Knowledge management (KM) is the process of organizing, creating, using, and sharing collective knowledge within an organization. Successful knowledge management includes maintaining information in a place where it is easy to access.
Only a few initiatives are able to truly transform how an organization operates, and knowledge management is one of them.
Security for VPN and Next Generation Technologies
1. VPN Security
2. Security in Multimedia Networks
3. Various Computing Platforms: HPC, Cluster and Computing Grids
4. Virtualization and Cloud Technology and Security

VPN - Virtual Private Network
• As the popularity of the Internet has grown, businesses have turned to it as a means of extending their own networks. First came intranets, which are sites designed for use only by company employees. Now, many companies create their own Virtual Private Networks (VPNs) to accommodate the needs of remote employees and distant offices.
• A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.

Types
• Remote-Access: a Virtual Private Dial-up Network (VPDN) is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. A corporation provides Internet dial-up accounts to its users through an Internet service provider (ISP).
• The telecommuters can then dial a 1-800 number to reach the Internet and use their VPN client software to access the corporate network.
• An example: a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.
• Site-to-Site: through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet.
• Each site needs only a local connection to the same public network, thereby saving money on long private leased lines. Site-to-site VPNs can be further categorized into intranets or extranets.
• A site-to-site VPN built between offices of the same company is said to be an intranet VPN, while a VPN built to connect the company to its partner or customer is referred to as an extranet VPN.

Benefits
• Extend geographic connectivity
• Reduce operational costs versus traditional WANs
• Reduce transit times and travelling costs for remote users
• Improve productivity
• Simplify network topology
• Provide global networking opportunities
• Provide telecommuter support
• Provide faster Return On Investment (ROI) than traditional WAN

VPN - Virtual Private Network
• A well-designed VPN should incorporate the following:
• Security
• Reliability
• Scalability
• Network Management
• Policy Management

• A well-designed VPN uses several methods in order to keep your connection and data secure.
• Data Confidentiality: This is perhaps the most important service provided by any VPN implementation. Since your private data travels over a public network, data confidentiality is vital and can be attained by encrypting the data. This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode.
• Data Integrity: While it is important that your data is encrypted over a public network, it is just as important to verify that it has not been changed while in transit. For example, IPsec has a mechanism to ensure that the encrypted portion of the packet, or the entire header and data portion of the packet, has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also involve authenticating the remote peer.
• Data Origin Authentication: It is extremely important to verify the identity of the source of the data that is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of the sender.
• Anti-Replay: This is the ability to detect and reject replayed packets, and it helps prevent spoofing.
• Data Tunnelling / Traffic Flow Confidentiality: Tunnelling is the process of encapsulating an entire packet within another packet and sending it over a network. Data tunnelling is helpful in cases where it is desirable to hide the identity of the device originating the traffic. For example, a single device that uses IPsec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of the existing packets.
• By encrypting the original packet and header (and routing the packet based on the additional layer 3 header added on top), the tunnelling device effectively hides the actual source of the packet. Only the trusted peer is able to determine the true source, after it strips away the additional header and decrypts the original header.
• AAA (Authentication, Authorization, and Accounting) is used for more secure access in a remote-access VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured VPN client software can establish a secure connection into the remote network.
• With user authentication, however, a valid username and password also has to be entered before the connection is completed. Usernames and passwords can be stored on the VPN termination device itself, or on an external AAA server, which can provide authentication against numerous other databases such as Windows NT, Novell, LDAP, and so on.
• Non-repudiation: In certain data transfers, especially those related to financial transactions, non-repudiation is a highly desirable feature.
• This is helpful in preventing situations where one end denies having taken part in a transaction.
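The integrity, origin-authentication, anti-replay and tunnelling services described above, as an added example that is not part of the original slides: a small tunnel-mode encapsulation modelled loosely on IPsec ESP (RFC 4303). HMAC-SHA256 stands in for the negotiated integrity algorithm, a 64-packet anti-replay window tracks which sequence numbers have already been accepted, and the outer header shows a third party only the two gateway addresses, never the hosts behind them. The sequence number is checked against the window before the tag is verified, and the window moves only after verification succeeds, so a forged packet cannot shift it. The header layout, SPI, key, addresses and inner packet are all constructed for this example; the inner packet is left unencrypted here, which a real ESP would not do.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

TAG_LEN = 16            # truncated HMAC-SHA256 tag (IPsec also truncates its ICV)
WINDOW = 64             # anti-replay window size in packets
OUTER_FMT = "!4s4sII"   # outer src, outer dst, SPI, sequence number (constructed layout)
OUTER_LEN = struct.calcsize(OUTER_FMT)


@dataclass
class SecurityAssociation:
    """One direction of a tunnel between two gateways (state both peers keep)."""
    spi: int
    auth_key: bytes
    next_seq: int = 0   # sender: last sequence number used
    highest: int = 0    # receiver: highest sequence number accepted so far
    bitmap: int = 0     # receiver: bit i set => packet (highest - i) was accepted


def encapsulate(sa, inner_packet, outer_src, outer_dst):
    """Gateway side: wrap the inner packet in an outer header and tag it.
    The outer addresses are the two gateways, so a third party never sees the
    hosts behind them (the traffic-flow-confidentiality point in the slides)."""
    sa.next_seq += 1
    header = struct.pack(OUTER_FMT, socket.inet_aton(outer_src),
                         socket.inet_aton(outer_dst), sa.spi, sa.next_seq)
    tag = hmac.new(sa.auth_key, header + inner_packet, hashlib.sha256).digest()[:TAG_LEN]
    return header + inner_packet + tag


def observer_view(packet):
    """What someone on the public network can read: only the outer header."""
    src, dst, spi, seq = struct.unpack(OUTER_FMT, packet[:OUTER_LEN])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), spi, seq


def _replay_check(sa, seq):
    """Return None if seq is acceptable, else the reason to drop the packet.
    The window is not touched here; it moves only after authentication."""
    if seq == 0:
        return "sequence number zero is never valid"
    if seq > sa.highest:
        return None                                   # new high-water mark
    if sa.highest - seq >= WINDOW:
        return "too old (outside anti-replay window)"
    if sa.bitmap >> (sa.highest - seq) & 1:
        return "replayed packet"
    return None


def _window_update(sa, seq):
    """Slide the window forward or mark an in-window sequence number as seen."""
    if seq > sa.highest:
        sa.bitmap = (sa.bitmap << (seq - sa.highest)) & ((1 << WINDOW) - 1) | 1
        sa.highest = seq
    else:
        sa.bitmap |= 1 << (sa.highest - seq)


def decapsulate(sa, packet):
    """Receiving gateway: ("accepted", inner_packet) or ("dropped", reason)."""
    if len(packet) < OUTER_LEN + TAG_LEN:
        return ("dropped", "truncated packet")
    header, body, tag = packet[:OUTER_LEN], packet[OUTER_LEN:-TAG_LEN], packet[-TAG_LEN:]
    _, _, spi, seq = struct.unpack(OUTER_FMT, header)
    if spi != sa.spi:
        return ("dropped", "unknown SPI")
    reason = _replay_check(sa, seq)
    if reason:
        return ("dropped", reason)
    expected = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return ("dropped", "integrity check failed")
    _window_update(sa, seq)
    return ("accepted", body)


def demo():
    """Accept, out-of-order, replay, tamper and stale cases, all with constructed data."""
    key = b"constructed-shared-key-not-for-real-use"
    sender = SecurityAssociation(spi=0x1000, auth_key=key)
    receiver = SecurityAssociation(spi=0x1000, auth_key=key)
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"      # documentation-range gateway addresses
    inner = b"10.1.0.7>10.2.0.9 TCP GET /payroll"   # constructed inner packet
    out = {}
    p1, p2, p3, p4 = (encapsulate(sender, inner, gw_a, gw_b) for _ in range(4))
    out["observer"] = observer_view(p1)                  # gateways only, no 10.x hosts
    out["in_order"] = decapsulate(receiver, p1)[0]
    out["out_of_order"] = decapsulate(receiver, p3)[0]   # seq 3 arrives before seq 2
    out["late_but_fresh"] = decapsulate(receiver, p2)[0]
    out["replay"] = decapsulate(receiver, p2)[1]         # same packet a second time
    tampered = p4[:OUTER_LEN] + inner.replace(b"/payroll", b"/publicx") + p4[-TAG_LEN:]
    out["tampered"] = decapsulate(receiver, tampered)[1]
    out["original_of_tampered"] = decapsulate(receiver, p4)[0]
    burst = [encapsulate(sender, inner, gw_a, gw_b) for _ in range(WINDOW + 5)]
    decapsulate(receiver, burst[-1])                     # window jumps far ahead
    out["stale"] = decapsulate(receiver, burst[0])[1]
    out["edge_of_window"] = decapsulate(receiver, burst[5])[0]
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of checks in `decapsulate` is the part worth copying: a cheap window check first rejects obvious replays without spending a MAC computation, the tag is then verified in constant time, and only an authenticated packet is allowed to advance the window.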
• Much like a bank requires your signature before honouring your check, non-repudiation works by attaching a digital signature to the sent message, thus precluding

• Based on the type of VPN (remote-access or site-to-site), you need to put in place certain components to build your VPN. These might include:
• Desktop software client for each remote user
• Dedicated hardware such as a Cisco VPN Concentrator or a Cisco Secure PIX Firewall
• Dedicated VPN server for dial-up services
• Network Access Server (NAS) used by a service provider for remote-user VPN access
• Private network and policy management center

TYPES OF VPN PRODUCT
• A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms in firewalls to restrict access to an internal network. The features it provides include address translation, user authentication, real-time alarms and extensive logging.
• A hardware-based VPN offers high network throughput, better performance and more reliability, since there is no processor overhead. However, it is also more expensive.
• A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can be used with hardware encryption accelerators to enhance performance.
• An SSL VPN allows users to connect to VPN devices using a web browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. One advantage of SSL VPNs is ease of use: because all standard web browsers support the SSL protocol, users do not need to do any software installation or configuration.

RISKS & LIMITATIONS OF VPN
• HACKING ATTACKS: A client machine may become a target of attack, or a staging point for an attack, from within the connecting network. An intruder could exploit bugs or mis-configuration in a client machine, or use other types of hacking tools to launch an attack. These can include VPN hijacking or man-in-the-middle attacks:
1. VPN hijacking is the unauthorised take-over of an established VPN connection from a remote client, and impersonating that client on the connecting network.
2. Man-in-the-middle attacks affect traffic being sent between communicating parties, and can include interception, insertion, deletion and modification of messages, reflecting messages back at the sender, replaying old messages and redirecting messages.
• USER AUTHENTICATION: By default a VPN does not provide or enforce strong user authentication. A VPN connection should only be established by an authenticated user. If the authentication is not strong enough to restrict unauthorised access, an unauthorised party could access the connected network and its resources. Most VPN implementations provide limited authentication methods.
• CLIENT SIDE RISKS: The VPN client machines of, say, home users may be connected to the Internet via a standard broadband connection while at the same time holding a VPN connection to a private network, using split tunnelling. This may pose a risk to the private network being connected to.
• The client machine may also be shared with other parties.
• A laptop used by a mobile user may be connected to the Internet through a wireless LAN at a hotel, an airport or another foreign network. However, the security protection at most of these public connection points is inadequate for VPN access.
• A compromised VPN client machine poses a risk to the connecting network.
• VIRUS / MALWARE INFECTIONS: A connecting network can be compromised if the client side is infected with a virus. If a virus or spyware infects a client machine, there is a chance that the password for the VPN connection might be leaked to an attacker. In the case of an intranet or extranet VPN connection, if one network is infected by a virus or worm, that virus / worm can spread quickly to other networks if anti-virus protection systems are ineffective.
• INCORRECT NETWORK ACCESS RIGHTS: Some client and/or connecting networks may have been granted more access rights than are actually needed.
• INTEROPERABILITY / COMPATIBILITY: Software from different vendors may not be interoperable.

GENERAL VPN SECURITY CONSIDERATIONS
• VPN connections can be strengthened by the use of firewalls.
• An IDS / IPS (Intrusion Detection / Prevention System) is recommended in order to monitor attacks more effectively.
• Anti-virus software should be installed on remote clients and network servers to prevent the spread of any virus / worm if either end is infected.
• Unsecured or unmanaged systems with simple or no authentication should not be allowed to make VPN connections to the internal network.
• Logging and auditing functions should be provided to record network connections, especially any unauthorised attempts at access. The log should be reviewed regularly.
• Training should be given to network/security administrators and supporting staff, as well as to remote users, to ensure that they follow security best practices and policies during the implementation and ongoing use of the VPN.
• Security policies and guidelines on the appropriate use of VPN and network support should be distributed to responsible parties to control and govern their use of the VPN.
• Placing the VPN entry point in a Demilitarised Zone (DMZ) is recommended in order to protect the internal network.
• It is advisable not to use split tunnelling to access the Internet or any other insecure network simultaneously during a VPN connection.
• If split tunnelling is used, a firewall and IDS should be used to detect and prevent any potential attack coming from insecure networks.
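A way to find out whether a client is actually split tunnelling, as an added example that is not part of the original slides: the script parses a Linux `ip route show` listing and resolves, by longest-prefix match, which interface a few sample Internet addresses would leave through. It goes slightly beyond the slides by also handling the common full-tunnel trick of two /1 routes that override the existing default route without deleting it. The tunnel interface name `tun0`, the VPN server address, the probe addresses and both routing tables are assumptions constructed for this example.

```python
import ipaddress

VPN_IFACE = "tun0"              # assumed name of the client's tunnel interface
VPN_SERVER = "203.0.113.5"      # assumed VPN gateway; traffic to it must bypass the tunnel
# Documentation-range probe addresses standing in for arbitrary Internet hosts.
PROBES = ["198.51.100.7", "192.0.2.44", "172.20.1.10"]

# Constructed `ip route show` output from a client using split tunnelling:
# only the corporate 172.16.0.0/12 range goes through tun0, everything else
# leaves via the local Wi-Fi.
SPLIT_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Constructed output from a full-tunnel client: the two /1 routes are more
# specific than the default route, so all Internet traffic goes through tun0.
FULL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Turn each route line into (network, outgoing interface)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match, as the kernel does (route metrics are ignored here)."""
    addr = ipaddress.ip_address(address)
    best_net, best_dev = None, None
    for net, dev in routes:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def assess(route_text, probes=PROBES, vpn_server=VPN_SERVER):
    """Report every probe address that would leave the machine outside the
    tunnel. The VPN server itself is expected to be reached directly."""
    routes = parse_routes(route_text)
    leaks = {}
    for probe in probes:
        if probe == vpn_server:
            continue
        dev = egress_interface(routes, probe)
        if dev != VPN_IFACE:
            leaks[probe] = dev
    return {"split_tunnel": bool(leaks), "leaks": leaks}


if __name__ == "__main__":
    for name, text in (("split", SPLIT_ROUTES), ("full", FULL_ROUTES)):
        print(name, assess(text))
```

On a real client the route text would come from running `ip route show`; checking egress per address rather than only looking for a `default ... dev tun0` line is what makes the /1-route case classify correctly.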
• Unnecessary access to internal networks should be restricted and controlled.

EXTRANET VPN SECURITY CONSIDERATIONS
The following are additional security considerations for extranet VPN deployment:
1. Strong user authentication mechanisms should be enforced.
2. The VPN entry point should be placed inside a DMZ to prevent partners from accessing the internal network.
3. Access rights should be granted on an as-needed basis. Only necessary resources should be available to external partners. Owners of these resources should review access permissions regularly.

CLIENT SIDE VPN SECURITY CONSIDERATIONS
• Strong authentication is required:
• By means of certificates and/or smart cards, or tokens. A smart card is used to store a user profile, encryption keys and algorithms. A PIN is usually required to invoke the smart card. A token card provides a one-time password: when the user authenticates correctly on the token by entering the correct PIN, the card displays a one-time passcode that allows access to the network.
• By means of an add-on authentication system, like TACACS+ or RADIUS. This kind of central authentication system contains a profile of all VPN users, controlling access to the private network.
• Personal firewalls should be installed and configured properly on client VPN machines to block unauthorised access to the client, ensuring it is safe from attack. Many of the more recent remote-access VPN clients include personal firewalls.
• Some may also include other configuration checks, such as the client not being able to connect to the network if anti-virus software is not running, or if virus signatures are out of date.
• The client machine should have anti-virus software installed, with up-to-date signatures, to detect and prevent virus infections.
• The user should remain aware of the physical security of the machine, in particular when authentication information is stored on the machine.
• All users should be educated on good Internet security practices. Access from home should be considered an insecure channel, as traffic is routed over the Internet.
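The connection-time configuration checks described in the client-side considerations (anti-virus running, signatures current, personal firewall enabled), combined with the earlier rule that unmanaged systems should not be allowed to connect, as an added example that is not part of the original slides. The report field names, the seven-day signature limit and the two sample reports are assumptions constructed for this example; a real client would fill the report from the local anti-virus and firewall status.

```python
from datetime import date

MAX_SIGNATURE_AGE_DAYS = 7   # assumed policy: older signatures count as "out of date"

# Constructed posture reports as a VPN client might send them at connect time.
COMPLIANT_REPORT = {
    "managed_device": True,
    "antivirus_running": True,
    "signature_date": "2024-03-10",
    "personal_firewall_enabled": True,
}
NONCOMPLIANT_REPORT = {
    "managed_device": True,
    "antivirus_running": True,
    "signature_date": "2024-02-01",
    "personal_firewall_enabled": False,
}


def signature_age_days(report, today):
    """Days since the reported signature date; None if no date was reported."""
    sig = report.get("signature_date")
    return None if sig is None else (today - date.fromisoformat(sig)).days


def evaluate_posture(report, today=None, max_age=MAX_SIGNATURE_AGE_DAYS):
    """Return (allowed, reasons). Every failing check is listed, not just the
    first, so the user and help desk can see everything that must be fixed.
    `today` is an ISO date string (for reproducible runs) or None for now."""
    today = date.fromisoformat(today) if today else date.today()
    reasons = []
    if not report.get("managed_device"):
        reasons.append("unmanaged device: not permitted to connect")
    if not report.get("antivirus_running"):
        reasons.append("anti-virus is not running")
    age = signature_age_days(report, today)
    if age is None:
        reasons.append("no anti-virus signature date reported")
    elif age > max_age:
        reasons.append(f"virus signatures are {age} days old (limit {max_age})")
    if not report.get("personal_firewall_enabled"):
        reasons.append("personal firewall is disabled")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, report in (("compliant", COMPLIANT_REPORT), ("noncompliant", NONCOMPLIANT_REPORT)):
        print(name, evaluate_posture(report, today="2024-03-12"))
```

A missing field is treated as a failure rather than a pass, so a client that omits a check it cannot perform is denied instead of silently waved through.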