
© 2003, Cisco Systems, Inc. All rights reserved. CSVPN
Lesson 6: Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Digital Certificates

Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
- Explain the purpose of digital certificates.
- Generate a PKCS #10 certificate request for the Cisco VPN Client and the Concentrator.
- Install certificates in the Cisco VPN Client and the Concentrator.
- Explain how digital certificates are validated and maintained.
- Configure the Cisco VPN Client and the Concentrator for certificate-based remote access.

CA Support Overview

CA Server Fulfilling Requests from IPSec Peers
Each IPSec peer individually enrolls with the CA server.
(Figure: several IPSec peers, each sending its own enrollment request to the CA server.)

Digital Signature
(Figure: the remote party runs the message "Pay to Terry Smith, One Hundred and xx/100 Dollars" through a hash algorithm and encrypts the hash with its private key, producing the signature "4ehIDx67NMop9", which travels across the Internet with the message. The local party decrypts the signature with the sender's public key, hashes the received message itself, and compares the two hashes. A match shows that the message was not altered and that it came from the holder of the private key.)

Why Digital Certificates

Certificate-Based Authentication
(Figure: Alex and Terry each request a certificate from the CA, a trusted third party, which issues their digital certificates.)

CA
CA responsibilities:
- Create certificates
- Administer certificates
- Revoke invalid certificates

PKI
(Figure: two PKI topologies. Hierarchical: a Root CA with a Subordinate CA beneath it that issues certificates to Terry and Pat. Central: a single Root CA that issues directly to Terry, Pat, and Alex.)

Certificate Generation

Certificate Generation Process
(Figure: each device, Boston3 and Paris12, generates a certificate request and sends it to the MS CA. The CA processes the request and generates the certificate; the device installs it together with the root certificate.)

Generating a Certificate Request
(Figure: the Concentrator or PC generates a PKCS #10 request and sends it to the CA, which returns a digital certificate. The CA hashes the PKCS #10 content together with its own CA information and encrypts the hash with the CA private key; the result, "4ehIDx67NMop9", is the signature on the certificate for Lynn K.)

Certificate Request Message: PKCS #10

Generating an Identity Certificate
(Figure: the CA combines the PKCS #10 from the Concentrator or PC with CA information, hashes the result, encrypts the hash with the CA private key, and returns the signed digital certificate for Lynn K to the requester.)

Digital Certificates
Digital certificates contain:
- Serial number
- Validity dates
- Issuer name
- Subject name
- Subject public key information
- CA signature

Digital Certificate Encoding
(Figure: the encoded digital certificate as delivered from the CA to the PC or Concentrator.)

Install the Certificate
(Figure: the Concentrator or PC installs the digital certificate that the CA built from the PKCS #10 plus CA information, hashed and signed with the CA's private key.)

Validating Certificates

Certificate Validation
Certificate validation checks that the certificate:
- Is signed by a trusted CA
- Has not expired
- Has not been revoked

Signature Validation
(Figure: 1. At the CA, the identity certificate contents are hashed and the hash is encrypted with the CA private key, giving the signature "4ehIDx67NMop9". 2. At the Concentrator, the signature on the identity certificate received over the Internet is decrypted with the CA public key taken from the stored root certificate, the certificate contents are hashed again, and the two hashes are compared; they must match.)

Certification Chain
(Figure: Hierarchical: the identity certificate of Terry or Pat is validated against the Subordinate CA certificate, which is in turn validated against the Root certificate. Central: the identity certificate of Terry, Pat, or Alex is validated directly against the Root certificate.)

Validity Period

CRL
- A list of revoked certificates, signed by the CA.
- Stored on the CA or on a CRL Distribution Point (CRL DP).
- Nothing requires a device to make sure the CRL it checks is current: a device that validates against a stale or cached CRL can accept a certificate that has since been revoked.
(Figure: a CRL listing the serial numbers of revoked certificates.)

CRL: General

CRL: Revocation List

CRL Distribution Point Location

Certificate Authentication Process
1. Load and validate the identity certificate.
2. Exchange identity certificates during IKE negotiations.
3. Verify the identity certificate signature using the stored root certificate.
4. Verify that the certificate validity period has not expired.
5. Verify that the identity certificate has not been revoked.
(Figure: the Boston3 Concentrator at the home site and the Hdqtrs3 Concentrator at headquarters each hold an identity certificate issued by Entrust and the Entrust root certificate (D134TA30). They exchange identity certificates over the Internet; an Entrust LDAP server at headquarters holds the CRL.)
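The signing and validation steps on the preceding slides (hash the content and encrypt the hash with the private key; at the receiver, decrypt with the public key from the stored root, recompute the hash, compare; then check the validity period and the CRL, including the caveat that nothing forces a device to use a current CRL), worked through in Python as an added example. This is not part of the original Cisco course material. The CA names "Training Root" and "Training Sub CA", the serial numbers, dates, and the 512-bit key size are constructed for the demo; the RSA is unpadded textbook RSA so the arithmetic stays visible (real X.509 signatures use PKCS #1 padding and DER encoding), and plain dicts stand in for certificate and CRL structures.

```python
"""Textbook RSA signing and the certificate checks from the lesson. Added illustration, not Cisco
code: unpadded RSA on a SHA-256 digest shows the "encrypt the hash with the private key / decrypt
with the public key" arithmetic (real X.509 uses PKCS #1 padding and DER); dicts stand in for
certificates and the CRL. Every name, key, serial number and date here is constructed for the demo."""
import hashlib
import random
from datetime import datetime, timedelta, timezone

def _is_probable_prime(n, rounds=16):  # Miller-Rabin; callers only pass odd n > 3
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=512):  # returns ((n, e), (n, d)); 512 bits is quick and NOT a secure size
    def prime():  # odd candidate of exact bit length, retried until it is probably prime
        while True:
            cand = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(cand):
                return cand
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # always < n, since n >= 2**510
def sign(data, private):
    n, d = private
    return pow(_digest(data), d, n)  # sender: hash, then "encrypt" the hash with the private key
def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == _digest(data)  # receiver: "decrypt" with the public key, compare

CERT_FIELDS = ("serial", "subject", "issuer", "not_before", "not_after", "public_key")
CRL_FIELDS = ("issuer", "this_update", "next_update", "revoked")
def _tbs(record, fields):  # canonical bytes of the to-be-signed fields (a stand-in for DER encoding)
    return repr([record[f] for f in fields]).encode()

def issue_certificate(subject, subject_public, issuer_cert, issuer_private, serial, days, now):
    # CA side: fill in the fields the lesson lists and sign them; issuer_cert=None gives a self-signed root
    cert = {"serial": serial, "subject": subject, "issuer": issuer_cert["subject"] if issuer_cert else subject,
            "not_before": now, "not_after": now + timedelta(days=days), "public_key": subject_public}
    cert["signature"] = sign(_tbs(cert, CERT_FIELDS), issuer_private)
    return cert

def issue_crl(issuer_cert, issuer_private, revoked_serials, now, hours):
    # CA side: signed list of revoked serial numbers; next_update says when a fresh copy is due
    crl = {"issuer": issuer_cert["subject"], "this_update": now,
           "next_update": now + timedelta(hours=hours), "revoked": sorted(revoked_serials)}
    crl["signature"] = sign(_tbs(crl, CRL_FIELDS), issuer_private)
    return crl

def validate_chain(chain, trusted_roots, crls, now):
    """Receiver side. chain = [identity, subordinate CA, ...] as exchanged in IKE; trusted_roots =
    installed root certificates keyed by subject; crls = latest CRL per issuer. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else trusted_roots.get(cert["issuer"])
        if issuer is None or issuer["subject"] != cert["issuer"]:
            return False, "issuer %r of %r is not trusted" % (cert["issuer"], cert["subject"])
        if not verify(_tbs(cert, CERT_FIELDS), cert["signature"], issuer["public_key"]):
            return False, "bad signature on %r" % cert["subject"]
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, "%r is outside its validity period" % cert["subject"]
        crl = crls.get(cert["issuer"])
        if crl is None or not verify(_tbs(crl, CRL_FIELDS), crl["signature"], issuer["public_key"]):
            return False, "no authentic CRL from %r" % cert["issuer"]
        if now > crl["next_update"]:  # the lesson's caveat: X.509 itself does not force this check
            return False, "CRL from %r is stale" % cert["issuer"]
        if cert["serial"] in crl["revoked"]:
            return False, "%r (serial %d) has been revoked" % (cert["subject"], cert["serial"])
    return True, "ok"

def demo(seed=7):  # hierarchical PKI (root -> subordinate CA -> Boston3) and each way validation fails
    random.seed(seed)  # repeatable keys for the demo only; never seed real key generation like this
    t0 = datetime(2003, 6, 1, tzinfo=timezone.utc)
    (root_pub, root_priv), (sub_pub, sub_priv), (id_pub, _) = (generate_keypair() for _ in range(3))
    root = issue_certificate("Training Root", root_pub, None, root_priv, 1, 3650, t0)
    sub = issue_certificate("Training Sub CA", sub_pub, root, root_priv, 2, 1825, t0)
    boston3 = issue_certificate("Boston3", id_pub, sub, sub_priv, 3, 365, t0)  # its private key stays on the device
    trusted, t1 = {root["subject"]: root}, t0 + timedelta(hours=1)
    crls = {c["subject"]: issue_crl(c, k, set(), t0, 24) for c, k in ((root, root_priv), (sub, sub_priv))}
    revoked = dict(crls, **{sub["subject"]: issue_crl(sub, sub_priv, {3}, t0, 24)})  # Boston3 revoked
    return {"valid": validate_chain([boston3, sub], trusted, crls, t1),
            "tampered": validate_chain([dict(boston3, subject="Hdqtrs3"), sub], trusted, crls, t1),
            "untrusted_root": validate_chain([boston3, sub], {}, crls, t1),
            "expired": validate_chain([boston3, sub], trusted, crls, t0 + timedelta(days=400)),
            "revoked": validate_chain([boston3, sub], trusted, revoked, t1),
            "stale_crl": validate_chain([boston3, sub], trusted, crls, t0 + timedelta(days=2))}

if __name__ == "__main__":
    print(*("%-15s %s" % kv for kv in demo().items()), sep="\n")
```

Running the block prints one line per case: only "valid" is accepted; the tampered subject fails the signature check, the missing root fails the trust check, and the expired, revoked and stale-CRL cases fail their own checks. The order of checks in validate_chain matters: a forged certificate is rejected before its validity or revocation status is consulted, and the stale-CRL rule is enforced by the validator itself because, as the CRL slide notes, nothing else will.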

Configuring the Cisco VPN 3000 Series Concentrator for CA Support

Concentrator Enrollment Support
Two enrollment methods:
- File (manual): the Concentrator generates a PKCS #10, which is uploaded to the certificate server; the issued certificates are downloaded and installed by hand.
- Network (automated): the Concentrator generates the PKCS #10 and exchanges it with the certificate server over SCEP.

Concentrator Certificate Manual Loading Process
1. Generate the PKCS #10 on the Concentrator.
2. Upload the PKCS #10 to the certificate server.
3. The certificate server generates the root and identity certificates.
4. Download the root and identity certificates.
5. Load the root certificate on the Concentrator.
6. Load the identity certificate on the Concentrator.

Manual Enrollment: Generate a Certificate Request

Group Matching Policy
(Figure: fields of the identity certificate are matched by the group matching policy to select the group.)

Group Matching Rules

Upload the PKCS #10

Download Certificates
Download the root certificate and the identity certificate from the certificate server.

Install Root Certificate
Install the root certificate downloaded from the certificate server.

Root Installed

View Root Certificate

Install Identity Certificate
Install the identity certificate downloaded from the certificate server.

Identity Certificate Installed

View Identity Certificate

Certificate Renewal

Configure CA: CRL Caching, Backup, and HTTP Support
(Figure: a client at Site A and a Concentrator at Site B each retrieve the CRL from a CRL DP, reachable over LDAP or HTTP, with a primary and a backup distribution point, and cache the retrieved CRL locally.)

Configuring CA Certificates
- CRL retrieval policy
- CRL caching
- CRL Distribution Points

Configuring CRL Retrieval Policy
Retrieve the CRL from the CRL DP named in the certificate, or from a statically configured CRL DP.

Configuring CRL Caching

Configuring CRL DPs
(Figure: Site A; CRL DPs with LDAP support and HTTP support; primary and backup.)

Step 1: Check the Active IKE Proposal List

Step 2: Check the IKE Proposal

Step 3: Modify or Add an SA

IPSec SA

Types of VPN Client Enrollment
- File (manual): generate the PKCS #10, upload it to the certificate server, then download the identity and root certificates.
- Network (automated): enroll with the certificate server over SCEP.

Certificate Tab
The Certificate tab is used to enroll and manage personal certificates.

Certificate Store
A certificate store is a location in your local file system that contains personal certificates (for example, the Cisco store).

File Enrollment

Enrollment Form

Paste Certificate Request
Generate the PKCS #10 and paste it into the certificate server's enrollment page to upload it.

Download Root and Identity Certificates
Download a root and an identity certificate from the certificate server.

Import Certificates

Viewing Certificates

Network-Based Enrollment
Network (automated) enrollment with the certificate server over SCEP.

SCEP Process
1. The certificate manager on the client requests the CA or RA certificate; the certificate server returns it.
2. The client verifies the CA or RA certificate.
3. The client generates its keys and a certificate request and sends the request to the server.
4. The server processes the request. If it is approved, the server generates the identity certificate and the client stores it.
5. If the request is pending approval, the client sends polling requests until the request is approved, then stores the certificate.

Network Enrollment

Enrollment Form

Summary

Summary
- Digital certificates bind a person or entity to a public key; the holder keeps the matching private key.
- The Cisco VPN Client and Concentrator create PKCS #10 certificate requests.
- PKCS #10 requests are sent to the CA, which verifies them.
- The CA issues X.509 certificates to the VPN Client and Concentrator.
- Certificates are loaded on the VPN Client and Concentrator.
- Certificates are exchanged during IKE negotiations.
- Certificates are validated by the receiving device.

Lab Exercise

Lab Visual Objective
(Figure: lab topology. A CA server and a Cisco PC running the VPN Client on the 10.0.P.0 network, RTS, a Cisco VPN 3000 Concentrator, and Web and FTP servers.)