Network Security White Paper ver. G.1.2
1/24/2011
Technical Information: Network Security White Paper
Document Version G.1.
NOTICE: This document may not be reproduced or distributed in whole or in part, for any purpose or in any fashion without the prior written consent of Ricoh Company limited. Ricoh Company limited retains the sole discretion to grant or deny consent to any person or party. All product names, domain names or product illustrations, including desktop images, used in this document are trademarks, registered trademarks or the property of their respective companies.
Terms:
The following terms are used in this document. Please familiarize yourself with them.
The products: This refers to the digital multifunction and printing devices covered by this document, as noted in the Model Cross Reference table. The term “the products” refers to all of these machines collectively.
Host Interface: This refers to the physical interface of the Ethernet board on “the products”.
Table of Contents (excerpt):
1. Introduction ... 9
1-1 Port Based Network Services and Potential Security Issues ... 9
1-2 TELNET ... 10
1-2-1 Function Overview
1-5-6 Recommended Precautions ... 16
1-6 HTTPS ... 16
1-6-1 Function Overview ... 16
1-6-2 Theft of Username and Password
1-13-1 Function Overview ... 24
1-13-2 Potential Threats and Recommended Precautions ... 24
1-13-3 Visibility on the Network ... 25
1-13-4 Recommended Precautions ... 25
1-14 MDNS
2-1-3 WEP ... 30
2-1-4 WPA ... 30
2-1-5 Potential Threats ... 31
2-1-6 WEP
3-9-1 Web Image Monitor ... 60
3-9-2 [IEEE802.11b Settings] ... 61
3-9-3 WEP ... 62
3-9-4 WPA
1. Introduction
This document describes potential network threats and recommended precautions for them. The products have built-in network services for providing a variety of features for wired and wireless network clients, such as network scanning, printing or faxing, and also client services for accessing network servers running outside the products, such as an LDAP server, Netware server, or Mail server.
We also recommend using the Access Control function for added security. Access Control is a list of “safe” client host addresses. Once Access Control is set up for specific IP addresses, the products will accept print or scan requests from the specified hosts only. Access Control can be applied to LPR printing, RSH/RCP access, Bonjour access, HTTP/HTTPS access, FTP printing, TCP raw printing (DIPRINT), SMB printing, IPP printing, and scanning from DeskTopBinder.
1-2-5 Interception of network packets:
When accessing the products using TELNET, the username and password are sent in clear text, because the TELNET protocol itself does not support encryption. So if the username and password are intercepted, the possibility of unauthorized access and changes being made does exist.
1-2-6 Brute force password crack:
The RICOH network device can detect a high frequency of failed logins.
1-3 FTP
1-3-1 Function Overview
The FTP (File Transfer Protocol) service is compliant with RFC 959. TCP port 20 is used for the FTP-data service and TCP port 21 is used for the FTP-control service. In order to work with the products, FTP clients must be compliant with RFC 959. The following functions are provided by the FTP service.
password that are disclosed only to Service Technicians is required to input firmware to the printer using the FTP service. In addition, firmware is verified by checking the header for a digital signature before being used. It would be extremely difficult to make fake firmware. A downgrade (i.e. installing old unsigned firmware) is not allowed by RFU.
Possibility of Acting as a Server for Relaying Viruses
This is unlikely, although the FTP service permits write-access.
1-4-2 Destruction, Corruption and Modification of the File System or Kernel
Although the SFTP service permits write-access, any files that are received by the printer are considered to be a print job or firmware. If the embedded SFTP server receives anything other than a digitally signed firmware file, the device will print a binary representation (garbage characters) of the data.
1-5 HTTP
1-5-1 Function Overview
The HTTP (Hypertext Transfer Protocol) service provides web services. This service is compliant with RFC 1945. TCP port 80 is used for the HTTP service. The following functions are provided by the HTTP server service.
• Web Image Monitor
• Document server access via DeskTopBinder.
1-5-6 Recommended Precautions
The following are suggested precautions against threats to the HTTP service.
Scenario 1: Basic security settings
Change the username and password from the default value to something difficult to guess and change them regularly. The username and password are the same as those used for logging in to mshell; therefore, changing the username and password for Web Image Monitor’s Administrator mode means changing them for the mshell as well.
1-6-3 Theft of Print Data
Interception of network packets: Using HTTPS, all data sent over the connection is encrypted. Therefore, even if data is intercepted, it will be extremely difficult to use.
1-6-4 Recommended Precautions
The following are suggested precautions against threats to the HTTPS service.
Scenario 1: Basic security settings
Change the usernames and passwords from the default values to something difficult to guess and change them regularly.
1-7-2 Potential Threats and Recommended Precautions
Destruction, Corruption and Modification of the File System
The possibility of destruction, corruption or modification of the file system is very low. SNMP permits write-access to network parameters only. Access to the file system or kernel is not permitted using SNMP.
Theft of Community Name
Community names are sent in clear text because of the specification of the protocol.
NOTE1: Please refer to the Appendix section entitled “SNMP settings” for details about SNMP settings.
NOTE2: We recommend using the maximum level of security possible. SNMP v3 should always be used in cases where SNMP v1/v2 is not absolutely necessary. Utilities that do not support SNMP v3 will not be able to get device status unless SNMP v1/v2 is enabled. Therefore, these utilities will not work correctly if SNMP v1/v2 has been disabled.
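The following Python is an added example, not part of the white paper: it walks the BER header of hand-constructed SNMP datagrams to show that in v1/v2c the community name is a plain OCTET STRING immediately after the version field, and flags such traffic so the sending utility can be identified before SNMP v1/v2 is disabled on the MFP as NOTE2 recommends. All datagrams and addresses below are constructed for the example.

```python
# Minimal BER walker for the outer SNMP message header (added example).

# Constructed SNMPv1 GetRequest for sysDescr.0 with community "public".
SNMPV1_GET = bytes.fromhex(
    "30 26 02 01 00 04 06 70 75 62 6c 69 63 "
    "a0 19 02 01 01 02 01 00 02 01 00 "
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00"
)
# Same request as SNMPv2c: only the version INTEGER differs (1 instead of 0).
SNMPV2C_GET = bytes([0x30, 0x26, 0x02, 0x01, 0x01]) + SNMPV1_GET[5:]
# Constructed SNMPv3 discovery message: version 3, msgGlobalData, empty USM
# security parameters and a scoped PDU with no varbinds. No community exists.
SNMPV3_DISCOVERY = bytes.fromhex(
    "30 3b 02 01 03 "
    "30 11 02 04 00 00 00 2a 02 03 00 ff e3 04 01 04 02 01 03 "
    "04 10 30 0e 04 00 02 01 00 02 01 00 04 00 04 00 04 00 "
    "30 11 04 00 04 00 a0 0b 02 01 01 02 01 00 02 01 00 30 00"
)

VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form definite length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return {'version': 'v1'|'v2c'|'v3', 'community': str|None}.

    For v1/v2c the community name is the OCTET STRING that directly follows
    the version INTEGER, which is why any observer on the path can read it.
    """
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version not in VERSION_NAMES:
        raise ValueError(f"unknown SNMP version {version}")
    if version == 3:
        return {"version": "v3", "community": None}
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return {"version": VERSION_NAMES[version],
            "community": community.decode("latin-1")}


def find_legacy_snmp(flows):
    """Flag v1/v2c datagrams among (src, dst, payload) tuples.

    Each finding names the endpoints, version and exposed community, so the
    polling utility can be updated or SNMP v1/v2 disabled on the device.
    """
    findings = []
    for src, dst, payload in flows:
        try:
            hdr = parse_snmp_header(payload)
        except ValueError:
            continue                        # not SNMP, or malformed
        if hdr["community"] is not None:
            findings.append(
                f"{src} -> {dst}: SNMP{hdr['version']} with community "
                f"'{hdr['community']}' sent in clear text")
    return findings


# Constructed flows: two management hosts polling two MFPs.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.50", SNMPV1_GET),
    ("10.0.0.5", "10.0.0.51", SNMPV3_DISCOVERY),
    ("10.0.0.9", "10.0.0.50", SNMPV2C_GET),
]

if __name__ == "__main__":
    for line in find_legacy_snmp(SAMPLE_FLOWS):
        print(line)
```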
1-8-3 Recommended precaution
Scenario 1: Basic security settings - Change the usernames and passwords from the default values, and the passwords for each user, to something difficult to guess, and change them regularly.
Scenario 2: Standard security settings - Encrypt all data.
Scenario 3: High security settings - Disable the SNMP v3 service. If it is not absolutely necessary, the SNMP v3 service should be disabled via Web Image Monitor or the mshell.
Theft of Print Data
Using RSH/RCP, print/scan data is sent as clear text. If intercepted by a third party it is easily read.
1-9-3 Recommended Precautions
To maintain a strict security policy, the RSH/RCP service can be disabled and the port for this service can be completely closed using Web Image Monitor or the mshell.
NOTE: This will prevent users from TWAIN scanning. We recommend using SFTP instead of RSH/RCP whenever possible.
1-10-3 Recommended Precaution
As stated above, there are not many threats that apply to the LPD port. However, if a strict security policy is to be maintained, the LPD service can be disabled and the port for this service can be completely closed using Web Image Monitor or the mshell.
NOTE: The best way to reduce the possibility of print data being intercepted is to use IPP over HTTPS or SFTP instead of LPR as the printing protocol.
1-11-3 Recommended Precautions
In order to maintain a strict security policy, we recommend the following precautions.
Scenario 1 Standard Security: IPP Authentication should be either “BASIC” or “DIGEST”. This can be configured in Web Image Monitor, the mshell or the operation panel. “DIGEST” authentication is more secure than “BASIC” because the username and the password are not sent in clear text.
Scenario 2 High Security: Close the IPP port (631/TCP).
1-12-3 Recommended Precautions
If a strict security policy is needed, the DIPRINT port can be changed or closed using Web Image Monitor or the mshell.
NOTE: To reduce the possibility of print data being intercepted, please use HTTPS instead of DIPRINT to submit jobs.
1-13 SMB
1-13-1 Function Overview
The SMB service uses NBT (NetBIOS over TCP/IP) as its base layer. The NBT service provides the NetBIOS service over TCP/IP instead of NetBEUI.
1-13-3 Visibility on the Network
To protect the products from being browsed by unauthorized parties, the NetBIOS-NS and NetBIOS-DGM services should be disabled using the mshell.
1-13-4 Recommended Precautions
Scenario 1 Standard Security: Use Point and Print only with digitally signed drivers.
Scenario 2 High Security: Disable SMB. Use only IPP (with SSL) to submit jobs.
1-15-2 Potential Threats and Recommended Precautions
Theft of Username and Password
The SIP protocol has an authentication function. However, the products do not support authentication using the SIP protocol. Therefore, the username and password are not included with data sent over this protocol.
Theft of Facsimile Data
Interception of network packets: Using IP-Fax, facsimile data is formatted for an ISDN connection and is not encrypted.
1-17 WS-Device
1-17-1 Function Overview
WS-Device (‘Web Service’ Device) is a Windows Vista standard. This service is compliant with ‘Device Profile for Web Services (February 2006)’. The following functions are provided by the WS-Device service.
• Advertising the existence of the printing service. (WS-Discovery)
• Printing jobs to a WS-Device client. (WS-Printer)
• Providing the printer status to other WS-Device clients.
1-18 IPDS
1-18-1 Function Overview
Intelligent Printer Data Stream (IPDS) is a structured field data stream. It allows both data and commands to be streamed to the printer via channels, controllers or any type of networking link that supports the transparent transmission of data to print processes resident in the device. This service uses the following TCP/UDP port:
TCP 5001: Used for transmitting data and printer control commands.
1-19 RHPP
1-19-1 Function Overview
Though MFPs of all regions support RHPP, Ricoh has not released any RHPP servers outside of Japan. We do not foresee the need for this service in the near future. Please close the ports. This service uses the following TCP/UDP port:
TCP 59100: Used for transmitting data and printer control commands.
NOTE: As of 2008, there are no RHPP print servers on the market outside of Japan.
2. Other Network Services
The previous section dealt mainly with physical port based network services. This section will describe security related information for network services not based on physical ports.
2-1 Wireless LAN
2-1-1 Overview
WLAN utilizes spread spectrum technology based on radio waves to enable communication between devices in a limited area.
WPA employs four authentication modes: ‘WPA-PSK’, ‘WPA2-PSK’, ‘WPA (802.1X)’ and ‘WPA2 (802.1X)’. WPA-PSK and WPA2-PSK are similar to WEP in that a pre-shared key is used to join the network. However, a new encryption key is generated in the handshake process, making WPA-PSK and WPA2-PSK more secure than WEP. WPA (802.1X) and WPA2 (802.1X) are stricter than the PSK modes.
Scenario 2: Standard security settings: WEP
We recommend making regular changes to the PSK.
Scenario 3: High security settings: WPA-PSK/WPA2-PSK
Scenario 4: Very high security settings: WPA (802.1X)/WPA2 (802.1X) instead of WPA-PSK/WPA2-PSK.
Please refer to the Appendix section entitled “Wireless LAN Settings” for an explanation of how to configure these settings.
Encryption: Clear Text (No encryption), DES, 3DES, AES-128, AES-192, AES-256
Authentication: HMAC-MD5-96, HMAC-SHA1-96
The encryption or authentication keys can be set manually or generated automatically using IKE.
NOTE: IPsec is disabled for DHCP, DNS, WINS, and HTTPS by default. IPsec can be applied to these protocols by enabling it in mshell.
2-2-2 Recommended Precautions
The suggested precautions are as follows.
Scenario 3 High: ESP+AH
Very secure. Encryption of the payload and headers, data integrity, and authentication.
Please refer to the Appendix section entitled “IPSEC Settings” for an explanation of how to configure these settings.
3. Appendix
3-1 Services Requiring Open TCP/UDP Ports

Protocol     | Port Num. | Login | Username Changeable | Password | Password Changeable | Note
TELNET       | 23/TCP    | Y     | Y                   | Y        | Y                   | This is the same username and password as used for Web Image Monitor.
FTP-control  | 21/TCP    | Y     | N                   | N        | N                   | For RFU, administrator privilege is required.
HTTP         | 80/TCP    | Y     | Y                   | Y        | Y                   | This is the same username and password as used for TELNET. Unauthorized users only have read access.
H323gatestat | 1719/UDP  | N     | N                   | N        | N                   | If the products are configured to use ‘gatekeeper’, this port is opened so the products can register their information with the gatekeeper.
H323hostcall | 1720/TCP  | N     | N                   | N        | N                   |
SSH          | 22/TCP    | Y     | Y                   | Y        | Y                   | SSH is only used for SFTP. For RFU, administrator privilege is required. For SFTP, RFU is not available via Web Smart Device Monitor.
3-2 Related Protocols

Protocol    | Protocol Suite | Commonly Used Port Num. | Description of the protocol’s function in the Products
IP          | TCP/IP         |                         |
ICMP        | TCP/IP         |                         |
UDP         | TCP/IP         |                         |
TCP         | TCP/IP         |                         |
FTP-data    | TCP/IP         | 20/tcp, udp             | 1) Sending scan data to the FTP server (Scan to FTP). 2) Sending scan data to ScanRouter.
FTP-control | TCP/IP         | 21/tcp, udp             | (as for FTP-data)
SMTP        | TCP/IP         | 25/tcp, udp             | 1) Sending scan data to the SMTP server (Scan to E-mail).
DNS         | TCP/IP         | 53/tcp, udp             | 1) Resolving IP addresses from the server name.
RIP         | IPX/SPX        | -                       | 1) Broadcasts route information.
APPLETALK   | APPLETALK      | -                       | 1) Providing AppleTalk connections.
PAP         | APPLETALK      | -                       | 1) Providing AppleTalk printing services.
NETBEUI     | NETBEUI        | -                       | 1) Providing NetBEUI connections.
IKE         | IPsec          | 500/udp                 | 1) Providing IKE connections.

Commonly Used Port Number: This is meant to be general information.
3-2-2 Access Control – Web Image Monitor
Web Image Monitor can be used for accessing the products. A supported browser such as Microsoft Internet Explorer and the product’s IP address are required.
The four administrator types are identified as follows:
• Machine Administrator
• Network Administrator
• User Administrator
• File Administrator
By default, all administrator privileges are merged into one administrator. If Admin Auth is enabled, then Network Administrator privileges are required in order to use Access Control.
Input the range of IP addresses for which you wish to permit communication. Click the ‘OK’ button to commit the changes.
3-2-4 Access Control – mshell
The following example is shown using the Windows XP telnet client. Telnet into the Maintenance Shell (mshell); a username and password will be required for this. Use the access command to input the access control range.
E.g.1 Input the following command to permit access only from 172.16.1.0 to 172.16.2.0:
msh> access 1 range 172.16.1.0 172.16.2.0
E.g.
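As an added illustration, not part of the white paper, the following Python models the inclusive first-to-last ranges that the access command above configures, shows which CIDR blocks such a range really admits, and checks sample client addresses against the list. The configuration text and client addresses are constructed for the example.

```python
import ipaddress

# Constructed sample of mshell access-control entries in the syntax the
# white paper shows ("access <n> range <first> <last>"); not device output.
SAMPLE_ACCESS_CONFIG = """
access 1 range 172.16.1.0 172.16.2.0
access 2 range 10.0.5.10 10.0.5.20
"""


def parse_access_entries(text):
    """Parse 'access N range FIRST LAST' lines into (N, first, last) tuples.

    Both ends are inclusive, as the white paper's example ('from 172.16.1.0
    to 172.16.2.0') implies. Lines that are not range entries are ignored.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access" or parts[2] != "range":
            continue
        first = ipaddress.ip_address(parts[3])
        last = ipaddress.ip_address(parts[4])
        if first.version != last.version or last < first:
            raise ValueError(f"entry {parts[1]}: invalid range {parts[3]}-{parts[4]}")
        entries.append((int(parts[1]), first, last))
    return entries


def covered_networks(entry):
    """CIDR blocks equivalent to one inclusive range, as strings.

    Handy when reviewing a list: 172.16.1.0-172.16.2.0 is the whole
    172.16.1.0/24 plus the single host 172.16.2.0, not two networks.
    """
    _, first, last = entry
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def is_permitted(client_ip, entries):
    """Whether a client may send print/scan requests under these entries.

    With no entries configured, Access Control is not in force and every
    host is accepted; otherwise only hosts inside some range are.
    """
    if not entries:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(
        ip.version == first.version and first <= ip <= last
        for _, first, last in entries
    )


def audit_clients(client_ips, entries):
    """Map each client address to True (permitted) or False (rejected)."""
    return {ip: is_permitted(ip, entries) for ip in client_ips}


if __name__ == "__main__":
    cfg = parse_access_entries(SAMPLE_ACCESS_CONFIG)
    for entry in cfg:
        print(f"access {entry[0]}: {', '.join(covered_networks(entry))}")
    clients = ["172.16.1.200", "172.16.2.0", "172.16.2.1", "10.0.5.15"]
    for ip, ok in audit_clients(clients, cfg).items():
        print(f"{ip:>15}  {'permitted' if ok else 'rejected'}")
```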
If changes have been made, the following question will appear when the user tries to log out: ‘Did you save configuration data?’ Input ‘yes’ to commit the changes, or ‘no’ to discard them.
3-2-5 Disabling Services
The following table describes whether services or ports can be opened or closed using Web Image Monitor and/or mshell. See “Network Security Level Settings” for more information.
NOTE: Some ports cannot be closed via the above settings.
Service                  | Port          | Web Image Monitor | mshell | Note
FTP                      | 21            | Y Y               | Y Y    | Setting FTP to down closes the FTP port (21/tcp). The FTP server service will be down but the FTP client function is still available; therefore Scan to FTP is still available.
SSH/SFTP                 | 22            | Y Y               | Y Y    | If either ssh or sftp is set to down, this port will be closed.
TELNET                   | 23            | Y Y               | - -    | Telnet cannot be disabled via mshell for obvious reasons. Use Web Image Monitor to close this port.
SNMP                     | 161           | Y Y               | Y Y    | Setting SNMP to down closes the SNMP port (161/udp). In addition, when SNMP is down the SNMP trap function and SNMP over IPX/SPX are not available.
SSL                      | 443           | Y Y               | Y Y    | HTTP and HTTPS cannot both be closed at the same time from Web Image Monitor.
RSH/RCP                  | 514           | Y Y               | Y Y    |
LPR/LPD                  | 515           | Y Y               | Y Y    |
RFU                      | 10021         | - -               | Y Y    | If this port is closed, remote firmware update will still be available via FTP. However, if RFU is to be used, we recommend keeping this port open, as the FTP password is sent in clear text.
RHPP                     | 59100         | Y Y               | Y Y    | If this port is closed, RHPP is not available.
IPDS                     | 5001          | Y -               | Y -    |
WS Discovery / WS Device | 3702 / 53000  | Y Y               | Y Y    |
WS Printer               | 53001         | Y Y               |        |

In order to close this port: Configuration > Fax > IP-Fax H.
3-3-1 Disabling Services – mshell
Set up/down
After saving, the user will be prompted to save or discard changes.
3-3-2 HTTP/HTTPS settings
Security > SSL/TLS
3-3-3 Permit SSL/TLS Communication
• Ciphertext/Clear Text: Permit both HTTPS and HTTP connections. No forwarding of HTTP to HTTPS.
• Ciphertext Priority: Any incoming HTTP request that can be forwarded to HTTPS will be forwarded. With this setting it will be possible to use HTTPS from Internet Explorer, Netscape Navigator, etc. (HTTP will be forwarded) but not using IPP from SmartDeviceMonitor for Client etc.
HTTP/HTTPS settings
Security > SSL/TLS
In addition to the features described on the previous page, this feature is new.
NOTE: The new features will only appear if specific versions of the firmware are applied:

MFP Model           | Network Support | Web Support
D017/D018/D019/D020 | 7.34 or later   | 1.60 or later
D084/D085           | 7.34 or later   | 1.04 or later
D009/D011/D012/D013 | 7.16 or later   | 1.32.1 or later
D091/D092           | 7.34 or later   | 1.54 or later
D014/D015           | 7.34 or later   | 1.
• The ability to enable/disable specific versions of SSL/TLS.
• Support for certificate signing using an RSA key length of 2048 bits.
• Support for RSA encryption with a key length of 2048 bits (used for SSL).
• 512 bits (md5WithRSA)
• 1024 bits (sha1WithRSA)
• 2048 bits (sha1WithRSA)
Support for 2048 bit RSA was implemented in response to the NIST SP 800-131 recommendations.
3-4 SNMP settings:
3-4-1 Web Image Monitor
To access the SNMP (v1/v2) settings, click Network > SNMP.
• SNMP (This setting can be configured either from here or from the SNMPv3 settings.)
Enable: Opens the SNMP port
Disable: Closes the port completely. No SNMP communication of any version can be used.
• SNMP v1/v2 Function
Enable: Allows the use of SNMP v1/v2.
Disable: Does not allow connections using SNMP v1/v2.
3-5 Network > SNMP v3
• SNMP (This setting can be configured either from here or from the SNMPv1/v2 settings.)
Enable: Opens the SNMP port
Disable: Closes the port completely. No SNMP communication of any version can be used.
• SNMP v3 Function
Enable: Allows communication using SNMP v3.
Disable: Does not allow communication via SNMP v3.
• Authentication Algorithm
SHA1: Hashes the username and password using the SHA1 hashing algorithm.
There are 3 different types of accounts that can be used for SNMPv3 connections. Only the User account can be fully configured here. For information about fully configuring the Machine and Network Administrator accounts, please refer to the Appendix section entitled “Administrator Account Settings”.
Account Name (User): This is the username that the user will use to log in to SNMPv3.
3-6 Mshell
You can configure SNMP settings using snmp commands from mshell. These commands can be displayed by typing ‘help snmp’ in mshell.
3-7 Administrator Account Settings
3-7-1 Web Image Monitor
Device Settings > Program/Change Administrator
MFP Administrator account settings can be changed from here. Administrator roles can be assigned to any or all of up to 4 Administrators. These settings affect the Administrator logins for TELNET, Web Image Monitor and SNMP v3.
3-8 Network Security Level Settings
3-8-1 Configuration
Network Security Levels are settings or files designed to meet different levels of security in customer environments. The advantage of the Network Security Level settings is that they make the task of configuration easier. Customers can use the Network Security levels as is, or modify them to suit their needs. There are 3 levels to choose from:
[Level 2] – Maximum security.
3-9 Wireless LAN settings
WEP, WPA-PSK/WPA2-PSK, and WPA (802.1X)/WPA2 (802.1X) can be configured via the operation panel, telnet, or Web Image Monitor. However, the WPA (802.1X)/WPA2 (802.1X) certificate settings can only be configured in Web Image Monitor.
3-9-1 Web Image Monitor
Click ‘Interface’ -> ‘Wireless LAN Settings’.
• Change Interface
Ethernet: Enable Ethernet
IEEE802.11b: Enable IEEE802.
3-9-2 [IEEE802.11b Settings]
• Network
Enable: IEEE802.11b is enabled
Disable: IEEE802.11b is disabled
• MAC Address
Displays the MAC Address of the Wireless LAN board
• Communication Mode
802.11 Ad-hoc Mode: Ad-hoc connection using SSID.
Ad-hoc Mode: Ad-hoc connection without using SSID.
Infrastructure Mode: Communicates using an access point and SSID.
• Channel
Sets the radio frequency used.
3-9-3 WEP
WEP settings can only be configured if ‘WEP’ is selected in ‘IEEE802.11b Settings’ -> ‘Security Type’.
• WEP Authentication
Open System: Anyone with the correct SSID can join the network. NOTE: As the system uses a WEP key, simply joining the network is not enough to be able to receive or send readable communications.
Shared Key: WEP key required to join the network.
• WEP Key Number
Up to four WEP keys can be saved in the MFP. Select one of them.
3-9-4 WPA
WPA settings can only be configured if ‘WPA’ is selected in ‘IEEE802.11b Settings’ -> ‘Security Type’.
• WPA Encryption Method
TKIP: Uses TKIP.
CCMP: Uses CCMP.
• WPA Authentication Method
WPA: Uses WPA (802.1X).
WPA2: Uses WPA2 (802.1X).
WPA-PSK: Uses WPA-PSK.
WPA2-PSK: Uses WPA2-PSK.
• WPA-PSK/WPA2-PSK
PSK: Sets the pre-shared key used.
WPA/WPA2
• User Name: This is the username used for EAP authentication on the Radius server.
• Domain Name: This is the domain name used for the authentication on the Radius server.
• EAP Type: EAP-TLS, LEAP, EAP-TTLS, or PEAP
• WPA Client Certificate: WPA/WPA2 802.1X certificate.
• Password: This is the password used for EAP authentication on the Radius server.
• Phase 2 User Name: This is the user name used in phase 2 of EAP-TTLS and PEAP.
3-9-5 mshell
Configure Wireless LAN settings using ‘wiconfig’ commands from mshell. For a list of commands, type ‘help wiconfig’ in mshell.
3-9-6 IPsec Settings
IPsec settings can be configured via telnet or Web Image Monitor. Of the configuration needed to establish an IPsec connection, this section covers the MFP side only.
IPsec:
• IPsec
Active: Activate IPsec
Inactive: Deactivate IPsec
• Exclude HTTPS Communication
Active: Exclude HTTPS communication from the IPsec policy
Inactive: Do not exclude HTTPS communication from the IPsec policy
• Encryption Key Manual Settings
Active: When specifying SA parameters manually, select Active.
Inactive: When specifying SA parameters automatically, select Inactive.
Encryption Key Manual Settings: To configure IPsec SA parameters manually, click ‘Edit’.
Encryption Key Manual Settings:
• Address Type
Inactive: Do not use IPsec
IPv4: Apply IPsec for IPv4
IPv6: Apply IPsec for IPv6
IPv4/IPv6: Apply IPsec for IPv4 and IPv6 (Only available for ‘Default Settings’)
• Local Address: Enter (Select) the product’s IP address.
• Remote Address: Enter the counterpart’s IP address or address range.
• Encapsulation Mode
Transport: IPsec is applied in Transport mode.
Tunnel: IPsec is applied in Tunnel mode.
• Security Protocol
ESP: Uses ESP
AH: Uses AH
AH+ESP: Uses dual mode (AH + ESP)
• Authentication Algorithm: Select HMAC-MD5-96 or HMAC-SHA1-96 as the hashing algorithm.
• Authentication Key: Set the authentication key used for hashing. For HMAC-MD5-96, enter up to 32 hexadecimal digits or up to 16 ASCII characters.
Encryption Key Auto Exchange Settings:
• Address Type
Inactive: Do not use IPsec
IPv4: Apply IPsec for IPv4
IPv6: Apply IPsec for IPv6
IPv4/IPv6: Apply IPsec for IPv4 and IPv6 (Only available for ‘Default Settings’)
• Local Address: Enter (Select) the product’s IP address.
• Remote Address: Enter the counterpart’s IP address or address range.
• Security Level: The user can select the IPsec security level from the following.
Phase 2:
• Security Protocol
ESP: Uses ESP
AH: Uses AH
AH+ESP: Uses dual mode (AH + ESP)
• Authentication Algorithm: Select from HMAC-MD5-96 and HMAC-SHA1-96.
• Encryption Algorithm Permissions: Select from Cleartext, DES, 3DES, AES-128, AES-192, and AES-256.
• PFS
Inactive: Do not generate the encryption or authentication keys again.
1, 2, or 14: Diffie-Hellman Group for establishing the IPsec SA in Phase 2.
4. Reference List
• RFC: HTTP://www.faqs.org/rfcs/
• CVE: HTTP://cve.mitre.org/
• CERT: HTTP://www.cert.org/
• CIAC: HTTP://www.ciac.org/ciac/
• Security Focus: HTTP://www.securityfocus.com/
• NESSUS: HTTP://www.nessus.org/index2.