Identifying authentication requirements
Planning Your VPN Configuration
2-3
Identifying authentication requirements
Determine how you will identify and authenticate the partners in your
VPN. Sidewinder and Soft-PK both support digital certificate and
pre-shared key VPN configurations. In addition, when you use
Sidewinder version 5.1.0.02 or later, you can set up Extended
Authentication to add a further authentication step to your VPN network.
The following summarizes the VPN authentication methods.
Using digital certificate authentication
When using digital certificates (or "public key authentication"), each
system in the VPN requires a unique private key file and a
corresponding public key certificate file.
The private key file
A private key file is unique to each system in the network and kept
secret by the holder (VPN client, firewall, etc.). It is used to create
digital signatures and, depending upon the algorithm, to decrypt
data encrypted with the corresponding public key.
The certificate file (with public key)
Certificates contain informational values such as the identity of the
public key's owner, a copy of the public key itself (so others can
encrypt messages to the owner or verify the owner's digital signatures),
an effective date and an expiration date, and the digital signature of
the creating entity (a CA or the firewall).
When using Sidewinder, the trusted source for authorizing key/
certificate pairs can be Sidewinder itself through "self-signed"
certificates, or a public or private Certificate Authority (CA) server (for
example, Netscape, Baltimore, or Entrust). Digital certificate
implementations using Sidewinder/Soft-PK follow the X.509 standard.
IMPORTANT:
You must configure the necessary certificates before you configure the VPN
connection parameters on Sidewinder or Soft-PK.
In addition, digital certificates have an "effective" date and an
"expiration date." Before certificates expire, they must be retrieved
and updated in the VPN gateway (i.e., Sidewinder firewall) to
continue using them in a VPN.
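The following script is an added example that is not part of the Sidewinder/Soft-PK guide and does not use any Sidewinder or Soft-PK tooling. It uses the standard openssl command line to create a constructed self-signed key/certificate pair (standing in for a gateway that acts as its own trusted source), then shows the checks an administrator would run on the files described above: that the certificate is self-signed rather than CA-issued, that the private key file really belongs to the certificate file, and whether the certificate will expire within a warning window so it can be retrieved and updated on the gateway in time. The file names, the subject name vpn-gateway.example.test and the 14-day warning window are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Sidewinder/Soft-PK guide. All file names
# and the subject name below are constructed for this demonstration.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/gateway.key"   # private key file: unique to this system, kept secret
CERT="$WORKDIR/gateway.pem"  # certificate file: public key, identity, dates, signature
WARN_DAYS=14                 # assumed renewal window before the expiration date

# Create a constructed self-signed key/certificate pair (valid 30 days), the
# equivalent of letting the gateway itself be the trusted source instead of a CA.
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=vpn-gateway.example.test" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
    chmod 600 "$KEY"   # only the holder may read the private key file
}

# Print the fields an administrator reviews before loading the certificate:
# owner identity, issuing entity, effective date and expiration date.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -startdate -enddate
}

# Succeed (exit 0) if the certificate is still valid DAYS days from now,
# fail (exit 1) if it will have passed its expiration date by then.
valid_for_days() {
    cert=$1; days=$2
    openssl x509 -in "$cert" -noout -checkend $(( $days * 86400 )) >/dev/null
}

# Succeed if subject and issuer are identical, i.e. the certificate is
# self-signed rather than issued by a separate CA.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Succeed if the public key derived from the private key file equals the public
# key carried in the certificate; a mismatch means a wrong or stale file was copied.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

gen_selfsigned
show_cert "$CERT"
if is_self_signed "$CERT"; then
    echo "trust source: self-signed certificate"
else
    echo "trust source: external CA"
fi
key_matches_cert "$KEY" "$CERT" && echo "private key matches certificate"
if valid_for_days "$CERT" "$WARN_DAYS"; then
    echo "OK: certificate remains valid for at least $WARN_DAYS days"
else
    echo "WARNING: certificate expires within $WARN_DAYS days; retrieve and update it on the gateway"
fi
```

Run the script on a host with openssl installed; to check a real gateway certificate instead of the constructed one, point CERT and KEY at the exported files and drop the call to gen_selfsigned. The expiry check only tests the expiration date (openssl's -checkend), so a certificate whose effective date lies in the future still needs the startdate line from show_cert to be read by hand.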