IPsec Virtual Private Network Fundamentals (Paperback)
James Henry Carmouche
- Publisher: Cisco Press
- Publication date: 2006-07-01
- List price: $2,480
- Member price: 5% off, $2,356
- Language: English
- Pages: 480
- Binding: Paperback
- ISBN: 1587052075
- ISBN-13: 9781587052071
Description
An introduction to designing and configuring Cisco IPsec VPNs
- Understand the basics of the IPsec protocol and learn implementation best practices
- Study up-to-date IPsec design, incorporating current Cisco innovations in the security and VPN marketplace
- Learn how to avoid common pitfalls related to IPsec deployment
- Reinforce theory with case studies and configuration examples showing how IPsec maps to real-world solutions
IPsec Virtual Private Network Fundamentals provides a basic working knowledge of IPsec on various Cisco routing and switching platforms. It provides the foundation necessary to understand the different components of Cisco IPsec implementation and how it can be successfully implemented in a variety of network topologies and markets (service provider, enterprise, financial, government). This book views IPsec as an emerging requirement in most major vertical markets, explaining the need for increased information authentication, confidentiality, and non-repudiation for secure transmission of confidential data. The book is written using a layered approach, starting with basic explanations of why IPsec was developed and the types of organizations relying on IPsec to secure data transmissions. It then outlines the basic IPsec/ISAKMP fundamentals that were developed to meet demand for secure data transmission. The book covers the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics including high availability solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples are provided in each chapter to reinforce the fundamentals expressed in text and to assist readers in translating concepts into practical deployment scenarios. Additionally, comprehensive case studies are incorporated throughout to map topics to real-world solutions.
Table of Contents
Introduction
Part I Introductory Concepts and Configuration/Troubleshooting
Chapter 1 Introduction to VPN Technologies
VPN Overview of Common Terms
Characteristics of an Effective VPN
VPN Technologies
Virtual Private Dialup Networks
Multiprotocol Label Switching VPNs
IPsec VPNs
Transport Layer VPNs
Common VPN Deployments
Site-to-Site VPNs
Remote Access VPNs
Business Drivers for VPNs
Remote Access VPN Business Drivers–A Practical Example
Site-to-Site VPN Business Drivers–A Practical Example
IPsec VPNs and the Cisco Security Framework
Summary
Chapter 2 IPsec Fundamentals
Overview of Cryptographic Components
Asymmetric Encryption
Symmetric Encryption
Message Authentication, Message Integrity, and Sender Nonrepudiation Mechanisms
Public Key Encryption Methods
RSA Public-Key Technologies
Diffie-Hellman Key Exchange
The IP Security Protocol (IPsec)
IPsec Modes
IPsec Transforms
IPsec SA
IPsec Configuration Elements
Manual Keying
The Need for Security Association and Key Management
IKE and ISAKMP
IKE and ISAKMP Terminology and Background
IKE SA Negotiation and Maintenance
IPsec Diffie-Hellman Shared Secret Key Generation Using IKE
IKE Authentication Services
IKE Phase I Negotiation
IKE Phase II Negotiation
Configuring ISAKMP
IKE with RAVPN Extensions
Summary
Chapter 3 Basic IPsec VPN Topologies and Configurations
Site-to-Site IPsec VPN Deployments
Site-to-Site VPN Architectural Overview for a Dedicated Circuit
Site-to-Site Architectural Overview over a Routed Domain
Site-to-Site IPsec VPN Deployments and GRE (IPsec+GRE)
Site-to-Site IPsec+GRE Architectural Overview
Site-to-Site IPsec+GRE Sample Configurations
Hub-and-Spoke IPsec VPN Deployments
Hub-and-Spoke Architectural Overview
Standard Hub-and-Spoke Design without High Availability
Clustered Spoke Design to Redundant Hubs
Redundant Clustered Spoke Design to Redundant Hubs
Remote Access VPN Deployments
RAVPN Architectural Overview
RAVPN Clients
Standalone VPN Concentrator Designs
Clustered VPN Concentrator Designs
Summary
Chapter 4 Common IPsec VPN Issues
IPsec Diagnostic Tools within Cisco IOS
Common Configuration Issues with IPsec VPNs
IKE SA Proposal Mismatches
IKE Authentication Failures and Errors
IPsec SA Proposal Mismatches
Crypto-Protected Address Space Issues (Crypto ACL Errors)
Architectural and Design Issues with IPsec VPNs
Troubleshooting IPsec VPNs in Firewalled Environments
NAT Issues in IPsec VPN Designs
The Influence of IPsec on Traffic Flows Requiring QoS
Solving Fragmentation Issues in IPsec VPNs
The Effect of Recursive Routing on IPsec VPNs
Summary
Part II Designing VPN Architectures
Chapter 5 Designing for High Availability
Network and Path Redundancy
IPSec Tunnel Termination Redundancy
Multiple Physical Interface HA with Highly Available Tunnel Termination Interfaces
Tunnel Termination HA Using HSRP/VRRP Virtual Interfaces
HA with Multiple Peer Statements
RP-based IPSec HA
Managing Peer and Path Availability
Peer Availability
Path Availability
Managing Path Symmetry
Load Balancing, Load Sharing, and High Availability
Load-Sharing with Peer Statements
Routing
Domain Name System (DNS)
Cisco VPN3000 Concentrator Clustering
IPSec Session Load-Balancing Using External Load Balancers
Summary
Chapter 6 Solutions for Local Site-to-Site High Availability
Using Multiple Crypto Interfaces for High Availability
Impact of Routing Protocol Reconvergence on IPsec Reconvergence
Impact of Stale SAs on IPsec Reconvergence
Impact of IPsec and ISAKMP SA Renegotiation on IPsec Reconvergence
Stateless IPsec VPN High-Availability Alternatives
Solution Overview for Stateless IPsec High Availability
Stateless High Availability Failover Process
Stateful IPsec VPN High-Availability Alternatives
Solution Overview for Stateful IPsec High Availability
Stateful High Availability Failover Process
Summary
Stateless IPsec VPN High Availability Design Summary
Stateful IPsec VPN High Availability Design Summary
Chapter 7 Solutions for Geographic Site-to-Site High Availability
Geographic IPsec VPN HA with Reverse Route Injection and Multiple IPsec Peers
Solution Overview for RRI with Multiple IPsec Peers
Geographic IPsec VPN High Availability with IPsec+GRE and Encrypted Routing Protocols
Solution Overview for IPsec+GRE with Encrypted Routing Protocols
Dynamic Multipoint Virtual Private Networks
DMVPN Solution Design Drivers
DMVPN Component-Level Overview and System Operation
Summary
Chapter 8 Handling Vendor Interoperability with High Availability
Vendor Interoperability Impact on Peer Availability
The Inability to Specify Multiple Peers
Lack of Peer Availability Mechanisms
Vendor Interoperability Impact on Path Availability
IPSec HA Design Considerations for Platforms with Limited Routing Protocol Support
IPSec HA Design Considerations for Lack of RRI Support
IPSec HA Design Considerations for Lack of Generic Routing Encapsulation (GRE) Support
Vendor Interoperability Design Considerations and Options
Phase 1 and 2 SA Lifetime Expiry
SADB Management with Quick Mode Delete Notify Messages
Invalid Security Parameter Index Recovery
Vendor Interoperability with Stateful IPSec HA
Summary
Chapter 9 Solutions for Remote-Access VPN High Availability
IPsec RAVPN Concentrator High Availability Using Virtual Interfaces for Tunnel Termination
IPsec RAVPN Concentrator High Availability Using VRRP
IPsec RAVPN Concentrator HA Using HSRP
IPsec RAVPN Concentrator HA Using the VCA Protocol
IPsec RAVPN Geographic HA Design Options
VPN Concentrator Session Load Balancing Using DNS
VPN Concentrator Redundancy Using Multiple Peers
Summary
Chapter 10 Further Architectural Options for IPsec
IPsec VPN Termination On-a-Stick
IPsec with Router-on-a-Stick Design Overview
Case Study: Small Branch IPsec VPN Tunnel Termination with NAT On-a-Stick
In-Path Versus Out-of-Path Encryption with IPsec
Out-of-Path Encryption Design Overview
Case Study: Firewalled Site-to-Site IPsec VPN Tunnel Termination
Separate Termination of IPsec and GRE (GRE-Offload)
GRE-Offload Design Overview
Case Study: Large-Scale IPsec VPN Tunnel Termination with GRE Offload
Summary
Part III Advanced Topics
Chapter 11 Public Key Infrastructure and IPsec VPNs
PKI Background
PKI Components
Public Key Certificates
Registration Authorities
Certificate Revocation Lists and CRL Issuers
Certificate Authorities
PKI Cryptographic Endpoints
Life of a Public Key Certificate
RSA Signatures and X.509v3 Certificates
Generating Asymmetric Keypairs on Cryptographic Endpoints
Registration and Endpoint Authentication
Receipt and Authentication of the CA’s Certificate
Forwarding and Signing of Public Keys
Obtaining and Using Public Key Certificates
PKI and the IPSec Protocol Suite–Where PKI Fits into the IPSec model
OCSP and CRL Scalability
OCSP
Case Studies and Sample Configurations
Case Study 1: PKI Integration of Cryptographic Endpoints
Case Study 2: PKI with CA and RA
Case Study 3: PKI with Redundant CAs (CA Hierarchy)
Summary
Chapter 12 Solutions for Handling Dynamically Addressed Peers
Dynamic Crypto Maps
Dynamic Crypto Map Impact on VPN Behavior
Dynamic Crypto Map Configuration and Verification
Tunnel Endpoint Discovery
TED Configuration and Verification
Case Study–Using Dynamic Addressing with Low-Maintenance Small Home Office Deployments
Summary
Appendix A Resources
Books
RFCs
Web and Other Resources
Index