SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Transcription

1 SonicWALL Addendum A Supplement to the SonicWALL Internet Security Appliance User's Guide

2

3 Contents SonicWALL Addendum New Network Features... 3 NAT with L2TP Client... 3 New Tools Features... 5 Tech Support Report Features... 5 New VPN Features... 6 Security Policy... 6 Phase 1 DH Group... 6 Phase 1 Encryption/Authentication... 7 Phase 2 Encryption/Authentication... 7 VPN Advanced Settings... 8 Use Aggressive Mode... 8 Enable Keep Alive... 9 Require XAUTH/RADIUS (only allows VPN Clients)... 9 Enable Windows Networking (NetBIOS) broadcast... 9 Apply NAT and firewall rules... 9 Forward Packets to Remote VPNs... 9 Route all internet traffic through this SA Enable Perfect Forward Secrecy Phase 2 DH Group Default LAN Gateway VPN Advanced Settings Matrix New RADIUS Settings RADIUS Global Settings Primary and Secondary Server Configuration RADIUS Client Test High Availability and Digital Certificates SonicWALL Firmware Addendum Page 1

4 Page 2 SonicWALL Firmware Addendum

5 SonicWALL Addendum SonicWALL firmware version includes several features and enhancements not documented in the SonicWALL Internet Security Appliance User s Guide.The new firmware features are documented in the Addendum. You should also download and review the Release Notes associated with firmware version New Network Features NAT with L2TP Client L2TP is a standard tunneling protocol that is used to encapsulate Point-to-Point Protocol (PPP) frames for transmission over TCP/IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks. It can be used to create virtual private networks (VPN) over public networks such as the Internet. It also provides interoperability between different VPN vendors which other protocols do not provide. PPP provides the connection over which L2TP sends packets through a tunnel. The tunnel can be initiated by either a dial-up client used by the customer, or by the network access server (NAS) located at the L2TP service provider such as an ISP. When the client initiates the connection to the NAS, the NAS is referred to as an L2TP access concentrator (LAC). The LAC forwards its L2TP traffic to a remote node called an L2TP network server (LNS). The NAS performs the server-side function of PPP termination and acts as the receiver of incoming connections. If the NAS initiates the L2TP tunnel to the customer premises, the client PC acts as the LNS. A VPN tunnel using L2TP can be initiated two ways: Client-initiated tunnel - The client initiates a tunnel in a way similar to PPTP tunnels. NAS-initiated tunnel - If the tunnel is initiated by the NAS, it enables telephone companies and ISPs to provide corporate customers with VPN solutions. To configure the SonicWALL for NAT with L2TP Client, follow these steps: 1. Select NAT with L2TP Client from the Network Addressing Mode menu on the Network tab. Page 3 SonicWALL Firmware Addendum

6 2. Configure the LAN Settings by typing in the IP addresses for the SonicWALL LAN and the LAN Subnet Mask. 3. Type the IP address for the WAN in the WAN Gateway (Router) Address field. Then enter the IP address for the SonicWALL WAN IP (NAT Public) Address, and the WAN/DMZ Subnet Mask. 4. Configure the DNS Settings by typing the DNS Server IP address into the DNS Server field. SonicWALL Firmware Addendum Page 4

7 5. Enter the IP address of the L2TP Server into the L2TP Server IP Address field. Also, enter the User Name and User Password into the User Name and User Password fields. 6. You can select the Disconnect after minutes of inactivity check box, and also enter a value in minutes to disconnect an inactive user. The default value is 10 minutes. 7. Click Update to add the settings to the SonicWALL. The L2TP Gateway Address, L2TP SonicWALL IP Address, and the L2TP DNS Server addresses are configured once the connection is established between the SonicWALL and the L2TP server. New Tools Features Tech Support Report Features In the Tools section, click the Diagnostic tab, and then select Tech Support Report from the Choose a diagnostic tool menu. In the Tech Support Report section, there are four Report Options that can be selected: VPN Keys - saves shared secrets, encryption, and authentication keys to the report. ARP Cache - saves a table relating IP addresses to the corresponding MAC or physical addresses. DHCP Bindings - saves entries from the SonicWALL DHCP server. IKE Info - saves current information about active IKE configurations. Page 5 SonicWALL Firmware Addendum

8 Click Save Report to save the file to your system. Attach the report to your Tech Support Request . When you click Save Report, a warning message is displayed. The report contains all of the information about your SonicWALL configuration in plaintext. New VPN Features Security Policy Phase 1 DH Group Diffie-Hellman (DH) Key Exchange (a key agreement protocol) is used during phase 1 of the authentication process to establish pre-shared keys. You can now select from three well-known DH groups: Group 1 - less secure Group 2 - more secure Group 5 - most secure Groups 1, 2, and 5 use Modular-Exponentiation with different prime lengths as listed below: Group Descriptor Prime Size (bits) If network connection speed is preferred, select Group 1. If network security is preferred, select Group 5. To compromise between speed and security, select Group 2. SonicWALL Firmware Addendum Page 6

9 Phase 1 Encryption/Authentication This field defines the type of encryption and authentication methods used to secure Phase 1 exchange using Internet Key Exchange (IKE). There are four methods that can be selected from the menu (listed in order from least secure to most secure): DES & MD5 DES & SHA1 3DES & MD5 3DES & SHA1 Data Encryption Standard (DES) is a U.S. government standard for encrypting information. It is a symmetric encryption scheme that requires the sender and the receiver to know the secret key in order to communicate securely. DES is based on a 56-bit key that allows for 7.2 x possible keys. This makes DES fairly secure, but when it was cracked in 1997, a more secure variant was developed called 3DES. Triple DES encrypts each message using three different 56-bit keys in succession. MD5 (Message Digest) is derived from a group of hashing algorithms used in cryptography. Message Digest refers to a hash value of fixed length that is computed from a longer variable message that is hashed by the algorithm. MD5 produces a 128-bit hash value. MDs are commonly used to generate a digital signature from a message. MD5 uses four rounds of hashing and is fairly difficult to crack. SHA1 (Secure Hashing Algorithm) is a hashing algorithm developed by National Institute of Standards and Technology (NIST). If network speed is preferred, select DES & MD5. If network security is preferred, then select 3DES & SHA1. Phase 2 Encryption/Authentication The list of encryption/authentication methods has not changed from previous versions of SonicWALL firmware, except for the Group VPN Security Association. The VPN Client software does not support ArcFour encryption methods and you cannot disable authentication in the VPN Client software. The following encryption/authentication methods are available for the Group VPN Security Association (listed from most secure to least secure): Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) Encrypt and Authenticate (ESP DES HMAC SHA1) Encrypt and Authenticate (ESP DES HMAC MD5) If network connection speed is preferred, select Encrypt and Authenticate (ESP DES HMAC MD5) from the menu. If network security is preferred, select Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1). Page 7 SonicWALL Firmware Addendum

10 VPN Advanced Settings Two new check boxes, Use Aggressive Mode and Phase 2 DH, are available in the Edit Advanced Settings for VPN connections. The following settings are available in the Edit Advanced Settings window: Use Aggressive Mode Enable Keep Alive Require XAUTH/RADIUS (only allows VPN clients) Enable Windows Networking (NetBIOS) broadcast Apply NAT and firewall rules Forward packets to remote VPNs Route all internet traffic through this SA Enable Perfect Forward Secrecy Phase 2 DH Group Default LAN Gateway Use Aggressive Mode Selecting the Use Aggressive Mode check box forces the SonicWALL appliance to use Aggressive Mode to establish the VPN tunnel even if the SonicWALL has a static IP address. Aggressive Mode requires half of the main mode messages to be exchanged in Phase One of the SA exchange. Use Aggressive Mode is useful when the SonicWALL is located behind another NAT device. The check box is only available if IKE using Pre-shared Secret or IKE using certificates (SonicWALL to SonicWALL) is selected as the IPSec Keying Mode. SonicWALL Firmware Addendum Page 8

11 Enable Keep Alive Selecting the Enable Keep Alive checkbox allows the VPN tunnel to remain active or maintain its current connection by listening for traffic on the network segment between the two connections. Interruption of the signal forces the tunnel to renegotiate the connection. Require XAUTH/RADIUS (only allows VPN Clients) An IKE Security Association may be configured to require RADIUS authentication before allowing VPN clients to access LAN resources. XAUTH/RADIUS authentication provides an additional layer of VPN security while simplifying and centralizing management. RADIUS authentication allows many VPN clients to share the same VPN configuration, but requires each client to authenticate with a unique user name and password. And because a RADIUS server controls network access, all employee privileges may be created and modified from one location. Enable Windows Networking (NetBIOS) broadcast Computers running Microsoft Windows communicate with one another through NetBIOS broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast checkbox to access remote network resources by browsing the Windows Network Neighborhood. Apply NAT and firewall rules This feature allows the remote site s LAN subnet to be hidden from the corporate site, and is most useful when a remote office s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Standard network configuration, using this checkbox applies the firewall access rules and checks for attacks. It does not apply NAT as the SonicWALL is not configured for it. If the SonicWALL uses NAT network configuration, then using this checkbox performs normal firewall checks, access rules, and applies NAT. Note: You cannot use this feature if you have Route all internet traffic through this SA enabled. Forward Packets to Remote VPNs Checking the Forward Packets to Remote VPNs checkbox for a Security Association allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL local LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section. Enabling this feature allows a network administrator to create a hub and spoke network configuration by forwarding inbound traffic to a remote site via a VPN security association. Page 9 SonicWALL Firmware Addendum

12 To create a hub and spoke network, enable the Forward Packets to Remote VPNs checkbox for each Security Association in your SonicWALL. Traffic is now able to go from branch office to branch office via the corporate office. Note: It is strongly recommended not to select this feature if you are configuring a Group VPN SA or a Manual Key SA for a VPN Client. Route all internet traffic through this SA Checking this box allows a network administrator to force all network traffic to the WAN to go through a VPN tunnel to a central site. Outgoing packets are checked against the remote network definitions for all Security Associations (SA). If a match is detected, the packet is then routed to the appropriate destination. If no match is detected, the SonicWALL checks for the presence of a SA using this checkbox. If an SA is detected, the packet is sent using that SA. If there is no SA with this option enabled, and if the destination does not match any other SA, the packet goes unencrypted to the WAN. Note: Only one SA may have this checkbox enabled. Enable Perfect Forward Secrecy The Enable Perfect Forward Secrecy checkbox increases the renegotiation time of the VPN tunnel. By enabling Perfect Forward Secrecy, a hacker using brute force to break encryption keys is not able to obtain other or future IPSec keys. During the phase 2 renegotiation between two SonicWALL appliances or a Group VPN SA, an additional Diffie- Hellman key exchange is performed. Enable Perfect Forward Secrecy adds incremental security between gateways. Phase 2 DH Group Diffie-Hellmen (DH) Key Exchange (a key agreement protocol) is used during phase 2 of the authentication process if Enable Perfect Forward Secrecy is selected. You can now select from three well-known DH groups: Group 1 - less secure Group 2 - more secure Group 5 - most secure Groups 1, 2, and 5 use Modular-Exponentiation with different prime lengths as listed below: Group Descriptor Prime Size (bits) If network connection speed is an issue, select Group 1. If network security is an issue, select Group 5. To compromise between speed and security, select Group 2. SonicWALL Firmware Addendum Page 10

13 Default LAN Gateway A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all internet traffic through this SA checkbox. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets may have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped. Page 11 SonicWALL Firmware Addendum

14 VPN Advanced Settings Matrix Group VPN using IKE/ Pre-shared Secret Group VPN using IKE/ Certificates Manual Key* IKE using Preshared Secret IKE using Certificates Use Aggressive Mode Enable Keep Alive Require XAUTH/ RADIUS Enable Perfect Forward Secrecy Phase 2 DH Group Enable Windows Networking (Net- BIOS) broadcast Apply NAT and Firewall Settings Forward Packets to Remote VPNs Route all internet traffic through this SA Default LAN Gateway *Default LAN Gateway and Forward Packets to Remote VPN are not configured for VPN Client to SonicWALL appliance connections using Manual Key Exchange. SonicWALL Firmware Addendum Page 12

15 New RADIUS Settings RADIUS Global Settings RADIUS Server Retries - There is now a default value of 3, an allowable range of 1-10, and recommended value of 3. RADIUS Server Timeout in Seconds - There is now a default value of 5, an allowable range of 1-60 seconds, and recommended value of 5 seconds. Primary and Secondary Server Configuration A Primary and Secondary Radius Server can be configured on the Radius tab in the VPN section of the SonicWALL Management interface. To configure the RADIUS servers, follow the instructions below: 1. Enter the IP address of the primary server in the IP Address field. 2. Enter the Port Number in the Port Number field. The default value is Enter the Shared Secret in the Shared Secret field. Click Update to update the SonicWALL settings. RADIUS Client Test To test the RADIUS server configuration, type in a valid RADIUS user name and password. Click Update to validate that the client is a valid account with the RADIUS Server. If the validation is successful, Success appears in the Status line at the bottom of the RADUIUS tab. If the connection is unsuccessful, Failure appears in the Status line at the bottom of the RADIUS tab. Page 13 SonicWALL Firmware Addendum

16 High Availability and Digital Certificates If a digital certificate is used to identify the primary SonicWALL, then the digital certificate must also be imported into the secondary (backup) SonicWALL. Typically, all primary SonicWALL settings are exchanged with the backup SonicWALL during the synchronization phase of High Availability setup. This feature is supported by the GX series, the PRO, and the PRO-VX models of the SonicWALL Internet Security appliance. To import the digital certificate into the backup SonicWALL, click VPN, then Certificates. Click Import to import the certificate into the backup SonicWALL. SonicWALL Firmware Addendum Page 14

17 SonicWALL, Inc Bordeaux Dr. Sunnyvale, CA Phone: Fax: Web: Part # Rev A 10/01