Scale PIX Firewall VPNs

The use of pre-shared keys for IKE authentication only works when you have a few IPSec peers. Certificate Authorities enable scaling to a large number of IPSec peers.

CA Server Fulfilling Requests from IPSec Peers

[Figure: several IPSec peers, each sending its own enrollment request to a single CA server]

Each IPSec peer individually enrolls with the CA server.

© 2000, Cisco Systems, Inc.

CSPFA 1.01-7-34

Using a CA server is the most scalable solution. Other IKE authentication methods require manual intervention to generate and distribute the keys on a per-peer basis. The CA server enrollment process can be largely automated so that it scales well to large deployments. Each IPSec peer individually enrolls with the CA server and obtains public and private encryption keys compatible with other peers enrolled with the server.

PIX Firewall with CA Enrollment

The following section describes how to utilize a Certificate Authority to enroll a PIX Firewall.

Enroll a PIX Firewall With a CA

[Figure: a PIX Firewall exchanging keys and certificate requests with a CA server]

• Configure CA support.

• Generate the public/private key pair.

• Authenticate the CA.

• Request signed certificates from the CA.

• CA administrator verifies request and sends signed certificates.


Peers enroll with a CA server in a series of steps in which specific keys are generated and then exchanged by the PIX Firewall and the CA server to ultimately form a signed certificate. The enrollment steps can be summarized as follows:

Step 1 The PIX Firewall generates an RSA key pair.

Step 2 The PIX Firewall obtains the CA server's public key and certificate.

Step 3 The PIX Firewall requests a signed certificate from the CA using the generated RSA keys and the public key/certificate obtained from the CA server.

Step 4 The CA administrator verifies the request and sends a signed certificate.

Note: See the "About CA" and "Configuring CA" sections in the "Configuring IPSec" chapter of the Configuration Guide for the Cisco Secure PIX Firewall for more details on how CA servers work and how to configure the PIX Firewall for CA support.
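As an added illustration (not part of the course material), the four enrollment steps above map onto the PIX Firewall `ca` command family of PIX software 5.x/6.x as follows; the CA nickname `mainca`, its address `10.0.0.5`, the 1024-bit modulus and the challenge password are assumed values, and the `!` lines are explanatory comments rather than PIX commands.

```cisco
! Step 1: generate the RSA key pair on the PIX (1024-bit modulus assumed).
ca generate rsa key 1024

! Name the CA and tell the PIX where to reach it (assumed nickname and address).
ca identity mainca 10.0.0.5
! Re-poll a pending request every 1 minute, up to 20 times. The optional
! "crloptional" keyword is deliberately left off: with it, a peer whose CRL
! cannot be fetched is still accepted, which silently disables revocation checking.
ca configure mainca ca 1 20

! Step 2: fetch the CA's public key and certificate. The PIX prints the CA
! certificate fingerprint; compare it with the value the CA administrator
! supplies out of band before accepting, otherwise a spoofed CA could be trusted.
ca authenticate mainca

! Step 3: send the certificate request, signed with the RSA keys from step 1.
! The challenge password is the one the CA administrator issued for this device.
ca enroll mainca <challenge_password>

! Step 4: once the CA administrator approves the request, confirm that the
! signed certificate has arrived, then write keys and certificates to flash.
show ca certificate
ca save all
```

Without `ca save all` the key pair and certificates exist only in memory and are lost on reload, which forces a fresh enrollment.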
