc. The certificate can be used to verify that a public key belongs to an individual.
A PKI is an arrangement that
- Binds public keys with respective user identities by means of a certificate authority (CA).
User identities must be unique within each CA domain.
There are three methods of certification:
1) Certificate authorities (CAs)
2) Web of trust (WOT)
3) Simple public-key infrastructure (SPKI)

Certificate authorities (CAs)
The CA digitally signs and publishes the public key bound to a given user, using the CA's own private key. Trust in the user's key therefore relies on one's trust in the validity of the CA's key. The mechanism that binds keys to users is called the Registration Authority (RA), which may or may not be separate from the CA.
Web Of Trust (WOT)
This is an alternative approach to the problem of public authentication of public-key information. The web of trust scheme uses self-signed certificates and third-party attestations of those certificates.
Simple public-key infrastructure (SPKI)
This is considered another alternative, which does not deal with public authentication of public-key information. SPKI does not associate users with persons, since the key is what is trusted, rather than the person. SPKI also does not use any notion of trust, as the verifier is also the issuer.
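The CA model described above, as an added Go example (not part of the original post): a CA binds "alice" to her public key by signing a certificate with the CA's private key, and a verifier that trusts that CA's self-signed certificate accepts the binding, while a verifier that trusts a different CA does not. Names, serial numbers and validity periods are constructed for the example; it uses Go's standard crypto/x509 package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a minimal certificate template; isCA marks it as allowed to sign others.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}
// issue binds pub to tmpl's subject by signing with the signer's private key; passing the
// same template as parent yields a self-signed CA certificate (the trust anchor).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return c
}
// Chains reports whether leaf verifies with root as the only trusted CA, i.e. whether the
// binding of leaf's public key to its subject is vouched for by that CA.
func Chains(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// Demo: CA One certifies alice's public key, so her certificate chains to CA One but not to CA Two.
func Demo() (toIssuer, toStranger bool) {
	ca1Pub, ca1Key, _ := ed25519.GenerateKey(rand.Reader)
	ca2Pub, ca2Key, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader) // alice's private key never leaves her
	t1, t2 := template(1, "CA One", true), template(2, "CA Two", true)
	ca1, ca2 := issue(t1, t1, ca1Pub, ca1Key), issue(t2, t2, ca2Pub, ca2Key)
	alice := issue(template(3, "alice", false), ca1, alicePub, ca1Key)
	return Chains(alice, ca1), Chains(alice, ca2)
}
```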

IPSec (ESP, AH, DES, MD5, SHA, DH)


ESP - Encapsulating Security Payloads
AH - Authentication Headers
DES - Data Encryption Standard
MD5 - Message-Digest Algorithm
SHA - Secure Hash Algorithm
DH - Diffie-Hellman
Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating each IP packet of a communication session. It also includes protocols for establishing mutual authentication. Operating at the Internet layer of the Internet protocol suite, it is an end-to-end security scheme. It is used to protect data flows between a pair of hosts, a pair of security gateways, or between a security gateway and a host:
- host-to-host
- network-to-network
- network-to-host
The IPSec suite is an open standard. It uses the following protocols to perform various functions.

1) Authentication Headers (AH) – provides connectionless integrity and data origin authentication for IP datagrams and provides protection against replay attacks.
- Member of IPsec protocol suite.
- Guarantees connectionless integrity and data origin authentication of IP packets.
- Uses sliding window technique to protect against replay attacks.
2) Encapsulating Security Payloads (ESP) – provides confidentiality, data-origin authentication, connectionless integrity, anti-replay service and limited traffic-flow confidentiality.
- Member of IPsec protocol suite.
- Provides origin authenticity, integrity, and confidentiality protection of packets.
- Supports encryption-only and authentication-only configurations.
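The sliding-window anti-replay check that both AH and ESP apply to the sequence number in each packet, as an added Go example (not from the original post). The 64-entry window and the packet sequence used in the test are constructed for the example.

```go
package main

// ReplayWindow is the anti-replay check both AH and ESP run on every received packet
// (RFC 4302 and RFC 4303): a sliding window over recent sequence numbers, with a bitmap
// recording which numbers inside the window have already been received.
type ReplayWindow struct {
	size    uint32 // window width in sequence numbers; 64 is the conventional default
	highest uint32 // highest sequence number accepted so far; 0 before the first packet
	bitmap  uint64 // bit i set means sequence number highest-i has been received
}

func NewReplayWindow(size uint32) *ReplayWindow {
	if size == 0 || size > 64 { // this implementation keeps the bitmap in one 64-bit word
		size = 64
	}
	return &ReplayWindow{size: size}
}

// Accept reports whether seq is fresh and records it if so. Senders start at 1 and never
// send 0, so highest == 0 means nothing has been received yet. The RFCs require running
// this only after the integrity check value has verified, so a forged packet cannot slide
// the window forward and cause genuine in-flight packets to be rejected.
func (w *ReplayWindow) Accept(seq uint32) bool {
	if seq == 0 {
		return false
	}
	if seq > w.highest { // ahead of the window: slide it so seq becomes the right edge
		shift := seq - w.highest // a shift of 64 or more yields 0 in Go, clearing the window
		w.bitmap = w.bitmap<<shift | 1
		w.highest = seq
		return true
	}
	diff := w.highest - seq
	if diff >= w.size { // older than the window's left edge: reject
		return false
	}
	if w.bitmap&(1<<diff) != 0 { // already received: replay
		return false
	}
	w.bitmap |= 1 << diff
	return true
}
```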



DES - Data Encryption Standard
- A previously predominant algorithm for the encryption of electronic data.
MD5 - Message-Digest Algorithm
- A widely used cryptographic hash function that produces a 128-bit hash value. It is commonly used to check data integrity. An MD5 hash is typically expressed as a 32-digit hexadecimal number.
SHA - Secure Hash Algorithm
- One of a number of cryptographic hash functions.
DH - Diffie-Hellman
- A public-key cryptography protocol. It allows two parties to establish, over an insecure communications channel, a shared secret key that is then used by encryption algorithms.

http://en.wikipedia.org/wiki/Encapsulating_Security_Payload#Encapsulating_Security_Payload
http://en.wikipedia.org/wiki/Data_Encryption_Standard

Saturday, 19 May 2012

Authentication, Authorization and Accounting (AAA)


AAA enables control over which users are allowed access to which services, and how much of the resources they have used. The network protocol that provides this function is the RADIUS protocol. Another network protocol that provides the same function is the newer Diameter. The three parts are all important and each plays its own role.
Authentication
This is the process in which an entity's identity is verified. This is usually done by the entity providing evidence that it holds a specific digital identity. Such credentials include passwords and digital certificates.
Authorization
The authorization portion determines whether a particular entity is authorized to perform a given activity. This can be decided based on a range of restrictions. One example is a physical location restriction: if the user is gaining access from a particular location, the user may not be granted access. Another restriction may be against multiple accesses by the same entity or user.
Accounting
Accounting refers to the tracking of network resource consumption by users, for the purposes of capacity and trend analysis, cost allocation or billing. It may also record events such as authentication and authorization failures. This part will show the failed attempts at logging in to the system, where they came from, etc.
The information gathered during accounting includes the identity of the user or other entity, the nature of the service delivered, when the service began and when it ended, and any status to report.
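How the RADIUS protocol named above protects the password credential and ties a server reply to the request, as an added Go example (not from the original post); it follows RFC 2865 and assumes a shared secret and a Request Authenticator that are constructed for the example. Both operations use MD5, which is why the shared secret and the transport (for instance an IPSec tunnel) carry the real security.

```go
package main

import (
	"bytes"
	"crypto/md5"
)

// keyBlock is the RFC 2865 keystream block: MD5(shared secret || previous 16-byte block).
func keyBlock(secret, prev []byte) [16]byte {
	return md5.Sum(append(append([]byte{}, secret...), prev...))
}
// hidePassword is what the NAS does to User-Password before sending an Access-Request: pad to a
// multiple of 16 bytes, then XOR each block with a keystream block chained on the previous
// ciphertext block and seeded with the 16-byte Request Authenticator.
func hidePassword(secret []byte, reqAuth [16]byte, password string) []byte {
	plain := []byte(password)
	if pad := len(plain) % 16; pad != 0 || len(plain) == 0 {
		plain = append(plain, make([]byte, 16-pad)...)
	}
	out, prev := make([]byte, len(plain)), reqAuth[:]
	for i := 0; i < len(plain); i += 16 {
		b := keyBlock(secret, prev)
		for j := range b {
			out[i+j] = plain[i+j] ^ b[j]
		}
		prev = out[i : i+16]
	}
	return out
}
// revealPassword is the RADIUS server's inverse: same keystream, chained on received ciphertext.
// A trailing partial block (malformed input) is ignored rather than indexed past the end.
func revealPassword(secret []byte, reqAuth [16]byte, hidden []byte) string {
	out, prev := make([]byte, len(hidden)), reqAuth[:]
	for i := 0; i+16 <= len(hidden); i += 16 {
		b := keyBlock(secret, prev)
		for j := range b {
			out[i+j] = hidden[i+j] ^ b[j]
		}
		prev = hidden[i : i+16]
	}
	return string(bytes.TrimRight(out, "\x00"))
}
// responseAuthenticator is MD5(Code || ID || Length || RequestAuth || Attributes || Secret). The server
// puts it in Access-Accept/Reject so the NAS can tie the reply to its request and to the shared secret.
func responseAuthenticator(code, id byte, reqAuth [16]byte, attrs, secret []byte) [16]byte {
	length := 20 + len(attrs) // the RADIUS header is 20 bytes
	msg := append([]byte{code, id, byte(length >> 8), byte(length)}, reqAuth[:]...)
	return md5.Sum(append(append(msg, attrs...), secret...))
}
```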

Wednesday, 9 May 2012

Access Control List


An access control list, also known as an ACL, is a table that tells a computer operating system (OS) which access rights each user has to a particular system object, such as a file directory or an individual file. Each object has a security attribute that identifies its access control list. The list has an entry for each system user with access privileges. The most common privileges include the ability to read, write and execute the file. The way the list is implemented differs for each operating system.
ACL-based security models
When a subject requests an operation on an object in an ACL-based security model, the operating system first checks the ACL for an applicable entry to decide whether the requested operation is authorized. ACL models may be applied to collections of objects as well as to individual entities within the system's hierarchy.
Filesystem ACLs
A filesystem ACL is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects such as programs, processes or files.
Networking ACLs
On the other hand, on some types of proprietary computer hardware, an access control list may also refer to rules that are applied to port numbers or network daemon names that are available on a host or other layer 3 device.
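The lookup an operating system performs against a filesystem ACL, as an added Go example (not from the original post). It implements the POSIX.1e access-check order documented in acl(5): owner entry, then a named user entry, then any matching group entry, then other, with the mask entry capping everything except owner and other. The tag names, the file and the users in the test are constructed for the example.

```go
package main
// Perm is an rwx bit set. Tags follow POSIX.1e ACLs: "owner"/"ownergroup" are the inode's owner and
// group, "user"/"group" are named entries, "mask" caps all but owner and other, "other" is the rest.
type Perm uint8
const Read, Write, Exec Perm = 4, 2, 1
type Entry struct {
	Tag  string
	ID   string // user or group name for "user"/"group" entries, otherwise ""
	Perm Perm
}
type File struct {
	Owner, Group string // taken from the inode, not stored in the ACL
	ACL          []Entry
}
type Process struct {
	User   string
	Groups map[string]bool // primary plus supplementary groups
}
// Check applies the acl(5) algorithm: owner entry for the owner, named user entry for that user,
// else any matching group entry that grants the whole request; "other" only if no group matched.
func Check(f File, p Process, want Perm) bool {
	mask, other := Perm(7), Perm(0) // no mask entry: named and group entries apply in full
	for _, e := range f.ACL {
		switch e.Tag {
		case "mask":
			mask = e.Perm
		case "other":
			other = e.Perm
		}
	}
	granted := func(perm Perm) bool { return perm&want == want }
	for _, e := range f.ACL {
		if e.Tag == "owner" && p.User == f.Owner {
			return granted(e.Perm) // the owner entry is never reduced by the mask
		}
		if e.Tag == "user" && e.ID == p.User && p.User != f.Owner {
			return granted(e.Perm & mask)
		}
	}
	inGroup := false
	for _, e := range f.ACL {
		if (e.Tag == "ownergroup" && p.Groups[f.Group]) || (e.Tag == "group" && p.Groups[e.ID]) {
			inGroup = true
			if granted(e.Perm & mask) {
				return true
			}
		}
	}
	return !inGroup && granted(other)
}
```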

Saturday, 5 May 2012


Securing perimeter routers
There are a few things that should be done and configured to secure the network, and using Cisco routers is one of them. It is important that the network be secured using some kind of security policy and parameters. The perimeter routers must be secured so that the LAN resources are not threatened by the outside world.


Perimeter router and PIX Firewall
First of all, the use of firewalls can help with securing the network. Medium-sized businesses can take security to the next level by placing a firewall between the perimeter router and the internal network. By filtering out unnecessary traffic before it enters the network, the perimeter router supports and helps the firewall.


Router Running Firewall Feature
However, for smaller businesses, using Cisco routers as firewalls is possible. The only thing that needs to be done is that the firewall feature set has to be loaded on the router. When that is done, the router should be configured to provide protection to the network. This is done through packet filtering. The only difference is that the firewall feature set on the router will not provide the same level of protection as the PIX Firewall mentioned above.
The two approaches stated above are combined by large business owners who want to secure their network.
Large businesses use a three-tiered approach to secure their network. First, the perimeter routers provide preliminary protection for the PIX Firewall. After that, the real firewall does the actual packet filtering. Lastly, the internal routers make sure that certain VLANs are safe from traffic coming into the corporate LANs.
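The packet filtering a perimeter router performs in front of the firewall, as an added Go example (not from the original post or the cited article): a first-match access list with the implicit deny at the end, in the style of a Cisco extended ACL. The rules, the inside prefix and the web-server address are constructed for the example.

```go
package main

import "net"

// Packet holds the header fields a stateless filter on a perimeter router decides on.
type Packet struct {
	Proto    string // "tcp", "udp" or "icmp"
	Src, Dst net.IP
	DstPort  uint16
}
// Rule is one access-list entry, evaluated top to bottom with the first match winning,
// in the style of a Cisco extended ACL. A zero-valued field matches anything.
type Rule struct {
	Permit   bool
	Proto    string
	Src, Dst *net.IPNet
	DstPort  uint16
}
// cidr parses a prefix; inputs here are constructed constants, so the error is ignored.
func cidr(s string) *net.IPNet {
	_, n, _ := net.ParseCIDR(s)
	return n
}
func (r Rule) matches(p Packet) bool {
	return (r.Proto == "" || r.Proto == p.Proto) &&
		(r.Src == nil || r.Src.Contains(p.Src)) &&
		(r.Dst == nil || r.Dst.Contains(p.Dst)) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}
// Filter returns true if the packet is permitted; a packet matching no rule falls to the
// implicit "deny any" at the end of every access list.
func Filter(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.matches(p) {
			return r.Permit
		}
	}
	return false
}
// InboundACL is a constructed access list for the outside interface: drop packets claiming an
// inside source address (they cannot legitimately arrive from the Internet), let web traffic
// reach the public server behind the firewall, and rely on the implicit deny for everything else.
func InboundACL(inside, webServer string) []Rule {
	return []Rule{
		{Permit: false, Src: cidr(inside)},
		{Permit: true, Proto: "tcp", Dst: cidr(webServer), DstPort: 443},
		{Permit: true, Proto: "tcp", Dst: cidr(webServer), DstPort: 80},
	}
}
```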


http://www.informit.com/articles/article.aspx?p=102180&seqNum=3


Friday, 4 May 2012


Common threats to routers and switches
Threats and Attacks on Routers and Switches.
When someone wants to attack a network, they will target the router because it is considered the central attack point. This is because routers are the hub of data transmission. Like a traffic light, the router controls the flow. Not only do attacks cause disruption of service, routers are also exploited to capture confidential information like passwords.
There are 5 threats to the router and they are:
1) Packet Sniffing – This is where data is captured using a program that listens to network traffic.
2) XSS – Cross-Site Scripting is a kind of attack used to reveal the user's physical location without the user knowing about it.
3) WEP Cracking – Wired Equivalent Privacy is a form of wireless security on home-based routers. It is cracked using packet sniffing programs.
4) CSRF – Cross-Site Request Forgery is a web-based attack to get control of email and user-approved web applications. It usually comes in the form of a spam email.
5) DDoS – Distributed Denial of Service is when an attacker continually sends mass requests to a router to overload it, causing the network to crash.

Network/Port address translation


Network address translation
Network address translation (NAT) is the process of modifying IP address information in packet headers while the packets are in transit across a traffic routing device. The simplest type of NAT provides a one-to-one translation of IP addresses; this is referred to as basic NAT or one-to-one NAT. In basic NAT, only the IP addresses, the IP header checksum and any higher-level checksums need to be changed. The rest of the packet is not changed in any way.
Advantages: Not every inside host needs outside access at the same time; therefore, a network can get away with using a small pool of globally unique addresses to serve a relatively large number of privately addressed hosts.
Another advantage is that network address translation has the effect of hiding the inside structure of a network. With this, the internal addresses are not visible to external hosts.



www.cisco.com



Port address translation
Port address translation (PAT) is an extension of network address translation (NAT). It allows multiple devices on a local area network (LAN) to be mapped to a single public IP address. The main purpose of PAT is to conserve IP addresses.
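The translation table that makes PAT (and the hiding effect described under NAT above) work, as an added Go example (not from the original post or the cited sites): many inside (IP, port) pairs share one public address, each given its own public port, and inbound packets for ports with no table entry are dropped. The addresses and ports in the test are constructed for the example; a real translator also tracks the destination and expires idle entries, which this one omits.

```go
package main

import "fmt"

// Flow identifies one end of a TCP or UDP conversation (constructed type for this example).
type Flow struct {
	IP   string
	Port uint16
}

// PAT maps many inside (IP, port) pairs onto one public IP by giving each its own public port;
// the two maps are the translation table, one per direction.
type PAT struct {
	Public   string
	nextPort uint16
	out      map[Flow]uint16 // inside flow -> allocated public port
	in       map[uint16]Flow // public port -> inside flow
}

func NewPAT(public string) *PAT {
	return &PAT{Public: public, nextPort: 1024, out: map[Flow]uint16{}, in: map[uint16]Flow{}}
}

// Outbound rewrites the source of a packet leaving the LAN, adding a table entry on first use.
// Real translators also key entries on the destination and time them out; this one keeps a single pool.
func (p *PAT) Outbound(src Flow) (Flow, error) {
	if port, ok := p.out[src]; ok {
		return Flow{p.Public, port}, nil
	}
	if p.nextPort == 0 { // wrapped past 65535: the one public address has no ports left
		return Flow{}, fmt.Errorf("no free public ports on %s", p.Public)
	}
	port := p.nextPort
	p.nextPort++
	p.out[src], p.in[port] = port, src
	return Flow{p.Public, port}, nil
}

// Inbound maps a packet addressed to the public IP back to the inside host. A port with no
// table entry is dropped, which is what hides the inside structure from outside hosts.
func (p *PAT) Inbound(dst Flow) (Flow, bool) {
	if dst.IP != p.Public {
		return Flow{}, false
	}
	src, ok := p.in[dst.Port]
	return src, ok
}
```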



Techrepublic.com

Perimeter router, internal router, Firewall


Perimeter router-
The perimeter router is basically a standard router that provides serial connection to the outside world and a LAN connection to the internal network. The perimeter router provides filtering of outside traffic to implement basic security. This device could be running the firewall feature set for additional security options.



www.etutorials.org


Internal router-
An internal router is a router that has Open Shortest Path First (OSPF) neighbour relationships with interfaces in the same area. An internal router has all its interfaces in a single area. OSPF is a routing protocol that is used to allow routers to dynamically learn routes from other routers and to advertise routes to other routers.
Firewall-
Lastly, a firewall is a device that either separates or joins the inside network to the dirty DMZ and any optional protected DMZs. The firewall can also be a router running the firewall feature set. Although this is possible, it is generally better to use a dedicated device performing only security features and leave the routing and serving duties to other devices.
A typical firewall usually has two or more LAN interfaces, one for the inside network, and the other for the outside network.