Wednesday, May 30, 2012

Site to Site VPN, Remote VPN


Site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.
There are two types of site-to-site VPNs:
  • Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
  • Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.
Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it could use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote-access VPN. Dedicated VPN gateway equipment at each site can accomplish this goal in a site-to-site VPN.



A VPN supplies network connectivity over a possibly long physical distance. In this respect, a VPN is a form of Wide Area Network (WAN). VPNs enable file sharing, video conferencing and similar network services. Virtual private networks generally don't provide any new functionality that isn't already offered through alternative mechanisms, but a VPN implements those services more efficiently and cheaply in most cases.
A key feature of a VPN is its ability to work over both private networks and public networks like the Internet. Using a method called tunneling, a VPN uses the same hardware infrastructure as existing Internet or intranet links. VPN technologies include various security mechanisms to protect the virtual, private connections.
Specifically, a VPN supports at least three different modes of use:
  • Internet remote access client connections
  • LAN-to-LAN internetworking
  • Controlled access within an intranet
Internet VPNs for Remote Access
In recent years, many organizations have increased the mobility of their workers by allowing more employees to telecommute. Employees also continue to travel and face a growing need to stay connected to their company networks.
A VPN can be set up to support remote, protected access to the corporate home offices over the Internet. An Internet VPN solution uses a client/server design that works as follows:
1. A remote host (client) wanting to log into the company network first connects to any public Internet Service Provider (ISP).
2. Next, the host initiates a VPN connection to the company VPN server. This connection is made via a VPN client installed on the remote host.
3. Once the connection has been established, the remote client can communicate with the internal company systems over the Internet just as if it were a local host.
Before VPNs, remote workers accessed company networks over private leased lines or through dialup remote access servers. While VPN clients and servers require careful installation of hardware and software, an Internet VPN is a superior solution in many situations.
VPNs for Internetworking
Besides using virtual private networks for remote access, a VPN can also bridge two networks together. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet. This solution uses a VPN server to VPN server connection.
Intranet / Local Network VPNs
Internal networks may also utilize VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.
This type of VPN use does not involve an Internet Service Provider (ISP) or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their WiFi local networks.

Friday, May 25, 2012

Public Key Infrastructure (Digital Cert)


In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.

For provable security this reliance on something external to the system has the consequence that any public key certification scheme has to rely on some special setup assumption, such as the existence of a certificate authority.

Certificates can be created for Unix-based servers with tools such as OpenSSL's ca command or SuSE's gensslcert. These may be used to issue unmanaged certificates, Certification Authority (CA) certificates for managing other certificates, and user and/or computer certificate requests to be signed by the CA, as well as a number of other certificate related functions.

Similarly, Microsoft Windows 2000 Server and Windows Server 2003 contain a Certification Authority (CA) as part of Certificate Services for the creation of digital certificates. In Windows Server 2008 the CA may be installed as part of Active Directory Certificate Services. The CA is used to manage and centrally issue certificates to users and/or computers. Microsoft also provides a number of different certificate utilities, such as SelfSSL.exe for creating unmanaged certificates, and Certreq.exe for creating and submitting certificate requests to be signed by the CA, and certutil.exe for a number of other certificate related functions.
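As an added example (not part of the original post), the following shell script builds a throwaway PKI with OpenSSL: a self-signed CA, a server certificate request signed by that CA, and checks that the signature chains to the issuing CA but not to an unrelated one, and that the certificate really carries the server's public key. It uses openssl req and openssl x509 -req instead of the ca command so that no configuration file or index database is needed; the subject names (Example Root CA, www.example.test, Unrelated CA) are constructed placeholders.

```sh
#!/bin/sh
# Added example: throwaway two-tier PKI in a temp directory using OpenSSL.
# Subject names are constructed placeholders, not real identities.
set -e

build_pki() {
  dir=$(mktemp -d)
  cd "$dir"
  # Root CA: key + self-signed certificate (the signer attests to itself here)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
  # Server: key + certificate signing request carrying its public key and name
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
  # CA signs the CSR: the signature binds public key and identity, as the text describes
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 90 -out server.crt >/dev/null 2>&1
  # An unrelated CA that never signed server.csr, to show verification failing
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Unrelated CA" -keyout other.key -out other.crt >/dev/null 2>&1
  echo "$dir"
}

# verify_cert <trust-anchor.crt> <cert.crt>: exit 0 if cert chains to the anchor
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches <cert.crt> <private.key>: exit 0 if the certificate carries the
# public key that belongs to this private key (compares the SPKI PEM blocks)
key_matches() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1")
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone demonstration
pki=$(build_pki)
verify_cert "$pki/ca.crt" "$pki/server.crt" && echo "server.crt chains to Example Root CA"
verify_cert "$pki/other.crt" "$pki/server.crt" || echo "server.crt does NOT chain to Unrelated CA"
key_matches "$pki/server.crt" "$pki/server.key" && echo "certificate public key matches server.key"
```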

IPSec (ESP, AH, DES, MD5, SHA, DH)


Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model. In the past, the use of TLS/SSL had to be designed into an application to protect the application protocols. In contrast, applications have never needed to be specifically designed to use IPsec, so IPsec protects any application traffic across an IP network. With the rise of SSL-based VPNs such as OpenVPN, this now holds true for SSL as well.

IPsec was originally developed at the Naval Research Laboratory as part of a DARPA-sponsored research project. ESP was derived directly from the SP3D protocol, rather than from the ISO Network-Layer Security Protocol (NLSP). The SP3D protocol specification was published by NIST but designed by the Secure Data Network System project of the National Security Agency (NSA). IPsec AH is derived in part from previous IETF standards work on authentication for the Simple Network Management Protocol (SNMP).
IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Request for Comments documents addressing various components and extensions. It specifies the spelling of the protocol name to be IPsec.

Thursday, May 17, 2012

Authentication, Authorization and Accounting

AAA refers to authentication, authorization and accounting. It is a security architecture for distributed systems that controls which users are allowed access to which services, and how much of the resources they have used. Two network protocols providing this functionality are particularly popular: the RADIUS protocol and its newer Diameter counterpart.

Authentication refers to the process where an entity's identity is authenticated, typically by providing evidence that it holds a specific digital identity such as an identifier and the corresponding credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service. Authorization may be determined based on a range of restrictions, for example time-of-day restrictions, physical location restrictions, or restrictions against multiple access by the same entity or user. A typical authorization decision in everyday computing is granting read access to a specific file to an authenticated user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, quality of service/differentiated services, bandwidth control/traffic management, compulsory tunneling to a specific endpoint, and encryption.

Accounting refers to the tracking of network resource consumption by users for the purposes of capacity and trend analysis, cost allocation and billing. In addition, it may record events such as authentication and authorization failures, and include auditing functionality, which permits verifying the correctness of procedures carried out based on accounting data. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information gathered in accounting is the identity of the user or other entity, the nature of the service delivered, when the service began and when it ended, and a status, if there is one to report.

Thursday, May 10, 2012

Context-based Access Control


CBAC can be used to inspect packets entering the firewall if they are not specifically denied by an ACL. CBAC permits or denies specific TCP and UDP traffic through the firewall and maintains a state table with session information. CBAC can also protect against DoS attacks.
Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer or, at most, the transport layer. CBAC, however, examines not only network-layer and transport-layer information but also application-layer protocol information (such as FTP connection information) to learn about the state of the TCP or UDP session. This allows support for protocols that involve multiple channels created as a result of negotiations in the FTP control channel. Most multimedia protocols, as well as some other protocols (such as FTP, RPC, and SQL*Net), involve multiple control channels.
These are the steps to configure CBAC:
Step 1: Set audit trails and alerts.
Step 2: Set global timeouts and thresholds.
Step 3: Define Port-to-Application Mapping (PAM).
Step 4: Define inspection rules.
Step 5: Apply inspection rules and also ACLs to interfaces.
Step 6: Test and then verify.
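The six steps above as an IOS configuration, added here as an example (not from the original post). The interface name FastEthernet0/1, the ACL number 101, the inspection rule name FWRULE and the timer values are assumptions; the outside interface gets the ACL inbound and the inspection rule outbound, so CBAC opens temporary return-traffic holes only for sessions that inside hosts started.

```cisco
! Step 1: audit trail and alerts (alerts are on by default; made explicit here)
ip inspect audit-trail
no ip inspect alert-off
!
! Step 2: global timeouts and the half-open session thresholds used against DoS
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 400
ip inspect one-minute low 300
!
! Step 3: PAM - tell CBAC that HTTP is also spoken on port 8080
ip port-map http port 8080
!
! Step 4: inspection rules for the protocols inside hosts may initiate
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
ip inspect name FWRULE http
!
! Step 5: the inbound ACL on the outside interface blocks everything that is not
! a reply to an inspected session; CBAC inserts temporary entries ahead of it
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
!
interface FastEthernet0/1
 description Outside (untrusted)
 ip access-group 101 in
 ip inspect FWRULE out
!
! Step 6: verify from privileged EXEC mode
! show ip inspect config
! show ip inspect sessions
! show ip access-lists 101
```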

Access Control Lists

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.
On a router, access lists are applied in two directions:
  • Inbound—Data flows toward the router interface.
  • Outbound—Data flows away from the router interface.


Cisco routers can identify access lists using two methods:
  • Access list number (all IOS versions)—The number of the access list determines what protocol it is filtering:
      (1-99) and (1300-1399)—Standard IP access lists.
      (100-199) and (2000-2699)—Extended IP access lists.
      (800-899)—Standard IPX access lists.
  • Access list name (IOS versions > 11.2)—You provide the name of the access list:
      Names contain alphanumeric characters.
      Names cannot contain spaces or punctuation and must begin with an alphabetic character.

Cisco routers also support two basic types of IP access lists:
  • Standard—Filter IP packets based on the source address only.
  • Extended—Filter IP packets based on several attributes, including protocol type, source and destination IP addresses, source and destination TCP/UDP ports, and ICMP and IGMP message types.
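The ACL types and numbering ranges described above in IOS syntax, added here as an example (not from the original post). The LAN 192.168.10.0/24, the server 10.0.0.5, the ACL names and the interface names are assumptions.

```cisco
! Standard numbered ACL (range 1-99): matches on the source address only.
! The second value is a wildcard mask (inverse of the subnet mask), not a netmask.
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny   any log
!
! Extended numbered ACL (range 100-199): protocol, source, destination and ports.
access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 443
access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 22
access-list 110 permit icmp 192.168.10.0 0.0.0.255 any echo
access-list 110 deny   ip any any log
!
! Named extended ACL (IOS 11.2 and later): same matching, a readable name, and
! entries that can be added or removed individually by sequence number.
ip access-list extended INSIDE-IN
 10 permit udp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq domain
 20 permit tcp 192.168.10.0 0.0.0.255 any eq www
 30 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 40 deny   ip any any log
!
! Every ACL ends with an implicit "deny any"; the explicit deny with "log"
! above exists so that dropped packets show up in the logs.
!
! Direction is relative to the router: "in" filters traffic arriving on the
! interface from the LAN, "out" filters traffic the router sends out of it.
interface FastEthernet0/0
 description Inside (trusted LAN)
 ip access-group INSIDE-IN in
!
! A standard ACL is a good fit where only the source matters, for example
! restricting which hosts may open a management session to the router itself:
line vty 0 4
 access-class 10 in
!
! Verify from privileged EXEC mode:
! show access-lists
! show ip interface FastEthernet0/0
```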

Wednesday, May 2, 2012

Secure Perimeter Routers & Disable Services & Logging


A perimeter router is the router that connects the organisation to the untrusted network, usually the Internet, and also connects to the trusted network, the internal local area network (LAN) inside the organisation. Perimeter routers are secured by managing them through logging, disabling of unneeded services, software maintenance and configuration maintenance.

  Disabling of services matters because an attacker can use the services a router runs by default to gather information about the router, execute a denial of service (DoS) attack, or attempt to gain unauthorized access. Therefore, disable every service on the perimeter router that is not in use or that is unnecessary.
 
  Logging can be configured in many ways. One good practice is to set log severity levels. The levels are ordered from most severe to least severe: level 0 is the most severe, and the highest level the least. Level 0 is reserved for genuine emergencies, whereas the highest level is used for the least urgent messages.
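Both measures as an IOS configuration for the perimeter router, added here as an example (not from the original post). The syslog server address 10.0.0.50 and the interface names are assumptions; the severity table lists the standard IOS syslog levels, and choosing a level for a destination sends that level and everything more severe (lower number).

```cisco
! --- Disable services that are not needed on a perimeter router ---
no service pad
no service finger
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip http server
no ip http secure-server
no cdp run
no ip source-route
!
interface FastEthernet0/1
 description Outside (untrusted)
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip directed-broadcast
 no cdp enable
!
! --- Logging ---
! Severity levels: 0 emergencies, 1 alerts, 2 critical, 3 errors,
!                  4 warnings, 5 notifications, 6 informational, 7 debugging
! Timestamps and sequence numbers make the log usable as forensic evidence
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
! Local buffer keeps levels 0-6 for "show logging"
logging buffered 65536 informational
! Remote syslog server receives levels 0-5
logging host 10.0.0.50
logging trap notifications
! Console only sees levels 0-2 so it is not flooded
logging console critical
! Send syslog from the inside interface address so the server can filter on it
logging source-interface FastEthernet0/0
!
! Verify from privileged EXEC mode:
! show logging
! show ip interface FastEthernet0/1
```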