Internet security protocols : protecting IP traffic

This is a complete networking professional's guide to providing end-to-end Internet security where it matters most: at the packet level. World-recognized networking consultant Uyless Black covers every essential Internet security protocol, and virtually every IP application, including data, voice, multicast, and video. Black begins by reviewing the key security risks associated with the Internet and Internet applications, including risks to privacy, secrecy, and confidentiality; risks to the integrity of information and accurate authentication; and the need for access control and non-repudiation of transactions. Understand the role of firewalls and security policies and procedures; then review each key Internet security protocol. Black covers dial-in authentication including RADIUS and DIAMETER; VPN IPSec security; the Internet Key Distribution, Certification, and Management system (ISAKMP); Internet Key Exchange; and more. The book includes detailed coverage of security in mobile networks, and explains how Diffserv can be used to establish different levels of security for different types of traffic. For all experienced networking and communications professionals.

(NOTE: Each chapter concludes with a Summary.) 1. Introduction. Security Problems. How Pervasive Are Security Attacks? Types of Security Services. Introduction to the Firewall. The Security Policy. Trusted and Untrusted Networks. Security and Risk Management. Virtual Private Networks (VPNs). The Modern VPN. VPNs and SLAs. The Debate of Privacy vs. Law Enforcement. 2. Types of Security Violations. Types of Security Problems. Denial of Service: Attacks and Counter-Attacks. Virus. Worm. Clogging or Flooding. Trojan Horse. Bomb. Trap Door. Salami. Replay Violations. Cookies. Applets and Sandboxes. Other Problems. 3. Basic Security Concepts. How Secure Is Secure? Definitions. Encryption and Decryption. Basic Encryption and Decryption Methods. The German Enigma Machine. Substitution and Transposition. One-Way Functions and Modular Arithmetic. Example of a One-Way Function. The Diffie-Hellman Idea Using Modular Arithmetic. The Hash Function. Use of a One-Way Hash Function. Randomness of Keys. Randomness or Lack Thereof Equals the Demise of a Crypto System. Key Problem: Exchanging Keys. Awkwardness of Key Distribution. The Asymmetric Key. Use of the Asymmetric Keys in Reverse Order. Asymmetric Keys for Privacy. Asymmetric Keys for Authentication: The Digital Signature. The Next Step: RSA. The RSA Key Pairs. Key Transport and Key Generation. Message Authentication Code (MAC) and Key Hashing. Putting Together the Security Functions. Paul Zimmerman and Pretty Good Privacy (PGP). PGP's Use of Key Certificates. Example of a PGP Public Key. OpenPGP. Perfect Forward Secrecy (PFS). Man-in-the-Middle Attack. Certification. The Certification Procedure. Anti-Replay Measures. Security in a Mobile Network. Authentication. Privacy Operations. 4. Firewalls. What Is a Firewall? Protection from Untrusted Networks. Permitting and Denying Services. What Firewalls Can Do and Cannot Do. Packet Filtering. Proxy or Application Firewalls. NCSA Guidance. Managed Firewall Services (MFWS). Evaluating a Firewall Service Provider. Firewalls with Internet Security Protocols (IPSec). SOCKS. 5. Prominent Internet Security Procedures. Diffie-Hellman. Diffie-Hellman and RFC 2631. Rivest, Shamir, and Adleman (RSA). RSA in RFC 2437. MD5. MD5 Vulnerabilities? RFC 2537: RSA, MD5, and DNS. RSA Public KEY Resource Records. RSA/MD5 SIG Resource Records. Performance Considerations. The Secure Hash Standard (SHA-1) and The Secure Hash Algorithm (SHA). RIPEMD-160. Comparisons of MD5, SHA-1, RIPEMD-160, and MD5-HMAC. HMAC. Performance and Security of HMAC. HMAC with IPSec. The OAKLEY Key Determination Protocol. Beyond Diffie-Hellman and STS. OAKLEY Key Exchange Processing. The Essential Key Exchange Message Fields. 6. PPP, ECP, TLS, EAP, DESE-bis, and 3DESE. PPP and HDLC. LCP. General Example of PPP Operations. PPP Phase Diagram. Link Dead (Physical Layer Not Ready). Link Establishment Phase. Authentication Phase. Network Layer Protocol Phase. Link Termination Phase. LCP Packets. Configure-Request. Configure-Ack. Configure-Nak. Configure-Reject. Terminate-Request and Terminate-Ack. Code-Reject. Protocol-Reject. Echo-Request and Echo-Reply. Discard-Request. Other Supporting Cast Members for PPP Security Services. Transport Layer Security Protocol (TLS). Goals of TLS. PPP Encryption Control Protocol (ECP). PPP Extensible Authentication Protocol (EAP). PPP DES Encryption Protocol, Version 2 (DESE-bis). Configuration Option for ECP. Packet Format for DESE. PPP Triple-DES Encryption Protocol (3DESE). The Algorithm. Keys. 3DESE Configuration Option for ECP. Packet Format for 3DESE. 7. Dial-in Operations with PAP, CHAP, RADIUS and DIAMETER. PAP and CHAP. PAP. Key Aspects of PAP. CHAP. CHAP Messages. RADIUS. RADIUS Configuration. Example of a RADIUS Message Exchange. Use of UDP. RADIUS Message Format. RADIUS Attributes. Examples of RADIUS Operations. Problems with RADIUS. DIAMETER. DIAMETER Message Formats. Message Header. Message Body for the AVP. DIAMETER-Command AVP. Message-Reject-Ind Command. Approach to the Remainder of Message Descriptions. Basic Operations. DIAMETER Support of Dial-Ins To/From SS7. Session Setup Messages Signaling Gateway/ NAS Controller Interaction. Message Exchanges Examples. 8. IPSec Architecture. Basics of IPSec. IPSec Services. IPSec Traffic Security Protocols. Security Association (SA) Databases. The IPSec Tunnel. The Security Association (SA). Cases of Security Associations: A General View. Types of SAs: Transport Mode and Tunnel Mode. Combining Security Associations: A More Detailed View. Placements of IPSec. The IPSec Databases. Selectors and SAD/SPD Operations. Destination IP Address. Source IP Address. Name. Transport Layer Protocol. Source and Destination Ports. Selectors and SAD/SPD Entries. Looking Up the SA in the SAD. Examples of IPSec Sending and Receiving Operations. Selecting and Using an SA or SA Bundle. 9. The IPSec AH and ESP Protocols. Services of the IPSec Protocols. Integrity Check Value (ICV). Relationships of AH, ESP, and the Transport and Tunnel Modes. Handling Mutable Fields. Protection Coverage of the AH and ESP Packets. AH Protection. Services and Operations of AH. RFC 1826. RFC 2402. Integrity Check Value (ICV) for Outbound Packets. Integrity Check Value (ICV) for Inbound Packets. Services and Operations of ESP. ESP Protection. RFC 1827. RFC 2406. Outbound Packet Processing. Inbound Packet Processing. AH and ESP and the "Cases." IP Addressing in the Headers. Construction of the ESP Packet. Header Construction for Tunnel Mode. HMAC Applied to AH and ESP. MD5-HMAC-96 within ESP and AH. MHAC-SHA-1-96 within ESP and AH. IPSec and NAT. 10. The Internet Key Distribution, Certification, and Management. What Is Public Key Infrastructure (PKI)? Certificates and Certification Authorities (CAs). Support for Non-Repudiation. Key Backup and Recovery. Using Two Key Pairs. Key Update and Management of Key Histories. Certificate Repositories and Certificate Distribution. Cross-Certification. ISAKMP, ISAKMP DOI, and IKE. ISAKMP. The "Protection Suite." Other Thoughts on Key Exchange. ISAKMP Negotiation Phases. Messages. The Generic Header. Data Attributes. The Payloads. OAKLEY and ISAKMP. Examples of ISAKMP Negotiations. The Base Exchange. The Identity Protection Exchange. Authentication Only Exchange. The Aggressive Exchange. ISAKMP Domain of Interpretation (DOI). IPSec/ISAKMP Payloads. 11. Internet Key Exchange (IKE). IKE Basics. Definitions. Perfect Forward Secrecy. Aspects of IKE and ISAKMP. Modes to Establish Authenticated Key Exchange. Main Mode. Aggressive Mode. Quick Mode and New Group Mode. Four Methods Used with Main or Aggressive Mode. Examples of IKE Message Exchanges. Phase One: Authenticated with Signatures. Phase One: Authenticated with Public Key Encryption. Phase One: Authenticated with a Revised Mode of Public Key Encryption. Phase One: Authenticated with a Pre-Shared Key. Phase Two: Quick Mode. New Group Mode. ISAKMP Informational Exchanges. Oakley Groups. Messages for a Complete IKE Exchange. Phase Two Using Quick Mode. IPSec, NAT, and IKE. Examples of PKI Vendors. 12. Security Operations in a Mobile Network. The IS-41-C Specification. The IS-41-C Model. The Five Security/Privacy Operations. Authentication Parameters. Authentication of Mobile Station Registration Procedures. The Parameters. At the Air Interface. On the Network Side. Unique Challenge-Response Procedures. The Parameters. At the Air Interface. On the Network Side. Authentication of Mobile Station Originating a Call. The Parameters. At the Air Interface. On the Network Side. Authentication of Call to a Terminating Mobile Station. The Parameters. At the Air Interface. On the Network Side. Updating the Shared Secret Data (SSD). The Parameters. At the Air Interface and on the Network Side. Chapter13Follow-Ups to This Book. Appendix A: Coding for Prominant Security Functions. Appendix B: Network Address Translation (NAT). Abbreviations. Index.