Internet & Intranet Security

Team-Fly

In this chapter, we focus on some security protocols that have been proposed, specified, implemented, and deployed for the transport layer of the Internet model. More specifically, we look at previous work in Section 15.1, overview and discuss the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols in Sections 15.2 and 15.3, address firewall traversal in Section 15.4, and draw some conclusions in Section 15.5. Note that some parts of this chapter are taken from Chapter 6 of [1]. Also note that all transport layer security protocols we look at in this chapter (i.e., the SSL and TLS protocols) are layered on top of TCP and its connection-oriented transport layer service. Consequently, these protocols could also be named session layer security protocols. This term, however, would not match the Internet model and its four layers, so we do not use it in this book.

15.1 PREVIOUS WORK

The promoters of transport layer security protocols generally have an application developer in mind. For such a developer, it would be useful to be able to establish secure network connections instead of insecure ones. Consequently, the application developer needs a development environment and a library that allow him or her to establish secure network connections. With this idea in mind, several transport layer security protocols have been proposed in the past (in addition to the SSL and TLS protocols):

The SP4 and the TLSP are full-fledged transport layer security protocols, whereas the ESM—similar to the SSL and TLS protocols—only runs on top of a connection-oriented and reliable transport layer service, such as provided by TCP. Consequently, these protocols could also be named "session layer security protocols." As previously mentioned, however, this term does not match the four layers of the Internet model and is therefore not used in this book.

As of this writing, the SSL and TLS protocols are still the major examples of transport layer security protocols. They are overviewed and briefly discussed next.

