Certificates
Each VPN firewall has its own certificate, and one or more trusted root certificates.
The authentication is based on several things:
•
That each endpoint has the private key corresponding to the public key found in its certificate,
and that nobody else has access to the private key.
•
That the certificate has been signed by someone that the remote endpoint trusts.
Advantages of Certificates
A principal advantage of certificates is added flexibility. Many VPN clients, for instance, can be
managed without having the same pre-shared key configured on all of them, which is often the case
when using pre-shared keys and roaming clients. Instead, should a client be compromised, the
client's certificate can simply be revoked. No need to reconfigure every client.
Disadvantages of Certificates
The principal disadvantage of certificates is the added complexity. Certificate-based authentication
may be used as part of a larger public key infrastructure, making all VPN clients and firewalls
dependent on third parties. In other words, there are more aspects that have to be configured, and
there is more that can go wrong.
9.3.4. IPsec Protocols (ESP/AH)
The IPsec protocols are the protocols used to protect the actual traffic being passed through the
VPN. The actual protocols used and the keys used with those protocols are negotiated by IKE.
There are two protocols associated with IPsec, AH and ESP. These are covered in the sections
below.
AH (Authentication Header)
AH is a protocol used for authenticating a data stream.
Figure 9.1. The AH protocol
AH uses a cryptographic hash function to produce a MAC from the data in the IP packet. This MAC
is then transmitted with the packet, allowing the remote gateway to verify the integrity of the
original IP packet, making sure the data has not been tampered with on its way through the Internet.
9.3.4. IPsec Protocols (ESP/AH)
Chapter 9. VPN
339
Содержание 800 - DFL 800 - Security Appliance
Страница 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...
Страница 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...
Страница 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...
Страница 166: ...interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 Routing 166 ...
Страница 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...
Страница 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...
Страница 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...
Страница 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...
Страница 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...
Страница 303: ... Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authentication 303 ...
Страница 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...
Страница 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...
Страница 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...
Страница 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...
Страница 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...
Страница 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...
Страница 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...