Authors: Naganand Doraswamy and Dan Harkins
Publisher: Prentice Hall PTR
Everything can travel over the Internet Protocol (IP) but there is a problem of security. This is where IPSec comes into play. IPSec is short for IP Security, a set of protocols developed by the Internet Engineering Task Force, is used to secure exchange of packets at the IP layer. If you’re interested in the subject than you’ll be glad to know that the second edition of “IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks” is out. What does this edition deliver? Read on to find out.
About the authors
Naganand Doraswamy is senior principal engineer at Nortel Networks, and an active participant in key industry panels on VPNs and IP security. He was formerly network security architect at Bay Networks, and technical lead for IP Security at FTP Software.
Dan Harkins is a senior software engineer in the Network Protocol Security Group at Cisco Systems, and active in several IETF working groups. He wrote IPsec’s standard Internet Key Exchange (IKE) key management protocol.
Inside the book
The first part of the book kicks off with an overview of cryptographic history and techniques. This chapter provides the foundation for the understanding of IPSec. The authors illustrate man’s need for keeping secrets and briefly note the problems related to internet security before moving on to write about cryptographic building blocks and crypto concepts.
Next you encounter another overview, this time it’s about TCP/IP. The chapter is rather small and provides just about the right amount of information to get you started. As we move on, you begin to learn what IP Security is and how it works as the authors give you some general information on the architecture, the Encapsulating Security Payload (ASP), the Authentication Header (AH) and the Internet Key Exchange (IKE).
The second part of the book is all about details and starts with an in-depth discussion of the IPSec architecture. Here you learn about the various components of IPSec and the protocols in the IPSec family. IPSec can be implemented in the end hosts and/or in the gateways/routers, and the authors write about both and indicate the capabilities and implications of each implementation. Underlined is the fact that implementation depends on the security requirements of the users. Also described here are IPSec modes, security associations, fragmentation, etc.
What follows is two brief chapters that contain an analysis of the Encapsulating Security Payload (ESP) and the AH. The ESP is a protocol header inserted into an IP datagram in order to provide confidentiality, data origin authentication, antireplay and data integrity services to IP. What you get here is quality material about the ESP header, the ESP modes, ESP processing, AH modes and AH processing. The material is supplemented with figures that in some case really facilitate the understanding of the presented topics.
Chapter 7 introduces IKE which creates security associations dynamically on behalf of IPSec and populates and manages the Security Association Database. The authors write about the Internet Security Association and Key Management Protocol (ISAKMP) and the IPSec domain of interpretation document. ISAKMP was developed by researchers at the National Security Agency (NSA) and it defines how two peers communicate, how the messages they use are constructed and the state of transitions they go through to secure their communication.
The following topic is policy. Here the authors discuss the issue of policy representation and management of IPSec connections. They also walk you through the steps you have to follow to set up the policy for IPSec. Next you get into IPSec implementation issues. Described here are the implementation architecture, IPSec protocol processing, ICMP processing, and more. Since implementations are platform-specific, the authors provide mostly platform-independent information in order to allow you to use this chapter as a guideline in the future.
I’ts time to see IP Security in action. The authors discuss Virtual Private Networks as well as nested and chained tunnels before giving you deployment scenarios on how to actually use IPSec to help protect a network. This is great material, and presented here are: site-to-site policies, remote access policies, firewall and VPN gateway interaction, etc. Several configurations for various deployment scenarios are discussed.
The last chapter talks about the future of IPSec. The authors note that even though IPSec is a versatile protocol for securing IP, it is still not a complete solution for all deployments. Among other topics, discussed here are Key Recovery, the Layer 2 Tunneling Protocol (L2TP) and the Public Key Infrastructure (PKI).
My 2 cents
Although not even 300 pages long, this book delivers enough information to make you understand IPSec and I would recommend it to any of you that desire a good introduction on the subject. This is a great book to start off but don’t expect hands-on details as the page count really doesn’t leave room for that.
Although some previous knowledge is required in order to really get into the material, this is natural given the complexity of the subject and the intended audience of the networking professional.