Site-to-site VPN and Remote Access VPN

Site to Site VPN:

A site-to-site VPN connection lets branch offices use the Internet as a conduit for accessing the main office's intranet.

HowStuffWorks.com

Site-to-site VPN

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.

There are two types of site-to-site VPNs:

• Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
• Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it could use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote-access VPN. Dedicated VPN client equipment, described later in this article, can accomplish this goal in a site-to-site VPN.

Remote Access VPN:

A remote-access VPN connection allows an individual user to connect to a private business network from a remote location using a laptop or desktop computer connected to the Internet.

HowStuffWorks.com

Remote-access VPN

A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged in to the network's servers. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Another name for this type of VPN isvirtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialing in to a server using an analog telephone system.

There are two components required in a remote-access VPN. The first is a network access server (NAS, usually pronounced "nazz" conversationally), also called a media gateway or a remote-access server (RAS). (Note: IT professionals also use NAS to mean network-attached storage.) A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It's a NAS that a user connects to from the Internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.

The other required component of remote-access VPNs is client software. In other words, employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN. Most operating systems today have built-in software that can connect to remote-access VPNs, though some VPNs might require users to install a specific application instead. The client software sets up the tunneled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure. You can read more about tunneling and encryption later in this article.

Large corporations or businesses with knowledgeable IT staff typically purchase, deploy and maintain their own remote-access VPNs. Businesses can also choose to outsource their remote-access VPN services through an enterprise service provider (ESP). The ESP sets up a NAS for the business and keeps that NAS running smoothly.

References:

http://computer.howstuffworks.com/vpn4.htm

http://computer.howstuffworks.com/vpn3.htm

Public Key Infrastructure

A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.

The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure is the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.)

A public key infrastructure consists of:

• A certificate authority (CA) that issues and verifies digital certificate. A certificate includes the public key or information about the public key
• A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
• One or more directories where the certificates (with their public keys) are held
• A certificate management system

How Public and Private Key Cryptography Works
In public key cryptography, a public and private key are created simultaneously using the same algorithm (a popular one is known as RSA) by a certificate authority (CA). The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet. You use the private key to decrypt text that has been encrypted with your public key by someone else (who can find out what your public key is from a public directory). Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. 

Who Provides the Infrastructure
A number of products are offered that enable a company or group of companies to implement a PKI. The acceleration of e-commerce and business-to-business commerce over the Internet has increased the demand for PKI solutions. Related ideas are the virtual private network (VPN) and the IP Security (IPsec) standard. Among PKI leaders are:

• RSA, which has developed the main algorithms used by PKI vendors
• Verisign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities
• GTE CyberTrust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price
• Xcert, whose Web Sentry product that checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP)
• Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second; Secure E-Commerce, which allows a company or extranet manager to manage digital certificates; and Meta-Directory, which can connect all corporate directories into a single directory for security management

Pretty Good Privacy
For e-mail, the Pretty Good Privacy (PGP) product lets you encrypt a message to anyone who has a public key. You encrypt it with their public key and they then decrypt it with their private key. PGP users share a directory of public keys that is called a key ring. (If you are sending a message to someone that doesn't have access to the key ring, you can't send them an encrypted message.) As another option, PGP lets you "sign" your note with a digital signature using your private key. The recipient can then get your public key (if they get access to the key ring) and decrypt your signature to see whether it was really you who sent the message.

References:
http://searchsecurity.techtarget.com/definition/PKI

IPSec (ESP, AH, DES, MD5, SHA, DH)

IPSEC:

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

ESP:

Encapsulating Security Payload (ESP) is a security protocol used to provide confidentiality (encryption), data origin authentication, integrity, optional anti-replay service, and limited traffic-flow confidentiality by defeating traffic-flow analysis. Figure 3 shows that the data payload is encrypted with ESP.

ESP provides confidentiality by performing encryption at the IP packet layer. It supports a variety of symmetric encryption algorithms. The default algorithm for IPSec is 56-bit DES. This cipher must be implemented to guarantee interoperability among IPSec products. Cisco products also support use of 3DES for strong encryption. Confidentiality may be selected independent of all other services.

NOTE:
Deciding whether to use AH or ESP in a given situation may seem complex, yet can be simplified to a few rules. When you want to make sure that data from an authenticated source gets transferred with integrity and doesn't need confidentiality, use the AH protocol. If you need to keep data private (confidentiality), then you must use ESP. ESP will encrypt the upper-layer protocols in transport mode and the entire original IP datagram in tunnel mode so that neither is readable from the wire. However, ESP can also provide authentication for the packets.

AH: 

Authentication Header (AH) provides authentication and integrity to the datagrams passed between two systems. This is achieved by applying a keyed one-way hash function to the datagram to create a message digest. If any part of the datagram is changed during transit, this will be detected by the receiver when it performs the same one-way hash function on the datagram and compares the value of the message digest that the sender has supplied. The fact that the one-way hash also involves the use of a secret shared between the two systems means that authenticity can be guaranteed.

AH may also enforce anti-replay protection by requiring that a receiving host set the replay bit in the header to indicate that the packet has been seen. Without it, an attacker may be able to resend the same packet many times; for example, sending a packet that withdraws $100 from account X. Figure 1 shows two routers and confirms that the data between them is sent in cleartext.


The AH function is applied to the entire datagram except for any mutable IP header fields that change in transit, such as Time To Live (TTL) fields that are modified by the routers along the transmission path. AH works as follows:

1)The IP header and data payload is hashed.

2)The hash is used to build a new AH header, which is appended to the original packet.

3)The new packet is transmitted to the IPSec peer router.

4)The peer router hashes the IP header and data payload, extracts the transmitted hash from the AH header, and compares the two hashes. The hashes must match exactly. If even one bit is changed in the transmitted packet, the hash output on the received packet will change and the AH header will not match.

DES:

Data Encryption Standard (DES) is used to encrypt and decrypt packet data; it turns cleartext into ciphertext via an encryption algorithm. The decryption algorithm on the remote end restores clear-text from ciphertext. Shared secret keys enable the encryption and decryption. DES uses a 56-bit key, ensuring high-performance encryption.

MD5:

Message Digest 5 (MD5) is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the MD5 hashed message authentication code (HMAC) variant that provides an additional level of hashing. A hash is a one-way encryption algorithm that takes an input message of arbitrary length and produces a fixed-length output message. IKE, AH, and ESP can use MD5 for authentication.

SHA:

Secure Hash Algorithm 1 (SHA-1) is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the SHA-1 HMAC variant, which provides an additional level of hashing. IKE, AH, and ESP can use SHA-1 for authentication.

DH:

Diffie-Hellman (D-H) is a public-key cryptography protocol. It allows two parties to establish a shared secret key used by encryption algorithms (DES or MD5, for example) over an insecure communications channel. D-H is used within IKE (described later in this article) to establish session keys. 768-bit and 1024-bit D-H groups are supported in the Cisco routers and PIX Firewall. The 1024-bit group is more secure.

References:

http://en.wikipedia.org/wiki/IPsec

http://www.ciscopress.com/articles/article.asp?p=25470

Authentication, Authorization and Accounting

About AAA Security Services

AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing the following services:

•Authentication—Authentication provides the method of identifying users, including login and password dialog, challenge and response. Depending on the security protocol set by the user, messaging support, response and challenge can be set.

Authentication is the way a user is identified prior to being allowed access to the network and network services. You configure AAA authentication by defining a named list of authentication methods, and then applying that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they will be performed; it must be applied to a specific interface before any of the defined authentication methods will be performed. The only exception is the default method list (which is named "default"). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.

All authentication methods, except for local, line password, and enable authentication, must be defined through AAA. For information about configuring all authentication methods, including those implemented outside of the AAA security services, refer to the chapter "Configuring Authentication."


•Authorization—Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.

AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally on the access server or router or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user. All authorization methods must be defined through AAA.

As with authentication, you configure AAA authorization by defining a named list of authorization methods, and then applying that list to various interfaces. For information about configuring authorization using AAA, refer to the chapter "Configuring Authorization."

•Accounting—Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.

Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA.

References:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html

Access Control Lists

Router Access Control Lists:
Access control lists filter network traffic by controlling whether packets that are being routed are sent or blocked at the router's interface. The router checks each packet to determine if it fits the criteria specified within the access lists, before deciding to forward or drop the packet.

The criteria could be the source address of the packet, the destination of the packet, the protocol or other information. Because no authentication is required, some access lists can be fooled by smarter users.

Why user configure access lists?
Access lists can be used to restrict contents of routing updates, or to provide traffic flow control. However, the most important aspect of access lists are its usage to provide a basic level of security for accessing a network. If access lists are not configured, all packets passing through the router can be allowed to all parts of the network.

Implied "Deny All Traffic" criteria statement:
At the end of every access lists, there is an implied "deny all traffic" criteria statement. When the packet does not satisfy any conditions of the access lists, it is dropped when it ultimately reaches the end of the access list.

Limitations when entering criteria statements:
Each additional criteria statement that a user enters is added to the end of the access list statements. Also, individual statements cannot be deleted after they have been created. Only the entire access list can be deleted.

The order of access list statements are important as well. When the router is deciding if it should forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order that the statements were created. After a match is found, the checking stops. E.g.: If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked, meaning all packets that reach that router interface will be forwarded

References:
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html

Perimeter Router, Internal Router and Firewall

Perimeter Router:

The perimeter router is typically a standard router providing a serial connection to the outside world and a LAN connection to the internal network. The perimeter router should provide any filtering of outside traffic to implement basic security for the dirty DMZ and preliminary filtering for the inside network. This device could be running the firewall feature set for additional security options.

Internal Router:

An internal router is a router that has OSPF neighbor relationships with interfaces in the same area. An internal router has all its interfaces in a single area.

Firewall:

A firewall is a device or set of devices designed to permit or deny network transmissions based on a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.

Reference:

•http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/ •http://en.wikipedia.org/wiki/Firewall_(computing) •http://en.wikipedia.org/wiki/Open_Shortest_Path_First#Internal_router

Network / Port Address Translation

NAT & PAT:
NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put her through.

The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension. NAT has many forms and can work in several ways:

Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network. A diagram demonstrating the concept:



Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. A diagram demonstrating the concept:



Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT. A diagram demonstrating the concept:



Overlapping - When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses as well as translate the "external" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT. A diagram demonstrating the concept:



The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it doesn't travel outside the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world.

Reference:http://computer.howstuffworks.com/nat1.htm