Preface
Introduction
About This Book
Intended Audience
How This Book is Organized
How to Use This Book
From Intranets to Extranets to Virtual Private Networks: A Virtual Evolution
Private Networks vs. Virtual Private Networks: Exploring Network Security
Legacy Systems and the LAN Paradigm
The Traditional Business Model: The End of an Era
Redefining the Business World: A Manic Moment
The DP Manager: From Corporate Czar to Scapegoat
LANs: A New Information System Paradigm
The Performance Model Unveiled
Performance Analysis
Cause Analysis
Resolution Analysis
The New Paradigm in Action
The Learning Organization
Private Networks: Fortresses of Solitude
Private Networks Defined
Private Networking with ISPs
Firewalls and Other Perimeter Defenses
Concentric Layers of Encryption
Electronic Passports
The Price of Global Privacy
Private Networks: The Backward Evolution of Intranets
The Technology Adoption Cycle of Private Networks
The Impact of Hackers and Other Network Interlopers
The Cost of a Private War
Extranets: The Forward Evolution of Intranets
Bringing Your Business Partners, Suppliers, and Customers Online
A Classic Example
The Future of Intranets
Virtual Private Networks: Where Extranets End and VPNs Begin
VPNs: An Extranet of Another Variety
Virtual Private Networks: The Magic WAN
VPNs and Firewalls: A Marriage Made in Cyberspace
The Reality of VPNs
Why VPNs Will Proliferate
Politics: Who's in the Fray
Speaking of Ubiquity...Microsoft
NT: The New Operating System of Choice for Firewalls
NT Bugtraq Web Site
The Debacle of PPTP
Cisco's Layer 2 Forwarding (L2F) Protocol
The Economics of VPNs
De Facto and Emerging Standards
Tunneling Protocols
The Arrival of Secure IP, a.k.a. IP Security or IPSec
IPSec Security Protocols and Encryption
IPSec Transport Mode Security Association
IPSec Tunnel Mode Security Association
IPSec Key Exchange and Key Management
The Layer 2 Tunneling Protocol (L2TP)
Crossing the Firewall Divide with SOCKS
User Authentication
Remote Authentication Dial-In User Service (RADIUS)
Strong User Authentication
Two-Factor User Authentication: SecurID and CRYPTOCard
S/KEY
X.509 Digital Certificate Standard
Data Authentication and Integrity
The Digital Signature Process
Cryptographic Hash/Digest Function
Certificate Authorities and Public Key Infrastructure
Encryption Schemes
Private Key (Symmetric) Cryptosystem
Public Key (Asymmetric) Cryptosystem
Key Management Protocols
ISAKMP/IKE: The Mother Lode
Authenticating Users with ISAKMP
Applying Digital Signatures through ISAKMP
Security Associations and ISAKMP
ISAKMP vs. SKIP
Hacker Attacks and Security Breaches: A Primer
Hacker Attacks for the Hall of Fame
The New Cold War
The Economic and Political Reality
Speaking of Irony, Russia Attacks Citibank
The Sniffer Software Caper
The Berlin Firewall
The Texas "Firewall" Massacre
The Bank of London Held Hostage
Sponsored Break-in by RSA
How They Do It
How Firewalls Are Breached
Brute-Force and Trojan Horse Attacks
Java Applets and ActiveX Controls Security Holes
Telltale Signs That You've Been Breached
Popular Attacks
IP Address Spoofing
IP Address Spoofing with Active Host
IP Source Routing
Java and ActiveX Attacks
How Sniffer Software Programs Work
TCP Attacks
Ping of Death
Other Attacks
Recommended Web Sites
The Java Security Site
The ICSA Site
When Firewalls Fail: Coping with the Aftermath
Refiguring Your Misconfiguration
Apathy: The Fastest Way to Get Burned
Dial-in for Firewalls
Incoming Traffic: The Smoke Alarms of Firewalls
Software Upgrades: Fuel for Firewalls
Key Firewall Web Sites
Going Under the Hood
The Technology of VPNs
Private Information Highways
How Do They Work?
Dynamic Exchange through Public Key Algorithms
Weak vs. Strong User Authentication
Progression Authentication Techniques
Data Authentication (Integrity Check)
Size Does Matter
IPSec (IP Security) Encryption Technology Implementations
ISAKMP/IKE Key Management and Exchange between Endpoints
Layer 2 Tunneling Protocol (L2TP)
SOCKS Regaining Its Footing
The Architecture, Technology, and Services of Firewalls
Mapping the Open Systems Interconnection (OSI) Model
Packet Filtering Approaches
Simple Packet Filtering Systems
Stateful Packet Filtering Architecture
Circuit-Level Architecture
Application Proxy Approach
Stateful Inspection Technology
Application Proxy Technology
Standard Features
Network Address Translation
Address Hiding
Address Transparency
Access Control
System Load Balancing among Gateways
Event/Connections Logging
Antispoofing Feature
Router Management
Third-Party Support and Interoperability
Basic Services and Protocols Supported
Security Proxy Concepts
Key Service Offerings
Secure Web Browsing: HTTP Security
Secure Email: SMTP Security
Secure Domain Name System (DNS) Server
File Transfer Protocol Server
Stateless Protocols Security Server
URL Screening and Selective Blocking Server
Innovative Firewall Implementations
Firewall Innovation Drivers
The Lucent "Brick"
Optical Data Systems' Screaming Demon Firewall
WatchGuard's Fancy Firewall Solution
Outsourcing Firewall/VPN Management
Epilogue: Firewalls that Include Everything but the Kitchen Sink
Other Key VPN Concepts and Technologies
Content Vectoring Protocol
Applying Digital Signatures to Diffie-Hellman with RSA
Key Exchange Properties according to ISAKMP
Smart Cards
TACACS+: Yet Another System for User Authentication
Lightweight Directory Access Protocol (LDAP)
Exploring VPN and Firewall Security Policy Concepts
Enterprisewide Security Management
Rule Base Editor
Rule Base Attributes in Packet-Filtering Systems
Rule Base Attributes in Application Proxy Systems
Object Classes and Management
Characteristics of Centralized Security (Rule Base) Management
Centralized Management and Control
Optimal Deployment of Security Gateways
Network Traffic Logging and Monitoring
Real-Time Event Alerting and Notification
Special Features
Synchronization of Firewall Modules
Suspicious Activity Monitoring
Exploring the Logic of Rule Base Editors
External Users Send Emails to Local Users
Local Users Access Entire Network
Implicit Communication Drop on Login
"Stealthing" the Gateway
Translating More-Complex Policy into Rules
Select User Access to Select Services at Specific Time
VPN Performance Considerations and Review
Performance in the Real World
The VPN Performance Challenge
Inherent Performance Factors of VPNs
Other Performance Considerations
VPN Implementations and Business Assessment, Just for the Record
VPN Implementations: Evaluating Your Business Needs
Configuring Your Organization's VPN Checklist
General Implementation Considerations
User Access Considerations
Security Requirements
User Authentication Desired
Client/Server Considerations
Let's Test Your Mettle
VPN Business Assessment: Multinational and Large Enterprises
Multinational Enterprises/Corporations
Business Goals
Organization Considerations
Pinpointing Worldwide Communications Requirements
Private Networks vs. VPNs
Attack of the 56K Monsters
Large Corporations
Business Goals
Organization
Pinpointing Enterprisewide Communications Requirements
Private Networks vs. VPNs
Last-Minute Considerations
VPN Business Assessment: Small/Medium Companies
Business Goals
Organization
Pinpointing Communications Requirements
Private Networks vs. VPNs
A Few Additional Considerations
Solutions of VPN Providers
The Playing Field
VPN Architecture Implementation
Client-to-LAN Implementation Review
LAN-to-LAN Implementations
Security Services
Tunneling Protocols Supported
IPSec Certification
Encryption and Data Authentication
Key Management Considerations
User Authentication Implementations
Two-Factor User Authentication
Three-Tier Strong User Authentication
Management and Administration
Intruder Alert
VPN Performance
Let's Configure a Firewall
Setting the Stage
Defining the Network Objects
Defining User and Group Objects
Defining the Firewall Object
Building the Rule Base
Let's Configure a VPN
Setting the Stage
Defining Network Objects
Designating Encryption Domains
Defining More Network Objects
Designating Encryption Domains (West Coast)
Building the VPN Rule Base
Client-to-LAN Implementation
RSA Examples
Glossary
Index