Digital certificates scale better than unique preshared keys because they allow any device to authenticate to any other device, but without the weak security properties of wildcard keys. Digital certificates are not tied to IP addresses but to unique, signed information on the device that is validated by the enterprise's certificate authority (CA). If a hacker compromises or steals a device that holds a digital certificate, the administrator revokes that certificate and notifies all other devices by publishing a new certificate revocation list (CRL). The CRL is a CA-signed list of revoked certificates. When a device receives a tunnel-establishment request in which the peer presents a digital certificate as proof of identity, the device checks the peer's certificate against the CRL. Devices that generate digital certificates, or that validate received certificates during tunnel authentication and establishment, must know the correct time of day (preferably Coordinated Universal Time [UTC]). Time is also used to determine when the CRL expires so that a new one can be retrieved. Although CRL checking can be configured as optional, it should always be enabled on remote and headend devices when digital certificates are deployed: it is the only revocation mechanism for digital certificates, whereas a compromised preshared key is revoked simply by removing it from the uncompromised devices.
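As an added illustration (not from the original text), the checks described above can be modelled with the Python `cryptography` library: a constructed lab CA issues two device certificates, the "stolen" one is revoked through a CRL, and `peer_allowed` rejects revoked peers, refuses to trust an expired CRL, and shows why the device's UTC clock matters. All names, serial numbers and lifetimes are constructed for the example.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build_pki(now):
    """Constructed lab PKI: one CA, two device certs, and a CRL that revokes the stolen one."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    def cert(cn, serial, key, days):  # every certificate here is issued by the lab CA
        return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name("lab-ca"))
                .public_key(key.public_key()).serial_number(serial)
                .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
                .sign(ca_key, hashes.SHA256()))
    ca = cert("lab-ca", 1, ca_key, 365)
    good = cert("branch-router", 10, ec.generate_private_key(ec.SECP256R1()), 30)
    stolen = cert("stolen-router", 11, ec.generate_private_key(ec.SECP256R1()), 30)
    revoked = x509.RevokedCertificateBuilder().serial_number(11).revocation_date(now).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(now).next_update(now + dt.timedelta(days=1))  # CRL is good for one day
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, crl, good, stolen

def peer_allowed(peer, ca, crl, now):
    """Return (allowed, reason). 'now' is the device's UTC clock; every check below depends on it."""
    try:  # 1. the peer certificate must carry our enterprise CA's signature
        ca.public_key().verify(peer.signature, peer.tbs_certificate_bytes,
                               ec.ECDSA(peer.signature_hash_algorithm))
    except InvalidSignature:
        return False, "not signed by our CA"
    if not (peer.not_valid_before <= now <= peer.not_valid_after):  # 2. validity window
        return False, "outside certificate validity window"
    if not crl.is_signature_valid(ca.public_key()):  # 3. the CRL must be CA-signed as well
        return False, "CRL not signed by our CA"
    if now > crl.next_update:  # 4. a stale CRL is unusable; retrieve a fresh one first
        return False, "CRL expired; fetch a new one before accepting peers"
    if crl.get_revoked_certificate_by_serial_number(peer.serial_number) is not None:
        return False, "certificate revoked"  # 5. the administrator published this serial
    return True, "ok"

def demo():  # constructed scenario: a valid peer, the stolen peer, and two wrong-clock cases
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)  # naive UTC, as x509 reports
    ca, crl, good, stolen = build_pki(now)
    return [peer_allowed(good, ca, crl, now)[1], peer_allowed(stolen, ca, crl, now)[1],
            peer_allowed(good, ca, crl, now + dt.timedelta(days=2))[1],
            peer_allowed(good, ca, crl, now - dt.timedelta(days=1))[1]]
```

The last two `demo()` cases are the clock failures the text warns about: a device whose clock has run past the CRL's next-update time must fetch a new CRL before admitting anyone, and a clock set before the certificate's start time rejects even a legitimate peer.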
Digital certificates also provide more key entropy (more bits for seeding functions), public/private key pair aging, and nonrepudiation. Digital certificates do, however, require additional administrative resources to deploy and manage, given their feature complexity. Using a third-party-managed CA rather than an enterprise-managed CA may make deploying an extranet VPN easier. Consider using digital certificates if the size of the VPN grows beyond 20 devices, or even sooner if there are requirements for strong device authentication. Today, the administrative burden of deploying digital certificates to remote-access clients is significant.
Typically, wildcard or group preshared keys are used with remote-access clients for device authentication because the remote IP address is dynamic. As mentioned previously, this form of authentication does not provide strong device authentication. However, because remote-access clients frequently receive new dynamic IP addresses, it is the only option available for preshared keys. By using a strong user-authentication scheme such as one-time passwords (OTPs), the lack of strong device authentication becomes less significant. In a remote-access VPN, users who cannot successfully authenticate are not granted access to the network.