Setting Up the Policy
In this section we walk through the steps required to set up a policy for IPSec.

The first step is to set up the policy for phase I of the IKE negotiation. This policy can be global (the same phase I policy is used for all peers), specific to a host or network prefix, or specific to a domain. The following attributes have to be set up for phase I:

  • Phase I mode: main or aggressive. Main mode protects the identities of the peers; aggressive mode completes in fewer messages but sends the identities in the clear.

  • Protection suite(s): the encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group, and SA lifetime that the peer may offer or accept, listed in order of preference.

Once the phase I policy is set up, IKE is ready for phase II, where it negotiates the security services afforded to the IP packets of each flow. The following attributes can be defined:

  • The selectors that identify a flow: source and destination address or prefix, protocol, and ports. The granularity ranges from very coarse to very fine-grained: one policy for all packets at one end of the spectrum, a different policy for each flow belonging to a particular identity at the other.

  • The security attributes for each flow: the protocols (AH, ESP, or both), their modes (transport or tunnel), the transforms they should use, and attributes of those transforms such as lifetime and replay window.

  • The action (secure, drop, or pass) to be taken for each flow.

Together, the phase I and phase II policies govern the security services afforded to IP packets originating from or destined to the network, domain, or host. IPSec provides a very rich set of options. The drawback of such richness is that setting up and negotiating policy becomes complicated. When two entities negotiate a set of options, or choose from one, they must speak the same language: they must attach the same meaning to the values carried in the protocol headers. The values two entities should use to negotiate security parameters are described in the IPSec DOI (see Chapter 7), which consolidates the options and values for phase II negotiation. Any policy system should support all the options described in that document.
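The policy model described above, as an added worked example (not code from the book): a small Python model of a security policy database holding phase I protection suites, phase II selectors of varying granularity, per-flow security attributes, and the secure/drop/pass action, together with the first-acceptable-proposal rule a responder applies when two peers must agree on a suite. All class names, the sample SPD, the addresses and the algorithm choices are constructed for illustration and are not taken from the text.

```python
"""Toy model of an IPSec policy: IKE phase I protection suites, phase II selectors,
per-flow security attributes and actions, and the first-acceptable-proposal rule a
responder applies.  Written for this page, not taken from the book; all names,
addresses and algorithm choices are constructed."""
from dataclasses import dataclass, fields
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Phase1Suite:
    """One phase I protection suite (the SA attributes of RFC 2409)."""
    encryption: str    # e.g. "3DES-CBC"
    hash_alg: str      # e.g. "SHA1"
    auth: str          # "psk" or "rsa-sig"
    dh_group: int      # e.g. 2 = 1024-bit MODP
    lifetime: int      # seconds


@dataclass(frozen=True)
class Phase2Suite:
    """Security attributes negotiated in phase II for one flow."""
    protocol: str       # "ESP" or "AH"
    mode: str           # "tunnel" or "transport"
    transform: str      # e.g. "3DES-CBC/HMAC-SHA1-96"
    lifetime: int       # seconds
    replay_window: int  # packets


def negotiate(proposals, acceptable, fixed):
    """Return the first initiator proposal the responder also accepts, or None.

    Attributes named in `fixed` (algorithms, mode, DH group) must agree exactly;
    the remaining numeric ones (lifetime, replay window) settle on the smaller
    value, as a responder does when it shortens an offered lifetime.  The
    initiator's order expresses its preference; the responder picks exactly one."""
    for prop in proposals:
        for acc in acceptable:
            if all(getattr(prop, f) == getattr(acc, f) for f in fixed):
                agreed = {f.name: getattr(prop, f.name) if f.name in fixed
                          else min(getattr(prop, f.name), getattr(acc, f.name))
                          for f in fields(prop)}
                return type(prop)(**agreed)
    return None


def negotiate_phase1(init_mode, init_suites, resp_mode, resp_suites):
    """Phase I fails outright if the peers disagree on main vs. aggressive mode."""
    if init_mode != resp_mode:
        return None
    return negotiate(init_suites, resp_suites, ("encryption", "hash_alg", "auth", "dh_group"))


@dataclass(frozen=True)
class Selector:
    """Phase II selector.  /32 names a host, /0 matches everything, None means
    'any' protocol or port: the coarse-to-fine spectrum of the text."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None    # IP protocol number (6 = TCP, 17 = UDP)
    dport: Optional[range] = None  # destination port range

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") in self.dport))


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str            # "secure", "drop" or "pass"
    proposals: tuple = ()  # ordered phase II suites, used only when action == "secure"


def lookup(spd, pkt):
    """Ordered first-match search.  A fine-grained entry must precede any coarse
    entry that also covers its traffic, or it is never reached.  A packet that
    matches nothing is dropped, the safe default for a security gateway."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry
    return SPDEntry(Selector(), "drop")


# Constructed sample policy for a gateway in front of 10.0.0.0/8, finest entries first.
ESP_TUNNEL_SHA = Phase2Suite("ESP", "tunnel", "3DES-CBC/HMAC-SHA1-96", 3600, 64)
ESP_TUNNEL_MD5 = Phase2Suite("ESP", "tunnel", "3DES-CBC/HMAC-MD5-96", 3600, 64)
SPD = (
    # SSH to the management host: its own SA, short lifetime, small replay window.
    SPDEntry(Selector(dst="10.0.0.1/32", proto=6, dport=range(22, 23)), "secure",
             (Phase2Suite("ESP", "tunnel", "3DES-CBC/HMAC-SHA1-96", 600, 32),)),
    # All traffic from the branch-office prefix: SHA1 preferred, MD5 offered as fallback.
    SPDEntry(Selector(src="192.0.2.0/24", dst="10.0.0.0/8"), "secure",
             (ESP_TUNNEL_SHA, ESP_TUNNEL_MD5)),
    # DNS to the resolver passes in the clear.
    SPDEntry(Selector(dst="10.0.0.53/32", proto=17, dport=range(53, 54)), "pass"),
    # Explicit default: everything else is dropped.
    SPDEntry(Selector(), "drop"),
)
# Constructed phase I policies: ours offers two suites in preference order, the peer accepts one.
OUR_PHASE1 = (Phase1Suite("3DES-CBC", "SHA1", "rsa-sig", 2, 28800),
              Phase1Suite("3DES-CBC", "MD5", "psk", 2, 28800))
PEER_PHASE1 = (Phase1Suite("3DES-CBC", "MD5", "psk", 2, 3600),)
```

With these constructed inputs, `negotiate_phase1("main", OUR_PHASE1, "main", PEER_PHASE1)` settles on the MD5/PSK suite with the peer's shorter 3600 s lifetime, and returns None if one side insists on aggressive mode. `lookup(SPD, pkt)` returns the pass entry for a UDP/53 packet to 10.0.0.53 but falls through to the final drop entry for the same destination over TCP, which is the ordering caveat the text's coarse-to-fine spectrum implies: the selectors are tried in order, so the fine entries must be listed first.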

IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 2nd Edition
ISBN: 013046189X
Year: 2004