The main usage of certificates in NetDefendOS is with VPN tunnels. The simplest and fastest way
to provide security between the ends of a tunnel is to use Pre-shared Keys (PSKs). As a VPN
network grows so does the complexity of using PSKs. Certificates provide a means to better
manage security in much larger networks.
Certificate Authorities
A
certificate authority
(CA) is a trusted entity that issues certificates to other entities. The CA
digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of
the certificate holder, and guarantees that the certificate has not been tampered with by any
third party.
A CA is responsible for making sure that the information in every certificate it issues is correct. It
also has to make sure that the identity of the certificate matches the identity of the certificate
holder.
Root Certificates and Host Certificates
If a certificate is used for authentication, then it can be referred to as a
Host Certificate
but is
sometimes referred to in NetDefendOS as a
Gateway Certificate
. The certificate will consist
physically of two files, a
.cer
file containing the public key and a
.key
file containing the private
key. Both files must be loaded into NetDefendOS.
If the host certificate is CA signed then the
Root Certificate
provided by the signing CA will also
need to be loaded into NetDefendOS. This is just a single
.cer
file containing the public key of the
CA. Self-signed certificates will not have a corresponding root certificate.
Certificate Chains
A CA can also issue certificates to other CAs. This can lead to a chain-like certificate hierarchy.
Each certificate in the chain is signed by the CA of the certificate directly above it in the chain.
The certificates between the root and host certificates are called
Intermediate Certificates
and
consist physically of a single
.cer
file containing a public key.
The
Certification Path
refers to the path of certificates leading from one certificate to another.
When verifying the validity of a host certificate, the entire path from the host certificate up to the
trusted root certificate has to be available. For this reason, all intermediate certificates between
the root certificate and the host certificate must be loaded into NetDefendOS.
Chained certificates are supported in the following NetDefendOS features:
•
Access with HTTPS to the Web Interface.
•
IPsec VPN.
•
SSL VPN.
•
The TLS ALG.
In NetDefendOS IPsec VPN, the maximum length of a certificate chain is 4. In VPN scenarios with
roaming clients, the client's certificate will be the bottom of the certificate chain.
Validity Time
A certificate is not valid forever. Each certificate contains values for two points in time between
which the certificate is valid. When this validity period expires, the certificate can no longer be
used and a new certificate must be issued.
Chapter 3: Fundamentals
271
Содержание NetDefendOS
Страница 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Страница 32: ...Chapter 1 NetDefendOS Overview 32 ...
Страница 144: ...Chapter 2 Management and Maintenance 144 ...
Страница 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...
Страница 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...
Страница 284: ...Chapter 3 Fundamentals 284 ...
Страница 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...
Страница 392: ...Chapter 4 Routing 392 ...
Страница 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...
Страница 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Страница 420: ...Chapter 5 DHCP Services 420 ...
Страница 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...
Страница 573: ...Chapter 6 Security Mechanisms 573 ...
Страница 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...
Страница 607: ...Chapter 7 Address Translation 607 ...
Страница 666: ...Chapter 8 User Authentication 666 ...
Страница 775: ...Chapter 9 VPN 775 ...
Страница 819: ...Chapter 10 Traffic Management 819 ...
Страница 842: ...Chapter 11 High Availability 842 ...
Страница 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Страница 879: ...Chapter 13 Advanced Settings 879 ...