advertisement
▼
Scroll to page 2
of 33
VSU-100 VPNware Service Unit User Guide VPNet Technologies, Inc. Licenses, Warranties, Copyrights, and Trademarks THE SPECIFICATIONS REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. LIMITED WARRANTY Hardware. VPNet Technologies, Inc. (“VPNet”) warrants that for a period of one (1) year from the date of shipment from VPNet that the Hardware will be free from defects in material and workmanship under normal use. This limited warranty extends only to Customer as the original purchaser. Customer’s exclusive remedy and the entire liability of VPNet and its suppliers under this limited warranty will be, at VPNet or its service center's option, repair or replacement within ten (10) business days or refund of the Hardware if returned to the party supplying the Hardware to Customer, freight and insurance prepaid. VPNet replacement parts used in Hardware repair may be new or equivalent to new. Restrictions. This warranty does not apply if the product (a) has been altered, except by VPNet (b) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by VPNet, (c) has been subjected to abnormal physical or electrical stress, misuse, negligence, or accident, or (d) is used in ultrahazardous activities. DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. IN NO EVENT WILL VPNET OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR DATA, OR FOR SPECIAL INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE PRODUCT EVEN IF VPNET OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall VPNet's or its suppliers’ liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. VSU-100 User Guide The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. BMSI (Chinese Warning Label) Hardware, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import hardware. VSU, VPNmanager, VPNremote, VPLink, VPNos, and VPNet are trademarks belonging to VPNet Technologies, Inc. MD5 Message Digest Algorithm copyright RSA Data Security, Inc. All other product names mentioned in this manual are trademarks or registered trademarks of their respective manufacturers. VSU-100 VPN Service Units User Guide Copyright 2001 VPNet Technologies, Inc. All rights reserved. Printed in USA. January 2001 P/N 09-0041-02 VSU-100 User Guide VSU-100 User Guide Table of Contents Preface How This Guide Is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i Product Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i Contacting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i Chapter 1 Introduction Functional Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 VSU-100 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3 General Site Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Chapter 2 Installing the VSU-100 Connecting the VSU-100 to the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Chapter 3 Preparing the VSU-100 for Configuration Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FIPS Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . General Firmware Upgrade Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . APPENDIX A Specifications Glossary VSU Acronyms 3-1 3-1 3-8 3-8 VSU-100 User Guide Preface This user guide provides installation and configuration information for the VSU-100 VPN Service Unit (VSU). How This Guide Is Organized Chapter 1, Introduction, includes a functional overview of the VSU-100 and its major components along with site requirements for safe installation and operation of the VSU-100. Chapter 2, Installing the VSU-100, provides instructions for physical installation, including placement and connection to the network. Chapter 3, Preparing the VSU-100 for Configuration, provides instructions for setting up VSU-100 addressing and enabling remote connectivity for using the VPNmanager. Appendix A, Specifications, documents physical, environmental, electrical, and compliance specifications, as well as additional features. Product Registration To register the VSU-100, navigate to http://www.vpnet.com on the World Wide Web. Contacting Technical Support Technical support is available to registered users of the VSU-100. • Voice: 1-888-VPNET-88 (within U.S.) or +1 408-404-1400 (outside U.S.) i VSU-100 User Guide • FAX: +1 408-404-1414 • Email: [email protected] • World Wide Web: http://www.vpnet.com ii Chapter 1 Introduction Functional Overview The VSU-100 is a dedicated hardware-based VPN gateway that enables secure data communications over public IP networks such as the Internet for a small enterprise or small office environment. Designed to work with an existing IP-based WAN-access router, the VSU-100 provides all the services required to implement a virtual private network (VPN), including a network firewall, in one compact desktop enclosure. The VSU-100 comes in two models: • VSU-100 (site-to-site only) • VSU-100R (site-to-site and supports VPNremote remote client access) Figure 1-1 Introduction The VSU-100 1-1 VSU-100 User Guide The VSU-100R adds remote access support for remote clients running VPNremote™ client software on their PCs. Both units support up to 100 conncurrent IPSec sessions. Each has its own version of embedded operating system, VPNos. The VSU-100 VPNos can be field upgraded (optional) to the VSU-100R. Like other platforms in the VPNware family, the VSU-100 adds encryption, compression, authentication, and key management to public network data links to ensure privacy and integrity of corporate data over public IP networks, and to enable the efficient and secure operation of virtual private networks (VPNs). It is designed to perform complex operations, in real-time, without compromising network performance, and in many cases can actually increase data throughput. The VSU-100 supports a full suite of VPN services including: ICSA-certified IPSec-based encryption, data compression, packet and user authentication, IKE and SKIP key management, Network Address Translation (NAT), routing, and packet filtering. Security The VSU-100 provides data stream privacy by employing cryptographic algorithms and keys powerful enough for the most sensitive business communications. It supports 56-bit DES and 168-bit Triple DES encryption, as well as the ISAKMP and SKIP key management standards. The VSU-100 is able to change keys frequently during transmission. Data authenticity is assured by using MD5™ or SHA-1 hashing to reject altered or forged packets. All security mechanisms employed by the VSU-100 conform to IPSec standards, in order to provide interoperability and broaden the use of VPN technology. Performance The VSU-100 supports IP over 10BASE-T or 100BASE-T local area networks (LANs). Up to 100 concurrent site-tosite IPSec sessions are supported. When packets are encrypted and authenticated according to IPSec protocol guidelines, additional bytes—in the form of IPSec headers—must be added to packets. In many cases, the additional packet overhead imposes a performance penalty in return for security. The extra bytes may lengthen packets and reduce the throughput (measured in packets per second). Of even greater impact is the tendency for packets lengthened by IPSec headers to be fragmented by network routers, causing further reductions in performance and additional latency. Real- 1-2 Introduction VSU-100 User Guide time compression performed by the VSU-100 eliminates packet fragmentation and produces fewer, smaller packets, which can significantly enhance network throughput and performance. Plug-and-Play Installation The VSU-100 can be placed in a variety of configurations on a 10/100BASE-T LAN to provide VPN functionality. Native support for IP ensures that the VSU-100 interoperates transparently with the broadest range of intranet and other network applications. The graphical VPNmanager™ (available separately) network management application steps network managers through the configuration process and allows them to create a VPN in minutes. The VPNmanager also supports extensive facilities for VPN monitoring and troubleshooting, and for establishing multicompany extranets. The VSU-100 provides support for RADIUS servers, enabling VPNs that support hundreds of remote users and a variety of mechanisms for remote user authentication. VSU-100 Components Each of the major VSU-100 components are shown in Figure 1-2. Private Port Console Port Figure 1-2 Public Port Ethernet Ports Status Indicators DC Power Connector VSU-100 Front Panel Ethernet Ports The VSU-100 includes two 10/100BASE-T Ethernet interfaces for a public (encrypted) and private (unencrypted) interface port. Introduction 1-3 VSU-100 User Guide NOTE: The VSU-100 is enclosed in a FIPS 140-1 compliant tamper-evident case and may be opened only by an authorized service technician. The status indication of the LEDs on each of the two Ethernet ports are shown in Figure 1-3 below: Activity ON = Full Duplex OFF = Half Duplex ON = 100 Mbps Connection OFF = 10 Mbps Connection Link Figure 1-3 Ethernet Port Status Indicators General Site Requirements This section describes the requirements your site must meet for safe installation and operation of your system. Ensure that your site is properly prepared before beginning installation. Environmental Requirements The VSU-100 is intended for use in a normal office environment. For more extreme conditions, verify that temperature, humidity, and power conditions meet the specifications indicated in Table 1-1. Table 1-1 Environmental Requirements Item Operating Specification Temperature 32° to 104° F, 0° to 40°C Relative Humidity 5-90%, non-condensing Altitude 0-12,000 feet, 0-3,660 meters Voltage 100-240 VAC Input Frequency 47-63 Hz AC input current 0.7 Amp Additional VSU-100 specifications are included in Appendix A. 1-4 Introduction VSU-100 User Guide Site Power Considerations Check the power at your site to ensure that you are receiving “clean” power (free of spikes and noise). Install a power conditioner if necessary. WARNING: This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15A U.S. (240 VAC, 10A international) is used on the phase conductor (all current-carrying conductors). Required Equipment The VSU-100 shipping carton should contain: Quantity Part Description 1 VSU-100 VPN Service Unit 1 VSU-100 VPN Service Unit User Guide 1 Null Modem Cable 1 UTP Crossover Cable 1 VSU-100 DC Power Supply 1 Power cord (110V) or Power cord (230V) 4 Rubber feet for desktop installations 1 VSU-100 Firmware diskette To install and use the VSU-100 in a typical network, the customer must already have or supply: • Router providing connectivity to a WAN such as the Internet • 10/100BASE-T Ethernet hub, router, or switch providing connectivity to the office LAN • CAT 3, 4, or 5 UTP cable to interconnect router, VSU-100, and hub(s) • An asynchronous ASCII terminal supporting RS-232 or a PC running terminal emulation software to provide initial IP configuration (IP address, subnet mask, default router) • PC workstation to run VPNmanager network management application Introduction 1-5 VSU-100 User Guide 1-6 Introduction Chapter 2 Installing the VSU-100 This chapter provides instructions for Connecting the VSU-100 to the Network. Connecting the VSU-100 to the Network Figure 2-1 shows a typical network using the VSU-100. Figure 2-1 Installing the VSU-100 Router Public Port VSU-100 Private LAN Hub, Switch, Router Private Port Public Network Typical VSU-100 Hardware Installation 2-1 VSU-100 User Guide The VSU-100 rear panel is shown in Figure 2-2. Connect Cable between the VSU-100 Public Port and the Router Connect Cable between the VSU-100 Private Port and the Private LAN Figure 2-2 VSU-100 Frontpanel Connectors The console port accepts a female RS-232 DB-9 connection from an asynchronous ASCII terminal or a PC running terminal emulation software. The connection requires a null modem cable, (supplied) and is used to assign IP network configuration. The communication settings for a terminal or PC connected to the console port are provided in Table 2-1. Table 2-1 Terminal Settings Parameter Setting Baud 9600 Data Bits 8 Stop bits 1 Parity No Flow control Hardware (RTS/CTS) The Public port provides an interface to the public network, while the Private port provides an interface to the private network. 2-2 Installing the VSU-100 VSU-100 User Guide Both Ethernet ports are 10/100BASE-T ports. They accept category 3, 4, or 5 UTP cabling terminated in an RJ-45 connector per IEEE 802.3 requirements for 10/100BASE-T. Perform the following steps to install the VSU-100 in a typical LAN: 1. Connect the VSU-100 Public port to the public side of the LAN. 2. Connect the VSU-100 Private port to the private side of the LAN. 3. Connect an asynchronous ASCII terminal or PC running terminal emulation software to the VSU-100 console port using the RS-232 null modem cable which came with the VSU-100. The terminal’s communications parameters should be set to 9600 baud, 8 data bits, 1 stop bit, no parity, and RTS/CTS hardware flow control. 4. Connect the DC power cable from the power supply to the VSU-100, then plug in the AC power cable into an outlet. Proceed to Chapter 3, Preparing the VSU-100 for Configuration. Figure 2-3 Installing the VSU-100 Connecting the DC Power Supply to the VSU-100 2-3 VSU-100 User Guide 2-4 Installing the VSU-100 Chapter 3 Preparing the VSU-100 for Configuration Preparation Before the VSU-100 can be incorporated into a Virtual Private Network (VPN), it must be configured through the VPNmanager. However, to enable communication between the VPNmanager and the VSU-100, you must first assign an IP address, subnet mask, and default route to the VSU-100. This chapter describes how to set up the VSU-100 addressing and remote connectivity capabilities in preparation for remote configuration using the VPNmanager software. This preliminary configuration is performed using a terminal (or a PC running terminal emulation software) connected to the RS-232 console port. The following procedure assumes that the VSU-100 has been physically installed on the network, according to the instructions provided in Chapter 2 Configuration Beginning with VPNware 3.1, the following information is configured through the VSU console Quick Setup: • The VSU’s IP address and mask. • The VSU’s secondary IP address and mask (Optional). • The VSU’s default route. • The VSU console password. Beginning with VPNware 3.1, if you forget this password and need console access, it can be changed through the VPNmanager’s Configuration console. Select the VSU Advanced Action tab, then the Reset Password dialog box. Preparing the VSU-100 for Configuration 3-1 VSU-100 User Guide • The SuperUser name. This is the name that is authorized to perform any kind of configuration request on a VSU. This name is provided by the VPNmanager administrator the first time the VSU is added into the VPNmanager database. The SuperUser name is case sensitive. • The SuperUser password. This password authenticates the SuperUser name. The SuperUser password is case sensitive. If the VPN administrator forgets the SuperUser password, the VSU may still be reconfigured through the VSU console Quick Setup menu as long the administrator has access to the VSU console and knows the VSU console password. • Configuration of blocking mode. This involves selecting one of three filtering choices according to your organization’s security policy: Permit all non-VPN traffic - When checked (default), all non VPN traffic is allowed to pass through the VSU. Deny all IP non-VPN traffic - When checked, all non-IP traffic is passed through the VSU. All non-VPN IP traffic is dropped except for the following: ICMP, IGMP, GGP, EGP, IGP, DGP, EIGRP, and OSPF. NOTE: This mode should be used when the VSU dedicated to VPN traffic and is the only device between the private and the public networks. Deny all non-VPN traffic - When checked, all non-VPN traffic is prevented from passing through the VSU. This mode blocks non-IP traffic and nonVPN IP traffic including broadcast traffic (e.g. ARPs), IP-multicast traffic (e.g. OSPF updates) and other traffic containing routing information. NOTE: This mode should be used when the VSU is dedicated to VPN traffic and is in parallel with another device (such as a router or firewall) that will enforce the network's non-VPN traffic policy. This mode should not be used when the VSU is the only path between network devices and a router with which those devices need to communicate. • Setting the unit to run in FIPs-compliant mode or not. • The current time and date. NOTE: Each of these items are preserved over firmware upgrades. When the VSU-100 is powered on for the first time, the terminal screen should display the initial power on bootup screen shown in Figure 3-1. 3-2 Preparing the VSU-100 for Configuration VSU-100 User Guide VPNet Service Unit Model XXXX 3DES ENCRYPTION Runtime System version x.x.xx, x/xx/2000 Copyright (C) 1996-2000 VPNet Technologies, Inc. All Rights Reserved. -- Month Day 2000, 17:06:01 --ethernet0: MAC Address 00:60:a1:00:23:f9 ethernet1: MAC Address 00:60:a1:00:23:fa ethernet2: MAC Address 00:60:a1:00:16:9a ethernet3: MAC Address 00:60:a1:00:16:9b Checking Non Volatile RAM integrity... OK Checking Configuration Database... OK Checking Certificate Database... OK Calibrating CPU performance monitor... OK Power/Cooling subsystems Monitor initializing... Power Subsystem is Good. Cooling Subsystem Good. ...Done. VPNet Technologies - VSU XXXX 3DES ENCRYPTION - Main 1) 2) 3) 4) 5) Menu Configuration Statistics Utilities Logout Quick Setup Your choice [1-5]: Figure 3-1 Preparing the VSU-100 for Configuration Initial Power On Bootup Screen for VSU 3-3 VSU-100 User Guide Preconfigure the VSU-100 to communicate with the VPNmanager using the Quick Setup menu selection as described below: 1. From the Main Menu, select 5) Quick Setup. VPNet Technologies - VSU XXXX- Main Menu 1) 2) 3) 4) 5) Configuration Statistics Utilities Logout Quick Setup Your choice [1-5]: 5 You will be prompted for the information required to set up the VSU. To accept the current value and go to the next prompt, press Return. 2. Enter the IP address and netmask assigned to the VSU. NOTE: The Secondary IP address and mask are optional. IP address: 192.0.2.1 Mask: 255.255.255.0 IP address: 210.1.18.135 IP mask: 255.255.255.0 Do you want a secondary IP address on this unit? [yn] y Secondary IP address: Secondary Mask: 255.0.0.0 Secondary IP address: 10.0.0.1 Secondary IP mask: 255.255.255.0 3. Enter the default route for this VSU. Default Route is not configured. Enter Default Route: 210.1.18.1 Typically, the default route is the IP address of the gateway router that provides an IP route between the VSU-100 and the public network (e.g., Internet). 3-4 Preparing the VSU-100 for Configuration VSU-100 User Guide 4. To prevent unauthorized users from accessing the VSU-100 through the console port, enter and confirm the new VSU console password. VSU Console password may be up to 31 characters. Enter new VSU console password: ****** Confirm new VSU console password: ****** CAUTION: Do not forget this password. As a security measure, the only way to bypass an unknown console password is to return the VSU-100 to the factory at the customer’s expense. The password may be up to 31 characters in length and is case-sensitive. Once the password is set, it must be entered to gain future access to the VSU console. Pressing Return without typing anything at the “Enter new VSU console password” and “Confirm new VSU console password” prompts will set the VSU console password to empty (no password required). 5. A superuser name and password is required to allow the Network Administrator to initially configure this VSU through the VPNmanager application. This VSU's superuser name is: "root". Change superuser name? [yn] y This VSU's superuser name may be up to 31 characters. Enter new superuser name: superuser This VSU's superuser password may be up to 31 characters. Enter new superuser password: ****** Confirm new superuser password: ****** Press Return or enter “n” to leave the superuser name at its default value of root, or enter “y” to change the superuser name. Both the superuser name and password may be up to 31 characters and are case-sensitive. The name and password will be required later when first setting up the VSU through the VPNmanager application. After the VSU has been initially set up, the VSU may use the VPNmanager Directory Server to authenticate a configuration request, at the Network Administrator’s option. Preparing the VSU-100 for Configuration 3-5 VSU-100 User Guide Non-VPN traffic mode: non-VPN traffic is currently forwarded. Non-VPN Traffic Configuration Menu 1) 2) 3) P) Permit all non-VPN traffic Deny IP non-VPN traffic only Deny all non-VPN traffic Previous menu Your choice [1-3]: 6. Select a traffic mode from the Traffic Configuration Menu. Permit all non-VPN traffic - When checked (default), all non VPN traffic is allowed to pass through the VSU. Deny all IP non-VPN traffic - When checked, all non-IP traffic is passed through the VSU. Deny all non-VPN traffic - When checked, all non-VPN traffic is prevented from passing through the VSU. For additional information regarding traffic modes, see page 3-2. Do you want this unit to run in FIPs-compliant mode? [yn] y 7. Enter “n” if you do not want the VSU to run in FIPs-compliant mode. If you answer “n”, the code skips to the date and time configuration. Go to Step 7. Enter “y” if you want the VSU to run in FIPs-compliant mode. If you answer “y”, answer the following configuration questions. For more information regarding FIPS, see “FIPS Mode” on page 3-8. FIPs-compilant mode may only be disabled via VPNmanager. Please confirm that you want this unit to run in FIPscompilant mode. [yn] y 3-6 Preparing the VSU-100 for Configuration VSU-100 User Guide 8. Enter the current date and time. Date: 3-9-2000 Enter date [MM-DD-YYYY]: Time: 13:51:53 Enter time [HH:MM:SS]: This date and time setting are primarily used to ensure accurate timestamps when logging events. When changing either the date or time, all three parts of the date (MM-DD-YYYY) or time (HH:MM:SS) must be entered. A 24-hour clock is used when setting the time. For example, 13:00:00 is equivalent to 1:00 PM. 9. Reboot the VSU-100. Reboot is required to complete Quick Setup. Reboot Now? [yn] y Your VSU-100 is now prepared for configuration by using the VPNmanager. The VSU initially passes all traffic between its Public and Private ports. This would be a good time to verify connectivity by pinging the VSU from public and private machines, and by passing traffic between public and private machines. Proceed to the VPNmanager Administrator Guide to continue configuring your VSU. Preparing the VSU-100 for Configuration 3-7 VSU-100 User Guide FIPS Mode FIPS (Federal Information Processing Standards) Mode forces the VSU to operate in a FIPS 140-1 Level 2 compliant mode. It is recommended that this mode only be used if your organization’s policy requires FIPS 140-1 Level 2 certification for cryptographic devices. Note that in the FIPS mode (as dictated by the FIPS 140-1 requirements specification), the following are NOT supported: • SKIP VPNs • VPNremote 2.5x Clients • Any encryption algorithm other than DES or 3DES • Any authentication algorithm other than SHA-1 General Firmware Upgrade Information Configuration Items Left to the VPNmanager The following items are likely to be configured by most administrators, but are left to VPNmanager or other VSU console menu items to keep the Quick Setup menu minimal: • LDAP servers used to authenticate VPNmanager console users. • Disable a VSU’s SuperUser account. Flushing the configuration on VPNware 3.1 In the event you flush the configuration (via VSU console menu item Configuration->Flush Configuration) on a VSU running VPNware 3.1 the following occurs: • The superuser name will be “root”. • There will be no superuser password. • If a VSU console password is configured, it will be preserved. • The secondary IP address will be empty. • The blocking mode will be set to forward all non-VPN traffic. 3-8 Preparing the VSU-100 for Configuration APPENDIX A Specifications Packet Encryption • DES encryption (56-bit key) • Triple DES (EDE-CBC) encryption (168-bit key) • Weak and semi-weak keys are automatically discarded Packet Authentication • Keyed MD5™ AH Message Digest Algorithm (RFC 1321) • HMAC-MD5 and HMAC SHA-1 (RFC 2104) User Authentication • RADIUS servers (Ascend Access Control™, Security Dynamics ACE/Server Access Manager, BaySecure™ Access Control, Funk Steel Belted RADIUS Server) • CHAP and PAP • SecurID™ tokens Compression • Stac™ Lempel-Ziv hardware data compression VSU-100 User Guide A-1 Specifications Key Management • • • • IKE: Key updates configurable starting from 60 seconds (RFC 2409) SKIP: Keys updated every 30 seconds Manual All packet, traffic, and authenticating keys automatically generated Firewall Integration • Bypass mode for non-VPN traffic Network Address Translation (NAT) • Supports static, dynamic, and port mapping • Reverse address translation for dynamic IP clients Protocol Support • IEEE 802.3, Ethernet • Full IPSec compliance: RFC 2401, 2402, 2403, 2404, 2405, 2406, 2407, 2408, 2409, 2410, 2412, 2451, IPSec Key Management using SKIP or IKE. (Tunnel and transport modes supported.) Digital Certificates • X.509v3 for management and IPSec communication • Compatible with certificates generated by VeriSign, GTE Cybertrust, Entrust, Frontier Technologies, Baltimore, Netscape, Microsoft, and Thawte System Management • • • • • Configuration via Java-based VPNmanager™ Monitoring from any application with SNMPv1 via VSU-1100 MIB Configuration traffic secured through SSL Secure software download for system upgrades Syslog event and usage logging Remote Client Support • VPNremote Client Software for Windows 95/98/NT A-2 VSU-100 User Guide Specifications Compatibility • Fully compatible with all other VPNware Service Units and VPNremote Client Software for Windows 95/98/NT (using transport or tunnel mode) • ICSA-certified IPSec Dimensions • 7.75" W x 6.5" D x 1.9" H (19.68 cm x 16.5 cm x 4.8 cm) Weight • 16 ounces. (497 grams) Physical Security • Tamper-evident enclosure (FIPS 140-1 Level 2) LAN Interface • Two 10/100BASE-T Ethernet ports Management Interfaces • RS-232 and Ethernet Software Upgrade • Via built-in flash memory Power Requirements (AC Adapter) • • • • • 100/240 VAC Input frequency: 50 to 60 Hz AC input current: 1 Amp Input +5.0 VDC 5%, 10 watts max. CAUTION: Danger of explosion if memory backup battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer’s instructions. Note that the battery in this unit is a non-serviceable part. Operating Environment • Temperature: 32° to 104° F, 0 to 40°C • Relative Humidity: 5 to 90% (non-condensing) • Altitude: 0-12,000 feet, 3660 meters VSU-100 User Guide A-3 Specifications Safety Certification • UL, CSA, CE , CB Scheme EMI/RFI • FCC Part 15, Class B, CISPR 22/85A • VCCI A-4 VSU-100 User Guide GLOSSARY VSU Acronyms CBC – Cipher Block Chaining encryption DES – Data Encryption Standard encryption DNS – Domain Name Server (a distributed database system used to map host names to IP addresses and vice versa) DCE – Data Communication Equipment DSU/CSU – Data Service Unit/Channel Service Unit DTE – Data Terminal Equipment ECB – Electronic Code Book encryption HDLC – High-level Data Link Control ISAKMP – Internet Security Association Key Management Protocol IPSEC – Internet Protocol SECurity MD5 – Message Digest Algorithm VSU-100 User Guide G-1 PPP – Point to Point Protocol RADIUS – Remote Authentication Dial-In User Server RFC – Request For Comment SHA – Secure Hash Algorithm SKIP – Simple Key Management for Internet Protocol SNMP – Simple Network Management Protocol SSL – Secure Socket Layer TCP/IP – Transmission Control Protocol / Internet Protocol URL – Uniform Resource Locator UTP – Unshielded Twisted Pair VPN – Virtual Private Network VSU – Virtual Service Unit G-2 VSU-100 User Guide Index B bootup screen 3-2 C configuration preparation 3-1 configuring using quick setup menu 3-4 connections Ethernet LAN 2-3 router 2-3 console password 3-5 contacting VPNet 1-i D date and time 3-7 default route 3-4 DES 1-2 E email support 1-i environmental requirements 1-4 equipment provided by customer 1-5 provided by VPNnet 1-5 F FAX support 1-i I IP address 3-4 IPSec standards 1-2 L LAN connections 2-3 N netmask 3-4 P password VSU console 3-5 performance 1-2 phone support 1-i plug-and-play installation 1-3 power on bootup screen 3-2 product registration 1-i Q quick setup menu 3-4 R reboot 3-7 registration 1-i requirements environmental 1-4 router connections 2-3 S security 1-2 SHA1 1-2 SKIP 1-2 specifications A-1 T technical support 1-i terminal settings 2-2 time 3-7 triple DES 1-2 V VPNmanager 3-1, 3-7 VSU console password 3-5 W world wide web support 1-i
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement