manualshive.com logo in svg

Black Box ET0010A, Руководство пользователя CLI, Страница: 78 / 212

Поделиться
Скачать
Black Box ET0010A Скачать руководство пользователя страница 78

Securing Management Port Traffic with IPsec

ETEP CLI User Guide

79

Configuring Global Settings for IKE Negotiations

All IKE encryption policies on the ETEP management port use the same set of IKE parameters. The 
default IKE parameter settings are shown in 

Table 41

 and 

Table 42

. To enhance security, you may want 

to change the preshared key from its default value. 

The following IKE SA and IPsec SA settings are either hardcoded or configured on a per-policy basis: 

Authentication method is always preshared key. Certificates are not supported in this release of ETEP 
software.  

Negotiation mode is Main mode.

Encryption and authentication algorithms are not configurable for IKE Phase 1. The ETEP uses the 
Phase 2 algorithms in Phase 1 negotiations. Phase 2 algorithms are configured on a per-policy basis. 
See 

“Configuring an IKE Encryption Policy” on page 84

 for more information about selecting Phase 2 

algorithms.

Related topics:

“Changing the IKE Parameters” on page 79

“Viewing the Current IKE Parameter Settings” on page 81

“Configuring an IKE Encryption Policy” on page 84

Changing the IKE Parameters

Before modifying the IKE parameters, you may want to view the current settings using the 

show-ike-

params

 command. 

After making any changes to the IKE parameters, there are two ways to apply the changes to the ETEP:

Restart the IKE server, which changes the IKE parameters without deploying policies. You may 
choose to do this when changing the pre-shared keys used in IKE negotiations. 

Deploy policies, which restarts the IKE server and updates the policy databases (SAD and SPD).

Restarting the IKE server tears down existing IKE connections and updates the keys. Traffic is dropped 
until the new Phase 1 SAs are established. 

Table 41

 IKE SA negotiation parameters (Phase 1)

Parameter

Default

Preshared key value

01234567

SA lifetime in seconds

86,400 

Diffie-Hellman groups

2

Table 42

 IPsec SA negotiation parameters (Phase 2)

Parameter

Default

SA lifetime in seconds

28,800 

Perfect forward secrecy (PFS) groups

2

Содержание ET0010A

Страница 1: ...t including Policy Manager PM Key Management System KMS and EncrypTight Enforcement Points ETEPs ETEP Command Line Interface CLI User Guide ET0010A ET0100A ET1000A Order toll free in the U S Call 877...

Страница 2: ...ord Enforcement 19 Upgrading Software 20 Removing ETEPs From Service 20 Adding Users 20 Understanding User Roles 21 User Name Conventions 22 Creating a New User Default Password Enforcement Policy 22...

Страница 3: ...er 2 Point to Point Policy 58 Configuring the Policy Mode 59 Layer 2 Policy Example 60 Verifying the Policy 62 How the ETEP Encrypts and Authenticates Layer 2 Traffic 63 Creating Local Site Policies 6...

Страница 4: ...Maintenance 99 Installing ETEP Software Updates 99 File System Backup and Restore 99 Restoring the Factory Configuration 100 Changing the Port Status 101 Chapter 6 Troubleshooting 103 Symptoms and Sol...

Страница 5: ...35 date 135 debug shell 136 deploy policy set 137 dfbit ignore 138 dhcprelay 139 disable trusted hosts 140 exit 141 filesystem download 141 filesystem reset 143 fips mode enable 144 help 145 ike param...

Страница 6: ...ority 178 policy selector 179 port enable 181 reassembly 181 reboot 182 remote interface 183 remote user cert auth mode 183 restart ike 184 restore filesystem 185 restore policy set 186 show 187 show...

Страница 7: ...8 ETEP CLI User Guide Contents...

Страница 8: ...ng up and maintaining network equipment Assumptions This document assumes that its readers have an understanding of the following Basic principles of TCP IP networking including IP addressing switchin...

Страница 9: ...ETEP CLI User Guide Contacting Black Box Technical Support Contact our FREE technical support 24 hours a day 7 days a week Phone 724 746 5500 Fax 724 746 0746 e mail info blackbox com Web site www bl...

Страница 10: ...s while it travels over untrusted networks With straightforward setup and configuration the ETEP has the flexibility to provide Ethernet frame encryption for Layer 2 networks IP packet encryption for...

Страница 11: ...unctions of policy management key generation and distribution and policy enforcement As a result multiple ETEPs can use common keys This works for complex mesh hub and spoke and multicast networks as...

Страница 12: ...llation tasks are complete before configuring the ETEP Install the required user supplied software on the management workstation as described in the Installation Guide Make sure that the firewalls in...

Страница 13: ...lly logged in the command line prompt displays as shown below password text is not displayed pep login admin Password Last login Tue Jan 29 19 18 59 2008 on ttyS0 Welcome admin it is Tue Jan 29 19 37...

Страница 14: ...ds are entered to configure the appliance Enter configuration mode by typing configure From this level you can access several additional configuration modes for interface settings policies and user ad...

Страница 15: ...Getting Started 16 ETEP CLI User Guide...

Страница 16: ...nto operation in the network Select the password enforcement policy Add users including assigning a user name and role to each user Change the default passwords In addition the Administrator can enabl...

Страница 17: ...ings depend on the ETEP s password enforcement policy as shown in Table 3 Related topics Setting the Password Enforcement Policy on page 18 Creating a New User Default Password Enforcement Policy on p...

Страница 18: ...password enforcement command Attributes are described in Table 4 password enforcement default strong Example This example enables strong password controls user config password enforcement strong Rela...

Страница 19: ...rator accounts while the ETEP is out of service all users will be locked out and the ETEP must be returned to the factory Adding Users At a minimum adding a user involves creating a user name and asso...

Страница 20: ...gnostics Default user names are shown in Table 5 The Administrator can manage the ETEP using the CLI or the EncrypTight software The Ops user is able to log in only to the CLI and has access to a limi...

Страница 21: ...iate a common name with the ETEP user These names must match the common names used on the identity certificates included on the CACs See the EncrypTight User Guide to learn how to enable this feature...

Страница 22: ...ficates included on the CACs See the EncrypTight User Guide to learn how to enable this feature across the components of your EncrypTight system To add a new user when strong password enforcement is e...

Страница 23: ...last time the a user s password was changed exceeds the password expiration days the ETEP will require the password to be reset before allowing you to modify other user settings To modify a user 1 En...

Страница 24: ...assword reset 1 3 Password expiration warning days 10 3 Expiration grace period days 10 Maximum login sessions 2 The following example removes a common name from an Ops user named tech1 admin configur...

Страница 25: ...not yet have a password assigned An existing account that the Administrator manually disabled Accounts that are disabled because of a login failure are not flagged in the show command output Example...

Страница 26: ...ited number of failed login attempts without locking the user out of the appliance Strong Password Conventions Passwords must be at least 15 characters long Standard alphanumeric characters are allowe...

Страница 27: ...e terminal admin configure config user config user config password modify ops Password Retype new password Related topics Password Enforcement Options on page 17 Setting the Password Enforcement Polic...

Страница 28: ...account the Administrator must first add a new user and then assign a password to the account To restore a locked account 1 Enter user configuration mode admin configure config user config user config...

Страница 29: ...t with the user enable command To determine whether an account has been disabled due to login failures issue the show audit log command and review the log file for a series of login failures An accoun...

Страница 30: ...access controls to protect USG interests not for your personal benefit or privacy Notwithstanding the above using this IS does not constitute consent to PM LE or CI investigative searching or monitori...

Страница 31: ...vides user authorization in addition to certificate based authentication When you use a CAC EncrypTight components use the certificates installed on the card to determine if a user is authorized to pe...

Страница 32: ...p the ETEP to use a CAC involves several tasks 1 Install certificates on the ETEPs This task is performed using the EncrypTight software 2 Enable strict authentication on the ETEPs 3 Enable remote use...

Страница 33: ...User Administration 34 ETEP CLI User Guide...

Страница 34: ...Describes commands that are common to Layer 2 and Layer 3 operation such as management port configuration date and time auto negotiation session inactivity timer and loss of signal pass through Layer...

Страница 35: ...These settings can be configured by the Admin and Ops users About the management port IP address mask and gateway The management port must have an assigned IP address in order to be managed remotely...

Страница 36: ...s 192 168 10 10 To send packets between the two devices the local port on Router 1 is specified as the default gateway 192 168 10 1 The gateway address must match the subnet of the management port Fig...

Страница 37: ...ig prompt or type top to return to the command prompt 1000 Mbps Full duplex 3 1000 Mbps Half duplex 3 ip address Management port IP address entered in dotted decimal notation subnet mask IP subnet mas...

Страница 38: ...an if exit The following example sets an IPv6 address prefix length and default gateway on the management port admin configure config management interface man if ip6 2001 DB8 211 11FF FE58 743 64 2001...

Страница 39: ...k City United States UTC 5 07 00 New Delhi India UTC 5 30 17 30 To set the date and time 1 At the command prompt type configure to enter configuration mode 2 At the config prompt type date year month...

Страница 40: ...ghput speed 1 At the command prompt type show throughput speed The throughput speed is also displayed in the output of the show running config command Examples The following example adds a 25 Mbps lic...

Страница 41: ...in Table 16 autoneg enable disable speed flow control Table 15 Link speeds on the local and remote ports Link speed Auto negotiate Fixed Speed Fixed Speed All ETEPs ET0010A ET0100A ET1000A 10 Mbps Ha...

Страница 42: ...en a loss of signal is detected on the local port the remote port transmitter is disabled Alternatively the ETEP port transmitter can be configured to always remain enabled regardless of the other por...

Страница 43: ...and prompt enter the cli inactivity timer command where n is the number of minutes ranging from 0 1440 minutes 24 hours admin cli inactivity timer n Related topic cli inactivity timer on page 134 Conf...

Страница 44: ...2 point to point policies the two ETEPs must be able to communicate with each other to exchange key information In some Layer 2 networks all frames must have a VLAN tag to traverse the network The ETE...

Страница 45: ...icies In non transparent mode the local and remote ports have user assigned IP addresses Non transparency settings apply when the ETEP is configured for Layer 3 operation and being used in a distribut...

Страница 46: ...Transparent Mode for Layer 3 Policies on page 52 Transparent mode is the ETEP s default mode of operation and is appropriate for most Layer 3 distributed key policies To use the ETEP in a Layer 3 vir...

Страница 47: ...butes are described in Table 22 reassembly host gateway Table 20 Commands that control network interoperability Command Description Default Setting reassembly Specifies who performs the reassembly of...

Страница 48: ...turned on You can override the default behavior by disabling the DF Bit handling on the local port The ETEP will then discard packets in which the DF bit is set and the packet length including the en...

Страница 49: ...ipv6Traffic clear discard Example This example configures the ETEP to discard IPv6 traffic admin configure config policies policies ipv6Traffic discard Related topic ipv6Traffic on page 153 Using DHCP...

Страница 50: ...tion mode admin configure config local interface 2 Configure the dhcprelay command Attributes are described in Table 24 dhcprelay enable ipAddress disable Example The following example assigns local a...

Страница 51: ...sses To configure the ETEP for non transparent mode do the following Assign IP addresses to the local and remote ports on page 52 Disable transparent mode thereby allowing the ETEP to use the data por...

Страница 52: ...pond to ARPs In non transparent mode the original source IP address in the outbound packet header is replaced with either an IP address for the remote port The ETEP port MAC address is used as the pac...

Страница 53: ...is important that a proper system shutdown is performed prior to powering off the appliance The shutdown command halts all running tasks on the ETEP and prepares it for being powered off Failure to pe...

Страница 54: ...the following message is displayed on the terminal Power cycle required to reboot appliance 3 Unplug the power cable from the back of the unit or from the power outlet Example In the following exampl...

Страница 55: ...Configuring the ETEP 56 ETEP CLI User Guide...

Страница 56: ...s Changing the clocks after the policy is established may cause traffic to be dropped Creating Layer 2 Point to Point Policies It takes only a few minutes to configure the ETEP for Layer 2 point to po...

Страница 57: ...nion ETEP must be assigned the opposite role of its peer primary or secondary Table 28 layer2 p2p command description Attribute Description Traffic handling encrypt clear discard The ETEP has three op...

Страница 58: ...ent is enabled and TLS traffic passes in the clear Several of these settings need to be modified for Layer 2 point to point operation Preshared key We recommend that you change the key from its defaul...

Страница 59: ...rator logs in and configures the management port and then sets the date and time After entering policy configuration mode the next two commands configure the Layer 2 policy and the policy mode specify...

Страница 60: ...t to the primary role as shown in Figure 7 and the local site ETEP is assigned the secondary role as shown in Figure 8 Both ETEPs are configured with the same preshared key value and group ID Figure 6...

Страница 61: ...w encrypt policy Encryption policy Layer 3 EncrypTight policy management enabled true TLS is traffic in clear enabled A Layer 2 point to point policy is shown in the next example policies show Encrypt...

Страница 62: ...is being exchanged The SA is a unidirectional secure tunnel through which data passes between the two appliances Each secure connection has two SAs one for each direction SAs are identified by a valu...

Страница 63: ...protected using EncrypTight The local site ETEP 1 is on the same subnet as the EncrypTight management devices 2 and 3 The management devices communicate with the remote site ETEPs 4 over the same link...

Страница 64: ...traffic based on Ethertype or VLAN ID At Layer 3 policies can be configured with fairly coarse traffic filters allowing access to an entire subnet or to all destinations 0 0 0 0 0 Or you can create m...

Страница 65: ...d in the order in which you intend Policy keying protect policies only Encryption policies are manually keyed These keys are static and refreshed only when the policy is updated Related topics Assigni...

Страница 66: ...efine a bypass or discard policy 1 Enter local site policy configuration mode admin configure config policies policies local site policies local site policy 2 Enter policy config mode As part of the c...

Страница 67: ...as a hexadecimal or decimal value Hexadecimal values must be preceded by 0x VLAN ID vlanID any Enter a VLAN ID in the range of 1 4094 or enter any to accept any VLAN ID policy selector remote ip loca...

Страница 68: ...inbound and outbound SAs individually or use the any attribute to create both SAs with a single command Encryption behavior is dependent on the ETEP s mode of operation as summarized in Table 36 When...

Страница 69: ...nd SA You can configure the inbound and outbound SAs individually or use the any attribute to create both SAs from a single command See Table 37 for a description of the command parameters policy manu...

Страница 70: ...olicy manual key direction spi encryptionAlgorithm authenticationAlgorithm encryptionKey authenticationKey direction in out any Specifies the direction of the SA The any attribute creates two bidirect...

Страница 71: ...ecimal number for encryption key 1234567890123456789012345678901212345678901234567890123456789012 Please enter 40 character hexadecimal number for authentication key 1234567890123456789012345678901234...

Страница 72: ...pt type backup policy set and press ENTER Related topics Viewing the Local Site Policy Set on page 72 Restoring the Local Site Policy Set on page 75 Deploying Local Site Policies The deploy policy set...

Страница 73: ...nagement Policies on page 92 Deleting a Local Site Policy To delete a local site policy first issue the policy delete command using the policy name that you want to remove and then deploy the policy s...

Страница 74: ...set The backup copy of the policy set is retained after a restore operation A subsequent backup overwrites the previous backup copy of the policy set To restore the backup file 1 From the local site...

Страница 75: ...umber for OSPF is 89 The BypassOSPF policy uses wild carded addresses meaning that it applies to traffic from any source and to any destination The first command in the example makes a backup copy of...

Страница 76: ...012345678901234567890 policy config policy priority 65400 policy config exit local site policy show policy set local site policy deploy policy set Securing Management Port Traffic with IPsec Most mana...

Страница 77: ...es that will be communicating with the ETEP you will need to Configure IPsec policies on the ETEP management port see ETEP Task Summary on page 78 Configure the IPsec client See your IPsec client docu...

Страница 78: ...algorithms Related topics Changing the IKE Parameters on page 79 Viewing the Current IKE Parameter Settings on page 81 Configuring an IKE Encryption Policy on page 84 Changing the IKE Parameters Befo...

Страница 79: ...st be entered in the ETEP and its peer Note the following conventions when creating a preshared key The key is a case sensitive alphanumeric string from 1 255 characters in length A minimum of 8 chara...

Страница 80: ...the ETEP To apply the saved settings issue the restart ike command To view the IKE parameters 1 Enter ipsec config mode admin configure config management interface man if ipsec config ipsec config 2...

Страница 81: ...policy priority specifies the order in which policies are processed on the ETEP For each incoming packet the ETEP searches through the list of policies starting with the policy that has the highest p...

Страница 82: ...topics Assigning Policy Names on page 83 Configuring an IKE Encryption Policy on page 84 Configuring a Manual Key Encryption Policy on page 86 Configuring a Bypass or Discard Policy on the Management...

Страница 83: ...the name of a policy that has been added ipsec config policy config name 4 Set the policy action command to protect to indicate that this is an encryption policy policy action protect 5 Set the policy...

Страница 84: ...t on the far side of the untrusted network in CIDR notation IP address prefix The default is set to 0 0 0 0 0 which means process all packets coming from any address local ip IPv4 or IPv6 address of t...

Страница 85: ...f the two peers that form the secure tunnel endpoints such as the ETEP and management workstation The encryption and authentication keys must be entered identically on each peer Each IPSec connection...

Страница 86: ...ust be different than in the inbound SA The encryption and authentication algorithms and their associated keys can be the same 9 Assign a unique priority to the policy Policies are enforced in descend...

Страница 87: ...a unique SPI The SPI is a decimal value between 256 and 4096 protocol esp ah AH provides data authentication ESP provides encryption and authentication encryptionAlgorithm 3des cbc aes128 cbc aes256...

Страница 88: ...low priority If a packet fails to meet the criteria of any bypass or protect policies that apply to specific subnets then it gets discarded To define a bypass policy 1 Enter IPsec configuration mode...

Страница 89: ...active management policies and pending changes Make a backup copy of the active policies running on the ETEP Deploy the new policy set to the ETEP Table 48 Policy selector command Command Description...

Страница 90: ...Backing Up the Policy Set Before making any changes to the management port policies it is a good practice to make a backup copy of the active policies In the event you want to return to the last known...

Страница 91: ...tiating to establish SAs when policies are deployed to each peer Manual key policies should take effect upon boot up If a manual key policy is not automatically re established after a power cycle init...

Страница 92: ...actory state Clearing the current policies removes all the active policies that are running on the ETEP pending policies and the backup copy of the policy set Clearing the management port policies rem...

Страница 93: ...reate the following policies IKE encryption policy to encrypt all traffic between the ETEP management port and the management workstation Manual key encryption policy to encrypt all traffic between th...

Страница 94: ...s two encryption algorithms and two authentication algorithms The last set of commands displays the pending policy changes and then deploys the new policy Deploying the policy automatically restarts t...

Страница 95: ...er hexadecimal number for authentication key 11223344556677889900aabbccddeeff87654321 policy config policy priority 60000 Bypass Policy Example The following example defines the selectors for a policy...

Страница 96: ...affic with IPsec ETEP CLI User Guide 97 policy config exit ipsec config show policy set ipsec config backup policy set ipsec config deploy policy set Figure 18 The show policy set commands lists the a...

Страница 97: ...Creating Policies 98 ETEP CLI User Guide...

Страница 98: ...ot authenticate the new software the upgrade process is terminated and the new software is not installed on the appliance The show upgrade status and show system log CLI commands provide status on the...

Страница 99: ...on Two CLI commands are available for restoring factory settings on the ETEP The filesystem download command installs a new software image and removes the previous appliance configuration files The fi...

Страница 100: ...he Admin user Related topic port enable on page 181 update filesystem on page 198 Table 51 Backup and factory image commands Command Factory Image Backup Image Running Image New appliance no command F...

Страница 101: ...Maintenance 102 ETEP CLI User Guide...

Страница 102: ...ions Diagnostic Commands Additional Diagnostic Tools Symptoms and Solutions The following tables provide some solutions to common problems that may occur with your ETEP Management Troubleshooting on p...

Страница 103: ...g policy settings have been configured on each If you stop securing the management port with IPsec be sure to disable the IPSec client on the workstation Changing the management port IP address invali...

Страница 104: ...d for Layer 2 IKE operation on the data ports you cannot deploy an IKE policy on the management port Workarounds Deploy an manual key policy on the management port or take the ETEP out of Layer 2 IKE...

Страница 105: ...7 Check for a mismatch between the date and time of the policy shown in the SAD and the date and time on the appliance show date command If the dates and times don t match you may have a time sync pro...

Страница 106: ...TEPs The policy mode command must be configured for Layer 2 IKE operation for the policies to take effect Layer 2 IKE traffic is being discarded If you use a time service to set the time forward on th...

Страница 107: ...ssing mode is remote IP or virtual IP In the policy editor clear the check boxes for all Addressing Mode Overrides In the router Add a static route entry and static ARP entry to the WAN router to ensu...

Страница 108: ...ate the Alarm LED illuminates and the appliance discards all packets it receives Depending on the error other notifications may be sent traps status messages to the ETEMS or the terminal To recover fr...

Страница 109: ...15 show distkey log Displays log messages about EncrypTight distributed key functionality such as rekeys and policy deployments show dual power status Displays the operational status of the ET1000A po...

Страница 110: ...s on page 111 for links to the command reference and additional examples Examples The following example pings host 192 168 1 1 from the ETEP management port The count specifies the ping operation will...

Страница 111: ...d packets isn t obvious and cannot be explained by the discard counters the policy packet counters let you compare packet counts between the sending and receiving ETEPs to determine the source of the...

Страница 112: ...other area to check when you are experiencing packet loss The policy packet count feature is disabled by default To minimize the impact on performance we recommend enabling the feature for troubleshoo...

Страница 113: ...a concatenated file of all log messages SNMP traps To monitor ETEP events system status and warning and error conditions ETEMS lets you set up SNMP trap reporting Table 61 Tools available from the CL...

Страница 114: ...rds command or click View Status in ETEMS Discard reasons are listed in Table 62 Table 62 Discard packet descriptions Reason Reason continued Fragmentation error Remote port non IP ICMP non zero fragm...

Страница 115: ...ll over after reaching their maximum value To view MAC statistics From the CLI enter the show all command In ETEMS click View Statistics Counters Counters are displayed for transmitted and received pa...

Страница 116: ...transmitted and received packets on each port grouped by frame size 64 byte frames 65 to 127 byte frames 128 to 255 byte frames 256 to 511 byte frames 512 to 1023 byte frames 1024 to 1518 byte frames...

Страница 117: ...categorized as inbound or outbound Inbound packets arrive at the remote port from the untrusted network Outbound packets are sent from the remote port to the untrusted network Policy Type The policy t...

Страница 118: ...fies the length of time that the keys and policies will be active before the EncrypTight sends new keys The lifetime specified in the distributed key policy is stored on the EncrypTight key server not...

Страница 119: ...Troubleshooting 120 ETEP CLI User Guide...

Страница 120: ...lowing conditions are true EncrypTight distributed key policies are installed that use non FIPS approved algorithms IKE policies are configured on the management port interface that use non FIPS appro...

Страница 121: ...lays when communicating with the ETEP When the ETEP is rebooted with FIPS mode enabled the ETEP does not become operational until 30 60 seconds after the login prompt is displayed In the interim attem...

Страница 122: ...the EncrypTight User Guide ETEP appliances are shipped with all encryption mechanisms disabled to allow installation test and acceptance Prior to operation encryption mechanisms should be enabled The...

Страница 123: ...FIPS 140 2 Level 2 Operation 124 ETEP CLI User Guide...

Страница 124: ...e the Ops user has access to a limited subset of the commands The default user names and passwords are listed in Table 67 Most commands take effect when they are issued Commands that affect the file s...

Страница 125: ...onfigured the appliance will use its default value ip ip address subnet mask gateway The ip command with the optional gateway attribute might look like this ip 10 168 224 1 255 255 0 0 10 168 1 1 The...

Страница 126: ...ted as the same command Table 68 Cursor movement keys Key Description CTRL A Move to the start of the line CTRL E Move to the end of the line up Move to the previous command line held in history down...

Страница 127: ...full 10m full 100m half 10m half When auto negotiation is disabled the speed attribute specifies the link speed and duplex setting On the management port the speed defaults to 100m full On the local...

Страница 128: ...f the other device On the management port the ETEPs support the speeds shown in Table 72 On the local and remote ports the ETEPs support the speeds shown in Table 73 NOTE If you are using copper SFP t...

Страница 129: ...nterface ipsec config local site configuration mode config policies local site policies Syntax backup policy set Usage Guidelines The backup policy set command makes a backup copy of the deployed poli...

Страница 130: ...moves all certificates from the appliance and generates a self signed certificate User Type Administrator Hierarchy Level Management interface configuration mode config management interface Syntax cle...

Страница 131: ...s Hierarchy Level Management interface configuration mode config management interface Syntax clear known hosts ip Attributes ip IP address of the SFTP server The ETEP accepts IPv4 and IPv6 addresses U...

Страница 132: ...ncrypt and drop policies currently installed on the ETEP All traffic is sent in the clear until you create and deploy new policies or until the policies are rekeyed You will be prompted for confirmati...

Страница 133: ...s Clearing the current policies removes the active policies that are running on the ETEP pending policies and the backup copy of the policy set Clearing the management port policies removes the polici...

Страница 134: ...ault Setting the inactivity timer does not affect the current CLI session The change is effective on all subsequent CLI sessions Example admin configure config cli inactivity timer 250 configure Descr...

Страница 135: ...the appliance after changing the date and time under other circumstances If you are setting the date because of a certificate problem and cannot communicate with the appliance using ETEMS Issue the da...

Страница 136: ...ll deploy policy set Description The deploy policy set command deploys policies to the ETEP This command is available when working with IPsec policies on the ETEP management interface and local site p...

Страница 137: ...in the IP header or acts in accordance the DF bit setting User Type Administrator Hierarchy Level Local interface configuration mode config local interface Syntax dfbit ignore on off Attributes on The...

Страница 138: ...server that is on a different subnet The DHCP relay feature is applicable in Layer 3 IP networks User Type Administrator Hierarchy Level Local interface configuration mode config local interface Synt...

Страница 139: ...e 148 transparent mode enable on page 196 Example The following example assigns local and remote port IP addresses to the ETEP disables transparent mode and then enables the dhcprelay command specifyi...

Страница 140: ...e ETEP The disable trusted hosts command disables the trusted hosts on the ETEP allowing it to be managed from ETEMS again Example admin configure config disable trusted hosts exit Description The exi...

Страница 141: ...P user name or password After issuing the command you will be prompted to confirm that you want to continue Type yes to continue or no to cancel This command automatically reboots the appliance Upon r...

Страница 142: ...you will be prompted to confirm that you want to continue Type yes to continue or no to cancel This command automatically reboots the appliance Upon reboot you will need to reset the management IP add...

Страница 143: ...Psec policy has been configured to protect the SNMP traffic for each specific trap host The debug shell is in use Strict client authentication is enabled on the management port Placing the ETEP in a F...

Страница 144: ...mode on the management interface From here you can define the global Phase 1 and Phase 2 negotiation settings used in IKE encryption policies These settings are applied to all IKE encryption policies...

Страница 145: ...ation for the later creation of keys by the peers Group 1 is the least secure and least computationally demanding Group 18 provides the highest level of security and also involves the most processing...

Страница 146: ...ess frequent renegotiations and result in fewer dropped packets The IKE SA lifetime is a global setting that will be used in all IKE encryption policies on the ETEP management port Related topic Confi...

Страница 147: ...pha characters and numbers 0 9 are allowed The following special characters are not allowed The IKE preshared key is a global setting that will be used in all IKE encryption policies on the ETEP manag...

Страница 148: ...address is on a different subnet the ETEP sends the packet to the designated default gateway Usage Guidelines The management port must have an assigned IP address in order to be managed remotely and c...

Страница 149: ...network portion of the address The decimal value is preceded by a forward slash gateway IPv6 address of the router port that is on the same local network as the ETEP management port Usage Guidelines...

Страница 150: ...6 2001 DB8 211 11FF FE58 743 64 2001 DB8 20F F7FF FE84 BFC2 man if top admin ipsec config Description The ipsec config command enters IPsec configuration mode from management interface configuration m...

Страница 151: ...SA lifetime is the interval after which an SA must be replaced with a new SA or terminated This is a global setting that will be used in all IKE encryption policies on the ETEP management port Relate...

Страница 152: ...he highest level of security and also involves the most processing Setting the PFS group ID to none disables perfect forward secrecy This is a global setting that will be used in all IKE encryption po...

Страница 153: ...This example configures the ETEP to discard IPv6 traffic admin configure config policies policies ipv6Traffic discard layer2 p2p Description The layer2 p2p command defines a Layer 2 point to point pol...

Страница 154: ...used in the process of establishing security associations SAs between a pair of ETEPs Both ETEPs must use the same preshared key and group ID The policy does not take effect until the policy mode com...

Страница 155: ...ge of speeds that varies by model When you install the license you purchased ETEPs transmit traffic at the speed specified by the license You need to install a license on each ETEP that you use Licens...

Страница 156: ...ype Administrator Hierarchy Level Policies mode config policies Syntax local site policies Usage Guidelines Local site policies cannot be created or deployed when the ETEP is configured for Layer 2 st...

Страница 157: ...the logon banner admin configure config banner config banner config logon banner enable true management interface Description The management interface command allows configuration of the management in...

Страница 158: ...password is going to expire The password command resets a user s password in compliance with the password policy enabled by the Administrator default or strong password controls After entering the pa...

Страница 159: ...s Strong password controls enforce more stringent password rules and conventions than the default password controls The strong controls affect the following items Password conventions Password history...

Страница 160: ...ng password controls Related topics Default Password Conventions on page 27 Enabling and Disabling Accounts on page 29 Example In this example the Administrator changes the password for a user named t...

Страница 161: ...rface v Verbose output V Show version a Audible ping A Adaptive ping c count Stop after sending count ECHO_REQUEST packets With deadline option ping waits for count ECHO_REPLY packets until the timeou...

Страница 162: ...ment interface to host 192 168 1 124 admin network tools network tools ping c4 192 168 1 124 PING 192 168 1 124 192 168 1 124 from 192 168 1 69 eth2 56 84 bytes of data 64 bytes from 192 168 1 124 icm...

Страница 163: ...ample The following example sends 4 ICMP ECHO REQUEST packets from the ETEP management interface to host 2003 a8 124 waiting 2 seconds between sending each packet Informational options h help Display...

Страница 164: ...ands which include defining a Layer 2 point to point policy defining local site policies and setting the policy mode The policy mode configures the ETEP for Layer 2 or Layer 3 operation sets its keyin...

Страница 165: ...ect in a management port policy The example assumes that MyPolicy has already been added to the ETEP admin configure config management interface man if ipsec config ipsec config policy config MyPolicy...

Страница 166: ...characters Valid characters are upper and lower case alpha characters a z numeric characters 0 9 _ underscore and dash Policy names must start with an alpha character or an underscore The first chara...

Страница 167: ...d requires that you enter an existing policy name The policy name is entered using the policy add command Example The following example adds a management port policy named Test and enters policy confi...

Страница 168: ...g ipsec config policy delete MyPolicy ipsec config deploy policy set policy ike ipsec Description The policy ike ipsec command defines the IPsec transform set which includes the IPsec protocol and enc...

Страница 169: ...Level 2 Operation on page 121 Example This example defines a transform set for an IKE policy on the management port named MyPolicy The policy uses ESP AES 256 CBC as the encryption algorithm and HMAC...

Страница 170: ...automatically using IKE or entered manually This command is used in IPsec encryption policies on the ETEP management interface User Type Administrator Hierarchy Level IPsec policy config mode config m...

Страница 171: ...yer2 selector Description The policy layer2 selector command defines the traffic filters for a Layer 2 local site policy User Type Administrator Hierarchy Level local site policy config mode config po...

Страница 172: ...ig mode config policies local site policies policy config Syntax policy manual key direction spi encryptionAlgorithm authenticationAlgorithm encryptionKey authenticationKey Attributes direction out in...

Страница 173: ...tPolicy has already been added Encryption and authentication keys are displayed only until the ENTER key is pressed The example below shows the keys for demonstration purposes even though they are not...

Страница 174: ...ate length according to the selected algorithm In FIPS mode you have to enter the encryption and authentication keys twice Usage Guidelines This command is valid for manually keyed encryption policies...

Страница 175: ...ETEP for use in Layer 2 or Layer 3 policies Enable or disable EncrypTight policy and key generation distribution and management Enable or disable passing TLS traffic in the clear which allows TLS bas...

Страница 176: ...of an in service ETEP all encrypt and drop policies currently installed on the ETEP are removed Traffic is sent in the clear until you create and deploy new policies Example The first example configur...

Страница 177: ...l operation To clear the counters issue the show policy packet count clear command Related topics Determining the Cause of Dropped Packets on page 112 show on page 187 Example The following example en...

Страница 178: ...the show policy set command to do this The local site policies are assigned a higher priority than the priorities available to EncrypTight distributed key policies This ensures that the local site po...

Страница 179: ...all destinations 0 0 0 0 0 Or you can create more granular policies using selectors based on partial subnets individual destinations protocol types or source and destination ports Management policies...

Страница 180: ...ement local and remote configuration mode Syntax port enable true false Usage Guidelines Each port is configured independently of the others This port setting is persistent after a reboot Example The...

Страница 181: ...ies only when the ETEP s policy mode is set to Layer 3 When the policy mode is set to Layer 2 packets that are subject to fragmentation are encrypted prior to fragmentation Layer 2 jumbo packets that...

Страница 182: ...configuration of the remote interface User Type Administrator Hierarchy Level Configuration mode Syntax remote interface Example config remote interface rem if remote user cert auth mode Description...

Страница 183: ...list of authorized users EncrypTight software ETKMS and ETEP Communications that do not use an authorized common name and a valid certificate are rejected Setting up the ETEP to use a CAC involves se...

Страница 184: ...ic Changing the IKE Parameters on page 79 Deploying Management Policies on page 92 Example admin restart ike restore filesystem Description The restore filesystem command restores the appliance file s...

Страница 185: ...restore filesystem ATTENTION You have issued a service affecting restore command WARNING This command restores the backup copy of the appliance file system including the software image configuration f...

Страница 186: ...nner config User Type Administrator and Ops have access to the show command from command mode Only the Administrator can access the config mode show commands Hierarchy Level Command mode banner config...

Страница 187: ...Displays the contents of the SNMP log file spd Displays the security policy database entries system log Displays the contents of the system log file throughput speed Displays the throughput speed conf...

Страница 188: ...n the ETEP The saved settings are parameters that have been edited but not yet applied on the ETEP To apply the changes issue the restart ike command or deploy the policy set Related topics Viewing th...

Страница 189: ...ble 77 Related topic Viewing the Local Site Policy Set on page 72 Viewing the Policy Set on page 91 Example In the following example the Administrator displays the local site policies admin configure...

Страница 190: ...id seed seed Attributes seed The engine ID seed is a string from 1 256 characters Valid values in include upper and lower case alpha characters a z numbers 0 9 spaces and most printable keyboard chara...

Страница 191: ...ble Description The ssh enable command enables and disables SSH access to the management port User Type Administrator Hierarchy Level Configuration mode Syntax ssh enable true false Attributes true En...

Страница 192: ...thentication from the EncrypTight software but there can be situations where you cannot communicate with the appliance from the management workstation In this case you can connect to the appliance thr...

Страница 193: ...LI The syntax of the command follows Linux conventions Linux commands are case sensitive User Type Administrator and Ops Hierarchy Level Network tools mode config network tools Syntax traceroute dFInr...

Страница 194: ...e default is 5 seconds z pausemsecs Minimal time interval between probes default is 0 host IP address of the network host It can be followed by the size of the probing packet that is sent to the host...

Страница 195: ...arent in Ethernet networks when configured as a Layer 2 encryptor If you want to conceal the original source IP address when sending encrypted traffic configure the ETEP to operate in non transparent...

Страница 196: ...port The ETEP performs this function by monitoring for loss of signal at the port s receiver For example when the loss of signal is detected on the ETEP s remote port the local port transmitter is dis...

Страница 197: ...ry listing relative to the root FTP directory do not enter the entire path ftpUser User ID of a user on an FTP host ftpPassword FTP user s password ftpSecure ftp sftp Defines the file transfer protoco...

Страница 198: ...rd warning password grace period maximum login sessions Attributes name Specifies the user name role admin ops Associates a user role with the user name common name The common name from the Common Acc...

Страница 199: ...entity certificates included on the CACs The common name identifies an authorized user on the ETEP Passwords are optional when using common names Users without assigned passwords can access the ETEP t...

Страница 200: ...t admin configure config user config user config user add dallas admin name domain com user config Description The user config command enters user configuration mode from configuration mode From here...

Страница 201: ...cription The user enable command enables and disables a user account User Type Administrator Hierarchy Level User config mode config user config Syntax user enable name true false Attributes name Spec...

Страница 202: ...es the user name role admin ops Associates a user role with the user name common name The common name from the Common Access Card s identity certificate By default a common name is not used password e...

Страница 203: ...d Enforcement Options on page 17 Modifying Users on page 24 Enabling and Disabling Accounts on page 29 Examples This example changes the tech1 user s role from ops to admin Default password enforcemen...

Страница 204: ...fault value is 0 tag id Sets the VLAN ID Valid values range from 0 4094 The default value is 1 Usage Guidelines The vlan tag command is needed when the following two conditions are met The ETEP is dep...

Страница 205: ...Command Reference 206 ETEP CLI User Guide...

Страница 206: ...usage tips 126 commands autoneg 128 backup policy set 130 banner config 131 clear certificates 131 clear known hosts 132 clear policies 133 clear policy set 133 cli inactivity timer 134 configure 135...

Страница 207: ...ort 10 D date command 135 date changing 40 debug shell command 136 default gateway configuration management port 36 default password conventions 27 deploy policy set command 137 DF bit handling config...

Страница 208: ...rough the serial port 14 logging using the audit log 32 login banner See banners 30 login failures limits and recovery 30 logon banner enable command 157 loss of signal pass through configuring 43 M M...

Страница 209: ...how policy set 189 policy mode Layer 2 Layer 3 configuring 60 policy troubleshooting 107 port status enabling and disabling 101 monitoring 106 port enable command 181 R reassembly command 181 reassemb...

Страница 210: ...9 MAC statistics 116 management communications 105 non transparent mode traffic 108 packet counters 116 policies 107 policy tracking tool 112 port status 115 SPD and SAD files 117 time synchronization...

Страница 211: ...Index 212 ETEP CLI User Guide...

Страница 212: ...ted by free live 24 7 Tech support available in 30 seconds or less Copyright 2011 All rights reserved Black Box and the Double Diamond logo are registered trademarks of BB Technologies Inc Any third p...

Отзывы:

Нет отзывов