Deployment


So far, we have discussed the capabilities a policy system should provide and how policy may be represented, stored, and managed. In this section, we discuss some of the deployment issues: node-level and domain-level security, gateway traversal, and some of the problems that arise in policy configuration.

As IPSec provides end-to-end security and can be used to build intranets and VPNs, it is desirable to be able to configure security at both the node level and the domain level. Node-level security was discussed in previous sections; the advantages of domain-level security are discussed here. In the networking world, a domain normally refers to a routing domain. A routing domain is delimited by a set of routers, which implies that any packet leaving the domain has to pass through one of those routers. It is possible, to a certain extent, to control which routers a particular packet traverses. However, if there is more than one exit point from an organization, it is difficult for a host to control which router its traffic exits through, particularly if a link goes down. Under these circumstances, defining a domain-level policy and distributing it to all the border routers is extremely important. If all the border routers share the same policy, the security service afforded to a flow is the same irrespective of the border router through which the packet exits or enters the domain.

Policy incompatibility is an issue in policy configuration. Two domains that need to talk securely may each configure their policy such that the intersection of the two policies is the empty set. Consider the network shown in Figure 8.2.

Figure 8.2. Configuring policy between domains.


RA and RB are the edge routers for domains A and B, respectively. RA is configured such that all packets destined to domain B are secured by ESP in tunnel mode using 3DES. However, RB is configured such that all packets it receives from domain A must be protected by ESP in tunnel mode using DES. In this case, the two domains never get to talk to each other, because IKE negotiation never succeeds: there is no protection suite acceptable to both sides.
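The following is an added example, not code from the book: a small Python model of the policy half of the negotiation between RA and RB, plus the domain-level consistency check described above. The proposal ordering, the `GatewayPolicy` structure and the corrected RB policy are assumptions of this model, not IPSec or IKE wire formats.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Proposal:
    """One IPsec protection suite a gateway is willing to use."""
    protocol: str  # "ESP" or "AH"
    mode: str      # "tunnel" or "transport"
    cipher: str    # e.g. "DES", "3DES"


@dataclass(frozen=True)
class GatewayPolicy:
    """Policy a border router applies to traffic exchanged with a peer domain.
    Proposals are ordered: an initiator offers them in preference order."""
    router: str
    peer_domain: str
    proposals: tuple  # tuple of Proposal


def negotiate(initiator: GatewayPolicy, responder: GatewayPolicy) -> Optional[Proposal]:
    """Model the policy half of an IKE exchange: the responder accepts the first
    offered proposal that is also in its own policy. None means the two policies
    have an empty intersection, so no SA can be established."""
    acceptable = set(responder.proposals)
    for offer in initiator.proposals:
        if offer in acceptable:
            return offer
    return None


def border_routers_consistent(policies: Iterable[GatewayPolicy]) -> bool:
    """Domain-level check: every border router of a domain must hold the same
    proposal list, so a flow's protection does not depend on its exit router."""
    return len({p.proposals for p in policies}) <= 1


# Constructed configuration mirroring Figure 8.2 (hypothetical values).
ESP_TUNNEL_3DES = Proposal("ESP", "tunnel", "3DES")
ESP_TUNNEL_DES = Proposal("ESP", "tunnel", "DES")

RA = GatewayPolicy("RA", "B", (ESP_TUNNEL_3DES,))
RB = GatewayPolicy("RB", "A", (ESP_TUNNEL_DES,))
# Corrected RB (assumed fix): also accepts 3DES, so the policies now overlap.
RB_FIXED = GatewayPolicy("RB", "A", (ESP_TUNNEL_3DES, ESP_TUNNEL_DES))

if __name__ == "__main__":
    print("RA -> RB:", negotiate(RA, RB))              # None: empty intersection
    print("RA -> RB_FIXED:", negotiate(RA, RB_FIXED))  # ESP tunnel 3DES
    RA2 = GatewayPolicy("RA2", "B", (ESP_TUNNEL_DES,))  # second, misconfigured exit
    print("domain A consistent:", border_routers_consistent([RA, RA2]))  # False
```

Running `border_routers_consistent` over the real exported policies of every border router is the check that catches the multi-exit problem the text describes before a link failure exposes it.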

IPSec(c) The New Security Standard for the Internet, Intranets, and Virtual Private Networks
IPSec (2nd Edition)
ISBN: 013046189X
Year: 2004
Pages: 76
