Secure Computing ADMINGUIDEREVA, Manual

Page 1: ...VPN Administration Guide Revision A SafeNet Soft PK Version 5 1 3 Build 4 Sidewinder Version 5 1 0 02 ...

Page 2: ......

Page 3: ...i any updates or revisions of the Software or Documentation that you may receive the Update Under no circumstances will you receive any source code of the Software Software Products provided for use as backup in the event of failure of a primary unit may be used only to replace the primary unit after a failure in fact occurs They may not be used to provide any capability in addition to the functio...

Page 4: ...gree to comply with all applicable United States export control laws and regulations including without limitation the laws and regulations administered by the United States Department of Commerce and the United States Department of State 9 U S Government Rights Software Products furnished to the U S Government are provided on these commercial terms and conditions as set forth in DFARS 227 7202 1 a...

Page 5: ...ntication 2 3 Understanding pre shared key authentication 2 5 Extended authentication 2 6 Determining where you will terminate your VPNs 2 7 More about virtual burbs and VPNs 2 8 Defining a virtual burb 2 8 Understanding Sidewinder client address pools 2 9 Chapter 3 Configuring Sidewinder for Soft PK Clients 3 1 Enabling the VPN servers 3 2 Configuring ACL proxies entries for VPN connections 3 3 M...

Page 6: ... based certificates 4 7 Requesting a personal certificate from a CA on user s behalf 4 8 Importing certificate in Soft PK 4 9 Configuring a security policy on the Soft PK 4 13 Chapter 5 Deploying Soft PK to Your End Users 5 1 Overview 5 2 Customizing the user worksheet 5 4 Specifying dial up network instructions 5 4 Specifying installation instructions 5 4 Specifying certificate import request ins...

Page 7: ...ng com for the latest documentation select Downloads Activations Product Documentation Who should read this guide This guide is written for the person assigned to administer Sidewinder based VPN connections involving a Soft PK VPN client Setting up VPN connections involves procedures done on Sidewinder and procedures done using Soft PK to pre configure the VPN client security policy for each remot...

Page 8: ...involved in a VPN connection Chapter 3 Configuring Sidewinder for Soft PK Clients Provides a summary of Sidewinder procedures associated with setting up and configuring Soft PK connections in your network Note Perform these procedures before you configure your Soft PK clients Chapter 4 Installing and Working with Soft PK Includes Soft PK installation notes and describes the basic Soft PK procedure...

Page 9: ...his option and then try printing Print specific page s at a time rather than sending the entire document to the printer Where to find additional information Refer to the following for related information About Soft PK For additional information about configuring and troubleshooting Soft PK software refer to the online help that is integrated into the program s user interface Soft PK online help pr...

Page 10: ...e To contact Secure Computing directly or inquire about obtaining a support contract refer to our Web site at www securecomputing com and select Contact Us Or if you prefer send us email at support securecomputing com be sure to include your customer ID in the email ...

Page 11: ...and Sidewinder Virtual Private Network VPN environment and describes the requirements It includes a checklist to guide you through the basic steps to setup and deploy a VPN This chapter addresses the following topics About Soft PK Sidewinder VPNs on page 1 2 Requirements on page 1 3 Roadmap to deploying your VPNs on page 1 5 ...

Page 12: ...ity Figure 1 1 Sidewinder VPN connection providing secure data transmission between a remote system running Soft PK and your internal network s Note In a VPN connection keep in mind that the definition of remote depends on perspective From the Sidewinder s point of view the remote end is a system connecting from the Internet From the Soft PK system s point of view the remote end is the Sidewinder ...

Page 13: ...e requirements listed in this section Sidewinder and other network requirements The network over which Soft PK and Sidewinder will be used must meet the basic requirements listed in Table 1 1 Table 1 1 Network requirements for using Soft PK with Sidewinder Category Requirement Network A network infrastructure with at least one installed and operational Sidewinder Note You can protect more than one...

Page 14: ...nt A non encrypting modem for use with dial up networking or an Ethernet interface At least 10 MB of free hard disk space The recommended system RAM size Windows 95 16 MB Windows 98 NT 32 MB Windows 2000 Me 64 MB Software Microsoft Windows 95 98 Me NT 4 0 or 2000 Professional Dial up Networking component of Microsoft Windows and or Ethernet LAN interface If the remote system uses a modem the end u...

Page 15: ...urity profile that you include with Soft PK s installation files Users then simply need to install Soft PK and import a few files TIP A separate Soft PK User s Guide is NOT provided for end users of Soft PK As an administrator you should use the worksheet provided on the SafeNet Soft PK CD ROM in MS Word format as the basis for providing the remote Soft PK users with the appropriate installation a...

Page 16: ...ssigned certificates If using Sidewinder self signed certificates 4a1 Create export a firewall certificate 4a2 Create export remote certificates 4a3 Convert key file certificate pair to pkcs12 format 4b1 Request export the CA root certificate 4b2 Request a firewall certificate 4b3 Determine the identifying information DN your clients use 4b4 Define remote certificate identities within Sidewinder 4...

Page 17: ... as described on page 1 4 2 Plan your VPN configuration Review Chapter 2 to become familiar with key concepts and options that are available when setting up VPNs Review Chapter 11 in the Sidewinder Administration Guide for additional background on VPN configuration Review the readme txt file located on the Soft PK CD for additional information from Secure Computing 3 Enable appropriate Sidewinder ...

Page 18: ...3 6 for details Use a command line utility on Sidewinder to convert the key file certificate pair to pkcs12 format See Converting the certificate file private key file pair to pkcs12 format on page 3 8 for details If using a CA assigned certificates Use Cobra to define a CA and obtain the CA root certificate and export it for sending to client s See Defining a CA to use and obtaining the CA root c...

Page 19: ...age 5 2 Create Soft PK installation and configuration instructions for your end users For details see Customizing the user worksheet on page 5 4 If necessary define configuration steps for the Windows Dial Up Networking feature on each machine on which you are installing and using Soft PK For details see Specifying dial up network instructions on page 5 4 Specify the Soft PK installation instructi...

Page 20: ...ion problems Use the Soft PK Log Viewer See Soft PK Log Viewer on page A 1 Use the Soft PK Connection Monitor See Soft PK Connection Monitor on page A 2 Use Sidewinder commands See Sidewinder troubleshooting commands on page A 4 and the Sidewinder Administration Guide for details ...

Page 21: ...n to help you understand key concepts and options that are involved in a VPN connection It addresses the following topics Identifying basic VPN connection needs on page 2 2 Identifying authentication requirements on page 2 3 Determining where you will terminate your VPNs on page 2 7 Understanding Sidewinder client address pools on page 2 9 ...

Page 22: ...ich users need access Identify the important IP addresses It may help to start a sketch that defines your basic requirements Depending on your organization and network this could be somewhat more complex than the diagram shown in Figure 2 1 Figure 2 1 Identify remote users and the target internal systems in a sample diagram Sales Sidewinder Internet Protected Network Support group Mike Bryan 4 roa...

Page 23: ...ignatures and depending upon the algorithm to decrypt data encrypted with the corresponding public key The certificate file with public key Certificates contain informational values such as the identity of the public key s owner a copy of the public key itself so others can encrypt messages or verify digital signatures an expiration date and the digital signature of creating entity CA or firewall ...

Page 24: ... self signed certificate summary Scenario Profile Using self signed certificates for a small number of VPN clients No CA needed Requires one VPN association for each client Using CA based certificates for a medium to large number of VPN clients Uses a private or public CA Single VPN association for all clients Can make VPN deployment and management more efficient Soft PK Internet Protected Network...

Page 25: ... identifying a communicating party during a Phase 1 IKE negotiation This key password is called pre shared because you have to share it with another party before you can communicate with them over a secure connection Once you both have this key password you would both have to enter it into your respective IPSec compliant devices e g firewall and software client Using a pre shared key password for ...

Page 26: ... perform the standard VPN negotiations but in addition will issue a request for the proper password The person initiating the VPN connection request must then enter the proper password at their workstation before the connection will be made The Extended Authentication option is most useful if you have travelling employees that connect remotely to your network using laptop computers If a laptop com...

Page 27: ...N association Figure 2 5 VPN tunnel terminating on a virtual burb Terminating a VPN association in a virtual burb accomplishes two important goals Separation of VPN traffic from non VPN traffic Enforce a security policy that applies strictly to your VPN users By terminating the VPN in a virtual burb you effectively isolate the VPN traffic from non VPN traffic Plus you are able to configure a uniqu...

Page 28: ... One question that might come to mind when using a virtual burb is How does VPN traffic get to the virtual burb if it doesn t have a network card The answer is found in the way that a VPN security association is defined on the Sidewinder All VPN traffic originating from the Internet initially arrives in the Internet burb A VPN security association however can terminate VPN traffic in any burb on t...

Page 29: ... address pool One of the reasons for using client address pools is that they simplify the management of VPN clients They allow the firewall to manage certain configuration details on behalf of the client This enables a remote client to initiate a VPN connection even if the client has not preconfigured itself for the connection When using client address pool all the Soft PK client needs to initiate...

Page 30: ...om pool A might be granted access to cer tain networks that are off limits to clients from pool B You can allow or restrict access on a client basis This is done by assigning a specific IP address within a client address pool to a specific user By creating a network object for that IP address you can then use the network object in an ACL entry to allow or restrict the client s access to additional...

Page 31: ...onnections in your network IMPORTANT Perform these procedures before you configure your Soft PK clients This chapter addresses the following topics Enabling the VPN servers on page 3 2 Configuring ACL proxies entries for VPN connections on page 3 3 Managing Sidewinder self signed certs on page 3 4 Managing CA based certificates on page 3 9 Managing pre shared keys passwords on page 3 14 Configurin...

Page 32: ...d isakmp servers a Select Services Configuration Servers Control Figure 3 1 Services Configuration Servers Control b To enable a server select it from the Server Name list and click Enable c Click Apply 2 Configure the ISAKMP server a Select VPN Configuration ISAKMP Server Figure 3 2 VPN Configuration ISAKMP Server b In the Burbs to Listen on list column click the burb name associated with the Int...

Page 33: ... Enable Source burb Internet all source addresses Destination burb Internet burb external IP of Sidewinder Note 1 Ensure you have defined appropriate network objects groups To view the current network object configuration select Shortcut to Network Objects from the Source Destination tab Note 2 For details about configuring and managing network objects see Chapter 4 in the Sidewinder Administratio...

Page 34: ...certificate created on Sidewinder remains valid for one year beginning from the date it is created Creating exporting a firewall certificate Use the following procedure on Sidewinder to create and export a firewall self signed certificate that identifies the firewall The firewall certificate file with its embedded public key will reside on the Sidewinder and must eventually be imported by each Sof...

Page 35: ...or distribution to each remote Soft PK client You can do this using the mcopy command For example mcopy t filename a filename Field Setting Certificate Name Specify a name for the firewall certificate Distinguished Name Specify a set of data that identifies the firewall Use the following format cn ou o l st c where cn common name ou organizational unit o organization l locality st state c country ...

Page 36: ...key files are created for a unique client you must use Sidewinder s pkcs12_util command to combine each file pair into a PKCS12 formatted object Each PKCS12 formatted object must be distributed to the respective Soft PK client From the Sidewinder Cobra interface Note Do this from the local Sidewinder console not a remote Cobra interface 1 Select Services Configuration Certificate Management 2 Sele...

Page 37: ...as and contain no spaces In addition the order of the specified distinguished name fields must match the desired order to be listed in the certificate E Mail Address Domain Name IP Address Optional fields to identify information in addition to DN Submit to CA Select Self Signed Signature Type Select RSA GeneratedPrivate Key File Click Browse and specify where you want to save the private key assoc...

Page 38: ... the associated certificate file The following message appears Enter the name of the output PKCS12 object p12 9 Type the full path name of the object file that will be created by the utility Be sure to use a p12 extension on the file name The following message appears pkcs12 encryption password for public key it WILL be clear screen text 10 Type a password for this PKCS12 object You apply a passwo...

Page 39: ...efining a CA to use and obtaining the CA root cert To request a CA certificate for Sidewinder do the following from Cobra 1 Select Services Configuration Certificate Management and click the Certificates Authorities tab Click New Figure 3 5 Create New Certificate Authority window 2 In the New Certificate Authority window specify the name type and location of the CA 3 Click Add then click Close 4 C...

Page 40: ...ate you obtained for them Note You can have the user request the CA certificate from the CA using Soft PK You must provide the necessary CA information instructions to do so Requesting a certificate for the firewall To request a firewall certificate from a CA do the following 1 Select Services Configuration Certificate Management and click the Firewall Certificates tab Click New Figure 3 6 Create ...

Page 41: ...eld Setting Certificate Name Specify a name for the firewall certificate Distinguished Name Specify a set of data that identifies the firewall Use the following format cn ou o l st c where cn common name ou organizational unit o organization l locality st state c country IMPORTANT The syntax for this field is very important The above entries must be separated by commas and contain no spaces In add...

Page 42: ... needed in either of the following scenarios If you plan to direct remote users to request a remote certificate from the CA or If you plan to request remote certificates from the CA on behalf of the end user Use Table 3 1 as a template for defining this information Table 3 1 Client Distinguished Name DN information Distinguished Name fields Setting cn common name ou organizational unit Note Soft P...

Page 43: ...r VPN To define remote certificate identities on Sidewinder do the following 1 Select Services Configuration Certificate Management and click the Certificate Identities tab Click New Figure 3 7 Certificate Identities defined on the firewall 2 Specify an identify name and the Distinguished Name fields Note An asterisk can be used as a wildcard when defining the fields on this window Other special c...

Page 44: ...emplate in Sidewinder that matches all possible client identities used by the remote entities in your VPN To define remote certificate identities on Sidewinder use the same procedure as defined in Defining remote client identities in Sidewinder on page 3 13 IMPORTANT Be sure to specify Extended Authentication as described in the next section when configuring the VPN on the Sidewinder ...

Page 45: ... the name of this VPN association Encapsulation Select Tunnel This is the more popular form of VPN encapsulation Both the data and the source and destination IP addresses are encrypted within the encapsulated payload Mode Select either Dynamic IP Client or Dynamic IP Restricted Client the remote end is a device whose IP address is not fixed Example A salesperson that gains Internet access from a l...

Page 46: ... to the VPN If you selected Dynamic IP Restricted Client in the Mode field you will need to define one of the following mutually exclusive options Client Address Pool Determine if you want remote clients to be assigned only the IP addresses contained within one of the available client address pools If so use the dropdown list to select the client address pool you want to use With this option Sidew...

Page 47: ...ptions Table 3 2 Single Certificate self signed options The view changes depending upon the Authentication Method you select from the dropdown list Field Setting Firewall Certificate Select the certificate used to authenticate the key exchange Remote Certificate Select the certificate used on the remote end of the VPN from the list provided Firewall Identity Type Select the type of identity to use...

Page 48: ...irewall Certificate Select the certificate used to authenticate the key exchange Firewall Identity Type Select the type of identity to use when identifying the firewall to the remote client Value Contains the actual value used as the firewall identity This field cannot be edited Require Extended Authentication Enable this checkbox Remote Credentials tab Certificate Authorities Select the certifica...

Page 49: ...figure settings in the Crypto tab or Advanced tab windows For details about those settings refer toChapter 11 in the Sidewinder Administration Guide Field Setting General Enter Password Renter password Select the certificate used to authenticate the key exchange Require Extended Authentication Enable this checkbox Identities Firewall Identity Specify the identity to use when identifying the firewa...

Page 50: ...Configuring the VPN on the Sidewinder 3 20 Configuring Sidewinder for Soft PK Clients ...

Page 51: ...all your own copy of Soft PK and become familiar with the software before you deploy setup instructions and the Soft PK software to each end user This chapter addresses the following topics Soft PK installation notes on page 4 2 Starting Soft PK on page 4 3 Managing certificates on Soft PK on page 4 6 Configuring a security policy on the Soft PK on page 4 13 TIP Chapter 5 Deploying Soft PK to Your...

Page 52: ...he Soft PK CD If Autorun is disabled you can also run the setup exe program in the SoftPK directory For Windows NT or 2000 be sure to log in as Administrator or equivalent TIP When setting up remote installations you may elect to provide the installation Autorun setup exe program to your end users via other means for example provide a zip distribution or network based installation Note Soft PK may...

Page 53: ...e communications Both red and green means that the computer is transmitting both secure and unsecure data simultaneously on different channels Icon Description Grey Indicates Windows did not start the Soft PK service properly Red Indicates Soft PK is installed correctly no connection is established Red box Indicates a non secure connection established transmitting non secure communications Yellow ...

Page 54: ...o deactivate the Soft PK security policy right click on the Soft PK icon in the taskbar and toggle the Activate Deactivate Security Policy menu option When deactivated the option shows Activate Security Policy If you deactivate the security policy you must toggle this setting to reactivate Figure 4 3 shows the program options that are available when you launch the Soft PK user interface from the S...

Page 55: ...te Security Policy Editor The Security Policy Editor allows you to create connection policies and their associated proposals and list them in a hierarchical order that defines an IP data communications security policy Log Viewer The Log Viewer displays the communications log a diagnostic tool that lists the IKE negotiations that occur during the authentication phase Connection Monitor The Connecti...

Page 56: ...ollowing 1 If not already done create and export a firewall certificate See Creating exporting a firewall certificate on page 3 4 for details Note You must have the firewall certificate configured in the Soft PK system before you import the personal certificate 2 If not already done for each end user create and export a remote certificate and convert to PKCS12 See Creating exporting remote certifi...

Page 57: ...icate online 2 If not already done for each end user create and export a remote certificate See Requesting a personal certificate from a CA on user s behalf on page 4 8 for details 3 Provide instructions for importing the CA root certificate A copy of this procedure is provided in this chapter see Importing a CA root or self signed firewall certificate into Soft PK on page 4 9 and included in the ...

Page 58: ...rate before you are finished 8 Under Online Request Information enter or select these options a In the Challenge Phrase box enter any combination of numbers or letters you choose For security reasons only asterisks appear here b In the Confirm Challenge box enter the same phrase from the last step c From the Issuing CA list select a CA certificate 9 Click OK Certificate Manager now generates a pub...

Page 59: ...into their copy of Soft PK Importing certificate in Soft PK Use the following procedures to import certificates into the Soft PK system Note These procedures are summarized on the UserWorksheet doc file customize as needed for your end users Importing a CA root or self signed firewall certificate into Soft PK Use the following procedure to import a self signed firewall or CA root certificate into ...

Page 60: ... From the Files of type field select All Files and then navigate to display the files located on the diskette 6 Select the appropriate certname pem file and click Open The following window appears prompting you to confirm you want to import the selected certificate Figure 4 5 Verification window 7 Click Yes 8 Optional From the CA Certificates tab click View to see the information in the certificat...

Page 61: ...ect Certificate Manager 2 Click the My Certificates tab 3 Click Import Certificate Figure 4 7 My Certificates tab Import Certificate and private Key window 4 Insert the diskette containing the remote key certificate object file 5 From the Files of type field select All Files and then navigate to display the files located on the diskette 6 Select the appropriate filename p12 file and click Open The...

Page 62: ... user so they can later import this certificate file 8 Click Import A prompt appears to confirm you want to import the selected Personal Certificate Figure 4 9 Verification window 9 Click Yes 10 Optional From the My Certificates tab click View to see the information in the certificate Figure 4 10 Viewing the certificate ...

Page 63: ...tion configuration called Other Connections that controls traffic not covered by prior connection rules Setting up an Other Connections policy The remainder of this section describes the setup of a single connection policy under the Specified Connections scenario The connection settings you configure must coincide with configured settings capabilities on the Sidewinder VPN Gateway Note This proced...

Page 64: ...te Party Identity and Addressing fields Change the ID Type to IP Subnet Specify the Subnet and Mask of the trusted network 8 Specify the Sidewinder connection information a Enable the Connect using Secure Gateway Tunnel box b Specify the interface information If using shared password Specify set the ID Type to IP Address and enter the IP Address of the Sidewinder s internet interface If using digi...

Page 65: ...re 4 12 Soft PK Edit Distinguished Name window to specify Firewall public certificate 9 Select Security Policy and select the Phase 1 Negotiation Mode Figure 4 13 Soft PK Security Policy fields 10 Specify how the user will be identified to the Sidewinder Select My Identify Figure 4 14 Soft PK My Identity fields This is case sensitive make sure it matches the certificate exactly Use Main Mode for c...

Page 66: ...1 Proposal 1 Figure 4 15 Soft PK Authentication Phase 1 Proposal 1 fields a In Authentication Method field specify the method appropriate for your configuration For example use RSA Signatures if using only digital certificate authentication use RSA Signatures Extended Authentication if using digital certificate authentication and extended authentication b In Encryption and Data Integrity Algorithm...

Page 67: ...nel Encapsulation Do not use the Authentication Protocol AH This does not encrypt traffic 13 Optional Click Save to save the policy on this system IMPORTANT You can export a policy without saving it but the policy will then not be saved on the system on which it was configured 14 Select File Export a You will be prompted to protect your security policy Your end users will then not be able to chang...

Page 68: ...Configuring a security policy on the Soft PK 4 18 Installing and Working with Soft PK ...

Page 69: ...e Soft PK software digital certificate files and security policy to your end users It is based on a worksheet that you edit and send to each remote end user IMPORTANT This chapter assumes you have obtained the required certificates and have configured and saved a security policy This chapter addresses the following topics Overview on page 5 2 Customizing the user worksheet on page 5 4 ...

Page 70: ...nagement of corporate security policies for your end users and simplifies what the end user must do The Soft PK product CD provided by Secure Computing includes a file userworksheet doc in MS Word format that you can customize and send to users Figure 5 1 Sample userworksheet doc file contained on Soft PK product CD This worksheet contains five main sections that you should edit and save before di...

Page 71: ...t PK software Deployment item Notes Soft PK software program Soft PK setup exe file and supporting files Digital certificate files If deploying Sidewinder self signed certificates firewall certificate pem personal certificate with private key p12 If deploying CA based certificates CA root certificate pem personal certificate with private key pk IMPORTANT Personal certificates must be unique to eac...

Page 72: ...p dial up networking Delete or change this text as needed for your end user s particular environment Figure 5 2 Sample text for specifying dial up networking setup Specifying installation instructions Figure 5 3 shows the text in the initial UserWorksheet doc file that pertains to Soft PK installation instructions The default text covers basic installation one that installs only the Soft PK Change...

Page 73: ...tial UserWorksheet doc file that pertains to digital certificates The default text covers a basic instructions for importing certificate files from a disk you provide Change this text according to how you want users to set up digital certificates or delete if not using certificates Figure 5 4 Sample text for specifying certificate instructions if applicable ...

Page 74: ...ic instructions for importing a security policy from a disk you provide Change this text according to how you want users to set up the security policy Figure 5 5 Sample text for importing the security policy Specifying basic connection information Figure 5 6 shows the text in the initial UserWorksheet doc file that pertains to starting the VPN The default text covers basic activation of a security...

Page 75: ... diagnostic tool that lists the IKE negotiations that occur during the authentication phase This is a very useful tool when you cannot correctly establish a VPN connection However a good log viewer does not replace a carefully set up VPN security association Note The Log Viewer shows only ISAKMP and IKE messages it does not show audit messages for all traffic flow through the VPN To start the Log ...

Page 76: ...from the Start menu Figure A 2 Connection Monitor window Button Summary Clear Clears the communications log IMPORTANT You cannot retrieve this information once you clear it Freeze Freezes Unfreezes the communications log Because the communications log scrolls through IKE negotiations as they occur you may need to freeze the log in order to save or print specific messages Since this button acts as ...

Page 77: ...establish or has not been established yet A black mark moving beneath the key icon indicates that the client is processing secure IP traffic for that connection More about the Connection Monitor Global Statistics are not real time operations they are updated every five seconds Dropped Packets includes packets from connections that are configured as blocked Remote Modifier is either the remote part...

Page 78: ...der also performs auditing of certain system events which allows you to generate information on VPN connections Table A 1 shows some useful commands you can use to track VPN connections in real time mode and check VPN settings configuration Table A 1 Basic Sidewinder VPN troubleshooting commands Commands tcpdump npi ext_interface port 500 proto 50 To show IPSEC and ESP traffic arriving at the fire...

Page 79: ......

Page 80: ...er 86 0935037 A Software Version Soft PK 5 1 3 Build 4 and Sideiwnder 5 1 0 02 Product names used within are trademarks of their respective owners Copyright 2001 Secure Computing Corporation All rights reserved ...