11-07-2012 02:11 AM - edited 02-21-2020 06:28 PM
Hi all,
I'm trying to get a general idea of what best practices there are for securing Internet-facing Sub-CA servers in a DMVPN.
For example:
What is done to control that only the Spokes are allowed to request a certificate?
What should be considered if the Sub-CA is a Microsoft CA server instead of a Cisco router? Pros and Cons here?
General tips. :-)
Thanks.
11-07-2012 08:43 AM
Mikael,
In general:
- Host CDP/CRL externally, not on the CA/subCA (make sure the CA/subCA writes it to an external location and make sure this location has some fault tolerance!!).
This way, a temporary failure of the CA/SubCA or the CDP location will not cause a meltdown.
- Protect CA/subCAs; you can use an RA.
- Staged approach. For example: Use one set of CA/subCAs to establish initial management tunnel, enroll to PROTECTED CA/SubCA over management tunnel. Form data tunnel protected by authentication using the protected CA/subCA.
- Use DNS and not IP addresses.
- edit: Use SCEP, and make sure your CA/subCA supports enrollment and re-enrollment via SCEP. It saves a lot of time managing.
- MS CA is a good one and getting better, but used to allow some flexibility where it should not (in structuring of certificates).
- Export RSA keys and certificates from CAs and subCAs (and RAs?) and store them somewhere secure (possibly a shut-down PC somewhere with disk encryption). Repeat the process every time they change. It makes it easier to recover from certain failures.
Plan on deploying FlexVPN rather than DMVPN, unless you have some compelling arguments for DMVPN (like old platform support).
A few tips from the top of my head,
M.
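The staged approach, external CDP and SCEP enrollment described in the reply above, written out as an IOS CLI fragment. This is an added example and not configuration from the post or from any real deployment; every hostname, IP address, trustpoint label, key label and certificate-map name is an assumption chosen for illustration.

```cisco
! ---- Stage 1: bootstrap (management) CA on an IOS router, reachable from the Internet ----
! Assumed hostname mgmt-ca, assumed FTP database host 10.0.0.5, assumed CDP web host pki.example.com
crypto pki server MGMT-CA
 database level complete
 ! Database lives off-box so the CA can be rebuilt after a failure
 database url ftp://10.0.0.5/pki/mgmt-ca
 issuer-name CN=mgmt-ca.example.com,O=Example
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! CDP points at an external, redundant web server, never at the CA itself
 cdp-url http://pki.example.com/mgmt-ca.crl
 ! No "grant auto": every request must be approved by hand or carry a one-time password
 no shutdown

! ---- Spoke (assumed hostname spoke1): SCEP enrollment to the bootstrap CA ----
crypto pki trustpoint MGMT-CA
 enrollment url http://mgmt-ca.example.com:80
 subject-name CN=spoke1.example.com,OU=spokes,O=Example
 ! Key is generated at enrollment time with the given modulus
 rsakeypair SPOKE-MGMT 2048
 revocation-check crl
 ! Re-enroll via SCEP at 70% of certificate lifetime with a fresh key pair
 auto-enroll 70 regenerate

! ---- Exec-mode steps for a single spoke's first enrollment ----
! On the CA: a one-time SCEP challenge password, valid 30 minutes, given to the spoke out of band
mgmt-ca# crypto pki server MGMT-CA password generate 30
! On the spoke: fetch and fingerprint-check the CA certificate, then request a certificate
spoke1# crypto pki authenticate MGMT-CA
spoke1# crypto pki enroll MGMT-CA
! On the CA: inspect the pending request and approve it by request ID (here assumed to be 1)
mgmt-ca# crypto pki server MGMT-CA info requests
mgmt-ca# crypto pki server MGMT-CA grant 1

! ---- Stage 2: over the management tunnel, enroll with the protected CA ----
! Assumed internal address 10.255.0.10 is reachable only through the management tunnel
crypto pki trustpoint PROD-CA
 enrollment url http://10.255.0.10:80
 subject-name CN=spoke1.example.com,OU=spokes,O=Example
 rsakeypair SPOKE-PROD 2048
 revocation-check crl
 auto-enroll 70 regenerate

! Only certificates issued by the protected CA may authenticate the data tunnel
crypto pki certificate map CERTMAP-PROD 10
 issuer-name co prod-ca.example.com
crypto isakmp profile DMVPN-DATA
 ca trust-point PROD-CA
 match certificate CERTMAP-PROD
```

The point of the two trustpoints is that a spoke enrolled only with MGMT-CA can bring up the management tunnel but cannot match CERTMAP-PROD, so it never forms a data tunnel until it has been enrolled with PROD-CA from inside the management tunnel. The one-time password plus manual `grant` is what stops an arbitrary Internet host from obtaining a certificate from the exposed bootstrap CA.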
11-15-2012 01:15 PM
More questions :-)
About authenticating the spoke before requesting a certificate, how would I do that?
Is there more than a staged approach? Like a fixed password etc.?
Thinking of both IOS CA and MS CA.
Do you know of any config examples for a staged approach?
Thanks.
Mikael