Using enrollment over secure transport (EST) to validate network devices

By dannyjump posted Dec 03, 2024 01:31 PM


By Danny Jump

Adding a new network device to your infrastructure? How confident are you that it actually is a device from your selected vendor, and that it has not been modified since its manufacture?

One of the unique challenges that network admins have is validating network devices and their underlying identity, then managing and integrating device identity into an internal Identity Store, such as a Public Key Infrastructure, or PKI.

This should be easy, yet many organizations still struggle with cumbersome, potentially risky processes.

EST: A potential cure for infrastructure headaches

Enrollment over secure transport (EST) is a protocol developed to automate X.509 certificate issuance for public key infrastructure (PKI) clients, such as web servers, endpoint devices, and network equipment (e.g., network access points, gateways, and switches), and for any other place PKI certificates are used.

The EST protocol is defined in RFC 7030 and standardizes an authenticated request and response exchange with the CA via the EST server, making the process of deploying certificates on systems and devices more secure, faster, and easier for IT teams than manually installing the required material. EST is recognized for its ease of use and security features, including the use of HTTPS for secure transport and transport layer security (TLS) for client and server security, and for its built-in automation to rekey and renew certificates.

How does EST work? The EST enrollment service standardizes the interoperability and secure information exchange between a client and a CA that is required for provisioning RSA or ECC certificates. EST uses HTTPS as its transport protocol and leverages TLS ciphers to establish a secure TLS channel from the EST client to the EST server, over which the EST operations are sent. EST is commonly applied to numerous certificate enrollment use cases, including web servers, networking infrastructure (switches, APs, gateways, etc.), DevOps, endpoint devices, IoT devices, user identities, email services, and any other place PKI certificates are used.

Outlining a basic EST process

In a PKI architecture, the EST service sits between a client and the CA and performs several functions traditionally assigned to the Registration Authority (RA) role. The EST server's job is to validate whether EST clients should receive the certificate they have requested, pass the request on to the CA, and return the resulting certificate to the client, all through the enrollment API. The client communicates with an EST server, which listens for requests on a well-known URL path, so clients only need to know the IP address or FQDN of the server to make requests. The EST enrollment process is designed to be simple and API driven, so that automatic certificate issuance and renewal from a trusted CA can be established.

The client/server interaction for EST generally proceeds in this basic sequence:

1. Configure URI.

2. Distribute CA certificates.

3. Verify trust.

4. Retrieve attributes.

5. Generate enrollment certificate.

6. Request and receive certificate.

7. Renew certificate.

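The sequence above, carried through as an added Python example that is not HPE Aruba's or the technical paper's code: it builds the RFC 7030 well-known URLs, encodes the PKCS#10 request body, and checks that what comes back from /cacerts and /simpleenroll is actually a PKCS#7 certs-only bundle before the caller installs it. The host est.example.com, the label value, and the bootstrap CA file are assumed placeholders; the pure helpers never touch the network.

```python
"""Minimal RFC 7030 EST client helpers (added example, not HPE Aruba code).
The host est.example.com, any label value and the bootstrap CA file are
assumed placeholders; the pure helpers below never touch the network."""
import base64
import ssl
import urllib.request

SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # id-signedData, DER-encoded
EST_OPERATIONS = ("cacerts", "csrattrs", "simpleenroll", "simplereenroll")

def est_url(host, operation, label=""):
    """Well-known path layout from RFC 7030 section 3.2.2: clients only need the
    server FQDN; an optional label selects one CA when a server fronts several."""
    if operation not in EST_OPERATIONS:
        raise ValueError(f"unsupported EST operation: {operation}")
    seg = f"/{label}" if label else ""
    return f"https://{host}/.well-known/est{seg}/{operation}"

def der_to_b64(der):
    return base64.b64encode(der)

def pem_to_b64_der(pem):
    """EST request bodies are base64 DER (Content-Transfer-Encoding: base64), so
    strip the PEM armour lines and re-encode the raw PKCS#10 bytes."""
    lines = [s for s in (ln.strip() for ln in pem.splitlines()) if s and not s.startswith("-----")]
    return der_to_b64(base64.b64decode("".join(lines), validate=True))

def check_certs_only(body):
    """/cacerts and /simpleenroll answer with base64 PKCS#7 SignedData
    (application/pkcs7-mime; smime-type=certs-only). Decode it and confirm the
    outer ContentInfo names id-signedData before anything is trusted or installed."""
    der = base64.b64decode(b"".join(body.split()), validate=True)
    if der[:1] != b"\x30" or SIGNED_DATA_OID not in der[:32]:
        raise ValueError("response is not a PKCS#7 certs-only bundle")
    return der

def fetch_cacerts(host, bootstrap_cafile, label=""):
    """Steps 2 and 3: retrieve the CA bundle over TLS verified against the implicit
    (bootstrap) trust anchor; the result becomes the explicit trust anchor for every
    later EST call (extract PEM with: openssl pkcs7 -inform DER -print_certs)."""
    ctx = ssl.create_default_context(cafile=bootstrap_cafile)
    with urllib.request.urlopen(est_url(host, "cacerts", label), context=ctx) as r:
        return check_certs_only(r.read())

def enroll(host, csr_pem, ctx, operation="simpleenroll", label=""):
    """Steps 6 and 7: POST the PKCS#10 CSR. ctx is an ssl.SSLContext trusting the
    explicit TA and, for simplereenroll, loaded with the device's current client cert."""
    req = urllib.request.Request(est_url(host, operation, label), data=pem_to_b64_der(csr_pem),
        headers={"Content-Type": "application/pkcs10", "Content-Transfer-Encoding": "base64"})
    with urllib.request.urlopen(req, context=ctx) as r:
        return check_certs_only(r.read())
```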

Why use EST?

While there is no stronger, easier-to-use authentication and encryption solution than the digital identity provided by PKI, there are many potential pitfalls inherent in manual management of PKI certificates. EST can address these concerns by providing:

·       Greater accuracy. Certificate management automation standards help ensure certificates are correctly configured and deployed without human intervention. This helps avoid errors caused by mistyping, misspelling, or the monotony of repetitive manual work.

·       Time savings. Whether an organization deploys a single TLS certificate for a web server or manages millions of certificates across all networked endpoints, mobile devices, and user identities in an organization, the provisioning process from issuance to configuration and then deployment can take a significant amount of time.

·       Risk reduction. Manually managing certificates puts enterprises at significant risk of certificates being forgotten until after expiration, resulting in sudden and unwanted outage of critical business systems and potential exposure to attacks.

Using EST with HPE Aruba Networking solutions

The HPE Aruba Networking implementation and use of EST includes switches, gateways and controllers, and access points that run the EST client services. An EST server logically sits between a CA and a client requesting services such as certificate enrollment.

Currently, no CAs support EST directly. In a solution that is completely powered by HPE Aruba Networking, ClearPass Policy Manager (CPPM) will typically act as the EST server as well as the root/subordinate/issuing CA depending on how you build your PKI. In this role, CPPM can issue certificates from an internal CA, or the requests can be relayed to a separate supported backend CA, such as Microsoft Active Directory Certificate Services.

For organizations that already have a CA environment deployed and running, an EST service plus orchestration between the EST client and the CA to utilize that existing PKI may be deployed.

Dive into EST

Secure network infrastructure is a key component of many cybersecurity and compliance mandates. Several methods for validating network devices and their identity exist, but using enrollment over secure transport (EST) offers several advantages for organizations, especially those with large network estates. HPE Aruba Networking features enable organizations to experience the benefits of EST without the headaches.

Interested in learning more about EST? Check out the technical paper, “Solve infrastructure security headaches.” In this paper, you’ll learn more about methods for ensuring device validity, discover the pros/cons of common methods, and get the specifics on how to use HPE Aruba Networking Central to help you implement EST within your organization.
