RadiSys SEG-100, Administration Manual

Page 1: ...Administration Guide SECURITY GATEWAY SEG 100 SOFTWARE RELEASE 1 1 February 2012 007 03416 0003 ...

Page 2: ...software release Added information to the SCP licensing and backup and restore sections Added IPv6 information Made other corrections and clarifications 0003 February 2012 Fourth edition Updated for the 1 1 2 software release See What s new in this manual on page 6 for a description of changes in this edition 2011 2012 by RadiSys Corporation All rights reserved Radisys is a registered trademark of...

Page 3: ...EG overview 8 SEG architecture 8 Chapter 2 Management 12 Management access 12 Date and time 33 Licensing 37 Backup and restore 39 Crashdumps 42 Statistics 44 Events and logging 47 Chapter 3 Addressing 54 Interfaces 54 ARP 58 Address books 63 IPv6 support 66 DNS 70 Chapter 4 Address Translation 73 Overview 73 NAT 73 SAT 78 Chapter 5 Routing 86 Principles of routing 86 Static routing 91 ...

Page 4: ...ication profiles 153 RADIUS authentication 154 The radiussnoop command 156 Chapter 9 High Availability 157 Overview 157 HA mechanisms 159 Setting up HA 161 HA issues 166 Chapter 10 Advanced Settings 168 Flow timeout settings 168 Length limit settings 169 Fragmentation settings 171 Local fragment reassembly settings 176 Chapter 11 I WLAN 177 I WLAN overview 177 GTP tunnels 178 Interface stitching 1...

Page 5: ...5 Support for multiple GGSNs 184 I WLAN use case 184 Appendix A Glossary of Terms 185 Appendix B OSI Model 197 Overview 197 ...

Page 6: ...re product information Visit the Radisys web site at www radisys com for product information and other resources Downloads manuals release notes software etc are available at www radisys com downloads See the following resources for information on the SEG not described in this manual The SEG 100 Getting Started Guide describes how to set up the SEG 100 modules and the SEG 11002 system and how to c...

Page 7: ...1997 RFC 2401 Security Architecture for the Internet Protocol IETF November 1998 RFC 2406 IP Encapsulating Security Payload ESP IETF November 1998 RFC 2460 Internet Protocol Version 6 IPv6 Specification IETF December 1998 RFC 3947 Negotiation of NAT Traversal in the IKE IETF January 2005 RFC 4306 Internet Key Exchange IKEv2 Protocol IETF December 2005 RFC 5905 Network Time Protocol Version 4 Proto...

Page 8: ...ork elements Both standalone and integrated configurations support carrier grade high availability with redundant hardware and sophisticated fault tolerant software The SEG 11002 is a 2U 2 slot ATCA system ideally suited for initial trials and small to medium size deployments It contains one or two SEG 100 modules and can be configured as a high availability system with active and passive SEG 100s...

Page 9: ...Address objects can be defined in the Address Book to give logical names to IP and other types of addresses Rule sets that make up the security policies that you want to implement These include IP rules These three types of building blocks are discussed next Interfaces Interfaces are the doorways through which network traffic enters or leaves the security gateway Without interfaces an SEG system h...

Page 10: ...nsistency checker The checker performs a number of consistency checks on the packet including validation of checksums protocol flags packet length and so on If the consistency checks fail the packet gets dropped and the event is logged 3 The SEG now tries to look up an existing flow by matching parameters from the incoming packet A number of parameters are used in the match attempt including the s...

Page 11: ...et is dropped and the event is logged according to the log settings for the rule 7 If the action is Allow the packet is allowed through the system A corresponding flow will be noted by the SEG for matching subsequent packets belonging to the same flow The allowed traffic is also bidirectional so that the same IP rule also permits packets to return from the destination network Finally the opening o...

Page 12: ...es a secure means of file transfer between the administrator s external management workstation and the SEG Various files used by the SEG such as configuration backups can be both uploaded and downloaded using SCP No specific SCP client is provided with SEG distributions However there is a wide selection of third party SCP clients for nearly all workstation platforms This feature is described furth...

Page 13: ...is significant since this determines the privileges that a user has Finally return to the default context Device LocalUserDatabase AdminUsers cc Device Creating Auditor accounts Extra user accounts in the local user database can be created as required with arbitrary usernames and passwords If the group is specified as Administrators it has full access privileges If however the group is specified a...

Page 14: ...to the configuration Linking logins to the database The local user database is referred to during a login because the relevant access object points to an AuthenticationProfile which then points to the database that stores the credentials For example SSH logins are controlled by a RemoteMgmtSSH object This object refers to an AuthenticationProfile object that then refers to the database to be used ...

Page 15: ... SSH is a protocol primarily used for secure communication over insecure networks providing strong authentication and data integrity SSH clients are freely available for almost all hardware platforms The SEG supports version 2 of the SSH protocol A predefined RemoteMgmtSSH object controls initial SSH access on the default management interface A single RemoteMgmtSSH object exists by default in a SE...

Page 16: ...emoteMgmtSSH is enabled and that a valid authentication profile has been specified and that the profile points to a valid database containing a user with the login credentials expected A RemoteMgmtSSH object with an example name of ssh_allnets can be displayed with the command Device show RemoteManagement RemoteMgmtSSH ssh_allnets Controlling console access to the CLI The CLI can also be accessed ...

Page 17: ...ter Device show Address IPAddress my_address The object category in this case is Address and the type within this category is IPAddress If the object type is unique its category can be omitted The same example as above could be shortened to Device show IPAddress my_address In this case the object category Address is omitted since IPAddress is a unique object type Note Tab completion will not work ...

Page 18: ... property only if the AddRouteToRemoteNetwork property has been already been assigned a value of Yes CLI help The CLI help command will show all available command options Typing help followed by a command name will show help information for that command providing details about the command s function and its options For example Device help time COMMAND time t Display and set current system time Typ...

Page 19: ...eriod character before a tab is to automatically fill in the current value of an object property in a command line For example you might type the unfinished command set Address IPAddress InterfaceAddresses sfp1_ip If you now type followed by a tab the SEG will display the current value for the Address property For example if the value is 10 6 58 10 the unfinished command line will automatically be...

Page 20: ...lists Rule lists such as the IP rule set have an ordering that is important With the add command the default is to add a new rule to the end of a list When placement at a particular position is crucial the add command can include the Index property as an option Inserting at the first position in a list is specified with Index 1 in an add command the second position with Index 2 and so on Referenci...

Page 21: ... removed with the CLI command Device set RemoteManagement RemoteMgmtSSH ssh Banner Where ssh is the name of the RemoteMgmtSSH object To reset the message enter Device set RemoteManagement RemoteMgmtSSH ssh Banner Welcome SSH connection timeout When connecting to the SEG with SSH there is a default inactivity timeout of 30 minutes To increase this timeout to a higher value use the following CLI com...

Page 22: ...bol to the left of the object s output indicates a change of status that has not yet been committed Two symbols are mentioned above The complete list is means the object has been deleted o means the object has been disabled means the object has errors means the object has been newly created means the object has been modified Checking configuration integrity After changing an SEG configuration and ...

Page 23: ...art or reconfigure are shown The output from this command also shows if the SEG is running in demonstration mode without a valid license System performance commands The following commands give a real time snapshot of overall system performance The top command for CPU utilization Device top Load avg 0 94 0 51 0 35 CPU usage 24 8 CPUs 1 Name Time CPU statd 14 04 6 3 mdpd 12 52 5 1 vsinit 07 17 2 7 T...

Page 24: ...efault Advanced Debug All In normal operation the Default view is sufficient However some situations may require the use of commands that should be used cautiously and for that reason they are hidden in alternate command views For example to turn on the Advanced view enter the command Device cmdview ADVANCED Entering the Help command will now show that an additional set of commands are available t...

Page 25: ...m the IPv4 address 192 168 0 5 the command would be Device ping 10 4 0 2 srcip 192 168 0 5 When the srcip option is used the source IP address must be one of the IP addresses configured on the sending interface When ICMP ping messages are sent by external devices to SEG interfaces both IPv4 and IPv6 messages will be responded to CLI scripting To allow the administrator to easily store and execute ...

Page 26: ...1 2 3 4 n The values substituted for these variable names are specified as a list at the end of the script run command line The number n in the variable name indicates the variable value s position in this list 1 comes first 2 comes second and so on Note The name of the first variable is 1 The variable 0 is reserved and is always replaced before execution by the name of the script file itself For ...

Page 27: ...pt2 sgs force If force is used the script will continue to execute even if errors are returned by a command in the script file Script output Any output from script execution will appear at the CLI console Normally this output consists only of any error messages that occur during execution To see the confirmation of each command completing the verbose option should be used Device script run name my...

Page 28: ...ady has the objects configured that need to be copied running the script create command on that installation provides a way to automatically create the required script file This script file can then be downloaded to the local management workstation and then uploaded to and executed on other SEGs to duplicate the objects For example suppose the requirement is to create the same set of IPAddress obj...

Page 29: ...ll always include the object category Objects excluded from script files Certain aspects of a configuration that are hardware dependent cannot have a script file entry created when using the create option This is true when the CLI node object type in the script create command is one of COMPortDevice EthernetDevice These node types are skipped when the script file is created and the SEG displays th...

Page 30: ...ilepath For example admin 10 62 11 10 config bak The user_name must be a defined SEG user belonging to the administrator user group Note SCP will normally prompt for the user password after the command line but that prompt is not shown in the examples in this manual Examples of SCP uploading and downloading In some cases a file is located in the SEG root In other cases it is located within a parti...

Page 31: ...oadable files scp admin 192 168 3 1 Wildcards can also be used when uploading For example to upload all the backup files in the current directory scp bak admin 192 168 3 1 backup SNMP monitoring Simple Network Management Protocol SNMP is a standardized protocol for management of network devices An SNMP compliant client can connect to a network device that supports the SNMP protocol in order to que...

Page 32: ...statistic involves constructing a path which is also described in the Statistics Reference Defining SNMP access SNMP access is defined through the definition of an SEG Remote object with a Mode value of SNMP The Remote object requires the entry of Source interface The SEG interface on which SNMP requests will arrive Source network The IP address or network from which SNMP requests will come Destin...

Page 33: ...through the internal lan interface from the network mgmt net using the community string Mg1RQqR Device add RemoteManagement RemoteMgmtSNMP my_snmp SourceInterface lan SourceNetwork mgmt net SNMPGetCommunity Mg1RQqR Date and time Correctly setting the date and time is important for the SEG to operate properly For example certificates used in certificate based VPN tunnels depend on the system clock ...

Page 34: ...the morning on April 27th 2011 the command would be Device time set 2011 04 27 09 25 00 Note A new date and time will be applied by the SEG as soon as it is set There is no requirement to reconfigure or restart the system Time zones The world is divided up into a number of time zones with Greenwich Mean Time GMT in London at zero longitude the base time zone All other time zones going east and wes...

Page 35: ...Configuring time servers More than one time server can be configured to query for time information Using more than a single server prevents the time synchronization process from failing due to an unreachable server The SEG always queries all configured servers and then computes an average time based on all responses To configure servers the steps are 1 Set the TimeSyncEnable option on the DateTime...

Page 36: ...e is 63 seconds This is greater than the maximum adjustment value so no update occurs for this response The default value for the maximum adjustment is 600 seconds ten minutes Example 1 Modifying the maximum adjustment value Sometimes it might be necessary to override the maximum adjustment parameter For example you may want to manually force a synchronization and disregard the maximum adjustment ...

Page 37: ...n addition to access using the CLI access is also possible using SCP and SNMP Log event and console messages indicate when lockdown mode goes into effect and when it ends Managing license files A number of license files can be present in local SEG temporary storage however only one can be active at any time The SEG CLI provides the license command to manage the active license The options for this ...

Page 38: ... WLAN deployments Licenses do not expire There is no expiration date for SEG licenses Instead there is a Upgrades Valid Until date When this date has passed the SEG will continue to function as usual but software upgrades will not be available Binding to a MAC address When a license file is created it is bound to the MAC address specified in the license This means that the license is valid only if...

Page 39: ... backup create filename Step 2 Once created backup files are transferred to an external computer by downloading the files from the security gateway using SCP Secure Copy As stated above all backup files are saved in an SEG logical folder called backup and this folder needs to be specified in SCP commands It is important to note which SEG hardware the backup file came from so that it can be restore...

Page 40: ...rt A revert operation always uses the configuration in effect previous to the last restore if there was one If no restore has been performed a revert operation will have no effect Restoring the default configuration A special case of backup command usage for configuration restoration is Device backup reset This restores the default configuration for the security gateway The current configuration i...

Page 41: ...reset option should be issued only from an SSH client that is connected to the default management interface using the default management IP address or from a console that is connected to the RS232 serial console interface Otherwise the connection to the CLI will be lost after the command is issued The current SEG configuration will be lost after a reset and cannot be recovered For this reason this...

Page 42: ...n the storage folder called crashdumps A typical SCP command to download a single file would take the form scp user seg address crashdumps crashdump file To download all files in one operation a typical SCP command would be scp r user seg address crashdumps Listing crashdump files The SEG command line interface provides the command crashdump to manage the crashdump files stored in non volatile mem...

Page 43: ... list the readable contents of the file 2011 01 01_00 00 52_dpcore dump use the CLI command Device crashdump cat 2011 01 01_00 00 52_dpcore dump Date 2011 01 01 00 00 52 Version 1 0 0 3 1095 TP Uptime 50s Dump Record 022 Event Exception Reason Unhandled exception TLB exception load instruction fetch CPU core 0 state r0 00 0x0000000000000000 s0 16 0x00000000163ffe70 at 01 0x0000000000ffff80 s1 17 0...

Page 44: ... system The counters are collectively known as SEG statistics A separate document called the SEG 100 Statistics Reference provides a detailed listing of all available statistical values This section is designed to give a short introduction to their structure and use Accessing statistics There are two methods for the administrator to view SEG statistics By using the statistics command in a CLI cons...

Page 45: ...et between system restarts so that statistics are not carried over Using the statistics command The CLI command statistics is used to display the value of one or more statistics at a moment in time or at a regular interval Entering this command without options will initially give the following response Device statistics The list of polled values is empty The command maintains a list of statistics ...

Page 46: ...be polled with the command Device statistics add ifaces sfp1 bytes_in To poll all interfaces the command would be Device statistics add ifaces bytes_in Also notice that the interface name is specified as part of the path and this can vary from platform to platform Removing polled statistics The remove option can remove individual statistics from the polled list Device statistics add authentication...

Page 47: ... can be enabled as needed Event types The SEG defines several hundred events for which log messages can be generated The events range from high level customizable user events to low level and mandatory system events For example the flow_open event is a typical high level event that generates an event message whenever a new flow is established given that a matching security policy rule exists that ...

Page 48: ... SEG can be configured to distribute log event messages in different ways Real time display in the CLI console The CLI can act as a log receiver displaying new log messages as they are generated in real time The feature can be turned on using the CLI log command This receiver type is discussed further in Real time display in the CLI Syslog receivers Syslog is the de facto standard for logging even...

Page 49: ...og message is preceded by the text LOG Limiting message display With large numbers of log messages being generated it can be useful to limit the number of messages displayed The rate option of the log command restricts the number of messages per second that are displayed with the excess being discarded For example to limit the displayed rate to one message per second enter the command Device log o...

Page 50: ...ly find the values they are looking for without assuming that a specific piece of data is in a specific location in the log entry Note The Prio field in SysLog messages contains the same information as the Severity field for SEG Logger messages However the ordering of the numbering is reversed Example Enable logging to a Syslog host In this example logging will be enabled for all events with a sev...

Page 51: ... Device set LogReceiver LogReceiverSyslog My_Syslog Severity Emergency Alert Log message exceptions After the severity filter is applied any Log Message Exceptions are applied to generated messages There can be more than one message exception for a log receiver and each consists of the following Category and ID This specifies the log messages that will be affected by the exception If the ID number...

Page 52: ...IKE 161 INCLUDE Alert 1 Alert empty Notice the exception gets a unique index number to identify it In this case it is 1 3 Change the context back to the default Device LogReceiverSyslog My_Syslog cc Device SNMP traps SNMP protocol Simple Network Management Protocol SNMP is a means for communicating between a Network Management System NMS and a managed device SNMP defines 3 types of messages a Read...

Page 53: ...e severity of the message Category The SEG subsystem that is generating the message ID A unique identifier for the message Description A short textual description of the condition Action The action that is being taken by the SEG if any This trap information can be cross referenced in the SEG 100 Log Reference Example Sending SNMP traps to a trap receiver In this example the generation of SNMP trap...

Page 54: ...er the special logical interface core is used when the SEG itself is the source or destination for traffic Interface types The SEG supports a number of interface types which can be divided into the following groups Ethernet interfaces Each Ethernet interface represents a physical Ethernet port on an SEG based product All network traffic that originates from or enters a security gateway will pass t...

Page 55: ...mes that are possible to modify if required any and core interfaces In addition the SEG provides two special logical interfaces that are named any and core The meaning of these are any represents all possible interfaces including the core interface core indicates that the SEG itself will deal with traffic to and from this interface An example of the use of core is when the SEG responds to ICMP Pin...

Page 56: ...less LAN you might change the interface name to wireless For maintenance and troubleshooting it is recommended to tag the corresponding physical port with the new name IP addresses Each Ethernet interface is required to have an Interface IP Address The interface IP address is used as the primary address for communicating with the system through the specific Ethernet interface More than one IP addr...

Page 57: ...he IP address directly on the interface For example to change the IP address of the sfp1_ip interface use the CLI command Device set Interface EthernetInterface sfp1 IPaddress 10 1 1 2 Assigning multiple IP addresses to an Ethernet interface Multiple IP addresses can be assigned to a single Ethernet interface by adding addresses to the Ethernet interface object The addresses can be a mixture of IP...

Page 58: ...ess Each host in the local network receives this packet The host with the specified destination address sends an ARP reply packet to the originating host with its MAC address SEG ARP cache The ARP cache in network equipment such as switches and security gateways is an important component in the implementation of ARP It consists of a dynamic table that stores the mappings between IPv4 addresses and...

Page 59: ...e advanced setting ARPExpire Example 1 Changing the ARPExpire setting This example shows how to change the number of seconds for the ARPExpire setting Device set Settings ARPTableSettings ARPExpire 1800 Modified ARPTableSettings The advanced setting ARPExpireUnknown specifies how long the SEG will remember addresses that cannot be reached This limit is needed to ensure that the SEG does not contin...

Page 60: ...large LANs directly connected to the security gateway it may be necessary to increase this value This can be done by modifying the setting ARPCacheSize property in the ARPTableSettings object Example 1 Changing the ARP cache size This example shows how to change the size of the SEG ARP cache to hold 8192 entries Device set Settings ARPTableSettings ARPCacheSize 8192 Modified ARPTableSettings Hash ...

Page 61: ...ies allow the administrator to tell the SEG how to reach external devices The entry tells the SEG that a specific IPv4 address can be reached through a specific interface using a specific MAC address This means that when the SEG needs to communicate with the address it consults the ARP table static entries and can determine it can be reached at a specific MAC address on a specific interface This f...

Page 62: ...n when these gateway addresses are published on the corresponding SEG interface To publish multiple addresses on an external interface enabling the SEG to use Static Address Translation SAT for traffic to these addresses and send it onwards to internal servers with private IPv4 addresses A less common purpose is to aid nearby network equipment responding to ARP in an incorrect manner Example Publi...

Page 63: ...described next IP addresses IP address objects are used to define symbolic names for various types of IP addresses Depending on how the address is specified an IP address object can represent a single IP address a specific host a network a range of IP addresses and even a DNS name The following list describes the various types of addresses an IP address object can hold along with what format that ...

Page 64: ...ess wwwservers Address 192 168 10 16 192 168 10 21 Example 4 Deleting an address object This example deletes an object named wwwsrv1 from the address book Device delete Address IPAddress wwwsrv1 Deleting referenced IP address objects If an IP address object that is in use by another object is deleted the deletion will appear to be successful However the SEG will not allow the configuration to be s...

Page 65: ...ave an associated interface IP object named sfp1_ip and a network object named sfp1_net all nets ip4 The all nets ip4 IPv4 address object is initialized to the IPv4 address 0 0 0 0 0 which represents all possible IP4 addresses The all nets ip4 IP object is used extensively in the configuration of the SEG and it is important to understand its significance all nets ip6 The all nets ip6 object perfor...

Page 66: ...llows both IPv4 and IPv6 packets to be recognized If all IPv6 traffic is to be ignored the setting is Device set Settings IPSettings BlockIPVersions IPv6DropSilent This is the default and causes all IPv6 packets to be ignored Adding an IPv6 address IPv6 address objects are created in the SEG address book in the same way as for IPv4 For IPv6 only the all nets ip6 object IPv6 address 0 exists by def...

Page 67: ...IPv6 address 2001 DB8 1 from the network 2001 DB8 32 to the address object Device set Address IPAddress sfp1_net Address 10 15 0 0 24 2001 DB8 32 Device set Address IPAddress sfp1_ip Address 10 15 0 50 2001 DB8 1 Tip When using the CLI set Address IPAddress command you can append a new IP address value to any existing values All the existing values can be displayed by typing a period followed by a...

Page 68: ...e can solicit and receive IPv6 messages to allow it to perform Stateless Address Auto Configuration SLAAC The SLAAC process allows the client to create its own unique global IPv6 address based on the MAC address of its interface and the prefix of the IPv6 address for the SEG interface it is connected to Enabling router advertisement in the SEG is not done directly on the Ethernet Interface object ...

Page 69: ...dress my_ipv6 on the sfp3 interface 1 Change the context to be NDEntries Device cc NDEntries 2 Add an NDEntry object to NDEntries Device NDEntries add NDEntry Interface sfp3 IP my_ipv6_net Note that the default value for the Mode property is Publish 3 Return to the default root context Device NDEntries cc Device IPv6 usage restrictions The following is a summary of IPv6 restrictions in the current...

Page 70: ...pecified http for world wide web pages DNS servers can exist both on the public Internet for resolution of public IP addresses as well as private servers for the resolution of private IP addresses FQDNs are used in many aspects of an SEG configuration where IP addresses are unknown or where it makes more sense to use DNS resolution instead of static IP addresses DNS with the SEG To accomplish DNS ...

Page 71: ...Time 5 RepeatCount 3 Comments empty If the IPv4 address 10 0 0 1 is defined in the SEG address book with the name dns1_ip the command is Device set DNS DNSServers dns_ip1 With three multiple alternate DNS servers called dns_ip1 dns_ip2 and dns_ip3 the command is Device set DNS DNSServers dns_ip1 dns_ip2 dns_ip3 To test the DNS lookup assuming a public Internet DNS is configured the command is Devi...

Page 72: ...mand is Device dns list Name Address Type TTL www google com 209 85 149 99 A 49 www google com 209 85 149 103 A 49 www google com 209 85 149 104 A 49 www google com 209 85 149 105 A 49 www google com 209 85 149 106 A 49 www google com 198 41 0 4 A 49 ...

Page 73: ...ic based on the source or destination network or interface as well as based on the type of protocol the service Two types of SEG IP rules NAT rules and SAT rules are used to configure address translation This section describes how to configure NAT and SAT rules and provides examples NAT Dynamic Network Address Translation NAT provides a mechanism for translating original source IP addresses to a d...

Page 74: ...of NAT Figure 2 NAT IP address translation In the illustration above three flows from IP addresses A B and C are dynamically translated through a single source IP address N The original port numbers are also changed The next source port number allocated for a new NAT flow will be the first free port selected randomly by the SEG Ports are allocated randomly to increase security from external attack...

Page 75: ...ation This is the default way that the IP address is determined Define a specific IP address A specific IP address can be defined as the new source IP address The specified IP address needs to have a matching ARP Publish entry configured for the outbound interface Otherwise the return traffic will not be received by the SEG This technique might be used when the source IP is different based on the ...

Page 76: ...ss translation for all HTTP traffic originating from the internal network sfp1 as it flows out to the public Internet on the wan interface The IPv4 address of the wan interface will be used as the NATing address for all connections 1 Change the current category to be the main IP rule set Device cc IPRuleSet main 2 Create the IP rule Device IPRuleSet main add IPRule Action Allow SourceInterface sfp...

Page 77: ...turn to the default CLI context if no more rules are needed Device IPRuleSet main cc Device The IPv4 address 10 0 0 1 must also be explicitly ARP published on the wan interface if it is not already one of the addresses assigned to that interface IPv4 and IPv6 NAT addresses In the example above the option NewSourceIP6 could be used to specify an IPv6 address as the NAT address Either or both of New...

Page 78: ...and ICMP such as telnet FTP HTTP and SMTP The SEG can alter port number information in the TCP and UDP headers to make each flow unique even though such flows have had their sender addresses translated to the same IP Some protocols regardless of the method of transportation used can cause problems during address translation SAT The SEG can translate entire ranges of IP addresses and port numbers T...

Page 79: ...herefore has the maximum exposure to external threats By isolating the DMZ network a clear security separation is created from sensitive internal networks SEG security policies can then control traffic flows between the DMZ and internal networks isolating any security problems occurring in the DMZ The illustration below shows a typical network arrangement with a SEG mediating communications betwee...

Page 80: ...o translate an entire range of IP addresses a many to many translation This results in a transposition where the first original IP address will be translated to the first IP address in the translation address list and so on Port numbers are not changed Example 1 Translating traffic to multiple protected Web servers M N In this simple example a SAT IP rule will translate from five IPv4 public IP ad...

Page 81: ...ace since the SEG supports multiple IP addresses on interfaces 4 Change the current CLI context to be the main IP rule set Device cc IPRuleSet main 5 Create a SAT rule for the translation Device IPRuleSet main add IPRule Action Allow Service http SourceInterface any SourceNetwork all nets ip4 DestinationInterface wan DestinationNetwork wwwsrv_pub DestinationTranslation SAT SetDestinationAddress Of...

Page 82: ...uired Many to one translation N 1 The SEG can be used to translate ranges and groups into just one IP address Example Translating traffic to a single Web server N 1 This example is similar to the previous many to many M N example but this time a SAT IP will translate from five public IPv4 addresses to a single Web server located on a DMZ network The SEG is connected to the Internet via the wan int...

Page 83: ...evice IPRuleSet main cc In the above example the option NewDestinationIP6 could be used with or instead of NewDestinationIP4 to perform the same function with IPv6 addresses Note When all nets all nets ip4 or all nets ip6 is the destination in a SAT rule an All to One mapping is always done Port translation with SAT Port Translation also known as Port Address Translation PAT can be defined in a SA...

Page 84: ... 3 Return to the default CLI context with the command Device IPRuleSet main cc Device Combining SAT with NAT in the same rule Both SAT and NAT translation can be combined into the same Allow IP rule by using the options SourceTranslation SAT and DestinationTranslation SAT together Example Combining NAT and SAT Assume a number of clients on the internal protected lan_net network are surfing the pub...

Page 85: ...an be translated only in special cases and some protocols that cannot be translated at all Protocols that cannot be translated using SAT usually cannot be translated using NAT The reasons for this can include The protocol requires that the IP addresses are cryptographically unaltered This applies to many VPN protocols The protocol embeds its IP addresses inside TCP or UDP level data and requires t...

Page 86: ... which interface to send a packet so it can reach its intended destination In the SEG there can be one or more routing tables At minimum there is a single default routing table called main The interfaces of routes in these tables may be a physical Ethernet interface or it might be a configuration object that behaves like an interface such as a VPN tunnel Example Listing the routing table main cont...

Page 87: ...me suggests all nets ip4 corresponds to all IP4 Internet addresses and the route for this address is sometimes referred to as the default route since it is chosen when no other match can be found Gateway This is the IP address of the gateway that is the next router in the path to the destination network This is optional If the destination network is connected directly to the interface this is not ...

Page 88: ... follows The above routing table provides the following information Route 1 All packets going to hosts on the 192 168 0 0 24 network should be sent out on the sfp1 interface As no gateway is specified for the route entry the host is assumed to be located on the network segment directly reachable from the sfp1 interface Route 2 All packets going to hosts on the 10 4 0 0 16 network are to be sent ou...

Page 89: ...st one However the first route entry is a narrower more specific match so the evaluation will end there and the packet will be routed according to that entry Although routing table ordering is not important it is still recommended for troubleshooting purposes to try and place narrower routes first and the default route last Local IP Address property The correct usage of the Local IP Address proper...

Page 90: ... diagram illustrates a scenario where this feature could be used The network 10 1 1 0 24 is bound to a physical interface that has an IPv4 address within the network of 10 1 1 1 If a second network 10 2 2 0 24 is attached to the interface via the switch it is unbound since the interface s IP address doesn t belong to it Figure 6 Using Local IP address with an unbound network This feature is normal...

Page 91: ...with it In this case the interface of one of the routes is specified as Core Static routing The most basic form of routing is known as Static Routing The term static is used because most entries in a routing table are part of the SEG system s static configuration They usually remain unchanged during long periods of system operation Due to this manual approach static routing is most appropriate to ...

Page 92: ...and makes errors less likely Many other products do not use the specific interface in the routing table but specify the IP address of the interface instead The routing table below is from a Microsoft Windows XP workstation Interface List 0x1 MS TCP Loopback interface 0x10003 00 13 d4 51 8d dd Intel R PRO 1000 CT Network 0x20004 00 53 45 00 00 00 WAN PPP SLIP Interface Active Routes Network Destina...

Page 93: ...the SEG approach to route definition is that it allows you to specify routes for destinations that are not aligned with traditional subnet masks For example it is perfectly legal to define one route for the destination IPv4 address range 192 168 0 5 to 192 168 0 17 and another route for IP addresses 192 168 0 18 to 192 168 0 254 This is a feature that makes SEG highly suitable for routing in highl...

Page 94: ...e category or change context before manipulating individual routes This is necessary for any category that could contain more than one named group of objects all nets route The most important route that should be defined is the route to all nets which usually corresponds to your ISP for public Internet access Throughout this manual the all nets ip4 address object is used in most cases which is a s...

Page 95: ...estination address is one of the interface IPs the packet will be routed to the core interface In other words it is processed by the SEG itself There is also a core route added for all multicast addresses Route Interface Destination Gateway 1 core 224 0 0 0 4 ...

Page 96: ...nel Source network The network that contains the source IP address of the packet This is usually an SEG IP address object which defines a single IP address a range of addresses or a network Destination interface An interface from which the packet would leave the SEG This could also be a physical Ethernet interface or a configuration object that acts as an interface such as a VPN tunnel Destination...

Page 97: ...tion Interface From what network to what network the traffic flows the Source Network and Destination Network What kind of protocol is affected the Service What action the rule will take when a match on all the criteria is triggered the Action Specifying any interface or network When specifying the filtering criteria in any of the rule sets specified above there are a number of useful predefined f...

Page 98: ...ge the current context to be the main IP rule set Device cc IPRuleSet main Now create the IP rule Device IPRuleSet main add IPRule Action Deny Service all_services SourceInterface any SourceNetwork all nets DestinationInterface any DestinationNetwork all nets Name main_da After the rule is added to an empty rule set the entire rule set can be displayed Device IPRuleSet main show IPRule IPRuleFolde...

Page 99: ...an SEG routing table that specifies on which interface packets should leave in order to reach their destination A second route must also exist that indicates the source of the traffic is found on the interface where the packets enter This satisfies the reverse route lookup check performed by the SEG when a new flow is established An IP rule in an SEG IP rule set that specifies the security policy ...

Page 100: ... It is important to remember that the SEG searches the IP rules from top to bottom looking for the first matching rule If an IP rule seems to be ignored check that some other rule above it isn t being triggered first Stateful inspection After initial rule evaluation of the opening flow subsequent packets belonging to that flow will not need to be evaluated individually against the rule set Instead...

Page 101: ...ng traffic Incoming packets that do not match any rule in the rule set and do not have an already opened matching flow will automatically be subject to a Deny action To have more precise control over such non matching traffic it is recommended to create an explicit rule called Deny All as the final rule in the rule set with an action of Deny for source and destination network all nets source and d...

Page 102: ... rule is set to SendReject This setting means the rule returns a TCP RST or ICMP Unreachable message for denied traffic informing the sender that the packet was dropped Using this option can help to speed up applications that must wait for a reply timeout period The impolite default setting for a Deny rule is OnDeny DropSilent Bi directional connections A common mistake when setting up IP Rules is...

Page 103: ...defined as using the TCP protocol with the associated destination port 80 and any source port However service objects are not restricted to just the TCP or UDP protocols They can be used to encompass ICMP messages as well as a user definable IP protocol A service is passive Service objects are passive SEG objects in that they do not themselves carry out any action in a configuration Instead they a...

Page 104: ... in the system enter Device show Service The output will look similar to the following listing with the services grouped by type and the service groups appearing first ServiceGroup ServiceGroup Name Comments all_tcpudpicmp All ICMP TCP and UDP services ServiceICMP Name Comments all_icmp All ICMP services ping inbound Inbound ping does not allow tracerouting Example 2 Viewing a specific service To ...

Page 105: ...ible types or it is possible to filter the types Specifying codes If a type is selected the codes for that type can be specified in the same way that port numbers are specified For example if the Destination Unreachable type is selected with the comma delimited code list 0 1 2 3 this will filter Network unreachable Host unreachable Protocol unreachable and Port unreachable When a message type is s...

Page 106: ... or transport layer functions can be uniquely identified by IP protocol numbers IP can carry data for a number of different protocols These protocols are each identified by a unique IP protocol number specified in a field of the IP header For example ICMP IGMP and EGP have protocol numbers 1 2 and 8 respectively Similar to the TCP UDP port ranges described previously a range of IP protocol numbers...

Page 107: ... primarily addressed by the SEG IP rule set in which a range of protected LAN addresses are treated as trusted hosts and traffic flow from untrusted sources is restricted from entering trusted areas Before a new connection is checked against the IP rule set the SEG checks the connection source against a set of access rules Access rules can be used to specify what traffic source is expected on a gi...

Page 108: ...rk congestion to be created and a potential Denial of Service DoS condition could occur Even if the security gateway is able to detect a DoS condition it is hard to trace or stop because of its nature VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution the access rules can provide an anti spoofing capability by providing an extra filter for verifying the sour...

Page 109: ...blems can appear because of this It is always recommended to check access rules when troubleshooting to see if a rule is preventing some other function such as VPN tunnel establishment from working properly Example Setting up an access rule Define a rule that ensures no traffic with a source address within the network bad_net is accepted on the sfp1 interface 1 Create a new access rule set called ...

Page 110: ...ferent from these IP addresses but they are used here only to illustrate how setup is done Also these addresses are private IPv4 addresses and in reality an ISP would use public IP addresses instead In addition you must add the gateway IP address object which in this example is called wan_gw Device add Address IPAddress wan_gw Address 10 5 4 1 This is the address of the ISP s gateway which is the ...

Page 111: ... empty RTBMembership main Comments empty Defining IP rules Even though an all nets ip4 route is automatically added no traffic can flow without the addition of an IP rule that explicitly allows the flow For example to allow web surfing from the protected network sfp1_net on the interface sfp2 define a rule with an Action of Allow 1 Change the current CLI context to the default IPRuleSet called mai...

Page 112: ...ommand will not be received and the SEG will revert back to the original configuration after the 30 second time period This time period is a setting that can be changed as shown next Example Changing the activation revert timeout This example shows how to change the default revert timeout after a configuration is activated to 120 seconds Device set Settings RemoteMgmtSettings BiDirTimeout 120 Allo...

Page 113: ...thout another party being able to read confidentiality or alter it integrity It is equally important that the recipient can verify that no one is falsifying data or pretending to be someone else Virtual Private Networks VPNs meet this need providing a highly cost effective means of establishing secure links between two co operating computers so that data can be exchanged in a secure manner VPN all...

Page 114: ...ternet In this case each network is protected by an individual security gateway and the VPN tunnel is set up between them 2 Client to LAN connection Where many remote clients need to connect to an internal network over the Internet In this case the internal network is protected by the SEG to which the client connects and the VPN tunnel is set up between them ...

Page 115: ...level VPN planning An attacker targeting a VPN connection typically views VPN traffic as an indication that there is something worth targeting at the other end of the connection In most cases mobile clients and branch offices are far more attractive targets than the main corporate network Once inside those getting to the corporate network then becomes easier In designing a VPN there are many issue...

Page 116: ...ecurity key distribution schemes are best planned in advance Issues that need to be addressed include How will keys be distributed E mail is not a good solution Phone conversations might be secure enough How many different keys should be used One key per user One per group of users One per LAN to LAN connection One key for all users and one key for all LAN to LAN connections It is probably better ...

Page 117: ...protocols ESP or AH or a combination of both Currently only ESP is supported in the SEG The flow of events can be briefly described as follows IKE negotiates how IKE should be protected IKE negotiates how IPsec should be protected IPsec moves data in the VPN The following sections will describe each of these stages in detail Internet Key Exchange IKE Encrypting and authenticating data is fairly st...

Page 118: ...le algorithm combination is done not just to find the best way to protect the IPsec connection but also to find the best way to protect the IKE negotiation itself Algorithm proposal lists also contain other IKE related parameters Further details of the IKE negotiation and the other IKE parameters are described next IKE negotiation An IKE negotiation consists of two phases IKE Phase 1 Negotiate how...

Page 119: ...nce the phase 2 negotiation is finished the VPN connection is established and ready for traffic to pass through it IKE parameters There are a number of parameters used in the IKE negotiation process These are summarized next Local endpoint identification This is a piece of data representing the identity of the local VPN tunnel endpoint Local and remote networks hosts These are the subnets or hosts...

Page 120: ...nd destination addresses making certain that the packet really came from who the IP header claims it is from Since AH protects the outer IP addresses it does not work with NAT Note The SEG does not currently support AH IKE encryption This specifies the encryption algorithm used in the IKE negotiation and depending on the algorithm the size of the encryption key used IKE authentication This specifi...

Page 121: ...tected IPsec traffic This is not needed when AH is used or when ESP is used without encryption IPsec authentication This specifies the authentication algorithm used on the protected traffic This is not used when ESP is used without authentication although it is not recommended to use ESP without authentication IPsec lifetime This is the lifetime of the VPN connection It is specified in both time s...

Page 122: ...groups 2 and 5 are used IKE and IPsec lifetimes Both the IKE and the IPsec connections have limited lifetimes described in terms of time These lifetimes prevent a connection from being used for too long which is undesirable from a security perspective The IPsec lifetime must be shorter than the IKE lifetime The difference between the two must be a minimum of 5 minutes This allows for the IPsec con...

Page 123: ...is vulnerability PSK based authentication Using a Pre shared Key PSK is a method where the endpoints of the VPN share a secret key This is a service provided by IKE and thus has all the advantages that come with it making it far more flexible than manual keying PSK advantages Pre Shared Keying has a lot of advantages over manual keying These include endpoint authentication which is what the PSKs a...

Page 124: ...ficates IPsec protocols ESP AH The IPsec protocols are the protocols used to protect the actual traffic being passed through the VPN The actual protocols used and the keys used with those protocols are negotiated by IKE There are two protocols associated with IPsec AH and ESP These are covered in the sections below AH Authentication Header AH is a protocol used for authenticating a data stream AH ...

Page 125: ...either encryption only or authentication only Figure 9 The ESP protocol Creating and using proposal lists To agree on the VPN flow parameters a negotiation between tunnel peers is performed As a result of these negotiations the IKE and IPsec security associations SAs are established A proposal list of supported algorithms is the starting point for a negotiation Each entry in the list defines param...

Page 126: ...sets according to the level of security they provide These sets called high low and all are then used in the pre defined IKE and IPsec proposal lists The sets are as follows High This consists of a set of algorithms to give higher security This is the default algorithm set for an IPsec tunnel if no proposal lists are explicitly set The complete list is 1 3DES and AES256 CBC for encryption 2 MD5 an...

Page 127: ...ithms Example Creating and using IKE proposal lists This example looks at creating a new IKE proposal list called my_list and adding to an existing IPsecTunnel object called my_tunnel 1 Create the IKE proposal list Device add IKEProposalList my_list 2 Change the current context to be the created list Device cc my_list 3 Add at least one proposal to the list Device IKEProposalList my_list add IKEPr...

Page 128: ... 8 Even though the same PSK appears to be used at either end of the tunnel there can be a mismatch because two platforms are encoding differently For example this can cause problems when setting up a Windows L2TP client that connects to the SEG Certificates The SEG supports digital certificates that comply with the ITU T X 509 standard This involves the use of an X 509 certificate hierarchy with p...

Page 129: ... a chain like certificate hierarchy The highest certificate is called the Root Certificate and it is signed by the Root CA Each certificate in the chain is signed by the CA of the certificate directly above it in the chain However the root certificate is signed by itself it is self signed Any certificates in the chain between the root certificate and the end certificate are called Intermediate Cer...

Page 130: ...cure copy on page 30 Self signed certificates cannot be used with the SEG Creating certificate configuration objects Once the certificate files are uploaded using SCP Certificate SEG configuration objects have to be created which are associated with these files Assume that the CA signed certificate file has the filename myfile cer and the host certificate files have the filenames anotherfile cer a...

Page 131: ...ant parts of the pem file to form the required cer and key files The detailed steps for the above stages are as follows 1 Create the gateway certificate on the Windows CA server and export it to a pfx file on the local SEG management workstation disk 2 Now convert the local pfx file to a pem file This can be done with the OpenSSL utility using the CLI openssl pkcs12 in gateway pfx out gateway pem ...

Page 132: ...c tunnels in the SEG configuration is examined If a matching tunnel definition is found that tunnel is opened The associated IKE and IPsec negotiations then take place resulting in the tunnel becoming established to the remote endpoint IP rules control decrypted traffic Note that an established IPsec tunnel does not automatically mean that all the traffic flowing from the tunnel is trusted On the ...

Page 133: ...unnel objects As discussed in IPsec troubleshooting on page 143 a potential problem can occur when a single IPsec VPN tunnel is set up referencing two IPsec tunnel objects Consider the situation of an IPsec client sending a request to open a tunnel to the SEG The client begins by sending an IKE_INIT request that includes a proposal list key information and a notification payload The SEG then scans...

Page 134: ...ith tunnel B and the authentication established with tunnel A This may not be the intended result so the administrator should take care when defining IPsec tunnel objects IPsec rekeying The SEG supports IPsec rekeying This means that a rekey of the IKE and IPsec Security Associations SAs will be initiated based upon the configured values in the proposal lists for IKE and IPsec The lifetimes of the...

Page 135: ...etwork can be found at the other end of the tunnel so it knows which traffic to send into the tunnel In most cases this route is created automatically when the tunnel is defined and this can be checked by examining the routing tables If a route is defined manually the tunnel is treated exactly like a physical interface in the route properties as it is in other aspects of the SEG In other words the...

Page 136: ...salList object must contain at least one IPsecProposal object If PFS is required the IPsec proposal must have DH groups specified otherwise PFS is disabled the default 3 In the Address Book create IP objects for The remote VPN gateway that is the IP address of the network device at the other end of the tunnel remote_gw The remote network which lies behind the remote VPN gateway remote_net The loca...

Page 137: ...r routing packets bound for the remote network at the other end of the tunnel IPsec LAN to LAN with certificates LAN to LAN security is often provided with pre shared keys but sometimes it may be desirable to use X 509 certificates instead If this is the case Certificate Authority CA signed certificates may be used and these come from an internal CA server or from a commercial supplier of certific...

Page 138: ...tes have an expiration date and time Review CA server access on page 140 which describes important considerations for certificate validation NAT traversal Both IKE and IPsec protocols present a problem in the functioning of NAT Both protocols were not designed to work through NATs and because of this a technique called NAT traversal NAT T has evolved This is an add on to the IKE and IPsec protocol...

Page 139: ...CP and UDP which makes it impossible to have more than one NAT client connected to the same remote gateway at the same time Because of this ESP packets are encapsulated in UDP ESP UDP traffic is sent on port 4500 the same port as IKE when NAT traversal is used Once the port has been changed all following IKE communication is done over port 4500 Keep alive packets are also sent periodically to keep...

Page 140: ...tered It also will not be known to an internal network unless it is registered on an internal DNS server For LTE scenarios in a telecom environment a private CA server is most often used with server requests sent using the LDAP protocol However the protocol used is determined by the settings within the certificate Access considerations Consider the following when planning for successful CA server ...

Page 141: ...t one public DNS server address configured to resolve the FQDNs in the certificates it receives It must be also possible for a server request to pass from the validation request source either the SEG or a client to the CA server and the reply to be received If the request is going to pass through the SEG the appropriate rules in the SEG IP rule set need to be defined to allow this traffic through ...

Page 142: ...dress of the private CA server must be resolvable through public DNS servers for certificate validation requests coming from the public Internet If the certificate queries are coming only from the SEG and the CA server is on the internal side of the security gateway the IP address of the internal DNS server must be configured in the SEG so that these requests can be resolved and this is the case i...

Page 143: ...oblems that are found with VPN General troubleshooting In all types of VPNs some basic troubleshooting checks can be made Check that all IP addresses have been specified correctly Check that all pre shared keys and usernames passwords are correctly entered Use ICMP Ping to confirm that the tunnel is working With roaming clients this is best done by Pinging the internal IP address of the local netw...

Page 144: ...ming connection However the tunnel object selected in the initial exchange between client and the SEG may have to change because a mismatch is discovered in a later phase This can result for example in a situation where the proposal list matches one IPsec tunnel object but authentication matches another tunnel object The administrator should be aware this can happen so that unexpected behavior can...

Page 145: ...ST State or province L Locality Usually a city O Organization Usually a company name OU The organization unit Typically the certificate type CN The common name Typically a product name DC The domain component The verbose option with the cert option can provide more detailed information about the cache contents Device ike cert verbose IKEv2 Certificates Subject Issuer Valid From Valid To Status 1 C...

Page 146: ...the values displayed are SPI numbers and these are specified using hexadecimal The reverse flows for the above can be displayed using the verbose option Device flow show verbose Proto Source Destination Timeout ESP core 0 53 0 0 1 ext 53 0 1 2 0x757d8003 126 rev core 0 53 0 0 1 ext 53 0 1 2 0x757d8003 126 ICMP ipsec 1 33 192 100 1 9 2048 gtp 1 192 200 0 1 17683 7 rev ipsec 1 33 192 100 1 9 17683 g...

Page 147: ...how that IPsec tunnels have correctly established A typical example of output from this command is shown below Device ike stat IKEv2 Statistics Statistic Value IKE SAs active 2 IKE SA negotiations active 0 IKE SA negotiations done 3 IKE SA negotiations failed 1 IKE SA rekeys active 0 IKE SA rekeys done 0 IKE SA rekeys failed 0 IPsec SAs active 2 IPsec SA negotiations active 0 IPsec SA negotiations...

Page 148: ... monitoring the command is Device ike snoop off Presented below is some typical ike snoop output the formatting has been changed slightly to fit the page The tunnel negotiation considered is based on pre shared Keys A negotiation based on certificates is not discussed here but the principles are the same SNOOP IKEv2 2010 05 31 12 30 09 172 22 53 18 500 172 22 53 23 500 IKE_SA_INIT request 0 SA KE ...

Page 149: ...ut IKE_AUTH request 1 is a request from the remote tunnel endpoint172 22 53 23 to try and agree algorithms IDi AUTH SA TSi TSr N INIT_CONTACT N ESP_TFC_PAD_N N NON_FIRST_FRAG The actual algorithms in the proposal lists sent by each tunnel peer are not shown in this summary version of the ike command However the sequence of steps leading to success or failure are shown Complete ike command options ...

Page 150: ...ll be able to then see what proposals the remote side is sending and then compare the results with your own IKE proposal list At least one proposal has to match in order for it to pass phase 1 Don t forget that the lifetimes are also important If the negotiation fails during phase 2 IPsec The IPsec proposal list does not match Double check that the IPsec proposal list matches that of the remote si...

Page 151: ...s through the tunnel but when they arrive at the initiator it will drop them since no matching tunnel can be found Simply remove the tunnel from the side that believes it is still up to solve the immediate problem An investigation as to why the tunnel only went down from one side is recommended It could be that DPD and or Keep Alive is only used on one side Another possible cause could be that eve...

Page 152: ...e to a mismatch of the size in local or remote network and or the lifetime settings on the proposal list s To troubleshoot this the settings for the local network remote network IKE proposal list and IPsec proposal list on both sides need to be examined to try to identify a miss match For example suppose there are the following IPsec settings at either end of a tunnel Side A Local Network 192 168 ...

Page 153: ...ming clients that connect through the IPsec tunnel trigger the authentication described by the profile An authentication profile has the following properties Agent Type This is the type of authentication that will be used The choices are BASIC This is the default and indicates standard username password authentication For example the profile associated with the RemoteMgmtSSH object to allow admini...

Page 154: ...uthentication profile with RADIUS servers This example creates an authentication profile called ext_auth that will reference two RADIUS servers called rad1_server and rad2_server Device add AuthenticationProfile ext_auth AuthSource RADIUS RadiusServer rad1_server rad2_server RADIUS authentication Centralizing authentication In a larger network topology with a larger administration workload it is o...

Page 155: ...default value is 1812 RetryTimeout This is the length of time in milliseconds after which a RADIUS request will have assumed to fail and a retry is attempted This value cannot be less that 500 with no upper limit The default value is 2000 NumRetries When a RADIUS request times out the request is retried This happens for NumRetries times The retry minimum is 1 and the maximum is 10 The default is 3...

Page 156: ...reate a RADIUS server object as described above 2 Create an Authentication Profile object that uses the RADIUS server as its Authentication Source 3 Associate the profile with an IP rule When the IP rule triggers authentication of user credentials will then be required to set up the traffic flow The radiussnoop command To troubleshoot problems the SEG provides the ability to examine the interactio...

Page 157: ...d be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster The active unit is the security gateway that is actually processing all traffic at a given point in time This could be the slave if a failover has occurred Interconnection of cluster peers In a cluster the master and slave must be directly connected to each other by one or more synchronizatio...

Page 158: ...nd the slave can exist in a single cluster The only processing role that the inactive unit plays is to replicate the state of the active unit and to take over all traffic processing after a failover if it determines the active unit has experienced a failure Hardware duplication SEG HA will operate only between two security gateways As the internal operation of different security gateway manufactur...

Page 159: ...ats cannot be forwarded by a router since they do not contain an IP header The Ethernet source and destination address is based on the cluster ID and the role of the sending and receiving unit The Ethernet frame type is set as 0xC14B Heartbeat frequency The SEG sends 10 heartbeats per second every tenth of a second on each critical interface Both peers send these to each other and both monitor any...

Page 160: ...er IP address published via ARP configuration or through Proxy ARP are answered by the active unit only The hardware address of the shared IP address and other published addresses are not related to the actual MAC addresses of the Ethernet interfaces Instead a new MAC address is constructed by the SEG The first part of the constructed address is always 10 00 00 The second part is based on the conf...

Page 161: ...these should be two separate modules in the same or different shelf One should be designated the master node the other designated the slave node 2 The interfaces of both cluster nodes are connected via a common switch as shown in the illustration below The interface names on both security gateways must be identical The sync interfaces do not need to be connected via a switch since shelf based plat...

Page 162: ...hould be the same and set to the Ethernet device name of the interface The current values of these settings can be checked with the command Device show Interface EthernetInterface sfp1 Property Value Name sfp1 EthernetAddress empty PrivateIP 0 empty 1 empty HAType Critical EthernetDevice 0 sfp1 1 empty MTU 1500 IPAddress sfp1_ip IP4Broadcast empty RTBMembership main Comments empty In the example a...

Page 163: ... address of the master interface in an interface pair and PrivateIP 1 is the private address of the corresponding slave interface in a pair For example if 10 6 12 10 is the private IPv4 address of the interface sfp1 on the master and 10 6 12 11 is the private IP of interface sfp1 on the slave the following command should be issued Device set Interface EthernetInterface sfp1 PrivateIP 0 10 6 12 10 ...

Page 164: ...e set Role Master ClusterID A unique ID between 1 and 63 AutoSyncCfg Yes No depending on if resynchronization should be automatic after reconfiguration Enabled Yes This is done using the CLI command Device set HighAvailability Role Master ClusterID 1 AutoSyncCfg Yes Enabled Yes The changed master configuration should finally be activated and committed Activating HA on the Slave node To activate HA...

Page 165: ...changes this time counter is reset to zero The HA object sync percentage indicates whether the system objects are fully synchronized between the peers Similarly when the same CLI command is applied to the slave the output could be something similar to Device ha This device is a HA SLAVE This device is currently Inactive for 47s HA cluster peer is ALIVE HA object sync 100 When setting up HA between...

Page 166: ...rom a single security gateway Using private individual IP addresses The unique individual IP addresses of the master and slave cannot safely be used for anything but management Using them for anything else such as for source IPs in dynamically address translated connections or publishing services on them will inevitably cause problems since unique IPs will disappear when the security gateway they ...

Page 167: ...atistics SEG statistics are not mirrored in both the master and slave units of an HA cluster since they relate only to the individual cluster units This means that some statistics will not reflect the values of the failed system after the failover ...

Page 168: ...y established once packets with their SYN flags off have travelled in both directions Device set Settings FlowTimeoutSettings FlowLifetimeEstablished 262144 Default 262 144 Idle Closing TCP Flow Lifetime Specifies in seconds how long a closing TCP flow may remain idle before finally being closed Flows reach this state when a packet with its FIN flag on has passed in any direction Device set Settin...

Page 169: ...es with the amount of IP data that can be accommodated in an unfragmented packet since TCP usually adapts the segments it sends to fit the maximum packet size However this value may need to be increased by 20 50 bytes on some less common VPN systems Device set Settings LengthLimSettings MaxTCPLen 1480 Default 1 480 Max UDP Length Specifies in bytes the maximum size of a UDP packet including the he...

Page 170: ...owed to pass through the VPN connections regardless of its original protocol plus approximately 50 bytes Device set Settings LengthLimSettings MaxESPLen 2000 Default 2 000 Max AH Length Specifies in bytes the maximum size of an AH packet AH Authentication Header is used by IPsec where only authentication is applied This value should be set at the size of the largest packet allowed to pass through ...

Page 171: ...Default 2 000 Max Other Length Specifies in bytes the maximum size of packets belonging to protocols that are not specified above Device set Settings LengthLimSettings MaxOtherSubIPLen Default 1 480 Log Oversized Packets Specifies if the SEG will log occurrences of oversized packets Device set Settings LengthLimSettings LogOversizedPackets Yes Default Yes Fragmentation settings IP is able to trans...

Page 172: ...LogPacket As DropPacket but also logs the event DropLogAll As DropLogPacket but also logs additional fragments belonging to this packet that arrive during ReassIllegalLinger seconds The choice of whether to discard individual fragments or disallow the entire packet is governed by two factors It is safer to discard the whole packet If as the result of receiving an illegal fragment you choose to dis...

Page 173: ...to log failures involving suspect fragments Such failures may arise if for example the IllegalFrags setting has been set to Drop rather than DropPacket The following settings are available for FragReassemblyFail NoLog No logging is done when a reassembly attempt fails LogSuspect Logs failed reassembly attempts only if suspect fragments have been involved LogSuspectSubseq As LogSuspect but also log...

Page 174: ...tings FragmentedICMP DropLog Default DropLog Other than ICMP ECHO Ping ICMP messages should not normally be fragmented as they contain so little data that fragmentation should never be necessary Minimum Fragment Length Determines how small all fragments with the exception of the final fragment of a packet can be expressed in bytes Device set Settings FragSettings MinimumFragLength 8 Default 8 Alth...

Page 175: ...l fragments of that packet from arriving for example old duplicate fragments Device set Settings FragSettings ReassDoneLinger 20 Default 20 Reassembly Illegal Linger Limit The number of seconds the SEG is able to remember that a whole packet has been marked as illegal This prevents additional fragments of that packet from arriving Device set Settings FragSettings ReassIllegalLinger 60 Default 60 R...

Page 176: ...etails Device set Settings FragSettings IPv6NopFrags Ignore Default Ignore Local fragment reassembly settings Max Concurrent Maximum number of concurrent local reassemblies Device set Settings LocalReassSettings LocalReass_MaxConcurrent 256 Default 256 Max Size Maximum size of a locally reassembled packet Device set Settings LocalReassSettings LocalReass_MaxSize 10000 Default 10 000 Large Buffers ...

Page 177: ... its support for VPN tunneling on the client side and the GPRS Tunneling Protocol GTP on the GPRS backbone side GTP is used by the SEG to communicate with a GPRS Service Support Node GGSN within the GPRS backbone network GTP handles both signalling and data transfer in the network and is implemented as a layer on top of the UDP protocol SEG GTP support means that the security gateway behaves like ...

Page 178: ... one DNS server IP address must be configured in the SEG for DNS lookup This may be located in the GPRS backbone network GTP tunnels The principal properties for defining a GTP tunnel are listed below Not all the available properties are included The ones that are omitted are usually rarely changed from their defaults but can be if required General settings LocalEndpoint The logical IP address of ...

Page 179: ... timer frequency that specifies when GTP interface paths should be checked to verify the functioning of GTP peers The default value is 60 UsePreferredIP Negotiate the end user address using the IP address proposed by the client The default value is No ResolveAPN This parameter specifies how often an APN is resolved in seconds If this parameter is set the GTP interface will resend DNS queries for t...

Page 180: ...SCF address received during the PDP context activation process SelectionMode This option indicates the origin of the APN The possible settings are 0 MS or network provided APN subscription verified 1 MS provided APN subscription not verified the default 2 Network provided APN subscription not verified Quality of Service QoS settings TrafficClass This option specifies the requested Traffic Class to...

Page 181: ...ified in the tunnel definition the IDr sent by the client is instead resolved on its own by the DNS server to obtain the GGSN IP address If both are available the logical intersection of the two is used Interface stitching The SEG feature of Interface Stitching is important to implementing I WLAN It involves tightly coupling together a pair of SEG interfaces so that they have the following charact...

Page 182: ...ients 2 Allow DNS lookup to be performed by clients 3 Allow HTTP traffic to flow from clients to the public Internet Adding client routing As clients connect in a I WLAN solution there has to be a route for the client in the relevant SEG routing table usually the main table This routes the IP address handed out to the client by the GGSN through the IPsec tunnel to the client There are two ways thi...

Page 183: ...e client then authenticates the sender by creating a signing chain to its own CA signed root certificate The use of intermediate certificates in these steps means that it will always be possible for a client to authenticate the host certificate even though the clients root certificate cannot be changed Two cryptographic suites must be specified For proposal lists for IKE and IPsec with I WLAN the ...

Page 184: ...e DHCP Server address It will be sent by the SEG in the response packet when responding to a client DHCPINFORM message If the GGSN does not supply a P CSCF address then it responds with a 0 0 0 0 address Support for multiple GGSNs It is possible to use multiple GGSNs networked through a single SEG This can be implemented in the following ways Using DNS Round robin It is possible to have a differen...

Page 185: ...ncryption Standard A 128 block size with key lengths of 128 256 bits ALG Application Layer Gateway ARP Address Resolution Protocol A protocol for mapping an IP address to a physical machine address e g MAC addresses AS Autonomous System ASBRs Autonomous System Boundary Routers BDR Backup Designated Router Blowfish 40 448 bits A 64 bit block cipher with key length variable between 32 and 448 bits B...

Page 186: ...r an insecure medium The method has many variants A well known attack called the man in the middle attack forces the use of digital signatures or other means of authentication with the Diffie Hellman protocol Dictionary attack A dictionary attack is a method of breaking into a password protected computer or server by systematically entering every word in a dictionary as a password A dictionary att...

Page 187: ...ructure DMZ Demilitarized zone In computer networks a DMZ demilitarized zone is a computer host or small network inserted as a neutral zone between a company s private network and the outside public network It prevents outside users from getting direct access to a server that has company data Distinguished Name DN A distinguished name belongs to the X 500 Directory terminology It declares a name t...

Page 188: ...one not possessing information about the transformation and SA needed to recover the protected data An ESP may also contain integrity protection The ESP protocol is defined in RFC 2406 Firewall A node located on the perimeter of an administrative domain that implements the security policy of the domain A firewall usually performs address and port based packet filtering and usually has proxy server...

Page 189: ...s CAs IDS Intrusion Detection System Intrusion detection is a type of security managementsystemfor computers and networks An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches which include both intrusions attacks from outside the organization and misuse attacks from within the organization IKE Internet Key Exchange T...

Page 190: ...lobal private network L2TP Layer Two Tunneling Protocol L2TP is an extension of the Point to Point Tunneling Protocol PPTP used by an Internet service provider ISP to enable the operation of a virtual private network VPN over the Internet LCP In the Point to Point Protocol PPP the Link Control Protocol LCP establishes configures and tests data link Internet connections LDAP Lightweight Directory A...

Page 191: ...work together as IPsec consider the packet processing of NAT as a violation of communications integrity NAT Traversal works by encapsulating the IPsec packets into UDP envelopes that contain information on recreating the IPsec packet The UDP traffic follows the same route as the IKE negotiation NCP Network Control Protocols NCPs can be used to transport traffic for a particular protocol suite so t...

Page 192: ...rioritizing is done by Pipe Rules covered in the next section PKCS Public Key Cryptography Standards The PKCS standards are a document series from RSA Laboratories Some of the most important PKCS standards include PKCS 1 for RSA encryption and signature formats PKCS 7 for cryptographic message encapsulation PKCS 10 for certification requests and PKCS 11 for a cryptographic token interface commonly...

Page 193: ...a trusted channels to anyone RADIUS Remote Authentication for Dial in User Service An Internet protocol providing authentication authorization and accounting It is primarily used for dial access RADIUS is defined in RFC 2138 and RFC 2139 Rijndael Designed by Joan Daemen and Vincent Rijmen Rijndael is a symmetric block cipher with a variable block size of 128 192 or 256 bits and a variable key leng...

Page 194: ...in RFC 2401 SAT Static Address Translation SAT SAT is a type of address translation in which a public IP address is statically mapped to a private IP address Dynamic NAT is normally used for outgoing traffic while SAT is used for incoming traffic SEG Security Gateway An intermediate system that acts as the communications interface between two networks The internal sub networks and hosts served by ...

Page 195: ...ostile client repeatedly sends SYN synchronization packets to every port on the server using fake IP addresses Transport Layer Security TLS Transport Layer Security is a protocol providing confidentiality authentication and integrity for stream like connections It is typically used to secure HTTP connections The protocol is being standardized by a working group of the IETF Transparent mode In Tran...

Page 196: ...crypted and sometimes encapsulated into another IP packet VLink Virtual Link X 500 The family of joint ITU T ISO standards defining the X 500 Directory The directory can be used for many applications such as storing certificates or information about people LDAP is often used to access the X 500 Directory X 509 The ITU T X 509 recommendation defines the formats for X 509 certificates and X 509 CRLs...

Page 197: ...at the tasks for achieving an application can be distributed to different layers and be implemented independently The model is relevant to understanding many aspects of the SEG such as ARP and services Layer functions The different layers perform the following functions Layer 7 Application Layer Defines the user interface that supports applications directly Protocols HTTP FTP TFTP DNS SMTP Telnet ...

Page 198: ...k Layer Performs addressing and routing Protocols IP OSPF ICMP IGMP and similar Layer 2 Data Link Layer Creates frames of data for transmission over the physical layer and includes error checking correction Protocols Ethernet PPP and similar ARP operates at this level Layer 1 Physical Layer Defines the physical hardware connection ...