
IPSec Tunnel Overview

Each IPSec tunnel is defined by a local tunnel endpoint and a remote tunnel endpoint. Packets whose destination address matches the private network prefix are encrypted and encapsulated in a tunnel packet that is routable through the outside network. The source address of the tunnel packet is the local gateway, and the destination address is the remote gateway. Once the encapsulated packet reaches the other side, the remote endpoint removes the outer header and determines how to route the inner packet.

Security Associations

An IPSec security association (SA) is a set of rules that IPSec tunnel gateways apply to the traffic they transport. IPSec security associations are established either manually, through configuration statements, or by Internet Key Exchange (IKE). In the case of manually configured security associations, the connection is established when both ends of the tunnel are configured, and it lasts until one of the endpoints is taken offline. For IKE security associations, connections are established only when traffic is sent through the tunnel, and they dissolve after a preset amount of time or traffic.

Translating Outgoing Traffic

Outgoing (egress) traffic across the tunnel must be marked with the outbound tunnel endpoint address so that the stateful firewall filter on the opposite side of the tunnel can match it. Packet tagging is performed by Network Address Translation (NAT). The source address of outbound packets is translated to the local gateway address so that, to the remote gateway, all packets appear to originate from the local endpoint. Address translation enables the remote gateway to filter packets by source address to determine which packets are to be transported through the tunnel.
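The three decisions described above (prefix match at the local gateway, SA lifetime, source translation and the peer-address filter at the remote gateway) as one added Python model; this is example code, not Services Router software, and the gateway addresses, prefixes and lifetimes are constructed values. Encryption of the inner packet is deliberately left out so the addressing logic stays visible.

```python
from dataclasses import dataclass
import ipaddress


@dataclass
class SecurityAssociation:
    """Constructed model of one SA: endpoints, protected prefix, IKE-style lifetimes."""
    local_gw: str
    remote_gw: str
    private_prefix: ipaddress.IPv4Network
    lifetime_seconds: int
    lifetime_bytes: int
    established_at: int
    bytes_sent: int = 0

    def expired(self, now):
        # IKE SAs dissolve after a preset amount of time or traffic, whichever comes first
        return (now - self.established_at >= self.lifetime_seconds
                or self.bytes_sent >= self.lifetime_bytes)


def make_sa(local_gw, remote_gw, prefix, lifetime_seconds=3600, lifetime_bytes=1000, now=0):
    return SecurityAssociation(local_gw, remote_gw, ipaddress.ip_network(prefix),
                               lifetime_seconds, lifetime_bytes, now)


def egress(sa, pkt, now):
    """Local gateway: tunnel packets for the remote private prefix, pass others in the clear.
    Returns the outer tunnel packet, or None when the packet is not tunnelled."""
    if ipaddress.ip_address(pkt["dst"]) not in sa.private_prefix:
        return None
    if sa.expired(now):
        raise RuntimeError("SA expired; IKE must negotiate a fresh one before sending")
    sa.bytes_sent += len(pkt["payload"])
    # NAT step: the inner source becomes the local gateway address, so the remote
    # side's filter sees every tunnelled packet originating from this endpoint.
    inner = dict(pkt, src=sa.local_gw)
    return {"src": sa.local_gw, "dst": sa.remote_gw, "inner": inner}


def ingress(sa, outer):
    """Remote gateway: accept only tunnel packets from the expected peer, then
    hand the decapsulated packet back to ordinary routing (None = dropped)."""
    if outer["src"] != sa.remote_gw or outer["dst"] != sa.local_gw:
        return None            # outer header not from the configured peer
    inner = outer["inner"]
    if inner["src"] != sa.remote_gw:
        return None            # translated source must be the peer gateway as well
    return inner
```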

Public Key Infrastructure (PKI) and Digital Certificates Overview

Traditionally, cryptography uses a single private, or secret, key shared by the parties exchanging data. The key is a mathematical value that the sender uses to encrypt a message and the receiver uses to decrypt it. This process is called symmetric cryptography. Its main problem is key management: how to create and store the key, and how to transmit it to those who need it to decrypt the messages sent to them.

Key management is addressed by public-key cryptography, which creates two different keys for anyone who needs to transmit encrypted information. The two keys, called a key pair, are produced at the same time by a mathematical algorithm such as RSA and are bound by a precise mathematical relationship. As a result, when either key of the pair is used to encrypt a message, the other is used to decrypt it.

Once a key pair is generated, it can be used to encrypt data and to digitally sign messages so that the recipient can verify who sent the data or message.

Digital certificates are issued by certificate authorities (CAs), which are public or private organizations that manage a public key infrastructure (PKI). The main function of a digital certificate is to associate a device or user with a public/private key pair. Digital certificates also verify the authenticity of data and indicate privileges and roles within secure communication.

A digital certificate consists of data that definitively identifies an individual, system, company, or organization. In addition to identification data, the digital certificate contains a serial number, a copy of the certificate holder's public key, the identity and digital signature of the issuing CA, and an expiration date.

We recommend that you become familiar with PKI and digital certificates before implementing this feature on a Services Router.

For white papers about digital certificates and additional information about PKI, go to the following Web sites:

