A Technical Guide to IPSec Virtual Private Networks

Book description

What is IPSec? What is a VPN? Why do they need each other? Virtual Private Network (VPN) has become one of the most recognized terms in our industry, yet there continually seem to be differing impressions of what VPNs really are and can become. A Technical Guide to IPSec Virtual Private Networks provides a single point of information that represents hundreds of resources and years of experience with IPSec VPN solutions. It cuts through the complexity surrounding IPSec and the idiosyncrasies of design, implementation, operations, and security. Starting with a primer on the IP protocol suite, the book travels layer by layer through the protocols and the technologies that make VPNs possible. It includes security theory, cryptography, RAS, authentication, IKE, IPSec, encapsulation, keys, and policies. After explaining the technologies and their interrelationships, the book provides sections on implementation and product evaluation. A Technical Guide to IPSec Virtual Private Networks arms information security, network, and system engineers and administrators with the knowledge and the methodologies to design and deploy VPNs in the real world for real companies.

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Other Auerbach Publications
  5. Dedication
  6. Foreword
  7. Acknowledgments
  8. Introduction
  9. Chapter 1: Getting Started
    1. Information Age
    2. The Internet
    3. Security Considerations
      1. Authentication
      2. Access Controls
      3. Data Integrity
      4. Confidentiality
      5. Non-Repudiation
    4. Policy
      1. Network Security Considerations
      2. The need for Security Policies
    5. The other Guys
    6. What does VPN Mean?
    7. Why are VPNs so Popular?
      1. Cost Savings
      2. Scalability
      3. Enhanced Communication Security
    8. Intended Audience
      1. Network Professionals
      2. Consultants
      3. Developers
      4. Technical Individuals
      5. What One Should Know
  10. Chapter 2: Technical Primer
    1. TCP/IP Quickie
      1. Common TCP/IP Networks
      2. Reference Models
      3. Communication Types
      4. Packet Structure
      5. Internet Protocol
      6. Transmission Control Protocol (TCP)
      7. User Datagram Protocol (UDP)
      8. Pseudo Headers
      9. Internet Control Message Protocol (ICMP)
      10. ARP and RARP
      11. Non-routable IP Addresses
      12. Network Address Translation (NAT)
    2. IPSec and TCP/IP Layers
    3. Other VPN Standards
      1. Layer 2 Tunneling Protocol (L2TP)
      2. Layer 3
      3. Upper Layers
    4. Cryptography
      1. Encryption
      2. Hash Function
      3. Message Authentication Code
      4. Hash-Message Authentication Code
  11. Chapter 3: IP Security Primer
    1. History
    2. Structure
    3. RFCs
      1. Clients and Networks
      2. What is an SA?
      3. Authentication Header
      4. Encapsulating Security Payload
      5. Shims and Virtual Adapters
      6. Operating Systems Support
    4. Operations Within the Standard
      1. Two Distinct Operations
      2. Two Distinct Modes
    5. VPNs and Policies
  12. Chapter 4: Cryptography
    1. History
    2. Symmetrical Encryption
      1. Typical Symmetrical Algorithms
    3. Asymmetrical Encryption
      1. What is PKI?
      2. Effective PKI
      3. Third-Party Trust
      4. PKI Requirements
      5. Certificate Validation Process
    4. Message Authentication
      1. Authentication Basis
      2. Hash Function
      3. Message Authentication Code (MAC)
      4. Digests over Encryption
    5. Diffie-Hellman
    6. Perfect Forward Secrecy
  13. Chapter 5: Implementation Theory
    1. Moving to the Internet
      1. WAN Augmentation
      2. WAN Replacement
    2. Remote Access
      1. Current Remote Access Technology
      2. VPN Revolution
    3. LAN Security Augmentation
    4. Performance Considerations
      1. The Internet
      2. The Security
      3. The System
      4. Implemented Versus Required
    5. Network Address Translation
  14. Chapter 6: Authentication
    1. Pre-Shared Secret
    2. Digital Signatures
    3. Public Key Encryption
      1. Remote User Authentication
      2. History
      3. IPSec and Remote Authentication
      4. Authentication Protocols
  15. Chapter 7: IPSec Architecture
    1. Security Associations
      1. IKE Security Associations
      2. IPSec Security Associations
      3. Security Parameter Index (SPI)
      4. Security Policy Database (SPD)
      5. Selectors
      6. Security Association Database
      7. SA Configurations
    2. Transport Mode
      1. Availability Versus Standards
    3. Tunnel Mode
    4. Remote Access, Routing, and Networks
      1. IP Pools and Networks
      2. Acting as a Router Versus a Bridge
      3. Finding Gateways with Maps
    5. Vendor Modes and Remote Access
      1. Split Tunnel
      2. Single Tunnel
    6. Hybrid Tunnel Realization
      1. Reverse VPN NAT
      2. Map-Based Routing Table
      3. Arguments
    7. Implementation Considerations of Tunnel Types
    8. Data Fragmentation
      1. Discovery with ICMP
    9. Compression within IPSec
    10. Replay Protection
      1. Wrap-around
  16. Chapter 8: Security Protocols
    1. Encapsulating Security Payload (ESP)
      1. ESP Header Definition
      2. ESP Placement
      3. Process Execution
      4. ESP Authentication and Replay Protection
      5. Changes from Previous RFC
    2. Authentication Header (AH)
      1. AH Placement
      2. Process Execution
      3. The Purpose of AH
      4. Changes from Previous RFC
  17. Chapter 9: Key Management
    1. The Role of Key Management
      1. Manual Key Management
      2. Automatic Key Management
    2. Creating IKE for IPSec
      1. ISAKMP
      2. Oakley
      3. SKEME
      4. Phases and Modes
    3. ISAKMP Framework
    4. ISAKMP Header
      1. Generic Payload Header
      2. Security Association Payload
      3. Proposal Payload
      4. Transform Payload
      5. Identification Payload
      6. Certificate Payload
      7. Certificate Request Payload
      8. Notification Payload
      9. Delete Payload
      10. Information Attributes
      11. Other Payloads
    5. Phase One
      1. Main Mode
      2. Aggressive Mode
      3. Base Mode
    6. Phase Two
      1. Quick Mode
    7. Other Phase Exchanges
      1. New Group Mode
      2. Notification Exchanges
  18. Chapter 10: IKE in Action
    1. Router 1 Configuration
      1. Explanation of the R1 Configuration
    2. Router 2 Configuration
      1. Explanation of the R2 Configuration
    3. In Operation
      1. Explanation of R1 Debug
  19. Chapter 11: Areas of Interest within IKE
    1. Phase I with Shared Secret
    2. Denial of Service
    3. Commit Bit
    4. IKE, Algorithms, and the Creation of Keys
    5. Public Keys and Certificate Hashes
    6. Remote User Authentication Options
      1. CRACK
  20. Chapter 12: Security Policies and the Security of VPNs
    1. Security of Dial-in versus Continuous Internet Access
    2. What is on the Box
    3. Connected all the Time
    4. Common Operating System and Increased Vulnerabilities
      1. More Time on the Internet, More Time for Attackers
      2. Identification and Location
      3. Connected to the Internet and the VPN
      4. In Summary
    5. The Next Step
  21. Chapter 13: Implementation Considerations
    1. L2TP over IPSec Considerations
      1. IPSec and L2TP Limitations
    2. Information Security
      1. SA Provisioning
    3. IPSec Communication Policies
      1. IPSec Policy Implementation Requirements
      2. Microsoft IPSec VPN
    4. Routing within VPNs
      1. Standard Example
      2. VPN Network
      3. The Difference
      4. Solution Models
      5. Current Status of Routing and VPNs
    5. Client Character
      1. System Interaction
      2. Helpdesk Opportunity
      3. Centralized Control
      4. Interoperability with Standard Applications
    6. Client Deployment
      1. Vendor-specific Considerations
      2. Product Interoperability Considerations
      3. Deployment Options
      4. Key Encapsulation
      5. Cost Issues
  22. Chapter 14: Product Evaluation
    1. Business Drivers
      1. Functionality
      2. Authentication Process
      3. Vendor Integration
      4. Manageability
      5. Client System Support
    2. Grading Methodology
      1. Connections
      2. Routing Protocol Support
      3. Authentication Mechanisms
      4. Client Functionality
      5. Access Control
      6. Scalability
      7. Cost Information
      8. Extra Effort
      9. Lab Testing
      10. Lab Setup
  23. Chapter 15: Report on IPSec
    1. The Hybrid Report
  24. Appendix
    1. Etherpeek IKE Decode
      1. IPSEC.TXT
    2. Protocol Numbers
      1. Assigned Internet Protocol Numbers
      2. References

Product information

  • Title: A Technical Guide to IPSec Virtual Private Networks
  • Author(s): James S. Tiller
  • Release date: July 2017
  • Publisher(s): Auerbach Publications
  • ISBN: 9781135516680