VPNs enable any enterprise to utilize the Internet as its own secure private network. In this book, two leading VPN implementers offer a start-to-finish, hands-on guide to constructing and operating secure VPNs. Going far beyond the theory found in most books, Ruixi Yuan and Tim Strayer present best practices for every aspect of VPN deployment, including tunneling, IPsec, authentication, public key infrastructure, and network/service management. Strayer and Yuan begin with a detailed overview of the fundamental concepts and architectures associated with enterprise VPNs, including site-to-site VPNs, remote access VPNs, and extranets. They compare all options for establishing VPN tunnels across the Internet, including PPTP, L2F, and L2TP. Next, they present in-depth coverage of implementing IPsec; establishing two-party or trusted third-party authentication; building a robust public key infrastructure; and managing access control. The book includes expert coverage of VPN gateway configuration, provisioning, and management; Windows and other VPN clients; and network/service management, including SLAs and network operations centers. Finally, the authors preview the future of VPNs, showing how they may be enhanced to provide greater quality of service and network intelligence. For all networking and IT professionals, security specialists, consultants, vendors, and service providers responsible for building or operating VPNs.



Extras

Internetworking: Beyond Connectivity

Overloading BGP for VPN Can Be Harmful

Security Service Taxonomy for VPNs

The Evolution of Multiple Protocol Label Switching (MPLS)

The VPN Client and the Windows Operating System



Sample Content

Downloadable Sample Chapter

Click below for Sample Chapter related to this title:
yuanch1.pdf

Preface.

I. VPN FUNDAMENTALS.

1. Introduction.

Business Communication.

VPN Motivation.

The VPN Market.

VPN Technologies.

VPN Solutions.

2. Basic Concepts.

A Brief History of the Internet.

Network Architecture.

ISO OSI Reference Model.

IP.

Network Topology.

The Need for Security.

Cryptography.

Shared Key Cryptography.

Public Key Cryptography.

Digital Signatures.

Message Authentication Codes.

3. VPN Architectures.

Site-to-Site Intranet VPNs.

Remote Access VPNs.

Extranet VPNs.

A Security Services Taxonomy.

II. VPN TECHNOLOGIES.

4. Tunnels.

Tunneling.

Data Integrity and Confidentiality.

VPN Tunneling Protocols.

PPTP.

L2F.

L2TP.

Ipsec.

MPLS.

5. Ipsec.

Basic IPsec Concepts.

Security Protocols.

Security Associations.

Security Databases.

IPsec and VPNs.

Authentication Header.

Encapsulating Security Payload.

Internet Key Exchange.

Phase 1 Negotiation.

Phase 2 Negotiation.

Key Generation in IKE.

IPsec Implementation.

Inbound Packet Processing.

Outbound Packet Processing.

6. Authentication.

Two-Party Authentication.

PPP Authentication.

RADIUS.

S/KEY and OTP.

Trusted Third-Party Authentication.

Kerberos.

X.509 Public Key Infrastructure.

Pretty Good Privacy Trust Model.

Authentication in VPNs.

Gateway-Gateway Authentication.

Client-Gateway Authentication.

7. Public Key Infrastructure.

PKI Architecture.

Certification.

Validation.

Certificate Revocation.

Trust Models.

Digital Certificate Formats.

X.509 Digital Certificate.

PGP Certificate.

PKCS #6, Extended-Certificate Syntax Standard.

X.509 Attribute Certificate.

Certificate Management System.

Certification Authority.

Registration Authority.

Certificate and CRL Repository.

Certificate Protocols.

Certificate Use in VPNs.

Authentication.

Key Management.

Access Control.

8. Access Control.

Access Control Policy.

Attributes and Conditions.

Access Control Rules.

Access Control Mechanisms.

Access Control Lists.

Capabilities Lists.

Access Control Policy Management.

Distributed Policy Management.

Centralized Policy Management.

Policy Repository.

Access Control in VPNs.

III. VPN SOLUTIONS.

9. VPN Gateways.

VPN Gateway Functions.

Site-to-Site Intranet VPN Functions.

Remote Access VPN Functions.

Extranet VPN Functions.

Forwarding, Routing, and Filtering Functions.

Advanced Functions.

Gateway Configuration and Provisioning.

Gateway Identity Information.

External Device Information.

Security Policy Information.

Gateway Management.

Configuration Management.

Network Monitoring.

Accounting Information.

Gateway Certification.

Interaction with Firewalls.

VPN Gateway and Firewall in Parallel.

VPN Gateway and Firewall in Series.

Hybrid Configurations.

VPN Design Issues.

A VPN Solution Scenario.

10. VPN Clients.

VPN Client Functions.

Operating System Issues.

Microsoft Windows.

Other Operating Systems.

Operational Issues.

Working with the Corporate Firewall.

Working with Network Address Translation.

Fragmentation and MTU Issues.

Private and Public Domain Name Servers.

WINS Server Issues.

VPN Clients for Windows.

Layer 2 Clients.

IPsec Clients.

L2TP/IPsec Combination Clients.

VPN Client Software Installation.

VPN Clients for Other Platforms.

Layer 2 Implementations.

IPsec Implementations.

Alternative VPN Clients.

SSH as VPN Client.

SOCKS and SSL as VPN Client.

User-Level Daemon.

A Remote Access VPN Scenario.

11. VPN Network and Service Management.

Network Management Standards.

Network Management Architecture.

Network Management Station.

Managed Nodes.

Network Management Protocol.

Management Information.

Probes.

6 Other Means of Management.

SNMP.

VPN Management.

Managing Tunnels.

VPN Management in a Service Provider Environment.

Secure Management Tunnel in VPN.

Out-of-Band Access for Management.

Service Management.

Service Level Agreement.

Network Operations Center.

Customer Portal.

International Issues.

12. VPN Directions: Beyond Connectivity.

Evolutions in Network Infrastructure.

Evolutions in VPNs.

Internetworking Beyond Connectivity.

Network Security.

Quality of Service.

Intelligence in the Network.

Acronyms.
References.
Index. 0201702096T04262001

Preface

The Internet has been around in one form or anotherfor more than three decades now, but it really has been since the middleof the 1990s that the use of the Internet became a daily part of people'slives. Connectivity to the Internet is now imperative for almost all companies,regardless of what their business really is. Individuals can find Internetaccess at school, work, and home, in cafés and kiosks, and in cellphones and PDAs. Staying connected has become an obsession.

The focus has shifted from being connected to being securelyconnected. It is one thing to have Internet access, but without security,the usefulness of the connectivity is rather limited. People want to havethe reach of the Internet, but they should not have to compromise theirprivacy or expose proprietary resources.

Fortunately, all of the ingredients are present for constructinga private network on top of a public one. The challenge comes in puttingthe technologies together so that the result is a viable and secure virtualprivate network.

This book provides a comprehensive guide to the technologiesused to enable VPNs, the VPN products built from these technologies, andthe combinations of various components to provide practical VPN solutions.

VPN technologies and solutions are still rapidly evolving.This book describes the current state of the art in this field. But thingschange quickly, so when appropriate, we have attempted to point out thecontinued effort in the industry to develop new technologies and solutions.

Audience

This book is intended for a broad range of readers interestedin virtual private networks.

For network engineers and managers, this book serves asa practical guide to the technologies and solutions. It discusses issuesto be considered in designing and implementing a VPN.

For VPN software and hardware developers, it provides the necessary background material to understand the functions to be developed and the rationale behind them.

For IT managers and executives, this book sets the overallcontext of VPNs and provides the means for assessing various implementationsfrom equipment vendors and service offerings from service providers.

For students and educators, this book can be used as areference text for a course in network security or electronic commerce.

Book Organization

This book is organized in three parts. Part I--VPN Fundamentals--consistsof three chapters: Introduction, Basic Concepts, and VPN Architectures.Chapter 1 introduces the concept of VPN and how it permits flexibilityin facilitating private communication in a public network. We also classifythe relevant technologies into four distinct categories. Chapter 2 setsVPNs in context by briefly reviewing the development of the Internet andhow security has been thrust to the forefront. It also reviews the basicIP networking and cryptography concepts that pertain to VPNs. Chapter 3presents VPN architectures in two ways. The first approach is based ondesigning VPN around practical networking solutions: site-to-site intranet,extranet, and remote access. The second approach focuses on the differenttraffic aggregation points where security services are applied.

Part II--VPN Technologies--consists of five chapters:Tunnels, IPsec, Authentication, Public Key Infrastructure, and Access Control.Chapter 4 is concerned with the most important technology category--tunneling.We investigate the many different tunneling technologies that are importantin VPN solutions. Chapter 5 concentrates on IPsec, the security protocolfor IP standardized by the IETF and, in our opinion, the VPN tunnelingtechnology that will be most prevalent going forward. Chapter 6 describesauthentication in a broad context first and then describes the varioustwo-party and three-party schemes that widely applied in networking. Themost important three-party scheme--PKI--is then presented in Chapter 7.In Chapter 8, we look at access control technologies, an often overlookedbut vital aspect of VPNs. We describe how access policies can be presented,managed, and enforced in a networked environment.

Part III--VPN Solutions--consists of four chapters: VPNGateways, VPN Clients, VPN Network and Service Management, and VPN Directions:Beyond Connectivity. This part describes how the various technology componentscan be assembled to create practical VPN solutions. Chapter 9 starts withthe roles played by a VPN gateway, then derives the requirements imposedon the gateway, and finally describes the various functions that shouldbe implemented. It also presents a concrete design example. Chapter 10details the many issues of VPN clients, some similar to VPN gateways andsome different. Chapter 11 presents the needs and approaches for performingcontinued management of VPNs from the viewpoints of both a network anda service. Finally, we discuss the future directions of VPNs in Chapter12 and how important it is to realize that networking is the means, notthe goal, and to look beyond simple connectivity in the networking arena.

How to Read the Book

There are two ways to read this book. For novices, werecommend completing Part I before proceeding to either Part II or PartIII. For readers already knowledgeable in networking and security, eachchapter is self-contained and can be read separately.

Readers are encouraged to read Chapters 4 and 5 togetherto obtain a fuller grasp on the concept of tunneling and IPsec as a layer-threetunneling technology. Similarly, Chapters 6 and 7 deal with authentication,with Chapter 7 exploring public key infrastructures in detail. It is alsoa good idea to review how a certain technology is introduced in Part IIbefore seeing how it is applied to a VPN solution in Part III.

Ruixi Yuan
Tim Strayer

Boston, Massachusetts
March 2001

0201702096P04242001

Index

3COM, 66
3DES (triple DES), 38, 81, 141, 143, 176, 178, 181, 183, 191, 230, 237, 266: See also DES
Access control, 9, 12, 15, 45, 51, 153-171, 182, 247, 269, 279: access control list (ACL), 160; attributes, 155, 157-159; capabilities list (C-list), 160; centralized policy management, 165; discretionary policy, 157; distributed policy management, 164; environmental conditions, 158; filters, 191-192; in IPsec, 75; mandatory policy, 157; mechanisms, 156, 160-163, 167; policy, 156-160, 167; policy management, 156, 163-167; resource attributes, 158; rules, 159-160; stakeholders, 159; user attributes, 157; as a VPN client function, 18, 216, 218; as a VPN gateway function, 17, 176; in VPNs, 167-171
Access control list, See ACL
Accounting, 193, 198
ACL (access control list), 160-162, 260
Adapter, network, 222, 229, 233
Adapter, shim, 222, 233
Adapter, virtual, 233-234
Adleman, Leonard, 40
Advanced Encryption Standard, See AES
Advanced Research Projects Agency, See ARPA
AES (Advanced Encryption Standard), 37, 230
AH (Authentication Header), 58, 63, 70, 76-77, 79, 83-88, 100, 203: fields, 84; protocol number, 77; transport mode, 86-87; tunnel mode, 87-88
Alcatel, 187, 195-196, 231, 234
Altiga, 226, 231
Amazon.com, 7
Anti-replay protection, 75, 85: AH (Authentication Header), 84; ESP (Encapsulating Security Payload), 88
Apple, 220, 224, 234
Application layer, 30
Application programming interface (API), 195
ARPA (Advanced Research Projects Agency), 23-24
ARPANET, 23-24, 26, 33
Ascend Communications, 66
ASN.1 (Abstract Syntax Notation One), 137, 253
Asymmetric key cryptography, 36: See also Public key cryptography
Asynchronous Transfer Mode, See ATM
AT&T, 220
ATM (Asynchronous Transfer Mode), 47, 68, 185
Attack, 18, 33, 88: against CA, 147; denial of service, 34, 93, 279; dictionary, 106; distributed denial of service, 279; Internet worm, 34; on keys, 16; network-based, 34; replay, 15, 94, 122; Trojan Horse, 122
Attributes, 157: environmental conditions, 158; identity, 157; resource attributes, 158; use conditions, 158; user attributes, 157; for VPN access control, 170; X.509 attribute certificate, 145
Authentication, 9, 12, 14, 45, 47, 51, 59-60, 103-128, 153, 155, 182, 189, 217, 269, 279: AH (Authentication Header), 84-86; CHAP (Challenge Handshake Authentication Protocol), 66, 112; client-gateway, 127; cryptography used for, 36-37; EAP (Extensible Authentication Protocol), 66, 113; ESP (Encapsulating Security Payload), 88; gateway-gateway, 126; in IPsec, 63, 75; Kerberos, 119; MAC (message authentication code), 43; lack of in MPLS, 73; one-time passwords, 117; options for VPN clients, 230; PAP (Password Authentication Protocol), 66, 107, 111; password, 43, 106, 157; PGP (Pretty Good Privacy); RADIUS (Remote Access Dial In User Service), 114; S/KEY, 109, 117; Security Association Database (SAD), 80; Security Policy Database (SPD), 81; SSH (Secure Shell), 237; trusted third-party, 14, 104; two-party, 14, 104; as a VPN client function, 18, 216-217, 231; as a VPN gateway function, 17, 176; in VPNs, 126-128; X.509 public key infrastructure, 122
Authetication Header, See AH
Autonomous system (AS), 278
BBN, 33, 146
Bellcore, 252
Bellovin, Steven M., 35, 201
Berners-Lee, Tim, 26
BGP (Border Gateway Protocol), 278: Secure-BGP, 184
BITNET, 26
Blowfish, 38, 237, 241
Border gateway, 33
BSD Unix , See Unix
BSDI, 235
Business communication, 4, 8
CA (certification authority), 122, 129-130, 132-135, 145-147, 190, 210: cross-certification, 135; Microsoft, 139; root, 135
Cable modem, 19, 46, 49-50
Capabilities list (C-list), 160, 163
Capstone, 38
CAST, 141, 143, 176
CCITT, SeeITU, 122
Centralized policy management, 165
Cerberus, 236
CERN (Center for European Nuclear Research), 26
Certificate, 122, 129, 132-133: CRL (certificate revocation list), 124; cross certificate, 135; enrollment, 152; management system, 145; PGP (Pretty Good Privacy), 141-144; protocols, 149; root, 123, 135; self-signed, 143; use-condition certificate, 158; use in VPNs, 152-154; See also Digital certificate
Certificate and CRL repository, 130, 145, 148
Certificate management system, 145-149
Certificate protocols, 149-152: PKCS #10, Certification Request Syntax Standard, 151; PKCS #7, Cryptographic Message Syntax Standard, 151; PKIX (Public Key Infrastructure for the Internet), 150; SCEP (Simple Certificate Enrollment Protocol), 152
Certificate revocation list, See CRL
Certification authority, See CA
Certification Practice Statement (CPS), 147
Challenge Handshake Authentication Protocol, See CHAP
CHAP (Challenge Handshake Authentication Protocol), 66, 108, 112-113, 230
Check Point, 187, 231
Checksum, IP, 32, 59-60, 85
Checksum, TCP, 59
Cheswick, William R., 35, 201
CIDR (Classless Inter-Domain Routing), 179
Ciphertext, 35-36
CIR (committed information rate), 46
Cisco, 66-67, 152, 187, 194, 231: Altiga VPN client, 226; Compatible Systems VPN client, 234
Clipper, 38
CMIP (Common Management Information Protocol), 247, 252
CMIS (Common Management Information Service), 247
Command line interface (CLI), 193, 196, 252
Committed information rate, See CIR
Common Management Information Protocol, SeeCMIP, 246
Common Management Information Service, SeeCMIS, 246
Compatible Systems, 234
Compression, 231
Confidentiality, 9, 38, 59-61, 70: cryptography used for, 36-37; in IPsec, 63, 75; lack of in MPLS, 73; See also Data confidentiality
Configuration file, 194
Configuration management, 193
Coordinated universal time, See UTC
CRL (certificate revocation list), 124, 129-130, 133-134, 146, 180, 210: X.509v2, 148
Cross-certification, 147
Cryptanalysis, 37
Cryptographic keys, 35
Cryptography, 35: asymmetric, 36; block cipher, 37; key management, 39; public key, 36, 38-39; shared key, 36; symmetric, 36
CSNET, 26
Customer premises equipment (CPE), 54, 272
Customer relationship management (CRM), 263
DARPA SeeARPA, 23
Data confidentiality, 9, 60, 75, 269, 279: ESP (Encapsulating Security Payload), 88; as a VPN client function, 176, 216, 219
Data Encryption Standard, See DES
Data integrity, 9, 15, 36, 59, 61, 269, 279: AH (Authentication Header), 83; in IPsec, 75; as a VPN client function, 176, 216, 219
Data link layer, 28
Data origin authentication, 75: AH (Authentication Header), 83
Data security, 13, 15, 45: as a VPN gateway function, 17; as a VPN client function, 18; See also Data confidentiality and Data integrity
DECNET, 5
Decryption, 35: public key, 38; shared key, 37
Demilitarized zone, See DMZ
Denial-of-service attack, 34, 93, 279
Department of Defense (DoD), 23
DES (Data Encryption Standard), 37-38, 81, 176, 230: cracked, 37
DHCP (Dynamic Host Configuration Protocol), 181, 190, 219, 222, 230, 248
Dial-up networking, See DUN
Dictionary attack, 106
Differentiated service code point (DSCP), 207
Diffie, Whitfield, 36, 129
Diffie-Hellman algorithm, 96, 141, 153
DiffServ, 207
Digital certificate, 81, 130, 132-136, 171, 179-180, 182-184, 189, 191, 217-218: use in access control, 154; use in authentication, 153; creation, 146; formats, 136-145; use in key management, 153; revocation, 146; X.509, 136; See also Certificate
Digital certificates, 230, 241
Digital signature, 40-43, 133, 136: DSA, 43; RSA, 43
Digital Signature Algorithm, See DSA
Digital subscriber line, See DSL
Directory Access Protocol (DAP), 166
Directory System Agent (DSA), 166
Directory User Agent (DUA), 166
Distinguished name (DN), 81-82, 123, 139, 171: relative distinguished name (RDN), 139
Distributed denial-of-service attack, 279
Distributed policy management, 164
DMZ (demilitarized zone), 204
DNS (Domain Name System), 135, 162, 181, 189, 222, 225, 227-229, 278
DNSSEC (Secure Domain Name System), 135
Domain Name System, See DNS
DSA (Digital Signature Algorithm), 43, 141-142
DSL (digital subscriber line), 19, 46, 49-50, 234, 277
DUN (dial-up networking), 229
Dynamic Host Configuration Protocol, See DHCP
EAP (Extensible Authentication Protocol), 66, 113-114
ECI Telematics, 66
E-commerce, 9, 27: B2B, 9; B2C, 9
Electronic Frontier Foundation, 37
Electronic mail, See Email
ElGamal algorithm, 40, 144
Ellison, Carl, 134
Email, 24
Encapsulating Security Payload, See ESP
Encapsulation, 13, 30, 58, 63, 215, 219, 226: ESP (Encapsulating Security Payload), 90; GRE (Generic Routing Encapsulation), 64; modes for VPN clients, 230-231; modes for VPN gateways, 179; Encryption; algorithm, 35; asymmetric, 60; ESP (Encapsulating Security Payload), 88; hardware acceleration, 187; NULL algorithm, 89; options for VPN clients, 230; public key, 38, 40; shared key, 37; symmetric, 60
Entrust, 203
ESP (Encapsulating Security Payload), 58, 63, 70, 76-77, 79, 88-91, 100, 183: fields, 89; protocol number, 77; transport mode, 90, 180; tunnel mode, 91, 179, 182
Ethernet, 257, 263
EUnet, 26
Extensible Authentication Protocol, See EAP
Extranet, 6
Extranet VPN, 46, 50-52: functions, 182-184
Federal Information Processing Standard (FIPS), 146
Feghhi, Jalal, 136
Feghhi, Jalil, 136
Finland, 140
FIPS 140-1, 146, 201
FIPS 140-1 certification, 200
Firewall, 21, 35, 48, 184, 218, 225, 230, 248, 276: DMZ (demilitarized zone), 204; interaction with VPN gateways, 201
Fischetti, Mark, 26: Fragmentation, 31, 60, 226-227; don't fragment IP flag, 31; more fragments IP flag, 31
Frame relay, 4, 9, 46-48, 67-68: CIR, 46; provisioning, 46; PVC, 46, 48
FreeBSD, 224, 234-235
FreeS/WAN, 235
FTP (File Transfer Protocol), 252, 259, 262
Gateway, 24, 29: border, 33; See also Router and VPN gateway
Generic Routing Encapsulation, See GRE
Germany, 140
GnuPG, 40, 141: See also PGP
Good, Gordon S., 167
Graphical user interface, See GUI
GRE (Generic Routing Encapsulation), 64, 67-68
GUI (graphical user interface), 194
Gutmann, Peter, 140
Hash function, 41: collision resistant, 41; one-way, 41-43
Hashed message authentication code, See HMAC
Hellman, Martin, 36, 129
HMAC (hashed message authentication code), 43, 85
Hot Standby Router Protocol, See HSRP
Howes, Timothy A., 167
HSRP (Hot Standby Router Protocol), 187
HTTP (Hypertext Transfer Protocol), 252
Hub-and-spoke, 46
IBM, 37
ICANN (Internet Corporation for Assigned Names and Numbers), 278
ICMP (Internet Control Message Protocol), 196: ping, 197; traceroute, 198
ICSA (International Computer Security Association), 200
IDEA, 38, 141, 143, 176
IETF (Internet Engineering Task Force): firewall bypass effort, 226; IPsec standard, 12, 75, 98; L2TP Extensions working group, 69; MIB-II defined objects, 253; MPLS-based VPN effort, 276; NAT/IPsec compatibility effort, 226; PKIX Working Group, 123; RMON, 257; security policy effort, 159; SNMP, 247; VPN state synchronization effort, 187; VPN tunneling efforts, 260
IGRP (Interior Gateway Routing Protocol), 278
IKE (Internet Key Exchange), 76-77, 82, 91-99, 101, 260: use with firewalls, 203; ICSA certification, 200; key generation, 96, 179, 182-184; key management, 153; phase 1 negotiation, 94; phase 2 negotiation, 95; security policy effort, 159
Indus River, 231
Integrated Services Digital Network, See ISDN
Integrity check value (ICV), 85-86
Intel, 66, 231
Intercept driver, 222
Interface Message Processor (IMP), 24
International Computer Security Association, See ICSA
International Organization for Standardization, See ISO
International Telecommunication Union, See ITU
Internet, 3-4, 6, 8, 12, 48, 63: ARPANET, 24
Internet: attacks, 34; connectivity, 47; evolution, 269; growth, 26; history, 23; IP (Internet Protocol), 30; management, 245; security, 278; unneling, 62-63; worm, 34
Internet Activities Board, 247
Internet Control Message Protocol, See ICMP
Internet Engineering Task Force, See IETF
Internet Explorer, 135
Internet Key Exchange, See IKE
Internet Protocol. See IP
Internet Security Association and Key Management Protocol, See ISAKMP
Internet service provider, See ISP
Internet worm, 34
Internet-Draft, 289
Internetwork, 24, 57
Internetworking, 29, 277
Intranet, 6, 63, 175
Intrusion detection system (IDS), 35, 279
IP (Internet Protocol), 6, 24-25, 30-32, 47, 59, 221: address, 24, 32; destination address field, 32; don't fragment flag, 31; flags field, 31; fragment offset field, 32, 85; fragmentation, 31, 85; fragmentation field, 60; header checksum field, 32, 85; header format, 30; header length field, 31; identification field, 31; Internet, 25; internetwork, 24; IPsec, 75; IPv4, 75; IPv6, 75; more fragments flag, 31; mutable fields, 85; options field, 32; padding field, 32; protocol field, 32; SLIP (serial line IP), 67; source address field, 32; time to live field (TTL), 32, 60, 85, 198; total length field, 31; type of service field (TOS), 31, 85; version field, 31
IP header, 59, 64, 70-71
IP service platform, 272-273
ipnsec, 236
IPsec, 12, 58, 70, 75-101: Authentication Header (AH), 83; certification from ICSA, 200; concepts, 75; Encapsulating Security Payload (ESP), 88; firewall issues, 219; fragmentation issues, 227; implementations, 98, 235; Internet Key Exchange (IKE), 91; iterated tunneling, 79; use with L2TP, 69; mode, 78, 80; NAT issues, 226, 276; nested SAs, 79, 273; packet filtering, 185; protocol, 80; SA (security association), 77, 79, 93-94; Security Association Database (SAD), 79; security databases, 79; Security Parameter Index (SPI), 77; Security Policy Database (SPD), 80; security policy effort, 159; security protocols, 76; transport adjacency, 79; transport mode, 86, 90; tunnel management, 260; tunnel mode, 70, 87, 91; as a VPN tunneling protocol, 63, 83, 176, 179, 191, 216-217, 230
IPv4, 75, 86, 235
IPv6, 75, 81, 86, 235
IPX (Internetwork Packet Exchange), 47, 59, 232
ISAKMP (Internet Security Association and Key Management Protocol), 76, 92, 99, 199: cookie, 93; master key, 97; SA (security association), 93-96
ISDN (Integrated Services Digital Network), 50, 61, 66
Isenberg, David, 281
ISO (International Organization for Standardization), 27, 110, 215, 246
ISP (Internet service provider), 11-12, 49-50, 53-54, 61-68, 245, 272
Iterated tunneling, 79
ITU (International Telecommunication Union), 122, 136: network management, 247
Kaliski, Barton, 144
KAME, 235
Kent, Steve, 134, 147
Kerberos, 116, 119-122: authentication server (AS), 119; ticket, 119; Ticket-Granting Server (TGS), 121; Ticket-Granting Ticket (TGT), 121
Key escrow, 132, 146-147
Key management, 36, 39, 153
Key ring, 125
Keyed MD5, 43
L2F (Layer Two Forwarding), 58, 61, 66-69, 111: as a VPN tunneling protocol, 176, 215, 230
L2TP (Layer Two Tunneling Protocol), 58, 61, 68-70, 111, 199, 238: compression methods for, 70; L2TP Access Concentrator (LAC), 68; L2TP Extensions Working Group, 69; L2TP Network Server (LNS), 68; tunnel management, 260; as a VPN tunneling protocol, 176, 191, 215, 230
Label Distribution Protocol (LDP), 280
Label switch router, See LSR
Label switched path, See LSP
Label switching, 63
Layer Two Forwarding, See L2F
Layer Two Tunneling Protocol, See L2TP
LDAP (Lightweight Directory Access Protocol), 167, 261
Leased line, 24, 241
Lightweight Directory Access Protocol, See LDAP
Link Control Protocol (LCP), 113
Link layer, 28, 30, 58, 274
Linux, 220, 224, 234-236
Local area network (LAN), 52
LSP (label switched path), 71, 275
LSR (label switch router), 71
Lucent, 66, 115
MAC (message authentication code), 43, 60: HMAC, 43; one-way hash function, 43; Unixpasswords, 43
MacOS, 220, 224, 234: standard autopush driver, 224; VPN clients for, 234
Management information base, See MIB
Management information tree, See MIT
Maximum transmission unit, See MTU
MD4, 117
MD5, 43, 85, 113, 117, 143: keyed, 43
Message authentication code, See MAC
MIB (management information base), 20, 196, 247, 251, 253, 259-260: IKE Monitoring MIB, 197, 260; IP Tunnel MIB, 197; IPsec DOI Textual Conventions MIB, 260; IPsec Monitoring MIB, 197, 260; ISAKMP DOI-Independent Monitoring MIB, 260; L2TP MIB, 260; MPLS Traffic Engineered LSPs MIB, 260; MPLS Traffic Engineering MIB Using SMIv2, 260; RMON (Remote Monitoring), 257; TCP/IP (MIB-II), 197, 247
MIB view, 257
MIB-II, 197, 247, 253
Microsoft, 12, 66, 136, 139, 190, 218, 220-221, 229, 234: approach to VPN clients, 229; extensions to CHAP, 66; extensions to PAP, 66; Internet Explorer, 135; MS-CHAP, 66; WINS (Windows Internet Service), 181, 229
Microsoft NetBIOS, 229
Microsoft Windows, See Windows
MIT (management information tree), 251, 253, 256
MIT (Massachusetts Institute of Technology), 119
Modem: availability, 264; bank, 61, 63, 66-67; cable, 49; cost, 49; dial-back protected, 263; digital modulation standards, 49; with encryption capability, 263; NAS (network access server), 115; speed, 49-50
MOSAIC, 26
MPLS (Multiprotocol Label Switching), 63, 71-73: enabling QoS, 280; label stacking, 71, 273; shim header, 71; tunnel management, 260; as a VPN tunneling protocol, 274-276
MS-CHAP, 66, 230
MTU (maximum transmission unit), 80, 86, 90, 226-227
Multiprotocol Label Switching, See MPLS
NAS (network access server), 64-67, 69, 115-117, 199, 248
NAT (network address translation), 185, 207, 219, 226, 276
National Center for Supercomputer Applications, See NCSA
National Institute of Standards and Technology, See NIST
National Science Foundation, See NSF
National Security Agency, See NSA
Navy, U.S., 33
NCP (Network Control Program), 24
NCSA (National Center for Supercomputer Applications), 26
NDIS (Network Driver Interface Specification), 221
NetBEUI, 222
NetBIOS, 229
NetBSD, 224, 234-235
Netscape, 26, 136, 140: Communicator, 135
NetScreen, 187
Netware, Novell, 5
Network access server, See NAS
Network adapter, 233
Network Control Program, See NCP
Network Driver Interface Specification, See NDIS
Network layer, 24, 29-30, 58, 70, 75
Network management: architecture, 248; FCAPS, 246, 265; international issues, 266; Internet model, 247, 251; OSI model, 246, 250-251, 253; out-of-band access, 263; probe, 248, 251; tunnels, 260
Network management protocols, 248, 250
Network management standards, 246: Blue Book Recommendation M.30, 247; CMIP (Common Management Information Protocol), 246; CMIS (Common Management Information Service), 246; OSI Basic Reference Model, Part 4, 246; RMON (Remote Monitoring), 247; SNMP (Simple Network Management Protocol), 247; TL1 (Transaction Language One), 252; TMN (Telecommunications Management Network), 247
Network management station, See NMS
Network management system, 245
Network monitoring, 193, 196
Network operations center, See NOC
Network security, 33-35, 277-279: devices, 35
Network service management, 263-266: customer portal, 265-266; NOC (network operations center), 265; SLA (service level agreement), 264
Network Time Protocol, See NTP
Network topology, 32
NIST (National Institute of Standards and Technology), 37, 43, 106, 201
NMS (network management station), 248
NOC (network operations center), 213, 261-263, 265
Nonce, 94
Nonrepudiation, 40
Nortel Networks, 66, 187, 194-195, 231
Northern Telecom, See Nortel Networks
Novell, 5, 47
NSA (National Security Agency), 33, 37, 43
NSF (National Science Foundation), 26
NSFNET, 26, 277
NTP (Network Time Protocol), 121
NULL encryption algorithm, 70, 89
Oakley key determination protocol, 92, 98
Object identifier (OID), 253-254
One-time passwords (OTP), 108, 113, 117-118: S/KEY, 109, 117
One-way hash function, 41-43, 60, 113, 117
Open Systems Interconnection, See OSI
OpenBSD, 224, 234-236
OpenPGP, 141
OpenSSH, 236
OSI (Open Systems Interconnection), 27: network management, 247; protocol stack, 215
OSI Reference Model, 27, 29, 166, 246
OSPF (Open Shortest Path First), 187, 278: with digital signatures, 184
Over the air rekeying (OTAR), 16
Packet-switched network, 24, 29, 32, 48, 59
PAP (Password Authentication Protocol), 66, 107, 111
Password Authentication Protocol, See PAP
Passwords, 43, 66, 106, 117: challenge/response, 107; CHAP (Challenge Handshake Authentication Protocol), 108; dictionary attack, 106; entropy, 106; NIST guidelines for choosing, 106; one-time, 108; out-of-band access, 263; PAP (Password Authentication Protocol), 107, 111; RADIUS, 115, 128; salt, 106
PDU (protocol data unit), 58, 252, 254
PEM (Privacy Enhanced Mail), 135
Perlman, Radia, 134
Permanent virtual circuit, See PVC
PGP (Pretty Good Privacy), 40, 119, 124, 135, 141, 216: certificate, 141-144; GnuPG, 141; OpenPGP, 141; public key ring, 125; web of trust, 124, 144
Physical layer, 28
Ping, 197
PKCS (Public-Key Cryptography Standards), 144, 150: PKCS #10, Certification Request Syntax Standard, 151-152; PKCS #6, Extended-Certificate Syntax Standard, 144, 151; PKCS #7, Cryptographic Message Syntax Standard, 151-152; PKCS #9, Selected Object Classes and Attribute Types, 145, 151
PKI (public key infrastructure), 14, 122, 129-154, 180, 184, 200, 203, 218: architecture, 130-136; CA (certification authority), 129; certificate and CRL repository, 130; certificate revocation process, 130, 133; certification process, 129, 132; key escrow, 132
PKI (public key infrastructure): name subordination, 135; RA (registration authority), 130; trust models, 131, 134; validation process, 129, 133; X.509, 122, 136
PKIX (Public Key Infrastructure for the Internet), 12, 123, 150
PMI (Privilege Management Infrastructure), 157
Point-to-Point Protocol, See PPP
Point-to-Point Tunneling Protocol, See PPTP
Policy management, 163
POP (point of presence), 46, 50, 52-54, 272
Port address translation, See PAT
PPP (Point-to-Point Protocol), 61-67, 69, 108, 185, 230, 232: authentication, 107, 111-114; Link Control Protocol (LCP), 111; PPPoE (PPP over Ethernet), 234; use in SSH, 237
PPPoE (Point-to-Point Protocol over Ethernet), 234
PPTP (Point-to-Point Tunneling Protocol), 58, 61, 63-69, 111, 229: authentication, 66; Microsoft, 66; PPTP Access Concentrator (PAC), 63, 68; PPTP Network Server (PNS), 63, 68; as a VPN tunneling protocol, 176, 215, 217, 230
PPTP Forum, 63, 66
Presentation layer, 30
Pretty Good Privacy, See PGP
Privacy Enhanced Mail See PEM
Private addressing, 63
Private Line Interface (PLI), 33
Private network, 4, 6, 8-9, 63, 175, 279
Privilege Management Infrastructure, SeePMI, 157
Project Athena, 119
Protocol data unit, See PDU
Protocol number, 32
Provisioning, 188
PSTN (public switched telephone network), 6, 61, 66, 263, 281
Public key certificate: X.509, 136; X.509v3, 140, 145; See alsodigital certificate, 136
Public key cryptography, 36, 38-39, 41, 129, 134: digital signature, 40; ElGamal algorithm, 40; encryption, 40; PGP (Pretty Good Privacy), 125; Rabin algorithm, 40; RSA algorithm, 40; use in SSH, 237
Public key infrastructure, See PKI
Public network, 6, 47, 175, 278
Public switched telephone network, See PSTN
Public-Key Cryptography Standards, See PKCS
PVC (permanent virtual circuit), 46, 48
QoS (quality of service): denoted by IP TOS field, 31; for on-net traffic, 49; in the Internet, 49, 277; in IP service platform, 272; lack of standards, 12; enabled with MPLS, 63, 274-275; service beyond connectivity, 279-280; in VPN gateways, 21, 178, 186, 207
Quality of service, See QoS
RA (registration authority), 130, 132, 134, 145, 148
Rabin algorithm, 40
RADIUS (Remote Access Dial In User Service), 67, 114-117, 128: accounting for VPN gateways, 190, 199; authentication for VPN clients, 217, 230, 234; authentication for VPN gateways, 182, 190, 209-210; for storing policy information, 261
RAS (remote access server), 49, 61-62, 229
RC4, 176, 230
RC5, 230
Redcreek, 231
Registration authority, See RA
Remote Access Dial In User Service, See RADIUS
Remote access server, See RAS
Remote access VPN, 20, 45, 49-50, 54, 208: functions, 180-182
Replay attack, 15, 94, 122
Request for Comments, See RFC
RFC (Request for Comments), 33, 289: RFC Editor, 289
Rijndael algorithm, 37
RIP (Routing Info 

Updates

Submit Errata



More Information



InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Privacy Notice

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
Such marketing is consistent with applicable law and Pearson's legal obligations.
Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

As required by law.
With the consent of the individual (or their parent, if the individual is a minor)
In response to a subpoena, court order or legal process, to the extent permitted or required by law
To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
To investigate or address actual or suspected fraud or other illegal activities
To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020

Email Address

Virtual Private Networks: Technologies and Solutions

Book

About

Features

Description