I have been working with various PKI implementations since 2000, and I have two bits of advice for any new PKI deployment:
- PKI is not an end in itself, it is just a tool: before designing a PKI solution, you really need to know exactly what end solution you're trying to put in place: Windows logon? VPN access? Device authentication in your infrastructure? Email encryption/signature? Web authentication? Once you know the requirements of your end solution, the choice of a PKI as a security layer for that solution will be far easier.
- The technical solution is the easy part: as can be seen in the other posts, there are plenty of Certificate Authorities around, all with their technical strengths and weaknesses. What they do not address is the process part around PKI (the CP/CPS and others), in other words how the PKI shall be used, who is allowed to do what, how the various components shall be protected, and the procedures defined to address various scenarios (administrator run over by a bus, role separation, administration procedures, key ceremony, key escrow, revocation policy, etc.). This is really the tricky part, because it is what will make your PKI a really strong solution or just a gimmick...
As a conclusion, in some cases the Microsoft CA will be fine (say you mainly want to do smart card logon on a 'standard' Windows network), in other cases other solutions will be more suitable, but in every case the hardest part (as in 'the most expensive part') will be the creation of the policies revolving around your PKI. If after analysis you find out a strong PKI policy does not seem that important in your particular case, chances are you don't really need a PKI but another form of strong authentication. For instance, two-factor auth based on one-time password tokens or similar, which are much lighter to put in place from an admin point of view, though not quite as strong as PKI, of course...
Just my 2 cents,
Edouard
I completely agree: cramming for the exam does not bring any usable knowledge.
In my case it was a case of welcome-to-the-firm-btw-get-this-exam-before-this-date-or-you're-out kind of thing, so the bit of paper was all I was after.
On the other hand, once you're working with Ciscos, the learning curve is pretty steep and you can always refer to your training books...
I'm a software engineer who recently (one year ago) moved to networks and security. I had basic knowledge of networks and routing, like anyone who does programming for a living and is interested in what goes on beyond their machine's boundaries...
My company wanted me to get my CCNA and CCNP, so I read the Cisco books and did a bit of online training (the company also gave us a subscription to www.xtremelearning.com, but we gotta pay the books with our own money).
I got my CCNA and I'm about to finish the CCNP and have not touched a single router or switch, and honestly, there's no real need to, as long as you read the books and learn the commands by heart.
All these Cisco exams are more a memory exercise than anything else, in my opinion: you give the "official Cisco(tm) answer" to each of the multiple choice questions (usually a sentence from the Cisco(tm) book, almost word for word) and eliminate the answers that don't make sense, and you're sorted...
My 2p.
Ed
PS: I heard that the CCIE is a bit more complicated...