“IPSec is beginning to support key business and technology objectives such as B2B extranet backbones and dial-access VPNs for remote computing. Despite the security and operational benefits of a VPN, the problem of authenticating client entities for access control decisions remains a risk management issue. To provide needed protection in specific situations, many system designers have recommended that authorization services be placed at the application layer. This approach, using security-specific APIs to shunt security services into existing application code, can be a lengthy process. Conducting identity authentication and authorization of client entities (a person or program) within the encrypted network tunnel, similar to the Secure Sockets Layer (SSL) model, has widespread application and works to protect specialized content (such as a login dialogue box) on Web servers.”
“But safeguarding access to critical infrastructure such as B2B extranet gateways requires a finer-grained solution. Enter the role of digital certificates for securing and controlling access to enterprise resources.”
“As network engineers are gaining experience in securing point-to-point IPSec tunnels with “pre-shared secrets”, a number of security and operational gaps remain. One is the need for a certificate management protocol that Public Key Infrastructure (PKI) clients and Certificate Authorities can use to support the digital certificate life cycle. Critical operations include certificate enrollment and distribution. Also, processing data and queries for certificate revocation lists (CRLs) will be required as VPNs are positioned to secure an increasing array of key enterprise-level business initiatives. The arrival of Cisco’s Simple Certificate Enrollment Protocol (SCEP) is a good first step to achieving this goal.”
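The life-cycle operations the last paragraph names, enrollment and distribution of a client certificate and then CRL processing at the point where a gateway makes its access decision, as an added example in Go. This is not code from the quoted paper nor from Cisco's SCEP implementation; it uses only the standard crypto/x509 package, builds a constructed CA and client certificates in memory in place of a real enrollment exchange, and the CA name, client names, serial numbers and CRL lifetime are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signCert signs tmpl under parent with key and parses the DER back so fields Go
// fills in at creation time (such as the CA's SubjectKeyId) are populated.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a constructed self-signed CA; the crlSign key usage is required to sign CRLs.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Extranet CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return ca, key, err
}

// IssueClient enrolls a client-authentication certificate for name under the CA:
// the enrollment and distribution step a protocol such as SCEP automates in practice.
func IssueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return signCert(tmpl, ca, &key.PublicKey, caKey)
}

// IssueCRL signs a CRL listing the revoked certificates; it is usable until NextUpdate (now + lifetime).
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*x509.Certificate, lifetime time.Duration) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(lifetime)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// VerifyClient is the gateway-side access decision: the certificate must chain to the CA,
// carry the client-auth usage, and be absent from a CA-signed CRL that is still fresh.
// A missing, malformed, forged or stale CRL fails closed rather than open.
func VerifyClient(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("no usable CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by our CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale since %s; refusing to decide on old revocation data", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %q (serial %s) is revoked", cert.Subject.CommonName, cert.SerialNumber)
		}
	}
	return nil
}
```

Call order mirrors the life cycle: NewCA once, IssueClient per VPN client, IssueCRL whenever a client must be cut off, and VerifyClient on every connection attempt. The design choice worth noting is the NextUpdate branch: a gateway that kept honouring a CRL past its validity window would silently stop learning about new revocations, so the check refuses rather than falling back to the chain result alone; the same reasoning makes a missing CRL a denial, not an allow.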