ET0010A ET0100A ET1000A
EncrypTight User Guide
BLACK BOX®
EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight Enforcement Points. EncrypTight consists of a suite of tools that performs various tasks of appliance and policy management, including Policy Manager (PM), Key Management System (KMS), and EncrypTight Enforcement Points (ETEPs).
Customer Support Information
Order toll-free in the U.S.
Table of Contents
Preface 13
About This Document 13
Contacting Black Box Technical Support
Uninstalling EncrypTight Software 40
Starting EncrypTight 40
Exiting EncrypTight 41
Management Station Configuration
Step 2: Prepare ETPM Status and Renew Keys 74
Step 3: Upgrade the EncrypTight Software 74
Step 4: Verify ETKMS Status and Deploy Policies 74
Step 5: Upgrade PEP Software
Provisioning Large Numbers of Appliances 111
Creating a Configuration Template 112
Importing Configurations from a CSV File 112
Importing Remote and Local Interface Addresses
Editing PEPs 151
Editing PEPs From ETEMS 151
Editing Multiple PEPs 152
Editing PEPs From ETPM
Adding a Multicast Policy 199
Adding a Point-to-point Policy 203
Adding Layer 4 Policies 206
Policy Deployment
ETKMS Log Files 241
PEP Log Files 242
ETKMS Troubleshooting Tools 242
ETKMS Server Operation
Changing the EncrypTight Keystore Password 266
Changing the ETKMS Keystore Password 266
Changing the Keystore Password on an ETKMS 267
Changing the Keystore Password on an ETKMS with an HSM
Interface Configuration 301
Management Port Addressing 302
IPv4 Addressing 303
IPv6 Addressing
Factory Defaults 339
Interfaces 339
Trusted Hosts 340
SNMP
Preface
About This Document
Purpose
The EncrypTight User Guide provides detailed information on how to install, configure, and troubleshoot EncrypTight components: ETEMS, Policy Manager (ETPM), and Key Management System (ETKMS). It also contains information about configuring EncrypTight Enforcement Points (ETEPs) using ETEMS.
Intended Audience
This document is intended for network managers and security administrators who are familiar with setting up and maintaining network equipment.
Contacting Black Box Technical Support
Contact our FREE technical support, 24 hours a day, 7 days a week:
Phone 724-746-5500
Fax 724-746-0746
e-mail info@blackbox.com
Web site www.blackbox.
Part I EncrypTight Installation and Maintenance
1 EncrypTight Overview
EncrypTight™ Policy and Key Manager is an innovative approach to network-wide encryption. EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight encryption appliances. EncrypTight consists of a suite of tools that perform various tasks of appliance and policy management:
● EncrypTight Element Management System (ETEMS) is the network management component of the EncrypTight software.
multiple Policy Enforcement Points (PEPs) can use common keys, while a centralized platform assumes the function of renewing keys at pre-determined intervals. In this system, you use ETEMS to configure the PEPs, Policy Manager (ETPM) to create and manage policies, and Key Management System (ETKMS) to generate keys and distribute keys and policies to the appropriate PEPs. The PEPs encrypt traffic according to the policies and keys that they receive.
Regardless of topology, PEPs are typically located at the point in the network where traffic is sent to or received from an untrusted network. As an example, Figure 2 shows a hub and spoke network secured with EncrypTight.
Figure 2 PEPs in a Hub and Spoke network
PEP A encrypts data traffic from Network A that goes to Networks B or C. PEP A also decrypts data that originates from Networks B and C.
EncrypTight Element Management System
The EncrypTight Element Management System (ETEMS) is the device management component of the EncrypTight software, allowing you to provision and manage multiple encryption appliances from a central location. It provides capabilities for appliance configuration, software updates, and maintenance and troubleshooting for your EncrypTight encryption appliances.
Figure 3 Single ETKMS for multiple sites
Figure 4 illustrates an EncrypTight deployment using multiple ETKMSs. With large, complex networks that have hundreds of PEPs, you might want to use multiple ETKMSs. Each ETKMS distributes keys for the PEPs it controls. For example: ETKMS 1 distributes the policies and keys to PEPs A, B, and C. ETKMS 2 distributes the policies and keys to PEPs D and E. ETKMS 3 distributes the policies and keys to PEPs F and G.
To securely transfer data between two PEPs over an untrusted network, both PEPs must share a key. One PEP uses the shared key to encrypt the data for transmission over the untrusted network, while the second PEP uses the same shared key to decrypt the data. Figure 5 illustrates the shared key concept between two PEPs.
Figure 5 Shared keys
In this example, traffic moves between two trusted networks: Network A and Network B.
Figure 6 Layer 2 Point-to-Point Deployment
Use the Policy Manager (ETPM) and Key Management System (ETKMS) to create a Layer 3 point-to-point distributed key policy as one of several policies in a larger, more complex EncrypTight deployment.
The ETEP's variable speed feature is controlled by the installation of a license. Note that you cannot install a license on the ETEP until you first enter a license for EncrypTight.
Secure Communications Between Devices
Each node in the distributed key system (the EncrypTight management station, the ETKMSs, and the PEPs) communicates policy and status information with the other nodes. Given the distributed nature of networks, much of this communication occurs across public networks. EncrypTight uses Transport Layer Security (TLS) to encrypt management traffic between EncrypTight components.
2 EncrypTight Deployment Planning
When deploying EncrypTight, you must plan the following:
● EncrypTight Component Connections
● Network Clock Synchronization
● IPv6 Address Support
● Certificate Support
● Network Addressing for IP Networks
EncrypTight Component Connections
EncrypTight can be managed in-line or out-of-band. When managing in-line, management traffic flows through the data path.
● "Management Station Connections" on page 26
The EncrypTight software includes ETEMS for appliance configuration, ETPM for policy management, and a local ETKMS. The local ETKMS deploys keys and policies to all of the PEPs that it manages and checks the PEPs' status. The management station also uses other services such as NTP, syslog, and SNMP.
This section describes the planning for the following connections:
● "ETPM and ETKMS on the Same Subnetwork" on page 27
● "ETPM and ETKMS on Different Subnetworks" on page 27
ETPM and ETKMS on the Same Subnetwork
When the ETPM is located on the same subnetwork as the external ETKMS, the ETPM communicates with the ETKMS over the internal protected network using Ethernet connections as shown in Figure 7.
Figure 8 In-line ETKMS management in an IP network
ETPM and ETKMS in Layer 2 Ethernet Policies
With Ethernet networks, you use Layer 2 PEPs. As with IP networks, when managing the ETPM and external ETKMS in-line, the communications path between the devices must pass through one or more PEPs and potentially one or more firewalls.
External ETKMS to ETKMS Connections
ETKMSs must be able to communicate with each other in two situations:
● Backup ETKMSs are used for redundancy
● Multiple ETKMSs share policy information and keys to distribute to the PEPs that they control
This section addresses the connections between two or more external ETKMSs. If you also use a local ETKMS, the basic principles discussed here still apply.
Connecting Multiple ETKMSs in an IP Network
Figure 10 shows two external ETKMSs located on different IP networks. Both ETKMSs are used as primary ETKMSs in a large, dispersed network. When the ETKMSs are managed in-line, the communications path between the devices must pass through one or more PEPs and potentially one or more firewalls. By default, the Layer 3 PEPs pass all TLS traffic (TCP port 443) in the clear, that is, without applying their own encryption to it; the management traffic inside those connections is still protected by TLS itself.
Figure 11 Out-of-band management of ETKMSs located on different Ethernet networks
ETKMS to PEP Connections
The communications between the ETKMSs and the PEPs require a connection between the Ethernet ports on each ETKMS and the management port on each PEP. The ETKMS to PEP connections depend on the network type: IP network or Ethernet network. This section addresses connections between external ETKMSs and the PEPs.
Figure 12 In-line ETKMS to PEP communications in IP networks
ETKMS to PEP Connections in Ethernet Networks
If the ETKMS and the PEP are located on the same subnetwork, the ETKMS to PEP interconnection is straightforward. For in-line management when the ETKMS and the PEP are located on different Ethernet networks, make sure that the "Enable passing TLS traffic in the clear" feature is enabled on the Layer 2 PEPs.
Network Clock Synchronization
CAUTION Failure to synchronize the time of all EncrypTight components can result in a loss of packets or compromised security.
EncrypTight requires that the clocks on all the system's components be synchronized. If the clocks are not synchronized, communications between the components can be delayed, which can prevent the system from working as planned. For example, the keys on the PEPs all have an expiration time.
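To make the caution concrete, here is an added example (not part of the Black Box guide) that models how clock skew between two PEPs shifts each key's validity window. The key schedule, the overlap between consecutive keys and the skew values are constructed assumptions; EncrypTight's real rekey timing comes from the ETKMS settings.

```python
"""Added example (not from the EncrypTight guide): what clock skew does to
key lifetimes. A PEP decides whether a key is live using its own clock, so
a skewed PEP shifts the key's window relative to its peers. Times are
seconds of 'true' (ETKMS) time; the key schedule below is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Key:
    key_id: str
    not_before: int  # true time at which the ETKMS makes the key valid
    not_after: int   # true time at which it expires


# Constructed rekey schedule: one-hour keys overlapping by 300 s, the kind
# of schedule a renewal interval with a short grace period produces.
OVERLAP = 300
KEYS = (
    Key("k1", 0, 3600),
    Key("k2", 3600 - OVERLAP, 7200 - OVERLAP),
)


def accepted_window(key: Key, skew: int) -> tuple[int, int]:
    """True-time interval during which a PEP whose clock runs `skew` seconds
    ahead of true time (negative = behind) accepts `key`. A fast clock sees
    the key expire early; a slow clock keeps it alive late."""
    return key.not_before - skew, key.not_after - skew


def common_windows(keys: Sequence[Key], skew_a: int, skew_b: int) -> list[tuple[int, int]]:
    """Per key, the true-time interval in which *both* peers accept it."""
    out = []
    for k in keys:
        a0, a1 = accepted_window(k, skew_a)
        b0, b1 = accepted_window(k, skew_b)
        lo, hi = max(a0, b0), min(a1, b1)
        if lo < hi:
            out.append((lo, hi))
    return sorted(out)


def uncovered_seconds(keys: Sequence[Key], skew_a: int, skew_b: int, start: int, end: int) -> int:
    """Seconds within [start, end] where no key is accepted by both peers.
    In such a gap one side encrypts with a key the other has already
    retired, so packets are dropped: the 'loss of packets' in the caution."""
    covered, cursor = 0, start
    for lo, hi in common_windows(keys, skew_a, skew_b):
        lo, hi = max(lo, cursor), min(hi, end)
        if hi > lo:
            covered += hi - lo
            cursor = hi
    return (end - start) - covered


def stale_use_seconds(key: Key, skew: int) -> int:
    """How long past its true expiry a PEP running `skew` seconds behind keeps
    using `key`: the 'compromised security' side of the same caution."""
    return max(0, accepted_window(key, skew)[1] - key.not_after)


if __name__ == "__main__":
    for skew in (0, OVERLAP, OVERLAP + 100):
        gap = uncovered_seconds(KEYS, 0, skew, 0, 6500)
        print(f"peer B {skew:4d} s fast: {gap} s with no shared key")
    print("peer 120 s slow keeps k1 for", stale_use_seconds(KEYS[0], -120), "s past expiry")
```

The `uncovered_seconds` result is the stretch during which the two PEPs hold no key in common, so traffic between them is dropped; it becomes nonzero as soon as the skew exceeds the overlap between consecutive keys. `stale_use_seconds` is the other failure: a slow clock keeps an expired key in service. Both go to zero when every component follows the same NTP source, which is why the guide insists on it.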
IPv6 addresses are 128-bit addresses written as eight 16-bit groups of hexadecimal digits separated by colons, followed by an indication of the prefix length. Each group is written with up to four hexadecimal digits; leading zeros within a group may be omitted, and a single run of consecutive all-zero groups may be abbreviated as a double colon (::). The hexadecimal letters in IPv6 addresses are not case sensitive. The prefix length is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. The decimal value is preceded by a forward slash (/).
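As an added example (not from the guide), the following Python parses an address written in the form described above, applies the prefix length to recover the network portion, and cross-checks the result against the standard library. The sample addresses are constructed.

```python
"""Added example (not part of the EncrypTight guide): a parser for the IPv6
textual form (eight 16-bit hex groups, optional '::' for one run of zero
groups, '/n' prefix length) that zeroes the host bits and cross-checks the
result against Python's ipaddress module."""
from __future__ import annotations
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(text: str) -> list[int]:
    """Return the eight 16-bit groups of an IPv6 address string.
    Raises ValueError on malformed input. Embedded IPv4 notation
    (e.g. ::ffff:192.0.2.1) is deliberately not handled here."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, found {len(groups)}")
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in HEX for c in g):
            raise ValueError(f"bad group {g!r}")
        values.append(int(g, 16))  # case-insensitive, as the guide says
    return values


def parse_prefixed(text: str) -> tuple[list[int], int]:
    """Split 'address/prefix-length' and validate both parts."""
    addr, sep, plen = text.partition("/")
    if not sep or not plen.isdigit():
        raise ValueError("prefix length required, e.g. 2001:db8::1/64")
    n = int(plen)
    if not 0 <= n <= 128:
        raise ValueError("prefix length must be 0..128")
    return expand_ipv6(addr), n


def network_groups(groups: list[int], plen: int) -> list[int]:
    """Keep the `plen` high-order bits (the network portion), zero the rest."""
    value = 0
    for g in groups:
        value = (value << 16) | g
    mask = ((1 << plen) - 1) << (128 - plen)
    net = value & mask
    return [(net >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def to_text(groups: list[int]) -> str:
    """Uncompressed lower-case form: no '::' on output, so the eight groups
    stay visible (ipaddress prints the compressed form instead)."""
    return ":".join(f"{g:x}" for g in groups)


def network_of(text: str) -> str:
    groups, plen = parse_prefixed(text)
    return f"{to_text(network_groups(groups, plen))}/{plen}"


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check: our network address equals ipaddress's (strict=False
    tolerates host bits being set, as in 2001:db8::1/64)."""
    groups, plen = parse_prefixed(text)
    ours = ipaddress.IPv6Address(to_text(network_groups(groups, plen)))
    ref = ipaddress.IPv6Network(text, strict=False)
    return ours == ref.network_address and plen == ref.prefixlen


def is_valid(text: str) -> bool:
    try:
        parse_prefixed(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("2001:db8:ABCD:12::1/64", "fe80::1/10", "1:::2/64"):
        print(sample, "->", network_of(sample) if is_valid(sample) else "invalid")
```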
Another factor to consider if you plan to use certificates is the size of your EncrypTight deployment. Generating requests and installing certificates for a large number of appliances can take a considerable amount of time. Therefore, you need to plan for sufficient time to accomplish the necessary tasks.
Figure 14 Using remote IP and virtual IP addresses to obscure the source address of the original packet
ETEP PEPs operate in transparent mode by default and no IP address is assigned to the local or remote ports. To use a remote port IP address or a virtual IP address, you need to disable transparent mode and assign the needed IP addresses when you add and configure the ETEP in ETEMS. With a virtual IP address, you also need to change the routing tables in the routers.
3 Installation and Configuration
This section describes how to install and configure EncrypTight for the first time, including:
● Before You Start
● EncrypTight Software Installation
● Management Station Configuration
● Installing ETKMSs
● Configuring ETKMSs
● Policy Enforcement Point Configuration
● Default User Accounts and Passwords
● Managing Licenses
● Next Steps
Before You Start
EncrypTight is a system that uses dedicated encryption devices referred to as Policy Enforcement Points
● "Software Requirements" on page 38
● "Firewall Ports" on page 39
Hardware Requirements
EncrypTight software can be installed on a Windows PC or laptop.
Table 4 EncrypTight management station requirements
Component           Requirements for the EncrypTight software
Operating System    Windows XP with SP3
CPU                 3.
Firewall Ports
In order for EncrypTight components to communicate, you need to make sure that any firewalls in your system are configured to allow the following protocols.
Table 6 Firewall ports
Protocol     Port          Comments
FTP          TCP 20, 21    Used for upgrading the software on a PEP.
HTTP         TCP 80        Used to communicate management information to EncrypTight appliances when TLS is disabled.
ICMP/Ping                  Used to check connectivity with a device.
Note that FTP and HTTP carry credentials and data unencrypted. Keep TLS enabled (the default) so that TCP 80 is not needed for management traffic.
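As an added example (not from the guide), the following Python audits an iptables-save dump against that port table. The required ports are those of Table 6 plus the TLS port (TCP 443) the guide names when discussing ETKMS connections; the ruleset is constructed, and the assumption that the relevant rules live in the INPUT chain of a firewall in front of the appliances is mine, not the guide's.

```python
"""Added example (not from the EncrypTight guide): audit an iptables-save
dump against the firewall-port table. The ruleset is constructed; the
required ports come from Table 6 plus TCP 443 (TLS) named elsewhere in
the guide. Assumption: the INPUT chain of a firewall in front of the
appliances is what matters."""
from __future__ import annotations
import re
from typing import Dict, List, Optional, Set, Tuple

Port = Tuple[str, Optional[int]]  # (protocol, port); None = whole protocol (ICMP)

REQUIRED: Dict[Port, str] = {
    ("tcp", 20): "FTP data: PEP software upgrade",
    ("tcp", 21): "FTP control: PEP software upgrade",
    ("tcp", 443): "TLS: encrypted management traffic",
    ("icmp", None): "ICMP: connectivity check",
}
# Needed only when TLS is disabled; open otherwise, it exposes cleartext management.
CLEARTEXT: Dict[Port, str] = {("tcp", 80): "HTTP: management when TLS is disabled"}

SAMPLE_RULES = """\
# constructed iptables-save excerpt
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
"""


def accepted_ports(rules: str) -> Set[Port]:
    """Collect (proto, port) pairs the INPUT chain accepts. Understands
    --dport N, --dports a,b and ranges lo:hi; anything else is ignored."""
    opened: Set[Port] = set()
    for line in rules.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        m = re.search(r"-p\s+(\w+)", line)
        if not m:
            continue
        proto = m.group(1).lower()
        if proto == "icmp":
            opened.add(("icmp", None))
            continue
        m = re.search(r"--dports?\s+([\d,:]+)", line)
        if not m:
            continue
        for item in m.group(1).split(","):
            if ":" in item:
                lo, hi = (int(x) for x in item.split(":"))
                opened.update((proto, p) for p in range(lo, hi + 1))
            else:
                opened.add((proto, int(item)))
    return opened


def audit(rules: str, tls_enabled: bool = True) -> Dict[str, List[Port]]:
    """Report required ports that are not accepted, and cleartext management
    ports that are open although TLS (the default) is in use."""
    opened = accepted_ports(rules)

    def order(p: Port):
        return (p[0], p[1] or 0)

    needed = dict(REQUIRED)
    if not tls_enabled:
        needed.update(CLEARTEXT)
    missing = sorted((p for p in needed if p not in opened), key=order)
    exposed = sorted((p for p in CLEARTEXT if p in opened), key=order) if tls_enabled else []
    return {"missing": missing, "cleartext_open": exposed}


if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    for p in report["missing"]:
        print("MISSING", p, "-", REQUIRED[p])
    for p in report["cleartext_open"]:
        print("EXPOSED", p, "-", CLEARTEXT[p])
```

On the constructed ruleset the audit reports TCP 443 missing (so TLS management sessions through this firewall would fail) and TCP 80 open while TLS is enabled (a cleartext management path nobody needs). Extend `REQUIRED` with the NTP, syslog and SNMP ports your deployment actually uses; the guide mentions those services but this excerpt of the table does not list their ports.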
NOTE It is strongly recommended that you synchronize the workstation hosting the EncrypTight software with an NTP server either on your network or on the Internet. For EncrypTight to function properly, all of the elements of EncrypTight need to synchronize with NTP servers.
To start ETEMS:
1 From the Start menu, select All Programs > EncrypTight.
2 In the Login screen, enter the UserId admin and Password admin. Note that the userId and password are case sensitive. Change this default password as soon as installation is complete (see "Default User Accounts and Passwords").
3 Click Login.
NOTE EncrypTight allows a maximum of three login attempts. After three unsuccessful login attempts, the EncrypTight software closes and must be restarted.
Securing the Management Interface
EncrypTight provides the methods listed in Table 7 for encrypted and unencrypted communications between the management PC and the appliance's management port.
Table 7 ETEMS communications options
Option    Description
TLS       TLS (HTTPS) is used to encrypt communications between ETEMS and the appliance. TLS is enabled by default in EncrypTight. No additional software or configuration is required.
Configuring the Syslog Server
The EncrypTight appliance can be configured to send log messages and events to a syslog server on the management PC or other device. First, install the Kiwi Syslog Daemon as an application and follow the documentation provided with the product for initial configuration. After you have installed the syslog daemon, use ETEMS to configure the appliances to send log messages to the syslog server.
This section includes the following topics:
● "Basic Configuration for Local ETKMSs" on page 44
● "Configuring External ETKMSs" on page 46
● "Configuring Syslog Reporting on the ETKMSs" on page 54
Basic Configuration for Local ETKMSs
The basic configuration of a local ETKMS includes assigning an IP address and launching the ETKMS software.
To add a local ETKMS:
1 In the Appliance Manager, click File > New.
2 In the New Appliance editor, from the Product Family box, select ETKMS LM.
3 From the Software Version box, select the appropriate software version.
4 In the Appliance Name box, enter a name for this local ETKMS.
5 In the IP Address box, enter the IP address of the workstation on which EncrypTight is installed. The address can be either an IPv4 address or an IPv6 address.
6 Click Save.
Changes to the local ETKMS configuration or EncrypTight software may necessitate changes to the batch file, as described in Table 9.
Table 9 Maintaining the start.bat file
Type of change                                       Action
Upgrade to a new version of EncrypTight              No action required.
Change the ETKMS LM name or IP address in ETEMS      Modify the batch file variables to match the new ETKMS configuration.
Permanently uninstall EncrypTight                    Manually delete start.bat from the PC.
This section includes the following topics:
● "Logging Into the ETKMS" on page 47
● "Changing the Admin Password" on page 47
● "Changing the Root Password" on page 48
● "Configure the Network Connection" on page 49
● "Configure Time and Date Properties" on page 51
● "Starting and Stopping the ETKMS Service" on page 53
● "Checking the Status of the ETKMS" on page 54
● "Secure the Server with the Front Bezel" on page 54
Logging Into the ETKMS
To configure the ETKMS, you mus
6 Type exit to log out from the admin account.
For example:
    Localhost login: admin
    Password:
    [admin@localhost ~]$ passwd
    (current) UNIX password:
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
Configure the Network Connection
The eth0 connection is the network connection with a path to the management workstation running ETPM and to the PEPs' management port. The eth1 connection is inactive and unavailable. Set the network connection as required by your network configuration, but it is recommended that you set a static IP address. You can assign both an IPv4 address and an IPv6 address, if needed.
IPv6
Setting up the network connections to use IPv6 addresses requires modifying several files.
To configure the network interface:
1 Using a text editor of your choice, edit the file: /etc/sysconfig/network-scripts/ifcfg-eth0
2 To add an IPv6 address, add the following lines:
    IPV6INIT=yes
    IPV6ADDR=<address>
Where <address> is the IPv6 address that you want to assign to the ETKMS. If you are using an IPv6 address, you also need to edit the etkmsParams.
8 At the command line, restart the ETKMS service by typing service etkms restart and press Enter. Verify the IP address and hostname changes (see "Verify the IP Address and Hostname Changes" on page 49).
NOTE
● Make a note of the eth0 IP address and the hostname. You will need this information in order to add the ETKMS in ETEMS.
● It is strongly recommended that you set a static IP address and turn off DHCP. Do not use DHCP to obtain an IP address.
2 Replace the defaults with your preferred time server. You can specify multiple time servers and use either IPv4 or IPv6 addresses. For example, the new section should look similar to the following:
    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    server 192.168.2.22
3 Save and close the file.
Related topics:
● "Configure the Network Connection" on page 49
● "Check the Status of the Hardware Security Module" on page 53
● "Starting and Stopping the ETKMS Service" on page 53
Check the Status of the Hardware Security Module
A Hardware Security Module (HSM) for the ETKMS is available. The HSM physically secures the encryption keys used for communications between EncrypTight components.
Checking the Status of the ETKMS
You should check that the ETKMS service is running before you proceed to use EncrypTight.
To check the status of the ETKMS service:
1 At the command line, type: service etkms status
Secure the Server with the Front Bezel
The bezel prevents access to the CD ROM drive, front panel USB ports, and power switch.
Replace x.x.x.x with the IP address or the hostname of the syslog server.
7 Save and close the file.
8 Shut down and restart the ETKMS:
● On external ETKMSs, restart the ETKMS service by typing: service etkms restart
● On local ETKMSs, close the command line window for the ETKMS software and in the EncrypTight window, select Tools > Launch ETKMS LM.
Default User Accounts and Passwords
Changing the default passwords for all of the EncrypTight components is an important step in maintaining the security of your network. This list is a reminder of the default passwords that you should change.
Managing Licenses
Before you begin adding PEPs and using the EncrypTight software, contact Customer Support to acquire your license key (see "Contacting Black Box Technical Support" on page 14). You need to provide the EncrypTight ID. To view the EncrypTight ID, choose Edit > License. If you upgrade from a command line-only installation to a full EncrypTight deployment, you can no longer use the command line-only license and must acquire an EncrypTight license.
Upgrading Licenses
When your needs change, you can easily upgrade the number of ETEPs that EncrypTight can manage and you can also upgrade your ETEPs to run at faster throughput speeds.
This section includes the following topics:
● "Upgrading the EncrypTight License" on page 58
● "Upgrading ETEP Licenses" on page 58
Upgrading the EncrypTight License
When you upgrade the EncrypTight license, a new license replaces the old one.
Next Steps
6 In ETPM, create your policies.
7 In ETPM, deploy the policies to the ETKMSs and PEPs.
4 Managing EncrypTight Users
This section includes the following topics:
● Working with EncrypTight User Accounts
● Configuring EncrypTight User Authentication
● Managing EncrypTight Accounts
● Changing an EncrypTight User Password
● How EncrypTight Users Work with ETEP Users
Working with EncrypTight User Accounts
This chapter discusses user accounts for the EncrypTight software.
Table 14 EncrypTight account types and privileges
Task                                          Administrator   User
Enable user ID/password authentication        Yes             No
Set password expiration period                Yes             No
Create EncrypTight users                      Yes             No
Modify EncrypTight user names and passwords   Yes             No
Delete EncrypTight users                      Yes             No
Change own password                           Yes             Yes
Configure appliances and policies             Yes             Yes
View logs and performance statistics          Yes             Yes
NOTE If EncrypTight is managing ETEP 1.
Figure 15 Login preferences
To set login preferences:
1 From the Edit menu, click Preferences.
2 In the Preferences window, expand the ETEMS tree and click Login.
3 In the Login area, configure the preferences. The options are described in the rest of this section.
4 Click Apply and then click OK.
Password Authentication and Expiration
User authentication is enabled by default.
■ If your EncrypTight deployment includes ETEPs running software version 1.6 or later, entering a password is optional.
■ If your deployment includes ETEPs with software previous to 1.6, or other models of PEPs, you must enter a valid password.
If user authentication is not enabled, you are logged into the system immediately. This feature is used in conjunction with strict authentication in your EncrypTight deployment.
Table 15 Login preferences default settings
Preference                            Setting
User ID / Password Authentication     Enabled
Password Expiration                   0
Login Session Inactivity Timer        0
Common Access Card Authentication     Disabled
U.S. DoD Login Banner                 Disabled
Although the Login preferences are not carried over by an upgrade, user data (user IDs and passwords) is preserved. If user authentication was disabled prior to the upgrade, it will be enabled in the new software version.
To add an EncrypTight user account:
1 From the Edit menu, click User Accounts.
2 In the User Accounts editor, click Add.
3 In the User dialog box, enter the user name, password, and select a group ID (admin or user). If Common Access Card Authentication is enabled, you also need to enter the common name from the user's certificate.
4 Click OK.
To modify an EncrypTight user account:
1 From the Edit menu, click User Accounts.
How EncrypTight Users Work with ETEP Users
EncrypTight manages ETEP user accounts. In order for EncrypTight to communicate with the ETEP, it needs to know the ETEP's user name and password. It will try to use the credentials that you used to log in to EncrypTight. If that doesn't match the credentials that are configured on the ETEP, EncrypTight will ask you to enter the appliance user name and password.
3 In EncrypTight, add a new ETEP appliance and refresh its status. Because EncrypTight and the ETEP are both using their default user names and passwords of admin/admin, EncrypTight can successfully contact the ETEP.
4 From EncrypTight, select the new ETEP and add a new appliance user with the name beacon, password lighthouse, and role admin. The next time you start EncrypTight, log in with the User ID beacon to manage the new ETEPs.
5 Maintenance Tasks
This section includes the following topics:
● Working with the EncrypTight Workspace
● Installing Software Updates
● Upgrading External ETKMSs
Working with the EncrypTight Workspace
The EncrypTight workspace contains all the elements that EncrypTight is managing, such as appliance configurations, data associated with ETPM and certificate information.
CAUTION Appliance configurations and policy files are stored as .xml files. These files are not encrypted or password protected. They can be opened and edited using a basic text editor. Take precautions to protect these files from unauthorized access.
EncrypTight allows you to save more than one workspace. This can be useful for backup purposes, or to segregate your work in a complex deployment.
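Because the workspace files are plain XML, the least you can do is notice when they change behind your back. The following added example (not part of the guide) builds a SHA-256 manifest of every .xml file under a workspace and later diffs the tree against it. The demo workspace, its file names and their contents are constructed and are not EncrypTight's actual layout.

```python
"""Added example (not from the EncrypTight guide): the workspace .xml files
are stored unencrypted, so at least detect when they change. Builds a
SHA-256 manifest of every .xml file under a workspace and diffs the tree
against it later. The demo workspace below is constructed; its paths and
contents are assumptions, not EncrypTight's layout."""
from __future__ import annotations
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(workspace: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every .xml file in the workspace."""
    return {p.relative_to(workspace).as_posix(): sha256_file(p)
            for p in sorted(workspace.rglob("*.xml")) if p.is_file()}


def verify_manifest(workspace: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the workspace as it is now with a manifest taken earlier."""
    now = build_manifest(workspace)
    return {
        "modified": sorted(f for f in manifest if f in now and now[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in now),
        "added": sorted(f for f in now if f not in manifest),
    }


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    # Keep this file outside the workspace (with the off-box backup, say):
    # a manifest stored next to the files can be rewritten by whoever
    # rewrote the files.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Build a constructed workspace, snapshot it, tamper with it, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ws, side = root / "workspace", root / "manifest.json"
        (ws / "appliances").mkdir(parents=True)
        (ws / "policies").mkdir()
        (ws / "appliances" / "etep-a.xml").write_text("<appliance name='etep-a'/>")
        (ws / "policies" / "policy1.xml").write_text("<policy id='1' action='encrypt'/>")
        save_manifest(build_manifest(ws), side)

        # Tampering (constructed): an edit that turns an encrypt policy into
        # a clear one, plus a policy file nobody created through ETPM.
        (ws / "policies" / "policy1.xml").write_text("<policy id='1' action='clear'/>")
        (ws / "policies" / "policy2.xml").write_text("<policy id='2' action='clear'/>")
        return verify_manifest(ws, load_manifest(side))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the manifest right after you deploy policies and store it with the backup copy of the workspace, not inside it. A hash manifest detects silent edits to configurations and policies but does not stop anyone from reading them; file-system permissions on the management station are still needed for that.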
Figure 18 Saving one workspace to another
Loading an Existing Workspace
Reasons for loading an existing workspace are:
● To load a saved workspace on a new management station
● To restore a backup copy if the active workspace is damaged
● To revert to previous appliance configurations and policies
● To work on a different group of appliances in a network that has been segmented into several workspaces.
4 Refresh the appliances' status. From the Edit menu click Select All, then click the refresh icon on the toolbar.
Related topic: "Moving a Workspace to a New PC" on page 72
Moving a Workspace to a New PC
To transfer your workspace to a new management PC, save the data folder to an interim location and then load it into the application on the new PC.
To move a workspace to a new PC:
1 On the old PC, click File > Save Workspace To and browse to an interim storage location such as a network drive or USB drive.
Installing Software Updates
Software updates for EncrypTight are available separately from the PEP software. You might need to update all of the components in your system, or only specific components. This procedure assumes that you are updating all of the components of EncrypTight. If you are upgrading from software versions that are several years old, contact customer support for assistance with your upgrade path.
You can schedule the upgrade of each PEP for a different time, depending on the rekey settings and data traffic requirements. Because a reboot is required, the upgrade of each PEP interrupts traffic through that PEP for several minutes.
Step 2: Prepare ETPM Status and Renew Keys
To prepare ETPM status and renew keys:
1 To ensure that status information is not communicated during the upgrade, disable the ETPM automatic status refresh.
a From the ETPM main menu bar, click Edit > Preferences.
Installing Software Updates To deploy policies: 1 Click Tools > Deploy to synchronize the EncrypTight components with the current policies. Note that this will interrupt traffic on the PEP briefly. Step 5: Upgrade PEP Software After you upgrade the ETKMSs and ETPM, you can upgrade the PEPs to a new software version. Using ETEMS, you can download new software from an FTP server to one or many PEPs of the same product family.
Maintenance Tasks CAUTION Software upgrades require a reboot to take effect. Rebooting the PEP interrupts data traffic for approximately two minutes. During this time all packets are discarded. To upgrade software on the PEPs: 1 From the EncrypTight Enforcement Point CD for the PEPs that you want to upgrade, copy the folder for your appliance model to your default FTP directory. For example, if you are upgrading ETEP PEPs, copy the ETEP folder to your FTP directory.
Installing Software Updates NOTE ● You must reboot the ETEP PEPs after you upgrade. If you make any configuration changes to the ETEP PEPs after you upgrade and before you reboot, those changes will be lost when the PEP reboots. ● If you decide later to undo the upgrade and restore a previous file system to the PEPs, you could inadvertently restore expired policies and out of date keys. You should redeploy your policies from ETPM to make sure that all of your PEPs have current policies and keys.
Step 7: Return Status Refresh and Key Renewal to Original Settings
To return status refresh and key renewal to their original settings:
1 If you disabled the automatic status refresh in ETPM in “Step 2: Prepare ETPM Status and Renew Keys” on page 74, select Edit > Preferences and select ETPM Status. Click the Enable automatic status refresh check box and set the Refresh interval (in minutes).
Upgrading External ETKMSs
To mount the CDROM drive:
1 Insert the disk in the drive and close it.
2 If it doesn’t already exist, create the directory /media/cdrom.
mkdir /media/cdrom
3 Enter the following command:
mount -t iso9660 /dev/scd0 /media/cdrom
To install the new ETKMS software:
1 Install the ETKMS RPM with the following commands:
cd /media/cdrom
rpm -ivh etkms.
Part II Working with Appliances using ETEMS
6 Getting Started with ETEMS
This section includes the following topics:
● ETEMS Quick Tour
● Understanding the ETEMS Workbench
● Understanding Roles
● Modifying Communication Preferences
ETEMS Quick Tour
ETEMS is the appliance management feature of EncrypTight. ETEMS provides the ability to provision and manage multiple EncrypTight appliances from a central location.
the factory default configurations or define your own template for these common values (Edit > Default Configurations).
Figure 20 Interface configuration for a new ET1000A appliance
Pushing Configurations to Appliances
Use the Put Configurations window to push the configurations defined in ETEMS to the appliances. In the Appliance Manager, select the target appliances in the Appliances view. Then in the Tools menu, choose Put Configurations.
Upgrading Appliance Software
New revisions of appliance software can be loaded on the appliances from an FTP server. Copy the new software to an FTP server, select the target appliances, and point to the FTP server site. Results for each appliance are displayed as they are upgraded. The new software takes effect upon appliance reboot.
Figure 23 Compare the ETEMS configuration to the appliance to discover discrepancies
Maintenance and Troubleshooting
ETEMS includes tools for monitoring and maintaining EncrypTight appliances. Some of ETEMS’s capabilities include:
● Retrieving appliance log files
● Displaying performance and diagnostic statistics (Figure 24)
● Accessing the appliance CLI to perform administrative tasks and issue diagnostic commands.
Understanding the ETEMS Workbench
Figure 24 Statistics view displays a snapshot of performance data on the ET0100A
Policy and Certificate Support
ETEMS’s policy feature is limited to the creation of point-to-point policies. For larger, more complex deployments use the Policy Manager (ETPM) to create, manage and deploy distributed key policies. ETEMS’s policy and certificate management capabilities vary by appliance model.
Figure 25 Appliance Manager perspective
Views
Views display information about items that ETEMS manages, such as appliance configurations or certificates. When you start ETEMS, the Appliance Manager opens and displays the Appliances view. Initially the Appliances view is empty.
● You can open multiple appliance editors at the same time. The editors are stacked in a tabbed panel. Tabbed editor windows allow you to work on more than one appliance or switch to editors from add-on features.
● Editors can be stacked on top of other editors or positioned left to right. When multiple appliance editors are open, you can drag one editor next to another for a side-by-side or top-to-bottom comparison.
● Click and drag a view or editor tab to move it.
Table 19 ETEMS toolbar (continued)
● Button: Launch the web interface for an appliance.
The Appliance Manager has its own toolbar that lets you minimize and maximize the view, and filter the appliances that are displayed.
Table 20 Appliance Manager toolbar
● Button: Filter appliances based on management IP address. Only those matching the filter pattern are shown in the Appliances view.
● Button: Display the menu of Appliance toolbar actions.
Understanding Roles
Table 22 Appliance status indicators (continued)
● Appliance reboot required.
● Reload policies required.
● Status unknown. The appliance is not responding to ETEMS’s attempts to communicate with it, or ETEMS hasn’t yet queried the appliance status.
● Appliance unmanageable due to an incompatible hardware/software combination or runtime exception error.
● The appliance is in an error state.
deploying policies. ETEMS uses the Administrator user to log in to the appliance. The Administrator also has access to all of the CLI commands.
● The Ops user logs in to the appliance only through the CLI and has access to a subset of the CLI commands.
Modifying Communication Preferences
3 In the Communications window, modify any of the communication preferences (see Table 24 and Table 25).
4 Do one of the following:
● Click Apply to set the new value.
● Click Restore Defaults to reset the timeout to the factory setting.
5 Click OK.
Table 25 Strict authentication communication preferences
● Ignore CRL access failure: When enabled, allows EncrypTight to set up communication with a component even when it cannot access the certificate revocation list (CRL) associated with the certificate presented by the component. This option is enabled by default. Because the default is to proceed when the CRL cannot be retrieved, a certificate that has been revoked is still accepted whenever the CRL distribution point is unreachable; disable this option if you require a hard failure on a missing CRL. Note that if OCSP is enabled, this option is invalid and not available. For more information about CRLs, see “Validating Certificates Using CRLs” on page 287.
7 Provisioning Appliances
This section includes the following topics:
● Provisioning Basics
● Appliance User Management
● Working with Default Configurations
● Provisioning Large Numbers of Appliances
● Shutting Down Appliances
Provisioning Basics
ETEMS is the appliance management component of the EncrypTight software. It is a configuration and management tool that lets you provision all of your EncrypTight appliances from a central location.
● “Pushing Configurations to Appliances” on page 97
● “Working with Default Configurations” on page 110
● “Provisioning Large Numbers of Appliances” on page 111
Adding a New Appliance
Adding a new appliance in ETEMS is the first step in being able to manage it remotely. Configuration screens are tailored to a particular combination of hardware and software, so it is important to select the correct product family and software version when adding a new appliance.
● “Provisioning Large Numbers of Appliances” on page 111
● “Provisioning PEPs” on page 147
Saving an Appliance Configuration
You can save an appliance configuration at any time during the configuration process. Appliance configurations are saved as part of the EncrypTight workspace. Unsaved changes are indicated with an asterisk on the editor tab. ETEMS provides several ways to save appliance configurations.
3 Optionally, for ETEP appliances with software version 1.6 and later, click Put Throughput License to install a license as part of the operation. You can also install a license separately from the Put Configuration operation. To learn more about licenses and throughput speeds, see “Managing Licenses” on page 56.
4 In the Put Configurations window, click Put to push configurations, and policies if applicable. The results are shown in the Result column.
Figure 27 Appliances view
By default, automatic status refresh is disabled. You can refresh the status manually by selecting the target appliances and clicking the Refresh Status button. If you prefer, you can have ETEMS automatically poll the status of the appliances. If the appliance status is anything other than the normal (OK) indicator, take action as described in Table 28.
To configure automatic status checking:
1 On the Edit menu, click Preferences.
Table 29 The Appliances view summarizes the appliance configurations stored in ETEMS
● Name: A unique name that identifies an appliance to ETEMS.
● Management IP: The IP address assigned to the appliance’s management port. This is the address that ETEMS uses to manage the appliance.
● Remote IP: The IP address assigned to the appliance’s remote port, which connects the appliance to an untrusted network.
Figure 28 Compare the ETEMS and appliance configurations
To compare and update configurations:
1 In the Appliance Manager, select an appliance in the Appliances view.
2 In the Tools menu, click Compare Config to Appliance to see a comparison of the ETEMS and appliance configurations. The items that differ are listed first. Click the toggle button to switch between a display of all settings and only those that are different.
3 To restore all appliances in the Appliances view, enter a single asterisk in the Filter Appliances window and then click OK.
Rebooting Appliances
Appliances must be rebooted for some configuration changes to take effect, and after installing a software update. Because rebooting interrupts the security policies running on the appliance, carefully consider the best time to reboot the appliances.
Appliance User Management
appliance that is available to that role. The ETEP can track appliance events based on user name, such as user account activity and policy deployments.
The ETEP has two roles: Administrator and Ops. The Administrator manages the appliance using the EncrypTight software. The Administrator configures the appliance, and creates and deploys policies. The Ops user is only able to log in to the CLI and has access to a limited set of commands.
Table 30 Appliance roles for ETEPs v 1.
User Name Conventions
Follow the guidelines below when creating user names. These conventions apply regardless of the password strength policy.
● User names can range from 1-32 characters.
● Valid characters are alpha and numeric characters (a-z, 0-9), _ (underscore), and - (dash).
● User names must start with an alpha character or an underscore. The first character cannot be a numeric digit or a dash.
● Only lower case alpha characters are accepted.
● Do not use dictionary words. ETEMS does not prevent the use of dictionary words, but a password containing a dictionary word will be rejected by the ETEP.
In addition, the Administrator can place limits on the following:
● Password expiration period, expiration warning notification, and grace period.
● Maximum number of login sessions allowed per user
The ETEP allows three consecutive failed login attempts in a 15 minute period prior to locking an account.
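The account rules above can be checked before credentials are pushed to a group of appliances, which avoids a partial rollout where ETEMS accepts a password that the ETEP then rejects. The following is an added example written for this page; it is not code from EncrypTight or ETEMS. It encodes the user name conventions, mirrors the ETEP's dictionary-word rejection, and models the lockout rule (three consecutive failures in 15 minutes). The dictionary word list is a short constructed stand-in, and the caller supplies time as seconds; both are assumptions, not details from the guide.

```python
"""Added example: pre-flight checks for ETEP appliance accounts, written
for this guide page rather than taken from EncrypTight or ETEMS. It
encodes the user name conventions and the lockout rule stated in the
text, and mirrors the ETEP's rejection of dictionary-word passwords.

Assumptions (not from the guide): the dictionary word list is a short
constructed stand-in; time is a float of seconds supplied by the caller.
"""
from dataclasses import dataclass, field
import re

# Constructed stand-in for the ETEP's dictionary; the real list is larger.
DICTIONARY_WORDS = frozenset({"password", "admin", "welcome", "secret"})


def validate_username(name: str) -> list:
    """Return the user name rules that `name` breaks; [] means it is valid.
    Rules from the guide: 1-32 chars, only a-z, 0-9, '_' and '-', lower
    case only, first character a letter or underscore."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("length must be 1-32 characters")
    if name != name.lower():
        problems.append("only lower-case letters are accepted")
    if name and name[0] in "0123456789-":
        problems.append("first character must be a letter or underscore")
    if not re.fullmatch(r"[a-zA-Z0-9_-]*", name):
        problems.append("only a-z, 0-9, _ and - are allowed")
    return problems


def contains_dictionary_word(password: str) -> bool:
    """ETEMS accepts such a password but the ETEP rejects it, so check
    locally before pushing credentials to a group of appliances."""
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY_WORDS)


@dataclass
class LoginLockout:
    """Model of the ETEP rule: three consecutive failed logins within a
    15 minute period lock the account."""
    max_failures: int = 3
    window_seconds: int = 15 * 60
    failures: dict = field(default_factory=dict)   # user -> failure times
    locked: set = field(default_factory=set)

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login at `now` (seconds). Returns True when the
        account is (or already was) locked."""
        if user in self.locked:
            return True
        # Keep only failures still inside the 15 minute window.
        recent = [t for t in self.failures.get(user, []) if now - t < self.window_seconds]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked.add(user)
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login breaks the consecutive-failure run."""
        if user not in self.locked:
            self.failures.pop(user, None)
```

Run `validate_username` and `contains_dictionary_word` over the account list before Tools > Appliance User > Add User; the lockout model is useful when reproducing an "account locked" report from the appliance event log against the timestamps of the failed attempts.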
Managing Appliance Users
You can add, modify, and delete appliance users directly from ETEMS. You can update user accounts for a single appliance or for a group of appliances. When managing users, changes take effect immediately. There is no need to push the user data to the ETEP. Changing appliance user names and passwords can affect EncrypTight’s ability to communicate directly with the ETEP.
7 On appliances that are enforcing strong passwords, configure the password expiration settings as described in Table 32.
8 Click Apply to send the user credentials to the selected appliances. The change takes effect immediately.
Table 32 Password policy values
● Password expiration: default password policy 99999 days; strong password policy default is 60 days, range 1-60.
● Notify before expiration: default password policy 7 days; strong password policy default is 10 days, range 1-30.
Related topics:
● “ETEP User Roles” on page 102
● “User Name Conventions” on page 104
● “Default Password Policy Conventions” on page 104
● “Strong Password Policy Conventions” on page 104
● “Using a Common Access Card” on page 294
● “Password Strength Policy” on page 327
Modifying ETEP User Credentials
From the Appliance Manager, you can modify the password or role associated with an ETEP user.
To delete a user from the ETEP:
1 In the Appliance Manager, select the target appliances in the Appliances view.
2 On the Tools menu, click Appliance User > Delete User.
3 In the Delete Appliance User window, enter the user name that you wish to delete.
4 Click Apply. The user is immediately removed from the target ETEPs.
Working with Default Configurations
Each appliance requires a unique name and management port IP address, but many other settings will be the same across all appliances. ETEMS lets you define your own set of default settings to be used in all appliances of a particular model and software version level. See the configuration chapter for your appliance model for more information about each configuration option.
4 Click OK.
NOTE ETEMS will not save a default configuration that contains an error or an invalid entry. The OK button is disabled if an error is detected, and ETEMS marks the tab and the field that contain the error with an error indicator.
Restoring the ETEMS Default Configurations
For each product family/software version combination, you can replace a custom default configuration with the ETEMS factory default configuration.
Provisioning Large Numbers of Appliances
Related topics:
● “Creating a Configuration Template” on page 112
● “Importing Configurations from a CSV File” on page 112
● “Changing Configuration Import Preferences” on page 115
● “Checking the Time on New Appliances” on page 116
Creating a Configuration Template
A default configuration is like a template that contains common settings to be used on all appliances of a particular hardware model and software version.
specifies the document type, which ETEMS needs to successfully import the file. The pound symbol (#) indicates a comment line, and is ignored by ETEMS during the import operation. In the CSV file, commas are used to delineate one field from another.
Figure 34 Put configurations and reboot appliances
Related topics:
● “Importing Remote and Local Interface Addresses” on page 114
● “Changing Configuration Import Preferences” on page 115
● “Transparent Mode” on page 306
Importing Remote and Local Interface Addresses
For ETEPs, remote and local interface addresses are optional configuration items. They are needed when operating the ETEP in non-transparent mode.
Table 34 Remote and local keywords and attributes
● local ip address: Local port IP address in dotted decimal notation
● local subnet: Local port subnet address in dotted decimal notation
● local default gateway: Local port default gateway. If you do not use a default gateway, enter 0.0.0.0.
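A bulk import is the point where a duplicated management address or a mistyped mask silently reaches dozens of appliances, so it pays to check the file before ETEMS reads it. The following is an added example written for this page, not code from EncrypTight or ETEMS. It uses only what the text states about the file (a document-type line first, '#' comment lines, comma-separated fields, unique names and management IPs, and 0.0.0.0 meaning no local default gateway). The column layout (a header row after the document-type line, with the Table 34 keywords as column names) and the sample rows are constructed for the example; ETEMS's real layout is the one documented in the CSV import section.

```python
"""Added example, not from the EncrypTight guide or ETEMS itself: a
pre-import check for a configuration CSV. It applies only what the guide
states about the file (lines starting with '#' are comments, commas
separate fields, the first line names the document type, every appliance
needs a unique name and management IP, and a local default gateway of
0.0.0.0 means 'no gateway').

Assumption: the column layout (a header row naming the columns after the
document-type line) is invented for the example.
"""
import csv
import io
import ipaddress

# Constructed sample file: a document-type line, a comment, an assumed
# header row and three appliance rows; row 3 repeats a management IP and
# carries a malformed local subnet.
SAMPLE_CSV = """\
etems-config
# PEPs for the Denver site; pushed after import
name,management ip,local ip address,local subnet,local default gateway
pep-den-01,192.168.11.69,10.10.1.1,255.255.255.0,10.10.1.254
pep-den-02,192.168.11.70,10.10.2.1,255.255.255.0,0.0.0.0
pep-den-03,192.168.11.69,10.10.3.1,255.255.255,10.10.3.254
"""

# Columns that must hold dotted-decimal values.
IP_COLUMNS = ("management ip", "local ip address", "local subnet", "local default gateway")


def parse_config_csv(text: str):
    """Return (document type, rows). Comment lines are dropped before the
    CSV reader sees them, so a leading '#' is never treated as data."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines:
        raise ValueError("empty file")
    doc_type = lines[0].strip()
    reader = csv.DictReader(io.StringIO("\n".join(lines[1:])))
    rows = [{k.strip(): (v or "").strip() for k, v in row.items()} for row in reader]
    return doc_type, rows


def _valid_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def check_rows(rows: list) -> list:
    """Return human-readable problems; an empty list means the file is safe
    to import. Names and management IPs must be unique across the file."""
    problems = []
    seen_names, seen_mgmt = set(), set()
    for n, row in enumerate(rows, start=1):
        name = row.get("name", "")
        if name in seen_names:
            problems.append(f"row {n}: duplicate appliance name {name!r}")
        seen_names.add(name)
        mgmt = row.get("management ip", "")
        if mgmt in seen_mgmt:
            problems.append(f"row {n}: management IP {mgmt} already used")
        seen_mgmt.add(mgmt)
        for col in IP_COLUMNS:
            if col in row and not _valid_ipv4(row[col]):
                problems.append(f"row {n}: {col} {row[col]!r} is not dotted decimal")
    return problems


def has_default_gateway(row: dict) -> bool:
    """The guide uses 0.0.0.0 to mean 'no local default gateway'."""
    return row.get("local default gateway", "0.0.0.0") != "0.0.0.0"
```

A non-empty result from `check_rows` means the file should be corrected before File > Import, because ETEMS will otherwise either reject the file or create an appliance entry whose management address collides with one already in the workspace.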
Figure 36 Set the preference for importing configurations
Checking the Time on New Appliances
After importing configurations to ETEMS and pushing them to the appliances, refresh the appliance status. In the Appliances view, check the date and time of the new appliances. If any of the new appliances’ timestamps differ from the management station’s time by more than five minutes, edit the appliance to correct the date and time (Edit > Date).
8 Managing Appliances
This section includes the following topics:
● Editing Configurations
● Deleting Appliances
● Connecting Directly to an Appliance
● Upgrading Appliance Software
● Restoring the Backup File System
Editing Configurations
When modifying configurations, the following settings have their own unique editors: management IP address, date and time, and password.
Changing the Management IP Address
ETEMS uses the appliance’s 10/100 Ethernet management port to communicate with the appliance. The management IP address in ETEMS must match the address of the appliance for successful communication. To keep the two configurations in sync you can make either of the following changes:
● Push a new IP address to the appliance from ETEMS (see “Changing the Address on the Appliance” on page 118)
● Update ETEMS with the appliance’s new IP address.
Figure 37 Change Management IP window
Related topics:
● “Changing the Address in ETEMS” on page 119
● “Management Port Addressing” on page 302
● “IPv6 Addressing” on page 304
Changing the Address in ETEMS
If the management IP address has been changed directly on the appliance, you need to update the address in the ETEMS configuration. For ETEP 1.6 and later appliances, you can edit the management port IP address directly in the appliance editor.
Figure 38 Operation failed message in response to management IP change
Changing the Date and Time
ETEMS can change the date and time on a single appliance or a group of appliances. On appliance models where the time zone cannot be configured (ETEP or a mix of appliance models), enter the date and time relative to UTC.
NOTE The SNTP client must be disabled on an appliance in order to change its date or time manually. If SNTP is enabled, the date and time change operation will fail.
To change the date and time:
1 Make sure that the SNTP client is disabled on the target appliances. There are two ways to disable the SNTP client setting: from the Appliance editor’s Advanced tab, or from the Edit menu, Multiple Configurations > SNTP Client.
● SNTP client
● Software version
● Syslog servers
Other settings that can be edited on multiple appliances are date and time, and password. These settings do not use the multiple configurations editor: they have their own unique editors, which are accessed from the Edit menu. The multiple configuration editor changes the appliance’s configuration in the EncrypTight workspace.
To delete appliances:
1 In the Appliance Manager, select the appliances to delete in the Appliances view.
2 On the Edit menu, click Delete. A confirmation message displays.
3 Click OK to confirm the selection and delete the selected appliances.
Connecting Directly to an Appliance
ETEMS supports appliance-level tasks on appliances managed by ETEMS.
The amount of time it takes to complete a software upgrade depends on the appliance model and the speed of the link: the slower the link, the longer the upgrade takes. If software is not successfully loaded to any particular appliance within a predefined time frame, the connection times out. The software upgrade timeout is user-configurable (Edit > Preferences > ETEMS > Communications).
Figure 41 Upgrade software on multiple appliances from a central location
CAUTION Appliances must be rebooted for the new software to take effect. Rebooting an appliance interrupts traffic on the data ports for several minutes. During the reboot operation all packets are discarded.
CAUTION For ETEPs, we recommend rebooting immediately after upgrading. Any configuration changes that are made between the upgrade and subsequent reboot will be lost when the appliance reboots.
6 Click Upgrade. ETEMS confirms that the FTP site is reachable before it begins the upgrade operation. Upgrade results for each appliance are displayed in the Result column of the Upgrade Appliances table.
7 Upgrading the software version on the appliance does not automatically update the ETEMS configuration.
Canceling an Upgrade
To cancel a software upgrade that is underway for a series of appliances, click Cancel. Appliance upgrades that are in progress will complete their upgrades but no additional upgrades will be initiated. The upgraded appliances will reboot if you selected Reboot appliances after operations complete. For ETEP appliances, the result for the upgrades in progress is listed as “in operation.
Review the following recommendations and cautions prior to restoring the file system:
● Make sure that you know the passwords used in the backup configuration. Once the backup image is restored on the appliance, you must use the passwords from the backup configuration to log in.
● After restoring the file system, redeploy policies to the ETEP using ETPM to ensure that the appliance is using the current set of policies and keys.
Part III Using ETPM to Create Distributed Key Policies
9 Getting Started with ETPM
The Policy Manager (ETPM) is the security policy management component of EncrypTight. You use ETPM to create and manage distributed key policies that you send to the Key Management System (ETKMS). The ETKMS generates the keys and distributes the keys and policies to the PEPs.
● Editors are used to add and modify EncrypTight components and policies.
● Policy view is used to view and add policies.
Related topics:
● “EncrypTight Components View” on page 133
● “Editors” on page 134
● “Policy View” on page 135
● “ETPM Toolbar” on page 137
● “ETPM Status Refresh Interval” on page 137
Each of the views can be individually sized by dragging the borders of that area.
About the ETPM User Interface
EncrypTight Components View
The EncrypTight Components view lets you configure the network components used to create a policy.
Figure 43 EncrypTight Components view
EncrypTight components are the building blocks used to construct a policy. Layer 3 IP policy components are:
● PEPs
● Networks
● Network sets
Layer 2 Ethernet policy components are:
● PEPs
● VLAN ranges
You can sort each of the network component views by clicking column headers.
Editors
Editors allow you to add or change EncrypTight components and policies. When you first start ETPM, no editors are open. To open an editor, double-click a component or policy, or right-click and select Add Element or Edit in the EncrypTight Components view. You can open multiple editors at any time. Each opened editor appears as a tab in the Editors view.
Figure 44 Editors
Some ETPM editors require a drag and drop operation.
Policy View
The Policy view allows you to view, add, and edit policies.
Figure 45 Policy view
The Policy view lists the policies in an expandable tree structure. You can use the Policy view to add a new policy, edit a policy, and edit or remove any component in a policy. You can expand each policy to view the network sets by clicking the expand icon. You can further expand the network sets to view the PEPs and networks included in each network set within that policy.
Table 37 Status indicators (continued)
● Consistent: ETPM performed an action and the responses from the ETKMSs indicate that the PEPs are consistent with the settings in ETPM.
● Inconsistent: Deployed policies in a PEP do not match the policies in ETPM, or no policy is present.
● Communication error: A communication error or timeout has occurred with one or more PEPs included in the policy.
ETPM Toolbar
The ETPM toolbar provides shortcuts to frequently performed tasks.
Table 38 ETPM toolbar
● Button: Saves the configuration in the active editor.
● Button: Imports networks and network sets from a CSV file. For more information on using this feature, see “Importing Networks and Network Sets” on page 172.
● Button: Refreshes the status of all ETPM components.
● Button: Deploys the ETPM policies. Sends the policy information to the Key Management System for distribution to the PEPs.
About ETPM Policies
A policy specifies what traffic to protect and how to protect it. Each packet or frame is inspected by the PEP and processed based on the filtering criteria specified in the policy.
● ETKMSs distribute the keys and policies to the PEPs
● VLAN ID ranges enable filtering based on VLAN ID tags (optional)
NOTE If you do not include a VLAN ID or range in the policy, all Ethernet traffic is selected for enforcement.
Policy Generation and Distribution
This section outlines how the elements of EncrypTight work together to generate and distribute policies and keys.
Figure 48 Key generation with one ETKMS
In this scenario, you could use either a local ETKMS or an external ETKMS. The ETKMS generates and sends the same shared key to the PEP encrypting the outbound data and the PEP decrypting the inbound data. Each PEP needs a unique key to encrypt outbound data, and in turn this key must be shared with the PEP’s peers.
Creating a Policy: An Overview
Figure 49 Key generation with multiple ETKMSs
The ETKMS generating the key for a PEP’s outbound data shares the key with the ETKMSs that control the PEPs that decrypt the data. In Figure 49, ETKMS 1 controls PEP A and is responsible for generating Shared Key 2. ETKMS 2 controls PEP B and is responsible for generating Shared Key 1.
● Shared Key 2 is used to encrypt the outbound data in PEP A and it is used by PEP B to decrypt the data received from Network A.
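The rule in Figure 48 and Figure 49 (each PEP encrypts with its own outbound key; the ETKMS that controls that PEP generates the key and passes it to the ETKMSs controlling the decrypting peers) is easiest to see as a small model. The following is an added example written for this page, not code from EncrypTight or the ETKMS. It keys a full-mesh policy across any number of ETKMSs and checks that every PEP holds, as its inbound key for a peer, exactly the key that peer encrypts with. The key material (random bytes from os.urandom), the in-memory "delivery", and the class and function names are assumptions for the example; the real ETKMS-to-ETKMS and ETKMS-to-PEP transport and key format are not described in this passage.

```python
"""Added example, not code from the EncrypTight guide or product: a model
of the key-generation rule the guide describes for a policy that spans
several ETKMSs. Each ETKMS generates the outbound key for the PEPs it
controls and hands that key to the ETKMSs controlling the peer PEPs,
which install it as those PEPs' inbound key for that peer.

Assumptions: keys are 32 random bytes from os.urandom and delivery is an
in-memory list append; the real transport and key format are not
described in this passage.
"""
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pep:
    name: str
    controller: str                       # name of the ETKMS that manages it
    outbound_key: Optional[bytes] = None  # key this PEP encrypts with
    inbound_keys: dict = field(default_factory=dict)  # peer name -> key


@dataclass
class Etkms:
    name: str
    peps: dict = field(default_factory=dict)      # PEPs this ETKMS controls
    received: list = field(default_factory=list)  # (from_etkms, pep, key)

    def generate_outbound_key(self, pep: Pep) -> bytes:
        """Only the controlling ETKMS may generate a PEP's outbound key."""
        if pep.controller != self.name:
            raise ValueError(f"{self.name} does not control {pep.name}")
        pep.outbound_key = os.urandom(32)  # assumption: 256-bit key
        return pep.outbound_key

    def share_key(self, pep: Pep, peer_ctrl: "Etkms") -> None:
        """Hand the key to the ETKMS that controls a decrypting peer."""
        peer_ctrl.received.append((self.name, pep.name, pep.outbound_key))


def deploy_policy(peps: list, etkmss: dict) -> None:
    """Key a full-mesh policy among `peps` following the guide's rule."""
    # Step 1: each controller generates the outbound key for its PEPs.
    for pep in peps:
        etkmss[pep.controller].generate_outbound_key(pep)
    # Step 2: the generating ETKMS shares the key with the peers' controllers
    # (this is a no-op transfer when both PEPs share one ETKMS, Figure 48).
    for pep in peps:
        for peer in peps:
            if peer is not pep:
                etkmss[pep.controller].share_key(pep, etkmss[peer.controller])
    # Step 3: each controller installs the received keys on its own PEPs.
    for ctrl in etkmss.values():
        for _src, sender_name, key in ctrl.received:
            for local in ctrl.peps.values():
                if local.name != sender_name:
                    local.inbound_keys[sender_name] = key


def keys_consistent(peps: list) -> bool:
    """True when every PEP decrypts a peer's traffic with exactly the key
    that peer encrypts with, and no two PEPs share an outbound key."""
    outbound = [p.outbound_key for p in peps]
    if len(set(outbound)) != len(outbound):
        return False
    for pep in peps:
        for peer in peps:
            if peer is not pep and pep.inbound_keys.get(peer.name) != peer.outbound_key:
                return False
    return True


def figure_49_topology():
    """ETKMS 1 controls PEP A, ETKMS 2 controls PEP B, as in the figure."""
    e1, e2 = Etkms("ETKMS 1"), Etkms("ETKMS 2")
    a, b = Pep("PEP A", e1.name), Pep("PEP B", e2.name)
    e1.peps[a.name], e2.peps[b.name] = a, b
    peps, etkmss = [a, b], {e1.name: e1, e2.name: e2}
    deploy_policy(peps, etkmss)
    return peps, etkmss
```

`keys_consistent` is the property that a Deploy must establish and that a renamed or re-addressed PEP breaks until the policy is redeployed: a PEP left holding a stale inbound key for a peer fails the check even though its own outbound key is fine.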
Figure 50 Sample point-to-point IP policy
Elements of Figure 50:
1) ETKMS 1, IP address 192.168.1.33
A, B) PEP A, IP address 192.168.11.69; PEP B, IP address 192.168.11.224
Network A: IP address 192.168.144.0
Network B: IP address 192.168.154.0
Network Set A: Includes Network A and PEP A, using ETKMS 1
Network Set B: Includes Network B and PEP B, using ETKMS 1
Figure 50 illustrates an EncrypTight deployment with two networks.
To create a policy:
1 In the ETEMS Appliance Manager, add PEP A and PEP B (File > New Appliance). In the sample illustrated in Figure 50, the management port of PEP A has the IP address 192.168.11.69 and the management port of PEP B has the IP address 192.168.11.224. To use an appliance as an EncrypTight PEP, you need to click the Enable EncrypTight setting on the Features tab of the New Appliance editor.
3 In the Appliance Manager, add and configure ETKMS 1 (File > New Appliance). In the sample illustrated in Figure 50, ETKMS 1 has the IP address 192.168.1.33 and does not have a backup ETKMS.
4 In the Appliances view, select ETKMS 1 and click Refresh Status. For more information, see “Adding ETKMSs” on page 156. This helps you determine that the ETKMS is accessible and operating properly.
5 Start ETPM. Click the Open Perspective button on the perspective tab and select Other.
7 Click the Network Sets tab and in the editor, add Network Set A and Network Set B. In the sample illustrated in Figure 50, Network Set A includes Network A and PEP A, and uses ETKMS 1. Network Set B includes Network B and PEP B, and uses ETKMS 1. For more information about Network Sets, see “Adding a Network Set” on page 170.
8 Right-click in the Policy view tab and select Add Point-to-Point Policy. A New Point-to-Point Policy editor opens.
9 Click the New Point-to-Point Policy editor and configure a point-to-point IPSec policy using the components you created in the preceding steps. See “Adding Layer 3 IP Policies” on page 191 for more information. To create a policy for the sample illustrated in Figure 50, click and drag Network Set A to the Point A box and Network Set B to the Point B box. For information on other settings you can specify for policies, see “Policy Concepts” on page 181.
10 Managing Policy Enforcement Points
Policy Enforcement Points (PEPs) enforce the policies created in ETPM and distributed by the ETKMSs. EncrypTight Policy Enforcement Points (ETEP PEPs) include:
● ET0010A
● ET0100A
● ET1000A
This section includes the following topics:
● Provisioning PEPs
● Editing PEPs
● Deleting PEPs
Provisioning PEPs
Provisioning PEPs requires adding and configuring an appliance and then pushing the configuration to the appliance.
network sets in Layer 3 IP policies. L2 PEPs can be used in Layer 2 Ethernet policies. You can sort the list of PEPs by type or name by clicking the column header (SG or Name). When ETEMS communicates with a PEP, it verifies that its hardware and software configuration is valid. PEPs that ETEMS has not yet communicated with are marked with a ? symbol beside the IP or L2 designation.
Table 39 EncrypTight PEP configuration (continued)
● Enable EncrypTight: On the Features tab, select Enable EncrypTight. EncrypTight is enabled by default on ETEP PEPs. After you enable EncrypTight, the default behavior of all PEPs is to send all packets in the clear until you deploy new policies. Once you deploy policies, the PEPs process traffic as directed by the policies.
Adding a New PEP Using ETPM
Normally, you should add PEPs using the ETEMS Appliance Manager; however, it is possible to add PEPs from ETPM. Keep in mind that you will have to use ETEMS to push the configurations to the PEPs.
To add a new PEP using ETPM:
1 From the EncrypTight Components view on ETPM, click the PEPs tab. The PEP tab displays a list of all configured PEPs.
2 Right-click anywhere in the PEP view and then click Add new Element.
Pushing the Configuration
After you define the PEP configurations, push the configurations from ETEMS to the targeted PEPs.
To push ETEMS configurations to PEPs:
1 In the ETEMS Appliances view, select the target PEPs.
2 On the Tools menu, click Put Configurations.
3 Some appliance models must be rebooted for configuration changes to take effect. Rebooting interrupts the data traffic on the PEP’s remote and local ports for several minutes.
If you changed the PEP’s Appliance name in ETEMS, redeploy your policies. If you don’t redeploy, the renamed PEP will issue an error message after every key refresh.
Related topic:
● “Pushing Configurations to Appliances” on page 97
Editing Multiple PEPs
Changing the configurations of a large number of PEPs can be time-consuming. However, there are specific settings that you can change for a selection of multiple PEPs.
Changing the IP Address of a PEP
Occasionally, you might need to change the IP address on a PEP. For example, you might need to move a PEP from one location in your network to another. This could require that you change the management IP address of the PEP. Although you can edit the IP address of a PEP in ETEMS, ETPM and the ETKMSs will not immediately be aware of the change. Any policies currently on the PEP will eventually expire and will not get new keys or be renewed.
To delete PEPs:
1 In the Appliances view in ETEMS, select the PEPs to delete.
2 On the Edit menu, click Delete. A confirmation message displays.
3 Click OK.
4 From ETPM, click Deploy.
11 Managing Key Management Systems
Based on the policies received from the ETPM, the Key Management Systems (ETKMSs) generate and distribute the keys along with the policies to the Policy Enforcement Points (PEPs). You must use the ETEMS Appliance Manager to add, edit, and delete ETKMSs.
In order to ensure network resiliency, some EncrypTight configurations may have external ETKMSs installed in pairs: a primary ETKMS and a backup ETKMS. The ETPM distributes the policies to both the primary ETKMS and the backup ETKMS. Only the primary ETKMS distributes the keys and policies to the PEPs.
4 Click Save when complete.
Table 40 ETKMS entries
● Appliance Name: Enter a unique name to identify this particular ETKMS in the Appliance Name edit box. With external ETKMSs, this name must match the short hostname that was set when the ETKMS was installed and configured. For example, if the hostname was etkms1.mycompany.com, the short hostname is etkms1. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid.
Managing Key Management Systems CAUTION Do not delete any ETKMS currently used by any network sets or policies. Before you delete an ETKMS, modify any network sets and policies using that ETKMS to use another ETKMS. If you delete an ETKMS that is currently used in a policy or a network set, you can create configuration errors that might prevent you from deploying your policies. In this case, check the Policy view to find the components with configuration errors. Correct the errors and then click Deploy.
12 Managing IP Networks In EncrypTight, networks are the IP networks that you want to protect. One or more of these networks are combined with one or more PEPs to make a network set. Network sets are treated as a single network entity within IP policies. Networks are added, modified, and deleted using the networks tab in the EncrypTight Components view.
Managing IP Networks To add a network: 1 From the EncrypTight Components view, click the Networks tab. The Networks tab lists all of the networks that have been added. You can sort the list of networks by IP address or network mask by clicking a column header. 2 Right-click anywhere in the Networks tab and click Add new Element. 3 Create the network in the Network editor as described in Table 41. Enter the IP address and subnet mask to select the traffic of interest.
Advanced Uses for Networks in Policies clear. ETPM accepts non-contiguous network masks, which allow you to create policies between particular addresses in your network. For example, a network of 10.0.0.1 with a mask of 255.0.0.255 allows all devices with an IP address of 10.x.x.1 to be managed by a particular policy. This feature is available only with ETEP PEPs. See “Using Non-contiguous Network Masks” on page 162 for more information.
Managing IP Networks Figure 56 Two networks with contiguous addressing defined as a supernet If you group the two networks into a supernet and the policy encrypts traffic between these two networks and five other networks, the PEP for this network set would contain only five SAs and keys for each direction, instead of 10. NOTE Where the subnetwork addresses are not completely contiguous, grouping these networks can result in the inclusion of an unintended subnetwork.
Advanced Uses for Networks in Policies Figure 57 Networks with non-contiguous network masks are used in a bypass policy that encompasses all the x.x.x.1 and x.x.x.129 addresses Defining networks with non-contiguous masks allows you to create a single bypass policy that encompasses all the .1 and .129 addresses, enabling the local sites on the 172.16.x.x network to manage the devices on the remote port side of the PEP.
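The following is an added example, not code from the EncrypTight product, that illustrates the three points made above about network selectors: how a non-contiguous mask such as 255.0.0.255 selects every 10.x.x.1 address (the selector matches on masked bits only, which is the same rule a contiguous mask uses), which subnets a supernet silently pulls in when the grouped networks are not contiguous, and why grouping two local networks into one supernet halves the SAs and keys a policy creates on a PEP. The two bypass selectors (172.16.0.1 and 172.16.0.129 with mask 255.255.0.255) are an assumed encoding of the .1 and .129 bypass policy from the text, and all addresses are constructed sample input.

```python
"""Added example, not EncrypTight code: the selector-matching rule behind
contiguous and non-contiguous network masks, the subnets a supernet can
pull in unintentionally, and the SA count a policy puts on a PEP.
"""
import ipaddress


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def matches(addr: str, network: str, mask: str) -> bool:
    """True if addr falls inside the selector (network, mask).

    Only the bits the mask keeps are compared, so the same rule serves a
    contiguous mask (255.255.255.0) and a non-contiguous one such as
    255.0.0.255, which keeps the first and the last octet.
    """
    m = _as_int(mask)
    return (_as_int(addr) & m) == (_as_int(network) & m)


def bypass_match(addr: str) -> bool:
    """Assumed selectors for the bypass policy described in the text: every
    172.16.x.1 and 172.16.x.129 address, expressed as two non-contiguous
    selectors with mask 255.255.0.255."""
    return any(matches(addr, n, "255.255.0.255")
               for n in ("172.16.0.1", "172.16.0.129"))


def supernet_of(cidrs):
    """Smallest single CIDR block that contains every given network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()  # widen by one bit until everything fits
    return agg


def unintended_subnets(cidrs):
    """Blocks the supernet covers that are outside the listed networks.

    Empty when the networks are fully contiguous; otherwise these are the
    subnets a supernet-based policy would silently include.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    agg = supernet_of(cidrs)
    finest = max(n.prefixlen for n in nets)
    extra = [s for s in agg.subnets(new_prefix=finest)
             if not any(s.subnet_of(n) for n in nets)]
    return [str(s) for s in sorted(extra, key=lambda s: int(s.network_address))]


def sa_count(local_networks: int, remote_networks: int) -> int:
    """SAs (and keys) per direction that one policy creates on a PEP: one
    per local/remote network pair. Grouping two local networks into a single
    supernet halves it."""
    return local_networks * remote_networks


if __name__ == "__main__":
    # Constructed sample addresses; the selector 10.0.0.1 / 255.0.0.255 is
    # the one from the text and selects every 10.x.x.1 address.
    for a in ("10.5.6.1", "10.5.6.2", "11.0.0.1"):
        print(a, matches(a, "10.0.0.1", "255.0.0.255"))
    print(supernet_of(["192.168.0.0/24", "192.168.2.0/24"]),
          unintended_subnets(["192.168.0.0/24", "192.168.2.0/24"]))
    print(sa_count(2, 5), "SAs per direction vs", sa_count(1, 5), "after supernetting")
```

Before grouping networks into a supernet for a policy, run the candidate list through unintended_subnets: anything it returns is traffic the policy will act on that was never part of the design, which is exactly the trap the note above warns about.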
Managing IP Networks Editing Networks To edit an existing network: 1 In the EncrypTight Components view, click the Networks tab. 2 Right-click the desired network, click Edit. 3 Change the entries of the desired fields in the editor. Table 41 on page 160 describes the entries on the network editor. 4 Click Save when all entries are modified as desired. Deleting Networks Occasionally, you might want to delete a network.
Deleting Networks To delete a network: 1 In the EncrypTight Components view, click the Networks tab. 2 Right-click the desired Network and click Delete. 3 Click OK on the Permanently Delete an Element Window.
13 Managing Network Sets A network set is a collection of IP networks, the associated PEPs, and a default ETKMS. A network set is treated as a single entity in a policy. This section includes the following topics: ● Types of Network Sets ● Adding a Network Set ● Importing Networks and Network Sets ● Editing a Network Set ● Deleting a Network Set Figure 58 shows two network sets.
Managing Network Sets Types of Network Sets The following examples illustrate the different types of network sets: ● Subnet ● Load balanced network ● Collection of networks ● A network set that does not contain any PEPs Figure 59 Network set for a subnet Figure 59 illustrates a network set consisting of a single network and a single PEP. In ETPM, this network set would include PEP 1 and the network IP address and mask: IP address 40.32.21.0 Figure 60 Mask 255.255.255.
Types of Network Sets Figure 61 Network set for a collection of networks Figure 61 illustrates a network set comprised of two networks and two PEPs. In ETPM, this network set includes both PEP 1 and PEP 2, and both network IP addresses and masks: IP address 30.25.11.0, mask 255.255.255.0; IP address 30.24.3.0, mask 255.255.255.0. Figure 62 Network set that does not include a PEP A network set does not have to include any PEPs.
Managing Network Sets Adding a Network Set To add a Network Set: 1 In the EncrypTight Components view, click the Network Sets tab. The Network Sets view lists the network sets added previously. You can sort the list of network sets by clicking the Network Name column header. 2 Right-click anywhere in the Network Set view and click Add new Element. 3 Create the network set in the Network Set editor as described in Table 43. The Network Set editor is shown in Figure 63. 4 Click Save when complete.
Adding a Network Set Table 43 Network Set fields (continued) Field Description Key Management System Select the desired Key Management System from the Default ETKMS list. You must select an ETKMS even if the network set does not include a PEP. If you create a policy that includes a network set that does not have an ETKMS, you will not be able to deploy that policy. Network Addressing Mode Select the desired network addressing mode.
Managing Network Sets Figure 63 Network Set editor Importing Networks and Network Sets If you need to work with a large number of networks and network sets, you can save time by importing the data into ETPM. You can create a CSV file that lists the networks and network sets that you need and import the file. The default ETKMS and the PEPs used in the network sets must have been added to ETEMS previously or the import will fail.
Importing Networks and Network Sets line and is ignored by ETPM during the import operation. In the CSV file, commas are used to delineate one field or item from the next. The format of the CSV file is as follows: Version1.
Managing Network Sets Table 44 Networks and network sets import format description Attribute Description peps Keyword that indicates a list of one or more PEP names follows. list of PEP names In the CSV file, each PEP name must be separated by a comma. In a spreadsheet, place each PEP name in a cell by itself. Each PEP must have been added to ETEMS previously. To import networks and network sets into ETPM: 1 Create a CSV file that identifies the networks and network sets.
Deleting a Network Set CAUTION Prior to deleting a network set, modify any policies using that network set to use another network set. If you delete a network set that is currently used in a policy, you can create configuration errors that might prevent you from deploying your policies. In this case, check the Policy view to find the components with configuration errors. Correct the errors and then click Deploy.
14 Creating VLAN ID Ranges for Layer 2 Networks If the network uses VLAN ID tags, you have the option of creating policies that select traffic with specific VLAN ID tags or within a range of VLAN ID tags. If you do not include VLAN ID tags in a new Layer 2 policy, the policy is applied to all network traffic. VLAN ID tags are used to create logical networks within a larger physical network. This is often used to separate network traffic by departments, such as Finance or Human Resources.
Creating VLAN ID Ranges for Layer 2 Networks 2 Right-click anywhere in the VLAN Ranges view and then click Add new Element. 3 Create the VLAN range in the editor as described in Table 45. 4 Click Save when complete. NOTE VLAN ranges are not supported on ETEP PEPs. If you enter a range, the ETEP uses only the lower VLAN ID. We recommend entering the same value for the upper and lower VLAN ID when working with ETEP PEPs.
Editing a VLAN ID Range Editing a VLAN ID Range To edit a VLAN ID range: 1 In the EncrypTight Components view, click the VLAN Ranges tab. 2 Right-click the desired VLAN ID range and click Edit. 3 Change the entries of the desired fields in the editor. Table 45 on page 178 describes the entries on the VLAN Range editor. 4 Click Save when all entries are modified as desired. Deleting a VLAN ID Range If changes are made to a network or VLAN, you might need to delete VLAN ID ranges.
Creating VLAN ID Ranges for Layer 2 Networks 3 Click OK.
15 Creating Distributed Key Policies From the Policy view, you can add, modify, and delete policies for Layer 3/Layer 4 IP networks and Layer 2 Ethernet networks. This section includes the following topics: ● Policy Concepts ● Adding Layer 2 Ethernet Policies ● Adding Layer 3 IP Policies ● Adding Layer 4 Policies ● Policy Deployment ● Editing a Policy ● Deleting Policies Policy Concepts A policy specifies what traffic to act on and what action to take.
Creating Distributed Key Policies ● “Key Generation and ETKMSs” on page 185 ● “Addressing Mode” on page 185 ● “Using Encrypt All Policies with Exceptions” on page 185 ● “Policy Size and ETEP Operational Limits” on page 186 ● “Minimizing Policy Size” on page 187 Policy Priority You can assign a priority from 1 to 65000 to each policy that you create. The policy priority specifies the order in which policies are processed on the PEP.
Policy Concepts TIP Network connectivity problems can prevent new keys from being distributed to the PEPs before the old keys expire. If you experience problems of this nature, see “Solving Network Connectivity Problems” on page 248 for suggested workarounds to prevent interruptions. Policy Types and Encryption Methods The type of policy specifies the action applied to packets that match the protocol and networks included in this policy.
Creating Distributed Key Policies Figure 69 Data payload encryption Encryption and Authentication Algorithms For Layer 3 IP policies, you can specify the encryption and authentication algorithms that you want to use. The encryption algorithms include the Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES). AES is a symmetric block cipher capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. 3DES is a legacy cipher with a 64-bit block size; prefer AES and select 3DES only for compatibility with equipment that cannot use AES.
Policy Concepts Key Generation and ETKMSs With multicast IP policies and Layer 2 Ethernet policies, you choose a single ETKMS to generate and distribute the keys. With point-to-point, hub and spoke, and mesh IP policies there are two options for specifying which ETKMSs generate and distribute keys. ● By Network Set - The default ETKMS within each network set generates and distributes the keys to the PEPs included in those network sets.
Creating Distributed Key Policies 1 Create a policy to encrypt all data to and from all networks. Assign this policy a relatively low priority to ensure that any traffic not caught by a more specific policy will at least pass encrypted. 2 Design a pass in the clear policy and a drop policy with higher priorities. Table 46 illustrates policies for a mesh network that will pass Protocol 17 (UDP) traffic in the clear, drop all protocol 55 (IP mobile) traffic, and encrypt all other traffic.
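The following is an added example, not EncrypTight code, that models how a PEP selects the policy to apply so that the "encrypt all with exceptions" layout above can be checked before deployment. It evaluates policies from highest to lowest priority (first match wins), applies the ETEP default of passing unmatched traffic in the clear, and rejects duplicate priorities, since a duplicate leaves the evaluation order undefined and is the first thing to check when policies do not behave as expected. The policy names, the priority values 100/200/300, and the use of the four regional networks from the design example as a mesh are assumptions for the sake of the example; the packets are constructed sample input.

```python
"""Added example, not EncrypTight code: a model of PEP policy selection to
show why the encrypt-all-with-exceptions layout works and what happens to
traffic that no policy matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int              # 1..65000; highest is evaluated first
    action: str                # "encrypt", "clear" or "drop"
    protocol: Optional[int]    # IP protocol number, None = any protocol
    network_sets: tuple        # CIDRs; mesh: src and dst must each be inside one


def check_priorities(policies) -> None:
    """Reject priorities outside 1..65000 and duplicates."""
    seen = {}
    for p in policies:
        if not 1 <= p.priority <= 65000:
            raise ValueError(f"{p.name}: priority {p.priority} outside 1..65000")
        if p.priority in seen:
            raise ValueError(f"duplicate priority {p.priority}: {seen[p.priority]} and {p.name}")
        seen[p.priority] = p.name


def priorities_are_unique(policies) -> bool:
    """True when every policy carries a distinct priority in 1..65000."""
    try:
        check_priorities(policies)
    except ValueError:
        return False
    return True


def _inside(addr: str, cidrs) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(c) for c in cidrs)


def evaluate(policies, src: str, dst: str, protocol: int):
    """Return (action, policy name) for one packet.

    Policies are tried from highest to lowest priority and the first match
    wins. If nothing matches, the ETEP default policy passes the packet in
    the clear, which is why the low-priority catch-all encrypt policy matters.
    """
    check_priorities(policies)
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        if p.protocol is not None and p.protocol != protocol:
            continue
        if not (_inside(src, p.network_sets) and _inside(dst, p.network_sets)):
            continue
        return p.action, p.name
    return "clear", "default (no policy matched)"


# Constructed mesh of the four regional networks from the design example;
# the priorities are assumed values that only need the right relative order.
REGIONS = ("192.33.3.0/24", "172.44.0.0/24", "100.22.3.0/24", "100.33.1.0/24")
MESH_POLICIES = (
    Policy("Encrypt All", 100, "encrypt", None, REGIONS),
    Policy("Pass UDP in the clear", 200, "clear", 17, REGIONS),
    Policy("Drop IP Mobile", 300, "drop", 55, REGIONS),
)


if __name__ == "__main__":
    for proto in (17, 55, 6):
        print(proto, evaluate(MESH_POLICIES, "192.33.3.10", "172.44.0.5", proto))
    # Without the catch-all, TCP between the regions falls through to the
    # ETEP default and leaves the PEP unencrypted.
    print(evaluate(MESH_POLICIES[1:], "192.33.3.10", "172.44.0.5", 6))
```

Running evaluate over a handful of representative flows (each protocol you care about, plus one address outside every network set) before clicking Deploy shows which policy each flow hits and, more importantly, which flows hit nothing and would leave the PEP in the clear.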
Policy Concepts Minimizing Policy Size Using EncrypTight with large, complex networks with multiple subnets protected by separate PEPs can result in a large number of SAs on each PEP. The increased management traffic for renewing keys and refreshing policy lifetimes could adversely affect the performance of EncrypTight. If you do not require policy filtering based on subnets located with each PEP, use the minimize policy size feature to avoid this.
Creating Distributed Key Policies Adding Layer 2 Ethernet Policies For Layer 2 Ethernet networks, policies can be created for mesh networks. In a mesh network, any network or network set can send or receive data from any other network or network set. Figure 70 Mesh network example The PEP for each network in Figure 70 encrypts data sent to networks A, B, C, or D and decrypts data from networks A, B, C, or D.
Adding Layer 2 Ethernet Policies 4 Click Save when complete. Table 47 Layer 2 Mesh policy entries Field Description Name Enter a unique name to identify the policy. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid. The special characters <, >, &, ", *, ?, /, \, : and | cannot be used in the policy name. Names are not case sensitive. Priority Specifies the order in which policies are processed in the PEPs. Enter the priority for this policy from 1 to 65000.
Creating Distributed Key Policies Figure 71 Layer 2 Mesh policy editor NOTE If you need to encrypt or pass in the clear specific routing protocols, consider also creating local site policies. Local site policies allow you to create locally configured policies using CLI commands, without requiring an EncrypTight ETKMS for key distribution. The primary use for local site policies is to facilitate in-line management in Layer 2 encrypted networks.
Adding Layer 3 IP Policies Adding Layer 3 IP Policies An IP policy can be created for hub and spoke, mesh, multicast, and point-to-point networks. ● Adding a Hub and Spoke Policy ● Adding a Mesh Policy ● Adding a Multicast Policy ● Adding a Point-to-point Policy Adding a Hub and Spoke Policy In a hub and spoke network, all transmissions either originate from a hub network and are received by a spoke network or originate from one of the spoke networks and are received by the hub network.
Creating Distributed Key Policies To add a new hub and spoke policy: 1 In the Policy view, right-click anywhere in the view and click Add Hub and Spoke Policy. 2 Double click the new policy name added to the policy list. 3 Create the policy in the Hub and Spoke Policy editor described in Table 48. The policy editor is shown in Figure 73. 4 Click Save when complete. Table 48 Field Description Name Enter a unique name to identify the policy. Names can be 1 - 40 characters in length.
Adding Layer 3 IP Policies Table 48 Hub and spoke policy entries (continued) Field Description IPSec Specifies the encryption and authentication algorithms used in an IPSec policy.
Creating Distributed Key Policies Figure 73 Hub and spoke policy editor
Adding Layer 3 IP Policies Adding a Mesh Policy In a mesh network, any network or network set can send or receive data from any other network or network set. Figure 74 Mesh network example The PEP for each network in Figure 74 encrypts data sent to networks A, B, C, or D and decrypts data from networks A, B, C, or D. When you create a policy for a Mesh network, you must select at least two network sets.
Creating Distributed Key Policies Table 49 Mesh policy entries Field Description Name Enter a unique name to identify the policy. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid. The special characters <, >, &, ", *, ?, /, \, : and | cannot be used in the policy name. Names are not case sensitive. Priority Enter the priority for this policy from 1 to 65000. PEPs enforce policies in descending priority order with the highest priority number processed first.
Adding Layer 3 IP Policies Table 49 Mesh policy entries (continued) Field Description Addressing Mode Override Overrides the Network addressing setting for the network sets. • Preserve internal network addresses - This setting overrides the network set’s network addressing mode and preserves the network addressing of the protected networks. The IP header contains the source address of the originating network.
Creating Distributed Key Policies Figure 75 Mesh policy editor
Adding Layer 3 IP Policies Adding a Multicast Policy In a multicast network, one or more networks send unidirectional streams to multiple destination networks. The multicast routers detect the multicast transmission, determine which nodes have joined the multicast network as destination networks and duplicate the packet as needed to reach all multicast destination networks. Figure 76 Multicast network example The policy for the example in Figure 76 specifies Network A as the send network.
Creating Distributed Key Policies To add a multicast policy: 1 In the Policy view, right-click anywhere in the view and click Add Multicast Policy. 2 Double click the new policy name added to the policy list. 3 Create the policy in the Multicast Policy editor as described in Table 50. The policy editor is shown in Figure 77. 4 Click Save when complete. Table 50 Field Description Name Enter a unique name to identify the policy. Names can be 1 - 40 characters in length.
Adding Layer 3 IP Policies Table 50 Multicast policy entries (continued) Field Description IPSec Specifies the encryption and authentication algorithms used in an IPSec policy.
Creating Distributed Key Policies Figure 77 Multicast policy editor
Adding Layer 3 IP Policies Adding a Point-to-point Policy In a point-to-point network, one network or network set sends and receives data to and from one other network or network set. Figure 78 Point-to-point network example In Figure 78, the end-points are Networks A and B. PEP 1 encrypts the traffic sent from Network A to Network B and decrypts traffic received from Network B. PEP 2 encrypts the traffic sent from Network B to Network A and decrypts traffic received from Network A.
Creating Distributed Key Policies 4 Click Save when complete. Table 51 Point-to-point policy entries Field Description Name Enter a unique name to identify the policy. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid. The special characters <, >, &, ", *, ?, /, \, : and | cannot be used in the policy name. Names are not case sensitive. Priority Enter the priority for this policy from 1 to 65000.
Adding Layer 3 IP Policies Table 51 Point-to-point policy entries (continued) Field Description Addressing Mode Override Overrides the Network addressing setting for the network sets. • Preserve internal network addresses - This setting overrides the network set’s network addressing mode and preserves the network addressing of the protected networks. The IP header contains the source address of the originating network.
Creating Distributed Key Policies Figure 79 Point-to-point policy editor Adding Layer 4 Policies Layer 4 policies encrypt only the payload of the packet. The source and destination addresses, protocol, and port in the IP header are sent in the clear. With Layer 4 policies, the Layer 4 header information is sent in the clear for traffic engineering and Service Level Agreement management (for example, Quality of Service controls or NetFlow statistics monitoring).
Policy Deployment You create Layer 4 policies using ETEPs that are configured to operate as Layer 3 PEPs. Create the networks, network sets, and policies as you would for Layer 3 IP policies. In the policy editor, select the option to preserve the address, protocol, and port. This option encrypts only the payload data, making the policy a Layer 4 policy. Layer 4 IP encryption policies use AES-256 for encryption and HMAC-SHA-1 for authentication. The ETEP PEPs do not support 3DES or HMAC-MD5 at Layer 4.
Creating Distributed Key Policies To verify policies: 1 Click Tools > Verify policies. ETPM displays a confirmation message indicating the results of the rules check. 2 If the policies contain errors, go to the Policy View to locate them. Expand the policy tree to find the component with the configuration error. Double-click the component with the error to view the editor and find the entry with the configuration error. You can mouse over the error indicator to view a message describing the error.
Editing a Policy Figure 81 ETPM Preferences 3 Select or clear the Ask for confirmation before deploying a metapolicy checkbox. 4 Click Apply. Editing a Policy To edit an existing policy: 1 From the Policy view, double click the desired policy name on the policy list. 2 Modify the desired entries in the Policy editor. 3 Click Save on the Policy editor when complete.
Creating Distributed Key Policies To delete an existing policy: 1 From the Policy view, right-click the desired policy name and click Remove element. 2 Click OK on the Permanently Delete an Element window. In addition to deleting specific policies, you can delete all of the policies on the ETEP. This can be useful in troubleshooting situations or if you need to relocate the ETEP. Clearing all policies from the ETEP restores the default policy to send all traffic in the clear.
16 Policy Design Examples This section provides three examples of creating policies with EncrypTight: ● Basic Layer 2 Point-to-Point Policy Example ● Layer 2 Ethernet Policy Using VLAN IDs ● Complex Layer 3 Policy Example Basic Layer 2 Point-to-Point Policy Example In this example, we secure a single point-to-point Layer 2 Ethernet link using only the ETEMS software and two encryption appliances. This example focuses on the required settings and does not discuss advanced and optional settings.
Policy Design Examples In ETEMS, configure the interfaces for both PEPs, then click the Features tab and do the following: 1 Select Layer 2:Ethernet for the Encryption Policy Settings. 2 Clear the Enable EncrypTight checkbox. To set up the encryption policy between the two PEPs, click the Policy tab for each PEP and make the selections as described in Table 53. Make sure that you use the same key for both PEPs. Table 53 Point-to-point Layer 2 encryption policy Setting PEP: 192.168.1.43 PEP: 192.168.1.
Layer 2 Ethernet Policy Using VLAN IDs Figure 83 Using VLAN IDs Policy Details
Policy 1: Headquarters and Branches
Name: HQ/Branch Communications
Priority: 60000
Renew: Once every 24 Hours
Type: Encrypt
PEPs: Headquarters, Branch 1, Branch 2
VLAN ID: 10
ETKMS: ETKMS1
Policy 2: Partner and Partner Portal Server
Name: Branch 2 Communications
Priority: 60000
Renew: Once every 24 Hours
Type: Encrypt
PEPs: Headquarters, Partner
VLAN ID: 20
ETKMS: ETKMS1
Policy 3: Discard All Other
Name: Priority: Renew: T
Policy Design Examples To create the policies: 1 In ETEMS, add and configure the ETEPs to operate as Layer 2 PEPs. 2 Add the ETKMS for the policies. 3 Push the configurations to the ETEPs. 4 In ETPM, add the VLAN ID tags. 5 Create the policies using the settings described in “Policy Details” on page 213. 6 Deploy the policies. Complex Layer 3 Policy Example In this example, we have sixteen networks connecting to each other through a public WAN. Four of these networks are considered regional centers.
Complex Layer 3 Policy Example The network sets required for this policy are: Table 54 Network sets for mesh policy (Networks, PEPs, Default ETKMS)
Network Set A: 192.33.3.0 netmask 255.255.255.0, PEP A, ETKMS 1
Network Set B: 172.44.0.0 netmask 255.255.255.0, PEP B, ETKMS 1
Network Set C: 100.22.3.0 netmask 255.255.255.0, PEP C, ETKMS 1
Network Set D: 100.33.1.0 netmask 255.255.255.
Policy Design Examples These hub and spoke policies require the four network sets created in "Encrypt Traffic Between Regional Centers" on page 214 and twelve network sets for the branch networks. Table 56 Network sets for the hub and spoke policies (Networks, PEPs, Default ETKMS)
Network Set A1: 192.33.5.0 netmask 255.255.255.0, PEP A1, ETKMS 1
Network Set A2: 192.33.6.0 netmask 255.255.255.0, PEP A2, ETKMS 1
Network Set A3: 192.33.9.0 netmask 255.255.255.0, PEP A3, ETKMS 1
Network Set B1: 172.44.5.
Complex Layer 3 Policy Example Using Network Sets B, B1, B2, and B3, create a hub and spoke policy for region B as shown in the following table: Table 58 Region B hub and spoke policy (Field: Setting)
Name: Region B Hub and Spoke
Priority: 901
Renew Keys/Refresh Lifetime: 4 hours
Type: IPSec
IPSec: Encryption Algorithms - AES; Authentication Algorithms - HMAC-SHA-1
Key Generation: By Network Set
Addressing Mode Override: Preserve internal network addresses
Minimize Policy Size: Disable
Hub: Network
Policy Design Examples Table 60 Region D hub and spoke policy (continued) (Field: Setting)
Priority: 903
Renew Keys/Refresh Lifetime: 4 hours
Type: IPSec
IPSec: Encryption Algorithms - AES; Authentication Algorithms - HMAC-SHA-1
Key Generation: By Network Set
Addressing Mode Override: Preserve internal network addresses
Minimize Policy Size: Disable
Hub: Network Set D
Spokes: Network Set D1, Network Set D2, Network Set D3
Protocol: Any
Passing Routing Protocols With Layer 3 routed networks, you mig
Complex Layer 3 Policy Example Table 61 Pass protocol 88 in the clear mesh policy (continued) (Field: Setting)
Addressing Mode Override: Preserve internal network addresses
Minimize Policy Size: Disable
Network Sets: Network Set A, Network Set B, Network Set C, Network Set D
Protocol: 88 (EIGRP)
This policy must be set to a higher priority than the mesh policy created in "Encrypt Traffic Between Regional Centers" on page 214, otherwise the encrypt policy matches the routing traffic first and the routing protocol is never passed in the clear.
Part IV Troubleshooting
17 ETEMS Troubleshooting This section includes the following topics: ● Possible Problems and Solutions ● Pinging the Management Port ● Retrieving Appliance Log Files ● Viewing Diagnostic Data ● Working with the Application Log Possible Problems and Solutions The troubleshooting information in this section is grouped into categories. Within each category you will find a list of symptoms and possible solutions.
ETEMS Troubleshooting Appliance Unreachable
Symptom: Symptoms of ETEMS's inability to communicate with an appliance are:
• Status indicator of ?.
• "Operation failed" result when putting a configuration to an appliance, refreshing status, or comparing configurations.
Explanation and possible solutions:
• Check physical connectivity to the appliance's management port (proper seating of the RJ-45 Ethernet cable).
• Verify that the management IP address is the same in ETEMS and on the appliance.
Possible Problems and Solutions Symptom Explanation and possible solutions The ETEP cannot ping the management workstation. Check whether the trusted host feature is enabled on the ETEP. The request times out or returns an "Operation not permitted" message. • Check the configuration for the trusted workstation. Pings are not allowed when ICMP is unchecked in the trusted host configuration. • You can disable trusted hosts from ETEMS or by issuing the disable-trusted-hosts CLI command.
ETEMS Troubleshooting Pushing Configurations Symptom Explanation and possible solutions New configuration isn't active on the appliance. • In the Appliances view, select the appliance and refresh its status. • Some configuration changes require an appliance reboot to take effect. If the appliance status indicator shows that a reboot is required, reboot the appliance (Tools > Reboot). • If the ETEMS and appliance configurations are not equal, compare the configurations (Tools > Compare Config to Appliance) to determine the differences.
Pinging the Management Port Software Upgrades Symptom Explanation and possible solutions Can’t download files from an FTP server. • Verify that the FTP server software is active on the specified host. • Check the FTP server host, path, user ID, and password. Make sure that the following invalid characters are not used in the user ID and password: @ : ? # < > & • Ping the FTP server and the appliance management port. If not successful, contact your Network Administrator.
ETEMS Troubleshooting Figure 88 Tools preferences To change the default ping tool: 1 In the Edit menu, click Preferences. 2 Click ETEMS to expand the tree, and then click Tools (Figure 88). 3 In the Tools window, browse to the location of the ping executable that you want to use. 4 Optional. Enter arguments to use with the ping command. 5 Click Apply, and then click OK. Retrieving Appliance Log Files You can retrieve and view log files from any appliance managed by ETEMS.
Retrieving Appliance Log Files To retrieve log files from an appliance: 1 Verify that an FTP server is running on the ETEMS workstation. 2 In the Appliance Manager, select the target appliances in the Appliances view. ETEMS can retrieve logs from multiple appliance in a single operation. 3 On the Tools menu, click Retrieve Appliance Logs. 4 In the Retrieve Appliance Logs window, enter the FTP server site information as described in Table 62.
ETEMS Troubleshooting Table 62 FTP server site information for log retrieval Field Description Password Password associated with the user name. Do not use the following characters: @ : ? # < > & Connection Method FTP is the default file transfer protocol and is supported on all appliance models and software revisions. SFTP provides secure file transfer and is supported on ETEP appliances running version 1.6 and later software. Plain FTP sends the user name, the password and the retrieved log contents across the management network in cleartext, so use SFTP wherever the appliance software supports it.
Viewing Diagnostic Data Figure 89 Encryption statistics and packet counters displayed for two ETEPs To display statistics: 1 In the Appliance Manager, select the target appliances in the Appliances view. 2 On the View menu, click Statistics. See Table 63 for a description of ETEP statistics. 3 Click the Refresh or Clear button for the area of interest (IPSec Encryption Statistics or MAC/MIB2 Statistics). Each area has its own independent clear and refresh functions.
ETEMS Troubleshooting Viewing Port and Discard Status The Status view displays information about local and remote port status, and discarded packets. Port status is available only for ETEPs. The details displayed for discarded packets varies by appliance model. See the user manuals for your appliance for more information. Figure 90 ETEP port status and discarded packets counts To display status: 1 In the Appliance Manager, select the target appliance in the Appliances view.
Viewing Diagnostic Data Figure 91 Export the SAD or SPD to a CSV file To export the SAD or SPD from the ETEP: 1 In the Appliance Manager, select the target appliance in the Appliances view. 2 On the View menu, click Statistics. 3 In the upper right corner of the Statistics view, click the Export menu button. From the list, choose which file to export (SAD or SPD). 4 You will be prompted to save the CSV file. Browse to a location on the hard drive and click Save.
ETEMS Troubleshooting Working with the Application Log The application log provides information about significant events and failures with EncrypTight. The application log captures events specific to ETEMS and ETPM and their interaction with appliances. The user ID associated with an event is recorded in the log.
Working with the Application Log a On the application log tool bar, click . b In the application log menu, click Activate on new events. A check mark appears next to this menu item when the feature is active. Click the menu item to toggle the feature on and off. Sending Application Log Events to a Syslog Server EncrypTight can send application log events to a syslog server. To configure a syslog server: 1 In the ETEMS Appliance Manager, click Edit > Preferences.
ETEMS Troubleshooting Figure 94 Application log filters NOTE Increasing the visible event limit to a large number (more than 200) can noticeably slow the speed at which ETEMS updates appliance status. If you notice that status refreshes are abnormally slow, clear the application log and reset the visible events limit to a lower value. Other Application Log Actions You can perform the following actions from the Log view using the buttons shown in Table 64.
18 ETPM and ETKMS Troubleshooting This section provides information to help you with ETPM and ETKMS problem resolution, including: ● Learning About Problems ● ETKMS Troubleshooting Tools ● PEP Troubleshooting Tools ● Troubleshooting Policies ● Solving Network Connectivity Problems ● Modifying EncrypTight Timing Parameters ● Certificate Implementation Errors Learning About Problems Troubleshooting the EncrypTight system should start with the status monitoring feature on the Policy Manager (ET
ETPM and ETKMS Troubleshooting Table 65 ETPM status problems and solutions Indicator Explanation and Possible Solutions Status Unknown The current status is unknown or questionable. This state can occur if: • A policy or a component of a policy has been changed and the policy has not been deployed. In this case, the indicator appears next to only those policies where changes have been made to the policy or its components. Deploy the policies. • The application was closed and then restarted.
Learning About Problems NOTE Always check the status of the PEPs in the Policy View after deploying policies, refreshing status, or renewing keys. All PEPs should show a Consistent indicator . This section includes the following topics: ● “Policy Errors” on page 239 ● “Status Errors” on page 240 ● “Renew Key Errors” on page 240 Policy Errors Symptom Explanation and possible solutions Policies are not executing as expected. Check the policy priorities for uniqueness.
Status Errors Symptom Explanation and possible solutions ETEMS cannot verify that the software version installed on the ETKMS matches the version selected in the Appliance Manager. In the Appliance Manager in ETEMS, when you refresh status for an ETKMS, the ETKMS does not return information about the version of the ETKMS software that it is running.
Learning About Problems Viewing Log Files Each component in the EncrypTight system creates and maintains log files that you can use to troubleshoot issues. This section includes the following topics: ● “ETPM Log Files” on page 241 ● “ETKMS Log Files” on page 241 ● “PEP Log Files” on page 242 ETPM Log Files ETPM and ETEMS record significant events and failures in the application log.
ETPM and ETKMS Troubleshooting PEP Log Files You can retrieve and view log files from any PEP using ETEMS. When a PEP receives a command from ETEMS, it sends its log files to the designated FTP server. To use this feature you must have FTP server software running on the ETEMS workstation. If a PEP contains several log files, ETEMS combines the log files into a single file. ETEMS creates a directory named cvLogFiles in the FTP root directory, where the combined log files are stored as .txt files.
PEP Troubleshooting Tools Optimizing Time Synchronization With NTP, time synchronization does not always happen instantaneously. If the time difference between the ETKMS (or any system component) and the NTP server is large enough, it can take a significant amount of time to synchronize. If this occurs, you can use the following command to set up step-ticker files that can improve the performance of the NTP service.
ETPM and ETKMS Troubleshooting Statistics For ETEP PEPs, you can use the Statistics view in the ETEMS Appliance Manager to display encryption statistics and packet counters. This includes information about packet encryptions and decryptions. The exact statistics displayed vary depending on the model of the PEP that you select. You can also use the Status view to see information about discards. To view statistics: 1 In the Appliance Manager perspective, select the target PEP.
Troubleshooting Policies deployed to the PEP, including the destination and source IP addresses, priority, and the policy type. The SAD includes information on every security association (SA) established between the ETEP PEP and another appliance. You can use this information to help you troubleshoot policy problems involving ETEP PEPs. You can use ETEMS to export the SPD and SAD to CSV files.
ETPM and ETKMS Troubleshooting 3 In the MAC Statistics section (for ETEP PEPs), note the values in the Transmit and Receive packet entries for the Local and Remote interfaces (Local Port and Remote Port). ● If packets are being received on the Local interface and transmitted on the Remote interface, traffic is being passed in the outbound direction. If packets are not being transmitted on the Remote interface, traffic is not being passed.
Troubleshooting Policies Do one of the following: ● In the Appliance Manager view, select the ETEP and choose Tools > Clear Policies. ● In ETPM, create a bypass policy and deploy it to the PEPs. ● For distributed key policies: In ETEMS, change the Encryption Policy setting on the Features tab from Layer 2 to Layer 3 (or vice versa), and push the configuration to the ETEP. Encrypt and drop policies are removed from the ETEP, and traffic passes in the clear until you create and deploy new policies.
To fix these issues, redeploy your policies from ETPM to make sure that your PEPs have current policies and keys. Cannot Add a Network Set to a Policy Non-contiguous subnet masks are supported on ETEP PEPs version 1.4 and later. When you use non-contiguous network masks, the network set must include a PEP that supports the feature. In addition, all network sets in a policy must include supporting PEPs.
Modifying EncrypTight Timing Parameters ● For ETPM to ETKMS communications errors, check the ETEMS or ETPM application log for an error entry as described in “ETPM Log Files” on page 241. ● For ETKMS to PEP communications errors, check the ETKMS log files as described in “ETKMS Log Files” on page 241. Modifying EncrypTight Timing Parameters Depending on the deployment, the default timing parameters for communications between EncrypTight components may need to be adjusted.
To add a new PEP in a system configured to use strict authentication: 1 In the ETEMS preferences, temporarily disable strict authentication. 2 Add and configure the PEP. 3 Install certificates on the PEP and then re-enable strict authentication in ETEMS. 4 Refresh status. 5 If the status is okay, enable strict authentication on the PEP.
Certificate Implementation Errors
To disable strict authentication on ETEPs:
1 Connect to the serial port of the appliance and open a terminal session.
2 Log in and type configure to enter configuration mode.
3 Type management-interface to enter management interface configuration mode.
4 Enter strict-client-authentication disable. For example:
admin> configure
Entering configuration mode...
config> management-interface
Entering management interface configuration mode...
Part V Reference
19 Modifying the ETKMS Properties File This section provides information about settings in the ETKMS properties file that you can use to control and optimize the performance of the ETKMS, including: ● About the ETKMS Properties File ● Hardware Security Module Configuration ● Digital Certificate Configuration ● Logging Setup ● Base Directory for Storing Operational State Data ● Peer ETKMS and ETPM Communications Timing ● Policy Refresh Timing ● PEP Communications Timing About the ETKMS Prop
Hardware Security Module Configuration
The following entries control whether the encryption keys are stored in a Hardware Security Module (HSM).
# Hardware Security Module Configuration
hardwareModuleInUse=false
vaultBaseDir=../keys
To store the encryption keys in an HSM, set the hardwareModuleInUse entry to true. When the entry is set to false, the encryption keys are stored in the directory specified by the vaultBaseDir entry.
Base Directory for Storing Operational State Data
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%d [%t] %-5p %c - %m%n
## Console logging
#log4j.rootLogger=ALL,stdout
#log4j.appender.stdout.Threshold=INFO
#log4j.appender.stdout=org.apache.log4j.ConsoleAppender
#log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
#log4j.appender.stdout.layout.
Policy Refresh Timing The policy refresh timing controls when a renew-keys operation starts relative to the policy lifetime, and when the expired keys are deleted. The following entries specify the timing for the policy refresh.
PEP Communications Timing Once the nth retry (defined by retryCount) is unsuccessful, the ETKMS waits for the period defined by initialPEPRetryWaitTime and then repeats the communication attempts as defined by the general timing parameters. This cycle repeats n times, as defined by initialPEPRetryCount.
20 Using Enhanced Security Features This section includes the following topics: ● About Enhanced Security Features ● About Strict Authentication ● Using Certificates in an EncrypTight System ● Changing the Keystore Password ● Configuring the Certificate Policies Extension ● Working with Certificates for EncrypTight and the ETKMSs ● Working with Certificates and an HSM ● Working with Certificates for the ETEPs ● Validating Certificates ● Enabling and Disabling Strict Authentication ● R
Using Enhanced Security Features ● Strong password enforcement ETEPs with software version 1.6 or later can be configured to use strong password enforcement. The conventions used with strong password enforcement are far more stringent than those used with the default password management. To learn more about strong password enforcement, see “Configuring the Password Enforcement Policy” on page 103.
About Strict Authentication Related topics: ● “Prerequisites” on page 263 ● “Order of Operations” on page 263 ● “Certificate Information” on page 264 ● “Changing the EncrypTight Keystore Password” on page 266 ● “Configuring the Certificate Policies Extension” on page 269 ● “Validating Certificates” on page 287 ● “Enabling and Disabling Strict Authentication” on page 292 Prerequisites An important prerequisite to installing new certificates is identifying the certificate authority you plan to
4 Temporarily enable strict authentication in ETEMS and make sure that you can still communicate with the PEPs (refresh status for the PEPs that you used in step 3). If the PEPs respond appropriately, continue with the next step. If you cannot communicate with the PEPs, troubleshoot and fix the problems found. 5 If step 4 was successful, enable strict authentication on the PEPs that you used in step 3 and retest communications.
Using Certificates in an EncrypTight System In usage, you type this string as follows: -dname “cn=, ou=, o=, l=, s=, c=” The information must be entered in the order shown.
Using Enhanced Security Features Changing the Keystore Password Before you begin using certificates, you need to change the default passwords for the EncrypTight keystore and the ETKMS keystore. This section includes the following topics: ● “Changing the EncrypTight Keystore Password” on page 266 ● “Changing the ETKMS Keystore Password” on page 266 Changing the EncrypTight Keystore Password The keystore is where keys and certificates used by ETEMS are securely stored.
Changing the Keystore Password on an ETKMS
Changing the password on an ETKMS involves multiple steps:
1 Stop the ETKMS service
2 Use keytool to change the password
3 Change the password for each individual key stored
4 Change the password listed in the ETKMS properties file
5 Restart the ETKMS service
Stopping the ETKMS Service To stop the ETKMS service: 1 Open an SSH session and log into the ETKMS.
Using Enhanced Security Features Changing the Password Used in the ETKMS Properties File The ETKMS properties file includes an entry for the keystore password that the ETKMS software uses for functions that access the keystore. To change the password listed in the ETKMS properties file: 1 Use a text editor to edit the file /opt/etkms/conf/kdist.properties 2 Find the section labelled “Certificate configuration” and enter the new password for the keystorePassword entry.
Configuring the Certificate Policies Extension ./HSMPwdChg.sh The script will print out the new value of the password. Make note of this value. 5 Change the password for the Security Officer role by typing: ctkmu p -O You will be prompted for the value of the old password and then for the value of the new password. 6 Change the password for the User role by typing: ctkmu p You will be prompted for the value of the old password and then for the value of the new password.
Using Enhanced Security Features TIP If you are deploying numerous ETEPs, you can save time by modifying the default configurations for the ETEP models that you use. For more information about modifying default configurations, see “Working with Default Configurations” on page 110. You configure the certificate policies extension for ETKMSs by adding the OIDs to the ETKMS properties file. The ETKMS properties file kdist.properties is located in the /opt/etkms/conf directory.
Configuring the Certificate Policies Extension Figure 95 Communications Preferences About the Policy Constraints Extension The certificate policies extension can be used in conjunction with the policy constraint extension. This extension is configured by your CA and requires no setup in EncrypTight components. It places additional controls on how certificates can be used.
Using Enhanced Security Features Working with Certificates for EncrypTight and the ETKMSs For both the workstation running the EncrypTight software and the ETKMS, use the keytool utility to request and install certificates. The keytool utility is a Java-based utility for key and certificate management. A complete discussion of using the keytool utility is beyond the scope of this guide. You can find additional information on the Internet.
Working with Certificates for EncrypTight and the ETKMSs To generate a key pair: 1 From the command line, use the following command to generate a public/private key pair: keytool -genkeypair -dname {“cn=, ou=, o=, c=”} -alias -keypass -keystore -keyalg -storepass -validity Table 70 Keytool genkeypair Command Parameter Description dname The distinguished name parameters for the certifi
Importing a CA Certificate Depending on the CA that you use, you could receive a single certificate or a certificate chain. If the reply is a single certificate and it is not a copy of a CA trusted root certificate, you need to acquire the certificate for a trusted root. If the reply from the CA is a chain, you need only the root, or top-level, certificate in the chain. If the trusted root certificate is not in a file by itself, copy and paste it into a new file.
Working with Certificates and an HSM Exporting a Certificate For other devices to authenticate the identity of an entity, they might need a copy of the entity’s certificate. You can use the keytool export command to export certificates for this purpose.
Using Enhanced Security Features Importing CA Certificates into the HSM To import CA certificates into the HSM: 1 To import a CA certificate, at the command line type: ctcert i -f -l 2 To set the certificate as trusted, type: ctcert t -l 3 If prompted, enter the HSM password. Table 73 ctcert Parameters Parameter Description filename The name of the certificate file that you want to import. alias The name of the entry for this certificate in the HSM.
Working with Certificates for the ETEPs Generating a Certificate Signing Request for the HSM To generate a certificate signing request: 1 At the command line, type: keytool -keystore NONE -storetype PKCS11 -certreq -keyalg RSA -providername SunPKCS11-psie -alias -storepass -file Table 75 Generating a Certificate Signing Request for use with the HSM Parameter Description keystore Specifies the keystore to use.
To start the Certificate Manager, do one of the following: ● In the Windows menu, click Open. In the list of perspectives, click Certificate Manager. ● On the Perspective tab in the upper right corner of the screen, click the Open Perspective button. In the list of perspectives, click Certificate Manager.
Working with Certificates for the ETEPs The Certificate Requests view displays pending certificate requests for selected appliances. You can manage certificate requests from the shortcut menu (view, delete, or install). Select a request from this view to see its contents in detail, including the PEM-formatted certificate request. ● CRLs view The CRLs view displays Certificate Revocation Lists installed on the selected appliances. You can manage CRLs using the shortcut menu.
Using Enhanced Security Features NOTE The procedure for obtaining a CA certificate varies with each CA. These are the typical steps. To obtain a CA certificate from a CA: 1 On the CA's website, complete the registration process. 2 Download the CA certificate from the CA's website. 3 In the Certificate Manager, install the CA certificate as an external certificate. To use the peer appliance’s identity certificate as an external certificate: 1 Export the certificate from the peer appliance.
Working with Certificates for the ETEPs Figure 97 Certificates view shows installed certificates and their usage Working with Certificate Requests The workflow for requesting and installing an identity certificate on an EncrypTight appliance is as follows: 1 Generate a certificate signing request. 2 Send the request to a CA. If the request is approved, the CA returns a signed certificate. 3 Install the signed certificate on the appliance. Only one certificate request is allowed on the appliance.
Using Enhanced Security Features Figure 98 Generate a certificate signing request To generate a certificate signing request: 1 In the Appliances view, right-click the target appliance and click Generate Certificate Signing Request in the shortcut menu. 2 Complete the Subject Name fields (see Table 68). 3 From the RSA Key Length box, select the size of the key that you want to use. The key is generated using the RSA algorithm. The RSA key size typically refers to the size of the modulus.
Working with Certificates for the ETEPs Installing a Signed Certificate When a certificate authority accepts a certificate request, it issues a digitally signed identity certificate and returns it electronically. The certificate must be a PEM-formatted X.509 certificate. The certificate can be used to validate management communications, data traffic, or both.
Using Enhanced Security Features Figure 100 View pending certificate signing requests Canceling a Pending Certificate Request The EncrypTight appliance allows for only one pending certificate request. In order to replace the pending request with a new one, you must cancel the pending request. To cancel a pending certificate request: ● In the Certificate Request view, right-click the target certificate request and click Cancel in the shortcut menu.
Working with Certificates for the ETEPs The Common Name (CN) defaults to the appliance name; it cannot be set as a preference. For information about other distinguished name fields, see Table 68. Other certificate requests preferences are described in Table 78. Table 78 Certificate request preference fields Setting Description Key Length The key is generated using the RSA algorithm. The RSA key size typically refers to the size of the modulus.
Using Enhanced Security Features ● “Deleting a Certificate” on page 287 Viewing a Certificate The Certificate Details view of a selected installed certificate displays the certificate contents and the PEM formatted certificate. From the Certificate Details view you can export the certificate using the Export Certificates button (see “Exporting a Certificate” on page 286).
Validating Certificates Deleting a Certificate Delete external certificates if they have expired or are no longer used. External certificates are the only type of certificate that you can delete from the EncrypTight appliance. You can overwrite existing management ID certificates to replace them, but you cannot explicitly delete them. CAUTION You must have at least one external certificate installed on the EncrypTight appliance.
Using Enhanced Security Features you must remember to periodically retrieve a copy of the CRL and install it on each of the EncrypTight components. NOTE CRLs are only supported in ETEPs with software version 1.6 or later. You must upgrade ETEPs with earlier software versions in order to use this feature. To learn more about upgrading the software on ETEPs, see “Installing Software Updates” on page 73.
Validating Certificates To install a CRL on the ETEP: 1 Switch to the Certificate Manager perspective. 2 In the Appliances view, right-click on the target ETEP and choose Install CRL. 3 Navigate to the appropriate directory and select the CRL file that you want to install. 4 Click Open. 5 Push the modified configuration to the ETEP in order to complete the installation. To view CRLs: 1 In the Appliances view, right-click the target ETEP and click View CRLs in the shortcut menu.
Using Enhanced Security Features In order to use OCSP, you must enable it on each EncrypTight component. ETEPs can read the URL from the certificate itself, but you can specify a URL to use if needed. The EncrypTight software and the ETKMSs provide additional options that allow you to specify the default action if no OCSP responder can be located or if the URL cannot be contacted. When OCSP is enabled, EncrypTight and the ETKMS try to check the revocation status using OCSP.
Validating Certificates NOTE For enhanced security, if you want to validate certificates using OCSP only, disable the options to Ignore Failure to Respond and Revert to CRL on OCSP Responder Failure. To set up OCSP in the ETKMS: 1 Log in directly on the ETKMS as root, or open an SSH session and su to root. 2 Using a text editor, open the kdist.properties file and add or edit the following lines: #crlPath=../keys/current.
Using Enhanced Security Features Table 81 OCSP Settings Option Description Ignore Failure to Respond Not receiving a response does not indicate that a certificate has expired or that it has been revoked. This option allows the ETEP to proceed when a response to an OCSP query is not received in a timely manner. The default is to ignore the failure to respond.
Removing Certificates 8 Click Put to push the configurations. 9 Click Close to return to the Appliances view, and then refresh the appliance status (Tools > Refresh Status). NOTE Strict authentication is available for ETEPs with software version 1.6 and later. If you need to remove the ETEP from service and use it elsewhere, you need to disable strict authentication and remove all certificates and policies.
Using Enhanced Security Features To remove certificates: 1 If necessary, switch to the Certificate Manager and select the ETEPs whose certificates you want to remove. 2 Select Tools > Clear Certificates. 3 Click OK when you are prompted for confirmation. 4 Click OK at the message informing you that the connection was reset. CAUTION Do not use this function if strict authentication is enabled. Doing so can cause errors and prevent communication between the management workstation and the appliance.
Using a Common Access Card 5 Add the authorized common names to the cnAuth.cfg file on the ETKMS. For instructions, see “Configuring User Accounts for Use With Common Access Cards” on page 295 6 Enable strict authentication and Common Access Card Authentication on the ETKMS. For more information, see “Enabling and Disabling Strict Authentication” on page 292 and “Enabling Common Access Card Authentication” on page 295.
Using Enhanced Security Features To enable CAC Authentication on the ETEP: 1 Verify that strict authentication is enabled on the ETEP. If strict authentication is not enabled when you enable Common Access Card Authentication, you can lose the ability to communicate with the ETEP. 2 In the Appliance Manager, right-click on the ETEP and select Configuration from the shortcut menu. 3 Click the Advanced tab. 4 Click XML-RPC Certificate Authentication. 5 Click OK. 6 Push the configuration to the ETEP.
Using a Common Access Card NOTE When Common Access Card Authentication is enabled, users of the EncrypTight software can log in without using passwords if the deployment includes only ETEPs running software version 1.6 or later. However, passwords are still required when administrative users log into the ETEPs using the serial port and through SSH.
21 ETEP Configuration This chapter provides procedures and reference information for configuring ETEP appliances. To prepare the ETEP for operation in your network, do the following: ● In the ETEMS Appliance Manager, click File > New Appliance to open the Appliance editor. Select the ETEP appliance model from the Product Family list (ET0010A, ET0100A, ET1000A), and select the software version loaded on the ETEP. ● On the Interfaces tab, enter the appliance name.
ETEP Configuration This section includes the following topics: ● Identifying an Appliance ● Interface Configuration ● Trusted Hosts ● SNMP Configuration ● Logging Configuration ● Advanced Configuration ● Features Configuration ● Working with Policies ● Factory Defaults Identifying an Appliance In order to add an ETEP in ETEMS, you must: ● Specify the product family and software version ● Enter a unique name ● Enter the desired throughput speed (ETEPs with software version 1.
Interface Configuration ● Alphanumeric characters are valid (upper and lower case alpha characters and numbers 0-9) ● Spaces are allowed within a name ● The following special characters cannot be used: < > & “ * ? / \ : | ● Names are not case sensitive Because the appliance name is also the SNMP system name on the appliance, be aware of the following restrictions when copying a name from the appliance to ETEMS.
ETEP Configuration Figure 103 ET0100A interfaces configuration Related topics: ● “Management Port Addressing” on page 302 ● “Auto-negotiation - All Ports” on page 305 ● “Remote and Local Port Settings” on page 306 ● “Transparent Mode” on page 306 ● “Trusted Hosts” on page 311 Management Port Addressing Management of the ETEP is performed out-of-band or in-line through the Ethernet management port.
Interface Configuration ETEPs running software version 1.6 and later include support for IPv4 and IPv6 addresses on the management port. Related topics: ● “IPv4 Addressing” on page 303 ● “IPv6 Addressing” on page 304 IPv4 Addressing The ETEP requires an IPv4 address for proper operation, even when it is deployed in an IPv6 network. Enter the IPv4 address, subnet mask, and gateway that is configured on the ETEP’s management port.
ETEP Configuration Figure 104 Management port default gateway on the ETEP IPv6 Addressing The use of IPv6 addressing is optional. If you select Use IPv6, ETEMS and other EncrypTight components will use IPv6 to communicate with the ETEP. When using IPv6, you must configure the ETEP for dual-homed operation by assigning an IPv4 and an IPv6 address to the management port. To configure the ETEP for operation in an IPv6 network, do the following: 1 Select Use IPv6.
Interface Configuration IPv6 addresses often contain consecutive groups of zeros. To further simplify address entry, you can use two colons (::) to represent the consecutive groups of zeros when typing the IPv6 address. You can use two colons (::) only once in an IPv6 address.
ETEP Configuration Table 85 Link speeds on the management port Link speed 1000 Mbps Half-duplex Auto-negotiate Auto-negotiate Fixed Speed ET0010A ET0100A / ET1000A All ETEPs 3 On the local and remote ports, the ETEPs support the speeds shown in Table 86.
Interface Configuration preserves the network addressing of the protected network by copying the original source IP and MAC addresses from the incoming packet to the outbound packet header. In transparent mode the ETEP’s remote and local ports are not viewable from a network standpoint. The local and remote ports do not use user-assigned IP addresses. In Layer 3 IP networks the local and remote ports cannot be contacted through an IP address, and they do not respond to ARPs.
ETEP Configuration IP Address and Subnet Mask Enter the IP address and subnet mask that you want to assign to the port, in dotted decimal notation. Default Gateway The default gateway identifies the router’s local access port, which is used to forward packets to their destination. The gateway IP address must be on the same subnet as the port’s IP address. In Figure 105, the remote default gateway is the router port 192.168.144.100. The local default gateway address is 192.168.144.1.
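A gateway that is off the port's subnet, or an IPv6 port with no IPv4 address, is only discovered after the configuration has been pushed and the appliance goes unreachable. The following Python is an added example, not part of this guide or of ETEMS: a pre-push check that applies the addressing rules stated in this chapter (IPv4 address, mask and gateway always required, even in an IPv6 network; the default gateway on the same subnet as the port address; Use IPv6 making the port dual-homed; at most one "::" in an IPv6 address). It uses only the standard ipaddress module. The addresses are constructed, except the gateway 192.168.144.100 taken from Figure 105.

```python
import ipaddress


def validate_port_addressing(ipv4, ipv4_mask, ipv4_gateway,
                             use_ipv6=False, ipv6=None, ipv6_gateway=None):
    """Return a list of problems with a port's addressing; an empty list means it is consistent."""
    problems = []
    try:
        port4 = ipaddress.IPv4Interface(f"{ipv4}/{ipv4_mask}")   # dotted-decimal mask accepted
        gw4 = ipaddress.IPv4Address(ipv4_gateway)
    except ValueError as exc:
        return [f"IPv4: {exc}"]                                  # IPv4 is mandatory on every port
    if gw4 not in port4.network:
        problems.append(f"IPv4 gateway {gw4} is not on the port subnet {port4.network}")
    elif gw4 == port4.ip:
        problems.append("IPv4 gateway must not be the port's own address")

    if not use_ipv6:
        return problems
    if not ipv6:
        # Use IPv6 requires dual-homed operation: an IPv6 address in addition to IPv4.
        problems.append("Use IPv6 is selected but no IPv6 address is set")
        return problems
    try:
        port6 = ipaddress.IPv6Interface(ipv6)   # rejects a second '::' and other malformed input
    except ValueError as exc:
        problems.append(f"IPv6: {exc}")
        return problems
    if ipv6_gateway:
        try:
            gw6 = ipaddress.IPv6Address(ipv6_gateway)
        except ValueError as exc:
            problems.append(f"IPv6 gateway: {exc}")
            return problems
        if gw6 not in port6.network:
            problems.append(f"IPv6 gateway {gw6} is not on the port subnet {port6.network}")
    return problems


def canonical_ipv6(text):
    """Shortest form with a single '::', the way the guide says the address may be typed."""
    return ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    # Constructed values; 192.168.144.100 is the remote default gateway shown in Figure 105.
    print(validate_port_addressing("192.168.144.10", "255.255.255.0", "192.168.144.100"))
    print(validate_port_addressing("192.168.144.10", "255.255.255.0", "192.168.145.1"))
    print(validate_port_addressing("192.168.144.10", "255.255.255.0", "192.168.144.100",
                                   use_ipv6=True, ipv6="2001:db8::1::2/64"))
    print(canonical_ipv6("2001:0db8:0000:0000:0000:0000:0000:0010"))
```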
Interface Configuration The transmitter behavior configuration should be the same on both the local and remote ports. Table 88 Transmitter Enable settings on the ETEP Setting Description Follow receiver The transmitter follows the behavior of the receiver. If loss of signal is detected on the remote port, then the transmitter on the local port is disabled. Similarly, if loss of signal is detected on the local port, the ETEP disables the transmitter on the remote port.
ETEP Configuration Ignore DF Bit When the ETEP is configured for use in Layer 3 IP encryption policies, its default behavior is to enable DF Bit handling on the local port. This tells the ETEP to ignore the “do not fragment” (DF) bit in the IP header, and fragment outbound packets that exceed the MTU of the system.
Trusted Hosts Related topic: ● “Ignore DF Bit” on page 310 ● “Path Maximum Transmission Unit” on page 326 ● “Features Configuration” on page 330 Trusted Hosts In its default state the ETEP management port accepts all packets from any host. The trusted host feature lets you restrict access by specifying the hosts that are allowed to communicate with the management port. When the trusted host feature is enabled, packets that are received from non-trusted hosts are discarded.
ETEP Configuration Inbound host protocols (HTTPS, ICMP, and SNMP) are enabled and disabled in the Edit Trusted Host window. Inbound protocols are enabled by default for each host. Use caution when disabling these protocols as it can affect the management station’s ability to communicate with the ETEP. Table 91 Inbound trusted host protocols used by EncrypTight Protocol Description HTTPS Used for secure communication between the management station and the ETEP.
SNMP Configuration Figure 108 Trusted host editor Related topics: ● “Appliance Unreachable” on page 224 ● “IPv6 Addressing” on page 304 ● “Traps” on page 315 ● “Defining Syslog Servers” on page 323 ● “SNTP Client Settings” on page 329 SNMP Configuration The ETEP includes an SNMP agent. When enabled, the SNMP agent in the ETEP sends traps to one or more management stations. Traps can be monitored and viewed using an SNMP network management application. The ETEP supports SNMPv2c and SNMPv3.
ETEP Configuration Figure 109 SNMP configuration for system information, community strings, and traps Take note of the following requirements when defining SNMP system information: ● To set the system information on an appliance, the community string must be defined as read/write, as described in “Community Strings” on page 314. ● System information can contain alphanumeric characters and spaces.
SNMP Configuration Traps To configure SNMP traps, first select the trap types to be generated. All of the selected trap types will be sent to the configured hosts. Traps cannot be configured on a per-host basis. Table 94 Traps reported on the ETEP Trap Description Critical error The following critical errors traps indicate that the ETEP is in an error state: • criticalFailure: Traffic on the device has been halted and the device is in a failure state.
ETEP Configuration NOTE The coldStart and notifyShutdown traps are always generated, even when Generic traps are disabled. Related topics: ● “SNMPv2 Trap Hosts” on page 316 ● “SNMPv3” on page 316 SNMPv2 Trap Hosts After selecting the traps that the ETEP will generate, specify the IP address of the trap hosts that will receive the traps. All of the selected traps are sent to the defined trap hosts. Traps cannot be configured on a per-host basis. To configure a trap host: 1 Under Trap Hosts, click Add.
SNMP Configuration ● The engine ID identifies the ETEP as a unique SNMP entity. The ETEP’s engine ID must be configured on every trap recipient before traps can be authenticated and processed by the trap host. ● Three security levels are available to control access to the management information: no authentication and no encryption, authentication and no encryption, and authentication and encryption.
ETEP Configuration ● “Configuring the SNMPv3 Trap Host Users” on page 319 ● “FIPS Mode” on page 331 Generating the Engine ID The engine ID is a unique local identifier for the SNMP agent in the ETEP. The ETEP automatically generates its own engine ID upon startup, or you can manually enter an engine ID seed that the ETEP will use to generate the engine ID. Each ETEP must have a unique engine ID. Duplicate engine IDs can cause SNMP errors.
Figure 111 Viewing SNMPv3 Engine IDs

Related topics:
● “Generating the Engine ID” on page 318

Configuring the SNMPv3 Trap Host Users

Trap host users define the destination that receives the traps, plus security information about communication between SNMPv3 entities. Trap host users are defined by a user name, security level, authentication and encryption parameters, and an IP address. The ETEP supports IPv4 and IPv6 addresses.
Figure 112 SNMPv3 Trap Host configuration

To configure a trap host user:
1 If you haven’t already done so, select the traps that the ETEP will generate (see “Traps” on page 315).
2 Under SNMPv3 Trap Hosts, click Add.
3 In the V3 Trap Host dialog box, configure the trap host users as described in Table 95 and then click OK. Traps that are enabled on the appliance will be sent to the designated host. The trap host user information must be configured on both the ETEP and trap recipient.
Logging Configuration

Table 95 SNMPv3 trap host users
Authentication Type: SHA. Required for the authNoPriv and authPriv security levels.
Authentication Password: The password is used to generate the authentication key. It is 8-256 characters in length. The following characters are not allowed: ? < > “ . ,
Encryption Type: AES. Required with the authPriv security level.
Encryption Password: The password is used to generate the encryption key. It is 8-256 characters in length.
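The rules in Table 95, together with the engine ID uniqueness requirement from “Generating the Engine ID”, can be checked before a trap host user definition is pushed to an ETEP and its trap receiver. The following Python is an added example for this guide, not code from EncrypTight or Black Box; the dictionary field names, the engine ID values and the sample users are constructed for illustration.

```python
import ipaddress

# SNMPv3 security levels: no auth/no encryption, auth only, auth plus encryption.
SECURITY_LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")

# Characters that Table 95 forbids in authentication/encryption passwords.
FORBIDDEN_PASSWORD_CHARS = set('?<>".,')


def password_errors(password, label):
    """Return rule violations for one SNMPv3 password (8-256 chars, no forbidden chars)."""
    if password is None:
        return [f"{label} password is required"]
    errors = []
    if not 8 <= len(password) <= 256:
        errors.append(f"{label} password must be 8-256 characters long")
    bad = sorted(FORBIDDEN_PASSWORD_CHARS & set(password))
    if bad:
        errors.append(f"{label} password contains forbidden characters: {''.join(bad)}")
    return errors


def validate_trap_host_user(user):
    """Validate one trap host user definition; an empty list means it is acceptable.

    `user` is a constructed dict with keys name, security_level, auth_type,
    auth_password, priv_type, priv_password and host (field names are assumptions).
    """
    errors = []
    if not user.get("name"):
        errors.append("user name is required")
    level = user.get("security_level")
    if level not in SECURITY_LEVELS:
        errors.append(f"unknown security level {level!r}")
        return errors
    # SHA authentication is required for authNoPriv and authPriv.
    if level in ("authNoPriv", "authPriv"):
        if user.get("auth_type") != "SHA":
            errors.append("authentication type must be SHA")
        errors += password_errors(user.get("auth_password"), "authentication")
    # AES encryption is additionally required for authPriv.
    if level == "authPriv":
        if user.get("priv_type") != "AES":
            errors.append("encryption type must be AES")
        errors += password_errors(user.get("priv_password"), "encryption")
    # The trap host may be an IPv4 or an IPv6 address.
    try:
        ipaddress.ip_address(user.get("host", ""))
    except ValueError:
        errors.append(f"invalid trap host address {user.get('host')!r}")
    return errors


def duplicate_engine_ids(engine_ids_by_etep):
    """Return engine IDs (hex, compared case-insensitively) shared by more than one ETEP."""
    owners = {}
    for etep, engine_id in engine_ids_by_etep.items():
        owners.setdefault(engine_id.lower(), []).append(etep)
    return {eid: eteps for eid, eteps in owners.items() if len(eteps) > 1}


# Constructed sample definitions (not taken from the guide).
SAMPLE_USERS = [
    {"name": "trapuser", "security_level": "authPriv", "auth_type": "SHA",
     "auth_password": "Auth-Pass-2024", "priv_type": "AES",
     "priv_password": "Priv-Pass-2024", "host": "192.0.2.10"},
    {"name": "weakuser", "security_level": "authNoPriv", "auth_type": "SHA",
     "auth_password": "short?", "host": "2001:db8::1"},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["name"], validate_trap_host_user(u) or "OK")
```

The second sample user fails twice (too short and a forbidden `?`), which is what the appliance would reject; checking these rules on the management station avoids a failed push and a trap host that silently never authenticates the ETEP.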
Related topics:
● “Log Event Settings” on page 322
● “Defining Syslog Servers” on page 323
● “Log File Management” on page 324
● “Retrieving Appliance Log Files” on page 228

Log Event Settings

Categories of log messages are referred to as facilities, and they typically indicate which process submitted a message. Each facility can be assigned a priority, which sets the level at which a log message is triggered. Log event settings consist of a log facility and its priority level.
means “error + critical + alert + emergency.” The priorities shown in Table 97 are listed from lowest (debug) to highest (emergency).

Table 97 Log priorities
Debug: Detailed processing status. Not recommended during normal operations. The volume of messages may negatively affect the performance of the management port.
Informational: Information messages that do not relate to errors, warnings, audits, or debugging.
Notice: Normal but important events.
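The threshold semantics above (setting a facility to error means error, critical, alert and emergency are all logged) can be made concrete with a small filter, shown here as an added example written for this guide rather than EncrypTight code. It uses the five Local facilities from the logging defaults in Table 112; the mapping of those facilities to the standard syslog numbers local0-local4 (16-20), the simplified `<PRI>` line framing, and the sample events are assumptions of the example.

```python
# Severity names in the guide's order, lowest (debug) to highest (emergency).
# Syslog numeric severity codes run the opposite way: emergency = 0 ... debug = 7.
PRIORITIES = ["debug", "informational", "notice", "warning",
              "error", "critical", "alert", "emergency"]
SEVERITY_CODE = {name: 7 - i for i, name in enumerate(PRIORITIES)}

# ETEP facilities from Table 112 mapped to syslog local0..local4 (16..20); the
# numbering is an assumption of this example, the guide only names the facilities.
FACILITY_CODES = {"System": 16, "Dataplane": 17, "DistKey": 18, "PKI": 19, "SNMP": 20}

# Factory-default priority for every facility is Informational (Table 112).
DEFAULT_SETTINGS = {name: "informational" for name in FACILITY_CODES}


def is_logged(settings, facility, severity):
    """True when a message at `severity` meets or exceeds the facility's configured priority."""
    threshold = settings[facility]
    return PRIORITIES.index(severity) >= PRIORITIES.index(threshold)


def syslog_pri(facility, severity):
    """Syslog PRI value: facility number * 8 + severity code."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODE[severity]


def format_syslog(facility, severity, message):
    """Simplified syslog line (PRI prefix plus text) for forwarding to the syslog server."""
    return f"<{syslog_pri(facility, severity)}>{facility}: {message}"


def filter_events(settings, events):
    """Return (pri, facility, severity, message) for each event that passes its facility threshold."""
    return [(syslog_pri(f, s), f, s, m) for f, s, m in events if is_logged(settings, f, s)]


# Constructed sample: Dataplane raised to error, PKI lowered to debug, others at default.
SAMPLE_SETTINGS = dict(DEFAULT_SETTINGS, Dataplane="error", PKI="debug")
SAMPLE_EVENTS = [
    ("Dataplane", "debug", "packet counters dumped"),     # suppressed by the error threshold
    ("Dataplane", "error", "policy lookup failed"),       # logged
    ("PKI", "notice", "certificate loaded"),              # logged (PKI accepts everything)
    ("SNMP", "warning", "trap host unreachable"),         # logged (warning >= informational)
]

if __name__ == "__main__":
    for pri, f, s, m in filter_events(SAMPLE_SETTINGS, SAMPLE_EVENTS):
        print(format_syslog(f, s, m))
```

Raising the Dataplane threshold to error is the kind of change the Debug row in Table 97 argues for: the debug event is dropped before it can reach the management port, while the PKI facility, set to debug, still passes its notice-level message.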
Related topics:
● “IPv6 Addressing” on page 304
● “Logging Configuration” on page 321
● “Log Event Settings” on page 322

Log File Management

Each log file is a fixed-length list of entries, as shown in Table 98. The log files rotate as they fill; they do not wrap. The most recent events are always written to a .log file in the format logname.log. When the first log file is full, its contents are archived and rotated to logname.log.1.gz.
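The rotate-not-wrap behaviour described above, as an added Python illustration written for this guide (not ETEP code): a fixed-length active log that, once full, is gzip-archived as logname.log.1.gz and then started empty. The cascade of older archives to .2.gz and .3.gz, the retention count and the three-entry file size are assumptions of the example, since the guide only describes the first rotation.

```python
import gzip
import tempfile
from pathlib import Path


class FixedLengthLog:
    """Fixed-length log that rotates when full instead of wrapping (overwriting old entries)."""

    def __init__(self, directory, logname, max_entries, keep_archives=3):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.logname = logname
        self.max_entries = max_entries
        self.keep = keep_archives          # assumption: number of .N.gz archives kept
        self.active = self.dir / f"{logname}.log"
        self.active.touch()

    def archive_path(self, n):
        return self.dir / f"{self.logname}.log.{n}.gz"

    def entry_count(self):
        return len(self.active.read_text().splitlines())

    def append(self, line):
        # Rotate first when the active file is already full, so nothing is overwritten.
        if self.entry_count() >= self.max_entries:
            self.rotate()
        with self.active.open("a") as f:
            f.write(line.rstrip("\n") + "\n")

    def rotate(self):
        # Drop the oldest archive, shift .1.gz -> .2.gz etc., then gzip the active file.
        oldest = self.archive_path(self.keep)
        if oldest.exists():
            oldest.unlink()
        for n in range(self.keep - 1, 0, -1):
            p = self.archive_path(n)
            if p.exists():
                p.rename(self.archive_path(n + 1))
        with self.active.open("rb") as src, gzip.open(self.archive_path(1), "wb") as dst:
            dst.write(src.read())
        self.active.write_text("")

    def archived_entries(self, n):
        with gzip.open(self.archive_path(n), "rt") as f:
            return f.read().splitlines()


def demo():
    """Write seven constructed events into a three-entry log and report where they ended up."""
    with tempfile.TemporaryDirectory() as d:
        log = FixedLengthLog(d, "dataplane", max_entries=3)
        for i in range(7):
            log.append(f"event {i}")
        return {
            "active": log.active.read_text().splitlines(),
            "archive1": log.archived_entries(1),
            "archive2": log.archived_entries(2),
        }


if __name__ == "__main__":
    print(demo())
```

After seven entries the active dataplane.log holds only the newest event, dataplane.log.1.gz holds the previous three and dataplane.log.2.gz the three before that, which is why retrieved log files (Figure 114) should be collected together with their .gz archives when reconstructing a timeline.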
Figure 114 Log files extracted from the ETEP

Related topics:
● “Retrieving Appliance Log Files” on page 228
● “Logging Configuration” on page 321
● “Log Event Settings” on page 322

Advanced Configuration

The items on the Advanced tab define various management and network functions of the appliance, which are described in the following sections:
● “Path Maximum Transmission Unit” on page 326
● “Non IP Traffic Handling” on page 327
● “CLI Inactivity Timer” on page 327
● “
Path Maximum Transmission Unit

The PMTU specifies the maximum payload size of a packet that can be transmitted by the ETEP. The PMTU value excludes the Ethernet header, which is 14-18 bytes long, and the CRC. The PMTU setting applies to the local and remote ports, as shown in Table 99. On the management port the PMTU is hard-coded to 1400 bytes.
● “Reassembly Mode” on page 310
● “Features Configuration” on page 330

Non IP Traffic Handling

The non-IP traffic handling setting is available when the ETEP is configured for use in Layer 3 encryption policies. This setting provides options for how to handle Layer 2 packets that are not IP at Layer 3. Non-IP packets can be discarded or passed in the clear. When discarding non-IP traffic, you have the option of passing ARP packets in the clear or discarding them as well.
● Maximum number of concurrent login sessions allowed per user
● The number of login failures allowed before locking an account

The strong password policy enforces more stringent password rules and conventions than the default password policy. The default password policy is enforced unless you explicitly enable the strong password policy.

NOTE Enabling strong password enforcement restarts the SSH daemon, closing any open SSH connections between ETEMS and the ETEP.
SSH Access to the ETEP

SSH is used for secure remote CLI management sessions through the Ethernet management port. SSH access to the appliance is enabled by default. To prevent remote access to the CLI, clear the Enable SSH checkbox. When SSH is disabled, CLI access is limited to the serial port.
3 On the Advanced tab, select Enable IKE VLAN Tag.

Table 102 IKE VLAN Tags
IKE VLAN tag priority: Sets the VLAN priority. Valid values range from 0-7.
IKE VLAN tag identifier: Sets the VLAN ID. Valid values range from 0-4094.

OCSP Settings

Online Certificate Status Protocol (OCSP) provides a way for devices that use certificates to verify that a received certificate is currently valid. OCSP is an alternative to using Certificate Revocation Lists (CRLs).
Features Configuration

FIPS Mode

When operating in FIPS mode, the ETEP must be configured to use FIPS-approved encryption and authentication algorithms. FIPS-approved algorithms are listed in Table 103. Note that some of the FIPS-approved algorithms are available for use only on the management port. EncrypTight prevents the ETEP from entering FIPS mode if ETPM detects EncrypTight distributed key policies that contain non-FIPS-approved algorithms.
● Performs a software integrity test
● Clears pre-existing policies and keys, as described in Table 104.
● “EncrypTight Settings” on page 333
● “Encryption Policy Settings” on page 334
● “Creating Layer 2 Point-to-Point Policies” on page 335
● ETEP CLI User Guide, “FIPS 140-2 Level 2 Operation”

EncrypTight Settings

The EncrypTight settings define whether the ETEP is to be used as a PEP in an EncrypTight system or operate as a standalone point-to-point encryptor.
● To configure Layer 2 or Layer 3 distributed key policies, select the Enable EncrypTight checkbox.
● “Encryption Policy Settings” on page 334
● “Working with Policies” on page 334

Encryption Policy Settings

The Encryption Policy Setting determines the type of policies that the ETEP can be used in: Layer 2 Ethernet policies or Layer 3 IP policies. Appliances that are configured for Layer 2 cannot be used in Layer 3 policies, and vice versa. If you intend to create a Layer 4 policy to encrypt only the packet payload, set the Encryption Policy Setting to Layer 3:IP.
Working with Policies

Related topics:
● “Using EncrypTight Distributed Key Policies” on page 335
● “Creating Layer 2 Point-to-Point Policies” on page 335

Using EncrypTight Distributed Key Policies

After you have configured the ETEPs for network operation, use the Policy Manager (ETPM) to create and deploy distributed key policies.
Figure 115 ETEP Policy tab

When ETEPs are first installed they pass all traffic in the clear until they receive policies. After you push the Layer 2 point-to-point policy configuration to the ETEPs they will begin negotiations to encrypt traffic. You can change the way in which the ETEP processes traffic by modifying the traffic handling setting to pass traffic in the clear, discard traffic, or encrypt traffic.
deploy management port IPsec policies while in Layer 2 point-to-point mode, use manual key policies to encrypt management port traffic.
● We recommend setting the time on the ETEPs before setting up the Layer 2 point-to-point policy. Changing the clocks after the policy is established may cause traffic to be dropped.
Selecting the Traffic Handling Mode

The ETEP has three options for processing packets:
● Encrypt all packets
● Discard all packets
● Pass all packets in the clear

Under normal operation, the ETEP is configured to encrypt all traffic that is exchanged between two peer appliances. This is the ETEP’s default mode of operation. Other methods of traffic handling are used for debugging and troubleshooting. The traffic handling setting persists through a reboot.
Table 108 IKE Phase 2 Parameters
Hash algorithm: HMAC-SHA-1
PFS: Diffie-Hellman group 5
Lifetime: One hour
Negotiation mode: Main mode

Factory Defaults

ETEMS’s factory settings are listed by appliance model and software version for the following categories:
● Interfaces
● Trusted Hosts
● SNMP
● Logging
● Policy
● Advanced
● Features
● Hard-coded Settings

Interfaces

Table 109 Interfaces defaults
Appliance Identification
Table 109 Interfaces defaults
Default gateway: None
Flow control: Negotiated
Link speed: Negotiated
Transmitter enable: FollowRx
Local IP address: Undefined
Subnet mask: 255.255.255.
Logging

Table 112 Logging defaults
Local 0 / System: Informational
Local 1 / Dataplane: Informational
Local 2 / DistKey: Informational
Local 3 / PKI: Informational
Local 4 / SNMP: Informational
Internal: Informational
Syslog server: None

Policy

Table 113 Policy defaults
Role: Primary
IKE Authentication: Preshared key
IKE Preshared Key: 01234567
Group ID: 0
Traffic Handling: EthEncrypt

Advanced

Table 114 Advanced defaults
Features

Table 115 Features defaults
Enable FIPS Mode: Not available
Enable EncrypTight: Enabled (user configurable)
Enable TLS in the clear: Enabled
Encryption Policy Settings: Layer 3:IP
Enable strict client authentication: Disabled

Hard-coded Settings

The following settings are hard-coded in the ETEP:
● Management port PMTU is 1400 bytes
● Syslog server port is 514
● Time zone is set to UTC 0
Index Numerics 3DES, 184 algorithms, 184 auto-negotiation configuration ETEP, 305 A B addressing mode, 171, 185 advanced configuration ETEP, 325–329 Advanced Encryption Standard, 184 AES, 184 appliance configuration customizing default configurations, 110 ETEP, 299–342 importing from a CSV file, 112 overview, 95 restoring factory defaults, 111 appliance users See user accounts appliance-level tasks connecting to the CLI, 123 managing ETEP user accounts, 106 retrieving log files, 228 appliances adding a
certificate revocation lists (CRLs), see CRLs, 287 certificates See also Certificate Manager about, 262 and common access cards, 294 certificate policy extensions, 269 certificate revocation lists (CRLs), 287 configuring CRL usage, 287 configuring CRL usage in EncrypTight, 288 configuring CRL usage on the ETKMS, 288 deleting all on an ETEP, 293 deleting specific certificates from an ETEP, 287 distinguished name, 264 EncrypTight keystore password, 266 errors, 249 ETKMS keystore password, 266 exporting
D E database See workspace date and time about clock synchronization, 33 changing on an appliance, 121 configuring on the ETKMS, 51 default configurations, 110 modifying defaults, 110 restoring, 121 using factory settings, 111 default ETKMS, 185 default gateway configuration ETEP management port, 302 ETEP remote and local ports, 308 default user accounts and passwords, 56 deleting appliances, 122 policies, 209 workspace, 72 deploy policies procedure, 207 receiving confirmation, 208 status icon, 137
defining appliance configurations, 83 maintenance and troubleshooting, 86 policy and certificate support, 87 pushing configurations, 84 upgrading software, 85 ETEP license, 56 replacing license, 245 throughput, 301 ETEP configuration, 299–342 Ethernet policies at Layer 2, adding, 188 ETKMS configuration changing the admin password, 47 changing the root password, 48 checking the status of the ETKMS service, 53, 54 configuring the time and date properties, 51 external ETKMS overview, 46 external ETKMS,
firewall ports, 39 flow control configuration ETEP, 305 fragmentation ETEP choosing the reassembly mode, 310 setting the PMTU, 326 FTP server configuring for software upgrades, 125 enabling on the management station, 42 G global ETKMS, 185 group ID ETEP, 337 grouping networks, 161 H hardware requirements, 38 hardware security module See also HSM HTTPS (TLS), 42 hub and spoke policy, adding, 191 I ignore DF bit ETEP, 310 ignore source IP address, 187 IKE Phase 1 parameters, 338 Phase 2 parameters,
hub and spoke policy addressing mode override, 193 mesh policy addressing mode override, 197 multicast policy addressing mode override, 201 payload encryption policy, 185 point-to-point policy addressing mode override, 205 license, 56 EncrypTight, 57 ETEP, 57 replacing ETEPs, 245 upgrading, 58 link speed configuration ETEP, 305 Linux commands for external ETKMSs, 242 load balancing, 35 loading configurations, 97 software updates, 125 workspaces, 71 local port configuration ETEP, 306–308 log files app
NTP, 149 O OCSP about, 289 communication preferences, 94 enabling in EncrypTight, 290 enabling in ETEPs, 291 enabling on ETKMSs, 291 open perspective, 131 out-of-band management ETKMS to ETKMS connections, 30 ETKMS to PEP connections, 32 ETPM to ETKMS connections, 28 P passing TLS traffic in the clear, 149 password changing the ETKMS admin password, 47 changing the ETKMS root password, 48 configuring the ETEP password strength policy, 327 default password conventions on the ETEP, 104 default passwo
See also ETPM introduction, 20 log file, 241 monitoring status, 237 port configuration See interface configuration port status, viewing, 232 ports, configuring your firewall for EncrypTight, 39 preferences certificate policy extensions, 270 certificate requests, 284 communication timeouts, 92 importing appliance configurations, 115 login, 63 ping tool, 228 policy deployment confirmation, 208 status checking in ETEMS, 99 status checking in ETPM, 137 strict authentication, 93 preserving network IP addr
editing on multiple appliances, 152 ETEP, 329 ETKMS, 51 for EncrypTight PEPs, 149 software requirements, 38 software updates appliance software cancelling, 127 checking status, 127 logging upgrade status, 322 overview, 123 procedure, 125 for EncrypTight, 73 SPD, exporting from the ETEP, 232 SSH troubleshooting, 225 ssh connecting to the appliance CLI, 123 enabling and disabling on the ETEP, 329 troubleshooting an ETEP connection, 225 starting EncrypTight, 40 statistics using CLI commands to view appl
Triple Data Encryption Standard, 184 troubleshooting See also diagnostic tools application log, 234 certificate implementation errors, 249 clearing policies on the ETEP, 334 CLI diagnostic commands, 233 ETEMS appliance configuration, 225 appliance software upgrades, 227 appliance unreachable, 224 pinging the management port, 227 pushing configurations, 226 status indicators, 226 ETKMS log files, 241 rebooting, 243 recovering the admin account, 243 restarting an external ETKMS, 243 server operation, 2
Black Box Tech Support: FREE! Live. 24/7. Tech support the way it should be. Great tech support is just 30 seconds away at 724-746-5500 or blackbox.com. About Black Box Black Box Network Services is your source for more than 118,000 networking and infrastructure products. You’ll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches all supported by free, live 24/7 Tech support available in 30 seconds or less. © Copyright 2011.