
Distrix 4.2 User Guide - justSay


Contents

1. [...] else the default values are assumed for all attributes.
There are seven logging levels. In order of increasing verbosity, each level logs all preceding levels. If not otherwise specified the log level defaults to info. (Distrix 4.2 User Guide, July 2014, p. 148.)
Levels:
none: doesn't log at all, regardless of any other settings.
error: only those errors that cause catastrophic failure.
warning: potential issues which haven't progressed to [...].
[...]: information about the normal operation of [...].
info: [...].
debug: detailed information about the normal operation [...].
[...]: information about every operation performed by Distrix.
Syntax: "level": <loglevel>
Example: "level": "info"
Log Outputs
Distrix 4.2 can [...] logging outputs, or none if all are disabled.
Default values: [...]
syslog: logs to a syslog server when a target syslog server hostname or IP address is specified; disabled/enabled.
logfile: logs to one or more log files. The following values must be specified:
name: the file path, as a quoted string.
maxSize: the maximum size in bytes of any one log file.
maxFiles: the maximum number of rollover files; a numerical suffix is appended, e.g. output.log.2.
When the maximum number of files is reached, the oldest log file [...]
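To show how the three logfile settings above interact, here is an added example (it is not Distrix's code) that implements the rollover the guide describes: lines are appended to <name>; when a write would push the file past maxSize the current file becomes <name>.1, existing rollover files shift up one suffix, and at most maxFiles rollover files are kept. That the oldest file is deleted once the limit is reached is this example's reading of the guide's cut-off sentence; the class and function names, and the constructed sample lines, are its own.

```python
"""Log file rollover following the guide's logfile output settings.

Added example; not Distrix code. Models name / maxSize / maxFiles as the
guide lists them. Deleting the oldest rollover file at the limit is an
assumption (the guide's sentence is cut off in this copy).
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


class RollingLogFile:
    def __init__(self, name: str, max_size: int, max_files: int) -> None:
        if max_size <= 0 or max_files < 0:
            raise ValueError("maxSize must be > 0 and maxFiles >= 0")
        self.path = Path(name)
        self.max_size = max_size
        self.max_files = max_files

    def _suffixed(self, n: int) -> Path:
        # rollover files carry a numeric suffix, e.g. output.log.2
        return Path(f"{self.path}.{n}")

    def _rotate(self) -> None:
        # drop the oldest rollover file (assumption), shift the rest up by
        # one suffix, then turn the current file into <name>.1
        if self.max_files > 0 and self._suffixed(self.max_files).exists():
            self._suffixed(self.max_files).unlink()
        for n in range(self.max_files - 1, 0, -1):
            if self._suffixed(n).exists():
                self._suffixed(n).rename(self._suffixed(n + 1))
        if self.max_files > 0:
            self.path.rename(self._suffixed(1))
        else:
            self.path.unlink()  # maxFiles 0: keep no history at all

    def write(self, line: str) -> None:
        data = (line.rstrip("\n") + "\n").encode("utf-8")
        current = self.path.stat().st_size if self.path.exists() else 0
        # rotate only when the file is non-empty, so a single oversized line
        # is still written rather than rotating forever
        if current > 0 and current + len(data) > self.max_size:
            self._rotate()
        with self.path.open("ab") as f:
            f.write(data)

    def files(self) -> List[str]:
        """Names of the files present: current file first, oldest last."""
        names = [self.path.name] if self.path.exists() else []
        for n in range(1, self.max_files + 1):
            if self._suffixed(n).exists():
                names.append(self._suffixed(n).name)
        return names


def simulate(directory: str, max_size: int, max_files: int,
             lines: Iterable[str]) -> Dict[str, List[str]]:
    """Write the lines into <directory>/output.log under the given limits and
    report which files remain and what each contains."""
    log = RollingLogFile(os.path.join(directory, "output.log"), max_size, max_files)
    for line in lines:
        log.write(line)
    return {name: Path(directory, name).read_text().splitlines()
            for name in log.files()}


def demo() -> Dict[str, List[str]]:
    # constructed input: seven 10-byte lines (9 characters plus newline) into a
    # 20-byte file with two rollover files; entries 0 and 1 are rotated away
    with tempfile.TemporaryDirectory() as d:
        return simulate(d, 20, 2, [f"entry-{i:03d}" for i in range(7)])


if __name__ == "__main__":
    for name, content in demo().items():
        print(name, content)
```

With maxSize 20 and maxFiles 2, only the last three files survive: the current file holds entry-006, output.log.1 holds entries 4 and 5, and output.log.2 holds entries 2 and 3. Size the two settings for the retention you actually need; the rollover limit silently discards history.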
2. [App tunnel broadcast receive example in C. The listing is illegible in this copy beyond these recoverable parts: it includes dx_apptunnel.h and <stdlib.h>, reads the port from argv[1] with atol, calls DX_connect on that port, zeroes a DX_TunnelConfig with memset, opens a stream with DX_broadcast_open (printing "Failed to create broadcast stream" on failure), then loops on DX_receive into a buffer until 10 messages have arrived or 20000 ms have elapsed, printing "stream deleted" and returning on error.]
To Use Interface Security Certificates
Introduction
A Distrix network uses public key encryption for its security, which is implemented through the use of certificates. Public key encryption, also called asymmetric encryption, involves using a pair of keys, a public and a private key, in association with an entity requiring either electronic authentication of its identity or the ability to sign or encrypt data. While each public key is published, the corresponding private key is kept secret and hidden from public
3. [...] either does not receive any data in either direction within the timeout period, the connection is closed.
Parameters:
bindAddr (UDP): an IP address and optional port on which to listen for UDP data.
destAddr: [...]
TCP: the TCP tunnel can only be used in point-to-point mode.
destAddr: the host and port to which traffic emerging from this tunnel at this end is sent; overrides Remote Destination from the other side.
remoteDest: the host and port to which traffic emerging from this tunnel on the far end is sent; overridden by Destination Address on the other side.
timeout: a length of time in milliseconds in which to [...] the virtual connection [...] data is received. Only applies to point-to-point tunnels.
If the bindAddr option is set, this node forms a connection [...] set on the node, or remoteDest if it was set on the first node [...]. Once the TCP connection is established, data flows bidirectionally between the two until one of the connections is closed, at which point the tunnel is closed.
Parameters:
destAddr: the host and port to which traffic emerging from this tunnel at this end is sent; overrides Remote Destination from the other side.
bindAddr: an IP address and optional port on which to listen for incoming connections.
remoteDest: the host and port to which traffic emerging from this tunnel on the far end is sent; overridden by Destination Address on the other side.
4. Distrix User Guide. The content of this publication is provided for informational use only, is subject to change without notice, and should not be construed as a commitment by Distrix Inc.; nor does Distrix assume responsibility or liability for any errors or inaccuracies that may appear in this document. Distrix Inc. may make improvements and/or changes in the software programs described in this publication at any time. These changes will be incorporated into new editions of this publication. The most up-to-date documentation will always be found in the online knowledge base, which can be accessed through our website. Published 20/08/2014. Copyright 2014 Spark Integration Technologies Inc. All rights reserved. Please contact us at: Toll Free 1-855-657-7275; General: info@distrix.com; Products: sales@distrix.com; Support: support@distrix.com; Canada.
Third-party notices: Copyright (c) 2012 Rodrigo Moraes, all rights reserved (Abbot); Go HTTP Auth: this module is developed under [...] and can be used for open and proprietary projects, Copyright 2012-2013 Lev Shamardin; libecc: Copyright (c) 2013 [...]; backbone.js: Copyright (c) 2010-2013 Jeremy Ashkenas, DocumentCloud; bootstrap: The MIT License (MIT), Copyright (c) [...] Twitter, Inc.; handlebars.js: Copyright (C) 2011 by Yehuda Katz; jquery: Copyright 2014 jQuery Foundation and other contributors; jquery.cookie: Copyright 2013 Klaus Hartl; LESS: Apache License Version 2.0, January 2004, Copyright (c) 2009-2010 Alexis Sellier.
5. [...]ported. Policies can be added to the tunnel endpoints for data analysis or mo[...]. Tunnels are [...].
Group: click to select from a list, or type the name of the security group to be [...]. This specifies which certificate is being employed for communication. [...]
Encrypted: click the drop-down arrow to select from a list. Set to True if encryption is [...]. An encrypted tunnel instance does not connect to [...].
Priority: the range is from -31 (highest priority) to 31 (lowest). If congestion [...] the tunnel, leave the default value of zero. A lower value, in the negative [range, means] a higher priority, so for example a value of -5 is sent before 5.
Reorder Timeout: type the timeout in milliseconds to wait for missing packets from Distrix before sending them to the destination, or 0 (the default value) to not reorder any packets. This only applies to packets with the reorder attribute, e.g. TCP packets sent over an Ethernet tunnel.
Compression: click the drop-down arrow to select from a list. Set to True if compression is being used, otherwise set to False.
Create: a message displays that the tunnel was created successfully. The screen opens to enable editing of the new tunnel.
TIP: Use the Clone button to simplify building multiple tunnels that have similar attributes.
Create Endpoints
When the tunnel has been created, add the endpoints, the specific logical points where external data can enter or exit the Distrix network. T[...]
6. [App tunnel broadcast receive example in C, a second copy of the listing in item 2. Illegible in this copy beyond these parts: DX_msleep(50), DX_getTimeMs used to bound the loop at 20000 ms, the port read from argv[1], DX_connect, a zeroed DX_TunnelConfig with a name and metadata field, DX_broadcast_open (failing with "create broadcast stream"), and a DX_receive loop that prints each received message and stops after 10 messages.]
Tunnel Connections; Tunnel Instance Status; Node Connection List; Link Connection List; Link Status; Monitor Network Topology.
The administrator, as part of the network configuration, establishes the norms or conditions that can be expected for the type of network set up. Once this baseline is formed, other users can monitor the nodes, connections, tunnels and links for any changes. The configuration [files, their location, parameters, attributes and values ...]
7. [...] mechanism to transfer data. The TCP port that the Distrix gateway listens on can be controlled by setting the port value in the AppTunnel.cfg configuration file, located at the following:
Linux: /opt/distrix/etc/AppTunnel.cfg
Windows: C:\Program Files\Distrix 4\etc\AppTunnel.cfg
NOTE: App tunnel clients can only connect to a Distrix gateway on the same machine. For security reasons, app tunnel clients must be running as the same user as the Distrix gateway, or as root/administrator, in order to connect.
Guidelines
Installation: the Distrix gateway must be running the App tunnel plugin, which is included with the core Distrix 4.1 installer. For developing new App tunnel clients, the Distrix developer package must be installed; it provides the necessary header files and libraries to build App tunnel client applications. To use the App tunnel functionality the client application must include the App tunnel header file and link in the client library. Both the header file and the client library are included in the Distrix developer's (dev) package. They are installed at the following locations: [...]
[App tunnel broadcast send example in C. Illegible in this copy beyond these parts: a DX_Stream opened with DX_broadcast_open (printing "Failed to create broadcast stream" and returning on failure), a loop that calls DX_send on the stream and prints the number of bytes sent, and a return on a negative result.]
8. [...] named instances, whose value is [the array of tunnel instances]. See Tunnel Instance Configuration [...].
Configuration in the API/Control GUI
NOTE: When configuring a tunnel using nodes which are to be endpoints, [...]. Tunnels.cfg must be modified on all nodes to establish the tunnel. If using the Distrix user interface, multiple nodes can be selected and configured at once.
Example:
instances: [
  { uuid: 1D4142A8 B6B856B8 3ED35CDC [...], name: UDPBroadcast, [...], linkType: broadcast, reorderTimeout: [...], encrypted: true, bindAddr: 127.0.0.1:3000, [...]: 127.0.0.1:[...], type: [...] },
  { uuid: 091C4214 [...], name: [...], linkType: [...], reorderTimeout: 10, [...], encrypted: [...], [...] },
  { uuid: [...], name: Udpe2e, linkType: p2p, reorderTimeout: 100, [...], encrypted: false, [...]: [...], [...]: [...] }
]
App Tunnel Connector
Distrix's application tunnel connector enables building client applications that connect directly to a local Distrix ga[teway ...]
9. [... copy] the FIPS security mod[ule] into the Distrix lib directory and Distrix automatically loads it on start-up and prevents the use of any other security modules. When the FIPS security module is installed, Distrix calls the FIPS mode set function on startup. Then the string IN FIPS MODE is printed to the Distrix log, so the log line is the check that the module was actually loaded.
CA Public Key [...]
Every node in the network is identically c[onfigured as far as secur]ity is concerned. Every node has [...]. Reciprocal [...] logical groups, and demonstrates how bid[irectional Dist]rix node-to-node communication [...]. NOT recom[mended ...]
If the node on the left is establishing communication with the node on the right and possesses only the appropriate X Signer certificate, it will send the certificate and associated evidence to the node on the right. The node on the right checks the certificate against its CA, determines that [Signer] X was derived from [CA] X, and sends its own Signer certificate (again assuming that this is the only Signer certificate it has) back for the reciprocal operation. At that point communications are established.
Segregated CAs
If X and Y were not the only Signer certificates available to the left and right nodes respectively, then the choice of common name when generating the certificate becomes important. A certificate intended to establish a connection between Distrix nodes should [have] a common name in [...]
10. [...] 10.10.0.20 [...] 10.10.0.50 [tail of the target string examples].
Add Targets
The selected node is displayed [...] default network [...].
1. Target: type the target name or IP address.
2. [Protocol]: select UDP or TCP. Click the drop-down arrow to select from a list.
3. [...] the Network name if required for specific identification, <name>/<network> [...]. A target name without the optional network or group name acts as a wildcard [...] to any target; e.g. distrix.com applies to multiple targets, or use distrix.net to apply specifically to networkone.
NOTE: It's not possible to add two targets with the same IP address, but you can add a target with a hostname that resolves to the same IP as an existing target. If a hostname and a matching IP are provided as targets, or multiple hostnames targeting the same IP address, only one will connect. Since the association between a hostname and IP may change, this does not necessarily mean that this configuration is invalid.
Create Tunnels
Tunnels are established by first identifying a device and the required connections, i.e. endpoints, and then determining the network interface type needed to transport the data, e.g. UDP. The data exchange is bidirectional, specifying which ports are listening, receiving and acknowledging the receipt and return of data. The tunnel acts like a cable connecting two networks and is oblivious to the content of the data being trans[ferred ...]
11. [...] cases, notably for SOAP and REST services, an API comes as [...] exposed to the API consumers. An API differs from an application binary interface (ABI): an API is source-code based, while an ABI is a binary interface. For instance, POSIX is an API, while the Linux Standard Base is an ABI.
Asynchronous: Not occurring at the same time; operating with [...].
Asynchronous Transfer Mode (ATM): A standard defined in the 1980s [...] for telecommunication and computer networks. It was designed for a network that must handle [...] high-throughput data traffic (e.g. file transfers) and [...] video. ATM is a core protocol used over the phone network (PSTN) and Integrated Services Digital [Network] [...] all-IP. ATM provides functionality that is similar to both circuit switching and packet switching: it uses asynchronous time-division multiplexing and encodes data into small fixed-sized [units] called cells. This differs from approaches such as the Internet Protocol, [which use] variable-sized packets and frames. ATM uses a con[nection-oriented model in which a virtual circuit m]ust be established between two endpoints before the actual data exc[hange begins. Virtual circuit]s may be permanent (i.e. dedicated connections that [are set up by the] provider) or switched (i.e. set up on a per-call basis using sig[nalling and] terminated [afterwards]).
Broadcast tunnel: Data sent over the Distrix network from one endpoint is delivered to all other endpoints on the tunnel that are configured to receive data. Note: Data is only delivered to the members of the [tunnel, and is n]ot broadcast throughout the Distrix network. Broadcast tunnel endpoints may be configured [to send, to re]ceive data, or both. A broadcast
12. [...] Signer Key X, Network: ExampleNet [...]
What is a Common Name?
The common name (CN) is intrinsic to the [certificate and] is received along with it. The common name [carries a de]scription of how it is being used, i.e. Network, Monitoring, etc., and ends with a ne[twork name ...]. In Full security mode and in Basic [security mode] there might be a need for different common names: if the trust value specifies a particular pattern on the corresponding C[A], [something] other than [the wildcard], then the CN of the Signer certificate must match it, i.e. if the [trust were] Distrix[...] the Signer cert's CN would have to be <somethin[g ...]>.
Advanced Settings: [if Full security m]ode is required, then multiple Signer certs are required for each secur[ity purpose ...]. Save. Otherwise leave unchecked. Full Secu[rity ...]
[Go to Conf]igure > Distrix Nodes. Next to the listed Node Name, in the Actions column, click [...] to Configure > Certificates. On the Sign[er] Certificates tab go to Add Signer Cert and Choose File to browse for the public [an]d private key of your Signer cert, located in a specified directory on your system. Once selec[ted, th]e keys display in the File fields. Name: there is the option to type a new name, otherwise it defaults to the file names. Click Add. The Signer certificate displays in the list as being applied to the node, along with these details: Name: the new name, otherwise it defaults to the file name. Type: the type of certificate, whether OpenSSL or Elliptic Curve Certificate (ECC). Common Name: T[...]
13. [... To Distrix: the] policies that apply to data entering the tunnel from an outside source via the instance. From Distrix: the policies that apply to data leaving the tunnel. Both can be a JSON object specifying a type attribute and any policy-specific configuration, or an array of strings designating policy types. Click the arrow in the drop-down box to select the policies to add. Click the drop-down arrow for a list of policies. Click to Add. From Distrix Policies: Bandwidth [...]. [To Distrix Policies:] Bandwidth [...].
Use Remote DNS: Determine whether this side of the tunnel uses the remote DNS server, if available.
Configuration Example:
server: true
useDNS: false
pushDNS: false
sharedNetworks: [...]
excludedNetworks: [...]
remap: { name: IpTunnel, orig: 192.168.98.0/24, mapped: [...]/24 }
Serial (RS232)
[...] If the bindAddr option is set, the node [...]. When a request is received, the destination [is looked up] at all other nodes that are members of the tunnel [... in the] list that matches the destination host. A tunnel [is opened a]nd the destination node attempts to open a Serial con[nection; once] established, data flows bidirectionally over the tunnel.
Configuration File Description
[port: COM ports with numbers] greater than 9 require the prefix \\.\ (as in \\.\COM10), while those with lower numbers may have it omitted, as in COM2. This is a required value.
baudrate (Baud Rate): an integer which determi[nes the speed of the con]nection and is depe[ndent on ...]
14. [...] the format <usage>.<networkname>, where the suffi[x is the] network name shared by the two nodes. In this configuration different Signer certs and CAs are employed for different tasks, asymmetrically:
CA Public Key X, Trust: [...] Network; CA Public Key Y, Trust: Monitoring; Signer Key X, Network: ExampleNet; Signer Key Y, [...]; Signer Key X, Monitoring [...]; Example: Network.ExampleNet [... common] name and [...] the node on t[he ... uses dif]ferent signer certificates to establish com[munication ...]
Full Security Mode: Use Multiple CA Certs & Signer Certs
The advantage to using Full Security mode with multiple CA certificates and Signer certificates is the enhanced security that can be obtained by segregating the permissions required for actions on each node. The disadvantage is that it takes more pre-planning and adds complexity in multiple layers and tiered authorizations, which must be rigorously tracked. As a first step in this advanced mode, consider keeping the security simple with a single CA cert but create multiple Signer certs that are applied to every node for each security purpose. The trust is set to a wildcard, or for more granular control you can specify a type with a wildcard and add a company or product name, for example Distrix. Then, if required, you could [partition] by networks; for example, the common name may be in the format <usage>.<ne[twork name]>
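The trust rules in items 9, 12 and 14 reduce to a small decision procedure: a node holds CA certs, each with a trust pattern, and Signer certs with a CN of the form <usage>.<networkname>; a peer's Signer cert is accepted when it was issued by one of the node's CAs and its CN matches that CA's trust pattern, and a connection needs that check to pass in both directions. The following added example (it is not Distrix code) models that procedure. It assumes shell-style wildcards for the trust pattern (the guide only says "wildcard"), reduces the signature check to comparing the Signer cert's issuer name with the CA name, and, when a node holds several Signer certs, simply tries them in order; the CACert, SignerCert and Node names are its own.

```python
"""Reciprocal trust from Signer cert common names, as the guide describes.

Added example, not Distrix code. Assumptions: trust patterns use fnmatch
wildcards ("*" accepts any CN, "Network.*" only Network usage certs); the
signature check is modelled as issuer name == CA name; a node with several
Signer certs tries each one in turn.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CACert:
    name: str   # identifies the CA public key
    trust: str  # CN pattern the CA accepts; "*" = any Signer cert it issued


@dataclass(frozen=True)
class SignerCert:
    cn: str      # e.g. "Network.ExampleNet" = <usage>.<networkname>
    issuer: str  # name of the CA that signed it


@dataclass
class Node:
    cas: List[CACert]
    signers: List[SignerCert]


def cn_matches(trust: str, cn: str) -> bool:
    """Case-sensitive wildcard match of a Signer CN against a trust pattern."""
    return fnmatchcase(cn, trust)


def validate_signer(cas: List[CACert], signer: SignerCert) -> Optional[CACert]:
    """Return the CA that accepts this Signer cert, or None if no CA does.
    Both conditions are required: issued by a known CA, and CN within that
    CA's trust pattern."""
    for ca in cas:
        if ca.name == signer.issuer and cn_matches(ca.trust, signer.cn):
            return ca
    return None


def establish(left: Node, right: Node) -> Optional[Tuple[str, str]]:
    """Bidirectional trust: left presents a Signer cert, right validates it
    against its CAs, then right presents one back for left to validate.
    Returns the (left_cn, right_cn) pair that succeeded, or None."""
    for mine in left.signers:
        if validate_signer(right.cas, mine) is None:
            continue
        for theirs in right.signers:
            if validate_signer(left.cas, theirs) is not None:
                return (mine.cn, theirs.cn)
    return None


if __name__ == "__main__":
    ca_x = CACert("X", "Network.*")
    net = SignerCert("Network.ExampleNet", "X")
    mon = SignerCert("Monitoring.ExampleNet", "X")
    print(establish(Node([ca_x], [net]), Node([ca_x], [net])))  # accepted
    print(establish(Node([ca_x], [mon]), Node([ca_x], [net])))  # refused
```

The second call fails because a Monitoring cert does not match the CA's Network.* trust even though the same CA issued it; a CA with trust "*" would accept both, which is the coarser setting the guide suggests as a first step.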
15. [... A broadcast] tunnel endpoint that is configured to send data consumes more network resources, even if no data is being sent over it.
Buffer: A [...] routine or storage medium used in telecommunications that compensates for a difference in rate of flow of data, or time of occurrence of events, when transferring data from one device to another. A buffer is primarily used for input/output and sometimes very temporary storage of data that is either en route between other media or data that may be modified in a non-sequential manner before it is written or read in a sequential manner. A disk cache or file cache keeps statistics on the data contained within it and commits data within a timeout period in write-back modes. A buffer does none of this.
Latency: In a packet-switched network, latency is the delay between the sender and the receiver; [it is] mainly a function of the signal's travel and processing time at the nodes the information traver[ses. In a packet-]switched network it is measured from the source sending a packet to the destination re[ceiving it, or as the delay from] source to destination plus the one-way latency from the destination back to the sour[ce. It is com]pounded by traffic congestion, some network protocols and electromagnetic interf[erence].
LDAP: [... used] to provide a single sign-on where one password for a user is shar[ed ...], applying a company login code to web pages so that staff log in only [once and] then are automatically logged into the company intranet. A cli[ent ...]
16. [Contents, continued:] [...] 101; Node Connection List 103; Link Connection List 104; Link Status 106
Troubleshooting 110; [...] 112; License Expired 113; Linux Reverse Path Filtering 114; Multiple Links Not Forming 115; Nodes Not Connecting 116; UDP or TCP Tunnel Not Working 117
[...]: File Libraries; File Libraries For Windows; Configuration Files Location; HTTP Server Configuration; Communication Configuration; Security Configuration; Link Modules Configuration; Link Modules List; Tunnels Configuration; App Tunnel Connector 144; Hardening Ubuntu Linux 153; Hardening Windows 160; Glossary 163
Installation Requirements; How To Set up User Profiles; How To Change Password
System Requirements: These are the system requirements necessary for Distrix 4.2 deployme[nt ...]
17. [...] View is not access[ible ...].
Action / Description: [If] there is another node in the network which has an endpoint for that tunnel, a dark blue line is drawn between them. This may be on top of a connection line. [A single line means] there is a single tunnel shared between the nodes; [a double line means] there is more than one tunnel.
Tunnels: Monitor Topology: all tunnels, or all tunnels of a specific connector type. [Shows the tunnel name, net]work name, connection, number of links [...]. Use the hyperlinks to drill down to monitor and configure [...].
Tunnel View: zoom out; all tunnels; reset view; reset layout; tunnels.
File libraries (Filename / Filepath / Description / Installed with):
App tunnel: /opt/distrix/lib: Distrix App tunnel support provider. Used when inter-nodal App calls are made. Installed with package.
Distrix REST API Server (distrix httpapiserver): /opt/distrix/bin/dxhttp: [...]. Installed with package.
Distrix htpasswd Authorization Plugin: [...]: used by the Distrix htpasswd plugin to protect the Distrix node web interface.
Distrix ldapauth Authorization Plugin: [...]: use ldapauth to protect the Distrix node web interface.
Default configuration file: /opt/distrix/etc/dxhttp.cfg. Replaced by administrator [...]
18. [... from] an LDAP server, called a Directory System Agent (DSA).
Least Required Access: Least permission, or least required access, are securi[ty principles: you only get to know what you need] to know, and only when you need to know it.
Link: [...]
Distrix Link Module: A plugin that provi[des connectivity over a giv]en protocol. Distrix has a TCP link module and a UDP link module.
Long Polling: [... a requ]est of the server, which may wait for data to be available before [responding. The response ca]n contain encoded data (typically XML or JSON) or JavaScript to be e[xecuted by the browser. At th]e end of the processing of the response the browser creates and sends [the ne]xt [request, waiting for the next] event. Thus the browser always keeps a request outstanding with the [server, to be answered as eac]h event occurs.
Layer 2 swit[ching] uses the Media Access Control address (MAC address) from the host's network interface cards (NICs) to decide where to forward frames. Layer 2 switching is hardware-based, which means switches use application-specific integrated circuits (ASICs) to build and maintain filter tables, also known as MAC address tables or CAM tables. One way to think of a layer 2 switch is as a multiport bridge. Layer 2 switching is highly efficient because there is no modification to the data packet, only to the frame encapsulation of the packet, and only when the data packet is passing through dissimilar media, such as from Ethernet to FDDI.
19. [... the def]ault password is distrix. They are both case-[sensitive ...] displays a default [...]. Change the default password before the node's web interface is reachable from other hosts (see How To Change Password).
Preparation
2. Log in to your Distrix account and select from the software download section [... the] Ubun[tu ...] platform tar.gz [...].
3. When unpacked, the archive contains these packages: distrix_4.<r>_<arch>.deb; distrix-core_4.<r>_<arch>.deb; distrix-dev_4.<r>_<arch>.deb; distrix-http_4.<r>_<arch>.deb; distrix-tunnels_4.<r>_<arch>.deb.
User Profile Setup
The administrator ensures that users, permissions and groups are set up and managed for the appropriate tasks. To facilitate the user profile set-up within the Distrix 4.2 management console application (Distrix interface), if the plugin being used permits it (e.g. if ldapauth is being used) the password [...]. The plugins and configuration files are as follows:
htpasswdauth: This plugin authenticates users against an htpasswd file. It should be pas[sed its con]figuration file as an argument, using the userAuthArgs HTTP server setting. [The file must con]tain the following parameters: [...]: the filesystem path to the htpasswd file [...]; groups: a dictionary containing usernames as keys [and their groups] as values; [...]: the duration in seconds for which [tok]ens sho[uld remain valid ...].
[...] Configuration File [...] userA[uth ...] Configure [...]
[ldapauth:] Maps users against permissions using its configuration file but doesn't pull group permission informat[ion from the LDAP server ...]
20. [... from pu]blic view, as any data encrypted with the public key can be decry[pted o]nly with the private key.
Important Facts:
Any algorithm supported by OpenSSL can be employed to sec[ure the network ...].
The Distrix method generates Elliptic Curve Cryptography (ECC) [certificates]. ECC is a newer algorithm which uses a much shorter key than RSA for the same level of protection.
The Distrix method is a much simpler procedure [...] compared to using OpenSSL.
How it Works
A Certificate Authority [certificate] is the master certificate [...] public key and is used to generate all other certificates. The public key o[f the CA verifies the] signature on the Signer certificate being presented in a trust request. [If the signature is] matched and authenticated, [the node] treats the certificate as a letter of introduction from that [CA, accepts that t]he Signer certificate is valid and then proceeds with the request.
Example: Receiver Node
[The] administrator sets up security for the network by applying certificates to the [nodes]; each one must have a certificate, and different types can either identify networks or capabilities. In order for a connection between Distrix nodes to be made, bidirectional trust must be established between the nodes. The node establishing the connection sends its Signer certificate to the receiving node, which then validates the Signer certificate against the CA certificate resident on that node. However, bidirectional trust is required for a connection to be established, so once the connecting node's Signer certificate ha[s been validated ...]
21. [... the path to which th]e new CA cert should be written.
Generate a Signer Certificate from a CA Certificate
This is a multi-step process, so both the key and CA certificate should be in a common folder that is subordinate to the folder in which the other certificates are generated.
1. Before the CA cert can be employed, these items must be added to the folder: an empty database file; a serial file containing 01; an OpenSSL configuration file.
Configuration File Example:
[ca]
default_ca = CA_default
[CA_default]
[...] = newcerts
[...]
database = index.txt
default_md = [...]
serial = serial
policy = policy_any
default_days = 365
[policy_any]
countryName = [...]
stateOrProvinceName = [...]
organizationName = [...]
organizationalUnitName = [...]
commonName = [...]
emailAddress = [...]
2. [Generate the private key for] the Signer cert. Syntax: openssl genrsa -out <path to keyf>ile> <bits>. Parameters: the path to the generated key; the length of the key in bits. Example: openssl genrsa -out Network/Network.key 2048
3. Request a new certificate from the CA cert. Syntax: openssl req -new -nodes -subj <subject string> -key <path to key> -out <path to cert>. Parameters: subject string: a list of name attributes of the format /type=value/type=value [...]. The most important attribute [is the common name (CN)], the attribute which, as in Distrix-gene[rated certificates, is used for] CA trust validat[ion ...]
22. [... the associat]ed CA cert.
purpose: association between actions requiring Signer certs (monitoring, security, provisioning, networking and configuration) and their respective certificates.
days: a whole number representing the number of days before the certificate expires. The value should be less than its parent CA cert's.
OpenSSL Method To Generate Certificates
Distrix supports the [... use of OpenSSL certificat]es [and] their method of gen[eration]. Distrix provides the option to use OpenSSL X.509 certificates for trust and encrypt[ion, including the] use of Online Certificate Status Protocol (OCSP), on page 62. This section d[escribes how to generate them with the openssl command line tool.]
Generate a CA Cert
Syntax: openssl req -x509 -nodes -days <days> -subj <subject string> -newkey <alg:bits> -keyout <path to keyfile> -out <path to cert>
Example: openssl req -x509 -nodes -days [...] -subj "/C=CA/ST=British Columbia/L=Vancouver/CN=GeneriCo" -newkey rsa:2048 -keyout newca/cacert.key -out newca/cacert.pem
Parameters:
days: [as for other] generated certificates, this is a whole number representing [the number of day]s before the certificate expires.
newkey: [spec]ification of the encryption algorithm and key size in bits of the new key, e.g. rsa:1024. RSA is a popular algorithm used with OpenSSL. Popular key lengths are 1024, 2048 and 4096 bits; longer keys are more secure but slightly more expensive computationally. Note that 1024-bit RSA has been disallowed for new signatures by NIST guidance (SP 800-131A) since 2013 and is rejected by current OpenSSL default security levels; use 2048 bits or more for a CA.
keyout: the path, relative or absolute, to which the private key of the new CA cert should be written.
out: the path, relative or absolute, to which the public key of th[e new CA cert should be written.]
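The three steps above (CA cert, Signer key and request, then signing and verification) run end to end in the following added example, which is not Distrix's tooling. It drives the same openssl commands the guide shows through Python's subprocess module, so a practitioner can confirm that a Signer cert chains to the intended CA and that a cert with the same CN from a different CA is refused. Two departures from the guide are assumptions of this example: the signing step uses "openssl x509 -req -CA ... -CAkey ..." instead of the guide's "openssl ca" with its database and serial files, and the key size is 2048 bits. Subject names, file names and the demo() function are its own; it needs an openssl binary on the PATH and returns None when there is none.

```python
"""Generate a CA cert and a Signer cert with OpenSSL, then verify the chain.

Added example, not Distrix tooling. Runs the guide's commands (req -x509 for
the CA, genrsa and req -new for the Signer request) via subprocess. Signing
uses "openssl x509 -req" rather than "openssl ca" (assumption, avoids the
config/database setup). Names, paths and key sizes are this example's own.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def _run(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(list(args), capture_output=True, text=True)


def make_ca(workdir: Path, subject: str, days: int = 3650) -> Tuple[Path, Path]:
    """openssl req -x509: self-signed CA cert plus private key. Returns (cert, key)."""
    key, cert = workdir / "cacert.key", workdir / "cacert.pem"
    _run("openssl", "req", "-x509", "-nodes", "-days", str(days), "-subj", subject,
         "-newkey", "rsa:2048", "-keyout", str(key), "-out", str(cert)).check_returncode()
    return cert, key


def make_signer(workdir: Path, ca_cert: Path, ca_key: Path, cn: str,
                days: int = 365) -> Path:
    """genrsa + req -new for the request, then sign it with the CA (x509 -req)."""
    key, csr, cert = workdir / f"{cn}.key", workdir / f"{cn}.csr", workdir / f"{cn}.pem"
    _run("openssl", "genrsa", "-out", str(key), "2048").check_returncode()
    _run("openssl", "req", "-new", "-nodes", "-subj", f"/CN={cn}",
         "-key", str(key), "-out", str(csr)).check_returncode()
    _run("openssl", "x509", "-req", "-in", str(csr), "-CA", str(ca_cert),
         "-CAkey", str(ca_key), "-CAcreateserial", "-days", str(days),
         "-out", str(cert)).check_returncode()
    return cert


def verify_signer(ca_cert: Path, cert: Path) -> Optional[str]:
    """Return the Signer cert's CN if it chains to ca_cert, else None.
    This is the check a receiving node performs before looking at the CN."""
    if _run("openssl", "verify", "-CAfile", str(ca_cert), str(cert)).returncode != 0:
        return None
    r = _run("openssl", "x509", "-noout", "-subject", "-nameopt", "RFC2253", "-in", str(cert))
    r.check_returncode()
    subject = r.stdout.strip()
    if subject.startswith("subject="):
        subject = subject[len("subject="):]
    for part in subject.split(","):
        if part.strip().startswith("CN="):
            return part.strip()[3:]
    return None


def demo() -> Optional[dict]:
    """CA -> Signer, verified; plus a same-CN cert from another CA, refused.
    Returns None if openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        ca_cert, ca_key = make_ca(work, "/C=CA/ST=British Columbia/L=Vancouver/CN=GeneriCo")
        signer = make_signer(work, ca_cert, ca_key, "Network.ExampleNet")
        other = work / "other"
        other.mkdir()
        o_cert, o_key = make_ca(other, "/CN=OtherCo")
        foreign = make_signer(other, o_cert, o_key, "Network.ExampleNet")
        return {"cn": verify_signer(ca_cert, signer),
                "foreign_rejected": verify_signer(ca_cert, foreign) is None}


if __name__ == "__main__":
    print(demo())
```

The CN check in the guide's trust rules only has meaning after the chain check succeeds: the foreign cert carries exactly the CN the trust pattern wants, and it is still refused because it was not issued by a configured CA.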
23. [... can be bridg]ed together, and multiple non-switch [endpoints] can [con]nect to [a sin]gle switch.
NOTE: When runni[ng TCP traffic] over the tunnelled Ethe[rnet connection,] TCP traffic s[ent over] an Ethernet tunn[el] is marked as being reordered. This means that if the reorder timeout configuratio[n f]or the instance [is non-]zero, TCP packets that arrive at the other end of the tunnel out of order will be q[ueued] for th[at] timeout or until the missing packets are received over the tunnel. This can help T[C]P p[erf]ormance in situations where packets are frequently reordered, for example if you are [send]ing data ove[r m]ultiple links with rapidly varying latencies, such as wireless links. However, in a wired or single-link scenari[o, re]ordering typically causes TCP traffic to be slower.
Para[meters:]
[de]vice: the Ethernet interface to tunnel data to/from.
switch: whether or not this endpoint should act as a switch for multiple incoming tunnels.
Configuration [...]
IP
The IP tunnel connector allows Distrix 4.2 to tunnel IP traffic between different IP networks (IPv4 and IPv6). Acting at the IP rather than Ethernet layer, it is similar to a traditional virtual private network (VPN) [... with the Distrix] node as the gateway for the remote networks. To achieve this, use one of the following: run the Distrix node on the regular network gateway; configure local machines to specify the Distrix node as the gateway for tunnelled re[mote net]works; configure the regular netwo[rk gateway ...]
24. [... without ne]eding to manage a socket connection. Internally, App tunnel clients use a TCP socket to initially discover the local Distrix gateway an[d a] faster inter-process communication (IPC) mechanism to transfer data. The TCP port that th[e gateway] listens on can be controlled by setting the port value in the AppTunnel.cfg configuration fi[le, at the fol]lowing [locations]:
Linux: /opt/distrix/etc/AppTunnel.cfg
Windows: C:\Program Files\Distrix 4\etc\AppTunnel.cfg
NOTE: App tunnel clients can only connect to a Distrix [gat]eway on the [sa]me machi[ne. For] security reasons, app tunnel clients must be running as the sa[me u]ser as the D[is]trix gateway, or as root/administrator, in order to connect. Prefer running clients as the gateway's user; root is accepted but gives the client far more than it needs.
Guidelines
Installation: the Distrix gateway must be running the App tunnel plugin, which is included with the core Distrix 4.1 installer. [For develop]ing new App tunnel clients, the Distrix developer package must be installed; it provides the necessary header files and libraries to build App tunnel client applications.
Building a Client
To use the App tunnel functionality, the client application must include the App tunnel header file and link in the client library. Both the header file and the client library are included in the Distrix developer's (dev) package. They are installed at the following locations:
Header File: Linux: /opt/distrix/include/dx_apptunnel.h; Windows: C:\Program Files\Distrix 4\inc\dx_apptu[nnel.h ...]
25. [... the modul]es object, which can contain an [...]
[Communication configuration example:]
[...]
maxQueueSize: 10485760
modules: [
  { [...], accept: true, acc[ept]Patterns: [...], failoverOrder: 0, spillOrder: 0, heartbeatInterval: 500, maximumSegmentSize: 1472, [...], bandwidthEstimate: 0, listenPort: 24444, minConnectRetr[yInterval]: [...], maxConnectRetryInterval: 2000, requireHelloCookie: true, [...], network: null, [...], linkSpecific: { [...] } },
  { [...], failoverO[rder]: [...], [...]Patterns: [...], [...]: 500, maximumSegmentSize: 2920, [...]Checksum: false, bandwidthEstimate: 0, listenPort: 25444, connectTimeout: 2000, handshakeTimeout: 5000, enabled: [...], [...] }
]
[... targets:] 192.16[...] [...]
Security Configuration
The file Security.cfg is used to configure the c[ertificates Distrix] uses for authentication, authorization and encryption. It contains one list of ca[Certs and one list of s]ignerCerts:
caCerts: [
  { type: ecc, name: ca.ecc.pub, [...] },
  { type: openssl, name: CAs.pem, [...], file: CAs.pem, [...] }
]
signerCerts: [
  { type: ecc, name: [...].ecc, purpose: Net[work ...] }
]
26. es are provided, Distrix attempts a check with each; [each must] return an ok response for the connection to be accepted, and any [failure causes it] to be rejected. There are four components to an OCSP entry: server: the URL of the OCSP [responder] (required); required: […]; nonce: […]; timeout: […]. OCSP settings are a comp[onent of a CA cert entry, as in the fol]lowing example: { file: ca.pem, […]: […]example.com, nonce: true, timeout: 1000 }. Targets: Targets are the destinations to which connections are made. They are indicated by an array of strings specifying the remote target nodes to which they connect. Link modules without any targets configured may accept incoming connection attempts (depending on other properties) but won't attempt to initiate connections themselves. Each entry in the array may be: a string, just the target destination; or an object containing a target string, an optional network string, and an optional config object containing configuration specific to the link that [is] created for the target. The following shows the complete syntax for a target specification along with s[ome] string examples (the separators between the components were lost in extraction). Syntax: <target IP address> port interface interface address. String Examples: 10.10.0.20; 10.10.0.20 5000; 10.10.0.20 5000 eth1; 10.10.0.20 5000 eth1 10.10.0.50. This last string example [rea]ds as: connect to the Distrix node at 10.10.0.20 on port 5000 using the interface address 10.10.0.50 on eth1.
27. files (Configuration on page 135) and those found in the Control API Guide provide descriptions of the [val]ues. There are several functions that can be monitored for each network: Node status; Point-to-point connections between nodes; End-to-end tunnel stream status and capacity utilization. Networks: all Distrix nodes and thei[r …]. Tunnels: the selected node and […] with nodes linked by tunnel endpoints to this node. Click the drop-down arrow to select [a view] as follows. Network View (Action / Description): The Network View is the default view that displays when the page loads. The system automatically determines the position of all nodes, each with its associated label, and displays the network by default in the cleanest layout possible. Zoom: Use the mouse scroll wheel or click to the right of the displayed network to zoom. Click and drag in the white space to pan. Click the circulating arrows beneath the zoom buttons to reset the pan and zoom. By default the local node is selected and is highlighted in blue. Click on any node to select it; the selection is indicated by changing the node from gray to blue. When a node is selected, the name, network and version are displayed. Use the hyperlinks to drill down to monitor the node's associated tunnels or connections. Click the drop-down arrow to select Tunnel View. Click in the white space to deselect ALL nodes. If ALL nodes are deselected, the Tunnel
28. he HTTP API. The server reads its configuration from a file named dxhttp.cfg, which is in the etc directory (at ../etc relative to the bin directory). The configuration file contains a JSON object. The following parameters may be specified. Parameters: webListenAddress: A string containing an IP address and port on which to listen for HTTP connections. Default: localhost:4000. certPath: A path to an SSL certificate. If [set, the ser]ver wi[ll use] HTTP[S]. keyPath: A path to the corresponding key [for the cert]ificate. Req[uired] if certPath is specified. Default: empty. staticPath: A local filesystem path [to the static] files, i.e. HTML, Javascript, images etc. Default: st[atic]. […]: The base URL from which [sta]tic files [are served]. [Def]ault: static. tokenFile: [the] path [to the] file to use for authentication token storage. Default: […]. Example dxhttp.cfg (values that survive extraction): apiAddress: […]:22597; webListenAddress: localhost:4000; […]; enabled: true; allowedHosts: null; keyPath: […]; certPath: […]; userAuthPlugin: bin/htpasswdauth; userAuthArgs: conf/htpasswd.conf; tokenFile: conf/tokens.conf. Configuration: Communication Configuration: The file Communication.cfg is used [to configure the] communication links between Distrix nodes. There are a number of top-level configuration [settings, a […] ob]ject, and a modul[e entry for each available link module].
29. he common name of the generated Signer cert. When using Full Security mode, the common name is used for two purposes: Comparison against the trust field of the associated CA cert; Association between actions requiring Signer certs (monitoring, security, provisioning, networking and configuration) and their respective certificates. Trust: Usually set to the default, which applies to all. NOTE: Signer certs generated by the Distrix method include both the private and pub[lic key in a single] file. Upload that single file to the File (public key) field. [Screenshot: Security page for a local Distrix 4 node; CA Certificates / Signer Certificates tabs; columns Name, Type, Common Names; entry defaultnetwork.ecc, ecc, Network Distrix; Add Signer Cert with File (public key) and Private key choosers; Advanced Settings: Enable full security mode.] FIPS 14[0 Security Module]: The [Federal Informati]on Processing Standards (FIPS) are government security standards that [specify cry]ptography modules for both software and hardware components. The Distrix FIPS security plugin contains an embedded FIPS 140-2 validated cryptographic mod[ule, the FIPS Objec]t Module v2.0.5. When the FIPS security module is installed, the only cryptographic imp[lementations D]istrix uses are those provided by the FIPS Object Module. The installer places
30. here may be many endpoints, or none at all, on each Distrix node; or there may be many endpoints on a given Distrix node for each supported tunnel type. 1. Select a node. Click the drop-down arrow to select from a list. Check the box if [the endpoint is] enabled. 2. Next to the selected node, type in the attribute values required by the tunnel [type; the] attribute fields display according to the tunnel type that has been selected. Clic[k More to see] additional attribute fields. Click Add. The new endpoint displays in the list by Node name and attributes. Click Save. This only saves the properties defined for that spe[cific endpoint; click Save at the top] of the page to save all edits. A dialog box displays to confirm [if you leave] the page and there are unsaved changes. [Screenshot: Edit Tunnel Instance myudp; Tunnel Type UDP Broadcast; Group; Network Distrix; Encryption; Priority; Compression 0; Endpoints: No available nodes.] [The following tunnel types] can be tunnelled through Distrix 4.2, [with] their description, attributes and para[meters]. HTTP: The HTTP tunnel can only be used in point-to-point mode. If the bindAddr option is set, the node listens for incoming HTTP connections on the specified address. When a request is received, the destination host from the Host header is examined. The node looks at all other nodes that are members of the tunnel and selects the first one which contains an entry in the hosts list that matches the destination host. A tunnel connection is formed between these two nodes and the destinati
31. ictates REST API server and web interface behavior. Specify the use of an authentication plugin here. [Uninstall table for Ubuntu Linux: Uninstalled / Package / Must use purge.] Configuration: Configuration Files Location; Server Configuration; Link Modules Configuration; Link Modules List; Tunnels Configuration; Log Levels; Log Outputs; Logging Configuration. Configuration Files Location: The configuration files can be modified to adjust node behaviour and to configure and connect to other Distrix 4.2 nodes. All configuration files are in JSON format, stored by default in a directory called etc. NOTE: The Distrix process must be rest[arted] before any changes made to the configuration files take effect. Typical locations: Linux: /opt/distrix/etc; Windows: [Progr]amData\Distrix 4\etc, where ProgramData is [typicall]y C:\ProgramData. Configuration files: Logging configuration for the Distrix node; Encryption and grouping configuration for securing communication between Distrix nodes; Tunnels Configuration: configuration of tunnels from the specified node (Tunnels Configuration on page 142). HTTP Server Configuration: The Distrix HTTP API server is an application which contains an HTTP server and communicates with the local Distrix process to provide t
32. ion and for per-actio[n Signer certs] in Full sec[urity] mode. Example: openssl req -new -nodes -subj "[…]couver/CN=Network" -key Network/Network.key -out Network/Network.csr. [Then sign the] cert. Syntax / Parameters: […]: The path to the CA key; […]: The path to the requested certificate; […]: The path to the CA configuration file (in step 1); […]: The path to the CA certificate. Example: openssl ca -batch -cert newca/cacert.pem -keyfile newca/cacert.key -in Network/Network.csr -config newca/config.cnf -out Network/Network.pem. These keys are uploaded in Configure > Distrix Nodes > Security > Add Signer Cert: Network/Network.key (Private Key); Network/Network.pem (Public Key). Online Certificate Status Protocol (OCSP): Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Si[nce an OCSP] response contains less information than a typical CRL (certificate revocation list), OCSP ca[n use the network] and client resources more efficiently. NOTE: OCSP is supported for OpenSSL-generated certificates but not for Distrix-gener[ated cer]tificates. A list of OCSP responders can be specified in Security.cfg to validate ce[rtificates presented by connecting] nodes. If multiple entri
33. ion from LDAP. An LDAP user cannot be added through the Distrix interface unless they already exist in the LDAP database. [Screenshot: Maps Users Only; Add User.] In the Distrix Add User entry form, leave the password field blank as it's ignored. Adding the user just adds an entry into the groups dictionary of the configuration file, which associates the specified permissions for that user. [To pass the con]figuration file as an argument, use the userAuthArgs HTTP [server parameter. The configuration file can con]tain the following parameters. The Distrix user list only displays users with entries in the plugin configuration and not all of the users in the LDAP server. […]: The IP address or hostname of the [LDAP se]rver, e.g. ldap.example.com; […]: [port] 3[…]; […]: The base path containing u[sers], e.g. ou=people,dc=example,dc=com; […]: [the] DN [used] when binding to the LDAP server; should contain […], e.g. ldap.example.com, ou=people,dc=example,dc=com, uid […]. [Permission groups:] Monitoring, Configuration, Security; duration: 3600. Application Tunnel Connector: Distrix's application tunnel connector enables building client applications that connect directly to a local Distrix gateway without needing to manage a socket connection. Internally, App tunnel clients use a TCP socket to initially discover the local Distri[x gate]way and then use a faster inter-process communication (IPC)
34. is overwritten. Log rollover can be induced before maxSize is reached by sending SIGHUP to the Gateway process. Syntax: outputs: { option: value, … }. Example: outputs: { printf: true, syslog: localhost, file: { name: /var/log/distrix.out, maxFiles: 2 } }. Logging Configuration: The file Logging.cfg controls the log output of the Di[strix node and can] be used for debugging or troubleshooting purposes. The top-level entries contro[l …. If] printf is true, the output is printed [to the console …]. Logging.cfg [from] a typical install, Example: level: info; outputs: { printf: true; syslog: localhost (hostname of the syslog server); file: { name: output.log (the path is relative to the support directory, /opt/Distrix on Linux), maxSize: 10000 (maxSize is in bytes), maxFiles: 2 (maxFiles indicates the number of rollover files, which get a numerical suffix, e.g. output.log.1) } }. [Sending] SIGHUP to the Gateway process can cause log rollover. Glossary: A: Application Programming Interface (API): Specifies how some software components should interact with each o[ther, e.g. a] library that includes specifications for routines, data structures, obje[ct class]es […]. In some other
35. [Screenshot: Security page for the node Distrix4 Demo Cloud; CA Certificates / Signer Certificates tabs; columns Name, Type, Common Name, Trust, Actions; entry default.ecc.pub, ecc, default; Add CA Cert with File, Name, Trust and a Choose File button; OCSP Settings (OpenSSL only): Server, Required, Nonce, Timeout.] Signer Certificates [provide access] control to distinguish and separate different permissions, i.e. groups, compani[es …, in Full s]ecurity mode. A Certificate Authority has two separate components, the [private and public keys]. NOTE: Signer certs [generate]d by the Distrix [me]thod include both the private and public key in a single file. Decide in advance [which cer]tificate genera[tion] method to use before creating Signer certs, as the methods and types can['t be] combi[ned]. [For D]istrix nodes to be [connected], bi-directional trust must be established between [them …. Communication cannot take] place in a Distrix network without trust established between every node [on the route, i.e.] there is trust between each pair of adjacent nodes on the route. The [connecting] node [sen]ds its Signer certificate to the receiving node, which then validates the Signer [cert]ificate [against the CA] certificate resident on that node. However, bidirectional trust is required for a con[nection to be established:] once the connecting node's Signer certificate has been validated, the receiving node provides its [Signer] certificate and evidence for similar validation. [Diagram: Connecting Node / Receiver Node; CA Public Key; Trust.]
36. ndent on [the] application or device connected; [the] default is 145200. NOTE: The [op]erating system requires that the [baud ra]te b[e one] of a set of [disc]rete values, and the v[alues] suppo[rted] b[y an] attached device are usually a sub[set] of these va[lues. For a refe]rence on supported values go to the following web[site: …]. [Data bits:] [The n]umber of data bits per serial frame. This is determined by the properties of the device being connected, though in a majority of cases the default value of 8 bits is correct. Permitted values are in the range 5 to 9. [Stop bits:] The number of stop bits per serial frame: 0, 1 or 2. This parameter is also determined by the requirements of the device being connected. The default value is 1 bit. Parity: The parity setting is determined by the properties of the attached device and may be one of three values: even, odd or none. The default is none. Click the drop-down arrow to select from a list. Hw flow control: This boolean value determines whether or not the serial port's RTS (ready to send) and CTS (clear to send) lines are used to manage the data flow. Check the box if true. When turned on, the serial port hardware at both ends of the cable start and stop the transfer as needed to prevent the overflow of hardware serial data buffers. Application Tunnel Connector: Distrix's application tunnel connector enables building client applications that connect directly to a local Distrix gateway without ne
37. nnel.h. Client Library: Linux: /opt/distrix/lib/libdx_apptunnel; Windows: […]. System Libraries: Linux: use t[he following] Makefile (INCDIR and LIBDIR point at the developer package's include and lib directories):

    # Build the bsend (request) and brecv (response) example clients
    CFLAGS = -Wall -Wextra -Wno-unused-parameter -Werror -fPIC -I$(INCDIR)
    LDFLAGS = -L$(LIBDIR)
    LDADD = -ldx_apptunnel -lpthread -lrt -lm
    OBJS = brecv.o bsend.o
    SRCS = brecv.c bsend.c

    all: brecv bsend

    brecv: brecv.o
    	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDADD)

    bsend: bsend.o
    	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDADD)

    %.o: %.c
    	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ -c $<

    clean:
    	rm -f brecv bsend $(OBJS)

    .PHONY: all clean

Request Example (bsend; only the parts that survive extraction are shown, the rest of main() is summarised in comments):

    #include "dx_apptunnel.h"
    #include "Distrix/Abstractions/Time/Time.h"
    #include <string.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <signal.h>

    /* Exit cleanly on Ctrl-C */
    static void signalHandler(int p_sig)
    {
        exit(0);
    }

    int main(int argc, char* argv[])
    {
        signal(SIGINT, signalHandler);
        /* ... connect to the gateway, zero a DX_TunnelConfig l_config with memset
           and fill in its name, id and metadata, then open the stream: */
        DX_Stream* l_stream = DX_broadcast_open(&l_config, 0);
        if (!l_stream) {
            printf("Failed to create broadcast stream\n");
            /* ... */
        }
        /* ... build a "broadcast test" message, send it with DX_send(l_stream, ...)
           and print "sent %d" with the number of bytes sent ... */
    }
38. nt and operation. The basic requirements are listed along with our recommendations to achieve optimal performance. The platform compatibilities are also listed. NOTE: These requirements are separate from the requirements of the [operating system. It] is possible to run Distrix 4.2 on hardware not meeting these requiremen[ts, though this is not recommended,] particularly for production environments. Basic System Requirements: [Pentium 4, 1 GHz or equivalent; 30 MB; 27 MB]. Platform Compatibility: Hardware Architecture: Intel 32 / AMD x86; Intel 64 / AMD64 x86. Operating Systems: Windows 7 (32 and 64 bit); Windows Server 2008 (32 and 64 [bit]); Ubuntu Linux 12.04 (32 and 64 bit); RedHat Enterprise Linux 6.2 (64 bit). Communication Protocols: DTLS. Third-party Encryption Libraries: OpenSSL. How to Install Distrix: The procedure to install Distrix begins with the download of the installation package from the downloads section of our website. During the installation process there is the option to install and run Distrix as a service, or to run [it] manually for more control as required. See Appendix B for a detailed list of all the installed fi[les] and their exact location. If you plan to use Ethernet tunnels (Linux Ubuntu only), be sure to read the [section] about the download of the dependent files. Installation Procedures: Windows: The installation procedure is as follows: 1. Log in to your Distrix account and select from the soft[ware] download section. Download DistrixInstaller
39. on node attempts to open an HTTP connection to the destination host. If the connection is established, data flows bi-directionally over the tunnel. Parameters: bindAddr: An IP address and optional port on which to listen for HTTP connections. timeout: A length of time in milliseconds to be used as the timeout when forming an outgoing HTTP connection. hosts: A list of HTTP hosts for which this node can proxy requests. Ma[y cont]ain wildcards […]. UDP: In Broadcast mode, both the bindAddr [and destAddr sett]ings must be supplied. Each Distrix node which is a member of the tunnel listens on bi[ndAddr and forwards da]ta received from other nodes to destAddr. In Point-to-point mode, none of the op[tions are mandatory …]. Any node with the bindAddr option set listens on that address for new UDP pa[ckets; each] unique source results in a tunnel connection being created. [When a connection is associated with the tunnel,] the first available node which is also a member of the tunnel is used for the other end of the connection. [If] this node has the [de]s[tA]d[d]r option set, UDP packets are forwarded to this address. NOTE: This overrides a remoteDest setting. [If] the remoteDest option was set at the other end of the tunnel, remoteDest is used as the destination address. [Once] the connection is established, both sides of the connection send data bi-directionally.
40. r morris.js: Copyright (c) 2012 Olly Smith. All rights reserved. raphael.js: Copyright 2008 Dmitry Baranovskiy. The New BSD License: Copyright (c) 2010-2013 The Dojo Foundation. All rights reserved. spin.js: The MIT License, Copyright (c) 2011 Felix Gnass (fgnass at neteye dot de). underscore.js: Copyright (c) 2009-2013 Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors. NSSM: NSSM is public domain. Contents: About Distrix Gateway Routers 7; Concept Overview; Getting Started; System Requirements; How to Install Distrix; Uninstall Distrix; How To Login; Licenses; User Profile Setup; Change Password; Automate TAP & Bridge Utilities; Application Tunnel Connector; FIPS 140 Security Module; Distrix User Interface 36; Overview 38; Configure 41; Monitor Network Topology 94; Monitor a Node List 97; Detail Node Status 98; Tunnel Connections 100; Tunnel Instance Status
41. reate the Signer certs, as a same-name configuration keeps the match-up and verification process simple. Install a CA Certificate: 1. Go to Configure > Distrix Nodes. Next to the listed Node Name, on the Actions column, click Security to go to Configure > Certificates. 2. On the CA Certificates tab, go to Add CA cert and Choose File to browse for the public key of your CA cert located in a specified directory on your system. Once selecte[d], the key displays in the File field. Name: There is the option to type a new name, otherwis[e it d]efaults to the file name. Trust: For most purposes leave it set to the default, [w]hich applies [to] all […]. [See] Online Certificate Status Protocol (OCSP) on page 62. [For] OpenSSL c[erts, in the OCSP] settings type the following: [Server:] required […]; [Required:] if true, behavior is as […] if none of the listed […]; [Nonce: wh]ether or not the OCSP request should use [a] nonce (a string used only once); [Timeout:] Optional; if omitted it […]. 3. A certifi[cate] displays in the list as being applied to the node along with these [attributes]: [Na]me: The [n]ew name, otherwise it defaults to the file name. Type: The type of certificate, whether OpenSSL or Elliptic Curve Certificate (ECC). [C]ommon Name: The common name of the generated CA cert. [T]rust: Usually set to the default, which applies to all. [NOTE: T]he Distrix default CA cert can be left in the list or deleted.
42. rk gateway to route traffic destined [for th]e tunne[l] to the local Distrix node. [Met]hod 2: […]. NOTE: If using Windows, then Distrix must be [run] as an a[dm]inis[trat]or to use the [IP tunnel con]nector. Set up a Network Address Translation (NAT) [between the local network and] the tunnelled remote network. This method allow[s the remote network to access] machines on the local network but not vice vers[a]. [Screenshot: tunnel instance for Distrix4 Demo Cloud; Tunnel Type; Group; Reorder timeout; Priority; Use Remote DNS; Excluded Networks; Policies are listed here; click To Distrix / From Distrix to Add, Modify or Delete.] Selecting the tunnel type automatically displays the endpoint attribute fields for that particular type. Click More to see additional fields. The following list of tunnel attributes have been mapped to the config file API, for your information only, and are as follows (Parameter / Configuration File / Description): Server / server: Determine whether this endpoint accepts incoming tunnel connections. Select and check the box if true. Local Networks / sharedNetworks: [Defi]ne the Local Network. Click Plus to add [one]. [Policies] / tunnelPolicy (toDistrix, fromDistrix): Click the text link to open the dialog box to select and apply policies. To Distrix: The […]. [Use Remote DNS] / useDNS.
43. s 4.2 .zip. The installer files are applicable for both 32[…] the installation process. Unpack [the] archive: 1. DistrixCoreInsta[ller …]; Name: DistrixCoreInstaller 4.2.0. The required files are selected by default. Click Next to begin, and then Finish the installation. [Installer screens: Distrix Core Bundle Setup: Choose which features of Distrix Core Bundle you want to install. Check the components you want to install and uncheck the components you don't want to install. Click Next to continue. Select components to install. Distrix Http API Server: Choose which features of Distrix Http API Server you want to install. Check the components you want to install and uncheck the components you don't want to install. Click Next to continue. Select components to install.] 4. [Open the Distr]ix configuration page. Browse to [… the] Windows machine where Distrix is installed, or manually [enter the address in] your browser. [Default p]assword: distrix. Login: The application opens to the Monitor > Topology scree[n; the local node is] named for the local machine. NOTE: Windows configuration files save to […] non-administrative user. The administrator either con[figures …] configuration file and/or the configuration file directory to […]. Ubuntu Linux: The installation procedure is as follows: 1. Prepare a di[rec]tory [into wh]ich to extra[ct the] Distrix package files. Default username: […]. Def
44. s been validated, the receiving node provides its Signer certificate and evidence for similar validation. Flexible Security Models: Distrix provides flexibility in how you plan and set up your network security, ranging from a very simple, less secure mode to a multi-layered and more robust approach. The Distrix installation package includes a default Certificate Authority Certificate (the master certificate, or file with both a private and public key) used out of the box to implement basic security. This gives you time to decide whether Basic Security Mode (on page 54) or [the enhanced] Full Security Mode (on page 57) is required as you deploy your network structure, determining common names, permissions and advanced [settings. The] Full security setting requires Signer Certificates on a per-task [bas]is and allows the gran[ularity of] corresponding CA Certificates to any level. Distrix Default Certificates: [Table: Reading Resource / Public key / CA Certificates.] A Distrix default CA cert (de[fault.ecc.pub]) and a default Signer cert (defaultnetwork.ecc) are installed on nodes as [part of] a basic security mode. Though this basic out-of-the-box set-up is con[venient, … see] Generate Certificates on page 59. The Certificate [Authority] (CA) cert has a private and a public key, and both are used to generate Signer certificates. The public key of the CA cert must be distributed to all nodes. It's recommended to use the same CA cert to c
45. strix/bin/distrix create ca <filename> <common name> <expiry days from now>. Example: /opt/distrix/bin/distrix create ca exampleca.ecc ExampleNetwork 730. Parameters: filename: The filename of the generated CA cert. Two files, <filename> (the [private key]) and <filename>.pub (the public key), are produced. common name: The common name of the generated CA cert, though it's [irr]elevant to [the] cert for its use in Distrix. expiry: A whole number representing the number of days before the ce[rtificate] expires. Generate a Signer Certificate from a CA Certificate: Once a CA cert is available, Signer certs can be derived fro[m it. Signer certs generated by the Dis]trix executable include both the private and public key in a single file; use the parameter create cert as follows. Syntax: /opt/distrix/bin/distrix create cert <fil[ename> <CA private] key> <common name> <expiry days from now>. Example: /opt/distrix/bin/distrix create cert […].ecc exampleca.ecc Network.Distrix 565. Parameters: [filename: The filename of the] generated cert. One file, a combined public and private [key, w]ill be generated with this filename. [CA private key: The] path of the private key of the CA from which this cert is to be derived, [and w]ith which trust is to be established. This should be the file previously [generated]. common name: The common name of the generated Signer cert. When using Full Security mode, the common name is used for two purposes: Comparison against the trust field of the associat
46. teway without needing to manage a socket connection. [The remainder of this item repeats the Application Tunnel Connector introduction and Header File locations given above.] Response Example (brecv; the receive loop that survives extraction, with the operators restored):

    char l_buffer[256];
    unsigned l_recvCount = 0;
    uint64_t l_startTime = DX_getTimeMs();
    /* Receive up to 10 messages, giving up after 20 s overall; each receive waits at most 2000 ms */
    while (l_recvCount < 10 && DX_getTimeMs() - l_startTime < 20000) {
        int l_recv = DX_receive(l_stream, l_buffer, sizeof(l_buffer) - 1, 2000);
        printf("received %d\n", l_recv);
        if (l_recv > 0) {
            l_buffer[l_recv] = 0;        /* NUL-terminate before printing as a string */
            printf("%s\n", l_buffer);
            l_recvCount++;
        }
    }
47. timeout: A length of time in milliseconds to be used as the timeout when forming an outgoing TCP connection. Ethernet: Currently only available for Linux. In an Ethernet tunnel, entire frames are encapsulated and passed through the Distrix network; it essentially acts as an extended Ethernet cable with routing capabilities. For each network tunnelled, a TAP device and a Linux software bridge must be configured. The latter bridges between the TAP device and the interface on the network being tunnelled. In order to preserve Ethernet packet headers, Distrix connects to the TAP device which, with the bridge in place, allows effective [read an]d write from the physical Ethernet interface. [The required] packages are installed using apt from the command line as follows: sudo apt[-get install bridge-]utils uml-utilities. See Automate TAP & Bridge Utilities on page 27 to configure [auto]mation of the interface set-up. The Ethernet tunnel can only be used in Point[-to-]point mode. [If] a tunnel i[nstance] is acting as a switch, it will accept connections from other Ethernet [tunnel in]stances (s[wit]ch and non-sw[it]ch) and route the traffic it receives from its interface to the appropriate oth[er tu]nne[l] using a MAC table. At least one part of the tunnel needs [to be c]onfigured [as] a switch. In Distrix 4.2, set switch to true in the tunnel config file. Previous versions […] default to true. Multiple switches can be connect
48. tworkname, [whe]re the suffix [is th]e network name shared by the two nodes. The common name is the important value. RECOMMENDATION: The security granularity can be [incre]ased by using a different cert for every single task on every node, and distributing the Signer ce[rts] as appropriate to the other nodes that are meant to be connected. The common types [of certificates that ma]nage authori[zed] tasks on a network are: network or communications, conf[igur]ation, p[rovi]sioning, [sec]urity, [mon]itoring and tunnels. Every node must have a Signer cert for ea[ch f]unction, i.e. [m]onitoring, [provisi]oning […]. Generate Certificates: Certificates [are] used to [secure] communications throughout, and in the administration of, a Distrix network. The Distrix installa[tion] pack[age includes a] default CA certificate (default.ecc.pub) and a default Signer cert ([de]faultnetwork.[ecc]), [wh]ich is used out of the box to enable the set-up of your network in a basic security mo[de]. To enhanc[e se]curity, the network administrator replaces these default certificates and can either use Distrix's method to [gen]erate an Elliptic Curve Certificate (ECC) or use an OpenSSL method. [Decide] in advance which certificate generation method to use before creating Signer certs, as the metho[ds] and types can't be combined. Generate a CA Certificate: The Distrix executable file includes a function to generate CAs employing ECC. Use the command line and enter the parameter create ca as follows. Syntax: /opt/di
49. work.Distr[ix …], name: […], purpose: […]; [tu]nnels.ecc; [monit]oring.ecc; [conf]iguration.ecc, purpose: Con[figuration]; security.ecc, purpose: Security, file: security.ecc; [pro]visioning.ecc, purpose: [P]ro[visioning]. Link Modules Configuration: Distrix 4.2 includes TCP and UDP Link Modules, which can be specifically config[ured in the Communication.cfg] file to specify configurations for Link Modules that require differentiation from those with [default conf]iguration settings. [These settings] must be inside the top-level modules parameter, [enclosed] with braces and preceded by the link module's name and a colon. Example: modules: { UDP: { enabled: true }, TCP: { enabled: t[rue] } }. NOTE: By [de]fault, any link module present in the /opt/distrix/LinkModule folder is loaded and run with their default values. There are two ways a Link Module can be disabled or explicitly enabled: Specify false or true as the entirety of the link module configuration, avoiding the use of the enabled option altogether; Specify enabled: false or true within the body of the specific module's configuration. Disabled modules: { UDP: false, […] }. Enabled modules: { […]: { enabled: false }, […] }. Tunnels Configuration: The file Tunnels.cfg is used for configuring Distrix tun
