
At a Glance
504 Pages
22.86 x 18.42 x 3.18 cm
Paperback
$130.99
| Foreword | p. xvii |
| Acknowledgments | p. xix |
| Preface | p. xxi |
| Broadband Network Security Fundamentals | |
| An Overview of Broadband Communication | p. 3 |
| A Brief History of Telecommunication | p. 4 |
| That Was Then | p. 6 |
| This Is Now | p. 6 |
| What is Broadband Access? | p. 7 |
| Existing Broadband Access Technologies | p. 7 |
| Cable | p. 8 |
| DSL | p. 9 |
| Fixed Wireless | p. 9 |
| Two-Way Satellite | p. 10 |
| The Future of Broadband | p. 10 |
| Fiber Optics | p. 11 |
| The Importance of Security in Broadband Networks | p. 12 |
| Security and the Average User | p. 12 |
| Securing the Network Infrastructure | p. 15 |
| References | p. 16 |
| Choosing the Right Tools: Security Services and Cryptography | p. 17 |
| Security Services and Mechanisms | p. 17 |
| Confidentiality | p. 18 |
| Integrity | p. 19 |
| Authentication | p. 19 |
| Nonrepudiation | p. 19 |
| Authorization and Access Control | p. 20 |
| Availability | p. 21 |
| The Basics of Cryptography | p. 21 |
| Random Number Generation | p. 23 |
| Symmetric-Key Cryptography | p. 25 |
| Message Digests | p. 36 |
| Public-Key Cryptography | p. 40 |
| Public-Key Cryptography Standards | p. 48 |
| Federal Information Processing Standards and Certification | p. 51 |
| Store-and-Forward vs. Session-Based Encryption | p. 52 |
| Choosing the Appropriate Cryptographic Tools | p. 53 |
| Using Stream Ciphers | p. 53 |
| Using Block Ciphers | p. 54 |
| Using Message Digests | p. 56 |
| Using Public-Key Algorithms | p. 56 |
| Interoperability Notes | p. 57 |
| How Secure Is Too Secure? | p. 57 |
| References | p. 58 |
| The Need for Security: Network Threats and Countermeasures | p. 61 |
| Who, What, and Why? Attackers and Their Motivations | p. 62 |
| When? "The Network Administrator Went Home Hours Ago..." | p. 66 |
| Where? The Internet's a Big Place! | p. 67 |
| Broadband Access vs. Dial-up Access | p. 67 |
| Categorizing Common Attacks | p. 68 |
| Passive Attacks vs. Active Attacks | p. 69 |
| Eavesdropping | p. 69 |
| Impersonation | p. 73 |
| Denial of Service | p. 75 |
| Data Modification | p. 77 |
| Packet Replay | p. 79 |
| Routing Attacks | p. 80 |
| TCP/IP-Specific Attacks | p. 83 |
| Address Spoofing | p. 83 |
| Session Hijacking | p. 86 |
| Countermeasures for Address-Spoofing and Session-Hijacking Attacks | p. 89 |
| TCP/IP Denial of Service | p. 90 |
| IP and ICMP Fragmentation | p. 92 |
| Attacks on Cryptography | p. 95 |
| Cryptanalysis | p. 95 |
| Testing for Weak Keys | p. 97 |
| Block Replay | p. 97 |
| Man-in-the-Middle Attacks | p. 97 |
| Countermeasures for Attacks Against Cryptographic Mechanisms | p. 98 |
| Social Engineering and Dumpster Diving | p. 100 |
| References | p. 100 |
| Broadband Networking Technologies | p. 103 |
| The Origins of Broadband | p. 104 |
| The ISO/OSI Reference Model | p. 106 |
| Layer 7--Application | p. 107 |
| Layer 6--Presentation | p. 107 |
| Layer 5--Session | p. 107 |
| Layer 4--Transport | p. 107 |
| Layer 3--Network | p. 108 |
| Layer 2--Data Link | p. 108 |
| Layer 1--Physical | p. 109 |
| The TCP/IP Reference Model | p. 110 |
| Data Encapsulation | p. 111 |
| Communication Protocol Characteristics | p. 113 |
| Service Provider Networks | p. 114 |
| Cable | p. 115 |
| Digital Subscriber Line | p. 120 |
| Fixed Wireless Technology | p. 123 |
| Two-Way Satellite Communication | p. 126 |
| Quality of Service | p. 129 |
| QoS Parameters | p. 130 |
| Degrees of QoS | p. 136 |
| The Great Debate: Cell-Relay vs. Standard Packet Switching | p. 136 |
| Models for QoS over IP Networks | p. 139 |
| References | p. 143 |
| A Survey of Existing Broadband Security Standards and Specifications | p. 145 |
| Standards Bodies and the Role of Standardization | p. 146 |
| ANSI (American National Standards Institute) | p. 146 |
| The BWIF (Broadband Wireless Internet Forum) | p. 146 |
| Cable Television Laboratories | p. 147 |
| The DVB (Digital Video Broadcasting) Project | p. 147 |
| The DSL Forum | p. 147 |
| ETSI (European Telecommunications Standards Institute) | p. 147 |
| The IETF (Internet Engineering Task Force) | p. 148 |
| The ITU (International Telecommunication Union) | p. 148 |
| The IEEE (Institute of Electrical and Electronics Engineers) | p. 148 |
| The ISO (International Standards Organization) | p. 148 |
| Current Broadband Security Standards and Specifications | p. 149 |
| The DOCSIS 1.0 Baseline Privacy Interface | p. 149 |
| The DOCSIS 1.1 Baseline Privacy Plus Interface | p. 151 |
| The PacketCable Security Specification | p. 154 |
| The H.235 Security Standard | p. 154 |
| The DVB Multimedia Home Platform | p. 160 |
| The OpenCable Copy Protection System | p. 161 |
| Security Gone Wrong--A Case Study of 802.11 WEP Encryption | p. 165 |
| References | p. 168 |
| Broadband Security Design Considerations | |
| Existing Network Security Protocols | p. 171 |
| IPSec | p. 172 |
| Transport and Tunnel Modes | p. 174 |
| Security Associations | p. 177 |
| Security Policy Database | p. 179 |
| Security Associations Database | p. 180 |
| Authentication Header | p. 181 |
| Encapsulating Security Payload | p. 186 |
| Internet Key Exchange | p. 191 |
| SSL and TLS | p. 197 |
| A Brief History of SSL | p. 198 |
| SSL in Detail | p. 198 |
| Application Layer--Kerberos | p. 216 |
| Kerberos Authentication | p. 217 |
| Cross-Realm Authentication | p. 219 |
| Public-Key Authentication with Kerberos | p. 220 |
| References | p. 220 |
| Placing Security Services and Mechanisms | p. 223 |
| Binding Security Services and Mechanisms to Data | p. 223 |
| Which Network Layer? | p. 225 |
| Application Transparency | p. 225 |
| Extent of Coverage | p. 230 |
| Performance | p. 232 |
| Comparing Existing Security Protocols | p. 233 |
| Security Protocol Implementation | p. 234 |
| Host-Based Security vs. Security Gateways | p. 237 |
| Extent of Coverage | p. 238 |
| Implementation, Configuration, and Maintenance | p. 241 |
| Securing Traffic Between a Large Number of Hosts or Applications | p. 242 |
| Distinct Traffic Flows | p. 243 |
| User Contexts | p. 243 |
| Coordination with Existing Security Policy | p. 244 |
| A Final Word on Encryption and Protocol Headers | p. 245 |
| References | p. 245 |
| Security Side Effects | p. 247 |
| Network Performance and QoS | p. 248 |
| Embedded Device Constraints | p. 249 |
| Cryptography and Performance | p. 250 |
| General Considerations for Choosing Cryptographic Algorithms | p. 251 |
| Dedicated Cryptographic Hardware | p. 262 |
| Encryption and Compression | p. 263 |
| Security Protocol Tuning | p. 264 |
| Additional Tips for Improving Security in Real-Time Multimedia Applications | p. 265 |
| Manageability | p. 266 |
| References | p. 269 |
| Case Studies | |
| Securing Broadband Internet Access: DOCSIS BPI+ | p. 273 |
| An Overview of the Baseline Privacy Plus Interface | p. 275 |
| DOCSIS MAC Layer Frame Formats | p. 277 |
| Baseline Privacy Key Management Protocol | p. 279 |
| Authorization State Machine | p. 280 |
| TEK State Machine | p. 285 |
| BPI+ Key Encryption, Traffic Encryption, and Authentication Algorithms | p. 289 |
| DOCSIS 1.1 BPI+ X.509 Certificate Usage and PKI Hierarchies | p. 292 |
| BPI+ Cable Modem Certificate Hierarchy | p. 292 |
| BPI+ Certificate Formats | p. 297 |
| Certificate Validation on the CMTS | p. 301 |
| Certificate Revocation and Hot Lists | p. 303 |
| TFTP Configuration Files | p. 303 |
| Signed Software Upgrade Verification | p. 304 |
| Generation and Verification of Signed Software Upgrade Files | p. 307 |
| References | p. 309 |
| Securing Real-Time Multimedia: PacketCable Security | p. 311 |
| Overview of PacketCable Security | p. 319 |
| IPSec | p. 322 |
| Internet Key Exchange | p. 325 |
| SNMPv3 Security | p. 326 |
| PacketCable's Use of Kerberos | p. 327 |
| Kerberized Key Management for IPSec and SNMPv3 | p. 330 |
| Cross-Realm Operation | p. 336 |
| Securing RTP and RTCP | p. 337 |
| Key Management for RTP and RTCP | p. 341 |
| PacketCable Security Certificate Usage and PKI Hierarchies | p. 345 |
| PacketCable Certificate Validation | p. 356 |
| Physical Protection of Keying Material | p. 357 |
| Secure Software Upgrades | p. 358 |
| References | p. 358 |
| Securing Interactive Television: DVB MHP Security | p. 359 |
| The Multimedia Home Platform | p. 360 |
| MHP Security Overview | p. 362 |
| Authentication Messages | p. 363 |
| Hash Files | p. 365 |
| Signature Files | p. 366 |
| Certificate Files | p. 368 |
| The Object Authentication Process | p. 369 |
| MHP X.509 Certificate Usage and PKI Hierarchy | p. 372 |
| Storage and Management of Root Certificates | p. 373 |
| Certificate Revocation | p. 374 |
| Application Security Policy | p. 375 |
| Permission Request File | p. 375 |
| Return Channel Security | p. 379 |
| Supported Java Security Classes | p. 380 |
| References | p. 381 |
| Design Scenarios | p. 383 |
| Initial Design Steps | p. 383 |
| Identify Your Assets and Assess Their Value | p. 384 |
| Identifying the Threats | p. 385 |
| Selecting the Appropriate Security Services | p. 386 |
| Choosing Suitable Security Mechanisms | p. 388 |
| Identifying the Need for Persistent Security Services and Mechanisms | p. 390 |
| Choosing a Network Layer | p. 391 |
| Choosing Between Host-Based Security and Security Gateways | p. 391 |
| Identifying Existing Security Protocols That Meet Your Needs | p. 392 |
| Designing a New Protocol | p. 393 |
| Sample Design Scenarios | p. 394 |
| A Flawed Design | p. 394 |
| Designing Security from the Ground Up | p. 403 |
| TCP/IP Primer | p. 415 |
| Encapsulation | p. 416 |
| Internet Protocol | p. 417 |
| IP Headers | p. 419 |
| IP Routing | p. 423 |
| Address Resolution Protocol and Reverse Address Resolution Protocol | p. 425 |
| Internet Control Message Protocol | p. 426 |
| Transmission Control Protocol | p. 429 |
| TCP Headers | p. 430 |
| Windowing | p. 432 |
| User Datagram Protocol | p. 433 |
| UDP Headers | p. 434 |
| Resources | p. 435 |
| Digital Certificates and Public-Key Infrastructure | p. 437 |
| Digital Certificates | p. 437 |
| Certificate Types and Classes | p. 439 |
| Contents of a Digital Certificate | p. 440 |
| Validating a Digital Certificate | p. 443 |
| Certificate Revocation | p. 445 |
| Public-Key Infrastructure | p. 448 |
| CA Operations | p. 448 |
| Trust Models | p. 450 |
| Path Discovery and Validation | p. 454 |
| References | p. 455 |
| Index | p. 457 |
| Table of Contents provided by Syndetics. All Rights Reserved. |
ISBN: 9780072194241
ISBN-10: 0072194243
Series: RSA Press
Published: 24th May 2002
Format: Paperback
Language: English
Number of Pages: 504
Audience: Professional and Scholarly
Publisher: OSBORNE
Country of Publication: US
Dimensions (cm): 22.86 x 18.42 x 3.18
Weight (kg): 0.86
This product is categorised by
- Non-Fiction > Computing & I.T. > Computer Security > Data Encryption
- Non-Fiction > Engineering & Technology > Electronics & Communications Engineering > Communications Engineering & Telecommunications
- Non-Fiction > Computing & I.T. > Computer Networking & Communications > Network Security
- Non-Fiction > Engineering & Technology > Energy Technology & Engineering > Electrical Engineering























