手工密钥 IPSec VPN

IPSec VPN

 

 

IPSec 提供了两种控制密钥交换和管理的方法:手工密钥和 IKE 自动密钥管理。

·手工密钥

·使用预置密钥或证书的自动互联网密钥交换 ( 自动 IKE)

手工密钥

当选择了手工密钥之后,通道两端的安全参数必须互相匹配。包括加密和认证密钥 在内的这些设置必须保密,从而避免未经授权的人员对数据解密,哪他们知道加密 所使用的算法。

使用预置密钥或证书的自动互联网密钥交换 ( 自动 IKE)

为了便于部署多个通道,自动密钥管理系统是必须的。IPSec 支持使用互联网密钥 交换协议进行自动密钥生成和协商。这种密钥管理方法通常被称做自动 IKE。Fortinet 支持预置密钥的 IKE 和证书 IKE。

预置密钥的自动 IKE

通过在会话的两端配置相同的预置密钥,可以使他们通过这一方法彼此验证对方。 对等的双方不必正把密钥发送给对方。取而代之的是,作为安全协商过程的一部分, 他们可以将密钥和 Diffie-Hellman 组结合起来创建一个会话密钥。这个会话密钥可以 用于加密和认证的目的,并且在通讯会话的过程中通过 IKE 自动重建。

预置密钥与手工设置密钥相似的地方在于他们都需要网络管理员去分配和管理 VPN 通道两端的匹配信息。当一个预置密钥改变时,系统管理员必须更新通道两端的设置。

使用证书的 自动 IKE

这种密钥管理方法需要一个受信任的第三方,证书发布中心 (CA)的参与。在一 个 VPN 中对等的双方首先请求生成一系列密钥,通常被称做公钥 / 私钥对。CA 为每一 方的公钥签名,创建一个签名的数字证书。对等的双方可以联系 CA 以找回他们自己的 证书,加上 CA 自己的。一旦证书被上载到 FortiGate 设备,并配置好了适当的策略和 IPSec 通道,那么双方就可以发起通讯了。在通讯中,IKE 负责管理证书交换,从一方 将签名的数字证书传送到另一方。这个签名的数字证书的有效性由每一端的 CA 证书验 证。当认证完成时,IPSec 通道就建立起来了。

在某些方面,证书类似于手工密钥管理或预置密钥。因此,证书最适合部署大型网 络。

手工密钥 IPSec VPN

使用手工密钥时,必须在通道的两端输入补充的安全参数。除了加密和认证用的算 法和密钥之外,还需要输入安全参数索引 (SPI)。SPI 是一个任意值,它定义了双方 之间的通讯的结构。在其他的方式中 SPI 是自动生成的,但是在手工密钥配置中它必 须作为 VPN 设置的一部分事先输入。

182

美国飞塔有限公司

Page 194
Image 194
Fortinet 500 manual 手工密钥 IPSec VPN, 使用预置密钥或证书的自动互联网密钥交换 自动 Ike, 预置密钥的自动 Ike, 使用证书的 自动 Ike

500 specifications

Fortinet 500 is a next-generation firewall (NGFW) that is part of Fortinet's acclaimed FortiGate family, designed to provide advanced security for medium to large enterprises. This appliance is known for its high performance, flexibility, and ability to protect networks from a variety of cyber threats through its robust features and technologies.

One of the main features of the Fortinet 500 is its integrated security capabilities. It combines multiple security functions into a single device, allowing organizations to manage everything from intrusion prevention and antivirus to web filtering and application control. This integration leads to simplified management and increased efficiency, as users can address multiple security needs without deploying multiple devices.

The Fortinet 500 runs on the FortiOS operating system, which is known for its simplicity and user-friendliness. FortiOS provides a centralized management interface that allows for the easy configuration and monitoring of security policies across the entire network. Additionally, the Fortinet management tools, such as FortiManager and FortiAnalyzer, enable detailed insights and reporting capabilities, helping organizations stay compliant with their security mandates.

Another characteristic that sets Fortinet 500 apart is its advanced threat intelligence, powered by the FortiGuard Labs. This global threat intelligence system continuously updates the firewall with the latest threat signatures and attack vectors, ensuring that organizations stay ahead of emerging threats. The firewall also employs machine learning and artificial intelligence to detect and mitigate sophisticated attacks in real-time.

Performance is crucial in any security appliance, and the Fortinet 500 does not disappoint. With hardware acceleration and purpose-built security processors, it delivers high throughput levels, enabling organizations to maintain productivity without sacrificing security. This level of performance is particularly beneficial in environments with heavy traffic and bandwidth demands.

In addition to these core features, the Fortinet 500 supports seamless integration with other security solutions within the Fortinet Security Fabric. This comprehensive approach allows for greater visibility and control over the entire security posture of an organization.

Overall, the Fortinet 500 is a powerful NGFW that offers a blend of advanced security features, ease of management, top-notch performance, and robust threat intelligence. Its ability to adapt to the ever-evolving landscape of cybersecurity makes it a valuable asset for businesses seeking to safeguard their digital assets and ensure seamless network operation.