PKI for medium scale network operations

Routers, IP phones, VPN, etc are starting to get reasonable support
for certificates. So network operators may need some PKI as part
of their infrastructure (rather than the traditional application-layer
PKI such as Web/SSL).

But there seems to be only two choices for Public Key Infrastructure. The
do it yourself crowd which requires a lot of expertise just to keep
running, and the we'll do everything for you crowd which is massive
in scale and price.

Have any network operators found something in between? Simple enough
that after it is set up, an administrative person can handle the day
to day operation. But not so expensive, you can justify the
infrastructure for the relatively few certificates being managed?
Most network infrastructure is internal, so there is no need for
a world-wide PKI for internal stuff.

Microsoft is actually doing an impressive job building it into
their systems. Is that the direction network operators are going?

Sean Donelan wrote:

> Routers, IP phones, VPN, etc are starting to get reasonable support
> for certificates. So network operators may need some PKI as part
> of their infrastructure (rather than the traditional application-layer
> PKI such as Web/SSL).
>
> But there seems to be only two choices for Public Key Infrastructure. The
> do it yourself crowd which requires a lot of expertise just to keep
> running, and the we'll do everything for you crowd which is massive
> in scale and price.
>
> Have any network operators found something in between? Simple enough
> that after it is set up, an administrative person can handle the day
> to day operation. But not so expensive, you can justify the
> infrastructure for the relatively few certificates being managed?
> Most network infrastructure is internal, so there is no need for
> a world-wide PKI for internal stuff.
>
> Microsoft is actually doing an impressive job building it into
> their systems. Is that the direction network operators are going?

PKI is a messy, yet necessary, business. I honestly believe that you need to run your own, but what does that mean? And first, do you need it?

Do you need your own CA? Do you issue your own smart cards? How do you handle new employees, old employees or expirations? How do you handle integrating the technology and how the heck can you get it all to work?

Now, I'm as far from being a PKI expert as one can be.. erm..
But still, I personally strongly believe in two half-conflicting issues:
1. DO-it-yourself for every organization on the planet is a waste of resources.
2. Allowing others to manage what your organization does is wrong.

So what is the path in the middle?

It comes down to size. How much are you willing to invest when considering your needs? I'd first look into whether you are actually interested in going for this mess. And even if you want to run your own shop; don't re-invent the wheel, and don't pay someone to do everything for you.

This is rather off-topic, but my inbox is open to anyone.

  Gadi.

Most people figured out I was not looking for a "public" CA solution.
There is very little reason why internal certificates need to be
recognized world-wide, or by anything outside of the internal
organization. Also I didn't say it, but I'm not looking to identify
natural people.

Instead of using community names for SNMP or shared secrets for VPN,
an alternative for a network operator is some form of public/private
keys.

1. Cisco IOS CA server (http://www.cisco.com/)
2. Microsoft CA software (http://www.microsoft.com/)
3. roCA, based on TinyCA (http://www.intrusion-lab.net/roca/)
4. CATool (http://www.open.com.au/)

The Cisco IOS CA and Microsoft CA have the advantage of being
integrated with a lot of each vendor's products. Once set up,
both try to simplify on-going maintenance as long as you use
their products. roCA and CATool are stand-alone.

Several people pointed out certificates don't fix the compromised
device problem. Public/private key pairs are only as secure as the
private key. The length of the key doesn't matter if you can get
a copy of the private key.
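The four options above are all packaged products. To make concrete what the "do it yourself" end of the spectrum minimally involves for an internal, device-only PKI of the kind described here, the following is an added example (not from the thread, and not the code of any product listed above) using only the openssl command line. It builds a self-signed internal root, issues a certificate for a router, verifies it, then revokes it and shows a CRL-aware verification rejecting it, which is the operational answer to the compromised-device point: you cannot make a stolen private key secure again, but you can stop trusting it. The CA name, the hostname rtr1.example.internal and the WORK scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal internal-only CA built with
# the openssl CLI. It issues a device certificate, verifies it, then revokes
# it and shows the CRL check failing. "Example Internal Root CA" and
# rtr1.example.internal are constructed placeholders; WORK is scratch space.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca: write one config that serves both "openssl req" and "openssl ca",
# create the bookkeeping files "openssl ca" needs, and self-sign the root.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = internal_ca
[ internal_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = internal_policy
[ internal_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = Example Internal Root CA
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_device ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  : > "$WORK/index.txt"          # the CA's database of issued certs
  echo 1000 > "$WORK/serial"     # next certificate serial number
  echo 1000 > "$WORK/crlnumber"  # next CRL number
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_device_cert NAME: key and CSR generated "on the device", then signed
# by the CA with end-entity extensions only (CA:FALSE).
issue_device_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/dev.key" -out "$WORK/dev.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions v3_device \
    -in "$WORK/dev.csr" -out "$WORK/dev.crt" 2>/dev/null
}

# check_cert: plain chain validation against the root (exit 0 = accepted).
check_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/dev.crt" >/dev/null 2>&1
}

# revoke_device_cert: the response to a lost or compromised device. Marks the
# cert revoked in the CA database and publishes a fresh CRL.
revoke_device_cert() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/dev.crt" \
    -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# check_cert_with_crl: validation that also consults the CA's CRL; relying
# parties that skip this step keep trusting a revoked key.
check_cert_with_crl() {
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/chain.pem"
  openssl verify -crl_check -CAfile "$WORK/chain.pem" "$WORK/dev.crt" >/dev/null 2>&1
}

demo() {
  make_ca
  issue_device_cert rtr1.example.internal
  check_cert && echo "fresh device cert: accepted"
  revoke_device_cert
  if check_cert_with_crl; then
    echo "revoked cert still accepted (verifier ignored the CRL)"
  else
    echo "revoked device cert: rejected by CRL check"
  fi
}
demo
```

The point of the last two functions is that revocation only helps if every relying party (the VPN concentrator, the management station) actually fetches and checks the CRL; a plain `openssl verify` against the root still accepts the revoked certificate.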

> [snip]
>
> organization. Also I didn't say it, but I'm not looking to identify
> natural people.
>
> [snip]
>
> The Cisco IOS CA and Microsoft CA have the advantage of being
> integrated with a lot of each vendor's products. Once set up,
> both try to simplify on-going maintenance as long as you use
> their products. roCA and CATool are stand-alone.
>
> Several people pointed out certificates don't fix the compromised
> device problem. Public/private key pairs are only as secure as the
> private key. The length of the key doesn't matter if you can get
> a copy of the private key.

It all sounds reasonable, except for one thing.
PKI being the mess that it can be... it might be within reason to explore the general world of PKI, because building two separate infrastructures would potentially be a serious waste of resources.

As to the security of the devices themselves, there is no easy solution (and believe me, I tried!).
As long as the authentication mechanism is stored locally at the front lines, the risk will always be higher.

You *could* use a third box to authenticate both, but I find that idea wasteful. You could use one third box to authenticate all devices, but I personally find that a risk by itself.
I didn't figure this out yet.

  Gadi.

I, like Gadi, am certainly no PKI expert. I've seen folks get badly burned
by this fire though...

> Most people figured out I was not looking for a "public" CA solution.
> There is very little reason why internal certificates need to be
> recognized world-wide, or by anything outside of the internal
> organization. Also I didn't say it, but I'm not looking to identify
> natural people.

Kerb could also do this for you, routers (IOS at least) already support
Kerb for authentication... So does *nix, NT/XP/2K/2k3, MacOSX. Does this
meet the need for authentication type things?

> Instead of using community names for SNMP or shared secrets for VPN,
> an alternative for a network operator is some form of public/private
> keys.

You could, I'm fairly certain, hack in kerb auth to VPN clients and
possibly to SNMP, though I admit to not being an ASN.1 expert either :(
(kerb and snmp use this in their packing methods, right?)

> Several people pointed out certificates don't fix the compromised
> device problem. Public/private key pairs are only as secure as the
> private key. The length of the key doesn't matter if you can get
> a copy of the private key.

It's the compromised device problem that was the white-hot-flame-of-love
for the last PKI deployment I witnessed in action... Anyway, Kerberos?
Might it also be considered for your situation?

-Chris