
EncrypTight User Guide

EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight Enforcement Points.

Customer Support Information
Order toll-free in the U.S.: Call BBOX (outside U.S. call )
FREE technical support 24 hours a day, 7 days a week: Call or fax
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA
Web site: info@blackbox.com


Table of Contents

Preface
  About This Document
  Contacting Customer Support

Chapter 1: EncrypTight Manager Overview
  Distributed Key Topologies ... 13
  EncrypTight Manager Platform ... 15
  Element Management ... 15
  Policy Generation and Management ... 15
  Key Generation and Distribution ... 15
  Policy Enforcement Point ... 15
  Point-to-Point Negotiated Topology ... 16
  Security Within EncrypTight ... 17
  Secure Communications Between EncrypTight Manager and PEPs ... 17
  Secure Key Storage ... 18

Chapter 2: Working with the EncrypTight Manager User Interface
  Logging into EncrypTight Manager ... 19
  EncrypTight Manager Page ... 20
  Panels ... 21
  Sorting and Filtering ... 21
  Selecting Items ... 22
  Working with Columns ... 23
  Toolbars ... 23
  Editors ... 24
  Viewing Status ... 25
  Understanding User Roles ... 26
  Managing Licenses ... 26
  Installing Licenses ... 27
  Upgrading Licenses ... 28
  Upgrading the EncrypTight Manager License ... 28
  Upgrading PEP Licenses ... 28
  Logging Out ... 29

Chapter 3: Provisioning PEPs
  Provisioning Basics ... 31
  Adopting a PEP ... 31
  Pre-Provisioning an Appliance ... 33
  Configuring PEPs for Use with EncrypTight ... 33
  Saving PEP Configurations ... 34
  Applying Configurations ... 34
  Viewing PEP Status ... 34
  Controlling the Status Refresh Interval ... 36
  Comparing Configurations ... 36
  Customizing the PEPs View ... 37
  Rebooting PEPs ... 39
  Provisioning Large Numbers of PEPs ... 39
  Working with Configuration Templates ... 40
  Creating PEP Templates ... 40
  Customizing PEP Configuration Templates ... 40
  Copying PEP Template Configurations ... 41
  Comparing PEP Templates ... 41
  Deleting PEP Templates ... 41
  Importing Configurations from an Excel File ... 41
  Creating the Import File ... 41
  Checking the Time on New Appliances ... 42
  Shutting Down Appliances ... 42
  Additional Configuration Options ... 42

Chapter 4: Managing Networks
  Adding Networks ... 43
  Advanced Uses for Networks in Policies ... 44
  Grouping Networks into Supernets ... 44
  Using Non-contiguous Network Masks ... 45
  Editing Networks ... 46
  Deleting Networks ... 47

Chapter 5: Managing Network Sets
  Types of Network Sets ... 49
  Adding a Network Set ... 51
  Importing Networks and Network Sets ... 53
  Editing a Network Set ... 54
  Deleting a Network Set ... 54

Chapter 6: Creating VLAN ID Ranges
  Adding a VLAN ID Range ... 55
  Editing a VLAN ID Range ... 56
  Deleting a VLAN ID Range ... 56

Chapter 7: Understanding Security Policies
  About Policies ... 57
  Ethernet Policies ... 57
  IP Policies ... 58
  Policy Priority ... 58
  Schedule for Renewing Keys and Refreshing Policy Lifetime ... 59
  Policy Types and Encryption Methods ... 59
  Encapsulation ... 60
  Encryption and Authentication Algorithms ... 60
  Addressing Mode ... 61
  Using Encrypt All Policies with Exceptions ... 62
  Policy Size and PEP Operational Limits ... 62
  Minimizing Policy Size

Chapter 8: Working with Policies
  Creating Policies ... 65
  Policy Options by Mode ... 65
  Layer 2 Policies ... 65
  Layer 3 Policies ... 67
  Common Layer 3 Policy Options ... 67
  Options Specific to Hub and Spoke Policies ... 69
  Options Specific to Point-to-Point Policies ... 70
  Options Specific to Mesh Policies ... 71
  Easy Mesh Policy ... 71
  Options Specific to Multicast Policies ... 72
  Creating Layer 4 Policies ... 72
  Activating and Deactivating Policies ... 73
  Deploying Policies ... 74
  Rekeying Policies ... 74
  Failsafe Rekey Mode ... 75
  Copying Policies ... 75
  Editing Policies ... 76
  Validating Policies ... 77
  Deleting Policies ... 78

Chapter 9: Policy Design Examples
  Basic Layer 2 Point-to-Point Policy Example ... 79
  Layer 2 Ethernet Policy Using VLAN IDs ... 80
  Complex Layer 3 Policy Example ... 82
  Encrypt Traffic Between Regional Centers ... 82
  Encrypt Traffic Between Regional Centers and Branches ... 84
  Passing Routing Protocols ... 86

Chapter 10: Managing PEPs
  Editing Configurations ... 89
  Changing Settings on a Single Appliance ... 89
  Changing Settings on Multiple Appliances ... 89
  Refreshing Status ... 90
  Deleting PEPs ... 90
  Connecting Directly to a PEP ... 91
  Upgrading PEP Software ... 91
  About Upgrading PEP Software ... 91
  Upgrading PEP Software ... 92
  What to do if an Upgrade is Interrupted ... 94
  Configuring the Upgrade Timeout ... 95
  Checking Upgrade Status ... 95
  Configuring the Upgrade Concurrency Limit ... 95
  Configuring LDAP ... 95
  Restoring the Backup Filesystem ... 96
  Backup and Restore of ETM ... 97
  General Guidelines ... 97
  Backup components provided by ETM ... 98
  Hardware Server specifics ... 98
  Drive failures ... 98
  Other hardware component failures ... 99
  Damage to the ETM software or database ... 99
  Damage to the OS or filesystem ... 99
  Example backup and restore procedures ... 99
  Restoring to factory defaults
  VM Server specifics
  VMWare backup guide
  Understanding VM snapshots
  Best Practices for VM snapshots

Chapter 11: Configuring PEPs
  Identifying an Appliance
  Product Family and Software Version
  Appliance Name
  Throughput Speed
  Interface Configuration
  Management Port Addressing
  IPv4 Addressing
  IPv6 Addressing
  Auto-negotiation - All Ports
  Remote and Local Port Settings
  Transparent Mode
  Local and Remote Port IP Addresses
  Transmitter Enable
  DHCP Relay IP Address
  Ignore DF Bit
  Reassembly Mode
  Trusted Hosts
  SNMP Configuration
  System Information
  Community Strings
  TRAPS
  SNMPv2 Trap Hosts
  SNMPv3
  Generating the Engine ID
  Retrieving and Exporting Engine IDs
  Configuring the SNMPv3 Trap Host
  Users
  Logging Configuration
  Log Event Settings
  Defining Syslog Servers
  Log File Management
  Advanced Configuration
  Path Maximum Transmission Unit
  Non IP Traffic Handling
  CLI Inactivity Timeout
  Password Strength Policy
  XML-RPC Certificate Authentication
  SSH Access to the PEP
  PEP Users
  PEP User Roles
  Configuring the Password Enforcement Policy
  User Name Conventions
  Default Password Policy Conventions
  Strong Password Policy Conventions
  Cautions for Strong Password Enforcement
  Managing Appliance Users
  Adding PEP Users
  Modifying PEP User Credentials
  Deleting PEP Users
  Viewing PEP Users
  SNTP Client Settings
  IKE VLAN Tags
  OCSP Settings
  Certificate Policy Extensions
  Features Configuration
  FIPS Mode
  Enabling FIPS Mode
  Disabling FIPS
  Verifying FIPS Status on the PEP
  EncrypTight Manager Settings
  Encryption Mode Settings
  Factory Defaults
  Interfaces
  Trusted Hosts
  SNMP
  Logging
  Policy
  Advanced Features
  Hard-coded Settings

Chapter 12: Managing EncrypTight Manager Users
  About EncrypTight Manager User Accounts
  Managing EncrypTight Manager User Accounts
  Changing a Password
  How EncrypTight Manager Users Work with PEP Users

Chapter 13: Working with Logs
  About Logs
  About the Audit Log
  About the Task History
  About Activity Messages
  Viewing Logs
  Log Actions
  Logging Configuration
  Auditing and Logging Controls
  Configuring Auditing for XML-RPC Calls
  Configuring System Auditing
  Configuring the Syslog Server

Chapter 14: Using Enhanced Security Features
  About Enhanced Security Features
  About Strict Authentication
  Prerequisites
  Order of Operations
  Certificate Information
  Using Certificates in an EncrypTight System
  Configuring the Certificate Policies Extension
  Importing PEP Certificates into EncrypTight Manager
  Working with Certificates for the PEPs
  Understanding the PEP Certificates Page
  Certificates Workflow
  PolicyServer CA Certificate
  PolicyServer Certificate
  PolicyServer TLS Client
  PolicyServer Certificate Authority
  Certificate Distribution
  Directory Structure
  Customizing
  Generating the PolicyServer CA and Server Certificates
  Replacing the PolicyServer CA and Server Certificates
  Working with Certificate Requests
  Requesting a Certificate
  Installing a Signed Certificate
  Viewing a Pending Certificate Request
  Canceling a Pending Certificate Request
  Setting Certificate Request Preferences
  Exporting Certificates
  Deleting Certificates
  Validating Certificates
  Validating Certificates Using CRLs
  Configuring CRL Usage in EncrypTight Manager
  Configuring CRL Usage on PEPs
  Handling Revocation Check Failures
  Validating Certificates Using OCSP
  Configuring OCSP for EncrypTight Manager
  Configuring OCSP for PEPs
  Enabling and Disabling Strict Authentication
  Removing Certificates

Chapter 15: Using A Disaster Recovery Server
  About Disaster Recovery Servers
  Configuring a Disaster Recovery Server
  Configuring the Main Servers
  Backup and Restore of EncrypTight Manager
  General Guidelines
  Backup components provided by ETM
  Hardware Server specifics
  Other hardware component failures
  Damage to the ETM software or database
  Damage to the OS or filesystem
  Example backup and restore procedures
  Procedure 1. Backing up the entire filesystem
  Procedure 2. Restoring the complete filesystem, including the OS
  Alternative *nix backup methods
  Procedure 3. Backing up the ETM software and data
  Procedure 4. Restoring the ETM software and data
  Procedure 5. Backing up the ETM database
  Procedure 6. Restoring the ETM database
  Restoring to factory defaults
  VM Server specifics

Index

Preface

About This Document

Purpose
The EncrypTight Manager User Guide provides detailed information on how to install, configure, and troubleshoot EncrypTight Manager components, including the EncrypTight Manager software, EncrypTight servers, and Black Box ETEP appliances.

Intended Audience
This document is intended for network managers and security administrators who are familiar with setting up and maintaining network equipment. Some knowledge of network security issues and encryption technologies is assumed.

Assumptions
This document assumes that its readers have an understanding of the following:
- Black Box encryption appliance features, installation and operation
- Basic principles of network security issues
- Basic principles of encryption technologies and terminology
- Basic principles of TCP/IP networking, including IP addressing, switching and routing
- Personal computer (PC) operation, common PC terminology, use of terminal emulation software and FTP operations
- Basic knowledge of the Linux operating system

Conventions used in this document
- Bold: a menu item or button, or the name of a command or parameter
- Italics: a new term
- Monospaced: machine text, such as terminal output and filenames
- Monospaced bold: a command to be issued by the user

How to comment
Customer comments on Black Box documents are welcome. Send your comments to:
Black Box Corporation
1000 Park Drive
Lawrence, PA

Contacting Customer Support
Technical support services are accessible through the Black Box support center.
US (toll free): BBOX
International: outside U.S. call
Web:
FREE technical support 24 hours a day, 7 days a week: Call or fax

Chapter 1: EncrypTight Manager Overview

EncrypTight Manager is an innovative approach to network-wide encryption. EncrypTight Manager acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to Black Box encryption appliances.

Distributed Key Topologies
EncrypTight Manager centralizes the creation and distribution of encryption keys and policies. It handles the functions of policy management, key generation and distribution, and policy enforcement. By doing so, multiple Policy Enforcement Points (PEPs) can use common keys, while a centralized platform assumes the function of renewing keys at pre-determined intervals.

In this system, you use EncrypTight Manager to configure the PEPs, to create and manage policies, and to generate keys and distribute keys and policies to the appropriate PEPs. EncrypTight Manager provides the ability to delete, deactivate, and activate a group of policies. The PEPs encrypt traffic according to the policies and keys that they receive.

Figure 1 EncrypTight Manager components
Elements of Figure 1:
1) Management Layer - Create & manage policies and generate & distribute keys and policies
2) Network Layer - Traffic encryption

Using EncrypTight Manager, you can create distributed key policies for the network topologies shown in Table 1.

Table 1 Network topologies
Layer 3 IP topologies
  Hub and Spoke: In a hub and spoke network, a hub network communicates with the spoke networks and the spoke networks communicate only with the hub network.
  Multicast: In multicast transmission, one or more networks send unidirectional streams to a multicast network address. The multicast routers detect the multicast transmission, determine which nodes have joined the multicast network as destination networks, and duplicate the packet as needed to reach all multicast destination networks.
  Point-to-point: In a point-to-point network, one network sends and receives data to and from one other network.
  Mesh: In a mesh network, any network can send or receive data from any other network.
Layer 2 Ethernet topologies
  Mesh: For Ethernet, you can create policies for mesh networks. Note that if the network uses VLAN ID tags, you can also create policies for virtual point-to-point connections.

Regardless of topology, PEPs are typically located at the point in the network where traffic is being sent to an untrusted network or coming from an untrusted network. As an example, Figure 2 shows a hub and spoke network secured with EncrypTight Manager.

Figure 2 PEPs in a Hub and Spoke network
Elements of Figure 2:
A - C) PEPs
PEP A encrypts data traffic from Network A that goes to Networks B or C. PEP A also decrypts data that originates from Networks B and C. PEP B encrypts data from Network B that goes to Network A and decrypts data that comes from Network A. PEP C encrypts data from Network C that goes to Network A and decrypts data that comes from Network A.

EncrypTight Manager Platform
The EncrypTight Manager Platform performs various tasks, including:

Element Management
EncrypTight Manager allows you to provision and manage multiple Black Box appliances from a central location. It provides capabilities for appliance configuration, software updates, and maintenance and troubleshooting for your Black Box encryption appliances.

Policy Generation and Management
EncrypTight Manager creates and manages policies and monitors the status of the PEPs. For each policy it specifies:
- The PEPs that are controlled
- The networks each PEP protects
- The action that is performed (encrypt, send in the clear, or drop)
- The kind of traffic the policy affects

Key Generation and Distribution
Key generation and distribution functions are provided by EncrypTight Manager. EncrypTight Manager generates keys for each of the PEPs within its network. The keys and policies associated with its networks are distributed to the appropriate PEPs.

Policy Enforcement Point
Black Box encryption appliances provide policy enforcement functions, and are referred to generically as PEPs (policy enforcement points). According to the policies distributed by EncrypTight Manager, the PEPs can encrypt and decrypt traffic, send traffic in the clear, or drop traffic. Each PEP can be used in multiple policies simultaneously.

To securely transfer data between two PEPs over an untrusted network, both PEPs must share a key. One PEP uses the shared key to encrypt the data for transmission over the untrusted network, while the second PEP uses the same shared key to decrypt the data. Figure 3 illustrates the shared key concepts between two PEPs.

Figure 3 Shared keys
Elements of Figure 3:
A) PEP A
B) PEP B

In this example, traffic moves between two trusted networks: Network A and Network B. PEP A and PEP B work in unison to ensure data security as the traffic passes through an unsecured network. PEP A uses Shared Key 2 to encrypt all outbound traffic intended for Network B. PEP B uses the same shared key to decrypt all traffic inbound from Network A. Traffic flowing in the opposite direction is secured in the same manner using Shared Key 1.

EncrypTight Manager Policy Enforcement Points (PEPs) include:

Table 2 Black Box PEPs
Model: ET0010A, Black Box 0100A, ET0100A, ET1000A, ET10000A
Layer 2 Ethernet Encryption: X
Layer 3 IP Encryption: X

Point-to-Point Negotiated Topology
You can protect simple, point-to-point Ethernet links using EncrypTight Manager. Two PEPs can be configured with EncrypTight Manager to protect a Layer 2 Ethernet link. The policies and key are negotiated directly by the two PEPs, without requiring a centralized key generation and distribution tool. This option provides a simple, quick, and straightforward way to secure a single point-to-point Layer 2 Ethernet link. All you need to secure your traffic is EncrypTight Manager and two PEP encryption appliances.

The Black Box PEP can be managed in-line or out-of-band through a dedicated Ethernet management interface, as shown in Figure 4.

Figure 4 Layer 2 Point-to-Point Deployment
1) Layer 2 switch
2) PEP - local site
3) PEP - remote site
4) EncrypTight Manager management PC
L, R, M) Local (L), remote (R), and management (M) ports

Use EncrypTight Manager to create a Layer 3 point-to-point distributed key policy as one of several policies in a larger, complex EncrypTight Manager deployment.

Security Within EncrypTight
Because EncrypTight Manager generates keys that provide security throughout a network, it is critical that the EncrypTight Manager components also be secured.

Secure Communications Between EncrypTight Manager and PEPs
Each node in the distributed key system, the EncrypTight Manager management system, and the PEPs communicate policy and status information with other nodes. Given the distributed nature of networks, much of this communication occurs across public networks. EncrypTight Manager uses Transport Layer Security (TLS) to encrypt management traffic between EncrypTight Manager components. This protocol allows secure communication between the devices in the system while providing information about the secure stream to EncrypTight Manager. You can enhance that security by authenticating the management communications between EncrypTight Manager components using certificates.

Secure Key Storage
Key generation and key storage are critical to maintaining security in EncrypTight Manager. EncrypTight Manager uses the following mechanisms to protect the keys:
- Generates and sends nonce to PEP
- Optionally generates and stores nonce via hardware security module

Chapter 2: Working with the EncrypTight Manager User Interface

Logging into EncrypTight Manager
To log into EncrypTight Manager:
1 In the address box of your browser, type the EncrypTight Manager address, where xxx.xxx.xxx.xxx is the IP address of the EncrypTight server. The EncrypTight Manager Login window displays. There are tabs at the bottom of the login form to log into the main application or to the dashboard.
2 In the User Name box, type your user name. The default user name is admin.
3 In the Password box, type your password. The default password is admin.
4 Click Login.

Figure 5 Login Form

User Lockout based on failed login attempts
After a number of failed login attempts (X) within a time period (Y), ETM locks out a user for Z minutes. Current defaults are 5 failures, up to 5 minutes apart, which will cause a 60 minute lockout.

An administrator may unlock a locked out user from the UI. The lockout functionality must be explicitly enabled, but failed logins are tracked even if disabled. The failure count (X) must be greater than 0 if user login lockout is enabled. If the interval (Y) is set to 0, then failures will be cumulative, reset only after a successful login. If the lockout duration (Z) is set to 0, then no timer will be created to unlock the user login (i.e. the user has to be enabled by an administrator).

The EncrypTight Manager window consists of pages, panels, editors, and menus. Some pages include toolbars, and shortcut menus are available in many areas. When you first log in to the EncrypTight Manager, the Status page is displayed.
- Pages are used to present data and to perform a specific set of tasks.
- Panels group related items together, for example, Active and Saved policies.
- Toolbars provide quick access to commonly-used functions.
- Editors are used to add or modify EncrypTight elements and policies. EncrypTight has the ability to delete, deactivate, or activate a group of policies.
- Menus are used to access views and functions within the EncrypTight Manager software.

EncrypTight Manager Page
The EncrypTight Manager page displays the elements and settings that you work with to create policies and perform other tasks. Many pages display data in a grid format. To switch to a different page, use the menu (see Figure 6). Click a menu button to switch to the main page for that menu, or click the adjacent button to access a different page.

Figure 6 EncrypTight Manager Menu

Table 3 EncrypTight Manager menu
Home: Displays the Status page and the Portal page.
Policies: Displays security policies and policy elements such as PEPs, networks, and network sets.
PEPs: Displays the PEPs page, where you can add and modify PEPs.
Certificates: Displays the certificates page and provides tools for working with certificates.
Admin: Displays the Admin page, where administrators can create and manage user accounts. Other Admin pages provide access to the Audit logs and other functions.
Platform: Displays the Platform page, which provides tools for managing the EncrypTight system as a whole.
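The lockout rules described at the start of this page (X failures, Y-minute interval, Z-minute lockout, and the Y = 0 and Z = 0 special cases) worked through as an added Python example; this is not EncrypTight code. It assumes that the interval Y is the maximum gap between consecutive failures (the guide's "up to 5 minutes apart"), models time as plain minute counts so it runs offline, and names its own functions (is_locked, record_failure, record_success, admin_unlock); the user names in the usage are constructed.

```python
"""Login-lockout tracker modelled on the EncrypTight Manager rules above.

Added illustration, not EncrypTight code. Assumed semantics: X failed logins,
each no more than Y minutes after the previous one, lock the account for Z
minutes; Y == 0 makes failures cumulative until a successful login; Z == 0
means no unlock timer (administrator unlock only); failures are counted even
when lockout is disabled. Times are minute counts, not wall-clock values.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    enabled: bool = True
    max_failures: int = 5       # X: failures that trigger a lockout
    window_minutes: int = 5     # Y: max gap between failures; 0 = cumulative
    lockout_minutes: int = 60   # Z: lockout duration; 0 = admin unlock only

    def __post_init__(self) -> None:
        # The guide requires X > 0 whenever lockout is enabled.
        if self.enabled and self.max_failures <= 0:
            raise ValueError("failure count X must be greater than 0 when lockout is enabled")


@dataclass
class _UserState:
    failures: int = 0                       # consecutive failures in the current run
    last_failure: Optional[float] = None    # minute of the most recent failure
    locked_at: Optional[float] = None       # minute the lockout started, if any


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._users: Dict[str, _UserState] = {}

    def _state(self, user: str) -> _UserState:
        return self._users.setdefault(user, _UserState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while locked; with Z > 0 the lock expires once Z minutes have passed."""
        s = self._state(user)
        if s.locked_at is None:
            return False
        if self.policy.lockout_minutes > 0 and now - s.locked_at >= self.policy.lockout_minutes:
            s.locked_at = None          # timer expired: unlock automatically
            s.failures = 0
            return False
        return True                     # Z == 0: stays locked until admin_unlock()

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login. Returns True if this failure starts a lockout."""
        already_locked = self.is_locked(user, now)
        s = self._state(user)
        # Y > 0: a gap longer than Y minutes since the previous failure starts a new run.
        if (self.policy.window_minutes > 0 and s.last_failure is not None
                and now - s.last_failure > self.policy.window_minutes):
            s.failures = 0
        s.failures += 1                 # tracked even when lockout is disabled
        s.last_failure = now
        if not self.policy.enabled or already_locked:
            return False
        if s.failures >= self.policy.max_failures:
            s.locked_at = now
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Correct password presented. Refused (False) while locked; otherwise resets the run."""
        if self.is_locked(user, now):
            return False
        s = self._state(user)
        s.failures = 0
        s.last_failure = None
        return True

    def admin_unlock(self, user: str) -> None:
        """Manual unlock from the UI; the only way out when Z == 0."""
        self._users[user] = _UserState()

    def failure_count(self, user: str) -> int:
        return self._state(user).failures


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy())          # guide defaults: X=5, Y=5, Z=60
    for minute in (0, 4, 8, 12, 16):                   # five failures, 4 minutes apart
        print(minute, "lockout started" if tracker.record_failure("alice", minute) else "counted")
    print("locked at 17:", tracker.is_locked("alice", 17))
    print("locked at 76:", tracker.is_locked("alice", 76))
```

Because the tracker keeps the same counters the UI exposes, it is also a convenient reference when correlating audit-log login failures with the lockout events an administrator sees.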

Panels
Some pages include multiple panels. For example, the Policies page includes a Policies panel and a Resources panel (see Figure 7).

Figure 7 Resources panel

You can show and hide panels as needed. For example, you can hide the Resources panel by clicking the button. To display a hidden Resources panel, click the button again.

Sorting and Filtering
In some pages and tabs, such as the PEPs page, you can sort and filter the data. To sort a page, click a column header. Click again to toggle the sort order between ascending and descending.

In order to filter a page, you must display the header filters. To display or hide header filters:
1 Click on any column header and select Show Header Filters.

You can filter data to display only the items you want. The filtering criteria can include multiple fields. In text fields, the search is not case sensitive. You can use % as a wildcard to represent a string of characters. Exclude text by prefixing the search with an !. Also, you can search for null values by typing <null>.

In number fields, entering a single number searches for an exact match. You can use less than < and greater than > symbols to search for records smaller or larger than a specific value. For example, entering >100 returns all records with numbers greater than 100. You can specify a range of values by separating two criteria with a comma. For example, entering >100, <175 returns all records between 100 and 175. Note that these rules do not apply to fields containing IP addresses.

Date fields are similar. You can use less than < and greater than > symbols to search for records before or after a specific date. You can also specify a range of dates by separating two criteria with a comma. Date fields are represented as either yyyy-mm-dd or mm/dd/yyyy.

List fields use a drop-down, multi-select menu with checkboxes. You can select multiple values from the list and the EncrypTight Manager will return all rows that include any of the selected values.

In Boolean fields, you can select either True or False. In some cases, null is also an accepted value.

Figure 8 Example Header Filter box

To filter a view:
1 Click in the header filter box for the field by which you want to filter.
2 Type the data by which you want to filter or select values from a list. For example, you could enter 192 in the Management IP Address field to filter a list of PEPs to display only those with IP addresses that begin with 192.
3 Repeat for other fields that you want to add to the filter.
4 Click the Apply filters button or press Enter.
To remove filters, click the Remove all filters button, or delete the contents of the header filter box and press Enter.

Selecting Items
To create policies in EncrypTight Manager you will need to select items in order to make configuration changes or to use them in policies. To select an item in a grid, click on it or click on the checkbox next to it. You can select multiple items by pressing Ctrl and clicking on multiple items. To deselect an item, clear the checkbox. To select all items, click the Select all checkbox (indicated with the arrow in Figure 9).
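The header-filter syntax described above (text with % and !, <null>, number and date comparisons and ranges, both date layouts, multi-select lists, Booleans), implemented as an added Python example over a constructed PEPs grid; this is not EncrypTight code. It assumes that a text pattern matches from the start of the value (the guide's "begin with 192" example) and that filters on several fields combine with AND; the field names, the schema and the sample rows are constructed.

```python
"""Header-filter matcher modelled on the EncrypTight Manager filter syntax.

Added illustration, not EncrypTight code. Assumptions: a text pattern is a
case-insensitive prefix match (% = any run of characters, leading ! excludes,
<null> matches an empty cell); number and date filters accept an exact value,
>x, <x, or a comma-separated range; list filters match any selected value;
filters on several fields are ANDed. Field names and rows are constructed.
"""
import re
from datetime import date, datetime
from typing import Any, Callable, Dict, Iterable, List

NULL_TOKEN = "<null>"


def text_matches(value: Any, expr: str) -> bool:
    """Case-insensitive prefix match; % = any run of characters; leading ! excludes."""
    expr = expr.strip()
    if expr == NULL_TOKEN:
        return value is None
    negate = expr.startswith("!")
    if negate:
        expr = expr[1:]
    if value is None:
        return negate                       # an empty cell never matches a positive pattern
    pattern = "^" + ".*".join(re.escape(part) for part in expr.split("%"))
    hit = re.match(pattern, str(value), re.IGNORECASE) is not None
    return hit != negate


def _compare(value: Any, expr: str, parse: Callable[[str], Any]) -> bool:
    """Shared rule for number and date fields: exact, >x, <x, or a comma-separated range."""
    if expr.strip() == NULL_TOKEN:
        return value is None
    if value is None:
        return False
    for term in expr.split(","):
        term = term.strip()
        if term[:1] in ("<", ">"):
            op, bound = term[0], parse(term[1:].strip())
        else:
            op, bound = "=", parse(term)
        if op == ">" and not value > bound:
            return False
        if op == "<" and not value < bound:
            return False
        if op == "=" and value != bound:
            return False
    return True


def number_matches(value: Any, expr: str) -> bool:
    return _compare(value, expr, float)


def parse_date(raw: str) -> date:
    """Accept the two date layouts the guide names: yyyy-mm-dd or mm/dd/yyyy."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(raw.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {raw!r}")


def date_matches(value: Any, expr: str) -> bool:
    return _compare(value, expr, parse_date)


def list_matches(value: Any, selected: Iterable[str]) -> bool:
    """Multi-select list: the row matches if it holds any of the selected values."""
    return value is not None and bool(set(value) & set(selected))


def bool_matches(value: Any, expr: str) -> bool:
    expr = expr.strip().lower()
    if expr == NULL_TOKEN:
        return value is None
    return value is {"true": True, "false": False}[expr]


MATCHERS: Dict[str, Callable[[Any, Any], bool]] = {
    "text": text_matches, "number": number_matches, "date": date_matches,
    "list": list_matches, "bool": bool_matches,
}

# Constructed schema and rows standing in for a PEPs grid (not real EncrypTight data).
FIELD_TYPES = {"name": "text", "management_ip": "text", "throughput_mbps": "number",
               "last_seen": "date", "state": "list", "licensed": "bool"}
SAMPLE_PEPS = [
    {"name": "hq-pep-1", "management_ip": "192.168.10.5", "throughput_mbps": 250,
     "last_seen": date(2024, 3, 1), "state": ["up"], "licensed": True},
    {"name": "branch-pep-2", "management_ip": "192.168.20.7", "throughput_mbps": 100,
     "last_seen": date(2024, 2, 15), "state": ["up", "pending"], "licensed": True},
    {"name": "lab-pep-3", "management_ip": "10.1.1.9", "throughput_mbps": 50,
     "last_seen": None, "state": ["down"], "licensed": False},
]


def apply_filters(rows: Iterable[dict], filters: Dict[str, Any],
                  field_types: Dict[str, str] = FIELD_TYPES) -> List[dict]:
    """Return the rows that satisfy every header filter (filters combine with AND)."""
    return [row for row in rows
            if all(MATCHERS[field_types[f]](row.get(f), expr) for f, expr in filters.items())]


if __name__ == "__main__":
    for flt in ({"management_ip": "192"}, {"throughput_mbps": ">100, <1000"},
                {"last_seen": ">01/01/2024, <2024-02-28"}, {"name": "!%pep-3"}):
        print(flt, "->", [r["name"] for r in apply_filters(SAMPLE_PEPS, flt)])
```

The number rule is deliberately not applied to the IP address field: it is typed as text, which is why the guide's "192" example selects by prefix rather than by numeric value.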

Figure 9 Selected and Unselected PEPs

Working with Columns
In some views and tabs, you can rearrange the columns and select which columns you want to display.

To move a column:
1 Click and drag a column to the new location. Arrows display to indicate where the column will be located.

To select columns to display:
1 Click on any column header and select Columns.
2 Select the columns to show or hide.

To resize a column:
1 Click on the right edge of a column and drag to resize the column to a new size.

Toolbars
Toolbars provide access to frequently used functions. Toolbars/buttons are available in multiple views.

Table 4 PEPs View Toolbar
- Remove all filters.
- Apply filters.
- Add a new PEP.
- Edit the configuration of a PEP. Click to edit specific settings for multiple selected PEPs.
- Edit the configuration of the selected PEP.
- Refresh the status of selected PEPs.

Table 4 PEPs View Toolbar (continued)
- Compare the stored configuration with the configuration running on the PEP.
- Apply stored configurations to selected PEPs.
- Copy the configuration of a selected PEP.
- Allows you to view a summary of the current license, install a license on an appliance, or install all pending licenses.
- Run a remote command on a selected PEP.
- Delete selected PEPs.
- Import PEP configurations from a file.
- Displays the policies in which the selected PEP is used and provides access to other PEP-related policy functions.
- Exports the data displayed in the view to an Excel spreadsheet.
- Restores the grid view to a default configuration.

Editors
Editors allow you to add or change EncrypTight components and policies. When you first log in, no editors are open. You can open multiple editors at any time. Each opened editor appears as a tab in the window.

Figure 10 Editors

Some editors, such as the Policy editors, require a drag and drop operation. To enter a PEP, network, network set, or VLAN range into an editor, select the element and then drag it to the desired box on the editor. Once the element has been dragged to the editor, it is removed from the original tab. To delete elements from an editor, right-click on an element and click Remove (Remove Network Set, for example). After you remove an element from an editor, it becomes available again on the original tab.

When information in an editor has been changed but not yet saved, or when there is an error, EncrypTight Manager displays an indicator on the tab. As you work with policies and other elements, fields with errors are highlighted in red.

Viewing Status
The PEPs view indicates the status of the PEPs, but you can view the current status of your PEPs in a larger and more graphical manner by clicking Home. The left panel displays the number of PEPs in each possible state, while the right panel displays the status of each individual PEP, along with identifying information such as the name and location. You can filter the list in the right panel by status and location.

To filter the PEP list by status:
1 Click the State box and select a state.

To filter the PEP list by location:
1 Click in the Location box and type the location.

To clear the filters, click the clear button.

Understanding User Roles
EncrypTight Manager is a multi-user system. There are multiple roles with distinct capabilities that can be assigned to new users. In hierarchical order, the roles include:
- Platform Administrator
- Administrator
- User
- Appliance Admin
- Appliance Operator
- Policy Creator
- Policy Deployer

All users can change their own passwords, but users cannot edit the account settings for any user with more advanced privileges than they have. At least one Platform Administrator account must exist in the EncrypTight Manager. EncrypTight Manager will not allow you to delete the last remaining Administrator account. You can create as many Administrator and other user accounts as you need. You can learn more about user accounts and how EncrypTight Manager user accounts interact with PEP user accounts in Managing EncrypTight Manager Users on page 143.

Figure 11 New User Roles

Managing Licenses
The use and functionality of EncrypTight components are controlled through licenses. How the licenses work and the features available depend on the component.

27 Managing Licenses NOTE Licenses are required for PEPs with software version 1.6 and later. Previous versions of PEP software do not require licenses. A license is required for the EncrypTight Manager software. Each PEP is capable of transmitting traffic at a range of speeds that varies by model. Licenses control the throughput speed. This allows you to upgrade your existing PEPs to transmit traffic at higher speeds as your network grows and your needs change. Table 5 lists the available speeds for each PEP model. You can specify the throughput speed of the PEP on the Interfaces tab in the appliance editor. Table 5 PEP Throughput Speeds Model ET0010A VSE ET0100A VSE ET1000A VSE ET10000A VSE Available Throughput 3, 6, 10, 25, 50 Mbps 25, 50, 75, 100, 155, 250 Mbps 100, 155, 250, 500, 650 Mbps, 1 Gbps 500, 650 Mbps, 1, 2.5, 5, 10 Gbps You need to install a license on each PEP that you use. Licenses are linked to the serial number of the PEP on which they are installed. You cannot install a license intended for one PEP on a different PEP. Before you begin adding PEPs and using EncrypTight Manager, contact Customer Support to acquire your license key (see Contacting Customer Support on page 16). You need to provide the EncrypTight ID. To view the EncrypTight ID: 1 Choose Admin > License. Figure 12 EncrypTight ID If you upgrade from a command line-only installation to a full EncrypTight Manager deployment, you can no longer use the command line-only license and must acquire a EncrypTight Manager license. You cannot install licenses on your PEPs until you install a license for EncrypTight. The EncrypTight license specifies the maximum number of PEPs that can be managed in your deployment and the speeds at which they are licensed to run. The license specifically controls how many PEPs can be configured to run at each throughput speed. For example, one EncrypTight Manager deployment might run 10 ET0100As at 100 Mbps and an additional four ET0100As at 250 Mbps. 
When your needs change, you can easily upgrade EncrypTight Manager to support a larger number of PEPs.

Installing Licenses

You install and update licenses using the EncrypTight License Information view.

To enter EncrypTight licenses:
1 Choose Admin > License.
2 Enter the license key in the New License box.
3 Click Enter License.

After you enter a license for EncrypTight Manager, you can install licenses on your PEPs. The PEP license specifies the speed at which the PEP can transmit traffic.

To install a license on the PEP:
1 In the PEPs view, select the PEPs on which you want to install licenses.
2 Click and choose Install License.
3 When you are prompted for confirmation, click Yes.

You can also install the license on the PEP when you apply configurations, by selecting the Check to also install a throughput license option.

NOTE You can check whether a license is installed, and the throughput speed configuration, by clicking Diff Config. Be aware that CLI commands that affect the file system, such as restore-filesystem, erase the currently installed license; you will need to re-install the license to regain full functionality.

Upgrading Licenses

When your needs change, you can upgrade the number of PEPs that EncrypTight Manager can manage, and you can also upgrade your PEPs to run at faster throughput speeds.

Upgrading the EncrypTight Manager License

When you upgrade the EncrypTight Manager license, the new license replaces the old one. Contact Customer Support to acquire a new license. When you receive the new license, follow the procedure for entering EncrypTight Manager licenses (see To enter EncrypTight licenses: on page 28). For information on how to contact Customer Support, see Contacting Customer Support on page 12.

Upgrading PEP Licenses

You can upgrade PEP licenses in order to configure the PEPs to run at faster throughput speeds. After you install a new EncrypTight Manager license, use the same procedure for installing a license on the PEP to upgrade the PEPs. After installing the licenses, open the appliance editor for each affected PEP and change the Throughput Speed to the new value.
For more information about configuring PEPs, see Provisioning PEPs on page 35 and Configuring PEPs on page 103. You can upgrade a PEP whenever you have unused licenses for speeds that the selected PEP can support. Once a license for a specific throughput speed is installed on a specific PEP, it cannot be used on any other PEP.

Logging Out

To maintain security, you should log out and close your browser when you stop working with the EncrypTight Manager software.

To log out:
1 Click Logout.


3 Provisioning PEPs

Provisioning Basics

EncrypTight Manager can be used either to adopt a PEP that is already installed in your network or to add a pre-provisioned PEP. An adopted PEP is added to EncrypTight Manager with the configuration saved on the appliance, while a pre-provisioned PEP is manually configured using the EncrypTight Manager PEP editor.

When pre-provisioning a new PEP, the first thing to do is select its product family and software version. EncrypTight Manager displays a tabbed configuration screen tailored to the specified model and software version. On most models the Interfaces tab contains the fields required to identify an appliance: its name and interface IP addressing information. Many settings are optional, but to use a PEP with EncrypTight Manager, there are specific settings that must be configured. See Configuring PEPs for Use with EncrypTight on page 33 for a list of these settings.

Select other tabs to configure additional items on the appliance, such as SNMP settings or logging. The availability of specific tabs and configuration options varies depending on your appliance model and software version.

Other than the interface IP addresses, many appliance settings will be the same for all Black Box appliances in your network. For these cases you can customize the default configuration to use on your appliances. This offers a significant time saving if you are provisioning a large number of appliances. Another time-saving feature that is useful in large deployments is EncrypTight Manager's ability to import basic configuration information from an Excel spreadsheet or a comma-separated values (CSV) file.

Adopting a PEP

You can add a PEP that has been configured previously and copy the previous configuration settings into EncrypTight Manager. You cannot adopt a PEP that has a name or IP address that is already used in the system.

To adopt a PEP:
1 Click on the PEPs menu and select Add PEP, or click . The Add PEP menu opens.

Figure 13 Add PEP Menu ET0100-XSA

2 In the PEP (mgmt IP address) box, type the IP address of the management port.
3 In the Name box, enter a unique name for this PEP.
4 Enter a User ID and Password.
5 Check Adopt.
6 Click Add. EncrypTight Manager queries the PEP to determine the configuration and then opens an editor where you can make any necessary changes.

Figure 14 PEP Editor

7 When you finish making changes, click Save.

Pre-Provisioning an Appliance

Adding a new appliance in EncrypTight Manager is the first step in being able to manage it remotely. Configuration screens are tailored to a particular combination of hardware and software, so it is important to select the correct product family and software version when adding a new appliance.

To pre-provision an appliance:
1 Click PEPs to open the PEPs view.
2 Click on the PEPs menu and select Add PEP, or click .
3 The Add PEP box opens. In the PEP (mgmt IP address) box, type the IP address of the management port.
4 In the Name box, enter a unique name for this PEP.
5 Enter a User ID and Password.
6 In the Subnet Mask and Default Gateway boxes, enter the appropriate values.
7 From the PEP Type box, select the model.
8 From the PEP Software Version box, select the version of the software currently running on the PEP.
9 Click Add. EncrypTight Manager opens a PEP editor where you can configure other settings (see Figure 14).

Configuring PEPs for Use with EncrypTight

While your network and deployment needs might call for a number of additional configuration options, Table 6 lists the settings required to use a PEP in an EncrypTight system.

Table 6 EncrypTight Manager PEP configuration

Configuration: Network interfaces
Description: On the Interfaces tab, configure the management, local and remote port settings of the PEP. If the PEP and the EncrypTight servers are on different subnets, specify a default gateway that the PEP can use for communications.

Configuration: Enable passing TLS in the clear
Description: On the Features tab, enable passing TLS in the clear. If this is not enabled, communications between EncrypTight components will not pass through this PEP.

Configuration: Encryption Mode
Description: On the Features tab, specify whether the PEP should operate as a Layer 2 (Ethernet) PEP or a Layer 3 (IP) PEP.

Configuration: Enable SNTP for time synchronization
Description: On the Advanced tab, click Enable SNTP and enter the IP address of the NTP service.
If you enable an SNTP client on the PEP, provide the address of the most reliable server available, one that retrieves time from a stratum 3 or higher clock source. If the EncrypTight components are not synchronized with a reliable clock source and the time difference between components is significant, policies and keys can expire before they would normally be renewed, and traffic can be dropped or mistakenly passed in the clear. EncrypTight Manager supports clock skew detection during refresh: the PEP state indicates whether the PEP clock is out of sync with EncrypTight Manager by more than 10 minutes.

For complete information about PEP configuration, see Configuring PEPs on page 103.

Saving PEP Configurations

You can save an appliance configuration at any time during the configuration process. PEP configurations are saved as part of the ETM database. A red dot on the editor tab indicates that there are unsaved changes or that a field contains an invalid value. EncrypTight Manager provides several ways to save PEP configurations.

Table 7 Saving appliance configurations

Option      Description
OK          Saves the configuration and closes the PEP editor tab.
Save        Saves the configuration.
Save & New  Saves the current configuration, closes the PEP editor tab, and opens the Add PEP menu.

NOTE EncrypTight Manager will not save a configuration that contains an error or an invalid entry. All three buttons (OK, Save, and Save & New) are disabled if there are any errors. EncrypTight Manager highlights fields that contain an error in red; in addition, there is hover text for the error fields, and a popup notification dialog in the lower right corner lists all of the errors on the form.

Applying Configurations

After you define the configuration for each PEP, you can apply the configuration to the targeted PEPs.

To apply configurations to PEPs:
1 In the PEPs view, select the target PEPs.
2 Click to apply stored configurations to the selected PEPs, or right-click and select Apply Config.
3 When you are prompted for confirmation, click Yes.

Success or failure of the operation is indicated in the Management Activity panel, with a brief description.

Viewing PEP Status

The PEPs view displays information about each PEP, such as its operational status, name, IP addresses, product family, software version, and location (see Table 12 for a list of the available columns). EncrypTight Manager tracks three types of status related to each PEP:

Configuration state - Indicates whether the current configuration on the PEP matches the configuration stored on the server. For more information, see Table 8.
PEP state - Indicates the operational status of the PEP.
For more information, see Table 9.
Reachability state - Indicates whether the PEP is reachable. For more information, see Table 9.
Policy state - Indicates whether the policies currently being enforced on the PEP match the policies stored on the server. For more information, see Table 10.

You can always get the latest status of a PEP by clicking and selecting a Refresh Status command. For more information about options for refreshing status, see Refreshing Status on page.

Table 8 Configuration states

Status  Description
(icon)  Indicates that the configuration stored in EncrypTight Manager matches the current configuration on the PEP.
(icon)  Indicates that the configuration stored in EncrypTight Manager is different from the current configuration on the PEP. You can compare the configurations to view the discrepancies (see Comparing Configurations on page 36).
(icon)  Indicates that EncrypTight Manager does not know the configuration of the PEP. EncrypTight Manager has not yet queried the PEP or the PEP has not responded.

Table 9 PEP states

Status                        Description
Pre-Provisioned               Indicates that the configuration for this PEP has been saved in EncrypTight Manager, but not yet applied to the PEP. This allows you to create a configuration for a PEP before it is installed and connected to your network.
Undefined
Error                         The PEP is in an error state. See the Installation Guide for the PEP for information about error diagnostics and recovery.
Up and Operational            Indicates that the configuration stored in EncrypTight Manager is the same as the configuration on the PEP and the PEP is reachable.
Reboot Required               Indicates that the PEP must be rebooted to apply changes. You might see this state after you have updated the software installed on a PEP, for example.
Reload Required               Policies must be reloaded for them to take effect.
Control Plane Not Responding  Indicates that you might not be able to communicate with or control the PEP. You might need to physically power down the PEP and restart it.
Booting                       The PEP is starting up.
Reloading Policies            Indicates that the PEP is in the process of reloading the policies.
Failure State                 Indicates that the PEP has entered a failure state and might be discarding traffic. You should shut down the PEP and contact Customer Support (see Contacting Customer Support on page 12).
Stopped                       Indicates that the PEP has been shut down. This is not an error state.
                              Note that although it is possible to shut down a PEP from within the EncrypTight Manager software, you must have physical access to the device to start it.
Upgrading                     Indicates that the software on the PEP is in the process of being upgraded.
Deleting                      Indicates that the PEP is being deleted from the system.
Unknown                       EncrypTight Manager does not know the status of the PEP. EncrypTight Manager has not queried the PEP or the PEP is not responding.

Table 10 Policy states

Status  Description
(icon)  Indicates that the policies stored in EncrypTight Manager match the current policies on the PEP.
(icon)  Indicates that the policies stored in EncrypTight Manager are different from the current policies on the PEP.
(icon)  Indicates that EncrypTight Manager does not know the policy status of the PEP. EncrypTight Manager has not yet queried the PEP or the PEP has not responded.

Controlling the Status Refresh Interval

EncrypTight Manager automatically refreshes the status of your PEPs at periodic intervals. Depending on your needs, you might want to adjust the frequency of these checks. The basic refresh simply determines whether the PEP is reachable. The checks for the status (health) and configuration state of a PEP take longer and are controlled separately; they are expressed as multiples of the basic reachability check. The frequency of the status refresh is controlled by three settings on the Configuration view:

Table 11 Auto Refresh Configuration Settings

Setting                    Description
PEP Ping Interval Seconds  The interval, or cycle, at which EncrypTight Manager checks the status of the PEP. The default is every 300 seconds (5 minutes).
PEP Ping Diff Frequency    The interval at which EncrypTight Manager queries the PEP for configuration information. The default is every 10 cycles.
PEP Ping Status Frequency  The interval at which EncrypTight Manager queries the PEP for status. The default is every 5 cycles.

You must be logged on as an administrator to make these changes.

To configure the auto refresh interval:
1 Click Admin - EncrypTight Configuration.
2 Locate the group PEP Auto Refresh Configuration.
3 To edit a value, double-click the item, enter the new value, and click Update. For details on the settings, see Table 11.

Comparing Configurations

When the configuration of a PEP stored in EncrypTight Manager differs from the configuration in operation on the appliance, the appliance configuration status indicates the difference (see Table 8). EncrypTight Manager provides a side-by-side comparison so you can see how the two configurations differ and determine which is correct. After determining the correct configuration, you can either copy settings from the appliance to EncrypTight Manager or push the EncrypTight Manager configuration to the appliance. You can also compare the configurations of two selected PEPs and copy settings between them.
This can be helpful in troubleshooting if you want to compare the settings of two PEPs to make sure they are configured similarly.

Figure 15 Compare the EncrypTight Manager and appliance configurations

To compare and update configurations:
1 In the PEPs view, select the PEP or PEPs that you want to check.
2 Click or right-click and select Diff Config. The Config Diff window opens. The items that differ are listed first. Some configuration items contain too much information to display on a single line; to view complete information for a truncated item, double-click the line.
3 Do one of the following:
  To copy specific configuration settings from a PEP to EncrypTight Manager or to another PEP, select the items to copy and click . The status changes to indicate that the configuration items are synchronized.
  To copy all configuration settings from a PEP, click .
  To revert a selection to its condition before changes were made, click Revert Selection. This reverts any previous changes made to the selected rows. It can be used to correct a value pulled over in error, or to streamline the process of pulling over all but one or two values (otherwise, you would have to close the window and start over, which is very time consuming). For example, to pull over all of the values except the throughput speed, click the Apply All Diffs button, select the throughput speed row, and then click the Revert Selection button before clicking Apply.
4 Click Apply to apply any changes you made in the Config Diff window and update the configuration in EncrypTight Manager.

Customizing the PEPs View

You can sort and filter the PEPs view to display the information in which you are most interested, and you can select the columns that you want to display.

To sort the PEPs view:
1 Click any column header. Click again to sort in the reverse order.

To filter the PEPs view:
1 Click in the header filter box (see Figure 8) for the column on which you want to filter and do one of the following:
  Type all or part of a value.
  If the field has preset options, click and select the values you want to include.
2 Repeat for each field that you want to include in the filter.
3 Click .

To display or hide columns:
1 Click on any column header. From the menu, click Columns and then click the column that you want to display or hide. Clear the check box to hide a column. Repeat for each column that you want to display or hide.

Table 12 Columns available in the PEPs view

Column                Description
Name                  Indicates a unique name assigned to the PEP.
Config State          Indicates the configuration status of the PEP. For a list of possible configuration states, see Table 8.
State                 Indicates the operational status of the PEP (see Table 9).
Reachable             Indicates whether the system can communicate with the PEP.
Policy State          Indicates whether the policies being enforced by the PEP match those stored in EncrypTight Manager.
Mgmt IP Address       Indicates the IP address of the management port on the PEP. This is the address that EncrypTight Manager uses to communicate with the PEP.
Mgmt NAT IP Address   Indicates whether a PEP has a NATed management IP address. Displays "nat-ip-addr (real mgmt ip addr)".
Mgmt IPv6 Address     Indicates the IPv6 address of the management port on the PEP.
Transparent Mode      Indicates that the original packet header is used as the source.
Local IP              Indicates the IP address of the local port of the PEP, if assigned. The local port connects to a trusted network.
Remote IP             Indicates the IP address of the remote port of the PEP, if assigned. The remote port connects to an untrusted network.
Throughput Speed      Indicates the current throughput speed of the PEP.
Mode                  Indicates whether the PEP is operating as a Layer 2 PEP (Ethernet) or a Layer 3 PEP (IP).
Version               Indicates the version of the software installed on the PEP.
Type                  Indicates the hardware model of the PEP.
Serial Number         Indicates the serial number of the PEP.
Admin User            Indicates the name of the Admin user.
Tag                   Indicates the user-assigned tag.
Location              Indicates the location of the PEP.
City                  Indicates the city in which the PEP is located.
ST                    Indicates the state in which the PEP is located.

Table 12 Columns available in the PEPs view (continued)

Column                Description
SNMP Name             Indicates SNMP name information.
SNMP Contact          Indicates SNMP contact information.
SNMP Location         Indicates SNMP location information.
NTP?                  Specifies whether the PEP synchronizes with an NTP server.
NTP Server            Indicates the IP address of the NTP server with which the PEP synchronizes.
Install TLS Rule      Indicates the TLS rule to be installed.
FIPS Enabled          Indicates that FIPS has been enabled.
Strict Auth?          Indicates whether strict authentication is enabled on the PEP.
Last Config Sync      Indicates the date and time when the PEP configuration was in sync with the EncrypTight Manager server.
Create Time           Indicates the date and time the PEP was added.
Last Update           Indicates the date and time the PEP configuration was last updated.
Last Update By        Indicates the name of the user who last updated the PEP configuration.
OID                   Indicates the Object Identifier of the PEP.

Rebooting PEPs

Occasionally, you might need to reboot a PEP. Because rebooting a PEP interrupts traffic processing, you should plan the timing of any reboots carefully.

CAUTION Rebooting halts all operations on a PEP and interrupts data traffic on its local and remote ports. Rebooting takes several minutes, and during this time all traffic is discarded.

To reboot PEPs:
1 In the PEPs view, select the target PEPs.
2 Right-click and, from the shortcut menu, select Reboot.
3 At the confirmation prompt, click Yes.

After rebooting, you can check the status of a PEP by clicking Refresh and selecting a type of refresh.

Provisioning Large Numbers of PEPs

If you have many PEPs to add to EncrypTight Manager, entering each configuration individually can be time-consuming. Fortunately, EncrypTight Manager offers tools to help streamline the provisioning of appliances in large deployments. The general workflow is as follows:

1 Customize configuration templates for each PEP model and software version combination that you need.
You can use configuration templates to configure specific settings common to whole groups of PEPs.
2 Enter the basic information for the PEPs into an Excel spreadsheet or CSV file and import the file into EncrypTight Manager. At a minimum this can include the name and IP address of your PEPs.

Another timesaver is the ability to adopt a PEP. Adopting a PEP copies the existing configuration of the PEP to EncrypTight Manager. Unlike using a configuration template, when you adopt a PEP the configuration settings are those that existed previously on the PEP, not those set up in the template. For more information, see Configuring PEPs for Use with EncrypTight on page 33.

Working with Configuration Templates

Each PEP requires a unique name and management port IP address, but many other settings will be the same for all of your PEPs. EncrypTight Manager allows you to define your own set of default settings to be used in all appliances of a particular model and software version level. You can save these settings as a template, and whenever you add a new PEP of that model and software version, your default settings are automatically included.

Creating PEP Templates

Using a customized default configuration offers a significant time saving when you are provisioning a large number of appliances. Add settings that are common to all appliances of a particular model and software version, such as the NTP server, EncrypTight Manager settings, syslog servers, or the password that EncrypTight Manager uses to access the appliances.

To create a new template:
1 From the PEPs menu, select Templates.
2 In the PEP Templates view, click .
3 In the Add PEP Template box, select the PEP Type and the PEP Software Version.
4 If necessary, enter a User ID and Password.
5 In the PEP Template editor, assign default values to the appropriate fields.
6 When you finish, click Save.

Customizing PEP Configuration Templates

You can change the settings in a configuration template as needed. Changing a template has no effect on PEPs that are already deployed.

To customize the default configuration:
1 From the PEPs menu, select Templates.
2 In the PEP Templates view, select the template that you want to customize and click .
3 In the template editor, make the changes that you need on each tab.
4 Click OK.

NOTE EncrypTight Manager will not save a configuration template that contains an error or an invalid entry. The OK and Save buttons are unavailable if an error is detected. EncrypTight Manager highlights fields that contain an error in red.

Copying PEP Template Configurations

For a quick start, you can copy the configuration of an existing template and change it to meet your needs. The copy must be for a different model of PEP or a different software version.

To copy a configuration:
1 Select the PEP Template with the settings that you want to reuse.
2 Click .
3 In the Copy PEP Template box, select a different PEP Type or a different PEP Software Version, or both.
4 Click Copy. All applicable settings from the existing template are copied to a new PEP template.

Comparing PEP Templates

If you have two PEP templates that are similar, it can be helpful to compare them to discover the differences.

To compare PEP templates:
1 Select the templates that you want to compare and click . EncrypTight Manager displays the settings for the two configuration templates side by side in one window.

Deleting PEP Templates

You can delete PEP templates that you no longer need. For example, if you have templates for PEPs that used an older software version, you no longer need those templates. You can edit them to serve new purposes, or delete them.

To delete a PEP template:
1 Select the PEP Template that you want to remove and click .
2 Click Yes when you are prompted for confirmation.

Importing Configurations from an Excel File

When you have a large number of appliances to add to EncrypTight Manager, you can save time by entering the basic appliance information in an Excel file and then importing the data into EncrypTight Manager.

Creating the Import File

To create the import file, enter the data in Excel and save it. In the CSV file, commas separate one field from the next. If the import file contains configuration information for PEPs that have already been added to EncrypTight Manager, you can choose to merge the new information with the existing definitions. Otherwise, EncrypTight Manager rejects the duplicate configurations.

To import appliance configurations from Excel into EncrypTight Manager:
1 Create an Excel file containing the new appliance configuration data. In EncrypTight Manager, click to Export grid to Excel.
2 Modify and/or add PEP configuration information as needed and save the Excel file.
3 In EncrypTight Manager, click Import PEPs.
4 In the Import PEPs box, click Browse and select the file to import.

Checking the Time on New Appliances

After importing configurations into EncrypTight Manager and pushing them to the appliances, refresh the appliance status. On the PEPs Configuration page, check the date and time of the new appliances. If the timestamp of any new appliance differs from the management system's time by more than five minutes, edit the appliance to correct the date and time. When the appliance time differs from the actual time by more than several minutes, the appliance can have trouble synchronizing with the NTP time server. Time synchronization is essential for proper operation in an EncrypTight deployment.

Shutting Down Appliances

It is important that a proper system shutdown is performed before powering off PEPs. The shutdown operation halts all running tasks on the PEP and prepares it for being powered off. Failure to perform a shutdown may lead to file system corruption and potential appliance failure.

Additional Configuration Options

While the basic settings needed to add and configure a PEP for use in an EncrypTight system will meet the needs of many users, there are numerous other configuration options that you can take advantage of when needed (see Chapter 11, Configuring PEPs). These include, but are not limited to:

Using IPv6 addressing
Configuring the remote and local ports (non-transparent mode)
SNMP settings
Syslog reporting
FIPS mode

4 Managing Networks

In EncrypTight Manager, networks are the IP networks that you want to protect. One or more of these networks are combined with one or more PEPs to make a network set. Network sets are treated as a single network entity within IP policies. Networks are added, modified, and deleted using the Networks panel in the EncrypTight Manager Policy view.

Figure 16 Networks used in a network set

Elements in Figure 16:
1A, 1B) PEPs
2A, 2B) PEPs

Adding Networks

When you add networks, you need to know the IP address and subnet mask of each network. If you have a large number of networks to add, you can import a list from an Excel file (or a CSV file). For more information, see Importing Networks and Network Sets on page 53.

To add a network:
1 Display the Networks panel, if needed. The Networks panel lists all of the networks that have been added. You can sort the list of networks by IP address or network mask by clicking a column header.
2 Click Add Network.
3 In the IP Address box, type the IP address of the network.
4 In the Mask box, type the network mask. You can use non-contiguous masks on PEPs with software version 1.4 or later.

5 Click Save.

TIP You can use a network mask of to specify an individual address, or host. For example, you might want to do this for traffic from devices such as a Lotus Notes server that needs to be sent in the clear.

TIP EncrypTight Manager accepts non-contiguous network masks, which allow you to create policies between particular addresses in your network. For example, a network of with a mask of allows all devices with an IP address of 10.x.x.1 to be managed by a particular policy. See Using Non-contiguous Network Masks on page 45 for more information.

Advanced Uses for Networks in Policies

If you are familiar with network addressing and network masks, you can use subnetting to make your policies more efficient:

Use supernetting to reduce the number of SAs and keys on each PEP in large deployments.
Use non-contiguous network masks to apply policies to a specific IP address scheme.

Grouping Networks into Supernets

When working with large networks, each PEP can end up with a considerable number of security associations (SAs) and keys. One way to avoid this is to look for subnetworks within each network set that have contiguous addressing. You can combine these subnets to reduce the number of SAs and keys on each PEP. In Figure 17, if you set up each of these networks as a separate network in EncrypTight Manager, and the policy encrypts traffic between these two networks and five other networks, the PEP for this network set would contain 10 SAs and keys for each direction.

Figure 17 Two networks with contiguous addressing

As illustrated in Figure 18, the two networks with subnet mask and with subnet mask could be grouped into one network with subnet mask.

Figure 18 Two networks with contiguous addressing defined as a supernet

If you group the two networks into a supernet and the policy encrypts traffic between these two networks and five other networks, the PEP for this network set would contain only five SAs and keys for each direction, instead of 10.

NOTE Where the subnetwork addresses are not completely contiguous, grouping these networks can result in the inclusion of an unintended subnetwork.

Using Non-contiguous Network Masks

Non-contiguous masks are useful when you want to create a policy for devices in a network that have a specific octet within their IP address. Non-contiguous network masks are available on PEPs with software version 1.4 and later.

The following example demonstrates the use of non-contiguous network masks to pass unencrypted traffic from specific addresses while encrypting everything else. Figure 19 depicts a mesh network in which all traffic on each subnet is encrypted. A router is located on each PEP's remote port, which means that all traffic to it is encrypted. However, the router port that is connected to the PEP's remote port is the default gateway for the site. In order to manage the router, traffic from the laptop needs

46 Managing Networks to pass in the clear. VoIP traffic also needs to pass in the clear. Each site uses IP addresses of x.x.x.129 and x.x.x.1 for the default gateway. Figure 19 Networks with non-contiguous network masks are used in a bypass policy that encompasses all the x.x.x.1 and x.x.x.129 addresses Defining networks with non-contiguous masks allows you to create a single bypass policy that encompasses all the.1 and.129 addresses, enabling the local sites on the x.x network to manage the devices on the remote port side of the PEP. By defining the networks as shown in Table 13, you eliminate the need to create individual bypass policies for each subnet in the network. Table 13 Networks definitions IP Address Network Mask (laptops) (VoIP phones) (any traffic on this network) NOTE When you use non-contiguous network masks, the network set must include a PEP that supports the feature (PEP v.1.4 and later). In addition, all network sets in a policy must include supporting PEPs. EncrypTight Manager prevents you from dragging non-supporting elements into a network set or policy when non-contiguous networks masks are in use. Editing Networks To edit an existing network: 1 In the Networks panel, select the network that you want to modify. 2 Right-click and choose Edit. 3 Make your changes and click Save. 46 EncrypTight Manager User Guide
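The supernet grouping and non-contiguous mask rules discussed earlier in this section can be checked before you define the networks in EncrypTight Manager. The Python script below is an added example and is not part of this guide or of the EncrypTight software. Every address and mask in it is a constructed sample, including the reading of the "10.x.x.1" example as network 10.0.0.1 with mask 255.0.0.255. It finds the smallest single block covering a list of networks and reports any address space that block pulls in unintentionally (the supernet NOTE above), tests an address against a non-contiguous mask, tells you whether a mask needs the PEP 1.4 feature at all, and recomputes the two-by-five SA count from the Figure 17 discussion.

```python
"""Added example (not EncrypTight code): supernet checks, non-contiguous
mask matching and a per-direction SA estimate for the cases discussed in
this chapter. All addresses and masks below are constructed samples."""
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network


def supernet_of(nets: Iterable[str]) -> Tuple[IPv4Net, List[IPv4Net]]:
    """Smallest single CIDR block that covers every network in `nets`,
    plus the sub-ranges of that block that none of the inputs cover.
    An empty second element means the block is an exact supernet; a
    non-empty one is the unintended subnetwork the guide warns about."""
    networks = [ipaddress.IPv4Network(n) for n in nets]  # strict: host bits must be zero
    if not networks:
        raise ValueError("no networks given")
    lo = min(n.network_address for n in networks)
    hi = max(n.broadcast_address for n in networks)
    # Widen the aligned block containing the lowest address until it also
    # holds the highest one; the first hit is the smallest covering block.
    block = ipaddress.IPv4Network(f"{lo}/32")
    while hi not in block:
        block = block.supernet()
    # Subtract each input from the block; whatever remains is uncovered.
    # CIDR blocks are either nested or disjoint, never partially overlapping.
    uncovered = [block]
    for n in networks:
        remaining = []
        for piece in uncovered:
            if n.subnet_of(piece):
                remaining.extend(piece.address_exclude(n))
            elif not piece.subnet_of(n):
                remaining.append(piece)
        uncovered = remaining
    return block, sorted(uncovered)


def matches_mask(addr: str, network: str, mask: str) -> bool:
    """Masked compare that works for any mask, contiguous or not.
    With network 10.0.0.1 and mask 255.0.0.255 this selects every 10.x.x.1."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (n & m)


def is_contiguous_mask(mask: str) -> bool:
    """True for a CIDR-style mask (ones followed by zeros). A mask that fails
    this test is non-contiguous and needs a PEP at version 1.4 or later."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = (~m) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


def sa_count_per_direction(local_networks: int, remote_networks: int) -> int:
    """SAs per direction on a PEP whose network set holds `local_networks`
    networks, under a policy that pairs each with `remote_networks` others
    (the guide's 2 x 5 = 10 example; one combined supernet gives 1 x 5)."""
    return local_networks * remote_networks


if __name__ == "__main__":
    block, gaps = supernet_of(["10.1.0.0/24", "10.1.2.0/24"])
    print(block, "unintended:", [str(g) for g in gaps])
    print(matches_mask("10.20.30.1", "10.0.0.1", "255.0.0.255"))
    print(sa_count_per_direction(2, 5), "->", sa_count_per_direction(1, 5))
```

Feed `supernet_of` the networks you are about to merge: if the second element is non-empty, the only block that covers them also covers addresses you did not list, which is exactly the case where a supernet changes what the policy matches.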

Deleting Networks

Occasionally, you might want to delete a network. For example, if the structure of a network changes, the network you set up in EncrypTight Manager might no longer be needed.

CAUTION Do not delete any networks currently used by any network sets. Prior to deleting a network, modify any network sets using that network to use another network. If you delete a network that is currently used in a policy or a network set, you can create configuration errors that might prevent you from deploying your policies. In this case, check the Policy view to find the components with configuration errors. Correct the errors and then redeploy the policies.

To delete a network:

1 In the Networks panel, select the network that you want to remove.
2 Right-click and choose Delete.
3 Click Yes at the confirmation prompt.


Chapter 5: Managing Network Sets

A network set is a collection of IP networks and the associated PEPs. A network set is treated as a single entity in a policy.

Figure 20 Network Sets
Elements in Figure 20: 1A, 1B) PEPs; 2A, 2B) PEPs

Figure 20 shows two network sets. Network Set A contains two networks protected by two PEPs, and Network Set B contains one network protected by two PEPs.

Types of Network Sets

The following examples illustrate the different types of network sets:

Subnet
Load balanced network
Collection of networks
A network set that does not contain any PEPs

Figure 21 Network set for a subnet

Figure 21 illustrates a network set consisting of a single network and a single PEP. In EncrypTight Manager, this network set would include PEP 1 and the network IP address and mask.

Figure 22 Network set for a load balanced or redundant network

Figure 22 illustrates a load balanced or redundant network with multiple access paths to a single network through two PEPs. In EncrypTight Manager, this network set includes both PEP 1 and PEP 2, and the network IP address and mask.

Figure 23 Network set for a collection of networks

Figure 23 illustrates a network set comprised of two networks and two PEPs. In EncrypTight Manager, this network set includes both PEP 1 and PEP 2, and both network IP addresses and masks.

Figure 24 Network set that does not include a PEP

A network set does not have to include any PEPs. This is useful if you have PEPs that are encrypting traffic between two routers that need to exchange routing protocols. If the PEPs are encrypting all traffic, the routers cannot see the information in the routing packets. To allow the routers to exchange routing information, create a clear policy for the routing protocol, for example OSPF (protocol 89). Create one network set with a wildcarded network ( ) that includes PEP 1 and PEP 2. Create a second network set with a wildcarded network ( ), but without any PEPs. Using these two network sets, you can then create a point-to-point policy that passes protocol 89 packets in the clear.

Adding a Network Set

To add a Network Set:

1 In the Network Sets panel, click Add Network Set. The Network Set editor displays (see Figure 25).
2 In the Name box, type a name for the network set.
3 Optionally, enter a location in the Location box.
4 From the PEPs panel, select the PEPs that you want to use in the network set and drag them to the PEPs box in the Network Set editor.
5 From the Networks panel, select the networks that you want to use in the network set and drag them to the Networks box in the Network Set editor.
6 Select the desired network address mode.
7 Click Save.

Table 14 Network Set fields

Name - Enter a unique name to identify the network set. Names can be 1-40 characters in length. Alphanumeric characters and spaces are valid. Names are not case sensitive.

Location - Enter a location.

PEPs - Click the PEPs panel and drag the appropriate PEPs to the PEPs box in the Network Set editor. To remove a PEP from this list, right-click the desired PEP and click Remove Element. The PEP is removed only from this network set.

Networks - Click the Networks panel and drag the appropriate networks to the Networks box in the Network Set editor. You can also edit a network from this editor: right-click the desired network and click Edit. To remove a network from this list, right-click the desired network and click Remove Element. The network is removed only from this network set.

Network Addressing Mode - Select the desired network addressing mode. The network addressing mode specifies the source IP address used in the packet header.
Use Network IP Address (default) - the original packet header containing the network's IP address is used for all outgoing packets.
Use PEP Remote IP Address - the PEP's remote port IP address is inserted into the packet header for all outgoing packets. This option is not available if the network set contains more than one PEP.
Use Virtual IP Address - the virtual IP address is inserted into the packet header for all outgoing packets. If you select this option, enter the IP address to use as the source address for outgoing packets in the Virtual IP Address box.
Depending on the type of PEP selected and its configuration, some options may not be available. PEPs preserve the original network address by default and must be explicitly configured to use any other mode. For more information on how to configure your PEP, see the configuration chapter for your PEP. This setting can be overridden by settings in a policy. For more information, see Addressing Mode on page 61.

Figure 25 Network Set Editor

Importing Networks and Network Sets

If you need to work with a large number of networks and network sets, you can save time by importing the data. You can create an Excel spreadsheet (or CSV file) that lists the networks and network sets that you need and import the file. The PEPs used in the network sets must have been added to EncrypTight Manager previously, or the import will fail.

To create the import file, enter the data in a spreadsheet and save it as an Excel file. You must adhere to the formats shown. The first line in the file must be Version1.0. The pound symbol (#) indicates a comment line and is ignored during the import operation. In the Excel file, commas are used to delineate one field or item from the next. The format of the file is as follows:

Version1.0
network,<networkid>,<ip address>,<mask>
networkset,<name>,networkids,<list of network IDs>,peps,<list of PEP names>

To import networks and network sets:

1 Create an Excel spreadsheet that identifies the networks and network sets.
2 In the Networks or Network Sets panel, click Import Networks.
3 Click Browse, select the file, and click Import Data From File.

If EncrypTight Manager detects an error in the file, none of the networks or network sets are imported. EncrypTight Manager displays an error message that includes the number of the line in the file that contains the error, along with a brief description of the problem. The message also indicates the column number with the error, which is useful if you created a spreadsheet (the column number does not apply to a CSV file edited in a text editor).

Editing a Network Set

To edit a Network Set:

1 Click the Network Sets panel and select the network set that you want to edit.
2 Right-click or double-click and choose Edit.
3 Make your changes and click Save.

Deleting a Network Set

You might need to delete a network set if the structure of a network changes or if the network set is empty because its networks were removed.

To delete an existing network set:

1 Click the Network Sets panel and select the network set that you want to remove.
2 Right-click and choose Delete.
3 Click Yes when you are prompted for confirmation.
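The import file format described under Importing Networks and Network Sets above is easy to get wrong in a spreadsheet, and because the import is all-or-nothing a single bad cell rejects the whole file. The Python parser below is an added example, not EncrypTight code, that checks a file the same way before you upload it and reports the first fault by line and column. Two points are assumptions rather than documented behaviour: the network ID and PEP lists are read as the comma-separated cells between the networkids and peps keywords, and the set of already-adopted PEP names is supplied by the caller. The sample file, its addresses and the PEP names are constructed.

```python
"""Added example (not EncrypTight code): validate a network / network-set
import file before uploading it. Assumed, not documented: list fields are
the cells between the 'networkids' and 'peps' keywords, and adopted PEP
names are supplied by the caller. All sample data is constructed."""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


class ImportFileError(Exception):
    """Carries the 1-based line and column (spreadsheet cell) of the fault."""
    def __init__(self, line: int, column: int, message: str):
        super().__init__(f"line {line}, column {column}: {message}")
        self.line, self.column, self.message = line, column, message


@dataclass
class Network:
    network_id: str
    address: str
    mask: str           # may be non-contiguous, so it is kept as a dotted quad


@dataclass
class NetworkSet:
    name: str
    network_ids: List[str]
    peps: List[str]     # may be empty: a network set need not contain a PEP


def parse_import_file(text: str, known_peps: Set[str]) -> Tuple[Dict[str, Network], Dict[str, NetworkSet]]:
    networks: Dict[str, Network] = {}
    network_sets: Dict[str, NetworkSet] = {}   # keyed by lower-cased name; names are not case sensitive
    version_seen = False
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells) or cells[0].startswith("#"):
            continue                                   # blank or comment line, ignored
        if not version_seen:                           # first data line must be the version tag
            if cells[0] != "Version1.0":
                raise ImportFileError(lineno, 1, "first line must be Version1.0")
            version_seen = True
            continue
        kind = cells[0].lower()
        if kind == "network":
            if len(cells) != 4:
                raise ImportFileError(lineno, len(cells), "network needs networkid, ip address, mask")
            nid, addr, mask = cells[1:]
            if nid in networks:
                raise ImportFileError(lineno, 2, f"duplicate network id {nid!r}")
            for col, value in ((3, addr), (4, mask)):
                try:
                    ipaddress.IPv4Address(value)       # any dotted quad; masks may be non-contiguous
                except ValueError:
                    raise ImportFileError(lineno, col, f"invalid IPv4 value {value!r}") from None
            networks[nid] = Network(nid, addr, mask)
        elif kind == "networkset":
            lowered = [c.lower() for c in cells]
            if len(cells) < 3 or lowered[2] != "networkids":
                raise ImportFileError(lineno, 3, "expected the networkids keyword")
            try:
                pep_kw = lowered.index("peps", 3)
            except ValueError:
                raise ImportFileError(lineno, len(cells) + 1, "expected the peps keyword") from None
            name = cells[1]
            if not 1 <= len(name) <= 40:
                raise ImportFileError(lineno, 2, "network set name must be 1-40 characters")
            if name.lower() in network_sets:
                raise ImportFileError(lineno, 2, f"duplicate network set name {name!r}")
            ids, peps = cells[3:pep_kw], cells[pep_kw + 1:]
            if not ids:
                raise ImportFileError(lineno, 4, "network set lists no networks")
            for offset, nid in enumerate(ids):
                if nid not in networks:
                    raise ImportFileError(lineno, 4 + offset, f"unknown network id {nid!r}")
            for offset, pep in enumerate(peps):
                if pep not in known_peps:
                    raise ImportFileError(lineno, pep_kw + 2 + offset,
                                          f"PEP {pep!r} has not been added to EncrypTight Manager")
            network_sets[name.lower()] = NetworkSet(name, ids, peps)
        else:
            raise ImportFileError(lineno, 1, f"unknown record type {cells[0]!r}")
    if not version_seen:
        raise ImportFileError(1, 1, "first line must be Version1.0")
    return networks, network_sets


def import_report(text: str, known_peps: Set[str]) -> Tuple[bool, str]:
    """All-or-nothing like the real import: one fault rejects the whole file."""
    try:
        networks, sets_ = parse_import_file(text, known_peps)
    except ImportFileError as err:
        return False, str(err)
    return True, f"imported {len(networks)} networks and {len(sets_)} network sets"


# Constructed sample: site A networks plus a bypass network with a non-contiguous mask.
SAMPLE = """Version1.0
network,n1,10.1.0.0,255.255.255.0
network,n2,10.1.1.0,255.255.255.0
network,bypass1,10.0.0.1,255.0.0.255
networkset,Site A,networkids,n1,n2,peps,pep-a1,pep-a2
networkset,Routers clear,networkids,bypass1,peps
"""
BAD_SAMPLE = """Version1.0
network,n1,10.1.0.0,255.255.255.0
networkset,Site B,networkids,n1,peps,pep-b1,pep-zz
"""
KNOWN_PEPS = {"pep-a1", "pep-a2", "pep-b1"}   # stands in for the PEPs already adopted in the Manager
```

Run `import_report` on the file you are about to upload; the second sample fails at line 3, column 7 because pep-zz has not been adopted, which is the same class of error that makes EncrypTight Manager reject the whole import.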

Chapter 6: Creating VLAN ID Ranges

If the network uses VLAN ID tags, you have the option of creating policies that select traffic with specific VLAN ID tags or within a range of VLAN ID tags. If you do not include VLAN ID tags in a new Layer 2 policy, the policy is applied to all network traffic.

VLAN ID tags are used to create logical networks within a larger physical network. This is often used to separate network traffic by department, such as Finance or Human Resources. By creating policies that act on specific VLAN ID tags or a range of VLAN ID tags, you can encrypt, pass in the clear, or drop traffic at the logical level (in this case by department). Traffic that does not match the VLAN ID tag (or range of tags) specified in the policy is dropped. PEPs accept only single VLAN ID tags in policies.

Adding a VLAN ID Range

To add a new VLAN ID Range:

1 In the VLANs panel, click Add VLAN.
2 Create the VLAN range in the editor as described in Table 15.
3 Click Save when complete.

NOTE VLAN ranges are now supported in EncrypTight Manager. A range of VLAN IDs can be defined in one entry rather than one ID at a time.

Table 15 VLAN ID range entries

Name - Enter a unique name to identify this particular VLAN Range. Names can be 1-40 characters in length. Alphanumeric characters and spaces are valid. Names are not case sensitive.

Lower VLAN ID - Enter the lower range limit (from 1 up to the maximum VLAN ID the editor accepts).

Upper VLAN ID - Enter the upper range limit (from 1 up to the maximum VLAN ID the editor accepts).

Figure 26 VLAN ID Range

Editing a VLAN ID Range

To edit a VLAN ID range:

1 In the VLANs panel, select the VLAN ID range that you want to modify.
2 Right-click on the range and choose Edit.
3 Make your changes and click Save.

Deleting a VLAN ID Range

If changes are made to a network or VLAN, you might need to delete VLAN ID ranges.

To delete an existing VLAN ID range:

1 In the VLANs panel, select the VLAN ID range that you want to remove.
2 Right-click on the range and choose Delete.
3 Click Yes when you are prompted for confirmation.

Chapter 7: Understanding Security Policies

A policy specifies what traffic to act on and what action to take. Each PEP can store a large number of policies. As network traffic arrives, each packet or frame is examined by the PEP and processed based on selection criteria such as IP addresses, ports, protocols, or VLAN tags. When the PEP receives a packet or frame that meets the criteria used in one of its policies, it takes one of three actions: it encrypts the packet or frame, passes it in the clear, or drops it.

In addition to selection criteria and actions, each policy specifies:

What priority a policy has in relation to other policies
How often keys are renewed and policy lifetimes are refreshed
What encryption and authentication methods to use
Which addressing mode the PEPs in the policy should use
Whether to reduce the policy size for an IP policy

About Policies

A policy specifies what traffic to protect and how to protect it. Each packet or frame is inspected by the PEP and processed based on the filtering criteria specified in the policy. You can create policies for traffic at Layer 2, Layer 3, and Layer 4. Each policy specifies:

The PEPs to be used
The networks the PEPs will protect
The action that is to be performed (encrypt, send in the clear, or drop)
The kind of traffic the policy affects

Filtering criteria can be high level, such as encrypt everything, or more granular, specifying traffic based on IP addresses, protocols, or VLAN ranges. After applying the traffic filters, the PEP takes one of three actions: it encrypts the packet, passes it in the clear, or drops the packet.

Ethernet Policies

In Layer 2 Ethernet, the supported topologies are mesh and point-to-point networks. If an Ethernet network uses VLAN ID tags, a virtual point-to-point topology can also be established.

An Ethernet policy can be applied to all Layer 2 traffic or restricted to traffic that contains VLAN ID tags that fall within a given range. Ethernet policies consist of two main components:

PEPs
VLAN ID ranges, which enable filtering based on VLAN ID tags (optional)

NOTE If you do not include a VLAN ID or range in the policy, all Ethernet traffic is selected for enforcement.

IP Policies

Supported IP topologies are:

Hub and spoke
Mesh
Point-to-point
Multicast

Layer 3 IP policies protect IP traffic using PEPs. IP policies consist of three main components:

PEPs
Networks, which identify the IP addresses of the networks included in the policy
Network sets, which associate the networks with the protecting PEPs

Layer 4 policies are Layer 3 policies that preserve the original addresses, protocols, and ports of the packets received. You would use this option when you need to send the IP header information in the clear. For more information, see Addressing Mode on page 61.

Policy Priority

You can assign a priority, from 1 up to the editor's maximum, to each policy that you create. The policy priority specifies the order in which policies are processed on the PEP. For each incoming packet or frame, the PEP searches through the list of policies, starting with the policy that has the highest priority number, until it finds a match. When it finds a match, the PEP processes the packet or frame according to the settings in that policy and does not evaluate the lower-priority policies.

As you create policies, carefully consider the policy priority that you choose. If your policies are not being implemented as expected, check the priorities assigned to the policies. Incorrect prioritization can produce unexpected results. For example, policy A is a clear policy for a specific destination network for any protocol and has the highest priority. Policy B is an encrypt policy for the same destination network with a particular protocol, but it has a lower priority. Because policy A has the higher priority, all traffic to that destination passes in the clear and none of it is encrypted. To get the intended behaviour, the narrower encrypt policy (B) must be given the higher priority so that it is matched before the broader clear policy (A).
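The lookup described above is easy to model, and modelling it is the quickest way to find a policy that can never fire. The Python script below is an added example, not EncrypTight code, and does not reproduce the PEP's actual policy engine; it implements only the first-match, highest-priority-number-first rule stated in this section. The policies, protocol numbers and addresses are constructed: it plays through the Policy A / Policy B mistake above, the same two policies with their priorities swapped, and the encrypt-all-with-exceptions layout of Table 16 later in this chapter, and it adds a check for policies that are completely shadowed by a higher-priority policy.

```python
"""Added example (not EncrypTight code): a model of the first-match,
highest-priority-number-first policy lookup the guide describes, used to
show the Policy A / Policy B ordering mistake and the encrypt-all-with-
exceptions layout of Table 16. Policies and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                      # higher number is evaluated first
    action: str                        # "encrypt", "clear" or "drop"
    protocol: Optional[int] = None     # IP protocol number; None matches any
    dst_network: Optional[str] = None  # destination CIDR; None matches any

    def matches(self, dst: str, protocol: int) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.dst_network is not None:
            return ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_network)
        return True

    def covers(self, other: "Policy") -> bool:
        """True if every packet `other` could match is also matched by self."""
        proto_ok = self.protocol is None or self.protocol == other.protocol
        if self.dst_network is None:
            return proto_ok
        if other.dst_network is None:
            return False
        return proto_ok and ipaddress.ip_network(other.dst_network).subnet_of(
            ipaddress.ip_network(self.dst_network))


def select_policy(policies: Sequence[Policy], dst: str, protocol: int) -> Optional[Policy]:
    """Walk from the highest priority number down and stop at the first match,
    as the PEP does. Equal priorities are not disambiguated in this model."""
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        if p.matches(dst, protocol):
            return p
    return None


def decide(policies: Sequence[Policy], dst: str, protocol: int) -> str:
    p = select_policy(policies, dst, protocol)
    return p.action if p else "no-match"


def shadowed(policies: Sequence[Policy]) -> List[Tuple[str, str]]:
    """(shadowed policy, policy that hides it) pairs: a policy can never fire
    when a higher-priority policy covers everything it would match. This is
    the priority check the guide tells you to make when behaviour is unexpected."""
    found = []
    for p in sorted(policies, key=lambda p: p.priority):
        for q in policies:
            if q.priority > p.priority and q.covers(p):
                found.append((p.name, q.name))
                break
    return found


# Policy Priority section: the broad clear policy outranks the encrypt policy.
MISORDERED = [
    Policy("A: clear, any protocol, to 10.2.0.0/16", 300, "clear", None, "10.2.0.0/16"),
    Policy("B: encrypt TCP to 10.2.0.0/16", 100, "encrypt", 6, "10.2.0.0/16"),
]
# The same two policies with the priorities swapped: the narrower rule wins.
FIXED = [
    Policy("A: clear, any protocol, to 10.2.0.0/16", 100, "clear", None, "10.2.0.0/16"),
    Policy("B: encrypt TCP to 10.2.0.0/16", 300, "encrypt", 6, "10.2.0.0/16"),
]
# Table 16: encrypt everything, except drop protocol 55 and pass UDP (17) clear.
TABLE_16 = [
    Policy("1: encrypt all", 100, "encrypt"),
    Policy("2: drop IP Mobility", 200, "drop", 55),
    Policy("3: UDP in clear", 300, "clear", 17),
]

if __name__ == "__main__":
    print(decide(MISORDERED, "10.2.3.4", 6), decide(FIXED, "10.2.3.4", 6))
    print(shadowed(MISORDERED))
    print([decide(TABLE_16, "10.9.9.9", proto) for proto in (6, 17, 55)])
```

`shadowed` reports policy B in the misordered set and nothing in the corrected set or in the Table 16 layout, where each exception is narrower than the catch-all below it; that is the shape to aim for when you add clear or drop exceptions to an encrypt-all policy.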

Schedule for Renewing Keys and Refreshing Policy Lifetime

The Renew keys value specifies the length of time that the keys will be active. According to the schedule specified, the EncrypTight Manager server sends new keys to the PEPs. The previous keys are maintained on the PEP for up to five minutes to ensure that no traffic interruption occurs.

NOTE EncrypTight Manager provides support for clock skew detection during refresh status. The PEP state will indicate if the clock is out of sync with EncrypTight Manager by more than 10 minutes.

You schedule the key renewal either at an interval of hours or as a daily renewal at a specified time:

Hours - enter the re-key interval in hours (up to the maximum the editor accepts). Clear the Renew Keys check box under IPSec if you want the keys to never expire. Most likely, you will only do this while troubleshooting; keys that never renew give an attacker unbounded time and ciphertext against a single key set.

Daily - enter the re-key time using the 24 hour system clock set to the required local time of the EncrypTight Manager server. The re-key time is translated to the local times of other EncrypTight servers and PEPs that might be located in other time zones.

TIP Management traffic increases during the policy rekey and renew lifetime process. This is true for both manual and automatic rekeys. If you schedule all policies to rekey at the same time, the EncrypTight servers will send new keys to all of their PEPs at the same time, causing a spike in traffic throughout your network. You can reduce the traffic and processing time by staggering the rekey schedule specified for each policy. For example, one policy could be set to rekey at 1:00 AM while another policy could be set to rekey at 1:30 AM. This significantly reduces the management traffic and PEP processing time.

TIP Network connectivity problems can prevent new keys from being distributed to the PEPs before the old keys expire.

NOTE In fail-safe mode, EncrypTight Manager will not update the keys of any device if any of the devices are unreachable.

Policy Types and Encryption Methods

The type of policy specifies the action applied to packets that match the protocol and networks included in the policy. You can choose from the following types:

Drop - drops all packets matching this policy.
Clear - passes all packets matching this policy in the clear.
Encrypt - encrypts or decrypts all packets matching this policy.

Encapsulation

To provide encryption and authentication, the PEPs use the Black Box Encapsulating Security Payload protocol (CN-ESP). CN-ESP is Black Box's packet encapsulation protocol and is based on the IPSec ESP standards.

Layer 2: Ethernet payload encryption. In Layer 2 policies, the CN-ESP protocol preserves the original Ethernet header information and encrypts only the Ethernet payload, as shown in Figure 27.

Figure 27 Ethernet payload encryption

Layer 3: IPSec tunnel mode with original IP header preservation. In Layer 3 IP policies, a copy of the original IP header is used as the outer header, and the original header and payload are encrypted, as shown in Figure 28.

Figure 28 IP packet encryption

Layer 4: IPSec transport mode for Layer 4 payload encryption. PEPs have an option to encrypt only the Layer 4 payload. The TCP and UDP header information remains in the clear, as shown in Figure 29. All other Layer 4 headers are encrypted.

Figure 29 Data payload encryption

Encryption and Authentication Algorithms

For Layer 3 IP policies, you can specify the encryption and authentication algorithms that you want to use. The encryption algorithms include the Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES). AES is a symmetric block cipher capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. Triple DES, or 3DES, is a more secure variant of DES that uses a key length of 168 bits. The Data Encryption Standard (DES) is a symmetric block cipher with a block size of 64 bits and a key length of 56 bits. Because 3DES keeps the 64-bit DES block size and has been deprecated by NIST, prefer AES wherever your PEPs support it.

The authentication algorithms available are HMAC-SHA-1 (Secure Hash Algorithm 1) and HMAC-MD5 (Message Digest 5). Both are keyed-hash message authentication codes built on the named hash function. HMAC-SHA-1 is more secure than HMAC-MD5, and MD5 is no longer considered a sound hash function, so use HMAC-SHA-1 unless you must interoperate with equipment that supports only HMAC-MD5.

Layer 2 Ethernet encryption policies use AES with 256-bit keys to encrypt and decrypt the data and HMAC-SHA-1 to provide data origin authentication and data integrity.

Layer 4 IP encryption policies use AES-256 for encryption and HMAC-SHA-1 for authentication. The PEPs do not support 3DES or HMAC-MD5 at Layer 4.

ARIA Encryption

In addition to the standard encryption algorithms listed above, the ARIA encryption algorithm is available on PEPs running a PEP software version that supports it. ARIA provides 256-bit encryption and is implemented in software. Note the following usage guidelines and constraints:

ARIA-256 is available for use in Layer 3 and Layer 4 policies. Layer 2 Ethernet encryption policies do not support ARIA.

ARIA-256 is incompatible with the PEP's FIPS mode of operation. Disable FIPS mode on the PEP prior to using ARIA in encryption policies.

Addressing Mode

When you create network sets in the network sets editor, you specify the IP address the PEPs will use in the outer header of the encrypted packets. The options are the original IP address of the packets received at the PEP's local port (the default setting), the remote port IP address of the PEP, or a virtual IP address that is configured as part of a network set. The latter two options are used when the original source IP address must be concealed or when traffic must be routed over the internet.

Even when you configure network sets to conceal the original source IP addresses, you might need to preserve the original IP addresses for other traffic that is routed through the same network sets. For example, you might need to transmit traffic that must comply with Service Level Agreements. To handle these situations, you can create additional policies that use the same network sets but override the specified network addressing mode. In the policy editor, the network addressing mode can use one of three options:

Preserve only the original internal network addresses. The source and destination addresses in the IP header are sent in the clear. The protocol and port, as well as the payload of the packet, are encrypted. This is referred to as a Layer 3 policy.

Preserve the original internal network address, protocol, and port. The source and destination addresses, protocol, and port in the IP header are sent in the clear. With this option, only the payload of the packet is encrypted. This allows you to send the Layer 4 header information in the clear for traffic engineering and Service Level Agreement management (for example, Quality of Service controls or NetFlow statistics monitoring). This is referred to as a Layer 4 policy.

Tunnel Mode specifies that the IP address of the remote port of the PEPs should be used, or a virtual IP address if one is assigned to the network sets.

Using Encrypt All Policies with Exceptions

You can design your policies many different ways for the same results. If you design your policies around chunks of data, such as which port or which source or destination address to encrypt, drop, or pass in the clear, a large number of policies can result. With a large number of policies, the policy management overhead increases and keeping track of the priority of each policy can become difficult. You can simplify this process by doing the following:

1 Create a policy to encrypt all data to and from all networks. Assign this policy a relatively low priority to ensure that any traffic the exception policies miss is at least encrypted.
2 Design a pass-in-the-clear policy and a drop policy with higher priorities.

Table 16 illustrates policies for a mesh network that will pass protocol 17 (UDP) traffic in the clear, drop all protocol 55 (IP Mobility) traffic, and encrypt all other traffic.

Table 16 Encrypt all policy with exceptions

Policy  Policy Type  Priority  Action         Protocol Covered
1       Mesh         100       Encrypt        All
2       Mesh         200       Drop           55
3       Mesh         300       Pass in Clear  17

In this case, we started with the assumption that our main job was to encrypt traffic, and then decided which traffic to drop or pass in the clear. The PEP analyzes each packet starting with the highest priority policy, so the exceptions (priorities 300 and 200) are tested before the catch-all encrypt policy (priority 100).

The alternative is to decide which traffic should be encrypted, which traffic should be passed in the clear, and which traffic should be dropped. With this approach, you risk creating more policies to manage than you need and increasing the management traffic on the network. You could also easily miss encrypting important traffic.

Policy Size and PEP Operational Limits

Various combinations of factors can reach or exceed the operational limits of the PEP, including memory, processor speed, and the size of the policy file. Another core issue is the number of security associations (SAs) a PEP can support. An SA identifies what traffic to act on, what kind of security to apply, and the device with which the traffic is being exchanged. SAs typically exist in pairs, one for each direction (inbound and outbound). The policies deployed from EncrypTight Manager create SAs between the PEPs. A simple point-to-point policy creates two SAs on each PEP. More complex configurations such as a mesh policy create more SAs.

The policy file is an XML file sent to each PEP that identifies the type of policy, the policy lifetime, and the kind of traffic the policy affects. It also identifies the networks to be protected and the PEPs to be used. The size of a policy file is determined by the type of policy, the number of PEPs, and the number of networks protected. On the ET0010A, the maximum size for the policy file is 512 KB. For the ET0100A, the maximum size is 1024 KB.

If the policy file is larger than the maximum size, the rekey processing time on the PEP can exceed the system timeout parameters. For example, with the ET0010A the rekey processing time for a 512 KB policy file is approximately three minutes. If the rekey processing takes longer than this, timeouts and errors occur that severely affect overall system performance. When timeouts and errors occur, keys can expire or a policy might not actually be deployed. To prevent this from happening, PEPs generate error messages and reject policy files that are larger than the maximum size.

Minimizing Policy Size

Using EncrypTight Manager with large, complex networks with multiple subnets protected by separate PEPs can result in a large number of SAs on each PEP. The increased management traffic for renewing keys and refreshing policy lifetimes could adversely affect the performance of the EncrypTight system. If you do not require policy filtering based on the subnets located behind each PEP, use the Minimize Policy Size feature to avoid this. This feature is not applicable to Layer 2 Ethernet policies.

The Minimize Policy Size feature includes two options, depending on the type of policy. You can select Ignore source IP address for any IP policy. For mesh policies, you can select either Ignore source IP address or Apply to all traffic.

When you enable the Ignore source IP address option:

The source network address for outbound traffic is replaced with an all-networks wildcard address (0.0.0.0/0).
The destination network address for inbound traffic is replaced with an all-networks wildcard address (0.0.0.0/0).

This results in a significant reduction in policy size and keys in each PEP associated with the policy.

The Apply to all traffic option is useful for large mesh networks when you know that each PEP only sends traffic to other PEPs using the same policy. Selecting this option applies the policy to all traffic, inbound and outbound, regardless of the source and destination addresses or ports. If the policy specifies encryption, all PEPs associated with the policy use the same key set, reducing the number of policy entries and SAs on each PEP.

NOTE This option is only available for encryption policies.


Chapter 8: Working with Policies

After you add and configure policy resources such as PEPs and network sets, you can use those resources to create security policies.

Creating Policies

To create a policy:

1 If you have not yet done so, click Policies on the main menu to switch to the Policies view.
2 From the Saved tab in the Policies panel, click Policy and choose Add Policy.
3 Select the type of policy you want to create.
4 Enter additional information and select the options you need for the type of policy you are creating. Policy types and the options available for each are discussed in Policy Options by Mode on page 65.
5 Click Save.

Policy Options by Mode

Layer 2 Policies

You can create Layer 2 policies for mesh and point-to-point networks. Layer 2 policies use PEPs that are configured as Layer 2 PEPs. They do not use Network Sets. In a Layer 2 mesh network, any network can send or receive data from any other network.

Table 17 Layer 2 Mesh Policy Options

Policy Name - Enter a unique name for the policy. Names can be 1-40 characters in length. Alphanumeric characters and spaces are valid. Names are not case sensitive.

Priority - Specifies the order in which policies are processed in the PEPs. Enter the priority for this policy (from 1 up to the editor's maximum). PEPs enforce policies in descending priority order, with the highest priority number processed first.

Description - Enter a brief description of the policy. For example, you might want to briefly mention the purpose of the policy.

Type - Specifies how the traffic affected by this policy will be handled.
Drop - drops all frames matching this policy.
Clear - passes all frames matching this policy in the clear.
Encrypt - encrypts or decrypts all frames matching this policy.

Renew Keys/Refresh Lifetime - Specifies the lifetime of the keys and policies, and the frequency at which the keys are regenerated and policy lifetimes are updated on the PEPs. Clear the Renew Keys check box to specify that the encryption keys for this policy are never renewed. Regenerate keys and update policies either at a specified interval in hours or daily at a specified time. Click either Hours or Daily. EncrypTight Manager provides support for clock skew detection during refresh status. The PEP state will indicate if the clock is out of sync with EncrypTight Manager by more than 10 minutes.
Hours - enter the re-key interval in hours (up to the maximum the editor accepts).
Daily - enter the re-key time using the 24 hour system clock set to the required local time of the management workstation. The re-key time is translated to the local times of the EncrypTight servers and PEPs that might be located in other time zones.

Policy Enforcement Points - Lists the PEPs to which the policies and keys are distributed. Click the PEPs tab in the EncrypTight Manager Resources panel and drag the appropriate Layer 2 PEP to the PEPs list in the Policy editor. To remove a PEP from this list, right-click the desired PEP and click Remove PEP. The PEP is removed only from this policy.

VLANs - Specifies a VLAN ID tag range for a policy. The policy affects only frames with a VLAN ID tag within the specified range. Traffic that does not match the VLAN ID tag (or range of tags) specified in the policy is dropped. If no range is specified, the policy applies to all frames. PEPs accept only single VLAN ID tags in policies. Click the VLANs tab in the Resources panel and drag the appropriate VLAN range to the VLAN Ranges list in the Policy editor. You can also edit a VLAN Range from this editor: right-click the desired VLAN Range and click Edit. To remove a VLAN Range from this list, right-click the desired VLAN Range and click Remove VLAN. The VLAN range is removed only from this policy.

Layer 2 point-to-point policies affect only the traffic between two defined endpoints.

Table 18 Layer 2 Point-to-Point Policy Options

Policy Name - Enter a unique name for the policy. Names can be 1-40 characters in length. Alphanumeric characters and spaces are valid. Names are not case sensitive.

Description - Enter a brief description of the policy. For example, you might want to briefly mention the purpose of the policy.

Preshared Key - Enter the preshared key to use for the point-to-point policy, or click Generate Preshared Key.

Table 18 Layer 2 Point-to-Point Policy Options (continued)

Generate Preshared Key
  Click to automatically generate a preshared key to use.

Group ID
  Enter the group ID to use.

Traffic Handling
  Specifies how the traffic affected by this policy will be handled.
  Clear - passes all frames matching this policy in the clear.
  Drop - drops all frames matching this policy.
  Encrypt - encrypts or decrypts all frames matching this policy.

Point A and Point B
  Click and drag the PEPs to be used for the policy to the Point A and Point B boxes.

Layer 3 Policies

You can create Layer 3 policies for hub and spoke, point-to-point, mesh, and multicast topologies. Many options are common to all Layer 3 policies, but some options are unique to each, as described in the following tables.

Common Layer 3 Policy Options

The following options are available in all policy types except where noted (see Figure 30).

Table 19 Common Layer 3 Policy Options

Policy Name
  Enter a unique name for the policy. Names can be 1-40 characters in length. Alphanumeric characters and spaces are valid. Names are not case sensitive.

Priority
  Enter the priority for this policy from 1 to
  PEPs enforce policies in descending priority order, with the highest priority number processed first.

Description
  Enter a brief description of the policy. For example, you might want to briefly mention the purpose of the policy.

Type
  Specifies how the traffic affected by this policy will be handled.
  Drop - drops all packets matching this policy.
  Clear - passes all packets matching this policy in the clear.
  Encrypt - encrypts or decrypts all packets matching this policy.

Renew Keys
  Clear the Renew Keys check box to specify that the encryption keys for this policy are never renewed.

Table 19 Common Layer 3 Policy Options (continued)

Renew Keys
  Specifies the lifetime of the keys and policies, and the frequency at which the keys are regenerated and the policy lifetimes are updated on the PEPs. Regenerate keys and update policies either at a specified interval in hours or daily at a specified time. Click either Hours or Daily.
  EncrypTight Manager supports clock skew detection during a status refresh: the PEP state indicates if the PEP's clock is out of sync with EncrypTight Manager by more than 10 minutes.
  Hours - enter the re-key interval in hours up to hours.
  Daily - enter the re-key time using the 24-hour system clock, set to the required local time of the management workstation. The re-key time is translated to the local times of the EncrypTight servers and PEPs, which might be located in other time zones.

Encryption
  Specifies the encryption and authentication algorithms used in an Encrypt policy.
  Select the encryption algorithm from the Encryption Algorithms list:
  AES - Advanced Encryption Standard (default)
  3DES - a more secure variant of Data Encryption Standard
  Select the authentication algorithm from the Authentication Algorithms list:
  HMAC-SHA-1 - Secure Hash Algorithm
  HMAC-MD5 - Message Digest 5
  Note: Layer 4 policies require AES and HMAC-SHA-1.

Addressing Mode Override
  Overrides the network addressing setting of the network sets.
  Layer 3 (Preserve internal network addresses) - This setting is always enabled for multicast policies and cannot be disabled. By default, multicast policies override the network set's network addressing mode and preserve the network addressing of the protected networks. The IP header contains the source address of the originating network.
  Layer 4 (Preserve address, protocol and port) - This setting overrides the network set's addressing mode and preserves the network addressing of the protected networks, as well as the specified protocol and port numbers. The IP header includes the source address, protocol, and port of the originating network. This allows you to send the Layer 4 header information in the clear for traffic engineering and Service Level Agreement (SLA) management (for example, Quality of Service controls).
  Tunnel Mode (Use PEP remote or VIP address) - Specifies that the policy should use the PEP's remote port IP address or the virtual IP addresses of the included network sets.

Minimize Policy Size
  Specifies a method for reducing the policy size.
  Ignore source IP address - Reduces the policy size by ignoring the network addresses on the local port of the PEP. This limits the amount of network traffic needed to renew keys and refresh policy lifetimes. If you select this option, the source network address for outbound traffic and the destination network address for inbound traffic are replaced with the all-networks wildcard address ( /0).
  Apply to all traffic - Reduces the policy size by applying the policy to all traffic, inbound and outbound, regardless of the source and destination addresses and ports. If the policy specifies encryption, all PEPs associated with the policy use the same key set. This option reduces the number of policy entries and SAs on each PEP. Note that this option is only available for Layer 3 Mesh policies.
  For more information, see Minimizing Policy Size.

Table 19 Common Layer 3 Policy Options (continued)

Protocol
  Specifies the Layer 3 protocol affected by this policy. The action selected for the policy is applied only to traffic with the specified protocol.
  Any - specifies all protocols.
  Only - specifies a particular protocol. Click to select it, and then enter the required protocol number in the range 0 to 255.
  This option is not available for multicast policies.

Figure 30 Some Common Layer 3 Options (Mesh)

Options Specific to Hub and Spoke Policies

In a hub and spoke network, all traffic either originates from the hub network and is received by a spoke network, or originates from one of the spoke networks and is received by the hub network.

Table 20 Options Specific to Hub and Spoke Policies

Network Sets
  Identifies the network sets included in this policy. From the Network Sets panel, click and drag the appropriate network sets to either Hubs or Spokes.
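The Renew Keys/Refresh Lifetime option in Table 19 combines three behaviours that are easy to get wrong when planning a deployment across time zones: the Hours schedule, the Daily schedule read on the management workstation's clock and translated to each PEP's local time, and the 10-minute clock-skew check reported during a status refresh. The following Python model is an added example, not EncrypTight Manager code; the zone offsets (UTC-5 for the management workstation, UTC+0 and UTC+9 for two PEPs), the PEP names and the "now" reading are constructed for the demonstration.

```python
# Added example (not EncrypTight Manager code): models the Renew Keys /
# Refresh Lifetime option from Table 19. Zone offsets, PEP names and the
# clock reading in demo() are constructed for the demonstration.
from datetime import datetime, time, timedelta, timezone

SKEW_LIMIT = timedelta(minutes=10)  # guide: PEP flagged if more than 10 minutes off

# Constructed fixed-offset zones so the example needs no tz database.
MGMT_TZ = timezone(timedelta(hours=-5), "mgmt-workstation")    # assumption: UTC-5
PEP_ZONES = {
    "pep-london": timezone(timedelta(hours=0), "pep-london"),  # assumption: UTC+0
    "pep-tokyo": timezone(timedelta(hours=9), "pep-tokyo"),    # assumption: UTC+9
}


def next_rekey_hours(last_rekey: datetime, interval_hours: int) -> datetime:
    """'Hours' schedule: the next rekey is a fixed number of hours after the last one."""
    if interval_hours <= 0:
        raise ValueError("re-key interval must be a positive number of hours")
    return last_rekey + timedelta(hours=interval_hours)


def next_rekey_daily(now: datetime, hh: int, mm: int) -> datetime:
    """'Daily' schedule: hh:mm is read on the management workstation's 24-hour
    clock; the next occurrence is returned as a UTC instant."""
    local_now = now.astimezone(MGMT_TZ)
    candidate = datetime.combine(local_now.date(), time(hh, mm), tzinfo=MGMT_TZ)
    if candidate <= local_now:          # today's slot has passed: use tomorrow's
        candidate += timedelta(days=1)
    return candidate.astimezone(timezone.utc)


def local_rekey_times(instant: datetime) -> dict:
    """Translate one rekey instant into each PEP's local wall-clock time, which
    is what the guide means by the re-key time translating across zones."""
    return {name: instant.astimezone(tz).strftime("%Y-%m-%d %H:%M")
            for name, tz in PEP_ZONES.items()}


def clock_skew_state(manager_now: datetime, pep_now: datetime) -> str:
    """Status-refresh check: 'out of sync' when the PEP clock differs from the
    manager's by more than SKEW_LIMIT in either direction."""
    return "out of sync" if abs(pep_now - manager_now) > SKEW_LIMIT else "in sync"


def demo() -> dict:
    """Run both schedules and the skew check on a constructed clock reading."""
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed "now"
    rekey = next_rekey_daily(now, 2, 0)                        # Daily at 02:00 mgmt time
    return {
        "daily_utc": rekey.strftime("%Y-%m-%d %H:%M"),
        "daily_local": local_rekey_times(rekey),
        "hours_utc": next_rekey_hours(now, 4).strftime("%Y-%m-%d %H:%M"),
        "skew_11min": clock_skew_state(now, now + timedelta(minutes=11)),
        "skew_minus_9min": clock_skew_state(now, now - timedelta(minutes=9)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The daily slot is resolved on the management workstation's clock first and only then converted, so a 02:00 setting lands at 07:00 for the UTC+0 PEP and 16:00 for the UTC+9 PEP; that is the time you should expect to see in each PEP's local logs. The skew check is symmetric, since a PEP running fast is as much of a problem for lifetime refresh as one running slow.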

Figure 31 Hub and Spoke Policy Network Sets

Options Specific to Point-to-Point Policies

In a point-to-point network, one network or network set sends data to and receives data from one other network or network set.

Table 21 Options Specific to Point-to-Point Policies

Point A - Network Set
  Identifies the network set included in this policy for one side of the point-to-point network configuration. From the Network Sets panel, click and drag the appropriate network set to Point A - Network Set.

Point A - Port
  Specifies the source and destination ports for the network set selected for Point A. In TCP and UDP, port numbers identify well-known services, such as FTP. Choosing a specific port limits the action of the policy to traffic using that port. This setting is only valid if the protocol is set to 6 (TCP) or 17 (UDP).

Point B - Network Set
  Identifies the network set included in this policy for the other side of the point-to-point network configuration. From the Network Sets panel, click and drag the appropriate network set to Point B - Network Set.

Point B - Ports
  Specifies the source and destination ports for the network set selected for Point B. In TCP and UDP, port numbers identify well-known services, such as FTP. Choosing a specific port limits the action of the policy to traffic using that port. This setting is only valid if the protocol is set to 6 (TCP) or 17 (UDP).

Figure 32 Point-to-Point Policy Network Sets

Options Specific to Mesh Policies

In a mesh network, any network or network set can send data to and receive data from any other network or network set.

Table 22 Options Specific to Mesh Policies

Network Sets
  From the Network Sets panel, click and drag the appropriate network sets to the Network Sets box.

Figure 33 Mesh Network Sets box

Easy Mesh Policy

The Easy Mesh Policy has its own policy editor panel. The panel has two drag-and-drop regions: one for networks and one for PEPs. The policy file that ETM (EncrypTight Manager) creates is the same for all PEPs and includes inbound and outbound selectors for all the networks as both source and destination. In the Policy Elements Grid, the policy is represented as a single row with all networks in the Networks column and all PEPs in the PEPs column.

This lets you create an "apply to all" policy, as it exists today, with just the networks and whatever PEPs you want; you do not have to create or maintain network sets. It also supports partial mesh policy deployments: a new PEP can join the policy simply by receiving the same policy file as all other members, and no other PEP needs to be redeployed.

Options Specific to Multicast Policies

In a multicast network, one or more networks send unidirectional streams to multiple destination networks. Multicast routers detect the multicast transmission, determine which nodes have joined the multicast network as destination networks, and duplicate the packets as needed to reach all multicast destination networks.

Table 23 Options Specific to Multicast Policies

Multicast Network
  Identifies the multicast address range protected by this policy.
  IP - multicast IP address
  Mask - mask for the multicast IP address

Network Sets
  Identifies the networks included in this policy. From the Network Sets panel, click and drag the appropriate network sets to the desired boxes.
  Send - lists the networks that only send data
  Receive - lists the networks that only receive data
  Send/Receive - lists the networks that send and receive data
  EncrypTight supports technologies such as Protocol Independent Multicast (PIM) by allowing multiple senders, receivers, and senders/receivers in multicast policies.

Figure 34 Multicast Policy Network Sets

Creating Layer 4 Policies

Layer 4 policies encrypt only the payload of the packet. The source and destination addresses, protocol, and port in the IP header are sent in the clear. With Layer 4 policies, the Layer 4 header information is sent in the clear for traffic engineering and Service Level Agreement management (for example, Quality of Service controls or NetFlow statistics monitoring). You can create Layer 4 policies for point-to-point, hub and spoke, mesh, and multicast network topologies.

You create Layer 4 policies using PEPs that are configured to operate as Layer 3 PEPs. Create the networks, network sets, and policies as you would for Layer 3 IP policies. In the policy editor, select the option to preserve the address, protocol, and port. This option encrypts only the payload data, making the policy a Layer 4 policy.

Layer 4 IP encryption policies use AES-256 for encryption and HMAC-SHA-1 for authentication. PEPs do not support 3DES or HMAC-MD5 at Layer 4.

To create a new Layer 4 policy:
1 Follow the instructions for creating policies as described in Creating Policies.
2 From the Addressing Mode Override section of the policy editor, select Preserve address, protocol and port (see Figure 34).
3 Save the policy.

Figure 35 Option to Encrypt the Packet Payload Only

Activating and Deactivating Policies

New policies are listed in the Saved tab of the Policies panel. Saved policies can be considered works in progress; they are not yet active or deployed. When you activate a policy, it is removed from the Saved tab and appears in the Active tab. You can only deploy active policies.

To activate a policy:
1 In the Saved tab, select the policy that you want to activate.
2 Click Policy > Activate Policy.
3 Click Yes when you are prompted for confirmation.

Policies that have been activated but not yet deployed are marked with an icon.

If you no longer need a policy, you must deactivate it before you can delete it. Deactivating a policy does not immediately remove the policy from the PEPs to which it was deployed; you must redeploy policies to remove the policy from the PEPs. Unlike the Clear Policies CLI command, this allows you to remove a specific policy rather than all policies.

To deactivate a policy:
1 In the Active tab of the Policies panel, select the policy.
2 Click Policy > Deactivate Policy.
3 Click Yes when you are prompted for confirmation.
4 Redeploy your policies.

Deploying Policies

When you deploy policies, EncrypTight Manager generates encryption keys and sends the keys and policies to the PEPs. When you create or change policies, you have two options for deploying: Deploy Policies and Force Deploy All Policies.

Deploy Policies checks whether any policy, or any element within a policy, has changed and deploys only the new or changed policies. Among other things, this allows you to add or change elements in existing policies and deploy only those changes instead of every active policy.

Force Deploy All Policies deploys all active policies, whether or not any changes have been made to the policies or to any elements included in them.

Before any changes are sent to the PEPs, EncrypTight Manager prompts you for confirmation and displays a list of the PEPs that will be contacted.

To deploy policies:
1 In the Active tab of the Policies panel, click Policy and choose one of the following:
  Deploy Policies to deploy only new and changed policies.
  Force Deploy All Policies to deploy all active policies.
2 In the Confirm Deployment box, click Deploy Policies.

When the deployment operation completes, the policies are marked with an icon.

If EncrypTight Manager cannot communicate with a PEP used in a policy, it keeps retrying the deployment action indefinitely. If this happens, you can cancel the deployment and troubleshoot the issue with the unreachable PEP.

To cancel a deployment:
1 Click Admin > Task History.
2 Locate and select the incomplete Policy Deployment task and the corresponding Policy Set Deployment task. Both are marked with a status of In Progress.
3 Click the cancel icon.
4 When you are prompted for confirmation, click Yes.

Rekeying Policies

When you create policies, you specify a rekey schedule that is either daily or at a fixed interval. However, you can initiate a rekey at any time.

To rekey policies:
1 In the Active Policy tab, click Policy > Force Rekey Policies.
2 In the Confirm Rekey box, click Rekey Policies.

Failsafe Rekey Mode

In Failsafe Rekey mode, EncrypTight Manager does not update the keys of any device if any of the devices is unreachable. The intent is to prevent network outages caused by inconsistent key updates that do not reach all of the devices in the network. If the key update cannot be completed on every device, EncrypTight Manager does not attempt the key update and tries again later. This prevents loss of traffic or network segmentation due to partial key updates.

The implicit trade-off with failsafe key updates is that key updates might be delayed. This configuration option gives you the ability to prioritize network availability over enforcing a strict key update interval. In practice, if the network and all devices are functioning properly, key updates proceed on schedule, and only under exceptional circumstances are key updates delayed.

Before performing a rekey, EncrypTight Manager does a lightweight ping of the PEPs involved. The ping has a short time-out (4 seconds). If one or more PEPs are not reachable after 4 attempts, that rekey is skipped and the task is marked as canceled ("connectivity requirements not met: pep x,z...").

Copying Policies

You can copy an existing policy to serve as the starting point for a new policy. This can be helpful if, for example, you need to make a similar policy for different network sets, or use the same network sets in a policy targeting different traffic. The copy includes all of the network sets, PEPs, and other configuration settings from the original. You can copy both active and saved policies. EncrypTight Manager appends "copy" to the policy name and increments the priority by one.

The Policy Elements Grid shows a filterable, table-based layout of policies and elements so that you can see all network sets, networks, and PEPs in one view.
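The all-or-nothing decision described under Failsafe Rekey Mode is worth seeing as logic, because its two parameters (a 4-second probe time-out and a budget of 4 attempts per PEP) determine both how long a scheduled rekey can be held up and which PEPs get named in the canceled task. The following Python model is an added example and not EncrypTight Manager's implementation: the probe is injected so the decision can be exercised offline, the `tcp_probe` helper assumes the PEP management interface answers on TCP port 22 (the guide only says the check is a lightweight ping), and the PEP names and reachability pattern in `demo()` are constructed.

```python
# Added example (not EncrypTight Manager code): the failsafe rekey gate.
# Either every PEP in the policy is rekeyed, or none is and the task records
# which PEPs failed the connectivity check.
import socket

PING_TIMEOUT_S = 4   # guide: short time-out of 4 seconds
PING_ATTEMPTS = 4    # guide: rekey skipped after 4 failed attempts


def pep_reachable(host, probe, attempts=PING_ATTEMPTS, timeout=PING_TIMEOUT_S):
    """True if probe(host, timeout) succeeds at least once within the attempt budget."""
    for _ in range(attempts):
        if probe(host, timeout):
            return True
    return False


def failsafe_rekey(pep_hosts, probe, rekey):
    """Rekey all PEPs only if all are reachable; otherwise skip and say why.
    Every PEP is probed (not just the first failure) so the task record lists
    all unreachable members, as in the guide's 'pep x,z...' message."""
    unreachable = [h for h in pep_hosts if not pep_reachable(h, probe)]
    if unreachable:
        return {
            "status": "canceled",
            "reason": "connectivity requirements not met: " + ",".join(unreachable),
            "rekeyed": [],
        }
    return {"status": "completed", "reason": "", "rekeyed": [rekey(h) for h in pep_hosts]}


def tcp_probe(host, timeout, port=22):
    """A real lightweight probe (assumption: PEP management side answers on
    TCP/22 for SSH, as the CLI chapter uses SSH). Not used by demo()."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo():
    """Constructed scenario: pep-a answers at once, pep-b only on its 3rd
    attempt (inside the budget), pep-c never. Returns the two task records."""
    calls = {}

    def fake_probe(host, timeout):
        calls[host] = calls.get(host, 0) + 1
        return {"pep-a": True, "pep-b": calls[host] >= 3, "pep-c": False}[host]

    def fake_rekey(host):
        return f"rekeyed {host}"

    first = failsafe_rekey(["pep-a", "pep-b", "pep-c"], fake_probe, fake_rekey)
    calls.clear()
    second = failsafe_rekey(["pep-a", "pep-b"], fake_probe, fake_rekey)
    return first, second


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Worst-case hold-up before a skip is `PING_ATTEMPTS * PING_TIMEOUT_S` seconds per unreachable PEP, which is the figure to compare against your key lifetime when deciding whether failsafe mode fits a given policy.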

To copy a policy:
1 Select the policy that you want to copy.
2 Click Policy > Copy Policy. The copy opens in a policy editor.
3 Make the changes that you need and click Save.

Figure 36 Policy Elements Grid

Editing Policies

You can modify both saved and active policies. When you modify an active policy, EncrypTight Manager marks the policy with an icon to indicate that the changes have not been deployed. If you do not want to keep the changes made to an active policy, you can undo them before you deploy policies.

To edit a policy:
1 Double-click the policy that you want to change, or select the policy and click Policy > Edit Policy.
2 Make your changes.

3 Click Save.

To undo edits to an active policy:
1 In the Active tab of the Policies panel, click Policy > Restore to Deployed Policies. This action reverts all changes made to active policies and their network sets, networks, and VLANs.
2 Click Yes when prompted for confirmation.

Figure 37 Editing a policy

NOTE When editing a policy, the policy's resources are highlighted in yellow in the Resources panel.

Validating Policies

You can check your policies for conformance to the policy rules prior to deployment. This is the same validation check that is performed on policies during a deploy operation and when you create your policies.

The Validate Policies command checks for features not universally supported across PEP models and software versions. It looks for inconsistencies such as using a mixture of Layer 2 and Layer 3 PEPs in a policy, using contiguous and non-contiguous network masks in a network set, and the use of virtual IP addresses.

Validating policies prior to deployment is useful if you have done any of the following:
  Made edits to any policy element since you last deployed policies: PEPs, networks, network sets, or policy definitions.

  Policies include a mix of appliance models.
  The PEPs in a policy are running a mix of software versions, for example PEPs running versions 1.5 and 1.6.

To validate policies:
1 On the Active tab, click Policy > Validate Policies. EncrypTight Manager displays a confirmation message indicating the results of the rules check.
2 If policies contain errors, go to the Policy panel to locate them. Expand the policy tree to find the component with the configuration error. Double-click the component with the error to open its editor and find the entry with the configuration error.

Deleting Policies

You can delete policies when they are no longer needed. You cannot delete active policies; you must deactivate a policy before you can delete it. This helps prevent you from deleting policies in error.

To delete a policy:
1 In the Active tab of the Policies panel, select the policy to remove.
2 Click Policy > Deactivate Policy.
3 Click Yes when prompted for confirmation.
4 In the Saved tab of the Policies panel, select the policy to remove.
5 Click Policy > Delete Policy.
6 Click Yes when prompted for confirmation.

NOTE If you delete a PEP from a network set (Layer 3) or a policy (Layer 2) and it is the last network set or policy for that PEP, the PEP receives rules to either pass traffic in the clear or drop all traffic, depending on the configuration setting in the Admin > EncrypTight Configuration page.

9 Policy Design Examples

Basic Layer 2 Point-to-Point Policy Example

In this example, we secure a single point-to-point Layer 2 Ethernet link using only the EncrypTight Manager software and two encryption appliances. This example focuses on the required settings and does not discuss advanced and optional settings.

Figure 38 Point-to-point Layer 2 Ethernet link
1) Layer 2 switch
2) PEP - local site
3) PEP - remote site
4) EncrypTight server
L, R, M) Local, remote, and management ports

The requirement for this policy is to encrypt all traffic between the two points. In EncrypTight Manager, configure the interfaces for both PEPs, then click the Features tab and do the following:
1 Select Layer 2:Ethernet for the Encryption Policy Settings.

To set up the encryption policy between the two PEPs, click the Policy tab for each PEP and make the selections described in Table 24. Make sure that you use the same key for both PEPs.

Table 24 Point-to-point Layer 2 encryption policy

Setting                      PEP:            PEP:
Role                         Primary         Secondary
IKE Authentication Method    PresharedKey    PresharedKey
IKE Preshared Key            zaq123edc       zaq123edc
Group ID                     0               0
Traffic Handling             EthEncrypt      EthEncrypt

Once the PEP configurations have been saved, push the configuration to the remote PEP first, and then push the configuration to the local PEP. For more information about creating Layer 2 point-to-point policies, see the Configuration chapter for your PEPs.

Layer 2 Ethernet Policy Using VLAN IDs

This example shows a more complicated Layer 2 Ethernet policy that encrypts traffic using specific VLAN IDs. Figure 39 shows a collection of networks for a company with a central headquarters and two branch offices. The company has a partner that needs access to specific company data but does not need access to the branch offices.

Traffic between the headquarters and the branches is assigned a VLAN ID tag. This ensures that communications between headquarters and the branches are not accidentally broadcast to other parties, such as the partner. Meanwhile, traffic between the partner and the partner portal server is assigned a different VLAN ID tag. Finally, for added security, all traffic not using one of the designated VLAN ID tags is discarded.

In this case, three separate policies need to be created:
  One Layer 2 Mesh encryption policy for traffic between the headquarters and each individual branch, using VLAN ID 10
  One encryption policy for the traffic between the partner and the partner portal server, using VLAN ID 20
  One drop policy that discards all traffic not using one of the specified VLAN ID tags, assigned a lower priority than the other policies

Figure 39 Using VLAN IDs

Policy Details

Policy 1: Headquarters and Branches
  Name: HQ/Branch Communications
  Priority:
  Renew: Once every 24 Hours
  Type: Encrypt
  PEPs: Headquarters, Branch 1, Branch 2
  VLAN ID: 10

Policy 2: Partner and Partner Portal Server
  Name: Branch 2 Communications
  Priority:
  Renew: Once every 24 Hours
  Type: Encrypt
  PEPs: Headquarters, Partner
  VLAN ID: 20

Policy 3: Discard All Other
  Name: Drop
  Priority:
  Renew: 0 Hours
  Type: Drop
  PEPs: All
  VLAN ID: None

To create the policies:
1 In EncrypTight, add and configure the PEPs to operate as Layer 2 PEPs.
2 Push the configurations to the PEPs.
3 In EncrypTight, add the VLAN ID tags.

4 Create the policies using the settings described in Policy Details.
5 Deploy the policies.

Complex Layer 3 Policy Example

In this example, we have sixteen networks connecting to each other through a public WAN. Four of these networks are considered regional centers. Each regional center has three branches.

Figure 40 Network example

Encrypt Traffic Between Regional Centers

To encrypt traffic between the four regional centers, create a Mesh IPSec policy with each regional network in a different network set.

Figure 41 Regional mesh encryption policy

The network sets required for this policy are:

Table 25 Network sets for mesh policy

Network Set      Networks    PEPs
Network Set A    netmask     PEP A
Network Set B    netmask     PEP B
Network Set C    netmask     PEP C
Network Set D    netmask     PEP D

Using the four network sets, create the mesh policy as shown in the following table:

Table 26 Encrypt all mesh policy

Field                          Setting
Name                           Encrypt All Mesh
Priority                       1000
Renew Keys/Refresh Lifetime    4 hours
Type                           IPSec
                               IPSec Encryption Algorithms - AES
                               Authentication Algorithms - HMAC-SHA-1
Key Generation                 By Network Set
Addressing Mode Override       Preserve internal network addresses
Minimize Policy Size           Disable
Network Sets                   Network Set A
                               Network Set B
                               Network Set C
                               Network Set D
Protocol                       Any

Encrypt Traffic Between Regional Centers and Branches

To encrypt traffic between each regional center and its branches, four hub and spoke policies are required. The following figure illustrates the hub and spoke policy between Regional Network A and its branches: Branch A1, Branch A2, and Branch A3.

Figure 42 Regional center to branches hub and spoke policy

These hub and spoke policies require the four network sets created in Encrypt Traffic Between Regional Centers on page 82 and twelve network sets for the branch networks.

Table 27 Network sets for the hub and spoke policies

Network Set       Networks    PEPs
Network Set A1    netmask     PEP A1
Network Set A2    netmask     PEP A2
Network Set A3    netmask     PEP A3
Network Set B1    netmask     PEP B1
Network Set B2    netmask     PEP B2
Network Set B3    netmask     PEP B3
Network Set C1    netmask     PEP C1
Network Set C2    netmask     PEP C2
Network Set C3    netmask     PEP C3
Network Set D1    netmask     PEP D1
Network Set D2    netmask     PEP D2
Network Set D3    netmask     PEP D3

The next tables show the four regional hub and spoke policies. Using Network Sets A, A1, A2, and A3, create a hub and spoke policy for region A as shown in the following table:

Table 28 Region A hub and spoke policy

Field                          Setting
Name                           Region A Hub and Spoke
Priority                       900
Renew Keys/Refresh Lifetime    4 hours

Table 28 Region A hub and spoke policy (continued)

Field                          Setting
Type                           IPSec
                               IPSec Encryption Algorithm - AES
                               Authentication Algorithms - HMAC-SHA-1
Key Generation                 By Network Set
Addressing Mode Override       Preserve internal network addresses
Minimize Policy Size           Disable
Hub                            Network Set A
Spokes                         Network Set A1
                               Network Set A2
                               Network Set A3
Protocol                       Any

Using Network Sets B, B1, B2, and B3, create a hub and spoke policy for region B as shown in the following table:

Table 29 Region B hub and spoke policy

Field                          Setting
Name                           Region B Hub and Spoke
Priority                       901
Renew Keys/Refresh Lifetime    4 hours
Type                           IPSec
                               IPSec Encryption Algorithm - AES
                               Authentication Algorithms - HMAC-SHA-1
Key Generation                 By Network Set
Addressing Mode Override       Preserve internal network addresses
Minimize Policy Size           Disable
Hub                            Network Set B
Spokes                         Network Set B1
                               Network Set B2
                               Network Set B3
Protocol                       Any

Using Network Sets C, C1, C2, and C3, create a hub and spoke policy for region C as shown in the following table:

Table 30 Region C hub and spoke policy

Field                          Setting
Name                           Region C Hub and Spoke
Priority                       902
Renew Keys/Refresh Lifetime    4 hours
Type                           IPSec
                               IPSec Encryption Algorithm - AES
                               Authentication Algorithms - HMAC-SHA-1
Key Generation                 By Network Set

Table 30 Region C hub and spoke policy (continued)

Field                          Setting
Addressing Mode Override       Preserve internal network addresses
Minimize Policy Size           Disable
Hub                            Network Set C
Spokes                         Network Set C1
                               Network Set C2
                               Network Set C3
Protocol                       Any

Using Network Sets D, D1, D2, and D3, create a hub and spoke policy for region D as shown in the following table:

Table 31 Region D hub and spoke policy

Field                          Setting
Name                           Region D Hub and Spoke
Priority                       903
Renew Keys/Refresh Lifetime    4 hours
Type                           IPSec
                               IPSec Encryption Algorithm - AES
                               Authentication Algorithms - HMAC-SHA-1
Key Generation                 By Network Set
Addressing Mode Override       Preserve internal network addresses
Minimize Policy Size           Disable
Hub                            Network Set D
Spokes                         Network Set D1
                               Network Set D2
                               Network Set D3
Protocol                       Any

Passing Routing Protocols

With Layer 3 routed networks, you might need to pass routing protocols in the clear. This is normally the case when routers are placed behind the PEPs and your WAN uses a private routed infrastructure. With a public routed infrastructure, the ISP handles the routing.

To create policies that pass routing protocols in the clear, include the router interfaces or subnets that participate in sharing the routing protocol. In our example, all the regional networks are Layer 3 routed networks and all branches are switched networks. Each regional network shares routing information with the other regional networks using EIGRP (protocol 88).

Figure 43 Passing routing protocol in the clear

Using the four network sets created in Encrypt Traffic Between Regional Centers on page 82, create a mesh policy as shown in the following table:

Table 32 Pass protocol 88 in the clear mesh policy

Field                          Setting
Name                           Clear EIGRP
Priority                       2000
Renew Keys/Refresh Lifetime    4 hours
Type                           Bypass IPSec
Key Generation                 By Network Set
Addressing Mode Override       Preserve internal network addresses
Minimize Policy Size           Disable
Network Sets                   Network Set A
                               Network Set B
                               Network Set C
                               Network Set D
Protocol                       88

This policy must be set to a higher priority than the mesh policy created in Encrypt Traffic Between Regional Centers on page 82. If this policy is set to a lower priority, the mesh encryption policy overrides the bypass policy and the routing protocol is encrypted.
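Both design examples in this chapter hinge on the same rule from Table 19: a PEP evaluates policies in descending priority order and the first match wins. The VLAN example relies on it to let the low-priority Drop policy catch untagged frames, and the EIGRP example relies on it to keep protocol 88 out of the encrypt-all mesh. The following Python model is an added example, not EncrypTight Manager code, and it generalizes the rule to both Layer 2 (VLAN ID range) and Layer 3 (network set plus protocol) selectors. The regional network addresses (10.1.0.0/16 through 10.4.0.0/16) and the VLAN example's priorities (200, 190, 10) are placeholders, because Tables 25 and the Policy Details leave those values blank; the 1000 and 2000 priorities come from Tables 26 and 32.

```python
# Added example (not EncrypTight Manager code): how a PEP chooses among
# matching policies. Network addresses and the VLAN example's priorities are
# placeholders; the guide's tables do not show them.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "any"  # the Protocol option's "Any" setting


@dataclass(order=True)
class L3Policy:
    """Layer 3 policy: matches when src and dst both fall inside the policy's
    network sets and the protocol matches (or the policy's protocol is Any)."""
    priority: int
    name: str = field(compare=False)
    action: str = field(compare=False)       # "encrypt", "clear" (bypass) or "drop"
    networks: Tuple[str, ...] = field(compare=False)
    protocol: object = field(compare=False, default=ANY)   # ANY or 0..255

    def matches(self, src: str, dst: str, proto: int) -> bool:
        nets = [ip_network(n) for n in self.networks]
        covered = (any(ip_address(src) in n for n in nets)
                   and any(ip_address(dst) in n for n in nets))
        return covered and self.protocol in (ANY, proto)


@dataclass(order=True)
class L2Policy:
    """Layer 2 policy: matches by VLAN ID tag range; no range means all frames."""
    priority: int
    name: str = field(compare=False)
    action: str = field(compare=False)
    vlan_range: Optional[Tuple[int, int]] = field(compare=False, default=None)

    def matches(self, vlan_id: int) -> bool:
        if self.vlan_range is None:
            return True
        lo, hi = self.vlan_range
        return lo <= vlan_id <= hi


def decide(policies, *selector):
    """Highest priority number first; the first matching policy decides.
    Returns (name, action), or None when no policy matches (unmatched traffic
    is then governed by the PEP's own default setting, outside this model)."""
    for pol in sorted(policies, reverse=True):   # dataclass order = by priority
        if pol.matches(*selector):
            return pol.name, pol.action
    return None


# Placeholder regional networks (assumption: the guide's addresses are not on the page).
REGIONS = ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16")


def regional_policies(eigrp_priority: int = 2000):
    """Tables 26 and 32: the encrypt-all mesh at priority 1000 and the EIGRP
    (protocol 88) bypass, which the guide requires at a higher priority."""
    return [
        L3Policy(1000, "Encrypt All Mesh", "encrypt", REGIONS, ANY),
        L3Policy(eigrp_priority, "Clear EIGRP", "clear", REGIONS, 88),
    ]


def check_eigrp_priority(policies) -> bool:
    """Design check for Table 32: protocol 88 between two regions must be
    passed in the clear, otherwise routing updates get encrypted."""
    result = decide(policies, "10.1.0.1", "10.2.0.1", 88)
    return result is not None and result[1] == "clear"


# Policy Details from the VLAN example. Priorities 200/190/10 are placeholders
# that keep the Drop policy lower than the two encrypt policies, as the guide requires.
VLAN_POLICIES = [
    L2Policy(200, "HQ/Branch Communications", "encrypt", (10, 10)),
    L2Policy(190, "Branch 2 Communications", "encrypt", (20, 20)),
    L2Policy(10, "Drop", "drop", None),
]


if __name__ == "__main__":
    print(decide(regional_policies(), "10.1.0.5", "10.2.0.9", 88))
    print(decide(regional_policies(eigrp_priority=500), "10.1.0.5", "10.2.0.9", 88))
    for vid in (10, 20, 30):
        print(vid, decide(VLAN_POLICIES, vid))
```

Running the EIGRP case with the bypass demoted below 1000 reproduces the pitfall the guide warns about: the mesh policy matches first and the routing protocol is encrypted. The same evaluator shows why the VLAN Drop policy needs no range: with the lowest priority it is reached only by frames that neither encrypt policy claimed.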


10 Managing PEPs

Editing Configurations

You can change the configuration of a single PEP as needed by opening the configuration editor for that PEP. You can also change some settings for multiple PEPs in a single operation.

Changing Settings on a Single Appliance

To edit the configuration of a single appliance:
1 In the PEPs view, select the PEP that you want to change.
2 Click Edit.
3 In the editor, modify the configuration settings. To change all of the values to their defaults, click Use Defaults.
4 When you are done, do one of the following:
  Click OK to save your changes and close the appliance editor.
  Click Save to save your changes and keep the appliance editor open.
5 Apply the new configuration to the appliance (click Apply).

TIP You can change some settings directly in the grid in the PEPs view. Double-click the PEP that you want to edit, change the settings you want to alter, and click Update.

Changing Settings on Multiple Appliances

When you edit a setting for a group of appliances, the editor displays the current data for the first appliance selected. You can accept those values and apply them to all of the selected appliances, or use them as a starting point for as many changes as you would like.

The settings that you can change for multiple PEPs include:
  PEP users
  Data port settings: auto-negotiation, flow control, and link speed
  Encryption mode (Layer 2 or Layer 3)

  Reassembly mode
  SNMP community strings, trap hosts, and trap masks
  SNTP settings
  PEP software version
  Syslog server

To update configuration settings on multiple PEPs:
1 In the PEPs view, select the PEPs that you want to change.
2 Right-click, choose Edit Multiple PEPs, and click the setting that you want to change.
3 In the editing window, make the changes that you need and click Apply.
4 Click Apply to apply the changes to the PEPs.

Refreshing Status

EncrypTight Manager automatically checks the status of your PEPs at periodic intervals, but you can initiate a status refresh as needed. There are two ways to refresh status:
  Refresh PEP State - refreshes the status of the PEP only.
  Refresh All - refreshes the PEP state, the configuration state, and the state of the policies on the PEP. A full refresh takes longer than a quick refresh.

To refresh status:
1 Select the PEPs that you want to check.
2 Do one of the following:
  Click the refresh icon to refresh the status of the PEPs only.
  Click the control next to the refresh icon and choose Refresh All.

For more information about status indicators, see Viewing PEP Status on page 34.

Deleting PEPs

You can delete a PEP from EncrypTight Manager when you need to remove it from service. When you delete a PEP, it is removed from the PEPs view and from any network sets in which it was included. At this point, the PEP cannot be configured or managed through EncrypTight Manager.

To delete PEPs:
1 In the PEPs view, select the PEP that you want to remove.
2 Click Delete.
3 Click Yes when you are prompted for confirmation.

NOTE If you delete a PEP from its last policy, the PEP receives rules to either pass traffic in the clear or drop all traffic, depending on the configuration setting in the Admin > EncrypTight Configuration page.

Connecting Directly to a PEP

You can connect directly to a PEP's command line interface (CLI) using SSH to perform troubleshooting and diagnostic tasks. You can also run a number of show commands through the EncrypTight Manager software. To access the full CLI for a PEP, open an SSH client and log in. For complete details about commands and using the CLI, see the ETEP CLI User Guide.

To run show commands for a PEP through EncrypTight Manager:
1 Select the PEP and click Remote Command.
2 From the Command box, select the command to run.
3 Click Execute.

Upgrading PEP Software

Using EncrypTight Manager, you can download new software from an FTP server to one or many PEPs. You can upgrade a mix of PEP models, such as ET0010As, ET0100As, and ET1000As, in a single operation.

About Upgrading PEP Software

When upgrading software on PEP 1.6 and later appliances, you can use either FTP or SFTP for the file transfer. Only SFTP protects the transfer: plain FTP sends the server login and the software image in the clear. If you choose SFTP as the connection method, all of the selected appliances must support SFTP.

Software upgrades on multiple appliances are performed in parallel. By default, EncrypTight Manager upgrades 10 appliances at a time. If you select more appliances than that, EncrypTight Manager starts the next appliance as each upgrade completes, until upgrades have been initiated on all of the selected appliances. You can configure the number of PEPs that EncrypTight Manager upgrades concurrently (see Configuring the Upgrade Concurrency Limit).

The time it takes to complete a software upgrade depends on the appliance model and the speed of the link; the slower the link, the longer the upgrade. If the software is not successfully loaded onto an appliance within a predefined time frame, the connection times out. The upgrade timeout is user-configurable (Admin > EncrypTight Configuration; see Configuring the Upgrade Timeout).

If you experience a problem with an upgrade, you can restore the appliance's file system from the backup copy, which the PEP creates automatically as part of the upgrade process (see Restoring the Backup Filesystem).

Upgrade remote appliances first when managing appliances in-line, where management traffic flows through the data path.

Figure 44 Upgrade remote appliances
Elements of Figure 44: 1) Local site appliance 2) Workstation 3) EncrypTight Server 4) Remote site appliances. R, L, M: remote port (R), local port (L), and management port (M).

If you are managing your Black Box appliances in-line as shown in Figure 44, we recommend performing a software upgrade in two stages. First, upgrade all the appliances at remote sites and reboot them. When the remote site appliances are up and operational, upgrade the local site appliance, which is co-located with the EncrypTight Manager server. Upgrading the local appliance at the same time as the remote appliances can cause connectivity with the management system to be lost and the remote site upgrades to fail, because the management traffic to the remote sites passes through the local appliance's data path.

CAUTION We recommend rebooting immediately after upgrading. Any configuration changes made between the upgrade and the subsequent reboot are lost when the appliance reboots. This includes changes to policies and keys (including rekeys), certificates, and appliance configuration. Rebooting an appliance interrupts traffic on the data ports for several minutes. During the reboot operation all packets are discarded.

Upgrading PEP Software

To upgrade PEP software using the EncrypTight Manager FTP server:
1 In the PEPs view, select the target appliances. If you are managing the PEPs in-line, upgrade the remote site appliances before the data center appliance, as shown in Figure 44.
2 Right-click the PEPs and click Upgrade Software.

3 Select Use the EncrypTight Manager FTP server.
4 From the User box, select the appropriate user account.
5 For the Upgrade Directory, click Browse and select the upgrade zip file.
6 Optionally, test the connection by clicking Verify.
7 Decide when to reboot the upgraded appliances. Appliances must be rebooted for the new software to take effect. Select the Reboot appliances immediately after operations complete check box to reboot the appliances automatically following a successful upgrade. Clear the check box to reboot the appliances at a later time, for example after working hours. See Rebooting PEPs on page 39 for more information about rebooting appliances.
8 Click Submit.

EncrypTight Manager confirms that the FTP site is reachable before it begins the upgrade operation. Upgrade results for each appliance are displayed in the Management activity area.

To use an external FTP server, you must have previously added one in the Admin > EncrypTight Configuration view.

To upgrade PEP software using an external FTP server:
1 From the CD for the PEPs that you want to upgrade, copy the folder for your appliance model to your default FTP directory.
2 In the PEPs view, select the target appliances. If you are managing the PEPs in-line, upgrade the remote site appliances before the data center appliance, as shown in Figure 44.
3 Right-click the PEPs and click Upgrade Software.
4 Select Use an external FTP server.
5 From the Alias box, select the FTP server connection that you want to use.
6 For the Upgrade Directory, click Browse, select the folder you copied in step 1, and click Open.
7 To specify a folder on the FTP server in which to store the upgrade software, for New Software Archive, click Browse, select a folder, and click Open.
8 From the Connection Method box, select FTP or SFTP, as needed. Prefer SFTP whenever all of the selected appliances support it; plain FTP carries the login and the image unprotected.
9 Optionally, test the connection by clicking Verify.
10 Decide when to reboot the upgraded appliances. Appliances must be rebooted for the new software to take effect. Select the Reboot appliances immediately after operations complete check box to reboot the appliances automatically following a successful upgrade. Clear the check box to reboot the appliances at a later time, for example after working hours. See Rebooting PEPs on page 39 for more information about rebooting appliances.
11 Click Submit.

Table 33 FTP server information for appliance software upgrades
  File: Specifies the software upgrade folder that you want to use. Click Browse to select a folder.
  Reboot appliances immediately after operations complete: Specifies that the PEPs should be rebooted once the software upgrade is complete.
  Stage upgrade only (do not perform upgrade or reboot): Select this option if you are preparing for an eventual upgrade but are not yet ready to upgrade your appliances. This option copies the software upgrade files to the FTP server in preparation for an upgrade.
  Use the EncrypTight Manager FTP server: Specifies that you want to use the default EncrypTight Manager FTP server.

Table 33 FTP server information for appliance software upgrades (continued)
  User: User ID of a user on the FTP server. Do not use the following characters: ? # < > &
  Relative Path: The directory on the FTP server that contains the files of interest. Valid entries are the default FTP directory and its subdirectories. Enter the directory path relative to the default directory. If the files are located in the default directory, leave this field blank.
  Use an external FTP server: Specifies that you want to use an external FTP server. You must have previously added an external FTP server from the Admin > EncrypTight Configuration view.
  Alias: Select a name for the FTP connection. EncrypTight Manager completes the remaining FTP server information for you based on the selected Alias.
  Relative Path: The directory on the external FTP server that contains the files of interest. Valid entries are the default FTP directory and its subdirectories. Enter the directory path relative to the default directory. If the files are located in the default directory, leave this field blank.
  Connection Method: As needed, select FTP or SFTP.

Figure 45 Upgrade PEPs

Upgrading PEP software can take a significant amount of time, especially if you have many PEPs to upgrade. In this scenario, you might want to stage the upgrade ahead of time and roll out the actual upgrades according to a schedule. Staging the upgrade copies the software upgrade files to the server but does not install them on any PEPs.

What to do if an Upgrade is Interrupted

If the upgrade operation is interrupted or times out prior to completion, refer to the results table to see which appliances were successfully upgraded and which were not. For appliances that were not successfully upgraded, do the following:

1 Make a note of the appliance name and problem description in the Result column.
2 Close the Upgrade Appliances window.
3 Fix the problem with the appliance.
4 Select the target appliances and restart the software upgrade operation.

Configuring the Upgrade Timeout

By default, if an upgrade does not complete within an hour, the system times out and cancels the upgrade. Depending on your needs, you might want to adjust the timeout period.

To configure the upgrade timeout:
1 Click Admin > EncrypTight Configuration.
2 Under General Configuration, double-click Upgrade Timeout.
3 Enter a new value in the box and click Update.

Checking Upgrade Status

You can check on the status of an upgrade using two methods:
  In EncrypTight Manager, configure a syslog server to receive events generated by the PEP. The PEP generates several system log events with a priority level of notice during the upgrade process.
  The show upgrade-status and show system-log CLI commands report on the upgrade process. During an upgrade the CLI is available from the serial port, but you cannot initiate an SSH session until the upgrade is complete. The show commands are available in PEP 1.5 and later.

Configuring the Upgrade Concurrency Limit

You can configure the number of PEPs that EncrypTight Manager upgrades at the same time. The default is 10, but you can increase or decrease the number as needed. Keep in mind that a larger number of concurrent upgrades increases the traffic load on your network. You must be logged in as a platform administrator to change this setting.

To configure the upgrade concurrency limit:
1 Click Admin > EncrypTight Configuration.
2 Under General Configuration, double-click Upgrade Concurrency Limit.
3 Type a new limit in the box and click Update.
Configuring LDAP

You can configure the Lightweight Directory Access Protocol (LDAP) settings of a PEP from the LDAP Configuration menu, which is reached by selecting the Admin tab and then the EncrypTight Configuration tab.

To configure LDAP:
1 Click Admin > EncrypTight Configuration.
2 Under Login Configuration, double-click LDAP Configuration for the desired PEP.
3 The LDAP Configuration screen appears.

Figure 46 LDAP Configuration

Restoring the Backup Filesystem

The restore operation restores the backup copy of the appliance file system. As part of the software upgrade process, the PEP preserves a backup copy of the file system. The backup copy contains a software image, configuration files, policies and keys, certificates, log files, and passwords. Restoring the backup file system replaces the current file system with the backup files, so everything in that list reverts to its state at the time the backup was taken.

The restore operation can be reversed. It essentially toggles between the current file system and the backup image: each time you issue the restore command, the appliance switches its running image to whichever file system is not currently in use.

Review the following recommendations and cautions prior to restoring the file system:
  Make sure that you know the passwords used in the backup configuration. Once the backup image is restored on the appliance, you must use the passwords from the backup configuration to log in.
  After restoring the file system, redeploy policies to the PEP to ensure that the appliance is using the current set of policies and keys. Until you do, the PEP is running the policies and keys that were current when the backup was taken.
  The restore operation replaces the current certificate with the backup certificate. If you replaced a certificate after the backup image was created, you must reinstall that certificate after the file system is restored. Failure to do so can result in a communication failure between the PEP and EncrypTight Manager.

To restore the appliance file system from a backup copy:
1 In the PEPs view, select the target appliances.
2 Right-click and choose Restore from Backup.
3 Click Yes to confirm the action. The appliance reboots automatically to complete the restore operation.
4 Redeploy policies to the PEP to ensure that the appliance uses the current set of policies and keys.

Backup and Restore of ETM

General Guidelines

A variety of failure scenarios can occur in a production environment, and recovering from them does not always involve the same procedures. The procedure to follow depends on the type of failure and on how much data was lost as a result.
The common failure cases addressed here are:
  disk drive failures
  other hardware component failures
  damage to the ETM software or database
  other filesystem damage
  complete loss of the OS

Every IT organization has policies or practices for backing up servers. Find out what a given customer does and ensure that the ETM servers are included in those procedures. Also ensure that the customer has, or creates, some form of bootable media (for example, a DVD) so that the disk drives of an ETM server can be reached if radical damage is done to the OS (such as 'rm -rf /'). Common examples are a bootable Linux CD/DVD, a recovery CD made with Clonezilla, a Ghost recovery DVD, or a generic rescue CD or USB stick.

Backup components provided by ETM

EncrypTight Manager provides mechanisms for backing up its database and for backing up the ETM software. Customers who do not take full server backups regularly can use these tools to recover as close to the point of failure as possible while backing up the minimal amount of data necessary to restore. Periodic backups can be scheduled from EncrypTight Manager. ETM also reduces the need for frequent full system backups.

Database Backup: To capture a known-good, point-in-time configuration, take a database snapshot. At a minimum, do this each time a production set of policies is deployed. See Procedure 5 below.

Database Restore: To return to a known-good point in time, restore from a database backup. See Procedure 6 below. If restoring an entire cluster, this only needs to be done on one node; the other node should then be synchronized via the UI.

ETM Backup: A full ETM backup does not need to be performed as frequently as the database backup, because changes to an ETM distribution are much less frequent than changes to the database. However, whenever such changes are made, it is advisable to take a backup. Keep backups in a directory other than the log directory. Changes that warrant an ETM backup include:
  Upgrading the ETM software
  Staging new ETEP software on the ETM FTP server
  Topology changes to a cluster (adding or removing a node)

EncrypTight Manager Restore: Restoring from an ETM backup is necessary if damage has occurred within the ETM install directories, such as unintentional deletion of the policyserver configuration files or binaries. The ETM backup includes a database backup within its archive (tar file); however, it may not be necessary to restore the database. If the intention of the restore is simply to fix the filesystem, the database does not need to be restored.
If, however, a full system recovery is being performed, then the most recent ETM backup and the most recent database backup should be used for restoration. If the most recent database backup is the one contained within the ETM backup, use that one.

Hardware Server specifics

Drive failures

A hardware ETM server has two possible configurations: a non-RAID dual-drive system, or a RAID 1 dual-drive system (mirroring).

RAID system: For a drive failure in a RAID configuration, simply replacing the failed drive is all that is necessary.

Non-RAID system: There are two possibilities.
  Failure of the main drive: Boot from the backup drive (change the BIOS boot order), and restore with Procedure 2, 4, or 6 below, depending on how many changes were made outside of the ETM software. Then replace the failed drive and dd the main drive to the new drive, which becomes the new backup drive.
  Failure of the backup drive: Replace the backup drive and repeat the dd operation to copy the main drive to the backup drive.

Other hardware component failures

If some component other than a drive has failed, that component can be replaced in the field, or the server can be returned to Black Box under RMA.

Damage to the ETM software or database

If damage is done to the ETM installation, such as unintentional removal of key configuration files or binaries under /opt/jboss/server/policyserver, then the ETM software should be restored. If that is all that occurred, the database does not need to be restored. See Procedure 4 below for restoring the ETM software.

Damage to the OS or filesystem

If damage is done to other areas of the filesystem, such as unintentional removal of OS files or of files outside the ETM root directory, then a restore from backup is necessary. Depending on what was damaged, either part of the backup or all of it may be needed for the restore. For example, if the only damage was to /etc, then only that portion of the backup is needed to recover. If something as drastic as 'rm -rf /' has occurred, then the full backup is needed, and a subsequent ETM backup or database backup might also need to be applied if one exists that is more recent than the full backup. See Procedure 2 and Procedures 4 and 6 below.

Example backup and restore procedures

Procedure 0. Copying drives with dd (only for non-RAID systems!)

An example command, run as root, to copy drive a to drive b:

dd if=/dev/sda of=/dev/sdb bs=100M conv=notrunc,noerror

Be careful with the order of if and of: if you get them confused, you write the blank disk over the good one. Note that GNU dd requires the block-size suffix in upper case (100M). Also be aware that the copy includes everything on the drive, including the ETM database, keys, certificates, and password hashes, so the backup drive must be protected as carefully as the main drive. More information on dd can be found on Wikipedia and on linuxquestions.org.

The above procedure could be run regularly to snapshot a drive as it is modified, to keep the backup as current as desired. This procedure can serve as a full filesystem backup (an alternative to Procedure 1 below) for non-RAID configured servers.
However, it is subject to failure of the backup drive itself.

Procedure 1. Backing up the entire filesystem

As stated in the General Guidelines, each IT organization will (or should) have standardized backup practices. At a minimum, they should take a full snapshot of an ETM filesystem at least once, after the installation script has been run and whatever site-specific configuration changes were wanted (such as changes to files in /etc) have been made.

There are many ways to accomplish this. One simple method is the tar command. An example is provided here (run as root):

cd /
tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys /

On systems where /dev and /run are virtual filesystems, exclude those as well. Please familiarize yourself with the tar command and its arguments; the man pages are included in the ETM distribution.

As noted above, the dd operation for non-RAID configured servers also serves as a full filesystem backup. It can be performed at important milestones to keep the backup current.
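The following shell wrapper is an added example (not from the guide or from the ETM distribution) that makes the Procedure 0 copy safer in practice. It refuses to run when the source and destination resolve to the same path, or when the destination is the device holding the mounted root filesystem, and it verifies the copy with a checksum afterwards, so the if/of mix-up the guide warns about is caught rather than acted on. Device paths, the optional block-size argument, and the Linux-specific tools (GNU dd, readlink -f, sha256sum, blockdev) are assumptions.

```shell
#!/bin/sh
# Added example; not part of the EncrypTight guide or its scripts.
# Guarded version of the Procedure 0 dd copy for non-RAID ETM servers.
# Assumes GNU coreutils/util-linux (dd status=none, readlink -f, blockdev).

# SHA-256 of stdin (integrity check of the copy, not a security boundary).
sum_stdin() { sha256sum | cut -d' ' -f1; }

# safe_dd_copy SOURCE DEST [BLOCKSIZE]
# Returns 0 only when DEST begins with a byte-for-byte copy of SOURCE.
safe_dd_copy() {
    src=$1; dst=$2; bs=${3:-100M}   # capital M: GNU dd rejects a lowercase suffix
    [ -n "$src" ] && [ -n "$dst" ] || { echo "usage: safe_dd_copy SRC DST [BS]" >&2; return 1; }
    [ -e "$src" ] || { echo "refusing: source $src does not exist" >&2; return 1; }

    # Compare canonical paths so a symlink to the same device is caught too.
    src_real=$(readlink -f "$src" 2>/dev/null || printf '%s' "$src")
    dst_real=$(readlink -f "$dst" 2>/dev/null || printf '%s' "$dst")
    if [ "$src_real" = "$dst_real" ]; then
        echo "refusing: source and destination are the same ($src_real)" >&2
        return 1
    fi

    # Never write over the device that holds the running root filesystem.
    root_dev=$(awk '$2 == "/" { print $1; exit }' /proc/mounts 2>/dev/null)
    if [ -n "$root_dev" ] && [ "$(readlink -f "$root_dev" 2>/dev/null)" = "$dst_real" ]; then
        echo "refusing: $dst is the mounted root device" >&2
        return 1
    fi

    # noerror keeps going past unreadable blocks; sync zero-pads them so every
    # later block still lands at its original offset instead of shifting.
    dd if="$src" of="$dst" bs="$bs" conv=notrunc,noerror,sync status=none || return 1

    # Verify: DEST may be longer (padding, or a larger device), so compare
    # exactly the first SOURCE-length bytes. Block devices report their size
    # through blockdev; wc -c would read the whole device.
    if [ -b "$src" ]; then
        size=$(blockdev --getsize64 "$src")
    else
        size=$(( $(wc -c < "$src") ))
    fi
    if [ "$(sum_stdin < "$src")" != "$(head -c "$size" "$dst" | sum_stdin)" ]; then
        echo "copy verification failed for $dst" >&2
        return 1
    fi
    echo "verified copy of $src ($size bytes) to $dst"
}

# Example invocation (placeholder device names): safe_dd_copy /dev/sda /dev/sdb
```

On a real server run it as root with the two device paths; the third argument only exists so the wrapper can be exercised on small test files.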

Procedure 2. Restoring the complete filesystem, including the OS

How you restore the complete filesystem depends on how the backup was taken. If it was taken with the example tar command above, restoring involves untarring the backup like so:

cd /
tar xvpzf backup.tgz -C /

Note that if you are restoring a completely destroyed filesystem on the boot partition, the server must be booted from other media: either a CD/DVD/drive as mentioned at the beginning of this section, or the secondary drive if the system is non-RAID and that drive holds a backup.

If restoring from a dd backup, perform the dd operation in the same manner as initially, but with the "if" and "of" arguments reversed. For example:

dd if=/dev/sdb of=/dev/sda bs=100M conv=notrunc,noerror

Alternative *nix backup methods

There are many other methods for backing up and restoring a *nix operating system, including dar, rsync, cp, scp, tar, dd, Clonezilla, Ghost, Amanda, and many more. As mentioned previously, a customer's IT organization is expected to have already established backup policies and procedures. If not, or for general reference, many sites on the internet discuss this topic.

Procedure 3. Backing up the ETM software and data

To back up the EncrypTight Manager software and data, navigate to the Platform > Utilities page, then the AppServer Nodes tab, select the server you are logged into, right-click, and choose Backup. This performs a database backup and then creates a tar archive containing the ETM software, the root directory where ETM is installed, the database backup, and the other directories used by ETM, specifically the ftp directory and the filestore directory. Keep backups in a directory other than the log directory.
The backup is also optionally copied with scp to a remote server if the corresponding configuration properties are set up. These properties were covered in the technical Webex session; for convenience, they are also listed here. They are named as follows in the Admin > ETM Config page:
  Backup Server (ip)
  Backup Server scp Directory
  Backup Server scp User
  Backup Server scp Password

Also note that the ETM root directory is /opt/jboss/server/policyserver, and that /opt/scripts is a symlink to /opt/jboss/server/policyserver/scripts, so that directory is backed up. It contains the configuration files that were used during installation. Files in /etc/init.d are not included in this tar, so back those up separately after installation; they should never change after installation.

Whether or not the backup is copied to a remote host, a copy is left in the /opt/jboss/server/policyserver/log directory and can be downloaded via the browser from the Admin > Server Files page (from the logs folder). Double-clicking it downloads it. The database backup is also located there. Move backups to a directory other than the log directory: the archive contains the database, keys, and password material, and a log directory is not where that belongs.

The names are of the following format:

<host ip address>-backup-yyyymmdd-hh-mm.tar.gz
db-backup-yyyymmdd-hh-mm.sql.gz

Procedure 4. Restoring the ETM software and data

To restore from an EncrypTight Manager server backup, obtain the backup that was taken for the particular host (note that the IP address of the host is part of the backup file name), scp it to the ETM host, stop the application server, and untar it. For example:

scp <host ip address>-backup-yyyymmdd-hh-mm.tar.gz root@etmserver:/
ssh root@etmserver
/etc/init.d/policyserver stop
cd /
gunzip -c <host ip address>-backup-yyyymmdd-hh-mm.tar.gz | tar xvpf -

At this point, the database backup located in /opt/jboss/server/policyserver/log can be used (only if necessary) to restore the database. See Procedure 6. Once completed, restart the application server with /etc/init.d/policyserver start. See the notes below on details related to cluster nodes and DR servers.

Procedure 5. Backing up the ETM database

To back up just the EncrypTight Manager database, navigate to the Platform > Utilities page, then the DB Nodes tab, select the database for the server you are logged into, right-click, and choose Backup. This creates a backup that can be downloaded from the Admin > Server Files page, in the logs folder. It is named like db-backup-yyyymmdd-hh-mm.sql.gz. Double-clicking it downloads it to your local disk, from where it should be safely archived. If a backup scp host is configured, the database backup is also copied there, as is done for server backups.

Procedure 6. Restoring the ETM database

To restore the database from a backup, scp the backup to the host being restored and execute the db-import.sh script. For example:

scp db-backup-yyyymmdd-hh-mm.sql.gz root@etmserver:/opt/filestore
ssh root@etmserver
cd /opt/filestore
gunzip db-backup-yyyymmdd-hh-mm.sql.gz
/opt/scripts/db-import.sh --importfile=db-backup-yyyymmdd-hh-mm.sql

If you changed the database user ID or password, you must supply those options as well:
[root@policyserver log]# /opt/scripts/db-import.sh --help
db-import.sh --help --dbuser=dbuser --dbpass=dbpassword --dbtype=dbtype --importfile=importfile --disasterserver=[true/false]

A disasterrekey override has been added to policyserver-init.conf. If it is set to false, the disaster server will NOT start rekeys; manual intervention is required to start rekeys on the DR server in this situation.

NOTE policyserver-init.conf has been modified to simplify certificate options and to group the HSM options (random number generation) in one place.
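The following shell helper is an added example, not part of the guide or of the ETM scripts, showing what to do with a server backup once the Platform > Utilities backup (or the Procedure 1 tar) has produced it. It names the archive in the guide's <host ip address>-backup-yyyymmdd-hh-mm.tar.gz form, writes it mode 600 because it holds the database, keys, certificates and password material, skips the log directory so earlier backups left there are not nested into the new one, records a SHA-256 sidecar, and refuses to pass an archive whose checksum or tar structure no longer matches, so a damaged or tampered file is rejected before it is untarred over / as in Procedure 4. The source tree, output directory, and host IP are placeholders; the real archive contents (policyserver, filestore, ftp directories) are only mimicked here.

```shell
#!/bin/sh
# Added example; not part of the EncrypTight guide or the ETM distribution.
# Requires GNU tar and sha256sum (present on the ETM Linux host).

# Name per the guide: <host ip>-backup-yyyymmdd-hh-mm.tar.gz
etm_backup_name() {
    ip=$1; stamp=${2:-$(date +%Y%m%d-%H-%M)}
    printf '%s-backup-%s.tar.gz\n' "$ip" "$stamp"
}

# etm_backup SRC_ROOT OUT_DIR IP [STAMP]
# Archives SRC_ROOT (on a real host this would be /opt/jboss/server/policyserver
# plus /opt/filestore), skipping its log/ subtree so old backups that the
# server leaves in the log directory are not nested into the new archive.
# The archive holds keys, certificates and password hashes, so it is created
# mode 600 and a SHA-256 sidecar is written for later integrity checking.
# Prints the archive path on success.
etm_backup() {
    src=$1; out=$2; ip=$3; stamp=$4
    name=$(etm_backup_name "$ip" "$stamp")
    mkdir -p "$out" || return 1
    ( umask 077 && cd "$src" && tar czf "$out/$name" --exclude='./log' . ) || return 1
    chmod 600 "$out/$name" || return 1
    ( cd "$out" && sha256sum "$name" > "$name.sha256" ) || return 1
    printf '%s\n' "$out/$name"
}

# etm_verify_backup ARCHIVE
# Returns 0 only if the sidecar checksum still matches and the archive is a
# readable tar; anything else is refused before a restore is attempted.
etm_verify_backup() {
    archive=$1
    dir=$(dirname "$archive"); name=$(basename "$archive")
    [ -f "$archive.sha256" ] || { echo "no checksum sidecar for $name" >&2; return 1; }
    ( cd "$dir" && sha256sum -c --quiet "$name.sha256" ) >/dev/null 2>&1 \
        || { echo "checksum mismatch: $name" >&2; return 1; }
    tar tzf "$archive" >/dev/null 2>&1 \
        || { echo "not a readable archive: $name" >&2; return 1; }
    return 0
}

# Example (placeholder paths and IP):
#   etm_backup /opt/jboss/server/policyserver /var/backups/etm 192.0.2.10
#   etm_verify_backup /var/backups/etm/192.0.2.10-backup-20240101-09-30.tar.gz
```

Run etm_verify_backup on the copy you are about to restore, not on the copy still sitting in the log directory of the damaged host; the sidecar should travel with the archive to wherever it is archived.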

Cluster notes

Restoring a cluster node should not include restoring the database if another cluster node with a database is still active. Instead, synchronize the database on the restored node via the ETM web application: on the Platform > Utilities page, on the DB Nodes tab, find the inactive database, right-click it, and choose Activate.

Server time has been added to the AppServer Nodes grid. Each server in a cluster reports its time, which can be viewed and checked for clock skew. Server version information has also been added to the AppServer Nodes grid.

DR notes

If restoring a DR database (which should really never be necessary, since the backup can be pushed from the main ETM site via the UI), you must supply the --disasterserver=true command line option.

Restoring to factory defaults

If for some reason a server needs to be set back to the state in which it was delivered from Black Box, run the /opt/scripts/factory-restore.sh script. You are prompted twice before it proceeds. This script stops the ETM server, deletes the database, and resets all configuration files to their original state. The installer can be re-run after performing this operation.

VM Server specifics

VMware backup guide

Note that VMware does not consider VM snapshots to be backups. For more information about snapshots, see the following VMware knowledge base articles:
  Understanding VM snapshots
  Best Practices for VM snapshots

11 Configuring PEPs

This chapter provides procedures and reference information for configuring PEP appliances. To prepare the PEP for operation in your network, do the following:
  In the PEPs view, click Add to open the Appliance editor.
  Select the PEP appliance model from the Product Family list (ET0010A, ET0100A, ET1000A), and select the software version loaded on the PEP.
  On the Interfaces tab:
    Enter the appliance name and password (the password is needed for PEP software version 1.3).
    Specify the throughput speed at which you want the PEP to run (PEP software version 1.6 and later). The throughput speed is determined by the PEP model and the license that you purchased. For more information about throughput speeds and licenses, see Managing Licenses on page 61.
    Enter the management port IP address, mask, and gateway.
  On the Features tab, configure the encryption policy setting for Layer 2 or Layer 3. For standalone operation (point-to-point policies), disable EncrypTight Manager.
  Configure the settings appropriate to the type of policies that you will be creating:
    For distributed key policies, see Configuring PEPs for Use with EncrypTight on page 33.
    For point-to-point policies, see Layer 2 Policies on page 65.
  You can configure other items as desired, such as auto-negotiation, logging, SNMP trap hosts, or other network interoperability settings. Configuration options vary among software revisions. For a listing of the options available for each software version and their default settings, see Factory Defaults on page 138.

Changing the default password is an important step in maintaining the security of your network. You can manage user accounts and passwords in the EncrypTight Manager software or through the CLI. After adding and configuring a new appliance, be sure to add users and passwords before pushing the configuration to the appliance; otherwise the appliance goes into service still accepting the factory default credentials.

If you plan to operate the PEP in FIPS mode, we recommend enabling FIPS mode as one of your first configuration tasks.
Entering FIPS mode resets many configuration items, such as passwords, policies, and certificates. To avoid having to reconfigure the PEP, enable FIPS mode first and then perform the rest of the appliance and policy configuration tasks. See FIPS Mode on page 135 for more information about FIPS mode.

Identifying an Appliance

In order to add a PEP, you must:
  Specify the product family and software version
  Enter a unique name
  Enter the desired throughput speed (PEPs with software version 1.6 and later)

The Interfaces tab contains the fields that EncrypTight Manager uses to identify an appliance and communicate with it: appliance name, throughput speed, and management interface IP address.

Product Family and Software Version

When you configure a new appliance, you must select the product family (for example, ET0100A) and the software version loaded on the appliance, such as PEP 1.6. EncrypTight Manager displays a configuration screen tailored to the specified appliance model and software version.

Appliance Name

The appliance name is defined on the Interfaces tab. The appliance name identifies an appliance to EncrypTight Manager. Names must adhere to the following conventions:
  Appliance names must be unique
  Names can be characters
  Alphanumeric characters are valid (upper and lower case alpha characters and the numbers 0-9)
  Spaces are allowed within a name
  The following special characters cannot be used: < > & * ? / \ :
  Names are not case sensitive

Because the appliance name is also the SNMP system name on the appliance, be aware of the following restrictions when copying a name from the appliance to EncrypTight Manager. Names with any of the characteristics listed below cannot be copied from an appliance to EncrypTight Manager:
  A name with one or more invalid special characters
  A blank name
  A name that is already in use as an appliance name in EncrypTight Manager

To learn more about copying configurations from the appliance to EncrypTight Manager, see Comparing Configurations on page 36.

Throughput Speed

This section applies only to PEPs with software version 1.6 and later. In the Throughput Speed box, enter the speed at which the PEP should run. The allowable throughput speed depends on the PEP model and the license you purchased.
EncrypTight Manager only allows you to run a PEP at the speed for which it is licensed. For more information about licenses and throughput speeds, see Managing Licenses.

Interface Configuration

The PEP management, local, and remote ports are defined on the Interfaces tab (see Figure 47).

To configure appliance interfaces:
1 In the PEPs view, click Add.
2 In the Add PEP box, type the IP address and enter a unique name for the PEP.
3 Click OK.
4 Configure the items on the Interfaces tab, which are described in the rest of this section.
5 When you have finished configuring the appliance interfaces, do one of the following:
  Click one of the other tabs to configure additional parameters.
  Click Save and New to save the appliance configuration and add another.
  Click Save to save the appliance configuration.
  Click OK to exit the editor.

Management Port Addressing

Management of the PEP is performed out-of-band or in-line through the Ethernet management port. The PEP management port must have an assigned IP address in order to be managed remotely and to communicate with other devices. The IP address that you enter in EncrypTight Manager must match the IP address in effect on the appliance's management port. PEPs running software version 1.6 and later support both IPv4 and IPv6 addresses on the management port.

Figure 47 Management Port Addressing Settings

IPv4 Addressing

The PEP requires an IPv4 address for proper operation, even when it is deployed in an IPv6 network. Enter the IPv4 address, subnet mask, and gateway that are configured on the PEP's management port.

Table 34 IPv4 management port addressing

IP Address and Subnet Mask: Enter the IPv4 address and subnet mask that have been assigned to the PEP management port, in dotted decimal notation.

Default Gateway: Specifies how to route traffic between the PEP management port and the management system and/or other EncrypTight servers. When the management port is on a different subnet than the management system or EncrypTight server, specify the IP address of the router's local port that is on the same subnet as the PEP management port. In Figure 48, the default gateway is and the management port IP address is . If the other devices are on the same subnet as the management port, you do not need to enter a default gateway.

NAT IP Address: If your network requires the use of allocated IP addresses when communicating over a public network, enter the Network Address Translation (NAT) IP address for EncrypTight Manager to use when communicating with the PEP. If you use a NAT address, you must still configure the management port IP address, subnet mask, and default gateway. The NAT IP address is used only by EncrypTight Manager. It is not pushed to the PEP, and therefore does not appear when comparing the EncrypTight Manager and appliance configurations.

Figure 48 Management port default gateway on the PEP

Elements of Figure 48:
1) PEP
2) Router
3) Management workstation

IPv6 Addressing

The use of IPv6 addressing is optional. If you select Use IPv6, EncrypTight components will use IPv6 to communicate with the PEP. When using IPv6, you must configure the PEP for dual-homed operation by assigning both an IPv4 and an IPv6 address to the management port.

To configure the PEP for operation in an IPv6 network, do the following:

1 Select Use IPv6. This tells EncrypTight Manager to use an IPv6 address when communicating with the PEP.
2 Enter the IPv4 address, subnet mask, and default gateway that are configured on the PEP, if you haven't already.
3 Enter the IPv6 address and default gateway that are configured on the PEP.

Table 35 IPv6 management port addressing

IPv6 Address: <ip address>/<prefix-length>. IPv6 address of the PEP management port. This is a 128-bit address consisting of eight hexadecimal groups that are separated by colons. Each group is a 4-digit hexadecimal number. The hexadecimal letters in IPv6 addresses are not case sensitive. The prefix length is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. The decimal value is preceded by a forward slash (/). Valid values are inclusive.

IPv6 Default Gateway: IPv6 address of the router port that is on the same local network as the PEP management port (see Figure 48).

IPv6 addresses are typically composed of two logical parts: a network prefix (a block of address space, like an IPv4 subnet mask), and a host part. The prefix length indicates the number of bits used for the network portion of the address. The following is an example of an IPv6 address with a 64-bit prefix:

2001:0DB8:0000:0000:0211:11FF:FE58:0743/64

IPv6 representation can be simplified by removing the leading zeros in any of the hexadecimal groups. Trailing zeros may not be removed. Each group must include at least one digit. IPv6 addresses often contain consecutive groups of zeros. To further simplify address entry, you can use two colons (::) to represent the consecutive groups of zeros when typing the IPv6 address. You can use two colons (::) only once in an IPv6 address.

Table 36 IPv6 address representations

Full format: 2001:0DB8:0000:0000:0211:11FF:FE58:0743
Leading zeros dropped: 2001:DB8:0:0:211:11FF:FE58:743
Compressed format (two colons) with leading zeros dropped: 2001:DB8::211:11FF:FE58:743
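The representation rules in Table 35 and Table 36 (each group has at least one hex digit, leading zeros may be dropped, a single :: stands for a run of zero groups, and the entry carries a /prefix-length) can be turned into a small validator. The following is an added example, not code from the EncrypTight product or its documentation; it assumes a prefix-length range of 1 to 128, since the guide's exact range is not legible here, and it compresses the longest run of zero groups, which is the RFC 5952 convention.

```python
# Added example (not EncrypTight code): parse the <ip address>/<prefix-length>
# entry from Table 35 and produce the three representations shown in Table 36.
# Assumption: prefix length 1-128 (the guide's exact range is not legible here).
from __future__ import annotations

import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # each group: 1 to 4 hex digits


def expand_ipv6(text: str) -> list[int]:
    """Turn any of the three written forms into eight 16-bit groups.

    Enforces the rules from the text: '::' at most once, every written group
    has at least one hex digit, exactly eight groups after expansion.
    """
    if text.count("::") > 1 or ":::" in text:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        left, right = text.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, found {len(groups)}")
    for group in groups:
        if not HEX_GROUP.match(group):
            raise ValueError(f"invalid hexadecimal group {group!r}")
    return [int(group, 16) for group in groups]


def full_format(groups: list[int]) -> str:
    """Eight 4-digit groups, leading zeros kept."""
    return ":".join(f"{g:04X}" for g in groups)


def leading_zeros_dropped(groups: list[int]) -> str:
    """Leading zeros removed; a zero group is written as a single 0."""
    return ":".join(f"{g:X}" for g in groups)


def compressed(groups: list[int]) -> str:
    """Leading zeros dropped and the longest run of two or more zero groups
    replaced by '::' (one '::' only, as the text requires)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    short = [f"{g:X}" for g in groups]
    if best_len < 2:
        return ":".join(short)
    left = ":".join(short[:best_start])
    right = ":".join(short[best_start + best_len:])
    return f"{left}::{right}"


def parse_entry(entry: str) -> tuple[list[int], int]:
    """Parse the '<ip address>/<prefix-length>' form of the IPv6 Address field."""
    if "/" not in entry:
        raise ValueError("prefix length is required, for example /64")
    address, prefix_text = entry.rsplit("/", 1)
    if not prefix_text.isdigit():
        raise ValueError("prefix length must be a decimal number")
    prefix = int(prefix_text)
    if not 1 <= prefix <= 128:           # assumed valid range
        raise ValueError("prefix length out of range")
    return expand_ipv6(address), prefix


def is_valid_entry(entry: str) -> bool:
    """True when the entry passes every rule above."""
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


def representations(entry: str) -> dict[str, str]:
    """The three forms from Table 36, each with the prefix length appended."""
    groups, prefix = parse_entry(entry)
    return {
        "full": f"{full_format(groups)}/{prefix}",
        "leading_zeros_dropped": f"{leading_zeros_dropped(groups)}/{prefix}",
        "compressed": f"{compressed(groups)}/{prefix}",
    }


if __name__ == "__main__":
    for name, value in representations("2001:0DB8:0000:0000:0211:11FF:FE58:0743/64").items():
        print(f"{name:>22}: {value}")
```

Running the block on the guide's sample address prints the three rows of Table 36; an entry with two :: runs or without a prefix length is rejected rather than silently accepted.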

Related topics:

- To learn how to set auto-negotiation on the management port, see Auto-negotiation - All Ports on page 108.
- To learn how to restrict access by specifying the hosts that are allowed to communicate with the management port, see Trusted Hosts on page 139.

Auto-negotiation - All Ports

Auto-negotiation and flow control are configured on a per port basis. Management, local, and remote port auto-negotiation settings are configured independently of each other. The default setting for the PEP enables auto-negotiation, which negotiates the link speed, duplex setting, and flow control. If the device to which the PEP connects from a particular port does not support auto-negotiation or flow control, disable one or both of these functions on that port.

It is essential that the PEP port and the connecting device's port are configured the same way. Both devices should either auto-negotiate or be set manually to the same speed and duplex mode. Having one device set manually and the other auto-negotiate can cause problems that make the link perform slowly. When manually setting the PEP link speed, configure the speed and duplex mode to match that of the other device.

When changing the auto-negotiation setting from EncrypTight Manager, there is a slight delay before the new setting takes effect on the PEP. The delay is typically a few seconds, but can be as long as 30 seconds. During this period, the old setting remains in effect.

On the management port, the PEPs support the speeds shown in Table 37.

Table 37 Link speeds on the management port
Columns: Auto-negotiate (ET0010A); Auto-negotiate (ET0100A / ET1000A); Fixed Speed (All PEPs)
Link speeds:
  10 Mbps Half-duplex
  10 Mbps Full-duplex
  100 Mbps Half-duplex
  100 Mbps Full-duplex
  1000 Mbps Full-duplex
  1000 Mbps Half-duplex

On the local and remote ports, the PEPs support the speeds shown in Table 38.

Table 38 Link speeds on the local and remote ports
Columns: Auto-negotiate (All PEPs); Fixed Speed (ET0010A / ET0100A); Fixed Speed (ET1000A)
Link speeds:
  10 Mbps Half-duplex
  10 Mbps Full-duplex
  100 Mbps Half-duplex
  100 Mbps Full-duplex
  1000 Mbps Full-duplex

NOTE If you are using copper SFP transceivers, auto-negotiation must be enabled on the ET1000A and on the device that the ET1000A is connecting to. The recommended copper SFP transceivers negotiate only to 1 Gbps, even though they advertise other speeds. See the PEP Release Notes for a list of recommended transceivers.

Remote and Local Port Settings

The remote port connects the PEP to an untrusted network, which is typically a WAN, campus LAN, or MAN. The local port connects the PEP to a device on the local, trusted side of the network, such as a server or a switch.

Transparent Mode

Transparent mode is the PEP's default mode of operation on the local and remote ports. It is appropriate for Layer 2 policies and for most distributed key policies. When operating in transparent mode the PEP preserves the network addressing of the protected network by copying the original source IP and MAC addresses from the incoming packet to the outbound packet header.

In transparent mode the PEP's remote and local ports are not viewable from a network standpoint. The local and remote ports do not use user-assigned IP addresses. In Layer 3 IP networks the local and remote ports cannot be contacted through an IP address, and they do not respond to ARPs. The PEP is also transparent in Ethernet networks when configured as a Layer 2 encryptor.

If you want to conceal the original source IP address when sending encrypted traffic, configure the PEP to operate in non-transparent mode. In non-transparent mode, the original source IP address in the outbound packet header is replaced with either an IP address for the remote port or a virtual IP address. The PEP port MAC address is used as the packet's source MAC address. You must assign IP addresses to the local and remote ports when configuring the PEP for this mode of operation.

Table 39 When to use transparent mode

Policy type: Layer 2 policies (distributed key mesh and stand-alone point-to-point)
Mode of operation: Transparent mode

Policy type: Layer 3 distributed key policy: copy the original source IP address to the encryption header
Mode of operation: Transparent mode

Policy type: Layer 3 distributed key policy: conceal the original source IP address and replace it with one of the following:
  - PEP remote port IP address. This forces traffic through a specific PEP.
  - User defined virtual IP address. This is useful for load balanced traffic over a private data network, or when sending traffic over the public internet.
Mode of operation: Non-transparent mode

Local and Remote Port IP Addresses

When transparent mode is disabled, you need to assign an IP address, subnet mask, and default gateway to the local and remote ports. The remote port connects the PEP to an untrusted network, which is typically a WAN, campus LAN, or MAN. The local port IP address identifies the PEP to the device on the local side of the network, such as a server or a switch.

NOTE If you change the remote IP address on a PEP that is already deployed in a policy, you must redeploy your policies after the new configuration is pushed to the appliance.

Figure 49 Local and Remote Port Settings

IP Address and Subnet Mask

Enter the IP address and subnet mask that you want to assign to the port, in dotted decimal notation.

Default Gateway

The default gateway identifies the router's local access port, which is used to forward packets to their destination. The gateway IP address must be on the same subnet as the port's IP address. In Figure 50, the remote default gateway is the router port . The local default gateway address is .

A default gateway IP address is required when the PEP is in a routed network. If the PEPs are in the same subnet with no routers between them, you may leave the default gateway field blank.

The PEP determines if the packet destination is on the same subnet as the port, and if so, uses ARP to resolve the destination MAC address. If the packet destination IP address is on a different subnet, the PEP sends the packet to the designated default gateway.

Figure 50 Remote port default gateway in a routed network

Elements of Figure 50:
1) PEP
2) Router to untrusted network
3) Router to trusted local network

Transmitter Enable

The PEP can be configured to propagate a loss of signal event detected at one of its data ports to the device connected to its other data port. The PEP performs this function by monitoring for loss of signal at the port's receiver. For example, when loss of signal is detected on the PEP's remote port, the local port transmitter is disabled, generating a loss of signal event in the connecting device's port. When the loss of signal event clears on the remote port, the local port transmitter is enabled, clearing the event in the connecting device's port. Similarly, when a loss of signal is detected on the local port, the remote port transmitter is disabled.

Alternatively, the PEP port transmitter can be configured to always remain enabled, regardless of the other port's link state. In this state the PEP can reliably recover from a link loss. But because the transmitter is always on, the appliance may inadvertently mask cable or device failures in the network.
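The Default Gateway rules above (gateway on the same subnet as the port's IP address, blank gateway only in a flat network, ARP for on-subnet destinations and the gateway for everything else) apply equally to the management port of Table 34 and to the local and remote ports. The following added example, which is not EncrypTight code, checks a port's IP address, subnet mask and gateway for those rules before the configuration is pushed, and mimics the forwarding decision the text describes; the addresses in it are constructed from documentation ranges, not taken from a real deployment.

```python
# Added example (not EncrypTight code): the addressing rules from the Default
# Gateway section as checks you can run before pushing a configuration. The
# addresses used in __main__ are constructed for illustration.
from __future__ import annotations

import ipaddress


def validate_port_addressing(ip: str, mask: str, gateway: str | None) -> list[str]:
    """Return the list of problems found (empty means the settings are consistent).

    Rules applied: IP and mask must form a valid interface address, the IP
    must be a host address on that subnet, and a gateway, if given, must be
    on the port's own subnet and must not be the port's own address.
    """
    problems: list[str] = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")   # accepts dotted masks
    except ValueError as err:
        return [f"invalid IP address or subnet mask: {err}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("port IP must be a host address, not the network or broadcast address")
    if gateway:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError as err:
            return problems + [f"invalid default gateway: {err}"]
        if gw not in net:
            problems.append(f"default gateway {gw} is not on the port subnet {net}")
        elif gw == iface.ip:
            problems.append("default gateway cannot be the port's own address")
    return problems


def next_hop(ip: str, mask: str, gateway: str | None, destination: str) -> str:
    """Mimic the forwarding decision in the text: on-subnet destinations are
    resolved with ARP, anything else goes to the default gateway, and an
    off-subnet destination with no gateway configured cannot be reached."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    dest = ipaddress.IPv4Address(destination)
    if dest in iface.network:
        return f"arp:{dest}"
    if gateway:
        return f"gateway:{gateway}"
    return "unreachable"


if __name__ == "__main__":
    # Constructed remote-port and local-port settings for a routed deployment
    # like Figure 50 (documentation prefixes, not real addresses).
    ports = {
        "remote": ("203.0.113.10", "255.255.255.0", "203.0.113.1"),
        "local": ("192.0.2.10", "255.255.255.0", "198.51.100.1"),   # gateway off-subnet
    }
    for name, (ip, mask, gw) in ports.items():
        print(name, validate_port_addressing(ip, mask, gw) or "ok")
    print(next_hop(*ports["remote"], "192.0.2.77"))
```

The second port in the sample deliberately carries a gateway outside its own subnet, which is the misconfiguration the text warns against; the check reports it instead of letting the PEP silently forward nothing off-subnet.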

The transmitter behavior configuration should be the same on both the local and remote ports.

Table 40 Transmitter Enable settings on the PEP

Follow receiver: The transmitter follows the behavior of the receiver. If loss of signal is detected on the remote port, then the transmitter on the local port is disabled. Similarly, if loss of signal is detected on the local port, the PEP disables the transmitter on the remote port. When the lost signal is restored, the correlating transmitter is enabled.

Always: The transmitter is always on regardless of whether a signal is received.

DHCP Relay IP Address

The DHCP Relay feature allows DHCP clients on the local port subnet to access a DHCP server that is on a different subnet. The DHCP relay feature is applicable in Layer 3 IP networks. Enable the DHCP Relay feature only on PEPs that have DHCP clients on the local port that require access to a DHCP server on a different subnet from the local clients (see Figure 51). This feature is not needed when DHCP servers or relay agents are on the same local network as the DHCP clients, nor is it needed on the PEP at the remote site where the DHCP server is located.

Figure 51 DHCP Relay allows local clients to access a DHCP server on a remote subnet

Elements in Figure 51:
1) PEP on local subnet with DHCP clients off the local port (L1). DHCP Relay feature is enabled.
2) Remote site PEP, co-located with DHCP server. DHCP Relay feature disabled.

Local and remote port IP addresses are required for proper DHCP Relay Agent behavior. In order to use local and remote port IP addresses, the PEP must be operating in non-transparent mode.

To use the DHCP Relay feature, configure the following items on the Interfaces tab:

1 Disable transparent mode.
2 Assign local and remote port IP addresses to the PEP.
3 In the DHCP Relay IP Address field, enter the IP address of the DHCP server.

Ignore DF Bit

When the PEP is configured for use in Layer 3 IP encryption policies, its default behavior is to enable DF Bit handling on the local port. This tells the PEP to ignore the do not fragment (DF) bit in the IP header, and fragment outbound packets that exceed the MTU of the system. This setting should be used under the following conditions:

- Reassembly mode is set to gateway
- ICMP is blocked at the firewall
- PMTU path discovery isn't working

A symptom of a PMTU problem is when the network operates normally when traffic passes in the clear but loses packets when encryption is turned on.

You can override the default behavior by disabling DF Bit handling on the local port. The PEP will then discard packets in which the DF bit is set and the packet length, including the encryption header, exceeds the PMTU.

Table 41 Ignore DF Bit settings

Enabled: The PEP ignores the DF bit in the IP header and fragments outbound packets greater than the MTU of the system. This setting is automatically enabled when the reassembly mode is set to gateway.

Disabled: The PEP acts in accordance with the DF bit setting in the IP header.

Reassembly Mode

The reassembly mode setting applies to packets entering the PEP's local port that are subject to fragmentation. This setting specifies whether packets are fragmented before or after they are encrypted and who performs the reassembly of the fragmented packet: the destination host or the gateway.

The reassembly mode option is available only when the PEP's Encryption Policy Setting is set to Layer 3:IP. When the Encryption Policy Setting is set to Layer 2:Ethernet, packets that are subject to fragmentation are encrypted prior to fragmentation. Layer 2 jumbo packets that exceed the PMTU are discarded. The Encryption Policy Setting is configured on the Features tab.

Table 42 Reassembly mode settings

Gateway: This setting is recommended for PEP-PEP encryption. Packets are encrypted first and then fragmented based on the new packet size, which includes the encryption header. This behavior is consistent with RFC. The gateway (PEP) performs the reassembly. When the reassembly mode is set to gateway, the Ignore DF Bit setting is automatically enabled.

Host: This setting is required for the PEPs to interoperate successfully with Black Box SGs. Packets are fragmented before they are encrypted, and the encryption header is added to the packet fragments. The destination host performs the reassembly.
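The interaction between Ignore DF Bit (Table 41) and Reassembly Mode (Table 42) is easiest to see on a concrete packet. The following added example, which is not EncrypTight code, models one outbound packet at the local port: whether it is forwarded, fragmented (and in which order relative to encryption) or discarded, and how many fragments result. The 50-byte encryption overhead and the 20-byte IPv4 header are assumed values chosen to make the arithmetic visible; actual encapsulation sizes on a PEP differ. It also reproduces the PMTU symptom the text describes: a DF-marked packet that passes in the clear but is dropped once encryption adds its header.

```python
# Added example (not EncrypTight code): a simplified model of the Ignore DF Bit
# and Reassembly Mode interaction (Tables 41 and 42). The encryption overhead
# and the 20-byte IPv4 header are assumed values; real encapsulation sizes differ.
from __future__ import annotations

import math
from dataclasses import dataclass

IP_HEADER = 20              # IPv4 header without options (assumed)
ENCRYPTION_OVERHEAD = 50    # bytes the encryption header adds (assumed)


@dataclass(frozen=True)
class Outcome:
    action: str      # "forward", "fragment" or "discard"
    order: str       # "encrypt-then-fragment", "fragment-then-encrypt" or "none"
    fragments: int   # packets that leave the remote port
    reason: str


def _fragment_count(payload: int, capacity: int) -> int:
    """Fragments needed to carry `payload` bytes when each fragment can hold
    `capacity` bytes of payload; fragment offsets are in 8-byte units."""
    capacity -= capacity % 8
    if capacity <= 0:
        raise ValueError("PMTU too small to carry any payload")
    return math.ceil(payload / capacity)


def outbound_packet(length: int, df: bool, pmtu: int, reassembly_mode: str,
                    ignore_df: bool, overhead: int = ENCRYPTION_OVERHEAD) -> Outcome:
    """Decide what the PEP does with one outbound packet entering the local port."""
    if reassembly_mode not in ("gateway", "host"):
        raise ValueError("reassembly_mode must be 'gateway' or 'host'")
    if reassembly_mode == "gateway":
        ignore_df = True      # Table 41: gateway mode forces Ignore DF Bit on
    encrypted_length = length + overhead
    if encrypted_length <= pmtu:
        return Outcome("forward", "none", 1, "fits within the PMTU after encryption")
    if df and not ignore_df:
        return Outcome("discard", "none", 0,
                       "DF set and length including the encryption header exceeds the PMTU")
    if reassembly_mode == "gateway":
        # Encrypt first, then fragment the larger packet; the far-end PEP reassembles.
        n = _fragment_count(encrypted_length - IP_HEADER, pmtu - IP_HEADER)
        return Outcome("fragment", "encrypt-then-fragment", n, "gateway (PEP) reassembles")
    # Host mode: fragment so that each piece still fits once its own header is added.
    n = _fragment_count(length - IP_HEADER, pmtu - IP_HEADER - overhead)
    return Outcome("fragment", "fragment-then-encrypt", n, "destination host reassembles")


def works_in_clear_but_not_encrypted(length: int, pmtu: int) -> bool:
    """The PMTU symptom from the text: a DF-marked packet that passes unencrypted
    but is discarded once encryption adds its header (host mode, Ignore DF off)."""
    clear = outbound_packet(length, True, pmtu, "host", False, overhead=0)
    encrypted = outbound_packet(length, True, pmtu, "host", False)
    return clear.action == "forward" and encrypted.action == "discard"


if __name__ == "__main__":
    for mode, ignore in (("host", False), ("host", True), ("gateway", False)):
        print(mode, ignore, outbound_packet(1500, True, 1500, mode, ignore))
    print("symptom reproduced:", works_in_clear_but_not_encrypted(1500, 1500))
```

With a 1500-byte DF-marked packet on a 1500-byte path, host mode with Ignore DF Bit disabled discards it, host mode with Ignore DF Bit enabled fragments before encrypting, and gateway mode encrypts first and then fragments regardless of the DF bit, which is the behaviour Table 42 attributes to each mode.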

Trusted Hosts

In its default state the PEP management port accepts all packets from any host. The trusted host feature lets you restrict access by specifying the hosts that are allowed to communicate with the management port. When the trusted host feature is enabled, packets that are received from non-trusted hosts are discarded. An exception is SSH, which is a secure protocol. It is always allowed regardless of host.

Figure 52 Trusted host list

All EncrypTight servers must be included in the trusted host list when the trusted hosts feature is enabled, and at least one trusted host must have HTTPS enabled. HTTPS (TLS) is required for EncrypTight Manager to PEP communications. If you enter the IP address incorrectly, EncrypTight Manager will be unable to communicate with the PEP. To recover, you will need to log in to the CLI and issue the disable-trusted-hosts command. See Troubleshooting for more information.

All EncrypTight servers that communicate with this PEP must also be included in the trusted host list. If you add a new EncrypTight server after the trusted host feature is enabled on the PEP, you can add the server to its trusted host list in one of the following ways:

- Use the server in a policy definition
- On each PEP that is using the trusted host feature, clear the Enable Trusted Hosts checkbox and then select it again

In either case, you must apply the new configuration to the PEPs for the new trusted host list to become effective. Until you apply the new configuration, the PEP's status is displayed as not equal in the PEPs view.

The PEP interacts with two types of hosts:

- Inbound hosts are the management system protocols used to communicate with the PEP: HTTPS, ICMP, and SNMP.
- Outbound hosts receive packets initiated by the PEP: SNMP trap hosts, syslog servers, and NTP server hosts.

Inbound host protocols (HTTPS, ICMP, and SNMP) are enabled and disabled on the Trusted Host tab. Inbound protocols are enabled by default for each host. Use caution when disabling these protocols as it can affect the management system's ability to communicate with the PEP.

Table 43 Inbound trusted host protocols used by EncrypTight Manager

HTTPS: Used for secure communication between the management system and the PEP.
ICMP: Used for pings and other diagnostic and routing messages.
SNMP: Used to get SNMP data from the PEP (name, location, and contact).

You cannot add, modify or delete an outbound host directly from the trusted host list. You must make changes in the Appliance editor tab for that feature (Table 44). When you add an outbound host such as a syslog server, NTP server or SNMP trap host to the appliance configuration, the host's IP address is automatically added to the trusted host list. For example, if you add an NTP server in the Appliance editor Advanced tab, the NTP server is automatically added to the trusted host list as shown in Figure 52.

The process is similar when deleting an outbound host. Using the syslog server as an example, delete the syslog server from the Logging tab. One of two outcomes occurs:

- If no other ports are enabled for that IP address, the trusted host entry is automatically deleted.
- If other ports are enabled for that IP address, the change is automatically reflected in the trusted host list, which displays a status of no in the Syslog column for that IP address. You can then either leave the modified entry as is, or select the trusted host entry and click Delete to remove it from the trusted host list.

Table 44 Modify outbound trusted hosts on their respective Appliance editor tabs

Syslog server: Logging tab
NTP: Advanced tab
SNMP traps: SNMP tab

To add a trusted host:

1 On the Trusted Hosts tab, click Enable Trusted Hosts.
2 Click .
3 In the box, type the IP address of the host.
4 Click the checkbox for the applicable protocols.
5 Click Update.

SNMP Configuration

The PEP includes an SNMP agent. When enabled, the SNMP agent in the PEP sends traps to one or more management systems. Traps can be monitored and viewed using an SNMP network management application.

The PEP supports the SNMP versions shown in Table 45. On PEPs that support SNMPv2 and SNMPv3, you can configure the PEP to use both types of trap hosts.

Table 45 SNMP support in PEP software versions

PEP software earlier than v1.6: SNMPv2c yes; SNMPv3 no
PEP v1.6 and later: SNMPv2c yes; SNMPv3 yes

System Information

For managing a number of PEP appliances from a single management system, it is helpful to have some basic housekeeping information about the SNMP agent in the PEP, such as its name, location, and a contact person for the device. SNMP uses the Appliance Name as the MIB-2 sysName.

Figure 53 SNMP configuration for system information, community strings, and traps

Take note of the following requirements when defining SNMP system information:

- To set the system information on an appliance, the community string must be defined as read/write, as described in Community Strings.

- System information can contain alphanumeric characters and spaces. The following special characters are not allowed: < > &

Table 46 SNMP system information

Name: Indicates the name assigned to the PEP.
Description: Provides a brief description of the PEP or other notes.
Location: Describes the location of the PEP in the network.
Contact: Defines the designated contact information for the device.

Community Strings

By default the PEP disregards SNMP requests from a network management system. A community name must be defined for the network management system to monitor and collect statistics from the appliance. The community name identifies a group of devices and management systems running SNMP. An SNMP device or agent can belong to more than one SNMP community. An appliance will not respond to requests from management systems that do not belong to one of its communities.

To define a community name:

1 Under Community Strings, click .
2 In the Access box, select an access option. A read-only community name allows queries of the SNMP agent in the appliance. A read-write community name allows a network management system to perform queries and limited set operations (system location and contact).
3 In the String box, enter an SNMP community name. The name is a text string of alphanumeric characters, with a maximum length of 255. All printable characters are valid except: < > &
4 Click Update.

Traps

To configure SNMP traps, first select the trap types to be generated. All of the selected trap types will be sent to the configured hosts. Traps cannot be configured on a per-host basis.

Table 47 Traps reported on the PEP

Critical error: The following critical error traps indicate that the PEP is in an error state:
  - criticalfailure: Traffic on the device has been halted and the device is in a failure state.
  - filesystemfailure: Inadequate free space in flash memory.
  - temperaturefailure: The PEP has exceeded the temperature threshold for safe operation.
  The following platform warning traps indicate issues that warrant immediate attention, but do not put the PEP in an error state:
  - deployfailure: The PEP encountered a problem while replacing its policies.
  - certificatemanagementwarning: Security certificate management encountered an issue of interest to network operators, such as failed certificate generation, installation, or validation.
  - checksystemclockwarning: The PEP detected clock skew that may affect policies. System clock synchronization (NTP) should be checked as soon as possible.
  - filesystemwarning: The file system is approaching memory space limits or the syslog daemon is not running.
  - ntpmonitorwarning: The PEP is unable to synchronize with an NTP server after trying for 30 minutes.
  - powersupplywarning: ET1000A only. The PEP detects problems in one of two redundant power supplies.
  - rekeyfailure: The PEP encountered a problem while rekeying current policies.
  - temperaturewarning: The operating temperature is approaching unsafe limits. The device should be checked as soon as possible.

Generic:
  - coldstart: the SNMP agent has been powered on.
  - notifyshutdown: the SNMP agent is in the process of being shut down.
  - linkup: one of the communication links has come up (local or remote port).
  - linkdown: one of the communication links has failed (local or remote port).
  - authenticationfailure: the SNMP agent received a packet with an incorrect community string.

Fan:
  - fan failed trap down: Fan failure detected. Fan is operating at less than 75% of full speed.
  - fan failed trap up: Fans are operating normally.

Log in: Reports successful and failed log in and log out attempts.

NOTE The coldstart and notifyshutdown traps are always generated, even when Generic traps are disabled.

SNMPv2 Trap Hosts

After selecting the traps that the PEP will generate, specify the IP addresses of the trap hosts that will receive the traps. All of the selected traps are sent to the defined trap hosts. Traps cannot be configured on a per-host basis.

Figure 54 SNMPv2 Trap Hosts

To configure a trap host:

1 Under Trap Hosts, click .
2 In the IP Address box, type the trap host's IP address. Traps that are enabled on the appliance will be sent to the designated host. Traps are enabled at the appliance level; they cannot be enabled or disabled at the host level. With PEP software version 1.6 and later, you can use either IPv4 or IPv6 addresses.
3 To finish configuring trap hosts, click Update.

SNMPv3

PEP version 1.6 and later includes support for SNMPv3, in addition to SNMPv2c. You can use either version of SNMP, or both simultaneously. SNMPv3 enhances security by adding authentication and encryption features.

The engine ID identifies the PEP as a unique SNMP entity. The PEP's engine ID must be configured on every trap recipient before traps can be authenticated and processed by the trap host.

Three security levels are available to control access to the management information: no authentication and no encryption, authentication and no encryption, and authentication and encryption.

Trap host users define the destination that receives the traps, plus security information about communication between SNMPv3 entities. Trap host users are defined by a user name, security level, IP address, and optional authentication and encryption parameters. The PEP supports IPv4 and IPv6 addresses.

In order to exchange messages between an SNMP manager and PEP agent, both parties have to be configured with the same user. The manager also has to know the PEP's engine ID. If you want to authenticate communications, the authentication algorithm and authentication key must be known to both parties. For encryption, two more pieces of information are necessary: the encryption algorithm and encryption key. The keys are generated from the authentication and encryption passwords.

Other notes about the SNMPv3 implementation on the PEP:

- Traps apply globally to all trap host users. The PEP does not support trap filtering to individual hosts.

- The PEP supports SNMPv3 MIB walks when authentication is enabled (security level set to authnopriv or authpriv).
- To use SNMPv3 with encryption when in FIPS mode, SNMP traffic for each trap host must be secured in an IPsec tunnel.

When using SNMPv3 on the PEP, do the following:

1 Configure the system information and community string.
2 Select the traps to enable on the PEP.
3 Select a method for generating the engine ID.
4 Configure the SNMPv3 trap host users.

Generating the Engine ID

The engine ID is a unique local identifier for the SNMP agent in the PEP. The PEP automatically generates its own engine ID upon startup, or you can manually enter an engine ID seed that the PEP will use to generate the engine ID.

Each PEP must have a unique engine ID. Duplicate engine IDs can cause SNMP errors. To prevent duplicate IDs, we recommend letting the PEP generate its own pseudo-random ID. To use the PEP-generated seed, leave the Engine ID field blank. If you manually enter an engine ID seed, be sure to use a different seed for each PEP.

Manually entered engine ID seeds must conform to the following conventions:

- The engine ID seed is a string from characters.
- Valid values include upper and lower case alpha characters (a-z), numbers 0-9, spaces, and most printable keyboard characters. The following characters are not allowed: < > &

NOTE Before the manager can authenticate and process traps generated by the PEP, you must copy the PEP's engine ID and trap host user information to the trap hosts.

Retrieving and Exporting Engine IDs

The PEP's engine ID uniquely identifies the SNMP entity in that PEP. The PEP's engine ID must also be configured on every trap host before traps can be authenticated and processed by the trap host. Using EncrypTight Manager, you can retrieve and display the PEP engine ID. EncrypTight Manager can export the engine IDs to a text file. Alternatively, the SNMP engine ID can be viewed from the CLI by issuing the show running-config command.

To retrieve engine IDs:

1 In the PEPs view, select the target appliances. EncrypTight Manager can retrieve the engine IDs from multiple appliances in a single operation.
2 Right-click and choose View SNMPv3 Engine Ids. The engine IDs are displayed.
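Two statements in the SNMPv3 and Generating the Engine ID sections are explained by how SNMPv3 (USM) derives its keys: the keys are generated from the passwords, and the trap receiver cannot authenticate anything without the PEP's engine ID. The following added example, which is not EncrypTight code, implements the RFC 3414 password-to-key and key localization steps so both facts can be seen directly. It assumes that the guide's SHA authentication type is the standard usmHMACSHAAuthProtocol (SHA-1) and that the AES privacy key is the first 16 bytes of the localized key, as specified for CFB128-AES-128 in RFC 3826; the sample password and engine ID are the RFC 3414 test vector, not values from any PEP.

```python
# Added example (not EncrypTight code): RFC 3414 password-to-key and key
# localization, which is why a trap receiver needs the PEP's engine ID as well as
# the trap host user's passwords. Assumptions: the guide's "SHA" authentication
# type is usmHMACSHAAuthProtocol (SHA-1), and the AES privacy key is the first
# 16 bytes of the localized key, as for CFB128-AES-128 (RFC 3826).
from __future__ import annotations

import hashlib

ONE_MEGABYTE = 1_048_576


def password_to_key(password: str, digest: str = "sha1") -> bytes:
    """Ku: hash of the password repeated until 1,048,576 bytes have been fed in
    (RFC 3414 A.2.2). The repetition makes deriving Ku deliberately slow."""
    raw = password.encode("utf-8")
    if not raw:
        raise ValueError("password must not be empty")
    repeated = (raw * (ONE_MEGABYTE // len(raw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(digest, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, digest: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key actually used with one engine.

    The same password yields a different key on every engine, so a receiver
    that does not know the PEP's engine ID cannot verify its traps, and two
    PEPs with duplicate engine IDs would end up sharing keys."""
    if not 5 <= len(engine_id) <= 32:        # SnmpEngineID size, RFC 3411
        raise ValueError("engine ID must be 5 to 32 bytes")
    return hashlib.new(digest, ku + engine_id + ku).digest()


def trap_host_user_keys(auth_password: str, priv_password: str,
                        engine_id_hex: str) -> dict[str, str]:
    """Localized keys for an authpriv trap host user (Table 48 fields)."""
    engine_id = bytes.fromhex(engine_id_hex)
    auth_key = localize_key(password_to_key(auth_password), engine_id)
    priv_key = localize_key(password_to_key(priv_password), engine_id)[:16]
    return {"auth_key": auth_key.hex(), "priv_key": priv_key.hex()}


if __name__ == "__main__":
    # RFC 3414 A.3.2 sample: password "maplesyrup", engine ID 00..02 (12 bytes).
    print(trap_host_user_keys("maplesyrup", "maplesyrup", "000000000000000000000002"))
```

Feeding the same password with two different engine IDs produces two unrelated localized keys, which is the operational reason the guide has you copy each PEP's engine ID to its trap hosts and keep engine IDs unique.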

121 SNMP Configuration Configuring the SNMPv3 Trap Host Users Trap host users define the destination that receives the traps, plus security information about communication between SNMPv3 entities. Trap host users are defined by a user name, security level, authentication and encryption parameters, and an IP address. The PEP supports IPv4 and IPv6 addresses. NOTE If you plan to use SNMPv3 with encryption in FIPS mode, SNMP traffic for each trap host must be secured in an IPsec tunnel. See the PEP CLI User Guide to learn how to create an IPsec policy to secure SNMP traffic on the management port. Figure 55 SNMPv3 Trap Hosts To configure a trap host user: 1 If you haven t already done so, select the traps that the PEP will generate (see Traps on page 114). 2 Under SNMPv3 Trap Hosts, click. 3 Configure the trap host users as described in Table 48 and then click Update. Traps that are enabled on the appliance will be sent to the designated host.the trap host user information must be configured on both the PEP and trap recipient. Table 48 SNMPv3 trap host users Field Description IP Address The IP address of the host that will receive the traps generated by the PEP. With PEP software version 1.6 and later, you can use either IPv4 or IPv6 addresses. User name Name that identifies the PEP s account to the trap host. The user name / IP address combination must be unique. The user name can be characters in length. The following characters are not allowed: < > & *? / \ : Security level noauthnopriv: provides no authentication and no privacy authnopriv: provides authentication but no encryption authpriv: provides authentication and encryption The default is noauthnopriv. Authentication Type SHA. Required for the authnopriv and authpriv security levels. EncrypTight Manager User Guide 121

122 Configuring PEPs Table 48 SNMPv3 trap host users Field Authentication Password Encryption Type Encryption Password Description The password is used to generate the authentication key. It is characters in length. The following characters are not allowed:? < >., AES. Required with the authpriv security level. The password is used to generated the encryption key. It is characters in length. The following characters are not allowed:? < >., Logging Configuration The PEP log keeps track of messages and events generated by various processes, such as encryption, certificates, rekeys, and SNMP. All log messages are sent to a log file. You can select the level of information to record by setting the priority for each log facility, which is a category, or grouping, of log messages. Log messages can be viewed in the following ways: Configure the PEP to send log messages to a syslog server Use EncrypTight Manager to retrieve the log files from an appliance, and view it on the management system as a text file. EncrypTight Manager retrieves the log files for each log facility and concatenates them into a single file. It also saves the log files from each facility in separate files. Figure 56 Logging tab Log Event Settings Categories of log messages are referred to as facilities, and they typically indicate which process submitted a message. Each facility can be assigned a priority, which sets the level at which a log message is triggered. Log events settings consist of a log facility and its priority level. Five facilities are unique to the PEP. When messages from these facilities are sent to a syslog server, syslog displays their source as Local 0 - Local 4. Table 49 describes each facility and provides a mapping 122 EncrypTight Manager User Guide

of the PEP facility name to its syslog counterpart. The Internals facility consists of several operating system facilities.

Table 49 Log facilities

Local0/System: Significant system events that are not associated with the other predefined facilities, including:
- NTP clock sync successes and failures (informational priority)
- Appliance software upgrade status (notice priority)
- ET1000A power supply status changes (informational priority)
- XML-RPC calls from EncrypTight Manager to the PEP (debug priority)

Local1/Data plane: Messages about packet processing and encryption, including:
- PMTU changes (debug priority)

Local2/DistKey: EncrypTight Manager distributed key functionality, such as rekeys and policy deployments (informational priority).

Local3/PKI: Certificate messages.

Local4/SNMP: SNMP messages.

Internals: Operating system messages for the following Linux facilities: audit, auth and authpriv, cron, daemon, kernel, syslog, user. Audit log events are associated with a user name. The audit log includes events such as the following:
- Successful and unsuccessful log in attempts
- Additions and deletions of PEP user accounts
- Use of administrator functions, such as appliance configuration changes and policy deployments

The priority determines the amount of information that is recorded for a log facility. When you select a priority for a facility, all messages at that priority and higher are logged; for example, a priority of error means error + critical + alert + emergency. The priorities shown in Table 50 are listed from lowest (debug) to highest (emergency).

Table 50 Log priorities

Debug: Detailed processing status. Not recommended during normal operations. The volume of messages may negatively affect the performance of the management port.
Informational: Information messages that do not relate to errors, warnings, audits, or debugging.
Notice: Normal but important events.
Warning: A problem exists, but it doesn't prevent the appliance from completing tasks.
Error: Error conditions and abnormal events.
Critical: Critical condition, for example the appliance is prevented from accomplishing a task.
Alert: Immediate action required. The device will continue to run, but not all functions are available.
Emergency: Emergency; system unusable.
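As an added example (not part of the guide or the EncrypTight product), the following Python applies the Table 49 facility mapping and the Table 50 "that priority and higher" rule to RFC 3164 syslog lines in the form a syslog server receives them from the PEP's management port. The host name, message texts, PRI values and log event settings are constructed samples.

```python
import re

# Table 50 priorities from lowest (debug) to highest (emergency); the list
# index is the rank used for the "that priority and higher" comparison.
PRIORITIES = ["debug", "informational", "notice", "warning",
              "error", "critical", "alert", "emergency"]

# RFC 3164 severity codes run the other way (0 = emergency ... 7 = debug).
SEVERITY_TO_PRIORITY = {7 - rank: name for rank, name in enumerate(PRIORITIES)}

# Table 49: the PEP-specific facilities appear at the syslog server as
# Local0-Local4; RFC 3164 numbers local0..local7 as facility codes 16..23.
LOCAL_FACILITY_TO_PEP = {16: "System", 17: "Data plane", 18: "DistKey",
                         19: "PKI", 20: "SNMP"}

# <PRI>Mmm dd hh:mm:ss HOST MSG, where PRI = facility * 8 + severity.
_LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_line(line):
    """Return (pep_facility, priority, host, message) or None if unparsable."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    facility_code, severity = divmod(int(m.group(1)), 8)
    # Anything outside Local0-Local4 (auth, cron, kernel, ...) belongs to the
    # Internals facility per Table 49.
    facility = LOCAL_FACILITY_TO_PEP.get(facility_code, "Internals")
    return facility, SEVERITY_TO_PRIORITY[severity], m.group(3), m.group(4)


def is_logged(priority, configured):
    """Table 50 rule: a facility set to `configured` records that level and higher."""
    return PRIORITIES.index(priority) >= PRIORITIES.index(configured)


def filter_messages(lines, settings, default="informational"):
    """Keep the messages a PEP with these log event settings would record.

    `settings` maps a PEP facility name to its configured priority; facilities
    not listed use `default`. Returns (facility, priority, message) tuples.
    """
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a syslog line; skip rather than misclassify it
        facility, priority, _host, message = parsed
        if is_logged(priority, settings.get(facility, default)):
            kept.append((facility, priority, message))
    return kept


# Constructed log event settings and sample lines (host name and message text
# are made up; PRI values are computed as facility * 8 + severity).
SETTINGS = {"System": "notice", "Data plane": "informational",
            "DistKey": "informational", "PKI": "warning"}

SAMPLE_LINES = [
    "<134>Mar  1 10:00:01 pep-lab-1 ntpd: clock synchronized",       # local0.info
    "<133>Mar  1 10:00:05 pep-lab-1 upgrade: software upgrade done",  # local0.notice
    "<143>Mar  1 10:00:07 pep-lab-1 dataplane: PMTU changed",         # local1.debug
    "<150>Mar  1 10:00:09 pep-lab-1 distkey: policy deployed",        # local2.info
    "<155>Mar  1 10:00:12 pep-lab-1 pki: certificate check failed",   # local3.error
    "<38>Mar  1 10:00:15 pep-lab-1 login: session opened for admin",  # auth.info
    "garbage that is not a syslog line",
]

if __name__ == "__main__":
    for facility, priority, message in filter_messages(SAMPLE_LINES, SETTINGS):
        print(f"{facility:<10} {priority:<13} {message}")
```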

Defining Syslog Servers

The PEP can send log messages to a syslog server. The PEP does not impose a limit on the number of syslog servers that can be used. Syslog messages are sent from the management port using port 514 in standard syslog format (RFC 3164). When the facilities are displayed at the syslog server, they appear as Local 0 - Local 4, not as PEP-specific categories such as data plane, PKI, SNMP, or distkey. See Table 49 for a mapping of log facility names to the numeric syslog designation.

When you configure a syslog server, the messages from all of the facilities are sent to that server, according to the configured priority for each facility. You cannot exclude specific facilities from the list.

To define a syslog server:

1 Under Syslog Servers, click .
2 Enter the IP address of the server. With PEP software version 1.6 and later, you can use either IPv4 or IPv6 addresses.
3 Click Update.

Log File Management

Each log file is a fixed length list of entries, as shown in Table 51. The log files rotate as they fill; they do not wrap. The most recent events are always written to a .log file in the format <logname>.log. When the first log file is full, its contents are archived and rotated to logname.log.1.gz. New events continue to be written to the .log file. When the logname.log file fills a second time, its contents rotate to logname.log.1.gz and the contents of the previously designated .log.1.gz rotate to .log.2.gz. The log files rotate until five log files have been filled (.log, .log.1.gz, .log.2.gz, .log.3.gz, .log.4.gz). At that point the contents of the oldest log file, .log.4.gz, are deleted.

Table 51 Log file sizes

Log name        File size
audit.log       200k
dataplane.log   250k
distkey.log     250k
pki.log         250k
snmp.log        250k
system.log      500K

Internals logs
auth.log        100k
cron.log        10k
daemon.log      10k
kern.log        100k
syslog.log      100k
user.log        100k

When EncrypTight Manager retrieves the log files from the PEP, it gets the current and archived log files as individual files. The concatenated file contains only the current log files. Archived log files are saved as compressed .gz files. To view the archived files, use gzip, WinZip, or 7-zip to decompress them.

Advanced Configuration

The items on the Advanced tab define various management and network functions of the appliance, which are described in the following sections:
- Path Maximum Transmission Unit on page 125
- Non IP Traffic Handling on page 126
- CLI Inactivity Timeout on page 127
- Password Strength Policy on page 127
- XML-RPC Certificate Authentication on page 128
- SSH Access to the PEP on page 128
- SNTP Client Settings on page 133
- IKE VLAN Tags on page 134
- OCSP Settings on page 134
- Certificate Policy Extensions on page 134

The settings on the Advanced tab are often the same across appliances, and therefore are good candidates for inclusion in a default configuration as described in Working with Configuration Templates on page 40. The settings are broadly grouped into the following sections:
- Appliance Settings
- SNTP Client Settings
- IKE VLAN Tag
- OCSP Settings
- Certificate Policy Extensions

Figure 57 Appliance Settings

Path Maximum Transmission Unit

The PMTU specifies the maximum payload size of a packet that can be transmitted by the PEP (see Table 52). The PMTU value excludes the Ethernet header, which is bytes long, and the CRC. The PMTU setting applies to the local and remote ports. On the management port the PMTU is hard-coded to 1400 bytes.

Table 52 Valid PMTU ranges on PEP appliances

Layer     PMTU range   Default
Layer 2   bytes        1500
Layer 3   bytes        1500

Before sending a packet from its remote or local port, the PEP compares the packet payload size to the configured PMTU. Depending on payload size and appliance configuration, the PEP either discards the packet, transmits the packet, or fragments the packet before transmitting, as described in Table 53.

Table 53 PMTU and fragmentation behavior on the PEP

Packet payload size: Less than or equal to PMTU
- Layer 2 PEP: Passes the packet.
- Layer 3 PEP: Passes the packet.

Packet payload size: Exceeds PMTU
- Layer 2 PEP: When operating in non-jumbo mode (PMTU 1500), the PEP fragments packets that exceed the PMTU. When operating in jumbo mode (PMTU greater than 1500), the PEP discards packets that exceed the PMTU.
- Layer 3 PEP: Fragments the packet if the payload exceeds the PMTU by less than 100 bytes, to allow for encapsulation overhead. Discards the packet under the following circumstances: the payload exceeds the PMTU by more than 100 bytes, or the DF bit is set in the IP header.

Fragmentation resolves the problem of encryption overhead, which consists of the extra bytes that are added to the packet as a result of security encapsulation. For example, a packet with a payload size of 1500 bytes may pass through the network without being discarded. But after encapsulation, the payload size increases by bytes. The resulting larger packet may be rejected by some equipment located in the network between the two peer appliances. By fragmenting the packet, the separate fragments are not rejected by the network.

The PEP can be configured to perform pre-encryption or post-encryption fragmentation when it is operating as a Layer 3 encryptor. This feature is called Reassembly mode, and it is defined on the Interfaces tab in the Appliance editor. Reassembly mode cannot be configured when the Encryption Policy Setting is set to Layer 2:Ethernet. At Layer 2, packets that are subject to fragmentation are encrypted prior to fragmentation. Jumbo packets that exceed the PMTU are discarded.

When the PEP is configured as a Layer 3 encryptor, the PEP discards packets that exceed the PMTU size and have the DF (do not fragment) bit set in the IP header. You can override the DF bit in the IP header using the Ignore DF Bit setting on the local port.

Non IP Traffic Handling

The non IP traffic handling setting is available when the PEP is configured for use in Layer 3 encryption policies. This setting provides options for how to handle Layer 2 packets that are not IP at Layer 3. Non-IP packets can be discarded or passed in the clear. When discarding non-IP traffic, you have the option of passing ARP packets in the clear or discarding them as well. All packets that are IP at Layer 3 are handled according to the policies that are loaded on the appliance.
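The egress decision described in Table 53 and the non-IP handling options above, written out as an added example (not EncrypTight code; the packet and configuration classes are constructed stand-ins). It treats IPv4 and IPv6 as "IP at Layer 3" and an excess of exactly 100 bytes as "fragment"; the guide states neither, so both are this example's assumptions.

```python
from dataclasses import dataclass

ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP = 0x0800, 0x86DD, 0x0806
IP_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_IPV6}  # assumption: both are "IP at Layer 3"

NON_JUMBO_PMTU = 1500    # Table 53: non-jumbo mode is PMTU 1500
ENCAP_ALLOWANCE = 100    # Table 53: Layer 3 PEP fragments if the excess is under this


@dataclass
class Packet:
    ethertype: int
    payload_len: int            # bytes, excluding Ethernet header and CRC, like the PMTU
    df_bit: bool = False        # IP header DF flag (meaningless for non-IP frames)


@dataclass
class PepConfig:
    layer: int                  # Encryption Policy Setting: 2 (Ethernet) or 3 (IP)
    pmtu: int = NON_JUMBO_PMTU
    non_ip: str = "clear"       # clear | discard | discardincludingarp
    ignore_df_bit: bool = False  # "Ignore DF Bit" setting on the local port


def non_ip_action(pkt, cfg):
    """Non-IP handling on a Layer 3 PEP. Returns an action, or None if the
    frame is IP (or the PEP is Layer 2) and the PMTU rules apply instead."""
    if cfg.layer != 3 or pkt.ethertype in IP_ETHERTYPES:
        return None
    if cfg.non_ip == "clear":
        return "pass-clear"
    if cfg.non_ip == "discard" and pkt.ethertype == ETHERTYPE_ARP:
        return "pass-clear"     # "discard" excludes ARP; "discardincludingarp" does not
    return "discard"


def pmtu_action(pkt, cfg):
    """Table 53 handling for a frame that is subject to the PMTU check."""
    excess = pkt.payload_len - cfg.pmtu
    if excess <= 0:
        return "pass"
    if cfg.layer == 2:
        # non-jumbo mode fragments oversized frames, jumbo mode discards them
        return "fragment" if cfg.pmtu == NON_JUMBO_PMTU else "discard"
    if pkt.df_bit and not cfg.ignore_df_bit:
        return "discard"        # DF set and not overridden on the local port
    # Guide: "less than 100" fragments, "more than 100" discards; exactly 100
    # is unspecified and treated as fragment here (assumption).
    return "fragment" if excess <= ENCAP_ALLOWANCE else "discard"


def egress_decision(pkt, cfg):
    """Combined decision for one frame leaving the local or remote port."""
    if cfg.layer not in (2, 3):
        raise ValueError("layer must be 2 or 3")
    if cfg.non_ip not in ("clear", "discard", "discardincludingarp"):
        raise ValueError("unknown non-IP traffic handling setting")
    action = non_ip_action(pkt, cfg)
    return action if action is not None else pmtu_action(pkt, cfg)


if __name__ == "__main__":
    l3 = PepConfig(layer=3, non_ip="discard")
    for pkt in (Packet(ETHERTYPE_IPV4, 1500), Packet(ETHERTYPE_IPV4, 1560),
                Packet(ETHERTYPE_IPV4, 1560, df_bit=True), Packet(ETHERTYPE_ARP, 60)):
        print(pkt, "->", egress_decision(pkt, l3))
```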

When the non-IP discard feature is enabled, the appliance looks at the packet's Layer 3 protocol flag. If the protocol flag is IP, then the appliance processes the packet normally. If the protocol flag is non-IP, then the appliance discards the packet. This processing applies to both inbound and outbound packets. The appliance's default setting is clear, where non-IP packets are passed in the clear and IP packets are processed according to the policies loaded on the appliance.

Table 54 Non IP traffic handling configuration

clear: All packets that are non-IP at Layer 3 are passed in the clear.
discard: All packets that are non-IP at Layer 3 are discarded. ARP packets are excluded from the discard action.
discardincludingarp: All packets that are non-IP at Layer 3 are discarded, including ARP packets.

CLI Inactivity Timeout

The CLI session is terminated if no activity is detected on the CLI in a specified amount of time. The inactivity timer is set to 10 minutes by default. The timer applies to a CLI session initiated through the serial port or through SSH. The inactivity timer is specified in minutes, with valid values ranging up to 24 hours. When the CLI inactivity timer is set to zero, the session does not time out. Timers may be deleted outside of development mode.

Setting the inactivity timer does not affect the current CLI session. The change is effective on all subsequent CLI sessions.

Password Strength Policy

The password strength policy affects the following items:
- Password conventions
- Password history exclusion, which limits the reuse of passwords
- Password expirations, warnings, and grace periods
- Maximum number of concurrent login sessions allowed per user
- The number of login failures allowed before locking an account

The strong password policy enforces more stringent password rules and conventions than the default password policy. The default password policy is enforced unless you explicitly enable the strong password policy.

NOTE: Enabling strong password enforcement restarts the SSH daemon, closing any open SSH connections between EncrypTight Manager and the PEP. It can take up to 30 seconds to re-establish an SSH connection after enabling strong passwords.

XML-RPC Certificate Authentication

The EncrypTight system supports the use of smart cards such as the DoD Common Access Card (CAC). The use of a CAC provides user authorization in addition to certificate-based authentication. When you use CACs, EncrypTight components use the certificates installed on the card to determine if a user is authorized to perform a specific action.

Setting up the PEP to use a CAC involves several tasks:

1 Install certificates on the PEPs. This task is performed using the EncrypTight Manager software.
2 Enable strict authentication on the PEPs.
3 Enable Common Access Card Authentication on the PEPs.
4 Add common names to the existing user accounts on the PEPs, or add new user accounts with common names. These names must match the common names used on the identity certificates included on the CACs.

Additional steps are required to prepare the management workstation and the EncrypTight servers to use strict authentication with a CAC. Be sure to complete all of the required steps in order, as described in Using Enhanced Security Features on page 153.

SSH Access to the PEP

SSH is used for secure remote CLI management sessions through the Ethernet management port. SSH access to the appliance is enabled by default. To prevent remote access to the CLI, clear the Enable SSH checkbox. When SSH is disabled, CLI access is limited to the serial port.

PEP Users

This section discusses user accounts for the PEP appliances. These accounts are unique to the PEP and should not be confused with user accounts for the EncrypTight Manager software. You can manage user accounts for appliance users through EncrypTight Manager or the CLI of the appliance.

PEP User Roles

The user role determines how a user can access the appliance and what tasks the user can perform once logged in. Users are assigned a role and a password that allows them to access the functionality of the appliance that is available to that role. The PEP can track appliance events based on user name, such as user account activity and policy deployments.

The PEP has two roles: Administrator and Ops. The Administrator manages the appliance using the EncrypTight Manager software. The Administrator configures the appliance, and creates and deploys policies. The Ops user is only able to log in to the CLI and has access to a limited set of commands.

Table 55 Appliance roles

Function                     Administrator   Ops
Manage passwords and users   Yes             No
EncrypTight Manager access   Yes             No
CLI access                   Yes             Yes (subset of commands)

The Administrator assigns user names, passwords and roles for all users. When first installing the PEP, use the default Administrator password to log in, as shown in Table 56. It is strongly recommended that the Administrator change the default passwords before putting the PEP into operation in the network.

Table 56 Default user names and passwords on the PEP

Role            Default user name   Default password
Administrator   admin               admin
Ops             ops                 ops

You must maintain at least one Administrator user account on the PEP in order to manage the appliance. You can add as many user accounts to the PEP as you need. The PEP does not impose a cap on the number of user accounts that can be added.

Configuring the Password Enforcement Policy

PEP 1.6 and later allows you to choose whether to use the default password enforcement policy or strong password enforcement. This option is configured on the Advanced tab. Prior to adding appliance users, configure the password policy on the target appliances. If you plan to configure users and passwords for multiple appliances at once, make sure that the target appliances are enforcing the same password strength policy (strong or default).

The password strength policy determines the following:
- Strength of password rules and conventions
- Password expiration period, expiration warning notification, and grace period
- Maximum number of concurrent user logins allowed

The default password controls are less stringent than the strong password controls, and use standard values for password expiration and maximum number of user logins. The default password controls are enforced on the PEP unless you explicitly enable strong enforcement. Earlier versions of PEP software enforce only the default password conventions.

User Name Conventions

Follow the guidelines below when creating user names. These conventions apply regardless of the password strength policy.
- User names can range from 1-32 characters.
- Valid characters are alpha and numeric characters (a-z, 0-9), _ (underscore), and - (dash).

- User names must start with an alpha character or an underscore. The first character cannot be a numeric digit or a dash.
- Only lower case alpha characters are accepted.
- User names cannot contain a space.

Default Password Policy Conventions

The following guidelines apply to the default password strength policy.
- Passwords must be a minimum of 8 characters.
- Passwords are case-sensitive.
- Standard alphanumeric characters and spaces are allowed: a-z A-Z # % ^ * + = { } : . , _ ~ / \ - [ ]
- Passwords must contain at least 2 characters from a mix of upper case letters, lower case letters, numbers and non-alphanumeric symbols. For example, an acceptable password might contain an upper case letter and a number, or a lower case letter and a symbol, or an upper case letter and a lower case letter.
- Do not use non-printable ASCII characters.
- Do not use dictionary words. EncrypTight Manager does not prevent the use of dictionary words, but a password containing a dictionary word will be rejected by the PEP.

EncrypTight Manager and the PEP allow an unlimited number of failed login attempts without locking the user out of the appliance.

Strong Password Policy Conventions

Passwords must conform to the following conventions when strong password enforcement is enabled on the PEP. Strong password controls are available in PEP 1.6 and later.
- Passwords must be at least characters long.
- Standard alphanumeric characters are allowed: a-z A-Z # % ^ * + = { } : . , _ ~ / \ - [ ]
- Passwords must contain a mix of upper case letters, lower case letters, numbers and special characters, including at least two of each of the four types of characters (2 upper case, 2 lower case, 2 numbers, and 2 special characters).
- When a password is changed, the new password must differ from the previous password by at least four characters.
- The password must not contain, repeat, or reverse the associated user ID.
- The password must not contain three of the same characters used consecutively.
- A user's password must not be identical to any other user's password.
- A new password must be different from the previous 10 passwords used.
- Do not use dictionary words. EncrypTight Manager does not prevent the use of dictionary words, but a password containing a dictionary word will be rejected by the PEP.

In addition, the Administrator can place limits on the following:
- Password expiration period, expiration warning notification, and grace period
- Maximum number of login sessions allowed per user
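Added example (not EncrypTight code): a Python pre-check that applies the user name conventions and the strong password conventions above before credentials are pushed to a PEP, so that obvious rejects are caught on the management side. The strong minimum length is elided in this copy of the guide and is therefore a parameter; the reading of "differs by at least four characters" as differing positions, and the user ID, history, other-user and dictionary inputs, are the example's own assumptions. The PEP remains the authority on what it accepts.

```python
import re

# User name conventions: 1-32 characters, lower case a-z, 0-9, _ and -,
# not starting with a digit or a dash, no spaces.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Symbols listed in the strong conventions (plus ASCII letters and digits).
ALLOWED_SYMBOLS = set("#%^*+={}:.,_~/\\-[]")
REQUIRED_PER_CLASS = 2   # 2 upper, 2 lower, 2 digits, 2 symbols
MIN_DIFFERENCE = 4       # new password must differ from the previous one by 4 characters
HISTORY_DEPTH = 10       # must differ from the previous 10 passwords


def check_username(name):
    """Return the user name convention violations (an empty list means OK)."""
    errors = []
    if not 1 <= len(name) <= 32:
        errors.append("length must be 1-32 characters")
    if " " in name:
        errors.append("spaces are not allowed")
    if name != name.lower():
        errors.append("only lower case letters are allowed")
    if name[:1].isdigit() or name[:1] == "-":
        errors.append("must start with a letter or an underscore")
    if not USERNAME_RE.match(name):
        errors.append("only a-z, 0-9, underscore and dash are allowed")
    return errors


def _char_difference(new, old):
    """Assumed reading of 'differ by four characters': positions that differ,
    plus the difference in length."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_strong_password(password, user_id, min_length, previous=(),
                          other_users=(), dictionary=()):
    """Return the strong policy violations for `password` (empty list means OK).

    previous:    earlier passwords of this user, most recent first
    other_users: passwords of the other accounts on the appliance
    dictionary:  words that must not appear inside the password
    min_length:  the guide's minimum is elided in this copy; caller supplies it
    """
    errors = []
    if len(password) < min_length:
        errors.append("too short")
    if not all(c.isascii() and (c.isalnum() or c in ALLOWED_SYMBOLS) for c in password):
        errors.append("disallowed character")
    counts = {"upper": sum(c.isupper() for c in password),
              "lower": sum(c.islower() for c in password),
              "digit": sum(c.isdigit() for c in password),
              "symbol": sum(c in ALLOWED_SYMBOLS for c in password)}
    for kind, n in counts.items():
        if n < REQUIRED_PER_CLASS:
            errors.append(f"needs at least {REQUIRED_PER_CLASS} {kind} characters")
    lowered, uid = password.lower(), user_id.lower()
    if uid and (uid in lowered or uid[::-1] in lowered):
        errors.append("contains or reverses the user ID")
    if re.search(r"(.)\1\1", password):
        errors.append("three identical characters in a row")
    if previous and _char_difference(password, previous[0]) < MIN_DIFFERENCE:
        errors.append(f"differs from the previous password by fewer than {MIN_DIFFERENCE} characters")
    if password in list(previous)[:HISTORY_DEPTH]:
        errors.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    if password in other_users:
        errors.append("identical to another user's password")
    if any(word.lower() in lowered for word in dictionary):
        errors.append("contains a dictionary word")
    return errors


if __name__ == "__main__":
    # Constructed inputs; 12 stands in for the elided minimum length.
    words = ("password", "word", "admin", "secret")
    print(check_username("ops-admin_2"), check_username("2Ops"))
    print(check_strong_password("Xy7#Kq2+Mn9=", "admin", 12, dictionary=words))
    print(check_strong_password("Pa55word+#ZZ", "ops", 12, dictionary=words))
```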

The PEP allows three consecutive failed login attempts in a 15 minute period prior to locking an account. After the third failure the account is locked for 15 minutes. The Administrator can unlock a disabled account from the CLI.

Cautions for Strong Password Enforcement

The password expiration feature puts you at risk for a lockout under certain circumstances. Review the guidelines below to avoid unintended lockouts.

CAUTION: If the Administrators' passwords expire, all Administrator functionality is lost, including the ability to assign a new password. The only means of resetting the password is to reformat the PEP, which reverts all configurations to their default shipping settings. Reformatting the PEP requires factory service.

Upgrading Software

To avoid having strong passwords expire during an upgrade process, we recommend minimizing the time period between a software upgrade operation and reboot. If you plan to wait a day or more between an upgrade and reboot, disable strong passwords prior to performing the upgrade. After the upgrade and reboot are complete, re-enable strong passwords. Note the following:
- Password changes that are made between a software upgrade and subsequent reboot do not persist through the reboot.
- The password expiration timer does not know if a password is changed during that window, placing you at risk of a lockout.
- Timers may be deleted outside of development mode.
- If all administrator account passwords expire, the unit must be returned to the factory.

Removing PEPs From Service

To avoid having strong passwords expire during a planned service outage or equipment redeployment, disable strong passwords prior to removing the PEP from service. If the password expiration and grace period is exceeded for all administrator accounts while the PEP is out of service, all users will be locked out and the PEP must be returned to the factory.

Managing Appliance Users

NOTE: This section applies only if you use EncrypTight Manager to manage user accounts on PEPs running software version 1.4 and later.

You can add, modify, and delete appliance users directly from EncrypTight Manager. You can update user accounts for a single appliance or for a group of appliances. When managing users, changes take effect immediately. There is no need to push the user data to the PEP.

Changing appliance user names and passwords can affect the EncrypTight Manager's ability to communicate directly with the PEP. See How EncrypTight Manager Users Work with PEP Users on page 145 to learn more about the interaction between EncrypTight Manager users and PEP users.

Adding PEP Users

For security purposes, we recommend replacing the default users and passwords on the PEP. To ensure your ability to communicate with the PEP, set up the new users prior to deleting the default account. You can add user accounts for a single appliance or for a group of appliances.

PEP 1.6 and later includes enhanced security options, including password expiration settings. These settings apply when strong password enforcement is enabled on the Advanced tab of the appliance editor. When the default password policy is enforced, the password expiration options are not visible. The default password policy values shown in Table 57 cannot be modified by the Administrator.

To add a user to the PEP:

1 Select the target appliances in the PEPs view.
2 Click and choose Other PEP User.
3 In the User Information window, click .
4 In the Name box, enter the user name conforming to the conventions listed in User Name Conventions on page 129.
5 If EncrypTight Manager is configured to use Common Access Card Authentication, enter the common name from the Common Access Card's identity certificate. You will not see this field if the feature is disabled.
6 In the Password box, enter the password for the user, then reenter it in the Confirm Password box. The password conventions are dependent on the password strength policy that is in effect for the PEP.
7 Select the role to be associated with the user. Admin is the only role that can manage PEPs from EncrypTight Manager.
8 On appliances that are enforcing strong passwords, configure the password expiration settings as described in Table 57.
9 Click Apply to send the user credentials to the selected appliances. The change takes effect immediately.

Table 57 Password policy values

Password expiration
- Default password policy: days
- Strong password policy: Default is 60. Range is

Notify before expiration
- Default password policy: 7 days
- Strong password policy: Default is 10. Range is

Expiration grace period (the number of days after expiration that a user can log in with the old password)
- Default password policy: 0 days
- Strong password policy: Default is 10. Range is

Password change waiting period (the minimum number of days a user must wait before changing the password)
- Default password policy: 0 days
- Strong password policy: Default is 1. Range is 1-7.

Max simultaneous log-in sessions (the maximum number of concurrent sessions allowed for a user)
- Default password policy: Unlimited
- Strong password policy: Default is 2. Range is 1-5.

Modifying PEP User Credentials

You can update user accounts for a single appliance or for a group of appliances. If strong password enforcement is enabled on the PEPs, you can also modify the password expiration settings.

To modify PEP user credentials:

1 In the PEPs view, select the target PEPs.
2 Click and choose Other PEP User.
3 In the User Information window, select the user account that you want to edit and click .
4 Make your changes and click Update.

Deleting PEP Users

You can delete an appliance user on a single appliance or on a group of appliances. The user is removed immediately upon completing the procedure below. The PEP prevents you from deleting the default Administrator account (admin/admin) until you have established an alternate Administrator account. It also prevents you from deleting the only remaining Administrator account on the appliance.

CAUTION: We recommend that you store your passwords in a safe place. If you are unable to log in to the PEP with a valid Administrator user name and password, the PEP must be returned to the factory to be reset.

To delete a user from the PEP:

1 In the PEPs view, select the target PEPs.
2 Click and choose Other PEP Users.
3 In the User Information window, select the user account that you want to remove.
4 Click .
5 The user account is immediately removed.

Viewing PEP Users

You can check the user accounts that are configured on a particular PEP by clicking and selecting Other PEP Users. The Users view lists the user name and role for each user on the appliance. Passwords are not displayed. Password expiration settings can be viewed from the CLI (user-config level show command).

SNTP Client Settings

The PEP includes a Network Time Protocol (NTP) client, which is used to synchronize the appliance time with an NTP server. NTP is useful in minimizing or eliminating clock drift that can occur over time, and keeping timestamps of log events consistent across appliances and other devices in the network. The NTP client supports unicast client mode, in which the client (PEP) sends a request to a designated NTP server and waits for a reply from the server. The PEP synchronizes with the NTP service at a dynamic interval inherent in the operating system's NTP client. Time synchronization with the NTP time service overrides any manually set date and time. The UTC offset is unaffected.

Figure 58 SNTP Settings

To configure the NTP client:

1 Click the Enable SNTP Client checkbox.
2 Enter the IP address of the NTP service. With PEP software version 1.6 and later, you can use either IPv4 or IPv6 addresses.

IKE VLAN Tags

When the PEP is configured for operation with Layer 2 point-to-point policies, the two PEPs must be able to communicate with each other to exchange key information. In some Layer 2 networks, all frames must have a VLAN tag to traverse the network. The PEP can be configured to add a VLAN tag to the Ethernet frames used for PEP-to-PEP communications. This setting has no effect when the PEP is configured for use in EncrypTight distributed key policies.

The following settings are prerequisites for configuring this feature:

1 On the Features tab, set the Encryption Policy Setting to Layer 2:Ethernet.
2 On the Advanced tab, select Enable IKE VLAN Tag.

Table 58 IKE VLAN Tags

IKE VLAN tag priority: Sets the VLAN priority. Valid values range from 0-7.
IKE VLAN tag identifier: Sets the VLAN ID. Valid values range from

OCSP Settings

Online Certificate Status Protocol (OCSP) provides a way for devices that use certificates to verify that a received certificate is currently valid. OCSP is an alternative to using Certificate Revocation Lists (CRLs). If your organization uses certificates to authenticate management communications in an EncrypTight deployment, you can use OCSP to check the validity of the certificates you install. Also, you can use a batching task to install CRLs on multiple PEPs.

Certificate Policy Extensions

Certificate policy extensions indicate the purposes for which a certificate was issued, for example signing or encryption. If your organization uses certificates and makes use of the certificate policy extension, you can enable support for the extensions on the PEP and enter the allowable OIDs.

Features Configuration

The items on the Features tab define what kind of policies the PEP can enforce and what layer of traffic it acts on.
- FIPS Mode on page 135: Configures the PEP for FIPS mode operation (supported in specific versions of PEP software).
- EncrypTight Manager Settings on page 137: Determines whether the PEP will enforce EncrypTight distributed key policies or stand-alone point-to-point policies. Also enables strict authentication on the PEP. To configure Layer 2 point-to-point policies, select the Layer 2: Ethernet encryption policy setting.
- Encryption Policy Settings on page 137: Configures the PEP for use in Layer 2 or Layer 3 policies.

Figure 59 Features tab

FIPS Mode

When operating in FIPS mode, the PEP must be configured to use FIPS-approved encryption and authentication algorithms. FIPS approved algorithms are listed in Table 59. Note that some of the FIPS-approved algorithms are available for use only on the management port.

EncrypTight Manager prevents the PEP from entering FIPS mode if it detects distributed key policies that contain non-FIPS approved algorithms. The PEP prevents entry into FIPS mode when any of the following conditions are true:
- EncrypTight distributed key policies are installed that use non-FIPS approved algorithms
- IKE policies are configured on the management port interface that use non-FIPS approved algorithms
- Manual key policies are installed on the management port interface. If you plan to use manual key policies, deploy them after FIPS mode is enabled on the PEP.
- SNMPv3 configuration uses cryptography for SNMP trap hosts, but no IPsec policy has been configured to protect the SNMP traffic for each specific trap host
- The debug shell is in use
- Strict client authentication is enabled on the management port

If you plan to use strict authentication to secure management port communications, you must enable FIPS mode prior to enabling strict authentication. To learn more about using strict authentication, see Using Enhanced Security Features on page 153 and Order of Operations on page 155.
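Added example (not EncrypTight code): a Python pre-check of the FIPS mode entry conditions listed above against a constructed configuration model, using the approved algorithm names from Table 59. The policy, trap host and configuration classes are this example's own stand-ins, as is the rule that an SNMPv3 trap host at the authnopriv or authpriv security level counts as "uses cryptography".

```python
from dataclasses import dataclass, field

# Table 59: FIPS approved algorithm names as the guide lists them.
FIPS_ENCRYPTION = {"3des-cbc", "aes128-cbc", "aes256-cbc"}
FIPS_AUTHENTICATION = {"sha1-96-hmac", "sha2-256-hmac", "sha2-384-hmac"}


@dataclass
class Policy:
    name: str
    kind: str               # "distributed-key", "ike" or "manual-key"
    interface: str          # "management", "local" or "remote"
    encryption: str = ""
    authentication: str = ""


@dataclass
class TrapHost:
    ip: str
    security_level: str     # noauthnopriv | authnopriv | authpriv (Table 48)
    ipsec_protected: bool = False   # an IPsec policy covers this host's SNMP traffic


@dataclass
class PepConfig:
    policies: list = field(default_factory=list)
    trap_hosts: list = field(default_factory=list)
    debug_shell_in_use: bool = False
    strict_client_auth: bool = False


def uses_non_fips_algorithms(policy):
    return (policy.encryption not in FIPS_ENCRYPTION
            or policy.authentication not in FIPS_AUTHENTICATION)


def fips_entry_blockers(cfg):
    """Return the conditions that would stop this PEP from entering FIPS mode."""
    blockers = []
    for p in cfg.policies:
        if p.kind == "distributed-key" and uses_non_fips_algorithms(p):
            blockers.append(f"distributed key policy {p.name} uses non-FIPS algorithms")
        elif p.kind == "ike" and p.interface == "management" and uses_non_fips_algorithms(p):
            blockers.append(f"management port IKE policy {p.name} uses non-FIPS algorithms")
        elif p.kind == "manual-key" and p.interface == "management":
            blockers.append(f"manual key policy {p.name} on the management port "
                            "(deploy it after FIPS mode is enabled)")
    for host in cfg.trap_hosts:
        # Assumption: authnopriv (SHA) and authpriv (SHA + AES) both count as
        # "uses cryptography"; each such host needs its own IPsec policy.
        if host.security_level in ("authnopriv", "authpriv") and not host.ipsec_protected:
            blockers.append(f"SNMPv3 trap host {host.ip} uses cryptography without an IPsec policy")
    if cfg.debug_shell_in_use:
        blockers.append("debug shell is in use")
    if cfg.strict_client_auth:
        blockers.append("strict client authentication is enabled; enable FIPS mode first")
    return blockers


if __name__ == "__main__":
    # Constructed configuration; 192.0.2.0/24 is a documentation address range.
    cfg = PepConfig(
        policies=[Policy("site-a", "distributed-key", "local", "aes256-cbc", "sha2-256-hmac"),
                  Policy("mgmt-manual", "manual-key", "management")],
        trap_hosts=[TrapHost("192.0.2.50", "authpriv", ipsec_protected=False)],
        strict_client_auth=True)
    for reason in fips_entry_blockers(cfg):
        print("blocked:", reason)
```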

Table 59 FIPS approved encryption and authentication algorithms

Encryption algorithms: 3des-cbc, aes128-cbc, aes256-cbc
Authentication algorithms: sha1-96-hmac, sha2-256-hmac, sha2-384-hmac

Enabling FIPS Mode

To configure the PEP for FIPS operation, select the FIPS Mode Enabled checkbox. After pushing a FIPS-enabled configuration to the PEP, it takes several minutes for the PEP to enter FIPS mode. Some communications services are reset when FIPS is enabled and disabled. SSH sessions are terminated, and cannot be re-established until FIPS mode is fully operational. You may experience a brief loss of connectivity between the PEP and EncrypTight Manager.

When putting the PEP in FIPS mode, the PEP performs the following actions and self-tests:
- Runs self-tests during the boot process and when entering FIPS mode that include cryptographic algorithm tests, firmware integrity tests, and critical function tests
- Performs a software integrity test
- Clears pre-existing policies and keys, as described in Table 60
- Generates a new self-signed certificate on the management interface
- Removes all externally signed certificates
- Resets passwords to the factory defaults
- Closes remote SSH client sessions

Table 60 Effects of clearing policies and keys when entering FIPS mode

Distributed key policies: Traffic passes in the clear until new encryption policies are created and deployed to the PEP.
Point-to-point Layer 2 policies: Keys are automatically renegotiated. Traffic is discarded in the interim.
Management port policies: Keys are automatically renegotiated. Traffic is discarded in the interim.

Operational Notes

Entering FIPS mode may cause some delays when communicating with the PEP. When the PEP is rebooted with FIPS mode enabled, the PEP does not become operational until seconds after the login prompt is displayed. In the interim, attempts to commun
icate with the PEP from EncrypTight Manager or the CLI result in error messages (attempting to access a locked shared resource or failure to create input stream). If you receive an error message, wait several seconds and retry.

The Ethernet management interface uses FIPS-approved cipher and authentication algorithms for SSL and SSH connections. When operating in FIPS mode, it can take seconds to establish an SSH

137 Features Configuration session. EncrypTight Manager also supports certificate-based client authentication (two-way SSL authentication between the browser and EncrypTight Manager). If you used SSH to manage the PEP prior to entering FIPS mode, you may not be able to establish an SSH session after FIPS is enabled. To correct, clear the known host entry of the SSH client and retry. Disabling FIPS The PEP performs the following actions when exiting FIPS mode: Existing policies continue to run until they are replaced or deleted. SSH is reset when FIPS is disabled, terminating the current session. Verifying FIPS Status on the PEP You can verify that FIPS is enabled on the PEP in the following two ways: In PEPs view, compare the stored and PEP configurations (select the PEP, right-click on it and choose Diff Config). Log in to the CLI and issue one of the following commands: show running-config or show fipsmode. EncrypTight Manager Settings To configure Layer 2 or Layer 3 distributed key policies, select the encryption policy setting for Layer 2: Ethernet or Layer 3: IP/Layer 4: Payload policies. To configure Layer 2 point-to-point policies, select the Layer 2: Ethernet encryption policy setting.. Table 61 EncrypTight Manager settings Setting Enable passing TLS traffic in the clear Definition Passing TLS-based management traffic in the clear is required for EncrypTight distributed key policies, and when the PEP is managed inline. When the PEP is operating in Layer 2 distributed key mode, ARP traffic is also passed in the clear when tls-clear is set to true. Encryption Policy Settings Specifies whether the PEP can be used in Layer 2 or Layer 3/Layer 4 policies. Enable strict client authentication EncrypTight Manager uses TLS to encrypt traffic between EncrypTight components. EncrypTight Manager can use TLS with encryption only, or TLS with encryption and strict authentication. 
When strict authentication is enabled, TLS enforces certificate-based authentication among the EncrypTight components (all EncrypTight servers and PEPs). See Using Enhanced Security Features on page 153 for procedures to install certificates and enable strict authentication on the various components of the EncrypTight system. CAUTION Certificates must be installed on the PEP prior to pushing a configuration that enables strict client authentication. Enabling strict authentication without first installing certificates locks up the PEP s management port. EncrypTight Manager User Guide 137

Encryption Mode Settings
The Encryption Mode Setting determines the type of policies that the PEP can be used in: Layer 2 Ethernet policies or Layer 3 IP policies. Appliances that are configured for Layer 2 cannot be used in Layer 3 policies, and vice versa. If you intend to create a Layer 4 policy to encrypt only the packet payload, set the Encryption Policy Setting to Layer 3: IP/Layer 4 Payload.

Table 62 Encryption mode settings
  Layer 2: Ethernet              Enable this setting to use the PEP in Layer 2 Ethernet policies.
  Layer 3: IP/Layer 4 Payload    Enable this setting to use the PEP in Layer 3 IP policies, or if you intend to create a policy to encrypt only the Layer 4 payload.

When you change the encryption policy setting of a PEP that is already in service, all encrypt and drop policies currently installed on the PEP are removed, and all traffic is sent in the clear until you create and deploy new policies or until the policies are rekeyed. If you are using EncrypTight Manager, take the following steps to ensure proper enforcement of your distributed key policies when you change the encryption policy setting:
1 In the Features tab, set the Encryption Policy Setting to Layer 2 or Layer 3/Layer 4 Payload.
2 Apply the new configuration to the PEP (click Apply config).
3 Remove the PEP from any policy or network set it is a member of.
4 Create a new policy for the reconfigured PEP.
5 Deploy the new policy.

Factory Defaults
Factory settings are listed by appliance model and software version for the following categories:
• Interfaces
• Trusted Hosts
• SNMP
• Logging
• Policy
• Advanced
• Features
• Hard-coded Settings

Interfaces
Table 63 Interfaces defaults
  Interfaces                   PEP 1.5                                        PEP 1.6 and later
  Appliance Identification
    Remote user password       Not applicable                                 Not applicable
    Appliance name             model number_version (e.g., ET0100A_ETEP1.5)   model number_version (e.g., ET0100A_ETEP1.6)
    Throughput speed           Not available                                  Undefined
  Management
    IPv4 address               Undefined                                      Undefined
    Subnet mask
    IPv4 default gateway       None                                           None
    Natted IP address          Undefined                                      Undefined
    IPv6 address               Not available                                  Undefined
    IPv6 default gateway       Not available                                  Undefined
    Flow control               Negotiated                                     Negotiated
    Link speed                 Negotiated                                     Negotiated
  Remote
    Transparent mode           Enabled                                        Enabled
    IP address                 Undefined                                      Undefined
    Subnet mask
    Default gateway            None                                           None
    Flow control               Negotiated                                     Negotiated
    Link speed                 Negotiated                                     Negotiated
    Transmitter enable         FollowRx                                       FollowRx
  Local
    IP address                 Undefined                                      Undefined
    Subnet mask
    Default gateway            None                                           None
    Flow control               Negotiated                                     Negotiated
    Link speed                 Negotiated                                     Negotiated
    DHCP Relay IP Address      Undefined                                      Undefined
    Ignore DF Bit              Enabled                                        Enabled
    Reassembly mode            Gateway                                        Gateway
    Transmitter enable         FollowRx                                       FollowRx

Trusted Hosts
Trusted Hosts is disabled by default in PEP v1.5 and later.

SNMP
Table 64 SNMP defaults
  SNMP                     PEP v1.5        PEP v1.6 and later
  Contact                  Undefined       Undefined
  Location                 Undefined       Undefined
  Community string         Undefined       Undefined
  Traps
    Critical error trap    Enabled         Enabled
    Fan trap               Enabled         Enabled
    Generic trap           Enabled         Enabled
    Login                  Enabled         Enabled
  Trap Hosts
    SNMPv2 trap hosts      Undefined       Undefined
    SNMPv3 trap hosts      Not available   Undefined

Logging
Table 65 Logging defaults
  Logging                Default setting
  Local 0 / System       Informational
  Local 1 / Dataplane    Informational
  Local 2 / DistKey      Informational
  Local 3 / PKI          Informational
  Local 4 / SNMP         Informational
  Internal               Informational
  Syslog server          None

Policy
Table 66 Policy defaults
  Policy                 PEP v1.4 and later
  Role                   Primary
  IKE Authentication     Preshared key
  IKE Preshared Key
  Group ID               0
  Traffic Handling       EthEncrypt

Advanced
Table 67 Advanced defaults
  Advanced                              PEP 1.5         PEP 1.6 and later
  PMTU
  Non IP traffic handling               Clear           Clear
  CLI Inactivity Timer                  15 minutes      10 minutes
  Password Policy                       Not available   Disabled
  XML-RPC Certificate Authentication    Not available   Disabled
  SSH Enable                            Not available   Enabled
  SNTP Client                           None            None
  IKE VLAN tag                          Disabled        Disabled
  OCSP Settings                         Not available   Disabled
  Certificate Policy Extensions         Not available   Disabled

Features
Table 68 Features defaults
  Features                              PEP 1.5         PEP 1.6 and later
  Enable FIPS Mode                      Not available   Disabled
  Enable TLS in the clear               Enabled         Enabled
  Encryption Policy Settings            Layer 3: IP     Layer 3: IP
  Enable strict client authentication   Not available   Disabled

On a factory-default PEP 1.6 appliance the password policy, XML-RPC certificate authentication, OCSP, the certificate policies extension, FIPS mode, and strict client authentication are all disabled. Enable the ones your deployment requires as part of provisioning; see Using Enhanced Security Features on page 153.

Hard-coded Settings
The following settings are hard-coded in the PEP:
• Management port PMTU is 1400 bytes
• Syslog server port is 514
• Time zone is set to UTC 0


12 Managing EncrypTight Manager Users

About EncrypTight Manager User Accounts
This chapter discusses user accounts for the EncrypTight Manager software. These accounts are unique to EncrypTight Manager and should not be confused with user accounts on the PEPs.
EncrypTight Manager authenticates users from the first time you start it. Log in to EncrypTight Manager using the default user name admin and password admin, and change that password immediately (see Changing a Password on page 145): the default credentials are published and therefore known to anyone who can reach the management interface.
The following list summarizes how user accounts work:
• EncrypTight Manager user accounts can be granted roles with a variety of privileges, as outlined in EncrypTight Manager User Account Roles on page 143.
• You must have at least one administrator account. If you have only one administrator account, EncrypTight Manager prevents you from deleting it until you create a replacement.
• User names must be unique.
• When authentication is enabled, the default password expiration period is set to zero, which means passwords do not expire.
• When any user performs an action in the system such as configuring a PEP or deploying policies, that action is tracked in an Audit Log entry that records the name of the user that initiated the action.
• User account roles form a hierarchy of privileges, as listed in EncrypTight Manager User Account Roles on page 143.
You create and manage user accounts from the Users view. To access the Users view:
1 On the main menu, click Admin > Users.

EncrypTight Manager User Account Roles
Platform Administrator
The Platform Administrator role has complete access to the system, including the ability to change configuration settings that affect the communications and interactions between all components in the deployment. Platform Administrators can also create and manage multiple EncrypTight Manager deployments. The default EncrypTight Manager user account (admin) has the Platform Administrator role.

Administrator
EncrypTight Manager Administrators have full access to all features of the system, including the ability to create and edit user accounts.
User
Users have access to the system but cannot create new user accounts. Users can also be assigned one or more of the following roles:
Appliance Admin
Appliance Administrator accounts are user accounts that exist on the PEPs. In order to communicate with the PEPs, EncrypTight Manager must know the name and password of at least one valid appliance admin account. Appliance Administrators cannot create new EncrypTight Manager users or make configuration changes in the EncrypTight Manager software.
Appliance Operator
Appliance Operator accounts are user accounts that exist on the PEPs.
Policy Creator
Users assigned Policy Creator privileges can create policies, but they cannot add or edit appliance configurations or create new user accounts.
Policy Deployer
Users assigned Policy Deployer privileges can view data and deploy policies, but they cannot edit configurations or policies.

Managing EncrypTight Manager User Accounts
Only platform administrator accounts and administrator accounts can create new user accounts and edit all existing user accounts. Administrator accounts cannot create or edit platform administrator accounts. Basic user accounts cannot create new user accounts or edit any account settings.

Table 69 EncrypTight Manager user name and password conventions
  Parameter            User Name          Password
  Length               1-32 characters    Minimum of 8 characters
  Case sensitive       Yes                Yes
  Invalid characters   < > &              < > &
  Spaces allowed       Yes                Yes
  Must be unique       Yes                No
  Other conventions    N/A                N/A

To add an EncrypTight Manager user account:
1 In the Users view, click the Create User icon to open the Create User dialog box.
2 In the Create User dialog box, enter a Username and a User Display Name.
3 Enter a Password for the new user and reenter it in the Confirm Password box.
4 From the User Roles list, select the roles that you want to assign to this user.
5 Click Create.
To modify a user account:
1 Select the user account that you want to modify.
2 Click the Edit icon.
3 Make your changes.
4 Click Update.
To delete a user account:
1 Select the account that you want to delete.
2 Click the Delete icon.
3 Click Yes when prompted for confirmation.

Changing a Password
Platform administrators and administrators can change their own passwords as well as the passwords for other user accounts. The platform administrator can also change the passwords of administrator accounts (administrators cannot edit platform administrator accounts). User accounts that are not administrators or platform administrators cannot change their own passwords or edit any other user account settings.
To change a password:
1 In the Users view, select the account that you want to modify.
2 Click the Edit icon.
3 Make your changes.
4 Click Update.
The password change takes effect immediately.

How EncrypTight Manager Users Work with PEP Users
EncrypTight Manager manages user accounts on PEP version 1.5 and later appliances. In order for EncrypTight Manager to communicate with the PEP, it needs to know an admin-level user name and password for the PEP. The default admin-level user name and password on the PEP is admin/admin. These credentials are initially set in ETM in the Add PEP form and can later be modified in the Edit PEP form, under the Advanced tab. Change the PEP's default credentials as part of provisioning; the forms described below let you do so from EncrypTight Manager.

Figure 60 Add PEP Form
Figure 61 Edit PEP Form - Advanced Tab
Select the drop-down icon on the Users button, and then choose EncrypTight PEP Users.
Figure 62 Users Dropdown
Figure 63 ETM PEP Users
A form is presented that allows you to change the user name and password that EncrypTight uses when communicating with the PEP. You can optionally update the PEP when changing these values.
NOTE The current user name and password (before the change) are used to communicate with the PEP when making the change, and so must be valid for that PEP.
You can also manage the PEP users (those users who can ssh into the PEP and access the CLI) from EncrypTight Manager. To do so, select the drop-down icon on the Users button in the Advanced tab of the PEP edit form, and then choose Other PEP Users. This retrieves the current users and their roles from the PEP and allows you to add, modify, or delete user accounts.
Figure 64 Other PEP Users

13 Working with Logs

About Logs
EncrypTight Manager tracks system actions and user activity in several logs:
• Audit Log - Tracks user and system activity such as logins and logouts, configuration changes, and policy changes. The audit log also records all interactions with the PEPs.
• Task History - Tracks all EncrypTight Manager operations and PEP-related tasks, including policy deployments, rekeys, certificate actions, license installation, and so on. This provides a view of system activity rather than user activity and includes items such as the number of attempts made to accomplish a given task. When a PEP is unreachable, ETM fails only the rekeys for the policies that PEP affects, not all policies in that interval.
• Activity Messages - Tracks all messages provided to EncrypTight Manager users during the process of performing a task. For example, during a rekey operation a user could see messages tracking the start, failure, retry, and completion of the task.

About the Audit Log
Use the Audit log when you need to examine the changes a specific user has made in the system. The Audit log tracks every action performed by EncrypTight Manager users and all interactions with the PEPs, whether they are initiated by a user or by the system. The data is presented in a grid and each record includes the following information:
• User name - the name of the user that initiated the action.
• Time of the action - the date and time at which the action was performed.
• ID - the database ID (key) of the entity involved in the event. For entities that are not related to a database, this field displays null.
• Type - the type of entity involved in the event.
• Action - the type of action of the event being recorded.
• Name - the name of the item involved in the event. In many cases this is the name of a PEP, but it can also be the name of a type of task, such as PEP status refresh.
• Details - a description of the event.

About the Task History
Use the Task History to focus on interactions with the PEPs. For each record, the view includes the following information:
• Message - the type of task.
• User - the name of the user account that initiated the task.
• PEP - the name of the PEP associated with the task.
• IP Address - the IP address of the PEP.
• Status - the status of the task.
• Details - details describing the task, if available.
• Create Time - the date and time the task was created.
• Started - the date and time the task was started.
• Completed - the date and time the task was completed.
• Processing - the time from task start through task completion.
• Duration - the time from task creation through task completion (the total time it took to complete the task).
• Failures - the number of times this task failed.
• Attempts - the number of times this task was attempted.

About Activity Messages
Activity Messages lists all of the messages provided to a user, including all of the intermediate tasks performed during the course of an operation. For example, a rekey operation can entail multiple tasks, such as start, fail, retry, and complete. For each entry, the Activity Messages view includes the following information:
• User Name - the name of the user that initiated the operation.
• Status - the status of the task.
• Message - the text of the message.
• Action - the type of operation or task involved.
• Activity Time - the time at which the system generated the message, tracked to the millisecond.
• Create Time - the time the record was created in the database.

Viewing Logs
From the Admin menu, choose Audit Log, Task History, or Activity Messages.

Log Actions
Depending on the type of log you are accessing, you can sort and filter the view, cancel tasks, and purge older records. You can also view technical details of many events.
You can sort and filter the list of events by any field. For instructions on sorting and filtering, see Sorting and Filtering on page 21.
To view details for an event:
Double-click a record to view a detailed entry that might provide technical information helpful to Customer Support.
You can purge records older than a certain date and time from the view. Purged records are gone from the log, so choose an interval that keeps the history your audit and incident-response needs require.
To purge records:
1 Click the Purge icon.
2 In the interval box, enter the maximum number of days or hours worth of records to keep. Type the number of days followed by d (for example, 7d keeps 7 days of records), or the number of hours followed by h (for example, 12h keeps 12 hours of records).
3 Click OK.
In the Task History view, you can also cancel tasks that are in progress or queued.
To cancel a task:
1 In the list, select the task.
2 Click Cancel.

Logging Configuration
You can access a number of settings that control auditing and logging behavior from the Configuration window. You must be logged in with Administrative privileges to make these changes.
Auditing and Logging Controls
Although you most likely will not need to make changes, you can turn auditing off and on as needed. You can also specify whether or not to audit all XML-RPC calls between the servers and the PEPs. Leave auditing on in normal operation: while it is off, configuration and policy changes are not recorded in the Audit Log and cannot be attributed to a user afterwards.
Configuring Auditing for XML-RPC Calls
By default, the system does not track all XML-RPC calls between components. You might want to enable this for troubleshooting purposes, but be aware that it increases network traffic.

To audit XML-RPC calls:
1 Click Admin > Configuration.
2 Double-click Audit XML-RPC Calls and select the check box.
3 Click Update.
Configuring System Auditing
By default, auditing is activated. All changes and operations by every system user are tracked and recorded in log files. In addition to turning auditing on and off, you can specify how many days of records to keep and how often the system checks for records to purge.
To turn auditing on and off:
1 Click Admin > Configuration.
2 Double-click Auditing and select the check box to activate auditing. Clear the check box to deactivate auditing.
3 Click Update.
To configure record retention:
1 Click Admin > Configuration.
2 Double-click Days Worth of History Records to Keep and type the number of days in the box.
3 Click Update.
4 Double-click Maintenance Interval in Hours and type the number of hours between log file purges.
5 Click Update.
Configuring the Syslog Server
You can configure your PEPs to send messages to a syslog server running on the EncrypTight Manager. To do so, you must assign an IP address to the syslog server in the Configuration view. The PEP sends to the hard-coded syslog port 514 (see Hard-coded Settings on page 141).
To assign an IP address to the syslog server:
1 Click Admin > Configuration.
2 Double-click Syslog Server and type the IP address in the box.
3 Click Update.

14 Using Enhanced Security Features

About Enhanced Security Features
EncrypTight Manager provides a number of features that you can use to increase system security. These features are disabled by default but available for your use. Some of these features are specific to the operation of the PEPs, while others affect system-wide EncrypTight operations.
Enhanced security features include:
• FIPS mode - Federal Information Processing Standards are security standards that govern the use of computer systems in non-military U.S. government agencies and contractors. When PEPs operate in FIPS mode, only specific encryption and authentication algorithms are accepted. To learn more about PEPs and FIPS mode, see FIPS Mode on page 135.
• IPsec on the management interface - By default, communication between the management workstation and the PEPs is secured using SSH and TLS. You can provide additional security for EncrypTight Manager management communications by using IPsec policies on the management ports instead. This feature is controlled through the command line interface of the PEP. To learn more about creating IPsec policies for the PEP management ports, refer to the ETEP CLI User Guide.
• Strong password enforcement - PEPs with software version 1.6 or later can be configured to use strong password enforcement. The conventions used with strong password enforcement are far more stringent than those used with the default password management. To learn more, see Configuring the Password Enforcement Policy on page 129.
• Strict authentication - With strict authentication, all communications between EncrypTight components are authenticated using certificates. To learn more about strict authentication and using certificates, see About Strict Authentication on page 154.
• Hardware Security Module - A hardware security module (HSM) is available as an option for your EncrypTight servers. Currently with EncrypTight Manager, HSMs are used for random number generation.
NOTE policyserver-init.conf has been modified to simplify certificate options and group the HSM options in one place (random number generation).

About Strict Authentication
The EncrypTight system uses the Transport Layer Security (TLS) protocol for secure communication between the different components of the system (the management workstation and the PEPs). EncrypTight Manager can use either:
• TLS with encryption only
• TLS with encryption and strict authentication enabled
When strict authentication is enabled, all TLS communications between EncrypTight components are authenticated using certificates. With encryption only, the session is confidential but the identity of the peer is not verified; authenticating the communications between components closes that gap. Optionally, you can also set up the system to validate certificates by checking Certificate Revocation Lists (CRLs) or by using the Online Certificate Status Protocol (OCSP).
Strict authentication is available for PEPs with software version 1.6 or later. Strict authentication is disabled by default. After you install certificates on all of the devices that you are going to use, you can enable strict authentication.
CAUTION Do not enable strict authentication before you install certificates on all of the EncrypTight components. Doing so can lead to errors and communication failures.
A certificate is an electronic document that contains a public key that corresponds to the private key of the entity named as the subject of the certificate. Certificates can be generated by the entity itself (self-signed) or they can be issued by a certificate authority (CA). A CA is a trusted organization that authenticates certificate applications, issues and revokes certificates, and maintains status information about certificates. CA-signed certificates help establish a chain of trust. EncrypTight servers include a CA that you can use to sign certificate requests for your PEPs.
Keys and certificates are stored in an encrypted, password-protected keystore.
Prerequisites
An important prerequisite to installing new certificates is identifying the certificate authority you plan to use. Your organization may have a standard CA that everyone uses, or you may need to select one for this particular security application. The information in this chapter assumes that you have established a relationship with a certificate authority.
In order to follow the procedures discussed in this section and work with certificates in an EncrypTight system, you need to understand how to do several tasks covered in more detail in other sections. Cross references to those sections are provided in Table 70.
Table 70 Prerequisites for Using Certificates with EncrypTight Manager
  How to:                                         Reference:
  Navigate and work with EncrypTight Manager      Working with the EncrypTight Manager User Interface on page 19
  Add and configure PEPs                          Provisioning PEPs on page 29
  Access the command line interface for a PEP     See the configuration chapter for the model of PEP that you are using.

NOTE If you plan to operate in FIPS mode, make sure you enable FIPS mode first and push the configuration to the PEPs before you begin to install certificates and set up strict authentication. If you enable FIPS mode after strict authentication has been activated, you will need to reinstall your certificates (entering FIPS mode removes all externally signed certificates from the PEP).
Order of Operations
Proceed with caution as you enable strict authentication in your deployment. Among the issues you could encounter are invalid, misconfigured, or expired certificates that cause communication failures. The following order of operations is recommended:
1 If you plan to operate in FIPS mode, enable FIPS mode on your PEPs before you make other changes.
2 Install a few PEP certificates into EncrypTight and the EncrypTight server certificates onto those PEPs.
3 Temporarily enable strict authentication in EncrypTight Manager and make sure that you can still communicate with the PEPs (refresh status for the PEPs that you used in step 2). If the PEPs respond appropriately, continue with the next step. If you cannot communicate with the PEPs, troubleshoot and fix the problems found.
4 If step 3 was successful, enable strict authentication on the PEPs that you used in step 2 and retest communications. If EncrypTight Manager can still communicate with the PEPs, then EncrypTight Manager has certificates that can be used. At this point, you can disable strict authentication in EncrypTight Manager and continue to provision more of the network.
5 When you have installed certificates on all of the devices in the system (including all EncrypTight servers and all of your PEPs), you can re-enable strict authentication in EncrypTight Manager.
6 Refresh status for all devices to verify that EncrypTight Manager can still communicate with all devices. If you cannot communicate with a device, it probably has an invalid or misconfigured certificate. Fix any issues discovered and proceed.
7 Enable strict authentication on all of the PEPs.
8 Enable strict authentication in EncrypTight Manager in the Admin > EncrypTight Configuration window.
NOTE If you need to add a new PEP after you have enabled strict authentication, temporarily disable strict authentication in the EncrypTight Configuration window first, and then add the PEP. Configure the PEP as needed. After you push the configuration, install certificates on the PEP and re-enable strict authentication in EncrypTight Manager. Refresh status to test the communications and, if everything is successful, enable strict authentication on the new PEP.
Certificate Information
When you generate a keypair and create certificate requests, you must provide information that uniquely identifies the device. This information is referred to as a distinguished name and consists of the values described in Table 71. When you generate a keypair using the keytool utility, this information is specified as part of the -dname parameter.

Table 71 Distinguished name information
  Setting                    Description
  Common Name (CN)           A name that identifies the device or person. Length: 0-64 characters.
  Organizational Unit (OU)   Name of a sub-section of the organization, such as a department or division. Length: 0-64 characters.
  Organization (O)           Organization or company name. Length: 0-64 characters.
  Locality (L)               City, town, or geographical area where the organizational unit is located. Length: characters.
  State/Province (S)         State or province where the organizational unit is located. Length: characters.
  Country (C)                Two-letter country abbreviation (optional).
In usage, you type this string as follows:
-dname "cn=<common name>, ou=<organization unit>, o=<organization name>, l=<location>, s=<state/province>, c=<country>"
The information must be entered in the order shown. Quote the whole value so that the spaces and commas in it reach keytool as a single argument. For example:
-dname "cn=John Doe, ou=Customer Support, o=My Company, l=Raleigh, s=NC, c=US"

Using Certificates in an EncrypTight System
EncrypTight components ship with self-signed identity certificates. You can continue to use these certificates, or you can replace them with certificates acquired from a trusted CA.
By default, the EncrypTight system uses the Transport Layer Security (TLS) protocol for communications between components. This encrypts communications but does not automatically provide authentication. If you enable strict authentication, you can use certificates to authenticate identities and set up encrypted communications for management traffic between components.
To authenticate the communications, each component needs one of the following:
• A copy of the identity certificate for every component with which it communicates.
• A trusted root CA certificate.
Manually exporting and installing certificates for a large number of devices can be burdensome. In larger deployments it is more efficient to use a CA certificate than to install individual certificates for each component with which a device might need to communicate.
When you replace the self-signed certificates, each component in an EncrypTight system needs at least an identity certificate for itself and a copy of the trusted CA certificate. The CA certificate is used to validate the identity certificate when communication sessions are initiated. You might also need certificates for any intermediate CAs in the chain.
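The -dname value described under Certificate Information above is easy to get wrong by hand: a comma inside an organization name (such as "Black Box, Inc.") starts a new attribute, and an unquoted value is split by the shell. The following Python is an added example, not part of the original guide or of the EncrypTight software. It assembles the string in the order the guide requires, enforces the 64-character limits from Table 71, backslash-escapes separators inside values, and builds a keytool -genkeypair argument list so the DN is passed as one argument without shell quoting. The key algorithm, key size, alias and keystore name are illustrative assumptions; the keytool flags themselves (-genkeypair, -alias, -keyalg, -keysize, -dname, -keystore) are real.

```python
"""Build a keytool -dname value for an EncrypTight certificate request (added example)."""

# Characters that must be backslash-escaped inside an attribute value so the X.500 name
# parser does not treat them as separators (RFC 4514 string form, which keytool accepts).
_SPECIAL = set(',+"\\<>;')


def escape_value(value: str) -> str:
    """Escape one attribute value: separators, a leading '#', and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def build_dname(cn, ou, o, locality, state, country=None):
    """Return the -dname string in the order EncrypTight expects: CN, OU, O, L, S, C.

    CN, OU and O are limited to 64 characters (Table 71). Country is optional and,
    when given, must be a two-letter code; it is normalised to upper case.
    """
    for label, value in (("CN", cn), ("OU", ou), ("O", o)):
        if len(value) > 64:
            raise ValueError(f"{label} exceeds 64 characters")
    if country is not None and not (len(country) == 2 and country.isalpha()):
        raise ValueError("Country must be a two-letter abbreviation")
    parts = [("CN", cn), ("OU", ou), ("O", o), ("L", locality), ("S", state)]
    if country is not None:
        parts.append(("C", country.upper()))
    return ", ".join(f"{key}={escape_value(value)}" for key, value in parts)


def keytool_genkeypair_argv(alias, dname, keystore, keyalg="RSA", keysize=2048):
    """Argument list for subprocess.run(). Passing the DN as a single argv element avoids
    the shell-quoting mistake that splits a DN containing spaces into several arguments.
    Alias, keystore, algorithm and size are example values, not EncrypTight requirements."""
    return ["keytool", "-genkeypair", "-alias", alias, "-keyalg", keyalg,
            "-keysize", str(keysize), "-dname", dname, "-keystore", keystore]


if __name__ == "__main__":
    # Constructed sample values; the host name and organization are made up.
    dn = build_dname("pep-01.example.net", "Security", "Black Box, Inc.", "Lawrence", "PA", "us")
    print(dn)
    print(" ".join(keytool_genkeypair_argv("pep-01", dn, "pep-01.jks")))
```

Run the script to see the escaped DN and the keytool command it would invoke; hand the list to subprocess.run() rather than joining it into a shell string, so the escaping done here is the only escaping in play.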

Configuring the Certificate Policies Extension

EncrypTight Manager supports the certificate policies extension in certificates. A CA uses this extension to state the purposes for which it issued a certificate, for example digital signing or encryption. A certificate presented for a purpose that its extension does not cover can be rejected.

The extension expresses those purposes as one or more registered Object Identifiers (OIDs); the OIDs in use vary by organization and industry. A CA that does not want to limit the purposes for which a certificate can be used can instead include the special anyPolicy OID (2.5.29.32.0), which matches any policy.

If your organization uses the certificate policies extension, specify the OIDs that EncrypTight Manager and each PEP will accept before you begin requesting and installing certificates. The configured OIDs are ignored until you enable strict authentication.

For PEPs, the certificate policies extension is configured on the Advanced tab of the Appliance Editor. The change does not take effect until you push the configuration to the PEPs.

To configure the certificate policies extension for PEPs:
1 In the Appliance Editor for the PEP, click the Advanced tab.
2 Click Enable Policy Extensions.
3 For each OID, click the add button, type the OID, and click Update. To correct an entry, select the OID in the list and click the edit button. To remove an OID, select it and click the remove button.

TIP: If you are deploying numerous PEPs, you can save time by modifying the template for the PEP models that you use. For more information about modifying default configurations, see Working with Configuration Templates on page 40.

For EncrypTight Manager, enable the certificate policies extension in the EncrypTight Configuration view and add the OIDs in the Certificate Policy Extension OIDs view. These changes take effect immediately.

To configure the certificate policies extension for EncrypTight Manager:
1 In EncrypTight Manager, select Admin > EncrypTight Configuration.
2 Double-click Certificate Policy Extension OIDs Enabled.
3 Select the check box and click Update.
4 Click Certificates > Certificate Policy Extension OIDs.
5 For each OID, click the add button and type the OID. To edit an existing item, select it and click the edit button.
6 Click Update.
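The acceptance rule described above, as an added example that is not part of the EncrypTight product or this guide: a standard-library-only Python script that decodes the DER-encoded certificatePolicies extension into dotted OIDs and applies the check a PEP or EncrypTight Manager makes against its configured list (anyPolicy accepted; OIDs ignored until strict authentication is on and at least one OID is configured). The sample extension bytes are constructed inline; the policy OID 1.2.3.4.5 and the CPS URL are placeholders, not values from any real CA.

```python
# Added example, not EncrypTight code: decode certificatePolicies and apply the
# configured-OID check described in this guide. Standard library only.

ANY_POLICY = "2.5.29.32.0"           # RFC 5280 anyPolicy: "usable under any policy"
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # CPS pointer qualifier, used only in the sample


def encode_oid(dotted):
    """Content octets of an OBJECT IDENTIFIER (base-128 arcs, first two merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(value):
    """Inverse of encode_oid: content octets back to dotted form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:           # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _tlv(tag, content):
    """DER tag-length-value; short-form length is enough for these sample sizes."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _read_tlv(data, pos):
    """Read one DER TLV at pos (short- or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def build_certificate_policies(policies):
    """Constructed sample: [(policy_oid, cps_uri_or_None), ...] -> DER extension value."""
    infos = []
    for oid, cps in policies:
        body = _tlv(0x06, encode_oid(oid))
        if cps:  # PolicyQualifierInfo { id-qt-cps, IA5String uri } inside a SEQUENCE OF
            qualifier = _tlv(0x30, _tlv(0x06, encode_oid(ID_QT_CPS)) + _tlv(0x16, cps.encode("ascii")))
            body += _tlv(0x30, qualifier)
        infos.append(_tlv(0x30, body))
    return _tlv(0x30, b"".join(infos))


def policies_from_extension(der):
    """certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    pos, oids = 0, []
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        oid_tag, oid_bytes, _ = _read_tlv(info, 0)   # qualifiers, if any, are skipped
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_bytes))
    return oids


def policies_acceptable(cert_policies, configured_oids, strict_auth=True):
    """The guide's rule: OIDs are ignored until strict authentication is on and some
    OIDs are configured; then the certificate must carry a configured OID or anyPolicy."""
    if not strict_auth or not configured_oids:
        return True
    return ANY_POLICY in cert_policies or any(p in configured_oids for p in cert_policies)


# Constructed sample: one policy with a CPS pointer, plus anyPolicy.
SAMPLE_EXTENSION = build_certificate_policies([("1.2.3.4.5", "http://cps.example.invalid/"),
                                               (ANY_POLICY, None)])
```

The decoder deliberately reads only the first element of each PolicyInformation, so a CA's qualifiers (CPS pointers, user notices) never influence the decision; only the policy identifier does, which is the behaviour the guide describes.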

About the Policy Constraints Extension

The certificate policies extension can be used in conjunction with the policy constraints extension. This extension is set by your CA and requires no setup in EncrypTight Manager components. It places additional controls on how the certificates in a chain are evaluated. The policy constraints extension can:

- Prohibit policy mapping. Policy mapping is the practice by which one OID is considered equivalent to a different OID. The extension's inhibitPolicyMapping value is the number of additional certificates in the chain that may still be processed before policy mapping is prohibited. Beyond that point mapping is not applied, and authentication can fail.
- Require that every certificate in the chain include an acceptable policy identifier, as specified in the certificate policies extension. The extension's requireExplicitPolicy value is the number of additional certificates in the chain that may be processed before every certificate in the chain must carry an acceptable policy identifier: either an exact match to an OID configured on the device, or an OID considered equivalent through policy mapping. If a certificate in the chain does not include an acceptable OID, authentication can fail.

Your CA can describe its practice for using these extensions.

Importing PEP Certificates into EncrypTight Manager

Before you enable strict authentication, the EncrypTight server must have a copy of the certificate for each PEP you use.

To import PEP certificates into EncrypTight Manager:
1 In EncrypTight Manager, from the Certificates menu, choose EncrypTight Certificates.
2 In the Keystore Certificates section, click Browse.
3 Locate the certificate file that you want to import, select it, and click Open.

TIP: For larger deployments, you can save time by importing certificates from a ZIP file. Export the certificates from the PEPs, create a ZIP file, and select it in step 3.

Working with Certificates for the PEPs

You can use the PEP Certificates page to manage certificates for your PEPs.

To open the PEP Certificates page:
1 On the menu bar, click the Certificates menu.
2 Click PEP Certificates.
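The two controls described under About the Policy Constraints Extension, worked as an added example that is not EncrypTight code: a standard-library-only Python model of the RFC 5280 path-validation counters (requireExplicitPolicy and inhibitPolicyMapping as skip-certificate counts) run over chains of hand-built certificate records. The chain records, OIDs and configured policy list are constructed for the example; the model keeps the set of policies still acceptable at each depth instead of the full valid_policy_tree, and ignores inhibitAnyPolicy and self-issued certificates.

```python
# Added example, not EncrypTight code: how requireExplicitPolicy and
# inhibitPolicyMapping skip counts play out when a chain is validated
# against the OIDs a device has been configured to accept.

ANY_POLICY = "2.5.29.32.0"


def validate_chain_policies(chain, configured_oids):
    """chain: certificate records ordered issuer-first, trust anchor excluded, each a dict:
         policies:                 list of policy OIDs in certificatePolicies (empty = absent)
         policy_mappings:          list of (issuerDomainPolicy, subjectDomainPolicy)
         require_explicit_policy:  skip count from policyConstraints, or None
         inhibit_policy_mapping:   skip count from policyConstraints, or None
    Returns (ok, detail)."""
    n = len(chain)
    explicit_policy = n + 1          # larger than the chain: explicit policy never required
    policy_mapping = n + 1           # larger than the chain: mapping always allowed
    expected = set(configured_oids)  # policies still acceptable at the current depth

    for depth, cert in enumerate(chain, start=1):
        policies = set(cert.get("policies", []))
        # A certificate without the extension, or with no surviving policy, empties the set;
        # anyPolicy matches whatever the issuer domain expected.
        if ANY_POLICY not in policies:
            expected &= policies
        # Mappings declared in this certificate apply to the certificates it issues.
        for issuer_oid, subject_oid in cert.get("policy_mappings", []):
            if issuer_oid in expected:
                expected.discard(issuer_oid)
                if policy_mapping > 0:
                    expected.add(subject_oid)
        # Each certificate consumes one "additional certificate"; this certificate's own
        # constraints can then only tighten the counters for what follows.
        explicit_policy = max(explicit_policy - 1, 0)
        policy_mapping = max(policy_mapping - 1, 0)
        if cert.get("require_explicit_policy") is not None:
            explicit_policy = min(explicit_policy, cert["require_explicit_policy"])
        if cert.get("inhibit_policy_mapping") is not None:
            policy_mapping = min(policy_mapping, cert["inhibit_policy_mapping"])
        # Once the explicit-policy count has reached zero, an empty set means failure.
        if explicit_policy == 0 and not expected:
            return False, f"explicit policy required but no acceptable OID survives at certificate {depth}"
    return True, "acceptable policies: " + (", ".join(sorted(expected)) or "(none required)")


# Constructed chain records: two intermediates and a PEP identity certificate.
CONFIGURED = {"1.2.3.4.5"}                   # what the device is configured to accept
ROOT_DOMAIN, PARTNER_DOMAIN = "1.2.3.4.5", "1.9.9.9"

CHAIN_MAPPED = [
    {"policies": [ROOT_DOMAIN], "require_explicit_policy": 0},
    {"policies": [ROOT_DOMAIN], "policy_mappings": [(ROOT_DOMAIN, PARTNER_DOMAIN)]},
    {"policies": [PARTNER_DOMAIN]},          # leaf issued under the partner's policy
]
CHAIN_MAPPING_INHIBITED = [
    {"policies": [ROOT_DOMAIN], "require_explicit_policy": 0, "inhibit_policy_mapping": 0},
    {"policies": [ROOT_DOMAIN], "policy_mappings": [(ROOT_DOMAIN, PARTNER_DOMAIN)]},
    {"policies": [PARTNER_DOMAIN]},
]
CHAIN_LEAF_WITHOUT_POLICY = [
    {"policies": [ROOT_DOMAIN], "require_explicit_policy": 3},   # count outlives the chain
    {"policies": [ROOT_DOMAIN]},
    {"policies": []},                        # PEP certificate lacks the extension
]
```

CHAIN_MAPPED passes because the partner's OID becomes acceptable through mapping; CHAIN_MAPPING_INHIBITED fails at the second certificate because the first one set inhibitPolicyMapping to 0, which is the "beyond that point, policy mapping is not allowed" case in the text. CHAIN_LEAF_WITHOUT_POLICY passes only because the skip count of 3 is never exhausted; lowering it to 2 makes the leaf's missing extension fatal.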

Understanding the PEP Certificates Page

The PEP Certificates page provides toolbars and shortcut menus for working with certificate-related functions. It includes the following elements:

Table 72 PEP Certificates Page Elements
- PEPs list: lists the available PEPs. For each PEP, the list indicates whether it is configured for strict authentication and whether it has a pending certificate signing request. To perform a certificate-related task on a PEP, select it in the list and use the shortcut menu or a toolbar button.
- Certificates tab: lists the certificates installed on the selected PEPs.
- Certificate Requests tab: lists the pending certificate signing requests for the selected PEPs.
- Certificate Revocations tab: lists the certificate revocation lists installed on the selected PEPs.
- Certificate Details: displays the details of the selected certificate.
- Certificate Request Details: displays the details of the selected certificate signing request.

Figure 65 PEP Certificates Page

PEPs list
The PEPs list displays the available PEPs. For each PEP, the list indicates whether it is configured for strict authentication and whether it has a pending certificate signing request. To perform a certificate-related task on a PEP, select it in the list and use the shortcut menu or a toolbar button to select an action.

Certificates tab
The Certificates tab lists the certificates installed on the selected PEPs. Using the toolbar buttons, you can delete certificates or export them.

Certificate Requests tab
The Certificate Requests tab lists the pending certificate signing requests for the selected PEPs. You can manage certificate signing requests using the toolbar buttons or the shortcut menu.

Certificate Revocations tab
The Certificate Revocations tab lists the Certificate Revocation Lists (CRLs) installed on the selected PEPs. You can delete and export CRLs using toolbar buttons or the shortcut menu. You can also use a batching task to install CRLs on multiple PEPs.

Certificate Details
The Certificate Details tab displays the details of a selected certificate.

Certificate Request Details
The Certificate Request Details tab displays the details of a selected certificate signing request.

Certificates Workflow

EncrypTight Manager (ETM) certificate management has several aspects. The server accepts SSL connections from clients, presenting its own certificate chain to them. The ETM server also acts as a TLS client to PEPs, optionally using OCSP and/or CRL checking on the PEP certificate chain. Finally, it can serve as a Certificate Authority (CA) for PEPs, accepting their Certificate Signing Requests (CSRs), signing them with its own CA certificate, and installing the resulting certificate on the appropriate appliance. Certificates and CSRs can also be exported as PEM-encoded text files.

Underlying support is provided by openssl for generating the PolicyServer CA and server certificates, and by the Bouncy Castle cryptography library for CA operations and basic X.509 certificate and CSR handling. By default, the PolicyServer CA and server credentials are stored in a password-protected JCEKS keystore, and PEP certificates are stored in a separate password-protected JCEKS keystore. The PolicyServer certificate chain can be downloaded as a PEM-encoded text file from the EncrypTight Certificates page of the application.

By default, during installation ETM creates two openssl-generated certificates on the first cluster node: a self-signed CA certificate and a server certificate used for authentication. Either one (or both) may be replaced with a certificate signed by a different CA; how to do this is described in more detail in the Customizing section below. When installing a PolicyServer cluster, subsequent nodes generate only their own server certificate; the CA credentials are copied from the first PolicyServer node installed. EncrypTight Manager also supports certificate-based client authentication (two-way SSL authentication between the browser and ETM).

PolicyServer CA Certificate

The CA certificate is a self-signed X.509 certificate generated on the first ETM node during installation; it is not issued by an external CA. When requested, it is used to sign the PolicyServer server certificate and, when an external CA is not being used, to sign PEP certificate signing requests (CSRs).

PolicyServer Certificate

The PolicyServer certificate is the leaf certificate presented to SSL clients of ETM, typically with the CA certificate as the only other certificate in the chain. The default server certificate has the server's IP address as its CN, with PolicyServer CA as the issuer. Optionally, during installation a new server CSR can be generated for a specific CN and subject name using openssl and signed with the CA certificate. Specific instructions are provided in the Customizing section below.

PolicyServer TLS Client

The ETM server always uses TLS to communicate with PEPs (the management protocol is XML-RPC over TLS). By default, the client does not authenticate the server: the TLS connection is used only to encrypt the traffic between ETM and the PEP. Until strict authentication is enabled, the PEP's certificate is therefore not checked, and an attacker who can intercept the management path could impersonate a PEP; the protection is against eavesdropping only. When strict certificate authentication is enabled, a PKIX trust manager is used that performs OCSP and/or CRL checks (whichever are configured) as part of the SSL socket connection initialization. When FIPS mode is not enabled, the default trust manager is wrapped with a custom trust manager that checks any CRL distribution point obtained from the PEP certificate and/or a statically configured CRL file when OCSP is not enabled, or (optionally) when the OCSP responder fails.

PolicyServer Certificate Authority

By default, PEPs are delivered with a self-signed certificate already installed on the appliance. If desired, this certificate can be replaced with one signed by the PolicyServer Certificate Authority or by any other CA. Certificates created by the PolicyServer CA are X.509 version 3 certificates, signed with the PolicyServer CA certificate, and contain the following standard extensions:

- Authority Key Identifier: identifies the public key of the signing authority
- Subject Key Identifier: identifies the public key of the requesting entity
- Basic Constraints: CA is false; the certificate cannot be used to sign other certificates
- Key Usage: non-repudiation, digital signature, key encipherment

The serial number is a randomly generated eight-octet number. By default, the certificate expires in ten years, but this is configurable on the EncrypTight Configuration page in the application. Other configurable aspects of the CSR include the distinguished name parts (C, O, OU, ST, L), the public key length, and the timeout (in seconds) for generating the CSR on the PEP.
Certificate Distribution

EncrypTight Manager provides a grid for all PEPs and separate grids for the certificates, CSR, and (optionally) Certificate Revocation Lists (CRLs) installed on each PEP. The details of each certificate or CSR can be viewed and exported individually. Multiple CSRs can be downloaded as a ZIP archive to facilitate distribution to an external CA. You can also use a batching task to install CRLs on multiple PEPs. External trusted certificates and CRLs can be installed on one or more appliances by uploading the appropriate PEM-encoded text file. A CSR can be generated for an individual PEP and, optionally, signed by the PolicyServer CA and installed immediately after generation.

NOTE: Currently, only the certificate of the ETM server that signed the CSR is automatically installed on the PEP. When an ETM cluster is used, the certificates of the other cluster members must be installed on the PEP before mutual certificate authentication is enabled; otherwise those nodes cannot authenticate to the PEP.

Directory Structure

The PolicyServer CA and server credentials are originally created as password-protected PKCS12 files in a private subdirectory of the JBoss application server's configuration directory (jboss_home/server/policyserver/conf/private), named root.p12 and server.p12 respectively by default. During installation they are loaded into the PolicyServer JCEKS keystore file, which also resides in the private subdirectory.

Customizing

Generating the PolicyServer CA and Server Certificates

During installation, the PolicyServer CA and server certificates are generated, with options for overriding the default subject DN (or just the server CN part) and the password used to protect the key and PKCS12 files. CSRs are generated by openssl using the corresponding key file in the application server's private configuration directory. The PolicyServer CA CSR is self-signed, and the server CSR is signed with the PolicyServer CA credentials using a serial number based on the root.srl file.

If desired, the create-certs.sh script can be run after installation (separately, or in conjunction with policyserver-install) to generate new PolicyServer CA and/or server credentials. New credentials are generated only if the corresponding private PKCS12 file is not present. To use existing credentials, copy the PKCS12 files containing the desired private key and certificate chain to the policyserver/conf/private directory before running the policyserver-install script.

NOTE: For a cluster configuration, the installation must be completed on the first node so that the PolicyServer CA credentials can be copied to subsequent nodes during their installation. A unique server certificate should be generated for each PolicyServer node.

Replacing the PolicyServer CA and Server Certificates

At any time, the PolicyServer CA and server credentials (certificates and private keys) can be replaced by importing new PKCS12 files that replace the existing keystore entries. The alias of the PolicyServer entry must match the configured value (which is also referenced in jboss_home/server/policyserver/deploy/jbossweb.sar/server.xml), and the alias of the PolicyServer CA entry must match the lowercased CN of the PolicyServer CA certificate (the default is "policyserver ca", derived from the default CN=PolicyServer CA) if it is to be used for signing PEP CSRs. Furthermore, to be acceptable for signing, a replacement CA certificate would most likely be an intermediate certificate issued by a trusted certificate authority and created with appropriate values (for example Basic Constraints CA:TRUE and, if Key Usage is present, keyCertSign).

Working with Certificate Requests

The workflow for requesting and installing an identity certificate on a Black Box appliance is as follows:
1 Generate a certificate signing request.
2 Send the request to a CA. If the request is approved, the CA returns a signed certificate.
3 Install the signed certificate on the appliance.

You can use an external CA or the included EncrypTight CA. If you use the EncrypTight CA, you can generate a request, submit it, and install the resulting signed certificate in one operation.

Only one certificate request is allowed on the appliance at a time. Before creating a new certificate request, you must remove the existing one.

Requesting a Certificate

Complete the following procedure to create a certificate signing request.

Figure 66 Generate a certificate signing request

To generate a certificate signing request:
1 In the PEPs list, right-click the target appliance and click Generate in the shortcut menu.
2 Complete the Subject Name fields (see Table 71).
3 From the Public Key Length box, select the size of the key that you want to use. The key is generated using the RSA algorithm, and the key size refers to the size of the modulus. A larger modulus is stronger, but the algorithm's operations are slower. You can select from:
   512: Offers little security. Use only for very short-term security needs.
   768: Suitable for less valuable information.
   1024: Recommended for most corporate use.
   2048: Provides the highest level of security.
   Note that current guidance (for example NIST SP 800-131A) no longer accepts RSA moduli shorter than 2048 bits for new keys: 512- and 768-bit moduli have been factored publicly, and 1024-bit keys are disallowed for signature generation. Select 2048 unless a specific interoperability constraint prevents it.
   EncrypTight Manager generates the certificate request in Privacy Enhanced Mail (PEM) format.
4 When prompted, save the file. The file is saved with a .csr extension.
5 Send the certificate request to a certificate authority, following its instructions for completing the request. If the request is successful, the certificate authority returns an identity certificate that has been digitally signed with the private key of the certificate authority.

NOTE: EncrypTight Manager lets you set default values to be used when generating a certificate request. Many values are common for all certificate requests from a company or division. Setting preferences for these fields can save time when submitting a request. See Setting Certificate Request Preferences on page 165 for more information.

Installing a Signed Certificate

When a certificate authority accepts a certificate request, it issues a digitally signed identity certificate and returns it electronically. The certificate must be a PEM-formatted X.509 certificate.

Figure 67 Select a certificate file and its usage

To install a signed certificate on a Black Box appliance:
1 In the PEPs list, select the target appliance.
2 Click the Certificate Requests tab.
3 Click the install button to install the signed certificate.
4 In the Import Signed Certificate box, click Browse, select the certificate file, and click Open.
5 Click Submit.

Viewing a Pending Certificate Request

Pending certificate requests are displayed in the Certificate Requests view.

To view a pending certificate signing request:
1 In the PEPs list, select the target appliance.
2 Click the Certificate Requests tab.
3 To view the details of a particular request, select it. The details of the request are displayed in the Certificate Request Details tab.

Figure 68 View pending certificate signing requests

Canceling a Pending Certificate Request

The Black Box appliance allows only one pending certificate request. To replace the pending request with a new one, you must cancel the pending request.

To cancel a pending certificate request:
On the Certificate Requests tab, select the certificate request and click the delete button. The certificate request is deleted and you can create a new certificate request.

Setting Certificate Request Preferences

EncrypTight Manager lets you set default values that will be used when generating a certificate request. Many values are common for all certificate requests from a company or division. Setting preferences for these fields can save time when generating a request. Any field set in the preferences can be overridden when a certificate request is generated.

To set certificate request preferences:
1 Click Admin > EncrypTight Configuration.
2 Double-click Certificate Signing Request.
3 In the Certificate Signing Request Configuration box, set the desired default values and click OK.

The Common Name (CN) defaults to the appliance name; it cannot be set as a preference and does not appear in the Subject Name box. For information about other distinguished name fields, see Table 71. Other certificate request preferences are described in Table 73.

Table 73 Certificate request preference fields
- Subject Name: default values for the distinguished name information to be used for most certificate signing requests (see Table 71).
- Public Key Length: the key is generated using the RSA algorithm, and the key size refers to the size of the modulus. A larger modulus is stronger, but the algorithm's operations are slower. 512: offers little security; use only for very short-term needs. 768: suitable for less valuable information. 1024: recommended for most corporate use. 2048: provides the highest level of security. Keys shorter than 2048 bits are below current minimum recommendations (NIST SP 800-131A); select 2048.
- Communication timeout: the timeout for generating a certificate signing request, in seconds. Valid values range from (5 minutes). The larger the key size, the longer it takes to generate a certificate request.

NOTE: The larger the key size, the longer it takes the Black Box appliance to generate the certificate request, because of the cost of the key-generation operations. A certificate request with a 2048-bit key can take several minutes to generate.

Exporting Certificates

This procedure describes how to export an installed certificate from the Black Box appliance. The exported certificate can then be installed as a peer certificate on another device, such as the EncrypTight server.

To export an installed certificate:
1 In the PEPs list, select the appliance with the certificate that you want to export.
2 On the Certificates tab, select the certificate that you want to export and click the export button.
3 Open or save the file when your browser prompts you.

Deleting Certificates

Delete external certificates if they have expired or are no longer used. External certificates are the only type of certificate that you can delete from the Black Box appliance. You can overwrite existing management ID certificates to replace them, but you cannot explicitly delete them.

CAUTION: You must have at least one external certificate installed on the Black Box appliance. Deleting an external certificate that is currently being used for authentication will cause management communications to fail.

To delete an external certificate:
1 Turn off strict authentication on the PEP in the configuration editor and push the new configuration, or use the strict-client-authentication disable CLI command. (For more information, see Enabling and Disabling Strict Authentication on page 170.)
2 Switch to the PEP Certificates view.
3 In the PEPs list, select the appliance with the certificate that you want to delete.
4 On the Certificates tab, select the target certificate and click the delete button. The certificate is removed from the Certificates tab and is no longer available to authenticate peers.

Validating Certificates

Generally, certificates are considered valid until they expire. However, a CA can revoke a certificate before it expires when necessary, for example after a key compromise. Devices can check whether a certificate has been revoked using certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP).

Validating Certificates Using CRLs

Certificate authorities publish certificate revocation lists (CRLs) to identify the certificates that they consider invalid. Certificates include a CRL Distribution Point extension, which provides the URL from which the issuing certificate authority's CRL can be retrieved. By default, EncrypTight Manager examines received certificates to determine that URL and checks the location for CRLs. For PEPs, you must obtain a copy of the CRL and install it on each PEP that you use.

In EncrypTight Manager, you can instead specify a local directory to check for CRLs. All EncrypTight components check the CRL the first time a device initiates communication and then store the CRL until it expires. Storing CRLs locally accelerates the check and helps minimize false authentication failures caused by revocation check failures. If you choose to store CRLs locally, remember to periodically retrieve updated copies of the CRL and install them on each EncrypTight component; a stored CRL that has passed its next-update time no longer reflects recent revocations.

NOTE: CRLs are only supported on PEPs with software version 1.6 or later. You must upgrade PEPs with earlier software versions in order to use this feature. To learn more about upgrading the software on PEPs, see Installing Software Updates on page 77.

Configuring CRL Usage in EncrypTight Manager

By default, EncrypTight Manager reads installed certificates to find the location of the CRL. You can override this behavior and specify a local CRL file instead.

To use a local CRL file with the EncrypTight Manager software:
1 On the management workstation, create a directory where you want to store the CRL files.
2 In EncrypTight Manager, select Admin > EncrypTight Configuration.
3 Double-click CRL File.
4 In the Upload file box, click Browse, navigate to the file location, and select the CRL file.
5 Click Open.
6 Do one of the following:
   To copy the file to the server, click Copy file to file store.
   To remove the file from the server, click Remove file from file store.
7 Click Submit.

NOTE: This setting does not take effect until you enable strict authentication.

Configuring CRL Usage on PEPs

You manage CRLs for the PEPs using the Certificates view in the EncrypTight Manager software.

To install a CRL on a PEP:
1 Switch to the Certificates view.
2 In the PEPs view, right-click the target PEP and choose Install CRL.
3 Navigate to the appropriate directory and select the CRL file that you want to install.
4 Click Open.
5 Push the modified configuration to the PEP to complete the installation.

NOTE: You can also use a batching task to install CRLs on multiple PEPs.

To view CRLs:
1 In the PEPs view, right-click the target PEP and click View CRLs in the shortcut menu. A list of installed CRLs is displayed in the CRLs view.

To delete CRLs:
1 In the PEPs view, select the target PEP.
2 Click the CRLs tab.
3 Right-click the CRL that you want to remove and select Delete.

Handling Revocation Check Failures

Not being able to check a CRL does not by itself indicate that a certificate is expired or revoked, especially when the CRL is hosted on a server in a different network. By default, if an EncrypTight component cannot check a CRL for any reason, it logs the failure but still allows a secure communication session to be created. You can change this behavior so that the authentication fails instead. Be aware of the trade-off: the default keeps the management path available, which means a revoked PEP certificate is still accepted while the CRL is unreachable; failing closed enforces revocation at the cost of management outages whenever the CRL server is down.

To change the default EncrypTight Manager action when a CRL cannot be checked:
1 In EncrypTight Manager, select Admin > EncrypTight Configuration.
2 Double-click the Ignore CRL access failure item.
3 Clear the Ignore CRL access failure check box.
4 Click Update.

Validating Certificates Using OCSP

As an alternative to CRLs, you can validate certificates with the Online Certificate Status Protocol (OCSP). With OCSP, the device that wants to check the validity of a certificate reads the certificate to determine the URL of the OCSP responder and sends a request that identifies the certificate in question. Organizations can also explicitly specify a URL to use for the OCSP responder. The OCSP responder returns a signed OCSP response indicating the status of the certificate.

To use OCSP, you must enable it on each EncrypTight component. PEPs can read the URL from the certificate itself, but you can specify a URL to use if needed. EncrypTight Manager provides additional options that determine what happens if no OCSP responder can be located or if the URL cannot be contacted.

When OCSP is enabled, EncrypTight Manager checks revocation status in the following order:
- If a default OCSP responder URL is defined, EncrypTight Manager uses it.
- Otherwise, EncrypTight Manager reads the certificate to determine the URL of the OCSP responder.
- If the certificate contains no OCSP URL, or the responder cannot be reached, EncrypTight Manager can optionally fall back to the URL of the CRL Distribution Point in the certificate. If the CRL Distribution Point URL is not present or cannot be reached, validation fails. Unlike the CRL-only case, there is no option to ignore revocation check failures in this scenario.

By default, the system assumes that OCSP responses are signed by the issuer of the certificate whose status is being checked. You can override this and specify an alternative signer by entering the subject name of the signer's certificate.

In addition, to verify the response from the OCSP responder, you need to install the certificate of the OCSP responder. For more information about installing certificates, see Installing an External Certificate on page 160.

Configuring OCSP for EncrypTight Manager

In EncrypTight Manager, you must be logged in with Platform Administrator privileges to configure OCSP. On PEPs, you must enable strict authentication before you can configure OCSP (see Enabling and Disabling Strict Authentication on page 170).

To set up OCSP in EncrypTight Manager:
1 Log into EncrypTight Manager as a platform administrator.
2 In EncrypTight Manager, click Admin > EncrypTight Configuration.
3 Double-click Online Certificate Status Protocol (OCSP).
4 In the OCSP Configuration box, select Enable Online Certificate Status Protocol (OCSP).
5 Configure other options as needed (see Table 74).
6 Click OK.

Table 74 EncrypTight Manager OCSP Options
- Enable Online Certificate Status Protocol (OCSP): enables or disables the use of OCSP in EncrypTight Manager. Disabled by default.
- Responder DN: the subject name of the OCSP responder's certificate, for responders whose responses are not signed by the issuer of the certificate being checked.
- OCSP URL: the URL to use for OCSP checking. This option overrides any OCSP URL indicated in certificates.
- Revert to CRL on Responder Failure: if the OCSP responder does not reply or cannot be reached, EncrypTight Manager reads the certificate to determine the location of the CRL and uses that CRL to validate the certificate. Note that authentication fails when OCSP is enabled and the fallback CRL cannot be accessed.

NOTE: For enhanced security, if you want to validate certificates using OCSP only, disable Revert to CRL on Responder Failure.
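The behaviour described under Handling Revocation Check Failures and Validating Certificates Using OCSP, as an added example that is not EncrypTight code: a standard-library-only Python model of the decision EncrypTight Manager makes for one PEP certificate, with the Enable OCSP, OCSP URL, Revert to CRL on Responder Failure, Ignore CRL access failure and CRL File settings as inputs, a stored CRL that is reused until its next-update time, and the responder and CRL server replaced by constructed in-memory stand-ins (the example.invalid URLs and serial numbers are placeholders). It reproduces the asymmetry the guide points out: an unreachable CRL can be ignored in CRL-only mode, but never when the CRL is the OCSP fallback.

```python
# Added example, not EncrypTight code: the revocation-check decision for one PEP
# certificate, with the guide's OCSP/CRL settings as inputs and the network
# replaced by constructed stand-ins so it runs offline.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set


@dataclass
class Cert:
    serial: int
    ocsp_url: Optional[str] = None      # OCSP responder URL carried in the certificate
    crl_dp_url: Optional[str] = None    # CRL Distribution Point URL carried in the certificate


@dataclass
class Crl:
    revoked: Set[int]
    next_update: datetime               # a stored CRL is reused until this time


@dataclass
class Config:
    ocsp_enabled: bool = False               # Enable Online Certificate Status Protocol (OCSP)
    ocsp_url: Optional[str] = None           # OCSP URL: overrides the certificate's responder
    revert_to_crl: bool = False              # Revert to CRL on Responder Failure
    ignore_crl_access_failure: bool = True   # Ignore CRL access failure (CRL-only mode, default on)
    local_crl: Optional[Crl] = None          # CRL File copied to the file store, if any


class RevocationChecker:
    def __init__(self, cfg, ocsp_query, crl_fetch, now=lambda: datetime.now(timezone.utc)):
        self.cfg, self.ocsp_query, self.crl_fetch, self.now = cfg, ocsp_query, crl_fetch, now
        self._crl_cache = {}

    def check(self, cert):
        """Return (decision, detail) with decision 'good', 'revoked' or 'fail'."""
        if not self.cfg.ocsp_enabled:
            return self._crl_status(cert, ignore_failures=self.cfg.ignore_crl_access_failure)
        url = self.cfg.ocsp_url or cert.ocsp_url        # default responder first, then the cert
        if url:
            try:
                return self.ocsp_query(url, cert.serial), f"OCSP {url}"
            except OSError as exc:
                if not self.cfg.revert_to_crl:
                    return "fail", f"OCSP responder {url} unreachable: {exc}"
        elif not self.cfg.revert_to_crl:
            return "fail", "no OCSP responder URL configured or present in certificate"
        # OCSP falling back to the CRL Distribution Point: an inaccessible CRL always fails.
        return self._crl_status(cert, ignore_failures=False)

    def _crl_status(self, cert, ignore_failures):
        try:
            crl = self.cfg.local_crl or self._stored_crl(cert.crl_dp_url)
        except OSError as exc:
            if ignore_failures:          # logged, but the session is still allowed
                return "good", f"CRL check skipped: {exc}"
            return "fail", f"CRL unavailable: {exc}"
        return ("revoked" if cert.serial in crl.revoked else "good"), "CRL"

    def _stored_crl(self, url):
        if not url:
            raise OSError("certificate has no CRL Distribution Point")
        crl = self._crl_cache.get(url)
        if crl is None or crl.next_update <= self.now():   # first use, or stored copy expired
            crl = self.crl_fetch(url)                       # may raise OSError
            self._crl_cache[url] = crl
        return crl


# Constructed stand-ins for the network (placeholder URLs and serials).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
REVOKED_SERIALS = {0x1234}
OCSP_UP = "http://ocsp.example.invalid/"
CRL_UP = "http://crl.example.invalid/pep.crl"
FETCH_LOG = []                           # records every CRL download, to observe caching


def fake_ocsp(url, serial):
    if url == OCSP_UP:
        return "revoked" if serial in REVOKED_SERIALS else "good"
    raise OSError("connection refused")


def fake_crl_fetch(url):
    FETCH_LOG.append(url)
    if url == CRL_UP:
        return Crl(set(REVOKED_SERIALS), NOW + timedelta(days=7))
    raise OSError("connection refused")
```

The injected `ocsp_query` and `crl_fetch` callables and the `now` clock are what make the decision testable without a responder; in a real deployment they would be the HTTP client and the system clock. Note that the local CRL file short-circuits the distribution point entirely, so a stale uploaded file silently hides later revocations, which is why the guide tells you to refresh it.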

Using Enhanced Security Features

Figure 69 OCSP Configuration

Configuring OCSP for PEPs

To set up OCSP on the PEPs:

1 In the PEPs view, select the appliance that you want to change and click .
2 Click the Features tab.
3 Click Enable strict authentication.
4 Click the Advanced tab.
5 Click Enable OCSP.
6 In the Responder URL box, enter the URL of the OCSP responder.
7 Make other selections as needed. See Table 75 for an explanation of the OCSP settings.
8 Click OK.

Table 75 OCSP Settings

Option                      Description
Enable OCSP                 When checked, enables the use of OCSP. The default is unchecked.
Verify OCSP Response        Verifies OCSP responses by authenticating the response with the installed certificate. The default is to verify the OCSP response.
Ignore Failure to Respond   Not receiving a response does not indicate that a certificate has expired or that it has been revoked. This option allows the PEP to proceed when a response to an OCSP query is not received in a timely manner. The default is to ignore the failure to respond.
Check Certificate Chain     When checked, this option instructs the PEP to use OCSP to check the validity of every certificate in the responder's chain of trust. The default is unchecked.
Responder URL               Specifies the URL to use for the OCSP responder.

Enabling and Disabling Strict Authentication

After you have installed certificates on each EncrypTight component, you can enable strict authentication. Strict authentication is a setting that affects communications between all EncrypTight components. Once you enable strict authentication on a component, it begins to use certificates to authenticate communications from devices that attempt to communicate with it. To use strict authentication systemwide, you must specifically enable it in EncrypTight Manager and on each PEP in use.

170 EncrypTight Manager User Guide

NOTE Strict authentication is available for PEPs with software version 1.6 and later.

To enable strict authentication in EncrypTight Manager:

1 In EncrypTight Manager, select Admin > EncrypTight Configuration.
2 Double-click Use Strict Certificate Authentication.
3 Click the Use Strict Certificate Authentication check box.
4 Click Update.

To enable strict authentication on PEPs:

1 For each PEP, in the PEPs view select the PEP and click .
2 Click the Features tab.
3 Click Enable Strict Client Authentication.
4 Click OK.
5 In the PEPs view, select all of the PEPs that you changed.
6 Click .
7 Click Submit to close the Provision PEP dialog box and apply the changed configurations to the PEPs.

If you need to remove a PEP from service and use it elsewhere, you need to disable strict authentication and remove all certificates and policies.

To disable strict authentication:

1 In the PEPs view, select the target PEP and click .
2 Click the Features tab.
3 Clear the Enable Strict Client Authentication box.

If certificates expire, or if you enable strict authentication before installing certificates, you might not be able to communicate with the PEP from the management workstation. In this case, you can connect a serial cable to the PEP and disable strict authentication from the command line.

To disable strict authentication from the command line:

1 Connect to the serial port of the appliance and open a terminal session.
2 Log in and type configure to enter configuration mode.
3 Type management-interface to enter management interface configuration mode.
4 Enter strict-client-authentication disable.

For example:

    admin> configure
    Entering configuration mode...
    config> management-interface
    Entering management interface configuration mode...
    man-if> strict-client-authentication disable

For more information about using the strict-client-authentication command, see the CLI User Guide for the PEP.

Removing Certificates

You can remove certificates when they are no longer needed or when they have expired. However, you can only remove external certificates, and you must disable strict authentication first. In EncrypTight Manager, you can remove individual certificates from a PEP or a group of selected certificates. From a command line window, you can remove all certificates on a PEP. When you remove all certificates, the appliance regenerates a self-signed certificate. For information on using CLI commands, see the ETEP CLI User Guide.

To remove certificates:

1 Select the PEP in the PEPs list and click .
2 In the Certificates view, select the certificates that you want to remove.
3 Click .
4 Click OK when you are prompted for confirmation.

CAUTION Do not use this function if strict authentication is enabled. Doing so can cause errors and prevent communication between the management workstation and the appliance. Disable strict authentication first and then remove the certificates.
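Because enabling Strict Client Authentication against a missing or expired certificate cuts off management until someone reaches the serial console, the following added example (not from the guide and not EncrypTight tooling) runs a preflight with the openssl command-line tool before that setting is turned on: the certificate must parse, keep a chosen margin of validity, and verify against the CA bundle. The make_demo_cert helper, the file names and the margin values are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the EncrypTight guide. Requires the openssl CLI.

# make_demo_cert CERT KEY DAYS: throwaway self-signed certificate for the demo
# (constructed test data; a real PEP certificate comes from your CA).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=pep-demo" \
      -keyout "$2" -out "$1" >/dev/null 2>&1
}

# strict_auth_preflight CERT CA_BUNDLE [MIN_SECONDS]
# Exit codes: 0 ok, 2 missing file, 3 not a certificate, 4 expires within
# MIN_SECONDS (default one day), 5 does not chain to CA_BUNDLE.
# Enable strict authentication on the component only when this returns 0.
strict_auth_preflight() {
  _cert=$1; _ca=$2; _min=${3:-86400}
  if [ ! -r "$_cert" ] || [ ! -r "$_ca" ]; then
    echo "preflight: certificate or CA bundle not readable" >&2; return 2
  fi
  if ! openssl x509 -noout -in "$_cert" >/dev/null 2>&1; then
    echo "preflight: $_cert is not a PEM certificate" >&2; return 3
  fi
  # -checkend N succeeds only if the certificate is still valid N seconds from now
  if ! openssl x509 -noout -checkend "$_min" -in "$_cert" >/dev/null 2>&1; then
    echo "preflight: $_cert expires within $_min seconds:" \
         "$(openssl x509 -noout -enddate -in "$_cert")" >&2; return 4
  fi
  if ! openssl verify -CAfile "$_ca" "$_cert" >/dev/null 2>&1; then
    echo "preflight: $_cert does not chain to $_ca" >&2; return 5
  fi
  return 0
}

# preflight_demo: a two-day self-signed certificate (its own trust anchor)
# passes a one-hour margin, fails a seven-day margin with code 4, and a file
# that is not a certificate is rejected with code 3. Returns 0 if all hold.
preflight_demo() {
  _d=$(mktemp -d) || return 1
  make_demo_cert "$_d/pep.pem" "$_d/pep.key" 2 || return 1
  strict_auth_preflight "$_d/pep.pem" "$_d/pep.pem" 3600 || return 1
  _rc=0; strict_auth_preflight "$_d/pep.pem" "$_d/pep.pem" 604800 2>/dev/null || _rc=$?
  [ "$_rc" -eq 4 ] || return 1
  echo "not a certificate" > "$_d/bogus.pem"
  _rc=0; strict_auth_preflight "$_d/bogus.pem" "$_d/pep.pem" 3600 2>/dev/null || _rc=$?
  [ "$_rc" -eq 3 ] || return 1
  rm -rf "$_d"
}

preflight_demo && echo "preflight demo: all checks behaved as expected"
```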

15 Using A Disaster Recovery Server

About Disaster Recovery Servers

You can set up a secondary server to use as a Disaster Recovery Server. The Disaster Recovery Server can take over operations in the event that the primary EncrypTight Server becomes unavailable. Most often, the Disaster Recovery Server and the main server are not located together.

The Disaster Recovery Server expects a heartbeat signal from the main servers at a configurable interval (every 30 seconds by default). If that signal is not received for five consecutive intervals, the Disaster Recovery Server begins to take over operations and does the following:

- Determines what policies are deployed and which ones are encryption policies.
- Starts the rekey interval for each encryption policy.
- Listens for a heartbeat signal from any main server.
- Updates after policies are flushed: the Disaster Recovery Server is updated after a flush policies operation has been performed on a PEP.

As soon as a signal from a main server is detected, the Disaster Recovery Server ceases activity and stops any rekey timers.

You must be logged in as a Platform Administrator in order to configure EncrypTight Manager to use a Disaster Recovery Server. To use a Disaster Recovery Server in an EncrypTight system, you need to configure settings on the Disaster Recovery Server and on each Main EncrypTight Server.

NOTE A disasterrekey override has been added to the policyserver-init.conf. If set to false, the disaster server will NOT start rekeys. Manual intervention is required to start rekeys on the DR server in this situation.

Configuring a Disaster Recovery Server

You need to configure the Disaster Recovery Server to act as one and specify the main servers that it should monitor.

To configure the Disaster Recovery Server:

1 Select Admin > Configuration.
2 Changing to be the Disaster Recovery Server requires a restart.
3 If you need to make changes to the list, double-click Heartbeat Server Check Hosts and enter the hostnames or IP addresses for the main servers that you want the Disaster Recovery Server to monitor. Separate multiple servers with commas. This field would ordinarily include values that you set when you first installed and set up the server.
4 Click Update.
5 If necessary, you can change the values for Heartbeat Server Check Interval and Heartbeat Server Check Port.
6 Double-click This Is The Disaster Recovery Server, click the check box, and click Update.

Configuring the Main Servers

The main servers need to know the IP address of the Disaster Recovery Server. Every time you deploy policies, the main servers copy the EncrypTight Manager database to the Disaster Recovery Server. Log in and perform these steps on the main server.

To configure the main servers to use a Disaster Recovery Server:

1 In the Main Server Configuration group, enter the Database Backup Password and Database Backup User name.
2 Double-click Disaster Recovery Host and enter the IP address of the Disaster Recovery server.
3 Click Update.
4 Enter the Disaster Recovery Host SSH Password and username.
5 Double-click Heartbeat Server Enabled and click the check box to activate it.
6 Click Update.

Backup and Restore of EncrypTight Manager

General Guidelines

There are a variety of failure scenarios that can occur in a production environment, and recovering from these scenarios will not always involve the same procedures. The procedures to follow will be specific to what type of failure occurred, and how much data loss there was as a result. The common failure cases addressed here are:

- disk drive failures
- other hardware component failures
- damage to the ETM software or database
- other filesystem damage
- complete loss of the OS

Every IT organization will have policies or practices related to backing up servers, so we should learn what a given customer does and ensure that they include the ETM servers in their procedures. We should also ensure that their practices include creating, or already having, some form of bootable media (e.g. DVD) so that they can access the disk drives of an ETM server in case some radical damage is done to the OS (such as 'rm -rf /'). Common examples would be a bootable Linux CD/DVD, a recovery CD made from Clonezilla, a Ghost recovery DVD, or a generic rescue CD (or even USB stick) such as this

Backup components provided by ETM

EncrypTight Manager provides mechanisms for backing up its database, and also for backing up the ETM software. Customers who do not do full server backups regularly can use those tools to ensure that they can recover as close to a point of failure as possible, while backing up the minimal amount of data necessary to restore. Using these tools also reduces the need for frequent full system backups.

Database Backup: To capture a known good point-in-time configuration, users can take database snapshots. It is recommended that this be done each time they deploy a production set of policies, at a minimum. See procedure 5 below.

Database Restore: To restore to a known good point in time, a database backup can be used to restore from. See procedure 6 below. If restoring an entire cluster, this only needs to be done on one node, and then the other node should be synced via the UI.

ETM Backup: A full ETM backup does not need to be performed as frequently as the database backup, as the changes to an ETM distribution are much less frequent than changes to the database. However, whenever changes are made, it is advisable to take a backup. Such changes would include:

- Upgrading the ETM software
- Staging new ETEP software on the ETM ftp server
- Topology changes to a cluster (adding or removing a node)

ETM Restore: Restoring from an ETM backup would be necessary if some damage had occurred within the ETM install directories, such as unintentional deletion of the policyserver config files or binaries. The ETM backup includes a database backup within the archive (tar file); however, it may not be necessary to restore the database. If the intention of the restore is simply to fix the filesystem, the database does not need to be restored. If, however, a full system recovery is being performed, then the most recent ETM backup and database backup should be used for restoration. If the most recent database backup is the one contained within the ETM backup, then that should be used.

Hardware Server specifics

Drive failures

A hardware ETM server has two possible configurations: a non-RAID dual drive system, or a RAID 1 dual drive system (mirroring).

RAID system: For a drive failure in a RAID configuration, simply replacing the failed drive is all that is necessary.

Non-RAID system: There are two possibilities:

- Failure of the main drive: Boot from the backup drive (change the BIOS order), and restore with either procedure 2, 4, or 6 below, depending on how many changes were made outside of the ETM software. Then replace the failed drive and dd the main drive to the new drive, which is now the new backup drive.
- Failure of the backup drive: Replace the backup drive and repeat the dd operation to copy the main drive to the backup drive.

Other hardware component failures

If some component other than a drive has failed, that component could be replaced in the field, or the server could be RMA'd back to Black Box.

Damage to the ETM software or database

If some damage is done to the ETM installation, such as unintentional removal of key configuration files or binaries under /opt/jboss/server/policyserver, then the ETM software should be restored. If that is all that occurred, then the database does not need to be restored. See procedure 4 below for restoring the ETM software.

Damage to the OS or filesystem

If damage is done to other areas of the filesystem, such as unintentional removal of OS files, or files outside of the ETM root directory, then a restore from backup will be necessary. Depending on what was damaged, either part of the backup or all of the backup may be necessary for the restore. For example, if the only damage was to /etc, then only that portion of the backup would be needed to recover. If something as drastic as 'rm -rf /' had occurred, then the full backup would be needed, and then a subsequent ETM backup or database backup might also need to be applied. That would be necessary if such a backup existed that was more recent than the full backup. See procedure 2 and procedures 4 and 6 below.

Example backup and restore procedures

Procedure 0. Copying drives with dd (only for non-RAID systems!)

An example command, run as root, to copy drive a to drive b:

    dd if=/dev/sda of=/dev/sdb bs=100M conv=notrunc,noerror

Be careful with the order of if and of: you can write a blank disk over a good disk if you get them confused. More info on dd can be found on Wikipedia, and also on linuxquestions.org.

The above procedure could be run regularly to snapshot a drive as it is modified, to keep the backup as current as desired. This procedure can serve as a full filesystem backup (an alternative to Procedure 1 below) for non-RAID configured servers. However, it is subject to drive failure of this backup drive.

Procedure 1. Backing up the entire filesystem

As stated in the General Guidelines, each IT organization will (or should) have standardized backup practices. At a minimum, they should retain a full snapshot of an ETM filesystem at least once, after the installation script has been run and they have made whatever configuration changes they wanted for a given site (such as changes to files in /etc). There are many ways to accomplish this. One simple method is using the tar command. An example is provided here (this should be run as root):

    cd /
    tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys /

Please familiarize yourself with the tar command and its arguments. The man pages are included in the ETM distro. As noted above, the dd operation for non-RAID configured servers also serves as a full filesystem backup. It can be performed at important milestones to keep the backup current.

Procedure 2. Restoring the complete filesystem, including the OS

Restoring the complete filesystem will depend on how the backup was taken. If it was via the example tar command above, then restoring would involve untarring the backup like so:

    cd /
    tar xvpfz backup.tgz -C /

NOTE If restoring a completely destroyed filesystem on the boot partition, the server bootup will have to be done via other media: either a CD/DVD/drive as mentioned at the beginning of this document, or a secondary drive if the system is non-RAID and the secondary drive holds a backup.

If using a dd version of the backup to restore from, the dd operation should be performed in the same manner as was done initially, but the "if" and "of" arguments should be reversed. For example:

    dd if=/dev/sdb of=/dev/sda bs=100M conv=notrunc,noerror

Alternative *nix backup methods

There are many other methods for backing up and restoring a *nix operating system. Methods include dar, rsync, cp, scp, tar, dd, Clonezilla, Ghost, Amanda, and many more. As mentioned previously, it is expected that a customer's IT organization will have already established backup policies and procedures. If not, or for general reference, there are many sites available on the internet that discuss this topic. For reference, the following are listed here:

Procedure 3. Backing up the ETM software and data

To back up the ETM software and data, navigate to the Platform->Utilities page, then the AppServer Nodes tab, then select the server you are logged into, right-click, and choose Backup. This will perform a database backup, and then create a tar archive file containing the ETM software, the root directory where ETM is installed, the database backup, and other directories used by ETM, specifically the ftp dir and filestore dir. It will also optionally scp the backup to a remote server if those configuration properties are set up. This was discussed and documented in the tech Webex session on , but for convenience, these properties are also listed here. They are named as follows in the Admin->ETM Config page:

- Backup Server (ip)
- Backup Server scp Directory
- Backup Server scp User
- Backup Server scp Password

Also note that the ETM root dir is /opt/jboss/server/policyserver, and that the /opt/scripts directory is a symlink to /opt/jboss/server/policyserver/scripts, so that directory will be backed up. It contains the config files that were used during installation. Files in /etc/init.d are not included in this tar, so those should be backed up separately, after installation. They should never change after installation.

Whether or not the backup is scp'd to a remote host, a copy will be left in the /opt/jboss/server/policyserver/log dir, and can be downloaded via the browser from the Admin->Server Files page (from the logs folder). Double-clicking on it will download it. The database backup will also be located there. The names are of the following format:

    <host ip address>-backup-yyyymmdd-hh-mm.tar.gz
    db-backup-yyyymmdd-hh-mm.sql.gz

Procedure 4. Restoring the ETM software and data

To restore from an ETM server backup, obtain the backup that was taken for the particular host (note that the ip address of the host is part of the backup file name), scp it to the ETM host, and untar it. (The application server should be stopped before doing this: /etc/init.d/policyserver stop.) For example:

    scp backup tar.gz root@etmserver:/
    ssh root@etmserver
    cd /
    gunzip -c backup tar.gz | tar xvpf -

At this point, the database backup that is located in /opt/jboss/server/policyserver/log can be used (only if necessary) to restore the database. See procedure 6. Once completed, the application server can be restarted with /etc/init.d/policyserver start. See the notes below on details related to cluster nodes and DR servers.

Procedure 5. Backing up the ETM database

To back up just the ETM database, navigate to the Platform->Utilities page, then the DB Nodes tab, then select the database for the server you are logged into, right-click, and choose Backup. This will create a backup that can be downloaded from the Admin->Server Files page, in the logs folder. It will be named like db-backup-yyyymmdd-hh-mm.sql.gz. Double-clicking on it will download it to your local disk, from where it should be safely archived.

Procedure 6. Restoring the ETM database

To restore the database from a backup, scp the backup to the host being restored, and execute the db-import.sh script. For example:

    scp db-backup sql.gz root@etmserver:/opt/filestore
    ssh root@etmserver
    cd /opt/filestore
    gunzip db-backup sql.gz
    /opt/scripts/db-import.sh --importfile=db-backup sql

If you changed the database userid or password, you will have to supply those options as well:

    log]# /opt/scripts/db-import.sh --help
    db-import.sh --help
        --dbuser=dbuser
        --dbpass=dbpassword
        --dbtype=dbtype
        --importfile=importfile
        --disasterserver=[true/false]

Cluster notes

Restoring a cluster node should not include restoring the database if another cluster node with a database is still active. Instead, the database on the restored node should be synchronized via the ETM web application. On the Platform->Utilities page, on the DB Nodes tab, find the inactive database, right-click on it and choose Activate.

DR notes

If restoring a DR database (which should really never be necessary, since the backup can be pushed from the main ETM site via the UI), you must supply the --disasterserver=true command line option.

Restoring to factory defaults

If for some reason a server needs to be set back to the state in which it was delivered from Black Box, the /opt/scripts/factory-restore.sh script can be run. The user will be prompted twice before proceeding. This script will stop the ETM server, delete the database and reset all configuration files to their original state. The installer can be re-run after performing this operation.

VM Server specifics

VMware specific information is found on the VMware website.

VMware backup guide

NOTE VMware does not consider VM snapshots to be backups. For more information about snapshots, read the following knowledge base articles.

Understanding VM snapshots
search.do?language=en_us&cmd=displaykc&externalid=

Best Practices for VM snapshots
search.do?language=en_us&cmd=displaykc&externalid=
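To exercise the tar-based Procedures 1 and 2 and the per-host archive naming of Procedures 3 and 4 without touching a live server, here is an added example script (not part of the guide or of the ETM distribution). It backs up a constructed scratch tree with the guide's exclusions, restores it elsewhere, checks the restored files against the originals, and picks the newest <host ip>-backup-yyyymmdd-hh-mm.tar.gz for a given host; every path and file content in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the EncrypTight guide. All paths are scratch
# directories created by the demo; never point etm_fs_backup at "/" on a live
# server except with the guide's full exclude list and a reviewed destination.

# etm_fs_backup ROOT ARCHIVE
# Archives ROOT as relative paths, skipping the pseudo-filesystems and mount
# points that the guide's Procedure 1 excludes, then lists the archive so a
# truncated or corrupt file is caught at backup time, not at restore time.
etm_fs_backup() {
  tar -C "$1" -cpzf "$2" \
      --exclude=./proc --exclude=./sys --exclude=./mnt --exclude=./lost+found . \
  && tar -tzf "$2" >/dev/null
}

# etm_fs_restore ARCHIVE DEST: the guide's Procedure 2 (tar xvpfz ... -C /)
# applied to DEST instead of /.
etm_fs_restore() {
  mkdir -p "$2" && tar -xpzf "$1" -C "$2"
}

# tree_digest DIR: one checksum over every regular file's relative path and
# contents, so two trees can be compared with a single string comparison.
tree_digest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s ' "$f"; cksum < "$f"
    done ) | cksum | cut -d' ' -f1
}

# latest_backup_for_host DIR IP
# Prints the newest "<IP>-backup-yyyymmdd-hh-mm.tar.gz" in DIR. The timestamp
# is zero-padded, so a byte-wise sort puts the newest last; archives of other
# hosts (including IPs that merely share a prefix) and db-backup files are ignored.
latest_backup_for_host() {
  _ip=$(printf '%s' "$2" | sed 's/\./\\./g')
  ls "$1" | grep "^$_ip-backup-[0-9]\{8\}-[0-9]\{2\}-[0-9]\{2\}\.tar\.gz$" \
    | LC_ALL=C sort | tail -n 1
}

# backup_round_trip: constructed tree -> backup -> restore -> compare.
# Returns 0 when the restored files match and the excluded proc tree stayed out.
backup_round_trip() {
  _w=$(mktemp -d) || return 1
  mkdir -p "$_w/root/etc" "$_w/root/opt/jboss/server/policyserver/conf" \
           "$_w/root/proc" "$_w/root/sys"
  echo "127.0.0.1 etmserver" > "$_w/root/etc/hosts"
  echo "demo=1" > "$_w/root/opt/jboss/server/policyserver/conf/demo.properties"
  echo "kernel state, must not be archived" > "$_w/root/proc/demo"
  etm_fs_backup "$_w/root" "$_w/backup.tgz" || return 1
  etm_fs_restore "$_w/backup.tgz" "$_w/restored" || return 1
  [ "$(tree_digest "$_w/root/etc")" = "$(tree_digest "$_w/restored/etc")" ] || return 1
  [ "$(tree_digest "$_w/root/opt")" = "$(tree_digest "$_w/restored/opt")" ] || return 1
  [ ! -e "$_w/restored/proc/demo" ] || return 1
  rm -rf "$_w"
}

backup_round_trip && echo "backup round trip: restored tree matches, proc excluded"
```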


Index

Symbols
, 103

Numerics
3DES, 60

A
addressing mode, 61
advanced configuration
    ETEP,
Advanced Encryption Standard, 60
AES, 60
appliance configuration
    ETEP,
appliance users, See user accounts
appliance-level tasks
    managing ETEP user accounts, 131
appliances
    shutting down, 42
apply to all traffic, minimizing mesh policy size, 63
ARIA encryption, 61
authentication algorithms, 61
auto-negotiation configuration
    PEP, 108

B
backing up appliance file system, 91

C
ETEP throughput, 104
ETEP configuration,
Certificate Manager
    cancelling a pending certificate request, 164
    certificate request preferences, setting, 165
    CRLs
        deleting from ETEPs, 168
        installing on ETEPs, 167
        viewing on ETEPs, 168
    deleting external certificates, 166
    exporting certificates, 165
    generating certificate requests, 163
    installing a signed certificate, 164
    viewing pending certificate requests, 164
certificate policy extensions, 157
    configuring in EncrypTight Manager, 157
    configuring on ETEPs, 157
certificate revocation lists (CRLs), see CRLs, 166
certificates
    about, 154
    certificate policy extensions, 157
    certificate revocation lists (CRLs), 166
    configuring CRL usage, 166
    configuring CRL usage in EncrypTight Manager, 167
    deleting all on a ETEP, 172
    deleting specific certificates from a ETEP, 166
    distinguished name, 155
    handling revocation check failures, 168
    OCSP configuration, 168
    policy constraint extension, 158
    policy mapping, 158
    prerequisites, 154
    recommended order of operations, 155
    strict authentication, 154
        disabling, 171
        enabling, 170
    using in a EncrypTight system, 156
clear policy action, 57
CLI inactivity timer
    ETEP, 127
clock synchronization using SNTP
    ETEP, 133
configuration
    comparing configurations, 36
    templates, 40
        creating, 40
        modifying defaults, 40
configuring an appliance
    ETEP,
Configuring LDAP, 95
CRLs
    about, 166
    configuring usage in EncrypTight Manager, 167
    deleting from ETEPs, 168
    installing on ETEP, 167
    viewing on ETEPs, 168
customer support, 12

D
default gateway configuration
    ETEP management port, 105
    ETEP remote and local ports, 111
deploy policies, 74
DES, 60
DF bit configuration
    ETEP, 113
DHCP Relay, configuring on the ETEP, 112
distinguished name, 155
distributed key policies, supported topologies, 13
downloading software upgrades, 91
drop policy action, 57

E
Easy Mesh Policy, 71
Edit menu commands
    Preferences
        Certificate Manager, 165
editing
    configuration templates, 40
    network set, 54
    networks, 46
    VLAN ID range, 56
encapsulation method used in the EncrypTight system, 60
encrypt all policies with exceptions, defining, 62
encrypt policy action, 57
encryption
    algorithms in the EncrypTight system, 60
    changing from Layer 3 to Layer 2, 138
    policy settings
        changing on the ETEP, 138
Ethernet policies, 57
exporting certificates from the appliance, 165
external certificates
    deleting, 166

F
factory settings defaults
    ETEP,
failed login, 19
features
    configuring on the ETEP, 135
filtering
    filtering criteria in policies, 57
FIPS mode, enabling on the ETEP, 135
flow control configuration
    PEP, 108
fragmentation
    ETEP
        choosing the reassembly mode, 113
        setting the PMTU, 126
FTP server
    configuring for software upgrades, 92

G
grouping networks, 44

I
ignore DF bit
    ETEP, 113
ignore source IP address, 63
IKE VLAN tag, enabling, 134
Importing Configurations from an Excel File, 41
importing networks and network sets from an Excel file, 53
inactivity timer
    ETEP, 127
in-line management
    appliance upgrade considerations, 92
installation
    appliance software upgrades, 91
interface configuration
    ETEP,
IP policies, 58

L
Layer 2
    mesh policy options, 65
    point-to-point policy example, 79
    point-to-point policy options, 66
Layer 3
    common policy options, 67
    hub and spoke policy options, 69
    mesh policy options, 71
    multicast policy options, 72
    point-to-point policy options,
Layer 4
    adding a new Layer 4 policy, 72
    encapsulation method, 60
    multicast policy addressing mode override, 68
    payload encryption policy, 61
license
    EncrypTight Manager, 28
    ETEP, 28
    upgrading, 28
link speed configuration
    PEP, 108
loading software updates, 92
local port configuration
    ETEP,
logging configuration
    ETEP,

M
management port configuration
    auto-negotiation, 108
    ETEP, 105
    NAT, 106
MD5, 61
Message Digest #5, 61
minimize policy size, 63

N
naming the appliance
    ETEP, 104
NAT on the ETEP management port, configuring, 106
negotiated key topology, 16
negotiated point-to-point policy, 16
network
    adding, 43
    addressing methods, 52
    deleting, 47
    grouping into supernets, 44
    importing from an Excel file, 53
    modifying, 46
    using non-contiguous network masks, 45
network masks, non-contiguous, 45
network set, 49
    adding, 51
    addressing mode, 61
    deleting, 54
    importing from an Excel file, 53
    modifying, 54
network topology
    for distributed key policies
        hub and spoke, 14
        mesh, 14
        multicast, 14
        point to point, 14
    for negotiated policies, 16
non-contiguous network masks, using in network sets, 45
non-ip traffic handling, configuring on the ETEP, 126

O
OCSP
    about, 168
    enabling in ETEPs, 170
    enabling in EncrypTight Manager, 169

P
password
    configuring the ETEP password strength policy, 127
    default password conventions on the ETEP, 130
    setting on ETEPs, 132
    strong password conventions on the ETEP, 130
payload only encryption, 61
PEP
    adding new PEPs and using strict authentication, 155
    overview, 15
PEPs
    adding new PEPs, 33
    applying configurations, 34
    comparing configurations, 36
    configuration for EncrypTight, 33
    configuration status, 35
    configuration templates, 40
    customizing the PEPs view, 37
    rebooting, 39
    status, 34
PMTU configuration
    ETEP, 126
point-to-point policy
    Layer 2 example, 79
policies
    See also policy management
    EncrypTight Manager
        distributed key policies overview, 13
    ETEP
        clearing policies on the ETEP, 138
        setting L2 or L3 encryption, 138
policies description, 57
policy
    concepts, 57
    creating, 65
policy constraint extension, 158
Policy Enforcement Point, see PEP
policy management
    activating policies, 73
    cancelling a deployment task, 74
    copying policies, 75
    creating policies, 65
    deleting policies, 78
    deploying policies, 74
    editing policies, 76
    encapsulation method, 60
    encrypt all policy with exceptions, creating, 62
    encryption algorithms, 60
    encryption methods, 59
    Layer 2
        mesh policy options, 65
        point-to-point policy options, 66
    Layer 2 Ethernet policies, overview, 58
    Layer 3
        common policy options, 67
        hub and spoke policy options, 69
        mesh policy options, 71
        multicast policy options, 72
        point-to-point policy options, 70
    Layer 3 IP policies, overview, 58
    Layer 4 payload encryption, 61
    Layer 4 policy, creating, 72
    lifetime, defining, 59
    minimizing policy size, 63
    priority, setting, 58
    rekey interval, defining, 59
    rekeying policies, 74
    scheduling rekey interval and policy lifetime refresh, 59
    validating policies, 77
policy management with MAP
    policy design examples, 82
port configuration, See interface configuration
preferences
    certificate policy extensions, 157
    certificate requests, 165
priority, for policy processing, 58
pushing software updates to appliances, 92

R
reassembling fragmented packets, ETEP, 113
reboot after a software upgrade, 93
rebooting a PEP, 39
refresh policy lifetime, 59
rekey policies, 74
remote port configuration
    ETEP, 109??
renew keys, scheduling, 59
restoring appliance software from a backup copy, 96

S
scheduling renew keys and refreshing lifetime, 59
Secure Hash Algorithm, 61
SHA-1, 61
shared key example, 15
shutdown procedure for ETEPs, 42
SNMP configuration
    ETEP,
SNMPv3
    configuration concepts, 119
    engine ID
        generating, 120
        viewing and exporting, 120
    trap host users, 121
SNTP configuration
    ETEP, 133
    for EncrypTight PEPs, 33
software updates
    appliance software
        checking status, 95
        logging upgrade status, 123
        overview, 91
        staging upgrades, 94
ssh
    enabling and disabling on the ETEP, 128
status
    automatic refresh, controlling, 36
strict authentication
    See also certificates
    about, 154
    adding new PEPs, 155
    CRLs, 166
    disabling, 171
    enabling, 170
    OCSP, 168
    TLS with encryption and, 154
supernetting, 44
syslog
    configuring on the ETEP, 124
syslog server,

T
technical support, 12
templates, 40
throughput
    configuring on ETEPs, 104
    licensed ETEP speeds, 27
TLS passing in the clear, ETEP, 135
Tools menu commands
    Appliance Users, 131
topologies
    distributed key Ethernet, 57
    distributed key IP, 58
transmitter behavior configuration
    ETEP, 111
transparent mode operation on the ETEP
    enabling and disabling, 109
    local and remote port IP addressing, 110
Transport Layer Security (TLS), 17
    See also TLS
Triple Data Encryption Standard, 60
troubleshooting
    clearing policies on the ETEP, 138
trusted hosts
    configuring on ETEPs, 114
    EncrypTight
        configuring on the ETEP, 135

U
upgrading appliance software, 92
    checking status, 95
    concurrency limit, 95
    staging appliance upgrades, 94
user accounts
    ETEP
        adding a ETEP user, 132
        deleting ETEP users, 133
        password enforcement policy, 129
        user name conventions, 129
        viewing users, 133
    PEP
        PEP user roles, 128
    EncrypTight Manager
        adding, 144
        changing passwords, 145
        deleting, 145
        modifying, 145
        name and password conventions, 144
        overview, 143
user roles
    ETEP roles, 128
    EncrypTight Manager roles, 143

V
validating policies, 77
View menu commands
    Appliance Users, 133
virtual IP address for network sets, 52
virtual IP addresses, using in policies, 109
VLAN ID, 55
    adding, 55
    deleting, 56
    editing, 56
VLAN tagging, 134

Black Box Tech Support: FREE! Live. 24/7.

Tech support the way it should be. Great tech support is just 30 seconds away at or blackbox.com.

About Black Box

Black Box Network Services is your source for an extensive range of networking and infrastructure products. You'll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches, all supported by free, live 24/7 Tech support available in 30 seconds or less.

Copyright All rights reserved. Black Box and the Double Diamond logo are registered trademarks, and EncrypTight is a trademark, of BB Technologies, Inc. Any third-party trademarks appearing in this manual are acknowledged to be the property of their respective owners.

ET0010A User Guide, version
blackbox.com


More information

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1 Using the VMware vcenter Orchestrator Client vrealize Orchestrator 5.5.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Getting Started with Prime Network

Getting Started with Prime Network CHAPTER 1 These topics provide some basic steps for getting started with Prime Network, such as how to set up the system and the basic parts of the Prime Network Administration GUI client. Basic Steps

More information

User s Manual. Version 5

User s Manual. Version 5 User s Manual Version 5 Copyright 2017 Safeway. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language,

More information

Using the VMware vrealize Orchestrator Client

Using the VMware vrealize Orchestrator Client Using the VMware vrealize Orchestrator Client vrealize Orchestrator 7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Configuring Cisco TelePresence Manager

Configuring Cisco TelePresence Manager CHAPTER 3 Revised: November 27, 2006, First Published: November 27, 2006 Contents Introduction, page 3-1 System Configuration Tasks, page 3-2 Security Settings, page 3-3 Database, page 3-4 Room Phone UI,

More information

Configuration Manager

Configuration Manager CHAPTER 7 This chapter describes how to perform routine Cisco VXC Manager configuration management tasks using the Administrator Console. It provides information on managing the configuration settings

More information

Cisco TelePresence VCS Cluster Creation and Maintenance

Cisco TelePresence VCS Cluster Creation and Maintenance Cisco TelePresence VCS Cluster Creation and Maintenance Deployment Guide Cisco VCS X8.5 Cisco TMS 13.2 or later December 2014 Contents Introduction 4 Prerequisites 5 Upgrading an X7.1 or later cluster

More information

ZENworks 2017 Audit Management Reference. December 2016

ZENworks 2017 Audit Management Reference. December 2016 ZENworks 2017 Audit Management Reference December 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights,

More information

Overview of the Cisco NCS Command-Line Interface

Overview of the Cisco NCS Command-Line Interface CHAPTER 1 Overview of the Cisco NCS -Line Interface This chapter provides an overview of how to access the Cisco Prime Network Control System (NCS) command-line interface (CLI), the different command modes,

More information

Tenant Administration. vrealize Automation 6.2

Tenant Administration. vrealize Automation 6.2 vrealize Automation 6.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to

More information

Wireless Access Point

Wireless Access Point 802.11g / 802.11b / WPA Wireless Access Point User's Guide TABLE OF CONTENTS CHAPTER 1 INTRODUCTION... 1 Features of your Wireless Access Point... 1 Package Contents... 4 Physical Details... 4 CHAPTER

More information

Cisco Unified Operating System Administration Web Interface for Cisco Emergency Responder

Cisco Unified Operating System Administration Web Interface for Cisco Emergency Responder Cisco Unified Operating System Administration Web Interface for Cisco Emergency Responder These topics describe the Cisco Unified Operating System (OS) Administration web interface for Cisco Emergency

More information

BIG-IQ Centralized Management: ADC. Version 5.0

BIG-IQ Centralized Management: ADC. Version 5.0 BIG-IQ Centralized Management: ADC Version 5.0 Table of Contents Table of Contents BIG-IQ Application Delivery Controller: Overview...5 What is Application Delivery Controller?...5 Managing Device Resources...7

More information

OmniVista 3.5 Discovery Help

OmniVista 3.5 Discovery Help Using Discovery Open the Discovery application by clicking Discovery in the Task Bar, selecting Discovery from the Applications menu, or by clicking the Discovery icon in the Topology Toolbar. The Discovery

More information

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01 CloudLink SecureVM Version 4.0 Administration Guide P/N 302-002-056 REV 01 Copyright 2015 EMC Corporation. All rights reserved. Published June 2015 EMC believes the information in this publication is accurate

More information

Smart Install in LMS CHAPTER

Smart Install in LMS CHAPTER CHAPTER 6 Smart Install (SI) is a plug-and-play configuration and image management feature that provides zero-touch deployment for new switches. You can configure SI on a switch which will then be the

More information

Cisco TelePresence Conductor with Cisco Unified Communications Manager

Cisco TelePresence Conductor with Cisco Unified Communications Manager Cisco TelePresence Conductor with Cisco Unified Communications Manager Deployment Guide XC2.2 Unified CM 8.6.2 and 9.x D14998.09 Revised March 2014 Contents Introduction 4 About this document 4 Further

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, page 1 The User

More information

Vidyo Server for WebRTC. Administrator Guide

Vidyo Server for WebRTC. Administrator Guide Vidyo Server for WebRTC Administrator Guide Product Version 3.2 Document Version A April, 2016 TABLE OF CONTENTS Overview... 1 Understanding the Configuration Procedure... 1 1. Using Vidyo Server for WebRTC

More information

Calendar & Buttons Dashboard Menu Features My Profile My Favorites Watch List Adding a New Request...

Calendar & Buttons Dashboard Menu Features My Profile My Favorites Watch List Adding a New Request... remitview User Guide 1 TABLE OF CONTENTS INTRODUCTION... 3 Calendar & Buttons... 3 GETTING STARTED.... 5 Dashboard.... 7 Menu Features... 8 PROFILE.... 10 My Profile... 10 My Favorites... 12 Watch List...

More information

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Version 1.0 Note Before using this information and the product it supports, read the information in Appendix A Notices on

More information

Configuring and Managing the IP Camera

Configuring and Managing the IP Camera CHAPTER 3 The Cisco Video Surveillance IP Camera provides configuration windows that you use to configure and manage the IP camera. This chapter explains how to access the configuration windows, describes

More information

Manage Administrators and Admin Access Policies

Manage Administrators and Admin Access Policies Manage Administrators and Admin Access Policies Role-Based Access Control, on page 1 Cisco ISE Administrators, on page 1 Cisco ISE Administrator Groups, on page 3 Administrative Access to Cisco ISE, on

More information

Add and Organize Devices

Add and Organize Devices This chapter contains the following topics: Add Devices to Prime Infrastructure, on page 1 Import Devices from Another Source, on page 7 Create Device Import CSV Files, on page 7 Add Devices Manually (New

More information

Branch Repeater :51:35 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Branch Repeater :51:35 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Branch Repeater 6.0 2013-07-22 14:51:35 UTC 2013 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Branch Repeater 6.0... 3 Branch Repeater 6.0... 4 Release Notes

More information

Managing Configurations

Managing Configurations CHAPTER 3 The Configurations page is your starting point for managing device configurations for network elements managed by Cisco Prime Network by using the CM tools. The following table lists the main

More information

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418 This chapter describes how to maintain the configuration and firmware, reboot or reset the security appliance, manage the security license and digital certificates, and configure other features to help

More information

BIG-IP TMOS : Implementations. Version

BIG-IP TMOS : Implementations. Version BIG-IP TMOS : Implementations Version 11.5.1 Table of Contents Table of Contents Customizing the BIG-IP Dashboard...13 Overview: BIG-IP dashboard customization...13 Customizing the BIG-IP dashboard...13

More information

GSS Administration and Troubleshooting

GSS Administration and Troubleshooting CHAPTER 9 GSS Administration and Troubleshooting This chapter covers the procedures necessary to properly manage and maintain your GSSM and GSS devices, including login security, software upgrades, GSSM

More information

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver LevelOne FBR-1416 1W, 4L 10/100 Mbps ADSL Router User s Manual Ver 1.00-0510 Table of Contents CHAPTER 1 INTRODUCTION... 1 FBR-1416 Features... 1 Package Contents... 3 Physical Details... 3 CHAPTER 2

More information

Onboard Devices with Network Plug and Play

Onboard Devices with Network Plug and Play About Network Plug and Play, on page 1 Network Plug and Play Use Cases, on page 3 Manage Plug and Play Devices, on page 4 Manage Plug and Play Workflows, on page 11 Manage Plug and Play Settings, on page

More information

Net-Net EMS Quick Start Guide Release Version and 9000

Net-Net EMS Quick Start Guide Release Version and 9000 Net-Net EMS Quick Start Guide Release Version 6.0 4000 and 9000 Acme Packet, Inc. 71 Third Avenue Burlington, MA 01803 USA t 781-328-4400 f 781-425-5077 www.acmepacket.com Last updated: July 16, 2008 Document

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

LevelOne. User Manual. WAP Mbps PoE Wireless AP V3.0.0

LevelOne. User Manual. WAP Mbps PoE Wireless AP V3.0.0 LevelOne WAP-0005 108Mbps PoE Wireless AP User Manual V3.0.0 i TABLE OF CONTENTS CHAPTER 1 INTRODUCTION... 1 FIGURE 1: WIRELESS ACCESS POINT... 1 FEATURES OF YOUR WIRELESS ACCESS POINT... 1 Security Features...

More information

User s Guide [Network Administrator]

User s Guide [Network Administrator] User s Guide [Network Administrator] Table of contents 1 Introduction 1.1 Welcome... 1-2 1.1.1 User's guides... 1-2 1.1.2 User's Guide... 1-2 1.2 Conventions used in this manual... 1-3 1.2.1 Symbols used

More information

CHAPTER 7 ADVANCED ADMINISTRATION PC

CHAPTER 7 ADVANCED ADMINISTRATION PC ii Table of Contents CHAPTER 1 INTRODUCTION... 1 Broadband ADSL Router Features... 1 Package Contents... 3 Physical Details... 4 CHAPTER 2 INSTALLATION... 6 Requirements... 6 Procedure... 6 CHAPTER 3 SETUP...

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

NSX-T Data Center Migration Coordinator Guide. 5 APR 2019 VMware NSX-T Data Center 2.4

NSX-T Data Center Migration Coordinator Guide. 5 APR 2019 VMware NSX-T Data Center 2.4 NSX-T Data Center Migration Coordinator Guide 5 APR 2019 VMware NSX-T Data Center 2.4 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you

More information

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.2

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.2 Wavelink Avalanche Mobility Center Java Console User Guide Version 5.2 Revised 27/09/2011 ii Copyright 2011 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5 vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

HT801/HT802 Firmware Release Note IMPORTANT UPGRADING NOTE

HT801/HT802 Firmware Release Note IMPORTANT UPGRADING NOTE HT801/HT802 Firmware Release Note IMPORTANT UPGRADING NOTE Once HT801/HT802 is upgraded to 1.0.3.2 or above, downgrading to 1.0.2.x firmware version or lower is not supported. Once HT801/HT802 is upgraded

More information

Dell Storage Compellent Integration Tools for VMware

Dell Storage Compellent Integration Tools for VMware Dell Storage Compellent Integration Tools for VMware Version 4.0 Administrator s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your

More information

KYOCERA Net Viewer User Guide

KYOCERA Net Viewer User Guide KYOCERA Net Viewer User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Cisco Expressway Cluster Creation and Maintenance

Cisco Expressway Cluster Creation and Maintenance Cisco Expressway Cluster Creation and Maintenance Deployment Guide Cisco Expressway X8.6 July 2015 Contents Introduction 4 Prerequisites 5 Upgrading an X8.n cluster to X8.6 6 Prerequisites 6 Upgrade Expressway

More information

Table of Contents DevOps Administrators

Table of Contents DevOps Administrators DevOps Administrators Table of Contents DevOps Administrators Overview for DevOps Admins Managing Images, Projects, Users Configure a Registry Create Users Assign the Administrator Role Create a Project

More information

Available Commands CHAPTER

Available Commands CHAPTER CHAPTER 2 This chapter contains the Cisco IPS 6.2 commands listed in alphabetical order. It contains the following sections:. anomaly-detection load, page 2-4 anomaly-detection save, page 2-5 banner login,

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Implementing Infoblox Data Connector 2.0

Implementing Infoblox Data Connector 2.0 DEPLOYMENT GUIDE Implementing Infoblox Data Connector 2.0 2017 Infoblox Inc. All rights reserved. Implementing Infoblox Data Connector, July 2017 Page 1 of 31 Contents Overview... 3 Prerequisites... 3

More information

Platform Settings for Classic Devices

Platform Settings for Classic Devices The following topics explain Firepower platform settings and how to configure them on Classic devices: Introduction to Firepower Platform Settings, page 1 Configuring Firepower Platform Settings, page

More information

Using ANM With Virtual Data Centers

Using ANM With Virtual Data Centers APPENDIXB Date: 3/8/10 This appendix describes how to integrate ANM with VMware vcenter Server, which is a third-party product for creating and managing virtual data centers. Using VMware vsphere Client,

More information

Dell Storage Integration Tools for VMware

Dell Storage Integration Tools for VMware Dell Storage Integration Tools for VMware Version 4.1 Administrator s Guide Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION:

More information

American Dynamics RAID Storage System iscsi Software User s Manual

American Dynamics RAID Storage System iscsi Software User s Manual American Dynamics RAID Storage System iscsi Software User s Manual Release v2.0 April 2006 # /tmp/hello Hello, World! 3 + 4 = 7 How to Contact American Dynamics American Dynamics (800) 507-6268 or (561)

More information

VIP-102B IP Solutions Setup Tool Reference Manual

VIP-102B IP Solutions Setup Tool Reference Manual VIP-102B IP Solutions Setup Tool Reference Manual Version 6.3.0.0 For latest updates to this manual please check our website at: http://www.valcom.com/vipsetuptool/default.htm then click on Reference Manual

More information

Forescout. Plugin. Configuration Guide. Version 2.2.4

Forescout. Plugin. Configuration Guide. Version 2.2.4 Forescout Core Extensions Module: External Classifier Plugin Version 2.2.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices:

System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices: The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices: Introduction to, page 2 Appliance Information, page 5 Custom HTTPS Certificates,

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Network Performance Analysis System. User Guide

Network Performance Analysis System. User Guide Network Performance Analysis System User Guide Copyrig ht Copyright 2018 Colasoft. All rights reserved. Information in this document is subject to change without notice. No part of this document may be

More information

Style Report Enterprise Edition

Style Report Enterprise Edition INTRODUCTION Style Report Enterprise Edition Welcome to Style Report Enterprise Edition! Style Report is a report design and interactive analysis package that allows you to explore, analyze, monitor, report,

More information

Introducing Cisco IPICS

Introducing Cisco IPICS CHAPTER1 The Cisco IP Interoperability and Collaboration System (Cisco IPICS) provides voice interoperability among disparate systems. It offers an IP standards-based solution that interconnects voice

More information

Silver Peak EC-V and Microsoft Azure Deployment Guide

Silver Peak EC-V and Microsoft Azure Deployment Guide Silver Peak EC-V and Microsoft Azure Deployment Guide How to deploy an EC-V in Microsoft Azure 201422-001 Rev. A September 2018 2 Table of Contents Table of Contents 3 Copyright and Trademarks 5 Support

More information

Using the Resource Manager Configuration Tool

Using the Resource Manager Configuration Tool CHAPTER 14 During initial installation of Cisco Unified Videoconferencing Manager, defined network environment settings and other configurable elements, such as page length and meeting identifiers, are

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.8 April 2017 Last modified: July 17, 2017 2017 Nasuni Corporation All Rights Reserved Document Information Testing Disaster

More information

ForeScout CounterACT. Single CounterACT Appliance. Quick Installation Guide. Version 8.0

ForeScout CounterACT. Single CounterACT Appliance. Quick Installation Guide. Version 8.0 ForeScout CounterACT Single CounterACT Appliance Version 8.0 Table of Contents Welcome to CounterACT Version 8.0... 4 CounterACT Package Contents... 4 Overview... 5 1. Create a Deployment Plan... 6 Decide

More information

Finding Support Information for Platforms and Cisco IOS Software Images

Finding Support Information for Platforms and Cisco IOS Software Images First Published: June 19, 2006 Last Updated: June 19, 2006 The Cisco Networking Services () feature is a collection of services that can provide remote event-driven configuring of Cisco IOS networking

More information

Managing CX Devices in Multiple Device Mode

Managing CX Devices in Multiple Device Mode Tip Device inventory management applies to PRSM in Multiple Device mode only. If you are configuring a CX device through a direct connection to the device, you do not need to add the device to the inventory

More information

Accessing Data from the Web Interface

Accessing Data from the Web Interface 5 CHAPTER This chapter provides information about accessing Prime Performance Manager data from Prime Performance Manager web interface. This chapter contains: Supported Browsers, page 5-1 Accessing Prime

More information

SonicOS Release Notes

SonicOS Release Notes SonicOS Contents Platform Compatibility... 1 Known Issues... 2 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 5 Related Technical Documentation... 10 Platform Compatibility The SonicOS

More information

HPE Intelligent Management Center

HPE Intelligent Management Center HPE Intelligent Management Center Service Health Manager Administrator Guide Abstract This guide provides introductory, configuration, and usage information for Service Health Manager (SHM). It is for

More information

Working with Nodes. Managing Nodes CHAPTER

Working with Nodes. Managing Nodes CHAPTER CHAPTER 2 Nodes are the devices that perform the actual application-oriented networking in an AON environment. Nodes are primarily managed by AMC, but they also have a command-line interface (CLI) through

More information

MAGNUM-SDVN Security Administration Manual

MAGNUM-SDVN Security Administration Manual MAGNUM-SDVN Security Administration Manual Revision 19: November 21, 2017 Contents Overview... 3 Administrative Access... 4 Logging Into Terminal Locally... 4 Logging Out Of Local Terminal... 4 Logging

More information

WhatsConfigured for WhatsUp Gold 2016 User Guide

WhatsConfigured for WhatsUp Gold 2016 User Guide WhatsConfigured for WhatsUp Gold 2016 User Guide Contents Welcome to WhatsConfigured 1 What is WhatsConfigured? 1 Finding more information and updates 1 Sending feedback 2 Deploying WhatsConfigured 3 STEP

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.3 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.3-111215-01-1215

More information

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev.

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev. Management Software AT-S79 User s Guide For use with the AT-GS950/16 and AT-GS950/24 Smart Switches Version 1.0.0 613-000207 Rev. A Copyright 2005 Allied Telesyn, Inc. All rights reserved. No part of this

More information

SmartPath EMS VMA Virtual Appliance Quick Start Guide

SmartPath EMS VMA Virtual Appliance Quick Start Guide LWN600VMA SmartPath Enterprise Wireless System Virtual Appliance SmartPath EMS VMA Virtual Appliance Quick Start Guide Provides the speed, range, security, adapability, and manageability to replace wired

More information

Administering isupport

Administering isupport Administering isupport Tracking and Monitoring isupport Usage Agents perform tasks in the background that are an integral part of isupport functionality. See Enabling and Scheduling Agents on page 2 for

More information

NSX-T Upgrade Guide. VMware NSX-T 2.0

NSX-T Upgrade Guide. VMware NSX-T 2.0 VMware NSX-T 2.0 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to docfeedback@vmware.com

More information

User Management: Configuring User Roles and Local Users

User Management: Configuring User Roles and Local Users 6 CHAPTER User Management: Configuring User Roles and Local Users This chapter describes the following topics: Overview, page 6-1 Create User Roles, page 6-2 Create Local User Accounts, page 6-15 For details

More information

VMware Mirage Getting Started Guide

VMware Mirage Getting Started Guide Mirage 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Performing Administrative Tasks

Performing Administrative Tasks CHAPTER 15 The Administration enables you to schedule tasks, administer accounts, and configure local and external authentication and authorization. Also, set logging options, configure mail servers, and

More information

Deploy the ExtraHop Trace Appliance with VMware

Deploy the ExtraHop Trace Appliance with VMware Deploy the ExtraHop Trace Appliance with VMware Published: 2018-12-14 This guide explains how to deploy the virtual ExtraHop Trace appliances (ETA 1150v and ETA 6150v) on the VMware ESXi/ESX platform.

More information

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Table of Contents Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Configure System Settings Add Cloud Administrators Add Viewers, Developers, or DevOps Administrators

More information