D-Link DFL-1600 User Manual page 241

Network security firewall
22.1. IPsec
X.509 Certificate
The other option for primary authentication is to use an X.509 certificate
in each VPN gateway. To prove its identity, each gateway owns a
certificate signed by a trusted CA. The certificate proves that the public
key attached to it truly belongs to the gateway holder, and every gateway
also keeps a copy of the CA's public key so that it can trust the CA and
validate the certificates of other gateways issued by that CA.
Compared to the use of PSKs, certificates are more flexible. Many VPN
clients, for instance, can be managed without having the same pre-shared
key configured on all of them, which is often the case when using pre-shared
keys with roaming clients. Instead, should a client be compromised, the
client's certificate can simply be revoked; there is no need to reconfigure
every client. But this method also adds complexity. Certificate-based
authentication may be used as part of a larger infrastructure, making all
VPN clients and gateways dependent on third parties. In other words,
there are more things that have to be configured, and there are more things
that can go wrong.
Identification Lists (ID Lists)
When X.509 certificates are used as the authentication method, the firewall will
accept all remote gateways or VPN clients that are capable of presenting a
certificate signed by any of the trusted Certificate Authorities (CAs). This
can be a potential problem, especially when using roaming clients.
Consider a scenario where employees on the road are to be given access to
the internal corporate networks using VPN clients. The organization
administers its own CA, and certificates have been issued to the
employees. Different groups of employees are likely to have access to
different parts of the internal networks. For instance, members of the sales
force need access to servers running the order system, while technical
engineers need access to technical databases.
As the IP addresses of the travelling employees' VPN clients cannot be
foreseen, the incoming VPN connections from the clients cannot be
differentiated. This means that the firewall is unable to control access
to the various parts of the internal networks.
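The following Python model is an added example and is not code from the D-Link manual or firmware. It contrasts the two gateway decisions discussed here: accepting any non-revoked certificate from a trusted CA (every roaming client looks alike), versus additionally matching the certificate's subject attributes against a per-identity list that maps clients to a rule set. Certificates are plain dicts with a hypothetical layout (issuer, serial, subject DN attributes), and no real X.509 parsing or signature verification takes place.

```python
# Added example, not from the D-Link manual: models the gateway-side
# decision described above. Certificates are plain dicts with a
# hypothetical layout (issuer, serial, subject DN attributes); no real
# X.509 parsing or signature verification is performed.
from typing import Mapping, Optional, Sequence, Tuple

# ID list entry: subject attributes a client must carry, paired with the
# name of the rule set (network access) that entry grants.
IdEntry = Tuple[Mapping[str, str], str]

TRUSTED_CAS = {"CN=Corp Root CA"}        # constructed sample
REVOKED = {("CN=Corp Root CA", 1003)}    # (issuer, serial), constructed

def ca_trusted(cert: dict) -> bool:
    """CA check alone: any non-revoked cert from a trusted CA passes."""
    issuer, serial = cert["issuer"], cert["serial"]
    return issuer in TRUSTED_CAS and (issuer, serial) not in REVOKED

def matches_entry(subject: Mapping[str, str], required: Mapping[str, str]) -> bool:
    """Every attribute in the entry must match; unmentioned ones are free."""
    return all(subject.get(k) == v for k, v in required.items())

def authorize(cert: dict, id_list: Optional[Sequence[IdEntry]] = None) -> Optional[str]:
    """Return the rule set granted to this client, or None to reject.
    With id_list=None the gateway behaves as warned above: every cert
    from a trusted CA is accepted and clients cannot be told apart."""
    if not ca_trusted(cert):
        return None
    if id_list is None:
        return "any-trusted"
    for required, rules in id_list:
        if matches_entry(cert["subject"], required):
            return rules
    return None                  # trusted CA, but not on the ID list

# Constructed sample data: one corporate CA, two departments.
ID_LIST = [({"O": "Corp", "OU": "Sales"}, "order-system"),
           ({"O": "Corp", "OU": "Engineering"}, "tech-databases")]
SALES = {"issuer": "CN=Corp Root CA", "serial": 1001,
         "subject": {"CN": "alice", "O": "Corp", "OU": "Sales"}}
ENGINEER = {"issuer": "CN=Corp Root CA", "serial": 1002,
            "subject": {"CN": "bob", "O": "Corp", "OU": "Engineering"}}
REVOKED_CLIENT = {"issuer": "CN=Corp Root CA", "serial": 1003,
                  "subject": {"CN": "carol", "O": "Corp", "OU": "Sales"}}
OUTSIDER = {"issuer": "CN=Other CA", "serial": 7,
            "subject": {"CN": "dave", "O": "Corp", "OU": "Sales"}}

if __name__ == "__main__":
    for c in (SALES, ENGINEER, REVOKED_CLIENT, OUTSIDER):
        print(c["subject"]["CN"], authorize(c), authorize(c, ID_LIST))
```

Without an ID list, a contractor's certificate from the same corporate CA is accepted exactly like a sales employee's; with the list it is rejected unless an entry covers it.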
The concept of Identification Lists (ID Lists) presents a solution to this
problem. An identification list contains one or more configurable
D-Link Firewalls User's Guide