© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates.
Lesson 5.1 – Configure CA Support on a Cisco Router (Module 5 – Configure Site-to-Site VPNs Using Digital Certificates)

(Optional) Manage NVRAM Memory Usage

Certificates and CRLs are kept in NVRAM, which is small on many routers. Types of certificates stored on a router:
- The identity certificate of the router
- The certificate of the CA
- Root certificates obtained from CA servers
- Two RA certificates, if the CA uses a registration authority (these are CA vendor-specific)

The number of CRLs stored on a router:
- One, if the CA does not support an RA
- Multiple, if the CA supports an RA

If NVRAM cannot hold all of this, turn on query mode with crypto ca certificate query. In query mode the router does not store certificates and CRLs locally but retrieves them from the CA when they are needed, so the CA server must be reachable whenever a certificate has to be validated and there is a performance cost. Leave query mode off unless memory actually requires it.

The router clock must be accurately set before generating RSA key pairs and enrolling with the CA server, because certificates carry validity dates. A router with the wrong time can send a request with a bad start date, reject a valid CA or peer certificate as not yet valid or expired, or keep accepting a certificate that has already expired. Use NTP (or set the clock and time zone manually) and confirm with show clock before continuing.

The router assigns a fully qualified domain name (FQDN) to its keys and certificates. The FQDN is built from the configured host name and IP domain name (the hostname and ip domain-name commands), so set both before generating keys: the FQDN is the name that appears in the router's certificate and identifies the router to its IPsec peers.

Generate RSA Key Pairs

RSA key pairs are used to sign and encrypt IKE key-management messages (the peers authenticate each other with RSA signatures or RSA-encrypted nonces). They must exist before the router can obtain a certificate, because the certificate binds the public half of the pair to the router's identity.

Generating RSA Keys

Two mutually exclusive types of RSA key pairs:
- Special-usage keys: two pairs of RSA keys are created, one for RSA signatures and the other for RSA-encrypted nonces as the IKE authentication method. Each key is used for one purpose only, so neither key is unnecessarily exposed.
- General-purpose keys: one pair of RSA keys is created and used with IKE policies specifying either RSA signatures or RSA-encrypted nonces.

A longer modulus offers stronger security but takes longer to generate and longer to use. Cisco recommended a minimum modulus of 1024 bits when this module was written; 1024-bit RSA is no longer considered adequate, so generate 2048-bit or larger keys on any router that supports them, and check that the CA will sign a request of that size.

Automatic Re-enrollment

The auto-enroll trustpoint subcommand allows the router to re-enroll with the CA server automatically when its certificate is about to expire, instead of depending on an administrator to repeat the manual enrollment. An optional percentage sets how far into the certificate lifetime the renewal request is sent, and the regenerate keyword creates a new key pair for the new certificate. Without automatic re-enrollment, an expired router certificate causes every IPsec tunnel that authenticates with it to fail.

Authenticate the CA

- The router needs to authenticate the CA to verify that it is valid before it trusts anything the CA signs.
- This is done by obtaining the self-signed certificate of the CA, which contains the public key of the CA.
- Because the CA certificate is self-signed, nothing in the download proves it came from the real CA. The public key of the CA should therefore be manually authenticated: contact the CA administrator out of band and compare the fingerprint the router displays with the fingerprint of the genuine CA certificate. Accepting a CA certificate without this check means that anyone on the path to the CA could substitute their own CA and later issue certificates for any peer.
- To get the public key of the CA, use the crypto pki authenticate name command.
- Use the same name that was used when declaring the CA with the crypto pki trustpoint command.

Request a Certificate for the Router

- A signed certificate must be obtained from the CA for each RSA key pair on the router (one certificate for general-purpose keys, two for special-usage keys), using crypto pki enroll name.
- During the enrollment process the router prompts for a challenge password. The CA administrator can use it to validate the identity of the person requesting the certificate, and it is required later to have the CA revoke the certificate. It is not saved in the router configuration, so record it and protect it as a secret.
- If a certificate for the keys already exists, the administrator is prompted to remove the existing certificate first, with the no certificate command under crypto pki certificate chain name.
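The procedure from the preceding slides (clock, FQDN, key pair, trustpoint, CA authentication, enrollment) assembled into one IOS configuration, as an added worked example that is not part of the original module. The host name vpn-gw1, domain example.com, key label VPN-KEYS, trustpoint name LAB-CA, CA URL http://ca.example.com, NTP server 192.0.2.10 and the fingerprint value are all assumed placeholders; replace them with your own, and take the fingerprint only from the CA administrator out of band.

```ios
! Added example, not from the Cisco module. All names, addresses and the
! fingerprint below are placeholders for illustration.
!
! 1. Accurate time first: certificates carry validity dates.
clock timezone UTC 0
ntp server 192.0.2.10
! Check with: show clock / show ntp status
!
! 2. Host name + domain name form the FQDN that goes into the certificate.
hostname vpn-gw1
ip domain-name example.com
!
! 3. One general-purpose pair, 2048 bits (1024 is no longer adequate),
!    given a label so the trustpoint can reference it explicitly.
crypto key generate rsa general-keys label VPN-KEYS modulus 2048
!
! 4. Declare the CA (SCEP enrollment over HTTP), bind it to the key pair,
!    pre-enter the expected CA fingerprint, and turn on automatic renewal.
crypto pki trustpoint LAB-CA
 enrollment url http://ca.example.com:80
 enrollment retry count 5
 enrollment retry period 1
 fqdn vpn-gw1.example.com
 subject-name CN=vpn-gw1.example.com,O=Example
 rsakeypair VPN-KEYS
 revocation-check crl
 ! Placeholder value: the router rejects the CA certificate if the
 ! fingerprint it downloads does not match this pre-entered one.
 fingerprint 0123456789ABCDEF0123456789ABCDEF
 ! Renew at 70% of the certificate lifetime with a fresh key pair.
 auto-enroll 70 regenerate
!
! 5. Fetch and authenticate the CA's self-signed certificate. Compare the
!    displayed fingerprint with the one received out of band and answer
!    'no' on any mismatch.
crypto pki authenticate LAB-CA
!
! 6. Enroll: the router prompts for a challenge password. Record it; it is
!    needed to revoke the certificate and is not saved in the configuration.
crypto pki enroll LAB-CA
!
! 7. IKE policy that actually authenticates peers with the certificate.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes 256
 hash sha
 group 14
!
! Verification:
!   show crypto pki trustpoints
!   show crypto pki certificates   (router and CA certificates present, dates sane)
!   show crypto key mypubkey rsa   (label VPN-KEYS, 2048 bits)
```

The fingerprint line under the trustpoint is the one step that turns the manual out-of-band check into something the router enforces; without it, whoever answers the prompt on the console decides whether to trust the downloaded CA certificate.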

Monitor and Maintain CA Interoperability (Optional)

The following steps are optional, depending on the particular requirements:
- Request a CRL
- Query a CRL
- Delete RSA keys from the router
- Delete peer public keys
- Delete certificates from the configuration
- View keys and certificates

Request a Certificate Revocation List

- When the router receives a certificate from a peer, it downloads a CRL from the CA if it does not already hold a valid one.
- The router then checks the CRL to make sure the certificate the peer sent has not been revoked.
- If the certificate appears on the CRL, the router will not accept the certificate and will not authenticate the peer.
- A CRL can be reused for subsequent certificates until the CRL expires if query mode is off. Revocations the CA publishes after the cached CRL was downloaded are therefore not seen until that CRL expires.
- To request an immediate download of the latest CRL (for example, right after the CA administrator has revoked a compromised peer certificate), use crypto pki crl request name.

Delete RSA Keys from the Router

- If the RSA keys are believed to be compromised, delete them with crypto key zeroize rsa.
- Zeroizing the keys does not revoke the certificates that contain the matching public key. After the RSA keys are deleted, the CA administrator should be asked to revoke the router's certificates at the CA. It will be necessary to supply the challenge password created when the certificates were obtained with the crypto pki enroll command.
- The certificates should also be manually removed from the router configuration, and a new key pair must be generated and enrolled before the router can authenticate with certificates again.

Delete Certificates from the Configuration

The router saves its own certificates, the certificate of the CA, and any RA certificates in its configuration, unless the router is in query mode. To delete one certificate, enter crypto pki certificate chain name and then no certificate followed by the serial number shown by show crypto pki certificates.

Delete Public Keys of a Peer and CA Trustpoints

- If the integrity of a peer public key is doubted, the key should be deleted. Peer RSA public keys that were configured manually are removed under crypto key pubkey-chain rsa with no named-key name or no addressed-key address.
- To delete the CA certificate, the entire CA trustpoint must be removed with no crypto pki trustpoint name. This also removes all certificates associated with that CA, including the router's own, so the router must re-authenticate the CA and re-enroll afterwards.
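The maintenance commands from the last four slides (request a CRL, delete RSA keys, delete certificates, delete peer keys and trustpoints) arranged as the response to a suspected compromise of the router's private key, ending with a fresh enrollment. This is an added example, not part of the original module; the trustpoint LAB-CA, key label VPN-KEYS, peer name peer-gw2.example.com and certificate serial number are assumed placeholders, and the real serial number comes from show crypto pki certificates on the router in question.

```ios
! Added example, not from the Cisco module. Names and the serial number
! are placeholders.
!
! 1. Destroy the compromised private key. Every IKE/IPsec session that
!    authenticates with it fails from this point on.
crypto key zeroize rsa VPN-KEYS
!
! 2. The public half still lives in the router certificate stored in the
!    configuration. If 'show crypto pki certificates' still lists it,
!    remove it by serial number.
crypto pki certificate chain LAB-CA
 no certificate 1A2B3C
!
! 3. Out of band: ask the CA administrator to revoke the router certificate.
!    Have the challenge password from the original 'crypto pki enroll' ready;
!    zeroizing the key does not revoke anything by itself.
!
! 4. Generate a new pair under the same label and obtain a new certificate.
!    The trustpoint still holds the authenticated CA certificate, so only
!    enrollment is repeated; if the CA certificate was removed too, run
!    'crypto pki authenticate LAB-CA' first and check the fingerprint again.
crypto key generate rsa general-keys label VPN-KEYS modulus 2048
crypto pki enroll LAB-CA
!
! 5. Pull the latest CRL now instead of waiting for the cached one to
!    expire, so the router sees the revocation of its old certificate and
!    of any peer revoked in the meantime.
crypto pki crl request LAB-CA
!
! 6. If a manually configured peer public key is also suspect, remove it.
!    (Peers authenticated by certificate do not need these entries.)
crypto key pubkey-chain rsa
 no named-key peer-gw2.example.com
!
! 7. Only if the CA itself can no longer be trusted: drop the whole
!    trustpoint. This deletes every certificate it issued to this router,
!    so it undoes steps 4 and 5 and is left commented out here.
! no crypto pki trustpoint LAB-CA
!
! Verification:
!   show crypto key mypubkey rsa    (only the new VPN-KEYS pair)
!   show crypto pki certificates    (new router certificate, CA certificate, CRL)
```

The ordering matters: zeroizing the key stops the router from using it, but until the CA has revoked the old certificate (step 3) and peers have fetched a CRL that lists it (step 5 on their side), a copy of the stolen key can still be presented to them as this router.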
