IPsec and IKE
IPsec is a security framework for securing IP communications. It is a Layer 3 VPN technology mainly
for data encryption and data origin authentication.
IKE provides automatic negotiation of security parameters for IPsec, simplifying the configuration and
maintenance of IPsec. Security parameters for IKE negotiation include authentication and encryption
algorithms, authentication and encryption keys, IP packet encapsulation modes (tunnel mode and
transport mode), and key lifetime.
SSL and SSL VPN
SSL is a security protocol that provides secure connection services for TCP-based application layer
protocols by using the public key mechanism and digital certificates. SSL is independent of the
application layer protocol, so an application layer protocol can use a secure connection provided by
SSL without knowing SSL information. A common application is HTTPS—HTTP over SSL or HTTP
Secure.
SSL VPN is a VPN technology based on SSL. It works between the transport layer and the
application layer. SSL VPN has been widely used for secure, remote Web-based access. For
example, it can allow remote users to access the corporate network securely.
SSH
SSH is a network security protocol implementing secure remote login and file transfer over an
insecure network. Using encryption and authentication, SSH protects devices against attacks such
as IP spoofing and plaintext password interception.
Firewall and connection control
ACL-based packet filter
An ACL packet filter implements IP packet-specific filtering.
Before forwarding an IP packet, the device obtains the following header information:
• Number of the upper layer protocol carried by the IP layer
• Source address
• Destination address
• Source port number
• Destination port number
The device compares the header information against the preset ACL rules and processes (discards or
forwards) the packet based on the comparison result.
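The packet-filter procedure above, as an added example that is not part of the original guide or any vendor implementation: it reads the five header fields from a raw IPv4 packet, walks an ordered rule list (first match wins) and falls back to a default action. Rule fields, addresses and the test packets are constructed for the example.

```python
import struct
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: Optional[int]  # IP protocol number carried by the IP layer; None = any
    src: Optional[str]    # exact source address; None = any
    dst: Optional[str]    # exact destination address; None = any
    sport: Optional[int]  # source port; None = any
    dport: Optional[int]  # destination port; None = any

FIELDS = ("proto", "src", "dst", "sport", "dport")

def parse_header(pkt: bytes) -> dict:
    """Extract the five fields the device compares against the ACL (IPv4 only)."""
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes; L4 header starts here
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport = dport = None
    if proto in (6, 17):  # TCP or UDP: ports are the first two 16-bit words of the L4 header
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def filter_packet(pkt: bytes, rules: List[Rule], default: str = "deny") -> str:
    """Return the action of the first rule whose set fields all match the packet."""
    hdr = parse_header(pkt)
    for rule in rules:
        if all(getattr(rule, f) is None or getattr(rule, f) == hdr[f] for f in FIELDS):
            return rule.action
    return default  # no rule matched: apply the default action (deny is the safe choice)

def build_ipv4(proto: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed test packet: 20-byte IPv4 header plus a minimal L4 header (no checksums)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, src_b, dst_b)
    return ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

# Constructed ACL: block one host, then allow HTTPS to the web server and DNS to the resolver.
RULES = [
    Rule("deny", 6, "192.0.2.7", None, None, None),
    Rule("permit", 6, None, "10.0.0.5", None, 443),
    Rule("permit", 17, None, "10.0.0.53", None, 53),
]
```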
ASPF
An ASPF implements status-based packet filtering, and provides the following functions:
• Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks a
TCP/UDP packet's source and destination addresses and port numbers to determine whether
to permit the packet to pass through the firewall into the internal network.
• Application layer protocol inspection—ASPF checks application layer information for
packets, such as the protocol type and port number, and monitors the application layer protocol
status for each connection. ASPF maintains status information for each connection, and based
on status information, determines whether to permit a packet to pass through the firewall into
the internal network, thus defending the internal network against attacks.
ASPF also supports other security functions, such as port-to-application mapping, Java blocking,
ActiveX blocking, ICMP error message inspection, and first-packet inspection for TCP connections.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide
the network with a security policy that is more comprehensive and better satisfies the actual needs.