A comprehensive guide to virtual private networks. Volume I

Scribed by International Business Machines Corporation


Publisher: IBM Corp
Year: 1999
Tongue: English
Leaves: 250
Series: IBM redbooks
Category: Library


Table of Contents


IBM Firewall, Server and Client Solutions
Contents
Figures
Tables
The Team That Wrote This Redbook
Comments Welcome
Part 1. VPN Description and Background
VPN Introduction and Benefits
Security Considerations for VPNs
A Typical End-to-End Path
Exposures in a Dial-In Segment
Exposures in a Security Gateway
Conclusions
IPSec-Based VPN Solutions
Layer 2-Based VPN Solutions
Non-IPSec Network Layer-Based Components of a VPN Solution
Non-IPSec Application Layer-Based Components of a VPN Solution
Conclusions
Branch Office Connection Network
Business Partner/Supplier Network
Remote Access Network
Terminology
Symmetric or Secret-Key Algorithms
Asymmetric or Public-Key Algorithms
Examples of Public-Key Algorithms
Usage of Asymmetric Keys with IPSec
Hash Functions
Usage of Hash Functions with IPSec
Digital Certificates and Certification Authorities
Random-Number Generators
Export/Import Restrictions on Cryptography
Security Associations
Tunneling
Terminology Used throughout IPSec Redbooks
AH Header Format
Ways of Using AH
IPv6 Considerations
Encapsulating Security Payload (ESP)
ESP Packet Format
Ways of Using ESP
Combining IPSec Protocols
Case 2: Basic VPN Support
Case 3: End-to-End Security with VPN Support
Conclusion and an Example
Current IPSec Internet Drafts
Part 2. IBM eNetwork VPN Solutions
IPSec Functionality
Tunnel Types
Server/Gateway Platforms
IBM eNetwork Firewall for AIX
AIX V4.3
IBM Nways Routers
Client Platforms
AIX IPSec Client (Supplied with the eNetwork Firewall for AIX)
Windows 95 IPSec Client (Supplied with the eNetwork Firewall for AIX)
OS/2 TCP/IP V4.1 IPSec Client
Windows 95 eNetwork Communications Suite V1.1
Interoperability between the IBM Solutions
eNetwork Firewall for AIX
OS/390 Server
Interoperability between IBM VPN Solutions and Other Vendors
Part 3. VPN Scenarios and Implementation
Authenticating Backbone Traffic
Addressing Issues
Routing Issues
Summary: Branch Office Connection
Scenario Setup
Prerequisite Steps
Summary of the Necessary Steps
Firewall Setup Details
Testing the Tunnel
Filter Rules for Tunnel Traffic
The Flow of a Packet
Allow Only Firewall-to-Firewall Traffic
Allow Only Traffic between Specific Hosts
Design Considerations
Authenticating and Encrypting Supplier Traffic
Addressing Issues
Summary: Inter-Company Interconnection
Scenario Setup
Configuration of the Tunnel between the Firewalls
Configuration of the AIX V4.3 Server
Configuration of the eNetwork Communications Suite Client
Testing the Tunnel
Using Secure Socket Layer (SSL)
Variations of the Business Partner/Supplier Network Scenario
Design Considerations
Addressing and Routing Issues
Summary: Remote Access
Scenario Setup
Prerequisite Steps
Setup Overview
Setup Details
Activating and Deactivating the Dynamic Tunnel
An Insight View to Dynamic Tunnels
Logging
Helpful Commands and Tools
Helpful Commands and Tools
Problem Determination
Logging
Cannot Create Dial-Up Networking Entry
Problem Determination
Logging
Trace Examples
Network Address Translation
Interoperability between eNetwork Firewall for AIX and AIX V4.3
Interoperability with the eNetwork Firewall for AIX
Interoperability with the eNetwork Communications Suite
FWTUNNL Export File Formats
Additional OS/2 TCP/IP V4.1 IPSec Client Combinations
Configuring IPSec Filters and Tunnels
Server
Interoperability between Two OS/2 TCP/IP V4.1 IPSec Clients
Turning OS/2 Into a Mini-Firewall
Interoperability with the eNetwork Firewall for AIX
Part 4. VPN Future
The Two Phases of ISAKMP/Oakley
Initializing Security Associations with ISAKMP/Oakley
Phase 1 - Setting Up ISAKMP/Oakley Security Associations
Phase 2 - Setting Up Non-ISAKMP/Oakley Security Associations
Negotiating Multiple Security Associations
Using ISAKMP/Oakley with Remote Access
Appendix A. Special Notices
B.3 Other Publications
B.3.1 Web Site Reference
How IBM Employees Can Get ITSO Redbooks
How Customers Can Get ITSO Redbooks
IBM Redbook Order Form
List of Abbreviations
A
B
D
F I
L
O
S
V
X
ITSO Redbook Evaluation


SIMILAR VOLUMES


A Technical Guide to IPSec Virtual Priva
James S. Tiller | Library | 2000 | English

What is IPSec? What's a VPN? Why do they need each other? Virtual Private Network (VPN) has become one of the most recognized terms in our industry, yet there continuously seems to be different impressions of what VPNs really are and can become. A Technical Guide to IPSec Virtual Private Networks pro

Virtual Private Networking: A Constructi
Gilbert Held (auth.) | Library | 2004 | English

This book provides network managers, LAN administrators and small business operators with all they need to know to "interconnect" multiple locations or travelling employees that need to access a single location. The operation and utilization of virtual private networks is discussed both in theory an

Virtual Private Networking: A Constructi
Gilbert Held | Library | 2004 | Wiley | English

This book provides network managers, LAN administrators and small business operators with all they need to know to "interconnect" multiple locations or travelling employees that need to access a single location. The operation and utilization of virtual private networks is discussed both in theory

Building a virtual private network
Meeta Gupta | Library | 2003 | Premier Press | English

Your business must be connected in order to compete in the global marketplace. Employees need to know that their company's network is accessible at any time, from any place. A Virtual Private Network (VPN) accomplishes this by utilizing remote connectivity technologies that combine existing intern