Firewall Considerations For Trusted And Untrusted Vpn Interfaces; Routing Considerations For Vpn (And Firewall); Perfect Forward Secrecy - Nortel Secure 4134 Configuration

Security — configuration and management

Hide thumbs Also See for Secure 4134:

Installation manual (132 pages)

Installation — hardware components (124 pages)

Quick start manual (70 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

Table of Contents

However, deﬁning the match policy alone is not sufﬁcient to identify the

tunnel trafﬁc. To ensure that trafﬁc identiﬁed in the match command is

forwarded through the tunnel, you must identify at least one crypto trusted

interface that speciﬁes where the source trafﬁc enters the router (using the

crypto trusted command). This command identiﬁes the interface as

the source of tunnel trafﬁc.

If trafﬁc meeting the match ﬁlter rules enters the router through an interface

that is not identiﬁed as crypto trusted, the trafﬁc is not encrypted using

the VPN.

Firewall considerations for trusted and untrusted VPN interfaces

Identifying an interface as crypto trusted or untrusted has implications for

the ﬁrewall treatment of that interface.

When you set the external interface as crypto untrusted, the interface is

automatically added to the internet untrusted ﬁrewall zone.

For the untrusted crypto interfaces, you need to conﬁgure a ﬁrewall policy to

allow IKE negotiations to the local tunnel interface.

When you set the internal interface as crypto trusted, the interface is

automatically added to the trusted corp ﬁrewall zone. If you want the trusted

interface to belong to a different trusted ﬁrewall zone, you must conﬁgure

this preference using ﬁrewall commands.

For the trusted crypto interfaces, to allow VPN tunnel trafﬁc to pass through

the ﬁrewall from the untrusted interface, you must conﬁgure an inbound

policy on the trusted interface.

By default, most trusted outbound trafﬁc usually meets the default policy

of '1024 out allow' (unless this default policy has been administratively

altered), and so this trafﬁc will pass.

Routing considerations for VPN (and ﬁrewall)

The security processing must be aware of the route not only to the

destination network (which is always required for basic routing), but also the

route to the source network. Knowledge of the route to the source network

is used by the ﬁrewall to prevent spooﬁng.

Perfect forward secrecy

The SR4134 supports Perfect forward secrecy (PFS) for IKE key negotiation.

With PFS enabled, the IKE phase 2 SA shares no key material with the IKE

phase 1 SA. This feature increases the security of an IPsec SA.

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

Perfect forward secrecy 57

Table of Contents

Firewall Considerations For Trusted And Untrusted Vpn Interfaces; Routing Considerations For Vpn (And Firewall); Perfect Forward Secrecy - Nortel Secure 4134 Configuration

Firewall considerations for trusted and untrusted VPN interfaces

Perfect forward secrecy

Related Manuals for Nortel Secure 4134

Related Content for Nortel Secure 4134

Table of Contents