Foreword | p. xvii |
Acknowledgments | p. xix |
Preface | p. xxi |
Broadband Network Security Fundamentals | |
An Overview of Broadband Communication | p. 3 |
A Brief History of Telecommunication | p. 4 |
That Was Then | p. 6 |
This Is Now | p. 6 |
What is Broadband Access? | p. 7 |
Existing Broadband Access Technologies | p. 7 |
Cable | p. 8 |
DSL | p. 9 |
Fixed Wireless | p. 9 |
Two-Way Satellite | p. 10 |
The Future of Broadband | p. 10 |
Fiber Optics | p. 11 |
The Importance of Security in Broadband Networks | p. 12 |
Security and the Average User | p. 12 |
Securing the Network Infrastructure | p. 15 |
References | p. 16 |
Choosing the Right Tools: Security Services and Cryptography | p. 17 |
Security Services and Mechanisms | p. 17 |
Confidentiality | p. 18 |
Integrity | p. 19 |
Authentication | p. 19 |
Nonrepudiation | p. 19 |
Authorization and Access Control | p. 20 |
Availability | p. 21 |
The Basics of Cryptography | p. 21 |
Random Number Generation | p. 23 |
Symmetric-Key Cryptography | p. 25 |
Message Digests | p. 36 |
Public-Key Cryptography | p. 40 |
Public-Key Cryptography Standards | p. 48 |
Federal Information Processing Standards and Certification | p. 51 |
Store-and-Forward vs. Session-Based Encryption | p. 52 |
Choosing the Appropriate Cryptographic Tools | p. 53 |
Using Stream Ciphers | p. 53 |
Using Block Ciphers | p. 54 |
Using Message Digests | p. 56 |
Using Public-Key Algorithms | p. 56 |
Interoperability Notes | p. 57 |
How Secure Is Too Secure? | p. 57 |
References | p. 58 |
The Need for Security: Network Threats and Countermeasures | p. 61 |
Who, What, and Why? Attackers and Their Motivations | p. 62 |
When? "The Network Administrator Went Home Hours Ago..." | p. 66 |
Where? The Internet's a Big Place! | p. 67 |
Broadband Access vs. Dial-up Access | p. 67 |
Categorizing Common Attacks | p. 68 |
Passive Attacks vs. Active Attacks | p. 69 |
Eavesdropping | p. 69 |
Impersonation | p. 73 |
Denial of Service | p. 75 |
Data Modification | p. 77 |
Packet Replay | p. 79 |
Routing Attacks | p. 80 |
TCP/IP-Specific Attacks | p. 83 |
Address Spoofing | p. 83 |
Session Hijacking | p. 86 |
Countermeasures for Address-Spoofing and Session-Hijacking Attacks | p. 89 |
TCP/IP Denial of Service | p. 90 |
IP and ICMP Fragmentation | p. 92 |
Attacks on Cryptography | p. 95 |
Cryptanalysis | p. 95 |
Testing for Weak Keys | p. 97 |
Block Replay | p. 97 |
Man-in-the-Middle Attacks | p. 97 |
Countermeasures for Attacks Against Cryptographic Mechanisms | p. 98 |
Social Engineering and Dumpster Diving | p. 100 |
References | p. 100 |
Broadband Networking Technologies | p. 103 |
The Origins of Broadband | p. 104 |
The ISO/OSI Reference Model | p. 106 |
Layer 7--Application | p. 107 |
Layer 6--Presentation | p. 107 |
Layer 5--Session | p. 107 |
Layer 4--Transport | p. 107 |
Layer 3--Network | p. 108 |
Layer 2--Data Link | p. 108 |
Layer 1--Physical | p. 109 |
The TCP/IP Reference Model | p. 110 |
Data Encapsulation | p. 111 |
Communication Protocol Characteristics | p. 113 |
Service Provider Networks | p. 114 |
Cable | p. 115 |
Digital Subscriber Line | p. 120 |
Fixed Wireless Technology | p. 123 |
Two-Way Satellite Communication | p. 126 |
Quality of Service | p. 129 |
QoS Parameters | p. 130 |
Degrees of QoS | p. 136 |
The Great Debate: Cell-Relay vs. Standard Packet Switching | p. 136 |
Models for QoS over IP Networks | p. 139 |
References | p. 143 |
A Survey of Existing Broadband Security Standards and Specifications | p. 145 |
Standards Bodies and the Role of Standardization | p. 146 |
ANSI (American National Standards Institute) | p. 146 |
The BWIF (Broadband Wireless Internet Forum) | p. 146 |
Cable Television Laboratories | p. 147 |
The DVB (Digital Video Broadcasting) Project | p. 147 |
The DSL Forum | p. 147 |
ETSI (European Telecommunications Standards Institute) | p. 147 |
The IETF (Internet Engineering Task Force) | p. 148 |
The ITU (International Telecommunication Union) | p. 148 |
The IEEE (Institute of Electrical and Electronics Engineers) | p. 148 |
The ISO (International Standards Organization) | p. 148 |
Current Broadband Security Standards and Specifications | p. 149 |
The DOCSIS 1.0 Baseline Privacy Interface | p. 149 |
The DOCSIS 1.1 Baseline Privacy Plus Interface | p. 151 |
The PacketCable Security Specification | p. 154 |
The H.235 Security Standard | p. 154 |
The DVB Multimedia Home Platform | p. 160 |
The OpenCable Copy Protection System | p. 161 |
Security Gone Wrong--A Case Study of 802.11 WEP Encryption | p. 165 |
References | p. 168 |
Broadband Security Design Considerations | |
Existing Network Security Protocols | p. 171 |
IPSec | p. 172 |
Transport and Tunnel Modes | p. 174 |
Security Associations | p. 177 |
Security Policy Database | p. 179 |
Security Associations Database | p. 180 |
Authentication Header | p. 181 |
Encapsulating Security Payload | p. 186 |
Internet Key Exchange | p. 191 |
SSL and TLS | p. 197 |
A Brief History of SSL | p. 198 |
SSL in Detail | p. 198 |
Application Layer--Kerberos | p. 216 |
Kerberos Authentication | p. 217 |
Cross-Realm Authentication | p. 219 |
Public-Key Authentication with Kerberos | p. 220 |
References | p. 220 |
Placing Security Services and Mechanisms | p. 223 |
Binding Security Services and Mechanisms to Data | p. 223 |
Which Network Layer? | p. 225 |
Application Transparency | p. 225 |
Extent of Coverage | p. 230 |
Performance | p. 232 |
Comparing Existing Security Protocols | p. 233 |
Security Protocol Implementation | p. 234 |
Host-Based Security vs. Security Gateways | p. 237 |
Extent of Coverage | p. 238 |
Implementation, Configuration, and Maintenance | p. 241 |
Securing Traffic Between a Large Number of Hosts or Applications | p. 242 |
Distinct Traffic Flows | p. 243 |
User Contexts | p. 243 |
Coordination with Existing Security Policy | p. 244 |
A Final Word on Encryption and Protocol Headers | p. 245 |
References | p. 245 |
Security Side Effects | p. 247 |
Network Performance and QoS | p. 248 |
Embedded Device Constraints | p. 249 |
Cryptography and Performance | p. 250 |
General Considerations for Choosing Cryptographic Algorithms | p. 251 |
Dedicated Cryptographic Hardware | p. 262 |
Encryption and Compression | p. 263 |
Security Protocol Tuning | p. 264 |
Additional Tips for Improving Security in Real-Time Multimedia Applications | p. 265 |
Manageability | p. 266 |
References | p. 269 |
Case Studies | |
Securing Broadband Internet Access: DOCSIS BPI+ | p. 273 |
An Overview of the Baseline Privacy Plus Interface | p. 275 |
DOCSIS MAC Layer Frame Formats | p. 277 |
Baseline Privacy Key Management Protocol | p. 279 |
Authorization State Machine | p. 280 |
TEK State Machine | p. 285 |
BPI+ Key Encryption, Traffic Encryption, and Authentication Algorithms | p. 289 |
DOCSIS 1.1 BPI+ X.509 Certificate Usage and PKI Hierarchies | p. 292 |
BPI+ Cable Modem Certificate Hierarchy | p. 292 |
BPI+ Certificate Formats | p. 297 |
Certificate Validation on the CMTS | p. 301 |
Certificate Revocation and Hot Lists | p. 303 |
TFTP Configuration Files | p. 303 |
Signed Software Upgrade Verification | p. 304 |
Generation and Verification of Signed Software Upgrade Files | p. 307 |
References | p. 309 |
Securing Real-Time Multimedia: PacketCable Security | p. 311 |
Overview of PacketCable Security | p. 319 |
IPSec | p. 322 |
Internet Key Exchange | p. 325 |
SNMPv3 Security | p. 326 |
PacketCable's Use of kerberos | p. 327 |
Kerberized Key Management for IPSec and SNMPv3 | p. 330 |
Cross-Realm Operation | p. 336 |
Securing RTP and RTCP | p. 337 |
Key Management for RTP and RTCP | p. 341 |
PacketCable Security Certificate Usage and PKI Hierarchies | p. 345 |
PacketCable Certificate Validation | p. 356 |
Physical Protection of Keying Material | p. 357 |
Secure Software Upgrades | p. 358 |
References | p. 358 |
Securing Interactive Television: DVB MHP Security | p. 359 |
The Multimedia Home Platform | p. 360 |
MHP Security Overview | p. 362 |
Authentication Messages | p. 363 |
Hash Files | p. 365 |
Signature Files | p. 366 |
Certificate Files | p. 368 |
The Object Authentication Process | p. 369 |
MHP X.509 Certificate Usage and PKI Hierarchy | p. 372 |
Storage and Management of Root Certificates | p. 373 |
Certificate Revocation | p. 374 |
Application Security Policy | p. 375 |
Permission Request File | p. 375 |
Return Channel Security | p. 379 |
Supported Java Security Classes | p. 380 |
References | p. 381 |
Design Scenarios | p. 383 |
Initial Design Steps | p. 383 |
Identify Your Assets and Assess Their Value | p. 384 |
Identifying the Threats | p. 385 |
Selecting the Appropriate Security Services | p. 386 |
Choosing Suitable Security Mechanisms | p. 388 |
Identifying the Need for Persistent Security Services and Mechanisms | p. 390 |
Choosing a Network Layer | p. 391 |
Choosing Between Host-Based Security and Security Gateways | p. 391 |
Identifying Existing Security Protocols That Meet Your Needs | p. 392 |
Designing a New Protocol | p. 393 |
Sample Design Scenarios | p. 394 |
A Flawed Design | p. 394 |
Designing Security from the Ground Up | p. 403 |
TCP/IP Primer | p. 415 |
Encapsulation | p. 416 |
Internet Protocol | p. 417 |
IP Headers | p. 419 |
IP Routing | p. 423 |
Address Resolution Protocol and Reverse Address Resolution Protocol | p. 425 |
Internet Control Message Protocol | p. 426 |
Transmission Control Protocol | p. 429 |
TCP Headers | p. 430 |
Windowing | p. 432 |
User Datagram Protocol | p. 433 |
UDP Headers | p. 434 |
Resources | p. 435 |
Digital Certificates and Public-Key Infrastructure | p. 437 |
Digital Certificates | p. 437 |
Certificate Types and Classes | p. 439 |
Contents of a Digital Certificate | p. 440 |
Validating a Digital Certificate | p. 443 |
Certificate Revocation | p. 445 |
Public-Key Infrastructure | p. 448 |
CA Operations | p. 448 |
Trust Models | p. 450 |
Path Discovery and Validation | p. 454 |
References | p. 455 |
Index | p. 457 |
Table of Contents provided by Syndetics. All Rights Reserved. |