4.7.2. Policies
Using the Security System
In the Policies menu, you can customize parameters for IPSec connections and collect them into a policy.
Policies are used to define IPSec connections, and contain the configuration of the selected key exchange method, IKE, and the IPSec connection.
The chosen key exchange method defines how the keys for the connection are to be managed.
The two exchange methods are:
• Manual Key Exchange
• Internet Key Exchange (IKE)
Because of the complexity of manual exchange, this system only supports the IKE key exchange method. Manual exchange is not allowed.
297
Configuring an IPSec Policy:
1. Under the IPSec VPN tab, open the Policies menu.
2. Click New to open the New IPSec Policy menu.
3. In the Name field, enter a name for the new policy:
Name: Enter a name describing the policy. It may be useful to include the encryption algorithm in the name. The name can also be defined as the last step in creating the policy.
Key Exchange: Only IKE is supported.
4. In the ISAKMP (IKE) Settings window, configure the settings for IKE:
IKE Mode: The IKE mode is used to support key exchange. At the moment, only the Main Mode is supported.
Encryption Algorithm: The encryption algorithm is the algorithm used to encrypt IKE connections. The IPSec VPN function of this security system supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES Rijndael 192bit, AES Rijndael 256bit, Blowfish, Serpent 128bit and Twofish.
Authentication Algorithm: The hashing algorithm ensures the integrity of the IKE messages. The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.
Important Note:
The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.
IKE DH Group: The IKE group (Diffie-Hellman group) describes the kind of asymmetric key exchange used during key exchange. The IPSec VPN system on this security system supports the Group 1 (MODP768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. The group used is determined by the remote endpoint.
SA lifetime (secs): This option allows you to set the lifetime of IKE sessions in seconds. This is set by default to 7800 seconds (2h, 10 min). In general, times between 60 and 28800 seconds (1 min to 8 hours) are allowed.
5. In the IPSec Settings window, configure the settings for the IPSec connection:
IPSec Mode: This system only supports tunnel mode.
IPSec Protocol: This system only supports ESP.
Encryption Algorithm: Choose the encryption algorithm to use here. The IPSec VPN function of this security system supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES Rijndael 192bit, AES Rijndael 256bit, Blowfish, Serpent 128bit and Twofish. If you wish to create IPSec connections without encryption, choose null here.
Enforce Algorithm: If the remote IPSec gateway proposes an encryption algorithm and key strength that differ from this policy, the receiving gateway may still accept the proposal even though the IPSec policy does not match it. To prevent this, Enforce Algorithm must be enabled.
Example: The IPSec policy requires AES-256 for encryption, whereas a road warrior using SSH Sentinel wants to connect with AES-128. Without Enforce Algorithm the connection is admitted, which constitutes a security risk.
Authentication Algorithm: The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.
Important Note:
The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.
SA Lifetime (secs): This option allows you to set the lifetime of the IPSec connection. This is set by default to 3600 seconds (1h). In general, times between 60 and 28800 seconds (1 min to 8 hours) are allowed.
PFS: The IPSec key used for VPN connections is generated from random numbers. When Perfect Forward Secrecy (PFS) is enabled, the system ensures that the key material has not already been used for another key, such as the IKE key, by deriving each IPSec key from a fresh Diffie-Hellman exchange. If an attacker discovers or cracks an old key, he or she has no way of deriving future keys from it.
The IPSec VPN system on this security system supports the Group 1 (MODP768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. If you do not wish to use PFS, select No PFS. By default, this is set to Group 5 (MODP 1536).
Important Note:
PFS requires a fair amount of processing power to complete the Diffie-Hellman key exchange. PFS is also often not 100% compatible between manufacturers. In case of problems with the firewall's performance or with establishing connections to remote systems, you should disable this option.
Compression: This algorithm compresses IP packets before they are encrypted, resulting in faster data speeds. This system supports the Deflate algorithm.
6. If you have not yet named this policy, scroll back to the Name field and enter one now.
7. Create the new policy by clicking Add.