Secure Computing Soft-PK Version 5.1.3 Build 4, SafeNet Identifying authentication requirements


Identifying authentication requirements

Determine how you will identify and authenticate the peers in your VPN. Sidewinder and Soft-PK both support digital-certificate and pre-shared-key VPN configurations. In addition, with Sidewinder version 5.1.0.02 or later you can set up Extended Authentication, which requires the remote user to authenticate in addition to the certificate or pre-shared key that authenticates the device. The following summarizes the VPN authentication methods.

Using digital certificate authentication

When using digital certificates (also called "public key authentication"), each system in the VPN requires its own unique private key file and a corresponding certificate file that carries the matching public key.

• The private key file

A private key file is unique to each system in the network and must be kept secret by its holder (VPN client, firewall, etc.). It is used to create digital signatures and, depending on the algorithm, to decrypt data that was encrypted with the corresponding public key. If the private key is disclosed, anyone holding it can impersonate that system to every VPN peer that trusts its certificate.

• The certificate file (with public key)

A certificate contains informational values such as the identity of the public key's owner, a copy of the public key itself (so others can encrypt messages to the owner or verify the owner's digital signatures), an effective date and an expiration date, and the digital signature of the issuing entity (a CA or the firewall). A peer accepts the certificate only if that signature verifies against an issuer it already trusts.

When using Sidewinder, the trusted source that signs key/certificate pairs can be Sidewinder itself, through "self-signed" certificates, or a public or private Certificate Authority (CA) server (for example, Netscape, Baltimore, or Entrust). Digital certificate implementations on Sidewinder and Soft-PK follow the X.509 standard.

IMPORTANT: You must configure the necessary certificates before you configure the VPN connection parameters on Sidewinder or Soft-PK.

In addition, digital certificates are only valid between their "effective" (not-before) date and their "expiration" (not-after) date. Before a certificate expires, a renewed certificate must be retrieved and installed on the VPN gateway (that is, the Sidewinder firewall), or the VPN connections that rely on it will no longer be accepted once the date passes. Track expiration dates so renewal can be scheduled ahead of time.
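The checks described above, as an added example that is not part of the Soft-PK/Sidewinder guide and does not use either product's tooling: a private CA issues a client certificate with the standard openssl command-line tool (assumed to be installed), and three pre-deployment checks follow: that the certificate's signature chains to the trusted CA, that the private key file actually matches the public key in the certificate, and how far the certificate is from its expiration date. The names vpn-ca.example and client1.example.net are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Soft-PK/Sidewinder guide. Requires the openssl CLI.
# All names (vpn-ca.example, client1.example.net) are made up for illustration.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create the CA: the private key stays secret; the self-signed certificate carries
# the public key that every VPN peer uses to verify the CA's signatures.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=vpn-ca.example" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate valid for $1 days. The client generates its own key
# pair and a signing request; only the CA's private key signs the certificate.
make_client() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=client1.example.net" \
    -keyout "$WORK/client1.key" -out "$WORK/client1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days "$1" -sha256 -out "$WORK/client1.crt" >/dev/null 2>&1
}

# Check 1: the certificate in $1 chains to the CA we trust. Prints ok or fail.
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Check 2: the private key file $1 matches the public key inside certificate $2.
# Both commands emit the public key as PEM, so the text must be identical.
key_matches_cert() {
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Check 3: certificate $1 is still inside its validity window $2 seconds from now.
# Prints valid, or renew when the expiration date falls within that horizon.
not_expiring_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo renew
  fi
}

# Demonstration: a 30-day client certificate.
make_ca
make_client 30
echo "chain:    $(verify_chain "$WORK/client1.crt")"
echo "key pair: $(key_matches_cert "$WORK/client1.key" "$WORK/client1.crt")"
echo "1 day:    $(not_expiring_within "$WORK/client1.crt" 86400)"
echo "60 days:  $(not_expiring_within "$WORK/client1.crt" 5184000)"
openssl x509 -in "$WORK/client1.crt" -noout -subject -issuer -dates
```

The 60-day check reports renew because the certificate was issued for only 30 days; in practice the horizon is set to however long the renewal procedure takes, so the replacement certificate is on the gateway before the old one expires.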

Planning Your VPN Configuration

2-3
