
- 376 pages
- English
A Technical Guide to IPSec Virtual Private Networks
About this book
What is IPSec? What's a VPN? Why do they need each other? Virtual Private Network (VPN) has become one of the most recognized terms in our industry, yet there continuously seem to be different impressions of what VPNs really are and can become. A Technical Guide to IPSec Virtual Private Networks provides a single point of information that represents hundreds of resources and years of experience with IPSec VPN solutions. It cuts through the complexity surrounding IPSec and the idiosyncrasies of design, implementation, operations, and security. Starting with a primer on the IP protocol suite, the book travels layer by layer through the protocols and the technologies that make VPNs possible. It includes security theory, cryptography, RAS, authentication, IKE, IPSec, encapsulation, keys, and policies. After explaining the technologies and their interrelationships, the book provides sections on implementation and product evaluation. A Technical Guide to IPSec Virtual Private Networks arms information security, network, and system engineers and administrators with the knowledge and the methodologies to design and deploy VPNs in the real world for real companies.
Yes, you can access A Technical Guide to IPSec Virtual Private Networks by James S. Tiller in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Networking. We have over one million books available in our catalogue for you to explore.
Chapter 1: Getting Started
Communications are the fundamental driver of society and the value of the information being communicated has never been greater. The advent of several technologies and communication environments has fueled a storm of changes in the relatively recent evolution that is information technology.
The Internet, its speed, reliability, and the access to it have all expanded beyond every expectation set in the early years. The Internet has fueled the changes one sees in telecommunications, and the interaction between people, organizations, and countries has been affected.
During the explosive growth, many were asking how they could exploit the Internet and the timeless communication it provides. First, the baby steps were Web pages and e-mail. Then, as people gained interest in what was being sold through these virtual displays, it expanded into providing access to the commodity for the customer. The simple commerce soon expanded into sharing information for vendor interaction to provide virtual warehousing and reduced time to market for new merchandise.
To accomplish the development and dependency that organizations have on Internet communications, a new form of connectivity was required that could provide confidence in privacy, and remain inexpensive and scalable to accommodate the foreseeable future requirements.
Virtual private networks (VPNs) were developed to fill this gap and provide for secure communications over the Internet, or any untrusted network. The result was a process that required few system or communication modifications and promised to protect communication to anywhere in the world.
Information Age
The introduction of the computer into everyday activities was the turning point of the 20th century. Throughout history, there have been decisive milestones in the advancement of human society. The ability to create and use tools, then metallurgy and chemistry, and soon the industrial revolution solidified a working social environment.
The computer, at least the personal computer, opened a window of new opportunities to individuals to accomplish things never really considered before. By the time personal computers became a reality, computers were already being used for collective processing and huge number crunching. Only the guys with white jackets were allowed to watch all the lights. The PC made the computer accessible to people, and those people who were exposed included entrepreneurs that saw opportunity.
Nearly overnight, computers were at people’s desks, instead of typewriters, using them to accomplish complicated tasks in a reduced amount of time and with increased accuracy. Tasks that seemed out of reach for small businesses just a short time earlier were now attainable. Soon, the data became increasingly more complex and large, requiring more computers and educated people to operate and manage them. As this expanded, the information became an integral part of the business success, and the protection of that data soon became a focal point for some organizations.
It was at this point, when assets veered away from machines, widgets, and warehouses to data, that the information age was born. Data is nearly everything. This seems logical — data is knowledge, and knowledge typically equates to money. Anything from a new drug formula, or the research that founded its production, to a set of architectural plans for a new house or a fighter wing, to the daily news or the stock value of a remote company in the China highlands — information has become the universal ether that surrounds us. People no longer simply work with it; they react to it and base nearly everything on it.
For society to operate and use the information, it must be communicated and controlled. The communication of information has advanced very rapidly over the last few years. Technological advancements, driven by the desire to move information faster today than yesterday, were matched with massive amounts of money to create larger and farther-reaching information communications than ever before. However, during this same timeframe, but unfortunately not nearly as fast, the security of the communications was questioned. This is reminiscent of an old TV commercial where the formula for Coke passes the formula for Pepsi in a cloud of digital communications. The poetic truth is now realized, many years after the airing of that commercial: information can be very valuable.
The Internet
Since the first browser was used to provide a graphical interface for obtaining information from the Internet, the number of users and services has exploded. The Internet moved quickly and people and businesses realized the opportunities and potential of the Internet. Today, the Internet is firmly established as a basic requirement for business and social interaction; much like the telephone, it is expected almost anywhere one goes. Opportunities became very evident and opened an infinite variety of applications for business and personal endeavors.
The information coursing through the Internet evolved, seemingly overnight, from e-mail and basic Web browsing to much more sophisticated applications. Data that was being passed was becoming increasingly private and sensitive to the well-being of the original communication parties. Data that used to appear only on certain servers residing on internal networks was being accessed from across the country, moving through completely unknown territory.
As with any positive, there must be a negative. As technology increased and the use of the Internet for private interaction proliferated, criminals grew with the technology. Soon it was evident that deliberate abuse of the Internet could become a powerful weapon to cause disruption or increase personal wealth. A relationship developed between the development of technology to increase communication possibilities and the criminal’s ability to take advantage of them. Criminals discovered vulnerabilities at an astounding rate. As processes and applications were implemented to mitigate the new threats, new ones would be discovered and those too would require steps to protect information from the new vulnerability. This process of find-and-fix-and-find-again has not stopped. The constant pushing toward ultimate communication and discoveries of new technologies will certainly breed a continuous flow of unforeseen weaknesses.
However, the vulnerabilities can be reduced with certain technologies that address one aspect of the communication. A well-defined set of protection measures can provide enough defense against theoretical types of attack to carry into the next form of technology. IPSec is a perfect example of protection measures that can remain applied at a certain level within the communication and allow other aspects of the communication to evolve. IPSec has become a robust foundation that appears to be applicable for many years to come.
Security Considerations
Communication technology has eliminated the basic level of interaction between individuals. For two people talking in a room, it can be assured — to a degree — that the information from one individual has not been altered prior to meeting the listener’s ears. It can be also assumed that the person who is seen talking is the originator of the voice that is being heard. This example is basic, assumed, and never questioned — it is trusted. However, the same type of communication over alternate media must be closely scrutinized due to the massive numbers of vulnerabilities to which the session is exposed.
Computers have added several layers of complexity to the trusting process, and the Internet has introduced some very interesting vulnerabilities. With a theoretically unlimited number of people on a network, the options for attacks are similarly unlimited. As soon as a message takes advantage of the Internet for a communication medium without several layers of protection, all bets are off.
Authentication
Authentication is a service that allows a system to determine the identity of another entity that has presented its credentials. Authentication is the basis of many security mechanisms and some designs authenticate both parties in the communication.
Authentication is described in terms of factors: one, two, or three of them. The mantra of authentication is that it is based on something the user knows, something the user has, and something the user is. A good example of two-factor authentication is where users have something they know and something they have, such as a token. Users provide what they know, a username and password, combined with something they have, such as a number generated from a token. The number validates the possession of the token, which further validates the user with the name and password supplied.
The something the user knows is typically a password, pass phrase, or a Personal Identification Number (PIN) whose value only that person should know. Combine the personal knowledge of a private number or word with something the user has. This is typically associated with a token. Either one of these can be used in conjunction with something the user is. This is referred to as biometrics, the identification based on physical attributes. Biometrics can operate in many ways that range from entering a username or code in combination with a scan, or it can include something the user has, such as an access card.
There are several forms of authentication mechanisms used in nearly every aspect of system access. In the realm of IPSec and VPNs, the highest level currently being used is two-factor authentication. With most solutions, the protocol to include a token-generated number is nothing more than an extended use of CHAP or PAP, which are well-suited for remote access. However, in investigating IPSec remote access solutions more closely, one sees that there is absolutely no standard that provides for these extended authentication mechanisms. What is available today is simply what the vendor felt was the best technology that fit the proposed solution. In the absence of a standard, anything is fair game.
Access Controls
Access controls limit access to network and system resources based on communication attributes such as authentication data, traffic patterns or type, protocol, application, or any identifying characteristics of the communication that an administrator wishes to allow or stop.
Examples of simple access controls are ACLs, or access control lists, which are common among routers or access devices. An example might be:
permit ip 147.151.77.0 0.0.0.255 host 194.72.6.205
This ACL allows IP traffic from the network 147.151.77.0 to a specific host identified by its IP address, 194.72.6.205. To display the other characteristics that can be used in an ACL, more information can be provided:
permit tcp 147.151.77.0 0.0.0.255 host 194.72.6.205 eq 80
This ACL is very similar to the first; however, the protocol has been limited to TCP and only port 80. In these examples, one sees that restrictions can be applied to several differentiating factors in the communication. The first example simply isolated the network and system and the protocol being used to communicate. In the second version, the specific layer 4 protocols and the service port were isolated. (Many details of TCP/IP are covered in Chapter 2.)
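The two ACL lines above can be checked against sample packets with the small evaluator below. It is an added example, not code from the book, and it models the semantics the text describes: a Cisco-style wildcard mask (a 1 bit means "don't care"), the host keyword, a protocol that can be narrowed from ip to tcp, an eq port, first-match ordering, and the implicit deny that ends every ACL. The sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Two constructed ACLs in the Cisco IOS syntax quoted in the text. Entries are
# checked top to bottom, the first match wins, and a packet that matches no
# entry is dropped by the implicit "deny" at the end of every ACL.
ACL_IP_ONLY = "permit ip 147.151.77.0 0.0.0.255 host 194.72.6.205"
ACL_TCP_80 = "permit tcp 147.151.77.0 0.0.0.255 host 194.72.6.205 eq 80"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass
class AddrMatch:
    addr: int
    wildcard: int  # Cisco wildcard mask: a 1 bit means "don't care"

    def covers(self, ip: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return ((ip ^ self.addr) & care) == 0


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any IP protocol
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]  # from "eq N"; None means any destination port


def _parse_addr(tok: list, i: int):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return (match, next index)."""
    if tok[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return AddrMatch(_ip(tok[i + 1]), 0), i + 2
    return AddrMatch(_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_entry(line: str) -> Entry:
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Entry(action, proto, src, dst, dport)


def parse_acl(text: str) -> list:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def evaluate(acl: list, proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """Return the action the ACL takes for one packet ("permit" or "deny")."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (e.src.covers(s) and e.dst.covers(d)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    a, b = parse_acl(ACL_IP_ONLY), parse_acl(ACL_TCP_80)
    for proto, src, dst, port in [("tcp", "147.151.77.10", "194.72.6.205", 80),
                                  ("tcp", "147.151.77.10", "194.72.6.205", 443),
                                  ("udp", "147.151.78.10", "194.72.6.205", 53)]:
        print(proto, src, dst, port, "ip-only:", evaluate(a, proto, src, dst, port),
              "tcp-80:", evaluate(b, proto, src, dst, port))
```

Running it shows the effect of the extra qualifiers: the first ACL permits any protocol and port from the /24, while the second permits only TCP to port 80 and the implicit deny catches everything else.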
There are solutions that integrate the authentication process with access controls. Kerberos is an example. In Kerberos authentication, the user authenticates to a central system, a Key Distribution Center (KDC), and is ultimately provided a ticket that can be presented to a resource for access. The level of access permitted can be directly related to the user, who is identified by an authenticated ticket. Therefore, the user’s access controls are associated with his identity, which has been validated by a trusted KDC. It is easy to imagine a situation where access is controlled by the individual’s identity, the protocol they are attempting to access with, and the application that is being run. It is this situation that is expounded upon in IPSec by the addition of varying levels of protection based on the same access control attributes. It is necessary to understand that limitations and access controls can be related to any attribute that has the ability of uniquely identifying a process, person, or activity. Within IPSec, there are properties called selectors that can be used to control communications in the VPN. Not only can the selectors be leveraged for applying access controls but they also allow the administrator to provide various protection levels to various communication patterns and flows. Much more of this is covered in detail in later chapters.
Data Integrity
Data integrity is the validity of the data at any given state. There are three basic states of data:
- storage
- processing
- transmission
Typically, data in storage and being transmitted are the focal points of protection and integrity checking. When data is transmitted across an untrusted network, it is exposed to countless vulnerabilities and unwanted interaction. Data could possibly be modified while in transit and the valid participants could be completely unaware.
Data integrity is ensured by providing an authenticator, or an unchangeable representation of the data. Many protocols, including TCP/IP, provide a checksum process that produces a fingerprint that is transmitted with the original data. As the message and the checksum reach the destination, the recipient can verify that the data has not been altered in transit by verifying the checksum.
IPSec provides data integrity by employing message authentication processes (hash algorithms) to produce a message fingerprint that can be used to verify data integrity. Message authentication is an essential process that IPSec provides. IPSec has two basic security protocols, one of which has the sole purpose of providing message authentication. Knowing that what is received is the same as what was sent is imperative. IPSec is constructed in a way that even if a key is obtained and used to modify the data, obtaining the necessary information to create an alternate authentication is highly complex. The details of message authentication and its application in IPSec are discussed in later chapters.
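The distinction the two paragraphs above draw, between a protocol checksum and a keyed message authentication code, is shown below in an added example that is not from the book. It implements the RFC 1071 one's-complement checksum that IP-family headers carry and contrasts it with HMAC-SHA256 (used here as a stand-in for IPSec's keyed integrity check); the key and messages are constructed sample values.

```python
import hashlib
import hmac


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, the kind IP/TCP/UDP headers carry.
    It has no secret input, so anyone able to alter the bytes can recompute it."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_verifies(data: bytes, checksum: int) -> bool:
    return internet_checksum(data) == checksum


def make_mac(key: bytes, data: bytes) -> bytes:
    """Keyed fingerprint (HMAC-SHA256). The shared key is the 'necessary
    information' the text refers to: without it no valid tag can be produced."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verifies(key: bytes, data: bytes, tag: bytes) -> bool:
    # constant-time comparison so verification itself leaks nothing about the tag
    return hmac.compare_digest(make_mac(key, data), tag)


def demo() -> dict:
    key = b"constructed-shared-secret"          # constructed sample key
    original = b"transfer 100 to account 42"   # constructed sample message
    altered = b"transfer 900 to account 42"    # same message after in-transit change
    sum_orig = internet_checksum(original)
    tag_orig = make_mac(key, original)
    return {
        "checksum_original_ok": checksum_verifies(original, sum_orig),
        # a party that alters the bytes simply recomputes the unkeyed checksum;
        # the receiver sees a valid checksum and cannot tell anything changed
        "checksum_recomputed_ok": checksum_verifies(altered, internet_checksum(altered)),
        "mac_original_ok": mac_verifies(key, original, tag_orig),
        # without the key, the old tag no longer matches the altered data ...
        "mac_altered_ok": mac_verifies(key, altered, tag_orig),
        # ... and a tag computed under any other key is rejected as well
        "mac_wrong_key_ok": mac_verifies(key, altered, make_mac(b"guess", altered)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```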
Confidentiality
Confidentiality is the ability to keep the data private and unexposed to unauthorized viewers. In the realm of communication security, confidentiality is synonymous with encryption technology. Encryption is the process of converting information into unintelligible data and, typically, back into the original information and format given a specific key, password, or any private data or device.
Non-repudiation
Non-repudiation is the inability to transmit information and then claim not having done so. In the nontechnical domain, papers can be signed, authorized, and witnessed to provide a legal binding between the person and the activity, document, or statement. In the digital world, this is a much more complicated process, but is based on a similar foundation as with signatures on documents. The inclusion of a third party and the use of multiple keys in the sharing of data provide an acceptable form of insurance that the information was signed by the claimed individual. To support this, several priorities must be met to ensure that the signing process is valid and unencumbered by unauthorized influence.
Policy
The term “policy” relates to an enormous amount of security implications for organizations. Policies are typically associated with company standards, guidelines, and procedures that ensure a secure working environment. Policies provide a means of stating a security posture and defining the associated requirements to accomplish its implementation. Policy is also a crucial aspect of IPSec with respect to implementing a comprehensive VPN. IPSec policies are necessary to determine traffic flow and the protection it is to be provided, among other attributes. IPSec communications must not only be cognizant of the participants, data, and services allowed, but also the management of the connection with regard to maintaining security and communication integrity.
Network security — fundamentally what is being discussed here — is the synergy between required services and offerings, the protection of those services and data, and the operational conditions, or environment. Security policies exist to define the environment, or it will be completely nebulous to the surrounding influences. In other words, without a defined posture, it would be nearly impossible to secure. IPSec influences the network security policy because it affects the very foundation of information security. Communication over untrusted networks is available through the use of IPSec VPNs, but the impact of data manipulation on those remote systems and networks represents a security concern for many organizations. Thus, policies exist to define network security posture, and VPN policies must be included in the provisioning of the service to remote users, organizations, offices, partners, and vendors. On the other hand, policies exist for the physical application of IPSec within the organization or enterprise. IPSec policies define the technical realization of the VPN. Ironically, while a technical representation of secure communications, IPSec policies reflect network security policies very closely. It is easy to envision a network policy being quickly interpreted into an IPSec VPN policy. However, the reverse is not necessarily true. One obvious reason is that a network security policy should exist before IPSec is implemented. Another is that security decisions based on a technology, especially a communication technology, will not result in a comprehensive security policy.
The following sections discuss properties of network security, the policies that accompany it, and the qualities of VPNs that affect policy; and finally, the technical aspects of VPN policies are introduced.
Network Security Considerations
The security-related decisions that are made, or fail to be made, largely determine how secure or insecure the network is, how much functionality the network offers, and how easy the network is to use. However, good decisions cannot be made about security without first determining what the security goals are. Until the security goals are determined, no collection of security tools and services can be used effectively, because no one will know what to check for and what restrictions to impose.
An organization’s goals will be largely determined by the following key trade-offs.
Services Offered versus Security Provided. Each service offered to users carries its own security risks. For s...
Table of contents
- Cover Page
- Title Page
- Copyright Page
- Other Auerbach Publications
- Dedication
- Foreword
- Acknowledgments
- Introduction
- Chapter 1: Getting Started
- Chapter 2: Technical Primer
- Chapter 3: IP Security Primer
- Chapter 4: Cryptography
- Chapter 5: Implementation Theory
- Chapter 6: Authentication
- Chapter 7: IPSec Architecture
- Chapter 8: Security Protocols
- Chapter 9: Key Management
- Chapter 10: IKE in Action
- Chapter 11: Areas of Interest within IKE
- Chapter 12: Security Policies and the Security of VPNs
- Chapter 13: Implementation Considerations
- Chapter 14: Product Evaluation
- Chapter 15: Report on IPSec
- Appendix