HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 4

• The user provides credit card information
• The user clicks "purchase"

The first three items, or the items in red, send data "in the clear": without authentication, without confidentiality, and with only limited (i.e., non-cryptographic) integrity. The last four items, or the items in blue, send data using HTTPS, which in its most popular form provides one-way authentication, confidentiality, and integrity.

Wait a minute - did we say one-way authentication and not mutual authentication? Yes. More importantly, it only provides one-way authentication if you do not get any "Certificate Warning" dialogs, as shown in Figure 1. These dialogs, when they appear in today's HTTPS Internet use-model, are indicative of an authentication problem. If an HTTPS web site on the Internet results in one of these certificate warning dialogs appearing, close the browser and do your shopping elsewhere! You are not able to authenticate the web site and should not be sending over any personal information of any kind.

Figure 1 - Authentication Problem with HTTPS

Let's assume the web site that you are shopping at is determined to be authentic (i.e., the web site is who it says it is). The web site doesn't really care who is using HTTPS via the web browser; therefore client authentication via digital certificates, which would result in mutual authentication, is not done. Imagine a web site that asked you for your digital certificate before you could buy anything. Many people do not have their own digital certificate. How long would that company be in business? The web site does care about providing authentication, confidentiality, and integrity to the data that is being sent to purchase items. This data includes the credit card information. This credit card information provides the company running the web site with the ability to determine if the credit card holder is able to make a purchase - the issuer of the credit card approves or denies the purchase.

Once the purchase is approved, the issuer of the credit card is providing protection to both the web site and the user regarding fraud. Mutual authentication is provided to the transaction, but only one-way authentication is provided to the communications channel.

The HTTPS use model for the Internet has been tremendously successful. However, to utilize SSL/TLS like HTTPS does, the application needs to be modified (e.g., the web browser must support HTTPS, certificates, certificate verification, etc.). For many legacy applications in the corporate environment, this modification is not possible. What is needed is a security protocol that provides authentication, confidentiality, and integrity without the application having to be modified. Here is where IPsec really shines, because it can provide just that. Let's take a closer look at what some of the drivers for IPsec were and how this application transparency allowed Virtual Private Networks to appear.
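The one-way versus mutual authentication distinction above, as an added example that is not part of the HP paper: a Go program that runs TLS handshakes in memory between a server and a client, using self-signed certificates minted at run time as constructed test material. The host names printer.example and user.example and the function names are assumptions for this example. Connect returns nil only when both sides accept the handshake; the untrusted-issuer case is the programmatic form of the Figure 1 certificate warning, and RequireAndVerifyClientCert with no client certificate is the "web site that asks for your digital certificate" scenario.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed cert for cn (constructed test material, no EKU) and a pool trusting only it.
func selfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Connect runs one TLS 1.2 handshake over an in-memory pipe; a non-nil error is the code analogue of a browser Certificate Warning.
func Connect(clientTrustsServer bool, auth tls.ClientAuthType, clientHasCert bool) error {
	srvCert, srvRoot := selfSigned("printer.example")
	cliCert, cliRoot := selfSigned("user.example")
	srv := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: auth, ClientCAs: cliRoot}
	// An empty (not nil) root pool trusts no issuer; TLS 1.2 reports server-side rejections to Handshake().
	cli := &tls.Config{ServerName: "printer.example", RootCAs: x509.NewCertPool(), MaxVersion: tls.VersionTLS12}
	if clientTrustsServer {
		cli.RootCAs = srvRoot // the browser's root store vouches for the server's issuer
	}
	if clientHasCert {
		cli.Certificates = []tls.Certificate{cliCert} // the user owns a certificate the server trusts
	}
	c, s := net.Pipe()
	defer c.Close() // closing one end also unblocks the other side of the pipe
	c.SetDeadline(time.Now().Add(3 * time.Second)) // a stalled handshake fails instead of hanging
	s.SetDeadline(time.Now().Add(3 * time.Second))
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(s, srv).Handshake() }()
	if err := tls.Client(c, cli).Handshake(); err != nil {
		return err
	}
	return <-serverErr
}
```

The returned error text for the untrusted case is the same x509 "unknown authority" verdict a browser turns into its warning dialog, which is why the right response is to stop rather than click through.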

