Black Box ET0100A Cli User Manual

ETEP Command-Line Interface (CLI) User Guide

EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight Enforcement Points. EncrypTight consists of a suite of tools that performs various tasks of appliance and policy management, including Policy Manager (PM), Key Management System (KMS), and EncrypTight Enforcement Points (ETEPs).

Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.com

BLACK BOX® ET0010A, ET0100A, ET1000A

Summary of Contents for Black Box ET0100A

  • Page 2: Table of Contents

    Contents: Preface (p. 9); About This Document (p. 9); Contacting Black Box Technical Support (p. 10); Chapter 1: Getting Started (p. 11); ETEP Introduction (p. 11); Managing the ETEP (p. 12); Default User Names and Passwords (p. 13); Prerequisites (p. 13); Logging in to the Command Line Interface (p. 13); Logging in through a Serial Link...
  • Page 3 Contents (continued): Configuring the Management Port (p. 36); Setting the Date and Time (p. 40); Entering the Throughput License (p. 40); Changing the Auto-negotiation Settings on the Local and Remote Ports (p. 41); Setting Loss of Signal Pass Through (p. 43); Changing the CLI Inactivity Time-out (p. 44); Configuration Examples...
  • Page 4 Contents (continued): Policy Configuration (p. 82); Assigning Policy Names (p. 83); Configuring an IKE Encryption Policy (p. 84); Configuring a Manual Key Encryption Policy (p. 86); Configuring a Bypass or Discard Policy on the Management Port (p. 89); Deploying Policies (p. 90); Viewing the Policy Set (p. 91); Backing Up the Policy Set...
  • Page 5 Contents (continued): FIPS Mode Failures and Zeroization (p. 123); Other Operating Boundaries (p. 123); Exiting FIPS Mode (p. 123); Chapter 8: Command Reference (p. 125); CLI Overview (p. 125); Format Conventions (p. 125); Tips on Command Usage (p. 126); Commands (p. 127); autoneg (p. 128); backup-policy-set (p. 130); banner-config (p. 131); clear-certificates (p. 131); clear-known-hosts (p. 132); clear-policies (p. 133); clear-policy-set (p. 133); cli-inactivity-timer (p. 134); configure (p. 135); date (p. 135)...
  • Page 6 Contents (continued): policy-add (p. 166); policy-config (p. 167); policy-delete (p. 168); policy-ike-ipsec (p. 169); policy-ike-peer (p. 170); policy-keying (p. 171); policy-layer2-selector (p. 172); policy-manual-key (local-site policies) (p. 173); policy-manual-key (management IPsec policies) (p. 174); policy-mode (p. 176); policy-packet-count (p. 177); policy-priority (p. 178); policy-selector (p. 179); port-enable (p. 181); reassembly (p. 181); reboot (p. 182); remote-interface (p. 183); remote-user-cert-auth-mode (p. 183); restart-ike (p. 184); restore-filesystem (p. 185); restore-policy-set (p. 186); show (p. 187); show-ike-params (p. 189); show-policy-set (p. 189)...
  • Page 8: Preface

    About This Document. Purpose: The ETEP CLI User Guide describes how to use the command line interface to configure and manage Black Box™ ETEP EncrypTight Enforcement Points, define and deploy point-to-point IKE policies, and perform troubleshooting tasks. Intended audience: This document is intended for use by network technicians and security administrators who are familiar with setting up and maintaining network equipment.
  • Page 9: Contacting Black Box Technical Support

    Preface: Contacting Black Box Technical Support. Contact our FREE technical support, 24 hours a day, 7 days a week: Phone 724-746-5500, Fax 724-746-0746, e-mail info@blackbox.com, Web site www.blackbox.com.
  • Page 10: Chapter 1: Getting Started

    Getting Started. This section includes the following topics: ETEP Introduction; Managing the ETEP; Logging in to the Command Line Interface; Next Steps. ETEP Introduction: The EncrypTight Enforcement Point (ETEP) Variable Speed Encryptors (VSEs) are high performance, purpose-built encryption appliances that provide encrypted throughput at wire-speed.
  • Page 11: Managing the ETEP

    Getting Started The ETEP interfaces with network equipment through two data ports, the local port and the remote port. Unencrypted traffic that originates from a trusted, local network is received on the local port, where the ETEP applies security processing to it. The encrypted traffic is then sent from the remote port to an untrusted network such as the Internet.
  • Page 12: Default User Names and Passwords

    Logging in to the Command Line Interface. Default User Names and Passwords: The ETEP has two roles, Administrator and Ops. The Administrator manages users, configures the appliance, and creates and deploys policies. The Ops user has access to a limited set of commands for initial appliance configuration, status...
  • Page 13: Logging in through a Serial Link

    Getting Started Logging in through a Serial Link Initial setup is performed through a serial link to the RS-232 port. To log in to the CLI via a serial link: 1 Connect the RS-232 serial port directly to a PC or workstation, as described in Chapter 2 Open a terminal session through a VT-100 terminal emulation program such as HyperTerminal.
  • Page 14: Next Steps

    Next Steps. When entering a command with several optional parameters, you must enter all of the optional parameters up to and including the parameter of interest. Subsequent optional parameters will be left at their default settings. Auto-completion can save time when entering commands, and online help is available to display syntax options.
  • Page 16: Chapter 2: User Administration

    User Administration. This section contains the following topics: Overview; Password Enforcement Options; Adding Users; Assigning Passwords; Enabling and Disabling Accounts; Using the Login Banner; Audit Logging; Using Common Access Cards for User Authorization...
  • Page 17: Setting the Password Enforcement Policy

    User Administration The default password controls are less stringent than the strong password controls, and use standard values for password expiration and maximum number of user logins. The default password controls are enforced on the ETEP unless you explicitly enable strong enforcement. Strong password controls enforce more stringent password conventions, limit the reuse of passwords, and allow the Administrator to configure the following items: Password expiration: the maximum number of days before the password expires.
  • Page 18: Cautions for Strong Password Enforcement

    Password Enforcement Options The strong password controls are enforced on any password that is entered after strong password enforcement is enabled. Existing user accounts can continue to use their old passwords, and the accounts retain their default password expiration settings until the user is modified in strong password mode. Enabling strong password enforcement restarts the SSH daemon, closing any open SSH connections.
  • Page 19: Upgrading Software

    User Administration Upgrading Software To avoid having strong passwords expire during an upgrade process, we recommend minimizing the time period between a software upgrade operation and reboot. If you plan to wait a day or more between an upgrade and reboot, disable strong passwords prior to performing the upgrade.
  • Page 20: Understanding User Roles

    Adding Users: “Creating a New User: Strong Password Enforcement Policy” on page 23; “Assigning Passwords to Users” on page 27; “Enabling and Disabling Accounts” on page 29. Understanding User Roles: The user role determines how a user can access the appliance and what tasks the user can perform once logged in.
  • Page 21: User Name Conventions

    User Administration. User Name Conventions: User names can range from 1-32 characters. Valid characters are alpha and numeric characters (a-z, 0-9), _ (underscore), and - (dash). User names must start with an alpha character or an underscore. The first character cannot be a...
  • Page 22: Creating A New User: Strong Password Enforcement Policy

    Adding Users. The following example adds a user named “dallas” as an Administrator, and includes a common name.
        user-config> user-add dallas admin name@domain.com
    Related topics: “Understanding User Roles” on page 21; “Password Enforcement Options” on page 17; “Adding Users” on page 20.
  • Page 23: Modifying Users

    User Administration. Table 8 user-add command description: strong password enforcement. password warning: The number of days prior to password expiration that a warning is given to the user. The valid range is 1-30. password grace period: The number of days after the password expires that a user can log in using the expired password.
  • Page 24: Deleting Users

    Adding Users. Examples: This example changes the tech1 user’s role from Ops to Admin. Default password enforcement is in effect on the ETEP.
        user-config> user-modify tech1 admin
    In the next example the ETEP is configured for strong password enforcement. The Administrator changes the tech1 Ops user warning days to 3.
  • Page 25: Viewing a List of Users

    User Administration Viewing a List of Users Two show commands provide information about ETEP users. From command mode, the show running-config command lists the users currently logged in to the ETEP. In user-config mode, the show command provides a summary of ETEP users. It displays the password enforcement policy that is in force on the ETEP, along with user configurations.
  • Page 26: Assigning Passwords to Users

    Assigning Passwords Assigning Passwords to Users Default user names and passwords are shown in Table 9. It is strongly recommended that the Administrator change the default passwords before putting the ETEP into operation in the network. Table 9 Default user names and passwords on the ETEPs Role Default user name Default password...
  • Page 27: Changing Your Own Password

    User Administration You must explicitly enable strong password enforcement for the ETEP to enforce these conventions. CAUTION We recommend that you store your passwords in a safe place. If you are unable to log in to the ETEP with a valid Administrator user name and password, the ETEP must be returned to the factory to be reset. To assign a new password to a user: 1 Enter user configuration mode.
  • Page 28: Enabling and Disabling Accounts

    Enabling and Disabling Accounts. Related topics: “Default Password Conventions” on page 27; “Strong Password Conventions” on page 27. Enabling and Disabling Accounts: The Administrator can manually enable and disable user accounts. If a user is locked out of an account due to a login failure or password expiration, the Administrator can unlock the account for that user.
  • Page 29: Login Failures

    User Administration. To disable an account: 1 Enter user configuration mode.
        admin> configure
        config> user-config
        user-config>
    2 Type user-enable <username> false, where username specifies the user account to disable. Example: The following example disables the tech1 user account.
        admin> configure...
  • Page 30 Using the Login Banner By using this IS (which includes any device attached to this IS), you consent to the following conditions: — The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
  • Page 31: Audit Logging

    User Administration. Audit Logging: Audit logs report attempts to gain access to the ETEP and to configure it. The audit log is configured and viewed by the Administrator user. Audit log characteristics are as follows: Audit log events are always sent to the log file...
  • Page 32 Using Common Access Cards for User Authorization communications. If the common name used in the communications is on the access list, the operation is allowed. Each component in the EncrypTight system must maintain a list of authorized users (EncrypTight software, ETKMS, and ETEP). Communications that do not use an authorized common name and a valid certificate are rejected.
  • Page 34: Chapter 3: Configuring the ETEP

    Configuring the ETEP. This section includes the following topics: Configuration Overview; Basic Configuration; Layer 2 Configuration; Layer 3 Configuration; Shutting Down the ETEP. Configuration Overview: The information in this chapter describes how to configure the ETEP using CLI commands. The procedures described in this chapter assume that you are logged in as the Administrator user, although some of the basic configuration commands are also available to the Ops user.
  • Page 35: Basic Configuration

    Configuring the ETEP Basic Configuration This section describes the common set of commands that are used to configure the ETEP regardless of whether it is operating in Layer 2 or Layer 3 mode. Table 11 provides a list of the commands, a brief description, and the default values.
  • Page 36 On the management port, the ETEPs support the speeds shown in Table 12. Table 12 Link speeds on the management port (columns: Link speed; Auto-negotiate, ET0010A; Auto-negotiate, ET0100A / ET1000A; Fixed Speed, All ETEPs). Rows: 10 Mbps Half-duplex; 10 Mbps Full-duplex; 100 Mbps Half-duplex; 100 Mbps Full-duplex.
  • Page 37 Table 12 (continued): 1000 Mbps Full-duplex; 1000 Mbps Half-duplex. To configure the management port: 1 At the command prompt, type configure to enter configuration mode.
  • Page 38 Basic Configuration. Table 13 Management port autoneg command description. enable: Enables auto-negotiation on the management port. This is the default setting. disable: Disables auto-negotiation on the management port. Use this setting to manually configure link speed and flow control. speed [100m-full | 10m-full | 100m-half | 10m-half]: When auto-negotiation is disabled, the speed attribute specifies the link...
  • Page 39: Setting the Date and Time

    Configuring the ETEP Setting the Date and Time Setting the date and time on the ETEP helps ensure that the appliance’s time can be synchronized properly with other ETEPs or components in the EncrypTight system. The time zone on the ETEP is set to UTC 0 (Coordinated Universal Time), and is not user configurable. Enter the date and time relative to UTC 0, also referred to as Greenwich Mean Time (GMT).
  • Page 40: Changing the Auto-Negotiation Settings on the Local and Remote Ports

    Model / Available Throughput: ET0010A: 3, 6, 10, 25, 50 Mbps. ET0100A: 100, 155, 250 Mbps. ET1000A: 500, 650 Mbps, 1 Gbps. You need to install a license on each ETEP that you use. Licenses are linked to the serial number of the ETEP on which they are installed.
  • Page 41 When auto-negotiation is disabled, the speed attribute specifies the link speed and duplex setting. On the local and remote ports, the speed of the default setting is hardware dependent: ET0010A = 10m-full, ET0100A = 100m-full, and ET1000A = 1000m. flow-control...
  • Page 42: Setting Loss of Signal Pass Through

    Basic Configuration. Examples: The following example disables auto-negotiation on the remote interface. The speed is set to 100 Mbps full-duplex, and flow control is set to on.
        admin> configure
        config> remote-interface
        rem-if> autoneg disable 100m-full on
    The next example restores auto-negotiation on the local interface.
        admin> configure...
  • Page 43: Changing the CLI Inactivity Time-out

    Configuring the ETEP. Example: The following example sets the remote port transmitter to follow the receiver.
        admin> configure
        config> remote-interface
        rem-if> tx-enable follow-rx
    Related topic: “tx-enable” on page 197. Changing the CLI Inactivity Time-out: The CLI session is terminated if no activity is detected on the CLI in a specified amount of time. When the CLI inactivity time-out is set to zero the session does not expire.
  • Page 44: Layer 2 Configuration

    Layer 2 Configuration.
        admin> configure
        config> remote-interface
        rem-if> tx-enable follow-rx
        rem-if> exit
        config> local-interface
        loc-if> tx-enable follow-rx
        loc-if> exit
        config> cli-inactivity-timer 0
        config> exit
    Layer 2 Configuration: Check the following settings when the ETEP is operating in a Layer 2 deployment: Configure the IKE VLAN tag if you are deploying Layer 2 point-to-point policies in a network that...
  • Page 45: Verifying Transparent Mode

    Configuring the ETEP. Example: The following example enables the VLAN tag feature on the ETEP’s remote interface. The priority is set to 1 and the VLAN ID is set to 4.
        admin> configure
        config> remote-interface
        rem-if> vlan-tag 1 4
    Related topic: “vlan-tag”...
  • Page 46: Layer 3 Configuration

    Layer 3 Configuration. Figure 4 show running-config output. Layer 3 Configuration: This section includes the following topics: “Interoperating with the Network” on page 47... You may need to configure other network settings in order for the ETEP to interoperate in the network.
  • Page 47: Reassembling Fragmented Packets

    Configuring the ETEP Table 20 provides a description of each command along with its default setting. Table 20 Commands that control network interoperability Command Description Default Setting reassembly Specifies who performs the gateway reassembly of fragmented packets: the destination host or gateway.
  • Page 48: DF Bit Handling

    Layer 3 Configuration. Example: The following example sets the reassembly mode to gateway.
        admin> configure
        config> local-interface
        loc-if> reassembly gateway
    Related topics: “DF Bit Handling” on page 49; “reassembly” on page 181. DF Bit Handling: When the ETEP is configured for use in Layer 3 IP encryption policies, its default behavior is to ignore the “do not fragment”...
  • Page 49: IPv6 Traffic Handling

    Configuring the ETEP. Related topics: “Reassembling Fragmented Packets” on page 48; “dfbit-ignore” on page 138. IPv6 Traffic Handling: Layer 3 encryption policies support only IPv4 traffic. The ipv6Traffic command determines how the ETEP handles any IPv6 packets that it receives on its local and remote ports. The ETEP can either pass the IPv6 packets in the clear or discard them.
  • Page 50 Layer 3 Configuration Figure 5 DHCP Relay allows local clients to access a DHCP server on a remote subnet Local and remote port IP addresses are required for proper DHCP Relay Agent behavior. In order to use local and remote port IP addresses, the ETEP must be operating in non-transparent mode. Complete the following steps to use the DHCP relay feature: 1 Assign local and remote port IP addresses to the ETEP, using the ip command.
  • Page 51: Configuring Transparent Mode for Layer 3 Policies

    Configuring the ETEP.
        config> local-interface
        loc-if> dhcprelay enable 10.168.67.55
    Related topics: “Assigning Remote and Local Port IP Addresses” on page 52; “Configuring Transparent Mode” on page 53; “dhcprelay” on page 139. Configuring Transparent Mode for Layer 3 Policies: Transparent mode is the ETEP’s default mode of operation on the local and remote ports.
  • Page 52: Configuring Transparent Mode

    Layer 3 Configuration. Table 25 ip command description. ip address: IPv4 IP address in dotted decimal notation. subnet mask: The subnet mask must be entered in dotted decimal notation. gateway: The default gateway IP address is used when the ETEP is in a routed network.
  • Page 53: Shutting Down the ETEP

    The ETEP remains in a shutdown state until the power is cycled. The shutdown state is indicated with an operational code on the status/diagnostic display as shown in Table 27. Table 27 Shutdown operational codes (Appliance model: Operational code). ET0010A: 2, 3, 4. ET0100A, ET1000A: – –.
  • Page 54 Shutting Down the ETEP To shut down the ETEP from the CLI: 1 Log in as Administrator (user name admin) or Ops (user name ops). 2 At the command prompt, type shutdown. After the system shutdown is complete, the following message is displayed on the terminal.
  • Page 56: Chapter 4: Creating Policies

    Creating Policies. This section includes the following topics: Creating Layer 2 Point-to-Point Policies; Creating Local Site Policies; Securing Management Port Traffic with IPsec. This chapter explains how to create standalone policies on the data path and on the management port using the CLI commands.
  • Page 57: Defining a Layer 2 Point-to-Point Policy

    Creating Policies Defining a Layer 2 Point-to-Point Policy The layer2-p2p command allows an Administrator user to define a Layer 2 point-to-point policy on the ETEP. This command is available from policies mode. To configure a Layer 2 point-to-point policy on the ETEP: 1 Log in to the CLI as the Administrator user.
  • Page 58: Configuring the Policy Mode

    Creating Layer 2 Point-to-Point Policies. Table 28 layer2-p2p command description. Preshared-key: We recommend that you change the key from its default value of 01234567 prior to deploying the ETEP. The identical key value must be entered in both appliances. Note the following conventions when creating a preshared key: •...
  • Page 59: Layer 2 Policy Example

    Creating Policies. CAUTION: When you change the policy-mode of an in-service ETEP, all encrypt and drop policies currently installed on the ETEP are removed. Traffic is sent in the clear until you create and deploy new policies. To configure the policy mode on the ETEP: 1 Log in to the CLI as the Administrator user.
  • Page 60 Creating Layer 2 Point-to-Point Policies The remote ETEP is set to the primary role as shown in Figure 7, and the local site ETEP is assigned the secondary role as shown in Figure 8. Both ETEPs are configured with the same preshared key value and group ID.
  • Page 61: Verifying The Policy

    Creating Policies Figure 8 Local site ETEP Verifying the Policy To check the current policy configuration mode on the ETEP, issue the show encrypt-policy command from command mode or the show command from policies mode. Both show commands display the policy mode and policy if applicable, and indicate whether EncrypTight is enabled.
  • Page 62: How the ETEP Encrypts and Authenticates Layer 2 Traffic

    Creating Layer 2 Point-to-Point Policies How the ETEP Encrypts and Authenticates Layer 2 Traffic When operating as a Layer 2 encryptor in a negotiated policy, the ETEP’s encapsulation mode (CE-ESP) authenticates the encrypted frame’s Ethernet payload. The ETEP uses the AES algorithm with 256-bit keys to encrypt the Ethernet payload.
  • Page 63: Creating Local Site Policies

    Creating Policies Creating Local Site Policies Local site policies allow you to create locally configured policies from the command line, without requiring an EncrypTight ETKMS for key distribution. Using the local-site CLI commands you can create manual key encryption policies, bypass policies, and discard policies at either Layer 2 or Layer 3. Mesh policies can be created by defining policies that share the identical keys and SPIs on multiple ETEPs.
  • Page 64: Policy Configuration

    Creating Local Site Policies. You can use the local-site CLI commands to create a variety of policies: Pass Layer 3 routing protocols in the clear when encrypting traffic at Layer 2; Encrypt in-line management traffic that is typically passed in the clear when deploying EncrypTight...
  • Page 65: Assigning Policy Names

    Creating Policies On the ETEP, policies are prioritized in three broad categories: policies based on appliance configurations, local-site policies, and distributed key policies. Appliance configuration settings have the highest priority. Passing TLS traffic in the clear is an example of a policy based on an appliance configuration setting.
  • Page 66: Configuring a Local Site Bypass or Discard Policy

    Creating Local Site Policies. Example: The following example adds two policies. The first policy is named BypassPolicy, and the second one is named EncryptPolicy.
        admin> configure
        config> policies
        policies> local-site-policies
        ipsec-config> policy-add BypassPolicy
        ipsec-config> policy-add EncryptPolicy
    Configuring a Local Site Bypass or Discard Policy: In a bypass policy, packets pass through the ETEP without being encrypted.
  • Page 67 Creating Policies. Table 35 Policy selector commands. policy-layer2-selector <ethertype> <vlan>: This command configures Layer 2 selectors. It is valid only when the ETEP is configured for Layer 2 operation. Ethertype: The Ethertype field can be entered as a hexadecimal or decimal value.
  • Page 68: Configuring a Local Site Encryption Policy

    Creating Local Site Policies Configuring a Local Site Encryption Policy You can create a manual key encryption policy for Layer 2 or Layer 3 traffic. Layer 2 selectors protect traffic based on Ethertype or VLAN ID. Layer 3 selectors can be configured to protect all traffic, specific subnets, individual hosts, protocols, or ports.
  • Page 69 Creating Policies 2 Add a policy name, if you haven’t already done so (see “Assigning Policy Names” on page 83). policy-add <name> 3 Enter policy-config mode. As part of the command you will need to enter the name of a policy that has been added.
  • Page 70 Creating Local Site Policies. Table 37 Manual key policy commands. policy-selector <remote-ip> <local-ip> <protocol> <remote-port> <local-port>: This command configures Layer 3 selectors. The defaults are: 0.0.0.0/0 (remote ip), 0.0.0.0/0 (local ip), any (protocol), any (remote port), any (local port). remote-ip: IPv4 address and prefix or subnet mask of the endpoint on the far side of the untrusted network.
  • Page 71: Policy Deployment

    Creating Policies Example The following example defines a Layer 2 manual key policy to encrypt traffic with VLAN ID 10. The policy-manual-key command uses the “any” attribute to create bidirectional SAs. The encryption and authentication keys are shown in the example below for demonstration purposes. When you enter keys in the ETEP, they are hidden after you press ENTER.
  • Page 72: Making a Backup Copy of the Local Site Policy Set

    Creating Local Site Policies. To view the policies: 1 From the local-site-policy> prompt, type show-policy-set. Figure 12 The show-policy-set command lists the active and pending policies. Making a Backup Copy of the Local Site Policy Set: Before making any changes to the local-site policies, it is a good practice to make a backup copy of the active policies.
  • Page 73: Managing Local Site Policies

    Creating Policies. Managing Local Site Policies: This section describes how to manage the local-site policies on the ETEP. Tasks include: “Modifying a Local Site Policy” on page 74; “Deleting a Local Site Policy” on page 74; “Restoring the Local Site Policy Set” on page 75...
  • Page 74: Restoring the Local Site Policy Set

    Creating Local Site Policies The edit and backup options remove only the pending policies or backup policy set, respectively. These options do not affect the active, deployed policies. To clear the policy set: 1 From the prompt, enter the clear-policy-set command (see Table 50).
  • Page 75: Bypass Policy for Routing Protocols

    Creating Policies Figure 13 Layer 2 network with in-line management Bypass Policy for Routing Protocols This example creates a bypass policy on ETEP 1. ETEP 1 is deployed in a Layer 2 network. The network is protected with a Layer 2 mesh policy that encrypts all traffic. The Layer 2 mesh policy was created and managed using EncrypTight.
  • Page 76: Encryption Policy for Layer 2 Ethertype

    Securing Management Port Traffic with IPsec Encryption Policy for Layer 2 Ethertype This example creates an encryption policy on ETEP 1, which is configured for Layer 2 operation. The policy uses Layer 2 selectors to encrypt Ethertype 0x0806 (ARP). The policy-manual-key command uses the “any” attribute to create a bidirectional SA. The keys are shown in the example below for demonstration purposes.
  • Page 77: Task Overview

    Creating Policies. When the ETEP is configured for Layer 2 point-to-point operation, the management port IKE server is shut down, which prevents IKE SAs from being negotiated on the management port. Use manual key policies to encrypt management port traffic when operating in this mode. Task Overview: Securing a communication channel between the ETEP and another device requires you to perform configuration tasks on the ETEP and on the other device.
  • Page 78: Configuring Global Settings for IKE Negotiations

    Securing Management Port Traffic with IPsec. Configuring Global Settings for IKE Negotiations: All IKE encryption policies on the ETEP management port use the same set of IKE parameters. The default IKE parameter settings are shown in Table 41 and Table 42. To enhance security, you may want to change the preshared key from its default value.
  • Page 79 Creating Policies. To change the IKE parameters: 1 Enter ike-params-set configuration mode.
        admin> configure
        config> management-interface
        man-if> ipsec-config
        ipsec-config> ike-params-set
        ike-params-set>
    2 Configure the IKE SA commands, if desired. See Table 43 for a description of the command options.
        ike-sa-presharedkey <key-value>
        ike-sa-lifetime <lifetime>...
  • Page 80: Viewing the Current IKE Parameter Settings

    Securing Management Port Traffic with IPsec Table 44 IPsec SA commands (Phase 2) Attribute Description ipsec-sa-lifetime <lifetime> The time interval after which an SA must be replaced with a new SA or terminated. The lifetime is specified in seconds. Valid values are 3600–31536000. The default lifetime is 28800 seconds (8 hours).
  • Page 81: Policy Configuration

    Creating Policies Figure 14 show-ike-params command output Policy Configuration For any policy, you need to decide the following: Policy name: uniquely identifies the policy on the ETEP. ● Policy action: bypass, discard, or protect ● Protect policy In a protect policy, the ETEP encrypts the traffic that matches the policy selectors.
  • Page 82: Assigning Policy Names

    Securing Management Port Traffic with IPsec new policy. If you have two policies with non-consecutive priorities, such as 62000 and 59000, a new policy will be assigned 61999. In many cases you will want to override the default priority assignments to ensure that traffic is processed in the order in which you intend. As you create policies, carefully consider the policy priority that you choose.
  • Page 83: Configuring An Ike Encryption Policy

    Creating Policies Example The following example adds two policies. The first policy is named MyPolicy, and the second one is named TestPolicy.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config> policy-add MyPolicy
    ipsec-config> policy-add TestPolicy
    ipsec-config>
    Configuring an IKE Encryption Policy In an IKE encryption policy, a security association is negotiated using automatically generated keys (IKE).
  • Page 84 Securing Management Port Traffic with IPsec 9 Assign a unique priority to the policy. Policies are enforced in descending order with the highest priority policy processed first. Each policy must have a unique priority. Valid values are 1-65500. policy-priority <priority> After configuring your policies, the next steps are to review the pending changes, backup the policy file, and then deploy the policies.
  • Page 85: Configuring A Manual Key Encryption Policy

    Creating Policies Example This example is an IKE encryption policy to encrypt all traffic between the ETEP management port and the management workstation. The ETEP management port IP address is 203.0.113.9 and the management workstation IP address is 192.0.2.124. admin> configure config>...
  • Page 86 Securing Management Port Traffic with IPsec
    man-if> ipsec-config
    ipsec-config>
    2 Add a policy name, if you haven’t already done so (see “Assigning Policy Names” on page 83).
    policy-add <name>
    3 At the ipsec-config> prompt, enter policy-config mode. As part of the command you will need to...
  • Page 87 Creating Policies Table 46 Manual key policy commands
    policy-manual-key <direction> <spi> <protocol> <encryptionAlgorithm> <authenticationAlgorithm> <encryptionKey> <authenticationKey>
    direction - {out | in} Specifies the direction of the SA. Each policy requires an inbound and an outbound SA.
    spi - Each SA must have a unique SPI. The SPI is a decimal value between 256 and 4096.
  • Page 88: Configuring A Bypass Or Discard Policy On The Management Port

    Securing Management Port Traffic with IPsec
    policy-config> policy-selector 198.51.100.20/32 203.0.113.9/32 any any
    policy-config> policy-manual-key in 1004 esp aes128-cbc sha1-96-hmac
    Please enter 32 character hexadecimal number for encryption key: 11223344556677889900aabbccddeeff
    Please enter 40 character hexadecimal number for authentication key: 11223344556677889900aabbccddeeff87654321
    policy-config> policy-manual-key out 1003 esp aes128-cbc sha1-96-hmac
    Please enter 32 character hexadecimal number for encryption key: 11223344556677889900aabbccddeeff...
  • Page 89: Deploying Policies

    Creating Policies Table 48 Policy-selector command Command Description policy-selector <remote-ip> <local-ip> <protocol> <remote-port> <local-port> The defaults are: 0.0.0.0/0 (remote ip), 0.0.0.0/0 (local ip), any (protocol), any (remote port), any (local port). remote-ip IPv4 or IPv6 address of the endpoint on the far side of the untrusted network in CIDR notation (IP address/prefix).
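The priority rules under "Assigning Policy Names" (unique, 1-65500, highest processed first) and the selector fields of Table 48 together decide which policy a packet hits. The script below is an added example, not code from the Black Box manual or the ETEP itself: it models the SPD as a descending-priority, first-match list, reports priority collisions, and flags a policy that can never match because a higher-priority wildcard covers it. The addresses are the documentation addresses used in the manual's own examples; the policies and packets are constructed sample data, and what the ETEP does with traffic that matches no policy is not stated on the page, so the lookup simply returns None in that case.

```python
"""Descending-priority, first-match lookup over management-port policies.

Added example, not code from the Black Box manual. It models the selector
fields of the policy-selector command (Table 48) and the priority rules
(unique priorities, 1-65500, highest processed first). All policies and
packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

PRIORITY_MIN, PRIORITY_MAX = 1, 65500


def _net_covers(wide: str, narrow: str) -> bool:
    """True when every address in the CIDR block `narrow` lies inside `wide`."""
    w = ipaddress.ip_network(wide, strict=False)
    n = ipaddress.ip_network(narrow, strict=False)
    return w.version == n.version and n.subnet_of(w)


def _scalar_covers(wide: str, narrow: str) -> bool:
    """Protocol and port fields: "any" covers everything, otherwise exact match."""
    return wide == "any" or wide == narrow


@dataclass(frozen=True)
class Selector:
    # Field order and defaults follow the policy-selector command.
    remote_ip: str = "0.0.0.0/0"
    local_ip: str = "0.0.0.0/0"
    protocol: str = "any"
    remote_port: str = "any"
    local_port: str = "any"

    def matches(self, remote: str, local: str, protocol: str, rport: int, lport: int) -> bool:
        """Does one packet (remote peer <-> ETEP management port) hit this selector?"""
        return (ipaddress.ip_address(remote) in ipaddress.ip_network(self.remote_ip, strict=False)
                and ipaddress.ip_address(local) in ipaddress.ip_network(self.local_ip, strict=False)
                and _scalar_covers(self.protocol, protocol)
                and _scalar_covers(self.remote_port, str(rport))
                and _scalar_covers(self.local_port, str(lport)))

    def covers(self, other: "Selector") -> bool:
        """True when every packet matching `other` also matches this selector."""
        return (_net_covers(self.remote_ip, other.remote_ip)
                and _net_covers(self.local_ip, other.local_ip)
                and _scalar_covers(self.protocol, other.protocol)
                and _scalar_covers(self.remote_port, other.remote_port)
                and _scalar_covers(self.local_port, other.local_port))


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int
    action: str                                   # protect | discard | bypass
    selector: Selector = field(default_factory=Selector)


def check_priorities(policies):
    """Out-of-range and duplicate priorities, which the ETEP requires you to avoid."""
    problems, seen = [], {}
    for p in policies:
        if not PRIORITY_MIN <= p.priority <= PRIORITY_MAX:
            problems.append(f"{p.name}: priority {p.priority} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
        if p.priority in seen:
            problems.append(f"{p.name}: priority {p.priority} already used by {seen[p.priority]}")
        seen.setdefault(p.priority, p.name)
    return problems


def lookup(policies, remote, local, protocol="tcp", rport=0, lport=0):
    """First match in descending priority order, which is how the SPD is evaluated."""
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        if p.selector.matches(remote, local, protocol, rport, lport):
            return p
    return None   # the page does not say what happens to unmatched traffic


def shadowed(policies):
    """(low, high) pairs where a higher-priority selector completely covers a
    lower one, so the lower policy can never match anything."""
    ordered = sorted(policies, key=lambda p: p.priority, reverse=True)
    return [(low.name, high.name)
            for i, high in enumerate(ordered)
            for low in ordered[i + 1:]
            if high.selector.covers(low.selector)]


# Constructed sample set: management port 203.0.113.9, workstation 192.0.2.124.
WORKSTATION = Selector(remote_ip="192.0.2.124/32", local_ip="203.0.113.9/32")
MISORDERED = [Policy("MyPolicy", 65000, "protect", WORKSTATION),
              Policy("CatchAll", 65100, "bypass")]        # wildcard outranks the protect policy
CORRECTED = [Policy("MyPolicy", 65100, "protect", WORKSTATION),
             Policy("CatchAll", 65000, "bypass")]


if __name__ == "__main__":
    for label, spd in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        hit = lookup(spd, "192.0.2.124", "203.0.113.9", "tcp", 50000, 22)
        print(f"{label}: SSH from the workstation -> {hit.name} ({hit.action}); shadowed={shadowed(spd)}")
    print(check_priorities(MISORDERED + [Policy("Dup", 65000, "discard")]))
```

Run `shadowed()` over the policy set before `deploy-policy-set`: in the misordered set the catch-all bypass outranks the protect policy, so management traffic from the workstation silently leaves in the clear, which is exactly the mistake the priority guidance warns about.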
  • Page 90: Viewing The Policy Set

    Securing Management Port Traffic with IPsec Viewing the Policy Set The show-policy-set command lists the deployed and pending policies. Status indicators are listed in Table 49. Table 49 show-policy-set status indicators Status Indicator Description Deployed Pending Edit session open for deployed policy For manual key policies, the parameters are associated with an inbound or outbound SA. The keys are wrapped to obscure the values entered by the user.
  • Page 91: Deploying Management Policies

    Creating Policies Deploying Management Policies The deploy-policy-set command makes the pending management port policies active on the ETEP. It restarts the IKE server and updates the policy databases (SAD and SPD). Restarting the IKE server tears down existing IKE connections and updates the keys. Traffic is dropped until the new Phase 1 SAs are established.
  • Page 92: Deleting A Policy

    Securing Management Port Traffic with IPsec Deleting a Policy To delete a management port policy, first issue the policy-delete command using the policy name that you want to remove, and then deploy the policy set. The targeted policy continues to run on the ETEP until the policy set is deployed.
  • Page 93: Restoring The Policy Set

    Creating Policies Example The following example clears the pending policy changes to the management port policies.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config> clear-policy-set edit
    Restoring the Policy Set The restore-policy-set command deploys the backup copy of the policy set. The backup copy of the policy set is retained after a restore operation.
  • Page 94: Ike Policy Example

    Securing Management Port Traffic with IPsec Figure 17 Management port policy example IKE Policy Example This example shows how to create an IKE policy to encrypt all traffic between the ETEP management port and the management workstation. The commands in the example are grouped according to the following tasks: The first set of commands enters ipsec-config mode, makes a backup copy of the active policy set, ●...
  • Page 95: Manual Key Policy Example

    Creating Policies Manual Key Policy Example The following example defines a manual key encryption policy between the ETEP management port (203.0.113.9) and a time server (198.51.100.20). The inbound and outbound SAs have unique SPIs, but use the same algorithms and keys. Sharing keys between directions is shown here for brevity only; in a real deployment give each direction its own randomly generated keys.
    ipsec-config> policy-add MyManualKeyPolicy
    ipsec-config>...
  • Page 96 Securing Management Port Traffic with IPsec
    policy-config> exit
    ipsec-config> show-policy-set
    ipsec-config> backup-policy-set
    ipsec-config> deploy-policy-set
    ipsec-config>
    Figure 18 The show-policy-set command lists the active and pending policies ETEP CLI User Guide...
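The manual key examples above (the 198.51.100.20 session and the MyManualKeyPolicy example) type demonstration keys at the prompts and reuse one key for both directions. The script below is an added example, not code from the manual or the ETEP: it generates the key material with Python's `secrets` module, gives each direction its own SPI and keys, validates the hex lengths against the prompts the ETEP shows (32 hex digits for aes128-cbc, 40 for sha1-96-hmac) and the SPI range in Table 46, and prints the lines to paste into the policy-config session, plus the mirrored view the far end must enter. The `policy-keying manual` line is an assumption: the page shows policy-keying only with the value `ike`, so check the accepted values on your unit before pasting.

```python
"""Generate manual key material for an ETEP management-port policy.

Added example, not code from the Black Box manual. Key lengths come from the
prompts in the manual's example (32 hex digits for aes128-cbc, 40 for
sha1-96-hmac) and the SPI range from Table 46 (256-4096). Unlike the manual's
example, each direction gets its own keys. The "policy-keying manual" line is
an assumption: the page shows policy-keying only with the value "ike".
"""
import re
import secrets

SPI_MIN, SPI_MAX = 256, 4096
ENC_KEY_BYTES = {"aes128-cbc": 16}       # only the algorithms in the manual's example
AUTH_KEY_BYTES = {"sha1-96-hmac": 20}
HEX_RE = re.compile(r"[0-9a-f]+")


def validate_key(hex_key: str, expected_bytes: int) -> str:
    """Reject keys that are not hex or not exactly the size the algorithm needs."""
    key = hex_key.lower()
    if not HEX_RE.fullmatch(key):
        raise ValueError("key must be hexadecimal")
    if len(key) != 2 * expected_bytes:
        raise ValueError(f"expected {2 * expected_bytes} hex digits, got {len(key)}")
    return key


def pick_spi(used: set) -> int:
    """Random unused SPI inside the ETEP range, so SPIs are not predictable."""
    if len(used) >= SPI_MAX - SPI_MIN + 1:
        raise ValueError("no free SPI")
    while True:
        spi = SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)
        if spi not in used:
            used.add(spi)
            return spi


def generate_sa_pair(enc_alg="aes128-cbc", auth_alg="sha1-96-hmac", used_spis=None):
    """One inbound and one outbound SA, each with its own SPI and its own keys."""
    used = used_spis if used_spis is not None else set()
    sas = {}
    for direction in ("in", "out"):
        sas[direction] = {
            "spi": pick_spi(used),
            "enc_alg": enc_alg,
            "auth_alg": auth_alg,
            "enc_key": validate_key(secrets.token_hex(ENC_KEY_BYTES[enc_alg]), ENC_KEY_BYTES[enc_alg]),
            "auth_key": validate_key(secrets.token_hex(AUTH_KEY_BYTES[auth_alg]), AUTH_KEY_BYTES[auth_alg]),
        }
    return sas


def peer_view(sas):
    """The same SAs as the far end must enter them: our inbound SA is its outbound one."""
    return {"in": sas["out"], "out": sas["in"]}


def cli_lines(policy_name, remote_cidr, local_cidr, sas):
    """The policy-config session as typed on the ETEP, with the answers to the key prompts."""
    lines = [f"policy-add {policy_name}",
             f"policy-config {policy_name}",
             "policy-action protect",
             "policy-keying manual",                       # assumed value, see module docstring
             f"policy-selector {remote_cidr} {local_cidr} any any any"]
    for direction in ("in", "out"):
        sa = sas[direction]
        lines.append(f"policy-manual-key {direction} {sa['spi']} esp {sa['enc_alg']} {sa['auth_alg']}")
        lines.append(sa["enc_key"])      # answer to "Please enter 32 character hexadecimal number ..."
        lines.append(sa["auth_key"])     # answer to "Please enter 40 character hexadecimal number ..."
    return lines


if __name__ == "__main__":
    pair = generate_sa_pair()
    print("\n".join(cli_lines("MyManualKeyPolicy", "198.51.100.20/32", "203.0.113.9/32", pair)))
    print("# peer must enter:", peer_view(pair))
```

Keep the generated keys out of shell history and ticketing systems; the ETEP wraps them in show-policy-set output, but the plain values exist wherever this script's output was written.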
  • Page 98: Chapter 5: Maintenance

    Maintenance This section includes the following topics: Installing ETEP Software Updates ● File System Backup and Restore ● Restoring the Factory Configuration ● Changing the Port Status ● Installing ETEP Software Updates You can upgrade the ETEP software using the update-filesystem CLI command. In addition to loading new software on an appliance, the software upgrade process preserves a backup copy of the old file system and configuration.
  • Page 99: Restoring The Factory Configuration

    Maintenance The backup copy of the file system is automatically created when the ETEP software is upgraded using the update-filesystem CLI command. The ETEP maintains only one backup copy of the appliance’s file system. After you generate a backup copy by upgrading, the previous backup copy is no longer available. The restore-filesystem command is used to restore the appliance file system from the backup copy.
  • Page 100: Changing The Port Status

    Changing the Port Status image on the appliance after the command completes. Software versions 1.0 and 2.0 are used as examples in the Running Image column. Table 51 Backup and factory image commands Command Factory Image Backup Image Running Image New appliance (no Factory image created Backup image is a...
  • Page 102: Chapter 6: Troubleshooting

    Troubleshooting This section includes the following topics: Symptoms and Solutions ● Diagnostic Commands ● Additional Diagnostic Tools ● Symptoms and Solutions The following tables provide some solutions to common problems that may occur with your ETEP. “Management Troubleshooting” on page 104 ●...
  • Page 103: Management Troubleshooting

    Troubleshooting Management Troubleshooting Table 52 Management Symptoms and Solutions
    Symptom: The management workstation can’t communicate with the ETEP.
    Explanation and Possible Solutions:
    • Verify that the network connection to the management port is in place.
    • Check that the management interface default gateway is properly configured if the management port and the management host are on different subnets.
  • Page 104: User Configuration Troubleshooting

    Symptoms and Solutions Table 52 Management Symptoms and Solutions
    Symptom: Cannot access the Ethernet management port using SSH.
    Explanation and Possible Solutions:
    • Issue the show running-config command and verify that the SSH enabled setting is true.
    • Entering either of the following commands causes the SSH daemon to restart, closing all open SSH connections: fips-mode-enable true and password-enforcement strong.
  • Page 105: Traffic Troubleshooting

    Troubleshooting Traffic Troubleshooting Table 54 Traffic Symptoms and Solutions Symptom Explanation and Possible Solutions Traffic is not being passed. • Verify that the local and remote port cables are properly seated. The port status LEDs illuminate when the link is active, and blink at a steady rate when traffic is passing on the port.
  • Page 106: Policy Troubleshooting

    Symptoms and Solutions Table 54 Traffic Symptoms and Solutions
    Symptom: Traffic is running at reduced throughput.
    Explanation and Possible Solutions:
    • Check your throughput license (show license command). During the two week grace period the ETEP operates at full throughput, after which it reverts to the minimum speed for the hardware model.
  • Page 107 Troubleshooting Table 55 Policy Symptoms and Solutions
    Symptom: Traffic destined for a virtual IP address is being discarded (the ETEP is operating in non-transparent mode).
    Explanation and Possible Solutions: Check the ETEP configuration for the following:
    • Transparent mode is disabled.
    •...
  • Page 108: Error State

    Diagnostic Commands Error State Table 57 Error State Symptoms and Solutions Symptom Explanation and Possible Solutions The Alarm LED is illuminated The ETEP enters an error state when a boot test fails, the operating temperature threshold is exceeded, signature errors are detected on critical files pertaining to policies and keys, or a FIPS test fails when the ETEP is in FIPS mode. When the ETEP is in an error state the Alarm LED illuminates, and...
  • Page 109: Show Commands

    Troubleshooting Show Commands The ETEP has several show commands that may be helpful in troubleshooting an appliance problem. The show commands display date and version information, and the content of log files. Show commands are available to the Admin and Ops users. Table 58 ETEP show commands Command...
  • Page 110: Network Tools

    Diagnostic Commands Table 58 ETEP show commands Command Description show upgrade-status Displays the status of the current upgrade operation. show version Displays software and firmware version information, and system up time. The system uptime shows how long the Linux operating system has been running, the number of users and load average.
  • Page 111: Checking For Time Synchronization Problems

    Troubleshooting Checking for Time Synchronization Problems If you think that you may be having time synchronization problems between the ETEP and the NTP server, you can verify the status using the show ntp-status command. Syntax show ntp-status Example The fields described in Table 59 can help you determine if there is a time sync problem.
  • Page 112 Diagnostic Commands clear. By comparing the counters on each ETEP, you can determine if the packets are being encrypted and sent from one ETEP, and then received at the other. For example, if the counters increment on ETEP-1 but not on ETEP-2, it demonstrates that ETEP-1 is sending packets, but they are not being received at ETEP-2.
  • Page 113: Additional Diagnostic Tools

    Troubleshooting Example This example enables the policy-packet-count command.
    admin> configure
    config> policies
    policies> policy-packet-count enable
    This example displays and then resets the policy packet counters in the SPD and SAD.
    admin> show policy-packet-count-clear
    Related topic: “Discarded Packets” on page 115 ●...
  • Page 114: Port Status

    Additional Diagnostic Tools Port Status ETEMS displays the status of the local and remote ports (View > Status), including: Operational status (interface up or down) ● Physical address ● Link speed ● ● The Refresh button updates the display (Figure 20).
  • Page 115: Encryption Statistics

    Troubleshooting Table 62 Discard packet descriptions
    Reason:
    Local port unsupported VLAN type
    Remote port unsupported VLAN type
    Local port unsupported MPLS type
    Remote port unsupported MPLS type
    Local port non IP
    Reason (continued):
    Remote port policy not IPSEC
    Remote port failed decrypt check
    Remote port crypto error
    Remote port failed auth check
    Encryption Statistics...
  • Page 116: Policy And Security Association Databases

    Additional Diagnostic Tools Tx Counters The following counters are displayed for packets transmitted from the local and remote ports. Pause frames honored ● Frames dropped ● Defers ● Excess Defers ● Single Collisions ● Multiple Collisions ● Late Collisions ● Excessive Collisions ●...
  • Page 117: Viewing The Sad Entries

    Troubleshooting SPD represents a policy. The SPD shows which policies the ETEP is going to enforce and in what order. Policies are listed in descending priority order, with the highest priority policy listed first. Table 63 SPD selectors SPD Selector Description Destination IP, subnet mask, The destination IP address, subnet mask, and protocol port...
  • Page 118 Additional Diagnostic Tools Table 64 SAD entries Field Description Expire lifetime This field always displays a zero. It is not populated with a meaningful value in this release. Renegotiate lifetime For IKE policies, this value represents the time, in seconds, before an SA is renegotiated.
  • Page 120: Chapter 7: Fips 140-2 Level 2 Operation

    FIPS 140-2 Level 2 Operation The ETEPs are FIPS 140-2 Level 2 compliant. This section describes the FIPS mode of operation on the ETEPs. If you plan to operate the ETEP in FIPS mode, we recommend enabling FIPS mode as your first configuration task.
  • Page 121: Entering Fips Mode

    FIPS 140-2 Level 2 Operation Entering FIPS Mode To place the ETEP in FIPS mode, issue the fips-mode-enable command. To verify the state of FIPS mode on the ETEP, issue the show running-config CLI command. Placing the ETEP in a FIPS-compliant configuration can take several minutes. Some communications services are reset when FIPS is enabled and disabled.
  • Page 122: Fips Mode Failures And Zeroization

    FIPS Mode Failures and Zeroization If the ETEP is operational when you enable FIPS mode and one of the FIPS tests fails, the ETEP continues to operate with FIPS disabled, so confirm the result with show running-config rather than assuming the command succeeded. If the ETEP fails to boot properly while in a FIPS-enabled state or the cover is opened or removed while the unit is powered up, the appliance is zeroized.
  • Page 124: Chapter 8: Command Reference

    Command Reference This section includes the following topics: CLI Overview ● Commands ● CLI Overview The CLI can be accessed using a direct connection to the serial port or remotely through a secure SSH connection. To log in to the CLI, enter the user name and password. User names are associated with a role, which determines the tasks that a user can perform and the CLI commands that are available.
  • Page 125: Tips On Command Usage

    Command Reference Brackets [ ] indicate that the enclosed parameter is optional. ● Braces { } indicate that the enclosed arguments or parameters are required. ● Arguments separated by the vertical bar | indicate that any one of the arguments may be used. For ●...
  • Page 126: Commands

    Commands [enter] - Auto-completes a command, checks the syntax, and then executes the command. If a syntax ● error is found, the offending part of the command line is highlighted and explained. [space] - Auto-completes a command, or inserts a space if the command is already resolved. ●...
  • Page 127: Autoneg

    When auto-negotiation is disabled, the speed attribute specifies the link speed and duplex setting. On the management port the speed defaults to 100m-full. On the local and remote ports, the speed of the default setting is hardware dependent: ET0010A = 10m-full, ET0100A = 100m-full, and ET1000A = 1000m.
  • Page 128 Table Table 72 Link speeds on the management port Link speed Auto-negotiate Auto-negotiate Fixed Speed ET0010A ET0100A / ET1000A All ETEPs 10 Mbps Half-duplex 10 Mbps Full-duplex 100 Mbps Half-duplex 100 Mbps Full-duplex 1000 Mbps Full-duplex 1000 Mbps Half-duplex On the local and remote ports, the ETEPs support the speeds shown in...
  • Page 129: Backup-Policy-Set

    Command Reference Example The following example disables auto-negotiation on the management port, sets the speed to 100 Mbps full-duplex, and turns on flow control.
    admin> configure
    config> management-interface
    man-if> autoneg disable 100m-full on
    The next example restores auto-negotiation on the remote port.
    admin> configure...
  • Page 130: Banner-Config

    Commands
    config> policies
    policies> local-site-policies
    local-site-policy> backup-policy-set
    banner-config Description The banner-config command places the ETEP in banner configuration mode. User Type Administrator Hierarchy Level Configuration mode Syntax banner-config Example
    config> banner-config
    banner-config>
    clear-certificates Description The clear-certificates command removes all certificates from the appliance and generates a self-signed certificate.
  • Page 131: Clear-Known-Hosts

    Command Reference management workstation. You will be prompted for confirmation before the command executes. This command briefly interrupts communication with the ETEP. Related topics: “clear-policies” on page 133 ● “strict-client-authentication” on page 193 ● Example The following example clears the certificates that are used on the management port. admin>...
  • Page 132: Clear-Policies

    Commands clear-policies Description The clear-policies command replaces the active EncrypTight distributed key policies with a default policy that passes all traffic in the clear. User Type Administrator Hierarchy Level Policies mode (config > policies) Syntax clear-policies Usage Guidelines The clear-policies command clears EncrypTight distributed key policies. It does not affect Layer 2 point- to-point policies, local-site policies, or IPsec policies on the management port.
  • Page 133: Cli-Inactivity-Timer

    Command Reference Attributes
    edit – Clears the edit session. Pending policy changes are removed.
    backup – Clears the backup copy of the policy set.
    current – Clears the active policies that are running on the ETEP, pending policies, and the backup policy set.
  • Page 134: Configure

    Commands Attributes
    n – 0–1440 minutes (24 hours)
    Usage Guidelines The CLI session is terminated if no activity is detected on the CLI in a specified amount of time. When the CLI inactivity time-out is set to zero the session does not expire; an unattended serial or SSH session then stays logged in indefinitely, so keep a non-zero value on production units. The inactivity timer is set to 10 minutes by default.
  • Page 135: Debug-Shell

    The debug-shell command provides access to a number of system files that can be useful when troubleshooting problems with the ETEP. This command is intended for use only by customer support and authorized Black Box personnel. Incorrect use of the debug shell can permanently damage the ETEP file system and render the unit inoperable.
  • Page 136: Deploy-Policy-Set

    Commands Hierarchy Level Command mode Syntax debug-shell Usage Guidelines The debug shell commands are intended for use only under the direction of customer support personnel. In order to enter the debug shell, FIPS mode must be disabled on the ETEP. To return to command mode from the debug shell, type exit at the prompt.
  • Page 137: Dfbit-Ignore

    Command Reference applicable). Use the show-policy-set command to view the active and pending policies. The show-ike-params command lets you review the global settings used for IKE negotiations in management port policies. If you find that the deployed policies are not executing as expected, you can restore the backup policies to revert to the previously executing set of policies.
  • Page 138: Dhcprelay

    Commands A symptom of a PMTU problem is when the network operates normally when traffic passes in the clear but loses packets when encryption is turned on. You can override the default behavior by disabling the DF Bit handling on the local port. The ETEP will then discard packets in which the DF bit is set and the packet length, including the encryption header, exceeds the PMTU.
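Whether a DF-marked packet survives depends on how much ESP adds to it, and the page gives the rule but not the numbers. The script below is an added example, not code from the manual: it computes the expansion for the standard IPv4 tunnel-mode ESP layout (RFC 4303) with aes128-cbc and sha1-96-hmac, derives the largest clear-text packet and TCP MSS that fit a given PMTU, and applies the discard rule described above for the case where DF-bit handling is disabled. The ETEP's own encapsulation is not described on the page, so the header constants are assumptions to confirm against a capture on your link.

```python
"""ESP size expansion and the DF/PMTU discard described for dfbit-ignore.

Added example, not code from the Black Box manual. It assumes the standard
IPv4 tunnel-mode ESP layout (RFC 4303) with aes128-cbc and sha1-96-hmac. The
page does not give the ETEP's own encapsulation, so the constants below are
assumptions: measure the expansion on your own link before relying on them.
"""
OUTER_IPV4 = 20    # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8     # SPI + sequence number
AES_BLOCK = 16     # aes128-cbc IV length, and the padding block size
ESP_TRAILER = 2    # pad length + next header
ICV_SHA1_96 = 12   # truncated HMAC-SHA1 tag
FIXED_OVERHEAD = OUTER_IPV4 + ESP_HEADER + AES_BLOCK + ICV_SHA1_96


def esp_tunnel_len(clear_ip_len: int) -> int:
    """On-the-wire length of a clear-text IP packet after tunnel-mode ESP."""
    body = clear_ip_len + ESP_TRAILER
    padded = -(-body // AES_BLOCK) * AES_BLOCK      # round up to a whole AES block
    return FIXED_OVERHEAD + padded


def max_clear_len(pmtu: int) -> int:
    """Largest clear-text IP packet that still fits in `pmtu` after encryption."""
    return (pmtu - FIXED_OVERHEAD) // AES_BLOCK * AES_BLOCK - ESP_TRAILER


def tcp_mss_for(pmtu: int) -> int:
    """TCP MSS to clamp on hosts behind the ETEP (IPv4 + TCP headers, no options)."""
    return max_clear_len(pmtu) - 40


def discarded(clear_ip_len: int, df_set: bool, pmtu: int) -> bool:
    """The discard rule the page describes when DF-bit handling is disabled on
    the local port: DF set and the encrypted packet would exceed the PMTU."""
    return df_set and esp_tunnel_len(clear_ip_len) > pmtu


if __name__ == "__main__":
    pmtu = 1500
    print(f"1500-byte clear packet becomes {esp_tunnel_len(1500)} bytes after ESP")
    print(f"largest clear packet that fits a {pmtu}-byte PMTU: {max_clear_len(pmtu)}")
    print(f"clamp TCP MSS to {tcp_mss_for(pmtu)} on the hosts")
    print("DF 1500 discarded:", discarded(1500, True, pmtu),
          "| DF 1438 discarded:", discarded(1438, True, pmtu))
```

The practical use is the MSS figure: if full-size DF packets disappear only when encryption is on, clamping the hosts' TCP MSS to the value `tcp_mss_for()` returns for the real PMTU removes the symptom without having to ignore the DF bit.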
  • Page 139: Disable-Trusted-Hosts

    Command Reference Figure 23 DHCP Relay allows local clients to access a DHCP server on a remote subnet Local and remote port IP addresses are required for proper DHCP Relay Agent behavior. In order to use local and remote port IP addresses, the ETEP must be operating in non-transparent mode. Complete the following steps to use the DHCP relay feature: 1 Assign local and remote port IP addresses to the ETEP, using the ip command.
  • Page 140: Exit

    Commands User Type Administrator and Ops Hierarchy Level Configuration mode Syntax disable-trusted-hosts Usage Guidelines When the trusted host feature is enabled on the ETEP, packets that are received from non-trusted hosts are discarded. This feature is enabled and configured using ETEMS. When the trusted host feature is enabled, the ETEMS management station must be included in the trusted host list.
  • Page 141 Command Reference image replaces the previous file system image and the previous backup image. The old backup image is overwritten with a duplicate copy of the new software image and default settings. User Type Administrator Hierarchy Level Command mode Syntax filesystem-download {<ftpIP>...
  • Page 142: Filesystem-Reset

    Commands filesystem-reset Description The filesystem-reset command restores the factory image on the appliance without installing a new software version. The previous appliance configuration, passwords, throughput licenses, certificates, and policies are removed. The factory image is also saved as the backup file system, overwriting any previous backup image that was stored on the ETEP.
  • Page 143: Fips-Mode-Enable

    Command Reference fips-mode-enable Description The fips-mode-enable command enables and disables FIPS mode on the ETEP. User Type Administrator Hierarchy Level Configuration mode Syntax fips-mode-enable {true | false} Usage Guidelines When operating in FIPS mode, the ETEP must be configured to use FIPS-approved encryption and authentication algorithms.
  • Page 144: Help

    Commands Example
    admin> configure
    config> fips-mode-enable true
    help Description The help command displays the CLI help text. User Type Administrator and Ops Hierarchy Level Syntax help ike-params-set Description The ike-params-set command enters IKE parameters configuration mode on the management interface. From here you can define the global Phase 1 and Phase 2 negotiation settings used in IKE encryption policies.
  • Page 145: Ike-Sa-Dh-Group

    Command Reference ike-sa-dh-group Description The ike-sa-dh-group command specifies the Diffie-Hellman group to use for Phase 1 ISAKMP communications in IPsec management policies. User Type Administrator Hierarchy Level ike-parameters-set mode (config > management-interface > ipsec-config > ike-parameters-set) Syntax ike-sa-dh-group {<DH-group-ID>} Attributes DH-group-ID - {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18} The Diffie-Hellman group ID. Groups 1 and 2 (768-bit and 1024-bit MODP) are below current key-size guidance; choose group 14 (2048-bit) or larger when the peer supports it.
  • Page 146: Ike-Sa-Presharedkey

    Commands User Type Administrator Hierarchy Level ike-params-set mode (config > management-interface > ipsec-config > ike-parameters-set) Syntax ike-sa-lifetime {<lifetime>} Attributes
    lifetime - IKE Phase 1 SA lifetime in seconds. Valid values are 3600-31536000 seconds. The default lifetime is 86400 (1 day).
    Usage Guidelines The IKE Phase 1 lifetime specifies the interval after which an SA must be replaced with a new SA or terminated.
  • Page 147 Command Reference Syntax ike-sa-presharedkey {<key-value>} Attributes
    key-value - The preshared key is a case-sensitive alphanumeric string from 8-255 characters in length. The default key value is 01234567. Because the default is published, replace it with a long random value before deploying any IKE policy, and set the identical value on the peer.
    Usage Guidelines The ike-sa-presharedkey command supplies the preshared key that will be used to create the security association in an IKE encryption policy on the management port.
  • Page 148 Commands Hierarchy Level Management, local, and remote interface configuration modes Syntax ip {<ip address> <subnet mask>} [gateway] Attributes
    ip address - IPv4 IP address in dotted decimal notation.
    subnet mask - The management interface mask must be entered in dotted decimal notation.
    gateway - On the management port, the gateway specifies how to route traffic between the ETEP management port and the management station and/or other EncrypTight components such as the key...
  • Page 149: Ip6

    Command Reference
    admin> configure
    config> management-interface
    man-if> ip 192.168.1.224 255.255.192.0 192.168.1.1
    man-if>
    admin>
    ip6 Description The ip6 command sets an IPv6 address and default gateway for the management interface. User Type Administrator and Ops Hierarchy Level Management configuration mode (config > management-interface) Syntax ip6 {<ip address>/<prefix-length>} [gateway] Attributes...
  • Page 150: Ipsec-Config

    Commands IPv6 addresses often contain consecutive groups of zeros. To further simplify address entry, you can use two colons (::) to represent the consecutive groups of zeros when typing the IPv6 address. You can use two colons(::) only once in an IPv6 address. Table 74 IPv6 address representations Address Format...
  • Page 151: Ipsec-Sa-Lifetime

    Command Reference ipsec-sa-lifetime Description The ipsec-sa-lifetime command defines lifetime in seconds of the IPsec Phase 2 security association (SA) in IKE policies on the management port. User Type Administrator Hierarchy Level ike-params-set mode (config > management-interface > ipsec-config > ike-parameters-set) Syntax ipsec-sa-lifetime {<lifetime>} Attributes...
  • Page 152: Ipv6Traffic

    Commands Hierarchy Level ike-params-set mode (config > management-interface > ipsec-config > ike-parameters-set) Syntax ipsec-sa-pfs {<PFS-group-ID>} Attributes PFS-group-ID - {none | 1 | 2 | 5 | 14 | 15 | 16 | 17 | 18} The default Diffie-Hellman group ID is 2. Setting none disables PFS, so a compromise of the Phase 1 keying material also exposes every Phase 2 key derived from it; keep PFS enabled and, as with ike-sa-dh-group, prefer group 14 or larger. Usage Guidelines With perfect forward secrecy (PFS), every time encryption or authentication keys are computed, a new Diffie-Hellman key exchange is included.
  • Page 153: Layer2-P2P

    Command Reference Attributes
    clear - IPv6 packets are passed in the clear. This is the default setting.
    discard - IPv6 packets are discarded.
    Usage Guidelines Layer 3 encryption policies support only IPv4 traffic. The ipv6Traffic command determines how the ETEP handles any IPv6 packets that it receives on its local and remote ports. The ETEP can either pass the IPv6 packets in the clear or discard them. Because the default is clear, IPv6 traffic crosses a Layer 3 ETEP deployment unencrypted unless you set discard.
  • Page 154: License

    Commands peer. One of the ETEPs must be assigned the primary role and the other the secondary role. The role is not used when traffic-handling is set to clear or discard.
    auth-method - preshared-key. The authentication method used in Layer 2 point-to-point policies is preshared keys.
    preshared-key - The preshared key is a case-sensitive alphanumeric string from 8-255 characters in length.
  • Page 155: Local-Interface

    Configuration mode Syntax license {<string>} Attributes The license provided by Black Box. The license is case-sensitive. string - Usage Guidelines The license command is applicable only to ETEPs that are managed from the command line. In EncrypTight deployments, licenses must be managed from the EncrypTight software.
  • Page 156: Local-Site-Policies

    Commands Syntax local-interface Example
    config> local-interface
    loc-if>
    local-site-policies Description The local-site-policies command enters local-site policy configuration mode from policies configuration mode. From here you can access commands for creating and managing local-site policies on the remote and local interfaces. User Type Administrator Hierarchy Level Policies mode (config >...
  • Page 157: Management-Interface

    Command Reference Syntax logon-banner-enable {true | false} Usage Guidelines The logon banner appears after a successful login to the CLI and the EncrypTight application. The banner is disabled by default. The banner contains the standard US Department of Defense logon banner text. The text cannot be modified or replaced.
  • Page 158: Password

    Commands Syntax network-tools Example
    admin> network-tools
    network-tools>
    password Description The password command allows a user to modify his or her own password. User Type Administrator and Ops Hierarchy Level Command mode Syntax password Usage Guidelines Users can modify their own passwords to maintain account security and when reminded that the current password is going to expire.
  • Page 159: Password-Enforcement

    Command Reference password-enforcement Description The password-enforcement command configures the password control policy on the ETEP, which includes the stringency of password conventions, expiration, and history exclusion. User Type Administrator Hierarchy Level User-config mode (config > user-config) Syntax password-enforcement {default | strong} Attributes
    default - Enforces the default password controls.
  • Page 160: Password-Modify

    Commands password-modify Description The password-modify command lets the Administrator change a user’s password. User Type Administrator Hierarchy Level User-config mode (config > user-config) Syntax password-modify {<username>} Usage Guidelines After entering the password-modify command and user name, the ETEP prompts you for the new password.
  • Page 161 Command Reference Hierarchy Level Network-tools mode (admin > network-tools) Syntax ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline] [-p pattern] [-s packetsize] [-t ttl] [-I interface or address] [-M mtu discovery hint] [-S sndbuf] [-T timestamp option] [-Q tos] [hop1 ...] destination Attributes Suppress loopback of multicast packets.
  • Page 162: Ping6

    Commands
    -T timestamp option - Set special IP timestamp options.
    -Q tos - Set Quality of Service-related bits in ICMP datagrams.
    destination - The IP address of the network host that you are trying to reach.
    --help - Displays help information.
    Usage Guidelines The ping is sent from the ETEP’s management ports.
  • Page 163 Command Reference Hierarchy Level Network-tools mode (admin > network-tools) Syntax ping6 [-hLVdnrqfs] [-c count] [-i interval] [-p pattern] [-s packetsize] destination Attributes Informational options: Display help information and exit. -h, --help Display license information and exit. -L, --L Display version information and exit. -V, --version Options valid for all request types: Stop sending after N packets.
  • Page 164: Policies

    Commands
    admin> network-tools
    network-tools> ping6 -c4 -i2 2003:a8::124
    PING 2003:a8::124 (2003:a8::124): 56 data bytes
    64 bytes from 2003:a8::124: icmp_seq=0 ttl=64 time=2.261 ms
    64 bytes from 2003:a8::124: icmp_seq=1 ttl=64 time=0.545 ms
    64 bytes from 2003:a8::124: icmp_seq=2 ttl=64 time=0.545 ms
    64 bytes from 2003:a8::124: icmp_seq=3 ttl=64 time=0.598 ms
    --- 2003:a8::124 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.545/0.987/2.261/0.736 ms...
  • Page 165: Policy-Add

    Command Reference Syntax policy-action {protect | discard | bypass} Attributes protect - Packets that match the policy selectors will be encrypted. discard - Packets that match the policy selectors will be discarded. bypass - Packets that match the policy selectors will be passed in the clear. This is the default. Usage Guidelines This command is used in conjunction with other policy commands to create management port policies or...
  • Page 166: Policy-Config

    Commands Syntax policy-add {<name>} Attributes name - The policy name uniquely identifies the policy. The name is referenced when configuring the other policy commands. This attribute is mandatory. There is no default value; it must be specified by the user. Usage Guidelines The scope of the policy-add command is limited to the configuration mode in which you are operating when the command is issued: it adds either a management port policy or a local-site policy.
  • Page 167: Policy-Delete

    Command Reference Hierarchy Level ● ipsec-config mode (config > management-interface > ipsec-config) ● local-site configuration mode (config > policies > local-site-policies) Syntax policy-config {<name>} Attributes name - The name of the policy you want to configure. The policy name must already exist on the ETEP. Usage Guidelines The scope of the policy-config command is limited to the configuration mode in which you are operating...
  • Page 168: Policy-Ike-Ipsec

    Commands Usage Guidelines The scope of the policy-delete command is limited to the configuration mode in which you are operating when the command is issued: it deletes either the management port policies or the local-site policies on the data ports. To delete a policy, first issue the policy-delete command and then deploy the policy set.
  • Page 169: Policy-Ike-Peer

    Command Reference Usage Guidelines This command is valid for IKE encryption policies. Prior to configuring the policy-ike-ipsec command, set the policy-action command to “protect” and policy-keying to “ike.” In an IKE negotiation, the encryption and hash algorithms constitute a proposal. In the current implementation, the proposal is limited to one encryption algorithm and one hash algorithm.
  • Page 170: Policy-Keying

    Commands Usage Guidelines The policy-ike-peer command identifies the peer with whom the ETEP will be negotiating a secure tunnel. The ETEP accepts IPv4 and IPv6 addresses. Related topics: ● “Configuring an IKE Encryption Policy” on page 84 Example The following example defines a peer IP address for an IKE encryption policy named MyIKEpolicy. The example assumes that MyIKEpolicy has already been added to the ETEP.
  • Page 171: Policy-Layer2-Selector

    Command Reference All encryption policies deployed on the ETEP must use the same keying method. You cannot deploy a mix of IKE and manual key policies. Related topics: ● “Configuring an IKE Encryption Policy” on page 84 ● “Configuring a Manual Key Encryption Policy” on page 86...
  • Page 172: Policy-Manual-Key (Local-Site Policies)

    Commands Example The following example configures Layer 2 selectors that filter traffic on the Ethertype for ARP packets with any VLAN ID. The Ethertype is entered in hexadecimal. This example assumes that a policy named MyLayer2Policy has already been added. admin>...
  • Page 173: Policy-Manual-Key (Management Ipsec Policies)

    Command Reference Each secure connection consists of two security associations (SAs), one for inbound packets and one for outbound packets. In a manual key policy you can either configure each SA individually, or set the direction to “any,” which sets up two bi-directional SAs that share the same SPI, algorithms, and keys. When the ETEP is configured for Layer 2 operation, you must use aes256-cbc and sha1-96-hmac as the encryption and authentication algorithms.
  • Page 174 Commands Syntax policy-manual-key {<direction> <spi> <protocol> <encryptionAlgorithm> <authenticationAlgorithm> <encryptionKey> <authenticationKey>} Attributes direction - {out | in} Specifies the direction of the SA. Each policy requires an inbound and outbound SA. Each SA must have a unique SPI. The SPI is a decimal value between 256 and 4096.
  • Page 175: Policy-Mode

    Command Reference Example The following example defines an inbound SA for the ETEP. admin> configure config> management-interface man-if> ipsec-config ipsec-config> policy-config MyManualKeyPolicy policy-config> policy-manual-key in 1004 esp aes128-cbc sha1-96-hmac Please enter 32 character hexadecimal number for encryption key: 11223344556677889900aabbccddeeff Please enter 40 character hexadecimal number for authentication key: 11223344556677889900aabbccddeeff87654321 policy-mode Description...
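    As an added example that is not part of the Black Box manual, the following Python checker encodes the manual key rules stated in this section (SPI range and uniqueness, an inbound plus outbound SA or one "any" SA, hexadecimal keys of the length the ETEP prompts for, and the aes256-cbc/sha1-96-hmac requirement for Layer 2) so a policy can be checked before it is typed in and deployed. The ManualKeySA class, the check functions and the outbound SA values are constructed for illustration; the 64-character key length for aes256-cbc is an assumption.

```python
import re
from dataclasses import dataclass

# Key lengths in hex chars as the ETEP prompts for them; aes128-cbc and sha1-96-hmac
# come from the manual's prompts, aes256-cbc (64) is assumed from a 256-bit key.
ENC_KEY_HEX_LEN = {"aes128-cbc": 32, "aes256-cbc": 64}
AUTH_KEY_HEX_LEN = {"sha1-96-hmac": 40}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

@dataclass
class ManualKeySA:
    direction: str   # "in", "out", or "any" (bi-directional pair sharing one SPI)
    spi: int         # decimal SPI
    protocol: str    # "esp" in the manual's example
    enc_alg: str
    auth_alg: str
    enc_key: str     # hexadecimal string entered at the first prompt
    auth_key: str    # hexadecimal string entered at the second prompt

def check_sa(sa: ManualKeySA, layer2: bool) -> list[str]:
    """Return the rule violations for one SA (empty list if it is valid)."""
    errs = []
    tag = f"SA spi={sa.spi}"
    if sa.direction not in ("in", "out", "any"):
        errs.append(f"{tag}: direction must be in, out or any")
    if not 256 <= sa.spi <= 4096:
        errs.append(f"{tag}: SPI must be a decimal value between 256 and 4096")
    enc_len = ENC_KEY_HEX_LEN.get(sa.enc_alg)
    if enc_len is None:
        errs.append(f"{tag}: unsupported encryption algorithm {sa.enc_alg}")
    elif len(sa.enc_key) != enc_len or not HEX_RE.match(sa.enc_key):
        errs.append(f"{tag}: encryption key must be {enc_len} hexadecimal characters")
    auth_len = AUTH_KEY_HEX_LEN.get(sa.auth_alg)
    if auth_len is None:
        errs.append(f"{tag}: unsupported authentication algorithm {sa.auth_alg}")
    elif len(sa.auth_key) != auth_len or not HEX_RE.match(sa.auth_key):
        errs.append(f"{tag}: authentication key must be {auth_len} hexadecimal characters")
    if layer2 and (sa.enc_alg, sa.auth_alg) != ("aes256-cbc", "sha1-96-hmac"):
        errs.append(f"{tag}: Layer 2 operation requires aes256-cbc and sha1-96-hmac")
    return errs

def check_policy(sas: list[ManualKeySA], layer2: bool = False) -> list[str]:
    """Check a whole manual key policy: per-SA rules, unique SPIs, both directions."""
    errs = []
    for sa in sas:
        errs.extend(check_sa(sa, layer2))
    spis = [sa.spi for sa in sas]
    dupes = sorted({s for s in spis if spis.count(s) > 1})
    if dupes:
        errs.append(f"duplicate SPI(s) {dupes}: each SA must have a unique SPI")
    dirs = {sa.direction for sa in sas}
    if "any" not in dirs and not {"in", "out"} <= dirs:
        errs.append("policy needs both an inbound and an outbound SA (or one 'any' SA)")
    return errs

# Constructed sample: the inbound SA from the manual's example plus a matching
# outbound SA with its own SPI (the outbound SPI is made up for this example).
ENC_KEY = "11223344556677889900aabbccddeeff"
AUTH_KEY = "11223344556677889900aabbccddeeff87654321"
EXAMPLE_SAS = [
    ManualKeySA("in", 1004, "esp", "aes128-cbc", "sha1-96-hmac", ENC_KEY, AUTH_KEY),
    ManualKeySA("out", 1005, "esp", "aes128-cbc", "sha1-96-hmac", ENC_KEY, AUTH_KEY),
]
```

Calling check_policy(EXAMPLE_SAS) returns an empty list; passing layer2=True flags both SAs because they use aes128-cbc.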
  • Page 176: Policy-Packet-Count

    Commands Usage Guidelines The policy setting determines whether the ETEP can be used in Layer 2 Ethernet or Layer 3 IP policies. ETEPs that are configured for Layer 2 cannot be used in Layer 3 policies and vice versa. If you intend to create a Layer 4 policy to encrypt only the packet payload, set the policy setting to Layer 3.
  • Page 177: Policy-Priority

    Command Reference Usage Guidelines When the policy-packet-count command is enabled, the ETEP adds a count to the security policy and security association databases (SPD and SAD, respectively). The counters increment as packets use the policies and SAs. The counts are displayed when you issue any of the following CLI commands: show spd, show sad, and show policy-packet count.
  • Page 178: Policy-Selector

    Commands Usage Guidelines The policy priority specifies the order in which policies are processed on the ETEP. Policies are enforced in descending order with the highest priority policy processed first. Each policy must have a unique priority. When you add a new policy, the ETEP automatically assigns it a priority. To avoid duplicate policy priorities, the ETEP decrements the priority by one from the highest priority that it finds.
  • Page 179 Command Reference Syntax policy-selector {<remote-ip> <local-ip>} [<protocol> <remote-port> <local-port>] Attributes remote-ip - IP address of the endpoint on the far side of the untrusted network. Enter the address using CIDR notation (IP address/prefix). The default is set to 0.0.0.0/0, which means “process all packets”...
  • Page 180: Port-Enable

    Commands The next example defines selectors for a Layer 2 local-site policy named EncryptPolicy. It is a protect policy that encrypts traffic with VLAN ID 10. policies> local-site-policies local-site-policy> policy-config EncryptPolicy policy-config> policy-action protect policy-config> policy-layer2-selector any 10 port-enable Description The port-enable command lets you independently enable or disable the management, local, and remote interfaces.
  • Page 181: Reboot

    Command Reference Syntax reassembly {host | gateway} Attributes This setting is required for the ETEPs to interoperate successfully with some security gateways. host – Packets are fragmented before they are encrypted, and the encryption header is added to the packet fragments.
  • Page 182: Remote-Interface

    Commands Usage Guidelines Rebooting is required when loading new software on the appliance and when restoring factory settings. Example admin> reboot CAUTION Rebooting the appliance interrupts the data traffic on the ETEP local and remote ports. remote-interface Description The remote-interface command allows configuration of the remote interface. User Type Administrator Hierarchy Level...
  • Page 183: Restart-Ike

    Command Reference Usage Guidelines The EncrypTight system supports the use of smart cards such as the DoD Common Access Card (CAC). Using a CAC provides user authorization in addition to certificate-based authentication. When you use a CAC, EncrypTight components use the certificates installed on the card to determine if a user is authorized to perform a specific action.
  • Page 184: Restore-Filesystem

    Commands User Type Administrator Hierarchy Level ike-params-set mode (config > management-interface > ipsec-config > ike-parameters-set) Syntax restart-ike Usage Guidelines If you modify any of the ike-params-set commands, you can issue the restart-ike command to make them active on the ETEP. This command allows you to change the IKE parameters without redeploying policies.
  • Page 185: Restore-Policy-Set

    Command Reference ● Make sure that you know the passwords used in the backup configuration. Once the backup image is restored on the appliance, you must use the passwords from the backup configuration to log in. ● After restoring the file system, redeploy policies to the ETEP to ensure that the appliance is using the...
  • Page 186: Show

    Commands The scope of the restore-policy-set command is limited to the configuration mode in which you are operating when the command is issued: it restores either the management port policies or the local-site policies on the data ports. Example The following example restores the backup copy of the local-site policies. config> policies...
  • Page 187 Command Reference dual-power-status - Displays the operational status of the ET1000A power supplies. encrypt-policy - Displays the encryption policy settings: Layer 2/Layer 3, EncrypTight enabled/disabled, and pass TLS in the clear setting true/false. fips-mode - Shows whether FIPS mode is enabled or disabled on the ETEP. Shows whether the NTP client is enabled, and if it is, displays NTP server information.
  • Page 188: Show-Ike-Params

    Commands show-ike-params Description The show-ike-params command lists the settings used in IKE negotiations on the management port. These are global settings that are applied to all IKE encryption policies that are configured on the management port. User Type Administrator Hierarchy Level ipsec-config mode (config >...
  • Page 189: Shutdown

    Command Reference Syntax show-policy-set Usage Guidelines The scope of the show-policy-set command is limited to the configuration mode in which you are operating when the command is issued: it displays either the management port policies or the local-site policies. The show-policy-set command lists the deployed and pending policies. Policy status indicators are listed in Table 77. Table 77 show-policy-set status indicators...
  • Page 190: Snmpv3-Engine-Id-Seed

    Commands Usage Guidelines It is important that a proper system shutdown is performed prior to powering off the appliance. Do not simply unplug the power cable to shut down the ETEP. Failure to perform a shutdown may lead to file system corruption and potential appliance failure.
  • Page 191: Ssh-Enable

    Command Reference Example In the following example the Administrator configures an engine ID seed on the ETEP. admin> snmpv3-engine-id-seed myEngineIDseed12345# The next example shows a snippet of the output from the show command that displays the engine ID. admin> show running-config snmp-server contact ""...
  • Page 192: Strict-Client-Authentication

    Commands strict-client-authentication Description The strict-client-authentication command enables and disables strict client authentication. With strict client authentication, all management communications with the appliance are secured with TLS and authenticated with CA-issued certificates. User Type Administrator Hierarchy Level Management interface configuration mode (config > management-interface) Syntax strict-client-authentication {enable | disable} Attributes...
  • Page 193: Top

    Command Reference Description The top command returns to the top hierarchy level, command mode. User Type Administrator and Ops Hierarchy Level All levels except command mode Syntax traceroute Description The traceroute command tracks the route taken by packets across an IP network on their way to a given host.
  • Page 194 Commands -g gateway - Tells traceroute to add an IP source routing option to the outgoing packet that tells the network to route the packet through the specified gateway. -i iface - Specifies the interface through which traceroute should send packets. The ETEP management port is eth2.
  • Page 195: Transparent-Mode-Enable

    Command Reference transparent-mode-enable Description The transparent-mode-enable command configures whether the ETEP is viewable from a network standpoint. When operating in transparent mode, the local and remote ports do not utilize user-assigned IP addresses. User Type Administrator Hierarchy Level Configuration mode Syntax transparent-mode-enable {true | false} Usage Guidelines...
  • Page 196: Tx-Enable

    Commands tx-enable Description The tx-enable command determines how the transmitter detects and responds to a loss of signal on either of the ETEP data ports. User Type Administrator Hierarchy Level Local and remote interface configuration mode Syntax tx-enable {always | follow-rx} Attributes The transmitter is always on regardless of whether a signal is received.
  • Page 197: Update-Filesystem

    Command Reference update-filesystem Description The update-filesystem command downloads a new file system from an FTP server to the ETEP. This command performs a software upgrade, and merges the current appliance configuration with the upgraded file system upon reboot. This preserves the appliance configuration including the management IP address, passwords, and other settings.
  • Page 198: User-Add

    Commands admin> update-filesystem 192.168.1.124 etep myName myPassword sftp user-add Description The user-add command lets the Administrator add ETEP users. Each user is assigned a user name and role. When strong password enforcement is enabled, the Administrator specifies the password expiration, expiration warning, minimum interval between password changes, and the maximum number of concurrent login sessions allowed per user.
  • Page 199 Command Reference ● Valid characters are alpha and numeric characters (a-z, 0-9), _ (underscore), and - (dash). ● User names must start with an alpha character or an underscore. The first character cannot be a numeric digit or a dash. ● Only lower case alpha characters are accepted.
  • Page 200: User-Config

    Commands admin> configure config> user-config user-config> user-add tech1 ops Maximum days before password expires [60]: Minimum days between password reset [1]: Password expiration warning days [10]: Expiration grace period days [10]: Maximum login sessions [2]: The next example adds a user named “dallas” as an Administrator, and includes a common name as part of the user account.
  • Page 201: User-Enable

    Command Reference Hierarchy Level User-config mode (config > user-config) Syntax user-delete {<username>} Usage Guidelines The user-delete command removes a user from the ETEP. The command takes effect immediately, preventing the deleted user from logging in to the ETEP. Example In this example, the Administrator deletes the user “tech1.” admin> configure...
  • Page 202: User-Modify

    Commands admin> configure config> user-config user-config> user-enable tech1 true user-modify Description The user-modify command lets the Administrator change a user’s role, and add, change or delete a common name. When strong password enforcement is enabled, the Administrator can also modify the settings for password expiration and maximum login sessions.
  • Page 203 Command Reference When strong password enforcement is enabled, the Administrator can also modify the settings for password expiration and maximum login sessions. If the time since a user’s password was last changed exceeds the password expiration days, the ETEP will require the password to be reset before allowing you to modify other user settings.
  • Page 204: Vlan-Tag

    Commands vlan-tag Description The vlan-tag command applies a specific VLAN tag to IKE negotiation packets. It is used in networks that require a specific VLAN tag for all Ethernet traffic. User Type Administrator Hierarchy Level Remote interface configuration mode (config > remote-interface) Syntax vlan-tag {enable [<tag-priority>] [<tag-id>]} | {disable} Attributes...
  • Page 205 Command Reference ETEP CLI User Guide...
  • Page 206: Index

    Index clear-policy-set, 133 cli-inactivity-timer, 134 audit log, 32 configure, 135 autoneg command, 38, 41, 128 date, 135 auto-negotiation, configuring debug-shell, 136 local and remote ports, 41 deploy-policy-set, 137 management port, 37 dfbit-ignore, 138 dhcprelay, 139 disable-trusted-hosts, 140 exit, 141 backing up the file system, 100 filesystem-download, 141 backup-policy-set command, 130 filesystem-reset, 143...
  • Page 207 Index policy-ike-peer, 170 default password conventions, 27 policy-keying, 171 deploy-policy-set command, 137 policy-layer2-selector, 172 DF bit handling policy-manual-key (local-site policies), 173 configuring, 49 policy-manual-key (management IPsec description, 49 policies), 174 dfbit-ignore command, 138 policy-mode, 176 DHCP relay, using on a remote network, 50 dhcprelay command, 139 policy-packet-count, 177 policy-priority, 178...
  • Page 208 Index setting the management IP address, 36 logon-banner-enable command, 157 IP address, setting on the management port, 36 loss of signal pass through, configuring, 43 ip command, 148 ip6 command, 150 ipsec commands MAC statistics, viewing, 116 ike-params-set, 145 maintenance ipsec-config, 151 installing software updates, 99 IPv6...
  • Page 209 Index NTP, troubleshooting, 112 port status enabling and disabling, 101 monitoring, 106 port-enable command, 181 password command, 159 password-enforcement command, 160 password-modify command, 161 passwords reassembly command, 181 assigning to users, 27 reassembly mode, configuring, 48 changing the password enforcement policy, reboot command, 182 remote port ip address, assigning, 52 changing your own password, 28...
  • Page 210 Index system backup, 99 users system up time adding displaying, 111 default password enforcement, 22 load average, 111 overview, 20 strong password enforcement, 23 default user names, 13, 21 deleting, 25 technical support, 10 disabling an account, 29 throughput license modifying, 24 See also license restoring an account, 29...
  • Page 211 Index ETEP CLI User Guide...
  • Page 212 24/7 Tech support available in 30 seconds or less. © Copyright 2011. All rights reserved. Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Any third-party trademarks appearing in this manual are acknowledged to be the property of their respective owners.