AH Authentication Header VPN Protocols
2.3.4 Internet Key Exchange, ISAMKPOakley
In the parlance of the IPSec working documents produced by the IETF, a Security Association is any protected conversation between two possibly hostile parties. Having only ESP and AH does not complete the picture for an IPSec system. For secure communication, both parties must be able to negotiate keys for use while the communication is happening. Plus, both parties need to be able to decide which encryption and authentication algorithms to use. The Internet Key Exchange IKE protocol formerly known as ISAKMPOakley provides authentication of all peers, handles the security policies each can perform, and controls the exchange of keys. Key generation and key rotation are important because the longer the life of the key, the larger the amount of data at risk, and the easier it becomes to intercept more ciphertext for analysis. This is the concept of perfect forward secrecy. By changing the keys often, it becomes difficult for a network snoop to get the big picture if they have to keep cracking keys. Further, the keys generated on the fly should not bear any resemblance to one another, and should not be generated from environmental variables that could easily be guessed time of day, server load, etc. IKE uses the Diffie-Hellman key exchange protocol to handle this, and has proven to be adequate in its protection.2.3.5 ISO X.509 v.3 Digital Certificates
Although not a security protocol in the same fashion as ESP and AH, the X.509 system is important because it provides a level of access control with a larger scope. Because the X.509 certificate systems are used with other Public Key Infrastructure devices and software, IPSec vendors have chosen to incorporate them into their equipment to handle authentication. Certificate management, as handled by a trusted third party, will play a big role in the future of the IPSec suite, and work is already being done by vendors to have their products communicate with the public CAs Certificate Authorities for authentication.2.3.6 LDAP Lightweight Directory Access Protocol
Closely related to the X.509 system is the Lightweight Directory Access Protocol, or LDAP. LDAP is a smaller, and logically easier to implement, X.500 service that is supported on various VPN solutions to provide authentication and certificate management. Hardware products like the Bay Networks Extranet Switch use LDAP as well as some popular software solutions, such as Windows NT and Novell. It is becoming more common to use trusted third- party authentication systems such as LDAP and the X.500 directory system for remote access to a corporate network or a VPN.2.3.7 Radius
Where LDAP and the X.500 systems provide authentication and certificate management to users anywhere in the world, Radius is an authentication system used more for intra- organization lookups. The Radius system was developed as an open standard by Livingstone Enterprises, and is not currently sanctioned by the IETF, but is under consideration. Recently, Merit updated the Radius system to enhance its clientserver capabilities and its vendor 36 specific attributes, allowing manufacturers to tailor their products and services to specific markets. More VPN solutions currently support authentication using Radius than the other public certificate systems mentioned above, but a groundswell of support for the X.500 system is well underway.2.3.8 PPTP Point-to-Point Tunneling Protocol
The Point-to-Point Tunneling Protocol PPTP is an extension of the standard PPP Point-to- Point Protocol. The tunneling services provided by PPTP are intended to ride on top of the IP layer, whereas the traditional PPP protocol underlies IP. PPP was ideally suited for modification because its functionality already mimics the behavior of what a VPN would need: a point-to-point tunnel. All that was missing was the security. PPTP, however, is more of a host-to-host secure communications channel, rather than a LAN-to-LAN one. Although it is quite possible to route traffic across a PPTP tunnel, the IPSec solutions are better geared for this type of application.2.4 Methodologies for Compromising VPNs
In this section we vicariously take on the role of the people we are trying to thwart: those who want to inspect, intercept, and interfere with the transmission of your data.2.4.1 Basic Firewalling
Services that you will likely offer to the Internet include mail such as the POP, SMTP, and IMAP protocols, World Wide Web HTTP and HTTPS protocols, and a host of other things including DNS, FTP, video or audio streaming, and network time. Our discussion of services plays directly into the first section, where we begin to explore one of the introductory yet powerful ways for protecting data firewalls. Although they are not tangible like data files that contain customer credit card numbers, services that you choose to offer your customers on the Internet play a huge role in defining the form the firewall takes and what types of data you think will assist the customer. Before even embarking on the creation of the firewall, you need to develop an overall data strategy. What do customers have access to? What do normal employees have access to? What can advanced security folks see and do? Once you have spent some time in detailing the blueprint for your network, you can begin to create the doors and windows that permit visitors. Some popular services are sometimes dangerous to run, and come with security dilemmas that we can never seem to shake, but are so important that we would argue against removing them. The application that receives the most attention by security professionals is sendmail. The reasons for this are simple: the source code for the most popular implementation of sendmail the Berkeley Version 8 software is readily available and the running daemon is easily located on someones network. Because of this, pay careful attention to the sendmail servers that are available to the public and how they are configured. Our ultimate goal in setting up security barriers is to make a break-in too time- consuming, too difficult to complete, and once completed, too unrewarding to make it worth a crackers time and effort. If you look like a terrible target, they will go elsewhere and leave you alone. Most computer crimes are much like everyday real crimes—they are crimes of convenience that could be avoided by erecting a minimal deterrent.Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more