Using Novell Security Manager
4.7.2. Policies
In the Policies menu, you can customize parameters for IPSec connections and collect them into a policy. Policies are used to define IPSec connections, and contain the configuration of the selected key exchange method, IKE, and the IPSec connection.
The chosen key exchange method defines how the keys for the connection are to be managed.
The two exchange methods are:
• Manual Key Exchange
• Internet Key Exchange (IKE)
Because of the complexity of manual exchange, this system only supports the IKE key exchange method. Manual exchange is not allowed.
Configuring an IPSec Policy:
1. Under the IPSec VPN tab, open the Policies menu.
2. Click New to open the New IPSec Policy menu.
3. In the Name field, enter a name for the new policy:
Name: Enter a name describing the policy. It may be useful to include the encryption algorithm in the name. The name can also be defined as the last step in creating the policy.
Key Exchange: Only IKE is supported.
4. In the ISAKMP (IKE) Settings window, configure the settings for IKE:
IKE Mode: The IKE mode is used to support key exchange. At the moment, only the Main Mode is supported.
Encryption Algorithm: The encryption algorithm is the algorithm used to encrypt IKE connections. The IPSec VPN function of Novell Security Manager supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES Rijndael 192bit, AES Rijndael 256bit, Blowfish, Serpent 128bit and Twofish.
Authentication Algorithm: The hashing algorithm ensures the integrity of the IKE messages. The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.
Important Note:
The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.
IKE DH Group: The IKE group (Diffie-Hellman group) describes the kind of asymmetric encryption used during key exchange. The IPSec VPN system on Novell Security Manager supports the Group 1 (MODP768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. The group used is determined by the remote endpoint.
SA lifetime (secs): This option allows you to set the lifetime of IKE sessions in seconds. This is set by default to 7800 seconds (2h, 10 min).
In general, times between 60 and 28800 seconds (1 min to 8 hours) are allowed.
5. In the IPSec Settings window, configure the settings for the IPSec connection:
IPSec Mode: This system only supports tunnel mode.
IPSec Protocol: This system only supports ESP.
Encryption Algorithm: Choose the encryption algorithm to use here.
The IPSec VPN function of Novell Security Manager supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES Rijndael 192bit, AES Rijndael 256bit, Blowfish, Serpent 128bit and Twofish. If you wish to create IPSec connections without encryption, choose null here.
Enforce Algorithm: When a remote IPSec gateway proposes an encryption algorithm and key strength, the receiving gateway may accept that proposal even though it does not match the IPSec Policy. To prevent this, Enforce Algorithm must be enabled.
Example:
The IPSec Policy requires AES-256 for encryption, but a road warrior using SSH Sentinel wants to connect with AES-128. Without Enforce Algorithm the connection will be admitted, which constitutes a security risk.
Authentication Algorithm: The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.
Important Note:
The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.
SA Lifetime (secs): This option allows you to set the lifetime of the IPSec connection. This is set by default to 3600 seconds (1h). In general, times between 60 and 28800 seconds (1 min to 8 hours) are allowed.
PFS: The IPSec key used for VPN connections is generated from random numbers. When Perfect Forward Secrecy (PFS) is enabled, the system ensures that the numbers used have not already been used for another key, such as an IKE key. An attacker who discovers or cracks an old key therefore has no way of guessing future keys.
The IPSec VPN system on Novell Security Manager supports the Group 1 (MODP768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. If you do not wish to use PFS, select No PFS.
By default, this is set to Group 5 (MODP 1536).
Important Note:
PFS requires a fair amount of processing power to complete the Diffie-Hellman key exchange. PFS is also often not 100% compatible between manufacturers. In case of problems with the firewall's performance or with building connections to remote systems, you should disable this option.
Compression: This algorithm compresses IP packets before they are encrypted, resulting in faster data transfer.
This system supports the Deflate algorithm.
6. If you have not yet named this policy, scroll back to the Name field and enter one now.
7. Create the new policy by clicking Add.
The new policy will appear in the IPSec Policies table.
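The following is an added example, not code from the manual or from Novell/Astaro: a small model of an IPSec policy that shows how the Enforce Algorithm setting changes the outcome of the AES-256/AES-128 scenario above, and that checks SA lifetimes against the 60 to 28800 second range the manual states. The policy fields, the cipher strength table and the function names are my assumptions.

```python
"""Added example: models the manual's "Enforce Algorithm" behaviour and the
SA lifetime bounds. Not the Novell Security Manager implementation."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed key-strength table (bits); used only to flag a proposal that is
# weaker than the policy's own cipher. An assumption, not from the manual.
KEY_BITS = {"null": 0, "1des": 56, "aes128": 128, "serpent128": 128,
            "3des": 168, "aes192": 192, "aes256": 256}

# Bounds stated in the manual: 1 minute to 8 hours.
LIFETIME_MIN, LIFETIME_MAX = 60, 28800


@dataclass(frozen=True)
class IPSecPolicy:
    name: str
    esp_enc: str = "aes256"       # IPSec (ESP) encryption algorithm
    ike_sa_lifetime: int = 7800   # manual's IKE default, 2h 10min
    esp_sa_lifetime: int = 3600   # manual's IPSec default, 1h
    enforce_algorithm: bool = False


def validate_lifetimes(p: IPSecPolicy) -> List[str]:
    """Return the names of lifetime fields outside the allowed range."""
    bad = []
    for field, secs in (("ike_sa_lifetime", p.ike_sa_lifetime),
                        ("esp_sa_lifetime", p.esp_sa_lifetime)):
        if not LIFETIME_MIN <= secs <= LIFETIME_MAX:
            bad.append(field)
    return bad


def accept_esp_proposal(p: IPSecPolicy, proposed_enc: str) -> Tuple[bool, str]:
    """Decide whether a peer's ESP cipher proposal is accepted under policy p."""
    if proposed_enc not in KEY_BITS:
        return False, f"unknown algorithm {proposed_enc!r}"
    if proposed_enc == p.esp_enc:
        return True, "exact match"
    if p.enforce_algorithm:
        return False, f"enforced {p.esp_enc}, peer offered {proposed_enc}"
    # Without enforcement the gateway settles on the peer's cipher; this is
    # the downgrade the manual's SSH Sentinel example warns about.
    weaker = KEY_BITS[proposed_enc] < KEY_BITS[p.esp_enc]
    return True, f"accepted {proposed_enc}" + (" (weaker than policy)" if weaker else "")


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Manual's scenario: policy AES-256, road warrior offers AES-128."""
    lax = IPSecPolicy("aes256-lax")
    strict = IPSecPolicy("aes256-strict", enforce_algorithm=True)
    return accept_esp_proposal(lax, "aes128"), accept_esp_proposal(strict, "aes128")
```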