</SELECT>
</font></td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=4//-->
<!--PAGES=139-141//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="136-139.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="141-143.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><FONT SIZE="+1"><B>Encapsulation Security Payload</B></FONT></P>
<P>ESP can provide privacy, integrity, or both using one of two modes. If the entire IP packet is encrypted, and then concatenated to a cleartext version of the IP header before being sent on the network, this is known as <I>tunnel mode</I>. The receiving system uses the decryption key defined by the security association to decrypt the encrypted IP header and packet. Verification of the packet contents depends on successful decryption for privacy or successful hashing for integrity. Privacy for the datagram passed to the IP layer—the data portion of the IP packet—can be implemented separately in <I>transport mode</I>. Because only the datagram from the layer above undergoes cryptographic transformation, and not the IP packet header, performance is improved. Naturally, IPsec is slower than unprotected IP traffic because of the additional path lengths introduced for cryptographic computations and session parameter negotiation. Any packets that do not decrypt properly are dropped. This capability prevents address impersonation attempts.</P>
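As an added illustration of the two ESP modes and the receiver's drop-on-failure rule (example code written for this edition, not from the book), the following Python models an ESP transform keyed by SPI: transport mode wraps a TCP segment, tunnel mode wraps a whole inner IP packet, and any frame whose SPI is unknown or whose integrity value does not verify is dropped. The SA table, keys, and HMAC-derived keystream are constructed stand-ins for the algorithms a real security association would negotiate.

```python
import hashlib
import hmac
import os
import struct

# Constructed SA table keyed by SPI (made-up keys) and the next-header values used below.
SA_TABLE = {0x1001: {"enc": b"\x11" * 32, "auth": b"\x22" * 32}}
NEXT_TCP, NEXT_IPIP = 6, 4    # transport mode carries a TCP segment; tunnel mode an IP packet
ICV_LEN = 12

def _keystream(key, iv, n):
    # HMAC-SHA256 counter keystream: a stdlib stand-in for the SA's cipher, not real ESP crypto.
    blocks = [hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]

def esp_protect(spi, seq, inner, next_hdr):
    # ESP frame: SPI | seq | IV | encrypted(inner | pad-len | next-hdr) | ICV (encrypt-then-MAC).
    sa, iv = SA_TABLE[spi], os.urandom(8)
    plain = inner + bytes([0, next_hdr])      # pad-len 0 (no padding in this toy), next header
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(sa["enc"], iv, len(plain))))
    body = struct.pack(">II", spi, seq) + iv + ct
    return body + hmac.new(sa["auth"], body, hashlib.sha256).digest()[:ICV_LEN]

def esp_unprotect(frame):
    # Receiver: look up the SA by SPI, verify the ICV, then decrypt. None means "drop the packet".
    if len(frame) < 18 + ICV_LEN:
        return None
    sa = SA_TABLE.get(struct.unpack(">I", frame[:4])[0])
    if sa is None:
        return None                           # no security association for this SPI
    body, icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(sa["auth"], body, hashlib.sha256).digest()[:ICV_LEN]):
        return None                           # integrity check failed
    iv, ct = body[8:16], body[16:]
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(sa["enc"], iv, len(ct))))
    pad_len, next_hdr = plain[-2], plain[-1]
    return next_hdr, plain[:len(plain) - 2 - pad_len]

def demo():
    # Transport mode protects only the upper-layer segment; tunnel mode protects a whole inner
    # IP packet, which the real protocol then prefixes with a fresh outer IP header.
    segment = b"TCP segment (constructed)"
    inner_ip = b"\x45" + b"\x00" * 19 + segment          # toy 20-byte IPv4 header + segment
    transport = esp_protect(0x1001, 1, segment, NEXT_TCP)
    tunnel = esp_protect(0x1001, 2, inner_ip, NEXT_IPIP)
    flipped = transport[:20] + bytes([transport[20] ^ 1]) + transport[21:]   # one ciphertext bit
    return {"transport": esp_unprotect(transport), "tunnel": esp_unprotect(tunnel),
            "tampered": esp_unprotect(flipped),
            "unknown_spi": esp_unprotect(struct.pack(">I", 0x9999) + transport[4:])}
```

`demo()` returns the decrypted (next-header, payload) pairs for both modes and `None` for the tampered and unknown-SPI frames, which is the behaviour the paragraph describes for packets that fail to decrypt.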
<H3><A NAME="Heading20"></A><FONT COLOR="#000077">Supporting Protocols for IP</FONT></H3>
<P>A number of other protocols are useful in the IP model. The three most important—ARP, DNS, and RIP—are briefly discussed in the following sections.
</P>
<H4 ALIGN="LEFT"><A NAME="Heading21"></A><FONT COLOR="#000077">Address Resolution Protocol (ARP)</FONT></H4>
<P>Network communications ultimately occur at a layer below IP. The network adapters have unique physical addresses that are needed to deliver the packets between network nodes. A mapping is needed between the conceptual address of IP and the physical address of the adapter. When the Ethernet device driver receives an IP packet for delivery, it sends out a special broadcast packet containing the destination IP address of the IP packet. As part of the behavior of a correctly implemented device driver, a node whose IP address matches sends back a reply with the physical address of its Ethernet adapter. The original node now encapsulates the IP packet into an Ethernet packet and uses the newly found Ethernet address as the target. This is essentially how ARP works. Different network device drivers might implement ARP using something other than a broadcast, but this is only a slight difference.</P>
<P>Most nodes cache results from ARP broadcasts for performance. Earlier ARP cache implementations would accept unsolicited ARP replies and update their caches, so a forged reply could plant a false mapping. This form of address impersonation occurs at the physical layer instead of the IP layer. Indeed, nothing in the ARP protocol provides strong authentication. An impostor can respond with an ARP reply before the true owner and consequently spoof the requesting node. For the impersonation to succeed, the real owner of the IP address must be disabled or at least significantly hindered so that it cannot respond to network messages.</P>
<P>Note that address impersonation at this layer and at the IP layer has beneficial value, too. For cluster or high-availability environments, it is sometimes necessary for one node to impersonate the address of another to support a fail-over relationship. Controlled impersonation like this is unlikely to be configured across insecure networks, though.</P>
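To make the cache behaviour concrete, the following constructed Python model (added here, not from the book) replays the same ARP traffic through an older cache that accepts unsolicited replies and through a hardened one that learns only from answers to its own requests and reports a conflicting second answer instead of overwriting the first. The addresses, MACs and record format are made up for the example.

```python
from collections import namedtuple

# Constructed ARP summary records: only the fields the cache logic needs.
Arp = namedtuple("Arp", "op sender_ip sender_mac target_ip")


class ArpCache:
    # Constructed model of an ARP cache. accept_unsolicited=True reproduces the older
    # behaviour the text describes; False learns only from answers to this node's own
    # requests and reports a second, conflicting answer instead of overwriting.
    def __init__(self, accept_unsolicited=False):
        self.accept_unsolicited = accept_unsolicited
        self.table = {}         # ip -> mac
        self.pending = set()    # ips this node has asked about
        self.alerts = []

    def send_request(self, ip):
        self.pending.add(ip)

    def observe(self, pkt):
        if pkt.op != "reply":
            return
        if pkt.sender_ip not in self.pending and not self.accept_unsolicited:
            self.alerts.append(("unsolicited_reply", pkt.sender_ip, pkt.sender_mac))
            return
        known = self.table.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            self.alerts.append(("conflicting_reply", pkt.sender_ip, known, pkt.sender_mac))
            if not self.accept_unsolicited:
                return          # keep the first answer; leave the conflict for an operator
        self.table[pkt.sender_ip] = pkt.sender_mac


def run_scenario(accept_unsolicited):
    # Constructed traffic: the true owner of 10.0.0.1 answers a request, a second host
    # answers the same request, and a third host replies for 10.0.0.2 without being asked.
    cache = ArpCache(accept_unsolicited)
    cache.send_request("10.0.0.1")
    traffic = [
        Arp("reply", "10.0.0.1", "00:11:22:33:44:01", "10.0.0.50"),
        Arp("reply", "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.50"),
        Arp("reply", "10.0.0.2", "de:ad:be:ef:00:02", "10.0.0.50"),
    ]
    for pkt in traffic:
        cache.observe(pkt)
    return cache.table, cache.alerts
```

Running `run_scenario(True)` shows the older cache ending up with the second host's MAC for 10.0.0.1 and an unrequested entry for 10.0.0.2; `run_scenario(False)` keeps the first answer and raises two alerts instead.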
<H4 ALIGN="LEFT"><A NAME="Heading22"></A><FONT COLOR="#000077">Domain Name System (DNS)</FONT></H4>
<P>Dotted decimal addresses are paired with more semantically meaningful names by pairing each octet with an alphanumeric string. The address 198.29.36.126 could be referred to as webserver1.boulder.ibm.com. The association between octets and string names is actually inverted, but this is not an important security issue. Like the decimal addresses, domain names are assigned by a registration authority. DNS is a protocol that is used to manage lookups for converting between dotted decimal and domain name versions of an address. Because the Internet depends heavily on this capability, a group of hierarchically related, tightly controlled <I>nameservers</I> populates the Internet. Each nameserver is responsible for names without a fixed domain but can request name resolution from other nameservers to which it is connected. DNS also defines a protocol for how nameservers communicate and receive updates to their universe of names, or <I>namespace</I>. Each nameserver is identified by one or more IP addresses.</P>
<P>Now that you know you can impersonate IP addresses, you can see that spoofing a nameserver can lead to serious consequences on the Internet. By feeding fake information to a nameserver or by impersonating the nameserver itself, you can intercept and forge traffic for arbitrary nodes. Frequent impersonation attacks against nameservers forced many changes to the programs used to implement DNS, most notably the <I>bind</I> program. Today, most nameservers on the Internet have been upgraded to avoid known attacks, but new threats are sure to arise. Luckily, the maintainer of <I>bind</I> is very responsive and has provided timely fixes to security problems. A good review of DNS is given in Bellovin (1995).</P>
<P>A proposed standard for secure, authenticated DNS has been implemented for some nameservers on the Internet. Trusted Information Systems is a leading vendor in this effort. Secure DNS is achieved by using cryptographic protocols for message exchanges between nameservers. Implementations can be found on the Internet. More details on DNS and how to administer it are available in Link (1995).</P>
<H4 ALIGN="LEFT"><A NAME="Heading23"></A><FONT COLOR="#000077">Routing Interchange Protocol (RIP)</FONT></H4>
<P>Like ARP and DNS, RIP is used to provide message delivery information on the Internet or in private networks. Instead of helping to locate the target of a message, RIP is used to find the best route for a message to travel. RIP suffers from the same problems as insecure DNS in that RIP depends only on the source IP address for I&A of the message. A secure version of RIP is also available.
</P><P><BR></P>
<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- BEGIN SUB FOOTER -->
<br><br>
</TD>
</TR>
</TABLE>
<table width="640" border=0 cellpadding=0 cellspacing=0>
<tr>
<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
<!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- FOOTER -->
<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a> | <a href="/contactus.html"><font color="#006666">Contact Us</font></a> | <a href="/aboutus.html"><font color="#006666">About Us</font></a> | <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> | <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> | <a href="/"><font color="#006666">Home</font></a></b>
<br><br>
Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
</tr>
</table>
</BODY>
</HTML>
<!-- END FOOTER -->