- DL manuals
- RadiSys
- Gateway
- SEG-100
- Administration Manual
RadiSys SEG-100 Administration Manual
Summary of SEG-100
Page 1
Administration guide security gateway seg-100 software release 1.1 february 2012 007-03416-0003.
Page 2
Revision history version date description -0000 august 2011 first edition. -0001 september 2011 second edition. Updated to include new authentication profiles, radius authentication, and i-wlan solution. Added information on local user databases, cli scripting, statistics, and log receivers. Made si...
Page 3: Table of Contents
Table of contents 3 preface ................................................................................................................................................ 6 about this manual...............................................................................................................
Page 4
4 chapter 6: firewall ........................................................................................................................... 96 ip rules .................................................................................................................................................
Page 5
5 support for multiple ggsns ....................................................................................................................184 i-wlan use case ....................................................................................................................................184...
Page 6: Preface
6 preface about this manual this manual describes the radisys seg, a highly scalable security gateway optimized for long term evolution (lte) deployments. This manual introduces seg software concepts and serves as a reference for procedural and usage information. The target audience for this manual ...
Page 7: Preface
Preface 7 related documents rfc 791, internet protocol, ietf, september 1981. Rfc 1191, path mtu discovery, ietf, november 1990. Rfc 1305, network time protocol (version 3), ietf, march 1992. Rfc 1321, the md5 message‐digest algorithm, ietf, april 1992. Rfc 1777, lightweight directory access protoco...
Page 8: Chapter
1 chapter 8 overview seg overview the radisys seg is a robust telecom security gateway based on network domain security (nds) standards that provides stateful firewalling and ipsec tunneling in a single platform. The seg can be used to secure any large ip based network. In its first release, the seg...
Page 9: Overview
1 overview 9 stateful inspection the seg employs a technique called stateful inspection which means that it inspects and forwards traffic on a per‐flow basis. The seg detects when a new flow between a source and destination is being established, and keeps information about the flow over its lifetime...
Page 10: Overview
1 overview 10 logical objects you can consider logical objects to be predefined building blocks for use in rule sets. For example, the address book contains named objects representing host and network addresses. Another example of logical objects are services that represent specific protocol and por...
Page 11: Overview
1 overview 11 6. The ip rules are now searched for a rule that matches the packet. The following parameters are part of the matching process: • source and destination interfaces • source and destination network • ip protocol (for example tcp, udp, icmp) • tcp/udp ports • icmp types • point in time i...
Page 12: Chapter
2 chapter 12 management management access this section provides details of how to work with the seg management interfaces. The following interfaces are available: • command line interface (cli) the command line interface (cli) is accessible either locally via a computer’s serial console port or remo...
Page 13: Management
2 management 13 displaying local user databases with the seg cli, the name of the predefined local user database can be displayed with the command: device:/> show localuserdatabase name ‐‐‐‐‐‐‐‐‐‐ adminusers the contents of this can be displayed by first changing the cli context to be the database: ...
Page 14: Management
2 management 14 a complete listing of this database will show the new account: device:/localuserdatabase/adminusers> show user name groups comments ‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ admin administrators + audit auditors device:/localuserdatabase/adminusers> cc device:/> here, the group name auditors is ...
Page 15: Management
2 management 15 command line interface the cli provides a comprehensive set of commands that allow the display and modification of a seg configuration. This section provides only a summary for using the cli. For a complete reference for all cli commands, see the seg‐100 command line interface refere...
Page 16: Management
2 management 16 to add back the original authentication: device:/> set remotemanagement remotemgmtssh ssh_mgmt authprofile=mgmtauthprofile the source property of the mgmtauthprofile will be assigned the name of the local user database to use for authentication. Troubleshooting ssh access problems i...
Page 17: Management
2 management 17 frequently used commands the following commands will probably be the most often used with the cli to manipulate different seg objects: • add: adds an object, such as an ip address or a rule, to a seg configuration along with a set of required properties for the object. • set: sets on...
Page 18: Management
2 management 18 tab completion displays allowed properties only there are some important principles to understand when using tab completion for object properties: • the properties of an object are either required or optional. When using tab completion, optional properties are not displayed until all...
Page 19: Management
2 management 19 tab completion remembering as well as typing commands and their options can be demanding. The seg provides a feature called tab completion, which means that pressing the tab key will cause automatic completion of the current part of the command. If completion is not possible, pressin...
Page 20: Management
2 management 20 selecting object categories with some categories, it is necessary to first choose a member of that category with the cc (change category or context) command before individual objects can be manipulated. This is the case, for example, with routes. There can be more than one routing ta...
Page 21: Management
2 management 21 ssh cli login after access to the cli has been established to the seg through ssh, you must log on to the system to execute any cli commands. This authentication step ensures that only trusted users can access the system, as well as provides user information for auditing purposes. Af...
Page 22: Management
2 management 22 activating and committing changes if any changes are made to the current configuration through the cli, those changes will not become active until you issue the following command: device:/> activate to make the changes permanent, this should be immediately followed by: device:/> comm...
Page 23: Management
2 management 23 viewing the configuration log major seg system events, such as new configuration deployments and system starts, are recorded in the configuration log. Use the cfglog command to view the configuration log, as shown in the following example: device:/> cfglog ‐all notice vsinit/configur...
Page 24: Management
2 management 24 multiple administration logins the seg allows more than one user from the administrators group to be logged in at the same time and change the configuration simultaneously. A change made by one such user is visible immediately to all others. For example, if one user deletes a configu...
Page 25: Management
2 management 25 troubleshooting with icmp ping for troubleshooting communication problems with external devices, one of the most useful tools is the cli ping command. This command sends an icmp ping message to an external ipv4 address and reports if the device replies. For example, to send an icmp p...
Page 26: Management
2 management 26 the cli script command is the tool used for script management and execution. The complete syntax of the command is described in the seg‐100 command line interface reference and specific examples of usage are detailed in the following sections. See also command line interface on page ...
Page 27: Management
2 management 27 script validation and command ordering cli scripts are not, by default, validated and the ordering of the commands does not matter. There can be a reference to a configuration object at the beginning of a script that is created only at the end of the script. Although this might seem ...
Page 28: Management
2 management 28 listing scripts the script command without any parameters lists all the scripts currently available and indicates the size of each script as well as the type of memory where it resides (residence in non‐volatile memory is indicated by the word “disk” in the memory column). Device:/> ...
Page 29: Management
2 management 29 the file new_script_sgs can then be downloaded with scp to the local management workstation computer and then uploaded and executed on the other segs. The end result is that all units will have the same ipaddress objects in their address book. Note: in the created script example abov...
Page 30: Management
2 management 30 secure copy to upload and download files to or from the seg, the secure copy (scp) protocol can be used. Scp is based on the ssh protocol and many freely available scp clients exist for almost all platforms. The command line examples below are based on the most common command format ...
Page 31: Management
2 management 31 uploading certificate files the following command lines show how a typical scp utility might upload a host certificate consisting of two files called cert‐1.Cer and cert‐1.Key to a security gateway that has the management ip address 192.168.3.1: > scp c:\cert‐1.Cer admin@192.168.3.1:...
Page 32: Management
2 management 32 these mib file should be transferred to the hard disk of the workstation that will run the snmp client so they can be imported by the client software. When the snmp client runs, the mib files are read and tell the client which values can be queried on an seg device. Each entry in the...
Page 33: Management
2 management 33 remote access encryption for snmp version 1 or 2c, the community string will be sent as plain text over a network. This is clearly not secure if a remote client is communicating over the public internet. If this is the case, it is recommended to have remote access take place over an ...
Page 34: Management
2 management 34 automatic time synchronization the seg supports the optional use of a time synchronization protocol. This protocol allows the current time to be automatically retrieved from a time server over the public internet. Updating the system clock in this way can be done automatically on seg...
Page 35: Management
2 management 35 time servers the hardware clock that the seg uses can sometimes become fast or slow after a period of operation. This is normal behavior in most network and computer equipment and is solved by using time servers. The seg is able to adjust the clock automatically based on information ...
Page 36: Management
2 management 36 manually triggering time synchronization if there is a need to manually force the system clock to be updated, use the time ‐sync cli command. Example: manually triggering time synchronization time synchronization can be triggered from the cli. Device:/> time ‐sync time synchronizatio...
Page 37: Management
2 management 37 licensing to use the seg in a live environment, a license file must be deployed to the seg and associated with the configuration. The purpose of the license file is to define the capabilities and limitations that the seg installation has. A license file is a plain text file that defi...
Page 38: Management
2 management 38 some typical output from this command is shown below: device:/> license property value ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ isvalid: yes os: 1 registeredto: radisys qa registrationkey: 1654‐5761‐8527‐1384 oemid: 0 displaymodel: generic registrationdate: 2011‐11‐12 00:00:00 lastmod...
Page 39: Management
2 management 39 backup and restore the administrator has the ability to take a snapshot of an seg system at a given point in time and restore it if necessary. The snapshot taken is known as a configuration backup. This is a backup of the entire current seg configuration but does not include a copy o...
Page 40: Management
2 management 40 step 2: to make the uploaded configuration the current configuration, the following cli command is used: device:/> backup ‐restore filename> where filename is the name of the file in the backup folder. To list all files in /storage, use the cli command: device:/> backup ‐list when a ...
Page 41: Management
2 management 41 the restore will be successful; however, the processors use different logical names for their ethernet interfaces. For example, the interface sfp1 on the dpb1 processor corresponds to the sfp4 interface on the dpb2 processor. The restored configuration will continue to use original i...
Page 42: Management
2 management 42 crashdumps in the event of a serious system malfunction, the seg generates a crashdump and stores it in non‐volatile system memory as a set of files. The files generated by a crashdump consist of critical data that can assist in troubleshooting the cause of the malfunction. Send cras...
Page 43: Management
2 management 43 crashdump file naming every crashdump file has a file type of .Dump. The complete filename follows the format: .Dump where identifies the seg module that is the source of the crashdump, preceded by the date and time of when the crash occurred. For example: 2011‐01‐01_00.00.36_rtbld.D...
Page 44: Management
2 management 44 deleting a single file the ‐rm option can be used to delete files from permanent storage. For example, to remove the file 2011‐01‐01_00.00.52_dpcore.Dump, the command would be: device:/> crashdump ‐rm=2011‐01‐01_00.00.52_dpcore.Dump deleting all files all crashdump files stored in me...
Page 45: Management
2 management 45 for example, the bytes_in statistic associated with the sfp1 interface is identified with the path: /ifaces/sfp1/bytes_in these variable references in paths are indicated in the statistics reference using the [..N] notation. Types of statistic not all statistics are pure counters. Th...
Page 46: Management
2 management 46 starting and stopping regular polling to begin polling all values in the list at a regular interval, an additional command is required: device:/> statistics ‐poll ‐interval=10 this turns on regular polling with the same output as before and it will appear every 10 seconds on the cons...
Page 47: Management
2 management 47 statistics and high availability statistics are not correctly mirrored in inactive unit of an ha cluster. This topic is discussed further in ha issues on page 166 . Events and logging the ability to log and analyze system activities is an essential feature of the seg. Logging enables...
Page 48: Management
2 management 48 event severity the severity of each event is predefined and it can be, in order of severity, one of: • emergency • alert • critical • error • warning • notice • info • debug by default, the seg sends all messages of level infoand above to configured log servers. The debugcategory is ...
Page 49: Management
2 management 49 real-time display in the cli log event messages can be displayed in real time on a cli console by entering the command: device:/> log ‐on all messages are then displayed as they are generated as well as being sent to any configured log servers. To switch off logging, use the command:...
Page 50: Management
2 management 50 logging to syslog servers syslog is a standardized protocol for sending log data although there is no standardized format for the log messages themselves. The format used by the seg is well suited to automated processing, filtering and searching. Although the exact format of each log...
Page 51: Management
2 management 51 filtering severity and message exceptions for each log receiver, it is possible to impose rules on what log message categories and severities are sent to that receiver. It also possible to lower or raise the severity of specific events. Filtering severity the severity filter is a mea...
Page 52: Management
2 management 52 example: adding a message exception in this example, it is assumed that a syslog server has already been configured in the seg with the logical name my_syslog. It is required to change the severity of the log message 161 (“failed to rekey ike sa”) in the category ike from the default...
Page 53: Management
2 management 53 snmp mib file the file clavister‐trap.Mib, which is included in the seg distribution, defines the snmp objects and data types that are used to describe an snmp trap message received from the seg. Snmp trap object all seg generated snmp traps, regardless of severity, use a common trap...
Page 54: Chapter
3 chapter 54 addressing interfaces an interface is an important logical building block in the seg. All network traffic that transits through, originates from or is terminated in a security gateway, does so through one or more interfaces. Source and destination interfaces an interface can be thought ...
Page 55: Addressing
3 addressing 55 all interfaces are logically equivalent even though the different types of interfaces may be very different in the way they function, the seg treats all interfaces as logically equivalent. This is an important and powerful concept and means that all types of interfaces can be used al...
Page 56: Addressing
3 addressing 56 ethernetinterface and ethernetdevice object types in the seg there are two types of configuration objects that are used to manage ethernet interface operation: ethernetinterface and ethernetdevice. The ethernetinterface object is used to configure the logical properties of ethernet o...
Page 57: Addressing
3 addressing 57 listing ethernet interfaces to list all ethernet interfaces, the cli command is: device:/> show interface ethernetinterface interface name ip addresses routing table ‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐ sfp1 10.1.50.102 main sfp2 10.6.58.100 main the listing shows there are two ...
Page 58: Addressing
3 addressing 58 arp address resolution protocol (arp) allows the mapping of a network layer protocol (osi layer 3) address to a data link layer hardware address (osi layer 2). In data networks it is used to resolve an ipv4 address into its corresponding ethernet address. Arp operates at the osi laye...
Page 59: Addressing
3 addressing 59 example: displaying the arp cache the contents of the arp cache can be displayed from within the cli. This example displays the entries of the sfp1 interface. Device:/> arp ‐show arp cache of iface sfp1: dynamic 10.4.0.1 = 1000:0000:4009 expire=196 dynamic 10.4.0.165 = 0002:a529:1f65...
Page 60: Addressing
3 addressing 60 after the arp entry expiration time, the seg will learn the new mac address of the host but sometimes it may be necessary to manually force the update. The easiest way to achieve this is by flushing the arp cache. This deletes all dynamic arp entries from the cache and forces the seg...
Page 61: Addressing
3 addressing 61 creating arp entries to change the way the seg handles arp on an interface, you can create seg arp objects, each of which has the following properties: • mode: the type of arp object. This can be one of: • static – create a fixed mapping in the local arp cache. • publish – publish an...
Page 62: Addressing
3 addressing 62 arp publish the seg supports publishing ip addresses on a particular interface. This can optionally be done along with a specific mac address instead of the actual interface mac address. The seg will then send out these as arp replies for any arp requests received on the interface re...
Page 63: Addressing
3 addressing 63 address books the seg address book contains named objects representing various types of ip addresses, including single ipv4 and ipv6 addresses and networks, as well as ranges of addresses. Ethernet mac addresses can also be defined in the address book. Note: in this guide, an ipv6 pr...
Page 64: Addressing
3 addressing 64 • ip ranges: a range of ipv4 addresses is represented with the form a.B.C.D ‐e.F.G.H. Note that ranges are not limited to ipv4 netmask boundaries. They may include any span of ip addresses. For example, 192.168.0.10‐192.168.0.15 represents six ipv4 hosts in consecutive order. A range...
Page 65: Addressing
3 addressing 65 example: adding an ethernet address the following example adds an ethernet address object named wwwsrv1_mac with the numerical mac address 08‐a3‐67‐bc‐2e‐f2. Device:/> add address ethernetaddress wwwsrv1_mac address=08‐a3‐67‐bc‐2e‐f2 auto-generated address objects to simplify the con...
Page 66: Addressing
3 addressing 66 ipv6 support the ip address standard ipv6 is designed as a successor to ipv4, with the principal advantage of providing a much larger 128 bit address space. Among many other advantages, the large number of available global ipv6 addresses means that nat is no longer required to share ...
Page 67: Addressing
3 addressing 67 enabling ipv6 on an interface predefined address book objects already exist for each ethernet interface. To enable ipv6 on an interface, an ipv6 address and network (prefix) must be added to the associated address book object. This is done specifying a comma‐separated list of the ipv...
Page 68: Addressing
3 addressing 68 grouping ip addresses since the ipaddress object can contain any number of explicit ipv4 or ipv6 addresses as well as references to other ipaddress objects, it can be used to create grouping of addresses. There is no special group object in the seg for ip addresses. The all-nets addr...
Page 69: Addressing
3 addressing 69 ipv6 neighbor discovery ipv6 neighbor discovery (nd) is the ipv6 equivalent of the arp protocol with ipv4 (see arp on page 58 ). When ipv6 is enabled for a given ethernet interface, the seg will respond to any ipv6 neighbor solicitations (ns) sent to that interface with ipv6 neighbor...
Page 70: Addressing
3 addressing 70 ipv6 and high availability seg high availability (ha) does not fully support ipv6. Any ipv6 configuration objects will be mirrored on both the ha master and slave units. However, if a failover occurs, state information will be lost when one unit takes over processing from the other a...
Page 71: Addressing
3 addressing 71 example: configuring dns servers in this example, the dns client is configured to use a single dns server with ipv4 address 10.0.0.1. Device:/> set dns dnsservers=10.0.0.1 to show the configured dns server: device:/> show dns property value ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐ dnsservers: 10.0....
Page 72: Addressing
3 addressing 72 to list the seg dns cache, the command is: device:/> dns ‐list name address type ttl ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ www.Google.Com 209.85.149.99 a 49 www.Google.Com 209.85.149.103 a 49 www.Google.Com 209.85.149.104 a 49 www.Google.Com 209.85.149.105 ...
Page 73: Chapter
4 chapter 73 address translation overview the ability of the seg to modify the source or the destination ip address of packets as they traverse a security gateway is known as address translation. The ability to transform one ip address to another can have many benefits. Two of the most important are...
Page 74: Address Translation
4 address translation 74 many-to-oneip address translation nat provides many‐to‐one translation. This means that each nat rule in the ip rule set will translate between several source ip addresses and a single source ip address. To maintain session state information, each nat flow is translated to a...
Page 75: Address Translation
4 address translation 75 limitations on the number of nat flows approximately 64,500 simultaneous nat flows are possible if a “flow” is considered to be a unique pair of ip addresses and different port numbers are not used or the same destination port is used. For example, if a remote server demands...
Page 76: Address Translation
4 address translation 76 4. The seg receives the packet and compares it to its list of open flows. Once it finds the flow in question, it restores the original address and forwards the packet. 195.55.66.77:80 => 192.168.1.5:1038 5. The original sender now receives the response. The sequence of these...
Page 77: Address Translation
4 address translation 77 specifying the nat ip address in the preceding example, the ip address used for nat is the ipv4 address of the destination interface. The alternative is to specify another ipv4 address that is to be used on the destination interface. This is done by specifying the setsourcea...
Page 78: Address Translation
4 address translation 78 protocols handled by nat dynamic address translation handles the tcp, udp, and icmp protocols with a good level of functionality, since the algorithm knows which values can be adjusted to become unique in the three protocols. For other ip level protocols, unique flows are id...
Page 79: Address Translation
4 address translation 79 using a dmz at this point, it is important to understand the role of networks designated as a dmz as sat ip rules are of often used with them. The dmz’s purpose is to act as a network where resources, such as servers, are placed for access by external, untrusted clients, typ...
Page 80: Address Translation
4 address translation 80 example: enabling traffic to a protected web server in a dmz (1:1) this example creates a sat ip rule that will translate and allow ipv4 flows from the internet to a web server located in a dmz. The seg is connected to the internet using the wan interface with address object...
Page 81: Address Translation
4 address translation 81 since the five public ipv4 addresses are being arp published so these addresses are not routed on core, the sat destination interface is wan and not core. 1. Create an address object for the public ipv4 addresses: device:/> add address ipaddress wwwsrv_pub address=195.55.66....
Page 82: Address Translation
4 address translation 82 the required sat rule is defined as follows: 1. Change the current cli context to be the main ip rule set: device:/> cc ipruleset main 2. Create a sat rule for the translation: device:/ipruleset/main> add iprule action=allow service=http sourceinterface=lan sourcenetwork...
Page 83: Address Translation
4 address translation 83 1. Create an address object for the public ip addresses: device:/> add address ipaddress wwwsrv_pub address=195.55.66.77‐195.55.66.81 2. Create another object for the base of the web server ip addresses: device:/> add address ipaddress wwwsrv_priv address=10.10.10.5 3. Publi...
Page 84: Address Translation
4 address translation 84 example: port translation with sat this example is very similar to the 1:1 example near the beginning of this section but the port number will also be changed by the translation. A server’s private ip address is wwwsrv_priv on the dmz interface. All incoming http connections...
Page 85: Address Translation
4 address translation 85 the required ip rule is defined as follows: 1. Change the current cli context to be the main ip rule set: device:/> cc ipruleset main 2. Create a sat rule for the translation: device:/ipruleset/main> add iprule action=allow service=http sourceinterface=lan sourcenetwork=...
Page 86: Chapter
5 chapter 86 routing principles of routing ip routing is one of the most fundamental functions of the seg. Any ip packet flowing through an seg will be subjected to at least one routing decision at some point, so properly setting up routing is crucial for the system to function as expected. Routers ...
Page 87: Routing
5 routing 87 components of a route when a route is defined, it consists of the following properties: • interface this is the interface to forward the packet on in order to reach the destination network. In other words, it is the interface to which the destination ip range is connected, either direct...
Page 88: Routing
5 routing 88 typical routing scenario the diagram below illustrates a typical seg usage scenario. Figure 5. A typical routing scenario in the above diagram, the lan interface is connected to the network 192.168.0.0/24 and the dmz interface is connected to the network 10.4.0.0/16. The wan interface i...
Page 89: Routing
5 routing 89 • route #3 all packets going to hosts on the 195.66.77.0/24 network will be sent out on the wan interface. No gateway is required to reach this network. • route #4 all packets going to any host (the all‐nets‐ip4 network will match all hosts) will be sent out on the wan interface and to ...
Page 90: Routing
5 routing 90 when the default gateway of the second network's clients is now set to the same value as the local ip address of the above route, the clients will be able to communicate successfully with the interface. The ip address chosen in the second network isn't significant, as long as it is the ...
Page 91: Routing
5 routing 91 example: adding a route with localip this example will show adding a route for the network 10.2.2.0/24 on the interface sfp1 with localip set as 10.2.2.1. Device:/> cc routingtable main device:/routingtable/main> add route interface=sfp1 network=10.2.2.0/24 localip=10.2.2.1 device:/rout...
Page 92: Routing
5 routing 92 when an ip packet is received on any of the interfaces, the list of active flows is consulted to see if there is an already a flow for which the received packet belongs. If an existing flow is found, the flow information includes where to route the packet so there is no need for lookups...
Page 93: Routing
5 routing 93 the corresponding routing table in the seg will be similar to the following: flags network iface gateway local ip metric ‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐ 192.168.0.0/24 sfp1 20 10.0.0.0/8 wan 1 0.0.0.0/0 wan 192.168.0.1 20 note that multicast routes have...
Page 94: Routing
5 routing 94 example 1: displaying the main routing table this example illustrates how to display the contents of the default main routing table. To display the configured routing table, enter: device:/> cc routingtable main device:/routingtable/main> show route # interface network gateway local ip ...
Page 95: Routing
5 routing 95 when the system receives an ip packet whose destination address is one of the interface ips, the packet will be routed to the core interface. In other words, it is processed by the seg itself. There is also a core route added for all multicast addresses: route interface destination gate...
Page 96: Chapter
6 chapter 96 firewall ip rules before examining ip rule sets in detail, it is useful to first look at the general concept of security polices to which ip rule sets belong. Security policies seg security policies are configured by the administrator to regulate the way in which traffic can flow throug...
Page 97: Firewall
6 firewall 97 ip rules and default main rule set ip rule sets are the most important of the seg’s security policy rule sets. They determine the critical packet filtering function of the seg, regulating what is allowed or not allowed to pass between different interfaces and between interfaces and the...
Page 98: Firewall
6 firewall 98 creating a deny all ip rule by default, traffic that does not match any rule in the ip rule set is dropped by the seg. For logging purposes, it is nevertheless recommended that you create an explicit ip rule with an action of deny for all source/destination networks/interfaces, with lo...
Page 99: Firewall
6 firewall 99 now, return to the default root context: device:/ipruleset/main> cc device:/> save the configuration changes by issuing the activate command followed by the commit command. Tip: there may be several ip rule sets in use. It is recommended to include the ip rule set name in the name of t...
Page 100: Firewall
6 firewall 100 before the route lookup is completed, the seg first checks that traffic from the source network should, in fact, be arriving on the interface where it was received. This is done by the seg performing a reverse route lookup, which means that the relevant routing table is searched for a...
Page 101: Firewall
6 firewall 101 if the ‐verbose option is used, the matching reverse flow for a connection is also shown. The command form is as follows: device:/> flow ‐show ‐verbose all options for the flow command can be found in the seg‐100 command line interface reference. These include filtering parameters to ...
Page 102: Firewall
6 firewall 102 when an ip rule is triggered by a match, one of the following actions can occur: • allow: the packet is allowed to pass from the specified source to the specified destination interface. As the rule is applied to only the opening of a flow, an entry in the “flow table” is made to recor...
Page 103: Firewall
6 firewall 103 example: adding an allow ip rule this example shows how to create a simple allow rule that will allow http flows to be opened from the sfp1net network on the sfp1 interface to any ip4 address (all‐nets‐ip4) on the wan interface. 1. Change the current context to be the main ip rule set...
Page 104: Firewall
6 firewall 104 specifying any protocol an important predefined service is all_services. This service covers all possible protocols and is used in the filtering criteria of a rule when the protocol is not relevant. This is an example of a service group that is discussed later in service groups on pag...
Page 105: Firewall
6 firewall 105 icmp services another type of custom service that can be created is an icmp service. The internet control message protocol (icmp) is a protocol that is integrated with ip for reporting errors and transmitting control information. For example, the icmp ping feature uses icmp to test in...
Page 106: Firewall
6 firewall 106 redirect the source is told that there is a better route for a particular packet. Codes assigned are as follows: • code 0: redirect datagrams for the network • code 1: redirect datagrams for the host • code 2: redirect datagrams for the type of service and the network • code 3: redire...
Page 107: Firewall
6 firewall 107 service groups a service group is an seg object that consists of a collection of services. Groups are useful when you want to construct security policies that contain multiple services. Advantage of groups for example, there may be a need for a set of ip rules that are identical to ea...
Page 108: Firewall
6 firewall 108 custom access rules are optional for most configurations, the default access rule is sufficient and you do not need to explicitly specify other rules. For example, the default rule can protect against ip spoofing, which is described in the next section. If access rules are explicitly ...
Page 109: Firewall
6 firewall 109 access rule actions the access rule actions that can be specified are: • drop: discard the packets that match the defined fields. • accept: accept the packets that match the defined fields for further inspection in the rule set. Note: logging can be enabled as required for these actio...
Page 110: Firewall
6 firewall 110 internet access this section describes setting up access to the public internet using the cli, with static ip addresses supplied by an isp. Assumptions the assumption for the examples and descriptions in this chapter is that the hardware platform has two ethernet interfaces available:...
Page 111: Firewall
6 firewall 111 4. Set the ip object sfp2_ip, which will be the ip address of the interface connected to the isp: device:/> set ipaddress sfp2_ip address=10.5.4.35 on initial startup, the seg automatically creates and fills the seg address book with the all interface related ip address objects. 5. Se...
Page 112: Firewall
6 firewall 112 3. To include the dns protocol to resolve urls into ip addresses, create a separate ip rule for dns: device:/main> add iprule name=lan_to_wan_dns action=nat sourceinterface=sfp1 sourcenetwork=sfp1_net destinationinterface=sfp2 destinationnetwork=all‐nets‐ip4 service=dns‐all ...
Page 113: Chapter
7 chapter 113 ipsec vpn overview this section takes a general look at vpns, what they are, what they can provide, and the typical scenarios where they are used. Vpn usage the internet is increasingly used as a means to connect computers together since it offers efficient and inexpensive communicatio...
Page 114: Ipsec Vpn
7 ipsec vpn 114 there are two common scenarios where vpn is used: 1. Lan to lan connection – where two internal networks need to be connected together over the internet. In this case, each network is protected by an individual security gateway and the vpn tunnel is set up between them. 2. Client to ...
Page 115: Ipsec Vpn
7 ipsec vpn 115 vpn encryption encryption of vpn traffic is done using the science of cryptography. Cryptography is an umbrella expression covering 3 techniques and benefits: confidentiality no one but the intended recipients is able to receive and understand the communication. Confidentiality is ac...
Page 116: Ipsec Vpn
7 ipsec vpn 116 it is becoming increasingly common for users on the move to connect directly to their company’s network via vpn from their laptops. However, the laptop itself is often not protected. In other words, an intruder can gain access to the protected network through an unprotected laptop an...
Page 117: Ipsec Vpn
7 ipsec vpn 117 ipsec components this section covers ipsec standards and describes in general terms the various components, techniques, and algorithms that are used in ipsec‐based vpns. Ipsec overview internet protocol security (ipsec) is a set of protocols defined by the internet engineering task f...
Page 118: Ipsec Vpn
7 ipsec vpn 118 an sa is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic that is usually found in a vpn, more than one sa is required per connection. Typically, when only esp or ah is used, two sas will be created for each connection, one describing th...
Page 119: Ipsec Vpn
7 ipsec vpn 119 authentication can be accomplished through using pre‐shared keys (psk) or certificates. Using pre‐shared keys is the most common authentication method. Both psk and certificates‐based vpns are supported by the seg. Ike phase 2: ipsec security negotiation in phase 2, another negotiati...
Page 120: Ipsec Vpn
7 ipsec vpn 120 remote endpoint the remote endpoint (sometimes also referred to as the remote gateway) is the remote device that performs vpn decryption/authentication and that passes the unencrypted data on to its final destination. The remote endpoint is not used in transport mode. Ipsec protocols...
Page 121: Ipsec Vpn
7 ipsec vpn 121 pfs with perfect forwarding secrecy (pfs) disabled, initial keying material is “created” during the key exchange in phase‐1 of the ike negotiation. In phase‐2 of the ike negotiation, encryption and authentication session keys will be extracted from this initial keying material. By us...
Page 122: Ipsec Vpn
7 ipsec vpn 122 diffie‐hellman is used to establish the shared secret keys for ike, ipsec and pfs. The diffie‐hellman group indicates the degree of security used for dh exchanges. The higher the group number, the greater the security but also the processing overhead. The dh groups supported by the s...
Page 123: Ipsec Vpn
7 ipsec vpn 123 ike authentication ike provides a way to securely establish communications between the two ends of an ipsec tunnel. Before examining ike in detail, the alternative of manually setting up a tunnel is discussed. Manual keying without ike without ike, the “simplest” way of configuring t...
Page 124: Ipsec Vpn
7 ipsec vpn 124 advantages of certificates the principal advantage of certificates is the added flexibility. Many vpn clients can be managed without having the same pre‐shared key configured on all of them, which is often the case when using pre‐shared keys and roaming clients. Instead, should a cli...
Page 125: Ipsec Vpn
7 ipsec vpn 125 esp (encapsulating security payload) the esp protocol inserts an esp header after the original ip header, in tunnel mode, the esp header is inserted after the outer header, but before the original, inner ip header. All data after the esp header is encrypted and/or authenticated. The ...
Page 126: Ipsec Vpn
7 ipsec vpn 126 supported algorithms the algorithms currently supported by the seg are: • encryption algorithms: aes128‐cbc aes192‐cbc aes256‐cbc 3des null • data integrity algorithms: sha1 md5 aes‐xcbc • pseudo‐random function algorithms: this is the same list as for data integrity algorithms abo...
Page 127: Ipsec Vpn
7 ipsec vpn 127 creating and using proposal lists there are two object types that define proposal lists and these make use of the high, low and all algorithm groupings described above: • ikeproposallist this type has three pre‐defined objects: • ike_high – the ipsec tunnel default. • ike_low • ike_a...
Page 128: Ipsec Vpn
7 ipsec vpn 128 pre-shared keys pre‐shared keys (psk) are one of the methods used to authenticate vpn tunnels. The other method is certificates. Psks are secrets that are shared by the communicating parties before communication takes place. To communicate, both parties prove that they know the secre...
Page 129: Ipsec Vpn
7 ipsec vpn 129 certificate components a certificate consists of the following: • a public key: the “identity” of the user, such as name and user id. • digital signatures: a statement that tells the information enclosed in the certificate has been vouched for by a certificate authority (ca). By bind...
Page 130: Ipsec Vpn
7 ipsec vpn 130 trusting certificates when using certificates, the seg can trust any party whose certificate is signed by a given ca. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate: • construct a certification path up to the trusted root ca....
Page 131: Ipsec Vpn
7 ipsec vpn 131 association with tunnels the association between a tunnel and certificates is created using the localid property of the ipsec tunnel. The tunnel’s localauthmethod property should be set to certificate (by default, this also becomes the value for remoteauthmethod, although the two cou...
Page 132: Ipsec Vpn
7 ipsec vpn 132 5. Mark and copy into the system clipboard that line and everything under it, up to and including the line: ‐‐‐‐‐end rsa private key‐‐‐‐ 6. Now paste the copied text into the .Key file and save it. 7. Back in the .Pem file, locate the line that begins: ‐‐‐‐‐begin certificate‐‐‐‐ and ...
Page 133: Ipsec Vpn
7 ipsec vpn 133 however, the ipsec tunnel itself does not need any ip rules defined. These rules are hidden, and created automatically by the seg so that ike negotiations and tunnel establishment can take place. Dead peer detection after the establishment of an ipsec tunnel to a client, the seg uses...
Page 134: Ipsec Vpn
7 ipsec vpn 134 now consider the following sequence: 1. A client with ipv4 address 177.22.0.47 initiates an ipsec negotiation with an ike_init message. 2. Assuming that the client’s proposal list can match either tunnel, the ipsec tunnel object b is chosen for the connection because its remote endpo...
Page 135: Ipsec Vpn
7 ipsec vpn 135 setting up ipsec tunnels other sections explore ipsec components in detail. This section provides a summary of the essential steps needed for ipsec setup. It outlines the individual steps in setting up ipsec for the following scenarios: • ipsec lan to lan with pre‐shared keys • ipsec...
Page 136: Ipsec Vpn
7 ipsec vpn 136 ipsec lan to lan with pre-shared keys 1. Create a new ipsecpsk object. This will contain the key as well as a unique combination of localid and remoteid. It is this combination of local and remote id that is used to associate the key with the tunnel. Both local and remote id can take...
Page 137: Ipsec Vpn
7 ipsec vpn 137 • if not using the default ipsec_high list, set ipsecproposallist to the proposal list to be used for the tunnel. • specify a localid for the tunnel. The combination of this and the remoteid will identify the ipsecpsk object to use. • specify a remoteid for the tunnel. This can be sp...
Page 138: Ipsec Vpn
7 ipsec vpn 138 the setup steps are as follows: 1. Connect to the management interface for the seg at one end of the tunnel. 2. Upload the root certificate and host certificate into the seg using ssh. The root certificate needs to have 2 parts added: a certificate file and a private key file. The ga...
Page 139: Ipsec Vpn
7 ipsec vpn 139 nat detection mechanism to achieve nat detection, both ipsec peers send hashes of their own ip addresses along with the source udp port used in the ike negotiations. This information is used to see whether the ip address and source port each peer uses is the same as that which the ot...
Page 140: Ipsec Vpn
7 ipsec vpn 140 ca server access certificate validation can be performed by accessing a separate certificate server (ca) server. For example, the two sides of an ipsec tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate....
Page 141: Ipsec Vpn
7 ipsec vpn 141 2. The ca server is a private server with tunnels set up over the public internet and with clients that will try to validate the certificate received from the seg. In this case, the following must be done: a. A private dns server must be configured so that the seg can locate the priv...
Page 142: Ipsec Vpn
7 ipsec vpn 142 placement of private ca servers the simplest solution for placement of a private ca server is to have it on the unprotected side of the seg. However, this is not recommended from a security viewpoint. It is better to place it on the inside (or preferably in the dmz if available) and ...
Page 143: Ipsec Vpn
7 ipsec vpn 143 turning off certificate validation one of the ways to troubleshoot problems with ca server access is to turn off the requirement to validate certificates. By default, checking is always enabled. Attempts to access ca servers by the seg can be disabled by setting the crl option for a ...
Page 144: Ipsec Vpn
7 ipsec vpn 144 • try and avoid duplication of ip addresses between the remote network being accessed by a client and the internal network to which a roaming client belongs. If a roaming client becomes temporarily part of a network such as a wi‐fi network at an airport, the client will get an ip add...
Page 145: Ipsec Vpn
7 ipsec vpn 145 the seg uses the certificate version that is in the cache if it is there. If there has been a change to a certificate either locally of remotely, the cache may need to be updated. The contents of the cache can be examined using only ‐cert option on its own. Some example output is giv...
Page 146: Ipsec Vpn
7 ipsec vpn 146 ipsec troubleshooting commands a number of commands can be used to diagnose ipsec tunnel issues: using the flow cli command seg ipsec traffic consists of esp flows. A flow is unidirectional and esp traffic consists of a single, unidirectional flow. Esp flows can be examined using the...
Page 147: Ipsec Vpn
7 ipsec vpn 147 the displayed list can be filtered using any of a number of filtering parameters. For example, all flows that have a destination of the ipsec tunnel called my_tunnel could be examined with the command: device:/> flow ‐show ‐destiface=my_tunnel all options for the flow command can be ...
Page 148: Ipsec Vpn
7 ipsec vpn 148 using ike -snoop vpn tunnel negotiation when setting up ipsec tunnels, problems can arise because the initial negotiation fails when the network devices at either end of a vpn tunnel try but fail to agree on which protocols and encryption methods will be used. The cli command ike ‐sn...
Page 149: Ipsec Vpn
7 ipsec vpn 149 consider the first part: 172.22.53.18:500 indicates that an initial request to set up a security association was made and originates from remote ipv4 address 172.22.53.23, port 500, which will be the remote tunnel endpoint. This was received at local ipv4 address 172.22.53.18, port 5...
Page 150: Ipsec Vpn
7 ipsec vpn 150 specific error messages this section will deal with specific error messages that can appear with vpn and what they indicate. The messages discussed are: • could not find acceptable proposal / no proposal chosen. • incorrect pre‐shared key. • ike_invalid_payload, ike_invalid_cookie. •...
Page 151: Ipsec Vpn
7 ipsec vpn 151 incorrect pre-shared key a problem with the pre‐shared key on either side has caused the tunnel negotiation to fail. This is perhaps the easiest of all the error messages to troubleshoot since it can be only one thing, and that is incorrect pre‐shared key. Double‐check that the pre‐s...
Page 152: Ipsec Vpn
7 ipsec vpn 152 the possible causes are as follows: • the certificate on either side is not signed by the same ca server. • the certificate's validity time has expired or it has not yet started to be valid. The latter can happen if the clock is set incorrectly on either the ca server or the seg or t...
Page 153: Chapter
8 chapter 153 authentication authentication profiles authentication refers to the process of checking and verifying credentials of external users before allowing them access to requested resources through the seg. The resources could be public internet access from an internal network, access to an i...
Page 154: Authentication
8 authentication 154 • timeouts a number of timeout values can be set for the profile: • idle timeout • session timeout • use timeouts sent by the authentication source • brute force attack prevention this option can be activated to control the following: • login attempts – this is the maximum numbe...
Page 155: Authentication
8 authentication 155 radius architecture the radius protocol is based on a client/server architecture. The seg acts as the client of the radius server, creating and sending requests to a dedicated server(s). In radius terminology the security gateway acts as the network access server (nas). For user...
Page 156: Authentication
8 authentication 156 the radius vendor id when configuring the radius server itself to receive requests from the seg, it is important to enter a value for the vendor id (vid). This value should be specified as 5089. Example: configuring a radius server in this example, a radius server will be config...
Page 157: Chapter
9 chapter 157 high availability overview ha clusters the seg high availability (ha) feature provides hardware redundancy for seg installations. Ha works by adding a backup slave security gateway to an existing master security gateway. The master and slave are connected together and make up a logical...
Page 158: High Availability
9 high availability 158 interfaces that are not set as critical in the configuration do not have heartbeats sent over them and will not cause an ha failover if they fail. Failure of a critical interface will cause a failover to occur once the cluster has identified the failed interface. The heartbea...
Page 159: High Availability
9 high availability 159 extending redundancy implementing an ha cluster will eliminate one of the points of failure in a network. Routers, switches, and internet connections can remain as potential points of failure, and redundancy for these should also be considered. Ha mechanisms this section disc...
Page 160: High Availability
9 high availability 160 increasing heartbeat frequency heartbeats are not sent at smaller intervals than a tenth of a second because such delays may occur during normal operation. An operation, for example, opening a file, could result in delays long enough to cause the inactive system to go active,...
Page 161: High Availability
9 high availability 161 setting up ha preconditions for creating an ha cluster when setting up an seg ha cluster, the following is required: 1. Two security gateways with identical hardware configurations running the same version of the seg. For module‐based platforms, these should be two separate m...
Page 162: High Availability
9 high availability 162 setup steps the steps necessary for cluster setup can be summarized as: 1. Ensure the ethernetdevice settings are correct. 2. Set the interface shared and private ip addresses of all interface pairs for both master and slave. 3. Set the interface type of all interface pairs f...
Page 163: High Availability
9 high availability 163 setting interface ip addresses each interface on both the master and slave units has two ip addresses associated with it: 1. The shared ip address the shared ip address is the address that is used during general operation of the ha cluster and is the address used in construct...
Page 164: High Availability
9 high availability 164 setting the interface type the hatype for each interface should be set to either critical, noncritical or sync, and this setting must agree between master/slave interface pairs. At least one interface must be set as sync. The default is critical. Setting the interface type ca...
Page 165: High Availability
9 high availability 165 verifying synchronization once the slave configuration is activated, synchronization between the cluster nodes will take place. The cli command ha will indicate that both systems are running in ha mode and that the nodes are alive. If a security gateway is not part of a ha cl...
Page 166: High Availability
9 high availability 166 ha issues the following points should be kept in mind when managing and configuring an ha cluster. All cluster interfaces need ip addresses all interfaces on both ha cluster units should have a valid private ip address object assigned to them. The predefined ip object local h...
Page 167: High Availability
9 high availability 167 ha limitations with statistics seg statistics are not mirrored in both the master and slave units of an ha cluster since they relate only to the individual cluster units. This means that some statistics will not reflect the values of the failed system after the failover..
Page 168: Chapter
10 chapter 168 advanced settings flow timeout settings the settings in this section specify how long a different types of flow can remain idle before being automatically closed. A flow is idle if no data being sent through it. Please note that each flow has two timeout values: one for each direction...
Page 169: Advanced Settings
10 advanced settings 169 other idle lifetime specifies in seconds how long flows using an unknown protocol can remain idle before they are closed. Device:/> set settings flowtimeoutsettings flowlifetimeother=130 default: 130 length limit settings this section contains information about the size limi...
Page 170: Advanced Settings
10 advanced settings 170 max gre length specifies in bytes the maximum size of a gre packet. Gre, generic routing encapsulation, has various uses, including the transportation of pptp, point to point tunneling protocol, data. This value should be set at the size of the largest packet allowed to pass...
Page 171: Advanced Settings
10 advanced settings 171 max ipip/fwz length specifies in bytes the maximum size of an ip‐in‐ip packet. Ip‐in‐ip is used by checkpoint firewall‐1 vpn connections when ipsec is not used. This value should be set at the size of the largest packet allowed to pass through the vpn connections, regardless...
Page 172: Advanced Settings
10 advanced settings 172 pseudo reass max concurrent maximum number of concurrent fragment reassemblies. To drop all fragmented packets, set pseudoreass_maxconcurrent to 0. Device:/> set settings fragsettings pseudoreass_maxconcurrent=1024 default: 1024 illegal fragments determines how the seg will ...
Page 173: Advanced Settings
10 advanced settings 173 failed fragment reassembly specifies logging for failed reassembly attempts. Device:/> set settings fragsettings fragreassemblyfail=logsuspectsubseq default: logsuspectsubseq reassemblies may fail due to one of the following causes: • some of the fragments did not arrive wit...
Page 174: Advanced Settings
10 advanced settings 174 duplicate fragments determines whether a fragment that arrives more than once should be logged. Device:/> set settings fragsettings duplicatefrags=logsuspect default: logsuspect if a duplicate fragment arrives, this can mean either that it has been duplicated at some point o...
Page 175: Advanced Settings
10 advanced settings 175 reassembly timeout the number of seconds after the previous fragment in which no further fragments arrive before a reassembly attempt will be interrupted. Device:/> set settings fragsettings reasstimeout=65 default: 65 max reassembly time limit the number of seconds after th...
Page 176: Advanced Settings
10 advanced settings 176 ipv6 nop fragments whether to ignore fragments when the packet is the first and last fragment at the same time (and by definition not a fragment, though it has a fragment header). Note that these packets are legal, and serves a purpose as an non‐ipv6 to ipv6 connection mecha...
Page 177: Chapter
11 chapter 177 i-wlan i-wlan overview an interworking wireless access network (i‐wlan) is a wireless data access solution that allows data traffic to flow between wlans and 3gpp systems. Clients accessing such a wlan might, for example, be mobile computing devices requiring public internet access. A...
Page 178: I-Wlan
11 i-wlan 178 authentication of the security gateway with certificates is done without referencing a crl on a ca server. The gateway sends the appropriate host certificate to the client which then validates it against its own, preinstalled ca signed root certificate. This may require the use of inte...
Page 179: I-Wlan
11 i-wlan 179 • responsetimeout this parameter is a timer that specifies how soon a response is expected to be received from a gtp peer before retransmission will take place over a path for a given gtp request. If a response is not received within the specified time for a given request, the t3 respo...
Page 180: I-Wlan
11 i-wlan 180 • seqnumbercheck this option enables the sequence number check method to determine if received pdus are valid. The default value is no. • ggsndynip this specifies whether an ip address will be passed to a ggsn when establishing gtp tunnels requesting an ip to be used for the client, or...
Page 181: I-Wlan
11 i-wlan 181 charging this is a set of 16 vendor‐specific flags that specify vendor‐specific triggers to send to a ggsn when establishing gtp tunnels. In practice, many of the above settings don’t need to be changed for many i‐wlan deployments since the default values are appropriate. Interface sel...
Page 182: I-Wlan
11 i-wlan 182 to set up a stitched interface pair, the stitchedinterface= property for each interface is set to the other interface in the pair. With i‐wlan for example, a gtp tunnel may be set up as follows: device:/> add interface gtpinterface gn localendpoint=gn_ip interceptdhcpinform=yes sti...
Page 183: I-Wlan
11 i-wlan 183 certificates with i-wlan in i‐wlan scenarios, certificates are used so that the roaming clients can authenticate the seg when communications are established. This can involve certificate chains so any intermediate certificates that are required to complete the validation chain should b...
Page 184: I-Wlan
11 i-wlan 184 sending the p-cscf address following completion of an ike negotiation, clients send a dhcp request to the seg through the now established ipsec tunnel. The seg will respond to this with the p‐cscf (sip server) address. The option exists for the seg to either intercept and respond to th...
Page 185: Appendix
A appendix 185 glossary of terms 10baset the ieee 802.3 specification for 10 mbps ethernet over two pairs of cat 3 or better utp (unshielded twisted‐pair) cable, up to 200 m. 100baset a set of media specifications, which include 100base‐tx, 100base‐t4 and 100base‐fx. Also known as fast ethernet. 100...
Page 186: Glossary of Terms
A glossary of terms 186 certificate a certificate is a digital proof of identity. Chap challenge handshake authentication protocol. Cipher cipher is a method of encrypting text (to produce cipher text) in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contigu...
Page 187: Glossary of Terms
A glossary of terms 187 digital signature by encrypting a digest of a message with the private key, authentication can later be performed by applying the public key to an encrypted digest (digital signature) and comparing the result to the digest of the message. Digital signature algorithm (dsa) dsa...
Page 188: Glossary of Terms
A glossary of terms 188 eap/sim extensible authentication protocol/subscriber identity module; utilizing ikev2. Encryption a security mechanism used for the transformation of data from an intelligible form (plaintext) into an unintelligible form (ciphertext), to provide confidentiality. The inverse ...
Page 189: Glossary of Terms
A glossary of terms 189 hop in a packet‐switching network, a hop is the trip a data packet takes from one router or intermediate point to another in the network. On the internet (or a network that uses tcp/ip), the number of hops a packet has taken toward its destination (called the “hop count”) is ...
Page 190: Glossary of Terms
A glossary of terms 190 ipsec ip security. With ipsec the data traffic can be protected on ip level. Ipsec is a vendor independent security architecture from the standardization organization ietf. Ip sub‐network an ip sub‐network (or sub‐net is a division of network elements in a network, based on t...
Page 191: Glossary of Terms
A glossary of terms 191 md5 message digest 5. A message‐digest algorithm developed by ron rivest of rsa security. It computes a secure, irreversible, cryptographically strong 128‐bit hash value for a document. The algorithm is documented in rfc 1321. Ms‐chap v1 microsoft challenge handshake authenti...
Page 192: Glossary of Terms
A glossary of terms 192 pfs perfect forward secrecy refers to the notion that any single key being compromised will permit access to only data protected by that single key. In order for pfs to exist, the key used to protect transmission of data must not be used to derive any additional keys. If th...
Page 193: Glossary of Terms
A glossary of terms 193 psk pre‐shared key. With pre‐shared key authentication, an identical symmetric key must be manually configured on both systems. The shared key is a secret passphrase, normally a string of ascii characters or a set of random hexadecimal numbers. Both endpoints need to have the...
Page 194: Glossary of Terms
A glossary of terms 194 routing table a routing table is a set of rules, often viewed in table format, that is used to determine where data packets traveling over an internet protocol (ip) network will be directed. All ip‐enabled devices, including routers and switches, use routing tables. Rsa a pub...
Page 195: Glossary of Terms
A glossary of terms 195 spf sender policy framework (spf) is an anti‐spam approach in which the internet domain of an e‐mail sender can be authenticated for that sender, thereby discouraging spam mailers, who routinely disguise the origin of their e‐mail, a practice known as e‐mail spoofing. Spf and...
Page 196: Glossary of Terms
A glossary of terms 196 uma unlicensed mobile access. Unc uma network controller. Vpn virtual private network. Secure communication between multiple networks or network devices using insecure public networks, such as the internet. Vpn tunnel a connection over the internet between a user connected on...
Page 197: Appendix
B appendix 197 osi model overview the open systems interconnection (osi) model defines a framework for inter‐computer communications. It categorizes different protocols for a great variety of network applications into seven smaller, more manageable layers. The model describes how data from an applic...
Page 198: Osi Model
B osi model 198 layer 4 – transport layer controls data flow and provides error‐handling. Protocols: tcp, udp and similar. Layer 3 – network layer performs addressing and routing. Protocols: ip, ospf, icmp, igmp and similar. Layer 2 – data‐link layer creates frames of data for transmission over the ...