34 Other network security systems, such as PPTP, rely predominantly on securing higher-level communications. While these methods have met with some success in their arenas, they are still very focused solutions that require complex and in-depth knowledge of how to configure and maintain them. The flexibility and power derived by using TCPIP can be extended to IPSec, and should prove to be a long-term and stable answer to the network security puzzle.

2.3.1.2 IPSec organizations

The Internet Engineering Task Force maintains the IPSec charter on their site, which is updated regularly. You can find it at http:www.ietf.orghtml.chartersipsec-charter.html . A large-scale practical example for pioneering work with the emerging IPSec standard can be seen in the vendors supporting the Automotive Network Exchange ANX, a consortium of automakers. With more than 30 members participating in furthering the role of IPSec in equipment testing, interoperability, and functional requirements, great leaps of advancement were made. It is important to note that the work done at the IPSec technical roundtables on the ANX project contributed a great deal to the roll-out of the somewhat firm IPSec standard of the summer of 1998. More information can be found at http:www.aiag.org . Another important consortium, the Internet Computer Security Association, is an independent organization that oversees the certification of security products, services, systems, and people. It is a member-oriented company that strives to build public confidence in the improved security of global computing systems. Developers, manufacturers, experts in cryptography and security, and users of computer systems make up the bulk of the ICSA. The ICSA has been active in the certification of IPSec products that have recently been brought to market. To learn more about the ICSA and to review their activities and charter, visit their web site at http:www.icsa.net .

2.3.2 ESP Encapsulating Security Payload

The fundamental unit of transmission on the Internet is the IP Internet Protocol packet, upon which most WAN and LAN communications rely. IPSec handles encryption right at the IP datagram level using a new protocol, the Encapsulating Security Protocol ESP. ESP was designed to support almost any sort of symmetric encryption, such as DES or triple DES. Currently, ESP relies minimally upon 56-bit DES. ESP also supports some authentication, partially overlapping with the next IPSec protocol we will discuss: AH, the Authentication Header. Generally, ESP can be used inside another IP packet, so that ESP can be transported across regular IP communications channels. Instead of the normal TCP or UDP packet designation, the header information would declare the packets payload to be ESP instead. Because it is encapsulated in this fashion, ESP can be transported across legacy networks, and is immediately backward compatible with the bulk of the hardware used to route networks today.

2.3.3 AH Authentication Header

Where ESP secures the data by encryption, the Authentication Header AH protocol of IPSec handles only the authentication, without confidentiality. The AH protocol can be used in conjunction with ESP, in tunnel mode, or as a stand-alone authenticator. The Authentication Header protocol handles securing the IP header information, where ESP is concerned with the payload. To support a base functionality, IPsec requires that implementations of AH contain 35 HMAC-SHA and HMAC-MD5 HMAC is a symmetric authentication system supported by these two hashes.

2.3.4 Internet Key Exchange, ISAMKPOakley

In the parlance of the IPSec working documents produced by the IETF, a Security Association is any protected conversation between two possibly hostile parties. Having only ESP and AH does not complete the picture for an IPSec system. For secure communication, both parties must be able to negotiate keys for use while the communication is happening. Plus, both parties need to be able to decide which encryption and authentication algorithms to use. The Internet Key Exchange IKE protocol formerly known as ISAKMPOakley provides authentication of all peers, handles the security policies each can perform, and controls the exchange of keys. Key generation and key rotation are important because the longer the life of the key, the larger the amount of data at risk, and the easier it becomes to intercept more ciphertext for analysis. This is the concept of perfect forward secrecy. By changing the keys often, it becomes difficult for a network snoop to get the big picture if they have to keep cracking keys. Further, the keys generated on the fly should not bear any resemblance to one another, and should not be generated from environmental variables that could easily be guessed time of day, server load, etc. IKE uses the Diffie-Hellman key exchange protocol to handle this, and has proven to be adequate in its protection.

2.3.5 ISO X.509 v.3 Digital Certificates

Although not a security protocol in the same fashion as ESP and AH, the X.509 system is important because it provides a level of access control with a larger scope. Because the X.509 certificate systems are used with other Public Key Infrastructure devices and software, IPSec vendors have chosen to incorporate them into their equipment to handle authentication. Certificate management, as handled by a trusted third party, will play a big role in the future of the IPSec suite, and work is already being done by vendors to have their products communicate with the public CAs Certificate Authorities for authentication.

2.3.6 LDAP Lightweight Directory Access Protocol

Closely related to the X.509 system is the Lightweight Directory Access Protocol, or LDAP. LDAP is a smaller, and logically easier to implement, X.500 service that is supported on various VPN solutions to provide authentication and certificate management. Hardware products like the Bay Networks Extranet Switch use LDAP as well as some popular software solutions, such as Windows NT and Novell. It is becoming more common to use trusted third- party authentication systems such as LDAP and the X.500 directory system for remote access to a corporate network or a VPN.

2.3.7 Radius

Where LDAP and the X.500 systems provide authentication and certificate management to users anywhere in the world, Radius is an authentication system used more for intra- organization lookups. The Radius system was developed as an open standard by Livingstone Enterprises, and is not currently sanctioned by the IETF, but is under consideration. Recently, Merit updated the Radius system to enhance its clientserver capabilities and its vendor