through a series of plain text exchanges. Even though the exchanges between the parties might be
monitored by a third party, Diffie-Hellman makes it extremely difficult for the third party to
determine what the agreed shared secret key is and to decrypt data that is encrypted using the key.
Diffie-Hellman is used to establish the shared secret keys for IKE, IPsec and PFS.
The Diffie-Hellman group indicates the degree of security used for DH exchanges. The higher the
group number, the greater the security but also the processing overhead. The DH groups supported
by NetDefendOS are as follows:
•
DH group 1 (768-bit)
•
DH group 2 (1024-bit)
•
DH group 5 (1536-bit)
All these HA groups are available for use with IKE, IPsec and PFS.
9.3.3. IKE Authentication
Manual Keying
The "simplest" way of configuring a VPN is by using a method called manual keying. This is a
method where IKE is not used at all; the encryption and authentication keys as well as some other
parameters are directly configured on both sides of the VPN tunnel.
Note
NetDefendOS does not support manual keying.
Manual Keying Advantages
Since it is very straightforward it will be quite interoperable. Most interoperability problems
encountered today are in IKE. Manual keying completely bypasses IKE and sets up its own set of
IPsec SAs.
Manual Keying Disadvantages
It is an old method, which was used before IKE came into use, and is thus lacking all the
functionality of IKE. This method therefore has a number of limitations, such as having to use the
same encryption/authentication key always, no anti-replay services, and it is not very flexible. There
is also no way of assuring that the remote host/firewall really is the one it says it is.
This type of connection is also vulnerable for something called "replay attacks", meaning a
malicious entity which has access to the encrypted traffic can record some packets, store them, and
send them to its destination at a later time. The destination VPN endpoint will have no way of
telling if this packet is a "replayed" packet or not. Using IKE eliminates this vulnerability.
PSK
Using a Pre-shared Key (PSK) is a method where the endpoints of the VPN "share" a secret key.
This is a service provided by IKE, and thus has all the advantages that come with it, making it far
more flexible than manual keying.
PSK Advantages
9.3.3. IKE Authentication
Chapter 9. VPN
403
Содержание DFL-1600 - Security Appliance
Страница 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...
Страница 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79 ...
Страница 146: ...3 9 DNS Chapter 3 Fundamentals 146 ...
Страница 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227 ...
Страница 241: ...5 4 IP Pools Chapter 5 DHCP Services 241 ...
Страница 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339 ...
Страница 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360 ...
Страница 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382 ...
Страница 386: ... The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386 ...
Страница 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439 ...
Страница 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450 ...
Страница 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488 ...
Страница 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503 ...
Страница 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510 ...
Страница 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533 ...