
Showing papers on "IPsec" published in 1999


Book
01 Jan 1999
TL;DR: This book discusses the architecture, design, implementation, and use of IPSec, a suite of protocols that seamlessly integrate security into IP and provide data source authentication, data integrity, confidentiality, and protection against replay attacks.
Abstract: From the Book: PREFACE: Preface The Internet connects millions of people around the world and allows for immediate communication and access to a seemingly limitless amount of information. Data, video, voice, almost every single type of communication, travels across the Internet. Some of this communication is private. The language of the Internet is IP, the Internet Protocol. Everything can, and does, travel over IP. One thing IP does not provide, though, is security. IP packets can be forged, modified, and inspected en route. IPSec is a suite of protocols that seamlessly integrate security into IP and provide data source authentication, data integrity, confidentiality, and protection against replay attacks. With IPSec the power of the Internet can be exploited to its fullest potential: Communication is the lifeblood of business. Without a guarantee that a customer's order is authentic it is difficult to bill for a service. Without a guarantee that confidential information will remain confidential it is impossible for businesses to grow and partnerships to be formed. Unless there is a guarantee that records and information can remain confidential, the health care industry cannot utilize the Internet to expand its services and cut its costs. Personal services, such as home banking, securities trading, and insurance can be greatly simplified and expanded if these transactions can be done securely. The growth of the Internet is truly dependent on security and the only technique for Internet security that works with all forms of Internet traffic is IPSec. IPSec runs over the current version of IP, IPv4, and also the next generation of IP, IPv6. In addition, IPSec can protect any protocol that runs on top of IP such as TCP, UDP, and ICMP. IPSec is truly the most extensible and complete network security solution. IPSec enables end-to-end security so that every single piece of information sent to or from a computer can be secured. 
It can also be deployed inside the network to form Virtual Private Networks where two distinct and disparate networks become one by connecting them with a tunnel secured by IPSec. This book discusses the architecture, design, implementation, and use of IPSec. Each of the protocols in the suite commonly referred to as "IPSec" (the Authentication Header, the Encapsulating Security Payload, and the Internet Key Exchange) is examined in detail. Common deployments of IPSec are discussed and future work on problem areas is identified. This book is intended for an audience with an interest in network security as well as those who will be implementing secure solutions using IPSec, including building VPNs, e-commerce, and end-to-end security. Cryptography and networking basics are discussed in early chapters for those who are neither cryptography nor networking professionals. Organization: This book is split into three parts: overview, detailed analysis, and implementation and deployment issues. Part One is comprised of the first three chapters. Chapter One discusses the basic cryptographic building blocks upon which IPSec is built. Symmetric and public key cryptography and their use for both encryption and authentication are explained. Chapter Two discusses the basics of TCP/IP and the advantages and disadvantages of implementing security at various layers in the TCP/IP protocol stack. Chapter Three is an overview of IPSec. The IPSec Architecture is discussed and each of the protocols (AH, ESP, and IKE) and their interrelationship is touched upon. Part Two consists of chapters Four through Seven. Chapter Four is a detailed discussion of the IPSec Architecture. The basic concepts of IPSec, the different modes, selectors, security associations, and security policy are discussed. Chapters Five and Six discuss in detail the two protocols used to protect IP, the Encapsulating Security Payload and the Authentication Header, respectively. 
Construction and placement of protocol headers is discussed as are input and output processing rules. Chapter Seven is an in-depth discussion of the Internet Key Exchange. The different phases of negotiation, the different exchanges, the various authentication methods, and all the negotiable options are explained. Part Three is Chapters Eight through Eleven. Chapter Eight is a discussion of policy and its implication on IPSec. An architecture to support IPSec policy and a policy module is presented. Chapter Nine presents the issues surrounding the implementation of IPSec in a TCP/IP stack, in a platform-independent manner. Chapter Ten discusses different IPSec deployments: end-to-end security, virtual private networks, and the "road warrior" situation. Chapter Eleven discusses future work items for the IPSec community. These include integrating network layer compression with IPSec, extending IPSec to multicast traffic, issues associated with key recovery, IPSec interaction with the Layer Two Tunneling Protocol (L2TP), and public-key infrastructures.

269 citations


Journal ArticleDOI
TL;DR: Several popular and widely deployed models of PKI are argued against as being insecure, unscalable, or overly inconvenient.
Abstract: If Alice and Bob each know their own private key and the other's public key, they can communicate securely, through any number of public key based protocols such as IPSec, PGP, S/MIME, or SSL. However, how do they know each other's public keys? The goal of a public key infrastructure (PKI) is to enable secure, convenient, and efficient discovery of public keys. It should be applicable within as well as between organizations, and scalable to support the Internet. There are various types of PKI that are widely deployed or have been proposed. They differ in the configuration information required, trust rules, and flexibility. There are standards such as X.509 and PKIX, but these are sufficiently flexible so that almost any model of PKI can be supported. We describe several types of PKI and discuss the advantages and disadvantages of each. We argue against several popular and widely deployed models as being insecure, unscalable, or overly inconvenient. We also recommend a particular model.

269 citations


01 Mar 1999
TL;DR: This document defines the basic protocol mechanisms of Photuris, a session-key management protocol intended for use with the IP Security Protocols (AH and ESP).
Abstract: Photuris is a session-key management protocol intended for use with the IP Security Protocols (AH and ESP). This document defines the basic protocol mechanisms.

184 citations


01 Jan 1999
TL;DR: An evaluation of IPsec based on the November 1998 RFCs for IPsec found that it is probably the best IP security protocol available at the moment, but its main criticism is its complexity.
Abstract: In February 1999, we performed an evaluation of IPsec based on the November 1998 RFCs for IPsec [KA98c, KA98a, MG98a, MG98b, MD98, KA98b, Pip98, MSST98, HC98, GK98, TDG98, PA98]. Our evaluation focused primarily on the cryptographic properties of IPsec. We concentrated less on the integration aspects of IPsec, as neither of us is intimately familiar with typical IP implementations. IPsec was a great disappointment to us. Given the quality of the people that worked on it and the time that was spent on it, we expected a much better result. We are not alone in this opinion; from various discussions with the people involved, we learned that virtually nobody is satisfied with the process or the result. The development of IPsec seems to have been burdened by the committee process that it was forced to use, and it shows in the results. Even with all the serious criticisms that we have on IPsec, it is probably the best IP security protocol available at the moment. We have looked at other, functionally similar, protocols in the past (including PPTP [SM98, SM99]) in much the same manner as we have looked at IPsec. None of these protocols come anywhere near their target, but the others manage to miss the mark by a wider margin than IPsec. This difference is less significant from a security point of view; there are no points for getting security nearly right. From a marketing point of view, this is important. IPsec is the current “best practice,” no matter how badly that reflects on our ability to create a good security standard. Our main criticism of IPsec is its complexity. IPsec contains too many options and too much flexibility; there are often several ways of doing the same or similar things. This is a typical committee effect. Committees are notorious for adding features, options, and additional flexibility to satisfy various factions within the committee. 
As we all know, this additional complexity and bloat is seriously detrimental to a normal (functional) standard. However, it has a devastating effect on a security standard. It is instructive to compare this to the approach taken by NIST for the development of AES [NIST97a, NIST97b]. Instead of a committee, NIST organized a contest. Several small groups each created their own proposal, and the process is

178 citations


Journal ArticleDOI
Refik Molva
TL;DR: The IPsec architecture including security protocols in the Internet Layer and the related key management proposals are introduced, and the transport layer security protocol and security issues in the network control and management are presented.

75 citations


Journal ArticleDOI
TL;DR: The design and the implementation of a public key management system that can be used with IETF basic and route optimized Mobile IP, known as the Mobile IP Security (MoIPS) system, is presented.
Abstract: The need for scalable key management support for Mobile IP, especially the route-optimized Mobile IP, is well known. In this paper, we present the design and the implementation of a public key management system that can be used with IETF basic and route optimized Mobile IP. The system, known as the Mobile IP Security (MoIPS) system, was built upon a DNS based X.509 Public Key Infrastructure and the innovation in cross certification and zero-message key generation. The system can supply cryptographic keys for authenticating Mobile IPv4 location management messages and establishing IPSec tunnels for Mobile IP redirected packets. It can also be used to augment firewall traversal of Mobile IP datagrams. A FreeBSD UNIX implementation of the MoIPS prototype is available for non-commercial uses.

71 citations


01 Oct 1999
TL;DR: This document describes a security model by which tunnel-mode IPsec security can be architected on NAT devices and describes how security policies may be transparently communicated to IKE (for automated KEY exchange) during Quick Mode.
Abstract: There are a variety of NAT flavors, as described in [Ref 1]. Of the domains supported by NATs, only Realm-Specific IP clients are able to pursue end-to-end IPsec secure sessions. However, all flavors of NAT are capable of offering tunnel-mode IPsec security to private domain hosts peering with nodes in an external realm. This document describes a security model by which tunnel-mode IPsec security can be architected on NAT devices. A section is devoted to describing how security policies may be transparently communicated to IKE (for automated KEY exchange) during Quick Mode. Also outlined are applications that can benefit from the Security Model described.

62 citations


Patent
12 Aug 1999
TL;DR: In this article, a pseudo-connection memory block is allocated with the creation of each socket and IPSec security binding information is stored in the pseudo connection memory block on a first packet.
Abstract: IPSec rules are searched in an improved manner to reduce processing overhead. For selected connectionless protocols, packets are treated as if they were part of a simulated connection. A pseudo-connection memory block is allocated with the creation of each socket and IPSec security binding information is stored in the pseudo-connection memory block on a first packet. Thereafter, as long as the source address and port in incoming packets on the same socket or destination address and port in outgoing packets on the same socket remain the same, the packets are treated as part of a simulated connection. The security rules are not searched again until the simulated connection terminates or the static rule table is modified. In the preferred embodiment, security binding is made only to the static rule or placeholder.

53 citations


Proceedings ArticleDOI
24 May 1999
TL;DR: This paper presents the motivations, design, and prototype implementation of the DECIDUOUS framework, which defines a collaborative protocol for inter-domain attack source identification in a single administrative domain.
Abstract: DECIDUOUS is a security management framework for identifying the sources of network-based intrusions. The first key concept in DECIDUOUS is dynamic security associations, which efficiently and collectively provide location information for attack sources. DECIDUOUS is built on top of the IETF's IPSEC/ISAKMP infrastructure, and it does not introduce any new network protocol for source identification in a single administrative domain. It defines a collaborative protocol for inter-domain attack source identification. The second key concept in DECIDUOUS is the management information integration of the intrusion detection system (IDS) and attack source identification system (ASIS) across different protocol layers. For example, in DECIDUOUS, it is possible for a network-layer security control protocol (e.g., IPSEC) to collaborate with an application-layer intrusion detection system module (e.g., IDS for the SNMP engine). In this paper, we present the motivations, design, and prototype implementation of the DECIDUOUS framework.

52 citations


Proceedings ArticleDOI
23 Jun 1999
TL;DR: The paper shows that despite the use of authenticated registration messages and replay protection, the current registration protocol suffers from a possible replay attack, and proposes a new secure authentication protocol that employs only minimal use of public key cryptography.
Abstract: The ubiquity of the Internet and explosive growth in wireless networking in recent years increasingly urge the demand to support mobility within the Internet, which is what Mobile IP aims to provide. This paper is concerned with the security aspect of the registration protocol in Mobile IP. The paper shows that despite the use of authenticated registration messages and replay protection, the current registration protocol suffers from a possible replay attack. The paper also analyzes a proposed extension of Mobile IP that aims to provide public-key based authentication. It shows some drawbacks in the protocol design and then proposes a new secure authentication protocol that employs only minimal use of public key cryptography. Despite its practicality, the new protocol provides a scalable solution for authentication and non-repudiation, while placing only minimal computing and administration cost on the mobile node.

51 citations


01 Apr 1999
TL;DR: The mechanism described in this document is based on the Lightweight Directory Access Protocol (LDAP) v2, defining a profile of that protocol for use within the IPKI and updates encodings for certificates and revocation lists from RFC 1778.
Abstract: The protocol described in this document is designed to satisfy some of the operational requirements within the Internet X.509 Public Key Infrastructure (IPKI). Specifically, this document addresses requirements to provide access to Public Key Infrastructure (PKI) repositories for the purposes of retrieving PKI information and managing that same information. The mechanism described in this document is based on the Lightweight Directory Access Protocol (LDAP) v2, defined in RFC 1777, defining a profile of that protocol for use within the IPKI and updates encodings for certificates and revocation lists from RFC 1778. Additional mechanisms addressing PKIX operational requirements are specified in separate documents.

Book ChapterDOI
19 Apr 1999
TL;DR: Key management in network-layer security among mutually trusting hosts is similarly straightforward in the simplest case, and two hosts can use any key-agreement protocol to negotiate keys with one another, and simply use those keys as part of the encapsulating and decapsulating packet transforms.
Abstract: Network-layer security among mutually trusting hosts is a relatively straightforward problem to solve. The standard protocol technique, employed in IPSEC [KA98], involves “encapsulating” an encrypted network-layer packet inside a standard network packet, making the encryption transparent to intermediate nodes that must process packet headers for routing, etc. Outgoing packets are authenticated, encrypted, and encapsulated just before being sent to the network, and incoming packets are decapsulated, verified, and decrypted immediately upon receipt [IB93]. Key management in such a protocol is similarly straightforward in the simplest case. Two hosts can use any key-agreement protocol to negotiate keys with one another, and simply use those keys as part of the encapsulating and decapsulating packet transforms.

Patent
Luis Barriga, Rolf Blom
22 Oct 1999
TL;DR: In this paper, the authors proposed a scheme to move the security function to the mobile telephone or the independent access unit, where a lightweight security gateway or firewall is implemented, in order to enable an employee staying away from his ordinary office to communicate with the protected Intranet of his employer.
Abstract: In accordance with the disclosed method and arrangement, for the purpose of client authentication, private keys for digital certificates, or in general, any private or secret information that is necessary for client authentication can be stored in a personal SIM-card/smartcard and used in combination with the mobile telephone as a security gateway upon establishment of an IPsec tunnel. An employee staying away from his ordinary office may, by means of a personal independent access unit functioning as a security gateway, communicate with the protected Intranet of his employer. Such a scenario enables the employee to borrow any remote host in order to access the Intranet by means of a mobile communication network or a fixed network, e.g. PSTN. The solution is to move the security function to the mobile telephone or the independent access unit, preferably a wireless independent access unit, where a lightweight security gateway or firewall is implemented.

Proceedings ArticleDOI
31 Oct 1999
TL;DR: This paper studies how virtual private networking technology can be employed to protect the use of standards-based service management protocols (including FTP, Telnet, SNMP, and NTP) across heterogeneous firewall-protected networks, balancing the requirements of enterprise service management with the need for local-level network security.
Abstract: There has been tremendous growth within DoD of enterprise-wide COTS-based messaging and communications systems, including the Defense Message System, the Global Command and Control System, and the Global Combat Support System. To economize on development costs, standards-based protocols (including SMTP, SNMP, FTP, Telnet, and HTTP) are used to implement the underlying functionality of these systems, including messaging and service management. Vulnerabilities in such standards-based protocols have been identified, and security over the Internet and its connected systems has become an ever-increasing concern. Network security policies have been created to address the dilemma of protecting local systems from external attack while permitting easy communications between authorized parties. A burgeoning industry of firewall manufacturers has arisen to meet the challenge of implementing these policies effectively, safely, and reliably. Virtual private networking (VPN) technology was developed to enable separate firewall-protected enclaves to safely exchange data over unsecured networks. This technology is still maturing and standardized (using IPSec, ISAKMP, and DES encryption) to enable separate VPN implementations to interoperate over shared networks. This paper studies how virtual private networking technology can be employed to protect the use of standards-based service management protocols (including FTP, Telnet, SNMP, and NTP) across heterogeneous firewall-protected networks, balancing the requirements of enterprise service management with the need for local-level network security.

Proceedings ArticleDOI
01 Nov 1999
TL;DR: This work derives a design of group (multicast) protocols from two-party ones, which maintains the efficiency of the basic design and preserves provable security, and enables us to achieve efficient and secure protocols for a large variety of group tasks.
Abstract: The design of simple cryptographic protocols for elementary two-party (session oriented) tasks (such as entity authentication and key transport) has had a history (starting with [NS78]) where security has been quite evasive. Only recently we have seen protocol designs which are both provably secure and efficient. Currently, much attention of the designers of network systems and services is directed towards group operations, which will enable such important tasks as one-to-many distribution of content, group collaborative efforts, etc. over the Internet and Intranets [Be98]. Rather than designing each group oriented task from scratch, we move in this work towards a more methodological approach, which derives a design of group (multicast) protocols from two-party ones. The approach, which we call secure protocol expansion, maintains the efficiency of the basic design and at the same time preserves provable security. It enables us to achieve efficient and secure protocols for a large variety of group tasks. We consider basic group authentication and key transport protocols, as well as functional protocol extensions like multicast perfect forward secrecy, group access-control, group announcement and termination.

Proceedings ArticleDOI
17 Oct 1999
TL;DR: An architecture for the management of QoS-enabled virtual private networks (VPNs) over the Internet based on the concept of service brokers is described, which is used for communication between different domains as well as within domains.
Abstract: This paper describes an architecture for the management of QoS-enabled virtual private networks (VPNs) over the Internet. The architecture focuses on two important issues of VPNs: security and quality-of-service (QoS). The security achieved in VPNs is based on IPSec tunnels, while QoS can be supported by mechanisms as proposed by the differentiated services currently being defined by the IETF. We describe an architecture that is based on the concept of service brokers. These service brokers are used for communication between different domains (such as ISP and customer networks) as well as within domains. The architecture described in the paper is currently being implemented as part of the CATI project funded by the Swiss National Science Foundation (SNF).

Patent
Edward B. Boden
29 Jan 1999
TL;DR: In this paper, the authors present an approach that employs filter collision detection and eliminates order dependency collisions among a set of connection filters, which are used to select the correct IP datagrams and cause each to be processed by the appropriate IPsec Security Associations.
Abstract: Virtual Private Networking (VPN) is an emerging technology area enabling e-business on the Internet. A key underlying VPN technology is IP Security (IPsec), for providing private (encrypted and authenticated) secure data transmission over public (Internet) networks. The definition of what data to protect ultimately results in IP filter rules, loaded to the operating system kernel. These are used to select the correct IP datagrams and cause each to be processed by the correct IPsec Security Associations. Connection filters which are used to implement VPN connections are dynamic, and must be inserted and deleted within the currently installed set of IP filters (non-VPN related). IP filter order is crucial to proper functioning. Micro filter placement employs filter collision detection and eliminates order dependency collisions among a set of connection filters.

Book ChapterDOI
20 Sep 1999
TL;DR: The paper introduces and discusses the Photuris anti-clogging mechanism, derives some design considerations, and elaborates on possibilities to use similar techniques to improve an existing HTTP state management protocol and to protect TCP/IP implementations against TCP SYN flooding attacks.
Abstract: Many cryptographic key exchange and management protocols involve computationally expensive operations, such as modular exponentiations, and are therefore vulnerable to resource clogging attacks. This paper overviews and discusses the basic principles and the rationale behind an anti-clogging mechanism that was originally designed and proposed to protect the Photuris Session Key Management Protocol against resource clogging attacks. The mechanism was later approved by the IETF IPsec WG to be included into the Internet Key Management Protocol (IKMP) or Internet Key Exchange (IKE) protocol respectively. The paper introduces and discusses the Photuris anti-clogging mechanism, derives some design considerations, and elaborates on possibilities to use similar techniques to improve an existing HTTP state management protocol and to protect TCP/IP implementations against TCP SYN flooding attacks.

Journal ArticleDOI
TL;DR: RFC 2409 provides a suite of Internet key exchange protocols and a security flaw is observed and a simple modification proposed.
Abstract: RFC 2409 provides a suite of Internet key exchange (IKE) protocols. A security flaw in these IKE protocols is observed and a simple modification proposed.

Journal ArticleDOI
TL;DR: Two sets of alternatives that extend the wired VPDN service model over the various wireless access network technologies are described and compared in terms of their flexibility, hand-off latency, and bandwidth overhead.
Abstract: Virtual private dial-up networking (VPDN) allows mobile users to access their corporate networks through the same infrastructure they use to access the Internet. The data networking industry has produced various protocols — for example, Layer 2 forwarding (L2F) and point-to-point tunneling protocol (PPTP) — to provide VPDN services. Based on these protocols, a new integrated VPDN protocol, Layer 2 tunneling protocol (L2TP), is currently being designed by the Internet Engineering Task Force (IETF). However, this solution is only meant to deal with a wired network environment. In this paper, we describe and compare different solutions that extend the wired VPDN service model over the various wireless access network technologies. The first set of solutions uses network-layer protocols such as IETF's mobile Internet protocol (IP) to perform macromobility management. In addition, IETF's secure IP (IPSEC) protocols may be used when security features are desired. The first set of solutions differs from the wired VPDN model only in terms of the location of the home agent (whether it resides in the access provider's network or the corporate network) and the availability of a hierarchical architecture to minimize hand-off latency. The second set of solutions uses both link-layer (for example, L2TP) and network-layer (for example, mobile IP) protocols to perform macromobility management. Some alternatives require the mobile hosts to play a more proactive role — for example, the voluntary tunneling approach. We briefly describe and compare the two sets of alternatives in terms of their flexibility, hand-off latency, and bandwidth overhead.

Proceedings ArticleDOI
05 Dec 1999
TL;DR: Benefits of the proposed scheme include fewer UDP/IP connections between gateways, a reduced possibility of congestion at intermediate IP routers, and a reduction of processing delays in multiprotocol label switching (MPLS), differentiated service (diff-serv) and IP security (IPsec) environments.
Abstract: We describe a new method to multiplex a number of low bit rate audio streams into a single RTP stream between IP telephony gateways. Audio frames from different users are assembled into a multiplexed RTP payload thus reducing the overhead of RTP/UDP/IP headers. To maintain distinction between the multiplexed audio streams sharing a single RTP stream, a 2-byte mini-header is added to each frame of an audio stream. A unique channel identifier is associated between the peer gateway entities by means of signaling procedures. Major applications of this method will be in the areas of IP telephony gateways that interconnect PSTN/PBX systems and cellular access networks. Results have indicated that the overhead is reduced by 50% to 80% depending on the size of the audio frame. Other advantages of the proposed scheme include fewer UDP/IP connections between gateways, a reduced possibility of congestion at intermediate IP routers, and a reduction of processing delays in multiprotocol label switching (MPLS), differentiated service (diff-serv) and IP security (IPsec) environments.

Patent
02 Sep 1999
TL;DR: In this article, a method and apparatus for use in a data processing system for selecting rules to filter data for a tunnel is presented, where a request is received to create a tunnel to another data processing system.
Abstract: A method and apparatus for use in a data processing system for selecting rules to filter data for a tunnel. A request is received to create a tunnel to another data processing system. A granularity of information about the data processing system is identified to form an identified granularity. The identified granularity of the information about the data processing system is used to select a rule, which matches the identified granularity. This rule is placed in a filter, wherein the filter associates data packets with the tunnel.

Proceedings ArticleDOI
19 Sep 1999
TL;DR: A set of rules for optimizing TCP without interfering with IPsec are provided and an efficient key distribution algorithm is introduced that can handle a large dynamic group.
Abstract: Security is an important issue in IP over satellite, since an attacker can easily intercept such communication and can even corrupt the transmitted data. In the first part of the paper we address the implications of optimizing the transport control protocol (TCP) on the security services provided by the IPSec protocol suite. We provide a set of rules for optimizing TCP without interfering with IPsec. In the second part of the paper, we address IP multicast security issues. We also introduce an efficient key distribution algorithm that can handle a large dynamic group.

01 Mar 1999
TL;DR: This document specifies ICMP messages for indicating failures when using IP Security Protocols (AH and ESP).
Abstract: This document specifies ICMP messages for indicating failures when using IP Security Protocols (AH and ESP).

Book
03 Oct 1999
TL;DR: A review of Traditional IP Addressing and Classless Addressing, and Deploying Basic Quality of Service Features, and Managing Routing Protocols.
Abstract:

I. MANAGING ROUTING.

1. Managing Your IP Address Space. Review of Traditional IP Addressing. Subnetting a Classful Address Space. Major Nets and Subnet Masks. Classful Subnetting: An Example. Calculating the Number of Host Addresses in a Subnet. Finding Subnet Information, Given a Host Address and the Mask. Disadvantages of Subnetting. The Rules on Top and Bottom Subnets. Using Subnet-Zero to Get Around the Rules. Subnetting with Variable Length Subnet Masks. Using VLSM for Address Space Efficiency: An Example. Final VLSM Results for Widget, Inc. Overview of Classless Addressing. Using VLSM Techniques with Classless Addressing. Routing Protocols and Classless Addressing. Planning for Address Summarization. Conserving Subnets with IP Unnumbered. Scaling the Address Space with Network Address Translation. Translating Private Addresses into Public Addresses. Configuring NAT. Creating a Pool of Discontiguous Addresses. Configuring Static NAT. Special Applications and NAT. More Important Points on NAT. Summary.

2. Deploying Interior Routing Protocols. A Brief Review of Internetworking. Deploying RIP. Directly Connected Networks. Configuring RIP. Verifying RIP Configuration. Deploying IGRP. Configuring IGRP. Verifying IGRP Configuration. Deploying Enhanced IGRP. Configuring EIGRP. Verifying EIGRP Configuration. Deploying OSPF. Configuring OSPF. Verifying OSPF Configuration. Summary.

3. Managing Routing Protocols. Configuring Passive Interfaces. Filtering Routing Updates. Managing Redistribution. Configuring Redistribution--RIP and OSPF. Redistributing into IGRP and EIGRP. Understanding Administrative Distance. Controlling Redistribution Loops with Route Filters. Resolving Issues with VLSM and Classful Routing Protocols. Leveraging Default Routing. Propagation of Default Routes. Originating a Default Route with RIP. Originating a Default Route with IGRP. Originating a Default Route with EIGRP. Originating a Default Route with OSPF. Default Routing and Classful Behavior. Configuring Route Summarization. Understanding EIGRP Auto-Summarization. Configuring EIGRP Summarization. Configuring OSPF Summarization Between Areas. Configuring OSPF Summarization During Redistribution. Deploying Policy Routing with Route Maps. Forwarding Traffic with Route Maps. Classifying Packets with Route Maps. Setting Next-Hop and Precedence in Tandem. Other Policy-Routing Commands. Summary.

II. MANAGING QUALITY OF SERVICE.

4. Deploying Basic Quality of Service Features. The Case for QoS. Queuing in a Router. First-In, First-Out Queuing. FIFO: An Example. Priority Queuing. Queuing and Classifying Packets with Priority Queuing. Priority Queuing Strategy. Configuring Priority Queuing. Verifying the Priority Queuing Configuration. Adjusting the Queue Sizes in Priority Queuing. Custom Queuing. Configuring Custom Queuing. Verifying the Custom Queuing Configuration. Adjusting the Queue Sizes in Custom Queuing. Understanding IP Precedence. Setting IP Precedence. QoS Benefits of IP Precedence. Diffserv Redefines IP Precedence. Weighted Fair Queuing. Configuring Weighted Fair Queuing. Fair Queuing in Action. Fair Queuing Versus FIFO. Weighting and IP Precedence. Weighted Fair Queuing on a Network. Summary.

5. Deploying Advanced Quality of Service Features. Resource Reservation Protocol. RSVP Admission Control. RSVP Signaling Versus Bulk Data. The RSVP Signaling Process. RSVP and Weighted Fair Queuing. Configuring RSVP. Verifying RSVP Configuration. Configuring IOS as a Proxy for Path and Resv Messages. RSVP Scaling Considerations. Random Early Detection. Dynamics of Network Congestion and Tail Drops. Global Synchronization. TCP Slow Start. Ill Effects of Global Synchronization and TCP Slow Start. How RED Works. RED and IP Precedence (Weighted RED). Configuring WRED. Verifying WRED Configuration. Committed Access Rate. Rate Policies. Configuring Cisco Express Forwarding. Configuring CAR. Validating CAR Configuration. Class-Based WFQ. Configuring CBWFQ. Verifying CBWFQ. Summary.

III. MANAGING SECURITY.

6. Deploying Basic Security Services. Controlling Traffic with Access Control Lists. Filtering Traffic with Access Lists. Standard IP Access Lists. Important Points for Designing Access Lists. The Invisible Rule in Every Access List. Extended IP Access Lists. Access Lists for Combating Spoofing Attacks. Securing Access to the Router. Securing the Enable Mode of a Router. Securing Telnet Access. Securing Access to the Console Port. Deploying Authentication, Authorization, and Accounting. Authentication, Authorization, and Accounting. Configuring Authentication for Network Access over PPP. Using the Default Authentication List. Configuring Authentication for Router Logins. The Local Username Database. Configuring Authorization. Configuring Accounting. Pointing the Router to the RADIUS or TACACS+ AAA Server. Other IOS Commands for Basic Security. Disable TCP and UDP Small Servers. Disable IP Source Routing. Disable CDP on Public Links. Disable Directed Broadcasts on Interfaces. Summary.

7. Advanced Security Services, Part I: IPsec. IPsec Enables Virtual Private Networks. Benefits of IPsec's Layer 3 Service. Basic IPsec Security Concepts and Cryptography. Confidentiality (Encryption). Integrity. Hashing Algorithms: Examples with Message Digest 5. Origin Authentication. Anti-Replay. IPsec Concepts. Peers. Transform Sets. Security Associations. Transport and Tunnel Modes. Authentication Header and Encapsulating Security Payload. Internet Key Exchange. Tying All of the Pieces Together: A Comprehensive Example with IPsec and IKE. Configuring IKE. Configuring IKE with Pre-Shared Keys. Configuring IKE with RSA Encryption. Configuring IKE with RSA Signatures and Digital Certificates. Additional Commands for IKE. Validating IKE Configuration. When Are IKE SAs Established? Configuring IPsec. Crypto Maps. Crypto Map Configuration Overview. Configuring Crypto Access Lists. 
Crypto Access Lists: An Example. Configuring IPsec Transform Sets. Configuring and Applying Crypto Maps. When Are SAs Established? Configuring IPsec SA Lifetimes. Configuring Perfect Forward Secrecy. Configuring Dynamic Crypto Maps. Tunnel Endpoint Discovery. Validating IPsec Configuration. Troubleshooting IPsec and IKE. Check Configurations and Show Commands. Enable Debugging and Clearing Existing SAs. Summary. 8. Advanced Security Services, Part II: IOS Firewall Feature Set. IOS Firewall Fundamentals. Defending the Perimeter Against Attacks. How Context-Based Access Control Works. Configuring CBAC. CBAC Example: A Basic Two-Port Firewall. Validating CBAC Configuration. Configuring CBAC Inspection of Other Applications. Adjusting CBAC Timers and Thresholds. Adjusting CBAC Session Timers. Overriding Global Timers with Inspection Rules. Adjusting CBAC Denial of Service Thresholds. Enabling Auditing of Sessions. CBAC with a Demilitarized Zone. Basic Security Commands for the Firewall Router. Configuring the Inspection Rule. Configuring the Private Network Interface. Configuring the DMZ Network Interface. Configuring the Internet Interface. Notes on CBAC Performance. Configuring Java Applet Blocking for Security. The IOS Intrusion Detection System. Configuring IDS. Additional Commands for IDS. Summary. IV. APPENDIXES. Appendix A: Obtaining IETF RFCs. Via the World Wide Web. Via FTP. Via E-Mail. Finding Current RFCs. Authoring RFCs. Appendix B: Retrieving Internet Drafts. Via the World Wide Web. Via FTP. Via E-Mail. Authoring Internet Drafts. Appendix C: Common TCP and UDP Ports. Appendix D: Password Recovery. Recovering a Lost Password on Most Router Models. Recovering a Lost Password on Other Router Models. Appendix E: A Crash Course in Cisco IOS. Connecting to the Router. Connect via Direct Serial Cable to the Console Port. Connect via Telnet over the IP Network. Connect via the AUX Port or Other Asynchronous Serial Port. Modes. User EXEC Mode. 
Privileged EXEC Mode (Enable Mode). Global Configuration Mode. Interface Configuration Mode. Subinterface Configuration Mode. Line Configuration Mode. Other Configuration Modes. Context-Based Help, Navigation, and Line Editing. Context-Based Help. Navigation. Line Editing. Common IOS Commands. Extended Ping. Extended Traceroute. Common Configuration Tasks. The Setup Utility (Initial Configuration Dialog). Set the Enable Password. Set the Router's Hostname. Make a Banner. Set the System Clock and Date. Set the Domain Name. Set the Name Server(s). Populate the Router's Local Host Table. Set SNMP Community Strings. Set SNMP Trap Hosts. Enable the Router to Send SNMP Traps. Point the Router to a Syslog Server. Configure Timestamping of System and Debug Messages. Point the Router to a Network Time Protocol (NTP) Server. Set the Time Zone. Set Daylight Saving Time Information. Configure a Static Route. Configure a Default Route. Configure an IP Address on an Interface. Other Interface Configuration Tasks. Configure the Location of the Boot Image. Retract (undo) Configuration Commands. Common Show Commands. General Show Commands. Resource Show Commands. Interface Show Commands. Network Show Commands. Routing Show Commands. Using the Router as a Terminal Server (Communications Server). Enabling IOS Web-Based Management. Bibliography. Index.

Book
28 Jul 1999
TL;DR: The text begins with a thorough introduction to telecommunications, and progresses logically from basic concepts to transmission and interface standards, data integrity, security, architectures, protocols, and networking.
Abstract: From the Publisher: The scope, clarity, and readability of the latest edition of this widely used book make data communications accessible to the novice and yet at the same time challenging enough for the engineer or technical professional. By drawing on practical examples to explain technical concepts, this book demystifies data communications. It introduces the language of data communications, making the reader literate in relevant terminology, concepts, hardware, software, protocols and architectures. The text begins with a thorough introduction to telecommunications. It then progresses logically from basic concepts to transmission and interface standards, data integrity, security, architectures, protocols and networking. The third edition concludes with perspectives on current and future trends in digital telecommunications. New features in the third edition: provides enhanced coverage of the Internet (access technologies such as Digital Subscriber Line (DSL), cable modems, and ISDN lines; intranets versus the Internet, thin clients, and network computers); includes expanded coverage of protocols (TCP/IP, SMTP, MIME, HTTP, Telnet, Rlogin, FTP, UDP, SNMP, SLIP, and PPP); describes the latest high-speed LAN environments (Fast Ethernet, Gigabit Ethernet, High-Speed Token Ring, and Layer 2-4 switching); expands the coverage of network management (SNMP and RMON); describes mechanisms used to enhance security (S/MIME, SSL, IPSec, and virtual private networks); provides enhanced coverage of wireless networks (AMPS, ETACS, CDMA, TDMA, and GSM); provides updates on interface and transmission technology (V.90 56 kbps modems versus traditional modems, USB and FireWire interfaces, and WDM); explains changes in the telecommunications industry; expands the glossary to include over 1,100 terms and acronyms; offers a companion website with supplemental material.

Journal ArticleDOI
TL;DR: Surveying a variety of Internet targets, the author discusses likely attackers and their techniques and offers defense mechanisms for protecting system integrity and blocking such attacks.
Abstract: The general-purpose computing environment that characterizes the PC and Internet was not designed for privacy or integrity. Surveying a variety of Internet targets, the author discusses likely attackers and their techniques. He offers defense mechanisms for protecting system integrity and blocking such attacks.

Book
24 Sep 1999
TL;DR: This chapter discusses L2TP Deployment Models, Compulsory versus Voluntary Tunneling, VPN Performance Considerations, and an Overview of the Control Channel Dynamics.
Abstract: Preface 1 Background Remote Access Telecommuters-Small Office/Home Office Remote Office/Branch Office Partner Virtual Private Networks Open System Interconnect Model Point-to-Point Protocol Sublayers The Layer 2 Role of PPP The Layer 3 Role of PPP Physical Layer Assumptions Control Protocol Operation Chronological Operation of PPP Summary 2 L2TP Basics Layer 2 Role of LAC Layer 2 Role of LNS Virtual Layer 1 History L2TP Patent Issues 3 L2TP Deployment Models VPN Deployment Models LAC Deployment, Distribution, and Support LNS Deployment, Distribution, and Support LNS "in the Cloud" Compulsory versus Voluntary Tunneling VPN Performance Considerations Multibox Multilink PPP Compulsory Tunneling Solution NAS Pool Solution Combined VPN Service and LNS Pool Solution Performance Implications Comparing L2TP to L2F and PPTP Asymmetric Digital Subscriber Line Forum Model Other VPN Technologies IP Security Protocol Generic Routing Encapsulation Mobile IP Protocol Multiprotocol Label Switching Protocol Secure Shell Protocol 4 L2TP Protocol Overview Tunnel Structure and Terminology Protocol State Machines The Typical Life of a Tunnel Protocol Assumptions Non-IP Operation Separate LAC and Remote System Passive LAC Participation Protocol Difficulties Multilink PPP Link Awareness in LNS A Look Ahead 5 Control Connection State Machine State Machine IDLE State Send SCCRQ Actions WAIT-CTL-REPLY State Send SCCN Actions Notify Sessions Actions ESTABLISHED State Send SCCRP Actions WAIT-CTL-CONN State Send HELLO Actions Send StopCNN Actions CLEANUP-WAIT State Cleanup Actions Tunnel Authentication Initiating a Tunnel Tunnel Initiation Tie Breaker Comparing L2TP to L2F and PPTP Implementation Tips Handling Duplicate Received SCCRQ Messages Considering Timeout Conditions 6 Data and Control Messages Headers T Bit L Bit F Bit S Bit Control Bit Handling and Reserved Bits Version Length Tunnel ID Call ID Ns Nr Offset Size Offset Pad Control Message Format Attribute Value Pairs M Bit H 
Bit Control Bit Handling and Reserved Bits Overall Length Vendor ID Attribute Value Hiding and Unhiding Algorithms AVP Hiding Algorithm AVP Unhiding Algorithm AVP Unhiding Algorithm with No Separate Storage Area Restrictions on Hiding AVPs Comparing L2TP to L2F and PPTP Implementation Tips Meaning of AVP Mandatory Bit The Order of AVPs SCCRQ, SCCRP, and SCCCN AVPs Can Be Hidden Odd AVP Conditions 7 Control Channel Dynamics An Overview of the Control Channel Sequence Number Handling The Reliable Delivery Sender The Sender Window Sender Actions The IDLE State Send Msg, Set Timer Actions The Operating State Send Msg Actions The MaxReTx? Predicate Retransmit, Set New Timeout Actions Notify State Machine Actions The Done State Stop Timer, Free Msg Actions The Window Empty? Predicate The New Lead Ack'd Predicate Free Msg Actions Restart Timer Actions The Reliable Delivery Receiver The RecvMsg Event The ZLB? Predicate The In Window? Predicate ACK Event for Sender Actions The Duplicate? Predicate The Ns == Sr? Predicate Insert in RecvQueue Actions Send Msg up to SM, Sr++ Actions The Q Empty? Predicate The Q Head Ns == Sr? Predicate Dequeue Head Msg Actions The Before Window? 
Predicate Drop Msg Actions Note Ack Needed Actions The Message Delivery Process: An Example T = 0, LocalMsg for Peer A T = 10, Peer A Retransmits T = 11, Peer B Receives Message with Ns = 58, Nr = 37 T = 15, LocalMsg for Peer B T = 16, Peer A Receives Message, Ns = 37, Nr = 59 T = 21, Peer A Sends ZLB, Ns = 59, Nr = 38 T = 22, Peer B Receives ZLB, Ns = 59, Nr = 38 Packet Trace Summary Comparing L2TP to TCP Three-way Handshake Initiation Initial Sequence Numbers The Meaning of Sequence Numbers Sliding Window Comparing L2TP to L2F and PPTP Implementation Tip: Checking Sequence Number Ordering 8 Session Setup Incoming Calls Incoming Call LAC State Machine Incoming Call LNS State Machine Outgoing Calls Outgoing Call LNS State Machine Outgoing Call LAC State Machine LCP Considerations LAC Frame Inspection and Negotiation/Translation Proxy LCP Proxy Authentication Comparing L2TP to L2F and PPTP Implementation Tips Including Last-Sent LCP CONFREQ AVPs Proxy CHAP Not Secure to LNS Tunnel Teardown LCP Issues 9 Data Handling PPP Frame Handling Synchronous versus Asynchronous Framing LNS Frame Handling LAC Frame Handling for HDLC LAC Frame Handling for non-HDLC Tunnel Substrate Considerations Packet Delay Fragmentation Silent Packet Loss Reordering and Duplication Multilink PPP Coincidental MP Tunneling Multibox Multilink Performance Round-Trip Time Packet Loss and PPP Protocols with History Packet Loss and Packet Reordering Trade-off The Trade-Offs in Performance Comparing L2TP to L2F and PPTP Implementation Tips VJ Compression and Silent Packet Loss Is Bad Endpoint Discriminator with Coincidentally Tunneled MP Backward Compatibility with Draft 12 Data Flow Control 10 Security Control Channel Security PPP Security Authentication Encryption L2TP Security Summary Weak Connection Authentication Limited Encryption Scope Poor Encryption Key Management No Message Authentication No Message Integrity No Replay Protection Transport Mode IPSEC Security Associations Connection 
Authentication Encryption Authentication/Integrity Replay Protection L2TP-Specific IPSEC Issues L2TP Components and Security Overview The LAC/LNS Trust Relationship Comparing L2TP to L2F and PPTP Implementation Tips Avoid or Adjust for PAP Trusting Proxy CHAP Challenges Randomness Keep "Backdoor" Holes in Mind Further Reading on IPSEC 11 SNMP Management Interface Layering Management Information Base l2tpTunnelConfigTable l2tpDomainConfigTable l2tpDomainStatsTable l2tpTunnelStatsTable l2tpSessionStatsTable Mapping Tables 12 Future Direction and Resources Protocol Summary Future Direction Resources Internet Engineering Task Force PPP IPSEC Bakeoffs Appendix: Draft 12 Data Flow Control Summary of Implementations Receive Window Size AVP in Call Establishment R Bit in Data Message Header Adaptive Timeouts and Piggybacking Draft 12 Specifications Glossary Bibliography Index

Proceedings ArticleDOI
12 Nov 1999
TL;DR: This work used off-the-shelf hardware and open-source software to create a platform to provide IP security and other services for in-home networks, with special attention to the needs of telecommuters.
Abstract: We have implemented a system for virtual private networking, with special attention to the needs of telecommuters. In particular, we used off-the-shelf hardware and open-source software to create a platform to provide IP security and other services for in-home networks. Our experience has taught us a number of things about the scalability of the FreeS/WAN IPsec system, about the widespread mis-handling of path-MTU discovery on the Internet, and about the implications of tunnels on the basic architecture of the network.
Additional Keywords: VPN, Linux, Residential Gateway, MSS, fragmentation.
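The path-MTU and MSS problems named in this abstract come from a simple arithmetic fact: ESP tunnel mode wraps every inner packet in a new IPv4 header, an ESP header, a CBC IV, padding, a trailer and an ICV, so a 1500-byte inner packet no longer fits a 1500-byte link, and if the resulting ICMP "fragmentation needed" message is filtered somewhere on the path, TCP connections through the tunnel stall. The block below is an added example, not code from the paper or from FreeS/WAN. It computes the ESP tunnel-mode overhead for the RFC 2406 layout (8-byte SPI/sequence header, CBC IV, 2-byte trailer, 12-byte truncated HMAC ICV), derives the largest inner packet and the TCP MSS to clamp to, and shows the decision a tunnel entry point has to make for an oversized packet. The transform names, constants and the `pmtu_action` helper are assumptions made for the example; IPv4 without NAT traversal is assumed throughout.

```python
"""ESP tunnel-mode overhead, inner MTU, TCP MSS clamp and the PMTUD decision at
the tunnel entry point.  Added example for illustration; not the paper's code.
Assumes IPv4, ESP laid out per RFC 2406 (SPI + sequence number, CBC IV,
pad + 2-byte trailer, truncated HMAC ICV), tunnel mode, no NAT traversal."""

from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int    # cipher block size; encrypted part must be a multiple of it
    iv_len: int   # CBC IV carried in clear in front of the ciphertext
    icv_len: int  # truncated HMAC (12 bytes for HMAC-MD5-96 / HMAC-SHA1-96)


# Assumed example transforms (names chosen here, not taken from the page).
TRIPLE_DES_SHA1 = EspTransform("3des-cbc/hmac-sha1-96", block=8, iv_len=8, icv_len=12)
AES128_SHA1 = EspTransform("aes-128-cbc/hmac-sha1-96", block=16, iv_len=16, icv_len=12)


def esp_padding(inner_len: int, t: EspTransform) -> int:
    """Pad bytes so that inner packet + pad + trailer is block aligned."""
    return (-(inner_len + ESP_TRAILER)) % t.block


def encapsulated_len(inner_len: int, t: EspTransform) -> int:
    """On-the-wire size of an inner IPv4 packet after ESP tunnel encapsulation."""
    encrypted = inner_len + esp_padding(inner_len, t) + ESP_TRAILER
    return IPV4_HDR + ESP_HDR + t.iv_len + encrypted + t.icv_len


def inner_mtu(path_mtu: int, t: EspTransform) -> int:
    """Largest inner packet whose encapsulation still fits in path_mtu."""
    avail = path_mtu - IPV4_HDR - ESP_HDR - t.iv_len - t.icv_len
    avail -= avail % t.block           # encrypted part must be block aligned
    return avail - ESP_TRAILER


def mss_clamp(path_mtu: int, t: EspTransform) -> int:
    """TCP MSS to rewrite into SYNs so no segment ever exceeds inner_mtu.
    This is the workaround when ICMP fragmentation-needed is filtered."""
    return inner_mtu(path_mtu, t) - IPV4_HDR - TCP_HDR


def pmtu_action(inner_len: int, df: bool, path_mtu: int, t: EspTransform):
    """Decision for one inner packet arriving at the tunnel entry point.
    Returns ("forward", wire_len) if it fits, ("fragment-inner", limit) if DF
    is clear (fragment before encrypting, so the far gateway need not
    reassemble ESP), or ("icmp-frag-needed", limit) if DF is set.  The MTU
    advertised in that ICMP must be the *inner* limit, not the path MTU."""
    limit = inner_mtu(path_mtu, t)
    if inner_len <= limit:
        return ("forward", encapsulated_len(inner_len, t))
    if not df:
        return ("fragment-inner", limit)
    return ("icmp-frag-needed", limit)


def clamp_is_tight(path_mtu: int, t: EspTransform) -> bool:
    """Self-check: a full segment at the clamp fits, one byte more does not."""
    full = IPV4_HDR + TCP_HDR + mss_clamp(path_mtu, t)
    return (encapsulated_len(full, t) <= path_mtu
            and encapsulated_len(full + 1, t) > path_mtu)


if __name__ == "__main__":
    for t in (TRIPLE_DES_SHA1, AES128_SHA1):
        print(f"{t.name}: inner MTU {inner_mtu(1500, t)}, "
              f"MSS clamp {mss_clamp(1500, t)}, "
              f"1500-byte DF packet -> {pmtu_action(1500, True, 1500, t)}")
```

The numbers fall out directly: on a 1500-byte path a 3DES/SHA1 tunnel carries at most a 1446-byte inner packet (MSS 1406), and an AES-128/SHA1 tunnel at most 1438 bytes (MSS 1398). A residential gateway that clamps the MSS in forwarded SYNs to these values keeps TCP working even when the ICMP feedback that PMTUD relies on never arrives.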

Proceedings ArticleDOI
05 Oct 1999
TL;DR: This paper introduces a public key infrastructure (PKI) and user identification scheme for extranet applications; the flexibility of the system allows it to fit the usual hierarchical organization structure.
Abstract: An extranet is used to connect businesses with their suppliers, customers or other businesses that share common goals in a way that automates their administrative interactions using Internet technology. The security of the communications over the Internet is considered an essential feature. To guarantee secure operation, the aid of some user authentication infrastructure is needed. This paper introduces a public key infrastructure (PKI) and user identification scheme to be used in extranet applications. The flexibility of the system allows it to fit the usual hierarchical organization structure.