Fraunhofer-Institut für Digitale Medientechnologie IDMT
IDMT VPN Remote Access
Ives Steglich
Munich, 12. Oct 2004
Seite 2
Overview
Current Situation and Architecture
Goals and Requirements for Improvement
Proposed Soft- and Hardware
Pro...
Seite 3
Current Situation and Network Architecture
Architecture
Remote User
CISCO VPN Client
Firewall and VPN Gateway
CISC...
Seite 4
Goals and Requirements for new Solution
Main Goals
1. remove the shared secret for remote users
2. keep the availa...
Seite 5
Proposed Soft- and Hardware
Software for PKI
OpenCA
Reasons:
- understands SCEP
- can publish certs in LDAP
- open...
Seite 6
Proposed Architecture
Remote
User
OpenCA-Setup
One Server with RA, PUB and SCEP Interfaces
One Server with the CA ...
Seite 7
How does the USB-Token work?
General
- uses proprietary format from Aladdin
- therefore needs specific drivers
- n...
Seite 8
Usageprocess
Token Initialization
- has to be done at Linux
- key generation with Linux+Windows
- certificate Iist...
Seite 9
Conclusions
• Authentication for Remote-VPN-Access
• Option to skip one step during VPN-Login
• Transparent usage ...
Seite 10
Usage Examples
Seite 11
Seite 12
Thanks for your attention!
Questions?
Upcoming SlideShare
Loading in...5
×

Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI

928

Published on

This slides show a more complex rollout real world scenario in combination of usb-based crypto keys used in parallel under linux and windows and cross-browser on windows too! Good thing is - no passwords must be stored on any of the authentication systems - no passwords can be stolen! ;-)

Slides just give an overview over the overall architecture but was really working - see pictures on last slides - where the same certificate from the usb key is shown under linux and windows - still neat.

Somehow not much seems to have changed since 2004 if one looks around - could still be applied in todays environments - the basics and it's still not wide spread nowadays.

Note: Slides are historical versions from 2004, so not all shown hardware, protocols and/or drivers/software may be available or recommended for usage anymore.

Today I would prefere OpenXPKI which forked of OpenCA and is an fully independent version by now close to 1.0 release this or next year! Check it out!

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
928
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI"

  1. 1. Fraunhofer-Institut für Digitale Medientechnologie IDMT IDMT VPN Remote Access Ives Steglich Munich, 12. Oct 2004
  2. 2. Seite 2 Overview Current Situation and Architecture Goals and Requirements for Improvement Proposed Soft- and Hardware Proposed Architecture How does the USB-Token work? Usageprocess Conclusions
  3. 3. Seite 3 Current Situation and Network Architecture Architecture Remote User CISCO VPN Client Firewall and VPN Gateway CISCO PIX Steps to establish an connection 1. VPN Tunnel initialization authenticated by shared secret 2. Access to internal Network authenticated by XAUTH trough tacacs+ Internet Internal LAN Remote User VPN Tunnel Firewall and VPN-Gateway Tacacs+ Server
  4. 4. Seite 4 Goals and Requirements for new Solution Main Goals 1. remove the shared secret for remote users 2. keep the available infrastructure 3. use smartcards 4. be open for other usages 5. integration into the local LDAP 6. use open source whenever possible Requirements from Goals and Architecture - introduce certificates and administration - setup an in-house pki - pki must speak SCEP - smartcards must be operable with linux and windows
  5. 5. Seite 5 Proposed Soft- and Hardware Software for PKI OpenCA Reasons: - understands SCEP - can publish certs in LDAP - open source - good cooperation with development team Hardware for Smartcards Aladdin eToken Pro Reasons: - works with Microsoft Crypto API - PKCS#11 library for linux available (but hard to get, not offically distributed) - enables OpenCA administration from Linux and Windows (Mozilla, IE)
  6. 6. Seite 6 Proposed Architecture Remote User OpenCA-Setup One Server with RA, PUB and SCEP Interfaces One Server with the CA (offline) Access to RA-Interface certificatebased stored at Smartcards PIX-Setup Remote Users Authentication with RSA Certs Client Setup VPN-Gateway identification with Certs Own Authentication with RSA Certs Internet Internal LAN Firewall and VPN-Gateway In-house PKI VPN Tunnel Tacacs+ Server RA/SCEP/PUB Interfaces Offline CA
  7. 7. Seite 7 How does the USB-Token work? General - uses proprietary format from Aladdin - therefore needs specific drivers - not PKCS#15 compatible (but can be used parallel if space is left on token PKCS#15 doesn’t works with Microsoft Crypto API) Linux - based on PC/SC-Lite - works with Mozilla through PKCS#11 - doesn’t work right now with OpenSSL engine - hotplugable Windows - works with Mozilla through PKCS#11 - works with Microsoft Crypto API - hotplugable PKCS#11 PC/SC Lite Mozilla Aladdin RTE OpenSSL ? Linux Linux USB-Hotplugsystem Windows CSP PKCS#11 MozillaIE VPN Client Aladdin RTE Windows USB-Subsystem
  8. 8. Seite 8 Usageprocess Token Initialization - has to be done at Linux - key generation with Linux+Windows - certificate Iistallation with Linux+Windows - only one Login for User and Admin possible Process - Two Options: - batch-orientied serverside-key-generation (p12 files import through Mozilla or Win-System) - token-based-key-generation (through users themselves) - Administration: - requests initiated through users - granted at RA through ‘Groupleaders’ - certs issued through CA-Operator
  9. 9. Seite 9 Conclusions • Authentication for Remote-VPN-Access • Option to skip one step during VPN-Login • Transparent usage with Linux and Windows • Encrypt, Decrypt and Sign E-Mails • Authentication for webbased services (PKI-Access and Administration) • Dezentralized Management • LDAP Storage and Access to Certificates • Still not perfect • Overview about smartcards providing PKCS#11 libs: http://jce.iaik.tugraz.at/products/14_PKCS11_Wrapper/ tested_products/index.php
  10. 10. Seite 10 Usage Examples
  11. 11. Seite 11
  12. 12. Seite 12 Thanks for your attention! Questions?
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×