D-Link NetDefend DFL-210 User Manual page 202

9.2.1. IPsec Basics
cryption/authentication key always, no anti-replay services, and it is not very flexible. There is also
no way of assuring that the remote host/firewall really is the one it says it is.
This type of connection is also vulnerable for something called "replay attacks", meaning a mali-
cious entity which has access to the encrypted traffic can record some packets, store them, and send
them to its destination at a later time. The destination VPN endpoint will have no way of telling if
this packet is a "replayed" packet or not. Using IKE eliminates this vulnerability.
Pre-Shared Keys
Using a Pre-shared Key (PSK) is a method where the endpoints of the VPN "share" a secret key.
This is a service provided by IKE, and thus has all the advantages that come with it, making it far
more flexible than manual keying.
Advantages
Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentica-
tion, which is what the PSKs are really for. It also includes all the benefits of using IKE. Instead of
using a fixed set of encryption keys, session keys will be used for a limited period of time, where
after a new set of session keys are used.
Disadvantages
One thing that has to be considered when using Pre-Shared Keys is key distribution. How are the
Pre-Shared Keys distributed to remote VPN clients and firewalls? This is a major issue, since the se-
curity of a PSK system is based on the PSKs being secret. Should one PSK be compromised, the
configuration will need to be changed to use a new PSK.
Certificates
Each VPN firewall has its own certificate, and one or more trusted root certificates.
The authentication is based on several things:
• That each endpoint has the private key corresponding to the public key found in its certificate,
and that nobody else has access to the private key.
• That the certificate has been signed by someone that the remote gateway trusts.
Advantages
Added flexibility. Many VPN clients, for instance, can be managed without having the same pre-
shared key configured on all of them, which is often the case when using pre-shared keys and roam-
ing clients. Instead, should a client be compromised, the client's certificate can simply be revoked.
No need to reconfigure every client.
Disadvantages
Added complexity. Certificate-based authentication may be used as part of a larger public key infra-
structure, making all VPN clients and firewalls dependent on third parties. In other words, there are
more things that have to be configured, and there are more things that can go wrong.
9.2.1.4. IPsec Protocols (ESP/AH)
The IPsec protocols are the protocols used to protect the actual traffic being passed through the
VPN. The actual protocols used and the keys used with those protocols are negotiated by IKE.
Chapter 9. Virtual Private Networks
189