WatchGuard Technologies Firebox X manual Managing Certificates Certificate Authority

Page 65

CHAPTER 7 Managing Certificates and the

Certificate Authority

When you create a VPN tunnel, you can select from two types of tunnel authentication: shared secrets or certificates. A certificate is an electronic document that contains a public key. The public key verifies that the certificate is legitimate. A Certificate Authority (CA) is a trusted third-party that gives certificates to clients. In WatchGuard® System Manager, the workstation that is configured as the Management Server also operates as a CA. The CA on the Management Server can give certificates to managed Firebox clients when the Management Server creates VPN tunnels.

Certificate Authorities are a component of a system of key creation, key management and certification with the name Public Key Infrastructure (PKI). The PKI supplies certificate and directory services that can create, supply, keep, and when necessary revoke the certificates.

Certificates usually give more security than shared secrets during the authentication procedure.

Public Key Cryptography and Digital Certificates

Public key cryptography is a central component of a PKI. This cryptographic system includes two mathe- matically related keys, known as an asymmetric key pair. The user keeps one key, the private key, secret. The user can supply the other key, known as the public key, to other users.

The keys in the key pair go together. Only the owner of the private key can decrypt data encrypted with the public key. Any person with the public key can decrypt data encrypted with the private key.

Certificates are used to make sure public keys are valid. Certificates contain a digital signature created with the public key of a CA certificate. The validity of a certificate can be verified by looking at its digital signature.

Certificates have a lifetime that is set when they are created. But certificates are occasionally revoked before the end date and time that was set for their lifetime. The CA keeps an online, current list of revoked certificates. This list is the certificate revocation list (CRL).

PKI in a WatchGuard VPN

To authenticate VPN tunnels with certificates, you must first configure a Management Server. When you configure the Management Server, the CA is automatically activated. Each managed Firebox client

User Guide

59

Image 65

Contents WatchGuardSystem Manager User Guide Address Contents Copy the online help system to more computers Setting Up Logging and NotificationImporting Certificates Microsoft Internet Explorer 5.5 LogViewer SettingsApache Software License, Version 2.0, January About WatchGuard System Manager Getting StartedWatchGuard Management Server Log ServerAbout Hardware and Appliance Software Installing WatchGuard System ManagerNetwork addresses License KeysExternal interface 1Network IP Addresses Without the FireboxTrusted interface Optional interfacesBase Software encryption levelsUses 40-bit encryption StrongPutting the Firebox into operation on your network Setting Up Your Management ServerAdmin password Master passwordInstallation Topics After Your InstallationRouted configuration WFS appliance software configuration modesDrop-in configuration To add a secondary networks, do one of these procedures Adding secondary networks to your configurationUse the Quick Setup Wizard during installation Dynamic IP support on the external interfaceAbout slash notation Entering IP addressesInstalling the Firebox cables Installation Topics LiveSecurity Service Solutions Service and SupportThreat responses, alerts, and expert advice Easy software updatesLiveSecurity Service Broadcasts New from WatchGuard LiveSecurity Service Self Help ToolsBasic FAQs Known Issues Advanced FAQsInteractive Support Forum Online TrainingWatchGuard Users Forum Using the WatchGuard Users ForumWatchGuard Users Group Online HelpTechnical Support Product DocumentationCopy the online help system to more computers Software requirementsWe try to supply a solution in a maximum time of four hours Web Site Service TimeType of Service HoursTraining and Certification Starting WatchGuard System Manager Monitoring Your NetworkAbout the WatchGuard System Manager Window From the Windows DesktopDisconnecting from a Firebox Connecting to a FireboxDevice LogType the password for the Management Server Connecting to a ServerDisconnecting from a Server Seeing Information about DevicesBranch Office VPN Tunnels Firebox StatusCertificates Mobile user VPN tunnels Seeing Information on Log ServersPptp user VPN tunnels No exclamation pointMonitoring VPNs Starting Security Applications About the WatchGuard ToolbarPolicy Manager Firebox ManagerHostWatch Quick Setup WizardLog Viewer Historical ReportsLog Server collects logs from each WatchGuard Firebox Setting Up Logging and NotificationSetting Up the Log Server Configuration Guide for your version of appliance software WatchGuard Log Server Configuration dialog box appearsType the new log encryption key two times Click OK Setting Global Logging and Notification PreferencesClick Save Changes or Close Click Save Changes Setting Global Logging and Notification Preferences Reviewing and Working with Log Files Traffic Alarm Event DiagnosticTypes of Log Messages Traffic log messagesDiagnostic log messages Alarm log messagesLog File Names and Locations Starting LogViewerBrowse to find the log file and click Open LogViewer Settings Click to set the format of the logs to the default colors Changing LogViewer settings with WFS appliance softwareSelect Edit Find Using LogViewerPaste the data into any text editor Click Browse to find the files to put together Click Merge Click File Merge log filesUsing LogViewer Using LogViewer Creating and Editing Reports Generating Reports of Network ActivitySelect the filter From Historical Reports, click AddType the report name Change the report definition Specifying a Report Time IntervalType the Firebox IP address or host name. Click Add Specifying Report Sections Type the number of items to put in the table Setting Report PropertiesTo consolidate report sections Exporting Reports Complete the Filter tabs Using Report FiltersRunning Reports When finished, click OKReport Sections and Consolidated Sections Change the filter propertiesReport Sections and Consolidated Sections Session Summary Proxied Traffic Consolidated sections Report Sections and Consolidated Sections PKI in a WatchGuard VPN Managing Certificates Certificate AuthorityPublic Key Cryptography and Digital Certificates Certificate Authority CA Certificate Managing the Certificate AuthorityFrom the menu, select the correct Generate a New Certificate Management Server CA CertificateGWvpn gateway name Find and Manage CertificatesReinstate RevokePuts back a certificate that was revoked before DestroyImporting Certificates Managing the Firebox X Edge Firebox SohoNetscape Netscape CommunicatorAdministration Troubleshooting ideasManaging the Firebox X Edge or Soho Device System StatusSystem security and remote management Removing CertificatesFirewall LoggingSelect File Soho Management Clean up on PC Removing Certificates WatchGuard Firebox Software End-User License Agreement Appendix a Copyright and LicensingWatchGuard System Manager Copyright and Trademarks OpenSSL License LicensesOriginal SSLeay License Apache Software License, Version 2.0, January Licenses Pcre License GNU Lesser General Public License Licenses Licenses Licenses GNU General Public License Licenses Licenses Licenses Sleepycat License Licenses General File Locations Appendix B WatchGuard File LocationsQuick Setup Wizard Default File LocationsPolicy Manager for Fireware Appliance Software Firebox System Manager for Fireware Appliance SoftwareHostWatch for Fireware Appliance Software Policy Manager for WFS Appliance Software WatchGuard System ManagerHostWatch for WFS Appliance Software Firebox System Manager for WFS Appliance SoftwareFlash Disk Management for WFS Appliance Software LogViewerLog Server User Interface Management ServerWebBlocker Server Historical Reports Log Server for Fireware Appliance SoftwareLog Server for WFS Appliance Software Management Server User Interface Management Server Setup WizardLog Merge WatchGuard Certificate Authority Default File Locations Index Muvpn Wctp 100