Front cover - IBM Redbooks

the receiving peer share the same secret key. A successful checksum
evaluation means the packet was originated by the expected peer and the
packet was not modified in transit.
2. Encapsulating Security Payload (ESP): Provides a confidentiality guarantee
for packets by encrypting packets with defined encryption algorithms. A
packet with ESP that is successfully decrypted means the packet was not
intercepted and modified.
3. IP payload compression (IPcomp): IPcomp provides a way to compress
packet before encryption by ESP. The purpose of this is to improve effective
data throughput, because once the packet has been encrypted by ESP its
potential for normal data compression is low or impossible.
4. Internet Key Exchange (IKE): AH and ESP need a shared secret key between
peers. IKE provides for secure key negotiation and exchange between
different locations.
The IPsec protocols provide security for transmission of sensitive information
over unprotected IP networks. IPsec acts at the network layer, protecting and
authenticating IP packets between participating peer devices. It is similar to
SOCKS in that it requires a client; however, it does not require a proxy server.
IPsec network gateways are used as the intermediary network proxy. It is
commonly implemented in network routers, since it is essentially a network-layer
proxy. As a result, it is generally more efficient than SOCKS because it is
operating within only the lower three OSI layers (physical, data, and network).
The primary popular use of IPsec has been as a means to provide VPN (virtual
private network) access from unprotected networks (such as the Internet) into a
trusted, protected network.
4.1.2 Firewall products
In our lab scenarios in this book, we were not necessarily concerned with the
firewall products themselves. Rather, we were more interested in what the Lotus
and WebSphere applications were doing, or were likely to do, across a firewall.
In describing the implementation of a multi-zone architecture, it should not matter
which firewall products are used. It is assumed that in each case the important
information for a firewall administrator is primarily the ports and protocols used. It
is up to the firewall administrator to use that information to establish the
appropriate firewall configuration and access control lists.
The following is a brief list of some common firewall products that provide at least
stateful filtering capability and beyond, but fall short of being a full-fledged
application-layer proxy. This is included only as a guide and the descriptions are
based on the vendor’s own marketing material.
Chapter 4. Security components and layers 121