PKI for medium scale network operations
Routers, IP phones, VPN, etc are starting to get reasonable support for certificates. So network operators may need some PKI as part of their infrastructure (rather than the traditional application-layer PKI such as Web/SSL).

But there seems to be only two choices for Public Key Infrastructure. The do it yourself crowd which requires a lot of expertise just to keep running, and the we'll do everything for you crowd which is massive in scale and price.

Have any network operators found something in between? Simple enough that after it is set up, an administrative person can handle the day to day operation. But not so expensive, you can justify the infrastructure for the relatively certificates being managed? Most network infrastructure is internal, so there is no need for a world-wide PKI for internal stuff.

Microsoft is actually doing an impressive job building it into their systems. Is that the direction network operators are going?
Sean Donelan wrote:
Routers, IP phones, VPN, etc are starting to get reasonable support for certificates. So network operators may need some PKI as part of their infrastructure (rather than the traditional application-layer PKI such as Web/SSL).
But there seems to be only two choices for Public Key Infrastructure. The do it yourself crowd which requires a lot of expertise just to keep running, and the we'll do everything for you crowd which is massive in scale and price.
Have any network operators found something in between? Simple enough that after it is set up, an administrative person can handle the day to day operation. But not so expensive, you can justify the infrastructure for the relatively certificates being managed? Most network infrastructure is internal, so there is no need for a world-wide PKI for internal stuff.
Microsoft is actually doing an impressive job building it into their systems. Is that the direction network operators are going?
PKI is messy, yet necessary, business. I honestly believe that you need to run your own, but what does that mean? And first, do you need it? Do you need your own CA? Do you issue your own smart cards? How do you handle new employees, old employees or expirations? How do you handle integrating the technology and how the heck can you get it all to work?

Now, I'm as far from being a PKI expert as one can be.. erm.. But still, I personally strongly believe in two half-conflicting issues:

1. DO-it-yourself for every organization on the planet is a waste of resources.
2. Allowing others to manage what your organization does is wrong.

So what is the path in the middle? It comes down to size. How much are you willing to invest when considering your needs? I'd first look into if you are actually interested into going for this mess. And even if you want to run your own shop; don't re-invent the wheel, and don't pay someone to do everything for you.

This is rather off-topic, but my inbox is open to anyone.

Gadi.
Most people figured out I was not looking for a "public" CA solution. There is very little reason why internal certificates need to be recognized world-wide, or by anything outside of the internal organization. Also I didn't say it, but I'm not looking to identify natural people. Instead of using community names for SNMP or shared secrets for VPN, an alternative for a network operator is some form of public/private keys.

1. Cisco IOS CA server (http://www.cisco.com/)
2. Microsoft CA software (http://www.microsoft.com/)
3. roCA, based on TinyCA (http://www.intrusion-lab.net/roca/)
4. CATool (http://www.open.com.au/)

The Cisco IOS CA and Microsoft CA have the advantage of being integrated with a lot of each vendor's products. Once set up, both try to simplify on-going maintenance as long as you use their products. roCA and CATool are stand-alone.

Several people pointed out certificates don't fix the compromised device problem. Public/private key pairs are only as secure as the private key. The length of the key doesn't matter if you can get a copy of the private key.
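The products listed above package the same three steps an internal, non-public CA performs for network devices; the following Go program is an added example (not code from this thread or from any of the products named) that creates a self-signed internal root, issues a non-CA certificate to one device, and verifies a device certificate against only that root, so a certificate from any other issuer or for any other hostname is rejected. The CA name "Example Net Ops CA", the P-256 key type, lifetimes and hostnames are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue generates a fresh P-256 key for tmpl and has signer (nil means self-signed) sign it.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil { // root: the new key signs its own certificate
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// IssueCA builds the self-signed internal root; its private key is the whole secret of the scheme.
func IssueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Net Ops CA"}, // assumed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}
// IssueDevice signs a one-year, non-CA certificate for one router or phone named by hostname.
func IssueDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), // IsCA stays false
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}
// Verify is what a peer does: trust only the internal root and insist on the expected hostname.
func Verify(root, dev *x509.Certificate, hostname string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := dev.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}
```

The device's private key returned by IssueDevice is the part that has to stay on the device; whoever copies it, or the root key, gets everything the certificate grants, which is the compromised-device point made in the thread.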
[snip]
organization. Also I didn't say it, but I'm not looking to identify natural people.
[snip]
The Cisco IOS CA and Microsoft CA have the advantage of being integrated with a lot of each vendor's products. Once set up, both try to simplify on-going maintenance as long as you use their products. roCA and CATool are stand-alone.
Several people pointed out certificates don't fix the compromised device problem. Public/private key pairs are only as secure as the private key. The length of the key doesn't matter if you can get a copy of the private key.
It all sounds reasonable, except for one thing. PKI being the mess that it can be... it might be within reason to explore the general world of PKI, because building two separate infrastructures would potentially be a serious waste of resources. As to the security of the devices themselves, there is no easy solution (and believe me, I tried!). As long as the authentication mechanism is stored locally at the front lines, the risk will always be higher. You *could* use a third box to authenticate both, but I find that idea wasteful. You could use one third box to authenticate all devices, but I personally find that a risk by itself. I didn't figure this out yet. Gadi.
I, like Gadi, am certainly no PKI expert. I've seen folks get badly burned by this fire though... On Sat, 26 Mar 2005, Sean Donelan wrote:
Most people figured out I was not looking for a "public" CA solution. There is very little reason why internal certificates need to be recognized world-wide, or by anything outside of the internal organization. Also I didn't say it, but I'm not looking to identify natural people.
Kerb could also do this for you, routers (IOS at least) already support Kerb for authentication... So does *nix, NT/XP/2K/2k3, MacOSX. Does this meet the need for authentication type things?
Instead of using community names for SNMP or shared secrets for VPN, an alternative for a network operator is some form of public/private keys.
You could, I'm fairly certain, hack in kerb auth to VPN clients and possibly to SNMP, though I admit to not being an ASN.1 expert either :( (kerb and snmp use this in their packing methods, right?)
Several people pointed out certificates don't fix the compromised device problem. Public/private key pairs are only as secure as the private key. The length of the key doesn't matter if you can get a copy of the private key.
It's the compromised device problem that was the white-hot-flame-of-love for the last PKI deployment I witnessed in action... Anyway, Kerberos? Might it also be considered for your situation? -Chris
participants (3): Christopher L. Morrow, Gadi Evron, Sean Donelan