| |
| |
| Preface | |
| |
| |
| Introduction | |
| |
| |
| About This Book | |
| |
| |
| Intended Audience | |
| |
| |
| How This Book is Organized | |
| |
| |
| How to Use This Book | |
| |
| |
| From Intranets to Extranets to Virtual Private Networks: A Virtual Evolution | |
| |
| |
| Private Networks vs. Virtual Private Networks: Exploring Network Security | |
| |
| |
| Legacy Systems and the LAN Paradigm | |
| |
| |
| The Traditional Business Model: The End of an Era | |
| |
| |
| Redefining the Business World: A Manic Moment | |
| |
| |
| The DP Manager: From Corporate Czar to Scapegoat | |
| |
| |
| LANs: A New Information System Paradigm | |
| |
| |
| The Performance Model Unveiled | |
| |
| |
| Performance Analysis | |
| |
| |
| Cause Analysis | |
| |
| |
| Resolution Analysis | |
| |
| |
| The New Paradigm in Action | |
| |
| |
| The Learning Organization | |
| |
| |
| Private Networks: Fortresses of Solitude | |
| |
| |
| Private Networks Defined | |
| |
| |
| Private Networking with ISPs | |
| |
| |
| Firewalls and Other Perimeter Defenses | |
| |
| |
| Concentric Layers of Encryption | |
| |
| |
| Electronic Passports | |
| |
| |
| The Price of Global Privacy | |
| |
| |
| Private Networks: The Backward Evolution of Intranets | |
| |
| |
| The Technology Adoption Cycle of Private Networks | |
| |
| |
| The Impact of Hackers and Other Network Interlopers | |
| |
| |
| The Cost of a Private War | |
| |
| |
| Extranets: The Forward Evolution of Intranets | |
| |
| |
| Bringing your Business Partners, Suppliers, and Customers Online | |
| |
| |
| A Classic Example | |
| |
| |
| The Future of Intranets | |
| |
| |
| Virtual Private Networks: Where Extranets End and VPNs Begin | |
| |
| |
| VPNs: An Extranet of Another Variety | |
| |
| |
| Virtual Private Networks: The Magic WAN | |
| |
| |
| VPNs and Firewalls: A Marriage Made in Cyberspace | |
| |
| |
| The Reality of VPNs | |
| |
| |
| Why VPNs Will Proliferate | |
| |
| |
| Politics: Who's in the Fray | |
| |
| |
| Speaking of Ubiquity...Microsoft | |
| |
| |
| NT: The New Operating System of Choice for Firewalls | |
| |
| |
| NT Bugtraq Web Site | |
| |
| |
| The Debacle of PPTP | |
| |
| |
| Cisco's Layer 2 Forwarding (L2F) Protocol | |
| |
| |
| The Economics of VPNs | |
| |
| |
| De Facto and Emerging Standards | |
| |
| |
| Tunneling Protocols | |
| |
| |
| The Arrival of Secure IP, aka. IP Security or IPSec | |
| |
| |
| IPSec Security Protocols and Encryption | |
| |
| |
| IPSec Transport Mode Security Association | |
| |
| |
| IPSec Tunnel Mode Security Association | |
| |
| |
| IPSec Key Exchange and Key Management | |
| |
| |
| The Layer 2 Tunneling Protocol (L2TP) | |
| |
| |
| Crossing the Firewall Divide with SOCKS | |
| |
| |
| User Authentication | |
| |
| |
| Remote Authentication DiaHn User Service (RADIUS) | |
| |
| |
| Strong User Authentication | |
| |
| |
| Two-Factor User Authentication: SecurID and CRYPTOCard | |
| |
| |
| S/KEY | |
| |
| |
| X.509 Digital Certificate Standard | |
| |
| |
| Data Authentication and Integrity | |
| |
| |
| The Digital Signature Process | |
| |
| |
| Cryptographic Hash/Digest Function | |
| |
| |
| Certificate Authorities and Public Key Infrastructure | |
| |
| |
| Encryption Schemes | |
| |
| |
| Private Key (Symmetric) Cryptosystem | |
| |
| |
| Pubic Key (Asymmetric) Cryptosystem | |
| |
| |
| Key Management Protocols | |
| |
| |
| ISAKMP/IKE--The Mother Lode | |
| |
| |
| Authenticating Users with ISAKMP | |
| |
| |
| Applying Digital Signatures through ISAKMP | |
| |
| |
| Security Associations and ISAKMP | |
| |
| |
| ISAKMP vs. SKIP | |
| |
| |
| Hacker Attacks and Security Breaches: A Primer | |
| |
| |
| Hacker Attacks for the Hall of Fame | |
| |
| |
| The New Cold War | |
| |
| |
| The Economic and Political Reality | |
| |
| |
| Speaking of Irony, Russia Attacks Citibank | |
| |
| |
| The Sniffer Software Caper | |
| |
| |
| The Berlin Firewall | |
| |
| |
| The Texas "Firewall" Massacre | |
| |
| |
| The Bank of London Held Hostage | |
| |
| |
| Sponsored Break-in by RSA | |
| |
| |
| How They Do It | |
| |
| |
| How Firewalls Are Breached | |
| |
| |
| Brute-Force and Trojan Horse Attacks | |
| |
| |
| Java Applets and ActiveX Controls Security Holes | |
| |
| |
| Telltale Signs That You've Been Breached | |
| |
| |
| Popular Attacks | |
| |
| |
| IP Address Spoofing | |
| |
| |
| IP Address Spoofing with Active Host | |
| |
| |
| IP Source Routing | |
| |
| |
| Java and ActiveX Attacks | |
| |
| |
| How Sniffer Software Programs Work | |
| |
| |
| TCP Attacks | |
| |
| |
| Ping of Death | |
| |
| |
| Other Attacks | |
| |
| |
| Recommended Web Sites | |
| |
| |
| The Java Security Site | |
| |
| |
| The ICSA Site | |
| |
| |
| When Firewalls Fail: Coping with the Aftermath | |
| |
| |
| Refiguring Your Misconfiguration | |
| |
| |
| Apathy: The Fastest Way to Get Burned | |
| |
| |
| Dial-in for Firewalls | |
| |
| |
| Incoming Traffic: The Smoke Alarms of Firewalls | |
| |
| |
| Software Upgrades: Fuel for Firewalls | |
| |
| |
| Key Firewall Web Sites | |
| |
| |
| Going Under The Hood | |
| |
| |
| The Technology of VPNs | |
| |
| |
| Private Information Highways | |
| |
| |
| How Do They Work? | |
| |
| |
| Dynamic Exchange through Public Key Algorithms | |
| |
| |
| Weak vs. Strong User Authentication | |
| |
| |
| Progression Authentication Techniques | |
| |
| |
| Data Authentication (Integrity Check) | |
| |
| |
| Size Does Matter | |
| |
| |
| IPSec (IP Security) Encryption Technology Implementations | |
| |
| |
| ISAKMP/IKE Key Management and Exchange between Endpoints | |
| |
| |
| Layer 2 Tunneling Protocol (L2TP) | |
| |
| |
| SOCKS Regaining Its Footing | |
| |
| |
| The Architecture, Technology, and Services of Firewalls | |
| |
| |
| Mapping the Open Systems Interconnection (OSI) Model | |
| |
| |
| Packet Filtering Approaches | |
| |
| |
| Simple Packet Filtering Systems | |
| |
| |
| Stateful Packet Filtering Architecture | |
| |
| |
| Circuit-Level Architecture | |
| |
| |
| Application Proxy Approach | |
| |
| |
| Stateful Inspection Technology | |
| |
| |
| Application Proxy Technology | |
| |
| |
| Standard Features | |
| |
| |
| Network Address Translation | |
| |
| |
| Address Hiding | |
| |
| |
| Address Transparency | |
| |
| |
| Access Control | |
| |
| |
| System Load Balancing among Gateways | |
| |
| |
| Event/Connections Logging | |
| |
| |
| Antispoofing Feature | |
| |
| |
| Router Management | |
| |
| |
| Third-Party Support and Interoperability | |
| |
| |
| Basic Services and Protocols Supported | |
| |
| |
| Security Proxy Concepts | |
| |
| |
| Key Service Offerings | |
| |
| |
| Secure Web Browsing: HTTP Security | |
| |
| |
| Secure Email: SMTP Security | |
| |
| |
| Secure Domain Name System (DNS) Server | |
| |
| |
| File Transfer Protocol Server | |
| |
| |
| Stateless Protocols Security Server | |
| |
| |
| URL Screening and Selective Blocking Server | |
| |
| |
| Innovative Firewall Implementations | |
| |
| |
| Firewall Innovation Drivers | |
| |
| |
| The Lucent "Brick" | |
| |
| |
| Optical Data Systems' Screaming Demon Firewall | |
| |
| |
| WatchGuard's Fancy Firewall Solution | |
| |
| |
| Outsourcing Firewall/VPN Management | |
| |
| |
| Epilogue: Firewalls that Include Everything, but the Kitchen Sink | |
| |
| |
| Other Key VPN Concepts and Technologies | |
| |
| |
| Content Vectoring Protocol | |
| |
| |
| Applying Digital Signatures to Diffie-Hellman with RSA | |
| |
| |
| Key Exchange Properties according to ISAKMP | |
| |
| |
| Smart Cards | |
| |
| |
| TACACS+: Yet Another System for User Authentication | |
| |
| |
| Lightweight Directory Access Protocol (LDAP) | |
| |
| |
| Exploring VPN and Firewall Security Policy Concepts | |
| |
| |
| Enterprisewide Security Management | |
| |
| |
| Rule Base Editor | |
| |
| |
| Rule Base Attributes in Packet-Filtering Systems | |
| |
| |
| Rule Base Attributes in Application Proxy Systems | |
| |
| |
| Object Classes and Management | |
| |
| |
| Characteristics of Centralized Security (Rule Base) Management | |
| |
| |
| Centralized Management and Control | |
| |
| |
| Optimal Deployment of Security Gateways | |
| |
| |
| Network Traffic Logging and Monitoring | |
| |
| |
| Real-Time Event Alerting and Notification | |
| |
| |
| Special Features | |
| |
| |
| Synchronization of Firewall Modules | |
| |
| |
| Suspicious Activity Monitoring | |
| |
| |
| Exploring the Logic of Rule Base Editors | |
| |
| |
| External Users Send Emails to Local Users | |
| |
| |
| Local Users Access Entire Network | |
| |
| |
| Implicit Communication Drop on Login | |
| |
| |
| "Stealthing" the Gateway | |
| |
| |
| Translating More-Complex Policy into Rules | |
| |
| |
| Select User Access to Select Services at Specific Time | |
| |
| |
| VPN Performance Considerations and Review | |
| |
| |
| Performance in the Real World | |
| |
| |
| The VPN Performance Challenge | |
| |
| |
| Inherent Performance Factors of VPNs | |
| |
| |
| Other Performance Considerations | |
| |
| |
| VPN Implementations And Business Assessment, Just For The Record | |
| |
| |
| VPN Implementations: Evaluating Your Business Needs | |
| |
| |
| Configuring Your Organization's VPN Checklist | |
| |
| |
| General Implementation Considerations | |
| |
| |
| User Access Considerations | |
| |
| |
| Security Requirements | |
| |
| |
| User Authentication Desired | |
| |
| |
| Client/Server Considerations | |
| |
| |
| Let's Test Your Mettle | |
| |
| |
| VPN Business Assessment: Multinational and Large Enterprises | |
| |
| |
| Multinational Enterprises/Corporations | |
| |
| |
| Business Goals | |
| |
| |
| Organization Considerations | |
| |
| |
| Pinpointing Worldwide Communications Requirements | |
| |
| |
| Private Networks vs. VPNs | |
| |
| |
| Attack of the 56K Monsters | |
| |
| |
| Large Corporations | |
| |
| |
| Business Goals | |
| |
| |
| Organization | |
| |
| |
| Pinpointing Enterprisewide Communications Requirements | |
| |
| |
| Private Networks vs. VPNs | |
| |
| |
| Last-Minute Considerations | |
| |
| |
| VPN Business Assessment: Small/Medium Companies | |
| |
| |
| Business Goals | |
| |
| |
| Organization | |
| |
| |
| Pinpointing Communications Requirements | |
| |
| |
| Private Networks vs. VPNs | |
| |
| |
| A Few Additional Considerations | |
| |
| |
| Solutions Of VPN Providers | |
| |
| |
| The Playing Field | |
| |
| |
| VPN Architecture Implementation | |
| |
| |
| Client-to-LAN Implementation Review | |
| |
| |
| LAN-to-LAN Implementations | |
| |
| |
| Security Services | |
| |
| |
| Tunneling Protocols Supported | |
| |
| |
| IPSec Certification | |
| |
| |
| Encryption and Data Authentication | |
| |
| |
| Key Management Considerations | |
| |
| |
| User Authentication Implementations | |
| |
| |
| Two-Factor User Authentication | |
| |
| |
| Three-tier Strong User Authentication | |
| |
| |
| Management and Administration | |
| |
| |
| Intruder Alert | |
| |
| |
| VPN Performance | |
| |
| |
| Let's Configure a Firewall | |
| |
| |
| Setting the Stage | |
| |
| |
| Defining the Network Objects | |
| |
| |
| Defining User and Group Objects | |
| |
| |
| Defining the Firewall Object | |
| |
| |
| Building the Rule Base | |
| |
| |
| Let's Configure a VPN | |
| |
| |
| Setting the Stage | |
| |
| |
| Defining Network Objects | |
| |
| |
| Designating Encryption Domains | |
| |
| |
| Defining More Network Objects | |
| |
| |
| Designating Encryption Domains (West Coast) | |
| |
| |
| Building the VPN Rule Base | |
| |
| |
| Client-to-LAN Implementation | |
| |
| |
| RSA Examples | |
| |
| |
| Glossary | |
| |
| |
| Index | |