Black Box ET0010A user manual


A good user manual

The rules require the retailer to supply the buyer, together with the goods, with the Black Box ET0010A user manual. The absence of the user manual, or incorrect information supplied to the consumer, is grounds for a complaint that the device does not conform to the contract. Under the law, the user manual may be supplied in a form other than paper, which is increasingly common nowadays, including a graphical or electronic version of the Black Box ET0010A manual or instructional videos for users. The requirement is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to arrange. The Black Box ET0010A user manual thus describes the steps of a procedure. The purpose of a user manual is to instruct, and to make it easier to start up and use the equipment or to carry out specific actions. The user manual is a collection of information about the item/service, a guide.

Unfortunately, few users take the time to read the user manual, yet a good manual not only lets you learn about a number of additional features of the device you bought, but also helps you avoid most failures.

So what should the perfect manual contain?

First of all, the Black Box ET0010A user manual should contain:
- information on the technical characteristics of the Black Box ET0010A device
- the manufacturer's name and the year of manufacture of the Black Box ET0010A
- instructions for use, adjustment and maintenance of the Black Box ET0010A equipment
- safety marks and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and of certainty about the specific functionality of the equipment purchased. Unfortunately, connecting and starting up the Black Box ET0010A is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (even the products that should be used), possible faults of the Black Box ET0010A and ways of solving common problems during use. Finally, the manual contains the contact details of the Black Box service department in case the proposed solutions prove ineffective. Nowadays user manuals in the form of engaging animations and instructional videos, which are better than a brochure, are very popular. This type of manual lets the user watch the whole instructional video without skipping the complicated specifications and technical descriptions of the Black Box ET0010A, as is often done with the paper version.

Why read the user manual?

First of all, it contains the answers on the structure and the capabilities of the Black Box ET0010A device, the use of various accessories and a range of information for taking full advantage of all its features and conveniences.

After a successful purchase of the equipment/device, take a moment to familiarize yourself with every part of the Black Box ET0010A user manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Table of contents of the user manual

  • Page 1

    BLACK BOX® EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight Enforcement Points. EncrypTight consists of a suite of tools that performs various task[...]

  • Page 2

    EncrypTight User Guide 3 Table of Contents Preface ... 13 About This Document ... 13 Conta[...]

  • Page 3

    4 EncrypTight User Guide Table of Contents Uninstalling EncrypTight Software ... 40 Starting EncrypTight ... 40 Exiting EncrypTig[...]

  • Page 4

    Table of Contents EncrypTight User Guide 5 Step 2: Prepare ETPM Status and Renew Keys ... 74 Step 3: Upgrade the EncrypTight Software ... 74 Step 4: Verify ETKMS Status and Deploy Policies ... [...]

  • Page 5

    6 EncrypTight User Guide Table of Contents Provisioning Large Numbers of Appliances ... 111 Creating a Configuration Template ... 112 Importing Configurations from a [...]

  • Page 6

    Table of Contents EncrypTight User Guide 7 Editing PEPs ... 151 Editing PEPs From ETEMS ... 151 Editing[...]

  • Page 7

    8 EncrypTight User Guide Table of Contents Adding a Multicast Policy ... 199 Adding a Point-to-point Policy ... 203 Adding Layer 4 Poli[...]

  • Page 8

    Table of Contents EncrypTight User Guide 9 ETKMS Log Files ... 241 PEP Log Files ... 242 ETKMS Troubleshooting T[...]

  • Page 9

    10 EncrypTight User Guide Table of Contents Changing the EncrypTight Keystore Password ... 266 Changing the ETKMS Keystore Password ... 266 Changing the Keystore Password on an ETKMS ...[...]

  • Page 10

    Table of Contents EncrypTight User Guide 11 Interface Configuration ... 301 Management Port Addressing ... 302 IPv4 Addressing [...]

  • Page 11

    12 EncrypTight User Guide Table of Contents Factory Defaults ... 339 Interfaces ... [...]

  • Page 12

    EncrypTight User Guide 13 Preface About This Document Purpose The EncrypTight User Guide provides detailed information on how to install, configure, and troubleshoot EncrypTight components: ETEMS, Policy Manager (ETPM), and Key Management System (ETKMS). It also contains information about configuring EncrypTight Enforcement Points (ETEPs) usi[...]

  • Page 13

    Preface 14 EncrypTight User Guide Contacting Black Box Technical Support Contact our FREE technical support, 24 hours a day, 7 days a week: Phone 724-746-5500 Fax 724-746-0746 e-mail info@blackbox.com Web site www.blackbox.com[...]

  • Page 14

    Part I EncrypTight Installation and Maintenance[...]

  • Page 15

    16 EncrypTight User Guide[...]

  • Page 16

    EncrypTight User Guide 17 1 EncrypTight Overview EncrypTight™ Policy and Key Manager is an innovative approach to network-wide encryption. EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight encryption appliances. EncrypTight consis[...]

  • Page 17

    EncrypTight Overview 18 EncrypTight User Guide multiple Policy Enforcement Points (PEPs) can use common keys, while a centralized platform assumes the function of renewing keys at pre-determined intervals. In this system, you use ETEMS to configure the PEPs, Policy Manager (ETPM) to create and manage policies, and Key Management System (ETKMS) t[...]

  • Page 18

    Distributed Key Topologies EncrypTight User Guide 19 Regardless of topology, PEPs are typically located at the point in the network where traffic is being sent to an untrusted network or coming from an untrusted network. As an example, Figure 2 shows a hub and spoke network secured with EncrypTight. Figure 2 PEPs in a Hub and Spoke network[...]

  • Page 19

    EncrypTight Overview 20 EncrypTight User Guide EncrypTight Element Management System The EncrypTight Element Management System (ETEMS) is the device management component of the EncrypTight software, allowing you to provision and manage multiple encryption appliances from a central location. It provides capabilities for appliance configurati[...]

  • Page 20

    Distributed Key Topologies EncrypTight User Guide 21 Figure 3 Single ETKMS for multiple sites Figure 4 illustrates an EncrypTight deployment using multiple ETKMSs. With large, complex networks that have hundreds of PEPs, you might want to use multiple ETKMSs. Each ETKMS distributes keys for the PEPs it controls. For example: ETKMS 1 distribu[...]

  • Page 21

    EncrypTight Overview 22 EncrypTight User Guide To securely transfer data between two PEPs over an untrusted network, both PEPs must share a key. One PEP uses the shared key to encrypt the data for transmission over the untrusted network, while the second PEP uses the same shared key to decrypt the data. Figure 5 illustrates the shared key concep[...]

  • Page 22

    Security within EncrypTight EncrypTight User Guide 23 Figure 6 Layer 2 Point-to-Point Deployment Use the Policy Manager (ETPM) and Key Management System (ETKMS) to create a Layer 3 point-to-point distributed key policy as one of several policies in a larger, more complex EncrypTight deployment. The ETEP’s variable speed feature is contro[...]

  • Page 23

    EncrypTight Overview 24 EncrypTight User Guide Secure Communications Between Devices Each node in the distributed key system, the EncrypTight management station, the ETKMSs, and the PEPs, communicate policy and status information with other nodes. Given the distributed nature of networks, much of this communication occurs across public network[...]

  • Page 24

    EncrypTight User Guide 25 2 EncrypTight Deployment Planning When deploying EncrypTight, you must plan the following: ● EncrypTight Component Connections ● Network Clock Synchronization ● IPv6 Address Support ● Certificate Support ● Network Addressing for IP Networks EncrypTight Component Connections EncrypTight can be managed in-li[...]

  • Page 25

    EncrypTight Deployment Planning 26 EncrypTight User Guide ● “Management Station Connections” on page 26 The EncrypTight software includes ETEMS for appliance configuration, ETPM for policy management, and a local ETKMS. The local ETKMS deploys keys and policies to all of the PEPs that it manages and checks the PEPs’ status. The managem[...]

  • Page 26

    EncrypTight Component Connections EncrypTight User Guide 27 This section describes the planning for the following connections: ● “ETPM and ETKMS on the Same Subnetwork” on page 27 ● “ETPM and ETKMS on Different Subnetworks” on page 27 ETPM and ETKMS on the Same Subnetwork When the ETPM is located on the same subnetwork as the exter[...]

  • Page 27

    EncrypTight Deployment Planning 28 EncrypTight User Guide Figure 8 In-line ETKMS management in an IP network ETPM and ETKMS in Layer 2 Ethernet Policies With Ethernet networks, you use Layer 2 PEPs. As with IP networks, when managing the ETPM and external ETKMS in-line the communications path between the devices must pass through one or more [...]

  • Page 28

    EncrypTight Component Connections EncrypTight User Guide 29 External ETKMS to ETKMS Connections ETKMSs must be able to communicate with each other in two situations: ● Backup ETKMSs are used for redundancy ● Multiple ETKMSs share policy information and keys to distribute to the PEPs that they control This section addresses the connections b[...]

  • Page 29

    EncrypTight Deployment Planning 30 EncrypTight User Guide Connecting Multiple ETKMSs in an IP Network Figure 10 shows two external ETKMSs located on different IP networks. Both ETKMSs are used as primary ETKMSs in a large, dispersed network. When the ETKMSs are managed in-line, the communications path between the devices must pass through one o[...]

  • Page 30

    EncrypTight Component Connections EncrypTight User Guide 31 Figure 11 Out-of-band management of ETKMSs located on different Ethernet networks ETKMS to PEP Connections The communications between the ETKMSs and the PEPs require a connection between the Ethernet ports on each ETKMS and the management port on each PEP. The ETKMS to PEP connections[...]

  • Page 31

    EncrypTight Deployment Planning 32 EncrypTight User Guide Figure 12 In-line ETKMS to PEP communications in IP networks ETKMS to PEP Connections in Ethernet Networks If the ETKMS and the PEP are located on the same subnetwork, the ETKMS to PEP interconnection is straightforward. For in-line management when the ETKMS and the PEP are located on dif[...]

  • Page 32

    Network Clock Synchronization EncrypTight User Guide 33 Network Clock Synchronization CAUTION Failure to synchronize the time of all EncrypTight components can result in a loss of packets or compromised security. EncrypTight requires that the clocks on all the system’s components be synchronized. If the clocks are not synchronized, communica[...]

  • Page 33

    EncrypTight Deployment Planning 34 EncrypTight User Guide IPv6 addresses are 128-bit addresses consisting of eight hexadecimal groups that are separated by colons, followed by an indication of the prefix length. Each group is a 4-digit hexadecimal number. The hexadecimal letters in IPv6 addresses are not case sensitive. The prefix length is a d[...]

  • Page 34

    Network Addressing for IP Networks EncrypTight User Guide 35 Another factor to consider if you plan to use certificates is the size of your EncrypTight deployment. Generating requests and installing certificates for a large number of appliances can take a considerable amount of time. Therefore, you need to plan for sufficient time to accompl[...]

  • Page 35

    EncrypTight Deployment Planning 36 EncrypTight User Guide Figure 14 Using remote IP and virtual IP addresses to obscure the source address of the original packet ETEP PEPs operate in transparent mode by default and no IP address is assigned to the local or remote ports. To use a remote port IP address or a virtual IP address, you need to disab[...]

  • Page 36

    EncrypTight User Guide 37 3 Installation and Configuration This section describes how to install and configure EncrypTight for the first time, including: ● Before You Start ● EncrypTight Software Installation ● Management Station Configuration ● Installing ETKMSs ● Configuring ETKMSs ● Policy Enforcement Point Configuration ● D[...]

  • Page 37

    Installation and Configuration 38 EncrypTight User Guide ● “Software Requirements” on page 38 ● “Firewall Ports” on page 39 Hardware Requirements EncrypTight software can be installed on a Windows PC or laptop. Software Requirements The third party software listed in Table 5 is used in conjunction with EncrypTight to manage E[...]

  • Page 38

    EncrypTight Software Installation EncrypTight User Guide 39 Firewall Ports In order for EncrypTight components to communicate, you need to make sure that any firewalls in your system are configured to allow the following protocols. EncrypTight Software Installation EncrypTight installation tasks are described in the following topics: ● [...]

  • Page 39

    Installation and Configuration 40 EncrypTight User Guide NOTE It is strongly recommended that you synchronize the workstation hosting the EncrypTight software with an NTP server either on your network or on the Internet. For EncrypTight to function properly, all of the elements of EncrypTight need to synchronize with NTP servers. Related topi[...]

  • Page 40

    Management Station Configuration EncrypTight User Guide 41 To start ETEMS: 1 From the Start menu, select All Programs > EncrypTight. 2 In the Login screen, enter the UserId admin and Password admin. Note that the userId and password are case sensitive. 3 Click Login. NOTE EncrypTight allows a maximum of three login attempts. Aft[...]

  • Page 41

    Installation and Configuration 42 EncrypTight User Guide Securing the Management Interface EncrypTight provides the methods listed in Table 7 for encrypted and unencrypted communications between the management PC and the appliance’s management port. Consider the following items before choosing a method for securing management communication[...]

  • Page 42

    Installing ETKMSs EncrypTight User Guide 43 Configuring the Syslog Server The EncrypTight appliance can be configured to send log messages and events to a syslog server on the management PC or other device. First, install the Kiwi Syslog Daemon as an application and follow the documentation provided with the product for initial configuration.[...]

  • Page 43

    Installation and Configuration 44 EncrypTight User Guide This section includes the following topics: ● “Basic Configuration for Local ETKMSs” on page 44 ● “Configuring External ETKMSs” on page 46 ● “Configuring Syslog Reporting on the ETKMSs” on page 54 Basic Configuration for Local ETKMSs The basic configuration of a local ET[...]

  • Page 44

    Configuring ETKMSs EncrypTight User Guide 45 To add a local ETKMS: 1 In the Appliance Manager, click File > New. 2 In the New Appliance editor, from the Product Family box, select ETKMS LM. 3 From the Software Version box, select the appropriate software version. 4 In the Appliance Name box, enter a name for this local ETKMS. 5 In [...]

  • Page 45

    Installation and Configuration 46 EncrypTight User Guide Changes to the local ETKMS configuration or EncrypTight software may necessitate changes to the batch file, as described in Table 9. Prior to configuring the batch file do the following: 1 Add an ETKMS LM in ETEMS (see “Adding a Local ETKMS” on page 44). 2 Launch the local ETKMS ([...]

  • Page 46

    Configuring ETKMSs EncrypTight User Guide 47 This section includes the following topics: ● “Logging Into the ETKMS” on page 47 ● “Changing the Admin Password” on page 47 ● “Changing the Root Password” on page 48 ● “Configure the Network Connection” on page 49 ● “Configure Time and Date Properties” on page 51 ● “[...]

  • Page 47

    Installation and Configuration 48 EncrypTight User Guide 6 Type exit to log out from the admin account. For example: Localhost login: admin Password: [admin@localhost ~] $ passwd (current) UNIX password: New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. [admin@localhost ~] exit Related topics: [...]

  • Page 48

    Configuring ETKMSs EncrypTight User Guide 49 Configure the Network Connection The eth0 connection is the network connection with a path to the management workstation running ETPM and to the PEPs’ management port. The eth1 connection is inactive and unavailable. Set the network connection as required by your network configuration, but it is r[...]

  • Page 49

    Installation and Configuration 50 EncrypTight User Guide IPv6 Setting up the network connections to use IPv6 addresses requires modifying several files. To configure the network interface: 1 Using a text editor of your choice, edit the file: /etc/sysconfig/network-scripts/ifcfg-eth0 2 To add an IPv6 address, add the following lines: IPV6[...]

  • Page 50

    Configuring ETKMSs EncrypTight User Guide 51 8 At the command line, restart the ETKMS service by typing service etkms restart and press Enter. Verify the IP address and hostname changes (see “Verify the IP Address and Hostname Changes” on page 49). NOTE ● Make a note of the eth0 IP address and the host name. You will need this inform[...]

  • Page 51

    Installation and Configuration 52 EncrypTight User Guide 2 Replace the defaults with your preferred time server. You can specify multiple time servers and use either IPv4 or IPv6 addresses. For example, the new section should look similar to the following: # Use public servers from the pool.ntp.org project. # Please consider joining the pool ([...]

  • Page 52

    Configuring ETKMSs EncrypTight User Guide 53 Related topics: ● “Configure the Network Connection” on page 49 ● “Check the Status of the Hardware Security Module” on page 53 ● “Starting and Stopping the ETKMS Service” on page 53 Check the Status of the Hardware Security Module A Hardware Security Module (HSM) for the ETKMS is a[...]

  • Page 53

    Installation and Configuration 54 EncrypTight User Guide Checking the Status of the ETKMS You should check that the ETKMS service is running before you proceed to use EncrypTight. To check the status of the ETKMS service: 1 At the command line, type: service etkms status Secure the Server with the Front Bezel The bezel prevents access to th[...]

  • Page 54

    Policy Enforcement Point Configuration EncrypTight User Guide 55 Replace x.x.x.x with the IP address or the hostname of the syslog server. 7 Save and close the file. 8 Shut down and restart the ETKMS: ● On external ETKMSs, restart the ETKMS service by typing: service etkms restart ● On local ETKMSs, close the command line window for the ETKM[...]

  • Page 55

    Installation and Configuration 56 EncrypTight User Guide Default User Accounts and Passwords Changing the default passwords for all of the EncrypTight components is an important step in maintaining the security of your network. This list is a reminder of the default passwords that you should change. For instructions on how to change the passwor[...]

  • Page 56

    Managing Licenses EncrypTight User Guide 57 Before you begin adding PEPs and using the EncrypTight software, contact Customer Support to acquire your license key (see “Contacting Black Box Technical Support” on page 14). You need to provide the EncrypTight ID. To view the EncrypTight ID, choose Edit > License. If you upgrade from[...]

  • Page 57

    Installation and Configuration 58 EncrypTight User Guide Upgrading Licenses When your needs change, you can easily upgrade the number of ETEPs that EncrypTight can manage and you can also upgrade your ETEPs to run at faster throughput speeds. This section includes the following topics: ● “Upgrading the EncrypTight License” on page 58 ● [...]

  • Page 58

    Next Steps EncrypTight User Guide 59 6 In ETPM, create your policies. 7 In ETPM, deploy the policies to the ETKMSs and PEPs.[...]

  • Page 59

    Installation and Configuration 60 EncrypTight User Guide[...]

  • Page 60

    EncrypTight User Guide 61 4 Managing EncrypTight Users This section includes the following topics: ● Working with EncrypTight User Accounts ● Configuring EncrypTight User Authentication ● Managing EncrypTight Accounts ● Changing an EncrypTight User Password ● How EncrypTight Users Work with ETEP Users Working with EncrypTight Us[...]

  • Page 61

    Managing EncrypTight Users 62 EncrypTight User Guide NOTE If EncrypTight is managing ETEP 1.4 and later appliances, we recommend creating a user account in EncrypTight that matches the user name and password that you plan to use on the ETEP appliances. See “How EncrypTight Users Work with ETEP Users” on page 67 for more information. Relat[...]

  • Page 62

    Configuring EncrypTight User Authentication EncrypTight User Guide 63 Figure 15 Login preferences To set login preferences: 1 From the Edit menu, click Preferences. 2 In the Preferences window, expand the ETEMS tree and click Login. 3 In the Login area, configure the preferences. The options are described in the rest of this section. 4 C[...]

  • Page 63

    Managing EncrypTight Users 64 EncrypTight User Guide ■ If your EncrypTight deployment includes ETEPs running software version 1.6 or later, entering a password is optional. ■ If your deployment includes ETEPs with software previous to 1.6, or other models of PEPs, you must enter a valid password. ● If user authentication is not enabled,[...]

  • Page 64

    Managing EncrypTight Accounts EncrypTight User Guide 65 Although the Login preferences are not saved, user data is preserved through an upgrade (user ID and password). If user authentication was disabled prior to the upgrade, it will be enabled in the new software version. You will be required to enter a user ID and password when starting Encry[...]

  • Page 65

    Managing EncrypTight Users 66 EncrypTight User Guide To add an EncrypTight user account: 1 From the Edit menu, click User Accounts. 2 In the User Accounts editor, click Add. 3 In the User dialog box, enter the user name, password, and select a group ID (admin or user). If Common Access Card Authentication is enabled, you also need to enter th[...]

  • Page 66

    How EncrypTight Users Work with ETEP Users EncrypTight User Guide 67 How EncrypTight Users Work with ETEP Users EncrypTight manages ETEP user accounts. In order for EncrypTight to communicate with the ETEP, it needs to know the ETEP’s user name and password. It will try to use the credentials that you used to log in to EncrypTight. If th[...]

  • Page 67

    Managing EncrypTight Users 68 EncrypTight User Guide 3 In EncrypTight, add a new ETEP appliance and refresh its status. Because EncrypTight and the ETEP are both using their default user names and passwords of admin/admin, EncrypTight can successfully contact the ETEP. 4 From EncrypTight, select the new ETEP and add a new appliance user with [...]

  • Page 68

    EncrypTight User Guide 69 5 Maintenance Tasks This section includes the following topics: ● Working with the EncrypTight Workspace ● Installing Software Updates ● Upgrading External ETKMSs Working with the EncrypTight Workspace The EncrypTight workspace contains all the elements that EncrypTight is managing, such as appliance confi[...]

  • Page 69

    Maintenance Tasks 70 EncrypTight User Guide CAUTION Appliance configurations and policy files are stored as .xml files. These files are not encrypted or password protected. They can be opened and edited using a basic text editor. Take precautions to protect these files from unauthorized access. EncrypTight allows you to save more than one wor[...]

  • Page 70

    Working with the EncrypTight Workspace EncrypTight User Guide 71 Figure 18 Saving one workspace to another Loading an Existing Workspace Reasons for loading an existing workspace are: ● To load a saved workspace on a new management station ● To restore a backup copy if the active workspace is damaged ● To revert to previous appliance[...]

  • Page 71

    Maintenance Tasks 72 EncrypTight User Guide 4 Refresh the appliances’ status. From the Edit menu click Select All, then click . Related topic: “Moving a Workspace to a New PC” on page 72 Moving a Workspace to a New PC To transfer your workspace to a new management PC, save the data folder to an interim location and then load it into the[...]

  • Page 72

    Installing Software Updates EncrypTight User Guide 73 Installing Software Updates Software updates for EncrypTight are available separately from the PEP software. You might need to update all of the components in your system, or only specific components. This procedure assumes that you are updating all of the components of EncrypTight. I[...]

  • Page 73

    Maintenance Tasks 74 EncrypTight User Guide You can schedule the upgrade for each PEP at a different time, depending on the rekey settings and data traffic requirements. Because a reboot is required, the upgrade of each PEP interrupts traffic through that PEP for several minutes. Step 2: Prepare ETPM Status and Renew Keys To prepare ETPM stat[...]

  • Page 74

    Installing Software Updates EncrypTight User Guide 75 To deploy policies: 1 Click Tools > Deploy to synchronize the EncrypTight components with the current policies. Note that this will interrupt traffic on the PEP briefly. Step 5: Upgrade PEP Software After you upgrade the ETKMSs and ETPM, you can upgrade the PEPs to a new software v[...]

  • Page 75

    Maintenance Tasks 76 EncrypTight User Guide CAUTION Software upgrades require a reboot to take effect. Rebooting the PEP interrupts data traffic for approximately two minutes. During this time all packets are discarded. To upgrade software on the PEPs: 1 From the EncrypTight Enforcement Point CD for the PEPs that you want to upgrade, copy[...]

  • Page 76

    Installing Software Updates EncrypTight User Guide 77 NOTE ● You must reboot the ETEP PEPs after you upgrade. If you make any configuration changes to the ETEP PEPs after you upgrade and before you reboot, those changes will be lost when the PEP reboots. ● If you decide later to undo the upgrade and restore a previous file system to the PE[...]

  • Page 77

    Maintenance Tasks 78 EncrypTight User Guide Step 7: Return Status Refresh and Key Renewal to Original Settings To return status refresh and key renewal to their original settings: 1 If you disabled the automatic status refresh in ETPM in “Step 2: Prepare ETPM Status and Renew Keys” on page 74, select Edit > Preferences and select ET[...]

  • Page 78

Upgrading External ETKMSs EncrypTight User Guide 79 To mount the CDROM drive: 1 Insert the disk in the drive and close it. 2 If it doesn’t already exist, create the directory /media/cdrom. mkdir /media/cdrom 3 Enter the following command: mount -t iso9660 /dev/scd0 /media/cdrom To install the new ETKMS software: 1 Install ETKMS RPM with the[...]

  • Page 79

    Maintenance Tasks 80 EncrypTight User Guide[...]

  • Page 80

Part II Working with Appliances using ETEMS[...]

  • Page 81

    82 EncrypTight User Guide[...]

  • Page 82

EncrypTight User Guide 83 6 Getting Started with ETEMS This section includes the following topics: ● ETEMS Quick Tour ● Understanding the ETEMS Workbench ● Understanding Roles ● Modifying Communication Preferences ETEMS Quick Tour ETEMS is the appliance management feature of EncrypTight. ETEMS provides the ability to provision and[...]

  • Page 83

Getting Started with ETEMS 84 EncrypTight User Guide the factory default configurations or define your own template for these common values (Edit > Default Configurations). Figure 20 Interface configuration for a new ET1000A appliance Pushing Configurations to Appliances Use the Put Configurations window to push the configurations defined[...]

  • Page 84

ETEMS Quick Tour EncrypTight User Guide 85 Upgrading Appliance Software New revisions of appliance software can be loaded on the appliances from an FTP server. Simply copy the new software to an FTP server, select the target appliances, and point to the FTP server site. Results for each appliance are displayed as they are upgraded. The new so[...]

  • Page 85

Getting Started with ETEMS 86 EncrypTight User Guide Figure 23 Compare the ETEMS configuration to the appliance to discover discrepancies Maintenance and Troubleshooting ETEMS includes tools for monitoring and maintaining EncrypTight appliances. Some of ETEMS’s capabilities include: ● Retrieving appliance log files ● Displaying perform[...]

  • Page 86

Understanding the ETEMS Workbench EncrypTight User Guide 87 Figure 24 Statistics view displays a snapshot of performance data on the ET0100A Policy and Certificate Support ETEMS’s policy feature is limited to the creation of point-to-point policies. For larger, more complex deployments use the Management and Policy Server (ETPM) to creat[...]

  • Page 87

Getting Started with ETEMS 88 EncrypTight User Guide Figure 25 Appliance Manager perspective Views Views display information about items that ETEMS manages, such as appliance configurations or certificates. When you start ETEMS, the Appliance Manager opens and displays the Appliances view. Initially the Appliances view is empty. After you ad[...]

  • Page 88

Understanding the ETEMS Workbench EncrypTight User Guide 89 ● You can open multiple appliance editors at the same time. The editors are stacked in a tabbed panel. Tabbed editor windows allow you to work on more than one appliance or switch to editors from add-on features. ● Editors can be stacked on top of other editors or positioned left [...]

  • Page 89

Getting Started with ETEMS 90 EncrypTight User Guide The Appliance Manager has its own toolbar that lets you minimize and maximize the view, and filter the appliances that are displayed. The Certificate Manager toolbar has buttons for generating, installing, and managing certificates. Mouse over each button to see a tool tip indicating its f[...]

  • Page 90

Understanding Roles EncrypTight User Guide 91 Understanding Roles EncrypTight and the EncrypTight appliances each have unique roles that control different aspects of the product. The following sections describe the roles and how they differ: ● “EncrypTight User Types” on page 91 ● “ETEP Appliance Roles” on page 91 EncrypTight User[...]

  • Page 91

Getting Started with ETEMS 92 EncrypTight User Guide deploying policies. ETEMS uses the Administrator user to log in to the appliance. The Administrator also has access to all of the CLI commands. ● The Ops user logs in to the appliance only through the CLI and has access to a subset of the CLI commands. To learn more about using ETEMS for ETE[...]

  • Page 92

Modifying Communication Preferences EncrypTight User Guide 93 3 In the Communications window, modify any of the communication preferences (see Table 24 and Table 25). 4 Do one of the following: ● Click Apply to set the new value. ● Click Restore Defaults to reset the timeout to the factory setting. 5 Click OK. Table 24 General c[...]

  • Page 93

Getting Started with ETEMS 94 EncrypTight User Guide Ignore CRL access failure When enabled, allows EncrypTight to set up communication with a component even when it cannot access the certificate revocation list (CRL) associated with the certificate presented by the component. This option is enabled by default. Note that if OCSP is enabled, t[...]

  • Page 94

EncrypTight User Guide 95 7 Provisioning Appliances This section includes the following topics: ● Provisioning Basics ● Appliance User Management ● Working with Default Configurations ● Provisioning Large Numbers of Appliances ● Shutting Down Appliances Provisioning Basics ETEMS is the appliance management component of the EncrypTi[...]

  • Page 95

Provisioning Appliances 96 EncrypTight User Guide ● “Pushing Configurations to Appliances” on page 97 ● “Working with Default Configurations” on page 110 ● “Provisioning Large Numbers of Appliances” on page 111 Adding a New Appliance Adding a new appliance in ETEMS is the first step in being able to manage it remotely. Conf[...]

  • Page 96

Provisioning Basics EncrypTight User Guide 97 ● “Provisioning Large Numbers of Appliances” on page 111 ● “Provisioning PEPs” on page 147 Saving an Appliance Configuration You can save an appliance configuration at any time during the configuration process. Appliance configurations are saved as part of the EncrypTight workspace. Un[...]

  • Page 97

Provisioning Appliances 98 EncrypTight User Guide 3 Optionally, for ETEP appliances with software version 1.6 and later, click Put Throughput License to install a license as part of the operation. You can also install a license separately from the Put Configuration operation. To learn more about licenses and throughput speeds, see “Managing [...]

  • Page 98

Provisioning Basics EncrypTight User Guide 99 Figure 27 Appliances view By default, automatic status refresh is disabled. You can refresh the status manually by selecting the target appliances and clicking the Refresh Status button. If you prefer, you can have ETEMS automatically poll the status of the appliances. If the appliance status i[...]

  • Page 99

Provisioning Appliances 100 EncrypTight User Guide Related topics: ● “Comparing Configurations” on page 100 ● “Filtering Appliances Based on Address” on page 101 Comparing Configurations When the ETEMS configuration differs from the appliance configuration, the appliance status is . ETEMS provides a side-by-side comparison so you ca[...]

  • Page 100

Provisioning Basics EncrypTight User Guide 101 Figure 28 Compare the ETEMS and appliance configurations To compare and update configurations: 1 In the Appliance Manager, select an appliance in the Appliances view. 2 In the Tools menu, click Compare Config to Appliance to see a comparison of the ETEMS and appliance configurations. The i[...]

  • Page 101

Provisioning Appliances 102 EncrypTight User Guide 3 To restore all appliances in the Appliances view, enter a single asterisk in the Filter Appliances window and then click OK. Rebooting Appliances Appliances must be rebooted for some configuration changes to take effect, and after installing a software update. Because rebooting interrupt[...]

  • Page 102

Appliance User Management EncrypTight User Guide 103 appliance that is available to that role. The ETEP can track appliance events based on user name, such as user account activity and policy deployments. The ETEP has two roles: Administrator and Ops. The Administrator manages the appliance using the EncrypTight software. The Administrator confi[...]

  • Page 103

Provisioning Appliances 104 EncrypTight User Guide User Name Conventions Follow the guidelines below when creating user names. These conventions apply regardless of the password strength policy. ● User names can range from 1-32 characters. ● Valid characters are alpha and numeric characters (a-z, 0-9), _ (underscore), and - (dash). ● Use[...]

  • Page 104

Appliance User Management EncrypTight User Guide 105 ● Do not use dictionary words. ETEMS does prevent the use of dictionary words, but a password containing a dictionary word will be rejected by the ETEP. In addition, the Administrator can place limits on the following: ● Password expiration period, expiration warning notification, and grac[...]

  • Page 105

Provisioning Appliances 106 EncrypTight User Guide Managing Appliance Users You can add, modify, and delete appliance users directly from ETEMS. You can update user accounts for a single appliance or for a group of appliances. When managing users, changes take effect immediately. There is no need to push the user data to the ETEP. Changing a[...]

  • Page 106

Appliance User Management EncrypTight User Guide 107 7 On appliances that are enforcing strong passwords, configure the password expiration settings as described in Table 32. 8 Click Apply to send the user credentials to the selected appliances. The change takes effect immediately. Figure 29 Adding a user to the ETEP using strong passwor[...]

  • Page 107

Provisioning Appliances 108 EncrypTight User Guide Related topics: ● “ETEP User Roles” on page 102 ● “User Name Conventions” on page 104 ● “Default Password Policy Conventions” on page 104 ● “Strong Password Policy Conventions” on page 104 ● “Using a Common Access Card” on page 294 ● “Password Strength Policy[...]

  • Page 108

Appliance User Management EncrypTight User Guide 109 To delete a user from the ETEP: 1 In the Appliance Manager, select the target appliances in the Appliances view. 2 On the Tools menu, click Appliance User > Delete User. 3 In the Delete Appliance User window, enter the user name that you wish to delete. 4 Click Apply. The user [...]

  • Page 109

Provisioning Appliances 110 EncrypTight User Guide Working with Default Configurations Each appliance requires a unique name and management port IP address, but many other settings will be the same across all appliances. ETEMS lets you define your own set of default settings to be used in all appliances of a particular model and software version[...]

  • Page 110

Provisioning Large Numbers of Appliances EncrypTight User Guide 111 4 Click OK. NOTE ETEMS will not save a default configuration that contains an error or an invalid entry. The OK button is disabled if an error is detected. ETEMS indicates the tab and the field that contains the error with . Restoring the ETEMS Default Configurations For eac[...]

  • Page 111

Provisioning Appliances 112 EncrypTight User Guide Related topics: ● “Creating a Configuration Template” on page 112 ● “Importing Configurations from a CSV File” on page 112 ● “Changing Configuration Import Preferences” on page 115 ● “Checking the Time on New Appliances” on page 116 Creating a Configuration Template A def[...]

  • Page 112

Provisioning Large Numbers of Appliances EncrypTight User Guide 113 specifies the document type, which ETEMS needs to successfully import the file. The pound symbol (#) indicates a comment line, and is ignored by ETEMS during the import operation. In the CSV file, commas are used to delineate one field from another. Figure 32 Import document[...]

  • Page 113

Provisioning Appliances 114 EncrypTight User Guide Figure 34 Put configurations and reboot appliances Related topics: ● “Importing Remote and Local Interface Addresses” on page 114 ● “Changing Configuration Import Preferences” on page 115 ● “Transparent Mode” on page 306 Importing Remote and Local Interface Addresses For ETEP[...]

  • Page 114

Provisioning Large Numbers of Appliances EncrypTight User Guide 115 Figure 35 CSV import examples with remote and local interface attributes When importing a configuration to a new ETEP appliance, specifying the remote and local interface automatically disables Transparent mode. If you are importing a configuration to an existing appliance on [...]

  • Page 115

Provisioning Appliances 116 EncrypTight User Guide Figure 36 Set the preference for importing configurations Checking the Time on New Appliances After importing configurations to ETEMS and pushing them to the appliances, refresh the appliance status. In the Appliances View check the date and time of the new appliances. If any of the new applia[...]

  • Page 116

EncrypTight User Guide 117 8 Managing Appliances This section includes the following topics: ● Editing Configurations ● Deleting Appliances ● Connecting Directly to an Appliance ● Upgrading Appliance Software ● Restoring the Backup File System Editing Configurations When modifying configurations, the following settings have their own un[...]

  • Page 117

Managing Appliances 118 EncrypTight User Guide Changing the Management IP Address ETEMS uses the appliance’s 10/100 Ethernet management port to communicate with the appliance. The management IP address in ETEMS must match the address of the appliance for successful communication. To keep the two configurations in sync you can make either o[...]

  • Page 118

Editing Configurations EncrypTight User Guide 119 Figure 37 Change Management IP window Related topics: ● “Changing the Address in ETEMS” on page 119 ● “Management Port Addressing” on page 302 ● “IPv6 Addressing” on page 304 Changing the Address in ETEMS If the management IP address has been changed directly on the appliance, yo[...]

  • Page 119

Managing Appliances 120 EncrypTight User Guide Figure 38 Operation failed message in response to management IP change Changing the Date and Time ETEMS can change the date and time on a single appliance or a group of appliances. On appliance models where the time zone cannot be configured (ETEP or a mix of appliance models), enter the date and tim[...]

  • Page 120

Editing Configurations EncrypTight User Guide 121 NOTE The SNTP client must be disabled on an appliance in order to change its date or time manually. If SNTP is enabled, the date and time change operation will fail. To change the date and time: 1 Make sure that the SNTP client is disabled on the target appliances. There are two ways to disab[...]

  • Page 121

Managing Appliances 122 EncrypTight User Guide ● SNTP client ● Software version ● Syslog servers Other settings that can be edited on multiple appliances are date and time, and password. These settings do not use the multiple configurations editor: they have their own unique editors, which are accessed from the Edit menu. The multiple con[...]

  • Page 122

Connecting Directly to an Appliance EncrypTight User Guide 123 To delete appliances: 1 In the Appliance Manager, select the appliances to delete in the Appliances view. 2 On the Edit menu, click Delete. A confirmation message displays. 3 Click OK to confirm the selection and delete the selected appliances. Connecting Directly to an A[...]

  • Page 123

Managing Appliances 124 EncrypTight User Guide The amount of time it takes to complete a software upgrade depends on the appliance model and speed of the link. The upgrade time increases proportionately to the decrease in the link speed. If software is not successfully loaded to any particular appliance in a predefined time frame, the connectio[...]

  • Page 124

Upgrading Appliance Software EncrypTight User Guide 125 Figure 41 Upgrade software on multiple appliances from a central location CAUTION Appliances must be rebooted for the new software to take effect. Rebooting an appliance interrupts traffic on the data ports for several minutes. During the reboot operation all packets are discarded. CAUTIO[...]

  • Page 125

Managing Appliances 126 EncrypTight User Guide 6 Click Upgrade. ETEMS confirms that the FTP site is reachable before it begins the upgrade operation. Upgrade results for each appliance are displayed in the Result column of the Upgrade Appliances table. 7 Upgrading the software version on the appliance does not automatically update the ETEMS c[...]

  • Page 126

Restoring the Backup File System EncrypTight User Guide 127 Canceling an Upgrade To cancel a software upgrade that is underway for a series of appliances, click Cancel. Appliance upgrades that are in progress will complete their upgrades but no additional upgrades will be initiated. The upgraded appliances will reboot if you selected Reboot a[...]

  • Page 127

Managing Appliances 128 EncrypTight User Guide Review the following recommendations and cautions prior to restoring the file system: ● Make sure that you know the passwords used in the backup configuration. Once the backup image is restored on the appliance, you must use the passwords from the backup configuration to log in. ● After res[...]

  • Page 128

    Part III Using ETPM to Create Distributed Key Policies[...]

  • Page 129

    130 EncrypTight User Guide[...]

  • Page 130

EncrypTight User Guide 131 9 Getting Started with ETPM The Policy Manager (ETPM) is the security policy management component of EncrypTight. You use ETPM to create and manage distributed key policies that you send to the Key Management System (ETKMS). The ETKMS generates the keys and distributes the keys and policies to the PEPs. This sect[...]

  • Page 131

Getting Started with ETPM 132 EncrypTight User Guide ● Editors are used to add and modify EncrypTight components and policies. ● Policy view is used to view and add policies. Related topics: ● “EncrypTight Components View” on page 133 ● “Editors” on page 134 ● “Policy View” on page 135 ● “ETPM Toolbar” on page 13[...]

  • Page 132

About the ETPM User Interface EncrypTight User Guide 133 EncrypTight Components View The EncrypTight Components view lets you configure the network components used to create a policy. Figure 43 EncrypTight Components view EncrypTight components are the building blocks used to construct a policy. Layer 3 IP policy components are: ● PE[...]

  • Page 133

Getting Started with ETPM 134 EncrypTight User Guide Editors Editors allow you to add or change EncrypTight components and policies. When you first start ETPM, no editors are open. To open an editor, double-click a component or policy, or right-click and select Add Element or Edit in the EncrypTight Components view. You can open multiple[...]

  • Page 134

About the ETPM User Interface EncrypTight User Guide 135 Policy View The Policy view allows you to view, add, and edit policies. Figure 45 Policy view The Policy view lists the policies in an expandable tree structure. You can use the Policy view to add a new policy, edit a policy, and edit or remove any component in a policy. You can exp[...]

  • Page 135

Getting Started with ETPM 136 EncrypTight User Guide NOTE The status indicators displayed in the ETPM Policy view change only after you click Deploy policies, Renew keys, or Refresh Status. The status indicators displayed in the ETEMS Appliance Manager change only after you click Refresh Status or Reload Policies from the Appliance Manager, and[...]

  • Page 136

About the ETPM User Interface EncrypTight User Guide 137 ETPM Toolbar The ETPM toolbar provides shortcuts to frequently performed tasks. ETPM Status Refresh Interval By default, automatic status refresh is disabled. You can refresh the status manually by clicking the Refresh Status button. If you prefer, you can have ETPM automatically chec[...]

  • Page 137

Getting Started with ETPM 138 EncrypTight User Guide About ETPM Policies A policy specifies what traffic to protect and how to protect it. Each packet or frame is inspected by the PEP and processed based on the filtering criteria specified in the policy. Each policy specifies: ● The PEPs to be used ● The ETKMSs to be used ● The networks the[...]

  • Page 138

Policy Generation and Distribution EncrypTight User Guide 139 ● ETKMSs distribute the keys and policies to the PEPs ● VLAN ID ranges enable filtering based on VLAN ID tags (optional) NOTE If you do not include a VLAN ID or range in the policy, all Ethernet traffic is selected for enforcement. Policy Generation and Distribution This section [...]

  • Page 139

Getting Started with ETPM 140 EncrypTight User Guide Figure 48 Key generation with one ETKMS In this scenario, you could use either a local ETKMS or an external ETKMS. The ETKMS generates and sends the same shared key to the PEP encrypting the outbound data and the PEP decrypting the inbound data. Each PEP needs a unique key to encrypt outbound [...]

  • Page 140

Creating a Policy: An Overview EncrypTight User Guide 141 Figure 49 Key generation with multiple ETKMSs The ETKMS generating the key for a PEP’s outbound data shares the key with the ETKMSs that control the PEPs that decrypt the data. In Figure 49, ETKMS 1 controls PEP A and is responsible for generating Shared Key 2. ETKMS 2 controls PEP [...]

  • Page 141

Getting Started with ETPM 142 EncrypTight User Guide Figure 50 Sample point-to-point IP policy Figure 50 illustrates an EncrypTight deployment with two networks. This example demonstrates how to create a point-to-point policy to encrypt the traffic sent between the two networks over the untrusted network. To create a policy, the general ste[...]

  • Page 142

Creating a Policy: An Overview EncrypTight User Guide 143 To create a policy: 1 In the ETEMS Appliance Manager, add PEP A and PEP B (File > New Appliance). In the sample illustrated in Figure 50, the management port of PEP A has the IP address 192.168.11.69 and the management port of PEP B has the IP address 192.168.11.224. To use an [...]

  • Page 143

Getting Started with ETPM 144 EncrypTight User Guide 3 In the Appliance Manager, add and configure ETKMS 1 (File > New Appliance). In the sample illustrated in Figure 50, ETKMS 1 has the IP address 192.168.1.33 and does not have a backup ETKMS. 4 In the Appliances view, select ETKMS 1 and click Refresh Status. For more information, see[...]

  • Page 144

Creating a Policy: An Overview EncrypTight User Guide 145 7 Click the Network Sets tab and in the editor, add Network Set A and Network Set B. In the sample illustrated in Figure 50, Network Set A includes Network A and PEP A, and uses ETKMS 1. Network Set B includes Network B and PEP B, and uses ETKMS 1. For more information about Network Set[...]

  • Page 145

Getting Started with ETPM 146 EncrypTight User Guide 9 Click the New Point-to-Point Policy editor and configure a point-to-point IPSec policy using the components you created in the preceding steps. See “Adding Layer 3 IP Policies” on page 191 for more information. To create a policy for the sample illustrated in Figure 50, click and drag[...]

  • Page 146

EncrypTight User Guide 147 10 Managing Policy Enforcement Points Policy Enforcement Points (PEPs) enforce the policies created in ETPM and distributed by the ETKMSs. EncrypTight Policy Enforcement Points (ETEP PEPs) include: ● ET0010A ● ET0100A ● ET1000A This section includes the following topics: ● Provisioning PEPs ● Editing PEPs [...]

  • Page 147

Managing Policy Enforcement Points 148 EncrypTight User Guide network sets in Layer 3 IP policies. L2 PEPs can be used in Layer 2 Ethernet policies. You can sort the list of PEPs by type or name by clicking the column header (SG or Name). When ETEMS communicates with a PEP, it verifies that its hardware and software configuration is valid. PEPs[...]

  • Page 148

Provisioning PEPs EncrypTight User Guide 149 NOTE ● For more information about PEP configuration options, see the chapter for the PEP model that you are using. ● Although you can create networks and other elements in ETPM, no ETPM data is saved until you add at least one PEP in the ETEMS Appliance Manager. ● If you reprovision a PEP that [...]

  • Page 149

Managing Policy Enforcement Points 150 EncrypTight User Guide Adding a New PEP Using ETPM Normally, you should add PEPs using the ETEMS Appliance Manager; however, it is possible to add PEPs from ETPM. Keep in mind that you will have to use ETEMS to push the configurations to the PEPs. To add a new PEP using ETPM: 1 From the EncrypTight Compo[...]

  • Page 150

Editing PEPs EncrypTight User Guide 151 Pushing the Configuration After you define the PEP configurations, push the configurations from ETEMS to the targeted PEPs. To push ETEMS configurations to PEPs: 1 In the ETEMS Appliances view, select the target PEPs. 2 On the Tools menu, click Put Configurations. 3 Some appliance models must be reb[...]

  • Page 151

Managing Policy Enforcement Points 152 EncrypTight User Guide If you changed the PEP’s Appliance name in ETEMS, redeploy your policies. If you don’t redeploy, the renamed PEP will issue an error message after every key refresh. Related topic: ● “Pushing Configurations to Appliances” on page 97 Editing Multiple PEPs Changing the conf[...]

  • Page 152

Deleting PEPs EncrypTight User Guide 153 Changing the IP Address of a PEP Occasionally, you might need to change the IP address on a PEP. For example, you might need to move a PEP from one location in your network to another. This could require that you change the management IP address of the PEP. Although you can edit the IP address of a PEP i[...]

  • Page 153

Managing Policy Enforcement Points 154 EncrypTight User Guide To delete PEPs: 1 In the Appliances view in ETEMS, select the PEPs to delete. 2 On the Edit menu, click Delete. A confirmation message displays. 3 Click OK. 4 From ETPM, click Deploy.[...]

  • Page 154

EncrypTight User Guide 155 11 Managing Key Management Systems Based on the policies received from the ETPM, the Key Management Systems (ETKMSs) generate and distribute the keys along with the policies to the Policy Enforcement Points (PEPs). You must use the ETEMS Appliance Manager to add, edit, and delete ETKMSs. This section includes the follo[...]

  • Page 155

Managing Key Management Systems 156 EncrypTight User Guide In order to ensure network resiliency, some EncrypTight configurations may have external ETKMSs installed in pairs: a primary ETKMS and a backup ETKMS. The ETPM distributes the policies to both the primary ETKMS and backup ETKMS. Only the primary ETKMS distributes the keys and polici[...]

  • Page 156

Editing ETKMSs EncrypTight User Guide 157 4 Click Save when complete. Editing ETKMSs If you change the name or the IP address of a local ETKMS, stop the local ETKMS software and restart it for the changes to take effect (see “Launching and Stopping a Local ETKMS” on page 45). For external ETKMSs, stop and restart the ETKMS service (see [...]

  • Page 157

Managing Key Management Systems 158 EncrypTight User Guide CAUTION Do not delete any ETKMSs currently used by any network sets or policies. Before you delete an ETKMS, modify any network sets and policies using that ETKMS to use another ETKMS. If you delete an ETKMS that is currently used in a policy or a network set, you can create configuration [...]

  • Page 158

EncrypTight User Guide 159 12 Managing IP Networks In EncrypTight, networks are the IP networks that you want to protect. One or more of these networks are combined with one or more PEPs to make a network set. Network sets are treated as a single network entity within IP policies. Networks are added, modified, and deleted using the networks tab[...]

  • Page 159

Managing IP Networks 160 EncrypTight User Guide To add a network: 1 From the EncrypTight Components view, click the Networks tab. The Networks tab lists all of the networks that have been added. You can sort the list of networks by IP address or network mask by clicking a column header. 2 Right-click anywhere in the Networks tab and clic[...]

  • Page 160

Advanced Uses for Networks in Policies EncrypTight User Guide 161 clear. ETPM accepts non-contiguous network masks, which allow you to create policies between particular addresses in your network. For example, a network of 10.0.0.1 with a mask of 255.0.0.255 allows all devices with an IP address of 10.x.x.1 to be managed by a particular policy.[...]

  • Page 161

Managing IP Networks 162 EncrypTight User Guide Figure 56 Two networks with contiguous addressing defined as a supernet If you group the two networks into a supernet and the policy encrypts traffic between these two networks and five other networks, the PEP for this network set would contain only five SAs and keys for each direction, instead o[...]

  • Page 162

Advanced Uses for Networks in Policies EncrypTight User Guide 163 Figure 57 Networks with non-contiguous network masks are used in a bypass policy that encompasses all the x.x.x.1 and x.x.x.129 addresses Defining networks with non-contiguous masks allows you to create a single bypass policy that encompasses all the .1 and .129 addresses, enabl[...]

  • Page 163
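An added example, not code from the EncrypTight User Guide: it applies a network definition with a possibly non-contiguous mask (as the guide says ETPM accepts) so you can check which addresses a policy or bypass rule would select before deploying it. The 10.0.0.1 / 255.0.0.255 case comes from the guide; expressing the .1 and .129 bypass case of Figure 57 as network 0.0.0.1 with mask 0.0.0.127 is my own assumption, and the address list is constructed for the demonstration.

```python
"""Check which IPv4 addresses a (network, mask) definition selects.

Standard prefix masks (255.255.255.0) and non-contiguous masks
(255.0.0.255) are both handled with the same bitwise test: an address
is selected when its masked bits equal the network's masked bits.
"""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer; raises on malformed input."""
    return int(ipaddress.IPv4Address(dotted))


def matches(addr: str, network: str, mask: str) -> bool:
    """True if addr falls inside the definition; mask may be non-contiguous."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(network) & m)


def is_contiguous(mask: str) -> bool:
    """True for an ordinary prefix mask (all ones followed by all zeros)."""
    inverted = (~to_int(mask)) & 0xFFFFFFFF
    # A prefix mask inverts to 2^k - 1, which has no bits in common with 2^k.
    return (inverted & (inverted + 1)) == 0


def selected_count(mask: str) -> int:
    """Number of addresses a definition with this mask selects (2^zero bits)."""
    return 2 ** (32 - bin(to_int(mask)).count("1"))


def select(addresses, network: str, mask: str):
    """Filter a list of addresses down to those the definition selects."""
    return [a for a in addresses if matches(a, network, mask)]


# Constructed sample of host addresses as an operator might inventory them.
SAMPLE_HOSTS = [
    "10.5.7.1", "10.5.7.2", "11.5.7.1",
    "192.168.1.1", "192.168.1.129", "192.168.1.130", "172.16.9.1",
]

# Guide's example: all 10.x.x.1 hosts.
GUIDE_NET, GUIDE_MASK = "10.0.0.1", "255.0.0.255"
# Assumed encoding of the Figure 57 bypass case (.1 and .129 in any net):
# 129 = 0b10000001, so masking with 127 (0b01111111) leaves 1, same as .1.
BYPASS_NET, BYPASS_MASK = "0.0.0.1", "0.0.0.127"


def main() -> None:
    for net, mask in ((GUIDE_NET, GUIDE_MASK), (BYPASS_NET, BYPASS_MASK)):
        kind = "contiguous" if is_contiguous(mask) else "non-contiguous"
        print(f"{net} / {mask} ({kind}, {selected_count(mask)} addresses):")
        for host in select(SAMPLE_HOSTS, net, mask):
            print("  selects", host)


if __name__ == "__main__":
    main()
```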

Managing IP Networks 164 EncrypTight User Guide Editing Networks To edit an existing network: 1 In the EncrypTight Components view, click the Networks tab. 2 Right-click the desired network, click Edit. 3 Change the entries of the desired fields in the editor. Table 41 on page 160 describes the entries on the network editor. 4 Click Sav[...]

  • Page 164

Deleting Networks EncrypTight User Guide 165 To delete a network: 1 In the EncrypTight Components view, click the Networks tab. 2 Right-click the desired Network and click Delete. 3 Click OK on the Permanently Delete an Element Window.[...]

  • Page 165

    Managing IP Networks 166 EncrypTight User Guide[...]

  • Page 166

EncrypTight User Guide 167 13 Managing Network Sets A network set is a collection of IP networks, the associated PEPs, and a default ETKMS. A network set is treated as a single entity in a policy. This section includes the following topics: ● Types of Network Sets ● Adding a Network Set ● Importing Networks and Network Sets ● Editin[...]

  • Page 167

Managing Network Sets 168 EncrypTight User Guide Types of Network Sets The following examples illustrate the different types of network sets: ● Subnet ● Load balanced network ● Collection of networks ● A network set that does not contain any PEPs Figure 59 Network set for a subnet Figure 59 illustrates a network set consisting of a s[...]

  • Page 168

Types of Network Sets EncrypTight User Guide 169 Figure 61 Network set for a collection of networks Figure 61 illustrates a network set comprised of two networks and two PEPs. In ETPM, this network set includes both PEP 1 and PEP 2, and both network IP addresses and masks. Figure 62 Network set that does not include a PEP A network set does not [...]

  • Page 169

Managing Network Sets 170 EncrypTight User Guide Adding a Network Set To add a Network Set: 1 In the EncrypTight Components view, click the Network Sets tab. The Network Sets view lists the network sets added previously. You can sort the list of network sets by clicking the Network Name column header. 2 Right-click anywhere in the Network [...]

  • Page 170

    Adding a Network Set EncrypTight User Guide 171 Key Management System Select the desired Key Management System from the Default ETKMS list. You must select a ETKMS even if the network set does not include a PEP. If you create a policy that includes a network set that does not have a ETKMS, you will not be able to deploy that policy. Network Ad[...]

  • Page 171

    Managing Network Sets 172 EncrypTight User Guide Figure 63 Network Set editor Importing Networks and Network Sets If you need to work with a large number of networks and network sets, you can save time by importing the data into ETPM. You can create a CSV file that lists the networks and network sets that you need and import the file. The d[...]

  • Page 172

    Importing Networks and Network Sets EncrypTight User Guide 173 line and is ignored by ETPM during the import operation. In the CSV file, commas are used to delineate one field or item from the next. The format of the CSV file is as follows: Version 1.0 network,<networkid>,<ip address>,<mask> networkSet,<name>,<e[...]

  • Page 173

    Managing Network Sets 174 EncrypTight User Guide To import networks and network sets into ETPM: 1 Create a CSV file that identifies the networks and network sets. 2 In ETPM, choose File > Import Networks, select the CSV file and click OK. If ETPM detects an error in the CSV file, none of the networks or network sets are imported. ETPM displ[...]

  • Page 174

    Deleting a Network Set EncrypTight User Guide 175 CAUTION Prior to deleting a network set, modify any policies using that network set to use another network set. If you delete a network set that is currently used in a policy, you can create configuration errors that might prevent you from deploying your policies. In this case, check the Poli[...]

  • Page 175

    Managing Network Sets 176 EncrypTight User Guide[...]

  • Page 176

    EncrypTight User Guide 177 14 Creating VLAN ID Ranges for Layer 2 Networks If the network uses VLAN ID tags, you have the option of creating policies that select traffic with specific VLAN ID tags or within a range of VLAN ID tags. If you do not include VLAN ID tags in a new Layer 2 policy, the policy is applied to all network traffic. VLAN ID[...]

  • Page 177

    Creating VLAN ID Ranges for Layer 2 Networks 178 EncrypTight User Guide 2 Right-click anywhere in the VLAN Ranges view and then click Add new Element. 3 Create the VLAN range in the editor as described in Table 45. 4 Click Save when complete. NOTE VLAN ranges are not supported on ETEP PEPs. If you enter a range, the ETEP uses only the lo[...]

  • Page 178

    Editing a VLAN ID Range EncrypTight User Guide 179 Editing a VLAN ID Range To edit a VLAN ID range: 1 In the EncrypTight Components view, click the VLAN Ranges tab. 2 Right-click the desired VLAN ID range and click Edit. 3 Change the entries of the desired fields in the editor. Table 45 on page 178 describes the entries on the VLAN Range ed[...]

  • Page 179

    Creating VLAN ID Ranges for Layer 2 Networks 180 EncrypTight User Guide 3 Click OK.[...]

  • Page 180

    EncrypTight User Guide 181 15 Creating Distributed Key Policies From the Policy view, you can add, modify, and delete policies for Layer 3/Layer 4 IP networks and Layer 2 Ethernet networks. This section includes the following topics: ● Policy Concepts ● Adding Layer 2 Ethernet Policies ● Adding Layer 3 IP Policies ● Adding Layer 4 Poli[...]

  • Page 181

    Creating Distributed Key Policies 182 EncrypTight User Guide ● “Key Generation and ETKMSs” on page 185 ● “Addressing Mode” on page 185 ● “Using Encrypt All Policies with Exceptions” on page 185 ● “Policy Size and ETEP Operational Limits” on page 186 ● “Minimizing Policy Size” on page 187 Policy Priority You can as[...]

  • Page 182

    Policy Concepts EncrypTight User Guide 183 TIP Network connectivity problems can prevent new keys from being distributed to the PEPs before the old keys expire. If you experience problems of this nature, see “Solving Network Connectivity Problems” on page 248 for suggested workarounds to prevent interruptions. Policy Types and Encryption Met[...]

  • Page 183

    Creating Distributed Key Policies 184 EncrypTight User Guide Figure 69 Data payload encryption Encryption and Authentication Algorithms For Layer 3 IP policies, you can specify the encryption and authentication algorithms that you want to use. The encryption algorithms include the Advanced Encryption Standard (AES) and Triple Data Encryption [...]

  • Page 184

    Policy Concepts EncrypTight User Guide 185 Key Generation and ETKMSs With multicast IP policies and Layer 2 Ethernet policies, you choose a single ETKMS to generate and distribute the keys. With point-to-point, hub and spoke, and mesh IP policies there are two options for specifying which ETKMSs generate and distribute keys. ● By Network Se[...]

  • Page 185

    Creating Distributed Key Policies 186 EncrypTight User Guide 1 Create a policy to encrypt all data to and from all networks. Assign this policy a relatively low priority to ensure that any missed data will at least pass encrypted. 2 Design a pass in the clear policy and a drop policy with higher priorities. Table 46 illustrates policies for a m[...]

  • Page 186

    Policy Concepts EncrypTight User Guide 187 Minimizing Policy Size Using EncrypTight with large, complex networks with multiple subnets protected by separate PEPs can result in a large number of SAs on each PEP. The increased management traffic for renewing keys and refreshing policy lifetimes could adversely affect the performance of EncrypTi[...]

  • Page 187

    Creating Distributed Key Policies 188 EncrypTight User Guide Adding Layer 2 Ethernet Policies For Layer 2 Ethernet networks, policies can be created for mesh networks. In a mesh network, any network or network set can send or receive data from any other network or network set. Figure 70 Mesh network example The PEP for each network in Figure 70 en[...]

  • Page 188

    Adding Layer 2 Ethernet Policies EncrypTight User Guide 189 4 Click Save when complete. Table 47 Layer 2 Mesh policy entries Field Description Name Enter a unique name to identify the policy. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid. The special characters <, >, &, ,“ *, ?, /, , : a[...]

  • Page 189

    Creating Distributed Key Policies 190 EncrypTight User Guide Figure 71 Layer 2 Mesh policy editor NOTE If you need to encrypt or pass in the clear specific routing protocols, consider also creating local site policies. Local site policies allow you to create locally configured policies using CLI commands, without requiring an EncrypTight ETKMS[...]

  • Page 190

    Adding Layer 3 IP Policies EncrypTight User Guide 191 Adding Layer 3 IP Policies An IP policy can be created for hub and spoke, mesh, multicast, and point-to-point networks. ● Adding a Hub and Spoke Policy ● Adding a Mesh Policy ● Adding a Multicast Policy ● Adding a Point-to-point Policy Adding a Hub and Spoke Policy In a hub and spoke [...]

  • Page 191

    Creating Distributed Key Policies 192 EncrypTight User Guide To add a new hub and spoke policy: 1 In the Policy view, right-click anywhere in the view and click Add Hub and Spoke Policy. 2 Double click the new policy name added to the policy list. 3 Create the policy in the Hub and Spoke Policy editor described in Table 48. The policy ed[...]

  • Page 192

    Adding Layer 3 IP Policies EncrypTight User Guide 193 IPSec Specifies the encryption and authentication algorithms used in an IPSec policy. Select the encryption algorithm from the Encryption Algorithms list: • AES - Advanced Encryption Standard (default) • 3DES - a more secure variant of Data Encryption Standard Select the authenticatio[...]

  • Page 193

    Creating Distributed Key Policies 194 EncrypTight User Guide Figure 73 Hub and spoke policy editor[...]

  • Page 194

    Adding Layer 3 IP Policies EncrypTight User Guide 195 Adding a Mesh Policy In a mesh network, any network or network set can send or receive data from any other network or network set. Figure 74 Mesh network example The PEP for each network in Figure 74 encrypts data sent to networks A, B, C, or D and decrypts data from networks A, B, C, or D. Whe[...]

  • Page 195

    Creating Distributed Key Policies 196 EncrypTight User Guide Table 49 Mesh policy entries Field Description Name Enter a unique name to identify the policy. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid. The special characters <, >, &, “ *, ?, /, , : and | cannot be used in the policy name.[...]

  • Page 196

    Adding Layer 3 IP Policies EncrypTight User Guide 197 Addressing Mode Override Overrides the Network addressing setting for the network sets. • Preserve internal network addresses - This setting overrides the network set’s network addressing mode and preserves the network addressing of the protected networks. The IP header contains the sou[...]

  • Page 197

    Creating Distributed Key Policies 198 EncrypTight User Guide Figure 75 Mesh policy editor[...]

  • Page 198

    Adding Layer 3 IP Policies EncrypTight User Guide 199 Adding a Multicast Policy In a multicast network, one or more networks send unidirectional streams to multiple destination networks. The multicast routers detect the multicast transmission, determine which nodes have joined the multicast network as destination networks and duplicate the p[...]

  • Page 199

    Creating Distributed Key Policies 200 EncrypTight User Guide To add a multicast policy: 1 In the Policy view, right-click anywhere in the view and click Add Multicast Policy. 2 Double click the new policy name added to the policy list. 3 Create the policy in the Multicast Policy editor as described in Table 50. The policy editor is shown[...]

  • Page 200

    Adding Layer 3 IP Policies EncrypTight User Guide 201 IPSec Specifies the encryption and authentication algorithms used in an IPSec policy. Select the encryption algorithm from the Encryption Algorithms list: • AES - Advanced Encryption Standard (default) • 3DES - a more secure variant of Data Encryption Standard Select the authenticatio[...]

  • Page 201

    Creating Distributed Key Policies 202 EncrypTight User Guide Figure 77 Multicast policy editor[...]

  • Page 202

    Adding Layer 3 IP Policies EncrypTight User Guide 203 Adding a Point-to-point Policy In a point-to-point network, one network or network set sends and receives data to and from one other network or network set. Figure 78 Point-to-point network example In Figure 78, the end-points are Networks A and B. PEP 1 encrypts the traffic sent from Netw[...]

  • Page 203

    Creating Distributed Key Policies 204 EncrypTight User Guide 4 Click Save when complete. Table 51 Point-to-point policy entries Field Description Name Enter a unique name to identify the policy. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid. The special characters <, >, &, ,“ *, ?, /, , :[...]

  • Page 204

    Adding Layer 3 IP Policies EncrypTight User Guide 205 Addressing Mode Override Overrides the Network addressing setting for the network sets. • Preserve internal network addresses - This setting overrides the network set’s network addressing mode and preserves the network addressing of the protected networks. The IP header contains the sou[...]

  • Page 205

    Creating Distributed Key Policies 206 EncrypTight User Guide Figure 79 Point-to-point policy editor Adding Layer 4 Policies Layer 4 policies encrypt only the payload of the packet. The source and destination addresses, protocol, and port in the IP header are sent in the clear. With Layer 4 policies, the Layer 4 header information is sent in the[...]

  • Page 206

    Policy Deployment EncrypTight User Guide 207 You create Layer 4 policies using ETEPs that are configured to operate as Layer 3 PEPs. Create the networks, network sets, and policies as you would for Layer 3 IP policies. In the policy editor, select the option to preserve the address, protocol, and port. This option encrypts only the payload d[...]

  • Page 207

    Creating Distributed Key Policies 208 EncrypTight User Guide To verify policies: 1 Click Tools > Verify policies. ETPM displays a confirmation message indicating the results of the rules check. 2 If the policies contain errors, go to the Policy View to locate them. Expand the policy tree to find the component with the configuration err[...]

  • Page 208

    Editing a Policy EncrypTight User Guide 209 Figure 81 ETPM Preferences 3 Select or clear the Ask for confirmation before deploying a metapolicy checkbox. 4 Click Apply. Editing a Policy To edit an existing policy: 1 From the Policy view, double click the desired policy name on the policy list. 2 Modify the desired entries in the Policy ed[...]

  • Page 209

    Creating Distributed Key Policies 210 EncrypTight User Guide To delete an existing policy: 1 From the Policy view, right-click the desired policy name and click Remove element. 2 Click OK on the Permanently Delete an Element window. In addition to deleting specific policies, you can delete all of the policies on the ETEP. This can be usef[...]

  • Page 210

    EncrypTight User Guide 211 16 Policy Design Examples This section provides two examples of creating policies with EncrypTight: ● Basic Layer 2 Point-to-Point Policy Example ● Layer 2 Ethernet Policy Using VLAN IDs ● Complex Layer 3 Policy Example Basic Layer 2 Point-to-Point Policy Example In this example, we secure a single point-to-point[...]

  • Page 211

    Policy Design Examples 212 EncrypTight User Guide In ETEMS, configure the interfaces for both PEPs, then click the Features tab and do the following: 1 Select Layer 2:Ethernet for the Encryption Policy Settings. 2 Clear the Enable EncrypTight checkbox. To set up the encryption policy between the two PEPs, click the Policy tab for each PEP and ma[...]

  • Page 212

    Layer 2 Ethernet Policy Using VLAN IDs EncrypTight User Guide 213 Figure 83 Using VLAN IDs Policy Details Policy 1: Headquarters and Branches Name: HQ/Branch Communications Priority: 60000 Renew: Once every 24 Hours Type: Encrypt PEPs: Headquarters, Branch 1, Branch 2 VLAN ID: 10 ETKMS: ETKMS1 Policy 2: Partner and Partner Portal Server Name: [...]

  • Page 213

    Policy Design Examples 214 EncrypTight User Guide To create the policies: 1 In ETEMS, add and configure the ETEPs to operate as Layer 2 PEPs. 2 Add the ETKMS for the policies. 3 Push the configurations to the ETEPs. 4 In ETPM, add the VLAN ID tags. 5 Create the policies using the settings described in “Policy Details” on page 213. 6 Deploy [...]

  • Page 214

    Complex Layer 3 Policy Example EncrypTight User Guide 215 The network sets required for this policy are: Using the four network sets, create the mesh policy as shown in the following table: Encrypt Traffic Between Regional Centers and Branches In order to encrypt traffic between each regional center and its branches, four hub and spoke policies[...]

  • Page 215

    Policy Design Examples 216 EncrypTight User Guide These hub and spoke policies require the four network sets created in “Encrypt Traffic Between Regional Centers” on page 214 and twelve network sets for the branch networks. The next three tables show the four regional hub and spoke policies. Using Network Sets A, A1, A2, and A3, create a hu[...]

  • Page 216

    Complex Layer 3 Policy Example EncrypTight User Guide 217 Using Network Sets B, B1, B2, and B3, create a hub and spoke policy for region B as shown in the following table: Using Network Sets C, C1, C2, and C3, create a hub and spoke policy for region C as shown in the following table: Using Network Sets D, D1, D2, and D3, create a hub and spoke [...]

  • Page 217

    Policy Design Examples 218 EncrypTight User Guide Passing Routing Protocols With Layer 3 routed networks, you might need to pass routing protocols in the clear. This is normally true when routers are placed behind the PEPs and when your WAN uses a private routed infrastructure. With a public routed infrastructure, the ISP handles the routin[...]

  • Page 218

    Complex Layer 3 Policy Example EncrypTight User Guide 219 This policy must be set to a higher priority than the mesh policy created in “Encrypt Traffic Between Regional Centers” on page 214. If this policy is set to a lower priority, the mesh encryption policy will override the bypass policy and the routing protocol will be encrypted. A[...]

  • Page 219

    Policy Design Examples 220 EncrypTight User Guide[...]

  • Page 220

    Part IV Troubleshooting[...]

  • Page 221

    222 EncrypTight User Guide[...]

  • Page 222

    EncrypTight User Guide 223 17 ETEMS Troubleshooting This section includes the following topics: ● Possible Problems and Solutions ● Pinging the Management Port ● Retrieving Appliance Log Files ● Viewing Diagnostic Data ● Working with the Application Log Possible Problems and Solutions The troubleshooting information in this section [...]

  • Page 223

    ETEMS Troubleshooting 224 EncrypTight User Guide Appliance Unreachable Symptom Explanation and possible solutions Symptoms of ETEMS’s inability to communicate with an appliance are: • Status indicator of ?. • “Operation failed” result when putting a configuration to an appliance, refreshing status, or comparing configurations. • U[...]

  • Page 224

    Possible Problems and Solutions EncrypTight User Guide 225 Appliance Configuration The ETEP cannot ping the management workstation. The request times out or returns an “Operation not permitted” message. Check whether the trusted host feature is enabled on the ETEP. • Check the configuration for the trusted workstation. Pings are not allowed[...]

  • Page 225

    ETEMS Troubleshooting 226 EncrypTight User Guide Pushing Configurations Status Indicators Symptom Explanation and possible solutions New configuration isn’t active on the appliance. • In the Appliances view, select the appliance and refresh its status. • Some configuration changes require an appliance reboot to take effect. If the applia[...]

  • Page 226

    Pinging the Management Port EncrypTight User Guide 227 Software Upgrades Pinging the Management Port If ETEMS is having trouble communicating with an appliance’s management port, try pinging the port to determine if the port is reachable from the management workstation. To ping the management port: 1 In the Appliance Manager, select an app[...]

  • Page 227

    ETEMS Troubleshooting 228 EncrypTight User Guide Figure 88 Tools preferences To change the default ping tool: 1 In the Edit menu, click Preferences. 2 Click ETEMS to expand the tree, and then click Tools (Figure 88). 3 In the Tools window, browse to the location of the ping executable that you want to use. 4 Optional. Enter argument[...]

  • Page 228

    Retrieving Appliance Log Files EncrypTight User Guide 229 To retrieve log files from an appliance: 1 Verify that an FTP server is running on the ETEMS workstation. 2 In the Appliance Manager, select the target appliances in the Appliances view. ETEMS can retrieve logs from multiple appliances in a single operation. 3 On the Tools menu, cl[...]

  • Page 229

    ETEMS Troubleshooting 230 EncrypTight User Guide Viewing Diagnostic Data ETEMS retrieves the following performance and diagnostic data from an appliance: ● Encryption statistics and a collection of frame and packet counters are displayed in the Statistics View. ● Local and remote port status and discarded packet information is displayed[...]

  • Page 230

    Viewing Diagnostic Data EncrypTight User Guide 231 Figure 89 Encryption statistics and packet counters displayed for two ETEPs To display statistics: 1 In the Appliance Manager, select the target appliances in the Appliances view. 2 On the View menu, click Statistics. See Table 63 for a description of ETEP statistics. 3 Cli[...]

  • Page 231

    ETEMS Troubleshooting 232 EncrypTight User Guide Viewing Port and Discard Status The Status view displays information about local and remote port status, and discarded packets. Port status is available only for ETEPs. The details displayed for discarded packets vary by appliance model. See the user manuals for your appliance for more inform[...]

  • Page 232

    Viewing Diagnostic Data EncrypTight User Guide 233 Figure 91 Export the SAD or SPD to a CSV file To export the SAD or SPD from the ETEP: 1 In the Appliance Manager, select the target appliance in the Appliances view. 2 On the View menu, click Statistics. 3 In the upper right corner of the Statistics view, click the Export menu b[...]

  • Page 233

    ETEMS Troubleshooting 234 EncrypTight User Guide Working with the Application Log The application log provides information about significant events and failures with EncrypTight. The application log captures events specific to ETEMS and ETPM and their interaction with appliances. The user ID associated with an event is recorded in the log. The[...]

  • Page 234

    Working with the Application Log EncrypTight User Guide 235 a On the application log tool bar, click . b In the application log menu, click Activate on new events. A check mark appears next to this menu item when the feature is active. Click the menu item to toggle the feature on and off. Sending Application Log Events to a Syslog Server Encry[...]

  • Page 235

    ETEMS Troubleshooting 236 EncrypTight User Guide Figure 94 Application log filters NOTE Increasing the visible event limit to a large number (more than 200) can noticeably slow the speed at which ETEMS updates appliance status. If you notice that status refreshes are abnormally slow, clear the application log file and reset the visible events lim[...]

  • Page 236

    EncrypTight User Guide 237 18 ETPM and ETKMS Troubleshooting This section provides information to help you with ETPM and ETKMS problem resolution, including: ● Learning About Problems ● ETKMS Troubleshooting Tools ● PEP Troubleshooting Tools ● Troubleshooting Policies ● Solving Network Connectivity Problems ● Modifying Encry[...]

  • Page 237

    ETPM and ETKMS Troubleshooting 238 EncrypTight User Guide Table 65 ETPM status problems and solutions TIP After you deploy policies, if the indicators are anything other than green, click Refresh Status before you take other troubleshooting actions. Symptoms and Solutions This section discusses some symptoms that you might encounter while u[...]

  • Page 238

    Learning About Problems EncrypTight User Guide 239 NOTE Always check the status of the PEPs in the Policy View after deploying policies, refreshing status, or renewing keys. All PEPs should show a Consistent indicator. This section includes the following topics: ● “Policy Errors” on page 239 ● “Status Errors” on page 240 ● “Rene[...]

  • Page 239

    ETPM and ETKMS Troubleshooting 240 EncrypTight User Guide Status Errors Renew Key Errors Symptom Explanation and possible solutions ETEMS cannot verify that the software version installed on the ETKMS matches the version selected in the Appliance Manager. In the Appliance Manager in ETEMS, when you refresh status for a ETKMS, the ETKMS does no[...]

  • Page 240

    Learning About Problems EncrypTight User Guide 241 Viewing Log Files Each component in the EncrypTight system creates and maintains log files that you can use to troubleshoot issues. This section includes the following topics: ● “ETPM Log Files” on page 241 ● “ETKMS Log Files” on page 241 ● “PEP Log Files” on page 242 ETPM Log[...]

  • Page 241

    ETPM and ETKMS Troubleshooting 242 EncrypTight User Guide PEP Log Files You can retrieve and view log files from any PEP using ETEMS. When a PEP receives a command from ETEMS, it sends its log files to the designated FTP server. To use this feature you must have FTP server software running on the ETEMS workstation. If a PEP contains severa[...]

  • Page 242

    PEP Troubleshooting Tools EncrypTight User Guide 243 Optimizing Time Synchronization With NTP, time synchronization does not always happen instantaneously. If the time difference between the ETKMS (or any system component) and the NTP server is large enough, it can take a significant amount of time to synchronize. If this occurs, you can u[...]

  • Page 243

    ETPM and ETKMS Troubleshooting 244 EncrypTight User Guide Statistics For ETEP PEPs, you can use the Statistics view in the ETEMS Appliance Manager to display encryption statistics and packet counters. This includes information about packet encryptions and decryptions. The exact statistics displayed vary depending on the model of the PEP that[...]

  • Page 244

    Troubleshooting Policies EncrypTight User Guide 245 deployed to the PEP, including the destination and source IP addresses, priority, and the policy type. The SAD includes information on every security association (SA) established between the ETEP PEP and another appliance. You can use this information to help you troubleshoot policy probl[...]

  • Page 245

    ETPM and ETKMS Troubleshooting 246 EncrypTight User Guide 3 In the MAC Statistics section (for ETEP PEPs), note the values in the Transmit and Receive packet entries for the Local and Remote interfaces (Local Port and Remote Port). ● If packets are being received on the Local interface and transmitted on the Remote interface, traffic is being [...]

  • Page 246

    Troubleshooting Policies EncrypTight User Guide 247 Do one of the following: ● In the Appliance Manager view, select the ETEP and choose Tools > Clear Policies. ● In ETPM, create a bypass policy and deploy it to the PEPs. ● For distributed key policies: In ETEMS, change the Encryption Policy setting on the Features tab from Layer 2[...]

  • Page 247

    ETPM and ETKMS Troubleshooting 248 EncrypTight User Guide To fix these issues, redeploy your policies from ETPM to make sure that your PEPs have current policies and keys. Cannot Add a Network Set to a Policy Non-contiguous subnet masks are supported on ETEP PEPs version 1.4 and later. When you use non-contiguous network masks, the network s[...]

  • Page 248

    Modifying EncrypTight Timing Parameters EncrypTight User Guide 249 ● For ETPM to ETKMS communications errors, check the ETEMS or ETPM application log for an error entry as described in “ETPM Log Files” on page 241. ● For ETKMS to PEP communications errors, check the ETKMS log files as described in “ETKMS Log Files” on page 241. Mod[...]

  • Page 249

    ETPM and ETKMS Troubleshooting 250 EncrypTight User Guide To add a new PEP in a system configured to use strict authentication: 1 In the ETEMS preferences, temporarily disable strict authentication. 2 Add and configure the PEP. 3 Install certificates on the PEP and then re-enable strict authentication in ETEMS. 4 Refresh status. 5 If the status i[...]

  • Page 250

    Certificate Implementation Errors EncrypTight User Guide 251 To disable strict authentication on ETEPs: 1 Connect to the serial port of the appliance and open a terminal session. 2 Log in and type configure to enter configuration mode. 3 Type management-interface to enter management interface configuration mode. 4 Enter strict-client-authentic[...]

  • Page 251

    ETPM and ETKMS Troubleshooting 252 EncrypTight User Guide[...]

  • Page 252

    Part V Reference[...]

  • Page 253

    254 EncrypTight User Guide[...]

  • Page 254

    EncrypTight User Guide 255 19 Modifying the ETKMS Properties File This section provides information about settings in the ETKMS properties file that you can use to control and optimize the performance of the ETKMS, including: ● About the ETKMS Properties File ● Hardware Security Module Configuration ● Digital Certificate Configuration ●[...]

  • Page 255

    Modifying the ETKMS Properties File 256 EncrypTight User Guide Hardware Security Module Configuration The following entries control whether the encryption keys are stored in a Hardware Security Module (HSM). # Hardware Security Module Configuration hardwareModuleInUse=false vaultBaseDir=../keys To store the encryption keys in an HSM, set the har[...]

  • Page 256

    Base Directory for Storing Operational State Data EncrypTight User Guide 257 log4j.appender.R.layout=org.apache.log4j.PatternLayout log4j.appender.R.layout.ConversionPattern=%d [%t] %-5p %c - %m%n ## Console logging #log4j.rootLogger=ALL,stdout #log4j.appender.stdout.Threshold=INFO #log4j.appender.stdout=org.apache.log4j.ConsoleAppender #log4j.[...]

  • Page 257

    Modifying the ETKMS Properties File 258 EncrypTight User Guide Policy Refresh Timing The policy refresh timing controls the timing between the initiation of a renew keys and policy lifetime and the deletion of the expired keys. The following entries specify the timing for the policy refresh. #### Policy refresh timing # Policy refresh delete d[...]

  • Page 258

    PEP Communications Timing EncrypTight User Guide 259 Once the nth retry (defined by retryCount) is unsuccessful, the ETKMS waits a period of time defined by initialPEPRetryWaitTime, after which it repeats the communication attempts as defined by the general timing parameters. This repeats for n times as defined by initialPEPRetryCount. If the[...]

  • Page 259

    Modifying the ETKMS Properties File 260 EncrypTight User Guide[...]

  • Page 260

    EncrypTight User Guide 261 20 Using Enhanced Security Features This section includes the following topics: ● About Enhanced Security Features ● About Strict Authentication ● Using Certificates in an EncrypTight System ● Changing the Keystore Password ● Configuring the Certificate Policies Extension ● Working with Certificates for E[...]

  • Page 261

    Using Enhanced Security Features 262 EncrypTight User Guide ● Strong password enforcement ETEPs with software version 1.6 or later can be configured to use strong password enforcement. The conventions used with strong password enforcement are far more stringent than those used with the default password management. To learn more about strong[...]

  • Page 262

    About Strict Authentication EncrypTight User Guide 263 Related topics: ● “Prerequisites” on page 263 ● “Order of Operations” on page 263 ● “Certificate Information” on page 264 ● “Changing the EncrypTight Keystore Password” on page 266 ● “Configuring the Certificate Policies Extension” on page 269 ● “Validating [...]

  • Page 263

    Using Enhanced Security Features 264 EncrypTight User Guide 4 Temporarily enable strict authentication in ETEMS and make sure that you can still communicate with the PEPs (refresh status for the PEPs that you used in step 3). If the PEPs respond appropriately, continue with the next step. If you cannot communicate with the PEPs, troubleshoot[...]

  • Page 264

    Using Certificates in an EncrypTight System EncrypTight User Guide 265 In usage, you type this string as follows: -dname “cn=<common name>, ou=<organization unit>, o=<organization name>, l=<location>, s=<state/province>, c=<country>” The information must be entered in the order shown. For example: -dname[...]

  • Page 265

    Using Enhanced Security Features 266 EncrypTight User Guide Changing the Keystore Password Before you begin using certificates, you need to change the default passwords for the EncrypTight keystore and the ETKMS keystore. This section includes the following topics: ● “Changing the EncrypTight Keystore Password” on page 266 ● “Changing [...]

  • Page 266

    Changing the Keystore Password EncrypTight User Guide 267 Changing the Keystore Password on an ETKMS Changing the password on an ETKMS involves multiple steps, including: 1 Stop the ETKMS service 2 Use keytool to change the password 3 Change the password for each individual key stored 4 Change the password listed in the ETKMS properties file 5 Restar[...]

  • Page 267

    Using Enhanced Security Features 268 EncrypTight User Guide Changing the Password Used in the ETKMS Properties File The ETKMS properties file includes an entry for the keystore password that the ETKMS software uses for functions that access the keystore. To change the password listed in the ETKMS properties file: 1 Use a text editor to edit th[...]

  • Page 268

    Configuring the Certificate Policies Extension EncrypTight User Guide 269 ./HSMPwdChg.sh The script will print out the new value of the password. Make note of this value. 5 Change the password for the Security Officer role by typing: ctkmu p -O You will be prompted for the value of the old password and then for the value of the new password. 6[...]

  • Page 269

    Using Enhanced Security Features 270 EncrypTight User Guide TIP If you are deploying numerous ETEPs, you can save time by modifying the default configurations for the ETEP models that you use. For more information about modifying default configurations, see “Working with Default Configurations” on page 110. You configure the certific[...]

  • Page 270

    Configuring the Certificate Policies Extension EncrypTight User Guide 271 Figure 95 Communications Preferences About the Policy Constraints Extension The certificate policies extension can be used in conjunction with the policy constraint extension. This extension is configured by your CA and requires no setup in EncrypTight components. It plac[...]

  • Page 271

    Using Enhanced Security Features 272 EncrypTight User Guide Working with Certificates for EncrypTight and the ETKMSs For both the workstation running the EncrypTight software and the ETKMS, use the keytool utility to request and install certificates. The keytool utility is a Java-based utility for key and certificate management. A complete dis[...]

  • Page 272

    Working with Certificates for EncrypTight and the ETKMSs EncrypTight User Guide 273 To generate a key pair: 1 From the command line, use the following command to generate a public/private key pair: keytool -genkeypair -dname {“cn=<Entity Name>, ou=<Organizational Unit>, o=<Organization>, c=<Country>”} -alias <ali[...]

  • Page 273

    Using Enhanced Security Features 274 EncrypTight User Guide Importing a CA Certificate Depending on the CA that you use, you could receive a single certificate or a certificate chain. If the reply is a single certificate and it is not a copy of a CA trusted root certificate, you need to acquire the certificate for a trusted root. If the reply from th[...]

  • Page 274

    Working with Certificates and an HSM EncrypTight User Guide 275 Exporting a Certificate For other devices to authenticate the identity of an entity, they might need a copy of the entity’s certificate. You can use the keytool export command to export certificates for this purpose. To export a certificate: 1 From the command line, use the [...]

  • Page 275

    Using Enhanced Security Features 276 EncrypTight User Guide Importing CA Certificates into the HSM To import CA certificates into the HSM: 1 To import a CA certificate, at the command line type: ctcert i -f <filename> -l <alias> 2 To set the certificate as trusted, type: ctcert t -l <alias> 3 If prompted, enter the HSM password[...]

  • Page 276

    Working with Certificates for the ETEPs EncrypTight User Guide 277 Generating a Certificate Signing Request for the HSM To generate a certificate signing request: 1 At the command line, type: keytool -keystore NONE -storetype PKCS11 -certreq -keyalg RSA -providername SunPKCS11-psie -alias <alias> -storepass <password> -file <csr[...]

  • Page 277

    Using Enhanced Security Features 278 EncrypTight User Guide To start the Certificate Manager do one of the following: ● In the Windows menu, click Open. In the list of perspectives, click Certificate Manager. ● On the Perspective tab in the upper right corner of the screen, click the Open Perspective button. In the list of perspectives, [...]

  • Page 278

    Working with Certificates for the ETEPs EncrypTight User Guide 279 The Certificate Requests view displays pending certificate requests for selected appliances. You can manage certificate requests from the shortcut menu (view, delete, or install). Select a request from this view to see its contents in detail, including the PEM-formatted cert[...]

  • Page 279

    Using Enhanced Security Features 280 EncrypTight User Guide NOTE The procedure for obtaining a CA certificate varies with each CA. These are the typical steps. To obtain a CA certificate from a CA: 1 On the CA's website, complete the registration process. 2 Download the CA certificate from the CA's website. 3 In the Certificate Manag[...]

  • Page 280

    Working with Certificates for the ETEPs EncrypTight User Guide 281 Figure 97 Certificates view shows installed certificates and their usage Working with Certificate Requests The workflow for requesting and installing an identity certificate on an EncrypTight appliance is as follows: 1 Generate a certificate signing request. 2 Send the req[...]

  • Page 281

    Using Enhanced Security Features 282 EncrypTight User Guide Figure 98 Generate a certificate signing request To generate a certificate signing request: 1 In the Appliances view, right-click the target appliance and click Generate Certificate Signing Request in the shortcut menu. 2 Complete the Subject Name fields (see Table 68). 3 From the R[...]

  • Page 282

    Working with Certificates for the ETEPs EncrypTight User Guide 283 Installing a Signed Certificate When a certificate authority accepts a certificate request, it issues a digitally signed identity certificate and returns it electronically. The certificate must be a PEM-formatted X.509 certificate. The certificate can be used to validate managem[...]

  • Page 283

    Using Enhanced Security Features 284 EncrypTight User Guide Figure 100 View pending certificate signing requests Canceling a Pending Certificate Request The EncrypTight appliance allows for only one pending certificate request. In order to replace the pending request with a new one, you must cancel the pending request. To cancel a pending cer[...]

  • Page 284

    Working with Certificates for the ETEPs EncrypTight User Guide 285 The Common Name (CN) defaults to the appliance name; it cannot be set as a preference. For information about other distinguished name fields, see Table 68. Other certificate requests preferences are described in Table 78. NOTE The larger the key size, the longer it tak[...]

  • Page 285

    Using Enhanced Security Features 286 EncrypTight User Guide ● “Deleting a Certificate” on page 287 Viewing a Certificate The Certificate Details view of a selected installed certificate displays the certificate contents and the PEM-formatted certificate. From the Certificate Details view you can export the certificate using the Export Certi[...]

  • Page 286

    Validating Certificates EncrypTight User Guide 287 Deleting a Certificate Delete external certificates if they have expired or are no longer used. External certificates are the only type of certificate that you can delete from the EncrypTight appliance. You can overwrite existing management ID certificates to replace them, but you cannot explic[...]

  • Page 287

    Using Enhanced Security Features 288 EncrypTight User Guide you must remember to periodically retrieve a copy of the CRL and install it on each of the EncrypTight components. NOTE CRLs are only supported in ETEPs with software version 1.6 or later. You must upgrade ETEPs with earlier software versions in order to use this feature. To learn[...]

  • Page 288

    Validating Certificates EncrypTight User Guide 289 To install a CRL on the ETEP: 1 Switch to the Certificate Manager perspective. 2 In the Appliances view, right-click on the target ETEP and choose Install CRL. 3 Navigate to the appropriate directory and select the CRL file that you want to install. 4 Click Open. 5 Push the modified con[...]

  • Page 289

    Using Enhanced Security Features 290 EncrypTight User Guide In order to use OCSP, you must enable it on each EncrypTight component. ETEPs can read the URL from the certificate itself, but you can specify a URL to use if needed. The EncrypTight software and the ETKMSs provide additional options that allow you to specify the default action if[...]

  • Page 290

    Validating Certificates EncrypTight User Guide 291 NOTE For enhanced security, if you want to validate certificates using OCSP only, disable the options to Ignore Failure to Respond and Revert to CRL on OCSP Responder Failure. To set up OCSP in the ETKMS: 1 Log in directly on the ETKMS as root, or open an SSH session and su to root. 2 Using[...]

  • Page 291

    Using Enhanced Security Features 292 EncrypTight User Guide Enabling and Disabling Strict Authentication After you have installed certificates on each EncrypTight component, you can enable strict authentication. Strict authentication is a setting that affects communications between all EncrypTight components. Once you enable strict authentic[...]

  • Page 292

    Removing Certificates EncrypTight User Guide 293 8 Click Put to push the configurations. 9 Click Close to return to the Appliances view, and then refresh the appliance status (Tools > Refresh Status). NOTE Strict authentication is available for ETEPs with software version 1.6 and later. If you need to remove the ETEP fr[...]

  • Page 293

    Using Enhanced Security Features 294 EncrypTight User Guide To remove certificates: 1 If necessary, switch to the Certificate Manager and select the ETEPs whose certificates you want to remove. 2 Select Tools > Clear Certificates. 3 Click OK when you are prompted for confirmation. 4 Click OK at the message informing you that the co[...]

  • Page 294

    Using a Common Access Card EncrypTight User Guide 295 5 Add the authorized common names to the cnAuth.cfg file on the ETKMS. For instructions, see “Configuring User Accounts for Use With Common Access Cards” on page 295. 6 Enable strict authentication and Common Access Card Authentication on the ETKMS. For more information, see “Enabling [...]

  • Page 295

    Using Enhanced Security Features 296 EncrypTight User Guide To enable CAC Authentication on the ETEP: 1 Verify that strict authentication is enabled on the ETEP. If strict authentication is not enabled when you enable Common Access Card Authentication, you can lose the ability to communicate with the ETEP. 2 In the Appliance Manager, right-clic[...]

  • Page 296

    Using a Common Access Card EncrypTight User Guide 297 NOTE When Common Access Card Authentication is enabled, users of the EncrypTight software can log in without using passwords if the deployment includes only ETEPs running software version 1.6 or later. However, passwords are still required when administrative users log into the ETEPs using t[...]

  • Page 297

    Using Enhanced Security Features 298 EncrypTight User Guide[...]

  • Page 298

    EncrypTight User Guide 299 21 ETEP Configuration This chapter provides procedures and reference information for configuring ETEP appliances. To prepare the ETEP for operation in your network, do the following: ● In the ETEMS Appliance Manager, click File > New Appliance to open the Appliance editor. Select the ETEP appliance model from the[...]

  • Page 299

    ETEP Configuration 300 EncrypTight User Guide This section includes the following topics: ● Identifying an Appliance ● Interface Configuration ● Trusted Hosts ● SNMP Configuration ● Logging Configuration ● Advanced Configuration ● Features Configuration ● Working with Policies ● Factory Defaults Identifying an Appliance In ord[...]

  • Page 300

    Interface Configuration EncrypTight User Guide 301 ● Alphanumeric characters are valid (upper and lower case alpha characters and numbers 0-9) ● Spaces are allowed within a name ● The following special characters cannot be used: < > & “ * ? / : | ● Names are not case sensitive Because the appliance name is also the SNMP syste[...]

  • Page 301

    ETEP Configuration 302 EncrypTight User Guide Figure 103 ET0100A interfaces configuration Related topics: ● “Management Port Addressing” on page 302 ● “Auto-negotiation - All Ports” on page 305 ● “Remote and Local Port Settings” on page 306 ● “Transparent Mode” on page 306 ● “Trusted Hosts” on page 311 Management [...]

  • Page 302

    Interface Configuration EncrypTight User Guide 303 ETEPs running software version 1.6 and later include support for IPv4 and IPv6 addresses on the management port. Related topics: ● “IPv4 Addressing” on page 303 ● “IPv6 Addressing” on page 304 IPv4 Addressing The ETEP requires an IPv4 address for proper operation, even when it is depl[...]

  • Page 303

    ETEP Configuration 304 EncrypTight User Guide Figure 104 Management port default gateway on the ETEP IPv6 Addressing The use of IPv6 addressing is optional. If you select Use IPv6, ETEMS and other EncrypTight components will use IPv6 to communicate with the ETEP. When using IPv6, you must configure the ETEP for dual-homed operation by assign[...]

  • Page 304

    Interface Configuration EncrypTight User Guide 305 IPv6 addresses often contain consecutive groups of zeros. To further simplify address entry, you can use two colons (::) to represent the consecutive groups of zeros when typing the IPv6 address. You can use two colons (::) only once in an IPv6 address. Related topics: ● To learn how to[...]
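    The two rules stated above (“::” stands for one or more consecutive zero groups, and may appear only once) are easy to get wrong when typing management addresses by hand. The following expander is an added example for this guide, not Black Box's own code; it validates a compressed IPv6 address before it is entered into ETEMS and cross-checks its result against Python's standard `ipaddress` module. Sample addresses use the documentation prefix 2001:db8::/32 and are constructed.

```python
"""Expand and validate compressed IPv6 addresses (single '::' rule)."""
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> str:
    """Return the address as eight zero-padded hex groups, or raise ValueError."""
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group of zeros")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
        if len(groups) != 8:
            raise ValueError("an address without '::' must have exactly eight groups")
    expanded = []
    for group in groups:
        # an empty group here means a stray ':' (for example ':::'), which is invalid
        if not group or len(group) > 4 or not set(group) <= HEX:
            raise ValueError(f"invalid group {group!r}")
        expanded.append(group.lower().zfill(4))
    return ":".join(expanded)


def is_valid_ipv6(addr: str) -> bool:
    """True when the address follows the compression rules above."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def cross_check(addr: str) -> bool:
    """Agree with the standard library on the expanded form (sanity check)."""
    return expand_ipv6(addr) == ipaddress.IPv6Address(addr).exploded


if __name__ == "__main__":
    # Constructed sample addresses, not from any real deployment.
    for a in ["2001:db8::1", "2001:db8:0:0:0:0:0:1", "fe80::1:2:3", "::", "1::2::3", "2001:db8:::1"]:
        try:
            print(f"{a:24} -> {expand_ipv6(a)}")
        except ValueError as e:
            print(f"{a:24} -> rejected: {e}")
```

    The expander deliberately accepts only the plain hexadecimal form discussed in the guide; IPv4-embedded notation such as `::ffff:192.0.2.1`, which the standard library accepts, is rejected here so that what you type matches what the text describes.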

  • Page 305

    ETEP Configuration 306 EncrypTight User Guide On the local and remote ports, the ETEPs support the speeds shown in Table 86. NOTE If you are using copper SFP transceivers, auto-negotiation must be enabled on the ET1000A and on the device that the ET1000A is connecting to. The recommended copper SFP transceivers negotiate only to 1 Gbps, e[...]

  • Page 306

    Interface Configuration EncrypTight User Guide 307 preserves the network addressing of the protected network by copying the original source IP and MAC addresses from the incoming packet to the outbound packet header. In transparent mode the ETEP’s remote and local ports are not viewable from a network standpoint. The local and remote por[...]

  • Page 307

    ETEP Configuration 308 EncrypTight User Guide IP Address and Subnet Mask Enter the IP address and subnet mask that you want to assign to the port, in dotted decimal notation. Default Gateway The default gateway identifies the router’s local access port, which is used to forward packets to their destination. The gateway IP address must be on[...]

  • Page 308

    Interface Configuration EncrypTight User Guide 309 The transmitter behavior configuration should be the same on both the local and remote ports. DHCP Relay IP Address The DHCP Relay feature allows DHCP clients on the local port subnet to access a DHCP server that is on a different subnet. The DHCP relay feature is applicable in Layer 3 IP network[...]

  • Page 309

    ETEP Configuration 310 EncrypTight User Guide Ignore DF Bit When the ETEP is configured for use in Layer 3 IP encryption policies, its default behavior is to enable DF Bit handling on the local port. This tells the ETEP to ignore the “do not fragment” (DF) bit in the IP header, and fragment outbound packets that exceed the MTU of the syst[...]

  • Page 310

    Trusted Hosts EncrypTight User Guide 311 Related topics: ● “Ignore DF Bit” on page 310 ● “Path Maximum Transmission Unit” on page 326 ● “Features Configuration” on page 330 Trusted Hosts In its default state the ETEP management port accepts all packets from any host. The trusted host feature lets you restrict access by specify[...]

  • Page 311

    ETEP Configuration 312 EncrypTight User Guide Inbound host protocols (HTTPS, ICMP, and SNMP) are enabled and disabled in the Edit Trusted Host window. Inbound protocols are enabled by default for each host. Use caution when disabling these protocols as it can affect the management station’s ability to communicate with the ETEP. You cannot[...]

  • Page 312

    SNMP Configuration EncrypTight User Guide 313 Figure 108 Trusted host editor Related topics: ● “Appliance Unreachable” on page 224 ● “IPv6 Addressing” on page 304 ● “Traps” on page 315 ● “Defining Syslog Servers” on page 323 ● “SNTP Client Settings” on page 329 SNMP Configuration The ETEP includes an SNMP agent. When[...]

  • Page 313

    ETEP Configuration 314 EncrypTight User Guide Figure 109 SNMP configuration for system information, community strings, and traps Take note of the following requirements when defining SNMP system information: ● To set the system information on an appliance, the community string must be defined as read/write, as described in “Community S[...]

  • Page 314

    SNMP Configuration EncrypTight User Guide 315 Traps To configure SNMP traps, first select the trap types to be generated. All of the selected trap types will be sent to the configured hosts. Traps cannot be configured on a per-host basis. Table 94 Traps reported on the ETEP Trap Description Critical error The following critical errors[...]

  • Page 315

    ETEP Configuration 316 EncrypTight User Guide NOTE The coldStart and notifyShutdown traps are always generated, even when Generic traps are disabled. Related topics: ● “SNMPv2 Trap Hosts” on page 316 ● “SNMPv3” on page 316 SNMPv2 Trap Hosts After selecting the traps that the ETEP will generate, specify the IP address of the trap ho[...]

  • Page 316

    SNMP Configuration EncrypTight User Guide 317 ● The engine ID identifies the ETEP as a unique SNMP entity. The ETEP’s engine ID must be configured on every trap recipient before traps can be authenticated and processed by the trap host. ● Three security levels are available to control access to the management information: no authenticatio[...]

  • Page 317

    ETEP Configuration 318 EncrypTight User Guide ● “Configuring the SNMPv3 Trap Host Users” on page 319 ● “FIPS Mode” on page 331 Generating the Engine ID The engine ID is a unique local identifier for the SNMP agent in the ETEP. The ETEP automatically generates its own engine ID upon startup, or you can manually enter an engine ID seed[...]

  • Page 318

    SNMP Configuration EncrypTight User Guide 319 Figure 111 Viewing SNMPv3 Engine IDs Related topics: ● “Generating the Engine ID” on page 318 Configuring the SNMPv3 Trap Host Users Trap host users define the destination that receives the traps, plus security information about communication between SNMPv3 entities. Trap host users are de[...]

  • Page 319

    ETEP Configuration 320 EncrypTight User Guide Figure 112 SNMPv3 Trap Host configuration To configure a trap host user: 1 If you haven’t already done so, select the traps that the ETEP will generate (see “Traps” on page 315). 2 Under SNMPv3 Trap Hosts, click Add. 3 In the V3 Trap Host dialog box, configure the trap host users as d[...]

  • Page 320

    Logging Configuration EncrypTight User Guide 321 Related topics: ● “FIPS Mode” on page 331 ● ETEP CLI User Guide, “Securing Management Port Traffic with IPsec” Logging Configuration The ETEP log keeps track of messages and events generated by various processes, such as encryption, certificates, rekeys, and SNMP. All log messages ar[...]

  • Page 321

    ETEP Configuration 322 EncrypTight User Guide Related topics: ● “Log Event Settings” on page 322 ● “Defining Syslog Servers” on page 323 ● “Log File Management” on page 324 ● “Retrieving Appliance Log Files” on page 228 Log Event Settings Categories of log messages are referred to as facilities, and they typically indicate [...]

  • Page 322

    Logging Configuration EncrypTight User Guide 323 means “error + critical + alert + emergency.” The priorities shown in Table 97 are listed from lowest (debug) to highest (emergency). Related topics: ● “Logging Configuration” on page 321 ● “Defining Syslog Servers” on page 323 Defining Syslog Servers The ETEP can send log message[...]
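    The “this priority and higher” rule above is the same one a syslog collector applies when it decides which ETEP messages to keep, so it is worth seeing it run over real-looking input. The following filter is an added example for this guide, not Black Box's own code. The facility labels (Local 0 / System through Local 4 / SNMP) come from the guide's logging defaults table and the priority order (debug lowest, emergency highest) from the text above; the sample lines are constructed and assume an RFC 3164-style `<PRI>` prefix, which the guide does not describe.

```python
"""Syslog facility/priority filtering with the 'this priority and higher' rule."""
import re

# RFC 5424 severity codes: index == numeric code (0 = emergency ... 7 = debug).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
# Rank used for comparisons: debug = 0 (lowest) ... emergency = 7 (highest).
RANK = {name: 7 - code for code, name in enumerate(SEVERITIES)}

# ETEP facility labels from the guide's logging defaults table (local0-local4).
ETEP_FACILITIES = {"local0": "System", "local1": "Dataplane", "local2": "DistKey",
                   "local3": "PKI", "local4": "SNMP"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def decode_pri(pri: int) -> tuple[str, str]:
    """Split a syslog PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    fac_code, sev_code = divmod(pri, 8)
    facility = f"local{fac_code - 16}" if 16 <= fac_code <= 23 else f"facility{fac_code}"
    return facility, SEVERITIES[sev_code]


def should_forward(facility: str, severity: str, config: dict,
                   default: str = "informational") -> bool:
    """True when severity is at or above the threshold configured for that facility.
    Selecting 'error' therefore forwards error, critical, alert and emergency."""
    threshold = config.get(facility, default)
    return RANK[severity] >= RANK[threshold]


def filter_lines(lines, config, default="informational"):
    """Return (facility_label, severity, message) for every line that passes the filter."""
    kept = []
    for line in lines:
        m = PRI_RE.match(line)
        if not m:
            continue                      # not a syslog line we understand; skip it
        facility, severity = decode_pri(int(m.group(1)))
        if should_forward(facility, severity, config, default):
            label = ETEP_FACILITIES.get(facility, facility)
            kept.append((label, severity, m.group(2)))
    return kept


# Constructed sample lines (PRI values chosen to land on the ETEP facilities).
SAMPLE_LINES = [
    "<134>system: management session opened",      # local0, informational
    "<131>system: configuration push failed",       # local0, error
    "<158>pki: certificate expires in 30 days",     # local3, informational
    "<155>pki: peer certificate revoked",           # local3, error
    "<164>snmp: authentication failure",            # local4, warning
]

# Sample policy: raise the System facility to error and above, keep the rest at the default.
SAMPLE_CONFIG = {"local0": "error"}

if __name__ == "__main__":
    for label, sev, msg in filter_lines(SAMPLE_LINES, SAMPLE_CONFIG):
        print(f"{label:10} {sev:14} {msg}")
```

    With the sample policy, the informational System line is dropped while every PKI and SNMP line is kept, which is the behaviour the guide describes for a facility set to “error”: the setting names the lowest priority that still gets through, not a single priority.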

  • Page 323

    ETEP Configuration 324 EncrypTight User Guide Related topics: ● “IPv6 Addressing” on page 304 ● “Logging Configuration” on page 321 ● “Log Event Settings” on page 322 Log File Management Each log file is a fixed-length list of entries, as shown in Table 98. The log files rotate as they fill; they do not wrap. The most recent e[...]

  • Page 324

    Advanced Configuration EncrypTight User Guide 325 Figure 114 Log files extracted from the ETEP Related topics: ● “Retrieving Appliance Log Files” on page 228 ● “Logging Configuration” on page 321 ● “Log Event Settings” on page 322 Advanced Configuration The items on the Advanced tab define various management and network functio[...]

  • Page 325

    ETEP Configuration 326 EncrypTight User Guide Path Maximum Transmission Unit The PMTU specifies the maximum payload size of a packet that can be transmitted by the ETEP. The PMTU value excludes the Ethernet header, which is 14-18 bytes long, and the CRC. The PMTU setting applies to the local and remote ports, as shown in Table 99. On the[...]

  • Page 326

    Advanced Configuration EncrypTight User Guide 327 ● “Reassembly Mode” on page 310 ● “Features Configuration” on page 330 Non IP Traffic Handling The non IP traffic handling setting is available when the ETEP is configured for use in Layer 3 encryption policies. This setting provides options for how to handle Layer 2 packets that are [...]

  • Page 327

    ETEP Configuration 328 EncrypTight User Guide ● Maximum number of concurrent login sessions allowed per user ● The number of login failures allowed before locking an account The strong password policy enforces more stringent password rules and conventions than the default password policy. The default password policy is enforced unless you [...]

  • Page 328

    Advanced Configuration EncrypTight User Guide 329 SSH Access to the ETEP SSH is used for secure remote CLI management sessions through the Ethernet management port. SSH access to the appliance is enabled by default. To prevent remote access to the CLI, clear the Enable SSH checkbox. When SSH is disabled, CLI access is limited to the serial port [...]

  • Page 329

    ETEP Configuration 330 EncrypTight User Guide 3 On the Advanced tab, select Enable IKE VLAN Tag. OCSP Settings Online Certificate Status Protocol (OCSP) provides a way for devices that use certificates to verify that a received certificate is currently valid. OCSP is an alternative to using Certificate Revocation Lists (CRLs). If your organiza[...]

  • Page 330

    Features Configuration EncrypTight User Guide 331 FIPS Mode When operating in FIPS mode, the ETEP must be configured to use FIPS-approved encryption and authentication algorithms. FIPS-approved algorithms are listed in Table 103. Note that some of the FIPS-approved algorithms are available for use only on the management port. EncrypTight pre[...]

  • Page 331

    ETEP Configuration 332 EncrypTight User Guide ● Performs a software integrity test ● Clears pre-existing policies and keys, as described in Table 104. ● Generates a new self-signed certificate on the management interface ● Removes all externally signed certificates ● Resets passwords to the factory defaults ● Closes remote SSH clie[...]

  • Page 332

    Features Configuration EncrypTight User Guide 333 ● “EncrypTight Settings” on page 333 ● “Encryption Policy Settings” on page 334 ● “Creating Layer 2 Point-to-Point Policies” on page 335 ● ETEP CLI User Guide, “FIPS 140-2 Level 2 Operation” EncrypTight Settings The EncrypTight settings define whether the ETEP is to be[...]

  • Page 333

    ETEP Configuration 334 EncrypTight User Guide ● “Encryption Policy Settings” on page 334 ● “Working with Policies” on page 334 Encryption Policy Settings The Encryption Policy Setting determines the type of policies that the ETEP can be used in: Layer 2 Ethernet policies or Layer 3 IP policies. Appliances that are configured for Layer[...]

  • Page 334

    Working with Policies EncrypTight User Guide 335 Related topics: ● “Using EncrypTight Distributed Key Policies” on page 335 ● “Creating Layer 2 Point-to-Point Policies” on page 335 Using EncrypTight Distributed Key Policies After you have configured the ETEPs for network operation, use the Policy Manager (ETPM) to create and deploy [...]

  • Page 335

    ETEP Configuration 336 EncrypTight User Guide Figure 115 ETEP Policy tab When ETEPs are first installed they pass all traffic in the clear until they receive policies. After you push the Layer 2 point-to-point policy configuration to the ETEPs they will begin negotiations to encrypt traffic. You can change the way in which the ETEP processes t[...]

  • Page 336

    Working with Policies EncrypTight User Guide 337 deploy management port IPsec policies while in Layer 2 point-to-point mode, use manual key policies to encrypt management port traffic. ● We recommend setting the time on the ETEPs before setting up the Layer 2 point-to-point policy. Changing the clocks after the policy is established may ca[...]

  • Page 337

    ETEP Configuration 338 EncrypTight User Guide Selecting the Traffic Handling Mode The ETEP has three options for processing packets: ● Encrypt all packets ● Discard all packets ● Pass all packets in the clear Under normal operation, the ETEP is configured to encrypt all traffic that is exchanged between two peer appliances. This is the ETEP[...]

  • Page 338

    Factory Defaults EncrypTight User Guide 339 Factory Defaults ETEMS’s factory settings are listed by appliance model and software version for the following categories: ● Interfaces ● Trusted Hosts ● SNMP ● Logging ● Policy ● Advanced ● Features ● Hard-coded Settings Interfaces Hash algorithm HMAC-SHA-1 PFS Diffie-Hellman gro[...]

  • Page 339

    ETEP Configuration 340 EncrypTight User Guide Trusted Hosts SNMP Default gateway None Flow control Negotiated Link speed Negotiated Transmitter enable FollowRx Local IP address Undefined Subnet mask 255.255.255.0 Default gateway None Flow control Negotiated Link speed Negotiated DHCP Relay IP Address Undefined Ignore DF Bit Enabled Reassembly mo[...]

  • Page 340

    Factory Defaults EncrypTight User Guide 341 Logging Policy Advanced Table 112 Logging defaults Logging Default Setting Local 0 / System Informational Local 1 / Dataplane Informational Local 2 / DistKey Informational Local 3 / PKI Informational Local 4 / SNMP Informational Internal Informational Syslog server None Table 113 Policy defaults [...]

  • Page 341

    ETEP Configuration 342 EncrypTight User Guide Features Hard-coded Settings The following settings are hard-coded in the ETEP: ● Management port PMTU is 1400 bytes ● Syslog server port is 514 ● Time zone is set to UTC 0 Table 115 Features defaults Features Default Setting Enable FIPS Mode Not available Enable EncrypTight Enabled (user c[...]

  • Page 342

    EncrypTight User Guide 343 Index Numerics 3DES, 184 A addressing mode, 171, 185 advanced configuration ETEP, 325–329 Advanced Encryption Standard, 184 AES, 184 appliance configuration customizing default configurations, 110 ETEP, 299–342 importing from a CSV file, 112 overview, 95 restoring factory defaults, 111 appliance users See user acc[...]

  • Page 343

    Index 344 EncrypTight User Guide certificate revocation lists (CRLs), see CRLs, 287 certificates See also Certificate Manager about, 262 and common access cards, 294 certificate policy extensions, 269 certificate revocation lists (CRLs), 287 configuring CRL usage, 287 configuring CRL usage in EncrypTight, 288 configuring CRL usage on the ETKMS, 288[...]

  • Page 344

    EncrypTight User Guide 345 Index D database See workspace date and time about clock synchronization, 33 changing on an appliance, 121 configuring on the ETKMS, 51 default configurations, 110 modifying defaults, 110 restoring, 121 using factory settings, 111 default ETKMS, 185 default gateway configuration ETEP management port, 302 ETEP remote [...]

  • Page 345

    Index 346 EncrypTight User Guide defining appliance configurations, 83 maintenance and troubleshooting, 86 policy and certificate support, 87 pushing configurations, 84 upgrading software, 85 ETEP license, 56 replacing license, 245 throughput, 301 ETEP configuration, 299–342 Ethernet policies at Layer 2, adding, 188 ETKMS configuration chang[...]

  • Page 346

    EncrypTight User Guide 347 Index firewall ports, 39 flow control configuration ETEP, 305 fragmentation ETEP choosing the reassembly mode, 310 setting the PMTU, 326 FTP server configuring for software upgrades, 125 enabling on the management station, 42 G global ETKMS, 185 group ID ETEP, 337 grouping networks, 161 H hardware requirements, 38 hardw[...]

  • Page 347

    Index 348 EncrypTight User Guide hub and spoke policy addressing mode override, 193 mesh policy addressing mode override, 197 multicast policy addressing mode override, 201 payload encryption policy, 185 point-to-point policy addressing mode override, 205 license, 56 EncrypTight, 57 ETEP, 57 replacing ETEPs, 245 upgrading, 58 link speed configu[...]

  • Page 348

    EncrypTight User Guide 349 Index NTP, 149 O OCSP about, 289 communication preferences, 94 enabling in EncrypTight, 290 enabling in ETEPs, 291 enabling on ETKMSs, 291 open perspective, 131 out-of-band management ETKMS to ETKMS connections, 30 ETKMS to PEP connections, 32 ETPM to ETKMS connections, 28 P passing TLS traffic in the clear, 149 passw[...]

  • Page 349

    Index 350 EncrypTight User Guide See also ETPM introduction, 20 log file, 241 monitoring status, 237 port configuration See interface configuration port status, viewing, 232 ports, configuring your firewall for EncrypTight, 39 preferences certificate policy extensions, 270 certificate requests, 284 communication timeouts, 92 importing appliance[...]

  • Page 350

    EncrypTight User Guide 351 Index editing on multiple appliances, 152 ETEP, 329 ETKMS, 51 for EncrypTight PEPs, 149 software requirements, 38 software updates appliance software cancelling, 127 checking status, 127 logging upgrade status, 322 overview, 123 procedure, 125 for EncrypTight, 73 SPD, exporting from the ETEP, 232 SSH troubleshooting, 2[...]

  • Page 351

    Index 352 EncrypTight User Guide Triple Data Encryption Standard, 184 troubleshooting See also diagnostic tools application log, 234 certificate implementation errors, 249 clearing policies on the ETEP, 334 CLI diagnostic commands, 233 ETEMS appliance configuration, 225 appliance software upgrades, 227 appliance unreachable, 224 pinging the man[...]

  • Page 352

    724-746-5500 | blackbox.com About Black Box Black Box Network Services is your source for more than 118,000 networking and infrastructure products. You’ll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches all supported by f[...]