A Technical Guide to IPSec Virtual Private Networks / Edition 1 available in Paperback
What is IPSec? What's a VPN? Why do they need each other? Virtual Private Network (VPN) has become one of the most recognized terms in our industry, yet there continue to be different impressions of what VPNs really are and can become.
A Technical Guide to IPSec Virtual Private Networks provides a single point of information that represents hundreds of resources and years of experience with IPSec VPN solutions. It cuts through the complexity surrounding IPSec and the idiosyncrasies of design, implementation, operations, and security.
Starting with a primer on the IP protocol suite, the book travels layer by layer through the protocols and the technologies that make VPNs possible. It includes security theory, cryptography, RAS, authentication, IKE, IPSec, encapsulation, keys, and policies.
After explaining the technologies and their interrelationships, the book provides sections on implementation and product evaluation. A Technical Guide to IPSec Virtual Private Networks arms information security, network, and system engineers and administrators with the knowledge and the methodologies to design and deploy VPNs in the real world for real companies.
Publisher: Taylor & Francis
Edition description: New Edition
Product dimensions: 7.00(w) x 10.00(h) x 0.70(d)
Read an Excerpt
1. Getting Started
The Internet, its speed, reliability, and the access to it have all expanded beyond every expectation set in the early years. The Internet has fueled the changes one sees in telecommunications, and the interaction between people, organizations, and countries has been affected.
During the explosive growth, many were asking how they could exploit the Internet and the timeless communication it provides. First, the baby steps were Web pages and e-mail. Then, as people gained interest in what was being sold through these virtual displays, it expanded into providing access to the commodity for the customer. The simple commerce soon expanded into sharing information for vendor interaction to provide virtual warehousing and reduced time to market for new merchandise.
To accomplish the development and dependency that organizations have on Internet communications, a new form of connectivity was required that could provide confidence in privacy, and remain inexpensive and scalable to accommodate the foreseeable future requirements.
Virtual private networks (VPNs) were developed to fill this gap and provide for secure communications over the Internet, or any untrusted network. The result was a process that required few system or communication modifications and promised to protect communication to anywhere in the world.
The introduction of the computer into everyday activities was the turning point of the 20th century. Throughout history, there have been decisive milestones in the advancement of human society. The ability to create and use tools, then metallurgy and chemistry, and soon the industrial revolution solidified a working social environment.
The computer, at least the personal computer, opened a window of new opportunities for individuals to accomplish things never really considered before. By the time personal computers became a reality, computers were already being used for collective processing and huge number crunching. Only the guys with white jackets were allowed to watch all the lights. The PC made the computer accessible to people, and those people who were exposed to it included entrepreneurs who saw opportunity.
Nearly overnight, computers were at people's desks instead of typewriters, and people were using them to accomplish complicated tasks in a reduced amount of time and with increased accuracy. Tasks that seemed out of reach for small businesses just a short time earlier were now attainable. Soon, the data became increasingly complex and large, requiring more computers and educated people to operate and manage them. As this expanded, the information became an integral part of business success, and the protection of that data soon became a focal point for some organizations.
It was at this point, when assets veered away from machines, widgets, and warehouses to data, that the information age was born. Data is nearly everything. This seems logical - data is knowledge, and knowledge typically equates to money. Anything from a new drug formula, or the research that founded its production, to a set of architectural plans for a new house or a fighter wing, to the daily news or the stock value of a remote company in the China highlands - information has become the universal ether that surrounds us. People no longer simply work with it; they react to it and base nearly everything on it.
For society to operate and use the information, it must be communicated and controlled. The communication of information has advanced very rapidly over the last few years. Technological advancements, driven by the desire to move information faster today than yesterday, were matched with massive amounts of money to create larger and farther-reaching information communications than ever before. However, during this same timeframe, but unfortunately not nearly as fast, the security of the communications was questioned. This is reminiscent of an old TV commercial where the formula for Coke passes the formula for Pepsi in a cloud of digital communications. The poetic truth is now realized, many years after the airing of that commercial: information can be very valuable.
Since the first browser was used to provide a graphical interface for obtaining information from the Internet, the number of users and services has exploded. The Internet moved quickly and people and businesses realized the opportunities and potential of the Internet. Today, the Internet is firmly established as a basic requirement for business and social interaction; much like the telephone, it is expected almost anywhere one goes. Opportunities became very evident and opened an infinite variety of applications for business and personal endeavors.
The information coursing through the Internet evolved, seemingly overnight, from e-mail and basic Web browsing to much more sophisticated applications. Data that was being passed was becoming increasingly private and sensitive to the well-being of the original communication parties. Data that used to appear only on certain servers residing on internal networks was being accessed from across the country, moving through completely unknown territory.
As with any positive, there must be a negative. As technology increased and the use of the Internet for private interaction proliferated, criminals grew with that technology. Soon it was evident that deliberate abuse of the Internet could become a powerful weapon to cause disruption or increase personal wealth. A relationship developed between the development of technology to increase communication possibilities and the criminal's ability to take advantage of them. Criminals discovered vulnerabilities at an astounding rate. As processes and applications were implemented to mitigate the new threats, new ones would be discovered, and those too would require steps to protect information from the new vulnerability. This process of find-and-fix-and-find-again has not stopped. The constant pushing toward ultimate communication and discoveries of new technologies will certainly breed a continuous flow of unforeseen weaknesses.
However, the vulnerabilities can be reduced with certain technologies that address one aspect of the communication. A well-defined set of protection measures can provide enough defense against theoretical types of attack to carry into the next form of technology. IPSec is a perfect example of protection measures that can remain applied at a certain level within the communication and allow other aspects of the communication to evolve. IPSec has become a robust foundation that appears to be applicable for many years to come.
Communication technology has eliminated the basic level of interaction between individuals. For two people talking in a room, it can be assured - to a degree - that the information from one individual has not been altered prior to reaching the listener's ears. It can also be assumed that the person who is seen talking is the originator of the voice that is being heard. This example is basic, assumed, and never questioned - it is trusted. However, the same type of communication over alternate media must be closely scrutinized due to the massive number of vulnerabilities to which the session is exposed.
Computers have added several layers of complexity to the trusting process, and the Internet has introduced some very interesting vulnerabilities. With a theoretically unlimited number of people on a network, the options for attacks are similarly unlimited. As soon as a message takes advantage of the Internet for a communication medium without several layers of protection, all bets are off.
Authentication is a service that allows a system to determine the identity of another entity that has presented its credentials. Authentication is the basis of many security mechanisms and some designs authenticate both parties in the communication.
Authentication is based on one, two, or three factors. The mantra of authentication is that it is based on something the user knows, something the user has, and something the user is. A good example of two-factor authentication is where users have something they know and something they have, such as a token. Users provide what they know, a username and password, combined with something they have, such as a number generated from a token. The number validates the possession of the token, which further validates the user with the name and password supplied.
The something the user knows is typically a password, pass phrase, or a Personal Identification Number (PIN) whose value only that person should know. Combine the personal knowledge of a private number or word with something the user has. This is typically associated with a token. Either one of these can be used in conjunction with something the user is. This is referred to as biometrics, the identification based on physical attributes. Biometrics can operate in many ways that range from entering a username or code in combination with a scan, or it can include something the user has, such as an access card.
There are several forms of authentication mechanisms used in nearly every aspect of system access. In the realm of IPSec and VPNs, the highest level currently being used is two-factor authentication. With most solutions, the protocol to include a token-generated number is nothing more than an extended use of CHAP or PAP, which are well-suited for remote access. However, in investigating IPSec remote access solutions more closely, one sees that there is absolutely no standard that provides for these extended authentication mechanisms. What is available today is simply what the vendor felt was the best technology that fit the proposed solution. In the absence of a standard, anything is fair game...
Table of Contents
Know the Terrain
The Other Guys
Why are "VPNs" So HOT?
IP Security Primer
Quality of Service
Message Authentication Code
Perfect Forward Secrecy
Domain of Interpretation
Public Key Cryptography
Encapsulating Security Payload
The Role of Key Management
Creating IKE for IPSec
Network to Network
Client to Network
Most Helpful Customer Reviews
This is a very good book! Written very simply, yet concisely. I work with VPNs on a daily basis and find the book to be an amazing resource. Highly recommended for the experienced network admin or someone seeking to know more about VPNs in general.
Very informative and direct for the answers I was looking for.
Book is technically sound. Author depicts a strong command of secure technologies.
Mr. Tiller has great command of knowledge in this field. Very insightful yet easy to read.
I love the way this author breaks down VPNs into plain, easy to comprehend reading. With more and more companies scrambling to secure the company confidential information of their 'telecommuting' workforce, this book is going to help the IT professional understand how it is done. Great Job Mr. Tiller!
I was lucky enough to come across this book at a book show in New York. I am happy to see that an author has seen fit to properly address what is becoming a hot technology for enterprise businesses as well as service providers. Mr. Tiller obviously speaks from the voice of experience, as opposed to some works I have seen which are products of cut-and-paste artists. I particularly enjoyed the section on IKE. This is a commonly misunderstood yet essential component in any secure remote access architecture. The book is easy enough for most security neophytes to understand yet still meaty enough to satisfy and teach veteran bit-heads. Read this book and then keep it nearby. I hope the author has more books planned; this was great.