
Virtual Private Networks: Technologies and Solutions


  • Copyright 2001
  • Dimensions: 7-3/8x9-1/4
  • Pages: 336
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-70209-6
  • ISBN-13: 978-0-201-70209-5

Virtual private networks have become an essential part of today's business networks, as they provide a cost-effective means of assuring private internal and external communications over the shared Internet infrastructure. Virtual Private Networks: Technologies and Solutions is a comprehensive, practical guide to VPNs. This book presents the various technology components, concrete solutions, and best practices you need to deploy and manage a highly successful VPN.

Readers will find an overview of fundamental VPN concepts and architectures, followed by an in-depth examination of advanced features and functions such as tunneling, authentication, access control, VPN gateways, VPN clients, and VPN network and service management. Specific topics covered include:

  • IPsec, featuring the Authentication Header, Encapsulating Security Payload, Internet Key Exchange, and implementation details
  • PPTP, L2F, L2TP, and MPLS as VPN tunneling protocols
  • Two-party and three-party authentication, including RADIUS and Kerberos
  • Public key infrastructure (PKI) and its integration into VPN solutions
  • Access control policies, mechanisms, and management, and their application to VPNs
  • VPN gateway functions, including site-to-site intranet, remote access, and extranet
  • Gateway configuration, provisioning, monitoring, and accounting
  • Gateway interaction with firewalls and routers
  • VPN client implementation issues, including interaction with operating systems
  • Client operation issues, including working with NAT, DNS, and link MTU limits
  • VPN management architectures and tunnel and security management
  • Outsourcing and service provider environments

The book concludes with a forward look at the future of VPNs that examines such issues as security and quality of service (QoS). VPN scenarios throughout the book demonstrate how to put the described techniques and technologies to work in a real-world Virtual Private Network.
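The bullet above on client operation issues (NAT, DNS, and link MTU limits) and the "Fragmentation and MTU Issues" section of Chapter 10 come down to one concrete calculation: how many bytes an IPsec ESP tunnel adds to each packet, and therefore what MTU a VPN client's virtual adapter must use so that encapsulated packets are not fragmented on a 1500-byte link. The calculator below is an added example written for this page; it is not code from the book or its authors. It assumes the ESP layout of RFC 2406 (SPI and sequence number, IV, payload, padding, pad-length and next-header bytes, then the ICV), an IPv4 outer header with no options, 12-byte HMAC-96 ICVs, and no UDP encapsulation for NAT traversal; the cipher suites and the 1500-byte link MTU are sample inputs chosen for the example.

```python
"""ESP tunnel-mode overhead and MTU calculator.

Added example for this page, not code from the book. Assumptions (labelled
here because the page does not state them): RFC 2406 ESP layout, IPv4 outer
header without options (20 bytes), HMAC-*-96 truncated ICVs (12 bytes), and
no UDP encapsulation for NAT traversal. Suite parameters and the 1500-byte
link MTU below are sample inputs chosen for the example.
"""
from dataclasses import dataclass

IPV4_HEADER = 20          # outer IPv4 header, no options
ESP_HEADER = 8            # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2     # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspSuite:
    name: str
    block_size: int   # cipher block size; payload+padding+trailer aligns to it
    iv_len: int       # IV sent in clear between the ESP header and the payload
    icv_len: int      # authentication data (HMAC-96 => 12 bytes)


# Sample suites (assumed parameters, chosen for the example).
THREE_DES_SHA1 = EspSuite("3DES-CBC / HMAC-SHA1-96", block_size=8, iv_len=8, icv_len=12)
AES_SHA1 = EspSuite("AES-CBC / HMAC-SHA1-96", block_size=16, iv_len=16, icv_len=12)
NULL_MD5 = EspSuite("NULL / HMAC-MD5-96", block_size=4, iv_len=0, icv_len=12)  # 4-byte alignment only


def esp_padding(inner_len: int, suite: EspSuite) -> int:
    """Padding bytes so payload + padding + trailer is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER_FIXED)) % suite.block_size


def esp_tunnel_packet_len(inner_len: int, suite: EspSuite, outer_hdr: int = IPV4_HEADER) -> int:
    """Wire length of an inner IP packet once wrapped in ESP tunnel mode."""
    return (outer_hdr + ESP_HEADER + suite.iv_len
            + inner_len + esp_padding(inner_len, suite) + ESP_TRAILER_FIXED
            + suite.icv_len)


def max_inner_len(link_mtu: int, suite: EspSuite, outer_hdr: int = IPV4_HEADER) -> int:
    """Largest inner packet whose encapsulation still fits link_mtu.

    This is the MTU a VPN client should set on its virtual (tunnel) adapter
    so that outer packets never need fragmentation on the physical link.
    """
    fixed = outer_hdr + ESP_HEADER + suite.iv_len + suite.icv_len
    room = link_mtu - fixed            # bytes left for payload+padding+trailer
    room -= room % suite.block_size    # that region must be a block multiple
    return room - ESP_TRAILER_FIXED


def fits_without_fragmentation(inner_len: int, suite: EspSuite, link_mtu: int) -> bool:
    """True if the encapsulated packet can cross link_mtu unfragmented."""
    return esp_tunnel_packet_len(inner_len, suite) <= link_mtu


def main() -> None:
    link_mtu = 1500                    # sample Ethernet MTU
    inner = 1500                       # full-size packet from the client's application
    for suite in (THREE_DES_SHA1, AES_SHA1, NULL_MD5):
        print(f"{suite.name}:")
        print(f"  {inner}-byte inner packet -> {esp_tunnel_packet_len(inner, suite)} bytes on the wire,"
              f" fits {link_mtu}-byte link: {fits_without_fragmentation(inner, suite, link_mtu)}")
        print(f"  tunnel adapter MTU to avoid fragmentation: {max_inner_len(link_mtu, suite)}")


if __name__ == "__main__":
    main()
```

Running it shows that a full 1500-byte inner packet grows to 1552 bytes under 3DES-CBC with HMAC-SHA1-96, so the outer packet cannot cross a 1500-byte link without IP fragmentation; setting the client's tunnel adapter MTU to 1446 (1438 for AES-CBC, whose 16-byte block and IV cost more) keeps every encapsulated packet at or below 1500 bytes. The padding rule is the part most often got wrong by hand: the region that must be block-aligned is the inner packet plus the two trailer bytes, not the inner packet alone.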




Table of Contents



Preface.

I. VPN FUNDAMENTALS.

1. Introduction.

Business Communication.

VPN Motivation.

The VPN Market.

VPN Technologies.

VPN Solutions.

2. Basic Concepts.

A Brief History of the Internet.

Network Architecture.

ISO OSI Reference Model.

IP.

Network Topology.

The Need for Security.

Cryptography.

Shared Key Cryptography.

Public Key Cryptography.

Digital Signatures.

Message Authentication Codes.

3. VPN Architectures.

Site-to-Site Intranet VPNs.

Remote Access VPNs.

Extranet VPNs.

A Security Services Taxonomy.

II. VPN TECHNOLOGIES.

4. Tunnels.

Tunneling.

Data Integrity and Confidentiality.

VPN Tunneling Protocols.

PPTP.

L2F.

L2TP.

IPsec.

MPLS.

5. IPsec.

Basic IPsec Concepts.

Security Protocols.

Security Associations.

Security Databases.

IPsec and VPNs.

Authentication Header.

Encapsulating Security Payload.

Internet Key Exchange.

Phase 1 Negotiation.

Phase 2 Negotiation.

Key Generation in IKE.

IPsec Implementation.

Inbound Packet Processing.

Outbound Packet Processing.

6. Authentication.

Two-Party Authentication.

PPP Authentication.

RADIUS.

S/KEY and OTP.

Trusted Third-Party Authentication.

Kerberos.

X.509 Public Key Infrastructure.

Pretty Good Privacy Trust Model.

Authentication in VPNs.

Gateway-Gateway Authentication.

Client-Gateway Authentication.

7. Public Key Infrastructure.

PKI Architecture.

Certification.

Validation.

Certificate Revocation.

Trust Models.

Digital Certificate Formats.

X.509 Digital Certificate.

PGP Certificate.

PKCS #6, Extended-Certificate Syntax Standard.

X.509 Attribute Certificate.

Certificate Management System.

Certification Authority.

Registration Authority.

Certificate and CRL Repository.

Certificate Protocols.

Certificate Use in VPNs.

Authentication.

Key Management.

Access Control.

8. Access Control.

Access Control Policy.

Attributes and Conditions.

Access Control Rules.

Access Control Mechanisms.

Access Control Lists.

Capabilities Lists.

Access Control Policy Management.

Distributed Policy Management.

Centralized Policy Management.

Policy Repository.

Access Control in VPNs.

III. VPN SOLUTIONS.

9. VPN Gateways.

VPN Gateway Functions.

Site-to-Site Intranet VPN Functions.

Remote Access VPN Functions.

Extranet VPN Functions.

Forwarding, Routing, and Filtering Functions.

Advanced Functions.

Gateway Configuration and Provisioning.

Gateway Identity Information.

External Device Information.

Security Policy Information.

Gateway Management.

Configuration Management.

Network Monitoring.

Accounting Information.

Gateway Certification.

Interaction with Firewalls.

VPN Gateway and Firewall in Parallel.

VPN Gateway and Firewall in Series.

Hybrid Configurations.

VPN Design Issues.

A VPN Solution Scenario.

10. VPN Clients.

VPN Client Functions.

Operating System Issues.

Microsoft Windows.

Other Operating Systems.

Operational Issues.

Working with the Corporate Firewall.

Working with Network Address Translation.

Fragmentation and MTU Issues.

Private and Public Domain Name Servers.

WINS Server Issues.

VPN Clients for Windows.

Layer 2 Clients.

IPsec Clients.

L2TP/IPsec Combination Clients.

VPN Client Software Installation.

VPN Clients for Other Platforms.

Layer 2 Implementations.

IPsec Implementations.

Alternative VPN Clients.

SSH as VPN Client.

SOCKS and SSL as VPN Client.

User-Level Daemon.

A Remote Access VPN Scenario.

11. VPN Network and Service Management.

Network Management Standards.

Network Management Architecture.

Network Management Station.

Managed Nodes.

Network Management Protocol.

Management Information.

Probes.

Other Means of Management.

SNMP.

VPN Management.

Managing Tunnels.

VPN Management in a Service Provider Environment.

Secure Management Tunnel in VPN.

Out-of-Band Access for Management.

Service Management.

Service Level Agreement.

Network Operations Center.

Customer Portal.

International Issues.

12. VPN Directions: Beyond Connectivity.

Evolutions in Network Infrastructure.

Evolutions in VPNs.

Internetworking Beyond Connectivity.

Network Security.

Quality of Service.

Intelligence in the Network.

Acronyms.
References.
Index.

Preface

The Internet has been around in one form or another for more than three decades now, but it really has been since the middle of the 1990s that the use of the Internet became a daily part of people's lives. Connectivity to the Internet is now imperative for almost all companies, regardless of what their business really is. Individuals can find Internet access at school, work, and home, in cafés and kiosks, and in cell phones and PDAs. Staying connected has become an obsession.

The focus has shifted from being connected to being securely connected. It is one thing to have Internet access, but without security, the usefulness of the connectivity is rather limited. People want to have the reach of the Internet, but they should not have to compromise their privacy or expose proprietary resources.

Fortunately, all of the ingredients are present for constructing a private network on top of a public one. The challenge comes in putting the technologies together so that the result is a viable and secure virtual private network.

This book provides a comprehensive guide to the technologies used to enable VPNs, the VPN products built from these technologies, and the combinations of various components to provide practical VPN solutions.

VPN technologies and solutions are still rapidly evolving. This book describes the current state of the art in this field. But things change quickly, so when appropriate, we have attempted to point out the continued effort in the industry to develop new technologies and solutions.

Audience

This book is intended for a broad range of readers interested in virtual private networks.

For network engineers and managers, this book serves as a practical guide to the technologies and solutions. It discusses issues to be considered in designing and implementing a VPN.

For VPN software and hardware developers, it provides the necessary background material to understand the functions to be developed and the rationale behind them.

For IT managers and executives, this book sets the overall context of VPNs and provides the means for assessing various implementations from equipment vendors and service offerings from service providers.

For students and educators, this book can be used as a reference text for a course in network security or electronic commerce.

Book Organization

This book is organized in three parts. Part I--VPN Fundamentals--consists of three chapters: Introduction, Basic Concepts, and VPN Architectures. Chapter 1 introduces the concept of VPN and how it permits flexibility in facilitating private communication in a public network. We also classify the relevant technologies into four distinct categories. Chapter 2 sets VPNs in context by briefly reviewing the development of the Internet and how security has been thrust to the forefront. It also reviews the basic IP networking and cryptography concepts that pertain to VPNs. Chapter 3 presents VPN architectures in two ways. The first approach is based on designing VPN around practical networking solutions: site-to-site intranet, extranet, and remote access. The second approach focuses on the different traffic aggregation points where security services are applied.

Part II--VPN Technologies--consists of five chapters: Tunnels, IPsec, Authentication, Public Key Infrastructure, and Access Control. Chapter 4 is concerned with the most important technology category--tunneling. We investigate the many different tunneling technologies that are important in VPN solutions. Chapter 5 concentrates on IPsec, the security protocol for IP standardized by the IETF and, in our opinion, the VPN tunneling technology that will be most prevalent going forward. Chapter 6 describes authentication in a broad context first and then describes the various two-party and three-party schemes that are widely applied in networking. The most important three-party scheme--PKI--is then presented in Chapter 7. In Chapter 8, we look at access control technologies, an often overlooked but vital aspect of VPNs. We describe how access policies can be presented, managed, and enforced in a networked environment.

Part III--VPN Solutions--consists of four chapters: VPN Gateways, VPN Clients, VPN Network and Service Management, and VPN Directions: Beyond Connectivity. This part describes how the various technology components can be assembled to create practical VPN solutions. Chapter 9 starts with the roles played by a VPN gateway, then derives the requirements imposed on the gateway, and finally describes the various functions that should be implemented. It also presents a concrete design example. Chapter 10 details the many issues of VPN clients, some similar to VPN gateways and some different. Chapter 11 presents the needs and approaches for performing continued management of VPNs from the viewpoints of both a network and a service. Finally, we discuss the future directions of VPNs in Chapter 12 and how important it is to realize that networking is the means, not the goal, and to look beyond simple connectivity in the networking arena.

How to Read the Book

There are two ways to read this book. For novices, we recommend completing Part I before proceeding to either Part II or Part III. For readers already knowledgeable in networking and security, each chapter is self-contained and can be read separately.

Readers are encouraged to read Chapters 4 and 5 together to obtain a fuller grasp on the concept of tunneling and IPsec as a layer-three tunneling technology. Similarly, Chapters 6 and 7 deal with authentication, with Chapter 7 exploring public key infrastructures in detail. It is also a good idea to review how a certain technology is introduced in Part II before seeing how it is applied to a VPN solution in Part III.

Ruixi Yuan
Tim Strayer

Boston, Massachusetts
March 2001


Index

3COM, 66
3DES (triple DES), 38, 81, 141, 143, 176, 178, 181, 183, 191, 230, 237, 266
See also DES


Access control, 9, 12, 15, 45, 51, 153-171, 182, 247, 269, 279
access control list (ACL), 160
attributes, 155, 157-159
capabilities list (C-list), 160
centralized policy management, 165
discretionary policy, 157
distributed policy management, 164
environmental conditions, 158
filters, 191-192
in IPsec, 75
mandatory policy, 157
mechanisms, 156, 160-163, 167
policy, 156-160, 167
policy management, 156, 163-167
resource attributes, 158
rules, 159-160
stakeholders, 159
user attributes, 157
as a VPN client function, 18, 216, 218
as a VPN gateway function, 17, 176
in VPNs, 167-171
Access control list, See ACL
Accounting, 193, 198
ACL (access control list), 160-162, 260
Adapter, network, 222, 229, 233
Adapter, shim, 222, 233
Adapter, virtual, 233-234
Adleman, Leonard, 40
Advanced Encryption Standard, See AES
Advanced Research Projects Agency, See ARPA
AES (Advanced Encryption Standard), 37, 230
AH (Authentication Header), 58, 63, 70, 76-77, 79, 83-88, 100, 203
fields, 84
protocol number, 77
transport mode, 86-87
tunnel mode, 87-88
Alcatel, 187, 195-196, 231, 234
Altiga, 226, 231
Amazon.com, 7
Anti-replay protection, 75, 85
AH (Authentication Header), 84
ESP (Encapsulating Security Payload), 88
Apple, 220, 224, 234
Application layer, 30
Application programming interface (API), 195
ARPA (Advanced Research Projects Agency), 23-24
ARPANET, 23-24, 26, 33
Ascend Communications, 66
ASN.1 (Abstract Syntax Notation One), 137, 253
Asymmetric key cryptography, 36
See also Public key cryptography
Asynchronous Transfer Mode, See ATM
AT&T, 220
ATM (Asynchronous Transfer Mode), 47, 68, 185
Attack, 18, 33, 88
against CA, 147
denial of service, 34, 93, 279
dictionary, 106
distributed denial of service, 279
Internet worm, 34
on keys, 16
network-based, 34
replay, 15, 94, 122
Trojan Horse, 122
Attributes, 157
environmental conditions, 158
identity, 157
resource attributes, 158
use conditions, 158
user attributes, 157
for VPN access control, 170
X.509 attribute certificate, 145
Authentication, 9, 12, 14, 45, 47, 51, 59-60, 103-128, 153, 155, 182, 189, 217, 269, 279
AH (Authentication Header), 84-86
CHAP (Challenge Handshake Authentication Protocol), 66, 112
client-gateway, 127
cryptography used for, 36-37
EAP (Extensible Authentication Protocol), 66, 113
ESP (Encapsulating Security Payload), 88
gateway-gateway, 126
in IPsec, 63, 75
Kerberos, 119
MAC (message authentication code), 43
lack of in MPLS, 73
one-time passwords, 117
options for VPN clients, 230
PAP (Password Authentication Protocol), 66, 107, 111
password, 43, 106, 157
PGP (Pretty Good Privacy)
RADIUS (Remote Access Dial In User Service), 114
S/KEY, 109, 117
Security Association Database (SAD), 80
Security Policy Database (SPD), 81
SSH (Secure Shell), 237
trusted third-party, 14, 104
two-party, 14, 104
as a VPN client function, 18, 216-217, 231
as a VPN gateway function, 17, 176
in VPNs, 126-128
X.509 public key infrastructure, 122
Authentication Header, See AH
Autonomous system (AS), 278


BBN, 33, 146
Bellcore, 252
Bellovin, Steven M., 35, 201
Berners-Lee, Tim, 26
BGP (Border Gateway Protocol), 278
Secure-BGP, 184
BITNET, 26
Blowfish, 38, 237, 241
Border gateway, 33
BSD Unix, See Unix
BSDI, 235
Business communication, 4, 8


CA (certification authority), 122, 129-130, 132-135, 145-147, 190, 210
cross-certification, 135
Microsoft, 139
root, 135
Cable modem, 19, 46, 49-50
Capabilities list (C-list), 160, 163
Capstone, 38
CAST, 141, 143, 176
CCITT, See ITU, 122
Centralized policy management, 165
Cerberus, 236
CERN (Center for European Nuclear Research), 26
Certificate, 122, 129, 132-133
CRL (certificate revocation list), 124
cross certificate, 135
enrollment, 152
management system, 145
PGP (Pretty Good Privacy), 141-144
protocols, 149
root, 123, 135
self-signed, 143
use-condition certificate, 158
use in VPNs, 152-154
See also Digital certificate
Certificate and CRL repository, 130, 145, 148
Certificate management system, 145-149
Certificate protocols, 149-152
PKCS #10, Certification Request Syntax Standard, 151
PKCS #7, Cryptographic Message Syntax Standard, 151
PKIX (Public Key Infrastructure for the Internet), 150
SCEP (Simple Certificate Enrollment Protocol), 152
Certificate revocation list, See CRL
Certification authority, See CA
Certification Practice Statement (CPS), 147
Challenge Handshake Authentication Protocol, See CHAP
CHAP (Challenge Handshake Authentication Protocol), 66, 108, 112-113, 230
Check Point, 187, 231
Checksum, IP, 32, 59-60, 85
Checksum, TCP, 59
Cheswick, William R., 35, 201
CIDR (Classless Inter-Domain Routing), 179
Ciphertext, 35-36
CIR (committed information rate), 46
Cisco, 66-67, 152, 187, 194, 231
Altiga VPN client, 226
Compatible Systems VPN client, 234
Clipper, 38
CMIP (Common Management Information Protocol), 247, 252
CMIS (Common Management Information Service), 247
Command line interface (CLI), 193, 196, 252
Committed information rate, See CIR
Common Management Information Protocol, See CMIP, 246
Common Management Information Service, See CMIS, 246
Compatible Systems, 234
Compression, 231
Confidentiality, 9, 38, 59-61, 70
cryptography used for, 36-37
in IPsec, 63, 75
lack of in MPLS, 73
See also Data confidentiality
Configuration file, 194
Configuration management, 193
Coordinated universal time, See UTC
CRL (certificate revocation list), 124, 129-130, 133-134, 146, 180, 210
X.509v2, 148
Cross-certification, 147
Cryptanalysis, 37
Cryptographic keys, 35
Cryptography, 35
asymmetric, 36
block cipher, 37
key management, 39
public key, 36, 38-39
shared key, 36
symmetric, 36
CSNET, 26
Customer premises equipment (CPE), 54, 272
Customer relationship management (CRM), 263


DARPA, See ARPA, 23
Data confidentiality, 9, 60, 75, 269, 279
ESP (Encapsulating Security Payload), 88
as a VPN client function, 176, 216, 219
Data Encryption Standard, See DES
Data integrity, 9, 15, 36, 59, 61, 269, 279
AH (Authentication Header), 83
in IPsec, 75
as a VPN client function, 176, 216, 219
Data link layer, 28
Data origin authentication, 75
AH (Authentication Header), 83
Data security, 13, 15, 45
as a VPN gateway function, 17
as a VPN client function, 18
See also Data confidentiality and Data integrity
DECNET, 5
Decryption, 35
public key, 38
shared key, 37
Demilitarized zone, See DMZ
Denial-of-service attack, 34, 93, 279
Department of Defense (DoD), 23
DES (Data Encryption Standard), 37-38, 81, 176, 230
cracked, 37
DHCP (Dynamic Host Configuration Protocol), 181, 190, 219, 222, 230, 248
Dial-up networking, See DUN
Dictionary attack, 106
Differentiated service code point (DSCP), 207
Diffie, Whitfield, 36, 129
Diffie-Hellman algorithm, 96, 141, 153
DiffServ, 207
Digital certificate, 81, 130, 132-136, 171, 179-180, 182-184, 189, 191, 217-218
use in access control, 154
use in authentication, 153
creation, 146
formats, 136-145
use in key management, 153
revocation, 146
X.509, 136
See also Certificate
Digital certificates, 230, 241
Digital signature, 40-43, 133, 136
DSA, 43
RSA, 43
Digital Signature Algorithm, See DSA
Digital subscriber line, See DSL
Directory Access Protocol (DAP), 166
Directory System Agent (DSA), 166
Directory User Agent (DUA), 166
Distinguished name (DN), 81-82, 123, 139, 171
relative distinguished name (RDN), 139
Distributed denial-of-service attack, 279
Distributed policy management, 164
DMZ (demilitarized zone), 204
DNS (Domain Name System), 135, 162, 181, 189, 222, 225, 227-229, 278
DNSSEC (Secure Domain Name System), 135
Domain Name System, See DNS
DSA (Digital Signature Algorithm), 43, 141-142
DSL (digital subscriber line), 19, 46, 49-50, 234, 277
DUN (dial-up networking), 229
Dynamic Host Configuration Protocol, See DHCP


EAP (Extensible Authentication Protocol), 66, 113-114
ECI Telematics, 66
E-commerce, 9, 27
B2B, 9
B2C, 9
Electronic Frontier Foundation, 37
Electronic mail, See Email
ElGamal algorithm, 40, 144
Ellison, Carl, 134
Email, 24
Encapsulating Security Payload, See ESP
Encapsulation, 13, 30, 58, 63, 215, 219, 226
ESP (Encapsulating Security Payload), 90
GRE (Generic Routing Encapsulation), 64
modes for VPN clients, 230-231
modes for VPN gateways, 179
Encryption
algorithm, 35
asymmetric, 60
ESP (Encapsulating Security Payload), 88
hardware acceleration, 187
NULL algorithm, 89
options for VPN clients, 230
public key, 38, 40
shared key, 37
symmetric, 60
Entrust, 203
ESP (Encapsulating Security Payload), 58, 63, 70, 76-77, 79, 88-91, 100, 183
fields, 89
protocol number, 77
transport mode, 90, 180
tunnel mode, 91, 179, 182
Ethernet, 257, 263
EUnet, 26
Extensible Authentication Protocol, See EAP
Extranet, 6
Extranet VPN, 46, 50-52
functions, 182-184


Federal Information Processing Standard (FIPS), 146
Feghhi, Jalal, 136
Feghhi, Jalil, 136
Finland, 140
FIPS 140-1, 146, 201
FIPS 140-1 certification, 200
Firewall, 21, 35, 48, 184, 218, 225, 230, 248, 276
DMZ (demilitarized zone), 204
interaction with VPN gateways, 201
Fischetti, Mark, 26
Fragmentation, 31, 60, 226-227
don't fragment IP flag, 31
more fragments IP flag, 31
Frame relay, 4, 9, 46-48, 67-68
CIR, 46
provisioning, 46
PVC, 46, 48
FreeBSD, 224, 234-235
FreeS/WAN, 235
FTP (File Transfer Protocol), 252, 259, 262


Gateway, 24, 29
border, 33
See also Router and VPN gateway
Generic Routing Encapsulation, See GRE
Germany, 140
GnuPG, 40, 141
See also PGP
Good, Gordon S., 167
Graphical user interface, See GUI
GRE (Generic Routing Encapsulation), 64, 67-68
GUI (graphical user interface), 194
Gutmann, Peter, 140


Hash function, 41
collision resistant, 41
one-way, 41-43
Hashed message authentication code, See HMAC
Hellman, Martin, 36, 129
HMAC (hashed message authentication code), 43, 85
Hot Standby Router Protocol, See HSRP
Howes, Timothy A., 167
HSRP (Hot Standby Router Protocol), 187
HTTP (Hypertext Transfer Protocol), 252
Hub-and-spoke, 46


IBM, 37
ICANN (Internet Corporation for Assigned Names and Numbers), 278
ICMP (Internet Control Message Protocol), 196
ping, 197
traceroute, 198
ICSA (International Computer Security Association), 200
IDEA, 38, 141, 143, 176
IETF (Internet Engineering Task Force)
firewall bypass effort, 226
IPsec standard, 12, 75, 98
L2TP Extensions working group, 69
MIB-II defined objects, 253
MPLS-based VPN effort, 276
NAT/IPsec compatibility effort, 226
PKIX Working Group, 123
RMON, 257
security policy effort, 159
SNMP, 247
VPN state synchronization effort, 187
VPN tunneling efforts, 260
IGRP (Interior Gateway Routing Protocol), 278
IKE (Internet Key Exchange), 76-77, 82, 91-99, 101, 260
use with firewalls, 203
ICSA certification, 200
key generation, 96, 179, 182-184
key management, 153
phase 1 negotiation, 94
phase 2 negotiation, 95
security policy effort, 159
Indus River, 231
Integrated Services Digital Network, See ISDN
Integrity check value (ICV), 85-86
Intel, 66, 231
Intercept driver, 222
Interface Message Processor (IMP), 24
International Computer Security Association, See ICSA
International Organization for Standardization, See ISO
International Telecommunication Union, See ITU
Internet, 3-4, 6, 8, 12, 48, 63
ARPANET, 24
attacks, 34
connectivity, 47
evolution, 269
growth, 26
history, 23
IP (Internet Protocol), 30
management, 245
security, 278
tunneling, 62-63
worm, 34
Internet Activities Board, 247
Internet Control Message Protocol, See ICMP
Internet Engineering Task Force, See IETF
Internet Explorer, 135
Internet Key Exchange, See IKE
Internet Protocol, See IP
Internet Security Association and Key Management Protocol, See ISAKMP
Internet service provider, See ISP
Internet worm, 34
Internet-Draft, 289
Internetwork, 24, 57
Internetworking, 29, 277
Intranet, 6, 63, 175
Intrusion detection system (IDS), 35, 279
IP (Internet Protocol), 6, 24-25, 30-32, 47, 59, 221
address, 24, 32
destination address field, 32
don't fragment flag, 31
flags field, 31
fragment offset field, 32, 85
fragmentation, 31, 85
fragmentation field, 60
header checksum field, 32, 85
header format, 30
header length field, 31
identification field, 31
Internet, 25
internetwork, 24
IPsec, 75
IPv4, 75
IPv6, 75
more fragments flag, 31
mutable fields, 85
options field, 32
padding field, 32
protocol field, 32
SLIP (serial line IP), 67
source address field, 32
time to live field (TTL), 32, 60, 85, 198
total length field, 31
type of service field (TOS), 31, 85
version field, 31
IP header, 59, 64, 70-71
IP service platform, 272-273
ipnsec, 236
IPsec, 12, 58, 70, 75-101
Authentication Header (AH), 83
certification from ICSA, 200
concepts, 75
Encapsulating Security Payload (ESP), 88
firewall issues, 219
fragmentation issues, 227
implementations, 98, 235
Internet Key Exchange (IKE), 91
iterated tunneling, 79
use with L2TP, 69
mode, 78, 80
NAT issues, 226, 276
nested SAs, 79, 273
packet filtering, 185
protocol, 80
SA (security association), 77, 79, 93-94
Security Association Database (SAD), 79
security databases, 79
Security Parameter Index (SPI), 77
Security Policy Database (SPD), 80
security policy effort, 159
security protocols, 76
transport adjacency, 79
transport mode, 86, 90
tunnel management, 260
tunnel mode, 70, 87, 91
as a VPN tunneling protocol, 63, 83, 176, 179, 191, 216-217, 230
IPv4, 75, 86, 235
IPv6, 75, 81, 86, 235
IPX (Internetwork Packet Exchange), 47, 59, 232
ISAKMP (Internet Security Association and Key Management Protocol), 76, 92, 99, 199
cookie, 93
master key, 97
SA (security association), 93-96
ISDN (Integrated Services Digital Network), 50, 61, 66
Isenberg, David, 281
ISO (International Organization for Standardization), 27, 110, 215, 246
ISP (Internet service provider), 11-12, 49-50, 53-54, 61-68, 245, 272
Iterated tunneling, 79
ITU (International Telecommunication Union), 122, 136
network management, 247


Kaliski, Barton, 144
KAME, 235
Kent, Steve, 134, 147
Kerberos, 116, 119-122
authentication server (AS), 119
ticket, 119
Ticket-Granting Server (TGS), 121
Ticket-Granting Ticket (TGT), 121
Key escrow, 132, 146-147
Key management, 36, 39, 153
Key ring, 125
Keyed MD5, 43


L2F (Layer Two Forwarding), 58, 61, 66-69, 111
as a VPN tunneling protocol, 176, 215, 230
L2TP (Layer Two Tunneling Protocol), 58, 61, 68-70, 111, 199, 238
compression methods for, 70
L2TP Access Concentrator (LAC), 68
L2TP Extensions Working Group, 69
L2TP Network Server (LNS), 68
tunnel management, 260
as a VPN tunneling protocol, 176, 191, 215, 230
Label Distribution Protocol (LDP), 280
Label switch router, See LSR
Label switched path, See LSP
Label switching, 63
Layer Two Forwarding, See L2F
Layer Two Tunneling Protocol, See L2TP
LDAP (Lightweight Directory Access Protocol), 167, 261
Leased line, 24, 241
Lightweight Directory Access Protocol, See LDAP
Link Control Protocol (LCP), 113
Link layer, 28, 30, 58, 274
Linux, 220, 224, 234-236
Local area network (LAN), 52
LSP (label switched path), 71, 275
LSR (label switch router), 71
Lucent, 66, 115


MAC (message authentication code), 43, 60
HMAC, 43
one-way hash function, 43
Unix passwords, 43
MacOS, 220, 224, 234
standard autopush driver, 224
VPN clients for, 234
Management information base, See MIB
Management information tree, See MIT
Maximum transmission unit, See MTU
MD4, 117
MD5, 43, 85, 113, 117, 143
keyed, 43
Message authentication code, See MAC
MIB (management information base), 20, 196, 247, 251, 253, 259-260
IKE Monitoring MIB, 197, 260
IP Tunnel MIB, 197
IPsec DOI Textual Conventions MIB, 260
IPsec Monitoring MIB, 197, 260
ISAKMP DOI-Independent Monitoring MIB, 260
L2TP MIB, 260
MPLS Traffic Engineered LSPs MIB, 260
MPLS Traffic Engineering MIB Using SMIv2, 260
RMON (Remote Monitoring), 257
TCP/IP (MIB-II), 197, 247
MIB view, 257
MIB-II, 197, 247, 253
Microsoft, 12, 66, 136, 139, 190, 218, 220-221, 229, 234
approach to VPN clients, 229
extensions to CHAP, 66
extensions to PAP, 66
Internet Explorer, 135
MS-CHAP, 66
WINS (Windows Internet Name Service), 181, 229
Microsoft NetBIOS, 229
Microsoft Windows, See Windows
MIT (management information tree), 251, 253, 256
MIT (Massachusetts Institute of Technology), 119
Modem
availability, 264
bank, 61, 63, 66-67
cable, 49
cost, 49
dial-back protected, 263
digital modulation standards, 49
with encryption capability, 263
NAS (network access server), 115
speed, 49-50
MOSAIC, 26
MPLS (Multiprotocol Label Switching), 63, 71-73
enabling QoS, 280
label stacking, 71, 273
shim header, 71
tunnel management, 260
as a VPN tunneling protocol, 274-276
MS-CHAP, 66, 230
MTU (maximum transmission unit), 80, 86, 90, 226-227
Multiprotocol Label Switching, See MPLS


NAS (network access server), 64-67, 69, 115-117, 199, 248
NAT (network address translation), 185, 207, 219, 226, 276
National Center for Supercomputer Applications, See NCSA
National Institute of Standards and Technology, See NIST
National Science Foundation, See NSF
National Security Agency, See NSA
Navy, U.S., 33
NCP (Network Control Program), 24
NCSA (National Center for Supercomputer Applications), 26
NDIS (Network Driver Interface Specification), 221
NetBEUI, 222
NetBIOS, 229
NetBSD, 224, 234-235
Netscape, 26, 136, 140
Communicator, 135
NetScreen, 187
Netware, Novell, 5
Network access server, See NAS
Network adapter, 233
Network Control Program, See NCP
Network Driver Interface Specification, See NDIS
Network layer, 24, 29-30, 58, 70, 75
Network management
architecture, 248
FCAPS, 246, 265
international issues, 266
Internet model, 247, 251
OSI model, 246, 250-251, 253
out-of-band access, 263
probe, 248, 251
tunnels, 260
Network management protocols, 248, 250
Network management standards, 246
Blue Book Recommendation M.30, 247
CMIP (Common Management Information Protocol), 246
CMIS (Common Management Information Service), 246
OSI Basic Reference Model, Part 4, 246
RMON (Remote Monitoring), 247
SNMP (Simple Network Management Protocol), 247
TL1 (Transaction Language One), 252
TMN (Telecommunications Management Network), 247
Network management station, See NMS
Network management system, 245
Network monitoring, 193, 196
Network operations center, See NOC
Network security, 33-35, 277-279
devices, 35
Network service management, 263-266
customer portal, 265-266
NOC (network operations center), 265
SLA (service level agreement), 264
Network Time Protocol, See NTP
Network topology, 32
NIST (National Institute of Standards and Technology), 37, 43, 106, 201
NMS (network management station), 248
NOC (network operations center), 213, 261-263, 265
Nonce, 94
Nonrepudiation, 40
Nortel Networks, 66, 187, 194-195, 231
Northern Telecom, See Nortel Networks
Novell, 5, 47
NSA (National Security Agency), 33, 37, 43
NSF (National Science Foundation), 26
NSFNET, 26, 277
NTP (Network Time Protocol), 121
NULL encryption algorithm, 70, 89


Oakley key determination protocol, 92, 98
Object identifier (OID), 253-254
One-time passwords (OTP), 108, 113, 117-118
S/KEY, 109, 117
One-way hash function, 41-43, 60, 113, 117
Open Systems Interconnection, See OSI
OpenBSD, 224, 234-236
OpenPGP, 141
OpenSSH, 236
OSI (Open Systems Interconnection), 27
network management, 247
protocol stack, 215
OSI Reference Model, 27, 29, 166, 246
OSPF (Open Shortest Path First), 187, 278
with digital signatures, 184
Over the air rekeying (OTAR), 16

Packet-switched network, 24, 29, 32, 48, 59
PAP (Password Authentication Protocol), 66, 107, 111
Password Authentication Protocol, See PAP
Passwords, 43, 66, 106, 117
challenge/response, 107
CHAP (Challenge Handshake Authentication Protocol), 108
dictionary attack, 106
entropy, 106
NIST guidelines for choosing, 106
one-time, 108
out-of-band access, 263
PAP (Password Authentication Protocol), 107, 111
RADIUS, 115, 128
salt, 106
PDU (protocol data unit), 58, 252, 254
PEM (Privacy Enhanced Mail), 135
Perlman, Radia, 134
Permanent virtual circuit, See PVC
PGP (Pretty Good Privacy), 40, 119, 124, 135, 141, 216
certificate, 141-144
GnuPG, 141
OpenPGP, 141
public key ring, 125
web of trust, 124, 144
Physical layer, 28
Ping, 197
PKCS (Public-Key Cryptography Standards), 144, 150
PKCS #10, Certification Request Syntax Standard, 151-152
PKCS #6, Extended-Certificate Syntax Standard, 144, 151
PKCS #7, Cryptographic Message Syntax Standard, 151-152
PKCS #9, Selected Object Classes and Attribute Types, 145, 151
PKI (public key infrastructure), 14, 122, 129-154, 180, 184, 200, 203, 218
architecture, 130-136
CA (certification authority), 129
certificate and CRL repository, 130
certificate revocation process, 130, 133
certification process, 129, 132
key escrow, 132
name subordination, 135
RA (registration authority), 130
trust models, 131, 134
validation process, 129, 133
X.509, 122, 136
PKIX (Public Key Infrastructure for the Internet), 12, 123, 150
PMI (Privilege Management Infrastructure), 157
Point-to-Point Protocol, See PPP
Point-to-Point Tunneling Protocol, See PPTP
Policy management, 163
POP (point of presence), 46, 50, 52-54, 272
Port address translation, See PAT
PPP (Point-to-Point Protocol), 61-67, 69, 108, 185, 230, 232
authentication, 107, 111-114
Link Control Protocol (LCP), 111
PPPoE (PPP over Ethernet), 234
use in SSH, 237
PPPoE (Point-to-Point Protocol over Ethernet), 234
PPTP (Point-to-Point Tunneling Protocol), 58, 61, 63-69, 111, 229
authentication, 66
Microsoft, 66
PPTP Access Concentrator (PAC), 63, 68
PPTP Network Server (PNS), 63, 68
as a VPN tunneling protocol, 176, 215, 217, 230
PPTP Forum, 63, 66
Presentation layer, 30
Pretty Good Privacy, See PGP
Privacy Enhanced Mail, See PEM
Private addressing, 63
Private Line Interface (PLI), 33
Private network, 4, 6, 8-9, 63, 175, 279
Privilege Management Infrastructure, See PMI, 157
Project Athena, 119
Protocol data unit, See PDU
Protocol number, 32
Provisioning, 188
PSTN (public switched telephone network), 6, 61, 66, 263, 281
Public key certificate
X.509, 136
X.509v3, 140, 145
See also Digital certificate, 136
Public key cryptography, 36, 38-39, 41, 129, 134
digital signature, 40
ElGamal algorithm, 40
encryption, 40
PGP (Pretty Good Privacy), 125
Rabin algorithm, 40
RSA algorithm, 40
use in SSH, 237
Public key infrastructure, See PKI
Public network, 6, 47, 175, 278
Public switched telephone network, See PSTN
Public-Key Cryptography Standards, See PKCS
PVC (permanent virtual circuit), 46, 48


QoS (quality of service)
denoted by IP TOS field, 31
for on-net traffic, 49
in the Internet, 49, 277
in IP service platform, 272
lack of standards, 12
enabled with MPLS, 63, 274-275
service beyond connectivity, 279-280
in VPN gateways, 21, 178, 186, 207
Quality of service, See QoS


RA (registration authority), 130, 132, 134, 145, 148
Rabin algorithm, 40
RADIUS (Remote Access Dial In User Service), 67, 114-117, 128
accounting for VPN gateways, 190, 199
authentication for VPN clients, 217, 230, 234
authentication for VPN gateways, 182, 190, 209-210
for storing policy information, 261
RAS (remote access server), 49, 61-62, 229
RC4, 176, 230
RC5, 230
Redcreek, 231
Registration authority, See RA
Remote Access Dial In User Service, See RADIUS
Remote access server, See RAS
Remote access VPN, 20, 45, 49-50, 54, 208
functions, 180-182
Replay attack, 15, 94, 122
Request for Comments, See RFC
RFC (Request for Comments), 33, 289
RFC Editor, 289
Rijndael algorithm, 37
RIP (Routing Info
