Netgear FVS328 참조 매뉴얼
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
7-14
Virtual Private Networking
May 2004, 202-10031-01
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are character strings generated using encryption and authentication schemes
which cannot be duplicated by anyone without access to the different values used in the production
of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a
workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification
Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA).
The FVS328 is able to use certificates to authenticate users at the endpoints during the IKE key
exchange process.
which cannot be duplicated by anyone without access to the different values used in the production
of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a
workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification
Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA).
The FVS328 is able to use certificates to authenticate users at the endpoints during the IKE key
exchange process.
The certificates can be obtained from a certificate server an organization might maintain internally
or from the established public CAs. The certificates are produced by providing the particulars of
the user being identified to the CA. The information provided may include the user's name, e-mail
ID, domain name, etc.
or from the established public CAs. The certificates are produced by providing the particulars of
the user being identified to the CA. The information provided may include the user's name, e-mail
ID, domain name, etc.
A CA is part of a trust chain. A CA has a public key which is signed. The combination of the
signed public key and the private key enables the CA process to eliminate ‘man in the middle’
security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the
CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added
to the FVS328 and can then be used to form IKE policies for the user. Once a CA certificate is
added to the FVS328 and a certificate is created for a user, the corresponding IKE policy is added
to the FVS328. Whenever the user tries to send traffic through the FVS328, the certificates are
used in place of pre-shared keys during initial key exchange as the authentication and key
generation mechanism. Once the keys are established and the tunnel is set up the connection
proceeds according to the VPN policy.
signed public key and the private key enables the CA process to eliminate ‘man in the middle’
security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the
CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added
to the FVS328 and can then be used to form IKE policies for the user. Once a CA certificate is
added to the FVS328 and a certificate is created for a user, the corresponding IKE policy is added
to the FVS328. Whenever the user tries to send traffic through the FVS328, the certificates are
used in place of pre-shared keys during initial key exchange as the authentication and key
generation mechanism. Once the keys are established and the tunnel is set up the connection
proceeds according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).
revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FVS328 obtained from the corresponding CA. If the certificate is not present in the
CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
CRL on the FVS328 obtained from the corresponding CA. If the certificate is not present in the
CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
You must manually update the FVS328 CRL regularly in order for the CA-based authentication
process to remain valid.
process to remain valid.