Identifying authentication requirements

A closer look at CA-based certificates

A VPN implemented using CA-based certificates requires access to a private or public CA. Each end-point (client, firewall, etc.) in the VPN retains a private key file that is associated with a public certificate. In addition, each end-point in the VPN needs the CA root certificate on their system. Figure 2-3 shows the certificates involved in a VPN using CA-based certificates.

Figure 2-3. CA-based digital certificate summary

[Figure: a private CA server (could be a public CA server not in the network) issues certificates to the Sidewinder firewall in front of the Protected Network and to the Soft-PK client on the Internet; each end-point holds its own key and certificate (labelled *.pk and *.pem in the figure) together with the CA root certificate.]

1. Admin requests CA root certificate
2. Admin requests firewall certificate
3. Admin provides CA root certificate to client (or instructions to obtain it)
4. Admin provides client key/certificate to client (or instructions to obtain it)
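The four steps of Figure 2-3 carried out with OpenSSL, as an added example that is not part of the SafeNet manual: a private CA issues the firewall and client certificates, each end-point certificate is then verified against the CA root, and a certificate from an unrelated CA is shown to be rejected. File names, subject names and the "unrelated" CA are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the SafeNet/Sidewinder manual: a private CA
# issues the firewall and client certificates of Figure 2-3, and each
# end-point certificate is then checked against the CA root (*.pem).
# File names, subject names and the unrelated CA are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root for a CA ($1 = file stem, $2 = subject CN)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1-root.pem" 2>/dev/null
}
# Key + CSR for an end-point ($1 = stem, $2 = CN), signed by CA stem $3
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3-root.pem" -CAkey "$3.key" \
    -CAcreateserial -days 365 -out "$1.pem" 2>/dev/null
}
# What each VPN end-point does with the peer's certificate in IKE Phase 1:
# build a chain from it to the CA root it holds. Returns 0 only on success.
verify_against_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca ca "Example Private CA"            # step 1: CA root certificate
issue_cert firewall sidewinder.example ca  # step 2: firewall certificate
issue_cert client softpk-user ca           # step 4: client key/certificate
# Step 3 is distributing ca-root.pem to the client; both sides then verify:
verify_against_root ca-root.pem firewall.pem
verify_against_root ca-root.pem client.pem
echo "firewall and client certificates chain to the private CA root"

# Negative case: a certificate from an unrelated CA must be rejected,
# even though it is well-formed and unexpired.
make_ca other "Unrelated CA"
issue_cert intruder softpk-user other
if verify_against_root ca-root.pem intruder.pem; then
  echo "ERROR: certificate from an unrelated CA was accepted"; exit 1
fi
echo "certificate from an unrelated CA correctly rejected"
```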

Understanding pre-shared key authentication

A pre-shared key (referred to as shared password by Sidewinder) is an alphanumeric string—from eight to 54 characters—that can replace a digital certificate as the means of identifying a communicating party during a Phase 1 IKE negotiation. This key/password is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Once you both have this key/password, you would both have to enter it into your respective IPSec-compliant devices (e.g., firewall and software client). Using a pre-shared key/password for authentication is the easiest type of VPN association to configure.

IMPORTANT: You should only use this method along with Extended Authentication.

Planning Your VPN Configuration

Secure Computing Sidewinder Version 5.1.0.02, SafeNet manual Understanding pre-shared key authentication