DOCSLIB.ORG

Additional AIX Security Tools on IBM Pseries, IBM RS/6000, and SP/Cluster

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Additional AIX Security Tools on IBM Pseries, IBM RS/6000, and SP/Cluster Additional AIX Security Tools on IBM pSeries, IBM RS/6000, and SP/Cluster Customize the security of your pSeries systems Explore IBM, non-IBM, and freeware security tools Learn new approaches to security Abbas Farazdel Marc Genty Bruno Kerouanton Chune Keat Khor ibm.com/redbooks SG24-5971-00 International Technical Support Organization Additional AIX Security Tools on IBM ^ pSeries, IBM RS/6000, and SP/Cluster December 2000 Take Note! Before using this information and the product it supports, be sure to read the general information in Appendix D, “Special notices” on page 211. First Edition (December 2000) This edition applies to AIX 4.3.3. Comments may be addressed to: IBM Corporation, International Technical Support Organization Dept. JN9B Mail Station P099 2455 South Road Poughkeepsie, NY 12601-5400 When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you. © Copyright International Business Machines Corporation 2000. All rights reserved. Note to U.S Government Users – Documentation related to restricted rights – Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp. Contents Preface...................................................vii The team that wrote this redbook. ..................................viii Commentswelcome..............................................ix Chapter 1. Introduction ......................................1 1.1Securityframework-Overview...............................1 1.2 Security framework - Planning . ............................3 1.3Securityframework-Architecture.............................6 1.4Securityframework-Implementation..........................7 1.5Securityframework-Monitoring..............................8 1.6 Security framework - Incident response . ......................10 1.7Nextsteps.............................................12 Chapter 2. Firewalls ........................................13 2.1 Misconceptions about firewalls . ...........................13 2.2Typesoffirewalls........................................15 2.2.1Staticpacketfilterfirewalls.............................15 2.2.2Circuitlevelfirewalls..................................15 2.2.3Applicationlayer(proxy)firewalls........................16 2.2.4Dynamicpacketfilterfirewalls..........................16 2.2.5Comparisonbetweenthedifferenttypes...................16 2.3Firewalldesigns.........................................17 2.3.1Basicfirewalldesign..................................17 2.3.2 Firewalls with demilitarized zone (DMZ) . ................18 2.3.3Compartmentalizedfirewallenvironmentdesign.............21 2.4Securingfirewalls........................................24 2.5FirewallsonAIX.........................................24 Chapter 3. Check Point FireWall-1.............................25 3.1FireWall-1features.......................................25 3.2ComplementarysoftwareforFireWall-1.......................26 3.3SecuringFireWall-1......................................27 3.3.1 Closing vulnerabilities during system startup ...............28 3.3.2 Managing FireWall-1 logs . ...........................29 3.3.3SecuringFireWall-1defaultconfigurations.................29 3.3.4Creatingausefulrulebase.............................34 3.3.5 Viewing connections. .................................36 3.3.6 Enabling other defense mechanisms .....................37 3.4ListofportsthatCheckPointFireWall-1uses..................43 © Copyright IBM Corp. 2000 iii Chapter 4. IBM Secureway Firewall ............................47 4.1IBMSecurewayFirewallfeatures............................47 4.2ComplimentarysoftwareforIBMSecurewayFirewall.............48 4.3 Firewall hardening . ......................................49 4.4NetworkSecurityAuditor(NSA).............................49 4.4.1 Installing NSA. ......................................49 4.4.2UsingNSA.........................................50 4.4.3InterpretingNSAoutput...............................51 Chapter 5. Secure remote access .............................59 5.1SecureShell(ssh).......................................59 5.1.1ObtainingSSH......................................61 5.1.2DifferencebetweenSSH1andSSH2.....................62 5.1.3KeyconceptsofSSH.................................62 5.1.4 Installing OpenSSH on AIX. ...........................65 5.1.5 OpenSSH using SSH1 ................................68 5.1.6 OpenSSH using SSH2 ................................71 5.1.7 Other interesting SSH daemon configuration options .........75 5.1.8 SSH2 interoperability between OpenSSH and SSH.Com . .....76 5.1.9SSHclientsforthePC................................76 5.1.10ImplicationsofhavingSSH............................77 5.1.11AlternativestoSSH.................................77 5.2 TCP Wrapper ...........................................77 5.2.1 Obtaining and installing TCP Wrapper ....................78 5.2.2 Configuring TCP Wrapper. ...........................79 5.2.3 Additional TCP Wrapper security features . ................82 Chapter 6. Port and network scanning .........................83 6.1fping..................................................84 6.1.1 Obtaining and installing fping ...........................85 6.1.2Usingfping.........................................86 6.1.3 Protection against ping sweeps . ......................88 6.2 Network Mapper (NMAP) . .................................89 6.2.1 Obtaining and installing nmap...........................90 6.2.2Nmapusage........................................92 6.2.3 Protection against port scanners . ......................94 6.3SecurityAdministrator'sIntegratedNetworkTool(SAINT).........94 6.3.1 Obtaining and installing SAINT ..........................95 6.3.2UsingSAINT........................................98 6.4PortSentry.............................................98 6.4.1 Obtaining and installing PortSentry. ......................99 6.4.2DefenseprovidedbyPortSentry........................103 6.5ListOpenFiles(lsof)....................................103 iv Additional Security Tools for AIX Systems 6.5.1 Installing lsof . .....................................104 6.5.2Usinglsof.........................................105 6.6Intrusiondetection......................................106 Chapter 7. System and data integrity .........................109 7.1Tripwire..............................................110 7.1.1 Obtaining and installing Tripwire. .....................111 7.1.2ConfiguringandusingTripwire.........................112 7.1.3ConfiguringTripwire.................................114 7.1.4Commentsonconfiguration...........................118 7.1.5 When should Tripwire be run ..........................118 7.1.6AlternativestoTripwire...............................119 7.2 John the Ripper . .....................................119 7.2.1 Obtaining and installing John the Ripper . ...............120 7.2.2 Configuring John the Ripper . ..........................121 7.2.3 Using John the Ripper ...............................122 7.3PrettyGoodPrivacy(PGP)................................124 7.3.1PGPbasics.......................................124 7.3.2 Obtaining and installing PGP ..........................126 7.3.3UsingPGP........................................127 7.3.4Protectingyourprivatekey............................134 7.4MD5.................................................134 7.4.1 Ensuring the integrity of downloads .....................136 Chapter 8. Securing AIX....................................139 8.1Overview.............................................140 8.2 Step 1: Remove unnecessary services. .....................141 8.2.1Removingentriesfrom/etc/inittab......................142 8.2.2Removingentriesfrom/etc/rc.tcpip.....................144 8.2.3Removingentriesfrom/etc/inetd.conf....................148 8.3Step2:Tightenconfigurationsofremainingservices............153 8.3.1DomainNameSystem(DNS)..........................153 8.3.2NetworkFileSystemandNetworkInformationService.......168 8.3.3SimpleMailTransferProtocol(SMTP)...................175 8.3.4 Simple Network Management Protocol (SNMP) . ..........180 8.3.5TrivialFileTransferProtocol(TFTP).....................181 8.3.6SecuringX11......................................182 8.3.7FileTransferProtocol(ftp)............................184 8.3.8ProtectingTCPservicesusingSOCKS...................186 8.4 Step 3: Set proper network (no) options . .....................186 8.4.1SYNattackprotection................................187 8.4.2 Broadcast protection. ................................187 8.4.3IProutingoptions...................................188 v 8.5 Step 4: Tighten up user accounts . ..........................189 8.5.1 Removing unnecessary default accounts . ...............189 8.5.2Settinguserattributes...............................190 8.5.3Securingroot......................................192 8.5.4Otherattributes....................................193 8.6Step5:Setupstrongpasswordpolicy.......................194 8.6.1Modifyinguserpasswordattributes......................194 8.6.2Passwordcrackerutility..............................197 8.7 Step 6: Install additional security tools . .....................197 8.8 Step 7: Monitor logs, audit trails, and system behavior . ..........200 8.8.1Monitorsystemlogs.................................201 8.8.2 Enable auditing.....................................201 8.8.3Monitorfilesanddirectories...........................202 8.8.4Monitorcronandatjobs..............................203
Load more

Recommended publications
  • Red Hat Enterprise Linux 3 Security Guide
    Red Hat Enterprise Linux 3 Security Guide Red Hat Enterprise Linux 3: Security Guide Copyright © 2003 by Red Hat, Inc. Red Hat, Inc. 1801 Varsity Drive Raleigh NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park NC 27709 USA rhel-sg(EN)-3-Print-RHI (2003-07-25T17:12) Copyright © 2003 by Red Hat, Inc. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder. Red Hat, Red Hat Network, the Red Hat "Shadow Man" logo, RPM, Maximum RPM, the RPM logo, Linux Library, PowerTools, Linux Undercover, RHmember, RHmember More, Rough Cuts, Rawhide and all Red Hat-based trademarks and logos are trademarks or registered trademarks of Red Hat, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. Motif and UNIX are registered trademarks of The Open Group. XFree86 is a trademark of The XFree86 Project, Inc, and is pending registration. Intel and Pentium are registered trademarks of Intel Corporation. Itanium and Celeron are trademarks of Intel Corporation. AMD, Opteron, Athlon, Duron, and K6 are registered trademarks of Advanced Micro Devices, Inc.
    [Show full text]
  • Abstract Introduction Methodology
    Kajetan Hinner (2000): Statistics of major IRC networks: methods and summary of user count. M/C: A Journal of Media and Culture 3(4). <originally: http://www.api-network.com/mc/0008/count.html> now: http://www.media-culture.org.au/0008/count.html - Actual figures and updates: www.hinner.com/ircstat/ Abstract The article explains a successful approach to monitor the major worldwide Internet Relay Chat (IRC) networks. It introduces a new research tool capable of producing detailed and accurate statistics of IRC network’s user count. Several obsolete methods are discussed before the still ongoing Socip.perl program is explained. Finally some IRC statistics are described, like development of user figures, their maximum count, IRC channel figures, etc. Introduction Internet Relay Chat (IRC) is a text-based service, where people can meet online and chat. All chat is organized in channels which a specific topic, like #usa or #linux. A user can be taking part in several channels when connected to an IRC network. For a long time the only IRC network has been EFnet (Eris-Free Network, named after its server eris.berkeley.edu), founded in 1990. The other three major IRC networks are Undernet (1993), DALnet (1994) and IRCnet, which split off EFnet in June 1996. All persons connecting to an IRC network at one time create that IRC network’s user space. People are constantly signing on and off, the total number of users ever been to a specific IRC network could be called social space of that IRC network. It is obvious, that the IRC network’s social space by far outnumbers its user space.
    [Show full text]
  • A Ballista Retrospective
    Software Robustness Testing A Ballista Retrospective Phil Koopman [email protected] http://ballista.org With contributions from: Dan Siewiorek, Kobey DeVale John DeVale, Kim Fernsler, Dave Guttendorf, Nathan Kropp, Jiantao Pan, Charles Shelton, Ying Shi Institute for Complex Engineered Systems Overview Introduction • APIs aren’t robust (and people act as if they don’t want them to be robust!) Top 4 Reasons people give for ignoring robustness improvement • “My API is already robust, especially for easy problems” (it’s probably not) • “Robustness is impractical” (it is practical) • “Robust code will be too slow” (it need not be) • “We already know how to do it, thank you very much” (perhaps they don’t) Conclusions • The big future problem for “near-stationary” robustness isn’t technology -- it is awareness & training 2 Ballista Software Testing Overview SPECIFIED INPUT RESPONSE BEHAVIOR SPACE SPACE ROBUST SHOULD VAL I D OPERATION WORK INPUTS MO DULE REPRODUCIBLE UNDEFINED UNDER FAILURE TEST SHOULD INVALID INPUTS UNREPRODUCIBLE RETURN FAILURE ERROR Abstracts testing to the API/Data type level • Most test cases are exceptional • Test cases based on best-practice SW testing methodology 3 Ballista: Test Generation (fine grain testing) Tests developed per data type/subtype; scalable via composition 4 Initial Results: Most APIs Weren’t Robust Unix & Windows systems had poor robustness scores: • 24% to 48% of intentionally exceptional Unix tests yielded non-robust results • Found simple “system killer” programs in Unix, Win 95/98/ME, and WinCE
    [Show full text]
  • Porte TCP/IP 19/09/2021
    1 MarkOne Tools Porte TCP/IP 19/09/2021 1 PORTS 0F TCP/IP Protocols and Services Introduction The port numbers are divided into three ranges: the Well Known Ports: are those from 0 through 1023. DCCP Well Known ports SHOULD NOT be used without IANA registration. The registration procedure is defined in [RFC4340], Section 19.9. the Registered Ports: are those from 1024 through 49151. DCCP Registered ports SHOULD NOT be used without IANA registration. The registration procedure is defined in [RFC4340], Section 19.9. the Dynamic and/or Private Ports: are those from 49152 through 65535 PLEASE NOTE THE FOLLOWING: 1. UNASSIGNED PORT NUMBERS SHOULD NOT BE USED. THE IANA WILL ASSIGN THE NUMBER FOR THE PORT AFTER YOUR APPLICATION HAS BEEN APPROVED. 2. ASSIGNMENT OF A PORT NUMBER DOES NOT IN ANY WAY IMPLY AN ENDORSEMENT OF AN APPLICATION OR PRODUCT, AND THE FACT THAT NETWORK TRAFFIC IS FLOW- ING TO OR FROM A REGISTERED PORT DOES NOT MEAN THAT IT IS "GOOD" TRAFFIC. FIREWALL AND SYSTEM ADMINISTRATORS SHOULD CHOOSE HOW TO CONFIGURE THEIR SYSTEMS BASED ON THEIR KNOWLEDGE OF THE TRAFFIC IN QUESTION, NOT WHETHER THERE IS A PORT NUMBER REGISTERED OR NOT. Socket: è costituito dal concatenamento di un indirizzo IP con il numero di porta di una specifica applicazione (p.es. 10.65.10.13:2001) TCP/IP protocols Port Name Alias 0 IP IP 1 icmp ICMP 3 ggp GGP 6 tcp TCP 8 egp EGP 12 pup PUP 17 udp UDP 20 hmp HMP 22 xns-idp XNS-IDP 27 rdp RDP 66 rvd RVD 1 last updated 2007-01-24 2 MarkOne Tools Porte TCP/IP 19/09/2021 WELL KNOWN PORT NUMBERS The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
    [Show full text]
  • Introduction to UNIX What Is UNIX? Why UNIX? Brief History of UNIX Early UNIX History UNIX Variants
    What is UNIX? A modern computer operating system Introduction to UNIX Operating system: “a program that acts as an intermediary between a user of the computer and the computer hardware” CS 2204 Software that manages your computer’s resources (files, programs, disks, network, …) Class meeting 1 e.g. Windows, MacOS Modern: features for stability, flexibility, multiple users and programs, configurability, etc. *Notes by Doug Bowman and other members of the CS faculty at Virginia Tech. Copyright 2001-2003. (C) Doug Bowman, Virginia Tech, 2001- 2 Why UNIX? Brief history of UNIX Used in many scientific and industrial settings Ken Thompson & Dennis Richie Huge number of free and well-written originally developed the earliest software programs versions of UNIX at Bell Labs for Open-source OS internal use in 1970s Internet servers and services run on UNIX Borrowed best ideas from other Oss Largely hardware-independent Meant for programmers and computer Based on standards experts Meant to run on “mini computers” (C) Doug Bowman, Virginia Tech, 2001- 3 (C) Doug Bowman, Virginia Tech, 2001- 4 Early UNIX History UNIX variants Thompson also rewrote the operating system Two main threads of development: in high level language of his own design Berkeley software distribution (BSD) which he called B. Unix System Laboratories System V Sun: SunOS, Solaris The B language lacked many features and Ritchie decided to design a successor to B GNU: Linux (many flavors) which he called C. SGI: Irix They then rewrote UNIX in the C FreeBSD programming language to aid in portability. Hewlett-Packard: HP-UX Apple: OS X (Darwin) … (C) Doug Bowman, Virginia Tech, 2001- 5 (C) Doug Bowman, Virginia Tech, 2001- 6 1 Layers in the UNIX System UNIX Structure User Interface The kernel is the core of the UNIX Library Interface Users system, controlling the system Standard Utility Programs hardware and performing various low- (shell, editors, compilers, etc.) System Interface calls User Mode level functions.
    [Show full text]
  • Absolute BSD—The Ultimate Guide to Freebsd Table of Contents Absolute BSD—The Ultimate Guide to Freebsd
    Absolute BSD—The Ultimate Guide to FreeBSD Table of Contents Absolute BSD—The Ultimate Guide to FreeBSD............................................................................1 Dedication..........................................................................................................................................3 Foreword............................................................................................................................................4 Introduction........................................................................................................................................5 What Is FreeBSD?...................................................................................................................5 How Did FreeBSD Get Here?..................................................................................................5 The BSD License: BSD Goes Public.......................................................................................6 The Birth of Modern FreeBSD.................................................................................................6 FreeBSD Development............................................................................................................7 Committers.........................................................................................................................7 Contributors........................................................................................................................8 Users..................................................................................................................................8
    [Show full text]
  • Prosafe Gigabit Quad WAN SSL VPN Firewall SRX5308 CLI Reference Manual
    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 CLI Reference Manual 350 East Plumeria Drive San Jose, CA 95134 USA August 2012 202-11138-01 v1.0 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 © 2012 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc. NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. Other brand and product names are registered trademarks or trademarks of their respective holders. © 2012 All rights reserved. Technical Support Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com. Phone (US & Canada only): 1-888-NETGEAR Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/app/answers/detail/a_id/984. Statement of Conditions To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use, or application of, the product(s) or circuit layout(s) described herein. Revision History Publication Part Number Version Publish Date Comments 202-11138-01 1.0 August 2012 First publication 2 Contents Chapter 1 Introduction Command Syntax and Conventions.
    [Show full text]
  • Introduction
    CS307 Operating Systems Introduction Fan Wu Department of Computer Science and Engineering Shanghai Jiao Tong University Spring 2020 Operating Systems Operating Systems 2 Operating Systems UNIX-family: BSD(Berkeley Software Distribution), System-V, GNU/Linux, MINIX, Nachos, OS X, iOS BSD-family: FreeBSD, NetBSD, OpenBSD System-V-family: AIX, HP-UX, IRIX, Solaris Linux-family: Red Hat, Debian, Ubuntu, Fedora, openSUSE, Linux Mint, Google's Android, WebOS, Meego MS-DOS, Microsoft Windows, Windows Mobile, Win-CE, WP8 AmigaOS Symbian, MeeGo Google Chrome OS OS/2 XrossMediaBar(XMB) for PS3, Orbis OS for PS4 Input Output System for Wii Tiny-OS, LynxOS, QNX, VxWorks Operating Systems 3 Four Components of a Computer System People, machines, other computers Application programs define the ways in which theSystem system programs resources are arecomputer used to software solve the computingdesigned to problems operate theof thecomputer users hardware and toControls provide and a platformcoordinates for runninguse of hardware application among programsvarious applications and users provides basic computing resources Operating Systems 4 Computer System Structure Hardware – provides basic computing resources CPU, memory, I/O devices Operating system – Controls and coordinates use of hardware among various applications and users System programs – are computer software designed to operate the computer hardware and to provide a platform for running application programs BIOS and device drivers Application programs – define the ways in
    [Show full text]
  • Honeydv6 a Low-Interaction Ipv6 Honeypot
    HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for Computer Science Operating Systems and Distributed Systems Reykjavík, July 29, 2013 Outline 1 Introduction 2 An IPv6 darknet experiment 3 HoneydV6 - Development and Performance Measurements 4 Conclusion and Future work Sven Schindler (Potsdam University) HoneydV6 Frame 2 of 26 Introduction Outline 1 Introduction 2 An IPv6 darknet experiment 3 HoneydV6 - Development and Performance Measurements 4 Conclusion and Future work Sven Schindler (Potsdam University) HoneydV6 Frame 3 of 26 Introduction Why do we need IPv6 dark- and honeynets? huge IPv6 address space makes brute-force network scanning impossible new scanning approaches in the wild? attacks aiming at IPv6 design weaknesses how to analyse IPv6 related attacks? Sven Schindler (Potsdam University) HoneydV6 Frame 4 of 26 Introduction THC and si6 - IPv6 Attack Toolkits IPv6 attack tools like THC toolkit [3] and si6 [8] available fragment6 (THC) - duplicate fragments fake_router6 (THC) - become the default router rsmurf6 (THC) - remote smurf attack tool dos-new-ip6 (THC) - block new hosts from joining a network scan6 (si6) - intelligent scan approaches Sven Schindler (Potsdam University) HoneydV6 Frame 5 of 26 An IPv6 darknet experiment Outline 1 Introduction 2 An IPv6 darknet experiment 3 HoneydV6 - Development and Performance Measurements 4 Conclusion and Future work Sven Schindler (Potsdam University) HoneydV6 Frame 6 of 26 An IPv6 darknet experiment Prior darknet experiments Why another IPv6 Darknet
    [Show full text]
  • Annex Communications Server Network Administrator's Guide 166
    1\N"l:X COMMUNICATIONS SERVER Network Administrator's Guide )xy1og1ca] Copyright @ 1990 Xylogics, Inc. 166- 024- 000 Revision E November 1991 1\N-41:X COMMUNICATIONS SERVER Network Administrator's Guide 166-024-000 Revision E November 1991 Notice The information in this manual is subject to change without notice, and should not be construed as a commitment by Xylogics, Inc. Xylogics assumes no responsibility for any errors that may appear in this document. Annex, Annex II, Annex lie, Annexthree, and Annex 3 are trademarks of Xylogics, Inc. UNIX is a registered trademark of AT&T. Ethernet is a registered trademark of Xerox Corporation. IBM is a registered trademark of the International Business Machines Corporation. XENIX Is a trademark of Microsoft Corporation. LAT is a trademark of Digital Equipment Corporation. Postscript is a registered trademark of Adobe Systems Incorporated. Copyright© 1990 Xylogics, Inc. Printed in the USA. Contents Preface .................................................. xiii General . xiii Supported Version . xiv Printing Conventions . xiv Related Documents . xv Book A: Overview Chapter 1: Introduction to the Annex ....................... A-1 General . A-1 Annex Capabilities . A-2 Network Administrator (na) Utility . A-2 Command Line Interpreter (CLI) . A-3 Customizing the User Interface . A-3 Expedited Remote Procedure Call Daemon (erpcd) . A-3 Extensive Security System . A-3 Port Servers and Rotaries . A-4 UNIX Host-originated Connections.................................. A-5 Name Server Support . A-5 Network Management . A-6 Full Routing . A-6 Multi-protocol Support . A-7 Applications for the Annex . A-7 Connecting Terminals . A-7 Connecting Remote Hosts, Networks, and Annexes.................... A-8 Connecting PCs to the Network .
    [Show full text]
  • Ipsec Overhead in Wireline and Wireless Networks for Web and Email Applications
    IPSec Overhead in Wireline and Wireless Networks for Web and Email Applications George C. Hadjichristofi Nathaniel J. Davis, IV Scott F. Midkiff Bradley Department of Electrical and Computer Engineering Virginia Polytechnic Institute and State University Blacksburg, Virginia 2406 1 USA Abstract inserted in a system model to calculate the overall This paper focuses on characterizing the overhead of speedup when compression was used in different types of IP Security (IPSec)for email and web applications using networks. The research did not involve deploying test a set of test bed configurations. The different beds for “live” experimental measurements. confligurations are implemented using both wireline and Chappell, et al. did additional work [2]. The purpose wireless netwrk links. ne testing considers different of their research was to determine the suitability of IPSec combinations of authentication algorithms and for a Multiple Level Security environment. The research authentication protocols. Authentication algorithms used an experimental version of IPSec that was not include Hashed Message Authentication Code-Message optimized for performance. A simple IPSec wireline test Digest 5 (HMAC-MD5) and Hashed Message bed was deployed and various measurements were made. Authentication Code-Secure Hash Algorithm 1 (HMAC- The research did not investigate the overhead of using SHAl). Authentication protocols include Encapsulating authentication and encryption and the IPSec Security Payload (ESP) and Authentication Header (AH) implementation used only DES for confidentiality. protocols. Triple Digital Enclyption Standard (3DEq is The results presented in this paper are derived from used for encryption. Overhead is examined for scenarios actual measurements taken on wired and wireless test using no enclyption and no authentication, authentication beds and provide an expanded testing environment when and no encryption, and authentication and enclyption.
    [Show full text]
  • Appendix a Protocol Filters
    APPENDIX A Protocol Filters The tables in this appendix list some of the protocols that you can filter on the access point. In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol. Cisco IOS Software Configuration Guide for Cisco Aironet Access Points A-1 Appendix A Protocol Filters Table A-1 EtherType Protocols Protocol Additional Identifier ISO Designator ARP — 0x0806 RARP — 0x8035 IP — 0x0800 Berkeley Trailer Negotiation — 0x1000 LAN Test — 0x0708 X.25 Level3 X.25 0x0805 Banyan — 0x0BAD CDP — 0x2000 DEC XNS XNS 0x6000 DEC MOP Dump/Load — 0x6001 DEC MOP MOP 0x6002 DEC LAT LAT 0x6004 Ethertalk — 0x809B Appletalk ARP Appletalk 0x80F3 AARP IPX 802.2 — 0x00E0 IPX 802.3 — 0x00FF Novell IPX (old) — 0x8137 Novell IPX (new) IPX 0x8138 EAPOL (old) — 0x8180 EAPOL (new) — 0x888E Telxon TXP TXP 0x8729 Aironet DDP DDP 0x872D Enet Config Test — 0x9000 NetBUI — 0xF0F0 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points A-2 Appendix A Protocol Filters Table A-2 IP Protocols Protocol Additional Identifier ISO Designator dummy — 0 Internet Control Message Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP — 12 CHAOS — 16 User Datagram Protocol UDP 17 XNS-IDP IDP 22 ISO-TP4 TP4 29 ISO-CNLP CNLP 80 Banyan VINES VINES 83 Encapsulation Header encap_hdr 98 Spectralink Voice Protocol SVP 119 Spectralink raw
    [Show full text]