Security is a very important element in today’s network. The number of people trying to penetrate and disrupt you network is growing by the day, both internally and externally. The consolidation of servers into the data center is especially bothersome, as it tends to place your high-priority targets into one location. It’s very important to find a way to keep that data secure from as many intruders as possible.
The trend recently has been to use virtual private networks (VPNs) to secure communications between users and critical data sources. Whether it be a remote access VPN for teleworkers or an internal VPN for HIPAA or PCI compliance, securing data with an encrypted tunnel is the fastest and easiest method of protection. However, in many cases the administrators use inherently insecure on non-scalable methods of VPN authentication, such as pre-shared keys (PSK). PSK works well with very small deployments or with very static equipment that requires few changes or little turnover/replacement. The main problem with using PSK is that it doesn’t scale very well, plus the method of distribution leaves a lot be desired. You write the PSK down in a file for someone to configure and it’s just as insecure as writing it down on a sticky note. In order to really have a secure and scalable design, you must involve a public key infrastructure (PKI) at some point. I was somewhat familiar with PKI from my security training, but my depth of knowledge at implementing it on Cisco equipment was rather shallow.
As luck would have it, Cisco Press asked for volunteers to review books and I jumped at the chance. Imagine my surprise when a shiny new book showed up on my desk. PKI Uncovered is a new book from Cisco Press that looks to give the average Cisco enginee….rock star a crash course in PKI and the many implementations it has in the networking space. What follows is my review of this book.
The first section is an overview of PKI basics for the non-security people. If you are a CISSP, CCSP, or any other conglomeration of security acronyms, these chapters will be review. The importance of using PKI, along with the differentiations between it and symmetric key encryption are laid out. As well, the hierarchy of certification authorities (CA) are laid out with great detail. Once we get past the review, it’s time to delve into the nuts and bolts of implementation.
The second section of the book looks at specific deployment scenarios where PKI would be useful. Chapter 5 is the generic model that the other chapters build on, so the most basic ideas of deployment and chaining CAs are presented. In the following chapters, more specific needs are addressed, from large scale implementations of PKI used with GETVPN in site-to-site design to remote access with ASAs and IOS VPN. As well, more application focused examples on 802.1x NAC and CUCM phone security are presented. These chapters give great examples to follow along with as well as detailed output of the process at each step. The troubleshooting sections at the end of each chapter are also well written, and could be very useful if you find yourself staring down a real head scratcher. The final two chapters are presented more as a case study where the previous examples are used to illustrate deployments with Cisco Virtual Office or Cisco Security Manager. They help tie everything together and allow you to see the building blocks in action.
Overall, I found this book a very quick and easy read. It clocks in at less than 250 pages, which is practically a white paper. It never assumes that you are a PKI expert and does a great job of letting you wade in before you get to the real meat of the example deployments.
The middle of the book will be the most used section, dog-eared and well-worn from hours of reference. I think this will be how I use it the most, as a quick reference guide for my future PKI deployments. It’s a simple matter to work through the configuration examples and make sure your output matches the generous output examples. The case studies at the end are less compelling, as I doubt I’ll find myself in those kinds of deployment scenarios any time soon.
Overall, I’d recommend this as one to pick up if you have any desire to learn about PKI and its implementation on Cisco devices or feel that you’ll be implementing it any time in the immediate future.
This book was provided to me by Cisco Press at no cost for evaluation. It came with no promise of consideration for a review. The ideas and opinions expressed in this review are mine and mine alone and provided freely for the use and consideration of my audience.