Wednesday, May 16, 2012

AAA... Batteries or yet another practice in networking?

When we say "AAA" in front of someone, the first thought is often:

Triple A batteries, which look somewhat like this:



Right, enough fooling around, let's get to business.


AAA is an acronym for three processes that are usually carried out by a Network Access Server (NAS for short). The three As stand for:


Process: Authentication
How it works: The entity proves who it is by presenting credentials that uniquely identify it, such as a username and password, or a one-time password (token).

Process: Authorization
How it works: Defines what the authenticated entity is permitted to access or do within the network. It takes place after the authentication phase and is enforced by restricting general users to only the parts of the network they need, which limits the damage (accidental or otherwise) any one account can do.

Process: Accounting
How it works: Records (logs) the entity's behaviour and actions, for example when a session started and ended and what it used.

Wednesday, May 9, 2012

Context-Based Access Control

CBAC, or Context-Based Access Control, inspects packets passing through the firewall that have not already been explicitly denied by an ACL.

CBAC allows traffic that belongs to a connection already established from the trusted network, or that is a reply to a packet sent from inside it, and denies any connection or packet that is neither.

Session information is kept in a state table until the connection is terminated or times out. Inbound traffic is matched against that table, so an outside host cannot get in simply by making its packets look like replies to a session that was never opened.
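To show what the state table actually does, here is an added example in Python (my own toy model of the behaviour described above, not Cisco's CBAC code). Outbound sessions are recorded, inbound packets are permitted only when they are the reply to a recorded session, and entries disappear on connection close or after an idle timeout. The addresses, ports and the 300-second timeout are constructed for the demonstration.

```python
"""Toy stateful inspection engine modelled on the CBAC behaviour described above.
Added example, not Cisco's implementation: sessions opened from the inside are recorded
in a state table, replies from outside are matched against it, everything else is denied."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The flow as the reply traffic will look (addresses and ports swapped)."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    def __init__(self, idle_timeout=300, static_acl=None):
        self.idle_timeout = idle_timeout      # seconds of silence before a session expires
        self.static_acl = static_acl          # optional callable: flow -> True if an ACL denies it
        self.sessions = {}                    # outbound Flow -> time of last packet

    def _expire(self, now):
        for flow in [f for f, t in self.sessions.items() if now - t > self.idle_timeout]:
            del self.sessions[flow]

    def inspect(self, direction, flow, now, closes=False):
        """direction is 'in' (packet from the trusted side heading out) or 'out' (arriving
        from the untrusted side). closes=True marks the packet that ends the connection
        (e.g. a TCP FIN/RST), which removes the state-table entry."""
        # Packets an ACL explicitly denies never reach the inspection engine.
        if self.static_acl and self.static_acl(flow):
            return "deny"
        self._expire(now)
        if direction == "in":
            key = flow                                 # new or existing outbound session
        else:
            key = flow.reverse()                       # must be the reply to one we opened
            if key not in self.sessions:
                return "deny"                          # unsolicited inbound traffic
        self.sessions[key] = now
        if closes:
            del self.sessions[key]
        return "permit"


# Constructed sample: an inside client 192.168.1.10 fetching a web page from 203.0.113.5
def scenario():
    fw = StatefulFirewall(idle_timeout=300)
    client = Flow("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    reply = client.reverse()
    results = []
    results.append(fw.inspect("in", client, now=0))                   # outbound SYN: permit
    results.append(fw.inspect("out", reply, now=1))                   # server reply: permit
    results.append(fw.inspect("out", Flow("tcp", "203.0.113.5", 80, "192.168.1.10", 40001), now=1))   # wrong port: deny
    results.append(fw.inspect("out", Flow("tcp", "198.51.100.7", 4444, "192.168.1.10", 40000), now=1))  # wrong peer: deny
    results.append(fw.inspect("out", reply, now=400))                 # idle > 300 s: expired, deny
    results.append(fw.inspect("in", client, now=500))                 # session reopened: permit
    results.append(fw.inspect("in", client, now=501, closes=True))    # connection torn down
    results.append(fw.inspect("out", reply, now=502))                 # after close: deny
    return results


if __name__ == "__main__":
    print(scenario())
```

The `static_acl` hook models the first sentence above: anything an ACL already denies is dropped before the state table is consulted.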


Uses of CBAC

CBAC is commonly referred to as the IOS Firewall, since it performs deep packet inspection. Hence it also provides services such as Denial-of-Service (DoS) detection and prevention, real-time alerts and audit trails.

Access Control Lists

It's this time of the week again!

So, this week we will be doing Access Control Lists!
I will try to put this down in table form yet again, because I don't get bored doing it!


Access Control List

Access control can be used for many purposes.

For starters, I have used it on my own desktop PC to prevent myself from playing games on it while I work! (I will show you some pictures of it later in the week!)

Now back to INKS: access control can also be used in routers to control traffic!
There are 2 types of access lists used for access control in a router:

Standard Access List: Filters IP packets based only on the origin (source) address.

Extended Access List: Gains the added ability to filter packets based on the following:

  • Protocol type (e.g. EIGRP, ICMP, OSPF, TCP, UDP)
  • Source and destination IP addresses (also known as origin and target)
  • Source and destination ports for TCP or UDP


For a network to be secure, Access Control Lists (ACLs) are a must! Hence, a network administrator must know the difference between a standard and an extended access list.


Standard and extended ACLs make use of the following commands:

Standard Access Control Lists:


For example, a standard ACL command like this:

will permit any traffic whose source address is the host 192.168.1.2.

Extended Access Control Lists:

For example, an extended ACL command like this:

will permit TCP connections from the host 192.168.1.2 to the host 212.64.1.21.





ACLs work in hierarchical order:

Access control lists (standard or extended) are evaluated top-down: the first entry entered takes the most precedence and the last the least, and the first entry that matches a packet decides its fate. A packet that matches no entry at all is dropped by the implicit deny at the end of every list.

In the case where the ACL entries have been established in this manner:
TCP connections from source address 192.168.1.254 (known as the default IP of SingTel's Mio router) to any destination are allowed, while any source address other than 192.168.1.254 is denied connection to any destination. Putting the deny entry first would shadow the permit and block everything, so the order of entries matters.
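To make the standard/extended distinction and the first-match rule concrete, here is an added example in Python (my own code, not the post's and not Cisco IOS): a small parser for the numbered access-list syntax and an evaluator that walks the list top-down and applies the implicit deny at the end. The hosts 192.168.1.2, 212.64.1.21 and 192.168.1.254 are the ones from the post; the list numbers (10, 100, 101), the 8.8.8.8 destination and the /24 wildcard list are assumptions made for the demonstration. Ports are numeric only and only the `any`, `host` and `address wildcard` forms are handled.

```python
"""Toy evaluator for Cisco-style numbered ACLs: first match wins, implicit deny at the end.
Added example that models the syntax shown in the post; it is not Cisco IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = (0, 0xFFFFFFFF)           # network 0.0.0.0, wildcard 255.255.255.255


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"           # "tcp", "udp", "icmp", ... ("ip" = unspecified)
    dport: int = 0


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" for standard lists (they only look at the source)
    src: Tuple[int, int]        # (network, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]        # set only when "eq <port>" was given
    text: str                   # the original line, to report which entry matched


def _addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    network = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (network, wildcard)


def _matches(spec, addr):
    """Cisco wildcard semantics: a 1 bit means 'don't care', so compare only the 0 bits."""
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == network & care


def parse_acl(config):
    """Parse 'access-list N permit|deny ...' lines. Numbers 1-99 and 1300-1999 are standard
    lists (source only); everything else is treated as extended."""
    entries = []
    for line in config.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] != "access-list":
            raise ValueError("unsupported line: " + line)
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            proto, src, dst, dport = "ip", _addr(rest), ANY, None
        else:
            proto = rest.pop(0)
            src = _addr(rest)
            dst = _addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(Entry(action, proto, src, dst, dport, line))
    return entries


def evaluate(entries, pkt):
    """Walk the list top-down; the first matching entry decides.
    A packet that matches nothing hits the implicit deny at the end of every ACL."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_matches(e.src, pkt.src) and _matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e.text
    return "deny", "<implicit deny at end of list>"


# The lists from the post, plus a reordered copy showing that a deny placed above the
# permit shadows it completely: order is everything.
STANDARD = "access-list 10 permit host 192.168.1.2"
EXTENDED = "access-list 100 permit tcp host 192.168.1.2 host 212.64.1.21"
ORDERED = """
access-list 101 permit tcp host 192.168.1.254 any
access-list 101 deny ip any any
"""
SHADOWED = """
access-list 101 deny ip any any
access-list 101 permit tcp host 192.168.1.254 any
"""

if __name__ == "__main__":
    for name, cfg, pkt in [
        ("standard", STANDARD, Packet("192.168.1.2", "10.0.0.1")),
        ("extended", EXTENDED, Packet("192.168.1.2", "212.64.1.21", "tcp", 80)),
        ("ordered", ORDERED, Packet("192.168.1.254", "8.8.8.8", "tcp", 53)),
        ("shadowed", SHADOWED, Packet("192.168.1.254", "8.8.8.8", "tcp", 53)),
    ]:
        print(name, evaluate(parse_acl(cfg), pkt))
```

Running it prints which entry decided each packet; the "shadowed" case is the classic mistake of a deny-all line above the permits, which the first-match rule turns into a deny for everything.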

Well, that's all about ACLs.

We will be moving on to the next part of access control, Context-Based Access Control (CBAC)!

Wednesday, May 2, 2012

Secure Perimeter Routers & Disable Services & Logging

Lastly, securing the perimeter routers, disabling services and logging will be the last part I review for this week!

* This post will be re-edited with table format ASAP

There are several reasons for implementing filtering and mitigation on the perimeter routers, among them:

  • To prevent DoS or DDoS attacks
  • To prevent IP address spoofing
  • To mitigate SYN flood attacks
Among the processes used are:

Ingress and egress filtering:
  • Ingress filtering makes sure that an incoming packet really comes from the network it claims to come from: the router checks that the packet's source address is reachable via the interface it arrived on, and drops packets arriving from the Internet whose source address belongs to the internal or private address space. For ingress filtering to be effective everywhere, neighbouring networks have to cooperate, since each network can only vouch for the origins of the packets it sends.
  • Egress filtering makes sure that an outgoing packet actually originates from inside the network, by checking that the source address is present in, or reachable through, the internal interface or link. When the address is not, the packet is dropped, or an error message is sent back to the sender.
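Here is an added example in Python (my own code, not router configuration) of both checks done the way a router does them: a strict reverse-path check of the source address against the routing table, which covers ingress on the outside interface and egress on the inside one, plus a list of private and non-routable source ranges that can never legitimately arrive from the Internet. The address plan (192.168.1.0/24 inside, a default route outside) and the sample packets are assumptions.

```python
"""Added example (Python, not router code) of ingress and egress anti-spoofing filtering:
a strict reverse-path check against a routing table plus a bogon drop list.
The routing table and address plan are constructed for the demonstration."""
import ipaddress

# Constructed routing table: longest prefix wins, like a real forwarding table
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# Sources that must never arrive on the outside interface (RFC 1918 and other non-routable space)
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)]


def route_interface(addr):
    """Interface the router would use to reach addr (longest-prefix match), or None."""
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_ok(in_iface, src):
    """Strict reverse-path forwarding: the source must be reachable back out the very
    interface the packet arrived on, otherwise the source address is not credible."""
    return route_interface(src) == in_iface


def filter_packet(in_iface, src):
    """Return ('accept'|'drop', reason). in_iface is 'outside' (ingress from the Internet)
    or 'inside' (egress from our own network)."""
    addr = ipaddress.ip_address(src)
    if not rpf_ok(in_iface, addr):
        if in_iface == "outside":
            return "drop", "ingress: source claims to be inside our network"
        return "drop", "egress: source is not one of our addresses"
    if in_iface == "outside" and any(addr in n for n in BOGONS):
        return "drop", "ingress: private/bogon source from the Internet"
    return "accept", "source is consistent with the interface it arrived on"


if __name__ == "__main__":
    # Constructed sample packets: (arriving interface, source address)
    for iface, src in [("outside", "8.8.8.8"), ("outside", "192.168.1.5"),
                       ("outside", "10.1.1.1"), ("inside", "192.168.1.5"),
                       ("inside", "203.0.113.9")]:
        print(iface, src, filter_packet(iface, src))
```

The reverse-path check is what makes the two rules one mechanism: a packet from the Internet claiming an inside source fails it, and a packet leaving the inside with a foreign source (the signature of a host taking part in a spoofed DoS) fails it too. The bogon list catches private sources from the Internet that the default route would otherwise let through.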

Common Physical Threats to Routers and Switches & Mitigation

Continuing from NAT/PAT! My next review is on mitigating the common threats to hardware, specifically routers and switches!

Threat: Physical/Hardware
Methods of mitigation: Limit physical damage to equipment by:
  • Locking up access to equipment (doors, locking chassis, etc.)
  • A windowless room, if appropriate
  • Security cameras to observe the premises

Threat: Environmental
Methods of mitigation: Limit damage to equipment from the environment through the following procedures:
  • Temperature control - hardware is only reliable within its rated temperature range, and a cool environment prevents the overheating that can cause a failure of service.
  • Humidity control - a very humid room causes equipment to malfunction through oxidation of certain parts, rusting them to the point of extensive damage.

Threat: Electrical
Methods of mitigation: Limit electrical supply problems by:
  • Installing Uninterruptible Power Supply (UPS) systems
  • Devising and following a preventive maintenance plan
  • Installing redundant power supplies - redundant power supplies are the last fail-safe against electrical supply problems, kicking in when the emergency power supply goes down together with the main supply.

Threat: Maintenance
Methods of mitigation: Limit maintenance-related threats by:
  • Organizing and laying cables neatly
  • Labelling all cables and components - this prevents the accidental removal or disconnection of cables critical to a working system during maintenance, which would cause downtime.

After listing all these mitigation methods, it is still down to the team to implement them properly. After all, most of these threats are due to human error!

Network/Port Address Translation

Continuing from Perimeter Router, Firewall and Internal Routers, let's review our knowledge of NAT (Network Address Translation) and PAT (Port Address Translation)!



Network Address Translation (NAT): Provides many-to-many IP translation.

Works by mapping inside local (private) IP addresses to inside global IP addresses (the public addresses provided by the service provider).

Inside local IPs are mapped to global IPs temporarily (unless static NAT is configured) and stay mapped until no more traffic is using the entry, at which point the router removes the mapping and the now vacant global IP can be assigned to another private IP that requests a connection. When the pool of global IPs is used up, further inside hosts cannot be translated until an entry is released.

Port Address Translation (PAT): Provides many-to-one IP translation.

Works by mapping each inside local (private) IP address and port to a port on a single global IP (the address provided by the service provider).

Each private IP and port is mapped to a port of the global IP and stays mapped until no more traffic is using it, at which point the router removes the mapping and the now vacant port can be reused for another private host's connection.

NAT and PAT are two of many measures employed to slow the gradual exhaustion of available IPv4 addresses. As such, they may become obsolete with IPv6, an improved addressing scheme with 128-bit addresses, which provides an essentially unlimited number of addresses, to the extent that one can say "Unless we find another thousand civilizations out there, addresses can never run out!"
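To show the difference between the two schemes in the table, here is an added example in Python (my own model, not router code): a dynamic NAT pool that hands out one global address per inside host and runs dry, beside a PAT table that multiplexes every inside host onto one global address by port and can map replies back. The addresses (192.168.1.x inside, 203.0.113.x global) and the port-preservation rule are assumptions for the demonstration.

```python
"""Added example (Python, not router code) of the two translation schemes in the table:
a dynamic NAT pool (many-to-many) that can run out of addresses, and PAT (many-to-one)
that multiplexes on ports instead. All addresses are constructed for the demonstration."""


class DynamicNAT:
    """Many-to-many: each inside local (private) address borrows one inside global
    address from the pool for as long as it has traffic, then gives it back."""
    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}                 # inside local -> inside global

    def translate(self, local_ip):
        if local_ip in self.table:
            return self.table[local_ip]
        if not self.free:
            return None                 # pool exhausted: the router has to drop the packet
        global_ip = self.free.pop(0)
        self.table[local_ip] = global_ip
        return global_ip

    def release(self, local_ip):
        """Called when the entry times out or its last session ends."""
        self.free.append(self.table.pop(local_ip))


class PAT:
    """Many-to-one: every inside (ip, port) pair is given its own port on the single
    global address, so the router can tell the returning packets apart."""
    def __init__(self, global_ip, first_port=1024):
        self.global_ip = global_ip
        self.next_port = first_port
        self.out = {}                   # (local_ip, local_port) -> global port
        self.back = {}                  # global port -> (local_ip, local_port)

    def translate(self, local_ip, local_port):
        key = (local_ip, local_port)
        if key not in self.out:
            # Keep the original source port when it is free (as routers try to),
            # otherwise hand out the next unused port.
            port = local_port if local_port >= 1024 and local_port not in self.back else None
            if port is None:
                while self.next_port in self.back:
                    self.next_port += 1
                port = self.next_port
            self.out[key] = port
            self.back[port] = key
        return self.global_ip, self.out[key]

    def untranslate(self, global_port):
        """Reverse lookup for a reply arriving from the Internet; None if no session owns the port."""
        return self.back.get(global_port)

    def release(self, local_ip, local_port):
        port = self.out.pop((local_ip, local_port))
        del self.back[port]


if __name__ == "__main__":
    nat = DynamicNAT(["203.0.113.10", "203.0.113.11"])
    for host in ("192.168.1.2", "192.168.1.3", "192.168.1.4"):
        print("NAT", host, "->", nat.translate(host))      # third host gets None
    pat = PAT("203.0.113.1")
    for host in ("192.168.1.2", "192.168.1.3", "192.168.1.4"):
        print("PAT", host, 5000, "->", pat.translate(host, 5000))
```

The `untranslate` lookup is also why PAT behaves like a crude stateful filter: an inbound packet to a global port that no inside session owns has nowhere to go and is dropped.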

Tuesday, May 1, 2012

Perimeter Router, Firewall and Internal Routers, What a chore!

Hey all, it's the time of the week for a post again!

As per the previous post, I will put everything I can in table form (partly because I enjoy creating tables for no apparent reason, and also because they look GOOD).

So yeah, let's cut to the chase and review what we have learned this week:


Perimeter Router (standalone): Provides protection for an enclosed network from the cloud (the general Internet).

The protection provided is minimal and is only meant to stop casual attacks from outside the trusted network.

Internal Router (normally used with a firewall and perimeter router already in place): Provides connectivity to other parts of the network in case the perimeter router is unavailable. (E.g. the corporation's own server in the DMZ is reachable from the private network, but not from connections originating from the cloud (Internet).)

Firewall: Provides packet screening and directs packets. Useful in networks with a DMZ and a private network, so as to prevent the cloud (Internet) from gaining unauthorized access to the network or its services.

*Please note that the table above only describes the usage of NON-INTEGRATED peripherals.

A small business usually only employs a perimeter router, but may also use a firewall integrated into the perimeter router; that combination is also suitable for medium-sized businesses.

A large or huge corporation will usually make use of one of the two following setups:

Dedicated Perimeter Router and Firewall

Dedicated Perimeter Router, Firewall and Internal Router