manualshive.com logo in svg

Johnson Controls P2000, Руководство по установке

Поделиться
Скачать
Johnson Controls P2000 Скачать руководство пользователя страница 36

Glossary

VPN/DSL Security Option

A-4

 

24-10618-155 Rev. A

This document contains confidential and proprietary information of Johnson Controls, Inc.

© 2012 Johnson Controls, Inc.

Perfect Forward Secrecy (PFS)

 – A method for deriving Phase 2 keys independent from and 

unrelated to the preceding keys. Alternatively, the Phase 1 proposal creates the key (the 
SKEYID_d key) from which all Phase 2 keys are derived. The SKEYID_d key can generate 
Phase 2 keys with a minimum of CPU processing. Unfortunately, if an unauthorized party 
gains access to the SKEYID_d key, all your encryption keys are compromised. PFS 
addresses this security risk by forcing a new Diffie-Hellman key exchange to occur for each 
Phase 2 tunnel. Using PFS is thus more secure, although the re-keying procedure in Phase 2 
might take slightly longer with PFS enabled.

Point-to-Point Tunneling Protocol (PPTP)

 – PPTP is an extension of the Point-to-Point Protocol 

that is used for communication on the Internet. It was developed by Microsoft to support 
virtual private networks (VPNs), which allow individuals and organizations to use the 
Internet as a secure means of communication. PPTP supports encapsulation of encrypted 
packets in secure wrappers that can be transmitted over a TCP/IP connection.

Replay Protection

 – A replay attack occurs when somebody intercepts a series of packets and 

uses them later either to flood the system, causing a denial-of-service (DoS), or to gain entry 
to the trusted network. The replay protection feature enables devices to check every IPSec 
packet to see if it has been received before.

Security Association

 – An SA is a unidirectional agreement between the VPN participants 

regarding the methods and parameters to use in securing a communication channel. For 
bidirectional communication, there must be at least two SAs, one for each direction. The 
VPN participants negotiate and agree to Phase 1 and Phase 2 SAs during an AutoKey IKE 
negotiation. See also 

Security Parameters Index.

Security Parameters Index

 – (SPI) is a hexadecimal value which uniquely identifies each tunnel. 

It also tells the NetScreen device which key to use to decrypt packets.

SHA-1

 – Secure Hash Algorithm-1, an algorithm that produces a 160-bit hash from a message 

of arbitrary length. (It is generally regarded as more secure than MD5 because of the larger 
hashes it produces.)

Tunneling

 – A method of data encapsulation. With VPN tunneling, a mobile professional dials 

into a local Internet Service Provider’s Point of Presence (POP) instead of dialing directly 
into their corporate network. This means that no matter where mobile professionals are 
located, they can dial a local Internet Service Provider that supports VPN tunneling 
technology and gain access to their corporate network, incurring only the cost of a local 
telephone call. When remote users dial into their corporate network using an Internet Service 
Provider that supports VPN tunneling, the remote user as well as the organization knows that 
it is a secure connection. All remote dial-in users are authenticated by an authenticating 
server at the Internet Service Provider’s site and then again by another authenticating server 
on the corporate network. This means that only authorized remote users can access their 
corporate network, and can access only the hosts that they are authorized to use.

Virtual Private Network (VPN)

 – A VPN is an easy, cost-effective and secure way for 

corporations to provide telecommuters and mobile professionals local dial-up access to their 
corporate network or to another Internet Service Provider (ISP). Secure private connections 
over the Internet are more cost-effective than dedicated private lines. VPNs are possible 
because of technologies and standards such as tunneling, screening, encryption, and IPSec.

Содержание P2000

Страница 1: ...VPN DSL Security Option Installation Manual P2000 Security Management System April 2012 24 10618 155 Revision A ...

Страница 2: ......

Страница 3: ...P2000 Security Management System VPN DSL Security Option Installation Manual April 2012 24 10618 155 Revision A Security Solutions 805 522 5555 www johnsoncontrols com ...

Страница 4: ...Copyright 2012 Johnson Controls Inc All Rights Reserved No part of this document may be reproduced without the prior permission of Johnson Controls Inc ...

Страница 5: ...nson Controls Inc shall not be liable for errors contained herein or for incidental or consequential damages in connection with furnishing or use of this material Contents of this publication may be preliminary and or may be changed at any time without any obligation to notify anyone of such revision or change and shall not be regarded as a warranty Declaration of Conformity This product complies ...

Страница 6: ...rwarded away from the host computer Central Station using the feature Message Forwarding 9 The Panel Poll Interval must not exceed 90 seconds 10 The Host Poll Delay must not exceed 200 seconds 11 P2000 or P2K server must use transient suppression devices on the LAN interfaces at the computers The table below specifies the devices that must be used for the various types of LAN interfaces LAN Interf...

Страница 7: ...ified 19 For Line Security over the Internet between the P2000 or P2K server and the controllers D620 D6AP and S320 the following equipment shall be used NetScreen Model NS 5XT X0X where X is any number 0 to 9 4 Port VPN router and Digi International Model EtherLite2 serial port server The P2000 or P2K server and router shall be configured to use an encryption method including an Authentication He...

Страница 8: ...ough the Web Access feature are supplementary 30 P2000 or P2K systems use the PC232 S4 1 Protocol Converter to communicate to D620 D6AP and or S320 controllers a controller must be connected to the port defined as Loop 1 at the P2000 or P2K for Protocol Converter s tamper switch to report as an alarm 31 The communication medium between the protected property and communications service provider sha...

Страница 9: ...ver to Back End Router Connection 2 4 NetScreen 5XT Router Installation and Configuration 2 5 NetScreen 5XT Installation 2 5 NetScreen 5XT Configuration 2 6 Resetting the NetScreen 5XT Router 2 13 Linksys BEFVP41 Router Installation and Configuration 2 13 Linksys BEFVP41 Installation 2 13 Linksys BEFVP41 Configuration 2 14 Linksys BEFSX41 Router Installation and Configuration 2 15 Linksys BEFSX41 ...

Страница 10: ...Table of Contents VPN DSL Security Option viii 24 10618 155 Rev A This document contains confidential and proprietary information of Johnson Controls Inc 2012 Johnson Controls Inc ...

Страница 11: ... The traffic that flows between these points passes through shared resources such as routers switches and other network equipment that make up the public WAN To secure communication while passing through the WAN the two participants create an IP Security IPSec tunnel CHAPTER SUMMARIES Chapter 1 Introduction describes the purpose of this document and the manual conventions Chapter 2 Configuration c...

Страница 12: ...Introduction VPN DSL Security Option 1 2 24 10618 155 Rev A This document contains confidential and proprietary information of Johnson Controls Inc 2012 Johnson Controls Inc ...

Страница 13: ...ecurity Payload employed Table 2 1 IPSEC Parameters Mode Tunnel Protocol Encapsulating Security Payload ESP Authentication Protocol AH Authentication SH1 Secure Hash Algorithm 1 SHA 1 ESP Encryption Triple DES 3DES 168 bit Key Key Management AutoKey IKE with a preshared key Diffie Hellman Exchange Group 2 1024 bit modulus Perfect Forward Secrecy PFS Enabled Phase 1 3DES Main Mode six message excha...

Страница 14: ...nksys and or NetScreen routers listed below Linksys routers are less expensive but are not National Institute of Standards and Technology NIST certified or Underwriters Laboratories UL compliant Select the routers according to your site requirements Table 2 2 Required Hardware Make Model Description Combination of two of the following see router combination information below NetScreen 5XT NIST Cer...

Страница 15: ...roller 192 168 1 x 255 255 255 0 OR 192 168 1 x 255 255 255 0 Workstation 201 0 0 x 255 255 255 0 Wide Area Network WAN 201 0 0 x 255 255 255 0 Wide Area Network WAN 200 0 0 x 255 255 255 0 200 0 0 x 255 255 255 0 NetScreen VPN Router Model 5XT Linksys VPN Router Model BEFVP41 OR FRONT END ROUTER BACK END ROUTER Wide Area Network WAN VPN DSL Security Option Configuration 24 10618 155 Rev A 2 3 Thi...

Страница 16: ...ption 2 4 24 10618 155 Rev A This document contains confidential and proprietary information of Johnson Controls Inc 2012 Johnson Controls Inc P2000 Server to Back End Router Connection To connect the P2000 Server to the back end router connect a network cable from one of the Router s Trusted or available LAN ports to the P2000 Server P2000 Server Rear View Ethernet UNTRUSTED NetScreen 5XT Router ...

Страница 17: ...adapter to the rear panel of the NetScreen 5XT The NetScreen 5XT device runs a 100 240 VAC 10 and 12 watts When properly connected to an AC power source the power LED on the faceplate illuminates solid green When power fails the power LED turns off 2 Connect a network cable from a laptop or PC to one of the NetScreen 5XT s available Trusted ports This connection will be used to configure the NetSc...

Страница 18: ...able Trusted port on the NetScreen 5XT to the Controller or Workstation Laptop or PC UNTRUSTED NetScreen 5XT Front End Router Ethernet TRUSTED 4 3 2 1 DC POWER CONSOLE MODEM Used for Configuration Purposes Only Controller or Workstation WAN NetScreen 5XT Configuration This section provides instructions for configuring the NetScreen 5XT s parameters using the WebUI To access the NetScreen using the...

Страница 19: ...x can be between 2 and 254 and change the subnet mask to 255 255 255 0 3 Open your browser and enter the NetScreen s default LAN IP address of 192 168 1 1 in the Address bar Example http 192 168 1 1 The Enter Network Password dialog box appears 4 Enter netscreen in the User Name and Password fields Use lowercase letters only The User Name and Password fields are both case sensitive 5 Click OK The ...

Страница 20: ...etScreen with the Initial Configuration Wizard 1 Select NAT Mode and click Next 2 Enter master into the Password and Confirm Password fields click Next 3 Select Static IP enter the following and click Next Untrusted Zone Interface IP 200 0 0 2 Netmask 255 255 255 0 Gateway 200 0 0 1 4 Enter the following and click Next Front End Router Trust Zone Interface IP 192 168 1 1 Netmask 255 255 255 0 ...

Страница 21: ... 3 Netmask 255 255 255 0 5 Click Next 6 Click Next 7 Select No to DHCP and click Next 8 Review and confirm the settings Trust Interface in NAT mode Admin Login Name netscreen Password Trust Interface IP 192 168 1 1 Front End Router or 200 0 0 3 Back End Router Trust Interface Netmask 255 255 255 0 Untrust Interface 200 0 0 2 Management Service Telnet enabled Management Service Web enabled Manageme...

Страница 22: ...sword field Click OK The NetScreen Administration Tools window appears 11 Continue with the following configuration instructions To configure the date and time 1 On the NetScreen Administration Tools window select Configuration Date Time in the left hand frame 2 Configure the date and time accordingly Refer to the NetScreen documentation for details 3 Click Apply To verify the network interface se...

Страница 23: ...ect Network Routing Routing Table in the left hand frame 2 Verify the displayed settings To configure the VPN settings with the VPN Wizard 1 Select Wizards VPN in the left hand frame to launch the VPN Wizard 2 Select LAN to LAN and click Next 3 Ensure Local Static IP Remote Static IP is selected and click Next 4 Enter 200 0 0 xxx where xxx can be between 2 and 254 in the Remote Gateway IP Address ...

Страница 24: ...g remote IP address into the IP field according to the router you are configuring Front End Router 200 0 0 0 Back End Router 192 168 1 0 7 Change the Netmask to 255 255 255 0 and click Next 8 Enter the following local IP address into the IP field according to the router you are configuring Front End Router 192 168 1 0 Back End Router 200 0 0 0 9 Change the Netmask to 255 255 255 0 and click Next 1...

Страница 25: ... and configure the Linksys BEFVP41 router Figure 2 6 Linksys BEFVP41 Back End Router Installation Linksys BEFVP41 Installation The Linksys BEFVP41 router may only be used as the back end router All connections to the Linksys BEFVP41 router are made to the device s rear panel To install the BEFVP41 router 1 Connect the power adapter to the rear panel of the Linksys BEFVP41 2 Connect a network cable...

Страница 26: ...ys BEFVP41 router To access the Linksys device 1 Change the IP address of your PC or laptop to 192 168 1 xxx where xxx can be between 2 and 254 and the subnet mask to 255 255 255 0 2 Open your web browser and enter 192 168 1 1 in the Address bar press Enter Example http 192 168 1 1 The Enter Network Password dialog box appears 3 Enter admin in the Password field and leave the User Name field blank...

Страница 27: ...DES for Encryption and SHA for Authentication 9 Select the PFS Perfect Forward Secrecy check box and verify that master is entered in the Pre shared Key field 10 Click the Connect button to establish a connection 11 Verify that the Status indicates that the Router is Connected Linksys BEFSX41 Router Installation and Configuration This section describes how to install and configure the Linksys BEFS...

Страница 28: ...PC Ethernet Used for Configuration Purposes Only Controller or Workstation WAN Linksys BEFSX41 Router 1 2 3 4 POWER Reset WAN Linksys BEFSX41 Configuration This section describes how to configure the Linksys BEFSX41 router To access the Linksys device 1 Change the IP address of your PC or laptop to 192 168 1 xxx where xxx can be between 2 and 254 and the subnet mask to 255 255 255 0 2 Open your we...

Страница 29: ...on selected from the Local Secure Group field Verify also that the IP Address is 192 168 1 0 4 Select Subnet from the Remote Secure Group field 5 Enter the IP Address Subnet ID in the IP field This would be the IP Address of the remote endpoint on the other side of the tunnel for example 200 0 0 0 6 Select IP Address from the Remote Security Gateway field and enter 201 0 0 1 as the IP address 7 Se...

Страница 30: ...eshooting measures press the Reset button and hold it down until the red Diag LED on the front panel turns on and off completely Figure 2 8 Digi EtherLite Device Connections Installing the Digi EtherLite Device S320 Connection Only Installation of the Digi EtherLite is required only if connecting to an S320 controller The Digi EtherLite is a shared serial device that enables serial ports to share ...

Страница 31: ... OFF 3 Up ON 4 Down OFF Installing the Digi One SP S321 Connection Only Installation of the Digi One SP is required only if connecting to an S321 controller The Digi One SP device enables an S321 controller to connect to the router via the controller s serial port To install the Digi One SP converter 1 Change the DIP switch settings on the bottom of the Digi One SP converter according to Figure 2 ...

Страница 32: ...ls Inc 2012 Johnson Controls Inc 3 Connect the DB 9F connector to the Digi One SP s DB 9M connector 4 Run an Ethernet cable from the Digi One SP to one of the available Trusted LAN Ports on the front end VPN router 5 Connect the power cable to the Digi One SP and run to an appropriate 110 240 VAC power source NOTE To install the driver for the Digi One SP and configure the device download the driv...

Страница 33: ...ts of data which are transformed and combined with the first 64 bits of the message to be sent To apply the encryption the message is broken up into 64 bit blocks so that each can be combined with the key using a complex 16 step process Although DES is fairly weak with only one iteration repeating it using slightly different keys can provide excellent security Diffie Hellman An exchange that allow...

Страница 34: ...th ESP you can encrypt and authenticate encrypt only or authenticate only For encryption you can choose either of the following encryption algorithms Data Encryption Standard DES A cryptographic block algorithm with a 56 bit key Triple DES 3DES A more powerful version of DES in which the original DES algorithm is applied in three rounds using a 168 bit key DES provides a significant performance sa...

Страница 35: ...agement MD5 Message Digest version 5 an algorithm that produces a 128 bit message digest or hash from a message of arbitrary length The resulting hash is used like a fingerprint of the input to verify authenticity Netmask A netmask indicates which part of an IP address indicates network identification and which part indicates the host identification For example the IP address and netmask 10 20 30 ...

Страница 36: ... must be at least two SAs one for each direction The VPN participants negotiate and agree to Phase 1 and Phase 2 SAs during an AutoKey IKE negotiation See also Security Parameters Index Security Parameters Index SPI is a hexadecimal value which uniquely identifies each tunnel It also tells the NetScreen device which key to use to decrypt packets SHA 1 Secure Hash Algorithm 1 an algorithm that prod...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды