
Avaya 3.7 Network Router User Manual


Contents

1. Localing this filtering policy 189; The filtering policy in progress 189; Running the packet filtering policy wizard 189; Running the Policy Manager for packet filtering 190; Starting and stopping filtering services 190; Managing the ACL 190; Configuring advanced filtering options 191; Marking packets for differentiated services (QoS) 192; About Differentiated Services 193; How a VSU marks packets 193; Types of marking rules 194; How to create a packet marking rule 194; Packet filtering firewall 196; Chapter 9, Using advanced features 199; Path MTU Discovery 201; (Issue 4, May 2005, page 11, Contents) Port for dyna policy download 204; Port for Secure Authentication 204; Private IP Address (VPNos 3.x) 204; Send
2. public backup zone 68; Password text box, VPNremote Client, when creating a new; Path MTU, detailed description 201; Perfect Forward Secrecy 145; Perfect Forward Secrecy drop-down list 153; QoS Mark 187; QoS Mark drop-down list 195; QoS bandwidth allocation 180; ping of death 28; QoS rules 181; PKCS Number for VSU certificates 234; Quality of Service 192; Client Attributes 122; Inheriting a mark 195; Firewall 196; Policies RADIUS 124; Rule parameters; Policies RADIUS, Use for auth config DB 124; AF 195; Policy Manager; Firewall Rules 164; EF 195; Policy Manager for Packet Filtering, running the 190; Inherit 195; port mapping (NAT) 88; NAT 29, 85; User Defined 195; port redirection 29, 85; PPPoE 71; predefined firewall rules 297; Predefined marks, what are 193; RADIUS, authentication mechanisms 126; Preferences property sheet for CCD 113; backup servers
3. Send VSU Names control 205; server list, managing 211; Servers tab, detailed description 210; SHA1 authentication, selecting 153; shared secret for VSU-RADIUS communication 127; RADIUS 126; Signed Certificates 235; SKIP 135, 269, 318; SKIP radio button 136; SKIP VPN, about 133; authentication algorithm, configuring a 151; compression, configuring in a SKIP VPN 151; configuring 150; creating a new 136; encryption level, configuring the 151; smurf attack 28, 174; SNMP 17; VPN active sessions 247; SNMP Agent on a VSU 247; Split Tunneling, definition 108; Split Tunneling, disabling 108; SSL check box for a specific VPNmanager Server 211; SSL Port text box for CCD 204; Stac compression (SKIP), selecting 151; standards, electromagnetic compatibility 2; Start Time for Syslog Messages text box 114; static addressing 70; static mapping (NAT) 88; static NAT 29, 85; statistics, attack log 252; SYSLOG, event log messages, sending to VPNmanager Console 249; monitoring VPNremote Clien
4. Config: The Config button is a shortcut to the View > Configuration command, which opens the Configuration Console dialog. From this dialog you can configure new objects, modify and view existing content, and view details about the domain. Monitor: The Monitor button is a shortcut to the View > Monitor Screen command, which opens the monitoring wizard for the domain that is open. Update Devices: Update Devices is a shortcut to Tools > Update Devices, used to update the security gateway configuration with the configuration currently in the Directory Server database. VPN view pane: The VPN view pane is empty until you define your VPN. As devices are configured and added to the VPN, they are displayed in the view pane. The VPN view pane automatically selects one of three presentation types: network diagram view, tiled view, or tree view. The VPN view is determined by the complexity of the VPN. When the VPN contains fewer than six security gateways, a familiar network diagram view is presented. When more than five security gateways exist, the view switches to a tiled display in a vertically scrolling window. Alternately, a third presentation style, the tree view, can also be selected to deal with complex VPNs. In addition to displaying the individual security gateways in the VPN, a list of Remote Access Users associated with each security gateway is also displayed, providing a comprehensive V
5. Note: For VSUs with firmware version VPNos 4.x, Dynamic mapping cannot be configured. (Avaya VPNmanager Configuration Guide, Release 3.7, page 86.) Using Device tabs to configure the security gateway. To add a NAT rule (VPNos 4.31): 1. From the Configuration Console Contents column, select the Policy tab to bring it to the front. 2. Select NAT from the list and click GO. The NAT Rules dialog is displayed, and the selected device's name should be visible in the Object Names list. 3. From the Type list, select either static, port, or redirection. See Policies tab NAT services on page 85. Note: The screen displays only the fields that must be configured according to the zone and the translation type that you select. 4. In the Original area, complete the available (active) areas: Option, select from the list of predefined network objects and user-defined network objects, or select Specified; IP Address, type the original (from) address; Mask, type the mask; Port, type the from TCP/UDP port number, which can be from 1 to 65535. 5. In the Translation area, complete the areas that are not grayed out: Option, select from the list; IP Address, type the translated (to) address; Start Port, type in the Start port, which can be from 5000 to 65535; End Port, type in the End port, which can be from 5000 to 65535. 6. To enable this NAT rule, select Enable Rule. 7. Click Save. Close the Policy
6. 2. From the Contents column, select the User Object that needs to be configured. 3. From the General tab, select the DES check box if the VPNremote Client is limited to single DES (Data Encryption Standard). Note: A remote user using single DES encryption can only connect to a VPN using single DES encryption. 4. (Optional) Click the Memo tab to bring it to the front, then in the Memo text box type in some information about the user, for example where the user will be dialing from or the location of their headquarters. Information for VPNremote Client users. 5. Click the Dyna Policy tab to bring it to the front. If you do not want the default Dyna Policy settings, select Do Not Use Default Dyna Policy, then configure a customized method for storing the VPN configuration for the user: Select None to store the VPN session parameters locally on the remote user's computer; the policy is automatically downloaded to the user's computer the first time that the VPNremote Client is connected, and the policy is not password protected. Select Download configuration when remote starts to automatically download the VPN session parameters at the beginning of every session; the policy is removed when VPNremote Client is disconnected. Select Secure Dyna Policy with a user-defined key (password) to have the VPN session parameters reside on the user's hard disk and be activated by a pas
7. Heartbeat Retry Limit 215; Help System, online 17; High Availability 221; creating 224; deleting 225; enabling 221; HMAC-MD5 as an IPSec parameter 155; HMAC-SHA as an IPSec parameter 155; Hold Down Time 215; Hold Up Time 215; Index: I; IKE Certificate Usage 240; IKE Identifier 100; IKE identifier, user; IKE Identifier drop-down list 103; IKE radio button 136; IKE VPN, about 134; adding IP Group Objects 152; adding User and User Group Objects 152; authentication method, configuring the 153; Certificate Based radio button 152; compression, configuring 153; configuring 152; creating a new 136; Diffie-Hellman Group drop-down list 154; encryption level, configuring the 152; IPSec, see IPSec; Key Lifetime, configuring 153; keying algorithm modulus, configuring the 154; perfect forward secrecy, configuring 153; Preshared Secret radio button 152; shared secret, changing the 153; import configuration 281; intranet support 16; IP (Internet Protocol) Packet
8. Federal Communications Commission Statement, Part 15. Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. Canadian Department of Communications (DOC) Interference Information: This Class A digital apparatus complies with Canadian ICES-003. This Class A digital apparatus complies with Canadian standard NMB-003. This equipment meets the applicable Industry Canada Terminal Equipment Technical Specifications. This is confirmed by the registration number. The abbreviation IC before the registration number signifies that registration was performed based on a Declaration of Conformity indicating that Industry Canada technical specifications were met. It does not imply that Industry Canada approved the equipment. DECLARATIONS OF CONFORMITY, United States, FCC Part 68 Supplier's Declaration of Conformity (SDoC): Av
9. Table 31, Public high and medium security firewall rules (columns: Rule Name | Action | Source | Destination | Service | Direction | Zone | Keep State | Description):
(continued row) | | | | HTTP, HTTPS, DNS TCP, DNS UDP, NETBIOS NS (TCP/UDP), NETBIOS DGM (TCP/UDP), NETBIOS SSN (TCP/UDP), POP3, IMAP, SMTP, NNTP | | Public | Yes | Permit incoming traffic to DMZ network
InBoundPublicBlockAll | Deny | Any | Any | ANY | | Public | No | Deny the rest of traffic
OutBoundPublicAccess | Permit | PublicIP | Any | IKE OUT, IKE AVAYA OUT, IPSEC NAT T OUT, AH, ESP, ICMP DEST UNREACHABLE | Out | Public | No | Permit outgoing VPN traffic
(1 of 2) Firewall rules template. Table 31, Public high and medium security firewall rules (continued):
OutBoundPublicGeneralAccess | Permit | Any | Any | ICMP ECHO REQUEST, SSH, TELNET, FTP CTRL, PASSIVE FTP, HTTP, HTTPS, DNS TCP, DNS UDP, NETBIOS NS (TCP/UDP), NETBIOS DGM (TCP/UDP), NETBIOS SSN (TCP/UDP), POP3, IMAP, SMTP, NNTP | Out | Public | Yes | Permit traffic with the services to go out. The traffic can come from any network
OutboundPublicActiveFTPActive | Permit | DMZNet | Any | ActiveFTP | Out | Public | Yes | Permit active FTP data connection from FTP server on DMZNet to any FTP client on INTERNET
OutboundPublicNATedFTPActive | Permit | PublicIP | Any | DYNAMICPORTS | Out | Public | Yes | Permit NAT'ed active FTP data connection from FTP server on DMZNet to any FTP client on INTERNET
OutBoundP | Deny | A
10. The Contents pane displays a list of all available members of the object type currently selected. Details pane: The Details pane displays specific information about the selected object. Details are organized into categories presented as tabs across the top of the screen. Update Devices: Located in the upper right-hand corner of the VPNmanager Console window is the Update Devices button. Use it whenever you make changes to your VPN. To update the security gateway devices: 1. Make your changes to the VPN. 2. Click Update Devices to open the Update Devices dialog. 3. Select the security gateways to be updated. 4. Click OK to view the status of the update. 5. If the Update Configuration dialog appears, do the following: In the User Name text box, type in the superuser name you configured through the Console Quick Setup Menu when the device was being installed; if the device had a firmware upgrade from 3.x, type in root. In the Password text box, type in the Superuser password configured at the Console Quick Setup Menu when the device was being installed; if the device had a firmware upgrade from 3.x and had an existing security gateway Console password, type in that password; if the security gateway did not have an existing security gateway Console password, type in password. Click OK. 6. The Update Devices dialog will tell you when the update is completed. Preferences: Preferences pro
11. This section describes the features to configure a basic device. See Establishing security and Using advanced features for a description of the other tabs that can be configured. The tabs displayed are dependent on the VPNos release for the device; Table 5 lists the tabs by release. Table 5, Device tabs by release (columns: All Releases; VPNos 4.0 and earlier; VPNos 4.2 and later; VPNos 4.3 and later; VPNos 4.4 and later; VPNos 4.5 and later; VPNos 4.6 and later), covers these tabs: Actions, Advanced, Advanced Action, Connectivity, Denial of Service, Device Users, Diagnostics, Directory Servers, DNS, Failover, TEP (1 of 2; Setting up the network), General, High Availability, Interfaces, Memo, Network Objects, Policies, Private port, Resilient Tunnel, Routing, SNMP, Static Route, Upgrade, VoIP (2 of 2). General tab: The Device General tab (Figure 17) displays information specific to the security gateway highlighted in the Contents list. From the General tab you can change the IP address VPNmanager uses to communicate with the sec
12. 2. Click the Policies tab to bring it to the front. 3. From the drop-down list, select the entry, then click GO to open the Policy Manager for My Certificates. 4. From the Maintain Certificates list, select the certificate that you want the VPNmanager Console to use. 5. The default VSU certificate is identified by an asterisk in the MGR column. Although a specific certificate may have other targets, as assigned through the IKE Certificate Usage tab (see IKE Certificate Usage on page 240), the VPNmanager Console can still use it. 6. Click Use as Manager Certificate to make the VPNmanager Console a target of the certificate. Issuer certificates: Targets use an Issuer Certificate to authenticate a Signed Certificate. VSU targets can dynamically store up to eight Issuer Certificates. Storage on VPNremote Client targets is only limited by the amount of physical memory of the computer. Issuer Certificates must be installed on targets before they are needed to authenticate a Signed Certificate. This section explains how to retrieve and install Issuer Certificates for VSU targets. For information about installing Issuer Certificates on VPNremote Clients, see the VPNremote Administrator's Guide. About Issuer Certificates: The Signed Certificates stored in VSUs are X.509 public key certificates. They are used for distributing a public key of the VSU to targets (other VSUs, VPNremote Clients, and IKE compa
13. Device List For VPN Domain: This drop-down menu allows you to select a specific domain, or all domains, to monitor. Select Device(s): A list of all network objects available for monitoring. You can select a single device or select all devices displayed. Select Monitoring Group: This window displays a list of all possible preconfigured groups you may wish to monitor. These groups are constructed from one or more logically related items from MIB II and the VPNet Enterprise MIB. The groups include: Log Group, provides details about attack events, including time, attack type, and a description; System Group, provides security gateway CPU Utilization; Active Sessions, provides various details about the session in progress on the selected security gateway; Current Active Sessions, provides the number of VPN tunnels actively sending traffic to and from this VPN gateway; Address Table, displays information provided from the atTable in MIB II; IPRouteTable, displays information provided from the ipRouteTable in MIB II; Filter Stats, provides detailed reporting on filtering statistics for the current security gateway; Filter Rules, provides details about filter rules in effect and the traffic through the rules; Active Port, provides the number of physical ports on the unit physically connected to the network; Traffic Rate Tables, displays information provided from the traffRateTable in the MIB; Unit Statistics, displays informa
14. Note: The export RADIUS Users file created by VPNmanager contains no entries in the authentication password field. Consequently, after creating the file you must edit it to add the authentication password field to each Client. Additionally, the security of cryptographic keys used to secure VPNs is not compromised during the VPNmanager-to-RADIUS transfer: all VPN keys are encrypted with Triple DES encryption (56-bit DES encryption for the DES-only version of VPNmanager). This completes the process for configuring RADIUS support. If any Clients are rekeyed, they must be re-exported to the RADIUS server to reflect the new key. Note: Telnet sends traffic, including the login password, in the clear. Remember to disable telnet after you use it. Chapter 12, Upgrading firmware and licenses: You can upgrade the VPNos firmware and license from the VPNmanager and set encryption strength and remote access for VSU100s. Centralized firmware management: The VPNmanager centralized firmware management allows you to upgrade the firmware for one or many security gateways at one time. You can quickly verify the firmware release for any security gateway or VSU model. VPNmanager validates that the firmware image is correct before upgrading the device. The available firmware images are stored in the policy server. Before upgrading the firmware using the centralized firmware management feature, you must do
15. Port NAT: With port NAT, addresses from internal nonroutable networks are translated to one routable address. Port Redirection: With port redirection, addresses from a specific IP address and a specific port are redirected to another IP address and port. By default, NAT is enabled and the Share public address to reach the Internet feature is selected. NAT affects only clear traffic. SNMP: The VPNmanager uses the SNMP protocol to monitor the security gateway. The security gateway includes an SNMP agent that supports MIB II and a proprietary MIB. This agent is read-only and cannot be used to configure the security gateway. The agent can send traps to a list of trap agents that you configure. SNMPv1, SNMPv2c, or SNMPv3 can be selected. Overview of implementation. Syslog: The security gateway has a syslog messaging facility for logging system error messages. The messages can be automatically sent to a destination running a Syslog server. Client IP address pooling: Access control devices (ACDs) such as firewalls guard networks from unauthorized users. Analyzing source addresses is one method ACDs use to decide which packets can enter a network. The addresses that ISPs dynamically assign to VPNremote Client users are naturally blocked, because it is impossible to know ahead of time which address is assigned. You need to configure the VPNremote Client IP address pools feature with the source IP addresses that
16. RADIUS concepts 125; The RADIUS protocol 126; Authenticating secret password 126; RADIUS server data 126; To add a RADIUS server 127; Chapter 6, Configuring user groups 129; User Group General tab 130; User Group Memo tab 130; User Group Actions tab 131; Configuring a user group 131; Chapter 7, Configuring VPN objects 133; Types of VPN objects 133; VPN packet processing modes 134; Default VPN policy 135; Creating a new VPN object 136; Creating a default VPN 136; Creating a designated VPN 137; (Contents, page 9) General tab with IKE; Genera
17. Click Open to install the update.bin file. 16. When installation is complete, a message box appears asking if you want to reboot the security gateway. If the subdirectory has an upstage2.bin file, click NO. Do not reboot the security gateway; you need to install the upstage2.bin file. Follow the instructions starting from Step 9, and in step 14 select the upstage2.bin file. If the security gateway subdirectory does not have an upstage2.bin file, click YES. If you answered YES to rebooting the security gateway, your upgrade is complete. 17. Click OK to return to the VPNmanager Console. 18. The task summary is displayed. 19. Close the task summary window and check the security gateway status. The security gateway status should be success. 20. If you have not communicated with the target security gateway, the security gateway logon screen appears; enter your login credentials to complete the download. 21. When the download is finished, click Reboot Device to reboot the security gateway. Note: A security gateway takes at least two minutes to reboot. License: Beginning with VPNos 4.2, you can obtain additional licenses to increase the number of remote users and site-to-site VPN connections that are allowed during a secure session. When you purchase additional licenses, you receive a file with the encrypted information. This file is created based on the serial number of the security gateway and the number of licenses that are available on that security g
18. Encryption Standard). The user then runs VPNremote Client to install the dyna policy file. The RSA SecurID New PIN and Next Token CCD modes are supported. Figure 32, User Dyna Policy tab (screenshot of the Dyna Policy tab: Do not Use Default Dyna Policy; Security options for storing VPN Configuration in VPNremote Workstation: None, Download configuration when remote starts, Secure Dyna Policy with a user defined key (password); Disable Split Tunneling, VPNremote will drop all non-VPN packets; Local Database is being used for dyna policy authentication; VPNs using RADIUS or LDAP Authentication; Password). Configuring a global dyna policy: You configure the global CCD from the Preferences property sheet. You should set up the default global CCD before you configure user objects. The parameters can be changed at any time. You configure the following Preferences property tabs to create a global dyna policy: Dyna Policy Defaults (User); Dyna Policy Defaults (Global); Dyna Policy Authentication; Remote Client. The following describes each of the tabs. For the procedure to configure a default CCD, see Configure a default CCD with global dyna policy on page 113. Dyna Policy Defaults (User)
19. In the File name text box, type in a name for the file and use VPN as the file name extension. Click Save to create the file. You can now deliver the data file using e-mail, floppy disk, or FTP to the extranet administrator. The extranet administrator can use the instructions described in the Importing a VPN object from an extranet section to import the data file. Importing a VPN object from an extranet. To import a VPN Object data file: 1. Copy the VPN Object data file created during the Export procedure onto the computer running the VPNmanager Console. 2. Open the Configuration Console window. 3. From the Icon toolbar, click VPN to list all VPN Objects in the Contents column. 4. From the Tools menu, select Import VPN to open the Export VPN password dialog box. 5. In the Password text box, type in the password created during Step 7 of the Export procedure. 6. Click OK to open the Open dialog. 7. Use the controls in the Open dialog box to navigate to the VPN Object data file. 8. Select the data file, then click Open to import the data file. 9. After it is imported, the extranet VPN Object appears in the Contents column. Configuring VPN objects. Rekeying a VPN object: Use the Rekey command to create a new key that SKIP VPN tunnel endpoints (security gateways and VPNremote Clients) must use for encryption tasks. To rekey a SKIP VPN Object: 1. From the Icon toolbar
20. Preface. Network-wide Visibility and Control: The logical VPNmanager representation of virtual private networks simplifies their installation and control. From a single workstation, network managers can assign users anywhere on the network to one or more logical Groups and integrate local and remote Groups into VPNs. The VPNmanager software provides global-level, VPN-level, group-level, client-level, and equipment-level monitoring and control capabilities, and automates the task of managing configurations across multiple security gateways and Avaya VPNremote Clients. Extensive alarm reporting and statistics gathering capabilities allow network managers to respond in real time to hardware, network, and security problems and to plan the efficient growth and evolution of their networks. Intranet and Extranet Support: The VPNmanager software makes it easy to extend intranet services to remote sites and users securely. In addition, the VPNmanager's sophisticated import and export capabilities enable network managers from different organizations to securely link with one another into private wide-area extranets. Companies can quickly link and unlink to their suppliers, customers, consultants, and other business associates with flexibility and speed unmatched by traditional communications services. Secure VPN Configuration: Several mechanisms are employed to ensure security when managing VPNs. Industry-standard
21. The IP address of our partner company's security gateway is entered here. The IKE Identifier box is also activated when Extranet devices are selected. Zones: This is the zone that is used. The default is public. For Avaya SG203 and SG208 security gateways, if the semi-private zone is configured, it can be selected. Configuring IP Groups. IKE Identifier: Extranet security gateways using IKE key management can be based on the following IKE Identifier types: IP Address, DNS Name, Directory Name, Email Name. When one of the above is selected, an appropriate field appears in which the information is entered. Add IP Group member: The Add IP Group Member dialog appears when Add is clicked. A new member can be added to the current IP Group list. Depending on the release of VPNos, two options are available in this pane: IP Network address and Mask, or IP Range. For the IP Range, enter the starting and ending IP addresses. Table 8, Deriving the Group Mask (columns: To specify a contiguous range of this many addresses | Start from an IP address that meets these specifications | And use this mask):
1 | HHH.HHH.HHH.HHH, any IP address (e.g. 130.57.4.64 or 130.57.4.128) | 255.255.255.255
2 | HHH.HHH.HHH.n, n a multiple of 2 (e.g. 130.57.4.2 or 130.57.4.4) | 255.255.255.254
4 | HHH.HHH.HHH.n, n a multiple of 4 (e.g. 130.57.4.4 or 130.57.4.8) | 255.255.255.252
8 | HHH.HHH.HHH.n, n a multiple
22. The VSU is configured to protect several LANs on the other side of Ro, the router on the private side of the VSU. In this topology the administrator configures R4 as the default gateway of the VSU and Ro as the Default Gateway for VPN Traffic, with the decrypted box checked. Using this configuration and checking the decrypted traffic box, all decrypted VPN traffic would be forwarded to R and all encrypted traffic would be forwarded to R4. In this application, the Default Gateway for VPN Traffic removes the need for a configured static route on the VSU for each protected LAN. Note: Configured static routes take precedence over the Default Gateway for VPN Traffic. Setting up the network: If the security gateway is in a network with many routers (gateways to other TCP/IP networks), there can be more than one possible path to a specific router. In that case, routers are probably building routing tables from the information exchanged by a routing protocol. Security gateways can use such protocols to dynamically build a routing table. To build a RIP table: 1. From the Configuration Console Contents column, select the security gateway you want to configure. 2. Click the Routing tab to bring it to the front. 3. Configure the Listen, Learn, and Advertise options that apply to your configuration: Routes, select if you want the security gateway to dynamically build a routing table using RIP updates; Site-to-site
23. VPN, Certificate Based 138; VPN, Creating Default 136; VPNmanager: Administrators 33; Console to VSU communication 204; Help System, online 17; Server IP Address or DNS Name 211; port number 211; VPNremote Client 111; aggressive connection mode, turning on 155; authentication 119; Enable Redirection Support check box 114; if User and User Group Objects can communicate with IP Group Objects but IP Group Objects can't communicate with each other 155; information that must be given to users 119; Password text box 115; VSU: Advanced tab 85; certificate name, finding the 61; certificates, about 234; firmware version, how to find 61; identifying themselves to other VSUs 205; memo for, creating a 62; name distribution method 205; High Availability 221; private address, configuring a 204; Setup Wizard, starting 57; Setup Wizard, starting the 173; SNMP Agent 247; W: WinNuke attack 28, 175; world wide web support 19; (Index, page 325) X: 169; Z: zone, public 22, 68
24. (Screenshot of the VPN Members tab: IP Groups, Members, Available; Status.) Security IKE tab: The Security IKE tab is used for configuring the encryption and authentication algorithms used at the endpoints of a VPN tunnel. The configuration procedure involves setting a lifetime for public keys and a specific Diffie-Hellman Group for automatically generating keys of a specific strength. For additional protection, unique new keys are automatically generated and exchanged between all security gateways and VPNremote Clients in the VPN Object, based on their lifetime. Configuring VPN objects: In the ISAKMP IKE area you set up the key exchange parameters that you want used for the VPN. Field | Description. Encryption Algorithm: Select one of the following types. DES, a common encryption algorithm that is not subject to export regulations. 3DES, a robust encryption algorithm; 3DES is subject to government regulation, so contact Avaya for a current list of controlled and uncontrolled applications and territories. Any, accepts any encryption proposal that is made by the device on the other side. IKE VPNs use ESP to encrypt IP packets as defined in RFC 2406. You can choose either DES-CBC or 3DES-CBC (Domestic, U.S./Canada only) encryption. Note: The use of 3DES is subject
...area apply to the IP address that is currently highlighted.

To add a DNS relay configuration:
1. From the Configuration Console Contents column, select the security gateway to be configured. Click the DNS tab to bring it to the front.
2. In the DNS Relay Configuration area, click Add.
3. Enter the Domain name and the Primary IP address of the DNS server. The secondary IP address is optional.
   [Figure 19: Add DNS relay configuration dialog, with DNS Relay Domain, Primary IP and Secondary IP fields.]
4. Click OK.

Avaya VPNmanager Configuration Guide, Release 3.7

Using Device tabs to configure the security gateway

To add a static DNS server:
1. From the Configuration Console Contents column, select the security gateway to be configured. Click the DNS tab to bring it to the front.
2. In the Static DNS Servers area, click Add. Enter the IP address of the DNS server and enable the backup link if required.
3. The backup link is the DNS server that is used when the backup Ethernet interface is in use. Only one of the interfaces, either public or public backup, can be in use at the same time.
4. Click OK.
5. The maximum number of static DNS servers is four.

Configuring the DNS tab for a VSU at VPNos 4.2 or earlier

The VSU can resolve addressing for traffic using the Domain Name Service (DNS). However, the security gateways must know the DNS server IP address. Up to three server address
...or used to monitor security gateway activity. In addition, standard MIBs available with the VSUs enable monitoring from standard SNMP management stations.

Using VPNmanager Help

VPNmanager comes with a context-sensitive Help system. Use the Help system to get information about a specific command in the VPNmanager graphical user interface (GUI).

Related Documentation

Be sure to read the VPNos Configuration Guide. It contains important information on the proper procedure for setting up your VSUs, which is a prerequisite to setting up a Virtual Private Network.

VPNremote Client software installation and usage information is found in the VPNremote Client Administrator's Guide. This software allows the network administrator to pre-configure the VPNremote Client software for distribution to end users via the web or on portable storage media such as a CD or floppy disk.

You can download these documents from www.avaya.com: click Product Documentation, then select VPN and Security.

How This Book Is Organized

With this release of VPNmanager, the administrator's guide was redesigned to present information in the order that you use VPNmanager to configure a secure network.

Note: Depending on the VPNmanager version, some features described in this guide may not apply.

Preface

Chapter 1, Overview of implementation, provides an overview of how to use VPNmanager for centralized administration of your VPN and se
...page 35. Administrators that the super user creates can log in.

To log in:
1. In the User Name field, type the administrator name if it is not displayed.
2. Type the password that was configured when the VPNmanager software was installed.
3. The IP address or name of the policy server is listed in the Policy Servers list. Select the Policy Server if it is not highlighted and click Connect to log in to the server.

Add a policy server

The policy server is installed during the installation of the VPNmanager Console. The policy server distributes configuration and security policies. The VPNmanager Console is a client that communicates with the policy server to retrieve security policies; the policy server in turn communicates with the directory server. You add the policy server address the first time you log in to the VPNmanager Console.

1. From the VPNmanager Login dialog, click Add.
2. Enter the name that identifies the Policy Server, if available. This is the user-friendly name.
3. Enter the IP address of the Policy Server.
4. Enter the port. The default is 443.
5. Click OK. The name or address is displayed on the login screen.

You can edit or delete the policy server information.

Open Domain

When you connect to the directory server, an Open Domain screen appears. A list of all domains is displayed, with the last selected domain highlighted.

Note: The Open Domain screen does not
...select Enable Log. If you do not select Enable Log, this rule does not appear in the Monitor > Firewall Log display.

If the filter rule set for the intended traffic is also to be applied to the reply packets, select Keep State. This function can be applied to TCP, UDP and ICMP packets. If you want to change the default time-out settings for the TCP state, UDP state or ICMP state, click Advanced.

Note: Keep State sets up a state table, with each entry created by the sending side. Reply packets pass through a matching filter that is based on the respective state table entry. A state entry is not created for packets that are denied.

Note: Although UDP is connectionless, if a packet is first sent out from a given port, a reply is expected in the reverse direction on the same port. Keep State remembers the port and ensures that the replying packet enters on the same port.

14. Select the position of the firewall policy in the template.
15. Click Finish to return to the Firewall tab.

Device-level firewall rules

Device-level firewall rules apply to specific devices within the domain. Along with the device-specific rules, the security gateway also inherits the firewall rules that are defined at the domain level. If firewall rules are defined on the security gateway, these device-level rules have the highest priority and take precedence over domain-level firewall rules.

To crea
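The Keep State behaviour and the device-over-domain rule precedence described above, as an added example (not VPNmanager or VPNos code). It runs constructed packets through a small stateful filter: a permitted outbound packet creates a state entry keyed by the sending side, the reply is admitted by that entry rather than by a rule, a denied packet creates no entry, and an idle entry expires after a per-protocol time-out. The time-out values and the implicit-deny default are assumptions for the example, not VPNos defaults.

```python
"""Stateful filtering as the Keep State option describes it.

Added example, not VPNmanager or VPNos code. It models three behaviours from
the text with constructed packets (no real network I/O):
  - device-level rules are evaluated before, and so take precedence over,
    the domain-level rules the gateway inherits;
  - Keep State creates a state entry only for a packet the sending side is
    permitted to send, and the reply is then matched against that entry;
  - a denied packet never creates an entry, and an entry expires after the
    per-protocol idle time-out (the values set under Advanced; the defaults
    below are assumed, not VPNos's).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    sport: int  # for icmp: identifier
    dst: str
    dport: int


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any port
    keep_state: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


@dataclass
class StatefulFilter:
    device_rules: list
    domain_rules: list
    timeouts: dict = field(default_factory=lambda: {"tcp": 3600, "udp": 60, "icmp": 10})
    states: dict = field(default_factory=dict)  # sender 5-tuple -> expiry (seconds)
    log: list = field(default_factory=list)

    @staticmethod
    def _sender_key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def process(self, p: Packet, now: float) -> str:
        # A reply is recognised by the entry its initiator created: same protocol,
        # addresses and ports swapped. Expired entries are discarded, not reused.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        expiry = self.states.get(key)
        if expiry is not None:
            if expiry >= now:
                self.states[key] = now + self.timeouts[p.proto]  # traffic refreshes the idle timer
                return "permit (state)"
            del self.states[key]
        # Otherwise the rule sets decide; device rules come first, first match wins.
        for rule in self.device_rules + self.domain_rules:
            if rule.matches(p):
                if rule.log:
                    self.log.append((rule.action, p))
                if rule.action == "permit" and rule.keep_state:
                    self.states[self._sender_key(p)] = now + self.timeouts[p.proto]
                return rule.action
        return "deny"  # assumed default when nothing matches


def demo() -> dict:
    """Walk a DNS query/reply and a blocked host through the filter (constructed traffic)."""
    domain_rules = [Rule("permit", proto="udp", dst="10.0.0.53", dport=53, keep_state=True, log=True)]
    device_rules = [Rule("deny", src="192.168.1.99", log=True)]  # device rule wins over the domain permit
    fw = StatefulFilter(device_rules, domain_rules)
    out = {}
    query = Packet("udp", "192.168.1.10", 40000, "10.0.0.53", 53)
    reply = Packet("udp", "10.0.0.53", 53, "192.168.1.10", 40000)
    out["query"] = fw.process(query, now=0)            # permit, entry created
    out["reply"] = fw.process(reply, now=5)            # matched by the entry, not by a rule
    blocked = Packet("udp", "192.168.1.99", 40001, "10.0.0.53", 53)
    out["blocked"] = fw.process(blocked, now=6)        # device-level deny, no entry
    out["blocked_reply"] = fw.process(Packet("udp", "10.0.0.53", 53, "192.168.1.99", 40001), now=7)
    out["state_entries"] = len(fw.states)              # only the permitted query created one
    out["late_reply"] = fw.process(reply, now=200)     # UDP entry idle longer than 60 s: gone
    out["logged"] = [action for action, _ in fw.log]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to notice is the blocked host: because the device-level deny matched first, no entry exists, so even a packet crafted to look like a reply to it is evaluated against the rules and denied.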
...tab. The Preferences > Dyna-Policy Defaults (User) tab is used to define how the remote user's computer handles the dyna-policy configuration data (VPN session parameters).

[Figure 33: Preferences, Dyna-Policy Defaults (User) tab. Under "VPN Configuration Files on Remote User's PCs" the options are None; Download configuration when remote starts; and Secure Dyna-Policy with a user-defined key (password), with the note "Network configuration data can be a security risk on traveling PCs". A Disable Split Tunneling check box ("VPNremote will drop all non-VPN packets") appears below.]

Configuring remote access users

VPN configuration files on remote user's computer:
- None: The VPN session parameter information is stored locally on the remote user's computer. No password is required when VPNremote is subsequently launched.
- Download configuration when remote starts: VPN session parameter data is downloaded over the network to the remote computer at the beginning of every session and purged when the session is terminated. This is the most secure method.
- Secure Dyna-Policy with a user-defined key (password): VPN session parameter data resides on the remote user's hard disk and is activated by a password at the start of a VPN session. The remote user is resp
...the IP endpoints.
- Gatekeeper Zone: The zone where the gatekeeper is located with respect to the SG (for example, public when the gatekeeper is on the public side of the SG).
- Gatekeeper IP address: The gatekeeper's configured IP address.

The Proxy IP and Proxy Port in the Add Gatekeeper dialog are typically used when the gatekeeper is on the private side of the SG and is being NATed by the SG. In that case, the Proxy IP and Proxy Port are configured to be the IP address and port by which the gatekeeper is known to IP endpoints wanting to register with it. If the gatekeeper IP address is not being NATed by the SG, the Proxy IP and Proxy Port do not need to be configured.

Voice over IP

Add gatekeeper settings

When you add a gatekeeper, you include the gatekeeper name or IP address, the location of the gatekeeper with respect to the firewall, the registration authentication status, protocol and time-out. Click Add to configure gatekeeper settings for the VoIP configuration. Only one gatekeeper can be configured for a device.

[Figure 57: Add gatekeeper settings for VoIP. Fields: Enable Rule (check box), Name, Call Model (Gatekeeper Routed), Service Port (1719; range 1-65535), Timeout (90; 0, 90-7200 seconds).]

To enable VoIP and add gatekeeper settings:
1. From the Configuration Console Contents column, select the device to be configured. Click the VoIP tab to bring it to the front.
2. Click Add. The Add Gatekeeper Settings dialog is displayed.
3. In the Name field, enter a descriptive, unique name to identify the gatekeeper. Once the name is saved, it cannot be changed.
4. In the Call Model field, select Gatekeeper Routed from the drop-down menu.
5. In the Service Port field, specify the H.225 RAS protocol port. The default is 1719.
6. In the Time-out (seconds) field, specify the idle time-out for the connection. Time-out is the number of seconds that the security gateway allows for inactivity on the connection. If the inactivity continues beyond the specified time-out, the connection is closed. The default is 90 seconds.
7. Click Next. The source endpoints dialog appears.
   - In the Zone field, select the zone to which the source endpoints are connected. For example, if the endpoints are connected to the public zone, select public zone for this field.
   - In the IP Groups field, specify the source endpoint network object. This should be defined as a network object or network objects with IP addresses equal to the
   Note: If the network object does not exist, cancel the configuration and create one.
8. Click Next. The Gatekeeper's dialog appears.
   - In the Zone field, select the zone to which the destination endpoints are connected. For example, if the endpoints are connected to the private zone, select private zone for this fi
...type the IP address of the security gateway that belongs to the extranet.
10. From the IKE Identifier drop-down list, select a method for identifying the extranet's device. The device must be an IKE/IPSec-compatible device. The identifier type and value you configure here are what the security gateway expects the peer to present in its IKE identification payload.
   - Select IP Address if the extranet's device identifies itself by using an IP address. In the Location text boxes, type its IP address.
   - Select DNS Name if the extranet's device identifies itself by using a DNS name. In the Name text box, type the host name of the device.
   - Select Directory Name if the extranet's device identifies itself by using a directory server name. In the Name text box, type the directory name of the device.
   - Select E-mail ID if the extranet's device identifies itself by using an e-mail address. In the Name text box, type the e-mail address of the extranet's device.
11. Click Save to save your work.
12. (Optional) Use the Memo tab to make a note about this IP Group.

Delete

Click Delete to delete the highlighted IP Group from the Contents list.

Configuring IP Groups

Memo

Memo can be used to record notes about the IP Group, such as change history, where the group is located, and so on. Information entered here is associated only with the security gateway in focus. This information is stored only in the database and is not downloaded to the security gateway.

Chapter 5: Configuring remote access user
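The four IKE Identifier choices above correspond to identification types in the IPsec DOI. The following added example (not Avaya code) encodes and decodes the ISAKMP Identification payload for each of them and checks a received identity against the one configured for the peer; the label-to-type mapping and the minimal DER name builder are this example's own, and the payload layout follows RFC 2408 and RFC 2407.

```python
"""Encoding and checking the IKE (ISAKMP) Identification payload.

Added example, not Avaya code. The four IKE Identifier choices in the text map
onto IPsec DOI identification types (RFC 2407, section 4.6.2): IP Address,
DNS Name, Directory Name and E-mail ID. The payload layout follows RFC 2408
(generic header) plus the DOI-specific ID header. The DER helper builds only
the simple CN/O/OU/C distinguished names needed here.
"""
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3    # RFC 822 e-mail address
ID_DER_ASN1_DN = 9  # DER-encoded X.500 distinguished name

# Mapping from the VPNmanager drop-down labels (spelling assumed) to ID types.
LABEL_TO_TYPE = {
    "IP Address": ID_IPV4_ADDR,
    "DNS Name": ID_FQDN,
    "Directory Name": ID_DER_ASN1_DN,
    "E-mail ID": ID_USER_FQDN,
}

_ATTR_OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "C": b"\x55\x04\x06"}


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV; short-form length only (enough for names under 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("long-form DER lengths not implemented")
    return bytes([tag, len(body)]) + body


def der_dn(attrs) -> bytes:
    """Build a DER Name from [(attr, value)] pairs, e.g. [("CN", "gw1"), ("O", "Example")]."""
    rdns = b""
    for name, value in attrs:
        atv = _der(0x30, _der(0x06, _ATTR_OIDS[name]) + _der(0x13, value.encode("ascii")))
        rdns += _der(0x31, atv)  # SET containing one AttributeTypeAndValue
    return _der(0x30, rdns)  # SEQUENCE OF RelativeDistinguishedName


def encode_id(id_type: int, value, protocol_id: int = 0, port: int = 0, next_payload: int = 0) -> bytes:
    """Generic header (next, reserved, length) + DOI ID header (type, proto, port) + data."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(value).packed
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        data = value.encode("ascii")  # no terminator, per RFC 2407
    elif id_type == ID_DER_ASN1_DN:
        data = value if isinstance(value, bytes) else der_dn(value)
    else:
        raise ValueError("unsupported identification type")
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, protocol_id, port) + data


def decode_id(payload: bytes):
    """Return (id_type, value, protocol_id, port); reject malformed payloads instead of guessing."""
    if len(payload) < 8:
        raise ValueError("truncated identification payload")
    next_payload, reserved, length, id_type, protocol_id, port = struct.unpack("!BBHBBH", payload[:8])
    if reserved != 0 or length != len(payload):
        raise ValueError("malformed identification payload")
    data = payload[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        value = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        value = data.decode("ascii")
    elif id_type == ID_DER_ASN1_DN:
        value = data  # left as DER; compared byte-for-byte against the configured name
    else:
        raise ValueError("unsupported identification type")
    return id_type, value, protocol_id, port


def peer_id_matches(payload: bytes, label: str, expected) -> bool:
    """Check a received payload against the identifier configured for the extranet device."""
    expected_type = LABEL_TO_TYPE[label]
    if expected_type == ID_DER_ASN1_DN and not isinstance(expected, bytes):
        expected = der_dn(expected)
    try:
        id_type, value, _, _ = decode_id(payload)
    except ValueError:
        return False
    # Type must match as well as value: the same string sent as an FQDN and as an
    # e-mail address are two different identities.
    return id_type == expected_type and value == expected


if __name__ == "__main__":
    p = encode_id(ID_FQDN, "gw.example.com")
    print(p.hex(), decode_id(p))
```

A gateway that compared only the identity string, ignoring the type, would accept a peer that presents "gw.example.com" as an e-mail ID when an FQDN was configured; the check above treats that as a mismatch.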
A predefined mark is also known as a Behavior Aggregate.

Note: For additional information about Differentiated Services, see the following documents:
- Your router's documentation
- RFC 1812, Requirements for IP Version 4 Routers
- RFC 2474, Definition of the Differentiated Services Field in the IPv4 and IPv6 Headers
- RFC 2475, An Architecture for Differentiated Services

How a VSU marks packets

Before a VSU can run marking services, it is loaded with a list of Packet Marking Rules. As packets move through the VSU, it examines the header fields of every packet. The information gathered from the header is compared to the list of rules. If the comparison results in a match, the Type of Service (ToS) field of the header is marked (in DiffServ terms this byte is the DS field, whose upper six bits carry the code point). Marking can be performed on packets entering and/or exiting the VSU. Be aware that only IPv4 packets can be analyzed and marked.

Types of marking rules

Two kinds of packet marking rules can be created:
- A rule can be made to examine the ToS field of a header and copy the existing mark to the ToS field of the new packet that is entering or exiting the VSU. This is known as inheriting a mark.
- A rule can be made to skip the ToS field but examine the remaining fields of the header. If a match is made, the ToS field is marked accordingly.

How to create a packet marking rule

The Packet Filtering Policy wizard is used to creat
[Figure: User Defined Alarm dialog (Action Upon Alarm; OK, Cancel); screenshot not reproduced.]

Table 29: Alarm Descriptions

Alarm Type: Description

Cold Start: Indicates a security gateway was restarted via a power cycle, the security gateway console, or VPNmanager.

SKIP Parse Error: Indicates a packet that had an incorrect SKIP header was received. This alarm could result from a cryptographic attack.

Ns Out of Order: Indicates a packet that contained an expired key was received. This alarm could result from a cryptographic attack.

Monitoring your network

Table 29: Alarm Descriptions (continued)

SKIP Algorithm Mismatch: Indicates that a packet was received for which one of the three algorithms used to secure it (compression, encryption or authentication) did not match the VPN configuration within the security gateway where it was received. This alarm could result from a cryptographic attack.

Invalid Packet Signature: Indicates a packet that failed authentication was received. May indicate that the packet's source is using invalid encryption keys. This alarm could result from a cryptographic attack.

Packet Parse Error: Indicates the receipt of a packet that could not be properly decrypted, usually due to an incorrect IP packet header.

Improper Encryption Encapsulation: Indicates a packet that could not be properly decrypted was received. This alarm could result from a cryptogra
[Figure: Preferences, Dyna-Policy Defaults (Global) tab. Fields: Number of allowable login attempts by client (3); Client will be locked out for N minutes (1) if all login attempts fail.]

Dyna-Policy Authentication tab

The Preferences > Dyna-Policy Authentication tab is used to define how user authentication and Client Configuration Download (CCD) are performed. The choices are Local (security gateway based), RADIUS or LDAP. Whichever method you select becomes the global method used across the entire VPN.

[Figure 35: Preferences, Dyna-Policy Authentication tab. Options: Local Authentication (selected), RADIUS Authentication, LDAP Authentication.]

Configuring remote access users

Local authentication

Local authentication is used in non-dynamic VPNs, that is, VPNs that are not using RADIUS or a directory server as the authentication database. The user is authenticated against the database stored in the security gateway's flash memory. This is the default.

RADIUS authentication (VPNos 3.x and VPNos 4.31)

RADIUS authentication uses an existing
...CTR3 (Basic Rate Interface, BRI) and CTR4 (Primary Rate Interface, PRI), and subsets thereof in CTR12 and CTR13 as applicable. Copies of these Declarations of Conformity (DoCs) can be obtained by contacting your local sales representative and are available on the following Web site: http://www.avaya.com/support

Japan

This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur, in which case the user may be required to take corrective actions.

China

BMSI Chinese Warning Label

Hardware, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export or import hardware.

Acknowledgments

This product includes software developed by the Apache Software Foundation (http://www.apache.org).

Environmental Health and Safety

WARNING R
Configuring VPN objects

Members (Users) tab

The Members (Users) tab is used to establish the user membership of the VPN. A list of currently assigned users appears in the Current VPN Members list. Use the right and left arrows to move the users to the desired column.

[Figure 46: VPN Members (Users) tab of the VPNmanager Configuration Console; screenshot not reproduced.]

Note: When a remote user is removed from a VPN and the security gateway is updated, all non-RADIUS-enabled security gateways that are affected by the removal of the remote user are updated. For RADIUS-enabled security gateways, the remote user is not removed from the VPN until the configuration record is removed from the RADIUS database.

Members (IP Groups) tab

The Members (IP Groups) tab is used to establish the IP Group membership for this VPN. A list of currently assigned members appears in the Members list, while all available IP Groups appear in the Available list. Use the right and left arrows to move the IP Groups to the desired column.

Using the VPN tabs

[Figure 47: VPN Members (IP Groups) tab; screenshot not reproduced.]
Displays the date and time stamp of the configuration update of the HA group. VPNmanager handles the different time zones for you: in whatever time zone the update occurred, VPNmanager always displays the time stamp in GMT, confirming the last update. All configuration updates are saved in GMT.
- Index: Displays the current configuration revision number of all members. This allows the administrator to confirm that all the members have the same configuration. A successful configuration revision updates the index number. The member with the highest index number is eligible to become the active member in the HA group. If the active member has the highest index number and a passive member is revised to also have the highest index number, the active member maintains the active status; the passive member that has been updated to the highest index number does not replace the active member.
- Status: Displays the active or passive status of the devices in the HA group.

Using advanced features

By selecting the member in the table, the following actions can be performed:

Edit: This action allows the member to be edited.

Update: This action allows the selected member's configuration to be updated. If you suspect that a passive member does not have the most current configuration for the HA group, use the Update button to update the passive member's configuration. Using Update revises the configuration on the passive
- E-mail: vonsupport@avaya.com
- Web: http://www.support.avaya.com

International Support
- For regional support telephone numbers, go to http://www.avayanetwork.com/site/GSO/default.htm

Chapter 1: Overview of implementation

Planning how your virtual private network should be configured is critical to the successful deployment of a secure virtual private network. This chapter provides an overview of the major features that you will configure.

Note: This chapter does not explain how to set up a VPN or how to determine what type of security policies are required. You should understand networking, establishing firewall policies and VPNs before implementing a VPN using VPNmanager.

Components of the Avaya security solution

The Avaya security solution consists of the following:
- Avaya VPNmanager
- Avaya SG security gateways and VPN Service Units (VSU)
  Note: Beginning with VPNmanager 3.4, this configuration guide uses "security gateway" to refer to both the security gateway and the VSU. The VPNmanager application uses the word "Device" to refer to both of these components.
- Avaya VPNremote Client

Security gateways

The security gateways are designed to provide firewall coverage and VPN gateway functionality for enterprises migrating towards converged network environments. The security gateway performs cryptography, authen
[Figure 60: Policy Manager, Packet Filtering/QoS. The Packet Filtering tab shows an Enable Packet Filtering check box, an interface selector (All Interfaces), an Advanced button, and a rule table with the columns Action, Traffic Type, From Where, To Where, Int, Dir, Log and Enabled; the single row shown is a Deny rule for Any traffic type on the Public interface, inbound, with logging off.]

Packet Filtering

Clicking the Edit or Add button launches a Packet Filtering Policy Wizard that guides you through configuration of the desired packet filtering.

Advanced

The Advanced tab accesses specific types of filters that are activated through check boxes.

Permit/Deny non-VPN traffic radio buttons

The radio buttons at the top of the Packet Filter Rule Advanced screen are set according to your security policy. They include:
- Permit all non-VPN traffic: When checked, all non-VPN traffic is allowed to pass through the VSU.
- Deny all IP non-VPN traffic: When checked, all non-IP traffic is prevented from passing through the VSU, and all non-VPN IP traffic is dropped except for the following protocols: ICMP, IGMP, GGP, EGP, IGP, DGP, EIGRP and OSPF. Traffic matched by these exceptions passes through the VSU unencrypted and unauthenticated.
  Note: This mode should be used when the VSU is dedicated to VPN traffic and is the only device between the private and the public networks.
- Deny all non-VPN traffic: When checked, all non-VPN traffic is prevented from passing through the VSU. This mode blocks non-IP traffic and non-VPN traffic, including broadcast traffic, IP multicast traffic and other traffic containing routing information.
[Figure: Preferences, Dyna-Policy Authentication tab (Local Authentication selected; RADIUS Authentication; LDAP Authentication).]

Preferences > Advanced

The Advanced tab is used to either hide or display the LDAP directory context field that appears in a number of places throughout the VPNmanager Console. Users familiar with the LDAP directory structure may prefer having this field displayed.

[Figure 13: Preferences, Advanced tab. Under "VPNmanager server context information", the "Hide directory context field" check box is selected; the context field will be displayed or hidden in all New object dialog boxes.]

Remote Client

The Remote Client tab is used to establish a path (tunnel) to a secure DNS server to resolve client DNS names, as opposed to using a public DNS server, and to set the remote client user idle time-out period. See Remote Client tab on page 111.

[Figure 14: Preferences, Remote Client tab; screenshot not reproduced.]
Table 33: Public VPN-only firewall rules (continued)

Columns: Rule Name; Action; Source; Destination; Service; Direction; Zone; Keep State

- OutBoundPublicAccessVPNKeyMgmt: Permit; Public IP; Any; IKE IN, IKE AVAYA IN; Out; Public; Yes
- InBoundPublicICMP: Permit; Any; Public IP; ICMPDESTUNREACHABLE, ICMPTIMEEXCEEDED; In; Public; No
- OutBoundPublicICMP: Permit; Public IP; Any; ICMPDESTUNREACHABLE; Out; Public; No
- InBoundPublicBlockAll: Block; Any; Any; Any; In; Public; No
- OutBoundPublicBlockAll: Block; Any; Any; Any; Out; Public; No

Private zone firewall templates

The private network interface provides the connection to the private corporate LAN. Private zones are considered trusted networks and, because of this, most traffic is allowed. The private high security rules are enforced for both incoming and outgoing packets as follows: any incoming traffic from the private zone is allowed except traffic that is destined to the management zone; for outgoing traffic to the private zone, traffic initiated from the DMZ is strictly denied; all other traffic is allowed.

Firewall rules template

The private medium security rules and the low security rules are the same as the private high security rules.

Table 34: Private high security firewall rules

Columns: Rule Name; Action; Source; Destination; Service; Direction; Zone; Keep State; Description

- InBoundPrivateToMg (name cut off in the source): Deny; Any; Management; Any; In; Private; No
...IP address and subnet mask.

Note: If the security gateway is configured in VPN gateway mode, it must have VPNs configured in order to populate the list of configured VPN local members' IP addresses and subnet masks. If the security gateway is configured in user VPN mode, only the private zone subnet is displayed in the available list.

In the Translation area, enter the translation IP address.

Note: If Static NAT is selected, the subnet mask is automatically populated and is the same as the original subnet mask.

Click OK and then click Save.

Chapter 4: Configuring IP Groups

An IP Group is composed of a set of hosts (workstations and servers) that are located behind a common security gateway. The hosts are defined by their IP address and mask. The security gateway must exist prior to creating IP Groups.

Virtual private networks (VPNs) are made up of IP Groups at multiple locations linked across a public IP network. Assigning workstations and servers to different IP Groups offers a powerful way to limit VPN traffic to specifically designated users.

About IP Groups

Data Terminal Equipment (DTE) such as computers, printers and network servers are devices that can be members of a VPN. Two methods are used for creating members. One involves User Objects, which is described in Configuring remote access users but is reserved for creating members that are remote and have to dial i
Table 40: Semi-private VPN-only security firewall rules (continued)

Columns: Rule Name; Action; Source; Destination; Service; Direction; Zone; Keep State

- ...ccessVPNData (row begun on the previous page; its Action, Source and first Service entry are missing from the source): ...; ...; Semi Private IP; ..., IPSEC_NAT_T_IN; In; Semi Private; Yes
- OutBoundSemiPrivateAcessVPNData: Permit; Semi Private IP; Any; ESP, IPSEC_NAT_T_IN; Out; Semi Private; Yes
- InBoundSemiPrivateAccessVPNKeyMgmt: Permit; Any; Semi Private IP; IKE IN, IKE AVAYA; In; Semi Private; Yes
- OutBoundSemiPrivateAccessVPNKeyMgmt: Permit; Semi Private IP; Any; IKE IN, IKE AVAYA; Out; Semi Private; Yes
- InBoundSemiPrivateAccessICMP: Permit; Any; Semi Private IP; ICMPDESTUNREACHABLE, ICMPTIMEEXCEEDED; In; Semi Private; No
- OutBoundSemiPrivateAccessICMP: Permit; Semi Private IP; Any; ICMPDESTUNREACHABLE; Out; Semi Private; No
- InBoundSemiPrivateBlockAll: Block; Any; Any; Any; In; Semi Private; No
- OutBoundSemiPrivateBlockAll: Block; Any; Any; Any; Out; Semi Private; No

DMZ zone firewall templates

The Demilitarized Zone (DMZ) network interface is typically used to allow Internet users access to some corporate services without compromising the private network where sensitive information is stored. For all the services set up in the DMZ, access is allowed from any network, including Public, Private, Management and Semi-private. Because the DMZ is not a trusted network, all outgoing traffic is blocked. The same security rules are enforced for high security, medium s
Packet Filtering

About Differentiated Services

IP packets move from router to router by using routing and packet forwarding processes. The routing process involves building and maintaining a routing table. The packet forwarding process involves comparing the destination address of a packet with entries in a routing table to determine where to send the packet. Furthermore, there is a component of the forwarding process that can be used for controlling the behavior of a specific type of packet. The component is called Differentiated Services, which is also known as DiffServ or Quality of Service (QoS).

Differentiated Services involves using an identification system to mark IP packets. When the marked packet is processed by a router that is running Differentiated Services, the router compares the mark with a list of Packet Forwarding Behavior (PFB) rules (RFC 2475 calls these per-hop behaviors, PHBs). If a packet matches a specific rule, the rule is used to forward the packet. A PFB rule defines specific forwarding characteristics, such as minimum bandwidth requirements and the transmission precedence of one type of packet relative to other packets.

The identification system involves two kinds of marks, User Defined and Predefined. The user-defined mark is in the form of a number, where the number can be from 0 to 63 (the six-bit DiffServ code point), and identifies a customized PFB rule. The predefined mark is in the form of alphanumeric characters, and it identifies generic PFB rules that come with your router
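The marking described in this section and in "How a VSU marks packets" and "Types of marking rules" above, as one added example (not VSU or VPNos code). It builds IPv4 packets, applies the two rule kinds (match on non-ToS header fields and set a user-defined or predefined mark; or inherit the inner packet's mark onto the encapsulating outer packet), rewrites the DS byte without disturbing the ECN bits, and recomputes the header checksum. The addresses and the rule set are constructed for the example, and the predefined names are the standard AF/EF code points rather than whatever list a particular router ships.

```python
"""IPv4 DiffServ marking as the packet marking rules describe it.

Added example, not VSU/VPNos code. It covers both DiffServ passages: the
0-63 user-defined marks and the predefined (AF/EF) marks from the "About
Differentiated Services" text, and the two rule kinds from "Types of marking
rules": set the mark from the non-ToS header fields, or inherit the inner
packet's mark onto the encapsulating (outer) packet. Packets are constructed
here; the ESP outer packet is only an IPv4 header with protocol 50.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Union

# Predefined marks: DiffServ code points from RFC 2474 (BE), RFC 2597 (AF) and RFC 3246 (EF).
PREDEFINED = {
    "BE": 0, "EF": 46,
    "AF11": 10, "AF12": 12, "AF13": 14,
    "AF21": 18, "AF22": 20, "AF23": 22,
    "AF31": 26, "AF32": 28, "AF33": 30,
    "AF41": 34, "AF42": 36, "AF43": 38,
}


def _checksum(hdr: bytes) -> int:
    """RFC 791 header checksum; returns 0 when run over a header that already carries a valid one."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, dscp: int = 0, payload: bytes = b"", ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    tos = dscp << 2  # DSCP is the upper six bits of the former ToS byte; ECN bits left 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> Optional[dict]:
    """Return the fields the rules look at, or None if this is not an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ver_ihl, tos, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "dscp": tos >> 2, "ecn": tos & 0x3, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "checksum_ok": _checksum(pkt[:ihl]) == 0}


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite the code point, keep the ECN bits, and fix the header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a six-bit value")
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytes([pkt[0], (dscp << 2) | (pkt[1] & 0x3)]) + pkt[2:10] + b"\0\0" + pkt[12:ihl]
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + pkt[ihl:]


@dataclass
class MarkRule:
    mark: Union[str, int]          # "inherit", a PREDEFINED name, or a user-defined 0-63 value
    proto: Optional[int] = None    # header fields compared; ToS itself is never part of the match
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, h: dict) -> bool:
        return all(want is None or h[key] == want
                   for key, want in (("proto", self.proto), ("src", self.src), ("dst", self.dst)))


def mark_packet(pkt: bytes, rules, inner: Optional[bytes] = None) -> bytes:
    """Apply the first matching rule. `inner` is the encapsulated packet an inherit rule copies from."""
    h = parse_ipv4(pkt)
    if h is None:
        return pkt  # only IPv4 is analysed and marked
    for rule in rules:
        if not rule.matches(h):
            continue
        if rule.mark == "inherit":
            ih = parse_ipv4(inner) if inner is not None else None
            return pkt if ih is None else set_dscp(pkt, ih["dscp"])
        dscp = PREDEFINED[rule.mark] if isinstance(rule.mark, str) else rule.mark
        return set_dscp(pkt, dscp)
    return pkt


if __name__ == "__main__":
    inner = build_ipv4("10.1.1.5", "10.2.2.9", 17, dscp=PREDEFINED["EF"], payload=b"voice")
    outer = build_ipv4("198.51.100.1", "203.0.113.1", 50, payload=inner)
    marked = mark_packet(outer, [MarkRule("inherit", proto=50)], inner=inner)
    print("outer DSCP after inherit:", parse_ipv4(marked)["dscp"])
```

The inherit rule is what keeps voice priority across a tunnel: once the inner EF packet is wrapped in an ESP packet, intermediate routers only see the outer header, so the code point has to be copied there or the queuing benefit is lost.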
The level of security increases as the DH group number increases. Using a higher-level DH group results in longer key exchange times.
- Group 1: Key strength 768 bits. Platform support: SG5, SG5X, SG200, SG203 and SG208.
- Group 2: Key strength 1024 bits. Platform support: SG5, SG5X, SG200, SG203 and SG208.
- Group 5: Key strength 1536 bits. Platform support: SG5, SG5X, SG200, SG203 and SG208.
- Group 14: Key strength 2048 bits. Platform support: SG203 and SG208.
See RFC 2409 for more information on Diffie-Hellman groups. Groups 1 and 2 are no longer considered adequate against a well-resourced attacker; current IKE algorithm guidance (RFC 8247) requires group 14 and discourages the smaller groups, so use group 14 wherever the platform supports it.

Configuring VPN objects

Pre-Shared Secret

The Pre-Shared Secret area appears only when the VPN type is IKE with Preshared Secret selected. The preshared secret appears in the Secret field as either ASCII or hexadecimal. Select Modify Secret to change the preshared secret. Both the local and the remote security gateway must have the identical preshared secret text, or a secure tunnel cannot be established between them. Enter the secret character string, up to 64 hexadecimal characters or 16 ASCII characters. Use Autogenerate to generate a random character sequence. Select either ASCII or hexadecimal to display the secret.

Security (IPSec)

In IKE VPNs, VPN traffic flows in tunnel mode. Therefore, the Security (IPSec) tab is used for configuring the parameters used for encapsulating the original packet header and payload into the payload of an IPSec packet. Packet-level secu
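What "key strength" means for the four groups listed above, as an added example (not Avaya code): the MODP primes are the published values from RFC 2409 (groups 1 and 2) and RFC 3526 (groups 5 and 14) with generator 2, the strength is the bit length of the modulus, the exchange time grows with it, and a gateway must reject the degenerate public values 0, 1 and p-1 from a peer before deriving a shared secret. The Miller-Rabin helper and the safe-prime check are this example's own verification of the constants.

```python
"""Diffie-Hellman MODP groups 1, 2, 5 and 14 as used by IKE.

Added example, not Avaya code. The primes are the published values from
RFC 2409 (groups 1 and 2) and RFC 3526 (groups 5 and 14); generator 2 for
all four. It shows what "key strength" means (the modulus size), that the
cost of an exchange grows with the group, and the one check a gateway must
make on a peer's public value before using it.
"""
import secrets
import time

MODP_PRIMES = {
    1: "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF",
    2: "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
       "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    5: "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
       "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
       "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    14: "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
        "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
        "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
}
GENERATOR = 2


def modp_prime(group: int) -> int:
    return int(MODP_PRIMES[group], 16)


def key_strength_bits(group: int) -> int:
    """The "key strength" the configuration lists is the size of the modulus."""
    return modp_prime(group).bit_length()


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; adequate for checking published constants."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(n: int) -> bool:
    """All four IKE groups are safe primes: (p-1)/2 is prime, so 2 generates a large subgroup."""
    return is_probable_prime(n) and is_probable_prime((n - 1) // 2)


def valid_public_value(y: int, p: int) -> bool:
    """Reject the degenerate values (0, 1, p-1) that force a predictable shared secret."""
    return 1 < y < p - 1


def dh_exchange(group: int):
    """One IKE-style exchange between two parties; returns (shared_a, shared_b, seconds)."""
    p = modp_prime(group)
    started = time.perf_counter()
    x_a = secrets.randbits(key_strength_bits(group)) | 1
    x_b = secrets.randbits(key_strength_bits(group)) | 1
    y_a = pow(GENERATOR, x_a, p)
    y_b = pow(GENERATOR, x_b, p)
    if not (valid_public_value(y_a, p) and valid_public_value(y_b, p)):
        raise ValueError("degenerate public value")
    shared_a = pow(y_b, x_a, p)
    shared_b = pow(y_a, x_b, p)
    return shared_a, shared_b, time.perf_counter() - started


if __name__ == "__main__":
    for g in (1, 2, 5, 14):
        _, _, secs = dh_exchange(g)
        print(f"group {g:2d}: {key_strength_bits(g)} bits, exchange took {secs * 1000:.1f} ms")
```

Running the block prints the exchange time per group, which is the cost the text alludes to; the timings are hardware-dependent and are not asserted.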
...Traversal, and Port for Dyna-Policy Download.

Note: The Private IP Address and the local DHCP server IP address are combined beginning with VPNos 4.2. Previously, the Private IP Address was located on the Advanced tab.

[Figure 62: Security gateway Advanced tab of the VPNmanager Configuration Console. Properties shown include Path MTU (On), Path MTU Timeout (1000 minutes), and Fragmentation Control for Encapsulated VPN traffic (Don't Fragment: set the DF bit in the IP header; or Copy DF bit from the source packet).]

ARP

Determines the VSU's use of its MAC addresses. In the default mode, "Bind one IP address to each port", the Primary IP address is bound to the MAC address of the public port. If a private IP address is configured, that address is bound to the MAC address of the private port of the VSU. In this mode, all packets originating from the VSU destined for the public network use the public port's MAC address as the packet's source MAC address. Examples of public-network-destined traffic are:
- IPSec packets being tunneled to a member VSU
- SNMP Get Responses being sent to a VPNmanager console residing on the public side of the VSU
- Traps sent to a VPNmanager console residing on t
- Using the Connectivity tab to ping the security gateway
- Using the Device Actions tab to reboot the device, set the device time and import a device configuration
- Importing and exporting VPN configurations to a device
- Exporting RADIUS

Using the Management tab

The Device > Management tab is used to set up the SSH/Telnet feature and to change the administrator's password for the security gateway.

Setting up SSH and Telnet

Beginning with VPNos 4.31, SSH (Secure Shell) and Telnet can be used to access the security gateway's CLI. When you use SSH to transfer data, the entire log-in session, including transmission of the password, is encrypted. If you use Telnet to communicate with the security gateway, data transfer is not encrypted: the administrator password and every command cross the network in clear text, so keep Telnet disabled unless there is no alternative. You can turn on both SSH and Telnet, and you can specify the port to use and the allowed IP addresses that can access the security gateway. The defaults are the following:
- SSH is enabled for Any network objects on the private zone; all other zones are disabled. Only the root and the monitor users can use SSH to access the security gateway.
- Telnet is disabled on all zones.

Use the Device > Management tab to change the defaults and to configure or change the security gateway SSH/Telnet feature. When you log in to the security gateway using either SSH or Telnet, the security gateway's CLI interface is displayed. You can then use the CLI commands to troubleshoot the security gateway.

To
49. VPN can be the default VPN in a domain. Default VPN is an alternative method of user authentication suited for large IKE-based VPNs.
Directory Name: In the VPN information area, the unique VPN name is displayed along with the directory server context. This area also shows the security key exchange protocol that the VPN uses globally.

General tab with SKIP
If the VPN type you selected is SKIP, the following General tab appears. When SKIP is selected from the General tab, you can configure the following information:
Tunnel: Select the tunnel mode if IP packets between members are secured by encrypting and authenticating the entire packet, including the addressing header.
Transport: Select the transport mode if VPN services are applied to the IP packet payload sent between VPN members. The original addressing header is unchanged.
Enable VPN: When this box is checked and the security gateway has been updated, the VPN is active. Unchecking the box disables the VPN and is typically used during the troubleshooting process.
Directory Name: In the VPN information area, the unique VPN name is displayed along with the directory server context. This area also shows the security key exchange protocol that the VPN uses globally.

Memo tab
The Memo tab can be used to record notes about the VPN, such as change history, VPN type, etc. Information entered here is associated only with this VPN and is stored in the database.
Issue 4 May 2005 139
50. VPNmanager Console.
6. After VSU_A establishes a connection with the secondary VSU, the resilient tunnel is used for VPN traffic.
7. On a periodic basis, VSU_A continues to request a heartbeat from VSU_P. The period is called Dead Primary Poll Interval.
8. If VSU_A reconnects with VSU_P, VSU_A waits for a specific time before it switches traffic back to VSU_P. The waiting period is called Hold-down Time.
Note: If packet filtering is used, be sure the heartbeat packets are not filtered. The security gateway heartbeat listening port is 1643, using the UDP protocol.

Creating a resilient tunnel
Resilient tunnels are configured from the Resilient Tunnel tab.
Figure 69: The Resilient Tunnel tab for a security gateway (screenshot; shows the Resilient Tunnel list with Add, Enable SNMP Traps, Dead Poll Interval set to 60 seconds, and Status)
- Enable SNMP Traps: Check this box if you want SNMP traps enabled for the resilient tunnel.
- Dead Poll Interval: The number of seconds between heartbeat poll requests to a dead primary. This is different from the normal Heartbeat Interval because the primary security gateway is believed to be inactive and no response is expected. Therefore, the interval is much longer.
51. a specific security gateway.
Reset Device Time: Click Reset Time to synchronize the security gateway and the VPNmanager workstation to Greenwich Mean Time.
Reboot Device: To restart a security gateway at any time, click Reboot. A Cold Start alarm is logged by VPNmanager and any other trap targets specified. Note that any existing VPN connections are dropped and are re-established following the security gateway reboot sequence. Reboot should normally not be necessary except when fundamental configuration changes, such as changing the security gateway's IP address, are made. The time for the reboot process to complete varies with each security gateway series, the VSU 1200/7500 series taking up to approximately two minutes, during which VPN connections through this security gateway are down. For this reason, security gateway reboots should be performed during scheduled maintenance whenever possible.
280 Avaya VPNmanager Configuration Guide Release 3.7

Using the Device Actions tab
Re-setup Device: Allows a complete re-setup of the security gateway. This is normally done when the security gateway created did not exist in the network or when the security gateway has been replaced with a new unit.
Import Device Configuration: You can use the Import Device Configuration feature in VPNmanager to import configuration data from security gateways running VPNos 4.31 for use in VPNmanager. While it is feasible to configure a smal
52. address and Port. Click Close to return to the SNMP tab, or Apply to add another address. When finished, click Save. When you want to send the configuration to one or more security gateways, click Update Devices.

Using SNMP to monitor the device
To add an SNMP Trap Target for security gateways running versions prior to VPNos 4.2, do the following:
1. From the Contents column, select the security gateway you want to configure.
2. Click the SNMP tab to bring it to the front.
3. In the Trap Community text box, type in a unique community name.
4. Click Add to open the Add SNMP Trap Target dialog box.
5. In the SNMP Trap Target text boxes, type in the SNMP Target IP address.
6. Click Close to return to the SNMP tab, or Apply to add another address.
7. When finished, click Save.
8. When you want to send the configuration to one or more security gateways, click Update Devices.

To delete SNMP trap targets:
1. From the Contents column, select the security gateway you want to configure.
2. Click the SNMP tab to bring it to the front.
3. From the Trap Target list, select the target you want to delete.
4. Click Delete to remove the target.
5. Click Save.

Adding Admin Users for SNMPv3
Configuring SNMP for a security gateway:
1. In the SNMP tab, choose the version as SNMPv3.
2. A list of Admin users who were configured for SNMPv3 is displayed in t
53. advanced features.
- Send VSU's names that are involved in CCD only: Select this option if you want the remote client to query only those VSUs that are performing Dyna Policy services. This is useful if a domain contains many VSUs that are not used for authenticating remote clients. This saves time for the remote client, because it does not have to query every VSU to build a complete Dyna Policy.
- Send no VSU names: Select this option if a Directory Server or RADIUS Server is used for storing Dyna Policies. No VSUs are used for locally storing the policies.
- Customize: Select this option if you wish to specify individual VSU names to be sent.
5. When finished, click Save.
6. When you want to send the configuration to one or more VSUs, click Update Devices.

SuperUser Password (VPNos 3.x)
This function allows you to disable the SuperUser password, allowing only LDAP-based communication in the future. It is normally used in conjunction with role-based management. This feature consists of two options for authenticating into a VSU to perform configuration changes:
- VSU Advanced SuperUser Password ON (default)
- VSU Advanced SuperUser Password OFF
Advanced SuperUser Password ON (default): both SuperUser and LDAP authentication are allowed. The VSU attempts to authenticate VPNmanager via the SuperUser account first. If this fails, the VSU then attempts to authenticate via the VPNmanager user's LDAP account. A successful connection requires that the VSU
55. and likewise if Throughput expires before the Time-based value.
- Use the Locate this Proposal options to select where to put your new proposal in the Priority Proposal List. Security gateways always start from the top of the list when making a query.
Click the Advanced tab to bring it to the front.
Select Apply VPN to clients only if you have created a VPN Object where User and User Group Objects can communicate with IP Group Objects, but IP Group Objects cannot communicate with each other.
Note: This is an advanced control used for a rare case. The default setting will apply to most configurations.
Select Use aggressive mode for clients if you want to speed up the time needed for VPNremote Clients to establish a secure connection with the VPN.
Select CRL Checking if you want to automatically track certificates that have been revoked by a specific Certificate Authority (CA).
Note: This control is only available for certificate-based VPNs.
Tunnel endpoints (VPNremote Clients and security gateways) that use certificates shown by a Certificate Revocation List (CRL) are denied access to the VPN. To use this feature, you must obtain a CRL from your Certificate Authority, then manually install it in the directory server on a periodic basis. See Enabling CRL checking on page 156 for more information.
If you use CRL Checking, in the Directory Name of Certificate Authority text box, type in the distinguished name (DN) of the certificate auth
56. applies the default policy to the packet. The default policy is to permit the packet.

To edit, change the sequence of, or delete a filtering policy:
1. Move to the Configuration Console window.
2. From the Contents column, select the VSU where you want to modify the ACL.
3. Click the Policies tab to bring it to the front.
4. From the drop-down list, select Packet Filtering, then click GO to open the Policy Manager for Packet Filtering.
5. From the ACL, select a specific filtering policy.
6. Use Table 11 for performing specific ACL management tasks.

Table 11: ACL commands
Edit: Use this command to modify the filter policy through the Packet Filtering Policy Wizard.
Move Up: Click this button to move the filter policy higher in the ACL.
Move Down: Click this button to move the filter policy lower in the ACL.
Delete: Click this button to remove the filter policy from the ACL.

7. When finished, click Save to save your work.

Configuring advanced filtering options
To configure advanced filtering options:
1. Move to the Configuration Console window.
2. From the Contents column, select the VSU where the new filtering policy needs to be located.
3. Click the Policies tab to bring it to the front.
4. From the drop-down list, select Packet Filtering, then click GO to open the Policy Manager for Packet Filte
57. checked against the firewall rules at the interface where they are defined.
In the Direction list, select In or Out. The direction is with respect to the security gateway.
rule does not appear in the Monitor > Firewall Log display.

Firewall rules set up
12. If the filter rule set for the intended traffic is also to be applied to the reply packets, select Keep State. This function can be applied to TCP, UDP, and ICMP packets.
13. If you want to change the default time-out settings for the TCP state, UDP state, or ICMP state, click Advanced.
Note: Keep State sets up a state table, with each entry set up by the sending side. Reply packets pass through a matching filter that is based on the respective state table entry. A state entry is not created for packets that are denied.
Note: Although UDP is connectionless, if a packet is first sent out from a given port, a reply is expected in the reverse direction on the same port. Keep State remembers the port and ensures that the replying packet enters on the same port.
14. Select the position of the firewall policy in the template.
15. Click Finish to return to the Firewall tab.

Priority of Firewall rules versus NAT rules
When packets pass through zones that have both Firewall rules and NAT rules set up, NAT rules are applied before the firewall rules are applied. Depending on the type of NAT rule (static, port NAT, or redirect
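The two Keep State notes above describe a state table; the following added example (not code from the Avaya manual or the product) models that behaviour: a permitted packet from the sending side creates an entry, the reply is matched on the reversed tuple and, for UDP, on the same port pair, and a denied packet creates no entry. The rule layout, the per-protocol time-outs and the deny-by-default fallback are constructed assumptions, since this page does not give the Advanced dialog's defaults.

```python
"""Stateful matching in the sense of the manual's Keep State notes.

Added example, not the manual's or the product's code. STATE_TIMEOUTS,
the rule fields and the sample traffic are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATE_TIMEOUTS = {"tcp": 3600, "udp": 60, "icmp": 10}   # seconds, assumed values


@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # 0 for icmp
    dst: str
    dport: int      # 0 for icmp
    direction: str  # "out" (leaving the gateway) or "in"


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str              # "any" or a protocol name
    dport: Optional[int]    # None matches any destination port
    action: str             # "permit" or "deny"
    keep_state: bool = False

    def matches(self, pkt: Pkt) -> bool:
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


StateKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class KeepStateFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Dict[StateKey, float] = {}   # entry -> expiry time

    def handle(self, pkt: Pkt, now: float) -> str:
        """Return "permit" or "deny" for pkt arriving at time `now` (seconds)."""
        # Expired entries are dropped before anything is matched.
        self.state = {k: exp for k, exp in self.state.items() if exp > now}
        # A reply is the reversed tuple of an existing entry (same ports,
        # swapped ends); it passes on the entry without re-consulting rules.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            self.state[reverse] = now + STATE_TIMEOUTS[pkt.proto]   # refresh
            return "permit"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "permit" and rule.keep_state:
                    key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                    self.state[key] = now + STATE_TIMEOUTS[pkt.proto]
                return rule.action   # a denied packet creates no state entry
        return "deny"   # assumed fallback when no rule matches


def demo() -> List[str]:
    """Constructed walk-through: an outbound DNS query, its reply, a reply on
    the wrong port, a late reply, and a reply to a request that was denied."""
    fw = KeepStateFirewall([
        Rule("out", "udp", 53, "permit", keep_state=True),
        Rule("out", "tcp", 23, "deny"),
        Rule("in", "any", None, "deny"),
    ])
    query = Pkt("udp", "10.1.2.101", 5000, "198.51.100.53", 53, "out")
    reply = Pkt("udp", "198.51.100.53", 53, "10.1.2.101", 5000, "in")
    wrong_port = Pkt("udp", "198.51.100.53", 53, "10.1.2.101", 5001, "in")
    telnet = Pkt("tcp", "10.1.2.101", 40000, "198.51.100.23", 23, "out")
    telnet_reply = Pkt("tcp", "198.51.100.23", 23, "10.1.2.101", 40000, "in")
    return [
        fw.handle(query, 0.0),           # permit: state entry created
        fw.handle(reply, 1.0),           # permit: matched via the state entry
        fw.handle(wrong_port, 1.0),      # deny: port differs from the entry
        fw.handle(reply, 100.0),         # deny: the 60 s UDP entry has expired
        fw.handle(telnet, 100.0),        # deny: and no state entry is created
        fw.handle(telnet_reply, 101.0),  # deny: nothing to match it against
    ]
```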
58. considered part of the protected network, but the media may be vulnerable to attack. The semi-private zone provides the additional security measure of IPSec encryption to prevent compromise of the network, for example VPN over wireless protection.
DMZ zone: The DMZ (Demilitarized Zone) is used for an area in the company network that needs to be accessible from the public networks, for example email, FTP, and Web servers, but the area is not considered part of the internal private network. Servers in the DMZ typically have publicly routable IP addresses, or should use advanced NAT within the security gateway.
Management zone: The Management zone is used to simplify network deployments and to eliminate enterprise network dependencies on switches or routers. The management network interface is usually used as an access point for a dedicated VPNmanager management station, or as a dedicated interface for dumping log messages to a syslog server.

Table 1: Network zones (media type by platform)
- Ethernet0: SG5 and SG5X: Public; SG200: Public; SG203: Private; SG208: Private.
- Ethernet1: SG5 and SG5X: Private; SG200: Private; SG203: Public; SG208: Public.
- Ethernet2: SG5 and SG5X: NA; SG203 and SG208: Unused, Public backup, Private, Semiprivate, DMZ, or Management (the SG200 cell was not recoverable from the extraction).
- Ethernet3 and above (the upper interface number is illegible in the extraction): SG5 and SG5X: NA; SG200: NA; SG203 and SG208: Unused, Public backup, Private, Semiprivate, DMZ, or Management.
59. direction (inbound/outbound) and types of allowed FTP traffic, but does have the potential to expose a large number of ports behind the firewall to outside snooping. An example of a fairly safe configuration would be that of allowing FTP clients on the private zone network to perform passive FTP: for example, two outbound firewall permit rules, one for FTP Ctrl and the other for Passive FTP. Both the control and the data connection are initiated from within the protected network. An unsafe configuration would be to allow unprotected external FTP servers to initiate Active FTP connections (one outbound FTP Ctrl firewall permit rule and one inbound Active FTP firewall permit rule). In this case, Active FTP allows the full range of ports within the protected network to be accessed by the outside network.
The FTP Proxy service can be incorporated into a firewall rule to concurrently support both passive and active FTP for protected FTP clients or FTP servers. Configuring an FTP Proxy rule actually creates one firewall rule to allow the initial FTP control connection and a second redirection rule for the FTP control channel. Upon receiving FTP traffic, the proxy intercepts the control channel exchanges and discovers the type of data connection to be established. It then dynamically creates the appropriate firewall pinhole rule to restrict the protected network ports to which a data connection can be established. The firewall pinholes are removed within a short period of ti
60. displayed.
- From the IP Config Mode list, select the IP addressing mode. Depending on your selection, complete the required information.
- If public backup is selected, complete the Idle Timer Settings configuration if failover is enabled.
5. Click Save when you finish.

To add an IP device to the security gateway:
1. From the Configuration Console Contents column, select the security gateway to be configured. Click the Interface tab to bring it to the front. In the property list, select the media interface that is configured with private DHCP Server. Click Edit. The Media Interface Configuration dialog is displayed.
2. Click IP Devices. The IP Device Configuration dialog is displayed.
3. Enter the following information:
- The MAC address of the IP device. If the device is an Avaya IP telephone, the MAC address is on the back of the telephone.
- The IP address. This IP address must be within the same subnet as the DHCP server. Avaya recommends that you use an IP address for the device that falls into the DHCP subnet but not in the DHCP range.
4. Click Add and then click OK.

To add an IP telephony device to the security gateway:
1. Click IP Telephony. The IP Telephony Settings dialog is displayed.
2. Enter the following information:
TFTP File Path Name: The TFTP file path name is used when the TFTP file path is other than the def
61. do not contain voice traffic can affect the availability of bandwidth to voice traffic.
DSCP values are assigned. The valid range of values is 0-63. The default value is 0; this indicates that DSCP is not used for classification. Non-zero DSCP values must be unique among all the classes for one zone, because the DSCP value is the only distinguishing factor once a packet is encrypted and sent over the VPN. For example, if DSCP value 10 is assigned to the High class for media interface Ethernet0, DSCP value 10 cannot be assigned to Highest, Medium, or Low for Ethernet1. It can be assigned to the High class for Ethernet1. When a DSCP value of 0 is specified during configuration, the security gateway generates an internal non-zero DSCP value within the range of 1-63. The non-zero DSCP value generated by the security gateway cannot be used in other classes.
Source Network Objects: Traffic originating from specific networks or hosts can be selected from existing Network Objects. The source network object specifies the source IP address of the IP packets in this class.
Destination Network Objects: Traffic destined to specific networks or hosts can be selected from existing Network Objects. The destination network object specifies the destination IP address of the IP packets in this class.
Service: Traffic can be specified by predefined or user-configured services. A service specifies the IP protocol (TCP or UDP) and the source and destination ports to describe the traffic in
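The DSCP rules above (range 0-63, 0 means auto-generate, a value may not identify two different classes because it is all that survives encryption) can be checked before a configuration is pushed; the following is an added example, not code from the Avaya manual or the product. The class names, zone names and sample plan are constructed, and "generate the lowest free value" is an assumption about how the gateway picks its internal value.

```python
"""Validation of DSCP-per-class assignments for QoS classes.

Added example, not the manual's or the product's code. CLASSES, the zone
names and build_sample_plan() are constructed; _generate() assumes the
gateway takes the lowest free value, which the manual does not state."""
from typing import Dict, Optional, Tuple

CLASSES = ("Highest", "High", "Medium", "Low")   # assumed class names


class DscpConfigError(ValueError):
    """Raised for an assignment the manual's rules do not allow."""


class DscpPlan:
    def __init__(self) -> None:
        # value -> class that owns it, across every zone of the gateway
        self.owner: Dict[int, str] = {}
        # (zone, class) -> value actually in use
        self.assigned: Dict[Tuple[str, str], int] = {}

    def assign(self, zone: str, cls: str, requested: int) -> int:
        """Record the DSCP for one class on one zone and return the value
        in use: the requested one, or a generated one when 0 was given."""
        if cls not in CLASSES:
            raise DscpConfigError(f"unknown class {cls!r}")
        if not 0 <= requested <= 63:
            raise DscpConfigError(f"DSCP {requested} is outside the valid range 0-63")
        if (zone, cls) in self.assigned:
            raise DscpConfigError(f"{cls} on {zone} already has a DSCP value")
        if requested == 0:
            value = self._generate()
        else:
            owner = self.owner.get(requested)
            if owner is not None and owner != cls:
                # Same zone: a duplicate. Another zone: after encryption the
                # value would no longer identify a single class.
                raise DscpConfigError(
                    f"DSCP {requested} already identifies class {owner}; "
                    f"it cannot also mark {cls} on {zone}")
            value = requested
        self.owner[value] = cls
        self.assigned[(zone, cls)] = value
        return value

    def _generate(self) -> int:
        """Internal non-zero value in 1-63 that no class uses yet. Generated
        values are reserved, so no other class can claim them later."""
        for candidate in range(1, 64):
            if candidate not in self.owner:
                return candidate
        raise DscpConfigError("no free DSCP value left in 1-63")

    def class_for(self, dscp: int) -> Optional[str]:
        """What a receiving gateway can recover from an encrypted packet:
        the class, and only the class, that the DSCP value identifies."""
        return self.owner.get(dscp)


def is_rejected(plan: DscpPlan, zone: str, cls: str, value: int) -> bool:
    """True when the plan refuses the assignment."""
    try:
        plan.assign(zone, cls, value)
    except DscpConfigError:
        return True
    return False


def build_sample_plan() -> DscpPlan:
    """Constructed two-zone plan mirroring the manual's Ethernet0/Ethernet1 example."""
    plan = DscpPlan()
    plan.assign("Ethernet0", "High", 10)     # explicit value
    plan.assign("Ethernet1", "High", 10)     # allowed: same class, other zone
    plan.assign("Ethernet0", "Highest", 0)   # 0: gateway generates a value (1 here)
    return plan
```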
62. domain to which it is assigned.
Current VPN Membership: This section lists the VPNs to which the currently highlighted user is assigned membership.
Current User Groups: This displays a list of the User Groups to which the user belongs.
Memo tab: Memo can be used to record notes about the user, such as change history, specific computer type, etc. Information entered here is associated only with this user. This information is stored only in the database and is not downloaded to the security gateway.
Dyna Policy tab: The Dyna Policy tab is used to define an individual remote user's dyna policy, to specify the security options for how the VPN configuration information is handled on the user's computer. See Dyna Policy Defaults User tab on page 107 for how to configure it.

About creating individual dynamic policy
Actions tab: The User Actions tab is used for non-dyna-policy alternatives.
Figure 38: User's Action tab (screenshot; the User Actions shown are Export My Configuration, which exports your Dyna Policy to a file that you can then transport to the remote user's machine; Rekey User VPNs, which rekeys the preshared secret for this user's VPNs; and Reset User Directory Password)
63. drop-down list, select a unit of time.
- In the Hold Up Time text box, type in a duration that the controlling end point may have to wait for a response from the secondary end point.
11. From the Properties list, click on Hold Down Time so the hold-down time values appear.
- In the Hold Down Time drop-down list, select a unit of time.
- In the Hold Down Time text box, type in a duration that the controlling end point must wait before it switches VPN traffic from the secondary end point to the primary end point. The wait begins after the controlling end point reconnects with the primary end point.
12. Click OK to return to the Resilient Tunnel tab. Your new secondary end point appears in the Resilient Tunnel list.
13. Click Save to save your work.

Managing the resilient tunnel list
The secondary end points shown in the Resilient Tunnel List can be edited, have their sequence changed, or even deleted. The list organizes the secondary end points in the sequence in which they must be used, where the one at the top of the list is always used first.
To edit, change the sequence of, or delete a filtering policy:
1. Move to the Configuration Console window.
2. From the Device > Contents column, select the security gateway that acts as the primary end point for a tunnel.
3. Click the Resilient Tunnel tab to bring it to the front.
4. From the Resilient Tunnel List, select a specific secondary end point.
64. - Whether the security gateway dynamically builds a routing table using RIP updates. See Routing on page 81.
- Static routes, if more than one router exists on a network to which the security gateway forwards traffic.

Creating a new security gateway
Before you create and configure the security gateway, make sure that you understand how the features work. Review the information in this chapter and in Chapter 8, Establishing security.
To create a new security gateway:
1. From the VPNmanager Console main window menu, select New Object > Device. The Device Setup Wizard dialog is displayed.
2. In the Public IP Configuration section, enter the following information:
- The name of the new device.
- The IP address of the new device. Select one of the following:
  - Unknown, if the address is not known. The General tab can be used to configure this address at a later time.
  - IP Address, to enter the primary IP address of the new security gateway. Optionally, add a secondary address if VPNmanager is located on the public network. If VPNmanager is located on the private network, the secondary address is required.
  - DNS Name, to enter the name of the Domain Name Service of the new security gateway. See DNS tab on page 63.
If the device is already in the network, select the Detect Device checkbox. The default is selected.
In the Private IP Configuration section, enter the following info
65. for starting and stopping filtering services, managing the ACL, and configuring advanced filtering options. Figure 60 shows the Policy Manager for packet filtering.

Starting and stopping filtering services
To start or stop filtering services:
1. Move to the Configuration Console window.
2. From the Contents column, select the VSU where the services need to be started or stopped.
3. Click the Policies tab to bring it to the front.
4. From the drop-down list, select Packet Filtering, then click GO to open the Policy Manager for Packet Filtering window.
5. Select the Enable Packet Filtering check box to start the filtering services, or clear it to stop the services.
6. Click Save to save your work.

Managing the ACL
The filtering policies in the Access Control List (ACL) can be edited, have their sequence changed, or even deleted. A VSU starts from the top of the ACL when it begins to filter a specific packet. Keep the first policy you want to apply to the packet at the top of the list.
Note: Packet Filtering. A packet is filtered against the policies defined in the ACL list, in list order. The packet is matched against policy number 1 first, then policy number 2, then policy number 3, and so on, until the packet finds a match or it exhausts the list. If a match is found, the VSU applies the action specified in the policy to the packet. If no match is found, the VSU
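The first-match walk described in this note and the default-permit fallback stated in the ACL management steps (a packet that matches nothing is permitted) are easy to get wrong by ordering alone: a broad permit placed above a narrower deny silently disables the deny. This added example, not code from the Avaya manual or the product, evaluates a constructed ACL the same way and flags shadowed policies; the policy fields and sample packets are constructed.

```python
"""First-match evaluation of a packet-filtering ACL: policies are tried in
list order, the first match decides, and a packet that matches no policy
receives the default policy (permit).

Added example, not the manual's or the product's code. Policy fields, the
sample ACLs and the packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PERMIT, DENY = "permit", "deny"
DEFAULT_POLICY = PERMIT   # manual: "The default policy is to permit the packet"


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Policy:
    action: str
    proto: str = "any"            # "any" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

    def covers(self, other: "Policy") -> bool:
        """True when every packet matching `other` also matches self."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        src_ok = ip_network(other.src).subnet_of(ip_network(self.src))
        dst_ok = ip_network(other.dst).subnet_of(ip_network(self.dst))
        port_ok = self.dport is None or self.dport == other.dport
        return proto_ok and src_ok and dst_ok and port_ok


def filter_packet(acl: List[Policy], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down; return (action, 1-based policy number), or
    (DEFAULT_POLICY, None) when the list is exhausted without a match."""
    for number, policy in enumerate(acl, start=1):
        if policy.matches(pkt):
            return policy.action, number
    return DEFAULT_POLICY, None


def shadowed_policies(acl: List[Policy]) -> List[int]:
    """Numbers of policies that can never fire because an earlier policy
    already covers everything they match; Move Up/Move Down fixes them."""
    shadowed = []
    for j, later in enumerate(acl, start=1):
        if any(earlier.covers(later) for earlier in acl[: j - 1]):
            shadowed.append(j)
    return shadowed


# Constructed ACL with an ordering mistake: the broad permit sits above the
# narrower deny, so policy 2 never fires.
ACL_WRONG = [
    Policy(PERMIT, src="10.0.0.0/8"),
    Policy(DENY, proto="tcp", src="10.0.0.0/8", dport=23),
]
# The same policies with the narrower deny first, as the manual advises.
ACL_RIGHT = list(reversed(ACL_WRONG))

TELNET = Packet("tcp", "10.1.2.101", "203.0.113.5", 23)
# Resilient-tunnel heartbeat (UDP 1643, from the manual); it matches nothing
# in ACL_RIGHT and therefore falls through to the default permit.
HEARTBEAT = Packet("udp", "192.0.2.7", "10.1.2.1", 1643)

if __name__ == "__main__":
    print(filter_packet(ACL_WRONG, TELNET))     # ('permit', 1)
    print(filter_packet(ACL_RIGHT, TELNET))     # ('deny', 1)
    print(shadowed_policies(ACL_WRONG))         # [2]
    print(filter_packet(ACL_RIGHT, HEARTBEAT))  # ('permit', None)
```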
66. for the target type.
- Locate This IKE Certificate Policy: Allows you to specify the placement of the IKE Certificate Policy in the IKE Certificate Usage list.

To assign a target for a certificate:
1. From the Device > Contents column, select the VSU containing the certificate needing a target.
2. Click the Policies tab to bring it to the front.
3. From the drop-down list, select IKE Certificate Usage, then click GO to open the Policy Manager for IKE Certificate Usage.
4. Click Add to open the Add IKE Certificate Policy.
5. From the Number drop-down list, select which VSU certificate you want to configure.
Note: A VSU can dynamically store up to eight certificates. To identify how many certificates exist, click Cancel to return to the IKE Certificate Usage window, then from the Type of Policy drop-down list select My Certificates.
6. In the Description text box, type in information about the target. If the target is a VSU, typing in its name could be useful.

Policy Manager My Certificates
7. From the Target Type drop-down, select the type of target for the certificate:
IP Address: Select to show the Enter Target Address text boxes. Type in the address of any IKE-compatible device as a target. Typically this is a VSU.
VPN: Select to show the Select Target VPN list. VPN objects that have been created appear in the list. Select a specific VPN to be a target for the cert
67. hosts. This feature provides a fault-tolerant infrastructure that minimizes the downtime of the protected network. The fault-tolerant infrastructure is achieved by pairing two like VSUs together to form an HA group. The HA group is comprised of a primary (or active) security gateway and a secondary (or passive) security gateway. Only one instance of the security gateway is visible in the security gateway contents list. The active security gateway is listed, with the passive security gateway visible in the Members pane of the High Availability tab. Because configuration within the HA group is identical, only the primary security gateway of the HA group is displayed.
Figure 72: High Availability (screenshot of the VPNmanager Console High Availability tab, showing the Members pane with Add and Status)

Preparing devices for high availability (VPNos 3.x)
This check box is used to prepare devices running VPNos 3.x for high availability (HA). Use this check box after you have confirmed that the public and private VSUs in the HA group have been configured to deny all non-VPN traffic. Beginning with VPNmanager 3.2, Deny all Non-VPN Traffic is the default selection. For additional information about configuring the security gatew
68. how the Dyna Policy configuration data (VPN session parameters) are handled on the remote user's computer. See Dyna Policy Defaults User tab on page 107.
Dyna Policy Defaults Global: The Dyna Policy Defaults Global tab is used to define the Dyna Policy defaults for the maximum number of login attempts a remote client can make before being locked out for a predetermined time in minutes. See Dyna Policy Defaults Global tab on page 108.
Figure 11: Preferences, Dyna Policy Global Tab (screenshot; shows Number of allowable login attempts by client: 3, and Client will be locked out for 1 minutes if all login attempts fail)
Dyna Policy Authentication: The Dyna Policy Authentication tab offers a selection of how user authentication and Client Configuration Download (CCD) are performed. The choices are Local (security gateway based), RADIUS, or LDAP. Whichever method is selected is global across the entire VPN. Selection is made by clicking on the desired radio button. See Configuring a remote user object on page 118 for details about configuring Dyna Policy.
Figure 12: Preferences, Dyna Policy Authentication Tab (screenshot)
69. if your routers are marking packets with the predefined Expedited Forwarding mark. The EF mark assures that a packet does not get promoted or demoted to a specific packet forwarding behavior.
8. Continue to use the Packet Filtering Policy Wizard to define the remaining parameters of your packet marking rule. Some of the parameters are listed in Table 14. Packets which match the values of these parameters get their ToS field changed to the QoS Mark selected in Step 7.

Table 14: Parameters used in a Packet Marking Rule
Traffic Type: Use the Traffic Type controls to configure which IP protocol the rule must contain.
Source Address: Use the From Where controls to configure which source address the rule must contain.
Destination Address: Use the To Where controls to configure which destination address the rule must contain.
VSU Interface: Use the Interface drop-down list to apply the rule to the VSU public, private, or Tunnel interface.
Direction: Use the Direction drop-down list to apply the rule to packets that are entering or exiting the VSU.

9. Continue using any remaining controls in the wizard to complete your new rule.
10. Click Finished to return to the Policy Manager for Packet Filtering window.
11.
70. it to the front.
3. From the Properties column, select Private IP Address to display the address controls.
4. Select the Enable Private IP Address check box.
5. In the Private IP Address text boxes, type in the second address assigned to the VSU.
6. In the Private IP Mask text boxes, type in a subnet mask for the address.
7. Select the Use this address when directly communicating with this device check box if you want the VPNmanager Console to use this address for communicating with the VSU.
8. Click Save, or if you want to send the configuration to the VSU, click Update Devices.

Send Device Names
Send VSU Names is an advanced control for managing how remote clients get their Dyna Policies. The Dyna Policy can be stored locally on one or more VSUs, on the Directory Server, or on a RADIUS Server. If the policies are stored locally on VSUs, the VSUs in the domain must identify themselves to each other so they can share their database of Dyna Policies.
To select a VSU name distribution method:
1. From the Device > Contents column, select the VSU you want to configure.
2. Click the Advanced tab to bring it to the front.
3. From the Properties column, select Send VSU Names to display the sending options.
4. Select one of the options:
- Send all VSU names: Select this option so each VSU in the domain identifies itself to the other VSUs. Use this option if one or more VSUs are storing Dyna Policies locally.
71. (Figure: screenshot of the Interface tab; the IP Devices Configuration table columns are MAC Address, IP Address, TFTP Server IP, File Path, two columns illegible in the extraction, and Status)
If you plan to use the security gateway's private port local DHCP server capability to support the IP devices connected to your LAN (the default), be sure to complete the DHCP setup under the Local DHCP Server portion of the screen.
Local DHCP Server: This portion of the screen is used to configure the security gateway as a DHCP server on the private port. The IP Address range must be configured and should fall within the range of the private IP Address subnet. The domain name is provided, and the WINS server can be configured. When deploying the security gateway, you need a unique DHCP range for each security gateway on the VPN.
Note: Changing the DHCP Server IP address may result in losing connectivity to the security gateway if the VPNmanager is on the private side of the security gateway. Also, all active DHCP clients may require renewal through an OS utility (e.g., using winipcfg or ipconfig in Windows) or rebooting.
Note: When changing the DHCP IP address range, execute an ipconfig release and renew command.
IP Devices Configuration: The table displays a list of all IP devices currently supported by the DHCP server. The device MAC Address and IP Address are listed, along with information r
72. lifetime defines the extent to which a single set of cryptographic keys is used when applying VPN services to IP packets. Lifetimes are either time-based or based on throughput. Time-based lifetimes are based on the amount of time that the keys are used without a key change. Throughput lifetimes are defined by the amount of data that is acted on by a set of keys. Enter a numerical value and select a unit of measure for both time-based and throughput lifetimes. Whichever occurs first triggers the new key.
Note: For time-based lifetime, the following are the minimum values in each category: Day 1, Minutes 1, and Seconds 60.
DH Group (Diffie-Hellman Group): Diffie-Hellman groups define the cryptographic key strengths used during IPSEC negotiations. The level of security increases as the DH group number increases. Using a higher-level DH group results in longer key exchange times.
- Group 1: Key strength 768-bit. Platform support: SG5, SG5X, SG200, SG203, and SG208.
- Group 2: Key strength 1024-bit. Platform support: SG5, SG5X, SG200, SG203, and SG208.
- Group 5: Key strength 1536-bit. Platform support: SG5, SG5X, SG200, SG203, and SG208.
- Group 14: Key strength 2048-bit. Platform support: SG203 and SG208.
See RFC 2409 for more information on Diffie-Hellman Groups.
Locate This IPSec Proposal: Establishes the IPSec proposal rank in the negotiating list. The first proposal in the list is the first attempted to be ne
method used.

Issue 4, May 2005
Configuring remote access users

Using local authentication
If the security gateway is used for authenticating remote users for CCD, deliver the following pairs to the respective users:
- NAME: The name created in Step 2.
- PASSWORD: The password created in Step 3.

Using RADIUS authentication (VPNos 3.X and VPNos 4.31)
If a RADIUS server is used for authenticating remote users for CCD, deliver the following pairs to the respective users:
- NAME: The name created in Step 2.
- PASSWORD: The password stored in the user's record on the RADIUS server.

Using LDAP authentication (VPNos 3.X only)
If the directory server is used for authenticating remote users for CCD, deliver the following pairs to the respective users:
- NAME: The name created in Step 2.
- PASSWORD: The password created in Step 2.

Using Policy Manager for user configuration
From the VPNmanager Policy Manager property, you can configure the client IP address pool for the remote users and define to users when they log on (VPNos 3.x and VPNos 4.31 only). You can configure the RADIUS/ACE services.

Client IP address pool configuration
Access control devices (ACD), such as firewalls, guard the networks from unauthorized users. Analyzing source addresses is one method ACDs use to decide which packets can enter the network. ACD is a problem for VPNremote Client users: the addresses which ISPs dynamically assign to VPNremote Clients are naturally blocked bec
more hosts with fewer public addresses.
- Hide host addresses for security reasons.

This configuration allows up to 254 private addresses from the 10.0.0.0/8 network to be dynamically mapped to public addresses from the N1.N2.N3.0/24 network.

Each NAT mapping is assigned to an interface. The rules for applying address translations to a packet entering or leaving an interface are:
- When a packet is routed out on an interface, away from the security gateway, the source address of the packet is modified.
- Conversely, when a packet comes in on an interface, toward the security gateway, the destination address of the packet is modified.

Setting up the network

In the example shown in Figure 28, when client 10.1.2.101 initially sends a packet to a host on the public network, the security gateway dynamically maps the client's private address (10.1.2.101) to a public address selected from the N1.N2.N3.0/24 address pool. Since the packet is going out the public interface, the security gateway changes the packet's source address (10.1.2.101) to its assigned public address (N1.N2.N3.X). When the public host receives the packet, it sends a reply to N1.N2.N3.X. The reply packet is routed into the security gateway through the public interface; the security gateway changes the packet's destination address back to the client's private address (10.1.2.101) before sending the packet back to the client. The public address assigned to
necessary to verify the VPNmanager Certificate; the Signing Certificates are for the VPNmanager Console to verify the security gateway Certificate.

Certificate Revocation List checking looks to a directory server maintained by CAs to validate a new certificate by searching a list of no-longer-valid digital certificates.

Direct Configuration Interface (DCI) is an Avaya Inc. proprietary protocol developed to facilitate passing setup and configuration data between the VPNmanager console and the security gateway. DCI traffic can pass in the clear if the LAN on which they both reside is behind a firewall, or over SSL if not.

Data Encryption Standard (DES) is a block cipher algorithm created by IBM, used to rapidly encrypt large amounts of data at one time. The technique uses a 56-bit key and operates on blocks of 64 bits. See Triple DES on page 318.

Diffie-Hellman: A popular mechanism used to define the mathematical parameters used during IKE negotiations. Group 1 specifies use of a 768-bit modulus, Group 2 a 1024-bit modulus. Group 2 is more secure.

Digital Certificate: An electronic document used to establish a company's identity by verifying its public key. Digital Certificates are issued by a certificate authority.

DNS: The network service that converts text-based names into numeric IP addresses and vice versa.

Domain: A VPN Domain is a collection of Virtual Private Network devices that compose a Virtual Private Network.

Dyn
Table 8: Deriving the Group Mask

Addresses in the contiguous range | Start from an IP address that meets these specifications (HHH = any octet value, n = the constrained octet) | And use this mask
8 | HHH.HHH.HHH.n, n a multiple of 8 (e.g. 130.57.4.8 or 130.57.4.16) | 255.255.255.248
16 | HHH.HHH.HHH.n, n a multiple of 16 (e.g. 130.57.4.16 or 130.57.4.32) | 255.255.255.240
32 | HHH.HHH.HHH.n, n a multiple of 32 (e.g. 130.57.4.32 or 130.57.4.64) | 255.255.255.224
64 | HHH.HHH.HHH.n, n a multiple of 64 | 255.255.255.192
128 | HHH.HHH.HHH.n, n zero or 128 (e.g. 130.57.4.128) | 255.255.255.128
256 | HHH.HHH.HHH.0 (e.g. 130.57.4.0) | 255.255.255.0
512 | HHH.HHH.n.0, n a multiple of 2 (e.g. 130.57.2.0 or 130.57.4.0) | 255.255.254.0
1024 | HHH.HHH.n.0, n a multiple of 4 (e.g. 130.57.4.0 or 130.57.8.0) | 255.255.252.0
2048 | HHH.HHH.n.0, n a multiple of 8 (e.g. 130.57.8.0 or 130.57.16.0) | 255.255.248.0
4096 | HHH.HHH.n.0, n a multiple of 16 (e.g. 130.57.16.0 or 130.57.32.0) | 255.255.240.0
8192 | HHH.HHH.n.0, n a multiple of 32 (e.g. 130.57.32.0 or 130.57.64.0) | 255.255.224.0
16384 | HHH.HHH.n.0, n a multiple of 64 (e.g. 130.57.64.0 or 130.57.128.0) | 255.255.192.0
32768 | HHH.HHH.n.0, n zero or 128 (e.g. 130.57.128.0) | 255.255.128.0
65536 | HHH.HHH.0.0 (e.g. 130.57.0.0) | 255.255.0.0
Etc.

Configuring an IP Group
To co
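The Table 8 rule in code, added here as an illustration (it is not the guide's or Avaya's code): given the size of a contiguous range it returns the mask, checks that a chosen start address meets the "n a multiple of ..." requirement, and shows the first and last address the resulting pair admits, which is what the New IP Network / New IP Mask fields of the Add IP Group dialog describe. Function names are the example's own; the sample addresses are the ones Table 8 lists.

```python
"""Added example, not from the Avaya guide: the Table 8 rule in code. Given a
contiguous address count it returns the mask, and it checks that a chosen
start address is aligned the way the table requires (the octet value n is a
multiple of the block size). Only the standard library is used."""
from __future__ import annotations

import ipaddress


def _prefix_for(count: int) -> int:
    """Prefix length that covers exactly `count` addresses. Only powers of two
    can be expressed by a single address/mask pair, so anything else is
    rejected instead of being silently rounded up."""
    if count < 1 or count & (count - 1):
        raise ValueError(f"{count} is not a power of two; use several pairs")
    return 33 - count.bit_length()   # 8 -> /29, 256 -> /24, 512 -> /23


def group_mask(count: int) -> str:
    """Dotted mask from Table 8: 8 -> 255.255.255.248, 512 -> 255.255.254.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{_prefix_for(count)}").netmask)


def start_is_aligned(start: str, count: int) -> bool:
    """True when `start` may begin a `count`-address group. This is the
    'n a multiple of ...' rule applied to the whole 32-bit address: every host
    bit under the mask must be zero, which strict=True enforces."""
    try:
        ipaddress.IPv4Network(f"{start}/{_prefix_for(count)}", strict=True)
        return True
    except ValueError:
        return False


def suggest_start(start: str, count: int) -> str:
    """Nearest aligned start at or below `start`, i.e. one Table 8 accepts."""
    net = ipaddress.IPv4Network(f"{start}/{_prefix_for(count)}", strict=False)
    return str(net.network_address)


def ip_group_member(start: str, count: int) -> tuple[str, str, str]:
    """(network, mask, last address) for the New IP Network / New IP Mask
    fields of the Add IP Group dialog. The last address makes visible exactly
    which hosts the pair admits: a larger mask means a smaller range."""
    mask = group_mask(count)   # rejects counts that are not powers of two
    if not start_is_aligned(start, count):
        raise ValueError(f"{start} does not meet the Table 8 rule for {count} "
                         f"addresses; nearest valid start is "
                         f"{suggest_start(start, count)}")
    net = ipaddress.IPv4Network(f"{start}/{mask}", strict=True)
    return str(net.network_address), str(net.netmask), str(net.broadcast_address)


if __name__ == "__main__":
    for start, count in (("130.57.4.8", 8), ("130.57.2.0", 512), ("130.57.4.12", 8)):
        try:
            print(start, count, "->", ip_group_member(start, count))
        except ValueError as exc:
            print("rejected:", exc)
```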
of general firewall rules, or templates. Which set of rules you select depends on the interface zones that are configured and your general network requirements. The firewall templates can be used in their default state or as the basis from which a user-defined template can be created. A brief description of the firewall templates is included in this chapter.

Firewall rules
Firewall rules can be defined at the domain level for all devices, for a specific device, or for a device group. The security gateway uses a rules-based method of packet inspection where the priority of each rule is determined by its position in the list (highest is top priority). The first match determines the fate of the packet (permit or deny). If no matching rule is found, the default action is to permit the packet.

Domain-level firewall rules
Domain- or global-level firewall rules apply to all devices, to device groups, and to specific devices within the domain.

Firewall rules set up
You select View > Firewall to add domain firewall rules. You can apply common rules to all or some of the devices within the domain when firewall rules are added at the domain level. When firewall rules are applied at the domain level, they can be applied to several devices at the same time, which can reduce the complexity of defining security for each device.

To create domain-level firewall rules
1. From the Firewall tab
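A minimal model of the rule semantics stated above (top-down evaluation, first match decides, implicit permit when nothing matches), added as an illustration rather than taken from the guide or the product: it shows a narrower deny placed below a broader permit never firing, and includes a check that lists such shadowed rules. The Packet and Rule classes, their field names and the sample rule sets are constructed for the example.

```python
"""Added example, not from the Avaya guide: a minimal model of the rule
semantics stated above (top-down evaluation, first match decides permit or
deny, implicit permit when nothing matches). Field names, the Packet/Rule
classes and the sample rules are constructed for illustration and are not
the product's own rule format."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int | None = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # "Any"
    dst: str = "0.0.0.0/0"      # "Any"
    proto: str | None = None    # None matches any protocol
    dport: int | None = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: list[Rule], p: Packet) -> tuple[str, str]:
    """Return (action, rule name). List position is priority: the first rule
    that matches wins and later rules are never consulted. With no match the
    documented default applies, which is permit."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "permit", "<implicit default>"


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Names of rules that can never fire because an earlier rule already
    covers every packet they would match. First-match ordering makes this
    mistake easy and silent, so it is worth checking mechanically."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            src_covered = ipaddress.ip_network(later.src).subnet_of(
                ipaddress.ip_network(earlier.src))
            dst_covered = ipaddress.ip_network(later.dst).subnet_of(
                ipaddress.ip_network(earlier.dst))
            if (src_covered and dst_covered
                    and earlier.proto in (None, later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample rule sets. MISORDERED puts a broad permit above the
# narrower deny it was meant to carve out; CORRECTED puts the deny first and
# ends with an explicit catch-all so nothing depends on the implicit permit.
MISORDERED = [
    Rule("AllowPrivateOut", "permit", src="10.1.0.0/16"),
    Rule("BlockTelnetOut", "deny", src="10.1.0.0/16", proto="tcp", dport=23),
]
CORRECTED = [
    Rule("BlockTelnetOut", "deny", src="10.1.0.0/16", proto="tcp", dport=23),
    Rule("AllowPrivateOut", "permit", src="10.1.0.0/16"),
    Rule("DenyRest", "deny"),
]
TELNET_OUT = Packet("10.1.2.101", "203.0.113.5", "tcp", 23)
SNMP_IN = Packet("192.0.2.9", "10.1.2.101", "udp", 161)   # matches no explicit rule

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, evaluate(rules, TELNET_OUT), evaluate(rules, SNMP_IN),
              "shadowed:", shadowed_rules(rules))
```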
of the next router that leads to your other LANs. Click Add to List to put the router's address into the IP Address of Next Hop list box.
10. Click Next to move to the Add Network/Mask Ranges for this Next Hop Address options.
11. In the Network field, type in the network address for the LAN that is beyond the next-hop router.
12. In the Mask text boxes, type in the subnet mask for the network address.
13. Click Add to List to put the address/mask pair into the Current Network/Mask Pairs for this Hop list box, which also associates the pair with the IP address of the next-hop router.
14. Click Finished to return to the Static Route tab.
15. Click Save.
16. When you want to send the configuration to one or more security gateways, click Update Devices.

Default Gateway for VPN Traffic (VPNos 3.X)
The default gateway for VPN traffic policy allows the administrator to specify a gateway that is used for either decrypted traffic, encrypted traffic, or both. Beginning with VPNos 4.5, the default gateway for VPN traffic policy allows the administrator to specify a gateway that is used for decrypted traffic only. This configuration is commonly applied to a VSU in the following topology.

Figure 27: Common Default Gateway for VPN Traffic topology (network diagram; Ethernet segment)

Figure 27 shows the default gateway of the VSU as R4, the Internet gateway
other VRRP implementations on the network. The values for the Group ID can range from 0 to 255.

Pass Phrase
Beginning with VPNos 4.5, the pass phrase value is a character text string used as the authentication key to generate the SHA1 message that is used to verify the CARP advertisements. The maximum length of the pass phrase character string is 20 characters.

Third point of reference hosts
If the network requirements do not permit having the private interface and the public interface plugged into the same network device, configure Third Point of Reference Hosts (TPRH). In this network configuration, and before a passive member can become active, the passive member must be able to ping the TPRHs on both the private and public interfaces. The TPRH connectivity is configurable from the High Availability Advance dialog box. One TPRH must be configured, and up to 8 hosts can be configured for each interface.

Members
The Members table displays all configured members in the HA group. By default, the primary member displays an active status while the secondary and remaining members display a passive status. The Members table also displays the primary, secondary, last update, current config and status of each member in the HA group.
- Refresh: Displays the current status of each member of the HA group.
- Public: Displays the public IP address of the HA group.
- Private: Displays the private IP address of the HA group.
- Last Update
outgoing packets as follows.

Incoming traffic to the public zone that is allowed includes:
- VPN packets from private, DMZ, Management or Semi-private zones
- ICMP unreachable packets
- Publicly accessible DMZ services; allowed services include ping, FTP, SSH, Telnet, HTTP, HTTPS, POP3, IMAP, SMTP, NNTP and DNS
All other incoming traffic is blocked.

Outgoing traffic from the public zone that is allowed includes:
- Outgoing VPN traffic
- ICMP unreachable
- Ping from any IP to any
- DNS from any IP to any
All other outgoing traffic is blocked.

Public zone firewall templates
- Common services originating from all internal networks (private, DMZ, management and semi-private)

The medium security policy for the public zone is the same as that of the high security policy. The low security policy allows all the traffic allowed for medium security; in addition, all TCP/UDP packets from all networks are allowed to go out.

Table 31: Public high and medium security firewall rules
(Columns: Rule Name, Action, Source, Destination, Service, Direction, Zone, Keep State, Description)

Rule Name: InBoundPublicAccess
  Action: Permit; Source: Any; Destination: PublicIP; Service: IKE IN, IKE AVAYA IN, IPSEC NAT T IN, AH, ESP, ICMPDEST UNREACHABLE; Direction: In; Zone: Public; Keep State: no
  Description: Permit incoming VPN traffic and ICMP unreachable packet

Rule Name: InBoundPublictoDMZAccess
  Action: Permit; Source: Any; Destination: DMZNet; Service: ICMPECHO REQUEST, SSH, TELNET, FTP CTRL, BERT
protocol is documented in an Internet Engineering Task Force (IETF) Request for Comment (RFC), specifically RFC 2058.
- Client/Server Model: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
- Network Security: Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. Additionally, user passwords are sent encrypted between the client and RADIUS server to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.
- Flexible Authentication Mechanisms: The RADIUS server can support a variety of methods to authenticate a user. When given the user name and the original user password, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms, some of which include the use of cryptographically strong tokens. These tokens use a two-factor approach to authentication: the first is a Personal Identification Number (PIN); the second is a value taken from
requests from the network behind the device to the DHCP server(s) on the public network. The IP devices are supported in the case of DHCP relay. To configure the IP devices, configure them from the Local DHCP Server, return to the DHCP Relay, and save.

Note: When the security gateway is acting as a DHCP Relay, the security gateway cannot be a DHCP server at the same time. DHCP Relay and DHCP Server services are mutually exclusive.

When the DHCP Relay agent receives DHCP client requests from the private port, the DHCP server(s) create new DHCP messages and forward the messages to the DHCP server(s) on the public network. The DHCP server(s) on the public network send DHCP offer messages that contain the IP addresses to the DHCP Relay agent. The agent broadcasts the DHCP offer messages to the DHCP clients.

Important: The remote DHCP server(s) and the device's private port IP addresses must be part of the VPN in order for the DHCP Relay process to begin.

The Fallback to Local DHCP Server option allows the DHCP server to revert, or fall back, to the Local DHCP Server if the DHCP Relay is not functioning.

Note: In order for the security gateway to support the DHCP Relay Fallback feature, Local DHCP Server must be configured. IP Devices are not supported in Fallback mode.

None
Select None to configure the security ga
rules for each zone are enforced according to the type of zone being protected. How the template rules are applied to a zone is described in this appendix. The Firewall engine uses a rule-based method of packet filtering, where the priority of the rule is determined by its position in the list (first is highest priority).

Note: The common services referred to in this appendix include all of the following:
- Ping
- FTP control, Passive Data FTP
- SSH, TELNET
- HTTP, HTTPS
- POP3, IMAP, SMTP and NNTP

High Security
Selecting high security enforces a set of rules that try to protect the security gateway itself and the internal network zones. For high security, the following policy is defined:
- Private networks and management networks are considered internal networks and can initiate connections to access common services on the Internet.
- Except for access to the DMZ zone, traffic initiated from the Internet is denied.
- VPN outgoing and incoming traffic is allowed.
- DMZ common services can be accessed from all interfaces. The DMZ network cannot initiate any traffic.
- The semi-private zone is not considered completely trusted. Access from semi-private to private zones is allowed only if it is VPN traffic. All other incoming traffic is blocked.

Firewall rules template

Medium Security
Selecting medium security enforces the same security policy as high security for all zones except the semi-private zone. T
's authorization provider be set to LDAPuser or SuperUser/LDAPuser (default). When a new configuration is downloaded to the VSU, the VSU authorization provider is reset to SuperUser/LDAPuser regardless of the previous setting. The next time VPNmanager attempts to connect, it may use either the SuperUser account or the VPNmanager user's LDAP account.

Advanced SuperUser Password OFF: only LDAP authentication is allowed. The VSU only attempts to authenticate VPNmanager via the user's LDAP account. A successful connection requires that the VSU authorization provider be set to LDAPuser or SuperUser/LDAPuser (default). When a new configuration is downloaded to the VSU, the VSU authorization provider is reset to LDAPuser no matter the previous setting. The next time VPNmanager attempts to connect, it must use the VPNmanager user's LDAP account.

If VPNmanager has been incorrectly set with VSU Advanced SuperUser Password OFF and no LDAP server user account is configured or available, you must access the VSU console and reset the authorization provider. Before re-attempting to connect, the VPNmanager must set VSU Advanced SuperUser Password back to ON; otherwise only a single connection is authenticated, and with the SuperUser password left in the OFF position the VSU only allows LDAP authentication on the next attempt.

Device Advanced

Note: The VSU determines what type of authentication it permits, but this is de
selected (IKE or SKIP).

General tab with IKE
If the VPN type selected is IKE, the following General tab appears.

Figure 45: VPN General Tab, IKE (screenshot of the VPNmanager Configuration Console VPN General tab, showing the Members, IP Groups, Security and Advanced tabs and the IKE settings: Encryption Algorithm, Authentication Algorithm, Lifetime Time Based, Lifetime Throughput, Diffie-Hellman Group)

From the General tab you can configure the following information.

Certificate Based: Certificate-based authentication is the most secure key management method used to construct a VPN, but requires greater setup effort than the Preshared Secret method.

Preshared Secret: Preshared Secret authentication is the simplest key management method used to construct a VPN. Authentication key exchanges between security gateways in the VPN are based on a single pre-shared secret known to all security gateways in the VPN.

Using the VPN tabs

Enable VPN: When this box is checked and the security gateway has been updated, the VPN is active. Unchecking the box disables the VPN, and is typically used during the troubleshooting process.

Default VPN: When this box is checked, this VPN is the default VPN for the domain. Only one
split tunneling option and the security option. You can configure User Groups to set up and maintain logical groups of users.

VPN
A VPN object is the method used to link security gateways, remote terminals, and LAN terminals in a fully configured virtual private network. Creating a VPN involves naming each VPN, adding users and user groups, and adjusting the IKE and IPSec security protocols for VPN traffic.

Preparing to configure your network

Security policies
VPNmanager security policy management provides the following security features that can be configured:
- Firewall rules
- Denial of Service (DoS) categories
- Quality of Service (QoS) rules
- Bandwidth management
In addition, encryption security options include Internet Key Exchange (IKE) with the IP Security protocol (IPSec). It applies globally to the VPN.

Firewall policies
VPNmanager firewall policy management includes domain firewall rules, device firewall rules, and firewall templates. The VPNmanager software provides multiple firewall templates that can be used as a general rule set or as a starting point for creating a customized firewall template. You can apply these templates at the domain level for all security gateways, for a specific gateway, or for a defined group. The integrated SMLI (Stateful Multi-Layer Inspection) Firewall supports firewall rule criteria based on the following:
- Source/Destination IP add
the Icon tool bar, click Devices to list all security gateways in the Contents column.
3. From the Contents column, select the security gateway that requires the administrator passwords reset.
4. Click the Management tab to bring it to the front.
5. Select Reset Password to see the configuration reset buttons. You can reset the super user, root user, or monitor user password.
6. Click Reset for the administrator user that should be changed. The Reset Password dialog is displayed.
7. Enter the new password. The password must be a minimum of six characters.
8. Click OK. The new password is automatically reset on the security gateway.

Using the Connectivity tab
The Device > Connectivity tab provides basic communications testing (Ping) between the VPNmanager workstation and a security gateway, or between the VPNmanager and an address or DNS server.

Device management

Figure 85: The Connectivity tab for a security gateway (screenshot: Check Connectivity by Ping, Check Connectivity by Proxy Ping, Ping IP Address, DNS Host Name, Proxy Ping results)

Two methods for testing the connectivity of a security gateway are:
- Ping between the VPNmanager workstation and a security gat
the Internet, usually by way of a wide area network (WAN). When VPNmanager is used, the security gateway must be configured with a static IP address. Only one public zone is configured on the security gateway, and the configuration for this zone cannot be changed from VPNmanager.

Public backup
The public backup network interface is used in conjunction with the Failover function on some security gateway models (see Failover on page 226) to configure failover. If a public backup network interface is configured and the public primary network interface cannot reach the Internet, the failover module deactivates the public primary interface, activates the public backup interface, and then redirects all encrypted traffic to this link. Only one public backup zone can be configured on the security gateway.

Note: If the public zone and the public backup zone are both configured, only one zone can operate at a given time. To have the interface automatically revert to public, you can configure the Idle Timer Settings. When you enable the idle timer, if no VPN or other traffic flows through the public backup in the configured amount of time, the public primary interface is automatically reestablished. If the idle timer is enabled, select Ignore Non-VPN Traffic if you do not want non-VPN traffic to reset the idle timer. Only one public backup zone can be configured on the security gateway.
the front. Select NAT from the list. Click GO. The NAT Rules dialog is displayed.
2. Click Add to open the Add NAT Rule dialog box.
3. From the Translation Type list, select a translation type.
4. From the Translation will be applied on list, select which interface needs the NAT rule.
5. In the Original Address and Original Mask text boxes, type in the original address and mask.
6. Do one of the following:
   - In the Translated Address and Translated Mask text boxes, type in the translated address and mask.
   - If the Translation Type is port, type in the Port Range in the enabled boxes.
7. From the Locate This Translation Rule options, do one of the following:
   - Select Beginning of List to put the new rule at the beginning of the NAT Rule list shown in the Policy Manager for NAT window.
   - Select End of List to put the new rule at the end of the NAT Rule list shown in the Policy Manager for NAT window.
   - Select After Selected Item to put the new rule after a specific rule that was selected from the NAT Rule list shown in the Policy Manager for NAT window.
8. If you want, in the Memo text box type in a comment about this rule.
9. If you want to create this rule without making it active, select the Add this translation rule without enabling it check box.
10. Click OK to return to the Policy Manager for NAT window.
11. If you
the network interfaces in the security gateway.
Flow Table: Shows secure traffic packet flow information for the VPN.
SA Table: Shows secure traffic security association information for the VPN.
Interface Table: Shows MAC address information for all network interfaces in the security gateway.
Interface Configuration
Socket Table: Shows the active connection (UDP and TCP) state table of the security gateway. Each entry contains the IP address and port information for the connection.
Network Memory: Shows network memory usage information and any errors that occur in network memory allocation.
System Memory: Shows the memory table for the kernel processes that are running in the security gateway.
Interrupts Stats: Shows the interrupt counters that the security gateway handles.

Monitoring your network

Table 30: Diagnostic Reports (continued)
Report Type: Description
Firewall State: Shows information about each firewall rule configured in the security gateway.
Firewall Timers: Shows firewall timer information for the various IP protocols.
Process Table: Shows information about all user processes that are currently running in the security gateway.
Protocol Stats: Shows information about the network traffic that the security gateway handles. Information is presented according to the type of protocol.
Route Stats: Shows network routing table statistics.
System Stats: S
the original TEP. Beginning in release VPNos 4.4, the failover reconnect option can be set using the failover advanced settings. The failover advanced settings include preserve current remote tunnel end point (RTEP) and restore primary remote tunnel end point (RTEP). If a system reboot occurs, the failover proxy inspects the failover reconnect value. If the value is set to preserve current RTEP, the failover proxy remains at the current value, allowing the security gateway to remain connected to the RTEP in use prior to the system reboot. If the value is set to restore primary RTEP, the failover proxy retrieves the information for the original RTEP and restores the RTEP to the original values.

To set up failover reconnect
1. From the VPNmanager Configuration Console, select the Failover object. The Failover tab appears.
2. From the Failover > Contents column, select the device to configure.
3. Select the appropriate failover reconnect option:
   - Preserve current RTEP: In the event of tunnel failover, leave the current remote tunnel endpoint in effect following a system reboot. In previous releases of VPNos 4.x, a system reboot would not restore the original RTEP.
   - Restore primary RTEP: In the event of tunnel failover, restore the original primary remote tunnel endpoint in effect following a system reboot. Beginning with VPNos 4.4, restore primary RTEP is the default setting. If restore pr
the same VPN domain. However, IP Groups can also be associated with security gateways that belong to other VPN domains. For example, IP Groups can be associated with your organization's customers, suppliers, or other IKE/IPSec-compatible devices.

Note: For a detailed explanation about extranets, see Exporting a VPN object to an extranet on page 158.

To configure an IP Group that is associated with an extranet
1. From the VPNmanager Console main window, click the IP Group icon from the Icon toolbar. The Contents column displays a list of existing IP Groups.
2. From the Contents column, select the IP Group to be configured.
3. Click the General tab to bring it to the front. Click Add. The Add IP Group dialog is displayed.
4. Configure the address/mask pair:
   - New IP Network: Type in the network address for a LAN.
   - New IP Mask: Type in a mask to define the range of addresses that will become members of the IP Group. The larger the mask, the smaller and more focused the address range will be. The method is just like masking a subnet.
5. Click Apply, then Close to return to the General tab. Your new pair appears in the Members list.
6. From the Associate this group with area, select Extranet device.
The security gateway selected should be one that is protecting the LAN containing the IP Group.
9. In the Extranet IP Address box
the token. An example of a two-factor authentication mechanism is the SecurID token card and ACE/Server (AccessManager) by RSA Security.

Some RADIUS server implementations use several files to manage the database of information needed to provide client authentication. A number of these files must be modified to use the VSUs as a NAS within a RADIUS environment.

Add RADIUS/ACE server
Authenticating secret password: Enter the authenticating password, followed by a retype.
RADIUS server data:
- IP Address: Enter the IP address of the RADIUS/ACE server.
- UDP Port: Enter the UDP port of the server. The default value is 1645. Check your RADIUS server documentation to verify the value for this field.
- Use this as my: Select the role you wish this server to perform: Primary Server, Secondary Server, or Tertiary Server.

To add a RADIUS server
1. From the Contents column, select the security gateway you want to configure.
2. Click the Policies tab to bring it to the front.
3. From the drop-down list, select RADIUS/ACE, then click GO to open the Policy Manager for RADIUS/ACE.
4. Select the Enable RADIUS/ACE check box so the security gateway uses RADIUS services.
5. Click Add to open the Add RADIUS/ACE dialog box.
6. In the Password text box, type in the shared secret that the security gateway uses to authenticate itself to the RADIUS server. N
this class.

Note: ESP or IKE cannot be assigned to a class, as these encrypted packets are assigned to all the classes based on the DSCP value of the packet.

Note: It is not recommended that a user create a class with DSCP/Services ANY and Networks ANY, because it is an ambiguous configuration. All traffic not assigned to classes is treated as default traffic; hence it is not necessary to create such a class.

Establishing security

Note: It is not recommended to assign similar traffic to different classes. Example: one class containing ANY FTP and another class containing ANY TCP. This would be ambiguous because ANY TCP would include FTP also. Similar cases might cause ambiguity in classification.

Note: It is not recommended to use Services containing ICMP or port ranges. QoS does not support port ranges.

When View > QoS is selected, the screen displays the QoS policies that have been created and their configuration.

Figure 58: QoS policy (screenshot of the QoS policy list, with columns Class Type, Bandwidth Allocation, Burst, Source Networks and Destination Networks)

To add a QoS policy
1. Select New Object > QoS. The QoS Policy dialog is displayed.
2. In the QoS Policy Name text box, enter a unique QoS policy name. Click Apply. Click Close to go to the QoS General tab.
3. Next
this port. Indices are: Private 0 or 2, Public 1 or 3 (2 and 3 appear only for the security gateway 100).
Traffic Port Interface Index: The ifIndex value from the MIB-II ifTable.
Summary Interval: A time interval used to average this traffic rate.
Packets From Port: The average rate, in packets per second, at which packets have been transmitted from this port over the last <Summary Interval> seconds.
Packets To Port: The average rate, in packets per second, at which packets have been received on this port over the last <Summary Interval> seconds.

Table 26: Traffic Rate Table Parameters (continued)
Parameter: Description
KBits From Port: The average rate, in KBits per second, at which packets have been transmitted from this port over the last <Summary Interval> seconds.
KBits To Port: The average rate, in KBits per second, at which packets have been received on this port over the last <Summary Interval> seconds.

Table 27: Overview Statistics Table Parameters
Parameter: Description
Overview Port Description: A description of each port.
LAN Frames Received: The number of LAN frames received on this port.
LAN Frames Xmitted: The number of LAN frames transmitted from this port.
LAN Frames: The total number of LAN frames discar
...through the route, the route transitions from initial to active. In the Inactive Metric text box, enter the metric value for inactive route traffic flow. Click OK to exit the RIP Advanced Settings window. Click Save. When you want to send the configuration to one or more VSUs, click Update Devices.

Using Device tabs to configure the security gateway

Policies tab: NAT services

Network Address Translation (NAT) is an Internet standard that allows private, nonroutable networks to connect to public, routable networks. To connect private networks and public networks, address mapping is performed on a security gateway that is located between the private network and the public network.

Note: Beginning with the VPNmanager 3.2 and VPNos 4.2 releases, the VPNremote Client 4.1 is supported behind a NAT device (DSL or broadband router).

About NAT types for VPNos 4.31

Beginning with VPNos 4.31, you can set the following three types of NAT mapping on the security gateway:

- Static NAT. With Static NAT, addresses from one network are permanently mapped to addresses on another network. One private IP address can be translated to one public IP address. Static NAT is bidirectional; that is, for outgoing packets Static NAT translates the source IP address of the packets, and for incoming packets Static NAT translates the destination address of the packets. You must specify both the
...to the system that the receiving system cannot reassemble, and the system can crash.

Flood Attack: This attack floods the system with TCP connection requests, which exhausts the memory and the processing resources of the firewall. Flood attacks also attack the UDP ports. This attack attempts to flood the network by exhausting the available network bandwidth.

WinNuke Attack: This attack attempts to completely disable networking on computers that are running Windows 95 or Windows NT. This attack can be swift and crippling because it uses common Microsoft NetBIOS services.

Buffer Overflow: This attack overflows the internal buffers of the application by sending more traffic than the buffers can process.

QoS

Quality of Service (QoS) allows you to classify and prioritize traffic based on DSCP values and TCP/IP services and networks. The bandwidth available to a class of traffic can be allotted as a specific percentage of the total upstream bandwidth. Configuring QoS allows VoIP traffic to receive a higher priority. If QoS is disabled, all traffic receives the same priority.

VoIP

The security gateway can be configured to protect and enable the communication of VoIP telephones, either within a VPN or a firewall. The security gateway can be configured to secure Avaya MultiVantage and IP Office VoIP solutions as follows:

- Secure site-to-site voice trunks, such as between headquarters and branch offices or between main offices and home of
...tunnels: If selected, the security gateway broadcasts VPN routing information from its private port. The information tells listeners to send packets to this security gateway if the destinations are remote members of the VPN. The security gateway encrypts the packets, then sends them to remote members.

- VPNremote and user VPN tunnels: If selected, the security gateway broadcasts routing information about remote client address pools. This information tells listeners to send packets to the security gateway if the address is a mapped address. The security gateway translates the mapped address.

Note: Select VPNremote and user VPN tunnels if Client IP address pools are created. For additional information, see Client IP address pool configuration on page 120.

4. Click the Advanced button to configure the RIP advanced settings.
5. In the Aging Interval text box, enter the time in seconds that the route will take to transition from active to idle. The aging interval is between active and idle and is configurable from 5 to 86400 seconds.

In the Initial Metric text box, enter the metric value for initial route traffic flow. When the VPN route is added to the route table and before traffic begins to flow, the initial value is applied to the route. Set the initial value higher than the idle metric value yet lower than the active metric value.

In the Active Metric text box, enter the metric value for active route traffic flow. As traffic flows
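The RIP Advanced Settings described above (the aging interval, the initial/active/inactive metrics and the rule that the initial value sits between the idle and active values) amount to a small per-route state machine. The following is an added example (not Avaya code) that models it; the state names, the assumption that an aged-out route returns to active when traffic resumes, and the event-driven simulation are assumptions, while the metric ordering rule and the 5..86400 second aging range come from the text.

```python
"""Model of the RIP metric/aging behaviour for advertised VPN routes (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INITIAL, ACTIVE, INACTIVE = "initial", "active", "inactive"


@dataclass(frozen=True)
class RipMetrics:
    initial: int          # applied when the route is added, before traffic flows
    active: int           # applied while traffic flows through the route
    inactive: int         # applied after the route has aged out (the guide's "idle")
    aging_interval: int   # seconds without traffic before active -> inactive

    def validate(self) -> None:
        """Enforce the constraints stated for the RIP Advanced Settings window."""
        if not 5 <= self.aging_interval <= 86400:
            raise ValueError("aging interval must be between 5 and 86400 seconds")
        if not self.inactive < self.initial < self.active:
            raise ValueError("initial metric must be higher than the idle (inactive) metric "
                             "and lower than the active metric")


def metrics_are_valid(m: RipMetrics) -> bool:
    try:
        m.validate()
        return True
    except ValueError:
        return False


@dataclass
class VpnRoute:
    prefix: str
    metrics: RipMetrics
    added_at: float
    state: str = INITIAL
    last_traffic: Optional[float] = None

    def __post_init__(self) -> None:
        self.metrics.validate()

    def on_traffic(self, now: float) -> None:
        """Traffic through the route moves it from initial (or, assumed, inactive) to active."""
        self.state = ACTIVE
        self.last_traffic = now

    def tick(self, now: float) -> None:
        """Age an active route to inactive once aging_interval seconds pass without traffic."""
        if self.state == ACTIVE and now - self.last_traffic >= self.metrics.aging_interval:
            self.state = INACTIVE

    def advertised_metric(self) -> int:
        """The metric RIP would advertise for the route in its current state."""
        return {INITIAL: self.metrics.initial,
                ACTIVE: self.metrics.active,
                INACTIVE: self.metrics.inactive}[self.state]


def simulate(route: VpnRoute, events: List[Tuple[float, str]]) -> List[Tuple[float, str, int]]:
    """Replay (time, "traffic" | "tick") events in time order and record state and metric."""
    trace = []
    for now, kind in sorted(events):
        if kind == "traffic":
            route.on_traffic(now)
        else:
            route.tick(now)
        trace.append((now, route.state, route.advertised_metric()))
    return trace


if __name__ == "__main__":
    # Constructed values: idle 2 < initial 5 < active 10, 30 s aging interval.
    route = VpnRoute("10.1.0.0/24", RipMetrics(5, 10, 2, 30), added_at=0.0)
    for row in simulate(route, [(10.0, "traffic"), (39.0, "tick"), (40.0, "tick"), (100.0, "traffic")]):
        print(row)
```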
...uniquely identifies the local interface through which the next hop of this route should be reached. The interface identified by a particular value of this index is the same interface as identified by the same value of ifIndex.

Metric 1: The primary routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route's ipRouteProto value. If this metric is not used, its value should be set to -1.
Metric 2: An alternate routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route's ipRouteProto value. If this metric is not used, its value should be set to -1.

Table 22: ipRouteTable Parameters (continued)

Metric 3: An alternate routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route's ipRouteProto value. If this metric is not used, its value should be set to -1.
Metric 4: An alternate routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route's ipRouteProto value. If this metric is not used, its value should be set to -1.
Next Hop: The IP address of the next hop of this route. In the case of a route bound to an interface which is realized via a bro
...unlimited number of security gateways and VPNremote Clients.

- VPNmanager Service Provider Client: Use the Service Provider Client version to manage an unlimited number of security gateways and VPNremote Clients. The Service Provider version also supports multiple VPN domains.

Overview of the VPN management hierarchy

With the VPNmanager software you can configure and manage VPNs and firewalls from a central location. By focusing on security policy instead of individual device management, administration of large-scale networks is simplified. Central management allows you to make configuration updates automatically to all affected security gateways. This distributed approach also applies to firewall management.

The VPNmanager software is built on a policy-based architecture that allows the administrator to start at a high level with a VPN domain, then move down the hierarchy to create user groups, IP groups for protected resources, and security groups that define membership and policies of the VPN.

Figure 1: Domain hierarchy (VPN Domain > VPN > User Group, IP Group, Gateway)

At the peak of the hierarchy is the VPN domain. A domain is assigned a name to identify it from other domains. Usually one domain is configured for an entire organization. A domain is built of one or more VPNs. Each VPN is built of users, user groups and IP groups. VPNs are assigned names; these names can associate the VPN with a regional location or purpose. Us
...use CLI commands, see the VPNos Configuration Guide.

Note: To restrict access to hosts or networks, firewall rules limit access from specific zones. See Appendix B, Firewall rules template, on page 297.

To set up SSH or Telnet:

1. Move to the Configuration Console window.
2. From the Icon tool bar, click Devices to list all security gateways in the Contents column.
3. From the Contents column, select the security gateway to configure for SSH or Telnet connection.
4. Click the Management tab to bring it to the front. The SSH/Telnet page is displayed.
5. By default, SSH is enabled and port 22 is configured, and Telnet is disabled. Make the appropriate changes to enable or disable either or both of these and to change the port if required.
6. In the Allowed area, select Zones to set which zones can be used. The SSH/Telnet Zones Configuration dialog is displayed, and the zones that are configured are listed.
7. For SSH, by default the private zone is allowed.
8. For Telnet, you must select a zone, as all zones are disabled by default.
9. Move the zones from Blocked to Allowed. Click OK.
10. Select Networks to configure the IP address to use to access the security gateway.
   - To add an IP address, click Add, enter the address and click OK.
   - To add network objects from the Available list, select the network object and click Move Left to move it to the Allowed column. Click OK.

For SSH, by defaul
...which are independent of past values.

- Select Yes to use PFS.
- Select No to not use PFS.

Use the AH/ESP list to create packets containing IPSec headers. The payloads contain the entire original packet header and payload.

- Select AH Header to authenticate the entire packet. This inserts an Authentication Header and an Encapsulating Security Payload (ESP) Header into packets and performs encryption on the payload.
- Select ESP Trailer to authenticate the entire packet except for the IP header. This inserts an ESP Header and ESP Trailer into packets and performs encryption on the payload.

Use the Diffie-Hellman Group list to select which modulus to use for the keying algorithm.

- Select 1 to use a 768-bit modulus.
- Select 2 to use a 1024-bit modulus.

For detailed information about Group 1 and Group 2 algorithms, see section 6.2 of IETF RFC 2395.

Use the IPSec Proposals options to create one or more proposals. A proposal defines which IPSec parameters all the security gateways of a VPN must use. If all the security gateways are of the same type, only one proposal needs to be created. If an extranet (a VPN belonging to another organization) is going to connect to your VPN and its proposal is different or unknown, additional proposals can be added to the Proposal List to accommodate that unique security gateway. The security gateways will automatically go through the list and negotiate which proposal to use at the appropriate
...which your ISP assigns.
Password: Account password.

Note: Avoid resetting the security gateway by power cycling the unit when PPPoE is configured, as this method requires a proper shutdown in order to avoid a lockout condition during reconnection. This lockout period can last for a few minutes; the time varies from ISP to ISP.

Local DHCP Server

The local DHCP server private port configuration is the default configuration to support the IP devices that are connected to your LAN. In the local DHCP server mode, the protected devices are automatically provided with an IP address, a default route, a domain name, the security gateway and WINS. To configure the local DHCP server, complete the following information:

IP Address: The IP address assigned. The default IP address is 192.168.1.1 for the private interface. If multiple interfaces on a security gateway have a DHCP server configured, their IP addresses must be unique.
IP Range From/To: The range of IP addresses that the DHCP server that runs on the interface assigns to DHCP clients. The default DHCP address range for the private interface is 192.168.1.32 to 192.168.1.127. Each security gateway on the VPN requires a unique DHCP range. In addition, if multiple interfaces on a security gateway have a DHCP server configured, the DHCP range on each also must be unique.
Domain Name: The domain assigned to the interface. This is only appli
...1000 Mbps in full duplex mode. In full duplex mode, the Ethernet port is capable of sending and receiving packets simultaneously over the network at 1000 Mbps.

1000 Mbps Half Duplex: This option allows the VPNmanager to configure the security gateway's Ethernet port speed to 1000 Mbps in half duplex mode. In half duplex mode, the Ethernet port is capable of either sending or receiving packets over the network at 1000 Mbps.

100 Mbps Full Duplex: This option allows the VPNmanager to configure the security gateway's Ethernet port speed to 100 Mbps in full duplex mode. In full duplex mode, the Ethernet port is capable of sending and receiving packets simultaneously over the network at 100 Mbps.

100 Mbps Half Duplex: This option allows the VPNmanager to configure the security gateway's Ethernet port speed to 100 Mbps in half duplex mode. In half duplex mode, the Ethernet port is capable of either sending or receiving packets over the network at 100 Mbps.

10 Mbps Full Duplex: This option allows the VPNmanager to configure the security gateway's Ethernet port speed to 10 Mbps in full duplex mode. In full duplex mode, the Ethernet port is capable of sending and receiving packets simultaneously over the network at 10 Mbps.

10 Mbps Half Duplex: This option allows the VPNmanager to configure the security gateway's Ethernet port speed to 10 Mbps in half dup
Overview of implementation

Static Routes

Static routes are specified when more than one router exists on a network to which the security gateway must forward either VPN traffic or non-VPN traffic. You can build a static route table with up to 32 network address/mask pairs.

IP groups

Data Terminal Equipment (DTE), such as computers, printers and network servers, are devices that can be members of a VPN. To make these devices members, you create IP Groups. An IP Group is composed of a set of hosts (workstations and servers) that are located behind a common security gateway. The hosts are defined by their IP address and mask. VPNs are made up of IP groups at multiple locations linked across a public IP network (Internet). Assigning workstations and servers to different IP groups offers a powerful way to limit VPN traffic to specifically designated users.

Remote users and user groups

VPNremote Client users who log in to the VPN through the security gateway must have their user authentication configured on that security gateway. If RADIUS is not used, you must configure the user name and the password for each remote user. With RADIUS, you can configure a remote user as a default user. When a remote user is configured as a default user, the user password is not required to log in; the user is authenticated by a third-party authentication server such as RADIUS. You can also change the default Internet Key Exchange (IKE) identity, the
Preface

This Avaya VPNmanager Configuration Guide is written for individuals who have an understanding of how computer networks are installed, configured and managed. It provides detailed information about using the Avaya VPNmanager solution to build small, medium or large-scale Virtual Private Networks (VPNs). VPNmanager is a Java-based software application that brings convenience, ease of use, extended functionality and platform independence to the management of VPNs.

What Products are Covered

Avaya's solution is a line of three products that are used for managing Virtual Private Networks. Each one listed below has been designed to meet the needs and requirements of either a small, medium or large network.

- VPNmanager Service Provider
- VPNmanager Enterprise

VPNmanager Overview

The VPNmanager application lets network managers define, configure and manage Virtual Private Networks (VPNs) from any location equipped with a computer running Windows NT, Windows 2000, Windows 2003 Server or Solaris. Network managers can configure and check the status of Avaya security gateways and VPN Service Units (VSUs), add or remove remote sites and dial-in users to a VPN, configure user authentication servers using LDAP directory servers or RADIUS servers, and monitor the state of all security gateways as well as the performance of private data transmissions, using Java interface technology.
Figure 63: VSU Tunnel Persistence (VPN1, VPN2 and VPN3 between the security gateways)

Figure 64 illustrates tunnel persistence between SGs and remote users (RUser). The addition of SGp to VPN (SGa, SGc, SGp and Remote User) interrupts tunnel persistence in that VPN, thus breaking the remote connection. Once the configuration update is complete, the remote connection will be restored. Because modifications have not been made in VPN (SGa and SGp) and VPN3 (SGp and SGp), those tunnels remain persistent.

Figure 64: Remote User Tunnel Persistence (VPN1, VPN2 with RUser, and VPN3)

TEP Policy

The Tunnel End Point (TEP) Policy tab provides control of the security policy applied to the traffic that flows between the end points of a tunnel. The default is off, that is, "Do not apply configured VPN policies to TEP traffic".

Figure 65: Tunnel End Point Policy (options: Apply configured VPN policies to TEP traffic; Do not apply configured VPN policies to TEP traffic)

Enabling apply co
AVAYA VPNmanager Configuration Guide, Release 3.7
Document 670-100-600, Issue 4, May 2005
Copyright 2005 Avaya Inc. All Rights Reserved.

Notice: Every effort was made to ensure that the information in this document was complete and accurate at the time of release. However, information is subject to change.

Warranty: Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this product while under warranty, is available through the following website: http://www.avaya.com/support

Preventing Toll Fraud: Toll fraud is the unauthorized use of your telecommunications system by an unauthorized party, for example a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf. Be aware that there may be a risk of toll fraud associated with your system and that, if toll fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya Fraud Intervention: If you suspect that you are being victimized by toll fraud and you need technical assistance or support, in the United States and Canada call the Technical Service Center's Toll Fraud Intervention Hotline at 1-800-643-2353.

Disclaimer: Avaya is not responsible for any modifications, additions or deletions to the original publish
About VPNmanager

Note: Many of the VPNmanager screens display a Help icon that, when selected, opens a Help topic relevant to the screen.

Toolbar

The toolbar on the main VPNmanager screen contains buttons that are shortcuts for the tasks on the Menu bar, and the Device Update button.

Figure 5: Icons on toolbar

Table 3: Toolbar commands

New Object: The New Object button is a shortcut to the File > New Object command to create new objects within any of the categories listed in Table 2. When you select one of these commands, either a dialog or a wizard is opened to configure the information.
Modify: The Modify command is used to modify objects from the network diagram view. To use Modify, first select the object to be modified from the network diagram view in the monitor pane and then click Modify.
Delete: Delete is used to delete objects from the network diagram view. To use Delete, first select the object to be deleted from the network diagram view in the monitor pane and then click Delete.
Report: The Report button is a shortcut to the View > Report Wizard command that guides you through the steps to create a report about your network.
Connectivity by Proxy Ping

Ping this Address/DNS name: Enter the IP address or DNS name. Results are displayed in the Proxy Ping Results window.

To proxy ping a specific security gateway:

1. Move to the Configuration Console window.
2. From the Contents column, select the security gateway that you want to ping.
3. Click the Connectivity tab to bring it to the front.
4. In the Ping IP Address/DNS Host Name box, type in an address or host name of the proxy.
5. Click Proxy Ping to start the ping.
6. Information about the ping appears in the Ping Results text box.

Using the Device Actions tab

The Device Actions tab is used to perform basic functions on the security gateway. Basic functions include Update Configuration, Reset Device Time, Reboot Device, Re-setup device, Import Configuration and Ethernet Speed.

Note: The Import Configuration and Ethernet Speed features are visible only on some models.

Figure 86: The Actions tab for a security gateway

Update Configuration: When changes are made to a Device Object, use the Update Configuration button to send the changes from the server to
Export My Configuration: Exports your dyna-policy to a file for conveyance to the remote user's machine. Enter a password and retype the password.

Note: If Default User is configured, this button is disabled.

Rekey User VPNs: Clicking the Rekey button causes the preshared secret to be rekeyed for this user's VPNs.

Reset User Directory Password: The user's password is reset.

Note: If Default User is configured, this button is disabled.

Advanced tab

The Advanced tab allows you to define the type of IKE identifier associated with the user currently highlighted. Internet Key Exchange (IKE) is a protocol by which a security association (secure tunnel) is established between the security gateway and the remote client.

Figure 39: User Advanced tab

Four types of identifiers can exist in the certificate generated for the remote user:

- Directory Name
- IP Address
- DNS Name
- Email Name (RFC 822)

Configuring a remote user object

If your remote users use the default CCD, you only need to complete steps 1 through 5. If an individual dyna-policy should be created, continue with step 6.

1. From the Configuration Console window, click Users to list all User Objects in the Contents column.
...Failure trap, which shows up on the VPNmanager as Invalid Authentication Signature.
- 6: SKIP Encryption Header error. The packet's ESP trailer wasn't correct.
- 7: Remote client has exceeded the configured number of login attempts.
Packet Header: The first 48 bytes of the packet header (hex).

Table 19: System Group Parameters

CPU Utilization: A number from 1 to 100 representing CPU utilization in this security gateway.

Table 20: ActiveSessions Parameters

ActiveSessions Name: A VPNremote client name or a security gateway name, as defined in VPNmanager.
Length: Length of this session in seconds.
Original IP: VPNremote client's originating IP address or remote security gateway IP address.
Xlated IP: VPNremote client's assigned address from the Client IP Address pool, if configured. If the Client IP Address pool is not configured, or this session is from a security gateway, then this attribute is empty.
Description: Textual description of this VPN indicating what key management is being used and what encryption, authentication and compression algorithms are being used. For example: IKE 3DES MD5 Compression.
Pkts In: Number of packets sent to this security gateway from the VPNremote Client or remote security gateway identified by Name during this
122. ...Firewall Global and Device area, click Domain.
1. From the Configuration Console window, select View > Firewall.
2. Click Add to start the Firewall Policy wizard.
3. Complete the Firewall Wizard dialog:
• In the Name text box, type a unique name that identifies the rule.
• By default the Status is Enabled and the Action is Permit. Change these if they are not the correct settings.
• In the Memo area, type notes to describe the firewall (optional).
4. Click Next to display the Device dialog.
5. Select the devices to apply the rule. Click Move Left to move the selected members to the Device(s) for this Rule column.
6. Click Next to display the Source dialog. Select the sources, click Move Left to move the selected source to the Source column.
7. Click Next. From the Available Destination(s) column, select the destination, click Move Left. Click Next.
8. From the Available Service column, select the services, click Move Left. Click Next.
9. The Firewall Wizard Configuration dialog is displayed. From the Zone list, select the zone to which you want to apply this rule. For maximum flexibility and capability, the firewall rules for the security gateway can be specified for a particular zone. The packets are checked against the firewall rules at the interface where they are defined.
10. In the Direction list, select In or Out. The direction is in respect to the security gateway.
11. If you want this rule to be logged
123. If you select Use existing groups, the original address and masks are replaced with the Group selection list.
Original: The IP address of the original address and Network Mask Pair.
Translated: Enter the translated address and mask, or port range, in the Translated fields. Note: The appropriate fields to use for this translation are enabled based on the Translation Type selected earlier.
Choose where the translation should be inserted in the list on the main Network Translation pane.

Add NAT Rule (VPNos 4.2 or earlier)
This function is used to add a new NAT rule to the list.
Translation Type: Choices are Static, Dynamic and Port.
Translation will be applied on: Choices are public Interface, private Interface and Tunnel Interface.
Original Network Mask: When the Network Mask Pair selection is made, the IP address of the original address and Network Mask Pair must be entered.
Translation: Enter the Translated Address and port (if the Translated Type is set to port). Enter the Translated Mask.
Locate This Translation Rule: Beginning of List, End of List, After Selected Item.
Add this translation rule without enabling it: Checking this box allows you to construct a series of rules before actually enabling them.
Memo: This area allows you to record notes about this NAT rule in the space provided.

To configure a NAT rule
1. From the Configuration Console > Device Contents pane, select the Policy tab to bring it to
124. ...SNMP Configuration section, enter the following information:
• Select the SNMP version.
• Enter the SNMP community string name to which the new security gateway reports SNMP information. The default is the public community string. If an existing security gateway is being added to the VPN, enter the new community string name to which the security gateway is to send its SNMP information.
In the Static Route area, click Configure Static Route to configure the static route destination address. Select Add to enter the IP address of the Next Hop for the static route. Up to 32 network address/mask pairs can be configured for the destination network. Click OK.
Click Next.
Select either Setup Now or Setup Later. Setup Later sends the configuration information to the directory server but not to the security gateway.
13. Click Finish to save the configuration information to the directory server, to poll the security gateway, and to exit the Setup Wizard.
When you want to send configurations to one or more security gateways, click Update Devices from the Configuration Console window, or use the Action tab to send the configuration to the security gateway.

Using Device tabs to configure the security gateway
After the security gateway is set up, the VPNmanager displays the tabs you can use to make changes to the security gateway configuration.
125. ...Manager dialog.
8. From the Configuration Console, click Update Device to send the configured information to the security gateway.

To edit a NAT rule
1. From the Configuration Console Contents column, select the rule that you want to modify. Click Edit. The Edit NAT Rule dialog displays.
2. Change the information following the steps in the "To add a NAT rule (VPNos 4.31)" section.
3. Click OK, and then click Save.

To delete a NAT rule
1. From the Configuration Console Contents column, select the rule that you want to delete. Click Delete. An information box appears to verify the deletion.
2. Click OK, and then click Save.

About NAT types for VPNos 3.X
For VPNos 3.X, you can set the following types of NAT mapping on the VSU:
• Static Mapping: Addresses from one network are permanently mapped to addresses on another network. Static mapping works when traffic is initiated either inside or outside of the private network.
• Dynamic Mapping: Addresses from one network are temporarily mapped to an address from another network. When traffic is initiated from a client on the private network, its address is temporarily mapped to an address selected from a pool of public addresses. When the client traffic is idle for a specified period of time, the mapped address is returned to the pool of available addresses. When all public addresses have been assigned, no other private clients can i
126. ...
Routing
Routing is specified when more than one router exists on a network to which the security gateway must forward either VPN or non-VPN traffic. The Routing tab shows the VPN traffic default routes, including the IP address of the hop and the IP address of the network mask pairs for this hop. You can add, modify and delete routes.
Figure 26: The routing tab for a security gateway object (screenshot, not reproduced)
The IP Address Next Hop is a list that displays the IP address of the next hop routers from the security gateway in focus.
The Network Mask Pairs for this Hop list indicates the static route destination address. You can build a static route table with up to 32 network address/mask pairs. This limit allows for any combination ranging from a single router with 32 network address/mask pairs to 32 routers with a single address/mask pair each.

To build a routing table using the default gateway
1. From the Configuration Console Contents column, select the security gateway you want to configure.
2. Click the Routing tab to bring it
128. ...VPN overview at a glance. Double-clicking on an object automatically opens the configuration console details window. At the top of the VPN View pane is the VPN View selection bar.

VPN view selection toolbar
The VPN View selection bar contains two elements: a list from which the desired VPN is selected, and two radio buttons to select the view style, Diagram or Tree. Note: If more than five security gateways are present in the VPN, only the tiled or tree views are available.
All security gateways in the selected VPN are displayed; however, only one security gateway can be in focus at any time. The security gateway in focus is indicated by a dashed line around the box and a yellow background.
Remote clients associated with the VPN currently in focus are displayed in a two-column scrolling list box. This list always appears at the top of the Tiled View pane. Clients are listed alphabetically.

Status Icons
The functional status of each security gateway in the VPN is indicated with an icon on the security gateway graphic. A green dot with a checkmark in it means full functionality, while a red dot with an x indicates an alarm.

Network Diagram View
In this view, all security gateways, their IP addresses, associated IP Groups and a list of all remote client users in the currently selected VPN are displayed in a circular pattern around the Internet cloud, which appears in the center. The security gateways are displayed graph
129. Contents (continued; entries whose text could not be recovered are omitted):
Define Custom 267
Monitoring wizard Presentation 268
Monitoring Alarms 268
Device diagnostics 273
Chapter 11 Device management 275
Using the Management tab 275
Setting Up SSH and Telnet 275
Changing device administrator's passwords 276
Using the Connectivity tab 277
Check connectivity by Ping 278
Check Connectivity by Proxy Ping 279
Using the Device Actions tab 279
Update Configuration 280
Reset Device Time 280
Re-setup Device
Import Device Configuration
Ethernet Speed
Network Interface Status
Importing and exporting VPN configurations to a device
Export VPN
130. ...RADIUS database for user authentication. When this option is selected, you must choose how the remote client configuration download (CCD) is handled:
• By the security gateway: Use local database for configuration
• By the RADIUS server: Use RADIUS for configuration (VPNos 3.x only)
• By the directory server: Use LDAP for configuration (VPNos 3.x only)

LDAP authentication
Note: This feature is only available for VPNos 3.x when iPlanet Directory Server is supported.
LDAP authentication uses the designated directory server database for user authentication. As with RADIUS, you must also choose how the remote client configuration download (CCD) is handled:
• By the security gateway: Use local database for configuration
• By the directory server: Use LDAP for configuration

Dynamic VPNs (VPNos 3.x)
Dynamic VPNs is a term given to VPNs that are readily scalable by maintaining the remote client database on a RADIUS server, as opposed to maintaining this data in the local security gateway. This method avoids any size limitations on the number of remote users due to security gateway Flash memory restrictions. Depending on your security policy, you may wish to have the VPN session client configuration download file (CCD, part of dyna-policy) reside in the security gateway while remote client authentication occurs via the RADIUS database.
131. Glossary
Aggressive mode: An IKE mechanism used in the first phase of establishing a security association. Aggressive mode accomplishes the same authentication/negotiating goal between clients as Main mode, but faster (three packets versus six).
AH/ESP: In an IPSec packet, the Authentication Header (AH) and Encapsulation Security Payload (ESP) header. IKE VPNs authenticate IP packets using either an ESP header, as defined in draft-ietf-ipsec-esp-v2-03.txt, or AH, as defined in IETF draft-ietf-ipsec-auth-header-04.txt.
Alarms: When a security gateway in the VPN reports an alarm condition, details about the alarm, including type, timestamp and the originating security gateway, can be found in the VPNmanager main screen Alarm pane.
Authentication:
  Generic: The process of ensuring that the data received is the same data that was sent from the source.
  Local: Local Authentication is used in non-dynamic VPNs (VPNs not using RADIUS or a directory server (LDAP) as the authentication database). Here the user is authenticated from the database stored in the security gateway's flash memory.
  RADIUS: RADIUS Authentication uses an external RADIUS server and database for user authentication.
  LDAP: LDAP Authentication uses the designated directory server database for user authentication.
Brute Force Attack: A hack attack that attempts to recover a cryptographic key by trying all reasonable possibilities.
CCD: Client C
132. ...Resilient Tunnel
Figure 67: Primary and Resilient Tunnels (diagram, not reproduced: Tokyo LAN and San Francisco LAN joined by a high-speed Primary Tunnel between two VSUs, with a low-speed Resilient Tunnel through a hub router and a third VSU)
Resilient Tunnels are used for backing up Primary Tunnels. Should a Primary Tunnel go out of service, the Resilient Tunnel will automatically be used for VPN traffic.

Tunnel Switching
The switching mechanism involves time and a packet called a Heartbeat. Figure 68 illustrates how tunnels are switched.
Figure 68: Tunnel Switching (diagram, not reproduced: the primary tunnel from VSU A, the control end point where tunnel switching is controlled, to VSU B over the high-speed link, and the secondary tunnel to VSU C over the low-speed link)
Explanation for Figure 68:
1. VSU A listens to VSU B's heartbeat. The heartbeat has a configurable period called a Heartbeat Interval.
2. If VSU A detects a dead heartbeat, it asks VSU B for a heartbeat.
3. The number of times that VSU A can make a request is configurable and is called the Heartbeat Retry Limit.
4. If the number of requests exceeds the Heartbeat Retry Limit, VSU A then begins to establish a connection with VSU C.
5. Since VSU C uses a low-speed connection, VSU A must anticipate a delayed response from VSU C. That delay is called Hold-up Time and is configurable with
133. ...Select 3DES to divide VPN traffic into 64-bit blocks and encrypt each block three times with three different keys.
• Select DES to divide VPN traffic into 64-bit blocks and encrypt each block with a 56-bit key.
• Select NONE to not encrypt VPN traffic.
From the Authentication Algorithm drop-down list, do one of the following:
• Select Keyed MD5 if you want VPN tunnel end points to authenticate themselves using the Message Digest 5 hash function. Tunnel end points are security gateways and VPNremote Clients.
• Select NONE if you do not want tunnel end points to authenticate themselves.
From the Compression Algorithm list, do one of the following:
• Select Stac if you want the payloads of VPN packets to be compressed using the STAC (Lempel-Ziv) standard compression. Since encryption is time consuming, compression speeds up the entire process.
• Select NONE if you do not want payloads of VPN packets to be compressed.
Click Save to save your work.

Configuring an IKE VPN
Note: Security gateways at each end of a tunnel must use the same IKE settings.
To configure a new IKE VPN Object
1. Move to the Configuration Console window.
2. From the Icon toolbar, click VPN to list all VPN Objects in the Contents column.
3. From the Contents column, select the VPN Object that needs to be configured.
4. Click the General tab to bring it to the front.
5. Select one of the following to control ho
134. ...Save to save the change. When you want to send the configuration to one or more VSUs, click Update Devices.

To delete a DNS server address
1. From the Contents column, select the security gateway you want to delete.
2. Click the DNS tab to bring it to the front.
3. From the Current DNS Servers list, select the address you want to delete.
4. Click Delete to remove the address.
5. Click Save to save the change.
6. When you want to send the configuration to one or more VSUs, click Update Devices.

Interfaces tab
For security gateways with VPNos 4.31 or later, the Interfaces tab is used to edit the configuration of the media interfaces on a security gateway. When you select the Interfaces tab, the screen displays the available media interfaces with a summary of their configuration and current status. Scroll to see all the information:
• The name of the media interface
• The zone that is assigned to the media interface
• The IP configuration mode
• The status. Status identifies if the physical link is up or down and if the interface is being used by network applications.
• The IP address
• The mask
• The default route, if relevant
• The MAC address
Figure 20: Interface tab (screenshot, not reproduced)
135. Secure Socket Layer (SSL) technology is used to keep configuration traffic between the VPNmanager and VSUs private. In addition, X.509 certificates are used by both VSUs and the VPNmanager console, providing an authentication capability, thus allowing only authorized administrators to configure VSUs. Once authenticated, administrators can configure, modify, restart or upgrade any security gateway in the corporate network. Finally, sensitive cryptographic keying information stored in the VPNmanager database is encrypted using a password key to prevent compromising secure network traffic.

No Special Consoles Required
The VPNmanager software runs on host environments that support the Java Virtual Machine (see the VPNmanager README file for a current list of supported platforms). Expensive management consoles and proprietary management interfaces are not needed. Regardless of the host platform, the VPNmanager software presents the same appearance and user controls.

Complementary to SNMP Management Tools
The VPNmanager software is designed specifically for securely defining, configuring, monitoring and upgrading VPNs. The VPNmanager software is required to configure and modify VPNs. Secure traffic running between VSUs, or between VSUs and VPNremote Clients, does not require an active VPNmanager. After configuring the required VPNs, the VPNmanager can be shut down if desired.
137. ...FTP, SSH, Telnet, HTTP, HTTPS, POP3, IMAP or ICMP echo request. All other incoming traffic is blocked.
Outgoing traffic to the semi-private zone that is allowed includes:
• Any allowed traffic from other zones
• VPN traffic

Table 37: Semi-private high security firewall rules
(columns: Rule Name; Action; Source; Destination; Service; Direction; Zone; Keep State; Description)
InBoundSemiPrivateVPNAccess; Permit; Any; SemiPrivate IP, PublicIP; IKE_IN, IPSEC_NAT_T_IN, AH, ESP, ICMPDestUnreach; In; SemiPrivate; No; Permit incoming VPN and ICMP unreachable
InBoundSemiPrivatePingAccess; Permit; Any; SemiPrivate IP, PublicIP; ICMPEchoReq (PING); In; SemiPrivate; Yes; Permit incoming PING
InBoundSemiPrivatetoDMZAccess; Permit; Any; DMZNet; ICMPEchoReq (PING), FTP Ctrl, PassiveFTP, SSH, TELNET, HTTP, HTTPS, DNS TCP, DNS UDP, POP3, IMAP, SMTP, NNTP; In; SemiPrivate; Yes; Permit incoming services to DMZNet
InBoundSemiPrivateDenyAccess; Deny; Any; DMZNet, PrivateNet, ManagementNet, SemiPrivate IP; Any; In; SemiPrivate; No; Deny traffic to PrivateNet, ManagementNet and DMZNet
InBoundSemiPrivatetoPublicAccess; Permit; Any; Any; ICMPEchoReq (PING), FTP Ctrl, PassiveFTP, SSH, TELNET, HTTP, HTTPS, DNS TCP, DNS UDP, POP3, IMAP, SMTP, NNTP; In; SemiPrivate; Yes; Permit clear traffic to Public network, VPN traffic with Public IP as tunnel endpoint
InBoundSemiPrivateBlockAll; Deny; Any; Any; Any; In; SemiPrivate; No; Deny the rest of traffic
138. To create a resilient tunnel
1. Move to the Configuration Console window.
2. From the Device > Contents column, select the device that is operating as the primary end point (see Figure 68). The Device tabs are displayed.
3. Click the Resilient Tunnel tab to bring it to the front.
4. Click Add to open the Add Resilient Tunnel Device dialog box.
5. From the Select a Device list, select the security gateway that is the secondary end point.
6. Select the Save as Enabled check box so Resilient Tunnel services begin as soon as the VSUs are updated.
7. From the Properties list, click on Heartbeat Interval so the heartbeat interval values appear.
• In the Heartbeat Interval drop-down list, select a unit of time.
• In the Heartbeat Interval text box, type in a duration that defines the period of the primary end point's heartbeat.
8. From the Properties list, click on Heartbeat Retry Limit so the heartbeat retry limit values appear.
• In the Times text box, type in the number of times a heartbeat must be requested by the controlling end point before it switches traffic to the secondary end point.
9. If the secondary end point uses a slower circuit than the primary end point, the controlling end point must be aware of the expected delay. That delay is called Hold Up Time.
10. From the Properties list, click on Hold Up Time so the Hold Up Time values appear.
• In the Hold Up Time
139. ...(end of the preceding row) Description: Traffic to ManagementNet is denied.
InBoundPrivatePermitAll; Permit; Any; Any; Any; In; Private; Yes; Permit VMGR and VPN clear traffic to PUBLIC
OutBoundPrivateDMZSemiPriDenyAccess; Deny; DMZNet; Any; Any; Out; Private; No; Deny traffic from DMZNet and SemiPrivateNet
OutBoundPrivatePermitAll; Permit; Any; Any; Any; Out; Private; Yes; Permit incoming VPN

Table 35: Private medium security firewall rules
(columns: Rule Name; Action; Source; Destination; Service; Direction; Zone; Keep State; Description)
InBoundPrivateDenyAccess; Deny; Any; ManagementNet; Any; In; Private; No; Traffic to ManagementNet is denied
InBoundPrivatePermitAll; Permit; Any; Any; Any; In; Private; Yes; Permit VMGR and VPN clear traffic to PUBLIC
OutBoundPrivateDenyAccess; Deny; DMZNet; Any; Any; Out; Private; No; Deny traffic from DMZNet and SemiPrivateNet
OutBoundPrivatePermitAll; Permit; Any; Any; Any; Out; Private; Yes; Permit incoming VPN

Table 36: Private low security firewall rules
(columns: Rule Name; Action; Source; Destination; Service; Direction; Zone; Keep State; Description)
InBoundPrivateDenyAccess; Deny; Any; ManagementNet; Any; In; Private; No; Traffic to ManagementNet is denied
InBoundPrivatePermitAll; Permit; Any; Any; Any; In; Private; Yes; Permit VMGR and VPN clear tra
140. ...User Group to list all the user groups in the Contents column.
3. From the Contents column, select the user group that needs to be configured.
4. Use the General tab to populate the group with specific users:
• From the Available Users column, select one or more users. To select multiple users which are listed adjacently, hold the SHIFT key. To select multiple users which are not adjacently listed, hold the CTRL key.
• Click Move Left to move your selected users to the Current Users column.
5. Optional: Click the Memo tab to bring it to the front, then type in a message about the group, such as its purpose or who it serves.
6. Click Save.

Chapter 7: Configuring VPN objects
A VPN object is the method used for linking security gateways, remote terminals and LAN terminals in a fully configured virtual private network. To create a VPN, you name the VPN, select a key management method and, optionally, designate it as the Default VPN. After that, you can configure the VPN in VPNmanager using the tabs associated with the created VPN. When you configure the VPN, you add users and user groups and further define the IKE, IPSec and SKIP security protocols for VPN traffic.

Types of VPN objects
Two types of VPN objects can be built:
• SKIP-based VPN
• IKE-based VPN
Both types use IP Security Protocol (IPSec) for encrypting and decryptin
142. ...Y1.Y2.Y3.X by sending its own MAC address in response to an ARP request from Host B. When security gateway B receives a reply packet on the private interface, it changes the packet's destination address Y1.Y2.Y3.X back to the original address X1.X2.X3.11 before sending the reply to Host A through the VPN tunnel.
A possible alternative to configuring a NAT rule on the private interface of security gateway B, shown in Using NAT to Support Multiple Gateways, is to add a static route to the default router which sends packets destined for the X1.X2.X3.0/24 network through security gateway B.
Figure 30: Using NAT to Support Multiple Gateways (diagram, not reproduced: Host A at X1.X2.X3.11 on the X1.X2.X3.0/24 network; a VPN Tunnel across the Public Network; a Private Interface NAT Rule 0.0.0.0/0 > Y1.Y2.Y3.240/28; the Default Router on the Y1.Y2.Y3.0/24 network; Host B at Y1.Y2.Y3.22)

Interface for VPNos 4.2
The following three interface choices are available for devices with VPNos 4.2:
• Public: Primarily used to allow clients on a private network to access hosts on the Internet, and for transport mode VPNs.
• Private: Used to support multiple gateways.
• Tunnel: This is a special interface used to support tunneling between overlapping private networks while still allowing connections to the Internet.
Group
143. ...Your new rule appears in the Access Control List.
12. Click Save to save your work.

Packet filtering firewall
The security gateway uses a rules-based method of packet inspection, where the priority of each rule is determined by its position in the list (highest is top priority). The first match determines the fate of the packet: permit or deny. If no matching rule is found, the default action is to permit the packet.
Figure 61: Policy Manager for firewalls (screenshot, not reproduced: Add Template Rules and Enable Firewall controls, the selected device, and a rule list with Name, Action, Source(s), Destination(s), Service(s), Enabled, Zone and Direction columns)

To use the firewall policy management
1. Move to the Configuration Console window.
2. From the Contents column, select the security gateway that the policy is applied to.
3. Click the Policies tab to bring it to the front.
4. Select Firewall from the Policies drop-down list.
5. Click Go to open the policy manager for firewall.

Add firewall policy
To add a firewall policy
1. Click Add to open the firewall policy wizard.
2. Type a name for the new rule in the Name text box.
4. Select Permit or Deny in the Action drop-down list to control the flow of packets for th
144. Contents (continued; entries whose text could not be recovered are omitted):
Configuring an IP Group that connects to an extranet 102
Chapter 5 Configuring remote access users 105
Default client configuration 105
Using dyna-policy 106
Configuring a global dyna-policy 107
Dyna Policy Defaults User tab 107
VPN configuration files on remote user's computer 108
Disable split tunneling 108
Dyna Policy Defaults Global tab 108
Dyna Policy Authentication tab 109
Local authentication 110
RADIUS authentication 110
LDAP authentication 110
Dynamic VPNs 110
Remote Client tab 111
Client DNS resolution redirection 111
Client DNS resolution redirection 112
Remote Client inactivity connection time-out (VPNos 3.x) 112
Send Syslog Messages 112
Configure a default CCD with global dyna-policy
145. ...a policy.
Remote Client tab
The Preferences Remote Client tab is used to establish a path (tunnel) to a secure DNS server to resolve client DNS names, as opposed to using a public DNS server, and to set the remote client idle time-out period.
Figure 36: Preferences Remote Client Tab (screenshot, not reproduced: Client DNS Resolution Redirection with an Enable redirection support check box; Amount of Client inactivity time before session times out: 24 Hours; Send Syslog messages to receiving hosts after VPN session is inactive for 10 minutes)

Client DNS resolution redirection
By using the Client DNS Resolution Redirection feature, VPNremote Client initiated DNS name resolution requests for specific subdomains can be directed to private DNS servers residing on a network protected by a security gateway. This allows VPNremote Clients to use host names in place of IP addresses when accessing corporate network resources, without exposing corporate DNS servers and name resolution databases to the public. Thus a VPNremote Client can use public DNS servers to resolve public resources and private DNS servers to resolve private resources.
Note: DNS name resolution requests are redirected at the user side by VPNremote Client. The remote Client must be runn
146. access the Internet without needing additional registered network addresses.
• Hide host addresses for security reasons. Network administrators may choose to use address mapping to hide actual host addresses from the public.
• Set up VPNs that include overlapping private addresses. Address mapping allows network administrators to set up VPNs between two sites that use the same private network addresses. For example, both sites may be using 10.0.0.0 private network addresses.
88 Avaya VPNmanager Configuration Guide Release 3.7
Using Device tabs to configure the security gateway
• Provide support for multi-gateway network configurations. Address mapping can be used to ensure that request and reply packets enter and exit the network through the same security gateway.

Accessing the Internet from private networks

Figure 28 shows an example of using NAT to allow hosts on a private (non-routable or non-registered) network to access the Internet.

Figure 28: Access the Internet from private networks (diagram not reproduced; caption: the VSU dynamically maps private host addresses from the 10.0.0.0/8 network to public addresses on a /24 public network, with a NAT rule on the private interface).

The above example can be used for the following three applications described in the previous section, NAT applications:
• Allow access to the Internet from private networks
• Provide support for
147. acket Filtering Policy wizard is used for creating filtering policies.

To create a filtering policy:
1. Move to the Configuration Console window.
2. From the Contents column, select the VSU where the new rule has to be located.
3. Click the Policies tab to bring it to the front.
4. From the drop-down list, select Packet Filtering, then click GO to open the Policy Manager for Packet Filtering.
5. Click the Add button to start the Packet Filtering Policy Wizard.
6. From the Action drop-down list, select Permit or Deny to control the flow of packets for this policy.
Issue 4 May 2005 189
Establishing security
Note: As you build your policy, its parameters populate the Filtering Policy in Progress text box, which is located at the bottom of the wizard.
7. If you want to make a note about this policy, type the note in the Memo text box.
8. From the IP Protocol Type drop-down list, select the type of traffic you want to control.
9. Controls appear in the Traffic Type options box after you select an item from the list.
10. Use the controls to configure the parameters for the policy.
11. Click Next to continue using the wizard until your policy has been built, then click Finished to return to the Policy Manager for Packet Filtering window.
12. Your new policy appears in the Access Control List.
13. Click Save to save your work.

Running the Policy Manager for packet filtering

The Policy Manager for Packet Filtering is used
148. ackets that match the rule cause a State table entry to be allocated. This allows expected return packets to bypass other filtering rules that might normally block them.
Cache Hit In: Number of cache hits for inbound packets on this interface. Each inbound packet is examined to see if a packet with identical characteristics exists in the outbound cache for this interface. If a match is found, the resulting rule match applied to the previous packet is applied to the current one, bypassing the rest of the filtering mechanism.
Table 23: FilterStats Parameters (continued)
Cache Hit Out: Number of cache hits for inbound packets on this interface. Each outbound packet is examined to see if a packet with identical characteristics exists in the outbound cache for this interface. If a match is found, the resulting rule match applied to the previous packet is applied to the current one, bypassing the rest of the filtering mechanism.
Good Pullup In: Number of failed pullup operations occurring for inbound packets. These occur when a packet is fragmented across multiple internal memory buffers and there is insufficient information available to properly process the packet. Successive memory buffers are read until there is enough information to process the packet.
Good Pullup Out: Number of failed pullup ope
149. acks ports 135 to port 139 on platforms that are based on Windows 95 and Windows NT.
Buffer Overflow: This attack overflows the internal buffers of the application by sending more traffic than the buffers can process. This attack can contain a program at the end of a packet which can run and attack the system.

To select or deselect DOS categories:
1. To set DOS rules, from the Configure Console window select View > Firewall. Select the DOS tab.
2. Select the rules that should be enabled, and select to log details about attack attempts if the log function is available.
3. Click Save.

Voice Over IP

For servers running VPNos 4.2 or later, use the VoIP tab to enable or disable Voice over IP (VoIP) and to configure the gatekeeper properties. Definition of the gatekeeper location is with respect to the internal or external firewall definition. Beginning with VPNos Feature Pack 4.31, use the VoIP property to configure the IP trunking properties. You can add, modify, or delete IP trunking configurations.

Voice over IP uses the Internet Protocol to transmit voice as packets over an IP network, so VoIP can be achieved on any data network that uses IP: the Internet, intranets, and local area networks. Here the voice signal is digitized, compressed, and converted to IP packets, and then transmitted over the IP network. Signaling protocols are used to set up and tear down calls, carry information required to locate users, and negotiate capabilities. One o
150. adcast media, the value of this field is the agent's IP address on that interface.
Route Type: The type of route. Note that the values direct(3) and indirect(4) refer to the notion of direct and indirect routing in the IP architecture. Setting this object to the value invalid(2) has the effect of invalidating the corresponding entry in the ipRouteTable object. That is, it effectively disassociates the destination identified with said entry from the route identified with said entry. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive tabular information from agents that corresponds to entries not currently in use. Proper interpretation of such entries requires examination of the relevant ipRouteType object. Enumerated values: 1 other, 2 invalid, 3 direct, 4 indirect.
Table 22: ipRouteTable Parameters (continued)
Route Proto: The routing mechanism via which this route was learned. Inclusion of values for gateway routing protocols is not intended to imply that hosts should support those protocols. Enumerated values: 1 other, 2 local, 3 netmgmt, 4 icmp, 5 egp, 6 ggp, 7 hello, 8 rip, 9 is-is, 10 es-is, 11 ciscoIgrp, 12 bbnSpfIgp, 13 ospf, 14 bgp.
Route Age: The number of seconds since
151. ade firmware, and manage remote user access policies. The VPNmanager graphical interface is modularized by functions and tasks to make configuring a VPN fast and easy.

This chapter describes how to:
• Log in
• Navigate the VPNmanager Console interface
• Configure Preferences for the VPNmanager Console
• Communicate with the security gateway

About VPNmanager administrators

When the VPNmanager software was installed, during the policy server login configuration you configured the centralized management VPNmanager login ID and password. A VPNmanager administrator can also be set up as an SNMPv3 administrator.

In previous releases of VPNmanager, the super user administrator was supported. Beginning with VPNmanager 3.5, the super user administrator function has been expanded and is now included in the role based management feature.

Role Based Management

This feature allows network administrators to assign one or more management roles. Additionally, using role based access control (RBAC) in conjunction with corporate security guidelines, the network administrator can more effectively and efficiently manage the security of the corporate network.

Beginning with VPNmanager 3.5, the role based management feature supports three classes of users, as follows:
1. Super User
2. One super user is configurable. The super user has unlimited access control over all VPN domains and is the user configured from the policy server.
3. O
152. administrator sends the Certificate Request to a Public Key Infrastructure (PKI) System.
3. The PKI System sends a Signed Certificate to the administrator.
4. The administrator uses VPNmanager Console to install the Signed Certificate into the VSU.

Creating and Installing a Signed Certificate

Shown in Figure 76 is the Policy Manager for My Certificates. Use it for generating certificate requests, installing signed certificates in a VSU, and for selecting which certificate the VPNmanager Console must be configured as the target.

Figure 76: The Policy Manager for My Certificates (screenshot not reproduced; the dialog lists Status, Subject name, Issuer name and Serial number for each certificate, with Default and Error indicators and a Refresh button, and notes that you can choose the certificate that is used to authenticate network devices to the VPNmanager and that regularly changing certificates ensures a secure network).

To install a signed certificate into a VSU:
1. From the Device > Contents column, select the VSU that needs a Signed Certificate.
2. Click the Policies tab to bring it to the front.
3. From the drop-down list, select My Certificates, then click GO to open the Policy Manager for My Certificates.
4. Click Generate Certificate Request to open the Save as dialog b
153. age

Mapping QoS policies

After the QoS policies are created, they can be mapped to either public, public backup, or a semi-private zone at the domain or device level.
1. Select View > QoS Mapping. The QoS General tab is displayed. Click Add. Select either Domain or Device. The QoS dialog is displayed.
2. For Domain QoS mapping, select the devices that are to be members for this QoS mapping.
3. Select the Zone to be configured.
4. Select the QoS policy that should be applied.
5. Click OK and then click Save.

Packet Filtering

The Packet Filtering feature is available for devices with VPNos 3.x. VSUs have a multiprotocol filtering service that analyzes packets (also known as frames) at the Application, Transport, and Network Layers. The headers of the packets can be examined, then compared to filter rules organized in an Access Control List (ACL). Filters can be specifically created for inbound and/or outbound traffic and the state of a connection. Additionally, reports about filtering activity can be sent to a common SNMP manager for viewing.

The ACL can hold up to 200 policies. The default policy is to permit the packet. The default policy is automatically applied if no other policy is configured or if configured policies do not match. The ACL can be organized in a specific sequence so that one policy has precedence over another. All policies can be customized to meet your needs, and they can be turned off or on at any time. Policies
154. always OFF. When Path MTU is disabled (Off), the Clear DF Bit property is a configurable behavior.
7. When finished, click Save.
8. When you want to send the configuration to one or more VSUs, click Update Devices.

NAT Traversal

Configurable NAT traversal is available for VPNos 4.31 and later.

Note: For VPNos 3.2, NAT Traversal is enabled by default. You cannot change or disable it.

When a NAT device exists in a network path between security gateways that are part of a VPN, NAT Traversal allows the VPN traffic to successfully pass from one device to another. The default is NAT traversal enabled. You can do the following:
• Disable NAT traversal. Avaya recommends that you do not disable NAT traversal, even if a NAT device does not exist in the network path of two VPNs.
• Set the value for KeepAlive. The time configured here is used when the security gateway is in the private network of a NAT device. The security gateway behind the NAT device sends a keep-alive packet to reserve the dynamic source port. The default is 20 seconds.

Because NAT devices can clear port assignments after a period of inactivity, a still-open VPN session may be broken. When a new packet arrives after a certain period of inactivity, a NAT device can assign a new dynamic source port for the packet, which causes the VPN connection to fail. To avoid this problem, keep-alive packets are sent from the VPN peer which is behind the NAT device.
Usi
155. ame (figure residue from the Policy Manager, Type of Policy: Client Attributes; the dialog shows the Enable Client Legal Message check box, Require Acceptance Yes/No, the Message Text box, and the Enforce Brand Name options Allow any brand / Allow only the following brand-specific clients, with Discard Changes and Save buttons.)

Client Attributes

Enable Client Legal Message: The check box is used to enable the Client legal message. The default is disabled.
Require Acceptance: Select Yes to require the remote user to accept the message before log-on is authenticated. Select No if the message is to be displayed but the remote user is not required to accept the message to authenticate to the security gateway. The default is No.
Message Text: In the Message Text box, type the message that should be displayed. Default messages are not included in the VPNmanager software.
Enforce brand name: VPNmanager allows administrators to restrict access to remote users by specifying client brands. The default is Allow any brand. The Administrator can allow any brand name or can restrict access by specifying a brand name. However, in order for this feature to work correctly, the brand name must be specified in VPNmanager and in the Avaya VPNremote Client. To customize the Avaya Remote Client, contact your sales representative.
• Allow Any Brand allows any brand client to be authenticated by the security gateway during CCD. This radio button is the default.
• Allow Only the Following Brand Specific C
156. amic VPNs: Dynamic VPNs are VPNs that can be readily scaled as dictated by business demands. As the remote client user population grows, the authentication and session configuration information for each new user must necessarily also grow. By maintaining this information not in the security gateway's flash memory but on a dedicated network host device, the number of users becomes unlimited. The two techniques normally used to achieve this functionality are LDAP and RADIUS.
Dyna Policy: An Avaya VPN term relating to a dynamic configuration download of VPN session security parameters to the remote client computer upon connection to a security gateway. This technique assures maximum security in a VPN session.
E
Encapsulation: The process of placing the contents of one packet into the payload of another packet.
Extranet security gateway: It is possible to create a Group associated with a security gateway that is not managed by your company's VPNmanager. This happens when creating extranets, or VPNs between partner corporations. In an extranet, each corporate network uses VPN components that are managed separately by each company's system administrator.
F
Firewall: A network device acting as a filter to restrict access to private network resources from the public. Filtering typically is based on the type
H
Heartbeat
IKE (Internet Key Exchange)
IP Groups
IPSec
ISAKMP
Issuer Certificates
157. an IP telephone, secure tunnels are created for TFTP and Definity CLAN. However, if only VPN users are connected, the secure tunnels are created on demand. That is, the secure tunnels are created only when traffic exists on the associated tunnel.

Private port tab

For SGs with VPNos 4.2 or VPNos 4.3, the Private Port tab is used to configure the private IP address. In addition, you can configure the device to act as a DHCP server on the private port, or you can configure a DHCP relay.

Note: For SGs with VPNos 4.4 and higher, configure the private port address using the Interfaces tab.

If a local DHCP server is configured, the security gateway assigns IP addresses to the computers or the IP telephones that are behind the security gateway. If your DHCP server is on the public side, a DHCP relay can be configured to obtain IP addresses from this DHCP server. If the DHCP server is unreachable, the relay can be made to fall back to the local DHCP server.

Figure 22: Private port tab with VPNos 4.2 or VPNos 4.3 (screenshot not reproduced; the tab shows the Private Address and Network mask fields, the Local DHCP Server / DHCP Relay / None selection, and DHCP Server settings including Domain Name and IP Address Range).
158. anager, Enterprise domain (figure residue: main window with File, Edit, View, Tools and Help menus; New Object, Modify, Delete, Report, Config, Monitor and Update Devices toolbar; VPN View with Diagram, Tree and Alarm tabs showing Remote Clients, user groups, IP Groups and their IP address information).

Alarm monitoring pane

To the right of the VPN view pane is the alarm monitor pane. The alarm monitor pane contains summary alarm information, including a time stamp, security gateway name, and alarm type. Alarm information is presented in a vertically scrolling list. A rotating red beacon appears at the top of this screen when a critical alarm is received. See Monitoring alarms on page 268.

Configuration Console window

You select View > Configuration or click the Config icon on the tool bar to open the Configuration Console window. From this window you configure and modify the VPN network configuration. The Configuration Console window includes a menu bar, toolbars, a contents pane, and a details pane.

Figure 9: Configuration console window (screenshot not reproduced).
159. aos (figure residue: CNA configuration dialog with an "Apply above configuration to devices in the domain" option and a device selection list).

Converged Network Analyzer Test Plug

Typically, one CNA unit is configured in the network operations center and another CNA unit is configured in the corporate network. The CNA unit in the network operations center (NOC) is used to set up network topologies, configure network tests, and schedule network tests. Multiple CNA units can be configured in the network to monitor network topology and test results.

The following network tests are available using the CNA test plug:
• Ping test. The ping test includes unary and binary tests. The ping test sends an ICMP echo message to a target IP address and reports whether or not a response was returned. The binary test plug requires a pair of test plugs.
• RTP test. The real time transport protocol (RTP) test measures delay, packet loss, and jitter to another test plug by sending a simulated RTP data stream that is echoed back. The test provides data regarding the VoIP performance over the network.

To enable CNA test plug:
1. From the VPNmanager Console main window, select CNA as a New Object. The CNA general tab appears.
2. Select Enable to enable the CNA test plug in the network.
3. Select the CNA Test Plug Services interface. The public interface provides connection to the internet, usually by way of a wide area network (WAN). By def
160. appear if you add a context and then click Connect on the first logon dialog. At this point the main console display screen appears and the selected VPN appears in the View VPN window.

Navigating the main window

The VPNmanager Console consists of the console main window, the Configuration Console window, and dialogs to configure and monitor domains, VPNs, and the security gateway and network configurations related to them.

When you log in to VPNmanager for the first time, the main window is blank. The title bar shows No Domain Open. When you open a domain, the title bar shows the name of the domain that is opened. The main window includes a menu bar, a toolbar, the view VPN pane, and the alarms monitoring pane.

Figure 3: VPNmanager console main window (screenshot not reproduced; callouts: header with domain name, menu bar, icon toolbar; the VPN View pane with Diagram and Tree tabs; the Alarm pane listing time-stamped Device Unreachable and Device Reachable alarms by security gateway name).
161. ardless of whether or not the packet was ultimately passed or blocked per the interface's default rule.
Table 23: FilterStats Parameters (continued)
Packets Logged In: Total number of inbound packets that should have been logged. This number includes packets that matched filtering rules declared using either the log option or the log action.
Packets Logged Out: Total number of outbound packets that should have been logged. This number includes packets that matched filtering rules declared using either the log option or the log action.
Skip Log In: Number of inbound packets that should have been logged but the log buffer was full. Log records are stored in a fixed-size, non-circular buffer. When the buffer is full, no new log records are written until the buffer is drained via either the security gateway console or the VPNmanager.
Skip Log Out: Number of outbound packets that should have been logged but the log buffer was full. Log records are stored in a fixed-size, non-circular buffer. When the buffer is full, no new log records are written until the buffer is drained via either the security gateway console or the VPNmanager.
Return In: Number of inbound packets that matched a rule requiring that a TCP Reset or ICMP packet be sent in response.
Return Out: Number of outb
162. are semi-automatically created, one at a time, by using the Packet Filtering Policy Wizard. As an auxiliary method, policies can also be created at the VSU Console (not explained in this guide).

Packet Filtering

What can be filtered

Table 10 lists the specific types of traffic that can be filtered.

Table 10: Traffic types that can be filtered
User defined TCP, User defined IP, User defined UDP, AURP, Bootpc, Bootps, Bordergw, Chargen, Chargen UDP, CMD, Discard, Domain, Domain TCP, Discard UDP, Dynamic TCP, Dynamic UDP, Echo, Echo UDP
Exec, Finger, FTP, FTP data, Gopher, Gopher UDP, ICMP, IDIRACCP, IPX TCP, IPX UDP, IPrelay, IPtunnel, Kerberos, Login, Nameserver, Nameserver TCP, NetBIOS TCP, NetBIOS UDP
Netware IP TCP, Netware IP UDP, Nettimep, NFS, NFS TCP, NNTP, NNTP UDP, NWIP DSS TCP, NWIP DSS UDP, Printer, Relaychat, SMTP, SNMP, SNMP Trap, Telnet, TFTP, UUCP, UUCP Path
VPN AuthGW, VPN KeepAlive, VPtunnel, Who, WWW HTTP, WWW HTTP UDP, XDMCP

Packet Filtering and NAT

Network address translation (NAT) and packet filtering services can be run simultaneously. Depending on the direction of the traffic, the VSU automatically determines the sequence in which the services run. For inbound packets to the WAN, NAT is run first, then filtering. For outbound packets, filtering is run first, followed by NAT.
163. at the Advanced Filter setting be Permit all non-VPN packets. This allows ARPs for the VSU's primary IP address that come in the private port (remember, it is the only port plugged in) to be resolved.

The Bind Both Primary and Private IP Address to the Private Port setting is available for legacy support. In particular, with this setting the VSU always ARPs out both ports, independent of the Advanced Filter setting, and it always uses the private port's MAC address for all packets originating from the VSU. Use this setting if you need a VSU running VPNos 3.1.xx or later to support this legacy behavior. Generally, only if the VSU firmware is earlier than 3.1 and the VSU is the only device between the internet and the private network (not in parallel with a firewall) is Bind both Primary and Private IP addresses to private port checked.

Path MTU Discovery

When a device communicates with another network device, it attempts to discover the largest packet it can transmit to the other network device. The largest packet the network can transmit is called the maximum transmission unit (MTU).

As a packet is routed through different networks, it may be necessary for a router to divide the packet into smaller pieces because it might be too large to transmit as a single packet on a different network. This may occur at the interfaces of physically different networks. The MTU of a security gateway
164. ates. The predefined templates can be used as a basis for user defined templates; however, the predefined templates cannot be modified. For detailed information regarding the predefined templates, see Firewall rules template on page 297.

Figure 53: Predefined firewall template, high (screenshot not reproduced).

User defined templates

The VPNmanager firewall templates can be used as a general rule set or as a starting point for creating a customized firewall policy, or user defined template, that conforms to the corporate security requirements. The template rules are enforced on the public interface, the interface through which the security gateway directly connects to the outside world.

To create a user defined firewall template:
1. Move to the Configuration Console window.
2. From the Objects column, select Firewall Template.
3. Click New Object to start the New Firewall Template wizard.
4. In the Name text box, type in a name for your new firewall template.
5. Firewall rules set up: Select Template, Device, or None.
Template: The user defined template is created using a predefined template (high, medium, or low). Select the template from the drop-down list.
Device: The user defined templa
165. ateway. This file cannot be applied to another security gateway.

Use the License button to upload the licenses from the VPNmanager Console. Once you have received the license file from your sales representative, upload the license file to the security gateway as follows:
1. Save the license file to a directory on the computer.
2. From the security gateway object Upgrade tab, click License.
3. Navigate to the directory where the license was saved and select the license file. Click Open.
4. Choose the security gateway for which the license needs to be updated. Click OK.
The license is uploaded to the security gateway and the status of the upload is shown.

Encryption Strength

This button launches the Encryption Strength screen, through which DES or 3DES encryption can be activated. When initially launched, the security gateway is polled for the current status of this feature, which is displayed on the first line (DES or 3DES). Click on the radio button for the desired encryption method. Click OK after you have selected the encryption.

Note: You are required to enter a valid license registration number to activate this option. Should you miskey the number, a "Registration number invalid" message appears. Other error messages may also appear if the security gateway is not reachable.

Remote Access (VSU 100 Only)

While the VSU 100 is designed for site
166. ateway for Voice over IP, and how to create and map Quality of Service (QoS) rules.
Chapter 9, Using advanced features, describes using certificates, configuring the Directory Server, resilient tunnels, and high availability groups.
Chapter 10, Monitoring your network, describes the monitoring and reporting features of the VPNmanager software. This includes SNMP, Syslog Services, Reports, and Alarms. These features allow virtual real-time monitoring of the VPN performance and of specific security gateways.
Chapter 11, Device management, describes how to optimize the VPNmanager, check connectivity, reset the device time, reboot, resetup a security gateway, and how to import a VPN.
Chapter 12, Upgrading firmware and licenses, describes how to use the automatic upgrade feature to upgrade the firmware for a security gateway or for a group of security gateways, and how to add new licenses to your security gateway.
Appendix A, Using SSL with Directory Server, describes the benefit of using secure socket layer (SSL) with the Directory Server.
Appendix B, Firewall rules template, describes the predefined firewall templates that are included in the VPNmanager.

Contacting Technical Support

Technical Support is available to support contract holders of Avaya VPN products.
Domestic support
• Toll-free telephone support: 866-462-8292 (24x7)
167. ault, DHCP client is used to configure the public IP address. Only one public zone can be configured on the security gateway. The private interface provides connection to the private local area network (LAN), or your corporate LAN. By default, the private network interface is configured with the DHCP server. The private interface is the default setting for CNA.
4. Enter the test request port value. The test request port value is the port on which the test plug receives a test request. The test request includes authentication and a validly formatted request from the CNA test plug scheduler. The value for the test request port ranges from 1 to 65535. The default value is 50000.
Important: When the default test request port value is modified, you must create a new CNA service to use the new test request destination port. If the security gateway is configured to allow CNA traffic, be sure to update the firewall rule to use the new CNA service.
5. Enter the RTP test port value. The RTP test port value is the value of the real time transport protocol. The value for the RTP test port ranges from 1 to 65535. The default value is 50001.
Important: When the default RTP test port value is modified, you must create a new CNA service to use the new RTP test destination port. If the security gateway is configured to allow CNA traffic, be sure to update the firewall rule to use the new CNA s
168. ault path.
Definity CLAN Port: The port number for the Definity server. The default port is 1719. The port range is 1 to 65535.
Option 66: The standard DHCP option for TFTP server.
IP Telephony Domain: This is the domain name that the IP telephone device is assigned.
Important: When symbolic host names are included in the TFTP server or CLAN lists, the IP telephone will append the IP Telephony Domain name, if entered, to the list entry in order to create a fully qualified domain name (FQDN). You can, however, enter host names using the FQDN form of <myhost>.<mydomain>.<toplevel domain>, in which case you should leave the IP Telephone Domain name field empty. Also be aware that the current version of IP telephone firmware will truncate the TFTP and CLAN lists to a maximum of 255 characters each. Thus, when using the FQDN form of host name entries, it would be possible to exceed that limitation very quickly.
TFTP Server: This is the server on which the latest version of the IP telephone firmware is maintained for upgrade purposes. A maximum of five TFTP servers, with IP addresses or symbolic host names, can be configured on security gateways running VPNos 4.6 and higher.
Definity CLAN List: The IP address of the Definity CLAN server. A maximum of 20 CLAN IP addresses or symbolic host names can be configured on security gateways running VPNos 4.6 and higher.
3. Click OK and then click Save.

Note: When you configure
169. ause it is impossible to know ahead of time which address is assigned. The security gateway solves this problem by using Client IP Address Pools.

Avaya VPNmanager Configuration Guide, Release 3.7

A Client IP Address Pool is a range of source IP addresses that is recognized by an ACD. The pool is stored in the security gateway, so when it recognizes an inbound packet from a VPNremote Client, it swaps the source address with one from the pool. When the security gateway recognizes an outbound packet having a pooled address, it changes the destination address to the remote client's address. A security gateway can be configured with multiple pools. When selecting a list of source addresses to pool, choose ranges that are not used by the destination network.

Figure 40: Policy Manager, Client IP address pools (screenshot of the Client IP Configuration policy, with Current Client IP Address Pool, Client DNS, Client WINS, Secondary WINS Address and Primary WINS Address fields)

Add Client IP address pool

From the Policy Manager properties, you select Client IP Configuration to add new client IP addresses. At the top of the screen is the target security gateway on which this address pool resides. For VPNos 4.2 and earlier, you enter the starting address of the range in the Client IP Address Range Start f
170. ay to deny all non-VPN traffic through the security gateway console, refer to Preparing the security gateway for Configuration of the security gateway User's Guide. For additional information on how to configure the security gateway to deny all non-VPN traffic through the initial security gateway Quick Setup, refer to Configuring a security gateway.

To configure the security gateway to deny all non-VPN traffic through the VPNmanager:

1. Move to the Configuration Console window. Select Devices.
2. From the Device > Contents column, select the security gateway you want to configure.
3. Click the Policies tab to bring it to the front.
4. From the drop-down list, select Packet Filtering, then click GO to open the Policy Manager for Packet Filtering.
5. Click Advanced to display the Packet Filter Rule Advanced window.
6. Select the Deny all non-VPN traffic radio button.
7. Click OK.
8. Click Save.
9. From the upper right-hand corner of the window, click the close button to return to the Configuration Console window.
10. When you want to send the configuration to the security gateway, click Update Devices.

Virtual addresses

Once you have enabled High Availability by selecting the check box, configure the public and private Virtual Addresses. The configured Virtual Addresses are shared among all members in the HA group. The public Virtual Address is used as the tunnel en
171. aya Inc. in the United States of America hereby certifies that the equipment described in this document and bearing a TIA TSB-168 label identification number complies with the FCC's Rules and Regulations 47 CFR Part 68 and the Administrative Council on Terminal Attachments (ACTA) adopted technical criteria.

Avaya further asserts that Avaya handset-equipped terminal equipment described in this document complies with Paragraph 68.316 of the FCC Rules and Regulations defining Hearing Aid Compatibility and is deemed compatible with hearing aids.

Copies of SDoCs signed by the Responsible Party in the U.S. can be obtained by contacting your local sales representative and are available on the following Web site: http://www.avaya.com/support

All Avaya media servers and media gateways are compliant with FCC Part 68, but many have been registered with the FCC before the SDoC process was available. A list of all Avaya registered products may be found at http://www.part68.org by conducting a search using Avaya as manufacturer.

European Union Declarations of Conformity (CE)

Avaya Inc. declares that the equipment specified in this document bearing the CE (Conformité Européenne) mark conforms to the European Union Radio and Telecommunications Terminal Equipment Directive (1999/5/EC), including the Electromagnetic Compatibility Directive (89/336/EEC) and Low Voltage Directive (73/23/EEC). This equipment has been certified to meet
172. aya.com and select the security gateway type to be downloaded; follow the links to the Readme file.

Note: Because the upgrade procedure removes the security gateway from service, firmware upgrades should be a scheduled maintenance activity.

To upgrade a security gateway's firmware:

1. Once you have received your password, go to the Avaya Support Technical Database Web page at http://support.avaya.com, click VPN and Security, and select the appropriate security gateway type to download.
2. Click Software Downloads and follow the links. Click the security gateway type link to begin the download process.
3. Select Save this file to disk. Click OK.
4. Browse to the directory where the VPNos download files should be saved. Click Save.
5. Navigate to the directory where the VPNos file was saved.
6. Double-click the firmware zip file to begin extracting the VPNos image. The Password screen appears.
7. Enter the password from technical support.
8. Go to the VPNmanager Console, then move to the Configuration Console window.
9. Click View > Device to list all the security gateways in the Contents column.
10. From the Contents column, select the security gateway to upgrade.
11. Click the Upgrade tab to bring it to the front.
12. Click Upgrade Firmware; the Open dialog box appears.
13. Navigate to the directory where the VPNos firmware image was saved.
14. Select the update.bin file.
15.
173. ayload of a new packet with a new addressing header. This new addressing header specifies the IP addresses of the packet's source and destination, whether they be two security gateways or a VPNremote Client and a security gateway.

[Figure: tunnel mode. The original IP packet (source address, destination address, payload) becomes the payload of an IP packet with applied VPN services, whose new header carries the source VSU or Client address and the destination VSU or Client address plus the IPSec/SKIP overhead; the result is the tunnel-mode secured VPN IP packet.]

The choice between using transport and tunnel mode involves many factors, including the use of private IP addresses for Groups and security concerns about the visibility of member workstation IP addresses. The following key management and packet mode combinations are supported:

- SKIP in Transport or Tunnel mode
- IKE in Tunnel mode only

Default VPN policy

Default VPN applies only to the IKE VPN and is used in conjunction with RADIUS authentication. Only one VPN can be the default VPN in a domain. When you create a VPN, you can enable this function.

Default Policy is an alternative method of external user authentication. This feature is suited for large IKE-based VPNs where hundreds or even thousands of users are authenticated, or where the ability to scale the VPN to large numbers of authenticated users is required. This default VPN policy is applied to any remote user authenticated successfully by the external RADIUS server. When a
174. bit blocks and encrypt each block with a 56-bit key.
- Select 3DES to divide VPN traffic into 64-bit blocks and encrypt each block three times with three different keys.

Use the Authentication Algorithm list to select a specific type of algorithm that each security gateway must use to authenticate each other.
- Select Any if you want the security gateways to automatically negotiate which algorithm to use.
- Select MD5 if you want each security gateway to authenticate each other using the Message Digest 5 (MD5) hash function.
- Select SHA1 if you want each security gateway to authenticate each other using the Secure Hash Algorithm 1 (SHA-1). SHA1 is considered to be a stronger hash function than MD5 and may be required for US Federal applications that do not require a digital signature.

Use the Lifetime text boxes and lists to configure the time limit for creating and exchanging a new set of unique keys. If the Time-based value expires before the Throughput value, key creation and exchange is performed, and likewise if Throughput expires before the Time-based value.

Click Modify Secret to open the Modify Secret dialog.

Create a shared secret for authenticating security gateways and members of the VPN.
- To manually create a secret, type in an alphanumeric string in the text box.
- To au
175. c address is applied to the public port. If you specified a private IP address during the VSU Console Quick Setup and the VPNmanager VSU Setup wizard, this address should match that address.

A VSU does not need a private IP address to operate, but some networks may require that a VSU use two addresses. For example, the VPNmanager Console may be running on a machine that is on the private side of a VSU having a single address. VPNmanager Console to VSU communication then has to be routed to the public port of the VSU, which may not be a direct path. The direct path would be to the private port.

A typical use of the private IP address is when the VSU's private-side IP network is a different network (different network number and/or mask) from the VSU's public-side IP network, for example when you deploy the VSU in parallel with a firewall or other access device.

If you are using the VSU's primary IP address as the management IP address, use caution when changing it from the VPNmanager. Modifying the private IP address when it is used as the management IP address may cause loss of connectivity between the VSU and the VPNmanager.

Note: The VSU's private and public IP address may be used as a gateway IP address for VPN traffic.

To add a private IP address:

1. From the Device > Contents column, select the VSU you want to configure. Click the Advanced tab to bring
176. cable to the private interface. The default for domain name is private.

Field: Description

Primary WINS: This is optional. Configure primary WINS when delivering network configuration information to DHCP clients. The security gateway will deliver the primary WINS server information before the secondary WINS server information. This order of delivery will ensure that DHCP clients will use the WINS servers in the specified configuration order.

Secondary WINS: This is optional. Configure secondary WINS when delivering network configuration information to DHCP clients. The security gateway will deliver the secondary WINS server information after the primary WINS server information. This order of delivery will ensure that DHCP clients will use the WINS servers in the specified configuration order.

IP Device Configuration: This is configured to add support for additional IP devices to the DHCP Server.

IP Telephony Settings: This is optional. Configure IP Telephony when IP telephones are connected to the security gateway. See IP Telephony Configuration below.

When the DHCP server is configured, you can configure the IP Device and the IP Telephony settings. Click IP Devices to display a list of all IP devices that the DHCP server currently supports. The MAC address and IP address are listed, along with information that relates to IP telephony devices.

Note: Chan
177. can be recognized by an ACD so that user access is not blocked.

SSL for Directory Server

As an added benefit, all communications with the directory server can be secured by SSL (Secure Sockets Layer). You can configure your VPN to run SSL at any time. However, it is recommended that you configure SSL before you put the VPN into service, so that the VPN services do not have to be stopped.

Sequence to configure your VPN

The suggested order to set up your VPN is as follows. Refer to the chapters in this VPNmanager Administrator's Guide for details about how to create and configure these features.

1. Create a VPN domain.
2. Create the VPN.
3. Create a security gateway.
4. Configure needed static routes on the gateway.
5. Create IP groups.
6. Associate IP groups with the security gateway.
7. Associate IP groups with the VPN.
8. Create new users.
9. Associate users with VPNs.
10. Create a VPNremote Client address pool on the gateway.
11. Configure firewall rules.
12. Associate firewall rules with the correct gateway and security zone.
13. Configure other features such as QoS, VoIP gateway, DHCP, NAT, routing, etc.

Chapter 2: Using VPNmanager

With Avaya VPNmanager, you can define, configure and manage VPNs and firewall policies, upgr
178. ces.

6. Click Save to save your work.
7. To send the configuration to the device, click Update Devices.

Failover TEP

Failover TEP is used to protect site-to-site VPN traffic that moves through the public networks. The endpoints for tunnels are located in SGs. Up to four head-end devices can be configured to back up a specific security gateway. Upon completion of the Failover TEP configuration, the VPNmanager will download identical VPN configuration to the alternate head-end devices. When a remote device fails at the primary head end, the alternate head-end device will provide the same VPN services.

The most desirable configuration would include the same devices; however, this is not required as long as each device has a license to service the number of VPNs configured on the primary head-end device. For example, if the head-end device is an SG203 and supports 8000 tunnels, the alternate head-end devices should be SG203s supporting 8000 tunnels. If the head-end device is a VSU100, the alternate head-end devices should be VSU100s. For more information regarding configuring VSUs with a similar Failover TEP configuration, see Resilient Tunnel on page 212.

Note: Beginning with VPNmanager 3.6, Failover TEP is configurable on security gateways running VPNos 4.5.

Figure 70: The Failover TEP tab for a security gateway object (screenshot of the Configuration Console)
179. ces and directions that the FTP server opens a data connection to the client. For example, if the FTP client is on the private side of the security gateway and the FTP server is on the public side of the security gateway, define the interface and direction as Public In or Private Out.
2. Click Next to display the Source Network Objects dialog. Select FTP Client.
3. Click Next to display the Destination Network Objects dialog. Select the FTP Server.
4. Click Next to display the Services dialog. Select FTP Control and select Passive FTP.
5. Click Finish to complete the set up of the firewall rules. Click Save.

To add a new firewall rule for active FTP:

1. Complete Steps 1 through 12 for adding a new rule. Enter the required firewall information in the wizard.
2. Click Next to display the Source Network Objects dialog. Select FTP Server.
3. Click Next to display the Destination Network Objects dialog. Select the FTP Client.
4. Click Next to display the Services dialog. Select Active FTP.
5. Click Finish to complete the set up of the firewall rules. Click Save.

Firewall templates

VPNmanager includes predefined firewall templates (high, medium and low), allowing network administrators to conveniently build secure policies and use the templates as the security foundation in many different network locations. Administrators can also create their own user-defined templates.

Predefined templ
180. chanism that allows private, non-routable networks to connect to public, routable networks.

If you are creating an extranet, choose Not My security gateway as the Group's associated security gateway. Doing this enables the IP Address of Extranet security gateway entry field. Enter the IP address of your partner company's security gateway. This is required if any VPNs serviced by a VSU 1100, VSU 1010 or VSU 10 are in tunnel mode.

Glossary terms in this fragment: Oakley, Packet Filter, Perfect Forward Secrecy, PKI, Preshared Secret, Public Key Certificate, RADIUS, Resilient Tunnel, SA, Session Key, Signing Certificates.

Oakley: A key exchange protocol used in IPSec as part of the Internet Key Exchange protocol.

Packet Filter: Hardware or software mechanism used in firewalls to discard packets based on the contents of the packet headers.

Perfect Forward Secrecy: Perfect Forward Secrecy defines a parameter of ISAKMP in which disclosure of long-term secret keying material does not compromise the secrecy of the exchanged keys from previous communications. Enabling Perfect Forward Secrecy is more secure. See the IETF draft-ietf-ipsec-oakley-02.txt for more information on Perfect Forward Secrecy.

PKI: Public Key Infrastructure is the organization of certificate issuers and certificate management processes.

Preshared Secret: Preshared Secret is the simplest key management method used to construct a VPN. Authentication k
181. cify the IP address of the called trunk endpoint. In the Proxy IP field, specify the public IP address that is being shared. In the Proxy Port field, enter the proxy port. The default is 1720. If this is a Gatekeeper routed call, the default is 1719. Click Finish.

Figure 56: Voice over IP tab (screenshot of the Configuration Console, VoIP tab with Enable check box)

Using the Gatekeeper Routed Call Model

The Gatekeeper Routed call model should be used when there is an SG in the network path between IP endpoints (e.g. IP hard phones and IP soft phones) and the Gatekeeper with which those IP endpoints register, and (1) either the IP endpoints or the Gatekeeper is being NATed by the SG, or (2) the SG's Firewall function is enabled.

When using the Gatekeeper Routed Call Model, configure the following:
- Service Port: The port to which the IP endpoints will send Registration, Access, Status (RAS) messages.
- Source Endpoints Zone: The zone where the IP endpoints are located with respect to the SG, e.g. private when the IP endpoints are on the private side of the SG.
- Source Endpoints Network Objects: The IP networks that define the IP address space of
182. click VPN to list all VPN Objects in the Contents column.

Open the Configuration Console window. From the Contents column, select the VPN Object that needs to be rekeyed. Click the Actions tab to bring it to the front. Click Rekey to create the new key and open the Rekey message box. Click OK to return to the Configuration Console window. Click Update security gateways to send the key to all security gateways in the VPN.

Chapter 8: Establishing security

This chapter describes the VPNmanager security measures you can configure to establish a secure domain. Included in this chapter is how to set up the following:
- Firewall rules set up (4.2 and later)
- Denial of Service (4.X)
- Services
- Voice Over IP controls (4.X only)
- QoS policy and QoS mapping (4.31)
- Packet Filtering (8.x only)

Firewall rules set up

Use the Firewall Rules feature to manage the firewall rules that the domain and the security gateway use. VPNmanager firewall policy management minimizes configuration complexity and increases scalability. The firewall policy allows deployment of a secure network infrastructure in a relatively short amount of time.

The security gateway uses a rules-based method of packet inspection, where the priority of each rule is determined by its position in the list (highest is top priority). The first match determines the fate of the packet
183. configure each class setting with associated values. Click the row for the type to be configured. The Class Based Queuing dialog appears.

Figure 59: Modify QoS bandwidth, burst and DSCP value screen (Class Based Queuing dialog with Type, Bandwidth Allocation, Burst and DSCP fields; allowed DSCP values are 0-63, entered separated by commas, for example 5,8,62)

Configure bandwidth, burst and DSCP values:
- Enter the percentage of bandwidth to be allocated for this type. When classes are configured, it is recommended that the sum total allocation of all the classes be less than 98% and that bursting be allowed to take advantage of the unused bandwidth; 2% is always internally allocated to control traffic.
- Burst is set to No. Change it to Yes if bursting should be allowed. If bursting is configured, when this class becomes over limit it tries to borrow from the unused bandwidth. If there is no unused bandwidth, then the packets are dropped when the class becomes over limit.
- The same DSCP value cannot be assigned in multiple classes for one interface. Do not specify the same DSCP/Services/Network combination in multiple classes. If DSCP will not be specified as a criterion in a class, leave the DSCP default value of 0. In this case it is recommended to assign unique services/networks to this class. Do not a
184. configured a dynamic NAT rule, do the following:
- From the NAT Rule list, select your new rule to highlight it.
- In the Translated Address will age out in text box, type in the number of minutes of undetected traffic that must pass before the assigned translation address is returned to the pool of available addresses.
12. If necessary, use the Move Down and Move Up buttons to rearrange the position of the new rule in the NAT list.
13. Click Save.
14. Close the Policy Manager dialog box.
15. From the Configuration Console, click Update Devices to send the configured information to the security gateway.

Tunnel NAT rules

Tunnel NAT rules are applied to VPN traffic before encapsulation and encryption. During VPN setup, tunnel NAT rules are applied.

To add a tunnel NAT rule:

1. From the Configuration Console > Device Contents pane, select the Policy tab to bring it to the front. Select NAT from the list. Click GO. The NAT Rules dialog is displayed.
2. Click Add to open the Add NAT Rule dialog box.
3. Select the tunnel zone for the NAT rule. The Media Interface field displays the media that corresponds to the zone that you select.
4. From the Type list, select either static or port.

Note: A Redirection NAT rule cannot be applied to the tunnel zone.

5. In the Original area, complete the available or active areas:
- Option: From the list, select a pair of configured VPN local members
185. context field 51
license upgrade 290
lifetime 143
lifetime, IPSec 147
Lifetime options, IPSec rekeying 155
Lifetime options, key 153
limitation, NAT (Network Address Translation) 90
Local Authentication 110
local DHCP Server 71
Log Group parameters 252
LRQ (learn request) 177
VARAS 145
LZS drop-down list 153
M
management zone 69
marking packets, about 192
MD5 authentication, SKIP, selecting 151
MD5 authentication, selecting 153
Members IP Groups tab 152
Members IP Groups tab, SKIP VPN Object 151
Members Users tab 152
Members Users tab, SKIP VPN Object 151
Memo tab, for User Objects 118
Memo tab, SKIP VPN Object 150
Memo tab, VPN Object 152
MIBs, SNMP 17
mode: Certificate 134; New PIN 106; Next Token 106; Preshared Secret 134; Transport 133; Tunnel 133
Modify Secret button 153
modulus in IKE VPNs, keying algorithm 154
Monitor, Monitor Wizard 250
Monitoring Groups
186. ct Failover as a New Object. The Failover tab appears.
10. From the Failover > Contents column, select the device to configure for Failover.
11. In the Remote TEP field, click Add to enter the tunnel endpoints (TEP) for the central site to which the remote VPN device establishes a network connection. If the network path failure criteria are met while the remote security gateway is trying to establish a network connection, the remote VPN tries the alternate TEPs until a network connection is made.

For more information regarding Failover, see Failover on page 226.

Advanced Action

The Device Advanced Action tab provides access to advanced security gateway functions, including switching the NOS execution from flash 0 to flash 1 or back, resetting the security gateway's password, or disabling FIPS on the selected security gateway.

Figure 71: Advanced Action tab (screenshot of the Configuration Console showing the Advanced Action tab)

Switch Flash

Switch flash is used to switch the flash chip from which the security gateway is executing its NOS. Normally, a duplicate image of the NOS is loaded into the second flash bank; however, a new or previou
187. ction is used to set up and maintain logical groups in which the individual VPN users reside. User groups have a single-level hierarchy; you cannot have a user group within another user group.

A User Group Object is a method for simultaneously managing many user objects (remote users). For example, all remote users who are in sales can be consolidated into a single user group. Then that group can be associated with one or more VPN objects. Without user groups, remote users would have to be individually associated with a VPN object.

User groups are easy to create and configure. You give them a name, then populate them with user objects. Users can belong to more than one user group. When this is the case and policy conflicts exist, permit wins over deny, and user group settings override individual user settings.

User groups can be created at any time. But since they are configured with user objects, you should configure users before configuring user groups.

New user group

To create a user group:

1. From the VPNmanager console main page, click New Object and select User Group. The New User Group dialog is displayed.
2. In the Name text box, type in a name for the new group. Any characters can be used except a comma.
3. If you want to create more groups, press ENTER, then type in another name.
4. Click Apply, then Close to return to the Configuration Console window.
5. Click Save.

You now configure your new user group.

Note: Renami
188. curity gateway. It includes a checklist for implementing the network.

Chapter 2, Using VPNmanager, explains how to log in to VPNmanager. It also explains how to use the VPNmanager interface, including the VPNmanager main console and the configuration console. The VPNmanager Preferences are described here.

Chapter 3, Setting up the network, explains how to create a domain and create and configure a security gateway. This chapter explains how to configure the Device object, including multiple zones, NAT, services, DNS and Static Route.

Chapter 4, Configuring IP Groups, describes how to configure IP Group Objects for Data Terminal Equipment (DTE), such as computers, printers and network servers, as members of your VPN.

Chapter 5, Configuring remote access users, describes how to set up and maintain individual remote access users in the VPN. This chapter includes Dyna-Policy configuration and information about the Policies tab, including Client IP configuration, RADIUS, ACE services and client attributes.

Chapter 6, Configuring user groups, describes how to set up and maintain the logical groups in which the individual VPN remote users reside.

Chapter 7, Configuring VPN objects, explains VPN Objects as the method for linking VSUs, remote terminals and LAN terminals in a fully configured VPN.

Chapter 8, Establishing security, describes the levels of Firewall policy management and Denial of Service available, how to configure the security g
189. curity gateway can also be shown. All alarm information is stored locally on the VPNmanager Console.

This window provides detailed information about the alarm, including a time stamp, the security gateway generating the alarm, alarm definition, first and last occurrence. This window appears even if it does not contain any content. The most recent entry is at the top of the list.

- Properties: The Alarm Properties screen displays a list of specific alarm types and their corresponding disposition action (ignore or take action). Refer to Table 29 for Alarm Type descriptions. The default is Take action on Alarm.
- Delete: A Delete button appears at the bottom of the window. The highlighted alarm(s) is deleted when the Delete button is clicked.

Figure 83: VPNmanager Alarm Pane Properties

Alarm Types

Table 29: Alarm Descriptions

(Alarm Properties dialog: each Alarm Type has an Ignore Alarm / Take action on Alarm disposition. Alarm types listed: Cold Start, SKIP Parse Errors, Ns Out Of Order, SKIP Algorithm Mismatch, Invalid Packet Signature, Packet Parse Errors, Improper Encryption Encapsulation, Unable to reach VSU.)
190. curity gateway periodically checks connectivity to designated devices to evaluate the availability of the network path to the central site resources. These devices can be within the VPN, such as the corporate e-mail server at the central site. These devices can also be outside the VPN, such as a public DNS server.

When a network path fails, the remote security gateway tries to establish a network path through an alternate central site. If the remote security gateway cannot use that second central site TEP to establish a network path, the remote security gateway continues through the list of configured TEPs and tries to establish a usable network path to the central site resources.

If none of the configured tunnels can establish a network path and the remote security gateway is configured with a public backup interface, the remote device tries to establish a path through this alternate link. When the public backup zone is in use, the security gateway does not perform failover connectivity checks to the designated hosts. When the idle timer is enabled, and as long as there is traffic, this alternate network link is used. If the configured idle time elapses, the public backup interface is taken down. The security gateway then tries to reestablish the network connectivity through the primary network path.

Note: If the public backup interface idle timer is disabled, the security gateway conti
191. curity gateways to verify that they are running. If a security gateway fails to respond, an error message is displayed in the Alarm Console.

TEP Policy

The Tunnel End Point (TEP) Policy tab lets you control the security policy applied to the traffic that flows between the end points of a tunnel. The default is off, that is, do not apply configured VPN policies to TEP traffic. See TEP Policy on page 209.

Figure 16: Tunnel End Point Policy

Chapter 3: Setting up the network

This chapter describes the following features that are configured for the domain and the security gateway:
- New VPN domain
- Security gateway, including:
- Domain name system resolution
- Zone interfaces
- NAT policies
- Static route table
- Routing information protocol (RIP)

New VPN Domain

A domain can be created to meet the networking needs of an entire organization, or a domain can be created to meet the needs of specific departments of an organization. Existing VPN configurations can be imported into other domains, creating interconnected domains.

When you log in to the VPNmanager Console the first time, you must create a domain. You create a domain name and select firewall rules to be applied to the domain (see Chapter 8, Establishing security). After the domain is created, you can c
192. d certificate storage.

Payload key lifetime defines the extent to which a single set of cryptographic keys is used when applying VPN services to IP packets. Key lifetimes can be defined by either the amount of data acted on by this single set of cryptographic keys or the amount of time these keys are used before a key change. The more often a key is changed, the more secure the system, although performance may be affected by frequent key changes.

Lempel-Ziv-Stac, a compression algorithm.

A network address and network mask. Two 4-byte pairs, for example 1.1.1.0 and 255.255.255.0.

The enterprise-specific Management Information Base in the Avaya Inc. security gateways. The Enterprise MIB information allows the administrator to obtain basic monitoring information, such as the network table, packet counter and general information regarding the security gateway, using third-party software.

The non-enterprise-specific Management Information Base in the Avaya Inc. security gateways. The MIB II allows the administrator to obtain basic monitoring information, such as device ethernet information, routing and ARP tables, SNMP traps, packet statistics and other general information regarding the security gateway, using third-party software.

A utility by which an existing VPNmanager database is converted into an LDAP database for compatibility with VPNmanager 3.0 or later.

See Certificates, My Certificates.

Network Address Translation (NAT) is a me
193. …d certificateRevocationList;binary paragraphs to a new file.
9. Save the new CRL as crl.ldif.
10. Add a certificate dn header to the crl.ldif file. Use the following dn header format:

   dn: cacertificate=IssuerCRL, ou=<your VPN Domain>, o=<your DNS Domain>
   objectclass: certificationAuthority

   Note: dn specifies where the CRL entry is filed in the directory.

11. Import the crl.ldif file by opening the Netscape Console login dialog box:
   - Solaris OS: in the server root, enter startconsole.
   - Windows NT: from the Windows Taskbar, click Start > Programs > Netscape Server Family > Netscape Console.
12. In the User ID text box, type the Administrative ID string used during the server installation procedure.
13. In the Password text box, type the password string used during the server installation procedure.
14. Click OK to open the Console window.
15. From the left pane, select the directory server containing your VPN data.
16. Double-click to open the console window for that server.
17. Click the Configuration tab to bring it to the front.
18. From the left pane, select Database.
19. Right-click and select Import to import the crl.ldif file.
20. In the Import Database window, browse to locate the crl.ldif file.
21. Click Open to import the crl.ldif file. The Import Database message box ap…
194. …d footer.

Note: The right side of the certificate body must be evenly justified. If the certificate was sent to you in a web page, where the last line may run past the right side, place a carriage return at the appropriate point in the line to even it up. Also place a carriage return at the end of the footer line.

12. Return to the Policy Manager for My Certificates for the specific VSU.
13. From the Maintain Certificates list, select the item identifying the requested certificate.
14. Click Download Fulfilled Request to VSU to open the Open dialog box.
15. Use the Look in drop-down list to navigate to the location of the signed certificate file. The manager uses DER as the default filename extension, but TXT can be used.
16. Select the signed certificate file, then click Open to return to the Policy Manager window.

After the VSU has received the signed certificate, the Status column changes from Request Ready to Cert Accepted.

Switching certificates used by VPNmanager Console

VPNmanager Console uses the default certificate of the VSU to establish a secure connection with that VSU. The default certificate can be used until it expires (6 years) or until the VPNmanager Console is made to use a different certificate. The VSU certificate used by VPNmanager Console can be changed at any time.

To switch certificates:
1. From the Device > Contents column, select the VSU you want to configure…
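The following Python script is an added example written for this edited page; it is not from the Avaya guide or Avaya software. It covers the two file-preparation steps above that are easy to get wrong by hand: re-wrapping a base64 certificate whose lines arrived uneven (the alignment note), and folding a DER CRL into the crl.ldif entry described in the CRL procedure. The RDN cacertificate=IssuerCRL is copied from the guide's dn header; the certificate and CRL bytes are constructed stand-ins, not real data.

```python
"""Added example (not from the Avaya guide): re-wrap a PEM certificate body
to even 64-column lines and fold a DER CRL into an RFC 2849 LDIF entry using
the dn header format shown in the CRL import procedure. Sample bytes below
are constructed stand-ins, not a real certificate or CRL."""
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(text: str) -> bytes:
    """Validate header, footer and base64 body; return the decoded DER."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("missing PEM header or footer")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not base64")
    return base64.b64decode(body, validate=True)  # also checks the padding


def normalize_pem(text: str, width: int = 64) -> str:
    """Return the certificate with every body line `width` chars (the last may
    be shorter), header and footer intact, and a newline after the footer:
    the evenly justified form the import step expects."""
    b64 = base64.b64encode(pem_to_der(text)).decode("ascii")
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([PEM_BEGIN, *body, PEM_END]) + "\n"


def ldif_binary_attr(name: str, data: bytes, width: int = 76) -> str:
    """'name:: <base64>' folded per RFC 2849: no line longer than `width`,
    every continuation line starting with exactly one space."""
    first = f"{name}:: "
    b64 = base64.b64encode(data).decode("ascii")
    room = width - len(first)
    lines = [first + b64[:room]]
    for i in range(room, len(b64), width - 1):
        lines.append(" " + b64[i:i + width - 1])
    return "\n".join(lines)


def crl_ldif_entry(vpn_domain: str, dns_domain: str, crl_der: bytes) -> str:
    """Build the crl.ldif entry: dn header, objectclass, then the CRL.
    Assumes the domain names need no DN escaping (no commas, plus signs)."""
    dn = f"cacertificate=IssuerCRL, ou={vpn_domain}, o={dns_domain}"
    return "\n".join([
        f"dn: {dn}",
        "objectclass: certificationAuthority",
        ldif_binary_attr("certificateRevocationList;binary", crl_der),
    ]) + "\n"


def parse_ldif_binary_attr(entry: str, name: str) -> bytes:
    """Unfold continuation lines and decode one base64 attribute, so the
    folding above can be checked to round-trip."""
    unfolded = entry.replace("\n ", "")
    prefix = f"{name}:: "
    for line in unfolded.splitlines():
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):], validate=True)
    raise KeyError(name)


# Constructed sample: 768 arbitrary bytes standing in for DER, and its base64
# split at 70 and 60 characters the way a web page paste might deliver it.
SAMPLE_DER = bytes(range(256)) * 3
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
UNEVEN_PEM = "\n".join([PEM_BEGIN, _B64[:70], _B64[70:130], _B64[130:], PEM_END])

if __name__ == "__main__":
    print(normalize_pem(UNEVEN_PEM))
    print(crl_ldif_entry("Sales", "example.com", SAMPLE_DER))
```

Run the script directly to see both outputs. The 64-column PEM body is the conventional width, and the LDIF fold follows RFC 2849 (76-column lines, continuation lines prefixed by a single space); if an import still fails, a missing newline after the footer is the first thing to check.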
195. …d point, while the private Virtual Address can be used as the default route for the network behind the security gateway. Configuring the Virtual Addresses in this manner ensures that every member of the HA group has the same configuration and that this configuration does not change on failover.

Advanced parameters

The Advanced Parameters are displayed by clicking the Advanced button. Once configured, the Advanced Parameters are common to all members in the HA group.

Advertisement Interval (in seconds): The time interval the passive member waits for an advertisement from the active member. The passive member must see this interval elapse without an advertisement repeatedly (at least three times; see Missed Advertisements Before Becoming Active) before it forces an election to become the active member. The Advertisement Interval range is 1 to 255 seconds.

Missed Advertisements Before Becoming Active: The number of advertisement intervals that may pass without an advertisement. At least one advertisement must be received by the passive member from the active member. If the passive member then stops receiving advertisements, it assumes that the active member is down and forces an election to become the active member. The value ranges from 3 to 16.

Group ID: Allows configuration of a unique identifier for the HA group. By using the Group ID, the HA group avoids conflicts with…
196. …d to the same network segment as this port.
Total Frames Discarded: Total number of frames discarded on this port because of some error.
Local Frames Received: Total number of frames received on this port destined for this unit's IP address.
Local Frames Xmitted: Total number of frames transmitted from this port with the unit's MAC address as the source MAC address.
Available Xmit Buffers: Total available VPNos transmit buffers on this port.
No Receive Buffer Errors: The number of packets dropped on this port because no VPNos receive buffers were available.
Missed Frames: The number of frames dropped on this port because the Ethernet chip had no receive buffers available.

Table 28: Ethernet Statistics Table Parameters (continued)
CRC Errors: The number of packets dropped on this port because of CRC errors.
Frame Errors: The number of packets dropped on this port because of frame errors.
Overflow Errors: The number of packets dropped on this port because of overflow errors.
No Xmit Buffer Errors: The number of packets not transmitted on this port because no VPNos transmit buffers were available.
Lost Carrier Errors: The number of packets not transmitted on this port because of lost carrier errors.
Xmit Collisions: Th…
197. …Discard: …ded on this port because of errors.
Ethernet Header Errors: The number of LAN frames discarded on this port because of Ethernet header errors.
Non-IP Packets Received: The number of non-IP packets received on this port.
VPN Packets Received: The number of VPN packets received on this port.
Non-VPN IP Packets Received: The number of non-VPN IP packets received on this port.
Non-VPN Packets Blocked: The number of non-VPN packets blocked on this port.
Tunnel Config Errors: The number of packets dropped on this port because of tunnel configuration problems.

Table 27: Overview Statistics Table Parameters (continued)
IP Header Length Errors: The number of packets dropped on this port because of an invalid IP header length.
Address Map Discards: The number of packets dropped because of IP Address Map errors.

Table 28: Ethernet Statistics Table Parameters
EtherStat Port Description: A description of each port.
Total Frames Received: Total number of frames received on this port.
Total Frames Xmitted: Total number of frames transmitted from this port.
Total Frames Filtered: Total number of frames discarded on this port because the destination MAC address of the frame was determined by the bridge logic to be attache…
198. …destination location and filename.

Rekey (site-to-site VPN)

Rekey is used to change the preshared secret key of a site-to-site VPN. This should be done regularly to ensure maximum security. Only SKIP and Preshared Secret IKE VPNs can be manually rekeyed.

In the case of SKIP, rekeying generates and distributes a new master key to all security gateways associated with the VPN. This SKIP master key is used to generate the session keys used for cryptographic functions.

In the case of Preshared Secret IKE VPNs, rekeying generates and distributes a new negotiation key to all security gateways associated with the VPN. This negotiation key is used only to authenticate the peers during IKE negotiations, in which the actual session key is generated dynamically.

Manual Keyed VPNs can be rekeyed by manually editing the relevant keys.

Advanced VPN tab

The Advanced tab is used to set up advanced VPN options. Generally, the defaults do not need to be changed.

Figure 50: VPN Advanced tab (shows the "Apply VPN to clients only" check box)

Apply VPN to clients only provides VPN access to users and ignores the site-to-site mesh or relationships between security gateways. This is a usability feature that can be used in VPNs with complex rul…
199. …dministrator creates a VPN Object and configures it with the IP Group Objects: see Creating a new VPN object.
Administrator exports the VPN Object data to the extranet administrator: see Exporting a VPN object to an extranet, page 158.
The extranet administrator imports the VPN Object data into their own domain: see Importing a VPN object from an extranet, page 161.

Export procedure

Exporting a VPN Object involves copying the object data to a file, then sending the file to the extranet administrator, who imports the file into their VPN Domain.

To export a VPN Object:
1. Move to the Configuration Console window.
2. From the Icon toolbar, click VPN to list all VPN Objects in the Contents column.
3. From the Contents column, select the VPN Object that needs to be exported.
4. From the Tools menu, select Export VPN to open the Export VPN dialog.
5. From the list box, select the VPN Object you want to export.
6. Click OK to open the Export VPN password dialog.
7. In the Password text box, type a password to protect the exported data. From 1 to 16 characters can be used. This password is the only protection the exported file has while it travels to the extranet administrator, so use the full length permitted and share the password out of band, not with the file.
8. In the Retype text box, type your password again to confirm it.
9. Click OK to open the Save dialog.
10. Use the controls in the Save dialog to select a location for the VPN Object data file…
200. …dresses for the public and the private interfaces. Configuring the virtual addresses in this manner ensures that every member of the HA group has the same configuration.

Note: Virtual Addresses must be valid routable addresses.

6. Click Add to add members to the HA group.
7. Enter the private IP address of the Active security gateway.
8. The private IP address may already have been entered during the initial creation of the security gateway object. If so, confirm that the IP address is correct and move to the next step.
9. Enter the public and private IP addresses of the Passive security gateway(s).
10. Click Update security gateway to update the HA configuration.

Updating a high availability group using Update Device

High Availability groups can be updated using the Update security gateway button in the VPNmanager Configuration Console window. When you use Update Device, VPNmanager displays the selected security gateway to be updated. If the selected security gateway is an HA member, the Member Update screen is displayed. By default, all members in the HA group are selected for update.

To update HA VSUs:
1. Move to the Configuration Console window.
2. Select Device.
3. Select the security gateway to be updated.
4. Click the High Availability tab to bring it to the front.
5. Click Update security gateway from the Confi…
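The Python model below is an added example for this edited page, not Avaya code and not a description of the gateway's implementation. It models the passive member's takeover decision driven by the two Advanced Parameters described earlier (Advertisement Interval, Missed Advertisements Before Becoming Active) together with the Group ID. Assumptions made here that the guide does not state: the passive member only starts its dead timer after the first advertisement it receives for its own Group ID, it takes over once the configured number of whole intervals pass without one, and it ignores advertisements carrying a different Group ID.

```python
"""Added example (not Avaya code): a passive HA member's takeover decision
using the Advertisement Interval and Missed Advertisements parameters. The
timer-start, whole-interval and Group-ID behaviours below are assumptions
made for this model, not statements from the guide."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADV_INTERVAL_RANGE = (1, 255)   # seconds, from the guide
MISSED_RANGE = (3, 16)          # intervals, from the guide


def ha_params_ok(interval: int, missed: int) -> bool:
    return (ADV_INTERVAL_RANGE[0] <= interval <= ADV_INTERVAL_RANGE[1]
            and MISSED_RANGE[0] <= missed <= MISSED_RANGE[1])


def validate_ha_params(interval: int, missed: int) -> None:
    if not ha_params_ok(interval, missed):
        raise ValueError(f"interval {interval}s must be 1-255 and missed {missed} must be 3-16")


def failover_detection_time(interval: int, missed: int) -> int:
    """Worst-case seconds from the active member's last advertisement to the
    passive member forcing an election."""
    validate_ha_params(interval, missed)
    return interval * missed


@dataclass
class PassiveMember:
    interval: int
    missed: int
    group_id: int
    last_adv: Optional[float] = None   # time of the last advertisement heard
    active: bool = False

    def __post_init__(self) -> None:
        validate_ha_params(self.interval, self.missed)

    def on_advertisement(self, now: float, group_id: int) -> None:
        """An advertisement for our Group ID refreshes the dead timer; one for
        another group sharing the segment is ignored (the conflict the Group
        ID exists to prevent)."""
        if group_id == self.group_id and not self.active:
            self.last_adv = now

    def on_tick(self, now: float) -> bool:
        """Evaluate the dead timer; True on the tick that forces the election.
        A member that has never heard the active member stays passive."""
        if self.active or self.last_adv is None:
            return False
        if now - self.last_adv >= self.interval * self.missed:
            self.active = True
            return True
        return False


def simulate(interval: int, missed: int, adverts: List[Tuple[float, int]],
             horizon: int, group_id: int = 1) -> Optional[int]:
    """Replay (time, group_id) advertisements into a passive member ticking once
    per second; return the second it became active, or None if it never did."""
    member = PassiveMember(interval, missed, group_id)
    pending = sorted(adverts)
    for now in range(horizon + 1):
        while pending and pending[0][0] <= now:
            t, gid = pending.pop(0)
            member.on_advertisement(t, gid)
        if member.on_tick(now):
            return now
    return None


if __name__ == "__main__":
    # Constructed scenario: the active member sends at t=0,1,2 and then dies.
    print(simulate(1, 3, [(0, 1), (1, 1), (2, 1)], horizon=20))  # takeover second
```

What the ranges imply in practice: at the minimum settings (1 s interval, 3 missed) a dead active member is replaced in about 3 s, while at the maxima (255 s, 16 missed) detection takes 68 minutes. Because the Advanced Parameters are common to every member, choose them once, balancing detection speed against the risk of a false failover on a lossy segment.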
201. …dynamic VPN for future scalability. It is, however, expected that LDAP will be the preferred method of building dynamic VPNs.

Policies Manager

The Policies Manager displays a list from which specific policy services can be selected. Select a service and click GO to start the Policy Manager for the selected service. The types of policies that can be configured depend on the firmware version of the security gateway; only policies that can be configured are displayed. Table 4 lists the policies that could be configured.

Table 4: Policy Services
- Client IP Configuration
- Syslog
- My Certificates
- NAT
- Issuer Certificates
- Packet Filtering
- IKE Certificate Usage
- Firewall (a)
- RADIUS/ACE
- Client Attributes

(a) Policies that can be configured for security gateways with VPNos 4.x. Beginning with VPNos 4.31, the Firewall configuration is not part of Policy Manager.

Toolbar

The toolbar includes the following shortcut buttons:
- New Object: You can select one of the icons in the toolbar below New Object and then click New Object to launch the appropriate configuration dialog, or you can click the arrow next to New Object and select one of the object types to launch the appropriate configuration dialog.
- Delete: Deletes the selected object.

Contents pane
202. View menu

From the View menu you can view the configured objects and refresh the screen.

Tools menu

The Tools menu consists of functions used for normal VPN maintenance. These functions include the following:
- Update Devices: To update the selected security gateway configuration, click Update Devices and select the security gateway to update. This reconfigures all security gateway parameters for the selected gateway and can take several minutes to complete. This function is the same as the Update Devices button on the far right side of the toolbar on the VPNmanager main screen. See "Update Devices" on page 47.
- Upgrade Devices Firmware: Downloads new firmware to selected devices. See "Upgrading a security gateway's firmware" on page 289.
- Import VPN: A secure inter-company extranet can be created by exporting a VPN configuration to a file that is then imported by other VPNmanager installations. See "Importing and exporting VPN configurations to a device" on page 284.
- Export VPN: Exports the VPN configuration, which in turn can be imported into other VPNmanager installations.
- Export RADIUS: Exports VPN information to an existing RADIUS database. This is primarily for backwards compatibility, but is also useful if you wish to convert an existing VPN that uses local, security-gateway-based user authentication into a…
203. Figure (Preferences, Remote Client tab): Client DNS Resolution; Redirection: Enable redirection support; Amount of Client inactivity time before session times out: 24 Hours; Send Syslog messages to receiving hosts after VPN session is inactive for 10 minutes.

Alarm Monitoring

The Alarm Monitoring tab is used to define high-level functions of the alarm console. See "Monitoring alarms" on page 268.

Figure 15: Preferences, Alarm Monitoring tab (tabs shown: Advanced, Remote Client, Alarm Monitoring, TEP Policy, General, Dyna-Policy Defaults (User), Dyna-Policy Defaults (Global), Dyna-Policy Authentication; settings: Resolve IP Address to VSU Name, Alarm When Device is Unreachable, each Enable/Disable)

Resolve IP Address to Device Name (Enable/Disable): When enabled, the IP address of the alarming security gateway is translated into the security gateway name for display in the Alarm Console. When disabled, only the alarming IP address is shown. Functionally, all security gateways in all domains are scanned and a map file is created to cross-reference the security gateway IP addresses to their respective names. The default is enabled.

Alarm When Device is Unreachable (Enable/Disable): When enabled, this function causes VPNmanager to continuously send SNMP packets to all se…
204. …e a Marking Rule. VPNmanager Console is then used to update a specific VSU with the new rule. The different types of marks used in a rule are briefly described in Step 7.

Before marking any packets, you must gather the information described in Table 13. Basically, the type of marks, the type of packets, and the direction of packet flow (into and/or out of the VSU) are needed to create a marking rule.

Table 13: IP packet marking information
- User-defined marks: Identify which user-defined marks are being read by your routers.
- Packet type associated with a specific user-defined mark: Examine the PFB rule associated with a specific user-defined mark to identify the type of IP packet being marked.
- Predefined marks: Identify which predefined marks are being read by your routers.
- Packet type associated with a specific predefined mark: Examine the PFB rule associated with a specific predefined mark to identify the type of IP packet being marked.

To create a packet marking rule:
1. Move to the Configuration Console window.
2. From the Contents column, select the VSU where the new rule is to be located.
3. From the GO menu, select Policy Manager to open the Policy Manager window.
4. From the Type of Policy drop-down list, select Packet Filtering to view the Policy Manager for Packet Filtering.
5. Click Add to start the Packet Filtering Policy Wizard.
205. Contents

Chapter 3: Setting up the network ... 55
New VPN Domain ... 55
Configuring a security gateway ... 57
Creating a new security gateway ... 57
Using Device tabs to configure the security gateway ... 59
(entry illegible) ... 60
Memos ... 62
DNS tab ... 63
Configuring the DNS tab for security gateways at 4.3 or later ... 63
Configuring the DNS tab for VSU at VPNos 4.2 or earlier ... 65
Interfaces tab ... 66
Options for IP addressing for interface zones ... 70
Static addressing ... 70
DHCP ... 70
Point-to-Point Protocol over Ethernet (PPPoE) Client ... 71
Local DHCP Server ... 71
DHCP Relay ... 73
(entry illegible) ... 73
Changing network interfaces ... 73
(entry illegible) ... 76
Adding an IP Device Configuration ... 77
DHCP Relay ...
206. …e number of packets not transmitted on this port because of time collisions.
Time Underflow Errors: The number of packets not transmitted on this port because of time underflow errors.
Timeout Errors: The number of packets not transmitted on this port because of time-out errors.
Retry Overflow Errors: The number of packets not transmitted on this port because of retry overflow errors.
Miscellaneous Errors: The number of packets dropped on this port because of other miscellaneous errors.

Define Custom

The Define Custom screen allows you to define a custom monitoring group that collects only the data you specify. You select the desired MIB parameters from the Available Data column, then move them into the Current Data in Group column. All of the MIB-II and VPNet Enterprise parameters in the Monitoring Groups are available.
- Name: Enter the name you wish to call your custom group.
- Current Data in Group: The list of individual enterprise MIB parameters that compose your new group.
- Available Data: The list of all enterprise MIB parameters you may select to monitor. Use the Move Left arrow to transfer the highlighted parameter into the Current Data in Group column.

Monitoring wizard: Presentation

The Monitoring presentation screen is used to select the display type for the monitored data. The u…
207. …e tabs to configure the security gateway.

To set the delay before switching back from a secondary interface to the primary interface once the primary link has been detected, configure the Hold Down Timer. This delay gives the primary interface time to stabilize. The Hold Down Timer applies only to failover conditions caused by a link-level failure on the public primary interface. The Hold Down Time value is expressed in seconds; the range is 0 to 3600 seconds and the default is 60 seconds.

Note: There is a scenario in which the switchover from the public backup interface to the public interface occurs before the hold down timer has expired. If the idle timer is set to a value less than that of the hold down timer, and the public primary interface link becomes available while, at roughly the same time, traffic ceases to flow through the public backup interface, the switchover occurs when the idle timer expires rather than when the hold down timer expires.

Private: The private network interface usually provides the connection to your private local area network (LAN) or your corporate LAN. The private network interface can be configured with Static, DHCP Server or DHCP Relay addressing.

Semi-private: The semi-private network interface provides connection to a network whose equipment can be made physically secure but whose medium is vulnerable to attack, such as a wireless network used within a corporation's priva…
208. …e the media interface configuration:
1. From the Configuration Console Contents column, select the security gateway to be configured. Click the Interfaces tab to bring it to the front.
2. Click the media interface that you want to modify, then click Edit. The Interface Configuration dialog is displayed.

Figure 21: Media interface configuration dialog (fields shown: Media Interface ethernet0; Media Option: Auto Negotiate; MAC Address; QoS Bandwidth: 100 Mbps; IP Configuration: Zone private; IP Configuration Mode: Static, DHCP Server or DHCP Relay; IP Address; Mask; IP Range; Domain Name; WINS; IP Devices; IP Telephony)

Note: The fields displayed in the screen depend on the type of zone selected.

3. The media option choices depend on the media type selected and on the capabilities of the underlying device hardware and driver. QoS Bandwidth is used by the QoS module to restrict the bandwidth of the interface to the upstream limit of the network. For example, to have QoS regulate a 100 Mbps interface down to a 25 Mbps maximum, enter 25 Mbps.
4. In the IP Configuration area, make the required changes:
   - From the Zone list, select the zone. Only the zones that apply to that media interface are…
209. …ee your iPlanet Directory Server documentation for instructions. The following procedure only establishes it as a backup server. The Directory Servers tab is shown in Figure 66.

Figure 66: The Directory Servers tab

The Servers list presents the available directory servers in three columns: IP address or DNS name, port, and SSL state. Move Up and Move Down arrows change the position of the highlighted server. Edit, Delete and Add buttons are provided at the bottom of the pane.

Add servers: Brings up a dialog box to add additional servers. Enter the new server's IP address or DNS name. The Locate This Server box contains three radio buttons used to place the new server: Beginning of List, End of List (the default), or After Selected Item.

To create a backup server:
1. Move to the Configuration Console window.
2. From the Device > Contents column, select the security gateway that needs the backup server.
3. Click the Directory Servers tab to bring it to the front.
4. Click Add to open the Add Directory Server dialog box.
5. Use Table 15 to configure a connection to a server.

Table 15: Add Directory Server Commands
Enter IP Address or DNS Name: Type…
210. …ect is selected, a list of the objects that can be created is displayed. When you select one of these commands, either a dialog or a wizard opens to configure the information. Table 2 describes the new objects that can be configured.
- Logoff: Closes the current directory server without exiting VPNmanager. The Login screen appears immediately after you log off.
- Exit: Closes the VPNmanager console.

Figure 4: File Menu > New Object list (object types: Domain, Device, IP Group, User, VPN, Service, Firewall Template, User Group, Device Group, QoS, Admin, Failover, CNA Test Plug)

Table 2: New object
Device: You create a new security gateway within a domain and configure the port interfaces.
IPGroup: You configure new IP groups to assign workstations and servers.
User: For each remote user you configure the name and password for authentication.
VPN: To create a virtual private network, you give it a name and select a key management method.
Service: You create services to specify different traffic types.
User Group: You can set up logical groups in which the individual VPN users reside.

Table 2: New object (continued)
211. …ectory.
4. Type the following command to install the certificate, where filename is the name of the certificate file and aliasname is the alias you choose for the certificate:

   sh importcert.bat aliasname filename

To view all the installed issuer certificates:
1. Open a Console window.
2. Move to the /opt/Avaya/VPNmanager/Console directory.
3. Type the following command to list all installed issuer certificates:

   sh listcert.bat

To delete an installed issuer certificate:
1. Open a Console window.
2. Move to the /opt/Avaya/VPNmanager/Console directory.
3. Type the following command, where aliasname is the alias you gave the certificate when it was installed:

   sh deletecert.bat aliasname

Installing the Issuer's Certificate into a security gateway

To create a Device object, refer to Chapter 3, "Setting up the network". Once the Device object has been created, perform the following procedure.

To install the issuer's certificate into a security gateway:
1. From the Tools menu, select Policy Manager to open the Policy Manager window.
2. From the Object Name list, select the Device object that you just created.
3. From the Type of Policy list, select Issuer Certificates to open the Policy Manager for Issuer Certificates.
4. From the Issuer Certificates list, select a row where the new issuer certificate will be ins…
212. …ecurity and low security. The DMZ high security rules are enforced for both incoming and outgoing packets as follows:
- Incoming traffic from the DMZ zone is denied.
- Outgoing traffic to the DMZ zone is allowed for packets from the private, management and semi-private networks whose destination is the servers offering the common services.

Table 41: DMZ high and medium security firewall rules
(columns: Rule Name | Action | Source | Destination | Service | Direction | Zone | Keep State | Description)

InBoundDMZActiveFTPAccess | Permit | DMZNet | Any | ActiveFTP | In | DMZ | Yes | Permit the active FTP data connection from an FTP server on DMZNet to any FTP client on the INTERNET; this works for both NAT and non-NAT setups.
InBoundDMZBlockAll | Deny | Any | Any | Any | In | DMZ | No | Deny the rest of the traffic.
OutBoundDMZAccess | Permit | Any | DMZNet | ICMPECHOREQUEST, SSH, TELNET, FTP-CTRL, PASSIVEFTP, HTTP, HTTPS, DNS-TCP, DNS-UDP, NETBIOS-NS (TCP/UDP), NETBIOS-DGM (TCP/UDP), NETBIOS-SSN (TCP/UDP), POP3, IMAP, SMTP, NNTP | Out | DMZ | Yes | Permit outgoing traffic with common services.
OutBoundDMZBlockAll | Deny | Any | Any | Any | Out | DMZ | No | Deny the rest of the traffic.

Table 42: DMZ low security firewall rules
(columns: Rule Name | Action | Source | Destina…
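The Python evaluator below is an added example for this edited page; it is not Avaya code and does not reproduce the gateway's filter engine. It walks the Table 41 rules in order, first match wins, so you can see which row a given packet lands on and why the two BlockAll rows must stay last. The DMZNet address, the test packets, and the protocol and port behind each service name are constructed assumptions (the guide names services but not their ports). PASSIVEFTP is deliberately left unmodelled for the reason given in the comment.

```python
"""Added example (not Avaya code): first-match evaluation of the DMZ high
security rules in Table 41. Rule fields follow the table; the DMZNet address,
the packets and the protocol/port behind each service name are assumptions
made here, since the guide lists service names only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # inclusive range; None = any port


def svc(protos, sport: PortRange = None, dport: PortRange = None):
    return (tuple(protos), sport, dport)

# ActiveFTP is the server's data connection from source port 20. PASSIVEFTP is
# deliberately absent: its data ports are negotiated on the control channel and
# need the gateway's stateful FTP tracking; a static "any high port" stand-in
# would permit far more than FTP, so here an unmodelled service never matches.
SERVICES = {
    "ActiveFTP": svc(["tcp"], sport=(20, 20)),
    "FTP-CTRL": svc(["tcp"], dport=(21, 21)),
    "SSH": svc(["tcp"], dport=(22, 22)),
    "TELNET": svc(["tcp"], dport=(23, 23)),
    "SMTP": svc(["tcp"], dport=(25, 25)),
    "DNS-TCP": svc(["tcp"], dport=(53, 53)),
    "DNS-UDP": svc(["udp"], dport=(53, 53)),
    "HTTP": svc(["tcp"], dport=(80, 80)),
    "POP3": svc(["tcp"], dport=(110, 110)),
    "NNTP": svc(["tcp"], dport=(119, 119)),
    "NETBIOS-NS": svc(["tcp", "udp"], dport=(137, 137)),
    "NETBIOS-DGM": svc(["tcp", "udp"], dport=(138, 138)),
    "NETBIOS-SSN": svc(["tcp", "udp"], dport=(139, 139)),
    "IMAP": svc(["tcp"], dport=(143, 143)),
    "HTTPS": svc(["tcp"], dport=(443, 443)),
    "ICMPECHOREQUEST": svc(["icmp"], dport=(8, 8)),  # ICMP type carried in dport
}
NETWORKS = {"DMZNet": "192.0.2.0/24"}   # assumed address of the DMZNet object
CLEARTEXT = {"TELNET", "FTP-CTRL", "HTTP", "POP3", "IMAP", "SMTP", "NNTP",
             "NETBIOS-NS", "NETBIOS-DGM", "NETBIOS-SSN"}   # editor's classification


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "Permit" or "Deny"
    src: str                  # network object name or "Any"
    dst: str
    services: Tuple[str, ...]
    direction: str            # "In" or "Out"
    zone: str
    keep_state: bool


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str
    zone: str


COMMON_SERVICES = ("ICMPECHOREQUEST", "SSH", "TELNET", "FTP-CTRL", "PASSIVEFTP",
                   "HTTP", "HTTPS", "DNS-TCP", "DNS-UDP", "NETBIOS-NS",
                   "NETBIOS-DGM", "NETBIOS-SSN", "POP3", "IMAP", "SMTP", "NNTP")
# Table 41 in evaluation order; the BlockAll rows are the terminal defaults.
DMZ_HIGH_RULES = [
    Rule("InBoundDMZActiveFTPAccess", "Permit", "DMZNet", "Any", ("ActiveFTP",), "In", "DMZ", True),
    Rule("InBoundDMZBlockAll", "Deny", "Any", "Any", ("Any",), "In", "DMZ", False),
    Rule("OutBoundDMZAccess", "Permit", "Any", "DMZNet", COMMON_SERVICES, "Out", "DMZ", True),
    Rule("OutBoundDMZBlockAll", "Deny", "Any", "Any", ("Any",), "Out", "DMZ", False),
]


def _addr_match(obj: str, ip: str) -> bool:
    return obj == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(NETWORKS[obj])


def _in_range(rng: PortRange, value: int) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


def _service_match(names: Tuple[str, ...], pkt: Packet) -> bool:
    if names == ("Any",):
        return True
    for name in names:
        definition = SERVICES.get(name)   # unmodelled service: never matches
        if definition is None:
            continue
        protos, sport, dport = definition
        if pkt.proto in protos and _in_range(sport, pkt.sport) and _in_range(dport, pkt.dport):
            return True
    return False


def evaluate(rules, pkt: Packet) -> Optional[Rule]:
    """First matching rule, or None when no terminal rule covers the packet's
    direction/zone (which is itself a rule-set bug worth flagging)."""
    for rule in rules:
        if (rule.direction == pkt.direction and rule.zone == pkt.zone
                and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
                and _service_match(rule.services, pkt)):
            return rule
    return None


def cleartext_services_permitted(rules) -> set:
    """Services in Permit rules that carry credentials or content in the clear."""
    return {s for r in rules if r.action == "Permit" for s in r.services} & CLEARTEXT
```

The cleartext_services_permitted check is an editorial addition: the template's common-services list includes TELNET, FTP-CTRL, POP3, IMAP and HTTP, which carry credentials in the clear across the zone boundary, so prune any service your DMZ hosts do not actually offer before applying the template.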
213. …ed from the VPNmanager, an alarm is logged in the Alarm Console. For security gateways at VPNos 4.2 and 4.3, if SNMPv3 is configured, the ability to poll the security gateway is disabled.

The traps generated by the security gateway are sent to the list of configured trap targets. The version of the trap sent is the same as the version of the SNMP agent; that is, if the security gateway is configured for SNMPv1, an SNMPv1 trap is sent. A maximum of five trap targets can be specified, and one of these can be the Directory Server. In large enterprises the security gateways might also report to a network monitoring application such as HP OpenView.

Figure 81: The SNMP tab for a security gateway object

To add SNMP trap targets

To add an SNMP trap target for security gateways at VPNos 4.2 or later, do the following.

Note: To configure SNMPv3, see "Adding Admin Users for SNMPv3" on page 247.

1. From the Contents column, select the security gateway you want to configure.
2. Click the SNMP tab to bring it to the front.
3. Click Add to open the Add SNMP Trap Target dialog box.
4. In the SNMP Trap Target text boxes, type the SNMP trap target IP…
214. …ed version of this documentation unless such modifications, additions or deletions were performed by Avaya. Customer and/or End User agree to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of or in connection with subsequent modifications, additions or deletions to this documentation to the extent made by the Customer or End User.

How to Get Help

For additional support telephone numbers, go to the Avaya Web site: http://www.avaya.com/support. If you are within the United States, click the Escalation Management link, then click the appropriate link for the type of support you need. Outside the United States, click the Escalation Management link, then click the International Services link, which includes telephone numbers for the International Centers of Excellence.

Providing Telecommunications Security

Telecommunications security (of voice, data and/or video communications) is the prevention of any type of intrusion, that is, either unauthorized or malicious access to or use of your company's telecommunications equipment by some party. Your company's telecommunications equipment includes both this Avaya product and any other voice, data or video equipment that could be accessed via this Avaya product (that is, networked equipment). An outside party is anyone who is not a corporate employee, agent or subcontractor, or is not working on y…
215. …eded.
New Frag Alloc Out: Number of successful attempts to allocate a Fragment table entry for outbound packets. This occurs when a filter rule is declared using the keep frag option; packets matching this rule cause a Fragment table entry to be allocated. This value does not reflect the size of the table, only the number of entry allocations that succeeded.
Unneeded Frag Alloc In: Number of successful but unnecessary attempts to allocate Fragment table entries for inbound packets. When a filter rule is declared using the keep frag option, matching packets cause a Fragment table entry to be allocated. This allocation takes place before the determination is made that the packet is indeed a fragment. If the packet is later determined NOT to be a fragment, the table entry is de-allocated and this counter is incremented.
Unneeded Frag Alloc Out: Number of successful but unnecessary attempts to allocate Fragment table entries for outbound packets. When a filter rule is declared using the keep frag option, matching packets cause a Fragment table entry to be allocated. This allocation takes place before the determination is made that the packet is indeed a fragment. If the packet is later determined NOT to be a fragment, the table entry is de-allocated and this counter is incremented.

Table 23: FilterStats Parameters (continued)
216. …ee subdomain names along with the IP address of the DNS server that will resolve DNS requests for the corresponding subdomain name.

Remote Client inactivity connection time-out (VPNos 3.x): You can set the amount of time that a VPNremote Client can be idle before its assigned IP address is returned to the Client IP Address Pool. This is useful if you have VPNremote Client users who typically use TCP-based applications (for example Telnet, FTP or Web traffic) and leave those applications idle for long periods of time. Units can be seconds or minutes. The maximum idle time is 65,535 minutes.

Send Syslog messages: "Send Syslog messages to receiving hosts after VPN session is inactive for XX minutes" enables you to set the session inactivity time before a Syslog message is issued. The default time is 10 minutes.

Configure a default CCD with global dyna-policy

The following procedure describes how to configure the default dyna-policy parameters. These settings control how CCD automatically delivers dyna-policies to VPNremote Clients. By default, all users adopt these settings, but they can be overridden and custom configured from the Dyna-Policy tab of a specific user.
1. From the VPNmanager Console main window or from the Configuration Console window, select Edit > Preferences to open the Preferences property sheet.
2. Click the Dyna Policy Defaults (Us…
217. elating to IP telephony devices, such as the Avaya Definity IP telephone device information.
Adding an IP Device Configuration
This dialog is used to add IP devices to the virtual DHCP server. The dialog contains a group of fields for IP telephony configuration when IP telephones are connected to the security gateway.
Figure 23: IP Device Configuration with VPNos 4.2 or VPNos 4.3 [screenshot: fields IP Device MAC Address, IP Device IP Address; IP Telephony Configuration with TFTP Server IP, TFTP File Path, Definity Clan IP, Definity Clan Port (1719); Cancel and OK buttons]
IP Device MAC Address: Enter the MAC address of the IP device. If the device is an Avaya IP telephone, the MAC address can be found on the back of the phone.
IP Device IP Address: This IP address must be within the same subnet as the DHCP server. It is recommended that the IP device address fall in the DHCP subnet but not in the DHCP range. Also, each IP device should have a unique IP address.
IP Telephony Configuration: This section is used to enter configuration information for an IP telephone connected to the security gateway. This information is sent in response to the IP telephone's DHCP request; this information can also be configured locally in the IP telephone.
The Avaya DEFINITY series of IP telephones requi
218. eld.
9. Click Add. The Add Gatekeeper dialog appears. In the Gatekeeper IP field, specify the IP address of the endpoint.
10. In the Proxy IP field, specify the public IP address that is being shared.
11. In the Proxy Port field, enter the proxy port. The default is 1719.
12. Click OK and then click Finish.
QoS policy and QoS mapping
The Quality of Service (QoS) function allows the administrator to classify and prioritize traffic based on a DSCP value and/or TCP/IP services and networks. The bandwidth available to a class of traffic can be restricted or rate-limited to a specific percentage of the total upstream bandwidth. This restriction or rate limiting of bandwidth is only applicable to upstream (outgoing) traffic on the interface.
A QoS policy can be created with up to four classes: highest, high, medium and low. Attributes that can be assigned to these classes are percentage of bandwidth allocation, type of services, network objects, DSCP and burst. QoS policies can be mapped to public, public-backup and semi-private zones.
By default, QoS is enabled, VoIP is given the highest priority, and there is no restriction of bandwidth or rate limiting. In the default configuration, VoIP is identified solely by IP precedence values of three and five. This corresponds to the following DSCP values: 24 to 31 and 40 to 47. If QoS is disabled, all traffic receives the same priority; VoIP is treated the same as data traffic.
QoS Policy
This prope
219. er tab to bring it to the front. Select how the VPN session parameters are handled on the user's computer:
- Select None to store the VPN session parameters locally on the remote user's computer. The policy is automatically downloaded to the user's computer the first time that the VPNremote Client is connected. The policy is not password protected.
- Select "Download configuration when remote starts" to automatically download the VPN session parameters at the beginning of every session. The policy is removed when the VPNremote Client is disconnected. This is the most secure method.
- Select "Secure Dyna-Policy with a user-defined key (password)" to have the VPN session parameters reside on the user's hard disk and be activated by a password at the start of a VPN session. The user is prompted to create a password to protect the policy.
- Check Disable Split Tunneling if users are not to browse the Internet while they are connected to the VPN.
3. Click the Dyna-Policy Defaults (Global) tab to bring it to the front.
- Enter the number of times a remote user can incorrectly log in before they are locked out. The default is 3.
- Enter the number of minutes a remote user is locked out if all login attempts fail. The default is 1 minute.
4. Click the Dyna-Policy Authentication tab to bring it to the front.
5. Before CCD begins, remote users must have a user name and password pair to authenticate themselves. From here you configure the aut
220. erefore, traffic to Domain will automatically use Device Object for VPN services.
VPN Object export checklist
Table 9 lists what to do before you export a VPN Object. The terms used by Figure 51 are used for orientation.
Table 9: VPN Object Export Checklist
Task:
- For certificate-based IKE VPNs, administrators of Domain and Domain B assure that all security gateways which are participating in the extranet connection are using the correct certificates (IKE Certificate Usage on page 240).
- Administrators of Domain and Domain B agree that Administrator creates the VPN Object that is exported to Domain B.
(1 of 2)
Table 9: VPN Object Export Checklist (continued)
Task:
- Administrator B creates security gateway Object B and supplies the IP address of that object to Administrator.
- Administrator creates IP Group Object B (Creating a New IP Group on page 97) and configures it with an extranet device (To configure an IP Group that is associated with an extranet on page 102) having the IP address supplied by Administrator.
- Administrator creates security gateway Object (Configuring a security gateway on page 57).
- Administrator creates IP Group Object (New IP Group on page 98) and configures it with security gateway Object A.
A
221. ers are the individual remote-access users who log in to the VPN through a security gateway. The VPNremote Client software is used to connect to the VPN services. A User Group contains or organizes user accounts. These accounts are assigned to remote VPN members who dial in to the network and run VPNremote Client software to access the VPN.
An IP Group contains the IP addresses that belong to a specific LAN. Any device connected to the LAN can use these addresses. A VPN can have many IP Groups, so addresses can be consolidated to meet the needs of an organization.
The security gateway is configured to provide VPN gateway functionality and firewall coverage. VPNmanager security management includes creating domain-level firewall rules and device-level firewall rules. VPNmanager provides multiple firewall templates that can be used as a general rule set or as a starting point for creating a customized firewall template. You can apply these templates at the domain level (for all security gateways), for a specific security gateway (device level), or for a defined device group.
Preparing to configure your network
Before you use VPNmanager to build your VPN and establish your VPN security policies, you need to know how the VPN should be implemented. This section gives an overview of what information you should know before you begin. The following are functions or tasks that need to be addressed:
- How t
222. ertificate-based VPNs cannot be manually rekeyed.
Preshared Secret mode involves the Diffie-Hellman algorithm for creating a shared secret key that is used for authenticating VPN traffic. Large prime numbers and modular arithmetic equations are exchanged between endpoints. Each endpoint uses the equations and numbers to calculate the same shared secret key. The tunnel endpoints then use the shared secret key to authenticate each other's traffic. Even if the prime numbers and equations become publicly known, the protocol still protects the shared secret key. As an added security measure, a preshared secret can be manually rekeyed at any time.
VPN packet processing modes
There are two ways to process packets when forming VPNs: transport mode and tunnel mode.
In transport mode, IP packets sent between VPN members are secured by applying VPN services to the IP packet payload, leaving the original addressing header unchanged.
[Figure: Transport Mode Secured VPN IP Packet. Original IP Packet: Source Address, Dest Address, Payload. Secured packet: IPSec/SKIP Overhead, Payload with Applied VPN Services]
In tunnel mode (security gateways and VPNremote Client only), IP packets between members are secured by encrypting and authenticating the entire packet, including the addressing header. The encrypted and authenticated packet is then used as the p
223. ervice. In the CNA Hive(s) area, click Add to enter the CNA hive configuration information. The CNA hive information includes the following:
- CNA hive name. The CNA hive name identifies the CNA hive deployment. The CNA hive can have a maximum of 25 hives configured, with each hive containing a maximum of 5 CNA units.
- CNA unit port. The CNA unit port for registration is the value of the CNA registration port. The value for the CNA registration port ranges from 1 to 65535. The default value is 50002.
In the CNA Unit(s) for registration area, enter the CNA registration unit IP address of the security gateway in the network. Use the Move To Top button to adjust the hive priority. Click OK.
The first hive configured in the CNA Unit(s) for registration area is pushed down to devices running VPNos 4.5. Adjust the CNA hive configuration priority to include devices running VPNos 4.5 in the first configured hive.
In the "Apply above configuration to these devices in the domain" area, select the device in the list and click Add. The Select Devices window appears. Confirm that the appropriate device(s) are selected to receive the CNA test plug configuration. Click OK. Click Save to save this configuration.
Keep Alive
The Keep Alive feature allows the security gateway to send keep-alive packets (ICMP) to the configured host at every configured interval in the network. Keep-alive hosts can be configured anywhere in the network. This featu
224. es. If the receiving Gatekeeper is not being NATed by the SG, the Proxy IP and Proxy Port should not be configured.
Using the LRQ Required checkbox of the IP Trunking Call Model
When a Gatekeeper of an IP Trunk is not pre-configured with translations to map phone extensions to Gatekeepers, but rather uses Location Request (LRQ) and Location Confirm (LCF) messages to determine the Gatekeeper to which call signaling messages will be sent, check the LRQ Required checkbox. This will direct the SG to translate the IP addresses and ports embedded within LRQ messages sent by the Gatekeeper so that the receiver of those LRQ messages will respond to the NATed address.
Important: The LRQ functionality is available on Security Gateways running VPNos 4.6 and higher.
To enable VoIP and add IP Trunking
1. From the Configuration Console window, select View > Device. Click the VoIP tab to bring it to the front.
2. Click Add. The VoIP Configuration dialog is displayed.
3. Select Enable to enable the VoIP Rule configuration.
4. In the Name field, enter a descriptive, unique name to identify the IP trunk.
5. In the Call Model field, select IP Trunking from the drop-down menu.
Select LRQ Required to enable the location request. When location request (LRQ) is enabled, the voice packets are routed using domain names. The security gateway uses LRQ to locate the destination and return
225. es can be referenced by a security gateway. DNS servers can be edited or deleted.
To add a DNS server address
Use Add to enter the initial or backup DNS server(s). Enter the IP address of the DNS server in the "Resolve DNS name with this address" field so that the targeted security gateway can register itself with the DNS server. Click Apply to add the new DNS server entry.
1. From the Contents column, select the VSU you want to configure.
2. Click the DNS tab to bring it to the front.
3. Click Add to open the Add DNS Rule dialog box.
4. Type the IP address.
5. Click Apply to add the IP address to the DNS servers list.
6. Click Close to return to the DNS tab, or Apply to add another address.
7. When finished, click Save.
8. When you want to send the configuration to one or more VSUs, click Update Devices.
To edit an existing server address
1. From the Contents column, select the security gateway you want to edit.
2. Click the DNS tab to bring it to the front.
3. From the Current DNS Servers list, select the address you want to change.
4. Click Edit to open the Add DNS Rule dialog box.
5. Change the IP address.
6. Click Apply to add the edited IP address to the DNS servers list. The Add DNS Rule dialog box automatically closes.
7. Click Close to return to the DNS tab. Clicking Close ignores any changes made in the Add DNS Rule dialog box.
8. Click
226. es to only mesh the users. In a normal VPN, the IP Groups are meshed together and the users are meshed with the groups. When the "Apply VPN to clients only" check box is checked, only the users are meshed.
In the Exchange area, check "Use Aggressive mode for clients" to enable IKE Aggressive mode between a user and the security gateway, which accomplishes the same goals as Main mode, only faster.
Note: Aggressive mode must be used when Preshared Secret is being used for the remote client users. When certificate-based key exchange is used, either Main mode or Aggressive mode may be used.
CRL checking enables certificate revocation list checking, which looks to a directory server to obtain a CRL to validate a newly arrived certificate. In the Directory Name of Certificate Authority box, enter the DNS name of the CA server.
Configuring a SKIP VPN
Note: Security gateways at each end of a tunnel must use the same SKIP settings.
To configure a new SKIP VPN object
1. Move to the Configuration Console window.
2. From the Icon toolbar, click VPN to list all VPN Objects in the Contents column.
3. From the Contents column, select the VPN Object that needs to be configured.
4. Click the General tab to bring it to the front.
5. Select one of the following to control how VPN traffic must be protected:
- Select the Tunnel radio button so entire IP packets (header and payload) are encrypted a
227. [Screenshot residue: Failover TEP tab of the Device view, showing the Failover TEP(s) list and the "Copy User VPNs to the Failover TEPs" option]
Configuring failover TEP
Failover TEP is configured from the Failover TEP tab.
To configure failover TEP
1. Move to the Configuration Console window. The Device tabs are displayed.
2. From the Device > Contents column, select the device that is operating as the head-end device.
3. Click the Failover TEP tab to bring it to the front.
4. Select the Enable checkbox to enable failover TEP on the device. The Enable checkbox allows the configured device to download all user VPNs to the selected alternate head-end devices. The checkbox default is not selected.
5. Click Add to open the Failover TEP dialog box.
6. From the Failover TEP Device drop-down menu, select the security gateway that will be the alternate head-end device.
7. Click OK to return to the Failover TEP tab. Your alternate head-end device appears in the Failover TEP(s) list.
8. Click Save to save the Failover TEP configuration. To complete the Failover TEP configuration, you must enter the Failover Remote TEP information in the Failover tab.
9. To configure the Failover Remote TEP, go to the VPNmanager Console main window, sele
228. ete the device's upgrade.
Device Upgrade tab
The Upgrade tab provides access to security gateway upgrade facilities, including firmware upgrades and optional feature activation. For devices with firmware version 4.2 or later, license files can be uploaded from the Upgrade tab.
Figure 87: Device Upgrade tab [screenshot: Device view with the Upgrade tab selected, showing the Upgrade Firmware button and an Encryption Strength control]
Upgrading a security gateway's firmware
Use the Upgrade Firmware button for upgrading the firmware of a specific security gateway. Before upgrading firmware from the VPNmanager, you must download the latest firmware from Avaya Inc. The security gateway firmware download is password protected. Contact technical support at vpnsupport@avaya.com to request a password prior to beginning the download. Read the latest security gateway product readme file before beginning the upgrade. For the latest version of the file for all security gateways, go to the VPN and Security page from the Avaya Support Technical Database Web site at http://support.av
229. [Screenshot residue: Device view with the Interfaces tab selected, showing the Interface Configuration table (Media interface, Zone, IP Config, Status, Address, Mask, Default Route, MAC) and the "Use this as management interface" option]
Media interfaces can be assigned to one of six different network uses, called zones. The number of zones that can be configured depends on the security gateway model (Table 6). Ethernet0 and Ethernet1 are present in all models and are assigned to the public and the private zones. The media interfaces that remain are unused and can be configured as required.
Table 6: Network zones
Media type | SG5 and SG5X | SG200 | SG203 | SG208
Ethernet0 | Public | Public | Private | Private
Ethernet1 | Private | Private | Public | Public
(1 of 2)
Table 6: Network zones (continued)
Media type | SG5 and SG5X | SG200 | SG203 | SG208
Ethernet2 | NA | NA | Unused, Public backup, Private, Semiprivate, DMZ, Management | Unused, Public backup, Private, Semiprivate, DMZ, Management
Ethernet3 | NA | NA | Unused, Public backup, Private, Semiprivate, DMZ, Management | Unused, Public backup, Private, Semiprivate, DMZ, Management
(2 of 2)
The following section describes the six network zones.
Public: The public network interface provides connection to
230. [Screenshot residue: VPNmanager main screen with the View pane and the Alarm pane; the Alarm pane lists timestamped alarms such as "Device Unreachable" for the sg5x and sg208 devices]
The menu bar on the main VPNmanager screen includes the following commands: File, Edit, View, Tools and Help.
File menu
The File menu includes the following commands:
- Domain. You can create a new domain; open, close or delete an existing domain; and select from a list of recent domains that were accessed. When you select to create New, a dialog to create a new domain name is displayed. This name is the unique name assigned to an overall virtual private network. A VPN domain is a collection of VPN devices that compose a VPN network. See "This chapter describes the following features that are configured for the domain and the security gateway" on page 55. When you select Delete, a list of all available domains is displayed. You can delete just the users within the domain, just the user groups within the domain, or all objects within the domain.
Note: When you delete VPNs that include groups associated with RADIUS-enabled security gateways, the VPNremote Client configuration records should be removed from the RADIUS database. See RADIUS/ACE Services on page 124.
- New Object. When New Obj
231. eway.
- Proxy ping, which has been initiated by the VPNmanager from a security gateway to any node.
A ping between the VPNmanager workstation and a security gateway is useful for verifying that the security gateway is powered on and operational, and that an IP network connection from the VPNmanager workstation to the security gateway exists. The Ping This Device button initiates a clear-text (non-VPN traffic) ping from the VPNmanager workstation to the security gateway.
Check connectivity by ping
To execute this ping:
- Select a security gateway from the Contents list, then click on the Ping This Device button.
- The ping results are displayed in the Ping Results window. The Ping Results window indicates that connectivity to the security gateway's IP address is being checked. A result of "<IP address of security gateway> is alive" indicates a reply was received from the IP address of this security gateway. A result of "security gateway unreachable" indicates no reply was received.
To directly ping a specific security gateway
1. Move to the Configuration Console window.
2. From the Contents column, select the security gateway that you want to ping.
3. Click the Connectivity tab to bring it to the front.
4. Click Ping This Device to start the ping.
5. Information about the ping appears in the Ping Results text box.
Check
232. ey exchanges between security gateways in the VPN are based on a single pre-shared secret known to all security gateways.
A special block of data used to identify the owner of a particular public key. It describes the value of a public key, the key's owner, and the digital signature of the issuing authority.
Remote Authentication Dial-In User Service is a client/server remote user authentication protocol in widespread use.
A mechanism of providing automatic backup of a secure tunnel between two endpoints. In practical application, a primary security gateway sends heartbeat packets to a secondary security gateway every few seconds (configurable). Should the primary security gateway fail, the secondary security gateway will stop receiving the heartbeat packets. When this happens, the secondary security gateway switches over and takes on the role of primary security gateway.
Security Association is an IPSec agreement between two communicating devices on which authentication and encryption algorithms, including key lifetimes, are used.
A cryptographic key that has a finite life expectancy, typically for a single session.
See Certificates, Signing.
SKIP, Smart Card, Split Tunneling, SSL, Syslog, Triple DES, User Groups, VPN
Simple Key Management for Internet Protocol (SKIP) differs from ISAKMP in the area of negotiation. In SKIP, all of the security parameters are identified with
233. f the main motivations for Internet telephony is the low cost involved.
Using the IP Trunking Call Model
The IP Trunking call model should be used when there is an IP Trunk configured between gatekeepers at separate locations and the call signaling messages (i.e. H.225 and Q.931 packets) between those gatekeepers are NATed by the device.
When using the IP Trunking Call Model, configure the following:
- Service Port: The port to which the gatekeeper sends call signaling messages.
- Source Trunk Zone: The zone where the gatekeeper is located with respect to the SG (e.g. private, when the gatekeeper is on the private side of the SG).
- Source Trunk Network Objects: The IP networks that define the IP address space of the gatekeeper.
- Destination Trunk Zone: The zone where the gatekeeper receiving call signaling messages is located with respect to the SG (e.g. public, when the receiving gatekeeper is on the public side of the SG).
- Trunk IP address: The receiving gatekeeper's configured IP address.
The Proxy IP and Proxy Port in the Add Destination Trunk dialog are typically used when the Gatekeeper receiving call signaling messages is on the private side of the SG and is being NATed by the SG. In that case, the Proxy IP and Proxy Port would be configured to be the IP address and port by which the receiving Gatekeeper is known to the Gatekeeper wanting to send call signaling messag
234. ffic to PUBLIC
OutBoundPrivateDenyAccess | Deny | DMZNet and SemiPrivateNet | Any | Any | Out | Private | No | Deny traffic from DMZNet and SemiPrivateNet
OutBoundPrivateDenyAll | Permit | Any | Any | Any | Out | Private | Yes | Permit incoming VPN
Semi-private zone firewall templates
A semi-private network interface provides connection to a network whose equipment can be made physically secure but whose medium is vulnerable to attack, such as a wireless network used within a corporation's private network infrastructure. Because wireless connections cannot be easily controlled, a strict firewall policy should be enforced on the semi-private interface to limit the access from the semi-private zone to VPN traffic. Clear traffic to the Private and Management zones is not allowed. Common services to the DMZ are allowed, and clear traffic to Public is allowed.
The semi-private high-security rules are enforced for both incoming and outgoing packets as follows.
Incoming traffic to the semi-private zone that is allowed includes:
- VPN traffic. The VPN tunnel endpoints could be a semi-private IP or a Public IP.
- Ping, DNS.
- ICMP unreachable packets.
The following clear traffic is allowed:
- The source is semi-private and the destination is DMZ servers with the following common services: PING, FTP control, Passive Data FTP, SSH, Telnet, HTTP, HTTPS, POP3, IMAP, SMTP and NNTP.
- The destination is Public and the services are F
235. fices using VPNs.
- Secure VoIP servers or endpoints (IP telephones) by providing perimeter security using the VoIP-aware firewall filtering that is able to dynamically open and close all ports required to pass VoIP communication between servers and endpoints.
- Allow secure voice communication with Avaya's IP Softphone and IP Office Phone Manager Pro using VPNremote Client.
- Enable NAT traversal of H.323 VoIP traffic.
- Optimize bandwidth for VoIP traffic using the security gateway's Quality of Service (QoS) policies.
In order to successfully use VoIP, it is important to thoroughly plan the implementation of the feature. Avaya suggests that you read the Avaya IP Telephony Implementation Guide before implementing VoIP.
Additional features
The following is a list of some of the features that can be configured, depending on your VPN networking requirements.
NAT
Network Address Translation (NAT) is an Internet standard that allows private, nonroutable networks to connect to public, routable networks. To connect private networks and public networks, address mapping is performed on a security gateway that is located between the private network and the public network. You can set up three types of NAT mapping on the security gateway:
- Static NAT. With static NAT, addresses from one network are permanently mapped to addresses on another network.
237. for convenience. Click Next. In the Show Report Title text box, type the report title. Report format details include the date and time, report title, author, page numbering, and the type font and font size.
8. The available font types are Arial, Times Roman and Helvetica. The available font sizes range from 8 points to 72 points.
9. Click Next.
10. Depending on the objects selected in the initial screen, each object is displayed as part of the report wizard. Select the desired object groups to be included in the report.
Note: The Summary button presents a single-screen overview of all the currently set report selections and options. Advanced users may wish to jump to this screen immediately.
11. Click Next.
12. Select additional information for the object group to be included in the report.
13. Click Next.
14. Click Finished when all report information has been selected.
15. You then have a choice of the output file type: HTML or PDF.
16. The output file may be viewed on the screen, then sent to a printer if a hardcopy is desired. Be sure you have an Adobe Acrobat reader to view the PDF file or a web browser to view the HTML file.
Generating the report
When you are satisfied with the report selections made, click on the Finished button to generate the report. The report window appears after a short pause. If a hardcopy is desired, you may save the report as a PDF
238. g VPN traffic. The main difference between the two VPN types is the method used for creating the encryption key. When you create a VPN object, you select which protocol to use.
SKIP VPNs
Note: SKIP VPNs are supported in VPNremote Client 2.5 only.
Simple Key Management for IP (SKIP) is a protocol that stores authentication and security information in every packet. SKIP VPNs can operate in Tunnel or Transport mode. Tunnel mode involves encrypting the entire original IP packet before it goes out to the public networks. Transport mode involves encrypting only the payload of the original packet. Also, SKIP VPNs can be manually rekeyed at any time.
IKE VPNs
Note: IKE VPNs are supported in VPNremote Client 3.0 and later.
An IKE VPN can run in certificate or preshared secret authentication mode. Also, IKE VPNs always operate in tunnel mode, which means the entire original packet (header and payload) is encrypted and inserted in the payload of an IPSec packet before it goes out to the public networks.
Certificate mode involves the exchange of X.509 public key certificates between endpoints of a VPN tunnel to authenticate the VPN tunnel end points. A certificate belonging to a specific endpoint is authenticated by a third-party certificate called an issuer's certificate. Certificates can be obtained from a third-party Public Key Infrastructure (PKI). See for more information about using a PKI. C
239. g a new VPN object on page 136.
Add the default user and IPGroup(s) to the new VPN.
Use the Policy Manager to configure the RADIUS Server Attributes and Settings. The RADIUS attributes and settings can remain as default.
Click Edit > Preferences on the main screen of VPNmanager Console and enable RADIUS Authentication (Local Configuration).
Update this configuration to the security gateway(s). The security gateway(s) should now have the designated VPN in its configuration.
On the RADIUS server, add a user. Enter the user credentials and the attribute type and tag to match the one you entered in the VPNmanager for that security gateway.
Now log in to the security gateway through the VPNremote Client using the credentials entered in the RADIUS server. The user should be authenticated successfully by the RADIUS server. The RADIUS server returns the VPN name to the security gateway. The user then gets the designated VPN policy from the security gateway.
Using the VPN tabs
After you have created a VPN object, you can use the VPN tabs to change the default settings or modify the configuration. The tabs displayed depend on the VPNos release for the device.
General tab
The General tab provides high-level control of the VPN. A check box enables the VPN. This allows VPNs to be built before being activated. The contents of this screen depend on what VPN type you have
240. ging the DHCP Server IP address can result in losing current connectivity with the security gateway.
IP telephone configuration
If you are using the security gateway with the Avaya Definity series of IP Telephones, you must configure the TFTP server IP, the TFTP file path, the Definity Clan IP and the Definity Clan port. See the Definity documentation for further information. Non-Avaya IP telephones require, at a minimum, the TFTP server IP address.
The following IP telephone DHCP options are supported:
- Option 150: Proprietary to Avaya IP telephones. This option is for the TFTP server IP address.
- Option 176: Proprietary to Avaya IP telephones. Definity Clan IP address and port, along with the optional TFTP server IP address (all four fields in the IP Telephony Configuration section must contain entries).
- Option 66: The standard DHCP option for the TFTP server.
Note: When you add an IP device, you must also configure the Device Account User.
DHCP Relay
This functionality allows the DHCP Relay agent to bind to the device's private and semi-private interface zones and forward only DHCP requests from the network behind the device to the DHCP server(s) on the public network. The DHCP Relay server can reside on the private, semi-private or public zones, or on another remote network. The DHCP Relay area on the Interface Configuration dia
241. negotiated with the device on the other side.

• Beginning of list
• End of list
• After Selected Item

Actions tab

The Actions tab is used to export the VPN without keys and to change the VPN security key (Rekey).

Figure 49: VPN Actions tab

VPN configuration Export: Exports the VPN to another VPN domain without the keys. Typically used to create an extranet. Creating an extranet of Avaya VPN devices is a cooperative effort between system administrators running independent copies of VPNmanager and involves the same steps as creating any other VPN: create the device, then the groups and users, and finally the VPN. The names chosen for VPN components must be unique and synchronized within each corporation's VPNmanager. This requires close coordination between the system administrators during the VPN component creation process. Once OK is clicked, a password screen appears. After the password is entered and OK is clicked, the Save screen that is displayed shows the
242. group using Update Device 225
Deleting a high availability group 225
Failover 226
Failover reconnect 229
Converged Network Analyzer Test Plug 230
Keep Alive 232
Policy Manager My Certificates 234
About VSU certificates 234
Creating and Installing a Signed Certificate 235
Switching certificates used by VPNmanager Console 237
Issuer certificates 238
About issuer certificates 238
Installing an issuer certificate 239
IKE Certificate Usage 240
About Certificate Usage Exchange 241
Assigning a Target for a Certificate 241
Chapter 10 Monitoring your network 245
Using SNMP to monitor the device 245
Adding Admin Users for SNMPv3 247
VPN active sessions 247
Syslog Services 248
AOT UO ON 249
Using Monitor 250
ENDS MIB
243. Configuration Console. The Member Update window appears. By default, all members in the HA group that are part of the site-to-site VPN configuration are selected for update.
6. Click OK to complete the update.

Deleting a high availability group

Use the following procedure to delete High Availability (HA) groups.

1. Click the High Availability tab to bring it to the front.
2. Click the Refresh button in the Members section of the screen to refresh the status of the HA group's members.
3. From the Members section, select the security gateway to be deleted.
4. Click the Delete button to delete the security gateway from the HA group.
5. Click the Enable High Availability check box to disable High Availability on the remaining security gateway.
6. Click Update Devices from the Configuration Console. Click OK to complete the update.

Failover

Use the Failover object to configure up to five IP addresses for tunnel endpoints (TEP) for the security gateways. These IP addresses are used as failover locations in the case of VPN or clear-traffic failure.

Figure 73: Failover Tab

When Failover is configured, a se
244. h component failed. Refer to the VSU 1200 User Guide for instructions on how to replace the failed component.

IPSec Engine Status

The IPSec Engine Status section shows the current state of the VSU 1200's two packet processor engines (PPE). If either PPE fails, a FAILED status is displayed indicating which PPE failed. Both PPEs must be functional for the VSU 1200 to operate correctly. The PPEs and Ethernet cards are enclosed in a tamper-evident case and can only be serviced by an authorized technician. Contact your customer service representative for instructions on getting the VSU 1200 repaired.

Switching

To individually switch the active public or private ports, select which active ports to switch from and which passive ports to switch to, then click the Switch Ports button. Note that the active public and private ports can only be switched to passive ports of the same type: a public port cannot be switched to a private port or vice versa.

Importing and exporting VPN configurations to a device

A secure inter-company extranet can be created by exporting a VPN configuration to a file that is then imported by other VPNmanager installations. Select Import VPN when you receive your exported VPN file and have it copied to a local directory. You will need the password from the exporting administrator.

Export VPN

Creating an extranet is a cooperative effort between system administrators running inde
245. h created the VSU's Signed Certificate.

Installing an issuer certificate

Use the Policy Manager to install Issuer Certificates in a specific VSU. The VSU then uses the Issuer Certificate to authenticate certificates received from other VSUs. The process is explained in Figure 78.

To install an Issuer Certificate into a VSU target:

1. Get an Issuer Certificate from a PKI System. Use the same PKI System that created the Signed Certificate.
2. The PKI System must use the Distinguished Encoding Rules (DER) format for creating the Issuer Certificate. Figure 79 shows what a certificate looks like; its body has been shortened for the example.

Figure 79: An Example of an Issuer Certificate (header, shortened body, footer)

3. Cut the issuer certificate from whatever file the PKI system sent it in, then paste it into a text file. The file can have a DER or TXT file name extension.

Note: The alignment of the right side of the certificate must be even (justified), so if the certificate was sent to you in a web page where the last line may run past the right side, just place a carriage return in the appropriate place in the line to even it up. Also place a carriage return at the end of the footer line.

Return to the Policy Manage
246. The Export RADIUS function is used to export VPN information to an existing RADIUS database. This is primarily for backwards compatibility, but it is also useful if you wish to convert your existing VPN using local security gateway-based user authentication into a dynamic VPN for future scalability. It is, however, expected that LDAP will be the preferred method of building dynamic VPNs. In this procedure, your existing client configuration information is migrated to the RADIUS database through a RADIUS-compatible export file.

The Export RADIUS pane appears with a list of all users you wish to include in the export. When you click OK, VPNmanager creates a text file. The saved text file consists of entries that must be added to the RADIUS server users file.

The Users file variable parameters are:

• <Client_name>: The name of the Client as entered in VPNmanager. Case and spelling are significant. This parameter is written by VPNmanager.
• <authentication password>: The response required from the Client to the authentication challenge sent through the security gateway by the RADIUS server. Case and spelling are significant. This field must be entered by the system administrator.
• <VPN specific algorithm and key information>: Information specific to the VPNs of which the Client is a member. There may be one or more of these entries. These parameters are written by VPNmanager.
247. the address to communicate with the security gateway. This address does not change the security gateway's address; you change the security gateway's address and subnet mask from the security gateway console.

IP Default Route: The IP default route is the IP address of the gateway router on the wide area network (WAN).
IP Mask: This is the address mask for the security gateway.
MAC Address: The security gateway MAC address.
Device Type: This shows the model number of the device.
Device Firmware Version: This is the version of firmware running on the device.
Certificate Name: Name of the certificate issuer.

Associated IP Groups area

This area lists the names of the IP groups associated with this security gateway. You can select an IP group from the list and click Go to go to the IP Group tab to view the group information.

For VSUs running VPNos 4.0 or earlier, the following additional information is shown:

Export Type: Export type indicates the level of encryption used.
Serial Number: A unique number assigned during manufacturing to each security gateway. The serial number can be viewed from the security gateway and modified through the VPNmanager. When replacing a security gateway in an existing VPN configuration, use the serial number edit button in the VPNmanager to modify the replacement security gateway's serial number. Modifying the security gateway's serial number allows t
248. the flexibility to replace devices while maintaining the configuration.
Flash Version: Version of the currently executing NOS from one of two possible flash chips.
FIPS Mode: Federal Information Processing Standards (FIPS) mode indicates if the security gateway is running in the normal or FIPS Level 2 mode. It is recommended that this mode be used only if an organization's policy requires FIPS 140-1 Level 2 certification for cryptographic devices. The following are not supported in FIPS mode:
• SKIP VPNs
• VPNremote Clients
• Any algorithm other than DES or 3DES
• Any authentication algorithm other than SHA-1
RAS: For VSU 100R only. This option is used when dial-in VPNremote users are going to access a security gateway 100R. When enabled, this feature allows the security gateway 100R to support remote clients using VPNremote remote access client software as shipped from the factory. The feature is either enabled or disabled.

Memo tab

The Memo tab is used to record notes about the security gateway, such as change history, physical location, firmware version, etc. This information is stored only in the database and is not downloaded to the security gateway.

To create a memo:
1. From the Contents column, select the security gateway you want to configure.
2. Click the Memo tab to bring it to the front.
3. In the Memo tex
249. the list. Select one of the admin users.
3. Click Save.

VPN active sessions

Active VPN sessions are defined as remote client traffic and security gateway-to-security gateway traffic. An SNMP Agent running on a security gateway is used to collect information about these sessions. This information is private in nature and can be viewed by VPNmanager Console using its monitoring feature, or by common SNMP Management software running on another computer. The agent sends the information in clear text. Use Active security gateway Sessions for controlling the flow of session information. The VPN active session option is shown in Figure 81.

Note: If your organization's security policy dictates that this traffic be secure, TEP Policy in the Main Console Preferences tab can be turned on to encrypt this traffic. For additional information about using a third-party SNMP Manager, see Using SNMP to monitor the device on page 245.

Syslog Services

Security gateways have a syslog messaging facility for logging system error messages. The messages can be automatically sent to a destination running a Syslog server. Use Policy Manager to configure and enable Syslog services, then move to your computer's command prompt and type in a start command.

Figure 82: The Policy Manager for Syslog Services
250. the public side of the VSU. Also, in the default mode, all packets originating from the VSU destined for the private network use the private port's MAC address as the packet's source address.

Examples of traffic destined for the private network are:
• Decapsulated IPSec packets destined for the private network
• SNMP Get Responses being sent to a VPNmanager console residing on the private side of the VSU
• Traps sent to a VPNmanager console residing on the private side of the VSU

Note: It is important to remember that ARP often works in conjunction with the Advanced Filter setting.

Device in parallel with firewall or router

For example, if you set up a VSU in parallel with a network device that provides firewall and routing services, and you only want the VSU to
• send ARPs for addresses in its primary IP address space out the public interface, and
• send ARPs for addresses in its private IP address space out the private interface,
you would then want to:
1. Set the above to Bind one IP address to each port, and
2. Set the Advanced Filter to Deny all non-VPN traffic.
The latter prevents an ARP from going out both interfaces.

Device in One-Arm Mode

Suppose you have deployed the VSU in one-arm mode, which requires that only the private port be plugged into the network, and you have used the Bind one IP address to each port setting. This topology requires th
251. The security gateway includes an SNMP agent that supports MIB-II and a proprietary MIB. This agent is read-only and cannot be used to configure the security gateway. The agent can also send traps to a list of trap targets.

You configure the SNMP properties from the Device Object SNMP tab. Use this tab to configure the SNMP target devices or SNMP destination devices to which all security gateways report their status and alarm information. SNMPv1, SNMPv2c or, beginning with VPNos 4.2, SNMPv3 can be selected. You configure the trap and monitor strings and trap targets for SNMPv1 and SNMPv2c. You configure the trap targets and the SNMP user for SNMPv3.

Since SNMPv1 and SNMPv2c send data in the clear, you can disable access to sensitive data, including Filter Statistics, VPN Active Session and the Event Log.

To configure SNMPv3, an Admin User with the required SNMPv3 privacy and authentication settings must be created. The same admin user can be used in the SNMP settings of different security gateways. This version of the VPNmanager does not have the capability to monitor security gateways using SNMPv3; these devices can be monitored using third-party monitoring tools or MIB browsers that support SNMPv3.

If you select None, SNMP is disabled on the security gateway. If you check Poll this security gateway for either SNMPv1 or SNMPv2c, the VPNmanager actively monitors the device to see if the security gateway can be reached. If the device cannot be reach
252. the security gateway will be configured for your network
• Which remote users will be configured on a security gateway
• What IP addresses to configure and group
• What type of security policies you want to implement
• What VPN services to use
• What advanced features, such as VoIP, Failover or SNMP, will be implemented

Security gateway

The security gateway is preconfigured with default settings for the media interface zones and Network Address Translation (NAT). You may need to change the default configuration for your specific network environment. Up to six media interfaces can be configured with different zone interfaces. The number of zones that can be configured depends on the security gateway model (Table 1). Ethernet0 and Ethernet1 are present in all models and are assigned to the public and the private zones. The media interfaces that remain are unused and can be configured as required.

• Public zone: Public zone provides connection to the Internet, usually by way of a wide area network (WAN).
• Private zone: Private zone is used to provide connection to your private local area network (LAN) or to your corporate LAN.
• Public backup zone: Public backup zone is the backup interface to the primary public interface, for use when Failover is configured.
• Semiprivate zone: Semiprivate zone is used for media such as wireless LAN where the network is
253. the semi-private zone with medium security is trusted the same as the private zone. That is, the same security policy that is enforced on the private zone is enforced on the semi-private zone. In medium security, the semi-private zone can also access all the resources in the private zone.

Low Security: Selecting low security enforces the same security policy as specified for medium, and access from the internal network to the Internet is not limited to only the common services. Access to all TCP and UDP services is allowed.

VPN only Security: Selecting VPN only security enforces the security policies as specified at the domain and device levels. The security policies are enforced at the tunnel end point. VPN traffic is given a higher inbound and outbound priority than IKE traffic.

None: Selecting None as the firewall template allows all traffic, VPN and non-VPN, through the gateway. Security gateway policies are not enforced.

The details about rules, and what types of traffic are allowed and denied for each level and zone, are in the following tables.

Public zone firewall templates

The public network interface provides connection to the Internet, and the security gateway functions as the firewall/VPN gateway. Usually the public interface has the strongest firewall policy: few incoming packets are allowed, and outgoing packets are allowed only for commonly used services. The public high security rules are enforced for both incoming and
254. authentication method to use and where the authentication dyna policy is stored.
• Select Local Authentication to have the security gateway authenticate the users and to store the authentication policy on the security gateway.
• Select RADIUS Authentication to use a RADIUS server to authenticate users. Select a RADIUS method to store the policy:
  • Select Use local database for configuration to store the Dyna Policies on the security gateway. Note: This is the only choice for VPNos 4.31.
  • Select Use RADIUS configuration to store the Dyna Policies on a dedicated RADIUS server.
  • Select Use LDAP for configuration to store the Dyna Policies on the Directory Server.
• Only with VPNos 3.x with iPlanet Directory Server: Select LDAP Authentication to use the directory server to authenticate remote users. Select a method to store the policy:
  • Select Use local database for configuration to store the Dyna Policies on VSUs.
  • Select Use LDAP for configuration to store the Dyna Policies on the Directory Server.

6. Click the Remote Client tab to bring it to the front. Configure the pat tunnel to a secure DNS server to resolve client DNS names, and set the remote client idle time-out period.
• Check Enable Redirection Support if remote clients use private domain names, such as accounting.avaya.com, for navigating their VPN. Then enter the Domain and Protected DNS server address.
• En
255. shows statistics regarding system resources.
System State: Shows a snapshot of all system resources.
Security Processor Statistics: Shows the statistics for the Hifn chip. These statistics are only applicable for SG200, SG203 and SG208.
Flush Configuration: Deletes existing firewall, VPN, QoS, failover, SNMP, DNS relay, NAT, VoIP, remote access and static routes configuration on the security gateway. The settings are returned to the factory defaults. Caution: Use this operation only as a last resort to recover lost administrator connectivity with the security gateway.
Reset Configuration to Factory Defaults: Deletes all existing configuration except the license. All configuration parameters are returned to the factory default configuration except for the license parameters. Unless the security gateway device is in an inconsistent state, that is, if the configd process is not running, the license parameter is also returned to the factory default setting. Caution: Use this operation only as a last resort to recover lost administrator connectivity with the security gateway.
(2 of 2)

Chapter 11 Device management

From the VPNmanager Console you can manage and check the status of the security gateways. This chapter describes:
• Using the Management tab to change administrative passwords and set up SSH and Telnet to connect to a security gateway
256. ically along with a device status icon directly over the security gateway graphic.

Figure 6: VPNmanager Network Diagram View

Tiled View

When six or more security gateways are present in the selected VPN, the presentation automatically switches from the diagram view to the tiled view.

Figure 7: VPNmanager Tiled View

Tree View

An alternative presentation style to the diagram and tiled views, the tree view mimics the Windows-style vertical directory presentation. Its main benefit is that in large or complex VPNs, sections can be collapsed to simplify the view. A + or - box is displayed to the left of an entry, indicating that the entry is collapsed or expanded.

Figure 8: VPNmanager Tree View
257. Click Advanced to change the default keepstate values for TCP, UDP or ICMP.
20. Click Finish to return to the Policy Manager for Firewall.

Chapter 9 Using advanced features

This chapter explains the advanced functions of VPNmanager. The following tabs can be used to configure advanced functions for domains and for security gateways:
• Device Advanced
• TEP Policy
• Servers
• Resilient Tunnel
• Failover TEP
• Advanced Action
• High Availability
• Failover
• Converged Network Analyzer Test Plug
• Keep Alive
• Policy Manager My Certificates

Device Advanced

The Device Advanced tab contains properties that are used to configure security gateway parameters for unique circumstances.

Note: The properties displayed within the Device Advanced tab are determined by the release of VPNos the device is running.
• VPNos 3.x includes all options described.
• VPNos 4.0 and 4.1 include MTU Path and Private IP Address.
• VPNos 4.2 includes MTU Path Discovery.
• VPNos 4.31 includes MTU Path Discovery, NAT Traversal and Port for Dyna Policy Download.
Note: Beginning with VPNos 4.31, the Private IP Address property is part of the interface configuration on the Interfaces tab.
• VPNos 4.4 includes MTU Path Discovery, NAT Traversal and Port for Dyna Policy Download.
• VPNos 4.5 includes Path MTU Discovery, NAT
258. Note: This mode should be used when the VSU is dedicated to VPN traffic and is in parallel with another device, such as a router or firewall, that can resolve ARPs from the private network to the Internet gateway. This mode should not be used when the VSU is the only path between network devices and a router with which those devices need to communicate.

Drop all fragments: When checked, discards all non-expected IP packet fragments. Normally used to prevent tiny fragment attacks (RFC 1858).
Drop all short packets: When checked, this function drops all packets that are not a valid size.
Keep filter statistics (SNMP): When checked, statistics for this filter are reported via SNMP.
Memo: Use this area to record comments or notes about your filter.

Add Packet Filtering Policy

This screen performs two basic functions: selection of the desired action, and selection of the traffic type for which a filter is constructed. Additional buttons are provided for Advanced functions, Close, Next and Finished.

Action: Two basic actions may be selected, Permit or Deny. As you would expect, Permit allows all packets of the Traffic type selected to pass, while Deny blocks all packets of the Traffic type selected.

QoS Mark: QoS Mark is a drop-down menu of choices used when differentiated levels of priority for IP packet routing are used. This allows Quality of Service markings to be placed in the outer IP header when app
259. 5. You can edit, move up, move down or delete.
6. When finished, click Save to save your work.

Stopping and starting resilient tunnel services

Resilient tunnel services for a specific primary end point or secondary end point can be stopped or started at any time.

Primary end point service

To stop or start resilient tunnel services for a primary end point:
1. Move to the Configuration Console window. Select Devices.
2. From the Device > Contents column, select the device that acts as the primary end point for a tunnel.
3. Click the Resilient Tunnel tab to bring it to the front.
4. Do one of the following:
• Select the Enable Resilient Tunnel check box to start services.
• Clear the Enable Resilient Tunnel check box to stop services.
5. Click Save to save your work.
6. To send the configuration to the device, click Update Devices.

Secondary end point service

To stop or start resilient tunnel services for a secondary end point:
1. Move to the Configuration Console window. Select Devices.
2. From the Device > Contents column, select the security gateway that acts as the secondary end point for a tunnel.
3. Click the Resilient Tunnel tab to bring it to the front.
4. From the Resilient Tunnel List, select a specific secondary end point.
5. From the Enabled column, do one of the following:
• Select the check box to start services.
• Clear the check box to stop servi
260. field, followed by the ending address of the range in the Range End field. Up to 20 non-contiguous IP address ranges of any size may be entered (depends on the security gateway memory available). For VPNos 4.31, you enter the IP address and mask.

Add Client DNS: The Client DNS address entered here is sent to the security gateway, where it is used for the VPNremote virtual adapter configuration. This information is then sent to the VPNremote Client through CCD. Three Client DNS addresses can be configured in the VPNmanager.

Add Client WINS: The Client WINS address entered here is sent to the security gateway, where it is used for the VPNremote virtual adapter configuration. This information is then sent to the VPNremote Client through CCD. Two Client WINS addresses can be configured in the VPNmanager.

To configure the Client IP configuration:
1. From the Select Object Name list, select the security gateway to be configured.
2. From the Configuration Console window, go to Tools > Policy Manager.
3. From the Type of Policy list, select IP Client Configuration.
4. In the Current Client IP Address Pool Policy area, click Add.
5. In the Range Start text boxes, type in the address for the lower boundary of the address pool.
6. In the Range End text boxes, type in the address for the upper boundary of the address pool.
7. Click Apply. The contents are then cleared from the Add screen, allowing for the ne
261. certificate. This only applies to Avaya Inc. VSUs of Version 3.0 and higher.

FQDN: Select to show the Enter Target Information text box. Type in the Fully Qualified Domain Name (FQDN) to identify the target by its absolute name. For example, a target having the name xyz and a root of vpnet.com has an absolute name of xyz.vpnet.com. The DNS Server that is used is configured from the DNS tab (on page 63).
e-mail: Select this item to show the Enter Target Information text box. Type in an e-mail address to identify the target by an e-mail address.
Directory Name: Select this item to show the Enter Target Information text box. Type in an e-mail address to identify the target by an e-mail address.
Any: Select this item for general-purpose situations, for example, if you do not have enough certificates to configure.
8. From the Locate this IKE Certificate Policy options, select a queue position for the bundle.
9. VSUs use bundles on an as-needed basis.

Chapter 10 Monitoring your network

This chapter describes the real-time monitoring facilities that the VPNmanager application provides. This includes the following:
• Using SNMP to monitor the device
• Syslog Services
• Using Monitor
• Monitoring alarms
• Report Wizard

Using SNMP to monitor the device

The VPNmanager uses the SNMP protocol to monitor the security gateway. T
262. Figure 88.
1. An administrator uses Directory Server to send a Certificate Request to a PKI.
2. The PKI responds with a Signed Certificate.
3. The Issuer's Certificate is sometimes called a Certificate Authority (CA) Certificate and can be freely obtained from anyone running a PKI.
4. An Issuer's Certificate is installed in the policy server and the VPNmanager Console.
5. The administrator uses VPNmanager to install an Issuer's Certificate into the devices.

When to Configure your VPNmanager for SSL

You can configure your VPNmanager to use SSL at any time; however, it is recommended that this be done before it is put into service.

Installing the issuer's certificate in the policy server and the VPNmanager Console

Installing an Issuer's Certificate into VPNmanager Console is done from the command line. The same Issuer's Certificate that was installed in the server can be used here. Since the console can run on Windows NT or Solaris OS, the following two sub-sections cover the procedures.

Note: After a certificate is installed, it cannot be seen in the Issuer Certificates list of the Policy Manager for Issuer Certificates. These certificates are used specifically for running SSL services, not for anything else.

Windows NT and Windows 2000 Computers

To install a certificate in VPNmanager Console:
1. Copy the certificate to the C Program Files Avaya VPNmanager Console director
263. primary RTEP is configured and the system reboots, failover reconnect will attempt to connect to the first entry of the failover RTEP list.
4. Confirm that the RTEP and TEP are in IP address format and are the same, and that they are first in the list. Click OK.

Converged Network Analyzer Test Plug

The Converged Network Analyzer (CNA) test plug feature provides a distributed system tool for real-time network monitoring that detects and diagnoses converged network-related issues. When enabled, this monitoring tool is proactive and can identify network conditions or impairments that can degrade overall network performance, and diagnose if a security gateway is experiencing difficulty. Within the CNA, the test plugs are independent software modules that are injected into the fault-tolerant network to collect and analyze the network test data. If potential network problems are detected, they are escalated using standards-based alarms and notification.

This feature includes enabling CNA, setting the test plug services, configuring the RTP test port and CNA unit port, and adding CNA units for registration.

Figure: CNA tab (Enable CNA Test Plug, Private Test Request Port, RTP Test Port, CNA Units for registration)
264. in each SKIP-secured packet in the form of a SKIP header. The cryptographic algorithms defining the VPN services in a SKIP VPN are predefined instead of negotiated dynamically as in ISAKMP. A special type of credit-card-like authentication device assigned to an individual user that offers a greater degree of private network access security. Split tunneling allows the remote client to simultaneously maintain both a VPN secure connection and a clear connection. This function is active by default; however, disabling Split Tunneling turns it off, allowing only secure VPN traffic from the remote client's computer. Control of Split Tunneling is normally set when the Dyna Policy configuration download to the remote client's computer occurs. Secure Sockets Layer (SSL) is a protocol that provides authentication for servers and browsers, as well as secure communications between a web server and browser. It is used by the VPNmanager Console to communicate with the security gateways and the Directory Server. Syslog enables each security gateway in the VPN to provide logging data to a specified destination for historical purposes. A cryptographic algorithm based on DES that encrypts a block of data three times with different keys. User Groups are logical groups in which individual VPN user members reside. User Groups have a single-level hierarchy. Users can belong to more than one User Group. Virtual Private Network: A VPN allows the sending of sensitive secu
265. in the IP address or host name used by the server. Locate This Server: Use these options to insert the server into a specific position in the Directory Servers list. Port: Type in the port number of the server (the default is 389). To verify the number, move to the computer running iPlanet Directory Server, then start the iPlanet Console; the number can be seen from the Console tab. Use SSL: Select this check box to protect the communication between the VPNmanager Console and the Directory Server with Secure Socket Layer (SSL). Read Appendix A, Using SSL with Directory Server, before making this selection. 6. Click OK to return to the Directory Servers tab. The new backup server appears in the Directory Servers list. 7. When finished, click Save to save your work. Managing the server list: The backup servers shown in the Servers list can be edited, have their sequence changed, or even be deleted. The list organizes the servers in the sequence in which they must be used, where the one at the top of the list is always used first. To edit, change the sequence of, or delete a backup server: 1. Move to the Configuration Console window. 2. From the Device > Contents column, select the security gateway that has the backup server that needs to be changed. 3. Click the Servers tab to bring it to the front. 4. From the Servers list, select a specific secondary end poi
266. ing a version of VPNremote Client software which supports Client DNS Resolution Redirection. Check with Avaya Technologies for version support information. You can enable Client DNS Resolution Redirection and enter up to three subdomain names, along with the IP address of the DNS server that will resolve DNS requests for the corresponding subdomain name. To configure Client DNS Resolution Redirection for all VPNremote Clients: Enter a subdomain name in the Domain Name field, for example finance.mycompany.com. Enter the IP address of the DNS server that will resolve DNS requests for the corresponding subdomain name in the Protected DNS Server field. Repeat this procedure for up to two additional subdomains, then click Apply. These settings apply to all Clients in all VPNs; Client DNS Resolution Redirection cannot be set uniquely for each Client. For proper operation, a VPN protecting the specified DNS servers must be configured between the VPNremote Client and the security gateway. This VPN must contain a Group that includes the IP addresses of the DNS servers defined within the Client DNS Resolution Redirection. The VPN services of the DNS server VPN will be applied to any DNS requests made by the Client to the subdomains defined within the Client DNS Resolution Redirection. Client DNS resolution redirection: Enable Client DNS Resolution Redirection and enter up to thr
267. interval in seconds at which packets will be sent to the configured hosts. The default is 10 seconds. In the Hosts area, click Add and enter the network host IP address or the network host DNS name for which you want to monitor connectivity. You can define up to five DNS names or IP addresses. These hosts can be either within the VPN or outside the VPN. If the host is within the VPN, the host information is encapsulated in the associated VPN policy. If the host is outside the VPN, the host information is sent in the clear. In the Apply this configuration to these devices area, click Add and select the device(s) to which the configured keep-alive interval will be applied. Use the left and right arrows to move the highlighted devices from one column to the other. 8. In the Traceroute Criteria area, select Initiate Traceroute when criteria are met and complete the following: a. In the Number of Failed Hosts field, enter the number of hosts from the configured keep-alive hosts that can fail to receive keep-alive responses. If multiple hosts are configured and all hosts are critical, enter 1; if any one of the configured hosts fails to respond, network path failover occurs. b. In the Consecutive No Responses field, enter the number of consecutive connectivity checks without a keep-alive response before traceroute is initiated. The default is 10. c. In the Target Host area, select the host type: 1. Fi
268. invalid lengths. When the receiving system attempts to rebuild the packets, the system crashes because the packet length exhausts the available memory. IP Spoofing: This attack sends an IP packet with an invalid IP address. If the system accepts this IP address, the attacker appears to reside on the private side of the security gateway. The attacker is actually on the public side and bypasses the firewall rules of the private side. Smurf Attack: This attack floods the system with broadcast IP packet pings. If the flood is large enough and long enough, the attacked host is unable to receive or distinguish real traffic. Tear Drop: This attack sends IP fragments to the system that the receiving system cannot reassemble, and the system can crash. Flood Attack: This attack floods the system with TCP connection requests, which exhausts the memory and the processing resources of the firewall. Flood attacks also attack the UDP ports. This attack attempts to flood the network by exhausting the available network bandwidth. Note: When you enable Flood Attack, you must also enable the Keep State feature in the Firewall Rules Setup in the Security tab. (Avaya VPNmanager Configuration Guide, Release 3.7.) Voice Over IP. WinNuke Attack: This attack attempts to completely disable networking on computers that are running Windows 95 or Windows NT. This attack can be swift and crippling because it uses common Microsoft NetBIOS services. WinNuke att
269. ion, either the source IP address or the destination IP address of packets is changed. When you set up your firewall rules, you need to consider the type of NAT configured, as you must create the firewall rule to filter on the translated IP address and ports, not on the original address and ports. Setting up firewall rules for FTP. FTP and Firewall/NAT Operation: The File Transfer Protocol (FTP) uses two TCP connections, one for control and another for data. The primary methods for establishing the data connection are passive FTP and active FTP. In the passive FTP case, the FTP client makes the data connection to an IP address and port the FTP server has specified. An active FTP data connection is initiated by the FTP server using information specified by the FTP client. If the FTP client and FTP server are separated by a firewall, control and/or data connections will normally be blocked. For FTP to function properly, state must be maintained for control and data connections to complete. Typically, a wide range of ports behind the firewall also must be exposed to the external network in order for an external FTP client (passive FTP) or external FTP server (active FTP) data connection to be established. So the location of client and server, as well as the mode of operation (active or passive FTP), dictates the type of firewall issues. Active FTP is beneficial to the FTP server administrator but detrimental to the c
270. is rule. Select Enabled or Disabled in the Status drop-down list to enable or disable the new rule. Parameter / Description: Permit allows all packets of the selected traffic type to pass; Deny blocks all packets of the selected traffic type. Click Next. Select the set of sources from the available source list. Click Next. Select the set of destinations from the available destination list. Click Next. Select the set of services from the available services list. Select the Interface from the drop-down list. 12. For maximum flexibility and capability, the firewall rules can be specified on each interface (public, private, or Tunnel). The packets are checked against the firewall rules at the interface where they are defined. Select the Direction from the drop-down list. Direction is in respect to the security gateway: in or out. If this rule is to be logged, select the Log Enable check box. If this rule is to keep state, select the KeepState Enable check box. 17. The keepstate function allows a rule set for the intended traffic to also be applied to the reply packets. The function can be applied to TCP, UDP, and ICMP packets. 18. Keepstate sets up a state table, with each entry set up by the sending side. Reply packets pass through a matching filter based on the respective state table entry. A state entry is not created for packets that are denied. 19. Cl
271. risk of explosion if the battery is replaced by an incorrect type. Dispose of used batteries according to Avaya Environmental Health and Safety guidelines. Documentation: For the most current versions of documentation, go to the Avaya support Web site, http://www.avaya.com/support.
272. …Access | Permit | ManagementIP | Any | Any | Out | Management | No
OutBoundManagementBlockAll | Deny | Any | Any | Any | Out | Management | No
Converged Network Analyzer template: The Converged Network Analyzer (CNA) template is a set of firewall rules that can be configured to allow CNA traffic to travel through the network when the security gateway is set up as a firewall device. Typically the security gateway will not allow CNA traffic to travel through the device; however, when the CNA template is configured and added to existing firewall rules, CNA traffic is allowed. The CNA template can be combined with any other preconfigured firewall template security level (high, medium, low, or none).
Table 44: Converged network analyzer firewall rules
Rule Name | Action | Source | Destination | Service | Direction | Zone | Keep State
InBoundCNAPing | Permit | Any | Public IP | ICMP EchoRequest | In | Public | Yes
InBoundCNARTP | Permit | Any | Public IP | CNA RTP | In | Public | No
InBoundCNATestPlug | Permit | Any | Public IP | CNA TestPlug | In | Public | No
OutBoundCNAPing | Permit | Public IP | Any | ICMP EchoRequest | Out | Public | Yes
OutBoundCNAALLTCP | Permit | Public IP | Any | Any TCP | Out | Public | Yes
OutBoundCNAALLUDP | Permit | Public IP | Any | Any UDP | Out | Public | Yes
InBoundCNABlockUDPICMPUnreachable | Deny | Any | Public IP | Any UDP | In | Public | No
273. either an ESP trailer, as defined in RFC 2406 (IP Protocol 51), or AH, as defined in RFC 2402 (IP Protocol 52). Perfect Forward Secrecy: Perfect Forward Secrecy defines a parameter of IKE such that disclosure of long-term secret keying material does not compromise the secrecy of the keys exchanged in previous communications. Enabling Perfect Forward Secrecy is more secure but involves more overhead. It is recommended that your VPN use this option if your VPN encryption algorithm is DES. See RFC 2409 for additional information on Perfect Forward Secrecy. When enabled (Yes), a Diffie-Hellman Group number must be selected. Diffie-Hellman Group: Diffie-Hellman Group defines mathematical parameters used during IKE negotiations. Group 1 specifies use of a 768-bit modulus; Group 2 specifies use of a 1024-bit modulus. Group 2 is more secure. See RFC 2409 for additional information on Diffie-Hellman Groups. IPSec Proposals: The IPSec proposals area displays a list of all currently defined proposals, ranked by priority of negotiation. You can add, edit, or delete IPSec proposals, and you can relocate them in the list. A maximum of four IPSec proposals are allowed in the IPSec Proposal Priority list. An extranet is an example of when several proposals are desirable: by having several choices, the odds of finding a mutually common proposal on both sides are increased. Another example is where international security gateways (DES only) and a domestic
274. [Figure: Policy Manager for Syslog, showing the Enable SYSLOG check box and the target host list (rank, Host Name or IP Address, Type, Port, Enabled) with the Log debug event check box.] Enable SYSLOG: When this box is checked, Syslog reporting to the target hosts in the list occurs. The number here is the order, by rank, of the target host to which Syslog data is sent. Host Name or IP Address: The domain name or IP address of the target logging archive machine. Type: UDP. Port: The port number of the Syslog host. Send From: Public, private, or any. Syslog Services. Add Syslog Policy: The Add Syslog Policy screen allows you to designate the host to which syslog messages are sent by the selected security gateway or by all devices. It also enables syslog messages to be sent to the VPNmanager through a designated UDP port. Hosts to receive log messages: Enter the name or the IP address of the target machine you are designating to receive syslog data. Send event log message via: Enter the port service (UDP) and number through which syslog messages are reported. To run Syslog services: 1. From the Device > Contents column, select the security gateway you want to configure. 2. Click the Policies tab to bring it to the front. Select Syslog, then click GO to open the Policy Manager for Syslog. 3. Select the Enable SYSLOG check box so the security gateway will run Syslog services. 4. Click Add to open the Add Syslog Policy dialog box. 5. Use the Hosts to receive
275. receive encrypted traffic from an IKE-compatible device, the target is viewed as an owner because it must send its certificate to the IKE device. The concept of owners and targets is illustrated in Figure 80. It is important to understand that a target must have an owner's certificate before it can send encrypted traffic to the owner. Figure 80: Certificate exchange between VSUs (VSUA and VSUB; encrypted traffic to VSUA). Before VSUA can receive encrypted traffic from VSUB, a certificate owned by VSUA must be sent to VSUB, the target of VSUA's certificate. The roles and process are reversed when VSUB needs to receive encrypted traffic from VSUA. Assigning a Target for a Certificate: After a certificate is installed in a VSU, as described in Policy Manager My Certificates on page 234, it must be assigned a target. A Bundle is used to define a certificate as having a specific target type, address, description, and queue position. The Policy Manager for IKE Certificate Usage lists all the bundles for a specific VSU. The Bundle Numbers identify which VSU Certificate is associated with the bundle; for example, Bundle Number 3 means that VSU Certificate number 3 is associated with the bundle. Up to eight bundles can be created, which directly relates to the number of signed certificates that can be dynamically stored in a VSU. The certificates stored on a specific VSU can be viewed from the Policy Ma
276. Object and select Users. The New User dialog is displayed. In the Name text box, type the name of a remote user. Any character except a comma can be used. Note: If you plan on using RADIUS as an authentication method, this name must match the name used in the RADIUS server. In the Password text box, type the user password for the local RADIUS and directory servers. 4. In the Confirm Password text box, retype the password. 5. Press Apply to save the user name. 6. You can continue to add users, or you can click Close to return to the Configuration Console window. About creating individual dynamic policy: You configure the individual user object from Configuration Console > User Object. User General tab: The User General tab displays information about the user highlighted in the Contents column, including which VPNs and User Groups the user is a member of. Figure 37: User General tab (Directory Name, Default User, VPN Remote Software Type, Current VPN Membership). Directory Name: This is the unique user's name within the directory structure. It is not duplicated anywhere within the VPN
277. [Figure: Configuration Console Device General tab (Directory Name, IP Address, DNS Name, Default Route, IP Mask, MAC Address, Certificate Name, IP Group Associated with this Device, Status).] Configuration Console Menu bar: The menu bar on the Configuration Console window includes the following commands: File, Edit, View, Tools, and Help. File menu: The File menu includes the following commands. New Object: You can create new objects within any of the categories listed in Table 2, New object, on page 38. Save Changes: This command saves any changes made through the Configuration Console. Discard Changes: This command clears any changes you have made and reverts the configuration to the last saved version. Close: This command closes the Configuration Console window. Edit menu: The Edit menu includes the following commands. Delete Object: This command deletes the currently selected object. Preferences: Preferences provides access to global settings for both the machine on which the VPNmanager resides and the domain currently in focus. See Preferences on page 48.
278. Click Add to enter the network host or hosts for which you want to monitor connectivity. You can define up to five DNS names or IP addresses. These hosts can be either within the VPN or outside the VPN. If the host is within the VPN, the host information is encapsulated in the associated VPN policy. If the host is outside the VPN, the host information is sent in the clear. 11. In the Remote TEP field, click Add to enter the tunnel endpoints (TEP) for the central site to which the remote VPN device establishes a network connection. If the network path failure criteria are met while the remote security gateway is trying to establish a network connection, the remote VPN tries alternate TEPs until a network connection is made. For more information regarding Failover TEP, see Failover TEP on page 218. 12. In the Device VPN Mappings area, click Add to enter the device type and configured VPN information. Click OK. 13. Click Save. Failover reconnect: When failover is configured on the security gateway, the security gateway is enabled to detect connectivity failures to the configured TEPs. If a failure is detected, the security gateway will attempt to connect to an alternate TEP. In some network configurations alternate TEPs are considered temporary, and the expected behavior is that a system reboot would revert to the original TEP. However, the security gateway remains connected to the alternate TEP until the administrator switches the connection back to
279. small number of security gateways using the VPNos Web interface or the security gateway's CLI, it quickly becomes impractical for larger installations. When switching to VPNmanager for centralized management of devices which have already been configured, the Import Device Configuration feature allows the devices' existing configuration data to be easily migrated to VPNmanager. When a device configuration is imported into VPNmanager, only the device-level configuration settings are imported. The domain-level settings (e.g., VPNs, Firewall templates, Users, and Failover) are not imported. The configuration settings that are imported apply only to the specified device. Note: If VPNmanager already has any configuration data for a particular device, the retrieved data overwrites the existing data for that device. In VPNmanager 3.4, the Import Device Configuration feature supports importing of the following configuration settings: Interfaces, Static Routes, Network Objects, Services, VoIP, DNS, NAT, NAT Traversal, DoS, SSH/Telnet, and Management Access. To import configuration data for a device: 1. Select Devices on the Configuration window in VPNmanager. 2. Select the device from which configuration data will be imported. If the device entry does not yet exist in VPNmanager, simply create a new device, specifying its IP address and selecting Set Up Later in the Device Set
281. duplex mode. In half-duplex mode, the Ethernet port is capable of sending or receiving packets over the network at 10 Mbps. Redundancy: This button only appears when a VSU 1200/7500 is the selected device. This screen appears when the Redundancy button on the security gateway Action tab is clicked. It is used to set up specific redundancy attributes when two VSU 1200/7500s are being used to back up each other. This function also allows you to check the status of the redundant systems in the VSU 1200/7500 and allows you to manually switch over the active Ethernet ports from the primary to the secondary ports, or vice versa. This switch-over function can be performed for both ports on a single card or for an individual active port. Network Interface Status, Card 1 / Card 2: Shows the current status of the public and private Ethernet ports located on the primary and secondary Ethernet interface cards. The port names are shown next to three icons indicating the current port status. The first box indicates whether the port is on, off, or defective. The second box indicates whether the port is connected and at what speed it is operating (100 or 10 megabits per second), and the last box indicates Full or Half duplex. Fan/Power Status: Indicates the power supply and fan status. The Fan/Power Status section shows the current state of the redundant cooling fans and power supply modules. If a fan or power supply module fails, a FAILED status is displayed indicating whic
283. client-side admin. If the FTP server attempts to make connections to random high ports on the client, these packets would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client but detrimental to the FTP server admin. Even if the client makes both connections to the server, the one random high port would almost certainly be blocked by a firewall on the server side. Typically, administrators running FTP servers will need to make their servers accessible to the greatest number of clients, so they will almost certainly need to support passive FTP. Applications do not consistently use passive FTP or active FTP. Modern FTP clients and Internet browsers support a variety of choices. There are additional problems when the FTP client and FTP server are located on opposite sides of a NAT gateway. Active FTP clients attempting to gain access to FTP servers from behind a NAT gateway will fail because the data connection received from the FTP server has no address mapping (for example, the FTP server attempts to connect to the external address of the NAT gateway). Security Gateways and FTP: Two different approaches are available for supporting FTP within the SG environment. One allows the administrator to individually manage each control and data connection through the firewall (the FTP Ctrl, Active FTP, and Passive FTP services). The other, which is recommended, uses the FTP Proxy service. The first approach allows the administrator to restrict the
284. Clients allows clients that have registered brand names with the security gateway to be authenticated during CCD. The Administrator can enter up to five brand-specific names for the Client Legal Message to be displayed. RADIUS/ACE Services (VPNos 3.x and VPNos 4.31 only). Note: If a RADIUS server is used, the name assigned to a VPNremote Client must be identical to the one used in the RADIUS server. A popular tool for managing authentication and accounting for remote access has been Remote Authentication Dial-In User Service (RADIUS). Use the Policy Manager for RADIUS/ACE if you want to use one or more RADIUS servers to authenticate remote users. A security gateway can query up to three RADIUS servers, where two of the servers are recognized as backups. Figure 42: The Policy Manager for RADIUS/ACE (Enable RADIUS/ACE, IP Address, UDP Port, Retry Attempts, RADIUS Server Connection Timeout, RADIUS Attribute for VPN Policy). Note: The security gateway must authenticate itself to the RADIUS server with a shared secret before they can exchange information. Therefore the RADIUS server must be configured with a shared secret for the security gateway. Enable RADIUS/ACE: Whe
285. block ports 1024 through 1250, you would enter Action Deny, from 1024 to 1250, and select as the comparator value. From Where: Type: Choices are Network/Mask Pair or Any. IP Network/Mask Pair: Identify the source IP address to which the filter rule applies. To Where: Type: Network/Mask Pair or Any. IP Network/Mask Pair: Identify the source IP address to which the filter rule applies. The Filtering Policy in progress: This area presents a dynamically updated summary of the filter parameters based on the current selections. Interface: Select the private, public, or Tunnel interface of the VSU to which this filter is applied. Direction: In or Out. Log: Yes or No. If yes, the maximum number of bytes per entry can be specified. Locating this filtering policy: Establishes the position of this filter rule in the Policy Filter list. Selections are Beginning of List, End of List, and After Selected Item. The filtering policy in progress: This area presents a dynamically updated summary of the filter parameters currently selected. When you are satisfied with your filter configuration, click the Finished button to build the filter. The filter is then automatically placed in the main Packet Filtering window list according to the order indicated by the Locate This Filtering Policy radio button. Running the packet filtering policy wizard: The P
286. …BlockAll (rest of traffic).
Table 32: Public low security firewall rules
Rule Name | Action | Source | Destination | Service | Direction | Interface | Keep State
InBoundPublicAccess | Permit | Any | PublicIP | IKE_IN, IPSEC_NAT_T_IN, AH, ESP, ICMPDestUnreach | In | Public | No
InBoundPublictoDMZAccess | Permit | Any | DMZNet | HTTP, HTTPS, POP3, IMAP, SMTP | In | Public | Yes
InBoundPublicBlockAll | Deny | Any | Any | Any | In | Public | No
OutBoundPublicAccess | Permit | PublicIP | Any | IKE_OUT, IPSEC_NAT_T_OUT, AH, ESP, ICMPDestUnreach | Out | Public | No
OutBoundPublicPingAccess | Permit | PublicIP, DMZNet, PrivateNet, SemiPrivateNet, ManagementNet | Any | ICMPEchoRequest | Out | Public | Yes
OutBoundPublicGeneralAccess | Permit | Any | Any | ICMPEchoRequest (PING), ALL TCP, ALL UDP | Out | Public | Yes
OutBoundPublicBlockAll | Deny | PublicIP, DMZNet, PrivateNet, SemiPrivateNet, ManagementNet | Any | Any | Out | Public | No
Table 33: Public VPN only firewall rules (1 of 2)
Rule Name | Action | Source | Destination | Service | Direction | Interface | Keep State
InBoundPublicAccessVPNData | Permit | Any | Public IP | ESP, IPSEC_NAT_T_IN | In | Public IP | Yes
OutBoundPublicAccessVPNData | Permit | Public IP | Any | ESP, IPSEC_NAT_T_IN | Out | Public IP | Yes
InBoundPublicAccessVPNKeyMgmt | Permit | Any | Public IP | IKE IN, IKE AVAYA IN | In | Public IP | Yes
287. dialog is used to configure the security gateway to support DHCP Relay functionality. Note: DHCP relay and DHCP server services are mutually exclusive. When the security gateway acts as a DHCP relay, the security gateway cannot also be a DHCP server at the same time. When the DHCP relay agent receives DHCP client requests from the private or semiprivate interface zones, the relay agent creates new DHCP messages and forwards the messages to the DHCP server(s) on the public, private, or semiprivate zones or on remote networks. The DHCP servers on the public network send DHCP offer messages that contain the IP addresses to the DHCP relay agent. The agent broadcasts the DHCP offer messages to the DHCP clients. If the DHCP server resides on the remote network, the DHCP server and the DHCP clients must be part of the VPN so that the client can obtain the IP address from the DHCP server. Static: When you select Static, the security gateway is configured with a static IP address and mask. This is the default configuration. If Static is selected and the VPNmanager is on the private side, then the IP address of the computer running VPNmanager should be configured statically or dynamically through another DHCP server. Changing network interfaces: From the VPNmanager Console Device Interfaces tab, you can modify the media settings, change the IP information, add an IP device, and configure IP telephony settings. You can configure any zone but Public. To chang
288. log messages options to configure the address of the Syslog Server:
- To use a DNS name for the server, select the Host Name radio button, then type in a name.
- To use the IP address of the server, select the IP Address radio button, then type in an address.
If you want the security gateway to send syslog messages to the VPNmanager Console, configure the Send event log message via option:
- To send the messages to a UDP port, select UDP Port, then type a number into the Port Number text box. The default is 514.
Click OK to return to the Policy Manager for Syslog window.
8 Click the Log debugging event log management messages checkbox to log those messages.
9 Click Save.
10 From the upper right-hand corner of the window, click the close button to return to the Configuration Console window.
11 Open a command prompt on your MS Windows computer.
12 Type the following command line, which gives the directory for the syslog file, its size limit, the protocol used and the port number:

    "C:\Program Files\Avaya\VPNmanager Console\Syslog\jre\bin\java" SyslogServer -L"C:\Program Files\Avaya\VPNmanager Console\Syslog" -Ssize -Pport -Nnumber

- If you want the size of the log file to be limited, type a specific size in kilobytes; otherwise the default of 8000 KB (8 MB) is used.
- If the default UDP port number was not used in Step 6, type in the port number
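As an added example that is not part of the guide or of Avaya's SyslogServer, the Python below receives UDP syslog datagrams on the configured port, decodes the RFC 3164 PRI value into facility and severity, and appends the decoded lines to a file that rotates once when a size limit is reached (8000 KB by default, matching the -S default above). The sample message used in the test, the log file name and the rotation scheme are constructed for the example.

```python
"""UDP syslog receiver with PRI decoding and a size-limited log file (added example)."""
import os
import re
import socket

# RFC 3164 section 4.1.1: PRI = facility * 8 + severity, 0 <= PRI <= 191.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(line: str) -> dict:
    """Split '<PRI>content' into facility, severity and the remaining text."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a syslog line with a valid PRI")
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "content": m.group(2).rstrip("\r\n")}


class SizeLimitedLog:
    """Append lines to a file; when the limit would be exceeded, rotate the file
    once to <path>.1 so the newest messages are never dropped."""

    def __init__(self, path: str, limit_kb: int = 8000):
        self.path, self.limit = path, limit_kb * 1024

    def write(self, text: str) -> None:
        if os.path.exists(self.path) and os.path.getsize(self.path) + len(text) + 1 > self.limit:
            os.replace(self.path, self.path + ".1")
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(text + "\n")


def serve(port: int = 514, logfile: str = "vsu.log", limit_kb: int = 8000, max_messages=None):
    """Receive datagrams and append '<sender> <facility>.<severity> <content>' lines.
    Binding port 514 needs administrator rights; use a high port when testing.
    max_messages lets a caller stop after a fixed number of datagrams."""
    log = SizeLimitedLog(logfile, limit_kb)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        received = 0
        while max_messages is None or received < max_messages:
            data, (sender, _) = s.recvfrom(2048)
            try:
                rec = parse_syslog(data.decode("utf-8", "replace"))
            except ValueError:
                continue  # drop datagrams that are not syslog at all
            log.write(f"{sender} {rec['facility']}.{rec['severity']} {rec['content']}")
            received += 1
```

Syslog over UDP is unauthenticated and unencrypted; anything that can reach the port can inject or spoof gateway events, so keep the listener on the management network and filter the source address to the security gateway.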
289. lying the IPSec tunnel mode, thereby allowing QoS-aware devices within an MPLS cloud to maintain the desired level of priority when handling the packets. Packets to be marked at the VSU are identified by the filtering criteria of the rule. A comprehensive list of QoS preset markers is provided in the drop-down menu. For information on the use of these markers, or on constructing user-defined markers, refer to the following:
- RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers: http://www.ietf.org/rfc/rfc2474.txt
- RFC 2598, An Expedited Forwarding PHB: http://www.ietf.org/rfc/rfc2598.txt
- The IETF diffserv working group charter, http://www.ietf.org/html.charters/diffserv-charter.html, which contains links to the related RFCs, including 2474 and 2598.

Establishing security

Traffic Type: The fields and drop-down lists in this section change according to the IP protocol type selected. Depending on the traffic type selected, user-defined TCP and user-defined UDP Source and Destination fields appear to collect additional parameters. If the Traffic Type selected is user-defined IP, a Protocol ID field appears. A comprehensive set of UDP, TCP and ICMP filter options is provided.

Keep State: Appears when the user-defined TCP or user-defined UDP traffic type is selected. This function allows a filter rule set for
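To make the marking concrete, the Python below (added here; not Avaya code) computes the DS field byte for the preset markers the guide names (EF and the AFxy classes), decodes it, and re-marks a constructed IPv4 header, recomputing the header checksum that any change to the DS byte invalidates. The addresses and payload are constructed; the code points come from RFC 2474, RFC 2597 and RFC 2598 (EF was later respecified in RFC 3246 without changing its code point, 46).

```python
"""DS field construction and re-marking of an IPv4 header (added example)."""
import struct

EF = 46           # Expedited Forwarding, code point 101110b
BEST_EFFORT = 0   # default forwarding


def af_dscp(cls: int, drop: int) -> int:
    """Assured Forwarding AFxy (RFC 2597): class 1-4 in bits 5-3, drop precedence 1-3 in bits 2-1."""
    if cls not in (1, 2, 3, 4) or drop not in (1, 2, 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (cls << 3) | (drop << 1)


def ds_byte(dscp: int, ecn: int = 0) -> int:
    """RFC 2474: the DSCP is the six high-order bits of the former TOS octet; the low two bits are ECN."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


def decode_ds(byte: int) -> tuple:
    return byte >> 2, byte & 0x3


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_ipv4(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DS field of the outer IPv4 header (keeping the ECN bits) and fix the checksum.
    Only the outer header is touched, which is what lets MPLS/QoS devices see the mark
    after the original packet has been wrapped in tunnel mode."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = ds_byte(dscp, hdr[1] & 0x3)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, dscp: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum, used only to construct sample input."""
    total = 20 + len(payload)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte(dscp), total,
                                0x1234, 0x4000, 64, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def header_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0
```

A mark is advisory: devices between the gateway and the far end may honour, re-mark or strip it, so EF marking on the outer header guarantees priority only within a network whose policy you control.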
290. m the Settings options, use the following to configure the connection expiration times for the server.

RADIUS Attempts: The number of times a RADIUS server is contacted before failure is assumed and the next RADIUS server is used. The default is 3 attempts.

Time to assume failure: The time that must pass while a RADIUS server is not responding before the next RADIUS server is used. The default value is 6 seconds.

Designated RADIUS attribute for policy: Designates the RADIUS attribute that carries the VPN policy delivered to the remote client when the client authenticates through the security gateway to the RADIUS server. VPNmanager provides the following attributes to choose from:
- Filter-Id
- Reply-Message
- Class (the default, set by the administrator)
- Vendor-Specific
- User Defined

User-defined RADIUS attribute ID: The ID text field is enabled and the user provides the attribute ID. If the user does not provide the ID, an error message is displayed. This field can be used with less common attribute IDs.

Use this tag for RADIUS attribute: The tag must contain only the letters a to z or A to Z and can be up to 15 characters in length.

15 Click Close to return to the Configuration Console window.
16 Click Save.
17 When you want to send the configuration to the security gateway, click Update Devices.

Chapter 6: Configuring user groups

The User Group fun
291. me after the data connection. Thus FTP Proxy significantly improves network security compared with the Passive FTP (protected FTP server) or Active FTP (protected FTP client) service cases.

It is important to remember that the FTP Proxy service is applied to a specific zone interface. If network address translation or filter rules are applied to other zone interfaces on the SG that are the source or destination of the FTP traffic, those rules can impact the ability of the proxy to function.

Firewall rules set up

FTP Proxy does have some issues when operating within a NAT gateway. A protected FTP server must have a routable address, and the router on the unprotected side of the gateway must have a static route to it whose next hop is the security gateway interface address. Because this is a proxy application, FTP TCP packets destined for external FTP servers or clients typically carry as their source address the address of the interface to which the FTP Proxy rule was applied; in other words, FTP Proxy performs some internal address translation of its own.

Note: The FTP Ctrl, Active FTP, Passive FTP and FTP Proxy services are intended for use with the keep state firewall rule option.

To add a new firewall rule for FTP control or passive FTP:
1 Complete Steps 1 through 12 for adding a new rule. Enter the required firewall information in the wizard.
Note: Be sure to define the firewall rule at the interfa
292. member to match the active member's index number.

Active: This action allows a passive member to become active. A trap is generated when there is a change in status in the HA group. VPNmanager is notified through the trap that a change in status has occurred and updates the Member table accordingly.

Delete: This action allows the member to be deleted from the HA group. VPNmanager notifies the member that it is no longer part of the HA group.

Add: This action allows a new member to be added to the HA group. The minimum configuration of a new member is the public and private IP addresses. By default the primary IP address is used as the management address when communicating with the member.

Configuring high availability

Creating a High Availability Group

Use the following procedure to create High Availability (HA) groups.
1 Create a new security gateway object to include in the HA group. For additional information on creating a new security gateway object, see Configuring a security gateway on page 57.
Note: Because the configuration within the HA group is identical, only the primary security gateway of the HA group is displayed.
2 After the security gateway is created, select it from the Device > Contents column.
3 Click the High Availability tab to bring it to the front.
4 Click the Enable High Availability check box to enable High Availability on the security gateway. Enter the Virtual Ad
293. n address from 172.16.0.17 to 10.1.1.17, and the private interface NAT rule changes the packet's source address from 172.16.1.20 to 10.0.88.20 before the packet is sent out to the SF_Sales_Group client through the private interface. The NAT rule applied to the public interface on each of the VSUs allows clients on the private networks to access the Internet by mapping their private addresses to a public address, as described in the previous section, Accessing the Internet from private networks.

Using NAT to support multiple gateway configurations

Figure 30 shows an example of using NAT to ensure that all replies to packets entering the network through a security gateway exit the network through the same security gateway. The NAT rule applied to the security gateway B private interface dynamically maps the source IP address of packets sent out that interface to one of 16 addresses assigned to the security gateway B address pool. Note that the address 0.0.0.0/0 matches any packet entering or leaving the security gateway through the designated interface. When a packet is initially sent from Host A to Host B through the VPN tunnel, security gateway B dynamically maps the packet source address X1.X2.X3.11 to an IP address selected from the address pool Y1.Y2.Y3.X before sending the packet out the private interface. As a result, reply packets destined for Host A are sent to Y1.Y2.Y3.X; security gateway B proxy ARPs for
294. n checked, RADIUS is enabled as the authentication and configuration database.

Rank: Rank in group of this particular RADIUS server.
IP Address: IP address of the RADIUS server.
UDP Port: UDP port of the RADIUS server. The default value is 1645 (the legacy RADIUS authentication port; RFC 2865 assigns 1812, so set this to match what your server listens on).

RADIUS/ACE Services Settings

RADIUS attempts before assuming failure: Integer from 1 to 10 indicating the number of attempts the security gateway makes before timing out with a failure. The default is 3.

RADIUS time out before assuming failure: Time in seconds from 10 to 500. This value is the total number of seconds that the security gateway waits for a response from any specified RADIUS server before timing out with a failure. The default is 6 seconds.

RADIUS concepts

For additional user authentication the VSUs support the Remote Authentication Dial In User Service (RADIUS) protocol, providing stronger client authentication and accounting mechanisms via third-party products such as Ascend Access Control and RSA Security ACE/Server (AccessManager). Using RADIUS, remote users must pass the RADIUS server's authentication mechanism in order to connect to a corporate network. This authentication process is summarized as follows:
- First, the user initiates communication with a VPN member.
- The VPN traffic is processed by VPNremote and then sent to the target security gateway.
- The security gateway identifies the incomi
295. n click Close.

To configure an administrator to be an SNMPv3 admin:
1 From the Configuration Console > Admin Contents column, select the admin to be configured as an SNMPv3 admin. Select the SNMP tab to bring it to the front.
2 Check Enable.
3 For the Security Level, select either:
- Authentication and Privacy
- Authentication and No Privacy
4 Based on the selection, the privacy settings are enabled or disabled.
5 In the Authentication Protocol field, select either the default HMAC_SHA1 or HMAC_MD5 and enter a password.
6 For the privacy settings the only available value is DES_CBC. Enter the privacy password.
7 When finished, click Save. When you configure SNMPv3 for a device, the admin name is listed.

Log into the VPNmanager console

You log in to the VPNmanager from your computer's Start menu: Programs > Avaya > VPNmanager > Console. You use the super user name and password that were configured when the VPNmanager software was installed.

Figure 2: VPNmanager login screen (fields: User Name, Password, and a Policy Servers list with Add and Delete buttons)

The first time you log in to the VPNmanager Console, you log in as the super user and add the policy server address or the name associated with the address. See Add a policy server on
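The HMAC_SHA1/HMAC_MD5 choice and the two passwords in the procedure above map onto the User-based Security Model of RFC 3414. The Python below (added here; not Avaya's SNMP code) shows how a password becomes a per-engine key and how the 12-byte authentication parameter is computed and checked. It reproduces the RFC 3414 appendix A test vectors for the password "maplesyrup" and engine ID 00 00 00 00 00 00 00 00 00 00 00 02; the message bytes used in the test are constructed.

```python
"""SNMPv3 USM key derivation (RFC 3414 A.2) and HMAC-96 authentication (added example)."""
import hashlib
import hmac


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Ku = H(password repeated cyclically to exactly 1,048,576 bytes).
    The deliberately large input slows down offline guessing of the password."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The same password yields a different key on
    every engine, so a key lifted from one device is useless against another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_param(kul: bytes, whole_msg: bytes, algo: str = "sha1") -> bytes:
    """msgAuthenticationParameters: HMAC over the serialized message (with this 12-byte
    field zeroed by the sender) truncated to 96 bits, per RFC 3414 section 6."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def check_auth(kul: bytes, whole_msg: bytes, received: bytes, algo: str = "sha1") -> bool:
    return hmac.compare_digest(auth_param(kul, whole_msg, algo), received)


def des_key_and_preiv(kul: bytes) -> tuple:
    """DES_CBC privacy (RFC 3414 section 8.1.1.1): the first 8 bytes of the localized
    privacy key are the DES key and the next 8 are the pre-IV; only 16 bytes are used,
    which is why a 16-byte MD5-derived key is sufficient for DES."""
    return kul[:8], kul[8:16]
```

Because the key is localized with the engine ID, an attacker who captures one device's localized key cannot reuse it elsewhere; recovering the password from a localized key is a brute-force exercise, so choose long SNMPv3 passwords. DES_CBC, the only privacy protocol the tab offers, is a 56-bit cipher and should be treated as obsolete; restrict SNMP to the management zone rather than relying on it for confidentiality.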
296. n entries exist, the security gateway tries to match the domain of the DNS request with the entries' domains. If a match is found, the security gateway forwards the query only to the name servers associated with that domain. If no match occurs, the security gateway forwards the query sequentially to the specified static DNS servers. If no static DNS servers exist, queries go to the Internet root name servers. Note that once static DNS servers are added, the Internet root name servers are no longer referenced.

Setting up the network

When a DNS server has been selected to receive the DNS query and no response is received within a short time, another DNS server is selected by continuing the process described in the previous paragraph. But if the previous server replies to the DNS query, another DNS server is not selected, regardless of whether the response is positive or negative.

By default, when a DHCP client in the private zone sends a request for an IP address and the private zone DHCP server is being used, the DHCP server on the private zone sends its interface IP address as the DNS server in the DHCP response. In this way all DNS queries are automatically forwarded to the security gateway.

To add a DNS Relay

To set up the DNS Relay Configuration and the static DNS servers. The maximum number of DNS relay rules is 100. You cannot configure dynamic DNS servers.

Note: The Delete, Move Up and Move Down buttons in the DNS Relay Configuration
297. n menu to select the user.
3 In the VPN Authentication Profile area, enter the following information:
- VSU/SG Address: Select the primary device from the drop-down menu or enter the DNS name of the device.
- Optional Backup VSU/SG Address: Select a backup device address from the drop-down menu.
- Port: Enter the number of the port to use. The default is 1443.
- Authentication: Select the authentication type to use, either Standard CHAP or Rechallenge PAP.
4 Click Save to complete the configuration. To use this configuration on another device, click the Clone To button, select the device to configure, and click OK to clone the configuration to the selected device.

Network Object tab

The Device > Network Object tab displays the hosts or networks that are located behind the security gateway. The type of predefined network objects that are listed depends on the type of zones that are configured for the security gateway. By default the network object includes the IP address and mask that have been configured for the corresponding zone. Besides this address you can add additional addresses.

Using Device tabs to configure the security gateway

Select a network object and click Add to configure additional IP addresses and masks.

Figure 25: Device Network Objects tab
298. nager for My Certificates. See Policy Manager My Certificates on page 234.

The target of a bundle is usually another VSU, but it can be any IKE-compatible device. A target can be configured as an IP address, VPN object, fully qualified domain name, e-mail address or directory server name.

Using advanced features

When a VSU recognizes that a target wants to communicate, the VSU uses the IKE Certificate Usage list to determine which bundle to send to the target. The search always starts at the top of the list, so it is important to put the most frequently used bundles at the top. There can be cases when you have to make a general purpose bundle that applies to any type of target; always place that bundle at the bottom of the IKE Certificate Usage list.

- Add IKE Certificate Policy: This screen is used to add a new IKE Certificate Policy to the IKE Certificate Usage list.
- Bundle: Combo box listing bundle numbers 1 through 8; 0 is the VPNet factory default bundle.
- Memo: Use this area to record notes about this IKE Certificate policy.
- Target Type: Identification of the remote tunnel endpoint, used to determine which certificate to present to the other side. Target Type may be:
  - IP Address
  - VPN
  - FQDN (Fully Qualified Domain Name)
  - email
  - Directory Name
  - Any target endpoint
Depending on the selection made, an appropriate field type appears to capture the respective information.
299. nd put it into the payload of a VPN packet.
- Select the Transport radio button so that only the payload of each IP packet is encrypted and carried in the VPN packet, while the original IP header is kept.
Note: If you plan on defining the VPN Object with IP Group Objects, Transport mode must be used.
6 Optional: Click the Memo tab to bring it to the front, then type in a note about this specific VPN Object.

Configuring a SKIP VPN

7 If you want to add User Objects or User Group Objects as members of this VPN Object, do the following:
- Click the Members Users tab to bring it to the front.
- From the Available list, select specific User Objects and User Group Objects. User Group Objects are always located at the bottom of the list.
Tip: Hold the Shift key to select several adjacent items at once, or hold the Ctrl key to select several non-adjacent items at once.
- Click Move Left to move the selected items to the Current Members list.
8 If you want to add IP Group Objects as members of this VPN Object, do the following:
- Click the Members IP Groups tab to bring it to the front.
- From the Available list, select specific IP Group Objects.
- Click Move Left to move the selected items to the Current Members list.
9 Click the Security SKIP tab to bring it to the front.
From the Encryption Algorithm list, do one of the following:
- Select Triple DE
300. ned
Exporting RADIUS
Chapter 12: Upgrading firmware and licenses
  Centralized firmware management
  Device Upgrade tab
  Upgrading a security gateway's firmware
  License
  Remote Access (VSU 100 only)
Appendix A: Using SSL with Directory Server
  When to configure your VPNmanager for SSL
  Installing the issuer's certificate in the policy server and the VPNmanager Console
  Windows NT and Windows 2000 computers
  OS computers
  Installing the issuer's certificate into a security gateway
Appendix B: Firewall rules template
  Public zone firewall templates
  Private zone firewall templates
  Semi-private zone firewall templates
  DMZ zone firewall templates
  Management zone security
  Converged Network Analyzer template
301. nfigure an IP Group that communicates within its own VPN domain:
1 Select the IP Group to be configured. Click the General tab to bring it to the front.
2 Click Add. The Add IP Group dialog is displayed.

Configuring IP Groups

3 Configure the address/mask pair:
- New IP Network: Type in the network address for a LAN.
- New IP Mask: Type in a mask to define the range of addresses that will become members of the IP Group. The longer the mask (the more bits set), the smaller and more focused the address range. The method is just like masking a subnet.
The address/mask pair can be as simple as the network address for a specific LAN and its subnet mask; in that case all the addresses in the LAN become members of the IP Group. Or the pair can use the network address with a longer mask (more bits) to reduce the address space, so that a smaller range of addresses becomes members.
4 Click Apply, then Close to return to the General tab.
5 Your new pair appears in the Members list.
6 From the Associate this group with area, select the security gateway that the group must be associated with. The security gateway selected should be the one that is protecting the LAN containing the IP Group.
7 Click Save.
8 Optional: Go to the Memo tab to make a note about this IP Group.

Configuring an IP Group that connects to an extranet

Typically IP Groups are associated with security gateways that belong to
302. nfigured VPN policies to TEP traffic encrypts the traffic destined to and from tunnel end points when the following conditions are met:
- The primary IP address of the VSUs in your VPN domain must be included in the IP group they are protecting.
- SKIP tunnel mode or IKE is being used (not SKIP transport mode).
If these conditions are not met, the packets are subject to the non-VPN traffic policy (Permit or Deny) selected in the VSU Packet Filtering Advanced tab.

A typical example of when enabling Apply configured VPN policies to TEP traffic is desirable is remotely reading the Active Sessions MIB object of a VSU. The information returned includes the user name or IP address for each session currently active on the selected VSU. Obviously, having this SNMP information pass over the Internet in the clear is not desirable.

This feature is not supported in releases of VPNmanager prior to 3.1. Because both tunnel end points must have Apply configured VPN policies to TEP traffic enabled, the VSUs on each end must also be running VPNos 3.1 or later.

Using advanced features

Servers

The Servers tab is used for adding backup directory servers to a specific security gateway. There is no practical limit on how many backups you can configure. Backup servers can be added at any time, and they can be organized so that when one fails a specific one is used as the backup. To install additional servers se
303. ng and monitoring one or more VPNs. The console is a Java application that can be run anywhere and is used as a front end to the policy server and the directory server.
- The policy server distributes configuration and security policies. The VPNmanager console is a client that communicates with the policy server to retrieve security policies; the policy server in turn communicates with the directory server.
The VPNmanager Console and the directory server can reside on separate dedicated servers within the network to provide better performance when updating and configuring large numbers of security gateways. You can use either an existing Sun One Server or Microsoft Active Directory server to store the policies that are created.

VPNmanager software comes in different versions to meet the needs of various networks:
- VPNmanager Small Office: Use the small office version for managing up to five security gateways and an unlimited number of VPNremote Clients.
- VPNmanager Enterprise: Use the VPNmanager Enterprise version for managing an unlimited number of devices and VPNremote Clients.
- VPNmanager Service Provider: Use this version to manage an unlimited number of devices and VPNremote Clients. The Service Provider version also supports multiple VPN domains, which meets the needs of ISPs.

Overview of the VPN management hierarchy

- VPNmanager Enterprise Client: Use the Enterprise Client version for managing an
304. ng eVPNAccess | ... | PublicIP | ... IPSEC_NAT_T_OUT, AH, ESP, ICMPDestUnreach | ... | Permit outgoing VPN traffic
OutBoundSemiPrivateDenyAll | Permit | Any | Any | Any | Out | SemiPrivate | Yes | Permit incoming VPN

Firewall rules template

Table 39: Semi private low security firewall rules

Rule Name | Action | Source | Destination | Service | Direction | Zone | Keep State | Description
InBoundSemiPrivateDenyAccess | Deny | Any | ManagementNet | Any | In | SemiPrivate | No | Traffic to Management Net is denied
InBoundSemiPrivateVPNAccess | Permit | Any | SemiPrivateIP, PublicIP | IKE_IN, IPSEC_NAT_T_IN, AH, ESP, ICMPDestUnreach | In | SemiPrivate | No | Permit incoming VPN traffic and ICMP unreachable packets
InBoundSemiPrivatePermitAll | Permit | Any | Any | Any | In | SemiPrivate | Yes | Permit VPNmanager and clear traffic to PUBLIC
OutBoundSemiPrivateDenyAccess | Deny | DMZNet | Any | Any | Out | SemiPrivate | No | Deny traffic from DMZNet
OutBoundSemiPrivateVPNAccess | Permit | SemiPrivateIP, PublicIP | Any | IKE_OUT, IPSEC_NAT_T_OUT, AH, ESP, ICMPDestUnreach | Out | SemiPrivate | No | Permit outgoing VPN traffic
OutBoundSemiPrivateDenyAll | Permit | Any | Any | Any | Out | SemiPrivate | Yes | Permit incoming VPN

Table 40: Semi private VPN only security firewall rules

Rule Name | Action | Source | Destination | Service | Direction | Interface | Keep State
InBoundPublicA | Permit | Any | Semi Private | ESP
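Table 32 and Table 39 are ordered rule lists: the gateway takes the first rule that matches, and the block-all rows only catch what the permits above them did not. The Python below, added here as an example (not Avaya's packet filter), loads the Table 32 public zone rules and evaluates constructed packets against them. The zone address ranges, the port numbers behind the service names and the sample packets are assumptions made for the example, not values from the guide.

```python
"""First-match evaluation of the guide's public zone rule template (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone address objects; real values come from the device's Network Object tab.
ZONES = {
    "PublicIP": [ip_network("203.0.113.10/32")],
    "DMZNet": [ip_network("192.0.2.0/24")],
    "PrivateNet": [ip_network("10.1.0.0/16")],
    "SemiPrivateNet": [ip_network("10.2.0.0/16")],
    "ManagementNet": [ip_network("10.9.0.0/24")],
}

# Service objects as (protocol, destination port or ICMP type); None means any.
# The names follow the template; the numbers are the standard assignments (assumed).
SERVICES = {
    "IKE_IN": ("udp", 500), "IKE_OUT": ("udp", 500),
    "IPSEC_NAT_T_IN": ("udp", 4500), "IPSEC_NAT_T_OUT": ("udp", 4500),
    "AH": ("ah", None), "ESP": ("esp", None),
    "ICMPDestUnreach": ("icmp", 3), "ICMPEchoRequest": ("icmp", 8),
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "POP3": ("tcp", 110),
    "IMAP": ("tcp", 143), "SMTP": ("tcp", 25),
    "ALL_TCP": ("tcp", None), "ALL_UDP": ("udp", None), "Any": (None, None),
}


@dataclass
class Rule:
    name: str
    action: str        # "Permit" or "Deny"
    src: list          # zone names, or ["Any"]
    dst: list
    services: list     # service names
    direction: str     # "In" or "Out"
    keep_state: bool


# Table 32 in the order the template lists it; the order is significant.
TABLE_32 = [
    Rule("InBoundPublicAccess", "Permit", ["Any"], ["PublicIP"],
         ["IKE_IN", "IPSEC_NAT_T_IN", "AH", "ESP", "ICMPDestUnreach"], "In", False),
    Rule("InBoundPublictoDMZAccess", "Permit", ["Any"], ["DMZNet"],
         ["HTTP", "HTTPS", "POP3", "IMAP", "SMTP"], "In", True),
    Rule("InBoundPublicBlockAll", "Deny", ["Any"], ["Any"], ["Any"], "In", False),
    Rule("OutBoundPublicAccess", "Permit", ["PublicIP"], ["Any"],
         ["IKE_OUT", "IPSEC_NAT_T_OUT", "AH", "ESP", "ICMPDestUnreach"], "Out", False),
    Rule("OutBoundPublicPingAccess", "Permit",
         ["PublicIP", "DMZNet", "PrivateNet", "SemiPrivateNet", "ManagementNet"],
         ["Any"], ["ICMPEchoRequest"], "Out", True),
    Rule("OutBoundPublicGeneralAccess", "Permit", ["Any"], ["Any"],
         ["ICMPEchoRequest", "ALL_TCP", "ALL_UDP"], "Out", True),
    Rule("OutBoundPublicBlockAll", "Deny",
         ["PublicIP", "DMZNet", "PrivateNet", "SemiPrivateNet", "ManagementNet"],
         ["Any"], ["Any"], "Out", False),
]


def _addr_matches(addr: str, objects: list) -> bool:
    if "Any" in objects:
        return True
    ip = ip_address(addr)
    return any(ip in net for name in objects for net in ZONES[name])


def _service_matches(proto: str, port, services: list) -> bool:
    for name in services:
        sproto, sport = SERVICES[name]
        if sproto is None or (sproto == proto and (sport is None or sport == port)):
            return True
    return False


def evaluate(rules, direction, src, dst, proto, port=None):
    """Return (action, rule name) of the first rule that matches the packet.
    For ICMP, 'port' carries the ICMP type. With no match the verdict is Deny."""
    for r in rules:
        if (r.direction == direction and _addr_matches(src, r.src)
                and _addr_matches(dst, r.dst) and _service_matches(proto, port, r.services)):
            return r.action, r.name
    return "Deny", None
```

Moving InBoundPublicBlockAll ahead of the DMZ permit denies the DMZ web and mail traffic, which is why the row order in the templates matters as much as the rows themselves. Keep state is carried on each rule but not modelled here; a stateful evaluation would additionally admit the return half of a flow that a keep-state rule permitted.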
305. ng advanced features

Port for dyna-policy download

If a VSU is configured to receive dyna-policies from a remote server instead of storing them locally, it uses a specific port for listening to the remote server. The port uses the Secure Sockets Layer (SSL) for protection, and its default number is 1443. The port number can be changed if necessary.
To change the port number:
1 From the Device > Contents column, select the VSU you want to configure.
2 Click the Advanced tab to bring it to the front.
3 From the Properties column, select Port for Dyna Policy Download to display the SSL Port text box.
4 In the SSL Port text box, type in a port number.
5 Click Save.
6 When you want to send the configuration to the VSU, click Update Devices.

Port for Secure Authentication

Text field for the port number on which the VSU listens for a response from a VPNremote client over an SSL connection after the client has been issued an authentication challenge. The default port is 2444. A response received on this port is then forwarded to the external LDAP or RADIUS server for authentication.

Private IP Address (VPNos 3.x)

Beginning with VPNos 4.5, the private IP address is configurable as part of the interface configuration on the Interfaces tab. A VSU may have two IP addresses assigned to it. The private IP address is used when ARP is set to Bind one IP address to each port; it is applied to the private port of the VSU, and the publi
306. ng traffic as new VPN traffic and initiates a request to the RADIUS server for the user's authentication requirements.
- The RADIUS server responds to the security gateway, indicating that authentication is required.
- The security gateway challenges the user to provide the required authentication information.
- The user enters the required authentication information at a prompt displayed by VPNremote. This challenge response is sent back to the security gateway.
- The security gateway forwards the challenge response to the RADIUS server.
- The RADIUS server decides whether the user has met the challenge and, if so, informs the security gateway that the user is authorized. The RADIUS server also forwards the user configuration details, known as user attributes, to the security gateway. These attributes specify VPN-specific information, including the cryptographic keys used for encryption.
- The security gateway then allows VPN traffic to flow between the VPNremote Client and the VPN members.

Two methods of user authentication, simple passwords and one-time passwords based on two-factor authentication mechanisms, can be used to meet a variety of security, cost and convenience requirements. All RADIUS implementations support standard password authentication, and many can be used in conjunction with RSA Security ACE/Server for SecurID token requirements.

Configuring remote access users

The RADIUS protocol

The RADIUS
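The exchange above, as an added Python example (not the Avaya or RSA implementation): the gateway builds an Access-Request whose User-Password attribute is hidden as RFC 2865 section 5.2 specifies, the server recovers the password and answers with an Access-Accept carrying a Class attribute of the kind the gateway can use as its designated RADIUS policy attribute, and the gateway verifies the Response Authenticator before trusting the answer. The shared secret, user names, Class value and request authenticator are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept with RFC 2865 password hiding (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CLASS = 1, 2, 25


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. Padding NULs are stripped, so passwords may not end in NUL."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes = None) -> bytes:
    ra = authenticator or os.urandom(16)   # Request Authenticator: 16 random bytes
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, ra = request[1], request[4:20]
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + ra + body + secret).digest() + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Gateway side: the response is only accepted if it was computed with the shared secret
    over this request's authenticator, which ties the answer to the outstanding request."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_check(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server: recover the password and answer Accept (with a Class attribute) or Reject."""
    attrs = dict(decode_attrs(request[20:]))
    pw = unhide_password(attrs[USER_PASSWORD], secret, request[4:20])
    if users.get(attrs[USER_NAME]) == pw:
        return build_response(ACCESS_ACCEPT, request, secret, [(CLASS, b"vpn-policy=SF_Sales")])
    return build_response(ACCESS_REJECT, request, secret)
```

The password hiding is an MD5-keyed XOR, not encryption in any modern sense: anyone on the path between gateway and server who can guess the shared secret recovers every password, and a short secret is guessable offline from a single captured request. Treat the shared secret as a key, keep the gateway-to-server path on the private or management network, and prefer the one-time-password schemes mentioned above wherever that path is not trusted.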
307. ng user groups is not currently supported.

Configuring user groups

User Group General tab

The User Group General tab is used to manage your users and their respective user group assignments.

Figure 43: User Group General tab (Directory Name field, Current Users and Available Users panes with left and right arrows between them)

All existing user groups are displayed in the Contents list. The highlighted user group is displayed in the General tab window.

Directory Name: This is the unique User Group name. It is unique in that it is not duplicated anywhere within the VPN domain to which it is assigned.

Current Users: This area contains the names of all individual users currently assigned to this User Group. A second pane, titled Available Users, lists all existing VPN users. The left and right arrows are used to move the highlighted users from one column to the other.

Available Users: This pane is a list of all available users. The highlighted user can be moved into the Current User Members list by using the left arrow. Only one default user can be added to a User Group.

User Group Memo tab

The Memo can be used to record notes about the User Group, such as its change history or the function of the group (for example, all administrat
308. nitiate traffic until a public address becomes available. Dynamic mapping works only for connections initiated from the private network.
- Port Mapping: This option is similar to dynamic mapping except that only one public IP address is required. The security gateway maps every packet from the private network to the public IP address and a source port selected from a predefined range of TCP and UDP port numbers. When traffic is initiated from a client on the private network, it is dynamically mapped to the public IP address and an available port number. When the client traffic is idle for a specified period of time, the port number is returned to the pool of available port numbers. When all port numbers have been allocated, no other private clients can initiate traffic until a port number becomes available. Port mapping works only for connections initiated from the private network. In addition, port mapping works only for TCP and UDP traffic.

NAT applications

Network administrators may choose to use the NAT mechanism for any of the following reasons:
- Allow access to the Internet from private networks. Networks which are assigned private addresses such as 10.0.0.0 (RFC 1918), or addresses that have not been registered, must be mapped to public addresses to allow users access to the Internet.
- Provide support for more hosts with fewer public addresses. Address mapping allows network administrators to increase the number of hosts that can
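Dynamic mapping from an address pool (as in the Figure 30 example with its 16-address pool) and port mapping onto a single public address differ in what the translation is keyed on and in what exhausts it. The Python below models both, including idle-timeout release and the exhaustion behaviour described above; it is an added illustration, not the gateway's NAT code, and the pool, public address, port range and timeouts are constructed for the example.

```python
"""Dynamic address-pool NAT and port mapping (PAT) with idle release (added example)."""


class DynamicMapper:
    """Each private source address gets its own public address from the pool, so at most
    len(pool) hosts can have active mappings. Only private-side initiation is supported."""

    def __init__(self, pool, idle_timeout: int = 300):
        self.free = list(pool)
        self.active = {}             # private addr -> (public addr, last-used time)
        self.idle_timeout = idle_timeout

    def _expire(self, now: int) -> None:
        for priv, (pub, last) in list(self.active.items()):
            if now - last > self.idle_timeout:
                del self.active[priv]
                self.free.append(pub)   # address returns to the pool

    def map(self, private_addr: str, now: int):
        """Public address for an outbound packet, or None when the pool is exhausted."""
        self._expire(now)
        if private_addr in self.active:
            pub, _ = self.active[private_addr]
        elif self.free:
            pub = self.free.pop(0)
        else:
            return None
        self.active[private_addr] = (pub, now)
        return pub

    def reverse(self, public_addr: str):
        """Reply handling: which private host currently owns this public address?"""
        for priv, (pub, _) in self.active.items():
            if pub == public_addr:
                return priv
        return None


class PortMapper:
    """One public address; each (protocol, private addr, private port) flow takes a port from
    the range. Only TCP and UDP qualify, because the mapping is keyed on a transport port."""

    def __init__(self, public_addr: str, port_range=range(10000, 10016), idle_timeout: int = 60):
        self.public_addr = public_addr
        self.free = list(port_range)
        self.table = {}              # (proto, priv addr, priv port) -> (public port, last used)
        self.idle_timeout = idle_timeout

    def _expire(self, now: int) -> None:
        for key, (port, last) in list(self.table.items()):
            if now - last > self.idle_timeout:
                del self.table[key]
                self.free.append(port)

    def translate(self, proto: str, src_addr: str, src_port: int, now: int):
        """(public addr, public port) for an outbound packet, or None when no port is free."""
        if proto not in ("tcp", "udp"):
            raise ValueError("port mapping supports only TCP and UDP")
        self._expire(now)
        key = (proto, src_addr, src_port)
        if key in self.table:
            port, _ = self.table[key]
        elif self.free:
            port = self.free.pop(0)
        else:
            return None
        self.table[key] = (port, now)
        return self.public_addr, port

    def untranslate(self, proto: str, dst_port: int):
        """Reply handling: map a public destination port back to the private (addr, port)."""
        for (p, addr, port), (pub_port, _) in self.table.items():
            if p == proto and pub_port == dst_port:
                return addr, port
        return None
```

Both tables are state that an attacker can try to fill: many short-lived flows from one compromised private host exhaust the port range for everyone else, so size the idle timeout and the port range with that in mind.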
309. nly the super user can create VPN domains, create administrators, define RBACs for the administrators, and change administrator passwords.

Using VPNmanager

Administrator with full access

An administrator with full access can modify the configuration for VPN domains, change their own password, and be part of multiple VPN domains. VPNmanager allows a full access administrator to modify objects and devices that are saved by VPNmanager. RBAC full access administrators can create or delete objects, update or upgrade devices, and modify or import configuration. Full access administrators are not able to create new VPN domains, create new administrators, or change other administrators' passwords.

Administrator with read only access

An administrator with read only access can view the configuration for VPN domains, change their own password, and be part of multiple VPN domains. Read only administrators cannot create, modify or delete objects. Additionally, read only administrators cannot update or upgrade devices, modify or import configuration, reboot or reset devices, import or apply licenses, or change other administrators' passwords.

To add an administrator

The Admin object is used to change the super user password and to create administrators.
1 Select Admin from the New Objects list. The New Admin dialog opens.
2 Enter the administrator's name and the admin directory password.
3 Click Apply and the
310. nt.
5 Use Table 16 for performing specific management tasks.

Table 16: Servers list commands

Command | Description
Edit | Use this command to edit the server with the Add Directory Server dialog box.
Move Up | Click this button to move the server higher in the list.
Move Down | Click this button to move the server lower in the list.
Delete | Click this button to remove the server from the list.

When finished, click Save to save your work.

Resilient Tunnel

Tunnels are used to protect VPN traffic that moves through the public networks. The endpoints for tunnels are located in VSUs. Resilient tunnels are used for backing up a specific primary tunnel. Up to three resilient tunnels can be created to back up a specific security gateway. VSUs can report tunnel switching to a common SNMP manager; see Using SNMP to monitor the device on page 245.

Note: Resilient tunnels are configurable on VSUs running VPNos 3.x.

Figure 67 illustrates a simple example. The San Francisco LAN has two gateways to the WAN. The high speed route is used by the primary tunnel and the low speed route is used by the resilient tunnel. If the circuit in which VSU B is located goes out of service, traffic automatically switches to VSU C. Once VSU B is back in service, VPN traffic switches back to the primary tunnel. The switching is controlled by VSU A, which is located in the Tokyo LAN.
311. nto the VPN. The other method involves IP Group Objects, or IP Groups, which is reserved for DTEs that are connected to a LAN. An IP Group contains an IP address and IP mask. An IP Group can be configured with many of these address/mask pairs. The address/mask pair is used to create an address space range. Pairs are used for identifying a range of addresses used in a LAN. Therefore, a DTE that has an address within the range of the pair belongs to a specific IP Group. IP Groups can be created and edited at any time. However, since IP Groups are associated with a security gateway, it is recommended that IP Groups are defined after the security gateway is created and configured.

Creating a New IP Group

To create a new IP Group:
1. From the VPNmanager Console main window, click New Object and select IP Group. The New IP Group dialog is displayed.
2. In the Name text box, type in a name for your new IP Group. Any characters can be used except a comma, forward slash, and backward slash.
3. A good practice is to incorporate identifiers in a name so they can be easily managed. For example, a LAN used by an accounting department in San Francisco that is made into an IP Group can be named SF Accounting LAN. Using this scheme clearly identifies who the members of an IP Group are.
4. Click Apply, then click Close to go to the Configuration Console window.
5. Your new IP Group appea
312. nues to use the alternate network interface. Network path failure is defined as the configured number of consecutive connectivity checks without a response from the number of hosts that need to fail.

The following is an example of network path failure criteria. The configuration is as follows:
• The number of consecutive no responses is five.
• The idle time between each connectivity check is 10 seconds.
• The number of hosts to monitor is three.
• The number of hosts that must fail to respond, out of the hosts configured, is two.

Table 17 shows which hosts respond (Y) and which hosts do not respond (N) during the 10 second interval connectivity check.

Table 17: Failover connectivity checks in 10 second intervals
Seconds | 10 20 30 40 50 60 70 80 90 100 110 120 130
Host 1 | Y Y Y N
Host 2 | Y Y Y Y N N N N
Host 3 | N N N N

The network path failure criteria are met only when both hosts 2 and 3 concurrently fail to respond five times (at the 130 second mark) to the connectivity checks. Host 3 failed to respond five consecutive times between the 10 second interval and the 50 second interval. Host 2 failed to respond five consecutive times between the 50 second interval and the 90 second interval. But only when host 2 and host 3 both fail to respond to the same five consecutive security checks are the failure criteria met.

To configure failover:
1. From the VPNmanager C
313. ny | Any | Any | Out | Public | No | Deny the rest of traffic (ublicBlockAll)

Public zone firewall templates

Rule Name | Action | Source | Destination | Service | Direction | Zone | Keep State | Description
InBoundPublicAccess | Permit | Any | PublicIP | IKE_IN, IPSEC_NAT_T_IN, AH, ESP, ICMPDestUnreach | In | Public | No | Permit incoming VPN traffic and ICMP unreachable packet
InBoundPublictoDMZAccess | Permit | Any | DMZNet | ICMPEchoReq (PING), FTP Ctrl, PassiveFTP, SSH, TELNET, HTTP, HTTPS, DNS TCP, DNS UDP, POP3, IMAP, SMTP, NNTP | In | Public | Yes | Permit incoming traffic to DMZNet
InBoundPublicBlockAll | Deny | Any | Any | Any | In | Public | No | Deny the rest of traffic
OutBoundPublicAccess | Permit | PublicIP | Any | IKE_OUT, IPSEC_NAT_T_OUT, AH, ESP, ICMPDestUnreach | Out | Public | No | Permit outgoing VPN traffic
OutBoundPublicPingAccess | Permit | DMZNet, PrivateNet, SemiPrivateNet, ManagementNet | Any | ICMPEchoRequest | Out | Public | Yes | Permit outgoing ping access
OutBoundPublicDNSAccess | Permit | PublicIP, DMZNet, PrivateNet, SemiPrivateNet, ManagementNet | Any | DNS TCP, DNS UDP | Out | Public | Yes | Permit outgoing DNS access
OutBoundPublicGeneralAccess | Permit | Any | Any | ICMPEchoReq (PING), FTP Ctrl, PassiveFTP, SSH, TELNET, HTTP, HTTPS | Out | Public | Yes | Permit traffic with the listed services to go out for any network
OutBoundPublicBlockAll | Deny | Any | Any | Any | Out | Public | No | Deny the
314. 113
Creating new user object 114
About creating individual dynamic policy 115
User General tab 115
Configuring a remote user object 118
Information for VPNremote Client users 119
Using local authentication 120
Using RADIUS authentication (VPNos 3.X and VPNos 4.31) 120
Using LDAP authentication (VPNos 3.X only) 120
Using Policy Manager for user configuration 120
Client IP address pool configuration 120
Add Client IP address pool 121
Add Client DNS 121
To configure the Client IP configuration 122
RADIUS ACE Services 124
Enable RADIUS ACE 124
315. ocal Configuration or LDAP Local Configuration from the Preferences screen on the VPNmanager. You can go to the Preferences screen by clicking the Edit > Preferences menu on the first screen of the VPNmanager Console.
7. Update this configuration to the security gateway(s). The security gateway(s) should now have a default VPN in its configuration.
8. On the RADIUS server, add a user. Enter the user credentials.
9. On the LDAP server (a local server or an external server with a different context), add a user. Enter the user credentials.
10. Log in to the security gateway through the VPNremote client using the credentials entered in the RADIUS/LDAP server. The user should be authenticated successfully by the RADIUS/LDAP server. The RADIUS/LDAP server returns the VPN name to the security gateway. The user then gets the default VPN policy from the security gateway.

Creating a designated VPN

RADIUS attributes enable the VPN administrator to define what VPN policy is delivered to the remote client by the security gateway during the authentication process. To set up a designated VPN within a selected domain, perform the following steps:
1. Add the security gateway(s).
2. Add an IPGroup(s) and associate this group with this security gateway.
3. Create a default user or default user group in the VPNmanager.
4. Create a new VPN Object (see Creatin
316. of 2

Semi private zone firewall templates

Table 37: Semi private high security firewall rules (continued)
Rule Name | Action | Source | Destination | Service | Direction | Zone | Keep State | Description
OutBoundSemiPrivateVPNAccess | Permit | SemiPrivateIP, PublicIP | Any | IKE_OUT, IPSEC_NAT_T_OUT, AH, ESP, ICMPDestUnreach | Out | SemiPrivate | No | Permit outgoing VPN traffic
OutBoundSemiPrivatePermitAll | Permit | Any | Any | Any | Out | SemiPrivate | Yes | Permit everything with Keep state. For any traffic initiated from Private/ManagementNET

Table 38: Semi private medium security firewall rules
Rule Name | Action | Source | Destination | Service | Direction | Zone | Keep State | Description
InBoundSemiPrivateDenyAccess | Deny | Any | ManagementNet | Any | In | SemiPrivate | No | Traffic to ManagementNet is denied
InBoundSemiPrivateVPNAccess | Permit | Any | SemiPrivateIP, PublicIP | IKE_IN, IPSEC_NAT_T_IN, AH, ESP, ICMPDestUnreach | In | SemiPrivate | No | Permit incoming VPN traffic and ICMP unreachable packet
InBoundSemiPrivatePermitAll | Permit | Any | Any | Any | In | SemiPrivate | Yes | Permit WI, VMGR and VPN clear traffic to PUBLIC
OutBoundSemiPrivateDenyAccess | Deny | DMZNet | Any | Any | Out | SemiPrivate | No | Deny traffic from DMZNet
OutBoundSemiPrivateVPNAccess | Permit | SemiPrivateIP | Any | IKE_OUT, IPSEC_NA | Out | SemiPrivate | No | Permit outgoi
317. olicy Default Global and Dyna Policy Authentication, that are configured with the dyna policy parameters. The parameters can be changed at any time. This configuration is the default dyna policy for all users. When you create new users, if the user should not use the CCD, you must check Do not use default Dyna Policy on the User Dyna Policy tab.

Using dyna policy

The VPNremote client uses a Dyna Policy when communicating with a VPN. The dyna policy tells the VPNremote client which authentication and dyna policy must be used, and the topology of the VPN. A dyna policy can be configured either globally for all users on the domain or for individual users.

The global dyna policy is configured from the VPNmanager Preferences property and is automatically distributed to the VPNremote Client. The automatic distribution method is called Client Configuration Download (CCD). The security gateway distributes the Dyna Policy when the VPNremote Client connects to the VPN.

An individual dyna policy is configured from the user object Dyna Policy tab and is manually distributed to the VPNremote Client. The manual distribution method involves a three step process:
• From within a specific User object, you create a dyna policy file.
• The file is then delivered, for example by e-mail, to the user of the VPNremote Client. Although the file can be password protected, the file is encrypted using DES (Data
318. om a variety of sources, including but not limited to:
• Installation documents
• System administration documents
• Security documents
• Hardware/software based security tools
• Shared information between you and your peers
• Telecommunications security experts

To prevent intrusions to your telecommunications equipment, you and your peers should carefully program and configure:
• Your Avaya provided telecommunications systems and their interfaces
• Your Avaya provided software applications, as well as their underlying hardware/software platforms and interfaces
• Any other equipment networked to your Avaya products

TCP/IP Facilities

Customers may experience differences in product performance, reliability and security depending upon network configurations, design and topologies, even when the product performs as warranted.

Standards Compliance

Avaya Inc. is not responsible for any radio or television interference caused by unauthorized modifications of this equipment or the substitution or attachment of connecting cables and equipment other than those specified by Avaya Inc. The correction of interference caused by such unauthorized modifications, substitution or attachment will be the responsibility of the user. Pursuant to Part 15 of the Federal Communications Commission (FCC) Rules, the user is cautioned that changes or modifications not expressly approved by Avaya Inc. could void the user's authority to operate this equipmen
319. on address from 172.16.1.20 to 10.1.2.20, which is the IP address of the LA_Sales_Group server. Before the packet is sent out of the private interface, the NAT rule on the private interface changes the packet's source address from 172.16.0.17 to 10.0.89.17.

Figure 29: Setting Up a VPN with Overlapping Private Addresses
(Figure labels: DNS lookup for LA_Sales_Group server produces 10.0.88.20; member of SF_Sales_Group 10.1.1.17; SF_VSU: Private Interface NAT Rule 172.16.1.0/24 > 10.0.88.0/24, Tunnel NAT Rule 10.1.1.0/24 > 172.16.0.0/24, Public Interface NAT Rule 10.0.0.0/8 > Public Addr Pool 1; LA_VSU: Public Interface NAT Rule 10.0.0.0/8 > Public Addr Pool 2, Private Interface NAT Rule 172.16.0.0/24 > 10.0.89.0/24; 10.1.2.20 server in LA_Sales_Group)

When a reply packet is sent from the LA_Sales_Group server to the LA_VSU, the private interface NAT rule changes the packet's destination address from 10.0.89.17 to 172.16.0.17, and the tunnel NAT rule changes the packet's source address from 10.1.2.20 to 172.16.1.20 before tunneling the packet across the public network to the SF_VSU. At this point, the reply packet's source and destination addresses are 172.16.1.20 > 172.16.0.17.

When the SF_VSU receives the reply packet through the tunnel, the tunnel NAT rule changes the packet's destinatio
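The two stage translation that Figure 29 and the surrounding text describe, as an added Python example that is not code from the Avaya guide. It models each VSU as one private interface NAT rule plus one tunnel NAT rule and traces a request and its reply end to end; the LA_VSU tunnel NAT rule (10.1.2.0/24 > 172.16.1.0/24) is inferred from the reply packet description rather than printed in the figure, and all addresses are the figure's.

```python
"""Overlapping private address spaces joined by a VPN: each VSU rewrites
addresses twice (tunnel NAT rule on the tunnel side, interface NAT rule on
the private side), so that packets cross the tunnel with non-overlapping
172.16.x.0/24 addresses and are delivered locally with an address from the
receiving site's own 10.0.0.0/8 space."""
import ipaddress
from typing import Tuple

Packet = Tuple[str, str]  # (source address, destination address)


class Nat24Rule:
    """A rule written 'a.b.c.0/24 > x.y.z.0/24': swap the /24 prefix and keep
    the host octet. Applied in both directions so replies are mapped back."""

    def __init__(self, original: str, translated: str) -> None:
        self.original = ipaddress.ip_network(original)
        self.translated = ipaddress.ip_network(translated)

    @staticmethod
    def _map(addr: str, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
        ip = ipaddress.ip_address(addr)
        if ip not in src:
            return addr  # the rule does not apply to this address
        host = int(ip) - int(src.network_address)
        return str(dst.network_address + host)

    def forward(self, addr: str) -> str:  # original -> translated
        return self._map(addr, self.original, self.translated)

    def reverse(self, addr: str) -> str:  # translated -> original
        return self._map(addr, self.translated, self.original)


class Vsu:
    def __init__(self, name: str, private_rule: Nat24Rule, tunnel_rule: Nat24Rule) -> None:
        self.name = name
        self.private_rule = private_rule  # NAT rule on the private interface
        self.tunnel_rule = tunnel_rule    # NAT rule on the tunnel

    def to_tunnel(self, pkt: Packet) -> Packet:
        """Packet from the private LAN about to be tunnelled to the peer site."""
        src, dst = pkt
        dst = self.private_rule.reverse(dst)  # local alias -> tunnel address
        src = self.tunnel_rule.forward(src)   # local address -> tunnel address
        return src, dst

    def from_tunnel(self, pkt: Packet) -> Packet:
        """Packet received through the tunnel, leaving on the private interface."""
        src, dst = pkt
        dst = self.tunnel_rule.reverse(dst)   # tunnel address -> local address
        src = self.private_rule.forward(src)  # tunnel address -> local alias
        return src, dst


# Rules as labelled in Figure 29; the LA_VSU tunnel rule is inferred (assumption).
SF_VSU = Vsu("SF_VSU",
             Nat24Rule("172.16.1.0/24", "10.0.88.0/24"),
             Nat24Rule("10.1.1.0/24", "172.16.0.0/24"))
LA_VSU = Vsu("LA_VSU",
             Nat24Rule("172.16.0.0/24", "10.0.89.0/24"),
             Nat24Rule("10.1.2.0/24", "172.16.1.0/24"))


def trace_request(pkt: Packet) -> Tuple[Packet, Packet]:
    """SF host -> LA server: returns (addresses inside the tunnel, addresses delivered)."""
    in_tunnel = SF_VSU.to_tunnel(pkt)
    return in_tunnel, LA_VSU.from_tunnel(in_tunnel)


def trace_reply(pkt: Packet) -> Tuple[Packet, Packet]:
    """LA server -> SF host, the reverse path."""
    in_tunnel = LA_VSU.to_tunnel(pkt)
    return in_tunnel, SF_VSU.from_tunnel(in_tunnel)


if __name__ == "__main__":
    # SF host 10.1.1.17 resolved the LA server to its SF-side alias 10.0.88.20.
    print(trace_request(("10.1.1.17", "10.0.88.20")))
    # The LA server answers the LA-side alias of the SF host, 10.0.89.17.
    print(trace_reply(("10.1.2.20", "10.0.89.17")))
```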
320. on is not present, its value should be set to the OBJECT IDENTIFIER 0.0, which is a syntactically valid object identifier, and any conformant implementation of ASN.1 and BER must be able to generate and recognize this value.

Table 23: FilterStats Parameters
Parameter | Description
FilterStatsName | Interface name to which the filtering stats apply.
Pass In | Number of inbound packets allowed to pass through this interface.
Pass Out | Number of outbound packets allowed to pass through this interface.
Block In | Number of inbound packets not allowed to pass through this interface.
Block Out | Number of outbound packets not allowed to pass through this interface.
No Match In | Number of inbound packets that did not match any rule. This count includes all non rule matching packets, regardless of whether the packets were ultimately passed or blocked per the default rule.

Table 23: FilterStats Parameters (continued)
Parameter | Description
No Match Out | Number of outbound packets that did not match any rule. This count includes all non rule matching packets, regardless of whether the packets were ultimately passed or blocked per the default rule.
Pass Log In | Number of inbound packets that were allowed to pass which have been logged. When a filtering rule is declared using the log op
321. onfiguration Download: The protocol used to download the VPN session parameter configuration file from the security gateway to the remote client as part of a successful authentication, when the security gateway is configured for Local Authentication.

Certificate Authority: A trusted company or organization that serves as a repository of digital certificates. Once a CA accepts your public key with some other proof of identity, others can then request verification of your public key.

Certificates:
Issuer: Issuer Certificates also reside in the security gateway and are used to authenticate the other side. For example, if the Directory Server presents a certificate for an SSL session, the security gateway must have an Issuer Certificate that can verify the VPNmanager's certificate is valid. Devices wishing to use IKE must be validated with an Issuer Certificate. All Issuer certificates are public.
My Certificates: My Certificates is a list of nine (0 through 8) certificates that exist inside the security gateway and are used to identify the security gateway to an opposite endpoint. Requires generation of a public/private key pair, where the private key never leaves the security gateway.
Signing: Similar to the security gateway's Issuer Certificates

Further glossary entries on this page: Certificate Revocation List (CRL) checking; DCI; DES; Diffie-Hellman; Digital Certificate; Domain Name Service (DNS); Domains (VPN).
322. onfigure all the objects that are contained in the domain.

To create a new domain:
1. From the VPNmanager Console main window menu, select File > Domain > New. The New Domain dialog is displayed.
2. In the Name text box, type in a name for the domain.
Note: Names can be up to 255 characters and can use any characters except a comma.
Note: All VPN components must have unique names. To prevent naming conflicts:
• Check the names of existing VPNs to avoid duplication.
• Use organization names, for example WorldWideSales VPN or ApplicationsEngineering_VPN, since VPNs usually represent functional organizations within a corporation.
Note: Once the domain name is created, you cannot change it.
3. In the Security text box, select the firewall template to be applied to this domain. For detailed information regarding the security policies included in this template, see Chapter 8, Establishing security. Select Level of security:
High: The high security template enforces very strict security policies on the traffic going to and from the security gateway.
Medium: The medium security template enforces strict security policies on the traffic going to and from the security gateway.
Low: The low security template enforces security policies on the traffic going to and from the security gateway.
VPN Only: The VPN only security template enforces secu
323. onitoring Screen: Select View > Monitoring Screen to open the Monitoring wizard for the domain that is opened, or you can click the Monitor icon on the toolbar. The Monitor wizard assists you in selecting the various VPN objects you wish to monitor. A number of prebuilt MIB II and VPNet Enterprise MIB parameter groups can be selected to monitor desired VPN functions, or you can build a custom monitoring group from a comprehensive list of enterprise MIB objects. Examples of ready to use groups include an Attack log, Traffic log, security gateway CPU usage, and throughput. You select a type of group to monitor, or you can define a custom group to monitor. See Using Monitor on page 250.
• Report Wizard: Select View > Report Wizard to open Reports, or you can click the Reports icon on the toolbar. The wizard guides you through creating various reports showing details of your network or an object in the network. See Report Wizard on page 270.

Tools menu

From Tools you can access the following commands:
• Update Devices: Update Devices is used to update the security gateway configuration with the configuration currently in the Directory Server database.
• Show Trace Console: Trace Console is used to log some debugging information. This information is used by Avaya support to diagnose and troubleshoot any problems that may occur.

Help menu

From Help you can access the VPNmanager Help and
324. onsible for password protecting this data.

Disable split tunneling: Split tunneling allows the VPNremote Client to simultaneously maintain both a VPN secure connection and a clear connection. This is the default. You must check the Disable Split Tunneling check box to turn the default off. When the default is off, only secure VPN traffic from the VPNremote client computer is allowed. How you configure this function depends on your corporate security policy. With the default setting to allow split tunneling, a typical application might be when the client wishes to explore a public website while maintaining an email connection on the private corporate network. In a security conscious organization where there is a perceived risk of intrusion into the private network through a remote client's public connection, split tunneling would be disabled. When split tunneling is disabled, the remote users see a message on their VPNremote Client console indicating Connected Private access only.

Dyna Policy Defaults Global tab

The Preferences Dyna Policy Defaults Global tab is used to define the dyna policy defaults for the number of times a user can enter an incorrect password before log on fails, and the number of minutes that a user is locked out after the password fails.

Figure 34: Preferences Dyna Policy Global tab (Advanced Remote Client)
325. onsole main window, select Failover as a New Object. The Failover tab appears.
2. From the Failover > Contents column, select the device to configure for Failover.
3. Select Enable to provide an alternate network path to re-establish access to the central site resources.
4. Select Get IP List for DNS Names so that when a DNS query is made, the security gateway keeps all the IP addresses that are returned in the cache. The security gateway attempts to respond to the queries in the same order that the queries were received. If this parameter is not selected and a DNS query is made, the security gateway uses the first IP address of the DNS response that is returned.
5. In the Number of Failed Hosts field, enter the number of configured hosts that can fail before the network path failover criteria is reached. If multiple hosts are configured and all hosts are critical, enter 1. If any one of the configured hosts fails to respond, network path failover occurs.
6. In the Consecutive No Responses field, enter the number of consecutive connectivity checks without a response that you want to allow. The default is 10.
7. In the Monitor Check Interval field, enter the number of seconds that you want to allow between connectivity checks to the configured host or hosts. The interval is also used to define the response time of the host. Monitor checks are made at the same time to each host. The default i
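The failure criteria worked through in the Table 17 example (five consecutive no responses, two of three hosts, 10 second checks) and the three fields set in the procedure above, as an added Python model that is not code from the Avaya guide. The check results are constructed to match the example's narrative (host 3 misses checks 10 to 50 s, host 2 misses from 50 s on, both miss 90 to 130 s), not copied from the partly legible table.

```python
"""Network path failover criteria as the failover feature describes them:
failover is declared only when at least `failed_hosts` of the monitored hosts
have each missed `consecutive_no_responses` checks in a row, and those misses
fall on the same run of check intervals (concurrent failure)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FailoverPolicy:
    consecutive_no_responses: int  # "Consecutive No Responses" field
    failed_hosts: int              # "Number of Failed Hosts" field
    check_interval_s: int          # "Monitor Check Interval" field, in seconds


# Constructed results (assumption, not the page's table): one entry per
# 10 second check, 'Y' = host responded, 'N' = no response.
CHECKS: Dict[str, List[str]] = {
    "host1": list("YYYNYYYYYYYYY"),
    "host2": list("YYYYNNNNNNNNN"),
    "host3": list("NNNNNYYYNNNNN"),
}


def _missed_last_n(results: List[str], i: int, n: int) -> bool:
    """True when checks i-n+1 .. i (inclusive) all went unanswered."""
    return i + 1 >= n and all(r == "N" for r in results[i - n + 1 : i + 1])


def first_host_failure_times(policy: FailoverPolicy,
                             checks: Dict[str, List[str]]) -> Dict[str, Optional[int]]:
    """Time (s) at which each host, taken on its own, first reaches the
    consecutive miss threshold; None if it never does. This is what a
    per host view would report, and it is NOT the failover criteria."""
    n = policy.consecutive_no_responses
    out: Dict[str, Optional[int]] = {}
    for host, results in checks.items():
        out[host] = None
        for i in range(len(results)):
            if _missed_last_n(results, i, n):
                out[host] = (i + 1) * policy.check_interval_s
                break
    return out


def first_failover_time(policy: FailoverPolicy,
                        checks: Dict[str, List[str]]) -> Optional[int]:
    """Time (s) of the first check at which the criteria are met: at least
    `failed_hosts` hosts have all missed the same last n checks."""
    n = policy.consecutive_no_responses
    num_checks = min(len(r) for r in checks.values())
    for i in range(num_checks):
        failed_now = sum(_missed_last_n(r, i, n) for r in checks.values())
        if failed_now >= policy.failed_hosts:
            return (i + 1) * policy.check_interval_s
    return None


if __name__ == "__main__":
    policy = FailoverPolicy(consecutive_no_responses=5, failed_hosts=2,
                            check_interval_s=10)
    print(first_host_failure_times(policy, CHECKS))  # host3 at 50 s, host2 at 90 s
    print(first_failover_time(policy, CHECKS))       # 130: both miss checks 90..130 s
    # "If all hosts are critical, enter 1": the first host to miss five decides.
    print(first_failover_time(FailoverPolicy(5, 1, 10), CHECKS))  # 50
```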
326. or html file, then print from Acrobat or a browser, respectively.

Figure 84: Report Sample
(Report window contents: Avaya Inc. VPN Manager Report, ou=TechPubs, o=vpnet.com, admin, 2002-5-20 3:4:49 pm. VPNs: 1. Boston VPN, TYPE: ISAKMP, DIRECTORY NAME: ou=VPNs, ou=TechPubs, o=vpnet.com, VSU Members, IP Group Members, User Group Members, User Members; 2. San Francisco VPN, TYPE: ISAKMP, DIRECTORY NAME: ou=VPNs, ou=TechPubs, o=vpnet.com, VSU Members, IP Group Members)

Device diagnostics

Beginning with VPNmanager 3.7, device specific diagnostic reports can be retrieved from a security gateway running VPNos 4.6 or higher. The device diagnostic capability allows the network administrator to run any of the available diagnostic reports from a central network management location. Diagnostic reports provide convenient access to remote security gateways that can be used to troubleshoot common configuration problems. The following diagnostic reports show internal network related information for the security gateway that can be used to diagnose configuration and network problems.

Table 30: Diagnostic Reports
Report Type | Description
General Diagnostics: Routing Table | Shows information regarding how the network traffic flows within
327. original address and the translated address to configure Static NAT.
• Port NAT: With Port NAT, addresses from internal nonroutable networks are translated to one routable address. In Port NAT, port numbers (in the case of TCP/UDP packets) and sequence numbers and IDs (in the case of ICMP packets) are used to create unique channels. Port NAT is unidirectional. That is, Port NAT translates only outgoing packets and not incoming, but it does translate the replies. On the way out, the source address of the packet is translated. For the replies, the destination address is translated back. You can choose from predefined network objects or user defined network objects, or you can specify the IP address and the Mask for the original address. You must specify the IP address and the port ranges for the translated address. The port ranges must be in a range from 5000 to 65535.
Note: When using Port NAT, the ESP trailer must be configured in the VPN IPSec parameters.
• Port Redirection: With port redirection, addresses from a specific address and a specific port are redirected to another address and port. Port redirection translates the destination address of an incoming packet and the source address of the reply. You must specify the from address, the to address, and the port number.

By default, NAT is enabled and the Share public address to reach the internet feature is selected. NAT affects only clear traffic.
328. ority object located in the directory server. The object is where the CRL is located. Click Save.

Enabling CRL checking

For certificate based VPNs using IKE negotiation, a security gateway must verify the other VSU's certificate. When Certificate Revocation List (CRL) Checking is enabled, the VSU validates the certificate revocation list downloaded from the VPNmanager using the Certificate Authority (CA) certificate. The VSU checks the certificate against the validated CRL. If the CRL locates a revoked certificate, the IKE negotiation is cancelled.

To manually install a CRL into Directory Server from the CA's LDAP server:
1. From the CA's LDAP server, obtain the CRL that is associated with your installed issuer certificate. Save the CRL as crl-content.txt.
2. Open the crl-content.txt file to extract the necessary CRL information.

To extract the necessary CRL information, open the crl-content.txt file:
3. Locate the dn header with the organization unit (ou) that corresponds to the CRL. For example:
dn: ou=vpnet VSU, o=Avaya Inc, c=US
4. Locate the paragraphs starting with cacertificate;binary and certificaterevocationlist;binary. For example:
cacertificate;binary:: MI TCKzCCAZSgAwI BAgIQRTP 4LaWm1SRKYLv8 6Cphk vgPDgMZ10q4o000Nyy26HRAVOyJ
certificaterevocationlist;binary:: MI1C2zCCAkQwDQYJKoZIhvcNAQEEBQAw
5. Copy the cacertificate;binary an
329. ors, etc. Information entered here is associated only with this User Group. This information is stored only in the database and not downloaded to the security gateways.

User Group Actions tab

The Actions tab is used to control authentication for specific user groups.

Figure 44: User Group Actions Tab (User Group Actions, User Manager authentication)

Rekey is used to change the key of the highlighted user group. You should change the key regularly to ensure maximum security. Only SKIP and Preshared Secret IKE VPNs can be manually rekeyed. In the case of SKIP, rekeying generates and distributes a new master key to all security gateways associated with the VPN. This SKIP master key is used to generate session keys used for cryptographic functions. In the case of Preshared Secret IKE VPNs, rekeying generates and distributes a new negotiation key to all security gateways associated with the VPN. This negotiation key is used to provide authentication during IKE negotiations, in which the actual session key is dynamically generated. Manual Keyed VPNs can be rekeyed by manually editing the relevant keys.

Configuring a user group

To configure a user group:
1. Move to the Configuration Console window.
2. From the Icon toolbar, click
330. ote: This value is also entered later in the RADIUS server Client file. Check your RADIUS server documentation for valid password length and allowed characters.
7. In the Confirm Password text box, type in the shared secret to confirm it.
8. In the IP Address text boxes, type in the address of the RADIUS server.
Note: An IP address must be entered; domain names are not valid. There must be an IP route between the security gateway and the target RADIUS server.
Note: To verify that a valid IP route exists, use the security gateway proxy ping function (security gateway tab > Connectivity) and enter the target RADIUS server's IP address as the ping target.
9. In the UDP Port text box, type the port number for the server. The default number is usually 1645, but use the RADIUS server's documentation to confirm the number.
10. From the Use this as my options, assign a query order to the server. If backup servers are being used, here is where they can be identified.
• Select Primary Server if no backup servers are used, or if this is the server primarily used if backup servers are running.
• Select Secondary Server if this server operates as a backup to the primary server.
• Select Tertiary Server if this server operates as a backup to the secondary server.
12. Click OK to return to the Policy Manager window.
13. From the list of servers, select the new server.
14. Fro
331. ound packets that matched a rule requiring that a TCP Reset or ICMP packet be sent in response.
Account In | Number of inbound packets that matched a filtering rule with a declared action of count.
Account Out | Number of outbound packets that matched a filtering rule with a declared action of count.
Bad Frag Alloc In | Number of failed attempts to allocate a Fragment table entry for inbound packets. This occurs when a filter rule is declared using the keep frag option. All packets matching this rule cause a Fragment table entry to be allocated. If the table is full, the allocation fails.

Table 23: FilterStats Parameters (continued)
Parameter | Description
Bad Frag Alloc Out | Number of failed attempts to allocate a Fragment table entry for outbound packets. This occurs when a filter rule is declared using the keep frag option. All packets matching this rule cause a Fragment table entry to be allocated. If the table is full, the allocation fails.
New Frag Alloc In | Number of successful attempts to allocate a Fragment table entry for inbound packets. This occurs when a filter rule is declared using the keep frag option. All packets matching this rule cause a Fragment table entry to be allocated. This value does not reflect the size of the table, only the number of entry allocations which succe
332. our company's behalf. Whereas, a malicious party is anyone (including someone who may be otherwise authorized) who accesses your telecommunications equipment with either malicious or mischievous intent. Such intrusions may be either to/through synchronous (time multiplexed and/or circuit based) or asynchronous (character, message, or packet based) equipment or interfaces for reasons of:
• Utilization (of capabilities special to the accessed equipment)
• Theft (such as of intellectual property, financial assets, or toll facility access)
• Eavesdropping (privacy invasions to humans)
• Mischief (troubling, but apparently innocuous, tampering)
• Harm (such as harmful tampering, data loss or alteration, regardless of motive or intent)

Be aware that there may be a risk of unauthorized intrusions associated with your system and/or its networked equipment. Also realize that, if such an intrusion should occur, it could result in a variety of losses to your company (including but not limited to human/data privacy, intellectual property, material assets, financial resources, labor costs, and/or legal costs).

Responsibility for Your Company's Telecommunications Security

The final responsibility for securing both this system and its networked equipment rests with you, Avaya's customer system administrator, your telecommunications peers, and your managers. Base the fulfillment of your responsibility on acquired knowledge and resources fr
333. ox.
5. Use the Look in drop down list to navigate to a directory where you want to save the certificate request.
6. In the File name text box, type in a name for the Certificate Request, then click Save.
7. The VSU saves a Certificate Request into this new file, then updates the Maintain Certificates list with information about the new Certificate Request. The status column for the unsigned request displays Request Ready. The request exists in the Privacy Enhanced Mail (PEM) format using PKCS #10.
8. Send the Certificate Request to a PKI System.
9. The PKI System must use the Distinguished Encoding Rules (DER) format for creating the Signed Certificate.
10. The PKI System creates a Signed Certificate for the VSU. Figure 77 shows what a certificate in PEM format looks like (its body has been shortened for the example). Currently, a VSU accepts the certificate delivery formats of PEM, DER, Base64 X509, and PKCS #7.

Figure 77: An Example of a Signed Certificate
-----BEGIN CERTIFICATE-----   (Header)
nfi897rho987fb mht gt o0i s25hg3 98iJop k3h GrDfgyui9873jg55dJ99KIY6S 3LLSAS 43dbi00M1 _ mhjuuhJ8 stfeEckiooplk3ghf hk3JhyytuUTffRgYyYUy 6676 RgLo010LI BETRE
-----END CERTIFICATE-----   (Footer)

11. Cut the signed certificate from whatever file the PKI System sent it in, then paste it to the file you created in Step 6. Include the header an
334. passing secure traffic is 1404 bytes, which includes the additional IPSec information. The MTU of a security gateway passing unprotected traffic is 1514 bytes. If Path MTU Discovery is running, a security gateway does not convert the following types of packets into secured traffic, and it uses an ICMP message to ask the source of the packets to fragment them:
• Packets larger than 1404 bytes
• Packets with the Don't Fragment bit set
• Packets being the first fragment in the IP datagram

Following are reasons why you may not want a security gateway to participate in Path MTU:
• A firewall sits between the security gateway and the source of packets needing VPN services. This would prevent the source from receiving security gateway ICMP messages indicating that fragmentation is needed.
• The source of packets needing VPN services does not fragment packets even when notified by a security gateway ICMP message.
• A router in the network is outdated and will not send an ICMP need fragmentation message, or will not send a message at all.

The symptom of either of these situations would be that a network sniff indicates the security gateway is sending a fragmentation needed ICMP message, but the traffic initiator is retransmitting the original packet.

To configure Path MTU Discovery:
1. From the Device > Contents column, select the security gateway you want to configure.
2. Click the Advanced tab to bring it to the front.
3. From the Prope
335. pdate frequency is also indicated here. Presentation: There are four types of presentation: bar graph, line graph, pie chart and table. Some types of data cannot be displayed in all four presentation styles; for example, only the System Group can be presented as a bar graph. Only the available presentation types appear in this field for the group previously selected; the table is the most common format for most of the groups. Update Time: Update time defines how often your presentation is updated (the security gateway MIB is re-read). You can choose minutes or seconds. Display: The display area offers two selections for how your security gateway groups are presented: either one window per security gateway, or a single window in which the desired security gateway is selected from a drop-down menu. Monitoring alarms: On the main VPNmanager window, the Alarm pane displays alarm information arriving from the security gateways in the VPN. When an alarm arrives, a rotating red beacon light activates. Conditions causing alarms include a security gateway device not being reachable and several security attacks, such as a manager authentication failure, a key failure or a CCD failure. The alarm console can also be used as a general trap target to gather SNMP trap information from other network devices. Two buttons appear at the bottom of the pane: Properties and Delete. By default all device alarms are displayed; however, alarms from a specific se
336. pears upon successful import. From the VPNmanager Console, click Config. From the left pane, click VPN, then the General tab to bring it to the front. In the General tab, click Certificate Based to enable certificate-based VPN checking. Click the Advanced tab to bring it to the front. In the Advanced tab, click CRL checking and enter the CRL dn in the Directory Name of Certificate Authority field. Note: For the CRL dn, use the same dn used in Step 9. From the left pane, click Device, then the Servers tab to bring it to the front. Add the Directory Server IP address and port number (default clear: 389; default SSL: 636). Click OK. From the Configuration Console, click Save. From the Configuration Console, click Update Devices. During IKE negotiations the CRL is uploaded to the VSU for CRL checking. The CRL is held in the memory of the VSU. (Issue 4, May 2005, 157; Configuring VPN objects) If the Directory Server has been updated with a new CRL, the cached CRL must be manually removed from the VSU console. To remove the CRL from the VSU: 1. From the VSU Console, enter 3 for the Utilities menu. 2. From the Utilities menu, enter 18 to Show CRL information. 3. After selecting 18 from the Utilities menu, a list of serial numbers appears on the screen. 4. Enter Y to delete the CRL list. 5. From the VPNmanager main menu, click Config. 6. Select Device. 7. From the Content pane, select the security gateway that incl
337. pendent copies of VPNmanager, and involves the same steps as creating any other VPN: create the VSUs, then the Groups and Clients, and finally the VPN. The names chosen for VPN components must be synchronized within each corporation's VPNmanager. This requires close coordination between the system administrators during the VPN component creation process, and can be achieved by performing the following procedure: The administrators at each corporation agree that all VPN components will be created by one of the administrators (the exporting administrator), and that the exporting administrator will create and deliver an export VPN configuration file to the other administrators (the importing administrators). The exporting administrator then creates the security gateways, groups, users and VPNs required, with the exception of the security gateways under the management control of the importing administrators. The VPN name must be unique in both the exporting and the importing administrators' VPNmanager databases. (Importing and exporting VPN configurations to a device) When creating an alien Group (a group that includes IP address/mask pairs residing within an importing administrator's network), the exporting administrator associates each alien Group with an extranet device. In the Group configuration, the IP address of the importing administrator's security gateway must be
338. pendent upon the authentication policy last downloaded from VPNmanager. SuperUser Password (OFF or ON): Remember that if you set the SuperUser Password to OFF, you are no longer able to connect to the VSU using the SuperUser account. The only way to recover SuperUser authentication is to change the setting back to ON, then do one of the following: 1. Authenticate via your LDAP user account, or 2. Go to the VSU console and reset the Configuration > VPNmanager Authorization > Authorization Provider value to SuperUser/LDAPuser, then authenticate with either your LDAPuser account or the SuperUser account. Tunnel Persistence: This feature consists of the following radio buttons: Maintain VPN tunnels on device update; Rebuild all VPN tunnels on device update. In a multiple-VPN structure with tunnel persistence set to Maintain VPN tunnels on device update, traffic is interrupted within the modified VPN only. In a multiple-VPN structure with tunnel persistence set to Rebuild all VPN tunnels on device update, all VPNs related to the modified device are interrupted until the configuration update is complete. Figure 63 illustrates tunnel persistence between SGs. If Maintain VPN tunnels is enabled, the addition of SGp to a VPN interrupts and re-establishes the tunnels in that VPN only. Because modifications have not been made in the other VPNs (SG and SGp, or VPN3: SGg and SGp), those tunnels remain persistent. (Using advanced features) Figure 6
339. per the interface's default rule. No Match Block In: Number of inbound packets for a given interface which did not match any filtering rule and were ultimately blocked per the interface's default rule. No Match Block Out: Number of outbound packets for a given interface which did not match any filtering rule and were ultimately blocked per the interface's default rule. (7 of 7) Table 24: Filter Rules Parameters. Rule: Filtering rule description; shows the rule parameters as they would appear when typed in or displayed at the security gateway console. Rule Match: Number of packets which matched this filtering rule. Rule Byte Count: Total byte count for packets which match this filtering rule. (Using Monitor; Monitoring your network) Table 25: Active Ports Parameters. Active Ports: The number of active ports on this security gateway. Traffic Rate Table Group: See Traffic Rate Table Parameters on page 264. Overview Statistics Table Group: See Overview Statistics Table Parameters on page 265. Ethernet Statistics Table Group: See Ethernet Statistics Table Parameters on page 266. Table 26: Traffic Rate Table Parameters. Traffic Port Description: A description of each port. Traffic Port Index: The index of
340. permit or deny. If no matching rule is found, the default action is to permit the packet. Note: For devices with VPNos 4.1 and earlier, domain-level rules and firewall templates are not available. See Voice Over IP on page 175. Levels of firewall policy management: The Firewall Rules tab is used to manage the firewall rules both at the domain level and at the individual device level in the domain. You can view the firewall rules and add or edit rules from the VPNmanager Configuration Console > View > Firewall command. Firewall policy management includes domain firewall rules, device firewall rules and firewall templates. (Establishing security) Figure 52: Firewall tab (screenshot of the rule table; columns include Name, Action, Source(s), Destination(s), Service(s), Device, Zone and Direction). At the domain level, firewall policy management allows the network administrator to set rules across the domain. These rules are referred to as domain-level firewall rules. These rules can be applied to all or some of the devices in the domain. Rules can also be set for specific devices in the domain. At the device level, firewall policy management allows the network administrator to set rules for a specific device. These rules are referred to as device-level firewall rules. For convenience you can select from three predefined sets
341. phic attack. Unable to Reach device: Indicates no response was received from a security gateway to a VPNmanager polling request for management data. (2 of 2) You can select either to ignore the alarm or to take action on the alarm. If Take Action on Alarm is checked, the User Defined Action Upon Alarm is executed. User Defined Action Upon Alarm: Enter the name of the application to be launched when any alarm is generated. The action can be any executable file, for example an application that pages the system administrator. Report Wizard: The Report wizard is used to generate summaries of configuration details and a variety of reports about the VPN, its components and how they are performing. This is especially useful in the configuration debugging process and as an audit trail to document the overall VPN configuration. For accounting, see SYSLOG. (Report Wizard) The first Report wizard screen allows you to specify the objects you wish to include in the report. The available objects include IP Group, User, User Group, Device (security gateway) and VPN. To create a report using the report wizard: 1. Move to the Main Console. 2. Click Report to start the Report Wizard. 3. In the Report Contents portion of the screen, select the object types to be included in the report. The Select All and Deselect All buttons are provided
342. (Packet Filtering) 6. From the Action drop-down list, select Permit to activate the QoS Mark drop-down list. Note: As you build your Packet Marking Rule, its parameters populate the Filtering Policy in Progress text box, which is located at the bottom of the wizard. 7. From the QoS Mark drop-down list, do one of the following: Select Inherit if you want the VSU to examine the ToS field of packets entering the VSU, then copy the QoS mark to the ToS field of the payload packet header exiting the VPN tunnel or of the VPN packet header entering the tunnel (which packet depends on the rule being created). Note: If you choose one of the following options, make sure that the mark used for the rule matches the mark configured in your router(s). Select User Defined if you want to activate the User Defined text box, then type a specific mark into the box; the mark must be a number from 0 to 63. Select a specific CS mark if you want to use a predefined Class Selector mark; although the specific CS mark used must be the same as the one configured in your router(s), these marks serve as a backward-compatibility mechanism for IP Precedence marks, which predate modern QoS marks. Select a specific AF mark if you want to use a predefined Assured Forwarding mark; the AF mark identifies the precedence level at which the packet must be dropped from the stream if traffic congestion limits are exceeded. Select the EF mark
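The QoS Mark options above map onto the six-bit DSCP field of the ToS byte, and the relationship between the menu labels (Inherit, User Defined, CSx, AFxy, EF) and the numbers a router actually compares is easy to get wrong. The following Python is an added example, not code from the Avaya guide or the VSU: it encodes each option as a DSCP value, shows the legacy IP Precedence that a CS mark presents to an older router, extracts the AF drop precedence, and models Inherit as copying the payload's mark onto the VPN header. The function names and the constructed ToS bytes are the example's own assumptions.

```python
"""DSCP helpers for the QoS Mark choices of a packet marking rule (added example)."""

DSCP_MAX = 63
EF = 46  # Expedited Forwarding code point (RFC 3246)


def user_defined_mark(value):
    """The User Defined option: any integer 0..63; anything else is rejected."""
    if not isinstance(value, int) or not 0 <= value <= DSCP_MAX:
        raise ValueError(f"QoS mark must be 0..63, got {value!r}")
    return value


def cs_mark(selector):
    """Class Selector CSx = x << 3; the top three bits are the old IP Precedence."""
    if not 0 <= selector <= 7:
        raise ValueError("class selector must be 0..7")
    return selector << 3


def af_mark(af_class, drop_precedence):
    """Assured Forwarding AFxy: class x (1..4) in the top bits, drop precedence y (1..3)."""
    if not 1 <= af_class <= 4 or not 1 <= drop_precedence <= 3:
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return (af_class << 3) | (drop_precedence << 1)


def parse_mark(name):
    """Turn a menu label ('CS3', 'AF41', 'EF', '17') into a DSCP value."""
    n = name.strip().upper()
    if n == "EF":
        return EF
    if n.startswith("CS") and n[2:].isdigit():
        return cs_mark(int(n[2:]))
    if n.startswith("AF") and len(n) == 4 and n[2:].isdigit():
        return af_mark(int(n[2]), int(n[3]))
    if n.isdigit():
        return user_defined_mark(int(n))
    raise ValueError(f"unknown mark {name!r}")


def af_drop_precedence(dscp):
    """AF drop level carried by a DSCP (1 = dropped last, 3 = dropped first)."""
    return (dscp >> 1) & 0x3


def legacy_precedence(dscp):
    """IP Precedence (RFC 791 ToS bits) that a pre-DiffServ router reads from a mark."""
    return dscp >> 3


def write_mark(tos_byte, dscp):
    """Place a DSCP in a ToS byte; the low two (ECN) bits are left untouched."""
    return ((user_defined_mark(dscp) << 2) | (tos_byte & 0x3)) & 0xFF


def read_mark(tos_byte):
    return (tos_byte >> 2) & DSCP_MAX


def mark_on_encapsulation(inner_tos, outer_tos, option):
    """Apply one marking rule to a packet entering the tunnel and return the
    outer (VPN header) ToS byte.  'Inherit' copies the payload's existing mark;
    any other option writes the configured value."""
    if option.strip().lower() == "inherit":
        return write_mark(outer_tos, read_mark(inner_tos))
    return write_mark(outer_tos, parse_mark(option))


def check_matches_router(option, router_dscp):
    """The guide's note: for every option except Inherit, the rule's mark must
    equal the mark configured on the router."""
    return option.strip().lower() == "inherit" or parse_mark(option) == router_dscp


if __name__ == "__main__":
    for label in ("CS3", "AF41", "EF", "17"):
        print(label, parse_mark(label), "precedence", legacy_precedence(parse_mark(label)))
    print(hex(mark_on_encapsulation(0xB8, 0x00, "Inherit")))
```

The constructed ToS byte 0xB8 in the usage line is EF (46) shifted left by two with ECN bits clear; the Inherit case reproduces it on the outer header, which is what a marking rule on the tunnel entry side is meant to do.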
343. r for Issuer Certificates for the VSU needing the certificate. Click Add to open the Open dialog box. Use the Look in drop-down list to navigate to the location of the Issuer Certificate. Select the Issuer Certificate, then click Open to return to the Policy Manager window. After the VSU has received the Issuer Certificate, the certificate appears in the Issuer Certificates list. IKE Certificate Usage: If you are creating VPNs which use certificates for authentication and security, use the Policy Manager for IKE Certificate Usage to configure how VSU Certificates must be used. Those certificates were created and installed in VSUs from the My Certificates policies; see Policy Manager: My Certificates on page 234. The IKE Certificate Usage policy is the mechanism used for exchanging certificates in a VPN. (Policy Manager: My Certificates) About Certificate Usage (Exchange): Every certificate identifies its owner and contains the owner's public key. The concept of certificate usage is based on Owners and Targets. An owner sends its certificate to a target, who then uses it to encrypt any information it sends to the owner. Owners and targets can be a VSU, a Remote Client or any device that can use the Internet Key Exchange (IKE) protocol to exchange certificates. The roles of owner and target are purely based on point of view. Whenever a target needs to rece
344. rations occurring for outbound packets. These occur when a packet is fragmented across multiple internal memory buffers and there is insufficient information available to properly process the packet; successive memory buffers are read until there is enough information to process the packet. Bad Pullup In: Number of failed pullup operations occurring for inbound packets. These occur when a packet is fragmented across multiple internal memory buffers and there is insufficient information available to properly process the packet; successive memory buffers are read until there is enough information to process the packet. Bad Pullup Out: Number of failed pullup operations occurring for outbound packets. These occur when a packet is fragmented across multiple internal memory buffers and there is insufficient information available to properly process the packet; successive memory buffers are read until there is enough information to process the packet. No Match Pass In: Number of inbound packets for a given interface which did not match any filtering rule and were ultimately allowed to pass per the interface's default rule. (6 of 7) Table 23: FilterStats Parameters (continued). No Match Pass Out: Number of outbound packets for a given interface which did not match any filtering rule and were ultimately allowed to pass
345. re also allows traceroute capability when the traceroute criteria are met, allowing network administrators to trace network path failures. Keep-alive packets can be sent to configured hosts that are in protected networks and in unprotected networks; therefore these packets can be encrypted or clear traffic, based on the VPN policy on the device. (Keep Alive) Figure 74: Keep alive tab (screenshot). To configure keep alive: 1. From the Configuration Console window, select New Object > Keep Alive. The Keep Alive dialog is displayed. 2. In the Keep Alive name text box, enter a unique name. Click Apply. Click Close to go to the Keep Alive tab. 3. Click Enable to enable the keep alive configuration. 4. From the Send From drop-down menu, select a network zone: Public, the public network interface, provides connection to the Internet, usually by way of a wide area network (WAN); by default, DHCP Client is used to configure the public IP address. Private, the private network interface, usually provides connection to your private local area network (LAN) or your corporate LAN. 5. In the Keep Alive Interval field, enter the
346. re entries for all four fields; refer to your Definity documentation for further information. Non-Avaya IP telephones require, at a minimum, the TFTP server IP address. Note: The following IP telephone DHCP options are supported: Option 150, proprietary to Avaya IP telephones; this option is for the TFTP server IP address. Option 176, proprietary to Avaya IP telephones: Definity Clan IP address and port, along with an optional TFTP server IP address (all four fields in the IP Telephony Configuration section must contain entries). Option 66, the standard DHCP option for the TFTP server. TFTP Server IP: This is the address of the TFTP server on which the latest version of the IP Phone firmware is maintained for upgrade purposes. TFTP File Path: Used when the file path is other than the default path. DEFINITY Clan IP: The IP address of the DEFINITY Clan server. DEFINITY Clan Port: Port number for the DEFINITY server; default port 1719, port range 1 to 65535. To add an IP Device: 1. From security gateway Objects, select the Private Port tab from the Properties pane. 2. Select the Local DHCP Server radio button. 3. Click Add. 4. Enter the required information to complete the IP Device configuration. 5. Click OK. 6. Click Save. DHCP Relay: Select DHCP Relay to configure the security gateway to support DHCP Relay functionality. This functionality allows the DHCP Relay agent to bind to the device's private port and forward only DHCP
347. red data through an unsecure network like the Internet by using dynamically created connections between members of the VPN. Index. Numerical: 3DES, 142. A: Access Control List (ACL), using the, 190; ACE Server (AccessManager), 126; action tab, device, 279; Active VPN Sessions, 247; ActiveSessions Group parameters, 253; Add IPSec Proposal dialog box, 154; add QoS policy, 182; Add SNMP Trap Target, 246, 247; address: DNS Server, 65; private, configuring a, 204; secondary, creating a, 204; address/mask pair, description of an, 97; Administrators, VPNmanager Role-Based Management, detailed explanation, 4; Advanced action, detailed description, 219; Advanced tab: User Object, for a, 119; VPN Object, for a, 155; VSU Object, for a, 85; AES-128, 146, 154; Aggressive mode, IKE, 150; AH Header, 154; AH/ESP, 145; AH/ESP drop-down list, 154; alarm monitoring pane, 44; Alarm Properties, 269; Alarm Types, 269; Alarm Disposition, 269; Alarm Monitoring, 52; Apply
348. remote user requests CCD from the security gateway, the security gateway's RADIUS client contacts the RADIUS server to authenticate the user. Upon successful authentication, the CCD server provides the default VPN policy to the user. (Configuring VPN objects) Creating a new VPN object. To create a new VPN object: 1. From the VPNmanager Console main window, click New Object and select VPN. The New VPN dialog is displayed. 2. In the Name text box, type a name for your new VPN Object. Any characters can be used except a comma. 3. From the VPN Type options, do one of the following: select SKIP to create a SKIP VPN Object; select IKE to create an IKE VPN Object. 4. Click Apply to create the object. 5. If you want to create another object, repeat step 2 and step 3. 6. Click Close. The Configuration Console appears and the details pane displays a series of tabs. 7. Click Save to save your work. Creating a default VPN. To create a default VPN within a selected domain: 1. Add the security gateway(s). Add an IP Group(s) and associate this group with this security gateway. 2. Create a default user or default user group in the VPNmanager. 3. Create a new VPN Object (see Creating a new VPN object on page 136) and check the Default VPN checkbox. 4. Add the default user and IP Group(s) to the new VPN. 5. Configure the RADIUS Server using the Policy Manager. 6. Enable the RADIUS Authentication L
349. ress or range; TCP/UDP/ICMP protocol; port or port ranges; IP protocol; interface; direction. A set of common network services is provided, and custom network services or objects can be easily defined for use in both firewall and QoS policies. Firewall rules can be individually enabled to track state information on TCP/UDP/ICMP packet flows and can be user-configured with advanced state timers. Logging can also be enabled for each rule. Note: Domain-level rules and firewall templates are available for VPNos release 4.2 and later. Denial of Service: The following Denial of Service (DoS) categories are enabled to protect the security gateway from attack by hackers. (Overview of implementation) Ping of Death: The ping of death sends packets with invalid lengths. When the receiving system attempts to rebuild the packets, the system crashes because the packet length exhausts the available memory. IP Spoofing: This attack sends an IP packet with an invalid IP address. If the system accepts this IP address, the attacker appears to reside on the private side of the security gateway. The attacker is actually on the public side and bypasses the firewall rules of the private side. Smurf Attack: This attack floods the system with broadcast IP packet pings. If the flood is large enough and long enough, the attacked host is unable to receive or distinguish real traffic. Tear Drop: This attack sends IP fragments
350. ring 5. Click Advanced to open the Packet Filter Rule Advanced dialog box. 6. Use Table 12 to determine which option you want. Table 12: Packet Filter rule advanced options. Permit all non-VPN traffic: Select this button to permit all non-VPN packets. Deny all IP non-VPN traffic: Select this button to block all IP non-VPN packets. Deny all non-VPN traffic: Select this button to block all non-VPN packets. Drop all IP fragments: Select this check box to block all IP packets that have been fragmented; see Path MTU Discovery on page 201 for information about packet fragmentation. Drop all Short IP Packets: Select this check box to block all IP packets that are unusually small. The following are considered short packets: IP packets shorter than 20 bytes; TCP packets shorter than 40 bytes; UDP packets shorter than 28 bytes; ICMP packets shorter than 28 bytes. Keep Filter Statistics: Select this check box if you want to send the packet filtering log to a common SNMP manager. The manager that is used is configured in the Routing 7. Click OK to return to the Policy Manager for Packet Filtering. 8. Click Save to save your work. Marking packets for differentiated services (QoS): If your network is running Differentiated Services, a VSU can be configured to mark specific IP packets for specific types of services.
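The advanced options in Table 12 and the IP Spoofing entry in the Denial of Service list above are all per-packet sanity checks, so one small evaluator can show how they combine and in what order a drop is attributed. This Python is an added example, not the VSU's filter code: it applies the guide's short-packet thresholds (IP 20, TCP 40, UDP 28, ICMP 28 bytes), the drop-all-fragments option, a spoof check (a public-side packet whose source claims a private network) and the three non-VPN traffic buttons, and tallies verdicts the way the FilterStats table counts them. The packet records, the private network 10.1.0.0/16 and the "deny_ip"/"deny_all" option names are constructed for the example.

```python
"""Per-packet checks modelled on Table 12 and the IP Spoofing category (added example)."""
import ipaddress
from dataclasses import dataclass

# Minimum lengths from "Drop all Short IP Packets" (bytes, IP header included)
SHORT_PACKET_MIN = {"ip": 20, "tcp": 40, "udp": 28, "icmp": 28}


@dataclass
class Packet:
    iface: str                # "public" or "private": interface the packet arrived on
    proto: str                # "tcp", "udp", "icmp", "other-ip", or "arp" (non-IP)
    length: int               # IP packet length in bytes
    src: str                  # source IP address ("" for non-IP frames)
    fragmented: bool = False  # part of a fragmented datagram
    vpn: bool = False         # belongs to a VPN tunnel (not subject to non-VPN buttons)


@dataclass
class AdvancedOptions:
    non_vpn: str = "permit"   # "permit", "deny_ip" (IP only) or "deny_all" (IP and non-IP)
    drop_fragments: bool = False
    drop_short: bool = False


def is_ip(pkt):
    return pkt.proto != "arp"


def is_short(pkt):
    """Short per the guide: below the IP minimum, or below the TCP/UDP/ICMP minimum."""
    if not is_ip(pkt):
        return False
    if pkt.length < SHORT_PACKET_MIN["ip"]:
        return True
    return pkt.length < SHORT_PACKET_MIN.get(pkt.proto, 0)


def is_spoofed(pkt, private_nets):
    """IP spoofing as the overview describes it: a packet arriving on the public
    side whose source address claims to be inside a private network."""
    if not is_ip(pkt) or pkt.iface != "public":
        return False
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in private_nets)


def evaluate(pkt, opts, private_nets):
    """Return 'permit' or 'drop:<reason>' for one packet (first failing check wins)."""
    if opts.drop_short and is_short(pkt):
        return "drop:short-packet"
    if opts.drop_fragments and pkt.fragmented:
        return "drop:fragment"
    if is_spoofed(pkt, private_nets):
        return "drop:spoofed-source"
    if not pkt.vpn:
        if opts.non_vpn == "deny_all":
            return "drop:non-vpn"
        if opts.non_vpn == "deny_ip" and is_ip(pkt):
            return "drop:non-vpn-ip"
    return "permit"


# Constructed sample traffic (not a capture from the guide)
PRIVATE_NETS = [ipaddress.ip_network("10.1.0.0/16")]
SAMPLE = [
    Packet("public", "tcp", 30, "198.51.100.7"),                   # short TCP segment
    Packet("public", "udp", 28, "198.51.100.7", vpn=True),         # exactly the UDP minimum
    Packet("public", "tcp", 1200, "10.1.4.9", vpn=True),           # private source on public side
    Packet("private", "icmp", 1500, "10.1.4.9", fragmented=True),  # fragment
    Packet("public", "arp", 42, ""),                               # non-IP, non-VPN
    Packet("public", "tcp", 80, "203.0.113.5"),                    # clear IP, non-VPN
]


def run(opts, private_nets=PRIVATE_NETS, packets=SAMPLE):
    return [evaluate(p, opts, private_nets) for p in packets]


def filter_stats(verdicts):
    """Counts per verdict, in the spirit of the FilterStats table."""
    stats = {}
    for v in verdicts:
        stats[v] = stats.get(v, 0) + 1
    return stats


if __name__ == "__main__":
    verdicts = run(AdvancedOptions(non_vpn="deny_ip", drop_fragments=True, drop_short=True))
    for pkt, v in zip(SAMPLE, verdicts):
        print(f"{pkt.iface:7} {pkt.proto:8} {pkt.length:5}  {v}")
    print(filter_stats(verdicts))
```

Two details worth noticing when reading the output: the 28-byte UDP packet is not short (the thresholds are strict "shorter than"), and the ARP frame survives "Deny all IP non-VPN traffic" but not "Deny all non-VPN traffic", which is exactly the difference between the two buttons in Table 12.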
351. rity involves establishing an agreement between security gateways about which IPSec protocol configurations to use. The Security (IPSec) tab has two sets of options: the IPSec options control packet alteration, and the IPSec Proposal options are used for creating up to four different proposals for payload encryption and authentication. Security gateways must use the same IPSec Proposal. An IPSec Proposal dialog box is used for creating different proposals in cases where the proposal is unknown. Figure 48: VPN Security (IPSec) tab (screenshot; fields include Perfect Forward Secrecy, AH/ESP, Diffie-Hellman Group and the IPSec Proposals list with Priority, Encryption, Authentication and Lifetime columns). In the IPSec area you set up the IPSec protocol information that you want the VPN to use. (Using the VPN tabs) LZS: This refers to the Lempel-Ziv-Stac hardware data compression technique used prior to encryption. Yes/No enables or disables its use. AH/ESP: This is the Authentication Header (AH) / Encapsulating Security Payload (ESP). IKE VPNs authenticate IP packets using e
352. rity policies on the tunnel end points. This template also gives a higher priority to VPN traffic. None: Firewall rules are not enforced. All traffic is permitted into and out of the network. 4. Click Apply to create the domain. The name of your new VPN domain appears in the title bar of the VPNmanager Console main window. The domain is open and ready to be configured. Configuring a security gateway. The New Object > Device function is used to create security gateways and VPN Service Units (VSU) in a VPN environment. The security gateway acts as an end point of VPN tunnels. Note: Beginning with VPNmanager 3.4, this configuration guide uses the term security gateway to refer to both the security gateway and the VSU. The VPNmanager application uses the term Device to refer to both of these components. In order to configure a security gateway, the security gateway must have an IP address and must be reachable over the network. When you select New Object for the device, a setup wizard is launched that allows you to configure the following security gateway functions: name for the security gateway; IP address that is used to identify the security gateway to the VPNmanager console; SNMP community string (VPNmanager uses the SNMP protocol to monitor the security gateways; see Using SNMP to monitor the device on page 245)
353. rk. Note: If your network contains any non-routable addresses, Avaya recommends that you enable the Share public address to reach the internet feature. Any firewall rules that are in use can block translated traffic. Priority of NAT types: NAT is a rule-based policy where the priority is based first on the NAT type and then on the order in which the rules appear in the NAT list. NAT types have the following priority: 1. Redirection; 2. Static NAT; 3. Port NAT. Configuring NAT (VPNos 4.31). Note: You should understand how NAT works before trying to configure NAT for VPNos; this guide does not explain how NAT works. The NAT screen displays the following information for each rule (scroll to see all the information): the type of rule (the types are static, port or redirection); the zone to which the NAT rule applies; the protocol (protocols are TCP, UDP, TCP/UDP or ANY); the Original IP address/mask; the Translation IP address; the Start port; the End port; the status of the rule (enabled or not enabled). You can add, modify and delete NAT rules. You can construct a series of rules and enable or disable each rule as necessary. A rule can be moved up or down to change the priority; see Priority of NAT types on page 86. Enable NAT: NAT is enabled when this box is checked. NAT List: Note that this is a rule-based policy where the priority of the rules is the order in which they appear in the NAT List.
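Because NAT type outranks list position, a rule that looks first in the NAT List can be evaluated last, and a broad static rule can silently shadow a narrower port rule below it in effective order. The following Python is an added example (not VPNos code) that sorts rules the way the guide describes, finds the first match for a packet, and reports rules that can never fire. The rule fields follow the columns listed above; the sample rules, addresses and zone names are constructed.

```python
"""NAT rule precedence (type first, then list order) and shadow detection (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Lower number wins; list position breaks ties within a type.
NAT_TYPE_PRIORITY = {"redirection": 0, "static": 1, "port": 2}


@dataclass
class NatRule:
    nat_type: str          # "static", "port" or "redirection"
    zone: str              # zone the rule applies to, e.g. "public"
    proto: str             # "TCP", "UDP", "TCP/UDP" or "ANY"
    original: str          # original IP address/mask, e.g. "203.0.113.10/32"
    translation: str       # translation IP address
    start_port: int = 1
    end_port: int = 65535
    enabled: bool = True


def effective_order(rules):
    """Rules in the order the gateway evaluates them: by NAT type, then list position."""
    indexed = list(enumerate(rules))
    indexed.sort(key=lambda ir: (NAT_TYPE_PRIORITY[ir[1].nat_type], ir[0]))
    return [r for _, r in indexed]


def proto_matches(rule_proto, pkt_proto):
    return rule_proto == "ANY" or pkt_proto in rule_proto.split("/")


def rule_matches(rule, zone, proto, ip, port):
    if not rule.enabled or rule.zone != zone:
        return False
    if not proto_matches(rule.proto, proto):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.original, strict=False):
        return False
    return rule.start_port <= port <= rule.end_port


def lookup(rules, zone, proto, ip, port) -> Optional[NatRule]:
    """First matching rule in effective order, or None (packet passes untranslated)."""
    for rule in effective_order(rules):
        if rule_matches(rule, zone, proto, ip, port):
            return rule
    return None


def covers(a, b):
    """True when every packet rule b could match is already matched by rule a."""
    if a.zone != b.zone:
        return False
    if a.proto != "ANY":
        if b.proto == "ANY" or not set(b.proto.split("/")) <= set(a.proto.split("/")):
            return False
    net_a = ipaddress.ip_network(a.original, strict=False)
    net_b = ipaddress.ip_network(b.original, strict=False)
    if not net_b.subnet_of(net_a):
        return False
    return a.start_port <= b.start_port and b.end_port <= a.end_port


def shadowed_rules(rules):
    """Enabled rules that can never fire because an earlier rule (in effective order) covers them."""
    ordered = [r for r in effective_order(rules) if r.enabled]
    return [b for i, b in enumerate(ordered) if any(covers(a, b) for a in ordered[:i])]


# Constructed sample NAT List, in the order an administrator typed it
SAMPLE_RULES = [
    NatRule("port", "public", "TCP", "203.0.113.10/32", "10.1.0.20", 8080, 8080),
    NatRule("static", "public", "ANY", "203.0.113.10/32", "10.1.0.30"),
    NatRule("redirection", "public", "TCP", "203.0.113.10/32", "10.1.0.40", 80, 80),
]


if __name__ == "__main__":
    print([r.nat_type for r in effective_order(SAMPLE_RULES)])
    print(lookup(SAMPLE_RULES, "public", "TCP", "203.0.113.10", 8080).translation)
    print([r.nat_type for r in shadowed_rules(SAMPLE_RULES)])
```

In the sample, the port rule for 8080 is listed first but is evaluated after the static rule, which covers every protocol and port on the same address, so traffic to 8080 goes to 10.1.0.30 rather than 10.1.0.20; `shadowed_rules` flags exactly that.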
354. rmation: the private IP address and private mask of the private Ethernet port. Select Use this address when directly communicating with this device if the VPNmanager is on the private side of the security gateway and needs to communicate using the security gateway's private IP address. Click Next. Note: Entering a security gateway IP address from the VPNmanager Console does not change the security gateway's address. The address and subnet mask of a security gateway can only be changed with a computer connected directly to the security gateway's console interface. The address entered here is used to identify the security gateway so that the VPNmanager Console can communicate with it. In the Authentication section, enter the superuser name and password. 5. If the Detect Device checkbox is selected (the default), VPNmanager will attempt to contact the device and retrieve the device details. Select the device from the drop-down menu in the Network Configuration screen. If the Public Interface Uses a Dynamic User VPN IP Address checkbox is selected, enter the device serial number. Enter the Policy Server IP/DNS name and port where the Policy Server is running. In the Device Details section, when the Detect Device checkbox is selected, VPNmanager automatically detects the device and updates the device details. If the Detect Device checkbox is not selected, select the device type from the drop-down menu. In the SN
355. rs in the Contents column. 6. Click Save. After an IP Group is created, use the General and Memo tabs to record notes about the IP group. New IP Group: The New IP Group screen is displayed when New > IP Group is selected or when no IP Groups currently exist. Note: If the Hide directory context field box is unchecked in the Advanced tab of the Preferences drop-down menu, the Context field is displayed (default: off). This field is used to define where the object is located in the LDAP directory tree. All VPN components must have unique names. To prevent naming conflicts: add the suffix "group" to the group name; check the names of existing groups to avoid duplication; use department or work group references for group names, for example Chicago_Sales_Group or Seattle_Engineering_Group, since groups usually represent one or more host devices belonging to employees in a corporate network. IP Group General tab: The General tab is used to manage your IP Groups. In addition to displaying a list of all existing IP Groups, it also provides a means of adding new IP Groups and linking the IP Group to a specific device. (IP Group General tab) Figure 31: IP Group General tab (screenshot)
356. rst Failed Host: The network host IP address specified in the keep alive host list. Traceroute will be initiated to the first failed host from the configured keep alive host list that meets the traceroute criteria. Host IP: The network host IP address to monitor for connectivity. Traceroute will be initiated on the specified host IP address. d. Click Save. Policy Manager: My Certificates. If you are creating VPNs that use certificates for authentication and security, use the Policy Manager for My Certificates to install signed certificates into a specific VSU. After one or more certificates have been installed, see IKE Certificate Usage on page 240 about configuring a target for a signed certificate, and Issuer certificates on page 238 about installing issuer certificates on a target. About VSU certificates: VSUs use public key certificates based on CCITT Recommendation X.509. Within the framework of the recommendation, each certificate includes a Rivest, Shamir and Adleman (RSA) Public Key Cryptography Standard (PKCS) Number 10 for authentication. A VSU can store up to nine certificates. One is a default certificate, which is only used for the SSL connection between the VSU and the VPNmanager Console. The remaining eight certificates are My Certificates and are statically stored in the flash memory of the VSU. The default certificate is issued by Avaya Inc. Note: The default certificate has a six-year period of validity which start
357. rties column, select MTU Path Discovery to display the MTU Path Discovery values. 4. From the Values list, do the following: select the On radio button to run MTU Path Discovery; select the Off radio button to disable MTU Path Discovery. 5. Enter the Path MTU Timeout value. The path MTU timeout value is the number of minutes the SG will remember the new MTU learned for a path. When the timeout expires, the SG will attempt to send the maximum configured packet size. The default value is 1000. A timeout value of 0 means that the path MTU will never time out. (Device Advanced) 6. In the Fragmentation Control for Encapsulated VPN Traffic area, select the appropriate Do Not Fragment (DF) bit property. Note: If the DF bit is set in the IP header, the packet will not be fragmented further down the network path. Copy DF bit from the source packet: If this property is selected, the DF bit from the source IP header is copied to the VPN traffic. When Path MTU is enabled (On), the Copy DF bit from the source packet property is the default behavior. When Path MTU is disabled (Off), the Copy DF bit from the source packet property is a configurable behavior. Set DF bit: If this property is selected, the DF bit for VPN traffic is always ON. When Path MTU is disabled (Off), the Set DF bit property is a configurable behavior. Clear DF bit: If this property is selected, the DF bit for the VPN traffic is
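The Path MTU Discovery description (the 1404-byte secure MTU, the ICMP "fragmentation needed" reply, and the three packet types the gateway hands back to the source) and the Path MTU Timeout and DF-bit settings above fit into one small model. The Python below is an added example, not the SG's implementation, and it makes two assumptions that are labelled in the comments: an oversize packet or a first fragment is what triggers the ICMP reply (a DF packet that already fits is simply protected, with the outer DF bit chosen by the Fragmentation Control setting), and with Path MTU Discovery off the gateway encapsulates regardless of size. The cache models the timeout rule exactly as stated: minutes, default 1000, and 0 meaning never.

```python
"""Model of the Path MTU Discovery and DF-bit behaviour described above (added example)."""
from dataclasses import dataclass
from typing import Optional

VPN_MTU = 1404            # largest packet the gateway will protect (IPSec overhead included)
CLEAR_MTU = 1514          # MTU for unprotected traffic
DEFAULT_TIMEOUT_MIN = 1000


@dataclass
class IPPacket:
    length: int
    df: bool = False               # Don't Fragment bit
    more_fragments: bool = False   # MF bit
    frag_offset: int = 0           # fragment offset in 8-byte units

    @property
    def is_first_fragment(self):
        return self.more_fragments and self.frag_offset == 0


@dataclass
class Outcome:
    action: str                          # "encapsulate" or "icmp_frag_needed"
    next_hop_mtu: Optional[int] = None   # MTU advertised in the ICMP message
    outer_df: Optional[bool] = None      # DF bit written on the VPN packet


class PathMtuCache:
    """Remembers the MTU learned for a destination for `timeout_min` minutes;
    0 means the entry never expires, as the guide states."""

    def __init__(self, timeout_min=DEFAULT_TIMEOUT_MIN):
        self.timeout_min = timeout_min
        self.entries = {}   # destination -> (mtu, minute learned)

    def learn(self, dst, mtu, now_min):
        self.entries[dst] = (mtu, now_min)

    def lookup(self, dst, now_min):
        """MTU to use for dst; back to the configured maximum once the entry expires."""
        if dst not in self.entries:
            return VPN_MTU
        mtu, learned = self.entries[dst]
        if self.timeout_min and now_min - learned >= self.timeout_min:
            del self.entries[dst]
            return VPN_MTU
        return mtu


def outer_df_bit(inner_df, policy):
    """Fragmentation Control: copy the source DF bit, force it on, or force it off."""
    if policy == "copy":
        return inner_df
    if policy == "set":
        return True
    if policy == "clear":
        return False
    raise ValueError(f"unknown DF policy {policy!r}")


def handle(pkt, pmtud_on, df_policy=None, path_mtu=VPN_MTU):
    """Decide what the gateway does with one packet bound for the tunnel."""
    policy = df_policy or "copy"   # Copy DF bit is the default when Path MTU is On
    # Assumption of this model: oversize packets and first fragments are the
    # cases handed back to the source with ICMP "fragmentation needed".
    if pmtud_on and (pkt.length > path_mtu or pkt.is_first_fragment):
        return Outcome("icmp_frag_needed", next_hop_mtu=path_mtu)
    # Assumption: with Path MTU off the gateway protects the packet regardless.
    return Outcome("encapsulate", outer_df=outer_df_bit(pkt.df, policy))


def cache_demo():
    """Timeout rule: a learned 1300-byte MTU survives 5 min, expires at 10 min,
    and never expires when the timeout is 0 (destination address constructed)."""
    timed, forever = PathMtuCache(timeout_min=10), PathMtuCache(timeout_min=0)
    timed.learn("198.51.100.9", 1300, now_min=0)
    forever.learn("198.51.100.9", 1300, now_min=0)
    return (timed.lookup("198.51.100.9", 5),
            timed.lookup("198.51.100.9", 10),
            forever.lookup("198.51.100.9", 100000))


if __name__ == "__main__":
    print(handle(IPPacket(1500, df=True), pmtud_on=True))
    print(handle(IPPacket(1400, df=True), pmtud_on=True, df_policy="clear"))
    print(cache_demo())
```

The troubleshooting symptom described above (ICMP "fragmentation needed" leaving the gateway while the initiator keeps retransmitting the same oversize packet) corresponds to `handle` returning `icmp_frag_needed` for the same packet on every call: nothing on the source side ever reacts to the advertised 1404-byte MTU.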
358. rty allows you to add, modify and delete QoS policies. Each policy can include up to four configurable classes: highest, high, medium and low. You can configure each class according to how network traffic should be prioritized. Each class can contain data, voice or both. Within each class, the following is configured: Bandwidth allocation: the percentage of bandwidth to be allocated to the class. The sum of all allocations for a QoS policy should be 1 to 98. The remaining 2% is internally allocated by default to ICMP, IGMP and RSVP. The excess bandwidth not specified in the sum of allocations of the policy is reserved for all other traffic not defined in the classes; (QoS policy and QoS mapping) therefore it is not necessary to create a class for all other traffic. If 0 is allocated, the class is removed from the existing configuration. Note: When the media interface is configured, the total upstream bandwidth can be specified in Media Settings, and this setting is partitioned among the specified classes. Whether Burst is enabled: For each class, the burst capability value can be set to Yes or No. The default is No. If bursting is configured for a class, when this class becomes over-limit it tries to borrow from the unused bandwidth of other classes. If no unused bandwidth is available, the packets are dropped when the class becomes over-limit. CAUTION: Allowing bursting in classes that
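The allocation rules above (each class a percentage, the sum within 1 to 98, 2% held for ICMP/IGMP/RSVP, the remainder for unclassified traffic, 0 removing a class) and the burst rule (an over-limit class borrows unused share from other classes, otherwise its excess is dropped) are easiest to check with numbers. This Python is an added example, not the device's scheduler: it validates a policy, partitions a configured upstream rate, and runs one scheduling interval against a demand figure per class. The 1000 kbps rate, the class percentages and the demands are constructed; the borrowing order (highest priority first) and the choice not to lend the unclassified remainder are assumptions of the model.

```python
"""QoS class bandwidth partitioning with burst borrowing (added example)."""
from dataclasses import dataclass

RESERVED_PCT = 2   # held back by the device for ICMP, IGMP and RSVP
CLASS_ORDER = ["highest", "high", "medium", "low"]


@dataclass
class QosClass:
    name: str
    percent: int          # bandwidth allocation, 1..98 (0 removes the class)
    burst: bool = False   # Burst = Yes lets the class borrow unused share


def validate_policy(classes):
    """Apply the guide's rules: only the four class names, 0 % removes a class,
    remaining allocations each 1..98 % and summing to 1..98 %.  Returns the
    surviving classes in priority order."""
    kept = []
    for c in classes:
        if c.name not in CLASS_ORDER:
            raise ValueError(f"unknown class {c.name!r}")
        if c.percent == 0:
            continue
        if not 1 <= c.percent <= 98:
            raise ValueError(f"{c.name}: allocation must be 0 or 1..98 %")
        kept.append(c)
    total = sum(c.percent for c in kept)
    if not 1 <= total <= 98:
        raise ValueError(f"class allocations sum to {total} %, must be 1..98 %")
    return sorted(kept, key=lambda c: CLASS_ORDER.index(c.name))


def partition(upstream_kbps, classes):
    """Split the upstream rate: each class its share, 2 % reserved, and the
    rest for traffic that matches no class (so no catch-all class is needed)."""
    classes = validate_policy(classes)
    shares = {c.name: upstream_kbps * c.percent // 100 for c in classes}
    shares["reserved"] = upstream_kbps * RESERVED_PCT // 100
    shares["other"] = upstream_kbps - sum(shares.values())
    return shares


def schedule(upstream_kbps, classes, demand_kbps):
    """One scheduling interval.  Every class is served up to its share; bursting
    classes then borrow unused share from the other classes (highest priority
    first, an assumption of this model); whatever is still over-limit is dropped."""
    classes = validate_policy(classes)
    shares = partition(upstream_kbps, classes)
    served, unused = {}, 0
    for c in classes:
        got = min(demand_kbps.get(c.name, 0), shares[c.name])
        served[c.name] = got
        unused += shares[c.name] - got
    dropped = {}
    for c in classes:
        over = demand_kbps.get(c.name, 0) - served[c.name]
        if over <= 0:
            continue
        if c.burst:
            borrow = min(over, unused)
            served[c.name] += borrow
            unused -= borrow
            over -= borrow
        if over > 0:
            dropped[c.name] = over
    return {"served": served, "dropped": dropped, "unused": unused}


if __name__ == "__main__":
    policy = [QosClass("highest", 50, burst=True), QosClass("high", 30)]
    print(partition(1000, policy))
    print(schedule(1000, policy, {"highest": 700, "high": 100}))
    print(schedule(1000, [QosClass("highest", 50), QosClass("high", 30)],
                   {"highest": 700, "high": 100}))
```

The two `schedule` calls differ only in whether the highest class may burst: with Burst = Yes its 200 kbps excess is absorbed from the high class's idle share, with Burst = No the same 200 kbps is dropped, which is the trade-off the CAUTION that follows is about.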
[Screenshot residue removed: IP Group dialog showing the Members IP Network Mask Pairs tab]

One or more address/mask pairs can be created, and the group can be associated with a specific security gateway. Your new group can even be associated with a security gateway belonging to an extranet: a VPN outside your domain and belonging to another organization, such as suppliers, banks, or customers.

This tab includes the following information:

Members IP Network Mask Pairs and Ranges: This list shows the IP address and mask pairs for all the security gateways currently in the IP Group.

Associate this group with: Associating a group with a security gateway means that the hosts corresponding to the IP address/mask pair entered are on a network that is behind, or protected by, the selected security gateway. The list contains the names of all security gateways in the VPNmanager database, a choice of None, and a choice of Extranet device.

Extranet device: You can create a group associated with a security gateway that is not managed by your company's VPNmanager. You do this to create extranets, or VPNs between partner companies. In an extranet, each company network uses VPN components that are managed separately by their respective system administrators. If you are creating an extranet, choose Extranet device as the group's associated security gateway. Doing this enables the Extranet IP Address entry field
s VPNremote Client users who log in to the VPN through the security gateway must have their user authentication configured on the security gateway.

User objects are used for creating remote users. Those remote users connect to the VPN through an ISP (Internet Service Provider). Each user is defined by a name, a password, and a dyna policy distribution and authentication method. As a minimum, you must configure the user name and the password for each remote user. The dyna policy can be defined globally for all users on the VPN, or you can define it for individual remote users.

This chapter describes how to:
• Configure a default client configuration
• Create new remote users
• Configure a dyna policy, either global or for individual users
• Establish a path to a secure DNS server to resolve client DNS names
• Use Policy Manager to configure client IP address pools and RADIUS/ACE authentication, and create a legal notice for users
• Define the type of IKE identifier associated with a user

Default client configuration

When you create a domain with VPNmanager, a default client configuration download (CCD) is configured that can be shared by the users. Using the default client configuration makes it faster to configure new user parameters. The default configuration can be changed as required by your specific security and authentication requirements. The VPNmanager Preferences property includes three tabs: Dyna Policy Default, Users, Dyna P
s 10 seconds.

8. Click the Advanced button to configure the traceroute settings during failover. Select Enable and complete the following:
• Enable traceroute during failover: In the event of tunnel failover, leave the current remote tunnel endpoint in effect following a system reboot.
• Set consecutive no responses: The number of consecutive connectivity initiation checks without a response from the number of failed hosts specified in the failover configuration before traceroute is initiated.
• Select the target host: Click OK. The target host is the host where traceroute will be initiated.
• First Failed Host: The network host IP address specified in the failover host list. Traceroute will be initiated to the first failed host from the configured list of failover hosts.
• Host IP: The network host IP address to monitor connectivity. Traceroute will be initiated on the specified host IP address.

9. In the Reconnect area, select the appropriate failover reconnect option:
• Restore the Remote TEP on Reboot: In the event of tunnel failover, leave the current remote tunnel endpoint in effect following a system reboot. In previous releases of VPNos 4.x, a system reboot would not restore the original RTEP.
• Restore primary RTEP: In the event of tunnel failover, restore the original primary remote tunnel endpoint following a system reboot.

10. In the Hosts field, clic
s NOS image may alternately be loaded when it is desired to switch between the two NOS versions. The flash from which the security gateway is currently executing its NOS is indicated: Flash 0 or Flash 1. Additional information can be found in the Security Gateway Data portion of the security gateway General tab.

Reset password

Reset password is used to change the console password on the selected security gateway. An example of when this is used: if you were to forget the security gateway console password, you may change it using this dialog box.

Disable FIPS

This key is used to turn Federal Information Processing Standards (FIPS) mode off. FIPS indicates whether the VSU is running in the normal or FIPS level 2 mode. Avaya recommends that this mode be used only if an organization's policy requires FIPS 140-1 level 2 certification for cryptographic devices.

High Availability

This tab provides access to the High Availability (HA) functions for the security gateway, including enabling high availability, setting the public and private virtual addresses, adding security gateway members to the HA group, viewing the status of the HA group, converting a passive member to an active member, configuring member VSUs, the VRRP advertisement interval, the version number, third-party reference points for the public and private interfaces, and minimum connectivity to reference
s at the factory when it's put into the VSU. Reprogramming the flash is the only way to change the default certificate.

My Certificates

Up to eight certificates can be stored in a VSU. During IKE negotiation, a VSU sends a specified certificate to its target. Those other VSUs and clients are called targets. Likewise, the target that received a certificate must distribute its unique certificate to the sender to complete the exchange. The VSUs use the exchange to authenticate each other and to distribute their public keys.

These additional certificates can be created, then installed into a VSU. Each certificate is assigned a target; see IKE Certificate Usage on page 240 for additional information about making those assignments. A VSU only needs a single certificate to distribute its public key to multiple VSUs, but additional certificates can be created for establishing secure connections with special targets.

The process of getting a certificate for a specific VSU is illustrated in Figure 75.

Figure 75: Installing a Signed Certificate into a VSU (VPNmanager Console)

Note: For this process to work, the security gateway must have already been configured with an IP address.

Explanation for Figure 75:
1. An administrator uses VPNmanager Console to get a Certificate Request from a specific VSU.
2. The
s can be specified on each interface: Public, Private, or Tunnel. The packets are checked against the firewall rules at the interface where they are defined.

23. Select the Direction from the drop-down list.
24. Direction is in respect to the security gateway: in or out.
25. If this rule is to be logged, select the Log Enable check box.
26. If this rule is to keep state, select the KeepState Enable check box.
27. The keepstate function allows a rule set for the intended traffic to also be applied to the reply packets. The function can be applied to TCP, UDP, and ICMP packets.
28. Keepstate sets up a state table, with each entry set up by the sending side. Reply packets pass through a matching filter based on the respective state table entry. A state entry is not created for packets that are denied.
29. Click Advanced to change the default keepstate values for TCP, UDP, or ICMP.
30. Click Finish to return to the Firewall Template General tab.

Services

The Services property provides a list of predefined traffic types and user-defined traffic types that facilitate the definition of the firewall and Quality of Service (QoS) rules. For instance, you can add a user-defined service for use in firewall rules that allows or blocks a specific type of traffic.

Figure 54: Services property
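Steps 26 to 28 describe the keepstate mechanism in a few sentences; the added example below (not code from the Avaya guide or the security gateway) is a small stateful filter that shows the three rules in action: a permit rule with keepstate records an entry created by the sending side, the reply is matched against that entry rather than needing its own inbound rule, and a denied packet leaves no state behind. The addresses, ports and rule set are constructed.

```python
"""Added example, not from the Avaya guide: a toy stateful packet filter
illustrating keepstate. Rules are evaluated first-match per direction; a
permit rule with keepstate records the sending side's 5-tuple so that the
reply (endpoints swapped) is accepted by the state table. Denied packets and
packets hitting the implicit deny never create state. All sample traffic
below is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int       # 0 for icmp
    dst: str
    dport: int
    direction: str   # "in" or "out", relative to the security gateway


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str
    direction: str
    dport: Optional[int] = None  # None matches any destination port
    keepstate: bool = False


class StatefulFilter:
    STATEFUL_PROTOS = ("tcp", "udp", "icmp")   # the protocols keepstate supports

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # entries recorded by the sending side

    @staticmethod
    def _entry(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_entry(p):
        # a reply to a recorded flow has the endpoints swapped
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def check(self, p):
        """Return 'permit', 'permit (state)' or 'deny' for one packet."""
        # Reply packets pass through the matching filter based on the state entry.
        if self._reply_entry(p) in self.state:
            return "permit (state)"
        for r in self.rules:
            if (r.proto == p.proto and r.direction == p.direction
                    and r.dport in (None, p.dport)):
                if r.action == "permit" and r.keepstate and p.proto in self.STATEFUL_PROTOS:
                    self.state.add(self._entry(p))   # set up by the sending side
                return r.action                      # deny creates no entry
        return "deny"   # implicit deny, no state created


if __name__ == "__main__":
    fw = StatefulFilter([
        Rule("permit", "tcp", "out", dport=443, keepstate=True),
        Rule("deny", "tcp", "in"),
    ])
    print(fw.check(Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "out")))
    print(fw.check(Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, "in")))
    print(fw.check(Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 443, "in")))
```

The third packet in the usage block is an unsolicited inbound connection attempt: it matches no state entry, hits the explicit deny, and does not add anything to the table, which is the property that makes keepstate safe to combine with a blanket inbound deny.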
s of packets exchanged between two devices on the network.

A special VPN packet broadcast by a primary security gateway, used to facilitate the resilient tunnel function.

A key management protocol. IKE defines procedures and packet formats to establish, negotiate, modify, and delete Security Associations (SAs), and defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm, and authentication mechanism. Now combined with Oakley to form IKE.

IP Groups are a convenient means of managing your VPN resources. IP Groups are collections of IP network/mask pairs associated with security gateways, hosts, and workstations located behind the security gateway.

The network cryptographic protocols for protecting IP packets.

The key management protocol used in conjunction with IPSec.

See Certificates, Issuer.

Issue 4 May 2005 315

Terms (L to N): LAN, LDAP, Lifetime Key, LZS, Mask Pairs, MIB Enterprise, MIB II Non Enterprise, Migration, My Certificates, NAT, Not My security gateway.

LAN: Local Area Network.

LDAP: Lightweight Directory Access Protocol is a simplified version of the standard X.500 distributed directory model standard. LDAP specifies how a client accesses a directory server. LDAP has emerged as a favored protocol since it also handles key management with key an
s the appropriate IP address to route the voice packet to the correct destination.

Important: The LRQ Required functionality is available on security gateways running VPNos 4.6 and higher.

In the Service Port field, specify the H.323 protocol port. The default is 1720.

8. In the Timeout field, specify the idle timeout for the connection. Timeout is the number of seconds that the security gateway allows for inactivity on the connection. If the inactivity continues beyond the specified timeout, the connection is closed. The default is 90 seconds.

Click Next. The Source Endpoints dialog appears.
• In the Zone field, select the zone which the source endpoints are connected to. For example, if the calling trunk endpoints are connected to the public zone, select public zone for this field.
• In the Network Objects field, specify the source endpoint network object. This should be defined as a network object or network objects with IP addresses equal to the calling trunk endpoints.

Note: If the network object does not exist, cancel the configuration and create one.

Click Next. The Destination Endpoints dialog appears.
• In the Zone field, select the zone which the destination endpoints are connected to. For example, if the called trunk endpoints are connected to the private zone, select private zone for this field.

Click Add. The Add Destination Trunk dialog appears.

In the Endpoint IP field, spe
security gateways (DES or 3DES) are part of the same VPN. Having a DES proposal establishes a common ground for the two security gateways to communicate.

Add IPSec proposal

You can add up to four IPSec proposals. You determine the encryption method, the authentication method, how long a single set of cryptographic keys is used when applying VPN services to IP packets, and the order this proposal is in the list.

Field / Description

Encryption: Select one of the following types:
• DES: A common encryption algorithm not subject to export regulation.
• 3DES: A robust encryption algorithm.
• AES-128: The advanced encryption standard that uses a 128-bit block to help resist large attacks.
• Any: Accepts any encryption proposal made by the device on the other side.

Authentication: Select one of the following types:
• Any: Accepts any authentication proposal that is made by the device on the other side.
• None
• HMAC-MD5
• HMAC-SHA

Compression: Select one of the following types:
• None
• LZS: The security gateway supports IP payload compression using IPCOMP. Use of the LZS parameter improves usage of bandwidth and throughput. This is the default configuration. This parameter applies to VPN traffic only.

Lifetime: Payload key
session.

Pkts Out: Number of packets sent from this security gateway to the VPNremote Client or remote security gateway identified by Name during this session.

Bytes In: Number of bytes sent to this security gateway from the VPNremote Client or remote security gateway identified by Name during this session.

Bytes Out: Number of bytes sent from this security gateway to the VPNremote Client or remote security gateway identified by Name during this session.

Table 21: Address Table Parameters

Parameter / Description

Address Table Index: The interface on which this entry's equivalence is effective. The interface identified by a particular value of this index is the same interface as identified by the same value of ifIndex.

Physical Address: The media-dependent physical address.

Network Address: The network address (e.g., the IP address) corresponding to the media-dependent physical address.

Table 22: ipRouteTable Parameters

Parameter / Description

Destination: The destination IP address of this route. An entry with a value of 0.0.0.0 is considered a default route. Multiple routes to a single destination can appear in the table, but access to such multiple entries is dependent on the table access mechanisms defined by the network management protocol in use.

IP RouteTable Interface Index: The index value which
specified, if any tunnel mode VPNs include this security gateway.
• After creating the VPN, the exporting administrator exports the VPN configuration file and delivers it, along with the password used to protect the file, to the importing administrators.
• The importing administrators import the VPN configuration file using the supplied password.
• Finally, the importing administrators edit the alien Group, modifying the security gateway association appropriately.

The Export VPN screen appears, allowing you to select the VPN to be exported.

Once you have entered the password, click OK. The new VPN file is decoded and entered into the VPNmanager server, and the new VPN objects appear.

If any pair in the Current IP Network Mask Pairs list represents a network under your management control, associate the Group with the appropriate security gateway by modifying the Associate this Group with security gateway picklist. For Groups with network/mask pairs that are not under your management control, leave the Associate this Group with security gateway picklist as an extranet device and confirm that the Extranet IP Address entry field contains the correct IP address, especially if any tunnel mode VPNs include this security gateway. Repeat this step for all Groups in the imported VPN.

Note: For any Certificate-Based IKE extranet VPNs, verify that the proper certificates are installed on all devices.

Exporting RADIUS T
ssign ANY service and ANY network objects.

Click Next. The Source Network Objects dialog appears. Select the network object from the Available source and move it to the Members column.

Click Next. The Destination Network Objects dialog appears. Select the network object from the Available destinations and move it to the Members column.

Click Next. The Services dialog is displayed, listing the predefined and user-defined traffic types. Select the services from the Available column and move them to the Members column. Do not assign ESP or IKE as a service within a class, as these encrypted packets are assigned to all the classes based on the DSCP field of the packet.

Click Finish.

Complete the configuration of each of the classes from step 3. When the classes have been configured, click Save.

QoS mapping

QoS Mapping is the mapping of a QoS policy to a zone. A zone can map to only one QoS policy, but a QoS policy can be applied to multiple zones. When you map QoS policies, consider the following:
• If QoS is configured over multiple interfaces, the DSCP values belonging to a class for a particular zone should not belong to a different class for other zones.
• When QoS is applied over multiple zones, the QoS policies should be identical in definition of classes, DSCP, and service/network attributes. The only difference in these QoS policies should be in the bandwidth allocation percent
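The two QoS mapping considerations above are the kind of cross-zone consistency a reviewer wants checked before a policy set is pushed to devices. The added example below (not code from the Avaya guide or product) takes a zone-to-policy mapping and reports any DSCP value that falls into different classes in different zones, and any policies that differ in something other than their bandwidth allocation percent. The zone names, class contents and DSCP values are constructed.

```python
"""Added example, not from the Avaya guide: a consistency check for QoS
policies mapped to several zones.

  zone_policies = {zone_name: {"classes": {class_name: {
        "dscp": [...], "services": [...], "networks": [...], "bandwidth": int}}}}

Rule 1: a DSCP value must map to the same class in every zone.
Rule 2: policies on different zones must be identical except for 'bandwidth'.
All zone and policy data in the usage block is constructed."""


def policy_signature(policy):
    """Everything that defines a policy apart from its bandwidth percentages."""
    return {
        name: (frozenset(c["dscp"]), frozenset(c["services"]), frozenset(c["networks"]))
        for name, c in policy["classes"].items()
    }


def check_qos_mapping(zone_policies):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    zones = list(zone_policies)
    # Rule 1: track the first class each DSCP value was seen in.
    dscp_class = {}
    for zone in zones:
        for cname, c in zone_policies[zone]["classes"].items():
            for d in c["dscp"]:
                first_zone, first_class = dscp_class.setdefault(d, (zone, cname))
                if first_class != cname:
                    problems.append(
                        f"DSCP {d}: class {first_class} in zone {first_zone} "
                        f"but class {cname} in zone {zone}")
    # Rule 2: compare every policy's signature with the first zone's.
    if zones:
        reference = policy_signature(zone_policies[zones[0]])
        for zone in zones[1:]:
            if policy_signature(zone_policies[zone]) != reference:
                problems.append(
                    f"zone {zone}: class/DSCP/service/network definition "
                    f"differs from zone {zones[0]} (only bandwidth may differ)")
    return problems


def example_policy(highest_dscp, high_dscp, highest_pct, high_pct):
    """Helper to build constructed policies for the usage block and tests."""
    return {"classes": {
        "highest": {"dscp": highest_dscp, "services": ["voice"], "networks": ["phones"],
                    "bandwidth": highest_pct},
        "high": {"dscp": high_dscp, "services": ["web"], "networks": ["lan"],
                 "bandwidth": high_pct},
    }}


if __name__ == "__main__":
    ok = {"public": example_policy([46], [26], 40, 30),
          "private": example_policy([46], [26], 50, 20)}   # only bandwidth differs
    print(check_qos_mapping(ok))   # []
    bad = {"public": example_policy([46], [26], 40, 30),
           "private": example_policy([26], [46], 40, 30)}  # DSCP 46/26 swapped
    for problem in check_qos_mapping(bad):
        print(problem)
```

Because the signature comparison deliberately ignores `bandwidth`, the first mapping passes even though the two zones allocate different percentages, which is exactly the one difference the guide allows.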
sword at the start of a VPN session. The policy is automatically downloaded. The user is prompted to create a password to protect the policy.
• Check Disable Split Tunneling if users cannot browse the Internet while they are connected to the VPN.

6. If Local Authentication is used as the authentication method, in the Authentication Password text box type in a password for this VPNremote Client user.

Note: These text boxes are not available if RADIUS or LDAP authentication is used. For more information about authentication methods, see Dyna Policy Authentication tab on page 109.

7. If the User object can communicate with an extranet, click the Advanced tab to bring it to the front.

8. If the method used to identify a remote user is different than within your VPN, use the IKE identifier options to configure a method which is used in the extranet. See Exporting a VPN object to an extranet on page 158 for information about connecting to an extranet.

After configuring a User object, the user name and password pairs must be given to the VPNremote Client user.

Information for VPNremote Client users

Users who receive their Dyna Policies by the Client Configuration Download (CCD) method must have a user name and password pair. When trying to connect, they use the pair to authenticate themselves. After passing authentication, CCD is used to send the Dyna Policy to the VPNremote Client. Which pairs to use depends on the authentication
t Product Safety Standards

This product complies with and conforms to the following international Product Safety standards as applicable:
• Safety of Information Technology Equipment, IEC 60950, 3rd Edition, including all relevant national deviations as listed in Compliance with IEC for Electrical Equipment (IECEE) CB-96A.
• Safety of Information Technology Equipment, CAN/CSA-C22.2 No. 60950-00 / UL 60950, 3rd Edition.
• Safety Requirements for Customer Equipment, ACA Technical Standard TS 001-1997.
• One or more of the following Mexican national standards, as applicable: NOM 001 SCFI 1993, NOM SCFI 016 1993, NOM 019 SCFI 1998.

Electromagnetic Compatibility (EMC) Standards

This product complies with and conforms to the following international EMC standards and all relevant national deviations:
• Limits and Methods of Measurement of Radio Interference of Information Technology Equipment, CISPR 22:1997 and EN55022:1998.
• Information Technology Equipment, Immunity Characteristics, Limits and Methods of Measurement, CISPR 24:1997 and EN55024:1998, including:
  Electrostatic Discharge (ESD), IEC 61000-4-2
  Radiated Immunity, IEC 61000-4-3
  Electrical Fast Transient, IEC 61000-4-4
  Lightning Effects, IEC 61000-4-5
  Conducted Immunity, IEC 61000-4-6
  Mains Frequency Magnetic Field, IEC 61000-4-8
  Voltage Dips and Variations, IEC 61000-4-11
• Powerline Harmonics, IEC 61000-3-2
• Voltage Fluctuations and Flicker, IEC 61000-3-3
t Any is allowed. Click Save, and then click Update Devices to send the configuration change to the security gateway.

Changing device administrators' passwords

The following security gateway administrators configure and monitor the security gateway:
• Super user is the VPNmanager centralized management administrator. The VPNmanager super user has full read and write privileges to configure and monitor security gateways. The super user name and the password are entered from the VPNmanager console and are authenticated before VPNmanager is used to make configuration changes on the security gateway. For centralized management, the security gateway must have the Permit Centralized Management feature enabled. See the VPNos Configuration Guide for details.
• Root is the login name for the security gateway administrator. The root administrator has full privileges to configure and maintain a specific security gateway's network and user configuration.
• Monitor is the login name for an administrator who can view the Inspect properties and monitor sub-functions of the security gateway's interface software. The monitor user has read-only permissions.

These administrators cannot be deleted, but their passwords can be changed. Go to the Device > Management tab to change the passwords.

To reset the passwords:
1. Move to the Configuration Console window.
2. From
t box, type in any information about the security gateway.

4. When finished, click Save.

DNS tab

Use the DNS tab to define where to forward the Domain Name Service (DNS) name resolution requests from the IP devices on the private side of the security gateway.

Figure 18: DNS tab (panels: DNS Relay Configuration with Domain, Primary IP Address and Secondary IP Address; Add Static DNS Servers)

Configuring the DNS tab for security gateways at 4.3 or later

The security gateway includes a DNS name server and accepts DNS queries from devices on the private side. DHCP devices on the private side receive access to the DNS service automatically. Non-DHCP devices must be manually configured to identify the security gateway as their DNS server. The security gateway server maintains a DNS database of all DHCP clients on the private interface. Non-DHCP clients have no DNS identity.

Note: The security gateway performs DNS relay functionality only for the private zone.

To resolve DNS queries, the security gateway first consults its own database. If this is unsuccessful, the query is forwarded through the public interface. If DNS Relay Configuration domai
talled.

Click Add to open the Open dialog box.

Use the Look in list for navigating to the location of the Issuer Certificate.

Select the Issuer Certificate, then click OK to return to the Policy Manager window.

After the device has received the Issuer Certificate, the certificate appears in the Issuer Certificates list.

9. Close the window.

Repeat Step 1 through Step 7 for each device that needs to have an Issuer's Certificate installed.

Note: The certificates and procedures involved in this appendix are not related to creating a certificate-based VPN. They are only for securing the communications between the VPNmanager Console, Directory Server, and the device. For information about certificate-based VPNs, see Chapter 7, Configuring VPN objects.

Appendix B: Firewall rules template

General

The security gateway contains a powerful multi-layer inspection engine to provide extensive filtering capabilities essential for a full-time connection to the Internet. You can configure your own rules, but as a convenience in setting up the Firewall on the security gateway, predefined general firewall rules templates can be selected to protect the public, private, semi-private, DMZ, and maintenance zones. These predefined firewall rules are grouped into security levels of high, medium, and low. One firewall security level is applied to the security gateway and the
te device-level firewall rules

1. From the Configuration Console window, select View > Firewall.
2. In the Firewall tab's Firewall Global and Device area, click Device.
3. Click Add to start the Firewall Policy wizard.
4. Complete the Firewall Wizard dialog:
• In the Name text box, type a unique name that identifies the rule.
• By default, the Status is Enabled and the Action is Permit. Change these if they are not the correct settings.
• In the Memo area, type notes to describe the firewall rule (optional).
5. Click Next to display the Device dialog. Select the devices to which the rule is applied. Click Move Left to move the selected members to the Device(s) for this Rule column.
6. Click Next to display the Source dialog. Select the sources, then click Move Left to move the selected source to the Source column.
7. Click Next. From the Available Destination(s) column, select the destinations, then click Move Left to move the selected destination to the Destination column.
8. Click Next. From the Available Service column, select the services, then click Move Left. Click Next.
9. The Firewall Wizard Configuration dialog is displayed. From the Zone list, select the zone to which you want to apply this rule. For maximum flexibility and capability, the firewall rules for the security gateway can be specified for specific zones. The packets are
10. If you want this rule to be logged, select Enable Log. If you do not select Enable Log, this
te is created using an existing security gateway firewall configuration. Select the existing security gateway from the drop-down list. Using an existing security gateway configuration is also known as cloning the configuration.

None: The user-defined template is created without using a predefined template or an existing security gateway firewall configuration.

6. Click Apply.
7. To create a user-defined firewall template, type in a name for your new firewall template; otherwise, click Cancel.

Confirm that the correct user-defined firewall template is selected in the Contents column.

Click Add to open the Firewall Policy wizard.

Type a name for the new rule in the Name text box.

Select Enabled or Disabled in the Status drop-down list to enable or disable the new rule.

Select Permit or Deny in the Action drop-down list to control the flow of packets for this rule. Permit allows all packets of the selected traffic type to pass. Deny blocks all packets of the selected traffic type.

Click Next.

Select the set of sources from the available source list.

Click Next.

Select the set of destinations from the available destination list.

Click Next.

Select the set of services from the available services list.

Select the Interface from the drop-down list.

22. For maximum flexibility and capability, the firewall rule
te network infrastructure. Traffic on the semi-private interface is usually encrypted. Only one semi-private zone can be configured on the security gateway.

DMZ: The demilitarized zone (DMZ) network interface is usually used to provide Internet users with access to some corporate services without compromising the private network where sensitive information is stored. A DMZ network contains resources such as Web servers, FTP servers, and SMTP e-mail servers. Because DMZ networks are vulnerable to attack (that is, denial of service), corporations usually add additional security devices such as intrusion detection systems, virus scanners, and so on. Only one DMZ zone can be configured on the device.

Management: The management interface connection can be configured to simplify network deployments and to eliminate enterprise network dependencies on switches or routers. The management network interface is usually used as an access point for a dedicated VPNmanager management station, or as a dedicated interface for dumping log messages to a syslog server.

Options for IP addressing for interface zones

You can configure each zone with different addressing options, and the private port can be configured as a DHCP server or as a DHCP relay used to obtain IP addresses from the DHCP server (Table 7). This section explains the options in detail.

Table 7: Type of IP addressing available by zone
Zones: Public, Private, P
ter the number of minutes of inactivity before sessions time out. Default is 4 minutes.
• If Syslog services are running, enter the number of minutes the VPN session can be inactive before a Syslog message is sent. The default is 10 minutes.

7. Click OK to save your changes.

After the default parameters have been adjusted to meet your VPN's needs, users can be created.

Creating new user object

A user object is built with either a default or a custom CCD. Using a default CCD speeds up the configuration process, but the existing default CCD might not meet all of your users' requirements. The New User dialog is used to enter information about a new user. Fields are included for the new user's name, password, and confirmation of password. A default user check box is included to create a default user.

Default user

The Default User feature is normally used in conjunction with the default dyna policy to establish a common template by which a desired VPN policy type is delivered to the remote clients in the domain. Multiple default users can exist in a domain, but only one default user can exist per VPN in a domain. When a remote user is configured as a default user, the user password is not required to log in. Note that the Default User has a unique icon.

To create a new user object:
1. From the VPNmanager Console main page, click New Ob
tes are using the same private network addresses, NAT mapping must be performed on packets entering and leaving the Sales_VPN tunnel. This is required to ensure that unique host addresses are used on each side of the tunnel.

Communication between a member of the SF_Sales_Group and the server in LA_Sales_Group starts with a DNS lookup of the LA_Sales_Group server address, which in this example returns a destination address of 10.0.88.20. The SF_VSU proxy ARPs for 10.0.88.20 by sending its own MAC address in response to an ARP request. When the packet sent from 10.1.1.17 to 10.0.88.20 enters SF_VSU through the private interface, its destination address is changed from 10.0.88.20 to 172.16.1.20 by applying the NAT rule assigned to the security gateway's private interface. The SF_VSU performs a VPN lookup and determines that the packet needs to be tunneled to the LA_VSU. Since the packet is leaving the SF_VSU through the Sales_VPN tunnel, the SF_VSU applies the tunnel NAT rule to the packet's source address, changing it from 10.1.1.17 to 172.16.0.17. At this point the packet's source and destination addresses are 172.16.0.17 > 172.16.1.20. The packet is then tunneled across the public network to LA_VSU. Since the packet enters LA_VSU through a tunnel, the NAT rule on the tunnel interface is applied to the packet, changing its destinati
teway without the Local DHCP Server configuration or the DHCP Relay configuration. None is the default configuration. If None is selected and the VPNmanager is on the private side of the security gateway, then the IP address of the computer running VPNmanager should be statically or dynamically configured through other DHCP servers.

Device users tab

The Device > Device Users tab displays the device account user configuration and the VPN authentication profile associated with the device account user. The device account user acts as a proxy VPN user for all configured IP devices. You cannot delete the device account user.

Figure 24: Device Users tab (panels: Device Account User; VPN Authentication Profile with Primary Device, Backup Device and Authentication: Standard, CHAP, Rechallenge, PAP)

To add a device account user:
1. From the Configuration Console Contents column, select the device to be configured. Click the Device Users tab to bring it to the front.
2. Click on the Device Account User drop-dow
382. than a normal heartbeat request interval. Resilient Tunnel: Add resilient tunnel. There are four parameters associated with Resilient Tunnel automatic backup mode. They are:
Heartbeat Interval: the time in seconds between heartbeat request attempts made by the remote security gateway to the primary security gateway. Default is 10 seconds.
Heartbeat Retry Limit: the number of times a heartbeat request is sent by the remote security gateway before the primary security gateway is declared inactive. Default is 3 tries.
Hold Up Time: the time in seconds to wait before the remote security gateway attempts to contact the secondary tunnel endpoint security gateway. This allows for the latency of a dialup link, typically much longer than the heartbeat interval. Default is 0.
Hold Down Time: wait time between the remote security gateway determining that the primary endpoint security gateway is able to reconnect and when the switchover actually occurs. This wait time ensures that the primary security gateway is stable before switching occurs. Default is 20 seconds.
Prerequisites: security gateways for the controlling, primary and secondary end points must exist; for instructions, see Configuring a security gateway on page 57. A VPN Object that uses the controlling and primary security gateway objects must exist; for instructions, see Creating a new VPN object on page 136.
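An added illustration, mine rather than the guide's, of the four Resilient Tunnel parameters listed in item 382: it replays the remote gateway's heartbeat decision logic against a scripted outage of the primary. The heartbeat tick schedule, the rule that a failed heartbeat during hold-down restarts that timer, and the outage window are modelling assumptions, not statements from the guide.

```python
"""Remote-gateway side of Resilient Tunnel automatic backup: heartbeat,
retry limit, hold-up and hold-down, replayed against a scripted primary.
Added illustration, not Avaya code."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ResilientTunnelConfig:
    heartbeat_interval: int = 10    # seconds between heartbeat requests (guide default 10)
    heartbeat_retry_limit: int = 3  # failed requests before the primary is inactive (default 3)
    hold_up_time: int = 0           # wait before contacting the secondary endpoint (default 0)
    hold_down_time: int = 20        # primary must stay stable this long before switchback (default 20)


Event = Tuple[int, str]


def simulate(cfg: ResilientTunnelConfig, primary_reachable: Callable[[int], bool],
             duration: int) -> List[Event]:
    """Return (time, event) pairs. Modelling assumptions not spelled out in the
    guide: heartbeats go out at t = 0, interval, 2*interval, ...; a failed
    heartbeat during hold-down restarts the hold-down timer."""
    events: List[Event] = []
    active = "primary"
    failures = 0
    stable_since: Optional[int] = None
    t = 0
    while t <= duration:
        ok = primary_reachable(t)
        if active == "primary":
            failures = 0 if ok else failures + 1
            if failures >= cfg.heartbeat_retry_limit:
                events.append((t, "primary declared inactive"))
                # hold-up gives a slow (e.g. dialup) link time before failing over
                events.append((t + cfg.hold_up_time, "switched to secondary"))
                active, failures, stable_since = "secondary", 0, None
        else:
            if not ok:
                stable_since = None          # primary flapped: hold-down restarts
            elif stable_since is None:
                stable_since = t
                events.append((t, "primary reachable again, hold-down started"))
            elif t - stable_since >= cfg.hold_down_time:
                events.append((t, "switched back to primary"))
                active, stable_since = "primary", None
        t += cfg.heartbeat_interval
    return events


def outage(start: int, end: int) -> Callable[[int], bool]:
    """Scripted probe (constructed): the primary is unreachable for start <= t < end."""
    return lambda t: not (start <= t < end)


if __name__ == "__main__":
    for when, what in simulate(ResilientTunnelConfig(), outage(15, 60), 100):
        print(f"t={when:3d}s  {what}")
```

With the defaults, three missed heartbeats (t = 20, 30, 40) trigger failover at t = 40, and the switch back waits the full 20 s hold-down after the primary answers again at t = 60; a single missed heartbeat never causes a failover.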
383. the client's private address remains in effect until the client traffic is idle for a user-defined period of time. When this idle period is reached, the mapped address is returned to the pool of available addresses. When all public addresses have been assigned, no other private clients can initiate a connection to the public network until a public address becomes available. One limitation of dynamic mapping is that communication with remote hosts on the public network can only be initiated from clients on the private network. If communication initiated from either the public or private side is required, static address mapping must be used. Static address mapping permanently maps private addresses to their corresponding public addresses, thereby allowing communication between clients and hosts to be initiated from either the private or public network. Setting up VPN with overlapping private addresses: Figure 29 shows an example of using NAT to set up VPNs between two sites that use the same private network addresses while still allowing private network connections to the Internet. Three NAT rules are applied to each security gateway: one on the private interface, one on the public interface and one on the VPN tunnel. A DNS entry is also required for each host that can be reached through the tunnel. The tunnel-mode VPN named Sales_VPN provides a secure connection between the SF_Sales_Group and LA_Sales_Group over the public network. Since both si
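As an added example (mine, not the guide's), the Sales_VPN packet walk described in items 380 and 383 traced through the per-interface NAT rules of both gateways, including the inverse mappings that static NAT provides so the reply can come back. The SF_VSU rules and addresses are the guide's; the LA-side rules (the LA server really being 10.1.1.20, and LA reaching SF hosts through the alias network 10.0.99.0/24) are constructed because the guide's text is cut off there, and the public-interface rule for Internet access is omitted.

```python
"""Trace packets through the per-interface NAT rules of two security gateways
whose sites use overlapping private address space (the Sales_VPN example).
Added illustration, not Avaya code."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    gateway: str     # e.g. "SF_VSU"
    interface: str   # "private", "public" or "tunnel"
    direction: str   # "in": packet enters the gateway here; "out": it leaves here
    field: str       # header field rewritten: "src" or "dst"
    from_net: str    # addresses the rule matches
    to_net: str      # network they are rewritten into (host part is kept)

    def inverse(self) -> "NatRule":
        """Rule that undoes this mapping for the reply on the same interface."""
        return NatRule(self.gateway, self.interface,
                       "out" if self.direction == "in" else "in",
                       "dst" if self.field == "src" else "src",
                       self.to_net, self.from_net)


def translate(addr: str, from_net: str, to_net: str) -> Optional[str]:
    """Static 1:1 mapping of addr from from_net into to_net; None if addr is
    outside from_net. Host bits are preserved (10.0.88.20 -> 172.16.1.20)."""
    a, src, dst = IPv4Address(addr), IPv4Network(from_net), IPv4Network(to_net)
    if a not in src or src.prefixlen != dst.prefixlen:
        return None
    host_bits = int(a) & int(src.hostmask)
    return str(IPv4Address(int(dst.network_address) | host_bits))


Hop = Tuple[str, str, str]   # (gateway, interface, direction)


def apply_hop(rules: List[NatRule], pkt: Packet, hop: Hop) -> Packet:
    """Apply every rule bound to this gateway interface and direction."""
    for r in rules:
        if (r.gateway, r.interface, r.direction) != hop:
            continue
        new = translate(getattr(pkt, r.field), r.from_net, r.to_net)
        if new is not None:
            pkt = replace(pkt, **{r.field: new})
    return pkt


def trace(rules: List[NatRule], pkt: Packet, path: List[Hop]) -> List[Tuple[str, Packet]]:
    """Return the packet as seen after each hop of the path."""
    steps = [("origin", pkt)]
    for hop in path:
        pkt = apply_hop(rules, pkt, hop)
        steps.append((" ".join(hop), pkt))
    return steps


# Rules from the guide's example: at SF the LA server is reached via the alias
# 10.0.88.20; SF hosts cross the tunnel as 172.16.0.x, LA hosts as 172.16.1.x.
FROM_GUIDE = [
    NatRule("SF_VSU", "private", "in", "dst", "10.0.88.0/24", "172.16.1.0/24"),
    NatRule("SF_VSU", "tunnel", "out", "src", "10.1.1.0/24", "172.16.0.0/24"),
]
# Constructed assumptions (the guide's text is cut off here): the LA server
# really is 10.1.1.20, overlapping SF's 10.1.1.0/24, and LA reaches SF hosts
# through the alias network 10.0.99.0/24.
ASSUMED = [
    NatRule("LA_VSU", "tunnel", "in", "dst", "172.16.1.0/24", "10.1.1.0/24"),
    NatRule("LA_VSU", "private", "out", "src", "172.16.0.0/24", "10.0.99.0/24"),
]
FORWARD = FROM_GUIDE + ASSUMED
# Static mappings work in both directions (item 383), so every rule also
# gets its inverse; that is what lets the LA server answer.
RULES = FORWARD + [r.inverse() for r in FORWARD]

SF_TO_LA: List[Hop] = [("SF_VSU", "private", "in"), ("SF_VSU", "tunnel", "out"),
                       ("LA_VSU", "tunnel", "in"), ("LA_VSU", "private", "out")]
LA_TO_SF: List[Hop] = [("LA_VSU", "private", "in"), ("LA_VSU", "tunnel", "out"),
                       ("SF_VSU", "tunnel", "in"), ("SF_VSU", "private", "out")]


def sales_vpn_roundtrip() -> Tuple[List[Tuple[str, Packet]], List[Tuple[str, Packet]]]:
    """Request from SF host 10.1.1.17 to the alias 10.0.88.20, and the LA reply."""
    request = trace(RULES, Packet("10.1.1.17", "10.0.88.20"), SF_TO_LA)
    last = request[-1][1]
    reply = trace(RULES, Packet(last.dst, last.src), LA_TO_SF)
    return request, reply


if __name__ == "__main__":
    for leg in sales_vpn_roundtrip():
        for where, p in leg:
            print(f"{where:22s} {p.src} -> {p.dst}")
        print()
```

Inside the tunnel the request is 172.16.0.17 -> 172.16.1.20 exactly as the guide states, and the reply reaches the SF host as 10.0.88.20 -> 10.1.1.17, so each site keeps seeing the other through its own alias addresses.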
384. the intended traffic to also be applied to the reply packets. This function can be applied to both TCP and UDP packets. Keep State sets up a state table, with each entry set up by the sending side. Reply packets pass through a matching filter based on the respective state table entry. Note: although UDP is connectionless, if a packet is first sent out from a given port, a reply is expected in the reverse direction on the same port. Keep State essentially remembers the port and lets the replying packet enter on the same port. Source Port: appears when User-defined TCP or User-defined UDP selections are made. Select the Range (Any or User-defined), then enter the from and to values. The port range is inclusive. If you want to choose a single port, simply specify the same port as both start and end port. You can also choose an operator on the port range: one operator means in the port range and the other means out of the port range. Destination Port: appears when User-defined TCP or User-defined UDP selections are made. Select the Range (Any or User-defined), then enter the from and to values. The port range is inclusive. If you want to choose a single port, simply specify the same port as both start and end port. You can also choose an operator on the port range: one operator means in the port range and the other means out of the port range. Comparator: permits a logical include or exclude operation on the range entered. For example, if you want to b
385. this route was last updated or otherwise determined to be correct. Note that no semantics of "too old" can be implied except through knowledge of the routing protocol by which the route was learned. Route Mask: indicates the mask to be logically ANDed with the destination address before being compared to the value in the ipRouteDest field. For those systems that do not support arbitrary subnet masks, an agent constructs the value of the ipRouteMask by determining whether the value of the corresponding ipRouteDest field belongs to a class A, B or C network and then using one of the masks 255.0.0.0 (class A), 255.255.0.0 (class B) or 255.255.255.0 (class C). If the value of the ipRouteDest is 0.0.0.0 (a default route), then the mask value is also 0.0.0.0. It should be noted that all IP routing subsystems implicitly use this mechanism. (3 of 4) Table 22: ipRouteTable Parameters (continued). Parameter / Description. Metric 5: an alternate routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route's ipRouteProto value. If this metric is not used, its value should be set to -1. Route Info: a reference to MIB definitions specific to the particular routing protocol which is responsible for this route, as determined by the value specified in the route's ipRouteProto value. If this informati
386. tible clients. Every Signed Certificate identifies which Public Key Infrastructure (PKI) System has signed it. However, targets must use a method to authenticate every Signed Certificate they receive. An Issuer Certificate may be called a Signing Certificate or Certification Authority (CA) Certificate. Targets use an Issuer Certificate to authenticate a Signed Certificate. Therefore, the Issuer Certificate must be from the same PKI System as the Signed Certificate, which was signed by the issuer's private key. Figure 78 illustrates how Issuer Certificates fit in the scheme of signed certificate exchange. Policy Manager, My Certificates. Figure 78: Issuer Certificates [diagram: VSU A, a target of VSU A, and the PKI System; captions: targets use Issuer Certificates to authenticate Signed Certificates they receive; the Issuer Certificate must be from the same PKI System that created the Signed Certificate; Issuer Certificates are stored on targets]. Explanation for Figure 78:
1. A Certificate Request from VSU A is sent to a PKI System to be signed.
2. The PKI uses the Certificate Request to create a Signed Certificate specifically for VSU A. The Signed Certificate is then stored on VSU A.
3. Every target of VSU A must have VSU A's Signed Certificate. Note: the target uses an Issuer Certificate to authenticate VSU A's Signed Certificate. The Issuer Certificate must be from the same PKI whic
387. tication and filtering tasks at the boundary of the VPN. After the security gateway is installed and configured, the security gateway is transparent to users who are logged into the VPN. Overview of implementation. VPNremote Client software: VPNremote Client software is a communications application that runs on remote computers that use dialup, DSL and cable connections supplied by Internet Service Providers (ISPs) to connect to the corporate VPN. When communicating with a VPN, the software seamlessly performs authentication and cryptography tasks. To install and use the software, an account with an ISP must first be created. The software is installed on the remote user's computer, and then Client Configuration Download (CCD) can be used to configure the remote user's Dyna-Policy for authentication to a specific VPN. When remote users log in, they connect to the ISP and type in their user authentication information if asked. Upon authentication, any traffic that uses the VPN is safely encrypted as it is transported through the public networks. VPNmanager software: VPNmanager software lets network managers define, configure and manage VPN and firewall policies, upgrade firmware, and manage remote user access policies from a central location. The VPNmanager software combines two components: the VPNmanager Console and the policy server.
- The VPNmanager Console is a client that is used for configuring, managi
388. time.
- Click Add to open the Add IPSec Proposal dialog box.
- From the Encryption drop-down list, select the type of encryption to be applied to packet payloads:
  - Null: the payload is not encrypted, but AH/ESP headers are included. Used by engineers for packet analysis.
  - DES: single DES encryption is applied to the payload.
  - 3DES: triple DES encryption is applied to the payload.
  - AES-128: AES 128 advanced encryption is applied to the payload.
  - RC5: applies RC5 encryption.
  - Any: let the security gateways negotiate which encryption method to use.
Configuring an IKE VPN.
- From the Authentication drop-down list, select the type of authentication to use:
  - None: packets are not authenticated.
  - HMAC-MD5: packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Message Digest 5 (MD5) hash function.
  - HMAC-SHA: packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Secure Hash Algorithm (SHA). SHA is considered to be a stronger authentication algorithm than MD5.
  - Any: the security gateways negotiate which encryption method to use.
- Use the Lifetime text boxes and lists to control the period for creating and exchanging a new set of unique keys. If the time-based value expires before the throughput value, key creation and exchange is performed
389. tion different from log action) and the rule action is declared to be pass, a log entry is generated for each packet that matches the rule. Pass Log Out: number of outbound packets that were allowed to pass which have been logged. When a filtering rule is declared using the log option (different from log action) and the rule action is declared to be pass, a log entry is generated for each packet that matches the rule. Block Log In: number of inbound packets not allowed to pass which have been logged. When a filtering rule is declared using the log option (different from log action) and the rule action is declared to be block, a log entry is generated for each packet that matches the rule. Block Log Out: number of outbound packets not allowed to pass which have been logged. When a filtering rule is declared using the log option (different from log action) and the rule action is declared to be block, a log entry is generated for each packet that matches the rule. No Match Log In: number of inbound packets on a given interface that did not match any filtering rule and were subsequently logged, regardless of whether or not the packet was ultimately passed or blocked per the interface's default rule. No Match Log Out: number of outbound packets on a given interface that did not match any filtering rule and were subsequently logged reg
390. tion. Device Group: you can group devices and assign users to those specific devices. QoS: you create a quality of service (QoS) policy to classify and prioritize traffic based on a DSCP value and TCP/IP services and networks. Admin: you can configure VPNmanager administrators and assign administrative roles. Failover: you can configure up to five IP addresses for tunnel end points (TEP) and properties for failover reconnection. Converged Network Analyzer (CNA) Test Plug: you can configure the CNA test plug feature to monitor your network in real time to detect and diagnose converged network related issues. (2 of 2) Edit menu: from Edit you can choose one of the following commands.
- Delete Object: select an object from the VPN diagram and then select Edit > Delete Object.
- Modify Object: select an object from the VPN diagram and then select Edit > Modify Object.
- Preferences: Edit > Preferences brings up a window with tabs to select from. See Preferences on page 48 for a description of the tabs and how to configure VPNmanager preferences.
View menu: from View you can select to view the Configuration, the Monitoring Screen or the Report Wizard.
- Configuration: select View > Configuration to open the Configuration Console, or you can click the Config icon on the toolbar. From the Configuration Console you can configure and modify the VPN network. See Configuration Console window on page 44.
- M
391. tion, Service, Direction, Zone, Keep State, Description.
InBoundDMZBlockAll: Deny; Source Any; Destination Any; Service Any; In; DMZ; Keep State No. Deny the rest of the traffic.
OutBoundDMZAccess: Permit; Source Any; Destination DMZNet; Services ICMPEchoReq (PING), FTP-Ctrl, PassiveFTP, SSH, TELNET, HTTP, HTTPS, DNS-TCP, DNS-UDP, POP3, IMAP, SMTP, NNTP; Out; DMZ; Keep State Yes. Permit outgoing traffic with the listed services.
OutBoundDMZBlockAll: Deny; Source Any; Destination Any; Service Any; Out; DMZ; Keep State No. Deny the rest of the traffic.
Management zone security: the Management interface connection can be configured to simplify network deployments and to eliminate enterprise network dependencies on switches or routers. The Management zone is a trusted network similar to the Private zone. Outgoing traffic is allowed but incoming traffic is restricted. Only traffic initiated by the security gateway is allowed. High, medium and low security rules are the same. Incoming: all traffic is allowed to come in from the management network. Outgoing: only packets from the Management IP to the Management zone are allowed. Table 43: Management high, medium and low security firewall rules (Rule Name, Action, Source, Destination, Service, Direction, Zone, Keep State).
InBoundManagementInterfacePermitAccess: Permit; Any; ManagementIP; Any; In; Management; No.
InBoundManagementPermitAll: Permit; Any; Any; Any; In; Management; Yes.
OutBoundManagementInterfaceAc
392. tion provided from the overviewStatTable in the MIB. Ethernet Statistics displays information provided from the etherStatTable in the MIB. VPN Statistics displays information provided from the vpnStatTable in the MIB. IfTable displays information from the ifTable from RFC 1213. Compression displays information provided from the compression group in the MIB. QoS Statistics displays information provided from the qosStatTable in the MIB. Event Log displays information provided from the eventLogTable in the MIB. Network Test Probe displays information provided from the netTestProbeResultTable in the MIB. VSU System displays information provided from vsuSystem in the MIB. Monitoring your network: the following tables detail the individual enterprise MIB items in each of the monitoring groups. Table 18: Log Group Parameters (Parameter, Description). Log Index: an integer identifying this row in the Log table. Time: sysUpTime value when this attack occurred. Attack Type: indicates the reason that the packet was registered in the attack log. Six identifier types are reported:
- 1, SKIP header error: the packet was not IPSec AH or IPSec ESP.
- 3, SKIP algorithm mismatch: the parameters of the VPN that this packet belongs to do not match the VPN parameters in the SKIP header.
- 4, SKIP authentication error: the authentication key in the offending packet was not correct. This type of attack results in an auth
393. to government regulation. Contact Avaya VPN Support for a current list of controlled and uncontrolled applications and territories. Authentication Algorithm: select one of the following types:
- MD5 (RFC 1321)
- SHA1
- Any: accepts any authentication proposal that is made by the device on the other side.
IKE VPNs use either an ESP trailer, as defined in RFC 2406, or AH, as defined in RFC 2402, to authenticate IP packets. Using the VPN tabs (Field, Description). Lifetime: payload key lifetime defines the extent to which a single set of cryptographic keys is used when applying VPN services to IP packets. Lifetimes are either time-based or based on throughput. Time-based lifetimes are based on the amount of time that the keys are used without a key change. Throughput lifetimes are defined by the amount of data that is acted on by a set of keys. The more often a key is changed, the more secure the system; however, frequent key changes can affect system performance. Enter a numerical value and select a unit of measure for both time-based and throughput lifetimes. Whichever occurs first triggers the new key. Note: for time-based lifetime, the following are the minimum values in each category: Day 1, Minutes 1 and Seconds 60. Diffie-Hellman Group: Diffie-Hellman groups define the cryptographic key strengths used during IKE negotiations
394. to-site operation, the VSU100R is provided with additional functionality to support dial-in VPNremote clients. To use this facility, Remote Access must be enabled. Note: you are required to enter a valid license registration number to activate this option. Should you miskey the number, a "Registration number invalid" message appears. Other error messages may also appear if the VSU is not reachable. Upgrading firmware and licenses. Appendix A: Using SSL with Directory Server. As an added benefit, all communications with the Directory Server can be secured by SSL (Secure Sockets Layer). In order to enable SSL, a Public Key Infrastructure (PKI) is used for creating a signed certificate and an issuer's certificate. Both signed certificates are then installed on the server. The issuer's certificate is then installed in the policy server, the VPNmanager Console and the devices belonging to the VPN domain. The PKI can be owned and operated by a third party, called a Certification Authority, or it can be owned and run by your organization. After the certificates are installed, the policy server and the VPNmanager Console are started, and during login SSL services are started. Figure 88: Installing Certificates for Running SSL [diagram of the issuer and signer certificates being installed on the VPNmanager and the Directory Server]. Explanation for F
395. to the front. In the Default Gateway area, select the Enable box to enable the default gateway. Enter the IP Address for the default gateway. In the Use This Gateway For area, select one of the following:
- Decrypted Traffic
- Non-VPN Traffic
Select the Enable VPN Traffic Auto Forwarding box to disable traffic auto forwarding. If an SG receives a VPN packet that is not destined for the protected network, the SG will automatically forward this packet to the configured remote TEP. By default the Enable VPN Traffic Auto Forwarding box is selected (checked). To disable the automatic forwarding of packets, the Enable VPN Traffic Auto Forwarding box should be unchecked. When VPN traffic auto forwarding is disabled, the SG will divert the packets to the private interface. By redirecting the packets to the private interface, the packets can be monitored by Intrusion Detection System software before sending the packets to the remote TEP on the private network. Before disabling VPN traffic auto forwarding, confirm that a VTDR or static route is configured on the private interface. If a VTDR is not configured on the private interface, the redirected packet will not be sent back to the SG to be forwarded to the remote TEP. In the Static Routes area, click Add to start the Static Route Configuration Wizard. Note: configure Static Route for security gateways with VPNos 4.4 and below. In the IP Address of Next Hop field, type in the address
396. tomatically create a secret, click Auto-generate. Click OK. Note: Modify Secret is only available when creating a VPN based on Preshared Secret. Click the Security (IPSec) tab to bring it to the front. The Security (IPSec) tab is used to set up the desired IPSec protocol information parameters relating to the payload that the VPNs use. Two sets of options are available: the IPSec options control packet alteration, and the IPSec Proposal options are used to create up to four different proposals for payload encryption and authentication. Use the LZS list for applying compression to packet payloads. According to RFC 2395 (IP Payload Compression using LZS), experiments have shown that the LZS algorithm compressed a 64-byte file to 85% of its original size, while a 16384-byte file was compressed to 47% of its original size. Whether or not your network benefits from compression depends on what is typically transported; for example, video and sound traffic are already compressed, so additional compression has little effect and may load the security gateway.
- Select Yes to apply compression.
- Select No to not apply compression.
Use the Perfect Forward Secrecy list to control key creation. Configuring VPN objects. Perfect Forward Secrecy (PFS) is a key creation method used for assuring that a new key is not related to any previous keys. This is done by using key creation values
397. ts, 114; running, 249; services, about, 248; Syslog Policy, add, 249; Syslog Facility, 248; Syslog Host Name/IP Addr, 248; Syslog Port, 248; Syslog Send from, 248; Syslog Type, 248; System Group parameters, 252. T: Target Type drop-down list, 243; (illegible), 28, 174; technical support, 19; telephone, configure IP telephone, 72; Templates, Firewall Policy Management, 169; templates, firewall, 44, 297; TEP policy, detailed description, 209; terminal equipment to a VPN, adding, 97; Topology, VPN Access Control, One-armed Remote Tunnel option, 84; TOS marking, 193; traffic, non-VPN filtering, 192; non-IP filtering, 192; Transport mode, SKIP VPNs in, 133; transport mode, 134; Transport radio button, 150; tunnel interface NAT, 94; Tunnel mode, IKE VPN in, 134; SKIP VPN in, 133; tunnel mode, 134; Tunnel radio button, 150; Type of Service field, marking the, 193. U: UDP port (illegible), 126; UNIX login (illegible)
398. ublic backup, Semi-private, DMZ, Management. [Table of address modes per zone; rows under Address assigned: Static, DHCP Client, PPPoE; rows under Server modes: Static, DHCP Server, DHCP Relay, H.323; the per-zone support marks are not recoverable from the extraction.] The DHCP Client for the private zone is for SG5, 5X, 200 and VSU5, 5X, 500 bootcode only. Static addressing: use static addressing if a dedicated IP address should be assigned to the public interface of the security gateway. To configure static addressing, complete the following information (Field, Description). IP Address: the public IP address that is assigned to the security gateway. Network Mask: the subnet mask. Route: the IP address of the gateway router to the Internet. DHCP addressing: use DHCP addressing if the gateway obtains its IP address dynamically from the internet service provider (ISP). This can be configured for public backup. Point-to-Point Protocol over Ethernet (PPPoE) Client: use PPPoE Client addressing as a convenient way to connect the public or public backup zone of the security gateway to the Internet if your ISP supports PPPoE addressing. PPPoE Client addressing requires user authentication. To configure PPPoE addressing, complete the following information (Field, Description). PPPoE User: account user name
399. udes the CRL list. Click the Advanced tab. Clear the CRL checking box. Click Update Devices. Exporting a VPN object to an extranet: exporting a VPN object is a feature used for interconnecting VPN domains. Each domain views other domains as extranets. Figure 51: Exporting a VPN Object to an Extranet [diagram; captions: Domain A created the VPN Object that was exported to extranet Domain B. This method allows members of VPN Object A and VPN Object B to privately share network resources and communicate. Domain A contains VPN Object A, IP Group Object A, IP Group Object B, Device Object A and Extranet Device B. IP Group Object B is configured with Device Object B, but Device Object B does not get exported to Domain B. IP Group Object B is configured with an Extranet Device. The device is configured with the IP address of Device Object B. VPN Object A is built with IP Group A and IP Group B. IP Group A is configured with IP address masks for terminal devices in Domain A, and IP Group B is configured with IP address masks for terminal devices in Domain B. VPN Object A is exported to Domain B. Domain B contains VPN Object A, IP Group Object A, IP Group Object B, Device Object B and Extranet Device A. Device Object A is configured from Domain A. The Extranet Device and Device Object have the same IP addresses th
400. ued (Parameter, Description). Bad State Alloc In: number of failed attempts to allocate State table entries for inbound packets. This occurs when a filter rule is declared using the keep state option. Packets that match the rule cause a State table entry to be allocated. This allows expected return packets to bypass other filtering rules that might normally block them. Allocation fails if the State table is full and a new entry cannot be allocated. Bad State Alloc Out: number of failed attempts to allocate State table entries for outbound packets. This occurs when a filter rule is declared using the keep state option. Packets that match the rule cause a State table entry to be allocated. This allows expected return packets to bypass other filtering rules that might normally block them. Allocation fails if the State table is full and a new entry cannot be allocated. Keep State Alloc In: number of successful attempts to allocate State table entries for inbound packets. This occurs when a filter rule is declared using the keep state option. Packets that match the rule cause a State table entry to be allocated. This allows expected return packets to bypass other filtering rules that might normally block them. Keep State Alloc Out: number of successful attempts to allocate State table entries for outbound packets. This occurs when a filter rule is declared using the keep state option. P
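An added example (mine, not the guide's code) tying together the Keep State behaviour of item 384 and the Keep State Alloc / Bad State Alloc counters of item 400: a stateful filter with a bounded state table run over constructed traffic on documentation addresses. The rule set, the two-entry capacity and the state_hit counter are my assumptions, chosen to make the full-table failure mode visible.

```python
"""Keep State filtering with a bounded state table and the counters the
filter statistics report (Keep State Alloc, Bad State Alloc, No Match).
Added illustration, not Avaya code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out": leaving the protected network; "in": entering it


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp" or "any"
    direction: str              # "in" or "out"
    dport: Tuple[int, int]      # inclusive destination port range; (p, p) for one port
    comparator: str = "in"      # "in": port inside the range, "out": port outside it
    keep_state: bool = False    # remember the flow so the reply is passed

    def matches(self, p: Pkt) -> bool:
        if self.direction != p.direction or self.proto not in ("any", p.proto):
            return False
        lo, hi = self.dport
        inside = lo <= p.dport <= hi
        return inside if self.comparator == "in" else not inside


StateKey = Tuple[str, str, int, str, int]


def state_key(p: Pkt) -> StateKey:
    """Flow key as seen from the protected side, so the reply (same ports,
    reversed direction) maps onto the entry the outgoing packet created."""
    if p.direction == "out":
        return (p.proto, p.src, p.sport, p.dst, p.dport)
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFilter:
    def __init__(self, rules: List[Rule], state_capacity: int,
                 default_action: str = "block") -> None:
        self.rules = rules
        self.capacity = state_capacity          # constructed limit on state entries
        self.default_action = default_action    # the interface's default rule
        self.state: Set[StateKey] = set()
        self.counters: Dict[str, int] = {name: 0 for name in (
            "keep_state_alloc_in", "keep_state_alloc_out",
            "bad_state_alloc_in", "bad_state_alloc_out",
            "state_hit_in", "state_hit_out", "no_match_in", "no_match_out")}

    def filter(self, p: Pkt) -> str:
        key = state_key(p)
        if key in self.state:            # reply of a remembered flow bypasses the rules
            self.counters["state_hit_" + p.direction] += 1
            return "pass"
        for r in self.rules:             # first matching rule decides
            if not r.matches(p):
                continue
            if r.action == "pass" and r.keep_state:
                if len(self.state) < self.capacity:
                    self.state.add(key)
                    self.counters["keep_state_alloc_" + p.direction] += 1
                else:                    # table full: this packet passes, its reply will not
                    self.counters["bad_state_alloc_" + p.direction] += 1
            return r.action
        self.counters["no_match_" + p.direction] += 1
        return self.default_action


def run_scenario() -> Tuple[List[str], Dict[str, int]]:
    """Constructed traffic (documentation addresses) through a small policy."""
    fw = StatefulFilter([
        Rule("pass", "udp", "out", (53, 53), keep_state=True),        # DNS queries
        Rule("pass", "tcp", "out", (443, 443), keep_state=True),      # HTTPS
        Rule("block", "tcp", "out", (1, 1023), comparator="out"),     # ports outside 1-1023
    ], state_capacity=2)
    inside, dns, web = "192.0.2.10", "198.51.100.53", "203.0.113.8"
    traffic = [
        Pkt("udp", inside, 40000, dns, 53, "out"),    # query: passes, state allocated
        Pkt("udp", dns, 53, inside, 40000, "in"),     # reply: passes via the state entry
        Pkt("udp", dns, 53, inside, 41000, "in"),     # unsolicited: no rule, default block
        Pkt("tcp", inside, 50000, web, 443, "out"),   # HTTPS: second (last) state entry
        Pkt("udp", inside, 40001, dns, 53, "out"),    # table full: Bad State Alloc Out
        Pkt("udp", dns, 53, inside, 40001, "in"),     # its reply has no entry: blocked
        Pkt("tcp", inside, 50001, web, 8080, "out"),  # 8080 is outside 1-1023: blocked
    ]
    return [fw.filter(p) for p in traffic], fw.counters
```

A rising Bad State Alloc count therefore shows up operationally as replies to otherwise permitted UDP flows being dropped at the default rule, which is the symptom to look for when the counter climbs.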
401. up Wizard.
3. Select the device Actions tab.
4. Click the Import Configuration button.
Ethernet Speed: the Ethernet Speed button only appears when a VSU10000 is the selected device. The Ethernet Speed button allows the VPNmanager to configure the Ethernet speed on a per-port basis. When the Ethernet Speed button is selected, there is a short delay in presenting the Ethernet Speed dialog box. This delay is due to VPNmanager trying to contact the security gateway to retrieve the current port speed settings. When the VPNmanager has retrieved the current speed settings, the Ethernet Speed dialog box displays the public port settings by default. The current private port settings are displayed at the top of the Ethernet Speed dialog box. Port: select the public or private port to configure the port speed of the selected security gateway. Set Speed: configure the Ethernet speed by selecting one of the following speed options. Note: when selecting the port speed, be sure to select a speed that is supported by the host PC. If the host PC does not support the selected speed, the VPNmanager loses connectivity to the security gateway. Auto-Negotiate: auto-negotiation allows the security gateway's Ethernet port and host PC to automatically select the correct port speed and duplex mode to be used between the two ports. 1000 Mbps Full Duplex: this option allows the VPNmanager to configure the security gateway's Ethernet port speed to
402. urity Gateways and FTP; Firewall templates; Predefined templates; User-defined templates. Contents: Services, 172; Device Group, 173; Denial of Service, 173; Voice over IP, 175; Using the IP Trunking Call Model, 175; Using the LRQ Required checkbox of the IP Trunking Call Model, 176; Using the Gatekeeper Routed Call Model, 178; Add gatekeeper settings, 179; QoS policy and QoS mapping, 180; QoS policy, 180; QoS Mapping, 184; Packet Filtering, 184; What can be filtered, 185; Packet Filtering and NAT, 185; (illegible), 186; Permit/Deny non-VPN traffic radio buttons, 186; Add Packet Filtering Policy, 187; (illegible), 188; (illegible), 189; The Filtering Policy in progress
403. urity gateway. All other information that is displayed is view-only. Using Device tabs to configure the security gateway. Figure 17: Device General tab [screenshot of the Device General tab; fields shown: Directory Name; Device Data (IP Address/DNS Name, IP Default Route, IP Mask, MAC Address, Device Type, Device Firmware Version, Certificate Name); IP Group Associated with this Device]. Directory Name: the directory name is the location of the security gateway in the directory tree structure. The security gateway name is unique within the VPN domain to which it is assigned. VPN Mode: the VPN mode can either be VPN Gateway or User VPN. In the VPN Gateway mode, the security gateway is configured in a site-to-site VPN. The VPNmanager can manage the device in the VPN Gateway mode. In the User VPN mode, the security gateway connects to the head-end device to download the VPN policies through CCD. The VPNmanager cannot manage the device in the User VPN mode. IP Address/DNS Name: VPNmanager uses t
404. used. The default value is 514 for UDP.
13. When you want to send the configuration to the security gateway, click Update Devices from the VPNmanager Console.
Using Monitor: when the Monitor button on the Main Console screen is selected, the Monitoring Wizard is launched. This wizard facilitates quick and easy construction of the desired presentation format and VPN information you wish to monitor. Once this setup is completed, the data and its presentation type are displayed on your VPNmanager console screen and dynamically updated at your specified intervals. A hardcopy can be printed on demand. Enterprise MIB: monitoring is accomplished by selecting specific MIB objects from MIB-II and the VPNet Enterprise MIB within the VSUs or SGs. These individual items are assembled into preconfigured report groups for convenience. Individual parameters are also available for creating custom monitoring groups. Monitoring wizard: the Monitoring wizard is designed to help you quickly set up the VPN objects and parameter groups you wish to monitor and the format most appropriate for displaying the information produced. The first Monitoring wizard dialog allows you to perform a high-level selection of the domain and VPN(s), then to choose specific network devices within the VPN. You can also select a monitoring group, which is a predefined suite of VPN parameters to monitor.
405. ver. Previous or older versions of the firmware can be deleted from the firmware library repository on the policy server. Upgrading firmware and licenses.
- Upgrade Options: the upgrade options are:
  - Skip devices that are up to date: this option is the default setting. The devices that are up to date will not display in the upgrade list. If a device should be downgraded, this option must be unchecked to view all devices in the upgrade list.
  - Prompt for reboot: this option is not the default setting. All devices selected in the upgrade list to be upgraded will reboot when the upgrade is completed. All devices must be rebooted in order for the upgrade to take effect.
- Upgrade Devices: the Upgrade Devices button activates the upgrade wizard. Use the upgrade wizard to walk you through the steps to upgrade using the centralized firmware management feature. Note: the Upgrade Devices wizard does not allow downgrading of devices.
To upgrade the firmware using centralized firmware management:
1. From the Configuration Console, click the Upgrade Firmware button.
2. The Device Inventory dialog appears.
3. Select the Upgrade Devices button to begin the Upgrade Devices wizard.
4. Select the device(s) to be upgraded from the Available Devices column.
5. Click the Move Left button to move the selected devices into the Device(s) to Upgrade column.
6. Click Next to review the pending device(s) upgrade.
7. Click Upgrade to compl
406. The VPNmanager provides predefined services. The supported predefined services are listed in the Contents column of the Services object.

The predefined services can be used as a general service set or as a starting point for creating a customized or user-defined service that is required for use in the firewall definition. The service types IP, TCP, UDP and ICMP are provided, and parameters for each of these types can be specified in the user-defined service. A comprehensive suite of UDP, TCP and ICMP filter options is provided. One or more predefined services can be specified in each firewall rule using the firewall wizard.

Note: The predefined services can be used as a basis for user-defined services; however, the predefined services cannot be modified.

To create a user-defined service, click New Object > Services.

Device Group

Device groups help to minimize firewall configuration complexity by allowing network administrators to create groups of devices that share a common firewall configuration.

To create a device group object:

1. Move to the Configuration Console window.
2. From the Objects column, select Device Group.
3. Click New Object to start the New Device Group Wizard.
4. In the Name text box, type in a name for your new Device Group.
5. Click Apply.
6. To create another De
407. vice Group, type in a name for your new Device Group; otherwise click Close.
7. Select the devices to be included in the Device Group from the Available Members column.
8. Click Move Left to move the selected members from the Available Members column to the Group Members column.

Denial of Service

For servers running VPNos 4.2, configure the DoS settings to protect the security gateway from attacks by hackers. A domain has default Denial of Service (DoS) configuration settings that apply to all the devices in the domain. These settings can be seen from the Firewall Objects Denial of Service tab.

The security gateway object's Denial of Service tab is used to change the settings for specific devices. Changing the settings here overrides the domain-level settings for that category. When devices are updated, the DoS categories at the device level and the remaining DoS categories from the domain level are sent to the device.

Figure 55: Denial of Service (screenshot of the Denial of Service tab, Add Settings panel)

You can enable protection for the following seven areas of attack:

Ping of Death. The ping of death sends packets with
408. vides access to global settings for both the machine on which the VPNmanager resides and the domain currently in focus. Preferences is located in the Edit menu in the VPNmanager Main Console. When you select Preferences, a series of tabs is displayed. A short description of the tabs follows.

General tab

The Preferences General tab is used to set how you want to save changes on the VPNmanager. You can choose either Save configuration changes automatically or Alert me before saving configuration changes.

Figure 10: Preferences General Tab (screenshot; dialog tabs: Advanced, Remote Client, Alarm Monitoring, TEP Policy, General, Dyna Policy Defaults User, Dyna Policy Defaults Global, Dyna Policy Authentication; Saving options: Save Configuration changes automatically, Alert me before saving Configuration changes)

Save Configuration changes automatically: When this radio button is active, any changes made to an object are automatically saved upon moving to another object.

Alert me before saving configuration changes: When this radio button is active, any change made to an object triggers a Save prompt upon attempting to move to another object.

Dyna Policy Defaults User

The Dyna Policy Defaults User tab is used to define
409. w tunnel end points must authenticate themselves. End points are defined as security gateways and VPNremote Clients.
• Select Certificate Based to use X.509 public key certificates.
• Select Preshared Secret to use shared secret keys.

Optional: Click the Memo tab to bring it to the front, then type in a note about this specific VPN Object.

To add User Objects or User Group Objects as members of this VPN Object, do the following:
• Click the Members Users tab to bring it to the front.
• From the Available list, select specific User Objects and User Group Objects. User Group Objects are always located at the bottom of the list.
• Click Move Left to move the selected items to the Current Members list.

To add IP Group Objects as members of this VPN Object, do the following:
• Click the Members IP Groups tab to bring it to the front.
• From the Available list, select specific IP Group Objects.
• Click Move Left to move the selected items to the Current Members list.

9. Click the Security IKE tab to bring it to the front.

Configuring the encryption and authentication algorithms used at the end points of a VPN tunnel

Use the Encryption Algorithm list to select a specific type of encryption algorithm that each security gateway and VPNremote Client must use for this VPN Object.
• Select Any if you want the security gateways to automatically negotiate which algorithm to use.
• Select DES to divide VPN traffic into 64
410. ... 126
Update Configuration dialog box, 48
update configuration to security gateway, 280
update devices, 47
Update VSUs dialog box, 47
upgrade license, 290
upgrading, Upgrade Firmware button, using the, 289
Use aggressive mode for clients check box, 155
Use as Manager Certificate check box, 238
Use SSL check box, 211
User Defined marks, what are, 193
User Group, definition, 129
User Group Object, configuring, 131
User Group, creating, 129
User Object
  CCD, what is, 106
  configuring, 118
  DES check box, 118
  Dyna Policy, what is a, 106

V
Voice Over IP, 175
VoIP, 177

Index

VPN
  Create Designated, 137
  Default VPN, 136
  Domains, about, 55
  hierarchy, detailed view, 55
  IKE VPN, see IKE VPN, 134
  rekeying, 162
  SKIP VPN, see SKIP VPN, 133
VPN (Virtual Private Network)
  key management and packet mode, 135
  naming, 55
  packet mode, 134
  transport mode, 134
VPN configurations, import and export, 284
VPN Object
  creating, 136
  types of, 133
411. wnload the latest firmware from Avaya Inc. The security gateway firmware download is password protected. Contact technical support at vpnsupport@avaya.com to request a password prior to beginning the download.

Read the latest security gateway product readme file before beginning the upgrade. For the latest version of the file for all security gateways, go to the VPN and Security page from the Avaya Support Technical Database Web site at http://support.avaya.com, select the security gateway type to be downloaded, and follow the links to the Readme file.

Following are a few definitions that you should be familiar with prior to using the centralized firmware management feature:
• Device Inventory. The device inventory is displayed when the Upgrade Firmware button is selected. The device inventory lists the names of the available devices to be upgraded, the type of each device available for upgrade, the current firmware version, and the available versions of firmware for the specific device.
• Firmware Library. The firmware library lists the devices and the available firmware versions for each specific device. The firmware library is a repository that is stored and maintained on the policy server. The various versions of firmware for the different devices are stored in the firmware library. Firmware versions can be added to the firmware library: click the Add button to browse to the firmware location and add it to the firmware library repository on the policy ser
412. xt entry. Repeat the process until you have entered all required Client IP Addresses. Click Close to return to the Policy Manager for Client IP Address Pools window.
9. The new pool is seen in the Current Client IP Address Pool list.
10. Optional: If a client DNS address should be configured, in the Client DNS area enter the DNS address and click Add. Up to three client DNS addresses can be configured.
11. Optional: If Client WINS should be configured, enter the WINS address to use for VPNremote virtual adapter configuration. Two Client WINS addresses can be configured.
12. Click Save.
13. Click Close to return to the Configuration Console window.
14. When you want to send the configuration to the security gateway, click Update Device.

Configuring client attributes

From the Policy Manager Client Attributes property, you can configure a message that remote users see every time they log in, and specify the brand name used for VPNremote Client.

Creating a message

The message you create can be a legal message about company policy for using the network, or any other type of message to communicate information when remote users log in. This message can be configured so that remote users are required to accept the message before the login is complete.

Figure 41: Policy Manager for client attributes (screenshot)
413. y
2. From the task bar, click Start > Run to open the Run dialog box.
3. In the Open text box, type the following command line to install the certificate. The filename is the name of the certificate file and aliasname is the alias you choose for the certificate file.
4. C:\Program Files\Avaya\VPNmanager Console\importcert aliasname filename
5. The DOS window will appear containing a message confirming the install.

To view all the installed issuer's certificates:
1. From the Task bar, click Start, then select Run to open the Run dialog box.
2. In the Open text box, type the following command line to view all installed certificates.
3. C:\Program Files\Avaya\VPNmanager Console\listcert
4. The DOS window will appear listing all the certificates.

To delete an installed issuer's certificate:
1. From the Windows NT Taskbar, click Start, then select Run to open the Run dialog box.
2. In the Open text box, type the following command line, where aliasname is the alias you gave the certificate when it was installed.
3. C:\Program Files\Avaya\VPNmanager Console\deletecert aliasname

Solaris OS Computers

To install a certificate in VPNmanager Console:
1. Copy the certificate to the /opt/Avaya/VPNmanager Console directory.
2. Open a Console window.
3. Move to the /opt/Avaya/VPNmanager Console dir
