PKI, firewalls and VPNs
Two common criticisms of public-key infrastructure are that digital certificates authenticate only the holder's identity, not the holder's access rights, and that PKI does nothing to encrypt communications.
Although work is underway to develop access control using PKI attribute authorities, firewalls remain the conventional means of access control, while VPNs remain the standard means of ensuring privacy through encryption.
Actually, VPNs and PKI are complementary; one doesn't replace the other. The Internet Key Exchange elements of the IP Security standard recommend the use of digital certificates for authenticating requests to set up secure sessions. This is preferable to static authentication methods, such as using preshared keys, because session partners don't require prior knowledge of one another's secret keys to set up a tunnel.
PKI and firewalls are less complementary when it comes to access control. While few seriously advocate eliminating firewalls from the security arsenal, PKI offers three benefits over firewalls.
First, digital certificates record the identity of every user of a given service. The implications for capacity planning, marketing and security auditing are obvious.
Second, certificates have the advantage of portability, in that a user can come from anywhere. In contrast, firewalls typically grant access only to specific IP addresses, networks or domains.
Finally, revocation can be distributed much more quickly with certificates. In the firewall case, updating access policies requires changes to the rule sets of dozens or even hundreds of devices. In contrast, PKI relies on certificate revocation lists stored on centralized certificate authorities. Revoking one certificate or even 1 million certificates only needs to be done once.
On the downside, using digital certificates requires PKI-awareness by every resource a user wants to reach. And integrating PKI into mission-critical applications and network equipment is a daunting task. A number of service bureaus focus specifically on this problem, but the current low rate of PKI adoption is attributable mainly to the complexity of integration issues.
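As an added example (not code from the article), the revocation path described above using Go's standard library: a constructed test CA signs a single CRL, and a PKI-aware resource accepts that list only after checking the CA's signature and the list's currency, so a tampered or stale CRL is rejected rather than read as "not revoked". The names NewCAWithCRL, IsRevoked and "Example Test CA" are assumptions of this example; it needs Go 1.21 or later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// NewCAWithCRL builds a constructed self-signed test CA and has it sign one CRL listing the given serials.
func NewCAWithCRL(revoked ...*big.Int) (ca *x509.Certificate, crlDER []byte, err error) {
	// Fixed all-zero seed: a deliberately fake key so the fixture is reproducible. Never do this for a real CA.
	now, key := time.Now(), ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(der); err != nil {
		return nil, nil, err
	}
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked { // one list for the whole CA: revoking a certificate means adding its serial here, once
		crl.RevokedCertificateEntries = append(crl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: s, RevocationTime: now})
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crl, ca, key)
	return ca, crlDER, err
}

// IsRevoked is the relying-party check: the CRL counts only if the trusted CA signed it and it is still current at time at.
func IsRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int, at time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || at.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL rejected (signature error: %v, next update: %s)", err, crl.NextUpdate)
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(serial) == 0
	}), nil
}
```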
Newman is president of Network Test, an independent benchmarking and network design consultancy in Westlake Village, Calif. He can be reached at dnewman@networktest.com.
Newman is also a member of the Network World Global Test Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Test Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.