North American Network Operators Group
Re: PKI for medium scale network operations
- From: Gadi Evron
- Date: Sat Mar 26 04:37:47 2005
organization. Also I didn't say it, but I'm not looking to identify
It all sounds reasonable, except for one thing.
The Cisco IOS CA and Microsoft CA have the advantage of being
integrated with a lot of each vendor's products. Once set up,
both try to simplify on-going maintenance as long as you use
their products. roCA and CATool are stand-alone.
Several people pointed out certificates don't fix the compromised
device problem. Public/private key pairs are only as secure as the
private key. The length of the key doesn't matter if you can get
a copy of the private key.
PKI being the mess that it can be... it might be within reason to
explore the general world of PKI, because building two separate
infrastructures would potentially be a serious waste of resources.
As to the security of the devices themselves, there is no easy solution
(and believe me, I tried!).
As long as the authentication mechanism is stored locally at the front
lines, the risk will always be higher.
You *could* use a third box to authenticate both, but I find that idea
wasteful. You could use one third box to authenticate all devices, but I
personally find that a risk by itself.
I haven't figured this out yet.