
Public key infrastructure (pki) authentication, Peers, Users – Fortinet FortiGate v3.0 MR7 User Manual



Introduction

FortiGate administrator’s view of authentication

FortiOS v3.0 MR7 User Authentication User Guide, 01-30007-0347-20080828, page 9

Public Key Infrastructure (PKI) authentication

A Public Key Infrastructure (PKI) is a system of policies, processes, and
technologies that work together so that parties on the Internet can exchange
information securely and confidentially. A PKI is built on public key
cryptography: each party holds a key pair consisting of a private key, which it
keeps secret, and a public key, which it can distribute freely. Data encrypted
with one key of the pair can be decrypted only with the other, and a signature
made with the private key can be verified by anyone who holds the public key. A
trusted certificate authority (CA) binds a public key to the identity of an
individual, device, or organization by issuing a digital certificate signed with
the CA's own key. The private key is generated and kept by the certificate
holder; only the public key is distributed through the CA. Directory services
store and distribute certificates, and the CA publishes revocation information so
that a certificate can be invalidated before it expires.

Public Key Infrastructure (PKI) authentication on the FortiGate unit uses a
certificate authentication library that takes a list of peers, peer groups,
and/or user groups and returns an authentication result of successful or denied.
A user needs only a valid certificate to authenticate; no username or password is
required. A certificate is considered valid only if it was issued by a CA that
the FortiGate unit trusts and it matches the peer definition configured for that
user.

Peers

A peer is a user who holds a digital certificate and authenticates with it
through PKI. To use PKI authentication, you must define peers and include them in
the authentication user group. See "Users/peers" on page 33.
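The two checks that certificate-only authentication rests on, chain validation against a trusted CA and a match against the configured peer identity, can be modelled with the openssl command line. The script below is an added example, not code from the FortiGate guide or from FortiOS. It constructs its own throwaway CA, a legitimate peer certificate, a certificate with the same subject issued by an untrusted CA, and a trusted certificate for a different subject, and then applies both checks to each. The names (alice, bob, mallory, Example Corp CA) are placeholders, the subject comparison is an exact match in RFC 2253 form, and no revocation check is modelled; the FortiGate unit's own peer matching rules are those described under "Users/peers" and are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the FortiGate guide): a minimal model of PKI "peer"
# authentication using the openssl CLI. A peer is accepted only if its
# certificate chains to the trusted CA AND its subject matches the configured
# peer subject. All keys and certificates below are constructed on the fly.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed trusted CA (stands in for a CA certificate imported on the unit).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Example Corp CA" -days 1 2>/dev/null

# issue_cert NAME SUBJECT CAKEY CACERT: issue a leaf certificate for SUBJECT,
# signed by the CA whose key and certificate are given.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$4" -CAkey "$3" -CAcreateserial \
        -out "$WORK/$1.crt" -days 1 2>/dev/null
}

# Legitimate peer: correct subject, signed by the trusted CA.
issue_cert alice "/CN=alice" "$WORK/ca.key" "$WORK/ca.crt"

# Impostor: same subject, but signed by a CA the unit does not trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
    -out "$WORK/rogue.crt" -subj "/CN=Rogue CA" -days 1 2>/dev/null
issue_cert mallory "/CN=alice" "$WORK/rogue.key" "$WORK/rogue.crt"

# Wrong user: signed by the trusted CA, but a different subject.
issue_cert bob "/CN=bob" "$WORK/ca.key" "$WORK/ca.crt"

# peer_auth CERT EXPECTED_SUBJECT: return 0 (successful) or 1 (denied).
peer_auth() {
    # Check 1: the certificate must chain to the trusted CA. The "OK" line is
    # checked instead of the exit status, which older openssl releases did not
    # set reliably.
    openssl verify -CAfile "$WORK/ca.crt" "$1" 2>/dev/null | grep -q ': OK$' \
        || return 1
    # Check 2: the subject must match the configured peer subject exactly.
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//')
    [ "$subj" = "$2" ]
}

for peer in alice mallory bob; do
    if peer_auth "$WORK/$peer.crt" "CN=alice"; then
        echo "$peer: successful"
    else
        echo "$peer: denied"
    fi
done
```

Only alice is accepted. mallory fails the chain check even though her certificate carries alice's subject, which is why the trusted CA list on the unit must contain only CAs you control or audit; bob passes the chain check but fails the subject match, which is why a peer definition must pin the expected identity rather than accept any certificate from the CA.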

Users

Although it is simpler to define user passwords locally on the FortiGate unit,
when there are many users the administrative effort to maintain the local
database is considerable, and locally defined users cannot change their own
passwords on the FortiGate unit. When a remote or external authentication server
that is part of the enterprise network authentication system holds the
credentials instead, users can change their own passwords through that system.
See "Users/peers" on page 33.

User groups

A user group can contain individual users/peers and authentication servers. A
user/peer or authentication server can belong to more than one group.

Authentication is group-based. A firewall policy can grant access to several
user groups, but a VPN authenticates against only one user group. These
considerations affect how you define the groups for your organization. Usually
you need one user group for each VPN. For firewall policies, you can create user
groups that reflect how you manage network privileges in your organization. For
example, you might create a user group for each department, or create user
groups based on functions such as customer support or account management.

You select a protection profile for each user group. Protection profiles determine
the level of web filtering, antivirus protection, and spam filtering applied to
traffic controlled by the firewall policy to which members of this user group
authenticate. For more information about protection profiles, see the FortiGate
Administration Guide.
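The group layout described above, as an added CLI example that is not from the guide: one peer, one group of certificate holders, two department groups, a firewall policy that accepts either department, and a dialup IPsec phase 1 that authenticates against a single group. The object names (alice, CA_Cert_1, pki_users, sales, support, sales_ldap, support_ldap, strict_profile, to_sales_vpn, internal, wan1) and the pre-shared key are placeholders, and the keywords are from the FortiOS 3.0 CLI as the editor recalls it; confirm them against the FortiOS CLI Reference for your build before use.

```text
# Added example, not from the guide. Placeholder names; verify keywords
# against the FortiOS 3.0 CLI Reference.

config user peer
    edit "alice"
        set ca "CA_Cert_1"              # CA certificate already imported on the unit
        set subject "CN=alice"          # identity the peer's certificate must carry
    next
end

config user group
    edit "pki_users"                    # certificate holders (peers) only
        set member "alice"
        set profile "strict_profile"    # protection profile for this group's traffic
    next
    edit "sales"                        # a remote authentication server can be a member
        set member "sales_ldap"
        set profile "strict_profile"
    next
    edit "support"
        set member "support_ldap"
        set profile "strict_profile"
    next
end

# A firewall policy may authenticate more than one group ...
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ANY"
        set action accept
        set groups "sales" "support"
    next
end

# ... but a VPN authenticates against exactly one group, so each VPN
# normally gets its own group.
config vpn ipsec phase1
    edit "to_sales_vpn"
        set type dynamic
        set interface "wan1"
        set proposal aes128-sha1
        set xauthtype auto
        set authusrgrp "sales"
        set psksecret "replace-with-a-strong-psk"
    next
end
```

Because the protection profile is chosen per group, a user who is a member of both "sales" and "support" is subject to whichever group's profile applies to the policy they authenticated through; keep the profiles consistent across groups that share a policy unless the difference is intended.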

Note: Frequent changing of passwords is a good security practice.