IPSec: FAQs
 

 

  1. What is IPSec?

    IPSec (Internet Protocol Security) is a framework of open standards for ensuring secure private communications over public networks like the internet. Data is encrypted between devices, routers and firewalls, making it much more general than a Secure Server certificate that only secures traffic between a browser and a server.

    IPSec is designed for interoperability, which means an IPSec compliant device will be able to exchange certificates with other compliant products from multiple vendors.

  2. What are OnSite IPSec digital certificates?

    IPSec digital certificates are used to identify devices or desktops on a network enabling secure Virtual Private Networks (VPNs), Intranets, Extranets, and remote user access. The IPSec standard requires certificates to be installed on each device.

    OnSite allows you to issue and manage customised corporate certificates using our world-class certificate technology and security infrastructure.

    OnSite saves time and money by providing your organisation with easy to use tools to customise the enrolment, validation, and issuance of certificates. One or more individuals can be appointed to serve as an OnSite administrator, with full authority to approve, renew, reject, and administer certificates.

    End-Users interact with customised, web-based enrolment forms to request certificates for the IPSec device* or client. Once an administrator approves the certificate request, Ignite Trust Services will instantly issue the certificates.

    One of the main advantages of OnSite is that it lets you control your own CA (approving/rejecting/revoking certificates) from a simple set of web pages provided by Ignite Trust Services, without having to worry about the mundane and expensive aspects of being a CA (backups, maintenance of hardware and software, disaster recovery and many other items).

    (* Cisco use the SCEP protocol for enrolling from the IOS command line.)

  3. What does OnSite IPSec do?

    OnSite gives you the capability to issue IPSec digital certificates to your network devices (such as routers, firewalls and gateways), and client certificates to your end-Users. These certificates can be used to encrypt and authenticate data passing through a VPN network.

  4. What are the benefits of IPSec and OnSite?

    Key benefits include:

    a) World Class PKI (Public Key Infrastructure) - Ignite Trust Services, with VeriSign, is the recognised leader in developing scalable public key certificate systems. OnSite customers leverage all of Ignite Trust Services' technical and legal expertise in digital signatures and certificates to attain a proven and secure PKI instantly.

    b) Ease of Use - IPSec certificates are required to be installed on each device. Using a CA means you will not be required to configure keys between all of the encrypting routers and firewalls. When all devices and clients are enabled, each will be able to authenticate all of the others. This makes the addition of new IPSec routers at a later date easier, because the need for multiple key configurations with other IPSec devices is eliminated.

    c) Strong encryption at the Network Layer - for standardised network security, strong encryption ensures privacy and integrity of IPSec compliant products. Since the security is provided at the network layer, you will not need to configure individual applications or clients.

    d) Up and running quickly - once Ignite Trust Services has activated your service you can have OnSite up and running overnight, much faster than ordering a software package, installing it, and learning to configure and use it.

    e) No extensive training required - the customer uses simple web pages both for end user services and administrative functions. Ignite Trust Services' extensive certificate expertise, infrastructure, and practices are leveraged behind the scenes, while the customer maintains full control over the actual CA functions.

    f) No software or hardware required - All the customer is required to have is a Web browser supporting client certificates (Netscape Navigator or Internet Explorer 4.0 or later), Internet access, and IPSec compliant products.

    g) Easily distributed - Multiple administrators can access the OnSite Control Centre to issue certificates at sites around the world, easily and with minimal incremental costs. All a branch office needs to obtain certificates is a browser with connection to the internet.

    h) Scalability - the service can be expanded as the business grows.

  5. How do I purchase OnSite IPSec?

    OnSite IPSec can be purchased via our web site.

    Enterprise solutions can be purchased by contacting your BT Account Manager or calling 0800 515 585.

  6. Why Only Private Certificate for IPSec OnSite?

    The IPSec standard is used for creating private networks. The very nature of what is being deployed lends itself only to private certificates, which are not signed in our public hierarchy and are therefore not recognised on the Internet.

  7. How many digital certificates do I need?

    You will need one certificate for each IPSec device or client.

  8. How do I obtain IPSec digital certificates for my network devices?

    a) IPSec device generates a CSR.
    b) User securely enrols via the web, pasting the CSR into the enrolment form*
    c) Pending request appears in the OnSite Control Centre, which can be accessed by the Administrator.
    d) Administrator validates the enrolment request.
    e) Ignite Trust Services generates a certificate and sends it to the User via e-mail*
    f) User securely downloads the digital certificate and installs on the IPSec device.

    * CISCO users may be using CRS, a non-browser enrolment process. Management of the certificates within the OnSite Control Centre will be the same.

  9. How does Certificate Revocation work?

    When a certificate is revoked, its operational period is considered terminated immediately. When an administrator revokes a certificate, the Ignite Trust Services repository is updated to reflect this status. OnSite provides a CRL (certificate revocation list) available for download, which is a list of the certificates reflecting revoked status.
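
    The enrolment steps in question 8 and the revocation behaviour in question 9, walked through end to end as an added example (not part of the original FAQ and not Ignite Trust Services' tooling). It assumes the openssl command line is installed; a throwaway local CA stands in for the hosted CA, and every name and file in it is a constructed placeholder.

```shell
#!/bin/sh
# Added lab example: throwaway CA, one device CSR, issuance, revocation, CRL check (constructed names).
cert_lifecycle() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > lab.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = lab_policy
[ lab_policy ]
commonName = supplied
EOF
  q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
  check() {  # what a peer does: verify gw.crt against the CA and the CRL it currently holds
    out=$(openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl gw.crt 2>&1) && { echo valid; return; }
    case $out in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
  }
  # Local private CA standing in for the hosted one.
  q openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 -subj "/CN=Example Private CA" || exit 1
  # Step a: the device generates its key pair and a PKCS#10 CSR.
  q openssl req -new -config lab.cnf -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr -subj "/CN=vpn-gw1.example.test" || exit 1
  # Step d: one check an administrator can make, that the CSR is signed by the key it carries.
  openssl req -config lab.cnf -in gw.csr -noout -verify 2>&1 | grep -q 'verify OK' || exit 1
  # Step e: the CA issues the certificate and publishes a CRL.
  q openssl ca -batch -config lab.cnf -in gw.csr -out gw.crt || exit 1
  q openssl ca -config lab.cnf -gencrl -out ca.crl || exit 1
  before=$(check)
  # Question 9: revoke, then publish a new CRL that lists the certificate.
  q openssl ca -config lab.cnf -revoke gw.crt && q openssl ca -config lab.cnf -gencrl -out ca.crl || exit 1
  echo "$before $(check)"
)
cert_lifecycle
```

    The first check passes because the CRL it uses predates the revocation; a peer rejects the certificate only once it has loaded the CRL published afterwards.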

  10. What VPN products are supported by OnSite IPSec?

    Many vendors have implemented certificate lifecycle management components into their VPN gateways, firewalls, routers and desktop clients by employing industry standard protocols. These standards include SCEP, PKCS12, PKCS10, PKCS7, CRS, CSR, and CAPI.

  11. Where can I get more help on installing digital certificates onto devices?

    Due to the complex nature of network devices, Customers are strongly urged to employ the services of a qualified engineer in the application and installation of the OnSite service and certificates. Further guidance on installing digital certificates onto network devices should be available from the device supplier either through the product manual or a web site.

    Support for Cisco products can be obtained from their Technical Assistance Centre web site at http://www.cisco.com/public/support/tac/home.shtml and conducting a search for the specific products together with PKI.

    Technical assistance for CheckPoint products can only be found in the product manuals provided on a CD from the product supplier.

 
 