Public Key Infrastructure (Digital Cert )

A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.

The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure is the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.)

A public key infrastructure consists of:

• A certificate authority (CA) that issues and verifies digital certificate. A certificate includes the public key or information about the public key
• A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
• One or more directories where the certificates (with their public keys) are held
• A certificate management system

How Public and Private Key Cryptography Works

In public key cryptography, a public and private key are created simultaneously using the samealgorithm (a popular one is known as RSA) by a certificate authority (CA). The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet. You use the private key to decrypt text that has been encrypted with your public key by someone else (who can find out what your public key is from a public directory). Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. Here's a table that restates it:

To do this	Use whose	Kind of key
Send an encrypted message	Use the receiver's	Public key
Send an encrypted signature	Use the sender's	Private key
Decrypt an encrypted message	Use the receiver's	Private key
Decrypt an encrypted signature (and authenticate the sender)	Use the sender's	Public key

Who Provides the Infrastructure

A number of products are offered that enable a company or group of companies to implement a PKI. The acceleration of e-commerce and business-to-business commerce over the Internet has increased the demand for PKI solutions. Related ideas are the virtual private network (VPN) and the IP Security (IPsec) standard. Among PKI leaders are:

• RSA, which has developed the main algorithms used by PKI vendors
• Verisign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities
• GTE CyberTrust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price
• Xcert, whose Web Sentry product that checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP)
• Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second; Secure E-Commerce, which allows a company or extranet manager to manage digital certificates; and Meta-Directory, which can connect all corporate directories into a single directory for security management

Pretty Good Privacy

For e-mail, the Pretty Good Privacy (PGP) product lets you encrypt a message to anyone who has a public key. You encrypt it with their public key and they then decrypt it with their private key. PGP users share a directory of public keys that is called a key ring. (If you are sending a message to someone that doesn't have access to the key ring, you can't send them an encrypted message.) As another option, PGP lets you "sign" your note with a digital signature using your private key. The recipient can then get your public key (if they get access to the key ring) and decrypt your signature to see whether it was really you who sent the message.

IPSec (ESP, AH, DES, MD5, SHA, DH)

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network, and it includes a header and payload (the data in the packet). IPSec emerged as a viable network security standard because enterprises wanted to ensure that data could be securely transmitted over the Internet. IPSec protects against possible security exposures by protecting data while in transit.
IPSec is the most secure method commercially available for connecting network sites. IPSec was designed to provide the following security features when transferring packets across networks:

• Authentication: Verifies that the packet received is actually from the claimed sender.
• Integrity: Ensures that the contents of the packet did not change in transit.
• Confidentiality: Conceals the message content through encryption.

IPSec contains the following elements:

• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.

Encapsulating Security Payload (ESP)

ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection.

IPSec provides an open framework for implementing industry standard algorithms, such as SHA and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet, which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a packet has been tampered with. Furthermore, packets that are not authenticated are discarded and not delivered to the intended receiver.

ESP also provides all encryption services in IPSec. Encryption translates a readable message into an unreadable format to hide the message content. The opposite process, called decryption, translates the message content from an unreadable format to a readable message. Encryption/decryption allows only the sender and the authorized receiver to read the data. In addition, ESP has an option to perform authentication, called ESP authentication. Using ESP authentication, ESP provides authentication and integrity for the payload and not for the IP header.

Figure 2-1

The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.


Authentication Header (AH)

AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP. AH also provides optional anti-replay protection, which protects against unauthorized retransmission of packets. The authentication header is inserted into the packet between the IP header and any subsequent packet contents. The payload is not touched.

Although AH protects the packet's origin, destination, and contents from being tampered with, the identity of the sender and receiver is known. In addition, AH does not protect the data's confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH and ESP can be used together. In the following table, IP HDR represents the IP header and includes both source and destination IP addresses.

Figure 2-2

Security Association (SA)

IPSec introduces the concept of the Security Association (SA). An SA is a logical connection between two devices transferring data. An SA provides data protection for unidirectional traffic by using the defined IPSec protocols. An IPSec tunnel typically consists of two unidirectional SAs, which together provide a protected, full-duplex data channel.

The SAs allow an enterprise to control exactly what resources may communicate securely, according to security policy. To do this an enterprise can set up multiple SAs to enable multiple secure VPNs, as well as define SAs within the VPN to support different departments and business partners.
Mode

SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, but transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly. A host is a device that sends and receives network traffic.


Transport Mode: The transport mode IPSec implementation encapsulates only the packet's payload. The IP header is not changed. After the packet is processed with IPSec, the new IP packet contains the old IP header (with the source and destination IP addresses unchanged) and the processed packet payload. Transport mode does not shield the information in the IP header; therefore, an attacker can learn where the packet is coming from and where it is going to. Figure 2-1 and Figure 2-2 above show a packet in transport mode.

Tunnel Mode: The tunnel mode IPSec implementation encapsulates the entire IP packet. The entire packet becomes the payload of the packet that is processed with IPSec. A new IP header is created that contains the two IPSec gateway addresses. The gateways perform the encapsulation/decapsulation on behalf of the hosts. Tunnel mode ESP prevents an attacker from analyzing the data and deciphering it, as well as knowing who the packet is from and where it is going.


Note: .AH and ESP can be used in both transport mode and tunnel mode.

Figure 2-3

Key Management

IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it.

IPSec requires that keys be re-created, or refreshed, frequently so that the parties can communicate securely with each other. IKE manages the process of refreshing keys; however, a user can control the key strength and the refresh frequency. Refreshing keys on a regular basis ensures data confidentiality between sender and receiver.

Authentication, Authorization and Accounting

Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.

As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access. The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied.

Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity.

The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

Authentication, authorization, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. A current standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS).

Context-Based Access Control

Context-Based Access Control (CBAC) is a feature of firewall that actively inspects the activity behind a firewall. CBAC specifies what traffic needs to be let in and what traffic needs to be let out by using access lists. CBAC access lists include IP inspect statements that allow the inspection of the protocol to make sure that it is not tampered with before the protocol goes to the systems behind the firewall. CBAC provides internal users with secure access control for each application and for all traffic across network perimeters. CBAC enhances security by scrutinizing both source and destination addresses and by tracking each application's connection status. For instance, CBAC can be configured to track connections that originate within the local network. This session information is kept in a state table by CBAC. CBAC will open temporary holes in the firewall to allow those connections to come back in to the local network.

This ability allows CBAC to both monitor and prevent DoS and other network attacks. If CBAC detects an attack, it can be configured to either drop the session (plus block the source), or sent an alert message indicating an attack is occurring.

To configure CBAC, we must accomplish the following:

• Configuring Auditing

• Set timeouts and thresholds

• Identify the type of traffic we want to inspect, such as HTTP, FTP, SMTPetc.

• Apply CBAC to an interface

Timeouts and thresholds help CBAC determine when a DoS or network attack is occurring. These thresholds include:

• Total number of half-opened TCP/UDP sessions

• Number of half-opened sessions over a given time period

• Number of half-opened session from a specific host

A half-opened TCP session indicates that the three-way handshake has not

yet completed. A half-opened UDP session indicates that no return UDP

traffic has been sent. A large number of half-opened sessions on a router will

chew up resources, while preventing legitimate connections from being

established.

Access Control List

An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed,denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs which is DACL and SACL.

A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied.

A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.

Do not try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the appropriate functions to create and manipulate ACLs. For more information, see Getting Information from an ACL and Creating or Modifying an ACL.

ACLs also provide access control to Microsoft Active Directory directory service objects. Active Directory Service Interfaces (ADSI) includes routines to create and modify the contents of these ACLs.

Perimeter router, Internal router and Firewall

A perimeter router is an entry point that allows external application to gain access through the internal services. It is basically inside a perimeter network known as demilitarized zone (DMZ) which is used to access the resources in private network through firewall. The internal router helps to ensure that certain VLAN are protected from traffic coming into the LAN. The firewall does the actual packet filtering.

How does it work for perimeter router?

There will be 4 steps in total that how a perimeter router works. The first step is external application sends a request message. This message will be address to the service’s external interface of the perimeter service router. The service will then hides the internal endpoint address. The second step is perimeter service router forwards request message to the service. This step basically forwards the message to the correct endpoint address and its base on the request of the correct services on the specific address where it was sent. The third steps is service sends a response. The service will perform a check such as authentication to ensure the security before processing the request. The last steps is perimeter service router forward the response to the external application. It basically refers to step 3. If the response in step 3 is processed, the perimeter service router will then forward the response to the external application.

Network/Port Address Translation

It is the process where network device usually is a firewall that assigns public address to a computer inside a private network. Its main purpose is to limit the number of public IP addresses for security purposes. Network Address Translation (NAT) has other uses too beyond simply allowing workstation with internal IP addresses to access the internet. It can act as Web servers and require access from the internet. It can also allow selective access to outside of the network. For instance, workstation requiring special access outside the network can be assigned specific external IPs using the NAT which allows them to communicate but it require a unique public IP address. NAT also handles conversion of the public and private addresses as showing only the public IP on the internet keeping the private IP hidden. This will help to ensure the security and also offers the opportunity to qualify or authenticate the request to the request.NAT also acts as the firewall and it is an important feature of firewall security. It conserves the public address used in a company and allows stricter control of access to resources on the firewall.

Reference:

 http://www.howstuffworks.com/nat.htm

 http://macsense.wikidot.com/tn:34

Common threat to router and switch & mitigation

There are four common threats to router and switch & mitigation. The first threat is Hardware. Basically hardware threats involve threats of physical damage to the router, switch and also servers. To prevent this from happening, we can always do the security check such as locking the room with only authorized person can access; rooms should not be accessible via dropped ceiling, window, point of entry etc. Use electronic access control in all entry which are logged by security system and also monitored by security personnel. Install security cameras with automatic recording to act as evidence if there is a mishap. The second threats are Electrical. It includes voltage spikes, insufficient supply voltage, total power loss etc. It can be limit by installing an uninterruptible power supply (UPS) which may helps to backup any data when problem occurs such as total power loss. The third threat is Environmental. It includes extreme low or high temperature like moisture, humidity, electrostatic etc.  It can be also mitigated by supplying the room with dependable temperature control system. Remove any sources of electrostatic interference in the room. The last threat is Maintenance. It includes not having backup parts, not labeling the component, poor cabling etc. To prevent this from happening, we can always follow ESD procedures when replacing or working with internal router device components.

Secure Perimeter Routers & Disable Services & Logging

Secure Perimeter Router can be in many forms. It will help to protect internal resources. It basically acts as a first line defense against security threats. We can secure the perimeter router by limiting the number of failed login attempts by typing this command “security authentication failure rate 5 log”. This will help to prevent hacker that uses brute-force method to hack through the router. We can also secure our password by typing this command “service password-encryption” to convert plain text to encrypt password. Another way to secure the router is by setting a login inactivity timer. For instance, if an administrator provides appropriate information and logs into the router, the router could become vulnerable to attack if the administrator walks away.

We can also disable unused router interfaces that it not in use. Here are some typically unused services which are BOOTP, CDP, FTP, configuration autoloading, TCP and UDP minor services etc. Despite that, we can also disable those management protocols that include SNMP, HTTP or HTTPS and also DNS. This will help to prevent hacker from using other ports to get access into the router or other devices. By disabling feature like ICMP and IP source routing will help preventing re-directing your traffic. Finger, ICMP unreachable and ICMP mask reply are techniques for probes and scans which may helps to prevent reconnaissance attacks.

Reference: http://cdn.ttgtmedia.com/searchSecurityChannel/downloads/CCNA_Security_Official_Exam_Certification_Guide_1587202204_ch03.pdf