【導讀】Printedin:.Cupertino,California95014.©copyright1983-20xxHewlett-PackardCompany,allrightsreserved.ONC+?

　　

【正文】 12 ? It simplifies the system administration and troubleshooting effort at each node. 2. Provides both preshared keys and public key certificates for authentication IPSec/9000 supports preshared keys as well as Entrust and VeriSign certificates. The Baltimore PKI will be supported in the future. The IPSec/9000 administrator can obtain certificates through the GUI automatically without any cutting and pasting between different applications. 3. Allows interoperability with over twentyfive other IPSec implementations, including those of Microsoft and Cisco 4. Provides highspeed encryption in DES and Triple DES for faster performance Using an enhanced assemblylanguage implementation of DES and TripleDES for PARISC that take advantage of 64bit registers, IPSec/9000 achieves almost twice the encryption speed of other leading software implementations. 5. Integrates with HP’s VirtualVault secure web server in HPUX 11i to provide a secure channel to backend servers 6. Supports HP 9000 workstations (series 700 systems) Packet filtering IPSec/9000 can be configured to establish authenticated security associations with selected hosts and to discard all packets that do not belong to a security association. Likewise, a system firewall can provide filtering functionality specifically configured for the protection of that particular host. A system firewall is a packet filtering mechanism built into the TCP/IP stack of a host and provides filtering functionality. A corporate intra must be protected against intrusion and denialofservice attacks by one or more perimeter firewalls. Application proxy firewalls, such as the HP Praesidium eFirewall, provide highly effective protection by inspecting data at multiple levels of the work stack, including the application level. Multihomed HPUX systems can be configured to discard ining packets received through one work interface, but whose destination address is that of a different interface of the same host. Also, multihomed HPUX systems can use IP filter to Network Security Features of HPUX 11i 13 block the sending of outgoing packets whose source address is not that of the interface through which they are originally sent. This packetfiltering feature characterizes the Strong EndSystem (ES) functionality described in RFC 1122 of the IETF. An HPUX ACE version of IP Filter, a stateful inspection firewall, is available to download from the publicdomain web site. It is not yet available for HPUX 11i. To download the IP Filter or for availability information, access the web site: SOCKS The SOCKS protocol provides a generic proxy for applications using TCP or UDP as a transport. It can be used in a perimeter firewall to relay TCP or UDP traffic between internal and external hosts, avoiding the need to route such traffic, thereby insulating the intra from the Inter. Moreover, for traffic that originates on the Inter side of the firewall, SOCKS version 5 allows the user to authenticate the originator of the traffic and establish a secure connection between the originator and the firewall. An HP implementation of SOCKS version 5 on HPUX will soon be available under the GNU Public License. Secure Sockets Layer ─ SSL Secure Sockets Layer (SSL), or Transport Layer Security (TLS) as it is now called in the Inter Engineering Task Force (IETF), secures connections between web browsers and servers. It is monly used to protect confidential information such as credit card numbers for webbased transactions over the Inter. An HTTP connection secured by SSL is indicated by the use of the HTTPS protocol identifier in a URL. As shown in the Figure 1, SSL occupies a position in the protocol stack between TCP and HTTP. Legacy applications, however, have to be made webaccessible before they can benefit from the protection that SSL affords to web traffic. To provide extra secure web server security, the HP Praesidium Virtual Vault secure web server bines the connection security provided by SSL with the platform security provided by a special version of HPUX. This HPUX version adapts a militarygrade, B1version of the operating system to mercial use. Network Security Features of HPUX 11i 14 In most cases, SSL uses RSA to authenticate the server and, at times, the client, RC4, DES or TripleDES to encrypt and decrypt the traffic, and HMACMD5 or HMACSHA1 to verify the origin and integrity of the data. SSL with SpeedCard for Faster Performance The SSL protocol begins with a handshake that uses publickey cryptography for authentication and key exchange. In the simplest and most frequently used variation of this handshake, the server performs a single RSA operation, using its private key, to decrypt a secret value which the client has encrypted using the server’s public key. This allows the server to demonstrate its identity and establish a shared secret with the client, from which session keys can be derived to protect the subsequent connection. Although the server performs only one RSA operation, this operation is putationally so demanding that a bottleneck may occ