Manuel d'utilisation / d'entretien du produit EncrypTight du fabricant Black Box
Aller à la page of 352
B L A C K B O X ® E n c ryp T ig h t a cts as a t r a ns pa re n t o v e r l a y t h a t i n t eg r a t es e as i l y i n t o an y e x i s ti n g n etw o r k arc hitec ture, p ro vidin g enc r ypt ion rule s and k eys to Enc r yp T ig ht E nforc em ent Point s .
EncrypTight User Guide 3 T able of Content s Preface ................................................... ..................................................................... ............... 13 About This Document.... ...................... ..........
4 EncrypTight User Guide Table of Contents Uninstalling EncrypTight Software ....... ................ ... ....................... ...................... ....................... ... 40 Starting EncrypTight ............ ...................... ..........
Table of Contents EncrypTight User Guide 5 Step 2: Prepare ETPM Status and Renew Keys .............. .......................... ...................... ............. 74 Step 3: Upgrade the EncrypTight Software ................... ......................
6 EncrypTight User Guide Table of Contents Provisioning Large Numbers of Appliances ............ ................ ...................... ....................... .............. 111 Creating a Configuration Templa te ...... ...................... ......
Table of Contents EncrypTight User Guide 7 Editing PEPs ............. ....................... ....................... ...................... .......................... ........ ................... 1 51 Editing PEPs From ETEMS .........................
8 EncrypTight User Guide Table of Contents Adding a Multicast Policy ........... ....................... ...................... ....................... ....................... ...... . 199 Adding a Point-to-point Policy ................... ...........
Table of Contents EncrypTight User Guide 9 ETKMS Log Files ............. ...................... .......................... ....................... .......................... .. .. 241 PEP Log Files ............... .....................................
10 EncrypTight User Guide Table of Contents Changing the EncrypTight Keystore Password ...... ....... ...................... ....................... ................. 266 Changing the ETKMS Keystore Pa ssword ................ ....................... .
Table of Contents EncrypTight User Guide 11 Interface Configuration .................. .......................... ...................... .......................... ............ ............... 301 Management Port Addressing ................ ..........
12 EncrypTight User Guide Table of Contents Factory Defaults ............ ...................... ....................... ....................... ...................... ......... .................. 339 Interfaces ......... ....................... .....
EncrypTight User Guide 13 Preface About This Document Purpose The EncrypT ight User Guide provides detailed info rmation on how to install, configure, and trou bleshoot EncrypT ight components: E TEMS, Policy Manager (ETPM), and Ke y Management System (ETKMS).
Preface 14 EncrypTight User Guide Cont acting Black Box T echnical Support Contact our FREE technical support, 24 ho urs a day , 7 days a week: Phone 724-746-5500 Fax 724-746-0746 e-mail info@blackbox.
Part I EncrypT ight Inst allation and Maintenance.
16 EncrypTight User Guide.
EncrypTight User Guide 17 1 EncrypT ight Overview EncrypT ight™ Pol icy and Key Manager is an innovative approach to netwo rk-wide encryption. EncrypT ight acts as a transparent over lay that inte grates easily into any existing netw ork architecture, providing encryption rules and keys to EncrypT ight encryption appli ances.
EncrypTight Overview 18 EncrypTight User Guide multiple Policy Enforcement Points (PEPs) can use common keys, while a centralized platform assumes the function of renewing k eys at pre-determined intervals.
Distributed Key Topologies EncrypTight User Guide 19 Regardless of topology , PEPs are typi cally located at the point in the ne twork where traffic is being s ent to an untrusted ne twork or coming from an untrusted net work. As an example, Figure 2 shows a hub and spoke network secured with Encryp T ight.
EncrypTight Overview 20 EncrypTight User Guide EncrypTight Element Management System The EncrypT ight Element Manageme nt System (ETEMS) is the devi ce management component of the EncrypT ight software, al lowing you to provision and manage m ultiple encryption appliances from a central location.
Distributed Key Topologies EncrypTight User Guide 21 Figure 3 Single ETKMS for multiple sites Figure 4 illustrates an EncrypTight deployment using multiple ETK MSs. W i th lar ge, compl ex networks that have hundreds of PEPs, you might want to use multiple ETK MSs.
EncrypTight Overview 22 EncrypTight User Guide T o securely transfer data between two PEPs over an untrusted network, both PEPs must share a key . One PEP uses the shared key to encrypt the data for transmission over the untru sted network, while the second PEP uses the same shared key to decrypt the data.
Security within EncrypTight EncrypTight User Guide 23 Figure 6 Layer 2 Point-to-P oint Deployment Use the Policy Manager (ETPM) and K ey Management System (ETKMS) to cr eate a Layer 3 point-to- point distributed key policy as one of several policies in a lar ger, m ore complex EncrypT ight deploym ent.
EncrypTight Overview 24 EncrypTight User Guide Secure Communications Between Devices Each node in the distributed key system, the EncrypT ight managemen t station, the ETKMSs, and the PEPs, communicate policy an d status information with other nodes.
EncrypTight User Guide 25 2 EncrypT ight Deployment Planning When deploying EncrypTight, you must plan the following: ● EncrypT ight Co mponent Connections ● Network Clock Synchroni zation ● IPv.
EncrypTight Deployment Planning 26 EncrypTight User Guide ● “Management Station Connections” on page 26 The EncrypT ight software includes ETEMS fo r appliance configuration, ETPM for policy management, and a local ETKMS. The local ETKMS depl oys k eys and policies to all of the PEPs that it manages and checks the PEPs’ stat us.
EncrypTight Component Connection s EncrypTight User Guide 27 This section describes the planning for the fol lowing connections: ● “ETPM and ETKMS on the Sam e Subnetwork” on page 27 ● “ETPM.
EncrypTight Deployment Planning 28 EncrypTight User Guide Figure 8 In-line ETKMS management in a n IP network ETPM and ETKMS in Layer 2 Ethernet Polic ies W ith Ethernet netw orks, you use Layer 2 PEPs.
EncrypTight Component Connection s EncrypTight User Guide 29 External ETKMS to ETKMS Connections ETKMSs must be able to communicat e with each other in two situations: ● Backup ETKMSs are used for r.
EncrypTight Deployment Planning 30 EncrypTight User Guide Connecting Multiple ETKMSs in an IP Network Figure 10 shows two external ETKMSs lo cated on differ ent IP networks.
EncrypTight Component Connection s EncrypTight User Guide 31 Figure 1 1 Out-of-band manage ment of ETKMSs located on different Ether net networks ETKMS to PEP Connections The communications between the ETKMSs and the PEPs require a connection betw een the Ethernet ports on each ETKMS and the management port on each PEP.
EncrypTight Deployment Planning 32 EncrypTight User Guide Figure 12 In-line ETKMS to PEP communications in IP networks ETKMS to PEP Connections in Ethernet Networks If the ETKMS and the PEP are located on the same subnetwork, the ETKMS to PEP interconnection is straightforward.
Network Clock Synchronization EncrypTight User Guide 33 Network Clock Synchronization CAUTION Failure to synchroni ze the time of all EncrypTight components can result in a loss of packets or compromised security . EncrypT ight requires that the clocks on all the system ’ s components be synchronized.
EncrypTight Deployment Planning 34 EncrypTight User Guide IPv6 addresses are 128-bit addresses consisting of eight hexadecimal groups that are separated by colons, followed by an indicati on of the prefix length. Each group is a 4-digit hexadecim al number .
Network Addressing for IP Networks EncrypTight User Guide 35 Another factor to consider if you plan to use certificates is the si ze of your Encry pT ight deployment. Generating requests and installing cer tificates for a lar ge number of a ppliances can take a considerable amount of time.
EncrypTight Deployment Planning 36 EncrypTight User Guide Figure 14 Using remote IP and virtual IP addr esses to obscure the source add ress of the origin al packet ETEP PEPs operate in transparent mode by default and no IP address is assigned to the local or remote ports.
EncrypTight User Guide 37 3 Inst allation and Configuration This section describes how to install and co nfigure EncrypT ight for the first time, i ncluding: ● Before Y ou Start ● EncrypT ight Sof.
Installation and Configuration 38 EncrypTight User Guide ● “Software Requir ements” on page 38 ● “Firewall Ports” on page 39 Hardware Requirement s EncrypT ight software can be i nstalled on a W indows PC or laptop .
EncrypTight Software Installation EncrypTight User Guide 39 Firewall Port s In order for EncrypTight components to commun icate, you need to make sure that any firewalls in your system are configured to allow the following protocols.
Installation and Configuration 40 EncrypTight User Guide NOTE It is strongly recommended that yo u synchronize the wo rkstation hosting the EncrypTight sof tware with an NTP server either on your network or on the Inter net. For EncrypTight to function properly , all o f the elements of EncrypTight need to synchronize with NTP servers.
Management Station Configuration EncrypTight User Guide 41 T o st art ETEMS: 1F r o m t h e S tart menu, select All Programs > EncrypTight . 2 In the Login screen, enter the UserId admin and Password admin . Note that the userId and password are case sensitive.
Installation and Configuration 42 EncrypTight User Guide Securing the Management Interface EncrypT ight provi des the methods listed in T able 7 for encrypted and unenc rypted communications between the management PC and the appliance’ s management port.
Installing ETKMSs EncrypTight User Guide 43 Configuring the Syslog Server The EncrypT ight appliance can be conf igured to send log messages and ev ents to a syslog server on the management PC or other device. Fi rst, install the Kiwi Syslog Daemon as an application and follow the documentation provided w ith the prod uct for initial configuration.
Installation and Configuration 44 EncrypTight User Guide This section includes the fo llowing topics: ● “Basic Configuration for Local ETKMSs” on p age 44 ● “Configuring External ETK MSs” .
Configuring ETKMSs EncrypTight User Guide 45 T o add a local ETKMS: 1 In the Appliance Manager, click File > New . 2 In the New Applian ce editor , from the Product Fam ily box, select ETKMS LM. 3F r o m t h e Softwar e V ersion box, select the approp riate software version.
Installation and Configuration 46 EncrypTight User Guide Changes to the local ETKMS configur ation or EncrypT ight software may necessitate changes to the batch file, as des cribed in T able 9 . Prior to configuring the b atch file do the following: 1 Add a ETKMS LM in ETEMS (s ee “Addin g a Local ETKMS” on page 44 ).
Configuring ETKMSs EncrypTight User Guide 47 This section includes the fo llowing topics: ● “Logging Into the ETKMS” on page 47 ● “Changing the Admin Passw ord” on page 47 ● “Changing .
Installation and Configuration 48 EncrypTight User Guide 6T y p e exit to log out from the admin accoun t. For example: Localhost login: admin Password: [admin@localhost ~] $ passwd (current) UNIX password: New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully.
Configuring ETKMSs EncrypTight User Guide 49 Configure the Network Connection The eth0 connection is the netwo rk connection with a path to the managem ent workstation running ETPM and to the PEPs’ management port. The eth1 connection is inactive and unavailable.
Installation and Configuration 50 EncrypTight User Guide IPv6 Setting up the network con nections to use IP v6 addresses re quires modifying sever al files.
Configuring ETKMSs EncrypTight User Guide 51 8 At the command line, restart th e ETKMS service by typing service etkms rest art and press Enter . V erify the IP address and hostname changes (see “V erify th e IP Address and Hostname Changes” on page 49 ).
Installation and Configuration 52 EncrypTight User Guide 2 Replace the defaults with your preferred time serv er . Y ou can specify multiple time servers and use either IPv4 or IPv6 addresses. Fo r example, the new section should look similar to the following: # Use public servers from the pool.
Configuring ETKMSs EncrypTight User Guide 53 Related topics: ● “Configure the Network Connection” on page 49 ● “Check the Status of the Hardwa re Security Mod ule” on page 53 ● “Starti.
Installation and Configuration 54 EncrypTight User Guide Checking the St atus of the ETKMS Y ou should check th at the ETKMS service is r unning before you proceed to use EncrypTight.
Policy Enforcement Point Configuration EncrypTight User Guide 55 Replace x.x.x.x with the IP address or the ho stname of the syslog server . 7 Save and close the file.
Installation and Configuration 56 EncrypTight User Guide Default User Account s and Passwords Changing the default passwords for all of the EncrypTight components is an important step in maintaining the secu rity of your network. This l ist is a reminder o f the default passwords that you should change.
Managing Licenses EncrypTight User Guide 57 Before you begin adding PEPs and u sing the EncrypT ight software, contact Custom er Support to acquire your license key (see “Contacting Black Box T ech nical Support” on page 14 ). Y ou need to provide the EncrypT ight ID.
Installation and Configuration 58 EncrypTight User Guide Upgrading Licenses When your needs change, you can eas ily upgrade the number of ETEPs that EncrypTight can manage and you can also upgrade your ETEPs to run at faster throughput speeds.
Next Steps EncrypTight User Guide 59 6 In ETPM, create your policies. 7 In ETPM, deploy the policies to the ETKMSs and PEPs..
Installation and Configuration 60 EncrypTight User Guide.
EncrypTight User Guide 61 4 Managing EncrypT ight Users This section includes the fo llowing topics: ● W orking with EncrypT ight User Accounts ● Configuring EncrypTight User Authentication ● Ma.
Managing EncrypTight Users 62 EncrypTight User Guide NOTE If EncrypTight is managing ETEP 1.4 and later ap p liances, we recommend creating a user account in EncrypTight that matches the user na me and passwor d that you plan to use on the ETEP appliances.
Configuring EncrypTight User Authentication EncrypTight User Guide 63 Figure 15 Login preferenc es T o set login prefer ences: 1 From the Edit menu, click Prefer ences . 2 In the Preferences window , expa nd the ETEMS tree an d click Login . 3 In the Login area, configure the pr eferences.
Managing EncrypTight Users 64 EncrypTight User Guide ■ If your EncrypT ight deployment includes ETEPs runn ing software version 1.6 or later , entering a password is optional. ■ If your deployment includes ETEPs with software pr evious to 1. 6, or other models of PEPs, you must enter a valid password.
Managing EncrypTight Accounts EncrypTight User Guide 65 Although the Login preferences are not saved, user da ta is preserved through an upgrade (user ID and password). If user authentication was disabled p rior to the upgrade, it will be enabled in the new software version.
Managing EncrypTight Users 66 EncrypTight User Guide T o add an EncrypT ight user account: 1 From the Edit menu, click User Accounts . 2 In the User Accounts editor , click Add . 3 In the User dialog box, enter the user name, passwor d, and select a group ID (admin or user).
How EncrypTight Users Work with ETEP Users EncrypTight User Guide 67 How EncrypT ight Users W ork with ETEP Users EncrypT ight manages ETEP user accounts. In order fo r EncrypT ight to commun icate with the ETEP, it needs to know the ETEP’ s user name and password.
Managing EncrypTight Users 68 EncrypTight User Guide 3 In EncrypT ight, add a new ETEP appliance and re fresh its status. Because EncrypT ight and the ETEP are both using their default user names and passwords of admin/admi n , EncrypTight can successfully contact the ETEP.
EncrypTight User Guide 69 5 Maintenance T asks This section includes the fo llowing topics: ● W orking with the EncrypT ight W orkspace ● Installing Software Updates ● Upgrading External ETKMSs .
Maintenance Tasks 70 EncrypTight User Guide CAUTION Appliance configurations and po licy f iles are stored as .xml files. These files are not encrypted or password protected. They can be opened and ed ited using a basic text editor. T ake preca utions to protect these files from unauthorized access.
Working with the EncrypT ight Workspace EncrypTight User Guide 71 Figure 18 Saving one works pace to anot her Loading an Existing W orksp ace Reasons for loading an existing workspace are: ● T o loa.
Maintenance Tasks 72 EncrypTight User Guide 4 Refresh the appliances’ status. From the Edit menu click Select All , then click . Related topic: “Moving a W orkspace to a New PC” on page 72 Movin.
Installing Software Updates EncrypTight User Guide 73 Inst alling Sof tware Up dates Software updates for Encryp T ight are available sepa rately from the PEP software. Y ou might need to update all of the components in you r system, or only specific componen ts.
Maintenance Tasks 74 EncrypTight User Guide Y ou can schedule the upgrade for each PEP at differen t time, depending on the rekey settings and data traffic requirements. Because a reboot is required, the upgrade of each PEP interrupts traffic through that PEP for several minutes.
Installing Software Updates EncrypTight User Guide 75 T o deploy policies: 1C l i c k T ools > Deploy to synchronize the Encryp T ight components with the current po licies.
Maintenance Tasks 76 EncrypTight User Guide CAUTION Software upgrades require a rebo ot to t ake effect. Rebooting the PEP interrupts data traffic for approximately two minutes.
Installing Software Updates EncrypTight User Guide 77 NOTE ● Y ou must reboot the ETEP PEPs after you upgrade. If you make any configuration chang es to the ETEP PEPs after you upgrade and before you reboo t, those changes will be lost when the PEP reboots.
Maintenance Tasks 78 EncrypTight User Guide S tep 7: Return St atus Refresh and Key Renewal to Original Settings T o return st atus refresh and k ey renewal to their original se ttings: 1 If you disab.
Upgrading External ETKMSs EncrypTight User Guide 79 T o mount the CDROM drive: 1 Insert the disk in the drive and close it. 2 If it doesn’t already exist, create the directory /media/cdrom .
Maintenance Tasks 80 EncrypTight User Guide.
Part II W orking with Appliances using ETEMS.
82 EncrypTight User Guide.
EncrypTight User Guide 83 6 Getting S t arted with ETEMS This section includes the fo llowing topics: ● ETEMS Quick T our ● Understanding the ETEMS W o rkbench ● Understanding Roles ● Modifying Communi cation Preferences ETEMS Quick T our ETEMS is the appliance management feature of Encr ypTight.
Getting Started with ETEMS 84 EncrypTight User Guide the factory default configurations o r define your own template for these common values ( Edit > Defaul t Configurations ).
ETEMS Quick Tour EncrypTight User Guide 85 Upgrading Appliance Sof tware New revisions of appliance software can be loaded on the appliances from an FTP server . Simp ly copy the new software to an FTP server , select the tar get appliances, and p oint to the FTP server site.
Getting Started with ETEMS 86 EncrypTight User Guide Figure 23 Comp are the ETEMS configuration to the a ppliance to discover discrep ancies Maintenance and T roubleshooting ETEMS includes tools for monito ring and maintaining EncrypTight appliances.
Understanding the ETEMS Workbench EncrypTight User Guide 87 Figure 24 St atistics view disp lays a snap shot of performance dat a on the ET0100A Policy and Certificate Support ETEMS’ s po licy feature is limited to the creation of po int-to-point policies.
Getting Started with ETEMS 88 EncrypTight User Guide Figure 25 Appliance Manager perspect ive Vie ws V iews display information about items that ETEMS manages, such as appliance configurations or certificates. When you start ETEMS, the Appliance Manag er opens and displays the Appliances view .
Understanding the ETEMS Workbench EncrypTight User Guide 89 ● Y ou can open multiple appliance editors at the same time. The editors are stacked in a tabbed panel. T abbed editor windows allow you to work on more than one appl iance or switch to editors from add- on features.
Getting Started with ETEMS 90 EncrypTight User Guide The Appliance Manager has its own toolb ar that lets you minimize and maximize the vi ew , and filter the appliances that are displayed. The Certificate Manager toolb ar has buttons for gene rati ng, installing, and ma naging certificates.
Understanding Roles EncrypTight User Guide 91 Underst anding Roles EncrypT ight and the EncrypTight appliances each have unique roles that control different aspects of the product.
Getting Started with ETEMS 92 EncrypTight User Guide deploying policies. ETEMS uses the Administrator user to log in to the appliance. T he Administrator also has access to all of the CLI commands. ● The Ops user logs in to the appliance only through the CLI and has access to a su bset of the CLI commands.
Modifying Communication Preferences EncrypTight User Guide 93 3 In the Communicatio ns window , modify a ny of the communication preferences (see Ta b l e 2 4 and T able 25 ). 4 Do one of the following: ● Click Apply to set the new value. ● Click Resto r e Defaults to reset the timeout to the factory setting.
Getting Started with ETEMS 94 EncrypTight User Guide Ignore CRL acces s failure When enabled, allows EncrypTigh t to set up communication with a component even when it cannot access the certificate revocation list (CRL) associated with the certifica te presen ted by the component.
EncrypTight User Guide 95 7 Provisioning Appliances This section includes the fo llowing topics: ● Provisioning Basi cs ● Appliance User Management ● W orking with Default Configurations ● Pro.
Provisioning Appliances 96 EncrypTight User Guide ● “Pushing Configurations t o Appliances” on page 97 ● “W orking with Default Configurati ons” on page 1 10 ● “Provisioning Large Numbers of Appliances” on page 1 1 1 Adding a New Appliance Adding a new appliance in ETEMS is the first step in being able to manage it remotely .
Provisioning Basics EncrypTight User Guide 97 ● “Provisioning Large Numbers of Appliances” on page 1 1 1 ● “Provisioning PEPs” on page 147 Saving an Appliance Configuration Y ou can save an appliance configuration at any time during the co nfigura tion process.
Provisioning Appliances 98 EncrypTight User Guide 3 Optionally , for ETEP appliances with software version 1.6 and later, click Put Thr oughput License to install a license as part of the operation. Y ou can also install a license separately from the Pu t Configuration operation.
Provisioning Basics EncrypTight User Guide 99 Figure 27 Appliances view By default, automatic status refresh is disabled. Y o u can refresh the status manually by selecting the target appliances and clicking the Re fresh St atus button . If you prefer , you can have ETEMS automatically poll th e status of th e appliances.
Provisioning Appliances 100 EncrypTight User Guide Related topics: ● “Comparing Configurations” on page 100 ● “Filtering Appliances Based on Address” on page 101 Comp aring Configurations When the ETEMS configuratio n differs f rom the appliance configur ation, the appliance status is .
Provisioning Basics EncrypTight User Guide 101 Figure 28 Comp are the ETEMS and appliance configurat ions T o comp are and up date configuratio ns: 1 In the Appliance Manager , select an appliance in the Appliances view . 2I n t h e To o l s menu, click Compare Config to Appliance to see a comparison of the ETEMS and appliance configurations.
Provisioning Appliances 102 EncrypTight User Guide . 3 T o restore all appliances in the Appliances view , enter a single as terisk in the Filter Appliances window and then click OK . Rebooting Appliances Appliances must be rebo oted for some configuration ch anges to take ef fect, and after installing a software update.
Appliance User Management EncrypTight User Guide 103 appliance that is available to that role. The ETEP can track appliance events based on user name, such as user account activity and policy deployments. The ETEP has two roles: Administrator and Ops.
Provisioning Appliances 104 EncrypTight User Guide User Name Conventions Follow the guide lines below when creating user names. These conv entions apply regardless of the password strength policy . ● User names can range fr om 1-32 characters. ● V alid characters are alpha and numeric characters (a-z, 0-9), _ (underscore), and - (dash).
Appliance User Management EncrypTight User Guide 105 ● Do not use dictionary words. ETEMS do es prevent the use of dictionary words, but a password containing a dictionary word will be rejected by the ETEP.
Provisioning Appliances 106 EncrypTight User Guide Managing Appliance Users Y ou can add, modify , and delete appliance users di rectly from ETEMS. Y o u can update user accounts for a single appliance or for a group of appliances. When managing users, changes take ef fect immediately .
Appliance User Management EncrypTight User Guide 107 7 On appliances that are enforcing stron g passwords , configure the password expiration settings as described in T abl e 32 . 8C l i c k Apply to send the user credentials to the selected appliances.
Provisioning Appliances 108 EncrypTight User Guide Related t opics: ● “ETEP User Roles” on page 102 ● “User Name Conve ntions” on page 104 ● “Default Password Policy Conventi ons” on.
Appliance User Management EncrypTight User Guide 109 T o delete a user from the ETEP: 1 In the Appliance Manager , select the targ et appliances in the Appliances view . 2O n t h e T ools menu, cl ick Appl iance User > Delete User . 3 In the Delete Appliance User w indow , enter the user name that you wish to delete.
Provisioning Appliances 110 EncrypTight User Guide W orking with Default Configurations Each appliance requires a unique name and man agement port IP address, but many other settings will be the same across all appliances.
Provisioning Large Numbers of Appliances EncrypTight User Guide 111 4C l i c k OK. NOTE ETEMS will not save a default configur ation that contai ns an error or an invalid entry . Th e OK button is disabled if an error is detected. ETEMS indicates the tab and the field that contains the error with .
Provisioning Appliances 112 EncrypTight User Guide Related topics: ● “Creating a Configuration T emplate” on page 112 ● “Importing Configuratio ns from a CSV File” on page 112 ● “Chang.
Provisioning Large Numbers of Appliances EncrypTight User Guide 113 specifies the document type, which ETEMS needs to successfully import the file. The pound symbol (#) indicates a comment line, and i s ignored by ETEMS during the import op eration. In the CSV file, commas are used to delineate one field from the another .
Provisioning Appliances 114 EncrypTight User Guide Figure 34 Put configurations an d reboot appliances Related topics: ● “Importing Remote and Local In terface Addresses” on page 114 ● “Chan.
Provisioning Large Numbers of Appliances EncrypTight User Guide 115 Figure 35 CSV import examples with remote a nd local interface attributes When importing a conf iguration to a new ETEP appliance, sp ecifying the remote and local interface automatically disables Transparent mode.
Provisioning Appliances 116 EncrypTight User Guide Figure 36 Set the preference for importing configurations Checking the T ime on New Appliances After importing configurations to ETEMS and pushin g them to the appliances, refresh the appliance status.
EncrypTight User Guide 117 8 Managing Appliances This section includes the fo llowing topics: ● Editing Configurations ● Deleting Appliances ● Connecting Directly to an Appliance ● Upgrading A.
Managing Appliances 118 EncrypTight User Guide Changing the Management IP Address ETEMS uses the appliance’ s 10/100 Ethernet manage ment port to communicate with the appliance. The management IP address in ETEMS mu st match the address of the applia nce for successful communication.
Editing Configurations EncrypTight User Guide 119 Figure 37 Change Management IP window Related topics: ● “Changing the Address in ETEMS” on page 1 19 ● “Management Port Addressing” on pag.
Managing Appliances 120 EncrypTight User Guide Figure 38 Operation failed message in response to management IP change Changing the Date and T ime ETEMS can change the date and time on a single a ppliance or a group of appliances.
Editing Configurations EncrypTight User Guide 121 NOTE The SNTP client mu st be disabled on an appl iance in order to change its date or time manually . If SNTP is enabled, the date and time cha nge operation will fail. T o change the date and time: 1 Make sure that the SNTP client is disabled on the tar get appliances.
Managing Appliances 122 EncrypTight User Guide ● SNTP client ● Software version ● Syslog servers Other settings that can be edit ed on multiple applia nces are date and time, and p assword. These settings do not use the multiple configurat ions editor: they have their own unique editors, which are accessed from the Edit menu.
Connecting Directly to an Appliance EncrypTight User Guide 123 T o delete applian ces: 1 In the Appliance Manager , select the applia nces to delete in the Appliances view . 2O n t h e Edit menu , click Delete . A con firmation message displ ays. 3C l i c k OK to confirm the selection and delet e the selected appliances.
Managing Appliances 124 EncrypTight User Guide The amount of time it takes to complete a softwar e upgrade depends o n the appliance model and speed of the link.
Upgrading Appliance Software EncrypTight User Guide 125 Figure 41 Upgrade sof tware on multiple appliances from a central location CAUTION Appliances must be rebo oted for the new soft ware to t a ke effect. Rebooting an appliance interrupts traffic on the data ports for several minutes.
Managing Appliances 126 EncrypTight User Guide 6C l i c k Upgrade . ETEMS confirms that the FTP site is reachable before it begins the upgrade operation. Upgrade results for each appliance are displayed in the Result column of th e Upgrade Appliances table.
Restoring the Backup File System EncrypTight User Guide 127 Canceling an Upgrade T o cancel a software upgrade that is underway for a se ries of appliances, click Cancel . Appliance upgrades that are in progress will com plete their up grades but no additional upgrades will be initiated.
Managing Appliances 128 EncrypTight User Guide Review the following recommenda tions and cautions prior to restoring t he file system: ● Make sure that you know the passw ords used in th e backup configuratio n. On ce the backup image is restored on the appliance, you must use the pa sswords from t he backup configuration to log in.
Part III Using ETPM to Create Distributed Key Policies.
130 EncrypTight User Guide.
EncrypTight User Guide 131 9 Getting S t arted with ETPM The Policy Manager (ETPM) is the security policy man agement component of the EncrypTight. Y ou use ETPM to create and manage distri buted key policies that you send to the K ey Management System (ETKMS) The ETKMS generates the keys and distributes the keys and policies to the PEPs.
Getting Started with ETPM 132 EncrypTight User Guide ● Editors are used to add and modify En crypT ight components and policies. ● Policy vi ew is used to view and add policies.
About the ETPM User Interface EncrypTight User Guide 133 EncrypT ight Component s View The EncrypT ight Co mponents view lets you configure the netw ork components used to create a policy . Figure 43 En crypT i ght Components view EncrypT ight components are the buildi ng blocks used to con struct a policy .
Getting Started with ETPM 134 EncrypTight User Guide Editors Editors allow you to add or change EncrypT ight comp onents and policies. When you first start ETPM, no editors are open. T o open an edi tor , dou ble-click a component or policy , or right-cli ck and select Add Element or Edit in the EncrypT ight Components view .
About the ETPM User Interface EncrypTight User Guide 135 Policy V iew The Policy view allows you to v iew , add, and edit policies. Figure 45 Policy view The Policy view lists the policies in an exp andable tree structure. Y ou can use the Policy view to add a new policy , edit a policy , and edit or remove any co mponent in a policy .
Getting Started with ETPM 136 EncrypTight User Guide NOTE The status indicators displayed in the ETPM Policy view change only af ter yo u click Deploy policies, Renew keys, or Refresh Status.
About the ETPM User Interface EncrypTight User Guide 137 ETPM T o olbar The ETPM toolbar provides shortcuts to frequ ently performed tasks. ETPM S t atus Refresh Interval By default, automatic status refresh is disabled. Y ou can refresh the status manually by clicking the Refresh S tatus button.
Getting Started with ETPM 138 EncrypTight User Guide About ETPM Policies A policy specifies what traffic to protect and how to protect it. Each packe t or frame is inspected by the PEP and processed based on the filtering criteria specified in the policy .
Policy Generation and Distribution EncrypTight User Guide 139 ● ETKMSs distribute the k eys and policies to the PEPs ● VLAN ID ranges enable filtering based on VLAN ID tags (optional) NOTE If you do not include a VL AN ID or range in the polic y , all Ethernet traffic is selected for enforcement.
Getting Started with ETPM 140 EncrypTight User Guide Figure 48 Key generation with one ETKMS In this scenario, you could use e ither a local ETKMS or an extern al ETKMS. The ETKMS generates and sends the same shared key to the PEP encrypting t he outbound data and the PEP decrypting the inbound data.
Creating a Policy: An Overview EncrypTight User Guide 141 Figure 49 Key generation with multiple ETKMSs The ETKMS generating the k ey for a PEP’ s o utbound data shares the key with the ETKM Ss that control the PEPs that decrypt the data. In Fig ure 49 , ETKMS 1 controls PEP A and is responsibl e for generating Shared Key 2.
Getting Started with ETPM 142 EncrypTight User Guide Figure 50 Sample point-to-point IP po licy Figure 50 illustrat es an EncrypT ight dep loyment with two networks. This example dem onstrates how to create a point-to-point policy to encr ypt the traffic sent between the two networks over the untrusted network.
Creating a Policy: An Overview EncrypTight User Guide 143 T o create a policy: 1 In the ETEMS Appliance Manager , add PEP A and PEP B ( File > New Appliance ). In the sample illustrated in Fi gure 50 , the management port of PEP A has the IP address 192.
Getting Started with ETPM 144 EncrypTight User Guide 3 In the Appliance Manager, add and configure ETKMS 1 ( File > New Appliance ). In the sample ill ustrated in Figure 50 , ETKMS 1 has the IP address 192.168.1.33 and does not have a backup ETKMS.
Creating a Policy: An Overview EncrypTight User Guide 145 7 Click the Netwo rk Sets tab and in the editor, add Network Set A and Network Set B. In the sample illustrated in Fi gure 50 , Network Set A includes Network A an d PEP A, and uses ETKMS 1. Network Set B includes Network B and PE P B, and uses ETKMS 1.
Getting Started with ETPM 146 EncrypTight User Guide 9 Click the New P oint-to-Point Policy edit or and configure a point-to-point IPSec policy u sing the components you created in the preceding steps. See “Adding Layer 3 IP Policies” on page 191 for more inform ation.
EncrypTight User Guide 147 10 Managing Policy Enforcement Points Policy Enforcement Point s (PEPs) en force the policies created in ETPM and distributed by the ETKMSs.
Managing Policy Enforcement Points 148 EncrypTight User Guide network sets in Layer 3 IP policies. L2 PEPs can be used i n Layer 2 Ethernet policies. Y ou can sort the list of PEPs by type or name by clickin g the column header (SG or Name). When ETEMS communicates with a PEP , it verifies that its hardware and software configuration is valid.
Provisioning PEPs EncrypTight User Guide 149 NOTE ● For more information abou t PEP configuration options, see the ch apter for the PEP model that you are using. ● Although you can create networks and other elements in ETPM, no ETPM data is saved until you add at least one PEP in the ETEMS Appl iance Manager .
Managing Policy Enforcement Points 150 EncrypTight User Guide Adding a New PEP Using ETPM Normally , yo u should add PEPs using the ETEMS Appliance Manager; however , it is possible to add PEPs from ETPM. Keep in mind that you wi ll have to use ETEMS to push the configurations to th e PEPs.
Editing PEPs EncrypTight User Guide 151 Pushing the Configuration After you define the PEP co nfigurations , push the configurations from ETEMS to the tar geted PEPs. T o push ETEMS configurations to PEPs: 1 In the ETEMS Appliances view , select the target PEPs.
Managing Policy Enforcement Points 152 EncrypTight User Guide If you changed the PEP’ s Appliance name in ETEMS, redeploy your policies. If yo u don’ t redep loy , the renamed PEP will issue an error message after every key refresh.
Deleting PEPs EncrypTight User Guide 153 Changing the IP Address of a PEP Occasionally , you might need to change the IP address on a PEP. Fo r example, you might need to move a PEP from one location in your network to another . This could require th at you change the management IP address of the PEP.
Managing Policy Enforcement Points 154 EncrypTight User Guide T o delete PEPs: 1 In the Appliances view in ETEMS, select the PEPs to delete. 2O n t h e Edit menu , click Delete . A con firmation message displ ays. 3C l i c k OK . 4 From ETPM, click Deploy .
EncrypTight User Guide 155 11 Managing Key Management Systems Based on the policies received from the ETPM, the Key Management Systems (ETKMSs) generate and distribute the keys along with the policies to the Policy Enforcem ent Points (PEPs). Y ou must use the ETEMS Appliance Manager to add, edit, and delete ETKMSs.
Managing Key Management Systems 156 EncrypTight User Guide In order to ensure network resiliency , some Encr ypT ight configurat ions may have external E TKMSs installed in pairs: a primary ETKMS and a backup ETKMS. The ETPM distributes the policies to both the primary ETKMS and backup ETKMS.
Editing ETKMSs EncrypTight User Guide 157 4C l i c k Save when complete. Editing ETKMSs If you change the name or the IP address of a lo cal ETKMS, stop the local ET KMS software and restart it for the changes to take ef fect (see “Launching and Stopping a Local ETKMS” on page 45 ).
Managing Key Management Systems 158 EncrypTight User Guide CAUTION Do not delete any ETKMSs currently used by any netw ork sets or policies. Before you delete a ETKMS, modify any network sets and policies using that ET KMS to use another ETKMS.
EncrypTight User Guide 159 12 Managing IP Networks In EncrypTight, networks are the IP networks that you want to pro tect. One or more of these networks are combined with one or more PEPs to make a netw ork set. Network sets are treated as a single network entity within IP poli cies.
Managing IP Networks 160 EncrypTight User Guide T o add a network: 1 From the EncrypTight Com ponents view , click the Networks tab. The Networks tab lists all of the networks that have been added. Y ou can sort of the list of netw orks by IP address or network mask by clicki ng a column header .
Advanced Uses for Networks in Policies EncrypTight User Guide 161 clear . ETPM accepts non-contiguous network masks, which allow you to create polici es between particular addresses in your network. For example, a netwo rk of 10.0.0.1 with a mask of 255.
Managing IP Networks 162 EncrypTight User Guide Figure 56 T wo networks with cont iguous addressing defined as a supernet If you group the two ne tworks into a supernet and th e policy encrypts traf f.
Advanced Uses for Networks in Policies EncrypTight User Guide 163 Figure 57 Networks with non-cont iguous network masks are used in a byp ass policy that encomp asses all the x.x.x.1 and x.x.x.129 addresses Defining networks with non-conti guous masks allows you to create a single bypass policy that encompasses all the .
Managing IP Networks 164 EncrypTight User Guide Editing Networks T o edit an existing network : 1 In the EncrypT ight Com ponents view , click the Networks tab. 2 Right-click the desired network, click Edit. 3 Change the entries of the de sired fields in the editor .
Deleting Networks EncrypTight User Guide 165 T o delete a network : 1 In the EncrypT ight Com ponents view , click the Networks tab. 2 Right-click the desired Network and click Delete.
Managing IP Networks 166 EncrypTight User Guide.
EncrypTight User Guide 167 13 Managing Network Set s A network set is a collection of IP networks, the associ ated PEPs, and a default ETKMS. A network set is treated as a single entity in a policy .
Managing Network Sets 168 EncrypTight User Guide T ypes of Network Set s The following examples illustrate th e dif ferent types of netw ork sets: ● Subnet ● Load balanced network ● Collection o.
Types of Network Sets EncrypTight User Guide 169 Figure 61 Network set for a collection of networks Figure 61 illustrat es a network set comprised of two networks and two PEPs. In ETPM, this network set includes both PEP 1 and PEP 2, and bo th network IP addresses and masks.
Managing Network Sets 170 EncrypTight User Guide Adding a Network Set T o add a Network Set: 1 In the EncrypT ight Com ponents view , click the Network Sets tab. The Network Sets view lists the netw ork sets added previously . Y ou can sort the list of network sets by clicking the Network Name column header .
Adding a Network Set EncrypTight User Guide 171 Key Management System Select the desired Key M anagement Syste m from the Default ETKMS list. You must select a ETKMS even if the network set does not include a PEP. If you create a po licy that includes a netwo rk set that does not have a ETKMS, you will not be ab le to deploy that policy.
Managing Network Sets 172 EncrypTight User Guide Figure 63 Network Set edit or Importing Networks and Network Set s If you need to work with a lar ge number of n etworks and network sets, you can save time by importing the data into ETPM. Y ou can create a CSV file that li sts the n etworks and network sets that you need and import the file.
Importing Networks and Network Sets EncrypTight User Guide 173 line and is ignored by ETPM d uring the import operatio n. In the CSV file, commas are used to delineate one field or item from the next. The format of the CSV file is as follows: Ve r s i o n 1 .
Managing Network Sets 174 EncrypTight User Guide T o import networks and network set s into ETPM: 1 Create a CSV file that iden tifies the networks and network sets. 2 In ETPM, choose File > Import Networks , select the CSV file and click OK . If ETPM detects an error in the CSV file, none of the networks or network sets are imported.
Deleting a Network Set EncrypTight User Guide 175 CAUTION Prior to deleting a network se t, modify any policies us ing that network set to use another network set. If you delete a network set that is currently used in a p olicy , you can create configuration errors that migh t prevent you from deploying your policie s.
Managing Network Sets 176 EncrypTight User Guide.
EncrypTight User Guide 177 14 Creating VLAN ID Ranges for Layer 2 Networks If the network uses VLAN ID tags, you have the op tion of creating policies that select traf fic with specific VLAN ID tags or within a rang e of VLAN ID tags. If you do not inclu de VLAN ID tags in a new Layer 2 policy , the policy is applied to all network traffic.
Creating VLAN ID Ranges for Layer 2 Ne tworks 178 EncrypTight User Guide 2 Right-click anywh ere in the VLAN Ranges view and th en click Add new Element . 3 Create the VLAN range in the editor as described in T abl e 45 . 4C l i c k Save when complete.
Editing a VLAN ID Range EncrypTight User Guide 179 Editing a VLAN ID Range T o edit a VLAN ID range: 1 In the EncrypT ight Com ponents view , click the VLAN Ranges tab. 2 Right-click the desired VLAN ID range and click Edit . 3 Change the entries of the de sired fields in the editor .
Creating VLAN ID Ranges for Layer 2 Ne tworks 180 EncrypTight User Guide 3C l i c k OK ..
EncrypTight User Guide 181 15 Creating Distributed Key Policies From the Policy view , yo u can add, modify , and delete po licies for Layer 3/Layer 4 IP networks and Layer 2 Ethernet networks.
Creating Distributed Key Policies 182 EncrypTight User Guide ● “Key Generation and ETKMSs” on pag e 185 ● “Addressing Mode” on page 185 ● “Using Encrypt All Policies with Exceptions”.
Policy Concepts EncrypTight User Guide 183 TIP Network connectivity problems can prevent new keys from being distributed to the PEPs before the old keys expire. If you experience prob lems of this nature, see “Solvi ng Network Connectivity Problems” on page 248 for suggested workarounds to prevent interruptions.
Creating Distributed Key Policies 184 EncrypTight User Guide Figure 69 Dat a payload e ncryption Encryption and Authe ntication Algorithms For Layer 3 IP policies, you can sp ecify the encryption and authentication algorithm s that you want to use.
Policy Concepts EncrypTight User Guide 185 Key Generation and ETKMSs W ith multicast IP poli cies and Layer 2 Ethernet policies, you choose a single ETKMS to generate and distribute the keys. W ith p oint-to-point, hub and spoke, and mesh IP po licies there are two options for specifying which ETKMSs generate and d istribute keys.
Creating Distributed Key Policies 186 EncrypTight User Guide 1 Create a policy to encrypt all data to and from all networks. Assign thi s policy a relatively low priority to ensure that any missed data will at least pass encrypted. 2 Design a pass in the clear policy and a drop policy with a higher priorities.
Policy Concepts EncrypTight User Guide 187 Minimizing Policy Size Using EncrypTight with lar ge, compl ex networks with multiple subnets protected by separate PEPs can result in a large number of SAs on each PEP.
Creating Distributed Key Policies 188 EncrypTight User Guide Adding Layer 2 Ethernet Policies For Layer 2 Ethernet networks, policies can be created for mesh network s. In a mesh network, any network or network set can send or receive data from any other network or network set.
Adding Layer 2 Ethernet Policies EncrypTight User Guide 189 4C l i c k Save when complete. T able 47 Layer 2 Mesh policy e ntries Field Description Name Enter a unique name to i dentify the poli cy. Names can be 1 - 40 characters in length. Alphanumeric cha racters and spaces are valid.
Creating Distributed Key Policies 190 EncrypTight User Guide Figure 71 Layer 2 Mesh polic y editor NOTE If you need to encrypt or pass in the clear specifi c routing protocols, consider also creating local site policies.
Adding Layer 3 IP Policies EncrypTight User Guide 191 Adding Layer 3 IP Policies An IP policy can be created for hub and sp oke, mesh, multicast, and point-to-point networks.
Creating Distributed Key Policies 192 EncrypTight User Guide T o add a new hub and s poke policy: 1 In the Policy view , right-click anywhere in the view and click Add Hub and Spoke Policy . 2 Double click the new policy nam e added to the policy list.
Adding Layer 3 IP Policies EncrypTight User Guide 193 IPSec Specifies the encryption and authen tication algorithms used in an IPSec po licy. Select the encryption algorithm from the Encryption Algo r.
Creating Distributed Key Policies 194 EncrypTight User Guide Figure 73 Hub and spoke policy editor.
Adding Layer 3 IP Policies EncrypTight User Guide 195 Adding a Mesh Policy In a mesh network, any network or network set can send or receive data from any other network or network set. Figure 74 Mesh network example The PEP for each network in Figure 74 encrypts dat a sent to networks A, B, C, or D and decrypts data from networks A, B, C, or D.
Creating Distributed Key Policies 196 EncrypTight User Guide T able 49 Mesh policy entries Field Description Name Enter a unique name to i dentify the poli cy. Names can be 1 - 40 characters in length. Alphanumeric cha racters and spaces are valid. The special characters <, >, &, “ *, ?, /, , : and | cannot be use d in the policy name.
Adding Layer 3 IP Policies EncrypTight User Guide 197 Addressing Mode Override Overrides the Network ad dressing setting for the network sets. • Preserve in ternal network addresses - This setting overrides the network set’s network addressing mod e and preserves the network addressing of the protected networks.
Creating Distributed Key Policies 198 EncrypTight User Guide Figure 75 Mesh policy edi tor.
Adding Layer 3 IP Policies EncrypTight User Guide 199 Adding a Multicast Policy In a multicast network, one or more net works send unidirectional streams t o multiple destination networks.
Creating Distributed Key Policies 200 EncrypTight User Guide T o add a multicast p olicy: 1 In the Policy view , right-click anywhere in the view and click Add Multicast Policy . 2 Double click the new policy nam e added to the policy list. 3 Create the policy in the Multicast Policy edit or as described in Ta b l e 5 0 .
Adding Layer 3 IP Policies EncrypTight User Guide 201 IPSec Specifies the encryption and authen tication algorithms used in an IPSec po licy. Select the encryption algorithm from the Encryption Algo r.
Creating Distributed Key Policies 202 EncrypTight User Guide Figure 77 Multicast policy editor.
Adding Layer 3 IP Policies EncrypTight User Guide 203 Adding a Point-to-point Policy In a point-to-point network, one n etwork or network set sends and receives data to and from one other network or network set . Figure 78 Point-to-point network ex ample In Figure 78 , the end-points are Networks A and B.
Creating Distributed Key Policies 204 EncrypTight User Guide 4C l i c k Save when complete. T able 51 Point-to-point policy entries Field Description Name Enter a unique name to i dentify the poli cy. Names can be 1 - 40 characters in length. Alphanumeric cha racters and spaces are valid.
Adding Layer 3 IP Policies EncrypTight User Guide 205 Addressing Mode Override Overrides the Network ad dressing setting for the network sets. • Preserve in ternal network addresses - This setting overrides the network set’s network addressing mod e and preserves the network addressing of the protected networks.
Creating Distributed Key Policies 206 EncrypTight User Guide Figure 79 Point-to-point policy e ditor Adding Layer 4 Policies Layer 4 policies encrypt only the paylo ad of the pack et. The source and destination addresses, protocol, and port in the IP header are sent in the clear .
Policy Deployment EncrypTight User Guide 207 Y ou create Layer 4 pol icies using ETEPs that are co nfigured to operate as Layer 3 PEPs. Create the networks, network sets, and poli cies as you would for Layer 3 IP policies. In the poli cy editor , select the option to preserve the address, protocol, and port.
Creating Distributed Key Policies 208 EncrypTight User Guide T o verify policies: 1C l i c k T ools > V erify policies . ETPM displays a confirmation messa ge indicating the results of the rules check. 2 If the policies contain errors, go to the Policy V iew to locate them.
Editing a Policy EncrypTight User Guide 209 Figure 81 ETPM Preferences 3 Select or clear the Ask for confirmation before deploying a metapolicy checkbox. 4C l i c k Apply . Editing a Policy T o edit an existing p olicy: 1 From the Policy view , do uble click the desired policy name on t he policy list.
Creating Distributed Key Policies 210 EncrypTight User Guide T o delete an existi ng policy: 1 From the Policy view , right-click the desired policy name and click Remove element . 2C l i c k OK on the Permanently Delete an Element window . In addition to delet ing specific policies, you can delete all of the policies on the ETEP.
EncrypTight User Guide 211 16 Policy Design Examples This section provides two examples of creating policies with EncrypTight: ● Basic Layer 2 Point-to-Point Policy Example ● Layer 2 Ethernet Poli.
Policy Design Examples 212 EncrypTight User Guide In ETEMS, configure the interfaces for both PEPs, then click the F eatures tab and do the following: 1 Select Layer 2:Ethernet for th e Encryption Policy Settings. 2 Clear the Enable EncrypTight checkbox.
Layer 2 Ethernet Policy Using VLAN IDs EncrypTight User Guide 213 Figure 83 Using VLAN IDs Policy Det ails Policy 1: Headquarters and Branches Name: HQ/Branch Communications Priority: 60000 Renew: Onc.
Policy Design Examples 214 EncrypTight User Guide T o create the policies: 1 In ETEMS, add and configure the ETEPs to operate as Layer 2 PEPs. 2 Add the ETKMS for the policies. 3 Push the configurations to the ETEPs. 4 In ETPM, add the VLAN ID tags. 5 Create the policies using the sett ings described in “Policy Details” on page 21 3 .
Complex Layer 3 Policy Example EncrypTight User Guide 215 The network sets required for this po licy are: Using the four network sets, create the mesh polic y as shown in the following table: Encrypt .
Policy Design Examples 216 EncrypTight User Guide These hub and spoke policies require the four network sets created in “Encrypt T raffic Between Regional Centers” on page 214 an d twelve network sets for the branch networks. The next three tables show the four regi onal hub and spoke policies.
Complex Layer 3 Policy Example EncrypTight User Guide 217 Using Network Sets B, B1 , B2, and B3, create a hub and spoke policy for region B as shown in the following table: Using Network Sets C, C1 , .
Policy Design Examples 218 EncrypTight User Guide Passing Routing Protocols W ith Layer 3 routed networks, y ou might need to pa ss routing protocols in t he clear . This is normally true when routers are placed behind the PEPs and when your W AN us es a private routed infrastructure.
Complex Layer 3 Policy Example EncrypTight User Guide 219 This policy must be set to a hig her priority than the mesh policy created in “Encrypt T raffic Between Regional Ce nters” on page 214 . If this policy is set to a lo wer priority , the mesh en cryption policy will override the bypass policy and the routing protocol will be encrypt ed.
Policy Design Examples 220 EncrypTight User Guide.
Part IV T roubleshooting.
222 EncrypTight User Guide.
EncrypTight User Guide 223 17 ETEMS T roubleshooting This section includes the fo llowing topics: ● Possible Problems and Solu tions ● Pinging the Manageme nt Port ● Retrieving Appliance Log Fil.
ETEMS Troubleshooting 224 EncrypTight User Guide Appliance Unreachable Symptom Explanation and possib le solutions Symptoms of ETEMS’s inability to communicate with an a ppliance are: • Status indicator of ? . • “Operation failed” resu lt when putting a configura tion to an appliance, refreshing status, or comparing configur ations.
Possible Problems and Solutions EncrypTight User Guide 225 Appliance Configuration The ETEP cannot ping the management workstation. The request times out or returns an “Operation not permitted” message. Check whether the trusted host feature is enable d on the ETEP.
ETEMS Troubleshooting 226 EncrypTight User Guide Pushing Configurations S t atus Indicators Symptom Explanation and possible solutions New configuration isn’t active on the appliance. • In the Appliances view, select the appliance a nd refresh its status.
Pinging the Management Port EncrypTight User Guide 227 Sof tware Upgrades Pinging the Management Port If ETEMS is having trouble communicating with an appliance’ s mana gement port, try pinging the port to determine if the port is reachable from the mana gement workstation.
ETEMS Troubleshooting 228 EncrypTight User Guide Figure 88 T ools preferences T o change the defa ult ping tool: 1 In the Edit menu, click Preferences . 2C l i c k ETEMS to expand the tree, and then click To o l s ( Figure 88 ). 3 In the T ools windo w , browse to the location of the ping executable that you want to use.
Retrieving Appliance Log Files EncrypTight User Guide 229 T o retrieve log files fr om an appliance: 1 V erify that an FTP server is running on the ETEMS workstation. 2 In the Appliance Manager , select the tar get appliances in the Appliances view . ETEM S can retrieve logs from multiple appl iance in a single operation.
ETEMS Troubleshooting 230 EncrypTight User Guide V iewing Diagnostic Dat a ETEMS retrieves the following perfo rmance and diagnostic data from an appliance: ● Encryption statistics and a collection of frame and packet counters are di splayed in the Statistics V iew .
Viewing Diagnostic Data EncrypTight User Guide 231 Figure 89 Encryption st atistics and packet cou nters displayed for two ETEPs T o display st atistics: 1 In the Appliance Manager , select the targ et appliances in the Appliances view . 2O n t h e Vi e w menu, click St a t i s t i c s .
ETEMS Troubleshooting 232 EncrypTight User Guide V iewing Port and Discard St atus The Status view displays informa tion about local and remote port st atus, and discarded packets. Port status is available only for ETEPs. The details displaye d for discarded packets vari es by appliance model.
Viewing Diagnostic Data EncrypTight User Guide 233 Figure 91 Export the SAD or SPD to a CSV file T o export the SAD or SPD from the ETEP: 1 In the Appliance Manager , select the ta rget appliance in the Appliances view . 2O n t h e Vi e w menu, click St a t i s t i c s .
ETEMS Troubleshooting 234 EncrypTight User Guide W orking with the Application Log The application log provides in formation about significant events and failures wi th EncrypT ight. The application log captures events sp ecific to ETEMS and ETPM and their interaction with appliances.
Working with the Application Log EncrypTight User Guide 235 a On the application log tool bar , click . b In the application log menu, click Activate on new ev ents . A check mark appears next to this menu item when the feature is active. Click the menu item to toggle t he feature on and off.
ETEMS Troubleshooting 236 EncrypTight User Guide Figure 94 Application log filters NOTE Increasing the visible event limit to a l arge number (more than 200) can noticeably slow the speed at which ETEMS updates appliance status.
EncrypTight User Guide 237 18 ETPM and ETKMS T roubleshooting This section provides i nformation to help you with ETPM and ETKMS problem resolutio n, including: ● Learning About Problems ● ETKMS T.
ETPM and ETKMS Troubleshooting 238 EncrypTight User Guide T able 65 ETPM st atus problems and solu tions TIP After you deploy policies, i f the indicators are anything other than green, click Refresh S tatus before you take other troublesh ooting actions.
Learning About Problems EncrypTight User Guide 239 NOTE Always check the status of the PEPs in the Policy View after deploying policies, refreshing status, or renewing keys.
ETPM and ETKMS Troubleshooting 240 EncrypTight User Guide St atus Errors Renew Key Errors Symptom Explanation and possib le solutions ETEMS cannot veri fy that the software version installed on th e ETKMS matches the version selected in the Appliance Manager.
Learning About Problems EncrypTight User Guide 241 V iewing Log Files Each component in the EncrypT ight system creates and maintains log file s that you can use to troubleshoot issues.
ETPM and ETKMS Troubleshooting 242 EncrypTight User Guide PEP Log Files Y ou can retrieve and vi ew log files from any PEP using ETEMS. When a PEP re ceives a command from ETEMS, it sends it s log files to the desi gnated FTP serv er . T o use this feature you must have FTP server software running on the ETEMS wo rkstation.
PEP Troubleshooting Tools EncrypTight User Guide 243 Optimizing T ime Synchronization W ith NTP , time synchronization does not always happen instantaneously . If the time di f ference between the ETKMS (or any system component) and the NTP server is lar ge enou gh, it can take a significant amount of time to syn chronize.
ETPM and ETKMS Troubleshooting 244 EncrypTight User Guide Stat i st i cs For ETEP PEPs, you can use the S tatistics view in the ETEMS Appliance Manager to display encryption statistics and packet counters. Th is includes information about packet encryptions a nd decryptions.
Troubleshooting Policies EncrypTight User Guide 245 deployed to the PEP, including the dest ination and source IP addresses, priority , and the policy typ e. The SAD includes information on every security associ ation (SA) established betwe en the ETEP PEP and another appliance.
ETPM and ETKMS Troubleshooting 246 EncrypTight User Guide 3 In the MAC Statistics section (for ETEP PEPs), note the values in the T ransmit and Receive packet entries for the Local and Remote interf aces (Local Port and Remote Port).
Troubleshooting Policies EncrypTight User Guide 247 Do one of the following: ● In the Appliance Manager vi ew , select the ETEP and choose T ools > Clear Po licies .
ETPM and ETKMS Troubleshooting 248 EncrypTight User Guide T o fix these issues, redeploy you r po licies from ETPM to make sure that your PEPs have current policies and keys. Cannot Add a Network Set to a Policy Non-contiguous subnet masks are sup ported on ETEP PEPs version 1.
Modifying EncrypTight Timing Parameter s EncrypTight User Guide 249 ● For ETPM to ETKMS communications errors, check the ETEMS or ETPM applicatio n log for an error entry as described in “ETPM Log Files” on page 241 . ● For ETKMS to PEP communicati ons errors, check the ETKMS log files as described in “ETKMS Log Files” on page 241 .
ETPM and ETKMS Troubleshooting 250 EncrypTight User Guide T o add a new PEP in a system configured to use strict authentication: 1 In the ETEMS preferences, temporaril y dis able strict authentication. 2 Add and configure the PEP. 3 Install certificates on the PEP and the re-enable strict authentication in ETEMS.
Certificate Implementation Errors EncrypTight User Guide 251 T o disable strict authentica tion on ETEPs: 1 Connect to the serial port of the appliance and open a terminal session. 2 Log in and type configure to enter co nfiguration mode. 3T y p e management-interface to enter management interface configuration mode.
ETPM and ETKMS Troubleshooting 252 EncrypTight User Guide.
Part V Reference.
254 EncrypTight User Guide.
EncrypTight User Guide 255 19 Modifying the ETKMS Properties File This section provides information about settings in th e ETKMS properties file th at you can use to control and optimize the perform a.
Modifying the ETKMS Properties File 256 EncrypTight User Guide Hardware Security Module Configuration The following entries contro l whether the encryption keys are stored in a Hardw are Security Module (HSM). # Hardware Security Module Configuration hardwareModuleInUse=false vaultBaseDir=.
Base Directory for Storing Operational State Data EncrypTight User Guide 257 log4j.appender.R.layout=org.apache.l og4j.PatternLayout log4j.appender.R.layout.ConversionPa ttern=%d [%t] %-5p %c - %m%n ## Console logging #log4j.rootLogger=ALL,stdout #log4j.
Modifying the ETKMS Properties File 258 EncrypTight User Guide Policy Refresh T iming The policy refresh timing controls the t iming between the initiation of a renew key s and policy lifetime and the deletion of the expired keys. The followin g entries specify the timing for the policy refresh.
PEP Communications Timing EncrypTight User Guide 259 Once the n th retry (defined by retryCount ) is unsuccess ful, the ETKMS wa its a period of time defined by initialPEPRetryWa itTime when it then repeats the communicat ion attempts as defined by the general timing parameters.
Modifying the ETKMS Properties File 260 EncrypTight User Guide.
EncrypTight User Guide 261 20 Using Enhanced Security Features This section includes the fo llowing topics: ● About Enhanced Security Features ● About Strict Authentication ● Using Certificates .
Using Enhanced Security Features 262 EncrypTight User Guide ● Strong password enforcement ETEPs with software versio n 1.6 or later can be c onfigured to use strong password enforcement. The conventions used with st rong password enforcement are far more stringent than those used with the default password managemen t.
About Strict Authentication EncrypTight User Guide 263 Related topics: ● “Prerequisites” on page 263 ● “Order of Operations” on page 263 ● “Certificate Information” on page 264 ● .
Using Enhanced Security Features 264 EncrypTight User Guide 4 T emporarily enable strict authen tication in ETEMS and m ake sure that you can still communicate with the PEPs (refresh status for th e PEPs that you used in step 3. If the PEPs respond appropriat ely , continue with the ne xt step.
Using Certificates in an EncrypTight System EncrypTight User Guide 265 In usage, you type this string as fol lows: -dname “cn=<common name>, ou=<organization unit>, o=<or ganization name>, l=<location>, s=<state/province> , c=<country>” The information must be ent ered in the order shown.
Using Enhanced Security Features 266 EncrypTight User Guide Changing the Keystore Password Before you begin using certificates, you need t o change the default passwords for the EncrypTight keystore and the ETKMS keystore.
Changing the Keystore Password EncrypTight User Guide 267 Changing the Keystore Password on a ETKMS Changing the password on a ETKMS involves multiple steps, including: 1 Stop the ETKMS service 2 Use .
Using Enhanced Security Features 268 EncrypTight User Guide Changing the Password Used in t he ETKMS Properties File The ETKMS properties file includes an entry for the keystore passwor d that the ETKMS software uses for functions that access the keystore.
Configuring the Certificate Policies Extension EncrypTight User Guide 269 ./HSMPwdChg.sh The script will print out th e new value of the password. Make not e of this value. 5 Change the password for the Security Officer role by typing: ctkmu p -O Y ou will be pro mpted for the value of the old password and t hen for the value of the new password.
Using Enhanced Security Features 270 EncrypTight User Guide TIP If you are deploying numerous ET EPs, you can save ti me by modi fying the defaul t configurations for the ETEP models that you use. For more informati on about modifying d efault configurations, see “Worki ng with Default Configurations ” on page 1 10 .
Configuring the Certificate Policies Extension EncrypTight User Guide 271 Figure 95 Communications Preference s About the Policy Constraint s Extension The certificate policies extension can be used in conjunction with the po licy constraint extension.
Using Enhanced Security Features 272 EncrypTight User Guide W orking with Certificates for EncrypT ight and the ETKMSs For both the workst ation running the EncrypTight software and the ETKMS, use the keytool utility to request and install certificates.
Working with Certificates for EncrypTight and the ET KMSs EncrypTight User Guide 273 T o generate a key pair: 1 From the command line, use the fo llowing command to generate a public/ private key pair.
Using Enhanced Security Features 274 EncrypTight User Guide Importing a CA Certificate Depending on the CA that you use, you could receive a single certificate or a certificate chain. If the reply is a single certificate and it is not a copy of a CA trusted root certificate, you need acquire the certificate for a trusted root .
Working with Certificates and an HSM EncrypTight User Guide 275 Exporting a Certificate For other devices to authenticate th e identity of an entity , they mi ght need a copy of the entity’ s certificate. Y ou can use the keytool export command to export certifi cates for this purpose.
Using Enhanced Security Features 276 EncrypTight User Guide Importing CA Certificates into the HSM T o import CA certificates into the HSM: 1 T o import a CA certificate, at the command line type: ctc.
Working with Certificates for the ETEPs EncrypTight User Guide 277 Generating a Certificate Si gning Request for the HSM T o generate a certifica te signing request: 1 At the command line, typ e: keyt.
Using Enhanced Security Features 278 EncrypTight User Guide T o st art the Certificate Manager do one of the following: ● In the W indows m enu, click Open . In the list of perspectives, click Certificate Manager . ● On the Perspective tab in the upper right corner of the screen, click the Open Perspective button .
Working with Certificates for the ETEPs EncrypTight User Guide 279 The Certificate Requests view displays pend ing cer tificate requests for sel ected appliances. Y ou can manage certificate requests from the shortcut menu (vie w , delete, or install).
Using Enhanced Security Features 280 EncrypTight User Guide NOTE The procedure for obtaining a CA certi ficate varies with each CA. These are the typical ste p s. T o obt ain a CA certificate from a CA: 1 On the CA's website, complete the registration process.
Working with Certificates for the ETEPs EncrypTight User Guide 281 Figure 97 Certificates view show s in st alled certificates and t heir usage W orking with Certificate Request s The workflow for requesting and inst alling an identity certificate on an EncrypT ight appliance is as follows: 1 Generate a certificat e signing r equest.
Using Enhanced Security Features 282 EncrypTight User Guide Figure 98 Generate a certifica te signing request T o generate a certifica te signing request: 1 In the Appliances view , right-click the target appliance and click Generate Certif icate Signing Request in the shortcut menu.
Working with Certificates for the ETEPs EncrypTight User Guide 283 Inst alling a Signed Certificate When a certificate authority accepts a certificate reques t, it issues a digitally signed identity certificate and returns it electronically . The certificate must be a PEM-formatted X.
Using Enhanced Security Features 284 EncrypTight User Guide Figure 100 View pending certificate signing req uests Canceling a Pending Certificate Request The EncrypT ight appliance allows for only one pend ing certificate request. In order to replace the pending request wit h a new one, you must cancel the pending requ est.
Working with Certificates for the ETEPs EncrypTight User Guide 285 The Common Name (CN) d efaults to the applianc e name; it cannot be set as a preference. For information about other distinguished name fields, see Ta b l e 6 8 . Other certificate requests preferences are described in Ta b l e 7 8 .
Using Enhanced Security Features 286 EncrypTight User Guide ● “Deleting a Certificate” on page 287 Viewing a Certificate The Certificate Details view of a selected installed certificate displa ys the certificate contents and the PEM formatted certificate.
Validating Certificates EncrypTight User Guide 287 Deleting a Certificate Delete external certificates if they have expired or are no longer used . External certificates are the only type of certificate that you can delete from the EncrypT ight appliance.
Using Enhanced Security Features 288 EncrypTight User Guide you must remember to periodically retrieve a copy of the CRL a nd install it on each of the EncrypT ight components. NOTE CRLs are only supported in ETEPs with software ve rsion 1.6 or late r .
Validating Certificates EncrypTight User Guide 289 T o inst all a CRL on the ETEP: 1 Switch to the Certificate Manager perspective. 2 In the Appliances view , right-click on the target ETEP and choose Install CRL . 3 Navigate to the ap propriate directory and sel ect the CRL file that you w ant to install.
Using Enhanced Security Features 290 EncrypTight User Guide In order to use OCSP , you must enab le it on each Encr ypT ight component. ETEPs can read the URL from the certificate itself, but you can sp ecify a URL to use if needed.
Validating Certificates EncrypTight User Guide 291 NOTE For enhanced security , if you want to validate certificates u sing OCSP only , disable the options to Ignore Failure to Resp ond and Revert to CRL on OC SP Respon der Failure . T o set up OCSP in the ETKMS: 1 Log in directly on the ETKMS as root, or open an SSH session and su to root.
Using Enhanced Security Features 292 EncrypTight User Guide Enabling and Disabling S trict Authentication After you have installed certificates on each EncrypT ight com ponent, you can ena ble strict authentication. Strict authentication is a setting that af fects comm unications between all EncrypT ight components.
Removing Certificates EncrypTight User Guide 293 8C l i c k Put to push the configurations. 9C l i c k Close to return to the Appl iances view , a nd then refresh the appliance status ( To o l s > R e f r e s h St a t u s ). NOTE S tri ct authentication is available for ETEPs with software version 1.
Using Enhanced Security Features 294 EncrypTight User Guide T o remove certificate s: 1 If necessary , switch to the Certificate Manager a nd select the ETEPs whose cer tificates you want to remove. 2 Select T ools > Clear Certificates . 3C l i c k OK when you are prompt ed for confirmation.
Using a Common Access Card EncrypTight User Guide 295 5 Add the authorized common name s to the cnAuth .cfg file on th e ETKMS. For instructions, see “Configuring User Accounts for Use With Common Access Cards” on page 295 6 Enable strict authentication a nd Common Access Card Authentication on th e ETKMS.
Using Enhanced Security Features 296 EncrypTight User Guide T o enable CAC Authentication on the ETEP: 1 V erify that strict authentication is enabled on the ETEP. If strict authentication is not enabled when you enable Common Access Card Authentication, y ou can lose the ability to communicate with the ETEP.
Using a Common Access Card EncrypTight User Guide 297 NOTE When Common Access Card Authe ntication is enabled , users of the EncrypTight software can log in without using passwords if the deployment includes o nly ETEPs running software version 1.6 or later.
Using Enhanced Security Features 298 EncrypTight User Guide.
EncrypTight User Guide 299 21 ETEP Configuration This chapter provides procedures and referen ce information for configuring ETEP appliances. T o prepare the ETEP for operation in your network, do the following: ● In the ETEMS Appliance Manager , click File > New Appliance to open the Appliance editor .
ETEP Configuration 300 EncrypTight User Guide This section includes the fo llowing topics: ● Identifying an Appliance ● Interface Configuration ● T ruste d Hosts ● SNMP Configuration ● Loggi.
Interface Configuration EncrypTight User Guide 301 ● Alphanumeric characters are valid (upper and lower case alpha charact ers and numbers 0-9) ● Spaces are allowed within a name ● The following.
ETEP Configuration 302 EncrypTight User Guide Figure 103 ET0100A in terfaces configuration Related topics: ● “Management Port Addressing” on page 302 ● “Auto-negotiation - All Ports” on pa.
Interface Configuration EncrypTight User Guide 303 ETEPs running software version 1.6 an d later include support for IPv4 and IPv6 addresses on the management port.
ETEP Configuration 304 EncrypTight User Guide Figure 104 Management port d efault gateway on the ETEP IPv6 Addressing The use of IPv6 addressing is optional. If you select Use IPv 6 , ETEMS and other EncrypT ight components will use IPv6 to comm unicate with the ETEP.
Interface Configuration EncrypTight User Guide 305 IPv6 addresses often contain consecutive grou ps of zer os. T o further simp lify address entry , you can use two colons (::) to rep resent the consecutive groups of zeros when t yping the IPv6 address.
ETEP Configuration 306 EncrypTight User Guide On the local and remote p orts, the ETEPs support the speeds shown in Ta b l e 8 6 . NOTE If you are using copper SFP tran sceivers, auto-negotiation must be enabled on the ET1000A and on the device that the ET1000 A is connecting to.
Interface Configuration EncrypTight User Guide 307 preserves the network addressing of the prot ected network by copyin g the original source IP and MAC addresses from the inco ming packet to the outb ound packet header . In transparent mode the ETEP’ s re mote an d local ports are not viewable from a network standp oint.
ETEP Configuration 308 EncrypTight User Guide IP Address and Subnet Ma sk Enter the IP address and subnet mask that y ou want to assign to the port, in dotted decimal notation. Default Gate way The default gateway identifies the router ’ s local access port, which is used to forward packets to their destination.
Interface Configuration EncrypTight User Guide 309 The transmitter behavior configuration should be th e same on both the local and remote ports. DHCP Relay IP Address The DHCP Relay feature allows DHCP clients on the local port su bnet to access a DHCP server that is on a different subnet.
ETEP Configuration 310 EncrypTight User Guide Ignore DF Bit When the ETEP is configured for use in Layer 3 IP en c ryption policies, its defaul t behavior is to enable DF Bit handling on the local port.
Trusted Hosts EncrypTight User Guide 311 Related topic: ● “Ignore DF Bit” on page 31 0 ● “Path Maximum Transmission Unit” on page 326 ● “Features Configuration” on page 330 T rusted Host s In its default state the ETEP mana gement port accepts all packets from any host.
ETEP Configuration 312 EncrypTight User Guide Inbound host proto cols (HTTPS, ICMP , and SNMP) are enabled and disabled in the Edit Trusted Host window . Inbound protocols are en abled by default for each host. Use caution when disabling these protocols as it can affec t the management station’ s ability to comm unicate with the ETEP.
SNMP Configuration EncrypTight User Guide 313 Figure 108 T rusted host editor Related topics: ● “Appliance Unreachable” on page 224 ● “IPv6 Addressing” on page 304 ● “T raps” on page 315 ● “Defining Syslog Servers” on page 323 ● “SNTP Client Settings” on page 329 SNMP Configuration The ETEP includes an SNMP agent.
ETEP Configuration 314 EncrypTight User Guide Figure 109 SNMP configuration fo r system information, community strings , and traps T ake note of the follow ing requirements when defining SNMP system i.
SNMP Configuration EncrypTight User Guide 315 Tr a p s T o configure SNMP traps, first select the trap types to be ge nerated. All of the selected trap ty pes will be sent to the configured hosts.
ETEP Configuration 316 EncrypTight User Guide NOTE The coldSt art a nd notifyShutdown traps are always generated, even when Generic traps are disabled.
SNMP Configuration EncrypTight User Guide 317 ● The engine ID identifies the E TEP as a unique SNMP entity . The ETEP’ s engine ID must be configured on every trap recipient before traps can be authenticated and processed by the trap host.
ETEP Configuration 318 EncrypTight User Guide ● “Configuring the SNMPv3 Trap Host Users” on page 319 ● “FIPS Mode” on page 331 Generating the Engine ID The engine ID is a unique local identifier for th e SNMP agent in the ETEP .
SNMP Configuration EncrypTight User Guide 319 Figure 1 1 1 Viewing SNMPv3 Eng ine IDs Related topics: ● “Generating the Engine ID” on page 318 Configuring the SNMPv3 T rap Host Users T rap host users define the destin ation that receives the traps, plus security information about communication between SNMPv3 entitie s.
ETEP Configuration 320 EncrypTight User Guide Figure 1 12 SNMPv3 T rap Host configuration T o configure a trap ho st user: 1 If you haven’t already done so, select the traps that the ETEP will generate (see “T raps” on pag e 31 5 ). 2 Under SNMPv3 T rap Ho sts, click Add .
Logging Configuration EncrypTight User Guide 321 Related topics: ● “FIPS Mode” on page 331 ● ETEP CLI User Guide , ‘Securing Management Port T raffic with IPsec” Logging Configuration The ETEP log keeps track of messag es and events generated by various processes, such as encry ption, certificates, rekeys, and SNMP .
ETEP Configuration 322 EncrypTight User Guide Related topics: ● “Log Event Settings” on page 322 ● “Defining Syslog Servers” on page 323 ● “Log File Management” on page 324 ● “Re.
Logging Configuration EncrypTight User Guide 323 means “error + critical + alert + em ergency .” The priorities shown i n T able 97 are listed from lowest (debug) to highest (emergency).
ETEP Configuration 324 EncrypTight User Guide Related topics: ● “IPv6 Addressing” on page 304 ● “Logging Configuration” on page 321 ● “Log Event Settings” on page 322 Log File Management Each log file is a fixed length li st of entries, as shown in T able 98 .
Advanced Configuration EncrypTight User Guide 325 Figure 1 14 Log files extracted from t he ETEP Related topics: ● “Retrieving Appliance Log Files” on page 228 ● “Logging Configuration” on.
ETEP Configuration 326 EncrypTight User Guide Path Maximum T ransmission Unit The PMTU specifies the maximum payl oad size of a packet that can be transmitted by the ETEP. The PMTU value ex cludes the Ethernet header , which is 14-18 bytes l ong, and the CRC.
Advanced Configuration EncrypTight User Guide 327 ● “Reassembly Mode” on page 310 ● “Features Configuration” on page 330 Non IP T raffic Handling The non IP traffic handling setting is available wh en the ETEP is configured for use in Layer 3 encryption policies.
ETEP Configuration 328 EncrypTight User Guide ● Maximum number of concurrent lo gin sessions allowed per user ● The number of login failures allowed be fore locking an account The strong password pol icy enforces more stringent password rules and conventions than the default password policy .
Advanced Configuration EncrypTight User Guide 329 SSH Access to the ETEP SSH is used for secure remote CLI managem ent se ssions through the Ethernet management port. SSH access to the appliance is enabled by default. T o prevent remote access to the CLI, clear the Enable SSH checkbox.
ETEP Configuration 330 EncrypTight User Guide 3 On the Advanced tab, select Enable IKE VLAN T ag . OCSP Settings Online Certificate Status Protocol (OCSP) provi des a wa y for devices that use certi ficates to verify that a received certificate is currently valid.
Features Configuration EncrypTight User Guide 331 FIPS Mode When operating in FIPS mode, the ETEP must be configured to use FIPS-approved encryption and authentication algorith ms. FIPS approved algorithms are listed in T ab le 103 . Not e that some of the FIPS- approved algorithms are available for use only on the management port.
ETEP Configuration 332 EncrypTight User Guide ● Performs a softwa re integrity test ● Clears pre-existing polices an d keys, as described in T able 104 .
Features Configuration EncrypTight User Guide 333 ● “EncrypT ight Setti ngs” on page 333 ● “Encryption Policy Settings” on page 334 ● “Creating Layer 2 Point-to-Po int Policies” on p.
ETEP Configuration 334 EncrypTight User Guide ● “Encryption Policy Settings” on page 334 ● “W orking with Policies” on page 334 Encryption Policy Settings The Encryption Policy Setting determines the type of policies that the ETEP can be used in: Layer 2 Ethernet policies or Layer 3 IP poli cies.
Working with Policies EncrypTight User Guide 335 Related topics: ● “Using EncrypTight Distributed Key Policies” on page 335 ● “Creating Layer 2 Point-to-Po int Policies” on page 335 Using .
ETEP Configuration 336 EncrypTight User Guide Figure 1 15 ETEP Policy t ab When ETEPs are first installed they pass all traffic in the clear until th ey receive policies. After you push the Layer 2 point-to-point policy configuration to the ETEPs they will begin ne gotiations to encrypt traffic.
Working with Policies EncrypTight User Guide 337 deploy management port IPsec polices while in La yer 2 point-to-poi nt mode, use manual key policies to encrypt management p ort traf fic. ● W e recommend setting the time on the ETEPs before setting up th e Layer 2 point-to-point policy .
ETEP Configuration 338 EncrypTight User Guide Selecting the T raffic Handling Mode The ETEP has three options for processing packets: ● Encrypt all packets ● Discard all packets ● Pass all packets in the clear Under normal operation, the ETEP is configured to en crypt all traffic that is exchanged between two peer appliances.
Factory Default s EncrypTight User Guide 339 Factory Default s ETEMS’ s factory set tings are listed by appliance mode l and software version for the following categories: ● Interfaces ● T ruste.
ETEP Configuration 340 EncrypTight User Guide T rusted Host s SNMP Default gateway None Flow control Negotiated Link speed Negotiated Transmitter enable Follo wRx Local IP address Undefined Subnet mask 255.
Factory Default s EncrypTight User Guide 341 Logging Policy Advanced T able 1 12 Logging d efaults Logging Default Setting Local 0 / System Informational Local 1 / Dataplane Informational Local 2 / Di.
ETEP Configuration 342 EncrypTight User Guide Features Hard-coded Settings The following settings are h ard-coded in the ETEP: ● Management port PMTU is 1400 bytes ● Syslog server port is 514 ● .
EncrypTight User Guide 343 Index Numerics 3DES, 184 A addressing mode, 17 1, 185 advanced configuration ETEP, 325–329 Advanced Encry ption Standard, 18 4 AES, 184 appliance configuration customizing.
Index 344 EncrypTight User Guide certificate revocation lists (CRLs), see CRLs, 287 certificates See also Certificate Manager about, 262 and common access cards, 294 certificate policy extensions, 269.
EncrypTight User Guide 345 Index D database See workspace date and time about clock synchronization, 33 changing o n an appliance, 12 1 configuring on the ETKMS, 51 default configurations, 110 modifyi.
Index 346 EncrypTight User Guide defining appliance configurations, 83 maintenance and tro ubleshooting, 86 policy and certificate support, 87 pushing configurations , 84 upgrading software, 85 ETEP l.
EncrypTight User Guide 347 Index firewall ports, 39 flow control configuration ETEP, 305 fragmentation ETEP choosing the reas sembly mode, 310 setting the PMTU, 326 FTP server configuring for software.
Index 348 EncrypTight User Guide hub and spoke policy addr essing mode override, 193 mesh policy addressing mode override, 1 97 multicast policy addressing mod e override, 201 payload encryption polic.
EncrypTight User Guide 349 Index NTP, 149 O OCSP about, 289 communication preference s, 94 enabling in EncrypTight, 290 enabling in ETEPs, 291 enabling on ETKMSs, 291 open perspe ctive, 131 out-of-ban.
Index 350 EncrypTight User Guide See also ETPM introduction, 20 log file, 241 monitoring status, 237 port config uration See interface configuration port status , viewing, 232 ports, configurin g your.
EncrypTight User Guide 351 Index editing on multiple appliances, 152 ETEP, 329 ETKMS, 51 for EncrypTight PEPs, 149 software requ irements, 38 software upda tes appliance software cancelling, 127 check.
Index 352 EncrypTight User Guide Triple Data Encr yption Standard, 184 troubleshooting See also diagnostic tools application log, 234 certificate implementation errors, 249 clearing policies on the ET.
72 4 - 7 4 6 -5 500 | blackbo x.c om About Bl ack Bo x Bl ac k Box Networ k Servic es i s yo ur so ur ce f or mo re t han 1 1 8, 00 0 ne twor ki ng an d in fr ast ruct ur e pr odu c ts.
Un point important après l'achat de l'appareil (ou même avant l'achat) est de lire le manuel d'utilisation. Nous devons le faire pour quelques raisons simples:
 
                Si vous n'avez pas encore acheté Black Box EncrypTight c'est un bon moment pour vous familiariser avec les données de base sur le produit. Consulter d'abord les pages initiales du manuel d'utilisation, que vous trouverez ci-dessus. Vous devriez y trouver les données techniques les plus importants du Black Box EncrypTight - de cette manière, vous pouvez vérifier si l'équipement répond à vos besoins. Explorant les pages suivantes du manuel d'utilisation Black Box EncrypTight, vous apprendrez toutes les caractéristiques du produit et des informations sur son fonctionnement. Les informations sur le Black Box EncrypTight va certainement vous aider à prendre une décision concernant l'achat.
Dans une situation où vous avez déjà le Black Box EncrypTight, mais vous avez pas encore lu le manuel d'utilisation, vous devez le faire pour les raisons décrites ci-dessus,. Vous saurez alors si vous avez correctement utilisé les fonctions disponibles, et si vous avez commis des erreurs qui peuvent réduire la durée de vie du Black Box EncrypTight.
Cependant, l'un des rôles les plus importants pour l'utilisateur joués par les manuels d'utilisateur est d'aider à résoudre les problèmes concernant le Black Box EncrypTight. Presque toujours, vous y trouverez Troubleshooting, soit les pannes et les défaillances les plus fréquentes de l'apparei Black Box EncrypTight ainsi que les instructions sur la façon de les résoudre. Même si vous ne parvenez pas à résoudre le problème, le manuel d‘utilisation va vous montrer le chemin d'une nouvelle procédure – le contact avec le centre de service à la clientèle ou le service le plus proche.