Secure Computing SafeNet manual Closer look at self-signed certificates, No CA needed, Clients


Identifying authentication requirements

A closer look at self-signed certificates

Figure 2-2. Sidewinder self-signed certificate summary

If you have not already done so, decide whether you will use self-signed certificates generated by Sidewinder or a public or private CA server.

Table 2-1. Sidewinder self-signed certificates versus CA-based certificates

Scenario: Using self-signed certificates (for a small number of VPN clients)
Profile:
- No CA needed
- Requires one VPN association for each client

Scenario: Using CA-based certificates (for a medium to large number of VPN clients)
Profile:
- Uses a private or public CA
- Single VPN association for all clients
- Can make VPN deployment and management more efficient

A VPN implemented using Sidewinder self-signed certificates does not require an external certificate authority and is relatively easy to configure for a small number of clients (fewer than 10). However, one VPN association must be configured on Sidewinder for each client, so the administrative time grows with the number of configured clients. Figure 2-2 shows the certificates involved in a VPN using Sidewinder self-signed certificates.

[Figure 2-2 diagram: Sidewinder on the Protected Network and the Soft-PK client on the Internet each end up holding both the Firewall Cert. and the Client Cert.; the firewall certificate is exported as a *.pem file (steps 1 and 4), and the client private key and certificate as *.pem files and a PK12 (*.pk1) object for importing to Soft-PK (steps 2, 3 and 5).]

1 Admin creates firewall private key and certificate
2 Admin creates client private key/certificate pair(s)
3 Admin converts client private key & exports certificate files to PK12 object
4 Firewall certificate imported to Soft-PK (private key remains on Sidewinder)
5 Client private key and certificate file (PKCS12) imported into Soft-PK

Note: A self-signed certificate created on Sidewinder remains valid for one year beginning from the date it is created.
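The per-client association that Table 2-1 and Figure 2-2 describe, modelled with Go's standard crypto/x509 library as an added example (not code from the guide or from Sidewinder): each client's one-year self-signed certificate is pinned in the firewall's trust store exactly as imported, so the store grows by one entry per client, and a self-signed certificate that merely reuses a known client name is not accepted. The client names (`client0`, ...) are constructed for the example; the PKCS12 packaging of steps 3 and 5 is not shown because Go's standard library has no encoder for it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a self-signed certificate for cn valid for one year from now (the lifetime the note on this page gives) and returns it with its private key.
func selfSigned(cn string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as real issuers use
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // parent == self
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepts reports whether peer chains to the firewall's trust store (no hostname check).
func accepts(trust *x509.CertPool, peer *x509.Certificate) bool {
	_, err := peer.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// associate mimics the per-client VPN association: the firewall trusts exactly the client
// certificates the admin imported (one entry per client), and nothing else chains to them.
func associate(n int) (knownAccepted, strangerRejected bool) {
	pinned, knownAccepted := x509.NewCertPool(), true
	for i := 0; i < n; i++ {
		cert, _ := selfSigned(fmt.Sprintf("client%d", i)) // constructed client name
		pinned.AddCert(cert) // the association: this exact certificate, nothing derived from it
		knownAccepted = knownAccepted && accepts(pinned, cert)
	}
	stranger, _ := selfSigned("client0") // right name, but a key the admin never imported
	return knownAccepted, !accepts(pinned, stranger)
}
```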

2-4

Planning Your VPN Configuration
