Public Key Infrastructure

A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.

The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure is the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.)

A public key infrastructure consists of:

• A certificate authority (CA) that issues and verifies digital certificate. A certificate includes the public key or information about the public key
• A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
• One or more directories where the certificates (with their public keys) are held
• A certificate management system

How Public and Private Key Cryptography Works
In public key cryptography, a public and private key are created simultaneously using the same algorithm (a popular one is known as RSA) by a certificate authority (CA). The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet. You use the private key to decrypt text that has been encrypted with your public key by someone else (who can find out what your public key is from a public directory). Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. 

Who Provides the Infrastructure
A number of products are offered that enable a company or group of companies to implement a PKI. The acceleration of e-commerce and business-to-business commerce over the Internet has increased the demand for PKI solutions. Related ideas are the virtual private network (VPN) and the IP Security (IPsec) standard. Among PKI leaders are:

• RSA, which has developed the main algorithms used by PKI vendors
• Verisign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities
• GTE CyberTrust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price
• Xcert, whose Web Sentry product that checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP)
• Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second; Secure E-Commerce, which allows a company or extranet manager to manage digital certificates; and Meta-Directory, which can connect all corporate directories into a single directory for security management

Pretty Good Privacy
For e-mail, the Pretty Good Privacy (PGP) product lets you encrypt a message to anyone who has a public key. You encrypt it with their public key and they then decrypt it with their private key. PGP users share a directory of public keys that is called a key ring. (If you are sending a message to someone that doesn't have access to the key ring, you can't send them an encrypted message.) As another option, PGP lets you "sign" your note with a digital signature using your private key. The recipient can then get your public key (if they get access to the key ring) and decrypt your signature to see whether it was really you who sent the message.

References:
http://searchsecurity.techtarget.com/definition/PKI

IPSec (ESP, AH, DES, MD5, SHA, DH)

IPSEC:

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

ESP:

Encapsulating Security Payload (ESP) is a security protocol used to provide confidentiality (encryption), data origin authentication, integrity, optional anti-replay service, and limited traffic-flow confidentiality by defeating traffic-flow analysis. Figure 3 shows that the data payload is encrypted with ESP.

ESP provides confidentiality by performing encryption at the IP packet layer. It supports a variety of symmetric encryption algorithms. The default algorithm for IPSec is 56-bit DES. This cipher must be implemented to guarantee interoperability among IPSec products. Cisco products also support use of 3DES for strong encryption. Confidentiality may be selected independent of all other services.

NOTE:
Deciding whether to use AH or ESP in a given situation may seem complex, yet can be simplified to a few rules. When you want to make sure that data from an authenticated source gets transferred with integrity and doesn't need confidentiality, use the AH protocol. If you need to keep data private (confidentiality), then you must use ESP. ESP will encrypt the upper-layer protocols in transport mode and the entire original IP datagram in tunnel mode so that neither is readable from the wire. However, ESP can also provide authentication for the packets.

AH: 

Authentication Header (AH) provides authentication and integrity to the datagrams passed between two systems. This is achieved by applying a keyed one-way hash function to the datagram to create a message digest. If any part of the datagram is changed during transit, this will be detected by the receiver when it performs the same one-way hash function on the datagram and compares the value of the message digest that the sender has supplied. The fact that the one-way hash also involves the use of a secret shared between the two systems means that authenticity can be guaranteed.

AH may also enforce anti-replay protection by requiring that a receiving host set the replay bit in the header to indicate that the packet has been seen. Without it, an attacker may be able to resend the same packet many times; for example, sending a packet that withdraws $100 from account X. Figure 1 shows two routers and confirms that the data between them is sent in cleartext.


The AH function is applied to the entire datagram except for any mutable IP header fields that change in transit, such as Time To Live (TTL) fields that are modified by the routers along the transmission path. AH works as follows:

1)The IP header and data payload is hashed.

2)The hash is used to build a new AH header, which is appended to the original packet.

3)The new packet is transmitted to the IPSec peer router.

4)The peer router hashes the IP header and data payload, extracts the transmitted hash from the AH header, and compares the two hashes. The hashes must match exactly. If even one bit is changed in the transmitted packet, the hash output on the received packet will change and the AH header will not match.

DES:

Data Encryption Standard (DES) is used to encrypt and decrypt packet data; it turns cleartext into ciphertext via an encryption algorithm. The decryption algorithm on the remote end restores clear-text from ciphertext. Shared secret keys enable the encryption and decryption. DES uses a 56-bit key, ensuring high-performance encryption.

MD5:

Message Digest 5 (MD5) is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the MD5 hashed message authentication code (HMAC) variant that provides an additional level of hashing. A hash is a one-way encryption algorithm that takes an input message of arbitrary length and produces a fixed-length output message. IKE, AH, and ESP can use MD5 for authentication.

SHA:

Secure Hash Algorithm 1 (SHA-1) is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the SHA-1 HMAC variant, which provides an additional level of hashing. IKE, AH, and ESP can use SHA-1 for authentication.

DH:

Diffie-Hellman (D-H) is a public-key cryptography protocol. It allows two parties to establish a shared secret key used by encryption algorithms (DES or MD5, for example) over an insecure communications channel. D-H is used within IKE (described later in this article) to establish session keys. 768-bit and 1024-bit D-H groups are supported in the Cisco routers and PIX Firewall. The 1024-bit group is more secure.

References:

http://en.wikipedia.org/wiki/IPsec

http://www.ciscopress.com/articles/article.asp?p=25470

Authentication, Authorization and Accounting

About AAA Security Services

AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing the following services:

•Authentication—Authentication provides the method of identifying users, including login and password dialog, challenge and response. Depending on the security protocol set by the user, messaging support, response and challenge can be set.

Authentication is the way a user is identified prior to being allowed access to the network and network services. You configure AAA authentication by defining a named list of authentication methods, and then applying that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they will be performed; it must be applied to a specific interface before any of the defined authentication methods will be performed. The only exception is the default method list (which is named "default"). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.

All authentication methods, except for local, line password, and enable authentication, must be defined through AAA. For information about configuring all authentication methods, including those implemented outside of the AAA security services, refer to the chapter "Configuring Authentication."


•Authorization—Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.

AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally on the access server or router or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user. All authorization methods must be defined through AAA.

As with authentication, you configure AAA authorization by defining a named list of authorization methods, and then applying that list to various interfaces. For information about configuring authorization using AAA, refer to the chapter "Configuring Authorization."

•Accounting—Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.

Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA.

References:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html

Access Control Lists

Router Access Control Lists:
Access control lists filter network traffic by controlling whether packets that are being routed are sent or blocked at the router's interface. The router checks each packet to determine if it fits the criteria specified within the access lists, before deciding to forward or drop the packet.

The criteria could be the source address of the packet, the destination of the packet, the protocol or other information. Because no authentication is required, some access lists can be fooled by smarter users.

Why user configure access lists?
Access lists can be used to restrict contents of routing updates, or to provide traffic flow control. However, the most important aspect of access lists are its usage to provide a basic level of security for accessing a network. If access lists are not configured, all packets passing through the router can be allowed to all parts of the network.

Implied "Deny All Traffic" criteria statement:
At the end of every access lists, there is an implied "deny all traffic" criteria statement. When the packet does not satisfy any conditions of the access lists, it is dropped when it ultimately reaches the end of the access list.

Limitations when entering criteria statements:
Each additional criteria statement that a user enters is added to the end of the access list statements. Also, individual statements cannot be deleted after they have been created. Only the entire access list can be deleted.

The order of access list statements are important as well. When the router is deciding if it should forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order that the statements were created. After a match is found, the checking stops. E.g.: If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked, meaning all packets that reach that router interface will be forwarded

References:
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html

Perimeter Router, Internal Router and Firewall

Perimeter Router:

The perimeter router is typically a standard router providing a serial connection to the outside world and a LAN connection to the internal network. The perimeter router should provide any filtering of outside traffic to implement basic security for the dirty DMZ and preliminary filtering for the inside network. This device could be running the firewall feature set for additional security options.

Internal Router:

An internal router is a router that has OSPF neighbor relationships with interfaces in the same area. An internal router has all its interfaces in a single area.

Firewall:

A firewall is a device or set of devices designed to permit or deny network transmissions based on a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.

Reference:

•http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/ •http://en.wikipedia.org/wiki/Firewall_(computing) •http://en.wikipedia.org/wiki/Open_Shortest_Path_First#Internal_router

Network / Port Address Translation

NAT & PAT:
NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put her through.

The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension. NAT has many forms and can work in several ways:

Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network. A diagram demonstrating the concept:



Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. A diagram demonstrating the concept:



Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT. A diagram demonstrating the concept:



Overlapping - When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses as well as translate the "external" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT. A diagram demonstrating the concept:



The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it doesn't travel outside the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world.

Reference:http://computer.howstuffworks.com/nat1.htm

Common Threats to Router and Switch Physical & Mitigation

Common Physical Threats & Mitigation Techniques:

There are four general types of threats to physical installations. Namely, they are: hardware, electrical, environmental and maintenance.

Hardware Threats:

Hardware threats involve the threats of physical damage to router or switch hardware. Critical networking devices should be located in wiring closets or in computer or telecommunication rooms. These rooms should meet these minimum requirements:

1. The room must be locked, and access granted only to authorized personnel.
2. The room should not be accessible via a dropped ceiling, raised floors, windows, duct works, or any other point of entry other than the secured access point
3. It is advisable to use electronic access control with logged entry attempts by security systems. Security personnel should also be on hand.
4. The security personnel should monitor activities via security cameras with automatic recording.

Electrical Threats:

Electrical threats include irregular fluctuations in voltage, such as brownouts(intentional drop in voltage in an electrical supply) and voltage spikes. Unconditioned power and total power loss are other examples of electrical threats. These measures can be taken to mitigate electrical threats:

1. Install uninterruptible power supply (UPS) systems for important networking devices.
2. Install backup generators for important networking devices.
3. Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturer-suggested preventive maintenance schedule.
4. Install redundant power supplies on critical devices.
5. Monitor and alarm power-related parameters at the power supply and device levels.  

Environmental Threats:

Environmental threats include very low or high temperatures, moisture, electrostatic and magnetic interference. Suggested methods to mitigate environmental threats include:

1. Supplying the room with dependable temperature and humidity control systems. Manufacturer-recommended environmental parameters of the devices should be verified with the settings.
2. Removing any sources of electrostatic and magnetic interference in the room.

Besides the four above-mentioned threats, there is another group of threats known as maintenance threats.

Maintenance threats include not having backup parts or equipment for critical network devices, not labeling

components and their cabling correctly, electrostatic discharge, poor handling of devices and poor cabling. These are some rules to mitigate Maintenance threats

1. Clearly label all cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection or incorrect termination.
2. Use cable runs and raceways to traverse rack-to-ceiling or rack-to-rack connections.
3. Follow procedures when replacing or working with internal router and switch components.
4. Maintain a stock of spare parts
5. Always log off administrative interfaces when leaving a station.
6. Do not rely on a locked room as the only protection for a device. 

References:

• en.wikipedia.org/wiki/Brownout_(electricity)
• http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/mitigating-common-threats.html

Secure Perimeter Routers & Disabling Services & Logging

Perimeter Routers:
Perimeter Routers are usually standard routers providing a serial connection to the outside world, as well as connection between the devices within an internal network. The role of a perimeter router is to filter any outside traffic to implement basic security for the DMZ and preliminary filtering for the inside network. A perimeter router can run a firewall for additional security.

A DMZ is an area or more inside the network perimeter, but not on the inside of the firewall device. There are two types of DMZ. The first is often called a dirty DMZ. It refers to the LAN segment between the firewall and perimeter router. This DMZ only has the protection of the perimeter router and whatever individual security features of the devices placed within this DMZ. The second DMZ is made up of one or more additional LAN interfaces on the firewall. This DMZ is called protected DMZ, as they have the additional protection offered by the firewall device. The following diagram is an example of a protected DMZ.

Securing Routers by Disabling Unused Router Services and Interfaces:
On routers, a whole bunch of services come enabled by default. To make a router more secure, unused services should be disabled.

bootp

bootp is enabled by default, and if you are not using it, you should definitely disable it. You can use the no ip bootp server command in global configuration mode to disable bootp on your routers:

Central(config)# no ip bootp server

CDP

Cisco Discovery Protocol (CDP) is also enabled by default, and we highly recommend that you disable this service on the router globally. You can disable CDP globally by using the no cdp runcommand in global configuration mode, or you can disable CDP on a per-interface basis by using the no cdp enable command in interface configuration mode:

Central(config)#no cdp run
Central(config-if)#no cdp enable

CAUTION

The no cdp run command disables CDP globally on the routers.

ip classless

The ip classless command is enabled on the Cisco routers by default in version 12.0 and higher. Disable ip classless if your network does not have a subnetted range of IP addresses. If you are subnetting a block of IP address allocated to you by the American Registry for Internet Numbers (ARIN), you should ensure that ip classless is enabled. You can learn more about ARIN by going to http://www.arin.net. It allows the router to advertise the subnetted addresses to its neighbors:

Central(config)#no ip classless

DNS

Domain Name System (DNS) lookup is enabled by default on Cisco routers, and if you are not implementing DNS lookup on your network, it is highly advisable to disable this feature globally by using the no ip domain-lookup command:

Central(config)#no ip domain-lookup

finger

The finger command is enabled by default and can be used to see what users are logged on to the network device. The finger command has been documented in RFC 742, and you should globally disable the finger command on network devices:

Central(config)#no ip finger

CAUTION

The no service finger command has been replaced by the no ip finger command.

CAUTION

Finger service can be disabled on the router in global configuration mode.

HTTP

Cisco routers can be accessed via a Web page, and unless you are implementing authentication proxy, we highly recommend that you turn off the HTTP service running on the router. You can use the no ip http server command to disable it.

If you want to implement HTTP-based management, we recommend that you implement HTTP authentication and limit the HTTP connections to the router using ACLs.

ip mask-reply

By default, the ip mask-reply command is disabled on all Cisco routers. The mask replies respond to Internet Control Message Protocol (ICMP) mask requests by sending out ICMP mask replies, and these mask replies contain important network information. If mask replies are enabled, make sure you disable them on the router by using the no ip mask-reply command in interface configuration mode:

Central(config-if)#no ip mask-reply

IP-Directed Broadcast

The IP-directed broadcast is another service that is commonly used in Smurf attacks. Smurf attacks send ICMP echo requests from a spoofed source address to a directed broadcast that cause all hosts to respond to the ping echo request, creating a lot of traffic on the network. By default on IOS version 12.0 and higher, ip directed broadcast is disabled, and if you are running any version lower than 12.0, it is imperative that you disable IP directed broadcasts on the router by issuing the following command in interface configuration mode:

Central(config-if)#no ip directed-broadcast

CAUTION

Smurf attacks send ICMP echo requests from a spoofed source address to a directed broadcast that cause all hosts to respond to the ping echo request, creating a lot of traffic on the network.

IP Source Routing

IP source routing allows the sender of an IP packet to control the route that packet will take to reach the destination endpoint. By default, IP source routing is disabled on the routers and should only be enabled if your network needs call for it. The following command disables IP source routing on the router globally:

Central(config)#no ip source-route

CAUTION

IP source routing allows the sender of an IP packet to control the route that packet will take to reach the destination endpoint.

IP Unreachable

IP unreachable messages can be used to map out the network topology, and they should be disabled on all interfaces. You can disable IP unreachables on all interfaces by issuing the following command in interface configuration mode:

Central(config-if)#no ip unreachables

CAUTION

IP unreachables should be disabled on all interfaces connected to insecure networks.

Small Servers

Cisco classifies echo, chargen, daytime, and discard as small services and recommends that these services be disabled on the router. By default, on versions 11.3 or higher, the small server service is disabled by default.

Logging:
Perimeter router logs can be used for troubleshooting, capacity planning and dealing with security incidents. For security purposes, status changes, changes to system configurations, access list matches, events detected by the firewall and intrusion detection features are logged. This logs can be viewed in a few ways.

Here are some ways:

1. Through the system using the logging console command. As some console ports are unattended or are connected to terminals with no historical storage, this information might be unavailable.
2. Servers running the syslog daemon can send logging information to sa server with the server-ip-address command.
3. Remote sessions on VTYs and local sessions on TTYs (logging monitor and terminal monitor commands.)
4. Routers can store logging information to a local RAM buffer. However, it only shows the most recent information. show memory  command shows how much free memory a router has to support a logging buffer. A buffer can be created using the buffer-size

Access List Violation Logs
To manage file size and minimize performance impacts, configure logging for those critical access list entries. Don’t log entries that will match a large number of packets and generate little useful information, such as the permit any statement.

With traffic filtering and ACLs, logging packets that violate the filter criteria should be logged. Older Cisco IOS software versions used the log keyword option, which captures the IP addresses and port numbers of packets that match an access list entry. Newer IOS versions use the log-input keyword, which adds additional information such as the receiving interface information and the MAC address of the host that sent the packet.



Reference:

• http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/
• http://en.wikipedia.org/wiki/File:DMZ_network_diagram_1_firewall.svg
• http://www.informit.com/articles/article.aspx?p=102180&seqNum=5
• http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Event+Logging+on+Perimeter+Routers/

 command.