Policies. Novell Security Manager Powered by Astaro


Using Novell Security Manager

4.7.2. Policies

In the Policies menu, you can customize parameters for IPSec connections and collect them into a policy. Policies are used to define IPSec connections, and contain the configuration of the selected key exchange method, IKE, and the IPSec connection.

The chosen key exchange method defines how the keys for the connection are to be managed.

The two exchange methods are:

• Manual Key Exchange

• Internet Key Exchange (IKE)

Because of the complexity of manual exchange, this system only supports the IKE key exchange method. Manual exchange is not allowed.

Configuring an IPSec Policy:

1. Under the IPSec VPN tab, open the Policies menu.

2. Click New to open the New IPSec Policy menu.

3. In the Name field, enter a name for the new policy:

Name: Enter a name describing the policy. It may be useful to include the encryption algorithm in the name. The name can also be defined as the last step in creating the policy.

Key Exchange: Only IKE is supported.

4. In the ISAKMP (IKE) Settings window, configure the settings for IKE:

IKE Mode: The IKE mode is used to support key exchange. At the moment, only the Main Mode is supported.

Encryption Algorithm: The encryption algorithm is the algorithm used to encrypt IKE connections. The IPSec VPN function of Novell Security Manager supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES Rijndael 192bit, AES Rijndael 256bit, Blowfish, Serpent 128bit and Twofish.

232


Authentication Algorithm: The hashing algorithm ensures the integrity of the IKE messages. The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.

Important Note:

The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.

IKE DH Group: The IKE group (Diffie-Hellman group) describes the asymmetric key-agreement parameters used during the key exchange. The IPSec VPN system on Novell Security Manager supports the Group 1 (MODP768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. The group used is determined by the remote endpoint.

SA lifetime (secs): This option allows you to set the lifetime of IKE sessions in seconds. This is set by default to 7800 seconds (2h, 10 min). In general, times between 60 and 28800 seconds (1 min to 8 hours) are allowed.

5. In the IPSec Settings window, configure the settings for the IPSec connection:

IPSec Mode: This system only supports tunnel mode.

IPSec Protocol: This system only supports ESP.

Encryption Algorithm: Choose the encryption algorithm to use here. The IPSec VPN function of Novell Security Manager supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES Rijndael 192bit, AES Rijndael 256bit, Blowfish, Serpent 128bit and Twofish. If you wish to create IPSec connections without encryption, choose null here.

Enforce Algorithm: When the remote IPSec gateway proposes an encryption algorithm and key strength, the receiving gateway may accept that proposal even though it does not match the IPSec Policy. To prevent this, Enforce Algorithm must be enabled.

Example:

The IPSec Policy requires AES-256 as the encryption algorithm, but a road warrior using SSH Sentinel wants to connect with AES-128. Without Enforce Algorithm the connection will be admitted, which constitutes a security risk.

Authentication Algorithm: The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.


Important Note:

The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.

SA Lifetime (secs): This option allows you to set the lifetime of the IPSec connection. This is set by default to 3600 seconds (1h). In general, times between 60 and 28800 seconds (1 min to 8 hours) are allowed.

PFS: The IPSec key used for VPN connections is generated from random numbers. When Perfect Forward Secrecy (PFS) is enabled, the system ensures that the random material used for a new key has not already been used for another key, such as an IKE key. If an attacker discovers or cracks an old key, he or she therefore gains no way of deriving future keys from it.

The IPSec VPN system on Novell Security Manager supports the Group 1 (MODP768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. If you do not wish to use PFS, select No PFS.

By default, this is set to Group 5 (MODP 1536).

Important Note:

PFS requires a fair amount of processing power to complete the Diffie-Hellman key exchange. PFS is also often not 100% compatible between manufacturers. In case of problems with the firewall's performance or with building connections to remote systems, you should disable this option.

Compression: This algorithm compresses IP packets before they are encrypted, resulting in faster data speeds. This system supports the Deflate algorithm.

6. If you have not yet named this policy, scroll back to the Name field and enter one now.

7. Create the new policy by clicking Add.

The new policy will appear in the IPSec Policies table.
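The following is an added example, not part of the manual or of the Novell Security Manager product: a small Python model of the policy described in steps 3 to 7, with the value sets and lifetime ranges this page lists, plus the Enforce Algorithm behaviour from the AES-256 versus AES-128 example. The class name, field names and default choices of authentication algorithm are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Value sets and limits as listed on this page (spelled as the manual spells them).
ENCRYPTION = {"null", "1DES 56bit", "3DES 168bit", "AES (Rijndael) 128bit",
              "AES Rijndael 192bit", "AES Rijndael 256bit", "Blowfish",
              "Serpent 128bit", "Twofish"}
AUTHENTICATION = {"MD5 128bit", "SHA1 160bit", "SHA2 256bit", "SHA2 512bit"}
DH_GROUPS = {"Group 1 (MODP768)", "Group 2 (MODP 1024)", "Group 5 (MODP 1536)",
             "Group X (MODP 2048)", "Group X (MODP 3072)", "Group X (MODP 4096)"}
LIFETIME_MIN, LIFETIME_MAX = 60, 28800  # seconds, for both the IKE and the IPSec SA


@dataclass
class IPSecPolicy:                       # hypothetical model, not the product's own
    name: str
    ike_encryption: str = "AES Rijndael 256bit"
    ike_auth: str = "SHA1 160bit"        # assumed default for the illustration
    ike_dh_group: str = "Group 5 (MODP 1536)"
    ike_sa_lifetime: int = 7800          # manual default: 2h 10min
    esp_encryption: str = "AES Rijndael 256bit"
    esp_auth: str = "SHA1 160bit"        # assumed default for the illustration
    esp_sa_lifetime: int = 3600          # manual default: 1h
    pfs_group: str = "Group 5 (MODP 1536)"   # "No PFS" disables PFS
    enforce_algorithm: bool = False

    def validate(self) -> list:
        """Return every setting that lies outside what this page says is allowed."""
        errors = []
        if self.ike_encryption not in ENCRYPTION - {"null"}:  # null is ESP-only
            errors.append("IKE encryption: " + self.ike_encryption)
        for label, alg in (("IKE", self.ike_auth), ("IPSec", self.esp_auth)):
            if alg not in AUTHENTICATION:
                errors.append(label + " authentication: " + alg)
        if self.esp_encryption not in ENCRYPTION:
            errors.append("IPSec encryption: " + self.esp_encryption)
        if self.ike_dh_group not in DH_GROUPS:
            errors.append("IKE DH group: " + self.ike_dh_group)
        if self.pfs_group != "No PFS" and self.pfs_group not in DH_GROUPS:
            errors.append("PFS group: " + self.pfs_group)
        for label, secs in (("IKE", self.ike_sa_lifetime), ("IPSec", self.esp_sa_lifetime)):
            if not LIFETIME_MIN <= secs <= LIFETIME_MAX:
                errors.append(f"{label} SA lifetime {secs}s outside {LIFETIME_MIN}-{LIFETIME_MAX}")
        return errors

    def accepts_proposal(self, proposed_encryption: str) -> bool:
        """Enforce Algorithm as this page describes it: off, any supported algorithm
        the remote gateway proposes is admitted; on, only the policy's own algorithm."""
        if proposed_encryption not in ENCRYPTION:
            return False
        return proposed_encryption == self.esp_encryption or not self.enforce_algorithm
```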
