WHITE PAPER. VeriSign Architecture for Securing Your VPN Go Secure! For Check Point Overview

Transcription

1 WHITE PAPER VeriSign Architecture for Securing Your VPN Go Secure! For Check Point Overview

2 CONTENTS Architecture for Securing Your VPN Virtually Overnight!1 Key Features & Functionality 1 How Does It Work?3

3 Architecture for Securing Your VPN Virtually Overnight! By enabling enterprises to rapidly turn a firewall into a VPN,VeriSign s Go Secure! for Check Point provides the integrated application security necessary for enterprises to engage in secure business-to-business e-commerce, site-to-site communication, and trading exchanges. Unlike other remote access alternatives that require installation of additional and proprietary client software, this revolutionary service plugs into the existing Check Point architecture and is specifically designed for Check Point s VPN-1 (NG),VPN-1 SecuRemote (NG) and VPN-1 SecureClient (NG).The service enables Check Point client users to easily acquire and use VeriSign digital certificates to establish a scalable, manageable and secure VPN. KEY FEATURES & FUNCTIONALITY Automated integration with Check Point: Go Secure! for Check Point is tightly integrated with Check Point s VPN-1 SecuRemote (NG) and VPN-1 SecureClient (NG) software.the integration includes the components to automate user certificate enrollment, authentication, certificate lifecycle management, firewall updating, certificate installation, and revocation. Automated certificate acquisition and installation: Go Secure! for Check Point includes client agent controls that automate end user certificate acquisition and installation. Applying for a certificate is as simple as filling out a Web enrollment form.this form can contain any information the administrator wishes such as a field for a passcode allowing the end user to be pre-authenticated allowing the digital certificate to be issued instantly. Upon issuance, the digital certificate is transparently installed in the appropriate Check Point client software file.the remote user is now ready to securely connect and establish an encrypted/authenticated tunnel to the enterprise s firewall. Easy-to-use tools let network administrators control the approval, enrollment, validation, issuance, and renewal of Digital IDs while relying on VeriSign s certificate processing, back up, and customer support services. End users interact with customized,web-based enrollment forms to request IDs for IPSec devices. Passcode authentication module: Using the passcode feature in the Go Secure! service facilitates the authentication of a remote user community. Passcodes are unique identifiers that are generated by VeriSign Managed Public Key Infrastructure (OnSite) and are associated with each remote user. During enrollment, the user provides this unique passcode to identify themselves. If the passcode entered by the user matches the passcode in the authentication database within managed PKI, the user is automatically issued their digital certificate. Directory Object Module (DOM): The DOM will automatically update your LDAP server whenever a certificate is approved or revoked.the firewall administrator does not need to be manually involved in the certificate approval process. 1

4 Manuals and implementation guide: Go Secure! includes an easy-to-use administrator handbook, implementation guide and tailored support services to successfully deploy and manage the integrated Check Point and VeriSign solution. Automated network administration: VeriSign s Go Secure! for Check Point service frees network administrators from the timeconsuming burden of manually generating, distributing, renewing, and publishing digital certificates or shared secrets and certificate revocation lists.this service seamlessly integrates with VPN-1 (NG) and desktop clients to provide automated certificate lifecycle management services. It also includes the ability to upload the certificates to an LDAP directory or firewall user database for easier integration with VPN-1 (NG).With the optional Directory Object Manager, the administrator can completely automate the LDAP and firewall user database update process. IPSec & digital certificates the standard for secure VPNs: Internet Protocol Security Standard (IPSec) secures private communications on the Internet at the network level between firewalls, routers, and remote access devices. IPSec authenticates the identities of communicating parties, protects data from alteration, and safeguards information from interception using confidentiality services. IPSec is transparent to intermediary network layer devices because it is based on standard IP traffic.the Internet Key Exchange (IKE), part of the information transmission process, authenticates each side of an IPSec transaction and creates a secure path for encrypted data packets to travel to their destination on the network. In order for identity authentication to take place, every VPN device requires a unique identifier like a digital certificate.the digital certificates issued by VeriSign comply with the IPSec standard. 2

5 HOW DOES IT WORK? Manual Authentication: Manual authentication provides a means for authenticating network devices including firewalls, gateways and desktop clients.the process allows the registration authority to control the certificate lifecycle including approval and renewal of certificates. a. The network/firewall administrator sends an to all remote users that they need to download a copy of SecuRemote or SecureClient from and request a certificate by filling out the form at b. The user downloads and installs the Check Point software and completes the certificate request form. c. The administrator receives an that John Doe has requested a certificate. d. The administrator connects securely to the OnSite Control Center and approves or rejects the certificate. If the certificate is approved, OnSite will send an telling the user to pick up his certificate. [not necessary with passcode] e. After the certificate has been approved, the administrator downloads the current directory list (LDIF file) and either imports it into FireWall-1 s user database or an LDAP directory. [DOM can be used to automate this process]. f. The user picks up their certificate with their browser. g. The user can now securely connect to your corporate network from anywhere on the Internet. h. When the user tries to authenticate with the firewall, the firewall will compare the certificate against the current Certificate Revocation List (CRL). If the cert is not on the CRL and the user is on the valid access control list, then a secure connection is created. 3

6 Corporate Resource IPSec Tunnel 5. SecuRemote user is authenticated via user database/ LDAP directory User Database or LDAP Directory Passcode Authentication: Passcode authentication provides the simplest means for bootstrapping a secure authentication process of a remote user community without the burden of requiring personal presence or other out-of-band methods.this method allows each remote user to be automatically authenticated while they are enrolling for their digital certificate. a. The network/firewall administrator creates and uploads a CSV file containing user information and passcodes to the OnSite Control Center. b. The administrator also passes the CSV file to the DOM, which imports it into VPN-1 (NG) s user database or your LDAP directory. c. The administrator sends an to all remote users that they need to download a copy of SecuRemote or SecureClient from and request a certificate by filling out the form at administrator also supplies each user with their unique passcode to pickup their pre-approved certificate. Each passcode should be securely delivered to the end user, not included in the s. For example, sealed envelopes in inter-departmental mail, calling users voic , etc., are all possibilities, depending on the security level you wish to enforce. d. The user downloads and installs the desktop software. e. After the user has installed the software, they 1. Subscriber enrolls for digital ID simply fill out the certificate request form, providing their personal information and passcode. 3. VeriSign notifies the subscriber via 4. Subscriber picks up the VeriSign digital ID DOM generates the appropriate data format and populate the user database. Optionally, DOM can remove a user entry if the certificate is revoked. Internet Directory Object Manager (DOM) Periodically DOM retrieves VeriSign OnSite ControlCenter subscriber LDIF via HTTPS with cleint auth 2) Administrator authenticates the subscriber and approves the certificate request Administrator f. The certificate request is sent to VeriSign, where it is automatically checked against the passcode (CSV) file already uploaded by your administrator. g. If the information matches properly, the certificate is automatically issued. h. The user can now securely connect to your network from anywhere on the Internet. i. When the user connects to your network, the firewall automatically checks to see if the user s certificate has been cancelled. If it has, the user is rejected, otherwise the user seamlessly connects to your corporate network. 4

7 Automatic Authentication: If the Passcode authentication method is not achievable, then an alternate automated process for obtaining and using a certificate is as follows: a. The administrator sends an to all remote users that they need to download a copy of SecuRemote or SecureClient from are and request a certificate by filling out the form at b. After the user has installed the software, they will complete the certificate request form providing the information requested. c. The Web server then uses CGI to contact a registration authority server.this server compares the information provided against a pre-configured company database. If the information matches, it then approves the request and sends it to VeriSign for instant validation, approval, signing and issuance. d. The certificate is then automatically approved, exported into an EPF file, and inserted into the user s client software. e. The DOM then downloads the current directory list (LDIF file) and either imports it into VPN-1 (NG) s user database or an LDAP server. f. The user can now create a VPN with the firewall. g. When the user tries to authenticate with the firewall, the firewall will compare the certificate against the current CRL. If the cert is not on the CRL and the user is on the valid access control list, then a VPN will be created. Corporate Resource IPSec Tunnel 5. SecuRemote user is authenticated via user database/ LDAP directory 3. DOM generates the appropriate data format and populate the user database or LDAP directory 4. Subscriber uses the passcode to enroll for VeriSign digital ID Internet 2. Run DOM to parse the passcode csv file 1) Administrator uploads a passcode csv file to VeriSign OnSite ControlCenter to pre-authenitcate subscribers User Database or LDAP Directory Directory Object Manager (DOM) Administrator 5

8 VeriSign Managed PKI VeriSign s integrated, managed service approach to securing enterprise and e-commerce applications makes it easy for enterprises to simply plug digital certificate-based security into their existing application infrastructure and quickly realize the benefits of secure e-commerce.verisign s Go Secure! Services further extend the value of VeriSign Managed PKI, the unique, fully integrated, state-of-the-art service platform for the enterprise. Managed PKI provides the fastest time to market and lowest cost of ownership when compared to proprietary PKI software alternatives and meets all of the requirements of today s enterprise networks. 1. Subscriber enrolls for VeriSign digital ID IPSec Tunnel Web server Internet 3) Registration server signs the request and sends it to VeriSign to be issued immediately Corporate Resource 5. SecuRemote user is authenticated via LDAP directory 2. cgi passes the enrollment info to the authentication server Registration/Authentication Server with Key Manager (optionally) LDAP Directory 4) Authenitcation server uses directory integration module (DIM) to insert the digital ID into the LDAP directory Administrator 6

9 2001 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, OnSite, and NetSure are trademarks and service marks or registered trademarks and service marks of VeriSign, Inc. All other trademarks are the properties of their respective owners. 12/01