Public Key Infrastructure (Digital Cert)

A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). The RA ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation.

The primary role of the CA is to digitally sign and publish the public key bound to a given user. This is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. The mechanism that binds keys to users is called the Registration Authority (RA), which may or may not be separate from the CA. The key-user binding is established, depending on the level of assurance the binding has, by software or under human supervision

A digital cert contains these info:

Serial Number: Used to uniquely identify the certificate.

Subject: The person, or entity identified.

Signature Algorithm: The algorithm used to create the signature.

Signature: The actual signature to verify that it came from the issuer.

Issuer: The entity that verified the information and issued the certificate.

Valid-From: The date the certificate is first valid from.

Valid-To: The expiration date.

Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing...).

Public Key: The public key.

Thumbprint Algorithm: The algorithm used to hash the public key.

Thumbprint: The hash itself, used as an abbreviated form of the public key.

IPSec (ESP, AH, DES, MD5, SHA, DH)

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.


The IPSec framework consists of the IPSec protocol (e.g. ESP, ESP+AH), encryption (e.g. DES, 3 DES), authentication (e.g. MD5, SHA), and the Defiie-Hellman options (e.g. DH1, DH2).


The IPsec has protocol has 5 basic steps. First, it will identify the interesting traffic meaning the network traffic which they network administrator wants to apply security on. They would then start the first phase of the IKE(Internet Key Exchange) with the router on the other end. They would negotiate the policy to check whether both sides are using the same IPsec policy as this is important. For example, is one side is using the DES encryption method which the other is using the 3 DES, the data sent over will only appear as garbage. They would then do the Diffie-Hellman Exchange and Verify the peer identity using for example, pre-shared keys, RSA signatures or RSA encrypted nonces. Next, the transform sets will be negotiates. A transform set is a combination of algorithms and protocols that enact a security policy for traffic. The SA(security Association) are exchanged between the peer routers. When the SA has reached a time-out, the IPsec SA will be removed and the and process will repeat to create another tunnel

Authentication, Authorization and Accounting (AAA)

It refers to a security architecture for distributed systems, which enables control over which users are allowed access to which services, and how much of the resources they have used.


Authentication
Authentication refers to the process where an entity's identity is authenticated, typically by providing evidence that it holds a specific digital identity such as an identifier and the corresponding credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers.


Authorization
The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service. Authorization may be determined based on a range of restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple access by the same entity or user. Typical authorization in everyday computer life is for example granting read access to a specific file for authenticated user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, quality of Service/differential services, bandwidth control/traffic management, compulsory tunneling to a specific endpoint, and encryption.


Accounting
Accounting refers to the tracking of network resource consumption by users for the purpose of capacity and trend analysis, cost allocation, billing. In addition, it may record events such as authentication and authorization failures, and include auditing functionality, which permits verifying the correctness of procedures carried out based on accounting data. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the user or other entity, the nature of the service delivered, when the service began, and when it ended, and if there is a status to report.

Context-Based Access Control

Context Based Access Control (CBAC) intelligently filters TCP and UDP packets based on application layer protocol session information and can be used for intranets, extranets and internets. CBAC can be configured to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network needing protection. (In other words, CBAC can inspect traffic for sessions that originate from the external network.) However, while this example discusses inspecting traffic for sessions that originate from the external network, CBAC can inspect traffic for sessions that originate from either side of the firewall. This is the basic function of a stateful inspection firewall.

Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information (such as FTP connection information) to learn about the state of the TCP or UDP session. This allows support of protocols that involve multiple channels created as a result of negotiations in the FTP control channel. Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple control channels.

CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions (sessions that originated from within the protected internal network).

CBAC does the deep packet inspection and hence it is termed to be a IOS Firewall.

Access Control Lists

An access control list (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. 

There are two basic types of ACLs for cisco routers. The standard and extended routers.

The standard ACL filter IP packets based on the source address only while the extended ACL filter IP packets based on several attributes such as the protocol type, source and destination IP addresses, source and destination TCP/UDP ports or ICMP and IGMP message types. 

cisco router syntax for standard ACLs:

access-list access-list-number {deny | permit } source [source-wildcard]

Cisco router syntax for extended ACLs:

access-list access-list-number {deny | permit} {protocol-number | protocol-keyword}{source source-wildcard | any | host} {source-port} {destination destination-wildcard | any |host} {destination-port} [established] [log | log-input]

Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like Firewalls, ACLs are subject to security regulations and standards such as PCI DSS.

Secure Perimeter Routers & Disable Services & Logging

At the perimeter router, there should be a login banner and it should:

•          Specify what is “proper use”of the system

•          Specify that the system is being monitored

•          Specify that privacy should not be expected when using this system

•          Do not use the word “welcome”

•          Have legal department review the content of the message

Also use good password practices such as:

•          Avoid dictionary words, names, phone numbers, and dates.

•           Include at least one lowercase letter, uppercase letter, digit, and special character.

•           Make all passwords at least eight characters long.

•           Avoid more than four digits or same-case letters in a row.

•          Change passwords often.

Services that are not in used should be turned off or removed as each service may have their security vulnerabilities and by having them turn on, you are exposing yourself to more security risks.

When possible, the following practices are advised:

•          Encrypt Syslog traffic within an IPSec tunnel.

•          When allowing Syslog access from devices on the outside of a firewall, implement RFC 2827 filtering (Network Ingress Filtering: Defeating DoS Attacks) at the perimeter router.

•          ACLs should also be implemented on the firewall in order to allow Syslog data from only the managed devices themselves to reach the management hosts. 

Common Threats to Router and Switch Physical & Mitigation

Besides network threats and security threats to a network, there are also physical threats and they are equally important to take care off.

1. Hardware threats -- All threats that are associated with physical damage to the routers and switches are classified as hardware threats. You can mitigate hardware threats by providing controlled access to the facilities. You limit access to only network-related personnel into the main distribution facility (MDF), intermediate distribution facility (IDF), and network operations center (NOC). You can provide security by ensuring that there is no access to the facility via the ceiling, raised floors, AC ducts, or windows. You can also mitigate hardware threats by using security cameras and by logging entry attempts.

2. Environmental threats -- Threats associated with climatic conditions are environmental threats. To mitigate environmental threats, you need to ensure that there is adequate ventilation in the facility and that the temperature and humidity levels are maintained in accordance with the specifications defined in the equipment documentation. Once these parameters are in place, ensure that you have the ability to remotely manage and monitor temperature and humidity controls. Also make sure that the facility is free from electrostatic discharge (ESD) and magnetic interference.

3. Electrical threats -- Brown-outs, spikes, inadequate power supply, noise and power loss are typical examples of electrical threats. We highly recommend that your mission-critical devices are hooked up to an uninterrupted power supply (UPS). A UPS provides line conditioning and protects your network devices against irregularities in your power distribution system. Ensure that you have redundant power supplies in your network devices (if they support them) or some hot spares at the facility. This measure reduces the amount of downtime on your network. A generator can be an alternate source for power in case of a power outage if your environment is mission critical.

4. Maintenance threats -- Poor cabling, faulty labeling and electronic devices without adequate ESD deterrents are classified as maintenance threats. Make sure that the equipment cabling is labeled properly and that a proper labeling convention is followed. This measure helps in tracing cables in the facility and aids in quick troubleshooting as well. Ensure that cables have smooth bends when you go around the corner. You want no kinks on the cable, so you can guarantee the smooth flow of data.