Internet Security Standards

Raymond R. Panko, University of Hawaii

Introduction

Security Threats

Penetration Attacks

Attacks on Dialogues

An IETF Focus on Dialogue Security

Dialogue Security

Confidentiality

Authentication and Integrity

Initial Authentication

Message-by-Message Authentication

Adding Overlay Security to Individual Dialogues

Cryptographic Protection Systems (CPSs)

PPP and PPTP VPNs

IPsec VPNs

SSL/TLS VPNs

Multilayer Security

Dialogue Security and Firewalls

Adding Security to Individual Internet Standards

A Broad IETF Commitment

Security and Vulnerabilities

The Core Three: IP, TCP, and UDP

Administrative Standards

Application Layer Standards

The State of Internet Security Standards

General Insecurity

The Broad IETF Program

The Authentication Problem

Protection from Denial-of-Service Attacks

Internet Forensics Standards

Glossary

Cross References

References

INTRODUCTION

When the Internet was created, security was left out of its TCP/IP standards. At the time, the crude state of security knowledge may have made this lack of security necessary, and the low frequency of attacks made this lack of security reasonable.

Today, however, security expertise is more mature. In addition, the broad presence of security threats on the Internet means that security today must be addressed deliberately and aggressively In 2004, between 5% and 12% of all sampled traffic moving across ISP networks was malicious (Legard, 2004).

This article describes two ways to add standards-based security ...