Friday, November 11, 2011

What is the difference between TACACS+ and RADIUS?

TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). Some administrators recommend using TACACS+ because TCP is seen as a more reliable protocol. Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the two operations.


RADIUS                                            | TACACS+
--------------------------------------------------|----------------------------------------------------------
Combines authentication & authorization.          | Separates all 3 elements of AAA, making it more flexible.
Encrypts only the password.                       | Encrypts the username and password.
Requires each network device to contain the       | Central management for authorization configuration.
authorization configuration.                      |
No command logging.                               | Full command logging.
Minimal vendor support for authorization.         | Supported by most major vendors.
UDP - connectionless;                             | TCP - connection oriented;
UDP ports 1645/1646, 1812/1813.                   | TCP port 49.
Designed for subscriber AAA.                      | Designed for administrator AAA.


Many vendors support the TACACS+ protocol, including Adtran, Alcatel/Lucent, Aruba,
Brocade/Foundry, Cisco/Linksys, Ericsson/Redback, Extreme, Fortinet, Fujitsu, HP/3Com,
Huawei, Juniper/Netscreen, Netgear, Nortel, and others.
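The "encrypts only the password" versus "encrypts the username and password" rows above can be checked directly. The example below is added here and is not from the original post: it implements the RFC 2865 User-Password hiding that RADIUS applies to that single attribute, and the RFC 8907 body obfuscation that TACACS+ applies to the whole packet body, then builds a constructed attribute list and a simplified TACACS+ body (the real START body has more fields) to see which values stay readable on the wire. The secret, authenticator and session id are constructed values.

```python
import hashlib
import struct

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def radius_hide(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 User-Password hiding: block i is XORed with MD5(secret + block i-1),
    seeded by the Request Authenticator. Only this one attribute is obscured."""
    password += b"\x00" * (-len(password) % 16)   # pad to a multiple of 16 bytes
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        prev = _xor(password[i:i + 16], _md5(secret, prev))
        out += prev
    return out

def radius_unhide(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], _md5(secret, prev))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """RFC 8907 body obfuscation: the whole body is XORed with a pseudo-pad of chained
    MD5(session_id, key, version, seq_no[, previous chunk]). Applying it twice restores the body."""
    sid, vs, pad, chunk = struct.pack("!I", session_id), bytes([version, seq_no]), b"", b""
    while len(pad) < len(body):
        chunk = _md5(sid, key, vs, chunk)
        pad += chunk
    return _xor(body, pad)

def demo() -> dict:
    secret, ra = b"shared-secret", bytes(range(16))   # constructed secret and Request Authenticator
    user, pwd, sid = b"alice", b"s3cret!", 0x12345678
    hidden = radius_hide(secret, ra, pwd)
    # RADIUS Access-Request attributes: User-Name (type 1) in clear, User-Password (type 2) hidden
    radius_attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    # TACACS+: a simplified body holding user and password, obfuscated as one unit
    tacacs_body = tacacs_obfuscate(secret, sid, 0xC0, 1, user + b"\x00" + pwd)
    return {
        "radius_user_visible": user in radius_attrs,
        "radius_pwd_visible": pwd in radius_attrs,
        "tacacs_user_visible": user in tacacs_body,
        "radius_roundtrip": radius_unhide(secret, ra, hidden) == pwd,
        "tacacs_roundtrip": tacacs_obfuscate(secret, sid, 0xC0, 1, tacacs_body) == user + b"\x00" + pwd,
    }
```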

Thursday, November 10, 2011

PFS in IPsec VPN

PFS - Perfect Forward Secrecy
Both sides of the VPN must be able to support PFS in order for PFS to work.
When PFS is turned on, for every negotiation of a new phase 2 SA the two gateways must generate a new set of phase 1 keys.
This is the extra layer of protection that PFS adds: it ensures that once the phase 2 SAs have expired, the keys used for the new phase 2 SAs have not been generated from the current phase 1 keying material.
If PFS is not turned on, the keying material already established at phase 1 is used again to generate the phase 2 SAs.
Using PFS therefore provides a more secure VPN connection.

Using PFS does have a drawback, though: it requires more processing power, and phase 1 and phase 2 take slightly longer to complete.
PFS is generally described in terms of session keys. A session key is a key created only for a particular session; when the session is brought down, the key is destroyed and not used again. The next time a session is initiated, a new and completely different session key is created.
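The following is an added example, not from the original post, that models what the paragraphs above describe: phase 2 key material derived only from the phase 1 keying material plus values sent on the wire, versus phase 2 key material that also mixes in a fresh Diffie-Hellman secret. The toy DH group (a known prime, 2**127 - 1, with generator 3), the PRF and the derivation inputs are simplified stand-ins for the real IKE formulas and groups.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group; real IKE uses the much larger MODP groups
# from RFC 2409 / RFC 3526. Only the structure of the derivation matters here.
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_keypair() -> tuple:
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def phase2_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, qm_secret: bytes = b"") -> bytes:
    """Quick-mode key material; with PFS a fresh DH secret (qm_secret) is mixed in."""
    return prf(skeyid_d, qm_secret + spi + ni + nr)

def attacker_recovers_phase2_key(pfs: bool) -> bool:
    """Model: the attacker recorded the wire data (SPI and nonces) and later obtains
    the phase 1 keying material, but never the ephemeral private DH values."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    skeyid_d = prf(dh_shared(a_priv, b_pub), b"phase1")    # phase 1 derived key
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    qm = b""
    if pfs:                                                 # fresh DH per phase 2 SA
        qa_priv, qa_pub = dh_keypair()
        qb_priv, qb_pub = dh_keypair()
        qm = dh_shared(qa_priv, qb_pub)
        assert qm == dh_shared(qb_priv, qa_pub)             # both gateways agree on it
    real_key = phase2_keymat(skeyid_d, spi, ni, nr, qm)
    # Without PFS, skeyid_d plus the recorded wire values is everything needed.
    # With PFS the ephemeral secret is missing, so the derivation cannot be reproduced.
    attacker_key = phase2_keymat(skeyid_d, spi, ni, nr)
    return attacker_key == real_key
```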

Differences between tunnel and transport mode in IPsec VPN

What is tunnel mode and transport mode in IPsec?
IPsec tunnel mode: the entire original IP datagram is encrypted and becomes the payload in a new IP packet. With tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.

IPsec transport mode: only the IP payload is encrypted, and the original IP headers are left intact.

Tunnel mode and transport mode
When using ESP you can specify one of two modes in which ESP operates. Tunnel mode encrypts the whole packet. Tunnel mode is used for site-to-site VPN, when securing communication between security gateways, concentrators, firewalls, etc. Tunnel mode provides security for the entire original IP packet, that is the headers and the payload.
The other mode ESP can operate in is transport mode, which is not as secure, as it only encrypts the data portion and not the whole packet, unlike tunnel mode.
Transport mode encrypts the data portion of the packet. It works between two different workstations running some kind of VPN software. Transport mode protects the payload of the packet and the higher-layer protocols. Transport mode leaves the original IP addresses in clear text. With transport mode the final destination is not a gateway or router but generally the host itself. Transport mode provides security to the higher-layer protocols only.
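To make the header difference concrete, here is an added example (not from the original post) that builds a constructed IPv4 packet between two hosts and wraps it in an abbreviated ESP framing both ways, then reads back what a passive observer sees in the clear outer header. The "encryption" is a constructed keystream XOR standing in for the real ESP cipher, ESP is reduced to SPI and sequence number, and the addresses are constructed example values.

```python
import hashlib
import socket
import struct

ESP = 50  # IP protocol number for ESP

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Constructed keystream XOR; a stand-in for the real ESP cipher, not a cipher."""
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_encapsulate(key: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    """Abbreviated ESP: SPI + sequence number in clear, then the protected data."""
    return struct.pack("!II", spi, seq) + toy_encrypt(key, inner)

def tunnel_mode(key: bytes, orig_pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    # The whole original datagram (header + payload) becomes the ESP payload;
    # a new outer header carries only the gateway addresses.
    body = esp_encapsulate(key, 0x1000, 1, orig_pkt)
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body

def transport_mode(key: bytes, orig_pkt: bytes) -> bytes:
    # Only the layer-4 payload is protected; the original addresses stay in clear
    # (the header is rebuilt with protocol = ESP).
    src, dst = socket.inet_ntoa(orig_pkt[12:16]), socket.inet_ntoa(orig_pkt[16:20])
    body = esp_encapsulate(key, 0x2000, 1, orig_pkt[20:])
    return ipv4_header(src, dst, ESP, len(body)) + body

def observed_addresses(pkt: bytes) -> tuple:
    """What a passive observer on the path reads from the clear outer header."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def demo() -> tuple:
    key = b"constructed-demo-key"
    # Constructed original packet: host 10.1.1.5 -> host 10.2.2.9, TCP (6), 5-byte payload
    orig = ipv4_header("10.1.1.5", "10.2.2.9", 6, 5) + b"HELLO"
    tunneled = tunnel_mode(key, orig, "203.0.113.1", "198.51.100.1")   # gateway addresses
    return observed_addresses(tunneled), observed_addresses(transport_mode(key, orig))
```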
 

Why does a cleanup rule need to be added explicitly in the Check Point SmartDashboard?

Why do we need to write a cleanup rule? By default the firewall will drop packets anyway if no rule exists.
* A cleanup rule is required to drop all traffic that did not match any of the other rules (from top to bottom). However, there is an implied rule in Check Point that does the same action of dropping packets if no rule exists (as you mentioned), but logging is not enabled for this implied rule.

Normally, and as a best practice, administrators add the cleanup rule in order to log the traffic that is being dropped, so that we are made aware of dropped traffic, which might be an attack or legitimate traffic for which access has not been allowed (this is helpful in troubleshooting and attack analysis).

How UDP connection state is processed in Stateful Inspection

UDP connections in stateful firewalls
UDP connections are simpler to maintain, as they are stateless. When a UDP packet is allowed through the firewall (based on the rulebase), an entry is added to the connections table. Any UDP packet can return within the timeout period (default 40 seconds) as long as both the SRC/DST IP addresses and the SRC/DST ports match. For example, below is a DNS query.
 
Src_IP          Src_Prt Dst_IP          Dst_Prt IP_prot Kbuf    Type    Flags           Timeout
192.168.1.10    1111    136.1.1.20      53      17      0       16386   ff01ff00        34/40
192.168.1.10    1111    136.1.1.20      0       17      0       16386   ff01ff00        34/40

Here you see the system 192.168.1.10 doing a DNS query to the server 136.1.1.20. For 40 seconds (Timeout) that system can return as many UDP packets as it wants, as long as both the SRC/DST IPs match and the SRC/DST ports match. Notice that there are two entries, both identical except for the Dst_Prt, which is 53 and 0. I do not know why FW-1 creates a second entry for a Dst_Prt of 0. However, this is common for most, if not all, UDP traffic that FW-1 filters.
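The following added example (not from the original posts) ties the two Check Point notes above together in one small model: a packet matching a connections-table entry (both IP pairs and both ports, in either direction, inside the 40-second window) is accepted without consulting the rulebase; anything else walks the rulebase top to bottom, and when nothing matches the implied drop silently discards it, whereas an explicit cleanup rule at the end drops it with a log entry. The rule format, the Python API and the 4-tuple-only table (no second Dst_Prt 0 entry) are assumptions; the addresses and ports are those from the table above.

```python
from dataclasses import dataclass, field
from typing import Optional

UDP_TIMEOUT = 40  # seconds, the default quoted in the post

@dataclass
class Rule:
    src: str              # exact IP or "any"
    dst: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"
    log: bool

def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (rule.src in ("any", src) and rule.dst in ("any", dst)
            and rule.dport in (None, dport))

@dataclass
class StatefulFirewall:
    rules: list
    table: dict = field(default_factory=dict)   # (src, sport, dst, dport) -> expiry time

    def handle(self, now: float, src: str, sport: int, dst: str, dport: int) -> tuple:
        """Returns (action, logged, reason) for one UDP packet."""
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        # 1. Connections table: either direction of a known 4-tuple within the timeout
        for k in (key, reverse):
            if k in self.table and now < self.table[k]:
                return ("accept", False, "connections table")
        # 2. Rulebase, top to bottom, first match wins; accepts create a table entry
        for number, rule in enumerate(self.rules, start=1):
            if _matches(rule, src, dst, dport):
                if rule.action == "accept":
                    self.table[key] = now + UDP_TIMEOUT
                return (rule.action, rule.log, f"rule {number}")
        # 3. Implied drop: same action as a cleanup rule, but nothing is logged
        return ("drop", False, "implied drop")

def demo() -> tuple:
    allow_dns = Rule("192.168.1.10", "136.1.1.20", 53, "accept", True)
    cleanup = Rule("any", "any", None, "drop", True)
    fw = StatefulFirewall([allow_dns, cleanup])
    query = fw.handle(0, "192.168.1.10", 1111, "136.1.1.20", 53)     # matched by rule 1
    reply = fw.handle(5, "136.1.1.20", 53, "192.168.1.10", 1111)     # table hit, no rule lookup
    late = fw.handle(45, "136.1.1.20", 53, "192.168.1.10", 1111)     # past 40 s: cleanup rule, logged
    silent = StatefulFirewall([allow_dns]).handle(0, "192.168.1.10", 2222, "136.1.1.20", 80)
    return query, reply, late, silent
```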

Differences between Cisco ASA and Check Point Firewall

1. Cisco ASA: Firewall throughput ranges from 5 Gbps up to 20 Gbps (a low-end 5500 Series device supports 5 Gbps, a high-end device supports 20 Gbps); with VPN, throughput reduces to 1 Gbps to 5 Gbps, and with IPS, performance would reduce further.
   Check Point: Firewall throughput ranges from 3 Gbps up to 200 Gbps (the low-end 2200 Appliance supports 3 Gbps, the high-end 61000 supports 200 Gbps); with IPS, throughput reduces to 2 Gbps (on the lower-end device) to 85 Gbps (on the higher-end device).

2. Cisco ASA: Context-based mode is available.
   Check Point: Has a similar offering, the Security Gateway Virtual Edition (VE).

3. Cisco ASA: Context-based mode has the following limitations:
   1. VPN services such as remote access or site-to-site VPN tunnels will not work.
   2. In context mode, dynamic routing protocols are not supported; you have to use static routes only.
   3. Threat detection (IDS/IPS) is not supported.
   4. QoS is not supported.
   5. ASA resources are shared between the various contexts within the hardware platform.
   Check Point: Does not have this limitation, since you can scale up the base hardware based on the number of virtual firewalls you want to implement, and it is also easily portable to new hardware.

4. Cisco ASA: Can have only 2 gateways in an active/active cluster.
   Check Point: ClusterXL can support up to 5 gateways in a cluster.

5. Cisco ASA: Active/active is not a true cluster, since it is available (or of use) only if you are running multiple contexts (one context is active on one gateway and another context is active on the other gateway).
   Check Point: ClusterXL is a true cluster; you can utilize all 5 gateways simultaneously.

6. Cisco ASA: Cisco's base is routing; later, as per market demands, they developed security.
   Check Point: The stateful firewall was first invented by Check Point (Nir Zuk).

7. Cisco ASA: Does not support FQDN.
   Check Point: FQDN is supported.

8. Cisco ASA: Not possible in ASA.
   Check Point: User-based access can be provided (Identity Awareness blade) based on Active Directory login information.

9. Cisco ASA: Not possible in ASA.
   Check Point: Access can be granted based on the system name or a destination domain object rather than the IP.

10. Cisco ASA: Does not provide this information; apart from that, Cisco ASA requires a separate syslog server for logging.
    Check Point: Logging and tracking is easy and comprehensive; with the Identity Awareness blade, you would have machine details logged along with user ID information.