Identifying authentication requirements

A closer look at self-signed certificates

Figure 2-2. Sidewinder self-signed certificate summary

If you have not already done so, decide whether you will use self-signed certificates generated by Sidewinder or certificates issued by a public or private CA server. Table 2-1 summarizes the trade-off.

Table 2-1. Sidewinder self-signed certificates versus CA-based certificates

Scenario                                    Profile
------------------------------------------  -------------------------------------------------------
Using self-signed certificates              - No CA needed
(for a small number of VPN clients)         - Requires one VPN association for each client

Using CA-based certificates                 - Uses a private or public CA
(for a medium to large number of            - Single VPN association for all clients
VPN clients)                                - Can make VPN deployment and management more efficient

A VPN implemented using Sidewinder self-signed certificates does not require an external certificate authority and is relatively easy to configure for a small number of clients (fewer than 10). However, one VPN association must be configured on Sidewinder for each client, because each client certificate is trusted individually rather than through a common issuer. As the number of configured clients grows, so does the administrative time. Figure 2-2 shows the certificates involved in a VPN using Sidewinder self-signed certificates.

[Figure 2-2 (diagram): the Protected Network and Sidewinder on one side, the Internet in the middle, and the Soft-PK client on the other. Sidewinder holds the Firewall Cert. and a copy of the Client Cert.; the Soft-PK client holds the Client Cert. and a copy of the Firewall Cert. File labels in the diagram: *.pem (exported certificate files), *.pk1 (converted client private key) and the PK12 object for importing to Soft-PK. Numbered steps:]

1  Admin creates firewall private key and certificate
2  Admin creates client private key/certificate pair(s)
3  Admin converts client private key & exports certificate files to PK12 object
4  Firewall certificate imported to Soft-PK (private key remains on Sidewinder)
5  Client private key and certificate file (PKCS12) imported into Soft-PK

Note: A self-signed certificate created on Sidewinder remains valid for one year beginning from the date it is created.
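To make the five steps above concrete, the following is an added example (it is not from the Sidewinder manual and these are not Sidewinder or Soft-PK commands) that reproduces the workflow with OpenSSL: a self-signed firewall certificate and a self-signed client certificate are generated with a 365-day lifetime, the client key and certificate are bundled into a PKCS#12 object, and the resulting files are checked. The host name sidewinder.example.com, the client name roadwarrior01, the file names and the passphrase are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example for this page: the five steps of Figure 2-2 reproduced with
# OpenSSL so the certificate relationships can be inspected. These are not
# Sidewinder or Soft-PK commands; the host name, client name, file names and
# PKCS#12 passphrase below are assumptions made for the illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"
FW_CN="sidewinder.example.com"   # assumed firewall identity
CLIENT_CN="roadwarrior01"        # assumed VPN client identity
P12_PASS="changeit"              # demo passphrase protecting the PKCS#12 export

# Steps 1 and 2: a private key plus a self-signed certificate, valid 365 days,
# matching the one-year lifetime the manual notes for Sidewinder certificates.
make_self_signed() {   # $1 = base file name, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Step 3: bundle the client key and certificate into a PKCS#12 object (the
# manual's "PK12 object") for import into the client software.
export_pkcs12() {      # $1 = base file name
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
    -out "$WORK/$1.p12" -passout "pass:$P12_PASS" 2>/dev/null
}

# A self-signed certificate is its own issuer: it verifies against itself.
is_self_signed() {     # $1 = base file name
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Does certificate $2 chain to trust anchor $1? With self-signed certificates
# each peer is its own anchor, which is why one association per client is needed.
verifies_against() {   # $1 = anchor base name, $2 = certificate base name
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Exit 0 if the certificate is still valid $2 seconds from now, 1 if it will
# have expired by then (useful for catching the one-year rollover in advance).
valid_for_seconds() {  # $1 = base file name, $2 = seconds
  openssl x509 -in "$WORK/$1.pem" -noout -checkend "$2" >/dev/null 2>&1
}

# The PKCS#12 object opens with the passphrase and carries a private key.
p12_has_key() {        # $1 = base file name
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$P12_PASS" -nocerts -nodes \
    2>/dev/null | grep -q 'PRIVATE KEY'
}

run_demo() {
  make_self_signed firewall "$FW_CN"     # step 1: firewall key + certificate
  make_self_signed client "$CLIENT_CN"   # step 2: client key + certificate
  export_pkcs12 client                   # step 3: client PKCS#12 for the client
  # Steps 4 and 5 are file transfers: firewall.pem and client.p12 go to the
  # client host; firewall.key stays on the firewall and is never copied.
  echo "firewall certificate:"
  openssl x509 -in "$WORK/firewall.pem" -noout -subject -issuer -enddate
  if verifies_against firewall client; then
    echo "unexpected: client certificate chained to the firewall certificate"
  else
    echo "client certificate does not chain to the firewall certificate;"
    echo "each peer certificate must be trusted individually"
  fi
}

run_demo
```

The subject and issuer printed for the firewall certificate are identical, which is what makes it self-signed, and the verification of the client certificate against the firewall certificate fails because there is no shared issuer: that is the property behind the "one VPN association for each client" row in Table 2-1. Run `valid_for_seconds firewall $((30*86400))` from a monitoring job to be warned a month before the one-year validity period ends.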
