New in this release
The following section details what is new in Nortel Secure Router 4134 Security — Configuration and Management (NN47263-600).
Features
See the following sections for information about supported features:
Firewall and NAT
The SR4134 implements a stateful inspection firewall. The stateful inspection firewall relies on building network connections and monitoring...
Outside of the internet zone, all other zones on the router are trusted zones. No traffic is allowed into a trusted zone unless a session is initiated from within that zone. By default, all outbound connections from the trusted zone are allowed and all inbound connections are denied.
• Internet – The public untrusted network
In this configuration, untrusted SSH and IKE connections to the router itself are allowed. Trusted and untrusted HTTP connections to a DMZ web server are allowed. The default corp trusted zone allows all outbound connections.
• SIP ALG interoperability with Nortel MCS clients The SR4134 firewall supports a SIP ALG that enables Nortel MCS Clients, in tandem with the MCS 5100 Server, to complete calls via application-level address translation. It also dynamically opens the necessary pinholes for media traffic to traverse the firewall.
Typically, the pool of external IP addresses is smaller than the number of internal addresses on the trusted side. Each time a request is made from a host on the private network, the router chooses an external IP address that is currently unused, and then performs the translation. Dynamic NAT picks external IP addresses in a round-robin fashion to perform the translation.
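The following is an added example, not code from the Nortel manual or the SR4134 itself, that models the dynamic NAT pool behaviour described above: a fixed pool of external addresses, a binding created for each internal host on its first request, round-robin selection of the next unused external address, and refusal (no translation) when the pool is exhausted. The class name, the per-host binding with explicit release, and the sample addresses are all assumptions made for illustration.

```python
# Added example: a simplified dynamic NAT pool with round-robin allocation.
# Assumption: one internal host holds one external address until released
# (a dynamic NAT without port translation); the real router's idle-timeout
# handling is not modelled.
from typing import Dict, List, Optional, Set, Tuple


class DynamicNatPool:
    def __init__(self, external_ips: List[str]) -> None:
        self.pool: List[str] = list(external_ips)
        self.next_index: int = 0                 # round-robin cursor
        self.bindings: Dict[str, str] = {}       # internal ip -> external ip
        self.in_use: Set[str] = set()

    def translate(self, internal_ip: str) -> Optional[str]:
        """Return the external address for internal_ip, allocating one if needed.

        Returns None when every external address in the pool is already in use,
        which is how the pool-smaller-than-host-count situation surfaces.
        """
        if internal_ip in self.bindings:
            return self.bindings[internal_ip]
        if len(self.in_use) == len(self.pool):
            return None                          # pool exhausted: no translation
        # Round robin: scan from the cursor, take the first unused address,
        # then move the cursor past it so the next host gets the next address
        # rather than the lowest free one.
        for offset in range(len(self.pool)):
            index = (self.next_index + offset) % len(self.pool)
            candidate = self.pool[index]
            if candidate not in self.in_use:
                self.next_index = (index + 1) % len(self.pool)
                self.bindings[internal_ip] = candidate
                self.in_use.add(candidate)
                return candidate
        return None                              # unreachable: guarded above

    def release(self, internal_ip: str) -> None:
        """Free the external address bound to internal_ip (e.g. on idle timeout)."""
        external = self.bindings.pop(internal_ip, None)
        if external is not None:
            self.in_use.discard(external)


def demo_round_robin() -> List[Tuple[str, Optional[str]]]:
    """Constructed scenario: three external addresses, five internal hosts."""
    nat = DynamicNatPool(["203.0.113.1", "203.0.113.2", "203.0.113.3"])
    log: List[Tuple[str, Optional[str]]] = []
    log.append(("h1", nat.translate("10.0.1.1")))   # .1
    log.append(("h2", nat.translate("10.0.1.2")))   # .2
    nat.release("10.0.1.1")                         # .1 becomes free again
    log.append(("h3", nat.translate("10.0.1.3")))   # .3: cursor moves on, not back to .1
    log.append(("h4", nat.translate("10.0.1.4")))   # .1: cursor wraps to the freed address
    log.append(("h5", nat.translate("10.0.1.5")))   # None: pool exhausted
    return log


if __name__ == "__main__":
    for host, external in demo_round_robin():
        print(f"{host} -> {external}")
```

The scenario shows the operational consequence of the paragraph: once every external address is bound, a new internal host gets no translation until an existing binding is released, so the pool size bounds the number of concurrently translated hosts.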
firewall. The SIP ALG enables Nortel MCS Clients, in tandem with the MCS Server, to complete calls through application-level address translation. As shown in the following figure, all SIP traffic can be divided into two types depending on the origination and termination point.
The SIP ALG cannot work if the SIP messages are encrypted. If the SIP ALG encounters an encrypted packet, it cannot decipher the contents. However, if the Secure Router is the system operating both the ALG and the VPN, then there is no issue. Only when packets are encrypted by other devices do they become opaque to the Secure Router firewall.
STUN
• SIP-ALG Hairpinning is supported with the CS 1000 series call servers and Nortel IP Phones implementing a STUN-aware protocol and with the MCS 5100 implementing SIP. A limitation with SR4134 is that hairpinning and self policies are mutually exclusive on the router.
• The order in which you enter the filtering rules is important. As the Secure Router 4134 is evaluating each packet, the OS tests the packet against each rule statement sequentially. After a match is found, no more rule statements are checked. For example, if the first rule you create is a statement that explicitly permits all traffic, all traffic is passed...
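The following is an added example, not code from the Nortel manual, that models two behaviours described on this page: the trusted-zone defaults (sessions initiated from inside a trusted zone are allowed and their replies pass; unsolicited inbound traffic to a trusted zone is denied unless an explicit rule permits it) and first-match rule evaluation, where a permit-all statement placed first shadows every rule after it. The zone names, addresses, class and function names are assumptions for illustration and do not reflect the SR4134 implementation.

```python
# Added example: zone-based stateful policy with first-match rule evaluation.
# Assumptions: zones other than the one named "internet" are trusted; rules
# are kept per (source zone, destination zone) pair and checked in the order
# they were added; a session is identified by the 5-tuple of the first packet.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"
    dst_ip: str = "any"
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.dst_ip == "any" or self.dst_ip == pkt.dst_ip)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulFirewall:
    def __init__(self, untrusted_zone: str = "internet") -> None:
        self.untrusted = untrusted_zone
        self.rules: Dict[Tuple[str, str], List[Rule]] = {}
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    def add_rule(self, src_zone: str, dst_zone: str, rule: Rule) -> None:
        # Order of insertion is the order of evaluation.
        self.rules.setdefault((src_zone, dst_zone), []).append(rule)

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, int, str, int, str]:
        return (pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport, pkt.proto)

    @staticmethod
    def _reply_key(pkt: Packet) -> Tuple[str, int, str, int, str]:
        # The same session seen from the responder's side.
        return (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport, pkt.proto)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet, updating the session table."""
        if self._key(pkt) in self.sessions or self._reply_key(pkt) in self.sessions:
            return "permit", "established session"
        # First match wins: stop at the first rule that matches the packet.
        for index, rule in enumerate(self.rules.get((pkt.src_zone, pkt.dst_zone), []), 1):
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.sessions.add(self._key(pkt))
                return rule.action, f"rule {index}"
        # No explicit rule matched: apply the zone defaults.
        if pkt.src_zone != self.untrusted:
            self.sessions.add(self._key(pkt))
            return "permit", "default: session initiated from trusted zone"
        return "deny", "default: inbound to trusted zone"


def demo() -> Dict[str, str]:
    """Constructed traffic against the zone defaults plus one DMZ web rule."""
    fw = StatefulFirewall()
    fw.add_rule("internet", "dmz", Rule("permit", proto="tcp", dst_ip="10.0.2.10", dport=80))
    out: Dict[str, str] = {}
    corp_to_web = Packet("corp", "internet", "10.0.1.5", "203.0.113.9", "tcp", 40001, 443)
    out["corp_out"] = fw.evaluate(corp_to_web)[0]
    reply = Packet("internet", "corp", "203.0.113.9", "10.0.1.5", "tcp", 443, 40001)
    out["reply_in"] = fw.evaluate(reply)[0]          # passes via the session table
    ssh_in = Packet("internet", "corp", "198.51.100.7", "10.0.1.5", "tcp", 50000, 22)
    out["unsolicited_in"] = fw.evaluate(ssh_in)[0]   # no session, no rule: denied
    dmz_http = Packet("internet", "dmz", "198.51.100.7", "10.0.2.10", "tcp", 50001, 80)
    out["dmz_http"] = fw.evaluate(dmz_http)[0]       # explicit DMZ rule
    return out


def ordering_demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Same two rules in both orders: permit-all first shadows the deny."""
    probe = Packet("internet", "dmz", "198.51.100.7", "10.0.2.10", "tcp", 50002, 22)
    shadowed = StatefulFirewall()
    shadowed.add_rule("internet", "dmz", Rule("permit"))
    shadowed.add_rule("internet", "dmz", Rule("deny", proto="tcp", dport=22))
    intended = StatefulFirewall()
    intended.add_rule("internet", "dmz", Rule("deny", proto="tcp", dport=22))
    intended.add_rule("internet", "dmz", Rule("permit"))
    return shadowed.evaluate(probe), intended.evaluate(probe)


if __name__ == "__main__":
    print(demo())
    print(ordering_demo())
```

The ordering check is the one worth repeating when auditing a rule set: any specific deny placed after a broader permit is dead configuration, and the model reports which rule number produced each verdict so shadowed statements can be spotted.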
In its basic configuration, site-to-site VPN connects two remote offices or a branch office to headquarters. In this case, each site is connected to the Internet through a secure router. The objective of the site-to-site VPN is to create a secure tunnel between the two secure routers through the Internet.
IKE authenticates the VPN server and client, and PPP authenticates the user via a password/login prompt. User Authentication can be handled by a user list on the Secure Router, or through a RADIUS server. RADIUS servers can interact with Windows...
In the CRL method, there can be a lag between the CA publishing an updated CRL and the SR4134 downloading that CRL, creating a window of vulnerability. In this period, the router does not have a foolproof mechanism for validating the certificate. OCSP is used to close this window.
54 IPsec VPN fundamentals
The secure router can use the certificates in IKE to establish IPsec security associations between two gateways.
Manual certificate enrollment
As an alternative to SCEP, the SR4134 also supports manual certificate enrollment. The steps that you must follow for manual enrollment are as follows: •...
This command identifies the interface as the source of tunnel traffic. If traffic meeting the match filter rules enters the router through an interface that is not identified as crypto trusted, the traffic is not encrypted using the VPN.
ACKs, the IKE phase 1 SA and all relevant IPsec SAs to the peer are torn down. After the tear down, if the router has traffic to the same destination, the router attempts to re-negotiate IKE with the peer.
To enable this configuration, packets arriving at the ingress point on the Ethernet interface must be marked with DSCP. For more information on QoS configuration, see Nortel Secure Router 4134 Configuration – Traffic Management (NN47263-601).
Crypto QoS (CBQ) for IPsec VPN
The SR4134 crypto engine performs encryption and hashing of packets for IPsec VPN tunnels.
For more information on QoS configuration, see Nortel Secure Router 4134 Configuration – Traffic Management (NN47263-601).
Logging and Statistics
VPN provides logging support on a global level; this logging can be sent to the system console, a Telnet session, or a syslog server. Statistics are maintained for the number of packets and bytes processed in the inbound and outbound directions for each SA.
The host or router at each end of a configured tunnel must support both the IPv4 and IPv6 protocol stacks. Manually configured tunnels can be configured between border routers or between a border router and a host. The entry tunnel end point (the encapsulating node) encapsulates the IPv6 packet with an IPv4 header with the configured IPv4 tunnel source...
Configure the Ethernet interface on which PPPoE is running in the internet security zone. To allow traffic to pass through the firewall, at least one other router interface must be configured in a trusted firewall zone (for example, corp).
The client is the network access point between the remote users and the server. RADIUS authentication allows a remote server to authenticate users attempting to log on to the router from the local console or Telnet.
TACACS
Terminal access controller access control system (TACACS+) is a security...
You can use EAPoL to set up network access control on internal LANs and to exchange authentication information between any end station or server connected to the Secure Router and an authentication server (such as a RADIUS server). This security feature extends the benefits of remote authentication to internal LAN clients.
AAA to determine the user’s actual capabilities and restrictions. The database can be located locally on the router or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights...
Even though the application traffic matching the IPsec policy is tunneled, the built-in firewall uses the IP route to cross-check whether the router is expected to handle this traffic at all. Configure an inbound firewall policy in the internet zone for IKE negotiation (UDP 500).
Variable definitions
Variable    Value
kilobytes   <300-4194303>
seconds     <300-864000>
Configuring OCSP for the IKE policy
Enable OCSP to configure the router to contact the CA for verification of the status of any certificate that the router receives.
Procedure steps
Step Action
To enter the configuration mode, enter: configure terminal
To specify crypto configuration for IPsec and IKE, enter:...
Enabling OCSP on the remote access IKE policy
Enable OCSP to instruct the router to contact the CA for verification of the status of any certificate that the router receives.
Procedure steps
Step Action
To enter the configuration mode, enter: configure terminal
To specify crypto configuration for IPsec and IKE, enter:...
Variable definitions
Variable    Value
url         <url> terminal
Configuring parameters for the certificate request
Configuring the certificate subject name
Specify the subject name that identifies the Secure Router in the certificate request.
Procedure steps
Step Action
To enter the configuration mode, enter: configure terminal
To specify crypto configuration for IPsec and IKE, enter:...
Manually importing a self certificate
If you are not using SCEP to import certificates, you can manually import the router certificate into the router using the cut-and-paste method.
Procedure steps
Step Action
To enter the configuration mode, enter: configure terminal
To specify crypto configuration for IPsec and IKE, enter:...
Configuring GRE tunnel parameters
Configuring keepalive for GRE tunnels
Enable keepalive packets to keep track of the tunnel end points. The router sends a keepalive at every configured interval. If no response is received after the configured number of retries, the tunnel is brought down. You can only configure keepalive on GRE tunnels.
Configuring checksum for GRE tunnels
Enable end-to-end checksums to force the router to drop any corrupted packets. You can only configure checksum on GRE tunnels. By default, checksums are disabled.
Procedure steps
Step Action
To enter configuration mode, enter: configure terminal
To specify the name of the tunnel to configure, enter:...
SR4134 configuration for dynamic route exchange over IPsec tunnel interoperability with VPN Router
Both the Secure Router and the VPN Router currently support dynamic routing over IPsec. The Secure Router configuration for dynamic route exchange over an IPsec tunnel allows interoperability by using IP-on-IP over a transport mode IPsec connection.
This document is protected by copyright laws and international treaties. All information, copyrights and any other intellectual property rights contained in this document are the property of Nortel Networks. Except as expressly authorized in writing by Nortel Networks, the holder is granted no rights to use the information contained herein and this document shall not be published, copied, produced or reproduced, modified, translated, compiled, distributed, displayed or transmitted, in whole or part, in any form or media.