manualshive.com logo in svg

HP Sa3110 - VPN Server Appliance, Manual, Page: 70 / 99

Share
Download
HP Sa3110 - VPN Server Appliance Manual Download Page 70

Firewalls and Tunnels

5-14

Hewlett-Packard Company Virtual Private Networking Concepts Guide

through VPN device B, a tunnel is defined for the user to the 
black (untrusted) side of the VPN device and a firewall rule is 
created to allow the traffic from the black (untrusted) network 
to the red (trusted) network. In this case a Client IP is used to 
assign the remote user a known IP address on the red (trusted) 
network. This address is needed in order to identify the remote 
user in the firewall rule.

Firewall Rule

Firewall Rule

Firewall Rule

Firewall Rule

The following table describes the firewall rule.

Tunnel Definition 

Tunnel Definition 

Tunnel Definition 

Tunnel Definition 
Parameters

Parameters

Parameters

Parameters

VPN Device A

VPN Device A

VPN Device A

VPN Device A

VPN Device B

VPN Device B

VPN Device B

VPN Device B

Remote user name

leslie

No access

Secure profile (must 
be previously 
defined)

dialup

Not applicable

Tunnel mode

Black

Not applicable

IP route

Not required

Not applicable

Client IP

10.1.1.193

Not applicable

Parameter 

Parameter 

Parameter 

Parameter 
Description

Description

Description

Description

Parameter Value

Parameter Value

Parameter Value

Parameter Value

Comments

Comments

Comments

Comments

From IP address

10.1.1.193

User leslie is being 
assigned Client IP 
10.1.1.193. 

From subnet mask

255.255.255.255

From application 
port

ALL

The application port 
used to make the 
HTTP (www) 
request is usually 
unknown.

Summary of Contents for Sa3110 - VPN Server Appliance

Page 1: ...hewlett packard company virtual private networking concepts guide Hewlett Packard Company HP 5971 3009 P N A55310 001 March 2001 ...

Page 2: ...ii ...

Page 3: ... saving or life sustaining applications Hewlett Packard Company may make changes to specifications and product descriptions at any time without notice This Hewlett Packard Company Virtual Private Networking Concepts Guide as well as the software described in it is furnished under license and may only be used or copied in accordance with the terms of the license The information in this manual is fu...

Page 4: ...iv ...

Page 5: ...5 3DES 2 7 Outer Cipher Block Chaining CBC 2 8 Asymmetric Cryptographic Systems 2 9 Symmetric Vs Asymmetric Cryptography 2 10 Diffie Hellman Session Key Exchange 2 11 Key Space and Brute Force Attacks 2 13 Encapsulation and Packet Handling Encapsulation and Packet Handling Encapsulation and Packet Handling Encapsulation and Packet Handling Encapsulation Overview 3 1 Secure Profiles 3 2 ESP Encapsu...

Page 6: ...5 12 Multiuser Tunnels 5 16 Tunnel Modes 5 20 One Way In Firewall Rules 5 22 One Way Out Firewall Rules 5 24 Outbound Proxy 5 26 Inbound Proxy 5 28 Tunnel Termination and Firewall Rules 5 31 Load Balancing and Redundancy Load Balancing and Redundancy Load Balancing and Redundancy Load Balancing and Redundancy Load Balancing 6 1 Redundancy 6 2 ...

Page 7: ...t t t t s s s s G G G G u u u u i i i i d d d d e e e e O O O O v v v v e e e e r r r r v v v v i i i i e e e e w w w w HP VPN Concepts Guide Overview HP VPN Concepts Guide Overview HP VPN Concepts Guide Overview HP VPN Concepts Guide Overview HP VPN Concepts Guide Overview 1 1 HP VPN Suite Overview 1 2 Operational Overview 1 5 TCP IP Basics Overview 1 6 ...

Page 8: ...ate Networking Concepts Guide H H H H P P P P V V V V P P P P N N N N C C C C o o o o n n n n c c c c e e e e p p p p t t t t s s s s G G G G u u u u i i i i d d d d e e e e O O O O v v v v e e e e r r r r v v v v i i i i e e e e w w w w ...

Page 9: ...sed in this document to refer to the HP VPN Server Appliance SA3110 SA3150 SA3400 SA3450 devices In addition the Hewlett Packard Company Virtual Private Networking Concepts Guide provides background information and theory on topics ranging from firewall functions and cryptographic systems to authentication types and encapsulation Contents Contents Contents Contents HP VPN Suite Overview page1 2 Op...

Page 10: ...ted and clear data using the same infrastructure without compromising your centrally managed security policy As a firewall the VPN device can be used as a packet filter and a stateful inspection proxy The VPN device goes further than tradi tional firewalls however by adding authentication to the firewall function which allows the creation of truly secure virtual private networks The VPN device inc...

Page 11: ... in equipment and toll charges HP VPN Server HP VPN Server HP VPN Server HP VPN Server Appliance Appliance Appliance Appliance SA3110 SA3150 SA3110 SA3150 SA3110 SA3150 SA3110 SA3150 SA3400 SA3450 SA3400 SA3450 SA3400 SA3450 SA3400 SA3450 Product Suite Product Suite Product Suite Product Suite The VPN suite supports the use of secure tokens These tokens are a tamper resistant PCMCIA card designed ...

Page 12: ... Related Related Related Information Information Information Information Operational Overview page 1 5 TCP IP Basics Overview page 1 6 HP VPN Concepts Guide Overview page1 1 Internet VPN Device Server Router VPN Manager Servers Mail Web Office PCs Router VPN Client Branch or Supplier s Office Laptop Computers With modems VPN Client Office PCs Office PCs Branch or Supplier s Office Existing Firewal...

Page 13: ...through the VPN device for processing The VPN Client software package runs on PCs either directly connected to a LAN or remotely located and connect to the WAN by means of a dial up connection VPN devices are configured by using the VPN Manager which runs on a Windows 95 or Windows NT workstation a command line interface from a console or through a Telnet session from a computer on the VPN s trust...

Page 14: ... referred to as the packet header A simplified packet example is shown in the following diagram Figure Figure Figure Figure Simple Packet Diagram Simple Packet Diagram Simple Packet Diagram Simple Packet Diagram IP Address IP Address IP Address IP Address All devices on a TCP IP network must have at least one address called an IP address This address uniquely identifies the device on a network act...

Page 15: ... 2 boundary addresses reserved for broadcasts Every subnet requires 2 addresses for broadcasts When you split your class C into 2 parts you must still have broadcast addresses in each subnet The first subnet uses 205 250 128 0 and 205 250 128 127 for broadcasts while the second uses 205 250 128 128 and 205 250 128 255 When you have the full class C there are 254 addresses you can use Once the clas...

Page 16: ... a packet destined for a certain network the packet should be sent to a specific gateway The gateway can be any device such as a router or a switch that can send the packet out of the local subnet Static routes are entries in the routing table that do not change They are often defined on routers and switches when network topologies become complex and the network administrator wants to force packet...

Page 17: ... the computer decides what to do with it The computer may have many different programs running simultaneously for example a mail server and a Web server Each program expecting to receive or send packets from or to a network opens something called a socket If you look at an IP address as a street address that identifies a building then an open socket can be compared to a room number within the buil...

Page 18: ... Hewlett Packard Company Virtual Private Networking Concepts Guide Related Related Related Related Information Information Information Information HP VPN Concepts Guide Overview page1 1 Operational Overview page 1 5 The Template Concept ...

Page 19: ... o l l l l o o o o g g g g y y y y Cryptographic Systems and Encryption Terminology Cryptographic Systems and Encryption Terminology Cryptographic Systems and Encryption Terminology Cryptographic Systems and Encryption Terminology Cryptographic Systems and Encryption Terminology Overview 2 1 Symmetric Cryptographic Systems 2 3 Data Encryption Standard DES 2 4 Triple Pass DES 2 5 3DES 2 7 Outer Cip...

Page 20: ...o o o g g g g r r r r a a a a p p p p h h h h i i i i c c c c S S S S y y y y s s s s t t t t e e e e m m m m s s s s a a a a n n n n d d d d E E E E n n n n c c c c r r r r y y y y p p p p t t t t i i i i o o o o n n n n T T T T e e e e r r r r m m m m i i i i n n n n o o o o l l l l o o o o g g g g y y y y ...

Page 21: ...s any procedure to convert plaintext into ciphertext Decryption means any procedure to convert ciphertext into plaintext The term cryptographic system refers to a set of encryption and decryption algorithms The algorithms are labeled and the labels are called keys For example Caesar probably used shift by n encryption for several different values of n It is natural to say that n is the key here Tw...

Page 22: ...ormula g represents a mathematical operation which undoes the steps performed by the algorithm f and Kd represents a key Related Related Related Related Information Information Information Information Symmetric Cryptographic Systems page 2 3 Asymmetric Cryptographic Systems page 2 9 Symmetric Vs Asymmetric Cryptography page 2 10 ...

Page 23: ...t used when the data was encrypted Therefore your decryption formula would look like this AT shift left DW 3 Note that the key used to encrypt the data is the same key used to decrypt the data Ke Kd This algorithm is therefore referred to as symmetric In this case the person encrypting the data and the person decrypting the data must both know the same key The strength of the system relies on the ...

Page 24: ...simple cryptographic systems A recent report by a group of scientists from AT T Research Sun Microsystems the MIT Laboratory for Computer Science the San Diego Supercomputer Center Bell Northern Research and others entitled Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security Blaze Diffie Rivest Schneier Shimomura Thompson and Wiener found that a pedestrian hacker with...

Page 25: ...pted data for about 20 years Go back to the simple Symmetric Cryptographic Systems page 2 3 to illustrate the EDE technique Assuming that the clear text is AT the following steps are involved 1 Encrypt with the key set to 3 DW shift right AT K1 3 2 Decrypt the result DW with a different key for example 5 YR shift left DW K2 5 Note that the result in this case is not the original clear text Now enc...

Page 26: ...ng CBC page 2 8 Algorithm Algorithm Algorithm Algorithm Clear Clear Clear Clear Text Text Text Text After After After After First First First First Encrypt Encrypt Encrypt Encrypt E E E E After After After After First First First First Decrypt Decrypt Decrypt Decrypt D D D D After After After After Second Second Second Second Encrypt Encrypt Encrypt Encrypt E E E E Triple Pass DES Key Space 2 26 5...

Page 27: ...e triple pass DES technique and the 3DES technique are illustrated with the simple symmetric cryptographic system in the following table Related Related Related Related Information Information Information Information Data Encryption Standard DES page 2 4 Outer Cipher Block Chaining CBC page 2 8 Algorithm Algorithm Algorithm Algorithm Clear Clear Clear Clear Text Text Text Text After After After Af...

Page 28: ... involves injecting random spoiler data into the encryption algorithm so that identical blocks of clear text does not result in the same cipher text even if the same key is used repeatedly Therefore if the clear text string AT is encrypted a thousand times with the same key the resulting cipher text would be different each time This is important since most file structures and application protocols...

Page 29: ...t you need a different key to arrive back at the clear text AT shift right DW 3 Note that the key used to decrypt the cipher text in this case is different from the key used to encrypt the clear text The keys however are related The relationship between the keys in the simple asymmetric algorithm can be expressed Ke 1 Kd When asymmetric cryptography is used the person doing the encrypting does not...

Page 30: ...2 parties are not known to each other Asymmetric cryptography is often used during authentication processes Another significant difference between the 2 types of cryptographic systems is the length of the keys required by the algorithms The keys used in symmetric algorithms are usually much smaller than those used in asymmetric algorithms as described in the following table Related Related Related...

Page 31: ...xchanging the key In general when two devices exchange some data using an asymmetric cryptographic system each device first requests the public key of the other device They then use the public key of the other device to encrypt the data When the other device receives the data it can then use its private key to decrypt the data As the name suggests public keys are not secret and are made known to a...

Page 32: ...ditionally the more data that is secured with a given key the greater the loss if the key is compromised Long crypto periods key lives also provide more ammunition for an adversary to break the key since the adversary potentially has access to significantly more data to work with Finally the longer a key is in use the greater the temptation to break the keys since breaking the key provides the adv...

Page 33: ...ibilities for common key length Source FreeMarket Net Policy Spotlight October November 1997 Brute Force Brute Force Brute Force Brute Force Attacks Attacks Attacks Attacks A brute force attack captures some cipher text and then tries all 26 different possible keys Given enough cipher text a brute force attack could be quite effective Obviously if you can increase the number of different keys avai...

Page 34: ...Cryptographic Systems and Encryption Terminology 2 14 Hewlett Packard Company Virtual Private Networking Concepts Guide Symmetric Vs Asymmetric Cryptography page 2 10 ...

Page 35: ... n d d d d P P P P a a a a c c c c k k k k e e e e t t t t H H H H a a a a n n n n d d d d l l l l i i i i n n n n g g g g Encapsulation and Packet Handling Encapsulation and Packet Handling Encapsulation and Packet Handling Encapsulation and Packet Handling Encapsulation Overview 3 1 Secure Profiles 3 2 ESP Encapsulation 3 4 SST Encapsulation 3 6 Packet Handling 3 7 Packet Keys 3 8 ...

Page 36: ...oncepts Guide E E E E n n n n c c c c a a a a p p p p s s s s u u u u l l l l a a a a t t t t i i i i o o o o n n n n a a a a n n n n d d d d P P P P a a a a c c c c k k k k e e e e t t t t H H H H a a a a n n n n d d d d l l l l i i i i n n n n g g g g ...

Page 37: ...rsions should be used when you communicate with another non HP VPN device such as a firewall or router that has implemented the ESP portion of the IPSec standard Encapsulation works in the following manner when a packet is encrypted a brand new packet is created This new packet contains the entire original packet including the header which has been encrypted a new header and some information requi...

Page 38: ...12 hours Algorithm Algorithm Algorithm Algorithm The algorithm can be set to Data Encryption Standard DES Triple Pass DES 3DES or 40 bit DES for ESPv2 IPSec tunnels Keepalive Keepalive Keepalive Keepalive The keepalive interval can be set between 1 and 299 seconds or disabled 0 The keepalive feature is usually specified in profiles that are applied to remote links and has two main uses The first i...

Page 39: ... ESP encapsulation ESP either version should be used when you communicate with another non HP VPN device such as a firewall or router that has implemented the ESP portion of the IPSec standard The ESP implementation in all HP VPN devices is tunnel mode However you can use transport mode by selecting ESP either version setting the ESP authentication to none and selecting a value for the Authenticat...

Page 40: ...set to keyed MD5 HMAC MD5 keyed SHA1 HMAC SHA1 or none An authentication header AH is added to an ESP encapsulated packet either version to ensure that the packet is not altered during transmission and is constructed by hashing the entire encrypted packet Setting the AH type specifies which algorithm to use for hashing The SHA1 hashing algorithm is slightly more secure than MD5 but also slightly s...

Page 41: ...ewlett Packard Company Virtual Private Networking Concepts Guide 3 5 Related Related Related Related Information Information Information Information SST Encapsulation page 3 6 Packet Handling page 3 7 Packet Keys page 3 8 ...

Page 42: ...ic Key Length Length Length Length The public key length must be set to 512 bits 1024 bits or 2048 bits Note that public keys are used during the authentication and session key exchange processes The longer the public key length the more secure the session negotiation will be Crypto Period Crypto Period Crypto Period Crypto Period Length Length Length Length The crypto period length defines how lo...

Page 43: ...he destination computer for example port 25 indicates that a SMTP mail server should be the application listening at the destination address The source address of the sender the IP address of the computer where the e mail client is running The application port that the sending machine used usually randomly assigned The protocol used for SMTP mail the protocol is TCP The maximum size of these packe...

Page 44: ...AN interfaces of the VPN device that secure the communication In a typical network configuration a packet traveling from the Web server at the main office to a PC on the Branch office network has the IP addresses set to the WAN side IP addresses of the VPN devices at the gateways to these networks The IP address of the Web server and the PC are hidden from anyone intercepting the packet and the in...

Page 45: ... and 3DES are symmetric algorithms Therefore both the device encrypting the packet and the device decrypting the packet must know the same keys The packet keys however are randomly generated for each packet Assuming that both the encryptor and the decryptor know the same session keys this technique makes the encryption more secure in 2 ways Attempts to break the packet keys are not practical since...

Page 46: ...Encapsulation and Packet Handling 3 10 Hewlett Packard Company Virtual Private Networking Concepts Guide ...

Page 47: ... i i i i o o o o n n n n M M M M e e e e t t t t h h h h o o o o d d d d s s s s Authentication Methods Authentication Methods Authentication Methods Authentication Methods Authentication Methods Overview 4 1 Certificate Authentication 4 2 Challenge Phrase Authentication 4 3 SecurID Authentication 4 4 RADIUS Authentication 4 5 Entrust Authentication 4 6 ...

Page 48: ...Company Virtual Private Networking Concepts Guide A A A A u u u u t t t t h h h h e e e e n n n n t t t t i i i i c c c c a a a a t t t t i i i i o o o o n n n n M M M M e e e e t t t t h h h h o o o o d d d d s s s s ...

Page 49: ...f a device includes its name its IP address and its public key When the packet encapsulation type is set to Shiva Smart Tunneling SST there are five possible authentication methods Certificates by means of the certificate authority Challenge Phrase SecurID RADIUS Entrust by means of the Entrust Certificate Authority Related Related Related Related Information Information Information Information Ch...

Page 50: ...e result is the MD5 digest or summary of the identifying information that was generated by the certificate authority when the certificate was created The new MD5 digest and the digest extracted from the digital signature are then compared If they are exactly the same the device is sure that the certificate is valid Note that the certificate authority is not involved in the authentication process O...

Page 51: ...icate is essentially the same as a certificate generated by a certificate authority except that the digital signature is encrypted with a challenge phrase rather than with the private key of the certificate authority The implication is that when two devices attempt to authenticate each other for the first time they must both know the challenge phrase of the other device Therefore the challenge phr...

Page 52: ...ity server however the ACE Server must be available whenever a secure tunnel is being established Whenever a remote user attempts to establish a secure tunnel with a VPN device the user must provide a user name and a time dependent pass code that the VPN device then verifies with the ACE Server before allowing the tunnel to be established Typically the pass code is composed of two parts a PIN numb...

Page 53: ...the VPN Client to provide its RADIUS user name and password The VPN device then uses its own secret key to contact the RADIUS Authentication Server to verify the VPN Client s identity There is a second type of RADIUS server supported by the HP VPN suite a RADIUS Accounting Server This server keeps track of those remote users who have established connections to VPN devices and the amount of time ea...

Page 54: ...ing SST protocol Entrust enlists a trusted third party to positively identify a device using X 509 certificates and performs key and certificate functions The Entrust Server maintains a list of all of the public keys that have been created and also issues revokes recovers certificates and maintains a revocation list The VPN device acts as an Entrust client using Entrust services has its own certif...

Page 55: ... s s Firewalls and Tunnels Firewalls and Tunnels Firewalls and Tunnels Firewalls and Tunnels Firewall and Tunnels Overview 5 1 Firewall Functions 5 2 Filters 5 6 Tunnel Types 5 8 Site to Site Tunnels 5 9 Single User Tunnels 5 12 Multiuser Tunnels 5 16 Tunnel Modes 5 20 One Way In Firewall Rules 5 22 One Way Out Firewall Rules 5 24 Outbound Proxy 5 26 Inbound Proxy 5 28 Tunnel Termination and Firew...

Page 56: ...Packard Company Virtual Private Networking Concepts Guide F F F F i i i i r r r r e e e e w w w w a a a a l l l l l l l l s s s s a a a a n n n n d d d d T T T T u u u u n n n n n n n n e e e e l l l l s s s s ...

Page 57: ...ving the network but it has some fundamental flaws First the data packets can be captured as they move through the firewall connecting the networks Data could be extracted from the packets or a new packet could take the place of the original packet All a hacker needs to do is replace the original packet with a new packet to gain access to the destination network Tunnels Tunnels Tunnels Tunnels The...

Page 58: ...re Figure Figure Figure VPN Device as a Firewall VPN Device as a Firewall VPN Device as a Firewall VPN Device as a Firewall Stateless Stateless Stateless Stateless The VPN device is instructed to allow or disallow all packets traveling between the red trusted and black untrusted network The VPN device checks each packet as it arrives to ensure it is valid If the packet matches the filter rule show...

Page 59: ...net mask 255 255 255 224 A maximum of 30 users with addresses starting from 10 1 1 193 are allowed through the firewall From application port ALL The application port used to make the HTTP www request is usually unknown To IP address 10 1 1 2 The Web Server s IP address To subnet mask 255 255 255 255 Access Web Server only To application port 80 Web servers usually listen on this port Action State...

Page 60: ...uter sending the data packets from the black untrusted network so if the link is dropped and tries to reestablish the VPN device remembers the IP address of the computer that created the initial link This type of stateful connection is known as an inbound proxy or one way in firewall rule The only difference between an inbound proxy and a one way in firewall rule is the point at which a data packe...

Page 61: ...N A Firewalled LAN A Firewalled LAN A Firewalled LAN Related Related Related Related Information Information Information Information One Way Out Firewall Rules page 5 24 One Way In Firewall Rules page 5 22 Tunnel Types page 5 8 Red trusted LAN Gate through firewall protected by guard Comm link to untrusted network internet Firewall ...

Page 62: ...t modified in any way and no state information is maintained Figure Figure Figure Figure Example of a Filter Example of a Filter Example of a Filter Example of a Filter If you want a public domain name server DNS to execute on a machine on a red network define a filter as described in the following table Internet yyyy yyyy Other Network Devices on 198 53 144 xxx IP 198 53 144 2 DNS and Mail Server...

Page 63: ...rewall Rules page 5 31 To IP address 0 0 0 0 Do not limit which addresses can access or be accessed by the DNS To subnet 0 0 0 0 To port 53 DNS updates are requested on this port From IP address 198 53 144 2 You allow only the DNS machine to be addressed on the red trusted network From subnet 255 255 255 255 From port 53 Make DNS requests on this port Protocol TCP Make DNS requests and refreshes o...

Page 64: ...d inside a firewall then the packets entering or leaving the tunnel do not need to pass through the gateway and are not subject to the firewall rules that the gateway is configured to follow If a tunnel is started outside the firewall then packets entering or leaving the tunnel must pass through the gateway They are then subjected to the firewall rules before passing through the gateway The VPN de...

Page 65: ...both ends of the tunnel are available through VPN devices A site to site tunnel is fully defined with the following devices IP address of the opposing VPN device Secure profile to be applied to the communication Color mode of the tunnel IP route pushing packets into the tunnel The IP address of the opposing VPN device highlights the fact that a tunnel cannot exist without a VPN device on the other...

Page 66: ...ck IP 205 250 128 240 yyy yyy Other Network Devices on 192 168 10 xxx IP 192 168 10 15 Web Server Red IP 192 168 10 1 Black IP 205 250 128 240 Tunnel Definition Tunnel Definition Tunnel Definition Tunnel Definition Parameters Parameters Parameters Parameters VPN Device A VPN Device A VPN Device A VPN Device A VPN Device B VPN Device B VPN Device B VPN Device B Opposing device 198 53 144 120 205 25...

Page 67: ...re profile on both VPN devices The tunnel mode however can be different on each VPN device Finally the route statements tell the VPN devices which packets should enter the tunnel Related Related Related Related Information Information Information Information Single User Tunnels page 5 12 Multiuser Tunnels page 5 16 Tunnel Types page 5 8 ...

Page 68: ...Network Address Translation Network Address Translation Network Address Translation Network Address Translation A single user tunnel is fully defined with the following devices User name of the opposing HP VPN Client Secure profile to be applied to the communication Color mode of the tunnel Client IP if NAT is being used Identify the opposing HP VPN device by a user name instead of an IP address T...

Page 69: ... access to the Web server available through VPN device A while not allowing access to the rest of that network or to the network available Tunnel Definition Tunnel Definition Tunnel Definition Tunnel Definition Parameters Parameters Parameters Parameters VPN Device A VPN Device A VPN Device A VPN Device A HP VPN Client HP VPN Client HP VPN Client HP VPN Client Remote user name chris the VPN s name...

Page 70: ...tion Tunnel Definition Tunnel Definition Tunnel Definition Parameters Parameters Parameters Parameters VPN Device A VPN Device A VPN Device A VPN Device A VPN Device B VPN Device B VPN Device B VPN Device B Remote user name leslie No access Secure profile must be previously defined dialup Not applicable Tunnel mode Black Not applicable IP route Not required Not applicable Client IP 10 1 1 193 Not ...

Page 71: ...ription Description Description Description Parameter Value Parameter Value Parameter Value Parameter Value Comments Comments Comments Comments To IP address 10 1 1 2 The Web Server s IP address To subnet mask 255 255 255 255 Access Web Server only To application port 80 Web servers usually listen on this port Action Stateful Direction Inbound The group comes from the black untrusted network and c...

Page 72: ...portant tunnel requests are refused because all 1024 available sessions are in use Any remote device that connects successfully is given one of a preset group of IP addresses with which it appears on the network accessible through the Gateway Hence all connections using multiuser tunnels use network address translation NAT A multiuser tunnel is fully defined with the following devices Group name N...

Page 73: ...ble through VPN device A while not allowing access to the rest of that network or to the network available through VPN device B a tunnel is defined for the group to the black side of the VPN device and a firewall rule is created to allow the traffic from the black untrusted network to the red trusted network Tunnel Definition Tunnel Definition Tunnel Definition Tunnel Definition Parameters Paramet...

Page 74: ...n Description Description Parameter Value Parameter Value Parameter Value Parameter Value Comments Comments Comments Comments From IP address 10 1 1 192 From subnet mask 255 255 255 224 A maximum of 30 users with addresses starting from 10 1 1 193 are allowed through the firewall From application port ALL The application port used to make the HTTP www request is usually unknown To IP address 10 1 ...

Page 75: ...rmation Information Site to Site Tunnels page 5 9 Single User Tunnels page 5 12 Tunnel Types page 5 8 To application port 80 Web servers usually listen on this port Action Stateful Direction Inbound The group comes from the black untrusted network and crosses to the red trusted network NAT No Protocol TCP HTTP is transported by means of TCP not UDP ...

Page 76: ... are not trusted This is known as a black tunnel In both cases the data packets can travel between the two networks safely There are three possible ways exist to build a tunnel depending on where the two ends terminate If both ends of the tunnel terminate inside the trusted network then the tunnel is called a red red network In this case the two networks trust each other If both ends of the tunnel...

Page 77: ...ure Firewalled LANs With Encrypted Tunnels Figure Firewalled LANs With Encrypted Tunnels Figure Firewalled LANs With Encrypted Tunnels Related Related Related Related Information Information Information Information Tunnel Types page 5 8 Tunnel Termination and Firewall Rules page 5 31 Black Red Tunnel Red Red Tunnel Black Black Tunnel ...

Page 78: ...IP addresses If you want to allow SMTP mail from people on the Internet to be sent into the mail server define a one way in rule as described in the following table Parameter Parameter Parameter Parameter Description Description Description Description Parameter Value Parameter Value Parameter Value Parameter Value Comments Comments Comments Comments From IP address 0 0 0 0 The mail can come from ...

Page 79: ...Private Networking Concepts Guide 5 23 Related Related Related Related Information Information Information Information Inbound Proxy page 5 28 Outbound Proxy page 5 26 One Way Out Firewall Rules page 5 24 Protocol TCP SMTP istransported by means of TCP not UDP ...

Page 80: ...ork must be routable on the black untrusted network Routable means that the devices on the black untrusted network know how to send packets to the source address If you want to allow people on the red trusted network to browse the World Wide Web on the Internet define a oneway out firewall rule as described in the following table Parameter Parameter Parameter Parameter Description Description Desc...

Page 81: ... 5 28 Outbound Proxy page 5 26 One Way In Firewall Rules page 5 22 To subnet mask 0 0 0 0 Parameter Parameter Parameter Parameter Description Description Description Description Parameter Value Parameter Value Parameter Value Parameter Value Comments Comments Comments Comments To application port 80 Web servers usually listen on this port Protocol TCP HTTP is transported by means of TCP not UDP ...

Page 82: ...e World Wide Web on the Internet define an outbound proxy as described in the following table Parameter Parameter Parameter Parameter Description Description Description Description Parameter Value Parameter Value Parameter Value Parameter Value Comments Comments Comments Comments Outbound proxy IP 205 250 128 240 The address the packets take on as they exit the red trusted network From IP address...

Page 83: ...y Out Firewall Rules page 5 24 One Way In Firewall Rules page 5 22 To subnet mask 0 0 0 0 Parameter Parameter Parameter Parameter Description Description Description Description Parameter Value Parameter Value Parameter Value Parameter Value Comments Comments Comments Comments To application port 80 Web servers usually listen on this port Protocol TCP HTTP is transported by means of TCP not UDP ...

Page 84: ... packets to the black untrusted interface of the VPN device The VPN device then looks at where the packet originated what the destination address is what the destination port is and decides to which address on the red trusted network to send the packet Figure Figure Figure Figure Inbound and Outbound Proxies Inbound and Outbound Proxies Inbound and Outbound Proxies Inbound and Outbound Proxies If ...

Page 85: ...nts Comments Inbound proxy IP 10 1 1 2 This is where the packets should end up From IP address 0 0 0 0 The mail could come from any IP address From subnet mask 0 0 0 0 From application port ALL The application port used to send the mail is usually unknown To IP address 205 250 128 21 Assumes that the mail record associated with your domain name points to this address To subnet mask 255 255 255 255...

Page 86: ...Firewalls and Tunnels 5 30 Hewlett Packard Company Virtual Private Networking Concepts Guide One Way Out Firewall Rules page 5 24 One Way In Firewall Rules page 5 22 ...

Page 87: ...ork or interface but the traffic is destined for the red trusted network or interface The tunnel terminates on the red trusted network or interface but the traffic is destined for the black untrusted network or interface The tunnel terminates on the black untrusted network or interface and the traffic is destined for the black untrusted network or interface Note Note Note Note The terms network an...

Page 88: ...ork Network Network A tunnel that terminates in the black untrusted network but where the traffic is destined for the red trusted network gets the traffic to the VPN Gateway safely and then blocks it at the firewall A firewall rule must be in place to allow the traffic through Figure Tunnel Terminates in the Black Untrusted Network Figure Tunnel Terminates in the Black Untrusted Network Figure Tun...

Page 89: ...he black untrusted interface Figure Tunnel Terminates on the Red Trusted Network Figure Tunnel Terminates on the Red Trusted Network Figure Tunnel Terminates on the Red Trusted Network Figure Tunnel Terminates on the Red Trusted Network Destined for the Black Untrusted Network Destined for the Black Untrusted Network Destined for the Black Untrusted Network Destined for the Black Untrusted Network...

Page 90: ...ork Destined for the Black Untrusted Network Network Destined for the Black Untrusted Network Network Destined for the Black Untrusted Network Network Destined for the Black Untrusted Network Related Related Related Related Information Information Information Information Tunnel Modes page 5 20 One Way Out Firewall Rules page 5 24 One Way In Firewall Rules page 5 22 The Template Concept Tunnel term...

Page 91: ... l l l l a a a a n n n n c c c c i i i i n n n n g g g g a a a a n n n n d d d d R R R R e e e e d d d d u u u u n n n n d d d d a a a a n n n n c c c c y y y y Load Balancing and Redundancy Load Balancing and Redundancy Load Balancing and Redundancy Load Balancing and Redundancy Load Balancing 6 1 Redundancy 6 2 ...

Page 92: ...ate Networking Concepts Guide L L L L o o o o a a a a d d d d B B B B a a a a l l l l a a a a n n n n c c c c i i i i n n n n g g g g a a a a n n n n d d d d R R R R e e e e d d d d u u u u n n n n d d d d a a a a n n n n c c c c y y y y ...

Page 93: ...the total load among the VPN device devices As shown in the following example if the total number of clients desired is 60 and there are two VPN devices the number of clients on each VPN device should be set to 30 In this way a maximum of 30 clients could establish tunnels with each VPN device Related Related Related Related Information Information Information Information Redundancy page 6 2 Tunne...

Page 94: ...one VPN device in parallel is to handle more than 1024 active sessions which is the maximum for a single VPN device Redundancy can be implemented for single user tunnels and for multiuser tunnels only You cannot apply redundancy to site to site tunnels The reason for this is that redundancy relies on the Client IP address which only exists for remote user tunnels You need the Client IP for the dev...

Page 95: ...N device when the mail server uses the Client IP as the destination address on its replies only the VPN device on which the tunnel has been established accepts the packets for processing The tunnel definitions for the two VPN device devices appear as shown in the following table Related Related Related Related Information Information Information Information Load Balancing page 6 1 Tunnel Modes pag...

Page 96: ...Load Balancing and Redundancy 6 4 Hewlett Packard Company Virtual Private Networking Concepts Guide ...

Page 97: ...e pass DES 2 5 D D D D Data Encryption Standard DES 2 4 default gateways 1 8 DES Data Encryption Standard 2 4 Diffie Hellman key exchange protocol 2 11 E E E E Encapsulating Security Payload ESP AH key length 3 4 authentication headers 3 4 iv length 3 4 See also encapsulation encapsulation 3 3 Encapsulating Security Payload ESP 3 1 Shiva Smart Tunneling SST 3 1 See also secure profiles encryption ...

Page 98: ...IUS authentication 4 5 red networks 5 2 red tunnels 5 20 redundancy 6 2 routing tables 1 8 S S S S secure profiles 3 2 3 3 algorithms 3 2 encapsulation 3 3 keepalive 3 2 names 3 2 timeout 3 2 secure tokens 1 3 SecurID authentication 4 4 Shiva Smart Tunneling SST authentication methods 3 6 crypto period length 3 6 public key length 3 6 See also encapsulation single user tunnels 5 12 5 15 firewall r...

Page 99: ...access with single user 5 13 modes 5 20 multiuser 5 16 5 19 single user 5 12 5 15 site to site 5 9 trusted 5 20 untrusted 5 20 U U U U untrusted networks 5 20 untrusted tunnels 5 20 V V V V virtual private networking suite 1 1 VPN Client functions of 1 3 VPN device firewall functions 5 2 VPN Manager functions of 1 2 ...

Reviews:

No comments