D-Link DFL-260 Product Manual - Page 398
IPsec Protocols (ESP/AH)
UPC - 790069296802
View all D-Link DFL-260 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 398 highlights
9.3.4. IPsec Protocols (ESP/AH) Chapter 9. VPN Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE. Instead of using a fixed set of encryption keys, session keys will be used for a limited period of time, where after a new set of session keys are used. PSK Disadvantages One thing that has to be considered when using Pre-Shared Keys is key distribution. How are the Pre-Shared Keys distributed to remote VPN clients and firewalls? This is a major issue, since the security of a PSK system is based on the PSKs being secret. Should one PSK be compromised, the configuration will need to be changed to use a new PSK. Certificates Each VPN firewall has its own certificate, and one or more trusted root certificates. The authentication is based on several things: • That each endpoint has the private key corresponding to the public key found in its certificate, and that nobody else has access to the private key. • That the certificate has been signed by someone that the remote endpoint trusts. Advantages of Certificates A principal advantage of certificates is added flexibility. Many VPN clients, for instance, can be managed without having the same pre-shared key configured on all of them, which is often the case when using pre-shared keys and roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client. Disadvantages of Certificates The principal disadvantage of certificates is the added complexity. Certificate-based authentication may be used as part of a larger public key infrastructure, making all VPN clients and firewalls dependent on third parties. In other words, there are more aspects that have to be configured, and there is more that can go wrong. 9.3.4. IPsec Protocols (ESP/AH) The IPsec protocols are the protocols used to protect the actual traffic being passed through the VPN. The actual protocols used and the keys used with those protocols are negotiated by IKE. There are two protocols associated with IPsec, AH and ESP. These are covered in the sections below. AH (Authentication Header) AH is a protocol used for authenticating a data stream. 398