Black Box_ETM_User_Guide_3_5

ET0010A
ET0100A
ET1000A
ET10000A

EncrypTight User Guide, Version 3.5

EncrypTight™ acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight Enforcement Points.

BLACK BOX®
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: [email protected]
Table of Contents
Preface ....................................................................................................................................... 11
About This Document.......................................................................................................................... 11
How to comment............................................................................................................................ 12
Contacting Customer Support............................................................................................................. 12
Chapter 1: EncrypTight Manager Overview .......................................................................... 13
Distributed Key Topologies .................................................................................................................. 13
EncrypTight Manager Platform ...................................................................................................... 15
Element Management .............................................................................................................15
Policy Generation and Management....................................................................................... 15
Key Generation and Distribution ............................................................................................. 15
Policy Enforcement Point ........................................................................................................ 15
ETVEP .................................................................................................................................... 15
Point-to-Point Negotiated Topology ..................................................................................................... 16
Security Within ETM............................................................................................................................. 17
Secure Communications Between EncrypTight and PEPs ........................................................... 17
Secure Key Storage ...................................................................................................................... 18
Internet Encryption ............................................................................................................................... 18
Secure Mesh Internet .................................................................................................................... 19
Secure Mesh Internet Features ..................................................................................................... 19
Secure full mesh encryption/authentication for all sites across the Internet ........................... 19
Central management for all sites ........................................................................................... 19
Drop in solution ....................................................................................................................... 19
Regulatory compliance............................................................................................................ 19
Where Files, Certificates and Keys Are Located ........................................................................... 20
Chapter 2: Working with the EncrypTight Manager User Interface .................................... 21
Logging into EncrypTight ..................................................................................................................... 21
EncrypTight Manager Page ................................................................................................................. 22
Panels .................................................................................................................................................. 23
Sorting and Filtering ............................................................................................................................. 23
Selecting Items..................................................................................................................................... 24
Working with Columns ......................................................................................................................... 25
Toolbars ............................................................................................................................................... 25
Editors .................................................................................................................................................. 26
Viewing Status ..................................................................................................................................... 27
Understanding User Roles ................................................................................................................... 28
Managing Licenses .............................................................................................................................. 28
Installing Licenses ......................................................................................................................... 29
Upgrading Licenses....................................................................................................................... 30
Upgrading the EncrypTight License ........................................................................................ 31
Upgrading PEP Licenses ........................................................................................................ 31
Viewing License Summary...................................................................................................... 31
Black Box EncrypTight Manager User Guide
ETVEP Enterprise Licensing ......................................................................................................... 32
Configuring ETVEP CPU Licenses................................................................................................ 33
Logging Out.......................................................................................................................................... 34
Chapter 3: Provisioning PEPs ................................................................................................. 35
Provisioning Basics .............................................................................................................................. 35
Adopting a PEP ............................................................................................................................. 35
Remote in-band management ....................................................................................................... 37
How RIBM affects ETM...........................................................................................................37
Pre-Provisioning an Appliance ...................................................................................................... 38
Configuring PEPs for Use with ETM..............................................................................................39
Saving PEP Configurations ...........................................................................................................40
Applying Configurations................................................................................................................. 40
ETM port configuration requirements for ET0005A ....................................................................... 40
Viewing PEP Status....................................................................................................................... 41
Controlling the Status Refresh Interval .......................................................................................... 42
Comparing Configurations ............................................................................................................. 42
Customizing the PEPs View .......................................................................................................... 43
Rebooting PEPs ............................................................................................................................ 45
Provisioning Large Numbers of PEPs.................................................................................................. 45
Working with Configuration Templates .......................................................................................... 46
Creating PEP Templates......................................................................................................... 46
Customizing PEP Configuration Templates ............................................................................ 46
Copying PEP Template Configurations................................................................................... 47
Comparing PEP Templates..................................................................................................... 47
Deleting PEP Templates ......................................................................................................... 47
Importing Configurations from an Excel File.................................................................................. 47
Creating the Import File...........................................................................................................47
Checking the Time on New Appliances ......................................................................................... 48
Shutting Down Appliances ................................................................................................................... 49
Additional Configuration Options.......................................................................................................... 49
Chapter 4: Managing Networks ............................................................................................... 51
Adding Networks .................................................................................................................................. 51
Advanced Uses for Networks in Policies..............................................................................................52
Grouping Networks into Supernets................................................................................................ 52
Using Non-contiguous Network Masks.......................................................................................... 53
Editing Networks .................................................................................................................................. 54
Deleting Networks ................................................................................................................................ 55
Chapter 5: Managing Network Sets......................................................................................... 57
Types of Network Sets ......................................................................................................................... 57
Adding a Network Set .......................................................................................................................... 59
Importing Networks and Network Sets................................................................................................. 61
Editing a Network Set........................................................................................................................... 61
Deleting a Network Set ........................................................................................................................ 62
Internet Encryption ............................................................................................................................... 62
Requirements for Over the Internet Encryption ............................................................................. 63
Support for IPSEC Pass-through ............................................................................................ 63
IPSEC NAT ............................................................................................................................. 63
Firewalls that perform packet Re-assembly ............................................................................ 64
Chapter 6: Creating VLAN ID Ranges ..................................................................................... 65
Adding a VLAN ID Range .................................................................................................................... 65
Editing a VLAN ID Range..................................................................................................................... 66
Deleting a VLAN ID Range .................................................................................................................. 66
Chapter 7: Understanding Security Policies ......................................................................... 67
About Policies ...................................................................................................................................... 67
Ethernet Policies............................................................................................................................ 67
IP Policies...................................................................................................................................... 68
Policy Priority ....................................................................................................................................... 68
Schedule for Renewing Keys and Refreshing Policy Lifetime ............................................................. 69
Policy Types and Encryption Methods ................................................................................................. 69
Encapsulation ................................................................................................................................ 70
Encryption and Authentication Algorithms..................................................................................... 70
Addressing Mode ................................................................................................................................. 71
Using Encrypt All Policies with Exceptions .......................................................................................... 72
Policy Size and PEP Operational Limits ..............................................................................................72
Minimizing Policy Size.......................................................................................................................... 73
Chapter 8: Working with Policies ............................................................................................ 75
Creating Policies .................................................................................................................................. 75
Policy Options by Mode ....................................................................................................................... 75
Layer 2 Policies ............................................................................................................................. 75
MPLS Encryption ........................................................................................................................... 77
Layer 3 Policies ............................................................................................................................. 79
Common Layer 3 Policy Options............................................................................................. 79
Options Specific to Hub and Spoke Policies ........................................................................... 82
Options Specific to Point-to-Point Policies .............................................................................. 83
Options Specific to Mesh Policies ........................................................................................... 83
Easy Mesh Policy.................................................................................................................... 84
Options Specific to Multicast Policies...................................................................................... 85
Creating Layer 4 Policies ..................................................................................................................... 85
Activating and Deactivating Policies .................................................................................................... 86
Deploying Policies................................................................................................................................ 86
Rekeying Policies................................................................................................................................. 87
Failsafe Rekey Mode ........................................................................................................................... 87
Copying Policies................................................................................................................................... 88
Editing Policies..................................................................................................................................... 89
Validating Policies ................................................................................................................................ 90
Deleting Policies................................................................................................................................... 90
Chapter 9: Policy Design Examples........................................................................................ 91
Basic Layer 2 Point-to-Point Policy Example ....................................................................................... 91
Layer 2 Ethernet Policy Using VLAN IDs ............................................................................................. 92
Complex Layer 3 Policy Example ........................................................................................................ 94
Encrypt Traffic Between Regional Centers.................................................................................... 94
Encrypt Traffic Between Regional Centers and Branches ............................................................ 96
Passing Routing Protocols ............................................................................................................ 98
Chapter 10: Managing PEPs .................................................................................................. 101
Editing Configurations ........................................................................................................................101
Security........................................................................................................................................101
Changing Settings on a Single Appliance ...................................................................................102
Changing Settings on Multiple Appliances ..................................................................................103
Refreshing Status...............................................................................................................................103
Deleting PEPs ....................................................................................................................................104
Connecting Directly to a PEP.............................................................................................................104
Upgrading PEP Software ...................................................................................................................104
About Upgrading PEP Software ..................................................................................................105
Upgrading PEP Software.............................................................................................................106
What to do if an Upgrade is Interrupted.......................................................................................108
Configuring the Upgrade Timeout ...............................................................................................108
Checking Upgrade Status............................................................................................................109
Configuring the Upgrade Concurrency Limit ...............................................................................109
Configuring LDAP........................................................................................................................109
Alarms and email notifications .....................................................................................................110
Restoring the Backup Filesystem.......................................................................................................111
Backup and Restore of ETM ..............................................................................................................112
General Guidelines......................................................................................................................112
Backup components provided by ETM ........................................................................................112
Hardware Server specifics...........................................................................................................113
Drive failures .........................................................................................................................113
Other hardware component failures......................................................................................113
Damage to the ETM software or database ...........................................................................113
Damage to the OS or filesystem ...........................................................................................113
Example backup and restore procedures .............................................................................114
Restoring to factory defaults .................................................................................................117
VM Server specifics .....................................................................................................................117
VMWare backup guide..........................................................................................................117
Understanding VM snapshots ...............................................................................................117
Best Practices for VM snapshots ..........................................................................................117
Chapter 11: Configuring PEPs............................................................................................... 119
Interfaces.....................................................................................................................................120
Security........................................................................................................................................120
Identifying an Appliance .....................................................................................................................121
Product Family and Software Version .........................................................................................122
Appliance Name ..........................................................................................................................122
Throughput Speed.......................................................................................................................122
Interface Configuration.......................................................................................................................122
Management Port Addressing .....................................................................................................123
Management Port Behavior ..................................................................................................123
IPv4 Addressing ....................................................................................................................124
IPv6 Addressing ....................................................................................................................125
Auto-negotiation - All Ports..........................................................................................................126
Remote and Local Port Settings ..................................................................................................127
Transparent Mode.................................................................................................................128
Local and Remote Port IP Addresses ...................................................................................128
Transmitter Enable................................................................................................................130
DHCP Relay IP Address .......................................................................................................131
Ignore DF Bit .........................................................................................................................131
Reassembly Mode ................................................................................................................132
Trusted Hosts.....................................................................................................................................132
SNMP Configuration ..........................................................................................................................134
System Information......................................................................................................................135
Community Strings ......................................................................................................................135
TRAPS.........................................................................................................................................136
SNMPv2 Trap Hosts....................................................................................................................137
SNMPv3 ......................................................................................................................................138
Generating the Engine ID......................................................................................................138
Retrieving and Exporting Engine IDs ....................................................................................139
Configuring the SNMPv3 Trap Host Users ...........................................................................139
Logging Configuration ........................................................................................................................140
Log Event Settings ......................................................................................................................141
Defining Syslog Servers ..............................................................................................................142
Log File Management..................................................................................................................143
Path Maximum Transmission Unit ...............................................................................................144
Non IP Traffic Handling ...............................................................................................................145
CLI Inactivity Timeout ..................................................................................................................145
Password Strength Policy............................................................................................................146
XML-RPC Certificate Authentication ...........................................................................................146
SSH Access to the PEP ..............................................................................................................146
PEP Users ...................................................................................................................................147
PEP User Roles ....................................................................................................................147
Configuring the Password Enforcement Policy .....................................................................147
User Name Conventions .......................................................................................................148
Default Password Policy Conventions ..................................................................................148
Strong Password Policy Conventions ...................................................................................148
Cautions for Strong Password Enforcement .........................................................................149
Managing Appliance Users ...................................................................................................150
Adding PEP Users ................................................................................................................150
Modifying PEP User Credentials...........................................................................................151
Deleting PEP Users ..............................................................................................................151
Viewing PEP Users ...............................................................................................................152
SNTP Client Settings...................................................................................................................152
ETM calling ntpdate with 2.2 appliances .....................................................................................153
IKE VLAN Tags ...........................................................................................................................153
OCSP Settings ............................................................................................................................154
Certificate Policy Extensions .......................................................................................................155
FIPS Mode...................................................................................................................................155
Enabling FIPS Mode .............................................................................................................155
Disabling FIPS ......................................................................................................................156
Verifying FIPS Status on the PEP.........................................................................................156
EncrypTight Settings ...................................................................................................................157
Encryption Mode Settings............................................................................................................157
Factory Defaults .................................................................................................................................158
SNMP ..........................................................................................................................................159
Logging........................................................................................................................................160
Policy ...........................................................................................................................................160
Advanced.....................................................................................................................................160
Black Box EncrypTight Manager User Guide
Features ......................................................................................................................................161
Hard-coded Settings....................................................................................................................161
Safe Mode ...................................................................................................................................161
Safe Mode Recovery.............................................................................................................161
“Not Encrypting” alarm.................................................................................................................162
TACACS+ AAA............................................................................................................................162
Chapter 12: Managing EncrypTight Users ........................................................................... 165
About EncrypTight User Accounts .....................................................................................................165
Managing EncrypTight User Accounts...............................................................................................166
Changing a Password ........................................................................................................................167
How EncrypTight Users Work with PEP Users ..................................................................................167
Chapter 13: Working with Logs ............................................................................................. 171
About Logs .........................................................................................................................................171
About the Audit Log............................................................................................................................171
About the Task History.......................................................................................................................172
About Activity Messages ....................................................................................................................172
Viewing Logs......................................................................................................................................172
Log Actions ........................................................................................................................................173
Logging Configuration ........................................................................................................................173
Auditing and Logging Controls ....................................................................................................173
Configuring Auditing for XML-RPC Calls ..............................................................................173
Configuring System Auditing.................................................................................................174
Configuring the Syslog Server ..............................................................................................174
Chapter 14: Using Enhanced Security Features.................................................................. 175
About Enhanced Security Features ...................................................................................................175
About Strict Authentication.................................................................................................................175
Prerequisites................................................................................................................................176
Order of Operations.....................................................................................................................177
Certificate Information .................................................................................................................177
Using Certificates in an ETM System...................................................................................178
Configuring the Certificate Policies Extension ...................................................................................178
Importing PEP Certificates into EncrypTight ...............................................................................180
Working with Certificates for the PEPs ..............................................................................................180
Understanding the PEP Certificates Page...................................................................................180
Certificates Workflow...................................................................................................................182
PolicyServer CA Certificate...................................................................................................182
PolicyServer Certificate.........................................................................................................182
PolicyServer TLS Client ........................................................................................................182
PolicyServer Certificate Authority..........................................................................................183
Certificate Distribution ...........................................................................................................183
Directory Structure ................................................................................................................183
Customizing.................................................................................................................................183
Generating the PolicyServer CA and Server Certificates......................................................184
Replacing the PolicyServer CA and Server Certificates .......................................................184
Working with Certificate Requests...............................................................................................184
Requesting a Certificate........................................................................................................184
Installing a Signed Certificate................................................................................................185
Viewing a Pending Certificate Request.................................................................................186
Canceling a Pending Certificate Request .............................................................................186
Setting Certificate Request Preferences ...............................................................................187
Exporting Certificates ..................................................................................................................187
Deleting Certificates ....................................................................................................................188
Validating Certificates ........................................................................................................................188
Validating Certificates Using CRLs..............................................................................................188
Configuring CRL Usage in EncrypTight ................................................................................189
Configuring CRL Usage on PEPs .........................................................................................189
Handling Revocation Check Failures ....................................................................................190
Validating Certificates Using OCSP ............................................................................................190
Configuring OCSP for EncrypTight .......................................................................................190
Configuring OCSP for PEPs .................................................................................................191
Enabling and Disabling Strict Authentication .....................................................................................192
Two-factor Authentication ............................................................................................................193
Removing Certificates ........................................................................................................................195
Chapter 15: Using A Disaster Recovery Server ................................................................... 197
About Disaster Recovery Servers ......................................................................................................197
Configuring a Disaster Recovery Server .....................................................................................197
Configuring the Main Servers ......................................................................................................198
Backup and Restore of EncrypTight Manager.............................................................................198
General Guidelines ...............................................................................................................198
Backup components provided by ETM .................................................................................199
Hardware Server specifics ....................................................................................................199
Other hardware component failures......................................................................................199
Damage to the ETM software or database ...........................................................................200
Damage to the OS or filesystem ...........................................................................................200
Example backup and restore procedures .............................................................................200
Procedure 1. Backing up the entire filesystem......................................................................200
Procedure 2. Restoring the complete filesystem, including the OS ......................................201
Alternative *nix backup methods...........................................................................................201
Procedure 3. Backing up the ETM software and data...........................................................201
Procedure 4. Restoring the ETM software and data .............................................................202
Procedure 5. Backing up the ETM database ........................................................................202
Procedure 6. Restoring the ETM database...........................................................................202
Restoring to factory defaults .................................................................................................203
VM Server specifics .....................................................................................................................203
Index......................................................................................................................................... 205
Preface
About This Document
Purpose
The Black Box EncrypTight Manager User Guide provides detailed information on how to install,
configure, and troubleshoot EncrypTight components, including the EncrypTight software, ETM servers,
and Black Box ETEP appliances.
Intended Audience
This document is intended for network managers and security administrators who are familiar with setting
up and maintaining network equipment. Some knowledge of network security issues and encryption
technologies is assumed.
Assumptions
This document assumes that its readers have an understanding of the following:
• Black Box encryption appliance features, installation and operation
• Basic principles of network security issues
• Basic principles of encryption technologies and terminology
• Basic principles of TCP/IP networking, including IP addressing, switching and routing
• Personal computer (PC) operation, common PC terminology, use of terminal emulation software and FTP operations
• Basic knowledge of the Linux operating system
Conventions used in this document
Bold: Indicates one of the following:
• a menu item or button
• the name of a command or parameter
Italics: Indicates a new term
Monospaced: Indicates machine text, such as terminal output and filenames
Monospaced bold: Indicates a command to be issued by the user
How to comment
Customer comments on Black Box documents are welcome. Send your comments to:
Black Box Corporation
1000 Park Drive
Lawrence, PA 15055-1018
email: [email protected]
Contacting Customer Support
Technical support services are accessible through the Black Box support center.
US (toll free): 1-877-877-BBOX
International: outside U.S. call 724-746-5500
Email: [email protected]
Web: www.blackbox.com
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Chapter 1: EncrypTight Manager Overview
EncrypTight Manager™ is an innovative approach to network-wide encryption. EncrypTight acts as a
transparent overlay that integrates easily into any existing network architecture, providing encryption
rules and keys to Black Box encryption appliances.
Distributed Key Topologies
EncrypTight Manager centralizes the creation and distribution of encryption keys and policies. It handles
the functions of policy management, key generation and distribution, and policy enforcement. By doing
so, multiple Policy Enforcement Points (PEPs) can use common keys, while a centralized platform
assumes the function of renewing keys at pre-determined intervals.
In this system, you use EncrypTight to configure the PEPs, to create and manage policies, and to generate
keys and distribute keys and policies to the appropriate PEPs. EncrypTight Manager provides the ability
to delete, deactivate, and activate a group of policies. The PEPs encrypt traffic according to the policies
and keys that they receive.
Figure 1 EncrypTight Manager components
Elements of Figure 1:
1) Management Layer - Create & manage policies and generate & distribute keys and policies
2) Network Layer - Traffic encryption
Using EncrypTight Manager, you can create distributed key policies for the network topologies shown in
Table 1.
Table 1 Network topologies

Layer 3 IP topologies
Hub and Spoke: In a hub and spoke network, a hub network communicates with the spoke networks and the spoke networks communicate only with the hub network.
Multicast: In multicast transmission, one or more networks send unidirectional streams to a multicast network address. The multicast routers detect the multicast transmission, determine which nodes have joined the multicast network as destination networks, and duplicate the packet as needed to reach all multicast destination networks.
Point-to-point: In a point-to-point network, one network sends and receives data to and from one other network.
Mesh: In a mesh network, any network can send or receive data from any other network.

Layer 2 Ethernet topologies
Mesh: For Ethernet, you can create policies for mesh networks. Note that if the network uses VLAN ID tags, you can also create policies for virtual point-to-point connections.
Regardless of topology, PEPs are typically located at the point in the network where traffic is being sent
to an untrusted network or coming from an untrusted network. As an example, Figure 2 shows a hub and
spoke network secured with EncrypTight Manager.
Figure 2 PEPs in a Hub and Spoke network
Elements of Figure 2:
A-C) PEPs
PEP A encrypts data traffic from Network A that goes to Networks B or C. PEP A also decrypts data that
originates from Networks B and C. PEP B encrypts data from Network B that goes to Network A and
decrypts data that comes from Network A. PEP C encrypts data from Network C that goes to Network A
and decrypts data that comes from Network A.
EncrypTight Manager Platform
The EncrypTight Platform performs various tasks including:
Element Management
EncrypTight allows you to provision and manage multiple Black Box appliances from a central location.
It provides capabilities for appliance configuration, software updates, and maintenance and
troubleshooting for your Black Box encryption appliances.
Policy Generation and Management
EncrypTight creates and manages policies and monitors the status of the PEPs. For each policy it
specifies:
• The PEPs that are controlled
• The networks each PEP protects
• The action that is performed (encrypt, send in the clear, or drop)
• The kind of traffic the policy affects
Key Generation and Distribution
Key generation and distribution functions are provided by EncrypTight. EncrypTight generates keys for
each of the PEPs within its network. The keys and policies associated with its networks are distributed to
the appropriate PEPs.
Policy Enforcement Point
Black Box encryption appliances provide policy enforcement functions, and are referred to generically as
PEPs (policy enforcement points). According to the policies distributed by EncrypTight, the PEPs can
encrypt and decrypt traffic, send traffic in the clear, or drop traffic. Each PEP can be used in multiple
policies simultaneously.
To securely transfer data between two PEPs over an untrusted network, both PEPs must share a key. One
PEP uses the shared key to encrypt the data for transmission over the untrusted network, while the second
PEP uses the same shared key to decrypt the data. Figure 3 illustrates the shared key concepts between
two PEPs.
ETVEP
The Black Box ET0100A is a virtual appliance for VMWare ESX/ESXi environments that enables
sensitive workloads to execute and communicate securely in untrusted networks. The ETVEP provides
data confidentiality and integrity for sensitive data in motion in shared environments and prevents one
tenant from monitoring the network traffic or attacking the virtual servers of another tenant. Furthermore,
the ETVEP allows the data owner or a trusted third party to control the encryption keys without the need
to share the encryption keys with the infrastructure provider.
Figure 3 Shared keys
Elements of Figure 3:
A) PEP A
B) PEP B
In this example, traffic moves between two trusted networks: Network A and Network B. PEP A and
PEP B work in unison to ensure data security as the traffic passes through an unsecured network. PEP A
uses Shared Key 2 to encrypt all outbound traffic intended for Network B. PEP B uses the same shared
key to decrypt all traffic inbound from Network A. Traffic flowing in the opposite direction is secured in
the same manner using Shared Key 1.
EncrypTight Manager Policy Enforcement Points (PEPs) include:
Table 2 Black Box PEPs
Model: ET0005A, ET0010A, ET0100A, ET0100A, ET1000A, ET10000A
Layer 2 Ethernet Encryption: X
Layer 3 IP Encryption: X
Point-to-Point Negotiated Topology
You can protect simple, point-to-point Ethernet links using EncrypTight. Two PEPs can be configured
with EncrypTight to protect a Layer 2 Ethernet link. The policies and key are negotiated directly by the
two PEPs, without requiring a centralized key generation and distribution tool.
This option provides a simple, quick, and straightforward way to secure a single point-to-point Layer 2
Ethernet link. All you need to secure your traffic is EncrypTight and two PEP encryption appliances.
The Black Box PEP can be managed in-line or out-of-band through a dedicated Ethernet management
interface, as shown in Figure 4.
Figure 4 Layer 2 Point-to-Point Deployment
1) Layer 2 switch
2) PEP - local site
3) PEP - remote site
4) EncrypTight Manager management PC
L, R, M) Local (L), remote (R), and management (M) ports
Use EncrypTight to create a Layer 3 point-to-point distributed key policy as one of several policies in a
larger, complex EncrypTight Manager deployment.
Security Within ETM
Because EncrypTight Manager generates keys that provide security throughout a network, it is critical
that the EncrypTight Manager components also be secured.
Secure Communications Between EncrypTight and PEPs
Each node in the distributed key system (the EncrypTight Manager management system and the PEPs)
communicates policy and status information with the other nodes. Given the distributed nature of networks,
much of this communication occurs across public networks.
EncrypTight Manager uses Transport Layer Security (TLS) to encrypt management traffic between
EncrypTight Manager components. This protocol allows secure communication between the devices in
the system while providing information about the secure stream to EncrypTight Manager. You can
enhance that security by authenticating the management communications between EncrypTight Manager
components using certificates.
Secure Key Storage
Key generation and key storage are critical to maintaining security in EncrypTight Manager. EncrypTight
uses the following mechanisms to protect the keys:
• Generates and sends a nonce to the PEP
• Optionally generates and stores the nonce via a hardware security module
Internet Encryption
The Network Addressing Mode in ETM allows the use of the PEPs for encryption over the internet as
long as there is a firewall in place that can forward the ESP packets to the PEP.
Below is an illustration of encryption over the internet reflecting the following benefits:
• Only one public IP address is required (must be static)
• Improves performance (Full-mesh among branch sites)
• No hairpinning
• Only one encrypt/decrypt cycle vs two for hub-and-spoke
• GW can send Internet traffic directly to the Internet (split tunnel)
• GW needs to support IPSec forwarding (ESP)
Figure 5 Encryption Over the Internet
Secure Mesh Internet
Figure 6
Secure Mesh Internet
Secure Mesh Internet Features
Secure full mesh encryption/authentication for all sites across the Internet
• Low latency - no need to hairpin traffic through a central site
• Better reliability than hub-and-spoke tunnels - all sites have direct connectivity to all other sites
• Works with business or consumer class Internet service (static or dynamic IP)
Central management for all sites
• Drag and drop provisioning for all sites
• No need to provision individual p-to-p tunnels
• Optional SaaS-based management – no need to deploy a server to manage it
Drop in solution
• Easy to deploy to existing networks without infrastructure changes
• Keep existing firewalls, gateways, and other edge security infrastructure
Regulatory compliance
• Powerful auditing and logging make it easy to demonstrate compliance with security mandates, such as PCI, HIPAA, and other PII legislation
Where Files, Certificates and Keys Are Located
Chapter 2: Working with the EncrypTight Manager User Interface
Logging into EncrypTight
To log into EncrypTight:
1 In the address box of your browser, type https://xxx.xxx.xxx.xxx
Where xxx.xxx.xxx.xxx is the IP address of the ETM server.
The EncrypTight Login window displays. There are tabs at the bottom of the login form to log into
the main application or to the dashboard.
2 In the User Name box, type your user name. The default user name is admin.
3 In the Password box, type your password. The default password is admin.
4 Click Login.
Figure 7 Login Form
User Lockout based on failed login attempts
After a number of failed login attempts (X) within a time period (Y), ETM locks out a user for Z
minutes. The current defaults are 5 failures, up to 5 minutes apart, which cause a 60 minute lockout.
• An administrator may unlock a locked out user from the UI.
• The lockout functionality must be explicitly enabled, but failed logins are tracked even if disabled.
• The failure count (X) must be greater than 0 if user login lockout is enabled.
• If the interval (Y) is set to 0, then failures will be cumulative, reset only after a successful login.
• If the lockout duration (Z) is set to 0, then no timer will be created to unlock the user login (i.e. the user has to be enabled by an administrator).
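The lockout rules above, carried through as an added example that is not EncrypTight code: a small tracker that applies X, Y and Z with the documented edge cases (tracking while disabled, Y = 0 cumulative counting, Z = 0 requiring an administrator unlock). It assumes that Y is the longest gap allowed between consecutive failures and that the count restarts when a timer expires; times are minutes on a caller-supplied clock.

```python
"""Login-lockout tracker modelling the ETM rules listed above.

Added example, not EncrypTight code. The guide does not publish the server's
logic, so two points are assumptions: the interval Y is the longest gap
allowed between consecutive failures for them to count as one run (the
guide's "up to 5 minutes apart"), and the failure count restarts from zero
once a lockout timer expires. Times are minutes on a caller-supplied clock so
the behaviour can be checked without sleeping.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    enabled: bool = True       # lockout must be explicitly enabled
    failures: int = 5          # X: failures that trigger a lockout
    interval_min: float = 5    # Y: max minutes between failures; 0 = cumulative
    lockout_min: float = 60    # Z: lockout length in minutes; 0 = until admin unlock

    def validate(self) -> None:
        # The guide requires X > 0 whenever lockout is enabled.
        if self.enabled and self.failures <= 0:
            raise ValueError("failure count X must be > 0 when lockout is enabled")


@dataclass
class UserState:
    failure_count: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None   # None: unlocked; inf: needs admin unlock


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        policy.validate()
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str, now: float) -> bool:
        """Report lock status, clearing a lockout whose timer (Z > 0) has run out."""
        st = self._state(user)
        if st.locked_until is None:
            return False
        if st.locked_until <= now:
            st.locked_until = None
            st.failure_count = 0
            st.last_failure = None
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; return True if this one triggers a lockout."""
        already_locked = self.is_locked(user, now)
        st = self._state(user)
        p = self.policy
        # Y > 0: a failure more than Y minutes after the previous one starts a
        # new run. Y == 0: failures accumulate until a successful login.
        if (p.interval_min > 0 and st.last_failure is not None
                and now - st.last_failure > p.interval_min):
            st.failure_count = 0
        st.failure_count += 1
        st.last_failure = now
        # Failures are tracked even when lockout is disabled, but never lock.
        if not p.enabled or already_locked:
            return False
        if st.failure_count >= p.failures:
            st.locked_until = float("inf") if p.lockout_min == 0 else now + p.lockout_min
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Correct credentials: allowed only when not locked; resets the failure run."""
        if self.is_locked(user, now):
            return False
        st = self._state(user)
        st.failure_count = 0
        st.last_failure = None
        return True

    def admin_unlock(self, user: str) -> None:
        """An administrator unlocks the account from the UI (needed when Z == 0)."""
        self.users[user] = UserState()


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy())   # defaults: X=5, Y=5, Z=60
    for minute in range(5):                      # five failures, one minute apart
        locked = tracker.record_failure("admin", float(minute))
    print("locked after 5th failure:", locked)
    print("still locked at minute 30:", tracker.is_locked("admin", 30.0))
    print("unlocked at minute 64:", not tracker.is_locked("admin", 64.0))
```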
The EncrypTight window consists of pages, panels, editors, and menus. Some pages include toolbars, and
shortcut menus are available in many areas. When you first log in to EncrypTight, the Status page is
displayed.
• Pages are used to present data and to perform a specific set of tasks.
• Panels group related items together, for example, Active and Saved policies.
• Toolbars provide quick access to commonly-used functions.
• Editors are used to add or modify ETM elements and policies. EncrypTight has the ability to delete, deactivate, or activate a group of policies.
• Menus are used to access views and functions within the EncrypTight software.
EncrypTight Manager Page
The EncrypTight Manager page displays the elements and settings that you work with to create policies and
perform other tasks. Many pages display data in a grid format. To switch to a different page, use the
menu (see Figure 8). Click a menu button to switch to the main page for that menu, or click the [icon] to
access a different page.
Figure 8 EncrypTight Manager Menu
Table 3 EncrypTight Manager menu
View: Description
Home: Displays the Status page and the Portal page.
Policies: Displays security policies and policy elements such as PEPs, networks, and network sets.
PEPs: Displays the PEPs page, where you can add and modify PEPs.
Certificates: Displays the certificates page and provides tools for working with certificates.
Admin: Displays the Admin page, where administrators can create and manage user accounts. Other Admin pages provide access to the Audit logs and other functions.
Platform: Displays the Platform page, which provides tools for managing the ETM system as a whole.
Panels
Some pages include multiple panels. For example, the Policies page includes tabs to display panels for L3
Policies, L2 Policies, and Networks (see Figure 9).
Figure 9 Resources panel
You can show and hide panels as needed. For example, you can hide the Resources panel by clicking the
[icon] button. To display a hidden Resources panel, click [icon].
Sorting and Filtering
In some pages and tabs, such as the PEPs page, you can sort and filter the data.
To sort a page, click a column header. Click again to toggle the sort order between ascending and
descending.
In order to filter a page, you must display the header filters.
To display or hide header filters:
1 Click [icon] on any column header and select Show Header Filters.
You can filter data to display only the items you want. The filtering criteria can include multiple fields.
In text fields, the search is not case sensitive. You can use % as a wildcard to represent a string of
characters. Exclude text by prefixing the search with an !. Also, you can search for null values by typing
<null>.
In number fields, entering a single number searches for an exact match. You can use less than < and
greater than > symbols to search for records smaller or larger than a specific value. For example, entering
>100 returns all records with numbers greater than 100. You can specify a range of values by separating
two criteria with a comma. For example, entering >100, <175 returns all records between 100 and 175.
Note that these rules do not apply to fields containing IP addresses.
Date fields are similar. You can use less than < and greater than > symbols to search for records before or
after a specific date. You can also specify a range of dates by separating two criteria with a comma. Date
fields are represented as either yyyy-mm-dd or mm/dd/yyyy.
List fields use a drop-down, multi-select menu with checkboxes. You can select multiple values from the
list and the EncrypTight will return all rows that include any of the selected values.
In Boolean fields, you can select either True or False. In some cases, null is also an accepted value.
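To make the header filter rules above concrete, the following added example (not EncrypTight code) implements a matcher for the documented text, number, date, list and Boolean criteria and runs it over a constructed PEP grid. Two assumptions: a plain text criterion matches from the start of the value, as in the guide's 192 example, and IP-address fields are treated as text because the numeric rules do not apply to them.

```python
"""Header-filter matcher for the grid filter syntax described above.

Added example, not EncrypTight code; the ETM server's own matcher is not
published, so this follows only the documented rules. Assumptions: a plain
text criterion matches from the start of the value (the guide's "192" example
matches IP addresses beginning with 192); '%' matches any run of characters;
IP-address fields are filtered as text; the sample PEP rows are constructed.
"""
import re
from datetime import date
from typing import Any, Callable, Dict, Iterable, List, Optional


def _text_match(criterion: str, value: Optional[str]) -> bool:
    crit = criterion.strip()
    negate = crit.startswith("!")            # a leading '!' excludes matches
    if negate:
        crit = crit[1:]
    if crit.lower() == "<null>":             # literal <null> selects missing values
        hit = value is None
    elif value is None:
        hit = False
    else:
        # Everything except '%' is literal; matching is case-insensitive.
        pattern = ".*".join(re.escape(part) for part in crit.split("%"))
        hit = re.match(pattern, value, re.IGNORECASE) is not None
    return not hit if negate else hit


def _parse_date(text: str) -> date:
    text = text.strip()
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", text):      # yyyy-mm-dd
        y, m, d = (int(x) for x in text.split("-"))
    elif re.fullmatch(r"\d{2}/\d{2}/\d{4}", text):    # mm/dd/yyyy
        m, d, y = (int(x) for x in text.split("/"))
    else:
        raise ValueError(f"unrecognised date: {text!r}")
    return date(y, m, d)


def _ordered_match(criterion: str, value: Any, parse: Callable[[str], Any]) -> bool:
    """Numbers and dates: exact value, '<v', '>v', or comma-separated terms (all must hold)."""
    if value is None:
        return False
    for term in criterion.split(","):
        term = term.strip()
        if term.startswith("<"):
            ok = value < parse(term[1:])
        elif term.startswith(">"):
            ok = value > parse(term[1:])
        else:
            ok = value == parse(term)
        if not ok:
            return False
    return True


def _list_match(selected: Iterable[str], value: Any) -> bool:
    """Multi-select list: a row matches if it carries any of the selected values."""
    row_values = value if isinstance(value, (list, tuple, set)) else [value]
    return any(v in row_values for v in selected)


def _bool_match(criterion: str, value: Optional[bool]) -> bool:
    crit = criterion.strip().lower()
    if crit == "null":                       # null is accepted for some Boolean fields
        return value is None
    return value is {"true": True, "false": False}[crit]


def matches(field_type: str, criterion: Any, value: Any) -> bool:
    if field_type == "text":
        return _text_match(criterion, value)
    if field_type == "number":
        return _ordered_match(criterion, value, float)
    if field_type == "date":
        return _ordered_match(criterion, value, _parse_date)
    if field_type == "list":
        return _list_match(criterion, value)
    if field_type == "bool":
        return _bool_match(criterion, value)
    raise ValueError(f"unknown field type: {field_type}")


def filter_rows(rows: List[Dict[str, Any]], criteria: Dict[str, Any],
                schema: Dict[str, str]) -> List[Dict[str, Any]]:
    """Keep rows satisfying every criterion (filters on several fields are ANDed)."""
    return [r for r in rows
            if all(matches(schema[f], c, r.get(f)) for f, c in criteria.items())]


SCHEMA = {"name": "text", "mgmt_ip": "text", "throughput": "number",
          "state": "list", "in_policy": "bool", "last_seen": "date"}

# Constructed sample PEP grid rows (not real appliances).
PEPS = [
    {"name": "pep-hq", "mgmt_ip": "192.0.2.10", "throughput": 1000, "state": "Up",
     "in_policy": True, "last_seen": date(2024, 3, 1)},
    {"name": "pep-branch1", "mgmt_ip": "192.0.2.20", "throughput": 100, "state": "Degraded",
     "in_policy": True, "last_seen": date(2024, 2, 15)},
    {"name": "pep-lab", "mgmt_ip": "198.51.100.5", "throughput": 150, "state": "Down",
     "in_policy": False, "last_seen": None},
]
```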
Figure 10 Example Header Filter box
To filter a view:
1 Click in the header filter box for the field by which you want to filter.
2 Type the data by which you want to filter or select values from a list.
For example, you could enter 192 in the Management IP Address field to filter a list of PEPs to
display only those with IP addresses that begin with 192.
3 Repeat for other fields that you want to add to the filter.
4 Click [icon] or press Enter.
To remove filters, click [icon] or delete the contents of the header filter box and press Enter.
Selecting Items
To create policies in EncrypTight you will need to select items in order to make configuration changes or
to use them in policies.
• To select an item in a grid, click on it or click on the checkbox next to it. You can select multiple items by pressing Ctrl and clicking on multiple items.
• To deselect an item, clear the checkbox.
• To select all items, click the Select all checkbox (indicated with the arrow in Figure 11).
Figure 11 Selected and Unselected PEPs
Working with Columns
In some views and tabs, you can rearrange the columns and select which columns you want to display.
To move a column:
1 Click and drag a column to the new location. Arrows display to indicate where the column will be
located.
To select columns to display:
1 Click [icon] on any column header and select Columns.
2 Select the columns to show or hide.
To resize a column:
1 Click on the right edge of a column and drag to resize the column to a new size.
Toolbars
Toolbars provide access to frequently used functions. Toolbars/buttons are available in multiple views.
Table 4 PEPs View Toolbar
Button: Description
• Remove all filters.
• Apply filters.
• Add a new PEP.
• Edit the configuration of a PEP. Click [icon] to edit specific settings for multiple selected PEPs.
• Edit the configuration of the selected PEP.
• Refresh the status of selected PEPs.
• Compare the stored configuration with the configuration running on the PEP.
• Apply stored configurations to selected PEPs.
• Copy the configuration of a selected PEP.
• Allows you to view a summary of the current license, install a license on an appliance, or install all pending licenses.
• Remote show command on a selected PEP.
• Run a secure shell remote command on a selected PEP.
• Delete selected PEPs.
• Import PEP configurations from a file.
• Displays the policies in which the selected PEP is used and provides access to other PEP-related policy functions.
• Exports the data displayed in the view to an Excel spreadsheet.
• Restores the grid view to a default configuration.
Editors
Editors allow you to add or change ETM components and policies. When you first log in, no editors are
open. You can open multiple editors at any time. Each opened editor appears as a tab in the window.
Figure 12 Editors
Some editors, such as the Policy editors, require a drag and drop operation. To enter a PEP, network,
network set, or VLAN range into an editor, select the element and then drag it to the desired box on the
editor. Once the element has been dragged to the editor, it is removed from the original tab.
To delete elements from an editor, right-click on an element and click Remove (Remove Network Set,
for example). After you remove an element from an editor, it becomes available again on the original tab.
When information in an editor has been changed but not yet saved, or when there is an error, EncrypTight displays a red dot on the editor tab. As you work with policies and other elements, fields with errors are highlighted in red.
Viewing Status
The PEPs view indicates the status of the PEPs, but you can view the current status of your PEPs in a
larger and more graphical manner by clicking Home. The left panel displays the number of PEPs in each
possible state, while the right panel displays the status of each individual PEP, along with identifying
information such as the name and location. You can filter the list in the right panel by status and location.
To filter the PEP list by status:
1 Click the State box and select a state.
To filter the PEP list by location:
1 Click in the Location box and type the location.
To clear the filters, click the Remove all filters button.
Understanding User Roles
EncrypTight is a multi-user system. There are multiple roles with distinct capabilities that can be assigned
to new users. In hierarchical order, the roles include:
• Platform Administrator
• Administrator
• User
• Appliance Admin
• Appliance Operator
• Policy Creator
• Policy Deployer
All users can change their own passwords, but users cannot edit the account settings for any user with
more advanced privileges than they have.
At least one Platform Administrator account must exist in EncrypTight; EncrypTight will not allow you to delete the last remaining Administrator account. You can create as many Administrator and other user accounts as you need.
You can learn more about user accounts and how EncrypTight user accounts interact with PEP user
accounts in “Managing EncrypTight Users” on page 165.
Figure 13 New User Roles
Managing Licenses
The use and functionality of ETM components are controlled through licenses. How the licenses work
and the features available depend on the component.
NOTE
• Licenses are required for PEPs with software version 1.6 and later. Previous versions of PEP software do not require licenses.
• A license is required for the EncrypTight software.
Each PEP is capable of transmitting traffic at a range of speeds that varies by model. Licenses control the
throughput speed. This allows you to upgrade your existing PEPs to transmit traffic at higher speeds as
your network grows and your needs change. Table 5 lists the available speeds for each PEP model. You
can specify the throughput speed of the PEP on the Interfaces tab in the appliance editor.
Table 5 PEP Throughput Speeds
Model          Available Throughput
ET0005A        up to 5 Mbps
ET0010A VSE    3, 6, 10, 25, 50 Mbps
ET0100A VSE    25, 50, 75, 100, 155, 250 Mbps
ET1000A VSE    100, 155, 250, 500, 650 Mbps, 1 Gbps
ET10000A       500, 650 Mbps, 1, 2.5, 5, 10 Gbps
You need to install a license on each PEP that you use. Licenses are linked to the serial number of the
PEP on which they are installed. You cannot install a license intended for one PEP on a different PEP.
Before you begin adding PEPs and using EncrypTight, contact Customer Support to acquire your license
key (see “Contacting Customer Support” on page 16). You need to provide the ETM ID.
To view the EncrypTight ID:
1 Choose Admin > License.
Figure 14 EncrypTight ID
If you upgrade from a command line-only installation to a full EncrypTight deployment, you can no longer use the command line-only license and must acquire an EncrypTight license.
You cannot install licenses on your PEPs until you install a license for EncrypTight. The EncrypTight
license specifies the maximum number of PEPs that can be managed in your deployment and the speeds
at which they are licensed to run. The license specifically controls how many PEPs can be configured to
run at each throughput speed. For example, one EncrypTight deployment might run 10 ET0100As at 100
Mbps and an additional four ET0100As at 250 Mbps. When your needs change, you can easily upgrade
EncrypTight to support a larger number of PEPs.
Installing Licenses
You install and update licenses using the EncrypTight License Information view.
Figure 15 EncrypTight Manager License Information
To enter EncrypTight licenses:
1 Choose Admin > License.
2 Enter the license key in the New License box.
3 Click Enter License.
After you enter a license for EncrypTight, you can install licenses on your PEPs. The PEP license
specifies the speed at which the PEP can transmit traffic.
To install a license on the PEP:
1 In the PEPs View, select the PEPs on which you want to install licenses.
2 Click the license button and choose Install License.
3 When you are prompted for confirmation, click Yes.
You can also install the license on the PEP when you apply configurations by selecting the Check to also
install a throughput license option.
NOTE
• You can check whether a license is installed, and the throughput speed configuration, by clicking Diff Config.
• Be aware that CLI commands that affect the file system, such as restore-filesystem, will erase the currently installed license, and you will need to re-install the license to regain full functionality.
Upgrading Licenses
When your needs change, you can easily upgrade the number of PEPs that EncrypTight can manage and
you can also upgrade your PEPs to run at faster throughput speeds.
Upgrading the EncrypTight License
When you upgrade the EncrypTight license, a new license replaces the old one. Contact Customer
Support to acquire a new license. When you receive the new license, follow the procedure for entering
EncrypTight licenses (see “To enter EncrypTight licenses:” on page 30).
For information on how to contact Customer Support, see “Contacting Customer Support” on page 12.
Upgrading PEP Licenses
You can upgrade PEP licenses in order to configure the PEPs to run at faster throughput speeds. After
you install a new EncrypTight license, use the same procedure for installing a license on the PEP to
upgrade the PEPs. After installing the licenses, open the appliance editor for each affected PEP and
change the Throughput Speed to the new value. For more information about configuring PEPs, see
“Provisioning PEPs” on page 35 and “Configuring PEPs” on page 113.
You can upgrade the PEP whenever you have unused licenses for speeds that a selected PEP can support.
Once a license for a specific throughput speed is installed on a specific PEP it cannot be used on any
other PEP.
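The licensing rules in this section (counts per model and speed in the EncrypTight license, a PEP license bound to one serial number for good, and only the speeds a model supports in Table 5) can be stated precisely as a small model. The following is an added illustration written for this guide, not EncrypTight's own code: the class and method names, the serial numbers and the license pool are constructed, and the pool values are the "10 ET0100As at 100 Mbps plus four at 250 Mbps" example from the text.

```python
"""Added illustration of the throughput-licensing rules described above; it is
not EncrypTight code.  The class and method names, the serial numbers and the
license pool are constructed for the example.  The rules are the guide's: the
EncrypTight license fixes how many PEPs of each model may run at each speed,
a PEP license is bound to the serial number it is installed on and is never
freed for another PEP, and a PEP can only be licensed for a speed its model
supports (Table 5)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Table 5: throughput speeds each hardware model can be licensed for, in Mbps.
SUPPORTED_SPEEDS_MBPS = {
    "ET0010A": {3, 6, 10, 25, 50},
    "ET0100A": {25, 50, 75, 100, 155, 250},
    "ET1000A": {100, 155, 250, 500, 650, 1000},
    "ET10000A": {500, 650, 1000, 2500, 5000, 10000},
}


class LicenseError(Exception):
    """Raised when an install would break one of the licensing rules."""


@dataclass
class Pep:
    serial: str                            # every installed license is tied to this value
    model: str
    throughput_mbps: Optional[int] = None  # None: no throughput license installed yet


@dataclass
class EtmLicense:
    """The EncrypTight (server-side) license: (model, Mbps) -> number of PEPs allowed."""
    pool: Dict[Tuple[str, int], int]
    # serial number -> every (model, Mbps) license ever installed on that PEP;
    # entries are never removed, because a license cannot move to another PEP.
    installed: Dict[str, List[Tuple[str, int]]] = field(default_factory=dict)

    def unused(self, model: str, speed: int) -> int:
        used = sum(1 for entries in self.installed.values() for e in entries if e == (model, speed))
        return self.pool.get((model, speed), 0) - used

    def check(self, pep: Pep, speed: int) -> Optional[str]:
        """Reason an install on `pep` at `speed` would be refused, or None if allowed."""
        if speed not in SUPPORTED_SPEEDS_MBPS.get(pep.model, set()):
            return f"{pep.model} cannot run at {speed} Mbps"
        if (pep.model, speed) in self.installed.get(pep.serial, []):
            return f"serial {pep.serial} already holds a {speed} Mbps license"
        if self.unused(pep.model, speed) <= 0:
            return f"no unused {pep.model} license at {speed} Mbps in the EncrypTight license"
        return None

    def install(self, pep: Pep, speed: int) -> None:
        """Install (or upgrade to) a throughput license, consuming one pool entry for good."""
        reason = self.check(pep, speed)
        if reason is not None:
            raise LicenseError(reason)
        self.installed.setdefault(pep.serial, []).append((pep.model, speed))
        pep.throughput_mbps = speed   # the operator then sets this on the Interfaces tab


if __name__ == "__main__":
    # Constructed pool: the deployment example from the text.
    lic = EtmLicense({("ET0100A", 100): 10, ("ET0100A", 250): 4})
    peps = [Pep(f"SN-{i:03d}", "ET0100A") for i in range(5)]   # constructed serials
    for p in peps[:4]:
        lic.install(p, 250)
    print("250 Mbps licenses left:", lic.unused("ET0100A", 250))
    print("fifth PEP at 250 Mbps:", lic.check(peps[4], 250))
```

The `check` method is what an operator-facing tool would call before offering Install License for a PEP: it reports why the install would fail without changing any state, and `install` only proceeds when `check` returns nothing.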
Viewing License Summary
You can view both the CPU and Throughput License summaries by selecting the License Summary
pulldown and selecting either the CPU Licenses or Throughput Licenses.
Figure 16 CPU/Throughput License Summary
ETVEP Enterprise Licensing
For Enterprise customers, ETVEP licenses will be one-time perpetual licenses based on the number of virtual appliances and the number of vCPUs allocated to each virtual appliance. Customers will pay a license fee for each ETVEP that they operate, and for each ETVEP they can choose an ETVEP license that specifies the maximum number of virtual CPUs supported for that appliance.
The following vCPU license levels are supported in this ETM release:
Table 6 vCPU Licences
ETVEP Virtual Appliance    Max vCPUs Supported
ETVEP-01                   1
ETVEP-02                   2
ETVEP-04                   4
ETVEP-08                   8
ETVEP-16                   16
Users can manage ETVEP licenses in ETM simply and easily, while preventing fraud and abuse in a way
that is as consistent with existing bandwidth licensing as possible.
NOTE
An unlicensed copy of the ETVEP passes all traffic in the clear (i.e. acts as a wire).
ETM cannot manage an unlicensed ETVEP, except to add a license or to establish a trust by certificate
exchange. This model is slightly different than the existing bandwidth model in that there is no default
minimum-bandwidth license.
NOTE
Moving or cloning an ETVEP clears its license (it goes back to zero CPUs and acts as a wire).
If a licensed ETVEP boots with more vCPUs allocated than its license specifies, it behaves as if it has a zero-CPU license until the number of allocated vCPUs is less than or equal to the number of licensed vCPUs.
NOTE
ETM will report the following PEP states as errors:
• "License Oversubscribed": the license is set for fewer CPUs than are currently allocated to the ETVEP. No encryption will happen in this case. Policy configuration changes should still be possible but will not get pushed to the dataplane.
• "License Undersubscribed": the license is set for more CPUs than are currently allocated. The ETEP will operate as normal, but at reduced throughput. This state should be colored orange.
• "No License": the ETVEP will act as a wire.
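The three license states above, together with the zero-CPU default, the boot-time oversubscription rule and the clone/move rule, form a small state model worth writing down, because the security-relevant consequence (an oversubscribed or unlicensed ETVEP passes traffic in the clear) is easy to miss. The following is an added example, not EncrypTight code: the class and function names are constructed, the label "Licensed" for the non-error case is constructed (the guide only names the error states), and the license levels are those of Table 6.

```python
"""Added illustration, not EncrypTight code, of the ETVEP vCPU license states
listed above.  Class and function names are constructed; the license levels
(Table 6), the zero-CPU default, the clone/move rule and the three error
states come from the guide.  "Licensed" is a constructed label for the
non-error case."""
from dataclasses import dataclass
from typing import Optional

# Table 6: maximum vCPUs each ETVEP license level permits.
VCPU_LICENSE_LEVELS = {"ETVEP-01": 1, "ETVEP-02": 2, "ETVEP-04": 4, "ETVEP-08": 8, "ETVEP-16": 16}


@dataclass
class Etvep:
    name: str
    allocated_vcpus: int       # vCPUs the hypervisor actually gives the virtual appliance
    licensed_vcpus: int = 0    # a fresh ETVEP is unlicensed: zero CPUs, acts as a wire

    def install_license(self, level: str) -> None:
        self.licensed_vcpus = VCPU_LICENSE_LEVELS[level]

    def clone(self, new_name: str, allocated_vcpus: Optional[int] = None) -> "Etvep":
        """Moving or cloning an ETVEP clears its license: the copy is back to zero CPUs."""
        vcpus = self.allocated_vcpus if allocated_vcpus is None else allocated_vcpus
        return Etvep(new_name, vcpus, licensed_vcpus=0)


def license_state(e: Etvep) -> str:
    """The license-related PEP state ETM would report; everything but 'Licensed' is an error."""
    if e.licensed_vcpus == 0:
        return "No License"
    if e.allocated_vcpus > e.licensed_vcpus:
        return "License Oversubscribed"
    if e.allocated_vcpus < e.licensed_vcpus:
        return "License Undersubscribed"
    return "Licensed"


def encrypts_traffic(e: Etvep) -> bool:
    """Unlicensed and oversubscribed ETVEPs behave as zero-CPU appliances and act as a wire;
    an undersubscribed one still encrypts, just with fewer vCPUs than it is licensed for.
    The same condition decides whether a policy push reaches the dataplane."""
    return license_state(e) in ("Licensed", "License Undersubscribed")


def effective_dataplane_vcpus(e: Etvep) -> int:
    """vCPUs actually doing encryption work in the current state."""
    return e.allocated_vcpus if encrypts_traffic(e) else 0


if __name__ == "__main__":
    vep = Etvep("vep-1", allocated_vcpus=4)          # constructed appliance
    print(vep.name, license_state(vep), encrypts_traffic(vep))
    vep.install_license("ETVEP-04")
    print(vep.name, license_state(vep), encrypts_traffic(vep))
    vep.allocated_vcpus = 8                           # someone raised the VM's CPU count
    print(vep.name, license_state(vep), encrypts_traffic(vep))
    print(vep.clone("vep-2").name, license_state(vep.clone("vep-2")))
```

A monitoring check built on `encrypts_traffic` is the useful output here: any ETVEP for which it returns False is forwarding plaintext, whether because it was never licensed, was cloned, or simply had vCPUs added to it.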
Configuring ETVEP CPU Licenses
To configure ETVEP CPU licenses, perform the following steps:
1 Add a PEP.
2 Fill in the IP address and configure the other PEP information such as PEP Type and Software Version (for an ETVEP, Type = ETVEP and Software Version = 2.2).
3 Select Add.
4 Select the number of CPUs from the CPUs pulldown menu. For this ETM release, the supported maximum numbers of CPUs are 1, 2, 4, 8, or 16.
Figure 17 Select Maximum Number of Virtual CPUs (ETVEP)
Figure 18 ETVEP CPU Licenses Tab
Logging Out
To maintain security, you should log out and close your browser when you stop working with the
EncrypTight software.
To log out:
1 Click Logout.
Chapter 3: Provisioning PEPs
Provisioning Basics
EncrypTight Manager can be used to either adopt a PEP that is already installed in your network or to
add a pre-provisioned PEP. An adopted PEP is added to EncrypTight Manager with the configuration
saved on the appliance, while a pre-provisioned PEP is manually configured using the EncrypTight
Manager PEP editor. When pre-provisioning a new PEP, the first thing to do is select its product family
and software version. EncrypTight displays a tabbed configuration screen tailored to the specified model
and software version. On most models the Interfaces tab contains the fields required to identify an
appliance: its name and interface IP addressing information.
Many settings are optional, but to use a PEP with EncrypTight, there are specific settings that must be
configured. See “Configuring PEPs for Use with ETM” on page 39 for a list of these settings.
Select other tabs to configure additional items on the appliance, such as SNMP settings or logging. The
availability of specific tabs and configuration options varies depending on your appliance model and
software version.
Other than the interface IP addresses, many appliance settings will be the same for all Black Box
appliances in your network. For these cases you can customize the default configuration to use on your
appliances. This offers a significant time savings if you are provisioning a large number of appliances.
Another time-saving feature that is useful in large deployments is EncrypTight’s ability to import basic configuration information from an Excel spreadsheet or a comma-separated values (CSV) file.
Adopting a PEP
You can add a PEP that has been configured previously and copy the previous configuration settings into
EncrypTight. You cannot adopt a PEP that has a name or IP address that is already used in the system.
To adopt a PEP:
1 Click the menu icon on the PEPs menu and select Add PEP, or click the Add PEP toolbar button.
The Add PEP menu opens.
Figure 19 Add PEP Menu
2 In the PEP (mgmt IP address) box type the IP address of the management port.
3 In the Name box, enter a unique name for this PEP.
4 Enter a User ID and Password.
5 Check Adopt.
6 Click Add.
EncrypTight queries the PEP to determine the configuration and then opens an editor where you can make any necessary changes.
Figure 20 PEP Editor
7 When you finish making changes, click Save.
NOTE
For PEP versions 2.2 and later, Remote In-Band Management is a selection on the Interfaces tab. If Remote In-Band Management is enabled, the management IP must be IPv4, not IPv6. The Remote In-Band Management selection box only appears with PEP versions 2.2 and later.
Remote in-band management
ETM adds a Remote In-Band Management (RIBM) configuration attribute to the management interface. RIBM allows devices to be managed remotely without using external switch ports to connect to the management port. The PEP has a single management interface and a single management IP address.
• Either out-of-band management or RIBM must be enabled; both cannot be enabled at the same time.
• If RIBM is enabled, the management IP interface of the ETEP is reachable only via the remote port.
• If RIBM is enabled, the local port cannot be used to manage the device.
RIBM traffic passes through the data plane, so the administrator must set “pass TLS in the clear” or configure a policy to allow it to pass through the data plane.
How RIBM affects ETM
With the release of 2.2 PEP software, special policy design considerations must be taken into account for ETM access to ETEP devices over protocols such as FTP and SSH. Before the release of 2.2, all PEPs were managed out of band. The management port was typically connected to the Local port LAN segment and followed the rules defined by the policy for that LAN segment. In most cases, TLS traffic was always passed in the clear and other management protocols such as FTP were encrypted and decrypted using the configured policy.
With the release of the 2.2 ETEP code and the ET0005A, RIBM may change this behavior depending on the addressing scheme used for the management IP addresses of the ETEP. If the management network is configured for a different IP subnet than that of the customer's LAN segments, protocols such as FTP and SSH will be blocked, because the RIBM IP address does not match the configured policy. In this scenario, FTP and SSH traffic is dropped by the remote ETEP, which prevents upgrades, appliance log file retrieval, and SSH access to the remote device.
NOTE
Although this may be a corner case in transparent mode, it will always be the case when the ETEP is in non-transparent mode, where the management IP address will in most cases be the same IP address as the Remote port and will not match the customer's encryption policy.
Any operation that only requires TLS and XML-RPC is not affected: for example, refresh status, policy deployments, and statistics gathering.
To prevent the potential problem defined above, an EZMesh Policy MUST be configured as the highest
priority policy or before any encrypt policy using the wildcard address of 0.0.0.0 and the IP address of
the ETM server. If ETM is configured as a cluster, include all /32 addresses of each node in the cluster.
Figure 21 shows an example Easy Mesh policy that prevents the issue noted above, and Figure 22 shows a topology and addressing scheme that would require the Easy Mesh policy.
Figure 21 Add Easy Mesh Policy Menu
Figure 22 Topology Requiring Easy Mesh Policy
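The ordering rule above (an EZMesh policy pairing the 0.0.0.0 wildcard with the /32 of every ETM server or cluster node, placed before any encrypt policy) is easy to get wrong when policies are re-prioritized later, so it is worth checking mechanically before deploying. The following lint is an added example, not EncrypTight code: the Policy class, the action names, and the sample addresses (10.0.0.5 and 10.0.0.6 as ETM cluster nodes, 192.0.2.0/24 and 198.51.100.0/24 as protected LANs) are constructed, and whether the ETM address appears on the source or destination side of the mesh policy is accepted either way because the guide does not fix it.

```python
"""Added example, not EncrypTight code: a lint for the guide's RIBM
policy-ordering rule.  The Policy class, action names and sample addresses
are constructed.  Rule: an EZMesh policy between the 0.0.0.0 wildcard and
the /32 of every ETM node must precede any encrypt policy."""
import ipaddress
from dataclasses import dataclass
from typing import List

WILDCARD = "0.0.0.0"   # the guide's wildcard address meaning "any address"


@dataclass
class Policy:
    name: str
    action: str               # "mesh" (EZMesh), "encrypt", "clear" or "drop"
    sources: List[str]        # host /32s, networks, or WILDCARD
    destinations: List[str]


def _covers(specs: List[str], addr: str) -> bool:
    """True if `addr` falls inside any spec (a /32 host, a network, or the wildcard)."""
    ip = ipaddress.ip_address(addr)
    return any(spec == WILDCARD or ip in ipaddress.ip_network(spec, strict=False)
               for spec in specs)


def _is_management_mesh(policy: Policy, etm_node: str) -> bool:
    """An EZMesh policy with the wildcard on one side and the ETM node on the other."""
    if policy.action != "mesh":
        return False
    return ((WILDCARD in policy.sources and _covers(policy.destinations, etm_node)) or
            (WILDCARD in policy.destinations and _covers(policy.sources, etm_node)))


def check_ribm_policies(policies: List[Policy], etm_nodes: List[str]) -> List[str]:
    """Return the problems found; an empty list means the ordering rule holds.
    `policies` is in priority order, highest priority first; `etm_nodes` lists
    the ETM server address or, for a cluster, every node address."""
    problems = []
    encrypt_positions = [i for i, p in enumerate(policies) if p.action == "encrypt"]
    first_encrypt = min(encrypt_positions) if encrypt_positions else None
    for node in etm_nodes:
        matches = [i for i, p in enumerate(policies) if _is_management_mesh(p, node)]
        if not matches:
            problems.append(f"no EZMesh policy pairs the 0.0.0.0 wildcard with ETM node {node}/32")
        elif first_encrypt is not None and min(matches) > first_encrypt:
            problems.append(f"EZMesh policy '{policies[min(matches)].name}' for {node} is ordered "
                            f"after encrypt policy '{policies[first_encrypt].name}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: a two-node ETM cluster and one site-to-site encrypt policy.
    nodes = ["10.0.0.5", "10.0.0.6"]
    mesh = Policy("ETM management", "mesh", [WILDCARD], ["10.0.0.5/32", "10.0.0.6/32"])
    enc = Policy("site-to-site", "encrypt", ["192.0.2.0/24"], ["198.51.100.0/24"])
    print("correct order:", check_ribm_policies([mesh, enc], nodes))
    print("encrypt first:", check_ribm_policies([enc, mesh], nodes))
```

Run it against the exported policy list whenever a policy is added or re-prioritized; a non-empty result means upgrades, log retrieval and SSH to the remote ETEP are about to be blocked in exactly the way the text describes.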
Pre-Provisioning an Appliance
Adding a new appliance in EncrypTight is the first step in being able to manage it remotely. Configuration screens are
tailored to a particular combination of hardware and software, so it is important to select the correct product family
and software version when adding a new appliance.
To Pre-Provision an Appliance:
1 Click PEPs to open the PEPs view.
2 Click the menu icon on the PEPs menu and select Add PEP, or click the Add PEP toolbar button.
3 The Add PEP box opens. In the PEP (mgmt IP address) box, type the IP address of the management port.
4 Ensure the Port is set to 8443. ETM must use 8443 as the default ETEP listening port for appliances running 2.3 or later. To make Secure Mesh Internet easier for customers who cannot do port translation, or whose internet providers block port 443, the default 2.3 XML-RPC port is 8443.
5 In the Name box, enter a unique name for this PEP.
6 Enter a User ID and Password.
7 In the Subnet Mask and Default Gateway boxes, enter the appropriate values.
8 From the PEP Type box, select the model.
9 From the PEP Software Version box, select the version of the software currently running on the PEP.
10 Click Add.
EncrypTight opens a PEP editor where you can configure other settings (see Figure 20).
Configuring PEPs for Use with ETM
While your network and deployment needs might call for a number of additional configuration options, Table 7 lists the settings required to use a PEP in an ETM system.
Table 7 EncrypTight PEP configuration
Network interfaces: On the Interfaces tab, configure the management, local and remote port settings of the PEP. If the PEP and the ETM servers are on different subnets, specify a default gateway that the PEP can use for communications.
Enable passing TLS in the clear: On the Security tab, enable passing TLS in the clear. If this is not enabled, communications between ETM components will not pass through this PEP.
Encryption Mode: On the Security tab, specify whether the PEP should operate as a Layer 2 (Ethernet) PEP or a Layer 3 (IP) PEP.
Enable SNTP for time synchronization: On the Time Settings tab, click Enable SNTP Client and enter the IP address of the NTP service. If you enable an SNTP client on the PEP, provide a server address for the most reliable source that retrieves time from a stratum 3 or higher clock source. If the ETM components are not synchronized with a reliable clock source and the time difference between components is significant, policies and keys can expire before they would normally be renewed. Traffic can get dropped or mistakenly passed in the clear. EncrypTight Manager has support for clock skew detection during refresh. The PEP state will indicate if the clock is out of sync with EncrypTight Manager by more than 10 minutes.
For complete information about PEP configuration, see “Configuring PEPs” on page 113.
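The time-synchronization entry in Table 7 makes two claims: that a PEP clock more than 10 minutes off is flagged during refresh, and that a skewed clock can make keys expire before they are renewed. The following added example, not EncrypTight code, works both through. The function names, timestamps and key lifetime are constructed; the 10-minute threshold is the guide's; how far ahead of expiry the manager renews a key is not stated in the guide, so it is a parameter (`renew_before`) and an assumption of this example.

```python
"""Added example, not EncrypTight code, of the clock-skew check and its
effect on key lifetimes described above.  Function names, timestamps and the
key lifetime are constructed; the 10-minute threshold is the guide's; the
renewal lead (`renew_before`) is an assumption, since the guide does not
state when a key is renewed."""
from datetime import datetime, timedelta, timezone

SKEW_LIMIT = timedelta(minutes=10)   # guide: PEP state flags a clock more than 10 minutes out


def clock_skew(manager_now: datetime, pep_time: datetime) -> timedelta:
    """Signed skew of the PEP clock relative to EncrypTight Manager (positive: PEP runs ahead)."""
    return pep_time - manager_now


def clock_in_sync(manager_now: datetime, pep_time: datetime) -> bool:
    """The refresh-time check: in sync unless the skew exceeds SKEW_LIMIT in either direction."""
    return abs(clock_skew(manager_now, pep_time)) <= SKEW_LIMIT


def early_expiry_window(manager_now: datetime, pep_time: datetime,
                        key_lifetime: timedelta, renew_before: timedelta) -> timedelta:
    """How long a PEP treats a key issued now as expired before the manager's renewal
    arrives.  The manager renews `renew_before` ahead of the expiry time stamped in
    the key; the PEP judges that stamp against its own clock, so a PEP running `skew`
    ahead reaches the stamp `skew` earlier in manager time.  Zero or negative: no gap."""
    skew = clock_skew(manager_now, pep_time)
    pep_sees_expiry_at = manager_now + key_lifetime - skew       # expressed in manager time
    manager_renews_at = manager_now + key_lifetime - renew_before
    return manager_renews_at - pep_sees_expiry_at


def traffic_at_risk(manager_now: datetime, pep_time: datetime,
                    key_lifetime: timedelta, renew_before: timedelta) -> bool:
    """True if there is a window in which the PEP has no valid key: depending on policy,
    traffic in that window is dropped or passed in the clear."""
    return early_expiry_window(manager_now, pep_time, key_lifetime, renew_before) > timedelta(0)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)            # constructed manager clock
    for offset in (timedelta(minutes=2), timedelta(minutes=15)):
        pep = now + offset                                      # constructed PEP-reported time
        print(f"PEP ahead by {offset}: in sync={clock_in_sync(now, pep)}, "
              f"early-expiry window={early_expiry_window(now, pep, timedelta(hours=1), timedelta(minutes=5))}")
```

The point the numbers make is that the 10-minute threshold is a reporting threshold, not a safety margin: whether a given skew actually opens a window depends on the key lifetime and renewal lead in use, so a PEP that is only a few minutes off can still be reported as in sync while a short-lived key would already expire early.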
Saving PEP Configurations
You can save an appliance configuration at any time during the configuration process. PEP configurations
are saved as part of the ETM database. A red dot on the editor tab indicates there are unsaved changes or
a field contains an invalid value. EncrypTight provides several ways to save PEP configurations.
Table 8 Saving appliance configurations
OK: Saves the configuration and closes the PEP editor tab.
Save: Saves the configuration.
Save & New: Saves the current configuration, closes the PEP editor tab, and opens the Add PEP menu.
NOTE
EncrypTight will not save a configuration that contains an error or an invalid entry. All three buttons (OK, Save, and Save & New) are disabled if there are any errors. EncrypTight highlights fields that contain an error in red; additionally, there is hover text for the error fields, and a popup notification dialog in the lower right corner lists all of the errors on the form.
Applying Configurations
After you define the configuration for each PEP, you can apply the configuration to the targeted PEPs.
To apply configurations to PEPs:
1 In the PEPs view, select the target PEPs.
2 Click the Apply Config toolbar button to apply stored configurations to the selected PEPs, or right-click and select Apply Config.
3 When you are prompted for confirmation, click Yes.
Success/failure of the operation is indicated in the Management Activity panel, with a brief description.
ETM port configuration requirements for ET0005A
• ET0005A port settings are not enabled initially. ET0005A port settings will be addressed with the CLI.
• The ET0005A has 4 local switch ports, which will support: auto-negotiation, link speed (10 FD / HD only), flow control, and an enabled boolean (not exposed via UI).
• The ET0005A does not support txEnable.
• The ET0005A does not support Flow Control, so that will be removed from the ETM UI for all ports.
NOTE
ETM does not support a throughput speed for the ET0005A. Throughput speed should be empty. ET0005As cannot be licensed from a VSE perspective. ETM expects an ET0005A to report a speed of null, so the diff is correct.
Viewing PEP Status
The PEPs view displays information about each PEP, such as its operational status, name, IP addresses,
product family, software version, and location (see Table 13 for a list of the available columns).
EncrypTight tracks three types of status related to each PEP:
• Configuration state: indicates whether the current configuration on the PEP matches the configuration stored on the server. For more information, see Table 9.
• PEP state: indicates the operational status of the PEP. For more information, see Table 10.
• Reachability state: indicates if the PEP is reachable. For more information, see Table 10.
• Policy state: indicates whether the policies currently being enforced on the PEP match the policies stored on the server. For more information, see Table 11.
You can always get the latest status of a PEP by clicking the Refresh toolbar button and selecting a Refresh Status command. For more information about options for refreshing status, see “Refreshing Status” on page 103.
Table 9 Configuration states
• Indicates that the configuration stored in EncrypTight matches the current configuration on the PEP. You can compare the configurations to view the discrepancies (see “Comparing Configurations” on page 42).
• Indicates that the configuration stored in EncrypTight is different from the current configuration on the PEP.
• Indicates that EncrypTight does not know the configuration of the PEP. EncrypTight has not yet queried the PEP or the PEP has not responded.
Table 10 PEP states
Pre-Provisioned: Indicates that the configuration for this PEP has been saved in EncrypTight, but not yet applied to the PEP. This allows you to create a configuration for a PEP before it is installed and connected to your network.
Undefined Error: The PEP is in an error state. See the Installation Guide for the PEP for information about error diagnostics and recovery.
Up and Operational: Indicates that the configuration stored in EncrypTight is the same as the configuration on the PEP and the PEP is reachable.
Reboot Required: Indicates that the PEP must be rebooted to apply changes. You might see this state after you have updated the software installed on a PEP, for example.
Reload Required: Policies must be reloaded for them to take effect.
Control Plane Not Responding: Indicates that you might not be able to communicate with or control the PEP. You might need to physically power down the PEP and restart it.
Booting: The PEP is starting up.
Reloading Policies: Indicates that the PEP is in the process of reloading the policies.
Failure State: Indicates that the PEP has entered a failure state and might be discarding traffic. You should shut down the PEP and contact Customer Support (see “Contacting Customer Support” on page 12).
Stopped: Indicates that the PEP has been shut down. This is not an error state. Note that although it is possible to shut down a PEP from within the EncrypTight software, you must have physical access to the device to start it.
Upgrading: Indicates that the software on the PEP is in the process of being upgraded.
Deleting: Indicates that the PEP is being deleted from the system.
Unknown: EncrypTight does not know the status of the PEP. EncrypTight has not queried the PEP or the PEP is not responding.
Table 11 Policy states
• Indicates that the policies stored in EncrypTight match the current policies on the PEP.
• Indicates that the policies stored in EncrypTight are different from the current policies on the PEP.
• Indicates that EncrypTight does not know the policy status of the PEP. EncrypTight has not yet queried the PEP or the PEP has not responded.
Controlling the Status Refresh Interval
EncrypTight automatically refreshes the status of your PEPs at periodic intervals. Depending on your needs, you might want to adjust the frequency of these checks. The basic refresh simply determines whether the PEP is reachable. The checks for the status (health) and configuration state of a PEP take longer and are controlled separately; they are expressed as multiples of the basic reachability check. The frequency of the status refresh is controlled by three settings on the Configuration view:
Table 12 Auto Refresh Configuration Settings
PEP Ping Interval Seconds: The interval or cycle at which EncrypTight checks the status of the PEP. The default is every 300 seconds (5 minutes).
PEP Ping Diff Frequency: The interval at which EncrypTight queries the PEP for configuration information. The default is every 10 cycles.
PEP Ping Status Frequency: The interval at which EncrypTight queries the PEP for status. The default is every 5 cycles.
You must be logged on as an administrator to make these changes.
To configure the auto refresh interval:
1 Click Admin > EncrypTight Manager Configuration.
2 Locate the group PEP Auto Refresh Configuration.
3 To edit the values you need to change, double-click the item, enter the new value, and click Update.
For details on the settings, see Table 12.
Comparing Configurations
When the configuration of a PEP stored in EncrypTight differs from the configuration in operation on the appliance, the appliance's Config State shows that the configurations differ. EncrypTight provides a side-by-side comparison so you can see how the two configurations differ and determine which is correct. After determining the correct configuration, you can either copy settings from the appliance to EncrypTight or push the EncrypTight configuration to the appliance.
You can also compare the configuration of two selected PEPs and copy settings between them. This can
be helpful in troubleshooting situations if you want to compare the settings between two PEPs to make
sure they are configured similarly.
Figure 23 Compare the EncrypTight and appliance configurations
To compare and update configurations:
1 In the PEPs view, select the PEP or PEPs that you want to check.
2 Click the Diff Config toolbar button, or right-click and select Diff Config.
The Config Diff window displays. The items that are different are listed first. Some configuration items contain too much information to display on a single line. To view complete information for a truncated item, double-click the line.
3 Do one of the following:
• To copy specific configuration settings from a PEP to EncrypTight or to another PEP, select the items to copy and click the copy button. The status changes to show that the configuration items are synchronized.
• To copy all configuration settings from a PEP, click Apply All Diffs.
• To revert a selection to its condition before changes were made, click Revert Selection. Clicking it reverts any previous changes made to the selected rows. It can be used to correct a value pulled over in error or to streamline the process of pulling over all but one or two values (otherwise, you would have to close the window and start over, which is very time consuming). For example, to pull over all of the values except the throughput speed, click Apply All Diffs, select the throughput speed row, and then click Revert Selection before clicking Apply.
4 Click Apply to apply any changes you made in the Config Diff window and update the configuration in EncrypTight.
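The Config Diff procedure above is a small editing model: a view with differing rows first, a set of pending pulls built up by the per-row copy button or Apply All Diffs, Revert Selection to drop pulls again, and Apply to commit. The following is an added example written for this guide, not EncrypTight code; the class, its method names and the sample stored/running configurations are constructed. It ends by running the "all but the throughput speed" sequence from the text.

```python
"""Added example, not EncrypTight code: a model of the Config Diff window
described above.  The class, attribute names and the sample stored/running
configurations are constructed; the behaviour (differing items first,
Apply All Diffs, Revert Selection, then Apply) follows the guide's steps."""
from typing import Any, Dict, Iterable, List, Tuple


class ConfigDiff:
    def __init__(self, stored: Dict[str, Any], running: Dict[str, Any]):
        self.stored = dict(stored)          # configuration stored in EncrypTight
        self.running = dict(running)        # configuration read back from the PEP
        self.pending: Dict[str, Any] = {}   # values pulled over but not yet applied

    def _all_items(self) -> List[str]:
        return sorted(set(self.stored) | set(self.running))

    def differing_items(self) -> List[str]:
        return [k for k in self._all_items() if self.stored.get(k) != self.running.get(k)]

    def rows(self) -> List[Tuple[str, Any, Any, bool]]:
        """(item, stored value, running value, differs), differing items listed first."""
        differ = self.differing_items()
        same = [k for k in self._all_items() if k not in differ]
        return [(k, self.stored.get(k), self.running.get(k), k in differ) for k in differ + same]

    def pull_selection(self, items: Iterable[str]) -> None:
        """Copy the running (PEP) value of each selected row into the pending set."""
        for item in items:
            self.pending[item] = self.running.get(item)

    def apply_all_diffs(self) -> None:
        """The Apply All Diffs button: pull every differing row."""
        self.pull_selection(self.differing_items())

    def revert_selection(self, items: Iterable[str]) -> None:
        """The Revert Selection button: undo pulls for the selected rows only."""
        for item in items:
            self.pending.pop(item, None)

    def apply(self) -> Dict[str, Any]:
        """The Apply button: commit pending values to EncrypTight's stored copy."""
        self.stored.update(self.pending)
        self.pending.clear()
        return dict(self.stored)

    def config_state(self) -> str:
        """What the Config State column would show after this window's changes."""
        return "in sync" if not self.differing_items() else "differs"


def pull_all_but(stored: Dict[str, Any], running: Dict[str, Any], keep: str) -> Dict[str, Any]:
    """The example sequence from the text: Apply All Diffs, select one row, Revert Selection, Apply."""
    diff = ConfigDiff(stored, running)
    diff.apply_all_diffs()
    diff.revert_selection([keep])
    return diff.apply()


if __name__ == "__main__":
    # Constructed sample: the PEP's NTP server and throughput speed were changed on the box.
    stored = {"name": "pep-a", "mode": "Layer 3", "ntp_server": "192.0.2.10", "throughput_speed": 100}
    running = {"name": "pep-a", "mode": "Layer 3", "ntp_server": "192.0.2.11", "throughput_speed": 250}
    for row in ConfigDiff(stored, running).rows():
        print(row)
    print(pull_all_but(stored, running, keep="throughput_speed"))
```

Keeping the pulls in a separate pending set rather than writing straight into the stored copy is what makes Revert Selection cheap, and it is also why nothing reaches EncrypTight's database until Apply is clicked.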
Customizing the PEPs View
You can sort and filter the PEPs view to display the information in which you are most interested. You
can select the columns that you want to display.
To sort the PEPs view:
1 Click any column header. Click again to sort in the reverse order.
To filter the PEPs view:
1 Click in the header filter box (see Figure 10) for the column on which you want to filter and do one of the following:
• Type all or part of a value.
• If the field has preset options, click the drop-down arrow and select the values you want to include.
2 Repeat for each field that you want to include in the filter.
3 Click the Apply filters button.
To display or hide columns:
1 Click the menu icon on any column header.
2 From the menu, click Columns and then click the column that you want to display or hide. Clear the check box to hide a column. Repeat for each column that you want to display or hide.
Table 13 Columns available in the PEPs view
Name: Indicates a unique name assigned to the PEP.
Config State: Indicates the configuration status of the PEP. For a list of possible configuration states, see Table 9.
State: Indicates the operational status of the PEP (see Table 10).
Reachable: Indicates whether the system can communicate with the PEP.
Policy State: Indicates whether the policies being enforced by the PEP match those stored in EncrypTight.
Mgmt IP Address: Indicates the IP address of the management port on the PEP. This is the address that EncrypTight uses to communicate with the PEP.
Mgmt NAT IP Address: Indicates if a PEP has a NATed management IP address. Displays "nat-ip-addr (real mgmt ip addr)".
Mgmt IPv6 Address: Indicates the IPv6 address of the management port on the PEP.
Transparent Mode: Indicates that the original packet header is used as the source.
Local IP: Indicates the IP address for the local port of the PEP, if assigned. The local port connects to a trusted network.
Remote IP: Indicates the IP address of the remote port of the PEP, if assigned. The remote port connects to an untrusted network.
Throughput Speed: Indicates the current throughput speed of the PEP.
Mode: Indicates whether the PEP is operating as a Layer 2 PEP (Ethernet) or a Layer 3 PEP (IP).
Version: Indicates the version of the software installed on the PEP.
Type: Indicates the hardware model of the PEP.
Serial Number: Indicates the serial number of the PEP.
Admin User: Indicates the name of the Admin user.
Tag: Indicates the user-assigned tag.
Location: Indicates the location of the PEP.
City: Indicates the city in which the PEP is located.
ST: Indicates the state in which the PEP is located.
SNMP Name: Indicates SNMP name information.
SNMP Contact: Indicates SNMP contact information.
SNMP Location: Indicates SNMP location information.
NTP?: Specifies whether the PEP synchronizes with an NTP server.
NTP Server: Indicates the IP address of the NTP server with which the PEP synchronizes.
Install TLS Rule: Indicates the TLS rule to be installed.
FIPS Enabled: Indicates that FIPS has been enabled.
Strict Auth?: Indicates whether strict authentication is enabled on the PEP.
Last Config Sync: Indicates the date and time when the PEP configuration was last in sync with the EncrypTight Manager server.
Create Time: Indicates the date and time the PEP was added.
Last Update: Indicates the date and time the PEP configuration was last updated.
Last Update By: Indicates the name of the user who last updated the PEP configuration.
OID: Indicates the Object Identifier of the PEP.
Rebooting PEPs
Occasionally, you might need to reboot a PEP. Because rebooting a PEP interrupts traffic processing, you
should plan the timing of any reboots carefully.
CAUTION
Rebooting halts all operations on a PEP and interrupts data traffic on its local and remote ports. Rebooting
takes several minutes and during this time all traffic is discarded.
To reboot PEPs:
1 In the PEPs view, select the target PEPs.
2 Right-click and from the shortcut menu select Reboot.
3 At the confirmation prompt, click Yes.
After rebooting, you can check the status of a PEP by clicking Refresh and selecting a type of refresh.
Provisioning Large Numbers of PEPs
If you have many PEPs to add to EncrypTight, entering each configuration individually can be time-consuming. Fortunately, EncrypTight offers some tools to help streamline the provisioning of appliances
in large deployments. The general work flow is as follows:
1 Customize configuration templates for each PEP model and software version combination that you
need. You can use configuration templates to configure specific settings common to whole groups of
PEPs.
2 Enter the basic information for the PEPs into an Excel spreadsheet or CSV file and import the file into
EncrypTight. At a minimum this can include the name and IP address of your PEPs.
Another timesaver is the ability to adopt a PEP. Adopting a PEP copies the existing configuration of the
PEP to EncrypTight. Unlike using a configuration template, when you adopt a PEP, the configuration
settings are those that existed previously on the PEP, not what was set up in the template. For more
information, see “Configuring PEPs for Use with ETM” on page 39.
Working with Configuration Templates
Each PEP requires a unique name and management port IP address, but many other settings will be the
same for all of your PEPs. EncrypTight allows you to define your own set of default settings to be used
in all appliances of a particular model and software version level. You can save these settings as a
template and whenever you add a new PEP of that model and software version, your default settings are
automatically included.
Creating PEP Templates
Using a customized default configuration offers a significant time savings when you are provisioning a
large number of appliances. Add settings that are common to all appliances of a particular model and
software version, such as the NTP server, EncrypTight settings, syslog servers, or the password that
EncrypTight uses to access the appliances.
To create a new template:
1 From the PEPs menu, select Templates.
2 In the PEP Templates view, click the toolbar icon that opens the Add PEP Template box.
3 In the Add PEP Template box, select the PEP Type and the PEP Software Version.
4 If necessary, enter a User ID and Password.
5 In the PEP Template editor, assign default values to the appropriate fields.
6 When you finish, click Save.
Customizing PEP Configuration Templates
You can change the settings in a configuration template as needed. Changing a template has no effect on the
PEPs that are already deployed.
To customize the default configuration:
1 From the PEPs menu, select Templates.
2 In the PEP Templates view, select the Template that you want to customize and click the toolbar icon
that opens the template editor.
3 In the template editor, make the changes that you need on each tab.
4 Click OK.
NOTE
EncrypTight will not save a configuration template that contains an error or an invalid entry. The OK and
Save buttons are unavailable if an error is detected. EncrypTight highlights fields that contain an error in
red.
Copying PEP Template Configurations
For a quick start, you can copy the configuration of an existing template and change it to meet your
needs. The copy must be a different model of PEP or have a different software version.
To copy a configuration:
1 Select the PEP Template with the settings that you want to reuse.
2 Click the toolbar icon that opens the Copy PEP Template box.
3 In the Copy PEP Template box, select a different PEP Type or different PEP Software Version, or
both.
4 Click Copy.
All applicable settings from the existing template are copied to a new PEP template.
Comparing PEP Templates
If you have two PEP templates that are similar, it can be helpful to compare them to discover the
differences.
To compare PEP templates:
1 Select the templates that you want to compare and click the toolbar icon for comparing templates.
EncrypTight displays the settings for the two configuration templates side by side in one window.
Deleting PEP Templates
You can delete PEP templates that you no longer need. For example, if you have templates for PEPs that
used an older software version, you no longer need those templates. You can edit them to serve new
purposes, or delete them.
To delete a PEP template:
1 Select the PEP Template that you want to remove and click the toolbar icon for deleting a template.
2 Click Yes when you are prompted for confirmation.
Importing Configurations from an Excel File
When you have a large number of appliances to add to EncrypTight, you can save time by entering the
basic appliance information in an Excel file and then importing the data into EncrypTight.
Creating the Import File
To create the import file, enter the data in Excel and save the file. In a CSV file, commas separate
one field from the next. If the import file contains configuration information for PEPs that have
already been added to EncrypTight, you can choose to merge the new information with the existing
definitions. Otherwise, EncrypTight rejects the duplicate configurations.
To import appliance configurations via Excel to EncrypTight:
1 Create an Excel file containing the new appliance configuration data. In EncrypTight Manager, click
the Export grid to Excel icon.
2 Modify and/or add PEP configuration information as needed and save the Excel file.
3 In EncrypTight, click Import PEPs.
4 In the Import PEPs box, click Browse and select the file to import.
Checking the Time on New Appliances
After importing configurations to EncrypTight and pushing them to the appliances, refresh the appliance
status. In the PEPs Configuration page, check the date and time of the new appliances. If any of the new
appliances’ timestamps differ from the management system’s time by more than five minutes, edit the
appliance to correct the date and time. When the appliance time differs from the actual time by more than
several minutes, the appliance can have trouble synchronizing with the NTP time server. Time
synchronization is essential for proper operation in an ETM deployment.
The SNTP Client Settings fieldset has been moved to a new Time Settings tab in the PEP Editor form.

Figure 24  Time Settings Tab
Also, a "Current PEP Time" fieldset was added that contains a toolbar for showing the current PEP time,
setting the PEP time (to the ETM server time), or manually editing the time via a separate form as was
previously done via the PEP multi-edit grid for Date.
Finally, the capability to set the PEP time to the current ETM server time has also been added to the PEP
multi-edit grid for Date.
Shutting Down Appliances
It is important that a proper system shutdown is performed prior to powering off PEPs. The shutdown
operation halts all running tasks on the PEP and prepares it for being powered off. Failure to perform a
shutdown may lead to file system corruption and potential appliance failure.
Additional Configuration Options
While the basic settings needed to add and configure a PEP to be used in an ETM system will meet the
needs of many users, there are numerous other configuration options that you can take advantage of
when needed (see Chapter 11, Configuring PEPs). These include, but are not limited to:
• Using IPv6 addressing
• Configuring the remote and local ports (non-transparent mode)
• SNMP settings
• Syslog reporting
• FIPS mode
Chapter 4: Managing Networks
In EncrypTight Manager, networks are the IP networks that you want to protect. One or more of these
networks are combined with one or more PEPs to make a network set. Network sets are treated as a
single network entity within IP policies. Networks are added, modified, and deleted using the networks
panel in the EncrypTight Policy view.
Figure 25  Networks used in a network set

Elements in Figure 25:
1A, 1B) PEPs
2A, 2B) PEPs
Adding Networks
When you add networks, you need to know the IP address and subnet mask of each network. If you have
a large number of networks to add, you can import a list from an Excel file (a CSV file may also be
utilized). For more information, see “Importing Networks and Network Sets” on page 57.
To add a network:
1 Display the Networks panel, if needed.
The Networks panel lists all of the networks that have been added. You can sort the list of
networks by IP address or network mask by clicking a column header.
2 Click Add Network.
3 In IP Address box, type the IP address of the network.
4 In the Mask box, type the network mask. You can use non-contiguous masks on PEPs with software
version 1.4 or later.
5 Click Save.
TIP
You can use a network mask of 255.255.255.255 to specify an individual address, or host. For example,
you might want to do this for traffic from devices such as a Lotus Notes server that needs to be sent in the
clear.
TIP
EncrypTight accepts non-contiguous network masks, which allow you to create policies between particular
addresses in your network. For example, a network of 10.0.0.1 with a mask of 255.0.0.255 allows all
devices with an IP address of 10.x.x.1 to be managed by a particular policy. See “Using Non-contiguous
Network Masks” on page 53 for more information.
Advanced Uses for Networks in Policies
If you are familiar with network addressing and network masks, you can use subnetting to make your
policies more efficient.
Use supernetting to reduce the number of SAs and keys on each PEP in large deployments.
Use non-contiguous network masks to apply policies to a specific IP address scheme.
Grouping Networks into Supernets
Working with large networks, a considerable number of security associations (SAs) and keys can result
on each PEP. One way to avoid this is to look for subnetworks within each network set that have
contiguous addressing. You can combine these subnets to reduce the number of SAs and keys on each
PEP.
In Figure 26, if you set up each of these networks as a separate network in EncrypTight, and the policy
encrypts traffic between these two networks and five other networks, the PEP for this network set would
contain 10 SAs and keys for each direction.
Figure 26  Two networks with contiguous addressing
As illustrated in Figure 27, the two networks 192.168.2.0 with subnet mask 255.255.255.0 and
192.168.3.0 with subnet mask 255.255.255.0 could be grouped into one network 192.168.2.0 with subnet
mask 255.255.254.0.
Figure 27  Two networks with contiguous addressing defined as a supernet
If you group the two networks into a supernet and the policy encrypts traffic between these two networks
and five other networks, the PEP for this network set would contain only five SAs and keys for each
direction, instead of 10.
NOTE
Where the subnetwork addresses are not completely contiguous, grouping these networks can result in the
inclusion of an unintended subnetwork.
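The following Python example is added here to make the supernet reasoning concrete; it is not part of the original guide or of the EncrypTight product. It uses the standard ipaddress module to merge the two Figure 26 networks into the Figure 27 supernet, counts the SAs per direction before and after (the five remote networks are only counted, not listed), and also shows the case the NOTE warns about: a constructed pair of networks that are not contiguous, where the smallest covering supernet pulls in address blocks that were never defined. All values other than the Figure 26 networks are constructed for the example.

```python
import ipaddress

# Networks from Figure 26 (the policy also covers five remote networks,
# which are only counted here, not listed).
FIGURE_26_NETWORKS = ["192.168.2.0/255.255.255.0", "192.168.3.0/255.255.255.0"]
REMOTE_NETWORK_COUNT = 5


def aggregate(networks):
    """Merge networks into the fewest supernets that cover exactly the same
    addresses. Nothing is added, so no unintended subnetwork can appear."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    return list(ipaddress.collapse_addresses(nets))


def covering_supernet(networks):
    """Return (supernet, unintended): the single smallest network that covers
    all inputs, and the address blocks inside it that were NOT in the input.
    A non-empty 'unintended' list is exactly the risk the NOTE describes."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    # Carve every input network out of the cover; what remains is unintended.
    leftovers = [cover]
    for n in nets:
        remaining = []
        for piece in leftovers:
            if n.subnet_of(piece):
                remaining.extend(piece.address_exclude(n))
            elif not piece.subnet_of(n):
                remaining.append(piece)
        leftovers = remaining
    return cover, list(ipaddress.collapse_addresses(leftovers))


def sas_per_direction(local_networks, remote_network_count, aggregated):
    """SAs (and keys) a PEP holds per direction: one per local/remote pair."""
    local_count = len(aggregate(local_networks)) if aggregated else len(local_networks)
    return local_count * remote_network_count


if __name__ == "__main__":
    merged = aggregate(FIGURE_26_NETWORKS)
    print("Figure 27 supernet:", merged[0], "mask", merged[0].netmask)
    print("SAs per direction before/after:",
          sas_per_direction(FIGURE_26_NETWORKS, REMOTE_NETWORK_COUNT, False),
          sas_per_direction(FIGURE_26_NETWORKS, REMOTE_NETWORK_COUNT, True))
    # Constructed non-contiguous pair: .3.0/24 and .4.0/24 share no common
    # /23, so the covering supernet drags in four extra address blocks.
    cover, extra = covering_supernet(["192.168.3.0/24", "192.168.4.0/24"])
    print("Covering supernet:", cover, "unintended:", [str(e) for e in extra])
```

Use aggregate() when building network definitions: it only merges what can be merged without widening coverage. covering_supernet() is the check to run before hand-writing a larger mask, since anything it lists as unintended would silently fall under the policy.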
Using Non-contiguous Network Masks
Non-contiguous masks are useful when you want to create a policy for devices in a network that contain
a specific octet within an IP address. Non-contiguous network masks are available on PEPs version 1.4
and later.
The following example demonstrates the use of non-contiguous network masks to pass unencrypted
traffic from specific addresses while encrypting everything else. Figure 28 depicts a mesh network in
which all traffic on each subnet is encrypted. A router is located on each of the PEP’s remote ports,
which means that all traffic to it is encrypted. However, the router port that is connected to the PEP’s
remote port is the default gateway for the site. In order to manage the router, traffic from the laptop needs
to pass in the clear. VoIP traffic also needs to pass in the clear. Each site uses IP addresses of x.x.x.129
and x.x.x.1 for the default gateway.
Figure 28  Networks with non-contiguous network masks are used in a bypass policy
that encompasses all the x.x.x.1 and x.x.x.129 addresses
Defining networks with non-contiguous masks allows you to create a single bypass policy that
encompasses all the .1 and .129 addresses, enabling the local sites on the 172.16.x.x network to manage
the devices on the remote port side of the PEP. By defining the networks as shown in Table 14, you
eliminate the need to create individual bypass policies for each subnet in the network.
Table 14  Network definitions

IP Address                                 Network Mask
0.0.0.129 (laptops)                        0.0.0.255
0.0.0.1 (VoIP phones)                      0.0.0.255
172.16.0.0 (any traffic on this network)   255.255.0.0
NOTE
When you use non-contiguous network masks, the network set must include a PEP that supports the
feature (PEP v.1.4 and later). In addition, all network sets in a policy must include supporting PEPs.
EncrypTight prevents you from dragging non-supporting elements into a network set or policy when
non-contiguous network masks are in use.
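The following Python example is added to show how a non-contiguous mask selects addresses; it is not code from the guide or from the PEP firmware. It implements the bitwise match that both the TIP above (10.0.0.1 with mask 255.0.0.255 selecting every 10.x.x.1) and Table 14 rely on, classifies a few constructed addresses against the Table 14 definitions, and includes a check that tells a contiguous prefix mask from a non-contiguous one, which is the property that decides whether a pre-1.4 PEP can hold the network. The matching rule (masked address equals masked network) is the standard definition; whether the PEP evaluates it exactly this way is an assumption of the example.

```python
import socket
import struct

# Table 14 networks, reproduced here as constructed data for the example.
BYPASS_NETWORKS = [
    ("laptops", "0.0.0.129", "0.0.0.255"),
    ("VoIP phones", "0.0.0.1", "0.0.0.255"),
    ("any traffic on 172.16.x.x", "172.16.0.0", "255.255.0.0"),
]


def ip_to_int(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def matches(addr, network, mask):
    """Network match: the masked bits of the address must equal the masked
    bits of the network. The mask is applied bit by bit, so it need not be
    a contiguous prefix; 255.0.0.255 pins the first and last octet only."""
    m = ip_to_int(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(network) & m)


def is_contiguous(mask):
    """True for a classic prefix mask (all ones followed by all zeros).
    Masks that fail this test need PEP software 1.4 or later."""
    host_bits = (~ip_to_int(mask)) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


def matching_networks(addr, networks=BYPASS_NETWORKS):
    """Labels of every network definition the address falls into."""
    return [label for label, net, mask in networks if matches(addr, net, mask)]


if __name__ == "__main__":
    # The TIP's example: 10.0.0.1 with mask 255.0.0.255 selects every 10.x.x.1.
    for addr in ("10.4.7.1", "10.4.7.2", "11.0.0.1"):
        print(addr, "-> 10.x.x.1 rule:", matches(addr, "10.0.0.1", "255.0.0.255"))
    # Constructed destinations checked against the Table 14 definitions.
    for addr in ("172.16.5.129", "10.9.8.1", "172.16.0.7", "192.0.2.50"):
        print(addr, "-> bypass networks:", matching_networks(addr))
    for _, _, mask in BYPASS_NETWORKS:
        print(mask, "contiguous:", is_contiguous(mask))
```

Note that 172.16.5.129 matches two Table 14 entries at once (laptops and the 172.16.x.x network); since all three definitions sit in the same bypass policy that is harmless, but the same overlap between a bypass and an encrypt policy is where the priority rules in Chapter 7 decide the outcome.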
Editing Networks
To edit an existing network:
1 In the Networks panel, select the network that you want to modify.
2 Right-click and choose Edit.
3 Make your changes and click Save.
Deleting Networks
Occasionally, you might want to delete a network. For example, if the structure of a network changes, the
network you set up in EncrypTight might not be needed.
CAUTION
Do not delete any networks currently used by any network sets. Prior to deleting a network, modify any
network sets using that network to use another network. If you delete a network that is currently used in a
policy or a network set, you can create configuration errors that might prevent you from deploying your
policies. In this case, check the Policy view to find the components with configuration errors. Correct the
errors and then redeploy the policies.
To delete a network:
1 In the Networks panel, select the network that you want to remove.
2 Right-click and choose Delete.
3 Click Yes at the confirmation prompt.
Chapter 5: Managing Network Sets
A network set is a collection of IP networks and the associated PEPs. A network set is treated as a single
entity in a policy.
Figure 29  Network Sets

Elements in Figure 29:
1A, 1B) PEPs
2A, 2B) PEPs
Figure 29 shows two network sets. Network Set A contains two networks protected by two PEPs and
Network Set B contains one network protected by two PEPs.
Types of Network Sets
The following examples illustrate the different types of network sets:
• Subnet
• Load balanced network
• Collection of networks
• A network set that does not contain any PEPs
Figure 30  Network set for a subnet

Figure 30 illustrates a network set consisting of a single network and a single PEP. In EncrypTight
Manager, this network set would include PEP 1 and the network IP address and mask:

IP address     Mask
40.32.21.0     255.255.255.0

Figure 31  Network set for a load balanced or redundant network

Figure 31 illustrates a load balanced or redundant network with multiple access to a single network with
two PEPs. In EncrypTight, this network set includes both PEP 1 and PEP 2, and the network IP
address and mask:

IP address     Mask
40.55.11.0     255.255.255.0

Figure 32  Network set for a collection of networks

Figure 32 illustrates a network set comprised of two networks and two PEPs. In EncrypTight, this
network set includes both PEP 1 and PEP 2, and both network IP addresses and masks:

IP address     Mask
30.25.11.0     255.255.255.0
30.24.3.0      255.255.255.0
Figure 33  Network set that does not include a PEP

A network set does not have to include any PEPs. This is useful if you have PEPs that are encrypting
traffic between two routers that need to exchange routing protocols. If the PEPs are encrypting all traffic,
the routers cannot see the information in the routing packets. To allow the routers to exchange routing
information, create a clear policy for the routing protocol, for example OSPF (protocol 89). Create one
network set with a wildcarded network (0.0.0.0) that includes PEP 1 and PEP 2. Create a second network
set with a wildcarded network (0.0.0.0), but without any PEPs. Then, using these two network sets, you
can create a point-to-point policy that passes protocol 89 packets in the clear.
Adding a Network Set
To add a Network Set:
1 In the Network Sets panel, click Add Network Set.
The Network Set editor displays (see Figure 35).
2 In the Name box, type a name for the network set.
3 Optionally, enter a location in the Location box.
4 From the PEPs panel, select the PEPs that you want to use in the network set and drag them to the
PEPs box in the Network Set editor.
5 From the Networks panel, select the networks that you want to use in the network set and drag them
to the Networks box in the Network Set editor.
6 Select the desired network address mode.
7 Click Save.
Table 15  Network Set fields

Field                    Description
Name                     Enter a unique name to identify the network set. Names can be
                         1 - 40 characters in length. Alphanumeric characters and spaces
                         are valid. Names are not case sensitive.
Location                 Enter a location.
PEPs                     Click the PEPs panel and drag the appropriate PEPs to the PEPs
                         box in the Network Set editor. To remove a PEP from this list,
                         right-click the desired PEP and click Remove Element. The PEP
                         is removed only from this network set.
Table 15  Network Set fields (continued)

Field                    Description
Networks                 Click the Networks panel and drag the appropriate networks to
                         the Networks box in the Network Set editor. You can also edit a
                         network from this editor: right-click the desired network and
                         click Edit. To remove a network from this list, right-click the
                         desired network and click Remove Element. The network is
                         removed only from this network set.
Network Addressing Mode  Select the desired network addressing mode. The network
                         addressing mode specifies the source IP address used in the
                         packet header.
                         • Use Network Address
                         • Specify Tunnel Inbound / Outbound SRC and DST IPs
                           • Inbound DST IP - address to use for incoming packets from
                             other sites
                             • Use PEP Remote IP Address
                             • IP Address
                           • Outbound SRC IP - address to use for outgoing packets to
                             other sites
                             • Use PEP Remote IP Address
                             • IP Address
                         This allows the use of the PEPs for encryption over the
                         internet as long as there is a firewall in place that can
                         forward the ESP packets to the PEP.
                         Depending on the type of PEP selected and its configuration,
                         some options may not be available. PEPs preserve the original
                         network address by default and must be explicitly configured to
                         use any other mode. For more information on how to configure
                         your PEP, see the configuration chapter for your PEP.
                         This setting can be overridden by settings in a policy. For
                         more information, see “Addressing Mode” on page 71.
Figure 34  Network Addressing Mode
Importing Networks and Network Sets
If you need to work with a large number of networks and network sets, you can save time by importing
the data. You can create an Excel spreadsheet (or CSV file) that lists the networks and network sets that
you need and import the file. The PEPs used in the network sets must have been added to
EncrypTight previously or the import will fail.
To create the import file, enter the data in a spreadsheet and save it as an Excel file. You must adhere to
the formats shown. The first line in the file must be Version1.0, while the pound symbol (#) indicates a
comment line and is ignored during the import operation. In the Excel file, commas are used to delineate
one field or item from the next.
The format of the Excel file is as follows:
Version1.0
network,<networkid>,<ip address>,<mask>
networkSet,<name>, networkIds,<list of network IDs>,peps,<list of PEP names>
To import networks and network sets:
1 Create an Excel spreadsheet that identifies the networks and network sets.
2 In the Networks or Network Sets panel, click Import Networks.
3 Click Browse, select the file, and click Import Data From File.
If EncrypTight detects an error in the file, none of the networks or network sets are imported.
EncrypTight displays an error message that includes the number of the line in the file that contains the
error along with a brief description of the problem. The message also indicates the column number
with the error, which is useful if you created a spreadsheet (the column number does not apply to the
CSV file in a text editor).
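The following Python example is added to show what the validation described above looks like in code; it is not the guide's or EncrypTight's own importer. It parses a constructed file in the Version1.0 layout, applies the rules the text states (first line must be Version1.0, # lines are comments, commas separate fields and items, every PEP must already be known, and nothing is imported if any row is bad) and reports the 1-based line and column of the first problem. Two points are assumptions of the example rather than documented behaviour: the network IDs after the networkIds keyword and the PEP names after the peps keyword are taken to run to the next keyword or the end of the row, and a network set may only reference network IDs defined on an earlier row of the same file.

```python
import socket

# Constructed sample import file in the Version1.0 layout described above.
SAMPLE_FILE = """Version1.0
# constructed sample, not from a real deployment
network,net1,192.168.2.0,255.255.255.0
network,net2,192.168.3.0,255.255.255.0
network,any,0.0.0.0,0.0.0.0
networkSet,Site A, networkIds,net1,net2,peps,PEP1,PEP2
networkSet,Routing, networkIds,any,peps
"""
KNOWN_PEPS = {"PEP1", "PEP2"}  # PEPs already added to EncrypTight (constructed)


class ImportFileError(ValueError):
    """Carries the 1-based line and column that the error message reports."""

    def __init__(self, line, column, message):
        super().__init__(f"line {line}, column {column}: {message}")
        self.line, self.column = line, column


def _dotted_quad(value):
    """Strict IPv4 dotted-quad check (inet_aton alone accepts short forms)."""
    try:
        socket.inet_aton(value)
    except OSError:
        return False
    return value.count(".") == 3


def parse_import_file(text, known_peps):
    """Validate the whole file and return (networks, network_sets).
    Raises ImportFileError on the first problem, so callers import nothing
    unless every row is good. Empty trailing fields, which Excel adds when
    saving as CSV, are ignored in the PEP list."""
    networks, network_sets = {}, {}
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Version1.0":
        raise ImportFileError(1, 1, "first line must be Version1.0")
    for lineno, raw in enumerate(lines[1:], start=2):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        fields = [f.strip() for f in raw.split(",")]
        kind = fields[0]
        if kind == "network":
            if len(fields) != 4:
                raise ImportFileError(lineno, min(len(fields) + 1, 5),
                                      "network rows need networkid, ip address, mask")
            _, net_id, ip, mask = fields
            if not net_id or net_id in networks:
                raise ImportFileError(lineno, 2, f"missing or duplicate network id {net_id!r}")
            if not _dotted_quad(ip):
                raise ImportFileError(lineno, 3, f"invalid IP address {ip!r}")
            if not _dotted_quad(mask):
                raise ImportFileError(lineno, 4, f"invalid mask {mask!r}")
            networks[net_id] = (ip, mask)
        elif kind == "networkSet":
            if len(fields) < 3 or fields[2] != "networkIds":
                raise ImportFileError(lineno, 3, "expected the keyword networkIds")
            if "peps" not in fields[3:]:
                raise ImportFileError(lineno, len(fields) + 1, "expected the keyword peps")
            name = fields[1]
            if not name or name in network_sets:
                raise ImportFileError(lineno, 2, f"missing or duplicate network set name {name!r}")
            peps_at = fields.index("peps", 3)
            net_ids = fields[3:peps_at]  # assumption: IDs run up to the peps keyword
            for idx, nid in enumerate(net_ids, start=3):
                if nid not in networks:
                    raise ImportFileError(lineno, idx + 1, f"unknown network id {nid!r}")
            pep_names = []
            for idx in range(peps_at + 1, len(fields)):
                pep = fields[idx]
                if not pep:
                    continue
                if pep not in known_peps:
                    raise ImportFileError(lineno, idx + 1, f"PEP {pep!r} has not been added")
                pep_names.append(pep)
            network_sets[name] = {"networks": net_ids, "peps": pep_names}
        else:
            raise ImportFileError(lineno, 1, f"unknown row type {kind!r}")
    return networks, network_sets


def import_or_reject(text, known_peps):
    """All-or-nothing import: (True, (networks, sets)) or (False, message)."""
    try:
        return True, parse_import_file(text, known_peps)
    except ImportFileError as err:
        return False, str(err)


if __name__ == "__main__":
    print(import_or_reject(SAMPLE_FILE, KNOWN_PEPS))
    print(import_or_reject(SAMPLE_FILE.replace("PEP2", "PEP9"), KNOWN_PEPS))
```

Running the same checks on a file before uploading it saves a round trip through the dialog, and the column number is most useful when the row is viewed in the spreadsheet, exactly as the text notes.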
Editing a Network Set
To edit a Network Set:
1 Click the Network Sets panel and select the network set that you want to edit.
2 Right-click or double click and choose Edit.
3 Make your changes and click Save.
Figure 35  Network Set Editor
Deleting a Network Set
You might need to delete a network set if the structure of a network changes or if the network set is
empty because the networks were removed.
To delete an existing network set:
1 Click the Network Set tab and select the network set that you want to remove.
2 Right-click and choose Delete.
3 Click Yes when you are prompted for confirmation.
Internet Encryption
The Network Addressing Mode changes in ETM 3.4 allow the use of the PEPs for encryption over the
internet as long as there is a firewall in place that can forward the ESP packets to the PEP. Figure 36
illustrates encryption over the internet and reflects the following benefits:
• Only one public IP address is required (must be static)
• Improves performance (Full-mesh among branch sites)
• No hairpinning
• Only one encrypt/decrypt cycle vs two for hub-and-spoke
• GW can send Internet traffic directly to the Internet (split tunnel)
• GW need not support IPSec forwarding (ESP)

Figure 36  Encryption Over the Internet
Requirements for Over the Internet Encryption
Support for IPSEC Pass-through
Certain home or SOHO grade devices do not pass IPSEC traffic. Many such devices will only allow
proto TCP, UDP, or ICMP to pass. Generally, IPSEC support is identified by a feature called VPN passthrough or IPSEC pass-through. If you do not see one of these features listed on your device, there is a
good chance the device does not pass IPSEC traffic. Passing IPSEC traffic across any firewalls, routers,
or bridges in the encryption path is a requirement for Internet Encryption to work.
IPSEC NAT
Even if a device will pass IPSEC traffic, many times you cannot direct the IPSEC traffic via NAT to an
internal device. If a device is not able to have its own dedicated public IP address for the remote port,
you will require NAT to allow the ESP tunnel mode to work. Many home or SOHO devices are not
capable of performing NAT on ESP (protocol 50) packets. Make sure that any firewalls or routers in the
encrypted path can perform NAT on ESP packets if NAT is needed in your topology.
Firewalls that perform packet Re-assembly
Any firewall that does deep packet inspection or supports PAT will need to reassemble incoming
fragments in order to either inspect them or to determine how to handle them for NAT/PAT. This feature
is sometimes called “packet scrubbing”. Tunnel mode packets are sent with the Don’t Fragment bit set.
This makes sure that the network does not attempt to double fragment a packet. How a firewall handles
incoming packets and fragments with the “Don't fragment” bit set can cause a problem for tunnel mode.
By default, most firewalls that need to reassemble will discard any fragments with the Don't Fragment
bit set. If your firewall needs to support PAT or deep packet inspection for other applications, make sure
that you can tell the firewall to ignore the “Don't fragment” bit set in tunnel mode packets.
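The following Python example is added to make the three requirements above checkable on a packet capture; it is not code from the guide or from any EncrypTight component. It decodes the IPv4 header fields that matter (protocol number, Don't Fragment and More Fragments flags, fragment offset) from constructed sample headers and applies the two behaviours the text describes: a SOHO device without IPSEC pass-through forwarding only TCP, UDP and ICMP, and a reassembling firewall discarding fragments that carry the Don't Fragment bit. The sample headers, their documentation-range addresses and the helper that builds them are constructed for this example; the "allowed protocols" list is the manual's description of SOHO gear, not a property of any specific device.

```python
import socket
import struct

ESP = 50           # IP protocol number carried by ESP tunnel-mode packets
DF_FLAG = 0x4000   # Don't Fragment bit in the flags/fragment-offset field
MF_FLAG = 0x2000   # More Fragments bit
SOHO_PASS_LIST = (1, 6, 17)  # ICMP, TCP, UDP: what the manual says SOHO gear passes


def build_ipv4_header(src, dst, protocol, df=False, mf=False, frag_offset=0, payload_len=0):
    """Construct a 20-byte IPv4 header for the sample packets (checksum left 0)."""
    flags_frag = (DF_FLAG if df else 0) | (MF_FLAG if mf else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                       64, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))


def inspect_ipv4_header(data):
    """Decode the header fields relevant to ESP pass-through and fragmentation."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes")
    ver_ihl, _, total_len, _, flags_frag, _, protocol, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    offset = (flags_frag & 0x1FFF) * 8  # fragment offset is in 8-byte units
    more = bool(flags_frag & MF_FLAG)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "protocol": protocol, "is_esp": protocol == ESP,
        "df": bool(flags_frag & DF_FLAG), "mf": more,
        "fragment_offset": offset, "is_fragment": more or offset > 0,
        "total_length": total_len,
    }


def blocked_without_passthrough(info, allowed=SOHO_PASS_LIST):
    """A device without IPSEC pass-through forwards only these protocols."""
    return info["protocol"] not in allowed


def dropped_by_scrubbing_firewall(info):
    """Default behaviour described above: a firewall that must reassemble
    (deep inspection or PAT) discards a fragment that carries DF."""
    return info["is_fragment"] and info["df"]


def diagnose(data):
    """Header fields plus the two verdicts, for one captured packet."""
    info = inspect_ipv4_header(data)
    return {
        **info,
        "blocked_without_passthrough": blocked_without_passthrough(info),
        "dropped_by_scrubbing_firewall": dropped_by_scrubbing_firewall(info),
    }


# Constructed samples (addresses from documentation ranges): an intact ESP
# tunnel packet with DF, a DF-marked ESP fragment, and a plain UDP packet.
ESP_INTACT = build_ipv4_header("203.0.113.10", "198.51.100.20", ESP, df=True, payload_len=1400)
ESP_FRAGMENT = build_ipv4_header("203.0.113.10", "198.51.100.20", ESP, df=True,
                                 frag_offset=185, payload_len=100)
UDP_PACKET = build_ipv4_header("203.0.113.10", "198.51.100.20", 17, payload_len=64)

if __name__ == "__main__":
    for name, pkt in (("ESP intact", ESP_INTACT), ("ESP fragment", ESP_FRAGMENT), ("UDP", UDP_PACKET)):
        d = diagnose(pkt)
        print(f"{name}: proto={d['protocol']} df={d['df']} fragment={d['is_fragment']} "
              f"blocked_without_passthrough={d['blocked_without_passthrough']} "
              f"dropped_by_scrubbing_firewall={d['dropped_by_scrubbing_firewall']}")
```

When traffic between two sites stops after a firewall change, running diagnose() over the outer headers captured on each side of the firewall tells you which of the two failure modes you are looking at: protocol 50 never arriving (pass-through or NAT), or only the DF-marked fragments disappearing (reassembly).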
Chapter 6: Creating VLAN ID Ranges
If the network uses VLAN ID tags, you have the option of creating policies that select traffic with
specific VLAN ID tags or within a range of VLAN ID tags. If you do not include VLAN ID tags in a
new Layer 2 policy, the policy is applied to all network traffic.
VLAN ID tags are used to create logical networks within a larger physical network. This is often used to
separate network traffic by departments, such as Finance or Human Resources. By creating policies that
act on specific VLAN ID tags or a range of VLAN ID tags, you can encrypt, pass in the clear, or drop
traffic at the logical level (in this case by department). Traffic that does not match the VLAN ID tag (or
range of tags) specified in the policy is dropped.
PEPs accept only single VLAN ID tags in policies.
Adding a VLAN ID Range
To add a new VLAN ID Range:
1 In the VLANs panel, click Add VLAN.
2 Create the VLAN range in the editor as described in Table 16.
3 Click Save when complete.
NOTE
VLAN ranges are now supported in EncrypTight Manager. VLAN ranges can be defined as a range and
not one by one.
Table 16  VLAN ID range entries

Field            Description
Name             Enter a unique name to identify this particular VLAN Range. Names can be
                 1 - 40 characters in length. Alphanumeric characters and spaces are valid.
                 Names are not case sensitive.
Lower VLAN ID    Enter the lower range limit in the range 1 to 4094.
Upper VLAN ID    Enter the upper range limit in the range 1 to 4094.
Figure 37  VLAN ID Range
Editing a VLAN ID Range
To edit a VLAN ID range:
1 In the VLANs panel, select the VLAN ID range that you want to modify.
2 Right-click on the range and choose Edit.
3 Make your changes and click Save.
Deleting a VLAN ID Range
If changes are made to a network or VLAN, you might need to delete VLAN ID ranges.
To delete an existing VLAN ID range:
1 In the VLANs panel, select the VLAN ID range that you want to remove.
2 Right-click on the range and choose Delete.
3 Click Yes when you are prompted for confirmation.
Chapter 7: Understanding Security Policies
A policy specifies what traffic to act on and what action to take. Each PEP can store a large number of
policies. As network traffic arrives, each packet or frame is examined by the PEP, and processed based
on selection criteria such as IP addresses, ports, protocols, or VLAN tags. When the PEP receives a
packet or frame that meets the criteria used in one of its policies, it takes one of three actions: it encrypts
the packet or frame, passes it in the clear, or drops it.
In addition to selection criteria and actions, each policy specifies:
• What priority a policy has in relation to other policies
• How often keys are renewed and policy lifetimes are refreshed
• What encryption and authentication methods to use
• Which addressing mode the PEPs in the policy should use
• Whether to reduce the policy size for an IP policy
About Policies
A policy specifies what traffic to protect and how to protect it. Each packet or frame is inspected by the
PEP and processed based on the filtering criteria specified in the policy. You can create policies for traffic
at Layer 2, Layer 3, and Layer 4. Each policy specifies:
• The PEPs to be used
• The networks the PEPs will protect
• The action that is to be performed (encrypt, send in the clear, or drop)
• The kind of traffic the policy affects
Filtering criteria can be high level, such as “encrypt everything,” or more granular, specifying traffic
based on IP addresses, protocols, or VLAN ranges. After applying the traffic filters, the PEP takes one of
three actions: it encrypts the packet, passes it in the clear, or it drops the packet.
Ethernet Policies
In Layer 2 Ethernet, the supported topologies are mesh and point-to-point networks. If an Ethernet
network uses VLAN ID tags, a virtual point-to-point topology can also be established.
An Ethernet policy can be applied to all Layer 2 traffic or restricted to traffic that contains VLAN ID tags
that fall within a given range. Ethernet policies consist of two main components:
• PEPs
• VLAN ID ranges enable filtering based on VLAN ID tags (optional)
NOTE
If you do not include a VLAN ID or range in the policy, all Ethernet traffic is selected for enforcement.
IP Policies
Supported IP topologies are:
• Hub and spoke
• Mesh
• Point-to-point
• Multicast
Layer 3 IP policies protect IP traffic using PEPs.
IP policies consist of three main components:
• PEPs
• Networks identify the IP addresses of the networks included in the policy
• Network sets associate the networks to the protecting PEPs
Layer 4 policies are Layer 3 policies that preserve the original addresses, protocols, and ports of the
packets received. You would use this option when you need to send the IP header information in the
clear. For more information, see “Addressing Mode” on page 71.
Policy Priority
You can assign a priority from 1 to 65000 to each policy that you create. The policy priority specifies the
order in which policies are processed on the PEP. For each incoming packet or frame the PEP searches
through the list of policies, starting with the policy that has the highest priority, until it finds a match.
When it finds a match, the PEP processes the packet or frame according to the settings in the policy. As
you create policies, carefully consider the policy priority that you choose.
If your policies are not being implemented as expected, check the priorities assigned to the policies.
Incorrect prioritization can produce unexpected results. For example, policy A is a clear policy for a
specific destination network for any protocol and has the highest priority. Policy B is an encrypt policy
for the same destination network with a particular protocol, but it has a lower priority. Because policy A
has the higher priority, all traffic passes and none of the traffic is encrypted.
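The following Python example is added to show the first-match lookup the text describes and how to catch the policy A / policy B mistake before deploying; it is not the guide's or the PEP's own code. It models a policy as a destination network, an optional IP protocol selector, an action and a priority in the documented 1 to 65000 range, evaluates constructed policies highest priority first, and lists every policy that can never match because a higher-priority policy with the same destinations and an equal or broader protocol selector always wins. The destination network, the TCP protocol number and both orderings are constructed for the example; the PEP's real matching fields are broader than this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One IP policy as the manual describes it: a destination network,
    an optional protocol selector, an action and a priority of 1 to 65000."""
    name: str
    priority: int
    action: str            # "encrypt", "clear" or "drop"
    dst_network: str       # e.g. "10.20.0.0/16" (constructed values below)
    protocol: Optional[int] = None  # IP protocol number; None means any

    def __post_init__(self):
        if not 1 <= self.priority <= 65000:
            raise ValueError("priority must be between 1 and 65000")
        if self.action not in ("encrypt", "clear", "drop"):
            raise ValueError("unknown action")

    def selects(self, dst_ip, protocol):
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_network)
        return in_net and (self.protocol is None or self.protocol == protocol)


def select_policy(policies, dst_ip, protocol):
    """First match wins, highest priority first, as in the PEP lookup
    described above. Returns None when no policy selects the packet."""
    for policy in sorted(policies, key=lambda p: p.priority, reverse=True):
        if policy.selects(dst_ip, protocol):
            return policy
    return None


def shadowed_policies(policies):
    """(shadowed, by) pairs: a policy can never match when a higher-priority
    policy covers the same destinations with an equal or broader protocol
    selector. Run this before deploying to catch the mistake in the text."""
    ordered = sorted(policies, key=lambda p: p.priority, reverse=True)
    result = []
    for i, low in enumerate(ordered):
        for high in ordered[:i]:
            same_dst = ipaddress.ip_network(low.dst_network).subnet_of(
                ipaddress.ip_network(high.dst_network))
            broader_proto = high.protocol is None or high.protocol == low.protocol
            if same_dst and broader_proto:
                result.append((low.name, high.name))
                break
    return result


# Constructed policies reproducing the example: A clears everything to the
# destination network, B encrypts TCP (protocol 6) to the same network.
WRONG_ORDER = [
    Policy("A", 100, "clear", "10.20.0.0/16"),
    Policy("B", 50, "encrypt", "10.20.0.0/16", protocol=6),
]
CORRECT_ORDER = [
    Policy("A", 50, "clear", "10.20.0.0/16"),
    Policy("B", 100, "encrypt", "10.20.0.0/16", protocol=6),
]

if __name__ == "__main__":
    for label, policies in (("wrong", WRONG_ORDER), ("correct", CORRECT_ORDER)):
        chosen = select_policy(policies, "10.20.1.5", 6)
        print(label, "order: TCP to 10.20.1.5 ->", chosen.name, chosen.action,
              "shadowed:", shadowed_policies(policies))
```

The general rule the example encodes: the more specific selector needs the higher priority, and a clear or drop policy with no protocol restriction belongs below every encrypt policy for the same destinations, otherwise the encrypt policy is dead configuration and the traffic it was meant to protect leaves in the clear.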
Schedule for Renewing Keys and Refreshing Policy Lifetime
The Renew keys value specifies the length of time that the keys will be active. According to the schedule
specified, the EncrypTight Manager server sends new keys to the PEPs. The previous keys are maintained
on the PEP for up to five minutes to ensure that no traffic interruption occurs.
NOTE
EncrypTight Manager provides support for clock skew detection during refresh status. The PEP state will
indicate if the clock is out of sync with ETM by more than 10 minutes.
You schedule the key renewal in an interval of hours or set a daily renewal at a specified time.
• Hours - enter the re-key interval in hours up to 65000 hours. Clear the Renew Keys check box under IPSec if you want the keys to never expire. Most likely, you will only do this if you are troubleshooting.
• Daily - enter the re-key time using the 24 hour system clock set to the required local time of the EncrypTight server. The re-key time will translate to the local times of other ETM servers and PEPs that might be located in other time zones.
TIP
Management traffic increases during the policy rekey and renew lifetime process. This is true for both
manual and automatic rekeys. If you schedule all policies to rekey at the same time, the ETM servers will
send new keys to all of their PEPs at the same time, causing an increase in traffic throughout your
network. You can reduce the traffic and processing time by staggering the rekey schedule specified for
each policy. For example, one policy could be set to rekey at 1:00 AM while another policy could be set to
rekey at 1:30 AM. This significantly reduces the management traffic and PEP processing time.
TIP
Network connectivity problems can prevent new keys from being distributed to the PEPs before the old
keys expire.
NOTE
In fail-safe mode, EncrypTight will not update the keys of any device if any of the devices are unreachable.
Policy Types and Encryption Methods
The type of policy specifies the action applied to packets that match the protocol and networks included in this policy. You can choose from the following types:
• Drop - drops all packets matching this policy.
• Clear - passes all packets matching this policy in the clear.
• Encrypt - encrypts or decrypts all packets matching this policy.
Encapsulation
To provide encryption and authentication, the PEPs use the Black Box Encapsulating Security Payload protocol (CN-ESP). CN-ESP is Black Box’s packet encapsulation protocol and is based on the IPSec ESP protocol standards.
Layer 2: Ethernet payload encryption
In Layer 2 policies, the CN-ESP protocol preserves the original Ethernet header information and encrypts only the Ethernet payload, as shown in Figure 38.
Figure 38: Ethernet payload encryption
Layer 3: IPSec Tunnel mode with original IP header preservation
In Layer 3 IP policies, a copy of the original IP header is used as the outer header and the original header and payload are encrypted, as shown in Figure 39.
Figure 39: IP packet encryption
Layer 4: IPSec Transport mode for Layer 4 payload encryption
PEPs have an option to encrypt only the TCP and UDP Layer 4 payload. The TCP and UDP header information remains in the clear, as shown in Figure 40. All other Layer 4 headers are encrypted.
NOTE
If L4 encryption is active and the traffic type is other than TCP or UDP, traffic will be encrypted at L3.
Figure 40: Data payload encryption
Encryption and Authentication Algorithms
For Layer 3 IP policies, you can specify the encryption and authentication algorithms that you want to
use. The encryption algorithms include the Advanced Encryption Standard (AES) and Triple Data
Encryption Standard (3DES).
AES is a symmetric block cipher capable of using cryptographic keys of 128, 192, and 256 bits to
encrypt and decrypt data in blocks of 128 bits. Triple DES, or 3DES, is a more secure variant of DES.
3DES uses a key length of 168 bits. The Data Encryption Standard (DES) is a symmetric block cipher
with a block size of 64 bits and a key length of 56 bits.
The authentication algorithms available include Secure Hash Algorithm 1 (HMAC-SHA-1), Secure Hash Algorithm 2 (HMAC-SHA-2), and Message Digest 5 (HMAC-MD5). All are keyed-hash (HMAC) algorithms. HMAC-SHA-1 is the most secure.
Layer 2 Ethernet encryption policies utilize AES with 256-bit keys to encrypt and decrypt the data and
HMAC-SHA-1 or HMAC-SHA-2 to provide data origin authentication and data integrity.
Layer 4 IP encryption policies use AES-256 for encryption and HMAC-SHA-1 or HMAC-SHA-2 for
authentication. The PEPs do not support 3DES or HMAC-MD5 at Layer 4.
ARIA Encryption
In addition to the standard encryption algorithms listed above, the ARIA encryption algorithm is available
on PEPs that are running PEP software version 1.4.1 or later. ARIA provides 256-bit encryption, and is
implemented in software.
Note the following usage guidelines and constraints:
• ARIA-256 is available for use in Layer 3 and Layer 4 policies. Layer 2 Ethernet encryption policies do not support ARIA.
• ARIA-256 is incompatible with the PEP’s FIPS mode of operation. Disable FIPS mode on the PEP prior to using ARIA in encryption policies.
Addressing Mode
When you create network sets in the network sets editor, you specify the IP address the PEPs will use in the outer header of the encrypted packets. The options are the original IP address of the packets received at the PEP’s local port (the default setting), or tunnel WAN and LAN IPs that use either the remote port IP address of the PEP or a custom IP address configured as part of a network set. This allows the use of the PEPs for encryption over the internet as long as there is a firewall in place that can forward the ESP packets to the PEP.
Even when you configure network sets to conceal the original source IP addresses, you might need to
preserve the original IP addresses for other traffic that is routed through the same network sets. For
example, you might need to transmit traffic that must comply with Service Level Agreements.
To handle these situations, you can create additional policies that use the same network sets, but override the specified network addressing mode. In the policy editor, the network addressing mode can use one of three options:
• Preserve only the original internal network addresses. The source and destination addresses in the IP header are sent in the clear. The protocol and port, as well as the payload of the packet, are encrypted. This is referred to as a Layer 3 policy.
• Preserve the original internal network address, protocol, and port. The source and destination addresses, protocol, and port in the IP header are sent in the clear. With this option, only the payload of the packet is encrypted. This allows you to send the Layer 4 header information in the clear for traffic engineering and Service Level Agreement management (for example, Quality of Service controls or NetFlow statistics monitoring). This is referred to as a Layer 4 policy.
• Tunnel Mode (Use PEP remote, Dynamic, or VIP address) - Specifies that the policy should use the PEP’s remote port IP address, a dynamic address, or the virtual IP addresses of the included network sets. An option is provided to use UDP encapsulation for the tunnel.
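To make the three addressing modes and the tunnel-mode override concrete, the following added example (not part of the guide and not EncrypTight code) splits a constructed Ethernet/IPv4 frame into the bytes a passive observer on the WAN side can read and the bytes CN-ESP protects, following the Encapsulation section and the list above, including the NOTE that non-TCP/UDP traffic under an L4 policy is encrypted at L3. The frame layout, the PEP WAN addresses and the absence of any ESP framing are assumptions.

```python
"""What each EncrypTight addressing mode leaves in the clear on the wire.

Added illustration with a constructed frame, not EncrypTight's CN-ESP
code: it models only the split between clear bytes and protected bytes.
The ESP header, IV and ICV that CN-ESP adds are not modelled, and the
outer IP header is taken as a verbatim copy, as the guide describes
(checksums are not recomputed).
"""
import struct

ETH_HLEN = 14                 # assumption: untagged Ethernet header
PROTO_TCP, PROTO_UDP = 6, 17


def split(frame: bytes, mode: str, outer: tuple = None) -> dict:
    """mode is "L2", "L3", "L4" or "TUNNEL" (the tunnel-mode override, which
    needs the PEP addresses placed in the outer header as `outer`).
    Returns the bytes sent in the clear and the bytes protected by ESP."""
    eth, ip_pkt = frame[:ETH_HLEN], frame[ETH_HLEN:]
    if mode == "L2":
        # Ethernet header preserved; the whole Ethernet payload is encrypted.
        return {"mode": "L2", "clear": eth, "protected": ip_pkt}
    ihl = (ip_pkt[0] & 0x0F) * 4
    ip_hdr, proto = ip_pkt[:ihl], ip_pkt[9]
    if mode == "L4" and proto in (PROTO_TCP, PROTO_UDP):
        # Addresses, protocol and ports stay visible; only the L4 payload is hidden.
        l4_hlen = 8 if proto == PROTO_UDP else (ip_pkt[ihl + 12] >> 4) * 4
        cut = ihl + l4_hlen
        return {"mode": "L4", "clear": eth + ip_pkt[:cut], "protected": ip_pkt[cut:]}
    if mode == "TUNNEL":
        # Outer header carries the PEP remote-port (or VIP) addresses instead of
        # the internal ones; the original header and payload are protected.
        src, dst = (bytes(a) for a in outer)
        return {"mode": "TUNNEL", "clear": eth + ip_hdr[:12] + src + dst + ip_hdr[20:],
                "protected": ip_pkt}
    # L3, which is also the fallback the guide's NOTE describes: an L4 policy
    # that sees traffic other than TCP/UDP encrypts it at L3. A copy of the
    # original IP header is the outer header; header and payload are protected.
    return {"mode": "L3", "clear": eth + ip_hdr, "protected": ip_pkt}


def observer_view(frame: bytes, mode: str, outer: tuple = None) -> dict:
    """Header fields a passive observer on the WAN side can read: only the
    fields that fall inside the clear prefix are reported."""
    ip = split(frame, mode, outer)["clear"][ETH_HLEN:]
    view = {}
    if len(ip) >= 20:
        view["src"] = ".".join(map(str, ip[12:16]))
        view["dst"] = ".".join(map(str, ip[16:20]))
        view["proto"] = ip[9]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] in (PROTO_TCP, PROTO_UDP) and len(ip) >= ihl + 4:
            view["sport"], view["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return view


def build_frame(proto: int, l4: bytes) -> bytes:
    """Constructed sample: Ethernet + minimal IPv4 header (no options) + L4 bytes."""
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0,
                     bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    return eth + ip + l4


# Constructed traffic: a UDP DNS-style datagram and an ICMP echo request.
UDP_FRAME = build_frame(PROTO_UDP, struct.pack("!HHHH", 53000, 53, 13, 0) + b"query")
ICMP_FRAME = build_frame(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"ping")
PEP_WAN = ((192, 0, 2, 1), (198, 51, 100, 1))   # constructed PEP remote-port addresses

if __name__ == "__main__":
    for mode in ("L2", "L3", "L4", "TUNNEL"):
        print(mode, observer_view(UDP_FRAME, mode, PEP_WAN))
```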
Using Encrypt All Policies with Exceptions
You can design your policies many different ways for the same results. If you design your policies based
on chunks of data such as which port or which source or destination address encrypts, drops, or passes in
the clear, a large number of policies can result. With a large number of policies, the policy management
overhead increases and keeping track of the priority of each policy can become difficult. You can
simplify this process by doing the following:
1 Create a policy to encrypt all data to and from all networks. Assign this policy a relatively low priority to ensure that any missed data will at least pass encrypted.
2 Design a pass in the clear policy and a drop policy with higher priorities.
Table 17 illustrates policies for a mesh network that will pass Protocol 17 (UDP) traffic in the clear, drop all protocol 55 (IP mobile) traffic, and encrypt all other traffic.
Table 17: Encrypt all policy with exceptions
Policy  Policy Type  Priority  Action         Protocol Covered
1       Mesh         100       Encrypt        All
2       Mesh         200       Drop           55
3       Mesh         300       Pass in Clear  17
In this case, we started with the assumption that our main job was to encrypt traffic and then decide
which traffic to drop or pass in the clear. The PEP analyzes each packet starting with the highest priority
policy.
The alternative is to decide which traffic should be encrypted, which traffic should be passed in the clear,
and which traffic should be dropped. With this approach, you risk creating more policies to manage than
you need and increasing the management traffic on the network. You could also easily miss encrypting
important traffic.
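As an added illustration (not EncrypTight code), the following Python models the PEP's highest-priority-first lookup over the Table 17 policies and over the misprioritised clear/encrypt pair from the Policy Priority section, and flags any policy that a higher-priority policy makes unreachable before the set is deployed. The data model (protocol-only matching) and the default action for unmatched traffic are assumptions.

```python
"""Highest-priority-first policy lookup on a PEP, run over the Table 17
'encrypt all with exceptions' set and over the misprioritised pair from
the Policy Priority section.

Added illustration, not EncrypTight code. Assumptions: a policy is keyed
on its protocol only (networks are left out), and traffic matching no
policy is dropped; the guide's low-priority encrypt-all policy exists so
that this fallback is never reached.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                   # 1..65000; the highest number is consulted first
    action: str                     # "Encrypt", "Drop" or "Pass in Clear"
    protocol: Optional[int] = None  # None means "Any" (all IP protocols)

    def matches(self, protocol: int) -> bool:
        return self.protocol is None or self.protocol == protocol


def ordered(policies: List[Policy]) -> List[Policy]:
    """The order in which the PEP consults policies: descending priority number."""
    return sorted(policies, key=lambda p: p.priority, reverse=True)


def classify(policies: List[Policy], protocol: int) -> Tuple[str, str]:
    """First match wins; returns (policy name, action)."""
    for p in ordered(policies):
        if p.matches(protocol):
            return p.name, p.action
    return "(no policy)", "Drop"


def shadowed(policies: List[Policy]) -> List[str]:
    """Policies that can never match because a higher-priority policy already
    matches every packet they would match. This is the 'clear-any outranks
    encrypt-one-protocol' mistake from the Policy Priority section, caught
    before the policy set is deployed."""
    unreachable, above = [], []    # `above`: policies consulted before the current one
    for p in ordered(policies):
        if any(q.protocol is None or q.protocol == p.protocol for q in above):
            unreachable.append(p.name)
        above.append(p)
    return unreachable


# Table 17: encrypt everything at low priority, exceptions above it.
TABLE_17 = [
    Policy("1-encrypt-all", 100, "Encrypt"),
    Policy("2-drop-ip-mobile", 200, "Drop", 55),
    Policy("3-clear-udp", 300, "Pass in Clear", 17),
]

# Policy A (clear, any protocol) outranks Policy B (encrypt, one protocol):
# nothing is ever encrypted. Constructed priorities and protocol number.
MISPRIORITISED = [
    Policy("A-clear-any", 500, "Pass in Clear"),
    Policy("B-encrypt-tcp", 100, "Encrypt", 6),
]

if __name__ == "__main__":
    for proto in (17, 55, 6):
        print(proto, classify(TABLE_17, proto))
    print("unreachable:", shadowed(MISPRIORITISED))
```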
Policy Size and PEP Operational Limits
Various combinations of factors can reach or exceed the operational limits of the PEP, including memory,
processor speed, and the size of the policy file. Another core issue is the number of security associations
(SAs) a PEP can support.
An SA identifies what traffic to act on, what kind of security to apply, and the device with which the
traffic is being exchanged. SAs typically exist in pairs, one for each direction (inbound and outbound).
The policies deployed from EncrypTight create SAs between the PEPs. A simple point-to-point policy
creates two SAs on each PEP. More complex configurations such as a mesh policy create more SAs.
The policy file is an XML file sent to each PEP that identifies the type of policy, the policy lifetime, and
the kind of traffic the policy affects. It also identifies the networks to be protected and the PEPs to be
used.
The size of a policy file is determined by the type of policy, the number of PEPs, and the number of
networks protected. On the ET0010A, the maximum size for the policy file is 512 KB. For the ET0100A,
the maximum size is 1024 KB.
If the policy file is larger than the maximum size, the rekey processing time on the PEP can exceed the
system timeout parameters. For example, with the ET0010A the rekey processing time for a 512 KB
policy file is approximately three minutes. If the rekey processing takes longer than this, timeouts and
errors occur that severely affect overall system performance. When timeouts and errors occur, keys can
expire or a policy might not actually be deployed.
To prevent this from happening, PEPs generate error messages and reject policy files that are larger than
the maximum size.
Minimizing Policy Size
Using EncrypTight with large, complex networks with multiple subnets protected by separate PEPs can
result in a large number of SAs on each PEP. The increased management traffic for renewing keys and
refreshing policy lifetimes could adversely affect the performance of the ETM system. If you do not
require policy filtering based on subnets located with each PEP, use the minimize policy size feature to
avoid this. This feature is not applicable to Layer 2 Ethernet policies.
To utilize the Minimize Policy Size feature, select Ignore source IP address for any IP policy or mesh
policy.
When you enable the Ignore source IP address option:
• The source network address for outbound traffic is replaced with an all networks wildcard address (0.0.0.0/0)
• The destination network address for inbound traffic is replaced with an all networks wildcard address (0.0.0.0/0)
This results in a significant reduction in policy size and keys in each PEP associated with the policy.
If the policy specifies encryption, all PEPs associated with the policy use the same key set, reducing the
number of policy entries and SAs on each PEP.
NOTE
This option is only available for encryption policies.
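To show why the wildcard substitution shrinks the policy, this added example (not EncrypTight's policy file format) counts the per-PEP traffic selectors of a constructed four-site mesh with and without Ignore source IP address. The selector model (one outbound and one inbound selector per protected source/destination network pair) is an assumption.

```python
"""Effect of the Ignore source IP address option on the number of traffic
selectors a mesh policy places on each PEP.

Added illustration, not EncrypTight's policy file format. Assumption: each
PEP holds one outbound and one inbound selector per (source network,
destination network) pair it protects. The PEP's real policy entries and
SAs are derived differently, but the 0.0.0.0/0 substitution the guide
describes collapses them in the same way.
"""
ANY = "0.0.0.0/0"   # the all-networks wildcard the option substitutes


def mesh_selectors(pep_networks: dict, ignore_source_ip: bool) -> dict:
    """pep_networks maps a PEP name to the networks behind it. Returns, per PEP,
    the set of (direction, src, dst) selectors the mesh policy requires."""
    per_pep = {}
    for pep, local in pep_networks.items():
        remote = [n for other, nets in pep_networks.items() if other != pep for n in nets]
        selectors = set()
        for r in remote:
            for l in local:
                # Outbound: local source to remote destination; inbound: the reverse.
                # With the option, the local side becomes the wildcard, so every
                # local network collapses onto the same selector.
                local_side = ANY if ignore_source_ip else l
                selectors.add(("out", local_side, r))
                selectors.add(("in", r, local_side))
        per_pep[pep] = selectors
    return per_pep


def selector_counts(pep_networks: dict) -> dict:
    """Total selectors across all PEPs with and without the option."""
    return {
        "full": sum(len(s) for s in mesh_selectors(pep_networks, False).values()),
        "ignore_source_ip": sum(len(s) for s in mesh_selectors(pep_networks, True).values()),
    }


# Constructed mesh: four sites, three subnets behind each PEP.
MESH = {f"pep{i}": [f"10.{i}.{j}.0/24" for j in range(3)] for i in range(1, 5)}

if __name__ == "__main__":
    print(selector_counts(MESH))   # the reduction factor is the subnets per PEP
```

With a single subnet behind each PEP the two counts are equal, which is why the guide limits the feature to networks with multiple subnets per PEP.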
Chapter 8: Working with Policies
Creating Policies
To create a policy:
1 If you have not yet done so, click Policies on the main menu to switch to the Policies view.
2 From the Saved tab in the Policies panel, click Policy and choose Add Policy.
3 Select the type of policy you want to create.
4 Enter additional information and select the options you need for the type of policy you are creating.
Policy types and the options available for each are discussed in “Policy Options by Mode” on
page 75.
5 Click Save.
Policy Options by Mode
Layer 2 Policies
You can create Layer 2 policies for mesh and point-to-point networks. Layer 2 policies use PEPs that are configured as Layer 2 PEPs. They do not use Network Sets.
In a Layer 2 mesh network, any network can send or receive data from any other network.
Table 18: Layer 2 Mesh Policy Options
Policy Name - Enter a unique name for the policy. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid. Names are not case sensitive.
Priority - Specifies the order in which policies are processed in the PEPs. Enter the priority for this policy from 1 to 65000. PEPs enforce policies in descending priority order with the highest priority number processed first.
Description - Enter a brief description of the policy. For example, you might want to briefly mention the purpose of the policy.
Type - Specifies how the traffic affected by this policy will be handled.
  Drop - drops all frames matching this policy.
  Clear - passes all frames matching this policy in the clear.
  Encrypt - encrypts or decrypts all frames matching this policy. Clear the Renew Keys check box to specify that the encryption keys for this policy are never renewed. Check the MPLS Encryption box to enable MPLS Encryption and the Propagate TTL box if desired.
Renew Keys/Refresh Lifetime - Specifies the lifetime of the keys and policies, and the frequency at which the keys are regenerated and policies’ lifetimes are updated on the PEPs. Regenerate keys and update policies either at a specified interval in hours or daily at a specified time. Click either Hours or Daily. EncrypTight Manager provides support for clock skew detection during refresh status. The PEP state will indicate if the clock is out of sync with EncrypTight Manager by more than 10 minutes.
  • Hours - enter the re-key interval in hours up to 65535 hours.
  • Daily - enter the re-key time using the 24 hour system clock set to the required local time of the management workstation. The re-key time will translate to the local times of the ETM servers and PEPs that might be located in other time zones.
Encrypt - Enables selection of the encryption algorithm, either AES or AES-128.
Policy Enforcement Points - Lists the PEPs where the policies and keys are distributed. Click the PEPs tab in the EncrypTight Resources panel and drag the appropriate Layer 2 PEP to the PEPs list on the Policy editor. To remove a PEP from this list, right-click the desired PEP and click Remove PEP. The PEP is removed only from this policy.
VLANs - Specifies a VLAN ID tag range for a policy. The policy affects only frames with a VLAN ID tag within the specified range. Traffic that does not match the VLAN ID tag (or range of tags) specified in the policy is dropped. If no range is specified, the policy applies to all frames. PEPs accept only single VLAN ID tags in policies. Click the VLANs tab in the Resources panel and drag the appropriate VLAN range to the VLAN Ranges list on the Policy editor.
  • You can also edit a VLAN Range from this editor. Right-click the desired VLAN Range and click Edit.
  • To remove a VLAN Range from this list, right-click the desired VLAN Range and click Remove VLAN. The VLAN range is removed only from this policy.
Figure 41: Common L2 Policy Options (Mesh)
MPLS Encryption
The process for MPLS Encryption is:
• Encrypt the MPLS payload, while leaving the Ethernet header and MPLS stack in the clear.
• Insert a new “encrypt” label (reserved label 12) at the bottom of the MPLS stack:
  • Clear the BOS bit on the previous BOS label
  • Set the BOS bit on the new label
• Encrypt everything after the new “encrypt” label
• Skip the MPLS PW control word (if configured):
  • If ‘skip-PWCW’ is configured, then pass the PWCW in the clear (skip 4 bytes after the BOS before starting to encrypt)
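The following added example (not EncrypTight code) carries out the steps above on a constructed two-label frame: it clears the old BOS bit, appends reserved label 12 with BOS set, and returns the clear and protected byte ranges with and without skip-PWCW, plus the receiver-side check that recognises such a frame by its bottom label. The TC and TTL values copied into the new entry and the absence of the CN-ESP framing are assumptions.

```python
"""MPLS encryption label handling as the guide describes it: insert the
reserved "encrypt" label (12) at the bottom of the stack, move the BOS bit
to it, and protect everything after it, optionally passing the PW control
word in the clear.

Added illustration, not EncrypTight code. Assumptions: the new entry copies
the TC and TTL of the old bottom label, and the ESP framing that CN-ESP
wraps around the protected bytes is not modelled.
"""
import struct

ETH_HLEN = 14            # assumption: untagged Ethernet header, ethertype 0x8847
ENCRYPT_LABEL = 12       # the reserved "encrypt" label named in the guide


def pack_entry(label: int, tc: int, bos: int, ttl: int) -> bytes:
    """One 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def unpack_entry(entry: bytes) -> tuple:
    (v,) = struct.unpack("!I", entry)
    return v >> 12, (v >> 9) & 0x7, (v >> 8) & 0x1, v & 0xFF


def parse_stack(data: bytes) -> tuple:
    """Return (entries, offset of the first byte after the bottom-of-stack entry)."""
    entries, off = [], 0
    while off + 4 <= len(data):
        entry = unpack_entry(data[off:off + 4])
        off += 4
        entries.append(entry)
        if entry[2]:                       # S bit set: bottom of stack
            return entries, off
    raise ValueError("no bottom-of-stack label found")


def mpls_encrypt_split(frame: bytes, skip_pwcw: bool = False) -> tuple:
    """Sender side. Returns (clear_bytes, protected_bytes): the Ethernet header
    and the rewritten label stack go in the clear; everything after the new
    encrypt label is protected."""
    eth, rest = frame[:ETH_HLEN], frame[ETH_HLEN:]
    entries, off = parse_stack(rest)
    _, tc, _, ttl = entries[-1]
    # Clear the BOS bit on the previous BOS label (the other entries already
    # carry S=0), then append the encrypt label with BOS set.
    stack = b"".join(pack_entry(l, t, 0, x) for (l, t, _, x) in entries)
    stack += pack_entry(ENCRYPT_LABEL, tc, 1, ttl)
    # With skip-PWCW, the 4-byte PW control word after the BOS stays in the clear.
    cw = 4 if skip_pwcw else 0
    return eth + stack + rest[off:off + cw], rest[off + cw:]


def is_encrypt_frame(clear: bytes) -> bool:
    """Receiver side: a frame carries CN-ESP-protected MPLS payload when its
    bottom-of-stack label is the reserved encrypt label."""
    try:
        entries, _ = parse_stack(clear[ETH_HLEN:])
    except ValueError:
        return False
    return entries[-1][0] == ENCRYPT_LABEL


def build_frame() -> bytes:
    """Constructed sample: two-label stack, a zero PW control word, a payload."""
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x88\x47"
    stack = pack_entry(1000, 0, 0, 64) + pack_entry(2000, 5, 1, 63)
    return eth + stack + b"\x00\x00\x00\x00" + b"pseudowire payload"


if __name__ == "__main__":
    clear, protected = mpls_encrypt_split(build_frame(), skip_pwcw=True)
    print([e[0] for e in parse_stack(clear[ETH_HLEN:])[0]], protected)
```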
Figure 42: MPLS Encryption Process
Figure 43: MPLS Encrypted Frame Formats
Layer 2 point-to-point policies affect only the traffic between two defined endpoints.
Table 19: Layer 2 Point-to-Point Policy Options
Policy Name - Enter a unique name for the policy. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid. Names are not case sensitive.
Description - Enter a brief description of the policy. For example, you might want to briefly mention the purpose of the policy.
Preshared Key - Enter the preshared key to use for the point-to-point policy or click Generate Preshared Key.
Generate Preshared Key - Click to automatically generate a preshared key to use.
Group ID - Enter the group ID to use.
Traffic Handling - Specifies how the traffic affected by this policy will be handled.
  Clear - passes all frames matching this policy in the clear.
  Drop - drops all frames matching this policy.
  Encrypt - encrypts or decrypts all frames matching this policy.
Point A and Point B - Click and drag the PEPs to be used for the policy to the Point A and Point B boxes.
NOTE
EncrypTight Manager does not allow ETVEPs in Layer 2 point-to-point policies. If a user tries to insert an ETVEP into a Layer 2 point-to-point policy, they will receive an error stating “ETVEP PEPs do not support Layer 2 Point To Point Policies”.
Layer 3 Policies
You can create Layer 3 policies for hub and spoke, point-to-point, mesh, and multicast policies. Many
options are common to all Layer 3 policies, but some options are unique to each, as described in the
following tables:
Common Layer 3 Policy Options
The following options are available in all policy types except where noted (see Figure 38).
Table 20: Common Layer 3 Policy Options
Policy Name - Enter a unique name for the policy. Names can be 1 - 40 characters in length. Alphanumeric characters and spaces are valid. Names are not case sensitive.
Priority - Enter the priority for this policy from 1 to 65000. PEPs enforce policies in descending priority order with the highest priority number processed first.
Description - Enter a brief description of the policy. For example, you might want to briefly mention the purpose of the policy.
Type - Specifies how the traffic affected by this policy will be handled.
  Drop - drops all packets matching this policy.
  Clear - passes all packets matching this policy in the clear.
  Encrypt - encrypts or decrypts all packets matching this policy. Clear the Renew Keys check box to specify that the encryption keys for this policy are never renewed.
Renew Keys - Specifies the lifetime of the keys and policies, and the frequency at which the keys are regenerated and policies’ lifetimes are updated on the PEPs. Regenerate keys and update policies either at a specified interval in hours or daily at a specified time. Click either Hours or Daily. EncrypTight Manager provides support for clock skew detection during refresh status. The PEP state will indicate if the clock is out of sync with EncrypTight Manager by more than 10 minutes.
  • Hours - enter the re-key interval in hours up to 65535 hours.
  • Daily - enter the re-key time using the 24 hour system clock set to the required local time of the management workstation. The re-key time will translate to the local times of the ETM servers and PEPs that might be located in other time zones.
Encryption - Specifies the encryption and authentication algorithms used in an Encrypt policy. Select the encryption algorithm from the Encryption Algorithms list:
  • AES - Advanced Encryption Standard (default)
  • 3DES - a more secure variant of Data Encryption Standard
  Select the authentication algorithm from the Authentication Algorithms list:
  • HMAC-SHA-1 - Secure Hash Algorithm
  • HMAC-SHA-2 - Secure Hash Algorithm
  • HMAC-MD5 - Message Digest 5
  Note: Layer 4 policies require AES and HMAC-SHA-1/HMAC-SHA-2.
Addressing Mode Override - Overrides the Network addressing setting for the network sets.
  • Layer 3 (Preserve internal network addresses) - This setting is always enabled for multicast policies and cannot be disabled. By default, multicast policies override the network set’s network addressing mode and preserve the network addressing of the protected networks. The IP header contains the source address of the originating network.
  • Layer 4 (Preserve address, protocol and port) - This setting overrides the network set’s addressing mode and preserves the network addressing of the protected networks, as well as the specified protocol and port numbers. The IP header includes the source address, protocol, and port of the originating network. This allows you to send the Layer 4 header information in the clear for traffic engineering and Service Level Agreement (SLA) management (for example, Quality of Service controls).
  • Tunnel Mode (Use PEP remote, Dynamic, or VIP address) - Specifies that the policy should use the PEP’s remote port IP address, the UDP Encapsulation, or the virtual IP addresses of the included network sets.
Minimize Policy Size - Specifies a method for reducing the policy size.
  • Ignore source IP address - Reduces policy size by ignoring the network addresses on the local port of the PEP. This limits the amount of network traffic needed to renew keys and refresh policy lifetimes. If you select this option, the source network address for outbound traffic and the destination network address for inbound traffic are replaced with all networks wildcard addresses (0.0.0.0/0). For more information, see “Minimizing Policy Size” on page 73.
Protocol - Specifies the Layer 3 protocol affected by this policy. The action selected for the policy is only applied to the traffic with the specified protocol.
  • Any - specifies all protocols
  • Only - specifies a particular protocol. Click to select and then enter the required protocol in the range 0 to 255.
  This option is not available for multicast policies.
Figure 44: Some Common Layer 3 Options (Mesh)
Options Specific to Hub and Spoke Policies
In a hub and spoke network, all traffic either originates from a hub network and is received by a spoke network, or it originates from one of the spoke networks and is received by the hub network.
Table 21: Options Specific to Hub and Spoke Policies
Network Sets - Identifies the network sets included in this policy. From the Network Sets panel, click and drag the appropriate network sets to either Hubs or Spokes.
Hubs - Specifies the source and destination ports for the network set selected for Hubs. In TCP and UDP, port numbers are used to identify well-known services, such as FTP, e-mail and so on. Choosing a specific port limits the action of the policy to traffic using that port. This setting is only valid if the protocol is set to 6 (TCP) or 17 (UDP).
Spokes - Specifies the source and destination ports for the network set selected for Spokes. In TCP and UDP, port numbers are used to identify well-known services, such as FTP, e-mail and so on. Choosing a specific port limits the action of the policy to traffic using that port. This setting is only valid if the protocol is set to 6 (TCP) or 17 (UDP).
Figure 45: Hub and Spoke Policy Network Sets
Options Specific to Point-to-Point Policies
In a point-to-point network, one network or network set sends and receives data to and from one other network or network set.
Table 22: Options Specific to Point-to-Point Policies
Point A - Network Set - Identifies the network set included in this policy for one side of the point-to-point network configuration. From the Network Sets panel, click and drag the appropriate network set to the Point A - Network Set.
Point A - Port - Specifies the source and destination ports for the network set selected for Point A. In TCP and UDP, port numbers are used to identify well-known services, such as FTP, e-mail and so on. Choosing a specific port limits the action of the policy to traffic using that port. This setting is only valid if the protocol is set to 6 (TCP) or 17 (UDP).
Point B - Network Set - Identifies the network set included in this policy for the other side of the point-to-point network configuration. From the Network Sets panel, click and drag the appropriate network set to the Point B - Network Set.
Point B - Ports - Specifies the source and destination ports for the network set selected for Point B. In TCP and UDP, port numbers are used to identify well-known services, such as FTP, e-mail and so on. Choosing a specific port limits the action of the policy to traffic using that port. This setting is only valid if the protocol is set to 6 (TCP) or 17 (UDP).
Figure 46: Point-to-Point Policy Network Sets
Options Specific to Mesh Policies
In a mesh network, any network or network set can send and receive data from any other network or network set.
Table 23: Options Specific to Mesh Policies
Network Sets - From the Network Sets panel, click and drag the appropriate network sets to the Network Sets box.
Figure 47: Mesh Network Sets box
Easy Mesh Policy
Easy Mesh Policy has a new policy editor panel. The panel has two drag and drop regions: one for networks and one for PEPs. The policy file that ETM creates is the same for all PEPs and includes inbound and outbound selectors for all the networks as both source and destination. The policy elements grid representation is simply a single row with all networks in the networks column and all PEPs in the PEPs column.
Note that users can then create an "apply to all" policy, as it exists today, with simply the 0.0.0.0 network and whatever PEPs they want. They do not have to create or maintain network sets.
This also has the beneficial effect of supporting partial deployments of a mesh policy. New PEPs can join this policy by simply receiving the same policy file as all other members. No other PEPs need to be deployed to.
Figure 48: Easy Mesh Policy Editor
Options Specific to Multicast Policies
In a multicast network, one or more networks send unidirectional streams to multiple destination
networks. Multicast routers detect the multicast transmission, determine which nodes have joined the
multicast network as destination networks and duplicate the packets as needed to reach all multicast
destination networks.
Table 24: Options Specific to Multicast Policies
Multicast Network - Identifies the multicast address range protected by this policy.
  • IP - multicast IP address
  • Mask - mask for the multicast IP address
Network Sets - Identifies the networks included in this policy. From the Network Sets panel, click and drag the appropriate network sets to the desired boxes.
  • Send - lists the networks that only send data
  • Receive - lists the networks that only receive data
  • Send/Receive - lists the networks that send and receive data
  ETM supports technologies such as Protocol Independent Multicast (PIM) by providing the ability to have multiple senders, receivers, and senders/receivers in multicast policies.
Figure 49: Multicast Policy Network Sets
Creating Layer 4 Policies
Layer 4 policies encrypt only the payload of the packet. The source and destination addresses, protocol,
and port in the IP header are sent in the clear. With Layer 4 policies, the Layer 4 header information is
sent in the clear for traffic engineering and Service Level Agreement management (for example, Quality
of Service controls or NetFlow statistics monitoring). You can create Layer 4 policies for point-to-point,
hub and spoke, mesh, and multicast network topologies.
You create Layer 4 policies using PEPs that are configured to operate as Layer 3 PEPs. Create the
networks, network sets, and policies as you would for Layer 3 IP policies. In the policy editor, select the
option to preserve the address, protocol, and port. This option encrypts only the payload data, making the
policy a Layer 4 policy.
Layer 4 IP encryption policies use AES-256 for encryption and HMAC-SHA-1 or HMAC-SHA-2 for
authentication. PEPs do not support 3DES or HMAC-MD5 at Layer 4.
To create a new Layer 4 policy:
1 Follow the instructions for creating policies as described in “Creating Policies” on page 75.
2 From the Addressing Mode Override section of the policy editor, select Preserve address, protocol and port (see Figure 34).
3 Save the policy.
Figure 50: Option to Encrypt the Packet Payload Only
Activating and Deactivating Policies
New policies are listed in the Saved tab of the Policies panel. Saved policies can be considered works in
progress and are not yet active or deployed. When you activate a policy, it is removed from the Saved tab
and appears in the Active tab. You can only deploy active policies.
To activate a policy:
1 In the Saved tab, select the policy that you want to activate.
2 Click Policy > Activate Policy.
3 Click Yes when you are prompted for confirmation.
Policies that have been activated but not yet deployed are marked with an icon. If you no longer need a policy, you must deactivate it before you can delete it. Deactivating a policy does not immediately remove the policy from the PEPs to which it was deployed. You must redeploy policies to remove the policy from the PEPs. Unlike the Clear Policies CLI command, this allows you to remove a specific policy rather than all policies.
To deactivate a policy:
1 In the Active tab of the Policies panel, select the policy.
2 Click Policy > Deactivate Policy.
3 Click Yes when you are prompted for confirmation.
4 Redeploy your policies.
Deploying Policies
When you deploy policies, EncrypTight generates encryption keys and sends the keys and policies to the PEPs. When you create or change policies, you have two options for deploying: Deploy Policies and Force Deploy All Policies.
Deploy Policies checks to see if any policy or element within a policy has been changed and deploys
only the new or changed policies. Among other things, this allows you to add or change elements in
existing policies and deploy only those changes instead of every active policy.
Force Deploy All Policies deploys all active policies, whether or not any changes have been made to the
policies or any elements included in the policies.
Before any changes are sent to the PEPs, EncrypTight prompts you for confirmation and displays a list of
the PEPs that will be contacted.
To deploy policies:
1 In the Active tab of the Policies panel, click Policy and choose one of the following:
• Deploy Policies to deploy only new and changed policies.
• Force Deploy All Policies to deploy all active policies.
2 In the Confirm Deployment box, click Deploy Policies.
When the deployment operation completes, the policies are marked with an icon.
If EncrypTight cannot communicate with a PEP used in a policy, it will keep retrying the deployment
action indefinitely. If this happens, you can cancel the deployment and troubleshoot the issues with the
unreachable PEP.
To cancel a deployment:
1 Click Admin > Task History.
2 Locate and select the incomplete Policy Deployment task and the corresponding Policy Set
Deployment task. Both will be marked with a status of In Progress.
3 Click the cancel icon for the tasks.
4 When you are prompted for confirmation, click Yes.
Rekeying Policies
When you create policies, you specify a rekey schedule, either daily or at a periodic interval. However,
you can initiate a rekey at any time.
To rekey policies:
1 In the Active Policy tab, click Policy > Force Rekey Policies.
2 In the Confirm Rekey box, click Rekey Policies.
Failsafe Rekey Mode
Enhanced fail-safe rekeying is designed to delay the rekey rather than drop traffic in the data plane of the
network. The reason for this strict tradeoff is fundamental to group keying: if one or more nodes that are
participating in a group policy hold a different key than the rest of the nodes in the network, the network
is split, and data plane traffic is dropped because traffic encrypted with one key cannot be decrypted
with a different key (assuming symmetric encryption). Fail-safe rekey avoids this bifurcation of the data
plane at the cost of possibly delaying the rekey. Fail-safe rekey is resilient to MITM attacks on the
management plane in that data plane traffic is not affected by the attack, but it is vulnerable to a DoS
attack against updating the keys: an attacker who can keep even one PEP unreachable from the
management plane can postpone the rekey for the whole group.
In Failsafe Rekey mode, EncrypTight will not update the keys of any device if any of the devices are
unreachable. The intent is to prevent network outages due to inconsistent key updates that do not reach
all of the devices in the network. If the key update cannot be completed on every device, EncrypTight
does not attempt it and tries again later. This prevents loss of traffic or network segmentation due to
partial key updates.
The implicit trade-off with failsafe key updates is that key updates might fail. This configuration option
gives the user the ability to prioritize network availability over enforcing a strict key update interval. In
practice, if the network and all devices are functioning properly, key updates proceed on schedule, and
only under exceptional circumstances are key updates delayed.
The behavior is to do a lightweight ping of the PEPs involved before doing the rekey. The ping has a
short time-out (4 seconds). If one or more PEPs are not reachable after 4 attempts, that rekey is skipped
and the task is marked as canceled with the reason “connectivity requirements not met: pep x,z ...”.
Because a skipped rekey leaves the whole group on the old key, review canceled rekey tasks in
Admin > Task History so that a persistently unreachable PEP does not extend the key lifetime
indefinitely.
EncrypTight also supports a time-based rekey mode in which rekeys occur according to the strict rekey
schedule specified in the policy. With this model the schedule is strict: even if some nodes have not
received the new keys, the nodes that have received them stop using the old keys after a fixed time. The
benefit is conformance to the rekey schedule; the disadvantage is that when some nodes stop receiving
on the old inbound key, other nodes may not yet have received the new outbound key, and in that case
the data plane is split. The time to start using the new outbound key (n) and the time to stop receiving
on the old inbound key (m) are programmable, and ETM keeps trying to send the key if the first attempt
fails. The difference between m and n (m-n) is an overlap period that allows time to program new
outbound keys throughout the network while still receiving on either the old or the new inbound key.
Time-based rekey allows the nodes that are reachable to be rekeyed, but any node that is not reachable
between time t and t+m continues to use the old keys while the rest of the network uses the new keys,
so the data plane is split.
Figure 51
Set Failsafe Rekey Mode
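The following script is an added illustration, not part of EncrypTight or of this guide. It models the two rekey modes described above with a constructed three-PEP group policy so you can see exactly when the data plane splits: fail-safe mode pings every PEP (4 attempts) and skips the rekey if any fails, while time-based mode rekeys whoever is reachable and relies on the overlap window between n (start sending with the new key) and m (stop accepting the old key). The PEP names, key names, `responds_after` field and all times are assumptions made for the example.

```python
"""Added example (not EncrypTight code): a model of fail-safe versus
time-based rekeying for a group policy.

Hypothetical simplifications: a PEP holds one outbound key and a set of
inbound keys it accepts; `responds_after` is the ping attempt on which the
PEP answers (0 = never) and stands in for the management-plane probe; all
times are seconds after the rekey is initiated (t).
"""
from dataclasses import dataclass, field

PING_ATTEMPTS = 4        # from the guide: 4 attempts ...
PING_TIMEOUT_SEC = 4     # ... with a 4-second timeout each


@dataclass
class Pep:
    name: str
    responds_after: int                         # 0 = unreachable
    outbound: str                               # key used to encrypt sent traffic
    inbound: set = field(default_factory=set)   # keys accepted when decrypting


def ping(pep: Pep, attempts: int = PING_ATTEMPTS) -> bool:
    """Lightweight reachability check: up to `attempts` tries."""
    return 0 < pep.responds_after <= attempts


def data_plane_connected(peps) -> bool:
    """True only if every PEP can decrypt what every other PEP is sending."""
    return all(a.outbound in b.inbound for a in peps for b in peps if a is not b)


def make_fleet(old_key="k1", unreachable=(), flaky=()):
    """Constructed three-PEP group: flaky PEPs answer on the 3rd try,
    unreachable PEPs never; every PEP starts on old_key."""
    fleet = []
    for n in ("pep-a", "pep-b", "pep-c"):
        answers = 0 if n in unreachable else (3 if n in flaky else 1)
        fleet.append(Pep(n, answers, old_key, {old_key}))
    return fleet


def failsafe_rekey(peps, new_key):
    """Fail-safe mode: ping every PEP first; if any fails, skip the whole rekey.
    Keys never change on a subset of the group, so the data plane cannot split."""
    unreachable = [p.name for p in peps if not ping(p)]
    if unreachable:
        return {"status": "canceled",
                "reason": "connectivity requirements not met: " + ", ".join(unreachable)}
    for p in peps:                       # all reachable: install the new key everywhere
        p.outbound, p.inbound = new_key, {new_key}
    return {"status": "rekeyed"}


def time_based_rekey(peps, old_key, new_key, n, m, now):
    """Time-based mode: the new key is pushed to whichever PEPs answer.
    A PEP that has it starts sending with it at t+n and stops accepting
    old_key at t+m (m-n is the overlap window). PEPs that never answered
    keep the old key. Returns whether the group is still connected at `now`."""
    assert 0 <= n <= m, "start-sending time (n) must not exceed stop-receiving time (m)"
    for p in peps:
        if not ping(p):
            continue                     # ETM keeps retrying, but this PEP missed the window
        p.inbound = {old_key, new_key}   # accept either key during the overlap
        if now >= n:
            p.outbound = new_key
        if now >= m:
            p.inbound = {new_key}
    return data_plane_connected(peps)


if __name__ == "__main__":
    degraded = make_fleet(unreachable={"pep-c"})
    print("fail-safe:", failsafe_rekey(degraded, "k2"), data_plane_connected(degraded))
    for now in (30, 120, 400):
        fleet = make_fleet(unreachable={"pep-c"})
        ok = time_based_rekey(fleet, "k1", "k2", n=60, m=300, now=now)
        print(f"time-based at t+{now}s:", "connected" if ok else "SPLIT")
```

Run it and the time-based case shows the guide's point: the group is intact while all nodes still send with the old key (before t+n), and splits from t+n onward because the unreachable PEP only accepts the old key. Fail-safe mode instead reports the rekey as canceled and the group stays on the old key, so the thing to monitor is how long that state persists.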
Copying Policies
You can copy an existing policy to serve as a starting point for a new policy. This can be helpful if you
need to make a similar policy for different network sets, or use the same network sets in a policy
targeting different traffic, for example. The copy includes all of the network sets, PEPs, and other
configuration settings from the original. You can copy both active and saved policies. EncrypTight
appends “copy” to the policy name and increments the priority by one. Because a larger number is a
higher priority, the copy outranks the original until you change its priority, so review it before you
deploy. The Policy Elements Grid shows a filterable, table-based layout of policies and elements, so that
all network sets, networks, and PEPs can be seen in one view.
Figure 52
Policy Elements Grid
To copy a policy:
1 Select the policy that you want to copy.
2 Click Policy > Copy Policy.
The copy opens in a policy editor.
3 Make the changes that you need and click Save.
Editing Policies
You can modify both saved and active policies.
When you modify an active policy, EncrypTight marks the policy with an icon to indicate that the changes
have not been deployed. If you do not want to keep the changes made to an active policy, you can undo
them before you deploy policies.
To edit a policy:
1 Double-click the policy that you want to change or select the policy and click Policy > Edit Policy.
2 Make your changes.
3 Click Save.
To undo edits to an active policy:
1 In the Active tab of the Policies panel, click Policy > Restore to Deployed Policies.
This action reverts all undeployed changes made to active policies and their network sets, networks, and VLANs.
2 Click Yes when prompted for confirmation.
NOTE
When editing a policy, the policy resources are highlighted yellow in the resources panel.
Validating Policies
You can check your policies for conformance to the policy rules prior to deployment. This is the same
validation check on policies performed during a deploy operation and when you create your policies.
The Validate Policies command checks for features not universally supported across PEP models and
software versions. It looks for inconsistencies such as using a mixture of Layer 2 / 3 PEPs in a policy,
using contiguous and non-contiguous network masks in a network set, and the use of virtual IP addresses.
Validating policies prior to deployment is useful if you have done any of the following:
• Made edits to any policy element since you last deployed policies: PEPs, networks, network sets, or policy definitions.
• Policies include a mix of appliance models.
• The PEPs in a policy are running a mix of software versions, for example PEPs running versions 1.5 and 1.6.
To validate policies:
1 On the Active tab, click Policy > Validate Policies. EncrypTight displays a confirmation message
indicating the results of the rules check.
2 If policies contain errors, go to the Policy panel to locate them. Expand the policy tree to find the
component with the configuration error. Double-click the component with the error to view the editor
and find the entry with the configuration error.
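The following script is an added illustration, not EncrypTight code and not the product's actual rule set. It performs pre-deployment checks of the kind described above (mixed Layer 2 and Layer 3 PEPs in one policy, a network set mixing contiguous and non-contiguous netmasks, use of a virtual IP address, and an advisory for mixed software versions) over a constructed policy model. The dataclasses, the version and layer fields, and the sample policies are assumptions made for the example; the netmask test is the standard one (a contiguous mask is a run of 1-bits followed by 0-bits).

```python
"""Added example (not EncrypTight code): policy checks in the spirit of
Validate Policies, run over a constructed policy model."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class Pep:
    name: str
    layer: int          # 2 = Ethernet PEP, 3 = IP PEP (hypothetical field)
    version: str        # appliance software version, e.g. "1.6"


@dataclass
class Network:
    address: str
    netmask: str        # dotted netmask; non-contiguous masks are not supported everywhere


@dataclass
class NetworkSet:
    name: str
    networks: List[Network]
    peps: List[Pep]
    virtual_ip: Optional[str] = None


@dataclass
class Policy:
    name: str
    network_sets: List[NetworkSet]


def mask_is_contiguous(netmask: str) -> bool:
    """255.255.255.0 is contiguous; 255.255.0.255 is not.
    Test: the inverted (host) bits must be of the form 2^k - 1."""
    host_bits = (~int(IPv4Address(netmask))) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


def validate_policy(policy: Policy) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    peps = [p for ns in policy.network_sets for p in ns.peps]
    if len({p.layer for p in peps}) > 1:
        findings.append(f"{policy.name}: mixes Layer 2 and Layer 3 PEPs "
                        f"({', '.join(p.name for p in peps)})")
    versions = sorted({p.version for p in peps})
    if len(versions) > 1:
        findings.append(f"{policy.name}: PEPs run mixed software versions {versions}; "
                        "confirm every feature used is supported by the oldest")
    for ns in policy.network_sets:
        if {mask_is_contiguous(n.netmask) for n in ns.networks} == {True, False}:
            findings.append(f"{ns.name}: mixes contiguous and non-contiguous netmasks")
        if ns.virtual_ip:
            findings.append(f"{ns.name}: uses virtual IP {ns.virtual_ip}, "
                            "which not all PEP models/versions support")
    return findings


# Constructed sample data, modelled on Table 26 (all Layer 3, one version).
GOOD_POLICY = Policy("Encrypt All Mesh", [
    NetworkSet("Network Set A", [Network("192.33.3.0", "255.255.255.0")], [Pep("PEP A", 3, "1.6")]),
    NetworkSet("Network Set B", [Network("192.44.0.0", "255.255.255.0")], [Pep("PEP B", 3, "1.6")]),
    NetworkSet("Network Set C", [Network("100.22.3.0", "255.255.255.0")], [Pep("PEP C", 3, "1.6")]),
    NetworkSet("Network Set D", [Network("100.33.1.0", "255.255.255.0")], [Pep("PEP D", 3, "1.6")]),
])

# Constructed sample that trips every check.
BAD_POLICY = Policy("Mixed Example", [
    NetworkSet("Network Set X",
               [Network("192.33.3.0", "255.255.255.0"),
                Network("192.33.0.5", "255.255.0.255")],      # wildcard-style mask
               [Pep("PEP X", 3, "1.6")],
               virtual_ip="192.33.3.254"),
    NetworkSet("Network Set Y", [Network("10.1.1.0", "255.255.255.0")],
               [Pep("PEP Y", 2, "1.5")]),
])

if __name__ == "__main__":
    for pol in (GOOD_POLICY, BAD_POLICY):
        print(pol.name, "->", validate_policy(pol) or "OK")
```

Running the checks before Deploy Policies rather than during it keeps the confirmation step short; a finding here is something to fix in the policy editor, not a reason to force-deploy.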
Deleting Policies
You can delete policies when they are no longer needed. You cannot delete active policies. You must
deactivate a policy before you can delete it. This helps to prevent you from deleting policies in error.
To delete a policy:
1 In the Active tab of the Policies panel, select the policy to remove.
2 Click Policy > Deactivate Policy.
3 Click Yes when prompted for confirmation.
4 In the Saved tab of the Policies panel, select the policy to remove.
5 Click Policy > Delete Policy.
6 Click Yes when prompted for confirmation.
NOTE
If you remove a PEP from a network set (Layer 3) or from a policy (Layer 2) and it was the last network
set or policy for that PEP, the PEP receives rules to either pass traffic in the clear or drop all traffic,
depending on the setting in the Admin > EncrypTight Manager Configuration page. Check that setting
before removing a PEP from its last policy: with the pass-in-the-clear setting, traffic through that PEP is
no longer encrypted.
Chapter 9: Policy Design Examples
Basic Layer 2 Point-to-Point Policy Example
In this example, we secure a single point-to-point Layer 2 Ethernet link using only the EncrypTight
Manager software and two encryption appliances. This example focuses on the required settings and does
not discuss advanced and optional settings.
Figure 53
Point-to-point Layer 2 Ethernet link
1) Layer 2 switch
2) PEP - local site
3) PEP - remote site
4) EncrypTight server
L, R, M) Local, remote, and management ports
The requirement for this policy is to encrypt all traffic between the two points.
In EncrypTight Manager, configure the interfaces for both PEPs, then click the Security tab and do the
following:
1 Select Layer 2:Ethernet for the Encryption Policy Settings.
To set up the encryption policy between the two PEPs, click the Policy tab for each PEP and make the
selections described in Table 25. Make sure that you use the same preshared key for both PEPs. The key
value in the table is a placeholder for this example; in production use a long, randomly generated key,
and never reuse a value published in documentation.
Table 25
Point-to-point Layer 2 encryption policy
Setting                    | PEP: 192.168.1.43 | PEP: 192.168.1.44
Role                       | Primary           | Secondary
IKE Authentication Method  | PresharedKey      | PresharedKey
IKE Preshared Key          | zaq123edc         | zaq123edc
Group ID                   | 0                 | 0
Traffic Handling           | EthEncrypt        | EthEncrypt
Once the PEP configurations have been saved, push the configuration to the remote PEP first, and then
push the configuration to the local PEP. For more information about creating Layer 2 point-to-point
policies, see the Configuration chapter for your PEPs.
NOTE
EncrypTight Manager does not allow ETVEPs in Layer 2 point-to-point policies. If you try to add an
ETVEP to a Layer 2 point-to-point policy, you receive the error “ETVEP PEPs do not support Layer 2
Point To Point Policies”.
Layer 2 Ethernet Policy Using VLAN IDs
This example shows a more complicated Layer 2 Ethernet policy encrypting traffic using specific VLAN
IDs. Figure 54 shows a collection of networks for a company with a central headquarters and two branch
offices. The company has a partner that needs access to specific company data, but does not need access
to the branch offices.
Traffic between the headquarters and the branches is assigned a VLAN ID tag. This assures that
communications between headquarters and the branches are not accidentally broadcast to other parties,
such as the partner. Meanwhile, traffic between the partner and the partner portal server is assigned a
different VLAN ID tag.
Finally, for added security all traffic not using one of the designated VLAN ID tags is discarded.
In this case, three separate policies need to be created:
• One Layer 2 Mesh encryption policy for traffic between the headquarters and each individual branch, using VLAN ID 10
• One encryption policy for the traffic between the partner and the partner portal server, using VLAN ID 20
• One drop policy that discards all traffic not using one of the specified VLAN ID tags, assigned a lower priority than the other policies
Figure 54
Using VLAN IDs
Policy Details
Policy 1: Headquarters and Branches
Name:     HQ/Branch Communications
Priority: 60000
Renew:    Once every 24 Hours
Type:     Encrypt
PEPs:     Headquarters, Branch 1, Branch 2
VLAN ID:  10
Policy 2: Partner and Partner Portal Server
Name:     Branch 2 Communications
Priority: 60000
Renew:    Once every 24 Hours
Type:     Encrypt
PEPs:     Headquarters, Partner
VLAN ID:  20
Policy 3: Discard All Other
Name:     Drop
Priority: 20000
Renew:    0 Hours
Type:     Drop
PEPs:     All
VLAN ID:  None
To create the policies:
1 In ETM, add and configure the PEPs to operate as Layer 2 PEPs.
2 Push the configurations to the PEPs.
3 In EncrypTight, add the VLAN ID tags.
4 Create the policies using the settings described in “Policy Details” on page 93.
5 Deploy the policies.
Complex Layer 3 Policy Example
In this example, we have sixteen networks connecting to each other through a public WAN. Four of these
networks are considered regional centers. Each regional center has three branches.
Figure 55
Network example
Encrypt Traffic Between Regional Centers
In order to encrypt traffic between the four regional centers, create a Mesh IPSec policy with each
regional network in a different network set.
Figure 56
Regional mesh encryption policy
The network sets required for this policy are:
Table 26
Network sets for mesh policy
Network Set   | Networks                          | PEPs
Network Set A | 192.33.3.0 netmask 255.255.255.0  | PEP A
Network Set B | 192.44.0.0 netmask 255.255.255.0  | PEP B
Network Set C | 100.22.3.0 netmask 255.255.255.0  | PEP C
Network Set D | 100.33.1.0 netmask 255.255.255.0  | PEP D
Using the four network sets, create the mesh policy as shown in the following table:
Table 27
Encrypt all mesh policy
Field                        | Setting
Name                         | Encrypt All Mesh
Priority                     | 1000
Renew Keys/Refresh Lifetime  | 4 hours
Type                         | IPSec
IPSec                        | Encryption Algorithms - AES; Authentication Algorithms - HMAC-SHA-2
Key Generation               | By Network Set
Addressing Mode Override     | Layer 3 (Preserve Internal Network Addresses)
Minimize Policy Size         | Disable
Network Sets                 | Network Set A, Network Set B, Network Set C, Network Set D
Protocol                     | Any
Encrypt Traffic Between Regional Centers and Branches
In order to encrypt traffic between each regional center and its branches, four hub and spoke policies are
required. The following figure illustrates the hub and spoke policy between Regional Network A and its
branches: Branch A1, Branch A2, and Branch A3.
Figure 57
Regional center to branches hub and spoke policy
These hub and spoke policies require the four network sets created in “Encrypt Traffic Between Regional
Centers” on page 94 and twelve network sets for the branch networks.
Table 28
Network sets for the hub and spoke policies
Network Set    | Networks                          | PEPs
Network Set A1 | 192.33.5.0 netmask 255.255.255.0  | PEP A1
Network Set A2 | 192.33.6.0 netmask 255.255.255.0  | PEP A2
Network Set A3 | 192.33.9.0 netmask 255.255.255.0  | PEP A3
Network Set B1 | 172.44.5.0 netmask 255.255.255.0  | PEP B1
Network Set B2 | 172.44.6.0 netmask 255.255.255.0  | PEP B2
Network Set B3 | 172.44.7.0 netmask 255.255.255.0  | PEP B3
Network Set C1 | 100.22.5.0 netmask 255.255.255.0  | PEP C1
Network Set C2 | 100.22.7.0 netmask 255.255.255.0  | PEP C2
Network Set C3 | 100.22.9.0 netmask 255.255.255.0  | PEP C3
Network Set D1 | 100.33.2.0 netmask 255.255.255.0  | PEP D1
Network Set D2 | 100.33.3.0 netmask 255.255.255.0  | PEP D2
Network Set D3 | 100.33.5.0 netmask 255.255.255.0  | PEP D3
The next four tables show the four regional hub and spoke policies.
Using Network Sets A, A1, A2, and A3, create a hub and spoke policy for region A as shown in the
following table:
Table 29
Region A hub and spoke policy
Field                        | Setting
Name                         | Region A Hub and Spoke
Priority                     | 900
Renew Keys/Refresh Lifetime  | 4 hours
Type                         | IPSec
IPSec                        | Encryption Algorithm - AES; Authentication Algorithms - HMAC-SHA-2
Addressing Mode Override     | Preserve internal network addresses
Minimize Policy Size         | Disable
Hub                          | Network Set A
Spokes                       | Network Set A1, Network Set A2, Network Set A3
Protocol                     | Any
Using Network Sets B, B1, B2, and B3, create a hub and spoke policy for region B as shown in the
following table:
Table 30
Region B hub and spoke policy
Field                        | Setting
Name                         | Region B Hub and Spoke
Priority                     | 901
Renew Keys/Refresh Lifetime  | 4 hours
Type                         | IPSec
IPSec                        | Encryption Algorithm - AES; Authentication Algorithms - HMAC-SHA-2
Addressing Mode Override     | Layer 3 (Preserve Internal Network Addresses)
Minimize Policy Size         | Disable
Hub                          | Network Set B
Spokes                       | Network Set B1, Network Set B2, Network Set B3
Protocol                     | Any
Using Network Sets C, C1, C2, and C3, create a hub and spoke policy for region C as shown in the
following table:
Table 31
Region C hub and spoke policy
Field                        | Setting
Name                         | Region C Hub and Spoke
Priority                     | 902
Renew Keys/Refresh Lifetime  | 4 hours
Type                         | IPSec
IPSec                        | Encryption Algorithm - AES; Authentication Algorithms - HMAC-SHA-2
Addressing Mode Override     | Layer 3 (Preserve Internal Network Addresses)
Minimize Policy Size         | Disable
Hub                          | Network Set C
Spokes                       | Network Set C1, Network Set C2, Network Set C3
Protocol                     | Any
Using Network Sets D, D1, D2, and D3, create a hub and spoke policy for region D as shown in the
following table:
Table 32
Region D hub and spoke policy
Field                        | Setting
Name                         | Region D Hub and Spoke
Priority                     | 903
Renew Keys/Refresh Lifetime  | 4 hours
Type                         | IPSec
IPSec                        | Encryption Algorithm - AES; Authentication Algorithms - HMAC-SHA-2
Addressing Mode Override     | Layer 3 (Preserve Internal Network Addresses)
Minimize Policy Size         | Disable
Hub                          | Network Set D
Spokes                       | Network Set D1, Network Set D2, Network Set D3
Protocol                     | Any
Passing Routing Protocols
With Layer 3 routed networks, you might need to pass routing protocols in the clear. This is normally
true when routers are placed behind the PEPs and when your WAN uses a private routed infrastructure.
With a public routed infrastructure, the ISP handles the routing.
To create policies to pass routing protocols in the clear, include the router interfaces or subnets that
participate in sharing the routing protocol. In our example, all the regional networks are Layer 3 routed
networks and all branches are switched networks. Each regional network shares routing information with
the other regional networks using EIGRP (protocol 88).
Figure 58
Passing routing protocol in the clear
Using the four network sets created in “Encrypt Traffic Between Regional Centers” on page 94, create a
mesh policy as shown in the following table:
Table 33
Pass protocol 88 in the clear mesh policy
Field                        | Setting
Name                         | Clear EIGRP
Priority                     | 2000
Renew Keys/Refresh Lifetime  | 4 hours
Type                         | Bypass
IPSec                        | (not applicable to a bypass policy)
Addressing Mode Override     | Preserve internal network addresses
Minimize Policy Size         | Disable
Network Sets                 | Network Set A, Network Set B, Network Set C, Network Set D
Protocol                     | 88
This policy must be set to a higher priority than the mesh policy created in “Encrypt Traffic Between
Regional Centers” on page 94 (2000 versus 1000 in this example). If it is set to a lower priority, the
mesh encryption policy overrides the bypass policy and the routing protocol is encrypted.
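The following script is an added illustration, not EncrypTight code and not its actual policy engine. It builds the network sets and policies from Tables 26 through 33 and answers, for a given source, destination and IP protocol number, which policy wins and what happens to the traffic, including the priority mistake warned about above. The assumptions made for the example are: a policy matches when the source and destination fall in its network sets in either direction, a hub and spoke policy covers hub-to-spoke and spoke-to-hub only (not spoke-to-spoke), the highest numeric priority wins as in the tables, and traffic that matches no policy is reported as such rather than given a disposition (that depends on the PEP configuration, which this section does not cover).

```python
"""Added example (not EncrypTight code): policy selection over the network
sets and policies of the Complex Layer 3 example."""
from ipaddress import ip_address, ip_network

NETWORK_SETS = {            # from Tables 26 and 28
    "A": "192.33.3.0/24", "B": "192.44.0.0/24", "C": "100.22.3.0/24", "D": "100.33.1.0/24",
    "A1": "192.33.5.0/24", "A2": "192.33.6.0/24", "A3": "192.33.9.0/24",
    "B1": "172.44.5.0/24", "B2": "172.44.6.0/24", "B3": "172.44.7.0/24",
    "C1": "100.22.5.0/24", "C2": "100.22.7.0/24", "C3": "100.22.9.0/24",
    "D1": "100.33.2.0/24", "D2": "100.33.3.0/24", "D3": "100.33.5.0/24",
}


def mesh(name, priority, action, sets, protocol=None):
    return {"name": name, "priority": priority, "action": action,
            "topology": "mesh", "sets": sets, "protocol": protocol}


def hub_and_spoke(name, priority, hub, spokes, protocol=None):
    return {"name": name, "priority": priority, "action": "encrypt",
            "topology": "hub_spoke", "hub": hub, "spokes": spokes, "protocol": protocol}


POLICIES = [
    mesh("Encrypt All Mesh", 1000, "encrypt", ["A", "B", "C", "D"]),            # Table 27
    hub_and_spoke("Region A Hub and Spoke", 900, "A", ["A1", "A2", "A3"]),    # Table 29
    hub_and_spoke("Region B Hub and Spoke", 901, "B", ["B1", "B2", "B3"]),    # Table 30
    hub_and_spoke("Region C Hub and Spoke", 902, "C", ["C1", "C2", "C3"]),    # Table 31
    hub_and_spoke("Region D Hub and Spoke", 903, "D", ["D1", "D2", "D3"]),    # Table 32
    mesh("Clear EIGRP", 2000, "bypass", ["A", "B", "C", "D"], protocol=88),   # Table 33
]


def member_of(addr, set_name):
    return ip_address(addr) in ip_network(NETWORK_SETS[set_name])


def policy_matches(policy, src, dst, protocol):
    if policy["protocol"] is not None and policy["protocol"] != protocol:
        return False
    if policy["topology"] == "mesh":
        # mesh: traffic between two *different* network sets of the policy
        src_sets = {s for s in policy["sets"] if member_of(src, s)}
        dst_sets = {s for s in policy["sets"] if member_of(dst, s)}
        return bool(src_sets and dst_sets) and src_sets.isdisjoint(dst_sets)
    hub, spokes = policy["hub"], policy["spokes"]
    hub_to_spoke = member_of(src, hub) and any(member_of(dst, s) for s in spokes)
    spoke_to_hub = member_of(dst, hub) and any(member_of(src, s) for s in spokes)
    return hub_to_spoke or spoke_to_hub        # spoke-to-spoke is NOT covered


def select_policy(src, dst, protocol, policies=POLICIES):
    """Highest-priority matching policy, or None if nothing covers the flow."""
    matches = [p for p in policies if policy_matches(p, src, dst, protocol)]
    return max(matches, key=lambda p: p["priority"]) if matches else None


def disposition(src, dst, protocol, policies=POLICIES):
    p = select_policy(src, dst, protocol, policies)
    return (p["name"], p["action"]) if p else (None, "no policy")


def with_priority(policies, name, priority):
    """Copy of the policy list with one policy's priority changed (what-if checks)."""
    return [dict(p, priority=priority) if p["name"] == name else p for p in policies]


if __name__ == "__main__":
    print("EIGRP A->B:", disposition("192.33.3.1", "192.44.0.7", 88))
    print("TCP A->B:  ", disposition("192.33.3.1", "192.44.0.7", 6))
    print("TCP A->A1: ", disposition("192.33.3.1", "192.33.5.9", 6))
    print("TCP A1->A2:", disposition("192.33.5.9", "192.33.6.9", 6))
    misordered = with_priority(POLICIES, "Clear EIGRP", 500)
    print("EIGRP A->B with bypass at 500:", disposition("192.33.3.1", "192.44.0.7", 88, misordered))
```

The last line reproduces the failure mode from the text: with the bypass policy below the mesh policy, EIGRP between the regional centers is selected by "Encrypt All Mesh" and is encrypted. The spoke-to-spoke case shows a second thing worth checking in a hub and spoke design, namely that branch-to-branch traffic is not covered by any of the encryption policies.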
Chapter 10: Managing PEPs
Editing Configurations
You can change the configuration of a single PEP as needed by opening the configuration editor for that
PEP. You can also change some settings for multiple PEPs in a single operation.
Security
A Security Tab has been added to consolidate PEP security features. The following items are now
configured on the ETM Security Tab:
• Encryption Mode [L2: Ethernet, L3: IP/Layer 4: Payload]
• Non-IP Traffic Handling [Clear, Discard, Discard Including ARP]
• Safe Mode Traffic Policy [Pass all traffic in the clear, Drop all clear traffic]
• Enable passing TLS in the clear
• Enable SSH
• CLI Inactivity Timeout (minutes)
• FIPS Mode Enabled
• Strong password policy
• Administrator Password
• PEP Users
• TACACS+ Configuration [Enable TACACS+ Authentication, Enable TACACS+ Accounting]
• Enable strict client authentication
• OCSP Settings
• Certificate Policy Extensions
Figure 59
ETM Security Tab
Changing Settings on a Single Appliance
To edit the configuration of a single appliance:
1 In the PEPs view, select the PEP that you want to change.
2 Click Edit.
3 In the editor, modify the configuration settings. To change all of the values to their defaults, click Use Defaults.
4 When you are done, do one of the following:
• Click OK to save your changes and close the appliance editor.
• Click Save to save your changes and keep the appliance editor open.
5 Apply the new configuration to the appliance (click Apply).
TIP
You can change some settings directly in the grid in the PEPs view. Double-click on the PEP that you
want to edit, change the settings you want to alter, and click Update.
Changing Settings on Multiple Appliances
When you edit a setting for a group of appliances, the editor displays the current data for the first
appliance selected. You can accept those values and apply them to all of the selected appliances or use
them as a starting point for as many changes as you would like. The settings that you can change for
multiple PEPs include:
• PEP users
• Date
• Data port settings: auto-negotiation, flow control, and link speed
• Policy Settings: L2/L3
• L3 Policy Reassembly Mode Settings
• SNMP Community String
• SNMP Trap Host
• SNMP Trap Mask
• SNTP Client
• Software Version
• Syslog Server
• Alert Thresholds
• Heartbeat Configuration
• TACACS+ Configuration
To update configuration settings on multiple PEPs:
1 In the PEPs view, select the PEPs that you want to change.
2 Right-click, choose Edit Multiple PEPs, and click the setting that you want to change.
3 In the editing window, make the changes that you need and click Apply.
4 Click Apply to apply the changes to the PEPs.
Refreshing Status
EncrypTight automatically checks the status of your PEPs at periodic intervals, but you can initiate a
status refresh as needed. There are two ways to refresh status:
• Refresh PEP State - Refreshes the status of the PEP only.
• Refresh All - Refreshes the PEP state, the configuration state, and the state of the policies on the PEP. A full refresh takes longer than a quick refresh.
To refresh status:
1 Select the PEPs that you want to check.
2 Do one of the following:
• Click the refresh icon to refresh the status of the PEPs only.
• Click the arrow next to the refresh icon and choose Refresh All.
For more information about status indicators, see “Viewing PEP Status” on page 41.
Deleting PEPs
You can delete PEPs from EncrypTight Manager when you need to remove them from service. When you
delete a PEP, it is removed from the PEPs view and from any network sets in which it was included. At
this point, the PEP cannot be configured or managed through EncrypTight.
To delete PEPs:
1 In the PEPs view, select the PEP that you want to remove.
2 Click Delete.
3 Click Yes when you are prompted for confirmation.
NOTE
If you delete a PEP that is in its last policy, the PEP receives rules to either pass traffic in the clear or
drop all traffic, depending on the setting in the Admin > EncrypTight Manager Configuration page.
Connecting Directly to a PEP
You can connect directly to a PEP’s command line interface (CLI) using SSH to perform troubleshooting
and diagnostic tasks. You can also access a number of show commands through the EncrypTight
software.
NOTE
• Secure Shell access has been implemented in EncrypTight Manager.
• ETM uses shellinabox on the policy server to create the interactive secure shell in the browser. The shellinabox software is GPL v2 code. Black Box makes its modifications to shellinabox available to all of its customers. To acquire the source for shellinabox, please contact us at: [email protected]
To access the full CLI for a PEP, open an SSH client and log in. For complete details about commands
and using the CLI, see the PEP CLI User Guide.
To access show commands for a PEP through EncrypTight:
1 Select the PEP and click Remote Command.
2 From the Command box, select the command to run.
3 Click Execute.
Upgrading PEP Software
Using EncrypTight, you can download new software from an FTP server to one or many PEPs. You can
upgrade a mix of PEP models, such as ET0010As, ET0100As, and ET1000As, in a single operation.
About Upgrading PEP Software
When upgrading software on PEP 1.6 and later appliances, you can use either FTP or SFTP; SFTP
provides a secure file transfer. If you choose SFTP as the connection method, all of the selected
appliances must support SFTP. Prefer SFTP wherever the appliances support it: plain FTP sends the
login credentials and the upgrade image across the network in the clear.
Software upgrades on multiple appliances are performed in parallel. By default, EncrypTight can upgrade
groups of 10 appliances at a time. If you select a larger number of appliances to upgrade, as each upgrade
completes, EncrypTight starts upgrading one of the remaining appliances. This continues until upgrades
have been initiated on all of the selected appliances. You can configure the number of PEPs EncrypTight
can upgrade concurrently.
The amount of time it takes to complete a software upgrade depends on the appliance model and speed of
the link. The upgrade time increases proportionately to the decrease in the link speed. If software is not
successfully loaded to any particular appliance in a predefined time frame, the connection times out. The
software upgrade timeout is user-configurable (Admin > Configuration).
If you experience a problem with an upgrade, you can restore the appliance’s file system from the backup
copy. A backup is created automatically on PEP appliances.
Upgrade remote appliances first when managing appliances in-line, where management traffic flows
through the data path.
Figure 60
Upgrade remote appliances
1) Local site appliance
2) Workstation
3) ETM Server
4) Remote site appliances
R, L, M) Remote port (R), local port (L), and management port (M)
If you are managing your Black Box appliances in-line as shown in Figure 60, we recommend performing a
software upgrade in two stages. First, upgrade all the appliances at remote sites and reboot them. When
the remote site appliances are up and operational, upgrade the local site appliance, which is co-located
with the EncrypTight server. Upgrading the local appliance at the same time as the remote appliances can
cause connectivity with the management system to be lost and the remote site upgrades to fail.
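The following script is an added illustration, not EncrypTight code. It shows how the two rules from this section combine in a small upgrade runner: the concurrency limit (default 10, from “About Upgrading PEP Software”) bounds how many pushes run at once, each push is failed if it exceeds the timeout (default one hour), and for in-line management the remote appliances are upgraded first, with the local appliance skipped if any remote upgrade did not succeed. The `upgrade_fn` callable, the fleet, the role labels, and the sleep-based stand-ins for the FTP/SFTP push are assumptions made for the example; a real runner would call the management API in their place.

```python
"""Added example (not EncrypTight code): a staged, concurrency-limited
upgrade runner with per-appliance timeouts and remote-before-local ordering."""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

DEFAULT_LIMIT = 10            # guide default: 10 concurrent upgrades
DEFAULT_TIMEOUT_SEC = 3600    # guide default: one hour before an upgrade times out


def run_stage(peps, upgrade_fn, limit, timeout):
    """Upgrade one stage of PEPs in parallel, at most `limit` at a time.
    Returns {pep: "ok" | "timeout" | "error: ..."} like the results table.
    Note: a queued PEP's clock starts when we begin waiting on it, so with
    more PEPs than `limit` the timeout is an upper bound per wait, not a
    precise per-transfer timer."""
    results = {}
    with ThreadPoolExecutor(max_workers=limit) as pool:
        futures = {pep: pool.submit(upgrade_fn, pep) for pep in peps}
        for pep, fut in futures.items():
            try:
                fut.result(timeout=timeout)
                results[pep] = "ok"
            except FutureTimeout:
                results[pep] = "timeout"
            except Exception as exc:            # record the failure, keep the batch going
                results[pep] = f"error: {exc}"
    return results


def staged_upgrade(fleet, upgrade_fn, limit=DEFAULT_LIMIT, timeout=DEFAULT_TIMEOUT_SEC):
    """Stage 1: every remote-site PEP. Stage 2: the local PEP, only if every
    remote upgrade succeeded; an in-line local PEP that reboots mid-upgrade
    cuts the management path to any remote PEP still being upgraded."""
    remote = [p for p, role in fleet.items() if role == "remote"]
    local = [p for p, role in fleet.items() if role == "local"]
    results = run_stage(remote, upgrade_fn, limit, timeout)
    if all(r == "ok" for r in results.values()):
        results.update(run_stage(local, upgrade_fn, limit, timeout))
    else:
        for p in local:
            results[p] = "skipped: fix remote failures first"
    return results


# Constructed sample fleet and stand-in upgrade functions.
FLEET = {"pep-remote-1": "remote", "pep-remote-2": "remote",
         "pep-remote-3": "remote", "pep-local": "local"}
SLOW_PEPS = {"pep-remote-2": 0.5}   # one remote PEP takes far longer than the rest


def quick_upgrade(pep):
    """Stand-in for the software push where every PEP completes promptly."""
    time.sleep(0.01)
    return True


def demo_upgrade(pep):
    """Stand-in for the software push where pep-remote-2 is slow."""
    time.sleep(SLOW_PEPS.get(pep, 0.01))
    return True


if __name__ == "__main__":
    print("healthy run: ", staged_upgrade(FLEET, quick_upgrade, limit=2, timeout=5))
    print("slow remote: ", staged_upgrade(FLEET, demo_upgrade, limit=2, timeout=0.2))
```

In the second run the slow remote appliance is reported as a timeout and the local appliance is deliberately left untouched, which matches the recovery procedure in “What to do if an Upgrade is Interrupted”: fix the appliances that failed, then restart the upgrade for them before moving on.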
CAUTION
We recommend rebooting immediately after upgrading. Any configuration changes that are made between
the upgrade and subsequent reboot will be lost when the appliance reboots. This includes changes to
policies and keys (including rekeys), certificates, and appliance configuration. Rebooting an appliance
interrupts traffic on the data ports for several minutes. During the reboot operation all packets are
discarded.
Upgrading PEP Software
To upgrade PEP software using the EncrypTight FTP server:
1 In the PEPs view, select the target appliances. If you are managing the PEPs in-line, upgrade the
remote site appliances before upgrading the data center appliance, as shown in Figure 60.
2 Right-click on the PEPs and click Upgrade Software.
3 Select Use the EncrypTight FTP server.
4 From the User box, select the appropriate user account.
5 For the Upgrade Directory, click Browse, select the upgrade zip file.
6 Optionally, test the connection by clicking Verify.
7 Decide when to reboot the upgraded appliances. Appliances must be rebooted for the new software to
take effect. Select the Reboot appliances immediately after operations complete check box to
automatically reboot the appliances immediately following a successful upgrade. Clear the check box
to reboot the appliances at a later time, for example after working hours. See “Rebooting PEPs” on
page 45 for more information about rebooting appliances.
8 Click Submit. EncrypTight confirms that the FTP site is reachable before it begins the upgrade
operation. Upgrade results for each appliance are displayed in the Management activity area.
To use an external FTP server, you must have previously added one in the Admin - EncrypTight
Configuration view.
To upgrade PEP software using an external FTP server:
1 From the CD for the PEPs that you want to upgrade, copy the folder for your appliance model to your
default FTP directory.
2 In the PEPs view, select the target appliances. If you are managing the PEPs in-line, upgrade the
remote site appliances before upgrading the data center appliance, as shown in Figure 60.
3 Right-click on the PEPs and click Upgrade Software.
4 Select Use an external FTP server.
5 From the Alias box select the FTP server connection that you want to use.
6 For the Upgrade Directory, click Browse, select the folder you copied in step 1, and click Open.
7 To specify a folder on the FTP server to store the upgrade software, for New Software Archive, click
Browse, select a folder, and click Open.
8 From the Connection Method box, select FTP or SFTP, as needed.
9 Optionally, test the connection by clicking Verify.
10 Decide when to reboot the upgraded appliances. Appliances must be rebooted for the new software to
take effect. Select the Reboot appliances immediately after operations complete check box to
automatically reboot the appliances immediately following a successful upgrade. Clear the check box
to reboot the appliances at a later time, for example after working hours. See “Rebooting PEPs” on
page 45 for more information about rebooting appliances.
11 Click Submit.
Table 34
FTP server information for appliance software upgrades
Field | Description
File | Specifies the software upgrade folder that you want to use. Click Browse to select a folder.
Reboot appliances immediately after operations complete | Specifies that the PEPs should be rebooted once the software upgrade is complete.
Stage upgrade only (do not perform upgrade or reboot) | Select this option if you are preparing for an eventual upgrade, but are not yet ready to upgrade your appliances. This option copies the software upgrade files to the FTP server in preparation for an upgrade.
Use the EncrypTight FTP server | Specifies that you want to use the default EncrypTight FTP server.
User | User ID of a user on the FTP server. Do not use the following characters: @ : ? # < > &
Relative Path | The directory on the FTP server that contains the files of interest. Valid entries are the default FTP directory and its subdirectories. Enter the directory listing relative to the default directory. If the files are located in the default directory, leave this field blank.
Use an external FTP server | Specifies that you want to use an external FTP server. You must have previously added an external FTP server from the Admin - EncrypTight Configuration view.
Alias | Select a name for the FTP connection. EncrypTight completes the remaining FTP server information for you based on the selected Alias.
Relative Path (external server) | The directory on the external FTP server that contains the files of interest. Valid entries are the default FTP directory and its subdirectories. Enter the directory listing relative to the default directory. If the files are located in the default directory, leave this field blank.
Connection Method | As needed, select FTP or SFTP.
Figure 61
Upgrade PEPs
Upgrading PEP software can take a significant amount of time, especially if you have many PEPs to
upgrade. In this scenario, you might want to stage the upgrade ahead of time and roll out the actual
upgrades according to a schedule. Staging the upgrade copies the software upgrade files to the server but
does not install them on any PEPs.
What to do if an Upgrade is Interrupted
If the upgrade operation is interrupted or times out prior to completion, refer to the results table to see
which appliances were successfully upgraded and which were not. For appliances that were not
successfully upgraded do the following:
1 Make a note of the appliance name and problem description in the Result column.
2 Close the Upgrade Appliances window.
3 Fix the problem with the appliance.
4 Select the target appliances and restart the software upgrade operation.
Configuring the Upgrade Timeout
By default, if an upgrade does not complete in an hour, the system times out and cancels the upgrade.
Depending on your needs, you might want to adjust the timeout period.
To configure the upgrade timeout:
1 Click Admin > Black Box EncrypTight Manager Configuration.
2 Under General Configuration, double-click Upgrade Timeout.
3 Enter a new value in the box and click Update.
Checking Upgrade Status
You can check on the status of an upgrade using two methods:
• In EncrypTight, configure a syslog server to receive events generated by the PEP. Several system log
events with a priority level of “notice” are generated by the PEP during the upgrade process.
• The show upgrade-status and show system-log CLI commands provide status on the upgrade
process. During an upgrade the CLI is available from the serial port, but you cannot initiate an SSH
session until the upgrade is complete. The show commands are available in PEP 1.5 and later.
Configuring the Upgrade Concurrency Limit
You can configure the number of PEPs that EncrypTight can upgrade at the same time. The default is 10,
but you can increase or decrease the number as needed. Keep in mind that a larger number of
concurrent upgrades could increase the traffic load on your network. You must be logged in as a platform
administrator to change this setting.
To configure the upgrade concurrency limit:
1 Click Admin > Black Box EncrypTight Manager Configuration.
2 Under General Configuration, double-click Upgrade Concurrency Limit.
3 Type a new limit in the box and click Update.
Configuring LDAP
You can configure the Lightweight Directory Access Protocol (LDAP) settings of a PEP from the LDAP
Configuration menu, reached by selecting the Admin tab and then the EncrypTight Manager Configuration
tab.
To configure LDAP:
1 Click Admin > Black Box EncrypTight Manager Configuration.
2 Under Login Configuration, double-click LDAP Configuration for the desired PEP.
3 The LDAP Configuration screen appears.
Figure 62 LDAP Configuration
Alarms and email notifications
An email alert feature notifies ETM users when there is a problem with an ETEP or with ETM, since there
is no separate network management system that collects traps and sends notifications. The feature
covers:
• Alert reporting in ETM
• ETM sends email notifications on failure
• ETEP alarms (Alert, Critical, Error, Warning, Notice) using syslog severity levels, which have
equivalent ITU X.733 severity levels
• Support for ETM alerts and alert management within ETM
• ETM email notification (immediate, hourly, daily)
Restoring the Backup Filesystem
The restore operation restores the backup copy of the appliance file system. As part of the software
upgrade process the PEP preserves a backup copy of the file system. The backup copy of the appliance
file system contains a software image, configuration files, policies and keys, certificates, log files, and
passwords. Restoring the backup file system replaces the current file system with the backup files.
The restore operation can be reversed. The restore operation essentially toggles between the current file
system and the backup image. Each time you issue the restore command, the appliance switches its
running image to whichever file system is not currently in use.
Review the following recommendations and cautions prior to restoring the file system:
• Make sure that you know the passwords used in the backup configuration. Once the backup image is
restored on the appliance, you must use the passwords from the backup configuration to log in.
• After restoring the file system, redeploy policies to the PEP to ensure that the appliance is using the
current set of policies and keys.
• The restore operation replaces the current certificate with the backup certificate. If you replaced a
certificate after the backup image was created, you will need to reinstall that certificate after the file
system is restored. Failure to do so can result in a communication failure between the PEP and
EncrypTight.
To restore the appliance file system from a backup copy:
1 In the PEPs view, select the target appliances.
2 Right-click and choose Restore from Backup.
3 Click Yes to confirm the action. The appliance will automatically reboot to complete the restore
operation.
4 Redeploy policies to the PEP to ensure that the appliance uses the current set of policies and keys.
Backup and Restore of ETM
General Guidelines
There are a variety of failure scenarios that can occur in a production environment, and recovering from
these scenarios will not always involve the same procedures. The procedures to follow will be specific to
what type of failure occurred, and how much data loss there was as a result. The common failure cases
addressed here are:
• disk drive failures
• other hardware component failures
• damage to the ETM software or database
• other filesystem damage
• complete loss of the OS
Every IT organization will have policies or practices for backing up servers, so we should learn
what a given customer does and ensure that they include the ETM servers in their procedures. We should
also ensure that their practices include creating, or already having, some form of bootable media (e.g.
DVD) so that they can access the disk drives of an ETM server in case radical damage is done to the
OS (such as 'rm -rf /'). Common examples would be a bootable Linux CD/DVD, a recovery CD made
from Clonezilla, a Ghost recovery DVD, or a generic rescue CD (or even USB stick) such as this
Backup components provided by ETM
ETM provides mechanisms for backing up its database, and also for backing up the ETM software.
Customers who do not do full server backups regularly can use those tools to ensure that they can recover
as close to a point of failure as possible, while backing up the minimal amount of data necessary to
restore. They can schedule periodic backups using EncrypTight Manager. ETM also reduces the need for
frequent full system backups.
• Database Backup: To capture a known good point-in-time configuration, users can take database
snapshots. It is recommended that this be done, at a minimum, each time they deploy a production set
of policies. See procedure 5 below.
• Database Restore: To restore to a known good point in time, a database backup can be used to restore
from. See procedure 6 below. If restoring an entire cluster, this only needs to be done on one node,
and then the other node should be synced via the UI.
• ETM Backup: A full ETM backup does not need to be performed as frequently as the database
backup, because changes to an ETM distribution are much less frequent than changes to the database.
However, whenever changes are made, it is advisable to take a backup. Users should keep backups in
a directory other than the log directory. Such changes would include:
  • Upgrading the ETM software
  • Staging new ETEP software on the ETM ftp server
  • Topology changes to a cluster (adding or removing a node)
• ETM Restore: Restoring from an ETM backup would be necessary if some damage had occurred
within the ETM install directories, such as unintentional deletion of the policyserver config files or
binaries. The ETM backup includes a database backup within the archive (tar file); however, it may
not be necessary to restore the database. If the intention of the restore is simply to fix the filesystem,
the database does not need to be restored. If, however, a full system recovery is being performed, then
the most recent ETM backup and database backup should be used for restoration. If the most recent
database backup is the one contained within the ETM backup, then that should be used.
Hardware Server specifics
Drive failures
A hardware ETM server has two possible configurations: a non-RAID dual drive system, or a RAID 1
dual drive system (mirroring).
• RAID system: For a drive failure in a RAID configuration, simply replacing the failed drive is all that
is necessary.
• Non-RAID system. There are two possibilities:
  • Failure of the main drive: Boot from the backup drive (change the BIOS order), and restore with
procedure 2, 4, or 6 below, depending on how many changes were made outside of the ETM software.
Then replace the failed drive and dd the main drive to the new drive, which becomes the new backup
drive.
  • Failure of the backup drive: Replace the backup drive and repeat the dd operation to copy the main
drive to the backup drive.
Other hardware component failures
If some component other than a drive has failed, that component could be replaced in the field, or the
server could be RMA'd back to Black Box.
Damage to the ETM software or database
If some damage is done to the ETM installation, such as unintentional removal of key configuration files
or binaries under /opt/jboss/server/policyserver, then the ETM software should be restored. If that is all
that occurred, then the database does not need to be restored. See procedure 4 below for restoring the
ETM software.
Damage to the OS or filesystem
If damage is done to other areas of the filesystem, such as unintentional removal of OS files, or files
outside of the ETM root directory, then a restore from backup will be necessary. Depending on what was
damaged, either part of the backup or all of the backup may be necessary for the restore. For example, if
the only damage was to /etc, then only that portion of the backup would be needed to recover. If
something as drastic as 'rm -rf /' had occurred, then the full backup would be needed, and then a
subsequent ETM backup or database backup might also need to be applied. That would be necessary if
such a backup existed that was more recent than the full backup. See procedures 2, 4, and 6 below.
Example backup and restore procedures
Procedure 0. Copying drives with dd (only for non-RAID systems!!!!)
An example command, run as root, to copy drive a to drive b:
dd if=/dev/sda of=/dev/sdb bs=100M conv=notrunc,noerror
Be careful with the order of if and of: if you get them confused, you will write a blank disk over a good
disk.
More info on dd can be found on Wikipedia, and also on linuxquestions.org.
The above procedure could be run regularly to snapshot a drive as it is modified, to keep the backup as
current as desired.
This procedure can serve as a full filesystem backup (alternate for Procedure 1. below) for non-RAID
configured servers. However, it is subject to drive failure of this backup drive.
Procedure 1. Backing up the entire filesystem
As stated in the General Guidelines, each IT organization will/should have standardized backup practices.
At a minimum, they should grab a full snapshot of an ETM filesystem at least once, after the installation
script has been run and they have made whatever configuration changes they wanted to for a given site
(such as changes to files in /etc). There are many ways to accomplish this. One simple method is using
the tar command. An example is provided here (this should be run as root).
cd /
tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys /
Please familiarize yourself with the tar command and its arguments. The man pages are included in the
ETM distro.
As noted above, the dd operation for non-RAID configured servers also serves as a full filesystem
backup. It can be performed at important milestones to keep the backup current.
Procedure 2. Restoring the complete filesystem, including the OS
Restoring the complete filesystem will depend on how the backup was taken. If it was via the example tar
command above, then restoring would involve untarring the backup like so:
cd /
tar xvpzf backup.tgz -C /
Note that if the filesystem on the boot partition has been completely destroyed, the server must be
booted from other media: either a CD/DVD/drive as mentioned at the beginning of this document, or a
secondary drive if the system is non-RAID and the secondary drive holds a backup.
If using a dd version of backup to restore from, the dd operation should be performed in the same manner
as was done initially, but the "if" and "of" arguments should be reversed. For example:
dd if=/dev/sdb of=/dev/sda bs=100M conv=notrunc,noerror
Alternative *nix backup methods
There are many other methods for backing up and restoring a *nix operating system. Methods include
dar, rsync, cp, scp, tar, dd, clonezilla, ghost, amanda, and many more. As mentioned previously, it is
expected that a customer's IT organization will have already established backup policies and procedures.
If not, or,
for general reference, there are many sites available on the internet that discuss this topic. For reference,
the following are listed here:
http://www.halfgaar.net/backing-up-unix
http://www.cyberciti.biz/faq/rhel-backup-linux-server/
http://www.linuxlinks.com/article/20090105114152803/Backup.html
http://stackoverflow.com/questions/15208/whats-the-best-linux-backup-solution
http://en.wikipedia.org/wiki/NetVault_Backup
Procedure 3. Backing up the ETM software and data
To back up the ETM software and data, navigate to the Platform->Utilities page, then the AppServer
Nodes tab, then select the server you are logged into, right-click, and choose Backup. This will perform a
database backup, and then create a tar archive file containing the ETM software, the root directory where
ETM is installed, the database backup, and other directories used by ETM, specifically the ftp dir and
filestore dir. The user should keep backups in a directory other than the log directory. It will also
optionally scp the backup to a remote server if those configuration properties are set up. They are named
as follows in the Admin->ETM Config page:
• Backup Server (ip)
• Backup Server scp Directory
• Backup Server scp User
• Backup Server scp Password
Also note that the ETM root dir is /opt/jboss/server/policyserver, and that the /opt/scripts directory is a
symlink to /opt/jboss/server/policyserver/scripts, so that directory will be backed up. It contains the config
files that were used during installation.
Files in /etc/init.d are not included in this tar, so those should be backed up separately, after installation.
They should never change after installation.
Whether or not the backup is scp'd to a remote host, a copy will be left in the /opt/filestore dir, and can
be downloaded via the browser from the Admin->Server Files page (from the filestore folder). Double
clicking on it will download it. The database backup will also be located there. The user should keep
backups in a directory other than the log directory.
The names are of the following format:
<host ip address>-backup-YYYYMMDD-HH-MM.tar.gz
db-backup-YYYYMMDD-HH-MM.sql.gz
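The "use the most recent backup" rule from the General Guidelines (newest ETM backup for the host, plus the newest database backup, which is the one bundled in the ETM archive unless a newer standalone db-backup exists) can be applied mechanically from the file names above. The following is an added example in Python, not part of the guide or the ETM product; classify, plan_restore and in_log_dir are hypothetical helper names, and the directory listing is constructed.

```python
import re
from datetime import datetime

# File-name formats exactly as the guide documents them:
#   <host ip address>-backup-YYYYMMDD-HH-MM.tar.gz   (ETM backup, bundles a DB backup)
#   db-backup-YYYYMMDD-HH-MM.sql.gz                  (standalone database backup)
ETM_BACKUP_RE = re.compile(
    r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3})-backup-(?P<stamp>\d{8}-\d{2}-\d{2})\.tar\.gz$"
)
DB_BACKUP_RE = re.compile(r"^db-backup-(?P<stamp>\d{8}-\d{2}-\d{2})\.sql\.gz$")

# The ETM log directory (path taken from the guide); backups should not be kept here.
LOG_DIR = "/opt/jboss/server/policyserver/log"


def parse_stamp(stamp):
    """Turn the YYYYMMDD-HH-MM part of a backup name into a datetime."""
    return datetime.strptime(stamp, "%Y%m%d-%H-%M")


def classify(filename):
    """Return ("etm", host, time) or ("db", None, time); None if not a backup file."""
    m = ETM_BACKUP_RE.match(filename)
    if m:
        return ("etm", m.group("host"), parse_stamp(m.group("stamp")))
    m = DB_BACKUP_RE.match(filename)
    if m:
        return ("db", None, parse_stamp(m.group("stamp")))
    return None


def in_log_dir(path):
    """True when a backup copy has been stored under the ETM log directory."""
    return path == LOG_DIR or path.startswith(LOG_DIR + "/")


def plan_restore(filenames, host):
    """Apply the guide's rule for a full recovery of `host`: use the newest ETM
    backup for that host, plus the newest database backup, which is the one
    bundled in the ETM archive unless a newer standalone db-backup exists.
    Returns {"etm": <name>, "db": <name>, "db_source": "bundled"|"standalone"}."""
    etm_backups, db_backups = [], []
    for name in filenames:
        info = classify(name)
        if info is None:
            continue  # not a backup artifact (e.g. a log file); ignore it
        kind, backup_host, when = info
        if kind == "etm" and backup_host == host:
            etm_backups.append((when, name))
        elif kind == "db":
            db_backups.append((when, name))
    if not etm_backups:
        raise ValueError(f"no ETM backup found for host {host}")
    etm_when, etm_name = max(etm_backups)
    newest_db = max(db_backups) if db_backups else None
    if newest_db is None or newest_db[0] <= etm_when:
        # The database backup inside the ETM archive is the most recent one.
        return {"etm": etm_name, "db": etm_name, "db_source": "bundled"}
    return {"etm": etm_name, "db": newest_db[1], "db_source": "standalone"}


if __name__ == "__main__":
    # Constructed listing of a filestore directory (names follow the guide's formats).
    listing = [
        "192.168.80.77-backup-20110101-16-35.tar.gz",
        "192.168.80.78-backup-20110301-10-00.tar.gz",
        "db-backup-20110915-15-14.sql.gz",
        "server.log",
    ]
    print(plan_restore(listing, "192.168.80.77"))
```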
Procedure 4. Restoring the ETM software and data
To restore from an ETM server backup, obtain the backup that was taken for the particular host (note that
the IP address of the host is part of the backup file name), scp it to the ETM host, and untar it. The
application server should be stopped before doing this: /etc/init.d/policyserver stop. For example, with
<user> standing in for the login account on the ETM host:
scp 192.168.80.77-backup-20110101-16-35.tar.gz <user>@192.168.80.77:/
ssh <user>@192.168.80.77
cd /
gunzip -c 192.168.80.77-backup-20110101-16-35.tar.gz | tar xvpf -
At this point, the database backup that is located in /opt/jboss/server/policyserver/log can be used (only if
necessary) to restore the database. See procedure 6. Once completed, the application server can be
restarted, /etc/init.d/policyserver start. See the notes below on details related to cluster nodes and DR
servers.
Procedure 5. Backing up the ETM database
To back up just the ETM database, navigate to the Platform->Utilities page, then the DB Nodes tab, then
select the database for the server you are logged into, right-click, and choose Backup. This will create a
backup that can be downloaded from the Admin->Server Files page, in the filestore folder. It will be
named like db-backup-YYYYMMDD-HH-MM.sql.gz. Double clicking on it will download it to your
local disk, from where it should be safely archived.
Procedure 6. Restoring the ETM database
To restore the database from a backup, scp the backup to the host being restored and execute the
db-import.sh script. If scpHost is configured, the database backup should also be copied via scp (as is
done for server backups). For example, with <user>@<etm-host> standing in for the login on the host
being restored:
scp db-backup-20110915-15-14.sql.gz <user>@<etm-host>:/opt/filestore
ssh <user>@<etm-host>
cd /opt/filestore
gunzip db-backup-20110915-15-14.sql.gz
/opt/scripts/db-import.sh --importFile=db-backup-20110915-15-14.sql
If you changed the database userid or password, you will have to supply those options as well.
[<user>@<etm-host> log]# /opt/scripts/db-import.sh --help
db-import.sh
--help
--dbUser=dbUser
--dbPass=dbPassword
--dbType=dbType
--importFile=importFile
--disasterServer=[true/false]
A disasterRekey override has been added to the policyserver-init.conf. If set to false the disaster server
will NOT start rekeys. Manual intervention is required to start rekeys on the DR in this situation.
NOTE
policyserver-init.conf has been modified to simplify certificate options and group HSM options in one place
(random number generation).
Cluster notes
Restoring a cluster node should not include restoring the database if another cluster node with a database
is still active. Instead, the database on the restored node should be synchronized via the ETM web
application. On the Platform->Utilities page, on the DB Nodes tab, find the inactive database, right-click
on it and choose Activate. Server time has been added to the AppServer Nodes grid. Each server in a
cluster provides its time, which can be viewed and checked for clock skew. Server version information
has also been added to the AppServer Nodes grid.
DR notes
If restoring a DR database (which should really never be necessary, since the backup can be pushed from
the main ETM site via the UI), you must supply the --disasterServer=true command line option.
Restoring to factory defaults
If for some reason a server needs to be set back to the state in which it was delivered from Black Box,
the /opt/scripts/factory-restore.sh script can be run. The user will be prompted twice before proceeding.
This script will stop the ETM server, delete the database and reset all configuration files to their original
state. The installer can be re-run after performing this operation.
VM Server specifics
VMWare backup guide
http://www.vmware.com/pdf/vi3_301_201_vm_backup.pdf
Note that VMWare does not consider VM snapshots backups. For more information about snapshots, read
the following knowledge base articles.
Understanding VM snapshots
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1015180
Best Practices for VM snapshots
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1025279
Chapter 11: Configuring PEPs
This chapter provides procedures and reference information for configuring PEP appliances.
To prepare the PEP for operation in your network, do the following:
• In the PEPs view, click Add to open the Appliance editor. Select the PEP appliance model from
the Product Family list (ET0010A, ET0100A, ET1000A), and select the software version loaded on
the PEP.
• From the Interfaces tab:
  • Enter the appliance name and password (password is needed for PEP software version 1.3)
  • Specify the throughput speed at which you want the PEP to run (PEP software version 1.6 and
later). The throughput speed is determined by the PEP model and license that you purchased. For
more information about throughput speeds and licenses, see “Managing Licenses” on page 61.
  • Enter the management port IP address, mask, and gateway.
Configure the settings appropriate to the type of policies that you will be creating:
• For distributed key policies, see “Configuring PEPs for Use with ETM” on page 39
• For point-to-point policies, see “Layer 2 Policies” on page 75
You can configure other items as desired, such as auto-negotiation, logging, SNMP trap hosts, or other
network interoperability settings. Configuration options vary among software revisions. For a listing of
options that are available for each software version and the default settings, see “Factory Defaults” on
page 158.
Changing the default password is an important step in maintaining the security of your network. You can
manage user accounts and passwords in the EncrypTight software or through the CLI. After adding and
configuring a new appliance, be sure to add users and passwords prior to pushing the configuration to the
appliance.
If you plan to operate the PEP in FIPS mode, we recommend enabling FIPS mode as one of your first
configuration tasks. Entering FIPS mode resets many configuration items, such as passwords, policies,
and certificates. To avoid having to reconfigure the PEP, enable FIPS mode and then perform the rest of
the appliance and policy configuration tasks. See “FIPS Mode” on page 155 for more information about
FIPS mode.
Interfaces
Figure 63 ETM Interfaces Configuration Tab
Security
A Security Tab has been added to consolidate PEP security features. The following items are now
configured on the ETM Security Tab:
• Encryption Mode [L2: Ethernet, L3: IP/Layer 4: Payload]
• Non-IP Traffic Handling [Clear, Discard, Discard Including ARP]
• Safe Mode Traffic Policy: [Pass all traffic in the clear, Drop all clear traffic]
• Enable passing TLS in the clear
• Enable SSH
• CLI Inactivity Timeout (minutes)
• FIPS Mode Enabled
• Strong password policy
• Administrator Password
• PEP Users
• TACACS+ Configuration [Enable TACACS+ Authentication, Enable TACACS+ Accounting]
• Enable strict client authentication
• OCSP Settings
• Certificate Policy Extensions
Figure 64 ETM Security Tab
Identifying an Appliance
In order to add a PEP, you must:
• Specify the product family and software version
• Enter a unique name
• Enter the desired throughput speed (PEPs with software version 1.6 and later)
The Interfaces tab contains the fields that EncrypTight uses to identify an appliance and communicate
with it: appliance name, throughput speed, and management interface IP address.
Product Family and Software Version
When you configure a new appliance, you must select the product family (for example, ET0100A) and the
software version loaded on the appliance, such as PEP1.6. EncrypTight displays a configuration screen
tailored to the specified appliance model and software version.
Appliance Name
The appliance name is defined on the Interfaces tab. The appliance name identifies an appliance to
EncrypTight. Names must adhere to the following conventions:
• Appliance names must be unique
• Names can be 1-255 characters
• Alphanumeric characters are valid (upper and lower case alpha characters and numbers 0-9)
• Spaces are allowed within a name
• The following special characters cannot be used: < > & " * ? / \ : |
• Names are not case sensitive
Because the appliance name is also the SNMP system name on the appliance, be aware of the following
restrictions when copying a name from the appliance to EncrypTight. Names with any of the
characteristics listed below cannot be copied from an appliance to EncrypTight:
• Name with one or more invalid special characters
• Blank name
• Name that is already in use as an appliance name in EncrypTight
To learn more about copying configurations from the appliance to EncrypTight, see “Comparing
Configurations” on page 42.
Throughput Speed
This section applies only to PEPs with software version 1.6 and later.
In the Throughput Speed box, enter the speed at which the PEP should run. The allowable throughput
speed depends on the PEP model and the license you purchased. EncrypTight will only allow you to run
a PEP at the speed for which it is licensed. For more information about licenses and throughput speeds,
see “Managing Licenses” on page 28.
Interface Configuration
The PEP management, local and remote ports are defined on the Interfaces tab (see Figure 65).
To configure appliance interfaces:
1 In the PEPs view, click Add.
2 In the Add PEP box, type the IP address and enter a unique name for the PEP.
3 Click OK.
4 Configure the items on the Interfaces tab, which are described in the rest of this section.
5 When you have finished configuring the appliance interfaces, do one of the following:
• Click one of the other tabs to configure additional parameters.
• Click Save and New to save the appliance configuration and add another.
• Click Save to save the appliance configuration.
• Click OK to exit the editor.
Management Port Addressing
Management of the PEP is performed out-of-band or in-line through the Ethernet management port. The
PEP management port must have an assigned IP address in order to be managed remotely and
communicate with other devices. The IP address that you enter in EncrypTight must match the IP address
in effect on the appliance’s management port.
PEPs running software version 1.6 and later include support for IPv4 and IPv6 addresses on the
management port.
Management Port Behavior
EncrypTight Manager must use 8443 as the default ETEP listening port for versions 2.3 or greater
appliances and 443 for versions less than 2.3.
NOTE
When adopting pre-2.3 version ETEPs, you MUST ensure that the mgmt port is set to 443 instead of 8443
which is the new default for version 2.3 ETEPs. You can do this by either explicitly typing 443 in the Port
field, or by selecting a previous software version in the PEP Software Version drop down, which will set
the Port field to 443.
Figure 65 Management Port Addressing Settings
IPv4 Addressing
The PEP requires an IPv4 address for proper operation, even when it is deployed in an IPv6 network.
Enter the IPv4 address, subnet mask, and gateway that is configured on the PEP’s management port.
Table 35 IPv4 management port addressing
IP Address and Subnet Mask: Enter the IPv4 address and subnet mask that has been assigned to the PEP
management port, in dotted decimal notation.
Default Gateway: Specifies how to route traffic between the PEP management port and the management
system and/or other ETM servers. When the management port is on a different subnet than the
management system or ETM server, specify the IP address of the router’s local port that is on the same
subnet as the PEP management port. In Figure 66, the default gateway is 192.168.10.1 and the
management port IP address is 192.168.10.10. If the other devices are on the same subnet as the
management port, you do not need to enter a default gateway.
NAT IP Address: If your network requires the use of allocated IP addresses when communicating over a
public network, enter the Network Address Translation (NAT) IP address for EncrypTight to use when
communicating with the PEP. If you use a NAT address, you must still configure the management port IP
address, subnet mask, and default gateway. The NAT IP address is used only by EncrypTight. It is not
pushed to the PEP, therefore it does not appear when comparing the EncrypTight and appliance
configurations.
Figure 66 Management port default gateway on the PEP
Elements of Figure 66:
1) PEP
2) Router
3) Management workstation
IPv6 Addressing
The use of IPv6 addressing is optional. If you select Use IPv6, ETM components will use IPv6 to
communicate with the PEP. When using IPv6, you must configure the PEP for dual-homed operation by
assigning an IPv4 and an IPv6 address to the management port.
To configure the PEP for operation in an IPv6 network, do the following:
1 Select Use IPv6. This tells EncrypTight to use an IPv6 address when communicating with the
PEP.
2 Enter the IPv4 address, subnet mask, and default gateway that is configured on the PEP, if you
haven’t already.
3 Enter the IPv6 address and default gateway that is configured on the PEP.
Table 36 IPv6 management port addressing
IPv6 Address (<ip address>/<prefix-length>): IPv6 address of the PEP management port. This is a
128-bit address consisting of eight hexadecimal groups that are separated by colons. Each group is a
4-digit hexadecimal number. The hexadecimal letters in IPv6 addresses are not case sensitive. The prefix
length is a decimal value that indicates the number of contiguous, higher-order bits of the address that
make up the network portion of the address. The decimal value is preceded by a forward slash (/). Valid
values are 0-128 inclusive.
IPv6 Default Gateway: IPv6 address of the router port that is on the same local network as the PEP
management port (see Figure 66).
IPv6 addresses are typically composed of two logical parts: a network prefix (a block of address space,
like an IPv4 subnet mask), and a host part. The prefix length indicates the number of bits used for the
network portion of the address.
The following is an example of an IPv6 address with a 64-bit prefix:
2001:0DB8:0000:0000:0211:11FF:FE58:0743/64
IPv6 representation can be simplified by removing the leading zeros in any of the hexadecimal groups.
Trailing zeroes may not be removed. Each group must include at least one digit.
IPv6 addresses often contain consecutive groups of zeros. To further simplify address entry, you can use
two colons (::) to represent the consecutive groups of zeros when typing the IPv6 address. You can use
two colons (::) only once in an IPv6 address.
Table 37 IPv6 address representations
Full format: 2001:0DB8:0000:0000:0211:11FF:FE58:0743
Leading zeroes dropped: 2001:DB8:0:0:211:11FF:FE58:743
Compressed format (two colons) with leading zeroes dropped: 2001:DB8::211:11FF:FE58:743
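The address rules in Table 36 and Table 37 (eight hexadecimal groups, each with at least one digit; leading zeros may be dropped; "::" at most once; prefix length 0-128) are easy to get wrong when entering a management address, and the gateway must sit on the same local network as the management port. The following added example in Python (not from the guide or the ETM product; expand_ipv6, parse_with_prefix, compress and same_network are hypothetical helper names) validates an entry, produces the two shortened forms from Table 37, and checks the gateway against the prefix; the router address used at the bottom is constructed.

```python
import re

# A group is 1-4 hexadecimal digits: leading zeros may be dropped, but every
# group must keep at least one digit (trailing zeros may not be removed).
HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(addr):
    """Parse a full, leading-zero-dropped or '::' compressed IPv6 address into 8 ints.
    Raises ValueError for anything the guide's rules do not allow."""
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group of zeros")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 hexadecimal groups, got {len(groups)}")
    values = []
    for g in groups:
        if not HEX_GROUP.match(g):
            raise ValueError(f"invalid hexadecimal group {g!r}")
        values.append(int(g, 16))
    return values


def parse_with_prefix(text):
    """Parse the Table 36 form <ip address>/<prefix-length>; the prefix must be 0-128."""
    addr, sep, plen = text.rpartition("/")
    if not sep or not plen.isdigit() or not 0 <= int(plen) <= 128:
        raise ValueError("prefix length must be given as /0 .. /128")
    return expand_ipv6(addr), int(plen)


def drop_leading_zeros(groups):
    """Table 37 'leading zeroes dropped' form (upper-case hex, as printed in the guide)."""
    return ":".join(f"{g:X}" for g in groups)


def compress(groups):
    """Table 37 compressed form: the longest run of two or more zero groups becomes '::'.
    The first run wins on ties; a lone zero group stays as '0'."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return drop_leading_zeros(groups)
    head = ":".join(f"{g:X}" for g in groups[:best_start])
    tail = ":".join(f"{g:X}" for g in groups[best_start + best_len:])
    return head + "::" + tail


def to_int(groups):
    """Pack the 8 groups into one 128-bit integer."""
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value


def same_network(groups_a, groups_b, prefix_len):
    """True when both addresses share the first prefix_len bits, i.e. the default
    gateway is on the same local network as the management port (Table 36)."""
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    return (to_int(groups_a) & mask) == (to_int(groups_b) & mask)


if __name__ == "__main__":
    pep, plen = parse_with_prefix("2001:0DB8:0000:0000:0211:11FF:FE58:0743/64")
    gateway = expand_ipv6("2001:DB8::1")  # constructed router address on the same /64
    print(compress(pep), "/", plen, "gateway on link:", same_network(pep, gateway, plen))
```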
Related topics:
• To learn how to set auto-negotiation on the management port, see “Auto-negotiation - All Ports” on
page 126.
• To learn how to restrict access by specifying the hosts that are allowed to communicate with the
management port, see “Trusted Hosts” on page 139.
Auto-negotiation - All Ports
Auto-negotiation and flow control are configured on a per port basis. Management, local, and remote port
auto-negotiation settings are configured independently of each other. The default setting for the PEP
enables auto-negotiation, which negotiates the link speed, duplex setting, and flow control. If the device
to which the PEP connects from a particular port does not support auto-negotiation or flow control,
disable one or both of these functions on that port.
It is essential that the PEP port and the connecting device’s port are configured the same way. Both
devices should either auto-negotiate or be set manually to the same speed and duplex mode. Having one
device set manually and the other auto-negotiate can cause problems that make the link perform slowly.
When manually setting the PEP link speed, configure the speed and duplex mode to match that of the
other device.
When changing the auto-negotiation setting from EncrypTight, there is a slight delay before the new
setting takes effect on the PEP. The delay is typically a few seconds, but can be as long as 30 seconds.
During this period, the old setting remains in effect.
On the management port, the PEPs support the speeds shown in Table 38.
Table 38  Link speeds on the management port
Columns: Auto-negotiate (ET0010A); Auto-negotiate (ET0100A / ET0100A / ET1000A); Fixed Speed (All PEPs)
Link speed
10 Mbps Half-duplex
10 Mbps Full-duplex
100 Mbps Half-duplex
100 Mbps Full-duplex
1000 Mbps Full-duplex
1000 Mbps Half-duplex
On the local and remote ports, the PEPs support the speeds shown in Table 39.
Table 39  Link speeds on the local and remote ports
Columns: Auto-negotiate (All PEPs); Fixed Speed (ET0010A / ET0100A / ET0100A); Fixed Speed (ET1000A)
Link speed
10 Mbps Half-duplex
10 Mbps Full-duplex
100 Mbps Half-duplex
100 Mbps Full-duplex
1000 Mbps Full-duplex
NOTE
If you are using copper SFP transceivers, auto-negotiation must be enabled on the ET1000A and on the
device that the ET1000A is connecting to. The recommended copper SFP transceivers negotiate only to 1
Gbps, even though they advertise other speeds. See the PEP Release Notes for a list of recommended
transceivers.
Remote and Local Port Settings
The remote port connects the PEP to an untrusted network, which is typically a WAN, campus LAN, or
MAN. The local port connects the PEP to a device on the local, trusted side of the network, such as a
server or a switch.
Transparent Mode
Transparent mode is the PEP’s default mode of operation on the local and remote ports. It is appropriate
for Layer 2 policies and for most distributed key policies. When operating in transparent mode the PEP
preserves the network addressing of the protected network by copying the original source IP and MAC
addresses from the incoming packet to the outbound packet header.
In transparent mode the PEP’s remote and local ports are not viewable from a network standpoint. The
local and remote ports do not use user-assigned IP addresses. In Layer 3 IP networks the local and remote
ports cannot be contacted through an IP address, and they do not respond to ARPs. The PEP is also
transparent in Ethernet networks when configured as a Layer 2 encryptor.
If you want to conceal the original source IP address when sending encrypted traffic, configure the PEP
to operate in non-transparent mode. In non-transparent mode, the original source IP address in the
outbound packet header is replaced with either an IP address for the remote port or a virtual IP address.
The PEP port MAC address is used as the packet’s source MAC address. You must assign IP addresses to
the local and remote ports when configuring the PEP for this mode of operation.
Table 40  When to use transparent mode
Policy Type                                                                         Mode of operation
Layer 2 policies (distributed key mesh and stand-alone point-to-point)              Transparent mode
Layer 3 distributed key policy: copy the original source IP address to the          Transparent mode
encryption header
Layer 3 distributed key policy: conceal the original source IP address and          Non-transparent mode
replace it with one of the following:
  • PEP remote port IP address. This forces traffic through a specific PEP.
  • User defined virtual IP address. This is useful for load balanced traffic over a private data network, or when sending traffic over the public internet.
Local and Remote Port IP Addresses
When transparent mode is disabled, you need to assign an IP address, subnet mask, and default gateway
to the local and remote ports. The remote port connects the PEP to an untrusted network, which is
typically a WAN, campus LAN, or MAN. The local port IP address identifies the PEP to the device on
the local side of the network, such as a server or a switch.
NOTE
If you change the remote IP address on a PEP that is already deployed in a policy, you must redeploy
your policies after the new configuration is pushed to the appliance.
Figure 67  Local and Remote Port Settings
IP Address and Subnet Mask
Enter the IP address and subnet mask that you want to assign to the port, in dotted decimal notation.
Default Gateway
The default gateway identifies the router’s local access port, which is used to forward packets to their
destination. The gateway IP address must be on the same subnet as the port’s IP address. In Figure 68,
the remote default gateway is the router port 192.168.144.100. The local default gateway address is
192.168.144.1.
A default gateway IP address is required when the PEP is in a routed network. If the PEPs are in the
same subnet with no routers between them you may leave the default gateway field blank. The PEP
determines if the packet destination is on the same subnet as the port, and if so, uses ARP to resolve the
destination MAC address. If the packet destination IP address is on a different subnet, the PEP sends the
packet to the designated default gateway.
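The forwarding rule in the paragraph above (ARP on the port's own subnet, otherwise the default gateway, and no gateway needed in a flat subnet) and the requirement that the gateway be on the port's subnet can both be expressed as a small pre-push check. This is an added example, not code from the guide or the product: the port and destination addresses are constructed, and only the gateway addresses 192.168.144.100 and 192.168.144.1 come from the description of Figure 68. The names are my own.

```python
"""Next-hop selection and gateway validation for a PEP data port, following
the Default Gateway description above.

Added example, not code from the guide or the product. The port addresses and
the destination addresses are constructed; 192.168.144.100 and 192.168.144.1
are the gateway addresses named for Figure 68. Names are my own.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class PortConfig:
    ip: str
    netmask: str
    gateway: str = ""     # blank is allowed when no router sits between the PEPs

    @property
    def network(self):
        return ipaddress.IPv4Interface(self.ip + "/" + self.netmask).network


def validate_port(cfg):
    """Problems an operator should fix before pushing the configuration: the
    guide requires the gateway to be on the same subnet as the port."""
    problems = []
    if cfg.gateway:
        gw = ipaddress.IPv4Address(cfg.gateway)
        if gw not in cfg.network:
            problems.append("gateway %s is not on subnet %s" % (gw, cfg.network))
        elif gw == ipaddress.IPv4Address(cfg.ip):
            problems.append("gateway equals the port's own address")
    return problems


def next_hop(cfg, destination):
    """How the PEP forwards a packet leaving this port:
    ('arp', destination) when the destination is on the port's subnet,
    ('gateway', gw) when it is off-subnet and a gateway is configured, and
    ('drop', reason) when it is off-subnet and the gateway field is blank."""
    dst = ipaddress.IPv4Address(destination)
    if dst in cfg.network:
        return ("arp", str(dst))
    if not cfg.gateway:
        return ("drop", "%s is off-subnet and no default gateway is configured" % dst)
    return ("gateway", cfg.gateway)


if __name__ == "__main__":
    # constructed port addresses; the gateways are those named for Figure 68
    remote = PortConfig("192.168.144.10", "255.255.255.0", "192.168.144.100")
    local = PortConfig("192.168.144.20", "255.255.255.0", "192.168.144.1")
    for port in (remote, local):
        print(validate_port(port), next_hop(port, "10.20.30.40"))
```

The "drop" outcome is the failure mode worth checking for: a blank gateway is fine only while every peer really is on the same subnet, and the check makes that assumption visible before the configuration is pushed.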
Figure 68  Remote port default gateway in a routed network
Elements of Figure 68:
1) PEP
2) Router to untrusted network
3) Router to trusted local network
Transmitter Enable
The PEP can be configured to propagate a loss of signal event detected at one of its data ports to the
device connected to its other data port. The PEP performs this function by monitoring for loss of signal at
the port’s receiver. For example, when the loss of signal is detected on the PEP’s remote port, the local
port transmitter is disabled, generating a loss of signal event in connecting device’s port. When the loss of
signal event clears on the remote port, the local port transmitter is enabled, clearing the event in the
connecting device’s port. Similarly, when a loss of signal is detected on the local port, the remote port
transmitter is disabled.
Alternatively, the PEP port transmitter can be configured to always remain enabled, regardless of the
other port’s link state. In this state the PEP can reliably recover from a link loss. But because the
transmitter is always on, the appliance may inadvertently mask cable or device failures in the network.
The transmitter behavior configuration should be the same on both the local and remote ports.
Table 41  Transmitter Enable settings on the PEP
Setting          Description
Follow receiver  The transmitter follows the behavior of the receiver. If loss of signal is detected on the remote port, then the transmitter on the local port is disabled. Similarly, if loss of signal is detected on the local port, the PEP disables the transmitter on the remote port. When the lost signal is restored, the correlating transmitter is enabled.
Always           The transmitter is always on regardless of whether a signal is received.
DHCP Relay IP Address
The DHCP Relay feature allows DHCP clients on the local port subnet to access a DHCP server that is
on a different subnet. The DHCP relay feature is applicable in Layer 3 IP networks.
Enable the DHCP Relay feature only on PEPs that have DHCP clients on the local port that require
access to a DHCP server that is on a different subnet from the local clients (see Figure 69). This feature
is not needed when DHCP servers or relay agents are on the same local network with the DHCP clients,
nor is it needed on the PEP at the remote site where the DHCP server is located.
Figure 69  DHCP Relay allows local clients to access a DHCP server on a remote subnet
Elements in Figure 69:
1) PEP on local subnet with DHCP clients off the local port (L1). DHCP Relay feature is enabled.
2) Remote site PEP, co-located with DHCP server. DHCP Relay feature disabled.
Local and remote port IP addresses are required for proper DHCP Relay Agent behavior. In order to use
local and remote port IP addresses, the PEP must be operating in non-transparent mode.
To use the DHCP Relay feature, configure the following items on the Interfaces tab:
1 Disable transparent mode.
2 Assign local and remote port IP addresses to the PEP.
3 In the DHCP Relay IP Address field, enter the IP address of the DHCP server.
Ignore DF Bit
When the PEP is configured for use in Layer 3 IP encryption policies, its default behavior is to enable DF
Bit handling on the local port. This tells the PEP to ignore the “do not fragment” (DF) bit in the IP
header, and fragment outbound packets that exceed the MTU of the system. This setting should be used
under the following conditions:
• Reassembly mode is set to gateway
• ICMP is blocked at the firewall
• PMTU path discovery isn’t working
A symptom of a PMTU problem is when the network operates normally when traffic passes in the clear but loses packets when encryption is turned on.
You can override the default behavior by disabling the DF Bit handling on the local port. The PEP will then discard packets in which the DF bit is set and the packet length, including the encryption header, exceeds the PMTU.
Table 42  Ignore DF Bit settings
Setting   Description
Enabled   The PEP ignores the DF bit in the IP header and fragments outbound packets greater than the MTU of the system. This setting is automatically enabled when the reassembly mode is set to gateway.
Disabled  The PEP acts in accordance with the DF bit setting in the IP header.
Reassembly Mode
The reassembly mode setting applies to packets entering the PEP’s local port that are subject to
fragmentation. This setting specifies whether packets are fragmented before or after they are encrypted
and who performs the reassembly of the fragmented packet: the destination host or gateway.
The reassembly mode option is available only when the PEP’s Encryption Policy Setting is set to Layer
3:IP. When the Encryption Policy Setting is set to Layer 2:Ethernet, packets that are subject to
fragmentation are encrypted prior to fragmentation. Layer 2 jumbo packets that exceed the PMTU are
discarded. The Encryption Policy Setting is configured on the Security tab.
Table 43  Reassembly mode settings
Setting  Description
Gateway  This setting is recommended for PEP-PEP encryption. Packets are encrypted first and then fragmented based on the new packet size, which includes the encryption header. This behavior is consistent with RFC 2401. The gateway (PEP) performs the reassembly. When the reassembly mode is set to gateway, the Ignore DF Bit setting is automatically enabled.
Host     This setting is required for the PEPs to interoperate successfully with Black Box SGs. Packets are fragmented before they are encrypted, and the encryption header is added to the packet fragments. The destination host performs the reassembly.
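The interaction between the Ignore DF Bit setting (Table 42) and the reassembly mode (Table 43) is easiest to see by running the two orders of operations, encrypt-then-fragment and fragment-then-encrypt, on the same packet. The block below is an added example, not the product's code: it models the Layer 3 rules stated in the two tables and in the Ignore DF Bit section. ENC_OVERHEAD is an assumed encryption header size (the section does not give one), the function and class names are mine, and the 8-byte granularity of real IP fragment offsets is deliberately not modelled.

```python
"""Model of the Ignore DF Bit (Table 42) and Reassembly Mode (Table 43)
settings for a Layer 3 PEP.

Added example, not the guide's or the product's code. ENC_OVERHEAD is an
assumed encryption header size; the real value is not stated in this section.
Names are my own; real IP fragment offset granularity (8 bytes) is ignored.
"""
from dataclasses import dataclass, field

ENC_OVERHEAD = 60   # assumed encryption header size in bytes (constructed)


@dataclass
class Decision:
    action: str                                   # 'pass', 'fragment' or 'discard'
    fragments: list = field(default_factory=list)  # on-the-wire sizes in bytes
    reassembled_by: str = ""                      # 'gateway' (peer PEP) or 'host'
    reason: str = ""


def _split(total, limit):
    """Split `total` bytes into pieces no larger than `limit`."""
    pieces, left = [], total
    while left > 0:
        piece = min(limit, left)
        pieces.append(piece)
        left -= piece
    return pieces


def forward(payload, df_set, pmtu, reassembly_mode="gateway", ignore_df=True):
    """Apply the Layer 3 rules to a packet entering the local port.

    Gateway mode encrypts first and then fragments the larger packet, and
    forces Ignore DF Bit on (Table 43). Host mode fragments the clear packet
    so that each piece plus its own header still fits the PMTU, and leaves
    reassembly to the destination host. With Ignore DF Bit disabled, a
    DF-marked packet that would exceed the PMTU once encrypted is discarded."""
    if reassembly_mode not in ("gateway", "host"):
        raise ValueError("reassembly_mode must be 'gateway' or 'host'")
    if reassembly_mode == "gateway":
        ignore_df = True                      # automatically enabled (Table 43)
    encrypted = payload + ENC_OVERHEAD
    if encrypted <= pmtu:
        return Decision("pass", [encrypted])
    if df_set and not ignore_df:
        return Decision("discard", [], "",
                        "DF set and %d bytes exceeds PMTU %d" % (encrypted, pmtu))
    if reassembly_mode == "gateway":
        return Decision("fragment", _split(encrypted, pmtu), "gateway")
    room = pmtu - ENC_OVERHEAD
    if room <= 0:
        raise ValueError("PMTU too small for the encryption header")
    frags = [p + ENC_OVERHEAD for p in _split(payload, room)]
    return Decision("fragment", frags, "host")


if __name__ == "__main__":
    for mode in ("gateway", "host"):
        print(mode, forward(1500, df_set=True, pmtu=1500, reassembly_mode=mode))
    print("host, DF honoured", forward(1500, True, 1500, "host", ignore_df=False))
```

Running it shows the symptom described in the Ignore DF Bit section: a 1500-byte payload that crosses the PEP in the clear becomes 1560 bytes once encrypted, so with a 1500-byte PMTU and DF honoured it is dropped, while either reassembly mode with Ignore DF Bit enabled lets it through as two fragments.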
Trusted Hosts
In its default state the PEP management port accepts all packets from any host. The trusted host feature
lets you restrict access by specifying the hosts that are allowed to communicate with the management
port. When the trusted host feature is enabled, packets that are received from non-trusted hosts are
discarded. An exception is SSH, which is a secure protocol. It is always allowed regardless of host.
NOTE
Trusted Hosts is disabled by default in PEP v1.5 and later.
Figure 70  Trusted host list
All ETM servers must be included in the trusted host list when the trusted hosts feature is enabled, and at
least one trusted host must have HTTPS enabled. HTTPS (TLS) is required for EncrypTight to PEP
communications.
If you enter the IP address incorrectly, EncrypTight will be unable to communicate with the PEP. To
recover, you will need to log in to the CLI and issue the disable-trusted-hosts command. See
Troubleshooting for more information.
All ETM servers that communicate with this PEP must also be included in the trusted host list.
If you add a new ETM server after the trusted host feature is enabled on the PEP, you can add the server to its trusted host list in one of the following ways:
• Use the server in a policy definition
• On each PEP that is using the trusted host feature, clear the Enable Trusted Hosts checkbox and then select it again
In either case, you must apply the new configuration to the PEPs for the new trusted host list to become effective. Until you apply the new configuration, the PEP’s status is displayed as not equal in the PEPs view.
The PEP interacts with two types of hosts:
• Inbound hosts are the management system protocols used to communicate with the PEP: HTTPS, ICMP, and SNMP.
• Outbound hosts receive packets initiated by the PEP: SNMP trap hosts, syslog servers, and NTP server hosts.
Inbound host protocols (HTTPS, ICMP, and SNMP) are enabled and disabled on the Trusted Host tab.
Inbound protocols are enabled by default for each host. Use caution when disabling these protocols as it
can affect the management system’s ability to communicate with the PEP.
Table 44  Inbound trusted host protocols used by the EncrypTight
Protocol  Description
HTTPS     Used for secure communication between the management system and the PEP.
ICMP      Used for pings and other diagnostic and routing messages.
SNMP      Used to get SNMP data from the PEP (name, location, and contact).
You cannot add, modify or delete an outbound host directly from the trusted host list. You must make changes in the Appliance editor tab for that feature (Table 45). When you add an outbound host such as a syslog server, NTP server or SNMP trap host to the appliance configuration, the host’s IP address is automatically added to the trusted host list. For example, if you add an NTP server in the Appliance editor Advanced tab, the NTP server is automatically added to the trusted host list as shown in Figure 70.
The process is similar when deleting an outbound host. Using the syslog server as an example, delete the syslog server from the Logging tab. One of two outcomes occurs:
• If no other ports are enabled for that IP address, the trusted host entry is automatically deleted.
• If other ports are enabled for that IP address, the change is automatically reflected in the trusted host list, which displays a status of “no” in the Syslog column for that IP address. You can then either leave the modified entry as is, or you can select the trusted host entry and click Delete to remove it from the trusted host list.
Table 45  Modify outbound trusted hosts on their respective Appliance editor tabs
Outbound host  Appliance Editor Tab
Syslog server  Logging
NTP            Advanced
SNMP traps     SNMP
To add a trusted host:
1 On the Trusted Hosts tab, click Enable Trusted Hosts.
2 Click the add icon.
3 In the box, type the IP address of the host.
4 Click the checkbox for the applicable protocols.
5 Click Update.
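The rules in this section (per-protocol flags on inbound hosts, SSH always accepted, outbound hosts added and removed through their own tabs, the entry surviving only while some port is still enabled, and the two conditions that must hold before the feature is applied) fit in a small model. What follows is an added example, not code from the guide or the product; the class and method names and the IP addresses are constructed by me to illustrate the described behaviour.

```python
"""Model of the PEP trusted host list: inbound protocol flags, the SSH
exception, and the automatic add/delete of outbound hosts (syslog, NTP, SNMP
traps) described in the Trusted Hosts section.

Added example, not code from the guide or the product. Class and method names
and all IP addresses are my own constructions.
"""
from dataclasses import dataclass, field

INBOUND = ("HTTPS", "ICMP", "SNMP")          # Table 44: set on the Trusted Hosts tab
OUTBOUND = ("Syslog", "NTP", "SNMP traps")   # Table 45: set on Logging, Advanced, SNMP tabs


@dataclass
class TrustedHost:
    ip: str
    flags: dict = field(default_factory=lambda: {p: False for p in INBOUND + OUTBOUND})


class TrustedHostList:
    """Trusted host list of one PEP. Disabled by default (PEP v1.5 and later):
    while disabled the management port accepts packets from any host."""

    def __init__(self, enabled=False):
        self.enabled = enabled
        self.hosts = {}

    def add_host(self, ip, **flags):
        """Operator adds a management host on the Trusted Hosts tab. Inbound
        protocols are enabled by default; pass e.g. HTTPS=False to clear one."""
        for proto in flags:
            if proto not in INBOUND:
                raise ValueError("%s is changed on its Appliance editor tab, not here" % proto)
        host = self.hosts.setdefault(ip, TrustedHost(ip))
        for proto in INBOUND:
            host.flags[proto] = flags.get(proto, True)
        return host

    def add_outbound(self, ip, service):
        """Configuring a syslog server, NTP server or trap host on its own tab
        adds the host to the list automatically."""
        if service not in OUTBOUND:
            raise ValueError("unknown outbound service %s" % service)
        self.hosts.setdefault(ip, TrustedHost(ip)).flags[service] = True

    def remove_outbound(self, ip, service):
        """Deleting the outbound host on its tab: the entry is dropped if no
        other port is enabled for that IP, otherwise only the column goes to 'no'."""
        host = self.hosts[ip]
        host.flags[service] = False
        if not any(host.flags.values()):
            del self.hosts[ip]
            return "entry deleted"
        return "%s column now 'no'" % service

    def accepts(self, src_ip, protocol):
        """Filter applied to a packet arriving on the management port."""
        if protocol == "SSH" or not self.enabled:
            return True           # SSH is always allowed regardless of host
        host = self.hosts.get(src_ip)
        return bool(host and host.flags.get(protocol, False))

    def check(self, etm_servers):
        """Checks before applying a configuration with the feature enabled:
        every ETM server is listed, and at least one host has HTTPS enabled."""
        problems = []
        for ip in etm_servers:
            if ip not in self.hosts:
                problems.append("ETM server %s missing from trusted host list" % ip)
        if not any(h.flags["HTTPS"] for h in self.hosts.values()):
            problems.append("no trusted host has HTTPS enabled")
        return problems
```

The `check` method encodes the recovery scenario the section warns about: if the list is applied without a correct, HTTPS-enabled entry for every ETM server, the only way back is the CLI `disable-trusted-hosts` command, so it is worth refusing to apply such a list in the first place.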
SNMP Configuration
The PEP includes an SNMP agent. When enabled, the SNMP agent in the PEP sends traps to one or
more management systems. Traps can be monitored and viewed using an SNMP network management
application.
The PEP supports the SNMP versions shown in Table 46. On PEPs that support SNMPv2 and SNMPv3,
you can configure the PEP to use both types of trap hosts.
Table 46  SNMP support in PEP software versions
PEP Software version  SNMPv2c  SNMPv3
PEP v1.2-1.5          yes      no
PEP v1.6 and later    yes      yes
System Information
For managing a number of PEP appliances from a single management system, it is helpful to have some
basic housekeeping information about the SNMP agent in the PEP, such as its name, location, and a
contact person for the device. SNMP uses the Appliance Name as the MIB2 sysName.
Figure 71  SNMP configuration for system information, community strings, and traps
Take note of the following requirements when defining SNMP system information:
• To set the system information on an appliance, the community string must be defined as read/write, as described in “Community Strings” on page 135.
• System information can contain alphanumeric characters and spaces. The following special characters are not allowed: < > “ &
Table 47  SNMP system information
Setting      Definition
Name         Indicates the name assigned to the PEP.
Description  Provides a brief description of the PEP or other notes.
Location     Describes the location of the PEP in the network.
Contact      Defines the designated contact information for the device.
Community Strings
By default the PEP disregards SNMP requests from a network management system. A community name
must be defined for the network management system to monitor and collect statistics from the appliance.
The community name identifies a group of devices and management systems running SNMP. An SNMP device or agent can belong to more than one SNMP community. An appliance will not respond to requests from management systems that do not belong to one of its communities.
To define a community name:
1 Under Community Strings, click the add icon.
2 In the Access box, select an access option. A read-only community name allows queries of the SNMP agent in the appliance. A read-write community name allows a network management system to perform queries and limited set operations (system location and contact).
3 In the String box, enter an SNMP community name. The name is a text string of alphanumeric characters, with a maximum length of 255. All printable characters are valid except: < > “ &
4 Click Update.
Traps
To configure SNMP traps, first select the trap types to be generated. All of the selected trap types will be
sent to the configured hosts. Traps cannot be configured on a per-host basis.
Table 48  Traps reported on the PEP
Trap            Description
Critical error  The following critical error traps indicate that the PEP is in an error state:
                • criticalFailure: Traffic on the device has been halted and the device is in a failure state.
                • filesystemFailure: Inadequate free space in flash memory.
                • temperatureFailure: The PEP has exceeded the temperature threshold for safe operation.
                The following platform warning traps indicate issues that warrant immediate attention, but do not put the PEP in an error state:
                • deployFailure: The PEP encountered a problem while replacing its policies.
                • certificateManagementWarning: Security certificate management encountered an issue of interest to network operators, such as failed certificate generation, installation, or validation.
                • checkSystemClockWarning: The PEP detected clock skew that may affect policies. System clock synchronization (NTP) should be checked as soon as possible.
                • filesystemWarning: The file system is approaching memory space limits or the syslog daemon is not running.
                • ntpMonitorWarning: The PEP is unable to synchronize with an NTP server after trying for 30 minutes.
                • powerSupplyWarning: ET1000A only. The PEP detects problems in one of two redundant power supplies.
                • rekeyFailure: The PEP encountered a problem while rekeying current policies.
                • temperatureWarning: The operating temperature is approaching unsafe limits. The device should be checked as soon as possible.
Generic         • coldStart: the SNMP agent has been powered on.
                • notifyShutdown: the SNMP agent is in process of being shut down.
                • linkUp: one of the communication links has come up (local or remote port).
                • linkDown: one of the communication links has failed (local or remote port).
                • authenticationFailure: the SNMP agent received a packet with an incorrect community string.
Fan             • fan failed trap down: Fan failure detected. Fan is operating at less than 75% of full speed.
                • fan failed trap up: Fans are operating normally.
Log in          Reports successful and failed log in and log out attempts.
NOTE
The coldStart and notifyShutdown traps are always generated, even when Generic traps are disabled.
SNMPv2 Trap Hosts
After selecting the traps that the PEP will generate, specify the IP address of the trap hosts that will
receive the traps. All of the selected traps are sent to the defined trap hosts. Traps cannot be configured
on a per-host basis.
Figure 72  SNMPv2 Trap Hosts
To configure a trap host:
1 Under Trap Hosts, click the add icon.
2 In the IP Address box, type the trap host’s IP address. Traps that are enabled on the appliance will be sent to the designated host. Traps are enabled at the appliance level; they cannot be enabled or disabled at the host level.
With PEP software version 1.6 and later, you can use either IPv4 or IPv6 addresses.
3 To finish configuring trap hosts, click Update.
SNMPv3
PEP version 1.6 and later includes support for SNMPv3, in addition to SNMPv2c. You can use either
version of SNMP, or both simultaneously.
SNMPv3 enhances security by adding authentication and encryption features.
• The engine ID identifies the PEP as a unique SNMP entity. The PEP’s engine ID must be configured on every trap recipient before traps can be authenticated and processed by the trap host.
• Three security levels are available to control access to the management information: no authentication and no encryption, authentication and no encryption, and authentication and encryption.
• Trap host users define the destination that receives the traps, plus security information about communication between SNMPv3 entities. Trap host users are defined by a user name, security level, IP address, and optional authentication and encryption parameters. The PEP supports IPv4 and IPv6 addresses.
In order to exchange messages between an SNMP manager and PEP agent, both parties have to be
configured with the same user. The manager also has to know the PEP’s engine ID. If you want to
authenticate communications, the authentication algorithm and authentication key must be known to both
parties. For encryption, two more pieces of information are necessary: the encryption algorithm and
encryption key. The keys are generated from the authentication and encryption passwords.
Other notes about the SNMPv3 implementation on the PEP:
• Traps apply globally to all trap host users. The PEP does not support trap filtering to individual hosts.
• The PEP supports SNMPv3 MIB walks when authentication is enabled (security level set to authNoPriv or authPriv).
• To use SNMPv3 with encryption when in FIPS mode, SNMP traffic for each trap host must be secured in an IPsec tunnel.
When using SNMPv3 on the PEP, do the following:
1 Configure the system information and community string.
2 Select the traps to enable on the PEP.
3 Select a method for generating the engine ID.
4 Configure the SNMPv3 trap host users.
Generating the Engine ID
The engine ID is a unique local identifier for the SNMP agent in the PEP. The PEP automatically
generates its own engine ID upon startup, or you can manually enter an engine ID seed that the PEP will
use to generate the engine ID.
Each PEP must have a unique engine ID. Duplicate engine IDs can cause SNMP errors. To prevent duplicate IDs, we recommend letting the PEP generate its own pseudo-random ID. To use the PEP-generated seed, leave the Engine ID field blank.
If you manually enter an engine ID seed, be sure to use a different seed for each PEP. Manually entered engine ID seeds must conform to the following conventions:
• The engine ID seed is a string from 1-256 characters.
• Valid values include upper and lower case alpha characters (a-z), numbers 0-9, spaces, and most printable keyboard characters.
• The following characters are not allowed: < > ” &
NOTE
Before the manager can authenticate and process traps generated by the PEP, you must copy the PEP’s
engine ID and trap host user information to the trap hosts.
Retrieving and Exporting Engine IDs
The PEP’s engine ID uniquely identifies the SNMP entity in that PEP. The PEP’s engine ID must also be
configured on every trap host before traps can be authenticated and processed by the trap host.
Using EncrypTight, you can retrieve and display the PEP engine ID. EncrypTight can export the engine
IDs to a text file. Alternatively, the SNMP engine ID can be viewed from the CLI by issuing the show
running-config command.
To retrieve engine IDs:
1 In the PEPs view, select the target appliances. EncrypTight can retrieve the engine IDs from multiple
appliances in a single operation.
2 Right-click and choose View SNMPv3 Engine Ids. The engine IDs are displayed.
Configuring the SNMPv3 Trap Host Users
Trap host users define the destination that receives the traps, plus security information about
communication between SNMPv3 entities. Trap host users are defined by a user name, security level,
authentication and encryption parameters, and an IP address. The PEP supports IPv4 and IPv6 addresses.
NOTE
If you plan to use SNMPv3 with encryption in FIPS mode, SNMP traffic for each trap host must be
secured in an IPsec tunnel.
Figure 73  SNMPv3 Trap Hosts
To configure a trap host user:
1 If you haven’t already done so, select the traps that the PEP will generate (see “Traps” on page 114).
2 Under SNMPv3 Trap Hosts, click the add icon.
3 Configure the trap host users as described in Table 49 and then click Update. Traps that are enabled on the appliance will be sent to the designated host. The trap host user information must be configured on both the PEP and trap recipient.
Table 49  SNMPv3 trap host users
Field                    Description
IP Address               The IP address of the host that will receive the traps generated by the PEP. With PEP software version 1.6 and later, you can use either IPv4 or IPv6 addresses.
User name                Name that identifies the PEP’s account to the trap host. The user name / IP address combination must be unique. The user name can be 1-255 characters in length. The following characters are not allowed: < > & “ * ? / \ : |
Security level           • noAuthNoPriv: provides no authentication and no privacy
                         • authNoPriv: provides authentication but no encryption
                         • authPriv: provides authentication and encryption
                         The default is noAuthNoPriv.
Authentication Type      SHA. Required for the authNoPriv and authPriv security levels.
Authentication Password  The password is used to generate the authentication key. It is 8-256 characters in length. The following characters are not allowed: ? < > “ . ,
Encryption Type          AES. Required with the authPriv security level.
Encryption Password      The password is used to generate the encryption key. It is 8-256 characters in length. The following characters are not allowed: ? < > “ . ,
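The SNMPv3 section says the keys are generated from the passwords and that the manager must also know the PEP's engine ID; the standard USM mechanism (RFC 3414) is what ties the two together, because the key derived from a password is then localized with the engine ID, so manager and agent only agree on a key when both hold the same engine ID. The block below is an added example, not the PEP's own code (this section does not show how the appliance derives its keys): it implements the RFC 3414 password-to-key algorithm with SHA-1 (the guide's "SHA" authentication type), takes the AES-128 privacy key as the first 16 bytes of the localized key as RFC 3826 specifies, and applies the Table 49 password rules. The password and engine ID used in the test are the sample values from RFC 3414 Appendix A, not PEP values; the function names are mine.

```python
"""RFC 3414 password-to-key derivation with engine-ID localization, the
standard mechanism behind 'the keys are generated from the authentication and
encryption passwords' and the need to copy the PEP's engine ID to trap hosts.

Added example, not part of the guide or product. Implements the USM algorithm
with SHA-1 (the guide's 'SHA' authentication type); the PEP's own key handling
is not shown in this section. Function names are my own.
"""
import hashlib

ONE_MEGABYTE = 1_048_576   # RFC 3414 A.2: the password is stretched to 1 MB


def check_password(password):
    """Length and character rules from Table 49 (8-256 chars, no ? < > " . ,)."""
    if not 8 <= len(password) <= 256:
        raise ValueError("password must be 8-256 characters")
    bad = set('?<>".,') & set(password)
    if bad:
        raise ValueError("characters not allowed: %s" % "".join(sorted(bad)))


def password_to_ku(password):
    """Ku: SHA-1 over the password bytes repeated to exactly 1,048,576 bytes.
    Ku depends only on the password, not on any engine."""
    h = hashlib.sha1()
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize(ku, engine_id):
    """Kul = SHA-1(Ku || engineID || Ku). The same password yields a different
    key on every engine, which is why a manager must know the PEP's engine ID."""
    return hashlib.sha1(ku + engine_id + ku).digest()


def usm_keys(auth_password, priv_password, engine_id):
    """Keys both sides derive for an authPriv trap host user: a 20-byte SHA-1
    authentication key and a 16-byte AES-128 privacy key (first 128 bits of
    the localized privacy key, per RFC 3826)."""
    check_password(auth_password)
    check_password(priv_password)
    auth_key = localize(password_to_ku(auth_password.encode()), engine_id)
    priv_key = localize(password_to_ku(priv_password.encode()), engine_id)
    return {"auth_key": auth_key, "priv_key": priv_key[:16]}


if __name__ == "__main__":
    # RFC 3414 Appendix A sample values, not a PEP engine ID or password
    engine_id = bytes.fromhex("000000000000000000000002")
    ku = password_to_ku(b"maplesyrup")
    print("Ku ", ku.hex())
    print("Kul", localize(ku, engine_id).hex())
    print(usm_keys("maplesyrup", "maplesyrup", engine_id)["priv_key"].hex())
```

Two practical consequences follow from the code: a trap host configured with the right user name and passwords but a stale or wrong engine ID will compute a different `Kul` and reject every trap as unauthenticated, and reusing one password across PEPs does not reuse the on-the-wire key as long as the engine IDs are unique, which is the reason the guide insists on unique engine IDs.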
Logging Configuration
The PEP log keeps track of messages and events generated by various processes, such as encryption,
certificates, rekeys, and SNMP.
All log messages are sent to a log file. You can select the level of information to record by setting the
priority for each log facility, which is a category, or grouping, of log messages. Log messages can be
viewed in the following ways:
• Configure the PEP to send log messages to a syslog server
• Use EncrypTight to retrieve the log files from an appliance, and view them on the management system as a text file. EncrypTight retrieves the log files for each log facility and concatenates them into a single file. It also saves the log files from each facility in separate files.
Figure 74  Logging tab
Log Event Settings
Categories of log messages are referred to as facilities, and they typically indicate which process
submitted a message. Each facility can be assigned a priority, which sets the level at which a log message
is triggered. Log events settings consist of a log facility and its priority level.
Five facilities are unique to the PEP. When messages from these facilities are sent to a syslog server,
syslog displays their source as Local 0 - Local 4. Table 50 describes each facility and provides a mapping
of the PEP facility name to its syslog counterpart. The Internals facility consists of several operating
system facilities.
Table 50  Log facilities
Facility            Description
Local 0/System      Significant system events that are not associated with the other predefined facilities, including:
                    • NTP clock sync successes and failures (informational priority)
                    • Appliance software upgrade status (notice priority)
                    • ET1000A power supply status changes (informational priority)
                    • XML-RPC calls from EncrypTight to the PEP (debug priority)
Local 1/Data plane  • Messages about packet processing and encryption
                    • PMTU changes (debug priority)
Local 2/DistKey     EncrypTight distributed key functionality, such as rekeys and policy deployments (informational priority)
Local 3/PKI         Certificate messages
Local 4/SNMP        SNMP messages
Internals           Operating system messages for the following Linux facilities: audit, auth and authpriv, cron, daemon, kernel, syslog, user. Audit log events are associated with a user name. The audit log includes events such as the following:
                    • Successful and unsuccessful log in attempts
                    • Additions and deletions of PEP user accounts
                    • Use of administrator functions, such as appliance configuration changes and policy deployments.
The priority determines the amount of information that is recorded for a log facility. When you select a
priority for a facility, all messages at that priority and higher are logged; for example a priority of “error”
means “error + critical + alert + emergency.” The priorities shown in Table 51 are listed from lowest
(debug) to highest (emergency).
Table 51  Log priorities
Priority       Description
Debug          Detailed processing status. Not recommended during normal operations. The volume of messages may negatively affect the performance of the management port.
Informational  Information messages that do not relate to errors, warnings, audits, or debugging.
Notice         Normal but important events.
Warning        A problem exists, but it doesn’t prevent the appliance from completing tasks.
Error          Error conditions and abnormal events.
Critical       Critical condition, for example the appliance is prevented from accomplishing a task.
Alert          Immediate action required. The device will continue to run, but not all functions are available.
Emergency      Emergency; system unusable.
Defining Syslog Servers
The PEP can send log messages to a syslog server. The PEP does not impose a limit on the number of
syslog servers that can be used. Syslog messages are sent from the management port using port 514 in
standard syslog format (RFC 3164). When the facilities are displayed at the syslog server, they appear as
Local 0 - Local 4, not as PEP-specific categories such as data plane, PKI, SNMP, or distkey. See Table 50
for a mapping of log facility names to the numeric syslog designation.
When you configure a syslog server, the messages from all of the facilities are sent to that server,
according to the configured priority for each facility. You cannot exclude specific facilities from the list.
To define a syslog server:
1 Under Syslog Servers, click the add icon.
2 Enter the IP address of the server.
With PEP software version 1.6 and later, you can use either IPv4 or IPv6 addresses.
3 Click Update.
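Three facts from the logging sections combine on the collector side: a facility set to a priority records that priority and everything above it (Table 51), the PEP facilities arrive at the syslog server as Local 0 to Local 4 (Table 50), and the messages are standard RFC 3164 syslog, whose PRI field packs facility and severity as `facility * 8 + severity`. The block below is an added example, not code from the guide or the product: it applies the per-facility thresholds to constructed sample events, renders them with the PRI value a PEP facility maps to, and decodes a received line back to the PEP facility name so a collector can label "local2" as DistKey. The Internals facility is left out because it is a group of operating system facilities rather than one Local n value. The event data and function names are mine.

```python
"""Per-facility priority filtering (Table 51 semantics) and RFC 3164 PRI
encoding for the PEP facilities mapped to Local 0 - Local 4 (Table 50).

Added example, not part of the guide or product. The sample events are
constructed; the facility mapping and priority names come from the section.
Function names are my own. The Internals facility (a group of OS facilities)
is not covered.
"""
from dataclasses import dataclass

# Table 50: PEP facility -> syslog local facility number (RFC 3164 local0 = 16)
FACILITY_TO_LOCAL = {"System": 0, "Data plane": 1, "DistKey": 2, "PKI": 3, "SNMP": 4}
LOCAL_TO_FACILITY = {v: k for k, v in FACILITY_TO_LOCAL.items()}

# Table 51, lowest to highest; RFC 3164 severity codes run the other way (7 = debug)
PRIORITIES = ["Debug", "Informational", "Notice", "Warning",
              "Error", "Critical", "Alert", "Emergency"]
SEVERITY_CODE = {name: 7 - i for i, name in enumerate(PRIORITIES)}


@dataclass
class LogEvent:
    facility: str
    priority: str
    text: str


def is_logged(event, configured):
    """A facility set to priority P records messages at P and higher, so
    'Error' means error + critical + alert + emergency."""
    threshold = configured[event.facility]
    return PRIORITIES.index(event.priority) >= PRIORITIES.index(threshold)


def pri_value(facility, priority):
    """RFC 3164 PRI = facility_code * 8 + severity_code, with the PEP facility
    translated to its Local n counterpart (local0 is facility code 16)."""
    return (16 + FACILITY_TO_LOCAL[facility]) * 8 + SEVERITY_CODE[priority]


def to_syslog(event, timestamp, host):
    """Render the event in the form it would reach the syslog server."""
    return "<%d>%s %s %s" % (pri_value(event.facility, event.priority),
                             timestamp, host, event.text)


def decode_pri(line):
    """Recover (PEP facility, priority) from a received line, so a collector
    can display 'DistKey' instead of 'local2'."""
    end = line.index(">")
    fac_code, sev = divmod(int(line[1:end]), 8)
    local = fac_code - 16
    if local not in LOCAL_TO_FACILITY:
        raise ValueError("facility code %d is not a PEP facility (Local 0-4)" % fac_code)
    return LOCAL_TO_FACILITY[local], PRIORITIES[7 - sev]


if __name__ == "__main__":
    # constructed per-facility settings and events
    configured = {"System": "Notice", "Data plane": "Error", "DistKey": "Informational",
                  "PKI": "Informational", "SNMP": "Informational"}
    events = [LogEvent("DistKey", "Informational", "rekey completed"),
              LogEvent("System", "Informational", "NTP clock sync ok"),
              LogEvent("Data plane", "Critical", "traffic halted")]
    for ev in events:
        if is_logged(ev, configured):
            print(to_syslog(ev, "Jan  1 00:00:00", "pep1"))
```

Note the asymmetry between the two numbering schemes: Table 51 lists Debug as the lowest priority, while RFC 3164 gives Debug the highest severity code (7), so `SEVERITY_CODE` reverses the table's order and `decode_pri` reverses it back.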
Log File Management
Each log file is a fixed length list of entries, as shown in Table 52. The log files rotate as they fill; they do not wrap. The most recent events are always written to a .log file in the format <logname>.log. When the first log file is full its contents are archived and rotated to <logname>.log.1.gz. New events continue to be written to the .log file. When the <logname>.log file fills a second time, its contents rotate to <logname>.log.1.gz and the contents of the previously designated .log.1.gz rotate to .log.2.gz. The log files rotate until five log files have been filled (.log, .log.1.gz, .log.2.gz, .log.3.gz, .log.4.gz). At that point the contents of the oldest log file, .log.4.gz, are deleted.
Table 52 Log file sizes
Log name | File size
audit.log | 200k
dataplane.log | 250k
distkey.log | 250k
pki.log | 250k
snmp.log | 250k
system.log | 500K
Internal logs:
auth.log | 100k
cron.log | 10k
daemon.log | 10k
kern.log | 100k
syslog.log | 100k
user.log | 100k
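The rotation scheme described above, as an added Python simulation that is not the appliance's own code: a file named <logname>.log is written until the Table 52 limit is reached, then compressed to .log.1.gz while .log.1.gz through .log.3.gz shift up one slot and .log.4.gz is deleted. It assumes the "k" in Table 52 means 1024 bytes, and the demo uses a tiny limit so that the rotation can be exercised offline.

```python
"""Simulate the PEP's five-file log rotation (.log, .log.1.gz ... .log.4.gz).

Added example, not the appliance's own implementation. Assumption: "k" in
Table 52 is 1024 bytes.
"""
import gzip
import os
import tempfile

# Fixed sizes from Table 52, in bytes.
LOG_SIZES = {
    "audit.log": 200 * 1024,
    "dataplane.log": 250 * 1024,
    "distkey.log": 250 * 1024,
    "pki.log": 250 * 1024,
    "snmp.log": 250 * 1024,
    "system.log": 500 * 1024,
}
MAX_ARCHIVES = 4  # .log.1.gz .. .log.4.gz; the next rotation deletes .log.4.gz


def rotate(logdir, logname):
    """Archive the current .log file and shift the older archives by one."""
    base = os.path.join(logdir, logname)
    oldest = f"{base}.{MAX_ARCHIVES}.gz"
    if os.path.exists(oldest):
        os.remove(oldest)            # contents of .log.4.gz are deleted
    for n in range(MAX_ARCHIVES - 1, 0, -1):
        src, dst = f"{base}.{n}.gz", f"{base}.{n + 1}.gz"
        if os.path.exists(src):
            os.replace(src, dst)     # .log.N.gz -> .log.N+1.gz
    with open(base, "rb") as cur, gzip.open(f"{base}.1.gz", "wb") as arc:
        arc.write(cur.read())        # current .log becomes .log.1.gz
    open(base, "wb").close()         # new events go to a fresh .log


def append_event(logdir, logname, line, size_limit=None):
    """Append one event line, rotating first if the file would exceed its limit."""
    limit = size_limit or LOG_SIZES[logname]
    base = os.path.join(logdir, logname)
    data = (line.rstrip("\n") + "\n").encode()
    current = os.path.getsize(base) if os.path.exists(base) else 0
    if current > 0 and current + len(data) > limit:
        rotate(logdir, logname)
    with open(base, "ab") as f:
        f.write(data)


def archive_names(logdir, logname):
    """Archive files present, newest first (.log.1.gz is the most recent)."""
    return [f"{logname}.{n}.gz" for n in range(1, MAX_ARCHIVES + 1)
            if os.path.exists(os.path.join(logdir, f"{logname}.{n}.gz"))]


def read_archive(logdir, name):
    """Decompress one archived log, as gzip or 7-zip would on the workstation."""
    with gzip.open(os.path.join(logdir, name), "rt") as f:
        return f.read()


def demo(events_per_file=3, fills=6):
    """Fill system.log `fills` times; return the archives left and the oldest one."""
    logdir = tempfile.mkdtemp()
    template = "constructed event %02d"
    limit = (len(template % 0) + 1) * events_per_file   # exactly N events per file
    for i in range(events_per_file * fills):
        append_event(logdir, "system.log", template % i, size_limit=limit)
    names = archive_names(logdir, "system.log")
    oldest = read_archive(logdir, names[-1]).splitlines()
    return names, oldest
```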
When EncrypTight retrieves the log files from the PEP, it gets the current and archived log files as
individual files. The concatenated file contains only the current log files. Archived log files are saved as
compressed .gz files. To view the archived files, use gzip, WinZip, or 7-zip to decompress them. ETM
will not automatically zip the ETEP log files.
Figure 75 Retrieve PEP Log Files
Figure 76 Appliance Settings
Path Maximum Transmission Unit
The PMTU specifies the maximum payload size of a packet that can be transmitted by the PEP (see Table
53). The PMTU value excludes the Ethernet header, which is 14-18 bytes long, and the CRC. The PMTU
setting applies to the local and remote ports. On the management port the PMTU is hard-coded to 1400
bytes.
Table 53 Valid PMTU ranges on PEP appliances
Layer | PMTU range | Default
Layer 2 | 800-9300 bytes | 1500
Layer 3 | 576-9300 bytes | 1500
Before sending a packet from its remote or local port the PEP compares the packet payload size to the
configured PMTU. Depending on payload size and appliance configuration the PEP either discards the
packet, transmits the packet, or fragments the packet before transmitting, as described in Table 54.
Table 54 PMTU and fragmentation behavior on the PEP
Packet payload size: Less than or equal to PMTU
  Layer 2 PEP: Passes the packet.
  Layer 3 PEP: Passes the packet.
Packet payload size: Exceeds PMTU
  Layer 2 PEP: When operating in non-jumbo mode (PMTU 1500), the PEP fragments packets that exceed the PMTU. When operating in jumbo mode (PMTU 1501-9300), the PEP discards packets that exceed the PMTU.
  Layer 3 PEP: Fragments the packet if the payload exceeds the PMTU by less than 100 bytes, to allow for encapsulation overhead. Discards the packet under the following circumstances: the payload exceeds the PMTU by more than 100 bytes, or the DF bit is set in the IP header.
Fragmentation resolves the problem of encryption overhead, which consists of the extra bytes that are
added to the packet as a result of security encapsulation. For example, a packet with a payload size of
1500 bytes may pass through the network without being discarded. But after encapsulation, the payload
size increases by 37-52 bytes. The resulting larger packet may be rejected by some equipment located in
the network between the two peer appliances. By fragmenting the packet, the separate fragments are not
rejected by the network.
The PEP can be configured to perform pre-encryption or post-encryption fragmentation when it is
operating as a Layer 3 encryptor. This feature is called Reassembly mode, and it is defined on the
Interfaces tab in the Appliance editor. Reassembly mode cannot be configured when the Encryption
Policy Setting is set to Layer 2:Ethernet. At Layer 2, packets that are subject to fragmentation are
encrypted prior to fragmentation. Jumbo packets that exceed the PMTU are discarded.
When the PEP is configured as a Layer 3 encryptor, the PEP discards packets that exceed the PMTU size
and have the DF (do not fragment) bit set in the IP header. You can override the DF bit in the IP header
using the Ignore DF Bit setting on the local port.
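The decision rules of Table 54, combined with the DF-bit and Ignore DF Bit behavior described above, as an added Python example that is not the PEP's own code. It assumes a PMTU of 1500 or below counts as non-jumbo mode, treats a Layer 3 overrun of exactly 100 bytes as a discard (the table only states "less than" and "more than"), and models Ignore DF Bit as a boolean; the sample packets are constructed.

```python
"""Apply the pass / fragment / discard rules of Table 54 to packet payloads.

Added example, not the PEP's own code. Assumptions: PMTU <= 1500 is
non-jumbo mode, a Layer 3 overrun of exactly 100 bytes is discarded, and
Ignore DF Bit is a boolean on the local port.
"""
from dataclasses import dataclass

PMTU_RANGES = {2: (800, 9300), 3: (576, 9300)}  # Table 53
NON_JUMBO_PMTU = 1500        # above this the Layer 2 PEP is in jumbo mode
ENCAP_SLACK = 100            # Layer 3 fragmentation margin from Table 54
ENCAP_OVERHEAD = (37, 52)    # bytes added by security encapsulation


def pmtu_is_valid(layer, pmtu):
    """True if pmtu lies in the Table 53 range for the given layer."""
    lo, hi = PMTU_RANGES[layer]
    return lo <= pmtu <= hi


@dataclass
class PepConfig:
    layer: int                   # 2 or 3, from the Encryption Policy Setting
    pmtu: int = 1500             # default from Table 53
    ignore_df_bit: bool = True   # local port default from Table 64

    def __post_init__(self):
        if not pmtu_is_valid(self.layer, self.pmtu):
            raise ValueError(f"PMTU {self.pmtu} invalid for Layer {self.layer}")


def decide(cfg, payload_len, df_bit=False):
    """Return 'pass', 'fragment' or 'discard' for one packet payload."""
    if payload_len <= cfg.pmtu:
        return "pass"
    overrun = payload_len - cfg.pmtu
    if cfg.layer == 2:
        # Non-jumbo: encrypt, then fragment. Jumbo (1501-9300): discard.
        return "fragment" if cfg.pmtu <= NON_JUMBO_PMTU else "discard"
    if df_bit and not cfg.ignore_df_bit:
        return "discard"         # DF set and not overridden by Ignore DF Bit
    return "fragment" if overrun < ENCAP_SLACK else "discard"


def encapsulated_size(payload_len):
    """Payload size range after the 37-52 byte encapsulation overhead."""
    return (payload_len + ENCAP_OVERHEAD[0], payload_len + ENCAP_OVERHEAD[1])


# Constructed sample traffic: (payload length in bytes, DF bit set?)
SAMPLE_PACKETS = [(1400, False), (1500, False), (1560, False),
                  (1560, True), (1700, False)]


def tally(cfg, packets=SAMPLE_PACKETS):
    """Count what happens to each sample packet under one configuration."""
    counts = {"pass": 0, "fragment": 0, "discard": 0}
    for length, df in packets:
        counts[decide(cfg, length, df)] += 1
    return counts
```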
Non IP Traffic Handling
The non IP traffic handling setting is available when the PEP is configured for use in Layer 3 encryption
policies. This setting provides options for how to handle Layer 2 packets that are not IP at Layer 3. Non-IP
packets can be discarded or passed in the clear. When discarding non-IP traffic, you have the option of
passing ARP packets in the clear or discarding them as well. All packets that are IP at Layer 3 are
handled according to the policies that are loaded on the appliance.
When the non-IP discard feature is enabled, the appliance looks at the packet’s Layer 3 protocol flag. If
the protocol flag is IP, then the appliance processes the packet normally. If the protocol flag is non-IP,
then the appliance discards the packet. This processing applies to both inbound and outbound packets.
The appliance’s default setting is clear, where non-IP packets are passed in the clear and IP packets are
processed according to the policies loaded on the appliance.
Table 55 Non IP traffic handling configuration
Setting | Description
clear | All packets that are non-IP at Layer 3 are passed in the clear.
discard | All packets that are non-IP at Layer 3 are discarded. ARP packets are excluded from the discard action.
discardIncludingARP | All packets that are non-IP at Layer 3 are discarded, including ARP packets.
CLI Inactivity Timeout
The CLI session is terminated if no activity is detected on the CLI in a specified amount of time. The
inactivity timer is set to 10 minutes by default. The timer applies to a CLI session initiated through the
serial port or through SSH.
The inactivity timer is specified in minutes, with valid values ranging from 0–1440 minutes (24 hours).
When the CLI inactivity timer is set to zero the session does not time out. Timers may be deleted outside
of development mode.
Setting the inactivity timer does not affect the current CLI session. The change is effective on all
subsequent CLI sessions.
Password Strength Policy
The password strength policy affects the following items:
• Password conventions
• Password history exclusion, which limits the reuse of passwords
• Password expirations, warnings, and grace periods
• Maximum number of concurrent login sessions allowed per user
• The number of login failures allowed before locking an account
The strong password policy enforces more stringent password rules and conventions than the default
password policy. The default password policy is enforced unless you explicitly enable the strong
password policy.
NOTE
Enabling strong password enforcement restarts the SSH daemon, closing any open SSH connections
between EncrypTight and the PEP. It can take up to 30 seconds to re-establish an SSH connection after
enabling strong passwords.
XML-RPC Certificate Authentication
The ETM system supports the use of smart cards such as the DoD Common Access Card (CAC). The use
of a CAC provides user authorization in addition to certificate-based authentication. When you use CACs,
ETM components use the certificates installed on the card to determine if a user is authorized to perform
a specific action.
Setting up the PEP to use a CAC involves several tasks:
1 Install certificates on the PEPs. This task is performed using the EncrypTight software.
2 Enable strict authentication on the PEPs.
3 Enable Common Access Card Authentication on the PEPs.
4 Add common names to the existing user accounts on the PEPs, or add new user accounts with
common names. These names must match the common names used on the identity certificates
included on the CACs.
Additional steps are required to prepare the management workstation and the ETM servers to use strict
authentication with a CAC. Be sure to complete all of the required steps in order, as described in “Using
Enhanced Security Features” on page 175.
SSH Access to the PEP
SSH is used for secure remote CLI management sessions through the Ethernet management port. SSH
access to the appliance is enabled by default.
To prevent remote access to the CLI, clear the Enable SSH checkbox. When SSH is disabled, CLI access
is limited to the serial port.
PEP Users
This section discusses user accounts for the PEP appliances. These accounts are unique to the PEP and
should not be confused with user accounts for the EncrypTight software.
You can manage user accounts for appliance users through EncrypTight or the CLI of the appliance.
PEP User Roles
The user role determines how a user can access the appliance and what tasks the user can perform once
logged in. Users are assigned a role and a password that allows them to access the functionality of the
appliance that is available to that role. The PEP can track appliance events based on user name, such as
user account activity and policy deployments.
The PEP has two roles: Administrator and Ops. The Administrator manages the appliance using the
EncrypTight software. The Administrator configures the appliance, and creates and deploys policies. The
Ops user is only able to log in to the CLI and has access to a limited set of commands.
Table 56 Appliance roles
Function | Administrator | Ops
Manage passwords and users | Yes | No
EncrypTight access | Yes | No
CLI access | Yes | Yes (subset of commands)
The Administrator assigns user names, passwords and roles for all users. When first installing the PEP,
use the default Administrator password to log in, as shown in Table 57. It is strongly recommended that
the Administrator change the default passwords before putting the PEP into operation in the network.
Table 57 Default user names and passwords on the PEP
Role | Default user name | Default password
Administrator | admin | admin
Ops | ops | ops
You must maintain at least one Administrator user account on the PEP in order to manage the appliance.
You can add as many user accounts to the PEP as you need. The PEP does not impose a cap on the
number of user accounts that can be added.
Configuring the Password Enforcement Policy
PEP 1.6 and later allows you to choose whether to use the default password enforcement policy or strong
password enforcement. This option is configured on the Advanced tab. Prior to adding appliance users,
configure the password policy on the target appliances. If you plan to configure users and passwords for
multiple appliances at once, make sure that the target appliances are enforcing the same password
strength policy (strong or default).
The password strength policy determines the following:
• Strength of password rules and conventions
• Password expiration period, expiration warning notification, and grace period
• Maximum number of concurrent user logins allowed
The default password controls are less stringent than the strong password controls, and use standard
values for password expiration and maximum number of user logins. The default password controls are
enforced on the PEP unless you explicitly enable strong enforcement.
Earlier versions of PEP software enforce only the default password conventions.
User Name Conventions
Follow the guidelines below when creating user names. These conventions apply regardless of the
password strength policy.
• User names can range from 1-32 characters.
• Valid characters are alpha and numeric characters (a-z, 0-9), _ (underscore), and - (dash).
• User names must start with an alpha character or an underscore. The first character cannot be a numeric digit or a dash.
• Only lower case alpha characters are accepted.
• User names cannot contain a space.
Default Password Policy Conventions
The following guidelines apply to the default password strength policy.
• Passwords must be a minimum of 8 characters.
• Passwords are case-sensitive.
• Standard alphanumeric characters and spaces are allowed: a-z A-Z 0-9 ! @ # % ^ * + = { } : . , _ ~ / \ - [ ]
• Passwords must contain at least 2 characters from a mix of upper case letters, lower case letters, numbers and non-alphanumeric symbols. For example, an acceptable password might contain an upper case letter and a number, or a lower case letter and a symbol, or an upper case letter and a lower case letter.
• Do not use non-printable ASCII characters.
• Do not use dictionary words. EncrypTight does not prevent the use of dictionary words, but a password containing a dictionary word will be rejected by the PEP.
EncrypTight and the PEP allow an unlimited number of failed login attempts without locking the user out
of the appliance.
Strong Password Policy Conventions
Passwords must conform to the following conventions when strong password enforcement is enabled on
the PEP. Strong password controls are available in PEP 1.6 and later.
• Passwords must be between 15 and 256 characters long.
• Standard alphanumeric characters are allowed: a-z A-Z 0-9 ! @ # % ^ * + = { } : . , _ ~ / \ - [ ]
• Passwords must contain a mix of upper case letters, lower case letters, numbers and special characters, including at least two of each of the four types of characters (2 upper case, 2 lower case, 2 numbers, and 2 special characters).
• When a password is changed, the new password must differ from the previous password by at least four characters.
• The password must not contain, repeat, or reverse the associated user ID.
• The password must not contain three of the same characters used consecutively.
• A user's password must not be identical to any other user's password.
• A new password must be different from the previous 10 passwords used.
• Do not use dictionary words. EncrypTight does not prevent the use of dictionary words, but a password containing a dictionary word will be rejected by the PEP.
In addition, the Administrator can place limits on the following:
• Password expiration period, expiration warning notification, and grace period.
• Maximum number of login sessions allowed per user
The PEP allows three consecutive failed login attempts in a 15 minute period prior to locking an account.
After the third failure the account is locked for 15 minutes. The Administrator can unlock a disabled
account from the CLI.
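The user name conventions, the default and strong password conventions, and the three-failures-in-15-minutes lockout described in the sections above, as one added Python validator that is not the appliance's own implementation. It assumes that "differ by at least four characters" is measured as differing positions plus the length difference, and it does not model the PEP's dictionary-word check (no word list is assumed).

```python
"""Validate PEP user names and passwords against this section's conventions.

Added example, not the appliance's own code. Assumptions: the four-character
difference rule is counted as differing positions plus the length difference;
the dictionary-word check is not modelled.
"""
import re
import string

SPECIAL = set("!@#%^*+={}:.,_~/\\-[]")     # symbols listed for both policies
ALLOWED = set(string.ascii_letters + string.digits) | SPECIAL
USERNAME_CHARS = set(string.ascii_lowercase + string.digits + "_-")
HISTORY_DEPTH = 10                          # strong policy: last 10 passwords


def check_username(name):
    """Return the User Name Convention violations (empty list means OK)."""
    errors = []
    if not 1 <= len(name) <= 32:
        errors.append("length must be 1-32")
    if " " in name:
        errors.append("spaces not allowed")
    elif name != name.lower():
        errors.append("only lower case letters accepted")
    elif name and name[0] in string.digits + "-":
        errors.append("must start with a letter or underscore")
    elif set(name) - USERNAME_CHARS:
        errors.append("only a-z, 0-9, underscore and dash allowed")
    return errors


def _class_counts(pw):
    """How many upper, lower, digit and special characters pw contains."""
    return (sum(c.isupper() for c in pw), sum(c.islower() for c in pw),
            sum(c.isdigit() for c in pw), sum(c in SPECIAL for c in pw))


def check_default_policy(pw):
    """Default policy: 8+ characters, listed characters plus space, 2+ classes."""
    errors = []
    if len(pw) < 8:
        errors.append("minimum 8 characters")
    if any(c not in ALLOWED and c != " " for c in pw):
        errors.append("character not allowed")   # also rejects non-printables
    if sum(n > 0 for n in _class_counts(pw)) < 2:
        errors.append("need characters from at least 2 classes")
    return errors


def _difference(a, b):
    """Differing positions plus the length difference (assumed metric)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def check_strong_policy(pw, user_id, previous=(), other_users=()):
    """Strong policy checks; `previous` is the oldest-to-newest history."""
    errors = []
    if not 15 <= len(pw) <= 256:
        errors.append("length must be 15-256")
    if any(c not in ALLOWED for c in pw):
        errors.append("character not allowed")
    if min(_class_counts(pw)) < 2:
        errors.append("need 2 upper, 2 lower, 2 digits and 2 specials")
    low, uid = pw.lower(), user_id.lower()
    if uid and (uid in low or uid[::-1] in low):
        errors.append("must not contain or reverse the user ID")
    if re.search(r"(.)\1\1", pw):
        errors.append("three identical consecutive characters")
    if previous and _difference(pw, previous[-1]) < 4:
        errors.append("must differ from the previous password by 4+ characters")
    if pw in previous[-HISTORY_DEPTH:]:
        errors.append("reuses one of the previous 10 passwords")
    if pw in other_users:
        errors.append("identical to another user's password")
    return errors


class LoginGuard:
    """Strong-policy lockout: 3 failures within 15 minutes locks for 15 minutes."""
    WINDOW = LOCK = 15 * 60     # seconds
    MAX_FAILURES = 3

    def __init__(self):
        self.failures = {}      # user -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def record_failure(self, user, now):
        """Register a failed login at `now` (seconds); return True if now locked."""
        recent = [t for t in self.failures.get(user, []) if now - t < self.WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.LOCK
            self.failures[user] = []
            return True
        return False

    def unlock(self, user):
        """Administrator unlock, as done from the CLI."""
        self.locked_until.pop(user, None)
```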
Cautions for Strong Password Enforcement
The password expiration feature puts you at risk for a lockout under certain circumstances. Review the
guidelines below to avoid unintended lockouts.
CAUTION
If the Administrators’ passwords expire, all Administrator functionality is lost, including the ability to assign
a new password. The only means of resetting the password is to reformat the PEP, which reverts all
configurations to their default shipping settings. Reformatting the PEP requires factory service.
Upgrading Software
To avoid having strong passwords expire during an upgrade process, we recommend minimizing the time
period between a software upgrade operation and reboot.
If you plan to wait a day or more between an upgrade and reboot, disable strong passwords prior to
performing the upgrade. After the upgrade and reboot are complete, re-enable strong passwords.
Note the following:
• Password changes that are made between a software upgrade and subsequent reboot do not persist through the reboot. The password expiration timer does not know if a password is changed during that window, placing you at risk of a lockout. Timers may be deleted outside of development mode.
• If all administrator account passwords expire, the unit must be returned to the factory.
Removing PEPs From Service
To avoid having strong passwords expire during a planned service outage or equipment redeployment,
disable strong passwords prior to removing the PEP from service.
If the password expiration and grace period is exceeded for all administrator accounts while the PEP is
out of service, all users will be locked out and the PEP must be returned to the factory.
Managing Appliance Users
NOTE
This section applies only if you use EncrypTight to manage user accounts on PEPs running software
version 1.4 and later.
You can add, modify, and delete appliance users directly from EncrypTight. You can update user accounts
for a single appliance or for a group of appliances. When managing users, changes take effect
immediately. There is no need to push the user data to the PEP.
Changing appliance user names and passwords can affect EncrypTight’s ability to communicate
directly with the PEP. See “How EncrypTight Users Work with PEP Users” on page 167 to learn more
about the interaction between EncrypTight users and PEP users.
Adding PEP Users
For security purposes, we recommend replacing the default users and passwords on the PEP. To ensure
your ability to communicate with the PEP, set up the new users prior to deleting the default account. You
can add user accounts for a single appliance or for a group of appliances.
PEP 1.6 and later includes enhanced security options, including password expiration settings. These
settings apply when strong password enforcement is enabled on the Advanced tab of the appliance editor.
When the default password policy is enforced, the password expiration options are not visible. The
default password policy values shown in Table 58 cannot be modified by the Administrator.
To add a user to the PEP:
1 Select the target appliances in the PEPs view.
2 Click [icon] and choose Other PEP User.
3 In the User Information window, click [icon].
4 In the Name box enter the user name conforming to the conventions listed in “User Name
Conventions” on page 148.
5 If EncrypTight is configured to use Common Access Card Authentication, enter the common name
from the Common Access Card’s identity certificate. You will not see this field if the feature is
disabled.
6 In the Password box, enter the password for the user, then reenter it in the Confirm Password box.
The password conventions are dependent on the password strength policy that is in effect for the PEP.
7 Select the role to be associated with the user. Admin is the only role that can manage PEPs from
EncrypTight.
8 On appliances that are enforcing strong passwords, configure the password expiration settings as
described in Table 58.
9 Click Apply to send the user credentials to the selected appliances. The change takes effect
immediately.
Table 58 Password policy values
Parameter | Default password policy | Strong password policy
Password expiration | 99999 days | Default is 60. Range is 1-60.
Notify before expiration | 7 days | Default is 10. Range is 1-30.
Expiration grace period (the number of days after expiration that a user can log in with the old password) | 0 days | Default is 10. Range is 1-30.
Password change waiting period (minimum number of days a user must wait before changing the password) | 0 days | Default is 1. Range is 1-7.
Max simultaneous log-in sessions (the maximum number of concurrent sessions allowed for a user) | Unlimited | Default is 2. Range is 1-5.
Modifying PEP User Credentials
You can update user accounts for a single appliance or for a group of appliances. If strong password
enforcement is enabled on the PEPs, you can also modify the password expiration settings.
To modify PEP user credentials:
1 In the PEPs view, select the target PEPs.
2 Click [icon] and choose Other PEP User.
3 In the User Information window, select the user account that you want to edit and click [icon].
4 Make your changes and click Update.
Deleting PEP Users
You can delete an appliance user on a single appliance or on a group of appliances. The user is removed
immediately upon completing the procedure below.
The PEP prevents you from deleting the default Administrator account (admin/admin) until you have
established an alternate Administrator account. It also prevents you from deleting the only remaining
Administrator account on the appliance.
CAUTION
We recommend that you store your passwords in a safe place. If you are unable to log in to the PEP with
a valid Administrator user name and password, the PEP must be returned to the factory to be reset.
To delete a user from the PEP:
1 In the PEPs view, select the target PEPs.
2 Click [icon] and choose Other PEP Users.
3 In the User Information window, select the user account that you want to remove.
4 Click [icon].
5 The user account is immediately removed.
Viewing PEP Users
You can check the user accounts that are configured on a particular PEP by clicking [icon] and selecting
Other PEP Users. The Users view lists the user name and role for each user on the appliance. Passwords
are not displayed.
Password expiration settings can be viewed from the CLI (user-config level show command).
SNTP Client Settings
The PEP includes a Network Time Protocol (NTP) client, which is used to synchronize the appliance
time with an NTP server. NTP is useful in minimizing or eliminating clock drift that can occur over time,
and keeping timestamps of log events consistent across appliances and other devices in the network.
The NTP client supports unicast client mode, in which the client (PEP) sends a request to a designated
NTP server and waits for a reply from the server. The PEP synchronizes with the NTP service at a
dynamic interval inherent in the operating system’s NTP client.
Time synchronization with the NTP time service overrides any manually set date and time. The UTC
offset is unaffected.
Figure 77 SNTP Settings
To configure the NTP client:
1 Click the Enable SNTP Client checkbox.
2 Enter the IP address of the NTP service.
With PEP software version 1.6 and later, you can use either IPv4 or IPv6 addresses.
NOTE
ETEPs v2.3 and above are pointing by default to the ETM NTP server.
ETM calling ntpdate with 2.2 appliances
If an appliance ends up in the CLOCKSKEWED state with NTP enabled, currently your only recourse is
to disable NTP so that you can perform a set date to get the clocks close enough to re-enable NTP. Since
a user is not allowed to disable NTP for the ET0005A, that presents a problem.
For 2.2 and beyond appliances, we can Execute NtpDate (without any server element if NTP is enabled,
or with the first NtpServer or ETM server IP address if NTP is disabled).
NOTE
This is especially critical for the ET0005A, which has no internal clock.
IKE VLAN Tags
When the PEP is configured for operation with Layer 2 point-to-point policies, the two PEPs must be
able to communicate with each other to exchange key information. In some Layer 2 networks, all frames
must have a VLAN tag to traverse the network. The PEP can be configured to add a VLAN tag to the
Ethernet frames used for PEP-to-PEP communications.
This setting has no effect when the PEP is configured for use in ETM distributed key policies.
The following settings are prerequisites for configuring this feature:
1 On the Security tab, set the Encryption Policy Setting to Layer 2:Ethernet.
2 On the Interfaces tab, select Enable IKE VLAN Tag.
Table 59 IKE VLAN Tags
Field | Description
IKE VLAN tag priority | Sets the VLAN priority. Valid values range from 0-7.
IKE VLAN tag identifier | Sets the VLAN ID. Valid values range from 0-4094.
Figure 78 Enable IKE VLAN
OCSP Settings
Online Certificate Status Protocol (OCSP) provides a way for devices that use certificates to verify that a
received certificate is currently valid. OCSP is an alternative to using Certificate Revocation Lists
(CRLs). If your organization uses certificates to authenticate management communications in an ETM
deployment, you can use OCSP to check the validity of the certificates you install. Also, you can use a
batching task to install CRLs on multiple PEPs.
Certificate Policy Extensions
Certificate policy extensions indicate the purposes for which a certificate was issued, for example signing
e-mail or encryption. If your organization uses certificates and makes use of the certificate policy
extension, you can enable support for the extensions on the PEP and enter the allowable OIDs.
FIPS Mode
When operating in FIPS mode, the PEP must be configured to use FIPS-approved encryption and
authentication algorithms. FIPS-approved algorithms are listed in Table 60. Note that some of the
FIPS-approved algorithms are available for use only on the management port.
EncrypTight prevents the PEP from entering FIPS mode if it detects distributed key policies that contain
non-FIPS approved algorithms.
The PEP prevents entry into FIPS mode when any of the following conditions are true:
• ETM distributed key policies are installed that use non-FIPS approved algorithms
• IKE policies are configured on the management port interface that use non-FIPS approved algorithms
• Manual key policies are installed on the management port interface. If you plan to use manual key policies, deploy them after FIPS mode is enabled on the PEP.
• SNMPv3 configuration uses cryptography for SNMP trap hosts, but no IPsec policy has been configured to protect the SNMP traffic for each specific trap host
• The debug shell is in use
• Strict client authentication is enabled on the management port
If you plan to use strict authentication to secure management port communications, you must enable
FIPS mode prior to enabling strict authentication. To learn more about using strict authentication, see
“Using Enhanced Security Features” on page 175 and “Order of Operations” on page 177.
Table 60 FIPS approved encryption and authentication algorithms
Encryption algorithms | Authentication algorithms
3des-cbc | sha1-160-hmac
aes128-cbc | sha2-256-hmac
aes256-cbc | sha2-384-hmac
Enabling FIPS Mode
To configure the PEP for FIPS operation, select the FIPS Mode Enabled checkbox.
After pushing a FIPS-enabled configuration to the PEP, it takes several minutes for the PEP to enter FIPS
mode. Some communications services are reset when FIPS is enabled and disabled. SSH sessions are
terminated, and cannot be re-established until FIPS mode is fully operational. You may experience a brief
loss of connectivity between the PEP and EncrypTight.
When putting the PEP in FIPS mode, the PEP performs the following actions and self-tests:
• Runs self-tests during the boot process and when entering FIPS mode that include cryptographic algorithm tests, firmware integrity tests, and critical function tests
• Performs a software integrity test
• Clears pre-existing policies and keys, as described in Table 61.
• Generates a new self-signed certificate on the management interface
• Removes all externally signed certificates
• Resets passwords to the factory defaults
• Closes remote SSH client sessions
Table 61 Effects of clearing policies and keys when entering FIPS mode
Policy Type | Action upon entering FIPS mode
Distributed key policies | Traffic passes in the clear until new encryption policies are created and deployed to the PEP.
Point-to-point Layer 2 policies | Keys are automatically renegotiated. Traffic is discarded in the interim.
Management port policies | Keys are automatically renegotiated. Traffic is discarded in the interim.
Operational Notes
Entering FIPS mode may cause some delays when communicating with the PEP.
• When the PEP is rebooted with FIPS mode enabled, the PEP does not become operational until 30-60 seconds after the login prompt is displayed. In the interim, attempts to communicate with the PEP from EncrypTight or the CLI result in error messages (attempting to access a locked shared resource or failure to create input stream). If you receive an error message, wait several seconds and retry.
• The Ethernet management interface uses FIPS-approved cipher and authentication algorithms for SSL and SSH connections. When operating in FIPS mode, it can take 30-60 seconds to establish an SSH session. EncrypTight Manager also supports certificate-based client authentication (two-way SSL authentication between the browser and EncrypTight Manager).
• If you used SSH to manage the PEP prior to entering FIPS mode, you may not be able to establish an SSH session after FIPS is enabled. To correct, clear the known host entry of the SSH client and retry.
Disabling FIPS
The PEP performs the following actions when exiting FIPS mode:
• Existing policies continue to run until they are replaced or deleted.
• SSH is reset when FIPS is disabled, terminating the current session.
Verifying FIPS Status on the PEP
You can verify that FIPS is enabled on the PEP in the following two ways:
• In PEPs view, compare the stored and PEP configurations (select the PEP, right-click on it and choose Diff Config).
• Log in to the CLI and issue one of the following commands: show running-config or show fipsmode.
EncrypTight Settings
• To configure Layer 2 or Layer 3 distributed key policies, select the encryption policy setting for Layer 2: Ethernet or Layer 3: IP/Layer 4: Payload policies.
• To configure Layer 2 point-to-point policies, select the Layer 2: Ethernet encryption policy setting.
Table 62 EncrypTight settings
Setting | Definition
Enable passing TLS traffic in the clear | Passing TLS-based management traffic in the clear is required for ETM distributed key policies, and when the PEP is managed in-line. When the PEP is operating in Layer 2 distributed key mode, ARP traffic is also passed in the clear when tls-clear is set to true.
Encryption Policy Settings | Specifies whether the PEP can be used in Layer 2 or Layer 3/Layer 4 policies.
Enable strict client authentication | EncrypTight uses TLS to encrypt traffic between ETM components. EncrypTight can use TLS with encryption only, or TLS with encryption and strict authentication. When strict authentication is enabled, TLS enforces certificate-based authentication among the ETM components (all ETM servers and PEPs). See “Using Enhanced Security Features” on page 175 for procedures to install certificates and enable strict authentication on the various components of the ETM system.
CAUTION
Certificates must be installed on the PEP prior to pushing a configuration that enables strict client
authentication. Enabling strict authentication without first installing certificates locks up the PEP’s
management port.
Encryption Mode Settings
The Encryption Mode Setting determines the type of policies that the PEP can be used in: Layer 2
Ethernet policies or Layer 3 IP policies. Appliances that are configured for Layer 2 cannot be used in
Layer 3 policies, and vice versa. If you intend to create a Layer 4 policy to encrypt only the packet
payload, set the Encryption Policy Setting to Layer 3:IP/Layer 4 Payload.
Table 63 Encryption mode settings
Setting | Definition
Layer 2: Ethernet | Enable this setting to use the PEP in Layer 2 Ethernet policies.
Layer 3: IP/Layer 4 Payload | Enable this setting to use the PEP in Layer 3 IP policies, or if you intend to create a policy to encrypt only the Layer 4 payload.
When you change the encryption policy setting of a PEP that is already in service, all encrypt and drop
policies currently installed on the PEP are removed and all traffic is sent in the clear until you create and
deploy new policies, or until the policies are rekeyed.
If you are using EncrypTight, take the following steps to ensure proper enforcement of your distributed
key policies when you change the encryption policy setting:
1 In the Features tab, set the Encryption Policy Setting to Layer 2 or Layer 3/Layer 4 Payload.
2 Apply the new configuration to the PEP (click Apply config).
3 Remove the PEP from any policy or network set it is a member of.
4 Create a new policy for the reconfigured PEP.
5 Deploy the new policy.
Factory Defaults
Factory settings are listed by appliance model and software version for the following categories:
• Trusted Hosts
• SNMP
• Logging
• Policy
• Advanced
• Features
• Hard-coded Settings
Table 64 Interfaces defaults
Interfaces | PEP 1.5 | PEP 1.6 and later
Appliance Identification:
Remote user password | Not applicable | Not applicable
Appliance name | model number_version (e.g., ET0100A_ETEP1.5) | model number_version (e.g., ET0100A_ETEP1.6)
Throughput speed | Not available | Undefined
Management:
IPv4 address | Undefined | Undefined
Subnet mask | 255.255.255.0 | 255.255.255.0
IPv4 default gateway | None | None
Natted IP address | Undefined | Undefined
IPv6 address | Not available | Undefined
IPv6 default gateway | Not available | Undefined
Flow control | Negotiated | Negotiated
Link speed | Negotiated | Negotiated
Remote:
Transparent mode | Enabled | Enabled
IP address | Undefined | Undefined
Subnet mask | 255.255.255.0 | 255.255.255.0
Default gateway | None | None
Flow control | Negotiated | Negotiated
Link speed | Negotiated | Negotiated
Transmitter enable | FollowRx | FollowRx
Local:
IP address | Undefined | Undefined
Subnet mask | 255.255.255.0 | 255.255.255.0
Default gateway | None | None
Flow control | Negotiated | Negotiated
Link speed | Negotiated | Negotiated
DHCP Relay IP Address | Undefined | Undefined
Ignore DF Bit | Enabled | Enabled
Reassembly mode | Gateway | Gateway
Transmitter enable | FollowRx | FollowRx
SNMP
PEP v1.5
PEP v1.6 and later
Contact
Undefined
Undefined
Location
Undefined
Undefined
Community string
Undefined
Undefined
Critical error trap
Enabled
Enabled
Fan trap
Enabled
Enabled
Generic trap
Enabled
Enabled
Login
Enabled
Enabled
SNMPv2 trap hosts
Undefined
Undefined
SNMPv3 trap hosts
Not available
Undefined
SNMP
Table 65
SNMP defaults
Traps
Trap Hosts
Logging
Table 66 Logging defaults

Logging                 Default Setting
Local 0 / System        Informational
Local 1 / Dataplane     Informational
Local 2 / DistKey       Informational
Local 3 / PKI           Informational
Local 4 / SNMP          Informational
Internal                Informational
Syslog server           None

Policy
Table 67 Policy defaults

Policy                  PEP v1.4 and later
Role                    Primary
IKE Authentication      Preshared key
IKE Preshared Key       01234567
Group ID                0
Traffic Handling        EthEncrypt
Advanced
Table 68 Advanced defaults

Advanced                               PEP 1.5          PEP 1.6 and later
PMTU                                   1500             1500
Non IP traffic handling                Clear            Clear
CLI Inactivity Timer                   15 minutes       10 minutes
Password Policy                        Not available    Disabled
XML-RPC Certificate Authentication     Not available    Disabled
SSH Enable                             Not available    Enabled
SNTP Client                            None             None
IKE VLAN tag                           Disabled         Disabled
OCSP Settings                          Not available    Disabled
Certificate Policy Extensions          Not available    Disabled
Features
Table 69 Features defaults

Features                               PEP 1.5          PEP 1.6 and later
Enable FIPS Mode                       Not available    Disabled
Enable TLS in the clear                Enabled          Enabled
Encryption Policy Settings             Layer 3:IP       Layer 3:IP
Enable strict client authentication    Not available    Disabled
Hard-coded Settings
The following settings are hard-coded in the PEP:
• Management port PMTU is 1500 bytes
• Syslog server port is 514
• Time zone is set to UTC 0
Safe Mode
Safe Mode allows the PEP to be managed and recovered when unexpected failures occur. It keeps the PEP
reachable even under failure conditions such as:
• Software defect
• Unreadable configuration
• Configuration error
Safe Mode Recovery
The PEP goes into safe mode when it detects a failure (e.g., it cannot load the present or previous
policy or configuration). When going into safe mode:
• The PEP sends an alert when entering safe mode.
• The PEP loads a policy to pass traffic. Two policy modes are supported (configured via ETM):
  • In “All traffic” mode, the PEP loads a policy rule to pass all traffic in the clear.
    • This provides the best chance for recovery while the network continues to pass traffic.
    • It may require the administrator to push a temporary clear rule for other PEPs.
  • In “Management traffic” mode, the PEP loads a policy rule to drop all traffic except management
    traffic; no user traffic is passed in this mode.
    • This favors security over availability: no plaintext traffic is allowed to pass (only management
      traffic).
To get out of safe mode, the administrator:
• Provisions a new policy and new configuration, and then restarts the PEP.
• Clears the PEP alarm.
“Not Encrypting” alarm
This alarm provides an alert if network traffic is not encrypted.
Details:
• Immediate alert whenever an ETEP is not encrypting.
• The user specifies how much traffic should be encrypted, and the alarm is generated if the fraction of
encrypted traffic falls below the threshold (T1). The alarm clears when the fraction of encrypted traffic
goes above a threshold (T2).
• Audit log entries are generated for creating and clearing the “Not Encrypting” alert.
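The two-threshold behaviour described above is a hysteresis: the alarm raises below T1 and only clears above T2, so a fraction hovering between the two does not flap. The following model is an added example (not EncrypTight code): the threshold values, PEP name and traffic samples are constructed, and the audit entries are plain strings rather than the product's own log format.

```python
"""Hysteresis model of the "Not Encrypting" alarm (added example, not product code)."""
from dataclasses import dataclass, field


@dataclass
class NotEncryptingAlarm:
    t1: float                 # raise threshold: encrypted fraction below this raises the alarm
    t2: float                 # clear threshold: encrypted fraction above this clears it
    active: bool = False
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        # T1 <= T2 is what gives the hysteresis band; equal values degenerate
        # to a single threshold and the alarm can flap on a noisy link.
        if not 0.0 <= self.t1 <= self.t2 <= 1.0:
            raise ValueError("require 0 <= T1 <= T2 <= 1")

    def observe(self, pep: str, encrypted_bytes: int, total_bytes: int) -> bool:
        """Feed one traffic sample; return True if the alarm state changed."""
        if total_bytes <= 0:
            return False          # nothing measured in this interval; keep the current state
        fraction = encrypted_bytes / total_bytes
        if not self.active and fraction < self.t1:
            self.active = True
            self.audit_log.append(
                f"ALARM RAISED pep={pep} encrypted={fraction:.2f} T1={self.t1}")
            return True
        if self.active and fraction > self.t2:
            self.active = False
            self.audit_log.append(
                f"ALARM CLEARED pep={pep} encrypted={fraction:.2f} T2={self.t2}")
            return True
        return False


def run_samples(samples, t1=0.9, t2=0.95):
    """Replay (encrypted_bytes, total_bytes) samples for one PEP and return
    the alarm state after each sample plus the audit entries produced."""
    alarm = NotEncryptingAlarm(t1, t2)
    states = []
    for enc, total in samples:
        alarm.observe("pep-example-1", enc, total)   # constructed PEP name
        states.append(alarm.active)
    return states, alarm.audit_log


# Constructed samples: encrypted fractions 0.98, 0.92, 0.80, 0.92, 0.97.
# The second 0.92 sample sits between T1 and T2, so the alarm stays raised.
SAMPLES = [(980, 1000), (920, 1000), (800, 1000), (920, 1000), (970, 1000)]

if __name__ == "__main__":
    states, log = run_samples(SAMPLES)
    print(states)             # [False, False, True, True, False]
    print("\n".join(log))
```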
Updated cryptographic algorithms
• Added support for AES128_GCM and AES256_GCM as encryption algorithms for better
performance.
• The algorithm names to be used in the CipherKey in TransformData are aes-gcm and aes128-gcm.
A new optional attribute in TransformData, "Salt", is also added. With GCM, unique IVs must be ensured
between rekeys for data security. ETM already passes down a salt guaranteed to be unique per PEP; the
control plane and dataplane now use this salt to generate the IV.
TACACS+ AAA
In a small network environment, anybody can log in to the network devices to make configuration
changes. For these devices to provide network access protection, user names and passwords are stored
locally on the device.
The main disadvantage of such localized credentials is that there is minimal or no control over their
integrity. For example, someone could log in and change the password without the knowledge of others;
after that change, nobody else can log in without knowing the new password.
The best practice is to gain more control through a centralized AAA (Authentication, Authorization,
Accounting) server. This server is the sole location for storing the user credentials.
The AAA server can also be used to manage the list of commands a user is authorized to execute. When
a user tries to perform tasks or issue commands that are unauthorized, those tasks or commands are
rejected. The AAA server can also perform accounting of all operations.
TACACS+ (Terminal Access Controller Access-Control System Plus) is a remote authentication protocol
that is used to communicate with an AAA server. It allows a remote host to communicate with an
authentication server in order to determine whether the user has any access to the network device.
TACACS+ support is added for ETM and all the ETEP platforms (ET0005A, ET0010A, ET0100A,
ET1000A, ET10000A, and ETVEP) for ETEP release 2.3 and ETM release 3.5.
Figure 79 TACACS Topology #1
Figure 80 TACACS Topology #2
Chapter 12: Managing EncrypTight Users
About EncrypTight User Accounts
This chapter discusses user accounts for the EncrypTight Manager software. These accounts are unique to
EncrypTight and should not be confused with user accounts on the PEPs.
EncrypTight is able to authenticate users when you first start EncrypTight. Log into EncrypTight
Manager using the default user name admin and password admin.
The following list summarizes how user accounts work:
• EncrypTight user accounts can be granted roles with a variety of privileges, as outlined in
“EncrypTight User Account Roles” on page 165.
• You must have at least one administrator account. If you have only one administrator account,
EncrypTight prevents you from deleting it until you create a replacement.
• User names must be unique.
• When authentication is enabled, the default password expiration period is set to zero, which means
“do not expire.”
When any user performs an action in the system such as configuring a PEP or deploying policies, that
action is tracked in an Audit Log entry that indicates the name of the user that initiated the action.
User account roles create a hierarchy of privileges as listed in “EncrypTight User Account Roles” on
page 165. You create and manage user accounts from the Users view.
To access the Users view:
1 On the main menu, click Admin > Users.
EncrypTight User Account Roles
Platform Administrator
The Platform Administrator role has complete access to the system, including the ability to change
configuration settings that affect the communications and interactions between all components in the
deployment. Platform Administrators can also create and manage multiple EncrypTight deployments. The
default EncrypTight user account (admin) has the Platform Administrator role.
Administrator
EncrypTight Administrators have full access to all features of the system, including the ability to create
and edit user accounts.
User
Users have access to the system but cannot create new user accounts. Users can also be assigned one or
more of the following roles:
Appliance Admin
Appliance Administrator accounts are user accounts that exist on the PEPs. In order to communicate with
the PEPs, EncrypTight must know the name and password of at least one valid appliance admin account.
Appliance Administrators cannot create new EncrypTight users or make configuration changes in the
EncrypTight software.
Appliance Operator
Appliance Operator accounts are user accounts that exist on the PEPs.
Policy Creator
Users assigned Policy Creator privileges can create policies but they cannot add or edit appliance
configurations, or create new user accounts.
Policy Deployer
Users assigned Policy Deployer privileges can view data and deploy policies, but they cannot edit
configurations or policies.
Managing EncrypTight User Accounts
Only platform administrator accounts and administrator accounts can create new user accounts and edit
all existing user accounts. Administrator accounts cannot create or edit platform administrator accounts.
Basic user accounts cannot create new user accounts or edit any account settings.
Table 70 EncrypTight user name and password conventions

Parameter            User Name           Password
Length               1-32 characters     Minimum of 8 characters
Case sensitive       Yes                 Yes
Invalid characters   < > & "             < > & "
Spaces allowed       Yes                 Yes
Must be unique       Yes                 No
Other conventions    N/A                 N/A
To add an EncrypTight user account:
1 In the Users view, click the create icon to open the Create User box.
2 In the Create User dialog box, enter a Username and a User Display Name.
3 Enter a Password for the new user and reenter it in the Confirm Password box.
4 From the User Roles list, select the roles that you want to assign to this user.
5 Click Create.
To modify a user account:
1 Select the user account that you want to modify.
2 Click the edit icon.
3 Make your changes.
4 Click Update.
To delete a user account:
1 Select the account that you want to delete.
2 Click the delete icon.
3 Click Yes when prompted for confirmation.
Changing a Password
Platform administrators and administrators can change their own passwords as well as the passwords for
any other user account. The platform administrator can also change the passwords of administrator
accounts.
User accounts that are not administrators or platform administrators cannot change their own passwords
or edit any other user account settings.
To change a password:
1 In the Users view, select the account that you want to modify.
2 Click the edit icon.
3 Make your changes.
4 Click Update. The password change takes effect immediately.
How EncrypTight Users Work with PEP Users
EncrypTight Manager manages user accounts on PEP version 1.5 and later appliances. In order for
EncrypTight Manager to communicate with the PEP, it needs to know an admin level user name and
password for the PEP. The default admin level user name and password on the PEP is admin/admin.
These credentials are initially set in EncrypTight Manager in the Add PEP form and can later be
modified in the Edit PEP form.
Figure 81 Add PEP Form
Figure 82 Edit PEP Form - Security Tab
Select the drop down icon on the Users button, and then choose EncrypTight Manager PEP Users.
Figure 83 Users Dropdown - Security Tab
Figure 84 ETM PEP Users
A form will be presented that will allow you to change the user name and password that EncrypTight will
use when communicating with the PEP. You can optionally update the PEP when changing these values.
NOTE
The current user name and password (before the change) will be used to communicate to the PEP when
making the change, and so must be valid for that PEP.
You can also manage the PEP users (those users who can ssh into the PEP and access the CLI) from
EncrypTight Manager. To do so, select the drop down icon on the Users button in the Security tab of the
PEP edit form, and then choose Other PEP Users. This will retrieve the current users and their roles
from the PEP and allow you to add, modify, or delete user accounts.
Figure 85 Other PEP Users
Chapter 13: Working with Logs
About Logs
EncrypTight tracks system actions and user activity in several logs:
• Audit Log - Tracks user and system activity such as log ins and log outs, configuration changes, and
policy changes. The audit log also records all interactions with the PEPs.
• Task History - Tracks all EncrypTight Manager operations and PEP-related tasks, including policy
deployments, rekeys, certificate actions, license installation, and so on. This provides more of a view
of system activity than user activity and includes items such as the number of attempts made to
accomplish a given task. ETM only fails rekeys for the policies that are affected by the unreachable
PEP, instead of all policies in that interval.
• Activity Messages - Tracks all messages provided to EncrypTight users during the process of
performing a task. For example, during a rekey operation a user could see messages tracking the start,
failure, retry, and completion of the task.
About the Audit Log
Use the Audit log when you need to examine the changes a specific user has made in the system. The
Audit log tracks every action performed by EncrypTight users and all interactions with the PEPs whether
they are initiated by a user or by the system. The data is presented in a grid and each record includes the
following information:
• User name - the name of the user that initiated the action.
• Time of the action - the date and time at which the action was performed.
• ID - the database ID (key) of the entity involved in the event. For entities that are not related to a
database, this field displays “null.”
• Type - the type of entity involved in the event.
• Action - the type of action of the event being recorded.
• Name - the name of the item involved in the event. In many cases, this will be the name of a PEP, but
it can also be the name of a type of task, such as PEP status refresh.
• Details - a description of the event.
About the Task History
Use the Task history to focus on interactions with the PEPs. For each record, the view includes the
following information:
• Message - the type of task.
• User - the name of the user account that initiated the task.
• PEP - the name of the PEP associated with the task.
• IP Address - the IP address of the PEP.
• Status - the status of the task.
• Details - details describing the task, if available.
• Create Time - the date and time the task was created.
• Started - the date and time the task was started.
• Completed - the date and time the task was completed.
• Processing - the time from task start through task completion.
• Duration - the time from task creation through task completion (total time it took to complete the
task).
• Failures - the number of times this task failed.
• Attempts - the number of times this task was attempted.
About Activity Messages
Activity Messages lists all of the messages provided to a user including all of the intermediate tasks
performed during the process of an operation. For example, a rekey operation can entail multiple tasks,
such as start, fail, retry, and complete.
For each entry, the Activity Messages view includes the following information:
• User Name - the name of the user that initiated the operation.
• Status - the status of the task.
• Message - the text of the message.
• Action - the type of operation or task involved.
• Activity Time - the time at which the system generated the message, tracked to the millisecond.
• Create Time - the time the record was created in the database.
Viewing Logs
• From the Admin menu, choose Audit Log, Task History, or Activity Messages.
Log Actions
Depending on the type of logs you are accessing, you can sort and filter the view, cancel tasks, and purge
older records. You can also view technical details of many events.
You can sort and filter the list of events by any field. For instructions on sorting and filtering, see
“Sorting and Filtering” on page 23.
To view details for an event:
• Double-click on a record to view a detailed entry that might provide technical information helpful to
Customer Support.
You can purge records older than a certain date and time from the view.
To purge records:
1 Click the purge icon.
2 In the interval box, enter the maximum number of days or the maximum number of hours worth of
records to keep.
  • Type the number of days, followed by d. For example, type 7d to keep 7 days of records.
  • Type the number of hours, followed by h. For example, type 12h to keep 12 hours of records.
3 Click OK.
In the Task History view, you can also cancel tasks that are in progress or queued.
To cancel a task:
1 In the list, select the task.
2 Click Cancel.
Logging Configuration
You can access a number of settings that control auditing and logging behavior from the Configuration
window. You must be logged in with Administrative privileges to make these changes.
Auditing and Logging Controls
Although you most likely will not need to make changes, you can turn auditing off and on as needed.
You can also specify whether or not to audit all XML-RPC calls between the servers and the PEPs.
Configuring Auditing for XML-RPC Calls
By default, the system does not track all XML-RPC calls between components. You might want to enable
this for troubleshooting purposes, but be aware that it causes an increase in network traffic.
To audit XML-RPC calls:
1 Click Admin > Black Box EncrypTight Manager Configuration.
2 Double-click Audit XML-RPC Calls and click the check box to select it.
3 Click Update.
Configuring System Auditing
By default, auditing is activated. All changes and operations by every system user are tracked and
recorded in log files. In addition to turning auditing on and off, you can specify how many days of
records to keep and how often the system checks for records to purge.
To turn auditing on and off:
1 Click Admin > Black Box EncrypTight Manager Configuration.
2 Double-click Auditing and select the check box to activate auditing. Clear the check box to deactivate
auditing.
3 Click Update.
To configure record retention:
1 Click Admin > Black Box EncrypTight Manager Configuration.
2 Double-click Days Worth of History Records to Keep and type the number of days in the box.
3 Click Update.
4 Double-click Maintenance Interval in Hours and type the number of hours between log file purges.
5 Click Update.
Configuring the Syslog Server
You can configure your PEPs to send messages to a Syslog server running on the EncrypTight server. In
order to do so, you must assign an IP address to the syslog server in the configuration view.
To assign an IP address to the syslog server:
1 Click Admin > Black Box EncrypTight Manager Configuration.
2 Double-click Syslog Server and type the IP address in the box.
3 Click Update.
Chapter 14: Using Enhanced Security Features
About Enhanced Security Features
EncrypTight Manager provides a number of features that you can use to increase system security. These
features are disabled by default, but available for your use. Some of these features are specific to the
operation of the PEPs, while others affect system-wide ETM operations. Enhanced security features
include:
• FIPS mode
Federal Information Processing Standards are security standards that govern the use of computer
systems in non-military U.S. government agencies and contractors. When PEPs operate in FIPS mode,
only specific encryption and authentication algorithms are accepted. To learn more about PEPs and
FIPS mode, see “FIPS Mode” on page 155.
• Strong password enforcement
PEPs with software version 1.6 or later can be configured to use strong password enforcement. The
conventions used with strong password enforcement are far more stringent than those used with the
default password management. To learn more about strong password enforcement, see “Configuring
the Password Enforcement Policy” on page 147.
• Strict authentication
With strict authentication, all communications between ETM components are authenticated using
certificates. To learn more about strict authentication and using certificates see “About Strict
Authentication” on page 175.
• Hardware Security Module
A hardware security module (HSM) is available as an option for your EncrypTight servers. Currently
with EncrypTight Manager, HSMs are used for random number generation.
NOTE
policyserver-init.conf has been modified to simplify certificate options and group HSM options in one place
(random number generation).
About Strict Authentication
The ETM system uses the Transport Layer Security (TLS) protocol for secure communication between
the different components of the system (the management workstation and the PEPs). EncrypTight can use
either:
• TLS with encryption only
• TLS with encryption and strict authentication enabled
When strict authentication is enabled, all TLS communications between ETM components are
authenticated using certificates. Authenticating the communications between components provides an
extra level of security. Optionally, you can also set up the system to validate certificates by checking
Certificate Revocation Lists (CRLs) or by using the Online Certificate Status Protocol (OCSP).
Strict authentication is available for PEPs with software version 1.6 or later. Strict authentication is
disabled by default. After you install certificates on all of the devices that you are going to use, you can
enable strict authentication.
CAUTION
Do not enable strict authentication before you install certificates on all of the ETM components. Doing so
can lead to errors and communication failures.
A certificate is an electronic document that contains a public key that corresponds to the private key of
the entity named as the subject of the certificate. Certificates can be generated by the entity itself
(self-signed) or they can be issued by a certificate authority (CA).
A CA is a trusted organization that authenticates certificate applications, issues and revokes certificates,
and maintains status information about certificates. CA-signed certificates help establish a chain of trust.
ETM servers include a CA that you can use to sign certificate requests for your PEPs. Keys and
certificates are stored in an encrypted, password-protected keystore.
Prerequisites
An important prerequisite to installing new certificates is identifying the certificate authority you plan to
use. Your organization may have a standard CA that everyone uses, or you may need to select one for
this particular security application. The information in this chapter assumes that you have established a
relationship with a certificate authority.
In order to follow the procedures discussed in this section and work with certificates in an ETM system,
you need to understand how to do several tasks covered in more detail in other sections. Cross references
to those sections are provided in Table 71.
Table 71 Prerequisites for Using Certificates with EncrypTight

How to:                                          Reference:
Navigate and work with EncrypTight               “Working with the EncrypTight Manager User
                                                 Interface” on page 21
Add and configure PEPs                           “Provisioning PEPs” on page 29
Access the command line interface for a PEP      See the configuration chapter for the model of
                                                 PEP that you are using.
NOTE
If you plan to operate in FIPS mode, make sure you enable FIPS mode first and push the configuration to
the PEPs before you begin to install certificates and set up strict authentication. If you enable FIPS mode
after strict authentication has been activated, you will need to reinstall your certificates.
Order of Operations
You should proceed with caution as you enable strict authentication in your deployment. Among the
issues you could encounter are invalid, misconfigured, or expired certificates that cause communication
failures. The following order of operations is recommended:
1 If you plan to operate in FIPS mode, enable FIPS mode on your PEPs before you make other
changes.
2 Install a few PEP certificates into EncrypTight and the EncrypTight server certificates onto those PEPs.
3 Temporarily enable strict authentication in the EncrypTight Manager and make sure that you can still
communicate with the PEPs (refresh status for the PEPs that you used in step 2). If the PEPs respond
appropriately, continue with the next step. If you cannot communicate with the PEPs, troubleshoot and
fix the problems found.
4 If step 3 was successful, enable strict authentication on the PEPs that you used in step 2 and retest
communications. If EncrypTight Manager can still communicate with the PEPs, then the EncrypTight
Manager has certificates that can be used. At this point, you can disable strict authentication and
continue to provision more of the network.
5 When you have installed certificates on all of the devices in the system (including all EncrypTight
servers and all of your PEPs), you can reenable strict authentication in EncrypTight Manager.
6 Refresh status for all devices to verify that EncrypTight Manager can still communicate with all
devices. If you cannot communicate with a device, it probably has an invalid or misconfigured
certificate. Fix any issues discovered and proceed.
7 Enable strict authentication on all of the PEPs.
8 Enable strict authentication in EncrypTight Manager in the Admin->EncrypTight
NOTE
If you need to add a new PEP after you have enabled strict authentication, temporarily disable strict
authentication in the EncrypTight configuration window first, and then add the PEP. Configure the PEP as
needed. After you push the configuration, install certificates on the PEP and re-enable strict authentication
in EncrypTight. Refresh status to test the communications and if everything is successful, enable strict
authentication on the new PEP.
Certificate Information
When you generate a keypair and create certificate requests, you must provide information that uniquely
identifies the device. This information is referred to as a distinguished name and consists of the values
described in Table 72. When you generate a keypair using the keytool utility, this information is specified
as part of the -dname parameter.
Table 72 Distinguished name information

Setting                     Description
Common Name (CN)            A name that identifies the device or person. Length: 0-64 characters.
Organizational Unit (OU)    Name of a sub-section of the organization, such as a department or
                            division. Length: 0-64 characters.
Organization (O)            Organization or company name. Length: 0-64 characters.
Locality (L)                City, town, or geographical area where the organizational unit is
                            located. Length: 0-128 characters.
State/Province (S)          State or province where the organizational unit is located.
                            Length: 0-128 characters.
Country (C)                 Two letter country abbreviation (optional).
In usage, you type this string as follows:
-dname "cn=<common name>, ou=<organization unit>, o=<organization name>, l=<location>, s=<state/province>, c=<country>"
The information must be entered in the order shown. For example:
-dname "cn=John Doe, ou=customer support, o=my company, l=raleigh, s=NC, c=US"
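A small helper that assembles the -dname argument in the order shown and checks each value against the length limits in Table 72 is useful when scripting certificate requests for many PEPs. This is an added example, not EncrypTight or keytool code; the function names are mine, and the check for commas, equals signs and quotes (which would change how keytool splits the string) is my addition beyond the table.

```python
"""Build and validate a keytool -dname string per Table 72 (added example, not product code)."""
import re

# (key, label, maximum length) in the order the fields must be typed
DN_FIELDS = [
    ("cn", "Common Name", 64),
    ("ou", "Organizational Unit", 64),
    ("o", "Organization", 64),
    ("l", "Locality", 128),
    ("s", "State/Province", 128),
]


def validate_dn(fields: dict) -> list:
    """Return a list of problems; an empty list means the values satisfy Table 72."""
    problems = []
    for key, label, max_len in DN_FIELDS:
        value = fields.get(key, "")
        if len(value) > max_len:
            problems.append(f"{label} ({key}) is longer than {max_len} characters")
        # A comma, '=' or '"' inside a value would be parsed as RDN structure by keytool
        if re.search(r'[,="]', value):
            problems.append(f"{label} ({key}) must not contain , = or \"")
    country = fields.get("c", "")
    # Country is optional, but when given it must be a two-letter abbreviation
    if country and not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append("Country (c) must be a two-letter abbreviation")
    return problems


def build_dname(fields: dict) -> str:
    """Assemble the -dname argument; raise ValueError on any Table 72 violation."""
    problems = validate_dn(fields)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [f"{key}={fields.get(key, '')}" for key, _, _ in DN_FIELDS]
    parts.append(f"c={fields.get('c', '')}")
    return '-dname "' + ", ".join(parts) + '"'


if __name__ == "__main__":
    # The example values from the text above
    example = {"cn": "John Doe", "ou": "customer support", "o": "my company",
               "l": "raleigh", "s": "NC", "c": "US"}
    print(build_dname(example))
```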
Using Certificates in an ETM System
ETM components ship with self-signed identity certificates. You can continue to use these certificates, or
you can replace them with certificates acquired from a trusted CA. By default, the ETM system uses the
Transport Layer Security (TLS) protocol for communications between components. This encrypts
communications, but does not automatically provide authentication. If you enable strict authentication,
you can use certificates to authenticate identities and set up encrypted communications for management
traffic between components.
To authenticate the communications, each component needs one of the following:
• A copy of the identity certificate for every component with which it communicates.
• A trusted root CA.
Manually exporting and installing certificates for a large number of devices can be burdensome. In larger
deployments it is more efficient to use a CA certificate than to install individual certificates for each
component with which a device might need to communicate.
When you replace the self-signed certificates, each component in an ETM system needs at least an identity
certificate for itself and a copy of the trusted CA certificate. The CA certificate is used to validate the
identity certificate when communication sessions are initiated. You might also need certificates for any
intermediate CAs in the chain.
Configuring the Certificate Policies Extension
EncrypTight supports the use of the certificate policies extension in certificates. CAs use this extension to
indicate the purposes for which a certificate was issued, for example, digitally signing e-mail or
encryption. If a certificate is being used for a purpose that is not indicated by the extension, it can be
rejected.
In a certificate, the certificate policies extension indicates the purposes for which a certificate was issued
with one or more registered Object Identifiers (OIDs), which are values that can vary by organization and
industry. If the CA that issues the certificate does not want to limit the purposes for which the certificate
can be used, they can use a special OID that indicates it can be used for any policy.
If your organization uses the certificate policies extension in certificates, you need to specify the OIDs
that will be accepted by the EncrypTight software and each PEP before you begin requesting and
installing certificates. The OIDs are ignored until you enable strict authentication.
You can configure the certificate policies extension for PEPs on the Advanced tab of the Appliance
Editor. The changes do not take effect until you push the configurations to the PEPs.
To configure the certificate policies extension for PEPs:
1 In the Appliance editor for the PEP, click the Advanced tab.
2 Click Enable Policy Extensions.
3 For each OID, click the add icon, type the OID and click Update.
  • If you make a mistake, select the OID in the list and click the edit icon to change it.
  • If you need to remove an OID, select it and click the delete icon.
TIP
If you are deploying numerous PEPs, you can save time by modifying the template for the PEP models
that you use. For more information about modifying default configurations, see “Working with Configuration
Templates” on page 46.
You can enable the certificate policies extension for EncrypTight in the EncrypTight Configuration view.
Add the OIDs in the Certificate Policy Extension OIDs view. These changes take effect immediately.
To configure certificate policies extension for EncrypTight:
1 In EncrypTight, select Admin > Black Box EncrypTight Manager Configuration.
2 Double-click Certificate Policy Extension OIDs Enabled.
3 Click the checkbox and click Update.
4 Click Certificates > Certificate Policy Extension OIDs.
5 For each OID, click [icon] and type the OID. To edit an existing item, select it and click [icon].
6 Click Update.
About the Policy Constraints Extension
The certificate policies extension can be used in conjunction with the policy constraint extension. This
extension is configured by your CA and requires no setup in EncrypTight components. It places
additional controls on how certificates can be used. The policy constraints extension can:
• Prohibit policy mapping
Policy mapping is the practice by which one OID is considered equivalent to a different OID. When
policy mapping is prohibited, a value in the extension indicates the number of additional certificates
in the chain that can be checked before policy mapping is prohibited. Beyond that point, policy
mapping is not allowed and authentication can fail.
• Require that every certificate in the certificate chain include acceptable policy identifiers, as specified
in the certificate policies extension
With this option, a value in the extension indicates the number of additional certificates in the chain
that can be checked before all certificates in the chain must include acceptable policy identifiers,
either an exact match to an OID configured in the device or an OID considered equivalent through
policy mapping. If the next certificate in the chain does not include acceptable OIDs, authentication
can fail.
Your CAs can provide information about their practice for using these extensions.
Importing PEP Certificates into EncrypTight
Before you enable strict authentication, the ETM server must have a copy of the certificate for each PEP
you use.
To import PEP certificates into EncrypTight:
1 In EncrypTight, from the Certificates menu, choose EncrypTight Certificates.
2 In the keystore Certificates section, click Browse.
3 Locate the certificates file that you want to import, select it, and click Open.
TIP
For larger deployments, you can save time by importing certificates from a ZIP file. Export the certificates
from the PEPs, create a ZIP file, and select it in step 3.
Working with Certificates for the PEPs
You can use the PEP Certificates page to manage certificates for your PEPs.
To open the PEP Certificates page:
1 On the menu bar, click the [icon] on the Certificates menu.
2 Click PEP Certificates.
Understanding the PEP Certificates Page
The PEP Certificates page provides toolbars and shortcut menus for working with certificate-related
functions. It includes the following elements:
Table 73 PEP Certificates Page Elements
Element: Description
PEPs list: Lists the available PEPs. For each PEP, the list indicates whether it is configured for strict
authentication and if it has a pending certificate signing request. To perform a certificate-related task on
a PEP, select it in the list and use the shortcut menu or a toolbar button to select an action.
Certificates tab: Lists the certificates installed on the selected PEPs.
Certificate Requests tab: Lists the pending certificate signing requests for the selected PEPs.
Certificate Revocations tab: Lists the certificate revocation lists installed on the selected PEPs.
Certificate Details: Displays the details of the selected certificate.
Certificate Request Details: Displays the details of the selected certificate signing request.
Figure 86 PEP Certificates Page
• PEPs list
The PEPs list displays the available PEPs. For each PEP, the list indicates whether it is configured for
strict authentication and if it has a pending certificate signing request. To perform a certificate-related
task on a PEP, select it in the list and use the shortcut menu or a toolbar button to select an action.
• Certificates tab
The Certificates tab lists the certificates installed on the selected PEPs. Using toolbar buttons, you can
delete certificates or export them.
• Certificate Requests tab
The Certificate Requests tab lists the pending certificate signing requests for the selected PEPs. You
can manage certificate signing requests using the toolbar buttons or the shortcut menu.
• Certificate Revocations tab
The Certificate Revocations tab lists the Certificate Revocation Lists (CRLs) installed on the selected
PEPs. You can delete and export CRLs using toolbar buttons or the shortcut menu. You can also use a
batching task to install CRLs on multiple PEPs.
• Certificate Details
The Certificate Details tab displays the details of a selected certificate.
• Certificate Request Details
The Certificate Request Details tab displays the details of a selected certificate signing request.
Certificates Workflow
EncrypTight Manager (ETM) certificate management has several aspects. The server accepts SSL
connections from clients, providing its own certificate chain to those clients. The ETM server also acts as
a TLS client to PEPs, optionally using OCSP and/or CRL checking for the PEP certificate chain. Finally,
it can also serve as a Certificate Authority (CA) for PEPs, accepting their Certificate Signing Requests
(CSR), signing them with its own CA certificate and installing the resulting certificate on the appropriate
appliance. Additionally, certificates and CSRs can be exported as PEM-encoded text files. Underlying
support is provided by openssl for generating the PolicyServer CA and server certificates, and by the
Bouncy Castle Cryptography Library for CA and basic X509 certificate and CSR support. By default, the
PolicyServer CA and server credentials are stored in a password-protected JCEKS keystore, while PEP
certificates are stored in a separate password-protected JCEKS keystore. The PolicyServer certificate
chain can be downloaded from the EncrypTight Manager Certificates page of the application, as a PEM-encoded text file.
By default, during installation ETM creates two (openssl-generated) certificates on the first cluster node:
a self-signed CA certificate and a server certificate used for authentication. If desired, either one (or both)
may be replaced with a certificate signed by a different CA. How to do this is described in more detail in
the Customization section below. When installing a PolicyServer cluster, subsequent nodes will generate
only their own server certificate; the CA credentials will be copied from the first PolicyServer node
installed. EncrypTight Manager supports certificate based client authentication (two-way SSL
authentication between the browser and ETM).
PolicyServer CA Certificate
The CA certificate is a self-signed X509 certificate, issued and signed by Black Box. When requested, the
CA certificate is used to sign the PolicyServer server certificate and to sign PEP certificate signing
requests (CSRs) when an external CA is not being used.
PolicyServer Certificate
The PolicyServer certificate is the leaf certificate presented to SSL clients of ETM, typically with the CA
certificate as the only other certificate in the chain. The default server certificate contains its IP address
as the CN, with PolicyServer CA as the issuer. Optionally, during installation, a new server CSR can be
generated for a specific CN and subject name using openssl and signed with the CA certificate. Specific
instructions are provided in the Customization section below.
PolicyServer TLS Client
The ETM server always uses TLS to communicate (using XML-RPC) with PEPs. By default, the client
does not perform server authentication; rather, it only uses the TLS connection for encryption of the
communication between ETM and the PEP. However, when strict certificate authentication is enabled, a
PKIX trust manager is used to enable (if configured) OCSP and/or (if configured) CRL checks as part of
the SSL socket connection initialization. When FIPS mode is not enabled, the default trust manager is
wrapped with a custom trust manager that checks any CRL distribution point obtained from the PEP
certificate and/or a statically configured file when OCSP is not enabled or (optionally) when the OCSP
responder fails.
PolicyServer Certificate Authority
By default, PEPs are delivered with a self-signed certificate already installed on the appliance. If desired,
this certificate can be replaced with one signed by the PolicyServer Certificate Authority, or any other
CA. Certificates created by the PolicyServer CA are X509 Version 3 certificates, signed with the
PolicyServer CA certificate, and contain the following standard extensions:
• Authority Key Identifier: the public key of the signing authority
• Subject Key Identifier: the public key of the requesting entity
• Basic Constraints: false - the certificate will not be used for signing
• Key Usage: non-repudiation, digital signature, key encipherment
The serial number will be a randomly generated eight-octet number. By default, the certificate will expire
in ten years, but this is configurable via the EncrypTight Manager Configuration page in the application.
Other configurable aspects of the CSR include: the distinguished name parts (C, O, OU, ST, L), the
public key length, and the timeout (in seconds) for generating the CSR on the PEP.
Certificate Distribution
EncrypTight Manager provides a grid for all PEPs, and separate grids for the certificate(s), CSR, and
(optionally) Certificate Revocation Lists (CRLs) installed on each PEP. The details of each certificate or
CSR can be viewed and/or exported individually. Additionally, multiple CSRs can be downloaded as a
zip archive file to facilitate distribution to an external CA. You can also use a batching task to install
CRLs on multiple PEPs. External trusted certificates and CRLs can be installed to one or more appliances
by uploading the appropriate PEM-encoded text file. A CSR can be generated for individual PEPs and
may be optionally signed by the PolicyServer CA and installed immediately after generation.
NOTE
Currently, only the certificate of the ETM server used to sign the CSR is automatically installed on the
PEP. When an ETM cluster is used, the certificate(s) of the other cluster member(s) will all need to be
installed on the PEP before mutual certificate authentication is enabled.
Directory Structure
The PolicyServer CA and server credentials are originally created as password-protected PKCS12 files in
a private subdirectory of the jboss application server's configuration directory (jboss_home/server/
policyserver/conf/private), named as root.p12 and server.p12, respectively by default. During installation,
they are loaded into the PolicyServer JCEKS keystore file, which also resides in the private subdirectory.
Customizing
NOTE
When a user changes the TimeZone on the policyserver, either through the command line or through the
blue screen, ETM needs to be restarted.
/etc/init.d/policyserver restart
Generating the PolicyServer CA and Server Certificates
During installation, PolicyServer CA and server certificates are generated, with appropriate options for
overriding default values for the subject DN (or just the server CN part) and the password used to protect
the key and PKCS12 files. CSRs are generated by openssl using the corresponding key file in the
application server's private configuration directory. The PolicyServer CA CSR is self-signed and the
server CSR is signed using the PolicyServer CA credentials, with a serial number based on the root.srl
file. If desired, the create-certs.sh script can be run subsequent to installation (separately, or in
conjunction with policyserver-install) to generate new PolicyServer CA and/or server credentials. New
credentials are generated if the corresponding private PKCS12 file is not present. To use existing
credentials, copy the desired PKCS12 files containing the desired private key and certificate chain to the
policyserver/conf/private directory prior to running the policyserver-install script.
NOTE
For a cluster configuration, the installation must be completed on the first node so that the PolicyServer
CA credentials can be copied to subsequent nodes during their installation. A unique server certificate
should be generated for each PolicyServer node.
Replacing the PolicyServer CA and Server Certificates
At any time, the PolicyServer CA and Server credentials (certificates and private keys) can be replaced
by importing new PKCS12 files to replace the existing keystore entries. The alias of the PolicyServer
entry must match the configured value (which is also referenced in jboss_home/server/policyserver/
deploy/jbossweb.sar/server.xml) and the alias of the PolicyServer CA entry must match the lowercased
value of the PolicyServer CA certificate's CN (e.g. the default value is "policyserver ca", derived from the
default CN=PolicyServer CA) if it is to be used for signing PEP CSRs. Furthermore, to be acceptable for
use in signing, the certificate would most likely be an intermediate certificate signed by a trusted
certificate authority that has been created with appropriate values (e.g. Basic Constraints CA true).
Working with Certificate Requests
The workflow for requesting and installing an identity certificate on a Black Box appliance is as follows:
1 Generate a certificate signing request.
2 Send the request to a CA. If the request is approved, the CA returns a signed certificate.
3 Install the signed certificate on the appliance.
You can use an external CA or the included ETM CA. If you use the ETM CA, you can generate a
request, submit it, and install the resulting signed certificate in one operation.
Only one certificate request is allowed on the appliance. Prior to creating a new certificate request you
must remove the existing one.
Requesting a Certificate
Complete the following procedure to create a certificate signing request.
Figure 87 Generate a certificate signing request
To generate a certificate signing request:
1 In the PEPs list, right-click the target appliance and click Generate in the shortcut menu.
2 Complete the Subject Name fields (see Table 72).
3 From the Public Key Length box, select the size of the key that you want to use. The key is generated
using the RSA algorithm. The key size typically refers to the size of the modulus. A larger modulus is
more secure, but the algorithm operations are slower. You can select from:
• 512: Offers little security. Use only for very short-term security needs.
• 768: Suitable for less valuable information.
• 1024: Recommended for most corporate use.
• 2048: Provides a higher level of security for more valuable information.
• 4096: Provides the highest level of security.
EncrypTight generates a certificate request in Privacy Enhanced Mail (PEM) format.
4 When prompted, save the file. The file is saved with a .csr extension.
5 Send the certificate request to a certificate authority, following their instructions for completing the
request. If the request is successful, the certificate authority will send back an identity certificate that
has been digitally signed with the private key of the certificate authority.
NOTE
EncrypTight lets you set default values to be used when generating a certificate request. Many values are
common for all certificate requests from a company or division. Setting preferences for these fields can
save time when submitting a request. See “Setting Certificate Request Preferences” on page 187 for more
information.
Installing a Signed Certificate
When a certificate authority accepts a certificate request, it issues a digitally signed identity certificate
and returns it electronically. The certificate must be a PEM-formatted X.509 certificate.
Figure 88 Select a certificate file and its usage
To install a signed certificate on a Black Box appliance:
1 In the PEPs list, select the target appliance.
2 Click the Certificate Requests tab.
3 Click [icon] to install the signed certificate.
4 In the Import Signed Certificate box, click Browse, select the certificate file, and click Open.
5 Click Submit.
Viewing a Pending Certificate Request
Pending certificate requests are displayed in the Certificate Request view.
To view a pending certificate signing request:
1 In the PEPs list, select the target appliance.
2 Click the Certificate Requests tab.
3 To view the details of a particular request, select it. The details of the request display in the Certificate
Request Details tab.
Figure 89 View pending certificate signing requests
Canceling a Pending Certificate Request
The Black Box appliance allows for only one pending certificate request. In order to replace the pending
request with a new one, you must cancel the pending request.
To cancel a pending certificate request:
• On the Certificate Request tab, select the certificate request and click [icon]. The certificate request is
deleted and you can create a new certificate request.
Setting Certificate Request Preferences
EncrypTight lets you set default values that will be used when generating a certificate request. Many
values are common for all certificate requests from a company or division. Setting preferences for these
fields can save time when generating a request. Any field set in the preferences can be overridden when a
certificate request is generated.
To set certificate request preferences:
1 Click Admin > Black Box EncrypTight Configuration.
2 Double-click Certificate Signing Request.
3 In the Certificate Signing Request Configuration box, set the desired default values and click OK.
The Common Name (CN) defaults to the appliance name; it cannot be set as a preference and does
not appear in the Subject Name box. For information about other distinguished name fields, see Table
72. Other certificate requests preferences are described in Table 74.
Table 74 Certificate request preference fields
Setting: Description
Subject Name: Specify default values for the distinguished name information to be used for most
certificate signing requests (see Table 72).
Public Key Length: The key is generated using the RSA algorithm. The RSA key size typically refers to
the size of the modulus. A larger modulus is more secure, but the algorithm operations are slower.
• 512: Offers little security. Use only for very short-term security needs.
• 768: Suitable for less valuable information.
• 1024: Recommended for most corporate use.
• 2048: Provides the highest level of security.
Communication timeout: The timeout for generating a certificate signing request. The timeout is
specified in seconds. Valid values range from 30 - 300 (5 minutes). The larger the key size, the longer it
takes to generate a certificate request.
NOTE
The larger the key size, the longer it takes the Black Box appliance to generate the certificate request due
to the complexity of the algorithm’s operations. A certificate request with a key size of 2048 bits can take
several minutes to generate.
Exporting Certificates
This procedure describes how to export an installed certificate from the Black Box appliance. The
exported certificate can then be installed as a peer certificate on another device, such as the ETM server.
To export an installed certificate:
1 In the PEPs list, select the appliance with the certificate that you want to export and click [icon].
2 On the Certificates tab, select the certificate that you want to export and click [icon].
3 Open or save the file when your browser prompts you.
Deleting Certificates
Delete external certificates if they have expired or are no longer used. External certificates are the only
type of certificate that you can delete from the Black Box appliance. You can overwrite existing
management ID certificates to replace them, but you cannot explicitly delete them.
CAUTION
You must have at least one external certificate installed on the Black Box appliance. Deleting an external
certificate that is currently being used for authentication will cause management communications to fail.
To delete an external certificate:
1 Turn off strict authentication on the PEP in the configuration editor and push the new configuration,
or use the strict client authentication disable CLI command. (For more information, see “Enabling and
Disabling Strict Authentication” on page 192.)
2 Switch to the PEP Certificates view.
3 In the PEPs list, select the appliance with the certificate that you want to delete and click [icon].
4 On the Certificates tab, select the target certificate and click [icon]. The certificate is removed from the
Certificates tab and is no longer available to authenticate peers.
Validating Certificates
Generally, certificates are considered valid until they expire. However, certificates can be revoked by CAs
when necessary. Devices can check the validity of a certificate using certificate revocation lists (CRLs) or
the online certificate status protocol (OCSP).
Validating Certificates Using CRLs
Certificate authorities publish certificate revocation lists (CRLs) to identify certificates that they consider
invalid. Certificates include a field called the CRL Distribution Point extension, which provides the URL
at which the certificate authority makes its CRL available.
By default, EncrypTight examines received certificates to determine the URL to use and checks this
location for CRLs. You must obtain and install a copy of the CRL on the PEPs that you use.
In EncrypTight, you can specify a local directory to check for CRLs. All ETM components check the
CRLs the first time a device initiates communication and then store the CRL until it expires.
Storing the CRLs locally can accelerate the process of checking CRLs and helps minimize false
authentication failures due to revocation check failures. If you choose to store CRLs locally, you must
remember to periodically retrieve updated copies of the CRL and install it on each ETM component.
NOTE
CRLs are only supported in PEPs with software version 1.6 or later. You must upgrade PEPs with earlier
software versions in order to use this feature. To learn more about upgrading the software on PEPs, see
“Installing Software Updates” on page 77.
Configuring CRL Usage in EncrypTight
By default EncrypTight reads installed certificates to find the location of the CRL. You can override this
behavior and specify a local directory for the CRL instead.
To use CRLs with the EncrypTight software:
1 On the management workstation, create a directory where you want to store the CRL files.
2 In EncrypTight, select Admin > Black Box EncrypTight Manager Configuration.
3 Double-click CRL File.
4 In the Upload file box, click Browse, navigate to the file location and select the CRL file.
5 Click Open.
6 Do one of the following:
•
To copy the file to the server, click Copy file to file store.
•
To remove the file from the server, click Remove file from file store.
7 Click Submit.
NOTE
This setting does not take effect until you enable strict authentication.
Configuring CRL Usage on PEPs
You manage CRLs for the PEPs using the Certificates view in the EncrypTight software.
To install a CRL on the PEP:
1 Switch to the Certificates view.
2 In the PEPs view, right-click on the target PEP and choose Install CRL.
3 Navigate to the appropriate directory and select the CRL file that you want to install.
4 Click Open.
5 Push the modified configuration to the PEP in order to complete the installation.
NOTE
You can also use a batching task to install CRLs on multiple PEPs.
To view CRLs:
1 In the PEPs view, right-click the target PEP and click View CRLs in the shortcut menu. A list of
installed CRLs is displayed in the CRLs view.
To delete CRLs:
1 In the PEPs view, select the target PEP.
2 Click the CRLs tab.
3 Right-click on the CRL that you want to remove and select Delete.
Handling Revocation Check Failures
Not being able to check a CRL does not automatically indicate that a certificate is expired or revoked,
especially if the CRL is stored on a server on a different network. By default, if an ETM component
cannot check a CRL for any reason, it logs the failure but still allows a secure communication session to
be created. You can change this behavior to fail the authentication instead.
To change the default EncrypTight action when a CRL cannot be checked:
1 In EncrypTight, select Admin > Black Box EncrypTight Manager Configuration.
2 Double-click the Ignore CRL access failure item.
3 Click Ignore CRL access failure to clear the check box.
4 Click Update.
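The following added example is not from the EncrypTight guide or from Black Box; it uses the openssl CLI (which the guide says generates the PolicyServer credentials) to rebuild the PEP certificate profile described under "PolicyServer Certificate Authority", apply the certificate policies OID check that strict authentication adds (see "Configuring the Certificate Policies Extension"), and model the CRL revocation check with the "Ignore CRL access failure" behavior described in this section. The OIDs, PEP names, the file-based CA database and the flag handling are the example's own assumptions, not the product's implementation.

```shell
# Added example, not from the EncrypTight guide: rebuild the PolicyServer CA's PEP
# certificate profile with the openssl CLI, then layer the two strict-authentication
# checks on top of plain chain validation: an accepted certificate-policies OID, and a
# CRL check whose behaviour when the CRL is unreachable follows "Ignore CRL access failure".
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Constructed placeholder OIDs; substitute the OIDs your CA actually asserts.
ACCEPTED_OID="1.3.6.1.4.1.99999.1.1"
OTHER_OID="1.3.6.1.4.1.99999.1.2"

# Self-signed CA with the default PolicyServer CA subject, plus the minimal [ca] section
# openssl needs to revoke certificates and publish a CRL.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = PolicyServer CA
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = pca
[pca]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
EOF
  : > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a PEP certificate as the guide describes PolicyServer-signed ones: X.509 v3 with
# AKI and SKI, Basic Constraints CA:FALSE, key usage nonRepudiation, digitalSignature and
# keyEncipherment, a random eight-octet serial and a ten-year lifetime, plus a policy OID.
issue_pep_cert() { # $1 = PEP name, $2 = certificate policy OID
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/CN=$1/O=Example Corp" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  cat > "$WORK/$1.ext" <<EOF
authorityKeyIdentifier = keyid
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
certificatePolicies = $2
EOF
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial "0x$(openssl rand -hex 8)" -days 3650 -sha256 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Plain chain validation: all the TLS client does before strict authentication.
chain_ok() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }
# Strict authentication with configured policy OIDs: the chain must also carry an accepted
# OID; -explicit_policy turns a missing or foreign OID into a hard failure.
policy_ok() {
  openssl verify -CAfile "$WORK/ca.pem" -policy "$ACCEPTED_OID" -explicit_policy \
    "$1" >/dev/null 2>&1
}

# Revoke a PEP certificate and publish a fresh CRL signed by the CA.
revoke_and_publish_crl() { # $1 = PEP name
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.pem" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# CRL check with the guide's two behaviours when the CRL cannot be read: ignore flag 1
# logs and allows the session (the default), 0 fails authentication. 0 = allow, 1 = deny.
revocation_check() { # $1 = cert file, $2 = CRL file, $3 = ignore-access-failure (0/1)
  if [ ! -r "$2" ]; then
    echo "WARNING: CRL $2 not accessible" >&2
    [ "$3" = 1 ] && return 0
    return 1
  fi
  openssl verify -CAfile "$WORK/ca.pem" -CRLfile "$2" -crl_check "$1" >/dev/null 2>&1
}

demo() {
  make_ca
  issue_pep_cert pep-a "$ACCEPTED_OID"; issue_pep_cert pep-b "$OTHER_OID"
  for p in pep-a pep-b; do
    chain_ok "$WORK/$p.pem" && c=ok || c=FAIL
    policy_ok "$WORK/$p.pem" && o=ok || o=FAIL
    echo "$p: chain=$c accepted_policy_oid=$o"
  done
  revoke_and_publish_crl pep-a
  revocation_check "$WORK/pep-a.pem" "$WORK/crl.pem" 1 || echo "pep-a: revoked, denied"
  revocation_check "$WORK/pep-b.pem" "$WORK/none.crl" 1 && echo "pep-b: CRL unreachable, allowed"
  revocation_check "$WORK/pep-b.pem" "$WORK/none.crl" 0 || echo "pep-b: CRL unreachable, denied"
}
demo
```

Both PEP certificates pass plain chain validation; only the one carrying the accepted OID passes the policy check, and the revoked one is denied as soon as the CRL is readable.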
Validating Certificates Using OCSP
As an alternative to using CRLs, you can validate certificates with the online certificate status protocol
(OCSP). With OCSP, the device that wants to check the validity of a certificate reads the certificate to
determine the URL of the OCSP responder and sends a request that identifies the certificate in question.
Organizations can also explicitly specify a URL to use for the OCSP responder. The OCSP responder
returns a signed OCSP response indicating the validity of the certificate.
In order to use OCSP, you must enable it on each ETM component.
PEPs can read the URL from the certificate itself, but you can specify a URL to use if needed.
EncrypTight provides additional options that allow you to specify the default action if no OCSP
responder can be located or if the URL cannot be contacted. When OCSP is enabled, EncrypTight tries to
check the revocation status using OCSP.
•
If no default OCSP responder is defined, then EncrypTight checks the certificate to determine the
URL to use to contact an OCSP responder.
•
If there is no OCSP URL defined in the certificate, you can specify that EncrypTight checks the
certificate for the URL of a CRL Distribution Point as a fallback.
•
If the CRL Distribution Point URL is not present or if the URL cannot be reached, the validation
fails. Unlike using CRLs only, there is no option to ignore revocation check failures in this scenario.
By default, the system assumes that OCSP responses are signed by the issuer of the certificate whose
status is being checked. You can override this and specify an alternative signer by entering the subject
name of the signer’s certificate.
In addition, in order to verify the response from the OCSP responder, you need to install the certificate
from the OCSP responder. For more information about installing certificates, see “Installing an External
Certificate” on page 160.
Configuring OCSP for EncrypTight
In EncrypTight, you must be logged in with Platform Administrator privileges in order to configure
OCSP. In addition, on PEPs you must enable strict authentication before you can configure OCSP (see
“Enabling and Disabling Strict Authentication” on page 192).
To set up OCSP in EncrypTight:
1 Log into EncrypTight as a platform administrator.
2 In EncrypTight, click Admin > Black Box EncrypTight Manager Configuration.
3 Double-click Online Certificate Status Protocol (OCSP).
4 In the OCSP Configuration box, click Enable Online Certificate Status Protocol (OCSP).
5 Configure other options as needed (see Table 75).
6 Click OK.
Table 75 EncrypTight OCSP Options
Option: Description
Enable Online Certificate Status Protocol (OCSP): Enables and disables the use of OCSP in EncrypTight.
By default, this is disabled.
Responder DN: Specifies the subject name of the certificate for the OCSP responder.
OCSP URL: Specifies the URL to use for OCSP checking. This option overrides the use of any OCSP URL
that might be indicated in certificates.
Revert to CRL on Responder Failure: Specifies that if the OCSP responder does not reply or cannot be
reached, EncrypTight should read the certificate to determine the location of the CRL to use to validate
the certificate. Note that authentication fails when OCSP is enabled and a CRL cannot be accessed as a
fallback.
NOTE
For enhanced security, if you want to validate certificates using OCSP only, disable Revert to CRL on
OCSP Responder Failure.
Figure 90 OCSP Configuration
Configuring OCSP for PEPs
To set up OCSP on the PEPs:
1 In the PEPs view, select the appliance that you want to change and click [icon].
2 Click the Features tab.
3 Click Enable strict authentication.
4 Click the Advanced tab.
5 Click Enable OCSP.
6 In the Responder URL box, enter the URL of the OCSP responder.
7 Make other selections as needed. See Table 76 for an explanation of the OCSP settings.
8 Click OK.
Table 76 OCSP Settings
Option: Description
Enable OCSP: When checked, enables the use of OCSP. The default is unchecked.
Verify OCSP Response: Verifies OCSP responses by authenticating the response with the installed
certificate. The default is to verify the OCSP response.
Ignore Failure to Respond: Not receiving a response does not indicate that a certificate has expired or
that it has been revoked. This option allows the PEP to proceed when a response to an OCSP query is not
received in a timely manner. The default is to ignore the failure to respond.
Check Certificate Chain: When checked, this option instructs the PEP to use OCSP to check the validity
of every certificate in the responder’s chain of trust. The default is unchecked.
Responder URL: Specifies the URL to use for the OCSP responder.
Enabling and Disabling Strict Authentication
After you have installed certificates on each ETM component, you can enable strict authentication. Strict
authentication is a setting that affects communications between all ETM components. Once you enable
strict authentication on a component, it begins to use certificates to authenticate communications from
devices that attempt to communicate with it. To use strict authentication system-wide, you must
specifically enable it in EncrypTight and on each PEP in use.
NOTE
Strict authentication is available for PEPs with software version 1.6 and later.
To enable strict authentication in EncrypTight:
1 In EncrypTight, select Admin > Black Box EncrypTight Manager Configuration.
2 Double-click Use Strict Certificate Authentication.
3 Click the Use Strict Certificate Authentication check box.
4 Click Update.
To enable strict authentication on PEPs:
1 For each PEP, in the PEPs view select the PEP and click [icon].
2 Click the Security tab.
3 Click Enable Strict Client Authentication.
4 Click OK.
5 In the PEPs view, select all of the PEPs that you changed.
6 Click [icon].
7 Click Submit to close the Provision PEP dialog box and apply the changed configurations to the
PEPs.
If you need to remove a PEP from service and use it elsewhere, you need to disable strict authentication
and remove all certificates and policies.
To disable strict authentication:
1 In the PEPs view, select the target PEP and click [icon].
2 Click the Security tab.
3 Clear the Enable Strict Client Authentication box.
If certificates expire or if you enable strict authentication before installing certificates, you might not be
able to communicate with the PEP from the management workstation. In this case, you can connect a
serial cable to the PEP and disable strict authentication from the command line.
To disable strict authentication from the command line:
1 Connect to the serial port of the appliance and open a terminal session.
2 Log in and type configure to enter configuration mode.
3 Type management-interface to enter management interface configuration mode.
4 Enter strict-client-authentication disable.
For example:
admin> configure
Entering configuration mode...
config> management-interface
Entering management interface configuration mode...
man-if> strict-client-authentication disable
For more information about using the strict-client-authentication command, see the CLI User
Guide for the PEP.
Two-factor Authentication
• Require the user to use a second factor to authenticate to ETM.
• The two factors are "something you know" and "something you have".
• The second factor is typically a smartphone that generates a one-time password (OTP).
Details:
• There are two use cases:
  1. If the user has a device that can generate a one-time password (OTP), the user enters a username into ETM and a PIN into the device; the device generates an OTP, and the user enters the OTP as the password into ETM.
  2. If the user does not have a device that can generate an OTP, the user enters the username and ETM password into ETM; if ETM accepts the username/password, ETM emails the user an OTP. The user then enters the username and the OTP from the email to log in.
• The platform administrator can unlock a tenant by entering only the ETM password.
• Based on the open source Mobile-OTP implementation.
Figure 91 ETM Server Configuration for OTP (screenshot not reproduced)
Figure 92 ETM Server Login (email) (screenshot not reproduced)
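As an added illustration of the first use case (an OTP generated on a device from a PIN), the following shell script implements the Mobile-OTP token algorithm as published by the Mobile-OTP project, written from memory for this guide; it is not ETM's code, and the guide does not show how ETM itself computes or checks tokens. The secret, the PIN and the acceptance window of 18 ten-second periods (3 minutes) are constructed assumptions.

```shell
#!/bin/sh
# Added example: the Mobile-OTP (motp) token algorithm. NOT ETM's own code.
# The secret, PIN and acceptance window below are constructed assumptions.

# md5 hex digest of stdin; md5sum on Linux, md5 on BSD/macOS
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -c1-32
    else
        md5 | sed 's/.*= //'
    fi
}

# motp_token EPOCH_SECONDS PIN SECRET
# Token = first 6 hex chars of md5(epoch_seconds_without_last_digit || PIN || SECRET).
# The device and the server need only the PIN, the shared secret and a clock.
motp_token() {
    epoch=$1; pin=$2; secret=$3
    # dropping the last digit means the token changes every 10 seconds
    period=$(( epoch / 10 ))
    printf '%s%s%s' "$period" "$pin" "$secret" | md5_hex | cut -c1-6
}

# motp_verify TOKEN PIN SECRET NOW_EPOCH [WINDOW_PERIODS]
# Accepts TOKEN if it matches any 10-second period within +/- WINDOW_PERIODS of NOW
# (default 18 periods = 3 minutes, to absorb clock skew between device and server).
# Returns 0 on success, 1 on failure.
motp_verify() {
    token=$1; pin=$2; secret=$3; now=$4; window=${5:-18}
    # reject anything that is not exactly 6 lowercase hex characters before doing any work
    case "$token" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    offset=$(( -window ))
    while [ "$offset" -le "$window" ]; do
        candidate=$(motp_token $(( now + offset * 10 )) "$pin" "$secret")
        if [ "$candidate" = "$token" ]; then
            return 0
        fi
        offset=$(( offset + 1 ))
    done
    return 1
}

# Constructed demo values, not real credentials
DEMO_SECRET=0123456789abcdef
DEMO_PIN=1234

# demo: generate a token for "now" and verify it, as a device and server would
demo() {
    now=$(date +%s)
    tok=$(motp_token "$now" "$DEMO_PIN" "$DEMO_SECRET")
    if motp_verify "$tok" "$DEMO_PIN" "$DEMO_SECRET" "$now"; then
        echo "token $tok accepted"
    else
        echo "token $tok rejected"
    fi
}
```

Source the file and call demo to see one round trip. The window is the usual trade-off: wide enough to tolerate device clock drift, narrow enough that a captured token is useless shortly afterwards; on the server side this check is normally paired with a failed-attempt lockout, which is what the tenant unlock step in the bullets above is for.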
Removing Certificates
You can remove certificates when they are no longer needed or when they have expired. However, you
can only remove external certificates and you must disable strict authentication first. In EncrypTight, you
can remove individual certificates from a PEP or a group of selected certificates.
From a command line window, you can remove all certificates on a PEP. When you remove all
certificates, the appliance regenerates a self-signed certificate. For information on using CLI commands,
see the PEP CLI User Guide.
To remove certificates:
1 Select the PEP in the PEPs list and click [icon].
2 In the Certificates view, select the certificates that you want to remove.
3 Click [icon].
4 Click OK when you are prompted for confirmation.
CAUTION
Do not use this function if strict authentication is enabled. Doing so can cause errors and prevent
communication between the management workstation and the appliance. Disable strict authentication first
and then remove the certificates.
Chapter 15: Using A Disaster Recovery Server
About Disaster Recovery Servers
You can set up a secondary server to use as a Disaster Recovery Server. The Disaster Recovery Server
can take over operations in the event that the primary ETM Server becomes unavailable.
Most often, the Disaster Recovery Server and the main server are not located together. The Disaster Recovery Server expects a heartbeat signal from the main servers at a configurable interval (every 30 seconds by default). If that signal is not received for five consecutive intervals, the Disaster Recovery Server begins to take over operations and does the following:
• Determines what policies are deployed and which ones are encryption policies.
• Starts the rekey interval for each encryption policy.
• Listens for a heartbeat signal from any main server.
• Updates after policies are flushed: the Disaster Recovery Server is updated after a Flush Policies operation has been performed on a PEP.
As soon as a signal from a main server is detected, the Disaster Recovery Server ceases activity and stops any rekey timers.
You must be logged in as a Platform Administrator in order to configure EncrypTight to use a Disaster Recovery Server. To use a Disaster Recovery Server in an ETM system, you need to configure settings on the Disaster Recovery Server and on each main ETM Server.
NOTE
A disasterRekey override has been added to policyserver-init.conf. If it is set to false, the disaster recovery server will NOT start rekeys; manual intervention is required to start rekeys on the DR server in this situation.
Configuring a Disaster Recovery Server
You need to configure the Disaster Recovery Server to act as one and specify the main servers that it
should monitor.
To configure the Disaster Recovery Server:
1 Select Admin > Configuration.
2 Note that changing a server to be the Disaster Recovery Server requires a restart.
3 If you need to make changes to the list, double-click Heartbeat Server Check Hosts and enter the hostnames or IP addresses for the main servers that you want the Disaster Recovery Server to monitor. Separate multiple servers with commas. This field ordinarily contains the values that you set when you first installed and set up the server.
4 Click Update.
5 If necessary, change the values for Heartbeat Server Check Interval and Heartbeat Server Check Port.
6 Double-click This Is The Disaster Recovery Server, click the check box, and click Update.
Configuring the Main Servers
The main servers need to know the IP address of the Disaster Recovery Server. Every time you deploy
policies, the main servers copy the EncrypTight database to the Disaster Recovery Server. Log in and
perform these steps on the main server.
To configure the main servers to use a Disaster Recovery Server:
1 In the Main Server Configuration group, enter the Database Backup Password and Database
Backup User name.
2 Double-click Disaster Recovery Host and enter the IP address of the Disaster Recovery server.
3 Click Update.
4 Enter the Disaster Recovery Host SSH Password and username.
5 Double-click Heartbeat Server Enabled and click the check box to activate it.
6 Click Update.
Backup and Restore of EncrypTight Manager
General Guidelines
There are a variety of failure scenarios that can occur in a production environment, and recovering from these scenarios will not always involve the same procedures. The procedures to follow will be specific to what type of failure occurred and how much data loss there was as a result. The common failure cases addressed here are:
• disk drive failures
• other hardware component failures
• damage to the ETM software or database
• other filesystem damage
• complete loss of the OS
Every IT organization will have policies or practices related to backing up servers, so we should learn what a given customer does and ensure that they include the ETM servers in their procedures. We should also ensure that their practices include creating, or already having, some form of bootable media (e.g. DVD) so that they can access the disk drives of an ETM server in case some radical damage is done to the OS (such as 'rm -rf /'). Common examples would be a bootable Linux CD/DVD, a recovery CD made from Clonezilla, a Ghost recovery DVD, or a generic rescue CD (or even USB stick) such as this
Backup components provided by ETM
ETM provides mechanisms for backing up its database, and also for backing up the ETM software.
Customers who do not do full server backups regularly can use those tools to ensure that they can recover
as close to a point of failure as possible, while backing up the minimal amount of data necessary to
restore. Using these tools also reduces the need for frequent full system backups.
• Database Backup: To capture a known good point-in-time configuration, users can take database snapshots. It is recommended that this be done, at a minimum, each time they deploy a production set of policies. See Procedure 5 below.
• Database Restore: To restore to a known good point in time, a database backup can be used to restore from. See Procedure 6 below. If restoring an entire cluster, this only needs to be done on one node, and then the other node should be synced via the UI.
• ETM Backup: A full ETM backup does not need to be performed as frequently as the database backup, as changes to an ETM distribution are much less frequent than changes to the database. However, whenever changes are made, it is advisable to take a backup. Such changes include:
  • Upgrading the ETM software
  • Staging new ETEP software on the ETM ftp server
  • Topology changes to a cluster (adding or removing a node)
• ETM Restore: Restoring from an ETM backup is necessary if damage has occurred within the ETM install directories, such as unintentional deletion of the policyserver config files or binaries. The ETM backup includes a database backup within the archive (tar file); however, it may not be necessary to restore the database. If the intention of the restore is simply to fix the filesystem, the database does not need to be restored. If, however, a full system recovery is being performed, then the most recent ETM backup and database backup should be used for restoration. If the most recent database backup is the one contained within the ETM backup, then that should be used.
Hardware Server specifics
Drive failures
A hardware ETM server has two possible configurations: a non-RAID dual drive system, or a RAID 1 dual drive system (mirroring).
• RAID system: For a drive failure in a RAID configuration, simply replacing the failed drive is all that is necessary.
• Non-RAID system: There are two possibilities:
  • Failure of the main drive: Boot from the backup drive (change the BIOS boot order), and restore with Procedure 2, 4, or 6 below, depending on how many changes were made outside of the ETM software. Then replace the failed drive and dd the main drive to the new drive, which is now the new backup drive.
  • Failure of the backup drive: Replace the backup drive and repeat the dd operation to copy the main drive to the backup drive.
Other hardware component failures
If some component other than a drive has failed, that component could be replaced in the field, or the
server could be RMA'd back to Black Box.
Damage to the ETM software or database
If some damage is done to the ETM installation, such as unintentional removal of key configuration files
or binaries under /opt/jboss/server/policyserver, then the ETM software should be restored. If that is all
that occurred, then the database does not need to be restored. See procedure 4 below for restoring the
ETM software.
Damage to the OS or filesystem
If damage is done to other areas of the filesystem, such as unintentional removal of OS files, or files
outside of the ETM root directory, then a restore from backup will be necessary. Depending on what was
damaged, either part of the backup or all of the backup may be necessary for the restore. For example, if
the only damage was to /etc, then only that portion of the backup would be needed to recover. If
something as drastic as 'rm -rf /' had occurred, then the full backup would be needed, and then a
subsequent ETM backup or database backup might also need to be applied. That would be necessary if
such a backup existed that was more recent than the full backup. See procedure 2 and procedures 4 and 6
below.
Example backup and restore procedures
Procedure 0. Copying drives with dd (non-RAID systems only!)
An example command, run as root, to copy drive a to drive b:
dd if=/dev/sda of=/dev/sdb bs=100M conv=notrunc,noerror
Be careful with the order of if (input file) and of (output file): if you swap them, you write the blank disk over the good disk.
More information on dd can be found on Wikipedia and on linuxquestions.org.
The above procedure can be run regularly to snapshot a drive as it is modified, to keep the backup as current as desired.
This procedure can serve as a full filesystem backup (an alternative to Procedure 1 below) for non-RAID configured servers. However, it is subject to failure of the backup drive itself.
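As an added example (not from the guide), here is a guarded wrapper around the dd command of Procedure 0. The warning above is that swapping if and of destroys the good drive; the wrapper refuses to run when the target resolves to the same device as the source, when the target (or one of its partitions) is mounted, or when the target is smaller than the source, and it verifies the copy afterwards with cmp. The demo clones one constructed image file to another instead of touching real disks; the guard set and the 100M block size are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the guide): guarded dd clone for non-RAID ETM servers.
# The demo uses constructed image files, not real disks.

# size in bytes of a block device or regular file
dev_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# safe_clone SOURCE TARGET
# returns 0 on a verified copy, non-zero (with a message on stderr) when a guard trips
safe_clone() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "source $src is not readable" >&2; return 2; }
    [ -e "$dst" ] || { echo "target $dst does not exist" >&2; return 2; }
    # guard 1: never copy a device onto itself (resolves symlinks such as /dev/disk/by-id)
    src_real=$(readlink -f "$src"); dst_real=$(readlink -f "$dst")
    if [ "$src_real" = "$dst_real" ]; then
        echo "refusing: source and target are the same device" >&2; return 3
    fi
    # guard 2: never overwrite a device, or a partition of it, that is currently mounted
    if [ -r /proc/mounts ] && grep -q "^$dst_real" /proc/mounts; then
        echo "refusing: $dst_real (or a partition on it) is mounted" >&2; return 4
    fi
    # guard 3: the target must be at least as large as the source
    if [ "$(dev_size "$dst")" -lt "$(dev_size "$src")" ]; then
        echo "refusing: target is smaller than source" >&2; return 5
    fi
    # the guide's command, run only after the guards pass
    dd if="$src" of="$dst" bs=100M conv=notrunc,noerror 2>/dev/null || return 6
    # verify: the source must equal the first source-length bytes of the target
    n=$(dev_size "$src")
    head -c "$n" "$dst" | cmp -s "$src" - || { echo "verify failed" >&2; return 7; }
    return 0
}

# demo_clone: builds two constructed 64 KiB disk images in a temp dir and clones one to the other
demo_clone() {
    dir=$(mktemp -d)
    dd if=/dev/urandom of="$dir/main.img" bs=1k count=64 2>/dev/null
    dd if=/dev/zero of="$dir/backup.img" bs=1k count=64 2>/dev/null
    safe_clone "$dir/main.img" "$dir/backup.img"; rc=$?
    rm -rf "$dir"
    return $rc
}
```

On a real server the call is safe_clone /dev/sda /dev/sdb as root; the mounted-device guard is what stops the most common mistake, since the running main drive is always mounted and the spare backup drive never is.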
Procedure 1. Backing up the entire filesystem
As stated in the General Guidelines, each IT organization will (or should) have standardized backup practices. At a minimum, they should retain a full snapshot of an ETM filesystem at least once, after the installation script has been run and they have made whatever configuration changes they wanted for a given site (such as changes to files in /etc). There are many ways to accomplish this. One simple method is using the tar command. An example is provided here (this should be run as root):
cd /
tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys /
Please familiarize yourself with the tar command and its arguments. The man pages are included in the ETM distro.
As noted above, the dd operation for non-RAID configured servers also serves as a full filesystem backup. It can be performed at important milestones to keep the backup current.
Procedure 2. Restoring the complete filesystem, including the OS
Restoring the complete filesystem will depend on how the backup was taken. If it was via the example tar command above, then restoring involves untarring the backup like so:
cd /
tar xvpzf backup.tgz -C /
NOTE
If restoring a completely destroyed filesystem on the boot partition, the server bootup will have to be done via other media: either a CD/DVD/drive as mentioned at the beginning of this document, or a secondary drive if the system is non-RAID and the secondary drive holds a backup.
If using a dd version of the backup to restore from, the dd operation should be performed in the same manner as was done initially, but with the "if" and "of" arguments reversed. For example:
dd if=/dev/sdb of=/dev/sda bs=100M conv=notrunc,noerror
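As an added example (not from the guide), the tar backup of Procedure 1 and the restore of Procedure 2 are wrapped below in functions that also record a checksum manifest beside the archive, verify that the archive is readable before it is trusted, and re-check every restored file against the manifest. The demo runs against a constructed directory tree instead of /, so it is safe to execute anywhere; the tree layout, file contents and the manifest format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the guide): verified tar backup and restore.
# The demo tree below is constructed; nothing here touches the real root filesystem.

# fs_backup ROOT ARCHIVE
# Equivalent of the guide's "tar cvpzf backup.tgz --exclude=... /" but rooted at ROOT.
# The excludes mirror the guide's list: proc, sys, mnt, lost+found and the archive itself.
fs_backup() {
    root=$1; archive=$2
    # checksum manifest of every regular file (relative to ROOT), written beside the archive
    ( cd "$root" && find . -type f \
        ! -path './proc/*' ! -path './sys/*' ! -path './mnt/*' ! -path './lost+found/*' \
        -exec sha256sum {} + ) | sort -k2 > "$archive.sha256"
    tar cpzf "$archive" \
        --exclude=./proc --exclude=./lost+found --exclude=./mnt --exclude=./sys \
        --exclude="./$(basename "$archive")" \
        -C "$root" .
}

# fs_verify_archive ARCHIVE: a backup you cannot list is not a backup
fs_verify_archive() {
    tar tzf "$1" >/dev/null 2>&1
}

# fs_restore ARCHIVE TARGET
# Equivalent of "tar xvpzf backup.tgz -C /", followed by a check of every file in the manifest.
fs_restore() {
    archive=$1; target=$2
    fs_verify_archive "$archive" || { echo "archive unreadable: $archive" >&2; return 1; }
    mkdir -p "$target"
    tar xpzf "$archive" -C "$target" || return 1
    ( cd "$target" && sha256sum -c --quiet "$archive.sha256" ) >/dev/null
}

# demo_backup_restore: constructed tree with an ETM-like layout plus a proc dir that must be skipped
demo_backup_restore() {
    work=$(mktemp -d)
    mkdir -p "$work/root/opt/jboss/server/policyserver/conf" "$work/root/etc" "$work/root/proc"
    echo "db.user=policyserver" > "$work/root/opt/jboss/server/policyserver/conf/ps.properties"
    echo "127.0.0.1 localhost" > "$work/root/etc/hosts"
    echo "kernel-state" > "$work/root/proc/fake"
    fs_backup "$work/root" "$work/backup.tgz" || { rm -rf "$work"; return 1; }
    fs_restore "$work/backup.tgz" "$work/restore" || { rm -rf "$work"; return 1; }
    # the excluded path must not come back, the configuration must
    [ ! -e "$work/restore/proc/fake" ] || { rm -rf "$work"; return 1; }
    [ -f "$work/restore/opt/jboss/server/policyserver/conf/ps.properties" ] || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    return 0
}
```

The manifest is the piece the guide's one-line commands lack: it lets you prove a restore is complete without comparing against a server that may no longer exist.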
Alternative *nix backup methods
There are many other methods for backing up and restoring a *nix operating system. Methods include dar, rsync, cp, scp, tar, dd, clonezilla, ghost, amanda, and many more. As mentioned previously, it is expected that a customer's IT organization will have already established backup policies and procedures. If not, or for general reference, there are many sites available on the internet that discuss this topic. The following are listed here for reference:
http://www.halfgaar.net/backing-up-unix
http://www.cyberciti.biz/faq/rhel-backup-linux-server/
http://www.linuxlinks.com/article/20090105114152803/Backup.html
http://stackoverflow.com/questions/15208/whats-the-best-linux-backup-solution
http://en.wikipedia.org/wiki/NetVault_Backup
Procedure 3. Backing up the ETM software and data
To back up the ETM software and data, navigate to the Platform->Utilities page, then the AppServer Nodes tab, then select the server you are logged into, right-click, and choose Backup. This will perform a database backup, and then create a tar archive file containing the ETM software, the root directory where ETM is installed, the database backup, and other directories used by ETM, specifically the ftp dir and filestore dir. It will also optionally scp the backup to a remote server if those configuration properties are set up. They are named as follows in the Admin->ETM Config page:
• Backup Server (ip)
• Backup Server scp Directory
• Backup Server scp User
• Backup Server scp Password
Also note that the ETM root dir is /opt/jboss/server/policyserver, and that the /opt/scripts directory is a symlink to /opt/jboss/server/policyserver/scripts, so that directory will be backed up. It contains the config files that were used during installation.
Files in /etc/init.d are not included in this tar, so those should be backed up separately, after installation.
They should never change after installation.
Whether or not the backup is scp'd to a remote host, a copy will be left in the /opt/filestore dir, and can be downloaded via the browser from the Admin->Server Files page (from the filestore folder). Double-clicking on it will download it. The database backup will also be located there.
The names are of the following format:
<host ip address>-backup-YYYYMMDD-HH-MM.tar.gz
db-backup-YYYYMMDD-HH-MM.sql.gz
Procedure 4. Restoring the ETM software and data
To restore from an ETM server backup, obtain the backup that was taken for the particular host (note that the ip address of the host is part of the backup file name), scp it to the ETM host, and untar it. The application server should be stopped before doing this (/etc/init.d/policyserver stop). For example (the ETM host login is shown as root@<etm-host>; substitute your host):
scp 192.168.80.77-backup-20110101-16-35.tar.gz root@<etm-host>:/
ssh root@<etm-host>
cd /
gunzip -c 192.168.80.77-backup-20110101-16-35.tar.gz | tar xvpf -
At this point, the database backup that is located in /opt/jboss/server/policyserver/log can be used (only if necessary) to restore the database. See Procedure 6. Once completed, the application server can be restarted (/etc/init.d/policyserver start). See the notes below on details related to cluster nodes and DR servers.
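As an added example (not from the guide), the following helpers cover the pre-flight checks a restore under Procedures 4 and 6 needs: they parse the backup file names described in Procedure 3, pick the newest archive for the host being restored (so a backup from a different ETM host is never untarred onto this one), and reject a corrupt gzip before anything is extracted or imported. The file names and the sample SQL in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): restore pre-flight for ETM backups.
# File names in the demo are constructed to match the formats in Procedure 3.

N8="[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]"
N2="[0-9][0-9]"

# backup_host_ip FILENAME -> prints the host ip embedded in a server backup name, or nothing
backup_host_ip() {
    case "$1" in
        *-backup-*.tar.gz) printf '%s\n' "${1%%-backup-*}" ;;
        *) ;;
    esac
}

# backup_stamp FILENAME -> prints YYYYMMDDHHMM as a sortable number, or nothing if malformed
backup_stamp() {
    f=$1
    case "$f" in
        *-backup-$N8-$N2-$N2.tar.gz|db-backup-$N8-$N2-$N2.sql.gz)
            s=${f##*-backup-}       # e.g. 20110101-16-35.tar.gz
            s=${s%%.*}              # 20110101-16-35
            printf '%s\n' "$s" | tr -d '-' ;;
        *) ;;
    esac
}

# latest_backup_for_host DIR HOST_IP -> path of the newest <HOST_IP>-backup-*.tar.gz in DIR
latest_backup_for_host() {
    dir=$1; host=$2; best=""; best_stamp=0
    for f in "$dir"/"$host"-backup-*.tar.gz; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        # re-parse the name so a malformed file cannot win on a glob match alone
        [ "$(backup_host_ip "$name")" = "$host" ] || continue
        stamp=$(backup_stamp "$name")
        [ -n "$stamp" ] || continue
        if [ "$stamp" -gt "$best_stamp" ]; then best_stamp=$stamp; best=$f; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# gz_ok FILE -> 0 if the gzip integrity check passes; run this before gunzip or tar
gz_ok() {
    gzip -t "$1" 2>/dev/null
}

# demo_preflight: constructed filestore with two hosts' backups and one damaged db backup
demo_preflight() {
    d=$(mktemp -d)
    for n in 192.168.80.77-backup-20110101-16-35.tar.gz \
             192.168.80.77-backup-20110915-09-02.tar.gz \
             192.168.80.78-backup-20111231-23-59.tar.gz; do
        : > "$d/$n"
    done
    printf 'CREATE TABLE policy (id INT);\n' | gzip -c > "$d/db-backup-20110915-15-14.sql.gz"
    printf 'garbage' > "$d/db-backup-20110916-00-00.sql.gz"
    latest=$(latest_backup_for_host "$d" 192.168.80.77)
    echo "restore candidate for 192.168.80.77: $(basename "$latest")"
    gz_ok "$d/db-backup-20110915-15-14.sql.gz" && echo "db backup 20110915 ok"
    gz_ok "$d/db-backup-20110916-00-00.sql.gz" || echo "db backup 20110916 corrupt, do not import"
    rm -rf "$d"
}
```

The timestamp comparison is done on the parsed YYYYMMDDHHMM value rather than on file modification times, because an scp copy gives every archive a fresh mtime and the newest-looking file could be the oldest backup.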
Procedure 5. Backing up the ETM database
To back up just the ETM database, navigate to the Platform->Utilities page, then the DB Nodes tab, then select the database for the server you are logged into, right-click, and choose Backup. This will create a backup that can be downloaded from the Admin->Server Files page, in the filestore folder. It will be named like db-backup-YYYYMMDD-HH-MM.sql.gz. Double-clicking on it will download it to your local disk, from where it should be safely archived.
Procedure 6. Restoring the ETM database
To restore the database from a backup, scp the backup to the host being restored, and execute the db-import.sh script. For example (the ETM host login is shown as root@<etm-host>; substitute your host):
scp db-backup-20110915-15-14.sql.gz root@<etm-host>:/opt/filestore
ssh root@<etm-host>
cd /opt/filestore
gunzip db-backup-20110915-15-14.sql.gz
/opt/scripts/db-import.sh --importFile=db-backup-20110915-15-14.sql
If you changed the database userid or password, you will have to supply those options as well:
[root@<etm-host> log]# /opt/scripts/db-import.sh --help
db-import.sh
--help
--dbUser=dbUser
--dbPass=dbPassword
--dbType=dbType
--importFile=importFile
--disasterServer=[true/false]
Cluster notes
Restoring a cluster node should not include restoring the database if another cluster node with a database
is still active. Instead, the database on the restored node should be synchronized via the ETM web
application. On the Platform->Utilities page, on the DB Nodes tab, find the inactive database, right click
on it and choose Activate.
DR notes
If restoring a DR database (which should really never be necessary, since the backup can be pushed from the main ETM site via the UI), you must supply the --disasterServer=true command line option.
Restoring to factory defaults
If for some reason a server needs to be set back to the state in which it was delivered from Black Box,
the /opt/scripts/factory-restore.sh script can be run. The user will be prompted twice before proceeding.
This script will stop the ETM server, delete the database and reset all configuration files to their original
state. The installer can be re-run after performing this operation.
VM Server specifics
VMware specific information is found on the VMware website.
VMware backup guide
http://www.vmware.com/pdf/vi3_301_201_vm_backup.pdf
NOTE
VMware does not consider VM snapshots to be backups. For more information about snapshots, read the following knowledge base articles.
Understanding VM snapshots
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1015180
Best Practices for VM snapshots
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1025279
Index
Numerics
3DES 70
A
addressing mode 71
advanced configuration
ETEP 152–153
Advanced Encryption Standard 70
AES 70
Alarms and email notifications 110
appliance configuration
ETEP 160–161
appliance users See user accounts
appliance-level tasks
managing ETEP user accounts 150
appliances
shutting down 49
ARIA encryption 71
authentication
algorithms 71
auto-negotiation configuration
ETEP 126
B
backing up
appliance file system 104
Backup and Restore of EncrypTight Manager 198
C
Certificate Distribution 183
Certificate Manager
cancelling a pending certificate request 186
certificate request preferences, setting 187
CRLs
deleting from ETEPs 189
installing on ETEPs 189
viewing on ETEPs 189
deleting external certificates 188
exporting certificates 187
generating certificate requests 184
installing a signed certificate 185
viewing pending certificate requests 186
certificate policy extensions 178
configuring in EncrypTight Manager 179
configuring on ETEPs 179
certificate revocation lists (CRLs), see CRLs 188
certificates
about 176
certificate policy extensions 178
certificate revocation lists (CRLs) 188
configuring CRL usage 188
configuring CRL usage in EncrypTight Manager 189
deleting all on an ETEP 195
deleting specific certificates from an ETEP 188
distinguished name 177
handling revocation check failures 190
OCSP configuration 190
policy constraint extension 179
policy mapping 179
prerequisites 176
recommended order of operations 177
strict authentication 175
disabling 193
enabling 192
using in a EncrypTight system 178
clear policy action 67
CLI inactivity timer
ETEP 145
clock synchronization using SNTP
ETEP 152
Community Strings 135
configuration
comparing configurations 42
templates 46
creating 46
modifying defaults 46
configuring an appliance
ETEP 160–161
Configuring LDAP 109
Configuring PEPs 119
Configuring the Main Servers 198
CRLs
about 188
configuring usage in EncrypTight Manager 189
deleting from ETEPs 189
installing on ETEP 189
viewing on ETEPs 189
customer support 12
D
default gateway configuration
ETEP management port 123
ETEP remote and local ports 129
Deleting PEPs 104
deploy policies 86
DES 71
DF bit configuration
ETEP 131
DHCP Relay, configuring on the ETEP 131
Directory Structure 183
Disaster Recovery Servers 197
distinguished name 177
downloading
software upgrades 104
drop policy action 67
E
Easy Mesh Policy 84
Easy Mesh Policy Editor 84
Edit menu commands
Preferences
Certificate Manager 187
editing
configuration templates 46
network set 61
networks 54
VLAN ID range 66
Element Management 15
Encapsulation 70
encapsulation method used in the EncrypTight system 70
encrypt all policies with exceptions, defining 72
encrypt policy action 67
encryption
algorithms in the EncrypTight system 70
policy settings
changing on the ETEP 157
Encryption over the Internet 62, 63
ETEP
throughput 122
Ethernet policies 67
ETVEP 15
exporting
certificates from the appliance 187
external certificates
deleting 188
F
factory settings
defaults
ETEP 158–161
failed login 21
filtering
filtering criteria in policies 67
FIPS Mode 155
FIPS mode, enabling on the ETEP 155
flow control configuration
ETEP 126
fragmentation
ETEP
setting the PMTU 144
FTP server
configuring for software upgrades 106
G
grouping networks 52
I
ignore DF bit
ETEP 131
ignore source IP address 73
IKE VLAN tag, enabling 153
Importing Configurations from an Excel File 47
Importing Networks and Network Sets 61
importing networks and network sets from an Excel file 61
inactivity timer
ETEP 145
in-line management
appliance upgrade considerations 105
installation
appliance software upgrades 104
interface configuration
ETEP 122–132
Internet Encryption 18
internet encryption, requirements 63
IP policies 68
IPSEC NAT 63
K
Key Generation and Distribution 15
L
Layer 2
mesh policy options 75
point-to-point policy example 91
point-to-point policy options 79
Layer 3
common policy options 79
hub and spoke policy options 82
mesh policy options 83
multicast policy options 85
point-to-point policy options 83
Layer 4
adding a new Layer 4 policy 85
encapsulation method 70
multicast policy addressing mode override 80
payload encryption policy 71
license
ETEP 30
EncrypTight Manager 30
upgrading 30
License Summary
CPU 31
Throughput 31
License Summary, Viewing 31
link speed configuration
ETEP 126
loading
software updates 106
logging configuration
ETEP 140–??
M
management port
configuration
auto-negotiation 126
ETEP 123
NAT 124
Management Port Behavior 123
MD5 71
Message Digest #5 71
minimize policy size 73
MPLS Encrypted Frame Formats 78
MPLS Encryption 76
MPLS Encryption checkbox 77
N
naming the appliance
ETEP 122
NAT on the ETEP management port, configuring 124
negotiated key topology 16
negotiated point-to-point policy 16
network
adding 51
addressing methods 60
deleting 55
grouping into supernets 52
modifying 54
using non-contiguous network masks 53
network masks, non-contiguous 53
network set 57
adding 59
addressing mode 71
deleting 62
modifying 61
network topology
for distributed key policies
hub and spoke 14
mesh 14
multicast 14
point to point 14
for negotiated policies 16
non-contiguous network masks, using in network sets 53
non-IP traffic handling, configuring on the ETEP 145
O
OCSP
about 190
enabling in EncrypTight Manager 191
enabling in ETEPs 191
OCSP Settings 154
P
password
configuring the ETEP password strength policy 146
default password conventions on the ETEP 148
setting on ETEPs 150
strong password conventions on the ETEP 148
payload only encryption 71
PEP
adding new PEPs and using strict authentication 177
overview 15
PEP User Roles 147
PEP Users 147
PEPs
adding new PEPs 38
applying configurations 40
comparing configurations 42
configuration for EncrypTight 39
configuration status 41
configuration templates 46
customizing the PEPs view 43
rebooting 45
status 41
PMTU configuration
ETEP 144
point-to-point policy
Layer 2 example 91
policies
See also policy management
ETEP
clearing policies on the ETEP 157
setting L2 or L3 encryption 157
policies description 67
policy
concepts 67
creating 75
priority 68
policy constraint extension 179
Policy Enforcement Point, see PEP
Policy Generation and Management 15
policy management
activating policies 86
cancelling a deployment task 87
copying policies 88
creating policies 75
deleting policies 90
deploying policies 86
editing policies 89
encapsulation method 70
encrypt all policy with exceptions, creating 72
encryption algorithms 70
encryption methods 69
Layer 2
mesh policy options 75
point-to-point policy options 79
Layer 2 Ethernet policies, overview 68
Layer 3
common policy options 79
hub and spoke policy options 82
mesh policy options 83
multicast policy options 85
point-to-point policy options 83
Layer 3 IP policies, overview 68
Layer 4 payload encryption 71
Layer 4 policy, creating 85
lifetime, defining 69
minimizing policy size 73
priority, setting 68
rekey interval, defining 69
rekeying policies 87
scheduling rekey interval and policy lifetime refresh 69
validating policies 90
policy management with MAP
policy design examples 94
PolicyServer CA Certificate 182
PolicyServer Certificate 182
PolicyServer Certificate Authority 183
PolicyServer TLS Client 182
port configuration See interface configuration
preferences
certificate policy extensions 179
certificate requests 187
priority, for policy processing 68
pushing
software updates to appliances 106
R
reassembling fragmented packets, ETEP 132
reboot after a software upgrade 106
rebooting a PEP 45
refresh
policy lifetime 69
rekey policies 87
remote port 127
Removing Certificates 195
renew keys, scheduling 69
restoring
appliance software from a backup copy 111
S
Safe Mode 161
scheduling renew keys and refreshing lifetime 69
Secure Hash Algorithm 71
Secure Key Storage 18
Secure Mesh Internet 19
Secure Mesh Internet Features 19
Security Tab, Configure 101, 120
SHA-1 71
shared key example 15
shutdown
procedure for ETEPs 49
SNMP Configuration 134
SNMPv3 configuration
concepts 138
engine ID
generating 138
viewing and exporting 139
trap host users 139
SNTP configuration
ETEP 152
for EncrypTight PEPs 39
software updates
appliance software
checking status 109
logging upgrade status 141
overview 104
staging upgrades 108
ssh
enabling and disabling on the ETEP 146
status
automatic refresh, controlling 42
strict authentication
See also certificates
about 175
adding new PEPs 177
CRLs 188
disabling 193
enabling 192
OCSP 190
TLS with encryption and 175
supernetting 52
support for IPSEC pass-through 63
syslog
configuring on the ETEP 142
syslog server 174
T
technical support 12
templates 46
throughput
configuring on ETEPs 122
licensed ETEP speeds 29
Timezone, changing on a policyserver 183
ETM Security Tab 102
Tools menu commands
Appliance Users 150
topologies
distributed key Ethernet 67
distributed key IP 68
transmitter behavior configuration
ETEP 130
transparent mode operation on the ETEP
enabling and disabling 128
local and remote port IP addressing 128
Transport Layer Security (TLS) 17
See also TLS
TRAPS 136
Triple Data Encryption Standard 70
troubleshooting
clearing policies on the ETEP 157
trusted hosts
configuring on ETEPs 132
EncrypTight Manager 13
Two-factor Authentication 193
U
unlicensed ETVEP 32
upgrading
appliance software 106
checking status 109
concurrency limit 109
staging appliance upgrades 108
user accounts
ETEP
adding a ETEP user 150
viewing users 152
EncrypTight Manager
adding 166
changing passwords 167
deleting 167
modifying 167
ETEP
deleting ETEP users 151
password enforcement policy 147
user name conventions 148
EncrypTight Manager
name and password conventions 166
overview 165
user roles
EncrypTight Manager roles 165
ETEP roles 147
V
validating policies 90
ETVEP CPU Licenses 33
View menu commands
Appliance Users 152
VLAN ID 65
adding 65
deleting 66
editing 66
VLAN tagging 153
VM Server specifics 203
Black Box Tech Support: FREE! Live. 24/7. Tech support the way it should be.
Great tech support is just 30 seconds away at 724-746-5500 or blackbox.com.
About Black Box
Black Box Network Services is your source for an extensive range of networking and infrastructure products. You’ll find everything
from cabinets and racks and power and surge protection products to media converters and Ethernet switches all supported by
free, live 24/7 Tech support available in 30 seconds or less.
© Copyright 2012. All rights reserved. Black Box and the Double Diamond logo are registered trademarks, and EncrypTight is a
trademark, of BB Technologies, Inc. Any third-party trademarks appearing in this manual are acknowledged to be the property of
their respective owners.
ET0010A EncrypTight Manager User Guide, Version 3.5
724-746-5500 | blackbox.com