Network Security Features of HP-UX 11i v1 and 11i v2
Page 10
Internet Protocol Security Protocol Suite—HP-UX IPSec
The Internet Engineering Task Force (IETF) IP Security Protocol (IPsec) working group has defined a set
of specifications for cryptographically based authentication, integrity, and confidentiality services at the
IP layer of the network stack. HP-UX IPSec is the HP implementation of IPsec. HP-UX IPSec
implements rule-based policy management.
As shown in Figure 2, IPsec technology can be deployed to provide secure tunnels through the public
Internet. These tunnels protect packet transfer from a remote workstation to a corporate intranet or link
geographically disjointed portions of an intranet without using expensive leased lines. Tunnels can also be
used to link the computing facilities of business partners and to secure mobile and wireless node
communications. In all of these cases, IPsec technology creates, in effect, a Virtual Private Network
(VPN)—that is, a private network within the global Internet. It is “virtual” because it uses tunnels to
effectively create a separate logical network within a physical network. It is “private” because outside
users cannot see or modify the data being transmitted.
[Figure 2 (diagram, image not recoverable): a secure corporate intranet (mail servers, directory servers, RADIUS access control, backend servers with system firewall capability, and an HR secure subnet using end-to-end IPSec) sits behind a firewall/NAT/VPN gateway. A DMZ of bastion hosts holds a secure mail gateway (S/MIME), secure DNS servers (DNSSec) and a secure e-commerce web server (SSL). Across the Internet, IPSec/L2TP tunnels connect a mobile user (remote access VPN), the Corporate A branch office (site-to-site VPN, IPSEC/SSL) and a business partner with its own DMZ (extranet VPN, IPSEC/SSL).]
Figure 2: A Secure Network Environment
Due to the rapid growth of electronic commerce, more enterprises are putting application servers in a
“demilitarized zone” (DMZ)—that is, outside corporate firewalls—for business partners or public access.
Since inbound connections from the Internet are allowed to these servers, they are vulnerable to attack.
Moreover, application servers in the DMZ may need to funnel customer requests to back-end servers
within the internal network. Additionally, attacks can originate within an organization. Therefore, a