
Network Security
Content
ABBREVIATIONS
CHAPTER 1. INTRODUCTION TO CRYPTOGRAPHY
1.1. The encryption function
1.1.1. 3DES algorithm
1.1.2. AES algorithm
1.1.3. RSA algorithm
1.1.4. ECC algorithm
1.2. Hash function
1.2.1. MD5 algorithm
1.2.2. SHA algorithm
1.2.3. HMAC mechanism
1.3. Key exchange
1.3.1. Secret-key generation
1.3.2. Public key distribution
CHAPTER 2. 802.1X MECHANISM
2.1. General introduction
2.2. EAPOL protocol
2.2.1. EAPOL-Start message
2.2.2. EAPOL-Logoff message
2.2.3. EAPOL-Key message
2.2.4. EAPOL-Encapsulated-ASF-Alert message
2.2.5. EAPOL-MKA message
2.2.6. EAPOL-Announcement message
2.2.7. EAPOL-Announcement-Req message
2.3. EAP protocol
2.3.1. EAP-Method Identity
2.3.2. EAP-Method Notification
2.3.3. EAP-Method NAK
2.4. RADIUS protocol
2.4.1. RADIUS messages
2.4.2. RADIUS attributes
2.5. Authentication procedures
2.5.1. EAP-MD5 procedure
2.5.2. EAP-TLS procedure
2.5.3. EAP-TTLS procedure
CHAPTER 3. WPA MECHANISMS
3.1. Introduction to Wi-Fi technology
3.2. Security mechanisms
3.3. Security policies
3.4. Key management
3.4.1. Key hierarchy
3.4.2. EAPOL-key messages
3.4.3. Four-way handshake procedure
3.4.4. Group key handshake procedure
3.5. WEP protocol
3.6. TKIP protocol
3.7. CCMP protocol
CHAPTER 4. IPSEC MECHANISM
4.1. Review of IP protocols
4.1.1. IPv4 protocol
4.1.2. IPv6 protocol
4.2. IPSec architecture
4.2.1. Security headers
4.2.2. Security association
4.2.3. PMTU processing
4.3. IKEv2 protocol
4.3.1. Message header
4.3.2. Blocks
4.3.3. Procedure
CHAPTER 5. SSL, TLS AND DTLS PROTOCOLS
5.1. Introduction
5.2. SSL/TLS protocols
5.2.1. Record header
5.2.2. Change_cipher_spec message
5.2.3. Alert message
5.2.4. Handshake messages
5.2.5. Cryptographic information
5.3. DTLS protocol
5.3.1. Adaptation to UDP transport
5.3.2. Adaptation to DCCP transport
5.3.3. Adaption to SCTP transport
5.3.4. Adaption to SRTP transport
CHAPTER 6. NETWORK MANAGEMENT
6.1. SNMPv3 management
6.1.1. Introduction
6.1.2. SNMPv3 architecture
6.1.3. SNMPv3 message structure
6.2. SSH protocol
6.2.1. SSH-TRANS protocol
6.2.2. SSH-USERAUTH protocol
6.2.3. SSH-CONNECT protocol
CHAPTER 7. MPLS TECHNOLOGY
7.1. MPLS overview
7.1.1. Network architecture
7.1.2. LSR router tables
7.1.3. PHP function
7.1.4. MPLS header format
7.1.5. DiffServ support
7.2. LDP protocol
7.2.1. Principles of functioning
7.2.2. LDP PDU format
7.2.3. LDP messages
7.3. VPN construction
7.3.1. Network architecture
7.3.2. Differentiation of routes
7.3.3. Route target
7.3.4. Principles of operation
7.4. Network interconnection
7.4.1. Hierarchical mode
7.4.2. Recursive mode
CHAPTER 8. ETHERNET VPN
8.1. Ethernet technology
8.1.1. Physical layer
8.1.2. MAC layer
8.1.3. VLAN isolation
8.2. PBT technology
8.3. VPLS technology
8.3.1. Network architecture
8.3.2. EoMPLS header
8.3.3. LDP
8.4. L2TPv3 technology
8.4.1. Data message
8.4.2. Control messages
8.4.3. Procedures
CHAPTER 9. FIREWALLS
9.1. Technologies
9.1.1. Packet filter
9.1.2. Applicative gateway
9.1.3. NAT/NAPT device
9.2. NAT/NAPT device crossing
9.2.1. ICMP protocol
9.2.2. IPSec mechanism
9.2.3. SIP, SDP and RTP protocols
9.2.4. FTP protocol
9.2.5. Fragmentation
CHAPTER 10. INTRUSION DETECTION
10.1. Typology of attacks
10.2. Methods of detection
10.2.1. Signature-based detection
10.2.2. Anomaly-based detection
10.2.3. Protocol analysis
10.3. Technologies
10.3.1. N-IDPS device
10.3.2. WIDPS device
10.3.3. H-IDPS device
10.3.4. NBA device
BIBLIOGRAPHY
INDEX
Abbreviations
3DES: Triple Data Encryption Standard
AAD: Additional Authentication Data
AC: Attachment Circuit
ACL: Access Control List
AES: Advanced Encryption Standard
AH: Authentication Header
AKM: Authentication and Key Management
ALG: Application-Layer Gateway
AP: Access Point
ARP: Address Resolution Protocol
AS: Autonomous System
ASN.1: Abstract Syntax Notation
ATM: Asynchronous Transfer Mode
AVP: Attribute Value Pair
BSS: Basic Service Set
BSSID: BSS Identifier
CCMP: Counter-mode/Cipher block chaining MAC Protocol
CDN: Circuit-Disconnect-Notify
CE: Customer Edge
CFI: Canonical Format Indicator
CHAP: Challenge-Handshake Authentication Protocol
CRC: Cyclic Redundancy Check
C-TAG: Customer TAG
DCCP: Datagram Congestion Control Protocol
DEI: Drop Eligible Indicator
DES: Data Encryption Standard
DF: Don't Fragment
DIX: DEC, Intel and Xerox
DLCI: Data Link Connection Identifier
DMZ: DeMilitarized Zone
DNS: Domain Name System
DOI: Domain of Interpretation
DoS: Denial of Service
DSAP: Destination Service Access Point
DSCP: DiffServ Code Point
DTLS: Datagram TLS
EAP: Extensible Authentication Protocol
EAPOL: EAP Over LAN
ECC: Elliptic Curve Cryptography
ECN: Explicit Congestion Notification
E-LSP: EXP-inferred-class LSP
EoMPLS: Ethernet over MPLS
ESP: Encapsulating Security Payload
ESS: Extended Service Set
FEC: Forwarding Equivalent Classes
FTP: File Transfer Protocol
GEK: Group Encryption Key
GIK: Group Integrity Key
GIX: Global Internet eXchange
GMK: Group Master Key
GTK: Group Transient Key
GTKSA: GTK Security Association
H-IDPS: Home-based IDPS
HMAC: Hashed Message Authentication Code
ICCN: Incoming-Call-Connected
ICE: Interactive Connectivity Establishment
ICMP: Internet Control Message Protocol
ICRP: Incoming-Call-Reply
ICRQ: Incoming-Call-Request
ICV: Integrity Check Value
IDPS: Intrusion Detection Prevention System
IDS: Intrusion Detection System
IE: Information Element
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IHL: Internet Header Length
IKE: Internet Key Exchange
IP: Internet Protocol
IPS: Intrusion Prevention System
IPSec: Internet Protocol Security
ISAKMP: Internet Security Association and Key Management Protocol
IS-IS: Intermediate System to Intermediate System
ISP: Internet Service Protocol
IV: Initialization Vector
KCK: Key Confirmation Key
KEK: Key Encryption Key
L2TPv3: Layer 2 Tunneling Protocol
LAC: L2TP Access Concentrator
LAN: Local Area Network
LDP: Label Distribution Protocol
LFIB: Label Forwarding Information Base
LIB: Label Information Base
LLC: Logical Link Control
L-LSP: Label-inferred-class LSP
LNS: L2TP Network Server
LSP: Label Switching Path
LSR: Label Switching Router
MAC: Medium Access Control
MAC: Message Authentication Code
MD5: Message Digest 5
MF: More Fragment
MIB: Management Information Base
MIC: Message Integrity Code
MK: Master Key
MODP: MODular exponential modulus P
MP-BGP-4: Multi-Protocol - Border Gateway Protocol 4
MPLS: Multi-Protocol Label Switching
MSDU: MAC Service Data Unit
MTU: Maximum Transmission Unit
NAPT: Network Address and Port Translation
NAT: Network Address Translation
NAT-D: NAT Discovery
NAT-OA: NAT Original Address
NAT-T: NAT Transversal
NBA: Network Behavior Analysis
N-IDPS: Network-based IDPS
NIST: National Institute of Standards and Technology
N-PE: Network-facing PE
OSA: Open System Authentication
OSPF: Open Shortest Path First
OUI: Organizationally Unique Identifier
P: Provider
PAD: Peer Authorization Database
PB: Provider Bridge
PBT: Provider Bridge Transport
PCP: Priority Code Point
PDU: Protocol Data Unit
PE: Provider Edge
PHB: Per-Hop Behavior
PHP: Penultimate Hop Popping
PKI: Public Key Infrastructure
PMK: Pairwise Master Key
PMTU: Path MTU
PN: Packet Number
PPP: Point-to-Point Protocol
PSK: Pre-Shared Key
PTK: Pairwise Transient Key
PTKSA: PTK Security Association
PW: Pseudo-Wire
RADIUS: Remote Authentication Dial-In User Service
RC4: Rivest Cipher 4
RD: Route Distinguisher
RFC: Request For Comments
RIB: Routing Information Base
SKA: Shared Key Authentication
RSA: Rivest, Shamir,...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.