Blackridge BR-2120 Setup Manual


BlackRidge BR-2120
BlackRidge Technology Inc.
10615 Professional Circle Suite 201
Reno, NV 89521
U.S.A
Part No. 2120-0030-01
Revision 1.0, September 2016
Gateway for AWS
Setup Guide


Summary of Contents for Blackridge BR-2120

  • Page 2: Table Of Contents

    How This Guide is Organized .... 10
    Typographical Conventions .... 11
    SECTION I .... 12
    Task Map for the BlackRidge BR-2120 TAC Gateway for AWS .... 13
    SECTION II .... 14
    Identify Security Use Case & BlackRidge Solution Requirements .... 15
    Security Problem ....
  • Page 3
    Task: Create Security Groups .... 31
    SECTION IV .... 35
    Launch and Configure a Gateway AMI Instance .... 36
    Task: Configure and Launch an AMI Instance .... 36
    Task: Stop the AMI Instance .... 42
    Task: Review Settings of the eth0/Management Interface for the AMI Instance .... 42
    Task: Create Additional Interfaces for the AMI Instance ....
  • Page 4
    Task: Resolver – Add Rule for and Link Identity to Protected Resource .... 97
    Task: Inserter – Enable Enforce Mode .... 98
    Task: Resolver – Enable Enforce Mode .... 98
    SECTION IX .... 99
    Add Certificates to BlackRidge TAC Gateway .... 100
    Initiate a BlackRidge Certificate Signing Request (CSR) .... 101...
  • Page 5
    Appendix A: Accessing the BlackRidge Gateway (SSH) .... 116
    Using PuTTY and SSH to Access the Gateways .... 116
    Appendix B: CLI Commands for Configuring the IP Network Attributes of the BlackRidge TAC Gateway .... 119
    Configure DHCP Network Settings for the Management Port .... 119
    cfg (static IP) - Configure IPv4 Network Settings for the Management Port ....
  • Page 6
    – Enable IPv6 on the Admin Port .... 122
    mod – Modify IPv6 Address on the Admin Port .... 123
    Appendix C: CLI Commands for Configuring the DNS Network Attributes of the BlackRidge TAC Gateway .... 124
    /etc/dns/ - DNS Configuration .... 124
    cfg - Configure DNS ....
  • Page 7 BlackRidge Technology Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights or any other intellectual property rights of BlackRidge Technology Inc.
  • Page 8: Preface

    Preface About This Guide The BlackRidge BR-2120 is a TAC Gateway for Amazon™ Web Services (AWS). There are a number of initial tasks that must be completed to set up the TAC Gateway(s) for network access and operation. This document contains the instructions for deploying a single BlackRidge TAC Gateway into the AWS Elastic Compute Cloud (EC2) cloud server.
  • Page 9: Related Material

    IBM z/VM® platform.  BlackRidge BR-2120 Gateway for AWS - Setup Guide outlines the steps required to set up the gateway for network access and operation on the Amazon Web Services™ (AWS) platform.
  • Page 10: Who Should Use This Guide

    Who Should Use This Guide This guide is intended for experienced systems and networking IT professionals who are responsible for the initial setup of the BlackRidge BR-2120 TAC Gateway for AWS.
  • Page 11: How This Guide Is Organized

    Section II provides a sample network topology based on a pre-defined use case, and the resources that are required to architect it. Each port on the BlackRidge gateway is uniquely identified with a description of its function. Deciding what operational roles to assign the network endpoints is based on the criteria provided in this section.
  • Page 12: Typographical Conventions

    Typographical Conventions
    This document uses the following typographic conventions to help you locate and identify information:
    Italic text: Identifies new terms, emphasis, and book titles
    Bold text: Identifies button names and other items that you can click or touch in the graphical user interface or press on a computer keyboard
    Courier New: Identifies commands, command syntax, command arguments and system prompts...
  • Page 13: Section I

    SECTION I...
  • Page 14: Task Map For The Blackridge Br-2120 Tac Gateway For Aws

    CREATE: Virtual Private Cloud
    DEPLOY: Gateway from AMI, management instance and trusted hosts/protected resources
    CONFIGURE: Layer 3 mode for the BlackRidge BR-2120 Gateway for AWS
    VALIDATE: Network connectivity for the BlackRidge BR-2120 Gateway for AWS
    INITIATE: Certificate Signing Request (CSR)
  • Page 15: Section Ii

    SECTION II...
  • Page 16: Identify Security Use Case & Blackridge Solution Requirements

    Only one system is identified as being trustworthy to be given access to the Protected Resource. That system is a Linux client. Since it has been identified as an endpoint to be trusted by the BlackRidge solution, it is designated a Trusted Host. It is the only resource granted authorized access to the Protected Resource.
  • Page 17: Vpc Requirements For The Br-2120 Gateway For Aws

    VPC Requirements for the BR-2120 Gateway for AWS
    Since it runs in a Virtual Private Cloud (VPC), there are no Physical Host requirements for the BR-2120 Gateway for AWS. However, the following components must be configured:
      • Untrusted Subnet
      • Jump Host/Management Virtual Machine
    Note: The AMI Instance for the jump/management host can be a t2.micro.
  • Page 18: Select Resources To Trust And To Protect

    The two BlackRidge BR-2120 gateways will cooperate in establishing trusted communications between the Windows or Linux client and the Linux server. In this guide, the BlackRidge BR-2120 Gateway for AWS, with the user-defined hostname Gateway-1, will control which connected network endpoints can establish an outbound TCP/IP connection to a Protected Resource behind another BlackRidge gateway.
  • Page 19: Criteria To Determine Role(S)

    Trusted Hosts:
      • Any BlackRidge-authenticated network endpoint that is given access to a BlackRidge-protected, network-attached asset is, by definition, a Trusted Host.
      • A single network endpoint can be configured as a Trusted Host or a Protected Resource, or both.
  • Page 20: Design The Network Topology

    It is used for illustration purposes only. The host names and network addresses contained in this guide are not intended to be representative of any real entity outside the scope of this guide or test lab environment. Figure 2.1 – Sample AMI Instance Topology Using BlackRidge BR-2120 Gateway for AWS...
  • Page 21: Port Assignments For The Br-2120 Gateway For Aws

    TCP/IP connections to the high-value, networked assets (for example, servers for payroll, accounting and intellectual property) protected by BlackRidge gateways. Note: For the BlackRidge AWS GW the Management port M, DHCP is set by default.
  • Page 22: Section Iii

    SECTION III...
  • Page 23: Create And Configure Virtual Private Cloud

    Create and Configure Virtual Private Cloud
    This section describes the creation of a Virtual Private Cloud (VPC) in AWS, along with the following components:
      • Internet Gateway - Provides external access for internal components.
      • Subnets – Splits the VPC into different zones (Trusted, Untrusted and Management subnets) ...
  • Page 24: Task: Create Vpc

    Task: Create VPC 1. Using the upper left menu, navigate to Services > VPC. 2. Click Start VPC Wizard. 3. Select VPC with a Single Public Subnet, then click Select.
  • Page 25: Task: Configure Internet Gateway

    4. Configure the following options: a. IP CIDR block – Use the default (10.0.0.0/16). b. VPC name – Set as required (for example, VPC Bravo). c. Public subnet – Use the default (10.0.0.0/24). d. Availability Zone – Select the region in which all instances and subnets will reside.
  • Page 26: Task: Create Subnets

    Find the entry created for your VPC in the VPC column. 3. Click the Name field for that row and name it (example: VPC Bravo INET GW). Task: Create Subnets 1. In the left hand menu, click Subnets. 2. Verify that the subnet created when the VPC was created is present. 3.
  • Page 27 7. Configure the following options: a. Name tag – Set as required (for example, VPC Bravo MGMT Subnet). b. VPC – Select your VPC. c. Availability Zone – Use the default. d. CIDR block – Set IP range to use on the management subnet as required (for example, 10.0.10.0/24).
  • Page 28: Task: Create Route Tables

    Task: Create Route Tables 1. In the left hand menu, click Route Tables. 2. Click the Name column to sort the table so that entries with blank names appear at the top. 3. Locate the row with blank name that also has a value of Yes in the Main column (it should also have 0 Subnets).
  • Page 29 6. Click in the Name field for this Route Table row, and name appropriately (example: VPC Bravo Untrusted RT). 7. Click the Routes tab at the bottom of the screen, and verify that this Route Table has a route for the INET Gateway (the Destination = 0.0.0.0/0 entry per below). 8.
  • Page 30 11. Select the Trusted Route Table, and click the Subnet Associations tab at the bottom of the page. 12. Click Edit, and select the check box next to the Trusted Subnet entry. 13. Click Save. 14. Click Create Route Table to create a route table for the MGMT subnet. 15.
  • Page 31: Task: Create Route Under The Mgmt Route Table

    16. Select the Trusted Route table, and click the Subnet Associations tab at the bottom of the page. 17. Click Edit, and select the check box next to the MGMT Subnet entry. 18. Click Save. Task: Create Route Under the MGMT Route Table 1) Select the MGMT Route table entry, and click the Routes tab at the bottom of the screen.
  • Page 32: Task: Create Security Groups

    Task: Create Security Groups 1. In the left hand menu under VPC Dashboard, click on Security Groups (under Security heading). 2. For any pre-existing entries with blank “Name tag” fields, click on the “Name tag” field and input “Do Not Use” (as we’ll be creating new security groups). 3.
  • Page 33 6. Click on the Security Group button, and create a group for the MGMT subnet. a. Name tag – set as desired (example: VPC Bravo MGMT SG) b. Group name – same as Name tag c. Description – set as desired d.
  • Page 34 This setting will allow ICMP access from any IP address. 10. Click on the Security Group button, and create a group for the Trusted subnet. a. Name tag – set as desired (example: VPC Bravo Trusted SG) b. Group name – same as Name tag c.
  • Page 36: Section Iv

    SECTION IV...
  • Page 37: Launch And Configure A Gateway Ami Instance

    Launch and Configure a Gateway AMI Instance This section describes how to deploy and configure a BRT TAC Gateway instance from AMI into a VPC. After initial configuration and deployment of a Gateway instance with one interface, the remaining interfaces will be added and configured one by one as appropriate. Two (2) Elastic IPs will be created and associated with the appropriate interfaces: ...
  • Page 38 3. With your AMI selected, click on the Launch button. 4. Choose the “t2.medium” instance type on the next screen (to ensure support for 3 NICs), and click on the “Next: Configure Instance Details” button at the far right. 5. On the next screen (Step 3), configure the following values: a.
  • Page 39 6. On the next screen (Step 4) accept the default settings and click on the “Next: Tag Instance” button at the far right. 7. On the next screen (Step 5), name the instance as desired (e.g., “VPC Bravo BRT GW”), then click on the “Next: Configure Security Group button”.
  • Page 40 8. On the next screen (Step 6), do the following: a. Under “Assign a security group:”, select the second radio button – “Select an existing security group”. b. Select the checkbox next to the Management security group. 9. Click on the “Review and Launch” button. 10.
  • Page 41 11. A popup will prompt for selection or creation of a key pair for accessing the instance. In the dropdown, select the option “Proceed without a key pair”, click on the “I acknowledge…” checkbox, and click on the “Launch” button. 12.
  • Page 42 a. If the instance has completed booting, you should be able to scroll down in the resulting popup and see the login prompt.
  • Page 43: Task: Stop The Ami Instance

    Task: Stop the AMI Instance 1. From the Actions button in the Instance screen, select -> Instance State -> Stop. 2. Verify the instance is stopped before proceeding. Task: Review Settings of the eth0/Management Interface for the AMI Instance 1. In the left hand menu, under the “Network & Security” heading, click on “Network Interfaces”.
  • Page 44: Task: Create Additional Interfaces For The Ami Instance

    Task: Create Additional Interfaces for the AMI Instance 1. Click Create Network Interface. 2. Configure the following values, and click Yes, Create. a. Description – set as desired (example: VPC Bravo GW Port 2 ETH1 Untrusted) b. Subnet – Select the Trusted subnet. c.
  • Page 45 5. Configure the following values, and click Yes, Create. a. Description – Set as required (for example, VPC Bravo GW Port 3 ETH2 Trusted). b. Subnet – Select the Trusted subnet. c. Private IP – Set as required from the IP range for the Subnet (for example, 10.0.20.20).
  • Page 46: Task: Attach Additional Interfaces To The Ami Instance

    Task: Attach Additional Interfaces to the AMI Instance 1. From the Instances screen, select the row for Port2 ETH1 (the Untrusted port), and click Attach at the top (or Actions > Attach). 2. At the popup, select the Instance ID, and click Attach. 3.
  • Page 47: Task: Allocate A New Elastic Ip Address For The Mgmt Interface

    Task: Allocate a New Elastic IP Address for the MGMT Interface 1. In the left hand menu, select Elastic IPs under Network and Security. 2. Click Allocate New Address. 3. Click Yes, Allocate. Note: You are limited to five free Elastic IPs. You will be charged for any additional IPs above that number.
  • Page 48: Task: Associate Elastic Ip With Mgmt Interface

    Task: Associate Elastic IP with MGMT Interface 1. In the left hand menu, select Network Interfaces to return to that screen. 2. Select the Management interface, then use the Actions button to perform the “Associate Address”. 3. In the resulting popup, make sure that the newly-generated Elastic IP address is matched with the Management interface address, then click “Associate Address”.
  • Page 49 7. When running (as shown above), SSH to the Elastic IP address as the admin user. This should result in traffic being forwarded to the Management interface on the Gateway. 8. At this point you may configure the GW as required, using the admin CLI and/or the Setup Wizard: a.
  • Page 50: Task: Modify Route Table For (Trusted + Protected) Side Of Brt Gw

    Task: Modify Route Table for (Trusted + Protected) Side of BRT 1. In the web UI, from the EC2 Dashboard (Services -> EC2), select “Network Interfaces” from the left hand menu. 2. Find the interface corresponding to Port 3 (eth2, the Trusted port) on the Gateway. Copy the Network Interface ID value for that interface.
  • Page 51 3. In the web UI, under the VPC Dashboard (Services -> VPC), click on “Route Tables” in the left hand menu. 4. Locate the Trusted Route Table for your VPC and select it. In the Routes tab at the bottom of the screen, click on the Edit button. 5.
  • Page 52: Task: Disable Source/Destination Check For Untrusted And Trusted Interfaces

    Note: The Status of the route you just added could say ‘Black Hole’. This happens when the instance is currently down. Task: Disable Source/Destination Check for Untrusted and Trusted Interfaces 1. Go back to the EC2 Dashboard, and select Network Interfaces under Network & Security.
  • Page 53 3. In the resulting popup, select Disabled, and click Save. 4. Repeat the last two steps for the Gateway’s Trusted interface. Note: These settings are required to allow instances to handle traffic that isn’t specifically intended for them (for example, instances providing NAT, routing or firewall services).
  • Page 54: Task: Disable Source/Destination Check For Untrusted And Trusted Interfaces

    Task: Disable Source/Destination Check for Untrusted and Trusted Interfaces 1. On the EC2 Dashboard, select Elastic IPs under Network & Security. 2. Click Allocate New Address. 3. Click Yes, Allocate.
  • Page 55: Task: Associate Elastic Ip With The Public/Untrusted Interface

    Task: Associate Elastic IP with the Public/Untrusted Interface 1. On the EC2 Dashboard, select Network Interfaces under Network & Security. 2. Select the Untrusted interface for the Gateway, right-click and select Associate Address. 3. Set the newly-created Elastic IP for the Address, and make sure the Gateway’s Untrusted interface’s IP address populates the Associate to private IP address drop-down.
  • Page 56: Section V

    SECTION V...
  • Page 57: Deploy A Jump Host Into The Mgmt Subnet In Vpc

    Deploy a Jump Host into the MGMT Subnet in VPC This section describes how to create an Amazon instance that can be used as a jump host to access the Trusted+Protected subnet behind the Gateway in AWS. As the Trusted + Protected host will not be directly accessible from the internet, and no VPN or similar access is provided in this setup, the jump host can be used to access the Trusted+Protected host as it will have two NICs:...
  • Page 58: Task: Create The Jump Host Instance

    Task: Create the Jump Host Instance 1. From the EC2 Dashboard, click Launch Instance. 2. Select the AMI to use. This example uses the Ubuntu 14.04 LTS image (the Amazon Linux image would also suffice).
  • Page 59 3. On the next screen (Step 2), select the t2.micro instance type, and click Next: Configure Instance Details. 4. On the next page (Step 3), configure the following settings (using the defaults for those not specified), and click Next: Add Storage. a.
  • Page 60 5. On the next page (Step 4), use the defaults and click Next: Tag Instance. 6. On the next page (Step 5), give the instance a name (for example, VPC Bravo MGMT VM), and click Next: Configure Security Group.
  • Page 61 7. On the next page (Step 6), under Assign a security group:, choose Select an existing security group. 8. In the result table, select your MGMT Security Group. 9. Click Review and Launch. 10. On the next page (Step 7), review the settings and click Launch.
  • Page 62 11. The Select an existing key pair or create a new key pair window appears. a. If you already have a key pair that you’d like to use in AWS, select it from the Select a key pair drop-down and click Launch Instances. b.
  • Page 63 e. Either way, the key pair will be used to access the jump host over SSH in lieu of password-based authentication. 12. On the resulting Launch Status page, click View Instances. 13. Locate your newly-created instance, and verify that the System Status Checks and Instance Status Checks show green.
  • Page 65: Task: Assign An Elastic Ip To The Jump Host

    Task: Assign an Elastic IP to the Jump Host 1. Go to the EC2 Dashboard screen. 2. Under Network & Security in the left hand menu, select Elastic IPs. 3. Click Allocate New Address.
  • Page 66 4. Click Yes, Allocate. 5. Under Network & Security in the left hand menu, click Network Interfaces.
  • Page 67 6. Locate the network interfaces for the jump host instance just created (using the Primary IP values you set), and name them if blank. For example: a. eth0 - VPC Bravo MGMT VM ETH0 b. eth1 - VPC Bravo MGMT VM ETH1 7.
  • Page 68
    From the command line on Linux or Mac, use the following command to log in as the ec2-user:
    Ubuntu-based VMs:
        ssh -i /path/to/<key pair file>.pem ubuntu@<Elastic IP_MGMT>
        ssh -i ~/.ssh/trust-prot-01.pem ubuntu@52.39.22.238
    Red Hat or Amazon Linux-based VMs:
        ssh -i /path/to/<key pair file>.pem ec2-user@<Elastic IP_MGMT>
        ssh -i ~/.ssh/trust-prot-01.pem ec2-user@52.39.22.238
    a.
  • Page 69: Section Vi

    SECTION VI...
  • Page 70: Deploy A (Trusted + Protected) Host Into Trusted Subnet In Vpc

    Deploy a (Trusted + Protected) Host into Trusted Subnet in VPC This section describes how to deploy a simple Linux-based Instance into the Trusted Subnet of the VPC that can act as either a Trusted Host, or a Protected Resource, or both depending on the network configuration.
  • Page 71: Task: Provision An Instance Of The Amazon Linux Ami

    Task: Provision an Instance of the Amazon Linux AMI 1. Using the web UI, click Services > EC2. 2. On the EC2 Dashboard, click Launch Instance. 3. On the next page (Step 1), select the Amazon Linux AMI image.
  • Page 72 4. On the next page (Step 2), select the t2.micro image, then click on the “Next: Configure Instance Details” button. 5. On the next page (Step 3), configure the following values. a. Network – Type your VPC. b. Subnet – Select the Trusted subnet. c.
  • Page 73 8. On the next page (Step 5), configure a Value for the Name tag (for example, VPC Bravo trust-prot-01), and click Next: Configure Security Group. 9. On the next page (Step 6), under Assign a security group:, select Select an existing security group.
  • Page 74 11. Review the details, and click Launch. 12. Either select Create a new key pair from the drop-down and create a new key pair, or choose an existing key pair. If you create a new key pair, name it and click Download Key Pair.
  • Page 75 14. On the resulting Launch Status page, you should see a message indicating that the instance is launching. 15. Click the instance ID in the message to navigate to the Instances screen on the EC2 Dashboard to verify the status of the VM.
  • Page 76 a. Open a Command window, type Actions > Instance Settings > Get System Log.
  • Page 77: Task: Check Boot Status Through Aws Cli

    Task: Check Boot Status through AWS CLI
    For details on configuring the AWS CLI on your system, please refer to Appendix A in the AWS Deployment Guide.
    1. From a terminal, run the following command:
        aws ec2 describe-instances
    2. Locate the entry for the just-deployed AMI, using the KeyName field (corresponds to the Name Tag configured earlier).
  • Page 78: Task: Ssh Into Trusted + Protected Instance

    Task: SSH into Trusted + Protected Instance
    1. Locate the key pair file associated with the Trusted+Protected instance, and scp it to the jump host:
    Ubuntu-based Instances:
        scp -i ~/.ssh/trust-prot-01.pem ~/.ssh/trust-prot-01.pem ubuntu@52.53.235.97:.ssh/.
    Red Hat or Amazon Linux-based Instances:
        scp -i ~/.ssh/trust-prot-01.pem ~/.ssh/trust-prot-01.pem ec2-user@52.53.235.97:.ssh/.
  • Page 79: Task: Configure Static Networking And Routes On The Trusted + Protected Instance

    Task: Configure Static Networking and Routes on the Trusted + Protected Instance In order to ensure that traffic to and from the Trusted + Protected instance is routed through the Gateway, the networking will be re-configured on that instance from DHCP-based to static. At the same time, the default gateway will be redirected to use the BRT TAC Gateway Trusted Interface (10.0.20.20) instead of the default gateway assigned by AWS (10.0.20.1).
  • Page 80
    i. Type ifdown eth0; ifup eth0 to restart the interface.
    j. Type ping 10.0.0.1 to test that the networking is configured correctly (this ping would not have worked before the change).
    2. For Red Hat/Amazon Linux-based instances:
    a. Type: cd /etc/sysconfig/network-scripts/
       Replace the contents of the file ifcfg-eth0 with the following:
        DEVICE=eth0...
  • Page 81: Section Vii

    SECTION VII...
  • Page 82: Configure Layer 3 Nat - External-To-Vpc (Unidirectional)

    Configure Layer 3 NAT – External-to-VPC (Unidirectional) This section describes how to connect an Insertion Gateway in an external network (behind a NAT firewall) to a Resolving Gateway in a VPC.
  • Page 83
    External Network Configuration (Trusted Host)
    Variable / Description / Value:
    INS_TRUST_HOST_IP: IP address of the Trusted Host in the Trusted Subnet; Trusted side of NAT config. Value: 192.168.55.130
    INS_TRUST_GW_IP: IP address of the Gateway Interface in the Trusted Subnet; Trusted side of Route config. Value: 192.168.55.20
    INS_UNTRUST_GW_IP: IP address of the Gateway Interface in the...
  • Page 85
    VPC Network Configuration (Protected Resource)
    Variable / Description / Value:
    RES_TRUST_HOST_IP: IP address of the Trusted Host in the Trusted Subnet; Trusted side of NAT config. Value: 10.0.20.30
    RES_TRUST_GW_IP: IP address of the Gateway Interface in the Trusted Subnet; Trusted side of Route config. Value: 10.0.20.20
    RES_UNTRUST_GW_IP: IP address of the Gateway Interface in the...
  • Page 87: Task: Inserter - Generate And Export Skey

    Task: Inserter – Generate and Export SKEY
    1. SSH into the MGMT interface of the Inserter Gateway as “admin”.
    2. Run the following commands:
        /identity/skey/generate name=tr_key
        /identity/skey/export name=tr_key dest=display
    3. When prompted, input a password of your choosing twice to encrypt the skey value.
    4.
  • Page 88: Task: Inserter - Add Nat And Routes

    a. /layer3/nat/add tr_ip=<INS_TRUST_HOST_IP> tr_netmask=255.255.255.0 tr_vlanid=0 ut_ip=<INS_UNTRUST_GW_IP> ut_netmask=255.255.255.0 ut_vlanid=0
       i. INS_TRUST_HOST_IP = IP of the Trusted Host in the Trusted Subnet
       ii. INS_UNTRUST_GW_IP = IP of the Gateway interface in the Untrusted Subnet
    b. /layer3/route/add trusted_flag=y ip=<INS_TRUST_GW_IP> netmask=255.255.255.0 vlanid=0
       i. INS_TRUST_GW_IP = IP of the Gateway interface in the Trusted Subnet
    c.
  • Page 89: Task: Inserter - Add And Enable Identity

    b. /layer3/route/add trusted_flag=y ip=<RES_TRUST_GW_IP> netmask=255.255.255.0 vlanid=0
       i. RES_TRUST_GW_IP = IP of the Gateway interface in the Trusted Subnet
    c. /layer3/route/add trusted_flag=n ip=<RES_UNTRUST_ROUTER_IP> netmask=255.255.255.0 vlanid=0
       i. RES_UNTRUST_ROUTER_IP = IP of the Router interface in the Untrusted Subnet
    d. /layer3/enable
    Task: Inserter – Add and Enable Identity
    1.
  • Page 90: Task: Resolver - Add And Enable Identity Using Skey

    a. /identity/host/add name=trhost1 ip=<INS_UNTRUST_GW_IP> mask=255.255.255.255 comment="Trusted host for L3."
       i. INS_UNTRUST_GW_IP = IP of the Gateway interface in the Untrusted Subnet
    b. /identity/associate name=tr-id1 host=trhost1
    Task: Resolver – Add and Enable Identity Using SKEY
    1. On the Resolver side, create and enable a corresponding identity:
    a.
  • Page 91: Task: Resolver - Add Rule And Link Identity

    Task: Resolver – Add Rule and Link Identity
    1. On the Resolver side, configure a Forward rule for the Protected Resource and link it to the Identity:
    a. /policy/rule/add name=rule1 action=forward resource=prhost1 enable=yes
    b. /identity/link name=tr-id1 rule=rule1
    Task: Inserter – Enable Enforce Mode
    1.
  • Page 92: Section Viii

    SECTION VIII...
  • Page 93: Configure Layer 3 Nat - Vpc-To-Vpc (Bidirectional)

    This section will describe how to configure bidirectional communication between two separate VPCs in AWS that are protected by BlackRidge TAC Gateways. Specifically, the Gateways will be configured such that the Trusted+Protected host in VPC A can communicate with the Trusted+Protected host in VPC B, and vice versa.
  • Page 94
    Variable / Description / Value:
    TRUST_HOST_IP: IP address of the Trusted Host in the Trusted Subnet; Trusted side of NAT config. Value: 10.0.20.30
    TRUST_GW_IP: IP address of the Gateway Interface in the Trusted Subnet; Trusted side of Route config. Value: 10.0.20.20
    UNTRUST_GW_IP: IP address of the Gateway Interface in the Untrusted Subnet; ... Value: 10.0.0.20
  • Page 95: Task: Inserter + Resolver - Add Nat And Routes

    Task: Inserter + Resolver – Add NAT and Routes
    The Gateway in each VPC has been configured for Layer 3 NAT mode using the following commands:
      • /layer3/nat/add tr_ip=<TRUST_HOST_IP> tr_netmask=255.255.255.0 tr_vlanid=0 ut_ip=<UNTRUST_GW_IP> ut_netmask=255.255.255.0 ut_vlanid=0
        o TRUST_HOST_IP = IP of the Trusted Host in the Trusted Subnet
        o UNTRUST_GW_IP = IP of the Gateway interface in the Untrusted Subnet
      ...
  • Page 96: Task: Inserter + Resolver - Configure Trusted Host And Protected Resource

    Task: Inserter + Resolver – Configure Trusted Host and Protected Resource
    Trusted Host and Protected Resource entries can be created for the Trusted+Protected host in each VPC, and referenced in the commands to follow.
    1. Trusted Host
        /identity/host/add name=trhost1 ip=<UNTRUST_ROUTER_IP> mask=255.255.255.255 comment="Trusted host for L3."...
  • Page 97: Task: Resolver - Import Skey

    3. When prompted, input a password of your choosing twice to encrypt the skey value. 4. Copy the value printed to screen for use in the next step. Task: Resolver – Import SKEY 1. SSH into the MGMT interface of the Resolver Gateway as “admin”. 2.
  • Page 98: Task: Inserter - Associate Identity With Trusted Host

    Task: Inserter – Associate Identity with Trusted Host
    1. On the Inserter side, associate the new Identity with the Trusted Host:
    a. /identity/associate name=tr-id-Steve host=trhost1
    Task: Resolver – Add and Enable Identity Using SKEY
    1. On the Resolver side, create and enable a new Identity:
    a.
  • Page 99: Task: Inserter - Enable Enforce Mode

    Task: Inserter – Enable Enforce Mode
    1. On the Inserter side, run the following command:
        /context/tac mode=enforce
    Task: Resolver – Enable Enforce Mode
    1. On the Resolver side, run the following command:
        /context/tac mode=enforce...
  • Page 100: Section Ix

    SECTION IX...
  • Page 101: Add Certificates To Blackridge Tac Gateway

    Add Certificates to BlackRidge TAC Gateway
    To load signed certificates on a BlackRidge TAC Gateway, please ensure the customer site has the following:
      • Network access to TAC Gateway management IP address
      • Computer or server running Secure Copy Protocol (SCP), WinSCP or Bitvise ...
  • Page 102: Initiate A Blackridge Certificate Signing Request (Csr)

      • Default gateway
      • DNS
    Caution: The IP address of the BlackRidge TAC Gateway management port is used as an additional security feature when generating certificate keys. Changing the IP address of the management port invalidates existing BlackRidge Technology certificates. Please contact BlackRidge Support when changing the IP address of the management port of a BlackRidge TAC Gateway that has certificates signed by BlackRidge Technology.
  • Page 103: Task: Generate Blackridge Tac Gateway Keys

    The customer or onsite SE generates a CSR by executing the gencsr command. Note: The entire output from the gencsr command must be copied and included in the e-mail that is sent to BlackRidge Technology. In the example below, a string of Xs is used as placeholders for the actual hashed output.
  • Page 104: Loading The Blackridge Technology-Signed Certificates

    Once the signed BlackRidge Technology certificates are received, the customer will contact BlackRidge Technology Support to get the decryption key for the certificate files. Note: The certificates are contained within an encrypted .zip file generated by 7-zip.
  • Page 105 Step 3: Select the certificate file, and right-click Extract files. Figure 7.3 – Screen capture selecting the certificate file...
  • Page 106 Step 4: Enter the BlackRidge-supplied password to decrypt the file. Figure 7.4 – Screen capture for entering the password supplied by BlackRidge Technology Support.
  • Page 107 Step 5: The Certificates are now ready to deploy to your TAC Gateway. Figure 7.5 – Screen capture of the certificates now ready to deploy to the Customer’s BlackRidge TAC Gateway...
  • Page 108: Importing Certificates Into Tac Gateway

    Customers must use values that are unique to their own environment.
        admin@Gateway-1[bump0]:/> cd /etc/certificate
        admin@Gateway-1[bump0]:/etc/certificate/> ca-import user=user host=192.168.2.29 filename=BlackRidgeSample_ca_chain.pem path=/Blackridge/Certs/164/
        The authenticity of host '192.168.2.29 (192.168.2.29)' can't be established.
        ECDSA key fingerprint is 5f:fa:0e:0d:bc:1d:54:65:4a:dc:a9:ba:72:3b:f9:01.
  • Page 109: Task: Import The Blackridge Tac Gateway Certificates

    Task: Import the BlackRidge TAC Gateway Certificates
    The following is an example of importing the BlackRidge TAC Gateway certificates. The values used are for illustration purposes only. Customers must use values that are unique to their own environment.
    admin@Gateway-1[bump0]:/> cd /etc/certificate
    admin@Gateway-1[bump0]:/etc/certificate/>...
  • Page 110: Section X

    SECTION X...
  • Page 111: Testing The Configuration

    Testing the Configuration
    The following sections outline tests that can be performed to verify the configuration of VPCs and Gateway. These consist of:
    - Verifying that a Gateway will route traffic from Trusted to Untrusted locally
    - Verifying that traffic is sent from Trusted Host to Untrusted Host through the respective Gateways.
  • Page 112: Section Xi

    SECTION XI...
  • Page 113: Set Transport Access Control (Tac) Mode Of Operation

    Untrusted port (Port 1 of Gateway) to the Trusted port (Port 2 of Gateway) and vice versa. It does not insert or authenticate tokens or protect any resources. When the BlackRidge Gateway is initially powered on, it will be in bridge mode. The first step to complete after the gateway is physically installed is to verify network connectivity by executing the ping command.
  • Page 114: Task: Display Tac Mode

    Task: Display TAC Mode
    Display the current TAC mode of operation for Gateway-1.
    admin@Gateway-1[bump0]:/> /context/show
    Context name : bump0
    Context comment
    TAC mode : Enforce
    MISC SETTINGS
    Max anonymous connections: 100
    Timer period Wait time : 3600
    Hash source port : enable
    admin@Gateway-1[bump0]:/>...
  • Page 115: Task: Set The Tac Mode As "Monitor

    Task: Set the TAC Mode as "Monitor"
    Set the TAC mode of operation to monitor.
    admin@Gateway-1[bump0]:/> /context/tac monitor
    Monitor Mode enabled successfully.
    admin@Gateway-1[bump0]:/> /context/show
    Context name : bump0
    Context comment
    TAC mode : Monitor
    MISC SETTINGS
    Max anonymous connections: 100
    Timer period Wait time : 3600...
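The audit below is an added example for this guide, not BlackRidge code. A gateway in bridge or Monitor mode is not protecting anything, so after a change window you want to confirm that every gateway's context reports the TAC mode the deployment expects rather than trust that the last operator finished the procedure. The script parses the "label : value" output of /context/show as printed above and lists every gateway whose TAC mode differs from the expected one. The two transcripts are constructed from the output format shown in this guide; in practice they would be captured over the SSH management connection (Appendix A).

```python
"""Audit the TAC mode reported by /context/show across gateways.

Added example, not BlackRidge code. The transcripts are constructed from
the /context/show output format shown in this guide.
"""
import re
from typing import Dict, List

# A CLI prompt line such as "admin@Gateway-1[bump0]:/> /context/show".
PROMPT_RE = re.compile(r"^\S+@\S+\[[^\]]*\]:")


def parse_context_show(output: str) -> Dict[str, str]:
    """Turn the 'label : value' lines of /context/show into a dict.
    Prompt lines are skipped; a bare heading or a label with no value
    (MISC SETTINGS, Context comment) maps to an empty string."""
    settings: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or PROMPT_RE.match(line):
            continue
        if ":" in line:
            label, value = line.split(":", 1)
            settings[label.strip()] = value.strip()
        else:
            settings[line] = ""
    return settings


def audit_tac_modes(transcripts: Dict[str, str], expected: str = "Enforce") -> List[str]:
    """Return one finding per gateway whose TAC mode differs from `expected`.
    A transcript with no TAC mode line is also a finding: an unreadable
    state must not pass the audit silently."""
    findings: List[str] = []
    for gateway, output in sorted(transcripts.items()):
        mode = parse_context_show(output).get("TAC mode")
        if mode is None:
            findings.append(f"{gateway}: TAC mode not found in output")
        elif mode.lower() != expected.lower():
            findings.append(f"{gateway}: TAC mode is {mode}, expected {expected}")
    return findings


# Constructed transcripts in the format shown in this guide.
GATEWAY_1_SHOW = """\
admin@Gateway-1[bump0]:/> /context/show
Context name : bump0
Context comment
TAC mode : Enforce
MISC SETTINGS
Max anonymous connections: 100
Timer period Wait time : 3600
Hash source port : enable
admin@Gateway-1[bump0]:/>
"""

GATEWAY_2_SHOW = """\
admin@Gateway-2[bump0]:/> /context/show
Context name : bump0
Context comment
TAC mode : Monitor
MISC SETTINGS
Max anonymous connections: 100
Timer period Wait time : 3600
Hash source port : enable
admin@Gateway-2[bump0]:/>
"""


if __name__ == "__main__":
    transcripts = {"Gateway-1": GATEWAY_1_SHOW, "Gateway-2": GATEWAY_2_SHOW}
    for finding in audit_tac_modes(transcripts):
        print(finding)
```

Pass expected="Monitor" while the gateways are still being verified in Monitor mode, and switch to the default "Enforce" once the rules and certificates are in place, so the same check guards both stages of the rollout.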
  • Page 116: Congratulations

    At this point, all the necessary tasks for getting your gateway operational and connected to the network have been successfully completed. The BlackRidge signed certificates are now imported on each of the BlackRidge TAC Gateways, and they are now ready for network access and operation.
  • Page 117: Appendix A: Accessing The Blackridge Gateway (Ssh)

    Appendix A: Accessing the BlackRidge Gateway (SSH) Using PuTTY and SSH to Access the Gateways Initial configuration of the BlackRidge BR-2120 TAC Gateway for AWS must be done through the Virtual Console port. After the initial configuration of the BlackRidge gateway has been completed through the Setup Wizard, you can use the SSH command to connect to the gateway through port 4, the M port, to perform subsequent administration and configuration tasks.
  • Page 118 Now you can do all your administration and configuration through this SSH connection should you decide to discontinue using the virtual console. If you want to create an SSH connection to BlackRidge Gateway (GW2), repeat steps 1 – 7 with your site-specific, user-defined IP address for the Management Port on Gateway-2 (for example, 192.168.1.43).
  • Page 119 Step 8: Click Yes to update your PuTTY cache. (PuTTY shows the gateway's host key fingerprint at this point; compare it with a value obtained from the gateway out of band before clicking Yes.) You will be prompted with the following:
    Login as: admin
    admin@192.168.1.42's password:
    Connecting to dispatcher...
    Connected.
    BlackRidge Bridge Model BR-2110 Version 3.0.0.4619 Build Date Wed Aug 31 12:13:32 PDT 2016
    WARNING: Your password is currently still set to the factory default! Change it for security reasons.
  • Page 120: Appendix B: Cli Commands For Configuring The Ip Network Attributes Of The Blackridge Tac Gateway

    Appendix B: CLI Commands for Configuring the IP Network Attributes of the BlackRidge TAC Gateway
    Configure DHCP Network Settings for the Management Port
    Configure the IPv4 network settings of the management port. Note: DHCP can be used for both IPv4 and IPv6, provided it is enabled for that protocol.
  • Page 121: Cfg (Static Ip) - Configure Ipv4 Network Settings For The Management Port

    Scope:Global
    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    RX packets:402 errors:0 dropped:0 overruns:0 frame:0
    TX packets:270 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:51286 (51.2 KB)  TX bytes:31262 (31.2 KB)
    Persistent IPv4 Settings:
    #  DHCP     Netmask  Gateway
    4  Enabled  <None>   <None>   <None>...
  • Page 122: Etc/Mgt/Ipv6/ - Configure An Ipv6 Address On The Admin Port

    /etc/mgt/ipv6/ – Configure an IPv6 Address on the admin Port
    add – Associate IPv6 Addresses with the Management Port
    Configure an IPv6 address on the management port.
    Authorization: admin | netadm
    Syntax: add ip=<ip_address> prefix=<prefix_length> gw=<default_gateway>
    Arguments / Definitions:
      ip      IPv6 address of the management port
      prefix  IPv6 address prefix
      gw      Default gateway (optional)
  • Page 123: Disable - Disable Ipv6 On The Admin Port

    Arguments / Definitions:
      ip  IPv6 address of the management port
    Example:
    admin@Gateway-1[bump0]:/> cd /etc/mgt/ipv6
    admin@Gateway-1[bump0]:/etc/mgt/ipv6> del ip=fe80::290:bff:fe1c:c961
    IPv6 address deleted successfully.
    disable – Disable IPv6 on the Admin Port
    Disable IPv6 on the admin port.
    Authorization: admin | netadm
    Syntax: disable
    Arguments: None.
  • Page 124: Mod - Modify Ipv6 Address On The Admin Port

    Arguments: None.
    Example:
    admin@Gateway-1[bump0]:/> cd /etc/mgt/ipv6
    admin@Gateway-1[bump0]:/etc/mgt/ipv6> enable
    IPv6 enabled successfully.
    mod – Modify IPv6 Address on the Admin Port
    Modify an IPv6 address on the admin port.
    Authorization: admin | netadm
    Syntax: mod current_ip=<current_address> new_ip=<new_address> [new_prefix=<new_prefix_length>] [new_gw=<new_default_gateway>]
    Arguments / Definitions:
      current_ip  Current IPv6 address of the management port
      new_ip ...
  • Page 125: Appendix C: Cli Commands For Configuring The Dns Network Attributes Of The Blackridge Tac Gateway

    Appendix C: CLI Commands for Configuring the DNS Network Attributes of the BlackRidge TAC Gateway
    /etc/dns/ - DNS Configuration
    This directory contains commands for configuring up to three DNS servers for the management port on the gateway.
    cfg - Configure DNS
    Configure up to three distinct DNS servers.
  • Page 126: Show - Show Dns Settings

    show - Show DNS Settings
    Display the DNS configuration.
    Authorization: admin | netadm
    Syntax: show
    Arguments: None
    Example:
    admin@Gateway-1[bump0]:/> cd /etc/dns
    admin@Gateway-1[bump0]:/etc/dns> show
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 8.8.8.8
    nameserver 8.8.4.4...
  • Page 127: Appendix D: Cli Commands For Configuring The Host Name Attributes Of The Blackridge Tac Gateway

    Appendix D: CLI Commands for Configuring the Host Name Attributes of the BlackRidge TAC Gateway
    /etc/hostname/ - Host Name and Domain Name Configuration
    This directory contains the host name and domain name configuration attributes and commands.
    cfg - Configure Hostname
    Set the hostname.
  • Page 128: Show - Show The Hostname And Domain Name

    show - Show the Hostname and Domain Name
    Display the current hostname and domain name.
    Authorization: admin | cloakadm | keymgr | netadm | user
    Syntax: show
    Arguments: None
    Example:
    admin@Gateway-1[bump0]:/> cd /etc/hostname
    admin@Gateway-1[bump0]:/etc/hostname> show
    Hostname=Gateway-1
    Domainname=brt.com
    admin@Gateway-1[bump0]:/>...
