 |
|
As you stroll the book aisles, Virtual Private Networks: Technologies and Solutions, by Ruixi Yuan and W. Timothy Strayer, might lead you to grab for a VPN-How-To volume. After all, isn't every organization going to need VPNs if they haven't got them already?
Early in Chapter 1 the authors state "Virtual private networking is the collection of technologies applied to a public network -- the Internet -- to provide solutions for private networking needs." That said, they go on to deliver page after page of what could have been dry and tedious protocols and bitmaps in a style that I found fun to read. Consider:
"The essence of creating a VPN is to assemble the technological components according to a cohesive architecture in order to create practical solutions for organizational communications needs. These components make possible both the 'virtual' and the 'private' aspects of a VPN."
"Part I: VPN Fundamentals" is a must read for anyone with any involvement with contemporary networks and their security. Yuan and Strayer present topic by topic and layer by layer in a systematic manner. There is a consistent flow from situation, through candidate approaches and available protocols, to implementation. At no time do they coerce you into a conclusion. Instead, after reading each section, I found some approach obviously better than others. Later reading would reveal that I had chosen the approach that the authors preferred.
Even for those who simply use their computer from their homes or from the enclosure of their workplace surroundings, this book explains much of what happens behind the scenes to connect the several distributed offices and facilities of a modern organization.
Each of the chapters in "Part II: VPN Technologies" covers frame and packet level details of topics such as Tunnels, IPsec, Authentication, Public Key Infrastructure, and Access Control. as separate chapters. The authors begin by discussing the concept of network Tunnels independently from how they might be implemented. This lays a foundation for the several issues that must be resolved while deciding tunnel deployment configuration. While there are several alternatives, Yuan and Strayer make clear their preference for IPsec to enable delivery of network layer security services. They devote an entire chapter to the IPsec topic. Given a secure method to make connections, a network must be able to Authenticate connection requests -- is the requester who they claim to be? -- and the Public Key services available to carry the various forms of authentication information. Once the requested connection exists, a network uses various Access Control mechanisms to grant or deny use.
Every chapter presents a thorough definition of the topic, a discussion of the issues and concerns relating to this topic, and then describes the various protocols and techniques that exist to address each concern. Consider the following discussion of Authentication:
"The difference between various two-party authentication schemes lies in how the authentication information, the authentication function, and the expected results are created, stored, and transmitted between the two authenticating parties."
The authors proceed to present discussion of passwords, challenge-and-response, token cards, and smartcards as basic technologies. They follow the technology discussions with the details about PAP, CHAP, EAP, RADIUS and other protocols that implement the features of the basic technologies.
"Part III: VPN Solutions" was both a surprise and a disappointment. Given the word "solutions" in the section title, I expected to find system administrator level command-line configuration details used to deploy a VPN on some reference platform. Failing to find pages of cryptic parameter settings, I was at first disappointed. However, as I read on, I realized that the treatment used by Yuan and Strayer fell into the "teach a man to fish" category. For example, while reading about Site-to-Site VPN deployment, I found a bulleted list naming the requirement for a type of tunneling mechanism. The discussion that followed presented IPsec, and L2TP as candidates for this mechanism. The discussion of IPsec revealed that I needed to use an encryption algorithm (3DES, for example), a message integrity algorithm (such as SHA-1), and a type of authentication (shared secret, certificate authority, and the like). At the conclusion, I was left with a thorough understanding of the deployment of a VPN.
Lest you think I fell besotted by the material, there are some things that, while primarily editorial, might result in a better book were they corrected in a second printing or follow-up edition. As you might expect in a networking volume, there are plenty of graphs and diagrams. Things might be better were these diagrams located in better locations, typically before the prose that discusses them. Once, a Windows protocol layer diagram appears bracketed by UNIX specific prose -- completely outside of the nearby Microsoft Windows section title.
Another annoyance involved the huge number of references to Internet Request For Comments (RFC) documents -- only to find additional details tucked away in an appendix. It might have been better to warn readers and arm them with access to supporting materials, either in the Preface or preferably as a footnote to the first RFC reference.
Lastly, I expected to find a detailed case study that either ran throughout the material or as a chapter unto itself toward the end of the book. This case study might have used one of the Linux distributions to provide you a platform for self-directed study. Any of the Linux kits currently available contains most of the recommended parts and the rest are readily available online. A Windows-based implementation might be problematic due to the licensing and fee-for-software nature of that environment. The book contains a case study, but it is far too lightweight for a serious student. In defense of this omission, I suspect that any attempt to present a cookbook deployment might result in a sofa-sized volume or might offer such superficial treatment as to be practically useless. There were only a few instances when the authors resorted to lines of code-level discussions. These were brief, on topic, and might be skipped without any loss.
When the time came, the book equipped me with good understanding of what to do during VPN deployment without the droll reprinting of configuration files, command lines, or screens from some user interface. Add this book to your networking library. You won't regret it.
-- Daniel M. St.André (grillongroup@Mindspring.com)
|
Explanation of ERCB rating scale:
|
