Archive for the ‘Security’ Category

VPN Protocols

May 16, 2009

Remote access over the Internet has traditionally used PPP (Point-to-Point Protocol). VPN technology builds additional functionality on top of PPP, giving rise to protocols such as PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and IPSec (IP Security). The diversity of VPN protocols reflects different requirements: some cater to remote-access connections from mobile users or branch offices that dial into a local ISP, others to LAN-to-LAN communication. PPTP, L2TP and L2F (Layer Two Forwarding) were developed for dial-up VPNs, whereas IPSec caters to LAN-to-LAN solutions.
PPTP- Point-to-Point Tunneling Protocol
PPTP is one of the first VPN protocols; it builds on PPP to provide remote access for VPN solutions. PPTP encapsulates PPP packets in GRE (Generic Routing Encapsulation). Because the PPP frame is carried whole, PPTP can handle protocols other than IP, such as IPX (Internetwork Packet Exchange) and NetBEUI (NetBIOS Extended User Interface). PPTP relies on the authentication mechanisms within PPP, i.e. PAP (Password Authentication Protocol). Microsoft has developed various other authentication and security mechanisms for PPTP, which are used in its operating system software.
L2F- Layer Two Forwarding Protocol
L2F was designed to tunnel data from corporate sites to their remote users. A protocol implemented primarily in Cisco products, it differs from PPTP in that it does not depend on IP: it can work over other media such as Frame Relay or ATM (Asynchronous Transfer Mode). L2F accepts other authentication mechanisms and allows a tunnel to support more than one connection. L2F uses PPP to authenticate the remote user, and the authentication is done twice: once at the ISP and again at the gateway to the corporate LAN. It is also a Layer 2 protocol and handles IPX and NetBEUI as well.
L2TP – Layer Two Tunneling Protocol
L2TP combines the best features of PPTP and L2F. It operates at the second layer (data link) of the OSI (Open Systems Interconnection) model, hence its name. Approved by the IETF, L2TP transport is defined for packet media such as Frame Relay, ATM and X.25 (a packet-switching standard covering layers 1, 2 and 3 of the OSI model). It has its own tunneling protocol and uses PPP's PAP and other, more advanced mechanisms for authentication. Its encryption method is based on that of IPSec.
Internet Protocol Security (IPSec)
IPSec is a complete VPN protocol solution. Operating at the third layer (network) of the OSI model, it uses IKE (Internet Key Exchange) to exchange and manage the cryptographic keys used in an encrypted session. IPSec uses a number of cryptographic technologies to provide confidentiality and data integrity, and it allows the sender to authenticate, encrypt, or authenticate and encrypt each IP packet. For this it offers two modes, chosen according to the security and traffic requirements:
• Transport mode authenticates and encrypts the transport segment (the payload) of an IP packet, leaving the original IP header in place.
• Tunnel mode authenticates and encrypts the whole IP packet, which is then carried inside a new IP header.
IPSec's strong security measures are designed for IP packets only; it cannot handle multi-protocol, non-IP network environments such as NetBEUI or IPX.
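As an added example, not part of the original post, the Python below parses and builds the enhanced GRE header that PPTP uses to carry PPP frames (the layout from RFC 2637: a key field holding payload length and call ID, optional sequence and acknowledgment numbers, protocol type 0x880B) and then reads the PPP protocol field to show which upper-layer protocol the tunnel is carrying. That field is what lets PPTP transport IPX or NetBEUI as well as IP, and what carries PAP or CHAP authentication inside the tunnel. The packet bytes and call IDs are constructed for the example.

```python
"""Added example: parse and build the enhanced GRE header that PPTP (RFC 2637)
uses to carry PPP frames, and identify the PPP protocol inside it."""
import struct
from dataclasses import dataclass
from typing import Optional

PPTP_GRE_PROTOCOL = 0x880B   # protocol type for PPP inside enhanced GRE
PPTP_GRE_VERSION = 1         # plain GRE (RFC 2784) uses version 0

# PPP protocol numbers relevant to the discussion above
PPP_PROTOCOLS = {
    0x0021: "IPv4",
    0x002B: "IPX",
    0x003F: "NetBIOS Framing (NetBEUI)",
    0xC021: "LCP",
    0xC023: "PAP",
    0xC223: "CHAP",
}


@dataclass
class PptpGreHeader:
    call_id: int
    payload_length: int
    sequence: Optional[int]
    acknowledgment: Optional[int]
    header_length: int      # offset of the PPP frame within the packet


def parse_pptp_gre(data: bytes) -> PptpGreHeader:
    """Validate the fixed 8-byte header, then read the optional sequence/ack fields."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    flags0, flags1, protocol, payload_length, call_id = struct.unpack("!BBHHH", data[:8])
    key_present = bool(flags0 & 0x20)   # K: key field (payload length + call ID)
    seq_present = bool(flags0 & 0x10)   # S: sequence number follows
    ack_present = bool(flags1 & 0x80)   # A: acknowledgment number follows
    version = flags1 & 0x07
    if version != PPTP_GRE_VERSION or protocol != PPTP_GRE_PROTOCOL:
        raise ValueError("not a PPTP enhanced GRE packet")
    if not key_present:
        raise ValueError("PPTP requires the key field")
    if flags0 & 0xCF:                   # C, R, s and Recur must be zero for PPTP
        raise ValueError("reserved GRE flags set")
    offset = 8
    sequence = acknowledgment = None
    if seq_present:
        if len(data) < offset + 4:
            raise ValueError("truncated sequence number")
        sequence = struct.unpack_from("!I", data, offset)[0]
        offset += 4
    if ack_present:
        if len(data) < offset + 4:
            raise ValueError("truncated acknowledgment number")
        acknowledgment = struct.unpack_from("!I", data, offset)[0]
        offset += 4
    if len(data) - offset < payload_length:
        raise ValueError("payload shorter than declared length")
    return PptpGreHeader(call_id, payload_length, sequence, acknowledgment, offset)


def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Construct a PPTP GRE packet; used here to make sample input for the parser."""
    flags0 = 0x20 | (0x10 if seq is not None else 0)
    flags1 = PPTP_GRE_VERSION | (0x80 if ack is not None else 0)
    header = struct.pack("!BBHHH", flags0, flags1, PPTP_GRE_PROTOCOL, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def ppp_protocol_name(ppp_frame: bytes) -> str:
    """Read the PPP protocol field, allowing for the optional FF 03 address/control
    bytes and for protocol-field compression (a single odd byte)."""
    if ppp_frame[:2] == b"\xff\x03":
        ppp_frame = ppp_frame[2:]
    if not ppp_frame:
        raise ValueError("empty PPP frame")
    if ppp_frame[0] & 1:
        number = ppp_frame[0]
    elif len(ppp_frame) >= 2:
        number = (ppp_frame[0] << 8) | ppp_frame[1]
    else:
        raise ValueError("truncated PPP protocol field")
    return PPP_PROTOCOLS.get(number, "unknown (0x%04X)" % number)


if __name__ == "__main__":
    # Constructed sample: call ID 0x1234, sequence 7, carrying an IPv4 packet in PPP
    pkt = build_pptp_gre(0x1234, b"\xff\x03\x00\x21" + bytes(20), seq=7)
    hdr = parse_pptp_gre(pkt)
    print(hdr, ppp_protocol_name(pkt[hdr.header_length:]))
```

The parser is strict on purpose: a GRE packet with version 0, a missing key field or reserved flags set is not PPTP traffic, and a monitoring tool that reports the PPP protocol number can tell IP from IPX or NetBEUI inside the tunnel without decrypting anything.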

A VPN is a virtual environment: its advantage is that meeting organizational needs depends not on the physical setup but on the logical setup. This is both its boon and its bane.

Null Session Countermeasure

May 12, 2009

– Null sessions require access to TCP port 139 and/or TCP port 445.
– You can also disable SMB services entirely on individual hosts by unbinding WINS Client (TCP/IP) from the interface.
– Edit the registry to restrict the anonymous user:
Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Choose Edit, then Add Value
Value name: RestrictAnonymous
Data type: REG_DWORD
Value: 2
“HKLM” refers to the hive “HKEY_LOCAL_MACHINE”. If this value is set to 1, anonymous connections are restricted; however, an anonymous user can still connect to the IPC$ share, though he is restricted in what information he can obtain through that connection. A value of 1 restricts anonymous users from enumerating SAM accounts and shares. A value of 2, added in Windows 2000, restricts all anonymous access unless it is explicitly granted. Therefore, the first registry key to check would be:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
The other keys to inspect are:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
and HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
These are MULTI_SZ (multi-string) registry parameters that list the shares and pipes, respectively, that are open to null sessions. Verify these keys so that no unwarranted shares or pipes are open, and secure the keys themselves so that only SYSTEM and Administrators can modify them.
In Windows 2000, the domain security policy lays down the protection measures for domain controllers. On systems that are not domain controllers, the Local Security Policy must be configured to restrict anonymous connections. The setting “No access without explicit anonymous permissions” is the most secure and is the equivalent of the value 2 in the HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous key discussed above.
Another advisable step is to disallow remote access completely except for specific accounts and groups. It is also prudent to block the NetBIOS ports on the firewall or border router. Blocking the following ports will prevent null sessions (as well as other attacks that use NetBIOS):
135 TCP DCE/RPC Portmapper
137 TCP/UDP NetBIOS Name Service
138 TCP/UDP NetBIOS Datagram Service
139 TCP NetBIOS Session Service
445 TCP Microsoft-DS (Windows 2000 CIFS/SMB)
A best practice that comes in handy is to stop all services that are not otherwise required for the functioning of the system.
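Added example (not from the original post): the registry checks above can be scripted rather than read by hand in regedt32. The Python below parses the text that `reg query` prints for the three keys and reports the weak settings, then lists which of the NetBIOS ports from the table are actually reachable. The sample output is constructed; the column layout and the `\0` separator between REG_MULTI_SZ entries are my assumptions about the `reg query` output format, and the share and pipe names in the sample are placeholders.

```python
"""Added example: audit the null-session registry settings from `reg query` output."""
import re
from typing import Dict, Iterable, List, Tuple, Union

RegValue = Union[int, str, List[str]]

# Constructed sample in the layout `reg query` prints (layout assumed); the MULTI_SZ
# entries are separated by a literal backslash-zero. The values are deliberately weak.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    NullSessionShares    REG_MULTI_SZ    COMCFG\0DFS$\0PUBLIC
    NullSessionPipes    REG_MULTI_SZ    netlogon\0lsarpc\0samr
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".lower()
LANMAN_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters".lower()
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")

# The ports the post recommends blocking at the perimeter
NETBIOS_PORTS = {
    135: "DCE/RPC endpoint mapper",
    137: "NetBIOS Name Service",
    138: "NetBIOS Datagram Service",
    139: "NetBIOS Session Service",
    445: "Microsoft-DS (CIFS/SMB)",
}


def parse_reg_query(text: str) -> Dict[Tuple[str, str], RegValue]:
    """Map (key path, value name), both lower-cased, to a typed Python value."""
    values: Dict[Tuple[str, str], RegValue] = {}
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # key paths are printed flush left
            current_key = line.strip().lower()
            continue
        match = VALUE_LINE.match(line)
        if match is None or current_key is None:
            continue
        name, reg_type, raw = match.groups()
        raw = raw or ""
        value: RegValue
        if reg_type == "REG_DWORD":
            value = int(raw, 16)             # printed as 0x...
        elif reg_type == "REG_MULTI_SZ":
            value = [s for s in raw.split("\\0") if s]
        else:
            value = raw
        values[(current_key, name.lower())] = value
    return values


def audit_null_session(values: Dict[Tuple[str, str], RegValue]) -> List[str]:
    """Return one finding per weak setting; an empty list means the checks pass."""
    findings: List[str] = []
    restrict = values.get((LSA_KEY, "restrictanonymous"))
    if restrict is None or restrict == 0:
        findings.append("RestrictAnonymous is unset or 0: anonymous enumeration is allowed")
    elif restrict == 1:
        findings.append("RestrictAnonymous is 1: enumeration is limited but IPC$ still accepts null sessions; set 2")
    for name in ("NullSessionShares", "NullSessionPipes"):
        entries = values.get((LANMAN_KEY, name.lower()), [])
        if not isinstance(entries, list):
            continue
        for entry in entries:
            findings.append("%s exposes '%s' to null sessions; remove it unless required" % (name, entry))
    return findings


def exposed_netbios_ports(listening: Iterable[int]) -> Dict[int, str]:
    """Which of the ports the post says to block are reachable on this host."""
    return {port: NETBIOS_PORTS[port] for port in listening if port in NETBIOS_PORTS}


if __name__ == "__main__":
    for finding in audit_null_session(parse_reg_query(SAMPLE_REG_QUERY)):
        print("-", finding)
    print(exposed_netbios_ports([80, 139, 445, 3389]))
```

On a real host the same functions take the captured output of `reg query` for the two key paths and the list of listening ports; a value of 2 with empty NullSessionShares and NullSessionPipes produces no findings.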

Firewall Types

May 1, 2009

No discussion of firewalls would be complete without a discussion of the different types of firewalls. This is particularly true in this context, because it allows you to better understand exactly where in the spectrum the free firewall offerings lie. In the networking sense, a firewall is basically any component (software or hardware) that restricts the flow of network traffic. This is a sufficiently broad definition to allow for all of the various ways people have chosen to implement firewalls. Some firewalls are notoriously limited in capability and others are extremely easy to use.

Within the realm of firewalls there are many different ways to restrict network traffic. Most of these methods vary in the level of intelligence that is applied to the decision-making process. For example, to permit or deny traffic based on which network device is the sender or recipient, you would use a packet-filtering firewall. In reality, even the simplest packet-filtering firewalls can typically make decisions based on the source Internet Protocol (IP) address, the destination IP address, and the source and/or destination port number. While this type of firewall may sound overly simplistic, consider if you have a server running a Web site for use on the Internet. In all likelihood, the only traffic that you need to allow to the server uses a destination port of Transmission Control Protocol (TCP) 80 or 443; thus, you could configure your firewall to permit only that traffic. These ports are used for HTTP and HTTPS, respectively. Because the server is available to the Internet, you can't filter traffic based on the source address or source port, which will be different for each connection.

The primary drawback with a simple packet filter is that the packet-filtering firewall has to rely on very primitive means to determine when traffic should be allowed (e.g., synchronous [SYN] or acknowledgement [ACK] bits being set). While this was adequate in the early days of the Internet when security was not as big of a concern, it won't work any more. It is trivial to set the bits on the packet using freely available software to make the traffic look like it is a reply to another connection. Thus the stateful inspection firewall was born of necessity. This type of firewall monitors all connections (inbound or outbound), and as a connection is permitted (based on the firewall's configured rules) it enters this connection into a table. When the reply to this connection comes back, even if the reply uses a port that the firewall was not previously configured to permit, it can intelligently realize the traffic is a response to a permitted session and permit the traffic.

Unfortunately, as the firewalls get better so do the methods hackers use to circumvent them. Suppose you have configured your firewall perfectly and there are no holes: every permitted port is one you expressly want to allow. Using the previous example, no traffic is allowed to the Web server except Web traffic. Sounds good, but the problem is, if the firewall is completely secure, the server might not be. Flaws in the Web server software could allow the attacker to send the server an HTTP request that is 10,000 characters long, overflowing the buffers and allowing the attacker to execute the code of his choice. The packets used to transport the 10,000-character HTTP request are all legal TCP packets as far as the firewall is concerned; therefore, it would permit them to pass through to the Web server. The next step in firewall evolution serves to combat this type of attack. These types of firewalls are application gateways, or layer 7 firewalls.

This type of firewall not only filters network traffic based on the standard network parameters, but also understands the higher-layer protocol information contained within the packet, in this example HTTP. The firewall itself knows what a legitimate HTTP request looks like and can filter out a malformed or malicious request even though, from a network perspective, it might otherwise be a permitted packet. There is a downside to this type of approach, which is that the firewall must be programmed with all the same intelligence needed to filter normal traffic, plus the firewall must fully understand the protocols it is inspecting. This means additional programming for any protocol you want the firewall to understand. Most of the major commercial application gateways offer support for the major protocols such as HTTP, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).

With all of this information circulating in your head, you're probably wondering which type is available for free. Generally speaking, you can find many free varieties of firewalls that perform some type of stateful inspection. Application layer gateways are not readily available for free. In reality, few organizations have the funds to use application gateways extensively. One ramification of not using an application gateway is that you need to ensure that the service that is exposed to untrusted traffic is configured as securely as possible and that the server itself is hardened against attack. Keeping the service patches up-to-date will help reduce the odds that an application-level attack will be successful.
Source: How to Cheat at Configuring Open Source Security Tools
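The three generations the excerpt describes can be put side by side in code. The following Python, added here and not from the book, simulates a packet filter, a stateful filter and an HTTP application gateway on constructed packets (addresses from the documentation ranges; the 2048-byte request-target limit is an assumed policy value) and shows which packets each one stops: the forged ACK that gets past the packet filter, and the 10,000-character request that only the application gateway rejects.

```python
"""Added example: packet filter, stateful filter and HTTP application gateway
side by side, run over constructed packets."""
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple

WEB_SERVER = "203.0.113.10"        # constructed address (documentation range)
ALLOWED_PORTS = {80, 443}          # the only services the server offers
MAX_TARGET_LENGTH = 2048           # assumed policy limit for the request target
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/\S*) HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


def stateless_filter(pkt: Packet) -> bool:
    """Generation 1: header fields only. Anything with ACK set is assumed to be a
    reply to an existing connection, which is the weakness the excerpt describes."""
    if pkt.src == WEB_SERVER:                                  # outbound from the server
        return True
    if pkt.dst == WEB_SERVER and pkt.dport in ALLOWED_PORTS:   # inbound to a service
        return True
    return pkt.ack


class StatefulFilter:
    """Generation 2: new connections are allowed by rule; everything else only
    if a matching entry exists in the connection table."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections or reverse in self.connections:
            return True
        new_connection = pkt.syn and not pkt.ack
        permitted = pkt.src == WEB_SERVER or (pkt.dst == WEB_SERVER and pkt.dport in ALLOWED_PORTS)
        if new_connection and permitted:
            self.connections.add(key)
            return True
        return False


class ApplicationGateway(StatefulFilter):
    """Generation 3: on top of the stateful decision, understand the HTTP carried
    to port 80 (HTTPS would need TLS termination first, omitted here)."""

    def inspect(self, pkt: Packet) -> Tuple[bool, str]:
        if not self.allow(pkt):
            return False, "no rule or session matches"
        if pkt.dst == WEB_SERVER and pkt.dport == 80 and pkt.payload:
            match = REQUEST_LINE.match(pkt.payload)
            if match is None:
                return False, "malformed HTTP request line"
            if len(match.group(2)) > MAX_TARGET_LENGTH:
                return False, "request target too long"
        return True, "ok"


def run_scenario() -> Dict[str, Dict[str, object]]:
    """Feed the same packet sequence to all three and collect the verdicts."""
    client, resolver, attacker = "198.51.100.7", "198.51.100.53", "198.51.100.99"
    packets = [
        ("server_outbound", Packet(WEB_SERVER, 51000, resolver, 53, syn=True)),
        ("reply_to_outbound", Packet(resolver, 53, WEB_SERVER, 51000, syn=True, ack=True)),
        ("forged_ack_to_ssh", Packet(attacker, 5555, WEB_SERVER, 22, ack=True)),
        ("client_syn", Packet(client, 40000, WEB_SERVER, 80, syn=True)),
        ("normal_request", Packet(client, 40000, WEB_SERVER, 80, ack=True,
                                  payload=b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")),
        ("oversized_request", Packet(client, 40000, WEB_SERVER, 80, ack=True,
                                     payload=b"GET /" + b"A" * 10000 + b" HTTP/1.1\r\nHost: example\r\n\r\n")),
        ("binary_junk", Packet(client, 40000, WEB_SERVER, 80, ack=True, payload=b"\x16\x03\x01\x00\x05")),
    ]
    stateful, gateway = StatefulFilter(), ApplicationGateway()
    return {
        "stateless": {name: stateless_filter(p) for name, p in packets},
        "stateful": {name: stateful.allow(p) for name, p in packets},
        "gateway": {name: gateway.inspect(p) for name, p in packets},
    }


if __name__ == "__main__":
    for generation, verdicts in run_scenario().items():
        print(generation, verdicts)
```

The packet sequence is processed in order, so the stateful table is populated by the server's outbound SYN before its reply arrives; the reply is then accepted on port 51000 even though no rule names that port, while the forged ACK to port 22, which the stateless filter accepts for exactly the reason the excerpt gives, has no table entry and is dropped.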

Web Application Firewall

March 31, 2009

“An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack.”
Standard firewalls are designed to restrict access to certain ports or services that an administrator does not want unauthorized people to reach.
Web Application Firewalls are often called ‘Deep Packet Inspection Firewalls’ because they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. Some Web Application Firewalls look for certain ‘attack signatures’ to try to identify a specific attack that an intruder may be sending, while others look for abnormal behavior that does not fit the website's normal traffic patterns. Web Application Firewalls can be either software or hardware-appliance based and are installed in front of a web server to shield it from incoming attacks.
An open-source Web Application Firewall for the Apache web server, Mod_Security, can be found at http://www.modsecurity.org
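Added example, not from the original post: the two detection styles the post contrasts, attack signatures and a profile of the site's normal traffic, implemented in Python over constructed request targets. The signature list and the sample traffic are illustrative placeholders; the profile records, per path, the parameter names seen and their longest values, and flags requests that fall outside that shape. The run shows why the two are complementary: a short injection-style value is caught by a signature but looks normal in size, while an unknown parameter and an oversized value match no signature but stand out against the profile.

```python
"""Added example: the two WAF detection styles the post contrasts, run over
constructed request targets: attack signatures versus a learned traffic profile."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Signature approach: a deliberately small, illustrative pattern list
SIGNATURES = {
    "sql-quote-boolean": re.compile(r"'\s*(or|and)\s+", re.IGNORECASE),
    "html-script-tag": re.compile(r"<\s*script", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

# Constructed "normal" traffic used to build the profile
NORMAL_TRAFFIC = [
    "/search?q=firewall",
    "/search?q=vpn+protocols",
    "/search?q=null+session",
    "/login?user=alice",
    "/login?user=bob",
]


def split_target(target: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Path and decoded query parameters of a request target like /search?q=vpn."""
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def signature_hits(target: str) -> List[str]:
    """Names of the signatures that match the percent-decoded request target."""
    decoded = unquote(target.replace("+", " "))
    return [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]


class TrafficProfile:
    """Anomaly approach: learn, per path, which parameter names occur and how long
    their values get; flag requests that fall outside the learned shape."""

    def __init__(self, slack: float = 1.5) -> None:
        self.max_len: Dict[str, Dict[str, int]] = defaultdict(dict)
        self.slack = slack      # tolerance above the longest value seen in training

    def learn(self, target: str) -> None:
        path, params = split_target(target)
        for name, value in params:
            self.max_len[path][name] = max(self.max_len[path].get(name, 0), len(value))

    def anomalies(self, target: str) -> List[str]:
        path, params = split_target(target)
        if path not in self.max_len:
            return ["path %s never seen during learning" % path]
        findings = []
        for name, value in params:
            baseline = self.max_len[path].get(name)
            if baseline is None:
                findings.append("unexpected parameter %s" % name)
            elif len(value) > self.slack * baseline:
                findings.append("%s length %d exceeds baseline %d" % (name, len(value), baseline))
        return findings


def build_profile() -> TrafficProfile:
    profile = TrafficProfile()
    for target in NORMAL_TRAFFIC:
        profile.learn(target)
    return profile


def classify(profile: TrafficProfile, target: str) -> Dict[str, List[str]]:
    """Run both detectors on one request target."""
    return {"signatures": signature_hits(target), "anomalies": profile.anomalies(target)}


if __name__ == "__main__":
    profile = build_profile()
    for target in ["/search?q=vpn", "/search?q=%27+or+1%3D1", "/search?q=" + "x" * 60 + "&debug=1"]:
        print(target[:40], classify(profile, target))
```

A deployed WAF learns the profile from far more traffic and usually adds value character classes, but the trade-off is the same: signatures need updating for every new attack pattern, and the profile needs re-learning whenever the application changes.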

