Diffie-Hellman (Dh) Key Groups; Perfect Forward Secrecy (Pfs); X-Auth (Extended Authentication); Authentication Server - ZyXEL Communications Internet Security Appliance ZyWALL5UTM 4.0 User Manual

ZyWALL 5/35/70 Series User's Guide

19.8.3 Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish
a shared secret over an unsecured communications channel. Diffie-Hellman is used within
IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 –
DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman
exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For
authentication, use pre-shared keys.

19.8.4 Perfect Forward Secrecy (PFS)

Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand
new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS
enabled, if one key is compromised, previous and subsequent keys are not compromised,
because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-
Hellman exchange is the trade-off for this extra security.
This may be unnecessary for data that does not require such security, so PFS is disabled
(None) by default in the ZyWALL. Disabling PFS means new authentication and encryption
keys are derived from the same root secret (which may have security implications in the long
run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).

19.9 X-Auth (Extended Authentication)

Extended authentication provides added security by allowing you to use usernames and
passwords for VPN connections. This is especially helpful when multiple ZyWALLs use one
VPN rule to connect to a single ZyWALL. An attacker cannot make a VPN connection
without a valid username and password.
The extended authentication server checks the user names and passwords of the extended
authentication clients before completing the IPSec connection (see
A ZyWALL can be an extended authentication server for some VPN connections and an
extended authentication client for other VPN connections.

19.9.1 Authentication Server

A ZyWALL set to be a VPN extended authentication server can use either the local user
database internal to the ZyWALL or an external RADIUS server for an unlimited number of
users. The ZyWALL uses the same local user database for VPN extended authentication and
wireless LAN security.
311
Chapter 21 on page 366).
Chapter 19 VPN Screens