Friday, November 27, 2020

Basics of Time To Live (TTL)

Basics of Time to Live (TTL)

We often see the word TTL in the output of a ping request to a device or router. The output looks like this:

Reply from xx.xx.xx.xx: bytes=32 time=1ms TTL=255 

Reply from xx.xx.xx.xx: bytes=32 time=1ms TTL=255 

Reply from xx.xx.xx.xx: bytes=32 time=1ms TTL=255 

Reply from xx.xx.xx.xx: bytes=32 time=1ms TTL=255 

So you may wonder what this TTL actually is. Here is the basic information on TTL.

Time to live (TTL) is a value, ranging from 1 to 255, that the sending system places in the header of an Internet Protocol (IP) packet and that is used during communication, for example when you ping a network device from a network tool or from the command line. It tells a router whether the packet has been in the network too long and must be discarded, or whether it can still be forwarded. In effect it bounds how long a packet can remain in transit.

Each router that receives the packet deducts at least 1 from the count. If the count is still greater than 0, the router forwards the packet; otherwise it discards it and sends an ICMP message back to the source host, after which the source can resend.

The ping and the traceroute functions both use the TTL value to attempt to reach a given host computer or to trace a route to that host. 

This prevents data packets from circulating endlessly in the network. TTL is an 8-bit field in IPv4; in IPv6 the equivalent field is the Hop Limit (a hop count).
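To make the decrement-and-discard behaviour concrete, here is an added example (not part of the original post): a small simulation in which each router on a constructed three-router path decrements the TTL, and a traceroute built on top of it that discovers the path by sending probes with TTL 1, 2, 3, ... until one is delivered. The router names and addresses are made up, and the infer_initial_ttl helper is an assumption added here: it relies on the common default initial values 64, 128 and 255 to estimate how many hops away the sender of a reply like the one above (TTL=255) is.

```python
from dataclasses import dataclass

# Constructed topology: three routers between the source host and the destination.
# Names and addresses are made up for this example.
PATH = [("r1", "10.0.1.1"), ("r2", "10.0.2.1"), ("r3", "10.0.3.1")]
DESTINATION = "10.0.3.10"


@dataclass
class Packet:
    dst: str
    ttl: int  # 8-bit TTL field: 1..255


def route(packet: Packet, path):
    """Walk the packet through each router on the path.

    Every router first decrements TTL by one. If TTL reaches 0 the router
    discards the packet and answers with an ICMP Time Exceeded message,
    which is what traceroute relies on. Returns (status, responder, hops_used).
    """
    for hops, (_name, addr) in enumerate(path, start=1):
        packet.ttl -= 1
        if packet.ttl <= 0:
            return ("icmp-time-exceeded", addr, hops)
    return ("delivered", packet.dst, len(path))


def traceroute(dst: str, path, max_ttl: int = 30):
    """Discover the path by sending probes with TTL = 1, 2, 3, ... until one is delivered."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        status, responder, _ = route(Packet(dst=dst, ttl=ttl), path)
        hops.append(responder)
        if status == "delivered":
            break
    return hops


def infer_initial_ttl(observed_ttl: int):
    """Heuristic (an assumption, not from the original post): most IP stacks start
    TTL at 64, 128 or 255, so the smallest common default >= the observed value is
    the likely initial TTL and the difference is the hop count to the sender."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL is an 8-bit field; values above 255 are invalid")


if __name__ == "__main__":
    print(route(Packet(DESTINATION, 2), PATH))   # discarded at r2
    print(traceroute(DESTINATION, PATH))         # r1, r2, r3, destination
    print(infer_initial_ttl(255))                # (255, 0): the replying device is directly adjacent
```

A reply carrying TTL=255, as in the ping output above, means the responding device used an initial value of 255 and no router in between decremented it, which is consistent with pinging a directly connected router.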

-DR

Thursday, November 26, 2020

Basics of VOIP

VOIP

Voice over internet protocol or IP telephony

VOIP technology allows us to make phone calls over the internet. Traditional telephone calls depend on the PSTN, whereas VOIP calls depend on routers, switches and the internet. VOIP calls replace the traditional analogue signal with a digital signal carried in data packets, using packet switching technology.

An IP phone is connected to a switch in the LAN. The switch transmits the digital packets to the other IP telephone through a router and the internet cloud. It uses an RJ45 connector instead of the RJ11 connector of a traditional telephone/landline.

A private branch exchange (PBX) helps with the switching of VOIP packets. It is mainly used in business/corporate environments.

It has the advantages of high-quality sound and many flexible operating options, but it still needs a high-speed internet connection.

It gives you advanced calling features, including international calling at a lower cost or free.

It works on H.323, a standard that describes a set of protocols for providing audio and visual communication over a computer network.

Illustrative IP Telephone from Cisco 

Besides the use of IP phones or VOIP phones in corporate or larger networks, you can use this technology at home as well. All you need to do is choose the right device, the right service provider and the right connectivity configuration.

Many IP phone models lack automatic security patch updates, whereas some Cisco IP phones have this feature, which can help in meeting regulatory risk compliance.

Now, the Cisco 7800 Series supports the latest encryption to help secure your voice communications.

-DR

Basics of Network Load Balancer

Basics of Network Load Balancer (NLB)

A load balancer serves as the single point of contact for clients. It distributes incoming traffic across several targets, directing requests to systems and individual servers in a network based on factors such as server processor utilization, the number of connections to a server or overall server performance. Organizations use load balancers to minimize the chance that any specific server will be overwhelmed and to enhance the bandwidth available to each computer in the network.

A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP/IP connection to the designated target on the port specified in the listener configuration.

A load balancer can be implemented as a software or hardware solution, and it is usually associated with a device such as a router or a firewall. It splits the traffic intended for a website into individual requests that are then rotated among redundant servers as they become available.

A key issue with load balancers is scheduling, that is, defining how to split up the work and distribute it across servers or devices.

Advantages
  • It has the capability to handle volatile workloads and scale to millions of requests per second.
  • Network health and Optimization.
  • Fault Tolerance
  • Cost and Performance benefit
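The scheduling question above (how to split the work across targets) and the fault-tolerance advantage are easier to see in code. The following is an added example, not code from the original post or from any load balancer product: a Layer-4 balancer for one listener that picks a target from a constructed three-server target group using round-robin, least-connections or least-CPU scheduling, skips targets that failed their health check, and returns None when no target is left. Target addresses and the strategy names are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Target:
    addr: str
    port: int
    healthy: bool = True          # result of the last health check
    active_connections: int = 0
    cpu_utilization: float = 0.0  # 0.0 .. 1.0


class NetworkLoadBalancer:
    """Layer-4 target selection for one listener (constructed example).
    On each new client connection the balancer picks a target from the target
    group; opening the TCP connection to it is represented by incrementing the
    target's active_connections."""

    def __init__(self, targets, strategy="least-connections"):
        self.targets = list(targets)
        self.strategy = strategy
        self._rotation = cycle(range(len(self.targets)))

    def select(self):
        healthy = [t for t in self.targets if t.healthy]
        if not healthy:
            return None  # every target failed health checks: nowhere to forward
        if self.strategy == "round-robin":
            while True:  # skip unhealthy slots but keep the rotation order
                t = self.targets[next(self._rotation)]
                if t.healthy:
                    return t
        if self.strategy == "least-connections":
            return min(healthy, key=lambda t: t.active_connections)
        if self.strategy == "least-cpu":
            return min(healthy, key=lambda t: t.cpu_utilization)
        raise ValueError(f"unknown strategy {self.strategy!r}")

    def accept(self):
        """Handle a new client connection; returns the chosen target (or None)."""
        t = self.select()
        if t is not None:
            t.active_connections += 1
        return t

    def release(self, target):
        """Client closed the connection."""
        target.active_connections -= 1


def make_target_group():
    # Constructed target group: three backends behind one listener on port 443.
    return [Target("10.0.0.1", 443), Target("10.0.0.2", 443), Target("10.0.0.3", 443)]


def distribute(strategy, n_connections, unhealthy=()):
    """Run n_connections through a fresh balancer; returns the chosen addresses."""
    group = make_target_group()
    for t in group:
        if t.addr in unhealthy:
            t.healthy = False  # simulate a failed health check
    lb = NetworkLoadBalancer(group, strategy)
    chosen = [lb.accept() for _ in range(n_connections)]
    return [t.addr if t else None for t in chosen]


if __name__ == "__main__":
    print(distribute("least-connections", 4))
    print(distribute("round-robin", 4, unhealthy={"10.0.0.2"}))
```

With least-connections the fourth connection wraps back to the first server because all three are now equally loaded; with round-robin the unhealthy second server is simply skipped, which is the fault tolerance listed above.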
-DR

Tuesday, November 24, 2020

Basics of UTM

Basics of UTM

Unified Threat Management

Unified threat management (UTM) is an approach to information security in which a single hardware or software product provides multiple security functions (intrusion prevention, antivirus, content filtering, etc.). It is sometimes called USM (Unified Security Management). You can review all logs in a single place rather than checking individual devices.

A UTM can provide services such as:

  • Network firewall
  • Intrusion detection
  • Intrusion prevention
  • Gateway anti-virus
  • Proxy firewall
  • Deep packet inspection
  • Web proxy and content filtering
  • Data loss prevention (DLP)
  • Security information and event management (SIEM)
  • Virtual private network (VPN)

Its all-in-one approach simplifies installation, configuration and maintenance. The disadvantages of combining everything into one include a potential single point of failure and dependence on one OEM.

UTM devices are often bundled as network security appliances that can help guard networks against combined security threats, including malware and attacks that simultaneously target distinct parts of the network.

It aims to stop attacks before they enter the network by inspecting packet headers. Generally a UTM inspects traffic in one of two ways: flow-based inspection or proxy-based inspection.
  • Flow-based inspection, or stream-based inspection, samples the data entering a UTM device and uses pattern matching to determine whether there is malicious content in the data flow.
  • Proxy-based inspection acts as a proxy to reconstruct the content entering a UTM device, then performs a full inspection of that content to search for potential security threats.
There are many vendors/OEMs offering such appliances, for example Fortinet (FortiGate), Check Point, Cisco, Sophos, SonicWall and Juniper.
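The practical difference between the two inspection modes is what happens when a malicious pattern is split across two packets. The following added example (not from the original post or any vendor's product) shows a flow-based inspector that pattern-matches each chunk as it passes and therefore misses a signature straddling a chunk boundary, a flow-based variant that carries the tail of the previous chunk forward to close that gap, and a proxy-based inspector that reassembles the whole object before matching. The signature string and the traffic chunks are constructed for the example.

```python
import re

# Constructed signature: a placeholder string standing in for a real malicious pattern.
SIGNATURE = re.compile(rb"MALICIOUS-SAMPLE-SIG")
SIGNATURE_LEN = len(b"MALICIOUS-SAMPLE-SIG")


def flow_based_inspect(chunks, signature=SIGNATURE):
    """Stream-based: match each chunk as it passes, with no reassembly.
    Returns the index of the chunk that matched, or None if nothing matched."""
    for i, chunk in enumerate(chunks):
        if signature.search(chunk):
            return i
    return None


def flow_based_inspect_with_carry(chunks, signature=SIGNATURE, carry=SIGNATURE_LEN - 1):
    """Stream-based, but keep the last `carry` bytes of the previous chunk so a
    signature that straddles a chunk boundary is still seen. `carry` must be at
    least the signature length minus one."""
    tail = b""
    for i, chunk in enumerate(chunks):
        window = tail + chunk
        if signature.search(window):
            return i
        tail = window[-carry:]
    return None


def proxy_based_inspect(chunks, signature=SIGNATURE):
    """Proxy-based: terminate the connection, reassemble the full content, inspect
    it once, then decide. Returns True when the signature is present."""
    content = b"".join(chunks)
    return signature.search(content) is not None


# Constructed traffic samples.
SPLIT_STREAM = [b"GET /file HTTP/1.1\r\n\r\n...MALICIOUS-SAM", b"PLE-SIG...rest of file"]
WHOLE_STREAM = [b"...MALICIOUS-SAMPLE-SIG..."]
CLEAN_STREAM = [b"hello ", b"world"]


if __name__ == "__main__":
    print("flow, split:  ", flow_based_inspect(SPLIT_STREAM))             # None: missed
    print("flow+carry:   ", flow_based_inspect_with_carry(SPLIT_STREAM))  # 1: caught
    print("proxy, split: ", proxy_based_inspect(SPLIT_STREAM))            # True: caught
```

The carry-over variant closes the gap for a fixed-length pattern at the cost of a small per-flow buffer; the proxy approach catches anything a full-content scanner can catch but must hold the entire object, which is why it is slower and heavier than flow-based inspection.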

-DR

Monday, November 23, 2020

Basics of Packet Filtering Firewall

Packet Filtering Firewall

A packet-filtering firewall is a type of network security firewall. It has filters that compare incoming and outgoing packets against a standard set of rules to decide whether to let them pass through. In most cases the rule set is called an access list. The access list is predefined, based on a variety of criteria. Packet filtering happens at Layer 3 and Layer 4 of the OSI model.

The common filtering options are as follows:

The source IP address of incoming packets indicates where they originated. Traffic can be approved or denied by its source IP address; for example, many unauthorized sites or botnets can be blocked based on their IP addresses.

The destination IP address is the intended location of the packet at the receiving end of a transmission.

Unicast packets have a single destination IP address and are normally intended for a single machine. Multicast or broadcast packets have a range of destination IP addresses and are usually destined for multiple machines on the network.

Rule sets can be developed to block traffic to a particular IP address on the network to reduce the load on the target machine. Such measures can also be used to block unauthorized access to highly confidential systems on internal networks.

The type of Internet protocol the packet contains: Layer 2 and Layer 3 packets include the type of protocol being used as part of their header structure.

These packets can be any of the following types:

  • Normal data-carrying IP packet
  • Message control packet (ICMP)
  • Address resolution packet (ARP)
  • Reverse Address Resolution Protocol (RARP)
  • Boot-up Protocol (BOOTP)
  • Dynamic Host Configuration Protocol (DHCP)

Filtering can be based on the protocol information that the packets carry so you can block traffic that is transmitted by a certain protocol.

Advantage:

The efficiency of packet-filtering firewalls comes from the fact that most of the work takes place at Layer 3 or lower. Packet-filtering firewalls are employed at the very periphery of an organization's secured networks.

For example, packet-filtering firewalls are highly effective in protecting against denial-of-service (DoS) attacks that aim to take down sensitive systems on internal networks.

Disadvantage:

One major disadvantage is that, because packet-filtering firewalls work at OSI Layer 3 or lower, it is impossible for them to examine application-level data.

Thus, application-specific attacks can easily get into internal networks. When an attacker spoofs network IP addresses, firewall filters are ineffective at filtering this Layer 3 information; many packet-filtering firewalls cannot detect spoofed IP or ARP addresses. The main reason for deploying packet-filtering firewalls is to protect against the most general denial-of-service attacks, not against targeted attacks.

Stateful packet-filtering firewall/Dynamic Packet Filtering

Stateful packet-filtering, or dynamic packet-filtering, systems use a more complex approach while retaining the basic abilities of packet-filtering firewalls. They work at Layer 4, and the connection pairs usually consist of four parameters:

  • Source address and port
  • Destination address and port

Stateful inspection techniques employ a dynamic memory that stores state tables of incoming and established connections. Any time an external host requests a connection to one of your internal hosts, the connection parameters are written to the state tables. As with packet-filtering firewalls, you can create rules to define whether certain packets are permitted through.

For example, a firewall rule might require dropping packets that carry port numbers higher than 1023, as most servers respond on standard ports numbered from zero to 1023.

Stateful packet-filtering firewalls are not as flexible or as robust as regular packet-filtering firewalls.

Incorporating a dynamic state table and other features into the firewall makes the architecture more complex, which directly slows the speed of operation. To users this appears as a decrease in network performance.

In addition, stateful packet-filtering firewalls cannot fully inspect higher-layer protocols and application services.
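The following added example (not from the original post) puts both halves of this post side by side: a stateless first-match access list built from the filtering options listed above (source address, destination address, protocol, destination port), and a stateful filter that wraps the same access list with a state table keyed on the four connection parameters. It uses the ">1023" rule from the example above to show the practical difference: a stateless filter drops the server's reply to an internal client (the reply arrives on a high port), while the stateful filter recognizes it as return traffic for a connection the inside host opened and lets it through, yet still drops an unsolicited inbound packet to the same port. The addresses, the access list and the packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    direction: str   # "in" = arriving from outside, "out" = leaving the internal network


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    direction: str              # "in", "out" or "any"
    src: str = "0.0.0.0/0"      # source network (CIDR)
    dst: str = "0.0.0.0/0"      # destination network (CIDR)
    proto: str = "any"
    dport: tuple = (0, 65535)   # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and self.dport[0] <= pkt.dport <= self.dport[1]
        )


def stateless_filter(pkt: Packet, access_list, default="deny") -> str:
    """Plain packet filter: first matching access-list entry wins; implicit deny at the end."""
    for rule in access_list:
        if rule.matches(pkt):
            return rule.action
    return default


class StatefulFilter:
    """Adds a state table keyed by (src, sport, dst, dport). Replies to a
    connection already in the table are permitted without consulting the ACL."""

    def __init__(self, access_list):
        self.access_list = access_list
        self.state = set()

    def filter(self, pkt: Packet) -> str:
        reverse_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "in" and reverse_key in self.state:
            return "permit"  # return traffic for a connection our side opened
        action = stateless_filter(pkt, self.access_list)
        if action == "permit":
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


# Constructed access list for an internal network 192.0.2.0/24 with a web server on .10.
ACL = [
    Rule("deny", "in", src="203.0.113.0/24"),                                  # constructed blocklist
    Rule("permit", "in", dst="192.0.2.10/32", proto="tcp", dport=(443, 443)),  # public HTTPS server
    Rule("deny", "in", dport=(1024, 65535)),                                   # the post's "> 1023" rule
    Rule("permit", "out"),                                                     # internal hosts may go out
]

# Constructed packets: an internal client opening HTTPS to an external site, and the reply.
OUTBOUND = Packet("192.0.2.50", "198.51.100.5", "tcp", 51000, 443, "out")
REPLY = Packet("198.51.100.5", "192.0.2.50", "tcp", 443, 51000, "in")
UNSOLICITED = Packet("198.51.100.9", "192.0.2.50", "tcp", 443, 51000, "in")
BLOCKLISTED = Packet("203.0.113.7", "192.0.2.10", "tcp", 40000, 443, "in")
TO_WEB_SERVER = Packet("198.51.100.5", "192.0.2.10", "tcp", 40000, 443, "in")


if __name__ == "__main__":
    print("stateless reply:", stateless_filter(REPLY, ACL))   # deny: looks like any other high-port packet
    fw = StatefulFilter(ACL)
    print("stateful out:  ", fw.filter(OUTBOUND))             # permit, state entry created
    print("stateful reply:", fw.filter(REPLY))                # permit, matched the state table
    print("unsolicited:   ", fw.filter(UNSOLICITED))          # deny, no state entry
```

Note what the stateful filter does not do: it still matches only addresses, protocol and ports, so it cannot see inside the HTTPS payload, which is the higher-layer limitation described above.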


Just a few views..

-DR

Wednesday, November 18, 2020

What to consider in Data Centre Security

Data Centre Security Requirements

A Data Centre environment is very complex and critical in nature. It is the core infrastructure, or spine, of the internet world; without data centres and high-end systems no network and no internet can be imagined. So, considering this criticality, security must be a concern in order to keep all data and information safe. Various parameters need to be considered from a security perspective, such as network security, antivirus, server security, authentication, data security, firewall services, IDS and IPS, incident response, etc.

Here I am briefly giving some basic parameters for some of the devices mentioned above.

Antivirus Security

  • The antivirus should be both host based and web based: that is, an antivirus agent is installed on all host systems, including the servers and systems inside the data centre, monitored centrally and updated from the web from time to time.
  • The antivirus must monitor all inbound and outbound data transfer mechanisms, including email scanning.
  • It should have both offline and online scanning features.
  • It should manage its own patching, meaning timely updates to the virus engine and signature files.
  • It should allow rule-based detection of unknown viruses.
  • It should support safe-payment and anti-tracking protection.

Host Server Security

  • It should have strong access control lists so that it can restrict unauthorized access.
  • The server must be able to prevent attackers with root access from shutting down the system remotely.
  • Disable unnecessary protocols and ports.
  • Disable default user accounts.
  • The server should have a super-admin user right.
  • Server-side encryption should be in place.

Network Security

  • There should be a login banner at login time with notes and important precautionary messages.
  • It should restrict unauthorized traffic by implementing network traffic filters, a firewall and access control lists.
  • There should be controls to ensure the integrity and confidentiality of the domains and data.
  • There should be network-based intrusion detection tools.
  • A virtual private network must be used by every employee working onsite and by remote-site support staff.
  • There should be strong Secure Socket Layer (SSL) and strong encryption techniques for network access from public networks.
  • There should be real-time monitoring of all systems and network devices to detect potential security violations.
  • Monitor all device logs and retain them for future forensic investigation. All log information should be kept secure and confidential.
  • A host-based Intrusion Prevention System (IPS) should be in place to detect attacks, protect operating systems and applications, and raise an alarm whenever an exploitation occurs in the network.

Identity, Authorization

  • All users should be identified and authorized by the system.
  • An access control list must exist and must be reviewed from time to time.
  • There should be effective password management.
  • For web-based applications the cookies should be encrypted so that no man in the middle can compromise them.
  • Policy information should be stored directly in LDAP.

The above parameters are just for understanding some basic security points; they may not cover all the expected requirements, as security is very deep in nature, so the security layers for a Data Centre can be designed depending on the network and application. Many security devices are covered in detail in this blog; please refer to those posts to know more about them.

If you have any suggestions, please provide them in the comments below. Do follow and share if you like the contents.

-DR


Tuesday, November 17, 2020

Basics of Data Centre

Data Centre (DC)

A data centre is a physical facility that organizations use to host their critical applications and store data. It is built to achieve the business goals of an organization.

A traditional DC consists of core routers and switches. The common infrastructure of the data centre broadly includes:

  • Active/Passive Infrastructure
  • Compute Infrastructure
  • Storage Infrastructure
  • Network & Security Infrastructure

A data centre's design is based on both IT and non-IT assets. Among the IT assets are many network devices, security devices, servers and storage solutions that enable the delivery of shared applications. These include PCs, routers, switches, firewalls, storage systems, servers and application-delivery controllers.

Basic IT Systems:

  • Compute System - Rack Servers, Blade Servers.
  • Network System - Router, Spine Switches, Leaf Switches, Management Switches, Link Load Balancer, SDN Controller.
  • Storage System - SAN Switches, Enterprise Storage, Tape Library.
  • Cyber Security System - Next Generation Firewall, AAA, DDoS, Anti-APT, DLP, Vulnerability Solution.
  • Endpoint Security - Antivirus, HIPS, E-mail & Spam Protection.
  • VM Based Licenses - Cloud Management & Orchestration, Enterprise Management System.
  • Licenses - Windows, MS Office, Oracle DB, MS SQL, MySQL, RHEL, PostgreSQL.

Besides the above there are many non-IT devices which play a vital role in the operation of a DC. Non-IT assets are: transformers, BBT (Bus Bar Tracking), diesel generator, power cabling, UPS, PAC (cooling system and piping), fire suppression, smoke detection, humidity and temperature sensors, PA system, CCTV, rodent repellent, access control, passive structured cabling, DCIM, BMS systems, fire-rated walls, raised floor, false ceiling, water sprinkler system, etc.

The commonly used standard for the infrastructure design of a DC is ANSI/TIA-942. Along with this, DC design is distinguished into four tiers (T-I, T-II, T-III and T-IV).

Image Source: Nexcess, Google

General Attributes of a DC:
  • Highly software-centric.
  • Highly virtualized across compute, networking and storage elements.
  • Appropriate context of users, applications, devices, locations, virtual machines, network attributes, advanced infrastructure needs, security and audit, and performance management.
  • Adaptable and extensible through modular software and hardware components.
  • Service-oriented architecture (SOA).
  • Agile components.
  • ITIL and ISO/IEC standard processes.

Security posture of a DC:
  • AAA
  • Access control
  • Secure and encrypted data handling
  • Resistance against attacks
  • Strong authentication between components that interact
  • Physical security deployment
  • Perimeter security configuration
There should be defined service levels for DC operation, agreed with the facility manager or customer for whom the service is being provided, in the form of a standard service level agreement (SLA).

The SLA can be segregated into multiple parameters such as:
  • Performance related Service level
  • IT infrastructure related service level
  • Virtual Infrastructure related Service level
  • Security and Incident Management related service level
  • Helpdesk support services
  • Manpower related service level
  • Compliance & MIS reporting related service level
  • Civil major and minor Works 
For performance-related service levels, we can measure and ensure the required DC uptime as per the tier standard. We can monitor server availability, storage availability, network device availability, etc.

Further, these can be measured using an EMS tool (Enterprise Management System) or an NMS (Network Management System).
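As an added illustration of the uptime measurement described above (not code from the original post or from any EMS/NMS product), the following computes monthly availability per service from a constructed outage log and checks it against a tier target. Overlapping outage windows are merged first so that two concurrent incidents are not counted twice. The tier availability percentages in the code are the commonly cited Uptime Institute figures, stated here as an assumption because the post itself does not list them; the outage records and service names are made up.

```python
from datetime import datetime

# Commonly cited tier availability targets in percent (assumption: not stated in the post).
TIER_TARGETS = {"T-I": 99.671, "T-II": 99.741, "T-III": 99.982, "T-IV": 99.995}


def merge_intervals(intervals):
    """Merge overlapping (start, end) outage windows so concurrent incidents
    are counted once. Returns a sorted list of disjoint windows."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def availability_pct(outages, period_start, period_end):
    """Availability over the period as a percentage, rounded to 3 decimals."""
    total = (period_end - period_start).total_seconds()
    down = sum((e - s).total_seconds() for s, e in merge_intervals(outages))
    return round(100.0 * (total - down) / total, 3)


def sla_report(outages_by_service, period_start, period_end, tier):
    """Per service: (availability %, met_target) against the tier's target."""
    target = TIER_TARGETS[tier]
    return {
        service: (availability_pct(outages, period_start, period_end),
                  availability_pct(outages, period_start, period_end) >= target)
        for service, outages in outages_by_service.items()
    }


# Constructed outage log for November 2020 (30 days).
PERIOD_START = datetime(2020, 11, 1)
PERIOD_END = datetime(2020, 12, 1)
OUTAGES = {
    "server": [],
    "storage": [(datetime(2020, 11, 12, 2, 0), datetime(2020, 11, 12, 2, 5))],   # 5 min
    "network": [(datetime(2020, 11, 5, 10, 0), datetime(2020, 11, 5, 10, 30)),   # two overlapping
                (datetime(2020, 11, 5, 10, 20), datetime(2020, 11, 5, 10, 50))],  # incidents, 50 min total
}


if __name__ == "__main__":
    for service, (pct, ok) in sla_report(OUTAGES, PERIOD_START, PERIOD_END, "T-III").items():
        print(f"{service:8s} {pct:8.3f}%  {'meets' if ok else 'MISSES'} T-III target")
```

Fifty minutes of network downtime in a month already falls short of the T-III figure, which illustrates how little margin the higher tiers leave and why outage windows must be recorded precisely.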

There are large data centres around the globe, starting from 1000 racks and going up. Such DC service providers include Yotta, Web Werks, NTT, Nxtra, etc.

For example, according to the Hiranandani Group (Yotta), the Yotta NM1 DC itself offers a highly scalable data centre infrastructure, capable of hosting global cloud, content and OTT operators, besides mission-critical applications of enterprises and governments.

Its first hyper-scale data centre park is under construction and will be spread across 20 acres; it will host six data centre buildings with a capacity of 30,000 racks and offer 250 MW of total power. This will become Asia's largest DC.



-DR



Thursday, November 12, 2020

Basics of IPS

IPS

Intrusion Prevention System

An IPS is a network security tool/device that can not only detect intruders but also prevent them from successfully launching any known attack. Intrusion prevention systems combine the abilities of firewalls and intrusion detection systems. However, implementing an IPS at an effective scale can be costly, so businesses should carefully assess their IT risks before making the investment.

An IPS is not as fast or as robust as a firewall or IDS, so an IPS might not be a suitable solution when speed is an absolute requirement.

One key distinction to make is between intrusion prevention and active response. An active response device dynamically reconfigures or alters network or system access controls, session streams or individual packets based on triggers from packet inspection and other detection devices. Active response happens after the event has occurred; thus, a single-packet attack will succeed on the first attempt but will be blocked in future attempts. For example, a DDoS attack will succeed with its first packets but will be blocked afterwards. While active response devices are beneficial, this one aspect makes them unsuitable as an overall solution. Network intrusion prevention devices, on the other hand, are typically inline devices on the network that inspect packets and make decisions before forwarding them to the destination.

This type of device has the ability to defend against single packet attacks on the first attempt by blocking or modifying the attack inline. 

Most importantly, an IPS must perform packet inspection and analysis at wire speed. Intrusion prevention systems should perform detailed packet inspection to detect intrusions, including application-layer and zero-day attacks.

System or host intrusion prevention devices are likewise inline, at the operating system level. They have the capability to intercept system calls, file, memory and process operations, and other system functions to prevent attacks. There are several intrusion prevention technologies, including the following:

System memory and process protection: 

This type of intrusion prevention strategy exists at the system level. Memory protection consists of a mechanism to prevent a process from corrupting the memory of another process running on the same system. Process protection consists of a mechanism for monitoring process execution, with the ability to kill processes that are suspected of being attacks.

Inline network devices: 

This type of intrusion prevention approach places a network device directly in the path of network communications with the capability to modify and block attack packets as they traverse the device’s interfaces. It acts much like a router or firewall combined with the signature-matching capabilities of an IDS. The detection and response happens in real time before the packet is passed on to the destination network.

Session sniping: 

This type of intrusion prevention strategy terminates a TCP session by sending a TCP RST packet to both ends of the connection. When an attempted attack is detected, the TCP RST is sent and the attempted exploit is flushed from the buffers and thus prevented. Note that the TCP RST packets must have the correct sequence and acknowledgement numbers to be effective.

System identification is another concern when deploying active response IPSs that use session sniping. When systems terminate sessions with RST packets, an attacker might be able to discover not only that an IPS is involved but also the type of underlying system, since readily available passive operating system identification tools examine packets to determine the underlying operating system.

A TCP RST, or TCP reset, is sent when an unexpected TCP packet arrives at a host: the host usually responds by sending a reset packet back on the same connection. A reset packet is simply one with no payload and with the RST bit set in the TCP header flags.

Gateway interaction devices: 

This type of intrusion prevention strategy allows a detection device to dynamically interact with network gateway devices such as routers or firewalls. When an attempted attack is detected, the detection device can direct the router or firewall to block the attack.

There are several risks when deploying intrusion prevention technologies. Most notable is the recurring issue of false positives in today's intrusion detection systems. On some occasions, legitimate traffic will display characteristics similar to malicious traffic. This could be anything from inadvertently identical signatures to uncharacteristically high traffic volume. Even a finely tuned IDS can present false positives when this occurs. When intrusion prevention is involved, false positives can create a denial-of-service (DoS) condition for legitimate traffic. Attackers who control or suspect the use of intrusion prevention methods can deliberately create a DoS against legitimate networks and sources by sending attacks with spoofed source IP addresses. A simple mitigation for some DoS conditions is to use a whitelisting policy.

Another risk with active response IPSs involves gateway interaction timing and race conditions. In this scenario, a detection device directs a router or firewall to block the attempted attack. However, because of network latency, the attack has already passed the gateway device before it receives this direction from the detection device. A similar situation could occur with a scenario that creates a race condition on the gateway device itself between the attack and the response. 

When positioning an IPS, you should carefully monitor and tune your systems and be aware of the risks involved. You must also have an in-depth understanding of your network, its traffic, and both its normal and abnormal characteristics. It is always recommended to run IPS and active response technologies in test mode for a while to thoroughly understand their behaviour.
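The two risk mitigations discussed above, a whitelisting policy against spoofed-source DoS and running in test mode first, and the inline "decide before forwarding" property, can all be shown in one small model. This is an added example, not code from the original post or from any IPS product: an inline inspector with a constructed signature set that drops a matching packet on the first attempt, adds the source to an automatic block list only if it is not on the allowlist (so a forged trusted address cannot get the real trusted host blocked), and in test mode logs detections without dropping anything. The signatures, addresses and packets are made up.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed signatures, stand-ins for a real IPS rule set.
SIGNATURES = {
    "sample-long-run": re.compile(rb"A{200,}"),          # e.g. an overlong field
    "sample-sqli": re.compile(rb"(?i)union\s+select"),  # e.g. an injection pattern
}


class InlineIPS:
    """Inline inspection: the verdict is produced before the packet is forwarded,
    so even a single-packet attack is stopped on the first attempt.

    mode="test" detects and logs but never drops (the post's advice to run in
    test mode first). The allowlist keeps trusted sources out of the automatic
    block list, so an attacker spoofing a trusted address cannot get it blocked."""

    def __init__(self, allowlist=(), mode="block"):
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.mode = mode
        self.blocked_sources = set()
        self.events = []  # (signature, src, dst) for every detection

    def _trusted(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowlist)

    def inspect(self, pkt):
        """Return "forward" or "drop" for one packet."""
        if pkt.src in self.blocked_sources:
            return "drop"
        for name, sig in SIGNATURES.items():
            if sig.search(pkt.payload):
                self.events.append((name, pkt.src, pkt.dst))
                if self.mode == "test":
                    return "forward"        # detect only
                if not self._trusted(pkt.src):
                    self.blocked_sources.add(pkt.src)
                return "drop"               # the matching packet itself never passes
        return "forward"


# Constructed traffic. 192.0.2.0/24 is the trusted internal network.
ATTACK = Packet("198.51.100.7", "192.0.2.10", b"A" * 300)
LATER_FROM_ATTACKER = Packet("198.51.100.7", "192.0.2.10", b"GET /index.html")
SPOOFED = Packet("192.0.2.5", "192.0.2.10", b"A" * 300)           # forged trusted source
LATER_FROM_TRUSTED = Packet("192.0.2.5", "192.0.2.10", b"GET /index.html")


def demo(mode="block"):
    """Run the constructed packets through a fresh IPS; returns the verdicts in order."""
    ips = InlineIPS(allowlist=["192.0.2.0/24"], mode=mode)
    packets = [ATTACK, LATER_FROM_ATTACKER, SPOOFED, LATER_FROM_TRUSTED]
    return [ips.inspect(p) for p in packets], ips


if __name__ == "__main__":
    verdicts, ips = demo()
    print(verdicts)               # ['drop', 'drop', 'drop', 'forward']
    print(ips.blocked_sources)    # {'198.51.100.7'}: the spoofed trusted address is not blocked
    print(demo("test")[0])        # all forwarded, but detections are still logged
```

The third verdict still drops the spoofed packet (it matched a signature), but the fourth shows the point of the allowlist: the genuine trusted host keeps working. Without the allowlist check the spoofed packet would have added 192.0.2.5 to the block list and created exactly the self-inflicted DoS the post warns about.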


-DR


Basics of IDS

IDS

Intrusion Detection System

An IDS improves cybersecurity by recognizing a hacker or malicious software on a network so the organization can remove it promptly to prevent a breach, incident or other problem, and use the data logged about the event to defend better against similar intrusions in the future.

Investing in an IDS that enables you to respond to attacks quickly can be far less costly than rectifying the damage from an attack and dealing with the subsequent legal issues.

From time to time, attackers will manage to compromise other security measures, such as cryptography, firewalls and so on. It is crucial that information about these compromises flows immediately to administrators, which can be easily accomplished using an intrusion detection system.

Deploying an IDS can also help administrators proactively identify vulnerabilities or exploits that a potential attacker could take advantage of. IDSs come in the following forms:

Network intrusion detection system (NIDS)

Host-based intrusion detection system (HIDS)

Perimeter Intrusion Detection System (PIDS)

VM based Intrusion Detection System (VMIDS)

Host-based intrusion detection systems

Host-based IDSs are designed to monitor, detect and respond to activity and attacks on a given host. In most cases, attackers target specific systems on corporate networks that hold confidential information. They will often try to install scanning programs and exploit other vulnerabilities that can record user activity on a particular host. Some host-based IDS tools provide policy management, statistical analytics and data forensics at the host level.

Host-based IDSs are best used when an intruder tries to access particular files or other services that reside on the host computer. Because attackers mainly focus on operating system vulnerabilities to break into hosts, in most cases the host-based IDS is integrated into the operating system that the host is running.

Network-based intrusion detection systems

Network-based IDSs capture network traffic to detect intruders. Most often, these systems work as packet sniffers that read through incoming traffic and use specific metrics to assess whether a network has been compromised. Various internet and other proprietary protocols that handle messages between external and internal networks, such as TCP/IP, NetBEUI and XNS, are vulnerable to attack and require additional ways to detect malicious events. Frequently, intrusion detection systems have difficulty working with encrypted information and traffic from virtual private networks. Speeds over 1 Gbps are also a constraining factor, although modern and costly network-based IDSs have the capability to work above this speed.

Cooperative agents are one of the most important components of a distributed intrusion detection architecture. An agent is an autonomous or semi-autonomous piece of software that runs in the background and performs useful tasks on behalf of another. Relative to IDSs, an agent is generally a piece of software that senses intrusions locally and reports attack information to central analysis servers. The cooperative agents can form a network amongst themselves for data transmission and processing. The use of multiple agents across a network allows a broader view of the network than might be possible with a single IDS or centralized IDSs.
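The "broader view" that cooperative agents give is easiest to see with a sweep that touches every host lightly. The following added example (not from the original post or any IDS product) models per-host agents that count connection attempts locally and report each one to a central analysis server; no single agent reaches its local threshold, but the server, correlating reports across agents, sees one source touching ten distinct host/port targets and raises the alert. Thresholds, host addresses and the event log are constructed for the example.

```python
from collections import defaultdict

PER_HOST_THRESHOLD = 5   # an agent alerts on its own once a source probes it this many times
NETWORK_THRESHOLD = 8    # the central server alerts once a source touches this many (host, port) targets


class CentralAnalysisServer:
    """Collects agent reports and correlates them across hosts."""

    def __init__(self):
        self.reports = []
        self.by_source = defaultdict(set)   # src -> set of (host, dport) it touched

    def report(self, host, src, dport, local_alert):
        self.reports.append((host, src, dport, local_alert))
        self.by_source[src].add((host, dport))

    def correlated_alerts(self):
        """Sources whose activity is only suspicious in the aggregate: {src: targets}."""
        return {src: len(targets) for src, targets in self.by_source.items()
                if len(targets) >= NETWORK_THRESHOLD}


class Agent:
    """Runs on one host: senses local connection attempts and reports upstream."""

    def __init__(self, host, server):
        self.host = host
        self.server = server
        self.counts = defaultdict(int)      # src -> attempts seen on this host

    def observe(self, src, dport):
        self.counts[src] += 1
        local_alert = self.counts[src] >= PER_HOST_THRESHOLD
        self.server.report(self.host, src, dport, local_alert)
        return local_alert


def replay(events):
    """events: list of (host, src, dport). Returns (local_alerts, correlated_alerts)."""
    server = CentralAnalysisServer()
    agents = {}
    local_alerts = []
    for host, src, dport in events:
        agent = agents.setdefault(host, Agent(host, server))
        if agent.observe(src, dport):
            local_alerts.append((host, src))
    return local_alerts, server.correlated_alerts()


# Constructed event logs.
# A sweep: one source probes two ports on each of five hosts (two attempts per host).
SWEEP = [(f"10.0.0.{h}", "198.51.100.23", port) for h in range(1, 6) for port in (22, 445)]
# A brute-force style burst against a single host, which the local agent catches by itself.
SINGLE_HOST = [("10.0.0.1", "203.0.113.9", 22)] * 5


if __name__ == "__main__":
    print(replay(SWEEP))         # ([], {'198.51.100.23': 10}): only the central view sees it
    print(replay(SINGLE_HOST))   # ([('10.0.0.1', '203.0.113.9')], {}): local agent alerts
```

Each agent alone would have logged two harmless-looking attempts and moved on; the central server is what turns ten such reports into one event, which is the value of the distributed architecture described above.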

Perimeter intrusion detection system

A perimeter intrusion detection system is a device or sensor that detects the presence of an intruder attempting to breach the physical perimeter of a property, building or other secured area. A PIDS is typically deployed as part of an overall security system and is often found in high-security environments like airports, military bases, power plants, nuclear plants, etc.


-DR



Network Scanning Tools

Network Scanning through Nmap and Nessus Network scanning is a process used to troubleshoot active devices on a network for vulnerabilities....