Identification Lists; Using An Identity List - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01
9.3.8. Identification Lists
When certificates are used as the authentication method for IPsec tunnels, the NetDefend Firewall will
accept all remote devices or VPN clients that can present a certificate signed by any of
the trusted Certificate Authorities. This can be a problem, especially when roaming
clients are used.
A Typical Scenario
Consider the scenario of travelling employees being given access to the internal corporate networks
using VPN clients. The organization administers their own Certificate Authority, and certificates
have been issued to the employees. Different groups of employees are likely to have access to
different parts of the internal networks. For example, members of the sales force need access to
servers running the order system, while technical engineers need access to technical databases.
The Problem
Since the IP addresses of the travelling employees' VPN clients cannot be known beforehand, the
incoming VPN connections from the clients cannot be differentiated. This means that the firewall is
unable to control access to the various parts of the internal networks.
The ID List Solution
The concept of Identification Lists presents a solution to this problem. An identification list contains
one or more identities (IDs), where each identity corresponds to the subject field of a certificate.
Identification lists can thus be used to regulate which certificates are given access to which IPsec
tunnels.
Example 9.3. Using an Identity List
This example shows how to create an Identification List and apply it to a VPN tunnel. The Identification List
will contain one ID of type DN (distinguished name) as the primary identifier. Note that this example does
not illustrate how to add the IPsec tunnel object itself.
Command-Line Interface
First create an Identification List:
gw-world:/> add IDList MyIDList
Then, create an ID:
gw-world:/> cc IDList MyIDList
gw-world:/MyIDList> add ID JohnDoe Type=DistinguishedName
        CommonName="John Doe"
        OrganizationName=D-Link
        OrganizationalUnit=Support
        Country=Sweden
        EmailAddress=john.doe@D-Link.com
gw-world:/MyIDList> cc
Finally, apply the Identification List to the IPsec tunnel:
gw-world:/> set Interface IPsecTunnel MyIPsecTunnel
        AuthMethod=Certificate IDList=MyIDList
        RootCertificates=AdminCert
        GatewayCertificate=AdminCert
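The following Python is an added illustration of what an ID list does, not D-Link's code or the NetDefendOS matching implementation. It parses a certificate subject DN, checks it against the identities bound to a tunnel, and shows the problem case from above: a tunnel with no ID list accepts every certificate the trusted CA has signed. The tunnel names, ID lists and subject strings are constructed for the example, and exact equality of every attribute named in an identity is an assumption about the matching rule.

```python
"""Added example: subject-DN identity-list matching modelled on the
NetDefendOS ID list concept. Illustrative code, not D-Link's implementation;
exact-match semantics for each identity attribute are an assumption."""
from dataclasses import dataclass


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514-style subject string ('CN=John Doe,O=D-Link,...')
    into {ATTRIBUTE: value}. A backslash escapes the next character, so
    'O=D-Link\\, Inc.' yields the single value 'D-Link, Inc.'."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends an RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    attrs = {}
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


@dataclass
class IDList:
    """One or more identities; each identity is the set of subject
    attributes a presented certificate must carry (exact match assumed)."""
    name: str
    ids: list

    def matches(self, subject: dict) -> bool:
        return any(
            all(subject.get(k.upper()) == v for k, v in identity.items())
            for identity in self.ids
        )


# Constructed tunnel table: tunnel name -> bound ID list (None = no list bound).
TUNNELS: dict = {
    "SalesTunnel": IDList("SalesIDs", [{"CN": "Jane Roe", "O": "D-Link", "OU": "Sales"}]),
    "EngTunnel": IDList("EngIDs", [{"CN": "John Doe", "O": "D-Link", "OU": "Support"}]),
    "OpenTunnel": None,   # the problem case: any CA-trusted certificate is accepted
}


def authorize(tunnel: str, cert_subject: str, ca_trusted: bool) -> bool:
    """Decide whether a client certificate may use `tunnel`.
    `ca_trusted` stands in for the chain check against the root
    certificates; an ID list only narrows down already-trusted certificates."""
    if not ca_trusted:
        return False
    id_list = TUNNELS[tunnel]
    if id_list is None:
        return True
    return id_list.matches(parse_dn(cert_subject))


# Constructed sample subjects (not taken from the manual).
JOHN = "CN=John Doe,O=D-Link,OU=Support,C=SE,emailAddress=john.doe@D-Link.com"
JANE = "CN=Jane Roe,O=D-Link,OU=Sales,C=SE"
LOOKALIKE = r"CN=John Doe,O=D-Link\, Inc.,OU=Support,C=SE"   # O differs once unescaped

if __name__ == "__main__":
    for who, subj in (("John", JOHN), ("Jane", JANE), ("Lookalike", LOOKALIKE)):
        allowed = [t for t in TUNNELS if authorize(t, subj, ca_trusted=True)]
        print(f"{who:10s} -> {allowed}")
```

Running the block shows John admitted only to EngTunnel, Jane only to SalesTunnel, and the lookalike subject (whose organisation value contains an escaped comma) rejected by both list-bound tunnels, while OpenTunnel admits all three; that last row is exactly the situation an ID list is meant to prevent.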
363
Chapter 9. VPN