HP ProCurve Threat Management Services zl Module Management and Configuration Guide
HP ProCurve Threat Management Services zl Module November 2009 ST.1.0.
© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Contents

1 Overview
Contents 1-1
Overview 1-4
Hardware Overview
Installation
Internal Ports
Deployment Models for Monitor Mode—Threat Detection 1-29
Deployment Location 1-29
Deployment Tasks for Internal Threat Detection 1-29
Named Objects 1-31
IDS/IPS
Virtual Private Network (VPN) 1-57
VPN Protocols 1-57
IPsec 1-57
L2TP over IPsec 1-57
GRE

2 Initial Setup in Routing Mode
Contents 2-1
Overview 2-3
Routing Mode 2-3
Deploying the TMS zl Module in Routing Mode 2-4
Select the Deployment Location
Configure Management Access 2-29
Accessing the Web Browser Interface 2-39
Navigating the Web Browser Interface 2-44
Dashboard 2-46
Default Firewall Policies

3 Initial Setup in Monitor Mode
Contents 3-1
Overview 3-3
Monitor Mode 3-3
Deploying the TMS zl Module
Configure DNS 3-40
Configuring Event Logging 3-41
Exporting Local Logs 3-41
Configure Log Settings 3-43
Configure Email Forwarding

4 (Firewall)
Named Objects 4-8
Address Objects 4-9
Address Groups 4-12
Service Objects 4-13
Service Groups
Port Mapping 4-71
Mapping Ports 4-72
Application-Level Gateways 4-74
ALG Functions 4-76
aim
Resource Allocation 4-100
Zone Limits 4-100
Connection Reservations 4-100
Reservation Process 4-101
Example

5 (NAT)
NAT Examples 5-25
Source NAT 5-25
Network Merger 5-25
Single NAT Address 5-31
Limited NAT Pool

6 (IDS/IPS)
Reconnaissance Detection 6-16
TCP SYN Scan 6-16
TCP FIN Scan 6-17
TCP ACK Scan 6-18
UDP Scan

7 Virtual Private Networks
Contents 7-1
Overview 7-3
IPsec VPNs 7-5
Overview of IPsec VPNs 7-5
IPsec Headers
Configure Firewall Access Policies for Your VPN 7-112
Access Policies for an IPsec Site-to-Site VPN with IKE 7-112
Access Policies for an IPsec Site-to-Site VPN with Manual Keying 7-116
Access Policies for an IPsec Client-to-Site VPN with IKE 7-118
Access Policies for an L2TP over IPsec VPN

8 High Availability
Updating Cluster Software 8-12
Back up the Master’s Startup Configuration 8-12
Remove the Participant from the Cluster 8-13
Update the Master’s Software 8-14
Update the Participant’s Software

OSPF
OSPF Overview
LSAs
Areas
Stub Areas and Stub Routers

A Threat Management Services zl Module Command-Line Reference
Contents A-1
Overview A-6
Command Syntax Statements A-7
Services OS Manager Context Commands A-8
boot
Product OS Manager Context Commands A-16
TMS zl Module Product Index and Product Name A-17
batch A-19
boot A-19
capture
erase A-41
exit A-41
gre A-42
high-availability A-43
Set the HA interface
page A-61
password A-61
ping A-62
port-map A-63
port-trigger
show gre A-88
show high-availability A-88
show ip A-88
show ip rip A-89
show ip ospf

C Log Messages
Contents C-1
Reading the Log Messages C-3
Finding the Log Message Family and ID C-4
Log Message Formats and Fields C-6
Firewall

D Troubleshooting
Contents D-1
Overview D-3
Basic Troubleshooting Tools D-3
ping D-4
traceroute
Troubleshooting IPS D-50
Ensure That IPS Is Enabled Globally D-51
Enable IPS on an Access Policy D-52
Signature Is Triggered Too Frequently D-53
Troubleshooting Problems with Downloading the IDS/IPS Signatures
1 Overview

Contents
Overview 1-4
Hardware Overview 1-5
Installation 1-5
Internal Ports 1-5
Hardware Specifications
Access Control with Authentication 1-27
Use Models for Access Control with Authentication 1-27
Deployment Location for Access Control with Authentication 1-27
Deployment Tasks for Access Control with Authentication
Firewall Logging 1-53
Firewall Events 1-53
Firewall Event Severity 1-54
Network Address Translation (NAT) 1-54
Operation
Overview

The HP ProCurve Threat Management Services (TMS) zl Module detects and mitigates threats from both internal and external sources. The module supports multiple capabilities for managing threats, which you can enable in various combinations.

Hardware Overview

Installation

The TMS zl Module is installed in an HP ProCurve Series 5400zl switch chassis or an HP ProCurve 8212zl switch chassis running software K.13.55 or newer. You can install up to four TMS zl Modules in the same chassis as long as no more than two are in an HA cluster. (If you attempt to install a fifth module, that module will not boot.) You can install a TMS zl Module in any chassis slot; however, ProCurve recommends that you avoid using slot A.

Hardware Specifications

The TMS zl Module has the following hardware specifications:
■ CPU—Intel 2.2 GHz
■ RAM—4 GB
■ Hard drive—250 GB, including 38 GB for image storage

Performance

Consult the data sheet for the TMS zl Module at procurve.com/library.
Operating Modes

The TMS zl Module supports two operating modes:
■ Routing mode
■ Monitor mode

Routing Mode

In routing mode, you must set up your network infrastructure so that the TMS zl Module acts as the router for every VLAN on which you want to manage threats. You assign the module an IP address on each of these VLANs so that it can route and filter their traffic; these VLANs are then called TMS VLANs.

Figure 1-1. Traffic Managed by the TMS zl Module

In this example, traffic between the server in VLAN 10 and the Internet passes through the module, as does traffic between VLAN 30 and VLAN 40. However, traffic between the two nodes in VLAN 20 is forwarded directly by the switch at Layer 2, bypassing the module. Only traffic that requires Layer 3 routing can be filtered by the TMS zl Module.

Internal Ports in Routing Mode

As mentioned earlier, the TMS zl Module has two internal ports. If you select routing mode, the two internal ports operate as follows:
■ Port 1—This port sends and receives all network traffic that is being filtered by the TMS zl Module. It also sends and receives all management traffic.
■ Port 2—This port sends and receives traffic related to an HA cluster (if one is configured on the TMS zl Module).

Port 1 VLAN Membership.

■ Port 2—This port is used for management traffic. When you configure the management VLAN for the TMS zl Module, port 2 automatically becomes an untagged member of the management VLAN. For example, if you configure VLAN 2 as the management VLAN and the TMS zl Module is installed in slot C, the internal port C2 is an untagged member of VLAN 2. By default, port 2 is an untagged member of VLAN 1, the default VLAN, which means that VLAN 1 is the management VLAN.
Table 1-3. Monitor Mode Supported Capabilities
Capability    Analyzed Traffic
IDS           Traffic that is mirrored to the module’s port 1

Zones

The TMS zl Module uses zones to control traffic. Zones are logical groupings of TMS VLANs that have similar security needs or levels of trust. You can organize TMS VLANs into zones only when the TMS zl Module is in routing mode. Zones enable you to create common policies, such as access policies and NAT policies, that apply to all members of the zone.

Access Control Zones

The TMS zl Module supports nine access control zones, which have the following names and intended purposes:
■ Internal—your private network
■ External—the Internet or other untrusted networks
■ DMZ—demilitarized zone; publicly accessible servers that are logically located between the private network and the external network
■ Zone1 through Zone6—any user-defined purpose, as needed

Before the TMS zl Module can filter traffic on a VLAN, you must associate that VLAN
Deployment Options for Routing Mode—Threat Protection

The TMS zl Module in routing mode can protect your network in many ways. This section covers several use models for deploying the module in routing mode. Each use model explains the reasons for selecting the deployment option, the services that are provided by the TMS zl Module, and the tasks that must be performed to deploy and configure the module.

Internal VPN. You might implement a client-to-site VPN within the internal network when you have resources that require particularly strong protection. Configure VPN policies on the TMS zl Module to require encryption for all traffic destined to or from these resources. Then configure VPN clients on the high-security resources and on the endpoints allowed to access those resources.

Figure 1-3. Internal Deployment of the TMS zl Module

Deployment Tasks for Internal Threat Protection

You must complete these tasks to deploy a TMS zl Module that provides internal threat protection:
1. As you deploy the TMS zl Module, you may cause network outages. Complete these steps during the network’s lowest utilization times.
2.
4. Remove all IP addresses on the selected VLANs from the host switch except the switch’s management address. However, if you plan to have the host switch act as the TMS zl Module’s default gateway, also leave an IP address on the VLAN that connects to an external router.
5. If the host switch no longer needs to route any traffic, disable routing on the switch.
6. Access the TMS zl Module’s CLI through the host switch’s CLI.
7.
Follow these steps:
a. Determine the TMS VLAN on which the TMS zl Module connects to its default gateway:
Figure 1-4. Host Switch as Default Gateway
– If the module’s host switch is the default gateway, this VLAN is typically the VLAN on which the switch connects to the external router. Make sure that the switch has an IP address on that TMS VLAN.
– If an external router is the default gateway, this VLAN is the TMS VLAN on which the host switch connects to the external router. If this VLAN does not already exist on the host switch, extend the VLAN to the switch.
b. On the TMS zl Module, associate this VLAN with a zone (External is recommended). Assign the module an IP address on the TMS VLAN—often the address that you removed from the host switch on that VLAN.

Figure 1-6. Associating VLANs with Zones

Often you associate user (or data) VLANs with the Internal zone. Alternatively, you can divide your internal network into multiple zones and separate various user and server VLANs into different zones (Zone1 to Zone6). In Figure 1-6, VLAN20 and VLAN40 are associated with Zone1, and VLAN30 and VLAN50 are associated with Zone2.

The TMS zl Module in Figure 1-6 has the following IP addresses on its TMS VLANs, which are also the default gateway addresses for those VLANs:
• VLAN20—10.1.20.99
• VLAN30—10.1.30.99
• VLAN40—10.1.40.99
• VLAN50—10.1.50.99

See “Zones” on page 1-11 for an overview of zones and “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode” for detailed instructions.

12. Configure dynamic or static routing.
15. Optionally, configure NAT to translate addresses between TMS VLANs. For example, you could follow these steps to configure NAT between TMS VLANs in the Internal zone and a guest TMS VLAN in Zone2:
a. The guests have IP addresses in a private subnet that is not used in the rest of the private network.
b. Configure a Zone2-to-Internal NAT policy that applies source NAT to guest IP addresses.
c.

types of traffic. For example, you could limit the number of connections to your Web server to 300 and the number of connections to your FTP server to 50. Furthermore, you can configure policies to apply only during certain hours of the day. For example, you can configure a policy so that it applies only during office hours.

Figure 1-7. Perimeter Deployment of the TMS zl Module

Deployment Tasks for Perimeter Threat Protection

You must complete these tasks to deploy your TMS zl Module to provide perimeter threat protection:
1. As you deploy the TMS zl Module, you may cause network outages. Complete the following steps when the network is inactive.
2.
4. On the host switch, remove the IP address from the VLAN that connects to the external router. If the host switch is the router for the internal network, leave its other IP addresses intact.
Note
If you want the TMS zl Module to provide internal protection as well as perimeter protection, remove all IP addresses from the host switch except its management address and make the TMS zl Module the router for the internal network.
9. Configure the default gateway for the module. When the TMS zl Module provides perimeter protection, the default gateway is typically an external router:
a. On the TMS zl Module, associate the VLAN on which the module connects to the default gateway with a zone (External is recommended). Assign the module an IP address on this VLAN—typically, the IP address that you removed from the host switch.
b.
i. Extend internal VLANs to the host switch but remove IP addresses on those VLANs from the switch.
ii. Associate the internal VLANs with zones on the TMS zl Module (the Internal zone or Zone1 to Zone6) and assign the module a valid IP address on each VLAN. Typically, assign the module the IP addresses that you removed from the host switch.
iii. Configure the module as the default router for these VLANs (for example, in DHCP scopes).

You can create site-to-site and client-to-site VPNs. See “Virtual Private Network (VPN)” on page 1-57 for an overview and Chapter 7: “Virtual Private Networks” for detailed instructions.
16. Optionally, configure the TMS zl Module as a member of an HA cluster with another TMS zl Module. See “Overview” in Chapter 8: “High Availability” for an overview and for detailed instructions.

users, install it in a location where it can act as the VPN gateway. There are no rigid rules about the deployment location. You must simply ensure that the module routes the traffic that arrives from the users that you want to control.

Deployment Tasks for Access Control with Authentication

You must complete these tasks to deploy your TMS zl Module so that it provides access control with authentication:
1.
2.
Deployment Models for Monitor Mode—Threat Detection

In monitor mode, the TMS zl Module can detect known DoS attacks, exploits, worms, viruses, and other threats that are launched by internal users (users who have been allowed access to the network). It logs the attack internally and can forward the log to a syslog server, to an SNMP server, to an SNMP trap server, or as an email.

2. Create a mirror session for which the TMS zl Module’s data port (port 1) is the destination exit port. For the session source, specify ports, trunks, or VLANs on the module’s host switch. If you are using remote mirroring, configure a mirror session on each remote switch, with the TMS zl Module’s host switch as the destination.
Named Objects

The TMS zl Module supports named objects for greater ease of configuration. A named object is a logical “container” that can be used in firewall access policies, NAT policies, port triggers, and IPsec policy traffic selectors to represent one or more addresses, one or more services, or a schedule.

For example, rather than manually specifying the IP address of your Web server in multiple policies, you can create an object named WebServer that holds the Web server’s IP address. You can then specify the WebServer object every time you create a policy for controlling access to the Web server. If the IP address of the Web server changes, you edit the address object once, and the change propagates through all of the policies that include the object.
IDS/IPS

The TMS zl Module can act as an IDS, which detects worms, denial of service (DoS) attacks, and other threats. In routing mode, the TMS zl Module can also function as an IPS, which mitigates these threats as well as detecting them.

Threat Detection

When it functions as either an IDS or an IDS/IPS, the TMS zl Module detects threats in all traffic received on its data port (port 1).

■ HP ProCurve Threat Management Services 2-year IDS/IPS Subscription (J9158A)
■ HP ProCurve Threat Management Services 3-year IDS/IPS Subscription (J9159A)

You can also purchase a module with a subscription: the HP ProCurve Threat Management Services zl Module with 1-year IDS/IPS Subscription (J9156A).
■ SMTP
  • Ensure that the command line does not exceed 512 bytes
  • Check the recursive boundary depth in SMTP data
  • Check for a header length that exceeds the maximum limit (user-configurable)
■ FTP
  • Ensure that the command line does not exceed 512 bytes
■ IMAP
  • Check for malformed requests (the command line lacks the proper tag, command, and so forth)
■ POP3
  • Ensure that the command line does not exceed 512 bytes
■ DNS
  • Check for a DNS reply without a valid reque

from the known pattern, using polymorphism or other evasion techniques. Protocol anomaly detection helps the TMS zl Module catch these variant attacks. Finally, protocol anomaly detection does not require signature updates or subscription licenses, which lowers the administrative overhead.

Port Maps. In order to check for protocol anomalies, the TMS zl Module must know which application a particular session is associated with. The module receives this information from its port maps.
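The following is an added example, not code from the TMS zl Module or from HP. It models in Python how a port map drives protocol anomaly checks of the kind listed above: the destination port selects the application, and only then can the per-protocol checks (512-byte command lines for SMTP, FTP and POP3, a tagged request for IMAP, a header-length limit for SMTP DATA) be applied. The port map, the header limit of 998 bytes, and the sample session lines are all constructed for this example.

```python
"""Toy protocol-anomaly checker driven by a port map (added example, not HP code)."""

# Constructed port map: destination port -> application handled by that port.
# Without an entry here, the checker cannot pick a protocol and applies no checks.
PORT_MAP = {25: "smtp", 21: "ftp", 110: "pop3", 143: "imap"}

MAX_CMD_LINE = 512    # command-line byte limit named in the text for SMTP/FTP/POP3
MAX_HEADER_LEN = 998  # constructed stand-in for the user-configurable SMTP header limit


def application_for(dst_port):
    """Look the session's destination port up in the port map."""
    return PORT_MAP.get(dst_port)


def check_command_line(line):
    """Flag a command line (including its CRLF) longer than MAX_CMD_LINE bytes."""
    if len(line) <= MAX_CMD_LINE:
        return []
    return [f"command line {len(line)} bytes exceeds {MAX_CMD_LINE}"]


def check_imap_request(line):
    """IMAP client requests must begin with an alphanumeric tag and then a command."""
    parts = line.rstrip(b"\r\n").split(b" ", 1)
    if len(parts) < 2 or not parts[0].isalnum():
        return ["malformed IMAP request (missing tag or command)"]
    return []


def check_smtp_headers(data):
    """Flag any header line in an SMTP DATA payload longer than MAX_HEADER_LEN."""
    headers = data.split(b"\r\n\r\n", 1)[0]
    return [f"header length {len(h)} exceeds {MAX_HEADER_LEN}"
            for h in headers.split(b"\r\n") if len(h) > MAX_HEADER_LEN]


def inspect_session(dst_port, lines):
    """Run the checks appropriate to the application behind dst_port over the
    session's command lines and return the list of findings (empty = clean)."""
    app = application_for(dst_port)
    if app is None:
        return [f"no port map entry for port {dst_port}: protocol anomaly checks not applied"]
    findings = []
    for line in lines:
        if app in ("smtp", "ftp", "pop3"):
            findings += check_command_line(line)
        elif app == "imap":
            findings += check_imap_request(line)
    return findings


if __name__ == "__main__":
    # Constructed sample sessions: a clean SMTP exchange and an oversized POP3 command.
    print(inspect_session(25, [b"EHLO mail.example.com\r\n", b"MAIL FROM:<a@example.com>\r\n"]))
    print(inspect_session(110, [b"USER " + b"A" * 600 + b"\r\n"]))
```

The point the "no port map entry" finding makes is the one the text makes: a service running on a port that is not mapped is invisible to anomaly checks, so port maps need to cover every application-layer protocol you expect the module to inspect.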
No matter which action you choose, threats are logged locally. You can also configure the module to forward logs about threats of a specific severity (such as Minor and higher). You can forward logs as one or more of the following:
■ SNMP traps
■ Syslog messages
■ Email messages

See “Configuring Event Logging” in Chapter 2: “Initial Setup in Routing Mode” and “Configuring Event Logging” in Chapter 3: “Initial Setup in Monitor Mode.”

Figure 1-8. TMS zl Module Integration with NIM

Figure 1-8 shows how the IDS/IPS function on the TMS zl Module sends SNMP traps to NIM. NIM processes the trap and responds as indicated in its alert and policy configurations. For example, NIM might track the source of the threat to its point of connection and take action there—perhaps ordering a switch to throttle or block the port to which the offender connects.

Note
Traffic that is transmitted between devices on the same TMS VLAN is not filtered by the TMS zl Module in routing mode.

You control the traffic that passes through the firewall with firewall access policies. The following sections give more information.

Access Policies

The TMS zl Module supports up to 20,000 access policies.
The TMS zl Module can resolve the IP address for a DNS name and match the policy to packets with that source address.

Warning
When the TMS zl Module evaluates a firewall access policy that contains a domain name that cannot be resolved, it terminates evaluation and denies the session. As a result of this safeguard, a DNS failure can deny traffic that would otherwise be allowed by subsequent policies.

User Group

You can create different sets of access policies for each user group that is configured on the module—as well as a set of access policies that apply to all users not assigned to a group. When a user authenticates to your network through the TMS zl Module, the module assigns the authenticated user’s IP address to the user group. The module then applies the set of access policies that are configured for that group to traffic received from that source address.

Rate Limiting

Instead of simply permitting or denying all traffic that matches an access policy, the TMS zl Module can control the traffic in a more nuanced way: it can limit the number of sessions and the amount of bandwidth devoted to the permitted traffic. For example, you can limit the bandwidth for traffic that is sent to the Internet by users in a TMS VLAN that guests use. Rate limiting is supported for unicast policies but not for multicast policies.

Within these policies, the module starts with the policy that has the highest position (lowest numerical value). For example, it matches a packet against Internal-to-External access policy 1 before it matches it against Internal-to-External access policy 2. The module takes the action that is specified in the first policy that the packet matches and then stops processing policies. If the packet never matches a policy, the module drops it.
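The following is an added example, not HP's code, that simulates the evaluation order just described together with the Warning above about unresolvable domain names: policies are walked by position, the first match decides, an unmatched packet is dropped, and a policy whose domain name cannot be resolved ends evaluation with a deny even when a later policy would have permitted the traffic. The policy set, the addresses, and the `RESOLVER` table standing in for DNS lookups are all constructed for the example.

```python
"""First-match access-policy evaluation with the DNS-failure safeguard (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the module's DNS resolution; names missing from this
# table behave like names the module cannot resolve.
RESOLVER = {"partner.example.com": "203.0.113.10"}


@dataclass
class Policy:
    position: int   # lower number = evaluated earlier (highest position)
    action: str     # "permit" or "deny"
    source: str     # CIDR/address, or a DNS name resolved at evaluation time
    service: str    # e.g. "tcp/80", or "any"


def resolve_source(source: str) -> Optional[ipaddress.IPv4Network]:
    """Return the policy source as a network. A DNS name is resolved through
    RESOLVER; None means the name could not be resolved."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        addr = RESOLVER.get(source)
        return ipaddress.ip_network(addr) if addr else None


def evaluate(policies: List[Policy], src_ip: str, service: str) -> Tuple[str, str]:
    """Return (action, reason) for a packet from src_ip requesting service."""
    src = ipaddress.ip_address(src_ip)
    for pol in sorted(policies, key=lambda p: p.position):
        net = resolve_source(pol.source)
        if net is None:
            # Safeguard described in the Warning: stop evaluating and deny the
            # session, regardless of what later policies would have done.
            return "deny", f"policy {pol.position}: unresolvable name {pol.source}"
        if src in net and pol.service in ("any", service):
            return pol.action, f"policy {pol.position} matched"   # first match wins
    return "deny", "no policy matched (implicit drop)"


if __name__ == "__main__":
    # Constructed Internal-to-External policy set.
    policies = [
        Policy(1, "deny", "10.1.20.0/24", "tcp/23"),
        Policy(2, "permit", "10.1.0.0/16", "any"),
        Policy(3, "permit", "partner.example.com", "tcp/443"),
    ]
    print(evaluate(policies, "10.1.20.5", "tcp/23"))     # denied by policy 1
    print(evaluate(policies, "10.1.20.5", "tcp/80"))     # permitted by policy 2
    # Placing a policy with an unresolvable name first denies everything behind it.
    broken = [Policy(0, "deny", "unknown.example.net", "any")] + policies
    print(evaluate(broken, "10.1.20.5", "tcp/80"))
```

The last call shows why the Warning matters operationally: a single unresolvable name high in the order can turn a DNS outage into a blanket deny for every later policy in that zone pair, so policies that reference domain names are best placed low in the order and monitored for resolution failures.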
However, each connection reservation that you make decreases the total number of connections that are available generally, so you should always take into account how many connections the TMS zl Module supports (total and per-zone) in comparison to the number of reservations that you make. Refer to Table 1-5. Table 1-5.
■ The number of total active connections in the system has reached the total active connections threshold. When this threshold has been reached, non-reserved IP addresses cannot make any connections even if their zone limits have not been reached. Only the reserved IP addresses can make connections. For a definition of the total active connection threshold, see Table 1-5.
Connection Reservation Examples
To better understand how connection reservations function, read the examples below.
In this example, a connection reservation count of 10 has been configured for 50 IP addresses: 10.1.1.11–10.1.1.60. The total reservation connection count is 500 (10 x 50) connections. The following is therefore true:
Figure 1-10. Outbound Connection Reservation Implication
■ When the total active connection threshold of 39,500 (40,000 – 500) is reached, the module will not permit any more connections—unless the connections are initiated by hosts with IP addresses in the 10.1.1.11– 10.
■ If the number of non-reserved connections from Zone1 reaches 10,000, the module will set aside 500 connections from the other zones’ connection limits, provided that enough connections are available in the other zones. For example, if there are 1,500 total connections left for all three of the other zones, 500 of these will be set aside. Then only 1,000 total connections are available for the other zones.
Figure 1-12.
Figure 1-13. Inbound Connection Reservation
In this example, a connection reservation count of 100 has been configured for one IP address: 10.1.2.22. The reservation count is 100 (100 x 1) connections from Zone1 to the IP address 10.1.2.22.
The following is therefore true:
Figure 1-14. Inbound Connection Reservation Implication
■ When the total active connection threshold of 39,900 (40,000 – 100) is reached, the module will not permit any more connections unless the connections are destined for the server at 10.1.2.22 from Zone1.
Figure 1-15.
■ When the number of connections from Zone1 reaches 10,000, the module will set aside 100 connections from the other zones’ connection limits, provided that enough connections are available in the other zones. For example, if there are 1,500 total connections left for all three of the other zones, 100 of these will be set aside. Then only 1,400 total connections are available for the other zones.
Figure 1-16.
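The threshold arithmetic in both the outbound example (50 hosts × 10 reservations) and the inbound example (one server × 100) can be checked with the following added Python model. It is not HP’s implementation: it assumes the 40,000-connection limit used in the examples, treats a reservation as a guaranteed floor that a reserved address can draw on once the shared threshold is exhausted, and does not model the per-zone set-aside rule. The build_reservations and ConnectionTable names, and the load pattern in demo, are constructed for the example.

```python
"""Toy model of connection-reservation thresholds (added example, not HP code).

Assumptions (not taken from the guide's internals):
  * total capacity is 40,000 connections, as in the guide's examples;
  * the shared threshold is total capacity minus the sum of all reservations;
  * once the threshold is reached, only reserved addresses may open new
    connections, and each may use at most its reserved count from the
    held-back pool; the per-zone set-aside rule is not modelled.
"""
import ipaddress
from typing import Dict, Tuple


def build_reservations(first_ip: str, last_ip: str, per_host: int) -> Dict[str, int]:
    """Reserve per_host connections for every address from first_ip to last_ip inclusive."""
    first = ipaddress.ip_address(first_ip)
    last = ipaddress.ip_address(last_ip)
    return {str(first + i): per_host for i in range(int(last) - int(first) + 1)}


class ConnectionTable:
    def __init__(self, reservations: Dict[str, int], max_total: int = 40000):
        self.max_total = max_total
        self.reservations = dict(reservations)
        # Capacity everyone may use; the remainder is held back for reserved hosts.
        self.threshold = max_total - sum(self.reservations.values())
        self.active_total = 0
        self.reserved_used = {ip: 0 for ip in self.reservations}

    def admit(self, src_ip: str) -> Tuple[bool, str]:
        """Decide whether a new connection from src_ip is allowed."""
        if self.active_total < self.threshold:
            self.active_total += 1
            return True, "shared capacity"
        remaining = self.reservations.get(src_ip, 0) - self.reserved_used.get(src_ip, 0)
        if remaining > 0 and self.active_total < self.max_total:
            self.reserved_used[src_ip] += 1
            self.active_total += 1
            return True, "reserved capacity"
        return False, "threshold reached and no reservation left"


def demo() -> dict:
    """Replay the guide's outbound example with constructed load."""
    table = ConnectionTable(build_reservations("10.1.1.11", "10.1.1.60", 10))
    # Constructed load: an unreserved host opens connections up to the threshold.
    while table.active_total < table.threshold:
        table.admit("192.0.2.1")
    unreserved_after = table.admit("192.0.2.1")[0]          # denied
    reserved = [table.admit("10.1.1.11")[0] for _ in range(11)]  # 10 allowed, 11th denied
    return {
        "threshold": table.threshold,            # 39,500 = 40,000 - 500
        "unreserved_after": unreserved_after,
        "reserved_results": reserved,
        "active_total": table.active_total,      # 39,510
    }


if __name__ == "__main__":
    print(demo())
    inbound = ConnectionTable(build_reservations("10.1.2.22", "10.1.2.22", 100))
    print("inbound threshold:", inbound.threshold)  # 39,900 = 40,000 - 100
```

The model reproduces the two thresholds the guide states (39,500 and 39,900) and shows why reservations are a trade-off: every reserved connection is capacity that unreserved hosts lose before the module is actually full.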
Some of the firewall checks are customizable and can be enabled or disabled separately. Other checks cannot be disabled. For one of the checks, you can also configure settings. See “Attack Checking” in Chapter 4: “Firewall” for more information. Table 1-6 summarizes the module’s capabilities. Table 1-6.
Table 1-7. Supported ALGs
ALG: General, DNS (for internal DNS server hosting), FTP, ILS (Internet Location Server for Microsoft NetMeeting), ILS2, NetBIOS, NNTP (Microsoft News Server, Outlook Express 6), RPC, SMTP (SurgeMail, Ability Mail Server), SQL (SQL*Plus 8.1.5.
Firewall Troubleshooting
You can troubleshoot the firewall from the CLI.
Firewall Event Severity
Each event has an associated severity level. From greatest to least severity, these levels are as follows:
■ Critical—Error may lead to failure
■ Major—Error may lead to failure or faulty functioning
■ Minor—Error may lead to faulty functioning
■ Warning—Error should be corrected
■ Information—Notification of significant events
Network Address Translation (NAT)
In routing mode, the TMS zl Module can apply NAT to network traffic.
• Many-to-many The module assigns each local device that attempts to reach the destination network a separate IP address in that network. A range of new IP addresses is available. When every IP address in the range has been assigned to a local device, additional local devices cannot reach the destination network.
■ Destination NAT With destination NAT, the TMS zl Module translates the destination IP address of a packet to a new IP address.
Note The information above is simply intended to inform you of the module’s capabilities. When you configure NAT, you do not need to determine the specific type of source or destination NAT that you require. Once you configure the source, destination, and NAT addresses, the Web browser interface handles the configuration. You can also configure NAT policies that exclude specific addresses. For example, if you have configured source NAT for addresses 10.1.1.
Virtual Private Network (VPN)
The TMS zl Module can act as a VPN gateway. You should use the VPN functionality when you want to protect traffic from eavesdropping and from tampering. Typically, such protection is necessary when the traffic passes through an untrusted network such as the Internet or a wireless network that does not offer encryption. You can also create VPNs inside your private network to protect sensitive information from all but authorized users.
L2TP tunnels data, but it does not secure it. With L2TP over IPsec, the L2TP session is encapsulated and secured by IPsec. See “Layer 2 Tunneling Protocol (L2TP) over IPsec” in Chapter 7: “Virtual Private Networks.”
GRE
GRE is a Layer 2 protocol that establishes a virtual point-to-point connection between two devices across an intervening network. It can encapsulate any protocol that Ethernet can encapsulate.
Client-to-Site VPNs
A client-to-site VPN is a set of tunnels between individual endpoints and the TMS zl Module, each endpoint having its own tunnel to the module. The TMS zl Module can support a VPN tunnel to any IPsec endpoint that is IKE v1-compliant. A client-to-site VPN can be used to:
■ Allow users to access the private network through their own Internet connection
■ Implement encryption throughout the private network
Client-to-Site VPNs.
Routing
When it operates in routing mode, the TMS zl Module must be able to route the traffic that it is filtering and analyzing for threats. The module’s VPN capabilities also require the module to know the correct routes. The module supports these routing capabilities:
■ Static routing
■ Routing Information Protocol (RIP)
■ Open Shortest Path First (OSPF)
The TMS zl Module supports up to 10,000 total route entries, including static and dynamic routes.
By default, the TMS zl Module firewall allows all RIP updates between any zone and the Self zone. For greater security, the TMS zl Module supports these types of RIP authentication:
■ Simple password
■ MD5
You can also modify firewall access policies to further secure routing messages. For more information and for instructions on configuring this feature, see “RIP” in Chapter 9: “Routing.”
OSPF
The TMS zl Module supports all five types of OSPF Link State Advertisements (LSAs).
Depending on your needs, the TMS zl Module can be configured to act in any of these roles:
■ Area Border Router (ABR): The TMS zl Module has one or more VLANs in the backbone area as well as one or more VLANs in other areas. The module acts as the router for inter-area traffic.
■ Internal router: The module has VLANs in one area only.
■ Autonomous System Border Router (ASBR): The module is either an internal router or an ABR. It also connects to a router in another autonomous system.
Multicast Routing
The TMS zl Module supports Internet Group Membership Protocol (IGMP), which allows endpoints to join groups and receive traffic that is destined to specific multicast addresses. You enable IGMP per TMS VLAN. The TMS zl Module also supports routing multicast traffic between TMS VLANs. You must select the TMS VLANs on which multicast routing is enabled.
HA VLAN
HA cluster members communicate on the HA VLAN, which is configured on each member’s internal port 2. Each member has its own IP address on the HA VLAN. The default HA VLAN is VLAN 1. However, it is recommended that you set the HA VLAN to a VLAN not otherwise used in your network. Otherwise, the TMS zl Module will receive broadcast traffic that the firewall must drop— which can cause an undue number of log messages.
HA Cluster Operation Rules
The TMS zl Modules in an HA cluster synchronize their connection state information by sending messages over the HA VLAN, which must be dedicated to HA traffic. The HA VLAN is configured on the modules’ internal port 2, which must be dedicated to HA traffic. The modules in an HA cluster can be installed in the same switch chassis or in different switch chassis.
Feature Interaction
This section explains how the TMS zl Module’s various capabilities work together to protect your network from threats.
Packet Flow on the TMS zl Module
Understanding how packets flow through the TMS zl Module helps you to understand how features interact.
Packet Flow in Routing Mode
In routing mode, the TMS zl Module applies features in this order:
1. VPN (decrypting incoming traffic)
2. Firewall attack checks
3.
2. If the packet is an IPsec packet, the TMS zl Module looks up the SA by its SPI:
• If the SA exists, the module uses the SA’s parameters to decrypt the packet. It forwards the decrypted and decapsulated packet to the firewall. See step 3.
• If the SA does not exist or if the packet fails VPN checks, the module drops the packet.
3. The module’s firewall checks the packet for attacks.
7. The module matches the packet against access policies in the group until it finds a match. The module matches the packet first against the policy that has the highest position (lowest numerical value).
• If the packet matches the access policy (including the policy’s schedule, if any), the module applies the rule’s action:
– If the action is deny, the module drops the packet.
– If the action is permit, the module checks the rate limiting and other settings.
9. The TMS zl Module determines whether to apply NAT: the module matches the packet against NAT policies for its source zone and destination zone. It processes the policies in order, beginning with the policy with the highest position (lowest numerical value), until it finds a match.
• If the packet matches a NAT policy, the module follows this process to apply NAT:
i.
session specifies the source and destination addresses and ports both before and after NAT has been applied. This session fills one of the maximum number of connections that are allowed on the TMS zl Module. The module then proceeds to step 12.
• If a NAT-capable ALG does not apply to the packet, the module simply creates the session and proceeds to step 12.
12. The TMS zl Module determines whether the packet is part of a GRE or L2TP tunnel.
14. The TMS zl Module forwards the packet to the next-hop router specified in the route to its destination IP address, tagging the frame for the forwarding VLAN of the route. Note that the destination IP address is the NAT destination for traffic to which destination NAT has been applied. The destination IP address is the destination in the delivery IP header for traffic that is part of an IPsec or GRE tunnel.
Default Operation
You should understand how the TMS zl Module operates at factory defaults:
■ Default management settings
■ Default enabled capabilities
■ Default firewall access policies
Default Management Settings
At factory default settings, the TMS zl Module has no IP address. You must access the TMS zl Module CLI through the host switch CLI. In the CLI, you can enable remote management access:
■ For a module that you want to deploy in routing mode:
a.
You can then access the Web browser interface or the CLI through SSH. The default login settings for remote access are:
■ Username = manager
■ Password = procurve
ProCurve recommends that you change the passwords as soon as possible.
Default Enabled Capabilities
By default, the TMS zl Module functions in routing mode. The following capabilities are enabled:
■ IDS
• Protocol anomalies are detected with the default settings.
■ Zone1-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone2-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone3-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone4-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone5-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone6-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Self-to-Internal
• permit RIP any any
• permit OSPFIGP any
■ Self-to-Zone3
• permit RIP any any
• permit OSPFIGP any any
■ Self-to-Zone4
• permit RIP any any
• permit OSPFIGP any any
■ Self-to-Zone5
• permit RIP any any
• permit OSPFIGP any any
■ Self-to-Zone6
• permit RIP any any
• permit OSPFIGP any any
2 Initial Setup in Routing Mode
Contents
Overview 2-3
Routing Mode 2-3
Deploying the TMS zl Module in Routing Mode 2-4
Select the Deployment Location 2-4
Perimeter Protection
Configure Management Access 2-29
Accessing the Web Browser Interface 2-39
Navigating the Web Browser Interface 2-44
Dashboard 2-46
Default Firewall Policies
Overview
This setup chapter provides instructions for the initial setup in routing mode. At this point, you should have decided which operating mode you want to use. (See “Operating Modes” in Chapter 1: “Overview.”)
When operating in this mode, the TMS zl Module has an IP address for each TMS VLAN, and endpoints in those VLANs use the TMS zl Module as their default gateway. In some TMS VLANs (such as those in the External zone), other routers might exist. These routers route traffic to the other TMS VLANs through the module.
■ Provide a site-to-site VPN tunnel between the corporate head office and branch offices
■ Provide a client-to-site VPN for the mobile workforce to connect to the corporate intranet
Figure 2-1.
Figure 2-2. Internal Deployment of the TMS zl Module
Both Perimeter and Internal Protection
A TMS zl Module can be deployed to provide both perimeter and internal security. Implementing both methods allows you to check both internal and external traffic.
Plan the Zones
Zones are logical groupings of VLANs that have the same trust levels or security needs. You can create common firewall policies that apply to all members of a zone or to selected members of a zone. After you associate a VLAN with a zone, it is called a “TMS VLAN.” A TMS VLAN can be associated with only one zone at a time. You can create up to 19 VLAN associations.
In Figure 2-3, VLAN_7 handles all of the wireless traffic, and it has been assigned to its own zone (Zone3). VLAN_3 and VLAN_5 are in the Internal zone (which is a management-access zone), the server in VLAN_9 is in the DMZ, and the interface that handles all VPN traffic is in the External zone.
Figure 2-4. Zones Inside the TMS zl Module
Figure 2-4 shows the zones and VLANs from Figure 2-3 as they might be deployed in a network. Physical port 1, the data port, is tagged for all TMS VLANs. Port 2 will forward HA traffic to the other member of the cluster (if configured), but the IP address for port 2 is not in the Self zone. Port 2 is an untagged member of the HA VLAN, if HA is configured.
Figure 2-5. Filtering Traffic for VLANs That Are Not TMS VLANs
Figure 2-5 shows an example. VLANs 2 through 8 are configured on switch A, but only VLAN 2 is configured on switch B, which hosts the module. If VLAN 3 is to be checked by the module, you must configure switch A to specify the TMS zl Module as the next-hop router for VLAN 3.
■ Depending on the complexity and security needs of your network, you should continue separating the internal network VLANs into specific zones (Zone1 through Zone6), according to the security needs of the VLANs.
Ready the Host Switch
After you install a TMS zl Module in a chassis slot in an HP ProCurve 5400zl or 8200zl Series switch, the switch recognizes the module by its ID.
The host switch must have an IP address on a TMS VLAN so that the module can route non-TMS VLAN traffic to it. If the switch is also routing traffic to the Internet, you can use the Internet TMS VLAN for this purpose. You could also use the management VLAN, but this would place the non-TMS VLANs in the management zone, which is undesirable.
3.
Initial Setup
The TMS zl Module must be installed in one of the following chassis:
■ HP ProCurve Series 5400zl switch
■ HP ProCurve 8212zl switch
Consult the ProCurve Switch zl Module Installation Guide or “Hardware Overview” in Chapter 1: “Overview” for information on how to properly install the module in the switch chassis.
Ensure That the Host Switch Recognizes the TMS zl Module
You should first ensure that the host switch recognizes that the TMS zl Module is installed in the switch. Enter the following command:
hostswitch# show services
Table 2-1 shows an example output for this command. Notice that two items are listed for each TMS zl Module: Services zl Module and Threat Management Services zl Module. The Services zl Module is always displayed first with index number 1.
Otherwise, simply make a note of the index number. You will need this index number when you access the Product OS (see “Access the TMS zl Module Product OS Context” on page 2-27). First, however, you must activate the TMS zl Module. See “Activate the TMS zl Module” on page 2-17.
Table 2-3. CLI Display of Services Example 2
Slot | Index | Description | Name
C,D,E | 1 | Services zl Module | services-module
D | 2 | Data Center Connection Manager | dcm
C,E | 3 | Threat Management Services zl Module | tms-module
Whenever you reboot the host switch, a TMS zl Module, or a ONE Services zl Module, you should enter the show services command to check the index numbers.
The TMS zl Module can be booted to either the Services OS or the Product OS. (However, you can boot the TMS zl Module to the Product OS only after you activate the TMS zl Module, as described in “Activate the TMS zl Module” on page 2-17.
Figure 2-6. HP ProCurve Threat Management Services zl Module Registration and Licensing Card (callouts: make sure you have the correct Registration and Licensing Card; locate the product registration ID)
Activation Hardware ID. The TMS zl Module has two hardware IDs, as shown in Table 2-4. Table 2-4.
To register the IDS/IPS signature subscription (if you have purchased one), you need the TMS-subscription hardware ID. (Instructions for registering the IDS/IPS signature subscription are provided after these instructions for activating the TMS zl Module. See “Register the IDS/IPS Signature Subscription” on page 2-21.) To obtain the activation hardware ID, complete the following steps:
1. Access the host switch’s CLI.
2.
Figure 2-7. My ProCurve Sign In Window
2. Type your My ProCurve ID and Password in the appropriate fields. (If you do not have a My ProCurve ID, click Customer account or Partner account under Create an account and follow the prompts to set one up.)
3. Click Sign In.
4. Click My Licenses.
5. Complete the process to register the TMS zl Module. When you are done, a confirmation email, which contains the product license key, is sent to you.
2. Install the product license key by typing the following command:
Syntax: licenses install activation
Installs the product license key on the switch. Replace with the product license key that was generated when you registered the TMS zl Module on the My ProCurve portal.
To begin using an IDS/IPS signature subscription, you must first register it on the My ProCurve portal (a process that is outlined below). Unlike the TMS zl Module activation process, the subscription registration process does not require you to install a subscription license key. You can register the IDS/IPS signature subscription now as part of the initial setup or later, after you boot the TMS zl Module to the Product OS.
Figure 2-8. HP ProCurve Threat Management Services x-Year IDS/IPS Subscription Registration Card (callouts: make sure you have the correct Registration Card; locate the subscription registration ID)
TMS-Subscription Hardware ID. To obtain the TMS-subscription hardware ID, complete the following steps:
1. Access the host switch’s CLI.
2.
You are now in the Services OS context, and you should see a prompt that is similar to the following:
hostswitch(services-module-C:HD)#
3. Display the TMS-subscription hardware ID by entering the following command in the TMS zl Module’s Services OS CLI.
Syntax: licenses hardware-id tms-subscription
Displays the hardware ID for the IDS/IPS signature subscription.
4. Record the TMS-subscription hardware ID. (You may want to copy this hardware ID to a text file.)
2. Type your My ProCurve ID and Password in the appropriate fields and click Sign In.
3. Click My Licenses. Complete the process to register the IDS/IPS Subscription. When you are done, a confirmation message is displayed, explaining that the license has been accepted. The TMS-subscription hardware ID is now registered with the ProCurve signature server, and you will receive an email message confirming that you completed the process successfully.
2. You will be returned to the host switch’s CLI. If you want to view the progress of the reboot process, enter the following commands in succession:
Syntax: show services
Displays the current status of the module and the version of the operating systems running on the module. Replace with the letter of the chassis slot in which the module is installed.
Syntax: repeat
Repeatedly executes the previous command you entered.
Access the TMS zl Module Product OS Context
The Product OS context is used to configure the firewall, IDS or IPS, VPN, and other features provided by the TMS zl Module. There are two options for entering this context. The advantage of the first option is that it requires fewer keystrokes. The second option, on the other hand, does not require you to know the index number for TMS zl Modules on your host switch.
If, instead, you saw the output shown in Table 2-6, you would enter this command to access the Product OS for the TMS zl Module in slot C:
hostswitch# services c 3
Table 2-6. CLI Display of Services Example 2
Slot | Index | Description | Name
C,D,E | 1 | Services zl Module | services-module
D | 2 | Data Center Connection Manager | dcm
C,E | 3
Configure Management Access
Before you can access the Web browser interface and begin configuring the TMS zl Module, you must access the Product OS context and perform some initial tasks.
To begin configuring management access, complete these steps.
1. Access the host switch’s CLI and enter the Product OS context:
hostswitch# services
The command takes the letter of the chassis slot in which the module is installed and the TMS zl Module’s index number as its arguments (see “Ensure That the Host Switch Recognizes the TMS zl Module”). The prompt should look like the following:
hostswitch(tms-module-C)#
2.
and manually configure an access policy to permit HTTPS traffic from Zone1 to Self. In this case, you could access the module’s Web browser interface from Zone1 even though it is not a management-access zone.
4. Associate a VLAN with the management-access zone:
Syntax: vlan zone
Associates a VLAN with a zone. Replace with the number of a VLAN to associate with the zone. Replace with the name of a zone.
For example:
hostswitch(tms-module-C:config)# vlan 5 ip address 10.1.5.99 255.255.255.0
Note If you plan to do your initial setup on another VLAN, repeat the steps above. Initially, you will only be able to access the Web browser interface from the VLANs that you configure now in the CLI.
6.
Figure 2-11. Routing Internal-to-External Traffic through the Module
• If the module’s host switch is the default gateway, this VLAN is typically the VLAN on which the host switch connects to the external router. Make sure that the switch has an IP address on that VLAN. For example, in Figure 2-12, the host switch connects to the external router on VLAN99 (subnet 10.1.99.0/24).
8. If the default gateway is on the VLAN you have already added to the management-access zone, skip this step and continue with step 9. Otherwise, complete this step.
a. Associate the VLAN on which the TMS zl Module connects to its default gateway with a zone (often this is the External zone).
Syntax: vlan zone
Associates a VLAN with a zone. Replace with the number of a VLAN to associate with the zone.
9. Define a default gateway:
Syntax: ip route 0.0.0.0/0
Sets a default gateway for the module. Replace with the IP address of the default gateway for the module. For example:
hostswitch(tms-module-C:config)# ip route 0.0.0.0/0 10.1.99.101
10. Ping the default gateway to verify connectivity. If the default gateway is in the management-access zone you defined, complete step 10a.
b. If the default gateway is not in a management-access zone, the TMS zl Module will block ICMP echo packets between the Self zone and the gateway’s zone until you create an access policy to allow this traffic.
i. Create an access policy to permit ICMP echo packets between the Self zone and the gateway’s zone.
Parameter: action
Options: permit, deny, move to
The module checks the policies according to their priority.
Parameter: extended options
Options:
• schedule (this command must be entered before all other extended options commands)
• log
• ips-off
• enable
• disable
• insert-at
• update-at < position | id >
You can use any combination of the extra options—as many or as few as you like.
ii. Ping the default gateway.
Accessing the Web Browser Interface
To access the Threat Management Services zl Module’s Web browser interface through a secure HTTPS session, you will need a supported Web browser:
■ Firefox 2.x or higher
■ Internet Explorer 7 or higher
Additionally, JavaScript must be enabled on your Web browser. In the address bar, type https:// followed by your module’s IP address. For example, if your module has the IP address 192.168.2.
Figure 2-13. Firefox 2.x Certificate Security Warning
b. Select Accept this certificate permanently.
c. Click OK. Another warning is displayed.
Figure 2-14. Firefox 2.x Domain Name Warning
d. Click OK. Depending on your security settings, another warning may be displayed, which tells you that you are about to view an encrypted page. If a warning is displayed, click OK.
■ Firefox 3
a. Type https:// followed by your module’s IP address in the address field. The following warning is displayed.
Figure 2-15. Firefox 3 Certificate Security Warning
b. Click Or you can add an exception.
c. Click Add Exception. The Add Security Exception window is displayed.
Figure 2-16. Add Security Exception Window
d. Click Get Certificate. The window updates to tell you that the certificate belongs to a different site.
e. Click Confirm Security Exception. The login window is displayed.
■ Internet Explorer 7 or 8
a. Type https:// followed by your module’s IP address in the address field. The following warning is displayed.
Figure 2-17. Firefox 2.x Certificate Security Warning Window
b. Click Continue to this website (not recommended). The login window is displayed.
When you gain access to the Web browser interface login window, you are prompted to enter a username and password. (See Figure 2-18.)
Figure 2-18. Web Browser Interface Login Window
In the User Name field, type manager, and in the Password field, type the default password: procurve.
Navigating the Web Browser Interface
The Web browser interface includes a navigation pane on the left.
To save configuration changes to the startup configuration and ensure that they are not lost when the TMS zl Module is rebooted, you must click Save in the top-right corner of the Web browser interface. When your changes are saved, you will see this message near the top of the window:
Figure 2-20. Changes Saved to NVRAM
If you are using the CLI, you must enter the write memory command to save the running configuration to NVRAM.
Icons. Figure 2-21 shows several common icons that appear in the Web browser interface.
Figure 2-21. Icons (Delete, Edit, Move, Move Left, Move Right)
■ Click the Delete icon to remove a policy or named object.
■ Click the Edit icon to edit a policy or named object.
■ Click the Move icon to change the priority of a policy.
■ Click the Move Left icon to remove an object from an object group.
Table 2-8. TMS zl Module Dashboard Information (Field: Description. How to configure)

System Information
Hostname: User-defined module name (maximum of 30 ASCII characters). Default: ProCurve-TMS-. How to configure: System > Settings > General; see “Configure Management Access” on page 2-29.

Network Interfaces
Name: Name of the TMS VLAN. How to configure: Network > Settings > Zones; see “Plan the Zones” on page 2-7.

VPN
Packets In: Number of IPsec packets that arrive per second*. How to configure: n/a
Packets Out: Number of IPsec packets that are sent per second*. How to configure: n/a

*If you configure a VPN using GRE over IPsec or L2TP over IPsec, this field will display the number of all VPN packets (including GRE and L2TP) per second.

Note: The connections listed in the Firewall section include both passive and active connections.
can access management interfaces, you can edit the policy to specify the source IPs. You can configure different access settings for each zone that is enabled for management access, and you can also restrict these settings according to source addresses (if you do not want to allow management access for the whole zone). The other preconfigured policies can also be edited or deleted.

Modify the TMS zl Module’s Management Settings

To access the Web browser interface, you configured a set of management settings. You enabled management access on a zone, added a VLAN to that zone, and configured a static IP address for the VLAN. The TMS zl Module allows you to manage the module from as many zones as you want, so you can specify additional zones as management-access zones.

Table 2-9. Services Permitted from a Management-Access Zone to Self
bootpc, bootps, https, ICMP/echo, snmp, snmptrap, ssh

Table 2-10. Services Permitted from Self to a Management-Access Zone
bootpc, bootps, dns-tcp, dns-udp, ftp, http, https, ICMP/echo, radius, radius-acct, smtp, snmp, snmptrap, ssh, syslog, tftp

4. Click Save.

Typically, the TMS zl Module connects to its default gateway on a VLAN in the External zone. However, you may have associated the VLAN with a different zone. Therefore, you should add another VLAN to the module for the connection to the default gateway. Follow these steps:
1. Determine the VLAN on which the TMS zl Module connects to its default gateway. See “Configure Management Access” on page 2-29 to see how to determine the default gateway.
2.
Change the Operating Mode

The operating mode described in this chapter is routing. Because this is the default operating mode, you should not need to change it. However, if for whatever reason the current operating mode is monitor, follow these steps to change the mode:
1. Select System > Settings and click the Operating Mode tab.
Figure 2-25. System Settings Operating Mode Window
2. Select Routing.

2. From the User list, select manager (read/write) or operator (read only).
3. Type the Old password. The default passwords are: manager = procurve; operator = operator.
4. For New password and Confirm new password, type a new password for the user. The new password cannot have more than 14 characters.
5. Click Apply My Changes.
Note: The operator cannot change passwords. Operator is read-only in all windows.
6. Click Save.

Figure 2-27. Network > Settings > General Window
2. For Primary Server, type the IP address of your primary DNS server.
3. Optionally, for Secondary Server, type the IP address of your secondary DNS server. If you do not have a secondary DNS server, leave this field blank.
4. For Domain Suffix, type the suffix of your DNS domain name.
5. Click Apply My Changes.
6. Click Save.
Log entries are sent from the following sources:
■ Security systems (firewall, IPS, VPN, high availability)
■ Open architecture system
■ Startup scripts (initialization, reboot)
■ Management systems (Web browser, CLI, SNMP)
■ Common services (DHCP relay, DNS client, TFTP, SCP, RADIUS client, LDAP client, and others)

Exporting Local Logs

To view or export local logs, select System > Logging > View Log.
Figure 2-28.

To filter the logs that are displayed in this window, select and clear the appropriate check boxes under Filter. For example, to see logs of minor severity, complete the following steps.
1. Under Filter, select the Severity check box.
2. Select is for the type of filter.
3. Select Minor for the filter severity.
4. Click Apply filter. Only events with minor severity are displayed in the window.

To configure log settings, follow these steps:
1. Select System > Logging and click the Settings tab.
Figure 2-29. System > Logging > Settings Window
2. From the list, select the lowest severity level of the messages that you want to forward.
3. In the space provided, type the number of duplicate messages that you want to occur before a tally message is forwarded.
Figure 2-30. Duplicate Message Text Box
4.
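The two log settings above (the lowest severity to forward, and the number of duplicates before a tally message) and the View Log severity filter are easy to misjudge when you are deciding what your syslog or email destination will actually receive. The script below, added here as an example and not HP's code, models both behaviours over a handful of constructed log lines. The line format, the severity names and the wording of the tally message are assumptions; the module's real export format may differ.

```python
"""Severity threshold and duplicate-message tally, as a worked model of the log settings.

Added example, not HP's code. It applies the two settings from System > Logging >
Settings (lowest severity to forward; how many duplicates occur before a tally
message is forwarded) to constructed log lines, and implements the View Log
severity filter. The line format, severity names and tally wording are assumptions.
"""
from __future__ import annotations

# Assumed severity ladder, most severe first.
SEVERITIES = ["critical", "major", "minor", "info", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed sample entries: "<date> <time> <severity> <source> <message>".
SAMPLE_LOG = [
    "2009-11-03 14:02:11 major firewall Access policy denied tcp 10.1.20.7:51002 -> 10.1.5.10:22",
    "2009-11-03 14:02:12 info dhcp-relay Relayed DISCOVER from VLAN 20 to 10.1.5.20",
    "2009-11-03 14:02:12 major firewall Access policy denied tcp 10.1.20.7:51002 -> 10.1.5.10:22",
    "2009-11-03 14:02:13 major firewall Access policy denied tcp 10.1.20.7:51002 -> 10.1.5.10:22",
    "2009-11-03 14:02:13 minor ips Signature matched on traffic from 10.1.20.7",
    "2009-11-03 14:02:14 major firewall Access policy denied tcp 10.1.20.7:51002 -> 10.1.5.10:22",
    "2009-11-03 14:02:15 debug cli Command executed: show log",
]


def parse(line: str) -> dict:
    """Split one constructed line into its fields; reject unknown severities."""
    date, time, severity, source, message = line.split(" ", 4)
    if severity not in RANK:
        raise ValueError(f"unknown severity {severity!r} in line: {line}")
    return {"time": f"{date} {time}", "severity": severity,
            "source": source, "message": message}


def filter_by_severity(lines, lowest: str) -> list[dict]:
    """Keep entries whose severity is `lowest` or more severe (the forwarding threshold)."""
    cutoff = RANK[lowest]
    return [e for e in map(parse, lines) if RANK[e["severity"]] <= cutoff]


def filter_exact(lines, severity: str) -> list[dict]:
    """The View Log filter 'Severity is <level>': only that one level is shown."""
    return [e for e in map(parse, lines) if e["severity"] == severity]


def forward_with_tally(entries, dup_threshold: int) -> list[str]:
    """Forward the first copy of a message; replace repeats with a tally line.

    Each time a message has repeated `dup_threshold` more times, one tally line
    is emitted in place of those copies. Identity is (severity, source, message).
    """
    if dup_threshold < 1:
        raise ValueError("dup_threshold must be at least 1")
    forwarded: list[str] = []
    repeats: dict[tuple, int] = {}
    for e in entries:
        key = (e["severity"], e["source"], e["message"])
        if key not in repeats:
            repeats[key] = 0
            forwarded.append(f"{e['time']} {e['severity']} {e['source']} {e['message']}")
            continue
        repeats[key] += 1
        if repeats[key] % dup_threshold == 0:
            forwarded.append(f"{e['time']} {e['severity']} {e['source']} "
                             f"last message repeated {dup_threshold} times")
    return forwarded


if __name__ == "__main__":
    for line in forward_with_tally(filter_by_severity(SAMPLE_LOG, "minor"), 2):
        print(line)
```

The point worth noticing is the interaction between the two settings: a low duplicate threshold keeps a repeating firewall deny from flooding the syslog server, but it also means the receiving side sees only a tally line and has to reconstruct the count, so keep the local log around when you are investigating an event rather than relying on what was forwarded.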
Configure Email Forwarding

To forward event logs to email accounts, select System > Logging and click the Email Forwarding tab.
Figure 2-32. System > Logging > Email Forwarding Window
1. Select the Enable email forwarding check box.
2. For Email Server, type the IP address or FQDN of the email server.
3. For From Email Address, type the email address that will appear in the From field.

Configure Syslog Forwarding

To forward event logs to a syslog server, select System > Logging and click the Syslog Forwarding tab. You can add up to three entries.
Figure 2-33. System > Logging > Syslog Forwarding Window
1. Select the Enable syslog forwarding check box.
2. Click Add Syslog Server. The Add Syslog Server window is displayed.
Figure 2-34. Add Syslog Server Window
3. For Address, type the IP address or FQDN of the syslog server.

Configure SNMP Traps

SNMP traps are unsolicited messages that are sent by managed devices to alert you about specific events. For example, you can use PCM+ to manage the TMS zl Module by specifying PCM+ as a trap destination. The TMS zl Module supports the standard MIB-II, the IF-MIB, and a proprietary MIB that is particular to the operation of the TMS zl Module.

Figure 2-36. Add SNMPv2 Destination Window
2. For Server Address, type the IP address or FQDN of the SNMP server. For example, if you are using PCM+, you would enter the IP address or FQDN of the server running PCM+.
3. For Community Name, type the read-write (unrestricted) community name. You must enter the read-write community name that is configured on the SNMP server.
4. Click OK.
5. Click Save.

2. For Server Address, type the IP address or FQDN of an SNMPv3 server. For example, if you are using PCM+, you would enter the IP address or FQDN of the server running PCM+.
3. For Username, type the SNMPv3 username for an account on the server. This must match the username configured on the SNMP server (such as PCM+).
4. For Auth Passphrase, type the authentication passphrase for the account on the server.

Figure 2-38. System > Settings > SNMP Window

SNMPv1/v2c

SNMPv1 and SNMPv2c send the community name in cleartext with every message, so anyone who can observe the management VLAN can read it; where your management station supports it, prefer SNMPv3 with authentication and AES privacy, and restrict which source addresses may reach the snmp service on the module (see “Modify the TMS zl Module’s Management Settings”). To configure SNMPv1/v2c settings, complete the following steps:
1. From the System > Settings > SNMP window, select Enable SNMPv1/v2.
2. Under Enable SNMPv1/v2, click Add another community. The Add SNMPv1/v2 Community window is displayed.
Figure 2-39. Add SNMPv1/v2 Community Window
3. For Community Name, type the community name for the SNMP server.
4. From the Role list, select Manager (read/write) or Operator (read only). Select the role that corresponds with the community name that you typed in step 3.
5. From the Write Access list, select Unrestricted (read/write) or Restricted (read only). Select the access that corresponds with the community name and role that you specified in steps 3 and 4.
6. Click Apply.
7. Click Save.

6. For Authentication Passphrase, type the authentication passphrase for the account.
7. For Privacy Protocol, select the privacy protocol used for the account: None, DES, or AES. For the manager role, you must configure privacy settings. For the operator role, you may optionally configure privacy settings, but are not required to do so. Of the two, AES is the one to choose; DES is a legacy option.
8.
Figure 2-42. Add VLAN Association Window
3. From the Zone list, select a zone.
4. From the VLAN list, select a VLAN. The VLANs displayed in the list are VLANs that already exist on the switch and have not yet been associated with a zone.
5. Optionally, select the Allow switch to have IP address on this VLAN check box.

7. If you selected Static, do the following:
a. In the IP Address field, type an IP address for the TMS zl Module’s virtual interface in dotted-decimal format. For example, type 10.1.15.100. To avoid configuration errors, ensure that this IP address is not the same as the IP address for this VLAN on the switch.
b. In the Subnet Mask field, type the subnet mask in dotted-decimal format. For example, type 255.255.255.0.
8. Click OK.
9.

1. Select Network > Settings and click the DHCP Relay tab.
Figure 2-43. Network > Settings > DHCP Relay Window
2. Select the Enable DHCP Relay check box.
3. For DHCP Server, type the IP address of the DHCP server.
4. The Network > Settings > DHCP Relay window lists all of your TMS VLANs. Next to each VLAN for which you want to enable DHCP relay, select the Enable DHCP Relay check box.
5. Click Apply My Changes.
6. Click Save.

Figure 2-44. DHCP Relay Access Policies
■ If the client is in a management-access zone, you do not need to configure policies 1 and 4.
■ If the server is in a management-access zone, you do not need to configure policies 2 and 3.
■ If both the client and the server are in a management-access zone, you do not need to configure any firewall access policies.
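The rules of thumb above follow from Tables 2-9 and 2-10: bootpc and bootps are already permitted between a management-access zone and the module itself, so only the legs that touch a non-management zone need explicit policies. The script below, added here as an example and not HP's code, encodes those two tables, the optional source-address restriction described in “Modify the TMS zl Module’s Management Settings”, and the four DHCP-relay policies of Figure 2-44, and reports which policies are still missing for a given client zone and server zone. The zone names, the numbering of the four policies and the service each leg carries are assumptions based on how DHCP relay works (clients send to UDP 67, the relay answers clients on UDP 68).

```python
"""Default management-access policies and the DHCP-relay exceptions, as a model.

Added example; it is not HP's code. It encodes Tables 2-9 and 2-10 (services
allowed between a management-access zone and the module itself, "Self"), the
optional source-address restriction described for those policies, and the four
DHCP-relay access policies of Figure 2-44, then reports which of the four still
need to be written by hand. Zone names, the numbering of the four policies and
the service each one carries are assumptions based on how DHCP relay works.
"""
from __future__ import annotations

import ipaddress

# Table 2-9: services permitted from a management-access zone to Self.
ZONE_TO_SELF = frozenset(
    {"bootpc", "bootps", "https", "ICMP/echo", "snmp", "snmptrap", "ssh"})
# Table 2-10: services permitted from Self to a management-access zone.
SELF_TO_ZONE = frozenset({
    "bootpc", "bootps", "dns-tcp", "dns-udp", "ftp", "http", "https", "ICMP/echo",
    "radius", "radius-acct", "smtp", "snmp", "snmptrap", "ssh", "syslog", "tftp"})


class ManagementAccess:
    """Zones enabled for management access, each optionally limited to source prefixes."""

    def __init__(self) -> None:
        self._zones: dict[str, list[ipaddress.IPv4Network] | None] = {}

    def enable(self, zone: str, sources: list[str] | None = None) -> None:
        # sources=None: the whole zone may reach the management interfaces.
        self._zones[zone] = (None if sources is None
                             else [ipaddress.ip_network(s) for s in sources])

    def is_management_zone(self, zone: str) -> bool:
        return zone in self._zones

    def permitted(self, src_zone: str, dst_zone: str, service: str,
                  src_ip: str | None = None) -> bool:
        """True if one of the preconfigured management-access policies allows the flow."""
        if dst_zone == "Self" and self.is_management_zone(src_zone):
            if service not in ZONE_TO_SELF:
                return False
            allowed = self._zones[src_zone]
            if allowed is None:
                return True
            if src_ip is None:
                return False
            ip = ipaddress.ip_address(src_ip)
            return any(ip in net for net in allowed)
        if src_zone == "Self" and self.is_management_zone(dst_zone):
            return service in SELF_TO_ZONE
        return False  # every other flow needs an explicit access policy


def dhcp_relay_policies_needed(ma: ManagementAccess, client_zone: str,
                               server_zone: str, server_ip: str) -> list[int]:
    """Numbers of the Figure 2-44 policies not already covered by management access.

    Policies 1 and 4 carry the client leg, 2 and 3 the server leg, matching the
    guide's rule of thumb. A DHCPDISCOVER comes from 0.0.0.0, so a source-
    restricted management zone never matches it and policy 1 stays necessary.
    """
    candidates = [
        (1, client_zone, "Self", "bootps", "0.0.0.0"),  # client -> relay (dst UDP 67)
        (2, "Self", server_zone, "bootps", None),       # relay -> server (dst UDP 67)
        (3, server_zone, "Self", "bootps", server_ip),  # server -> relay (dst UDP 67)
        (4, "Self", client_zone, "bootpc", None),       # relay -> client (dst UDP 68)
    ]
    return [n for n, src, dst, svc, ip in candidates if not ma.permitted(src, dst, svc, ip)]


if __name__ == "__main__":
    ma = ManagementAccess()
    ma.enable("Internal")                 # the whole zone may manage the module
    ma.enable("Servers", ["10.2.0.0/24"])  # only this prefix of the zone may
    print(ma.permitted("Servers", "Self", "https", "10.2.0.9"))   # True
    print(ma.permitted("Servers", "Self", "https", "10.2.1.9"))   # False
    print(dhcp_relay_policies_needed(ma, "Internal", "External", "172.16.0.5"))  # [2, 3]
```

Two things the model makes visible that the bullet list does not: restricting a management-access zone to specific source addresses also narrows the bootps policy that DHCP relay was relying on, because a client's first DHCPDISCOVER is sourced from 0.0.0.0; and a zone that is not a management-access zone has no default permits at all toward Self, so every service you expect to terminate on the module from that zone needs its own policy. Check the module's own policy list after enabling relay rather than trusting the rule of thumb alone.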
System Maintenance

It is recommended that you frequently save the startup configuration to a hard drive so that you can restore it to the TMS zl Module if the running configuration becomes corrupted or unusable for any reason. When configuring settings:
■ Click Apply My Changes and similar buttons to save changes to the running configuration.

Note: The saved configuration file is encrypted. If you need to analyze the saved configuration, contact HP ProCurve technical support. The file still holds the module’s complete configuration, so store it and any copies with the same access controls you apply to the module’s credentials.

Restore to a Previously Saved Configuration

To restore the module to a previously saved startup configuration:
1. From the System > Maintenance > Back Up/Restore window, click Browse.
2. Navigate to the saved configuration file and double-click the file to select it.
3. Click Restore and Reboot.

Figure 2-46. System > Maintenance > Factory Defaults Window
2. Click Erase Startup-Config and Reboot to reboot the module with the factory-default settings; the IDS/IPS signatures are retained.
3. Click Yes in the warning that is displayed.

Erasing the Startup Configuration from the CLI

Product OS. You can erase the startup configuration from the Product OS context with the following commands.
1.

Restore to Factory Default Settings

You can restore the module to the factory default settings by uninstalling and then reinstalling the software image. When you uninstall and reinstall the software, you will lose all of your IDS/IPS signatures as well as all of your settings. After restoring factory defaults, you will need to reconfigure your module settings and download the IDS/IPS signatures again.
For example:
hostswitch(services-module-C:HD)# show images
--------Image Repository--------
1) ST.3.2.090315
2) ST.3.3.090821
3) ST.3.4.091103
6. If the latest software image is not in the image repository, follow steps 1 through 8 in “Update the Software with USB Drive” on page 2-80 to transfer the image folder to the module.
7. Uninstall the current product software:
Syntax: uninstall product
Uninstalls the current TMS zl Module software.

9. When the installation has finished, boot the Product OS:
Syntax: boot product
Boots the Product OS.
For example:
hostswitch# boot product
System will be rebooted. Do you want to continue [y/n]?
Rebooting
The module is now restored to the factory default settings.

Updating the Module Software

The software for the module can be updated through the Web browser interface or the CLI. TFTP and FTP move the image without authentication or encryption, so prefer SCP where you can, and in any case use a server that is reachable only from the management network.

If you select TFTP:
a. Server IP: Type the IP address of the TFTP server in dotted-decimal format.
b. File Name: Type the name of the image file, including the extension, for example, ST.3.2.091103.zip.
If you select SCP:
a. Server IP: Type the IP address of the SCP server in dotted-decimal format.
b. User Name: Type the user name for an SCP account.
c. Password: Type the password for the user name that you just specified.
d.
5.

4. Copy the image from the server and install.
Syntax: copy image user
Copies and installs the latest software version of the TMS zl Module from an FTP or SCP server. Replace with the IP address of the server. Replace with the path and filename of the software image, including the .zip extension.

4. Copy the image from the TFTP server and install.
Syntax: copy tftp image
Copies and installs the latest software version of the TMS zl Module from a TFTP server. Replace with the IP address of the server. Replace with the path and filename of the software image, including the .zip extension.
5.
6.

6. Insert the USB drive in the USB port on the TMS zl Module.
7. Wait a few seconds, then mount the USB drive.
hostswitch(services-module-C:HD)# usb mount
8. Copy the image from the drive to the module.
Syntax: usb copyfrom
Copies a file from the USB drive to the module. Replace with the name of the extracted directory. For example, if the image directory name is ST.3.2.
3 Initial Setup in Monitor Mode

Contents
Overview . . . 3-3
    Monitor Mode . . . 3-3
Deploying the TMS zl Module . . . 3-6
    Selecting the Deployment Location . . . 3-6
        At the Perimeter . . .
Configuring Management Access . . . 3-26
    Configure Initial Settings . . . 3-26
    Accessing the Web Browser Interface . . . 3-28
    Navigating the Web Browser Interface . . . 3-33
    Dashboard . . .
Overview

This chapter provides instructions for setting up the TMS zl Module if you are using monitor mode.

Figure 3-1. Logical Operation of TMS zl Module in Monitor Mode

In Figure 3-1, the TMS zl Module’s host switch receives traffic from directly connected devices, which can be endpoints or other switches. The switch both forwards the traffic to its destination and mirrors the traffic to the module data port. Both intra-VLAN and inter-VLAN traffic can be mirrored.

In Figure 3-2, a ProVision ASIC switch capable of remote mirroring also mirrors traffic to the TMS zl Module. When the switch receives traffic that has been selected for mirroring (whether by its port or VLAN), it both forwards the traffic toward its destination and sends a copy of the traffic in a mirror session to the module’s host switch.

Deploying the TMS zl Module

This section includes guidelines for deploying your TMS zl Module:
■ Selecting the deployment location
■ Readying the host switch

Selecting the Deployment Location

In monitor mode, the module operates as a traditional offline IDS, which analyzes traffic that is mirrored to it. Because it sees only a copy of the traffic, it can detect and log attacks but cannot block them.

The sections below present several typical deployments of a TMS zl Module operating in monitor mode.

At the Perimeter

The TMS zl Module in monitor mode can be deployed at the perimeter to monitor traffic routed to and from an external network, such as the Internet or a remote office. The key reason to deploy the TMS zl Module in monitor mode at the perimeter is to detect attacks from the Internet.

Installing several TMS zl Modules in host switches in different LAN segments will also increase the amount of traffic that is analyzed.
Figure 3-5. Deploying the TMS zl Module in Monitor Mode for Internal Protection

Both at the Perimeter and Inside the LAN

A TMS zl Module can be deployed to provide security both on the perimeter and within the LAN. Implementing both methods allows you to check both internal and external traffic.
Ready the Host Switch

After you install a TMS zl Module in a chassis slot in an HP ProCurve 5400zl or 8200zl Series switch, the switch recognizes the module by its ID. The switch names the module’s two internal ports as follows:
■ Port 1: This port is used for data, which, in monitor mode, is mirrored traffic that is to be analyzed by the module’s IDS.
■ Port 2: This port is used for management traffic.

Initial Setup

At this point, you should have planned your deployment, installed your TMS zl Module in an HP ProCurve 5400zl or 8200zl Series switch, and made necessary configurations to this switch. This section teaches you how to access the CLI for the TMS zl Module Services OS, install licenses, and boot the TMS zl Module Product OS.

Ensure That the Host Switch Recognizes the TMS zl Module

You should first ensure that the host switch recognizes that the TMS zl Module is installed in the switch by entering the following command:
hostswitch# show services
Table 3-1 shows an example output for this command. Notice that two items are listed for each TMS zl Module: Services zl Module and Threat Management Services zl Module. The Services zl Module is always displayed first with index number 1.

Understanding Index Numbers

The host switch assigns index numbers to all TMS zl Module and HP ProCurve ONE Services zl Module products according to these rules:
■ The host switch always assigns index number 1 to the Services OS that runs on ONE Services zl Modules and TMS zl Modules.
■ The host switch assigns index numbers to other products based on the order in which the products boot. The first to boot is assigned index number 2 and so forth.

Whenever you reboot the host switch, a TMS zl Module, or a ONE Services zl Module, you should enter the show services command to check the index numbers.

Access the TMS zl Module Services OS Context

The Services OS context is used to complete basic setup and maintenance tasks. You will configure the TMS zl Module itself from the Product OS context. (See “Access the TMS zl Module Product OS Context” on page 3-24.)
Activate the TMS zl Module

Before you begin configuring the TMS zl Module, you must activate the product by completing the following tasks. (Step-by-step instructions for each task are provided in the sections that follow.)
■ Register the TMS zl Module on the My ProCurve portal (https://my.procurve.com).
• Obtain the product registration ID and the activation hardware ID. For step-by-step instructions, see “Obtain the Necessary IDs” on page 3-14.

Figure 3-6. HP ProCurve Threat Management Services zl Module Registration and Licensing Card (callouts: make sure you have the correct Registration and Licensing Card; locate the product registration ID)

Activation Hardware ID. The TMS zl Module has two hardware IDs, as shown in Table 3-4.
Table 3-4.

To register the IDS/IPS signature subscription (if you have purchased one), you need the TMS-subscription hardware ID. (Instructions for registering the IDS/IPS signature subscription are provided after these instructions for activating the TMS zl Module. See “Register the IDS/IPS Signature Subscription” on page 3-19.)
To obtain the activation hardware ID, complete the following steps:
1. Access the host switch’s CLI.
2.

Register the TMS zl Module

Once you have obtained the product registration ID and the activation hardware ID, you can complete the TMS zl Module registration process on the My ProCurve portal.
1. Open a Web browser and enter https://my.procurve.com in the address bar.
Figure 3-7. My ProCurve Sign In Window
2. Type your My ProCurve ID and Password in the appropriate fields.

Install the Product License Key

The final step in the TMS zl Module activation process is to install the product license key. Complete the following steps:
1. Access the Services OS of the TMS zl Module. For example, if the TMS zl Module is installed in slot C in the switch chassis, you would type the following:
hostswitch# services c 1
2.
Register the IDS/IPS Signature Subscription

To receive updated IDS/IPS signatures, you can purchase one of the following:
■ HP ProCurve Threat Management Services zl Module with 1-year IDS/IPS Subscription (J9156A)
■ HP ProCurve Threat Management Services 1-year IDS/IPS Subscription (J9157A)
■ HP ProCurve Threat Management Services 2-year IDS/IPS Subscription (J9158A)
■ HP ProCurve Threat Management Services 3-year IDS/IPS Subscription (J9159A)
To begin using an

The subscription registration ID is printed on the front of this Registration Card. You will need this subscription registration ID when you register the IDS/IPS signature subscription.
Figure 3-8. HP ProCurve Threat Management Services x-Year IDS/IPS Subscription Registration Card (callouts: make sure you have the correct Registration Card; locate the subscription registration ID)

TMS-Subscription Hardware ID.

You are now in the Services OS context, and you should see a prompt that is similar to the following:
hostswitch(services-module-C:HD)#
3. Display the TMS-subscription hardware ID by entering the following command in the TMS zl Module’s Services OS CLI.
Syntax: licenses hardware-id tms-subscription
Displays the hardware ID for the IDS/IPS signature subscription.
4. Record the TMS-subscription hardware ID. (You may want to copy this hardware ID to a text file.

2. Type your My ProCurve ID and Password in the appropriate fields and click Sign In.
3. Click My Licenses.
4. Complete the process for registering the IDS subscription license. When you are done, a confirmation message is displayed, explaining that the license has been accepted. The TMS-subscription hardware ID is registered with the ProCurve signature server, and you will receive an email message confirming that you completed the process successfully.
Displays the current status of the module and the version of the operating systems running on the module. Replace with the letter of the slot where the module is installed.
Syntax: repeat
Repeatedly executes the previous command you entered.
For example, if the TMS zl Module is in slot C, you would enter:
hostswitch# show services c
hostswitch# repeat
You will continue to see updated output for the show services command.

Access the TMS zl Module Product OS Context

The Product OS context is used to configure the IDS and other features provided by the TMS zl Module. There are two command options for entering this context. The advantage of the first option is that it requires fewer keystrokes. The second option, on the other hand, does not require you to know the index number for TMS zl Modules on your host switch.

Table 3-6. CLI Display of Services Example 2
Slot     Index  Description                            Name
C, D, E  1      Services zl Module                     services-module
D        2      Data Center Connection Manager         dcm
C, E     3      Threat Management Services zl Module   tms-module

Option 2. Alternatively, you can access the Product OS context by specifying the product name for the TMS zl Module. This name never changes.
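Because the index of the TMS zl Module depends on boot order while its product name does not, a script that drives the host switch CLI should derive the index from a fresh `show services` listing (or simply use the name). The parser below, added here as an example and not HP's code, reads a listing in the shape of Table 3-6, checks it against the numbering rules stated in “Understanding Index Numbers”, and builds the `services` command either way. Both listings in the block are constructed to match Table 3-6 and a hypothetical reboot in which the products came up in a different order; the real output format may differ.

```python
"""Parse `show services` output and build the `services <slot> <index>` command.

Added example, not HP's code. The guide explains that index 1 always belongs to
the Services OS and that the other products are numbered in boot order, so the
TMS zl Module's index can change across reboots while its product name
(tms-module) does not. The listings below are constructed to match Table 3-6
and a hypothetical reboot; real output may be formatted differently.
"""
from __future__ import annotations

import re

# Constructed sample in the shape of Table 3-6 (not a real capture).
SAMPLE_OUTPUT = """\
Services Module Information
  Slot     Index  Description                             Name
  -------  -----  --------------------------------------  ---------------
  C, D, E  1      Services zl Module                      services-module
  D        2      Data Center Connection Manager          dcm
  C, E     3      Threat Management Services zl Module    tms-module
"""

# Same chassis after a reboot in which the TMS zl Module booted before dcm (constructed).
REBOOTED_OUTPUT = """\
  C, D, E  1      Services zl Module                      services-module
  C, E     2      Threat Management Services zl Module    tms-module
  D        3      Data Center Connection Manager          dcm
"""

# Slot letters (possibly a comma list), index, description, single-token name.
_ROW = re.compile(r"^\s*([A-Z](?:\s*,\s*[A-Z])*)\s+(\d+)\s+(.*\S)\s+(\S+)\s*$")


def parse_show_services(text: str) -> list[dict]:
    """Return one dict per product row: slots, index, description, name."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # headings, separators, blank lines
        slots = [s.strip() for s in m.group(1).split(",")]
        rows.append({"slots": slots, "index": int(m.group(2)),
                     "description": m.group(3).strip(), "name": m.group(4)})
    return rows


def product_index(rows: list[dict], slot: str, name: str = "tms-module") -> int | None:
    """Index number of `name` in `slot`, or None if that product is not in that slot."""
    for row in rows:
        if row["name"] == name and slot.upper() in row["slots"]:
            return row["index"]
    return None


def services_command(slot: str, rows: list[dict], by_name: bool = False) -> str | None:
    """Option 1 uses the (changeable) index; option 2 uses the fixed product name."""
    if by_name:
        return f"services {slot.lower()} tms-module"
    idx = product_index(rows, slot)
    return None if idx is None else f"services {slot.lower()} {idx}"


def check_index_rules(rows: list[dict]) -> list[str]:
    """Sanity checks against the numbering rules the guide states."""
    problems = []
    by_index = {r["index"]: r for r in rows}
    if by_index.get(1, {}).get("name") != "services-module":
        problems.append("index 1 is not the Services OS (services-module)")
    if sorted(by_index) != list(range(1, len(rows) + 1)):
        problems.append(f"indexes {sorted(by_index)} are not contiguous from 1")
    return problems


if __name__ == "__main__":
    rows = parse_show_services(SAMPLE_OUTPUT)
    print(services_command("C", rows))                # services c 3
    print(services_command("C", rows, by_name=True))  # services c tms-module
    print(services_command("C", parse_show_services(REBOOTED_OUTPUT)))  # services c 2
```

When the same slot yields `services c 3` before the reboot and `services c 2` after it, the by-name form is the one to put in any saved procedure or automation; the index form is fine for an interactive session in which you have just run `show services`.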
Configuring Management Access

This section explains how to configure management access on the TMS zl Module, as well as how to navigate the module’s Web browser interface.

Configure Initial Settings

Before you can access the Web browser interface and begin configuring the TMS zl Module, you must configure some initial settings. Specifically, you must access the CLI and complete these tasks:
■ Set the operating mode to monitor.

4. Configure the management VLAN:
Syntax: management vlan
Sets the VLAN for management and HA traffic.
For example:
hostswitch(tms-module-C:config)# management vlan 2
Note: You may want to set the management VLAN of the TMS zl Module to match the management VLAN of the switch, if any. The management VLAN, however, should not be the default VLAN: VLAN 1.
5.

hostswitch(tms-module-C:config)# ip route 0.0.0.0/0 10.1.5.1
See Appendix A: “Threat Management Services zl Module Command-Line Reference” for a complete list of CLI commands for the TMS zl Module.
You can now access the module using the Web browser interface by typing the IP address of the management VLAN in the browser’s address bar. See the following section, “Accessing the Web Browser Interface.”
Figure 3-10. Firefox 2.x Certificate Security Warning
b. Select Accept this certificate permanently.
c. Click OK. Another warning is displayed.
Figure 3-11. Firefox 2.x Domain Name Warning
d. Click OK. Depending on your security settings, another warning may be displayed, which tells you that you are about to view an encrypted page. If a warning is displayed, click OK.

■ Firefox 3
a. Type https:// followed by your module’s IP address in the address field. The following warning is displayed.
Figure 3-12. Firefox 3 Certificate Security Warning
b. Click Or you can add an exception.
c. Click Add Exception. The Add Security Exception window is displayed.
Figure 3-13. Add Security Exception Window
d. Click Get Certificate. The window updates to tell you that the certificate belongs to a different site.
e. Click Confirm Security Exception. The login window is displayed.

■ Internet Explorer 7 or 8
a. Type https:// followed by your module’s IP address in the address field. The following warning is displayed.
Figure 3-14. Firefox 2.x Certificate Security Warning Window
b. Click Continue to this website (not recommended). The login window is displayed.

When you gain access to the Web browser interface login window, you are prompted to enter a username and password. (See Figure 3-15.)
Figure 3-15. Web Browser Interface Login Window
In the User Name field, type manager, and in the Password field, type the default password: procurve.

Navigating the Web Browser Interface

The Web browser interface includes a navigation bar on the left.
To save configuration changes to NVRAM and ensure that they are not lost when the TMS zl Module is rebooted, you must click Save in the top right corner of the Web browser interface. When your changes are saved, you will see this message near the top of the window:
Figure 3-17. Changes Saved to the Startup Configuration
If you are using the CLI, you must enter the write memory command to save the running configuration to the startup configuration.

Icons. Figure 3-18 shows several common icons that appear in the Web browser interface (Delete, Edit).
Figure 3-18. Icons
■ Click the Delete icon to remove an object.
■ Click the Edit icon to edit an object.
The Delete and Edit icons are called “Tools.”

Dashboard

The TMS zl Module’s dashboard displays module settings and real-time statistics. The refresh rate (nonconfigurable) for the dashboard is four seconds.
Table 3-7. (Field: Description. How to configure)

CPU Usage: Percentage of TMS zl Module processor cycles being used. How to configure: n/a
Memory Usage: Percentage of real and cached memory being used on the TMS zl Module. High memory usage during low activity periods does not necessarily signal a problem; the cache memory may not have flushed recently. How to configure: n/a
Configure the Module’s Management Settings

To access the Web browser interface, you configured a set of management settings. You assigned a management VLAN and IP address, as well as a default gateway. But you can change these settings in the Web browser interface. To view or change the module’s management settings, complete the following steps.
1. Select System > Settings and click the General tab.
Figure 3-19.

Configure the Default Gateway

Typically, you should configure the default gateway as part of the initial setup from the CLI; however, you can also configure the default gateway from the Web browser interface. Complete these steps:
1. Select Network > Routing > Static Routes.
2. Click Add Static Route.
Figure 3-20. Add Static Route Window
3. For Destination Type, select Default Gateway.
4.

1. Select System > Settings and click the Operating Mode tab.
Figure 3-21. System > Settings > Operating Mode Window
2. Select Routing or Monitor. See “Operating Modes” in Chapter 1: “Overview” for an explanation of the operating modes.
3. Click Apply My Changes. Follow the prompts to reboot the module.
4. Click Save.

Change the Passwords

To configure new passwords for administrative users, follow these steps:
1.

4. For New password and Confirm new password, type a new password for the user. The new password cannot have more than 14 characters.
5. Click Apply My Changes.
Note: The operator cannot change passwords. Operator is read only in all windows.
6. Click Save.

Configure DNS

To configure the DNS server settings, complete the following steps:
1. Select Network > Settings > General.
Figure 3-23. Network > Settings > General Window
2.
Configuring Event Logging

There are four mechanisms for logging security events that the TMS zl Module detects:
■ Local logging—The module keeps its own internal logs, which may be exported to a compressed .tar file.
■ Email forwarding—The module can send alerts to as many as three email accounts.
■ Syslog forwarding—The module can forward log entries to up to three syslog servers.
Figure 3-24. System > Logging > View Log Window
In this window, you can see a real-time list of events for the TMS zl Module’s operation. To filter the logs that are displayed in this window, select and clear the appropriate check boxes under Filter. For example, to see logs of minor severity, complete the following steps.
1. Under Filter, select the Severity check box.
2. Select is for the type of filter.
3.
Your browser will save the .tgz file according to browser settings. The .tgz file is a compressed archive that contains a space-delimited .tar file that you can read with Windows Notepad or an equivalent text reader. You can also import the .tar file into a spreadsheet application such as Microsoft Excel. It is a good idea to name the log file after the date on which it was created.
To configure log settings, follow these steps:
1. Select System > Logging and click the Settings tab.
Figure 3-25. System > Logging > Log Settings Window
2. From the list, select the lowest severity level of the messages that you want to forward.
3. In the space provided, type the number of duplicate messages that you want to occur before a tally message is forwarded.
Figure 3-26. Duplicate Message Text Box
4.
Configure Email Forwarding

To forward event logs to email accounts, select System > Logging and click the Email Forwarding tab.
Figure 3-28. System > Logging > Email Forwarding Window
1. Select the Enable email forwarding check box.
2. For Email Server, type the IP address or FQDN of the email server.
3. For From Email Address, type the email address from which event logs will be sent.
4.
Configure Syslog Forwarding

To forward event logs to a syslog server, select System > Logging and click the Syslog Forwarding tab.
Figure 3-29. System > Logging > Syslog Forwarding Window
1. Select the Enable syslog forwarding check box.
2. Click Add Syslog Server. The Add Syslog Server window is displayed.
Figure 3-30. Add Syslog Server Window
3. For Address, type the IP address or FQDN of the syslog server.
4.
Configure SNMP Traps

SNMP traps are unsolicited messages that are sent by managed devices to alert you about specific events. For example, you can use PCM+ to manage the TMS zl Module by specifying the device running PCM+ as a trap destination. The TMS zl Module supports the standard MIB-II, the IF-MIB, and a proprietary MIB that is particular to the operation of the TMS zl Module.
Figure 3-32. Add SNMPv2 Destination Window
2. For Server Address, type the IP address or FQDN of an SNMP server. For example, if you are using PCM+, you would enter the IP address or FQDN of the server running PCM+.
3. For Community Name, type the read-write (unrestricted) community name. You must enter the read-write community name that is configured on the SNMP server.
4. Click OK.
5. Click Save.
2. For Server Address, type the IP address or FQDN of an SNMPv3 server. For example, if you are using PCM+, you would enter the IP address or FQDN of the server running PCM+.
3. For Username, type the SNMPv3 username for an account on the server. This must match the username configured on the SNMP server (such as PCM+).
4. For Auth Passphrase, type the authentication passphrase for the account on the server.
Figure 3-34. System > Settings > SNMP Window

SNMPv1/v2c

To configure SNMPv1/v2c settings, complete the following steps:
1. From the System > Settings > SNMP window, select Enable SNMPv1/v2 and click Add another community. The Add SNMPv1/v2 Community window is displayed.
Figure 3-35. Add SNMPv1/v2 Community Window
2. For Community Name, type the community name for the SNMP server.
3.
4. From the Write Access list, select Unrestricted (read-write) or Restricted (read only). Select the access that corresponds with the community name and role that you specified in steps 2 and 3.
5. Click OK.
6. Click Save.

SNMPv3

To configure SNMPv3 settings:
1. From the System > Settings > SNMP window, select Enable SNMPv3 and click Add another user. The Add SNMPv3 User window is displayed.
Figure 3-36. Add SNMPv3 User Window
2.
6. For Privacy Protocol, select the privacy protocol used for the account: None, DES, or AES. For the manager role, you must configure privacy settings. For the operator role, you may optionally configure privacy settings, but are not required to do so.
7. If you selected a protocol in the previous step, for Privacy Passphrase, type the privacy passphrase for the account.
8. Click OK.
9. Click Save.
Initial Setup in Monitor Mode System Maintenance

System Maintenance

It is recommended that you frequently save the startup configuration to a hard drive so that you can restore it to the TMS zl Module if the running configuration becomes corrupted or unusable for any reason. When configuring settings:
■ Click Apply My Changes and similar buttons to save changes to the running configuration.
Note: The saved configuration file is encrypted. If you need to analyze the saved configuration, contact HP ProCurve technical support.

Restore to a Previously Saved Configuration

To restore the module to a previously saved startup configuration:
1. From the System > Maintenance > Back Up/Restore window, click Browse.
2. Navigate to the saved configuration file and double-click the file to select it.
3. Click Restore and Reboot.
Figure 3-38. System > Maintenance > Factory Defaults Window
2. Click Erase Startup-Config and Reboot to reboot the module with the factory-default settings and the IDS/IPS signatures.
3. Click Yes in the warning that is displayed.

Erasing the Startup Configuration from the CLI

Product OS. You can erase the startup configuration from the Product OS context with the following commands.
1.
Restore to Factory Default Settings

You can restore the module to the factory default settings by uninstalling then reinstalling the software image. When you uninstall and reinstall the software, you will lose all of your IDS/IPS signatures as well as all of your settings. After restoring factory defaults, you will need to reconfigure your module settings and download the IDS/IPS signatures again.
For example:
hostswitch(services-module-C:HD)# show images
--------Image Repository--------
1) ST.3.2.090315
2) ST.3.3.090821
3) ST.3.4.091103
6. If the latest software image is not in the image repository, follow steps 1 through 8 in “Update the Software with USB Drive” on page 3-61 to transfer the image folder to the module.
7. Uninstall the current product software:
Syntax: uninstall product
Uninstalls the current TMS zl Module software.
For example:
hostswitch# boot product
System will be rebooted. Do you want to continue [y/n]? y
Rebooting
The module is now restored to the factory default settings.

Updating the Module Software

The software for the module can be updated through the Web browser interface or the CLI.
c. Password—Type the password for the user name that you just specified.
d. File Name—Type the name of the image file, including the extension, for example, ST.3.2.091103.zip.
3. Click Download and install to download the software to the module and install it. After the software has been installed, you must reboot the module to complete the installation.

Update Software with the CLI

Download the compressed software image from procurve.com.
6. You would type the following:
hostswitch(tms-module-C)# copy ftp image 192.168.1.13 ST.3.2.090311.zip user PROCURVEU\IUSR_CA
After you press Enter, the module prompts you for the password.
Password: procurve
7. The image is copied to the module, then automatically installed. When the prompt says that the installation is finished, reboot the module to complete the update.
hostswitch(tms-module-C)# reboot

Update the Software from a TFTP Server.
Update the Software with USB Drive.

To update the software image using a USB drive, do the following:
1. Extract the compressed software image.
2. Transfer the extracted image folder onto a USB drive in a directory called /services/images.
Note: The first partition on the USB drive must be in FAT32 or EXT2FS format.
3. Initiate a console session with the host switch.
4.
9. Update the software.
Syntax: update product
Updates the module software. Replace the image name with the name of the extracted directory that you copied to the module. For example, if the new image directory is ST.3.2.090311, you would type:
hostswitch(services-module-C:HD)# update product ST.3.2.090311
Again, you can use Tab completion for the file name.
10.
4 Firewall

Contents
Overview ... 4-4
Advantages of an Integrated Firewall ... 4-5
Stateful Firewall ... 4-5
Packet-Filtering Firewall ... 4-5
Circuit-Level Gateway ...
Processing Access Policies ... 4-31
Modifying an Existing Access Policy ... 4-32
Adding an Overlapping, Higher-Position Policy ... 4-36
Deleting a Policy ... 4-38
Pinging ...
smtp ... 4-83
sql ... 4-83
tftp ... 4-83
Port Triggers ... 4-83
Example Port Trigger ...
Firewall Overview

Overview

In the past, corporate networks were defined by clear, distinct boundaries, and network administrators implemented security using an “us versus them” mentality. Their job was to protect the inside, trusted network (us) against would-be attackers on the outside (them).
Advantages of an Integrated Firewall

Although firewall software can protect individual PCs, a firewall integrated into a switch has several advantages:
■ Software firewalls often use mainstream operating systems. Attackers study such systems for vulnerabilities. These operating systems are more vulnerable to targeted attacks and sporadic lock-ups, which can take down your firewall and leave your network unprotected.
Circuit-Level Gateway

A circuit-level gateway acts at the OSI Session Layer (Layer 5) to monitor the establishment of sessions between trusted and untrusted devices. Some circuit-level gateways establish proxy sessions with untrusted hosts for their clients.

Attack Checking. A circuit-level gateway monitors TCP handshakes between devices to determine whether or not a requested session is legitimate.
A stateful firewall, such as the firewall on the TMS zl Module, can analyze Application Layer data without acting as a proxy server. Instead, the firewall monitors sessions between hosts. When it determines that a session is valid, it allows the session to be established. Then the firewall uses algorithms to process the Application Layer data for packets that are associated with the session.
Firewall Named Objects

Monitor Mode

Figure 4-2. Packet Flow in Monitor Mode
In monitor mode, traffic is copied to the TMS zl Module, which analyzes the traffic for threats. If a threat is detected, the IDS creates a log entry, which may be forwarded to a syslog server, an SNMP trap server, or an email account, if configured.
There are five types of named objects:
■ Address objects
■ Address groups
■ Service objects
■ Service groups
■ Schedule objects
To see a summary of where you can use each type of named object, see Table 1-4, “Named Objects and Their Uses” on page 1-32 of Chapter 1: “Overview.”
For IP, range, and network address objects there are two entry types:
■ Single-entry—can be used in address groups, firewall access policies, NAT policies, port triggers, and IPsec policy traffic selectors
■ Multiple-entry—can be used in address groups and firewall access policies
To create an address object, follow these steps:
1.
• Create an IP address object:
i. Select IP from the Type list.
ii. Select an entry type.
iii. In the space provided, type an IP address in dotted-decimal format. For multiple-entry objects, type each entry on its own line. Example:
192.168.1.1
10.154.1.54
You can add up to 100 IP addresses to a single address object.
• Create an IP range address object:
i. Select Range (IP1-IP2) from the Type list.
ii. Select an entry type.
iii. In the space provided, type an IP address range, each address in dotted-decimal format.
Address Groups

Address groups are user-defined groupings of address objects. Any number or type of address objects can be placed in an address group. An address object can belong to more than one address group. You can create up to 1000 address groups, each with up to 500 address objects. You can use address groups when creating firewall access policies. To add an address group, follow these steps:
1. Select Firewall > Access Policies and click the Address Groups tab.
2.
Service Objects

A service object is a named object that contains a type of service. You can have up to 500 service objects. Some common service objects are included with the TMS zl Module, as shown in Table 4-1. You can use service objects in firewall access policies, NAT policies, port triggers, and IPsec policy traffic selectors.
Table 4-1.
Service          Transport Protocol  Port  Description
ident            TCP                 113   Identification Authentication Protocol
imap4            TCP                 143   Internet Message Access Protocol
ipsec-nat-t-tcp  TCP                 4500  NAT traversal for IPsec over TCP
ipsec-nat-t-udp  UDP                 4500  NAT traversal for IPsec over UDP
irc              TCP                 194   Internet Relay Chat Protocol
isakmp           UDP                 500   Internet Security Association and Key Management Protocol
kerberos-tcp     TCP                 750   Kerberos protocol over TCP
kerberos-udp     UDP                 750   Kerbero
radius           UDP                 1812  Remote Authentication Dial-In User Service
radius-acct      UDP                 1813  Remote Authentication Dial-In User Service (accounting)
rip              UDP                 520   Routing Information Protocol
secureid-udp     UDP                 5510  SecureID handshaking protocol over UDP
smtp             TCP                 25    Simple Mail Transfer Protocol
snmp             UDP                 161   Simple Network Management Protocol
snmptrap         UDP                 162   Simple Network Management Protocol Trap
sqlnet           TCP                 1521  Structure
2. Click Add Service.
Figure 4-5. Add Service Window
3. In the Name field, type the name of the service.
Note: You can use only letters, numbers, and the underscore character (_) in this field.
4. From the Protocol list, select a protocol.
If you select TCP or UDP in step 4, in the Port(s) fields, type the port number range, or if there is only one port number, type it in the first field.
2. Click Add Service Group.
Figure 4-6. Add Service Group Window
3. In the Name field, specify a name for the service group.
4. From the Available Services list, select a service.
5. Click the Move Right button to move the service into the Group Members list.
6. Repeat the previous two steps for each service that you want to put in the group.
7. Click Apply.
8. Create a new service group or click Close.
9. Click Save.
Figure 4-7. Add Schedule Window
3. Specify a name for the schedule object in the Name field.
Note: You can use only letters, numbers, and the underscore character (_) in this field.
4. Select each day that you want to include in the schedule.
5. Under Time, select one of the following:
• All day, to apply the schedule from midnight to midnight on the selected day(s).
• Starts, to specify a starting and ending time for the schedule.
Firewall Firewall Access Policies

Firewall Access Policies

A network’s first line of defense is its firewall, and the firewall’s access policies determine its effectiveness. The access policies tell the firewall which types of traffic are allowed to cross TMS VLAN boundaries. Firewall access policies specify what kind of traffic can cross zonal boundaries and under what circumstances.
Policy Groups

Firewall access policies are grouped by the following criteria:
■ Source and destination zones
■ Unicast or multicast traffic
■ User group

Default Access Policies

Some access policies are preconfigured on the factory default TMS zl Module. These general policies allow basic network operation, such as allowing routing protocols between all zones.
Preventing DoS on a Management-Access Zone

One of the policies that is created for a management-access zone permits HTTPS traffic from any IP address in the zone to the TMS zl Module. This policy opens up the potential for a DoS attack on the TMS zl Module’s internal HTTP server. A malicious user could flood the module’s HTTP server with connections, which could prevent management access from the Web browser interface.
2. From the User Group list, select the user group to which you want to apply the policy.
3. Click Add a Policy and follow these steps:

Basic Tab

Figure 4-8. Basic Add Policy Window
1. From the Action list, select Permit Traffic or Deny Traffic.
2. From the From list, select the source zone.
3. From the To list, select the destination zone.
4. Under Matching Criteria, accept the default values (any service, any address) or do the following:
a.
iii. From the Protocol list, select a protocol. If you selected TCP or UDP in step 4, in the Port(s) fields, type the port number range, or if there is only one port number, type it in the first field. When creating a service object for a well-known service on an alternative port, you may also need to add the port-to-service association. See “Port Mapping” on page 4-71.
b. From the Source and Destination fields, select an address object.
Figure 4-9. Advanced Tab
1. From the Schedule list, select a schedule object.
2. Under Limits, specify the limits to impose for the access policy.
• To place an absolute upper limit on the number of connections:
– For Maximum connections, specify the number of connections in the space provided.
• To limit the number of connections within a time span:
– For Number of connections, specify the maximum number of connections.
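The two limits on the Advanced tab (an absolute Maximum connections ceiling, and Number of connections within an interval) applied to the management-access HTTPS flood described under “Preventing DoS on a Management-Access Zone”, as an added Python model that is not code from the HP guide. It assumes the interval is measured as a sliding window (the guide does not say how the module measures it), and all connection events are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple


@dataclass
class PolicyLimits:
    """Limits as entered on a policy's Advanced tab (None = limit not set)."""
    max_connections: Optional[int] = None   # absolute upper limit on open connections
    connections: Optional[int] = None       # new connections allowed per interval
    interval: float = 1.0                   # interval length in seconds


class LimitedPolicy:
    """Admission control for one permit policy under the configured limits.
    The interval is modelled as a sliding window (an assumption of this example)."""

    def __init__(self, limits: PolicyLimits):
        self.limits = limits
        self.active = 0                        # currently open connections
        self.admitted: Deque[float] = deque()  # admission times inside the window

    def _rate_ok(self, now: float) -> bool:
        if self.limits.connections is None:
            return True
        window_start = now - self.limits.interval
        # Forget admissions that have aged out of the window.
        while self.admitted and self.admitted[0] <= window_start:
            self.admitted.popleft()
        return len(self.admitted) < self.limits.connections

    def open(self, now: float) -> bool:
        """Return True if a new connection arriving at `now` is admitted."""
        if (self.limits.max_connections is not None
                and self.active >= self.limits.max_connections):
            return False                       # absolute ceiling reached
        if not self._rate_ok(now):
            return False                       # too many new connections this interval
        self.active += 1
        self.admitted.append(now)
        return True

    def close(self) -> None:
        self.active = max(0, self.active - 1)


def simulate(events: List[Tuple[float, str]], limits: PolicyLimits) -> Tuple[int, int]:
    """Replay (time, 'open'|'close') events and return (admitted, dropped).
    Events are sorted by time; at equal times a 'close' is processed before an 'open'."""
    policy = LimitedPolicy(limits)
    admitted = dropped = 0
    for t, kind in sorted(events):
        if kind == "open":
            if policy.open(t):
                admitted += 1
            else:
                dropped += 1
        else:
            policy.close()
    return admitted, dropped


def https_flood(count: int, duration: float) -> List[Tuple[float, str]]:
    """Constructed burst: `count` HTTPS connection attempts from the management
    zone to the module, evenly spaced over `duration` seconds, none ever closed."""
    return [(i * duration / count, "open") for i in range(count)]
```

With a limit of 800 connections per 1-second interval, a burst of 1000 attempts inside half a second admits 800 and drops 200, while the same 1000 attempts spread over two seconds (500 per second) are all admitted.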
Orphaned Policies

With the module in routing mode (Layer 3), only the traffic that crosses TMS VLAN boundaries can be filtered by the TMS zl Module. If you configure a policy to affect traffic that originates in and is destined for the same TMS VLAN, the policy will not take effect because the traffic is not routed through the module.
Figure 4-10.
When host 10.10.0.56 tries to contact server 10.5.0.220, however, the switch forwards the traffic to the module because the traffic must cross a VLAN (subnet) boundary, which requires the services of a Layer-3 routing device. The TMS zl Module can therefore block the traffic from 10.10.0.56 with a firewall access policy.
Figure 4-11. Add Policy Window
11. Select the Enable this Policy check box.
12. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy.
13. Select the Enable logging on this Policy check box.
14. Click Apply.
15. Click Save.
The policy should appear as shown in Figure 4-12.
Figure 4-12.
To create this policy, follow these steps:
1. Create a single-entry range address object called Exec_Suite with 10.1.1.10-10.1.1.50. (See “Address Objects” on page 4-9 for instructions.) (This example assumes that the affected users have already been assigned IP addresses in that range.)
2. Create a schedule object called Thurs_Mtg for Thursdays from 9:00 am to 11:00 am. (See “Schedule Objects” on page 4-17 for instructions.)
3.
12. Select the Enable this Policy check box.
13. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy.
14. Select the Enable logging on this Policy check box.
15. Click the Advanced tab.
Figure 4-14. Add Policy Window
16. From the Schedule list, select Thurs_Mtg.
17. Click Apply, then Close.
18. Click Save.
The policy should appear as in Figure 4-15.
Figure 4-15.
To create this policy, follow these steps:
1. Select Firewall > Access Policies > Unicast.
2. From the User Group list, select guest.
3. Click Add a Policy.
4. From the Action list, select Permit Traffic.
5. From the From list, select INTERNAL.
6. From the To list, select EXTERNAL.
7. From the Service list, select Any Service.
8. From the Source list, select Any Address.
9. From the Destination list, select Any Address.
Figure 4-16. Add Policy Window
10.
Figure 4-17. Add Policy Window
14. For Maximum connections, type 500.
15. Click Apply, then Close.
16. Click Save.
The policy should be displayed as in Figure 4-18.
Figure 4-18.
Within these policies, the module starts with the policy that has the highest position (lowest numerical value). For example, it will compare a packet against Internal-to-External access policy 1 before it compares it to Internal-to-External access policy 2. The module takes the action that is specified in the first policy that the packet matches. It then stops processing policies.
In Figure 4-19, the endpoint in the Internal zone has an established FTP session with the FTP server in the DMZ. This connection was permitted by Internal-to-DMZ policy 2.
Figure 4-19.
If you modify access policy 2 to permit only traffic from 10.1.5.5–10.1.5.30, the connection will be reevaluated against the modified policy. The modified policy permits the traffic, so the session is continued. Figure 4-20 shows that the connection is still permitted by Internal-to-DMZ policy 2.
Figure 4-20.
If you modify access policy 2 to permit only HTTPS traffic, the connection will be reevaluated against the modified policy. The modified policy does not permit the traffic, so the connection is dropped. When the endpoint in the Internal zone attempts to reconnect, the connection request is evaluated against all of the Internal-to-DMZ policies. In Figure 4-21, you can see that the traffic is now permitted by Internal-to-DMZ policy 3.
Figure 4-21.
Adding an Overlapping, Higher-Position Policy

If you add a policy that overlaps an existing policy, and the new policy is a higher priority, then traffic that was allowed by the original policy will be dropped and reevaluated. In Figure 4-22, the endpoint in the Internal zone has an established FTP session with the FTP server in the DMZ. This connection was permitted by Internal-to-DMZ policy 2.
Figure 4-22.
If you add a new policy with priority 2 to the Internal-to-DMZ policies, the connection is dropped and then reevaluated against all of the Internal-to-DMZ policies. Figure 4-23 shows that the connection is permitted by Internal-to-DMZ policy 3, which used to be policy 2.
Figure 4-23.
Deleting a Policy

If you delete the policy that allowed an endpoint to send or receive traffic, the connections will be dropped and reevaluated. In Figure 4-24, the endpoint in the Internal zone has an established FTP session with the FTP server in the DMZ. This connection was permitted by Internal-to-DMZ policy 2.
Figure 4-24.
If you delete Internal-to-DMZ policy 2, the connection is dropped and then reevaluated against all of the Internal-to-DMZ policies. Figure 4-25 shows that the connection is now permitted by Internal-to-DMZ policy 2, which used to be policy 3.
Figure 4-25.
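The first-match evaluation and the three re-evaluation cases just described (modifying a policy, adding an overlapping higher-position policy, deleting a policy), as an added Python model that is not code from the HP guide. It follows the text’s description rather than the module’s implementation; the Internal-to-DMZ policies, the 10.1.5.x addresses and the services are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    """One access policy within a zone pair (here Internal-to-DMZ)."""
    action: str          # "permit" or "deny"
    service: str         # "any" or a service name such as "ftp"
    sources: List[str]   # "any", single IPs, "IP1-IP2" ranges or CIDR networks


@dataclass
class Connection:
    src_ip: str
    service: str


def addr_matches(entry: str, ip: str) -> bool:
    """Match one address-object entry (any, single IP, IP1-IP2 range or network)."""
    if entry == "any":
        return True
    addr = ip_address(ip)
    if "-" in entry:
        lo, hi = (ip_address(p.strip()) for p in entry.split("-", 1))
        return lo <= addr <= hi
    if "/" in entry:
        return addr in ip_network(entry, strict=False)
    return addr == ip_address(entry)


def policy_matches(policy: Policy, conn: Connection) -> bool:
    service_ok = policy.service in ("any", conn.service)
    return service_ok and any(addr_matches(e, conn.src_ip) for e in policy.sources)


class PolicyGroup:
    """Ordered policies for one zone pair; position 1 (highest) is checked first."""

    def __init__(self, policies: List[Policy]):
        self.policies = list(policies)

    def evaluate(self, conn: Connection) -> Tuple[Optional[int], str]:
        """First-match evaluation: return (1-based position, action) of the first
        matching policy and stop; a connection that matches nothing is denied."""
        for pos, policy in enumerate(self.policies, start=1):
            if policy_matches(policy, conn):
                return pos, policy.action
        return None, "deny"

    def modify(self, position: int, new_policy: Policy, conn: Connection) -> str:
        """Edit the policy that permitted `conn`. The established connection is
        re-checked against the modified policy only: it continues if that policy
        still permits it, otherwise it is dropped (a reconnect then goes through
        evaluate() against all policies)."""
        self.policies[position - 1] = new_policy
        still_ok = new_policy.action == "permit" and policy_matches(new_policy, conn)
        return "continued" if still_ok else "dropped"

    def insert(self, position: int, policy: Policy, conn: Connection) -> Tuple[Optional[int], str]:
        """Add a policy at `position`; later policies shift down one place (policy 2
        becomes policy 3). Established connections are dropped and re-evaluated
        against all policies, so the re-evaluation result is returned."""
        self.policies.insert(position - 1, policy)
        return self.evaluate(conn)

    def delete(self, position: int, conn: Connection) -> Tuple[Optional[int], str]:
        """Remove a policy; later policies shift up one place (policy 3 becomes
        policy 2). Connections are dropped and re-evaluated as for insert()."""
        del self.policies[position - 1]
        return self.evaluate(conn)


def internal_to_dmz_walkthrough() -> Dict[str, object]:
    """Replay the guide's Internal-to-DMZ scenario with constructed policies."""
    ftp = Connection(src_ip="10.1.5.20", service="ftp")
    group = PolicyGroup([
        Policy("permit", "http", ["any"]),          # policy 1
        Policy("permit", "ftp", ["10.1.5.0/24"]),   # policy 2: permits the FTP session
        Policy("permit", "any", ["any"]),           # policy 3
    ])
    out: Dict[str, object] = {"initial": group.evaluate(ftp)}
    # Narrow policy 2 to a range that still covers the host: the session continues.
    out["narrow_range"] = group.modify(
        2, Policy("permit", "ftp", ["10.1.5.5-10.1.5.30"]), ftp)
    # Change policy 2 to HTTPS only: the session is dropped; the reconnect is
    # evaluated against all policies and matches policy 3.
    out["https_only"] = group.modify(
        2, Policy("permit", "https", ["10.1.5.5-10.1.5.30"]), ftp)
    out["reconnect"] = group.evaluate(ftp)
    # Restore policy 2, then add an overlapping policy at position 2: the old
    # policy 2 becomes policy 3 and is the one that now permits the session.
    group.modify(2, Policy("permit", "ftp", ["10.1.5.0/24"]), ftp)
    out["after_insert"] = group.insert(
        2, Policy("permit", "http", ["10.1.5.0/24"]), ftp)
    # Delete the inserted policy 2: old policy 3 becomes policy 2 again.
    out["after_delete"] = group.delete(2, ftp)
    return out
```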
Firewall Pinging

Pinging

Before you get your network up and running, you will likely want to check connectivity. This is most easily done by sending a ping from one workstation to another. However, you must configure firewall access policies to allow ICMP echo messages before you can use ping messages.
Figure 4-26. Add Policy Window
12. Click Apply, and then click Close.

Sending a Ping from the TMS zl Module

To ping an IP address or hostname, complete the following steps:
1. Select System > Utilities > Ping.
2. For Hostname/IP Address, type the hostname or IP address of the device you are trying to reach.
3. For Count, select the number of ping messages you want the module to send.
4.
Figure 4-27.
Firewall User Authentication

User Authentication

Beyond firewalls, VPNs, and intrusion prevention and detection systems, the TMS zl Module provides security for your network by requiring users to authenticate to the network and requiring authorization for users to access specific resources and services. With the TMS zl Module, you can require network users to authenticate by entering their login credentials on a Web page (for which you can customize the banner).
Figure 4-28. System > Settings > General Window
2. If you want to use HTTP or HTTPS ports other than the well-known ports, configure the settings under Web Sessions. These port numbers will apply to both the authenticating users and management users. (You also might need to configure a port map for the new HTTP port. See “Port Mapping” on page 4-71.)
a. For HTTP Port, type the new port for HTTP authentication traffic.
b.
2. For User Group, select the group name that you have configured on the local database (see “Local Database” on page 4-68).
3. Click Add Policy. The Add Policy window is displayed.
4. From the Action list, select Permit Traffic.
5. From the From list, select the zone for which you want to require authentication.
6. From the To list, select SELF.
7. Under Matching Criteria, accept the default values (any service, any address) or do the following:
a.
Figure 4-29. Add Policy Window
12. Optionally, in the Insert Position field, specify the priority of this access policy.
13. Click Apply, and then click the Advanced tab.
14. Specify the number of connections and interval by which you want to limit traffic. In this example, the limit is 800 connections per second.
Figure 4-30. Add Policy Window
15. Click Apply then Close.
16. Click Save.
Once users authenticate, the TMS zl Module applies user-based firewall access policies to the zone from which the user logged in. The user’s zone is determined by the source IP address from which the user authenticated.

Using a RADIUS Server to Authenticate Users

The TMS zl Module works with RADIUS servers to provide both authentication and authorization.
combining authentication and authorization does have a disadvantage: you must use RADIUS for both functions. Therefore, if your network includes a legacy authentication server, you cannot add a RADIUS server just for authorization. Rather, you must either integrate the RADIUS server with the existing system or transfer all authentication information to the RADIUS server, essentially replacing the legacy authentication server.
Figure 4-31. CHAP Handshake
The steps of the handshake are as follows:
1. The client sends a request for access to the NAS, which translates it into an Access-Request packet and sends it to the RADIUS server. An Access-Request packet has the following fields:
• Username
• Password
• NAS port
• NAS ID
Note: The field NAS-Identifier is only sent for CHAP and MS-CHAP authentication requests (not for PAP requests).
2.
4. The RADIUS server performs a one-way hash on its own request and compares this value with the client’s response. If the values don’t match, the RADIUS server either:
• sends an Access-Reject packet, and the NAS denies access to the user.
• sends another Access-Challenge packet.
If the values match, the RADIUS server sends an Access-Accept packet, and the NAS allows the user to access the network. Some advantages and disadvantages of CHAP are listed in Table 4-4.
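The CHAP exchange described above, as an added Python model (not code from the HP guide). It assumes the RFC 1994 CHAP response, MD5 over the one-byte identifier, the user’s secret and the challenge, which is the value the RADIUS CHAP-Password attribute carries; the server challenges, recomputes the hash from its own copy of the secret and either accepts, challenges again or rejects. Usernames, secrets, the NAS identifier and the retry limit are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


@dataclass
class AccessChallenge:
    identifier: int      # one-byte CHAP identifier the client must echo back
    challenge: bytes     # random challenge value (CHAP-Challenge attribute)


@dataclass
class AccessRequest:
    """Fields the guide lists for an Access-Request, plus the CHAP response
    once the client has answered a challenge."""
    username: str
    nas_port: int
    nas_identifier: str                 # carried for CHAP/MS-CHAP requests, not PAP
    identifier: Optional[int] = None
    response: Optional[bytes] = None


class RadiusServer:
    """Verifies CHAP responses against a constructed user database. A wrong
    response earns another Access-Challenge up to `max_challenges` challenges
    in total, after which the server sends Access-Reject."""

    def __init__(self, users: Dict[str, str], max_challenges: int = 2):
        self.users = users
        self.max_challenges = max_challenges
        self.outstanding: Dict[str, AccessChallenge] = {}
        self.attempts: Dict[str, int] = {}

    def _new_challenge(self, username: str) -> AccessChallenge:
        chal = AccessChallenge(identifier=os.urandom(1)[0], challenge=os.urandom(16))
        self.outstanding[username] = chal
        self.attempts[username] = self.attempts.get(username, 0) + 1
        return chal

    def handle(self, req: AccessRequest) -> Tuple[str, Optional[AccessChallenge]]:
        """Return the reply packet type and, for Access-Challenge, the challenge."""
        if req.response is None:
            # First request: challenge every username, known or not, so the
            # reply does not reveal which accounts exist.
            return "Access-Challenge", self._new_challenge(req.username)
        chal = self.outstanding.pop(req.username, None)
        secret = self.users.get(req.username)
        if chal is None or secret is None or req.identifier != chal.identifier:
            return "Access-Reject", None      # unknown user, stale or replayed response
        # The server hashes its own challenge with the stored secret and compares.
        expected = chap_hash(chal.identifier, secret, chal.challenge)
        if hmac.compare_digest(expected, req.response):
            self.attempts.pop(req.username, None)
            return "Access-Accept", None
        if self.attempts.get(req.username, 0) < self.max_challenges:
            return "Access-Challenge", self._new_challenge(req.username)
        return "Access-Reject", None


def run_chap(server: RadiusServer, username: str, password: str,
             nas_identifier: str = "tms-zl-module", nas_port: int = 0) -> str:
    """Drive the client/NAS side of the exchange and return the final packet type.
    The password never leaves the client; only the hash over the challenge does."""
    req = AccessRequest(username, nas_port, nas_identifier)
    for _ in range(server.max_challenges + 1):
        kind, chal = server.handle(req)
        if kind != "Access-Challenge":
            return kind
        assert chal is not None
        req = AccessRequest(username, nas_port, nas_identifier,
                            identifier=chal.identifier,
                            response=chap_hash(chal.identifier, password, chal.challenge))
    return "Access-Reject"
```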
Figure 4-32. PAP Handshake
The PAP handshake process is as follows:
1. The client sends a request to the NAS. The NAS translates the packet and forwards it to the RADIUS server. This packet includes only a username and password.
2. The RADIUS server determines if the credentials are valid. If the credentials are invalid, the RADIUS server sends an Access-Reject packet. The NAS denies network access to the user.
Access Control List. An ACL is a list of permissions attached to an object—in this case, the user. The list specifies exactly which other users (or subnets) the object is allowed to contact (and vice versa). It also specifies exactly which resources the user is allowed to access.
This window displays each RADIUS server’s:
■ Address
■ Secret key
■ NAS ID
■ Domain name
■ Whether you are stripping the domain
2. Under RADIUS Global Configuration, select an authentication Protocol from the list.
You can configure up to three RADIUS servers on each domain. To add a RADIUS server, complete the following:
1. Click Add RADIUS Server. The Add RADIUS Server window is displayed.
Figure 4-34. Add RADIUS Server Window
2.
6. On the TMS zl Module, users submit their username followed by @. In some cases, you may need to strip the domain name from the credentials. To do this, select the Strip domain check box.
7. Click OK. The RADIUS server is now displayed in the Network > Authentication > RADIUS window.
8. Click Save.

Example RADIUS Configurations

Coordination with Windows Server 2003.
4. Right-click RADIUS Clients, and then click New > RADIUS Client. The New RADIUS Client Wizard is launched.
Figure 4-36. Windows Server 2003—New RADIUS Client Wizard
5. For Friendly name, type a name for the TMS zl Module.
6. For Client address (IP or DNS), type the IP address or domain name of the module.
7. Click Next.
Figure 4-37. Windows Server 2003—New RADIUS Client Wizard
8. For Client Vendor, accept the default, RADIUS Standard.
9. For Shared secret and Confirm shared secret, type a shared secret for the RADIUS server.
10. Clear the Request must contain the Message Authenticator attribute check box and click Finish.
11. In the Internet Authentication Server window, right-click Remote Access Policies, and then select New > Remote Access Policies.
Figure 4-38. Windows Server 2003—New Remote Access Policy Wizard
13. Select Set up a custom policy.
14. For Policy name, type the name of the policy.
15. Click Next.
Figure 4-39. Windows Server 2003—New Remote Access Policy Wizard
16. Click Add. The Select Attribute window is displayed.
Figure 4-40. Windows Server 2003—New Remote Access Policy Wizard (Select Attribute)
17. Select Windows-Groups and click Add.
18. In the Groups window, click Add. The Select Groups window is displayed.
Figure 4-41.
19. In the Select Groups window, type the names of the groups that you want to authenticate to the module using a RADIUS server.
20. Click OK twice, and then click Next.
21. Select Grant Remote Access and click Next.
22. Click Edit Profile.
23. In the window that is displayed, click the Authentication tab.
24. Select the check box(es) for the type of RADIUS authentication used on your network.
25. Click OK. Click No for any prompts that are displayed.
26.
Figure 4-43. Add RADIUS Server Window
32. For Server Address, type the address of your IAS.
33. For Secret, type the shared secret for your RADIUS server. Be sure to set the same secret here that you did in step 9.
34. For NAS Identifier, type the NAS ID of your module. Be sure to set the same identifier here that you did in step 6.
35. For Domain Name, type the name of the domain to which your server belongs.
36. Click OK.
37. Click Save.
For more information, see http://www.microsoft.com.
1. Open NPS on your Windows server by selecting Start > Administrative Tools > Network Policy Server. The Network Policy Server window is displayed.
Figure 4-44. Windows Server 2008—Network Policy Server Window
2. Expand RADIUS Clients and Servers.
3. Right-click RADIUS Clients, and then click New RADIUS Client. The New RADIUS Client window is displayed.
Figure 4-45. Windows Server 2008—New RADIUS Client Window
4. For Friendly name, type a name for the TMS zl Module.
5. For Address (IP or DNS), type the IP address or domain name of the module.
6. For Vendor name, accept the default, RADIUS Standard.
7. For Shared secret and Confirm shared secret, type the shared secret for the RADIUS server.
8.
10. Right-click Network Policies, and then select New. The New Network Policy wizard is launched.
11. For Policy name, type the name of the policy.
12. Click Next.
Figure 4-46. Windows Server 2008—New Network Policy Wizard
13. Click Add. The Select Conditions window is displayed.
Figure 4-47. Windows Server 2008—New Network Policy Wizard (Select Attribute)
14. Select Windows Groups and click Add.
15. In the Windows Groups window, click Add Groups.
Figure 4-48. Windows Server 2008—New Remote Access Policy Wizard (Select Groups)
16. In the Select Groups window, type the names of the groups that you want to authenticate to the module using a RADIUS server.
17. Click OK twice, and then click Next.
18. Select Access Granted and click Next.
19. Select the check box(es) for the type of RADIUS authentication used on your network.
20. Click Next in the next three windows.
21. Review the policy settings, and then click Finish.
22. On the TMS zl Module, create a firewall access policy that permits RADIUS and RADIUS-ACCT traffic from the Self zone to the zone in which your NPS resides.
Figure 4-50. Add RADIUS Server Window
28. For Server Address, type the address of your NPS.
29. For Secret, type the shared secret for your RADIUS server. Be sure to set the same secret here that you did in step 7.
30. For NAS Identifier, accept the default, which is the NAS ID of your module, or if you specified another ID in step 5, type that ID.
31. For Domain Name, type the domain to which your server belongs.
32. Click OK.
33. Click Save.
Local Database
Rather than use an external server, you can use the module to authenticate users. The TMS zl Module has just one default user group, the guest user group. However, you can configure up to 16 user groups and up to 100 users. In addition to keeping a local list of user groups and their associated users, the module can enforce timeout limits on a per-user basis.
The Network > Authentication > Local Users window displays the following information:
■ User group
■ User name
■ Inactivity Timeout—the number of seconds of inactivity allowed per user.
The module has one default user group, guest. To add a user group, click Add Group. The Add Group window is displayed.
Figure 4-53. Add Group Window
1. For Group Name, type the name of the user group.
Figure 4-54. Add User Window (guest group)
2. For Username, type the username for the user that you are adding.
3. For Password and Verify password, type the password for the user.
4. For Inactivity Timeout, type the number of seconds that you want an inactive session to remain open.
5. Click OK. The user is now displayed in the Network > Authentication > Local Users window.
6. Click Save.
Firewall Port Mapping

Port Mapping
A port map is a port-to-application association. The firewall ALGs draw on the port maps to learn which application to expect on a particular TCP or UDP port. For example, if you add a port map that associates FTP with UDP 55555, the TMS zl Module will treat traffic on UDP 55555 as FTP traffic—any ALGs that apply to FTP will be applied to traffic on UDP 55555.
Service   Protocol   Port
SMTP      TCP        25
SNMP      UDP        162
SNMP      UDP        161
TCPDNS    TCP        53
TCPRPC    TCP        111
TCPRPC    TCP        1025
TCPSIP    TCP        5060
TELNET    TCP        23
UDPDNS    UDP        53
UDPRPC    UDP        111
UDPRPC    UDP        1024
UDPRPC    UDP        369
UDPSIP    UDP        5060

Mapping Ports
If you suspect that an attacker is more likely to attack a certain service, you may want to send that traffic through a different port.
To configure a port map, complete the following steps:
1. Click Add Port Map. The Add Port Map window is displayed.
Figure 4-56. Add Port Map Window
2. For Service, select a service from the list. The protocol that is used with that service will automatically populate the Protocol field.
3. Type the port number that you want to assign to the service in the Port field.
4. Click OK.
5. Click Save.
Firewall Application-Level Gateways

Application-Level Gateways
Acting as a proxy server between a trusted client and an untrusted host, an ALG filters packets at Layer 5. Some applications open data-transfer connections dynamically by negotiating IP addresses and service ports, which requires special handling by the firewall. Some ALGs also perform NAT inside the packet types that they support. You cannot enable or disable the ALGs from the Web browser interface: you must use the CLI.
Table 4-6. Supported ALGs
CLI Name   ALG Name                                      Control Ports to Open   ALG Type
aim        America Online Instant Messenger 5.9, ICQ 4.
ALG Functions
The following section lists the ALGs in alphabetical order by CLI name and explains how each ALG functions.

aim
The AOL IM ALG
■ supports the following functionalities of AOL IM 5.
Unlike other ALGs, which provide either NAT-ALG or firewall-ALG functionality, the ESP ALG also keeps track of SPI values to ensure that packets are handed over to the correct internal machines.

ftpv4
The FTP ALG:
■ creates dynamic associations based on the information that is exchanged in the control-connection payloads, which enables data connections to be established between the server and client.
ike
Some IKE applications expect the peers to always use source port UDP 500. If a NAT device is present at the peer end, this does not work, because the NAT device translates traffic coming from one of the internal devices inside the private network. The IKE ALG ensures that only one IKE session is in negotiation at one time, thereby allowing the internal device to use UDP 500.
l2tp
The Layer 2 Tunneling Protocol (L2TP) ALG is required to cover the following two scenarios:
1. The Windows 200x L2TP Network Server (LNS) deviates from the L2TP implementation by always sending L2TP data packets to UDP 1701 rather than to the port number from which the client initiated the connection.
msn
The MSN ALG supports the following functionalities of Microsoft Instant Messenger 7.
pptp
PPTP uses TCP 1723 for its control connection and Generic Routing Encapsulation (GRE) for its data connection. The PPTP ALG:
■ processes all packets that arrive on TCP 1723. PPTP control message types are the following:
  • Control-connection management — The ALG does not process any of these messages; the packets are allowed to pass through without any processing.
rpc
The RPC ALG:
■ interprets the following message types:
  • CALL — Contains the RPC transaction ID.
  • REPLY — Contains the RPC transaction ID that is sent by the client and the protocol and port number on which the data connection is to be established.
  • ACCEPT — Specified in the reply message, this type means that the server has accepted the call.
Firewall Port Triggers

smtp
The SMTP ALG allows you to restrict access to some SMTP commands: it checks each SMTP command to see whether the command is allowed. If the command is not allowed, it drops the packet.

sql
The SQL ALG interprets and translates the redirect messages coming from the network listener. This message contains the IP address and the listen port of the SQL server that the client needs to contact for data transfer.
Figure 4-57. Firewall > Port Triggers > Policies Window
2. Click Add a port trigger. The Add Port Trigger window is displayed.
Figure 4-58. Add Port Trigger Window
3. Type a name in the Policy Name field. It is a good practice to specify a policy name that reflects the services involved in the trigger.
4. For Source, specify a device that is behind the firewall by doing one of the following:
   • Select Any or an address object from the list.
7. From the Protocol/Ports list, specify the port on which the application makes its control connection by doing one of the following:
   • Select a service object from the list. Service groups are not displayed in this list. Do not select service objects with multiple ports.
   • Click Options.
     – Select Enter custom Protocol/Ports.
     – For Protocol/Ports, select TCP or UDP.
     – For Ports, type a port or range of ports.
Figure 4-59. Sample Network
The figure above shows the clients behind the firewall and two sets of clients outside of the firewall. You want to permit connections only to and from the two addresses (172.19.55.0/24 and 172.23.11.0/24) on the Internet. To configure this example, you will need a port trigger to permit connections to be initiated from either side of the firewall, and firewall access policies to limit the connections to the two addresses.
7. Under Allow Outbound Connections from Source, do the following:
   • Select UDP, then type 7175 in the Ports field.
   • Select TCP, then type 8680 and 8686 in the Ports fields.
8. Select the Allow inbound connections from any machine check box.
9. Select the Enable this port trigger check box.
Figure 4-60. Add Port Trigger Window
10. Click OK and Close.
11. Click Save.
12.
Firewall Attack Checking

Attack Checking
The TMS zl Module automatically detects and blocks specific known attacks. It monitors TCP handshakes and drops packets with flags that signal known attacks. The TMS zl Module firewall checks for these attacks by default:
■ IP spoofing
■ Ping of death
■ Land attacks
■ IP reassembly attacks
Note
You cannot prevent the firewall from dropping packets that display the signs of these attacks.
ICMP Replay
In this attack, the attacker sends Internet Control Message Protocol (ICMP) messages to one or many ports, in hopes of mapping out open and closed ports. No response indicates that a port is open. The attacker can then use this information to launch many types of attacks, including a DoS attack. Enable this check to drop all duplicate ICMP messages.

ICMP Error Messages
ICMP reports problems that are incurred while delivering IP packets.
Figure 4-61. ICMP Blind Connection-Reset Attack
■ Blind throughput-reduction attacks
  Source Quench messages are sent if a router or host does not have the buffer space needed to sequence the packets for the next network device or if they are sent too fast for the receiving device to process. This message is a request for the sender to slow the rate at which packets are sent. An attacker can forge a Source Quench message, which causes a significant decrease in throughput.
Figure 4-62. SYN Flood Attack
A variation of this attack creates another victim, as well as the original target. Rather than using an unreachable source address, the attacker uses IP spoofing to include a source address from another legitimate source. The target host then begins sending SYN/ACK packets to the spoofed address, which did not send the SYN packets. The attacker can then create havoc on two, or even more, systems at once.
Generally, source routing use is limited to network administrators who are checking the connectivity of network devices. By forcing a packet to route through a particular device, the administrator confirms that a device is connected because the packet is not dropped. Source routing can also be used by an attacker to:
■ Map a network
  By specifying the exact route each packet must take, an attacker can eventually determine the location of the end device and all devices in between.
The two devices participating in the three-way handshake exchange initial sequence numbers (ISNs) in the first two steps of the three-way TCP handshake. An attacker can mount a sequence-number-prediction attack in two ways, by:
■ Guessing the ISN and using a spoofed IP address, thereby securing a session with the targeted network device.
■ Hijacking a TCP session by predicting a packet’s sequence number and injecting a packet with that number.
Figure 4-64. TCP Sliding Window
In Figure 4-64, as bytes are acknowledged by the server, the window “slides” to the right. That is why it is called a sliding window. The TMS zl Module allows you to set the range of bytes within the window, called the sequence range. The advantages and disadvantages of the sequence range sizes are discussed in the following table.
Table 4-7.
The optimal sequence range is the product of these two elements. A correctly sized range allows data to be sent continuously (without the sender stopping to wait for acknowledgment) while enabling fast recovery times for lost data. After you select the Sequence Number Out of Range check box, configure the following:
■ In the Range field, type a number between 1 and 65535. The larger the TCP window size, the larger the range of sequence numbers that will be accepted.
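An added Python example (not from this guide) of the Sequence Number Out of Range check: a per-connection tracker that passes a segment only when its sequence number lies within the configured range above the next expected byte, computed modulo 2^32 so the check still holds when sequence numbers wrap. The ISN, range and segment values are constructed.

```python
"""Sequence-number range check as a stateful firewall applies it.

Added example, not code from the HP guide. The firewall keeps, per
connection, the next sequence number it expects from a sender and accepts
a segment only if its sequence number falls within the configured range
(1-65535 in this module) above that point, on the 32-bit sequence circle.
"""
from typing import List, Tuple

SEQ_MOD = 1 << 32


def seq_in_range(seq: int, expected: int, rng: int) -> bool:
    """True if seq lies in [expected, expected + rng) modulo 2^32."""
    return (seq - expected) % SEQ_MOD < rng


class SeqChecker:
    """Tracks one direction of one TCP connection."""

    def __init__(self, isn: int, rng: int) -> None:
        if not 1 <= rng <= 65535:
            raise ValueError("range must be between 1 and 65535")
        self.expected = (isn + 1) % SEQ_MOD  # first data byte follows the SYN
        self.rng = rng

    def inspect(self, seq: int, length: int) -> str:
        """Return 'pass' or 'drop'; slide the window forward on in-order data."""
        if not seq_in_range(seq, self.expected, self.rng):
            return "drop"  # outside the window: forged or badly out of order
        if seq == self.expected:
            self.expected = (self.expected + length) % SEQ_MOD
        return "pass"


def run_trace(isn: int, rng: int, segments: List[Tuple[int, int]]) -> List[str]:
    """Feed (seq, length) pairs through one checker and collect the verdicts."""
    chk = SeqChecker(isn, rng)
    return [chk.inspect(seq, ln) for seq, ln in segments]


# Constructed trace: ISN just below the 2^32 wrap, range 4096 bytes.
TRACE = [
    (0xFFFFFF01, 512),  # in order; expected becomes 0x101 after the wrap
    (0x7FFF0000, 40),   # injected segment with a guessed number: far outside
    (0x101, 100),       # in order; expected becomes 357
    (0x300, 10),        # ahead of expected but inside the 4096-byte range
    (4453, 1),          # exactly range bytes ahead: first number outside
    (4452, 1),          # last number inside the range
]

if __name__ == "__main__":
    print(run_trace(0xFFFFFF00, 4096, TRACE))
    # ['pass', 'drop', 'pass', 'pass', 'drop', 'pass']
```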
Enable and Disable Optional Attack Checks
To select the attack checks that you want the TMS zl Module to perform, complete the following steps:
1. Select Firewall > Settings > Attack Settings.
Figure 4-65. Firewall > Settings > Attack Settings window
2. Select or clear a check box to enable or disable, respectively, an attack check.
3. Click Apply my changes.
4. Click Save.
Firewall Connection Timeouts

Connection Timeouts
In addition to screening TCP and UDP packets for attacks, the TMS zl Module monitors all ICMP, TCP, and UDP sessions. One of the advantages of a stateful firewall is that it monitors sessions to ensure that they proceed in a valid and logical fashion. To maintain secure sessions, the firewall times out inactive sessions after a specified time.
■ Risk tolerance
  Timeout settings are proportional to risk tolerance. They should increase as risk tolerance increases. For example, a network with low risk tolerance should have short timeout values.

Configure Timeout Settings for Sessions
To configure the timeout settings, complete the following steps:
1. Select Firewall > Settings and click the Connection Timeouts tab. The Connection Timeouts window is displayed.
Figure 4-66. Connection Timeouts window
2.
Configure Timeout Settings for Services
To configure a custom timeout, complete the following steps:
1. Click Add Custom Timeout. The Add Custom Timeout window is displayed.
Figure 4-67. Add Custom Timeout
2. Type the name of the service in the Name field.
3. Choose either TCP or UDP from the Protocol list. Be sure to select a protocol that is compatible with the service you typed in step 2.
4. For Port, type a port number or port range for the service.
5.
Firewall Resource Allocation

Resource Allocation
With any network, it is important to ensure that every user is able to access resources. Additionally, there may be some users who need priority over others. The TMS zl Module allows you to set connection limits for each zone as well as reserve firewall connections for specific addresses or address ranges.
Suggested uses for connection reservations include the following:
■ Ensuring that network administrators have connectivity during a DoS attack
■ Guaranteeing that users can always access certain applications
■ Reserving connections for users who must be able to connect to a network resource at all times
However, each connection reservation that you make decreases the total number of connections that are available generally, so you should always take into account how many
Figure 4-68. Outbound Connection Reservation
In this example, a connection reservation count of 10 has been configured for 50 IP addresses: 10.1.1.11–10.1.1.60. Therefore, 500 (10 x 50) connections are reserved from IP addresses 10.1.1.11–10.1.1.60 into the DMZ zone.
The following is therefore true:
Figure 4-69. Outbound Connection Reservation Implication
■ When the total active connection threshold of 39,500 (40,000 – 500) is reached, the module will not permit any more connections into the External zone unless the connections are initiated by hosts with IP addresses in the 10.1.1.11–10.1.1.60 range.
Figure 4-70.
Figure 4-71. Outbound Connection Reservation Implication
■ If the current connection count in Zone1 is 10,500 (500 connections of which are reserved), and 500 non-reserved connections are closed, then the Zone1 limit will revert to its limit of 10,000. At this point the Zone1 maximum connection threshold (10,000) already provides for the reserved connections. Any other new connections from Zone1 to any zone will not be successful.
Figure 4-72. Inbound Connection Reservation
In this example, a connection reservation count of 100 has been configured for one IP address: 10.1.2.22. Therefore, 100 (100 x 1) connections are reserved from Zone1 to the IP address 10.1.2.22. The following is therefore true:
Figure 4-73.
■ When the total active connection threshold of 39,900 (40,000 – 100) is reached, the module will not permit any more connections from Zone1 unless the connections are destined for the server at 10.1.2.22.
Figure 4-74. Inbound Connection Reservation Implication
■ When the number of connections from Zone1 reaches 10,000, the module will set aside 100 connections from the other zones’ connection limits, provided that enough connections are available in the other zones.
connections. Any other new connections from Zone1 to any zone will not be successful. However, if the connection limits for other zones have not been reached, new connections can be made to and from those zones. You can also define timeouts for services. In these examples the reservation is made across zones, but you can also make reservations within a zone.
Figure 4-77. Add Connection Reservation Window
3. From the Zone list, select a zone that will be either the source or destination of the reserved connections. For inbound connections, this is the source zone. For outbound connections, this is the destination zone. You cannot select EXTERNAL.
4. From the Direction list, select one of the following:
   • Inbound if the reserved IP addresses are the destination
   • Outbound if the reserved IP addresses are the source
5.
To make the reservations shown in the figure above, follow these steps:
1. Select Firewall > Settings and click the Connection Allocations tab.
2. Click Add Connection Reservation.
3. From the Zone list, select Zone1.
4. From the Direction list, select Outbound.
5. In the Reserved for IP Addresses fields, type 10.1.1.100 and 10.1.1.102.
Figure 4-79. Add Connection Reservation Window
Figure 4-80. Firewall > Settings > Connection Allocations (with Connections Configured)
14. Click Save.
Firewall IP Reassembly

IP Reassembly
The maximum transmission unit (MTU) determines the size of the largest packet that can pass through the Data-Link Layer (Layer 2) of a connection. If a packet is larger than the MTU for that device, it will be broken into fragments. Fragments from one intermediate device may be further fragmented by another intermediate device.
Figure 4-82. Packet Reassembly

Configuring MTU
The default setting for the MTU is 1500, but the TMS zl Module allows you to adjust this setting to between 1500 and 16,110. To adjust the MTU, complete the following steps:
1. Select Network > Settings > General.
Figure 4-83. Network > Settings > General Window
2. Under General Settings, for MTU, type the desired MTU value.
3. Click Apply my changes.
4. Click Save.
Configuring IP Reassembly
The default settings for IP reassembly are in Table 4-8. Consult the product literature for your routing devices to see the optimum settings for your network.
Table 4-8.
5 Network Address Translation

Contents
Overview  5-2
NAT Operations  5-3
  Source NAT  5-3
    One-to-One  5-4
    Many-to-One
Network Address Translation Overview

Overview
Network Address Translation (NAT) is the process of translating network IP addresses in a way that is transparent to the end users. It has traditionally been a method of translating internal, private IP addresses into public IP addresses. Companies typically choose to translate internal IP addresses for address conservation.
Network Address Translation NAT Operations

NAT Operations
In routing mode the TMS zl Module can apply NAT to network traffic. (Monitor mode does not support NAT.) While the module’s firewall provides the NAT capability, the NAT policies are entirely separate from the firewall access policies for increased flexibility. This section describes the types of NAT that the TMS zl Module can perform. This information is only intended to inform you of the module’s capabilities.
Figure 5-1. Source NAT
Note
Source NAT is often referred to as just NAT. This guide will always refer to it as source NAT.

One-to-One
With one-to-one source NAT, each local device receives its own new IP address for the destination network. The source IP address is replaced with the NAT IP address, but the source port remains the same. The TMS zl Module will perform one-to-one NAT if the number of source addresses and the number of NAT addresses is identical.
The source and destination IP address (SA, DA) and port fields (SP, DP) in five outbound IP packet headers are shown in Table 5-2. The translated fields are shown with shading. Notice that the source port is translated only if two devices have the same original source port. The module keeps track of this change so that it can correctly translate reverse traffic to these devices.
Table 5-2.
Table 5-3. Many-to-Many Source NAT
Before NAT                                  After NAT
SA1        SP1    DA1            DP1        SA2           SP2      DA2            DP2
10.1.1.10  50055  172.16.122.63  80         192.168.5.22  50055    172.16.122.63  80
10.1.1.11  50056  192.168.2.77   21         192.168.5.23  50056    192.168.2.77   21
10.1.1.12  50057  172.16.222.8   88         192.168.5.24  50057    172.16.222.8   88
10.1.1.13  50058  192.168.2.75   53         dropped       dropped  dropped        dropped
10.1.1.14  50059  172.16.53.
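An added Python example, not the module’s own code, that reproduces the bookkeeping behind Table 5-2 (many-to-one: the source port is rewritten only when two devices present the same port, and the change is remembered for reverse traffic) and Table 5-3 (many-to-many: one NAT address per source, packets dropped once the pool is exhausted). The addresses are those from the tables; the fifth packet’s destination, the three many-to-one packets and the replacement port range are constructed.

```python
"""Source NAT bookkeeping for the many-to-one and many-to-many cases.

Added example, not code from the HP guide. Values marked constructed are
not from the guide's tables.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Hdr:
    """The four header fields the guide's tables show: SA, SP, DA, DP."""
    sa: str
    sp: int
    da: str
    dp: int


class ManyToOneSnat:
    """All sources share one NAT address (Table 5-2 behaviour)."""

    def __init__(self, nat_ip: str, first_port: int = 1024) -> None:
        self.nat_ip = nat_ip
        self.fwd: Dict[Tuple[str, int], int] = {}  # (SA, SP) -> translated SP
        self.rev: Dict[int, Tuple[str, int]] = {}  # translated SP -> (SA, SP)
        self.next_port = first_port                # constructed allocation start

    def translate(self, p: Hdr) -> Hdr:
        key = (p.sa, p.sp)
        if key not in self.fwd:
            sp = p.sp
            if sp in self.rev:                     # another device holds this port
                while self.next_port in self.rev:
                    self.next_port += 1
                sp = self.next_port
            self.fwd[key] = sp
            self.rev[sp] = key
        return Hdr(self.nat_ip, self.fwd[key], p.da, p.dp)

    def untranslate(self, reply: Hdr) -> Optional[Hdr]:
        """Reverse traffic: restore the original SA/SP, or None if no state exists."""
        if reply.da != self.nat_ip or reply.dp not in self.rev:
            return None                            # unsolicited: no session matches
        sa, sp = self.rev[reply.dp]
        return Hdr(reply.sa, reply.sp, sa, sp)


class ManyToManySnat:
    """Each source is bound to its own NAT address; ports untouched (Table 5-3)."""

    def __init__(self, pool: List[str]) -> None:
        self.pool = list(pool)
        self.binding: Dict[str, str] = {}          # SA -> NAT address

    def translate(self, p: Hdr) -> Optional[Hdr]:
        nat_ip = self.binding.get(p.sa)
        if nat_ip is None:
            if len(self.binding) == len(self.pool):
                return None                        # pool exhausted: packet dropped
            nat_ip = self.pool[len(self.binding)]
            self.binding[p.sa] = nat_ip
        return Hdr(nat_ip, p.sp, p.da, p.dp)


def table_5_3() -> List[Optional[Hdr]]:
    """Replay the five outbound packets of Table 5-3 through a three-address pool."""
    nat = ManyToManySnat(["192.168.5.22", "192.168.5.23", "192.168.5.24"])
    packets = [
        Hdr("10.1.1.10", 50055, "172.16.122.63", 80),
        Hdr("10.1.1.11", 50056, "192.168.2.77", 21),
        Hdr("10.1.1.12", 50057, "172.16.222.8", 88),
        Hdr("10.1.1.13", 50058, "192.168.2.75", 53),
        Hdr("10.1.1.14", 50059, "172.16.53.1", 80),  # destination constructed
    ]
    return [nat.translate(p) for p in packets]


def table_5_2() -> List[Optional[Hdr]]:
    """Constructed: three devices behind one NAT address, two sharing port 50055."""
    nat = ManyToOneSnat("192.168.5.22")
    packets = [
        Hdr("10.1.1.10", 50055, "172.16.122.63", 80),
        Hdr("10.1.1.11", 50055, "192.168.2.77", 21),  # same port: gets rewritten
        Hdr("10.1.1.12", 50057, "172.16.222.8", 88),
    ]
    out: List[Optional[Hdr]] = [nat.translate(p) for p in packets]
    # the reply to the rewritten port is mapped back to 10.1.1.11:50055
    out.append(nat.untranslate(Hdr("192.168.2.77", 21, "192.168.5.22", out[1].sp)))
    return out
```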
One-to-One Translation (IP Address Only)
With this type of destination NAT, all traffic destined to a certain public IP address is translated to the same private destination IP address. For example, for the public NAT IP address, 192.168.5.23, there is one private IP address, 10.1.1.13. In the IP-only type of destination NAT, the destination address is translated, but the port numbers are not translated.
Table 5-5. One-to-Many Destination NAT
Before NAT                                    After NAT
SA1            SP1    DA1           DP1       SA2            SP2    DA2        DP2
172.16.122.63  51005  192.168.5.23  80        172.16.122.63  51005  10.1.1.10  80
10.1.5.48      50056  192.168.5.24  21        10.1.5.48      50056  10.1.1.10  21
10.100.148.77  50057  192.168.5.24  88        10.100.148.77  50057  10.1.1.10  88
172.20.222.8   50058  192.168.5.25  53        172.20.222.8   50058  10.1.1.10  53
172.25.121.75  50059  192.168.5.23  69        172.25.121.75  50059  10.
In a variation on this type of NAT, you can translate multiple public IP addresses to a particular private IP address based on the service. For example, HTTP traffic destined to either 192.168.5.23 or 192.168.5.24 is translated to the private IP address 10.1.1.10. Another NAT policy could apply to FTP traffic destined to the same two public IP addresses, translating this traffic to the private IP address 10.1.1.11.
Exclusion NAT
You can use this NAT type to exclude specific traffic from being translated, according to the following parameters:
■ Source and destination zone
■ Service
■ Source and destination addresses
Use exclusion NAT if you have an existing source or destination NAT policy, but you want to exclude a subset of those addresses or services from translation. For example, if you configure a policy to translate all traffic from subnet 10.1.1.
Figure 5-3. NAT packet flow
The packet flow for the source NAT step is shown in more detail in Figure 5-4.
Figure 5-4. Source NAT packet flow
The packet flow for the destination NAT step is shown in more detail in Figure 5-5.
Figure 5-5.
Network Address Translation Configuring NAT Policies

Configuring NAT Policies
The TMS zl Module requires you to specify the following parameters for each NAT policy:
■ NAT type (source, destination, or exclusion)
■ Source and destination zones
■ Services to which NAT is applied
■ Source address(es)
■ Destination address(es)
■ New IP address(es) and port(s)
When configuring NAT policies, follow these guidelines:
■ Along with the NAT policy, you must configure a firewall access policy that permi
  Sometimes you might also want to exclude traffic that is sent over a GRE tunnel from translation. The exclusion policy’s destination addresses should match the subnets in the tunnel’s traffic selector. The source addresses should be local addresses allowed to send traffic over the tunnel.
■ The relationship between the original number of IP addresses and the number of NAT addresses helps determine the NAT operation that the TMS zl Module performs.
Source NAT Policies
To add a source NAT policy, follow these steps:
1. Click Firewall > NAT Policies > Policies.
2. Click Add Policy.
3. For Translate, select Source.
Figure 5-6. Add NAT Policy Window
4. For From Zone, select the zone where traffic originates. (See “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.”)
5. For To Zone, select the zone where traffic is destined.
6.
7. For Source, do one of the following:
   • From the list, select an address object. (See “Address Objects” in Chapter 4: “Firewall.”)
   • Click Options.
     i. Select Enter custom IP, IP/mask or IP-Range.
     ii. In the space provided, type an IP address in dotted-decimal format, an IP address with network mask in CIDR format, or an IP address range. Examples:
        192.168.5.23
        172.16.56.100/24
        10.1.1.10-10.1.1.50
   • Select Use IP of routed VLAN interface to have the TMS zl Module translate each source address to an IP address on one of its TMS VLANs. The module uses the IP address on the TMS VLAN that is the forwarding interface for each packet’s destination. In this way, source addresses are always translated to an IP address that is valid for the destination network.
10. Optionally, for Insert Position (Optional), type a priority for the policy.
11. Click OK.
12.
Figure 5-7. Add NAT Policy Window
4. For From Zone, select the zone where traffic originates. (See “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.”)
5. The To Zone field is automatically populated with Self.
6. For Service, do one of the following:
   • From the list, select a service object. (See “Service Objects” in Chapter 4: “Firewall.”)
   • Click Options.
     i. Select Enter Custom Protocol/Port.
     ii. Select a Protocol from the list.
7. For Source, do one of the following:
   • From the list, select an address object. (See “Address Objects” in Chapter 4: “Firewall.”)
   • Click Options.
     i. Select Enter custom IP, IP/mask or IP-Range.
     ii. In the space provided, type an IP address in dotted-decimal format, an IP address with network mask in CIDR format, or an IP address range. Examples:
        192.168.5.23
        172.16.56.100/24
        10.1.1.10-10.1.1.50
12. Click OK.
13. If necessary, create a firewall access policy with the same source and destination zones as the NAT policy you just created and that permits the same services and addresses. (See “Firewall Access Policies for NAT” on page 5-23.)
14. Click Save.

Exclusion NAT Policies
To add an exclusion NAT policy, follow these steps:
1. Select Firewall > NAT Policies > Policies.
2. Click Add Policy.
3. Select None for translation type.
7. For Service, do one of the following:
   • From the list, select a service object. (See “Service Objects” in Chapter 4: “Firewall.”)
   • Click Options.
     i. Select Enter Custom Protocol/Port.
     ii. Select a Protocol from the list.
     iii. In the space provided, type a Port (range).
   • Leave the default, Any Service, when you want to exclude all types of traffic (that matches other criteria in the policy) from NAT.
11. If necessary, create a firewall access policy with the same source and destination zones as the NAT policy you just created and that permits the same services and addresses. (See “Firewall Access Policies for NAT,” below.) 12. Click Save. Firewall Access Policies for NAT Because the firewall checks traffic against its access policies before applying NAT, you need to configure a firewall access policy for each NAT policy. Because that check happens before translation, the access policy must use the same source and destination zones as the NAT policy and must match the addresses as they appear before NAT (the original, untranslated source and destination), not the NAT IP addresses.
Table 5-9. Firewall Access Policy for Source NAT
Parameter                Source NAT Policy             Firewall Access Policy
From                     Internal                      Internal
To                       Zone4                         Zone4
Service                  Any Service                   Any Service
Source Address(es)       172.16.45.0/24                172.16.45.0/24
Destination Address(es)  10.1.154.101-10.1.154.254     10.1.154.101-10.1.154.254
NAT IP Address(es)       192.168.154.1–192.168.154.
Network Address Translation NAT Examples
Table 5-10. Firewall Access Policy for Destination NAT
Parameter                Destination NAT Policy        Firewall Access Policy
From                     EXTERNAL                      EXTERNAL
To                       SELF                          SELF
Service                  Any Service                   Any Service
Source Address(es)       Any Address                   Any Address
Destination Address(es)  192.168.5.177                 192.168.5.177
NAT IP Address(es)       10.1.1.222                    n/a
NAT Examples This section contains examples of NAT implementations with step-by-step configuration instructions.
Figure 5-11. Source NAT—Network Merger Example Follow these steps to configure the first module (illustrated in the lower segment of the figure): 1. Create a NAT policy to translate source addresses on traffic from Zone1 to the shared data center (Zone 3). a. Click Firewall > NAT Policies > Policies. b. Click Add Policy. c. For Translate, select Source. d. For From Zone, select ZONE1. e. For To Zone, select ZONE3. f.
i. Select Use IP of routed VLAN interface. The module will translate all source Address(es) to its own IP address on the VLAN interface to which the NATed traffic is routed—in this example, 10.1.1.1. Figure 5-12. Add NAT Policy Window—Module 1 j. Click OK. 2. Create a firewall access policy to permit the traffic from Zone5 to the data center. a. Select Firewall > Access Policies > Unicast. b. Click Add a Policy. c. For Action, select Permit Traffic. d.
g. For Source, click Options, select Enter custom IP, IP/mask or IP-Range, and type 192.168.8.0/21. h. For Destination, click Options, select Enter custom IP, IP/mask or IP-Range, and type 10.1.1.0/24. i. Select the Enable this Policy check box to enable the access policy. j. Select the Enable IPS for this Policy check box if you want to enable IPS to check packets on this policy. k.
Follow these steps to configure the second module (illustrated at the top of the figure): 1. Create a NAT policy to translate source addresses on traffic from Zone1 to the shared data center (Zone 3). a. Click Firewall > NAT Policies > Policies. b. Click Add Policy. c. For Translate, select Source. d. For From Zone, select ZONE1. e. For To Zone, select ZONE3. f. For Service, accept the default: Any Service. g.
Figure 5-14. Add NAT Policy Window—Module 2 j. Click OK. 2. Create a firewall access policy to permit the traffic from Zone1 to Zone3. a. Click Firewall > Access Policies > Unicast. b. Click Add a Policy. c. For Action, select Permit Traffic. d. For From, select ZONE1. e. For To, select ZONE3. f. For Service, accept the default, Any Service. You can, of course, limit the firewall policy to allow only certain services. g.
j. Select the Enable IPS for this Policy check box if you want to enable IPS to check packets on this policy. k. Optionally, select the Enable logging on this Policy check box to log access policy activities. Note It is not recommended that you enable logging permanently because policy logging is processor intensive. Use logging for troubleshooting and testing only. l.
is the module’s IP address on the VLAN associated with the DMZ. On this network the DMZ is a Web server farm, so those devices do not need to initiate contact with the devices in the Internal zone. Figure 5-16. Source NAT—Single Internet Address Example Figure 5-16 shows the translation of the source addresses of the devices in Internal to a single address for DMZ. To implement this plan, follow these steps: 1.
Note In this example, you could also select Any Address because VLAN 10 is the only VLAN in the zone. h. From Destination, select VLAN20. i. For NAT IP address, select Use IP of routed VLAN interface. The TMS zl Module will translate the traffic to 10.1.2.107, which is the TMS zl Module’s IP address on VLAN 20, the VLAN on which the traffic will be forwarded. Figure 5-17. Add NAT Policy Window j. Click OK. k. Click Save. 4.
f. For Service, accept the default: Any Service. Note You could also limit the internal devices to accessing certain services. g. For Source, select VLAN10. h. For Destination, select VLAN20. i. Select the Enable this Policy check box to enable the access policy. j. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy. k.
You could also create a more general firewall access policy. This might permit you to create fewer firewall access policies overall because more than one of the NAT policies would be covered by a single firewall access policy. Limited NAT Pool In this type of source NAT there is a limited pool of NAT addresses for Internal devices to use when accessing resources in Zone5.
2. Create another single-entry network address object named VLAN2 that contains 10.10.2.0/24. 3. Create a NAT policy to translate source addresses for traffic from Internal to Zone5. a. Select Firewall > NAT Policies > Policies. b. Click Add Policy. c. Select Source for translation type. d. For From Zone, select INTERNAL. e. For To Zone, select ZONE5. f. For Service, accept the default: Any Service. g. For Source, select VLAN10. h.
4. Create a firewall access policy to permit the NAT traffic. a. Select Firewall > Access Policies > Unicast. b. Click Add Policy. c. For Action, select Permit Traffic. d. For From, select INTERNAL. e. For To, select ZONE5. f. For Service, accept the default: Any Service. g. For Source, select VLAN10. h. For Destination, select VLAN2. i. Select the Enable this Policy check box to enable the access policy. j.
l. Click Apply. m. Click Close. n. Click Save. You could also create a more general firewall access policy. This might allow you to create fewer firewall access policies overall because more than one of the NAT policies would be covered by a single firewall access policy. Destination NAT This section includes one example of a destination NAT configuration.
To set up this example, follow these steps: 1. Create a single-entry IP address object named Web_Services that contains 172.16.100.100. (See “Address Objects” in Chapter 4: “Firewall” for instructions.) 2. Configure a NAT policy to translate FTP traffic. a. Click Firewall > NAT Policies > Policies. b. Click Add Policy. Figure 5-23. Add NAT Policy Window c. Select Destination for the translation type. d. For From Zone, select INTERNAL.
3. Configure a NAT policy to translate HTTP traffic. a. Click Add Policy again. Figure 5-24. Add NAT Policy Window b. Select Destination for the translation type. c. For From Zone, select INTERNAL. d. To Zone is automatically set to Self. e. For Service, select http. f. For Source, select Any Address. g. For Destination, select Web_Services. h. For NAT IP address, type 10.1.1.12. i. For NAT Port (Optional), type 8088. j. Click OK. k. 4.
Figure 5-25. Add Policy Window c. For Action, select Permit Traffic. d. For From, select INTERNAL. e. For To, select SELF. f. For Service list, accept the default: Any Service. Note You can also narrow the scope of this access policy by creating and selecting a service group that contains http and ftp. (See “Service Groups” in Chapter 4: “Firewall.”) g. For Source, accept the default: Any Address. h. For Destination, select Web_Services. i.
Note It is not recommended that you enable logging permanently because policy logging is processor-intensive. Use logging for troubleshooting and testing only. l. Click Apply. m. Click Close. n. Click Save. You could also apply a more general firewall access policy. This might allow you to create fewer firewall access policies overall because more than one of the NAT policies would be covered by a single firewall access policy.
Figure 5-26. Using an Exclude NAT Policy In this example, the IPsec policy traffic selector for a site-to-site VPN specifies traffic between VLAN 20 and a remote network (192.168.4.0/22). An existing NAT policy selects all internal traffic that is destined to the External zone and translates the source address to the TMS zl Module’s external address (172.19.44.44). Because the remote network is reached through the External zone, the two policies overlap.
3. Create a NAT policy to exclude traffic that should be sent over the VPN from translation. a. Select Firewall > NAT Policies > Policies. b. Click Add Policy. c. Select None for the translation type. d. For From Zone, select INTERNAL. e. For To Zone, select EXTERNAL. f. For Service, select Any Service. g. For Source, select VLAN20. h. For Destination, select RemoteClients. i. For Insert Position (Optional), type 1. Figure 5-27.
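The ordering rules this chapter relies on (the access policy is checked before NAT, NAT policies are tried in Insert Position order, an exclusion policy that matches first leaves traffic untranslated, and “Use IP of routed VLAN interface” picks the module’s address on the egress VLAN) are easy to get wrong when writing the paired firewall access policy. The following model, added here as an example and not code from the module or from HP, runs the chapter’s own cases through those rules: the VPN exclusion at position 1, the broad source NAT to 172.19.44.44, the single-address DMZ translation to 10.1.2.107, and the destination NAT for 192.168.5.177 whose access policy must name the pre-NAT address as in Table 5-10. VLAN 20 being 10.1.2.0/24 and all class and function names are assumptions.

```python
"""Model of the TMS zl Module NAT evaluation order as this chapter describes it: the
firewall access policy is checked on the packet before NAT, NAT policies are tried in
Insert Position order, and an exclusion (translation type None) policy that matches
first leaves the packet untranslated. Added example, not the module's own code: the
addresses come from the chapter's examples, VLAN 20 is assumed to be 10.1.2.0/24, and
the class and function names are illustrative."""
import ipaddress
from dataclasses import dataclass


def _member(addr, spec):
    """spec is 'any', a single IP, a CIDR prefix or an 'a-b' range (the GUI's custom forms)."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def matches(rule, p):
    """Zone/service/address match shared by access policies and NAT policies."""
    return (p.from_zone == rule.from_zone and p.to_zone == rule.to_zone
            and rule.service in ("any", p.service)
            and _member(p.src, rule.src) and _member(p.dst, rule.dst))


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str


@dataclass
class AccessPolicy:
    from_zone: str
    to_zone: str
    service: str
    src: str
    dst: str


@dataclass
class NatPolicy:
    translate: str          # 'source', 'destination' or 'none' (exclusion policy)
    from_zone: str
    to_zone: str
    service: str
    src: str
    dst: str
    nat_ip: str = None      # fixed NAT IP, or 'routed-vlan' for Use IP of routed VLAN interface
    position: int = 1000    # Insert Position: lower numbers are evaluated first


# The module's routed VLAN interfaces, constructed from the chapter's figures.
VLAN_IFACES = {"10.1.1.0/24": "10.1.1.1", "10.1.2.0/24": "10.1.2.107",
               "172.19.44.0/24": "172.19.44.44"}


def routed_iface_ip(dst):
    """IP address of the VLAN interface that forwards dst (longest-prefix match)."""
    best = None
    for net, ip in VLAN_IFACES.items():
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ip)
    return best[1] if best else None


def forward(pkt, access_policies, nat_policies):
    """Return ('denied', None) or ('permitted', packet as sent onward)."""
    if not any(matches(a, pkt) for a in access_policies):        # 1. checked before NAT
        return "denied", None
    for pol in sorted(nat_policies, key=lambda x: x.position):   # 2. first match wins
        if not matches(pol, pkt):
            continue
        if pol.translate == "none":
            return "permitted", pkt                              # excluded from NAT
        ip = routed_iface_ip(pkt.dst) if pol.nat_ip == "routed-vlan" else pol.nat_ip
        if pol.translate == "source":
            return "permitted", Packet(pkt.from_zone, pkt.to_zone, ip, pkt.dst, pkt.service)
        return "permitted", Packet(pkt.from_zone, pkt.to_zone, pkt.src, ip, pkt.service)
    return "permitted", pkt


ACCESS = [
    AccessPolicy("INTERNAL", "EXTERNAL", "any", "10.1.0.0/16", "any"),
    AccessPolicy("INTERNAL", "DMZ", "any", "10.1.1.0/24", "10.1.2.0/24"),
    AccessPolicy("EXTERNAL", "SELF", "any", "any", "192.168.5.177"),   # pre-NAT address (Table 5-10)
]
NAT = [
    NatPolicy("none", "INTERNAL", "EXTERNAL", "any", "10.1.2.0/24", "192.168.4.0/22", position=1),
    NatPolicy("source", "INTERNAL", "EXTERNAL", "any", "any", "any", nat_ip="172.19.44.44", position=10),
    NatPolicy("source", "INTERNAL", "DMZ", "any", "10.1.1.0/24", "10.1.2.0/24", nat_ip="routed-vlan"),
    NatPolicy("destination", "EXTERNAL", "SELF", "http", "any", "192.168.5.177", nat_ip="10.1.1.222"),
]


def demo():
    vpn = forward(Packet("INTERNAL", "EXTERNAL", "10.1.2.50", "192.168.4.9", "any"), ACCESS, NAT)
    inet = forward(Packet("INTERNAL", "EXTERNAL", "10.1.2.50", "203.0.113.7", "any"), ACCESS, NAT)
    dmz = forward(Packet("INTERNAL", "DMZ", "10.1.1.40", "10.1.2.20", "any"), ACCESS, NAT)
    web = forward(Packet("EXTERNAL", "SELF", "198.51.100.5", "192.168.5.177", "http"), ACCESS, NAT)
    # Common mistake: an access policy written for the post-NAT address never matches.
    wrong = forward(Packet("EXTERNAL", "SELF", "198.51.100.5", "192.168.5.177", "http"),
                    [AccessPolicy("EXTERNAL", "SELF", "any", "any", "10.1.1.222")], NAT)
    return vpn, inet, dmz, web, wrong
```

Call demo() to see the five verdicts. The last case is the one to remember: because the access policy is evaluated before translation, a policy that permits the internal server address 10.1.1.222 silently denies the public traffic, while one written for 192.168.5.177 (as Table 5-10 shows) permits it.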
6 Intrusion Detection and Prevention
Contents
Overview 6-3
Attack Vectors 6-3
External Attacks 6-3
Internal Attacks 6-4
Attack Types
Protocol Anomaly Detection 6-22
Port Maps 6-24
Signature Detection 6-25
Configuring IDS/IPS 6-27
Configuring Protocol Anomaly Detection
Intrusion Detection and Prevention Overview Overview Hacker attacks, employee threats, virus skirmishes, and battles with worms— to implement successful network security, you must first understand the types of attacks that threaten your network. In Chapter 4: “Firewall,” you learned about several specific attacks. While a list of every attack is beyond the scope of this (or any) guide, this chapter will explore some of the most common network attacks.
However, some external attacks use perfectly legitimate traffic to infiltrate, overwhelm, rob, cripple, or destroy your network. Because attackers use legitimate traffic, attacks cannot always be easily distinguished and stopped by perimeter protection methods, such as a traditional firewall. External Intentional Attacks. In most cases, external attackers will aim attacks at well-known network vulnerabilities.
Internal Intentional Attacks. Internal intentional attacks are caused by someone who already has some trusted access to your network. Perpetrators might include disgruntled employees, partners, or administrators who abuse their network access privileges to wreak havoc or deliberately open perimeter network security holes. Internal Unintentional Attacks. Internal unintentional attacks are largely the result of uninformed users or administrators.
■ Exploits ■ Denial of service (DoS) ■ Backdoors Policy Violations An example of a policy violation attack is when a user leaves the password field empty while trying to access an FTP server. Cross-Site Scripting (XSS) Cross-site scripting is the most common type of publicly reported security vulnerability.
SQL Injection Similar to XSS attacks, an SQL injection attack is launched when a user injects malicious SQL code into input that a Web page passes to an SQL database. For example, Web pages built on improperly secured ASP.NET applications (ones that assemble queries from unvalidated input) are vulnerable to SQL injection attacks. A successful SQL injection can expose or alter data stored in these databases and, on some database servers, lead to remote code execution.
■ Adware—software that displays unwanted pop-up ads on an infected endpoint
■ Spyware—software that keeps a record of Web sites visited, keystrokes, and other personal information.
Protocol Anomalies It is possible to generate packets that follow a protocol’s specifications but have no legitimate purpose. These packets are referred to as protocol anomalies because the protocol is being used in a way that is inconsistent with common practice, not because the packet causes network traffic to deviate from normal behavior.
Unauthorized Access Unauthorized access attacks occur when an unauthorized user accesses your network either by guessing or stealing a password or by finding insecure network access points. Some methods used to gain unauthorized access are: ■ Brute force In a brute force attack, an attacker systematically attempts all possible password combinations, in order to discover a password and gain access to the network.
Exploits Unlike protocol anomaly attacks that exploit protocol weaknesses, these attacks exploit weaknesses or vulnerabilities in software and hardware. Attackers use these vulnerabilities to gain control of a computer system in order to access confidential information or data or degrade network performance.
Backdoors Rootkits and other backdoor installers are often disguised as e-mail attachments, files on the Internet, or Trojan horses. When the victim clicks the link or downloads and runs the file or program, a backdoor is installed. Attackers can then use the backdoor to gain access to the network.
Intrusion Detection and Prevention Threat Detection and Prevention Threat Detection and Prevention In monitor mode, the TMS zl Module can provide Intrusion Detection System (IDS) functionality. An IDS detects intrusions but does not take action to stop or prevent them. An IDS is out of the traffic path (it inspects a mirrored copy of the traffic), and its only role is to detect threats and log them, as shown in Figure 6-1.
Figure 6-2. IDS Packet Flow in Monitor Mode A packet that is mirrored to the TMS zl Module in monitor mode is examined by the IDS. If the IDS detects a threat, it creates a log entry. IDS sessions are identified by several factors: ■ Protocol ■ Source zone ■ Source IP ■ Source port ■ Destination zone ■ Destination IP ■ Destination port The IDS depends on these sessions: if the session table fills up, the IDS drops the packets that it cannot assign to a session, and because monitor mode works on mirrored copies, the original traffic still reaches its destination uninspected.
Figure 6-3. IDS/IPS Packet Flow in Routing Mode Routing Mode A packet that is routed to the TMS zl Module in routing mode is passed first to the firewall, then to the IDS. If the IDS does not detect a threat, it returns the packet to the firewall, which sends it to its destination.
Reconnaissance Detection When looking for reconnaissance attacks, the TMS zl Module inspects packet headers. It looks for any irregularities. The TMS zl Module can detect reconnaissance probes such as port scan, OS fingerprinting probes, and so on.
Figure 6-5. TCP SYN Attack, Open Port If the port is open, the host returns a SYN/ACK packet. The TCP SYN scan is detected both when the module receives only SYN packets and when the full TCP handshake (SYN, SYN/ACK, ACK) is performed. When the module detects 1000 or more SYN packets in one second, it registers an attack.
Figure 6-7. TCP FIN Scan, Open Port If the port is open, the host does not return a packet because the FIN packet is not part of an established connection. TCP ACK Scan In this scan, the attacker attempts to discover which TCP ports on a host are filtered by a firewall by sending an unsolicited acknowledge (ACK) packet to a particular port. Figure 6-8.
If the port is unfiltered, the host returns an RST packet. If you are operating the TMS zl Module in routing mode, go to Firewall > Settings > Attack Settings and enable the Pre-Connection ACK check box. The TMS zl Module will then send an RST packet for every unsolicited ACK packet, which creates the illusion that all ports are unfiltered and so defeats the scan. (Also see “Pre-Connection ACK” in Chapter 4: “Firewall.”)
Figure 6-12. UDP Scan, Port Open If the port is open, the host will return the requested data. IP Protocol Scan In this scan, the attacker attempts to discover which IP protocols are in use on a host. If the target device is suspected to be a router, the attacker will check for protocols such as EGP and IGP. Figure 6-13. IP Protocol Scan, Protocol Not Present If the protocol is not in use, the host does not respond.
If the protocol is in use, the host responds in a manner specific to the protocol that is being queried. This example shows a query for TCP. TCP Null Flag Scan In this scan, the attacker attempts to discover which TCP ports are open on a host by sending a TCP packet with no flags set, which never occurs in a legitimate connection. Figure 6-15. TCP Null Flag Scan, Closed Port If the port is closed, the host returns an RST packet. Figure 6-16.
Figure 6-17. Ping Scan, Inactive Device or Filter If the host is inactive or the firewall does not let ICMP packets pass through, the host does not return a packet. Figure 6-18. Ping Scan, Active Device and No Filter If the host is active and the firewall permits ICMP packets, the host returns an ICMP Echo Reply.
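The scans above are recognised from header fields alone, plus, for the SYN scan, a rate and, for the ACK probe, the absence of a session. The detector below, added here as an example and not the module’s own IDS code, runs that logic over constructed packet records: it flags NULL and lone-FIN packets outright, treats a lone ACK as a probe only when no session exists for it (the same session dependence the text describes), and registers a SYN scan when a source sends 1000 or more SYN-only packets within one second, the threshold the text states. The record format, class and function names are assumptions.

```python
"""Detection logic for the TCP reconnaissance scans described above, run over
constructed packet records. Added example, not the module's own IDS code. The
1000-SYNs-in-one-second threshold is the one the text states; the record fields,
class and function names are assumptions."""
from collections import defaultdict, deque

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SYN_THRESHOLD, WINDOW = 1000, 1.0     # SYN-only packets per second that register an attack


def classify_flags(flags):
    """Probe type suggested by the TCP flag byte alone (None = nothing unusual)."""
    if flags == 0:
        return "null-scan"       # no flags set never happens in a real connection
    if flags == FIN:
        return "fin-scan"        # lone FIN outside an established connection
    if flags == SYN:
        return "syn"             # normal connection start; only the rate makes it a scan
    if flags == ACK:
        return "ack-probe"       # lone ACK; a probe only if no session exists
    return None


class ScanDetector:
    def __init__(self):
        self.syn_times = defaultdict(deque)   # src -> timestamps of its SYN-only packets
        self.sessions = set()                 # (src, dst, dport) seen starting with a SYN
        self.alerts = []

    def feed(self, ts, src, dst, dport, flags):
        kind = classify_flags(flags)
        if kind in ("null-scan", "fin-scan"):
            self.alerts.append((ts, src, dst, dport, kind))
        elif kind == "ack-probe":
            # Like the module, depend on session state: an ACK inside a known
            # session is ordinary traffic, an ACK with no session is a probe.
            if (src, dst, dport) not in self.sessions:
                self.alerts.append((ts, src, dst, dport, kind))
        elif kind == "syn":
            self.sessions.add((src, dst, dport))
            q = self.syn_times[src]
            q.append(ts)
            while ts - q[0] >= WINDOW:        # sliding one-second window
                q.popleft()
            if len(q) == SYN_THRESHOLD:       # fire once, as the threshold is crossed
                self.alerts.append((ts, src, None, None, "syn-scan"))
        return kind


def run_sample():
    """Constructed traffic: a SYN sweep, a normal client, and three single probes."""
    det = ScanDetector()
    for i in range(1200):                     # 1200 SYNs to ports 1-1200 within 0.48 s
        det.feed(100.0 + i * 0.0004, "203.0.113.9", "10.1.1.20", 1 + i, SYN)
    for i in range(5):                        # legitimate client, one SYN per second
        det.feed(200.0 + i, "10.1.1.5", "10.1.1.20", 80, SYN)
    det.feed(205.0, "10.1.1.5", "10.1.1.20", 80, ACK)      # in-session ACK: not a probe
    det.feed(300.0, "198.51.100.7", "10.1.1.20", 22, 0)    # NULL scan
    det.feed(300.1, "198.51.100.7", "10.1.1.20", 22, FIN)  # FIN scan
    det.feed(300.2, "198.51.100.7", "10.1.1.20", 22, ACK)  # unsolicited ACK
    return det.alerts
```

run_sample() returns four alerts: one syn-scan from 203.0.113.9 raised on its 1000th SYN, then the NULL, FIN and unsolicited-ACK probes; the client that completed a normal handshake produces none. A SYN flood and a SYN port sweep look identical to this counter, which is why the text treats the 1000-per-second rate as an attack either way.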
Protocol anomaly detection has powerful capabilities because it does not require a prior signature to detect certain classes of attacks; it can detect some zero-day attacks even before the signatures are published. This capability narrows the window of vulnerability that often exists during the first hours or days after an attack is launched, although it covers only attacks that violate one of the protocol checks the module implements.
■ DNS
• Check for a DNS reply without a valid request
• Check for unknown DNS operation flags
• Check for a domain name greater than 255 bytes
• Check for a label size greater than 63 bytes
• Check for an invalid DNS label offset
• Check the resource record (RR) count and match it with the number in the RR record
• Ensure that a label reference is within the message
■ SNMP
• Malformed SNMP message with the wrong ASN.
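The DNS checks in the list (label no longer than 63 bytes, name no longer than 255 bytes, label offsets that are valid and stay within the message) all fall out of one careful name parser. The one below is an added example, not the module’s code: it parses a wire-format name, follows RFC 1035 compression pointers only when they point backwards into the same message (which also rules out pointer loops), and rejects the same malformed names the list describes. The test messages are constructed; twelve zero bytes stand in for the DNS header.

```python
"""Parser for DNS wire-format names that enforces the protocol-anomaly checks listed
above: no label longer than 63 bytes, no name longer than 255 bytes, and a
compression pointer may only refer backwards into the same message (which also rules
out pointer loops). Added example, not the module's own code; the messages are
constructed test vectors."""
import struct


class DnsAnomaly(ValueError):
    pass


def read_name(msg, offset):
    """Return (dotted_name, offset_after_name) or raise DnsAnomaly."""
    labels, total, pos, resume = [], 0, offset, None
    while True:
        if pos >= len(msg):
            raise DnsAnomaly("name runs past the end of the message")
        length = msg[pos]
        if length == 0:                          # root label ends the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            if pos + 1 >= len(msg):
                raise DnsAnomaly("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:                    # forward or self pointer: invalid offset / loop
                raise DnsAnomaly(f"invalid label offset {target} at {pos}")
            resume = resume if resume is not None else pos + 2
            pos = target                         # strictly decreasing, so the walk terminates
            continue
        if length > 63:                          # 0x40/0x80 prefixes: oversized label or reserved type
            raise DnsAnomaly(f"label length {length} exceeds 63")
        total += 1 + length                      # length byte counts toward the 255 limit
        if total > 255:
            raise DnsAnomaly("name exceeds 255 bytes")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) or ".", (pos if resume is None else resume)


def check(msg, offset=0):
    """Classify one name: ('ok', name) or ('anomaly', reason)."""
    try:
        return "ok", read_name(msg, offset)[0]
    except DnsAnomaly as e:
        return "anomaly", str(e)


HDR = b"\x00" * 12                                               # stand-in DNS header
GOOD = HDR + b"\x03www\x07example\x03com\x00" + b"\xc0\x0c"     # name at 12, pointer to it at 29
FORWARD_PTR = HDR + b"\xc0\x0e" + b"\x03abc\x00"                # pointer at 12 refers to 14, ahead of itself
SELF_LOOP = HDR + b"\xc0\x0c"                                    # pointer at 12 refers to itself
BIG_LABEL = HDR + bytes([64]) + b"a" * 64 + b"\x00"              # 64-byte label
TOO_LONG = HDR + (bytes([63]) + b"b" * 63) * 5 + b"\x00"         # 5 x 64 = 320 bytes
```

read_name(GOOD, 29) resolves the compressed answer name back to www.example.com and returns 31 as the offset after the two-byte pointer; the four malformed messages each raise DnsAnomaly. The backwards-only rule is stricter than some resolvers, but it is what makes the parser immune to pointer loops without a hop counter.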
Signature Detection The IDS/IPS on the TMS zl Module can use signatures to detect known attacks that have well-defined attack patterns. By comparing traffic to these signatures, the IDS/IPS can identify patterns in the packet payload or header that are known to indicate attacks. Because hackers are constantly creating new attacks, the signature file must be updated regularly to ensure your network is protected.
■ Virus
• AIM Bot
• BugBear
• Trojan Haxdoor
• VBS.
Intrusion Detection and Prevention Configuring IDS/IPS
■ Backdoor
• Acid Battery
• Meet the Lamer
• Back Orifice
• AOL Admin
• Alvgus
• Ruler
Configuring IDS/IPS When you use the TMS zl Module as an IDS, you can configure:
■ Protocol anomaly detection settings
■ Port maps
■ IDS signatures that are used to perform checks
■ Session inspection
When you use the TMS zl Module as an IPS, you can configure:
■ Protocol anomaly detection settings
■ Port maps
■ IPS signatures that are used t
■ MIME headers
• Maximum header size—1024 bytes
• Maximum boundaries—5 per message
■ SMTP headers
• Maximum header size—1024 bytes
If you do choose to adjust the default settings, follow these steps: 1. Select Intrusion Detection > Protocol Anomalies or Intrusion Prevention > Protocol Anomalies. 2. Adjust the values in the fields. 3. Click Apply My Changes. 4. Click Save. Configuring Port Maps To add a port map, follow these steps: 1.
Register the IDS/IPS Signature Subscription To begin using an IDS/IPS signature subscription, you must first register it on the My ProCurve portal (https://my.procurve.com). You can register the IDS/ IPS signature subscription at any time. The registration process does not require you to install a subscription license key or to disrupt the service of the TMS zl Module by rebooting it.
Figure 6-20. (Figure callouts: Make sure you have the correct registration card; Locate the subscription registration ID.)
TMS-Subscription Hardware ID. If you have booted the TMS zl Module to the Product OS, you can obtain the TMS-subscription hardware ID from: ■ Product OS context of the CLI ■ Web browser interface To obtain the TMS-subscription hardware ID from the Product OS context of the CLI, you must first access the host switch’s CLI. Then, from the manager-level context of the host switch’s CLI, complete the following steps: 1.
Entering the Registration and TMS-Subscription Hardware ID on the My ProCurve Portal To register the IDS/IPS signature subscription, follow these steps: 1. Open a Web browser and type https://my.procurve.com in the address bar. Figure 6-21. My ProCurve Sign In Window 2. Type your My ProCurve ID and Password in the appropriate fields and click Sign In. 3. Click My Licenses. 4. Click Device Software License. 5.
Figure 6-22. My Software Window on the My ProCurve Portal 6. For Hardware ID, type the TMS-subscription hardware ID and click Next. 7. Review the license agreement. Then select I agree to the license terms and click Next. 8. Configure your license expiration notification setting, which determines when ProCurve will notify you when your subscription is due to expire. You can select one or more of the following settings: 9.
key.) When your TMS zl Module attempts to download signatures, the ProCurve signature server will recognize that your module has a valid IDS/IPS signature subscription and allow it to download the signatures.
Figure 6-23. Intrusion Prevention > Signatures > Download Window 3. If you use a proxy server to connect to the Internet, select the Use a proxy server check box. • In the Address field, type the IP address or FQDN of the proxy server. • In the Port field, type the port number to access the proxy server. • Click Apply My Changes. 4.
9. Click Download Now. The module should connect to tmsupdate.procurve.com and download the latest signatures. Resolving Problems in Downloading Signatures. If you encounter problems while downloading signatures, try the following troubleshooting tips: 1. Ensure that your IDS/IPS signature subscription is still valid. 2. If the TMS zl Module is operating in routing mode, ensure the appropriate access policy has been added. 3.
Figure 6-24. Intrusion Prevention > Signatures > Preferences Window 2. Select the Full Session Inspection check box. 3. Click Apply My Changes. 4. Click Save. View Signatures To view the signatures, complete the following steps: 1. Click Intrusion Detection > Signatures and click the View tab or click Intrusion Prevention > Signatures and click the View tab.
Figure 6-25. Intrusion Prevention > Signatures > View Window The Intrusion Prevention (Detection) > Signatures > View window lists the following information about each signature: • Name—Name of the attack, usually an industry-standard name • Threat Level—A preconfigured indicator of the attack’s severity level • Action—The action that is taken when the attack is detected (routing mode only).
2. To find out more about a particular signature, click the name (which is underlined). A pop-up box is displayed, providing information about the signature’s capabilities. Figure 6-26. Additional Information about a Signature 3. Click OK to close the box. Enable or Disable Signatures By default, all the signatures are enabled. To disable a particular signature, clear its Enable check box.
Figure 6-27. Intrusion Prevention > Signatures > View Window Note If you disable a signature, the TMS zl Module IDS/IPS no longer checks packets against it, leaving your network exposed to the known attack that the signature detects.
■ Terminate the session—The TMS zl Module closes the session with the offending traffic. It drops all traffic that is associated with the session. For example, if the threat was detected in an HTTP session to a private server, the offender is blocked from sending any traffic to that server on the HTTP port. No TCP reset or similar message is returned.
Note When signature and protocol anomaly detection is enabled, a log entry is generated for each instance in which suspect packets or traffic is found, regardless of the Action setting. 3. For each threat severity level, select the actions that you want the TMS zl Module to take. 4. Click Apply My Changes. 5. Click Save.
Intrusion Detection and Prevention Integration with HP ProCurve Network Immunity Manager Integration with HP ProCurve Network Immunity Manager TMS zl Modules can be configured and managed from one central location using HP ProCurve Manager (PCM+) and HP ProCurve Network Immunity Manager (NIM). Because the TMS zl Module can detect and mitigate threats from both internal and external sources, the TMS zl Module is the perfect companion to NIM.
7 Virtual Private Networks
Contents
Overview 7-3
IPsec VPNs 7-5
Overview of IPsec VPNs 7-5
IPsec Headers 7-5
IPsec Modes
Configuring L2TP over IPsec 7-96
Create an L2TP Policy 7-99
Add L2TP Dial-in Users 7-102
Manage L2TP over IPsec Connections 7-106
Generic Routing Encapsulation (GRE)
Virtual Private Networks Overview Overview The Threat Management Services (TMS) zl Module supports virtual private networks (VPNs), which are tunnels that connect two trusted endpoints through an untrusted network. The tunnel typically provides data integrity and data privacy for traffic transmitted over the tunnel.
Remote VPN Gateway or Clients: IPSecuritas for Macintosh
VPN Type: IPsec with IKEv1 client-to-site VPN
Configuration Guidelines:
• See “Configure IPSecuritas for Macintosh VPN Client” on page 7-153 for a list of steps.
• When configuring the IKE policy, IPsec policy, and firewall access policies, follow the instructions in the client-to-site sections.
Remote VPN Gateway or Clients: ProCurve Secure Router Series 7000dl software version J.08.
Virtual Private Networks IPsec VPNs IPsec VPNs IPsec, which supports a variety of industry-standard authentication and encryption protocols, is a flexible, highly secure method of establishing a VPN. The TMS zl Module acts as the gateway device for the IPsec VPN—that is, the tunnel endpoint. The other end of the tunnel can be another VPN gateway (in a site-to-site VPN) or a remote endpoint (in a client-to-site VPN).
Figure 7-1. Tunnel Mode In tunnel mode, an AH header authenticates both the payload (including the original IP header) and the delivery IP header (except for fields that change in transit, such as the TTL and header checksum). An ESP header authenticates only the payload (including the original IP header) but can also encrypt the payload. Transport Mode. In transport mode, the IPsec header is inserted between the original IP header and the payload; no new delivery IP header is added. Therefore, both ends of the tunnel must be the actual source and destination of the traffic.
In transport mode, an AH header authenticates the entire packet including the IP header (again excluding its mutable fields). The ESP header authenticates only the payload (together with the ESP header and trailer) but can also encrypt the payload. Authentication and Encryption Algorithms To provide data integrity, an IPsec tunnel endpoint transforms packets with authentication algorithms.
When receiving inbound packets, the TMS zl Module first checks the packet for an IPsec header. If an IPsec header is present, the module uses the SPI to identify the packet’s SA. The module then uses the keys in the SA to decrypt and authenticate the packet. When sending outbound packets, the TMS zl Module checks whether the packet matches the traffic selector in an active outbound SA. If it does, the module uses the keys in the SA to encrypt and encapsulate the packet.
IKE Phase 1. During phase 1, IKE must complete three tasks: ■ Negotiate security parameters for the IKE SA ■ Generate the keys used to secure data sent over the IKE SA ■ Authenticate the endpoints of the tunnel (the two hosts) Therefore, IKE phase 1 (in main mode) typically involves three exchanges between hosts, or six total messages. Exchange 1: Security parameters.
Figure 7-3. IKE Phase 1: Security Parameters Exchange The remote endpoint searches its IKE policies for one that specifies the other endpoint and that includes an identical security proposal. When it finds a match, the remote endpoint returns these security parameters to the original endpoint. If the remote endpoint cannot find a match, the VPN connection fails. This is why it is very important that you match IKE policies at both ends of the connection.
Virtual Private Networks IPsec VPNs Figure 7-4. IKE Phase 1: Key Generation Exchange The final IKE phase 1 exchange and all IKE phase 2 exchanges will be secured by these keys. In this way, IKE provides an additional layer of security; endpoints transmit their authentication information in secured packets, and secured packets negotiate the IPsec SA itself. Exchange 3: Authentication.
Virtual Private Networks IPsec VPNs The ID can be one of these: ■ An IP address A local ID of this type should be the IP address for the interface that handles incoming VPN traffic. Similarly, a remote ID of this type should specify the remote interface to which VPN traffic is destined. The remote ID on one peer must match the local ID on the other peer. ■ A fully qualified domain name (FQDN) A local ID of this type is typically the FQDN of the local VPN gateway.
Virtual Private Networks IPsec VPNs Figure 7-6. IKE Aggressive Key Exchange Mode Aggressive mode condenses the process into three total messages—two from the initiator and one from the respondent. Aggressive mode is quicker than main. However, it requires endpoints to send identifying information before exchanges are encrypted, so it is less secure. IKE Phase 2. The goal of IKE phase 2 is to negotiate the IPsec SA.
Virtual Private Networks IPsec VPNs Figure 7-7. IKE Phase 2: Security Proposal When negotiating the IPsec SA, IKE follows much the same process it did in IKE phase 1.
Virtual Private Networks IPsec VPNs The respondent searches its IPsec policies for a match. When it finds a match, it returns the policy to the initiator. IKE then manages the generation and exchange of any hash and encryption keys. It also associates an SPI with the IPsec SA. The endpoints can now transmit data securely over the IPsec SA. XAUTH. XAUTH provides an additional, optional layer of security to IKE. If enabled, XAUTH occurs between IKE phase 1 and IKE phase 2.
Virtual Private Networks IPsec VPNs ■ You can configure IKE config mode only for an IPsec policy that specifies Auto (with IKEv1) for Key Management and that specifies a client-to-site IKEv1 policy. Each IKEv1 client-to-site policy supports only one IP address pool. ■ Microsoft Windows VPN clients and IPSecuritas for Macintosh VPN clients do not support the TMS zl Module implementation of IKE mode config.
Table 7-2. Advanced IPsec Features
Feature                                   Default Setting
IP compression                            Disabled
Anti-replay window                        Always enabled—default size, 32
Extended sequence number                  Disabled
Re-key on sequence number overflow        Enabled
Persistent tunnel                         Disabled
Fragment before IPsec                     Enabled
Copy DSCP value from the clear packet     Disabled
Copy DF bit from the clear packet         Enabled
IP Compression.
Re-key on Sequence Number Overflow. As described in the previous section, an SA is limited to 2^32 or 2^64 packets (depending on whether you enabled extended sequence numbers). You can enable the TMS zl Module to automatically renegotiate the SA before it reaches the last sequence number. By default, this feature is enabled. You should typically leave it enabled. Otherwise, if the SA runs out of sequence numbers, it becomes unavailable until its lifetime expires.
The VPN tunnel endpoints must trust the CAs that sign each other’s certificates. The TMS zl Module supports X.509 certificates in Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM) format. For the public/private keypair, it supports DSA and RSA. You can import certificates to the TMS zl Module manually, or you can obtain them automatically using Simple Certificate Enrollment Protocol (SCEP).
Figure 7-8. NAT Traversal How NAT Traversal Works. NAT-T uses UDP encapsulation to address this incompatibility between NAT and L2TP over IPsec. UDP encapsulates the IPsec packet in a UDP/IP header. The NAT device changes the address in this header without tampering with the IPsec packet. Peers agree to use NAT-T during IKE negotiations by exchanging a predetermined, known value that indicates that they support NAT-T.
The TMS zl Module implements NAT-T under any of the following circumstances: ■ Client device is behind a NAT device. ■ TMS zl Module is behind a NAT device. ■ Both are behind a NAT device. ■ Multiple clients are behind separate NAT devices but have the same IP address. The TMS zl Module implements NAT-T in this way: ■ IKE packets are accepted from any port and responses are sent to the port from which the packet came.
6. Create necessary firewall access policies. See “Configure Firewall Access Policies for Your VPN” on page 7-112. 7. Create a static route, if necessary. See “Verify Routes for the VPN” on page 7-137. Create Named Objects for the VPN (Optional) You might want to configure named objects that you can use for the VPN. See “Named Objects” in Chapter 4: “Firewall” for instructions about configuring the objects. IPsec Policy Traffic Selector.
Figure 7-9. VPN > IPsec > IKEv1 Policies Window 3. Click Add IKE Policy. The Add IKE Policy window is displayed. Figure 7-10. Add IKE Policy Window—Step 1 of 3 4. For IKE Policy Name, type a string that is unique to this policy. The string can include 1 to 15 alphanumeric characters. 5. For IKE Policy Type, select Site-to-Site (Initiator & Responder). The TMS zl Module will respond to IKE messages from the gateway at the remote site.
6. For Local Gateway, specify an IP address on this module. You have two options: • Select IP Address and type the IP address in the box. The IP address must be an IP address configured on the TMS zl Module. Type an address that the remote gateway can reach. • Select Use VLAN IP Address and select a VLAN from the list. Select the VLAN on which the remote gateway reaches the TMS zl Module.
Table 7-3 shows the format for each ID type.
Table 7-3. Local ID Values
Local ID Type         Remote ID Value     Examples
IP Address            A.B.C.D             172.16.40.103
Domain Name                               TMS.procurve.com
Email Address         @                   tms@procurve.com
Distinguished Name    /CN=                /CN=TMS.procurve.com
9. For Remote ID, specify an ID that matches the ID that the remote gateway sends to authenticate itself: a.
Figure 7-11. Add IKE Policy Window—Step 2 of 3 11. Under IKE Authentication, configure these settings: a. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on the remote endpoint. See IKE modes in “IKE Phase 2” on page 7-13 for guidelines. b. For Authentication Method, select one of the following: – Preshared Key – DSA Signature – RSA Signature If you select DSA Signature or RSA Signature, you can go directly to step 12.
12. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA: a. For Diffie-Hellman (DH) Group, select the group for the Diffie-Hellman exchange: – Group 1 (768) – Group 2 (1024) – Group 5 (1536) The group determines the length of the prime number used during the exchange. The larger the number, the more secure the key generated by the exchange. b.
Figure 7-12. Add IKE Policy Window—Step 3 of 3 14. Configure XAUTH, which is an optional additional layer of security.
Figure 7-13. Add IKE Policy Window—Step 3 of 3 (XAUTH Client Enabled) i. For Authentication Type, select Generic or CHAP. CHAP offers greater security. ii. For Username, type a username accepted by the remote gateway’s authentication server. iii. For Password, type the password associated with that username. • Select Enable XAUTH Server.
Figure 7-14. Add IKE Policy Window—Step 3 of 3 • Then, for Authentication Type, select Generic or CHAP. At some point, you must complete these steps: i. Configure the user group for the remote gateway. (Or you can use a group already configured on the TMS zl Module.) See “User Authentication” in Chapter 4: “Firewall.” ii. Configure the username and password for the remote gateway on either an external RADIUS server or the module itself.
Figure 7-15. VPN > IPsec > IKEv1 Policies Window (Policy Added) Move to the next task: ■ If you selected DSA or RSA signatures for the authentication method, “Install Certificates for IKE” on page 7-37. ■ If you selected pre-shared key for the authentication method, “Create an IPsec Proposal” on page 7-53. Create an IKE Policy for a Client-to-Site IPsec VPN.
Figure 7-17. Add IKE Policy Window—Step 1 of 3 Remote endpoints will initiate the VPN connection. The TMS zl Module will respond to their IKE messages. Note You must configure firewall access policies to allow the IKE messages from the remote endpoints. See “Configure Firewall Access Policies for Your VPN” on page 7-112. 6. For Local Gateway, specify an IP address that the remote endpoint can reach.
7. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID specified on remote endpoints. For more information about ID types, see “IKE Phase 1” on page 7-9. a. For Type, select the ID type: – IP Address – Domain Name – Email Address – Distinguished Name b. For Value, type the correct value.
Table 7-5. Remote ID Values and Wildcards
Remote ID Type        Remote ID Value   Wildcard        Example                 Example Wildcard
IP Address            A.B.C.D           0.0.0.0         172.16.40.103           0.0.0.0
Domain Name                                             user1.procurve.com      procurve.com
Email Address         @                 *@              user1@procurve.com      *@procurve.com
Distinguished Name    /CN=              /CN=* or /*     /CN=TMS.procurve.com    /CN=*.procurve.com or *
9. Click Next. Figure 7-18.
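How a responder applies the remote ID values and wildcards of Table 7-5 when it searches its IKE policies for the peer that is connecting, as an added example that is not TMS zl Module code. The ID type is compared before the value, and the policy names in the demonstration are constructed.

```python
"""IKE identity matching with the wildcard forms of Table 7-5.

Added example, not TMS zl Module code. A responder compares the ID a peer
presents against the Remote ID configured in each IKEv1 policy: the type
must match exactly, and the value must match literally or through one of
the documented wildcards.
"""
import fnmatch
import ipaddress

ID_TYPES = ("ip", "domain", "email", "dn")


def id_matches(configured, presented):
    """Return True if the presented (type, value) satisfies the configured
    Remote ID (type, value). Name comparison is case-insensitive."""
    cfg_type, cfg_value = configured
    got_type, got_value = presented
    if cfg_type not in ID_TYPES or cfg_type != got_type:
        return False                      # type must match, never just value
    if cfg_type == "ip":
        if cfg_value == "0.0.0.0":        # wildcard: any peer address
            return True
        try:
            return ipaddress.ip_address(cfg_value) == ipaddress.ip_address(got_value)
        except ValueError:
            return False
    cfg, got = cfg_value.lower(), got_value.lower()
    if cfg_type == "domain":
        # 'procurve.com' matches itself and hosts below it, not 'xprocurve.com'
        return got == cfg or got.endswith("." + cfg)
    if cfg_type == "email":
        # '*@procurve.com' matches any mailbox in exactly that domain
        return fnmatch.fnmatchcase(got, cfg)
    # distinguished name: '/CN=*', '/*' and '*' accept any DN; otherwise glob
    if cfg in ("/cn=*", "/*", "*"):
        return True
    return fnmatch.fnmatchcase(got, cfg)


def select_policy(policies, presented_id):
    """Mimic the responder's search: return the name of the first policy
    whose Remote ID matches the presented ID, or None (connection fails)."""
    for name, remote_id in policies:
        if id_matches(remote_id, presented_id):
            return name
    return None


# Constructed policy table: one site-to-site peer and one client-to-site
# policy that accepts every user of the procurve.com mail domain.
POLICIES = [
    ("site-a", ("ip", "172.16.40.103")),
    ("remote-users", ("email", "*@procurve.com")),
]
```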
b. For Authentication Method, select one of the following: – Preshared Key – DSA Signature – RSA Signature If you want to use SCEP to install certificates, select RSA Signature rather than DSA Signature. If you select DSA Signature or RSA Signature, you can go directly to step 11. (After you finish the IKEv1 policy, you must install certificates as described in “Install Certificates for IKE” on page 7-37.) c.
d. For SA Lifetime in Seconds, type the number of seconds that the IKE SA is kept open. Valid values are between 300 seconds and 86400 seconds (1 day). Remember that this setting applies to IKE SA, which is a temporary tunnel used only to establish the IPsec SA. 12. Click Next. 13. Configure XAUTH, which is an optional additional layer of security.
To complete the configuration, you must follow these steps as well: i. Configure a user group or groups for the remote users. (Or you can use groups that are already configured on the TMS zl Module.) See “User Authentication” in Chapter 4: “Firewall.” ii. Configure usernames and passwords for the remote users on either an external RADIUS server or on the module itself. See “User Authentication” in Chapter 4: “Firewall.” iii.
You can install certificates manually or using SCEP (for the latter, the CA must support SCEP as well). Read the appropriate section: ■ “Install Certificates Manually” on page 7-38 ■ “Install Certificates Using SCEP” on page 7-48 Install Certificates Manually. Follow these steps to install a certificate manually: 1. In the left navigation bar of the Web browser interface, select VPN > Certificates. 2. Click the IPsec Certificates tab. Figure 7-21.
Figure 7-22. Generate Private Key Window b. For Private Key Identifier, type a descriptive string between 1 and 31 alphanumeric characters. The string must be unique to this key. c. For Key Algorithm, select RSA or DSA. When you configured the IKEv1 policy, you selected DSA Signature or RSA Signature for Authentication Method (see step 11b on page 7-26). Match this setting. d. For Key Size, select 512, 1024, or 2048, which determines the length of the key in bits.
Figure 7-23. VPN > Certificates > IPsec Certificates Window (Private Key Added) f. Go to step 6. 5. Import a private key that was generated elsewhere: a. Transfer the private key to your management workstation. Make sure that all copies of the private key are stored in secure locations. Otherwise, the certificate could be compromised. b. Click Import Private Key. Figure 7-24. Import Private Key Window c.
d. For Select Private Key, type the path and filename for the private key. Alternatively, click Browse and navigate to the private key file. e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window. f. Delete the private key from your management workstation. 6. Next, create a certificate request. In the VPN > Certificates > IPsec Certificates window, click Generate Certificate Request. Figure 7-25.
9. For Private Key Identifier, select the private key that you added in step 3 on page 7-38. 10. For Subject Name, type the FQDN of the TMS zl Module. Use the format . For example, type TMS.procurve.com. The certificate request will store this name as a distinguished name, automatically adding /CN= to the name that you type. 11. In the Subject Alternate Names section, you can specify other IDs with which the module identifies itself.
Figure 7-26. VPN > Certificates > IPsec Certificates Window (Certificate Request Added) 13. Click the Edit icon in the Tools column for the certificate request. Figure 7-27.
14. Copy the data (for example, by pressing [Ctrl] + [c]) and paste it in a document created in a text editor. Save the file (if necessary, using the file extension required by your CA). Click OK in the Certificate Request Data window to close the window. 15. Submit the certificate request file to your CA. Request that certificate files be returned to you in PEM or DER format. 16.
21. Click Apply. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. Figure 7-30. VPN > Certificates > Certificate Authorities Window Note If you receive an error message, the TMS zl Module cannot validate the CA certificate. A common problem is that the module has the incorrect time. The module takes its clock from the host switch. Verify that this switch has the correct time. 22.
Figure 7-32. Import Self Signed Certificate Window 24. Under Select self-signed certificate, type the path and filename for the TMS zl Module’s certificate. Alternatively, click Browse and navigate to the certificate file. 25. Click Apply. The module’s certificate is displayed under Certificates in the VPN > IPsec > IPsec Certificates window. Figure 7-33. VPN > Certificates > IPsec Certificates (Certificate Installed) 26. Finally, you must install the CRL.
Figure 7-34. VPN > Certificates > CRL Window 27. Click Import CRL. Figure 7-35. Import CRL Window 28. For Select CRL, type the path and filename for the CRL. Alternatively, click Browse and navigate to the CRL file. 29. Click OK. The CRL is displayed in the VPN > Certificates > CRL window. Figure 7-36. VPN > Certificates > CRL Window (CRL Added) 30. Click Save. Move to the next task: “Create an IPsec Proposal” on page 7-53.
Install Certificates Using SCEP. Before you begin to configure the settings for using SCEP to install certificates, make sure that the TMS zl Module has the correct time. If the module does not have the correct time, the SCEP process may fail. The TMS zl Module takes its time from the host switch, so if you need to adjust the time, you will need to configure the switch. Follow these steps to install certificates automatically using SCEP: 1.
9. Next, you must import the CA certificate. Click the Certificate Authorities tab. Figure 7-38. VPN > Certificates > Certificate Authorities Window 10. Click Retrieve certificate through SCEP. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. (If the certificate is not imported, check the IP address or FQDN that you set in step 3 on page 7-48.) Figure 7-39. VPN > Certificates > Certificate Authorities Window 11.
Figure 7-40. VPN > Certificates > IPsec Certificates Window 12. Click Retrieve Certificate through SCEP under Certificates. Figure 7-41. Retrieve Self Signed Certificate through SCEP Window 13. For Subject Name, typically you type the TMS zl Module’s FQDN after /CN=. The remote tunnel endpoint will use this subject name to authenticate the module. Therefore, the subject name must match a remote ID that is configured on the remote endpoint.
14. For Trusted Certificate to verify Certificate, select the CA root certificate that you installed in step 10. 15. For Certificate Type, select RSA-MD5 or RSA-SHA-1. This setting determines the algorithm for the private key. You should have selected RSA Signature for Authentication Method in the IKE policy. 16. For Encryption Algorithm, select 3DES or DES. 17. For Challenge Password, type the password that your CA has given you.
21. Next, you should install the CRL. Ask your CA administrator if you need a particular CGI path to the CRL distribution point. If you do, follow these steps: a. Click the SCEP tab. b. For CGI-Path, type the new path given to you by your CA. For example, for a Windows 2008 CA, you might type /CertEnroll/ .crl. c. Click Apply My Changes. 22. Click the CRL tab. Figure 7-43. VPN > Certificates > CRL Window 23. Click Retrieve CRL through SCEP.
Figure 7-45. VPN > Certificates > CRL Window (CRL Added) Move to the next task: “Create an IPsec Proposal.” Create an IPsec Proposal Each IPsec proposal specifies the following: ■ IPsec mode (tunnel or transport) ■ IPsec security protocol: • AH and a single authentication algorithm • ESP, a single authentication algorithm, and a single encryption algorithm You can configure multiple IPsec proposals. In a later task, you will specify a proposal in an IPsec policy.
Figure 7-47. Add IPsec Proposal Window 4. For Proposal Name, type a descriptive string of 1 to 10 alphanumeric characters. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5. 5. For Encapsulation Mode, select one of the following: • Tunnel Mode—Select this mode for a site-to-site IPsec VPN.
The number in parentheses after AES options indicates the key length for the algorithm in bytes. 8. If you selected either ESP or AH, for Authentication Algorithm, select one of the following: • MD5 • SHA-1 • AES-XCBC 9. Click OK. The IPsec proposal is displayed in the VPN > IPsec > IPsec Proposals window. Figure 7-48. VPN > IPsec > IPsec Proposals Window (Proposal Added) 10. Click Save.
Follow these steps to create the IPsec policy: 1. In the left navigation bar of the Web browser interface, select VPN > IPsec. 2. Click the IPsec Policies tab. Figure 7-49. VPN > IPsec > IPsec Policies Window 3. Click Add IPsec Policy. The Add IPsec Policy window is displayed. Figure 7-50.
4. For Policy Name, type an alphanumeric string between 1 and 10 characters. The string must be unique to this policy. 5. By default the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later. 6.
Note If your traffic selector will include management traffic, you must configure a Bypass policy with top priority that selects the management traffic, or you will be locked out of the Web browser interface. If you do lock yourself out, reboot the module, but DO NOT SAVE the configuration. See “Configure Bypass and Ignore IPsec Policies” on page 7-84. If your traffic selector will include traffic that is also selected for NAT, you must create a NAT exclusion policy.
Note Typically, the local addresses are internal addresses on your private network while the local gateway address (which you configured in the IKE policy) is the TMS zl Module’s public or external address. If, however, for whatever reason the set of local addresses specified here includes the local gateway address, you must create a Bypass policy to exclude IKE traffic to and from the module from the VPN. Otherwise the VPN cannot be established.
Figure 7-51. Add IPsec Policy Window—Step 2 of 4 11. For Key Exchange Method, keep the default, Auto (with IKEv1). 12. For IKEv1 Policy, select a previously-configured IKEv1 policy. Select the IKEv1 policy that specifies the remote gateway for the remote addresses configured in this policy’s traffic selector. 13. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check box, which forces the tunnel endpoints to generate new keys for the IPsec SA.
14. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes). This setting determines how long the IPsec SA remains open. When the lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl Module checks whether the SA has experienced any activity.
Figure 7-52. Add IPsec Policy Window—Step 3 of 4 17. The Step 3 of 4 window allows you to configure settings for IKE mode config, which is not valid for a site-to-site VPN. Click Next.
Figure 7-53. Add IPsec Policy Window—Step 4 of 4 18. If desired, configure settings in the Advanced Settings (Optional) section. a.
b. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Advanced IPsec Features” on page 7-16 for more information. c. When you select the Enable Copy DSCP value from data packet check box, the TMS zl Module assigns each IPsec packet the DSCP value assigned to the original IP packet.
The advantages and disadvantages of using manual keying are listed below: ■ Advantages • Manual keying does not depend on the IKE protocol, so less processing is used initially to negotiate the SA. • You do not need to open UDP 500 (ISAKMP) in the firewall. • Manual keying is required for an IPsec VPN that is limited to ICMP echo or timestamp traffic. ■ Disadvantages • Keys can be leaked, and overall the tunnel is less secure. • Lengthy keys can be mistyped.
Figure 7-56. Add IPsec Policy Window—Step 1 of 4 4. For Policy Name, type an alphanumeric string between 1 and 10 characters. The string must be unique to this policy. 5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later. 6. For Action, keep the default, Apply. 7. For Position, type a number.
A default IPsec policy prevents all traffic from being encrypted by the VPN engine; therefore, all IPsec policies that you configure must have a higher priority than this default policy. Next, you configure the VPN traffic selector, which determines which traffic is selected by the policy. For example, the selector might specify all IP traffic between 192.168.2.0/24 (a local network) and 192.168.3.0/24 (a remote network).
– Manually type an IP address (for an L2TP over IPsec VPN, type the IP address of the local VPN gateway), IP address range, or network address in CIDR format (192.168.1.1/24). Note Typically, the local addresses are internal addresses on your private network while the local gateway address (which you configured in the IKE policy) is the TMS zl Module’s public or external address.
Figure 7-57. Add IPsec Policy Window—Step 2 of 4 (Top Section) 12. For Local Gateway, specify an IP address that the remote endpoint can reach. You have two options: • Select IP Address and type an IP address on the module in the box. The IP address must be an IP address already configured on the TMS zl Module. Type the address that the remote gateway can reach. • Select Use VLAN IP Address and select a VLAN from the list.
Figure 7-58. Add IPsec Policy Window—Step 2 of 4 (Bottom Section) 14. Next, set the SPI and keys for the protocol that you selected in the IPsec proposal (ESP, in the example displayed in Figure 7-58). The correct number of characters for a key depends on the algorithm that you selected in the IPsec proposal and is indicated to the right of the box. Note also that if you selected AH, you will not see boxes for encryption keys: a.
Figure 7-59. Add IPsec Policy Window—Step 3 of 4 16. The Step 3 of 4 window allows you to configure settings for IKE Mode Config, which is not valid for a site-to-site VPN. Click Next.
Figure 7-60. Add IPsec Policy Window—Step 4 of 4 17. If desired, configure settings in the Advanced Settings (Optional) section. a. Select the check boxes for the advanced features that you want to enable: – Enable IP compression – Enable fragment before IPsec – Enable Copy DSCP value from data packet For information and guidelines on these settings, see “Advanced IPsec Features” on page 7-16. b. For Anti-Replay Window Size, type a value between 32 and 1024.
c. When you select the Enable Copy DSCP value from data packet check box, the TMS zl Module assigns each IPsec packet the DSCP value assigned to the original IP packet. If you do not select this check box, you can assign the same DSCP value to all IPsec packets in this VPN. Type a value between 0 and 63 for DSCP Value. d.
Note An L2TP over IPsec VPN requires specific settings for the IPsec policy. See “Layer 2 Tunneling Protocol (L2TP) over IPsec” on page 7-96 for more information. Follow these steps to create the IPsec policy: 1. In the left navigation bar of the Web browser interface, select VPN > IPsec. 2. Click the IPsec Policies tab. Figure 7-62. VPN > IPsec > IPsec Policies Window 3. Click Add IPsec Policy.
Figure 7-63. Add IPsec Policy Window—Step 1 of 4 4. For Policy Name, type an alphanumeric string between 1 and 10 characters. The string must be unique to this policy. 5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later. 6.
• Bypass—Traffic is forwarded to its destination but is not secured by the IPsec SA. • Ignore—Traffic is discarded. For information on configuring Bypass and Ignore policies, see “Configure Bypass and Ignore IPsec Policies” on page 7-84. 7. For Position, type a number. The position determines the order in which the TMS zl Module processes IPsec policies. The module processes the policy with the lowest value first (for example, position 1 before position 2).
8. For Traffic Selector, configure these settings: a. For Protocol, specify the protocol for traffic allowed over the VPN: – Any—Any IP protocol. Select this option when you want to select all traffic between local and remote endpoints. – TCP or UDP—Select this option in conjunction with a local port to allow remote clients to access only specific services in the local network. – ICMP—Select this option when you want to select only ICMP traffic.
If you will not use IKE mode config, you must match the exact value that the remote clients send for their local IP address. Some clients always send their actual IP address. In this case, you must specify this single address and create a separate IPsec policy for each remote client. Other clients (such as the Mac IPSecuritas) can send an entire subnet.
Figure 7-64. Add IPsec Policy Window—Step 2 of 4 11. For Key Exchange Method, keep the default, Auto (with IKEv1). 12. For IKEv1 Policy, select a previously-configured IKEv1 policy. You must select a policy of the client-to-site type. 13. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check box, which forces the tunnel endpoints to generate new keys for the IPsec SA.
14. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes). This setting determines how long the IPsec SA remains open. When the lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl Module checks whether the SA has experienced any activity.
Figure 7-65. Add IPsec Policy Window—Step 3 of 4 17. Configure the IP addresses and other settings assigned to remote endpoints through IKE mode config. Note It is generally recommended that you use IKE mode config. However, if your clients do not support this feature, clear the Enable IP Address Pool for IRAS (Mode Config) check box and move to the next step. a. The Enable IP Address Pool for IRAS (Mode Config) check box should be selected. b.
c. For Firewall Zone, select the zone for remote clients after they establish the VPN connection. When you configure firewall access policies for the IKE mode config addresses, use this zone. d. For IP Address Ranges, type one or more ranges of IP addresses in the same subnet as the IRAS. Type each range on its own line, using this format: -. For example, type 172.16.100.50-172.16.100.74.
Figure 7-66. Add IPsec Policy Window—Step 4 of 4 19. If desired, configure settings in the Advanced Settings (Optional) section. a.
b. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Advanced IPsec Features” on page 7-16 for more information. c. When you select the Enable Copy DSCP value from data packet check box, the TMS zl Module assigns each IPsec packet the DSCP value assigned to the original IP packet.
Bypass Policies. The TMS zl Module forwards traffic that matches Bypass policies but it does not secure it with an IPsec SA. By default, the module has a Bypass policy that selects all traffic, allowing non-VPN traffic that the firewall permits to reach its destination.
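The ordering rules from the policy steps above (lowest position first, the default Bypass policy last) and the management-traffic lockout warned about in the site-to-site procedure can be checked with a small evaluator. This is an added example, not TMS zl Module code; the dataclass names and every address in the scenario are constructed, and the match direction (outbound treats the source as the local side) is an assumption of the model.

```python
"""Ordered IPsec policy evaluation with Apply, Bypass and Ignore actions.

Added example, not TMS zl Module code. Policies are tried by ascending
position, a default Bypass policy that selects all traffic sits last, and
management traffic inside an Apply selector needs a Bypass policy with a
higher priority or the administrator is locked out. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Selector:
    protocol: str = "any"            # "any", "tcp", "udp" or "icmp"
    local: str = "0.0.0.0/0"         # address, CIDR network or "low-high" range
    remote: str = "0.0.0.0/0"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


@dataclass
class Policy:
    name: str
    position: int                    # lower value is processed first
    action: str                      # "Apply", "Bypass" or "Ignore"
    selector: Selector


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def addr_in(spec, addr):
    """True if addr lies in spec (single address, CIDR, or 'low-high' range)."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= ip <= high
    return ip in ipaddress.ip_network(spec, strict=False)


def selector_matches(sel, pkt, outbound=True):
    """Match a packet against a selector. Outbound: the local side is the
    source; inbound (arriving at the module): the local side is the destination."""
    if outbound:
        local, remote, lport, rport = pkt.src, pkt.dst, pkt.src_port, pkt.dst_port
    else:
        local, remote, lport, rport = pkt.dst, pkt.src, pkt.dst_port, pkt.src_port
    if sel.protocol != "any" and sel.protocol != pkt.protocol:
        return False
    if not (addr_in(sel.local, local) and addr_in(sel.remote, remote)):
        return False
    if sel.local_port is not None and sel.local_port != lport:
        return False
    if sel.remote_port is not None and sel.remote_port != rport:
        return False
    return True


# The module's built-in lowest-priority policy: forward everything unsecured.
DEFAULT_BYPASS = Policy("default-bypass", 2 ** 31, "Bypass", Selector())


def decide(policies, pkt, outbound=True):
    """Return (policy name, action) of the first matching policy by position."""
    for pol in sorted(policies, key=lambda p: p.position) + [DEFAULT_BYPASS]:
        if selector_matches(pol.selector, pkt, outbound):
            return pol.name, pol.action
    raise AssertionError("unreachable: the default policy matches everything")


# Constructed scenario: a broad Apply policy whose local side includes the
# module's own VLAN address 192.168.2.1, which the administrator manages
# over HTTPS from 192.168.2.50 on the same subnet.
SITE_POLICY = Policy("site", 2, "Apply", Selector(local="192.168.2.0/24"))
MGMT_BYPASS = Policy("mgmt", 1, "Bypass",
                     Selector(protocol="tcp", local="192.168.2.1",
                              remote="192.168.2.0/24", local_port=443))
MGMT_PACKET = Packet("tcp", "192.168.2.50", "192.168.2.1", 51000, 443)


def lockout_demo():
    """Decisions for the management packet without and with the Bypass
    policy; the first would encrypt the admin session and lock them out."""
    without = decide([SITE_POLICY], MGMT_PACKET, outbound=False)
    with_bypass = decide([SITE_POLICY, MGMT_BYPASS], MGMT_PACKET, outbound=False)
    return without, with_bypass
```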
4. For Policy Name, type an alphanumeric string between 1 and 10 characters. The string must be unique to this policy. 5. The policy does not take effect until it is enabled. Select the Enable this policy check box to enable the policy as soon as you finish it. Clear the check box if you want to enable the policy later. 6. For Action, select how the TMS zl Module treats traffic that is selected for this policy (see step 9): 7.
9. For Traffic Selector, configure these settings: – Any—Any IP protocol. Select this option when you want to select all traffic between local and remote endpoints. – TCP or UDP—Select this option in conjunction with a local port to select remote traffic that is destined for specific services in the local network. Select this option in conjunction with a remote port to select local traffic that is destined for specific services in the remote network.
Configure Global IPsec Settings You can configure several more settings that affect all IPsec connections. These settings control: ■ Whether IPsec is enabled ■ How ICMP error messages are handled ICMP error messages may not be matched by the IPsec traffic selectors. However, these error messages are often necessary for a session (for example, for path MTU discovery). You can configure how the TMS zl Module handles ICMP error messages.
Figure 7-69. VPN > IPsec > Settings Window 4. Configure how the TMS zl Module handles ICMP error messages: • Select the Send ICMP error messages check box to have the TMS zl Module return an ICMP error message when it receives bad data. By default, this check box is selected. • Select the Handle ICMP error messages check box to have the TMS zl Module accept incoming ICMP error messages. By default, this check box is selected. 5.
7. For Minimum Packet Size for IP Compression, type a packet size in bytes. When IP compression is enabled for an SA (as specified in the IPsec policy advanced settings), all packets of this size or larger will be compressed. The valid range is 91 to 2147483647 bytes. The default is 1500 bytes. View VPN Connections To view active VPN connections, follow these steps: 1. In the left navigation bar of the Web browser interface, click VPN > IPsec. 2.
■ Status—click the View status link to see more details. The Status window for the IKE SA is displayed. Figure 7-71. Status ( - ) Window These details are displayed: ■ Peer Address—the IP address of the remote tunnel endpoint or client with which the module has established the SA ■ State—the current state of the IKE SA The state for an active IKE SA is SA_Mature.
■ Local Gateway—the local IP addresses in the traffic selector for this policy ■ Remote Gateway—the remote IP addresses in the traffic selector for this policy ■ Status—click the View status link to see more details. The Status window for that SA is displayed. Figure 7-72.
■ SoftLife Time in KB—the number of kilobytes that the SA will carry before the TMS zl Module begins renegotiating the SA (unless the soft lifetime in seconds expires first) ■ Bytes Processed—the number of bytes received or transmitted by this SA ■ NAT Status—whether the SA is using NAT-T ■ IP Compression Status—whether the SA supports IP compression Clear VPN Connections Sometimes you might want to clear a VPN connection before the SA lifetime expires.
3. To clear an IKE SA, follow these steps: a. Select the SA from the list in the IKE Security Associations section. b. Click Flush above. 4. To clear an IPsec tunnel, follow these steps: a. Select the SA from the list in the IPsec VPN Tunnels section. b. Click Flush above. View IP Address Pools You can view information about the pools that you have created for IKE Mode Config as well as addresses currently assigned to remote endpoints.
■ Primary WINS—the primary WINS server assigned to remote endpoints ■ Secondary WINS—the secondary WINS server assigned to remote endpoints ■ IKE Policy—the IKE policy associated with the pool (through the IPsec policy) The Active IP Address Pool Sessions section displays the IP addresses currently assigned to remote endpoints: ■ Assigned IP Address—the IP address assigned to the remote endpoint through IKE Mode Config ■ Peer Address—the remote endpoint’s actual
Virtual Private Networks Layer 2 Tunneling Protocol (L2TP) over IPsec Layer 2 Tunneling Protocol (L2TP) over IPsec Microsoft VPN clients use Layer 2 Tunneling Protocol (L2TP) over IPsec to establish VPN connections. The TMS zl Module can act as a gateway for these endpoints, allowing them remote access to the private network. L2TP over IPsec Overview L2TP is a session-layer protocol (Layer 5) that mimics a data-link protocol (Layer 2).
2. Create an IKE policy for remote access (client-to-site). Only one IKE policy can specify the client-to-site type, main mode, and preshared keys. Often you must configure a policy that is valid for all of your remote clients.
Table 7-7. IKE Security Settings Proposed by Windows XP Clients

Proposal  Encryption Algorithm  Authentication Algorithm  Diffie-Hellman Group  SA Lifetime in Seconds
1         3DES                  SHA-1                     2                     28800
2         3DES                  MD5                       2                     28800
3         DES                   SHA-1                     1                     28800
4         DES                   MD5                       1                     28800

3. If you selected a DSA or RSA signature for the authentication method in the IKE policy, install certificates. See “Install Certificates for IKE” on page 7-37. 4.
Note Do not select (115) L2TP for Protocol. You must select UDP and then specify the L2TP port (1701). Windows clients carry L2TP as UDP port 1701 inside the transport-mode IPsec SA, not as IP protocol 115, so the traffic selector must match at Layer 4 (UDP 1701) rather than at Layer 3. 6. • Select the IKE policy and the IPsec proposal that you just configured. • Disable PFS and leave the lifetime settings at their defaults (28800 seconds and 0 kilobytes). • Clear the Enable IP Address Pool for IRAS (Mode Config) check box.
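Because the single client-to-site IKE policy has to match one of the proposals a Windows XP client sends (Table 7-7), it is worth checking the match before the first client tries to connect. The following is an added example, not code from the TMS zl Module or this guide: it models IKEv1 phase 1 responder behaviour (the responder accepts the first initiator proposal whose algorithms and Diffie-Hellman group match its own policy) against the Windows XP proposal list. Treating the SA lifetime as something both sides then shorten to the smaller value, rather than as a match criterion, is a simplifying assumption of the example.

```python
"""IKEv1 phase 1 proposal selection between a Windows XP L2TP/IPsec client
and a single responder policy.

Added example, not code from the TMS zl Module. The client proposals are
the four in Table 7-7; the responder policy holds the one algorithm set the
module's client-to-site IKE policy can offer. In IKEv1 the responder picks
the first initiator proposal it can accept, so the policy must match one of
the client's proposals exactly or main mode fails with no proposal chosen.
Lifetime is not treated as a match criterion here; that is an assumption
for the example (both sides are modelled as keeping the shorter lifetime).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    number: int
    encryption: str
    hash_alg: str
    dh_group: int
    lifetime_s: int


# Table 7-7: what a Windows XP client proposes, in order
WINDOWS_XP_PROPOSALS: List[Proposal] = [
    Proposal(1, "3DES", "SHA-1", 2, 28800),
    Proposal(2, "3DES", "MD5", 2, 28800),
    Proposal(3, "DES", "SHA-1", 1, 28800),
    Proposal(4, "DES", "MD5", 1, 28800),
]

# Table 7-9: the module's default IKE settings (MD5, 3DES, DH group 1, 28800 s)
MODULE_DEFAULT_POLICY = Proposal(0, "3DES", "MD5", 1, 28800)


def select_proposal(policy: Proposal, offered: List[Proposal]) -> Optional[Proposal]:
    """Return the first offered proposal whose algorithms and DH group match `policy`."""
    wanted = (policy.encryption, policy.hash_alg, policy.dh_group)
    for p in offered:
        if (p.encryption, p.hash_alg, p.dh_group) == wanted:
            return p
    return None


def negotiated_lifetime(policy: Proposal, chosen: Proposal) -> int:
    """Both sides keep the shorter of the two lifetimes (assumption, see above)."""
    return min(policy.lifetime_s, chosen.lifetime_s)


def explain(policy: Proposal, offered: List[Proposal]) -> str:
    """Human-readable outcome of the negotiation for one responder policy."""
    chosen = select_proposal(policy, offered)
    if chosen is None:
        return ("no match: the client offers nothing with %s/%s/DH group %d; "
                "change the IKE policy to one of the client's proposals"
                % (policy.encryption, policy.hash_alg, policy.dh_group))
    return "proposal %d accepted, SA lifetime %d s" % (
        chosen.number, negotiated_lifetime(policy, chosen))


if __name__ == "__main__":
    print(explain(MODULE_DEFAULT_POLICY, WINDOWS_XP_PROPOSALS))
    print(explain(Proposal(0, "3DES", "SHA-1", 2, 28800), WINDOWS_XP_PROPOSALS))
```

Running it shows that the module's default IKE settings (Table 7-9) do not match any Windows XP proposal, because the client only pairs 3DES with DH group 2; the policy must be changed to 3DES/SHA-1/group 2 or 3DES/MD5/group 2. Of those, prefer SHA-1 and avoid the DES proposals entirely; DES and MD5 are present in the client's list for compatibility, not because they are still acceptable choices.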
Figure 7-76. Add L2TP Policy Window—Step 1 of 2 4. For Policy Name, type a unique name for this policy. The name can be between 1 and 30 alphanumeric characters. 5. By default, the Enable this policy check box is selected, which means the policy will be enabled as soon as you finish configuring it. Clear the check box if you do not want to enable the policy at this point. 6.
Figure 7-77. Add L2TP Policy—Step 2 of 2 8. For Proposal, select the IPsec proposal that you configured for the L2TP connection. You must select a transport-mode proposal that uses the ESP protocol. 9. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes).
The TMS zl Module checks an IPsec SA for inactivity when the SA has transmitted and received 80 percent of its lifetime in kilobytes. If the SA is active, the module renegotiates it, deleting the old SA when the new one is established. The module deletes an inactive SA if it is still inactive when the total lifetime in kilobytes is reached.
Figure 7-79. VPN > IPsec > L2TP Remote Access Window 3. Click Add Dial-In User. Figure 7-80. Add Dial-In User Window—Step 1 of 3 4. For Dial-In User Name, type a name for this user. The name can be 1 to 16 alphanumeric characters. This setting only affects how the user is displayed in the dial-in user list on the module. 5.
6. For User IP Address, type the IP address that the remote client uses on the tunnel. This IP address must be on the same subnet as the LNS address that you configured in the previous step. You might place multiple remote clients in the same subnet. Make sure to assign each user account a unique IP address. 7.
10. For Policy Group Name, select the user group that you configured on the TMS zl Module. (Step 1 on page 7-96.) When you configure firewall access policies that control how the L2TP clients use the local network, you will configure them for this user group. 11.
15. For Primary DNS Server, type the IP address of a DNS server that the remote client can use to resolve hostnames. 16. For Secondary DNS Server, type the IP address of another DNS server. This setting is optional. 17. For Primary WINS Server, type the IP address of a WINS server (if your network uses WINS). This setting is optional. 18. For Secondary WINS Server, type the IP address of another WINS server. This setting is optional. 19.
Virtual Private Networks Generic Routing Encapsulation (GRE) Generic Routing Encapsulation (GRE) GRE is a tunneling protocol, carried directly in IP as IP protocol 47, that can encapsulate a wide range of network-layer protocols (including IP itself) inside IP packets. GRE tunneling establishes a virtual point-to-point connection between two devices across an intervening network. For example, you could use GRE to tunnel FTP or HTTP traffic between two networks across an intervening network. GRE itself provides no confidentiality or integrity protection: the encapsulated packet crosses the intervening network in clear text unless the tunnel is protected with IPsec (see “Configure GRE over IPsec” later in this chapter).
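To show exactly what a GRE tunnel endpoint puts on the wire, and why the inner packet is still readable by anyone between the endpoints, here is an added example (not code from the TMS zl Module or this guide) that builds a GRE-encapsulated IPv4 packet per RFC 2784 and decapsulates it again. The tunnel endpoint addresses, the inner hosts and the UDP payload are constructed for the example.

```python
"""GRE encapsulation and decapsulation of an IPv4 packet (RFC 2784).

Added example, not code from the TMS zl Module. It shows what a GRE tunnel
endpoint actually sends: an outer IPv4 header (protocol 47) addressed
between the two tunnel endpoints, a 4-byte GRE header whose protocol type
names the inner packet (0x0800 for IPv4), and the inner packet unchanged.
All addresses and the UDP payload are constructed for the example.
"""
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
GRE_FLAG_CHECKSUM = 0x8000  # C bit (RFC 2784)
GRE_FLAG_KEY = 0x2000       # K bit (RFC 2890)
GRE_FLAG_SEQ = 0x1000       # S bit (RFC 2890)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Wrap `inner` (an IPv4 packet) in GRE between the two tunnel endpoints."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> tuple:
    """Return (tunnel_src, tunnel_dst, inner_packet) or raise ValueError."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is %d, not GRE" % packet[9])
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:  # version field must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner protocol 0x%04x is not IPv4" % ptype)
    gre_len = 4
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ):
        if flags & flag:
            gre_len += 4  # each optional field is 32 bits
    src = str(IPv4Address(packet[12:16]))
    dst = str(IPv4Address(packet[16:20]))
    return src, dst, packet[ihl + gre_len:total_len]


def sample_inner_packet() -> bytes:
    """Constructed inner packet: a small UDP datagram between two private hosts."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload  # checksum 0 = none
    return ipv4_header("10.1.1.5", "10.2.2.9", 17, len(udp)) + udp


def sample_tunnel_packet() -> bytes:
    """The sample inner packet as it would leave the local tunnel endpoint."""
    return gre_encapsulate("203.0.113.1", "198.51.100.1", sample_inner_packet())


if __name__ == "__main__":
    outer = sample_tunnel_packet()
    src, dst, inner = gre_decapsulate(outer)
    print(len(outer), "bytes on the wire from", src, "to", dst)
    print("inner packet intact:", inner == sample_inner_packet())
    print("inner payload visible in the outer packet:", b"hello" in outer)
```

The last line of the demonstration is the point of the GRE over IPsec section that follows: the inner addresses, ports and payload are all present verbatim in the outer packet, so a GRE tunnel on its own is a routing construct, not a security one.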
Figure 7-85. Add GRE Tunnel Window 4. For Tunnel Name, type a name that is unique for this tunnel. The name can be from 1 to 10 alphanumeric characters. It is recommended that you use a name that indicates the destination of the tunnel. 5. By default, the Enable this tunnel check box is selected, which allows the GRE tunnel to be established as soon as you finish configuring it. Clear the check box if you want to enable the tunnel later. 6.
9. For Remote IP Address, type an accessible IP address on the tunnel’s remote endpoint (different from the address configured on the subnet reserved for the tunnel). 10. Under Tunnel Traffic Selector, click Add Traffic selector. Figure 7-86. Add GRE Tunnel Window (Adding a Tunnel Traffic Selector) 11. IP Address and Subnet Mask boxes are displayed. Type the network IP address and mask for the subnet to which tunneled traffic is destined.
Figure 7-87. VPN > GRE Window (Tunnel Added) 14. Click Save. Remember to configure firewall access policies to allow traffic over the tunnel. See “Access Policies for a GRE Tunnel” on page 7-126. Configure GRE over IPsec You must complete these tasks to configure GRE over IPsec: 1. Create a GRE tunnel for the traffic that you want to secure with GRE over IPsec. See “Create a GRE Tunnel” on page 7-107. 2. Create an IKEv1 policy, if desired.
3. Create an IPsec proposal. The mode is typically transport mode because the TMS zl Module generates the GRE packets, but you can also use tunnel mode. You can configure other settings as you choose, making sure to match them on the remote tunnel endpoint. See “Create an IPsec Proposal” on page 7-53. If you have an appropriate proposal, you can use the existing proposal. 4. Create an IPsec policy.
Virtual Private Networks Configure Firewall Access Policies for Your VPN Configure Firewall Access Policies for Your VPN You must configure firewall access policies that allow the encapsulated traffic as well as the decrypted traffic.
5. Allow IKE messages from the remote gateway. a. For Action, accept the default: Permit Traffic. b. For From, select the remote zone. c. For To, select Self. d. For Service, select isakmp. e. For Source, specify the IP address that you configured for the remote gateway in the IKE policy.
d. For Service, select isakmp. e. For Source, leave Any Address or specify the local gateway IP address. f. For Destination, specify the remote gateway IP address. Figure 7-89. Add Policy Window g. Click Apply. 7. Permit traffic from the local endpoints to the remote endpoints: a. For Action, leave the default, Permit Traffic. b. For From, select the local zone. c. For To, select the remote zone. d.
In the most basic setup, these are the same IP addresses configured as remote addresses in the IPsec traffic selector. Figure 7-90. Add Policy Window g. Click Apply. 8. Permit traffic from the remote endpoints to the local endpoints: a. For Action, leave the default, Permit Traffic. b. For From, select the remote zone. c. For To, select the local zone. d. For Service, leave Any Service. This is the most basic configuration.
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the gateways), you must create access policies to allow the NAT-T traffic between the remote gateway and the module and vice versa: a. For Action, accept the default: Permit Traffic. b. For From, select the remote zone. c. For To, select Self. d. For Service, select ipsec-nat-t-udp. e. For Source, specify the remote gateway’s address.
4. Permit traffic from the local endpoints to the remote endpoints: a. For Action, leave the default, Permit Traffic. b. For From, select the local zone. c. For To, select the remote zone. d. For Service, leave Any Service. This is the most basic configuration. You could also create access policies that permit only certain services. e. For Source, specify the local IP addresses allowed to send traffic on the VPN.
5. Permit traffic from the remote endpoints to the local endpoints: a. For Action, leave the default, Permit Traffic. b. For From, select the remote zone. c. For To, select the local zone. d. For Service, leave Any Service. This is the most basic configuration. You could also create access policies that permit only certain services. e. For Source, specify the remote IP addresses allowed to send traffic on the VPN. f. 6.
d. For Service, select isakmp. e. For Source, accept the default, Any Address. If you know the public addresses of all of your remote endpoints, you could create a named object with those addresses and specify that object here. However, allowing any IP address is the easiest way to set up the VPN. IKE will provide authentication, ensuring that only the correct endpoints can connect. f.
f. For Destination, accept the default, Any Address. If you know the public addresses of all of your remote endpoints, you could create a named object with those addresses and specify that object here. However, allowing any IP address is the easiest way to set up the VPN. g. Click Apply. 5. If you do not enforce XAUTH, move directly to step 6 on page 7-120.
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the remote endpoints and the module), you must create two access policies to allow the NAT-T traffic: a. For Action, accept the default: Permit Traffic. b. For From, select the remote zone. c. For To, select Self. d. For Service, select ipsec-nat-t-udp. e. For Source, specify Any Address.
You should also determine the zone for local endpoints allowed on the VPN. This might be the Internal zone or another zone. The instructions below will refer to this zone as the “local zone.” Finally, you must remember the name of the user group (or groups) that you configured for L2TP dial-in users. Some of the access policies will be configured for those groups. 1.
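The two procedures above (site-to-site in steps 5 through 9, client-to-site in steps 4 through 9) build the same shape of rule set: IKE to and from the module, the tunneled traffic in both directions between the local and remote zones, and NAT-T only when NAT sits on the path. The following is an added example, not code from the TMS zl Module or this guide, that models those policies as first-match rules with a default deny and evaluates sample packets against them, so you can see which packet each rule exists for and what is dropped when a rule is missing. The zone names External (remote zone), Internal (local zone) and Self, the addresses, and the port definitions behind the isakmp and ipsec-nat-t-udp service names are assumptions for the example.

```python
"""Model of the zone-based firewall access policies an IPsec VPN needs on the
TMS zl Module, and a first-match evaluator to check that the expected packets
get through.

Added example, not the module's own code. Zone names "External" (remote
zone), "Internal" (local zone) and "Self" (the module), the addresses and
the service definitions are assumptions for the example; the service names
are the ones the guide uses (isakmp, ipsec-nat-t-udp).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# service name -> (transport protocol, destination port); "any" matches everything
SERVICES = {
    "isakmp": ("udp", 500),            # IKE
    "ipsec-nat-t-udp": ("udp", 4500),  # IKE and ESP behind NAT (NAT-T)
    "any": None,
}


@dataclass(frozen=True)
class Policy:
    action: str               # "permit" or "deny"
    src_zone: str             # From
    dst_zone: str             # To
    service: str
    source: str = "any"       # address or network, or "any"
    destination: str = "any"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src: str
    dst: str


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _service_match(service: str, pkt: Packet) -> bool:
    spec = SERVICES[service]
    return spec is None or (pkt.proto, pkt.dport) == spec


def evaluate(policies: List[Policy], pkt: Packet) -> str:
    """First matching policy wins; anything unmatched is denied."""
    for p in policies:
        if (p.src_zone == pkt.src_zone and p.dst_zone == pkt.dst_zone
                and _service_match(p.service, pkt)
                and _addr_match(p.source, pkt.src)
                and _addr_match(p.destination, pkt.dst)):
            return p.action
    return "deny"


def site_to_site_policies(remote_gw: str, local_net: str, remote_net: str,
                          nat_t: bool = False) -> List[Policy]:
    """Steps 5 to 9 of the site-to-site procedure: IKE both ways, tunneled
    traffic both ways, and NAT-T only when NAT sits between the gateways."""
    policies = [
        Policy("permit", "External", "Self", "isakmp", remote_gw, "any"),
        Policy("permit", "Self", "External", "isakmp", "any", remote_gw),
        Policy("permit", "Internal", "External", "any", local_net, remote_net),
        Policy("permit", "External", "Internal", "any", remote_net, local_net),
    ]
    if nat_t:
        policies += [
            Policy("permit", "External", "Self", "ipsec-nat-t-udp", remote_gw, "any"),
            Policy("permit", "Self", "External", "ipsec-nat-t-udp", "any", remote_gw),
        ]
    return policies


def client_to_site_policies(local_net: str, nat_t: bool = False) -> List[Policy]:
    """Steps 4 to 9 of the client-to-site procedure. Client addresses are not
    known in advance, so IKE and NAT-T are open to any source; IKE
    authentication, not the firewall, decides who may connect."""
    policies = [
        Policy("permit", "External", "Self", "isakmp"),
        Policy("permit", "Self", "External", "isakmp"),
        Policy("permit", "Internal", "External", "any", local_net, "any"),
        Policy("permit", "External", "Internal", "any", "any", local_net),
    ]
    if nat_t:
        policies += [
            Policy("permit", "External", "Self", "ipsec-nat-t-udp"),
            Policy("permit", "Self", "External", "ipsec-nat-t-udp"),
        ]
    return policies


if __name__ == "__main__":
    # constructed addresses: remote gateway 198.51.100.7, module 203.0.113.1
    rules = site_to_site_policies("198.51.100.7", "10.1.0.0/16", "10.2.0.0/16")
    for pkt in [
        Packet("External", "Self", "udp", 500, "198.51.100.7", "203.0.113.1"),   # IKE
        Packet("External", "Self", "udp", 4500, "198.51.100.7", "203.0.113.1"),  # NAT-T, no rule
        Packet("External", "Internal", "tcp", 80, "10.2.5.5", "10.1.0.20"),     # tunneled
        Packet("External", "Internal", "tcp", 80, "10.9.5.5", "10.1.0.20"),     # not in selector
    ]:
        print(pkt.proto, pkt.dport, pkt.src, "->", pkt.dst, evaluate(rules, pkt))
```

Two things the evaluation makes visible. First, the NAT-T rules are not optional once a NAT device appears on the path: without them the UDP 4500 packets are silently denied and IKE appears to hang after the first exchange. Second, the tunneled-traffic rules are where you can be strict; the guide's "Any Service" is the simplest starting point, but narrowing Source and Destination to the traffic selector's networks, as the example does, ensures a misconfigured remote site cannot reach anything beyond what the VPN was built for.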
Figure 7-93. Add Policy Window g. Click Apply. 4. Allow IKE messages to the remote endpoints. a. For Action, leave the default, Permit Traffic. b. For From, select Self. c. For To, select the remote zone. d. For Service, select isakmp. e. For Source, leave Any Address or specify the local gateway IP address. f. For Destination, leave Any Address. 5. Permit L2TP traffic from the remote endpoints: a.
e. For Source, accept the default, Any Address. If you know the public addresses of all of your remote endpoints, you could create a named object with those addresses and specify that object here. f. For Destination, leave Any Address or specify the local gateway IP address. Figure 7-94. Add Policy Window g. Click Apply. 6. Permit L2TP traffic from the module to the remote endpoints: a.
g. Click Apply. 7. You must consider the user group in which you want to configure the remaining access policies. The TMS zl Module applies the access policies for the None user group to all users. Therefore, you can configure access policies to control the remote users’ traffic from the None user group. However, you might want to create access policies that apply to specific groups.
11. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the remote endpoints and the module), you must create two access policies to allow the NAT-T traffic: a. Verify that for User Group, None is selected. b. For Action, accept the default: Permit Traffic. c. For From, select the remote zone. d. For To, select Self. e. For Service, select ipsec-nat-t-udp. f.
Finally, determine the zone for local endpoints that are allowed to send traffic over the tunnel. The instructions below will refer to this zone as the “local zone.” 1. In the left navigation bar of the Web browser interface, click Firewall > Access Policies. 2. If you have not already done so, create a service object for GRE: Note You could alternatively specify the service manually when you create policies. a.
e. For Source, specify the actual IP address of the remote tunnel endpoint. This is the IP address configured as the remote address in the GRE tunnel. It is different from the address configured on the subnet reserved for the tunnel. You can select a previously-configured address object or type the IP address manually. (Click Options and select the custom option.) f.
d. For Service, specify the object that you configured for GRE. e. For Source, leave Any Address or specify an actual module IP address on a TMS VLAN that the remote endpoint can reach. This is the IP address configured as the local address in the GRE tunnel. It is different from the address configured on the subnet reserved for the tunnel. f. For Destination, specify the actual IP address of the remote tunnel endpoint.
Figure 7-97. Add Policy Window g. Click Apply. 8. If necessary, repeat the previous step to permit other traffic (for example, if you configured multiple tunnel traffic selectors). 9. Permit remote traffic that arrives on the tunnel: a. For Action, leave the default, Permit Traffic. b. For From, select the tunnel zone. c. For To, select the local zone. d. For Service, leave Any Service. This is the most basic configuration.
Access Policies for a GRE Tunnel over IPsec Before you begin configuring firewall access policies, determine the zone on which traffic from the remote tunnel gateway arrives. This is the zone associated with the TMS VLAN on which the tunnel’s local IP address is configured. The instructions below will refer to this zone as the “remote zone.
3. Click the Unicast tab. 4. Click Add a Policy. 5. Allow GRE traffic from the remote tunnel endpoint: a. For Action, leave the default Permit Traffic. b. For From, select the remote zone. c. For To, select Self. d. For Service, specify GRE. e. For Source, specify the public IP address of the remote tunnel endpoint. You can select a previously-configured address object or type the IP address manually.
6. 7. Allow GRE traffic from the TMS zl Module to the remote tunnel endpoint: a. For Action, leave the default Permit Traffic. b. For From, select Self. c. For To, select the remote zone. d. For Service, specify GRE. e. For Source, leave Any Address or specify the IP address that you configured for the local endpoint IP address. f. For Destination, specify the public IP address of the remote tunnel endpoint. g.
Figure 7-100. Add Policy Window g. Click Apply. 8. If you are using IKE, permit IKE messages from the TMS zl Module to the remote tunnel endpoint: a. For Action, leave the default Permit Traffic. b. For From, select Self. c. For To, select the remote zone. d. For Service, select isakmp. e. For Source, leave Any Address or specify the IP address configured for the local gateway in the IKE policy. f.
Figure 7-101. Add Policy Window g. Click Apply. 9. Permit local traffic that is sent across the tunnel: a. For Action, leave the default, Permit Traffic. b. For From, select the local zone. c. For To, select the tunnel zone. d. For Service, leave Any Service. This is the most basic configuration. You could also permit only certain types of traffic. e.
Figure 7-102. Add Policy Window g. Click Apply. 10. If necessary, repeat step 9 to permit other traffic (for example, if you configured multiple tunnel traffic selectors). 11. Permit remote traffic that arrives on the tunnel: a. For Action, leave the default, Permit Traffic. b. For From, select the tunnel zone. c. For To, select the local zone. d. For Service, leave Any Service. This is the most basic configuration.
Virtual Private Networks Verify Routes for the VPN 12. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the gateways), you must create access policies to allow the NAT-T traffic between the remote gateway and the module and vice versa: a. For Action, accept the default: Permit Traffic. b. For From, select the remote zone. c. For To, select Self. d. For Service, select ipsec-nat-t-udp. e. For Source, specify the remote gateway’s address. f.
Verify that the following routes exist for a client-to-site VPN: ■ A route to the remote endpoints The route’s forwarding interface must be the interface with the IP address that you specified as the local gateway address in the IKE policy. This can be a default route.
Figure 7-103.
Virtual Private Networks Configure the VPN Client Configure the VPN Client See the sections below for guidelines for configuring your VPN client: ■ “Configure a ProCurve VPN Client” on page 7-140 ■ “Configure IPSecuritas for Macintosh VPN Client” on page 7-153 ■ “Configure a Windows Vista Client for L2TP over IPsec” on page 7-222 Configure a ProCurve VPN Client This section includes step-by-step instructions for configuring a ProCurve VPN Client to establish an IPsec connection to the TMS zl Module.
Figure 7-104. Security Policy Editor Window 3. Right-click the My Connections folder and click Add > Connection. 4. Type a meaningful name for the new connection. 5. If you desire, under Connection Security, select the Only Connect Manually check box.
Figure 7-105. Security Policy Editor Window (Connection Added) 6. Under Remote Party Identity and Addressing, you specify the addresses in the internal network that the remote client can reach. These settings must match the local addresses in the traffic selector of the TMS zl Module’s IPsec policy: a. For ID Type, select the type of value or object configured for the Local Address in the module’s traffic selector.
c. For Protocol, match the protocol selected in the module’s IPsec policy traffic selector. If the module’s setting is Any, leave the default All. d. If you selected TCP or UDP for Protocol, for Port, select a service that matches the Local Port in the TMS zl Module’s IPsec policy traffic selector. 7. Select the Connect Using Secure Gateway Tunnel check box. 8. For ID Type, select the local ID type in the module’s IKE policy.
Figure 7-107. ProCurve VPN Client—Security Policy Editor—New Connection > My Identity Window 11. Configure authentication settings to match the settings on the TMS zl Module: • If you selected RSA Signature or DSA Signature for the authentication method in the TMS zl Module IKE policy, you can leave the default setting for Select Certificate: Select automatically during IKE negotiation. You must, however, install a valid certificate on the endpoint.
Figure 7-108. ProCurve VPN Client—Security Policy Editor— Pre-Shared Key Window iii. Click Enter Key and type the preshared key that you specified in the module’s IKE policy. iv. Click OK. 12. For ID Type, match the remote ID type in the TMS zl Module’s IKE policy. 13. If you selected None for Select Certificate and Domain Name or E-mail Address for ID Type, you must configure the ID value.
Figure 7-109. ProCurve VPN Client—Security Policy Editor—My Identity Note that the module’s IKE policy might use wildcards, which allows multiple values to match the policy. For example, the remote ID type and value in the module’s IKE policy might be Email Address and *@procurve.com. In the My Identity window, you would select E-mail Address for ID Type. You could then type, for example, user1@procurve.com in the box below.
Figure 7-110. ProCurve VPN Client—Security Policy Editor—Authentication Proposal Window 16. In the right pane, configure security settings to match those in the TMS zl Module’s IKE policy: a. For Encrypt Alg, select the encryption algorithm specified on the module. b. For Hash Alg, select the authentication algorithm specified on the module. c. For SA Life, select Seconds. Then type the number of seconds configured on the module. d.
Table 7-9. Default TMS zl Module IKE Settings

Parameter                   Default Setting
Authentication Algorithm    MD5
Encryption Algorithm        3DES
SA Life                     28800 seconds
Diffie-Hellman (DH) Group   1

17. If you enabled the XAUTH server in the module’s IKE policy, for Authentication, select Preshared Key; Extended Authentication. 18. In the left navigation pane, expand Key Exchange (Phase 2) and click Proposal 1. Figure 7-111.
– If the setting for kilobytes on the module is 0, select Seconds. In the Seconds box, type the number of seconds configured on the module. – If the module has a non-zero setting for both seconds and kilobytes, select Both. Match the seconds and kilobytes settings on the module in the Seconds and KBytes boxes. b. If the module’s IPsec proposal specifies ESP for the protocol, select the Encapsulation Protocol (ESP) check box.
Figure 7-112. ProCurve VPN Client—Security Policy Editor—Security Policy 21. For Select Phase 1 Negotiation Method, match the Key Exchange Mode setting in the TMS zl Module’s IKE policy. Select either Main Mode or Aggressive Mode. 22. If you enabled PFS in the module’s IPsec policy, select the Enable Perfect Forward Secrecy (PFS) check box. For PFS Key Group, match the group setting in the module’s IPsec policy. 23. Click the Save button. 24.
sary routes should be in place on the TMS zl Module. In this configuration, the TMS zl Module reaches remote clients on a VLAN in the External zone (which is a typical configuration). Table 7-11.
Parameter         Valid Settings                                                 Configuration Window
IPsec policy                                                                     Add IPsec Policy—Step 1 of 4
  Action          Apply
  Position        Any position
  Protocol        Matches the setting configured in step 6c on page 7-143
  Local Address   Matches the settings configured in step 6 on page 7-142
  Local Port      Matches the settings configured in step 6d on page 7-143
  Remote Address  Any
  Remote Port     Empty
  Proposal        IPsec proposal that you created for the IPsec connection
  IKEv1 Policy
Parameter                 Valid Settings                                                          Configuration Window
Firewall access policies  User Group None:                                                        Add Policy
                          • Permit  Self  External  isakmp  Any  Any
                          • Permit  External  Self  isakmp  Any  Any
                          • Other access policies that control traffic from the remote client
                          If XAUTH is enabled: User Group, access policies that control            Add Policy
                          traffic from the remote client
Configure IPSecuritas for Macintosh VPN Client This section includes s
Virtual Private Networks Configure the VPN Client Figure 7-113. IPSecuritas—Certificate Manager > Certificates Tab b. 7-154 Create a certificate request for the IPSecuritas client: i. Click the Requests tab.
Virtual Private Networks Configure the VPN Client Figure 7-114. IPSecuritas—Certificate Manager > Requests Tab ii. Click the icon to add a request. iii. For Request name, type a meaningful name. iv. For Common name, type the name (often, the client’s FQDN). When the TMS zl Module’s IKE policy remote ID is set to Distinguished Name for type, the remote ID value must match what you type here. For example, if you type user1.procurvebranch.com for the client’s common name, you must type /CN=user1.
Figure 7-115. IPSecuritas—Certificate Manager (Create Request)
vii. Click OK.
c. Submit the certificate request to the CA that signed the TMS zl Module’s certificate.
d. After you receive the certificate from the CA, import it into IPSecuritas:
i. Copy the certificate file to the Macintosh endpoint.
ii. Open IPSecuritas and the Certificate Manager.
Figure 7-116. IPSecuritas—Certificate Manager > Certificates Tab (Import a Certificate Icon)
iii. In the Certificates tab, click the Import Certificate from a File icon.
iv. Browse to the certificate file.
v. For Certificate type, select PEM/DER encoded certificate without private key.
Figure 7-117. IPSecuritas—Certificate Manager (Import Client Certificate)
vi. Click Import.
vii. You should see a message indicating that the import was successful.
Figure 7-118. IPSecuritas—Matching Request Found Window
e. Install the TMS zl Module’s certificate:
i. Copy the certificate to the Macintosh endpoint.
ii. In the Certificates tab of the IPSecuritas Certificate Manager, click the Import Certificate from a File icon.
iii.
v. Click Import.
vi. You should see a message indicating that the certificate imported successfully.
3. In the IPSecuritas menu, click Connections > Edit Profiles to open the Profile Manager.
Figure 7-119. IPSecuritas—Profile Manager
4. Click the Add Profile icon.
Figure 7-120.
5. Specify a meaningful name, for example, VPN–MainCampus.
6. Close the Profile Manager.
Figure 7-121. IPSecuritas
7. For Profile, select the profile that you just created.
Figure 7-122. IPSecuritas—Connections > Edit Connections
8. Click Connections > Edit Connections.
Figure 7-123. IPSecuritas—Connections > General Tab
9. Click the Add Connections icon.
10. Specify a meaningful name for the connection, such as Main Campus.
Figure 7-124. IPSecuritas—Connections > General Tab
11. Click the General tab.
12. For Remote IPSec Device, type the IP address at which the client reaches the TMS zl Module. Often, this is the same address that the module’s IKE policy specifies as the local gateway. However, if NAT is performed on this module IP address, you must specify the NAT address.
13.
b. For Remote Side, select the Endpoint Mode:
  – Host — Specifies one IP address on the internal network that the client is permitted to access. Type the address in the IP Address field.
  – Network — Specifies the internal subnet that the client is permitted to access. For Network Address, type the address of the subnet. For Network Mask (CIDR), type the number of bits in the network mask.
Figure 7-125. IPSecuritas—Connections > Phase 1 Tab
15. Accept the remaining defaults and click the Phase 2 tab.
16. Configure the following settings, which must match settings in the TMS zl Module’s IPsec proposal and IPsec policy:
a. For Lifetime, select Seconds and type a value in the box.
b. For PFS Group, select one of the following:
  – 768 (1) — DH group 1
  – 1024 (2) — DH group 2
  – 1536 (5) — DH group 5
c.
Figure 7-126. IPSecuritas—Connections > Phase 2 Tab
17. Click the ID tab and configure the following settings, which correspond to the identities and authentication method in the TMS zl Module IKE policy:
a. Local Identifier—Select the identity type for the local endpoint (remote ID on the module) and type the value in the box provided, if any:
  i. User FQDN—Specify an email address in the box.
  ii. FQDN—Specify a domain name in the box.
  iii.
c. Authentication Method—Configure one of these options:
  – Select Preshared Key. In the Preshared Key box that is displayed, type the key that you specified in the TMS zl Module IKE policy.
  – Select Certificates. For Local Certificate, select the certificate that you installed for the client. For Remote Certificate, select the certificate that you installed for the TMS zl Module.
Figure 7-127. IPSecuritas—Connections > ID Tab
18.
Figure 7-128. IPSecuritas—Connections > Options Tab
21. If you are using certificates for authentication, you must select these check boxes:
  • Request Certificate
  • Verify Certificate
  • Send Certificate
22. Close the Connections window.
Figure 7-129.
23. In the IPSecuritas main menu, click Preferences.
Figure 7-130. IPSecuritas—Preferences Window
24. Ensure that the Randomize and Exclusive Trail check boxes are selected. Accept the rest of the defaults and close the Preferences window.
Figure 7-131.
25. To connect, select the profile that you just created. Then select the connection that you just configured.
26. Click Start.
TMS zl Module Settings
For this configuration to work, you must configure IPsec settings on the module as described in “Create an IKE Policy for a Client-to-Site IPsec VPN” on page 7-31 and “Configure an IPsec VPN Connection” on page 7-21. Valid settings are displayed in Table 7-12.
Table 7-12 (columns: Parameter; Valid Settings; Configuration Window)
Configuration window: Add IKE Policy—Step 2 of 3
  Key Exchange Mode: Main or Aggressive, as configured in step 14e on page 7-163
  Authentication Method: Preshared Key
  Preshared Key: same key as configured in step 17 on page 7-166
  Diffie-Hellman (DH) Group: matches the setting configured in step 14b on page 7-163
  Encryption Algorithm: matches the setting configured in step 14c on page 7-163
  Authentication Algorithm: matches the sett
Configuration window: Add IPsec Policy—Step 3 of 4
  Enable IP Address Pool for IRAS (Mode Config): check box is cleared. IPSecuritas does not support the TMS zl Module’s implementation of IKE mode config.
Configure a Windows XP SP2 Client for L2TP over IPsec
This section includes step-by-step instructions for configuring a Windows XP SP2 client to establish an L2TP over IPsec connection to the TMS zl Module. You have two options for configuring the client:
■ Use the New Connection Wizard and its default IPsec policies. Using the default policies is the easiest way to set up the connection.
Figure 7-132. Windows XP—New Connection Wizard
5. Click Next.
6. Select Virtual Private Network connection.
Figure 7-133.
7. Click Next.
8. For Company Name, type a meaningful name.
Figure 7-134. Windows XP—New Connection Wizard
9. Click Next.
Figure 7-135. Windows XP—New Connection Wizard
10. If the Public Network page is displayed, specify whether the client needs to make a dial-up connection. If the workstation’s Internet connection is through a dial-up connection, select that connection for Automatically dial this initial connection. Otherwise, select Do not dial the initial connection.
11. Click Next.
12.
Figure 7-136. Windows XP—New Connection Wizard
13. Click Next.
14. If the Smart Cards page is displayed, complete these steps:
a. Select Do not use my smart card.
Figure 7-137.
b. Click Next.
Figure 7-138. Windows XP—New Connection Wizard
15. If prompted, select whether only the current user can make this connection or all users on this workstation. Click Next.
Figure 7-139.
16. If you want, select the Add a shortcut to this connection to my desktop check box. Click Finish.
17. The Connect window should be displayed.
Figure 7-140. Connect Window
18. Click Properties to open the Properties window.
19. Click the Networking tab.
20. For Type of VPN, select L2TP IPSec VPN.
Figure 7-141. Windows XP—Properties Window > Networking Tab
21. Select Internet Protocol (TCP/IP) in the This connection uses the following items box and click Properties.
22. Ensure that Obtain an IP address automatically and Obtain DNS server address automatically are selected so that the TMS zl Module can assign these values while the client is visiting the private network. Click OK to exit.
23.
Figure 7-142. Windows XP—Properties Window > Security Tab
25. Click Settings next to Advanced (custom settings).
Figure 7-143. Windows XP—Advanced Security Settings
26. For Data encryption, ensure that Require encryption (disconnect if server declines) is selected.
27. Select Allow these protocols.
28. Clear the Microsoft CHAP Version 2 (MS-CHAP v2) check box. If it is not already selected, select the check box for the authentication protocol specified in the TMS zl Module L2TP dial-in user account.
Figure 7-144. Windows XP—IPSec Settings Window
b. Select the Use pre-shared key for authentication check box.
c. For Key, type the preshared key that you specified in the IKE policy on the TMS zl Module and click OK.
31. Click OK to close the Properties window and return to the Connect window.
Figure 7-145. Connect Window
32.
33. For Password, type the password that you specified for this dial-in user on the TMS zl Module. The password matches the setting in the Add Dial-In User—Step 2 of 3 window.
34. Click Connect. After a minute or so, you should see a message that informs you that the connection was successful.
TMS zl Module Settings for an L2TP over IPsec Connection to a Client Set Up with the Wizard
(Columns: Parameter; Valid Settings; Configuration Window; Matching Setting on the Windows XP Client)
Security Parameters Proposal: select one of these combinations:
  • DH Group = 2, Encryption Algorithm = 3DES, Authentication Algorithm = MD5, SA Lifetime in Seconds = 28800
  • DH Group = 2, Encryption Algorithm = 3DES, Authentication Algorithm = SHA-1, SA Lifetime in Seconds = 28800
  • DH Group = 1, Encryption Algorithm = DES, Authentication Algorithm = MD5, SA Lifetime in Seconds = 28800
  • DH Group = 1, Encryption Algori
IPsec policy (configuration window: Add IPsec Policy—Step 1 of 4)
  Action: Apply
  Position: any position
  Protocol: UDP
  Local Address: TMS zl Module’s public IP address (Windows XP client: matches the IP address set in step 12 on page 7-175)
  Local Port: 1701
  Remote Address: Any
  Remote Port: 1701
  Proposal: IPsec proposal that you created for the L2TP connection
  IKEv1 Policy: IKE policy that you created for the L
L2TP Dial-in User (one user for each client)
  Dial-In User Name: any unique string that you desire
  Server IP Address/Mask: any IP address in a private subnet not in use in your network
  User IP Address: any IP address that is:
    • in the same subnet as the server IP address
    • not assigned to another dial-in user
  Authentication: None
  Policy Group Name: the group on the
Firewall access policies (configuration window: Add Policy)
  User Group: None
    • Permit Self UDP 1701 Any Any
    • Permit Self UDP 1701 Any Any
    • Permit Self isakmp Any Any
    • Permit Self isakmp Any Any
  User Group: None
    • Permit External
Figure 7-146. Windows XP Registry Editor > HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters
4. Right-click the Parameters folder and click New > DWORD Value.
5. A new entry appears in the right panel. Name it ProhibitIpSec. Use the same spelling and capitalization as shown in Figure 7-147.
Figure 7-147.
6. Right-click ProhibitIpSec and click Modify.
7. For Value, type 1.
Figure 7-148. Windows XP—Edit DWORD Value Window
8. If you configured L2TP authentication in the Add Dial-in User—Step 1 of 3 window on the TMS zl Module, you must configure the shared secret in the client’s registry. See “Configuring the L2TP Shared Secret on the Windows Client” on page 7-267 for instructions.
9. Close the registry editor and restart the computer.
10.
Figure 7-150. Windows XP—IP Security Policy Wizard
14. In the IP Security Policy Wizard, click Next.
Figure 7-151. Windows XP—IP Security Policy Wizard > IP Security Policy Name Page
15. For Name, type a meaningful name such as TMS Remote Access.
16. Click Next.
17. Clear the Activate the default response rule check box.
Figure 7-152. Windows XP—IP Security Policy Wizard > Requests for Secure Communication Page
18. Click Next.
Figure 7-153. Windows XP—IP Security Policy Wizard > Completing the IP Security policy wizard Page
19. Leave the Edit properties check box selected and click Finish.
20. The Properties window is displayed. Clear the Use Add Wizard check box.
Figure 7-154. Windows XP—Properties Window
21. Click Add.
Figure 7-155.
22. In the New Rule Properties window, click Add on the IP Filter Lists tab.
23. In the IP Filter List window, for Name, type a meaningful string such as TMS L2TP Traffic.
Figure 7-156. Windows XP—IP Filter List Window
24. Clear the Use Add Wizard check box.
25. Click Add.
Figure 7-157. Windows XP—Filter Properties Window > Addressing Tab
26. In the Filter Properties window, the Addressing tab should be selected.
27. For Source address, select Any IP Address. Often, you want the TMS zl Module to use a single IPsec policy to negotiate connections to multiple remote clients. In this case, you would specify Any for the Remote Address in the IPsec policy traffic selector.
Figure 7-158. Windows XP—Filter Properties Window > Addressing Tab (Addresses Configured)
30. Select the Protocol tab.
31. For Select a protocol, select UDP.
32. In the Set the IP protocol port section, select From this port.
33. Type 1701 in the box below.
34. In the Set the IP protocol port section, select To this port.
35. Type 1701 in the box below.
Figure 7-159. Windows XP—Filter Properties Window > Protocol Tab
36. Click OK to close the Filter Properties window.
37. Click OK to close the IP Filter List window.
38. In the New Rule Properties window, select the IP filter list that you just created.
Figure 7-160. Windows XP—New Rule Properties Window (IP Filter Selected)
39. Click the Filter Action tab.
40. Clear the Use Add Wizard check box.
Figure 7-161. Windows XP—New Rule Properties Window > Filter Action Window
41. Click Add.
Figure 7-162. Windows XP—New Filter Action Properties Window
42. In the New Filter Action Properties window, click Add.
43. In the New Security Method window, select Custom.
Figure 7-163. Windows XP—New Security Method Window
44. Click Settings.
Figure 7-164.
45. In the Custom Security Method Settings window, select settings that match the IPsec proposal and IPsec policy settings on the TMS zl Module:
a. Select the Data integrity and encryption (ESP) check box.
b. For Integrity algorithm, match the authentication algorithm in the module’s IPsec proposal.
c. For Encryption algorithm, match the encryption algorithm in the module’s IPsec proposal.
d.
Figure 7-165. Windows XP—Custom Security Method Settings Window (Match Module’s Default Settings)
46. Click OK to close the Custom Security Settings window.
47. Click OK to close the New Security Method window.
48. In the New Filter Action Properties window, click the General tab.
Figure 7-166. Windows XP—New Filter Action Properties Window > General Tab
49. For Name, type a meaningful string such as TMS IPsec Negotiation.
50. Click OK to close the New Filter Action Properties window.
51. In the New Rule Properties window, select the Filter Action that you just created.
Figure 7-167. Windows XP—New Rule Properties Window > Filter Action Tab (Action Selected)
52. Click the Authentication Methods tab.
Figure 7-168. New Rule Properties Window > Authentication Methods Tab
53. Click Edit.
Figure 7-169.
54. Select the authentication method that matches the method specified in the TMS zl Module’s IKE policy:
  • If the module’s IKE policy specifies RSA Signature or DSA Signature, select Use a certificate from this certification authority (CA). Click Browse and navigate to the certificate for the CA that signed the TMS zl Module’s certificate.
Figure 7-170. Windows XP—Select Certificate
The CA certificate must be already installed on the remote endpoint.
Figure 7-171. Windows XP—Edit Authentication Method Properties Window (Preshared key selected)
55. Click OK.
56. Click Close to close the New Rule Properties window.
57. In the Properties window, click the General tab.
Figure 7-172. Windows XP—Properties Window > General Tab
58. Click Advanced.
Figure 7-173. Windows XP—Key Exchange Settings Window
59. If the TMS zl Module IPsec policy enables PFS, select the Master key perfect forward secrecy (PFS) check box. Then select the group that matches the DH group in the module’s IPsec policy.
60. In the minutes box under Authenticate and generate a new key after every, type a value that corresponds to the SA lifetime in the TMS zl Module’s IKE policy. Note that the setting on the Windows client is in minutes while the setting on the TMS zl Module is in seconds. Make sure to divide the number on the module by 60. For example, if you left the default setting on the module (28800 seconds), type 480 in the minutes box.
61. Click Methods.
Figure 7-174.
Figure 7-175. Windows XP—IKE Security Algorithms Window
64. Configure settings to match the settings in the TMS zl Module’s IKE policy:
a. For Integrity algorithm, match the module’s IKE authentication algorithm setting.
b. For Encryption algorithm, match the module’s IKE encryption algorithm setting.
c. For Diffie-Hellman Group, match the module’s DH group setting.
Table 7-15 displays the default settings for a TMS zl Module IKE policy.
Table 7-15.
Figure 7-176. Windows XP—Local Security Settings Window (Assign the Policy)
69. Open the Network Connections window.
70. Click New Connection Wizard.
71. The wizard is launched. Click Next.
72. Select Connect to the network at my workplace.
Figure 7-177.
73. Click Next.
Figure 7-178. Windows XP—New Connection Wizard > Network Connection Page
74. Select Virtual Private Network connection.
75. Click Next.
Figure 7-179. Windows XP—New Connection Wizard > Connection Name Page
76. For Company Name, type a meaningful name.
77. Click Next.
Figure 7-180.
78. If the Public Network page is displayed, specify whether the VPN connection should use a dial-up connection. If the workstation’s Internet connection is through a dial-up connection, select that connection for Automatically dial this initial connection. Otherwise, select Do not dial the initial connection.
79. For Host name or IP address, type the TMS zl Module’s public IP address or type an FQDN that resolves to this address.
Figure 7-182. Windows XP—New Connection Wizard
b. Click Next.
Figure 7-183. Windows XP—New Connection Wizard
82. If prompted, select whether only the current user can make this connection or all users on this workstation. Click Next.
83. Click Next.
Figure 7-184. Windows XP—New Connection Wizard > Completing the New Connection Wizard Page
84. If you want, select the Add a shortcut to this connection to my desktop check box. Click Finish.
85. The Connect window should display.
Figure 7-185.
86. Click Properties to open the Properties window.
87. Click the Networking tab.
88. For Type of VPN, select L2TP IPSec VPN.
Figure 7-186. Windows XP—Properties Window > Networking Tab
89. Select Internet Protocol (TCP/IP) in the This connection uses the following items box and click Properties.
90.
93. For Password, type the password that you specified for this dial-in user on the TMS zl Module.
94. Again, the password matches the setting in the Add Dial-In User—Step 2 of 3 window.
95. Click Connect. After a minute or so, you should see a message that informs you that the connection was successful.
TMS zl Module Settings for an L2TP over IPsec Connection to a Manually Configured Client
(Columns: Parameter; Valid Settings; Configuration Window; Matching Setting on the Windows XP Client (Manual Method))
IKE policy (configuration window: Add IKE Policy—Step 2 of 3)
  Key Exchange Mode: Main Mode
  Authentication Method: Preshared Key, RSA Signature, or DSA Signature (Windows XP client: the setting in the Edit Authentication Methods window, step 54 on page 7-206)
  Preshared Key (if Preshared key was selected): matches the string configured on the remote client (Windows XP client: the string in the Edit Authentication Methods window (s
IPsec policy (configuration window: Add IPsec Policy—Step 1 of 4)
  Action: Apply
  Position: any position
  Protocol: UDP (Windows XP client: Protocol in the IP filter, step 31 on page 7-195)
  Local Address: TMS zl Module’s public IP address; matches the IP address set in step 12 on page 7-175 (Windows XP client: Destination address in the IP filter, step 28 on page 7-194)
  Local Port: 1701 (Windows XP client: To this port in the IP filter, step 35 on
L2TP Dial-in User (one user for each client)
  Dial-In User Name: any unique string that you desire
  Server IP Address/Mask: any IP address in a private subnet not in use in your network
  User IP Address: any IP address that is:
    • in the same subnet as the server IP address
    • not assigned to another dial-in user
  Authentication: • • • • Preshared Key N
Firewall access policies (configuration window: Add Policy)
  User Group: None
    • Permit Self UDP 1701 Any Any
    • Permit Self UDP 1701 Any Any
    • Permit Self isakmp Any Any
    • Permit Self isakmp Any Any
  User Group: None
    • Permit External Any
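The settings tables above (Table 7-12 for IPSecuritas, the Windows XP tables, and the seconds-to-minutes rule in step 60) all say the same thing: the client profile must agree with the module's IKE and IPsec policies. As an added example that is not code from the HP guide or from the module, the following Python script encodes those matching rules and reports every mismatch between a set of module settings and a client profile. The dictionary layout, the key names, the MODULE sample and the dial-in authentication protocol are assumptions constructed for this example.

```python
"""Consistency check between a TMS zl Module's IKE/IPsec settings and a
remote client profile (IPSecuritas on Mac OS X, or a Windows XP/Vista
L2TP over IPsec client). Added example; not code from the HP guide or
from the module. The dictionary layout, key names and sample values are
assumptions constructed for this example."""
import hmac

# IPSecuritas labels PFS/DH groups by modulus size; the module uses the
# DH group number (guide: 768 (1), 1024 (2), 1536 (5)).
IPSECURITAS_GROUP_TO_DH = {"768 (1)": 1, "1024 (2)": 2, "1536 (5)": 5}

# Constructed sample of module settings, using the guide's default values
# (DH group 2, 3DES, MD5, 28800-second SA lifetimes). The PSK is a dummy.
MODULE = {
    "ike_mode": "Main", "ike_dh_group": 2, "ike_encryption": "3DES",
    "ike_auth_alg": "MD5", "ike_lifetime_seconds": 28800,
    "auth_method": "Preshared Key", "preshared_key": "constructed-psk",
    "ike_remote_id_type": "Distinguished Name",
    "ike_remote_id": "/CN=user1.procurvebranch.com",
    "ipsec_pfs_group": 2, "ipsec_lifetime_seconds": 28800,
    "mode_config_enabled": False, "dialin_auth_protocol": "PAP",
}


def module_remote_id_for_dn(common_name: str) -> str:
    """Remote ID value the module's IKE policy needs when its remote ID type
    is Distinguished Name and the client certificate CN is `common_name`."""
    return "/CN=" + common_name.strip()


def windows_lifetime_minutes(module_lifetime_seconds: int) -> int:
    """Windows takes the IKE key lifetime in minutes; the module uses seconds.
    Refuse values that are not whole minutes instead of rounding silently."""
    if module_lifetime_seconds <= 0 or module_lifetime_seconds % 60:
        raise ValueError(f"{module_lifetime_seconds}s is not a whole number of minutes")
    return module_lifetime_seconds // 60


def check_ipsecuritas_profile(module: dict, client: dict) -> list:
    """Return the mismatches between the module and an IPSecuritas connection
    (the checks behind Table 7-12); an empty list means the settings agree."""
    problems = []
    # Phase 1 settings must equal the module's IKE policy.
    pairs = [("ike_mode", "exchange_mode", "key exchange mode"),
             ("ike_dh_group", "phase1_dh_group", "DH group"),
             ("ike_encryption", "phase1_encryption", "IKE encryption"),
             ("ike_auth_alg", "phase1_authentication", "IKE authentication")]
    for mkey, ckey, label in pairs:
        if module[mkey] != client.get(ckey):
            problems.append(f"{label}: module={module[mkey]!r} client={client.get(ckey)!r}")
    # Authentication: identical PSK, or a module remote ID derived from the client CN.
    if module["auth_method"] == "Preshared Key":
        if not hmac.compare_digest(module["preshared_key"].encode(),
                                   client.get("preshared_key", "").encode()):
            problems.append("preshared key differs from the module's IKE policy")
    elif module["ike_remote_id_type"] == "Distinguished Name":
        expected = module_remote_id_for_dn(client.get("certificate_cn", ""))
        if module["ike_remote_id"] != expected:
            problems.append(f"module remote ID should be {expected!r}")
    # Phase 2: the PFS group label maps to a DH number; both lifetimes are in seconds.
    if IPSECURITAS_GROUP_TO_DH.get(client.get("pfs_group")) != module["ipsec_pfs_group"]:
        problems.append(f"PFS group: module DH {module['ipsec_pfs_group']} "
                        f"client {client.get('pfs_group')!r}")
    if module["ipsec_lifetime_seconds"] != client.get("phase2_lifetime_seconds"):
        problems.append("IPsec SA lifetime differs")
    # IPSecuritas cannot use the module's IKE mode config (IP address pool for IRAS).
    if module["mode_config_enabled"]:
        problems.append("clear Enable IP Address Pool for IRAS (Mode Config) on the module")
    return problems


def check_windows_l2tp_profile(module: dict, client: dict) -> list:
    """Return mismatches for a Windows XP/Vista L2TP over IPsec client.
    client["method"] is "wizard" or "manual" (hand-built IP Security policy)."""
    problems = []
    try:
        minutes = windows_lifetime_minutes(module["ike_lifetime_seconds"])
        if client.get("ike_lifetime_minutes") != minutes:
            problems.append(f"IKE lifetime: type {minutes} minutes on the client")
    except ValueError as err:
        problems.append(str(err))
    if client.get("method") == "manual":
        if module["ike_mode"] != "Main":
            problems.append("a manual Windows IPsec policy needs Main mode on the module")
        if client.get("ProhibitIpSec") != 1:
            problems.append("set REG_DWORD ProhibitIpSec=1 under "
                            "HKLM\\SYSTEM\\CurrentControlSet\\Services\\RasMan\\Parameters")
    if client.get("mschap_v2_enabled"):
        problems.append("clear the MS-CHAP v2 check box")
    if module["dialin_auth_protocol"] not in client.get("allowed_protocols", ()):
        problems.append(f"enable {module['dialin_auth_protocol']} to match the dial-in user account")
    return problems
```

Run it against a copy of your own module export and client profile before troubleshooting a failed negotiation; an empty list from both checks means the mismatch is somewhere other than these parameters.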
Before you configure the VPN connection, make sure to uninstall any other third-party VPN client; these clients can interfere with the Windows Vista client. Then follow these steps:
Figure 7-187. Windows Vista — Start > Run
1. On the Windows Vista client, click Start > Run. If your Start menu does not include the run command, you must customize the menu:
a. Right-click Start and click Properties.
b. Click Customize.
c.
2. In the Run window, type regedit and click OK.
3. Navigate to HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters.
Figure 7-189. Registry Editor — HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters
4. Click Edit > New > DWORD (32-bit) Value.
Figure 7-190. Registry Editor — Edit > New > DWORD (32-bit) Value
5. A new entry appears in the right panel. Name it ProhibitIpSec.
Figure 7-191. Registry Editor — Name REG_DWORD ProhibitIpSec
6. Right-click ProhibitIpSec and select Modify.
Figure 7-192. Registry Editor — Modify ProhibitIpSec
7. In the Edit DWORD (32-bit) Value window, type 1 in the Value data box and click OK.
Figure 7-193. Edit DWORD (32-bit) Value
8. If you configured L2TP authentication in the Add Dial-in User—Step 1 of 3 window on the TMS zl Module, you must follow the steps in “Configuring the L2TP Shared Secret on the Windows Client” on page 7-267.
9. Close the registry editor and restart the computer.
10. Click Start > Run.
11. Type secpol.msc and click OK.
12. Select IP Security Policies on Local Computer in the left pane.
Figure 7-194.
Figure 7-195. Windows Vista—IP Security Policy Wizard
14. In the IP Security Policy Wizard, click Next.
Figure 7-196. Windows Vista—IP Security Policy Wizard—IP Security Policy Name Page
15. For Name, type a meaningful name such as TMS Remote Access.
16. Click Next.
Figure 7-197. Windows Vista—IP Security Policy Wizard—Requests for Secure Communication Page
17. Make sure that the Activate the default response rule check box is not selected.
18. Click Next.
Figure 7-198. Windows Vista—IP Security Policy Wizard—Completing the IP Security policy wizard Page
19. Leave the Edit properties check box selected and click Finish.
20. The Properties window is displayed. Clear the Use Add Wizard check box.
Figure 7-199. Windows Vista—Properties Window
21. Click Add.
Figure 7-200. Windows Vista—New Rule Properties Window
22. In the New Rule Properties window, click Add in the IP Filter Lists section.
23. In the IP Filter List window, for Name, type a meaningful string such as TMS L2TP Traffic.
24. Clear the Use Add Wizard check box.
Figure 7-201. Windows Vista—IP Filter List Window
25. Click Add.
Figure 7-202. Windows Vista—Filter Properties Window > Addressing Tab
26. In the Filter Properties window, the Addressing tab should be selected.
27. For Source address, typically, leave Any IP Address selected. Often, you want the TMS zl Module to use a single IPsec policy to negotiate connections to multiple remote clients. In this case, you would specify Any for the Remote Address in the IPsec policy traffic selector.
This IP address must be the Local Gateway IP Address in the IKE policy configured on the TMS zl Module. It must also be the Local Address in the module’s IPsec policy traffic selector. Often, it is the IP address on a VLAN in the External zone.
Figure 7-203. Windows Vista—Filter Properties Window > Addressing Tab (Addresses Configured)
30. Select the Protocol tab.
31. For Select a protocol, select UDP.
32.
Figure 7-204. Windows Vista—Filter Properties Window > Protocol Tab
34. Click OK to close the Filter Properties window.
35. Click OK to close the IP Filter List window.
36. In the New Rule Properties window, select the IP filter list that you just created.
Figure 7-205. Windows Vista—New Rule Properties Window (IP Filter Selected)
37. Click the Filter Action tab.
Figure 7-206. Windows Vista—New Rule Properties Window > Filter Action Window
38. Clear the Use Add Wizard check box and click Add.
Figure 7-207. Windows Vista—New Filter Action Properties Window
39. In the New Filter Action Properties window, click Add.
Figure 7-208. Windows Vista—New Security Method Window
40. In the New Security Method window, select Custom.
41. Click Settings.
Figure 7-209. Windows Vista—Custom Security Method Settings Window
42. In the Custom Security Method Settings window, select settings that match the IPsec proposal and IPsec policy settings on the TMS zl Module:
a. Select the Data integrity and encryption (ESP) check box.
b. For Integrity algorithm, match the authentication algorithm in the module’s IPsec proposal.
c.
Table 7-17. Default TMS zl Module IPsec Settings (Parameter: Default Setting)
  Protocol: ESP
  Encryption Algorithm: 3DES
  Authentication Algorithm: MD5
  SA Lifetime in Seconds: 28800
  SA Lifetime in Kilobytes: 0 (None)
Figure 7-210. Windows Vista—Custom Security Method Settings Window (Match Module’s Default Settings)
43. Click OK to close the Custom Security Settings window.
Figure 7-211. Windows Vista—New Filter Action Properties Window > General Tab
46. For Name, type a meaningful string such as TMS IPsec Negotiation.
47. Click OK to close the New Filter Action Properties window.
48. In the New Rule Properties window, select the filter action that you just created.
Figure 7-212. Windows Vista—New Rule Properties Window > Filter Action Tab (Action Selected)
49. Click the Authentication Methods tab.
Figure 7-213. Windows Vista—New Rule Properties Window > Authentication Methods Tab
50. Click Edit.
Figure 7-214. Windows Vista—Edit Authentication Method Properties Window
51. Select the authentication method that matches the method specified in the TMS zl Module’s IKE policy:
  • If the module’s IKE policy specifies RSA Signature or DSA Signature, select Use a certificate from this certification authority (CA). Click Browse and navigate to the certificate of the CA that signed the TMS zl Module’s certificate.
Figure 7-215. Windows Vista—Edit Authentication Method Properties Window (Preshared Key Selected)
52. Click OK.
53. Click Close to close the New Rule Properties window.
Figure 7-216. Windows Vista—Properties Window > General Tab
54. In the Properties window, click the General tab.
55. Click Settings.
Figure 7-217. Windows Vista—Key Exchange Settings Window
56. If the TMS zl Module IPsec policy enables PFS, select the Master key perfect forward secrecy (PFS) check box. Then select the group that matches the DH group in the module’s IPsec policy.
57. In the minutes box under Authenticate and generate a new key after every, type a value that corresponds to the SA lifetime in the TMS zl Module’s IKE policy.
Figure 7-218. Windows Vista—Key Exchange Security Methods Window
59. To prevent the VPN client from sending unsupported parameters, remove the default security methods. Select each method and click Remove. (Click Yes to confirm the deletion.)
60. Click Add.
Figure 7-219.
61. Configure settings to match the settings in the TMS zl Module’s IKE policy:
a. For Integrity algorithm, match the module’s IKE authentication algorithm setting.
b. For Encryption algorithm, match the module’s IKE encryption algorithm setting.
c. For Diffie-Hellman Group, match the module’s DH group setting.
Table 7-18 displays the default settings for a TMS zl Module IKE policy.
Table 7-18.
Figure 7-221. Windows Vista—Control Panel
67. Double-click Network and Sharing Center.
Figure 7-222. Windows Vista—Control Panel > Network and Sharing Center
68. In the left navigation bar, click Set up a connection or network.
69. Select Connect to a workplace.
Figure 7-223. Windows Vista—Set up a connection or network > Choose a connection option Page
70. Click Next.
Figure 7-224. Windows Vista—Connect to a workplace > How do you want to connect Page
71. Click Use my Internet connection (VPN).
72. For Internet address, type the TMS zl Module’s public IP address. This IP address must be the Local Gateway IP Address in the IKE policy configured on the TMS zl Module. Often, it is the IP address on a VLAN in the External zone.
73. For Destination name, type a meaningful name for the connection.
74.
Figure 7-225. Windows Vista—Connect to a workplace > Type the Internet address to connect to Page
75. Click Next.
Virtual Private Networks Configure the VPN Client Figure 7-226. Windows Vista—Connect to a workplace > Type your username and password Page 76. For User Name, type the username that you specified for a dial-in user on the TMS zl Module. Note that the username must match the setting for User in the Add Dial-In User—Step 2 of 3 window not the setting for Dial-In User Name in the Add Dial-In User—Step 1 of 3 window. 77.
Figure 7-227. Windows Vista—Connect to a workplace > The connection is ready to use Page

80. Leave The connection is ready to use page open and return to the Network and Sharing Center window.

Figure 7-228. Windows Vista—Control Panel > Network and Sharing Center

81. In the left navigation bar, click Manage network connections.

Figure 7-229. Windows Vista—Network Connections Window

82. Double-click the connection that you just created.

Figure 7-230.

83. Click Properties.
84. Click the Security tab.
85. Select Advanced (custom settings).

Figure 7-231. Windows Vista—Properties Window > Security Tab

86. Click Settings.
87. Select Allow these protocols and clear the Microsoft CHAP Version 2 (MSCHAP v2) check box. Select the check box for the authentication protocol configured in the TMS zl Module’s dial-in user account.

Figure 7-232. Windows Vista—Advanced Security Settings

88. Click OK.
89. Click the Networking tab.
90. For Type of VPN, select L2TP IPSec VPN.

Figure 7-233. Windows Vista—Properties Window > Networking Tab

91. Select Internet Protocol Version 4 (TCP/IPv4) in the This connection uses the following items box and click Properties.
92. Ensure that Obtain an IP address automatically and Obtain DNS server address automatically are selected so that the TMS zl Module can assign these values while the client is visiting the private network. Click OK to exit.
93.
TMS zl Module Settings for an L2TP over IPsec Connection to a Windows Vista Endpoint

Table 7-19 displays the settings that should be established on the TMS zl Module to support the L2TP over IPsec connection. The table also displays the necessary firewall policies. Finally, note that VLANs and necessary routes should already be in place on the TMS zl Module.

Table 7-19.

Parameter | Valid Settings | Configuration Window | Matching Setting on the Windows Vista Client

Key Exchange Mode | Main Mode | Add IKE Policy—Step 2 of 3 |
Authentication Method | • Preshared Key • RSA Signature • DSA Signature | | Setting in the Edit Authentication Methods window (step 51 on page 7-245)
Preshared Key (if Preshared Key was selected) | Matches the string configured on the remote client | | String in the Edit Authentication Methods window (step 51 on

Action | Apply | Add IPsec Policy—Step 1 of 4 |
Position | Any position | |
Protocol | UDP | | Protocol in the IP filter (step 31 on page 7-234)
Local Address | TMS zl Module’s public IP address (matches the IP address set in step 12 on page 7-175) | | Destination address in the IP filter (step 29 on page 7-233)
Local Port | 1701 | | To this port in the IP filter (step 33 on page 7-234)
R

L2TP Dial-in User (one user for each client)
Dial-In User Name | Any unique string that you desire | |
Server IP Address/Mask | Any IP address in a private subnet not in use in your network | |
User IP Address | Any IP address that is: • In the same subnet as the server IP address • Not assigned to another dial-in user | |
Authentication | • • • • | |
Preshared Key | Not applicabl

Firewall access policies | | Add Policy |
User Group: None
• Permit Self UDP 1701 Any Any
• Permit Self UDP 1701 Any Any
• Permit Self isakmp Any Any
• Permit Self isakmp Any Any
User Group
• Permit External Any
To configure the same shared secret on the Windows 2000, XP, or Vista client, you must edit the registry by following these steps.

1. On the Windows Task bar, select Start > Run.
2. In the Run window, type regedit and click OK.
3. In the left pane of the Registry Editor, select HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Class.
4.

6. One by one, click the subdirectories until you find this value in the right pane: DriverDesc | REG_SZ | WAN Miniport (L2TP).

Figure 7-237. Registry Editor Window—DriverDesc Registry Entry

7. Select Edit > New > String Value.

Figure 7-238. Registry Editor Window

8. A new value appears in the right pane.

Figure 7-239. Registry Editor Window (New Value Added)

9. Name the value Password.

Figure 7-240. Registry Editor Window (New Value Named)

10. Right-click the value and select Modify.

Figure 7-241. Registry Editor Window—Modify Registry Entry

11. In the Value data field, type the shared secret.

Figure 7-242. Edit String Window

12. Click OK. The entry should appear as shown in Figure 7-243.

Figure 7-243. Registry Editor Window—Registry Entry Completed

13. Close the Registry Editor and restart the computer.
8 High Availability

Contents
Overview 8-2
Active-Standby Mode 8-2
Failover 8-3
Failover Process 8-4
Boot Order
High Availability Overview

Overview

High availability (HA) is a strategy for minimizing network downtime so that users can access the network with minimal interruption in the event that a network device fails. The best approach for providing HA for the Threat Management Services (TMS) zl Module is to implement an HA cluster—a group of modules that can take over the workload of another module if it fails. Two TMS zl Modules can be clustered for HA.

Figure 8-1. Active-Standby Mode

In active-standby mode, the master handles all network traffic, so the participant does not have any IP addresses on the TMS VLANs; therefore, you cannot access the Web browser interface for the participant. Any configuration changes must be made to the master and then synchronized to the participant. When you remove the master from an active-standby cluster, it will lose all of its TMS VLAN IP addresses.

If the cluster members are in different host switches, you must ensure the following:
■ The same VLANs are configured on both host switches.
■ There are redundant Layer 2 connections between the host switches.

See “Boot Order” on page 8-4 for more information.

Failover Process

The failover process for each HA mode is detailed below:
1. The master fails.
2.

3. The TMS VLAN settings that were configured on the cluster participant before it became a cluster member are permanently erased.
4. When the cluster master fails, the cluster participant becomes the cluster master without significant interruption.
5. When the former cluster master comes back online, it uploads the startup-config of the current cluster master and becomes the cluster participant.

has gone offline, so it assumes the role of master and begins to transmit gratuitous ARP messages over the network to associate the cluster’s IP addresses with the participant’s MAC addresses. In the meantime, the master continues to respond to ARP requests by associating its MAC addresses with the cluster’s IP addresses.

IDS/IPS and HA

If you use the intrusion detection/prevention (IDS/IPS) signatures on an HA cluster, it is recommended that you purchase one subscription for each cluster member, even though it is technically possible to operate the HA cluster if you register the master module only.
■ If you purchase one IDS/IPS subscription for the cluster master, you will be able to download the signature updates as long as the master is active.
High Availability Configuring High Availability

Configuring High Availability

Before you configure HA, review this summary of HA behavior and functionality:
■ Only one HA cluster (two modules) is supported in a single switch chassis.
■ You cannot install HA cluster members that are members of different clusters in the same switch chassis.
■ All cluster members must be running the same software version.

To configure HA settings, complete the following:
1. Back up the startup-config on the cluster master. Should you need to restore the startup-config, remember that it does not include the HA settings.
   a. On the cluster master, select System > Maintenance. Then click the Back Up/Restore tab.
   b. Click Back Up and save the configuration to your workstation.
2. Select System > Settings and click the High Availability tab.

Figure 8-2.

Both cluster members must use the same HA VLAN, and different clusters on the same subnet can use either the same HA VLAN or a different HA VLAN.

Note
It is highly recommended that you change the HA VLAN to a dedicated VLAN that does not carry general data traffic, even if you are not implementing HA. If you do not change the HA VLAN, general broadcast traffic will be received by the module on VLAN 1 and then dropped by the firewall.

Managing the Cluster

On the master of an HA cluster, the Sync Configuration Now button is active.

Figure 8-3. System > Settings > High Availability on the Cluster Master

■ Click Sync Configuration Now to propagate HA changes that you made on the master to the other cluster members. If the members of the cluster have different configurations when you synchronize the configuration, the participant will be rebooted with the new startup-config.
High Availability Updating Cluster Software

Updating Cluster Software

Warning
This operation will cause you to lose network connectivity for 15–30 minutes; therefore, you should plan these software updates for a low network-utilization time.

2. Click the Back Up/Restore tab.
3. Click Back Up. A window is displayed that prompts you to save the file to your workstation.
4. Select Save File and click OK.

Remove the Participant from the Cluster

In this step you will remove the participant from the cluster. You must do this to prevent the modules from attempting to establish (or maintain) the cluster while the two modules are using different software versions.

1.

5. Save the current configuration and reboot the module.

Syntax: boot
Reboots the module.

When asked if you would like to reboot the module and if you want to save the current configuration, type [y]. For example:

hostswitch(services-module-C:PR)# boot service
Device will be rebooted, do you want to continue [y/n]? y
Do you want to save the current configuration [y/n]? y
Saving running config...
Performing user initiated reboot.

1. When the participant finishes rebooting, access the host switch’s CLI and enter the Product OS context:

hostswitch# services 2

Replace with the letter of the chassis slot in which the module is installed. The prompt should look like the following:

hostswitch(tms-module-C)#

2. Enter the global configuration context for the module:

Syntax: configure terminal
Enters the configuration context for the module.

Rejoin the Participant to the Cluster

In this section, you will reconfigure the high availability settings on the participant and reestablish a cluster with the master. Perform these steps on the participant.

1. When the module has finished rebooting, access its Web browser interface.
2. Select System > Settings, then click the High Availability tab.
3. For Cluster Scheme, select Active-Standby.
4. For VLAN ID, type the cluster’s VLAN ID.

c. Verify that the participant is visible in the Cluster Devices table.

Figure 8-4.
9 Routing

Contents
Overview 9-3
Static Routing 9-4
Configuring Static Routes 9-5
Configuring a Default Gateway 9-7
Dynamic Routing

Areas 9-27
Stub Areas and Stub Routers 9-28
Backbone (Area 0) 9-29
NSSA 9-29
Normal
Routing Overview

Overview

This chapter provides instructions for configuring the module’s routing.

Routing Static Routing

If the module learns more than 10,000 routes in total through RIP or OSPF, routes after the 10,000th are not added to the routing table. The excess routes are “floating” routes: they exist but are not in the routing table. Both routes in the routing table and floating routes are shown in the Web browser interface and the CLI. See “Viewing Unicast Routes” on page 9-53.

Configuring Static Routes

To configure static routes, you must configure the following parameters:

■ Destination Type
  The TMS zl Module allows three destination types:
  • Network—select this option if the destination is a subnet.
  • Host—select this option if the destination is a specific device.
  • Default Gateway—select this option when creating a default route. See “Configuring a Default Gateway” on page 9-7.

When you configure a static route, the TMS zl Module requires you to enter a prefix length for the destination address. When the module looks for a route that matches a packet’s destination, it compares only the bits specified by the prefix.

■ Gateway Address
  The gateway address is the IP address of the router that is the next hop toward the destination. For example, for the TMS zl Module in Figure 9-1, Router A is the next hop to the network that is directly connected to Router B.

Figure 9-3. Add Static Route Window

3. For Destination Type, select the destination type: Network or Host.
4. The Destination Address depends on the destination type that you chose:
   • Network—type the IP address and subnet mask of the destination.
   • Host—type the IP address of the host.
5. For Gateway Address, type the IP address of the next-hop router.
6. For Metric, type a value to represent the distance to the destination address.

2. Click the Static Routes tab.
3. Click Add Static Route. The Add Static Route window is displayed.

Figure 9-4. Add Default Static Route Window

4. For Destination Type, select Default Gateway.
5. For Gateway Address, type the next-hop address.
6. For Metric, type 0.
7. Click OK. The route is now displayed in the Network > Routing > Static Routes window. You can configure only one default route for the module.
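The prefix-matching rule and the default-gateway procedure above, modelled as an added Python example (not code from the guide or from the module itself). A route is compared only on the bits covered by its prefix length, the most specific match wins, a Host destination is stored as a /32, and a single Default Gateway route (0.0.0.0/0) catches everything else. The route table, the addresses and the helper names (add_static_route, lookup, next_hop) are constructed for illustration.

```python
import ipaddress

# Destination types as offered in the Add Static Route window
NETWORK, HOST, DEFAULT_GATEWAY = "Network", "Host", "Default Gateway"


def add_static_route(routes, dest_type, address, gateway, metric):
    """Append a static route, mirroring the rules in the procedure above.

    routes    : list the new route is appended to
    dest_type : NETWORK ("10.1.3.0/24"), HOST ("10.1.3.7", stored as /32)
                or DEFAULT_GATEWAY (address ignored, stored as 0.0.0.0/0)
    """
    if dest_type == DEFAULT_GATEWAY:
        # The module accepts only one default route.
        if any(r["dest"].prefixlen == 0 for r in routes):
            raise ValueError("only one default route may be configured")
        net = ipaddress.ip_network("0.0.0.0/0")
    elif dest_type == HOST:
        net = ipaddress.ip_network(f"{address}/32")
    elif dest_type == NETWORK:
        net = ipaddress.ip_network(address, strict=False)
    else:
        raise ValueError(f"unknown destination type {dest_type!r}")
    routes.append({"dest": net,
                   "gateway": ipaddress.ip_address(gateway),
                   "metric": int(metric)})
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match: compare only the bits covered by each prefix,
    prefer the longest prefix, and break ties on the lower metric."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_key = None, None
    for r in routes:
        if ip in r["dest"]:                 # compares exactly prefixlen bits
            key = (r["dest"].prefixlen, -r["metric"])
            if best_key is None or key > best_key:
                best, best_key = r, key
    return best


def next_hop(routes, dst_ip):
    """Gateway for dst_ip as a string, or None when no route matches."""
    r = lookup(routes, dst_ip)
    return str(r["gateway"]) if r else None


# Constructed example table (addresses chosen for illustration only)
ROUTES = []
add_static_route(ROUTES, NETWORK, "10.1.3.0/24", "10.1.2.2", 1)
add_static_route(ROUTES, HOST, "10.1.3.7", "10.1.4.9", 1)
add_static_route(ROUTES, DEFAULT_GATEWAY, None, "172.16.1.2", 0)

if __name__ == "__main__":
    for dst in ("10.1.3.7", "10.1.3.8", "192.0.2.1"):
        print(dst, "->", next_hop(ROUTES, dst))
```

With the constructed table, 10.1.3.7 is sent to the host route's gateway, 10.1.3.8 to the /24 gateway, and any other address to the default gateway; a second Default Gateway entry is rejected, as the module's one-default-route rule requires.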
Routing Dynamic Routing

Dynamic Routing

As a network becomes larger and more complicated, manually configuring every route on every router becomes infeasible. Even when you use default routes and hub routers to minimize the number of routes individual routers must know, manually configuring routes for an expanding network can be time consuming.

so that you can select the best routing protocol (or protocols) for your network environment. If necessary, you can change which routes are chosen by altering the default metrics that a protocol assigns certain routes.

■ What information routers include in routing updates—With some routing protocols, routers exchange their entire routing tables. With other routing protocols, routers exchange only portions of the routing table.

Table 9-2. RIP and OSPF Comparison

Option | RIP | OSPF
Metric computation and route selection | Number of hops to the destination. | • Inverse bandwidth • Type of service (ToS) (rarely used)
Information in updates | Routers send the complete RIP routing table. |

On the other hand, routing protocols consume bandwidth as routers exchange updates and CPU time as routers calculate the best routes. In addition, a router that has been carelessly configured may send updates to unauthorized devices, creating a security vulnerability. However, a well-designed network eliminates many of these problems. Table 9-3 lists some advantages and disadvantages of RIP and OSPF. As you can see, each protocol has different best uses.
Routing RIP

RIP

RIP is a well-known and commonly used distance-vector routing protocol. RIP is simple to configure but can be slow to converge. Because route selection relies purely on hop count, RIP may not always generate the best routes. For example, LANs often include links of varying bandwidth, so the lowest hop count is not always the fastest or best route.

RIP Overview

Read this section if you are interested in learning more about how RIP functions on the TMS zl Module.

■ A different neighbor advertises a route with a lower metric. The module changes the route to list this neighbor as the next-hop address and enters the new metric.
■ The module does not receive information about the route for the entire length of the invalid interval. The module marks the route for deletion.

RIP Updates, v1 and v2

RIP update packets contain different information, depending on whether the RIP version is 1 or 2.

When the module discovers a new or better route to a destination from a RIPv2 packet, it enters the route with the next-hop IP address specified in the packet. If the next-hop IP address field is all zeros, the module assumes that the source of the packet is the next-hop IP address. (This assumption provides some backward compatibility with RIPv1.) RIPv1 interfaces broadcast their routing updates to the entire subnet. RIPv2 routers join the group for the RIPv2 multicast address (224.0.0.

Authentication with MD5 is more secure than simple password authentication. An attacker who intercepts a valid RIP packet can read the simple password, whereas a message digest is unique to each packet and cannot be generated without the secret key. Simple password authentication is most useful for ensuring that routers do not send messages into networks in the wrong area: configure a different simple password for each VLAN interface.

Poison Reverse

The TMS zl Module supports poison reverse: when the module receives a route to a network from a neighbor, it advertises a poison route (metric 16) to that network back to the neighbor. This feature is intended to prevent convergence problems by ensuring that routers do not advertise usable routes back to the routers from which they received them. Poison reverse is enabled by default. You can enable and disable poison reverse from the CLI.
Figure 9-5. Network > Routing > RIP Window

2. Select the Enable RIP check box.
3. Redistribute routes:
   a. Under Router Redistribution, for Default Metric, type a number between 1 and 15. The TMS zl Module advertises redistributed routes with this metric. You might want to raise the metric to indicate that redistributed routes are to networks that are further away. (This setting applies only to redistributed routes.

5. Click Enable RIP on an interface. The Enable RIP on Interface window is displayed.

Figure 9-6. Enable RIP on Interface Window

6. For Interface, select an interface from the list. The interfaces in the list are TMS VLANs and GRE tunnels configured on the module on which RIP is not already enabled.
7. For Version, select the version used by other routers on this subnet. The TMS zl Module does not support RIP compatibility mode, and a VLAN listening for v2 updates will reject v1 updates.

   • MD5—The module and other routers in this subnet authenticate each other with MD5 authentication.
     – For Key ID, type the key ID, which must match the ID on other routers in this subnet.
     – For Key, type the key, which must match the key on other routers in this subnet.
11. Click OK.
12. Repeat steps 5 through 11 for all of the VLANs on which you want to enable RIP.
13. Click Save.
14. Click Apply My Changes.
Figure 9-7. Example RIP Router Setup with TMS zl Modules

Below is a sample of the settings and routing tables on each module after all routes have been communicated.

TMS zl Module A Settings

This module must redistribute static and connected routes.

Table 9-6. Module A RIP Settings

VLAN | IP | Passive | Metric
2 | 10.1.2.1 | no | 1

Table 9-7. Module A Routing Table

Destination | Gateway | Metric | VLAN | Type
0.0.0.0/0 | 172.16.1.2 | 0 | vlan16 | static
10.1.1.0/24 | 10.1.1.1 | 1 | vlan1 | connected
10.1.2.0/24 | 10.1.2.1 | 1 | vlan2 | connected
10.1.3.0/24 | 10.1.2.2 | 3 | vlan2 | rip
10.1.4.0/24 | 10.1.4.1 | 1 | vlan4 | connected
10.1.5.0/24 | 10.1.2.

TMS zl Module B Settings

This module must redistribute connected routes.

Table 9-8. Module B RIP Settings

VLAN | IP | Passive | Metric
2 | 10.1.2.1 | no | 1
5 | 10.1.5.1 | no | 1

Table 9-9. Module B Routing Table

Destination | Gateway | Metric | VLAN | Type
0.0.0.0/0 | 10.1.2.2 | 3 | vlan2 | rip
10.1.1.0/24 | 10.1.2.1 | 3 | vlan2 | rip
10.1.2.0/24 | 10.1.2.2 | 1 | vlan2 | connected
10.1.3.0/24 | 10.1.3.1 | 1 | vlan3 | connected
10.1.4.0/24 | 10.1.2.1 | 3 | vlan2 | rip
10.1.5.0/24 | 10.1.5.

Table 9-11. Module C Routing Table

Destination | Gateway | Metric | VLAN | Type
0.0.0.0/0 | 10.1.5.1 | 5 | vlan5 | rip
10.1.1.0/24 | 10.1.5.1 | 5 | vlan5 | rip
10.1.2.0/24 | 10.1.5.1 | 3 | vlan5 | rip
10.1.3.0/24 | 10.1.5.1 | 3 | vlan5 | rip
10.1.4.0/24 | 10.1.5.1 | 5 | vlan5 | rip
10.1.5.0/24 | 10.1.5.2 | 1 | vlan5 | connected
10.1.6.0/24 | 10.1.6.1 | 1 | vlan6 | connected
10.1.7.0/24 | 10.1.6.2 | 3 | vlan6 | rip
172.16.1.0/30 | 10.1.5.

Destination | Gateway | Metric | VLAN | Type
10.1.7.0/24 | 10.1.7.1 | 1 | vlan7 | connected
172.16.1.0/30 | 10.1.6.1 | 7 | vlan6 | rip

Routing OSPF

OSPF

OSPF is a sophisticated routing protocol designed for large networks. Read the section below if you are interested in learning more about OSPF and how it functions on the TMS zl Module. If you are interested only in configuring OSPF on the module, move directly to “Enable OSPF” on page 9-39.
Because OSPF routers send each other more messages than RIP routers send, OSPF can consume more bandwidth. However, OSPF minimizes the number of packets routers must send in several ways. In point-to-point networks, only neighboring routers fully exchange their databases. In multicast networks, only one router (the DR) floods LSAs. Also, OSPF VLANs only send updates on their own link states rather than sending all routes discovered by the protocol, as RIP VLANs do.

OSPF defines specific rules for synchronizing databases with a minimum of traffic between routers. Any two routers running OSPF in the same VLAN are neighbors that could potentially send each other LSAs. However, not all neighbors establish full adjacency—that is, exchange LSAs. OSPF institutes protocols by which all routers can synchronize their databases without all of them exchanging LSAs.

a non-local area network to the ABR that advertised the summary for that area. When this traffic arrives in Area 0, the ABRs route it toward the correct area. When the traffic arrives in the new area, internal routers use intra-area routing to direct it to its destination. Autonomous system border routers (ASBRs) support external traffic (in networks with one area or with multiple areas). An ASBR connects to an external network and runs both OSPF and the external network’s routing protocol.

Internal routers in a stub area are stub routers. At least one router in the area communicates with an ABR in Area 0. The network that the two routers have in common is defined as part of the stub area, making the Area 0 router part of both Area 0 and the stub area. This topology prevents routers from processing superfluous information. Routers in the stub area deal primarily with intra-area LSAs.

an ASBR. Typically, OSPF would not permit the external routes to be distributed into the stub area. However, internal routers in an NSSA can receive specially defined LSAs for external routes.

Normal

A normal area is an area that does not fall into the categories listed above. Traffic can pass through normal areas to other areas, and routers in normal areas can receive external LSAs and inter-area LSAs.

LSA Type | Contains | Originated By | Link State ID | Flooded To
5—summary external links | • External network or range of external networks • Cost for the link • External 1 (E1) routes, which include external cost and the cost to the ASBR • External 2 (E2) routes, which only include external cost | An ASBR | External network address | • All ABRs • All internal routers in normal areas and the backbone • Not sent to internal routers in stub and total stub areas

All routers generate Type 1 LSAs, which

Route Computation

Routers use the information they receive from LSAs to assemble a topological database of the AS (or, if configured, area). This database includes:
■ All routers in the AS or area
■ All networks in the AS or area
■ All links in the AS or area
■ The cost for all links

The topological database for all routers in an AS (or area) is the same. Theoretically, any router could calculate a route to a destination for any other router.

OSPF Intervals

OSPF can be a relatively chatty protocol. For example, an interface sends its neighbor a hello message every 10 seconds to notify it that the link is still up. If necessary, you can change the hello and dead intervals. You configure these intervals for individual VLANs. (See “Enable OSPF on a VLAN” on page 9-42.)

Note
When you change an interface’s hello interval, you must remember to change its peer interface’s dead interval accordingly.
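The route computation described above, as an added Python example that is not code from the guide or the module: every router holds the same link-state database and runs a shortest-path-first (Dijkstra) calculation rooted at itself, so each router derives its own next hops from identical input. The link-state database LSDB, the router names A to D, the link costs and the function names spf and routing_table are constructed for this example.

```python
import heapq

# Constructed link-state database: router -> [(neighbor, cost), ...].
# Each entry stands for the router-LSA that router originated; costs are
# per outgoing link, as in OSPF, so the two directions may differ.
LSDB = {
    "A": [("B", 1), ("C", 5)],
    "B": [("A", 1), ("C", 1), ("D", 4)],
    "C": [("A", 5), ("B", 1), ("D", 1)],
    "D": [("B", 4), ("C", 1)],
}


def spf(lsdb, root):
    """Dijkstra over the LSDB from root.

    Returns {router: (total_cost, next_hop)}; the root maps to (0, None).
    """
    dist = {root: (0, None)}
    heap = [(0, root, None)]
    done = set()
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue                      # stale heap entry, already settled
        done.add(node)
        for nbr, link_cost in lsdb.get(node, []):
            if nbr in done:
                continue
            new_cost = cost + link_cost
            # The next hop is the neighbor itself when leaving the root,
            # otherwise it is inherited from the path that reached `node`.
            hop = nbr if node == root else first_hop
            if nbr not in dist or new_cost < dist[nbr][0]:
                dist[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return dist


def routing_table(lsdb, root):
    """Cost and next hop for every other router reachable from root."""
    return {dst: {"cost": c, "next_hop": h}
            for dst, (c, h) in spf(lsdb, root).items() if dst != root}


if __name__ == "__main__":
    # Same database, different roots: each router gets its own table.
    for router in LSDB:
        print(router, routing_table(LSDB, router))
```

From A the direct A to C link (cost 5) loses to A, B, C (cost 2), so C and D are both reached through B; from D the same database yields next hop C for everything, which is the point of the section: identical databases, per-router results.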
The TMS zl Module supports two types of OSPF authentication:
■ OSPF simple password authentication
■ Authentication with MD5

With OSPF simple password authentication, routers simply add a password to the 64-bit authentication field in the OSPF header. With MD5 authentication, a router uses a secret key and the MD5 algorithm to generate a message digest for a packet. Routers that receive the packet recompute the message digest using the same key. If the recomputed message digest matches the one in the packet, the packet is authentic.
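The digest check described here for OSPF, and the comparison with simple password authentication made in the RIP section above, as an added Python example that is not code from the guide or from the module's firmware. It uses the construction shared by RIPv2 (RFC 2082) and OSPFv2 (RFC 2328, Appendix D): the digest is MD5 over the packet with the 16-byte secret key appended, the key itself never goes on the wire, and a per-key sequence number lets the receiver reject replayed packets. The trailer layout here (key ID, sequence number, digest) and the packet bytes are a simplified, constructed stand-in for the real header formats, and the function names protect_md5, verify_md5, protect_simple and password_visible are chosen for this example.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16       # RIPv2 (RFC 2082) and OSPFv2 (RFC 2328, App. D) use a 16-byte key
DIGEST_LEN = 16    # MD5 output length
TRAILER = "!BxxxI"  # constructed trailer: key ID, 3 pad bytes, 32-bit sequence number


def keyed_md5(data, key):
    """Digest = MD5(data || key), key zero-padded (or truncated) to 16 bytes.
    Without the key a forger cannot produce a matching digest."""
    k = key[:KEY_LEN].ljust(KEY_LEN, b"\x00")
    return hashlib.md5(data + k).digest()


def protect_md5(packet, key_id, seq, key):
    """Sender side: append the trailer, then the digest over packet + trailer."""
    body = packet + struct.pack(TRAILER, key_id, seq)
    return body + keyed_md5(body, key)


def verify_md5(message, keys, last_seq):
    """Receiver side: look up the key by key ID, recompute the digest with it,
    compare in constant time, and reject non-increasing sequence numbers.

    keys: {key_id: secret}.  Returns (ok, seq).
    """
    if len(message) < struct.calcsize(TRAILER) + DIGEST_LEN:
        return False, None
    body, digest = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
    key_id, seq = struct.unpack(TRAILER, body[-struct.calcsize(TRAILER):])
    key = keys.get(key_id)
    if key is None:
        return False, seq
    if not hmac.compare_digest(digest, keyed_md5(body, key)):
        return False, seq                   # tampered, or signed with another key
    if seq <= last_seq:
        return False, seq                   # replay of an old packet
    return True, seq


def protect_simple(packet, password):
    """Simple password: the password travels in clear in the 64-bit field."""
    return packet + password[:8].ljust(8, b"\x00")


def password_visible(message, password):
    """True if the simple password can be read straight out of the packet,
    which is what makes it weaker than the keyed digest."""
    return password[:8].ljust(8, b"\x00") in message


if __name__ == "__main__":
    pkt = b"\x02\x01\x00\x2c" + b"\x00" * 40      # constructed packet bytes
    key = b"example-secret"                       # constructed key
    signed = protect_md5(pkt, key_id=1, seq=5, key=key)
    print("md5 verify:", verify_md5(signed, {1: key}, last_seq=4))
    print("simple password readable:", password_visible(protect_simple(pkt, b"secret"), b"secret"))
```

Only a receiver holding the same key under the same key ID accepts the packet; a single flipped byte, a different key, an unknown key ID or a repeated sequence number is rejected, while the simple-password variant exposes the password to anyone who captures the packet.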
■ The OSPF area for each directly connected network

One common topology for a network is a headquarters, defined as Area 0, that connects to stub areas at one or more remote sites. In this topology, the headquarters’ routers that connect to the remote sites are ABRs. The routers at the remote sites are internal routers. If a router connects to a public or other external network, such as an ISP, it is an ASBR. (See Figure 9-9.)

Figure 9-9.

Figure 9-10. OSPF Network with WAN as Area 0

If these routers are the only routers at the remote sites or if the remote sites are quite small, you could leave the network undivided. (A general rule is that an area should include fewer than 50 routers.) In this case, all networks would be defined as part of Area 0. (See Figure 9-11.)

Figure 9-11.

Table 9-16.

■ Define NSSA, stub, and total stub areas

Note
If you are configuring dynamic routing but you want to configure a static default route, you must configure the static default route first. Otherwise, the module might receive a dynamic default route, preventing you from creating your static default route. To remove the dynamic default route, you would need to disable dynamic routing (RIP and OSPF), which you could re-enable after configuring your static default route.

Set the Router ID

When OSPF routers exchange certain types of messages, they include their router ID. Routers piece messages together into a coherent network topology. They can complete this task only if each router’s ID is unique, consistent, and significant for the entire network. The TMS zl Module likely has several different TMS VLANs, each with its own IP address. You must select a single address for OSPF to consistently identify the module.

Set the Administrative Distance

The administrative distance on the TMS zl Module is 110 by default. You can change the administrative distance from the Network > Routing > OSPF window by typing a new value in the Administrative Distance field.

Redistribute Routes Discovered by Other Methods

Many networks use more than one routing protocol. Routing protocols discover routes in different ways. They provide overlapping, but not identical, services.

Enable OSPF on a VLAN

You must enable OSPF on each TMS VLAN that you want to participate in sending and receiving OSPF messages. When you enable OSPF on a TMS VLAN, you will also define the VLAN’s area and other settings. You can place more than one TMS VLAN in the same OSPF area, and you can configure multiple OSPF areas. To enable OSPF on a TMS VLAN and add it to an area, complete the following steps:
1. Select Network > Routing and click the OSPF tab.

Figure 9-13.
Routing OSPF Figure 9-14. Enable OSPF on a VLAN Window 3. For VLAN, select a VLAN from the list. The VLANs listed are those that you configured in “Configure Zones” in Chapter 2: “Initial Setup in Routing Mode“ and on which OSPF has not already been enabled. 4. For Area ID, type the area to which you want to assign the VLAN. For Area ID, you can use integer or dotted-decimal (x.x.x.x) notation. On the OSPF routing window, the area ID will always be displayed in dotteddecimal notation. For example, 0.0.
Routing OSPF Note When you change an interface’s hello interval, you must remember to change its peer interface’s dead interval accordingly. Otherwise, the peer may wrongly decide the interface is down. You can determine how many times longer the dead interval should be than the hello interval according to how reliable your network is.
Routing OSPF To configure an NSSA or stub area, complete the following: 1. Select Network > Routing and click the OSPF tab. Figure 9-15. Network > Routing > OSPF Window 2. Click Add NSSA or Stub Area. Figure 9-16.
3. For Area ID, type an identification number for the area. For Area ID, you can use integer or dotted-decimal (x.x.x.x) notation. On the OSPF routing window, the area ID is always displayed in dotted-decimal notation. For example, 0.0.0.1 is displayed if you type 1 as the area ID, and 0.0.1.0 is displayed if you type 256 as the area ID. 4. From the Area Type list, select the type of area you want to configure: NSSA or STUB. 5.
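The area ID normalization described above, and the hello/dead timer check from the earlier note, as an added example (this is not code from the TMS zl Module or from HP; the interface dictionaries, their field names and the sample timer values are assumptions made for the example):

```python
import ipaddress

# Added example: normalizes OSPF area IDs the way the TMS routing window
# displays them and checks the timers on a pair of OSPF interfaces.
# The interface dictionaries and their keys ("area", "hello", "dead") are
# assumptions for this example, not a TMS zl Module data structure.


def normalize_area_id(area):
    """Return an area ID in dotted-decimal form.

    Accepts an int, or a string in integer or dotted-decimal notation:
    1 -> "0.0.0.1", 256 -> "0.0.1.0", "0.0.0.1" -> "0.0.0.1".
    """
    if isinstance(area, str):
        area = area.strip()
        if area.isdigit():
            area = int(area)
    if isinstance(area, int):
        if not 0 <= area <= 0xFFFFFFFF:
            raise ValueError(f"area ID {area} is outside 0..4294967295")
        return str(ipaddress.IPv4Address(area))
    # Dotted-decimal: IPv4Address rejects anything that is not four octets.
    return str(ipaddress.IPv4Address(area))


def recommended_dead_interval(hello, multiplier=4):
    """Dead interval as a multiple of the hello interval.

    Four times the hello interval is the conventional ratio (the usual OSPF
    defaults are 10/40 and 30/120); use a larger multiplier on lossy links.
    """
    if hello < 1:
        raise ValueError("hello interval must be at least 1 second")
    return hello * multiplier


def check_adjacency(local, peer):
    """Return the reasons two interfaces would not form an OSPF adjacency.

    Each argument is a dict with keys "area", "hello" and "dead" (seconds).
    An empty list means the area and timers are consistent.
    """
    problems = []
    for name, cfg in (("local", local), ("peer", peer)):
        if cfg["dead"] <= cfg["hello"]:
            problems.append(
                f"{name}: dead interval {cfg['dead']}s must exceed "
                f"hello interval {cfg['hello']}s")
    if normalize_area_id(local["area"]) != normalize_area_id(peer["area"]):
        problems.append("area ID mismatch")
    if local["hello"] != peer["hello"]:
        problems.append(
            f"hello interval mismatch: {local['hello']}s vs {peer['hello']}s")
    if local["dead"] != peer["dead"]:
        problems.append(
            f"dead interval mismatch: {local['dead']}s vs {peer['dead']}s")
    return problems


if __name__ == "__main__":
    # Constructed scenario: the local side was entered as area 1 and the
    # peer as "0.0.0.1" (the same area), but only the local hello timer
    # was shortened.
    a = {"area": 1, "hello": 5, "dead": 40}
    b = {"area": "0.0.0.1", "hello": 10, "dead": 40}
    for p in check_adjacency(a, b):
        print("problem:", p)
    a["dead"] = recommended_dead_interval(a["hello"])
    b.update(hello=a["hello"], dead=a["dead"])
    print("after fix:", check_adjacency(a, b))
```

Run the file directly to see the mismatch reported and then cleared once both sides carry the same hello and dead values.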
Routing OSPF ■ Rate You can impose rate limits on OSPF traffic, which can help to reduce the effect of OSPF updates on your network. To edit an existing OSPF firewall access policy, complete the following: 1. Select one of the following: • Firewall > Access Policies > Unicast • Firewall > Access Policies and click the Multicast tab. 2. Find the OSPF policy that you want to edit and click the Edit icon. 3. Edit the fields that you want to change. 4. Click Apply, then click Close.
Routing OSPF Note It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use logging for troubleshooting and testing only. 11. In the Position field, specify the priority of this access policy. Be sure that you set the position of this policy above the position of the policy that allows all Zone1-to-Internal zone OSPF traffic. 12. Click Apply. Then you can optionally click the Advanced tab to further narrow the policy.
Routing OSPF Figure 9-17. Example OSPF Setup with TMS zl Modules Below is a sample of the settings and routing tables of the modules after all routes have been communicated. TMS zl Module A Settings OSPF Settings ■ Router ID — 9.9.9.
Table 9-17. Module A VLAN and Area Settings

VLAN  IP        Area ID  Cost
2     10.1.2.1  0.0.0.1  1

Table 9-18. Module A Routing Table

Destination    Gateway     Metric  VLAN    Type
0.0.0.0/0      172.16.1.2  0       vlan16  static
10.1.1.0/24    10.1.1.1    1       vlan1   connected
10.1.2.0/24    10.1.2.1    1       vlan2   connected
10.1.3.0/24    10.1.2.2    1       vlan2   ospf
10.1.4.0/24    10.1.4.1    1       vlan4   connected
10.1.5.0/24    10.1.2.2    2       vlan2   ospf
10.1.6.0/24    10.1.2.2    3       vlan2   ospf
10.1.7.0/24    10.1.2.

Table 9-20. Module B Routing Table

Destination    Gateway   Metric  VLAN   Type
0.0.0.0/0      10.1.2.1  1       vlan2  ospf
10.1.1.0/24    10.1.2.1  1       vlan2  ospf
10.1.2.0/24    10.1.2.2  1       vlan2  connected
10.1.3.0/24    10.1.3.1  1       vlan3  connected
10.1.4.0/24    10.1.2.1  2       vlan2  ospf
10.1.5.0/24    10.1.5.1  1       vlan5  connected
10.1.6.0/24    10.1.5.2  2       vlan5  ospf
10.1.7.0/24    10.1.5.2  3       vlan5  ospf
172.16.1.0/30  10.1.2.

Table 9-23. Module C Routing Table

Destination    Gateway   Metric  VLAN   Type
0.0.0.0/0      10.1.5.1  2       vlan5  ospf
10.1.1.0/24    10.1.5.1  2       vlan5  ospf
10.1.2.0/24    10.1.5.1  2       vlan5  ospf
10.1.3.0/24    10.1.5.1  1       vlan5  ospf
10.1.4.0/24    10.1.5.1  2       vlan5  ospf
10.1.5.0/24    10.1.5.2  1       vlan5  connected
10.1.6.0/24    10.1.6.1  1       vlan6  connected
10.1.7.0/24    10.1.6.2  2       vlan6  ospf
172.16.1.0/30  10.1.5.1  2       vlan5  ospf

TMS zl Module D Settings OSPF Settings ■ Router ID — 6.6.6.

Table 9-26. Module D Routing Table

Destination    Gateway   Metric  VLAN   Type
0.0.0.0/0      10.1.6.1  2       vlan6  ospf
10.1.2.0/24    10.1.6.1  3       vlan6  ospf
10.1.5.0/24    10.1.6.1  2       vlan6  ospf
10.1.6.0/24    10.1.6.1  1       vlan6  connected
10.1.7.0/24    10.1.7.1  1       vlan7  connected

Viewing Unicast Routes To view static routes, as well as routes discovered with RIP and OSPF, follow these steps: 1. Select Network > Routing, then click the View Routes tab. Figure 9-18.
Routing Viewing Unicast Routes Figure 9-19. Network > Routing > View Routes Window The columns are as follows: ■ Destination Address — The route's destination, either a host or a network; the default gateway shows 0.0.0.0/0. ■ Gateway Address — The address of the gateway for that destination ■ Metric — The route’s metric; the default gateway is always 0.
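How the module picks one entry from a table like Module A’s when a packet arrives, as an added example that is not part of this guide or of the module’s software. It applies longest-prefix match first and then the administrative distance from the start of this OSPF section (110 for OSPF). The distances of 0 for connected and 1 for static routes, and the extra static route used in the demonstration, are assumptions for the example; the route rows are copied from Table 9-18 with its truncated last row omitted.

```python
import ipaddress

# Added example: route selection over Module A's routing table (Table 9-18).
# 110 for OSPF is the module default stated in this chapter; 0 for connected
# and 1 for static are the usual conventions and are assumed here.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}

# (destination, gateway, metric, vlan, type); Table 9-18 minus its cut-off row.
MODULE_A_ROUTES = [
    ("0.0.0.0/0",   "172.16.1.2", 0, "vlan16", "static"),
    ("10.1.1.0/24", "10.1.1.1",   1, "vlan1",  "connected"),
    ("10.1.2.0/24", "10.1.2.1",   1, "vlan2",  "connected"),
    ("10.1.3.0/24", "10.1.2.2",   1, "vlan2",  "ospf"),
    ("10.1.4.0/24", "10.1.4.1",   1, "vlan4",  "connected"),
    ("10.1.5.0/24", "10.1.2.2",   2, "vlan2",  "ospf"),
    ("10.1.6.0/24", "10.1.2.2",   3, "vlan2",  "ospf"),
]


def best_route(table, destination, distances=ADMIN_DISTANCE):
    """Pick the route the module would use for one destination address.

    Selection order: longest matching prefix, then lowest administrative
    distance, then lowest metric. Returns None when nothing matches
    (a table without a default route).
    """
    addr = ipaddress.ip_address(destination)
    matches = []
    for dest, gw, metric, vlan, kind in table:
        net = ipaddress.ip_network(dest)
        if addr in net:
            matches.append((net.prefixlen, dest, gw, metric, vlan, kind))
    if not matches:
        return None
    _, dest, gw, metric, vlan, kind = min(
        matches, key=lambda m: (-m[0], distances[m[5]], m[3]))
    return {"destination": dest, "gateway": gw, "metric": metric,
            "vlan": vlan, "type": kind}


if __name__ == "__main__":
    print(best_route(MODULE_A_ROUTES, "10.1.6.7"))   # OSPF route via 10.1.2.2
    print(best_route(MODULE_A_ROUTES, "192.0.2.1"))  # falls to the static default
    # Hypothetical competing static route to the same prefix (not on the page):
    # with default distances the static entry wins although its metric is worse;
    # with OSPF distance lowered to 1 the tie is broken on metric instead.
    table = MODULE_A_ROUTES + [("10.1.6.0/24", "10.1.4.2", 5, "vlan4", "static")]
    print(best_route(table, "10.1.6.7")["type"])
    print(best_route(table, "10.1.6.7", {**ADMIN_DISTANCE, "ospf": 1})["type"])
```

The comparison key is the whole story: a more specific prefix beats any distance, and distance only decides between routes to the same prefix, which is why lowering the OSPF administrative distance changes the outcome only in the second case.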
Routing Multicast Multicast Many emerging applications rely on delivering the same information to many hosts. LAN TV, video conferencing, collaborative computing, and desktop conferencing all involve transmitting a great deal of information from a source, or many sources, to many hosts. Email systems can more efficiently deliver mail to multiple servers simultaneously rather than one by one.
Routing Multicast It is not hard to imagine the challenges broadcast messages pose for packet containment. A malfunctioning or misconfigured device can congest an entire network. Even properly functioning devices must flood all hosts with unnecessary information just to send a message to the hosts that do need it. IP multicasting addresses these problems by allowing a host to send a message to a select group. Figure 9-21.
Endpoints can join and leave a group. They can belong to more than one group at once, and groups can contain any number of endpoints at any location in the network. IGMP IGMP is the protocol that allows endpoints to join and leave multicast groups. The TMS zl Module uses IGMP to determine which multicast groups have members in which TMS VLANs so that it can properly forward multicast messages.
Figure 9-23. Multicasting with IGMP You should enable IGMP on each TMS VLAN that includes endpoints that might need to join a multicast group. Multicast Routing Protocol, PIM-SM PIM-SM is a multicast routing protocol that enables the TMS zl Module to route multicast traffic that arrives on one TMS VLAN into other TMS VLANs. PIM-SM creates a tree for each multicast group. The tree includes a rendezvous point (RP).
Routing Multicast Configuring Multicast Routing To configure the TMS zl Module to receive multicasts, complete these steps: 1. Enable IP multicast routing. 2. Configure IP multicast routing on each VLAN that uses multicast traffic. The TMS zl Module must implement multicast routing to keep track of which VLANs forward packets destined to certain multicast addresses. By default, multicast routing is disabled. To enable it, complete the following steps: 1.
Routing Multicast Figure 9-25. Enable Multicast on VLAN Window 5. For VLAN ID, select the multicast VLAN from the list. 6. For IGMP Enabled, select yes or no. Typically, you should select yes. Note 7. For DR Priority, select the priority of the TMS zl Module in DR election on the VLAN. 8. Click OK. 9. Repeat steps 4 through 8 for each VLAN that supports multicast routing. Enabling multicast on a VLAN automatically enables multicasting.
Routing Multicast 2. Select Multicast from the Show routes list. The window displays all of the multicast routes that the module knows. As you can see, multicast routes are different from unicast routes. Traffic destined to a multicast address is usually destined to many different devices. Therefore the TMS zl Module may need to copy a multicast packet and forward it to several TMS VLANs. Therefore, instead of a gateway address, the route lists VLANs.
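The relationship between IGMP membership and the VLAN-based multicast routes described above, as an added example (not code from the module or from this guide). The VLAN names, the member hosts and the group addresses are constructed for the example; the class keeps one member set per VLAN per group so that a VLAN drops out of a route only when its last member leaves.

```python
import ipaddress

# Added example: how IGMP membership on each TMS VLAN drives multicast
# forwarding. VLAN names, hosts and groups below are constructed; the class
# is an illustration, not the module's own implementation.


class MulticastForwarder:
    def __init__(self, multicast_vlans):
        self.enabled = set(multicast_vlans)   # VLANs with multicast/IGMP on
        # group -> vlan -> set of member hosts reported on that VLAN
        self.members = {}

    @staticmethod
    def _group(group):
        g = ipaddress.IPv4Address(group)
        if not g.is_multicast:
            raise ValueError(f"{group} is not a multicast group address")
        return str(g)

    def igmp_report(self, vlan, host, group):
        """Membership report: `host` on `vlan` wants to receive `group`."""
        if vlan not in self.enabled:
            raise ValueError(f"IGMP is not enabled on {vlan}")
        g = self._group(group)
        self.members.setdefault(g, {}).setdefault(vlan, set()).add(host)

    def igmp_leave(self, vlan, host, group):
        """Leave: the VLAN stays in the group while other members remain."""
        g = self._group(group)
        hosts = self.members.get(g, {}).get(vlan)
        if not hosts:
            return
        hosts.discard(host)
        if not hosts:
            del self.members[g][vlan]
            if not self.members[g]:
                del self.members[g]

    def route(self, group):
        """The multicast route entry: VLANs with at least one member."""
        return sorted(self.members.get(self._group(group), {}))

    def forward(self, in_vlan, group):
        """VLANs that get a copy of a packet for `group` arriving on in_vlan.

        A copy is never sent back onto the VLAN it arrived on.
        """
        return [v for v in self.route(group) if v != in_vlan]


if __name__ == "__main__":
    fwd = MulticastForwarder(["vlan2", "vlan3", "vlan5"])
    fwd.igmp_report("vlan2", "10.1.2.10", "239.1.1.1")
    fwd.igmp_report("vlan3", "10.1.3.10", "239.1.1.1")
    fwd.igmp_report("vlan3", "10.1.3.11", "239.1.1.1")
    print("route 239.1.1.1:", fwd.route("239.1.1.1"))
    print("copies for a packet from vlan5:", fwd.forward("vlan5", "239.1.1.1"))
    fwd.igmp_leave("vlan3", "10.1.3.10", "239.1.1.1")
    print("after one host leaves vlan3:", fwd.route("239.1.1.1"))
```

Compare `route()` with the View Routes window: the entry for a group is a list of VLANs, not a gateway, because the module may have to replicate the packet onto several of them.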
A Threat Management Services zl Module Command-Line Reference Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6 Command Syntax Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-7 Services OS Manager Context Commands . . . . . . . . . . . . . . . . . . . . . . . . . A-8 boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-9 delete . . . . . . .
Threat Management Services zl Module Command-Line Reference Contents Product OS Manager Context Commands . . . . . . . . . . . . . . . . . . . . . . . . A-16 TMS zl Module Product Index and Product Name . . . . . . . . . . . . . . A-17 batch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-19 boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-19 capture . . . . . . . . . . . . . . . . . .
Threat Management Services zl Module Command-Line Reference Contents erase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-41 exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-41 gre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-42 high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Threat Management Services zl Module Command-Line Reference Contents page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-61 password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-61 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-62 port-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Threat Management Services zl Module Command-Line Reference Contents show gre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-88 show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-88 show ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-88 show ip rip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Threat Management Services zl Module Command-Line Reference Overview Overview This chapter describes the commands provided by the command line interface (CLI). The TMS zl Module CLI is context-based; different commands are available from different contexts. When you are managing the TMS zl Module and you try to use a command that is not supported from the current context, you will receive an error message. The following sections introduce groups of commands that are available from various CLI contexts.
Figure A-1. CLI Context Command Groups Command Syntax Statements Syntax: copy [event-log | startup-config | snapshot | pcap] [tftp | scp] Vertical bars ( | ) separate alternative, mutually exclusive elements. Square brackets ( [ ] ) indicate optional elements. Angle brackets ( < > ) enclose required elements.
Threat Management Services zl Module Command-Line Reference Services OS Manager Context Commands Services OS Manager Context Commands The Services OS operator context allows restricted access to some troubleshooting commands on the Services OS of the module. To access this context, enter the following command from the host switch’s operator-level context: Syntax: services < | name > Moves you to an OS context on the module.
Threat Management Services zl Module Command-Line Reference Services OS Manager Context Commands Figure A-2. CLI Context Command Groups To access all commands in the Services OS manager context, you must boot the module in the Services OS using the boot command. Until the module is booted in the Services OS, you can access a limited set of commands, including boot, licenses, exit, and some show commands.
Threat Management Services zl Module Command-Line Reference Services OS Manager Context Commands For example, to boot the Product OS, enter the following command: ProCurve(services-module-)# boot product Changing boot from Service OS to Product OS. System will be rebooted. Do you want to continue [y/n]? delete This command deletes images from the module.
Threat Management Services zl Module Command-Line Reference Services OS Manager Context Commands install Use this command to install operating system software on the module. Syntax: install < service | product | cf_services > Replace with the filename of the image you want to download. ip This is the only configuration command available from the Services OS manager context. It allows you to configure the module’s IP address and default gateway.
Threat Management Services zl Module Command-Line Reference Services OS Manager Context Commands page This command enables and disables page mode. In page mode, the terminal output will pause when it fills the screen and wait for a keystroke such as space or Ctrl+C. Syntax: [no] page ping Use this command to send an ICMP echo to a specified destination. Syntax: ping < IP address | hostname > Replace with the IP address of the ping destination.
Threat Management Services zl Module Command-Line Reference Services OS Manager Context Commands uninstall Use this command to uninstall operating system software from the module.
Threat Management Services zl Module Command-Line Reference Services OS Show Commands Services OS Show Commands The Services OS show commands allow you to view information about the blade and to troubleshoot. The show commands available in the Services OS are described below. Figure A-4. CLI Services OS Context show assigned-mac-address This command shows the MAC address assigned to the module by the switch.
Threat Management Services zl Module Command-Line Reference Services OS Show Commands show images This command shows the images in the images repository. Syntax: show images [details] show ip This command shows the IP settings of the module (IP address and default gateway). Syntax: show ip show licenses This command shows the license status for services. Syntax: show licenses [uninstalled] Enter the optional uninstalled keyword to view uninstalled licenses.
Threat Management Services zl Module Command-Line Reference Product OS Manager Context Commands show temperature This command shows the temperature of the blade in degrees Celsius. Syntax: show temperature show version This command shows the software version. Syntax: show version [details] Product OS Manager Context Commands The Product OS operator context features a limited number of commands that allow an operator to collect troubleshooting information.
Threat Management Services zl Module Command-Line Reference Product OS Manager Context Commands TMS zl Module Product Index and Product Name To enter the TMS zl Module CLI’s Product OS, you must either specify the module’s product name or product number. The product name for the TMS zl Module is always tms-module. The product index number is assigned to the TMS zl Module by the switch.
Threat Management Services zl Module Command-Line Reference Product OS Manager Context Commands hostswitch> services e 2 hostswitch> services e name tms-module Table A-3 provides an example of a host switch that is running: ■ DCM on a ONE Services zl Module ■ TMS zl Module On this host switch, DCM was installed and booted first, so the host switch assigned it index number 2. It then assigned the TMS zl Module index number 3. Table A-3. CLI Display of Services Slot Index Description Name C,D, E 1.
Threat Management Services zl Module Command-Line Reference Product OS Manager Context Commands Figure A-5. CLI Product Context The following sections describe commands that are available from the manager context of the Product OS. batch This command enables and disables batch, or scripting, mode. Syntax: [no] batch This command is also available from the global configuration context. boot This command exits the current session and reboots the module.
Threat Management Services zl Module Command-Line Reference Product OS Manager Context Commands capture This command shows the current packets on a specified network. This command is useful for troubleshooting connection problems and monitoring network activity because it allows you to see all of the packets that are moving across particular network interfaces. You can view the output to the terminal, or you can save the output in a pcap file.
Threat Management Services zl Module Command-Line Reference Product OS Manager Context Commands configure The command moves you to the Product OS CLI’s global configuration context. Syntax: configure [terminal] copy The copy commands are used for managing files on your module.
Threat Management Services zl Module Command-Line Reference Product OS Manager Context Commands Replace with the username on the account on your FTP or SCP server. These commands are also available in the global configuration context. end To return to the manager context, enter end. The end command moves you back to the manager context, regardless of the context from which you enter the command. Syntax: end This command is available from all contexts.
Threat Management Services zl Module Command-Line Reference Product OS Manager Context Commands no connections To close existing connections for a specific source or destination address, source or destination port, or access policy, enter the following: Syntax: no connections [sip ] [dip ] [sp ] [dp ] [pid ] Replace with IP address for which you want to close all outbound connections.
Threat Management Services zl Module Command-Line Reference Product OS Manager Context Commands ping This command sends an ICMP echo to a specified destination. Syntax: ping < IP address | hostname > Replace with the IP address of the ping destination. Replace with the hostname of the ping destination. The module displays the number of pings sent and responses received. For example, to send a ping to a device with the IP address 192.168.115.
■ File systems ■ Networks ■ Services ■ Miscellaneous files ■ Third-party software To take a snapshot, type the following command: Syntax: snapshot traceroute This command sends probes toward an IP address and displays each hop that the packets traverse en route to the destination.
write This command is a file management command that manages the running-config file. This command is similar to the copy command. The write memory command saves the running-configuration to the startup-configuration. You can enter the write memory command from any context.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Figure A-7. CLI Global Configuration Context The following sections describe commands available from the global configuration context of the Product OS. access-policy You use the access-policy command to configure all of your firewall access policies.
Threat Management Services zl Module Command-Line Reference Global Configuration Context To configure a unicast access policy (and optionally specify a user group), enter the following command: Syntax: [no] access-policy [group ] { | [service ]} [source port] [] [extended options] Replace with the name of the user group you are creating.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Parameter Options destination zone • • • • • • • • • • action • permit • deny • move to The module checks the policies according to their priority.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Parameter Options source port • port • range destination address • • • • • destination port • destination port • range extended options • schedule This command must be entered before all other extended options commands.
Threat Management Services zl Module Command-Line Reference Global Configuration Context pop2 pop3 pptp radius radius-acct rip securied-udp smtp snmp snmptrap sqlnet ssh syslog tacacs-tcp tacacs-udp talk-tcp talk-udp telnet tftp time uucp who whois xdmcp user configured service objects For example, if you want to allow a multicast policy for all FTP traffic between Zone3 and Zone5, you would enter the following command: ProCurve(tms-module-:config)# access-policy multicast
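First-match evaluation of ordered access policies, as an added example that is not the module’s policy engine or any code from this guide. It illustrates the earlier OSPF note about setting a narrow policy’s position above the broad permit, and adds a shadowing check a practitioner would want before applying a rule set. The Policy fields, the "any" wildcard, the packet dictionary and the assumed default action when nothing matches (deny) are choices made for the example.

```python
import ipaddress

# Added example: first-match evaluation of unicast access policies ordered
# by position. Rule fields, the "any" wildcard and the default deny are
# assumptions for this example, not the module's own behaviour.


class Policy:
    def __init__(self, pid, position, action, src_zone, dst_zone,
                 protocol="any", service="any", source="any"):
        self.pid = pid                 # rule ID, used when repositioning
        self.position = position       # lower number = checked earlier
        self.action = action           # "permit" or "deny"
        self.src_zone = src_zone
        self.dst_zone = dst_zone
        self.protocol = protocol       # e.g. "ospf", "tcp", "udp" or "any"
        self.service = service         # e.g. "ssh", "ftp" or "any"
        # Source address: "any" or a network such as "10.1.9.0/24".
        self.source = None if source == "any" else ipaddress.ip_network(source)

    def matches(self, pkt):
        if (self.src_zone, self.dst_zone) != (pkt["src_zone"], pkt["dst_zone"]):
            return False
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        if self.service != "any" and self.service != pkt.get("service"):
            return False
        if self.source is not None and \
                ipaddress.ip_address(pkt["src_ip"]) not in self.source:
            return False
        return True


def evaluate(policies, pkt, default="deny"):
    """Return (action, matching policy ID or None); first match wins."""
    for pol in sorted(policies, key=lambda p: p.position):
        if pol.matches(pkt):
            return pol.action, pol.pid
    return default, None


def reposition(policies, pid, new_position):
    """Move one policy to a new position, pushing later policies down."""
    target = next(p for p in policies if p.pid == pid)
    for p in sorted(policies, key=lambda p: p.position):
        if p is not target and p.position >= new_position:
            p.position += 1
    target.position = new_position


def shadowed(policies):
    """IDs of policies that can never match because an earlier policy
    already covers every packet they would match."""
    ordered = sorted(policies, key=lambda p: p.position)
    out = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.src_zone, earlier.dst_zone) != (later.src_zone, later.dst_zone):
                continue
            if earlier.protocol not in ("any", later.protocol):
                continue
            if earlier.service not in ("any", later.service):
                continue
            if earlier.source is not None and (
                    later.source is None or not later.source.subnet_of(earlier.source)):
                continue
            out.append(later.pid)
            break
    return out


if __name__ == "__main__":
    # Constructed rule set: a broad Zone1-to-Internal OSPF permit sits above
    # a narrower deny for one subnet, so the deny is never reached.
    rules = [
        Policy(1, 1, "permit", "zone1", "internal", protocol="ospf"),
        Policy(2, 2, "deny", "zone1", "internal", protocol="ospf", source="10.1.9.0/24"),
        Policy(3, 3, "permit", "zone1", "internal", protocol="tcp", service="ssh"),
    ]
    pkt = {"src_zone": "zone1", "dst_zone": "internal", "protocol": "ospf", "src_ip": "10.1.9.5"}
    print("before:", evaluate(rules, pkt), "shadowed:", shadowed(rules))
    reposition(rules, 2, 1)
    print("after: ", evaluate(rules, pkt), "shadowed:", shadowed(rules))
```

Run `shadowed()` over a rule set before applying it: a shadowed rule is the configuration-level symptom of the position mistake the OSPF procedure warns about.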
Threat Management Services zl Module Command-Line Reference Global Configuration Context address-group This command can be used to: ■ Create an address group object ■ Add address objects to an existing address group ■ Remove address objects from an existing address group To create a new address group object, enter the following command: Syntax: [no] address-group [ add
ALG name  Description
irc       Internet Relay Chat
l2tp      Layer 2 Tunneling Protocol
msn       Microsoft Network
netbios   Network Basic Input/Output System
nntp      Network News Transfer Protocol
pptp      Point-to-Point Tunneling Protocol
rpc       Remote Procedure Call
rtspv4    Real Time Streaming Protocol version 4
smtp      Simple Mail Transfer Protocol
sql       Structured Query Language
tftp      Trivial File Transfer Protocol
attack-s
The sequence-out-of-range option allows you to specify additional parameters. You can set the limit beyond which a packet’s sequence number is considered out of range and the value at which the sequence numbers wrap around.
Threat Management Services zl Module Command-Line Reference Global Configuration Context This command shows the current packets on a specified network. This command is useful for troubleshooting connection problems and monitoring network activity because it allows you to see all of the packets that are moving across particular network interfaces. You can view the output to the terminal, or you can save the output in a pcap file.
Threat Management Services zl Module Command-Line Reference Global Configuration Context connection-settings The connection-settings command allows you to set various restrictions on connections to your network: ■ Absolute number of connections limits ■ Timeout limits ■ Resource allocation limits Table A-11 gives the available options for the connection-settings command. Table A-11.
Zone   Default connection-settings Limits
zone4  21428
zone5  21428
zone6  21428

For example, to set an absolute maximum of 3000 connections for the external zone, enter the following command: ProCurve(tms-module-:config)# connection-settings limit external 3000 connection-settings timeout Set a limit for the amount of time an inactive connection can stay open.
Threat Management Services zl Module Command-Line Reference Global Configuration Context To create a custom service and timeout, enter the following command: Syntax: [no] connection-settings timeout < tcp | udp > Replace with a custom service name. Replace with the TCP or UDP port for the service. Replace with the number of seconds that you want an inactive session to remain open.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Replace with a comment string to define the connection reservation. Replace with ID of the rule that you are updating. For example, network administrators at ProCurve University want to create a connection reservation for the research faculty members in Zone1. They want to reserve 500 outbound connections, and the research faculty are assigned IP addresses 10.164.2.50–10.62.32.4.
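How the three connection-settings controls (absolute per-zone limit, per-service idle timeout, connection reservation) interact, as an added example that is not the module’s code and not from this guide. The reservation semantics are an assumption made for the example: hosts outside every reserved range may use only the zone limit minus the total reserved count, while hosts inside a reserved range may use any free slot up to the absolute limit. The zone size, address range and timeouts are constructed, small values so the behaviour is visible.

```python
import ipaddress

# Added example: per-zone connection limits, idle timeouts and reservations.
# The reservation semantics, zone sizes and addresses are assumptions for
# this example, not the TMS zl Module's documented algorithm.


class ConnectionTable:
    def __init__(self, zone_limits, idle_timeouts, default_idle=3600):
        self.zone_limits = dict(zone_limits)      # zone -> absolute maximum
        self.idle_timeouts = dict(idle_timeouts)  # (proto, port) -> seconds
        self.default_idle = default_idle          # assumed fallback timeout
        self.reservations = {}                    # zone -> [(network, count)]
        self.active = {}                          # conn_id -> connection dict

    def reserve(self, zone, network, count):
        """Reserve `count` connections in `zone` for sources in `network`."""
        net = ipaddress.ip_network(network)
        reserved = sum(c for _, c in self.reservations.get(zone, [])) + count
        if reserved > self.zone_limits[zone]:
            raise ValueError("reservations exceed the zone limit")
        self.reservations.setdefault(zone, []).append((net, count))

    def _is_reserved(self, zone, src):
        return any(src in net for net, _ in self.reservations.get(zone, []))

    def in_zone(self, zone):
        return [c for c in self.active.values() if c["zone"] == zone]

    def open(self, conn_id, zone, src_ip, proto, dport, now):
        """Admit a new connection, or return False if a limit blocks it."""
        src = ipaddress.ip_address(src_ip)
        limit = self.zone_limits[zone]
        current = self.in_zone(zone)
        if len(current) >= limit:
            return False                      # absolute zone limit reached
        reserved_src = self._is_reserved(zone, src)
        if not reserved_src:
            reserved_total = sum(c for _, c in self.reservations.get(zone, []))
            unreserved_used = sum(1 for c in current if not c["reserved"])
            if unreserved_used >= limit - reserved_total:
                return False                  # only reserved slots remain
        self.active[conn_id] = {"zone": zone, "src": src, "proto": proto,
                                "dport": dport, "last_seen": now,
                                "reserved": reserved_src}
        return True

    def touch(self, conn_id, now):
        """Record activity on a connection so it is not expired."""
        self.active[conn_id]["last_seen"] = now

    def expire(self, now):
        """Close connections idle longer than their service timeout."""
        gone = [cid for cid, c in self.active.items()
                if now - c["last_seen"] >
                self.idle_timeouts.get((c["proto"], c["dport"]), self.default_idle)]
        for cid in gone:
            del self.active[cid]
        return len(gone)


if __name__ == "__main__":
    # Constructed zone: limit 5, two slots reserved for 10.164.2.0/24,
    # SSH sessions expire after 30 idle seconds.
    table = ConnectionTable({"zone1": 5}, {("tcp", 22): 30})
    table.reserve("zone1", "10.164.2.0/24", 2)
    for i in range(1, 5):
        print("outside host", i, "admitted:",
              table.open(f"c{i}", "zone1", f"10.1.9.{i}", "tcp", 80, 0))
    print("reserved host admitted:",
          table.open("r1", "zone1", "10.164.2.50", "tcp", 80, 0))
```

The fourth outside host is refused while a reserved host still gets in, which is the point of a reservation; note that the absolute limit still caps everyone, so a reservation larger than the remaining capacity is rejected at configuration time.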
Threat Management Services zl Module Command-Line Reference Global Configuration Context Replace with the IP address of your TFTP server. Replace with the name that you want to assign to the file. Replace with the username on the account on your FTP or SCP server.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Syntax: [no] dhcp-relay-enable vlan Replace with the ID of the VLAN. For example: ProCurve(tms-module-:config)# dhcp-relay-enable vlan 5 Note You cannot delete a VLAN association if DHCP relay is enabled on the VLAN, even if DHCP is disabled globally. end To return to the manager context, enter end.
gre With this command you can create GRE tunnels and their associated traffic selectors. To configure a GRE tunnel, enter the following command: Syntax: [no] gre tunnel [disable] Replace with a character string that is unique for this tunnel.
Threat Management Services zl Module Command-Line Reference Global Configuration Context high-availability This command allows you to configure all parts of high-availability, including: ■ Cluster scheme ■ Cluster information ■ ■ • Cluster ID • Multicast address Device information • Device ID • Device priority Cluster management • Rebalancing • Synchronizing Table A-14 gives the available options for the high-availability command. Table A-14.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Note Even if you do not plan to configure the module for high availability (HA), you should change the HA VLAN from default to prevent unwanted multicast traffic from occupying the firewall's resources.
Threat Management Services zl Module Command-Line Reference Global Configuration Context hostname It is often useful to give the router a name that helps to distinguish it from other routers in your network. To change the router’s hostname, enter the following command: Syntax: [no] hostname Replace with the hostname you want to assign to the module. This name can only include alphanumeric characters.
Threat Management Services zl Module Command-Line Reference Global Configuration Context ip route This command creates static routes for the module, including the default route. To create a static route, enter the following command: Syntax: [no] ip route < ] | > [metric ] Replace with the IP address and subnet mask of the route’s destination. For a default route, type 0.0.0.0 0.0.0.0.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Table A-15.
Threat Management Services zl Module Command-Line Reference Global Configuration Context For example, to drop packets classified as critical, enter the following command: ProCurve(tms-module-:config)# ips threat-level critical terminate ips signatures With the ips signatures command, you can enable and disable specific signatures, as well as update all of your signatures and set the update interval. You can also enable and disable signatures according to threat level.
Threat Management Services zl Module Command-Line Reference Global Configuration Context For example, if you want to update your signatures now, enter the following command: ProCurve(tms-module-)# ips signatures update now ips web-proxy The ips web-proxy command allows you to configure a web proxy for your IPS.
Threat Management Services zl Module Command-Line Reference Global Configuration Context MIME. You can configure the following MIME parameters: ■ Maximum header size ■ Boundaries To configure MIME protocol anomalies, enter the following command: Syntax: [no] ips protocol-anomaly mime [ header-size | boundaries ] Replace with the maximum header size in bytes (100–2048).
Threat Management Services zl Module Command-Line Reference Global Configuration Context logging The logging command allows you to set the severity level for logging; the module forwards messages for events of the selected severity level or higher. It also allows you to set up log forwarding using the following methods: ■ SNMP traps ■ Syslog messages ■ Email messages Threshold Table A-16 gives the available options for the logging threshold command. Table A-16.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Syntax: [no] logging threshold duplicates time Replace with the number of duplicate events that you want to occur before the module forwards a log message. Replace with the number of seconds that you want to pass before the module forwards another log message about the same event.
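One way to realize the duplicate threshold described above, as an added example that is neither the module’s code nor a statement of its exact behaviour. The reading implemented here is an assumption for the example: the first occurrence of an event is forwarded at once; identical events that follow are held until either the configured number of duplicates has accumulated or the configured number of seconds has passed since the last forwarded message, and then a single summary carrying the suppressed count is forwarded. The sample event lines are constructed.

```python
# Added example: a duplicate-event threshold for log forwarding. The
# semantics and the SAMPLE_EVENTS below are constructed for this example.


class DuplicateSuppressor:
    def __init__(self, count, seconds):
        if count < 1 or seconds < 0:
            raise ValueError("count must be >= 1 and seconds >= 0")
        self.count = count          # duplicates to accumulate before forwarding
        self.seconds = seconds      # seconds before another message about the same event
        self._state = {}            # event key -> {"last_sent": t, "held": n}

    def submit(self, key, now):
        """Offer one event; return the message to forward, or None."""
        st = self._state.get(key)
        if st is None:
            self._state[key] = {"last_sent": now, "held": 0}
            return key
        st["held"] += 1
        if st["held"] >= self.count or now - st["last_sent"] >= self.seconds:
            held = st["held"]
            st["held"], st["last_sent"] = 0, now
            return f"{key} (repeated {held} times)"
        return None

    def flush(self, now):
        """Forward summaries for anything still held, e.g. at shutdown."""
        out = []
        for key, st in self._state.items():
            if st["held"]:
                out.append(f"{key} (repeated {st['held']} times)")
                st["held"], st["last_sent"] = 0, now
        return out


def forward_all(events, count, seconds):
    """Run a list of (timestamp, event_key) pairs through the suppressor
    and return the messages that would be forwarded, in order."""
    s = DuplicateSuppressor(count, seconds)
    out = []
    for t, key in events:
        msg = s.submit(key, t)
        if msg is not None:
            out.append(msg)
    return out + s.flush(events[-1][0] if events else 0)


# Constructed sample: one IPS drop event repeating, one unrelated policy event.
SAMPLE_EVENTS = [
    (0,  "IPS drop 10.1.9.5 -> 10.1.2.8"),
    (5,  "IPS drop 10.1.9.5 -> 10.1.2.8"),
    (10, "IPS drop 10.1.9.5 -> 10.1.2.8"),
    (12, "IPS drop 10.1.9.5 -> 10.1.2.8"),
    (20, "policy deny 10.1.9.9 -> 10.1.2.8 tcp/23"),
    (30, "IPS drop 10.1.9.5 -> 10.1.2.8"),
    (80, "IPS drop 10.1.9.5 -> 10.1.2.8"),
]

if __name__ == "__main__":
    for line in forward_all(SAMPLE_EVENTS, count=3, seconds=60):
        print(line)
```

With `count=3, seconds=60` the seven sample events collapse to four forwarded messages; the summary keeps the suppressed count so the collector still sees how often the event fired.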
Syntax: [no] logging snmpv3 user auth [md5 | sha] privacy [aes | des] This command specifies the SNMPv3 user to which you are forwarding logs. Replace < IP address> with the IP address to which the module will forward logs. Replace with the SNMPv3 user that the module will forward logs to. Where the receiving manager supports them, choose sha for authentication and aes for privacy; md5 and des are offered for compatibility with older managers and provide weaker protection.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Table A-17.
Set the email server and account information for email log forwarding: Syntax: logging email server from-address [user password ] Replace with the hostname or IP address of the email server. Replace with the sender address that the module places in the From field of forwarded log messages.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Routing Mode To configure the management zone, type the following command: Syntax: management zone Replace with the zone from which you want to manage the module.
Threat Management Services zl Module Command-Line Reference Global Configuration Context For example, to assign the module IP address 10.10.15.72/24 in VLAN 3, enter the following commands: ProCurve Switch 5406zl(tms-module-:config)# management ip 10.10.15.72 255.255.255.0 ProCurve Switch 5406zl(tms-module-:config)# management vlan 3 nat You use the nat command to configure all of your NAT policies.
Threat Management Services zl Module Command-Line Reference Global Configuration Context The available parameters and options are shown in Table A-18. At the end of the access-policy command, you can append various optional keywords, which are listed in Table A-18 as .
Threat Management Services zl Module Command-Line Reference Global Configuration Context Parameter Options destination zone • • • • • • • • • • internal external dmz zone1 zone2 zone3 zone4 zone5 zone6 self protocol • • • • • • • • • • • • • any <0-255> tcp udp ah esp ip icmp igmp gre l2tp ospf pim service • See Table A-19 on page A-60.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Table A-19.
Threat Management Services zl Module Command-Line Reference Global Configuration Context nslookup This command is used to learn a device’s IP address according to its hostname. Syntax: nslookup Replace with the hostname of the device for which you are looking up the IP address. For example, if you wanted to know the IP address for router5, you would enter: ProCurve(tms-module-)# nslookup router5 operating-mode This command sets the operating mode.
Threat Management Services zl Module Command-Line Reference Global Configuration Context For example, to change the manager password to $tms*manager33, you would enter: ProCurve(tms-module-:config)# password manager New password for manager: $tms*manager33 Please retype new password for manager: $tms*manager33 ping This command sends an ICMP echo to a specified destination. Syntax: ping < IP address | hostname > Replace with the IP address of the ping destination.
Threat Management Services zl Module Command-Line Reference Global Configuration Context port-map This command allows you to configure port maps so that your firewall and IPS/IDS know which type of traffic is expected on which ports. To configure a port map, enter the following command: Syntax: [no] port-map < tcp | udp > Replace with the name of the service for which you are creating the map.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Replace with one of the following options: • any • • address Replace with one of the following options: • < tcp | udp > < port | range > • service See Table A-21 for available services. Replace with the ports allowed for dynamic negotiation.
Threat Management Services zl Module Command-Line Reference Global Configuration Context nntp ntp pcanywhere-data pcanywherestatus pim-auto-rp-tcp pim-auto-rp-udp pop2 pop3 pptp radius radius-acct rip securied-udp smtp snmp snmptrap sqlnet ssh syslog tacacs-tcp tacacs-udp talk-tcp talk-udp telnet tftp time uucp who whois xdmcp user-configured service objects radius-server Use this command to specify the TMS zl Module’s RADIUS server.
Threat Management Services zl Module Command-Line Reference Global Configuration Context Replace with the domain name associated with your RADIUS server. On the TMS zl Module, users submit their username followed by @. Use the optional strip domain segment to strip the domain name from the credentials. For example, to add a primary RADIUS authentication server with the IP address 10.10.10.10 and to specify “procurve” as the secret key, 10.10.15.
Replace with the rule ID of the firewall access policy. This rule ID is specific to the group and type of policy. Replace and with the options displayed in Table .
To delete a rate limiting policy, enter the following command:
Syntax: [no] rate-limit [ group ] id
Replace with the name of the group to which the firewall policy applies.
RIP
Figure A-9. RIP Context
To access the RIP context, enter the following:
Syntax: [no] router rip
To verify your location in the CLI, check the prompt. In the RIP context, the prompt is ProCurve(tms-module-:rip)#.
To enable poison reverse, enter the following command:
Syntax: [no] poison-reverse
To redistribute routes, enter the following command:
Syntax: [no] redistribute < connected | static | ospf >
To restrict addresses, enter the following command:
Syntax: [no] restrict < | >
Replace with the IP address and subnet mask of the subnets you want to restrict.
From the global configuration context, you can configure:
■ The administrative distance
■ Route redistribution—connected, static, RIP
■ The default metric
■ The metric type
■ The router ID
To set the administrative distance, enter the following:
Syntax: router ospf distance
Replace with the administrative distance (1–255).
To configure graceful restart, enter the following command:
Syntax: [no] graceful-restart [ helper-disable | restart-time ]
Replace with the number of seconds allowed for a graceful restart. The default restart time is 120 seconds (2 minutes).
Replace with the cost for routes to the area.
Replace with the unique ID of the neighbor router.
Replace with one of the following options:
■ md5
■ simple
Replace with the appropriate interval.
Replace with the VLAN’s transmit delay (1-3600).
PIM
Figure A-11. PIM Context
From the router configuration context, you can configure PIM’s Static Rendezvous Points (static RPs). To configure static RPs, enter the following command:
Syntax: [no] router pim rp-address
Replace with the IP address of the static RP.
schedule
This command creates a schedule object. With a schedule object, you can configure the days and the time of day for which a firewall access policy applies.
Table A-23.
snapshot
This command creates a restore point for your network. The snapshot command captures information about the following:
■ Kernel
■ Hardware
■ Log files
■ Software
■ File systems
■ Networks
■ Services
■ Miscellaneous files
■ Third-party software
To take a snapshot, type the following command:
Syntax: [no] snapshot
snmpv2
This command configures SNMPv2 settings.
For example, to create a community called “private” for restricted manager access, enter the following command:
ProCurve(tms-module-:config)# snmpv2 server community private manager restricted
snmpv3
This command configures SNMPv3 settings.
time
This command displays the module’s time only. You cannot configure the module’s time because it automatically synchronizes with the switch time. To view the module’s time, enter the following command:
Syntax: time
traceroute
This command pings an IP address and displays the hops that the packet takes en route to the destination.
user
This command creates a local database of network users, assigns them a password, and optionally sets a timeout. This way, network users can authenticate to the module without having to use a RADIUS server.
To assign a VLAN to a zone, enter the following command:
Syntax: [no] vlan zone [allow-switch-ip]
Note
You cannot delete a VLAN association if DHCP relay or routing is enabled on the VLAN.
Replace with the VLAN ID.
Replace with the zone to which you are assigning the VLAN.
To enable multicast routing on the VLAN, enter the following command:
Syntax: vlan ip pim-sparse
Note
Enabling PIM on a VLAN automatically enables multicasting. If you do not intend to enable multicasting, you must access the Web browser interface and disable multicasting once you have enabled PIM on a VLAN.
Replace the VLAN ID with the ID of a host switch VLAN.
To enter the VLAN context, enter the following:
Syntax: vlan
Replace with the VLAN ID.
To verify your location in the CLI, check the prompt. In the VLAN context, the prompt is ProCurve(tms-module-:vlan-)#.
To set the RIP version for the VLAN, enter the following command:
Syntax: ip rip [v1-only | v2-only | v1-and-v2]
To disable the VLAN from sending RIP updates, enter the following command:
Syntax: ip rip send disabled
To configure the RIP authentication settings for this VLAN, enter the following command:
Syntax: ip rip < authentication-key | md5 >
Replace wit
■ priority
To set the VLAN priority, enter the following command:
Syntax: ip ospf priority
Replace with the priority of the VLAN (1-255).
■ retransmit interval
To set the retransmit interval, enter the following command:
Syntax: ip ospf retransmit-interval
Replace with the retransmit interval (1-3600).
Threat Management Services zl Module Command-Line Reference Product OS Show Commands
Product OS Show Commands
The Product OS show commands allow you to view information about, or the current status of, an interface or feature. They help you to troubleshoot. The show commands available in the Product OS are described in the sections below. You can enter the commands from any context of the Product OS.
show access-policy
This command shows the firewall access policies currently configured on the module.
show address
This command shows all or one of your address objects. The name, object type, and IP address information are displayed. To view your address object or objects, enter the following command:
Syntax: show address
show address-group
This command shows all or one of your address groups. The groups and their members are displayed.
To view your banner text, enter the following command:
Syntax: show banner motd
show connection-settings
This command shows your connection restriction settings.
Note
This command shows the active connections on the module, whereas the connection values displayed on the Web browser interface dashboard window show both active and passive connections. Therefore, these two connection values may differ slightly.
To view the DNS and route settings, enter the following command:
Syntax: show ip [ dns | route | mroute ]
To view the IGMP and PIM configurations, enter the following command:
Syntax: show ip [ igmp [config] | pim [rp-set] ]
show ip rip
The show ip rip command shows information about RIP on the network.
■ External link-states
■ OSPF on a particular interface
■ Neighbors
■ Data grace link-state information
■ Redistribution
■ Restrictions
To view general information about OSPF, enter the following command:
Syntax: show ip ospf general
To view information about OSPF areas, enter the following command:
Syntax: show ip ospf area
To view information about OSPF area link-states, enter the following command:
Syntax: sh
To view restricted addresses, enter the following command:
Syntax: show ip ospf restrict
show ip pim
To view the module's PIM settings, enter the following command:
Syntax: show ip pim [rp-set]
show ip-mtu
This command shows the module’s MTU.
Syntax: show ip-mtu
show ip-reassembly
This command shows the IP reassembly constraints.
Syntax: show ip-reassembly
show ips
This command shows your IPS settings.
To view the IPS protocol anomaly settings, enter the following command:
Syntax: show ips protocol-anomaly
To view the IPS inspection settings, enter the following command:
Syntax: show ips full-inspection
show lldp
This command shows the LLDP configuration.
Syntax: show lldp
show logging
This command shows all of the logging information.
show nat
This command shows your NAT policies.
Syntax: show nat
show operating-mode
Use this command to view your operating mode.
Syntax: show operating-mode
show port-map
This command shows all of your port maps.
Syntax: show port-map
show port-trigger
This command shows your port trigger policies.
Syntax: show port-trigger [trigger name]
show radius-server
This command shows information about your RADIUS server.
show running-config
This command shows the module’s running configuration. For general troubleshooting, you should enter the show running-config (or just show run) command.
Syntax: show running-config
show schedule
This command shows the module’s schedule objects. Each object’s name and the associated days and times are displayed.
Syntax: show schedule
show service
This command shows all or one of your service objects.
show system-information
This command shows all globally configured and operational system parameters.
Syntax: show system-information
show tech
This command shows all of the information you will need for troubleshooting.
Syntax: show tech
show time
This command displays the module’s time and date.
Syntax: show time
show user
This command shows user and user group information.
B Glossary
Numeric
3DES: Triple DES. A version of DES in which three encryption phases are applied.
A
AAA: Authentication, Authorization, and Accounting. Processes that are used to control network access and enforce security policies. For more information, see RFC 2989 at http://www.ietf.org/rfc/rfc2989.txt. See also authentication, authorization, and accounting.
ABR: Area Border Router. A router that is attached to more than one OSPF area.
access policy: See firewall access policy.
AF: Assured Forwarding. A Differentiated Services PHB group comprised of four classes that allows a provider DS domain to offer different levels of forwarding assurances for IP packets received from a customer DS domain.
aggressive mode: Aggressive mode uses three total messages during IKE phase 1—two from the initiator and one from the responder.
AH: Authentication Header. A part of the IPsec protocol suite that guarantees connectionless integrity and data origin authentication of IP packets.
ASN.1: Abstract Syntax Notation One. A standard notation to describe data structures for representing, encoding, transmitting, and decoding data. DER is an example of ASN.1 encoding rules.
assured forwarding: See AF.
authenticated network access: Network access that was granted after the user submitted credentials to an authentication server.
CA certificate: A certificate that is issued by a CA that validates all other certificates that are issued by the CA. Also called a “CA root certificate.” You store CA certificates in VPN > Certificates > CA Certificates.
certificate: An electronic document that contains a public key and is digitally signed by a third-party issuer such as a CA. Digital certificates are used for network authentication.
Classless Inter-Domain Routing: See CIDR.
clear DF bit: An option that permits you to set the DF bit to 0, which means that the packet can be fragmented in an IPsec SA.
cleartext: Data that is immediately comprehensible to a human being, that is, a message that is transmitted or stored without encryption.
CLI: Command-Line Interface. An interface that requires the user to manually type commands at a command prompt, one line at a time. A CLI is usually accessed via Telnet, SSH, or a serial connection.
convergence: The time that it takes all routers on a network to receive the same information about network topology and the best routes to use to reach a particular destination.
copy DF bit: The IPsec option to copy the DF bit from the original IP header to the delivery header. In this way, it ensures the correct handling for the packet.
copy DSCP value: The IPsec option to copy the DSCP value from the original IP header to the delivery header, which marks the packet for a particular QoS.
default gateway: The next-hop router to which a device sends all traffic that is destined to a different network or subnet.
default metric: The metric that is assigned to redistributed routes.
defragmentation: The reassembly of fragmented packets, often performed by a router or by the TMS zl Module.
demilitarized zone: See DMZ.
denial of service: See DoS.
DER: Distinguished Encoding Rules. A method for encoding data objects. For more information, see ITU-T X.690 at http://www.itu.
Differentiated Services code point: See DSCP.
Differentiated Services field: The IP header field (DS) that is used as a codepoint to select the PHB.
Diffie-Hellman group: Determines the length of the base prime number used during a Diffie-Hellman key exchange.
Diffie-Hellman key exchange: A key exchange method that generates the actual keys during the second exchange of IKE phase 1.
DoS: Denial of Service. A type of attack that monopolizes a system's resources so that other users cannot access it.
DR: Designated Router. The only router in an OSPF area that floods LSAs to other routers in the area.
DR priority: The priority of a router during DR election.
drop out-of-sequence packets: An attack check performed by the TMS zl Module that drops packets that are received out of order.
DSA: Digital Signature Algorithm. A published standard used to create digital signatures.
ESP: Encapsulating Security Protocol. A part of the IPsec protocol suite that provides origin authenticity, integrity, and confidentiality protection for packets.
exchange method: See key exchange method.
exchange mode: See key exchange mode.
expedited forwarding: See EF.
extended ACL: extended Access Control List. On the TMS zl Module, the extended ACL is called the traffic selector. The term extended ACL is used on the HP ProCurve Secure Router 7000dl series.
eXtended AUTHentication: See XAUTH.
firewall zone: One of 11 pre-defined zones, which are logical groupings of VLANs for which you can configure similar firewall access policies. The Self zone filters all traffic to or from the module itself. Access control zones filter traffic that crosses VLAN boundaries: External, Internal, DMZ, Self, Zone1, Zone2, Zone3, Zone4, Zone5, and Zone6.
FQDN: Fully Qualified Domain Name. An FQDN specifies the exact location of a node in the DNS’s tree hierarchy. For example: eng.procurve.edu.
H
HA: High Availability. The provision of nearly constant services or connectivity. It is achieved through redundancy and hot failover.
HA cluster: Two TMS zl Modules that are configured for HA.
HA control protocol: A Layer 2 protocol to manage data flow, such as number of sessions per module, between the master and the participant in an HA cluster.
HA data protocol: A Layer 2 protocol to send data from the cluster master to the participant.
I
IANA: Internet Assigned Numbers Authority. The organization that oversees the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.
IANA IP protocols: Protocols for which the IANA has assigned a unique identifier. For example, TCP is identified by the number 6.
IAS: Internet Authentication Services. The Microsoft implementation of RADIUS.
ICMP: Internet Control Message Protocol.
IE: Microsoft’s Internet Explorer browser.
IETF: Internet Engineering Task Force. An organization that promotes LAN and other networking standards. See www.ietf.org.
IGMP: Internet Group Management Protocol. A protocol used by hosts and multicast routers to establish and manage IP multicast groups.
ignore: An action for an IPsec policy. Ignore means that the traffic that is specified in the traffic selector is discarded and not passed through the IPsec tunnel. See also Bypass and Apply.
integrity check value: See ICV.
inter-chassis failover: A failover scheme in which the members of an HA cluster fail over to other members in a different host chassis.
inter-VLAN: Between different VLANs.
Internal: The Internal zone. A zone on the internal network.
intra-chassis failover: A failover scheme in which the members of an HA cluster fail over to other members in the same host chassis.
intra-VLAN: Within the same VLAN.
intrusion detection: See IDS.
intrusion prevention: See IPS.
IPS: Intrusion Prevention System. A network device that can prevent network attacks before they begin or stop an attack in progress.
IPS port map: A list of which port(s) an application runs on.
IPsec: Internet Protocol security. A suite of protocols that are used to establish a VPN tunnel between devices that communicate over the Internet, thereby protecting their data. For more information, see the IPsec Working Group home page at http://www.ietf.org/html.charters/OLD/ipsec-charter.html.
K
key: In cryptography, a key is a unique value or string of text that is used to encrypt data when that data is run through an encryption or hash algorithm. To decrypt or dehash the data, a device must apply the correct key to the encrypted data. The length of a key generally determines how difficult it will be to decrypt the data. Keys can be either symmetric or asymmetric.
key exchange method: The method used to generate the keys used to negotiate an IPsec SA, either IKE or manual keying.
local gateway: The VPN gateway of the device that you are configuring.
local mirroring: Copying all traffic transmitted on one port (the monitored port) to another port on the same device (the mirror port). The TMS zl Module in monitor mode uses the host switch’s local mirroring capability to monitor traffic.
local user: A user in the local database.
logging: The process of documenting events (usually security events) detected by the TMS zl Module.
many-to-many: A source NAT operation wherein a pool of NAT addresses is assigned to a limited number of outgoing connections.
many-to-one: A NAT operation whereby multiple IP addresses are assigned the same IP address.
master: The member of an HA cluster that coordinates the workload of an active-active cluster or performs the workload of an active-backup cluster and stores the primary configuration for the cluster.
maximum transmission unit: See MTU.
MD5: Message-Digest algorithm 5.
mode: See operating mode.
monitor mode: An operating mode in which the TMS zl Module acts as an offline IDS.
MS-CHAP: Microsoft CHAP. The Microsoft implementation of CHAP. For more information, see RFC 2759 at http://www.ietf.org/rfc/rfc2759.txt.
MTU: Maximum Transmission Unit. The MTU determines the size of the largest packet that can pass through the Data Link Layer (Layer 2) of a connection.
multicast: A send method wherein the packet is sent by one device and is destined for multiple other devices.
NAT: Network Address Translation. A method of reusing IP addresses wherein endpoints inside one network have IP addresses that are different from those that are presented to the Internet or another network. For more information, see RFC 3022 at http://www.ietf.org/rfc/rfc3022.txt.
NAT policy: A rule that defines which addresses are translated, what they are translated into, and under what circumstances.
NAT-T: NAT-Traversal.
O
one-to-one: A NAT operation wherein each internal IP address is assigned its own unique NAT address.
Open Shortest Path First: See OSPF.
operating mode: A functionality set for the TMS zl Module, either routing (Layer 3) or monitor (IDS).
operator account: An administrative account with read-only privileges.
orphaned access policy: A firewall access policy that is configured to affect traffic in the same TMS VLAN.
passive mode: A RIP VLAN mode in which the VLAN receives routing tables from other routers but does not broadcast its own routing table.
passphrase: A passphrase is a password that is used for authentication or encryption. A passphrase is typically more complex than the average password.
PAT: Port Address Translation. A type of destination NAT where the port is translated as well as (or instead of) the IP address.
path MTU: See PMTU.
PDU: Protocol Data Unit.
ping scan: The attacker sends ICMP Echo Request packets, and the host responds with an ICMP Echo Reply packet if it is active and the firewall does not filter ICMP packets.
PMTU: Path Maximum Transmission Unit. A technique for detecting the maximum size for an IP packet along a particular path. For more information, see RFC 1191 at http://www.ietf.org/rfc/rfc1191.txt.
poison reverse: In RIP, a poison reverse message tells a router that a route in the routing table is no longer connected.
priority: The position of an object relative to other objects. A policy in the top position (1) is applied first, then the next policy, then the next. As soon as a packet matches a policy, that policy is applied and all other policies are ignored. A module in top position (255) is elected master of an HA cluster.
priority VLAN: A VLAN from which you can gain management access regardless of traffic volume or workload.
reconnaissance scan: An attack in which the attacker floods the victim device with a certain packet (for example, ping or ACK packets) so that they can learn which of the victim device's ports are open, closed, and filtered.
rekey on sequence number overflow: An IPsec option that automatically reestablishes the SA before it reaches the last sequence number.
remote access: Communication with a network from a remote location.
RPC: Remote Procedure Call. A procedure where arguments or parameters are sent to a program on a remote system. The remote program executes and returns the results. For more information, see RFC 1831 at http://www.ietf.org/rfc/rfc1831.txt.
RSA: Rivest-Shamir-Adleman. A public-key encryption technology that was developed by RSA Data Security, Inc. The RSA algorithm is based on the fact that there is no efficient way to factor very large numbers.
sequence number out of range: When packets are received outside of the TCP sliding window's parameters. This can be an indication of an attack.
sequence number overflow: A condition wherein an IPsec SA exhausts all of its sequence numbers before the session has ended.
sequence number prediction: An attack in which the attacker guesses or sniffs a TCP session sequence number to gain unwarranted access to a network. See ISN.
sliding window: A TCP header field that specifies the maximum number of unacknowledged bytes allowed in a session.
slot ID: The number assigned to the chassis slot.
SNMP: Simple Network Management Protocol. An application-layer protocol that supports the exchange of management information between network devices. An SNMP network consists of agents, managed devices, and network-management systems. Hierarchically organized information about network devices is stored in and accessed from a MIB.
... strong authentication. It secures communications over unsecured channels and can be used when tunneling. For more information, see the SSH Internet Draft at http://www.free.lp.se/fish/rfc.txt.
SSL: Secure Socket Layer. Used for securing the transmission of messages over insecure networks such as the Internet, SSL works by using asymmetric keys to encrypt message data.
startup-config: The settings that have been saved to the module’s flash memory.
T
TCP: Transmission Control Protocol. Part of the IP protocol suite, TCP allows applications on networked hosts to create connections to one another and exchange data. TCP guarantees reliable and in-order data delivery. TCP protocols include, among many others, HTTP, email, and SSH. For more information about TCP, see Request for Comments (RFC) 793 (at http://www.ietf.org/rfc/rfc0793.txt).
transform set: On the TMS zl Module, the transform set is called IPsec proposal. The term transform set is used by the HP ProCurve Secure Router 7000dl series.
transport mode: The IPsec mode in which a packet is encapsulated with an IPsec header before the IP header is added. Therefore, both ends of the tunnel must be the ultimate originators of the traffic.
Triple DES: See 3DES.
tunnel: A virtual path through another network.
V
virtual interface: Because the TMS zl Module only has two physical ports, VLANs are virtual interfaces instead of network interfaces. For every virtual interface on the module there must be a network interface on the host switch.
virtual IP address: An IP address associated with a cluster rather than an individual member of a cluster. The cluster will still receive packets in the event that a specific network device fails.
virus: A computer program that can copy itself and damage a computer system.
W
Web browser interface: A management access method that requires an HTTPS over IP connection to the module plus a Web browser. Firefox 2.x and later and IE 7 and later are supported.
well-known port: The port on which the IANA has assigned a protocol to run. For example, the well-known port for HTTP is 80.
WinNuke attack: An attack that is launched by sending out-of-band (OOB) data to port 139.
X
XAUTH: eXtended AUTHentication.
C Log Messages
Contents
Reading the Log Messages C-3
Finding the Log Message Family and ID C-4
Log Message Formats and Fields C-6
Firewall C-6
Firewall: Access Control
Network Access System C-18
Network Access System: DHCP Client C-18
Network Access System: DHCP Server C-19
Network Access System: IGMP Proxy C-19
Network Access System: NTP Client C-19
Routing
Log Messages Reading the Log Messages
Reading the Log Messages
All log messages begin with the following fields, in this order:
■ time=[YYYY-MM-DD HH:MM:SS]
The timestamp for the log message is derived from the host switch.
■ severity=[critical | major | minor | warning | info]
One of five severity levels that is pre-assigned to each log message type.
■ pri=[0–7]
Priority of the message.
• System
– system_error
• Configuration
– config_configuration
• User Authentication
– user_statistics
• Layer 2 Bridge
– l2br_bridge
• Intrusion Detection/Protection System
– ips_attack_family
– ips_traffic_anomaly_family
– ips_application_detection_family
– session_open_logs_family
– session_close_logs_family
• Network Access
– netacc_dhcp_client
– netacc_dhcp_server
– netacc_igmp_proxy
– netacc_ntp_client
• IP Reassembly
• Threat M
Figure C-1. Finding Log Message Families and Message IDs.
You can use this information to filter the log messages. For example, in the Web browser interface, on System > Logging > View Logs, you can type id=vpn_ in the Keyword field to find all of the messages that the VPN engine has generated. You can also use the log family names and message IDs to filter log messages that have been exported and opened in a text editor or a spreadsheet program.
Log Messages Log Message Formats and Fields
Log Message Formats and Fields
The format for a log message varies according to the system that generated the message. Some types of log messages contain only the fields shown on Page C-3 plus message text. Others contain several other fields, which are included or omitted depending on the type of message. Listed below are the fields that each type of log message might contain, plus values and value types for some of the fields.
Field Name / Value Format / Description
ruleaction
Value format: [permit | deny]
Description: The value in the Action field of the access policy
ruledsc
Value format: [rule position]
accesspolicy
Value format: [source zone] [destination zone] [permit | deny] service [service] [source address] [destination address] (ID:[rule ID])
Description: Description of the access policy in the format shown, which is the same format as in the CLI.
Firewall: Application Filters
Log messages in the application filters family (id=fw_application_filters) may contain the following fields in addition to the firewall access control fields, listed in alphabetical order:
Table C-2.
High Availability Cluster: VSRP
Messages from the VSRP (HA control) protocol (id=hacl_vsrp) may contain the following fields in addition to the HA cluster fields:
Table C-4. High Availability VSRP Message Family Fields
Field Name / Value Format / Description
masterid
Value format: [1 | 2]
Description: Identifier of the cluster master from the Device ID field
mgmt_ipaddress
Value format: [x.x.x.
VPN
Log messages from the VPN engine (id=vpn_...) contain these fields, in this order:
Table C-5. VPN Message Family Fields
Field Name / Value Format / Description
msg
Value format: text
Description: Text of the message
src
Value format: [x.x.x.x]
Description: Source IP address in the IP packet header
srcport
Value format: 0–65535
Description: Source port number in the IP packet header
dst
Value format: [x.x.x.
VPN: IPsec
Log messages from IPsec version 4 (id=vpn_ipsecipv4) may contain these fields in addition to the VPN fields:
Table C-6.
VPN: IKEv1
Log messages from IKE version 1 (id=vpn_ikev1) may contain these fields in addition to the VPN fields:
Table C-7.
VPN: IKEv2
Log messages from IKE version 2 (id=vpn_ikev2) may contain these fields in addition to or instead of the VPN and IKEv1 fields:
Table C-8.
System
System errors (id=system_system_error) contain these fields:
■ srczone=SELF dstzone=SELF
System messages always apply to the Self zone only.
■ errortype=[memory_allocation | socket | file_system | driver | resource_allocation]
Type of error.
Configuration
Log messages from the configuration (id=config_configuration) may contain these fields, in this order:
Table C-10.
Log Messages Log Message Formats and Fields Figure C-2. Finding the Signature Family and Signature ID Figure C-2 shows a log message that shows that rule 30091 of the DOS signature family was activated. Log messages from the IPS attack family (id=ips_attack_family) may also contain these fields: Table C-11.
Log Messages Log Message Formats and Fields Field Name Value Format Description rulefam [general | backdoor | DOS The signature family of the rule that was triggered exploits | gain | access | traffic | info | traffic | anomaly | protocol anomaly | reconnaissance | malware | virus | inappropriate | botnet | spamhaus] rulename text rulethreat [Critical | Severe | Minor | Warning | Information] tcpoptions integer TCP options timetolive integer The time to live of the packet that triggered the IP
Log Messages Log Message Formats and Fields Table C-12.
Log Messages Log Message Formats and Fields Layer 2 Bridge Log messages from the Layer 2 bridge (id=l2br_bridge) contain these fields: ■ destination_macaddress=[aa:bb:cc:dd:ee:ff] The destination MAC address of the packet that triggered this log message ■ portname=[text] The name of the port (interface) on which the packet that triggered this log message was received or was being sent ■ packetlength=[integer] The length of the packet that triggered this log message Network Access System Log messages
Log Messages Log Message Formats and Fields Network Access System: DHCP Server Log messages from the DHCP server (id=netacc_dhcp_server) may contain these fields: Table C-15. DHCP Server Family Fields Field Name Value Format interfacename leaseinterval Description The interface on which the server has been enabled integer The lease interval in seconds leaseip [x.x.x.
Log Messages Log Message Abbreviations

Log Message Abbreviations
Table C-16 lists abbreviations that may be found in the log messages. For an explanation of the log message fields, see “Log Message Formats and Fields” on page C-6. Table C-16.

DIM: dynamic interface management
DOI: domain of interpretation
DPLB: data plane load-balancing
ESN: extended sequence number
ESP: Encapsulation Security Protocol
EXCP: exception
EXTN: external
FD: file descriptor
FIN: finish
FSM: finite state machine
FW: firewall
FW-TRPX: firewall transparent proxy
FWAR: firewall association reservation
FWCS: firewall comp stats
FWD: forward(ing)
FWHA: firewall high availability
FWILP: firewal

IPCP: Internet Protocol Control Protocol
IPFRAG: IP fragmentation
IPRATE: IP rate
IPROUTE: IP routing
IPS: intrusion prevention system
IRC: Internet Relay Chat
ISAKMP: Internet Security Association and Key Management Protocol
KE: key exchange
L2: Layer 2
L2FW: Layer 2 firewall
L2TP: Layer 2 Transport Protocol
L3: Layer 3
LB: load-balancing
LCP: Link Control Protocol
MACDB: Media Access Control database
MCAST: multicast
M

NONCE: random number used during IKE negotiation
PAC: PPTP access concentrator
PAP: Password Authentication Protocol
PFS: Perfect Forward Secrecy
PMTU: path maximum transmission unit
PNS: PPTP network server
POLGRP: policy group
PPP: Point-to-Point Protocol
PPTP: Point-to-Point Tunneling Protocol
PRF: preferences
PRTSCN: port scan
PXTR: proxy transport
RADIUS: Remote Access Dial-In User Service
REJ: reject
RIP: Routing Informatio

Tx: transmit
UDP: User Datagram Protocol
UPN: user principal name
USERDB: user database
USERGRP: user group
VSRP: Virtual Switch Redundancy Protocol
XAUTH: eXtended AUTHentication
XMAS: Christmas tree scan
D Troubleshooting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-3 Basic Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-3 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-4 traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-5 nslookup . . . . . . . . . . . .
Troubleshooting the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-36 Reviewing How the Firewall Operates . . . . . . . . . . . . . . . . . . . . D-36 Strategy for Resolving Firewall Problems . . . . . . . . . . . . . . . . . D-38 Troubleshooting Specific Problems Related to the Firewall . . D-47 Troubleshooting NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-49 Troubleshooting Port Maps . . . . . . . . . . . . . . . . . . . . . .

Overview
This appendix provides some guidance for troubleshooting the HP ProCurve Threat Management Services (TMS) zl Module.
Basic Troubleshooting Tools

ping
The ping command is perhaps the most commonly used troubleshooting tool. You can use it to verify that traffic from one endpoint can reach another endpoint. Remember that when the TMS zl Module is operating in routing mode, you must perform an additional step to use the ping utility. You must create an access policy that permits ICMP echo packets (pings) from one endpoint (the source) to another (the destination).

From the TMS zl Module’s CLI, enter the following command from either the manager-level context or the global configuration context:
Syntax: ping < IP address | hostname >
Replace < IP address > with the IP address of the ping destination. Replace < hostname > with the host name of the ping destination. The module displays the number of pings sent and the number of responses received. For example, to ping a device with the IP address of 192.168.1.

You can set extended options for tracing a route by typing additional keywords after the IP address. You can specify any combination of the extended options shown in Table D-1, and you can enter the options in any order. Table D-1.

For example, if you want to know the IP address for router5, enter:
hostswitch(tms-module-C)# nslookup router5

show commands
The TMS zl Module provides a number of helpful show commands, some of which are listed in Figure D-2. (For more information about any of these commands, see Appendix A, “Threat Management Services zl Module Command-Line Reference.”) Table D-2.

show running-config
  Syntax: show running-config
  Description: Displays the module’s running configuration.
show snmp
  Syntax: show snmpv2 server
  Description: Displays the Simple Network Management Protocol (SNMP) v2 server settings that are configured on the module.
  Syntax: show snmpv3 server
  Description: Displays the SNMP v3 server settings that are configured on the module.
show system-information
  Syntax: show system-information
  Description: Displays all globally configured and operational system parameters.

If you enter the show system-information command, you will see output similar to that shown in Figure D-3. Figure D-3. Output for the show system-information Command
Table D-3 lists some useful show commands for the TMS zl Module when it is operating in routing mode. (For a complete list of show commands, see Appendix A, “Threat Management Services zl Module Command-Line Reference.”) Table D-3.

show ip ospf
  Syntax:
  • show ip ospf general
  • show ip ospf area
  • show ip ospf area-link-state
  • show ip ospf external-link-state [router-id ]
  • show ip ospf interface [ | vlan ]
  • show ip ospf neighbor
  • show ip ospf data grace-link-state
  • show ip ospf redistribute
  • show ip ospf restri
  Description: Displays information about OSPF on the network:
  • General information
  • Areas
  • Area link-states
  • External link-states

Replace with the network interface for which you want to view the packets. You can set extended options for capturing an interface by typing additional keywords after the network interface. These extended options are shown in Table D-4. Table D-4.

If you send the capture to a file, rather than the terminal, you can copy the file to a TFTP, SCP, or FTP server and then use a protocol analyzer to open the file and view the output, as shown in the next section.

Figure D-4. Using a Protocol Analyzer to View Output from the TMS zl Module’s capture Command
If you are troubleshooting a virtual private network (VPN), on the other hand, you can install a protocol analyzer on the client and then view the packets that are being sent from the client. You can then determine if the client is sending the correct packet types.
Troubleshooting Problems with the Installation and Boot Process
This section describes how to:
■ Monitor the front-panel LEDs to ensure that the TMS zl Module boots and functions properly
■ View or monitor the TMS zl Module’s status from the CLI
■ Resolve specific issues related to the installation and boot process

Monitor the Front-Panel LEDs
After you install the TMS zl Module, you should monitor the front-panel LEDs to

■ Ensure that you installed the TMS zl Module according to the installation guidelines. You can install the TMS zl Module in an HP ProCurve 8200zl switch or HP ProCurve Series 5400zl switch. Depending on whether you install the module in a right slot or a left slot, you must ensure that the switch chassis does not exceed the following temperatures:
• Any module in a right slot: the chassis temperature must not exceed 40° C (104° F).

■ If the TMS zl Module is not listed, check the switch software version. If the show services command does not list all the TMS zl Modules that are installed in the switch, ensure that you are running a version of switch software that supports the TMS zl Module (K.13.55 or above).

You will continue to see updated output for the show services command. The following shows an example of the output you might see. The Current status information will vary, depending on the progress of the boot process.
Status and Counters - Services Module E Status HP Services zl Module J9154A Versions : A.01.

Resolve Specific Issues Related to the Installation and Boot Process
This section lists issues that you may encounter when installing or booting a TMS zl Module and provides a possible solution.
■ Problem updating the Services OS.
• Install the product license key on the TMS zl Module. For routing mode, see “Install the Product License Key” in Chapter 2: “Initial Setup in Routing Mode.” For monitor mode, see “Install the Product License Key” in Chapter 3: “Initial Setup in Monitor Mode.”

Troubleshooting the TMS zl Module in Routing Mode
This section explains how to troubleshoot the TMS zl Module when it is operating in routing mode.

Management Interface Issues
If you cannot access the TMS zl Module through a Secure Shell (SSH), Telnet, or HTTPS connection, use the suggestions outlined in this section to isolate the problem and fix it.
■ Ensure that you are using HTTPS, rather than HTTP. If you try to access the TMS zl Module’s Web browser interface through HTTP, you will not be successful. By default, the TMS zl Module supports only HTTPS.

e. Verify that your management station’s VLAN has been configured correctly. In particular, make sure the VLAN has the right IP address and is assigned to the right zone:
hostswitch(tms-module-C)# show vlan
Replace with the VLAN on which you are attempting to access the TMS zl Module. You will see output similar to the following:
Internet (IP) Service IP routing: enabled Default gateway: 10.1.32.

■ Ensure that your management workstation is in a management-access zone. If the management workstation is not in a management-access zone, you must either enable management access on its zone or create an access policy to enable SSH, Telnet, or HTTPS access. Because you cannot access the Web browser interface, you must enable management access or create these policies from the TMS zl Module’s CLI.

If IPS is blocking your management station’s traffic, you can disable IPS for the access policy that permits management access. To view the access policies between the management station’s zone and self, enter:
hostswitch(tms-module-C)# show access-policy filter self
Replace with the management station’s zone, such as internal.

Move to the module’s global configuration mode and remove this policy, using the following command:
hostswitch(tms-module-C:config)# no access-policy self
Replace with the number listed at the beginning of the access policy. For the example below, you would type 7.

■ Check the network infrastructure. If all the settings on the TMS zl Module seem to be correct, you should check the network to ensure that traffic from the workstation can reach the TMS zl Module. To check connectivity, you can ping the module from the management workstation.

If you are using Internet Explorer, complete the following steps:
a. Click Tools > Internet Options > Privacy.
b. Click Sites.
c. Type the module’s interface address and click Allow.
d. Click OK to close each window.
■ You receive an Invalid Login! error message. If you receive an Invalid Login! error, check the following:
• Ensure that the username and password are entered correctly.
■ Clicking Help does not have any effect. If you cannot access the TMS zl Module’s online help, disable pop-up blockers in your Web browser.

Using Log Messages
The main tool you will use to resolve problems is the TMS zl Module’s log messages.

Enabling Logging for an Access Policy
When the TMS zl Module is operating in routing mode, you must enable logging on the access policies that you want to monitor.

Figure D-5. Edit Policy Window
5. Click OK. The TMS zl Module will then begin to log messages related to this access policy.

Changing the Log Level
After you enable logging, you should lower the logging level to information so that the TMS zl Module will log all events. Complete the following steps:
1. Click System > Logging.
2. Click Settings.
3. Under Log Severity, select the most basic message level, Information.

Figure D-6. System > Logging > Settings Window
4. You may also want to disable throttling, so that you can see all messages.
5. Click Apply My Changes.

Checking the Time Settings
The TMS zl Module synchronizes its time from the host switch. You should ensure that the host switch has the correct time so that the module also has the correct time. The time stamps on your log messages will then be accurate.

Figure D-7. System > Logging > View Log Window
3. Use filters to display only the log messages that are helpful to you. For example, you can use the Keyword field to perform specialized searches. You may want to use the following fields in your keyword searches.
Note: If you have used a named object in an access policy, the log will show the name of the object instead of the values that the object contains.

■ id=[log family] The log messages are divided into families and subfamilies. See Appendix C, “Log Messages” for a list of log family names.
■ mid=[integer] The message ID can help you find specific messages. Message IDs are unique within their log family, so you will need to search for both the log family (id=[log family]) and the message ID.

Interpreting Log Messages
As you view log messages, you must learn to identify which ones are related to the firewall and which are related to IPS. Log messages related to the firewall begin with fw, such as fw_access_control or fw_l2l3_attack. For example, Figure D-7 on page D-30 shows log messages that include fw_l2l3_attack. Log messages related to IPS begin with ips, such as ips_attack_family or ips_protocol_anomaly_family.

• From the CLI, enter:
hostswitch(tms-module-C)# show logging email
2. Ensure the appropriate SELF access policy is added to allow the TMS zl Module’s SMTP client to contact the SMTP Server.
• From the Web browser interface, click Firewall > Access Policies > Unicast.
• From the CLI, enter:
hostswitch(tms-module-C)# show access-policy
3. Ensure the authentication scheme on the email server is supported by the TMS zl Module.

2. Ensure that the appropriate access policy is added to allow the TMS zl Module to send SNMP traps. The access policy should allow SNMP traffic between the Self zone and the zone that contains the SNMP trap receiver.
• From the Web browser interface, click Firewall > Access Policies > Unicast.
• From the CLI, enter:
hostswitch(tms-module-C)# show access-policy
All of your access policies will be listed.

Workstations Cannot Receive an IP Address
If workstations cannot receive a dynamic IP address, you must check two different settings: First, check the DHCP relay settings. Make sure that DHCP is enabled on the VLAN and that the DHCP server settings are correct. Second, check the access policies to ensure that DHCP traffic is allowed from each workstation’s zone to the DHCP server.
Troubleshooting the Firewall
When you are configuring and troubleshooting the firewall, you should review how the firewall operates. With these guidelines in mind, you can then apply the strategy outlined in this section to isolate your problem and fix it.

Reviewing How the Firewall Operates
Keep in mind the following general principles for the TMS zl Module’s firewall:
■ All traffic is denied by default.

A Regular Access Policy Has a Higher Priority Than a User-Based Access Policy. A normal access policy (which applies to any user group) has a higher priority than a user-based access policy. This means that the TMS zl Module will process the normal access policy first.
Some Traffic Must Be Transmitted to the Self Zone.

Strategy for Resolving Firewall Problems
The advantage of using access policies is that you can tailor them to your company’s unique environment. Access policies can be as complex or as simple as your company needs. Once your access policies are in place, you must ensure that you have configured them correctly so that traffic is being handled appropriately.

Define the Problem. When you define the problem, you should determine exactly what traffic is being handled incorrectly. List the source and destination addresses, the VLANs, the zones, and the type of traffic (both protocol and port). Then, list the exact problem, as you understand it at this point. As you begin to troubleshoot, you will gather additional information about the problem, clarifying it even further, until you find a solution.

Check the logs and answer the following questions:
■ Does the traffic match an access policy?
■ If the traffic matches an access policy, does it match the intended access policy?
■ If the traffic matches the intended access policy, does it reach its destination?
The answers to these questions will help you narrow the cause of the problem so you can implement a solution.

■ Create a temporary access policy to allow ICMP echo messages (pings) from the endpoint. Because the TMS zl Module firewall denies all traffic that is not explicitly permitted, it can be difficult to distinguish between misconfigured access policies and other Layer 3 problems such as missing routes. Therefore, you might want to open the firewall temporarily to eliminate misconfigured access policies from the equation.

Log Message Shows That Traffic Did Not Match Any Access Policy. Filter the TMS zl Module’s log by the source IP address (or named object) of the device that is sending the traffic. If you see the following text in a log message, the firewall does not have an access policy that permits the traffic. In this case, the firewall drops the traffic:
id=fw_access_control ruleid=0 msg=”FW: no access policy found, packets dropped.
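As an added example (not code from HP's manual or the module itself), the following Python parses log messages in the key=value format this appendix describes, classifies each one by its log family prefix (fw versus ips), searches by id and mid together as the keyword-filter section recommends, and picks out the "no access policy found" drops so the flows that still need an access policy can be listed. The sample log lines are constructed; the dstport field and all addresses, zones and message IDs are assumptions, not values from the manual.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample log lines in the TMS zl Module's key=value style.
# Only the field names id, mid, src, dst, srczone, dstzone, ruleid,
# ruleaction, rulefam, rulethreat and msg, and the text
# "FW: no access policy found, packets dropped." come from the manual;
# every value and the dstport field are made up for this example.
SAMPLE_LOG = """\
id=fw_access_control mid=1003 srczone=internal dstzone=external src=10.1.32.50 dst=203.0.113.7 dstport=443 ruleid=0 msg="FW: no access policy found, packets dropped."
id=fw_access_control mid=1003 srczone=internal dstzone=external src=10.1.32.51 dst=203.0.113.7 dstport=443 ruleid=0 msg="FW: no access policy found, packets dropped."
id=fw_access_control mid=1001 srczone=internal dstzone=external src=10.1.32.50 dst=203.0.113.7 dstport=80 ruleid=7 ruleaction=permit msg="FW: access policy matched"
id=fw_l2l3_attack mid=2004 srczone=external dstzone=self src=198.51.100.9 dst=172.16.1.254 msg="FW: land attack detected"
id=ips_attack_family mid=3002 srczone=external dstzone=internal src=198.51.100.9 dst=10.1.32.50 ruleid=30091 rulefam=DOS rulethreat=Severe msg="IPS: signature matched"
id=ips_protocol_anomaly_family mid=3010 srczone=external dstzone=internal src=198.51.100.9 dst=10.1.32.50 msg="IPS: protocol anomaly"
"""

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces, as msg does) or a run of non-whitespace characters.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one log message into a dict of its fields, unquoting msg."""
    fields: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def engine_of(message: Dict[str, str]) -> str:
    """Classify by log family prefix: fw -> firewall, ips -> IPS, else other."""
    family = message.get("id", "")
    if family.startswith("fw_"):
        return "firewall"
    if family.startswith("ips_"):
        return "ips"
    return "other"


def find_messages(messages: Iterable[Dict[str, str]], family: str,
                  mid: Optional[str] = None) -> List[Dict[str, str]]:
    """Keyword-style search on id= and, optionally, mid=.

    Message IDs are only unique within a family, so a mid search is always
    combined with the family name, as the manual recommends.
    """
    return [m for m in messages
            if m.get("id") == family and (mid is None or m.get("mid") == mid)]


def no_policy_drops(messages: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Messages showing the firewall dropped traffic because no policy matched.

    The manual's signature for this case is id=fw_access_control with
    ruleid=0 and the "FW: no access policy found" message text.
    """
    return [m for m in messages
            if m.get("id") == "fw_access_control"
            and m.get("ruleid") == "0"
            and m.get("msg", "").startswith("FW: no access policy found")]


def flows_needing_policy(messages: Iterable[Dict[str, str]]) -> Counter:
    """Count dropped flows by (source zone, destination zone, dst, port).

    These are the items the manual asks you to list when defining the
    problem; each key is a candidate access policy that may be missing.
    """
    counts: Counter = Counter()
    for m in no_policy_drops(messages):
        key = (m.get("srczone", "?"), m.get("dstzone", "?"),
               m.get("dst", "?"), m.get("dstport", "any"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for m in parsed:
        print(engine_of(m), m["id"], m["mid"], m["msg"])
    for flow, n in flows_needing_policy(parsed).items():
        print("no access policy for", flow, "x", n)
```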
■ Check to see if the intended access policy or one above it contains a domain name that cannot be resolved. If the traffic does not match an access policy and the access policy seems to be correct, check to see if this policy or one that is processed before this policy contains a domain name.

c. Ensure proper connectivity between the TMS zl Module and the DNS server by completing one of the following:
– In the Web browser interface, click System > Utilities > Ping and enter the DNS server’s IP address for the Hostname/IP Address.
– At the CLI, enter:
hostswitch (tms-module-C)# ping
d.

■ If user authentication is enabled, ensure that it is set up correctly, and the user authenticates successfully. Finally, you may want to see if user authentication is enabled. If it is, make sure it is set up correctly. For example, you must set up the appropriate access policies and ensure that the user authenticated successfully.
If you have a custom application that uses a dynamic port, you may need to configure a port trigger so that the firewall can open the correct ports. Keep in mind, however, that you should not use a port trigger if NAT is applied to the traffic. Port triggers do not provide the same functionality that ALGs offer.

You may assign as many or as few connections per zone as you like, but the total number of connections in all zones cannot exceed 600,000. If you are not using one or more zones, you can transfer their limits to the zones that you are using.
■ Check NAT to ensure that it is configured correctly. See “Troubleshooting NAT” on page D-49.
■ Troubleshoot VPN settings if applicable. See “Troubleshooting VPNs” on page D-55.

You can view the access policies from the Firewall > Access Policies > Policies window in the Web browser interface or by entering the show access-policy command from the CLI.
You Do Not Receive a “Destination unreachable” Message. If you try to ping a host but an access policy does not allow the ping, you will not receive a destination unreachable message. Currently, the TMS zl Module works in stealth mode.

Application Experiences Problems After TMS zl Module Is Installed. If a network application does not work properly after the TMS zl Module is installed, first ensure that the necessary access policy has been configured to allow the application’s traffic. The access policy must allow the host to communicate with the network application on the ports that the application uses. If you still have problems, complete the following steps:
1.

3. Use the show connections command to verify that addresses are translated as you expect them to be.
• Check the NAT policies in the Firewall > NAT Policies > Policies window to ensure that they are configured correctly.
• For destination NAT, verify that an access policy to the Self zone permits the traffic selected for NAT.
4. Ensure that other network routers have the correct routing information to route the packets.

Ensure That IPS Is Enabled Globally
To check the global IPS setting, complete the following steps:
1. Click Intrusion Prevention > Settings.
2. Click Actions.
3. Ensure that the Enable Signatures and Protocol Anomaly detection option is selected.
Figure D-9. Intrusion Prevention > Settings > Actions Window
4. If necessary, click Apply My Changes.
You can also check the IPS setting from the CLI.

Signature Version : RLX.10.2.2.82 IPDS Subscription Hardware ID: SG860GG080-H-Y3K27GVG238R79-RKXHVYK-3MCVJYF IPDS Full Inspection : Disabled
Note the problem indicated: the TMS zl Module was not able to resolve the domain name and download updated signatures. If you see this error, you should check your DNS settings and make sure your access policies allow DNS traffic.

Figure D-10. Edit Policy Window
5. Click OK.

Signature Is Triggered Too Frequently
If an IPS signature is triggered, you should always investigate and find out if network security is being threatened. This is especially true if the IPS signature is triggered excessively.

If you want to disable IPS only for a particular device, create a new access policy that affects only that device. Clear the Enable IPS on this Policy option so that IPS does not check the traffic that matches this access policy. To disable the signature itself, complete the following steps:
1. Click Intrusion Prevention > Signatures.
2. Click View.
Figure D-11. Intrusion Prevention > Signatures > View Window
3.

Troubleshooting Problems with Downloading the IDS/IPS Signatures
After you register your IDS/IPS signature subscription, you should be able to download the latest signatures from the HP ProCurve Networking update server. For step-by-step instructions on downloading these signatures, see “Download Signatures” in Chapter 6: “Intrusion Detection and Prevention.
VPN Troubleshooting Tools
Throughout the troubleshooting process, you can check the TMS zl Module’s logs for clues about what is causing the problem. See “Filter for Logs Relevant to the VPN” on page D-56. For more detailed information, you can access the TMS zl Module’s CLI and use the capture command. See “Use the CLI capture Command to Troubleshoot the VPN” on page D-56.

Analyze the capture Messages More Closely. Follow these steps to analyze the establishment of the VPN connection in more detail:
1. Enter this command to copy the packet trace for IKE messages to a file:
hostswitch(tms-modules-C)# capture file vlan dp 500 ip udp
Note: If you want to capture all packets, you can do so by ending the command after vlan. However, best practice is to copy as few packets as necessary.
2.

■ Clear IKE and IPsec SAs on the TMS zl Module. Follow these steps to clear SAs from the module’s Web browser interface:
a. Select VPN > IPsec > VPN Connections.
b. Click the Flush link next to the IKE SA or IPsec tunnel that you want to clear.
■ Clear a VPN connection on the client. If you are troubleshooting a client-to-site VPN, you might need to clear the VPN connection from the client’s side.

If the VPN connection comes up and the test client can successfully send traffic across it, then you should look for problems such as these:
■ The TMS zl Module and the actual remote clients cannot reach each other. Check the module’s routes and verify that it has a route to the remote clients (which may not be directly connected to a TMS VLAN as the test client is).
■ The firewall access policies do not permit NAT-T traffic.

Figure D-12. View VPN Connections
This window displays IKE SAs and IPsec VPN tunnels. The IKE SA is a temporary tunnel that must be established before the IPsec tunnel can be established. The IPsec tunnel is the connection over which users send encrypted traffic. Depending on what you see in the VPN > IPsec > VPN Connections window, you can determine which part of the VPN connection you need to troubleshoot.

■ IKE SA but no IPsec tunnel. If you see an IKE SA, click the Check status link. If the status indicates “SA_Mature,” the IKE SA is fully established. However, the IPsec tunnel has not come up; the connection has failed partway through the process. In this case, begin by troubleshooting IPsec settings. (See “Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN” on page D-68.

Table D-7. IKE capture Messages

Example capture Messages: No messages
  Problem: The module is not receiving or not accepting the remote client’s IKE messages.
  Begin Troubleshooting: Step 1 on page D-62

Example capture Messages:
  IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
  IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf
  IP tms1.isakmp > tms2.
  Problem: The module and the remote client’s IKE security settings do not match.
  Begin Troubleshooting: Step 7 on page D-65
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode Access policies External to Self Permit isakmp Any 172.16.1.254 Permit ipsec-nat-t-udp Any 172.16.1.254 Self to External Permit isakmp 172.16.1.254 Any Permit ipsec-nat-t-udp 172.16.1.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode Note When you create new access policies, enable logging on them for the purposes of troubleshooting. Your access policies might specify particular IP addresses for remote endpoints. If so, create temporary access policies that permit IKE and NAT-T traffic to and from any IP address. Assign these access policies the top priority. If the IKE SA is established, your original access policies are misconfigured.
7. Check IKE settings on the TMS zl Module against settings on the remote clients. To establish an IKE SA, the TMS zl Module and the remote clients must agree on a number of settings. Table D-8 displays those settings and how they should match up between the module and the remote device. Most settings must match exactly.

If you make any corrections to the IKE policy, try to send VPN traffic from the test device. Then re-evaluate. If you must continue troubleshooting, leave any changes to the IKE policy that you are confident are corrections. However, if you experiment with a change and the experiment does not solve the problem, you should revert to your original settings.

8. In the previous step, you checked the general IKE policy.

b. If the IKE SA comes up, you know that certificates were causing the problem. Look for these common errors:
– Certificates are not properly loaded on the TMS zl Module. The module requires a certificate authority (CA) certificate and an IPsec certificate. If you cannot load the module’s IPsec certificate, verify that you have already loaded the CA certificate for the CA that issued the module’s certificate.
Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN. This section includes tips for troubleshooting IPsec settings. It is best practice to clear the IKE SA and attempt to establish the VPN connection from the test client after making each change. Then re-evaluate the connection:
■ If the traffic can reach its destination, you can stop troubleshooting.

If you do not want to enter the capture command and view the output, try these tips in this order. (Use the Web browser interface to check these settings.)
1. Check the IPsec traffic selector, which is configured in the IPsec policy: The protocol, local addresses, and local ports (if configured) must match exactly the protocol, addresses, and ports configured for the remote network on the remote client.

Note that some settings are configured in the IPsec proposal and some are configured in the IPsec policy. The table also indicates where the setting is configured.

Table D-10.

■ Protocol = Any (or the same protocol in the traffic selector)
■ Source addresses = IKE mode config addresses
■ Source port = Any (or the remote port in the traffic selector)
■ Destination addresses = Local address in the traffic selector
■ Destination port = Any (or the local port in the traffic selector)
If you can do so securely, try configuring this policy and determining whether your traffic can reach its destination.

Check the module’s routes and verify that it has a route to the remote clients (which may not be directly connected to a TMS VLAN as the test client is).
■ The firewall access policies do not permit NAT-T traffic. A device between the TMS zl Module and the remote clients may perform NAT on the clients’ traffic, which can interfere with the VPN.

This window displays IKE SAs and IPsec VPN tunnels. The IKE SA is a temporary tunnel that must be established before the IPsec tunnel can be established. The IPsec tunnel is the connection over which users send encrypted traffic. Depending on what you see in the VPN > IPsec > VPN connections window, you can plan which part of the VPN connection you need to troubleshoot.

■ If the VPN connection on the client comes up but traffic cannot reach its destination, continue with “Troubleshoot Access Policies for a Client-to-Site L2TP over IPsec VPN” on page D-83.
■ If the IPsec tunnel comes up on the TMS zl Module but the VPN connection on the test client does not, continue with “Troubleshoot L2TP Dial-in Settings” on page D-81.
• NAT-T (in case an intervening NAT device translates the clients’ or the module’s IP address)
• L2TP traffic

Note
These policies must be configured for the None user group.

Access policies

                      Action   Service       Source   Destination
  External to Self    Permit   isakmp        Any      172.16.1.254
                      Permit   ipsec-nat-t   Any      172.16.1.254
                      Permit   l2tp-udp      Any      172.16.1.

If you are missing any of these access policies, add them now. You might also try configuring access policies that permit this traffic to and from each zone and the Self zone (in case you have mistaken the remote clients’ zone).

Note
When you create new access policies, enable logging on them for the purposes of troubleshooting.

Note
Check all network objects used in IPsec policies and verify that they are up-to-date and accurate.

4. Check the local gateway address in the IKE policy. Verify that this address is the module IP address that the clients contact.
5. Check the IKE policy on the TMS zl Module and verify that it uses Main for the key exchange mode.
6.

Table D-13. IKE Security Settings Proposed by Windows XP Clients

  Proposal   Encryption Algorithm   Authentication Algorithm   Diffie-Hellman Group   SA Lifetime in Seconds
  1          3DES                   SHA-1                      2                      28800
  2          3DES                   MD5                        2                      28800
  3          DES                    SHA-1                      1                      28800
  4          DES                    MD5                        1                      28800

Common errors include:
• The local or remote ID has been miskeyed, or the remote device uses a different ID type.

8. If the IKE policy specifies DSA Signature or RSA Signature for the Authentication mode, you should troubleshoot certificates:
a. If possible, configure both ends of the VPN connection to use preshared keys instead of certificates and configure the same key on both devices. If the IKE SA still does not come up, change the authentication mode back to its original setting. The problem may be on the other side of the connection.
b.

Troubleshoot IPsec Settings for a Client-to-Site L2TP over IPsec VPN. This section includes tips for troubleshooting IPsec settings. It is best practice to clear the IKE SA and attempt to re-establish the VPN connection after making each change. Then re-evaluate the connection:
■ If the traffic can reach its destination, you can stop troubleshooting.

Table D-14. IPsec Security Settings Proposed by Windows XP Clients

  Proposal   Protocol   Encryption Algorithm   Authentication Algorithm
  1          ESP        3DES                   SHA-1
  2          ESP        3DES                   MD5
  3          ESP        DES                    SHA-1
  4          ESP        DES                    MD5

In the module’s IPsec policy, disable Perfect Forward Secrecy (PFS) and set the lifetime to the default settings.

Troubleshoot L2TP Dial-in Settings.
h. Click the Security tab.

Figure D-16. Windows XP—Properties Window > Security Tab

i. Select Advanced (custom settings) and click Settings.

Figure D-17. Windows XP—Advanced Security Settings

j. For Data encryption, ensure that Require encryption (disconnect if server declines) is selected.
k. Select Allow these protocols.
l. Select the check box for the authentication protocol that is configured on the module. Clear all other check boxes.

lated and encrypted. It processes incoming VPN traffic after it has been decapsulated and decrypted. In other words, the access policies must permit the inner IP traffic that is sent over the VPN. These access policies should be configured for the user group that you assigned to the users’ dial-in policies.

Note
The TMS zl Module automatically accepts IPsec traffic for which it is the gateway.

Troubleshoot a Site-to-Site IPsec VPN

This section outlines a process for troubleshooting a failed site-to-site IPsec VPN.

Set up a Test Device. As you troubleshoot the VPN, you must periodically attempt to establish the VPN to determine whether you have fixed the problem. To test the site-to-site connection, you must attempt to send allowed traffic over the VPN from a local endpoint to a remote endpoint.

Figure D-18. View VPN Connections

This window displays IKE SAs and IPsec VPN tunnels. The IKE SA is a temporary tunnel that must be established before the IPsec tunnel can be established. The IPsec tunnel is the connection over which users send encrypted traffic. Depending on what you see in the VPN > IPsec > VPN connections window, you can plan which part of the VPN connection you need to troubleshoot.

■ IKE SA but no IPsec tunnel
If you see an IKE SA, click the Check status link. If the status indicates “SA_Mature,” the IKE SA is fully established. However, the IPsec tunnel has not come up; the connection has failed partway through the process. In this case, begin by troubleshooting IPsec settings. (See “Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN” on page D-68.
Table D-15. IKE capture Messages

  Example capture Messages                                Problem                                         Begin Troubleshooting At
  No messages                                             IKE is not initiating.                          Step 1 on page D-88
  IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident   The module and the remote gateway’s IKE         Step 7 on page D-93
  IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf     security settings do not match.
  IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
  IP tms2.isakmp > tms1.
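Tables D-7 and D-15 both read the module's capture output the same way: no ISAKMP lines at all means IKE never started or never arrived, and a local "phase 1 I ident" answered only by "phase 1 R inf" from the peer means the IKE security settings do not match. The following is an added example, not HP code, that parses capture lines in the form the tables show and returns that classification; the hostnames tms1/tms2 and the sample lines are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed capture excerpt in the form Tables D-7/D-15 show (not a real capture).
SAMPLE_MISMATCH = [
    "IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident",
    "IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf",
    "IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident",
    "IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf",
]

# One ISAKMP line: source host, destination host, phase, initiator/responder flag,
# and the exchange type (ident, inf, ...). Non-ISAKMP lines do not match.
ISAKMP_LINE = re.compile(
    r"^IP (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: isakmp: "
    r"phase (?P<phase>[12]) (?P<role>[IR]) (?P<exch>\w+)"
)


def parse_isakmp(lines: List[str]) -> List[Tuple[str, str, int, str, str]]:
    """Return (src, dst, phase, role, exchange) for every ISAKMP line in the capture."""
    parsed = []
    for line in lines:
        m = ISAKMP_LINE.match(line.strip())
        if m:
            parsed.append((m["src"], m["dst"], int(m["phase"]), m["role"], m["exch"]))
    return parsed


def diagnose_ike_capture(lines: List[str], local: str = "tms1") -> Tuple[str, str]:
    """Classify a capture into the outcomes the tables list.

    Codes returned:
      no_messages       no ISAKMP traffic at all: IKE is not initiating, or the peer's
                        IKE messages are not received/accepted (table row 1, Step 1)
      settings_mismatch the local side sends 'phase 1 I ident' and the peer replies only
                        with 'phase 1 R inf': IKE security settings do not match
                        (table row 2, Step 7)
      other             some other exchange; consult the remaining table rows
    """
    msgs = parse_isakmp(lines)
    if not msgs:
        return ("no_messages",
                "No IKE messages: check that IKE initiates and that access policies "
                "permit isakmp/NAT-T (begin at Step 1)")
    sent_ident = any(s == local and p == 1 and r == "I" and e == "ident"
                     for s, _, p, r, e in msgs)
    peer_replies = [f"{r} {e}" for s, _, p, r, e in msgs if s != local and p == 1]
    if sent_ident and peer_replies and all(x == "R inf" for x in peer_replies):
        retries = sum(1 for s, _, p, r, e in msgs if s == local and e == "ident")
        return ("settings_mismatch",
                f"Peer answered {retries} phase 1 proposal(s) only with informational "
                "messages: compare encryption, authentication, DH group, SA lifetime "
                "and IDs (begin at Step 7)")
    return ("other", "Phase 1 progressed past the proposal; check later table rows")


if __name__ == "__main__":
    print(diagnose_ike_capture([]))
    print(diagnose_ike_capture(SAMPLE_MISMATCH))
```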
Access policies

                      Action   Service           Source          Destination
  External to Self    Permit   isakmp            172.16.24.253   172.16.1.254
                      Permit   ipsec-nat-t-udp   172.16.24.253   172.16.1.254
  Self to External    Permit   isakmp            172.16.1.254    172.16.24.253
                      Permit   ipsec-nat-t-udp   172.16.1.254    172.16.24.

2. Check NAT policies and look for interference. The module applies NAT before it selects traffic for the VPN. Therefore, it might translate the source address of traffic that should be sent over the VPN to an address that is not specified in the IPsec traffic selector, preventing the connection from initiating. If you have implemented NAT on the TMS zl Module, you should make sure that NAT does not interfere with the VPN:
a.

c. When you see such a policy, you must create a higher-priority NAT exclusion policy. This policy should specify exactly the same traffic that is configured in the IPsec policy traffic selector, and its setting for Translate should be None. To configure a policy to correct the problem in this example, complete these steps:
i. In the Firewall > NAT > NAT Policies window, click Add Policy.
ii. For Translate, select None.
iii.

3. Check routes in the Network > Routing > Static Routes window and verify that the correct routes are in place. In a site-to-site VPN, the TMS zl Module must have a route to:
• The endpoints behind the remote gateway
• The remote gateway
If the module uses a default route to reach the remote gateway, that route suffices for the remote endpoints as well.

5. Check the local gateway address in the IKE policy. Verify that this address is the module IP address that the remote gateway contacts.
6. Check the IKE policies on the TMS zl Module and the remote gateway (if possible). Ensure that both specify the same key exchange mode (main or aggressive).
7. Check IKE settings on the TMS zl Module against settings on the remote gateway.

• The security settings (encryption algorithm, authentication algorithm, Diffie-Hellman group, and SA lifetime) do not match exactly. If you are troubleshooting a VPN between TMS zl Modules, set the security parameters to their default settings. If this change allows the connection to come up, you can try changing the settings on both sides of the connection to the settings that you want to use.

If the TMS zl Module was acting as an XAUTH client, look for these problems:
– A misconfigured password
– A mismatch between the authentication protocol and the protocol on the remote gateway
– Problems with the remote gateway’s local database or RADIUS server
c. After you make a configuration change, re-enable XAUTH in the IKE policy and on the remote gateway.
d.

c. After you have found and corrected the error, change the IKE policy Authentication mode setting back to its original setting.
d. Clear the IPsec tunnel and IKE SA and try to establish the VPN.
e. Check the status of the VPN connection and determine your next step.
10. At this point, at least the IKE SA should be up. If you were using XAUTH and have disabled it, re-enable this setting now.

The connection will fail for several reasons:
• The local addresses on the local module do not match the remote addresses on the remote module, and vice versa. The modules do not consider the addresses to match even though the Any setting includes the necessary addresses within it.
• The Local port setting on the local module does not match the Remote port setting on the remote gateway.
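Two of the site-to-site checks above are mechanical and worth scripting before you touch the configuration: step 2 (NAT runs before IPsec selection, so a translating NAT policy that matches tunnel-bound traffic must be overridden by a higher-priority exclusion policy with Translate = None) and the traffic-selector rule just stated (local and remote addresses and ports must mirror exactly, and Any does not satisfy a specific value). The following is an added example, not HP code; the Selector and NatPolicy fields, the "lower priority number wins" ordering, and the 10.1.0.0/16 and 10.2.0.0/16 networks are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Selector:
    """IPsec traffic selector from the IPsec policy (field names are assumptions).
    "0.0.0.0/0" and "any" stand for the Any setting."""
    protocol: str = "any"
    local_addresses: str = "0.0.0.0/0"
    remote_addresses: str = "0.0.0.0/0"
    local_port: str = "any"
    remote_port: str = "any"


@dataclass(frozen=True)
class NatPolicy:
    """Simplified Firewall > NAT > NAT Policies row; the lowest priority number is
    evaluated first (assumption for this example)."""
    priority: int
    source: str
    destination: str
    translate: str  # "source", "destination" or "none"


def _overlaps(a: str, b: str) -> bool:
    return ip_network(a).overlaps(ip_network(b))


def matching_nat_policy(sel: Selector, nats: List[NatPolicy]) -> Optional[NatPolicy]:
    """First NAT policy, in priority order, that matches traffic bound for the tunnel."""
    for nat in sorted(nats, key=lambda n: n.priority):
        if _overlaps(nat.source, sel.local_addresses) and _overlaps(nat.destination, sel.remote_addresses):
            return nat
    return None


def nat_interferes(sel: Selector, nats: List[NatPolicy]) -> bool:
    """NAT is applied before IPsec selection, so if a translating policy wins, the
    rewritten packets no longer match the selector and the VPN never initiates."""
    nat = matching_nat_policy(sel, nats)
    return nat is not None and nat.translate != "none"


def exclusion_policy(sel: Selector, nats: List[NatPolicy]) -> NatPolicy:
    """The correction from step 2c: exactly the selector's traffic, Translate = None,
    placed above every existing NAT policy."""
    top = min((n.priority for n in nats), default=1)
    return NatPolicy(priority=top - 1, source=sel.local_addresses,
                     destination=sel.remote_addresses, translate="none")


def selector_mismatches(local: Selector, remote: Selector) -> List[str]:
    """Exact mirror check between the two gateways' selectors. Plain string comparison
    is deliberate: Any on one side does not match a specific value on the other."""
    checks = [
        ("local addresses vs remote gateway's remote addresses", local.local_addresses, remote.remote_addresses),
        ("remote addresses vs remote gateway's local addresses", local.remote_addresses, remote.local_addresses),
        ("local port vs remote gateway's remote port", local.local_port, remote.remote_port),
        ("remote port vs remote gateway's local port", local.remote_port, remote.local_port),
        ("protocol", local.protocol, remote.protocol),
    ]
    return [name for name, a, b in checks if a != b]


# Constructed scenario: local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16, and a
# many-to-one source NAT policy that translates everything leaving the local LAN.
SELECTOR = Selector(local_addresses="10.1.0.0/16", remote_addresses="10.2.0.0/16")
NAT_POLICIES = [NatPolicy(priority=10, source="10.1.0.0/16", destination="0.0.0.0/0", translate="source")]

if __name__ == "__main__":
    print(nat_interferes(SELECTOR, NAT_POLICIES))                 # True: source NAT wins
    fixed = NAT_POLICIES + [exclusion_policy(SELECTOR, NAT_POLICIES)]
    print(nat_interferes(SELECTOR, fixed))                        # False: exclusion wins
    peer = Selector(local_addresses="10.2.0.0/16", remote_addresses="0.0.0.0/0")
    print(selector_mismatches(SELECTOR, peer))                    # Any on the peer is not a match
```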
Note that some settings are configured in the IPsec proposal and some are configured in the IPsec policy. The table also indicates where the setting is configured.

Table D-17.

If you can do so securely, try configuring these most basic policies and see if the traffic can reach its destination. Remember to enable logging on the policies in question so that you can see when traffic matches a policy. It is possible that the module is permitting the traffic but another security device is dropping it. Once you get traffic flowing across the tunnel, you can experiment with more restrictive policies.

Attempt to send traffic to a remote endpoint from the local test device:
■ If the traffic cannot reach its destination, you must troubleshoot the GRE tunnel (see “Troubleshoot the GRE Tunnel” on page D-100).
■ If the traffic can reach its destination, the GRE tunnel is functioning correctly. Re-enable the IPsec policy. You must troubleshoot IKE and IPsec.

Access policies

                       Action   Service   Source         Destination
  External to Self     Permit   gre       172.16.24.1    172.16.1.254
  Internal to Zone 1   Permit   any       10.1.0.0/16    10.2.0.0/16
  Self to External     Permit   gre       172.16.1.254   172.16.24.1
  Zone1 to Internal    Permit   any       10.2.0.0/16    10.1.0.

2. Check routes in the Network > Routing > Static Routes window and verify that these routes exist:
• A route to the remote gateway
• A route through the GRE tunnel to the remote network
The TMS zl Module requires this route to set up the GRE tunnel. If you do not see this route, the GRE tunnel is not correctly configured. Select VPN > GRE > GRE Tunnels and edit the tunnel.

It is also important to know the types of traffic required for the protocol. Version 1 uses broadcast, while version 2 uses multicast. Your access policies must allow the appropriate RIP traffic through the firewall.

OSPF
When you enable OSPF, the TMS zl Module uses version 2. Again, your access policies must allow the appropriate multicast and unicast traffic for OSPF.

The remainder of this section explains how to resolve HA problems.
■ After you configure a TMS zl Module and then set up an HA cluster, the configuration on the master was lost.
This problem probably occurred because you did not set up HA on the intended master first. When you configure an HA cluster, the first member that comes online is the master. When the participant comes online, it takes the configuration from the master.

Figure D-25. Sample HA Configuration

■ The master is down, but a failover does not occur.
Check the following:
• Ensure that the ports that connect the host switches are tagged members of the HA VLAN.
• If the cluster members are in two different switches, ensure that the same TMS VLANs are configured on both host switches.
• Determine if a device between the two switch chassis failed.

■ The logs show numerous broadcast messages on VLAN 1, but you have not configured VLAN 1 as a TMS VLAN.
HA cluster members communicate on the HA VLAN, which is configured on each member’s internal port 2, and by default, the HA VLAN is VLAN 1. The TMS zl Module receives broadcast traffic on the HA VLAN whether or not you configure HA.
Troubleshooting the TMS zl Module in Monitor Mode

This section provides some guidelines for troubleshooting the TMS zl Module when it operates in monitor mode.

You should also configure a default gateway:

  hostswitch(tms-module-C:config)# ip route 0.0.0.0/0

■ The module’s management port is a tagged member of the management VLAN.
When the TMS zl Module operates in monitor mode, its internal data 1 port is used to receive mirrored traffic. Its internal data 2 port is the management port. When you configure a management VLAN, port 2 is automatically tagged on that VLAN.

If you are using Internet Explorer, complete the following steps:
a. Click Tools > Internet Options > Privacy.
b. Click Sites.
c. Type the module’s interface address and click Allow.
d. Click OK to close each window.

■ You receive an Invalid Login! error message.
If you receive an Invalid Login! error, check the following:
• Ensure that the username and password are entered correctly.

■ Clicking Help does not have any effect.
If you cannot access the TMS zl Module’s online help, disable pop-up blockers in your Web browser.

Using Log Messages to Troubleshoot Problems

The main tool you will use to resolve problems is the TMS zl Module’s log messages.

Checking the Time

The TMS zl Module synchronizes its time from the host switch. You should ensure that the switch has the correct time so that the module also has the correct time. The time stamps on your log messages will then be accurate.

Viewing Log Messages

To use the log messages to monitor the TMS zl Module, complete the following steps.
1. Click System > Logging.
2. Click View Log.
3.

■ fw=[hostname]
If you are reading logs that have been collected from several network devices (such as with SNMP traps or a syslog server), replace [hostname] with the name of a module to select only the messages that the module generated.
■ username=[manager | operator | userid]
Search for the username to see when someone logged on to the module with that name or role.

SNMP. If you configure an SNMP trap destination but no logs reach the SNMP trap receiver, verify the settings by completing one of the following:
■ From the Web browser interface, click System > Logging > SNMP Traps.

want to disable that signature. The first option is generally preferred so that the TMS zl Module can continue to protect your network from the attack that is detected by that particular signature. To disable a signature, complete the following steps:
1. Click Intrusion Detection > Signatures.
2. Click View.

Figure D-27. Intrusion Detection > Signatures > View Window

3. Locate the signature in the list and clear the Enable option.
4.