Device authentication is the process of verifying the identity and security posture of a device before allowing it to access network resources. Device authentication is implemented using digital certificates in Cato. It is part of the zero-trust security framework to ensure that only trusted devices are allowed to access the network and to specific network resources.
The core principle of zero trust security is that no device or user should be automatically trusted. Zero trust assumes that every access request, whether from inside or outside the network, is potentially coming from a malicious actor or compromised device.
Device authentication ensures that only authorized devices are allowed access to network resources. By verifying the identity and security posture of each device before granting access, zero-trust limits the risk of a potential breach caused by a compromised or unauthorized device.
Cato implements device authentication using the Client Connectivity policy to enforce certificate-based validation. This ensures that only devices with a valid and trusted certificate can access the network.
When a device attempts to connect to the network (via a Cato PoP) and the certificate Device Check is configured in a Client Connectivity rule, the Cato Client checks that a valid certificate is installed on the device. Otherwise, the Client blocks the device from connecting to the network.
This is the configuration flow to implement device authentication.
1. Prepare devices to use Device Check for the signing certificate:
   - Distribute the certificate to the managed devices. See articles in Distributing and Installing Device Certificates.
   - Upload the signing certificate to the CMA. See Managing Signing Certificates for Remote Access.
2. Configure a Device Check for the signing certificate and assign it to a Device Profile. See Creating Device Posture Profiles and Device Checks.
3. Create a Client Connectivity policy rule that allows connections for devices that have the signing certificate installed.
The final ANY ANY Block rule in the policy is applied to devices that don't have the certificate installed.
The Device Certificate check is based on asymmetric key encryption. Asymmetric key encryption, also known as public key cryptography, is a cryptographic technique that uses a pair of mathematically related keys to secure information. The two keys are called the public key and the private key. Cato doesn't generate the certificates or manage their lifecycle.
Data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. The public key can be shared openly, while the private key is kept secret.
This method of encryption is secure because even though the public key can be openly shared, it cannot be used to decrypt messages that were encrypted with it. Only the corresponding private key can decrypt the message.
1. Upload the root signing certificate to the Cato Management Application (Access > Client Access > Signing Certificates). The certificate also contains the public key. The public key can be shared openly.
2. Upload the device certificate and private key to the device. The device should keep the private key secret. The Cato Client must be installed on the device. When the device connects to the Cato PoP (Point of Presence), the Client verifies the certificate's authenticity and checks that the certificate is valid and matches the signing certificate.
3. To verify the authenticity of the device, Cato sends an encrypted challenge. The encrypted challenge is a random message that is generated by Cato and encrypted with the public key obtained from the root certificate uploaded to Cato in step 1.
4. The device uses its private key to decrypt the encrypted challenge and sends the decrypted challenge to Cato.
5. If the decrypted challenge matches the original, the device is authenticated and granted access to the defined resources.
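The challenge-response flow above, as an added Go example that is not Cato's code: a locally constructed root and device certificate stand in for the uploaded signing certificate and the installed device certificate, the verifier checks that the device certificate chains to the root, then encrypts a random challenge to the public key in the validated device certificate (the key the device's private key can open) and compares the reply. The certificate names, the RSA-OAEP padding and the 32-byte challenge are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a certificate for pub with parentKey; a nil parent yields the self-signed root (constructed test material).
func issue(cn string, pub *rsa.PublicKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// authenticate is the verifier side of the flow above: the device certificate must chain to the uploaded
// root, then a random challenge encrypted to its public key must come back intact. devKey plays the device.
func authenticate(root, device *x509.Certificate, devKey *rsa.PrivateKey) (bool, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := device.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return false, err // not issued under the trusted root, expired, or wrong usage
	}
	pub, ok := device.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("device certificate does not carry an RSA key")
	}
	challenge := make([]byte, 32) // fresh random message for every attempt
	_, readErr := rand.Read(challenge)
	enc, encErr := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, challenge, nil)
	if err := errors.Join(readErr, encErr); err != nil {
		return false, err
	}
	resp, err := rsa.DecryptOAEP(sha256.New(), nil, devKey, enc, nil) // device side: needs the matching private key
	return err == nil && string(resp) == string(challenge), nil     // a wrong key fails to decrypt
}
```

A device that presents a valid certificate without holding its private key fails at the decryption step, while a certificate from an untrusted issuer never reaches the challenge at all.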