
License Information

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE,
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT
PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE
STATED IN WRITING, THE COPYRIGHT HOLDERS AND/OR OTHER
PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO
THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE
COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION.

12. IN NO EVENT, UNLESS REQUIRED BY APPLICABLE LAW OR
AGREED TO IN WRITING, WILL ANY COPYRIGHT HOLDER, OR
ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL
OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF
THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN
IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS.

Apache Software License, Version 1.1

Copyright (c) 2000 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the preceding copyright
notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the preceding
copyright notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution,
if any, must include the following acknowledgment: "This product
includes software developed by the Apache Software Foundation
(http://www.apache.org/)". Alternately, this acknowledgment may appear
in the software itself, if and wherever such third-party acknowledgments
normally appear.

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks


Contents NN46120-104

Page 1: ...Nortel VPN Gateway User Guide Release 7 1 Document Revision 02 01 www nortel com NN46120 104 216368 G...

Page 2: ...rademarks of Nortel Networks Export This product software and related technology is subject to U S export control and may be subject to export or import regulations in other countries Purchaser must s...

Page 3: ...ntroducing the VPN Gateway 15 SSL Acceleration 16 VPN 17 Hardware Platforms 18 Feature List 19 Introducing the ASA 310 FIPS 27 HSM Overview 28 Extended Mode vs FIPS Mode 29 The Concept of iKey Authent...

Page 4: ...g the Virtual Desktop on Client Computers 132 Licensing vdesktop 132 Launch Vdesktop from Portal 133 Virtual Desktop Operations 134 The Command Line Interface 135 Connecting to the VPN Gateway 136 Acc...

Page 5: ...209 222 License Information 223 HSM Security Policy 233 Definition of Key Codes 253 Syntax Description 254 SSH host keys 257 Methods for Protection 258 The VPN Gateway 259 Adding User Preferences Att...

Page 6: ...6 Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 7: ...s User s Guide describes how to perform basic configuration and maintenance of the Nortel VPN Gateway NVG Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nor...

Page 8: ...work installers and system administrators engaged in configuring and maintaining a network It assumes that you are familiar with Ethernet concepts and IP addressing Nortel VPN Gateway User Guide NN461...

Page 9: ...ure VPN deployment through the BBI Browser Based Management Interface VPN Gateway 7 1 VPN Administrator Guide part number 217238 E April 2008 VPN management guide intended for end customers in a Secur...

Page 10: ...M 1000 Nortel SSL Accelerator 310 FIPS ASA 310 FIPS The integrated SSL Accelerator SSL processor on the Nortel 2424 SSL switch Nortel VPN Gateway Universal Serial Bus Similarly all references to the o...

Page 11: ...major release upgrade as well as upgrading from software versions earlier than 2 0 11 16 to version 3 0 7 Managing Users and Groups page 79 describes the management of users groups and passwords The c...

Page 12: ...des information about the purpose of SSH host keys and how they are used to protect the connection between the SSH client and the VPN Gateway Adding User Preferences Attribute to Active Directory page...

Page 13: ...exactly as shown Main sys AaBbCc123 This italicized type appears in command examples as a parameter placeholder Replace the indicated text with the appropriate real name or value when using the comman...

Page 14: ...port web site and have a Nortel support contract you can also get help over the phone from a Nortel Solutions Center In North America call 1 800 4NORTEL 1 800 466 7835 Outside North America go to the...

Page 15: ...oups SSL Acceleration VPN These features can be used separately or be combined This User s Guide covers the basic tasks that need to be completed irrespective of which feature you wish to deploy Norte...

Page 16: ...tch and performs all the SSL encryption and decryption for the session Combined with the load balancing features of the Nortel Application Switch the VPN Gateway offloads SSL encryption decryption fun...

Page 17: ...ugh a secure SSL connection through the web browser When successfully authenticated the user can access services and resources on the intranet from a Web Portal provided by the VPN Gateway Clientless...

Page 18: ...hnical specification of the hardware platforms see the Specifications appendix in the VPN Gateway 3050 3070 Hardware Installation Guide and the Alteon SSL Accelerator Hardware Installation Guide respe...

Page 19: ...able on the Portal s Advanced tab API provided for developing a custom application that automatically logs in the user to the desired VPN and executes a previously configured port forwarder link Suppo...

Page 20: ...crosoft Active Directory NTLM Windows NT Domain including Microsoft Active Directory Secure Computing SafeWord RADIUS Netegrity SiteMinder RSA SecurID native or through RADIUS RSA ClearTrust ActivCard...

Page 21: ...eating multiple interfaces within a cluster for example to separate client traffic and management traffic Not supported on the Nortel Application Switch 2424 SSL Support for clustering over multiple s...

Page 22: ...anch office tunnels can be configured per hardware model NVG 3070 2500 NVG 3050 1000 Nortel 2424 SSL Application Switch 500 For example a cluster of two NVG 3070s support 5000 branch office tunnels Po...

Page 23: ...k traffic Provides a single system image SSI all VPN Gateways in a given cluster are configured as a single system High level of redundancy in the master slave cluster design even if three master VPN...

Page 24: ...agement Web User Interface HTTP or HTTPS Command Line Interface CLI access through Telnet SSH or serial port SNMP version 1 version 2c and version 3 RADIUS authentication of CLI BBI administrator user...

Page 25: ...ironment for end users while accessing confidential information Secure Portable Office SPO Client The SPO client provides VPN access from portable storage such as USB compliant flash memory and CD ROM...

Page 26: ...26 Introducing the VPN Gateway Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 27: ...requirements specified by the Federal Information Processing Standard FIPS 140 1 Level 3 standards Each ASA 310 FIPS device is equipped with two identical HSM cards Note When using the ASA 310 FIPS de...

Page 28: ...ntruder Any sensitive information that is transferred between two HSM cards within the same ASA 310 FIPS or between any number of HSM cards within a cluster of ASA 310 FIPS devices is encrypted using...

Page 29: ...d in RAM where it remains accessible for subsequent operations Also when the ASA 310 FIPS is initialized in FIPS mode all private keys must be generated on the ASA 310 FIPS device itself Importing pri...

Page 30: ...SA 310 FIPS device After a HSM card has been initialized that card will only accept the HSM SO and HSM USER iKeys that were used when initializing that particular card You cannot create backup copies...

Page 31: ...require the correct passwords for successful authentication CAUTION If you enter the wrong password for the HSM USER fifteen 15 times in a row the HSM USER iKey will be rendered unusable This is due t...

Page 32: ...S ER CODE SO and CODE USER Changing the HSM SO iKey password Note To resume normal operations after having changed the HSM SO iKey password the HSM USER iKey is required to re login to the HSM card Ch...

Page 33: ...r how to change an HSM SO or HSM USER iKey password see the Hardware Security Module Menu under the Maintenance Menu in the User s Guide For information about how to reset the HSM cards see Resetting...

Page 34: ...34 Introducing the ASA 310 FIPS Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 35: ...for the Nortel VPN Gateway NVG It introduces the concept of clusters and provides detailed instructions for reinstalling the VPN Gateway software should it become necessary Nortel VPN Gateway User Gui...

Page 36: ...g the VPN Gateways designated as masters in a cluster By default the first four VPN Gateways in a given cluster are set up as masters Additional NVGs are automatically set up as slaves which means the...

Page 37: ...ter NVG Virtual IP Address VIP When the VPN Gateway is used in conjunction with a Nortel Application Switch e g for SSL acceleration the client connects to the VIP on the Nortel Application Switch The...

Page 38: ...port NICs numbered as 1 4 One with two copper port NICs numbered as 1 2 and two fiber optic ports numbered as 3 4 The ASA 410 Copper NIC has two copper port NICs numbered as 1 2 The ASA 410 Fiber NIC ha...

Page 39: ...traffic that is connecting the SSL VPN to internal resources and configuring the SSL VPN from a management station Figure 1 One Armed Configuration without Application Switch Two Armed Configuration...

Page 40: ...ed Configuration without Application Switch Note Two armed configuration is not available for the Application Switch 2424 SSL Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Cop...

Page 41: ...re information see Connecting to the VPN Gateway page 136 Press the power on button on the VPN Gateway Wait until you get a login prompt Log in as user admin password admin Note If you have the ASA 31...

Page 42: ...l guide you through the initial configuration 2 Specify the port you want to use for network connectivity Enter port number for the management interface 1 4 1 This port will be assigned to Interface 1...

Page 43: ...tag id or ENTER Specify the desired network mask or accept the suggested value by pressing ENTER If a connected router or switch attaches VLAN tag IDs to incoming packets specify the VLAN tag ID used...

Page 44: ...gh the initial configuration of the iSD 2 Configure the management interface port number Enter port number for the management interface 1 4 1 Specify the port you want to use for NVG management and ot...

Page 45: ...P address on the traffic public interface Enter IP address for this machine on traffic interface IP address This IP address will be assigned to Interface 2 on the VPN Gateway that is the public interf...

Page 46: ...this item after the initial setup is completed See the NTP Servers Configuration section under Configuration menu System Configuration in the Command Reference new setup continued Enter a timezone or...

Page 47: ...teps The VPN quick setup wizard creates all the settings required to enable a fully functional Portal for testing purposes You can later let your test Portal evolve to a fully operative Portal Run VPN...

Page 48: ...ess in your VPN run the IPsec quick setup wizard With IPsec access enabled remote users can access the VPN through a secure IPsec tunnel using the Nortel IPsec VPN client formerly Contivity Setup IPse...

Page 49: ...interface CLI log in as the admin user with the password you defined in and the Main menu is displayed For more information about the CLI see Step 2 If you rather configure the system through the Brow...

Page 50: ...an additional server of the HTTP type was created to redirect requests made with HTTP to HTTPS because the portal server requires an SSL connection Default Network The wizard also creates a default n...

Page 51: ...s Access Rules and Profiles chapter in the Application Guide for VPN for a full explanation of service definitions http Uses TCP port 80 https Uses TCP port 443 web Uses TCP ports 20 21 80 and 443 smt...

Page 52: ...NVG to the Access list This must be done before joining the new VPN Gateway otherwise the devices will not be able to communicate Use the cfg sys accesslist command If the Access list is empty this s...

Page 53: ...ort for existing VPN Gateways it is recommended for consistency that you configure port 1 for the NVG you are joining as well 3 Enter the VPN Gateway s host IP address Enter IP address for this machin...

Page 54: ...g up a Two Armed Configuration If the currently installed VPN Gateway s in the cluster are set up for a two armed configuration you probably want the new VPN Gateway to be set up like the previously i...

Page 55: ...host IP address on the management interface or accept the suggested value by pressing ENTER If a connected router or switch attaches VLAN tag IDs to incoming packets specify the VLAN tag ID used 5 En...

Page 56: ...ce Enter default gateway IP address on the traffic interface IP addr The default gateway IP address should be within the same network address range as the host IP address on the traffic interface Comp...

Page 57: ...is iSD master slave master ok 3 Wait until the Setup utility has finished Setup successful login The setup is now finished The VPN Gateway that has been joined to the cluster will automatically pick u...

Page 58: ...el two of the black cluster specific iKeys CODE SO and CODE USER respectively in advance For more information about the concept of iKeys and the ASA 310 FIPS model in general see Introducing the ASA 3...

Page 59: ...ds Step 4 and Step 5 are related to initializing the HSM cards that your ASA 310 FIPS is equipped with The Setup utility will identify the first HSM card as card 0 and the second HSM card as card 1 Eac...

Page 60: ...urple is inserted in card 0 with flashing LED Hit enter when done Enter a new HSM SO password for card 0 define an HSM SO password Re enter to confirm The HSM SO iKey has been updated Verify that HSM...

Page 61: ...er wrap key onto another HSM card either within the same ASA 310 FIPS device as in Step 7 or to HSM cards in an ASA 310 FIPS device that is added to the current cluster Each ASA 310 FIPS device is shi...

Page 62: ...FIPS units you need to take steps so that you can identify to which cluster a pair of CODE SO and CODE USER iKeys is associated 7 Transfer the cluster wrap key from the CODE SO and CODE USER iKeys on...

Page 63: ...g the command line interface CLI For more information about the CLI see The Command Line Interface page 135 Note After successfully having initialized the HSM cards you are automatically logged in to...

Page 64: ...rsion on the new ASA before joining it see Reinstalling the Software page 70 or upgrade the whole cluster to the same software version as the new ASA see Performing Minor Major Release Upgrades page 7...

Page 65: ...iKeys used when initializing this particular HSM card Even if you choose to use the same HSM SO and HSM USER passwords when you initialize card 1 as the passwords you defined when initializing card 0...

Page 66: ...iKeys and the HSM card to which each set of iKeys is associated during the initialization Because each ASA 310 FIPS device in the cluster will have two HSM cards you must also take steps to identify t...

Page 67: ...pectively that you used when installing the first ASA 310 FIPS in the cluster If you have more than one cluster of ASA 310 FIPS units make sure that you can identify to which cluster the pair of CODE...

Page 68: ...ret passphrase as given during initialization of the first iSD in the cluster 8 Wait until the Setup utility has finished join setup continued Setup successful login The setup utility is now finished...

Page 69: ...f the ASA 310 FIPS units using the command line interface CLI Log in as the admin user and the Main menu is displayed For more information about the CLI see The Command Line Interface page 135 End Nor...

Page 70: ...Using the ptcfg command installed keys and certificates are included in the configuration data and can later be restored by using the gtcfg command For more information about these commands see the C...

Page 71: ...id or ENTER Enter IP address for this iSD 192 168 128 185 Press ENTER if the IP address displayed within square brackets is correct Enter network mask 255 255 255 0 Press ENTER if correct Enter gatew...

Page 72: ...ogin is the default option 4 Log in to the VPN Gateway as the admin user after the device has rebooted on the newly installed boot image reinstall procedure continued Restarting Restarting system Alte...

Page 73: ...jor release upgrade This kind of release may contain both bug fixes as well as feature enhancements The VPN Gateway may automatically reboot after a major upgrade because the operating system may have...

Page 74: ...release upgrade you only need to be connected to the Management IP address of the cluster The upgrade will automatically be executed on all the VPN Gateways in operation at the time of the upgrade All...

Page 75: ...mode Password password or press ENTER for default password in anonymous mode Received 28200364 bytes in 4 0 seconds Unpacking ok Software Management End Activating the Software Upgrade Package The VP...

Page 76: ...us 7 0 1 SSL unpacked 5 1 5 SSL permanent The downloaded software upgrade package is indicated with the status unpacked The software versions can be marked with one out of four possible status values...

Page 77: ...oftware cur Version Name Status 7 0 1 SSL permanent 5 1 5 SSL old In this example version 7 0 1 is now operational and will survive a reboot of the system while the software version previously indicat...

Page 78: ...78 Upgrading the NVG Software Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 79: ...govern administrator operator user rights how to add or delete users from the system how to set or change group assignments and how to change login passwords Nortel VPN Gateway User Guide NN46120 104...

Page 80: ...the same user rights as granted to members in the certadmin and oper group in addition to the specific user rights granted by the admin group membership The most permissive user rights become the eff...

Page 81: ...rver Access to the System menu cfg sys is limited and entails access only to the User Access Control submenu cfg sys user Step Action 1 Log in to the NVG cluster as the admin user login admin Password...

Page 82: ...n groups add Enter group name certadmin 5 Verify and apply the group assignment When typing the list command the current and pending group assignment of the user being edited is listed by index number...

Page 83: ...t passphrase defined by the Certificate Administrator is used instead to encrypt private keys in the configuration backup The encryption of private keys using the export passphrase defined by the Cert...

Page 84: ...embership When the admin user is removed from the certadmin group only the Certificate Administrator user can access the Certificate menu cfg cert User edit admin User admin groups list 1 tunnelguard...

Page 85: ...ired access rights to the CLI BBI When the user logs in to the CLI BBI and is successfully authenticated the RADIUS server returns the groups to which the user belongs The groups are compared to the f...

Page 86: ...ll add the admin user to the certadmin group The example assumes that the admin user previously removed himself or herself from the certadmin group to fully separate the Administrator user role from t...

Page 87: ...group assignment you must therefore always first add the user to the desired new group then remove the user from the old group 4 Verify and apply the changes Groups list Old 1 tunnelguard 2 admin 3 op...

Page 88: ...Change own password expire Set password expire time interval list List all users del Delete a user add Add a new user edit Edit a user caphrase Certadmin export passphrase 3 Type the passwd command t...

Page 89: ...contain spaces Step Action 1 Log in to the NVG cluster as the admin user login admin Password admin user password 2 Access the User Menu Main cfg sys user User Menu passwd Change own password expire S...

Page 90: ...r new password for cert_admin new password for user being edited Re enter to confirm confirm new password for user being edited 5 Apply the changes User cert_admin apply Changes applied successfully E...

Page 91: ...e member of a group Step Action 1 Log in to the NVG cluster as the admin user login admin Password admin user password 2 Access the User Menu Main cfg sys user User Menu passwd Change own password exp...

Page 92: ...pending configuration change by the minus sign To cancel a configuration change that has not yet been applied use the revert command User list oper root admin cert_admin User apply End Nortel VPN Gate...

Page 93: ...teway supports using up to 1500 certificates The basic steps to create a new certificate using the command line interface of the VPN Gateway are Generate a Certificate Signing Request CSR and send it...

Page 94: ...e Menu line such as Certificate Menu 1 Explanations for the requested units of information Note that you do not have to complete all fields Only one of Common Name and E mail Address is strictly requi...

Page 95: ...mail address Example URI http www example com email john example com IP 10 1 2 3 Generate new key pair y In most cases you will want to generate a new key pair for a CSR However if a configured certi...

Page 96: ...rtificate authority this step is only necessary if you want to create a backup copy of the private key When generating a CSR the private key is created and stored encrypted on the VPN Gateway using th...

Page 97: ...rver on which the certificate and the corresponding private key is to be used Note When using an ASA 310 FIPS the private key is protected by the HSM card and cannot be exported After you have receive...

Page 98: ...ite and follow the online instructions When prompted paste the CSR into the space provided on the CA s online request process If the CA requires that you specify a server software vendor whose softwar...

Page 99: ...n these formats PEM NET DER PKCS7 certificate only PKCS8 keys only used in WebLogic PKCS12 also known as PFX Besides these formats keys in the proprietary format used in MS IIS 4 can be imported by th...

Page 100: ...umber as the certificate number you used when generating the CSR By doing so you do not have to add the private key because this key remains connected to the certificate number that you used when you...

Page 101: ...f certificate the CA generates registered or chain your certificate may appear substantially different from the one shown before Be sure to copy and paste the entire contents of the certificate file 4...

Page 102: ...you have received from a CA The public key in the certificate works in concert with the related private key when handling SSL transactions Open the key file in a text editor and copy the entire conte...

Page 103: ...ver ssl cert command If the NVG software is used for deployment of a VPN solution the certificate should be mapped to the portal server of the desired VPN using the cfg vpn server ssl cert command To...

Page 104: ...icate number not in use by an existing certificate To view basic information about all configured certificates use the info certs command Main cfg cert Enter certificate number 1 number of the certifi...

Page 105: ...1 import Select protocol tftp ftp scp sftp tftp ftp Enter host name or IP address of server server host name or IP address Enter filename on server filename key Retrieving VIP_1 key from 192 168 128...

Page 106: ...ired VPN using the cfg vpn server ssl cert command To view basic information about configured certificates use the cfg cur cert command End Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14...

Page 107: ...tion cert Enter certificate number 1 1500 3 Creating Certificate 3 3 Add the new certificate according to the instructions in Adding Certificates to the NVG page 99 4 Map the new certificate to the de...

Page 108: ...e clients private key and contains important information about the SSL session known to both the client and the server Upon receiving the CertificateVerify message the virtual SSL server will use the...

Page 109: ...the virtual SSL server to use for authenticating client certificates Only those client certificates that are issued by a certificate authority whose CA certificate you specify will be accepted Note t...

Page 110: ...te key corresponding with the public key in the certificate you specify is used for signing the client certificate Main cfg cert Enter certificate number 1 1 Certificate 1 gensigned Type of certificat...

Page 111: ...state or province in which the subject resides Locality Name for example city The name of the city or town where the subject resides Organization Name for example company The registered name of the o...

Page 112: ...ckets and will be used unless you specify a different number As you generate more client certificates the proposed serial number increments automatically Certificate 1 Valid for days 365 Key size 512...

Page 113: ...is required to unlock the certificate 5 Verify that the certificate you used for generating the client certificate is specified as a CA certificate for the appropriate virtual SSL server Main cfg ssl...

Page 114: ...ad the option to save it with a new certificate number In the previous example Step 4 the client certificate was saved as certificate number 2 Enter this certificate number when prompted then use the...

Page 115: ...r Never send the password phrase in an e mail message The user will then need to import the received client certificate into his or her Web browser or e mail program For more information about importi...

Page 116: ...hority by issuing your own client certificates you will also need to maintain your own certificate revocation lists This can be done by listing the serial numbers of the client certificates you want t...

Page 117: ...Certificates Issued within your Own Organization Step Action 1 Specify the CA certificate to which you want to add a CRL Specify the certificate number that represents the CA certificate of the certi...

Page 118: ...you have added serial numbers for particular client certificates by using the add command prior to using the import command you will be asked if you want to merge those serial numbers to the CRL in A...

Page 119: ...u choose to add serial numbers in hexadecimal form add a paragraph in the text document that reads HEX ASCII revocation Note You can add comments to a CRL ASCII file by preceding your comments with th...

Page 120: ...server for LDAP the server must support LDAP v3 When using LDAP a bind operation to the specified LDAP server is performed each time a CRL retrieval occurs The bind operation uses the specified disti...

Page 121: ...ck your LDAP server documentation for details on binding authentication and access control Example cn Bill Smith o Your Organization By setting the cfg cert revoke automatic anonymous command to true...

Page 122: ...ble certificates enter the info certs command When specifying more than one certificate use commas to separate the corresponding index numbers Example 1 2 5 To clear all specified CA certificates pres...

Page 123: ...a message indicating client certificate is required to connect 2 Click Connect The MSCAPI window appears 3 Select the certificate in the MSCAPI window 4 If secondary authentication is not required th...

Page 124: ...e entire contents including the text BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST Having pasted the CSR press ENTER to create a new line and type three periods Finally press ENTER once again...

Page 125: ...rrent value Enter certificate numbers separated by comma 1 5 Apply the changes The CSR is signed using the private key associated with the currently selected certificate End Nortel VPN Gateway User Gu...

Page 126: ...d information For a more detailed explanation of the requested information see Generating and Submitting a CSR Using the CLI page 94 The combined length of the following parameters may not exceed 225...

Page 127: ...server using the cfg ssl server ssl cert command If the NVG software is used for deployment of a VPN solution the certificate should be mapped to the portal server of the desired VPN using the cfg vp...

Page 128: ...ficate s subject information can be used to extract user name and password For usage examples see the Client Certificate Authentication section in the Authentication Methods chapter in the CLI BBI App...

Page 129: ...protected For the VPN Gateways without the HSM card private keys are protected by the cluster For the ASA FIPS private keys are protected by the HSM card However when generating a client certificate t...

Page 130: ...130 Certificates and Client Authentication Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 131: ...a Virtual Desktop environment to secure Web based applications and services Therefore you can access confidential information in a secure environment Nortel VPN Gateway User Guide NN46120 104 02 01 S...

Page 132: ...ra 7 2 or later FireFox 1 0 and later Java Runtime Environment JRE version 1 4 2 or later or Microsoft Java Virtual Machine JVM version 5 0 and later Licensing vdesktop Your copy of Symantec On Demand...

Page 133: ...ternet explorer 2 Enter the Protocol IP address and Port For example http 10 127 232 45 1234 3 Enter the user name and password 4 Click on Home 5 Click on the virtual desktop link 6 Click on the virtu...

Page 134: ...e files rather than the real versions Enable File Separation The vdesktop session may get terminated when the browser session is terminated to ensure that the Virtual Desktop session does not remain a...

Page 135: ...tion software or through a remote session using either a Telnet client or an SSH client When using a Telnet client or SSH client to connect to a cluster of VPN Gateways always connect to the IP addres...

Page 136: ...CII terminal or a computer running terminal emulation software set to the parameters shown in the following table Table 4 Console Configuration Parameters Parameter Value Baud Rate 9600 Data Bits 8 Pa...

Page 137: ...you must connect to the IP address of the particular VPN Gateway This also applies when using an SSH connection instead of a Telnet connection To view the IP addresses of all VPN Gateways in a cluste...

Page 138: ...abled by default However depending on the severity of your security policy you may want to enable SSH access You may also restrict SSH access to one or more specific machines For more information abou...

Page 139: ...recommended that you do so to maintain a high level of security when connecting to the VPN Gateway using a SSH client If you fear that your SSH host keys have been compromised you can create new host...

Page 140: ...oup and then remove himself or herself from the certadmin group For more information see Adding a New User page 81 Boot user can only perform a reinstallation For security reasons it is only possible...

Page 141: ...d read access to some of the menus and information available in the CLI oper admin admin oper certadmin The Administrator is allowed both read and write access to all menus information and configurati...

Page 142: ...system will run Setup see Installing an NVG in a New Cluster page 42 a utility designed to help you through the first time configuration process If the VPN Gateway has already been configured the Main...

Page 143: ...43 Command Line History and Editing For a description of global commands shortcuts and command line editing functions see the Command Reference Nortel VPN Gateway User Guide NN46120 104 02 01 Standard...

Page 144: ...ve your configuration changes regularly by using the global apply command If you have unapplied configuration changes when using the global exit command to log out from the command line interface you...

Page 145: ...setting the HSM cards on the ASA 310 FIPS on An ASA 310 FIPS Stops Processing Traffic page 153 An NVG cluster configuration needs to be reconstructed onto new devices on An ASA 310 FIPS Cluster Must be...

Page 146: ...ble SSH access Apply your configuration changes cfg sys adm ssh Current value off Allow SSH CLI access on off on Administrative Applications apply Changes applied successfully Check the Access List If...

Page 147: ...Gateways in the cluster If the IP address assigned to the VPN Gateway seems to be correct you may have a routing problem Try to run traceroute a global command available at any menu prompt or the tcp...

Страница 148: ...e NVG s already in the cluster You can verify software versions by typing the command boot software cur where the active version is indicated as permanent Adjusting the software version on the NVG dev...

Страница 149: ...ccess list cfg sys accesslist list 1 192 168 128 78 255 255 255 0 Add Interface 1 IP Addresses and MIP to Access List Use the cfg sys cluster cur command to view the Host Interface 1 IP address for th...

Страница 150: ...d the software version in the cluster log in to the VPN Gateway you want to add as the Administrator user and select join from the Setup menu Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 1...

Страница 151: ...again Console Connection If you are connected to a particular VPN Gateway through a console connection and that NVG stops responding you should first try pressing the key combination CTRL and press EN...

Страница 152: ...er can change the Root user password For more information see the edit command in the User Access Configuration section under Configuration Menu System Configuration in the Command Reference Boot User...

Страница 153: ...FIPS that has undergone a reboot as the admin or oper user login admin Password enter the admin user password Alteon iSD SSL Software version 7 1 When connecting to the ASA 310 FIPS you can use a con...

Страница 154: ...ogin on card 1 Note If you enter the wrong password for the HSM USER fifteen 15 times in a row the HSM USER iKey will be rendered unusable This is due to the strict security specifications placed on t...

Страница 155: ...h each HSM SO iKey Log in as the admin user to the particular ASA 310 FIPS device you want to delete If the ASA 310 FIPS device will be used in a different department or organization after it has been...

Страница 156: ...te the iSD y n y Do you want to clear the HSM card s as well y n y press ENTER to accept resetting the HSM cards 3 Insert the HSM SO iKey associated with HSM card 0 in the card with flashing LED and p...

Страница 157: ...isplayed after having logged in as the admin user through a console connection When selecting new or join in the Setup menu you will be prompted to insert the HSM SO iKey and HSM USER iKey associated...

Страница 158: ...ed to transfer the wrap key used in the former cluster onto the HSM cards in the new ASA 310 FIPS devices as well as for decrypting private key information in the backup configuration file The secret...

Страница 159: ...it enter when done Wrap key successfully combined to card 0 4 Transfer the cluster wrap key from the CODE SO and CODE USER iKeys to card 1 new setup continued Verify that CODE SO iKey black is inserte...

Страница 160: ...ter page 63 up to and including Step 4 8 Transfer the cluster wrap key from the CODE SO and CODE USER iKeys to card 0 When asked to insert the CODE SO and the CODE USER iKeys make sure to use the same...

Страница 161: ...g the HSM cards join setup continued Enter the secret passphrase as given during initialization of the first iSD in the cluster Enter the same secret passphrase as was used in the former cluster If yo...

Страница 162: ...s supported Password Received 4960 bytes in 0 1 seconds Password for importing private keys in cfg password as defined when saving the configuration file to an FTP TFTP SCP SFTP server Configuration l...

Страница 163: ...ftp sftp interactive Enter the desired tag s separated by comma for example aaa ssl to trace the user authorization and SSL handshake processes or press ENTER to trace all processes To limit tracing t...

Страница 164: ...Gateway This is also the order in which the groups will be applied base implies that the group s base profile will be used TTL for user shows the idle timeout 15m 15 minutes in the preceding example a...

Страница 165: ...P pool applies to Net Direct and IPsec ssl The ssl tag logs information related to the SSL handshake procedure e g used cipher tg The tg tag logs information related to a TunnelGuard check e g access...

Страница 166: ...Bookmarks in the chapter The Portal from an End User Perspective in the CLI BBI Application Guide for VPN smb The smb tag shows information related to SMB Windows file share sessions initiated through...

Страница 167: ...been accepted or rejected netdirect_packet The netdirect_packet tag logs information about packets being sent and received when the user has initiated a connection to a host Because of the large amoun...

Страница 168: ...Application Guide for VPN for instructions on how to enable Net Direct and how to configure an IP pool 3 Is the Net Direct link visible to the end user on the Portal s Home tab If not the user may bel...

Страница 169: ...9 Verify that the maximum number of users for the license currently loaded to the VPN Gateway has not been reached If required user s can be logged out from the VPN through the info kick command To a...

Страница 170: ...the system tray blink green Does it ever blink green Check using maint starttrace and the netdirect_packet tag that traffic is flowing from and to the client machine If no traffic flows verify on your...

Страница 171: ...m zip file in a folder named nortel_cacheable and zip the nortel _cacheable folder This is because after imported into the NVG the top directory will be unzipped in the NVG 4 Import the customized fil...

Страница 172: ...rtificate index number is used by each configured SSL server Network Diagnostics To check if the VPN Gateway is able to contact configured gateways routes DNS servers authentication servers and IP add...

Страница 173: ...istics for configured virtual SSL servers To check statistics for the local Ethernet network interface card type the following command info ethernet The screen output provides information about the to...

Страница 174: ...ided you have configured the VPN Gateway to use a Syslog server the VPN Gateway will send log messages to the specified Syslog server For more information about how to configure a UNIX Syslog daemon s...

Страница 175: ...s to load and produces an error To use the NetDirect with v5 1 3 4 or earlier release you need to manually remove the NetDirect and relaunch the portal and earlier NetDirect To remove the NetDirect fo...

Страница 176: ...176 Troubleshooting the NVG Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 177: ...A1 DES CBC3 SHA SSLv3 RSA RSA 3DES 168 SHA1 DES CBC3 MD5 SSLv2 RSA RSA 3DES 168 MD5 DHE RSA AES128 SHA SSLv3 DH RSA AES 128 SHA1 AES128 SHA SSLv3 RSA RSA AES 128 SHA1 RC4 SHA SSLv3 RSA RSA RC4 128 SHA...

Page 178: ...40 MD5 EXPORT EXP RC4 MD5 SSLv3 RSA 512 RSA RC4 40 MD5 EXPORT EXP RC2 CBC MD5 SSLv2 RSA 512 RSA RC2 40 MD5 EXPORT EXP RC4 MD5 SSLv2 RSA 512 RSA RC4 40 MD5 EXPORT ADH AES256 SHA SSLv3 DH NONE AES 256 S...

Page 179: ...ain by later options moves the ciphers to the end of the list This option doesn t add any new ciphers it just moves matching existing ones STRENGTH is placed at the end of the cipher list and sorts th...

Page 180: ...hat all ciphers using either 40 or 56 bits symmetric ciphers are removed from the list This means that browsers running export controlled crypto software cannot access the server Using the OpenSSL com...

Page 181: ...encryption only EXPORT56 Cipher suites using 56 bit export encryption only eNULL NULL Cipher suites that do not offer any encryption at all Because the use of such ciphers pose a security threat they...

Page 182: ...lgorithms Cipher String Aliases Meaning DES Cipher suites using DES encryption algorithms but not triple DES RC4 Cipher suites using RC4 encryption algorithms RC2 Cipher suites using RC2 encryption al...

Page 183: ...nds used to configure the SNMP agent in a cluster see the SNMP Management Configuration section under Configuration Menu System Configuration in the Command Reference For detailed information about th...

Page 184: ...ROOT MIB S5 ETH MULTISEG TOPOLOGY MIB IF MIB IP MIB IP FORWARD MIB ENTITY MIB DISMAN EVENT MIB ALTEON ISD PLATFORM MIB ALTEON ISD SSL MIB ALTEON SSL VPN MIB ALTEON ROOT MIB IANAifType MIB SNMPv2 MIB...

Page 185: ...target command The following groups are implemented snmpTargetCommandResponderGroup snmpTargetBasicGroup snmpTargetResponseGroup Write access to snmpTargetParamsTable is turned off in VACM SNMP NOTIF...

Page 186: ...are products It is required by the S5 ETH MULTISEG TOPOLOGY MIB MIB S5 TCS MIB This MIB is used when the NVG participates in SONMP It is required by theS5 ETH MULTISEG TOPOLOGY MIB MIB S5 ROOT MIB Thi...

Page 187: ...EVENT MIB The DISMAN EVENT MIB is a MIB module for defining event triggers and actions for network management purposes See the cfg sys adm snmp event command in the Command Reference for instructions...

Page 188: ...llowing groups are implemented sslBasicGroup sslEventGroup ALTEON SSL VPN MIB The ALTEON SSL VPN MIB contains SSL IPsec user statistics and SSL IPsec license information for all VPNs It also contains...

Page 189: ...dStart Sent when the VPN Gateway reboots Defined in SNMPv2 MIB isdAlarmCleared Sent when an alarm is cleared isdDown Signifies that a VPN Gateway in the cluster is down and out of service isdLicense S...

Page 190: ...t one of the links interfaces has gone up Defined in IF MIB vpnLicenseExhau sted Sent when the VPN has run out of SSL or IPsec user licenses No more than one event per hour is sent for one VPN Defined...

Page 191: ...pliant with the SYSLOG SRD specifications They can be stored locally on the hard disk or in a memory buffer Syslog servers are added to the system configuration by using the menu options in the Syslog...

Page 192: ...Messages The OS system messages are divided into three categories EMERG CRITICAL ERROR EMERG Root filesystem corrupt The system cannot boot but stops with a single user prompt fsck failed Reinstall t...

Page 193: ...filesystem re initialized reinstall required or Config filesystem restored from backup if software upgrade is in progress that is if failure at first boot on new OS version System Control Process Mess...

Page 194: ...NVG cluster is down This alarm is only sent if the cluster contains more than one VPN Gateway Name single_master Sender system Cause down Extra Severity warning Only one master VPN Gateway in the clus...

Page 195: ...icenses using the cfg sys cur command Name license Sender IP Cause license_expire_soon Extra Expires TIME Severity warning The demo license loaded to the local VPN Gateway expires within 7 days Check...

Page 196: ...Tells that the MIP management IP address is now located at the VPN Gateway with the IP host IP address Name license_expire_soon Sender IP Indicates that the loaded demo license at the IP VPN Gateway e...

Page 197: ...e loaded at host IP has expired Check the loaded licenses with cfg sys cur Name audit Sender CLI Extra Start session details Update session details Stop session details Sent when a CLI system administ...

Page 198: ...o send traffic logging syslog messages Traffic syslogging was disabled as a result www_authenticate bad credentials The browser sent a malformed WWW Authenticate credentials header Most likely a broke...

Page 199: ...id Reconfigure Unable to find client private key for server Key for doing sslconnect is not valid Reconfigure Unable to use client certificate for server Certificate for doing sslconnect is not valid...

Page 200: ...failure Host Cert automatic retrieval of HTTP CRL failed parse error Cert auto crl over HTTP failed reason Reason Cert automatic retrieval of HTTP CRL failed Cert failed to create TFTP CRL temp file C...

Page 201: ...Gateway IPSEC server id uses default interface interface n not configured A specific interface is configured to be used by the IPsec server but this interface is not configured on the VPN Gateway Cert...

Page 202: ...is up again Backend health check detected backend ip port to be up Startup Messages The Traffic Processing Subsystem Startup messages only include the INFO category INFO HSM mode mode Hardware Securi...

Page 203: ...tarting reloading of certificates reload cert config done Certificate reloading done reload configuration start Virtual server configuration reloading start reload configuration network down Accepting...

Page 204: ...adv log is enabled If the log value contains login the following messages can be displayed VPN LoginSucceeded Vpn id Method ssl ipsec SrcIp ip User user Groups groups VPN LoginSucceeded Vpn id Method...

Page 205: ...jected Vpn id User user SrcIP ip Request request IPsec Subsystem Messages The IPsec subsystem messages are divided into these categories ERROR WARNING NOTICE INFO ERROR There are several ERROR message...

Page 206: ...not found Ignoring request to roam from s to s due to invalid source Expecting s Dropping roam request message because mismatch in source in payload and header Ignoring request to roam from s to s Dr...

Page 207: ...The client certificate with serial number d was revoked and thus login failed Ike not started due No license If no licence can be found such as on old ASA 310 IKE is not started INFO Using new IKE IK...

Page 208: ...ke Profile s Creating Loading a new IKE profile called s Updating Ike profile s A CLI BBI change in IKE profile s forces an update of the profile Deleting ike profile s IKE profile s has been deleted...

Page 209: ...once it has finished processing its current sessions All credits are exhausted for IPSec SA WARNING IPsec Maximum number of outstanding IPsec SA create requests have exceeded the limit All credits ar...

Page 210: ...p found script op ERROR Traffic Processing Bad script operation found in health check script Reconfigure This should normally be captured earlier by the CLI Bad string found string ERROR Traffic Proce...

Page 211: ...the same version as all other VPN Gateway s in the cluster The failing VPN Gateway tries to catch up with the other cluster members as it was not up and running when the new software version was insta...

Page 212: ...ping the clear text notify message Error in Diffie Hellman Setup group u WARNING IPsec Error in DH Setup Error while decoding certificate DER Id NOTICE IPsec A client sent a certificate where the X509...

Page 213: ...ilesystem EMERG OS Probable hardware error Reinstall Found size meg of phys mem INFO Startup Amount of physical memory found on system gzip error reason INFO Traffic Processing Problem encountered whe...

Page 214: ...fic Processing The server sent a bad HTTP header HTTP NotLoggedIn Vpn id Host host SrcIP ip Request method host path INFO AAA The remote user was not logged in to the specified web server requested fr...

Page 215: ...c SA Established IPSEC server s uses default interface interface p not configured WARNING IPsec This indicates possible badly configured default gateways on some Secure Service Partitioning interface...

Page 216: ...fg sys cur command license_expire_soon EVENT System Control Indicates that the loaded demo license at the IP VPN Gateway expires within 7 days license_expired EVENT System Control Indicates that the t...

Page 217: ...nfig filesystem restored from backup No cert supplied by backend server INFO Traffic Processing No certificate supplied by backend server when doing SSL connect Session terminated to backend server No...

Page 218: ...e Path path INFO AAA The remote user failed to access the specified folder directory on the specified file server requested from the Portal s Files tab PORTAL Vpn id User user Proto proto Host host Sh...

Page 219: ...te length d INFO IPsec Loading certificate revocation list of length d Root filesystem corrupt EMERG OS The system cannot boot but stops with a single user prompt fsck failed Reinstall to recover Root...

Page 220: ..._changed EVENT System Control Indicates that release VSN version has been Status unpacked installed permanent software_release_copying EVENT System Control Indicates that IP is copying the release VSN...

Page 221: ...figure Unable to use the certificate for server nr ERROR Traffic Processing Unsuitable certificate configured for server unknown WWW Authenticate method closing ERROR Traffic Processing Backend server...

Page 222: ...VPN LoginSucceeded Vpn id Method ssl ipsec SrcIp ip User user Groups groups TunIP inner tunnel ip INFO AAA Login to the VPN succeeded The remote user s access method client IP address user name and gr...

Page 223: ...g disclaimer 2 Redistributions in binary form must reproduce the preceding copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided wi...

Page 224: ...pyright 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to conform with Ne...

Page 225: ...ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITU...

Page 226: ...ublish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and give any other recipients o...

Page 227: ...gregation of another work not based on the Program with the Program or with a work based on the Program on a volume of a storage or distribution medium does not bring the other work under the scope of...

Page 228: ...not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if you do not accept this License Therefore by...

Page 229: ...luding those countries so that distribution is permitted only in or among countries not thus excluded In such case this License incorporates the limitation as if written in the body of this License 9...

Page 230: ...AINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CON...

Page 231: ...AL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY TH...

Page 233: ...rall validation and a level 4 validation in the area of Self Test The following table describes the compliance level for each section of the FIPS 140 1 specification Cryptographic Modules Level 3 Modu...

Page 234: ...plications The board has two modes These are the non FIPS140 1 mode and the FIPS140 1 mode In the FIPS140 1 mode the board can be used in servers to improve the performance associated with high rate s...

Page 235: ...is controlled through its PCI interface Commands are entered through the PCI bus and status is read from the PCI bus Also both plaintext and encrypted data is transmitted over the PCI interface The se...

Page 236: ...SHA 1 Hashing of host provided data Hashing for the purpose of verifying the RSA digital signature of a firmware image Hashing a 3DES key for the purpose of checking its integrity after it is split a...

Page 237: ...tain a pin used to authenticate the Security Officer One will contain a pin used to authenticate the User One will contain a key part to be controlled by the Security Officer One will contain a key pa...

Page 238: ...ters Battery voltage is also monitored to determine when it is necessary to replace the battery 7 3 FastMap Processor This component contains a processor and internal SRAM The processor executes the s...

Page 239: ...for user authentication or to store key parts for moving keys from one HSM to another HSM 7 9 Universal Asynchronous Receiver Transmitter UART This component is disabled in the production version of t...

Page 240: ...user who created it cannot be used for any other purpose such as key exchanges or encryption decryption of data The user may specify through Boolean attributes whether the private key may be used for...

Page 241: ...s identity based authentication to allow subjects to assume one of the two roles Usernames are transmitted to the HSM over the PCI interface to identify the user A corresponding personal identificatio...

Page 242: ...ity Officer can create a User account Creating the User account generates a random PIN which is stored in the User s iKey token The SHA 1 hash of this random PIN is associated with the User account 9...

Page 243: ...ata input interface Note 2 This is a PKCS 12 method for deriving a 3DES key from a password salt and iteration count Note 3 The Exponentiation Using CRT and Exponentiation functions are generic math f...

Page 244: ...ing a 3DES key from a password salt and iteration count Note 3 The Exponentiation Using CRT and Exponentiation functions are generic math functions all parameters are input through the PCI interface d...

Page 245: ...a 3DES key from a password salt and iteration count Note 3 The Exponentiation Using CRT and Exponentiation functions are generic math functions all parameters are input through the PCI interface data...

Page 246: ...Using CRT and Exponentiation functions are generic math functions all parameters are input through the PCI interface data input interface Note 4 When operating in the FIPS140 1 mode it is not possibl...

Page 247: ...count Note 3 The Exponentiation Using CRT and Exponentiation functions are generic math functions all parameters are input through the PCI interface data input interface Note 4 When operating in the F...

Page 248: ...ed using the Key Wrapping Key Note 5 User Login is the process that takes the board from an unauthenticated state to the authenticated state Only one user may be authenticated at a particular time Con...

Page 249: ...together generate the Key Wrapping Key The key splitting occurs when the Write Key Split command is first issued by the Security Officer This command will cause one of the key parts to be written to a...

Page 250: ...ne so that keys may be stored on backup media such as tape or hard drives The Rainbow Technologies key management utility utilizes the Wrap Key command to perform key archival All archived keys are 3D...

Page 251: ...certain operations e g DES RSA CRT exponentiation It is still possible to store keys on the board so that they cannot be extracted These non extractable keys will be erased if a tamper attempt is det...

Page 252: ...ate Verify Firmware Image Service 13 0 Conclusion The HSM provides FIPS 140 1 Level 3 cryptographic processing acceleration and security for RSA signing and verifying functions In the non FIPS140 1 mo...

Page 254: ...ou wish to redefine F1 PGUP and so on The new STRING to be sent when pressing the key should come after the equals character Hash marks in the file declare the line as a comment and will be ignored Th...

Page 255: ...Vertical Tabulator Sends a vertical tabulator character a Bell Sends a terminal bell character which should make the terminal sound its bell number Inserts the character that is defined by this number...

Page 256: ...T The Cursor Right key NUMPAD0 NUMPAD9 The numbered Numeric keypad keys ESCAPE The Escape key BACKSPACE The Backspace key TAB The Tab key Example of a Key Code Definition File Following is an example...

Page 257: ...frastructure and no certificate authorities for the SSH host keys Instead the security of SSH sessions depends on SSH clients keeping track of the public keys that should be used to authenticate diffe...

Page 258: ...ion with the server administrator OR Pre installing the remote host key previously transferred by some out of band means in the client s key storage i e effectively making the remote host known even b...

Page 259: ...ands in the cfg sys adm sshkeys menu concern the former case while the knownhosts menu concerns the latter The VPN Gateway supports the use of three different SSH host key types SSH protocol version 1...

Page 261: ...ve Directory This attribute will contain an opaque data structure containing various information that the user may have saved during a Portal session This description is based on Windows 2000 Server a...

Page 262: ...Action 1 Click Start and select Run 2 In the Open field enter regsvr32 schmmgmt dll Note that there is a space between regsvr32 and schmmgmt dll 3 Click OK This command will register schmmgmt dll on y...

Page 263: ...ver 2003 263 4 On the File Console menu select Add Remove Snap in The Add Remove Snap in window is displayed 5 Click Add The Add Standalone Snap in window is displayed Nortel VPN Gateway User Guide NN...

Page 264: ...e Schema snap in go to the File Console menu and select Save The Save As windows is displayed 10 Save the console in the Windows System 32 root folder 11 As file name enter schmmgmt msc 12 Click Save...

Page 265: ...Schema 2 Select Operations Master 3 Select the check box The Schema may be modified on this Domain Controller 4 Click OK End Create a New Attribute Windows 2000 Server and Windows Server 2003 To crea...

Page 266: ...on 1 In the Console window right click Classes point to New and select Class You will now receive a warning that creating schema classes is a permanent operation and cannot be undone 2 Click Continue...

Page 267: ...ndow on the left pane expand Classes 2 Select the nortelSSLOffload class 3 Right click and select Properties The Properties window is displayed 4 Select the Attributes tab and click Add 5 Add the isdU...

Page 268: ...SSLOffload Class to the User Class Step Action 1 In the Console window on the left pane expand Classes and select user 2 Right click and select Properties The Properties window is displayed 3 Select t...

Page 269: ...and cfg vpn aaa auth ldap enauserpre or the BBI setting User Preferences under VPN Gateway VPN Authentication Auth Servers Ldap the remote user should now be able to store user preferences in Active D...

Page 272: ...ons are set by defining a port forwarder in the CLI BBI It is then referred to when setting up the Port Forwarder API Note Defined applications are only started automatically if the port forwarder API...

Page 273: ...URL for the Portal login called loginUrl in the following examples Example http vpn example com login_post yaws user test password test authmethod default url The parameters are the same as if access...

Page 274: ...le 1 linkset The number of the linkset in the VPN for example 1 link The number of the link in the linkset for example 1 When run as a regular application the arguments are simply passed on the comman...

Page 275: ...rea to be cacheable by the client web browser it has to be put in a top directory called nortel_cacheable The demo project zip file has such a directory at it s top level When uploaded to the content...

Page 276: ...arderAuthenti cator interface public PortForwarderCredentials getCredentials public java net PasswordAuthentication getProxyCredenti als Example Following is an example of the code for creating a Port...

Page 278: ...null catch MalformedURLException e e printStackTrace catch IOException e e printStackTrace return null PortForwarderAuthenticator pfa new PortForwarderAuthenticator public PortForwarderCredentials get...

Page 279: ...ger function Example Following is an example of the code for adding a Port Forwarder logger public class PortForwarderLoggerImpl implements PortForwarderLogger private final ResourceBundle messages pr...

Page 280: ...f throwable null portForwarderGui appendInfo throwable getMessage System getProperty line se parator throwable printStackTrace public void log final int logLevel final String msg final Throwable throw...

Страница 282: ...m nortel nvg portforwarder http proxyPort The proxy port for HTTP HTTPS accesses com nortel nvg portforwarder http proxyUserN ame The proxy username for HTTP HTTPS accesses com nortel nvg portforwarde...

Страница 283: ...Forwarder status gives you the ability to always know the state of the Port Forwarder for example if it is ready to receive connections Following is an example of the code for monitoring the status o...

Страница 284: ...ollowing is an example of the code for monitoring Port Forwarder statistics This will print current statistics every 3 seconds Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Co...

Page 285: ...s with its physical hardware address Base Profile Refers to links and access rules specified for a user group directly under the Group level If extended profiles are used the base profile s links and...

Page 286: ...line interface by using the request command DCE Data Communications Equipment A device that communicates with a Data Terminal Equipment DTE in RS 232C communications DER Distinguished Encoding Rules A...

Page 287: ...ontrols data flowing to or from a computer The term is most often used in reference to serial communications defined by the RS 232C standard This standard defines the two ends of the communication cha...

Page 288: ...of the MIP address should another master fail Configuration changes in the cluster are propagated to other members through the master VPN Gateways MIB Management Information Base An SNMP structure th...

Page 289: ...s passphrases more secure PEM Privacy Enhanced Mail A standard for secure e mail on the Internet It supports encryption digital signatures and digital certificates as well as both private and public k...

Page 290: ...ess an intranet application by connecting to localhost on the specified port number Real Server Group A group of real servers that are associated with a virtual server IP address VIP or filter on a No...

Page 291: ...tions by easily integrating other security technologies e g SSL SOCKS includes two components the SOCKS server and the SOCKS client The SOCKS server is implemented at the application layer while the S...

Page 292: ...redundant paths and makes only one of them active at any given time TLS Transport Layer Security The TLS protocol provides communications privacy over the Internet The protocol allows client server ap...

Page 293: ...to split up groups of network users into manageable broadcast domains to create logical segmentation of workgroups and to enforce security policies among logical segments Up to 246 VLANs are supporte...

Page 294: ...had moved in the network For a more detailed description refer to RFC 2338 X 509 A widely used specification for digital certificates that has been a recommendation of the ITU since 1988 Nortel VPN Ga...

Page 295: ...ate 94 submit 94 certificates add using TFTP 103 client 110 managing 93 revoke client certificates 116 view installed certificates 172 ciphers list formats 179 meaning of string aliases 181 string ali...

Page 296: ...IP 37 host keys SSH 257 HSM iKey authentication 30 the ASA 310 FIPS 27 wrap key 30 HSM SO iKey 30 HSM USER 30 I idle timeout command line interface 144 iKey 30 authentication 30 HSM CODE 30 HSM SO 30...

Page 297: ...19 minor or major release upgrade 74 reinstall 70 version handling when upgrading 75 ssh host keys 257 SSH host keys 257 ssh known hosts 257 SSH see Secure Shell 138 146 SSL view configured servers 1...

Page 298: ...te software package 76 handling software versions 75 minor or major release upgrade 74 user access levels 140 Boot user for reinstall 70 categories 140 passwords 141 user preferences 261 V virtual IP...

Page 300: ...el Networks Nortel Nortel Networks the Nortel logo and the Globemark are trademarks of Nortel Networks Export This product software and related technology is subject to U S export control and may be s...
