PART 1 THE FOUNDATIONS OF VPNs 1
Chapter 1 Introduction to VPN Technology 3
What Is a VPN? 4
Components That Make Up a VPN 13
Who Supports VPNs? 18
The Growth of VPNs 18
Identifying a Need for VPN 20
The Business Need for VPNs 21
How to Choose VPN Services 22
Conclusion 25
Chapter 2 Network Security for VPNs 27
What Is Network Security? 28
What Can You Do to Protect Against Threats? 30
How to Identify Attacks 40
What Are Some Security Requirements of VPNs? 42
Why Is Security So Important When Implementing VPNs? 46
Implementing a Good Security Policy 48
Is Your Organization Vulnerable to Attacks? 50
What Are Some Types of Attacks? 52
Conclusion 53
Chapter 3 The Advantages and Disadvantages of VPN Technology 55
VPN Benefits 56
Cost Savings of VPNs 57
Benefits of Network Design 58
End-User Benefits of VPNs 62
Benefits of a Global Reach 64
Benefits to ISPs 65
Competitive Advantage of VPNs 66
Cost of VPN Technology 67
Additional Telecommunication Costs 77
Quality of Service Guarantees 79
Service Level Agreements 80
Conclusion 82
Chapter 4 VPN Architecture 85
Introduction to Architecture 86
Which Is the Best VPN for You? 87
VPN Supplied by Network Service Provider 93
Firewall-Based VPNs 99
Black-Box-Based VPNs 101
Router-Based VPNs 102
Remote Access-Based VPNs 104
Application-Aware/Proxy Toolkit VPNs 105
Multiservice Applications with VPNs 106
Software-Based VPNs 108
Performance Statistics/Comparisons 109
Tunnel Switches for VPNs 109
Certification/Compliance 112
Conclusion 113
Chapter 5 Topologies of VPNs 115
Introduction to VPN Topology 116
Firewall/VPN-to-Client Topology 118
VPN/LAN-to-LAN Topology 120
VPN/Firewall-to-Intranet/Extranet Topology 123
VPN/Frame or ATM Topology 126
Hardware (Black-Box) VPN Topology 128
VPN/NAT Topology 131
VPN Switch Topology 132
VPN Nested Tunnels 134
Load Balancing and Synchronization 135
Conclusion 139
Chapter 6 Government Restrictions on VPN Technology 141
Introduction to the Politics of Encryption 142
What Role Does Government Play in VPN Technology? 144
Why Would the Government's Policy Actions Affect VPN Security? 146
Where Do I Get Permission to Use Strong Security? 148
The Economic Cost of Government Intrusion 149
Legal Status of Encryption 151
International Impact on U.S. Government's Encryption Policy 152
What's Happening Today? 153
Conclusion 158
PART 2 THE VPN IMPLEMENTATION 161
Chapter 7 The Basics 163
Decide on a Game Plan 164
VPN Architecture Placement 167
Routing Problems 168
Topology Placement 172
IP/NAT Addressing Concerns 176
Remote Access Issues 183
DNS/SMTP Issues 185
Conclusion 186
Chapter 8 Installing a VPN, Part I 189
Introduction to Installing a Firewall-Based VPN 190
The Firewall-Based VPN Model 193
Obtain and Assign IP Address Space 197
Implementing a Good Security Policy 205
Implementing Management Traffic 208
Implementing SMTP and DNS Issues 209
Implementing Authentication 210
The Drop All Rule 213
Implementing the VPN Rule 214
Branch Office VPNs 215
Remote Users VPNs 217
Conclusion 218
Chapter 9 Installing a VPN, Part II 221
Service Provider VPN Services 222
Stand-alone VPN Services 223
Aventail ExtraNet Center 223
Compatible Systems—Access Servers 232
Nortel Networks—Extranet Switch 4000 237
Radguard—cIPro System 242
RedCreek—Ravlin 247
Timestep—PERMIT Enterprise 252
VPNet—VPLink Architecture 257
Conclusion 263
Chapter 10 Troubleshooting VPNs 265
Introduction to Troubleshooting VPNs 266
Remote Dial-In Users 269
LAN-to-LAN VPN 276
PPTP VPN 277
L2TP VPN 283
IPSec VPN 285
Multihomed Firewall/VPN 288
Conclusion 293
Chapter 11 Maintaining a VPN 295
Introduction 296
Redundant Links 297
Growth in Your Organization 299
Software Updates 300
Onsite Technical Support 302
Telephone Support 303
Help Desk Support to Remote Users 304
VPNs, Build or Buy? 304
Compatibility Issues 305
Alerting 306
Monitoring 306
Logging 307
Event Correlation 307
Encryption and Encapsulation 309
Key Management 311
Random-Number Generators 311
Certificates 312
Security Update 312
Support to Major Upgrade 314
Tunneling Protocols 315
Management Devices 315
Performance 316
Quality of Service 317
Authentication 317
Skilled Labor 318
Conclusion 318
PART 3 THE SECURITY OF VPNs 321
Chapter 12 Cryptography 323
What Is Cryptography? 324
Private versus Public Key Cryptography 325
Block Ciphers 326
Stream Ciphers 333
Hash Functions 335
Message Authentication Codes 336
Digital Timestamps 336
Digital Signatures with Certificate Authorities 337
Strengths of Cryptographic Hash Functions 338
Random-Number Generators 339
Clipper Chip 340
Which Cryptosystem Is Right for You? 341
Cryptography Timeline 342
Conclusion 352
Chapter 13 Encryption 353
Private-Key Encryption 354
Public-Key Encryption 356
Shared Secret Key 357
Digital Signatures 359
Certificate Authorities (CAs) 360
Diffie-Hellman Public-Key Algorithm 361
RSA Public-Key Algorithm 362
Pretty Good Privacy (PGP) 364
Internet Security Protocol (IPSec) 365
Encapsulating Security Payload (ESP) RFC 2406 368
Public Key Infrastructure (PKI) 372
Layer 2 Forwarding Protocol (L2F) 373
Point-to-Point Tunneling Protocol (PPTP) 374
Layer 2 Tunneling Protocol (L2TP) 377
Simple Key Internet Protocol (SKIP) 378
Secure Wide Area Network (S/WAN) 379
Conclusion 380
Chapter 14 Secure Communication and Authentication 381
Authentication Protocols 382
Operating System Passwords 384
S/KEY 385
Remote Authentication Dial-In Service (RADIUS) 388
Terminal Access Controller Access Control System (TACACS/XTACACS) 390
Terminal Access Controller Access Control System Plus (TACACS+) 391
Kerberos 392
Certificates 395
Smart Cards 399
Hardware Tokens/PKCS#11 400
Lightweight Directory Access Protocol (LDAP) 402
ACE/Server with SecurID 403
Biometrics 405
Secure Modems 406
Conclusion 407
Chapter 15 VPN Operating System Vulnerabilities 409
What Are VPN Operating System Vulnerabilities? 410
UNIX Guidelines 411
UNIX Operating System Vulnerabilities 415
Windows 95 Guidelines 421
Windows 95 Vulnerabilities 422
Windows NT Guidelines 423
Windows NT Vulnerabilities 426
Novell Guidelines
Conclusion 429
Chapter 16 VPN Security Attacks 431
Introduction to VPN Attacks 432
Cryptographic Algorithms Attacks 433
Random-Number Generator (RNG) Attacks 438
Government Attacks via Key Recovery 439
Internet Security (IPSec) Attacks 440
Point-to-Point Tunneling Protocol (PPTP) Attacks 445
SKIP Attacks 449
Certificate Authorities Attacks 449
RADIUS Attacks 452
Kerberos Attacks 453
Pretty Good Privacy (PGP) Attacks 454
Denial of Service (DoS) Attacks 456
Other Attacks 461
Conclusion 462
Chapter 17 Security Toolbelt 465
What Is a Security Toolbelt? 466
The Need for a Security Toolbelt 470
RFC 2196 Site Security Handbook 473
Security Escalation Procedures 476
Building a Secure Site 477
Security Tools 480
Incident Response Centers 485
Mailing Lists/Newsgroups 487
Web Security 488
Conclusion 493
Chapter 18 Intrusion Detection and Security Scanning 495
Introduction to Intrusion Detection 496
Categories of Intrusion Systems 499
Characteristics of a Good Intrusion Detection System 502
Intrusion Detection/Footprint 503
Fooling an Intrusion Detection System 508
Intrusion Detection Tools 511
Limiting Intrusion 515
Scanners 517
Conclusion 520
Chapter 19 Emerging Technologies for VPNs 523
Introduction to Emerging Technologies 524
Advances in Computing 525
Advances in Cryptographic Systems 529
Private Doorbell 533
Steganography 535
What Are the New Threats? 538
Government Regulations 540
Wireless VPNs 543
Conclusion 544
Appendix A Links and References 547
Glossary 563
Index 581