CHAPTER 11: Using Virtual Private Networks (VPN)
302 Vcontroller
ensuring identity are password authentication (also called shared secrets) and digital certificates. A shared secret is a password that is the same on both ends of a given tunnel. The data is encrypted using a session key, which is derived from the shared secret. The gateways can encrypt and decrypt the data correctly only if they share the same secret. Digital certificates use public key-based cryptography to provide identification and authentication of end gateways.
For more information on certificates, see Chapter 10, “Creating a Remote User VPN Policy” on page 327.
In addition to identifying the user, authentication also defines the resources a user can access. A user must present specified credentials before they can access certain network locations.
Authentication can either take place through a firewall or through an external authentication server such as Remote Authentication Dial-In User Service (RADIUS). An authentication server is a trusted third party that provides authentication services to other systems on a network.
Internet Key Exchange (IKE)
As the number of VPN tunnels between WatchGuard appliances and other IPSec compliant devices grows, maintaining the large number of session keys used by tunnels becomes a challenge. Keys must also change frequently to ensure the security of each VPN connection.
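To show concretely how a shared secret becomes a session key and why a fresh negotiation yields fresh keys, here is an added example (not WatchGuard code) of the IKE Phase 1 pre-shared-key derivation from RFC 2409 section 5. The PRF choice (HMAC-SHA1) and all nonce, cookie and Diffie-Hellman values are constructed sample inputs.

```python
import hmac
import hashlib

# IKEv1 uses HMAC with the negotiated hash as its PRF; HMAC-SHA1 is assumed here.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def ikev1_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                   cky_i: bytes, cky_r: bytes) -> dict:
    """Derive IKE Phase 1 keying material in pre-shared-key mode (RFC 2409 5.4).

    psk        shared secret configured on both gateways
    ni, nr     initiator/responder nonces (fresh for every negotiation)
    gxy        Diffie-Hellman shared secret g^xy (as a byte string)
    cky_i/r    ISAKMP initiator/responder cookies from the header
    """
    skeyid = prf(psk, ni + nr)                     # binds the run to the shared secret
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seed for IPSec keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authenticates ISAKMP msgs
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts ISAKMP msgs
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def keys_match(psk_a: bytes, psk_b: bytes, ni: bytes, nr: bytes, gxy: bytes,
               cky_i: bytes, cky_r: bytes) -> bool:
    """True only if two gateways holding psk_a and psk_b derive identical keys."""
    ka = ikev1_psk_keys(psk_a, ni, nr, gxy, cky_i, cky_r)
    kb = ikev1_psk_keys(psk_b, ni, nr, gxy, cky_i, cky_r)
    return all(hmac.compare_digest(ka[n], kb[n]) for n in ka)

# Constructed sample values (not real protocol captures).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
NI = b"initiator-nonce-run-1"
NI2 = b"initiator-nonce-run-2"     # a later negotiation picks a new nonce
NR = b"responder-nonce-run-1"
GXY = hashlib.sha256(b"constructed-dh-shared-secret").digest()

if __name__ == "__main__":
    for name, value in ikev1_psk_keys(b"s3cret", NI, NR, GXY, CKY_I, CKY_R).items():
        print(f"{name:9s} {value.hex()}")
    print("same secret  ->", keys_match(b"s3cret", b"s3cret", NI, NR, GXY, CKY_I, CKY_R))
    print("wrong secret ->", keys_match(b"s3cret", b"wr0ng", NI, NR, GXY, CKY_I, CKY_R))
```

Running it shows that a mismatched secret produces unrelated keys (so the peers cannot decrypt each other's traffic), and that re-running with new nonces yields new keys even though the secret is unchanged.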
Internet Key Exchange (IKE)–the key management protocol used with IPSec–automates the process of negotiating and changing keys. IKE implements a security protocol called Internet Security Association and Key Management Protocol (ISAKMP), which uses a two-phase process for establishing an IPSec tunnel. During Phase 1, two gateways establish a secure, authenticated channel for communica-