Public keys

An integral part of any virtual private network (VPN) is key management. IP Security, through its Internet Key Exchange (IKE) protocol, negotiates and refreshes the keys between any two tunnel endpoints. Getting a tunnel ready in the first place, or bootstrapping it, is the hard part: the two tunnel partners must somehow be given their initial keys so that they can authenticate each other before any secure channel exists. Once that first authenticated channel is up, IKE keeps the keys fresh. The more tunnels you have, whether to branch offices or, more likely, to remote-access users, the harder bootstrapping becomes.

There are three ways to approach this bootstrap process. The first and least attractive is manual keying, in which an administrator types every key into every device; outside the military, nobody does this. The second uses pre-shared secrets entered by network managers at both ends of each tunnel. Pre-shared secrets work well but scale poorly: every pair of endpoints needs its own secret, and each one must be entered, and later changed, by hand at both ends. The third approach uses a third party, usually referred to as a public-key infrastructure (PKI), to distribute and manage keys; each device enrolls once with a certification authority and thereafter proves its identity with a certificate.

We worked closely with Entrust Technologies, one of the leading PKI vendors, to check interoperability of the VPN products with third-party PKIs.

We found three levels of PKI support in these VPN products. At the top of our list are products from TimeStep and Check Point Software. These two let us go online to our PKI, fetch keys and certificates, and stay in contact with it. In a large network, this is the only way to go: without continuous online access, the VPN software cannot check a peer's certificate against the certification authority's current certificate revocation list (CRL), so a tunnel from a compromised or decommissioned device would still be accepted. Cisco also has a protocol called Certificate Enrollment Protocol (CEP), used by Cisco routers and supported by some VPN and PKI vendors, for enrolling devices with a certification authority online.

A step below this level are products that connect to a PKI manually, generally by carrying diskettes between a management station and the PKI's certification authority. This gets you up and running but has its own scalability problem: there is no easy way to push key and certificate updates, revocation lists included, from the PKI to the VPN devices, so each device works from whatever copy it was last given. We worked with Data Fellows and Radguard to see how keys could be moved back and forth this way, and we were able to make Data Fellows and Radguard VPNs talk to each other without pre-shared secrets.

At the bottom of the list are companies whose products could enroll with the PKI manually but would not interoperate with other vendors' products. Intel, Nortel and VPNet all have products that successfully enrolled their keys with the PKI but would not establish tunnels with other vendors' implementations.
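The two kinds of PKI connection described above, online and by hand, come down to one practical question for a gateway: does it hold the certification authority's current certificate revocation list at the moment a peer presents its certificate? The shell script below is an added example, not part of the review and not any vendor's code. It builds a throwaway CA and one gateway certificate with the openssl command line (every artifact is constructed in a temporary directory, and names such as "Example VPN CA" and branch-gw.example.net are made up), revokes the gateway, and then runs the same certificate check against three trust stores: one with no CRL at all, one with a stale CRL copied across before the revocation, and one with the CRL fetched afterwards.

```shell
#!/bin/sh
# Added example (not from the review): a throwaway PKI built with the openssl
# command line to show what online versus manual PKI access means for
# revocation checking. The CA, the gateway certificate and the CRLs are all
# constructed here; the names are invented.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file serves both `openssl req` (CA extensions) and `openssl ca`
# (the revocation database and CRL number it needs to issue a CRL).
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = vpn_pki
[ vpn_pki ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# The certification authority stands in for the third-party PKI.
openssl req -config pki.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 30 -subj "/CN=Example VPN CA" \
    -keyout ca.key -out ca.crt 2>/dev/null

# Enroll one tunnel endpoint: key pair, certificate request, CA-signed cert.
openssl req -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=branch-gw.example.net" -keyout gw.key -out gw.csr 2>/dev/null
openssl x509 -req -sha256 -days 30 -in gw.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out gw.crt 2>/dev/null

# Issue the CA's current CRL and bundle it with the CA certificate into the
# trust store a gateway would use. $1 is the bundle file to write.
publish_crl() {
    openssl ca -config pki.cnf -gencrl -md sha256 -crldays 7 -out ca.crl 2>/dev/null
    cat ca.crt ca.crl > "$1"
}

# Mark the gateway certificate revoked in the CA's database, the step the PKI
# operator takes when a device is compromised or decommissioned.
revoke_peer() {
    openssl ca -config pki.cnf -revoke gw.crt 2>/dev/null
}

# What an IKE responder should do with the peer's certificate: build the chain
# to the CA *and* require a CRL for the issuer. Prints the openssl verdict and
# returns its exit status (0 only when the certificate is good).
check_peer() {
    openssl verify -crl_check -CAfile "$1" gw.crt 2>&1
}

# State 1: gateway enrolled, CRL current, nothing revoked. The diskette copy
# is what a manually-connected gateway was last handed.
publish_crl online-bundle.pem
cp online-bundle.pem diskette-bundle.pem

# State 2: the PKI revokes the gateway and publishes a new CRL. Only a peer
# that is online fetches it; the diskette copy is now stale.
revoke_peer
publish_crl online-bundle.pem

echo "no CRL at all:      $(check_peer ca.crt || true)"
echo "stale diskette CRL: $(check_peer diskette-bundle.pem || true)"
echo "current online CRL: $(check_peer online-bundle.pem || true)"
```

The script needs only the openssl binary and a writable temporary directory. The three verdicts are the point: with no CRL in the trust store the check fails closed ("unable to get certificate CRL"), the stale diskette copy still reports "OK" for a certificate the PKI has already revoked, and only the current CRL produces "certificate revoked". A gateway that cannot reach the PKI is therefore either refusing good peers or accepting bad ones, which is why continuous online access is the only workable option in a large network.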

Copyright, 1994-2006 Network World, Inc. All rights reserved.