T-TeleSec LineCryptConfig User's Guide
Contents
Gray: not activated. Green: activated.

Figure 9: Call numbers in Point-to-Point mode

If you do not select any numbers in the end number plan, the LineCrypt accepts every incoming call. In operating mode 4, all incoming calls are encrypted.

Network configuration (DSL, L, L100, SOHO)

Before using your LineCrypt DSL, L, L100 or SOHO, various network settings are necessary, which you should adjust to your needs. You can configure the parameters of the Ethernet ports (speed, duplex) in the dialog in figure 10.

Figure 10: Ethernet network configuration

TCP/IP configuration

Figure 11: TCP/IP configuration

The "detailed logging" option activates the recording of events on the device that are relevant for startup and problem recovery. Note that for LineCrypt DSL, L and SOHO, after the configuration has been written to the LineCrypt, detailed logging only remains active until the FLASH memory is half full with the log file.

Local network configuration (DSL, L, L100, SOHO)

You can configure the parameters of the internal Ethernet interface using the TCP/IP internal dialog.
Figure 44: Branch office 1, Security Policy "Directory service" (local side 192.168.2.1, remote side 192.168.1.1)

The Policy entry in figure 44 allows the LineCrypt at branch office 1 to communicate with the directory service.

Figure 45: Branch office 1, Security Policy "Head office" (local side 192.168.2.1, remote side 192.168.1.1)

The Policy entry in figure 45 allows the LineCrypt at branch office 1 to communicate with the head office. Since the central LineCrypt can be reached at a permanent IP address, no certificate number is necessary for this communication.

Configuration examples

Figure 46: Branch office 1, Security Policy "Branch office 2" (local side 192.168.2.1 to 192.168.2.255, remote side 192.168.3.1 to 192.168.3.255)

This Policy entry allows the LineCrypt at branch office 1 to communicate with branch office 2. For this, the certificate number of branch office 2 is required.

Configuration of the LineCrypt
Figure 14: External network (dialog with the directory service server entries ip1 to ip4, each set to none, internal or explicit, and the NAT timeouts TCP 1200 s, TCP fin 60 s, UDP 600 s, ICMP 120 s)

Activate PPPoE

The "activate PPPoE" switch activates DSL operation. If PPPoE is active, a PPP connection (see page 26) must be entered for operation.

Activate local directory service

The "local directoryservice" switch activates the directory service server functionality integrated in the LineCrypt L. Please note that the local directory service is only consulted if a "server for local directoryservice" entry is set to "internal" or is explicitly set to the device's own internal address.

Store IP address from ppp 0 in the directory service

If you activate this function, then for every successful PPP connection setup the LineCrypt stores the allocated IP address at all specified directory service servers.

TTL

Here you choose the life time of the directory service entry. The LineCrypt repeats the storage of the IP address after three quarters of the specified time. Please note that a setting that has not been coordinated with PPP > Connection > inactivity timeout can result in continuous connections.

server for local directoryservice

This is where you specify the IP
Figure 20: Procedure for checking rights (flowchart for an incoming or outgoing connection: own chip card available; partner certificate valid; partner certificate in black list; certificate in system administrator list for remote management; own certificate with closed user group attribute; CUG attribute of the partner certificate in the CUG list; white list available; partner certificate in white list; result: connection rejected or connection established. The emphasized path shows the rights examination on delivery.)

Figure 20 shows the procedure for checking rights in detail.

Password

Changes to the LineCrypt configuration can be password protected. If you leave the field empty, there is no password protection. This password is not identical to the chip card PIN and is stored in the LineCrypt.

Figure 21: Password

Pay attention to spaces when making your entry: spaces are valid characters in the password. Even passwords that consist entirely of spaces are valid, although they should not be used. If you want to use a LineCrypt password, make a note of it and keep it in a safe place. If you set up a LineCrypt password and lose it, you will only be able to use your LineC
- PPP > Connection > Name
- PPP > Connection > inactivity timeout
- PPP > PPP partner > User and
- PPP > PPP partner > Password

LineCrypt DSL and LineCrypt L with "activate PPPoE" support only one PPP entry. To configure a PPP connection, the following details are generally necessary.

Connection

First enter a unique, descriptive name of your choice for the PPP connection. Select the authentication type to be used for incoming connections. You have the following options:

- none: No authentication.
- PAP: Transfer user name and password in plaintext (for example for T-Online).
- CHAP: The password is transferred encrypted. Authentication is repeated every 60 seconds.
- CHAP one: Authentication is executed once only, during connection setup.

(PPP settings dialog: name Line1, authentication PAP, ISDN inactivity timeout 00:01:00, own MSN, PPP callback, PPP partner IP addresses 10.0.0.1 and 10.0.0.2, user and password; see figure 15)
a company-internal four-wire line to the S0 interface for connecting ISDN terminals or a PABX.

PAP (Password Authentication Protocol): Optional authentication protocol for the > PPP connection setup. Unlike CHAP, the user ID and password are transferred unencrypted.

PPP (Point-to-Point Protocol): The Point-to-Point Protocol is designed to encapsulate datagrams over serial lines and supports the transfer of LAN protocols like the > IP protocol.

preshared secret: Secret character string used with > IKE for authentication. The preshared secret must only be known to authorized communication partners.

Private automatic branch exchange (PABX): A private switching system connected with the public telecommunications network for external communication. PABXs are not restricted to the telephone service but offer transport services for all office communication: voice, text, data and image transfer.

remote management: Remote maintenance of your LineCrypt by an authorized system administrator via the ISDN channel or the network.

RIP (Routing Information Protocol): Protocol for exchanging routing tables between routers.

RSA: Asymmetrical encryption method. The LineCrypt devices use RSA for authentication and for exchanging the session keys.

Security Policy: In a VPN protected by > IPSec, a Security Policy defines a range of IP addresses and how IP packets in this range are to be handled
The following SNMP parameters can be set:

- Name: The device name, usually the host name assigned to the LineCrypt's internal IP address.
- Contact: The device contact, for example the telephone number or an e-mail address of the responsible group of people.
- Location: The device location, for example the room number where the device is installed.
- Community: The SNMP community used to query the device.

If no entry is made here, the standard values for name, contact, location and community are used.

Remote network configuration (L, SOHO)

You can configure the parameters of the external interface (Ethernet or PPP) using the TCP/IP external dialog.

IP

Enter the IP address at which the LineCrypt can be reached from outside. By specifying a Netmask, you define which bits of the IP address determine the network's IP address range. By specifying the Router, you define where IP packets that do not lie within the address range resulting from the network mask and the IP address are forwarded.

(TCP/IP external dialog: IP address 212.1.1.1, netmask 255.255.255.0, router 212.1.1.254, switches "activate PPPoE", "local directoryservice" and "Store IP address from ... in the directoryservice", TTL; see figure 14)
- Supported encryption algorithms: IDEA, Triple DES and DES.
- Supported hash algorithms for packet authentication: MD5 and SHA-1.
- Supported key lengths of the Diffie-Hellman key generation: 768, 1024 and 1536 bit.
- Preshared secret: The preshared secret is used for the authentication of the partner devices. Both devices must use the same value. Enter a 32-digit hexadecimal number here.

Rights configuration

When setting up an encrypted connection, LineCrypt IT and I use the certificates stored on the chip card. These certificates are used for the LineCrypt types DSL, L and SOHO if you selected the "encrypt" option in the Handling list box for the relevant Security Policy in the dialog under TCP/IP > External > SP (page 31). If you selected a different option ("not encrypt", "encrypt with IKE", "not encrypt NAT" or "reject"), the certificates are not used and the mechanisms described in this section are not deployed.

If an encrypted connection is to be set up between two LineCrypt, the LineCrypt establishes an encrypted connection between authorized communication partners only. For the partner's identification, the certificate number stored on the chip card (see also page 7) is used.

The CA list contains the keys used to check the partner certificates. Partner certificates that were signed with keys not on the CA list are not accepted. In the case you require an
enter the first and last address for which the rule is to apply. If you want a rule to apply to all IP addresses, set "from" to 0.0.0.0 and "to" to 255.255.255.255. If you want to select an individual address, enter this address in both the "from" and "to" fields.

Options

- Data volume limit: Enter the maximum data quantity transported with one key, in MB. The largest data quantity that can be set is 34000 MB.
- Time limit: You can define a key's validity period in this field. The maximum validity period is 23 hours and 59 minutes (that is, 1439 minutes) and can be set to the minute.

If the time given by the time restriction or the data quantity given by the volume restriction is reached, the session key used becomes invalid. A new authentication is performed just beforehand and a new session key is generated.

You can specify a Connection behaviour for the IPSec tunnel:

- If inactive, terminate: If no IP packets are transferred for 16 minutes, the IPSec tunnel is terminated.
- Keep inactive connection: The IPSec tunnel is not shut down within the key's lifetime if the connection is inactive.
- Set up connection always: An IPSec tunnel is set up spontaneously and is continually retained, even if there are no IP packets to transport.

IKE Options

You can perform the following settings for the IKE key exchange protocol. These settings are only available if you selected the "encrypt with IKE" action.

- Algorithm:
Edit access data mode

You can select this mode under the "Access data" menu command on the Options menu (see page 30). The access data is used if you enabled the "Store access data on chip card" switch in the dialog under TCP/IP > external > PPP. Read the access data from the connected LineCrypt by selecting the "Read from device" menu command on the Configuration menu. Enter the following access data for the active connections:

- Access name at the PPP partner (for example 00012341231 23123545454545 0001 t-online.de)
- Password
- Telephone number to be called (only relevant for LineCrypt SOHO)
- List of certificate numbers of the system administrators who may view and change the access data via remote management

Figure 25: Access data configuration

If you want a system administrator to be able to view and change the access data over the network, enter the relevant certificate numbers in the dialog in figure 25. If this list remains empty, the access data can only be viewed and changed via the serial interface.

Figure 26: Access data, administrator list

The access data can be protected via a separate password. This password is independent of the configuration password in the Password dialog (page 39). Transfer the access data back to the LineCrypt by selecting the "Write to device" menu command on the Configuration menu.
Branch office 2, Security Policy "Directory service"

The Policy entry in figure 50 allows the LineCrypt at branch office 2 to communicate with the directory service.

Figure 51: Branch office 2, Security Policy "Head office" (local side 192.168.3.2 to 192.168.3.255, remote side 192.168.1.2 to 192.168.1.255)

The Policy entry in figure 51 allows the LineCrypt at branch office 1 to communicate with the head office. The central LineCrypt can be reached at a permanent IP address, so no certificate number is necessary for this communication.

Figure 52: Branch office 2, Security Policy "Branch office 1" (local side 192.168.3.1 to 192.168.3.255, remote side 192.168.2.1 to 192.168.2.255)

This Policy entry allows the LineCrypt at branch office 2 to communicate directly with branch office 1. For this, the certificate number of branch office 1 is required.

LineCrypt I in point-to-multipoint mode: Example

Figure 53: LineCrypt I in point-to-multipoint mode (MSN not configured in the LineCrypt)

In the configuration shown, incoming calls with the call numbers 3322011, 3322013
connections to the LineCrypt GSM. Connections to the LineCrypt GSM are only possible with the Vocoder module.

Encrypted modem (SOHO): Prefix number for encrypted V.32 connections. V.32 connections are only possible with the Vocoder module.

PPP callback (SOHO)

The PPP callback is only supported by the LineCrypt SOHO. An external call to the LineCrypt can trigger the setting up of a PPP connection. To create a new PPP callback entry, click the "New" button. Enter the calling number in the "external number" field. If you do not enter a number here, the setting up of the PPP connection is triggered by a call irrespective of the calling number. Now select the MSN or end number of the LineCrypt in the "internal number" field. Finally, select the PPP interface to be activated by the call.

Figure 7: Callback (dialog with the callback entry: external number 035433211, internal number 654321, interface "ppp connection")

Call numbers, MSN (I, IT, SOHO)

If you selected Point-to-Multipoint in the dialog in figure 6, you can enter up to ten multiple subscriber numbers (MSN) here. If you clicked "Plaintext", an incoming call is accepted as unencrypted when using operating mode 4 (see page 17); otherwise i
permanent IP address. In this case, enter the certificate number of the partner device in the "Certificate ID" field. If you set the security gateway's IP address to 0.0.0.0 and the partner device's certificate number to 0, only incoming connections are possible.

In the Handling list box you define what is to happen with the selected data packets. You have the following options:

- encrypt: Communication between the local and remote network side takes place over an encrypted IPSec tunnel. For this, the specification of the security gateway and of the PPP entry to be used is necessary. This mode is recommended if you want to establish encrypted connections with other LineCrypt.
- encrypt with IKE: As for "encrypt", with the difference that the IKE key exchange protocol is used. DES and Triple DES encryption are optionally available for the user data encryption.
- not encrypt: The data packets are forwarded unchanged. Unencrypted communication is therefore possible.
- reject: The data packets are discarded, that is, they are neither forwarded nor processed in any way. No communication is established. The data packet's sender receives an ICMP message "Destination unreachable".
- not encrypt NAT: The IP addresses of the data packets are translated using NAT. No encryption takes place.

Local and remote side

Under "local side" and "remote side" you set the IP addresses for which the rule is to apply. From the range of IP addresses
should deactivate the white list. Partners entered in the system administrator list are authorized to configure the LineCrypt over the ISDN line (types IT and I) or over the network (types L, L100, SOHO and DSL). If you leave this list empty, the LineCrypt can only be configured via the serial interface.

Special chip cards (Company Card) contain a user group characteristic. This enables the implementation of closed user groups. The characteristic can be entered in the user group list and allows all cards that have this characteristic and are not on the black list to set up an encrypted connection.

Every entry in the white, black and system administrator list can contain an alias name. This alias name is used for log file analysis to make the entries more readable. Alias names for certificates that are not used in any of the three lists specified can be stored in the alias list.

Figure 19: use White List

If you want encrypted communication with just a few partners, activate the white list (see figure 19) and enter all the partners in the white list. If you want encrypted communication with many partners of a group, use a Company Card or enter the user group characteristic in the user group list. If you basically want encrypted communication with anyone who has a valid chip card, deactivate the white list and enter just the cards you want to exclude in the black list.
3322013 and 3322015, or calls initiated by devices on the internal S0 bus of the LineCrypt I, are protected by the LineCrypt I. Incoming calls, except for those with the call numbers 3322011, 3322013 and 3322015, can be accepted by devices connected in parallel to the LineCrypt I. These connections, like the outgoing connections of these devices, are then not secured by the LineCrypt I.

Figure 54: MSN configuration

Factory setting

Your LineCrypt comes with some settings that have already been prepared for you. To restore the LineCrypt to its configuration as when it left the factory, select the "Factory Settings" menu command on the Configuration menu. The current configuration is overwritten.

LineCrypt GSM

The following settings are pre-selected at the factory:

- Authorizations: White list deactivated, Black list empty, CUG list empty, System administrator list empty.

LineCrypt I, IT

The following settings are pre-selected at the factory:

- ISDN: ISDN access type multi-terminal connection, no MSN.
- Authorizations: White list deactivated, Black list empty, CUG list empty, System administrator list empty.
- Password: No password protection.

LineCrypt I

The following settings are pre-selected at the factory:

- ISDN: ISDN access type multi-terminal connection, no MSN.
- Mode: 3 (encrypted an
CA keys used by the publisher to sign the certificates are stored in a special list, the so-called CA list. This list is part of the LineCrypt configuration and is itself signed like a certificate. Since the publisher changes the CA key for certificate authentication at regular intervals, it may be that your LineCrypt CA list does not contain a valid CA key. In this case, the LineCrypt cannot check a certificate signed with such a key and therefore rejects the use of this certificate. In order to use this certificate, you require a current CA list, which you can transfer to the LineCrypt with the configuration software.

In the course of authentication, the communication partners exchange certificates and check that they are correct. The RSA encryption method (1024 bit) is used for authentication. In the course of authentication, the exchange of a 128-bit session key also takes place, likewise secured through the RSA encryption. This key is chosen randomly and is generated by the chip card.

Access control

Access control is implemented using the rights file. During authentication, the authentication partner's certificate is compared with the entries defined in the rights file, and a decision is made on whether to set up or shut down the connection based on the strategy described on page 38.

Encryption

The 128-bit session key calculated during authentication is used to encrypt the transport data. Encryption is based on the IDEA algor
IP

Enter the IP address at which the LineCrypt is to be reached in your internal network. By specifying a Netmask, you define which bits of the IP address determine the network's IP address range. By specifying the Router, you define where IP packets that do not lie within the address range resulting from the network mask and the IP address are forwarded.

Figure 12: TCP/IP setting, type L and L100 (dialog with the fields IP address, Netmask, Router and "2. IP address")

The "2. IP address" entry is used to pass a second IP address to the LineCrypt for the red side. This is used by the LineCrypt for communication with the directory service. If no second IP address is set, the IP address entered in the first line is used for communication with the directory service. The use of a second IP address for the directory service can be useful and necessary if it allows the balancing of the IP address space or the elimination of IP address conflicts on the red side in conjunction with directory service communication.

Routing

Here you define the routing table for the internal network side. A routing table entry defines a network area that is either

- routed via a router in the internal network, or
T-TeleSec LineCryptConfig User's Guide
Deutsche Telekom

Contents

System requirements ... 9
Installation and program start ... 9
(illegible entry) ... 9
Mode for LineCrypt DSL and SOHO ... 14
Mode for LineCrypt IT and I ... 15
(illegible entry) ... 17
Call numbers ... 18
Network configuration ... 20
TCP/IP configuration ... 21
Local network configuration ... 21
Remote network configuration ... 24
PPP configuration ... 26
Configuration Security Policies ... 30
Configuration with directory service: 1 head office, 2 branch offices ... 51
LineCrypt I in point-to-multipoint mode: Example ... 70

Registered trademarks, trademarks and service names are used in this manual. Even if they are not marked as such, the relevant protection regulations apply. IDEA is a trademark of Ascom Systec AG.

Notes (I, IT, SOHO)

You can perform all the settings on your LineCrypt simply and conveniently with the LineCryptConfig software. We strongly recommend that you read this user manual before using the LineCryptConfig. Deutsche Telekom cannot be held liable for any possible damage caused to the device or other facilities arising from the failure to follow the instructions in this manual. This manual is valid for LineCryptConfig version 2.4.x.

Overview of pictorial symbols

Safety notes for averting risks to people and objects are marked with a warning t
The dialogs assigned appear in the right part.

Start up

Start the LCC program using the Windows Start menu. Check that your LineCrypt is ready for operation. With the serial interface cable supplied, connect your LineCrypt to a free serial interface of your PC. On the Options menu, click "Serial interface" and then select the interface you have chosen. For fast operation, the speed of the interface should be set to 115200 Baud.

Figure 2: Dialog "Interface" (port COM1 to COM4; speed 9600, 38400 or 115200)

Now test the connection to the LineCrypt. To do this, select the "Read info" menu command on the Extras menu. The information displayed should now correspond to figure 2, the exact output depending on the type of LineCrypt, the software version and the chip card. If the message "Device not responding" is displayed, check the connection to the LineCrypt as well as the settings you have performed.

Figure 3: Device not responding ("Action failed: Device not responding")

Figure 4: Info

In order that the changes to the options you have made may be reapplied when you next start the LCC, save the settings by selecting "Save settings" on the Options menu.

Configuration

The LineCrypt configuration software (LCC) distinguishes three operating modes:

1. Edit
access data: Access data is used by the LineCrypt DSL, L and SOHO. The access data contains the PPP connection data (password, user name and telephone number) and can be stored separately from the remaining configuration on the LineCrypt chip card.

2. Edit configuration: In this operating mode the LineCrypt configuration can be changed. The configuration is stored in the LineCrypt FLASH memory. Whether the access data stored on the chip card or the access data that is part of the configuration is used for the PPP connection setup is also defined within the configuration.

3. Expert mode: This operating mode enables you to perform advanced settings for the LCC. You should only use this mode if you have in-depth knowledge of the configuration.

To configure the LineCrypt, you carry out three steps:

1. On the Options menu, select whether you want to change the access data or the configuration. You can now read out the existing configuration from the LineCrypt. To do this, select the "Read from device" menu command on the Configuration menu. If the configuration is password protected, you will be prompted to make an entry. Different passwords are used for the access data and the configuration.

2. Now alter the configuration as required.

3. To write the changed configuration to the LineCrypt, select the "Write to device" menu command on the Configuration menu. The new configuration takes effect immediately. Active ISDN connections are not canceled; TCP/IP connec
addresses of the directory service servers. The options are: no directory service server ("none"), the internal one ("internal") or one that you specify explicitly. If no directory service is to be consulted, set all four servers to "none". If the activated local directory service is to be used, set one of the four directory server entries to "internal". To use a particular directory service server, enable the "explicit" button and enter the IP address in the field provided. Note that the LineCrypt inquires at all directory services; however, in the search for a certificate number the search is completed with the first successful answer.

NAT Timeout

TCP, UDP and ICMP determine the time period in seconds for which the NAT context is retained for the respective connection after the last packet transferred. TCP fin, like the TCP timer, determines the time period for which the NAT context is retained for the respective TCP connection. This timer takes effect when the TCP connection has been canceled by one connection partner but not yet acknowledged by the other side. This makes it possible to release NAT contexts within a short time period even when the connection has not been correctly closed by both sides.

PPP configuration

You can configure the PPP connections using the dialog under TCP/IP > external > PPP. If PPPoE is activated for LineCrypt L (IP > activate PPPoE) or if your LineCrypt is type DSL, you only need to configure the settings for
Figure 15: PPP settings (dialog: user name and password of the PPP partner; incoming connections: "no incoming calls", "check called party number", "check calling party number", calling party number; outgoing connections: "no outgoing calls", PPP partner number; "Store access data on chip card")

For every PPP connection you can set the time period after which the connection is to be shut down if no data is transferred. Enter this time period in the "inactivity timeout" field. When using the directory service functionality, please ensure that the time specified here is coordinated with the life time (TTL) of the directory service storage. Otherwise continuous connections can occur.

If you configure the ISDN access as Point-to-Multipoint (see page 15), you can select from the "own MSN" list box one of the MSN entered in the dialog under ISDN > Phone numbers. If configuring as an ISDN PABX line, you can select the "local number" here. In this way you define the end number which is used in connection with the basic call number entered. Outgoing ISDN connections are made under the selected MSN or end number.

If the button described later, PPP > Incoming connections > "calling party number", is not enabled, the first PPP connection is used for an incoming connection. If this button is enabled, the firs
handled: discard, forward without handling, or forward encrypted.

session keys: Used for encryption of the user data. New session keys are generated for every session with the random number generator on the chip card.

SHA-1 (Secure Hash Algorithm 1): Hash algorithm that calculates a unique 160-bit long digital signature from a data stream of any length. SHA-1 is used by IKE for packet authentication.

SNMP (Simple Network Management Protocol): Protocol for the management and monitoring of network devices. UDP is normally used as the transport protocol.

SOHO (Small Office, Home Office): Name for small branches that are linked to a company network via the Internet and dial-up connections.

SPD (Security Policy Database): Table of > Security Policies.

TCOS (TeleSec Chipcard Operating System): Operating system for processor-controlled chip cards (smart cards).

TCP: TCP is a connection-oriented transport protocol for use in packet-switched networks. The protocol builds on the IP protocol, supports the functions of the transport layer and establishes a reliable connection between the entities before data transfer.

TCP/IP (Internet Protocol and Transmission Control Protocol): TCP and > IP are protocol standards on which the Internet is based.

telework: Any activity aided by information and communications technology that is always or only sometimes done at a workstation located outside the central workplac
Figure 22: Logdata (log excerpt showing the own certificate in use, the CA name and the card type; switches "short form" and "Read all logdata")

If the "Read all logdata" switch is activated, the whole log file is read. If the switch is deactivated, only previously unread log data is read.

Software update

If there is new software, you can transfer it to the LineCrypt by selecting the "Software update" menu command on the Extras menu. The new software only takes effect after a reset. To trigger the reset, select the "Reset" menu command on the Extras menu. With a software update the log data is deleted.

Figure 23: Software update ("Writing software to device. Please wait")

Only software whose version number is greater than or equal to the version number of the software in the LineCrypt can be imported. During the programming of the LineCrypt, the line voltage must not be interrupted and the programming device must not be disconnected; otherwise the new software will be inoperable and a chargeable service intervention will be necessary.

Figure 24: LineCrypt is programmed ("Transfer ok")

Access data (SOHO, DSL, L)

To configure the access data, you use the configuration software
25. at branch office 2.
Figure 47: Branch office 2, TCP/IP internal (IP address 192.168.3.1)
In this dialog you need to enter the IP address and the network mask of the local side. To enable communication with other devices, the entry shown in the routing table must be made.
Configuration examples
Figure 48: Branch office 2, TCP/IP external (first directory service server 192.168.1.1)
In the dialog in figure 48 the external side is set as a PPP connection according to the network scheme. The directory service is not activated, and the LineCrypt uses the internal IP address of the LineCrypt at the head office as the first directory service server.
Figure 49: Branch office 2, PPP (Internet access, hold time 00:03:00)
Figure 49 describes the Internet access of branch office 2. The setting of the hold time to three minutes means that the LineCrypt can terminate the PPP connection before the repeated storage of the IP address as soon as no data is transported.
Figure 50
26. configuration. The configuration of the access data is described on page 42.
Configuration of Security Policies (DSL, L, L100, SOHO)
You can configure the Security Policy rules using the dialog under TCP/IP > External > SP. A Security Policy defines a range of IP addresses for the local and remote side and how IP packets that fall within these IP addresses are to be handled by the LineCrypt: forward encrypted or unencrypted, or discard.
Figure 16: Security Policy configuration (dialog fields: name, PPP connection, local side from/to, remote side from/to, handling, security gateway, certificate ID, data volume limit, time limit, connection behaviour, encryption algorithm (IDEA, Triple DES, DES), packet authentication (MD5, SHA-1), Diffie-Hellman group (768, 1024, 1536) and preshared secret)
You should take into account the sequence of the Security Policies in the dialog box, since the LineCrypt always applies the first suitable rule. You can change the sequence using the arrow buttons in the lower part of the dial
27. ction is not established on account of incorrect user data, you will find entries in the following form in the log data:
PPP 0 outgoing PAP authentication failed for 001234123123123545454545 0001 t online de
PPP 0 outgoing CHAP authentication failed for 0001234123123123545454545 0001 t online de
PPP Partner: Enter the IP address of the PPP partner. If you want the IP address to be allocated, enter 0.0.0.0 here.
For the authentication types PAP and CHAP a Username and Password are required for the logon on the opposite side. You can enter them here. The LineCrypt uses the user name and password if the remote side requests authentication.
Incoming connection: If you do not want to allow any incoming calls, enable the no incoming calls button. In this case you do not need to perform any further settings. If you enable the check called party number button, only calls to the LineCrypt's own MSN or local number are accepted. Using the check calling party number button, define whether the transferred call number is to be checked against the number configured in the calling party number field for incoming calls.
Outgoing connections: If you enable the no outgoing calls switch, no outgoing calls are allowed. The PPP partner number is used if the PPP connection is initiated by the local side.
Store access data on chip card: If this switch is enabled, the access data stored on the chip card is used instead of the entries defined in the
28. d plaintext connections. Incoming calls with the service attribute voice are not encrypted. Outgoing calls with prefix number: 0 ISDN encrypted, 1 plaintext, 4 modem encrypted, 7 GSM encrypted.
Authorizations: White list deactivated; Black list empty; CUG list empty; System administrator list empty.
Password: No password protection.
Factory setting: LineCrypt L
Before you can establish connections to other devices with your LineCrypt L, you need to configure your device accordingly using the LineCryptConfig software. This includes:
- The TCP/IP settings of the network interface
- Directory service settings
- The configuration of authorized and unauthorized partner certificates
You should adjust these settings to your specific requirements. The following settings are pre-selected at the factory:
TCP/IP: IP address of the red side 0.0.0.0; Network mask of the red side 0.0.0.0; IP address of the black side 0.0.0.0; Network mask of the black side 0.0.0.0.
SP: No Security Policies.
Directory service: No servers; storage of the current IP address deactivated.
Authorizations: White list deactivated; Black list empty; CUG list empty; System administrator list empty.
Password: No password protection.
Factory setting: LineCrypt L100
Before you can establish connections to other devices with your LineCrypt L100, you need to configure your device accordingly using the LineCry
29. e. This workstation is connected with the central workplace electronically.
Triple DES: Variant of the → DES encryption method with improved security. The key length is tripled to 168 bits and DES is executed three times in a row.
Trust Center (CA, Certification Authority): Trusted authority that generates keys and issues certificates.
TTL (Time To Live): Life of an entry in the directory service.
UDP (User Datagram Protocol): The User Datagram Protocol is a transport protocol (layer 4 of the OSI reference model) and supports connectionless data exchange between computers. UDP was defined to also give application processes the direct possibility of sending datagrams and thus fulfill the requirements of transaction-oriented traffic. UDP builds directly on the → IP protocol beneath.
user group list: Closed user group list; requires a LineCrypt Company Card.
white list: List of certificate IDs of the users who are authorized for communication via the LineCrypt.
Index
alias name 37; authenticati
30. e, you do not need to perform any further settings for these types.
Figure 6: Mode 1 operating mode (dialog for ISDN Point-to-Multipoint/Point-to-Point, mode of operation and prefixes)
For a LineCrypt I you should now define the operating mode. Please note that the compressed transfer of the voice data via the transport protocols V.110 and V.32 requires an optional Vocoder module in the LineCrypt I. If your LineCrypt is not equipped with this module, you cannot use the specified transport protocols. In this case operating mode 2 is not available.
LineCrypt I supports four operating modes:
- Operating mode 1 (encrypted ISDN mode): In this operating mode the LineCrypt supports only encrypted HDLC connections to other LineCrypt via the ISDN channel. In this operating mode the LineCrypt I behaves like a LineCrypt I. You therefore do not have to use any prefix numbers for outgoing connections.
- Operating mode 2 (encrypted extended mode): Encrypted connections with all availabl
31. e acknowledgements on the IP layer.
IP network: Network based on the Internet Protocol. Every device in the network is addressed through an IP number.
IPSec: IPSec is a standardization proposal of the IETF in which methods and protocols are defined for cross-manufacturer secure and protected data exchange using the IP protocol.
IP tunnel: A connection between two subnetworks which conceals the precise addresses of the communication partners. At the start of the tunnel all data packets receive an additional header that refers to the tunnel end. There the external frame is removed and the original data packet is forwarded to its actual receiver.
ISDN (Integrated Services Digital Network): Integrated telecommunications services like telephone, fax and data communications in a network.
ISDN basic access: ISDN access comprising two speech/data channels (B channels) each of 64 kbit/s and a control channel (D channel) at 16 kbit/s. The two B channels can be used independently of one another for every service offered in the ISDN.
LAN (Local Area Network): A spatially restricted network. The most widely used LAN standard is Ethernet.
LED (light-emitting diode): For displaying the operational status of the device and of the connection.
LineCrypt Company Card: Special chip cards with information on closed user groups. Can be obtained from Deutsche Telekom if required.
log file: Records the processes in the LineCryp
32. e granted for certificates for which the appropriate secret key is compromised.
Explanation of terms
Red zone: the area of the terminals and the LineCrypt in which voice, user and management data that merits protection exists in unencrypted form.
Black zone: the area in which voice, user and management data that merits protection is transferred encrypted.
The NetKey Cards contain an operating error counter. This counter registers every insertion of the card into a LineCrypt that is not intended for this card. After a certain number of operating errors the NetKey Card switches off and must be replaced by a new one.
The LineCrypt security concept
Authentication
During connection setup both LineCrypt identify and authenticate themselves using the certificates stored on the chip card. A certificate is, in simplified terms, an electronic proof of identity. LineCrypt uses X.509 certificates. This kind of certificate always contains a unique certificate number and a public key which can be used to check signatures. It may also contain information on the identity of a person, such as name, organization or address. Every certificate is protected against tampering that would go unnoticed by an electronic signature of the issuer (publisher). The publisher of a certificate is also called the Certificate Authority (CA). LineCrypt accepts only certificates published by Deutsche Telekom. The keys
33. e transmission protocols are supported. For outgoing calls the transmission protocol is selected via a prefix number. Unencrypted connections are not supported in this operating mode.
- Operating mode 3 (encrypted and transparent, selection via BC, bearer capability): In this operating mode encrypted and unencrypted connections with all supported transport protocols are supported. For outgoing calls the transport protocol is selected via a prefix number. Incoming calls with the service identification voice are handled as unencrypted calls. Calls with a different service identification (data, video, fax G4, etc.) are handled as encrypted calls.
- Operating mode 4 (encrypted and transparent, selection by phone number): This operating mode differs from the previous operating mode only in the behavior for incoming calls. The LineCrypt decides from the called number whether an incoming call is to be handled as an encrypted or unencrypted call. For this it is possible to select individual end numbers or MSN for plaintext in the call number dialog described below.
Prefixes
In operating modes 2, 3 and 4 the LineCrypt uses prefix numbers to determine the type of the outgoing call. In operating mode 1 no prefix numbers are used.
plaintext: Prefix number for unencrypted connections in operating modes 3 and 4.
encrypted ISDN: Prefix number for encrypted HDLC connections to other LineCrypt.
encrypted GSM: Prefix number for encrypted V.110
34. hat operates a LineCrypt L at its head office. A branch office with a LineCrypt DSL and a branch office with a LineCrypt SOHO are connected via this LineCrypt. Both branch offices use Internet access with dynamic IP address allocation. A VPN is established between all locations via a PPP connection.
Figure 34: Network diagram (head office network 192.168.1.0, netmask 255.255.255.0, with LineCrypt L on the fixed IP address 122.12.1.1 behind router 122.12.1.254; branch office 1 network 192.168.2.0 with LineCrypt DSL and branch office 2 network 192.168.3.0 with LineCrypt SOHO, both with dynamic IP addresses)
The head office's LineCrypt operates a directory service where the other LineCrypt store their IP address as soon as they have connected with the Internet. A LineCrypt that wants to communicate with another dynamically connected LineCrypt consults this directory service for the IP address belonging to the required certificate number.
Configuration of the LineCrypt at the head office
The configuration of the LineCrypt at the head office is shown first. Both communication between the locations and the directory service function are only successful if the other LineC
35. iguration (SOHO, L, DSL)
- Routed to the external (black) side. To create such a routing entry, enter external or 0.0.0.0.
Figure 13: TCP/IP setting, SOHO (IP address 192.168.1.2, netmask 255.255.255.0; routing table with IP address, netmask, route and export columns; activate RIP; SNMP contact, location, name and community)
Routing entries with a smaller network area take precedence over those with a larger network area: they are evaluated first by the LineCrypt firmware. With the Export option you define whether the LineCrypt exports the route to other routers in the network using the RIP protocol. To enable encrypted communication you must specify at least one route that has the entry 0.0.0.0 or external in the Route column. With the activate RIP option you activate or deactivate RIP for all routing entries for which the Export option is set to Yes. Only RIP 2 via multicast is supported.
SNMP
LineCrypt SOHO, DSL and L support SNMP (Simple Network Management Protocol). This enables other devices in the network to query the LineCrypt device information.
36. ithm. An IKE-compliant key exchange is supported by LineCrypt L and SOHO. In this case the symmetrical encryption algorithms DES and Triple DES are also available for user data encryption. The IKE-compliant key exchange uses a preshared secret for authentication. This preshared secret is linked to a given IP address. Therefore IKE cannot be used with dynamic IP addresses. The certificates stored on the chip card are not used for IKE.
Installing the configuration software
System requirements
- PC with one of the following Windows operating systems: Windows 95, 98, ME, NT, 2000 or XP
- Free serial interface (RS-232, V.24) with a Sub-D connector
- CD-ROM drive
- LineCrypt IT, I, L, L100, DSL, SOHO or GSM
Installation and program start
Run the setup_de.exe file for the German language installation or the setup_en.exe file for the English language installation from the CD-ROM provided and follow the instructions on your screen.
User interface
Use the LineCryptConfig (LCC) configuration software just as you would use any other Windows software. That way you can keep to your usual method of working and move in your familiar desktop environment.
Figure 1: User interface
The user interface is divided into two parts. In the left part you can select the various settings by clicking and expanding the icons
37. l. In the dialog in figure 28 you need to enter the IP address and the network mask of the local LineCrypt. To enable encrypted communication you must specify at least one route that has the entry external in the Route column.
Figure 29: Branch office, PPP
The IP addresses and call numbers of the remote partner devices are configured in accordance with the network scheme shown. The LineCrypt sets up the connection to the ISP independently. No connections are set up from the ISP to the LineCrypt. To prevent any other dial-in, incoming calls are prohibited.
Figure 30: Branch office, Security Policy
If the remote connection partner is a LineCrypt (compulsory for encrypted connections without IKE), a suitable Security Policy that authorizes the local LineCrypt SOHO for communication must be configured in the remote partner device.
Configuration of the head office's LineCrypt
Figure 30 shows the configuration of the external Ethernet interface of the LineCrypt located at the head office.
Figure 31: Head office, TCP/IP external
The configuration of the internal interface is shown in figure 31. For the branch office's LineCrypt to be able to communicate with the head office, at least one Security Policy en
38. nch office 2 at the respective IP address, you need to specify the certificate number of the chip card in the LineCrypt at branch office 2.
Configuration of the LineCrypt at branch office 1
Figure 41: Branch office 1, TCP/IP internal (IP address 192.168.2.1, netmask 255.255.255.0)
In the dialog in figure 41 you need to enter the IP address and the network mask of the local side. To enable communication with other devices, the entry shown in the routing table must be made.
Figure 42: Branch office 1, TCP/IP external
In this dialog (figure 42) the external side is set as a PPP connection according to the network scheme. The LineCrypt uses the head office's directory service. That is why the red IP address of the head office's LineCrypt is used as the first directory service server.
Figure 43: Branch office 1, PPP (Internet access, hold time 00:03:00)
The dialog in figure 43 describes the Internet access of branch office 1. The setting of the hold time to three minutes means that the LineCrypt can terminate the PPP connection before the repeated storage of the IP address as soon as no data is transported.
39. og.
Network configuration
You should give every Security Policy a unique name. For a LineCrypt SOHO you must specify the PPP connection over which data applicable to the Security Policy is to be sent. LineCrypt L and DSL support PPP over Ethernet (PPPoE) only and allow only one PPP connection.
Any attempt to set up IP connections that do not fall into the IP address ranges defined by the Security Policies for the local side and remote side is rejected by the LineCrypt. If the remote connection partner is a LineCrypt, a suitable Security Policy that authorizes the local LineCrypt for communication must be configured in the remote partner device.
Whilst only the relevant IP address ranges of the local and remote side need to be specified for an unencrypted connection, additional details are necessary for an encrypted connection. The local tunnel end point is given by the local IP address of the local LineCrypt (or of the PPP connection used). The specification of a Security Gateway defines the second tunnel end point. Therefore enter the external IP address of the remote LineCrypt here. In this case an additionally entered certificate number is not used by the LineCrypt. If you do not know the security gateway's IP address and an inquiry first has to be made to the directory service, set the security gateway's IP address to 0.0.0.0. This is generally the case if you want to communicate with a LineCrypt DSL or another LineCrypt with no
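The Security Policy rules stated in this section and in the Security Policy configuration section (the LineCrypt applies the first suitable rule in list order, rejects connections that fall into no rule, and treats a security gateway of 0.0.0.0 as a directory service lookup by certificate number) can be modelled as a small first-match evaluator. This is an added example, not code from LineCryptConfig or the manual; the field names, the sample address ranges, the head office external address 122.12.1.1 and the certificate number 12345678 are constructed, and the example also checks for rules that an earlier, broader rule shadows, which is the ordering mistake the manual warns about.

```python
"""First-match evaluation of LineCrypt Security Policies (SPs).

Added example; not code from LineCryptConfig or the manual.  It models only
what the manual states: an SP names an IP range for the local side and one
for the remote side plus a handling (forward encrypted, forward unencrypted,
or discard); the LineCrypt applies the first suitable rule in list order; a
connection that falls into no rule is rejected; for an encrypted rule the
security gateway is the remote tunnel end, 0.0.0.0 meaning the address is
first obtained from the directory service via the certificate number, and
0.0.0.0 with certificate number 0 allowing only incoming connections.
Field names and all sample addresses below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

ENCRYPT, PLAINTEXT, DISCARD = "encrypt", "plaintext", "discard"


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    local_from: str
    local_to: str
    remote_from: str
    remote_to: str
    handling: str
    security_gateway: str = "0.0.0.0"
    certificate_number: int = 0

    def covers(self, local_ip: str, remote_ip: str) -> bool:
        """True if both addresses fall into this rule's inclusive ranges."""
        local, remote = IPv4Address(local_ip), IPv4Address(remote_ip)
        return (IPv4Address(self.local_from) <= local <= IPv4Address(self.local_to)
                and IPv4Address(self.remote_from) <= remote <= IPv4Address(self.remote_to))

    def contains_rule(self, other: "SecurityPolicy") -> bool:
        """True if this rule's ranges fully contain the other rule's ranges."""
        return (self.covers(other.local_from, other.remote_from)
                and self.covers(other.local_to, other.remote_to))


def first_suitable_rule(spd: List[SecurityPolicy], local_ip: str,
                        remote_ip: str) -> Optional[SecurityPolicy]:
    """Walk the SPD in configured order and return the first matching rule."""
    for sp in spd:
        if sp.covers(local_ip, remote_ip):
            return sp
    return None


def decide(spd: List[SecurityPolicy], local_ip: str,
           remote_ip: str) -> Dict[str, object]:
    """Decide how a connection setup from local_ip to remote_ip is handled."""
    sp = first_suitable_rule(spd, local_ip, remote_ip)
    if sp is None:
        return {"action": "reject", "rule": None}  # no suitable rule: rejected
    result: Dict[str, object] = {"action": sp.handling, "rule": sp.name}
    if sp.handling == ENCRYPT:
        if sp.security_gateway != "0.0.0.0":
            result["tunnel_end"] = sp.security_gateway
        elif sp.certificate_number == 0:
            result["tunnel_end"] = "incoming only"
        else:
            result["tunnel_end"] = "directory service lookup"
            result["certificate_number"] = sp.certificate_number
    return result


def shadowed_rules(spd: List[SecurityPolicy]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers them."""
    return [later.name for i, later in enumerate(spd)
            if any(earlier.contains_rule(later) for earlier in spd[:i])]


# Constructed SPD of a branch-office LineCrypt (red side 192.168.2.x) in the
# order an administrator would enter it: specific rules before the broad one.
# 122.12.1.1 is the head office's external address, 12345678 the certificate
# number of the other branch's chip card (both sample values).
SAMPLE_SPD = [
    SecurityPolicy("Directory service", "192.168.2.1", "192.168.2.1",
                   "192.168.1.1", "192.168.1.1", ENCRYPT, "122.12.1.1"),
    SecurityPolicy("Data head office", "192.168.2.1", "192.168.2.255",
                   "192.168.1.1", "192.168.1.255", ENCRYPT, "122.12.1.1"),
    SecurityPolicy("Data branch office 2", "192.168.2.1", "192.168.2.255",
                   "192.168.3.1", "192.168.3.255", ENCRYPT, "0.0.0.0", 12345678),
    SecurityPolicy("Internet plaintext", "192.168.2.1", "192.168.2.255",
                   "0.0.0.0", "255.255.255.255", PLAINTEXT),
]

# The same rules with the broad plaintext rule moved to the top: every other
# rule is shadowed, and head-office traffic would leave unencrypted.
MISORDERED_SPD = [SAMPLE_SPD[3]] + SAMPLE_SPD[:3]

if __name__ == "__main__":
    print(decide(SAMPLE_SPD, "192.168.2.10", "192.168.1.20"))
    print(decide(MISORDERED_SPD, "192.168.2.10", "192.168.1.20"))
    print("shadowed:", shadowed_rules(MISORDERED_SPD))
```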
40. on 7f, 27, 29, 32f, 79f, 84ff; black list 36f, 79; black zone 6; CA list 7, 35, 79; certificate ID 79f, 88; certificate numbers 36, 42f; chip card 7f, 11, 13, 30, 34, 37, 39, 42, 56f, 80, 86; Company Card 36f, 80, 83, 88; Configuration Security Policies 30; CUG 36, 72ff; delivery 82; directory service 22, 25f, 28, 31, 51ff, 59, 61, 65, 67; end number 17, 19, 28; Ethernet 21, 24, 31, 49, 81, 83; GSM 5, 9, 16, 72f; ICMP 26, 32, 81; IDEA 4, 8, 33, 82; IKE 8, 33; Internet Control Message Protocol 81; IP address 21ff, 29ff, 45ff, 51f, 54, 56ff, 62, 64ff, 68, 74ff, 84, 86; IP network 77, 81f; IPSec 31ff, 46, 82, 86; LAN 83ff; LED 83; Local network configuration 21; log data 29, 40f; log file 21, 35, 37, 40, 83; MSN 17f, 28f, 72f, 77, 84; NAT 26, 32, 84; NetKey Card 6, 84; network configuration 21, 24; numbering plan 19; operating error counter 6; operating mode 13, 15f, 18f; operating system 84; PABX 14f, 19, 28, 84f; partner certificates 35, 74ff; password 13, 27, 29, 39, 42, 44, 72ff, 80, 85, 89, 90; permanent IP address 31, 45f, 62, 68; plaintext 27, 73; PPP 13f, 17, 24ff, 31, 42, 46, 51, 59f, 65f, 76f, 85; prefix number 16, 73; Prefix number 16f; red zone 6; remote management 42, 85; RIP 23, 85; route 23, 46; router 22, 84; RSA 7, 79, 85; security gateway 31; Security Policy 30f, 34, 48f, 77f, 86; session key 7f, 32, 85f; settings 5, 10ff, 20, 26, 29, 33, 72ff, 80; SNMP 23f, 86; softwa
41. ples
Configuration examples (SOHO)
Configuration of a virtual private network
The network shown in the picture below serves as an example of the configuration of a VPN with permanent IP addresses.
Figure 27: Example VPN (branch office network 10.0.0.0, netmask 255.255.255.0, behind a LineCrypt SOHO with external address 192.42.1.7, tel. 54321; head office network 10.0.1.0, netmask 255.255.255.0)
The example shows a branch office which is connected via an ISDN line with an Internet Service Provider (ISP) that allocates permanent IP addresses. A secure connection is to be established from the branch office to the principal establishment. For this a PPP connection to the ISP is established. Using this PPP connection a secure IPSec connection is established for the setting up of a VPN.
TCP/IP configuration of the branch office's LineCrypt
[Dialog: IP address 10.0.0.1, netmask 255.255.255.0; routing entry 0.0.0.0 with route external, export yes]
Figure 28: Branch office, TCP/IP interna
42. ptConfig software. This includes:
- The TCP/IP settings of the network interface
- The configuration of authorized and unauthorized partner certificates
You should adjust these settings to your specific requirements. The following settings are pre-selected at the factory:
TCP/IP: IP address of the red side 0.0.0.0; Network mask of the red side 0.0.0.0; IP address of the black side 0.0.0.0; Network mask of the black side 0.0.0.0.
SP: No Security Policies.
Authorizations: White list deactivated; Black list empty; CUG list empty; System administrator list empty.
Password: No password protection.
Factory setting: LineCrypt DSL
Before you can establish connections to other devices with your LineCrypt DSL, you need to configure your device accordingly using the LineCryptConfig software. This includes:
- The TCP/IP settings of the network interface
- PPP settings
- Directory service settings
- The configuration of authorized and unauthorized partner certificates
You should adjust these settings to your specific requirements. The following settings are pre-selected at the factory:
TCP/IP: IP address of the red side 192.168.0.1; Network mask of the red side 255.255.0.0.
SP: No Security Policies.
PPP: No PPP connection.
Directory service: No servers; storage of the current IP address deactivated.
Authorizations: White list deactivated; Black list empty; CUG list empty; System administrator li
43. re update 41; TCP 13, 21, 24, 26, 30, 34, 42, 46, 74ff, 81, 87; terminal 6, 35, 84; user group characteristic 36f; user group list 36f, 88; user interface 10; V.110 158; V.32 15, 17; version number 41; VPN 45f, 51; white list 36f, 88
Important telephone numbers
In the event of malfunctions:
Sales enquiries:
Please enter the telephone number when handing over the unit.
The LineCrypt fulfils the requirements of the following EU Directive: 1999/5/EG. For this reason the LineCrypt bears the CE mark.
Responsible for content: T-TeleSec Products
Further information: http://www.telekom.de/t-telesec, e-mail to T-Telesec@telekom.de, or telephone at Freecall 0800 Telesec (0800 8353732)
Issued by Deutsche Telekom AG
Edition 16.09.03
Subject to change without notice
Printed on environmentally friendly paper
44. receive at a time.
HDLC (High Level Data Link Control): Bit-oriented transmission procedure within level 2 of the ISO/OSI reference model and component of the X.25 recommendation. HDLC is responsible for data link services and adds synchronizing signals to the data stream.
ICMP (Internet Control Message Protocol): The ICMP is a protocol for transferring status information and error messages of the IP, TCP and UDP protocols between IP network nodes. Gateways and hosts in particular use ICMP to return reports about problems with datagrams to the original source.
IDEA (International Data Encryption Algorithm): Encryption method with a 128-bit key length. LineCrypt uses IDEA to encrypt the user data.
IKE (Internet Key Exchange): IKE is used within the framework of → IPSec to transfer and negotiate information necessary for the encryption (algorithm, key, key life, etc.).
IP (Internet Protocol): The task of the Internet Protocol (IP, layer 3) is to transport data packets from a sender to a receiver across several networks. The transmission is packet-oriented, connectionless and non-guaranteed. The data packets (also called datagrams) are transported by the IP as independent data packets, even in the case of identical senders and receivers. IP guarantees neither observance of a particular sequence nor delivery to the receiver; that is, datagrams can be lost, on account of network overload for example. There are no receiv
45. riangle. Important notes for data security are marked with the hand pictogram. Important notes for LineCrypt operation are marked with the light bulb pictogram. If the information contained within a section is only applicable to particular LineCrypt types, the relevant types are specified.
LineCrypt types
LineCryptConfig may be used to perform the settings for the LineCrypt types IT, I, L, L100, DSL, SOHO and GSM. This manual describes the options and settings for all these LineCrypt types. Not all options and settings are available in all versions of the various LineCrypt devices. When configuring your device you may therefore find that what you see on your screen differs from the diagrams shown.
Data security
The LineCrypt family's security objective is to guarantee authentic and confidential communication between two LineCrypt. This security objective can only be achieved if the LineCrypt is configured to allow encrypted connections only. For a LineCrypt to function correctly and securely, compliance with the following organizational measures is required:
ORG1: The LineCrypt integration in the communication system must be such that only authorized users are able to use LineCrypt security functions from the red zone.
ORG2: Measures must be taken to prevent the possibility of a LineCrypt being used or manipulated by unauthorized persons, or falling into unauthorized hands together with the NetKey Card.
ORG3: No rights may b
46. rypt are configured appropriately.
Figure 35: Head office, TCP/IP internal (IP address 192.168.1.1; Security Policies SP 0 Directory service, SP 1 Directory service, SP 2 Data head office, SP 3 Data head office)
In the dialog in figure 35 you need to enter the IP address and the network mask of the local side. To enable communication with other devices, the entry shown must be made in the routing table.
Figure 36: Head office, TCP/IP external (IP address 122.12.1.1, router 122.12.1.254)
In the dialog in figure 36 the external side is set according to the network scheme. The directory service is activated, and the LineCrypt uses the internal directory service first. The head office consults its own directory service to determine the IP numbers of the branch offices.
Figure 37: Head office, Security Policy directory service ↔ branch office 1 (local side 192.168.1.1, remote side 192.168.2.1)
The Policy entry in figure 37 allows the LineCrypt at branch office 1 to communicate with the directory service. Since the security gateway's IP address is set to 0.0.0.0 and the certificate number is set to 0, only incoming connections are possible.
47. rypt management functions again after a chargeable service intervention.
Log data
You can view information about the connections using the log data dialog. The log file is deleted when a new configuration is written to the LineCrypt. To delete the log file explicitly, select the Delete Logdata menu command on the Logdata menu.
[Figure 22, first part: log data dialog with entries of the form 00:00:00:00 Card n Chipcard inserted, the card type (Siemens 66CX320P TCOS V2 Rel 3, NetKey Card), the CA name (NKS CA 12 PN) and which own certificate is used]
48. st empty.
Password: No password protection.
Factory setting: LineCrypt SOHO
Before you can establish connections to other devices with your LineCrypt SOHO, you need to configure your device accordingly using the LineCryptConfig software. This includes:
- The TCP/IP settings of the network interface
- PPP settings
- Directory service settings
- Security Policy settings for the authorized IP networks
- The configuration of authorized and unauthorized partner certificates
You should adjust these settings to your specific requirements. The following settings are pre-selected at the factory:
ISDN: ISDN access type multi-terminal connection, no MSN.
TCP/IP: IP address of the red side 192.168.0.1; Network mask of the red side 255.255.0.0.
PPP: No PPP connection.
SP: No Security Policies.
Directory service: No servers; deactivated; storage of the current IP address deactivated.
Authorizations: White list deactivated; Black list empty; CUG list empty; System administrator list empty.
Password: No password protection.
Standard values for a Security Policy rule
The following settings are pre-selected at the factory:
Name: ips N
Local side: From 0.0.0.0 To 0.0.0.0
Remote side: From 0.0.0.0 To 0.0.0.0
Security gateway: 0.0.0.0
Certificate number: 0
Action: Encrypt
Volume restriction: 34000 MB
Time restriction: 23:59:00 (HH:MM:SS)
Connection beha
49. t
local management: Configuring the LineCrypt using a PC and the LineCryptConfig software via the serial interface.
multi-terminal connection: ISDN basic access with three call numbers and two channels as standard, for direct connection of the telecommunications terminals at the NTBA.
MD5 (Message Digest 5): Hash algorithm that calculates a 128-bit long digital signature from a data stream of any length. MD5 is used by → IKE for packet authentication.
MSN (Multiple Subscriber Number): Up to ten Multiple Subscriber Numbers can be allocated to a multi-terminal connection. The subscriber numbers are used for targeted addressing of the connected terminals. Several Multiple Subscriber Numbers can be allocated to ISDN terminals.
NAT: Abbreviation for Network Address Translation, a method of translating the (normally private) IP addresses of a network to other (normally public) IP addresses of a different network. NAT thus enables several PCs in a LAN to use the IP address of the Internet access router for Internet access and conceals the LAN behind the router's IP address registered on the Internet.
NetKey Card: Smart card with → TCOS operating system. The private asymmetrical key and a certificate for → authentication published by the Deutsche Telekom → Trust Center are stored on the → NetKey Card.
NTBA (Network Termination Basic Access): Network termination device (small box) for converting a two-wire line into
50. ...t PPP connection whose own MSN corresponds to the called number is used. Therefore, if you configure several PPP connections with the same MSN, you should take the sequence into account.

Channel Bundling: Here you select whether you want to use ISDN channel bundling. If you use channel bundling, the second ISDN B channel is also used for data transmission when a defined bandwidth is exceeded. You have the following selection options:
- no channel bundling: channel bundling is not supported
- passive channel bundling: channel bundling is supported if requested by the opposite side
- active channel bundling: channel bundling is supported and initiated if required

Range for connect: Here you can define the bandwidth which, when exceeded, triggers the setting up of the second B channel.

Range for disconnect: Here you can define the bandwidth which, when fallen below, triggers the shutdown of the second B channel.

Network configuration

Time: The bandwidth necessary to trigger the setting up or shutdown of a connection must be exceeded or fallen below for a specific period of time. You can define this time here.

LineCrypt: In the IP address field, enter the local IP address of the LineCrypt for the selected PPP connection. If you requested authentication under PPP Connection > Authentication, the LineCrypt requires the remote side to enter the Username and Password. Enter this data in the fields provided. If the conne...
51. ...t is encrypted. Please note that LineCrypt I and II do not support unencrypted calls. If no multiple subscriber numbers are specified, the LineCrypt accepts every incoming call. In operating mode 4, all incoming calls are handled as calls to be encrypted.

[Figure 8: Call numbers in Point-to-Multipoint mode (screenshot of the Phone numbers dialog with the PPP connection entry)]

Configuration I, II, III

Numbering plan: If you selected Point-to-Point in the dialog in figure 6, you must first enter the PBX phone number (also used by your PABX) in the dialog in figure 9. In the extension number plan you can select one- or two-digit numbers. Here you should refer to the numbering plan of your PABX. If you have selected a one-digit end number in a row, the two-digit end numbers in this row are hidden. Calls to end numbers shown in gray are not accepted. Calls to end numbers shown in green are accepted and are encrypted according to the chosen operating mode. Calls to end numbers shown in red (operating mode 4 only) are put through unencrypted.

[Figure 9 screenshot: Phone numbers dialog with PBX phone number 776655 and the extension number (DDI) grid]
52. ...tions are interrupted and immediately restarted according to the new rules.

I, II, III, SOHO: Configuring the ISDN interface

You can define the parameters of the ISDN interface under the ISDN icon. You perform the settings using three dialogs. The first dialog, Mode, contains general settings. In the second dialog you perform the settings for the PPP callback for the LineCrypt SOHO. And in the last dialog you define the call numbers.

SOHO: Mode for LineCrypt SOHO

Connection type: First define whether your LineCrypt is to be operated before a private branch exchange (PABX line, Point-to-Point), at the multi-terminal connection (Point-to-Multipoint) or at the ISDN fixed connection. LineCrypt SOHO supports the digital Leased Line D64S (64 Kb/s) and the Leased Line D64S2 (128 Kb/s).

[Figure 5: Mode (SOHO), screenshot of the ISDN dialog with the options Point to Multipoint, Point to Point, Leased Line D64S, Leased Line D64S2]

Configuration I, II, III: Mode for LineCrypt I, II and III

Connection type: First define whether your LineCrypt is to be operated before a private branch exchange (PABX line, Point-to-Point) or at the multi-terminal connection (Point-to-Multipoint). LineCrypt I and II can only set up encrypted connections amongst themselves. Therefor...
53. ...toryservice

[Figure 38: Head office Security Policy, directory service, branch office 2 (screenshot: Directoryservice head office <-> branch office 2, addresses 192.168.1.1 and 192.168.3.1, Diffie-Hellman 768, 1024, 1536)]

This Policy entry (figure 38) allows the LineCrypt at branch office 2 to communicate with the directory service.

[Figure 39: Head office Security Policy, branch office 1 (screenshot: Data head office <-> branch office 1, 192.168.1.2 / 192.168.2.2 to 192.168.1.255 / 192.168.2.255; policy list SP 0 Directoryservice, SP 1 Directoryservice, SP 3 Data head office)]

Figure 39 shows a Policy entry that allows the LineCrypt at branch office 1 to communicate with the head office. In order that the head office may also reach branch office 1 at the respective IP address, you need to specify the certificate number of the chip card in the LineCrypt at branch office 1.

Configuration examples

[Figure 40: Head office Security Policy, branch office 2 (screenshot: Data head office <-> branch office 2, 192.168.1.2 / 192.168.3.2 to 192.168.1.255 / 192.168.3.255, certificate number 12345678, time limit 23:59:00, Diffie-Hellman 1024, 1536)]

The Policy entry in figure 40 allows the LineCrypt at branch office 2 to communicate with the head office. In order that the head office may also reach bra...
54. ...try is necessary. This type of entry is shown in figure 32.

[Figure 32: Head office, TCP/IP internal (screenshot: IP address 10.0.1.1, netmask 255.255.255.0, route table with a 0.0.0.0 / 0.0.0.0 external route and a Branchoffice internal route, "activate RIP" option)]

[Figure 33: Head office Security Policy (screenshot: name Branchoffice; local side from 10.0.1.0 to 10.0.1.255; Handling: encrypt; Security Gateway; Certificate ID; Options: data volume limit, time limit 23:59:00; Connection behaviour: if inactive terminate; IKE options: algorithm IDEA / Triple DES / DES, packet authentication MD5 / SHA1, Diffie-Hellman 768 / 1024 / 1536, preshared secret)]

Configuration examples

DSL, L, SOHO: Configuration with directory service (1 head office, 2 branch offices)

The example shows a company t...
55. ...updated CA list. After receiving a new CA list, you can transfer it to the configuration with the Load button. The connection between two terminals is only established if both LineCrypts accept one another as authorized partners. If there are problems, you should view the log file.

[Figure 17: CA List (screenshot of the Access Rights dialog with the tabs Alias List, Black List, System Administrator List)]

Rights check procedure

The certificate numbers of authorized partners are entered in the white list, those of non-authorized partners in the black list. The black list takes precedence over all other lists: if a certificate number can be found both in the white list and in the black list, no connection is set up.

[Figure 18: White List (screenshot: Certificate ID 123456789 Mr Miller, 234567890 Dr Frank; "Save selected entries" button)]

If you do not use a Company Card (the CUG list is empty) and the activated white list has no entries, no encrypted connections can be set up. If you want all partners except for those on the black list to be accepted, you...
56. ...uthentication protocol for the → PPP connection setup. Unlike for PAP, the user name and password are transferred encrypted.

Company Card: TCOS chip card that, unlike the → NetKey Card, contains information about a closed user group. Company Cards can be obtained from Deutsche Telekom if required.

configuration: The setting of parameters and the changing of preset values; also the status of the parameter settings.

connection scheme: Schematic diagram of possible connection variants.

contractual use: Restricted area of use and application declared and explained by the manufacturer.

DES: Data Encryption Standard. Widely used symmetrical encryption method with a key length of 64 bits (56 bits effective). See also → Triple DES.

EMC: Electromagnetic compatibility. The ability of an appliance, installation or system to function satisfactorily in the electromagnetic environment without introducing intolerable electromagnetic interference to any appliance or system in that environment (quoted from the EC EMC guideline, article 1, clause 4).

Ethernet: The most widely used → LAN (Local Area Network) standard. Supports data rates of up to 10 Mbps (10Base-T) or 100 Mbps (100Base-T).

half-duplex operation: Data transmission method whereby terminal stations can send and receive. The half-duplex method allows two-way alternate use of a transmission line. At the interfaces it is only possible to send or...
57. ...vior: If inactive, terminate.

Glossary

alias list: List of names and certificate IDs of the administered users.

authentication: Proof and verification of identity through proof of being in possession of a secret which the communication partner can check.

black list: List of certificate IDs of the users who are excluded from communication via the LineCrypt.

CA: Certification Authority. The certificates exchanged during authentication are signed by the CA as a trusted authority. The check is carried out with the CA's public key; see also → Trust Center.

CA lists: CA (Certification Authority) Trust Centers sign certificates with secret RSA keys. The CA lists contain the relevant public keys. The LineCrypt uses the CA list published by Deutsche Telekom's Trust Center to check that the certificates are valid.

certificate: A certificate is an electronic identifier that contains a digital signature created by a certification center (→ CA) with a private key. In addition to the digital signature, a certificate contains the name of the issuer and the owner's identity details. The authenticity of the keys is checked by the recipients. The format for the digital certificates used by the LineCrypt is defined in the ITU recommendation X.509v3.

certificate ID (certificate number): Number in a certificate that uniquely identifies it.

CHAP: Challenge Authentication Protocol. Optional a...