If company sites are to be networked via Virtual Private Networks (VPNs), Funkwerk Enterprise Communications (FEC) recommends using IPsec connections with certificates, so that the essential properties of the transfer, namely the confidentiality of the transmitted information, the authenticity of the communication partners and the integrity of the data, are all protected.
IPsec connections with certificates are safer and easier to implement than the commonly used method of pre-shared keys (PSK), i.e. keys exchanged between the communication partners in advance. Certificate-based IPsec is very frequently used to network several company sites with VPNs. The entire bintec IP Access (router) product range from Funkwerk Enterprise Communications GmbH, a company of Funkwerk AG, permits the setup of VPN IPsec connections on the basis of certificates.
With certificate-based authentication, the system determines the identity of a subscriber through inquiries to so-called “Certification Authorities” (CAs). The exchange of pre-shared keys is therefore not required, as the authenticity of the remote end is established by the certification authority. Subscribers can also exchange data with “unknown persons” whose keys are not available to them. A further advantage is that manual key handling is no longer necessary: with pre-shared keys, if a key has to be replaced, for instance because its strength no longer suffices, distributing the new key causes considerable effort that grows with the size of the network.
With certificate-based IPsec, the distribution of new keys to all subscribers is no longer required. Instead, certificates can be revoked, as a rule by the CA, which publishes the revocation data for routers and other connection devices to query. With bintec routers, a company can additionally classify a certificate individually as invalid in its own router and terminate the data connection accordingly. Particularly in networks with many communication partners, the maintenance effort for secure data transfer is consequently reduced in comparison to the PSK procedure.
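As an added illustration (not Funkwerk's or bintec's code, and not the vendor's API), the following Go program models the three decisions a VPN gateway makes under the scheme described above: a peer's certificate must chain to a trusted CA, it must not appear in the revocation data the CA publishes (a CRL whose signature the gateway verifies), and the administrator can additionally mark an individual certificate invalid on the device. The PKI it operates on is constructed in memory: one CA, three branch-office certificates, a stranger's self-signed certificate that copies a branch's name, and a CRL revoking one branch. The `Gateway` type, its methods and the sample names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// PeerStatus is the outcome of authenticating an IPsec peer's certificate.
type PeerStatus string
const (
	PeerTrusted        PeerStatus = "trusted"
	PeerUntrustedChain PeerStatus = "chain-not-trusted" // no path to a trusted CA, or outside validity period
	PeerRevokedByCA    PeerStatus = "revoked-by-ca"     // serial number listed in the CA's CRL
	PeerLocallyBlocked PeerStatus = "locally-blocked"   // serial number marked invalid on this device only
)

// Gateway (hypothetical type, not a vendor API) holds one VPN gateway's trust state.
type Gateway struct {
	roots      *x509.CertPool       // CA certificates this gateway trusts
	crl        *x509.RevocationList // latest CRL fetched from the CA
	localBlock map[string]bool      // decimal serial numbers the administrator marked invalid here
}

// NewGateway trusts caCert and accepts the CRL only if that CA signed it.
func NewGateway(caCert *x509.Certificate, crlDER []byte) (*Gateway, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Gateway{roots: roots, crl: crl, localBlock: map[string]bool{}}, nil
}

// Authenticate checks, in order: chain to a trusted CA, revocation by the CA, local block list.
func (g *Gateway) Authenticate(peer *x509.Certificate, now time.Time) PeerStatus {
	opts := x509.VerifyOptions{Roots: g.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return PeerUntrustedChain
	}
	for _, rc := range g.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return PeerRevokedByCA
		}
	}
	if g.localBlock[peer.SerialNumber.String()] {
		return PeerLocallyBlocked
	}
	return PeerTrusted
}

// must panics on error; it keeps the constructed PKI setup below short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl returns a minimal certificate template valid from one hour ago for one year.
func tmpl(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour)}
}

// issue signs template with signer's key (parent == template gives a self-signed cert) and parses the DER.
func issue(template, parent *x509.Certificate, subject, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, template, parent, &subject.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// Demo builds a constructed PKI in memory (sample data, not real sites) and returns each peer's status.
func Demo() map[string]PeerStatus {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, caTmpl := newKey(), tmpl(1, "Example VPN CA", now)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	caCert := issue(caTmpl, caTmpl, caKey, caKey)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), // the CA revokes branch-b's serial number 1002
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1002), RevocationTime: now}}}, caCert, caKey))
	gw := must(NewGateway(caCert, crlDER))
	gw.localBlock["1003"] = true // the administrator classifies branch-c as invalid on this router only
	results := map[string]PeerStatus{} // branch-a stays valid, branch-b is revoked, branch-c is blocked locally
	for name, serial := range map[string]int64{"branch-a": 1001, "branch-b": 1002, "branch-c": 1003} {
		results[name] = gw.Authenticate(issue(tmpl(serial, name, now), caCert, newKey(), caKey), now)
	}
	rogueKey, rogueTmpl := newKey(), tmpl(1001, "branch-a", now) // stranger's self-signed cert copying branch-a's identity
	results["rogue"] = gw.Authenticate(issue(rogueTmpl, rogueTmpl, rogueKey, rogueKey), now)
	return results
}
```

The rogue certificate shows why no key exchange with the remote side is needed: copying a legitimate name and serial number does not help, because only a certificate signed by the trusted CA passes the chain check. The CRL is accepted only after its signature is verified against that CA, so tampered revocation data is rejected rather than trusted. A production gateway would also refetch the CRL before its `NextUpdate` and treat a CRL past that time as unusable, since revocation is only as current as the data the device holds.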