Authentication and Access Control

Yes, communication and accessing the information you need is all good, but knowing exactly who is at the other end of the connection is vital. This means you need ways to confirm that the person or computer at the other end of the connection is really supposed to be accessing the resource it's trying to reach, and even whether the resources or entities that you're contacting are really who and what they appear to be. If you don't have network security firmly in place, you're flying dangerously blind--you could be inadvertently exposing critical data to people who have no right to see that information and may even intend to exploit it in a big way! So, on this blog, we'll focus on some very important pieces of the security puzzle; two of the first things on our list are security filtering and user authentication.

Security Filtering

How do we know who's really at the other end of our connections? The answer may seem simple enough because the computer or person on the other end has to identify him/her/itself, right? Wrong! That's just not good enough, because people--especially hackers--lie, so it's totally naive to assume that the person or computer on the other end of the line is who they're claiming to be. Hackers use the many tools out there today with the precise goal of convincing us they're someone else, and way too many of us have been, or know of someone who has been, a victim of identity theft thanks to bad guys with the right spoofing software in hand.

This means it's imperative to control who or what can get into our network by identifying the specific computers and individuals who have the right to gain access to it and its resources. But how do we do this? Well, for starters, we're going to cover some basic ways to safely allow the computers you want to have access into your network, plus ways to keep out the ones you don't.

The first line of defense is something called security filtering, which broadly refers to ways to let people securely access your resources. This process is twofold: ensuring that only authorized computers get to enter your network, and making sure the data you're sending back and forth between networks is secured so it can't be intercepted and read by bad guys.

Access Control Lists (ACLs)

It's rare to find a network these days that isn't connected to the Internet. The Internet is clearly a public network that anyone can connect to, but your company's or personal network is, and should definitely be, a private one. The catch here is that every time you connect to the Internet (where everyone is welcome) from a private network, you're instantly vulnerable to security break-ins. This is where something we call a firewall comes into play. Firewalls are basically tools that you can implement to prevent unauthorized users roaming around on public networks from gaining access to your private network. The rules a firewall or router uses to make those permit-or-deny decisions are called access control lists (ACLs).

You can create a wide array of ACLs, from the very simple to the highly complex, depending on exactly what you want them to do for you. One example is placing separate inbound and outbound ACLs on a router to ensure that the data that's leaving your network comes from a different source than the data that's coming into it.

When configuring ACLs between the Internet and your private network to mitigate security problems, it's a good idea to include these four conditions:

1. Deny any addresses from your internal networks.

2. Deny any local host addresses (127.0.0.0/8).

3. Deny any reserved private addresses.

4. Deny any addresses in the IP multicast address range (224.0.0.0/4).

None of these addresses should ever be allowed to enter your internetwork from the Internet. Interestingly enough, because of the way public IP addresses are issued, with some research you can create a filter that blocks a country, state, or even locale based on IP addresses!

Most of the time, it's wise to configure ACLs so that they'll allow or deny access based on the IP address of the source or destination device. If your network is running a protocol other than Transmission Control Protocol/Internet Protocol (TCP/IP), you can filter traffic based on a Media Access Control (MAC), or hardware, address instead of an IP address. You can still use a MAC address-based ACL if you're running TCP/IP, but keep in mind that it's a lot easier to deal with IP addresses than MAC addresses. Another point to remember is that even though most firewalls and routers will allow you to create both IP-based and MAC-based ACLs, doing both can create an exceptionally ugly situation where access is denied when it really shouldn't be.

Port Filtering

ACLs can also be used to filter based on port numbers as well as IP addresses. In fact, most firewalls default to allowing only the open ports that you specify. This is another version of the implicit deny (anything not specifically allowed is denied). When managing a firewall, it's important to know the port numbers of all the traffic that needs to be allowed through it. This means that for some of your applications, you will need to look up and learn the port numbers being used. This also explains why it's a big deal to know the port numbers of security protocols like SSL and IPSec. Successful firewall management involves being aware of, and allowing only, the ports needed to keep things running.
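To make the four conditions and the implicit deny concrete, here is a small ACL evaluator I wrote in Python for this post; it is an added illustration, not code from the original article or from any router vendor. The address ranges are constructed for the example: 203.0.113.0/24 plays the role of the company's own public block, 203.0.113.10 is its web server, and 198.51.100.7 is an unrelated host out on the Internet. The same evaluator also shows the port-filtering idea from the paragraph above: only the ports deliberately opened get through, and a packet to any port that was never listed falls to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for this example: 203.0.113.0/24 stands in for the
# company's own public block, 198.51.100.0/24 for unrelated Internet hosts.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
WEB_SERVER = ipaddress.ip_network("203.0.113.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network      # source address range
    dst: ipaddress.IPv4Network      # destination address range
    proto: str = "any"              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None     # destination port; None matches any port
    note: str = ""                  # why the entry exists (useful in logs)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def anti_spoof_entries(internal_nets: List[ipaddress.IPv4Network]) -> List[AclEntry]:
    """The four deny conditions for an inbound ACL on the Internet-facing interface."""
    entries = [AclEntry("deny", net, ANY, note="1. our own internal addresses")
               for net in internal_nets]
    entries.append(AclEntry("deny", ipaddress.ip_network("127.0.0.0/8"), ANY,
                            note="2. local host addresses"))
    for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        entries.append(AclEntry("deny", ipaddress.ip_network(net), ANY,
                                note="3. reserved private addresses"))
    entries.append(AclEntry("deny", ipaddress.ip_network("224.0.0.0/4"), ANY,
                            note="4. IP multicast range"))
    return entries


def matches(entry: AclEntry, pkt: Packet) -> bool:
    """True when every field of the entry covers the packet."""
    if ipaddress.ip_address(pkt.src) not in entry.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in entry.dst:
        return False
    if entry.proto != "any" and entry.proto != pkt.proto:
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, str]:
    """Entries are checked top to bottom and the first match wins; a packet
    that matches nothing is dropped, which is the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action, entry.note
    return "deny", "implicit deny (no entry matched)"


# Inbound ACL: anti-spoofing denies first, then only the ports we deliberately
# open; everything else, including any port we never listed, is dropped.
INBOUND_ACL = anti_spoof_entries(INTERNAL_NETS) + [
    AclEntry("permit", ANY, WEB_SERVER, "tcp", 443, note="public HTTPS on the web server"),
    AclEntry("permit", ANY, WEB_SERVER, "tcp", 80, note="public HTTP on the web server"),
]

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "203.0.113.10", "tcp", 443),    # spoofed internal source
        Packet("127.0.0.1", "203.0.113.10", "tcp", 443),      # loopback source
        Packet("192.168.1.20", "203.0.113.10", "tcp", 443),   # private source
        Packet("224.0.0.5", "203.0.113.10", "udp", 443),      # multicast source
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # real client to HTTPS
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),    # telnet: never opened
    ]
    for p in samples:
        action, why = evaluate(INBOUND_ACL, p)
        print(f"{p.src:>14} -> {p.dst}:{p.dport}/{p.proto}  {action:6} ({why})")
```

Order matters on a real router exactly as it does here: the anti-spoofing denies sit above the permits so a packet with a forged internal source never reaches the rule that opens port 443, and the telnet packet shows that a permit for one port says nothing about the others.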

Tunneling

Just thinking about the huge amount of sensitive data bouncing all over the Internet 24/7 makes me want to scream the word security! It's seriously clear that we need it almost as much as air. Most of that data is sent out over the Internet without any encryption or security at all; the really sensitive stuff, at least, should be sent via one of the several security protocols available today. These vital protocols are really sets of conditions or rules that define how a secure connection is maintained when we send sensitive data through an insecure medium like the Internet or a wireless connection. The first is a concept called tunneling, which basically means encapsulating one protocol within another to ensure that a transmission is secure. Here's an example: most of us use IP, which in this context is known as the payload protocol, and it can be encapsulated within a delivery protocol like Internet Protocol Security (IPSec). If you took a look at these packets individually, you would see that they're encrypted. If you look at the process as a whole, it appears that a point-to-point tunnel has been created across the Internet.
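Here is a small Python sketch, added for this post and not taken from the original article or from any IPsec implementation, of what "encapsulating one protocol within another" looks like in IPsec tunnel mode: the whole inner IP packet, private addresses and all, becomes the encrypted payload of a new outer packet that travels between the two VPN gateways, so anyone watching on the Internet sees only the gateways' addresses and IP protocol number 50 (ESP). The keys, the addresses, and the SHA-256 counter-mode keystream that stands in for ESP's real cipher are all constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict

# Constructed keys for this example only; a real IPsec SA gets its keys from IKE.
ENC_KEY = b"constructed-encryption-key-for-demo"
MAC_KEY = b"constructed-integrity-key-for-demo!"
ESP_PROTO = 50                               # IP protocol number of ESP
IP_HDR = struct.Struct("!BBHHHBBH4s4s")      # minimal 20-byte IPv4 header


def _a(addr: str) -> bytes:
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: no options, checksum left zero for brevity."""
    total = IP_HDR.size + len(payload)
    return IP_HDR.pack(0x45, 0, total, 0, 0, 64, proto, 0, _a(src), _a(dst)) + payload


def parse_ipv4(pkt: bytes) -> Dict[str, object]:
    """Read back the fields an observer on the wire can see."""
    f = IP_HDR.unpack_from(pkt)
    return {"src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])),
            "proto": f[6], "payload": pkt[IP_HDR.size:f[2]]}


def _keystream(spi: int, seq: int, n: int) -> bytes:
    """Counter-mode keystream from SHA-256; a stand-in for ESP's real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(ENC_KEY + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(inner: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Sending gateway: the entire inner packet becomes ESP payload of an outer packet."""
    esp_hdr = struct.pack("!II", spi, seq)                 # SPI and sequence number
    ct = _xor(inner, _keystream(spi, seq, len(inner)))     # encrypt inner packet
    icv = hmac.new(MAC_KEY, esp_hdr + ct, hashlib.sha256).digest()[:16]  # integrity tag
    return build_ipv4(gw_src, gw_dst, ESP_PROTO, esp_hdr + ct + icv)


def decapsulate(outer: bytes) -> bytes:
    """Receiving gateway: verify integrity first, then decrypt and release the inner packet."""
    esp = parse_ipv4(outer)["payload"]
    esp_hdr, ct, icv = esp[:8], esp[8:-16], esp[-16:]
    expect = hmac.new(MAC_KEY, esp_hdr + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ESP integrity check failed: packet dropped")
    spi, seq = struct.unpack("!II", esp_hdr)
    return _xor(ct, _keystream(spi, seq, len(ct)))


def is_accepted(outer: bytes) -> bool:
    """True when the receiving gateway would accept and decrypt the packet."""
    try:
        decapsulate(outer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed traffic: a host on the Mumbai LAN talks to a server on the Bangalore LAN.
    inner = build_ipv4("192.168.1.20", "192.168.2.30", 6, b"GET / HTTP/1.1\r\n")
    outer = encapsulate(inner, 0x1000, 1, "203.0.113.1", "198.51.100.1")
    print("on the Internet you see:", {k: v for k, v in parse_ipv4(outer).items() if k != "payload"})
    print("after the far gateway:  ", {k: v for k, v in parse_ipv4(decapsulate(outer)).items() if k != "payload"})
```

The integrity tag is checked before anything is decrypted, which is also the order real ESP uses: a packet that has been altered in transit is dropped at the gateway, and the private addresses inside never appear on the public network in the clear.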

Virtual Private Network (VPN)

No worries--VPNs aren't really that hard to understand. A VPN fits somewhere between a LAN and a WAN, and it often seems just like a WAN link because your computer, on one LAN, connects to a different, remote LAN and uses its resources remotely. The key difference with VPNs is a big one--security! So the definition of connecting a LAN (or VLAN) to a WAN may sound the same, but a VPN is much more.

Here's the difference: A typical WAN connects two or more remote LANs together using someone else's network (say, your Internet service provider's, or ISP's) and a router. Your local host and router see these networks as remote networks and not as local networks or local resources. This would be a WAN in its most general definition. A VPN actually makes your local host part of the remote network by using the WAN link that connects you to the remote LAN. The VPN will make your host appear as though it's actually local on the remote network! This means that we now have access to the remote LAN's resources, and that access is very secure.

For a simple VPN example, let's use my home office in Mumbai, India. Here, I have my personal host, but I want it to appear as if it's on a LAN in my corporate office in Bangalore, India, so I can get to my remote servers. A VPN is the solution I use for this because I need the security it provides.






