Thursday, 31 May 2012

Site to Site VPN and Remote VPN

VPN stands for virtual private network: a private network that a user can reach from anywhere, without being physically present at the network's location (such as the company office). The only thing the user requires is access to the Internet.

A VPN provides a secure communication channel between the user and the network, protecting the traffic with encryption and authentication carried inside a tunneling protocol. One of the main reasons many companies implement a VPN is cost: a VPN replaces dedicated leased lines between sites with the existing infrastructure of the Internet and adds a layer of security on top. There are 2 types of VPN: remote-access VPN, where an individual user connects to the network, and site-to-site VPN, where two whole networks are joined through their gateways.

Wednesday, 30 May 2012

Public Key Infrastructure (Digital Cert )

A Public Key Infrastructure is a system where hardware, software, people, policies and procedures come together to create, manage, distribute and revoke digital certificates. A digital certificate binds a public key to an identity, so that data signed with the matching private key can be traced back to its sender.

PKI
In cryptography, PKI is an arrangement that binds public keys to specific user identities by means of a certificate authority. Each user identity must be unique within the certificate authority's domain. The binding is established through registration and issuance, which may be carried out by software or under human supervision.

Basically, PKI enables users to communicate securely over an insecure public network and to verify the identity of a user through digital signatures. It involves four components: a certificate authority, a registration authority, a central directory where keys and certificates are stored and indexed, and a certificate management system.


There are three approaches to establishing trust in a key and verifying its owner: certificate authorities, the web of trust, and the simple public-key infrastructure.

Certificate Authorities
The main role of a certificate authority is to digitally sign and publish the public key bound to a given user, using the CA's own private key. The component that checks the user's identity before the key is bound is called the Registration Authority.

A related arrangement has a certificate authority server issue short-lived certificates to users who log in to the system only once; the certificate then lets them use many functions of the system without logging in again (single sign-on).

Web of Trust
This method uses self-signed certificates and third-party attestations of those certificates, letting each participant build his own web of trust rather than relying on a single authority.

Simple Public-Key Infrastructure
This method grew out of the other two approaches, but it does not try to vouch for a person at all. The system is only concerned with whether a key is trustworthy for a given purpose; it is the key that is trusted, not the user behind it.
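To make the certificate-authority approach concrete, here is an added example (my own illustration, not code from any real PKI product) of what the CA does when it signs a certificate and what a relying party checks before trusting one: issuer name, the CA's signature over the certificate fields, the validity period and a revocation list. The RSA here is a toy textbook version without padding and with a 512-bit key so the demo runs instantly; it is an assumption for illustration only and must never be used for anything real. The names "School CA", "alice" and the timestamps are constructed.

```python
import hashlib
import json
import random

# --- toy textbook RSA (no padding, 512-bit): illustration only, never for production ---
def _is_probable_prime(n, rounds=25):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def rsa_keypair(bits=512):
    """Return ((e, n), (d, n)). 512 bits keeps the demo fast; it is not secure."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _digest(tbs):
    # canonical encoding of the to-be-signed fields, hashed with SHA-256 (always < n here)
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")

def sign(priv, tbs):
    d, n = priv
    return pow(_digest(tbs), d, n)

def verify_signature(pub, tbs, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(tbs)

def issue_cert(subject, subject_pub, issuer_name, issuer_priv, not_before, lifetime, serial):
    """The CA binds a public key to a name by signing these fields with its own private key."""
    tbs = {"serial": serial, "subject": subject, "issuer": issuer_name,
           "e": subject_pub[0], "n": subject_pub[1],
           "not_before": not_before, "not_after": not_before + lifetime}
    return {"tbs": tbs, "sig": sign(issuer_priv, tbs)}

def validate_cert(cert, ca_cert, crl, now):
    """The checks a relying party performs before trusting the public key in `cert`."""
    tbs = cert["tbs"]
    if tbs["issuer"] != ca_cert["tbs"]["subject"]:
        return "issuer is not the trusted CA"
    ca_pub = (ca_cert["tbs"]["e"], ca_cert["tbs"]["n"])
    if not verify_signature(ca_pub, tbs, cert["sig"]):
        return "signature does not verify under the CA key"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return "outside validity period"
    if tbs["serial"] in crl:
        return "revoked"
    return "valid"

def demo(now=1338422400):   # 31 May 2012 00:00 UTC, constructed
    random.seed(2012)
    ca_pub, ca_priv = rsa_keypair()
    ca_cert = issue_cert("School CA", ca_pub, "School CA", ca_priv, now - 86400, 10 * 365 * 86400, 1)
    alice_pub, _ = rsa_keypair()
    alice = issue_cert("alice", alice_pub, "School CA", ca_priv, now - 3600, 365 * 86400, 2)
    mallory_pub, mallory_priv = rsa_keypair()
    # Mallory writes "School CA" in the issuer field but signs with her own key
    forged = issue_cert("alice", mallory_pub, "School CA", mallory_priv, now - 3600, 365 * 86400, 3)
    expired = issue_cert("bob", alice_pub, "School CA", ca_priv, now - 2 * 86400, 86400, 4)
    return {
        "alice":   validate_cert(alice,   ca_cert, crl=set(), now=now),
        "forged":  validate_cert(forged,  ca_cert, crl=set(), now=now),
        "expired": validate_cert(expired, ca_cert, crl=set(), now=now),
        "revoked": validate_cert(alice,   ca_cert, crl={2},   now=now),
    }
```

The order of the checks matters: the signature is verified before anything else in the certificate is believed, because every other field (including the issuer name Mallory copied) is attacker-controlled until the signature proves the CA wrote it.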

IPSec (ESP, AH, DES, MD5, SHA, DH)

IPsec (Internet Protocol Security) is a protocol suite that secures Internet Protocol communication by authenticating and encrypting each IP packet in a session. It operates at the Internet layer of the Internet Protocol Suite, protecting traffic between hosts and networks. It is built from protocols such as Encapsulating Security Payload and Authentication Header, and from algorithms such as the Data Encryption Standard for encryption, MD5 and the Secure Hash Algorithm for integrity checks, and Diffie-Hellman for key exchange.

Encapsulating Security Payload
ESP is the IPsec protocol that provides data confidentiality (encryption), data origin authentication and connectionless integrity. It also provides an anti-replay service: each packet carries a sequence number, so an attacker who captures a valid packet and resends it later (for example, to repeat someone else's login or transaction) has the copy rejected by the receiver.

Authentication Header
Authentication Header is a member of the IPsec protocol suite that provides authentication, integrity and anti-replay protection for the packet, covering the payload and the parts of the IP header that do not change in transit. It does not encrypt the data; instead it computes an HMAC over the packet with a shared key and carries the result in the header, so the receiver can detect that the data was altered without permission.

Data Encryption Standard
DES was for many years the predominant encryption algorithm for electronic data. Compared to today's standards it is considered insecure because of its 56-bit key, which can be recovered by brute force. DES was developed to meet the US government's computer security needs, and in doing so it jump-started the open study and development of encryption algorithms.

DES is a block cipher: it takes a fixed-length (64-bit) block of plaintext and turns it into a ciphertext block of the same size. The transformation is customised by the key, so only those who know the key can decrypt the result.

MD5
MD5 (the MD5 Message-Digest Algorithm) is a widely used cryptographic hash function. A hash function does not encrypt data; it produces a fixed-size digest of it, which is why MD5 has been employed in a wide variety of security applications and for checking data integrity. MD5 is no longer collision resistant, so it should not be relied on where an attacker could substitute a forged document with the same digest; in IPsec it appears only inside HMAC-MD5.

SHA
SHA, the Secure Hash Algorithm, is a family of cryptographic hash functions. Several versions have been published and each is denoted by a number after the name (SHA-1, SHA-256 and so on); IPsec uses SHA-1 inside HMAC-SHA1.

Diffie-Hellman
Also known as DH. It is a method of exchanging cryptographic keys that allows two parties with no prior knowledge of each other to establish a shared secret over an insecure communications channel. That secret is then used to derive the keys for a symmetric cipher that encrypts the data; in IPsec the exchange runs inside IKE to produce the keys that ESP and AH use.
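The pieces above fit together in a single flow, shown here as an added example of my own rather than code from any IPsec implementation: the two sides run a Diffie-Hellman exchange, derive an authentication key from the shared secret, and then protect packets AH-style with an HMAC and a sequence number that the receiver checks against a sliding anti-replay window. The DH group (a 127-bit Mersenne prime) and the use of SHA-256 as the key-derivation function are assumptions for the demo; real IPsec negotiates standardised MODP groups and PRFs. The sample payload is constructed.

```python
import hashlib
import hmac
import os
import struct

# Toy Diffie-Hellman group for the demonstration only (assumption); a real IKE exchange
# uses a standardised MODP group with a 2048-bit or longer prime.
DH_P = 2**127 - 1   # Mersenne prime, far too small for real use
DH_G = 5

def dh_keypair():
    """Private exponent x and the public value g^x mod p sent to the peer."""
    x = int.from_bytes(os.urandom(16), "big") % (DH_P - 3) + 2
    return x, pow(DH_G, x, DH_P)

def dh_shared_secret(my_priv, peer_pub):
    return pow(peer_pub, my_priv, DH_P)

def derive_auth_key(shared):
    # IKE feeds the DH result through a PRF to get per-SA keys; SHA-256 stands in for it here.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class AhSender:
    """Prepends an AH-style header: SPI, sequence number and a truncated HMAC (the ICV)."""
    def __init__(self, key, spi):
        self.key, self.spi, self.seq = key, spi, 0

    def protect(self, payload):
        self.seq += 1
        header = struct.pack("!II", self.spi, self.seq)
        icv = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:12]
        return header + icv + payload

class AhReceiver:
    """Verifies the ICV first, then applies a sliding anti-replay window (RFC 4302 style)."""
    WINDOW = 32

    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0        # highest sequence number accepted so far
        self.seen = set()       # accepted sequence numbers still inside the window

    def verify(self, packet):
        spi, seq = struct.unpack("!II", packet[:8])
        icv, payload = packet[8:20], packet[20:]
        if spi != self.spi:
            return None, "unknown SPI"
        expected = hmac.new(self.key, packet[:8] + payload, hashlib.sha256).digest()[:12]
        if not hmac.compare_digest(icv, expected):
            return None, "integrity check failed"
        # Replay: already accepted, or older than the window can remember.
        if seq in self.seen or seq + self.WINDOW <= self.highest:
            return None, "replayed packet"
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.WINDOW > self.highest}
        return payload, "ok"

def demo():
    """Returns the receiver's verdict for a fresh packet, its replay, and a tampered copy."""
    a_priv, a_pub = dh_keypair()          # each side keeps its private exponent,
    b_priv, b_pub = dh_keypair()          # exchanges only the public value
    key = derive_auth_key(dh_shared_secret(a_priv, b_pub))
    assert key == derive_auth_key(dh_shared_secret(b_priv, a_pub))
    tx, rx = AhSender(key, 0x1000), AhReceiver(key, 0x1000)
    pkt = tx.protect(b"GET /grades HTTP/1.1")       # constructed sample payload
    verdicts = [rx.verify(pkt)[1]]                  # "ok"
    verdicts.append(rx.verify(pkt)[1])              # "replayed packet"
    tampered = pkt[:-6] + b"ADMIN!"                 # attacker edits the payload in transit
    verdicts.append(rx.verify(tampered)[1])         # "integrity check failed"
    return verdicts
```

Two details are worth noticing. The ICV is checked before the replay window is consulted, as the RFC requires, so an attacker cannot probe the window with forged sequence numbers; and the window lets packets arrive out of order (a late packet within 32 of the newest is still accepted) without letting any packet be accepted twice.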





Saturday, 19 May 2012

Authentication, Authorization and Accounting

AAA

Authentication

Authentication refers to proving that you are who you claim to be. For example, you are a student user of your school website, so you log in with your student account and password to validate yourself.

Authorization
Authorization refers to what data can you access or what you can do in a network. For eg, as a student, I can log in to the school website and access course study materials.

Accounting
Accounting records the actions you have taken in a network. For example, it records that I accessed the school website 10 times a day to get my study materials.

Wednesday, 9 May 2012

Context-based Access Control

Context-based Access Control (also referred to as CBAC) is a firewall feature of Cisco IOS that filters TCP and UDP packets based on application-layer information, rather than on addresses and ports alone. Examples are the TCP packets of World Wide Web traffic and the UDP packets of applications such as Skype. CBAC can be configured to allow or deny particular TCP or UDP sessions through the firewall according to the needs of the protected network, and because it is a stateful inspection firewall it tracks the state of each session passing through it in either direction.

Access lists can also filter traffic passing through the firewall, but an ordinary access list only inspects the network and transport layers of the OSI model (IP addresses, protocols and ports). CBAC can filter on network and transport layer information as well as on application-layer protocol state, which lets it open temporary entries for the return traffic of sessions that were started from inside the protected network.

CBAC has further benefits. Besides allowing or denying packets according to its configuration, it can detect and mitigate Denial-of-Service attacks (for example by limiting the number of half-open TCP connections), provide real-time alerts, and produce audit trails that make it easier to track the activities of users or the chain of events taking place in the network.
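The difference between a static access list and CBAC's stateful inspection is easiest to see in a simulation, so here is an added example of my own (a model, not Cisco's code) of an outside interface whose static ACL denies everything inbound, with inspection that opens entries for the replies to sessions started from inside, a cap on half-open TCP sessions as the DoS protection, and a log that doubles as the audit trail. The addresses are from the TEST-NET documentation ranges and the traffic is constructed.

```python
from collections import namedtuple

# Constructed packet model: direction "out" = inside -> Internet, "in" = Internet -> inside.
Packet = namedtuple("Packet", "proto src sport dst dport direction flags")

class CbacFirewall:
    """Deny-all static ACL on the outside interface plus CBAC-style inspection."""

    def __init__(self, inspect=("tcp", "udp"), max_incomplete=10):
        self.inspect = set(inspect)           # protocols that would be listed under 'ip inspect'
        self.max_incomplete = max_incomplete  # cap on half-open TCP sessions (DoS protection)
        self.sessions = {}                    # (proto, in_ip, in_port, out_ip, out_port) -> state
        self.log = []                         # audit trail and alerts

    def half_open(self):
        return sum(1 for s in self.sessions.values() if s == "half-open")

    def filter(self, pkt):
        return self._outbound(pkt) if pkt.direction == "out" else self._inbound(pkt)

    def _outbound(self, pkt):
        if pkt.proto not in self.inspect:
            return "permit"   # forwarded but not tracked, so its replies will meet the static deny
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            if pkt.proto == "tcp" and self.half_open() >= self.max_incomplete:
                self.log.append(f"ALERT half-open limit reached; dropping "
                                f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                return "deny"
            self.sessions[key] = "half-open" if pkt.proto == "tcp" else "established"
            self.log.append(f"AUDIT session start {pkt.proto} "
                            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "permit"

    def _inbound(self, pkt):
        # The static ACL is 'deny ip any any': only packets matching a session that
        # inspection opened from the inside are let through.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.sessions.get(key)
        if state is None:
            self.log.append(f"AUDIT denied unsolicited {pkt.proto} "
                            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "deny"
        if pkt.proto == "tcp" and {"SYN", "ACK"} <= pkt.flags:
            self.sessions[key] = "established"   # handshake completed, no longer half-open
        return "permit"

def demo():
    """Runs constructed traffic through the firewall and returns the verdicts in order."""
    fw = CbacFirewall(max_incomplete=2)
    verdicts = [
        # 1. inside client opens a web connection
        fw.filter(Packet("tcp", "192.168.1.10", 40001, "198.51.100.80", 80, "out", {"SYN"})),
        # 2. the server's SYN-ACK is return traffic of an inspected session
        fw.filter(Packet("tcp", "198.51.100.80", 80, "192.168.1.10", 40001, "in", {"SYN", "ACK"})),
        # 3. an outsider tries SMB on the same host: no session, so the static deny applies
        fw.filter(Packet("tcp", "203.0.113.5", 4444, "192.168.1.10", 445, "in", {"SYN"})),
        # 4-5. UDP (Skype-style) is tracked the same way, so the reply gets back in
        fw.filter(Packet("udp", "192.168.1.11", 50000, "203.0.113.7", 33445, "out", set())),
        fw.filter(Packet("udp", "203.0.113.7", 33445, "192.168.1.11", 50000, "in", set())),
    ]
    # 6-8. an inside host spraying SYNs without completing handshakes hits the cap
    for port in (40002, 40003, 40004):
        verdicts.append(fw.filter(Packet("tcp", "192.168.1.12", port, "198.51.100.9", 80, "out", {"SYN"})))
    return verdicts, fw.log
```

The session key is the full 5-tuple reversed for inbound packets, which is what makes the model stateful: the SYN-ACK in step 2 is admitted only because step 1 created the entry, while step 3 has no entry and dies on the static deny even though it targets the same host.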

Access Control Lists

An access control list is basically a table that tells the operating system which access rights each user is granted to a specific system object, such as a file or directory. Each object carries its own access list among its security attributes. The entries in the list define the privileges each user has, such as the ability to read or modify the content of a file.

The above picture is an example of how simple account privileges can be set for each user just by checking or un-checking boxes. For example, David wants to write to a file. I can be a jerk to David and leave the write box un-checked so that he can only read, or I can check the read/write attribute so that he can both read and write the file!
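Checkboxes hide one detail that matters as soon as users belong to groups: what happens when a user is allowed a right through a group but explicitly denied it himself. The added example below (my own illustration, not the code behind any particular operating system's ACLs) evaluates a per-object access list in which an applicable deny entry always wins over allow entries, and shows David reading but not writing. Users, groups and entries are constructed.

```python
# Rights are bit flags, so "read/write" from the checkbox picture is simply READ | WRITE.
READ, WRITE = 1, 2

class AccessList:
    """Per-object ACL of (principal, kind, rights) entries; an applicable deny beats any allow."""

    def __init__(self):
        self.entries = []

    def allow(self, principal, rights):      # ticking a box in the picture
        self.entries.append((principal, "allow", rights))

    def deny(self, principal, rights):       # an explicit deny that no allow can override
        self.entries.append((principal, "deny", rights))

    def check(self, user, groups, wanted):
        """True only if every requested right is granted and none of them is denied."""
        principals = {user, *groups}
        granted = 0
        for who, kind, rights in self.entries:
            if who not in principals:
                continue                     # entry is about somebody else
            if kind == "deny" and rights & wanted:
                return False                 # deny applies, regardless of its position
            if kind == "allow":
                granted |= rights
        return wanted & granted == wanted

def demo():
    acl = AccessList()
    acl.allow("students", READ)              # every student may read the file
    acl.allow("david", READ | WRITE)         # David's read/write box is ticked ...
    acl.deny("david", WRITE)                 # ... but an explicit deny on write wins
    groups = {"david": {"students"}, "fiona": {"students"}, "eve": set()}
    return {
        "david reads":  acl.check("david", groups["david"], READ),    # True
        "david writes": acl.check("david", groups["david"], WRITE),   # False
        "fiona reads":  acl.check("fiona", groups["fiona"], READ),    # True
        "fiona writes": acl.check("fiona", groups["fiona"], WRITE),   # False
        "eve reads":    acl.check("eve",   groups["eve"],   READ),    # False
    }
```

Requesting READ | WRITE at once is refused as soon as either right is denied or missing, which is the behaviour you want: a program that asked for read/write and got a file handle must be able to use both.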

Friday, 4 May 2012

Secure Perimeter Routers & Disable Services & Logging

Now that we have learnt how a perimeter router serves its purpose in a network, we shall proceed to learning how to secure the perimeter router, as well as how to disable unneeded services and do logging.

Securing perimeter routers

When a perimeter router is deployed it is exposed to many forms of danger while doing its job of filtering incoming packets. I will explain two types of filtering that can be employed to safeguard the perimeter router and the network behind it: ingress and egress. Ingress filtering drops packets arriving from the Internet whose source address could not legitimately come from outside (for example your own address range, or a private address), while egress filtering drops packets leaving your network whose source address is not one of yours, so that a compromised internal host cannot spoof other people's addresses.
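As an added example of my own (not taken from any vendor documentation), here is the ingress and egress policy expressed as two small filter functions, plus a helper that renders the same policy as the Cisco IOS numbered extended ACLs you would apply with `ip access-group 101 in` and `ip access-group 102 out` on the outside interface. The public prefix 203.0.113.0/24 and the test addresses are constructed from the documentation ranges; the bogon list is the usual RFC 1918, loopback, link-local and multicast set.

```python
import ipaddress

# Constructed example: the public prefix this perimeter router sits in front of.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Source addresses that can never legitimately arrive from the Internet: RFC 1918
# private space, "this" network, loopback, link-local and multicast (the classic bogons).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def ingress_filter(src):
    """Packet arriving on the outside interface: returns (forward?, reason)."""
    a = ipaddress.ip_address(src)
    if a in OUR_PREFIX:
        return False, "spoofed: claims to be one of our own addresses"
    for net in BOGONS:
        if a in net:
            return False, f"bogon source in {net}"
    return True, "ok"

def egress_filter(src):
    """Packet leaving on the outside interface: only our own prefix may be the source."""
    a = ipaddress.ip_address(src)
    if a not in OUR_PREFIX:
        return False, "source is not ours (spoofed or leaked private address)"
    return True, "ok"

def to_ios_acls():
    """Render the same policy as IOS extended ACLs; the wildcard is the inverted netmask."""
    ingress = [f"access-list 101 deny ip {OUR_PREFIX.network_address} {OUR_PREFIX.hostmask} any log"]
    ingress += [f"access-list 101 deny ip {n.network_address} {n.hostmask} any log" for n in BOGONS]
    ingress.append("access-list 101 permit ip any any")
    egress = [f"access-list 102 permit ip {OUR_PREFIX.network_address} {OUR_PREFIX.hostmask} any",
              "access-list 102 deny ip any any log"]
    return ingress, egress
```

The `log` keyword on the deny lines is what turns the filter into evidence: a burst of inbound packets claiming your own prefix as their source is an attack in progress, and the log entry is how you find out.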

Network/Port Address Translation

We will now talk about Network and Port Address Translation (also known as NAT and PAT respectively). NAT is the process of modifying (translating) the IP address information in an IP packet header as it travels through a traffic routing device such as a router. PAT is the common variant in which many internal hosts share a single public address and are told apart by translating the port numbers as well.

"An example of NAT diagram"
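The diagram shows the translation; the added example below (my own model, not the code of any router) shows the translation table that makes it work. Two inside hosts that happen to pick the same source port are given different public ports, replies are mapped back by looking up the public port, an unsolicited inbound packet with no table entry is dropped, and running out of free ports is handled instead of ignored. The public address 203.0.113.1, the inside network and the traffic are constructed.

```python
import ipaddress

class PortAddressTranslator:
    """PAT (NAT overload): many inside hosts share one public address, told apart by port."""

    def __init__(self, public_ip, inside_net, port_pool=range(1024, 65536)):
        self.public_ip = public_ip
        self.inside = ipaddress.ip_network(inside_net)
        self._free_ports = iter(port_pool)
        self.table = {}      # (inside_ip, inside_port) -> public_port
        self.reverse = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an inside -> Internet packet; None means it is dropped."""
        if ipaddress.ip_address(src_ip) not in self.inside:
            return None                            # not a host we translate for
        key = (src_ip, src_port)
        if key not in self.table:
            try:
                public_port = next(self._free_ports)
            except StopIteration:
                return None                        # pool exhausted: new sessions must fail safely
            self.table[key] = public_port
            self.reverse[public_port] = key
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a reply; unsolicited packets have no entry and are dropped."""
        if dst_ip != self.public_ip or dst_port not in self.reverse:
            return None
        inside_ip, inside_port = self.reverse[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)

def demo():
    """Two inside web clients that both chose source port 50000, plus a stray inbound packet."""
    pat = PortAddressTranslator("203.0.113.1", "192.168.1.0/24")
    a = pat.outbound("192.168.1.10", 50000, "198.51.100.80", 80)    # public port 1024
    b = pat.outbound("192.168.1.11", 50000, "198.51.100.80", 80)    # public port 1025
    reply_to_a = pat.inbound("198.51.100.80", 80, "203.0.113.1", 1024)
    reply_to_b = pat.inbound("198.51.100.80", 80, "203.0.113.1", 1025)
    stray = pat.inbound("203.0.113.99", 4444, "203.0.113.1", 3389)  # nobody inside asked for this
    return a, b, reply_to_a, reply_to_b, stray
```

The mapping is keyed on the inside address and port only, so the same public port is reused for every destination that host talks to; a router can also key on the destination, which makes the mapping stricter but breaks some peer-to-peer applications. Either way, the dropped `stray` packet is the side effect that makes PAT feel like a firewall, even though it was never designed as one.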


Common Threats to Router and Switch Physical & Mitigation

We all know that regardless of how well our technological equipment performs, there is always a chance it might break, malfunction or even explode (makes me wonder how on earth you ever took care of it if it explodes). In the cyber world, our computers and other electronic devices can be damaged not only physically but also virtually. How? By viruses, trojan horses, malware and other pesky cyber nuisances. Even networking devices such as routers and switches are not spared from these terrible nuisances!

Thursday, 3 May 2012

Perimeter Router, Internal Router and Firewall


"A simple diagram of a network implementing a perimeter router with firewall capabilities"
So what is a perimeter router? As the name suggests, it has something to do with the perimeter of your network (DUH!). A perimeter router is a router (you don't say...) that sits at the border between your network and someone else's network.

"The famous 38th parallel that seperates North and South Korea"
Unleash your imagination and pretend that the left side of the line is your home network. The right side of the line is a stranger's network or the Internet. Now, what do you think the soldier on the line is?

Wednesday, 2 May 2012

New Topics For The Week

YAWN~ Looks like they have woken me from my slumber with 4 new topics to do on Inter-networking Security @_@.

They will be:

Perimeter Router, Internal Router and Firewall

Network / Port Address Translation

Common Threats to Router and Switch Physical & Mitigation

Secure Perimeter Routers & Disable Services & Logging

Each topic will most likely be covered in a single post. Let's get to work on the first topic now, shall we?