Simplify PKI with Hybrid Auth, XAuth

Companies deploying VPNs are turning to digital certificates for the strong peer authentication an IPSec VPN depends on. Digital certificates, which must be issued and managed by a public-key infrastructure (PKI), scale to large user populations and tie each credential to one identity in a way that shared secrets cannot.

Deploying a full-blown PKI is highly complex and potentially disruptive to a network and its users. Two extensions to the Internet Key Exchange (IKE) protocol, Hybrid Auth and XAuth, have been proposed within the Internet Engineering Task Force (IETF) IPSec working group as Internet-Drafts. They let companies take a more manageable, phased approach to PKI deployment.

Hybrid Auth and XAuth are extensions to IKE. IKE is the key-management protocol for IP Security (IPSec): it authenticates the two peers and negotiates the keys and security associations the IPSec tunnel will use. In practice a peer is authenticated in one of two ways: with a preshared key or with a digital certificate. A preshared key unique to each user is fine for a small number of users, but provisioning and rotating a unique key for each of hundreds or thousands of remote users is an administrative burden and a management nightmare. Preshared keys also fit remote access poorly at the protocol level: in IKE main mode the gateway selects the key by the initiator's IP address, which a dial-up or roaming user does not have in advance, and the alternative, aggressive mode, sends the user's identity in the clear.

For simplicity, some companies deploy one key that is shared among all users. That key then distinguishes nobody: at the IKE layer every user looks the same, and if the key is compromised, or one user leaves, it must be replaced and redistributed to every remaining user, and every user name must be associated with the new key.

When deploying IPSec with IKE to many users, digital certificates are the most scalable option for enterprise security. They require a full PKI, which can be costly to implement and complex to deploy, and each remote user must "enroll" in it: generate a key pair, submit a certificate request, and install the issued certificate. Enrollment is disruptive to users, and each step is an opportunity for error.

Certain VPN implementations of Hybrid Auth let companies solve some of these issues by leveraging legacy authentication systems and by allowing a PKI to be centrally deployed and managed in practical implementation phases, rather than all at once. In this approach, a digital certificate is deployed on the VPN server at the central site, while remote users continue to use legacy authentication methods such as RADIUS-backed passwords or SecurID tokens to reach the corporate network. Because there is no change in how remote users authenticate, this Hybrid Authentication environment simplifies initial digital certificate deployment, controls operational expenses, and minimizes end-user impact.

The Hybrid Auth extension makes IKE authentication asymmetric. In Phase 1 only the server proves its identity, by signing the exchange with the private key belonging to its certificate; the client validates that certificate against its trust store and verifies the signature. The client is not authenticated at this point. Once the protected channel is up, the server challenges the user inside it for a password, token code or other legacy credential, and the user's answer is what authenticates the client. The order matters: a client must refuse to send the user's credential until it has validated the gateway's certificate, otherwise anyone who can present an unchecked certificate can collect passwords. Companies benefit from the interoperability of standards-based IPSec with IKE and from the stronger authentication of the PKI at the central site, with no disruption to remote users.

The XAuth extension may be seen as the next phase of PKI migration. As organizations move to a full PKI, digital certificates are used at the central site and on remote users' desktops. Certain implementations of XAuth give companies the option to combine legacy authentication methods with digital certificates. XAuth is an additional exchange that runs after IKE Phase 1 completes, and it gives remote users two-factor authentication: the digital certificate authenticates the user's machine or desktop, while a password or token binds a person to that digital ID and authorizes network access. Note that XAuth adds a factor on top of whatever Phase 1 provided; it does not repair a weak Phase 1 such as one group key shared by all users. VPN implementations using XAuth let network managers control authentication policy centrally on a group-level basis, synchronizing and enforcing policy changes out to remote users' desktops as the organization moves from passwords to digital certificates.
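The two exchanges described above, Hybrid Auth (gateway certificate plus a legacy user credential) and XAuth on top of mutual certificates, as an added Go example written for this article. It is not code from the original page or from Indus River Networks' products. It models IKE Phase 1 with self-signed certificates and uses a map in place of a RADIUS or SecurID server (both assumptions, as is the hostname vpn.example.com), and it shows the check that matters most in the hybrid case: the client validates the gateway's certificate before the user's password is released.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// identity is a key pair plus a self-signed certificate. Assumption: a real
// deployment enrolls each identity with the enterprise CA instead.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newIdentity(cn string) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &identity{key, must(x509.ParseCertificate(der))}
}

// transcript stands in for what the IKE SIG payload covers (nonces and role).
func transcript(nonces []byte, role string) []byte {
	h := sha256.Sum256(append([]byte(role), nonces...))
	return h[:]
}

// certAuth chains the peer certificate to a trust store, then checks its signature.
func certAuth(cert *x509.Certificate, trust *x509.CertPool, digest, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest, sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// phase1 models IKE Phase 1. client == nil is Hybrid Auth: only the gateway proves
// itself with a certificate and the client stays unauthenticated until the user
// exchange. With a client identity both sides sign (the full-PKI case XAuth extends).
func phase1(gw *identity, clientTrust *x509.CertPool, client *identity, gwTrust *x509.CertPool) error {
	nonces := make([]byte, 32) // Ni || Nr
	rand.Read(nonces)
	sigR := must(ecdsa.SignASN1(rand.Reader, gw.key, transcript(nonces, "R")))
	if err := certAuth(gw.cert, clientTrust, transcript(nonces, "R"), sigR); err != nil {
		return fmt.Errorf("client rejects gateway: %w", err)
	}
	if client == nil {
		return nil
	}
	sigI := must(ecdsa.SignASN1(rand.Reader, client.key, transcript(nonces, "I")))
	if err := certAuth(client.cert, gwTrust, transcript(nonces, "I"), sigI); err != nil {
		return fmt.Errorf("gateway rejects client: %w", err)
	}
	return nil
}

// legacyBackend stands in for the RADIUS or SecurID server the gateway already
// talks to: username -> hash of password (a token code is checked the same way).
type legacyBackend map[string][32]byte

func credHash(user, secret string) [32]byte { return sha256.Sum256([]byte(user + ":" + secret)) }

// connect is the whole login. The user credential is released only after Phase 1
// succeeded, so a gateway the client does not trust never sees it.
func connect(gw *identity, clientTrust *x509.CertPool, client *identity, gwTrust *x509.CertPool,
	backend legacyBackend, user, secret string) error {
	if err := phase1(gw, clientTrust, client, gwTrust); err != nil {
		return err
	}
	if want, ok := backend[user]; !ok || want != credHash(user, secret) {
		return fmt.Errorf("user challenge failed for %q", user)
	}
	return nil
}

func main() {
	gw, trust := newIdentity("vpn.example.com"), x509.NewCertPool() // hostname is an assumption
	trust.AddCert(gw.cert)
	backend := legacyBackend{"alice": credHash("alice", "correct horse")} // constructed user store
	fmt.Println("hybrid auth:", connect(gw, trust, nil, nil, backend, "alice", "correct horse"))
	fmt.Println("rogue gateway:", connect(newIdentity("vpn.example.com"), trust, nil, nil, backend, "alice", "correct horse"))
}
```

Calling connect with a nil client identity is the Hybrid Auth login; passing a client identity and a gateway trust store is the mutual-certificate login that XAuth adds the password to. A gateway whose certificate does not chain to the client's trust store fails in phase1, before the backend is ever consulted.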

The Hybrid Auth and XAuth extensions are especially beneficial when digital certificates are the authentication method for VPNs. The benefits they promise, greater manageability, stronger authentication, protection of legacy system investments and a more practical path to PKI, give them a good chance of becoming IETF standards. Companies would do well to ensure that the VPNs they are deploying support Hybrid Auth and XAuth.

Silvia is senior product manager at Indus River Networks, a developer of remote access products. She can be reached at lsilvia@indusriver.com