
Digital certificates for VPN

Status
Not open for further replies.

kunz12

MIS
Jan 17, 2007
Hello folks -

I've always used PSK to configure any site to site or remote user VPNs. In the past VPN stuff has always been configured manually.

I know a lot of folks out there use certificates for VPN. Can anyone explain what the benefits are of using certificates for VPN access?

I have a client that has several site-2-site VPNs configured with PSKs, and I am wondering how to sell the idea of certificates to the client.

Any help would be appreciated!

Thanks guys!
 
Certificate based authentication comes in handy when you have a large scale VPN solution. It can be cumbersome to have to maintain preshared keys for each site. Digital certs allow you to have a "cookie cutter" config. Each site would request a cert from the CA server. The CA server would be used to manage these certs. If you have VPNs to outside companies this can be useful. If the connection is no longer needed the cert can be revoked and the remote end would no longer be able to establish a tunnel if CRL checking is enabled. Authentication using certs is much more secure than preshared keys also. Certs can also have an expiration date forcing the cert to be renewed. This is more convenient than changing a preshared key every year or 2 if the security policy calls for it.

The downfall is the additional cost. If you use your own CA server then the cost is lower, but if you go with someone like Verisign you will be paying money for each cert.


If your client is constantly adding new VPN sites then I would suggest using EZVPN or even switching to a DMVPN platform.

 
Thanks for your message.

A quick question as a follow up.

Why would certs be more secure than PSKs? Assume I have 10 sites to build tunnels with (all branch offices, no vendor tunnels), then I can use the same PSK for all 10 tunnels. Even if a hacker finds out what PSK I am using, how does it matter? It's not that he will be able to build a tunnel to my ASA if he knew my PSK.

And also, why would I want to change PSKs every year?

I know the client will ask these same questions that I am asking you.

Thanks again!
 
The preshared key is used for authentication. Kind of like your social security number. If someone got your social security number they shouldn't be able to do anything with it, right?

What if they started pretending like they were you?

This is the risk. The only way the remote gateway knows the device it is talking to is indeed who it says it is, is by using the preshared key. Of course there are other pieces of IPSEC that may stop them from completing the phases, but in security you should assume nothing and expect everything.

Does this mean that everyone who's used preshared keys is insecure? No, there are just ways to ensure a higher level of security. Bob's Lawn Care may not care if preshared keys are used. The Department of Defense probably does.

Why is a digital certificate better than a preshared key for authentication? The digital cert has several layers of security.

Host A generates a private key and public key. The host sends the public key to the CA server. The CA server makes a digital fingerprint using its key, approves the cert, and includes the public key of Host A in the cert. It sends this back to Host A.

When Host B wants to establish a VPN with Host A, public key certs are exchanged. The CRL is checked to make sure the other guy is valid (not revoked or expired). Then they use the CA's root cert to check the fingerprint. They know the cert is authentic if it all hashes out :)..

They then use the remote's public keys to encrypt for a secure Diffie-Hellman exchange.
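A worked version of the flow described in the two replies above, added here as an example and not code from either poster: a miniature PKI in Go using only the standard library. The CA issues certs to two gateways, publishes a CRL that revokes one of them, and the peer-side check does what the posts describe (chain to the CA root, validity period, CRL lookup), plus a signed challenge that stands in, in simplified form, for the signature IKE requires over the exchange, which is the part a copied certificate cannot produce without the private key. The function names, host names and serial numbers are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign has the CA (or the root itself) sign a template and returns the parsed cert.
func sign(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueCA creates the self-signed root that every gateway is configured to trust.
func issueCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VPN Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueHost: the gateway makes its own key pair and keeps the private half; the CA
// signs a cert binding the public half to a name, with a lifetime that forces renewal.
func issueHost(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, name string, now time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// buildCRL: the CA publishes a signed list of revoked serials (e.g. a tunnel no longer needed).
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revokedSerials []int64, now time.Time) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revokedSerials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// authenticatePeer: peer cert chains to our CA and is within its validity period;
// the CRL is signed by our CA, is not stale, and does not list the peer's serial.
func authenticatePeer(peer, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("chain check failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by our CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale: refuse rather than guess")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("certificate has been revoked")
		}
	}
	return nil
}

// proveIdentity / checkProof: simplified stand-in for the signature IKE requires over the
// exchange. Only the private-key holder can sign the challenge, so a copied cert alone is useless.
func proveIdentity(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
func checkProof(peer *x509.Certificate, challenge, sig []byte) bool {
	return peer.CheckSignature(x509.ECDSAWithSHA256, challenge, sig) == nil
}
```

Two design points worth noting. The stale-CRL branch fails closed: if CRL checking is enabled and a gateway cannot get a fresh list, it should refuse the tunnel rather than silently fall back to "probably fine". And the expiry check needs no operator action at all, which is the practical answer to the "why change keys every year" question: the cert simply stops working on its NotAfter date unless it was renewed through the CA.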









 