SafeNet HA4000 User Manual Download

Page: 10 / 97

Management

Chapter 1. Product Overview

In a branch-to-central office application, data is secured between each branch and

the central office. Additionally, a secure tunnel is established between the two

branch sites. This configuration can be used to transfer sensitive data between

remote sites or to back up remote servers to central storage devices.

Tunnels

A security tunnel is the network path inside which data is encrypted. Tunnels can

begin and terminate at various points in the network:

Client workstation, either the desktop or remote access, such as dial-in

Edge device, such as a router or an edge switch

Switch or router inside the service provider network, typically at the

point-of-presence (POP)

The HA4000 can be deployed in a variety of locations and topologies, depending

on the application. Several examples are a geographically remote Storage Area

Network (SAN) environment, a site-to-site VPN, a gigabit Ethernet Metropolitan

Area Network (MAN), or a campus building-to-building environment.
In an IPSec deployment, identify the communication endpoints and the secure

tunnel endpoints. A communication endpoint is the entity that is being protected

by the HA4000. This can be a host, a server, or a subnet. The secure tunnel

endpoints are the HA4000 gateways or other IPSec peer.

Management

The HA4000 gateway is managed from the SafeEnterprise Security Management

Center (SMC). It also has a command line interface (CLI) to configure the HA4000

operating parameters. CLI sessions are managed through a direct serial link to the

HA4000.
For information on configuring and working with the HA4000 from the SMC, refer

to the

SafeEnterprise Security Management Center User’s Guide

Software Requirements

Make sure that these customer-provided software products are installed on the

management workstation:

VT-100 terminal emulation utility, such as HyperTerminal, to connect to the CLI

through a serial link.

Optional

. Telnet client to remotely configure the HA4000 through the

gateway’s 10/100 Ethernet management port.

FIPS 140-2 Level 2 Operation

The National Institute of Standards and Technology (NIST) validated the HA4000

gateway as FIPS 140-2 Level 2 compliant. To meet FIPS 140-2 Level 2

requirements, configure the HA4000 using these guidelines:

DES, 3DES, or AES encryption

Summary of Contents for HA4000

Page 1: ...HighAssuranceTM 4000 Gateway The Foundation of Internet Security User s Guide...

Page 2: ...k and SafeEnterprise and HighAssurance are trademarks of SafeNet Inc All other product and company names may be the property of their respective owners SafeNet Inc 800 533 3958 Sales 800 545 6608 Cust...

Page 3: ...Management Port 17 Log On to the CLI 17 Assign IP Addresses 18 Prepare the Device for Operation 19 Configure the Remote Interface 19 Assign the Remote Port IP Address 20 Set the Remote Port Auto Negot...

Page 4: ...and Reference 63 CLI Overview 63 Command Hierarchy 63 Syntax Conventions 63 Examples 64 Command Usage Tips 64 User Types 65 Command Shortcuts 65 Commands 66 Appendix A MIB Support 85 Appendix B Produc...

Page 5: ...r Between Two HA4000 Gateways 22 Figure 3 4 HA4000 Gateways Connected Back to Back Transparent 27 Figure 3 5 ARP Used to Resolve Layer 2 MAC Addresses 28 Figure 3 6 Packets Forwarded to a Gateway 28 F...

Page 6: ...Table 5 1 HA4000 Troubleshooting 52 Table 5 2 CLI IPSec Diagnostic Commands 56 Table 5 3 AES Messages 56 Table 5 4 HA4000 Security Association Fields 58 Table 5 5 SPD Selectors 59 Table 6 1 CLI Comma...

Page 7: ...the HA4000 can be seamlessly deployed into Gigabit Ethernet environments including IP site to site VPNs and storage over IP networks Its high speed Triple DES 3DES IPSec processing capabilities elimi...

Page 8: ...1 8 Gbps 3DES encryption and decryption z Comprehensive security standards support z Key management Internet Key Exchange IKE RFC 2409 NIST FIPS PUB 186 Manual keys Diffie Hellman key exchange groups...

Page 9: ...Unit is powered off On Unit is powered on Remote Yellow link status Off Loss of signal on the remote interface On Normal operation Remote Green traffic status Off No traffic is passing over the remote...

Page 10: ...he communication endpoints and the secure tunnel endpoints A communication endpoint is the entity that is being protected by the HA4000 This can be a host a server or a subnet The secure tunnel endpoi...

Page 11: ...Overview 11 z HMAC SHA1 06 authentication z Manual keys or IKE key management Caution MD5 is not a FIPS approved authentication algorithm Therefore using MD5 authentication in a security policy remove...

Page 12: ...o multimode Gigabit Ethernet Interface transceivers and two 3 meter multimode fiber cables GBIC SM Kit Contains two single mode Gigabit Ethernet Interface transceivers and two 3 meter single mode fibe...

Page 13: ...vercurrent protection and supply wiring Consult the voltage and amperage ratings on the UL label affixed to the unit s rear panel when addressing this concern z Grounding Maintain reliable grounding o...

Page 14: ...eway s local port and then connect it to the local device such as a server or switch Warning Warning Warning Warning When the dust covers are removed and no cable is connected radiation can be emitted...

Page 15: ...Installation 15 Notes z If you experience a problem during system initialization go to Chapter 5 Troubleshooting z Until you configure your security policies the HA4000 gateway s default mode of opera...

Page 16: ...he settings If the HA4000 device is rebooted or the power is recycled unsaved configurations are lost z To save the running configuration enter this command copy system running nvram config z Some com...

Page 17: ...t be configured to connect the device to the SMC Log On to the CLI The HA4000 gateway s CLI is accessible through a serial link connected to the HA4000 RS 232 craft port Typically the craft port is us...

Page 18: ...and SNMP based performance monitoring z The subnet mask is the portion of the IP address that identifies the network or subnetwork for routing purposes z The default gateway assigned only when the HA...

Page 19: ...55 255 255 0 192 168 10 1 config ifMan exit config exit admin copy system running nvram config Prepare the Device for Operation Configure the Remote Interface Follow the procedures described in this s...

Page 20: ...arameter descriptions go to ip address on page 74 Example This example sets the remote port IP address during initial HA4000 configuration admin config terminal config interface remote config ifRemote...

Page 21: ...he default gateway on the HA4000 gateway s remote port z Negotiated IPSec IKE policies will be used z The HA4000 gateways IPSec peers are in a routed network Where the gateways are deployed on a singl...

Page 22: ...e the ikeDefaultGateway command on HA4000 1 see Figure 3 3 to specify Router R2 s local router port IP address 192 168 144 100 HA4000 1 uses the router network to forward packets to its peer HA4000 2...

Page 23: ...nhanced level of certificate validation You may also control which IKE ID is sent to the peer gateway by setting the IKE ID type used for the remote port Both of these commands affect the remote port...

Page 24: ...e specifically when using the Default command if the Subject Alt Name exists in the certificate then the first field in the Subject Alt Name is used for the IKE ID If the Subject Alt Name does not exi...

Page 25: ...ed to the LAN through a switch the local port IP address is the address the server uses to identify the HA4000 Previously configured policies will not recognize a new local port IP address until the H...

Page 26: ...tiation specify whether to enable flow control To have the HA4000 to use flow control specify enable otherwise specify disable These are the possible configurations and the associated command 3 Go to...

Page 27: ...rts are on the same subnet The routers are able to resolve the Layer 2 MAC address of the destination stations and traffic flows through the HA4000 gateways In this scenario use the macAddressResoluti...

Page 28: ...ation S2 is on a different subnet than HA4000 2 s local port To send packets to Station S2 HA4000 2 uses the macAddrResolutionMechanism command with the gateway attribute to identify the IP address of...

Page 29: ...the PMTU size must be set to a number smaller than the smallest MTU in the path Older Layer 2 devices are more likely to require frames of a certain size than are newer Layer 3 devices Check with your...

Page 30: ...nd jumbo frame handling is not required set the PMTU to 2944 or less Configure the PMTU At the config prompt enter this command pmtu size_in_bytes For size in bytes type a number from 128 through 12 1...

Page 31: ...are created as well as certificate expirations Certificate expirations are important only if you plan to replace the HA4000 gateway s default self signed certificate with one of your own Note If the c...

Page 32: ...and another for read write rw access At the config prompt enter this command snmp server community word ro rw where word is a text string of alphanumeric characters Any printable character is valid E...

Page 33: ...server trap enable all z Send logon traps to host 192 168 10 10 and all traps to host 192 168 10 15 config snmp server trap host 192 168 1 10 login config snmp server trap host 192 168 1 15 all Table...

Page 34: ...criticalError fanStatus generic IPSecPeer login host ip address all criticalError fanStatus generic IPSecPeer login Example This example disables the fanStatus trap and disables logon traps to host 1...

Page 35: ...ive Tasks There are only two administrator configuration tasks setting passwords and limiting the number of unsuccessful logon attempts Set Passwords Administrators can change the Administrator and Ne...

Page 36: ...n as Administrator 2 Go into configuration mode enter this command configure terminal 3 At the config prompt enter this command netman password password where password is the new password Example In t...

Page 37: ...fig netman login disable 5 z The Administrator enables the Network Manager s logon config netman login enable Save the Configuration When you complete configuring the HA4000 save the configuration to...

Page 38: ...he reboot process the device LEDs indicate progress z The power LED illuminates z About a minute after rebooting the alarm LED begins to blink z When the boot process completes the alarm LED turns off...

Page 39: ...nfiguration and version information Caution If you make configuration changes and don t save them the running configuration Note will not be the same as the saved configuration To view the running con...

Page 40: ...255 0 ikeDefaultGateway 192 168 144 100 autoNegotiationFlowControl enabled enabled txEnable always interface local ip address 192 168 10 150 255 255 255 0 autoNegotiationFlowControl disabled enabled...

Page 41: ...files created to configure the unit and security policies In addition to the current file system the HA4000 gateway stores a backup copy of the file system which is created using the procedure describ...

Page 42: ...an FTP server to transfer files to or from the HA4000 Note The FTP client must be configured before any copy ftp commands can be used 1 Log on as Network Manager 2 To enter configuration mode enter th...

Page 43: ...bed in Configure the FTP Client on page 42 3 At the admin prompt enter this command copy nvram fs nvram fs backup 4 Download new software enter this command copy ftp fs nvram fs The CLI is disabled wh...

Page 44: ...plan to replace the HA4000 certificate contact a CA to obtain a certificate in PKCS 12 format The pass phrase that is provided to encrypt the file when it is created is also used to decrypt it when d...

Page 45: ...tter z Check fans for reduced airflow caused by dust build up and clean as necessary z Examine cables and fiber for damage z Ensure that airflow requirements are met No special maintenance is required...

Page 46: ...to log file on page 77 Example This example sets the number of log files to 6 and the file size to 300 KB admin configure terminal config log file 6 300 Configure Log File Events The log command defin...

Page 47: ...a new security policy This setting allows you to track the progress of events at a high level Verbose displays the quiet and normal messages plus a significant number of trace messages for debugging p...

Page 48: ...he response config log list Terminal Output Log file output Level Setting snmp trap disabled disabled quiet snmp event disabled disabled quiet snmp packets disabled disabled quiet cmbSsh disabled enab...

Page 49: ...sabled enabled quiet Ssh enabled disabled normal Upload Log Files On occasion you may need to send log files to a central office or SafeNet Customer Support for analysis or troubleshooting assistance...

Page 50: ...0 terminal z Send log file 1 to the FTP host filename View log CoLog 1 admin copy nvram logs 1 ftp Restore Factory Settings With the clear command you can restore some or all of the HA4000 factory se...

Page 51: ...ample This example clears the HA4000 s saved configuration replaces it with the factory default configuration and then reboots the device admin clear configuration This will replace your nvram configu...

Page 52: ...e network cable Verify correct transmit and receive cable polarity Check the operational status of the equipment being connected Verify that the auto negotiation and flow control settings on the local...

Page 53: ...on The HA4000 does not recognize its new remote port IP address Verify the IP address using the show ip addresses command For instructions go to View Configurations on page 39 Correct the IP address i...

Page 54: ...running nvram config command Unsaved configuration changes are lost when the unit is rebooted For more information go to Save the Configuration on page 37 Can t establish a link Check physical connec...

Page 55: ...ess If the HA4000 gateways are installed in a routed network make sure that a default gateway is defined on the remote interface For details go to Assign IKE Default Gateway on page 21 Manual key IPSe...

Page 56: ...your Security Gateway hardware supports these features Syntax show ipSec aesSupport Table 5 2 CLI IPSec Diagnostic Commands Command Displays show ipSec aesSupport Displays whether the installed hardw...

Page 57: ...ly OFF 304 packets 0 0135 of total packets were dropped CODE 29 It is assumed that IKE is being initiated for this connection Packets are dropped until the IKE negotiation finishes This is normal oper...

Page 58: ...security policy database SPD Each entry in the database represents a policy Syntax show ipSec spd all Table 5 4 HA4000 Security Association Fields Field Description SPI Security parameter index unique...

Page 59: ...ors SPD Selector Description Direction Inbound packets enter the remote port from the untrusted network Outbound packets enter the local port from the trusted network Policy The policy type is display...

Page 60: ...ntax show ipSec statistics Direction Policy Encap Source Address Mask Dest Address Mask Src Port Dest Port Protocol INBOUND IPSEC YES 10 10 0 0 255 255 0 0 40 40 0 0 255 255 0 0 OUTBOUND IPSEC 40 40 0...

Page 61: ...kts w o error 0 0 Multicast pkts w o error 0 0 Broadcast pkts w o error 0 0 Flow control pkts w o error 0 0 Good control pkts dropped due to unknown opcode 0 0 Good pkts received 64 byte length 0 0 Ba...

Page 62: ...pd all z ipSec statistics z logging z nvram config z system running z version The show all command also lists information about the internal tasks running on the HA4000 gateway Note Issue this command...

Page 63: ...The exit command leaves the current CLI mode and returns to the previous hierarchy level Syntax Conventions Command references listed in this chapter are presented using the following format conventi...

Page 64: ...r displays context sensitive help When you enter at the start of a line or after a space character two columns of text display The left column lists the keywords that can be entered next N N N N type...

Page 65: ...s a shortcut for the snmp server command When enough characters are typed to uniquely identify the command the Tab key isn t necessary For example a shortcut for the copy system running nvram config c...

Page 66: ...e 20 and Layer 2 MAC Address Resolution on page 27 Syntax clear configuration policies all Shortcut None User Type Network Manager Hierarchy Level Configuration Description Restores the HA4000 factory...

Page 67: ...s nvram fs Shortcut None User Type Network Manager Hierarchy Level Command Description Downloads a new file system from an FTP server to the HA4000 Reboot Required Yes Usage Guidelines See Load Softwa...

Page 68: ...the backup file system as the HA4000 gateway s running image Reboot Required Yes Usage Guidelines See Restore the Backup on page 42 Syntax copy nvram logs n ftp terminal Shortcut None User Type Netwo...

Page 69: ...o create on the FTP host If unspecified the file name is root xml Reboot Required No Usage Guidelines None Syntax copy system running nvram config Shortcut copy s n User Type Network Manager and Admin...

Page 70: ...led between the HA4000 gateway s local and remote ports The default setting is to copy the DF bit from the original packet to the encapsulating header and process ICMP PMTU messages Parameters and Att...

Page 71: ...ess specifies the IP address of the FTP host ftp_userid specifies the user ID of a user on the FTP host ftp_password specifies the user ID s password ftp_directory specifies the directory containing t...

Page 72: ...tGateway none ipAddress Shortcut ike User Type Network Manager Hierarchy Level Remote interface configuration Description Defines how IKE negotiation traffic is routed to the appropriate network when...

Page 73: ...ect Alt Name is used for the IKE ID If the Subject Alt Name does not exist the Subject Distinguished Name is used This setting allows the HA4000 to send an IKE ID of type other than IP Address by inst...

Page 74: ...ss subnet_mask gateway none Shortcut None User Type Network Manager Hierarchy Level Interface configuration Description Assigns the IP address and subnet mask for the interface being configured On the...

Page 75: ...s non IPSec traffic to the management port disable disallows IPSec on the HA4000 management port dpd configures dead peer detection on the management port phase1 configures the Phase 1 IKE security as...

Page 76: ...nfiguration errors Case sensitive ike specifies IKE negotiation messages For technical support diagnostic use Case sensitive Ssh specifies Secure Shell messages For technical support diagnostic use Ca...

Page 77: ...hrough 99 of log files size_in_kbytes specifies the log file size in kilobytes The total amount of space reserved for logging cannot exceed 64 MB number of files multiplied by file size Reboot Require...

Page 78: ...nes See Layer 2 MAC Address Resolution on page 27 Syntax netman password password login enable disable value Shortcut None User Type Administrator Hierarchy Level Configuration Description Configures...

Page 79: ...Parameters password character string with at least one alphanumeric character Passwords are case sensitive they are suppressed from displaying when typed A password can include these special characte...

Page 80: ...Reboot Required Yes when changing the PMTU from jumbo to normal modes Usage Guidelines See Configure the PMTU on page 29 Syntax reboot Shortcut None User Type Network Manager and Administrator Hierarc...

Page 81: ...nd Attributes cli sets the session timer for the CLI number specifies the number of minutes Default is 15 minutes for the CLI Reboot Required No Usage Guidelines See Set Session Timer on page 32 Synta...

Page 82: ...ounts and discards The clear attribute resets counters to zero after they are displayed ipSec sa displays the details of the active security associations ipSec spd all displays a summary of the securi...

Page 83: ...the MIB2 system group Enclose multi word strings in quotation marks name_arg specifies a logical name to the HA4000 The value is defined by sysName in the MIB2 system group Enclose multi word strings...

Page 84: ...arameters and Attributes enable allows the management port to accept a telnet session to remotely configure the HA4000 Telnet access is enabled by default disable disallows telnet access to the unit W...

Page 85: ...e proprietary MIBs which are included on the HA4000 Gateway CD z co smi mib Management Information Structure z co tc mib Textual conventions used in HA4000 MIBs z co gigif mib Objects related to the g...

Page 86: ...9 inch rack mount design 4 H x 17 W x 15 D 10 16 cm H x 43 18 cm W x 38 1 cm D 10 pounds 4 55 kg 115 VAC 10 amps 50 60 Hz 200 240 VAC 5 amps 50 60 Hz 120 watts power dissipation typical Environmental...

Page 87: ...tions 87 Appendix C Cable Specifications DB 9 Null Modem Cable Figure C 1 DB 9 Null Model Cable Specifications Table C 1 Null Model Pin Connections Pin Pin 2 RD Receive Data 3 TD 3 TD Transmit Data 2...

Page 88: ...88 RJ 45 Ethernet Straight Through Cable Figure C 2 RF 45 Ethernet Straight Through Cable RJ 45 Ethernet Crossover Cable Figure C 3 RJ 45 Ethernet Crossover Cable Table C 2 Straight Through Cable Con...

Page 89: ...RJ 45 Ethernet Crossover Cable Appendix C Cable Specifications 89 Table C 3 Crossover Cable Connections RJ 45 Pin RJ 45 Pin 1 Rx 3 TX 2 Rc 6 Tx 3 Tx 1 Rc 6 Tx 2 Rc...

Page 90: ...d can result in complete or intermittent failures Always follow ESD prevention procedures when removing and replacing components To prevent ESD damage follow these guidelines z Always use an ESD wrist...

Page 91: ...otice Canada This Class B digital apparatus meets all requirements of the Canadian interference causing Regulations Cet appareil num rique de la classe B est respecte toutes les exigencies du Reglemen...

Page 92: ...ppendix E Regulatory Information 92 European Notice Products with the CE Marking comply with both the EMC Directive 89 336 EEC and the Low Voltage Directive 73 23 EEC issued by the Commission of the E...

Page 93: ...n SA four block cipher Type of symmetric secret key encryption algorithm that encrypts a fixed length block of plaintext at a time With a block cipher the same plaintext block always encrypts to the s...

Page 94: ...the message Digital Signature Standard DSS Standard for digital signatures using the DSA public key algorithm and the SHA 1 hash algorithm DSS See Digital Signature Standard E encryption Scrambles an...

Page 95: ...ber of seconds the SA can be used or as the maximum number of kilobytes that can be transmitted using the SA Lightweight Directory Access Protocol LDAP Online directory service protocol defined by IET...

Page 96: ...key is public but the private key is known only to its owner Any entity that possesses the public key can encrypt a message so that only a single recipient the owner of the private key can decrypt it...

Page 97: ...to map traffic to a policy which ultimately maps to an SA that is maintained in the security association database SHA See Secret Hash Algorithm Simple Certificate Enrollment Protocol SCEP A PKI commu...

Search results

Summary of Contents for HA4000

Reviews:

Related manuals for HA4000

Brands by name

Popular brands

SafeNet HA4000, User Manual

Search results

Summary of Contents for HA4000

Reviews:

Related manuals for HA4000

Brands by name

Popular brands