Chapter 4 examined the steps involved in using a preshared key as the authentication method when configuring remote access tunnels. As mentioned before, this implementation is not very scalable in larger networks, especially if the keys are somehow compromised: any addition to the existing network, or any key compromise, requires reconfiguring every device that uses preshared keys for authentication. Because a preshared key can be distributed to any device you see fit, there is no way to validate the data's true source. With digital certificates, you verify remote peers by authenticating their identity credentials rather than by their possession of a key. Digital certificates are created by a trusted third-party authority, which binds these credentials to the device's public key (and indirectly to its private key, because the public key is derived from the private key). By establishing complete trust in this third-party authority, any identity credentials it validates are likewise considered valid by every other device that has a trust relationship with that authority. In addition, digital certificates address the scalability problem of preshared keys: an added IPSec client needs to enroll for only its own certificate, as opposed to installing an additional preshared key for every IPSec peer on the network. This chapter looks at the benefits that digital certificates provide for authentication. It also looks at the additional steps required to configure the VPN 3000 Concentrator to enroll for and implement digital certificates.