VPN 3000 REMOTE ACCESS DIGITAL CERTIFICATE CONFIGURATION

  1. Digital certificates bind identities to devices and clients' private/public key pairs. This is helpful to provide device-level authentication and avoid man-in-the-middle attacks during IKE authentication.

  2. Certificate authorities (CAs) issue separate certificates and digitally sign them with their private keys. The CA must certify the authenticity of the user. When peers authenticate to each other during IKE negotiations, the device only needs to ensure that the certificate is valid and signed by a trusted CA.

  3. A public key infrastructure (PKI) is a set of security services that entail the certificate authorities and all their client applications communicating securely in a unified framework.

  4. A central CA structure is a network with a flat design and a single root CA server. A tiered CA structure is hierarchical by design and comprises a root CA and several subordinate CAs. Root CA servers sign subordinate CA certificates and subordinate CAs sign requesters' identity certificates, forming a certificate chain.

  5. You can track compromised certificates via CRLs. These contain a list of digital certificate serial numbers that have been revoked because of an organization change, service removal, name change, or security compromise. CRLs can be accessed via HTTP and LDAP.

  6. Digital certificates are validated by a local device, which compares the validity dates to the system's clock, verifies the digital signature of the certificate with the issuing CA's public key, and optionally checks the CRL.

  7. To enroll for an identity certificate, the VPN 3000 Concentrator and the VPN 3002 Hardware Client must generate a PKCS#10 certificate request to the issuing CA. This can be a manual process in which you cut and paste file contents from the management workstation, or it can be automated over the network if you use the Simple Certificate Enrollment Protocol (SCEP).

  8. Identity digital certificates contain the requester's identification information, public key, and some information about the issuing CA. They are typically in X.509 v3 format and encoded in either Privacy Enhanced Mail (PEM) Base64 or Distinguished Encoding Rules (DER) format.

  9. The OU field in the identity certificate must coincide with the group name in the VPN 3000 Concentrator if you want to implement digital certificates for IKE authentication.

  10. Know the processes for manual and automatic certificate enrollment and the parameters involved in the Administration | Certificate Management screens.

  11. Root certificates are used to validate identity certificates that are sent during IKE authentication. The receiving device uses the CA's or subordinate CA's public key to verify whether the digital signature on the certificate is valid.

  12. When installing the certificate, it is imperative that you install the CA root certificate first, followed by the X.509 identity certificate of the concentrator or hardware client.

  13. You must modify IKE and IPSec SA parameters to include digital certificates during IKE negotiations. The concentrator must have an RSA or DSA IKE proposal active. The IKE proposal and requested digital certificate must then be associated with an IPSec SA.
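The following Go program is an added worked example, not code from the book or from Cisco, that walks through the pieces items 4 through 7, 9 and 11 describe: a tiered PKI (root CA signing a subordinate CA, which signs the requester's identity certificate), enrollment from a PKCS#10 request, a CRL published by the issuing CA, and the receiving device's validation steps (validity dates against the clock, signature chain back to the trusted root, CRL lookup, and the OU-to-group-name match). All names are constructed for the example: the CA common names, the host name vpn3000.example.test, and the group name vpnusers stand in for whatever a real deployment would use; the Go standard library's crypto/x509 package does the certificate work.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed tiered PKI: root CA -> subordinate CA -> identity certificate.
type Chain struct {
	Root, Sub, Identity *x509.Certificate
	SubKey              *rsa.PrivateKey // the subordinate CA also signs the CRL
}

// caTemplate returns a CA certificate template valid for one day around now.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// issue signs tmpl with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain stands up the root and subordinate CAs, then enrolls an identity
// certificate from a PKCS#10 request whose OU carries the concentrator group name.
func BuildChain(groupName string) (*Chain, error) {
	keys := make([]*rsa.PrivateKey, 3)
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, subKey, idKey := keys[0], keys[1], keys[2]
	rootTmpl := caTemplate("Constructed Root CA", 1)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed root
	if err != nil {
		return nil, err
	}
	sub, err := issue(caTemplate("Constructed Sub CA", 2), root, &subKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// Client side of enrollment: a PKCS#10 request carrying the requester's identity
	// and public key, signed with the requester's own private key.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "vpn3000.example.test", OrganizationalUnit: []string{groupName}},
	}, idKey)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	// CA side: copy subject and key from the request into an end-entity certificate.
	id, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, sub, csr.PublicKey, subKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Sub: sub, Identity: id, SubKey: subKey}, nil
}

// IssueCRL has the subordinate CA publish a CRL listing the given revoked serial numbers.
func IssueCRL(c *Chain, revoked ...*big.Int) ([]byte, error) {
	now := time.Now()
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, c.Sub, c.SubKey)
}

// Validate performs the receiving device's checks: validity dates against the clock,
// signature chain back to the trusted root, CRL lookup, then the OU-to-group match.
func Validate(c *Chain, crlDER []byte, groupName string, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Sub)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := c.Identity.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(c.Sub); err != nil { // trust the CRL only if its issuer signed it
		return fmt.Errorf("crl: %w", err)
	}
	for _, e := range crl.RevokedCertificates { // field kept for compatibility with older Go releases
		if e.SerialNumber.Cmp(c.Identity.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", e.SerialNumber)
		}
	}
	if ou := c.Identity.Subject.OrganizationalUnit; len(ou) != 1 || ou[0] != groupName {
		return fmt.Errorf("OU %v does not match group %q", ou, groupName)
	}
	return nil
}

func main() {
	chain, err := BuildChain("vpnusers")
	if err != nil {
		panic(err)
	}
	crl, _ := IssueCRL(chain) // empty CRL: nothing revoked yet
	fmt.Println("valid:", Validate(chain, crl, "vpnusers", time.Now()))
	crl, _ = IssueCRL(chain, chain.Identity.SerialNumber)
	fmt.Println("after revocation:", Validate(chain, crl, "vpnusers", time.Now()))
}
```

The order of checks in Validate mirrors item 12: the root is what the verifier trusts, the subordinate CA certificate is supplied as an intermediate, and only after the chain and CRL pass does the OU field get compared with the group name, so a certificate from the right CA but the wrong group is still rejected.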



CCSP CSVPN Exam Cram 2 (Exam 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185
