ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv3 – Manage Users, Authentication, and VPN Certificates (page 517)
VPN Certificates Overview
The VPN firewall uses digital certificates (also known as X.509 certificates) during the Internet
Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways
or clients, or to be authenticated by remote entities:
• On the VPN firewall, you can enter a digital certificate when you manually configure an
  IKE policy. For an IKE policy, the digital certificate is referred to as an RSA signature (see
  Authentication Method on page 375).
• On the VPN client, you can enter a digital certificate when you configure authentication.
Digital certificates are also used for secure web access connections over HTTPS (that is,
SSL connections). Digital certificates can either be self-signed or be issued by
certification authorities (CAs) such as an internal Windows server or an external organization
such as Verisign or Thawte.
However, if the digital certificate contains the extKeyUsage extension, the certificate must be
used for one of the purposes defined by the extension. For example, if the digital certificate
contains an extKeyUsage extension that is defined for SNMPv2, the same certificate cannot
be used for secure web management. The extKeyUsage extension governs the certificate
acceptance criteria on the VPN firewall when the same digital certificate is used for
secure web management.
When you upload a digital certificate, the VPN firewall checks the validity and purpose of the
certificate. If the certificate passes the validity test and the purpose matches its use, the VPN
firewall accepts the certificate. The check for the purpose must correspond to its use for
IPSec VPN, SSL VPN, or both. If the defined purpose is for IPSec VPN and SSL VPN, the
digital certificate is uploaded to both the IPSec VPN certificate repository and the SSL VPN
certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is
uploaded only to the IPSec VPN certificate repository.
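The acceptance rule above, as an added example that is not NETGEAR's code: a certificate without extKeyUsage may be used for any purpose, while one that carries the extension is accepted only for a purpose it lists. The purpose names and the sample extension value are constructed here; the DER codec handles only the EKU value (a SEQUENCE OF OBJECT IDENTIFIER with short-form lengths).

```python
# Added example (not NETGEAR's code): the extKeyUsage acceptance rule described
# above, plus a minimal DER codec for the EKU value (SEQUENCE OF OBJECT IDENTIFIER).
EKU = {                                   # RFC 5280 / RFC 4945 purpose OIDs
    "serverAuth": "1.3.6.1.5.5.7.3.1",    # HTTPS / SSL VPN server authentication
    "ipsecIKE":   "1.3.6.1.5.5.7.3.17",   # IKE peer authentication
    "anyEKU":     "2.5.29.37.0",          # anyExtendedKeyUsage: no restriction
}

def _base128(n):
    out = bytearray([n & 0x7F])           # one OID arc, high bit set on all but last byte
    while n := n >> 7:
        out.insert(0, 0x80 | (n & 0x7F))
    return bytes(out)

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return bytes([0x06, len(body)]) + body  # OBJECT IDENTIFIER, short-form length

def encode_eku(dotted_oids):
    body = b"".join(encode_oid(o) for o in dotted_oids)
    return bytes([0x30, len(body)]) + body  # SEQUENCE OF OBJECT IDENTIFIER

def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n); n = 0
    a0 = min(arcs[0] // 40, 2)              # first byte packs the first two arcs
    return ".".join(map(str, [a0, arcs[0] - 40 * a0] + arcs[1:]))

def decode_eku(der):
    if der[:1] != b"\x30": raise ValueError("EKU value must be a SEQUENCE")
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        if der[pos] != 0x06: raise ValueError("expected OBJECT IDENTIFIER")
        length = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def purpose_allowed(eku_der, purpose):
    """eku_der is None when the certificate carries no extKeyUsage extension."""
    if eku_der is None:
        return True  # no EKU: the certificate may be used for any purpose
    oids = decode_eku(eku_der)
    return EKU["anyEKU"] in oids or EKU[purpose] in oids

IKE_ONLY = encode_eku([EKU["ipsecIKE"]])  # constructed sample: IKE-only EKU value
```

With `IKE_ONLY`, `purpose_allowed(IKE_ONLY, "serverAuth")` is False, mirroring the manual's point that a certificate restricted by extKeyUsage is rejected for a use it does not list.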
The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients
and to be authenticated by remote entities. A digital certificate that authenticates a server, for
example, is a file that contains the following elements:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the
  signature is from a trusted third party whose identity can be verified.
You can obtain a digital certificate from a well-known commercial certification authority (CA)
such as Verisign or Thawte or you can generate and sign your own digital certificate.
Because a commercial CA takes steps to verify the identity of an applicant, a digital
certificate from a commercial CA provides a strong assurance of the server’s identity. A
self-signed digital certificate triggers a warning from most browsers because it provides no
protection against spoofing of the server’s identity.
The VPN firewall contains a self-signed digital certificate from NETGEAR. However,
NETGEAR recommends that you replace this digital certificate with a digital certificate from a
well-known commercial CA before you deploy the VPN firewall in your network.