| Foreword | p. xv |
| Introduction | p. xix |
| Getting Started | p. 1 |
| Information Age | p. 2 |
| The Internet | p. 3 |
| Security Considerations | p. 3 |
| Authentication | p. 4 |
| Access Controls | p. 4 |
| Data Integrity | p. 5 |
| Confidentiality | p. 6 |
| Non-repudiation | p. 6 |
| Policy | p. 6 |
| Network Security Considerations | p. 7 |
| Services Offered versus Security Provided | p. 7 |
| Ease of Use versus Security | p. 8 |
| Cost of Security versus Risk of Loss | p. 8 |
| The Need for Security Policies | p. 9 |
| Legal Reasons | p. 9 |
| Business Requirements | p. 9 |
| General Control | p. 10 |
| The Other Guys | p. 10 |
| What Does VPN Mean? | p. 11 |
| Why Are VPNs So Popular? | p. 13 |
| Cost Savings | p. 13 |
| Scalability | p. 14 |
| Enhanced Communication Security | p. 14 |
| Intended Audience | p. 15 |
| Network Professionals | p. 15 |
| Consultants | p. 15 |
| Developers | p. 16 |
| Technical Individuals | p. 16 |
| What One Should Know | p. 16 |
| Technical Primer | p. 19 |
| TCP/IP Quickie | p. 20 |
| Common TCP/IP Networks | p. 20 |
| Reference Models | p. 22 |
| Application Layer | p. 23 |
| Transport Layer | p. 24 |
| Network Layer | p. 24 |
| Link Layer | p. 25 |
| Communication Types | p. 25 |
| Packet Structure | p. 26 |
| Header | p. 27 |
| Internet Protocol | p. 28 |
| Routing | p. 29 |
| Structure | p. 30 |
| Transmission Control Protocol (TCP) | p. 30 |
| TCP Application Ports | p. 31 |
| Structure | p. 31 |
| User Datagram Protocol (UDP) | p. 31 |
| Structure | p. 31 |
| Pseudo Headers | p. 32 |
| Internet Control Message Protocol (ICMP) | p. 33 |
| ARP and RARP | p. 34 |
| Non-routable IP Addresses | p. 34 |
| Network Address Translation (NAT) | p. 35 |
| IPSec and TCP/IP Layers | p. 38 |
| Other VPN Standards | p. 39 |
| Layer 2 Tunneling Protocol (L2TP) | p. 39 |
| Layer 3 | p. 41 |
| Upper Layers | p. 41 |
| Aventail SSL VPN Solution | p. 42 |
| Cryptography | p. 47 |
| Encryption | p. 48 |
| Symmetrical | p. 48 |
| Asymmetrical | p. 48 |
| Hash Function | p. 48 |
| Message Authentication Code | p. 48 |
| Hash-Message Authentication Code | p. 48 |
| IP Security Primer | p. 51 |
| History | p. 52 |
| Structure | p. 52 |
| RFCs | p. 53 |
| Clients and Networks | p. 54 |
| What Is an SA? | p. 55 |
| Authentication Header | p. 55 |
| Encapsulating Security Payload | p. 56 |
| Shims and Virtual Adapters | p. 56 |
| Operating Systems Support | p. 56 |
| Operations within the Standard | p. 57 |
| Two Distinct Operations | p. 57 |
| Internet Key Exchange | p. 57 |
| IPSec Communication Suite | p. 58 |
| IKE and IPSec Relationship | p. 58 |
| Two Distinct Modes | p. 58 |
| VPNs and Policies | p. 59 |
| Cryptography | p. 61 |
| History | p. 62 |
| Symmetrical Encryption | p. 62 |
| Typical Symmetrical Algorithms | p. 63 |
| DES and 3DES | p. 64 |
| AES | p. 64 |
| MARS | p. 64 |
| RC6 | p. 65 |
| Rijndael | p. 65 |
| Serpent | p. 65 |
| Twofish | p. 65 |
| Asymmetrical Encryption | p. 66 |
| What is PKI? | p. 69 |
| Effective PKI | p. 69 |
| Third-party Trust | p. 69 |
| PKI Requirements | p. 70 |
| Public Key Certificates | p. 70 |
| Certificate Repository | p. 70 |
| Certificate Revocation (CRL) | p. 71 |
| Key Backup and Recovery | p. 71 |
| Non-repudiation | p. 71 |
| Automatic Update of Certificates and Key Pairs | p. 71 |
| Key history | p. 72 |
| Cross-certification | p. 72 |
| Certificate Validation Process | p. 72 |
| Message Authentication | p. 73 |
| Authentication Basis | p. 73 |
| Ciphertest | p. 73 |
| Message Digest | p. 75 |
| Hash Functions | p. 75 |
| Message Authentication Code (MAC) | p. 76 |
| Block Cipher-based Message Authentication | p. 76 |
| Hash Function-based Message Authentication Code (HMAC) | p. 77 |
| Digests over Encryption | p. 77 |
| Performance | p. 78 |
| Application Considerations | p. 78 |
| System Performance | p. 78 |
| Application Tampering | p. 78 |
| Legacy Utilization | p. 79 |
| Legal Restrictions | p. 79 |
| Diffie-Hellman | p. 79 |
| Perfect Forward Secrecy | p. 82 |
| Implementation Theory | p. 83 |
| Moving to the Internet | p. 84 |
| WAN Augmentation | p. 86 |
| WAN Replacement | p. 88 |
| Redundancy Concepts | p. 89 |
| Reevaluating the WAN | p. 90 |
| Remote Access | p. 91 |
| Current Remote Access Technology | p. 91 |
| VPN Revolution | p. 91 |
| LAN Security Augmentation | p. 92 |
| Performance Considerations | p. 93 |
| The Internet | p. 94 |
| The Security | p. 96 |
| The System | p. 96 |
| Implemented versus Required | p. 97 |
| Network Address Translation | p. 98 |
| Authentication | p. 101 |
| Pre-shared Secret | p. 102 |
| Digital Signatures | p. 103 |
| Public Key Encryption | p. 104 |
| Remote User Authentication | p. 105 |
| History | p. 105 |
| IPSec and Remote Authentication | p. 106 |
| Authentication Protocols | p. 107 |
| Password Authentication Protocol (PAP) | p. 107 |
| Challenge Handshake Authentication Protocol (CHAP) | p. 108 |
| RADIUS | p. 109 |
| X.500 and LDAP | p. 109 |
| IPSec Architecture | p. 111 |
| Security Associations | p. 112 |
| IKE Security Associations | p. 112 |
| IPSec Security Associations | p. 112 |
| Security Parameter Index (SPI) | p. 114 |
| Security Policy Database (SPD) | p. 114 |
| Selectors | p. 115 |
| Security Association Database | p. 116 |
| SA Configurations | p. 117 |
| Host-based VPN | p. 117 |
| Gateway-based VPN | p. 119 |
| Host to Gateway | p. 118 |
| Hosts and Gateways | p. 118 |
| Availability versus Standards | p. 120 |
| Transport Mode | p. 121 |
| Tunnel Mode | p. 122 |
| Remote Access, Routing, and Networks | p. 123 |
| IP Pools and Networks | p. 124 |
| Internally Available | p. 124 |
| Internally Networked | p. 125 |
| Virtually Networked | p. 126 |
| Support for All | p. 127 |
| Acting As a Router versus a Bridge | p. 130 |
| Finding Gateways with Maps | p. 130 |
| Map Example Internals | p. 133 |
| Vendor Modes and Remote Access | p. 135 |
| Split Tunnel | p. 136 |
| Single Tunnel | p. 137 |
| Hybrid Tunnel Realization | p. 138 |
| Reverse VPN NAT | p. 138 |
| Map-based Routing Table | p. 138 |
| Arguments | p. 139 |
| Implementation Considerations of Tunnel Types | p. 140 |
| Data Fragmentation | p. 141 |
| Discovery with ICMP | p. 144 |
| Compression within IPSec | p. 144 |
| Replay Protection | p. 147 |
| Wrap-around | p. 148 |
| Security Protocols | p. 149 |
| Encapsulating Security PAYLOAD (ESP) | p. 150 |
| ESP Header Definition | p. 150 |
| ESP Placement | p. 152 |
| Process Execution | p. 152 |
| Outbound Process | p. 152 |
| Inbound Process | p. 153 |
| ESP Authentication and Replay Protection | p. 153 |
| Changes from Previous RFC | p. 154 |
| Authentication Header (AH) | p. 154 |
| AH Placement | p. 155 |
| Process Execution | p. 155 |
| Outbound Process | p. 155 |
| Inbound Process | p. 157 |
| The Purpose of AH | p. 157 |
| Changes from Previous RFC | p. 158 |
| Key Management | p. 159 |
| The Role of Key Management | p. 160 |
| Manual Key Management | p. 161 |
| Automatic Key Management | p. 161 |
| Creating IKE for IPSec | p. 161 |
| ISAKMP | p. 162 |
| Oakley | p. 162 |
| SKEME | p. 163 |
| Phases and Modes | p. 163 |
| ISAKMP Framework | p. 164 |
| ISAKMP Header | p. 164 |
| Generic Payload Header | p. 166 |
| Security Association Payload | p. 166 |
| Proposal Payload | p. 166 |
| Transform Payload | p. 169 |
| Identification Payload | p. 170 |
| Certificate Payload | p. 170 |
| Certificate Request Payload | p. 171 |
| Notification Payload | p. 172 |
| Delete Payload | p. 172 |
| Information Attributes | p. 172 |
| Phase I Attributes | p. 174 |
| Phase II Attributes | p. 176 |
| Other Payloads | p. 177 |
| Phase I | p. 178 |
| Main Mode | p. 178 |
| Pre-shared Keys/Secret | p. 179 |
| First Exchange | p. 179 |
| Second Exchange | p. 180 |
| Third Exchange | p. 182 |
| Digital Signatures with Certificates | p. 183 |
| First Exchange | p. 184 |
| Second Exchange | p. 184 |
| Third Exchange | p. 185 |
| Public Key Encryption | p. 186 |
| First Exchange | p. 186 |
| Second Exchange | p. 187 |
| Third Exchange | p. 188 |
| Revised Public Key Encryption | p. 188 |
| First Exchange | p. 189 |
| Second Exchange | p. 190 |
| Third Exchange | p. 191 |
| Aggressive Mode | p. 191 |
| Pre-shared Keys/Secret | p. 192 |
| Primary Exchange | p. 193 |
| Final Exchange | p. 193 |
| Digital Signatures with Certificates | p. 194 |
| Primary Exchange | p. 194 |
| Final Exchange | p. 194 |
| Public Key Encryption194 | |
| Primary Exchange | p. 195 |
| Final Exchange | p. 195 |
| Public Key Encryption Revised | p. 195 |
| Base Mode | p. 196 |
| Pre-shared Keys/Secret | p. 197 |
| Digital Signature with Certificates | p. 197 |
| Public Key Encryption and Revised Public Key Encryption | p. 198 |
| Phase II | p. 199 |
| Quick Mode | p. 199 |
| Primary Exchanges | p. 200 |
| Extended Exchanges | p. 202 |
| Key Material | p. 202 |
| Initialization Vectors (IVs) in Quick Mode | p. 204 |
| Other Phase Exchanges | p. 205 |
| New Group Mode | p. 205 |
| Notification Exchanges | p. 206 |
| IKE in Action | p. 209 |
| Router 1 Configuration | p. 210 |
| Explanation of the R1 Configuration | p. 210 |
| Router 2 Configuration | p. 213 |
| Explanation of the R2 Configuration | p. 213 |
| In Operation | p. 216 |
| Explanation of R1 Debug | p. 216 |
| Areas of Interest Within IKE | p. 227 |
| Phase I with Shared Secret | p. 228 |
| Denial of Service | p. 232 |
| More on UDP 500 Limitations | p. 233 |
| IKE, Algorithms, and the Creation of Keys | p. 234 |
| Public Keys and Certificate Hashes | p. 235 |
| Remote User Authentication Options | p. 236 |
| CRACK | p. 236 |
| Security Policies and the Security of VPNs | p. 241 |
| Security of Dial-in versus Continuous Internet Access | p. 242 |
| What Is on the Box | p. 243 |
| Connected All the Time | p. 244 |
| Common Operating System and Increased Vulnerabilities | p. 245 |
| More Time on the Internet, More Time for Attackers | p. 245 |
| Identification and Location | p. 246 |
| Connected to the Internet and the VPN | p. 246 |
| In Summary | p. 247 |
| The Next Step | p. 247 |
| Implementation Considerations | p. 251 |
| L2TP over IPSec | p. 252 |
| IPSec and L2TP Limitations | p. 253 |
| Information Security | p. 255 |
| SA Provisioning | p. 255 |
| IPSec Communication Policies | p. 256 |
| IPSec Policy Implementation Requirements | p. 257 |
| Microsoft IPSec VPN | p. 260 |
| Configuration of MS VPN | p. 261 |
| Advanced Configuration of MS VPN | p. 268 |
| Policies and Performance | p. 271 |
| Routing within VPNs | p. 273 |
| Standard Example | p. 278 |
| VPN Network | p. 280 |
| The Difference | p. 281 |
| Solution Models | p. 283 |
| Current Status of Routing and VPNs | p. 285 |
| Client Character | p. 286 |
| System Interaction | p. 286 |
| Helpdesk Opportunity | p. 287 |
| Centralized Control | p. 287 |
| Interoperability with Standard Applications | p. 288 |
| Client Deployment | p. 288 |
| Vendor-specific Considerations | p. 288 |
| Product Interoperability Considerations | p. 289 |
| Deployment Options | p. 290 |
| Key Encapsulation | p. 290 |
| Cost Issues | p. 290 |
| Product Evaluation | p. 293 |
| Business Drivers | p. 294 |
| Functionality | p. 295 |
| Application Support | p. 295 |
| Infrastructure Interactions | p. 296 |
| General Functionality Areas | p. 296 |
| Authentication Process | p. 296 |
| Existing Projects | p. 297 |
| Authentication Collateral | p. 297 |
| Vendor Integration | p. 298 |
| Manageability | p. 299 |
| Out-of-Band Management | p. 299 |
| Browser | p. 299 |
| SNMP | p. 300 |
| Proprietary | p. 300 |
| Security of the Management Application | p. 300 |
| Multiple Device Support | p. 300 |
| Client System Support | p. 301 |
| Operating System Support | p. 301 |
| Grading Methodology | p. 302 |
| Connections | p. 303 |
| Routing Protocol Support | p. 303 |
| Authentication Mechanisms | p. 304 |
| Client Functionality | p. 304 |
| Access Control | p. 304 |
| Scalability | p. 304 |
| Cost Information | p. 305 |
| Extra Effort | p. 305 |
| Lab Testing | p. 306 |
| Lab Setup | p. 306 |
| Report on IPSec | p. 307 |
| The Hybrid Report | p. 308 |
| Appendix | p. 323 |
| Etherpeek IKE Decode | p. 323 |
| IPSEC.TXR | p. 323 |
| Protocol Numbers | p. 330 |
| Assigned Internet Protocol Numbers | p. 330 |
| References | p. 333 |
| Index | p. 335 |
| Table of Contents provided by Syndetics. All Rights Reserved. |
