Ipsec Protocols (Esp/Ah) - D-Link NetDefendOS User Manual

This type of connection is also vulnerable for something called "replay attacks", meaning a
malicious entity which has access to the encrypted traffic can record some packets, store them,
and send them to its destination at a later time. The destination VPN endpoint will have no way
of telling if this packet is a "replayed" packet or not. Using IKE eliminates this vulnerability.
PSK
Using a Pre-shared Key (PSK) is a method where the endpoints of the VPN "share" a secret key.
This is a service provided by IKE, and thus has all the advantages that come with it, making it far
more flexible than manual keying.
PSK Advantages
Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint
authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE.
Instead of using a fixed set of encryption keys, session keys will be used for a limited period of
time, where after a new set of session keys are used.
PSK Disadvantages
One thing that has to be considered when using Pre-Shared Keys is key distribution. How are the
Pre-Shared Keys distributed to remote VPN clients and firewalls? This is a major issue, since the
security of a PSK system is based on the PSKs being secret. Should one PSK be compromised, the
configuration will need to be changed to use a new PSK.
Certificates
Each VPN firewall has its own certificate, and one or more trusted root certificates.
The authentication is based on several things:
• That each endpoint has the private key corresponding to the public key found in its
certificate, and that nobody else has access to the private key.
• That the certificate has been signed by someone that the remote endpoint trusts.
Advantages of Certificates
A principal advantage of certificates is added flexibility. Many VPN clients, for instance, can be
managed without having the same pre-shared key configured on all of them, which is often the
case when using pre-shared keys and roaming clients. Instead, should a client be compromised,
the client's certificate can simply be revoked. No need to reconfigure every client.
Disadvantages of Certificates
The principal disadvantage of certificates is the added complexity. Certificate-based
authentication may be used as part of a larger public key infrastructure, making all VPN clients
and firewalls dependent on third parties. In other words, there are more aspects that have to be
configured, and there is more that can go wrong.

9.3.4. IPsec Protocols (ESP/AH)

The IPsec protocols are the protocols used to protect the actual traffic being passed through the
691
Chapter 9: VPN