Introduction

With the increasing focus on IT security comes a higher demand for identity management in the modern business. This requires a flexible, scalable, and secure authentication method. Identity control is made mandatory by many public standards, such as PCI, and PKI is an essential component for setting up authentication in many technologies, such as VPN. Public Key Infrastructure (PKI) plays a key role in achieving the required degree of security and scalability. Other approaches have been either scalable but not secure, or secure but not scalable. Not only does PKI provide the framework for security and scalability, it is also a standard that will remain adaptable for the coming years. This book’s unique approach illustrates the techniques for applying PKI to practical solutions while developing the foundational concepts of the technology. Consequently, this book makes deploying this complex and essential technology simple.

Goals and Methods

This book is tailored to enable you to deploy PKI-based solutions in a simple, efficient, and manageable way. The book achieves this goal by taking a layered approach. First, it presents the foundations of PKI to ensure that you have the theoretical background required to properly understand the mechanisms. Then the book modularly carries those foundations into generic design considerations: The goal is to help you make the choices most suitable for the targeted environment; guidance is provided by sharing best practices and experience acquired in production customer deployments. Those design modules are pieced together into hierarchical models, which are then applied to comprehensive solutions. Throughout the book, troubleshooting sections are included to ensure smooth implementations and to help you gain a deep understanding of the internals.

Who Should Read This Book?

This book has been written primarily for enterprise network security designers, planners, architects, operators, and support personnel. These are the people responsible for design, deployment, and support, and they will find the topic, scope, and level of detail beneficial. The book’s structure is layered, starting from foundational topics, moving toward high-level architectures, and finally into detailed designs. This layered and modular approach can benefit both the intermediate reader and the advanced reader, as well as individuals seeking a practical view of PKI. They can read the modules of interest or start from the beginning and learn the solutions throughout.

This book is also of interest to the user and purchaser of enterprise networks, including IT directors and CIOs or CTOs in small, medium-sized, and large enterprises and network engineers and support staff. Technical sales personnel both at network vendors and their integration partners can also greatly benefit from this book.

How This Book Is Organized

Although this book could be read cover-to-cover, it is designed to be flexible and enable you to easily move between chapters and sections of chapters to cover just the material that you need. Chapter 1, “Crypto Refresh,” provides an overview of the encryption-related technologies to provide a foundation and review of core concepts. Chapters 2 through 11 can be covered out of order; however, they are designed to build on each other. If you intend to read them all, the order in the book is an excellent sequence to use.

The book is broken out into three major sections. The first section provides theoretical knowledge and background. The second section covers design principles and solutions. The third section discusses case studies for PKI and specific use cases. Chapters 2 through 11 cover the following topics:

Chapter 2, “Understanding PKI Building Blocks”—Discusses the criteria for placing the foundational pieces used to build a PKI, including certificates and certificate authorities.

Chapter 3, “PKI Processes and Procedures”—Discusses the basic processes required for a PKI to function, including enrollment, expiration, renewal, verification, and enforcement.

Chapter 4, “Troubleshooting”—Covers how to troubleshoot basic PKI deployments, specifically key generation problems, enrollment problems, and certificate verification problems.

Part II: Design and Solutions

Chapter 5, “Generic PKI Designs”—Starts by covering a basic, small-scale PKI design. It then covers a more involved hierarchical design, which is common among complex and larger deployments.

Chapter 6, “Integration in Large-Scale Site-to-Site VPN Solutions”—Covers the two most popular large-scale VPN deployments using certificates and examines how to deploy GET-VPN and DMVPN using PKI.

Chapter 7, “Integration in Remote Access VPN Solutions”—Covers remote access VPN solutions. It covers ASA-based IPsec VPN remote access connections, ASA SSL VPN, and the Cisco VPN client.

Chapter 8, “Using 802.1x Certificates in Identity-Based Networking”—Covers the basics of how to deploy certificates to control access at the switchport level.

Chapter 9, “PKI in Unified Communications”—Covers the use of certificates in IPT-based systems to drive identity. This chapter covers the Call Manager and IP phone implementations of certificates.

Part III: Case Studies

Chapter 10, “Understanding Cisco Virtual Office Overview”—Builds upon previous chapters’ topics and weaves together a variety of certificate-based solutions. This chapter uses 802.1x, DMVPN, and PKI architecture to build a cohesive virtual office solution.

Chapter 11, “Deploying VPNs with PKI Using Cisco Security Manager”—Covers the use of Cisco Security Manager for PKI-based systems. It also covers how to migrate from preshared keys for IKE authentication to PKI.
