Using An Identity List - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05
9.2.4. Identification Lists
roaming clients.
Consider the scenario of travelling employees being given access to the internal corporate networks
using VPN clients. The organization administers its own Certificate Authority, and certificates
have been issued to the employees. Different groups of employees are likely to need access to
different parts of the internal networks. For instance, members of the sales force need access to
servers running the order system, while technical engineers need access to technical databases.
Since the IP addresses of the travelling employees' VPN clients cannot be known beforehand, the
incoming VPN connections from the clients cannot be differentiated by source address. This means that
the firewall is unable to control access to the various parts of the internal networks.
The concept of Identification Lists presents a solution to this problem. An identification list contains
one or more identities (IDs), where each identity corresponds to the subject field of an X.509
certificate. Identification lists can thus be used to regulate which X.509 certificates are given
access to which IPsec tunnels: a client is admitted to a tunnel only when its certificate both
validates against the tunnel's configured root certificate and has a subject matching an entry in
the tunnel's identification list.
Example 9.3. Using an Identity List
This example shows how to create an Identification List and apply it to a VPN tunnel. The Identification
List will contain one ID of type DN (Distinguished Name) as the primary identifier. Note that this example
does not show how to add the IPsec tunnel object itself.
CLI
First create an Identification List:
gw-world:/> add IDList MyIDList
Then create an ID:
gw-world:/> cc IDList MyIDList
gw-world:/MyIDList> add ID JohnDoe Type=DistinguishedName
CommonName="John Doe" OrganizationName=D-Link
OrganizationalUnit=Support Country=Sweden
EmailAddress=john.doe@D-Link.com
gw-world:/MyIDList> cc
Finally, apply the Identification List to the IPsec tunnel:
gw-world:/> set Interface IPsecTunnel MyIPsecTunnel AuthMethod=Certificate
IDList=MyIDList RootCertificates=AdminCert GatewayCertificate=AdminCert
Web Interface
First create an Identification List:
1. Go to Objects > VPN Objects > ID List > Add > ID List
2. Enter a name for the identification list, e.g. MyIDList
3. Click OK
Then create an ID:
1. Go to Objects > VPN Objects > ID List
2. In the grid control, click on MyIDList
3. Enter a name for the ID, e.g. JohnDoe
4. Select Distinguished name in the Type control
5. Now enter the subject attributes the ID must match:
   CommonName="John Doe" OrganizationName=D-Link
   OrganizationalUnit=Support Country=Sweden
   EmailAddress=john.doe@D-Link.com
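The following Python model is an added example and is not code from the D-Link manual or from NetDefendOS. It shows the access decision that Example 9.3 configures: a client certificate is admitted to the tunnel only if it chains to the tunnel's root certificate and its subject DN matches an ID in the list. The matching semantics are assumptions drawn from the manual's wording (an ID of type DistinguishedName pins the subject attributes it sets, an attribute it leaves unset is not checked), the certificates are constructed issuer/subject DN strings rather than real X.509 objects, and the names `MyIDList`, `SalesList`, `JohnDoe`, `Jane Roe` and `Corp Root CA` are illustrative.

```python
"""Added example, not code from the D-Link manual: a model of how an
Identification List restricts which X.509 certificates may use an IPsec
tunnel.  Assumed semantics (read from the manual text, not NetDefendOS
source): an ID of type DistinguishedName pins subject attributes, an
attribute the ID leaves unset is not checked, and the certificate must
also chain to the tunnel's RootCertificates.  Certificates are modelled
as issuer/subject DN strings, not real X.509 objects."""
from __future__ import annotations
from dataclasses import dataclass, field

# Manual field names -> RFC 4514 short types, so IDs and subjects share keys.
ATTR_ALIASES = {
    "commonname": "CN", "cn": "CN",
    "organizationname": "O", "o": "O",
    "organizationalunit": "OU", "ou": "OU",
    "country": "C", "c": "C",
    "emailaddress": "EMAIL", "email": "EMAIL", "e": "EMAIL",
}


def norm_attr(name: str) -> str:
    return ATTR_ALIASES.get(name.strip().lower(), name.strip().upper())


def parse_dn(dn: str) -> dict[str, str]:
    """Parse an RFC 4514 string DN into {type: value}.  A backslash escapes
    the next character, so 'O=Acme\\, Inc.' keeps its comma.  Multi-valued
    RDNs ('+') and hex escapes are not handled."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    subject = {}
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        k, v = rdn.split("=", 1)
        subject[norm_attr(k)] = v.strip()
    return subject


@dataclass
class Identity:
    """One ID of type DistinguishedName; every attribute set here must
    appear with an identical value in the certificate subject."""
    name: str
    attrs: dict[str, str]

    def matches(self, subject: dict[str, str]) -> bool:
        return all(subject.get(k) == v for k, v in self.attrs.items())


@dataclass
class IDList:
    name: str
    ids: list[Identity] = field(default_factory=list)

    def add_id(self, name: str, **attrs: str) -> IDList:
        self.ids.append(Identity(name, {norm_attr(k): v for k, v in attrs.items()}))
        return self

    def match(self, subject_dn: str) -> str | None:
        """Name of the first ID matching the subject, or None."""
        subject = parse_dn(subject_dn)
        return next((i.name for i in self.ids if i.matches(subject)), None)


@dataclass
class Cert:
    """Stand-in for a client certificate (constructed, not real X.509)."""
    issuer: str
    subject: str


def tunnel_accepts(cert: Cert, root_issuer: str, id_list: IDList | None) -> tuple[bool, str]:
    """AuthMethod=Certificate decision: trust chain first, then the ID list.
    With no ID list every certificate from the trusted CA gets in, which is
    the problem the manual describes."""
    if parse_dn(cert.issuer) != parse_dn(root_issuer):
        return False, "issuer is not the tunnel's root certificate"
    if id_list is None:
        return True, "trusted CA, no ID list"
    who = id_list.match(cert.subject)
    return (True, f"matched ID {who}") if who else (False, f"subject not in {id_list.name}")


# Constructed sample data.  The manual writes Country=Sweden; a real C
# attribute carries the ISO code, so SE is used here.
CORP_CA = "CN=Corp Root CA,O=D-Link,C=SE"
MY_ID_LIST = IDList("MyIDList").add_id(
    "JohnDoe", CommonName="John Doe", OrganizationName="D-Link",
    OrganizationalUnit="Support", Country="SE", EmailAddress="john.doe@D-Link.com")
# A group-style list for the sales-force scenario: only O and OU are pinned.
SALES_LIST = IDList("SalesList").add_id("SalesStaff", OrganizationName="D-Link", OrganizationalUnit="Sales")

JOHN = Cert(CORP_CA, "CN=John Doe,O=D-Link,OU=Support,C=SE,E=john.doe@D-Link.com")
JANE = Cert(CORP_CA, "CN=Jane Roe,O=D-Link,OU=Sales,C=SE,E=jane.roe@D-Link.com")
ROGUE = Cert("CN=Other CA,O=Elsewhere,C=US", JOHN.subject)  # same subject, wrong CA

if __name__ == "__main__":
    for label, cert, lst in [("john/MyIDList", JOHN, MY_ID_LIST), ("jane/MyIDList", JANE, MY_ID_LIST),
                             ("jane/SalesList", JANE, SALES_LIST), ("jane/no list", JANE, None),
                             ("rogue/MyIDList", ROGUE, MY_ID_LIST)]:
        print(label, tunnel_accepts(cert, CORP_CA, lst))
```

The `SalesList` case shows the group-based control the manual motivates: an ID that pins only O and OU admits every sales certificate issued by the corporate CA without listing each employee. Whether NetDefendOS treats an unset attribute as "not checked" in exactly this way is an assumption of this model and should be confirmed against the product's reference documentation before relying on it; the rogue-CA case is the reminder that the ID list supplements chain validation against `RootCertificates` rather than replacing it.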
Chapter 9. Virtual Private Networks